1
/* ***** BEGIN LICENSE BLOCK *****
2
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
4
* The contents of this file are subject to the Mozilla Public License Version
5
* 1.1 (the "License"); you may not use this file except in compliance with
6
* the License. You may obtain a copy of the License at
7
* http://www.mozilla.org/MPL/
9
* Software distributed under the License is distributed on an "AS IS" basis,
10
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11
* for the specific language governing rights and limitations under the
14
* The Original Code is the Netscape security libraries.
16
* The Initial Developer of the Original Code is
17
* Netscape Communications Corporation.
18
* Portions created by the Initial Developer are Copyright (C) 1994-2000
19
* the Initial Developer. All Rights Reserved.
23
* Alternatively, the contents of this file may be used under the terms of
24
* either the GNU General Public License Version 2 or later (the "GPL"), or
25
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
26
* in which case the provisions of the GPL or the LGPL are applicable instead
27
* of those above. If you wish to allow use of your version of this file only
28
* under the terms of either the GPL or the LGPL, and not to allow others to
29
* use your version of this file under the terms of the MPL, indicate your
30
* decision by deleting the provisions above and replace them with the notice
31
* and other provisions required by the GPL or the LGPL. If you do not delete
32
* the provisions above, a recipient may use your version of this file under
33
* the terms of any one of the MPL, the GPL or the LGPL.
35
* ***** END LICENSE BLOCK ***** */
49
#define SEC_CT_PRIVATE_KEY "private-key"
50
#define SEC_CT_PUBLIC_KEY "public-key"
51
#define SEC_CT_CERTIFICATE "certificate"
52
#define SEC_CT_CERTIFICATE_REQUEST "certificate-request"
53
#define SEC_CT_PKCS7 "pkcs7"
54
#define SEC_CT_CRL "crl"
56
#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
57
#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
59
#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
60
#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
62
#define NS_CRL_HEADER "-----BEGIN CRL-----"
63
#define NS_CRL_TRAILER "-----END CRL-----"
65
/* From libsec/pcertdb.c --- it's not declared in sec.h */
66
extern SECStatus SEC_AddPermCertificate(CERTCertDBHandle *handle,
67
SECItem *derCert, char *nickname, CERTCertTrust *trust);
71
typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item,
72
char *msg, int level);
74
typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level);
88
** Change a password on a token, or initialize a token with a password
89
** if it does not already have one.
90
** Use passwd to send the password in plaintext, pwFile to specify a
91
** file containing the password, or NULL for both to prompt the user.
93
SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile);
95
/* These were stolen from the old sec.h... */
97
** Check a password for legitimacy. Passwords must be at least 8
98
** characters long and contain one non-alphabetic. Return DSTrue if the
99
** password is ok, DSFalse otherwise.
101
extern PRBool SEC_CheckPassword(char *password);
104
** Blind check of a password. Complement to SEC_CheckPassword which
105
** ignores length and content type, just retuning DSTrue is the password
106
** exists, DSFalse if NULL
108
extern PRBool SEC_BlindCheckPassword(char *password);
112
** First prompt with "msg" on "out", then read the password from "in".
113
** The password is then checked using "chkpw".
115
extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg,
116
PRBool (*chkpw)(char *));
118
char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg);
120
char *SECU_GetPasswordString(void *arg, char *prompt);
123
** Write a dongle password.
124
** Uses MD5 to hash constant system data (hostname, etc.), and then
125
** creates RC4 key to encrypt a password "pw" into a file "fd".
127
extern SECStatus SEC_WriteDongleFile(int fd, char *pw);
130
** Get a dongle password.
131
** Uses MD5 to hash constant system data (hostname, etc.), and then
132
** creates RC4 key to decrypt and return a password from file "fd".
134
extern char *SEC_ReadDongleFile(int fd);
137
/* End stolen headers */
139
/* Just sticks the two strings together with a / if needed */
140
char *SECU_AppendFilenameToDir(char *dir, char *filename);
142
/* Returns result of getenv("SSL_DIR") or NULL */
143
extern char *SECU_DefaultSSLDir(void);
146
** Should be called once during initialization to set the default
147
** directory for looking for cert.db, key.db, and cert-nameidx.db files
148
** Removes trailing '/' in 'base'
149
** If 'base' is NULL, defaults to set to .netscape in home directory.
151
extern char *SECU_ConfigDirectory(const char* base);
154
** Basic callback function for SSL_GetClientAuthDataHook
157
SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
158
struct CERTDistNamesStr *caNames,
159
struct CERTCertificateStr **pRetCert,
160
struct SECKEYPrivateKeyStr **pRetKey);
162
/* print out an error message */
163
extern void SECU_PrintError(char *progName, char *msg, ...);
165
/* print out a system error message */
166
extern void SECU_PrintSystemError(char *progName, char *msg, ...);
168
/* Return informative error string */
169
extern const char * SECU_Strerror(PRErrorCode errNum);
171
/* print information about cert verification failure */
173
SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
174
CERTCertificate *cert, PRBool checksig,
175
SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
177
/* Read the contents of a file into a SECItem */
178
extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
179
extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);
181
/* Read in a DER from a file, may be ascii */
183
SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
185
/* Indent based on "level" */
186
extern void SECU_Indent(FILE *out, int level);
188
/* Print integer value and hex */
189
extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level);
191
/* Print ObjectIdentifier symbolically */
192
extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level);
194
/* Print AlgorithmIdentifier symbolically */
195
extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m,
198
/* Print SECItem as hex */
199
extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level);
201
/* dump a buffer in hex and ASCII */
202
extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len);
205
* Format and print the UTC Time "t". If the tag message "m" is not NULL,
206
* do indent formatting based on "level" and add a newline afterward;
207
* otherwise just print the formatted time string only.
209
extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level);
212
* Format and print the Generalized Time "t". If the tag message "m"
213
* is not NULL, * do indent formatting based on "level" and add a newline
214
* afterward; otherwise just print the formatted time string only.
216
extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m,
220
* Format and print the UTC or Generalized Time "t". If the tag message
221
* "m" is not NULL, do indent formatting based on "level" and add a newline
222
* afterward; otherwise just print the formatted time string only.
224
extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level);
226
/* callback for listing certs through pkcs11 */
227
extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);
229
/* Dump all certificate nicknames in a database */
231
SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out,
232
PRBool sortByName, PRBool sortByTrust);
234
/* See if nickname already in database. Return 1 true, 0 false, -1 error */
235
int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);
237
/* Dump contents of cert req */
238
extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
241
/* Dump contents of certificate */
242
extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
244
/* print trust flags on a cert */
245
extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level);
247
/* Dump contents of public key */
248
extern int SECU_PrintPublicKey(FILE *out, SECItem *der, char *m, int level);
250
#ifdef HAVE_EPV_TEMPLATE
251
/* Dump contents of private key */
252
extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
255
/* Print the MD5 and SHA1 fingerprints of a cert */
256
extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m,
259
/* Pretty-print any PKCS7 thing */
260
extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m,
263
/* Init PKCS11 stuff */
264
extern SECStatus SECU_PKCS11Init(PRBool readOnly);
266
/* Dump contents of signed data */
267
extern int SECU_PrintSignedData(FILE *out, SECItem *der, char *m, int level,
270
extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level);
273
SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level);
275
extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level);
276
extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level);
278
extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level);
279
extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
280
char *msg, int level);
282
extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
283
char *msg, int level);
285
extern void SECU_PrintName(FILE *out, CERTName *name, char *msg, int level);
287
#ifdef SECU_GetPassword
288
/* Convert a High public Key to a Low public Key */
289
extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
292
extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
294
extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
295
extern void SEC_Init(void);
297
extern char *SECU_SECModDBName(void);
299
extern void SECU_PrintPRandOSError(char *progName);
301
extern SECStatus SECU_RegisterDynamicOids(void);
303
/* Identifies hash algorithm tag by its string representation. */
304
extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);
306
/* Store CRL in output file or pk11 db. Also
307
* encodes with base64 and exports to file if ascii flag is set
308
* and file is not NULL. */
309
extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl,
310
PRFileDesc *outFile, int ascii, char *url);
314
** DER sign a single block of data using private key encryption and the
315
** MD5 hashing algorithm. This routine first computes a digital signature
316
** using SEC_SignData, then wraps it with an CERTSignedData and then der
317
** encodes the result.
318
** "arena" is the memory arena to use to allocate data from
319
** "sd" returned CERTSignedData
320
** "result" the final der encoded data (memory is allocated)
321
** "buf" the input data to sign
322
** "len" the amount of data to sign
323
** "pk" the private key to encrypt with
325
extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
326
unsigned char *buf, int len,
327
SECKEYPrivateKey *pk, SECOidTag algID);
331
noSignatureMatch = 2,
335
} SignAndEncodeFuncExitStat;
338
SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
339
SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);
342
SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
345
** Finds the crl Authority Key Id extension. Returns NULL if no such extension
349
SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl);
352
* Find the issuer of a crl. Cert usage should be checked before signing a crl.
355
SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
356
CERTAuthKeyID* id, PRTime validTime);
359
/* call back function used in encoding of an extension. Called from
360
* SECU_EncodeAndAddExtensionValue */
361
typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena,
362
void *value, SECItem *encodedValue);
364
/* Encodes and adds extensions to the CRL or CRL entries. */
366
SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle,
367
void *value, PRBool criticality, int extenType,
368
EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
373
* Utilities for parsing security tools command lines
377
/* A single command flag */
385
/* A full array of command/option flags */
391
secuCommandFlag *commands;
392
secuCommandFlag *options;
395
/* fill the "arg" and "activated" fields for each flag */
397
SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd);
399
SECU_GetOptionArg(secuCommand *cmd, int optionNum);
407
/* Return informative error string */
408
char *SECU_ErrorString(int16 err);
410
/* Return informative error string. Does not call XP_GetString */
411
char *SECU_ErrorStringRaw(int16 err);
413
void printflags(char *trusts, unsigned int flags);
416
extern int ffs(unsigned int i);
422
#endif /* _SEC_UTIL_H_ */