/security/nss/cmd/lib/secutil.h


  1. /* ***** BEGIN LICENSE BLOCK *****
  2. * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  3. *
  4. * The contents of this file are subject to the Mozilla Public License Version
  5. * 1.1 (the "License"); you may not use this file except in compliance with
  6. * the License. You may obtain a copy of the License at
  7. * http://www.mozilla.org/MPL/
  8. *
  9. * Software distributed under the License is distributed on an "AS IS" basis,
  10. * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  11. * for the specific language governing rights and limitations under the
  12. * License.
  13. *
  14. * The Original Code is the Netscape security libraries.
  15. *
  16. * The Initial Developer of the Original Code is
  17. * Netscape Communications Corporation.
  18. * Portions created by the Initial Developer are Copyright (C) 1994-2000
  19. * the Initial Developer. All Rights Reserved.
  20. *
  21. * Contributor(s):
  22. *
  23. * Alternatively, the contents of this file may be used under the terms of
  24. * either the GNU General Public License Version 2 or later (the "GPL"), or
  25. * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  26. * in which case the provisions of the GPL or the LGPL are applicable instead
  27. * of those above. If you wish to allow use of your version of this file only
  28. * under the terms of either the GPL or the LGPL, and not to allow others to
  29. * use your version of this file under the terms of the MPL, indicate your
  30. * decision by deleting the provisions above and replace them with the notice
  31. * and other provisions required by the GPL or the LGPL. If you do not delete
  32. * the provisions above, a recipient may use your version of this file under
  33. * the terms of any one of the MPL, the GPL or the LGPL.
  34. *
  35. * ***** END LICENSE BLOCK ***** */
  36. #ifndef _SEC_UTIL_H_
  37. #define _SEC_UTIL_H_
  38. #include "seccomon.h"
  39. #include "secitem.h"
  40. #include "secport.h"
  41. #include "prerror.h"
  42. #include "base64.h"
  43. #include "key.h"
  44. #include "secpkcs7.h"
  45. #include "secasn1.h"
  46. #include "secder.h"
  47. #include <stdio.h>
/*
** Content-type labels.  These tag the kind of object a blob holds
** (presumably used when choosing a reader or pretty-printer); the strings
** are part of the tools' interface, so do not change them.
*/
#define SEC_CT_PRIVATE_KEY "private-key"
#define SEC_CT_PUBLIC_KEY "public-key"
#define SEC_CT_CERTIFICATE "certificate"
#define SEC_CT_CERTIFICATE_REQUEST "certificate-request"
#define SEC_CT_PKCS7 "pkcs7"
#define SEC_CT_CRL "crl"
#define SEC_CT_NAME "name"
/*
** PEM-style armor lines for ASCII (base64) objects.  Note the request
** markers carry the Netscape-specific "NEW CERTIFICATE REQUEST" label, not
** the plain "CERTIFICATE REQUEST" label most other tools emit, and the CRL
** markers use "CRL" rather than "X509 CRL"; files produced elsewhere may
** need their armor lines rewritten before these tools accept them (how
** strictly the readers match these strings is not visible from this header).
*/
#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
#define NS_CRL_HEADER "-----BEGIN CRL-----"
#define NS_CRL_TRAILER "-----END CRL-----"
/* Symbolic name for an NSS/NSPR error code; plain alias for PORT_ErrorToString. */
#define SECU_Strerror PORT_ErrorToString
/*
** Pretty-printer callback: dump "item" to "out", tagged with "msg" and
** indented according to "level".  With SECUTIL_NEW the output stream is an
** NSPR PRFileDesc, otherwise a stdio FILE.  Used as the "inner" printer by
** SECU_PrintSignedData.  The convention for the int return value is not
** fixed here -- match whichever SECU_Print* function is being wrapped.
*/
#ifdef SECUTIL_NEW
typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item,
                           char *msg, int level);
#else
typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level);
#endif
/*
** Where a token password comes from.  Presumably passed as the opaque
** "arg" of the password callbacks declared below (SECU_FilePasswd,
** SECU_GetPasswordString, SECU_GetModulePassword) -- confirm in secutil.c.
**
** Security note (review): with PW_PLAINTEXT the password sits in "data" in
** the clear; if it was taken from a command-line argument it is also
** visible to other users via process listings and shell history.  With
** PW_FROMFILE "data" names a file, which should be readable only by the
** invoking user.  Nothing in this header zeroises "data" -- the owner of
** the struct is responsible for that.
*/
typedef struct {
    enum {
        PW_NONE = 0,      /* no password supplied */
        PW_FROMFILE = 1,  /* "data" is the path of a file holding the password */
        PW_PLAINTEXT = 2, /* "data" is the password itself */
        PW_EXTERNAL = 3   /* password supplied by some external mechanism */
    } source;
    char *data;
} secuPWData;
/*
** Change a password on a token, or initialize a token with a password
** if it does not already have one.
** Use passwd to send the password in plaintext, pwFile to specify a
** file containing the password, or NULL for both to prompt the user.
**
** Review note: a password passed via "passwd" from argv is visible to
** other users through process listings; prefer pwFile (with restrictive
** permissions) or interactive prompting for anything but test setups.
*/
SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile);
/*
** Change a password on a token, or initialize a token with a password
** if it does not already have one.
** In this function, you can specify both the old and new passwords
** as either a string or file.  NOTE: any you don't specify will
** be prompted for.  If both a string and a file are supplied for the same
** password, which one takes precedence is not stated here -- check secutil.c.
*/
SECStatus SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
                         char *oldPwFile, char *newPwFile);
/* These were stolen from the old sec.h... */
/*
** Check a password for legitimacy.  Passwords must be at least 8
** characters long and contain one non-alphabetic.  Return DSTrue if the
** password is ok, DSFalse otherwise.
** (DSTrue/DSFalse are the historical names; the return type is PRBool, so
** read them as PR_TRUE/PR_FALSE.)  This is a minimal complexity floor
** applied at the prompt, not a measure of password strength.
*/
extern PRBool SEC_CheckPassword(char *password);
/*
** Blind check of a password.  Complement to SEC_CheckPassword which
** ignores length and content type, just returning DSTrue if the password
** exists, DSFalse if NULL.
*/
extern PRBool SEC_BlindCheckPassword(char *password);
/*
** Get a password.
** First prompt with "msg" on "out", then read the password from "in".
** The password is then checked using "chkpw".
** The returned buffer holds the password in the clear.  Whether the caller
** must free it, and with which allocator, is not stated here -- TODO confirm
** against secutil.c; zeroise it before releasing it either way.
*/
extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg,
                             PRBool (*chkpw)(char *));
/*
** Password-callback style helpers.  "arg" is presumably a secuPWData*
** (see the struct above); "retry" is set when a previous attempt was
** rejected by the token.
*/
char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg);
char *SECU_GetPasswordString(void *arg, char *prompt);
/*
** Write a dongle password.
** Uses MD5 to hash constant system data (hostname, etc.), and then
** creates RC4 key to encrypt a password "pw" into a file "fd".
**
** Security note (review): the key is derived from data that anyone on, or
** familiar with, the host can reproduce, so this is obfuscation rather than
** protection -- whoever can read the file can recover the password.  MD5
** and RC4 are also both deprecated.  Protect the file with filesystem
** permissions and treat it as the plaintext secret.
*/
extern SECStatus SEC_WriteDongleFile(int fd, char *pw);
/*
** Get a dongle password.
** Uses MD5 to hash constant system data (hostname, etc.), and then
** creates RC4 key to decrypt and return a password from file "fd".
** Same caveats as SEC_WriteDongleFile.  No integrity check is mentioned, so
** a tampered or foreign file would presumably decrypt to garbage rather
** than be rejected -- TODO confirm in the implementation.  Ownership of the
** returned string is not stated here.
*/
extern char *SEC_ReadDongleFile(int fd);
/* End stolen headers */
/*
** Just sticks the two strings together with a / if needed.
** Returns a new string; the allocator (and so who frees it, and how) is not
** stated in this header -- confirm before freeing.
*/
char *SECU_AppendFilenameToDir(char *dir, char *filename);
/* Returns result of getenv("SSL_DIR") or NULL */
extern char *SECU_DefaultSSLDir(void);
/*
** Should be called once during initialization to set the default
** directory for looking for cert.db, key.db, and cert-nameidx.db files.
** Removes trailing '/' in 'base'.
** If 'base' is NULL, defaults to set to .netscape in home directory.
**
** Review note: paths taken from the environment (SSL_DIR via
** SECU_DefaultSSLDir, or the home directory here -- presumably via HOME)
** steer which key and cert databases a tool opens.  For setuid or otherwise
** privileged invocations pass an explicit base rather than trusting the
** environment.
*/
extern char *SECU_ConfigDirectory(const char* base);
/*
** Basic callback function for SSL_GetClientAuthDataHook.
** "arg" is the hook's opaque argument (its meaning -- presumably the
** nickname of the cert to present -- is not visible in this header).
** "caNames" lists the CAs the server will accept.  On success the chosen
** cert and its private key are returned through pRetCert/pRetKey; the int
** return follows the hook's convention (see ssl.h for the success value).
*/
extern int
SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
                       struct CERTDistNamesStr *caNames,
                       struct CERTCertificateStr **pRetCert,
                       struct SECKEYPrivateKeyStr **pRetKey);
/*
** Print out an error message, prefixed with progName (and presumably
** followed by the current NSS/NSPR error text).  The variadic signature
** implies "msg" is a printf-style format: never pass attacker-influenced
** text as "msg" itself -- use a literal format and pass the text as an
** argument.
*/
extern void SECU_PrintError(char *progName, char *msg, ...);
/* Print out a system error message (same format-string caveat as above). */
extern void SECU_PrintSystemError(char *progName, char *msg, ...);
/*
** Revalidate the cert and print information about cert verification
** failure at time == now.  "checksig" presumably selects whether
** signatures are actually verified; "certUsage" is the usage the cert is
** checked against; "pinArg" goes to the password callback.  Diagnostic
** only: the function returns void, so it yields no verdict the caller can
** act on -- do the real verification separately.
*/
extern void
SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
                       CERTCertificate *cert, PRBool checksig,
                       SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
/*
** Same as SECU_printCertProblems, but evaluates validity at "datetime"
** rather than now.
*/
extern void
SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle,
                             CERTCertificate *cert, PRBool checksig, SECCertificateUsage certUsage,
                             void *pinArg, PRBool verbose, PRTime datetime);
/* Print out CERTVerifyLog info (the error list gathered during verification). */
extern void
SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
                      PRBool verbose);
/*
** Read the contents of a file into a SECItem.  The whole file is slurped,
** so callers reading untrusted files should expect arbitrary sizes.
** SECU_TextFileToItem is the text-mode variant.  How dst->data is
** allocated (and therefore freed) is not stated here.
*/
extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);
/*
** Read in a DER from a file, may be ascii.  With "ascii" set the input is
** base64 (presumably with the NS_*_HEADER/TRAILER armor lines above
** tolerated) and is decoded; otherwise the bytes are taken as raw DER.
** This presumably only produces the bytes -- parse and validate the
** structure separately; do not treat SECSuccess as "well-formed DER".
*/
extern SECStatus
SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
/* Indent based on "level" */
extern void SECU_Indent(FILE *out, int level);
/* Print integer value and hex */
extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level);
/*
** Print ObjectIdentifier symbolically.  Returns the tag so the caller can
** branch on it; the value returned for an unrecognised OID is not stated
** here (presumably SEC_OID_UNKNOWN -- confirm before relying on it).
*/
extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level);
/* Print AlgorithmIdentifier symbolically */
extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m,
                                  int level);
/* Print SECItem as hex */
extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level);
/*
** dump a buffer in hex and ASCII.  "len" is a signed int: pass only
** non-negative lengths that describe memory "vp" actually owns.
*/
extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len);
/*
 * Format and print the UTC Time "t". If the tag message "m" is not NULL,
 * do indent formatting based on "level" and add a newline afterward;
 * otherwise just print the formatted time string only.
 * These time printers are void, so a malformed encoding cannot be reported
 * back to the caller.
 */
extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level);
/*
 * Format and print the Generalized Time "t". If the tag message "m"
 * is not NULL, do indent formatting based on "level" and add a newline
 * afterward; otherwise just print the formatted time string only.
 */
extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m,
                                      int level);
/*
 * Format and print the UTC or Generalized Time "t". If the tag message
 * "m" is not NULL, do indent formatting based on "level" and add a newline
 * afterward; otherwise just print the formatted time string only.
 * Which of the two encodings "t" uses is decided from the item itself
 * (presumably by its ASN.1 tag).
 */
extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level);
/* callback for listing certs through pkcs11 ("data" is the callback's opaque argument) */
extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);
/* Dump all certificate nicknames in a database */
extern SECStatus
SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out,
                           PRBool sortByName, PRBool sortByTrust);
/*
** See if nickname already in database.  Return 1 true, 0 false, -1 error.
** Because -1 is truthy, never write "if (SECU_CheckCertNameExists(...))":
** compare against 1 / 0 / -1 explicitly so a lookup error is not mistaken
** for "exists".
*/
int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);
/* Dump contents of cert req (decodes the DER itself) */
extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
                                        int level);
/* Dump contents of certificate (decodes the DER itself; int return convention not stated here) */
extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
/* Dump contents of a DER certificate name (issuer or subject) */
extern int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level);
/* print trust flags on a cert */
extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m,
                                 int level);
/* Dump contents of an RSA public key */
extern int SECU_PrintRSAPublicKey(FILE *out, SECItem *der, char *m, int level);
/* Dump a DER SubjectPublicKeyInfo (algorithm plus key) */
extern int SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m,
                                          int level);
#ifdef HAVE_EPV_TEMPLATE
/* Dump contents of private key -- this writes key material to "out"; never point it at a shared log */
extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
#endif
/*
** Print the MD5 and SHA1 fingerprints of a cert.
** Review note: MD5 is collision-broken and SHA-1 collisions are practical,
** so neither fingerprint is a safe identity for matching certificates from
** an untrusted source; compare a SHA-256 digest (computed elsewhere -- this
** function does not provide one) instead.  The printed values remain fine
** for eyeballing a cert you already trust.
*/
extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m,
                                  int level);
/* Pretty-print any PKCS7 thing */
extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m,
                                      int level);
/*
** Init PKCS11 stuff: presumably initialises NSS against the configured
** database directory (see SECU_ConfigDirectory); "readOnly" selects
** read-only opening.
*/
extern SECStatus SECU_PKCS11Init(PRBool readOnly);
/*
** Dump contents of signed data; the content inside the SignedData wrapper
** is handed to "inner" for printing.  Whether the signature is verified as
** part of printing is not stated here -- do not treat a successful dump as
** verification.
*/
extern int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,
                                int level, SECU_PPFunc inner);
/* Print cert data and its trust flags */
extern SECStatus SEC_PrintCertificateAndTrust(CERTCertificate *cert,
                                              const char *label,
                                              CERTCertTrust *trust);
/* Decode and dump a DER-encoded CRL */
extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level);
/* Dump an already-decoded CRL */
extern void
SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level);
/*
** Print a string-typed SECItem.  Whether the bytes are escaped for a
** terminal is not visible here; be careful when "si" comes from an
** untrusted certificate and "out" is an interactive terminal.
*/
extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level);
/* Generic printer for an item of any/unknown type */
extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level);
/* Print a certificate-policies extension value */
extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level);
/* Print a privateKeyUsagePeriod extension value */
extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
                                                  char *msg, int level);
/* Print every extension in "extensions" (presumably a NULL-terminated array) */
extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
                                 char *msg, int level);
/* Print a decoded distinguished name */
extern void SECU_PrintName(FILE *out, CERTName *name, const char *msg,
                           int level);
/* Print a single relative distinguished name */
extern void SECU_PrintRDN(FILE *out, CERTRDN *rdn, const char *msg, int level);
/*
** Review note: this guard tests a macro named like a function
** (SECU_GetPassword) that nothing in this header defines, so the prototype
** below is presumably never compiled; SECKEYLowPublicKey is a legacy type.
** Candidate for removal -- confirm no build defines the macro.
*/
#ifdef SECU_GetPassword
/* Convert a High public Key to a Low public Key */
extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
#endif
/*
** Module password callback (PK11 password-function shape).  "arg" is
** presumably a secuPWData*; "retry" is set when the token rejected the
** previous attempt.
*/
extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
/* Walk and print a DER encoding; "raw" selects an undecorated dump */
extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
/* Name of the security-module database to open (the value is not fixed here) */
extern char *SECU_SECModDBName(void);
/* Print both the NSPR error and the OS error for progName (from the name; confirm in secutil.c) */
extern void SECU_PrintPRandOSError(char *progName);
/* Presumably registers OIDs NSS does not know by default so they print symbolically */
extern SECStatus SECU_RegisterDynamicOids(void);
/*
** Identifies hash algorithm tag by its string representation.  The value
** returned for an unrecognised name is not stated here (presumably
** SEC_OID_UNKNOWN); callers must treat it as an error rather than silently
** falling back to a default digest.
*/
extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);
/* Store CRL in output file or pk11 db. Also
 * encodes with base64 and exports to file if ascii flag is set
 * and file is not NULL.  "url" is presumably the CRL's distribution-point
 * URL recorded alongside it in the database -- not visible here. */
extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl,
                               PRFileDesc *outFile, PRBool ascii, char *url);
/*
** DER sign a single block of data.  This routine first computes a digital
** signature using SEC_SignData, then wraps it with a CERTSignedData and
** then DER encodes the result.
**
** Review note: the previous comment said the digest was fixed to MD5 and
** described a "result" output parameter.  Neither matches this signature:
** the algorithm is selected by "algID" (and MD5 should not be chosen for
** new CRLs), and there is no "result" argument, so the encoded output must
** be delivered through "sd"/"arena" -- TODO confirm in secutil.c.
**
** "arena" is the memory arena to use to allocate data from
** "sd" returned CERTSignedData
** "buf" the input data to sign
** "len" the amount of data to sign (a signed int; never pass a negative
**       or oversized value)
** "pk" the private key to sign with (this is signing, not encryption)
** "algID" the signature algorithm (digest + key type) to use
*/
extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
                                     unsigned char *buf, int len,
                                     SECKEYPrivateKey *pk, SECOidTag algID);
/*
** Detail codes reported by SECU_SignAndEncodeCRL through "resCode" on
** failure.  There is no zero member, so initialise the caller's variable
** to 0 and read it only when the SECStatus is SECFailure.  Member meanings
** below are inferred from the names -- confirm against secutil.c.
*/
typedef enum {
    noKeyFound = 1,       /* issuer's private key not found */
    noSignatureMatch = 2, /* requested hash/signature algorithm unusable with the key */
    failToEncode = 3,     /* DER encoding of the CRL failed */
    failToSign = 4,       /* signing itself failed */
    noMem = 5             /* allocation failure */
} SignAndEncodeFuncExitStat;
/*
** Sign "signCrl" with the private key belonging to "issuer", digesting with
** "hashAlgTag", and DER-encode it.  On SECFailure a detail code is left in
** "resCode".  "issuer" is taken on trust here: make sure it was selected
** and usage-checked properly (see SECU_FindCrlIssuer).
*/
extern SECStatus
SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
                      SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);
/* Copy srcCrl into destCrl, allocating from destArena */
extern SECStatus
SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
/*
** Finds the crl Authority Key Id extension.  Returns NULL if no such extension
** was found.  (NULL is presumably also what a malformed extension yields,
** so callers cannot tell "absent" from "garbled" here.)
*/
CERTAuthKeyID *
SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl);
/*
** Find the issuer of a crl.  Cert usage should be checked before signing a crl.
** The lookup is by "subject" name (and by authority key id when "id" is
** non-NULL) valid at "validTime".  A match proves only that a cert with
** that name exists in the database, not that it is entitled to sign CRLs --
** hence the usage check the sentence above asks for.
*/
CERTCertificate *
SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
                   CERTAuthKeyID* id, PRTime validTime);
/* call back function used in encoding of an extension. Called from
 * SECU_EncodeAndAddExtensionValue: encode "value" into "encodedValue",
 * allocating from extHandleArena. */
typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena,
                                               void *value, SECItem *encodedValue);
/*
** Encodes and adds extensions to the CRL or CRL entries.
** "extHandle" is the opaque extension-list handle (obtained elsewhere; its
** producer is not declared here).  "criticality" sets the extension's
** critical bit -- relying parties must reject a CRL carrying a critical
** extension they do not understand, so mark critical only when that is the
** intent.  "extenType" is presumably the extension's OID tag; EncodeValueFn
** does the type-specific DER encoding of "value".
*/
SECStatus
SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle,
                                void *value, PRBool criticality, int extenType,
                                EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
/*
** Caller ensures that dst is at least item->len*2+1 bytes long (two hex
** digits per byte plus the terminating NUL).  Compute that size in size_t
** arithmetic so a large item cannot overflow the multiplication.
*/
void
SECU_SECItemToHex(const SECItem * item, char * dst);
/*
** Requires 0x prefix.  Case-insensitive.  Will do in-place replacement if
** successful: srcdest's data is overwritten with the decoded bytes and its
** len reduced accordingly.  Behaviour on an odd number of hex digits or a
** non-hex character is not stated here; on SECFailure assume the item may
** be untouched or partially converted until confirmed in secutil.c.
*/
SECStatus
SECU_SECItemHexStringToBinary(SECItem* srcdest);
/*
 *
 * Utilities for parsing security tools command lines
 *
 */
/*
** A single command flag.  "flag" is the one-character switch and
** "longform" its optional long spelling.  After SECU_ParseCommandLine,
** "activated" says whether it appeared and "arg" holds its argument when
** "needsArg" is set.  "arg" is presumably a pointer into argv rather than a
** copy -- do not free it, and do not assume it outlives argv.
*/
typedef struct {
    char flag;
    PRBool needsArg;
    char *arg;
    PRBool activated;
    char *longform;
} secuCommandFlag;
/*
** A full array of command/option flags: two flag tables with their
** lengths.  Both are filled in by SECU_ParseCommandLine; the caller owns
** the arrays.
*/
typedef struct
{
    int numCommands;
    int numOptions;
    secuCommandFlag *commands;
    secuCommandFlag *options;
} secuCommand;
/*
** fill the "arg" and "activated" fields for each flag.  The failure cases
** (unknown flag, flag missing its required argument) are not spelled out
** here -- presumably SECFailure; callers should print usage and exit on
** failure rather than proceed with a partially parsed command line.
*/
SECStatus
SECU_ParseCommandLine(int argc, char **argv, char *progName,
                      const secuCommand *cmd);
/* Return the argument recorded for cmd->options[optionNum] (NULL when none was given, presumably) */
char *
SECU_GetOptionArg(const secuCommand *cmd, int optionNum);
/*
 *
 * Error messaging
 *
 */
/*
** Format/print the trust "flags".  "trusts" is presumably an output buffer
** whose required size is not stated here -- size it generously.  (Despite
** the heading above, this is a formatting helper, not error reporting.)
*/
void printflags(char *trusts, unsigned int flags);
/* find-first-set fallback for platforms without a libc ffs() */
#if !defined(XP_UNIX) && !defined(XP_OS2)
extern int ffs(unsigned int i);
#endif
/*
** Finds certificate by searching it in the DB or by examining a file
** in the local directory.  Because a name that is not a known nickname is
** reinterpreted as a filename, do not pass attacker-controlled names here
** without deciding which of the two lookups you actually want.  "ascii"
** applies to the file fallback; "pwarg" is handed to the password callback.
*/
CERTCertificate*
SECU_FindCertByNicknameOrFilename(CERTCertDBHandle *handle,
                                  char *name, PRBool ascii,
                                  void *pwarg);
  372. #include "secerr.h"
  373. #include "sslerr.h"
  374. #endif /* _SEC_UTIL_H_ */