rpm/pam_pkcs11
SHA256
1
0
Fork 0
forked from pool/pam_pkcs11
Code Pull Requests Activity

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam_pkcs11?expand=0&rev=3

Browse Source
This commit is contained in:
OBS User unknown 2007-08-03 20:28:44 +00:00 committed by Git OBS Bridge
parent 732562c948
commit ce2eb867b9
10 changed files with 680 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
pam_pkcs11-0.5.3-nss-conf.patch Normal file
View File

@ -0,0 +1,34 @@
--- pam_pkcs11-0.5.3/etc/pam_pkcs11.conf.example~ 2005-09-12 05:12:55.000000000 -0400
+++ pam_pkcs11-0.5.3/etc/pam_pkcs11.conf.example 2007-03-01 10:42:20.000000000 -0500
@@ -9,7 +9,7 @@ pam_pkcs11 {
nullok = true;
# Enable debugging support.
- debug = true;
+ debug = false;
# Do not prompt the user for the passwords but take them from the
# PAM_ items instead.
@@ -24,7 +24,12 @@ pam_pkcs11 {
use_authtok = false;
# Filename of the PKCS #11 module. The default value is "default"
- use_pkcs11_module = opensc;
+ use_pkcs11_module = nss;
+
+ pkcs11_module nss {
+ nss_dir = /etc/pki/nssdb;
+ crl_policy = none;
+ }
pkcs11_module opensc {
module = /usr/lib/opensc-pkcs11.so;
@@ -112,7 +112,7 @@
# If used null mapper should be the last in the list :-)
# Also you should select at least one mapper, otherwise
# certificate will not match :-)
- use_mappers = digest, cn, pwent, uid, mail, subject, null;
+ use_mappers = ms;
# When no absolute path or module info is provided, use this
# value as module search path

108
pam_pkcs11-0.6.0-ms-upn-oid.patch Normal file
View File

@ -0,0 +1,108 @@
--- pam_pkcs11-0.6.0/src/common/cert_info.c~ 2007-06-06 05:28:08.000000000 -0400
+++ pam_pkcs11-0.6.0/src/common/cert_info.c 2007-07-18 12:48:08.000000000 -0400
@@ -52,7 +52,7 @@ static const SECOidData kerberosPN_Entry
SECOidTag CERT_MicrosoftUPN_OID = SEC_OID_UNKNOWN;
/* { 1.3.6.1.4.1.311 } */
static const unsigned char microsoftUPNOID[] =
- { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37 }; /*, xxxx */
+{ 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0x14, 0x2, 0x3 };
static const SECOidData microsoftUPN_Entry =
{ TO_ITEM(microsoftUPNOID), SEC_OID_UNKNOWN,
"Microsoft Universal Priniciple", CKM_INVALID_MECHANISM,
@@ -127,6 +127,75 @@ static char **cert_info_digest(X509 *x50
return entries;
}
+static char **
+cert_info_upn (X509 *x509)
+{
+ SECItem alt_name;
+ SECStatus status;
+ PRArenaPool *arena = NULL;
+ CERTGeneralName *nameList;
+ CERTGeneralName *current;
+ SECOidTag tag;
+ static char *results[CERT_INFO_SIZE] = { NULL };
+ int result = 0;
+ SECItem decoded;
+
+ DBG("Looking for ALT_NAME");
+
+ status = CERT_FindCertExtension (x509, SEC_OID_X509_SUBJECT_ALT_NAME, &alt_name);
+ if (status != SECSuccess) {
+ DBG("Not found");
+ goto no_upn;
+ }
+
+ arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+ if (!arena) {
+ DBG("Could not allocate arena");
+ goto no_upn;
+ }
+
+ nameList = current = CERT_DecodeAltNameExtension (arena, &alt_name);
+ if (!nameList) {
+ DBG("Could not decode name");
+ goto no_upn;
+ }
+
+ cert_fetchOID(&CERT_MicrosoftUPN_OID, &microsoftUPN_Entry);
+ do {
+ if (current->type == certOtherName) {
+ tag = SECOID_FindOIDTag (&current->name.OthName.oid);
+ DBG1("got other name with tag %#x", tag);
+ if (tag == CERT_MicrosoftUPN_OID) {
+ status = SEC_ASN1DecodeItem (arena, &decoded,
+ SEC_UTF8StringTemplate,
+ &current->name.OthName.name);
+ if (status == SECSuccess) {
+ results[result] = malloc (decoded.len + 1);
+ memcpy (results[result], decoded.data, decoded.len);
+ results[result][decoded.len] = '\0';
+ DBG1("Got upn: %s", results[result]);
+ result++;
+ } else {
+ DBG("Could not decode upn...");
+ }
+ }
+ } else {
+ DBG("not other name...");
+ }
+ current = CERT_GetNextGeneralName (current);
+ } while (current != nameList && result < CERT_INFO_MAX_ENTRIES);
+
+no_upn:
+ if (arena) {
+ PORT_FreeArena (arena, PR_FALSE);
+ }
+
+ if (alt_name.data) {
+ SECITEM_FreeItem (&alt_name, PR_FALSE);
+ }
+
+ return results;
+}
/**
* request info on certificate
@@ -174,8 +243,7 @@ char **cert_info(X509 *x509, int type, A
break;
/* need oid tag. */
case CERT_UPN : /* Microsoft's Universal Principal Name */
- cert_fetchOID(&CERT_MicrosoftUPN_OID ,& microsoftUPN_Entry);
- return cert_GetNameElements(&x509->subject, CERT_MicrosoftUPN_OID);
+ return cert_info_upn (x509);
case CERT_UID : /* Certificate Unique Identifier */
return cert_GetNameElements(&x509->subject, SEC_OID_RFC1274_UID);
break;
--- pam_pkcs11-0.6.0/src/mappers/ms_mapper.c~ 2007-07-18 12:48:41.000000000 -0400
+++ pam_pkcs11-0.6.0/src/mappers/ms_mapper.c 2007-07-18 13:21:02.000000000 -0400
@@ -70,7 +70,7 @@ static char *check_upn(char *str) {
return NULL;
}
if (ignoredomain) return str;
- if (!strcmp(domainname,domain)) {
+ if (strcmp(domainname,domain)) {
DBG2("Domain '%s' doesn't match UPN domain '%s'",domainname,domain);
return NULL;
}

11
pam_pkcs11-0.6.0-nss-autoconf.patch Normal file
View File

@ -0,0 +1,11 @@
--- pam_pkcs11-0.6.0/src/pam_pkcs11/pam_config.c~ 2007-07-16 16:41:27.000000000 -0400
+++ pam_pkcs11-0.6.0/src/pam_pkcs11/pam_config.c 2007-07-16 16:41:44.000000000 -0400
@@ -42,7 +42,7 @@ struct configuration_st configuration =
0, /* int card_only; */
0, /* int wait_for_card; */
"default", /* const char *pkcs11_module; */
- "/etc/pam_pkcs11/pkcs11_module.so",/* const char *pkcs11_module_path; */
+ NULL, /* const char *pkcs11_module_path; */
NULL, /* screen savers */
0, /* int slot_num; */
0, /* support threads */

3
pam_pkcs11-common-auth-smartcard.pam Normal file
View File

@ -0,0 +1,3 @@
auth required pam_env.so
auth required pam_pkcs11.so
auth required pam_unix2.so use_first_pass

16
pam_pkcs11-implicit-declaration.patch Normal file
View File

@ -0,0 +1,16 @@
ldap_mapper.c: In function 'ldap_get_certificate':
ldap_mapper.c:757: warning: implicit declaration of function 'd2i_X509'
ldap_mapper.c:757: warning: assignment makes pointer from integer without a cast
ldap_mapper.c: In function 'ldap_mapper_match_user':
ldap_mapper.c:871: warning: implicit declaration of function 'X509_cmp'
================================================================================
--- src/mappers/ldap_mapper.c
+++ src/mappers/ldap_mapper.c
@@ -36,6 +36,7 @@
#include <ldap.h>
#include <pwd.h>
+#include <ssl/x509.h>
#include "../common/cert_st.h"
#include "../common/debug.h"

14
pam_pkcs11-mapfile-syntax.patch Normal file
View File

@ -0,0 +1,14 @@
https://bugzilla.novell.com/show_bug.cgi?id=293026
http://www.opensc-project.org/opensc/ticket/154
================================================================================
--- etc/pam_pkcs11.conf.example
+++ etc/pam_pkcs11.conf.example
@@ -131,7 +131,7 @@
# Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
cert_item = cn;
# Define mapfile if needed, else select "none"
- mapfile = file:///etc/pam_pkcs11/generic_mapping
+ mapfile = file:///etc/pam_pkcs11/generic_mapping;
# Decide if use getpwent() to map login
use_getpwent = false;
}

35
pam_pkcs11-msnickname.patch Normal file
View File

@ -0,0 +1,35 @@
--- pam_pkcs11-0.5.3/src/mappers/ms_mapper.c~ 2005-09-12 05:12:55.000000000 -0400
+++ pam_pkcs11-0.5.3/src/mappers/ms_mapper.c 2007-01-17 14:27:52.000000000 -0500
@@ -52,6 +52,7 @@
static int ignorecase = 0;
static int ignoredomain =0;
static const char *domainname="";
+static const char *domainnickname="";
static int debug =0;
/* check syntax and domain match on provided string */
@@ -73,6 +74,16 @@
DBG2("Domain '%s' doesn't match UPN domain '%s'",domainname,domain);
return NULL;
}
+ if (domainnickname && domainnickname[0]) {
+ char *tmp;
+ size_t tmp_len;
+ DBG1("Adding domain nick name '%s'",domainnickname);
+ tmp_len = strlen (str) + strlen (domainnickname) + 2;
+ tmp = malloc (tmp_len);
+ snprintf (tmp, tmp_len, "%s\\%s", domainnickname, str);
+ free (str);
+ str = tmp;
+ }
return str;
}
@@ -179,6 +190,7 @@
ignorecase = scconf_get_bool(blk,"ignorecase",ignorecase);
ignoredomain = scconf_get_bool(blk,"ignoredomain",ignoredomain);
domainname = scconf_get_str(blk,"domainname",domainname);
+ domainnickname = scconf_get_str(blk,"domainnickname",domainnickname);
} else {
DBG1("No block declaration for mapper '%s'",mapper_name);
}

8
pam_pkcs11.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Tue Jul 31 17:34:21 CEST 2007 - sbrabec@suse.cz
- Build with NSS instead of openssl.
- Applied patches from Jacob Berkman: MS UPN OID and NSS
configuration.
- Fixed implicit declaration.
-------------------------------------------------------------------
Thu Jul 26 14:32:24 CEST 2007 - sbrabec@suse.cz

32
pam_pkcs11.spec
View File

@ -12,13 +12,21 @@
Name: pam_pkcs11
Version: 0.6.0
Release: 1
Release: 4
URL: http://www.opensc-project.org/pam_pkcs11/
Group: Productivity/Security
License: LGPL v2 or later
Summary: PKCS #11 PAM Module
Source: %{name}-%{version}.tar.bz2
BuildRequires: curl-devel libxslt openldap2-devel openssl-devel pam-devel pcsc-lite-devel pkg-config
Source1: pam_pkcs11-common-auth-smartcard.pam
Source2: secutil.h
Patch: %{name}-mapfile-syntax.patch
Patch1: %{name}-0.5.3-nss-conf.patch
Patch2: %{name}-0.6.0-ms-upn-oid.patch
Patch3: %{name}-0.6.0-nss-autoconf.patch
Patch4: %{name}-msnickname.patch
Patch5: %{name}-implicit-declaration.patch
BuildRequires: curl-devel libopenssl-devel libxslt mozilla-nss-devel openldap2-devel openssl-devel pam-devel pcsc-lite-devel pkg-config
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -54,13 +62,23 @@ Authors:
%prep
%setup -q
%patch
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5
cp -a %{S:1} common-auth-smartcard
cp -a %{S:2} src/common/
%build
# LDAP_DEPRECATED required for for ldap_simple_bind_s(), ldap_search_s(), ldap_unbind_s()
# -fno-strict-aliasing required for pam_pkcs11-0.6.0:
export CFLAGS="$RPM_OPT_FLAGS -DLDAP_DEPRECATED -fno-strict-aliasing"
export CPPFLAGS="`pkg-config --cflags xulrunner-xpcom | sed 's: *:/system_wrappers&:g'`"
%configure\
--datadir=%{_docdir}\
--with-nss\
--with-curl
make %{?jobs:-j%jobs}
@ -78,7 +96,9 @@ for conf in *.conf.example ; do
done
cd ..
mkdir -p $RPM_BUILD_ROOT%{_docdir}/%{name}
cp -a AUTHORS COPYING ChangeLog ChangeLog.svn NEWS README TODO doc/pam_pkcs11.html doc/mappers_api.html doc/README.autologin doc/README.mappers $RPM_BUILD_ROOT%{_docdir}/%{name}
cp -a AUTHORS COPYING ChangeLog ChangeLog.svn NEWS README TODO doc/pam_pkcs11.html doc/mappers_api.html doc/api doc/README.autologin doc/README.mappers $RPM_BUILD_ROOT%{_docdir}/%{name}
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d
cp common-auth-smartcard $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/
%find_lang %{name}
%clean
@ -95,8 +115,14 @@ rm -rf $RPM_BUILD_ROOT
%dir %{_sysconfdir}/pam_pkcs11/cacerts
%dir %{_sysconfdir}/pam_pkcs11/crls
%config(noreplace) %{_sysconfdir}/pam_pkcs11/*.conf
%config(noreplace) %{_sysconfdir}/pam.d/common-auth-smartcard
%changelog
* Tue Jul 31 2007 - sbrabec@suse.cz
- Build with NSS instead of openssl.
- Applied patches from Jacob Berkman: MS UPN OID and NSS
configuration.
- Fixed implicit declaration.
* Thu Jul 26 2007 - sbrabec@suse.cz
- Updated to version 0.6.0:
* compiler warning fixes

422
secutil.h Normal file
View File

@ -0,0 +1,422 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifndef _SEC_UTIL_H_
#define _SEC_UTIL_H_
#include "seccomon.h"
#include "secitem.h"
#include "prerror.h"
#include "base64.h"
#include "key.h"
#include "secpkcs7.h"
#include "secasn1.h"
#include "secder.h"
#include <stdio.h>
#define SEC_CT_PRIVATE_KEY "private-key"
#define SEC_CT_PUBLIC_KEY "public-key"
#define SEC_CT_CERTIFICATE "certificate"
#define SEC_CT_CERTIFICATE_REQUEST "certificate-request"
#define SEC_CT_PKCS7 "pkcs7"
#define SEC_CT_CRL "crl"
#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
#define NS_CRL_HEADER "-----BEGIN CRL-----"
#define NS_CRL_TRAILER "-----END CRL-----"
/* From libsec/pcertdb.c --- it's not declared in sec.h */
extern SECStatus SEC_AddPermCertificate(CERTCertDBHandle *handle,
SECItem *derCert, char *nickname, CERTCertTrust *trust);
#ifdef SECUTIL_NEW
typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item,
char *msg, int level);
#else
typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level);
#endif
typedef struct {
enum {
PW_NONE = 0,
PW_FROMFILE = 1,
PW_PLAINTEXT = 2,
PW_EXTERNAL = 3
} source;
char *data;
} secuPWData;
/*
** Change a password on a token, or initialize a token with a password
** if it does not already have one.
** Use passwd to send the password in plaintext, pwFile to specify a
** file containing the password, or NULL for both to prompt the user.
*/
SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile);
/* These were stolen from the old sec.h... */
/*
** Check a password for legitimacy. Passwords must be at least 8
** characters long and contain one non-alphabetic. Return DSTrue if the
** password is ok, DSFalse otherwise.
*/
extern PRBool SEC_CheckPassword(char *password);
/*
** Blind check of a password. Complement to SEC_CheckPassword which
** ignores length and content type, just retuning DSTrue is the password
** exists, DSFalse if NULL
*/
extern PRBool SEC_BlindCheckPassword(char *password);
/*
** Get a password.
** First prompt with "msg" on "out", then read the password from "in".
** The password is then checked using "chkpw".
*/
extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg,
PRBool (*chkpw)(char *));
char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg);
char *SECU_GetPasswordString(void *arg, char *prompt);
/*
** Write a dongle password.
** Uses MD5 to hash constant system data (hostname, etc.), and then
** creates RC4 key to encrypt a password "pw" into a file "fd".
*/
extern SECStatus SEC_WriteDongleFile(int fd, char *pw);
/*
** Get a dongle password.
** Uses MD5 to hash constant system data (hostname, etc.), and then
** creates RC4 key to decrypt and return a password from file "fd".
*/
extern char *SEC_ReadDongleFile(int fd);
/* End stolen headers */
/* Just sticks the two strings together with a / if needed */
char *SECU_AppendFilenameToDir(char *dir, char *filename);
/* Returns result of getenv("SSL_DIR") or NULL */
extern char *SECU_DefaultSSLDir(void);
/*
** Should be called once during initialization to set the default
** directory for looking for cert.db, key.db, and cert-nameidx.db files
** Removes trailing '/' in 'base'
** If 'base' is NULL, defaults to set to .netscape in home directory.
*/
extern char *SECU_ConfigDirectory(const char* base);
/*
** Basic callback function for SSL_GetClientAuthDataHook
*/
extern int
SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
struct CERTDistNamesStr *caNames,
struct CERTCertificateStr **pRetCert,
struct SECKEYPrivateKeyStr **pRetKey);
/* print out an error message */
extern void SECU_PrintError(char *progName, char *msg, ...);
/* print out a system error message */
extern void SECU_PrintSystemError(char *progName, char *msg, ...);
/* Return informative error string */
extern const char * SECU_Strerror(PRErrorCode errNum);
/* print information about cert verification failure */
extern void
SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
CERTCertificate *cert, PRBool checksig,
SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
/* Read the contents of a file into a SECItem */
extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);
/* Read in a DER from a file, may be ascii */
extern SECStatus
SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
/* Indent based on "level" */
extern void SECU_Indent(FILE *out, int level);
/* Print integer value and hex */
extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level);
/* Print ObjectIdentifier symbolically */
extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level);
/* Print AlgorithmIdentifier symbolically */
extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m,
int level);
/* Print SECItem as hex */
extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level);
/* dump a buffer in hex and ASCII */
extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len);
/*
* Format and print the UTC Time "t". If the tag message "m" is not NULL,
* do indent formatting based on "level" and add a newline afterward;
* otherwise just print the formatted time string only.
*/
extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level);
/*
* Format and print the Generalized Time "t". If the tag message "m"
* is not NULL, * do indent formatting based on "level" and add a newline
* afterward; otherwise just print the formatted time string only.
*/
extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m,
int level);
/*
* Format and print the UTC or Generalized Time "t". If the tag message
* "m" is not NULL, do indent formatting based on "level" and add a newline
* afterward; otherwise just print the formatted time string only.
*/
extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level);
/* callback for listing certs through pkcs11 */
extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);
/* Dump all certificate nicknames in a database */
extern SECStatus
SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out,
PRBool sortByName, PRBool sortByTrust);
/* See if nickname already in database. Return 1 true, 0 false, -1 error */
int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);
/* Dump contents of cert req */
extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
int level);
/* Dump contents of certificate */
extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
/* print trust flags on a cert */
extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level);
/* Dump contents of public key */
extern int SECU_PrintPublicKey(FILE *out, SECItem *der, char *m, int level);
#ifdef HAVE_EPV_TEMPLATE
/* Dump contents of private key */
extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
#endif
/* Print the MD5 and SHA1 fingerprints of a cert */
extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m,
int level);
/* Pretty-print any PKCS7 thing */
extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m,
int level);
/* Init PKCS11 stuff */
extern SECStatus SECU_PKCS11Init(PRBool readOnly);
/* Dump contents of signed data */
extern int SECU_PrintSignedData(FILE *out, SECItem *der, char *m, int level,
SECU_PPFunc inner);
extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level);
extern void
SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level);
extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level);
extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level);
extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level);
extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
char *msg, int level);
extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
char *msg, int level);
extern void SECU_PrintName(FILE *out, CERTName *name, char *msg, int level);
#ifdef SECU_GetPassword
/* Convert a High public Key to a Low public Key */
extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
#endif
extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
extern void SEC_Init(void);
extern char *SECU_SECModDBName(void);
extern void SECU_PrintPRandOSError(char *progName);
extern SECStatus SECU_RegisterDynamicOids(void);
/* Identifies hash algorithm tag by its string representation. */
extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);
/* Store CRL in output file or pk11 db. Also
* encodes with base64 and exports to file if ascii flag is set
* and file is not NULL. */
extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl,
PRFileDesc *outFile, int ascii, char *url);
/*
** DER sign a single block of data using private key encryption and the
** MD5 hashing algorithm. This routine first computes a digital signature
** using SEC_SignData, then wraps it with an CERTSignedData and then der
** encodes the result.
** "arena" is the memory arena to use to allocate data from
** "sd" returned CERTSignedData
** "result" the final der encoded data (memory is allocated)
** "buf" the input data to sign
** "len" the amount of data to sign
** "pk" the private key to encrypt with
*/
extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
unsigned char *buf, int len,
SECKEYPrivateKey *pk, SECOidTag algID);
typedef enum {
noKeyFound = 1,
noSignatureMatch = 2,
failToEncode = 3,
failToSign = 4,
noMem = 5
} SignAndEncodeFuncExitStat;
extern SECStatus
SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);
extern SECStatus
SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
/*
** Finds the crl Authority Key Id extension. Returns NULL if no such extension
** was found.
*/
CERTAuthKeyID *
SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl);
/*
* Find the issuer of a crl. Cert usage should be checked before signing a crl.
*/
CERTCertificate *
SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
CERTAuthKeyID* id, PRTime validTime);
/* call back function used in encoding of an extension. Called from
* SECU_EncodeAndAddExtensionValue */
typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena,
void *value, SECItem *encodedValue);
/* Encodes and adds extensions to the CRL or CRL entries. */
SECStatus
SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle,
void *value, PRBool criticality, int extenType,
EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
/*
*
* Utilities for parsing security tools command lines
*
*/
/* A single command flag */
typedef struct {
char flag;
PRBool needsArg;
char *arg;
PRBool activated;
} secuCommandFlag;
/* A full array of command/option flags */
typedef struct
{
int numCommands;
int numOptions;
secuCommandFlag *commands;
secuCommandFlag *options;
} secuCommand;
/* fill the "arg" and "activated" fields for each flag */
SECStatus
SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd);
char *
SECU_GetOptionArg(secuCommand *cmd, int optionNum);
/*
*
* Error messaging
*
*/
/* Return informative error string */
char *SECU_ErrorString(int16 err);
/* Return informative error string. Does not call XP_GetString */
char *SECU_ErrorStringRaw(int16 err);
void printflags(char *trusts, unsigned int flags);
#ifndef XP_UNIX
extern int ffs(unsigned int i);
#endif
#include "secerr.h"
#include "sslerr.h"
#endif /* _SEC_UTIL_H_ */