Back to index

lightning-sunbird  0.9+nobinonly
addbuiltin.c
Go to the documentation of this file.
00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is the Netscape security libraries.
00015  *
00016  * The Initial Developer of the Original Code is
00017  * Netscape Communications Corporation.
00018  * Portions created by the Initial Developer are Copyright (C) 1994-2000
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *
00023  * Alternatively, the contents of this file may be used under the terms of
00024  * either the GNU General Public License Version 2 or later (the "GPL"), or
00025  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00026  * in which case the provisions of the GPL or the LGPL are applicable instead
00027  * of those above. If you wish to allow use of your version of this file only
00028  * under the terms of either the GPL or the LGPL, and not to allow others to
00029  * use your version of this file under the terms of the MPL, indicate your
00030  * decision by deleting the provisions above and replace them with the notice
00031  * and other provisions required by the GPL or the LGPL. If you do not delete
00032  * the provisions above, a recipient may use your version of this file under
00033  * the terms of any one of the MPL, the GPL or the LGPL.
00034  *
00035  * ***** END LICENSE BLOCK ***** */
00036 
00037 /*
00038  * Tool for converting builtin CA certs.
00039  *
00040  * $Id: addbuiltin.c,v 1.13.24.1 2007/02/14 00:01:24 alexei.volkov.bugs%sun.com Exp $
00041  */
00042 
00043 #include "nssrenam.h"
00044 #include "nss.h"
00045 #include "cert.h"
00046 #include "certdb.h"
00047 #include "secutil.h"
00048 #include "pk11func.h"
00049 
00050 #if defined(WIN32)
00051 #include <fcntl.h>
00052 #include <io.h>
00053 #endif
00054 
00055 void dumpbytes(unsigned char *buf, int len)
00056 {
00057     int i;
00058     for (i=0; i < len; i++) {
00059        if ((i !=0) && ((i & 0xf) == 0)) {
00060            printf("\n");
00061        }
00062        printf("\\%03o",buf[i]);
00063     }
00064     printf("\n");
00065 }
00066 
00067 char *getTrustString(unsigned int trust)
00068 {
00069     if (trust & CERTDB_TRUSTED) {
00070        if (trust & CERTDB_TRUSTED_CA) {
00071               return "CKT_NETSCAPE_TRUSTED_DELEGATOR|CKT_NETSCAPE_TRUSTED";
00072        } else {
00073               return "CKT_NETSCAPE_TRUSTED";
00074        }
00075     } else {
00076        if (trust & CERTDB_TRUSTED_CA) {
00077               return "CKT_NETSCAPE_TRUSTED_DELEGATOR";
00078        } else if (trust & CERTDB_VALID_CA) {
00079               return "CKT_NETSCAPE_VALID_DELEGATOR";
00080        } else {
00081               return "CKT_NETSCAPE_TRUST_UNKNOWN";
00082        }
00083     }
00084     return "CKT_NETSCAPE_TRUST_UNKNOWN"; /* not reached */
00085 }
00086 
00087 static const SEC_ASN1Template serialTemplate[] = {
00088     { SEC_ASN1_INTEGER, offsetof(CERTCertificate,serialNumber) },
00089     { 0 }
00090 };
00091 
00092 static SECStatus
00093 ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust)
00094 {
00095     SECStatus rv = SECSuccess;
00096     CERTCertificate *cert;
00097     unsigned char sha1_hash[SHA1_LENGTH];
00098     unsigned char md5_hash[MD5_LENGTH];
00099     SECItem *serial = NULL;
00100 
00101     cert = CERT_DecodeDERCertificate(sdder, PR_FALSE, nickname);
00102     if (!cert) {
00103        return SECFailure;
00104     }
00105     serial = SEC_ASN1EncodeItem(NULL,NULL,cert,serialTemplate);
00106     if (!serial) {
00107        return SECFailure;
00108     }
00109 
00110     printf("\n#\n# Certificate \"%s\"\n#\n",nickname);
00111     printf("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n");
00112     printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
00113     printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
00114     printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
00115     printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
00116     printf("CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n");
00117     printf("CKA_SUBJECT MULTILINE_OCTAL\n");
00118     dumpbytes(cert->derSubject.data,cert->derSubject.len);
00119     printf("END\n");
00120     printf("CKA_ID UTF8 \"0\"\n");
00121     printf("CKA_ISSUER MULTILINE_OCTAL\n");
00122     dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
00123     printf("END\n");
00124     printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
00125     dumpbytes(serial->data,serial->len);
00126     printf("END\n");
00127     printf("CKA_VALUE MULTILINE_OCTAL\n");
00128     dumpbytes(sdder->data,sdder->len);
00129     printf("END\n");
00130 
00131     PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len);
00132     PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len);
00133     printf("\n# Trust for Certificate \"%s\"\n",nickname);
00134     printf("CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST\n");
00135     printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
00136     printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
00137     printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
00138     printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
00139     printf("CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n");
00140     dumpbytes(sha1_hash,SHA1_LENGTH);
00141     printf("END\n");
00142     printf("CKA_CERT_MD5_HASH MULTILINE_OCTAL\n");
00143     dumpbytes(md5_hash,MD5_LENGTH);
00144     printf("END\n");
00145 
00146     printf("CKA_ISSUER MULTILINE_OCTAL\n");
00147     dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
00148     printf("END\n");
00149     printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
00150     dumpbytes(serial->data,serial->len);
00151     printf("END\n");
00152     
00153     printf("CKA_TRUST_SERVER_AUTH CK_TRUST %s\n",
00154                              getTrustString(trust->sslFlags));
00155     printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST %s\n",
00156                              getTrustString(trust->emailFlags));
00157     printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n",
00158                              getTrustString(trust->objectSigningFlags));
00159 #ifdef notdef
00160     printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED\n");*/
00161     printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
00162     printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
00163     printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
00164     printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
00165     printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
00166     printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
00167 #endif
00168     printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n",
00169                 trust->sslFlags & CERTDB_GOVT_APPROVED_CA ? 
00170                 "CK_TRUE" : "CK_FALSE");
00171 
00172 
00173     PORT_Free(sdder->data);
00174     return(rv);
00175 
00176 }
00177 
00178 void printheader() {
00179     printf("# \n"
00180 "# ***** BEGIN LICENSE BLOCK *****\n"
00181 "# Version: MPL 1.1/GPL 2.0/LGPL 2.1\n"
00182 "#\n"
00183 "# The contents of this file are subject to the Mozilla Public License Version\n"
00184 "# 1.1 (the \"License\"); you may not use this file except in compliance with\n"
00185 "# the License. You may obtain a copy of the License at\n"
00186 "# http://www.mozilla.org/MPL/\n"
00187 "#\n"
00188 "# Software distributed under the License is distributed on an \"AS IS\" basis,\n"
00189 "# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License\n"
00190 "# for the specific language governing rights and limitations under the\n"
00191 "# License.\n"
00192 "#\n"
00193 "# The Original Code is the Netscape security libraries..\n"
00194 "#\n"
00195 "# The Initial Developer of the Original Code is\n"
00196 "# Netscape Communications Corporation.\n"
00197 "# Portions created by the Initial Developer are Copyright (C) 1994-2000\n"
00198 "# the Initial Developer. All Rights Reserved.\n"
00199 "#\n"
00200 "# Contributor(s):\n"
00201 "#\n"
00202 "# Alternatively, the contents of this file may be used under the terms of\n"
00203 "# either the GNU General Public License Version 2 or later (the \"GPL\"), or\n"
00204 "# the GNU Lesser General Public License Version 2.1 or later (the \"LGPL\"),\n"
00205 "# in which case the provisions of the GPL or the LGPL are applicable instead\n"
00206 "# of those above. If you wish to allow use of your version of this file only\n"
00207 "# under the terms of either the GPL or the LGPL, and not to allow others to\n"
00208 "# use your version of this file under the terms of the MPL, indicate your\n"
00209 "# decision by deleting the provisions above and replace them with the notice\n"
00210 "# and other provisions required by the GPL or the LGPL. If you do not delete\n"
00211 "# the provisions above, a recipient may use your version of this file under\n"
00212 "# the terms of any one of the MPL, the GPL or the LGPL.\n"
00213 "#\n"
00214 "# ***** END LICENSE BLOCK *****\n"
00215      "#\n"
00216      "CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.13.24.1 $ $Date: 2007/02/14 00:01:24 $\"\n"
00217      "\n"
00218      "#\n"
00219      "# certdata.txt\n"
00220      "#\n"
00221      "# This file contains the object definitions for the certs and other\n"
00222      "# information \"built into\" NSS.\n"
00223      "#\n"
00224      "# Object definitions:\n"
00225      "#\n"
00226      "#    Certificates\n"
00227      "#\n"
00228      "#  -- Attribute --          -- type --              -- value --\n"
00229      "#  CKA_CLASS                CK_OBJECT_CLASS         CKO_CERTIFICATE\n"
00230      "#  CKA_TOKEN                CK_BBOOL                CK_TRUE\n"
00231      "#  CKA_PRIVATE              CK_BBOOL                CK_FALSE\n"
00232      "#  CKA_MODIFIABLE           CK_BBOOL                CK_FALSE\n"
00233      "#  CKA_LABEL                UTF8                    (varies)\n"
00234      "#  CKA_CERTIFICATE_TYPE     CK_CERTIFICATE_TYPE     CKC_X_509\n"
00235      "#  CKA_SUBJECT              DER+base64              (varies)\n"
00236      "#  CKA_ID                   byte array              (varies)\n"
00237      "#  CKA_ISSUER               DER+base64              (varies)\n"
00238      "#  CKA_SERIAL_NUMBER        DER+base64              (varies)\n"
00239      "#  CKA_VALUE                DER+base64              (varies)\n"
00240      "#  CKA_NETSCAPE_EMAIL       ASCII7                  (unused here)\n"
00241      "#\n"
00242      "#    Trust\n"
00243      "#\n"
00244      "#  -- Attribute --              -- type --          -- value --\n"
00245      "#  CKA_CLASS                    CK_OBJECT_CLASS     CKO_TRUST\n"
00246      "#  CKA_TOKEN                    CK_BBOOL            CK_TRUE\n"
00247      "#  CKA_PRIVATE                  CK_BBOOL            CK_FALSE\n"
00248      "#  CKA_MODIFIABLE               CK_BBOOL            CK_FALSE\n"
00249      "#  CKA_LABEL                    UTF8                (varies)\n"
00250      "#  CKA_ISSUER                   DER+base64          (varies)\n"
00251      "#  CKA_SERIAL_NUMBER            DER+base64          (varies)\n"
00252      "#  CKA_CERT_HASH                binary+base64       (varies)\n"
00253      "#  CKA_EXPIRES                  CK_DATE             (not used here)\n"
00254      "#  CKA_TRUST_DIGITAL_SIGNATURE  CK_TRUST            (varies)\n"
00255      "#  CKA_TRUST_NON_REPUDIATION    CK_TRUST            (varies)\n"
00256      "#  CKA_TRUST_KEY_ENCIPHERMENT   CK_TRUST            (varies)\n"
00257      "#  CKA_TRUST_DATA_ENCIPHERMENT  CK_TRUST            (varies)\n"
00258      "#  CKA_TRUST_KEY_AGREEMENT      CK_TRUST            (varies)\n"
00259      "#  CKA_TRUST_KEY_CERT_SIGN      CK_TRUST            (varies)\n"
00260      "#  CKA_TRUST_CRL_SIGN           CK_TRUST            (varies)\n"
00261      "#  CKA_TRUST_SERVER_AUTH        CK_TRUST            (varies)\n"
00262      "#  CKA_TRUST_CLIENT_AUTH        CK_TRUST            (varies)\n"
00263      "#  CKA_TRUST_CODE_SIGNING       CK_TRUST            (varies)\n"
00264      "#  CKA_TRUST_EMAIL_PROTECTION   CK_TRUST            (varies)\n"
00265      "#  CKA_TRUST_IPSEC_END_SYSTEM   CK_TRUST            (varies)\n"
00266      "#  CKA_TRUST_IPSEC_TUNNEL       CK_TRUST            (varies)\n"
00267      "#  CKA_TRUST_IPSEC_USER         CK_TRUST            (varies)\n"
00268      "#  CKA_TRUST_TIME_STAMPING      CK_TRUST            (varies)\n"
00269      "#  (other trust attributes can be defined)\n"
00270      "#\n"
00271      "\n"
00272      "#\n"
00273      "# The object to tell NSS that this is a root list and we don't\n"
00274      "# have to go looking for others.\n"
00275      "#\n"
00276      "BEGINDATA\n"
00277      "CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST\n"
00278      "CKA_TOKEN CK_BBOOL CK_TRUE\n"
00279      "CKA_PRIVATE CK_BBOOL CK_FALSE\n"
00280      "CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
00281      "CKA_LABEL UTF8 \"Mozilla Builtin Roots\"\n");
00282 }
00283 
00284 static void Usage(char *progName)
00285 {
00286     fprintf(stderr, "%s -n nickname -t trust [-i certfile]\n", progName);
00287     fprintf(stderr, 
00288             "\tRead a der-encoded cert from certfile or stdin, and output\n"
00289             "\tit to stdout in a format suitable for the builtin root module.\n"
00290             "\tExample: %s -n MyCA -t \"C,C,C\" -i myca.der >> certdata.txt\n"
00291             "\t(pipe through atob if the cert is b64-encoded)\n", progName);
00292     fprintf(stderr, "%-15s nickname to assign to builtin cert.\n", 
00293                     "-n nickname");
00294     fprintf(stderr, "%-15s trust flags (cCTpPuw).\n", "-t trust");
00295     fprintf(stderr, "%-15s file to read (default stdin)\n", "-i certfile");
00296     exit(-1);
00297 }
00298 
00299 enum {
00300     opt_Input = 0,
00301     opt_Nickname,
00302     opt_Trust
00303 };
00304 
00305 static secuCommandFlag addbuiltin_options[] =
00306 {
00307        { /* opt_Input         */  'i', PR_TRUE, 0, PR_FALSE },
00308        { /* opt_Nickname      */  'n', PR_TRUE, 0, PR_FALSE },
00309        { /* opt_Trust         */  't', PR_TRUE, 0, PR_FALSE }
00310 };
00311 
00312 int main(int argc, char **argv)
00313 {
00314     SECStatus rv;
00315     char *nickname;
00316     char *trusts;
00317     char *progName;
00318     PRFileDesc *infile;
00319     CERTCertTrust trust = { 0 };
00320     SECItem derCert = { 0 };
00321 
00322     secuCommand addbuiltin = { 0 };
00323     addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
00324     addbuiltin.options = addbuiltin_options;
00325 
00326     progName = strrchr(argv[0], '/');
00327     progName = progName ? progName+1 : argv[0];
00328 
00329     rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);
00330 
00331     if (rv != SECSuccess)
00332        Usage(progName);
00333 
00334     if (!addbuiltin.options[opt_Nickname].activated &&
00335         !addbuiltin.options[opt_Trust].activated) {
00336        fprintf(stderr, "%s: you must specify both a nickname and trust.\n",
00337               progName);
00338        Usage(progName);
00339     }
00340 
00341     if (addbuiltin.options[opt_Input].activated) {
00342        infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
00343        if (!infile) {
00344            fprintf(stderr, "%s: failed to open input file.\n", progName);
00345            exit(1);
00346        }
00347     } else {
00348 #if defined(WIN32)
00349        /* If we're going to read binary data from stdin, we must put stdin
00350        ** into O_BINARY mode or else incoming \r\n's will become \n's,
00351        ** and latin-1 characters will be altered.
00352        */
00353 
00354        int smrv = _setmode(_fileno(stdin), _O_BINARY);
00355        if (smrv == -1) {
00356            fprintf(stderr,
00357            "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
00358                    progName);
00359            exit(1);
00360        }
00361 #endif
00362        infile = PR_STDIN;
00363     }
00364 
00365     nickname = strdup(addbuiltin.options[opt_Nickname].arg);
00366     trusts = strdup(addbuiltin.options[opt_Trust].arg);
00367 
00368     NSS_NoDB_Init(NULL);
00369 
00370     rv = CERT_DecodeTrustString(&trust, trusts);
00371     if (rv) {
00372        fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
00373        Usage(progName);
00374     }
00375 
00376     SECU_FileToItem(&derCert, infile);
00377     
00378     /*printheader();*/
00379 
00380     rv = ConvertCertificate(&derCert, nickname, &trust);
00381     if (rv) {
00382        fprintf(stderr, "%s: failed to convert certificate.\n", progName);
00383        exit(1);
00384     }
00385     
00386     if (NSS_Shutdown() != SECSuccess) {
00387         exit(1);
00388     }
00389 
00390     return(SECSuccess);
00391 }