1/* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 *
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
8 *
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
13 *
14 * The Original Code is the Netscape security libraries.
15 *
16 * The Initial Developer of the Original Code is
17 * Netscape Communications Corporation.
18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 *
23 * Alternatively, the contents of this file may be used under the terms of
24 * either the GNU General Public License Version 2 or later (the "GPL"), or
25 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
26 * in which case the provisions of the GPL or the LGPL are applicable instead
27 * of those above. If you wish to allow use of your version of this file only
28 * under the terms of either the GPL or the LGPL, and not to allow others to
29 * use your version of this file under the terms of the MPL, indicate your
30 * decision by deleting the provisions above and replace them with the notice
31 * and other provisions required by the GPL or the LGPL. If you do not delete
32 * the provisions above, a recipient may use your version of this file under
33 * the terms of any one of the MPL, the GPL or the LGPL.
34 *
35 * ***** END LICENSE BLOCK ***** */
36#ifndef _SEC_UTIL_H_
37#define _SEC_UTIL_H_
38
39#include "seccomon.h"
40#include "secitem.h"
41#include "prerror.h"
42#include "base64.h"
43#include "key.h"
44#include "secpkcs7.h"
45#include "secasn1.h"
46#include "secder.h"
47#include <stdio.h>
48
49#define SEC_CT_PRIVATE_KEY "private-key"
50#define SEC_CT_PUBLIC_KEY "public-key"
51#define SEC_CT_CERTIFICATE "certificate"
52#define SEC_CT_CERTIFICATE_REQUEST "certificate-request"
53#define SEC_CT_PKCS7 "pkcs7"
54#define SEC_CT_CRL "crl"
55
56#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
57#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
58
59#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
60#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
61
62#define NS_CRL_HEADER "-----BEGIN CRL-----"
63#define NS_CRL_TRAILER "-----END CRL-----"
64
65/* From libsec/pcertdb.c --- it's not declared in sec.h */
66extern SECStatus SEC_AddPermCertificate(CERTCertDBHandle *handle,
67 SECItem *derCert, char *nickname, CERTCertTrust *trust);
68
69
70#ifdef SECUTIL_NEW
71typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item,
72 char *msg, int level);
73#else
74typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level);
75#endif
76
77typedef struct {
78 enum {
83 } source;
84 char *data;
86
87/*
88** Change a password on a token, or initialize a token with a password
89** if it does not already have one.
90** Use passwd to send the password in plaintext, pwFile to specify a
91** file containing the password, or NULL for both to prompt the user.
**
** NOTE(review): passwd and pwFile are plain char* and nothing in this
** header says the routine scrubs or frees them; the caller keeps ownership
** and should zeroize passwd (and keep pwFile's permissions tight) after
** the call -- confirm against the implementation.
92*/
93SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile);
94
95/* These were stolen from the old sec.h... */
96/*
97** Check a password for legitimacy. Passwords must be at least 8
98** characters long and contain one non-alphabetic. Return DSTrue if the
99** password is ok, DSFalse otherwise.
** This is the only policy documented here; a caller that needs a stronger
** rule must enforce it itself.
100*/
101extern PRBool SEC_CheckPassword(char *password);
102
103/*
104** Blind check of a password. Complement to SEC_CheckPassword which
105** ignores length and content type, just returning DSTrue if the password
106** exists, DSFalse if NULL
107*/
108extern PRBool SEC_BlindCheckPassword(char *password);
109
110/*
111** Get a password.
112** First prompt with "msg" on "out", then read the password from "in".
113** The password is then checked using "chkpw".
** The returned char* holds the secret; who frees it (and whether it is
** zeroized) is not stated here -- presumably caller-owned, confirm in the
** implementation.
114*/
115extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg,
116 PRBool (*chkpw)(char *));
117
/* Has the (slot, retry, arg) shape of a PK11 password callback, like
 * SECU_GetModulePassword further down, so it is presumably meant to be
 * installed with PK11_SetPasswordFunc -- undocumented here, confirm. */
118char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg);
119
/* Prompts with "prompt"; "arg" is opaque and its meaning is not documented
 * here. Return-value ownership is likewise unstated -- confirm. */
120char *SECU_GetPasswordString(void *arg, char *prompt);
121
122/*
123** Write a dongle password.
124** Uses MD5 to hash constant system data (hostname, etc.), and then
125** creates RC4 key to encrypt a password "pw" into a file "fd".
**
** NOTE(review): as documented, the key is derived only from system data
** that is not secret, so the file is obfuscated rather than protected by a
** secret key -- anyone who can read the file on that host can recover "pw".
** MD5 and RC4 are also both deprecated. Treat the file as sensitive and
** rely on file permissions, not on this encoding, for confidentiality.
126*/
127extern SECStatus SEC_WriteDongleFile(int fd, char *pw);
128
129/*
130** Get a dongle password.
131** Uses MD5 to hash constant system data (hostname, etc.), and then
132** creates RC4 key to decrypt and return a password from file "fd".
** Same caveat as SEC_WriteDongleFile. The returned string holds the secret;
** its ownership is not stated here -- confirm.
133*/
134extern char *SEC_ReadDongleFile(int fd);
135
136
137/* End stolen headers */
138
139/* Just sticks the two strings together with a / if needed */
/* Returns char*; whether the result is newly allocated (caller frees) is
 * not stated here -- confirm before freeing. */
140char *SECU_AppendFilenameToDir(char *dir, char *filename);
141
142/* Returns result of getenv("SSL_DIR") or NULL */
/* The value comes straight from the environment. This header ships with a
 * PAM module, so in a privileged process treat the result as untrusted
 * input and validate it before using it as a database path. */
143extern char *SECU_DefaultSSLDir(void);
144
145/*
146** Should be called once during initialization to set the default
147** directory for looking for cert.db, key.db, and cert-nameidx.db files
148** Removes trailing '/' in 'base'
149** If 'base' is NULL, defaults to .netscape in the home directory.
150*/
151extern char *SECU_ConfigDirectory(const char* base);
152
153/*
154** Basic callback function for SSL_GetClientAuthDataHook
155*/
156extern int
157SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
158 struct CERTDistNamesStr *caNames,
159 struct CERTCertificateStr **pRetCert,
160 struct SECKEYPrivateKeyStr **pRetKey);
161
162/* print out an error message */
/* "msg" followed by "..." indicates a printf-style format string; pass
 * untrusted text as an argument to a "%s" conversion, never as msg itself
 * (format-string hazard). Inferred from the signature -- confirm. */
163extern void SECU_PrintError(char *progName, char *msg, ...);
164
165/* print out a system error message */
/* Same format-string caveat as SECU_PrintError. */
166extern void SECU_PrintSystemError(char *progName, char *msg, ...);
167
168/* Return informative error string */
169extern const char * SECU_Strerror(PRErrorCode errNum);
170
171/* print information about cert verification failure */
172extern void
173SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
174 CERTCertificate *cert, PRBool checksig,
175 SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
176
177/* Read the contents of a file into a SECItem */
178extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
179extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);
180
181/* Read in a DER from a file, may be ascii */
182extern SECStatus
183SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
184
185/* Indent based on "level" */
186extern void SECU_Indent(FILE *out, int level);
187
188/* Print integer value and hex */
189extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level);
190
191/* Print ObjectIdentifier symbolically */
192extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level);
193
194/* Print AlgorithmIdentifier symbolically */
195extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m,
196 int level);
197
198/* Print SECItem as hex */
199extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level);
200
201/* dump a buffer in hex and ASCII */
202extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len);
203
204/*
205 * Format and print the UTC Time "t". If the tag message "m" is not NULL,
206 * do indent formatting based on "level" and add a newline afterward;
207 * otherwise just print the formatted time string only.
208 */
209extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level);
210
211/*
212 * Format and print the Generalized Time "t". If the tag message "m"
213** is not NULL, do indent formatting based on "level" and add a newline
214 * afterward; otherwise just print the formatted time string only.
215 */
216extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m,
217 int level);
218
219/*
220 * Format and print the UTC or Generalized Time "t". If the tag message
221 * "m" is not NULL, do indent formatting based on "level" and add a newline
222 * afterward; otherwise just print the formatted time string only.
223 */
224extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level);
225
226/* callback for listing certs through pkcs11 */
227extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);
228
229/* Dump all certificate nicknames in a database */
230extern SECStatus
231SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out,
232 PRBool sortByName, PRBool sortByTrust);
233
234/* See if nickname already in database. Return 1 true, 0 false, -1 error */
/* Three-valued result: -1 is nonzero, so testing the return as a plain
 * boolean would treat a database error as "name exists". Compare against
 * 1 / 0 / -1 explicitly. */
235int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);
236
237/* Dump contents of cert req */
238extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
239 int level);
240
241/* Dump contents of certificate */
242extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
243
244/* print trust flags on a cert */
245extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level);
246
247/* Dump contents of public key */
248extern int SECU_PrintPublicKey(FILE *out, SECItem *der, char *m, int level);
249
250#ifdef HAVE_EPV_TEMPLATE
251/* Dump contents of private key */
252extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
253#endif
254
255/* Print the MD5 and SHA1 fingerprints of a cert */
256extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m,
257 int level);
258
259/* Pretty-print any PKCS7 thing */
260extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m,
261 int level);
262
263/* Init PKCS11 stuff */
264extern SECStatus SECU_PKCS11Init(PRBool readOnly);
265
266/* Dump contents of signed data */
267extern int SECU_PrintSignedData(FILE *out, SECItem *der, char *m, int level,
268 SECU_PPFunc inner);
269
270extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level);
271
272extern void
273SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level);
274
275extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level);
276extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level);
277
278extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level);
279extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
280 char *msg, int level);
281
282extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
283 char *msg, int level);
284
285extern void SECU_PrintName(FILE *out, CERTName *name, char *msg, int level);
286
287#ifdef SECU_GetPassword
288/* Convert a High public Key to a Low public Key */
289extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
290#endif
291
292extern SECItem *SECU_GetPBEPassword(void *arg);
293
294extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
295
296extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
297extern void SEC_Init(void);
298
299extern char *SECU_SECModDBName(void);
300
301extern void SECU_PrintPRandOSError(char *progName);
302
303extern SECStatus SECU_RegisterDynamicOids(void);
304
305/* Identifies hash algorithm tag by its string representation. */
306extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);
307
308/* Store CRL in output file or pk11 db. Also
309 * encodes with base64 and exports to file if ascii flag is set
310 * and file is not NULL. */
311extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl,
312 PRFileDesc *outFile, int ascii, char *url);
313
314
315/*
316** DER sign a single block of data using private key encryption and the
317** MD5 hashing algorithm. This routine first computes a digital signature
318** using SEC_SignData, then wraps it with a CERTSignedData and then der
319** encodes the result.
320** "arena" is the memory arena to use to allocate data from
321** "sd" returned CERTSignedData
322** "result" the final der encoded data (memory is allocated)
323** "buf" the input data to sign
324** "len" the amount of data to sign
325** "pk" the private key to encrypt with
** "algID" signature algorithm tag (not described in the original comment)
**
** NOTE(review): the comment above does not match the prototype: there is
** no "result" parameter, and the digest is presumably chosen by algID
** rather than fixed to MD5 -- confirm and update. "len" is a signed int;
** callers must not pass a negative length.
326*/
327extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
328 unsigned char *buf, int len,
329 SECKEYPrivateKey *pk, SECOidTag algID);
330
338
339extern SECStatus
340SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
341 SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);
342
343extern SECStatus
344SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
345
346/*
347** Finds the crl Authority Key Id extension. Returns NULL if no such extension
348** was found.
349*/
350CERTAuthKeyID *
351SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl);
352
353/*
354 * Find the issuer of a crl. Cert usage should be checked before signing a crl.
355 */
356CERTCertificate *
357SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
358 CERTAuthKeyID* id, PRTime validTime);
359
360
361/* call back function used in encoding of an extension. Called from
362 * SECU_EncodeAndAddExtensionValue */
363typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena,
364 void *value, SECItem *encodedValue);
365
366/* Encodes and adds extensions to the CRL or CRL entries. */
367SECStatus
368SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle,
369 void *value, PRBool criticality, int extenType,
370 EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
371
372
373/*
374 *
375 * Utilities for parsing security tools command lines
376 *
377 */
378
379/* A single command flag */
380typedef struct {
381 char flag;
382 PRBool needsArg;
383 char *arg;
384 PRBool activated;
386
387/* A full array of command/option flags */
396
397/* fill the "arg" and "activated" fields for each flag */
398SECStatus
399SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd);
400char *
401SECU_GetOptionArg(secuCommand *cmd, int optionNum);
402
403/*
404 *
405 * Error messaging
406 *
407 */
408
409/* Return informative error string */
410char *SECU_ErrorString(int16 err);
411
412/* Return informative error string. Does not call XP_GetString */
413char *SECU_ErrorStringRaw(int16 err);
414
415void printflags(char *trusts, unsigned int flags);
416
417#ifndef XP_UNIX
418extern int ffs(unsigned int i);
419#endif
420
421#include "secerr.h"
422#include "sslerr.h"
423
424#endif /* _SEC_UTIL_H_ */