OBS User unknown 2009-08-07 22:12:54 +00:00 committed by Git OBS Bridge
parent 791ca476a3
commit 7f66ac8018
11 changed files with 22 additions and 701 deletions

View File

@ -1,108 +0,0 @@
--- pam_pkcs11-0.6.0/src/common/cert_info.c~ 2007-06-06 05:28:08.000000000 -0400
+++ pam_pkcs11-0.6.0/src/common/cert_info.c 2007-07-18 12:48:08.000000000 -0400
@@ -52,7 +52,7 @@ static const SECOidData kerberosPN_Entry
SECOidTag CERT_MicrosoftUPN_OID = SEC_OID_UNKNOWN;
/* { 1.3.6.1.4.1.311 } */
static const unsigned char microsoftUPNOID[] =
- { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37 }; /*, xxxx */
+{ 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0x14, 0x2, 0x3 };
static const SECOidData microsoftUPN_Entry =
{ TO_ITEM(microsoftUPNOID), SEC_OID_UNKNOWN,
"Microsoft Universal Priniciple", CKM_INVALID_MECHANISM,
@@ -127,6 +127,75 @@ static char **cert_info_digest(X509 *x50
return entries;
}
+static char **
+cert_info_upn (X509 *x509)
+{
+ SECItem alt_name;
+ SECStatus status;
+ PRArenaPool *arena = NULL;
+ CERTGeneralName *nameList;
+ CERTGeneralName *current;
+ SECOidTag tag;
+ static char *results[CERT_INFO_SIZE] = { NULL };
+ int result = 0;
+ SECItem decoded;
+
+ DBG("Looking for ALT_NAME");
+
+ status = CERT_FindCertExtension (x509, SEC_OID_X509_SUBJECT_ALT_NAME, &alt_name);
+ if (status != SECSuccess) {
+ DBG("Not found");
+ goto no_upn;
+ }
+
+ arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+ if (!arena) {
+ DBG("Could not allocate arena");
+ goto no_upn;
+ }
+
+ nameList = current = CERT_DecodeAltNameExtension (arena, &alt_name);
+ if (!nameList) {
+ DBG("Could not decode name");
+ goto no_upn;
+ }
+
+ cert_fetchOID(&CERT_MicrosoftUPN_OID, &microsoftUPN_Entry);
+ do {
+ if (current->type == certOtherName) {
+ tag = SECOID_FindOIDTag (&current->name.OthName.oid);
+ DBG1("got other name with tag %#x", tag);
+ if (tag == CERT_MicrosoftUPN_OID) {
+ status = SEC_ASN1DecodeItem (arena, &decoded,
+ SEC_UTF8StringTemplate,
+ &current->name.OthName.name);
+ if (status == SECSuccess) {
+ results[result] = malloc (decoded.len + 1);
+ memcpy (results[result], decoded.data, decoded.len);
+ results[result][decoded.len] = '\0';
+ DBG1("Got upn: %s", results[result]);
+ result++;
+ } else {
+ DBG("Could not decode upn...");
+ }
+ }
+ } else {
+ DBG("not other name...");
+ }
+ current = CERT_GetNextGeneralName (current);
+ } while (current != nameList && result < CERT_INFO_MAX_ENTRIES);
+
+no_upn:
+ if (arena) {
+ PORT_FreeArena (arena, PR_FALSE);
+ }
+
+ if (alt_name.data) {
+ SECITEM_FreeItem (&alt_name, PR_FALSE);
+ }
+
+ return results;
+}
/**
* request info on certificate
@@ -174,8 +243,7 @@ char **cert_info(X509 *x509, int type, A
break;
/* need oid tag. */
case CERT_UPN : /* Microsoft's Universal Principal Name */
- cert_fetchOID(&CERT_MicrosoftUPN_OID ,& microsoftUPN_Entry);
- return cert_GetNameElements(&x509->subject, CERT_MicrosoftUPN_OID);
+ return cert_info_upn (x509);
case CERT_UID : /* Certificate Unique Identifier */
return cert_GetNameElements(&x509->subject, SEC_OID_RFC1274_UID);
break;
--- pam_pkcs11-0.6.0/src/mappers/ms_mapper.c~ 2007-07-18 12:48:41.000000000 -0400
+++ pam_pkcs11-0.6.0/src/mappers/ms_mapper.c 2007-07-18 13:21:02.000000000 -0400
@@ -70,7 +70,7 @@ static char *check_upn(char *str) {
return NULL;
}
if (ignoredomain) return str;
- if (!strcmp(domainname,domain)) {
+ if (strcmp(domainname,domain)) {
DBG2("Domain '%s' doesn't match UPN domain '%s'",domainname,domain);
return NULL;
}

View File

@ -1,11 +1,11 @@
--- pam_pkcs11-0.6.0/src/pam_pkcs11/pam_config.c~ 2007-07-16 16:41:27.000000000 -0400 --- pam_pkcs11-0.6.1/src/pam_pkcs11/pam_config.c
+++ pam_pkcs11-0.6.0/src/pam_pkcs11/pam_config.c 2007-07-16 16:41:44.000000000 -0400 +++ pam_pkcs11-0.6.1/src/pam_pkcs11/pam_config.c
@@ -42,7 +42,7 @@ struct configuration_st configuration = @@ -45,7 +45,7 @@
0, /* int card_only; */ 0, /* int card_only; */
0, /* int wait_for_card; */ 0, /* int wait_for_card; */
"default", /* const char *pkcs11_module; */ "default", /* const char *pkcs11_module; */
- "/etc/pam_pkcs11/pkcs11_module.so",/* const char *pkcs11_module_path; */ - CONFDIR "/pkcs11_module.so",/* const char *pkcs11_module_path; */
+ NULL, /* const char *pkcs11_module_path; */ + NULL, /* const char *pkcs11_module_path; */
NULL, /* screen savers */ NULL, /* screen savers */
0, /* int slot_num; */ NULL, /* slot_description */
0, /* support threads */ -1, /* int slot_num; */

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7f84a68a6904a5098580a80e911ff2bba644d04df9596593253eafb75154bf5c
size 770599

3
pam_pkcs11-0.6.1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:76425a1abf99449f7ff80f5b4387354ec7106241b5c9f30351eca5f3360eb544
size 805737

View File

@ -1,70 +0,0 @@
ldap_mapper.c: In function 'ldap_get_certificate':
ldap_mapper.c:757: warning: implicit declaration of function 'd2i_X509'
ldap_mapper.c:757: warning: assignment makes pointer from integer without a cast
ldap_mapper.c: In function 'ldap_mapper_match_user':
ldap_mapper.c:871: warning: implicit declaration of function 'X509_cmp'
error.c: In function 'set_error':
error.c:34: warning: implicit declaration of function 'vsnprintf'
cert_vfy.c: In function 'verify_certificate':
cert_vfy.c:36: warning: implicit declaration of function 'SECU_Strerror'
cert_vfy.c:36: warning: implicit declaration of function 'PR_GetError'
cert_vfy.c: In function 'verify_signature':
cert_vfy.c:59: warning: implicit declaration of function 'SEC_GetSignatureAlgorithmOidTag'
cert_vfy.c:63: warning: implicit declaration of function 'VFY_VerifyData'
cert_vfy.c:67: warning: implicit declaration of function 'SECKEY_DestroyPublicKey'
pkcs11_eventmgr.c: In function 'thats_all_folks':
pkcs11_eventmgr.c:93: warning: implicit declaration of function 'NSS_Shutdown'
pkcs11_eventmgr.c: In function 'main':
pkcs11_eventmgr.c:379: warning: implicit declaration of function 'NSS_Init'
pkcs11_eventmgr.c:382: warning: implicit declaration of function 'NSS_NoDB_Init'
pkcs11_eventmgr.c:421: warning: statement with no effect
pkcs11_eventmgr.c:463: warning: implicit declaration of function 'PK11_GetSlotID'
pkcs11_eventmgr.c:466: warning: implicit declaration of function 'PK11_IsPresent'
pkcs11_eventmgr.c:467: warning: implicit declaration of function 'PK11_GetSlotSeries'
pkcs11_eventmgr.c:493: warning: implicit declaration of function 'PK11_FreeSlot'
================================================================================
--- src/common/cert_vfy.c
+++ src/common/cert_vfy.c
@@ -18,8 +18,10 @@
#include "cert_vfy.h"
#ifdef HAVE_NSS
-
+#include <nspr.h>
+#include <cryptohi.h>
#include "cert.h"
+#include "secutil.h"
int verify_certificate(X509 * x509, cert_policy *policy)
{
--- src/common/error.c
+++ src/common/error.c
@@ -17,6 +17,7 @@
#include "error.h"
#include <string.h>
+#include <stdio.h>
#define __ERROR_C_
--- src/mappers/ldap_mapper.c
+++ src/mappers/ldap_mapper.c
@@ -36,6 +36,7 @@
#include <ldap.h>
#include <pwd.h>
+#include <ssl/x509.h>
#include "../common/cert_st.h"
#include "../common/debug.h"
--- src/tools/pkcs11_eventmgr.c
+++ src/tools/pkcs11_eventmgr.c
@@ -32,6 +32,8 @@
#ifdef HAVE_NSS
#include <secmod.h>
+#include <nss.h>
+#include <pk11pub.h>
#endif
#define DEF_POLLING 1 /* 1 second timeout */

View File

@ -1,14 +0,0 @@
https://bugzilla.novell.com/show_bug.cgi?id=293026
http://www.opensc-project.org/opensc/ticket/154
================================================================================
--- etc/pam_pkcs11.conf.example
+++ etc/pam_pkcs11.conf.example
@@ -131,7 +131,7 @@
# Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
cert_item = cn;
# Define mapfile if needed, else select "none"
- mapfile = file:///etc/pam_pkcs11/generic_mapping
+ mapfile = file:///etc/pam_pkcs11/generic_mapping;
# Decide if use getpwent() to map login
use_getpwent = false;
}

View File

@ -1,35 +0,0 @@
--- pam_pkcs11-0.5.3/src/mappers/ms_mapper.c~ 2005-09-12 05:12:55.000000000 -0400
+++ pam_pkcs11-0.5.3/src/mappers/ms_mapper.c 2007-01-17 14:27:52.000000000 -0500
@@ -52,6 +52,7 @@
static int ignorecase = 0;
static int ignoredomain =0;
static const char *domainname="";
+static const char *domainnickname="";
static int debug =0;
/* check syntax and domain match on provided string */
@@ -73,6 +74,16 @@
DBG2("Domain '%s' doesn't match UPN domain '%s'",domainname,domain);
return NULL;
}
+ if (domainnickname && domainnickname[0]) {
+ char *tmp;
+ size_t tmp_len;
+ DBG1("Adding domain nick name '%s'",domainnickname);
+ tmp_len = strlen (str) + strlen (domainnickname) + 2;
+ tmp = malloc (tmp_len);
+ snprintf (tmp, tmp_len, "%s\\%s", domainnickname, str);
+ free (str);
+ str = tmp;
+ }
return str;
}
@@ -179,6 +190,7 @@
ignorecase = scconf_get_bool(blk,"ignorecase",ignorecase);
ignoredomain = scconf_get_bool(blk,"ignoredomain",ignoredomain);
domainname = scconf_get_str(blk,"domainname",domainname);
+ domainnickname = scconf_get_str(blk,"domainnickname",domainnickname);
} else {
DBG1("No block declaration for mapper '%s'",mapper_name);
}

View File

@ -1,27 +0,0 @@
pkcs11_lib.c:289: warning: 'i' is used uninitialized in this function
================================================================================
--- src/common/pkcs11_lib.c
+++ src/common/pkcs11_lib.c
@@ -283,14 +283,15 @@
return 0;
}
}
- }
+ } else {
/* we're configured for a specific module and token, see if it's present */
- slot_num--;
- if (slot_num >= 0 && slot_num < module->slotCount && module->slots &&
- module->slots[i] && PK11_IsPresent(module->slots[i])) {
- h->slot = PK11_ReferenceSlot(module->slots[i]);
- *slotID = PK11_GetSlotID(h->slot);
- return 0;
+ slot_num--;
+ if (slot_num >= 0 && slot_num < module->slotCount && module->slots &&
+ module->slots[slot_num] && PK11_IsPresent(module->slots[slot_num])) {
+ h->slot = PK11_ReferenceSlot(module->slots[slot_num]);
+ *slotID = PK11_GetSlotID(h->slot);
+ return 0;
+ }
}
return -1;
}

View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Wed Aug 5 15:55:31 CEST 2009 - sbrabec@suse.cz
- Updated to version 0.6.1:
* Added functions to API.
* Fixes from openSUSE packages upstreamed.
* Minor fixes.
* Translaton updates.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jun 25 12:41:19 CEST 2009 - sbrabec@suse.cz Thu Jun 25 12:41:19 CEST 2009 - sbrabec@suse.cz

View File

@ -1,5 +1,5 @@
# #
# spec file for package pam_pkcs11 (Version 0.6.0) # spec file for package pam_pkcs11 (Version 0.6.1)
# #
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
@ -19,22 +19,16 @@
Name: pam_pkcs11 Name: pam_pkcs11
Version: 0.6.0 Version: 0.6.1
Release: 140 Release: 1
Url: http://www.opensc-project.org/pam_pkcs11/ Url: http://www.opensc-project.org/pam_pkcs11/
Group: Productivity/Security Group: Productivity/Security
License: LGPL v2.1 or later License: LGPL v2.1 or later
Summary: PKCS #11 PAM Module Summary: PKCS #11 PAM Module
Source: %{name}-%{version}.tar.bz2 Source: %{name}-%{version}.tar.bz2
Source1: pam_pkcs11-common-auth-smartcard.pam Source1: pam_pkcs11-common-auth-smartcard.pam
Source2: secutil.h
Patch: %{name}-mapfile-syntax.patch
Patch1: %{name}-0.5.3-nss-conf.patch Patch1: %{name}-0.5.3-nss-conf.patch
Patch2: %{name}-0.6.0-ms-upn-oid.patch
Patch3: %{name}-0.6.0-nss-autoconf.patch Patch3: %{name}-0.6.0-nss-autoconf.patch
Patch4: %{name}-msnickname.patch
Patch5: %{name}-implicit-declaration.patch
Patch6: %{name}-uninitialized.patch
BuildRequires: curl-devel libopenssl-devel libxslt mozilla-nss-devel openldap2-devel openssl-devel pam-devel pcsc-lite-devel pkg-config BuildRequires: curl-devel libopenssl-devel libxslt mozilla-nss-devel openldap2-devel openssl-devel pam-devel pcsc-lite-devel pkg-config
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -71,15 +65,9 @@ Authors:
%prep %prep
%setup -q %setup -q
%patch
%patch1 -p1 %patch1 -p1
%patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1
%patch5
%patch6
cp -a %{S:1} common-auth-smartcard cp -a %{S:1} common-auth-smartcard
cp -a %{S:2} src/common/
%build %build
# LDAP_DEPRECATED required for for ldap_simple_bind_s(), ldap_search_s(), ldap_unbind_s() # LDAP_DEPRECATED required for for ldap_simple_bind_s(), ldap_search_s(), ldap_unbind_s()

422
secutil.h
View File

@ -1,422 +0,0 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifndef _SEC_UTIL_H_
#define _SEC_UTIL_H_
#include "seccomon.h"
#include "secitem.h"
#include "prerror.h"
#include "base64.h"
#include "key.h"
#include "secpkcs7.h"
#include "secasn1.h"
#include "secder.h"
#include <stdio.h>
#define SEC_CT_PRIVATE_KEY "private-key"
#define SEC_CT_PUBLIC_KEY "public-key"
#define SEC_CT_CERTIFICATE "certificate"
#define SEC_CT_CERTIFICATE_REQUEST "certificate-request"
#define SEC_CT_PKCS7 "pkcs7"
#define SEC_CT_CRL "crl"
#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
#define NS_CRL_HEADER "-----BEGIN CRL-----"
#define NS_CRL_TRAILER "-----END CRL-----"
/* From libsec/pcertdb.c --- it's not declared in sec.h */
extern SECStatus SEC_AddPermCertificate(CERTCertDBHandle *handle,
SECItem *derCert, char *nickname, CERTCertTrust *trust);
#ifdef SECUTIL_NEW
typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item,
char *msg, int level);
#else
typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level);
#endif
typedef struct {
enum {
PW_NONE = 0,
PW_FROMFILE = 1,
PW_PLAINTEXT = 2,
PW_EXTERNAL = 3
} source;
char *data;
} secuPWData;
/*
** Change a password on a token, or initialize a token with a password
** if it does not already have one.
** Use passwd to send the password in plaintext, pwFile to specify a
** file containing the password, or NULL for both to prompt the user.
*/
SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile);
/* These were stolen from the old sec.h... */
/*
** Check a password for legitimacy. Passwords must be at least 8
** characters long and contain one non-alphabetic. Return DSTrue if the
** password is ok, DSFalse otherwise.
*/
extern PRBool SEC_CheckPassword(char *password);
/*
** Blind check of a password. Complement to SEC_CheckPassword which
** ignores length and content type, just retuning DSTrue is the password
** exists, DSFalse if NULL
*/
extern PRBool SEC_BlindCheckPassword(char *password);
/*
** Get a password.
** First prompt with "msg" on "out", then read the password from "in".
** The password is then checked using "chkpw".
*/
extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg,
PRBool (*chkpw)(char *));
char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg);
char *SECU_GetPasswordString(void *arg, char *prompt);
/*
** Write a dongle password.
** Uses MD5 to hash constant system data (hostname, etc.), and then
** creates RC4 key to encrypt a password "pw" into a file "fd".
*/
extern SECStatus SEC_WriteDongleFile(int fd, char *pw);
/*
** Get a dongle password.
** Uses MD5 to hash constant system data (hostname, etc.), and then
** creates RC4 key to decrypt and return a password from file "fd".
*/
extern char *SEC_ReadDongleFile(int fd);
/* End stolen headers */
/* Just sticks the two strings together with a / if needed */
char *SECU_AppendFilenameToDir(char *dir, char *filename);
/* Returns result of getenv("SSL_DIR") or NULL */
extern char *SECU_DefaultSSLDir(void);
/*
** Should be called once during initialization to set the default
** directory for looking for cert.db, key.db, and cert-nameidx.db files
** Removes trailing '/' in 'base'
** If 'base' is NULL, defaults to set to .netscape in home directory.
*/
extern char *SECU_ConfigDirectory(const char* base);
/*
** Basic callback function for SSL_GetClientAuthDataHook
*/
extern int
SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
struct CERTDistNamesStr *caNames,
struct CERTCertificateStr **pRetCert,
struct SECKEYPrivateKeyStr **pRetKey);
/* print out an error message */
extern void SECU_PrintError(char *progName, char *msg, ...);
/* print out a system error message */
extern void SECU_PrintSystemError(char *progName, char *msg, ...);
/* Return informative error string */
extern const char * SECU_Strerror(PRErrorCode errNum);
/* print information about cert verification failure */
extern void
SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
CERTCertificate *cert, PRBool checksig,
SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
/* Read the contents of a file into a SECItem */
extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);
/* Read in a DER from a file, may be ascii */
extern SECStatus
SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
/* Indent based on "level" */
extern void SECU_Indent(FILE *out, int level);
/* Print integer value and hex */
extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level);
/* Print ObjectIdentifier symbolically */
extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level);
/* Print AlgorithmIdentifier symbolically */
extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m,
int level);
/* Print SECItem as hex */
extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level);
/* dump a buffer in hex and ASCII */
extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len);
/*
* Format and print the UTC Time "t". If the tag message "m" is not NULL,
* do indent formatting based on "level" and add a newline afterward;
* otherwise just print the formatted time string only.
*/
extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level);
/*
* Format and print the Generalized Time "t". If the tag message "m"
* is not NULL, * do indent formatting based on "level" and add a newline
* afterward; otherwise just print the formatted time string only.
*/
extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m,
int level);
/*
* Format and print the UTC or Generalized Time "t". If the tag message
* "m" is not NULL, do indent formatting based on "level" and add a newline
* afterward; otherwise just print the formatted time string only.
*/
extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level);
/* callback for listing certs through pkcs11 */
extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);
/* Dump all certificate nicknames in a database */
extern SECStatus
SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out,
PRBool sortByName, PRBool sortByTrust);
/* See if nickname already in database. Return 1 true, 0 false, -1 error */
int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);
/* Dump contents of cert req */
extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
int level);
/* Dump contents of certificate */
extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
/* print trust flags on a cert */
extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level);
/* Dump contents of public key */
extern int SECU_PrintPublicKey(FILE *out, SECItem *der, char *m, int level);
#ifdef HAVE_EPV_TEMPLATE
/* Dump contents of private key */
extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
#endif
/* Print the MD5 and SHA1 fingerprints of a cert */
extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m,
int level);
/* Pretty-print any PKCS7 thing */
extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m,
int level);
/* Init PKCS11 stuff */
extern SECStatus SECU_PKCS11Init(PRBool readOnly);
/* Dump contents of signed data */
extern int SECU_PrintSignedData(FILE *out, SECItem *der, char *m, int level,
SECU_PPFunc inner);
extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level);
extern void
SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level);
extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level);
extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level);
extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level);
extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
char *msg, int level);
extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
char *msg, int level);
extern void SECU_PrintName(FILE *out, CERTName *name, char *msg, int level);
#ifdef SECU_GetPassword
/* Convert a High public Key to a Low public Key */
extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
#endif
extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
extern void SEC_Init(void);
extern char *SECU_SECModDBName(void);
extern void SECU_PrintPRandOSError(char *progName);
extern SECStatus SECU_RegisterDynamicOids(void);
/* Identifies hash algorithm tag by its string representation. */
extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);
/* Store CRL in output file or pk11 db. Also
* encodes with base64 and exports to file if ascii flag is set
* and file is not NULL. */
extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl,
PRFileDesc *outFile, int ascii, char *url);
/*
** DER sign a single block of data using private key encryption and the
** MD5 hashing algorithm. This routine first computes a digital signature
** using SEC_SignData, then wraps it with an CERTSignedData and then der
** encodes the result.
** "arena" is the memory arena to use to allocate data from
** "sd" returned CERTSignedData
** "result" the final der encoded data (memory is allocated)
** "buf" the input data to sign
** "len" the amount of data to sign
** "pk" the private key to encrypt with
*/
extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
unsigned char *buf, int len,
SECKEYPrivateKey *pk, SECOidTag algID);
typedef enum {
noKeyFound = 1,
noSignatureMatch = 2,
failToEncode = 3,
failToSign = 4,
noMem = 5
} SignAndEncodeFuncExitStat;
extern SECStatus
SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);
extern SECStatus
SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
/*
** Finds the crl Authority Key Id extension. Returns NULL if no such extension
** was found.
*/
CERTAuthKeyID *
SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl);
/*
* Find the issuer of a crl. Cert usage should be checked before signing a crl.
*/
CERTCertificate *
SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
CERTAuthKeyID* id, PRTime validTime);
/* call back function used in encoding of an extension. Called from
* SECU_EncodeAndAddExtensionValue */
typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena,
void *value, SECItem *encodedValue);
/* Encodes and adds extensions to the CRL or CRL entries. */
SECStatus
SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle,
void *value, PRBool criticality, int extenType,
EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
/*
*
* Utilities for parsing security tools command lines
*
*/
/* A single command flag */
typedef struct {
char flag;
PRBool needsArg;
char *arg;
PRBool activated;
} secuCommandFlag;
/* A full array of command/option flags */
typedef struct
{
int numCommands;
int numOptions;
secuCommandFlag *commands;
secuCommandFlag *options;
} secuCommand;
/* fill the "arg" and "activated" fields for each flag */
SECStatus
SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd);
char *
SECU_GetOptionArg(secuCommand *cmd, int optionNum);
/*
*
* Error messaging
*
*/
/* Return informative error string */
char *SECU_ErrorString(int16 err);
/* Return informative error string. Does not call XP_GetString */
char *SECU_ErrorStringRaw(int16 err);
void printflags(char *trusts, unsigned int flags);
#ifndef XP_UNIX
extern int ffs(unsigned int i);
#endif
#include "secerr.h"
#include "sslerr.h"
#endif /* _SEC_UTIL_H_ */