1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/cmd/lib/secutil.h Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,435 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +#ifndef _SEC_UTIL_H_
1.8 +#define _SEC_UTIL_H_
1.9 +
1.10 +#include "seccomon.h"
1.11 +#include "secitem.h"
1.12 +#include "secport.h"
1.13 +#include "prerror.h"
1.14 +#include "base64.h"
1.15 +#include "key.h"
1.16 +#include "secpkcs7.h"
1.17 +#include "secasn1.h"
1.18 +#include "secder.h"
1.19 +#include <stdio.h>
1.20 +
1.21 +#include "basicutil.h"
1.22 +#include "sslerr.h"
1.23 +#include "sslt.h"
1.24 +
1.25 +
1.26 +#define SEC_CT_PRIVATE_KEY "private-key"
1.27 +#define SEC_CT_PUBLIC_KEY "public-key"
1.28 +#define SEC_CT_CERTIFICATE "certificate"
1.29 +#define SEC_CT_CERTIFICATE_REQUEST "certificate-request"
1.30 +#define SEC_CT_CERTIFICATE_ID "certificate-identity"
1.31 +#define SEC_CT_PKCS7 "pkcs7"
1.32 +#define SEC_CT_CRL "crl"
1.33 +#define SEC_CT_NAME "name"
1.34 +
1.35 +#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
1.36 +#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
1.37 +
1.38 +#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
1.39 +#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
1.40 +
1.41 +#define NS_CRL_HEADER "-----BEGIN CRL-----"
1.42 +#define NS_CRL_TRAILER "-----END CRL-----"
1.43 +
1.44 +#define SECU_Strerror PORT_ErrorToString
1.45 +
1.46 +
1.47 +typedef struct {
1.48 + enum {
1.49 + PW_NONE = 0,
1.50 + PW_FROMFILE = 1,
1.51 + PW_PLAINTEXT = 2,
1.52 + PW_EXTERNAL = 3
1.53 + } source;
1.54 + char *data;
1.55 +} secuPWData;
1.56 +
1.57 +/*
1.58 +** Change a password on a token, or initialize a token with a password
1.59 +** if it does not already have one.
1.60 +** Use passwd to send the password in plaintext, pwFile to specify a
1.61 +** file containing the password, or NULL for both to prompt the user.
1.62 +*/
1.63 +SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile);
1.64 +
1.65 +/*
1.66 +** Change a password on a token, or initialize a token with a password
1.67 +** if it does not already have one.
1.68 +** In this function, you can specify both the old and new passwords
1.69 +** as either a string or file. NOTE: any you don't specify will
1.70 +** be prompted for
1.71 +*/
1.72 +SECStatus SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
1.73 + char *oldPwFile, char *newPwFile);
1.74 +
1.75 +/* These were stolen from the old sec.h... */
1.76 +/*
1.77 +** Check a password for legitimacy. Passwords must be at least 8
1.78 +** characters long and contain one non-alphabetic. Return DSTrue if the
1.79 +** password is ok, DSFalse otherwise.
1.80 +*/
1.81 +extern PRBool SEC_CheckPassword(char *password);
1.82 +
1.83 +/*
1.84 +** Blind check of a password. Complement to SEC_CheckPassword which
1.85 +** ignores length and content type, just retuning DSTrue is the password
1.86 +** exists, DSFalse if NULL
1.87 +*/
1.88 +extern PRBool SEC_BlindCheckPassword(char *password);
1.89 +
1.90 +/*
1.91 +** Get a password.
1.92 +** First prompt with "msg" on "out", then read the password from "in".
1.93 +** The password is then checked using "chkpw".
1.94 +*/
1.95 +extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg,
1.96 + PRBool (*chkpw)(char *));
1.97 +
1.98 +char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg);
1.99 +
1.100 +char *SECU_GetPasswordString(void *arg, char *prompt);
1.101 +
1.102 +/*
1.103 +** Write a dongle password.
1.104 +** Uses MD5 to hash constant system data (hostname, etc.), and then
1.105 +** creates RC4 key to encrypt a password "pw" into a file "fd".
1.106 +*/
1.107 +extern SECStatus SEC_WriteDongleFile(int fd, char *pw);
1.108 +
1.109 +/*
1.110 +** Get a dongle password.
1.111 +** Uses MD5 to hash constant system data (hostname, etc.), and then
1.112 +** creates RC4 key to decrypt and return a password from file "fd".
1.113 +*/
1.114 +extern char *SEC_ReadDongleFile(int fd);
1.115 +
1.116 +
1.117 +/* End stolen headers */
1.118 +
1.119 +/* Just sticks the two strings together with a / if needed */
1.120 +char *SECU_AppendFilenameToDir(char *dir, char *filename);
1.121 +
1.122 +/* Returns result of getenv("SSL_DIR") or NULL */
1.123 +extern char *SECU_DefaultSSLDir(void);
1.124 +
1.125 +/*
1.126 +** Should be called once during initialization to set the default
1.127 +** directory for looking for cert.db, key.db, and cert-nameidx.db files
1.128 +** Removes trailing '/' in 'base'
1.129 +** If 'base' is NULL, defaults to set to .netscape in home directory.
1.130 +*/
1.131 +extern char *SECU_ConfigDirectory(const char* base);
1.132 +
1.133 +/*
1.134 +** Basic callback function for SSL_GetClientAuthDataHook
1.135 +*/
1.136 +extern int
1.137 +SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
1.138 + struct CERTDistNamesStr *caNames,
1.139 + struct CERTCertificateStr **pRetCert,
1.140 + struct SECKEYPrivateKeyStr **pRetKey);
1.141 +
1.142 +extern PRBool SECU_GetWrapEnabled(void);
1.143 +extern void SECU_EnableWrap(PRBool enable);
1.144 +
1.145 +extern PRBool SECU_GetUtf8DisplayEnabled(void);
1.146 +extern void SECU_EnableUtf8Display(PRBool enable);
1.147 +
1.148 +/* revalidate the cert and print information about cert verification
1.149 + * failure at time == now */
1.150 +extern void
1.151 +SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
1.152 + CERTCertificate *cert, PRBool checksig,
1.153 + SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
1.154 +
1.155 +/* revalidate the cert and print information about cert verification
1.156 + * failure at specified time */
1.157 +extern void
1.158 +SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle,
1.159 + CERTCertificate *cert, PRBool checksig, SECCertificateUsage certUsage,
1.160 + void *pinArg, PRBool verbose, PRTime datetime);
1.161 +
1.162 +/* print out CERTVerifyLog info. */
1.163 +extern void
1.164 +SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
1.165 + PRBool verbose);
1.166 +
1.167 +/* Read in a DER from a file, may be ascii */
1.168 +extern SECStatus
1.169 +SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii,
1.170 + PRBool warnOnPrivateKeyInAsciiFile);
1.171 +
1.172 +/* Print integer value and hex */
1.173 +extern void SECU_PrintInteger(FILE *out, const SECItem *i, const char *m,
1.174 + int level);
1.175 +
1.176 +/* Print ObjectIdentifier symbolically */
1.177 +extern SECOidTag SECU_PrintObjectID(FILE *out, const SECItem *oid,
1.178 + const char *m, int level);
1.179 +
1.180 +/* Print AlgorithmIdentifier symbolically */
1.181 +extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m,
1.182 + int level);
1.183 +
1.184 +/*
1.185 + * Format and print the UTC Time "t". If the tag message "m" is not NULL,
1.186 + * do indent formatting based on "level" and add a newline afterward;
1.187 + * otherwise just print the formatted time string only.
1.188 + */
1.189 +extern void SECU_PrintUTCTime(FILE *out, const SECItem *t, const char *m,
1.190 + int level);
1.191 +
1.192 +/*
1.193 + * Format and print the Generalized Time "t". If the tag message "m"
1.194 + * is not NULL, * do indent formatting based on "level" and add a newline
1.195 + * afterward; otherwise just print the formatted time string only.
1.196 + */
1.197 +extern void SECU_PrintGeneralizedTime(FILE *out, const SECItem *t,
1.198 + const char *m, int level);
1.199 +
1.200 +/*
1.201 + * Format and print the UTC or Generalized Time "t". If the tag message
1.202 + * "m" is not NULL, do indent formatting based on "level" and add a newline
1.203 + * afterward; otherwise just print the formatted time string only.
1.204 + */
1.205 +extern void SECU_PrintTimeChoice(FILE *out, const SECItem *t, const char *m,
1.206 + int level);
1.207 +
1.208 +/* callback for listing certs through pkcs11 */
1.209 +extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);
1.210 +
1.211 +/* Dump all certificate nicknames in a database */
1.212 +extern SECStatus
1.213 +SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out,
1.214 + PRBool sortByName, PRBool sortByTrust);
1.215 +
1.216 +/* See if nickname already in database. Return 1 true, 0 false, -1 error */
1.217 +int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);
1.218 +
1.219 +/* Dump contents of cert req */
1.220 +extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
1.221 + int level);
1.222 +
1.223 +/* Dump contents of certificate */
1.224 +extern int SECU_PrintCertificate(FILE *out, const SECItem *der, const char *m,
1.225 + int level);
1.226 +
1.227 +extern int SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m,
1.228 + int level);
1.229 +
1.230 +/* Dump contents of a DER certificate name (issuer or subject) */
1.231 +extern int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level);
1.232 +
1.233 +/* print trust flags on a cert */
1.234 +extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m,
1.235 + int level);
1.236 +
1.237 +extern int SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m,
1.238 + int level);
1.239 +
1.240 +#ifdef HAVE_EPV_TEMPLATE
1.241 +/* Dump contents of private key */
1.242 +extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
1.243 +#endif
1.244 +
1.245 +/* Dump contents of an RSA public key */
1.246 +extern void SECU_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level);
1.247 +
1.248 +/* Dump contents of a DSA public key */
1.249 +extern void SECU_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level);
1.250 +
1.251 +/* Print the MD5 and SHA1 fingerprints of a cert */
1.252 +extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m,
1.253 + int level);
1.254 +
1.255 +/* Pretty-print any PKCS7 thing */
1.256 +extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m,
1.257 + int level);
1.258 +
1.259 +/* Init PKCS11 stuff */
1.260 +extern SECStatus SECU_PKCS11Init(PRBool readOnly);
1.261 +
1.262 +/* Dump contents of signed data */
1.263 +extern int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,
1.264 + int level, SECU_PPFunc inner);
1.265 +
1.266 +/* Dump contents of signed data, excluding the signature */
1.267 +extern int SECU_PrintSignedContent(FILE *out, SECItem *der, char *m, int level,
1.268 + SECU_PPFunc inner);
1.269 +
1.270 +/* Print cert data and its trust flags */
1.271 +extern SECStatus SEC_PrintCertificateAndTrust(CERTCertificate *cert,
1.272 + const char *label,
1.273 + CERTCertTrust *trust);
1.274 +
1.275 +extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level);
1.276 +
1.277 +extern void
1.278 +SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level);
1.279 +
1.280 +extern void SECU_PrintString(FILE *out, const SECItem *si, const char *m,
1.281 + int level);
1.282 +extern void SECU_PrintAny(FILE *out, const SECItem *i, const char *m, int level);
1.283 +
1.284 +extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level);
1.285 +extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
1.286 + char *msg, int level);
1.287 +
1.288 +extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
1.289 + char *msg, int level);
1.290 +
1.291 +extern void SECU_PrintNameQuotesOptional(FILE *out, CERTName *name,
1.292 + const char *msg, int level,
1.293 + PRBool quotes);
1.294 +extern void SECU_PrintName(FILE *out, CERTName *name, const char *msg,
1.295 + int level);
1.296 +extern void SECU_PrintRDN(FILE *out, CERTRDN *rdn, const char *msg, int level);
1.297 +
1.298 +#ifdef SECU_GetPassword
1.299 +/* Convert a High public Key to a Low public Key */
1.300 +extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
1.301 +#endif
1.302 +
1.303 +extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
1.304 +
1.305 +extern SECStatus DER_PrettyPrint(FILE *out, const SECItem *it, PRBool raw);
1.306 +
1.307 +extern char *SECU_SECModDBName(void);
1.308 +
1.309 +/* Fetch and register an oid if it hasn't been done already */
1.310 +extern void SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src);
1.311 +
1.312 +extern SECStatus SECU_RegisterDynamicOids(void);
1.313 +
1.314 +/* Identifies hash algorithm tag by its string representation. */
1.315 +extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);
1.316 +
1.317 +/* Store CRL in output file or pk11 db. Also
1.318 + * encodes with base64 and exports to file if ascii flag is set
1.319 + * and file is not NULL. */
1.320 +extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl,
1.321 + PRFileDesc *outFile, PRBool ascii, char *url);
1.322 +
1.323 +
1.324 +/*
1.325 +** DER sign a single block of data using private key encryption and the
1.326 +** MD5 hashing algorithm. This routine first computes a digital signature
1.327 +** using SEC_SignData, then wraps it with an CERTSignedData and then der
1.328 +** encodes the result.
1.329 +** "arena" is the memory arena to use to allocate data from
1.330 +** "sd" returned CERTSignedData
1.331 +** "result" the final der encoded data (memory is allocated)
1.332 +** "buf" the input data to sign
1.333 +** "len" the amount of data to sign
1.334 +** "pk" the private key to encrypt with
1.335 +*/
1.336 +extern SECStatus SECU_DerSignDataCRL(PLArenaPool *arena, CERTSignedData *sd,
1.337 + unsigned char *buf, int len,
1.338 + SECKEYPrivateKey *pk, SECOidTag algID);
1.339 +
1.340 +typedef enum {
1.341 + noKeyFound = 1,
1.342 + noSignatureMatch = 2,
1.343 + failToEncode = 3,
1.344 + failToSign = 4,
1.345 + noMem = 5
1.346 +} SignAndEncodeFuncExitStat;
1.347 +
1.348 +extern SECStatus
1.349 +SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
1.350 + SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);
1.351 +
1.352 +extern SECStatus
1.353 +SECU_CopyCRL(PLArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
1.354 +
1.355 +/*
1.356 +** Finds the crl Authority Key Id extension. Returns NULL if no such extension
1.357 +** was found.
1.358 +*/
1.359 +CERTAuthKeyID *
1.360 +SECU_FindCRLAuthKeyIDExten (PLArenaPool *arena, CERTSignedCrl *crl);
1.361 +
1.362 +/*
1.363 + * Find the issuer of a crl. Cert usage should be checked before signing a crl.
1.364 + */
1.365 +CERTCertificate *
1.366 +SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
1.367 + CERTAuthKeyID* id, PRTime validTime);
1.368 +
1.369 +
1.370 +/* call back function used in encoding of an extension. Called from
1.371 + * SECU_EncodeAndAddExtensionValue */
1.372 +typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PLArenaPool *extHandleArena,
1.373 + void *value, SECItem *encodedValue);
1.374 +
1.375 +/* Encodes and adds extensions to the CRL or CRL entries. */
1.376 +SECStatus
1.377 +SECU_EncodeAndAddExtensionValue(PLArenaPool *arena, void *extHandle,
1.378 + void *value, PRBool criticality, int extenType,
1.379 + EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
1.380 +
1.381 +/* Caller ensures that dst is at least item->len*2+1 bytes long */
1.382 +void
1.383 +SECU_SECItemToHex(const SECItem * item, char * dst);
1.384 +
1.385 +/* Requires 0x prefix. Case-insensitive. Will do in-place replacement if
1.386 + * successful */
1.387 +SECStatus
1.388 +SECU_SECItemHexStringToBinary(SECItem* srcdest);
1.389 +
1.390 +/* Parse a version range string, with "min" and "max" version numbers,
1.391 + * separated by colon (":"), and return the result in vr and v2.
1.392 + *
1.393 + * Both min and max values are optional.
1.394 + * The following syntax is used to specify the enabled protocol versions:
1.395 + * A string with only a max value is expected as ":{max}",
1.396 + * and all implemented versions less than or equal to max will be enabled.
1.397 + * A string with only a min value is expected as "{min}:",
1.398 + * and all implemented versions greater than or equal to min will be enabled.
1.399 + * A string consisting of a colon only means "all versions enabled".
1.400 + *
1.401 + * Because output parameter type SSLVersionRange doesn't allow to set
1.402 + * version 2 values, we use a separate boolean output parameter
1.403 + * to return whether SSL 2 is enabled.
1.404 + *
1.405 + * In order to avoid a link dependency from libsectool to libssl,
1.406 + * the caller must provide the desired default values for the min/max values,
1.407 + * by providing defaultEnableSSL2 and defaultVersionRange
1.408 + * (which can be obtained from libssl by calling SSL_VersionRangeGetSupported).
1.409 + */
1.410 +SECStatus
1.411 +SECU_ParseSSLVersionRangeString(const char *input,
1.412 + const SSLVersionRange defaultVersionRange,
1.413 + const PRBool defaultEnableSSL2,
1.414 + SSLVersionRange *vrange,
1.415 + PRBool *enableSSL2);
1.416 +
1.417 +/*
1.418 + *
1.419 + * Error messaging
1.420 + *
1.421 + */
1.422 +
1.423 +void printflags(char *trusts, unsigned int flags);
1.424 +
1.425 +#if !defined(XP_UNIX) && !defined(XP_OS2)
1.426 +extern int ffs(unsigned int i);
1.427 +#endif
1.428 +
1.429 +/* Finds certificate by searching it in the DB or by examinig file
1.430 + * in the local directory. */
1.431 +CERTCertificate*
1.432 +SECU_FindCertByNicknameOrFilename(CERTCertDBHandle *handle,
1.433 + char *name, PRBool ascii,
1.434 + void *pwarg);
1.435 +#include "secerr.h"
1.436 +#include "sslerr.h"
1.437 +
1.438 +#endif /* _SEC_UTIL_H_ */
