131
* build config string from individual internationalized strings
134
nss_MkConfigString(const char *man, const char *libdesc, const char *tokdesc,
135
const char *ptokdesc, const char *slotdesc, const char *pslotdesc,
136
const char *fslotdesc, const char *fpslotdesc, int minPwd)
138
char *strings = NULL;
141
/* make sure the internationalization was done correctly... */
142
strings = PR_smprintf("");
143
if (strings == NULL) return NULL;
146
newStrings = PR_smprintf("%s manufacturerID='%s'",strings,man);
147
PR_smprintf_free(strings);
148
strings = newStrings;
150
if (strings == NULL) return NULL;
153
newStrings = PR_smprintf("%s libraryDescription='%s'",strings,libdesc);
154
PR_smprintf_free(strings);
155
strings = newStrings;
157
if (strings == NULL) return NULL;
160
newStrings = PR_smprintf("%s cryptoTokenDescription='%s'",strings,
162
PR_smprintf_free(strings);
163
strings = newStrings;
165
if (strings == NULL) return NULL;
168
newStrings = PR_smprintf("%s dbTokenDescription='%s'",strings,ptokdesc);
169
PR_smprintf_free(strings);
170
strings = newStrings;
172
if (strings == NULL) return NULL;
175
newStrings = PR_smprintf("%s cryptoSlotDescription='%s'",strings,
177
PR_smprintf_free(strings);
178
strings = newStrings;
180
if (strings == NULL) return NULL;
183
newStrings = PR_smprintf("%s dbSlotDescription='%s'",strings,pslotdesc);
184
PR_smprintf_free(strings);
185
strings = newStrings;
187
if (strings == NULL) return NULL;
190
newStrings = PR_smprintf("%s FIPSSlotDescription='%s'",
192
PR_smprintf_free(strings);
193
strings = newStrings;
195
if (strings == NULL) return NULL;
198
newStrings = PR_smprintf("%s FIPSTokenDescription='%s'",
200
PR_smprintf_free(strings);
201
strings = newStrings;
203
if (strings == NULL) return NULL;
205
newStrings = PR_smprintf("%s minPS=%d", strings, minPwd);
206
PR_smprintf_free(strings);
207
strings = newStrings;
131
213
* statics to remember the PK11_ConfigurePKCS11()
140
222
* the PKCS #11 internal token.
143
PK11_ConfigurePKCS11(const char *man, const char *libdes, const char *tokdes,
144
const char *ptokdes, const char *slotdes, const char *pslotdes,
145
const char *fslotdes, const char *fpslotdes, int minPwd, int pwRequired)
225
PK11_ConfigurePKCS11(const char *man, const char *libdesc, const char *tokdesc,
226
const char *ptokdesc, const char *slotdesc, const char *pslotdesc,
227
const char *fslotdesc, const char *fpslotdesc, int minPwd,
147
char *strings = NULL;
150
/* make sure the internationalization was done correctly... */
151
strings = PR_smprintf("");
152
if (strings == NULL) return;
155
newStrings = PR_smprintf("%s manufacturerID='%s'",strings,man);
156
PR_smprintf_free(strings);
157
strings = newStrings;
232
strings = nss_MkConfigString(man,libdesc,tokdesc,ptokdesc,slotdesc,
233
pslotdesc,fslotdesc,fpslotdesc,minPwd);
234
if (strings == NULL) {
159
if (strings == NULL) return;
162
newStrings = PR_smprintf("%s libraryDescription='%s'",strings,libdes);
163
PR_smprintf_free(strings);
164
strings = newStrings;
165
239
if (pk11_config_name != NULL) {
166
240
PORT_Free(pk11_config_name);
168
pk11_config_name = PORT_Strdup(libdes);
170
if (strings == NULL) return;
173
newStrings = PR_smprintf("%s cryptoTokenDescription='%s'",strings,
175
PR_smprintf_free(strings);
176
strings = newStrings;
178
if (strings == NULL) return;
181
newStrings = PR_smprintf("%s dbTokenDescription='%s'",strings,ptokdes);
182
PR_smprintf_free(strings);
183
strings = newStrings;
185
if (strings == NULL) return;
188
newStrings = PR_smprintf("%s cryptoSlotDescription='%s'",strings,
190
PR_smprintf_free(strings);
191
strings = newStrings;
193
if (strings == NULL) return;
196
newStrings = PR_smprintf("%s dbSlotDescription='%s'",strings,pslotdes);
197
PR_smprintf_free(strings);
198
strings = newStrings;
200
if (strings == NULL) return;
203
newStrings = PR_smprintf("%s FIPSSlotDescription='%s'",
205
PR_smprintf_free(strings);
206
strings = newStrings;
208
if (strings == NULL) return;
211
newStrings = PR_smprintf("%s FIPSTokenDescription='%s'",
213
PR_smprintf_free(strings);
214
strings = newStrings;
216
if (strings == NULL) return;
218
newStrings = PR_smprintf("%s minPS=%d", strings, minPwd);
219
PR_smprintf_free(strings);
220
strings = newStrings;
221
if (strings == NULL) return;
242
pk11_config_name = PORT_Strdup(libdesc);
223
245
if (pk11_config_strings != NULL) {
224
246
PR_smprintf_free(pk11_config_strings);
391
* OK there are now lots of options here, lets go through them all:
363
* see nss_Init for definitions of the various options.
393
* configdir - base directory where all the cert, key, and module datbases live.
394
* certPrefix - prefix added to the beginning of the cert database example: "
396
* keyPrefix - prefix added to the beginning of the key database example: "
398
* secmodName - name of the security module database (usually "secmod.db").
399
* readOnly - Boolean: true if the databases are to be opened read only.
400
* nocertdb - Don't open the cert DB and key DB's, just initialize the
402
* nomoddb - Don't open the security module DB, just initialize the
404
* forceOpen - Continue to force initializations even if the databases cannot
365
* this function builds a moduleSpec string from the options and previously
366
* set statics (from PKCS11_Configure, for instance), and uses it to kick off
367
* the loading of the various PKCS #11 modules.
408
static PRBool nss_IsInitted = PR_FALSE;
409
static void* plContext = NULL;
411
static SECStatus nss_InitShutdownList(void);
414
static CERTCertificate dummyCert;
418
nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
419
const char *secmodName, const char *updateDir,
420
const char *updCertPrefix, const char *updKeyPrefix,
421
const char *updateID, const char *updateName,
422
PRBool readOnly, PRBool noCertDB,
423
PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
424
PRBool optimizeSpace, PRBool noSingleThreadedModules,
425
PRBool allowAlreadyInitializedModules,
426
PRBool dontFinalizeModules)
370
nss_InitModules(const char *configdir, const char *certPrefix,
371
const char *keyPrefix, const char *secmodName,
372
const char *updateDir, const char *updCertPrefix,
373
const char *updKeyPrefix, const char *updateID,
374
const char *updateName, char *configName, char *configStrings,
375
PRBool pwRequired, PRBool readOnly, PRBool noCertDB,
376
PRBool noModDB, PRBool forceOpen, PRBool optimizeSpace,
377
PRBool isContextInit)
379
SECStatus rv = SECFailure;
428
380
char *moduleSpec = NULL;
429
381
char *flags = NULL;
430
SECStatus rv = SECFailure;
431
382
char *lconfigdir = NULL;
432
383
char *lcertPrefix = NULL;
433
384
char *lkeyPrefix = NULL;
437
388
char *lupdKeyPrefix = NULL;
438
389
char *lupdateID = NULL;
439
390
char *lupdateName = NULL;
440
PKIX_UInt32 actualMinorVersion = 0;
441
PKIX_Error *pkixError = NULL;;
447
/* New option bits must not change the size of CERTCertificate. */
448
PORT_Assert(sizeof(dummyCert.options) == sizeof(void *));
450
if (SECSuccess != cert_InitLocks()) {
454
if (SECSuccess != InitCRLCache()) {
458
if (SECSuccess != OCSP_InitGlobal()) {
462
392
flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen,
463
pk11_password_required, optimizeSpace);
393
pwRequired, optimizeSpace);
464
394
if (flags == NULL) return rv;
467
397
* configdir is double nested, and Windows uses the same character
468
398
* for file seps as we use for escapes! (sigh).
470
lconfigdir = nss_doubleEscape(configdir);
400
lconfigdir = secmod_DoubleEscape(configdir, '\'', '\"');
471
401
if (lconfigdir == NULL) {
474
lcertPrefix = nss_doubleEscape(certPrefix);
404
lcertPrefix = secmod_DoubleEscape(certPrefix, '\'', '\"');
475
405
if (lcertPrefix == NULL) {
478
lkeyPrefix = nss_doubleEscape(keyPrefix);
408
lkeyPrefix = secmod_DoubleEscape(keyPrefix, '\'', '\"');
479
409
if (lkeyPrefix == NULL) {
482
lsecmodName = nss_doubleEscape(secmodName);
412
lsecmodName = secmod_DoubleEscape(secmodName, '\'', '\"');
483
413
if (lsecmodName == NULL) {
486
lupdateDir = nss_doubleEscape(updateDir);
416
lupdateDir = secmod_DoubleEscape(updateDir, '\'', '\"');
487
417
if (lupdateDir == NULL) {
490
lupdCertPrefix = nss_doubleEscape(updCertPrefix);
420
lupdCertPrefix = secmod_DoubleEscape(updCertPrefix, '\'', '\"');
491
421
if (lupdCertPrefix == NULL) {
494
lupdKeyPrefix = nss_doubleEscape(updKeyPrefix);
424
lupdKeyPrefix = secmod_DoubleEscape(updKeyPrefix, '\'', '\"');
495
425
if (lupdKeyPrefix == NULL) {
498
lupdateID = nss_doubleEscape(updateID);
428
lupdateID = secmod_DoubleEscape(updateID, '\'', '\"');
499
429
if (lupdateID == NULL) {
502
lupdateName = nss_doubleEscape(updateName);
432
lupdateName = secmod_DoubleEscape(updateName, '\'', '\"');
503
433
if (lupdateName == NULL) {
506
if (noSingleThreadedModules || allowAlreadyInitializedModules ||
507
dontFinalizeModules) {
508
pk11_setGlobalOptions(noSingleThreadedModules,
509
allowAlreadyInitializedModules,
510
dontFinalizeModules);
513
437
moduleSpec = PR_smprintf(
514
438
"name=\"%s\" parameters=\"configdir='%s' certPrefix='%s' keyPrefix='%s' "
515
439
"secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' "
516
440
"updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s\" "
517
"NSS=\"flags=internal,moduleDB,moduleDBOnly,critical\"",
518
pk11_config_name ? pk11_config_name : NSS_DEFAULT_MOD_NAME,
441
"NSS=\"flags=internal,moduleDB,moduleDBOnly,critical%s\"",
442
configName ? configName : NSS_DEFAULT_MOD_NAME,
519
443
lconfigdir,lcertPrefix,lkeyPrefix,lsecmodName,flags,
520
444
lupdateDir, lupdCertPrefix, lupdKeyPrefix, lupdateID,
521
lupdateName, pk11_config_strings ? pk11_config_strings : "");
445
lupdateName, configStrings ? configStrings : "",
446
isContextInit ? "" : ",defaultModDB,internalKeySlot");
524
449
PORT_Free(flags);
540
465
SECMOD_DestroyModule(module);
544
if (rv == SECSuccess) {
472
* OK there are now lots of options here, lets go through them all:
474
* configdir - base directory where all the cert, key, and module datbases live.
475
* certPrefix - prefix added to the beginning of the cert database example: "
477
* keyPrefix - prefix added to the beginning of the key database example: "
479
* secmodName - name of the security module database (usually "secmod.db").
480
* updateDir - used in initMerge, old directory to update from.
481
* updateID - used in initMerge, unique ID to represent the updated directory.
482
* updateName - used in initMerge, token name when updating.
483
* initContextPtr - used in initContext, pointer to return a unique context
485
* readOnly - Boolean: true if the databases are to be opened read only.
486
* nocertdb - Don't open the cert DB and key DB's, just initialize the
488
* nomoddb - Don't open the security module DB, just initialize the
490
* forceOpen - Continue to force initializations even if the databases cannot
492
* noRootInit - don't try to automatically load the root cert store if one is
494
* optimizeSpace - tell NSS to use fewer hash table buckets.
496
* The next three options are used in an attempt to share PKCS #11 modules
497
* with other loaded, running libraries. PKCS #11 was not designed with this
498
* sort of sharing in mind, so use of these options may lead to questionable
499
* results. These options are may be incompatible with NSS_LoadContext() calls.
501
* noSingleThreadedModules - don't load modules that are not thread safe (many
502
* smart card tokens will not work).
503
* allowAlreadyInitializedModules - if a module has already been loaded and
504
* initialize try to use it.
505
* don'tFinalizeModules - dont shutdown modules we may have loaded.
508
static PRBool nssIsInitted = PR_FALSE;
509
static NSSInitContext *nssInitContextList = NULL;
510
static void* plContext = NULL;
512
struct NSSInitContextStr {
513
NSSInitContext *next;
517
#define NSS_INIT_MAGIC 0x1413A91C
518
static SECStatus nss_InitShutdownList(void);
521
static CERTCertificate dummyCert;
525
nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
526
const char *secmodName, const char *updateDir,
527
const char *updCertPrefix, const char *updKeyPrefix,
528
const char *updateID, const char *updateName,
529
NSSInitContext ** initContextPtr,
530
NSSInitParameters *initParams,
531
PRBool readOnly, PRBool noCertDB,
532
PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
533
PRBool optimizeSpace, PRBool noSingleThreadedModules,
534
PRBool allowAlreadyInitializedModules,
535
PRBool dontFinalizeModules)
537
SECStatus rv = SECFailure;
538
PKIX_UInt32 actualMinorVersion = 0;
539
PKIX_Error *pkixError = NULL;
540
PRBool isReallyInitted;
541
char *configStrings = NULL;
542
char *configName = NULL;
543
PRBool passwordRequired = PR_FALSE;
545
/* if we are trying to init with a traditional NSS_Init call, maintain
546
* the traditional idempotent behavior. */
547
if (!initContextPtr && nssIsInitted) {
551
/* this tells us whether or not some library has already initialized us.
552
* if so, we don't want to double call some of the basic initialization
554
isReallyInitted = NSS_IsInitialized();
556
if (!isReallyInitted) {
557
/* New option bits must not change the size of CERTCertificate. */
558
PORT_Assert(sizeof(dummyCert.options) == sizeof(void *));
560
if (SECSuccess != cert_InitLocks()) {
564
if (SECSuccess != InitCRLCache()) {
568
if (SECSuccess != OCSP_InitGlobal()) {
573
if (noSingleThreadedModules || allowAlreadyInitializedModules ||
574
dontFinalizeModules) {
575
pk11_setGlobalOptions(noSingleThreadedModules,
576
allowAlreadyInitializedModules,
577
dontFinalizeModules);
580
if (initContextPtr) {
581
*initContextPtr = PORT_ZNew(NSSInitContext);
582
if (*initContextPtr == NULL) {
586
* For traditional NSS_Init, we used the PK11_Configure() call to set
587
* globals. with InitContext, we pass those strings in as parameters.
589
* This allows old NSS_Init calls to work as before, while at the same
590
* time new calls and old calls will not interfere with each other.
593
if (initParams->length < sizeof(NSSInitParameters)) {
594
PORT_SetError(SEC_ERROR_INVALID_ARGS);
597
configStrings = nss_MkConfigString(initParams->manufactureID,
598
initParams->libraryDescription,
599
initParams->cryptoTokenDescription,
600
initParams->dbTokenDescription,
601
initParams->cryptoSlotDescription,
602
initParams->dbSlotDescription,
603
initParams->FIPSSlotDescription,
604
initParams->FIPSTokenDescription,
605
initParams->minPWLen);
606
if (configStrings == NULL) {
607
PORT_SetError(SEC_ERROR_NO_MEMORY);
610
configName = initParams->libraryDescription;
611
passwordRequired = initParams->passwordRequired;
614
configStrings = pk11_config_strings;
615
configName = pk11_config_name;
616
passwordRequired = pk11_password_required;
619
/* we always try to initialize the modules */
620
rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
621
updateDir, updCertPrefix, updKeyPrefix, updateID,
622
updateName, configName, configStrings, passwordRequired,
623
readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
624
(initContextPtr != NULL));
626
if (rv != SECSuccess) {
631
/* finish up initialization */
632
if (!isReallyInitted) {
545
633
if (SECOID_Init() != SECSuccess) {
548
636
if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) {
551
639
if (nss_InitShutdownList() != SECSuccess) {
554
642
CERT_SetDefaultCertDB((CERTCertDBHandle *)
555
643
STAN_GetDefaultTrustDomain());
556
644
if ((!noModDB) && (!noCertDB) && (!noRootInit)) {
557
645
if (!SECMOD_HasRootCerts()) {
558
nss_FindExternalRoot(configdir, secmodName);
646
const char *dbpath = configdir;
647
/* handle supported database modifiers */
648
if (strncmp(dbpath, "sql:", 4) == 0) {
650
} else if(strncmp(dbpath, "dbm:", 4) == 0) {
652
} else if(strncmp(dbpath, "extern:", 7) == 0) {
654
} else if(strncmp(dbpath, "rdb:", 4) == 0) {
655
/* if rdb: is specified, the configdir isn't really a
660
nss_FindExternalRoot(dbpath, secmodName);
562
666
cert_CreateSubjectKeyIDHashTable();
563
nss_IsInitted = PR_TRUE;
566
if (SECSuccess == rv) {
567
668
pkixError = PKIX_Initialize
568
669
(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
569
670
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
571
672
if (pkixError != NULL) {
574
675
char *ev = getenv("NSS_ENABLE_PKIX_VERIFY");
575
676
if (ev && ev[0]) {
576
677
CERT_SetUsePKIXForValidation(PR_TRUE);
685
* Now mark the appropriate init state. If initContextPtr was passed
686
* in, then return the new context pointer and add it to the
687
* nssInitContextList. Otherwise set the global nss_isInitted flag
689
if (!initContextPtr) {
690
nssIsInitted = PR_TRUE;
692
(*initContextPtr)->magic = NSS_INIT_MAGIC;
693
(*initContextPtr)->next = nssInitContextList;
694
nssInitContextList = (*initContextPtr);
700
if (initContextPtr && *initContextPtr) {
701
PORT_Free(*initContextPtr);
702
*initContextPtr = NULL;
704
PR_smprintf_free(configStrings);
586
712
NSS_Init(const char *configdir)
588
return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "",
589
PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE,
714
return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "", NULL,
715
NULL, PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE,
590
716
PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE);
594
720
NSS_InitReadWrite(const char *configdir)
596
return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "",
597
PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE,
722
return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "", NULL,
723
NULL, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE,
598
724
PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE);
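Review bot: The eight description strings that nss_MkConfigString formats into `manufacturerID='%s'`, `libraryDescription='%s'` and the other quoted fields are inserted without escaping. In the same change, nss_InitModules passes configdir, the prefixes and the update fields through `secmod_DoubleEscape(configdir, '\'', '\"')` before placing them in the same `parameters="..."` string. The older PK11_ConfigurePKCS11 code had the same pattern, but the strings can now also arrive per context through `initParams`, so a description containing `'` or `"` would end its quoted value early and the rest would be parsed as further module parameters. I would escape each value first, for example `char *eman = secmod_DoubleEscape(man, '\'', '\"');` followed by `newStrings = PR_smprintf("%s manufacturerID='%s'", strings, eman);`, and release the escaped copy the way the `l*` copies in nss_InitModules are released. The rendered page omits some lines of both functions, so any guards on those lines are not visible here and should be kept.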