security/nss/cmd/lib/secutil.h@6474c204b198
security/nss/cmd/lib/secutil.h
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 #ifndef _SEC_UTIL_H_
5 #define _SEC_UTIL_H_
7 #include "seccomon.h"
8 #include "secitem.h"
9 #include "secport.h"
10 #include "prerror.h"
11 #include "base64.h"
12 #include "key.h"
13 #include "secpkcs7.h"
14 #include "secasn1.h"
15 #include "secder.h"
16 #include <stdio.h>
18 #include "basicutil.h"
19 #include "sslerr.h"
20 #include "sslt.h"
23 #define SEC_CT_PRIVATE_KEY "private-key"
24 #define SEC_CT_PUBLIC_KEY "public-key"
25 #define SEC_CT_CERTIFICATE "certificate"
26 #define SEC_CT_CERTIFICATE_REQUEST "certificate-request"
27 #define SEC_CT_CERTIFICATE_ID "certificate-identity"
28 #define SEC_CT_PKCS7 "pkcs7"
29 #define SEC_CT_CRL "crl"
30 #define SEC_CT_NAME "name"
32 #define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
33 #define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
35 #define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
36 #define NS_CERT_TRAILER "-----END CERTIFICATE-----"
38 #define NS_CRL_HEADER "-----BEGIN CRL-----"
39 #define NS_CRL_TRAILER "-----END CRL-----"
41 #define SECU_Strerror PORT_ErrorToString
44 typedef struct {
45 enum {
46 PW_NONE = 0,
47 PW_FROMFILE = 1,
48 PW_PLAINTEXT = 2,
49 PW_EXTERNAL = 3
50 } source;
51 char *data;
52 } secuPWData;
54 /*
55 ** Change a password on a token, or initialize a token with a password
56 ** if it does not already have one.
57 ** Use passwd to send the password in plaintext, pwFile to specify a
58 ** file containing the password, or NULL for both to prompt the user.
59 */
60 SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile);
62 /*
63 ** Change a password on a token, or initialize a token with a password
64 ** if it does not already have one.
65 ** In this function, you can specify both the old and new passwords
66 ** as either a string or file. NOTE: any you don't specify will
67 ** be prompted for
68 */
69 SECStatus SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
70 char *oldPwFile, char *newPwFile);
72 /* These were stolen from the old sec.h... */
73 /*
74 ** Check a password for legitimacy. Passwords must be at least 8
75 ** characters long and contain one non-alphabetic. Return DSTrue if the
76 ** password is ok, DSFalse otherwise.
77 */
78 extern PRBool SEC_CheckPassword(char *password);
80 /*
81 ** Blind check of a password. Complement to SEC_CheckPassword which
82 ** ignores length and content type, just retuning DSTrue is the password
83 ** exists, DSFalse if NULL
84 */
85 extern PRBool SEC_BlindCheckPassword(char *password);
87 /*
88 ** Get a password.
89 ** First prompt with "msg" on "out", then read the password from "in".
90 ** The password is then checked using "chkpw".
91 */
92 extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg,
93 PRBool (*chkpw)(char *));
95 char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg);
97 char *SECU_GetPasswordString(void *arg, char *prompt);
99 /*
100 ** Write a dongle password.
101 ** Uses MD5 to hash constant system data (hostname, etc.), and then
102 ** creates RC4 key to encrypt a password "pw" into a file "fd".
103 */
104 extern SECStatus SEC_WriteDongleFile(int fd, char *pw);
106 /*
107 ** Get a dongle password.
108 ** Uses MD5 to hash constant system data (hostname, etc.), and then
109 ** creates RC4 key to decrypt and return a password from file "fd".
110 */
111 extern char *SEC_ReadDongleFile(int fd);
114 /* End stolen headers */
116 /* Just sticks the two strings together with a / if needed */
117 char *SECU_AppendFilenameToDir(char *dir, char *filename);
119 /* Returns result of getenv("SSL_DIR") or NULL */
120 extern char *SECU_DefaultSSLDir(void);
122 /*
123 ** Should be called once during initialization to set the default
124 ** directory for looking for cert.db, key.db, and cert-nameidx.db files
125 ** Removes trailing '/' in 'base'
126 ** If 'base' is NULL, defaults to set to .netscape in home directory.
127 */
128 extern char *SECU_ConfigDirectory(const char* base);
130 /*
131 ** Basic callback function for SSL_GetClientAuthDataHook
132 */
133 extern int
134 SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
135 struct CERTDistNamesStr *caNames,
136 struct CERTCertificateStr **pRetCert,
137 struct SECKEYPrivateKeyStr **pRetKey);
139 extern PRBool SECU_GetWrapEnabled(void);
140 extern void SECU_EnableWrap(PRBool enable);
142 extern PRBool SECU_GetUtf8DisplayEnabled(void);
143 extern void SECU_EnableUtf8Display(PRBool enable);
145 /* revalidate the cert and print information about cert verification
146 * failure at time == now */
147 extern void
148 SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
149 CERTCertificate *cert, PRBool checksig,
150 SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
152 /* revalidate the cert and print information about cert verification
153 * failure at specified time */
154 extern void
155 SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle,
156 CERTCertificate *cert, PRBool checksig, SECCertificateUsage certUsage,
157 void *pinArg, PRBool verbose, PRTime datetime);
159 /* print out CERTVerifyLog info. */
160 extern void
161 SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
162 PRBool verbose);
164 /* Read in a DER from a file, may be ascii */
165 extern SECStatus
166 SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii,
167 PRBool warnOnPrivateKeyInAsciiFile);
169 /* Print integer value and hex */
170 extern void SECU_PrintInteger(FILE *out, const SECItem *i, const char *m,
171 int level);
173 /* Print ObjectIdentifier symbolically */
174 extern SECOidTag SECU_PrintObjectID(FILE *out, const SECItem *oid,
175 const char *m, int level);
177 /* Print AlgorithmIdentifier symbolically */
178 extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m,
179 int level);
181 /*
182 * Format and print the UTC Time "t". If the tag message "m" is not NULL,
183 * do indent formatting based on "level" and add a newline afterward;
184 * otherwise just print the formatted time string only.
185 */
186 extern void SECU_PrintUTCTime(FILE *out, const SECItem *t, const char *m,
187 int level);
189 /*
190 * Format and print the Generalized Time "t". If the tag message "m"
191 * is not NULL, * do indent formatting based on "level" and add a newline
192 * afterward; otherwise just print the formatted time string only.
193 */
194 extern void SECU_PrintGeneralizedTime(FILE *out, const SECItem *t,
195 const char *m, int level);
197 /*
198 * Format and print the UTC or Generalized Time "t". If the tag message
199 * "m" is not NULL, do indent formatting based on "level" and add a newline
200 * afterward; otherwise just print the formatted time string only.
201 */
202 extern void SECU_PrintTimeChoice(FILE *out, const SECItem *t, const char *m,
203 int level);
205 /* callback for listing certs through pkcs11 */
206 extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);
208 /* Dump all certificate nicknames in a database */
209 extern SECStatus
210 SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out,
211 PRBool sortByName, PRBool sortByTrust);
213 /* See if nickname already in database. Return 1 true, 0 false, -1 error */
214 int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);
216 /* Dump contents of cert req */
217 extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
218 int level);
220 /* Dump contents of certificate */
221 extern int SECU_PrintCertificate(FILE *out, const SECItem *der, const char *m,
222 int level);
224 extern int SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m,
225 int level);
227 /* Dump contents of a DER certificate name (issuer or subject) */
228 extern int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level);
230 /* print trust flags on a cert */
231 extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m,
232 int level);
234 extern int SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m,
235 int level);
237 #ifdef HAVE_EPV_TEMPLATE
238 /* Dump contents of private key */
239 extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
240 #endif
242 /* Dump contents of an RSA public key */
243 extern void SECU_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level);
245 /* Dump contents of a DSA public key */
246 extern void SECU_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level);
248 /* Print the MD5 and SHA1 fingerprints of a cert */
249 extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m,
250 int level);
252 /* Pretty-print any PKCS7 thing */
253 extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m,
254 int level);
256 /* Init PKCS11 stuff */
257 extern SECStatus SECU_PKCS11Init(PRBool readOnly);
259 /* Dump contents of signed data */
260 extern int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,
261 int level, SECU_PPFunc inner);
263 /* Dump contents of signed data, excluding the signature */
264 extern int SECU_PrintSignedContent(FILE *out, SECItem *der, char *m, int level,
265 SECU_PPFunc inner);
267 /* Print cert data and its trust flags */
268 extern SECStatus SEC_PrintCertificateAndTrust(CERTCertificate *cert,
269 const char *label,
270 CERTCertTrust *trust);
272 extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level);
274 extern void
275 SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level);
277 extern void SECU_PrintString(FILE *out, const SECItem *si, const char *m,
278 int level);
279 extern void SECU_PrintAny(FILE *out, const SECItem *i, const char *m, int level);
281 extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level);
282 extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
283 char *msg, int level);
285 extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
286 char *msg, int level);
288 extern void SECU_PrintNameQuotesOptional(FILE *out, CERTName *name,
289 const char *msg, int level,
290 PRBool quotes);
291 extern void SECU_PrintName(FILE *out, CERTName *name, const char *msg,
292 int level);
293 extern void SECU_PrintRDN(FILE *out, CERTRDN *rdn, const char *msg, int level);
295 #ifdef SECU_GetPassword
296 /* Convert a High public Key to a Low public Key */
297 extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
298 #endif
300 extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
302 extern SECStatus DER_PrettyPrint(FILE *out, const SECItem *it, PRBool raw);
304 extern char *SECU_SECModDBName(void);
306 /* Fetch and register an oid if it hasn't been done already */
307 extern void SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src);
309 extern SECStatus SECU_RegisterDynamicOids(void);
311 /* Identifies hash algorithm tag by its string representation. */
312 extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);
314 /* Store CRL in output file or pk11 db. Also
315 * encodes with base64 and exports to file if ascii flag is set
316 * and file is not NULL. */
317 extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl,
318 PRFileDesc *outFile, PRBool ascii, char *url);
321 /*
322 ** DER sign a single block of data using private key encryption and the
323 ** MD5 hashing algorithm. This routine first computes a digital signature
324 ** using SEC_SignData, then wraps it with an CERTSignedData and then der
325 ** encodes the result.
326 ** "arena" is the memory arena to use to allocate data from
327 ** "sd" returned CERTSignedData
328 ** "result" the final der encoded data (memory is allocated)
329 ** "buf" the input data to sign
330 ** "len" the amount of data to sign
331 ** "pk" the private key to encrypt with
332 */
333 extern SECStatus SECU_DerSignDataCRL(PLArenaPool *arena, CERTSignedData *sd,
334 unsigned char *buf, int len,
335 SECKEYPrivateKey *pk, SECOidTag algID);
337 typedef enum {
338 noKeyFound = 1,
339 noSignatureMatch = 2,
340 failToEncode = 3,
341 failToSign = 4,
342 noMem = 5
343 } SignAndEncodeFuncExitStat;
345 extern SECStatus
346 SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
347 SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);
349 extern SECStatus
350 SECU_CopyCRL(PLArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
352 /*
353 ** Finds the crl Authority Key Id extension. Returns NULL if no such extension
354 ** was found.
355 */
356 CERTAuthKeyID *
357 SECU_FindCRLAuthKeyIDExten (PLArenaPool *arena, CERTSignedCrl *crl);
359 /*
360 * Find the issuer of a crl. Cert usage should be checked before signing a crl.
361 */
362 CERTCertificate *
363 SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
364 CERTAuthKeyID* id, PRTime validTime);
367 /* call back function used in encoding of an extension. Called from
368 * SECU_EncodeAndAddExtensionValue */
369 typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PLArenaPool *extHandleArena,
370 void *value, SECItem *encodedValue);
372 /* Encodes and adds extensions to the CRL or CRL entries. */
373 SECStatus
374 SECU_EncodeAndAddExtensionValue(PLArenaPool *arena, void *extHandle,
375 void *value, PRBool criticality, int extenType,
376 EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
378 /* Caller ensures that dst is at least item->len*2+1 bytes long */
379 void
380 SECU_SECItemToHex(const SECItem * item, char * dst);
382 /* Requires 0x prefix. Case-insensitive. Will do in-place replacement if
383 * successful */
384 SECStatus
385 SECU_SECItemHexStringToBinary(SECItem* srcdest);
387 /* Parse a version range string, with "min" and "max" version numbers,
388 * separated by colon (":"), and return the result in vr and v2.
389 *
390 * Both min and max values are optional.
391 * The following syntax is used to specify the enabled protocol versions:
392 * A string with only a max value is expected as ":{max}",
393 * and all implemented versions less than or equal to max will be enabled.
394 * A string with only a min value is expected as "{min}:",
395 * and all implemented versions greater than or equal to min will be enabled.
396 * A string consisting of a colon only means "all versions enabled".
397 *
398 * Because output parameter type SSLVersionRange doesn't allow to set
399 * version 2 values, we use a separate boolean output parameter
400 * to return whether SSL 2 is enabled.
401 *
402 * In order to avoid a link dependency from libsectool to libssl,
403 * the caller must provide the desired default values for the min/max values,
404 * by providing defaultEnableSSL2 and defaultVersionRange
405 * (which can be obtained from libssl by calling SSL_VersionRangeGetSupported).
406 */
407 SECStatus
408 SECU_ParseSSLVersionRangeString(const char *input,
409 const SSLVersionRange defaultVersionRange,
410 const PRBool defaultEnableSSL2,
411 SSLVersionRange *vrange,
412 PRBool *enableSSL2);
414 /*
415 *
416 * Error messaging
417 *
418 */
420 void printflags(char *trusts, unsigned int flags);
422 #if !defined(XP_UNIX) && !defined(XP_OS2)
423 extern int ffs(unsigned int i);
424 #endif
426 /* Finds certificate by searching it in the DB or by examinig file
427 * in the local directory. */
428 CERTCertificate*
429 SECU_FindCertByNicknameOrFilename(CERTCertDBHandle *handle,
430 char *name, PRBool ascii,
431 void *pwarg);
432 #include "secerr.h"
433 #include "sslerr.h"
435 #endif /* _SEC_UTIL_H_ */
