This commit is contained in:
parent
791ca476a3
commit
7f66ac8018
@ -1,108 +0,0 @@
|
|||||||
--- pam_pkcs11-0.6.0/src/common/cert_info.c~ 2007-06-06 05:28:08.000000000 -0400
|
|
||||||
+++ pam_pkcs11-0.6.0/src/common/cert_info.c 2007-07-18 12:48:08.000000000 -0400
|
|
||||||
@@ -52,7 +52,7 @@ static const SECOidData kerberosPN_Entry
|
|
||||||
SECOidTag CERT_MicrosoftUPN_OID = SEC_OID_UNKNOWN;
|
|
||||||
/* { 1.3.6.1.4.1.311 } */
|
|
||||||
static const unsigned char microsoftUPNOID[] =
|
|
||||||
- { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37 }; /*, xxxx */
|
|
||||||
+{ 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0x14, 0x2, 0x3 };
|
|
||||||
static const SECOidData microsoftUPN_Entry =
|
|
||||||
{ TO_ITEM(microsoftUPNOID), SEC_OID_UNKNOWN,
|
|
||||||
"Microsoft Universal Priniciple", CKM_INVALID_MECHANISM,
|
|
||||||
@@ -127,6 +127,75 @@ static char **cert_info_digest(X509 *x50
|
|
||||||
return entries;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static char **
|
|
||||||
+cert_info_upn (X509 *x509)
|
|
||||||
+{
|
|
||||||
+ SECItem alt_name;
|
|
||||||
+ SECStatus status;
|
|
||||||
+ PRArenaPool *arena = NULL;
|
|
||||||
+ CERTGeneralName *nameList;
|
|
||||||
+ CERTGeneralName *current;
|
|
||||||
+ SECOidTag tag;
|
|
||||||
+ static char *results[CERT_INFO_SIZE] = { NULL };
|
|
||||||
+ int result = 0;
|
|
||||||
+ SECItem decoded;
|
|
||||||
+
|
|
||||||
+ DBG("Looking for ALT_NAME");
|
|
||||||
+
|
|
||||||
+ status = CERT_FindCertExtension (x509, SEC_OID_X509_SUBJECT_ALT_NAME, &alt_name);
|
|
||||||
+ if (status != SECSuccess) {
|
|
||||||
+ DBG("Not found");
|
|
||||||
+ goto no_upn;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
|
|
||||||
+ if (!arena) {
|
|
||||||
+ DBG("Could not allocate arena");
|
|
||||||
+ goto no_upn;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ nameList = current = CERT_DecodeAltNameExtension (arena, &alt_name);
|
|
||||||
+ if (!nameList) {
|
|
||||||
+ DBG("Could not decode name");
|
|
||||||
+ goto no_upn;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ cert_fetchOID(&CERT_MicrosoftUPN_OID, µsoftUPN_Entry);
|
|
||||||
+ do {
|
|
||||||
+ if (current->type == certOtherName) {
|
|
||||||
+ tag = SECOID_FindOIDTag (¤t->name.OthName.oid);
|
|
||||||
+ DBG1("got other name with tag %#x", tag);
|
|
||||||
+ if (tag == CERT_MicrosoftUPN_OID) {
|
|
||||||
+ status = SEC_ASN1DecodeItem (arena, &decoded,
|
|
||||||
+ SEC_UTF8StringTemplate,
|
|
||||||
+ ¤t->name.OthName.name);
|
|
||||||
+ if (status == SECSuccess) {
|
|
||||||
+ results[result] = malloc (decoded.len + 1);
|
|
||||||
+ memcpy (results[result], decoded.data, decoded.len);
|
|
||||||
+ results[result][decoded.len] = '\0';
|
|
||||||
+ DBG1("Got upn: %s", results[result]);
|
|
||||||
+ result++;
|
|
||||||
+ } else {
|
|
||||||
+ DBG("Could not decode upn...");
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ DBG("not other name...");
|
|
||||||
+ }
|
|
||||||
+ current = CERT_GetNextGeneralName (current);
|
|
||||||
+ } while (current != nameList && result < CERT_INFO_MAX_ENTRIES);
|
|
||||||
+
|
|
||||||
+no_upn:
|
|
||||||
+ if (arena) {
|
|
||||||
+ PORT_FreeArena (arena, PR_FALSE);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (alt_name.data) {
|
|
||||||
+ SECITEM_FreeItem (&alt_name, PR_FALSE);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return results;
|
|
||||||
+}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* request info on certificate
|
|
||||||
@@ -174,8 +243,7 @@ char **cert_info(X509 *x509, int type, A
|
|
||||||
break;
|
|
||||||
/* need oid tag. */
|
|
||||||
case CERT_UPN : /* Microsoft's Universal Principal Name */
|
|
||||||
- cert_fetchOID(&CERT_MicrosoftUPN_OID ,& microsoftUPN_Entry);
|
|
||||||
- return cert_GetNameElements(&x509->subject, CERT_MicrosoftUPN_OID);
|
|
||||||
+ return cert_info_upn (x509);
|
|
||||||
case CERT_UID : /* Certificate Unique Identifier */
|
|
||||||
return cert_GetNameElements(&x509->subject, SEC_OID_RFC1274_UID);
|
|
||||||
break;
|
|
||||||
--- pam_pkcs11-0.6.0/src/mappers/ms_mapper.c~ 2007-07-18 12:48:41.000000000 -0400
|
|
||||||
+++ pam_pkcs11-0.6.0/src/mappers/ms_mapper.c 2007-07-18 13:21:02.000000000 -0400
|
|
||||||
@@ -70,7 +70,7 @@ static char *check_upn(char *str) {
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
if (ignoredomain) return str;
|
|
||||||
- if (!strcmp(domainname,domain)) {
|
|
||||||
+ if (strcmp(domainname,domain)) {
|
|
||||||
DBG2("Domain '%s' doesn't match UPN domain '%s'",domainname,domain);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
@ -1,11 +1,11 @@
|
|||||||
--- pam_pkcs11-0.6.0/src/pam_pkcs11/pam_config.c~ 2007-07-16 16:41:27.000000000 -0400
|
--- pam_pkcs11-0.6.1/src/pam_pkcs11/pam_config.c
|
||||||
+++ pam_pkcs11-0.6.0/src/pam_pkcs11/pam_config.c 2007-07-16 16:41:44.000000000 -0400
|
+++ pam_pkcs11-0.6.1/src/pam_pkcs11/pam_config.c
|
||||||
@@ -42,7 +42,7 @@ struct configuration_st configuration =
|
@@ -45,7 +45,7 @@
|
||||||
0, /* int card_only; */
|
0, /* int card_only; */
|
||||||
0, /* int wait_for_card; */
|
0, /* int wait_for_card; */
|
||||||
"default", /* const char *pkcs11_module; */
|
"default", /* const char *pkcs11_module; */
|
||||||
- "/etc/pam_pkcs11/pkcs11_module.so",/* const char *pkcs11_module_path; */
|
- CONFDIR "/pkcs11_module.so",/* const char *pkcs11_module_path; */
|
||||||
+ NULL, /* const char *pkcs11_module_path; */
|
+ NULL, /* const char *pkcs11_module_path; */
|
||||||
NULL, /* screen savers */
|
NULL, /* screen savers */
|
||||||
0, /* int slot_num; */
|
NULL, /* slot_description */
|
||||||
0, /* support threads */
|
-1, /* int slot_num; */
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:7f84a68a6904a5098580a80e911ff2bba644d04df9596593253eafb75154bf5c
|
|
||||||
size 770599
|
|
3
pam_pkcs11-0.6.1.tar.bz2
Normal file
3
pam_pkcs11-0.6.1.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:76425a1abf99449f7ff80f5b4387354ec7106241b5c9f30351eca5f3360eb544
|
||||||
|
size 805737
|
@ -1,70 +0,0 @@
|
|||||||
ldap_mapper.c: In function 'ldap_get_certificate':
|
|
||||||
ldap_mapper.c:757: warning: implicit declaration of function 'd2i_X509'
|
|
||||||
ldap_mapper.c:757: warning: assignment makes pointer from integer without a cast
|
|
||||||
ldap_mapper.c: In function 'ldap_mapper_match_user':
|
|
||||||
ldap_mapper.c:871: warning: implicit declaration of function 'X509_cmp'
|
|
||||||
error.c: In function 'set_error':
|
|
||||||
error.c:34: warning: implicit declaration of function 'vsnprintf'
|
|
||||||
cert_vfy.c: In function 'verify_certificate':
|
|
||||||
cert_vfy.c:36: warning: implicit declaration of function 'SECU_Strerror'
|
|
||||||
cert_vfy.c:36: warning: implicit declaration of function 'PR_GetError'
|
|
||||||
cert_vfy.c: In function 'verify_signature':
|
|
||||||
cert_vfy.c:59: warning: implicit declaration of function 'SEC_GetSignatureAlgorithmOidTag'
|
|
||||||
cert_vfy.c:63: warning: implicit declaration of function 'VFY_VerifyData'
|
|
||||||
cert_vfy.c:67: warning: implicit declaration of function 'SECKEY_DestroyPublicKey'
|
|
||||||
pkcs11_eventmgr.c: In function 'thats_all_folks':
|
|
||||||
pkcs11_eventmgr.c:93: warning: implicit declaration of function 'NSS_Shutdown'
|
|
||||||
pkcs11_eventmgr.c: In function 'main':
|
|
||||||
pkcs11_eventmgr.c:379: warning: implicit declaration of function 'NSS_Init'
|
|
||||||
pkcs11_eventmgr.c:382: warning: implicit declaration of function 'NSS_NoDB_Init'
|
|
||||||
pkcs11_eventmgr.c:421: warning: statement with no effect
|
|
||||||
pkcs11_eventmgr.c:463: warning: implicit declaration of function 'PK11_GetSlotID'
|
|
||||||
pkcs11_eventmgr.c:466: warning: implicit declaration of function 'PK11_IsPresent'
|
|
||||||
pkcs11_eventmgr.c:467: warning: implicit declaration of function 'PK11_GetSlotSeries'
|
|
||||||
pkcs11_eventmgr.c:493: warning: implicit declaration of function 'PK11_FreeSlot'
|
|
||||||
================================================================================
|
|
||||||
--- src/common/cert_vfy.c
|
|
||||||
+++ src/common/cert_vfy.c
|
|
||||||
@@ -18,8 +18,10 @@
|
|
||||||
#include "cert_vfy.h"
|
|
||||||
|
|
||||||
#ifdef HAVE_NSS
|
|
||||||
-
|
|
||||||
+#include <nspr.h>
|
|
||||||
+#include <cryptohi.h>
|
|
||||||
#include "cert.h"
|
|
||||||
+#include "secutil.h"
|
|
||||||
|
|
||||||
int verify_certificate(X509 * x509, cert_policy *policy)
|
|
||||||
{
|
|
||||||
--- src/common/error.c
|
|
||||||
+++ src/common/error.c
|
|
||||||
@@ -17,6 +17,7 @@
|
|
||||||
|
|
||||||
#include "error.h"
|
|
||||||
#include <string.h>
|
|
||||||
+#include <stdio.h>
|
|
||||||
|
|
||||||
#define __ERROR_C_
|
|
||||||
|
|
||||||
--- src/mappers/ldap_mapper.c
|
|
||||||
+++ src/mappers/ldap_mapper.c
|
|
||||||
@@ -36,6 +36,7 @@
|
|
||||||
|
|
||||||
#include <ldap.h>
|
|
||||||
#include <pwd.h>
|
|
||||||
+#include <ssl/x509.h>
|
|
||||||
|
|
||||||
#include "../common/cert_st.h"
|
|
||||||
#include "../common/debug.h"
|
|
||||||
--- src/tools/pkcs11_eventmgr.c
|
|
||||||
+++ src/tools/pkcs11_eventmgr.c
|
|
||||||
@@ -32,6 +32,8 @@
|
|
||||||
|
|
||||||
#ifdef HAVE_NSS
|
|
||||||
#include <secmod.h>
|
|
||||||
+#include <nss.h>
|
|
||||||
+#include <pk11pub.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#define DEF_POLLING 1 /* 1 second timeout */
|
|
@ -1,14 +0,0 @@
|
|||||||
https://bugzilla.novell.com/show_bug.cgi?id=293026
|
|
||||||
http://www.opensc-project.org/opensc/ticket/154
|
|
||||||
================================================================================
|
|
||||||
--- etc/pam_pkcs11.conf.example
|
|
||||||
+++ etc/pam_pkcs11.conf.example
|
|
||||||
@@ -131,7 +131,7 @@
|
|
||||||
# Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
|
|
||||||
cert_item = cn;
|
|
||||||
# Define mapfile if needed, else select "none"
|
|
||||||
- mapfile = file:///etc/pam_pkcs11/generic_mapping
|
|
||||||
+ mapfile = file:///etc/pam_pkcs11/generic_mapping;
|
|
||||||
# Decide if use getpwent() to map login
|
|
||||||
use_getpwent = false;
|
|
||||||
}
|
|
@ -1,35 +0,0 @@
|
|||||||
--- pam_pkcs11-0.5.3/src/mappers/ms_mapper.c~ 2005-09-12 05:12:55.000000000 -0400
|
|
||||||
+++ pam_pkcs11-0.5.3/src/mappers/ms_mapper.c 2007-01-17 14:27:52.000000000 -0500
|
|
||||||
@@ -52,6 +52,7 @@
|
|
||||||
static int ignorecase = 0;
|
|
||||||
static int ignoredomain =0;
|
|
||||||
static const char *domainname="";
|
|
||||||
+static const char *domainnickname="";
|
|
||||||
static int debug =0;
|
|
||||||
|
|
||||||
/* check syntax and domain match on provided string */
|
|
||||||
@@ -73,6 +74,16 @@
|
|
||||||
DBG2("Domain '%s' doesn't match UPN domain '%s'",domainname,domain);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
+ if (domainnickname && domainnickname[0]) {
|
|
||||||
+ char *tmp;
|
|
||||||
+ size_t tmp_len;
|
|
||||||
+ DBG1("Adding domain nick name '%s'",domainnickname);
|
|
||||||
+ tmp_len = strlen (str) + strlen (domainnickname) + 2;
|
|
||||||
+ tmp = malloc (tmp_len);
|
|
||||||
+ snprintf (tmp, tmp_len, "%s\\%s", domainnickname, str);
|
|
||||||
+ free (str);
|
|
||||||
+ str = tmp;
|
|
||||||
+ }
|
|
||||||
return str;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -179,6 +190,7 @@
|
|
||||||
ignorecase = scconf_get_bool(blk,"ignorecase",ignorecase);
|
|
||||||
ignoredomain = scconf_get_bool(blk,"ignoredomain",ignoredomain);
|
|
||||||
domainname = scconf_get_str(blk,"domainname",domainname);
|
|
||||||
+ domainnickname = scconf_get_str(blk,"domainnickname",domainnickname);
|
|
||||||
} else {
|
|
||||||
DBG1("No block declaration for mapper '%s'",mapper_name);
|
|
||||||
}
|
|
@ -1,27 +0,0 @@
|
|||||||
pkcs11_lib.c:289: warning: 'i' is used uninitialized in this function
|
|
||||||
================================================================================
|
|
||||||
--- src/common/pkcs11_lib.c
|
|
||||||
+++ src/common/pkcs11_lib.c
|
|
||||||
@@ -283,14 +283,15 @@
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- }
|
|
||||||
+ } else {
|
|
||||||
/* we're configured for a specific module and token, see if it's present */
|
|
||||||
- slot_num--;
|
|
||||||
- if (slot_num >= 0 && slot_num < module->slotCount && module->slots &&
|
|
||||||
- module->slots[i] && PK11_IsPresent(module->slots[i])) {
|
|
||||||
- h->slot = PK11_ReferenceSlot(module->slots[i]);
|
|
||||||
- *slotID = PK11_GetSlotID(h->slot);
|
|
||||||
- return 0;
|
|
||||||
+ slot_num--;
|
|
||||||
+ if (slot_num >= 0 && slot_num < module->slotCount && module->slots &&
|
|
||||||
+ module->slots[slot_num] && PK11_IsPresent(module->slots[slot_num])) {
|
|
||||||
+ h->slot = PK11_ReferenceSlot(module->slots[slot_num]);
|
|
||||||
+ *slotID = PK11_GetSlotID(h->slot);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
return -1;
|
|
||||||
}
|
|
@ -1,3 +1,12 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Aug 5 15:55:31 CEST 2009 - sbrabec@suse.cz
|
||||||
|
|
||||||
|
- Updated to version 0.6.1:
|
||||||
|
* Added functions to API.
|
||||||
|
* Fixes from openSUSE packages upstreamed.
|
||||||
|
* Minor fixes.
|
||||||
|
* Translaton updates.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Jun 25 12:41:19 CEST 2009 - sbrabec@suse.cz
|
Thu Jun 25 12:41:19 CEST 2009 - sbrabec@suse.cz
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# spec file for package pam_pkcs11 (Version 0.6.0)
|
# spec file for package pam_pkcs11 (Version 0.6.1)
|
||||||
#
|
#
|
||||||
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
@ -19,22 +19,16 @@
|
|||||||
|
|
||||||
|
|
||||||
Name: pam_pkcs11
|
Name: pam_pkcs11
|
||||||
Version: 0.6.0
|
Version: 0.6.1
|
||||||
Release: 140
|
Release: 1
|
||||||
Url: http://www.opensc-project.org/pam_pkcs11/
|
Url: http://www.opensc-project.org/pam_pkcs11/
|
||||||
Group: Productivity/Security
|
Group: Productivity/Security
|
||||||
License: LGPL v2.1 or later
|
License: LGPL v2.1 or later
|
||||||
Summary: PKCS #11 PAM Module
|
Summary: PKCS #11 PAM Module
|
||||||
Source: %{name}-%{version}.tar.bz2
|
Source: %{name}-%{version}.tar.bz2
|
||||||
Source1: pam_pkcs11-common-auth-smartcard.pam
|
Source1: pam_pkcs11-common-auth-smartcard.pam
|
||||||
Source2: secutil.h
|
|
||||||
Patch: %{name}-mapfile-syntax.patch
|
|
||||||
Patch1: %{name}-0.5.3-nss-conf.patch
|
Patch1: %{name}-0.5.3-nss-conf.patch
|
||||||
Patch2: %{name}-0.6.0-ms-upn-oid.patch
|
|
||||||
Patch3: %{name}-0.6.0-nss-autoconf.patch
|
Patch3: %{name}-0.6.0-nss-autoconf.patch
|
||||||
Patch4: %{name}-msnickname.patch
|
|
||||||
Patch5: %{name}-implicit-declaration.patch
|
|
||||||
Patch6: %{name}-uninitialized.patch
|
|
||||||
BuildRequires: curl-devel libopenssl-devel libxslt mozilla-nss-devel openldap2-devel openssl-devel pam-devel pcsc-lite-devel pkg-config
|
BuildRequires: curl-devel libopenssl-devel libxslt mozilla-nss-devel openldap2-devel openssl-devel pam-devel pcsc-lite-devel pkg-config
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
|
|
||||||
@ -71,15 +65,9 @@ Authors:
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch
|
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch4 -p1
|
|
||||||
%patch5
|
|
||||||
%patch6
|
|
||||||
cp -a %{S:1} common-auth-smartcard
|
cp -a %{S:1} common-auth-smartcard
|
||||||
cp -a %{S:2} src/common/
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# LDAP_DEPRECATED required for for ldap_simple_bind_s(), ldap_search_s(), ldap_unbind_s()
|
# LDAP_DEPRECATED required for for ldap_simple_bind_s(), ldap_search_s(), ldap_unbind_s()
|
||||||
|
422
secutil.h
422
secutil.h
@ -1,422 +0,0 @@
|
|||||||
/* ***** BEGIN LICENSE BLOCK *****
|
|
||||||
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
|
||||||
*
|
|
||||||
* The contents of this file are subject to the Mozilla Public License Version
|
|
||||||
* 1.1 (the "License"); you may not use this file except in compliance with
|
|
||||||
* the License. You may obtain a copy of the License at
|
|
||||||
* http://www.mozilla.org/MPL/
|
|
||||||
*
|
|
||||||
* Software distributed under the License is distributed on an "AS IS" basis,
|
|
||||||
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
|
||||||
* for the specific language governing rights and limitations under the
|
|
||||||
* License.
|
|
||||||
*
|
|
||||||
* The Original Code is the Netscape security libraries.
|
|
||||||
*
|
|
||||||
* The Initial Developer of the Original Code is
|
|
||||||
* Netscape Communications Corporation.
|
|
||||||
* Portions created by the Initial Developer are Copyright (C) 1994-2000
|
|
||||||
* the Initial Developer. All Rights Reserved.
|
|
||||||
*
|
|
||||||
* Contributor(s):
|
|
||||||
*
|
|
||||||
* Alternatively, the contents of this file may be used under the terms of
|
|
||||||
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
|
||||||
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
|
||||||
* in which case the provisions of the GPL or the LGPL are applicable instead
|
|
||||||
* of those above. If you wish to allow use of your version of this file only
|
|
||||||
* under the terms of either the GPL or the LGPL, and not to allow others to
|
|
||||||
* use your version of this file under the terms of the MPL, indicate your
|
|
||||||
* decision by deleting the provisions above and replace them with the notice
|
|
||||||
* and other provisions required by the GPL or the LGPL. If you do not delete
|
|
||||||
* the provisions above, a recipient may use your version of this file under
|
|
||||||
* the terms of any one of the MPL, the GPL or the LGPL.
|
|
||||||
*
|
|
||||||
* ***** END LICENSE BLOCK ***** */
|
|
||||||
#ifndef _SEC_UTIL_H_
|
|
||||||
#define _SEC_UTIL_H_
|
|
||||||
|
|
||||||
#include "seccomon.h"
|
|
||||||
#include "secitem.h"
|
|
||||||
#include "prerror.h"
|
|
||||||
#include "base64.h"
|
|
||||||
#include "key.h"
|
|
||||||
#include "secpkcs7.h"
|
|
||||||
#include "secasn1.h"
|
|
||||||
#include "secder.h"
|
|
||||||
#include <stdio.h>
|
|
||||||
|
|
||||||
#define SEC_CT_PRIVATE_KEY "private-key"
|
|
||||||
#define SEC_CT_PUBLIC_KEY "public-key"
|
|
||||||
#define SEC_CT_CERTIFICATE "certificate"
|
|
||||||
#define SEC_CT_CERTIFICATE_REQUEST "certificate-request"
|
|
||||||
#define SEC_CT_PKCS7 "pkcs7"
|
|
||||||
#define SEC_CT_CRL "crl"
|
|
||||||
|
|
||||||
#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
|
|
||||||
#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
|
|
||||||
|
|
||||||
#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
|
|
||||||
#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
|
|
||||||
|
|
||||||
#define NS_CRL_HEADER "-----BEGIN CRL-----"
|
|
||||||
#define NS_CRL_TRAILER "-----END CRL-----"
|
|
||||||
|
|
||||||
/* From libsec/pcertdb.c --- it's not declared in sec.h */
|
|
||||||
extern SECStatus SEC_AddPermCertificate(CERTCertDBHandle *handle,
|
|
||||||
SECItem *derCert, char *nickname, CERTCertTrust *trust);
|
|
||||||
|
|
||||||
|
|
||||||
#ifdef SECUTIL_NEW
|
|
||||||
typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item,
|
|
||||||
char *msg, int level);
|
|
||||||
#else
|
|
||||||
typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
typedef struct {
|
|
||||||
enum {
|
|
||||||
PW_NONE = 0,
|
|
||||||
PW_FROMFILE = 1,
|
|
||||||
PW_PLAINTEXT = 2,
|
|
||||||
PW_EXTERNAL = 3
|
|
||||||
} source;
|
|
||||||
char *data;
|
|
||||||
} secuPWData;
|
|
||||||
|
|
||||||
/*
|
|
||||||
** Change a password on a token, or initialize a token with a password
|
|
||||||
** if it does not already have one.
|
|
||||||
** Use passwd to send the password in plaintext, pwFile to specify a
|
|
||||||
** file containing the password, or NULL for both to prompt the user.
|
|
||||||
*/
|
|
||||||
SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile);
|
|
||||||
|
|
||||||
/* These were stolen from the old sec.h... */
|
|
||||||
/*
|
|
||||||
** Check a password for legitimacy. Passwords must be at least 8
|
|
||||||
** characters long and contain one non-alphabetic. Return DSTrue if the
|
|
||||||
** password is ok, DSFalse otherwise.
|
|
||||||
*/
|
|
||||||
extern PRBool SEC_CheckPassword(char *password);
|
|
||||||
|
|
||||||
/*
|
|
||||||
** Blind check of a password. Complement to SEC_CheckPassword which
|
|
||||||
** ignores length and content type, just retuning DSTrue is the password
|
|
||||||
** exists, DSFalse if NULL
|
|
||||||
*/
|
|
||||||
extern PRBool SEC_BlindCheckPassword(char *password);
|
|
||||||
|
|
||||||
/*
|
|
||||||
** Get a password.
|
|
||||||
** First prompt with "msg" on "out", then read the password from "in".
|
|
||||||
** The password is then checked using "chkpw".
|
|
||||||
*/
|
|
||||||
extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg,
|
|
||||||
PRBool (*chkpw)(char *));
|
|
||||||
|
|
||||||
char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg);
|
|
||||||
|
|
||||||
char *SECU_GetPasswordString(void *arg, char *prompt);
|
|
||||||
|
|
||||||
/*
|
|
||||||
** Write a dongle password.
|
|
||||||
** Uses MD5 to hash constant system data (hostname, etc.), and then
|
|
||||||
** creates RC4 key to encrypt a password "pw" into a file "fd".
|
|
||||||
*/
|
|
||||||
extern SECStatus SEC_WriteDongleFile(int fd, char *pw);
|
|
||||||
|
|
||||||
/*
|
|
||||||
** Get a dongle password.
|
|
||||||
** Uses MD5 to hash constant system data (hostname, etc.), and then
|
|
||||||
** creates RC4 key to decrypt and return a password from file "fd".
|
|
||||||
*/
|
|
||||||
extern char *SEC_ReadDongleFile(int fd);
|
|
||||||
|
|
||||||
|
|
||||||
/* End stolen headers */
|
|
||||||
|
|
||||||
/* Just sticks the two strings together with a / if needed */
|
|
||||||
char *SECU_AppendFilenameToDir(char *dir, char *filename);
|
|
||||||
|
|
||||||
/* Returns result of getenv("SSL_DIR") or NULL */
|
|
||||||
extern char *SECU_DefaultSSLDir(void);
|
|
||||||
|
|
||||||
/*
|
|
||||||
** Should be called once during initialization to set the default
|
|
||||||
** directory for looking for cert.db, key.db, and cert-nameidx.db files
|
|
||||||
** Removes trailing '/' in 'base'
|
|
||||||
** If 'base' is NULL, defaults to set to .netscape in home directory.
|
|
||||||
*/
|
|
||||||
extern char *SECU_ConfigDirectory(const char* base);
|
|
||||||
|
|
||||||
/*
|
|
||||||
** Basic callback function for SSL_GetClientAuthDataHook
|
|
||||||
*/
|
|
||||||
extern int
|
|
||||||
SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
|
|
||||||
struct CERTDistNamesStr *caNames,
|
|
||||||
struct CERTCertificateStr **pRetCert,
|
|
||||||
struct SECKEYPrivateKeyStr **pRetKey);
|
|
||||||
|
|
||||||
/* print out an error message */
|
|
||||||
extern void SECU_PrintError(char *progName, char *msg, ...);
|
|
||||||
|
|
||||||
/* print out a system error message */
|
|
||||||
extern void SECU_PrintSystemError(char *progName, char *msg, ...);
|
|
||||||
|
|
||||||
/* Return informative error string */
|
|
||||||
extern const char * SECU_Strerror(PRErrorCode errNum);
|
|
||||||
|
|
||||||
/* print information about cert verification failure */
|
|
||||||
extern void
|
|
||||||
SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
|
|
||||||
CERTCertificate *cert, PRBool checksig,
|
|
||||||
SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
|
|
||||||
|
|
||||||
/* Read the contents of a file into a SECItem */
|
|
||||||
extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
|
|
||||||
extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);
|
|
||||||
|
|
||||||
/* Read in a DER from a file, may be ascii */
|
|
||||||
extern SECStatus
|
|
||||||
SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
|
|
||||||
|
|
||||||
/* Indent based on "level" */
|
|
||||||
extern void SECU_Indent(FILE *out, int level);
|
|
||||||
|
|
||||||
/* Print integer value and hex */
|
|
||||||
extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level);
|
|
||||||
|
|
||||||
/* Print ObjectIdentifier symbolically */
|
|
||||||
extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level);
|
|
||||||
|
|
||||||
/* Print AlgorithmIdentifier symbolically */
|
|
||||||
extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m,
|
|
||||||
int level);
|
|
||||||
|
|
||||||
/* Print SECItem as hex */
|
|
||||||
extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level);
|
|
||||||
|
|
||||||
/* dump a buffer in hex and ASCII */
|
|
||||||
extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Format and print the UTC Time "t". If the tag message "m" is not NULL,
|
|
||||||
* do indent formatting based on "level" and add a newline afterward;
|
|
||||||
* otherwise just print the formatted time string only.
|
|
||||||
*/
|
|
||||||
extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Format and print the Generalized Time "t". If the tag message "m"
|
|
||||||
* is not NULL, * do indent formatting based on "level" and add a newline
|
|
||||||
* afterward; otherwise just print the formatted time string only.
|
|
||||||
*/
|
|
||||||
extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m,
|
|
||||||
int level);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Format and print the UTC or Generalized Time "t". If the tag message
|
|
||||||
* "m" is not NULL, do indent formatting based on "level" and add a newline
|
|
||||||
* afterward; otherwise just print the formatted time string only.
|
|
||||||
*/
|
|
||||||
extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level);
|
|
||||||
|
|
||||||
/* callback for listing certs through pkcs11 */
|
|
||||||
extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);
|
|
||||||
|
|
||||||
/* Dump all certificate nicknames in a database */
|
|
||||||
extern SECStatus
|
|
||||||
SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out,
|
|
||||||
PRBool sortByName, PRBool sortByTrust);
|
|
||||||
|
|
||||||
/* See if nickname already in database. Return 1 true, 0 false, -1 error */
|
|
||||||
int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);
|
|
||||||
|
|
||||||
/* Dump contents of cert req */
|
|
||||||
extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
|
|
||||||
int level);
|
|
||||||
|
|
||||||
/* Dump contents of certificate */
|
|
||||||
extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
|
|
||||||
|
|
||||||
/* print trust flags on a cert */
|
|
||||||
extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level);
|
|
||||||
|
|
||||||
/* Dump contents of public key */
|
|
||||||
extern int SECU_PrintPublicKey(FILE *out, SECItem *der, char *m, int level);
|
|
||||||
|
|
||||||
#ifdef HAVE_EPV_TEMPLATE
|
|
||||||
/* Dump contents of private key */
|
|
||||||
extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Print the MD5 and SHA1 fingerprints of a cert */
|
|
||||||
extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m,
|
|
||||||
int level);
|
|
||||||
|
|
||||||
/* Pretty-print any PKCS7 thing */
|
|
||||||
extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m,
|
|
||||||
int level);
|
|
||||||
|
|
||||||
/* Init PKCS11 stuff */
|
|
||||||
extern SECStatus SECU_PKCS11Init(PRBool readOnly);
|
|
||||||
|
|
||||||
/* Dump contents of signed data */
|
|
||||||
extern int SECU_PrintSignedData(FILE *out, SECItem *der, char *m, int level,
|
|
||||||
SECU_PPFunc inner);
|
|
||||||
|
|
||||||
extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level);
|
|
||||||
|
|
||||||
extern void
|
|
||||||
SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level);
|
|
||||||
|
|
||||||
extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level);
|
|
||||||
extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level);
|
|
||||||
|
|
||||||
extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level);
|
|
||||||
extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
|
|
||||||
char *msg, int level);
|
|
||||||
|
|
||||||
extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
|
|
||||||
char *msg, int level);
|
|
||||||
|
|
||||||
extern void SECU_PrintName(FILE *out, CERTName *name, char *msg, int level);
|
|
||||||
|
|
||||||
#ifdef SECU_GetPassword
|
|
||||||
/* Convert a High public Key to a Low public Key */
|
|
||||||
extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
|
|
||||||
|
|
||||||
extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
|
|
||||||
extern void SEC_Init(void);
|
|
||||||
|
|
||||||
extern char *SECU_SECModDBName(void);
|
|
||||||
|
|
||||||
extern void SECU_PrintPRandOSError(char *progName);
|
|
||||||
|
|
||||||
extern SECStatus SECU_RegisterDynamicOids(void);
|
|
||||||
|
|
||||||
/* Identifies hash algorithm tag by its string representation. */
|
|
||||||
extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);
|
|
||||||
|
|
||||||
/* Store CRL in output file or pk11 db. Also
|
|
||||||
* encodes with base64 and exports to file if ascii flag is set
|
|
||||||
* and file is not NULL. */
|
|
||||||
extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl,
|
|
||||||
PRFileDesc *outFile, int ascii, char *url);
|
|
||||||
|
|
||||||
|
|
||||||
/*
|
|
||||||
** DER sign a single block of data using private key encryption and the
|
|
||||||
** MD5 hashing algorithm. This routine first computes a digital signature
|
|
||||||
** using SEC_SignData, then wraps it with an CERTSignedData and then der
|
|
||||||
** encodes the result.
|
|
||||||
** "arena" is the memory arena to use to allocate data from
|
|
||||||
** "sd" returned CERTSignedData
|
|
||||||
** "result" the final der encoded data (memory is allocated)
|
|
||||||
** "buf" the input data to sign
|
|
||||||
** "len" the amount of data to sign
|
|
||||||
** "pk" the private key to encrypt with
|
|
||||||
*/
|
|
||||||
extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
|
|
||||||
unsigned char *buf, int len,
|
|
||||||
SECKEYPrivateKey *pk, SECOidTag algID);
|
|
||||||
|
|
||||||
typedef enum {
|
|
||||||
noKeyFound = 1,
|
|
||||||
noSignatureMatch = 2,
|
|
||||||
failToEncode = 3,
|
|
||||||
failToSign = 4,
|
|
||||||
noMem = 5
|
|
||||||
} SignAndEncodeFuncExitStat;
|
|
||||||
|
|
||||||
extern SECStatus
|
|
||||||
SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
|
|
||||||
SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);
|
|
||||||
|
|
||||||
extern SECStatus
|
|
||||||
SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
|
|
||||||
|
|
||||||
/*
|
|
||||||
** Finds the crl Authority Key Id extension. Returns NULL if no such extension
|
|
||||||
** was found.
|
|
||||||
*/
|
|
||||||
CERTAuthKeyID *
|
|
||||||
SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Find the issuer of a crl. Cert usage should be checked before signing a crl.
|
|
||||||
*/
|
|
||||||
CERTCertificate *
|
|
||||||
SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
|
|
||||||
CERTAuthKeyID* id, PRTime validTime);
|
|
||||||
|
|
||||||
|
|
||||||
/* call back function used in encoding of an extension. Called from
|
|
||||||
* SECU_EncodeAndAddExtensionValue */
|
|
||||||
typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena,
|
|
||||||
void *value, SECItem *encodedValue);
|
|
||||||
|
|
||||||
/* Encodes and adds extensions to the CRL or CRL entries. */
|
|
||||||
SECStatus
|
|
||||||
SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle,
|
|
||||||
void *value, PRBool criticality, int extenType,
|
|
||||||
EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
|
|
||||||
|
|
||||||
|
|
||||||
/*
|
|
||||||
*
|
|
||||||
* Utilities for parsing security tools command lines
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
/* A single command flag */
|
|
||||||
typedef struct {
|
|
||||||
char flag;
|
|
||||||
PRBool needsArg;
|
|
||||||
char *arg;
|
|
||||||
PRBool activated;
|
|
||||||
} secuCommandFlag;
|
|
||||||
|
|
||||||
/* A full array of command/option flags */
|
|
||||||
typedef struct
|
|
||||||
{
|
|
||||||
int numCommands;
|
|
||||||
int numOptions;
|
|
||||||
|
|
||||||
secuCommandFlag *commands;
|
|
||||||
secuCommandFlag *options;
|
|
||||||
} secuCommand;
|
|
||||||
|
|
||||||
/* fill the "arg" and "activated" fields for each flag */
|
|
||||||
SECStatus
|
|
||||||
SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd);
|
|
||||||
char *
|
|
||||||
SECU_GetOptionArg(secuCommand *cmd, int optionNum);
|
|
||||||
|
|
||||||
/*
|
|
||||||
*
|
|
||||||
* Error messaging
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
/* Return informative error string */
|
|
||||||
char *SECU_ErrorString(int16 err);
|
|
||||||
|
|
||||||
/* Return informative error string. Does not call XP_GetString */
|
|
||||||
char *SECU_ErrorStringRaw(int16 err);
|
|
||||||
|
|
||||||
void printflags(char *trusts, unsigned int flags);
|
|
||||||
|
|
||||||
#ifndef XP_UNIX
|
|
||||||
extern int ffs(unsigned int i);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#include "secerr.h"
|
|
||||||
#include "sslerr.h"
|
|
||||||
|
|
||||||
#endif /* _SEC_UTIL_H_ */
|
|
Loading…
Reference in New Issue
Block a user