/security/nss/cmd/lib/secutil.c
C | 4116 lines | 3360 code | 513 blank | 243 comment | 866 complexity | 560e1bd79c68f204d7f7158f868c5ea2 MD5 | raw file
Possible License(s): LGPL-3.0, MIT, BSD-3-Clause, MPL-2.0-no-copyleft-exception, GPL-2.0, LGPL-2.1
Large files files are truncated, but you can click here to view the full file
- /* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
- /*
- ** secutil.c - various functions used by security stuff
- **
- */
- #include "prtypes.h"
- #include "prtime.h"
- #include "prlong.h"
- #include "prerror.h"
- #include "prprf.h"
- #include "plgetopt.h"
- #include "prenv.h"
- #include "prnetdb.h"
- #include "cryptohi.h"
- #include "secutil.h"
- #include "secpkcs7.h"
- #include "secpkcs5.h"
- #include <stdarg.h>
- #if !defined(_WIN32_WCE)
- #include <sys/stat.h>
- #include <errno.h>
- #endif
- #ifdef XP_UNIX
- #include <unistd.h>
- #endif
- /* for SEC_TraverseNames */
- #include "cert.h"
- #include "certt.h"
- #include "certdb.h"
- /* #include "secmod.h" */
- #include "pk11func.h"
- #include "secoid.h"
- static char consoleName[] = {
- #ifdef XP_UNIX
- #ifdef VMS
- "TT"
- #else
- "/dev/tty"
- #endif
- #else
- #ifdef XP_OS2
- "\\DEV\\CON"
- #else
- "CON:"
- #endif
- #endif
- };
- char *
- SECU_GetString(int16 error_number)
- {
- static char errString[80];
- sprintf(errString, "Unknown error string (%d)", error_number);
- return errString;
- }
- void
- SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
- {
- va_list args;
- PRErrorCode err = PORT_GetError();
- const char * errString = SECU_Strerror(err);
- va_start(args, msg);
- SECU_Indent(out, level);
- fprintf(out, "%s: ", progName);
- vfprintf(out, msg, args);
- if (errString != NULL && PORT_Strlen(errString) > 0)
- fprintf(out, ": %s\n", errString);
- else
- fprintf(out, ": error %d\n", (int)err);
- va_end(args);
- }
- void
- SECU_PrintError(char *progName, char *msg, ...)
- {
- va_list args;
- PRErrorCode err = PORT_GetError();
- const char * errString = SECU_Strerror(err);
- va_start(args, msg);
- fprintf(stderr, "%s: ", progName);
- vfprintf(stderr, msg, args);
- if (errString != NULL && PORT_Strlen(errString) > 0)
- fprintf(stderr, ": %s\n", errString);
- else
- fprintf(stderr, ": error %d\n", (int)err);
- va_end(args);
- }
- void
- SECU_PrintSystemError(char *progName, char *msg, ...)
- {
- va_list args;
- va_start(args, msg);
- fprintf(stderr, "%s: ", progName);
- vfprintf(stderr, msg, args);
- #if defined(_WIN32_WCE)
- fprintf(stderr, ": %d\n", PR_GetOSError());
- #else
- fprintf(stderr, ": %s\n", strerror(errno));
- #endif
- va_end(args);
- }
- static void
- secu_ClearPassword(char *p)
- {
- if (p) {
- PORT_Memset(p, 0, PORT_Strlen(p));
- PORT_Free(p);
- }
- }
- char *
- SECU_GetPasswordString(void *arg, char *prompt)
- {
- #ifndef _WINDOWS
- char *p = NULL;
- FILE *input, *output;
- /* open terminal */
- input = fopen(consoleName, "r");
- if (input == NULL) {
- fprintf(stderr, "Error opening input terminal for read\n");
- return NULL;
- }
- output = fopen(consoleName, "w");
- if (output == NULL) {
- fprintf(stderr, "Error opening output terminal for write\n");
- return NULL;
- }
- p = SEC_GetPassword (input, output, prompt, SEC_BlindCheckPassword);
-
- fclose(input);
- fclose(output);
- return p;
- #else
- /* Win32 version of above. opening the console may fail
- on windows95, and certainly isn't necessary.. */
- char *p = NULL;
- p = SEC_GetPassword (stdin, stdout, prompt, SEC_BlindCheckPassword);
- return p;
- #endif
- }
- /*
- * p a s s w o r d _ h a r d c o d e
- *
- * A function to use the password passed in the -f(pwfile) argument
- * of the command line.
- * After use once, null it out otherwise PKCS11 calls us forever.?
- *
- */
- char *
- SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
- {
- char* phrases, *phrase;
- PRFileDesc *fd;
- PRInt32 nb;
- char *pwFile = arg;
- int i;
- const long maxPwdFileSize = 4096;
- char* tokenName = NULL;
- int tokenLen = 0;
- if (!pwFile)
- return 0;
- if (retry) {
- return 0; /* no good retrying - the files contents will be the same */
- }
- phrases = PORT_ZAlloc(maxPwdFileSize);
- if (!phrases) {
- return 0; /* out of memory */
- }
-
- fd = PR_Open(pwFile, PR_RDONLY, 0);
- if (!fd) {
- fprintf(stderr, "No password file \"%s\" exists.\n", pwFile);
- PORT_Free(phrases);
- return NULL;
- }
- nb = PR_Read(fd, phrases, maxPwdFileSize);
-
- PR_Close(fd);
- if (nb == 0) {
- fprintf(stderr,"password file contains no data\n");
- PORT_Free(phrases);
- return NULL;
- }
- if (slot) {
- tokenName = PK11_GetTokenName(slot);
- if (tokenName) {
- tokenLen = PORT_Strlen(tokenName);
- }
- }
- i = 0;
- do
- {
- int startphrase = i;
- int phraseLen;
- /* handle the Windows EOL case */
- while (phrases[i] != '\r' && phrases[i] != '\n' && i < nb) i++;
- /* terminate passphrase */
- phrases[i++] = '\0';
- /* clean up any EOL before the start of the next passphrase */
- while ( (i<nb) && (phrases[i] == '\r' || phrases[i] == '\n')) {
- phrases[i++] = '\0';
- }
- /* now analyze the current passphrase */
- phrase = &phrases[startphrase];
- if (!tokenName)
- break;
- if (PORT_Strncmp(phrase, tokenName, tokenLen)) continue;
- phraseLen = PORT_Strlen(phrase);
- if (phraseLen < (tokenLen+1)) continue;
- if (phrase[tokenLen] != ':') continue;
- phrase = &phrase[tokenLen+1];
- break;
- } while (i<nb);
- phrase = PORT_Strdup((char*)phrase);
- PORT_Free(phrases);
- return phrase;
- }
- char *
- SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
- {
- char prompt[255];
- secuPWData *pwdata = (secuPWData *)arg;
- secuPWData pwnull = { PW_NONE, 0 };
- secuPWData pwxtrn = { PW_EXTERNAL, "external" };
- char *pw;
- if (pwdata == NULL)
- pwdata = &pwnull;
- if (PK11_ProtectedAuthenticationPath(slot)) {
- pwdata = &pwxtrn;
- }
- if (retry && pwdata->source != PW_NONE) {
- PR_fprintf(PR_STDERR, "Incorrect password/PIN entered.\n");
- return NULL;
- }
- switch (pwdata->source) {
- case PW_NONE:
- sprintf(prompt, "Enter Password or Pin for \"%s\":",
- PK11_GetTokenName(slot));
- return SECU_GetPasswordString(NULL, prompt);
- case PW_FROMFILE:
- /* Instead of opening and closing the file every time, get the pw
- * once, then keep it in memory (duh).
- */
- pw = SECU_FilePasswd(slot, retry, pwdata->data);
- pwdata->source = PW_PLAINTEXT;
- pwdata->data = PL_strdup(pw);
- /* it's already been dup'ed */
- return pw;
- case PW_EXTERNAL:
- sprintf(prompt,
- "Press Enter, then enter PIN for \"%s\" on external device.\n",
- PK11_GetTokenName(slot));
- (void) SECU_GetPasswordString(NULL, prompt);
- /* Fall Through */
- case PW_PLAINTEXT:
- return PL_strdup(pwdata->data);
- default:
- break;
- }
- PR_fprintf(PR_STDERR, "Password check failed: No password found.\n");
- return NULL;
- }
- char *
- secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg)
- {
- char *p0 = NULL;
- char *p1 = NULL;
- FILE *input, *output;
- secuPWData *pwdata = arg;
- if (pwdata->source == PW_FROMFILE) {
- return SECU_FilePasswd(slot, retry, pwdata->data);
- }
- if (pwdata->source == PW_PLAINTEXT) {
- return PL_strdup(pwdata->data);
- }
-
- /* PW_NONE - get it from tty */
- /* open terminal */
- #ifdef _WINDOWS
- input = stdin;
- #else
- input = fopen(consoleName, "r");
- #endif
- if (input == NULL) {
- PR_fprintf(PR_STDERR, "Error opening input terminal for read\n");
- return NULL;
- }
- /* we have no password, so initialize database with one */
- PR_fprintf(PR_STDERR,
- "Enter a password which will be used to encrypt your keys.\n"
- "The password should be at least 8 characters long,\n"
- "and should contain at least one non-alphabetic character.\n\n");
- output = fopen(consoleName, "w");
- if (output == NULL) {
- PR_fprintf(PR_STDERR, "Error opening output terminal for write\n");
- return NULL;
- }
- for (;;) {
- if (p0)
- PORT_Free(p0);
- p0 = SEC_GetPassword(input, output, "Enter new password: ",
- SEC_BlindCheckPassword);
- if (p1)
- PORT_Free(p1);
- p1 = SEC_GetPassword(input, output, "Re-enter password: ",
- SEC_BlindCheckPassword);
- if (p0 && p1 && !PORT_Strcmp(p0, p1)) {
- break;
- }
- PR_fprintf(PR_STDERR, "Passwords do not match. Try again.\n");
- }
-
- /* clear out the duplicate password string */
- secu_ClearPassword(p1);
-
- fclose(input);
- fclose(output);
- return p0;
- }
- SECStatus
- SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile)
- {
- return SECU_ChangePW2(slot, passwd, 0, pwFile, 0);
- }
- SECStatus
- SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
- char *oldPwFile, char *newPwFile)
- {
- SECStatus rv;
- secuPWData pwdata, newpwdata;
- char *oldpw = NULL, *newpw = NULL;
- if (oldPass) {
- pwdata.source = PW_PLAINTEXT;
- pwdata.data = oldPass;
- } else if (oldPwFile) {
- pwdata.source = PW_FROMFILE;
- pwdata.data = oldPwFile;
- } else {
- pwdata.source = PW_NONE;
- pwdata.data = NULL;
- }
- if (newPass) {
- newpwdata.source = PW_PLAINTEXT;
- newpwdata.data = newPass;
- } else if (newPwFile) {
- newpwdata.source = PW_FROMFILE;
- newpwdata.data = newPwFile;
- } else {
- newpwdata.source = PW_NONE;
- newpwdata.data = NULL;
- }
- if (PK11_NeedUserInit(slot)) {
- newpw = secu_InitSlotPassword(slot, PR_FALSE, &pwdata);
- rv = PK11_InitPin(slot, (char*)NULL, newpw);
- goto done;
- }
- for (;;) {
- oldpw = SECU_GetModulePassword(slot, PR_FALSE, &pwdata);
- if (PK11_CheckUserPassword(slot, oldpw) != SECSuccess) {
- if (pwdata.source == PW_NONE) {
- PR_fprintf(PR_STDERR, "Invalid password. Try again.\n");
- } else {
- PR_fprintf(PR_STDERR, "Invalid password.\n");
- PORT_Memset(oldpw, 0, PL_strlen(oldpw));
- PORT_Free(oldpw);
- return SECFailure;
- }
- } else
- break;
- PORT_Free(oldpw);
- }
- newpw = secu_InitSlotPassword(slot, PR_FALSE, &newpwdata);
- if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) {
- PR_fprintf(PR_STDERR, "Failed to change password.\n");
- return SECFailure;
- }
- PORT_Memset(oldpw, 0, PL_strlen(oldpw));
- PORT_Free(oldpw);
- PR_fprintf(PR_STDOUT, "Password changed successfully.\n");
- done:
- PORT_Memset(newpw, 0, PL_strlen(newpw));
- PORT_Free(newpw);
- return SECSuccess;
- }
- struct matchobj {
- SECItem index;
- char *nname;
- PRBool found;
- };
- char *
- SECU_DefaultSSLDir(void)
- {
- char *dir;
- static char sslDir[1000];
- dir = PR_GetEnv("SSL_DIR");
- if (!dir)
- return NULL;
- sprintf(sslDir, "%s", dir);
- if (sslDir[strlen(sslDir)-1] == '/')
- sslDir[strlen(sslDir)-1] = 0;
- return sslDir;
- }
- char *
- SECU_AppendFilenameToDir(char *dir, char *filename)
- {
- static char path[1000];
- if (dir[strlen(dir)-1] == '/')
- sprintf(path, "%s%s", dir, filename);
- else
- sprintf(path, "%s/%s", dir, filename);
- return path;
- }
- char *
- SECU_ConfigDirectory(const char* base)
- {
- static PRBool initted = PR_FALSE;
- const char *dir = ".netscape";
- char *home;
- static char buf[1000];
- if (initted) return buf;
-
- if (base == NULL || *base == 0) {
- home = PR_GetEnv("HOME");
- if (!home) home = "";
- if (*home && home[strlen(home) - 1] == '/')
- sprintf (buf, "%.900s%s", home, dir);
- else
- sprintf (buf, "%.900s/%s", home, dir);
- } else {
- sprintf(buf, "%.900s", base);
- if (buf[strlen(buf) - 1] == '/')
- buf[strlen(buf) - 1] = 0;
- }
- initted = PR_TRUE;
- return buf;
- }
- /*Turn off SSL for now */
- /* This gets called by SSL when server wants our cert & key */
- int
- SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
- struct CERTDistNamesStr *caNames,
- struct CERTCertificateStr **pRetCert,
- struct SECKEYPrivateKeyStr **pRetKey)
- {
- SECKEYPrivateKey *key;
- CERTCertificate *cert;
- int errsave;
- if (arg == NULL) {
- fprintf(stderr, "no key/cert name specified for client auth\n");
- return -1;
- }
- cert = PK11_FindCertFromNickname(arg, NULL);
- errsave = PORT_GetError();
- if (!cert) {
- if (errsave == SEC_ERROR_BAD_PASSWORD)
- fprintf(stderr, "Bad password\n");
- else if (errsave > 0)
- fprintf(stderr, "Unable to read cert (error %d)\n", errsave);
- else if (errsave == SEC_ERROR_BAD_DATABASE)
- fprintf(stderr, "Unable to get cert from database (%d)\n", errsave);
- else
- fprintf(stderr, "SECKEY_FindKeyByName: internal error %d\n", errsave);
- return -1;
- }
- key = PK11_FindKeyByAnyCert(arg,NULL);
- if (!key) {
- fprintf(stderr, "Unable to get key (%d)\n", PORT_GetError());
- return -1;
- }
- *pRetCert = cert;
- *pRetKey = key;
- return 0;
- }
- SECStatus
- secu_StdinToItem(SECItem *dst)
- {
- unsigned char buf[1000];
- PRInt32 numBytes;
- PRBool notDone = PR_TRUE;
- dst->len = 0;
- dst->data = NULL;
- while (notDone) {
- numBytes = PR_Read(PR_STDIN, buf, sizeof(buf));
- if (numBytes < 0) {
- return SECFailure;
- }
- if (numBytes == 0)
- break;
- if (dst->data) {
- unsigned char * p = dst->data;
- dst->data = (unsigned char*)PORT_Realloc(p, dst->len + numBytes);
- if (!dst->data) {
- PORT_Free(p);
- }
- } else {
- dst->data = (unsigned char*)PORT_Alloc(numBytes);
- }
- if (!dst->data) {
- return SECFailure;
- }
- PORT_Memcpy(dst->data + dst->len, buf, numBytes);
- dst->len += numBytes;
- }
- return SECSuccess;
- }
- SECStatus
- SECU_FileToItem(SECItem *dst, PRFileDesc *src)
- {
- PRFileInfo info;
- PRInt32 numBytes;
- PRStatus prStatus;
- if (src == PR_STDIN)
- return secu_StdinToItem(dst);
- prStatus = PR_GetOpenFileInfo(src, &info);
- if (prStatus != PR_SUCCESS) {
- PORT_SetError(SEC_ERROR_IO);
- return SECFailure;
- }
- /* XXX workaround for 3.1, not all utils zero dst before sending */
- dst->data = 0;
- if (!SECITEM_AllocItem(NULL, dst, info.size))
- goto loser;
- numBytes = PR_Read(src, dst->data, info.size);
- if (numBytes != info.size) {
- PORT_SetError(SEC_ERROR_IO);
- goto loser;
- }
- return SECSuccess;
- loser:
- SECITEM_FreeItem(dst, PR_FALSE);
- dst->data = NULL;
- return SECFailure;
- }
- SECStatus
- SECU_TextFileToItem(SECItem *dst, PRFileDesc *src)
- {
- PRFileInfo info;
- PRInt32 numBytes;
- PRStatus prStatus;
- unsigned char *buf;
- if (src == PR_STDIN)
- return secu_StdinToItem(dst);
- prStatus = PR_GetOpenFileInfo(src, &info);
- if (prStatus != PR_SUCCESS) {
- PORT_SetError(SEC_ERROR_IO);
- return SECFailure;
- }
- buf = (unsigned char*)PORT_Alloc(info.size);
- if (!buf)
- return SECFailure;
- numBytes = PR_Read(src, buf, info.size);
- if (numBytes != info.size) {
- PORT_SetError(SEC_ERROR_IO);
- goto loser;
- }
- if (buf[numBytes-1] == '\n') numBytes--;
- #ifdef _WINDOWS
- if (buf[numBytes-1] == '\r') numBytes--;
- #endif
- /* XXX workaround for 3.1, not all utils zero dst before sending */
- dst->data = 0;
- if (!SECITEM_AllocItem(NULL, dst, numBytes))
- goto loser;
- memcpy(dst->data, buf, numBytes);
- PORT_Free(buf);
- return SECSuccess;
- loser:
- PORT_Free(buf);
- return SECFailure;
- }
- SECStatus
- SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
- {
- SECStatus rv;
- if (ascii) {
- /* First convert ascii to binary */
- SECItem filedata;
- char *asc, *body;
- /* Read in ascii data */
- rv = SECU_FileToItem(&filedata, inFile);
- asc = (char *)filedata.data;
- if (!asc) {
- fprintf(stderr, "unable to read data from input file\n");
- return SECFailure;
- }
- /* check for headers and trailers and remove them */
- if ((body = strstr(asc, "-----BEGIN")) != NULL) {
- char *trailer = NULL;
- asc = body;
- body = PORT_Strchr(body, '\n');
- if (!body)
- body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */
- if (body)
- trailer = strstr(++body, "-----END");
- if (trailer != NULL) {
- *trailer = '\0';
- } else {
- fprintf(stderr, "input has header but no trailer\n");
- PORT_Free(filedata.data);
- return SECFailure;
- }
- } else {
- body = asc;
- }
-
- /* Convert to binary */
- rv = ATOB_ConvertAsciiToItem(der, body);
- if (rv) {
- fprintf(stderr, "error converting ascii to binary (%s)\n",
- SECU_Strerror(PORT_GetError()));
- PORT_Free(filedata.data);
- return SECFailure;
- }
- PORT_Free(filedata.data);
- } else {
- /* Read in binary der */
- rv = SECU_FileToItem(der, inFile);
- if (rv) {
- fprintf(stderr, "error converting der (%s)\n",
- SECU_Strerror(PORT_GetError()));
- return SECFailure;
- }
- }
- return SECSuccess;
- }
- #define INDENT_MULT 4
- void
- SECU_Indent(FILE *out, int level)
- {
- int i;
- for (i = 0; i < level; i++) {
- fprintf(out, " ");
- }
- }
- static void secu_Newline(FILE *out)
- {
- fprintf(out, "\n");
- }
- void
- SECU_PrintAsHex(FILE *out, SECItem *data, const char *m, int level)
- {
- unsigned i;
- int column;
- PRBool isString = PR_TRUE;
- PRBool isWhiteSpace = PR_TRUE;
- PRBool printedHex = PR_FALSE;
- unsigned int limit = 15;
- if ( m ) {
- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
- level++;
- }
-
- SECU_Indent(out, level); column = level*INDENT_MULT;
- if (!data->len) {
- fprintf(out, "(empty)\n");
- return;
- }
- /* take a pass to see if it's all printable. */
- for (i = 0; i < data->len; i++) {
- unsigned char val = data->data[i];
- if (!val || !isprint(val)) {
- isString = PR_FALSE;
- break;
- }
- if (isWhiteSpace && !isspace(val)) {
- isWhiteSpace = PR_FALSE;
- }
- }
- /* Short values, such as bit strings (which are printed with this
- ** function) often look like strings, but we want to see the bits.
- ** so this test assures that short values will be printed in hex,
- ** perhaps in addition to being printed as strings.
- ** The threshold size (4 bytes) is arbitrary.
- */
- if (!isString || data->len <= 4) {
- for (i = 0; i < data->len; i++) {
- if (i != data->len - 1) {
- fprintf(out, "%02x:", data->data[i]);
- column += 3;
- } else {
- fprintf(out, "%02x", data->data[i]);
- column += 2;
- break;
- }
- if (column > 76 || (i % 16 == limit)) {
- secu_Newline(out);
- SECU_Indent(out, level);
- column = level*INDENT_MULT;
- limit = i % 16;
- }
- }
- printedHex = PR_TRUE;
- }
- if (isString && !isWhiteSpace) {
- if (printedHex != PR_FALSE) {
- secu_Newline(out);
- SECU_Indent(out, level); column = level*INDENT_MULT;
- }
- for (i = 0; i < data->len; i++) {
- unsigned char val = data->data[i];
- if (val) {
- fprintf(out,"%c",val);
- column++;
- } else {
- column = 77;
- }
- if (column > 76) {
- secu_Newline(out);
- SECU_Indent(out, level); column = level*INDENT_MULT;
- }
- }
- }
-
- if (column != level*INDENT_MULT) {
- secu_Newline(out);
- }
- }
- static const char *hex = "0123456789abcdef";
- static const char printable[257] = {
- "................" /* 0x */
- "................" /* 1x */
- " !\"#$%&'()*+,-./" /* 2x */
- "0123456789:;<=>?" /* 3x */
- "@ABCDEFGHIJKLMNO" /* 4x */
- "PQRSTUVWXYZ[\\]^_" /* 5x */
- "`abcdefghijklmno" /* 6x */
- "pqrstuvwxyz{|}~." /* 7x */
- "................" /* 8x */
- "................" /* 9x */
- "................" /* ax */
- "................" /* bx */
- "................" /* cx */
- "................" /* dx */
- "................" /* ex */
- "................" /* fx */
- };
- void
- SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len)
- {
- const unsigned char *cp = (const unsigned char *)vp;
- char buf[80];
- char *bp;
- char *ap;
- fprintf(out, "%s [Len: %d]\n", msg, len);
- memset(buf, ' ', sizeof buf);
- bp = buf;
- ap = buf + 50;
- while (--len >= 0) {
- unsigned char ch = *cp++;
- *bp++ = hex[(ch >> 4) & 0xf];
- *bp++ = hex[ch & 0xf];
- *bp++ = ' ';
- *ap++ = printable[ch];
- if (ap - buf >= 66) {
- *ap = 0;
- fprintf(out, " %s\n", buf);
- memset(buf, ' ', sizeof buf);
- bp = buf;
- ap = buf + 50;
- }
- }
- if (bp > buf) {
- *ap = 0;
- fprintf(out, " %s\n", buf);
- }
- }
- SECStatus
- SECU_StripTagAndLength(SECItem *i)
- {
- unsigned int start;
- if (!i || !i->data || i->len < 2) { /* must be at least tag and length */
- return SECFailure;
- }
- start = ((i->data[1] & 0x80) ? (i->data[1] & 0x7f) + 2 : 2);
- if (i->len < start) {
- return SECFailure;
- }
- i->data += start;
- i->len -= start;
- return SECSuccess;
- }
- /* This expents i->data[0] to be the MSB of the integer.
- ** if you want to print a DER-encoded integer (with the tag and length)
- ** call SECU_PrintEncodedInteger();
- */
- void
- SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level)
- {
- int iv;
- if (!i || !i->len || !i->data) {
- SECU_Indent(out, level);
- if (m) {
- fprintf(out, "%s: (null)\n", m);
- } else {
- fprintf(out, "(null)\n");
- }
- } else if (i->len > 4) {
- SECU_PrintAsHex(out, i, m, level);
- } else {
- if (i->type == siUnsignedInteger && *i->data & 0x80) {
- /* Make sure i->data has zero in the highest bite
- * if i->data is an unsigned integer */
- SECItem tmpI;
- char data[] = {0, 0, 0, 0, 0};
- PORT_Memcpy(data + 1, i->data, i->len);
- tmpI.len = i->len + 1;
- tmpI.data = (void*)data;
- iv = DER_GetInteger(&tmpI);
- } else {
- iv = DER_GetInteger(i);
- }
- SECU_Indent(out, level);
- if (m) {
- fprintf(out, "%s: %d (0x%x)\n", m, iv, iv);
- } else {
- fprintf(out, "%d (0x%x)\n", iv, iv);
- }
- }
- }
- static void
- secu_PrintRawString(FILE *out, SECItem *si, char *m, int level)
- {
- int column;
- unsigned int i;
- if ( m ) {
- SECU_Indent(out, level); fprintf(out, "%s: ", m);
- column = (level * INDENT_MULT) + strlen(m) + 2;
- level++;
- } else {
- SECU_Indent(out, level);
- column = level*INDENT_MULT;
- }
- fprintf(out, "\""); column++;
- for (i = 0; i < si->len; i++) {
- unsigned char val = si->data[i];
- if (column > 76) {
- secu_Newline(out);
- SECU_Indent(out, level); column = level*INDENT_MULT;
- }
- fprintf(out,"%c", printable[val]); column++;
- }
- fprintf(out, "\""); column++;
- if (column != level*INDENT_MULT || column > 76) {
- secu_Newline(out);
- }
- }
- void
- SECU_PrintString(FILE *out, SECItem *si, char *m, int level)
- {
- SECItem my = *si;
- if (SECSuccess != SECU_StripTagAndLength(&my) || !my.len)
- return;
- secu_PrintRawString(out, &my, m, level);
- }
- /* print an unencoded boolean */
- static void
- secu_PrintBoolean(FILE *out, SECItem *i, const char *m, int level)
- {
- int val = 0;
-
- if ( i->data && i->len ) {
- val = i->data[0];
- }
- if (!m) {
- m = "Boolean";
- }
- SECU_Indent(out, level);
- fprintf(out, "%s: %s\n", m, (val ? "True" : "False"));
- }
- /*
- * Format and print "time". If the tag message "m" is not NULL,
- * do indent formatting based on "level" and add a newline afterward;
- * otherwise just print the formatted time string only.
- */
- static void
- secu_PrintTime(FILE *out, int64 time, char *m, int level)
- {
- PRExplodedTime printableTime;
- char *timeString;
- /* Convert to local time */
- PR_ExplodeTime(time, PR_GMTParameters, &printableTime);
- timeString = PORT_Alloc(256);
- if (timeString == NULL)
- return;
- if (m != NULL) {
- SECU_Indent(out, level);
- fprintf(out, "%s: ", m);
- }
- if (PR_FormatTime(timeString, 256, "%a %b %d %H:%M:%S %Y", &printableTime)) {
- fprintf(out, timeString);
- }
- if (m != NULL)
- fprintf(out, "\n");
- PORT_Free(timeString);
- }
- /*
- * Format and print the UTC Time "t". If the tag message "m" is not NULL,
- * do indent formatting based on "level" and add a newline afterward;
- * otherwise just print the formatted time string only.
- */
- void
- SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level)
- {
- int64 time;
- SECStatus rv;
- rv = DER_UTCTimeToTime(&time, t);
- if (rv != SECSuccess)
- return;
- secu_PrintTime(out, time, m, level);
- }
- /*
- * Format and print the Generalized Time "t". If the tag message "m"
- * is not NULL, * do indent formatting based on "level" and add a newline
- * afterward; otherwise just print the formatted time string only.
- */
- void
- SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m, int level)
- {
- int64 time;
- SECStatus rv;
- rv = DER_GeneralizedTimeToTime(&time, t);
- if (rv != SECSuccess)
- return;
- secu_PrintTime(out, time, m, level);
- }
- /*
- * Format and print the UTC or Generalized Time "t". If the tag message
- * "m" is not NULL, do indent formatting based on "level" and add a newline
- * afterward; otherwise just print the formatted time string only.
- */
- void
- SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level)
- {
- switch (t->type) {
- case siUTCTime:
- SECU_PrintUTCTime(out, t, m, level);
- break;
- case siGeneralizedTime:
- SECU_PrintGeneralizedTime(out, t, m, level);
- break;
- default:
- PORT_Assert(0);
- break;
- }
- }
- /* This prints a SET or SEQUENCE */
- void
- SECU_PrintSet(FILE *out, SECItem *t, char *m, int level)
- {
- int type = t->data[0] & SEC_ASN1_TAGNUM_MASK;
- int constructed = t->data[0] & SEC_ASN1_CONSTRUCTED;
- const char * label;
- SECItem my = *t;
- if (!constructed) {
- SECU_PrintAsHex(out, t, m, level);
- return;
- }
- if (SECSuccess != SECU_StripTagAndLength(&my))
- return;
- SECU_Indent(out, level);
- if (m) {
- fprintf(out, "%s: ", m);
- }
- if (type == SEC_ASN1_SET)
- label = "Set ";
- else if (type == SEC_ASN1_SEQUENCE)
- label = "Sequence ";
- else
- label = "";
- fprintf(out,"%s{\n", label); /* } */
- while (my.len >= 2) {
- SECItem tmp = my;
- if (tmp.data[1] & 0x80) {
- unsigned int i;
- unsigned int lenlen = tmp.data[1] & 0x7f;
- if (lenlen > sizeof tmp.len)
- break;
- tmp.len = 0;
- for (i=0; i < lenlen; i++) {
- tmp.len = (tmp.len << 8) | tmp.data[2+i];
- }
- tmp.len += lenlen + 2;
- } else {
- tmp.len = tmp.data[1] + 2;
- }
- if (tmp.len > my.len) {
- tmp.len = my.len;
- }
- my.data += tmp.len;
- my.len -= tmp.len;
- SECU_PrintAny(out, &tmp, NULL, level + 1);
- }
- SECU_Indent(out, level); fprintf(out, /* { */ "}\n");
- }
- static void
- secu_PrintContextSpecific(FILE *out, SECItem *i, char *m, int level)
- {
- int type = i->data[0] & SEC_ASN1_TAGNUM_MASK;
- int constructed = i->data[0] & SEC_ASN1_CONSTRUCTED;
- SECItem tmp;
- if (constructed) {
- char * m2;
- if (!m)
- m2 = PR_smprintf("[%d]", type);
- else
- m2 = PR_smprintf("%s: [%d]", m, type);
- if (m2) {
- SECU_PrintSet(out, i, m2, level);
- PR_smprintf_free(m2);
- }
- return;
- }
- SECU_Indent(out, level);
- if (m) {
- fprintf(out, "%s: ", m);
- }
- fprintf(out,"[%d]\n", type);
- tmp = *i;
- if (SECSuccess == SECU_StripTagAndLength(&tmp))
- SECU_PrintAsHex(out, &tmp, m, level+1);
- }
- static void
- secu_PrintOctetString(FILE *out, SECItem *i, char *m, int level)
- {
- SECItem tmp = *i;
- if (SECSuccess == SECU_StripTagAndLength(&tmp))
- SECU_PrintAsHex(out, &tmp, m, level);
- }
- static void
- secu_PrintBitString(FILE *out, SECItem *i, char *m, int level)
- {
- int unused_bits;
- SECItem tmp = *i;
- if (SECSuccess != SECU_StripTagAndLength(&tmp) || tmp.len < 2)
- return;
- unused_bits = *tmp.data++;
- tmp.len--;
- SECU_PrintAsHex(out, &tmp, m, level);
- if (unused_bits) {
- SECU_Indent(out, level + 1);
- fprintf(out, "(%d least significant bits unused)\n", unused_bits);
- }
- }
- /* in a decoded bit string, the len member is a bit length. */
- static void
- secu_PrintDecodedBitString(FILE *out, SECItem *i, char *m, int level)
- {
- int unused_bits;
- SECItem tmp = *i;
- unused_bits = (tmp.len & 0x7) ? 8 - (tmp.len & 7) : 0;
- DER_ConvertBitString(&tmp); /* convert length to byte length */
- SECU_PrintAsHex(out, &tmp, m, level);
- if (unused_bits) {
- SECU_Indent(out, level + 1);
- fprintf(out, "(%d least significant bits unused)\n", unused_bits);
- }
- }
- /* Print a DER encoded Boolean */
- void
- SECU_PrintEncodedBoolean(FILE *out, SECItem *i, char *m, int level)
- {
- SECItem my = *i;
- if (SECSuccess == SECU_StripTagAndLength(&my))
- secu_PrintBoolean(out, &my, m, level);
- }
- /* Print a DER encoded integer */
- void
- SECU_PrintEncodedInteger(FILE *out, SECItem *i, char *m, int level)
- {
- SECItem my = *i;
- if (SECSuccess == SECU_StripTagAndLength(&my))
- SECU_PrintInteger(out, &my, m, level);
- }
- /* Print a DER encoded OID */
- void
- SECU_PrintEncodedObjectID(FILE *out, SECItem *i, char *m, int level)
- {
- SECItem my = *i;
- if (SECSuccess == SECU_StripTagAndLength(&my))
- SECU_PrintObjectID(out, &my, m, level);
- }
- static void
- secu_PrintBMPString(FILE *out, SECItem *i, char *m, int level)
- {
- unsigned char * s;
- unsigned char * d;
- int len;
- SECItem tmp = {0, 0, 0};
- SECItem my = *i;
- if (SECSuccess != SECU_StripTagAndLength(&my))
- goto loser;
- if (my.len % 2)
- goto loser;
- len = (int)(my.len / 2);
- tmp.data = (unsigned char *)PORT_Alloc(len);
- if (!tmp.data)
- goto loser;
- tmp.len = len;
- for (s = my.data, d = tmp.data ; len > 0; len--) {
- PRUint32 bmpChar = (s[0] << 8) | s[1]; s += 2;
- if (!isprint(bmpChar))
- goto loser;
- *d++ = (unsigned char)bmpChar;
- }
- secu_PrintRawString(out, &tmp, m, level);
- PORT_Free(tmp.data);
- return;
- loser:
- SECU_PrintAsHex(out, i, m, level);
- if (tmp.data)
- PORT_Free(tmp.data);
- }
- static void
- secu_PrintUniversalString(FILE *out, SECItem *i, char *m, int level)
- {
- unsigned char * s;
- unsigned char * d;
- int len;
- SECItem tmp = {0, 0, 0};
- SECItem my = *i;
- if (SECSuccess != SECU_StripTagAndLength(&my))
- goto loser;
- if (my.len % 4)
- goto loser;
- len = (int)(my.len / 4);
- tmp.data = (unsigned char *)PORT_Alloc(len);
- if (!tmp.data)
- goto loser;
- tmp.len = len;
- for (s = my.data, d = tmp.data ; len > 0; len--) {
- PRUint32 bmpChar = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3];
- s += 4;
- if (!isprint(bmpChar))
- goto loser;
- *d++ = (unsigned char)bmpChar;
- }
- secu_PrintRawString(out, &tmp, m, level);
- PORT_Free(tmp.data);
- return;
- loser:
- SECU_PrintAsHex(out, i, m, level);
- if (tmp.data)
- PORT_Free(tmp.data);
- }
- static void
- secu_PrintUniversal(FILE *out, SECItem *i, char *m, int level)
- {
- switch (i->data[0] & SEC_ASN1_TAGNUM_MASK) {
- case SEC_ASN1_ENUMERATED:
- case SEC_ASN1_INTEGER:
- SECU_PrintEncodedInteger(out, i, m, level);
- break;
- case SEC_ASN1_OBJECT_ID:
- SECU_PrintEncodedObjectID(out, i, m, level);
- break;
- case SEC_ASN1_BOOLEAN:
- SECU_PrintEncodedBoolean(out, i, m, level);
- break;
- case SEC_ASN1_UTF8_STRING:
- case SEC_ASN1_PRINTABLE_STRING:
- case SEC_ASN1_VISIBLE_STRING:
- case SEC_ASN1_IA5_STRING:
- case SEC_ASN1_T61_STRING:
- SECU_PrintString(out, i, m, level);
- break;
- case SEC_ASN1_GENERALIZED_TIME:
- SECU_PrintGeneralizedTime(out, i, m, level);
- break;
- case SEC_ASN1_UTC_TIME:
- SECU_PrintUTCTime(out, i, m, level);
- break;
- case SEC_ASN1_NULL:
- SECU_Indent(out, level);
- if (m && m[0])
- fprintf(out, "%s: NULL\n", m);
- else
- fprintf(out, "NULL\n");
- break;
- case SEC_ASN1_SET:
- case SEC_ASN1_SEQUENCE:
- SECU_PrintSet(out, i, m, level);
- break;
- case SEC_ASN1_OCTET_STRING:
- secu_PrintOctetString(out, i, m, level);
- break;
- case SEC_ASN1_BIT_STRING:
- secu_PrintBitString(out, i, m, level);
- break;
- case SEC_ASN1_BMP_STRING:
- secu_PrintBMPString(out, i, m, level);
- break;
- case SEC_ASN1_UNIVERSAL_STRING:
- secu_PrintUniversalString(out, i, m, level);
- break;
- default:
- SECU_PrintAsHex(out, i, m, level);
- break;
- }
- }
- void
- SECU_PrintAny(FILE *out, SECItem *i, char *m, int level)
- {
- if ( i && i->len && i->data ) {
- switch (i->data[0] & SEC_ASN1_CLASS_MASK) {
- case SEC_ASN1_CONTEXT_SPECIFIC:
- secu_PrintContextSpecific(out, i, m, level);
- break;
- case SEC_ASN1_UNIVERSAL:
- secu_PrintUniversal(out, i, m, level);
- break;
- default:
- SECU_PrintAsHex(out, i, m, level);
- break;
- }
- }
- }
- static int
- secu_PrintValidity(FILE *out, CERTValidity *v, char *m, int level)
- {
- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
- SECU_PrintTimeChoice(out, &v->notBefore, "Not Before", level+1);
- SECU_PrintTimeChoice(out, &v->notAfter, "Not After ", level+1);
- return 0;
- }
- /* This function does NOT expect a DER type and length. */
- SECOidTag
- SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level)
- {
- SECOidData *oiddata;
- char * oidString = NULL;
-
- oiddata = SECOID_FindOID(oid);
- if (oiddata != NULL) {
- const char *name = oiddata->desc;
- SECU_Indent(out, level);
- if (m != NULL)
- fprintf(out, "%s: ", m);
- fprintf(out, "%s\n", name);
- return oiddata->offset;
- }
- oidString = CERT_GetOidString(oid);
- if (oidString) {
- SECU_Indent(out, level);
- if (m != NULL)
- fprintf(out, "%s: ", m);
- fprintf(out, "%s\n", oidString);
- PR_smprintf_free(oidString);
- return SEC_OID_UNKNOWN;
- }
- SECU_PrintAsHex(out, oid, m, level);
- return SEC_OID_UNKNOWN;
- }
- typedef struct secuPBEParamsStr {
- SECItem salt;
- SECItem iterationCount;
- SECItem keyLength;
- SECAlgorithmID cipherAlg;
- SECAlgorithmID kdfAlg;
- } secuPBEParams;
- SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate);
- /* SECOID_PKCS5_PBKDF2 */
- const SEC_ASN1Template secuKDF2Params[] =
- {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
- { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
- { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
- { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
- { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
- { 0 }
- };
- /* PKCS5v1 & PKCS12 */
- const SEC_ASN1Template secuPBEParamsTemp[] =
- {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
- { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
- { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
- { 0 }
- };
- /* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */
- const SEC_ASN1Template secuPBEV2Params[] =
- {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams)},
- { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
- { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
- { 0 }
- };
- void
- secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level)
- {
- PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- SECStatus rv;
- secuPBEParams param;
- if (m) {
- SECU_Indent(out, level);
- fprintf (out, "%s:\n", m);
- }
- if (!pool) {
- SECU_Indent(out, level);
- fprintf(out, "Out of memory\n");
- return;
- }
- PORT_Memset(¶m, 0, sizeof param);
- rv = SEC_QuickDERDecodeItem(pool, ¶m, secuKDF2Params, value);
- if (rv == SECSuccess) {
- SECU_PrintAsHex(out, ¶m.salt, "Salt", level+1);
- SECU_PrintInteger(out, ¶m.iterationCount, "Iteration Count",
- level+1);
- SECU_PrintInteger(out, ¶m.keyLength, "Key Length", level+1);
- SECU_PrintAlgorithmID(out, ¶m.kdfAlg, "KDF algorithm", level+1);
- }
- PORT_FreeArena(pool, PR_FALSE);
- }
- void
- secu_PrintPKCS5V2Params(FILE *out, SECItem *value, char *m, int level)
- {
- PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- SECStatus rv;
- secuPBEParams param;
- if (m) {
- SECU_Indent(out, level);
- fprintf (out, "%s:\n", m);
- }
- if (!pool) {
- SECU_Indent(out, level);
- fprintf(out, "Out of memory\n");
- return;
- }
- PORT_Memset(¶m, 0, sizeof param);
- rv = SEC_QuickDERDecodeItem(pool, ¶m, secuPBEV2Params, value);
- if (rv == SECSuccess) {
- SECU_PrintAlgorithmID(out, ¶m.kdfAlg, "KDF", level+1);
- SECU_PrintAlgorithmID(out, ¶m.cipherAlg, "Cipher", level+1);
- }
- PORT_FreeArena(pool, PR_FALSE);
- }
- void
- secu_PrintPBEParams(FILE *out, SECItem *value, char *m, int level)
- {
- PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- SECStatus rv;
- secuPBEParams param;
- if (m) {
- SECU_Indent(out, level);
- fprintf (out, "%s:\n", m);
- }
- if (!pool) {
- SECU_Indent(out, level);
- fprintf(out, "Out of memory\n");
- return;
- }
- PORT_Memset(¶m, 0, sizeof(secuPBEParams));
- rv = SEC_QuickDERDecodeItem(pool, ¶m, secuPBEParamsTemp, value);
- if (rv == SECSuccess) {
- SECU_PrintAsHex(out, ¶m.salt, "Salt", level+1);
- SECU_PrintInteger(out, ¶m.iterationCount, "Iteration Count",
- level+1);
- }
- PORT_FreeArena(pool, PR_FALSE);
- }
- /* This function does NOT expect a DER type and length. */
- void
- SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level)
- {
- SECOidTag algtag;
- SECU_PrintObjectID(out, &a->algorithm, m, level);
- algtag = SECOID_GetAlgorithmTag(a);
- if (SEC_PKCS5IsAlgorithmPBEAlgTag(algtag)) {
- switch (algtag) {
- case SEC_OID_PKCS5_PBKDF2:
- secu_PrintKDF2Params(out, &a->parameters, "Parameters", level+1);
- break;
- case SEC_OID_PKCS5_PBES2:
- secu_PrintPKCS5V2Params(out, &a->parameters, "Encryption", level+1);
- break;
- case SEC_OID_PKCS5_PBMAC1:
- secu_PrintPKCS5V2Params(out, &a->parameters, "MAC", level+1);
- break;
- default:
- secu_PrintPBEParams(out, &a->parameters, "Parameters", level+1);
- break;
- }
- return;
- }
-
- if (a->parameters.len == 0
- || (a->parameters.len == 2
- && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) {
- /* No arguments or NULL argument */
- } else {
- /* Print args to algorithm */
- SECU_PrintAsHex(out, &a->parameters, "Args", level+1);
- }
- }
- static void
- secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m, int level)
- {
- SECItem *value;
- int i;
- char om[100];
- if (m) {
- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
- }
- /*
- * Should make this smarter; look at the type field and then decode
- * and print the value(s) appropriately!
- */
- SECU_PrintObjectID(out, &(attr->type), "Type", level+1);
- if (attr->values != NULL) {
- i = 0;
- while ((value = attr->values[i++]) != NULL) {
- sprintf(om, "Value (%d)%s", i, attr->encoded ? " (encoded)" : "");
- if (attr->encoded || attr->typeTag == NULL) {
- SECU_PrintAny(out, value, om, level+1);
- } else {
- switch (attr->typeTag->offset) {
- default:
- SECU_PrintAsHex(out, value, om, level+1);
- break;
- case SEC_OID_PKCS9_CONTENT_TYPE:
- SECU_PrintObjectID(out, value, om, level+1);
- break;
- case SEC_OID_PKCS9_SIGNING_TIME:
- SECU_PrintTimeChoice(out, value, om, level+1);
- break;
- }
- }
- }
- }
- }
- static void
- secu_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
- {
- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
- SECU_PrintInteger(out, &pk->u.rsa.modulus, "Modulus", level+1);
- SECU_PrintInteger(out, &pk->u.rsa.publicExponent, "Exponent", level+1);
- if (pk->u.rsa.publicExponent.len == 1 &&
- pk->u.rsa.publicExponent.data[0] == 1) {
- SECU_Indent(out, level +1); fprintf(out, "Error: INVALID RSA KEY!\n");
- }
- }
- static void
- secu_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
- {
- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
- SECU_PrintInteger(out, &pk->u.dsa.params.prime, "Prime", level+1);
- SECU_PrintInteger(out, &pk->u.dsa.params.subPrime, "Subprime", level+1);
- SECU_PrintInteger(out, &pk->u.dsa.params.base, "Base", level+1);
- SECU_PrintInteger(out, &pk->u.dsa.publicValue, "PublicValue", level+1);
- }
- #ifdef NSS_ENABLE_ECC
- static void
- secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
- {
- SECItem curveOID = { siBuffer, NULL, 0};
- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
- SECU_PrintInteger(out, &pk->u.ec.publicValue, "PublicValue", level+1);
- /* For named curves, the DEREncodedParams field contains an
- * ASN Object ID (0x06 is SEC_ASN1_OBJECT_ID).
- */
- if ((pk->u.ec.DEREncodedParams.len > 2) &&
- (pk->u.ec.DEREncodedParams.data[0] == 0x06)) {
- curveOID.len = pk->u.ec.DEREncodedParams.data[1];
- curveOID.data = pk->u.ec.DEREncodedParams.data + 2;
- SECU_PrintObjectID(out, &curveOID, "Curve", level +1);
- }
- }
- #endif /* NSS_ENABLE_ECC */
- static void
- secu_PrintSubjectPublicKeyInfo(FILE *out, PRArenaPool *arena,
- CERTSubjectPublicKeyInfo *i, char *msg, int level)
- {
- SECKEYPublicKey *pk;
- SECU_Indent(out, level); fprintf(out, "%s:\n", msg);
- SECU_PrintAlgorithmID(out, &i->algorithm, "Public Key Algorithm", level+1);
- pk = SECKEY_ExtractPublicKey(i);
- if (pk) {
- switch (pk->keyType) {
- case rsaKey:
- secu_PrintRSAPublicKey(out, pk, "RSA Public Key", level +1);
- break;
- case dsaKey:
- secu_PrintDSAPublicKey(out, pk, "DSA Public Key", level +1);
- break;
- #ifdef NSS_ENABLE_ECC
- case ecKey:
- secu_PrintECPublicKey(out, pk, "EC Public Key", level +1);
- break;
- #endif
- case dhKey:
- case fortezzaKey:
- case keaKey:
- SECU_Indent(out, level);
- fprintf(out, "unable to format this SPKI algorithm type\n");
- goto loser;
- default:
- SECU_Indent(out, level);
- fprintf(out, "unknown SPKI algorithm type\n");
- goto loser;
- }
- PORT_FreeArena(pk->arena, PR_FALSE);
- } else {
- SECU_PrintErrMsg(out, level, "Error", "Parsing public key");
- loser:
- if (i->subjectPublicKey.data) {
- SECU_PrintAny(out, &i->subjectPublicKey, "Raw", level);
- }
- }
- }
- static SECStatus
- secu_PrintX509InvalidDate(FILE *out, SECItem *value, char *msg, int level)
- {
- SECItem decodedValue;
- SECStatus rv;
- int64 invalidTime;
- char *formattedTime = NULL;
- decodedValue.data = NULL;
- rv = SEC_ASN1DecodeItem (NULL, &decodedValue,
- SEC_ASN1_GET(SEC_GeneralizedTimeTemplate),
- value);
- if (rv == SECSuccess) {
- rv = DER_GeneralizedTimeToTime(&invalidTime, &decodedValue);
- if (rv == SECSuccess) {
- formattedTime = CERT_GenTime2FormattedAscii
- (invalidTime, "%a %b %d %H:%M:%S %Y");
- SECU_Indent(out, level +1);
- fprintf (out, "%s: %s\n", msg, formattedTime);
- PORT_Free (formattedTime);
- }
- }
- PORT_Free (decodedValue.data);
- return (rv);
- }
- static SECStatus
- PrintExtKeyUsageExtension (FILE *out, SECItem *value, char *msg, int level)
- {
- CERTOidSequence *os;
- SECItem **op;
- os = CERT_DecodeOidSequence(value);
- if( (CERTOidSequence *)NULL == os ) {
- return SECFailure;
- }
- for( op = os->oids; *op; op++ ) {
- SECU_PrintObjectID(out, *op, msg, level + 1);
- }
- CERT_DestroyOidSequence(os);
- return SECSuccess;
- }
- static SECStatus
- secu_PrintBasicConstraints(FILE *out, SECItem *value, char *msg, int level) {
- CERTBasicConstraints constraints;
- SECStatus rv;
- SECU_Indent(out, level);
- if (msg) {
- fprintf(out,"%s: ",msg);
- }
- rv = CERT_DecodeBasicConstraintValue(&constraints,value);
- if (rv == SECSuccess && constraints.isCA) {
- if (constraints.pathLenConstraint >= 0) {
- fprintf(out,"Is a CA with a maximum path length of %d.\n",
- constraints.pathLenConstraint);
- } else {
- fprintf(out,"Is a CA with no maximum path length.\n");
- }
- } else {
- fprintf(out,"Is not a CA.\n");
- }
- return SECSuccess;
- }
- static const char * const nsTypeBits[] = {
- "SSL Client",
- "SSL Server",
- "S/MIME",
- "Object Signing",
- "Reserved",
- "SSL CA",
- "S/MIME CA",
- "ObjectSigning CA"
- };
- /* NSCertType is merely a bit string whose bits are displayed symbolically */
- static SECStatus
- secu_PrintNSCertType(FILE *out, SECItem *value, char *msg, int level)
- {
- int unused;
- int NS_Type;
- int i;
- int found = 0;
- SECItem my = *value;
- if ((my.data[0] != SEC_ASN1_BIT_STRING) ||
- SECSuccess != SECU_StripTagAndLength(&my)) {
- SECU_PrintAny(out, value, "Data", level);
- return SECSuccess;
- }
- unused = (my.len == 2) ? (my.data[0] & 0x0f) : 0;
- NS_Type = my.data[1] & (0xff << unused);
-
- SECU_Indent(out, level);
- if (msg) {
- fprintf(out,"%s: ",msg);
- } else {
- fprintf(out,"Netscape Certificate Type: ");
- }
- for (i=0; i < 8; i++) {
- if ( (0x80 >> i) & NS_Type) {
- fprintf(out, "%c%s", (found ? ',' : '<'), nsTypeBits[i]);
- found = 1;
- }
- }
- fprintf(out, (found ? ">\n" : "none\n"));
- return SECSuccess;
- }
- static const char * const usageBits[] = {
- "Digital Signature", /* 0x80 */
- "Non-Repudiation", /* 0x40 */
- "Key Encipherment", /* 0x20 */
- "Data Encipherment", /* 0x10 */
- "Key Agreement", /* 0x08 */
- "Certificate Signing", /* 0x04 */
- "CRL Signing", /* 0x02 */
- "Encipher Only", /* 0x01 */
- "Decipher Only", /* 0x0080 */
- NULL
- };
- /* X509KeyUsage is merely a bit string whose bits are displayed symbolically */
- static void
- secu_PrintX509KeyUsage(FILE *out, SECItem *value, char *msg, int level)
- {
- int unused;
- int usage;
- int i;
- int found = 0;
- SECItem my = *value;
- if ((my.data[0] != SEC_ASN1_BIT_STRING) ||
- SECSuccess != SECU_StripTagAndLength(&my)) {
- SECU_PrintAny(out, value, "Data", level);
- return;
- }
- unused = (my.len >= 2) ? (my.data[0] & 0x0f) : 0;
- usage = (my.len == 2) ? (my.data[1] & (0xff << unused)) << 8
- : (my.data[1] << 8) |
- (my.data[2] & (0xff << unused));
- SECU_Indent(out, level);
- fprintf(out, "Usages: ");
- for (i=0; usageBits[i]; i++) {
- if ( (0x8000 >> i) & usage) {
- if (found)
- SECU_Indent(out, level + 2);
- fprintf(out, "%s\n", usageBits[i]);
- found = 1;
- }
- }
- if (!found) {
- fprintf(out, "(none)\n");
- }
- }
- static void
- secu_PrintIPAddress(FILE *out, SECItem *value, char *msg, int level)
- {
- PRStatus st;
- PRNetAddr addr;
- char addrBuf[80];
- memset(&addr, 0, sizeof addr);
- if (value->len == 4) {
- addr.inet.family = PR_AF_INET;
- memcpy(&addr.inet.ip, value->data, value->len);
- } else if (value->len == 16) {
- addr.ipv6.family = PR_AF_INET6;
- memcpy(addr.ipv6.ip.pr_s6_addr, value->data, value->len);
- if (PR_IsNetAddrType(&addr, PR_IpAddrV4Mapped)) {
- /* convert to IPv4. */
- addr.inet.family = PR_AF_INET;
- memcpy(&addr.inet.ip, &addr.ipv6.ip.pr_s6_addr[12], 4);
- memset(&addr.inet.pad[0], 0, sizeof addr.inet.pad);
- }
- } else {
- goto loser;
- }
- st = PR_NetAddrToString(&addr, addrBuf, sizeof addrBuf);
- if (st == PR_SUCCESS) {
- SECU_Indent(out, level);
- fprintf(out, "%s: %s\n", msg, addrBuf);
- } else {
- loser:
- SECU_PrintAsHex(out, value, msg, level);
- }
- }
- static void
- secu_PrintGeneralName(FILE *out, CERTGeneralName *gname, char *msg, int level)
- {
- char label[40];
- if (msg && msg[0]) {
- SECU_Indent(out, level++); fprintf(out, "%s: \n", msg);
- }
- switch (gname->type) {
- case certOtherName :
- SECU_PrintAny( out, &gname->name.OthName.name, "Other Name", level);
- SECU_PrintObjectID(out, &gname->name.OthName.oid, "OID", level+1);
- break;
- case certDirectoryName :
- SECU_PrintName(out, &gname->name.directoryName, "Directory Name", level);
- break;
- case certRFC822Name :
- secu_PrintRawString( out, &gname->name.other, "RFC822 Name", level);
- break;
- case certDNSName :
- secu_PrintRawString( out, &gname->name.other, "DNS name", level);
- break;
- case certURI :
- secu_PrintRawString( out, &gname->name.other, "URI", level);
- break;
- case certIPAddress :
- secu_PrintIPAddress(out, &gname->name.other, "IP Address", level);
- break;
- case certRegisterID :
- SECU_PrintObjectID( out, &gname->name.other, "Registered ID", level);
- break;
- case certX400Address :
- SECU_PrintAny( out, &gname->name.other, "X400 Address", level);
- break;
- case certEDIPartyName :
- SECU_PrintAny( out, &gname->name.other, "EDI Party", level);
- break;
- default:
- PR_snprintf(label, sizeof label, "unknown type [%d]",
- (int)gname->type - 1);
- SECU_PrintAsHex(out, &gname->name.other, label, level);
- break;
- }
- }
- static void
- secu_PrintGeneralNames(FILE *out, CERTGeneralName *gname, char *msg, int level)
- {
- CERTGeneralName *name = gname;
- do {
- secu_PrintGeneralName(out, name, msg, level);
- name = CERT_GetNextGeneralName(name);
- } while (name && name != gnam…
Large files files are truncated, but you can click here to view the full file