]>
Commit | Line | Data |
---|---|---|
aeb9cc10 DB |
1 | /* |
2 | Common functions used by the NSS-aware code in systemtap. | |
3 | ||
4 | Copyright (C) 2009-2011 Red Hat Inc. | |
5 | ||
6 | This file is part of systemtap, and is free software. You can | |
7 | redistribute it and/or modify it under the terms of the GNU General Public | |
8 | License as published by the Free Software Foundation; either version 2 of the | |
9 | License, or (at your option) any later version. | |
10 | ||
11 | This program is distributed in the hope that it will be useful, | |
12 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
14 | GNU General Public License for more details. | |
15 | ||
16 | You should have received a copy of the GNU General Public License | |
17 | along with this program; if not, write to the Free Software | |
18 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
19 | */ | |
20 | ||
21 | #include <iostream> | |
22 | #include <fstream> | |
23 | #include <sstream> | |
24 | #include <iomanip> | |
25 | #include <cerrno> | |
26 | #include <cstdio> | |
27 | #include <cassert> | |
28 | ||
29 | extern "C" { | |
30 | #include <time.h> | |
31 | #include <termios.h> | |
32 | #include <unistd.h> | |
33 | #include <glob.h> | |
34 | #include <sys/stat.h> | |
35 | #include <sys/utsname.h> | |
36 | ||
37 | #include <nss.h> | |
38 | #include <nspr.h> | |
39 | #include <ssl.h> | |
40 | #include <prerror.h> | |
41 | #include <secerr.h> | |
42 | #include <sslerr.h> | |
43 | #include <cryptohi.h> | |
44 | #include <keyhi.h> | |
45 | #include <secder.h> | |
46 | } | |
47 | ||
48 | #include "nsscommon.h" | |
49 | #include "util.h" | |
50 | ||
51 | using namespace std; | |
52 | ||
53 | // Common constants and settings. | |
54 | const char * | |
55 | server_cert_nickname () | |
56 | { | |
57 | return (const char *)"stap-server"; | |
58 | } | |
59 | ||
60 | string | |
61 | server_cert_db_path () | |
62 | { | |
63 | string data_path; | |
64 | const char* s_d = getenv ("SYSTEMTAP_DIR"); | |
65 | if (s_d != NULL) | |
66 | data_path = s_d; | |
67 | else | |
68 | data_path = get_home_directory() + string("/.systemtap"); | |
69 | return data_path + "/ssl/server"; | |
70 | } | |
71 | ||
72 | string | |
73 | server_cert_file () | |
74 | { | |
75 | return server_cert_db_path () + "/stap.cert"; | |
76 | } | |
77 | ||
78 | string | |
79 | local_client_cert_db_path () | |
80 | { | |
81 | string data_path; | |
82 | const char* s_d = getenv ("SYSTEMTAP_DIR"); | |
83 | if (s_d != NULL) | |
84 | data_path = s_d; | |
85 | else | |
86 | data_path = get_home_directory() + string("/.systemtap"); | |
87 | return data_path + "/ssl/client"; | |
88 | } | |
89 | ||
90 | string | |
91 | global_client_cert_db_path () | |
92 | { | |
93 | return SYSCONFDIR "/systemtap/ssl/client"; | |
94 | } | |
95 | ||
96 | // Common error handling for applications using this file. | |
97 | void | |
98 | nsscommon_error (const string &msg, int logit) | |
99 | { | |
100 | // Call the extern "C" version supplied by each application. | |
101 | nsscommon_error (msg.c_str (), logit); | |
102 | } | |
103 | ||
104 | // Logging. Enabled only by stap-serverd but called from some common methods. | |
105 | static ofstream logfile; | |
106 | ||
107 | void | |
108 | start_log (const char *arg) | |
109 | { | |
110 | if (logfile.is_open ()) | |
111 | logfile.close (); | |
112 | ||
113 | logfile.open (arg, ios_base::app); | |
114 | if (! logfile.good ()) | |
115 | nsscommon_error (_F("Could not open log file %s", arg)); | |
116 | } | |
117 | ||
118 | bool | |
119 | log_ok () | |
120 | { | |
121 | return logfile.good (); | |
122 | } | |
123 | ||
124 | void | |
125 | log (const string &msg) | |
126 | { | |
127 | if (logfile.good ()) | |
128 | logfile << msg << endl << flush; | |
129 | else | |
130 | clog << msg << endl << flush; | |
131 | } | |
132 | ||
133 | void | |
134 | end_log () | |
135 | { | |
136 | if (logfile.is_open ()) | |
137 | logfile.close (); | |
138 | } | |
139 | ||
140 | // NSS/NSPR error reporting and cleanup. | |
141 | // These functions are called from C code as well as C++, so make them extern "C". | |
142 | extern "C" | |
143 | void | |
144 | nssError (void) | |
145 | { | |
146 | // See if PR_GetError can tell us what the error is. | |
147 | PRErrorCode errorNumber = PR_GetError (); | |
148 | ||
149 | // PR_ErrorToString always returns a valid string for errors in this range. | |
150 | if (errorNumber >= PR_NSPR_ERROR_BASE && errorNumber <= PR_MAX_ERROR) | |
151 | { | |
152 | nsscommon_error (_F("(%d) %s", errorNumber, PR_ErrorToString (errorNumber, PR_LANGUAGE_EN))); | |
153 | return; | |
154 | } | |
155 | ||
156 | // PR_ErrorToString does not handle errors outside the range above, so we handle them ourselves. | |
157 | const char *errorText; | |
158 | switch (errorNumber) { | |
159 | default: errorText = "Unknown error"; break; | |
160 | #define NSSYERROR(code,msg) case code: errorText = msg; break | |
161 | #include "stapsslerr.h" | |
162 | #undef NSSYERROR | |
163 | } | |
164 | ||
165 | nsscommon_error (_F("(%d) %s", errorNumber, errorText)); | |
166 | } | |
167 | ||
168 | extern "C" | |
169 | SECStatus | |
dff24561 | 170 | nssInit (const char *db_path, int readWrite, int issueMessage) |
aeb9cc10 DB |
171 | { |
172 | SECStatus secStatus; | |
173 | if (readWrite) | |
174 | secStatus = NSS_InitReadWrite (db_path); | |
175 | else | |
176 | secStatus = NSS_Init (db_path); | |
dff24561 | 177 | if (secStatus != SECSuccess && issueMessage) |
aeb9cc10 DB |
178 | { |
179 | nsscommon_error (_F("Error initializing NSS for %s", db_path)); | |
180 | nssError (); | |
181 | } | |
182 | return secStatus; | |
183 | } | |
184 | ||
185 | extern "C" | |
186 | void | |
187 | nssCleanup (const char *db_path) | |
188 | { | |
189 | // Shutdown NSS and ensure that it went down successfully. This is because we can not | |
190 | // initialize NSS again if it does not. | |
191 | if (NSS_Shutdown () != SECSuccess) | |
192 | { | |
193 | if (db_path) | |
194 | nsscommon_error (_F("Unable to shutdown NSS for database %s", db_path)); | |
195 | else | |
196 | nsscommon_error (_("Unable to shutdown NSS")); | |
197 | nssError (); | |
198 | } | |
199 | } | |
200 | ||
201 | // Certificate database password support functions. | |
202 | // | |
203 | // Disable character echoing, if the fd is a tty. | |
204 | static void | |
205 | echoOff(int fd) | |
206 | { | |
207 | if (isatty(fd)) { | |
208 | struct termios tio; | |
209 | tcgetattr(fd, &tio); | |
210 | tio.c_lflag &= ~ECHO; | |
211 | tcsetattr(fd, TCSAFLUSH, &tio); | |
212 | } | |
213 | } | |
214 | ||
215 | /* Enable character echoing, if the fd is a tty. */ | |
216 | static void | |
217 | echoOn(int fd) | |
218 | { | |
219 | if (isatty(fd)) { | |
220 | struct termios tio; | |
221 | tcgetattr(fd, &tio); | |
222 | tio.c_lflag |= ECHO; | |
223 | tcsetattr(fd, TCSAFLUSH, &tio); | |
224 | } | |
225 | } | |
226 | ||
227 | /* | |
228 | * This function is our custom password handler that is called by | |
229 | * NSS when retrieving private certs and keys from the database. Returns a | |
230 | * pointer to a string with a password for the database. Password pointer | |
231 | * must be allocated by one of the NSPR memory allocation functions, or by PORT_Strdup, | |
232 | * and will be freed by the caller. | |
233 | */ | |
234 | extern "C" | |
235 | char * | |
236 | nssPasswordCallback (PK11SlotInfo *info __attribute ((unused)), PRBool retry, void *arg) | |
237 | { | |
238 | static int retries = 0; | |
239 | #define PW_MAX 200 | |
240 | char* password = NULL; | |
241 | char* password_ret = NULL; | |
242 | const char *dbname ; | |
243 | int infd; | |
244 | int isTTY; | |
245 | ||
246 | if (! retry) | |
247 | { | |
248 | /* Not a retry. */ | |
249 | retries = 0; | |
250 | } | |
251 | else | |
252 | { | |
253 | /* Maximum of 2 retries for bad password. */ | |
254 | if (++retries > 2) | |
255 | return NULL; /* No more retries */ | |
256 | } | |
257 | ||
258 | /* Can only prompt for a password if stdin is a tty. */ | |
259 | infd = fileno (stdin); | |
260 | isTTY = isatty (infd); | |
261 | if (! isTTY) | |
262 | { | |
263 | nsscommon_error (_("Cannot prompt for certificate database password. stdin is not a tty")); | |
264 | return NULL; | |
265 | } | |
266 | ||
267 | /* Prompt for password */ | |
268 | password = (char *)PORT_Alloc (PW_MAX); | |
269 | if (! password) | |
270 | { | |
271 | nssError (); | |
272 | return NULL; | |
273 | } | |
274 | ||
275 | dbname = (const char *)arg; | |
276 | cerr << _F("Password for certificate database in %s: ", dbname) << flush; | |
277 | echoOff (infd); | |
278 | password_ret = fgets (password, PW_MAX, stdin); | |
279 | cerr << endl << flush; | |
280 | echoOn(infd); | |
281 | ||
282 | if (password_ret) | |
283 | /* stomp on the newline */ | |
284 | *strchrnul (password, '\n') = '\0'; | |
285 | else | |
286 | PORT_Free (password); | |
287 | ||
288 | return password_ret; | |
289 | } | |
290 | ||
291 | extern "C" | |
292 | int | |
293 | create_server_cert_db (const char *db_path) | |
294 | { | |
295 | return create_dir (db_path, 0755); | |
296 | } | |
297 | ||
298 | static int | |
299 | create_client_cert_db (const char *db_path) | |
300 | { | |
301 | // Same properties as the server's database, at present. | |
302 | return create_server_cert_db (db_path); | |
303 | } | |
304 | ||
305 | static int | |
306 | clean_cert_db (const string &db_path) | |
307 | { | |
308 | // First remove all files from the directory | |
309 | glob_t globbuf; | |
310 | string filespec = db_path + "/*"; | |
311 | int r = glob (filespec.c_str (), 0, NULL, & globbuf); | |
312 | if (r == GLOB_NOSPACE || r == GLOB_ABORTED) | |
313 | nsscommon_error (_F("Could not search certificate database directory %s", db_path.c_str ())); | |
314 | else if (r != GLOB_NOMATCH) | |
315 | { | |
316 | for (unsigned i = 0; i < globbuf.gl_pathc; ++i) | |
317 | { | |
318 | if (remove_file_or_dir (globbuf.gl_pathv[i]) != 0) | |
319 | nsscommon_error (_F("Could not remove %s", globbuf.gl_pathv[i])); | |
320 | } | |
321 | } | |
322 | ||
323 | // Now remove the directory itself. | |
324 | if (remove_file_or_dir (db_path.c_str ()) != 0) | |
325 | { | |
326 | nsscommon_error (_F("Could not remove certificate database directory %s\n%s", | |
327 | db_path.c_str (), strerror (errno))); | |
328 | return 1; | |
329 | } | |
330 | ||
331 | return 0; | |
332 | } | |
333 | ||
334 | static int | |
335 | init_password (PK11SlotInfo *slot, const string &db_path, bool use_password) | |
336 | { | |
337 | // Prompt for the database password, if we're using one. Keep the passwords in memory for as | |
338 | // little time as possible. | |
339 | SECStatus secStatus; | |
340 | if (use_password) | |
341 | { | |
342 | char *pw1 = 0; | |
343 | int attempts; | |
344 | const int max_attempts = 3; | |
345 | for (attempts = 0; attempts < max_attempts; ++attempts) | |
346 | { | |
347 | pw1 = nssPasswordCallback (slot, false, (void*)db_path.c_str ()); | |
348 | if (! pw1) | |
349 | continue; | |
350 | cerr << "Confirm "; | |
351 | bool match = false; | |
352 | char *pw2 = nssPasswordCallback (slot, false, (void*)db_path.c_str ()); | |
353 | if (pw2) | |
354 | { | |
355 | if (strcmp (pw1, pw2) == 0) | |
356 | match = true; | |
357 | else | |
358 | nsscommon_error (_("Passwords do not match")); | |
359 | memset (pw2, 0, strlen (pw2)); | |
360 | PORT_Free (pw2); | |
361 | } | |
362 | if (match) | |
363 | break; | |
364 | memset (pw1, 0, strlen (pw1)); | |
365 | PORT_Free (pw1); | |
366 | } | |
367 | if (attempts >= max_attempts) | |
368 | { | |
369 | nsscommon_error (_("Too many password attempts")); | |
370 | return 1; | |
371 | } | |
372 | secStatus = PK11_InitPin (slot, 0, pw1); | |
373 | memset (pw1, 0, strlen (pw1)); | |
374 | PORT_Free (pw1); | |
375 | } | |
376 | else | |
377 | secStatus = PK11_InitPin (slot, 0, 0); | |
378 | ||
379 | if (secStatus != SECSuccess) | |
380 | { | |
381 | nsscommon_error (_F("Could not initialize pin for certificate database %s", db_path.c_str())); | |
382 | nssError (); | |
383 | return 1; | |
384 | } | |
385 | ||
386 | return 0; | |
387 | } | |
388 | ||
389 | static SECKEYPrivateKey * | |
390 | generate_private_key (const string &db_path, PK11SlotInfo *slot, SECKEYPublicKey **pubkeyp) | |
391 | { | |
392 | if (PK11_Authenticate (slot, PR_TRUE, 0) != SECSuccess) | |
393 | { | |
394 | nsscommon_error (_F("Unable to authenticate the default slot for certificate database %s", | |
395 | db_path.c_str ())); | |
396 | nssError (); | |
397 | return 0; | |
398 | } | |
399 | ||
400 | // Do some random-number initialization. | |
401 | // TODO: We can do better. | |
402 | srand (time (NULL)); | |
403 | char randbuf[64]; | |
404 | for (unsigned i = 0; i < sizeof (randbuf); ++i) | |
405 | randbuf[i] = rand (); | |
406 | PK11_RandomUpdate (randbuf, sizeof (randbuf)); | |
407 | memset (randbuf, 0, sizeof (randbuf)); | |
408 | ||
409 | // Set up for RSA. | |
410 | PK11RSAGenParams rsaparams; | |
411 | rsaparams.keySizeInBits = 1024; | |
412 | rsaparams.pe = 0x010001; | |
413 | CK_MECHANISM_TYPE mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN; | |
414 | ||
415 | // Generate the key pair. | |
416 | SECKEYPrivateKey *privKey = PK11_GenerateKeyPair (slot, mechanism, & rsaparams, pubkeyp, | |
417 | PR_TRUE /*isPerm*/, PR_TRUE /*isSensitive*/, | |
418 | 0/*pwdata*/); | |
419 | if (! privKey) | |
420 | { | |
421 | nsscommon_error (_("Unable to generate public/private key pair")); | |
422 | nssError (); | |
423 | } | |
424 | return privKey; | |
425 | } | |
426 | ||
427 | static CERTCertificateRequest * | |
428 | generate_cert_request (SECKEYPublicKey *pubk, CERTName *subject) | |
429 | { | |
430 | CERTSubjectPublicKeyInfo *spki = SECKEY_CreateSubjectPublicKeyInfo (pubk); | |
431 | if (! spki) | |
432 | { | |
433 | nsscommon_error (_("Unable to create subject public key info for certificate request")); | |
434 | nssError (); | |
435 | return 0; | |
436 | } | |
437 | ||
438 | /* Generate certificate request */ | |
439 | CERTCertificateRequest *cr = CERT_CreateCertificateRequest (subject, spki, 0); | |
440 | SECKEY_DestroySubjectPublicKeyInfo (spki); | |
441 | if (! cr) | |
442 | { | |
443 | nsscommon_error (_("Unable to create certificate request")); | |
444 | nssError (); | |
445 | } | |
446 | return cr; | |
447 | } | |
448 | ||
449 | static CERTCertificate * | |
450 | create_cert (CERTCertificateRequest *certReq, const string &dnsNames) | |
451 | { | |
452 | // What is the current date and time? | |
453 | PRTime now = PR_Now (); | |
454 | ||
455 | // What is the date and time 1 year from now? | |
456 | PRExplodedTime printableTime; | |
457 | PR_ExplodeTime (now, PR_GMTParameters, & printableTime); | |
458 | printableTime.tm_month += 12; | |
459 | PRTime after = PR_ImplodeTime (& printableTime); | |
460 | ||
461 | // Note that the time is now in micro-second units. | |
462 | CERTValidity *validity = CERT_CreateValidity (now, after); | |
463 | if (! validity) | |
464 | { | |
465 | nsscommon_error (_("Unable to create certificate validity dates")); | |
466 | nssError (); | |
467 | return 0; | |
468 | } | |
469 | ||
470 | // Create a default serial number using the current time. | |
471 | PRTime serialNumber = now >> 19; // copied from certutil. | |
472 | ||
473 | // Create the certificate. | |
474 | CERTCertificate *cert = CERT_CreateCertificate (serialNumber, & certReq->subject, validity, | |
475 | certReq); | |
476 | CERT_DestroyValidity (validity); | |
477 | if (! cert) | |
478 | { | |
479 | nsscommon_error (_("Unable to create certificate")); | |
480 | nssError (); | |
481 | return 0; | |
482 | } | |
483 | ||
484 | // Predeclare these to keep C++ happy about jumps to the label 'error'. | |
485 | SECStatus secStatus = SECSuccess; | |
486 | unsigned char keyUsage = 0x0; | |
487 | PRArenaPool *arena = 0; | |
488 | ||
489 | // Add the extensions that we need. | |
490 | void *extHandle = CERT_StartCertExtensions (cert); | |
491 | if (! extHandle) | |
492 | { | |
493 | nsscommon_error (_("Unable to allocate certificate extensions")); | |
494 | nssError (); | |
495 | goto error; | |
496 | } | |
497 | ||
498 | // Cert type extension. | |
499 | keyUsage |= (0x80 >> 1); // SSL Server | |
500 | keyUsage |= (0x80 >> 3); // Object signer | |
501 | keyUsage |= (0x80 >> 7); // Object signing CA | |
502 | ||
503 | SECItem bitStringValue; | |
504 | bitStringValue.data = & keyUsage; | |
505 | bitStringValue.len = 1; | |
506 | ||
507 | secStatus = CERT_EncodeAndAddBitStrExtension (extHandle, | |
508 | SEC_OID_NS_CERT_EXT_CERT_TYPE, | |
509 | & bitStringValue, PR_TRUE); | |
510 | if (secStatus != SECSuccess) | |
511 | { | |
512 | nsscommon_error (_("Unable to encode certificate type extensions")); | |
513 | nssError (); | |
514 | goto error; | |
515 | } | |
516 | ||
517 | // Alternate dns name extension. | |
518 | if (! dnsNames.empty ()) | |
519 | { | |
520 | arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE); | |
521 | if (! arena) | |
522 | { | |
523 | nsscommon_error (_("Unable to allocate alternate DNS name extension for certificate")); | |
524 | goto error; | |
525 | } | |
526 | ||
527 | // Walk down the comma separated list of names. | |
528 | CERTGeneralName *nameList = 0; | |
529 | CERTGeneralName *current = 0; | |
530 | PRCList *prev = 0; | |
531 | vector<string>components; | |
532 | tokenize (dnsNames, components, ","); | |
533 | for (unsigned i = 0; i < components.size (); ++i) | |
534 | { | |
535 | char *tbuf = (char *)PORT_ArenaAlloc (arena, components[i].size () + 1); | |
536 | strcpy (tbuf, components[i].c_str ()); | |
537 | ||
538 | current = (CERTGeneralName *)PORT_ZAlloc (sizeof (CERTGeneralName)); | |
539 | if (! current) | |
540 | { | |
541 | nsscommon_error (_("Unable to allocate alternate DNS name extension for certificate")); | |
542 | goto error; | |
543 | } | |
544 | if (prev) | |
545 | { | |
546 | current->l.prev = prev; | |
547 | prev->next = & current->l; | |
548 | } | |
549 | else | |
550 | nameList = current; | |
551 | ||
552 | current->type = certDNSName; | |
553 | current->name.other.data = (unsigned char *)tbuf; | |
554 | current->name.other.len = strlen (tbuf); | |
555 | prev = & current->l; | |
556 | } | |
557 | ||
558 | // At this point nameList points to the head of a doubly linked, | |
559 | // but not yet circular, list and current points to its tail. | |
560 | if (nameList) | |
561 | { | |
562 | // Make nameList circular. | |
563 | nameList->l.prev = prev; | |
564 | current->l.next = & nameList->l; | |
565 | ||
566 | // Encode and add the extension. | |
567 | SECItem item; | |
568 | secStatus = CERT_EncodeAltNameExtension (arena, nameList, & item); | |
569 | if (secStatus != SECSuccess) | |
570 | { | |
571 | nsscommon_error (_("Unable to encode alternate DNS name extension for certificate")); | |
572 | nssError (); | |
573 | goto error; | |
574 | } | |
575 | secStatus = CERT_AddExtension(extHandle, | |
576 | SEC_OID_X509_SUBJECT_ALT_NAME, | |
577 | & item, PR_FALSE, PR_TRUE); | |
578 | if (secStatus != SECSuccess) | |
579 | { | |
580 | nsscommon_error (_("Unable to add alternate DNS name extension for certificate")); | |
581 | nssError (); | |
582 | goto error; | |
583 | } | |
584 | } | |
585 | } // extra dns names specified. | |
586 | ||
587 | // We did not create any extensions on the cert request. | |
588 | assert (certReq->attributes != NULL); | |
589 | assert (certReq->attributes[0] == NULL); | |
590 | ||
591 | // Finished with cert extensions. | |
592 | secStatus = CERT_FinishExtensions (extHandle); | |
593 | if (secStatus != SECSuccess) | |
594 | { | |
595 | nsscommon_error (_("Unable to complete alternate DNS name extension for certificate")); | |
596 | nssError (); | |
597 | goto error; | |
598 | } | |
599 | ||
600 | return cert; | |
601 | ||
602 | error: | |
603 | if (arena) | |
604 | PORT_FreeArena (arena, PR_FALSE); | |
605 | CERT_DestroyCertificate (cert); | |
606 | return 0; | |
607 | } | |
608 | ||
609 | static SECItem * | |
610 | sign_cert (CERTCertificate *cert, SECKEYPrivateKey *privKey) | |
611 | { | |
612 | SECOidTag algID = SEC_GetSignatureAlgorithmOidTag (privKey->keyType, | |
613 | SEC_OID_UNKNOWN); | |
614 | if (algID == SEC_OID_UNKNOWN) | |
615 | { | |
616 | nsscommon_error (_("Unable to determine the signature algorithm for the signing the certificate")); | |
617 | nssError (); | |
618 | return 0; | |
619 | } | |
620 | ||
621 | PRArenaPool *arena = cert->arena; | |
622 | SECStatus rv = SECOID_SetAlgorithmID (arena, & cert->signature, algID, 0); | |
623 | if (rv != SECSuccess) | |
624 | { | |
625 | nsscommon_error (_("Unable to set the signature algorithm for signing the certificate")); | |
626 | nssError (); | |
627 | return 0; | |
628 | } | |
629 | ||
630 | /* we only deal with cert v3 here */ | |
631 | *(cert->version.data) = 2; | |
632 | cert->version.len = 1; | |
633 | ||
634 | SECItem der; | |
635 | der.len = 0; | |
636 | der.data = 0; | |
637 | void *dummy = SEC_ASN1EncodeItem (arena, & der, cert, | |
638 | SEC_ASN1_GET (CERT_CertificateTemplate)); | |
639 | if (! dummy) | |
640 | { | |
641 | nsscommon_error (_("Unable to encode the certificate for signing")); | |
642 | nssError (); | |
643 | return 0; | |
644 | } | |
645 | ||
646 | SECItem *result = (SECItem *)PORT_ArenaZAlloc (arena, sizeof (SECItem)); | |
647 | if (! result) | |
648 | { | |
649 | nsscommon_error (_("Unable to allocate memory for signing the certificate")); | |
650 | return 0; | |
651 | } | |
652 | ||
653 | rv = SEC_DerSignData (arena, result, der.data, der.len, privKey, algID); | |
654 | if (rv != SECSuccess) | |
655 | { | |
656 | nsscommon_error (_("Unable to sign the certificate")); | |
657 | nssError (); | |
658 | return 0; | |
659 | } | |
660 | ||
661 | cert->derCert = *result; | |
662 | return result; | |
663 | } | |
664 | ||
665 | static SECStatus | |
666 | add_server_cert (const string &db_path, SECItem *certDER, PK11SlotInfo *slot) | |
667 | { | |
668 | // Decode the cert. | |
669 | CERTCertificate *cert = CERT_DecodeCertFromPackage((char *)certDER->data, certDER->len); | |
670 | if (! cert) | |
671 | { | |
672 | nsscommon_error (_("Unable to decode certificate")); | |
673 | nssError (); | |
674 | return SECFailure; | |
675 | } | |
676 | ||
677 | // Import it into the database. | |
678 | CERTCertDBHandle *handle = 0; | |
679 | CERTCertTrust *trust = NULL; | |
680 | SECStatus secStatus = PK11_ImportCert (slot, cert, CK_INVALID_HANDLE, | |
681 | server_cert_nickname (), PR_FALSE); | |
682 | if (secStatus != SECSuccess) | |
683 | { | |
684 | nsscommon_error (_F("Unable to import certificate into the database at %s", db_path.c_str ())); | |
685 | nssError (); | |
686 | goto done; | |
687 | } | |
688 | ||
689 | // Make it a trusted server and signer. | |
690 | trust = (CERTCertTrust *)PORT_ZAlloc (sizeof (CERTCertTrust)); | |
691 | if (! trust) | |
692 | { | |
693 | nsscommon_error (_("Unable to allocate certificate trust")); | |
694 | secStatus = SECFailure; | |
695 | goto done; | |
696 | } | |
697 | ||
698 | secStatus = CERT_DecodeTrustString (trust, "PCu,,PCu"); | |
699 | if (secStatus != SECSuccess) | |
700 | { | |
701 | nsscommon_error (_("Unable decode trust string 'PCu,,PCu'")); | |
702 | nssError (); | |
703 | goto done; | |
704 | } | |
705 | ||
706 | handle = CERT_GetDefaultCertDB (); | |
707 | assert (handle); | |
708 | secStatus = CERT_ChangeCertTrust (handle, cert, trust); | |
709 | if (secStatus != SECSuccess) | |
710 | { | |
711 | nsscommon_error (_("Unable to change certificate trust")); | |
712 | nssError (); | |
713 | } | |
714 | ||
715 | done: | |
716 | CERT_DestroyCertificate (cert); | |
717 | if (trust) | |
718 | PORT_Free (trust); | |
719 | return secStatus; | |
720 | } | |
721 | ||
722 | SECStatus | |
723 | add_client_cert (const string &inFileName, const string &db_path) | |
724 | { | |
725 | FILE *inFile = fopen (inFileName.c_str (), "rb"); | |
726 | if (! inFile) | |
727 | { | |
728 | nsscommon_error (_F("Could not open certificate file %s for reading\n%s", | |
729 | inFileName.c_str (), strerror (errno))); | |
730 | return SECFailure; | |
731 | } | |
732 | ||
733 | int fd = fileno (inFile); | |
734 | struct stat info; | |
735 | int rc = fstat (fd, &info); | |
736 | if (rc != 0) | |
737 | { | |
738 | nsscommon_error (_F("Could not obtain information about certificate file %s\n%s", | |
739 | inFileName.c_str (), strerror (errno))); | |
740 | fclose (inFile); | |
741 | return SECFailure; | |
742 | } | |
743 | ||
744 | SECItem certDER; | |
745 | certDER.len = info.st_size; | |
746 | certDER.data = (unsigned char *)PORT_Alloc (certDER.len); | |
747 | size_t read = fread (certDER.data, 1, certDER.len, inFile); | |
748 | fclose (inFile); | |
749 | if (read != certDER.len) | |
750 | { | |
751 | nsscommon_error (_F("Error reading from certificate file %s\n%s", | |
752 | inFileName.c_str (), strerror (errno))); | |
753 | return SECFailure; | |
754 | } | |
755 | ||
756 | // See if the database already exists and can be initialized. | |
dff24561 | 757 | SECStatus secStatus = nssInit (db_path.c_str (), 1/*readwrite*/, 0/*issueMessage*/); |
aeb9cc10 DB |
758 | if (secStatus != SECSuccess) |
759 | { | |
760 | // Try again with a fresh database. | |
761 | if (clean_cert_db (db_path.c_str ()) != 0) | |
762 | { | |
763 | // Message already issued. | |
764 | return SECFailure; | |
765 | } | |
766 | ||
767 | // Make sure the given path exists. | |
768 | if (create_client_cert_db (db_path.c_str ()) != 0) | |
769 | { | |
770 | nsscommon_error (_F("Could not create certificate database directory %s", | |
771 | db_path.c_str ())); | |
772 | return SECFailure; | |
773 | } | |
774 | ||
775 | // Initialize the new database. | |
776 | secStatus = nssInit (db_path.c_str (), 1/*readwrite*/); | |
777 | if (secStatus != SECSuccess) | |
778 | { | |
779 | // Message already issued. | |
780 | return SECFailure; | |
781 | } | |
782 | } | |
783 | ||
784 | // Predeclare these to keep C++ happy about jumps to the label 'done'. | |
785 | CERTCertificate *cert = 0; | |
786 | CERTCertDBHandle *handle = 0; | |
787 | CERTCertTrust *trust = 0; | |
788 | PK11SlotInfo *slot = 0; | |
789 | ||
790 | // Add the cert to the database | |
791 | // Decode the cert. | |
792 | secStatus = SECFailure; | |
793 | cert = CERT_DecodeCertFromPackage ((char *)certDER.data, certDER.len); | |
794 | if (! cert) | |
795 | { | |
796 | nsscommon_error (_("Unable to decode certificate")); | |
797 | nssError (); | |
798 | goto done; | |
799 | } | |
800 | ||
801 | // We need the internal slot for this database. | |
802 | slot = PK11_GetInternalKeySlot (); | |
803 | if (! slot) | |
804 | { | |
805 | nsscommon_error (_F("Could not obtain internal key slot for certificate database %s", db_path.c_str())); | |
806 | nssError (); | |
807 | goto done; | |
808 | } | |
809 | ||
810 | // Import it into the database. | |
811 | secStatus = PK11_ImportCert (slot, cert, CK_INVALID_HANDLE, | |
812 | server_cert_nickname (), PR_FALSE); | |
813 | if (secStatus != SECSuccess) | |
814 | { | |
815 | nsscommon_error (_F("Could not import certificate into the database at %s", db_path.c_str())); | |
816 | nssError (); | |
817 | goto done; | |
818 | } | |
819 | ||
820 | // Make it a trusted SSL peer. | |
821 | trust = (CERTCertTrust *)PORT_ZAlloc (sizeof (CERTCertTrust)); | |
822 | if (! trust) | |
823 | { | |
824 | nsscommon_error (_("Could not allocate certificate trust")); | |
825 | goto done; | |
826 | } | |
827 | ||
828 | secStatus = CERT_DecodeTrustString (trust, "P,P,P"); | |
829 | if (secStatus != SECSuccess) | |
830 | { | |
831 | nsscommon_error (_("Unable decode trust string 'P,P,P'")); | |
832 | nssError (); | |
833 | goto done; | |
834 | } | |
835 | ||
836 | handle = CERT_GetDefaultCertDB (); | |
837 | assert (handle); | |
838 | secStatus = CERT_ChangeCertTrust (handle, cert, trust); | |
839 | if (secStatus != SECSuccess) | |
840 | { | |
841 | nsscommon_error (_("Unable to change certificate trust")); | |
842 | nssError (); | |
843 | } | |
844 | ||
845 | done: | |
846 | if (slot) | |
847 | PK11_FreeSlot (slot); | |
848 | if (trust) | |
849 | PORT_Free (trust); | |
850 | if (cert) | |
851 | CERT_DestroyCertificate (cert); | |
852 | if (certDER.data) | |
853 | PORT_Free (certDER.data); | |
854 | nssCleanup (db_path.c_str ()); | |
855 | return secStatus; | |
856 | } | |
857 | ||
858 | int | |
859 | gen_cert_db (const string &db_path, const string &extraDnsNames, bool use_password) | |
860 | { | |
861 | // Log the generation of a new database. | |
862 | log (_F("Generating a new certificate database directory in %s", | |
863 | db_path.c_str ())); | |
864 | ||
865 | // Start with a clean cert database. | |
866 | if (clean_cert_db (db_path.c_str ()) != 0) | |
867 | { | |
868 | // Message already issued. | |
869 | return 1; | |
870 | } | |
871 | ||
872 | // Make sure the given path exists. | |
873 | if (create_server_cert_db (db_path.c_str ()) != 0) | |
874 | { | |
875 | nsscommon_error (_F("Could not create certificate database directory %s", | |
876 | db_path.c_str ())); | |
877 | return 1; | |
878 | } | |
879 | ||
880 | // Initialize the new database. | |
881 | SECStatus secStatus = nssInit (db_path.c_str (), 1/*readwrite*/); | |
882 | if (secStatus != SECSuccess) | |
883 | { | |
884 | // Message already issued. | |
885 | return 1; | |
886 | } | |
887 | ||
888 | // Pre declare these to keep g++ happy about jumps to the label 'error'. | |
889 | CERTName *subject = 0; | |
890 | SECKEYPublicKey *pubkey = 0; | |
891 | SECKEYPrivateKey *privkey = 0; | |
892 | CERTCertificateRequest *cr = 0; | |
893 | CERTCertificate *cert = 0; | |
894 | SECItem *certDER = 0; | |
895 | string dnsNames; | |
896 | int rc; | |
897 | string outFileName; | |
898 | FILE *outFile = 0; | |
899 | ||
900 | // We need the internal slot for this database. | |
901 | PK11SlotInfo *slot = PK11_GetInternalKeySlot (); | |
902 | if (! slot) | |
903 | { | |
904 | nsscommon_error (_F("Could not obtain internal key slot for certificate database %s", db_path.c_str())); | |
905 | nssError (); | |
906 | goto error; | |
907 | } | |
908 | ||
909 | // Establish the password (if any) for the new database. | |
910 | rc = init_password (slot, db_path, use_password); | |
911 | if (rc != 0) | |
912 | { | |
913 | // Messages already issued. | |
914 | goto error; | |
915 | } | |
916 | ||
917 | // Format the cert subject. | |
918 | subject = CERT_AsciiToName ((char *)"CN=Systemtap Compile Server, OU=Systemtap"); | |
919 | if (! subject) | |
920 | { | |
921 | nsscommon_error (_("Unable to encode certificate common header")); | |
922 | nssError (); | |
923 | goto error; | |
924 | } | |
925 | ||
926 | // Next, generate the private key. | |
927 | privkey = generate_private_key (db_path, slot, & pubkey); | |
928 | if (! privkey) | |
929 | { | |
930 | // Message already issued. | |
931 | goto error; | |
932 | } | |
933 | ||
934 | // Next, generate a cert request. | |
935 | cr = generate_cert_request (pubkey, subject); | |
936 | if (! cr) | |
937 | { | |
938 | // Message already issued. | |
939 | goto error; | |
940 | } | |
941 | ||
942 | // Now, generate the cert. We need our host name and the supplied additional dns names (if any). | |
943 | struct utsname utsname; | |
944 | uname (& utsname); | |
945 | dnsNames = utsname.nodename; | |
946 | if (! extraDnsNames.empty ()) | |
947 | dnsNames += "," + extraDnsNames; | |
948 | cert = create_cert (cr, dnsNames); | |
949 | CERT_DestroyCertificateRequest (cr); | |
950 | if (! cert) | |
951 | { | |
952 | // NSS error already issued. | |
953 | nsscommon_error (_("Unable to create certificate")); | |
954 | goto error; | |
955 | } | |
956 | ||
957 | // Sign the cert. | |
958 | certDER = sign_cert (cert, privkey); | |
959 | if (! certDER) | |
960 | { | |
961 | // Message already issued. | |
962 | goto error; | |
963 | } | |
964 | ||
965 | // Now output it to a file. | |
966 | outFileName = db_path + "/stap.cert"; | |
967 | outFile = fopen (outFileName.c_str (), "wb"); | |
968 | if (outFile) | |
969 | { | |
970 | size_t written = fwrite (certDER->data, 1, certDER->len, outFile); | |
971 | if (written != certDER->len) | |
972 | { | |
973 | nsscommon_error (_F("Error writing to certificate file %s\n%s", | |
974 | outFileName.c_str (), strerror (errno))); | |
975 | } | |
976 | fclose (outFile); | |
977 | } | |
978 | else | |
979 | { | |
980 | nsscommon_error (_F("Could not open certificate file %s for writing\n%s", | |
981 | outFileName.c_str (), strerror (errno))); | |
982 | } | |
983 | ||
984 | // Add the cert to the database | |
985 | secStatus = add_server_cert (db_path, certDER, slot); | |
986 | CERT_DestroyCertificate (cert); | |
987 | if (secStatus != SECSuccess) | |
988 | { | |
989 | // NSS error already issued. | |
990 | nsscommon_error (_F("Unable to add certificate to %s", db_path.c_str ())); | |
991 | goto error; | |
992 | } | |
993 | ||
994 | // Done with the certificate database | |
995 | PK11_FreeSlot (slot); | |
996 | CERT_DestroyName (subject); | |
997 | SECKEY_DestroyPublicKey (pubkey); | |
998 | SECKEY_DestroyPrivateKey (privkey); | |
999 | goto done; | |
1000 | ||
1001 | error: | |
1002 | if (slot) | |
1003 | PK11_FreeSlot (slot); | |
1004 | if (subject) | |
1005 | CERT_DestroyName (subject); | |
1006 | if (pubkey) | |
1007 | SECKEY_DestroyPublicKey (pubkey); | |
1008 | if (privkey) | |
1009 | SECKEY_DestroyPrivateKey (privkey); | |
1010 | if (cert) | |
1011 | CERT_DestroyCertificate (cert); // Also destroys certDER. | |
1012 | ||
1013 | done: | |
1014 | nssCleanup (db_path.c_str ()); | |
1015 | return secStatus != SECSuccess; | |
1016 | } | |
1017 | ||
1018 | CERTCertList *get_cert_list_from_db (const string &cert_nickname) | |
1019 | { | |
1020 | // Search the client-side database of trusted servers. | |
1021 | CERTCertDBHandle *handle = CERT_GetDefaultCertDB (); | |
1022 | assert (handle); | |
1023 | CERTCertificate *db_cert = PK11_FindCertFromNickname (cert_nickname.c_str (), 0); | |
1024 | if (! db_cert) | |
1025 | { | |
1026 | // No trusted servers. Not an error. Just an empty list returned. | |
1027 | return 0; | |
1028 | } | |
1029 | ||
1030 | // Here, we have one cert with the desired nickname. | |
1031 | // Now, we will attempt to get a list of ALL certs | |
1032 | // with the same subject name as the cert we have. That list | |
1033 | // should contain, at a minimum, the one cert we have already found. | |
1034 | // If the list of certs is empty (0), the libraries have failed. | |
1035 | CERTCertList *certs = CERT_CreateSubjectCertList (0, handle, & db_cert->derSubject, | |
1036 | PR_Now (), PR_FALSE); | |
1037 | CERT_DestroyCertificate (db_cert); | |
1038 | if (! certs) | |
1039 | { | |
1040 | nsscommon_error (_("NSS library failure in CERT_CreateSubjectCertList")); | |
1041 | nssError (); | |
1042 | } | |
1043 | ||
1044 | return certs; | |
1045 | } | |
1046 | ||
1047 | string get_cert_serial_number (const CERTCertificate *cert) | |
1048 | { | |
1049 | ostringstream serialNumber; | |
1050 | serialNumber << hex << setfill('0') << right; | |
1051 | for (unsigned i = 0; i < cert->serialNumber.len; ++i) | |
1052 | { | |
1053 | if (i > 0) | |
1054 | serialNumber << ':'; | |
1055 | serialNumber << setw(2) << (unsigned)cert->serialNumber.data[i]; | |
1056 | } | |
1057 | return serialNumber.str (); | |
1058 | } | |
1059 | ||
1060 | static int | |
1061 | format_cert_validity_time (SECItem &vTime, char *timeString, size_t ts_size) | |
1062 | { | |
1063 | int64 time; | |
1064 | SECStatus secStatus; | |
1065 | ||
1066 | switch (vTime.type) { | |
1067 | case siUTCTime: | |
1068 | secStatus = DER_UTCTimeToTime (& time, & vTime); | |
1069 | break; | |
1070 | case siGeneralizedTime: | |
1071 | secStatus = DER_GeneralizedTimeToTime (& time, & vTime); | |
1072 | break; | |
1073 | default: | |
eeacd9d4 | 1074 | nsscommon_error (_("Could not decode certificate validity")); |
aeb9cc10 DB |
1075 | return 1; |
1076 | } | |
1077 | if (secStatus != SECSuccess) | |
1078 | { | |
eeacd9d4 | 1079 | nsscommon_error (_("Could not decode certificate validity time")); |
aeb9cc10 DB |
1080 | return 1; |
1081 | } | |
1082 | ||
1083 | // Convert to local time. | |
1084 | PRExplodedTime printableTime; | |
1085 | PR_ExplodeTime (time, PR_GMTParameters, & printableTime); | |
1086 | if (! PR_FormatTime (timeString, ts_size, "%a %b %d %H:%M:%S %Y", & printableTime)) | |
1087 | { | |
eeacd9d4 | 1088 | nsscommon_error (_("Could not format certificate validity time")); |
aeb9cc10 DB |
1089 | return 1; |
1090 | } | |
1091 | ||
1092 | return 0; | |
1093 | } | |
1094 | ||
1095 | static bool | |
1096 | cert_is_valid (CERTCertificate *cert) | |
1097 | { | |
1098 | // Verify the the certificate is valid as an SSL server and as an object signer and that | |
1099 | // it is valid now. | |
1100 | CERTCertDBHandle *handle = CERT_GetDefaultCertDB (); | |
1101 | assert (handle); | |
1102 | SECCertificateUsage usage = certificateUsageSSLServer | certificateUsageObjectSigner; | |
1103 | SECStatus secStatus = CERT_VerifyCertificate (handle, cert, PR_TRUE/*checkSig*/, usage, | |
1104 | PR_Now (), NULL, NULL/*log*/, & usage); | |
1105 | return secStatus == SECSuccess; | |
1106 | } | |
1107 | ||
1108 | static bool | |
1109 | cert_db_is_valid (const string &db_path, const string &nss_cert_name) | |
1110 | { | |
1111 | // Make sure the given path exists. | |
1112 | if (! file_exists (db_path)) | |
1113 | { | |
1114 | log (_F("Certificate database %s does not exist", db_path.c_str ())); | |
1115 | return false; | |
1116 | } | |
1117 | ||
1118 | // If a 'pw' file exists, then this is an old database. Treat any certs as invalid. | |
1119 | if (file_exists (db_path + "/pw")) | |
1120 | { | |
1121 | log (_F("Certificate database %s is obsolete", db_path.c_str ())); | |
1122 | return false; | |
1123 | } | |
1124 | ||
1125 | // Initialize the NSS libraries -- readonly | |
1126 | SECStatus secStatus = nssInit (db_path.c_str ()); | |
1127 | if (secStatus != SECSuccess) | |
1128 | { | |
1129 | // Message already issued. | |
1130 | return false; | |
1131 | } | |
1132 | ||
1133 | // Obtain a list of our certs from the database. | |
1134 | bool valid_p = false; | |
1135 | CERTCertList *certs = get_cert_list_from_db (nss_cert_name); | |
1136 | if (! certs) | |
1137 | { | |
1138 | log (_F("No certificate found in database %s", db_path.c_str ())); | |
1139 | goto done; | |
1140 | } | |
1141 | ||
1142 | log (_F("Certificate found in database %s", db_path.c_str ())); | |
1143 | for (CERTCertListNode *node = CERT_LIST_HEAD (certs); | |
1144 | ! CERT_LIST_END (node, certs); | |
1145 | node = CERT_LIST_NEXT (node)) | |
1146 | { | |
1147 | // The certificate we're working with. | |
1148 | CERTCertificate *c = node->cert; | |
1149 | ||
1150 | // Print the validity dates of the certificate. | |
1151 | CERTValidity &v = c->validity; | |
1152 | char timeString[256]; | |
1153 | if (format_cert_validity_time (v.notBefore, timeString, sizeof (timeString)) == 0) | |
1154 | log (_F(" Not Valid Before: %s", timeString)); | |
1155 | if (format_cert_validity_time (v.notAfter, timeString, sizeof (timeString)) == 0) | |
1156 | log (_F(" Not Valid After: %s", timeString)); | |
1157 | ||
1158 | // Now ask NSS to check the validity. | |
1159 | if (cert_is_valid (c)) | |
1160 | { | |
1161 | // The cert is valid. One valid cert is enough. | |
1162 | log (_(" Certificate is valid")); | |
1163 | valid_p = true; | |
1164 | break; | |
1165 | } | |
1166 | ||
1167 | // The cert is not valid. Look for another one. | |
1168 | log (_(" Certificate is not valid")); | |
1169 | } | |
1170 | CERT_DestroyCertList (certs); | |
1171 | ||
1172 | done: | |
1173 | nssCleanup (db_path.c_str ()); | |
1174 | return valid_p; | |
1175 | } | |
1176 | ||
1177 | // Ensure that our certificate exists and is valid. Generate a new one if not. | |
1178 | int | |
1179 | check_cert (const string &db_path, const string &nss_cert_name, bool use_db_password) | |
1180 | { | |
1181 | // Generate a new cert database if the current one does not exist or is not valid. | |
1182 | if (! cert_db_is_valid (db_path, nss_cert_name)) | |
1183 | { | |
1184 | if (gen_cert_db (db_path, "", use_db_password) != 0) | |
1185 | { | |
1186 | // NSS message already issued. | |
1187 | nsscommon_error (_("Unable to generate new certificate")); | |
1188 | return 1; | |
1189 | } | |
1190 | } | |
1191 | return 0; | |
1192 | } | |
1193 | ||
1194 | void sign_file ( | |
1195 | const string &db_path, | |
1196 | const string &nss_cert_name, | |
1197 | const string &inputName, | |
1198 | const string &outputName | |
1199 | ) { | |
1200 | /* Get own certificate and private key. */ | |
1201 | CERTCertificate *cert = PK11_FindCertFromNickname (nss_cert_name.c_str (), NULL); | |
1202 | if (cert == NULL) | |
1203 | { | |
1204 | nsscommon_error (_F("Unable to find certificate with nickname %s in %s.", | |
1205 | nss_cert_name.c_str (), db_path.c_str())); | |
1206 | nssError (); | |
1207 | return; | |
1208 | } | |
1209 | ||
1210 | // Predeclare these to keep C++ happy abount branches to 'done'. | |
1211 | unsigned char buffer[4096]; | |
63a1cb66 | 1212 | PRFileDesc *local_file_fd = NULL; |
aeb9cc10 DB |
1213 | PRInt32 numBytes; |
1214 | SECStatus secStatus; | |
1215 | SGNContext *sgn; | |
1216 | SECItem signedData; | |
1217 | ||
1218 | /* db_path.c_str () gets passed to nssPasswordCallback */ | |
1219 | SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert (cert, (void *)db_path.c_str ()); | |
1220 | if (privKey == NULL) | |
1221 | { | |
1222 | nsscommon_error (_F("Unable to obtain private key from the certificate with nickname %s in %s.", | |
1223 | nss_cert_name.c_str (), db_path.c_str())); | |
1224 | nssError (); | |
1225 | goto done; | |
1226 | } | |
1227 | ||
1228 | /* Sign the file. */ | |
1229 | /* Set up the signing context. */ | |
1230 | sgn = SGN_NewContext (SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, privKey); | |
1231 | if (! sgn) | |
1232 | { | |
1233 | nsscommon_error (_("Could not create signing context")); | |
1234 | nssError (); | |
1235 | return; | |
1236 | } | |
1237 | secStatus = SGN_Begin (sgn); | |
1238 | if (secStatus != SECSuccess) | |
1239 | { | |
1240 | nsscommon_error (_("Could not initialize signing context.")); | |
1241 | nssError (); | |
1242 | return; | |
1243 | } | |
1244 | ||
1245 | /* Now read the data and add it to the signature. */ | |
1246 | local_file_fd = PR_Open (inputName.c_str(), PR_RDONLY, 0); | |
1247 | if (local_file_fd == NULL) | |
1248 | { | |
1249 | nsscommon_error (_F("Could not open module file %s", inputName.c_str ())); | |
1250 | nssError (); | |
1251 | return; | |
1252 | } | |
1253 | ||
1254 | for (;;) | |
1255 | { | |
1256 | numBytes = PR_Read (local_file_fd, buffer, sizeof (buffer)); | |
1257 | if (numBytes == 0) | |
1258 | break; /* EOF */ | |
1259 | ||
1260 | if (numBytes < 0) | |
1261 | { | |
1262 | nsscommon_error (_F("Error reading module file %s", inputName.c_str ())); | |
1263 | nssError (); | |
1264 | goto done; | |
1265 | } | |
1266 | ||
1267 | /* Add the data to the signature. */ | |
1268 | secStatus = SGN_Update (sgn, buffer, numBytes); | |
1269 | if (secStatus != SECSuccess) | |
1270 | { | |
1271 | nsscommon_error (_F("Error while signing module file %s", inputName.c_str ())); | |
1272 | nssError (); | |
1273 | goto done; | |
1274 | } | |
1275 | } | |
1276 | ||
1277 | /* Complete the signature. */ | |
1278 | secStatus = SGN_End (sgn, & signedData); | |
1279 | if (secStatus != SECSuccess) | |
1280 | { | |
1281 | nsscommon_error (_F("Could not complete signature of module file %s", inputName.c_str ())); | |
1282 | nssError (); | |
1283 | goto done; | |
1284 | } | |
1285 | ||
1286 | SGN_DestroyContext (sgn, PR_TRUE); | |
1287 | ||
1288 | /* Now write the signed data to the output file. */ | |
93ea565a LB |
1289 | if(local_file_fd != NULL) |
1290 | PR_Close (local_file_fd); | |
aeb9cc10 DB |
1291 | local_file_fd = PR_Open (outputName.c_str(), PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, |
1292 | PR_IRUSR | PR_IWUSR | PR_IRGRP | PR_IWGRP | PR_IROTH); | |
1293 | if (local_file_fd == NULL) | |
1294 | { | |
1295 | nsscommon_error (_F("Could not open signature file %s", outputName.c_str ())); | |
1296 | nssError (); | |
1297 | goto done; | |
1298 | } | |
1299 | ||
1300 | numBytes = PR_Write (local_file_fd, signedData.data, signedData.len); | |
1301 | if (numBytes < 0 || numBytes != (PRInt32)signedData.len) | |
1302 | { | |
1303 | nsscommon_error (_F("Error writing to signature file %s", outputName.c_str ())); | |
1304 | nssError (); | |
1305 | } | |
1306 | ||
1307 | done: | |
1308 | if (privKey) | |
1309 | SECKEY_DestroyPrivateKey (privKey); | |
1310 | CERT_DestroyCertificate (cert); | |
97b1f2ee LB |
1311 | if(local_file_fd != NULL) |
1312 | PR_Close (local_file_fd); | |
aeb9cc10 DB |
1313 | } |
1314 | ||
1315 | /* vim: set sw=2 ts=8 cino=>4,n-2,{2,^-2,t0,(0,u0,w1,M1 : */ |