00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is the Netscape security libraries.
00015  *
00016  * The Initial Developer of the Original Code is
00017  * Netscape Communications Corporation.
00018  * Portions created by the Initial Developer are Copyright (C) 1994-2000
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *
00023  * Alternatively, the contents of this file may be used under the terms of
00024  * either the GNU General Public License Version 2 or later (the "GPL"), or
00025  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00026  * in which case the provisions of the GPL or the LGPL are applicable instead
00027  * of those above. If you wish to allow use of your version of this file only
00028  * under the terms of either the GPL or the LGPL, and not to allow others to
00029  * use your version of this file under the terms of the MPL, indicate your
00030  * decision by deleting the provisions above and replace them with the notice
00031  * and other provisions required by the GPL or the LGPL. If you do not delete
00032  * the provisions above, a recipient may use your version of this file under
00033  * the terms of any one of the MPL, the GPL or the LGPL.
00034  *
00035  * ***** END LICENSE BLOCK ***** */
00036 #ifndef _SEC_UTIL_H_
00037 #define _SEC_UTIL_H_
00038 
00039 #include "seccomon.h"
00040 #include "secitem.h"
00041 #include "prerror.h"
00042 #include "base64.h"
00043 #include "key.h"
00044 #include "secpkcs7.h"
00045 #include "secasn1.h"
00046 #include "secder.h"
00047 #include <stdio.h>
00048 
/* Content-type tags naming the kind of object a file or blob holds. */
#define SEC_CT_PRIVATE_KEY         "private-key"
#define SEC_CT_PUBLIC_KEY          "public-key"
#define SEC_CT_CERTIFICATE         "certificate"
#define SEC_CT_CERTIFICATE_REQUEST "certificate-request"
#define SEC_CT_PKCS7               "pkcs7"
#define SEC_CT_CRL                 "crl"

/* Armor lines bracketing a base64-encoded certificate request.
 * Note the "NEW CERTIFICATE REQUEST" wording: other tools commonly
 * emit the plain "CERTIFICATE REQUEST" label, so code that matches
 * armor lines exactly must allow for this variant. */
#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"

/* Armor lines bracketing a base64-encoded certificate. */
#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
#define NS_CERT_TRAILER "-----END CERTIFICATE-----"

/* Armor lines bracketing a base64-encoded CRL. */
#define NS_CRL_HEADER  "-----BEGIN CRL-----"
#define NS_CRL_TRAILER "-----END CRL-----"
00064 
/* From libsec/pcertdb.c --- it's not declared in sec.h.
 * Adds the DER certificate "derCert" to the permanent database "handle"
 * under "nickname" with the given trust settings.
 * NOTE(review): ownership of derCert/nickname after the call and whether
 * "trust" may be NULL are not documented here -- confirm in pcertdb.c. */
extern SECStatus SEC_AddPermCertificate(CERTCertDBHandle *handle,
              SECItem *derCert, char *nickname, CERTCertTrust *trust);
00068 
00069 
/* Pretty-printer callback type: prints "item" labelled "msg" at indent
 * "level". Used as the "inner" printer of SECU_PrintSignedData (declared
 * below). Under SECUTIL_NEW output goes to an NSPR PRFileDesc, otherwise
 * to a stdio FILE -- the two variants are not interchangeable, so the
 * macro must be set consistently for every translation unit. */
#ifdef SECUTIL_NEW
typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item, 
                           char *msg, int level);
#else
typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level);
#endif
00076 
/*
** Where a token password comes from, plus the accompanying datum.
** NOTE(review): what "data" holds for each source is not defined here;
** presumably a file path for PW_FROMFILE and the password itself for
** PW_PLAINTEXT -- confirm against the consumers of this struct.
** When "data" carries a plaintext password, the owner should clear it
** before releasing it rather than leaving the secret in freed memory.
*/
typedef struct {
    enum {
       PW_NONE = 0,       /* no password supplied */
       PW_FROMFILE = 1,   /* password is to be read from a file */
       PW_PLAINTEXT = 2,  /* password is given directly */
       PW_EXTERNAL = 3    /* password is obtained by some external means */
    } source;
    char *data;           /* source-dependent datum, see note above */
} secuPWData;
00086 
/*
** Change a password on a token, or initialize a token with a password
** if it does not already have one.
** Use passwd to send the password in plaintext, pwFile to specify a
** file containing the password, or NULL for both to prompt the user.
** NOTE(review): a plaintext "passwd" that originates in argv is visible
** to other local users through process listings; where that matters,
** prefer pwFile or the interactive prompt.
*/
SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile);
00094 
/*  These were stolen from the old sec.h... */
/*
** Check a password for legitimacy. Passwords must be at least 8
** characters long and contain one non-alphabetic. Return DSTrue if the
** password is ok, DSFalse otherwise.
*/
extern PRBool SEC_CheckPassword(char *password);

/*
** Blind check of a password. Complement to SEC_CheckPassword which
** ignores length and content type, just returning DSTrue if the password
** exists, DSFalse if NULL.
*/
extern PRBool SEC_BlindCheckPassword(char *password);

/*
** Get a password.
** First prompt with "msg" on "out", then read the password from "in".
** The password is then checked using "chkpw".
** NOTE(review): ownership of the returned string and whether terminal
** echo is suppressed while reading are not stated here -- confirm in
** the implementation before relying on either.
*/
extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg,
                                  PRBool (*chkpw)(char *));

/* Password callback with the PK11 password-callback shape
 * (slot, retry, arg); "arg" is presumably a secuPWData* -- confirm.
 * Returns the password string, or NULL if none could be obtained. */
char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg);

/* Obtain a password string for "prompt"; the meaning of "arg" is not
 * documented here (presumably a secuPWData*, see SECU_FilePasswd). */
char *SECU_GetPasswordString(void *arg, char *prompt);
00121 
/*
** Write a dongle password.
** Uses MD5 to hash constant system data (hostname, etc.), and then
** creates RC4 key to encrypt a password "pw" into a file "fd".
** NOTE(review): the key is derived from non-secret host data, so the
** file is obfuscated rather than protected by a secret the attacker
** lacks; MD5 and RC4 are also legacy algorithms. Treat this as
** historical functionality, not as a secure password store.
*/
extern SECStatus SEC_WriteDongleFile(int fd, char *pw);

/*
** Get a dongle password.
** Uses MD5 to hash constant system data (hostname, etc.), and then
** creates RC4 key to decrypt and return a password from file "fd".
** See the caveat on SEC_WriteDongleFile; ownership of the returned
** string is not stated here.
*/
extern char *SEC_ReadDongleFile(int fd);
00135 
00136 
00137 /* End stolen headers */
00138 
/* Just sticks the two strings together with a / if needed.
 * NOTE(review): whether the result is freshly allocated or static
 * storage is not stated here -- confirm before freeing it. */
char *SECU_AppendFilenameToDir(char *dir, char *filename);

/* Returns result of getenv("SSL_DIR") or NULL.
 * The value is taken from the caller's environment, so a program that
 * runs with more privilege than the user who set the environment should
 * validate it before using it as a database location. */
extern char *SECU_DefaultSSLDir(void);

/*
** Should be called once during initialization to set the default 
**    directory for looking for cert.db, key.db, and cert-nameidx.db files
** Removes trailing '/' in 'base' 
** If 'base' is NULL, defaults to set to .netscape in home directory.
** Returns the directory in effect after the call.
*/
extern char *SECU_ConfigDirectory(const char* base);
00152 
/* 
** Basic callback function for SSL_GetClientAuthDataHook.
** Selects a client certificate acceptable to one of "caNames" and
** returns it and its private key through *pRetCert / *pRetKey.
** NOTE(review): the return convention (0 on success, non-zero otherwise
** is the usual hook contract) and the meaning of "arg" are not stated
** here -- confirm in the implementation.
*/
extern int
SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
                     struct CERTDistNamesStr *caNames,
                     struct CERTCertificateStr **pRetCert,
                     struct SECKEYPrivateKeyStr **pRetKey);
00161 
/* print out an error message, prefixed with "progName".
 * "msg" is followed by variadic arguments and is therefore presumably a
 * printf-style format: never pass caller- or user-supplied text as
 * "msg" itself; use a literal format such as "%s" and pass the text as
 * an argument. */
extern void SECU_PrintError(char *progName, char *msg, ...);

/* print out a system error message (same format-string caveat as
 * SECU_PrintError). */
extern void SECU_PrintSystemError(char *progName, char *msg, ...);

/* Return informative error string for an NSPR/NSS error code.
 * The result is read-only; do not free it. */
extern const char * SECU_Strerror(PRErrorCode errNum);
00170 
/* print information about cert verification failure.
 * "checksig" selects whether signatures are verified, "certUsage" the
 * usage checked, "pinArg" the password-callback argument and "verbose"
 * the amount of detail written to "outfile". */
extern void
SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, 
       CERTCertificate *cert, PRBool checksig, 
       SECCertificateUsage certUsage, void *pinArg, PRBool verbose);

/* Read the contents of a file into a SECItem.
 * NOTE(review): who allocates dst->data (and how it is to be released)
 * is not stated here -- confirm before use. */
extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);

/* Read in a DER from a file, may be ascii.
 * With "ascii" set the input is presumably base64/armored and is decoded
 * into "der"; with it clear the file is taken as raw DER. */
extern SECStatus 
SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
00184 
/* Indent based on "level" */
extern void SECU_Indent(FILE *out, int level);

/* Print integer value and hex; "m" is the label, "level" the indent. */
extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level);

/* Print ObjectIdentifier symbolically; returns the recognized tag
 * (presumably SEC_OID_UNKNOWN for an OID that is not in the table). */
extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level);

/* Print AlgorithmIdentifier symbolically */
extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m,
                              int level);

/* Print SECItem as hex */
extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level);

/* dump a buffer in hex and ASCII.
 * "len" is a signed int: the caller must pass the real buffer length;
 * a negative value is not meaningful. */
extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len);
00203 
/*
 * Format and print the UTC Time "t".  If the tag message "m" is not NULL,
 * do indent formatting based on "level" and add a newline afterward;
 * otherwise just print the formatted time string only.
 */
extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level);

/*
 * Format and print the Generalized Time "t".  If the tag message "m"
 * is not NULL, do indent formatting based on "level" and add a newline
 * afterward; otherwise just print the formatted time string only.
 */
extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m,
                                  int level);

/*
 * Format and print the UTC or Generalized Time "t", dispatching on the
 * item's ASN.1 tag.  If the tag message "m" is not NULL, do indent
 * formatting based on "level" and add a newline afterward; otherwise
 * just print the formatted time string only.
 */
extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level);
00225 
/* callback for listing certs through pkcs11; "data" is the opaque
 * argument passed through by the enumerator. */
extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);

/* Dump all certificate nicknames in a database, optionally sorted by
 * name and/or by trust. */
extern SECStatus
SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out, 
                           PRBool sortByName, PRBool sortByTrust);

/* See if nickname already in database. Return 1 true, 0 false, -1 error.
 * Callers must distinguish -1 from 0: treating an error as "absent"
 * silently allows a duplicate nickname. */
int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);

/* Dump contents of cert req; the int return is a status (0 on success
 * is presumed -- confirm against the implementation). */
extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
       int level);

/* Dump contents of certificate */
extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);

/* print trust flags on a cert */
extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level);

/* Dump contents of public key */
extern int SECU_PrintPublicKey(FILE *out, SECItem *der, char *m, int level);

#ifdef HAVE_EPV_TEMPLATE
/* Dump contents of private key (only available when the private-key
 * template is built in). Writes key material to "out". */
extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
#endif

/* Print the MD5 and SHA1 fingerprints of a cert.
 * NOTE(review): neither digest is collision-resistant by today's
 * standards; fingerprints printed here are for display, not for
 * security decisions. */
extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m,
                                  int level);

/* Pretty-print any PKCS7 thing */
extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, 
                                  int level);
00262 
/* Init PKCS11 stuff; "readOnly" selects whether the databases are
 * opened read-only. */
extern SECStatus SECU_PKCS11Init(PRBool readOnly);

/* Dump contents of signed data; "inner" is the SECU_PPFunc used to
 * print the wrapped content. */
extern int SECU_PrintSignedData(FILE *out, SECItem *der, char *m, int level,
                            SECU_PPFunc inner);

/* Dump contents of a DER-encoded CRL. */
extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level);

/* Print an already-decoded CRL structure. */
extern void
SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level);

/* Print a string-typed item / an item of arbitrary ASN.1 type. */
extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level);
extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level);

/* Print the certificate-policies extension value / the private-key
 * usage period extension value. */
extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level);
extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
                                 char *msg, int level);

/* Print a NULL-terminated array of extensions. */
extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
                             char *msg, int level);

/* Print a distinguished name. */
extern void SECU_PrintName(FILE *out, CERTName *name, char *msg, int level);
00286 
/* NOTE(review): this block is guarded by the name of a function, not a
 * feature macro, so it is compiled only if someone #defines
 * SECU_GetPassword -- which looks unintended. The declaration below is
 * most likely dead. */
#ifdef SECU_GetPassword
/* Convert a High public Key to a Low public Key */
extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
#endif

/* PK11 password-callback-shaped helper (slot, retry, arg); "arg" is
 * presumably a secuPWData* -- see SECU_FilePasswd above. */
extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);

/* Pretty-print a DER blob; "raw" selects a raw dump over decoding. */
extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
extern void SEC_Init(void);

/* Name of the security-module database. */
extern char *SECU_SECModDBName(void);

/* Print the current NSPR and OS error codes/messages prefixed with
 * "progName". */
extern void SECU_PrintPRandOSError(char *progName);

extern SECStatus SECU_RegisterDynamicOids(void);

/* Identifies hash algorithm tag by its string representation. */
extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);

/* Store CRL in output file or pk11 db. Also
 * encodes with base64 and exports to file if ascii flag is set
 * and file is not NULL. "url" is the CRL's distribution point (how it
 * is used when storing to the db is not shown here). */
extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl,
                               PRFileDesc *outFile, int ascii, char *url);
00311 
00312 
/*
** DER sign a single block of data using private key encryption. This
** routine first computes a digital signature using SEC_SignData, then
** wraps it with an CERTSignedData and then der encodes the result.
**     "arena" is the memory arena to use to allocate data from
**     "sd" returned CERTSignedData 
**     "buf" the input data to sign
**     "len" the amount of data to sign (signed int; must be >= 0)
**     "pk" the private key to encrypt with
**     "algID" the signature algorithm tag to use
** NOTE(review): an older description of this routine named MD5 as the
** hash, but the prototype takes "algID" explicitly and mentions no
** "result" parameter; the encoded output is presumably returned through
** "sd" -- confirm against the implementation.
*/
extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
                                     unsigned char *buf, int len,
                                     SECKEYPrivateKey *pk, SECOidTag algID);
00328 
/* Failure reasons reported through the resCode out-parameter of
 * SECU_SignAndEncodeCRL. No member has value 0, so a caller-initialised
 * zero presumably means "no failure recorded" -- confirm. */
typedef enum  {
    noKeyFound = 1,        /* issuer private key not available */
    noSignatureMatch = 2,  /* signature algorithm does not match the key */
    failToEncode = 3,      /* DER encoding failed */
    failToSign = 4,        /* signing failed */
    noMem = 5              /* allocation failed */
} SignAndEncodeFuncExitStat;
00336 
/* Sign "signCrl" with the private key of "issuer" using "hashAlgTag" and
 * DER-encode it. On failure the specific reason is stored in *resCode
 * (see SignAndEncodeFuncExitStat). */
extern SECStatus
SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
                      SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);

/* Deep-copy "srcCrl" into "destCrl", allocating from "destArena". */
extern SECStatus
SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);

/*
** Finds the crl Authority Key Id extension. Returns NULL if no such extension
** was found. The result is allocated from "arena".
*/
CERTAuthKeyID *
SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl);

/*
 * Find the issuer of a crl. Cert usage should be checked before signing a crl.
 * Looks up "subject" (and, when given, the authority key id "id") in
 * "dbHandle", requiring validity at "validTime". Returns NULL if no
 * issuer is found; the caller is responsible for the returned
 * certificate reference.
 */
CERTCertificate *
SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
                   CERTAuthKeyID* id, PRTime validTime);


/* call back function used in encoding of an extension. Called from
 * SECU_EncodeAndAddExtensionValue. Encodes "value" into "encodedValue",
 * allocating from "extHandleArena". */
typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena,
                                               void *value, SECItem *encodedValue);

/* Encodes and adds extensions to the CRL or CRL entries.
 * "extHandle" is the opaque extension handle being built, "extenType"
 * the extension's OID tag and "criticality" its critical flag; the
 * value is encoded by "EncodeValueFn" before being added. */
SECStatus 
SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, 
                                void *value, PRBool criticality, int extenType, 
                                EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
00369 
00370 
00371 /*
00372  *
00373  *  Utilities for parsing security tools command lines 
00374  *
00375  */
00376 
/*  A single command flag  */
typedef struct {
    char flag;         /* the single-character option letter */
    PRBool needsArg;   /* whether the flag takes a value */
    char *arg;         /* the value given (presumably points into argv -- confirm) */
    PRBool activated;  /* set once the flag is seen on the command line */
} secuCommandFlag;
00384 
/*  A full array of command/option flags  */
typedef struct
{
    int numCommands;   /* number of entries in "commands" */
    int numOptions;    /* number of entries in "options" */

    secuCommandFlag *commands;  /* the mutually-exclusive commands */
    secuCommandFlag *options;   /* the modifiers applying to a command */
} secuCommand;
00394 
/*  fill the "arg" and "activated" fields for each flag; "progName" is
 *  used when reporting usage errors. */
SECStatus 
SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd);

/* Return the argument of option "optionNum" (an index into
 * cmd->options). NOTE(review): whether the index is range-checked is
 * not visible here -- callers should pass only valid indices. */
char *
SECU_GetOptionArg(secuCommand *cmd, int optionNum);
00400 
00401 /*
00402  *
00403  *  Error messaging
00404  *
00405  */
00406 
/* Return informative error string for a 16-bit error code.
 * Unlike SECU_Strerror above, this family takes an int16 code and
 * returns a non-const string; ownership is not stated here. */
char *SECU_ErrorString(int16 err);

/* Return informative error string. Does not call XP_GetString */
char *SECU_ErrorStringRaw(int16 err);

/* Print the trust flags "flags" to "trusts" as a string.
 * NOTE(review): no size parameter is taken, so "trusts" must be large
 * enough for every flag letter plus the terminator -- confirm the
 * required size against the implementation. */
void printflags(char *trusts, unsigned int flags);

/* find-first-set-bit replacement for platforms without one. */
#ifndef XP_UNIX
extern int ffs(unsigned int i);
#endif
00418 
00419 #include "secerr.h"
00420 #include "sslerr.h"
00421 
00422 #endif /* _SEC_UTIL_H_ */