The Tor Browser / annotate

security/nss/cmd/smimetools/cmsutil.c@141e0f1194b1 (annotated)

security/nss/cmd/smimetools/cmsutil.c

Wed, 31 Dec 2014 07:16:47 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Wed, 31 Dec 2014 07:16:47 +0100
branch
TOR_BUG_9701
changeset 3
141e0f1194b1
permissions
-rw-r--r--

Revert simplistic fix pending revisit of Mozilla integration attempt.

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4
michael@0 5 /*
michael@0 6 * cmsutil -- A command to work with CMS data
michael@0 7 */
michael@0 8
michael@0 9 #include "nspr.h"
michael@0 10 #include "secutil.h"
michael@0 11 #include "plgetopt.h"
michael@0 12 #include "secpkcs7.h"
michael@0 13 #include "cert.h"
michael@0 14 #include "certdb.h"
michael@0 15 #include "secoid.h"
michael@0 16 #include "cms.h"
michael@0 17 #include "nss.h"
michael@0 18 #include "smime.h"
michael@0 19 #include "pk11func.h"
michael@0 20
michael@0 21 #if defined(XP_UNIX)
michael@0 22 #include <unistd.h>
michael@0 23 #endif
michael@0 24
michael@0 25 #if defined(_WIN32)
michael@0 26 #include "fcntl.h"
michael@0 27 #include "io.h"
michael@0 28 #endif
michael@0 29
michael@0 30 #include <stdio.h>
michael@0 31 #include <string.h>
michael@0 32
michael@0 33 char *progName = NULL;
michael@0 34 static int cms_verbose = 0;
michael@0 35 static secuPWData pwdata = { PW_NONE, 0 };
michael@0 36 static PK11PasswordFunc pwcb = NULL;
michael@0 37 static void *pwcb_arg = NULL;
michael@0 38
michael@0 39
michael@0 40 /* XXX stolen from cmsarray.c
michael@0 41 * nss_CMSArray_Count - count number of elements in array
michael@0 42 */
michael@0 43 int
michael@0 44 nss_CMSArray_Count(void **array)
michael@0 45 {
michael@0 46 int n = 0;
michael@0 47 if (array == NULL)
michael@0 48 return 0;
michael@0 49 while (*array++ != NULL)
michael@0 50 n++;
michael@0 51 return n;
michael@0 52 }
michael@0 53
michael@0 54 static SECStatus
michael@0 55 DigestFile(PLArenaPool *poolp, SECItem ***digests, SECItem *input,
michael@0 56 SECAlgorithmID **algids)
michael@0 57 {
michael@0 58 NSSCMSDigestContext *digcx;
michael@0 59 SECStatus rv;
michael@0 60
michael@0 61 digcx = NSS_CMSDigestContext_StartMultiple(algids);
michael@0 62 if (digcx == NULL)
michael@0 63 return SECFailure;
michael@0 64
michael@0 65 NSS_CMSDigestContext_Update(digcx, input->data, input->len);
michael@0 66
michael@0 67 rv = NSS_CMSDigestContext_FinishMultiple(digcx, poolp, digests);
michael@0 68 return rv;
michael@0 69 }
michael@0 70
michael@0 71
michael@0 72 static void
michael@0 73 Usage(char *progName)
michael@0 74 {
michael@0 75 fprintf(stderr,
michael@0 76 "Usage: %s [-C|-D|-E|-O|-S] [<options>] [-d dbdir] [-u certusage]\n"
michael@0 77 " -C create a CMS encrypted data message\n"
michael@0 78 " -D decode a CMS message\n"
michael@0 79 " -b decode a batch of files named in infile\n"
michael@0 80 " -c content use this detached content\n"
michael@0 81 " -n suppress output of content\n"
michael@0 82 " -h num display num levels of CMS message info as email headers\n"
michael@0 83 " -k keep decoded encryption certs in perm cert db\n"
michael@0 84 " -E create a CMS enveloped data message\n"
michael@0 85 " -r id,... create envelope for these recipients,\n"
michael@0 86 " where id can be a certificate nickname or email address\n"
michael@0 87 " -S create a CMS signed data message\n"
michael@0 88 " -G include a signing time attribute\n"
michael@0 89 " -H hash use hash (default:SHA1)\n"
michael@0 90 " -N nick use certificate named \"nick\" for signing\n"
michael@0 91 " -P include a SMIMECapabilities attribute\n"
michael@0 92 " -T do not include content in CMS message\n"
michael@0 93 " -Y nick include a EncryptionKeyPreference attribute with cert\n"
michael@0 94 " (use \"NONE\" to omit)\n"
michael@0 95 " -O create a CMS signed message containing only certificates\n"
michael@0 96 " General Options:\n"
michael@0 97 " -d dbdir key/cert database directory (default: ~/.netscape)\n"
michael@0 98 " -e envelope enveloped data message in this file is used for bulk key\n"
michael@0 99 " -i infile use infile as source of data (default: stdin)\n"
michael@0 100 " -o outfile use outfile as destination of data (default: stdout)\n"
michael@0 101 " -p password use password as key db password (default: prompt)\n"
michael@0 102 " -f pwfile use password file to set password on all PKCS#11 tokens)\n"
michael@0 103 " -u certusage set type of certificate usage (default: certUsageEmailSigner)\n"
michael@0 104 " -v print debugging information\n"
michael@0 105 "\n"
michael@0 106 "Cert usage codes:\n",
michael@0 107 progName);
michael@0 108 fprintf(stderr, "%-25s 0 - certUsageSSLClient\n", " ");
michael@0 109 fprintf(stderr, "%-25s 1 - certUsageSSLServer\n", " ");
michael@0 110 fprintf(stderr, "%-25s 2 - certUsageSSLServerWithStepUp\n", " ");
michael@0 111 fprintf(stderr, "%-25s 3 - certUsageSSLCA\n", " ");
michael@0 112 fprintf(stderr, "%-25s 4 - certUsageEmailSigner\n", " ");
michael@0 113 fprintf(stderr, "%-25s 5 - certUsageEmailRecipient\n", " ");
michael@0 114 fprintf(stderr, "%-25s 6 - certUsageObjectSigner\n", " ");
michael@0 115 fprintf(stderr, "%-25s 7 - certUsageUserCertImport\n", " ");
michael@0 116 fprintf(stderr, "%-25s 8 - certUsageVerifyCA\n", " ");
michael@0 117 fprintf(stderr, "%-25s 9 - certUsageProtectedObjectSigner\n", " ");
michael@0 118 fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");
michael@0 119 fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");
michael@0 120
michael@0 121 exit(-1);
michael@0 122 }
michael@0 123
michael@0 124 struct optionsStr {
michael@0 125 char *pwfile;
michael@0 126 char *password;
michael@0 127 SECCertUsage certUsage;
michael@0 128 CERTCertDBHandle *certHandle;
michael@0 129 };
michael@0 130
michael@0 131 struct decodeOptionsStr {
michael@0 132 struct optionsStr *options;
michael@0 133 SECItem content;
michael@0 134 int headerLevel;
michael@0 135 PRBool suppressContent;
michael@0 136 NSSCMSGetDecryptKeyCallback dkcb;
michael@0 137 PK11SymKey *bulkkey;
michael@0 138 PRBool keepCerts;
michael@0 139 };
michael@0 140
michael@0 141 struct signOptionsStr {
michael@0 142 struct optionsStr *options;
michael@0 143 char *nickname;
michael@0 144 char *encryptionKeyPreferenceNick;
michael@0 145 PRBool signingTime;
michael@0 146 PRBool smimeProfile;
michael@0 147 PRBool detached;
michael@0 148 SECOidTag hashAlgTag;
michael@0 149 };
michael@0 150
michael@0 151 struct envelopeOptionsStr {
michael@0 152 struct optionsStr *options;
michael@0 153 char **recipients;
michael@0 154 };
michael@0 155
michael@0 156 struct certsonlyOptionsStr {
michael@0 157 struct optionsStr *options;
michael@0 158 char **recipients;
michael@0 159 };
michael@0 160
michael@0 161 struct encryptOptionsStr {
michael@0 162 struct optionsStr *options;
michael@0 163 char **recipients;
michael@0 164 NSSCMSMessage *envmsg;
michael@0 165 SECItem *input;
michael@0 166 FILE *outfile;
michael@0 167 PRFileDesc *envFile;
michael@0 168 PK11SymKey *bulkkey;
michael@0 169 SECOidTag bulkalgtag;
michael@0 170 int keysize;
michael@0 171 };
michael@0 172
michael@0 173 static NSSCMSMessage *
michael@0 174 decode(FILE *out, SECItem *input, const struct decodeOptionsStr *decodeOptions)
michael@0 175 {
michael@0 176 NSSCMSDecoderContext *dcx;
michael@0 177 SECStatus rv;
michael@0 178 NSSCMSMessage *cmsg;
michael@0 179 int nlevels, i;
michael@0 180 SECItem sitem = { 0, 0, 0 };
michael@0 181
michael@0 182 PORT_SetError(0);
michael@0 183 dcx = NSS_CMSDecoder_Start(NULL,
michael@0 184 NULL, NULL, /* content callback */
michael@0 185 pwcb, pwcb_arg, /* password callback */
michael@0 186 decodeOptions->dkcb, /* decrypt key callback */
michael@0 187 decodeOptions->bulkkey);
michael@0 188 if (dcx == NULL) {
michael@0 189 fprintf(stderr, "%s: failed to set up message decoder.\n", progName);
michael@0 190 return NULL;
michael@0 191 }
michael@0 192 rv = NSS_CMSDecoder_Update(dcx, (char *)input->data, input->len);
michael@0 193 if (rv != SECSuccess) {
michael@0 194 fprintf(stderr, "%s: failed to decode message.\n", progName);
michael@0 195 NSS_CMSDecoder_Cancel(dcx);
michael@0 196 return NULL;
michael@0 197 }
michael@0 198 cmsg = NSS_CMSDecoder_Finish(dcx);
michael@0 199 if (cmsg == NULL) {
michael@0 200 fprintf(stderr, "%s: failed to decode message.\n", progName);
michael@0 201 return NULL;
michael@0 202 }
michael@0 203
michael@0 204 if (decodeOptions->headerLevel >= 0) {
michael@0 205 /*fprintf(out, "SMIME: ", decodeOptions->headerLevel, i);*/
michael@0 206 fprintf(out, "SMIME: ");
michael@0 207 }
michael@0 208
michael@0 209 nlevels = NSS_CMSMessage_ContentLevelCount(cmsg);
michael@0 210 for (i = 0; i < nlevels; i++) {
michael@0 211 NSSCMSContentInfo *cinfo;
michael@0 212 SECOidTag typetag;
michael@0 213
michael@0 214 cinfo = NSS_CMSMessage_ContentLevel(cmsg, i);
michael@0 215 typetag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
michael@0 216
michael@0 217 if (decodeOptions->headerLevel >= 0)
michael@0 218 fprintf(out, "\tlevel=%d.%d; ", decodeOptions->headerLevel, nlevels - i);
michael@0 219
michael@0 220 switch (typetag) {
michael@0 221 case SEC_OID_PKCS7_SIGNED_DATA:
michael@0 222 {
michael@0 223 NSSCMSSignedData *sigd = NULL;
michael@0 224 SECItem **digests;
michael@0 225 int nsigners;
michael@0 226 int j;
michael@0 227
michael@0 228 if (decodeOptions->headerLevel >= 0)
michael@0 229 fprintf(out, "type=signedData; ");
michael@0 230 sigd = (NSSCMSSignedData *)NSS_CMSContentInfo_GetContent(cinfo);
michael@0 231 if (sigd == NULL) {
michael@0 232 SECU_PrintError(progName, "signedData component missing");
michael@0 233 goto loser;
michael@0 234 }
michael@0 235
michael@0 236 /* if we have a content file, but no digests for this signedData */
michael@0 237 if (decodeOptions->content.data != NULL &&
michael@0 238 !NSS_CMSSignedData_HasDigests(sigd)) {
michael@0 239 PLArenaPool *poolp;
michael@0 240 SECAlgorithmID **digestalgs;
michael@0 241
michael@0 242 /* detached content: grab content file */
michael@0 243 sitem = decodeOptions->content;
michael@0 244
michael@0 245 if ((poolp = PORT_NewArena(1024)) == NULL) {
michael@0 246 fprintf(stderr, "cmsutil: Out of memory.\n");
michael@0 247 goto loser;
michael@0 248 }
michael@0 249 digestalgs = NSS_CMSSignedData_GetDigestAlgs(sigd);
michael@0 250 if (DigestFile (poolp, &digests, &sitem, digestalgs)
michael@0 251 != SECSuccess) {
michael@0 252 SECU_PrintError(progName,
michael@0 253 "problem computing message digest");
michael@0 254 PORT_FreeArena(poolp, PR_FALSE);
michael@0 255 goto loser;
michael@0 256 }
michael@0 257 if (NSS_CMSSignedData_SetDigests(sigd, digestalgs, digests)
michael@0 258 != SECSuccess) {
michael@0 259 SECU_PrintError(progName,
michael@0 260 "problem setting message digests");
michael@0 261 PORT_FreeArena(poolp, PR_FALSE);
michael@0 262 goto loser;
michael@0 263 }
michael@0 264 PORT_FreeArena(poolp, PR_FALSE);
michael@0 265 }
michael@0 266
michael@0 267 /* import the certificates */
michael@0 268 if (NSS_CMSSignedData_ImportCerts(sigd,
michael@0 269 decodeOptions->options->certHandle,
michael@0 270 decodeOptions->options->certUsage,
michael@0 271 decodeOptions->keepCerts)
michael@0 272 != SECSuccess) {
michael@0 273 SECU_PrintError(progName, "cert import failed");
michael@0 274 goto loser;
michael@0 275 }
michael@0 276
michael@0 277 /* find out about signers */
michael@0 278 nsigners = NSS_CMSSignedData_SignerInfoCount(sigd);
michael@0 279 if (decodeOptions->headerLevel >= 0)
michael@0 280 fprintf(out, "nsigners=%d; ", nsigners);
michael@0 281 if (nsigners == 0) {
michael@0 282 /* Might be a cert transport message
michael@0 283 ** or might be an invalid message, such as a QA test message
michael@0 284 ** or a message from an attacker.
michael@0 285 */
michael@0 286 SECStatus rv;
michael@0 287 rv = NSS_CMSSignedData_VerifyCertsOnly(sigd,
michael@0 288 decodeOptions->options->certHandle,
michael@0 289 decodeOptions->options->certUsage);
michael@0 290 if (rv != SECSuccess) {
michael@0 291 fprintf(stderr, "cmsutil: Verify certs-only failed!\n");
michael@0 292 goto loser;
michael@0 293 }
michael@0 294 return cmsg;
michael@0 295 }
michael@0 296
michael@0 297 /* still no digests? */
michael@0 298 if (!NSS_CMSSignedData_HasDigests(sigd)) {
michael@0 299 SECU_PrintError(progName, "no message digests");
michael@0 300 goto loser;
michael@0 301 }
michael@0 302
michael@0 303 for (j = 0; j < nsigners; j++) {
michael@0 304 const char * svs;
michael@0 305 NSSCMSSignerInfo *si;
michael@0 306 NSSCMSVerificationStatus vs;
michael@0 307 SECStatus bad;
michael@0 308
michael@0 309 si = NSS_CMSSignedData_GetSignerInfo(sigd, j);
michael@0 310 if (decodeOptions->headerLevel >= 0) {
michael@0 311 char *signercn;
michael@0 312 static char empty[] = { "" };
michael@0 313
michael@0 314 signercn = NSS_CMSSignerInfo_GetSignerCommonName(si);
michael@0 315 if (signercn == NULL)
michael@0 316 signercn = empty;
michael@0 317 fprintf(out, "\n\t\tsigner%d.id=\"%s\"; ", j, signercn);
michael@0 318 if (signercn != empty)
michael@0 319 PORT_Free(signercn);
michael@0 320 }
michael@0 321 bad = NSS_CMSSignedData_VerifySignerInfo(sigd, j,
michael@0 322 decodeOptions->options->certHandle,
michael@0 323 decodeOptions->options->certUsage);
michael@0 324 vs = NSS_CMSSignerInfo_GetVerificationStatus(si);
michael@0 325 svs = NSS_CMSUtil_VerificationStatusToString(vs);
michael@0 326 if (decodeOptions->headerLevel >= 0) {
michael@0 327 fprintf(out, "signer%d.status=%s; ", j, svs);
michael@0 328 /* goto loser ? */
michael@0 329 } else if (bad && out) {
michael@0 330 fprintf(stderr, "signer %d status = %s\n", j, svs);
michael@0 331 goto loser;
michael@0 332 }
michael@0 333 }
michael@0 334 }
michael@0 335 break;
michael@0 336 case SEC_OID_PKCS7_ENVELOPED_DATA:
michael@0 337 {
michael@0 338 NSSCMSEnvelopedData *envd;
michael@0 339 if (decodeOptions->headerLevel >= 0)
michael@0 340 fprintf(out, "type=envelopedData; ");
michael@0 341 envd = (NSSCMSEnvelopedData *)NSS_CMSContentInfo_GetContent(cinfo);
michael@0 342 if (envd == NULL) {
michael@0 343 SECU_PrintError(progName, "envelopedData component missing");
michael@0 344 goto loser;
michael@0 345 }
michael@0 346 }
michael@0 347 break;
michael@0 348 case SEC_OID_PKCS7_ENCRYPTED_DATA:
michael@0 349 {
michael@0 350 NSSCMSEncryptedData *encd;
michael@0 351 if (decodeOptions->headerLevel >= 0)
michael@0 352 fprintf(out, "type=encryptedData; ");
michael@0 353 encd = (NSSCMSEncryptedData *)NSS_CMSContentInfo_GetContent(cinfo);
michael@0 354 if (encd == NULL) {
michael@0 355 SECU_PrintError(progName, "encryptedData component missing");
michael@0 356 goto loser;
michael@0 357 }
michael@0 358 }
michael@0 359 break;
michael@0 360 case SEC_OID_PKCS7_DATA:
michael@0 361 if (decodeOptions->headerLevel >= 0)
michael@0 362 fprintf(out, "type=data; ");
michael@0 363 break;
michael@0 364 default:
michael@0 365 break;
michael@0 366 }
michael@0 367 if (decodeOptions->headerLevel >= 0)
michael@0 368 fprintf(out, "\n");
michael@0 369 }
michael@0 370
michael@0 371 if (!decodeOptions->suppressContent && out) {
michael@0 372 SECItem *item = (sitem.data ? &sitem
michael@0 373 : NSS_CMSMessage_GetContent(cmsg));
michael@0 374 if (item && item->data && item->len) {
michael@0 375 fwrite(item->data, item->len, 1, out);
michael@0 376 }
michael@0 377 }
michael@0 378 return cmsg;
michael@0 379
michael@0 380 loser:
michael@0 381 if (cmsg)
michael@0 382 NSS_CMSMessage_Destroy(cmsg);
michael@0 383 return NULL;
michael@0 384 }
michael@0 385
michael@0 386 /* example of a callback function to use with encoder */
michael@0 387 /*
michael@0 388 static void
michael@0 389 writeout(void *arg, const char *buf, unsigned long len)
michael@0 390 {
michael@0 391 FILE *f = (FILE *)arg;
michael@0 392
michael@0 393 if (f != NULL && buf != NULL)
michael@0 394 (void)fwrite(buf, len, 1, f);
michael@0 395 }
michael@0 396 */
michael@0 397
michael@0 398 static NSSCMSMessage *
michael@0 399 signed_data(struct signOptionsStr *signOptions)
michael@0 400 {
michael@0 401 NSSCMSMessage *cmsg = NULL;
michael@0 402 NSSCMSContentInfo *cinfo;
michael@0 403 NSSCMSSignedData *sigd;
michael@0 404 NSSCMSSignerInfo *signerinfo;
michael@0 405 CERTCertificate *cert= NULL, *ekpcert = NULL;
michael@0 406
michael@0 407 if (cms_verbose) {
michael@0 408 fprintf(stderr, "Input to signed_data:\n");
michael@0 409 if (signOptions->options->password)
michael@0 410 fprintf(stderr, "password [%s]\n", signOptions->options->password);
michael@0 411 else if (signOptions->options->pwfile)
michael@0 412 fprintf(stderr, "password file [%s]\n", signOptions->options->pwfile);
michael@0 413 else
michael@0 414 fprintf(stderr, "password [NULL]\n");
michael@0 415 fprintf(stderr, "certUsage [%d]\n", signOptions->options->certUsage);
michael@0 416 if (signOptions->options->certHandle)
michael@0 417 fprintf(stderr, "certdb [%p]\n", signOptions->options->certHandle);
michael@0 418 else
michael@0 419 fprintf(stderr, "certdb [NULL]\n");
michael@0 420 if (signOptions->nickname)
michael@0 421 fprintf(stderr, "nickname [%s]\n", signOptions->nickname);
michael@0 422 else
michael@0 423 fprintf(stderr, "nickname [NULL]\n");
michael@0 424 }
michael@0 425 if (signOptions->nickname == NULL) {
michael@0 426 fprintf(stderr,
michael@0 427 "ERROR: please indicate the nickname of a certificate to sign with.\n");
michael@0 428 return NULL;
michael@0 429 }
michael@0 430 if ((cert = CERT_FindUserCertByUsage(signOptions->options->certHandle,
michael@0 431 signOptions->nickname,
michael@0 432 signOptions->options->certUsage,
michael@0 433 PR_FALSE,
michael@0 434 &pwdata)) == NULL) {
michael@0 435 SECU_PrintError(progName,
michael@0 436 "the corresponding cert for key \"%s\" does not exist",
michael@0 437 signOptions->nickname);
michael@0 438 return NULL;
michael@0 439 }
michael@0 440 if (cms_verbose) {
michael@0 441 fprintf(stderr, "Found certificate for %s\n", signOptions->nickname);
michael@0 442 }
michael@0 443 /*
michael@0 444 * create the message object
michael@0 445 */
michael@0 446 cmsg = NSS_CMSMessage_Create(NULL); /* create a message on its own pool */
michael@0 447 if (cmsg == NULL) {
michael@0 448 fprintf(stderr, "ERROR: cannot create CMS message.\n");
michael@0 449 return NULL;
michael@0 450 }
michael@0 451 /*
michael@0 452 * build chain of objects: message->signedData->data
michael@0 453 */
michael@0 454 if ((sigd = NSS_CMSSignedData_Create(cmsg)) == NULL) {
michael@0 455 fprintf(stderr, "ERROR: cannot create CMS signedData object.\n");
michael@0 456 goto loser;
michael@0 457 }
michael@0 458 cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
michael@0 459 if (NSS_CMSContentInfo_SetContent_SignedData(cmsg, cinfo, sigd)
michael@0 460 != SECSuccess) {
michael@0 461 fprintf(stderr, "ERROR: cannot attach CMS signedData object.\n");
michael@0 462 goto loser;
michael@0 463 }
michael@0 464 cinfo = NSS_CMSSignedData_GetContentInfo(sigd);
michael@0 465 /* we're always passing data in and detaching optionally */
michael@0 466 if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL,
michael@0 467 signOptions->detached)
michael@0 468 != SECSuccess) {
michael@0 469 fprintf(stderr, "ERROR: cannot attach CMS data object.\n");
michael@0 470 goto loser;
michael@0 471 }
michael@0 472 /*
michael@0 473 * create & attach signer information
michael@0 474 */
michael@0 475 signerinfo = NSS_CMSSignerInfo_Create(cmsg, cert, signOptions->hashAlgTag);
michael@0 476 if (signerinfo == NULL) {
michael@0 477 fprintf(stderr, "ERROR: cannot create CMS signerInfo object.\n");
michael@0 478 goto loser;
michael@0 479 }
michael@0 480 if (cms_verbose) {
michael@0 481 fprintf(stderr,
michael@0 482 "Created CMS message, added signed data w/ signerinfo\n");
michael@0 483 }
michael@0 484 /* we want the cert chain included for this one */
michael@0 485 if (NSS_CMSSignerInfo_IncludeCerts(signerinfo, NSSCMSCM_CertChain,
michael@0 486 signOptions->options->certUsage)
michael@0 487 != SECSuccess) {
michael@0 488 fprintf(stderr, "ERROR: cannot find cert chain.\n");
michael@0 489 goto loser;
michael@0 490 }
michael@0 491 if (cms_verbose) {
michael@0 492 fprintf(stderr, "imported certificate\n");
michael@0 493 }
michael@0 494 if (signOptions->signingTime) {
michael@0 495 if (NSS_CMSSignerInfo_AddSigningTime(signerinfo, PR_Now())
michael@0 496 != SECSuccess) {
michael@0 497 fprintf(stderr, "ERROR: cannot add signingTime attribute.\n");
michael@0 498 goto loser;
michael@0 499 }
michael@0 500 }
michael@0 501 if (signOptions->smimeProfile) {
michael@0 502 if (NSS_CMSSignerInfo_AddSMIMECaps(signerinfo) != SECSuccess) {
michael@0 503 fprintf(stderr, "ERROR: cannot add SMIMECaps attribute.\n");
michael@0 504 goto loser;
michael@0 505 }
michael@0 506 }
michael@0 507
michael@0 508 if (!signOptions->encryptionKeyPreferenceNick) {
michael@0 509 /* check signing cert for fitness as encryption cert */
michael@0 510 SECStatus FitForEncrypt = CERT_CheckCertUsage(cert,
michael@0 511 certUsageEmailRecipient);
michael@0 512
michael@0 513 if (SECSuccess == FitForEncrypt) {
michael@0 514 /* if yes, add signing cert as EncryptionKeyPreference */
michael@0 515 if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, cert,
michael@0 516 signOptions->options->certHandle)
michael@0 517 != SECSuccess) {
michael@0 518 fprintf(stderr,
michael@0 519 "ERROR: cannot add default SMIMEEncKeyPrefs attribute.\n");
michael@0 520 goto loser;
michael@0 521 }
michael@0 522 if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, cert,
michael@0 523 signOptions->options->certHandle)
michael@0 524 != SECSuccess) {
michael@0 525 fprintf(stderr,
michael@0 526 "ERROR: cannot add default MS SMIMEEncKeyPrefs attribute.\n");
michael@0 527 goto loser;
michael@0 528 }
michael@0 529 } else {
michael@0 530 /* this is a dual-key cert case, we need to look for the encryption
michael@0 531 certificate under the same nickname as the signing cert */
michael@0 532 /* get the cert, add it to the message */
michael@0 533 if ((ekpcert = CERT_FindUserCertByUsage(
michael@0 534 signOptions->options->certHandle,
michael@0 535 signOptions->nickname,
michael@0 536 certUsageEmailRecipient,
michael@0 537 PR_FALSE,
michael@0 538 &pwdata)) == NULL) {
michael@0 539 SECU_PrintError(progName,
michael@0 540 "the corresponding cert for key \"%s\" does not exist",
michael@0 541 signOptions->encryptionKeyPreferenceNick);
michael@0 542 goto loser;
michael@0 543 }
michael@0 544 if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, ekpcert,
michael@0 545 signOptions->options->certHandle)
michael@0 546 != SECSuccess) {
michael@0 547 fprintf(stderr,
michael@0 548 "ERROR: cannot add SMIMEEncKeyPrefs attribute.\n");
michael@0 549 goto loser;
michael@0 550 }
michael@0 551 if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, ekpcert,
michael@0 552 signOptions->options->certHandle)
michael@0 553 != SECSuccess) {
michael@0 554 fprintf(stderr,
michael@0 555 "ERROR: cannot add MS SMIMEEncKeyPrefs attribute.\n");
michael@0 556 goto loser;
michael@0 557 }
michael@0 558 if (NSS_CMSSignedData_AddCertificate(sigd, ekpcert) != SECSuccess) {
michael@0 559 fprintf(stderr, "ERROR: cannot add encryption certificate.\n");
michael@0 560 goto loser;
michael@0 561 }
michael@0 562 }
michael@0 563 } else if (PL_strcmp(signOptions->encryptionKeyPreferenceNick, "NONE") == 0) {
michael@0 564 /* No action */
michael@0 565 } else {
michael@0 566 /* get the cert, add it to the message */
michael@0 567 if ((ekpcert = CERT_FindUserCertByUsage(
michael@0 568 signOptions->options->certHandle,
michael@0 569 signOptions->encryptionKeyPreferenceNick,
michael@0 570 certUsageEmailRecipient, PR_FALSE, &pwdata))
michael@0 571 == NULL) {
michael@0 572 SECU_PrintError(progName,
michael@0 573 "the corresponding cert for key \"%s\" does not exist",
michael@0 574 signOptions->encryptionKeyPreferenceNick);
michael@0 575 goto loser;
michael@0 576 }
michael@0 577 if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, ekpcert,
michael@0 578 signOptions->options->certHandle)
michael@0 579 != SECSuccess) {
michael@0 580 fprintf(stderr, "ERROR: cannot add SMIMEEncKeyPrefs attribute.\n");
michael@0 581 goto loser;
michael@0 582 }
michael@0 583 if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, ekpcert,
michael@0 584 signOptions->options->certHandle)
michael@0 585 != SECSuccess) {
michael@0 586 fprintf(stderr, "ERROR: cannot add MS SMIMEEncKeyPrefs attribute.\n");
michael@0 587 goto loser;
michael@0 588 }
michael@0 589 if (NSS_CMSSignedData_AddCertificate(sigd, ekpcert) != SECSuccess) {
michael@0 590 fprintf(stderr, "ERROR: cannot add encryption certificate.\n");
michael@0 591 goto loser;
michael@0 592 }
michael@0 593 }
michael@0 594
michael@0 595 if (NSS_CMSSignedData_AddSignerInfo(sigd, signerinfo) != SECSuccess) {
michael@0 596 fprintf(stderr, "ERROR: cannot add CMS signerInfo object.\n");
michael@0 597 goto loser;
michael@0 598 }
michael@0 599 if (cms_verbose) {
michael@0 600 fprintf(stderr, "created signed-data message\n");
michael@0 601 }
michael@0 602 if (ekpcert) {
michael@0 603 CERT_DestroyCertificate(ekpcert);
michael@0 604 }
michael@0 605 if (cert) {
michael@0 606 CERT_DestroyCertificate(cert);
michael@0 607 }
michael@0 608 return cmsg;
michael@0 609 loser:
michael@0 610 if (ekpcert) {
michael@0 611 CERT_DestroyCertificate(ekpcert);
michael@0 612 }
michael@0 613 if (cert) {
michael@0 614 CERT_DestroyCertificate(cert);
michael@0 615 }
michael@0 616 NSS_CMSMessage_Destroy(cmsg);
michael@0 617 return NULL;
michael@0 618 }
michael@0 619
michael@0 620 static NSSCMSMessage *
michael@0 621 enveloped_data(struct envelopeOptionsStr *envelopeOptions)
michael@0 622 {
michael@0 623 NSSCMSMessage *cmsg = NULL;
michael@0 624 NSSCMSContentInfo *cinfo;
michael@0 625 NSSCMSEnvelopedData *envd;
michael@0 626 NSSCMSRecipientInfo *recipientinfo;
michael@0 627 CERTCertificate **recipientcerts = NULL;
michael@0 628 CERTCertDBHandle *dbhandle;
michael@0 629 PLArenaPool *tmppoolp = NULL;
michael@0 630 SECOidTag bulkalgtag;
michael@0 631 int keysize, i = 0;
michael@0 632 int cnt;
michael@0 633 dbhandle = envelopeOptions->options->certHandle;
michael@0 634 /* count the recipients */
michael@0 635 if ((cnt = nss_CMSArray_Count((void **)envelopeOptions->recipients)) == 0) {
michael@0 636 fprintf(stderr, "ERROR: please name at least one recipient.\n");
michael@0 637 goto loser;
michael@0 638 }
michael@0 639 if ((tmppoolp = PORT_NewArena (1024)) == NULL) {
michael@0 640 fprintf(stderr, "ERROR: out of memory.\n");
michael@0 641 goto loser;
michael@0 642 }
michael@0 643 /* XXX find the recipient's certs by email address or nickname */
michael@0 644 if ((recipientcerts =
michael@0 645 (CERTCertificate **)PORT_ArenaZAlloc(tmppoolp,
michael@0 646 (cnt+1)*sizeof(CERTCertificate*)))
michael@0 647 == NULL) {
michael@0 648 fprintf(stderr, "ERROR: out of memory.\n");
michael@0 649 goto loser;
michael@0 650 }
michael@0 651 for (i=0; envelopeOptions->recipients[i] != NULL; i++) {
michael@0 652 if ((recipientcerts[i] =
michael@0 653 CERT_FindCertByNicknameOrEmailAddr(dbhandle,
michael@0 654 envelopeOptions->recipients[i]))
michael@0 655 == NULL) {
michael@0 656 SECU_PrintError(progName, "cannot find certificate for \"%s\"",
michael@0 657 envelopeOptions->recipients[i]);
michael@0 658 i=0;
michael@0 659 goto loser;
michael@0 660 }
michael@0 661 }
michael@0 662 recipientcerts[i] = NULL;
michael@0 663 i=0;
michael@0 664 /* find a nice bulk algorithm */
michael@0 665 if (NSS_SMIMEUtil_FindBulkAlgForRecipients(recipientcerts, &bulkalgtag,
michael@0 666 &keysize) != SECSuccess) {
michael@0 667 fprintf(stderr, "ERROR: cannot find common bulk algorithm.\n");
michael@0 668 goto loser;
michael@0 669 }
michael@0 670 /*
michael@0 671 * create the message object
michael@0 672 */
michael@0 673 cmsg = NSS_CMSMessage_Create(NULL); /* create a message on its own pool */
michael@0 674 if (cmsg == NULL) {
michael@0 675 fprintf(stderr, "ERROR: cannot create CMS message.\n");
michael@0 676 goto loser;
michael@0 677 }
michael@0 678 /*
michael@0 679 * build chain of objects: message->envelopedData->data
michael@0 680 */
michael@0 681 if ((envd = NSS_CMSEnvelopedData_Create(cmsg, bulkalgtag, keysize))
michael@0 682 == NULL) {
michael@0 683 fprintf(stderr, "ERROR: cannot create CMS envelopedData object.\n");
michael@0 684 goto loser;
michael@0 685 }
michael@0 686 cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
michael@0 687 if (NSS_CMSContentInfo_SetContent_EnvelopedData(cmsg, cinfo, envd)
michael@0 688 != SECSuccess) {
michael@0 689 fprintf(stderr, "ERROR: cannot attach CMS envelopedData object.\n");
michael@0 690 goto loser;
michael@0 691 }
michael@0 692 cinfo = NSS_CMSEnvelopedData_GetContentInfo(envd);
michael@0 693 /* we're always passing data in, so the content is NULL */
michael@0 694 if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, PR_FALSE)
michael@0 695 != SECSuccess) {
michael@0 696 fprintf(stderr, "ERROR: cannot attach CMS data object.\n");
michael@0 697 goto loser;
michael@0 698 }
michael@0 699 /*
michael@0 700 * create & attach recipient information
michael@0 701 */
michael@0 702 for (i = 0; recipientcerts[i] != NULL; i++) {
michael@0 703 if ((recipientinfo = NSS_CMSRecipientInfo_Create(cmsg,
michael@0 704 recipientcerts[i]))
michael@0 705 == NULL) {
michael@0 706 fprintf(stderr, "ERROR: cannot create CMS recipientInfo object.\n");
michael@0 707 goto loser;
michael@0 708 }
michael@0 709 if (NSS_CMSEnvelopedData_AddRecipient(envd, recipientinfo)
michael@0 710 != SECSuccess) {
michael@0 711 fprintf(stderr, "ERROR: cannot add CMS recipientInfo object.\n");
michael@0 712 goto loser;
michael@0 713 }
michael@0 714 CERT_DestroyCertificate(recipientcerts[i]);
michael@0 715 }
michael@0 716 if (tmppoolp)
michael@0 717 PORT_FreeArena(tmppoolp, PR_FALSE);
michael@0 718 return cmsg;
michael@0 719 loser:
michael@0 720 if (recipientcerts) {
michael@0 721 for (; recipientcerts[i] != NULL; i++) {
michael@0 722 CERT_DestroyCertificate(recipientcerts[i]);
michael@0 723 }
michael@0 724 }
michael@0 725 if (cmsg)
michael@0 726 NSS_CMSMessage_Destroy(cmsg);
michael@0 727 if (tmppoolp)
michael@0 728 PORT_FreeArena(tmppoolp, PR_FALSE);
michael@0 729 return NULL;
michael@0 730 }
michael@0 731
michael@0 732 PK11SymKey *dkcb(void *arg, SECAlgorithmID *algid)
michael@0 733 {
michael@0 734 return (PK11SymKey*)arg;
michael@0 735 }
michael@0 736
michael@0 737 static SECStatus
michael@0 738 get_enc_params(struct encryptOptionsStr *encryptOptions)
michael@0 739 {
michael@0 740 struct envelopeOptionsStr envelopeOptions;
michael@0 741 SECStatus rv = SECFailure;
michael@0 742 NSSCMSMessage *env_cmsg;
michael@0 743 NSSCMSContentInfo *cinfo;
michael@0 744 int i, nlevels;
michael@0 745 /*
michael@0 746 * construct an enveloped data message to obtain bulk keys
michael@0 747 */
michael@0 748 if (encryptOptions->envmsg) {
michael@0 749 env_cmsg = encryptOptions->envmsg; /* get it from an old message */
michael@0 750 } else {
michael@0 751 SECItem dummyOut = { 0, 0, 0 };
michael@0 752 SECItem dummyIn = { 0, 0, 0 };
michael@0 753 char str[] = "Hello!";
michael@0 754 PLArenaPool *tmparena = PORT_NewArena(1024);
michael@0 755 dummyIn.data = (unsigned char *)str;
michael@0 756 dummyIn.len = strlen(str);
michael@0 757 envelopeOptions.options = encryptOptions->options;
michael@0 758 envelopeOptions.recipients = encryptOptions->recipients;
michael@0 759 env_cmsg = enveloped_data(&envelopeOptions);
michael@0 760 NSS_CMSDEREncode(env_cmsg, &dummyIn, &dummyOut, tmparena);
michael@0 761 PR_Write(encryptOptions->envFile, dummyOut.data, dummyOut.len);
michael@0 762 PORT_FreeArena(tmparena, PR_FALSE);
michael@0 763 }
michael@0 764 /*
michael@0 765 * get the content info for the enveloped data
michael@0 766 */
michael@0 767 nlevels = NSS_CMSMessage_ContentLevelCount(env_cmsg);
michael@0 768 for (i = 0; i < nlevels; i++) {
michael@0 769 SECOidTag typetag;
michael@0 770 cinfo = NSS_CMSMessage_ContentLevel(env_cmsg, i);
michael@0 771 typetag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
michael@0 772 if (typetag == SEC_OID_PKCS7_DATA) {
michael@0 773 /*
michael@0 774 * get the symmetric key
michael@0 775 */
michael@0 776 encryptOptions->bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo);
michael@0 777 encryptOptions->keysize = NSS_CMSContentInfo_GetBulkKeySize(cinfo);
michael@0 778 encryptOptions->bulkkey = NSS_CMSContentInfo_GetBulkKey(cinfo);
michael@0 779 rv = SECSuccess;
michael@0 780 break;
michael@0 781 }
michael@0 782 }
michael@0 783 if (i == nlevels) {
michael@0 784 fprintf(stderr, "%s: could not retrieve enveloped data.", progName);
michael@0 785 }
michael@0 786 if (env_cmsg)
michael@0 787 NSS_CMSMessage_Destroy(env_cmsg);
michael@0 788 return rv;
michael@0 789 }
michael@0 790
michael@0 791 static NSSCMSMessage *
michael@0 792 encrypted_data(struct encryptOptionsStr *encryptOptions)
michael@0 793 {
michael@0 794 SECStatus rv = SECFailure;
michael@0 795 NSSCMSMessage *cmsg = NULL;
michael@0 796 NSSCMSContentInfo *cinfo;
michael@0 797 NSSCMSEncryptedData *encd;
michael@0 798 NSSCMSEncoderContext *ecx = NULL;
michael@0 799 PLArenaPool *tmppoolp = NULL;
michael@0 800 SECItem derOut = { 0, 0, 0 };
michael@0 801 /* arena for output */
michael@0 802 tmppoolp = PORT_NewArena(1024);
michael@0 803 if (!tmppoolp) {
michael@0 804 fprintf(stderr, "%s: out of memory.\n", progName);
michael@0 805 return NULL;
michael@0 806 }
michael@0 807 /*
michael@0 808 * create the message object
michael@0 809 */
michael@0 810 cmsg = NSS_CMSMessage_Create(NULL);
michael@0 811 if (cmsg == NULL) {
michael@0 812 fprintf(stderr, "ERROR: cannot create CMS message.\n");
michael@0 813 goto loser;
michael@0 814 }
michael@0 815 /*
michael@0 816 * build chain of objects: message->encryptedData->data
michael@0 817 */
michael@0 818 if ((encd = NSS_CMSEncryptedData_Create(cmsg, encryptOptions->bulkalgtag,
michael@0 819 encryptOptions->keysize))
michael@0 820 == NULL) {
michael@0 821 fprintf(stderr, "ERROR: cannot create CMS encryptedData object.\n");
michael@0 822 goto loser;
michael@0 823 }
michael@0 824 cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
michael@0 825 if (NSS_CMSContentInfo_SetContent_EncryptedData(cmsg, cinfo, encd)
michael@0 826 != SECSuccess) {
michael@0 827 fprintf(stderr, "ERROR: cannot attach CMS encryptedData object.\n");
michael@0 828 goto loser;
michael@0 829 }
michael@0 830 cinfo = NSS_CMSEncryptedData_GetContentInfo(encd);
michael@0 831 /* we're always passing data in, so the content is NULL */
michael@0 832 if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, PR_FALSE)
michael@0 833 != SECSuccess) {
michael@0 834 fprintf(stderr, "ERROR: cannot attach CMS data object.\n");
michael@0 835 goto loser;
michael@0 836 }
michael@0 837 ecx = NSS_CMSEncoder_Start(cmsg, NULL, NULL, &derOut, tmppoolp, NULL, NULL,
michael@0 838 dkcb, encryptOptions->bulkkey, NULL, NULL);
michael@0 839 if (!ecx) {
michael@0 840 fprintf(stderr, "%s: cannot create encoder context.\n", progName);
michael@0 841 goto loser;
michael@0 842 }
michael@0 843 rv = NSS_CMSEncoder_Update(ecx, (char *)encryptOptions->input->data,
michael@0 844 encryptOptions->input->len);
michael@0 845 if (rv) {
michael@0 846 fprintf(stderr, "%s: failed to add data to encoder.\n", progName);
michael@0 847 goto loser;
michael@0 848 }
michael@0 849 rv = NSS_CMSEncoder_Finish(ecx);
michael@0 850 if (rv) {
michael@0 851 fprintf(stderr, "%s: failed to encrypt data.\n", progName);
michael@0 852 goto loser;
michael@0 853 }
michael@0 854 fwrite(derOut.data, derOut.len, 1, encryptOptions->outfile);
michael@0 855 /*
michael@0 856 if (bulkkey)
michael@0 857 PK11_FreeSymKey(bulkkey);
michael@0 858 */
michael@0 859 if (tmppoolp)
michael@0 860 PORT_FreeArena(tmppoolp, PR_FALSE);
michael@0 861 return cmsg;
michael@0 862 loser:
michael@0 863 /*
michael@0 864 if (bulkkey)
michael@0 865 PK11_FreeSymKey(bulkkey);
michael@0 866 */
michael@0 867 if (tmppoolp)
michael@0 868 PORT_FreeArena(tmppoolp, PR_FALSE);
michael@0 869 if (cmsg)
michael@0 870 NSS_CMSMessage_Destroy(cmsg);
michael@0 871 return NULL;
michael@0 872 }
michael@0 873
michael@0 874 static NSSCMSMessage *
michael@0 875 signed_data_certsonly(struct certsonlyOptionsStr *certsonlyOptions)
michael@0 876 {
michael@0 877 NSSCMSMessage *cmsg = NULL;
michael@0 878 NSSCMSContentInfo *cinfo;
michael@0 879 NSSCMSSignedData *sigd;
michael@0 880 CERTCertificate **certs = NULL;
michael@0 881 CERTCertDBHandle *dbhandle;
michael@0 882 PLArenaPool *tmppoolp = NULL;
michael@0 883 int i = 0, cnt;
michael@0 884 dbhandle = certsonlyOptions->options->certHandle;
michael@0 885 if ((cnt = nss_CMSArray_Count((void**)certsonlyOptions->recipients)) == 0) {
michael@0 886 fprintf(stderr,
michael@0 887 "ERROR: please indicate the nickname of a certificate to sign with.\n");
michael@0 888 goto loser;
michael@0 889 }
michael@0 890 if (!(tmppoolp = PORT_NewArena(1024))) {
michael@0 891 fprintf(stderr, "ERROR: out of memory.\n");
michael@0 892 goto loser;
michael@0 893 }
michael@0 894 if (!(certs = PORT_ArenaZNewArray(tmppoolp, CERTCertificate *, cnt + 1))) {
michael@0 895 fprintf(stderr, "ERROR: out of memory.\n");
michael@0 896 goto loser;
michael@0 897 }
michael@0 898 for (i=0; certsonlyOptions->recipients[i] != NULL; i++) {
michael@0 899 if ((certs[i] =
michael@0 900 CERT_FindCertByNicknameOrEmailAddr(dbhandle,
michael@0 901 certsonlyOptions->recipients[i]))
michael@0 902 == NULL) {
michael@0 903 SECU_PrintError(progName, "cannot find certificate for \"%s\"",
michael@0 904 certsonlyOptions->recipients[i]);
michael@0 905 i=0;
michael@0 906 goto loser;
michael@0 907 }
michael@0 908 }
michael@0 909 certs[i] = NULL;
michael@0 910 i=0;
michael@0 911 /*
michael@0 912 * create the message object
michael@0 913 */
michael@0 914 cmsg = NSS_CMSMessage_Create(NULL);
michael@0 915 if (cmsg == NULL) {
michael@0 916 fprintf(stderr, "ERROR: cannot create CMS message.\n");
michael@0 917 goto loser;
michael@0 918 }
michael@0 919 /*
michael@0 920 * build chain of objects: message->signedData->data
michael@0 921 */
michael@0 922 if ((sigd = NSS_CMSSignedData_CreateCertsOnly(cmsg, certs[0], PR_TRUE))
michael@0 923 == NULL) {
michael@0 924 fprintf(stderr, "ERROR: cannot create CMS signedData object.\n");
michael@0 925 goto loser;
michael@0 926 }
michael@0 927 CERT_DestroyCertificate(certs[0]);
michael@0 928 for (i=1; i<cnt; i++) {
michael@0 929 if (NSS_CMSSignedData_AddCertChain(sigd, certs[i])) {
michael@0 930 fprintf(stderr, "ERROR: cannot add cert chain for \"%s\".\n",
michael@0 931 certsonlyOptions->recipients[i]);
michael@0 932 goto loser;
michael@0 933 }
michael@0 934 CERT_DestroyCertificate(certs[i]);
michael@0 935 }
michael@0 936 cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
michael@0 937 if (NSS_CMSContentInfo_SetContent_SignedData(cmsg, cinfo, sigd)
michael@0 938 != SECSuccess) {
michael@0 939 fprintf(stderr, "ERROR: cannot attach CMS signedData object.\n");
michael@0 940 goto loser;
michael@0 941 }
michael@0 942 cinfo = NSS_CMSSignedData_GetContentInfo(sigd);
michael@0 943 if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, PR_FALSE)
michael@0 944 != SECSuccess) {
michael@0 945 fprintf(stderr, "ERROR: cannot attach CMS data object.\n");
michael@0 946 goto loser;
michael@0 947 }
michael@0 948 if (tmppoolp)
michael@0 949 PORT_FreeArena(tmppoolp, PR_FALSE);
michael@0 950 return cmsg;
michael@0 951 loser:
michael@0 952 if (certs) {
michael@0 953 for (; i<cnt; i++) {
michael@0 954 CERT_DestroyCertificate(certs[i]);
michael@0 955 }
michael@0 956 }
michael@0 957 if (cmsg)
michael@0 958 NSS_CMSMessage_Destroy(cmsg);
michael@0 959 if (tmppoolp)
michael@0 960 PORT_FreeArena(tmppoolp, PR_FALSE);
michael@0 961 return NULL;
michael@0 962 }
michael@0 963
michael@0 964 static char *
michael@0 965 pl_fgets(char * buf, int size, PRFileDesc * fd)
michael@0 966 {
michael@0 967 char * bp = buf;
michael@0 968 int nb = 0;;
michael@0 969
michael@0 970 while (size > 1) {
michael@0 971 nb = PR_Read(fd, bp, 1);
michael@0 972 if (nb < 0) {
michael@0 973 /* deal with error */
michael@0 974 return NULL;
michael@0 975 } else if (nb == 0) {
michael@0 976 /* deal with EOF */
michael@0 977 return NULL;
michael@0 978 } else if (*bp == '\n') {
michael@0 979 /* deal with EOL */
michael@0 980 ++bp; /* keep EOL character */
michael@0 981 break;
michael@0 982 } else {
michael@0 983 /* ordinary character */
michael@0 984 ++bp;
michael@0 985 --size;
michael@0 986 }
michael@0 987 }
michael@0 988 *bp = '\0';
michael@0 989 return buf;
michael@0 990 }
michael@0 991
michael@0 992 typedef enum { UNKNOWN, DECODE, SIGN, ENCRYPT, ENVELOPE, CERTSONLY } Mode;
michael@0 993
michael@0 994 static int
michael@0 995 doBatchDecode(FILE *outFile, PRFileDesc *batchFile,
michael@0 996 const struct decodeOptionsStr *decodeOptions)
michael@0 997 {
michael@0 998 char * str;
michael@0 999 int exitStatus = 0;
michael@0 1000 char batchLine[512];
michael@0 1001
michael@0 1002 while (NULL != (str = pl_fgets(batchLine, sizeof batchLine, batchFile))) {
michael@0 1003 NSSCMSMessage *cmsg = NULL;
michael@0 1004 PRFileDesc * inFile;
michael@0 1005 int len = strlen(str);
michael@0 1006 SECStatus rv;
michael@0 1007 SECItem input = {0, 0, 0};
michael@0 1008 char cc;
michael@0 1009
michael@0 1010 while (len > 0 &&
michael@0 1011 ((cc = str[len - 1]) == '\n' || cc == '\r')) {
michael@0 1012 str[--len] = '\0';
michael@0 1013 }
michael@0 1014 if (!len) /* skip empty line */
michael@0 1015 continue;
michael@0 1016 if (str[0] == '#')
michael@0 1017 continue; /* skip comment line */
michael@0 1018 fprintf(outFile, "========== %s ==========\n", str);
michael@0 1019 inFile = PR_Open(str, PR_RDONLY, 00660);
michael@0 1020 if (inFile == NULL) {
michael@0 1021 fprintf(outFile, "%s: unable to open \"%s\" for reading\n",
michael@0 1022 progName, str);
michael@0 1023 exitStatus = 1;
michael@0 1024 continue;
michael@0 1025 }
michael@0 1026 rv = SECU_FileToItem(&input, inFile);
michael@0 1027 PR_Close(inFile);
michael@0 1028 if (rv != SECSuccess) {
michael@0 1029 SECU_PrintError(progName, "unable to read infile");
michael@0 1030 exitStatus = 1;
michael@0 1031 continue;
michael@0 1032 }
michael@0 1033 cmsg = decode(outFile, &input, decodeOptions);
michael@0 1034 SECITEM_FreeItem(&input, PR_FALSE);
michael@0 1035 if (cmsg)
michael@0 1036 NSS_CMSMessage_Destroy(cmsg);
michael@0 1037 else {
michael@0 1038 SECU_PrintError(progName, "problem decoding");
michael@0 1039 exitStatus = 1;
michael@0 1040 }
michael@0 1041 }
michael@0 1042 return exitStatus;
michael@0 1043 }
michael@0 1044
michael@0 1045 int
michael@0 1046 main(int argc, char **argv)
michael@0 1047 {
michael@0 1048 FILE *outFile;
michael@0 1049 NSSCMSMessage *cmsg = NULL;
michael@0 1050 PRFileDesc *inFile;
michael@0 1051 PLOptState *optstate;
michael@0 1052 PLOptStatus status;
michael@0 1053 Mode mode = UNKNOWN;
michael@0 1054 struct decodeOptionsStr decodeOptions = { 0 };
michael@0 1055 struct signOptionsStr signOptions = { 0 };
michael@0 1056 struct envelopeOptionsStr envelopeOptions = { 0 };
michael@0 1057 struct certsonlyOptionsStr certsonlyOptions = { 0 };
michael@0 1058 struct encryptOptionsStr encryptOptions = { 0 };
michael@0 1059 struct optionsStr options = { 0 };
michael@0 1060 int exitstatus;
michael@0 1061 static char *ptrarray[128] = { 0 };
michael@0 1062 int nrecipients = 0;
michael@0 1063 char *str, *tok;
michael@0 1064 char *envFileName;
michael@0 1065 SECItem input = { 0, 0, 0};
michael@0 1066 SECItem envmsg = { 0, 0, 0 };
michael@0 1067 SECStatus rv;
michael@0 1068 PRFileDesc *contentFile = NULL;
michael@0 1069 PRBool batch = PR_FALSE;
michael@0 1070
michael@0 1071 #ifdef NISCC_TEST
michael@0 1072 const char *ev = PR_GetEnv("NSS_DISABLE_ARENA_FREE_LIST");
michael@0 1073 PORT_Assert(ev);
michael@0 1074 ev = PR_GetEnv("NSS_STRICT_SHUTDOWN");
michael@0 1075 PORT_Assert(ev);
michael@0 1076 #endif
michael@0 1077
michael@0 1078 progName = strrchr(argv[0], '/');
michael@0 1079 if (!progName)
michael@0 1080 progName = strrchr(argv[0], '\\');
michael@0 1081 progName = progName ? progName+1 : argv[0];
michael@0 1082
michael@0 1083 inFile = PR_STDIN;
michael@0 1084 outFile = stdout;
michael@0 1085 envFileName = NULL;
michael@0 1086 mode = UNKNOWN;
michael@0 1087 decodeOptions.content.data = NULL;
michael@0 1088 decodeOptions.content.len = 0;
michael@0 1089 decodeOptions.suppressContent = PR_FALSE;
michael@0 1090 decodeOptions.headerLevel = -1;
michael@0 1091 decodeOptions.keepCerts = PR_FALSE;
michael@0 1092 options.certUsage = certUsageEmailSigner;
michael@0 1093 options.password = NULL;
michael@0 1094 options.pwfile = NULL;
michael@0 1095 signOptions.nickname = NULL;
michael@0 1096 signOptions.detached = PR_FALSE;
michael@0 1097 signOptions.signingTime = PR_FALSE;
michael@0 1098 signOptions.smimeProfile = PR_FALSE;
michael@0 1099 signOptions.encryptionKeyPreferenceNick = NULL;
michael@0 1100 signOptions.hashAlgTag = SEC_OID_SHA1;
michael@0 1101 envelopeOptions.recipients = NULL;
michael@0 1102 encryptOptions.recipients = NULL;
michael@0 1103 encryptOptions.envmsg = NULL;
michael@0 1104 encryptOptions.envFile = NULL;
michael@0 1105 encryptOptions.bulkalgtag = SEC_OID_UNKNOWN;
michael@0 1106 encryptOptions.bulkkey = NULL;
michael@0 1107 encryptOptions.keysize = -1;
michael@0 1108
michael@0 1109 /*
michael@0 1110 * Parse command line arguments
michael@0 1111 */
michael@0 1112 optstate = PL_CreateOptState(argc, argv,
michael@0 1113 "CDEGH:N:OPSTY:bc:d:e:f:h:i:kno:p:r:s:u:v");
michael@0 1114 while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
michael@0 1115 switch (optstate->option) {
michael@0 1116 case 'C':
michael@0 1117 mode = ENCRYPT;
michael@0 1118 break;
michael@0 1119 case 'D':
michael@0 1120 mode = DECODE;
michael@0 1121 break;
michael@0 1122 case 'E':
michael@0 1123 mode = ENVELOPE;
michael@0 1124 break;
michael@0 1125 case 'G':
michael@0 1126 if (mode != SIGN) {
michael@0 1127 fprintf(stderr,
michael@0 1128 "%s: option -G only supported with option -S.\n",
michael@0 1129 progName);
michael@0 1130 Usage(progName);
michael@0 1131 exit(1);
michael@0 1132 }
michael@0 1133 signOptions.signingTime = PR_TRUE;
michael@0 1134 break;
michael@0 1135 case 'H':
michael@0 1136 if (mode != SIGN) {
michael@0 1137 fprintf(stderr,
michael@0 1138 "%s: option -H only supported with option -S.\n",
michael@0 1139 progName);
michael@0 1140 Usage(progName);
michael@0 1141 exit(1);
michael@0 1142 }
michael@0 1143 decodeOptions.suppressContent = PR_TRUE;
michael@0 1144 if (!strcmp(optstate->value, "MD2"))
michael@0 1145 signOptions.hashAlgTag = SEC_OID_MD2;
michael@0 1146 else if (!strcmp(optstate->value, "MD4"))
michael@0 1147 signOptions.hashAlgTag = SEC_OID_MD4;
michael@0 1148 else if (!strcmp(optstate->value, "MD5"))
michael@0 1149 signOptions.hashAlgTag = SEC_OID_MD5;
michael@0 1150 else if (!strcmp(optstate->value, "SHA1"))
michael@0 1151 signOptions.hashAlgTag = SEC_OID_SHA1;
michael@0 1152 else if (!strcmp(optstate->value, "SHA256"))
michael@0 1153 signOptions.hashAlgTag = SEC_OID_SHA256;
michael@0 1154 else if (!strcmp(optstate->value, "SHA384"))
michael@0 1155 signOptions.hashAlgTag = SEC_OID_SHA384;
michael@0 1156 else if (!strcmp(optstate->value, "SHA512"))
michael@0 1157 signOptions.hashAlgTag = SEC_OID_SHA512;
michael@0 1158 else {
michael@0 1159 fprintf(stderr,
michael@0 1160 "%s: -H requires one of MD2,MD4,MD5,SHA1,SHA256,SHA384,SHA512\n",
michael@0 1161 progName);
michael@0 1162 exit(1);
michael@0 1163 }
michael@0 1164 break;
michael@0 1165 case 'N':
michael@0 1166 if (mode != SIGN) {
michael@0 1167 fprintf(stderr,
michael@0 1168 "%s: option -N only supported with option -S.\n",
michael@0 1169 progName);
michael@0 1170 Usage(progName);
michael@0 1171 exit(1);
michael@0 1172 }
michael@0 1173 signOptions.nickname = strdup(optstate->value);
michael@0 1174 break;
michael@0 1175 case 'O':
michael@0 1176 mode = CERTSONLY;
michael@0 1177 break;
michael@0 1178 case 'P':
michael@0 1179 if (mode != SIGN) {
michael@0 1180 fprintf(stderr,
michael@0 1181 "%s: option -P only supported with option -S.\n",
michael@0 1182 progName);
michael@0 1183 Usage(progName);
michael@0 1184 exit(1);
michael@0 1185 }
michael@0 1186 signOptions.smimeProfile = PR_TRUE;
michael@0 1187 break;
michael@0 1188 case 'S':
michael@0 1189 mode = SIGN;
michael@0 1190 break;
michael@0 1191 case 'T':
michael@0 1192 if (mode != SIGN) {
michael@0 1193 fprintf(stderr,
michael@0 1194 "%s: option -T only supported with option -S.\n",
michael@0 1195 progName);
michael@0 1196 Usage(progName);
michael@0 1197 exit(1);
michael@0 1198 }
michael@0 1199 signOptions.detached = PR_TRUE;
michael@0 1200 break;
michael@0 1201 case 'Y':
michael@0 1202 if (mode != SIGN) {
michael@0 1203 fprintf(stderr,
michael@0 1204 "%s: option -Y only supported with option -S.\n",
michael@0 1205 progName);
michael@0 1206 Usage(progName);
michael@0 1207 exit(1);
michael@0 1208 }
michael@0 1209 signOptions.encryptionKeyPreferenceNick = strdup(optstate->value);
michael@0 1210 break;
michael@0 1211
michael@0 1212 case 'b':
michael@0 1213 if (mode != DECODE) {
michael@0 1214 fprintf(stderr,
michael@0 1215 "%s: option -b only supported with option -D.\n",
michael@0 1216 progName);
michael@0 1217 Usage(progName);
michael@0 1218 exit(1);
michael@0 1219 }
michael@0 1220 batch = PR_TRUE;
michael@0 1221 break;
michael@0 1222
michael@0 1223 case 'c':
michael@0 1224 if (mode != DECODE) {
michael@0 1225 fprintf(stderr,
michael@0 1226 "%s: option -c only supported with option -D.\n",
michael@0 1227 progName);
michael@0 1228 Usage(progName);
michael@0 1229 exit(1);
michael@0 1230 }
michael@0 1231 contentFile = PR_Open(optstate->value, PR_RDONLY, 006600);
michael@0 1232 if (contentFile == NULL) {
michael@0 1233 fprintf(stderr, "%s: unable to open \"%s\" for reading.\n",
michael@0 1234 progName, optstate->value);
michael@0 1235 exit(1);
michael@0 1236 }
michael@0 1237
michael@0 1238 rv = SECU_FileToItem(&decodeOptions.content, contentFile);
michael@0 1239 PR_Close(contentFile);
michael@0 1240 if (rv != SECSuccess) {
michael@0 1241 SECU_PrintError(progName, "problem reading content file");
michael@0 1242 exit(1);
michael@0 1243 }
michael@0 1244 if (!decodeOptions.content.data) {
michael@0 1245 /* file was zero length */
michael@0 1246 decodeOptions.content.data = (unsigned char *)PORT_Strdup("");
michael@0 1247 decodeOptions.content.len = 0;
michael@0 1248 }
michael@0 1249
michael@0 1250 break;
michael@0 1251 case 'd':
michael@0 1252 SECU_ConfigDirectory(optstate->value);
michael@0 1253 break;
michael@0 1254 case 'e':
michael@0 1255 envFileName = strdup(optstate->value);
michael@0 1256 encryptOptions.envFile = PR_Open(envFileName, PR_RDONLY, 00660);
michael@0 1257 break;
michael@0 1258
michael@0 1259 case 'h':
michael@0 1260 if (mode != DECODE) {
michael@0 1261 fprintf(stderr,
michael@0 1262 "%s: option -h only supported with option -D.\n",
michael@0 1263 progName);
michael@0 1264 Usage(progName);
michael@0 1265 exit(1);
michael@0 1266 }
michael@0 1267 decodeOptions.headerLevel = atoi(optstate->value);
michael@0 1268 if (decodeOptions.headerLevel < 0) {
michael@0 1269 fprintf(stderr, "option -h cannot have a negative value.\n");
michael@0 1270 exit(1);
michael@0 1271 }
michael@0 1272 break;
michael@0 1273 case 'i':
michael@0 1274 if (!optstate->value) {
michael@0 1275 fprintf(stderr, "-i option requires filename argument\n");
michael@0 1276 exit(1);
michael@0 1277 }
michael@0 1278 inFile = PR_Open(optstate->value, PR_RDONLY, 00660);
michael@0 1279 if (inFile == NULL) {
michael@0 1280 fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
michael@0 1281 progName, optstate->value);
michael@0 1282 exit(1);
michael@0 1283 }
michael@0 1284 break;
michael@0 1285
michael@0 1286 case 'k':
michael@0 1287 if (mode != DECODE) {
michael@0 1288 fprintf(stderr,
michael@0 1289 "%s: option -k only supported with option -D.\n",
michael@0 1290 progName);
michael@0 1291 Usage(progName);
michael@0 1292 exit(1);
michael@0 1293 }
michael@0 1294 decodeOptions.keepCerts = PR_TRUE;
michael@0 1295 break;
michael@0 1296
michael@0 1297 case 'n':
michael@0 1298 if (mode != DECODE) {
michael@0 1299 fprintf(stderr,
michael@0 1300 "%s: option -n only supported with option -D.\n",
michael@0 1301 progName);
michael@0 1302 Usage(progName);
michael@0 1303 exit(1);
michael@0 1304 }
michael@0 1305 decodeOptions.suppressContent = PR_TRUE;
michael@0 1306 break;
michael@0 1307 case 'o':
michael@0 1308 outFile = fopen(optstate->value, "wb");
michael@0 1309 if (outFile == NULL) {
michael@0 1310 fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
michael@0 1311 progName, optstate->value);
michael@0 1312 exit(1);
michael@0 1313 }
michael@0 1314 break;
michael@0 1315 case 'p':
michael@0 1316 if (!optstate->value) {
michael@0 1317 fprintf(stderr, "%s: option -p must have a value.\n", progName);
michael@0 1318 Usage(progName);
michael@0 1319 exit(1);
michael@0 1320 }
michael@0 1321
michael@0 1322 options.password = strdup(optstate->value);
michael@0 1323 break;
michael@0 1324
michael@0 1325 case 'f':
michael@0 1326 if (!optstate->value) {
michael@0 1327 fprintf(stderr, "%s: option -f must have a value.\n", progName);
michael@0 1328 Usage(progName);
michael@0 1329 exit(1);
michael@0 1330 }
michael@0 1331
michael@0 1332 options.pwfile = strdup(optstate->value);
michael@0 1333 break;
michael@0 1334
michael@0 1335 case 'r':
michael@0 1336 if (!optstate->value) {
michael@0 1337 fprintf(stderr, "%s: option -r must have a value.\n", progName);
michael@0 1338 Usage(progName);
michael@0 1339 exit(1);
michael@0 1340 }
michael@0 1341 envelopeOptions.recipients = ptrarray;
michael@0 1342 str = (char *)optstate->value;
michael@0 1343 do {
michael@0 1344 tok = strchr(str, ',');
michael@0 1345 if (tok) *tok = '\0';
michael@0 1346 envelopeOptions.recipients[nrecipients++] = strdup(str);
michael@0 1347 if (tok) str = tok + 1;
michael@0 1348 } while (tok);
michael@0 1349 envelopeOptions.recipients[nrecipients] = NULL;
michael@0 1350 encryptOptions.recipients = envelopeOptions.recipients;
michael@0 1351 certsonlyOptions.recipients = envelopeOptions.recipients;
michael@0 1352 break;
michael@0 1353
michael@0 1354 case 'u': {
michael@0 1355 int usageType;
michael@0 1356
michael@0 1357 usageType = atoi (strdup(optstate->value));
michael@0 1358 if (usageType < certUsageSSLClient || usageType > certUsageAnyCA)
michael@0 1359 return -1;
michael@0 1360 options.certUsage = (SECCertUsage)usageType;
michael@0 1361 break;
michael@0 1362 }
michael@0 1363 case 'v':
michael@0 1364 cms_verbose = 1;
michael@0 1365 break;
michael@0 1366
michael@0 1367 }
michael@0 1368 }
michael@0 1369 if (status == PL_OPT_BAD)
michael@0 1370 Usage(progName);
michael@0 1371 PL_DestroyOptState(optstate);
michael@0 1372
michael@0 1373 if (mode == UNKNOWN)
michael@0 1374 Usage(progName);
michael@0 1375
michael@0 1376 if (mode != CERTSONLY && !batch) {
michael@0 1377 rv = SECU_FileToItem(&input, inFile);
michael@0 1378 if (rv != SECSuccess) {
michael@0 1379 SECU_PrintError(progName, "unable to read infile");
michael@0 1380 exit(1);
michael@0 1381 }
michael@0 1382 if (inFile != PR_STDIN) {
michael@0 1383 PR_Close(inFile);
michael@0 1384 }
michael@0 1385 }
michael@0 1386 if (cms_verbose) {
michael@0 1387 fprintf(stderr, "received commands\n");
michael@0 1388 }
michael@0 1389
michael@0 1390 /* Call the NSS initialization routines */
michael@0 1391 PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
michael@0 1392 rv = NSS_InitReadWrite(SECU_ConfigDirectory(NULL));
michael@0 1393 if (SECSuccess != rv) {
michael@0 1394 SECU_PrintError(progName, "NSS_Init failed");
michael@0 1395 exit(1);
michael@0 1396 }
michael@0 1397 if (cms_verbose) {
michael@0 1398 fprintf(stderr, "NSS has been initialized.\n");
michael@0 1399 }
michael@0 1400 options.certHandle = CERT_GetDefaultCertDB();
michael@0 1401 if (!options.certHandle) {
michael@0 1402 SECU_PrintError(progName, "No default cert DB");
michael@0 1403 exit(1);
michael@0 1404 }
michael@0 1405 if (cms_verbose) {
michael@0 1406 fprintf(stderr, "Got default certdb\n");
michael@0 1407 }
michael@0 1408 if (options.password)
michael@0 1409 {
michael@0 1410 pwdata.source = PW_PLAINTEXT;
michael@0 1411 pwdata.data = options.password;
michael@0 1412 }
michael@0 1413 if (options.pwfile)
michael@0 1414 {
michael@0 1415 pwdata.source = PW_FROMFILE;
michael@0 1416 pwdata.data = options.pwfile;
michael@0 1417 }
michael@0 1418 pwcb = SECU_GetModulePassword;
michael@0 1419 pwcb_arg = (void *)&pwdata;
michael@0 1420
michael@0 1421 PK11_SetPasswordFunc(&SECU_GetModulePassword);
michael@0 1422
michael@0 1423
michael@0 1424 #if defined(_WIN32)
michael@0 1425 if (outFile == stdout) {
michael@0 1426 /* If we're going to write binary data to stdout, we must put stdout
michael@0 1427 ** into O_BINARY mode or else outgoing \n's will become \r\n's.
michael@0 1428 */
michael@0 1429 int smrv = _setmode(_fileno(stdout), _O_BINARY);
michael@0 1430 if (smrv == -1) {
michael@0 1431 fprintf(stderr,
michael@0 1432 "%s: Cannot change stdout to binary mode. Use -o option instead.\n",
michael@0 1433 progName);
michael@0 1434 return smrv;
michael@0 1435 }
michael@0 1436 }
michael@0 1437 #endif
michael@0 1438
michael@0 1439 exitstatus = 0;
michael@0 1440 switch (mode) {
michael@0 1441 case DECODE: /* -D */
michael@0 1442 decodeOptions.options = &options;
michael@0 1443 if (encryptOptions.envFile) {
michael@0 1444 /* Decoding encrypted-data, so get the bulkkey from an
michael@0 1445 * enveloped-data message.
michael@0 1446 */
michael@0 1447 SECU_FileToItem(&envmsg, encryptOptions.envFile);
michael@0 1448 decodeOptions.options = &options;
michael@0 1449 encryptOptions.envmsg = decode(NULL, &envmsg, &decodeOptions);
michael@0 1450 if (!encryptOptions.envmsg) {
michael@0 1451 SECU_PrintError(progName, "problem decoding env msg");
michael@0 1452 exitstatus = 1;
michael@0 1453 break;
michael@0 1454 }
michael@0 1455 rv = get_enc_params(&encryptOptions);
michael@0 1456 decodeOptions.dkcb = dkcb;
michael@0 1457 decodeOptions.bulkkey = encryptOptions.bulkkey;
michael@0 1458 }
michael@0 1459 if (!batch) {
michael@0 1460 cmsg = decode(outFile, &input, &decodeOptions);
michael@0 1461 if (!cmsg) {
michael@0 1462 SECU_PrintError(progName, "problem decoding");
michael@0 1463 exitstatus = 1;
michael@0 1464 }
michael@0 1465 } else {
michael@0 1466 exitstatus = doBatchDecode(outFile, inFile, &decodeOptions);
michael@0 1467 if (inFile != PR_STDIN) {
michael@0 1468 PR_Close(inFile);
michael@0 1469 }
michael@0 1470 }
michael@0 1471 break;
michael@0 1472 case SIGN: /* -S */
michael@0 1473 signOptions.options = &options;
michael@0 1474 cmsg = signed_data(&signOptions);
michael@0 1475 if (!cmsg) {
michael@0 1476 SECU_PrintError(progName, "problem signing");
michael@0 1477 exitstatus = 1;
michael@0 1478 }
michael@0 1479 break;
michael@0 1480 case ENCRYPT: /* -C */
michael@0 1481 if (!envFileName) {
michael@0 1482 fprintf(stderr, "%s: you must specify an envelope file with -e.\n",
michael@0 1483 progName);
michael@0 1484 exit(1);
michael@0 1485 }
michael@0 1486 encryptOptions.options = &options;
michael@0 1487 encryptOptions.input = &input;
michael@0 1488 encryptOptions.outfile = outFile;
michael@0 1489 /* decode an enveloped-data message to get the bulkkey (create
michael@0 1490 * a new one if neccessary)
michael@0 1491 */
michael@0 1492 if (!encryptOptions.envFile) {
michael@0 1493 encryptOptions.envFile = PR_Open(envFileName,
michael@0 1494 PR_WRONLY|PR_CREATE_FILE, 00660);
michael@0 1495 if (!encryptOptions.envFile) {
michael@0 1496 fprintf(stderr, "%s: failed to create file %s.\n", progName,
michael@0 1497 envFileName);
michael@0 1498 exit(1);
michael@0 1499 }
michael@0 1500 } else {
michael@0 1501 SECU_FileToItem(&envmsg, encryptOptions.envFile);
michael@0 1502 decodeOptions.options = &options;
michael@0 1503 encryptOptions.envmsg = decode(NULL, &envmsg, &decodeOptions);
michael@0 1504 if (encryptOptions.envmsg == NULL) {
michael@0 1505 SECU_PrintError(progName, "problem decrypting env msg");
michael@0 1506 exitstatus = 1;
michael@0 1507 break;
michael@0 1508 }
michael@0 1509 }
michael@0 1510 rv = get_enc_params(&encryptOptions);
michael@0 1511 /* create the encrypted-data message */
michael@0 1512 cmsg = encrypted_data(&encryptOptions);
michael@0 1513 if (!cmsg) {
michael@0 1514 SECU_PrintError(progName, "problem encrypting");
michael@0 1515 exitstatus = 1;
michael@0 1516 }
michael@0 1517 if (encryptOptions.bulkkey) {
michael@0 1518 PK11_FreeSymKey(encryptOptions.bulkkey);
michael@0 1519 encryptOptions.bulkkey = NULL;
michael@0 1520 }
michael@0 1521 break;
michael@0 1522 case ENVELOPE: /* -E */
michael@0 1523 envelopeOptions.options = &options;
michael@0 1524 cmsg = enveloped_data(&envelopeOptions);
michael@0 1525 if (!cmsg) {
michael@0 1526 SECU_PrintError(progName, "problem enveloping");
michael@0 1527 exitstatus = 1;
michael@0 1528 }
michael@0 1529 break;
michael@0 1530 case CERTSONLY: /* -O */
michael@0 1531 certsonlyOptions.options = &options;
michael@0 1532 cmsg = signed_data_certsonly(&certsonlyOptions);
michael@0 1533 if (!cmsg) {
michael@0 1534 SECU_PrintError(progName, "problem with certs-only");
michael@0 1535 exitstatus = 1;
michael@0 1536 }
michael@0 1537 break;
michael@0 1538 default:
michael@0 1539 fprintf(stderr, "One of options -D, -S or -E must be set.\n");
michael@0 1540 Usage(progName);
michael@0 1541 exitstatus = 1;
michael@0 1542 }
michael@0 1543 if ( (mode == SIGN || mode == ENVELOPE || mode == CERTSONLY)
michael@0 1544 && (!exitstatus) ) {
michael@0 1545 PLArenaPool *arena = PORT_NewArena(1024);
michael@0 1546 NSSCMSEncoderContext *ecx;
michael@0 1547 SECItem output = { 0, 0, 0 };
michael@0 1548
michael@0 1549 if (!arena) {
michael@0 1550 fprintf(stderr, "%s: out of memory.\n", progName);
michael@0 1551 exit(1);
michael@0 1552 }
michael@0 1553
michael@0 1554 if (cms_verbose) {
michael@0 1555 fprintf(stderr, "cmsg [%p]\n", cmsg);
michael@0 1556 fprintf(stderr, "arena [%p]\n", arena);
michael@0 1557 if (pwcb_arg && (PW_PLAINTEXT == ((secuPWData*)pwcb_arg)->source))
michael@0 1558 fprintf(stderr, "password [%s]\n",
michael@0 1559 ((secuPWData*)pwcb_arg)->data);
michael@0 1560 else
michael@0 1561 fprintf(stderr, "password [NULL]\n");
michael@0 1562 }
michael@0 1563 ecx = NSS_CMSEncoder_Start(cmsg,
michael@0 1564 NULL, NULL, /* DER output callback */
michael@0 1565 &output, arena, /* destination storage */
michael@0 1566 pwcb, pwcb_arg, /* password callback */
michael@0 1567 NULL, NULL, /* decrypt key callback */
michael@0 1568 NULL, NULL ); /* detached digests */
michael@0 1569 if (!ecx) {
michael@0 1570 fprintf(stderr, "%s: cannot create encoder context.\n", progName);
michael@0 1571 exit(1);
michael@0 1572 }
michael@0 1573 if (cms_verbose) {
michael@0 1574 fprintf(stderr, "input len [%d]\n", input.len);
michael@0 1575 { unsigned int j;
michael@0 1576 for(j=0;j<input.len;j++)
michael@0 1577 fprintf(stderr, "%2x%c", input.data[j], (j>0&&j%35==0)?'\n':' ');
michael@0 1578 }
michael@0 1579 }
michael@0 1580 if (input.len > 0) { /* skip if certs-only (or other zero content) */
michael@0 1581 rv = NSS_CMSEncoder_Update(ecx, (char *)input.data, input.len);
michael@0 1582 if (rv) {
michael@0 1583 fprintf(stderr,
michael@0 1584 "%s: failed to add data to encoder.\n", progName);
michael@0 1585 exit(1);
michael@0 1586 }
michael@0 1587 }
michael@0 1588 rv = NSS_CMSEncoder_Finish(ecx);
michael@0 1589 if (rv) {
michael@0 1590 SECU_PrintError(progName, "failed to encode data");
michael@0 1591 exit(1);
michael@0 1592 }
michael@0 1593
michael@0 1594 if (cms_verbose) {
michael@0 1595 fprintf(stderr, "encoding passed\n");
michael@0 1596 }
michael@0 1597 fwrite(output.data, output.len, 1, outFile);
michael@0 1598 if (cms_verbose) {
michael@0 1599 fprintf(stderr, "wrote to file\n");
michael@0 1600 }
michael@0 1601 PORT_FreeArena(arena, PR_FALSE);
michael@0 1602 }
michael@0 1603 if (cmsg)
michael@0 1604 NSS_CMSMessage_Destroy(cmsg);
michael@0 1605 if (outFile != stdout)
michael@0 1606 fclose(outFile);
michael@0 1607
michael@0 1608 SECITEM_FreeItem(&decodeOptions.content, PR_FALSE);
michael@0 1609 SECITEM_FreeItem(&envmsg, PR_FALSE);
michael@0 1610 SECITEM_FreeItem(&input, PR_FALSE);
michael@0 1611 if (NSS_Shutdown() != SECSuccess) {
michael@0 1612 SECU_PrintError(progName, "NSS_Shutdown failed");
michael@0 1613 exitstatus = 1;
michael@0 1614 }
michael@0 1615 PR_Cleanup();
michael@0 1616 return exitstatus;
michael@0 1617 }

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial