]>
Commit | Line | Data |
---|---|---|
aeb9cc10 DB |
1 | /* |
2 | Common functions used by the NSS-aware code in systemtap. | |
3 | ||
529ab2f8 | 4 | Copyright (C) 2009-2018 Red Hat Inc. |
aeb9cc10 DB |
5 | |
6 | This file is part of systemtap, and is free software. You can | |
7 | redistribute it and/or modify it under the terms of the GNU General Public | |
8 | License as published by the Free Software Foundation; either version 2 of the | |
9 | License, or (at your option) any later version. | |
10 | ||
11 | This program is distributed in the hope that it will be useful, | |
12 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
14 | GNU General Public License for more details. | |
15 | ||
16 | You should have received a copy of the GNU General Public License | |
e8daaf60 | 17 | along with this program. If not, see <http://www.gnu.org/licenses/>. |
aeb9cc10 DB |
18 | */ |
19 | ||
a4ed6ee1 JS |
20 | #include "config.h" |
21 | ||
aeb9cc10 DB |
22 | #include <iostream> |
23 | #include <fstream> | |
24 | #include <sstream> | |
aeb9cc10 DB |
25 | #include <cerrno> |
26 | #include <cstdio> | |
27 | #include <cassert> | |
28 | ||
29 | extern "C" { | |
30 | #include <time.h> | |
31 | #include <termios.h> | |
32 | #include <unistd.h> | |
33 | #include <glob.h> | |
34 | #include <sys/stat.h> | |
35 | #include <sys/utsname.h> | |
aeb9cc10 DB |
36 | #include <nss.h> |
37 | #include <nspr.h> | |
38 | #include <ssl.h> | |
39 | #include <prerror.h> | |
40 | #include <secerr.h> | |
41 | #include <sslerr.h> | |
42 | #include <cryptohi.h> | |
43 | #include <keyhi.h> | |
44 | #include <secder.h> | |
b3367f63 | 45 | #include <cert.h> |
ca8da51f | 46 | #ifdef HAVE_HTTP_SUPPORT |
638abbd0 SC |
47 | #include <openssl/bio.h> |
48 | #include <openssl/x509.h> | |
49 | #include <openssl/pem.h> | |
50 | #include <openssl/x509v3.h> | |
ca8da51f | 51 | #endif |
aeb9cc10 DB |
52 | } |
53 | ||
54 | #include "nsscommon.h" | |
55 | #include "util.h" | |
56 | ||
57 | using namespace std; | |
58 | ||
59 | // Common constants and settings. | |
60 | const char * | |
61 | server_cert_nickname () | |
62 | { | |
63 | return (const char *)"stap-server"; | |
64 | } | |
65 | ||
c981acd9 DB |
66 | string |
67 | add_cert_db_prefix (const string &db_path) { | |
c2e2d5ff | 68 | #if 0 && ((NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 37)) |
529ab2f8 FCE |
69 | // https://wiki.mozilla.org/NSS_Shared_DB |
70 | if (db_path.find (':') == string::npos) | |
71 | return string("sql:") + db_path; | |
72 | #elif (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 12) | |
c981acd9 DB |
73 | // Use the dbm prefix, if a prefix is not already specified, |
74 | // since we're using the old database format. | |
75 | if (db_path.find (':') == string::npos) | |
76 | return string("dbm:") + db_path; | |
77 | #endif | |
78 | return db_path; | |
79 | } | |
80 | ||
aeb9cc10 DB |
81 | string |
82 | server_cert_db_path () | |
83 | { | |
84 | string data_path; | |
85 | const char* s_d = getenv ("SYSTEMTAP_DIR"); | |
86 | if (s_d != NULL) | |
87 | data_path = s_d; | |
88 | else | |
89 | data_path = get_home_directory() + string("/.systemtap"); | |
90 | return data_path + "/ssl/server"; | |
91 | } | |
92 | ||
aeb9cc10 DB |
93 | string |
94 | local_client_cert_db_path () | |
95 | { | |
96 | string data_path; | |
97 | const char* s_d = getenv ("SYSTEMTAP_DIR"); | |
98 | if (s_d != NULL) | |
99 | data_path = s_d; | |
100 | else | |
101 | data_path = get_home_directory() + string("/.systemtap"); | |
102 | return data_path + "/ssl/client"; | |
103 | } | |
104 | ||
aeb9cc10 DB |
105 | // Common error handling for applications using this file. |
106 | void | |
107 | nsscommon_error (const string &msg, int logit) | |
108 | { | |
109 | // Call the extern "C" version supplied by each application. | |
110 | nsscommon_error (msg.c_str (), logit); | |
111 | } | |
112 | ||
113 | // Logging. Enabled only by stap-serverd but called from some common methods. | |
114 | static ofstream logfile; | |
115 | ||
116 | void | |
da43562f | 117 | start_log (const char *arg, bool redirect_clog) |
aeb9cc10 DB |
118 | { |
119 | if (logfile.is_open ()) | |
120 | logfile.close (); | |
121 | ||
122 | logfile.open (arg, ios_base::app); | |
123 | if (! logfile.good ()) | |
124 | nsscommon_error (_F("Could not open log file %s", arg)); | |
da43562f DS |
125 | else if (redirect_clog) |
126 | clog.rdbuf(logfile.rdbuf()); | |
aeb9cc10 DB |
127 | } |
128 | ||
129 | bool | |
130 | log_ok () | |
131 | { | |
132 | return logfile.good (); | |
133 | } | |
134 | ||
135 | void | |
136 | log (const string &msg) | |
137 | { | |
6ef4a081 DB |
138 | // What time is it? |
139 | time_t now; | |
140 | time (& now); | |
141 | string nowStr = ctime (& now); | |
142 | // Remove the newline from the end of the time string. | |
143 | nowStr.erase (nowStr.size () - 1, 1); | |
144 | ||
aeb9cc10 | 145 | if (logfile.good ()) |
6ef4a081 | 146 | logfile << nowStr << ": " << msg << endl << flush; |
aeb9cc10 | 147 | else |
6ef4a081 | 148 | clog << nowStr << ": " << msg << endl << flush; |
aeb9cc10 DB |
149 | } |
150 | ||
151 | void | |
152 | end_log () | |
153 | { | |
154 | if (logfile.is_open ()) | |
155 | logfile.close (); | |
156 | } | |
157 | ||
158 | // NSS/NSPR error reporting and cleanup. | |
159 | // These functions are called from C code as well as C++, so make them extern "C". | |
160 | extern "C" | |
161 | void | |
162 | nssError (void) | |
163 | { | |
164 | // See if PR_GetError can tell us what the error is. | |
165 | PRErrorCode errorNumber = PR_GetError (); | |
166 | ||
7e001983 FCE |
167 | // Try PR_ErrorToName and PR_ErrorToString; they are wise. |
168 | const char* errorName = PR_ErrorToName(errorNumber); | |
169 | const char* errorText = PR_ErrorToString (errorNumber, PR_LANGUAGE_EN); | |
aeb9cc10 | 170 | |
7e001983 FCE |
171 | if (errorName && errorText) |
172 | { | |
173 | nsscommon_error (_F("(%d %s) %s", errorNumber, errorName, errorText)); | |
174 | return; | |
175 | } | |
176 | ||
177 | // Fall back to our own scraped ssl error text. | |
aeb9cc10 DB |
178 | switch (errorNumber) { |
179 | default: errorText = "Unknown error"; break; | |
180 | #define NSSYERROR(code,msg) case code: errorText = msg; break | |
181 | #include "stapsslerr.h" | |
182 | #undef NSSYERROR | |
183 | } | |
aeb9cc10 DB |
184 | nsscommon_error (_F("(%d) %s", errorNumber, errorText)); |
185 | } | |
186 | ||
187 | extern "C" | |
188 | SECStatus | |
dff24561 | 189 | nssInit (const char *db_path, int readWrite, int issueMessage) |
aeb9cc10 DB |
190 | { |
191 | SECStatus secStatus; | |
c981acd9 DB |
192 | string full_db_path = add_cert_db_prefix (db_path); |
193 | db_path = full_db_path.c_str(); | |
aeb9cc10 DB |
194 | if (readWrite) |
195 | secStatus = NSS_InitReadWrite (db_path); | |
196 | else | |
197 | secStatus = NSS_Init (db_path); | |
dff24561 | 198 | if (secStatus != SECSuccess && issueMessage) |
aeb9cc10 DB |
199 | { |
200 | nsscommon_error (_F("Error initializing NSS for %s", db_path)); | |
201 | nssError (); | |
202 | } | |
203 | return secStatus; | |
204 | } | |
205 | ||
206 | extern "C" | |
207 | void | |
208 | nssCleanup (const char *db_path) | |
209 | { | |
9447d916 DB |
210 | // Make sure that NSS has been initialized. Some early versions of NSS do not check this |
211 | // within NSS_Shutdown(). | |
212 | // When called with no certificate database path (db_path == 0), then the caller does | |
213 | // not know whether NSS has actually been initialized. For example, the rpm finder, | |
214 | // which calls here to shutdown NSS manually if rpmFreeCrypto() is not available | |
215 | // (see rpm_finder.cxx:missing_rpm_enlist). | |
216 | // However, if we're trying to close a certificate database which has not been initialized, | |
217 | // then we have a (non fatal) internal error. | |
218 | if (! NSS_IsInitialized ()) | |
219 | { | |
220 | if (db_path) | |
221 | { | |
c981acd9 DB |
222 | string full_db_path = add_cert_db_prefix (db_path); |
223 | db_path = full_db_path.c_str(); | |
9447d916 DB |
224 | nsscommon_error (_F("WARNING: Attempt to shutdown NSS for database %s, which was never initialized", db_path)); |
225 | } | |
226 | return; | |
227 | } | |
228 | ||
aeb9cc10 DB |
229 | // Shutdown NSS and ensure that it went down successfully. This is because we can not |
230 | // initialize NSS again if it does not. | |
9447d916 | 231 | if (NSS_Shutdown () != SECSuccess) |
aeb9cc10 DB |
232 | { |
233 | if (db_path) | |
c981acd9 DB |
234 | { |
235 | string full_db_path = add_cert_db_prefix (db_path); | |
236 | db_path = full_db_path.c_str(); | |
237 | nsscommon_error (_F("Unable to shutdown NSS for database %s", db_path)); | |
238 | } | |
aeb9cc10 | 239 | else |
9447d916 | 240 | nsscommon_error (_("Unable to shutdown NSS")); |
aeb9cc10 DB |
241 | nssError (); |
242 | } | |
243 | } | |
244 | ||
245 | // Certificate database password support functions. | |
246 | // | |
247 | // Disable character echoing, if the fd is a tty. | |
248 | static void | |
249 | echoOff(int fd) | |
250 | { | |
251 | if (isatty(fd)) { | |
252 | struct termios tio; | |
253 | tcgetattr(fd, &tio); | |
254 | tio.c_lflag &= ~ECHO; | |
255 | tcsetattr(fd, TCSAFLUSH, &tio); | |
256 | } | |
257 | } | |
258 | ||
259 | /* Enable character echoing, if the fd is a tty. */ | |
260 | static void | |
261 | echoOn(int fd) | |
262 | { | |
263 | if (isatty(fd)) { | |
264 | struct termios tio; | |
265 | tcgetattr(fd, &tio); | |
266 | tio.c_lflag |= ECHO; | |
267 | tcsetattr(fd, TCSAFLUSH, &tio); | |
268 | } | |
269 | } | |
270 | ||
271 | /* | |
272 | * This function is our custom password handler that is called by | |
273 | * NSS when retrieving private certs and keys from the database. Returns a | |
274 | * pointer to a string with a password for the database. Password pointer | |
275 | * must be allocated by one of the NSPR memory allocation functions, or by PORT_Strdup, | |
276 | * and will be freed by the caller. | |
277 | */ | |
278 | extern "C" | |
279 | char * | |
280 | nssPasswordCallback (PK11SlotInfo *info __attribute ((unused)), PRBool retry, void *arg) | |
281 | { | |
282 | static int retries = 0; | |
283 | #define PW_MAX 200 | |
284 | char* password = NULL; | |
285 | char* password_ret = NULL; | |
286 | const char *dbname ; | |
287 | int infd; | |
288 | int isTTY; | |
289 | ||
290 | if (! retry) | |
291 | { | |
292 | /* Not a retry. */ | |
293 | retries = 0; | |
294 | } | |
295 | else | |
296 | { | |
297 | /* Maximum of 2 retries for bad password. */ | |
298 | if (++retries > 2) | |
299 | return NULL; /* No more retries */ | |
300 | } | |
301 | ||
302 | /* Can only prompt for a password if stdin is a tty. */ | |
303 | infd = fileno (stdin); | |
304 | isTTY = isatty (infd); | |
305 | if (! isTTY) | |
306 | { | |
307 | nsscommon_error (_("Cannot prompt for certificate database password. stdin is not a tty")); | |
308 | return NULL; | |
309 | } | |
310 | ||
311 | /* Prompt for password */ | |
312 | password = (char *)PORT_Alloc (PW_MAX); | |
313 | if (! password) | |
314 | { | |
315 | nssError (); | |
316 | return NULL; | |
317 | } | |
318 | ||
319 | dbname = (const char *)arg; | |
320 | cerr << _F("Password for certificate database in %s: ", dbname) << flush; | |
321 | echoOff (infd); | |
322 | password_ret = fgets (password, PW_MAX, stdin); | |
323 | cerr << endl << flush; | |
324 | echoOn(infd); | |
325 | ||
326 | if (password_ret) | |
327 | /* stomp on the newline */ | |
328 | *strchrnul (password, '\n') = '\0'; | |
329 | else | |
330 | PORT_Free (password); | |
331 | ||
332 | return password_ret; | |
333 | } | |
334 | ||
3dc20443 | 335 | static int |
aeb9cc10 DB |
336 | create_server_cert_db (const char *db_path) |
337 | { | |
338 | return create_dir (db_path, 0755); | |
339 | } | |
340 | ||
341 | static int | |
342 | create_client_cert_db (const char *db_path) | |
343 | { | |
344 | // Same properties as the server's database, at present. | |
345 | return create_server_cert_db (db_path); | |
346 | } | |
347 | ||
348 | static int | |
349 | clean_cert_db (const string &db_path) | |
350 | { | |
351 | // First remove all files from the directory | |
352 | glob_t globbuf; | |
353 | string filespec = db_path + "/*"; | |
354 | int r = glob (filespec.c_str (), 0, NULL, & globbuf); | |
355 | if (r == GLOB_NOSPACE || r == GLOB_ABORTED) | |
356 | nsscommon_error (_F("Could not search certificate database directory %s", db_path.c_str ())); | |
357 | else if (r != GLOB_NOMATCH) | |
358 | { | |
359 | for (unsigned i = 0; i < globbuf.gl_pathc; ++i) | |
360 | { | |
361 | if (remove_file_or_dir (globbuf.gl_pathv[i]) != 0) | |
362 | nsscommon_error (_F("Could not remove %s", globbuf.gl_pathv[i])); | |
363 | } | |
03dd566c | 364 | globfree(& globbuf); |
aeb9cc10 DB |
365 | } |
366 | ||
367 | // Now remove the directory itself. | |
368 | if (remove_file_or_dir (db_path.c_str ()) != 0) | |
369 | { | |
370 | nsscommon_error (_F("Could not remove certificate database directory %s\n%s", | |
371 | db_path.c_str (), strerror (errno))); | |
372 | return 1; | |
373 | } | |
374 | ||
375 | return 0; | |
376 | } | |
377 | ||
378 | static int | |
379 | init_password (PK11SlotInfo *slot, const string &db_path, bool use_password) | |
380 | { | |
381 | // Prompt for the database password, if we're using one. Keep the passwords in memory for as | |
382 | // little time as possible. | |
383 | SECStatus secStatus; | |
384 | if (use_password) | |
385 | { | |
386 | char *pw1 = 0; | |
387 | int attempts; | |
388 | const int max_attempts = 3; | |
389 | for (attempts = 0; attempts < max_attempts; ++attempts) | |
390 | { | |
391 | pw1 = nssPasswordCallback (slot, false, (void*)db_path.c_str ()); | |
392 | if (! pw1) | |
393 | continue; | |
394 | cerr << "Confirm "; | |
395 | bool match = false; | |
396 | char *pw2 = nssPasswordCallback (slot, false, (void*)db_path.c_str ()); | |
397 | if (pw2) | |
398 | { | |
399 | if (strcmp (pw1, pw2) == 0) | |
400 | match = true; | |
401 | else | |
402 | nsscommon_error (_("Passwords do not match")); | |
403 | memset (pw2, 0, strlen (pw2)); | |
404 | PORT_Free (pw2); | |
405 | } | |
406 | if (match) | |
407 | break; | |
408 | memset (pw1, 0, strlen (pw1)); | |
409 | PORT_Free (pw1); | |
410 | } | |
411 | if (attempts >= max_attempts) | |
412 | { | |
413 | nsscommon_error (_("Too many password attempts")); | |
414 | return 1; | |
415 | } | |
416 | secStatus = PK11_InitPin (slot, 0, pw1); | |
417 | memset (pw1, 0, strlen (pw1)); | |
418 | PORT_Free (pw1); | |
419 | } | |
420 | else | |
421 | secStatus = PK11_InitPin (slot, 0, 0); | |
422 | ||
423 | if (secStatus != SECSuccess) | |
424 | { | |
425 | nsscommon_error (_F("Could not initialize pin for certificate database %s", db_path.c_str())); | |
426 | nssError (); | |
427 | return 1; | |
428 | } | |
429 | ||
430 | return 0; | |
431 | } | |
432 | ||
433 | static SECKEYPrivateKey * | |
434 | generate_private_key (const string &db_path, PK11SlotInfo *slot, SECKEYPublicKey **pubkeyp) | |
435 | { | |
436 | if (PK11_Authenticate (slot, PR_TRUE, 0) != SECSuccess) | |
437 | { | |
438 | nsscommon_error (_F("Unable to authenticate the default slot for certificate database %s", | |
439 | db_path.c_str ())); | |
440 | nssError (); | |
441 | return 0; | |
442 | } | |
443 | ||
444 | // Do some random-number initialization. | |
445 | // TODO: We can do better. | |
446 | srand (time (NULL)); | |
447 | char randbuf[64]; | |
448 | for (unsigned i = 0; i < sizeof (randbuf); ++i) | |
449 | randbuf[i] = rand (); | |
450 | PK11_RandomUpdate (randbuf, sizeof (randbuf)); | |
451 | memset (randbuf, 0, sizeof (randbuf)); | |
452 | ||
453 | // Set up for RSA. | |
454 | PK11RSAGenParams rsaparams; | |
529ab2f8 | 455 | rsaparams.keySizeInBits = 4096; /* 1024 too small; SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED */ |
aeb9cc10 DB |
456 | rsaparams.pe = 0x010001; |
457 | CK_MECHANISM_TYPE mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN; | |
458 | ||
459 | // Generate the key pair. | |
460 | SECKEYPrivateKey *privKey = PK11_GenerateKeyPair (slot, mechanism, & rsaparams, pubkeyp, | |
461 | PR_TRUE /*isPerm*/, PR_TRUE /*isSensitive*/, | |
462 | 0/*pwdata*/); | |
463 | if (! privKey) | |
464 | { | |
465 | nsscommon_error (_("Unable to generate public/private key pair")); | |
466 | nssError (); | |
467 | } | |
468 | return privKey; | |
469 | } | |
470 | ||
471 | static CERTCertificateRequest * | |
472 | generate_cert_request (SECKEYPublicKey *pubk, CERTName *subject) | |
473 | { | |
474 | CERTSubjectPublicKeyInfo *spki = SECKEY_CreateSubjectPublicKeyInfo (pubk); | |
475 | if (! spki) | |
476 | { | |
477 | nsscommon_error (_("Unable to create subject public key info for certificate request")); | |
478 | nssError (); | |
479 | return 0; | |
480 | } | |
481 | ||
482 | /* Generate certificate request */ | |
483 | CERTCertificateRequest *cr = CERT_CreateCertificateRequest (subject, spki, 0); | |
484 | SECKEY_DestroySubjectPublicKeyInfo (spki); | |
485 | if (! cr) | |
486 | { | |
487 | nsscommon_error (_("Unable to create certificate request")); | |
488 | nssError (); | |
489 | } | |
490 | return cr; | |
491 | } | |
492 | ||
493 | static CERTCertificate * | |
494 | create_cert (CERTCertificateRequest *certReq, const string &dnsNames) | |
495 | { | |
496 | // What is the current date and time? | |
497 | PRTime now = PR_Now (); | |
498 | ||
499 | // What is the date and time 1 year from now? | |
500 | PRExplodedTime printableTime; | |
501 | PR_ExplodeTime (now, PR_GMTParameters, & printableTime); | |
502 | printableTime.tm_month += 12; | |
503 | PRTime after = PR_ImplodeTime (& printableTime); | |
504 | ||
505 | // Note that the time is now in micro-second units. | |
506 | CERTValidity *validity = CERT_CreateValidity (now, after); | |
507 | if (! validity) | |
508 | { | |
509 | nsscommon_error (_("Unable to create certificate validity dates")); | |
510 | nssError (); | |
511 | return 0; | |
512 | } | |
513 | ||
514 | // Create a default serial number using the current time. | |
515 | PRTime serialNumber = now >> 19; // copied from certutil. | |
516 | ||
517 | // Create the certificate. | |
518 | CERTCertificate *cert = CERT_CreateCertificate (serialNumber, & certReq->subject, validity, | |
519 | certReq); | |
520 | CERT_DestroyValidity (validity); | |
521 | if (! cert) | |
522 | { | |
523 | nsscommon_error (_("Unable to create certificate")); | |
524 | nssError (); | |
525 | return 0; | |
526 | } | |
527 | ||
528 | // Predeclare these to keep C++ happy about jumps to the label 'error'. | |
529 | SECStatus secStatus = SECSuccess; | |
530 | unsigned char keyUsage = 0x0; | |
531 | PRArenaPool *arena = 0; | |
532 | ||
533 | // Add the extensions that we need. | |
534 | void *extHandle = CERT_StartCertExtensions (cert); | |
535 | if (! extHandle) | |
536 | { | |
537 | nsscommon_error (_("Unable to allocate certificate extensions")); | |
538 | nssError (); | |
539 | goto error; | |
540 | } | |
541 | ||
542 | // Cert type extension. | |
543 | keyUsage |= (0x80 >> 1); // SSL Server | |
544 | keyUsage |= (0x80 >> 3); // Object signer | |
545 | keyUsage |= (0x80 >> 7); // Object signing CA | |
546 | ||
547 | SECItem bitStringValue; | |
548 | bitStringValue.data = & keyUsage; | |
549 | bitStringValue.len = 1; | |
550 | ||
551 | secStatus = CERT_EncodeAndAddBitStrExtension (extHandle, | |
552 | SEC_OID_NS_CERT_EXT_CERT_TYPE, | |
553 | & bitStringValue, PR_TRUE); | |
554 | if (secStatus != SECSuccess) | |
555 | { | |
556 | nsscommon_error (_("Unable to encode certificate type extensions")); | |
557 | nssError (); | |
558 | goto error; | |
559 | } | |
560 | ||
561 | // Alternate dns name extension. | |
562 | if (! dnsNames.empty ()) | |
563 | { | |
564 | arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE); | |
565 | if (! arena) | |
566 | { | |
567 | nsscommon_error (_("Unable to allocate alternate DNS name extension for certificate")); | |
568 | goto error; | |
569 | } | |
570 | ||
571 | // Walk down the comma separated list of names. | |
572 | CERTGeneralName *nameList = 0; | |
573 | CERTGeneralName *current = 0; | |
574 | PRCList *prev = 0; | |
575 | vector<string>components; | |
576 | tokenize (dnsNames, components, ","); | |
577 | for (unsigned i = 0; i < components.size (); ++i) | |
578 | { | |
579 | char *tbuf = (char *)PORT_ArenaAlloc (arena, components[i].size () + 1); | |
580 | strcpy (tbuf, components[i].c_str ()); | |
581 | ||
582 | current = (CERTGeneralName *)PORT_ZAlloc (sizeof (CERTGeneralName)); | |
583 | if (! current) | |
584 | { | |
585 | nsscommon_error (_("Unable to allocate alternate DNS name extension for certificate")); | |
586 | goto error; | |
587 | } | |
588 | if (prev) | |
589 | { | |
590 | current->l.prev = prev; | |
591 | prev->next = & current->l; | |
592 | } | |
593 | else | |
594 | nameList = current; | |
595 | ||
596 | current->type = certDNSName; | |
597 | current->name.other.data = (unsigned char *)tbuf; | |
598 | current->name.other.len = strlen (tbuf); | |
599 | prev = & current->l; | |
600 | } | |
601 | ||
602 | // At this point nameList points to the head of a doubly linked, | |
603 | // but not yet circular, list and current points to its tail. | |
604 | if (nameList) | |
605 | { | |
606 | // Make nameList circular. | |
607 | nameList->l.prev = prev; | |
608 | current->l.next = & nameList->l; | |
609 | ||
610 | // Encode and add the extension. | |
611 | SECItem item; | |
612 | secStatus = CERT_EncodeAltNameExtension (arena, nameList, & item); | |
613 | if (secStatus != SECSuccess) | |
614 | { | |
615 | nsscommon_error (_("Unable to encode alternate DNS name extension for certificate")); | |
616 | nssError (); | |
617 | goto error; | |
618 | } | |
619 | secStatus = CERT_AddExtension(extHandle, | |
620 | SEC_OID_X509_SUBJECT_ALT_NAME, | |
621 | & item, PR_FALSE, PR_TRUE); | |
622 | if (secStatus != SECSuccess) | |
623 | { | |
624 | nsscommon_error (_("Unable to add alternate DNS name extension for certificate")); | |
625 | nssError (); | |
626 | goto error; | |
627 | } | |
628 | } | |
629 | } // extra dns names specified. | |
630 | ||
631 | // We did not create any extensions on the cert request. | |
632 | assert (certReq->attributes != NULL); | |
633 | assert (certReq->attributes[0] == NULL); | |
634 | ||
635 | // Finished with cert extensions. | |
636 | secStatus = CERT_FinishExtensions (extHandle); | |
637 | if (secStatus != SECSuccess) | |
638 | { | |
639 | nsscommon_error (_("Unable to complete alternate DNS name extension for certificate")); | |
640 | nssError (); | |
641 | goto error; | |
642 | } | |
643 | ||
644 | return cert; | |
645 | ||
646 | error: | |
647 | if (arena) | |
648 | PORT_FreeArena (arena, PR_FALSE); | |
649 | CERT_DestroyCertificate (cert); | |
650 | return 0; | |
651 | } | |
652 | ||
653 | static SECItem * | |
654 | sign_cert (CERTCertificate *cert, SECKEYPrivateKey *privKey) | |
655 | { | |
656 | SECOidTag algID = SEC_GetSignatureAlgorithmOidTag (privKey->keyType, | |
657 | SEC_OID_UNKNOWN); | |
658 | if (algID == SEC_OID_UNKNOWN) | |
659 | { | |
660 | nsscommon_error (_("Unable to determine the signature algorithm for the signing the certificate")); | |
661 | nssError (); | |
662 | return 0; | |
663 | } | |
664 | ||
665 | PRArenaPool *arena = cert->arena; | |
666 | SECStatus rv = SECOID_SetAlgorithmID (arena, & cert->signature, algID, 0); | |
667 | if (rv != SECSuccess) | |
668 | { | |
669 | nsscommon_error (_("Unable to set the signature algorithm for signing the certificate")); | |
670 | nssError (); | |
671 | return 0; | |
672 | } | |
673 | ||
674 | /* we only deal with cert v3 here */ | |
675 | *(cert->version.data) = 2; | |
676 | cert->version.len = 1; | |
677 | ||
678 | SECItem der; | |
679 | der.len = 0; | |
680 | der.data = 0; | |
681 | void *dummy = SEC_ASN1EncodeItem (arena, & der, cert, | |
682 | SEC_ASN1_GET (CERT_CertificateTemplate)); | |
683 | if (! dummy) | |
684 | { | |
685 | nsscommon_error (_("Unable to encode the certificate for signing")); | |
686 | nssError (); | |
687 | return 0; | |
688 | } | |
689 | ||
690 | SECItem *result = (SECItem *)PORT_ArenaZAlloc (arena, sizeof (SECItem)); | |
691 | if (! result) | |
692 | { | |
693 | nsscommon_error (_("Unable to allocate memory for signing the certificate")); | |
694 | return 0; | |
695 | } | |
696 | ||
697 | rv = SEC_DerSignData (arena, result, der.data, der.len, privKey, algID); | |
698 | if (rv != SECSuccess) | |
699 | { | |
700 | nsscommon_error (_("Unable to sign the certificate")); | |
701 | nssError (); | |
702 | return 0; | |
703 | } | |
704 | ||
705 | cert->derCert = *result; | |
706 | return result; | |
707 | } | |
708 | ||
709 | static SECStatus | |
710 | add_server_cert (const string &db_path, SECItem *certDER, PK11SlotInfo *slot) | |
711 | { | |
712 | // Decode the cert. | |
713 | CERTCertificate *cert = CERT_DecodeCertFromPackage((char *)certDER->data, certDER->len); | |
714 | if (! cert) | |
715 | { | |
716 | nsscommon_error (_("Unable to decode certificate")); | |
717 | nssError (); | |
718 | return SECFailure; | |
719 | } | |
720 | ||
721 | // Import it into the database. | |
722 | CERTCertDBHandle *handle = 0; | |
723 | CERTCertTrust *trust = NULL; | |
724 | SECStatus secStatus = PK11_ImportCert (slot, cert, CK_INVALID_HANDLE, | |
725 | server_cert_nickname (), PR_FALSE); | |
726 | if (secStatus != SECSuccess) | |
727 | { | |
728 | nsscommon_error (_F("Unable to import certificate into the database at %s", db_path.c_str ())); | |
729 | nssError (); | |
730 | goto done; | |
731 | } | |
732 | ||
733 | // Make it a trusted server and signer. | |
734 | trust = (CERTCertTrust *)PORT_ZAlloc (sizeof (CERTCertTrust)); | |
735 | if (! trust) | |
736 | { | |
737 | nsscommon_error (_("Unable to allocate certificate trust")); | |
738 | secStatus = SECFailure; | |
739 | goto done; | |
740 | } | |
741 | ||
742 | secStatus = CERT_DecodeTrustString (trust, "PCu,,PCu"); | |
743 | if (secStatus != SECSuccess) | |
744 | { | |
745 | nsscommon_error (_("Unable decode trust string 'PCu,,PCu'")); | |
746 | nssError (); | |
747 | goto done; | |
748 | } | |
749 | ||
750 | handle = CERT_GetDefaultCertDB (); | |
751 | assert (handle); | |
752 | secStatus = CERT_ChangeCertTrust (handle, cert, trust); | |
753 | if (secStatus != SECSuccess) | |
754 | { | |
755 | nsscommon_error (_("Unable to change certificate trust")); | |
756 | nssError (); | |
757 | } | |
758 | ||
759 | done: | |
760 | CERT_DestroyCertificate (cert); | |
761 | if (trust) | |
762 | PORT_Free (trust); | |
763 | return secStatus; | |
764 | } | |
765 | ||
766 | SECStatus | |
638abbd0 | 767 | add_client_cert (const string &inFileName, const string &db_path, bool init_db) |
aeb9cc10 DB |
768 | { |
769 | FILE *inFile = fopen (inFileName.c_str (), "rb"); | |
770 | if (! inFile) | |
771 | { | |
772 | nsscommon_error (_F("Could not open certificate file %s for reading\n%s", | |
773 | inFileName.c_str (), strerror (errno))); | |
774 | return SECFailure; | |
775 | } | |
776 | ||
777 | int fd = fileno (inFile); | |
778 | struct stat info; | |
779 | int rc = fstat (fd, &info); | |
780 | if (rc != 0) | |
781 | { | |
782 | nsscommon_error (_F("Could not obtain information about certificate file %s\n%s", | |
783 | inFileName.c_str (), strerror (errno))); | |
784 | fclose (inFile); | |
785 | return SECFailure; | |
786 | } | |
787 | ||
788 | SECItem certDER; | |
789 | certDER.len = info.st_size; | |
790 | certDER.data = (unsigned char *)PORT_Alloc (certDER.len); | |
1d7ae21b FCE |
791 | if (certDER.data == NULL) |
792 | { | |
793 | nsscommon_error (_F("Could not allocate certDER\n%s", | |
794 | strerror (errno))); | |
795 | fclose (inFile); | |
796 | return SECFailure; | |
797 | } | |
aeb9cc10 DB |
798 | size_t read = fread (certDER.data, 1, certDER.len, inFile); |
799 | fclose (inFile); | |
800 | if (read != certDER.len) | |
801 | { | |
802 | nsscommon_error (_F("Error reading from certificate file %s\n%s", | |
803 | inFileName.c_str (), strerror (errno))); | |
804 | return SECFailure; | |
805 | } | |
806 | ||
638abbd0 SC |
807 | SECStatus secStatus; |
808 | if (init_db) | |
aeb9cc10 | 809 | { |
638abbd0 SC |
810 | // The http client adds a cert by calling us via add_server_trust which |
811 | // first has already called nssInit; we don't want to call nssInit twice | |
812 | // See if the database already exists and can be initialized. | |
813 | secStatus = nssInit (db_path.c_str (), 1/*readwrite*/, 0/*issueMessage*/); | |
aeb9cc10 | 814 | if (secStatus != SECSuccess) |
638abbd0 SC |
815 | { |
816 | // Try again with a fresh database. | |
817 | if (clean_cert_db (db_path.c_str ()) != 0) | |
818 | { | |
819 | // Message already issued. | |
820 | return SECFailure; | |
821 | } | |
822 | ||
823 | // Make sure the given path exists. | |
824 | if (create_client_cert_db (db_path.c_str ()) != 0) | |
825 | { | |
826 | nsscommon_error (_F("Could not create certificate database directory %s", | |
827 | db_path.c_str ())); | |
828 | return SECFailure; | |
829 | } | |
830 | ||
831 | // Initialize the new database. | |
832 | secStatus = nssInit (db_path.c_str (), 1/*readwrite*/); | |
833 | if (secStatus != SECSuccess) | |
834 | { | |
835 | // Message already issued. | |
836 | return SECFailure; | |
837 | } | |
838 | } | |
aeb9cc10 DB |
839 | } |
840 | ||
841 | // Predeclare these to keep C++ happy about jumps to the label 'done'. | |
842 | CERTCertificate *cert = 0; | |
843 | CERTCertDBHandle *handle = 0; | |
844 | CERTCertTrust *trust = 0; | |
845 | PK11SlotInfo *slot = 0; | |
846 | ||
847 | // Add the cert to the database | |
848 | // Decode the cert. | |
849 | secStatus = SECFailure; | |
850 | cert = CERT_DecodeCertFromPackage ((char *)certDER.data, certDER.len); | |
851 | if (! cert) | |
852 | { | |
853 | nsscommon_error (_("Unable to decode certificate")); | |
854 | nssError (); | |
855 | goto done; | |
856 | } | |
857 | ||
858 | // We need the internal slot for this database. | |
859 | slot = PK11_GetInternalKeySlot (); | |
860 | if (! slot) | |
861 | { | |
862 | nsscommon_error (_F("Could not obtain internal key slot for certificate database %s", db_path.c_str())); | |
863 | nssError (); | |
864 | goto done; | |
865 | } | |
866 | ||
867 | // Import it into the database. | |
868 | secStatus = PK11_ImportCert (slot, cert, CK_INVALID_HANDLE, | |
869 | server_cert_nickname (), PR_FALSE); | |
870 | if (secStatus != SECSuccess) | |
871 | { | |
872 | nsscommon_error (_F("Could not import certificate into the database at %s", db_path.c_str())); | |
873 | nssError (); | |
874 | goto done; | |
875 | } | |
876 | ||
877 | // Make it a trusted SSL peer. | |
878 | trust = (CERTCertTrust *)PORT_ZAlloc (sizeof (CERTCertTrust)); | |
879 | if (! trust) | |
880 | { | |
881 | nsscommon_error (_("Could not allocate certificate trust")); | |
882 | goto done; | |
883 | } | |
884 | ||
885 | secStatus = CERT_DecodeTrustString (trust, "P,P,P"); | |
886 | if (secStatus != SECSuccess) | |
887 | { | |
888 | nsscommon_error (_("Unable decode trust string 'P,P,P'")); | |
889 | nssError (); | |
890 | goto done; | |
891 | } | |
892 | ||
893 | handle = CERT_GetDefaultCertDB (); | |
894 | assert (handle); | |
895 | secStatus = CERT_ChangeCertTrust (handle, cert, trust); | |
896 | if (secStatus != SECSuccess) | |
897 | { | |
898 | nsscommon_error (_("Unable to change certificate trust")); | |
899 | nssError (); | |
900 | } | |
7502ddfd | 901 | |
aeb9cc10 | 902 | done: |
7502ddfd | 903 | // Free NSS/NSPR objects and shutdown NSS. |
aeb9cc10 DB |
904 | if (slot) |
905 | PK11_FreeSlot (slot); | |
906 | if (trust) | |
907 | PORT_Free (trust); | |
908 | if (cert) | |
909 | CERT_DestroyCertificate (cert); | |
910 | if (certDER.data) | |
911 | PORT_Free (certDER.data); | |
638abbd0 SC |
912 | if (init_db) |
913 | nssCleanup (db_path.c_str ()); | |
7502ddfd DB |
914 | |
915 | // Make sure that the cert database files are read/write by the owner and | |
916 | // readable by all. | |
917 | glob_t globbuf; | |
918 | string filespec = db_path + "/*"; | |
919 | int r = glob (filespec.c_str (), 0, NULL, & globbuf); | |
920 | if (r == GLOB_NOSPACE || r == GLOB_ABORTED) { | |
921 | // Not fatal, just a warning | |
922 | nsscommon_error (_F("Could not search certificate database directory %s", db_path.c_str ())); | |
923 | } | |
924 | else if (r != GLOB_NOMATCH) | |
925 | { | |
926 | mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH; | |
927 | for (unsigned i = 0; i < globbuf.gl_pathc; ++i) | |
928 | { | |
929 | // Not fatal, just a warning | |
930 | if (chmod (globbuf.gl_pathv[i], mode) != 0) | |
931 | nsscommon_error (_F("Could set file permissions for %s", globbuf.gl_pathv[i])); | |
932 | } | |
03dd566c | 933 | globfree(&globbuf); |
7502ddfd DB |
934 | } |
935 | ||
aeb9cc10 DB |
936 | return secStatus; |
937 | } | |
938 | ||
939 | int | |
940 | gen_cert_db (const string &db_path, const string &extraDnsNames, bool use_password) | |
941 | { | |
942 | // Log the generation of a new database. | |
943 | log (_F("Generating a new certificate database directory in %s", | |
944 | db_path.c_str ())); | |
945 | ||
946 | // Start with a clean cert database. | |
947 | if (clean_cert_db (db_path.c_str ()) != 0) | |
948 | { | |
949 | // Message already issued. | |
950 | return 1; | |
951 | } | |
952 | ||
953 | // Make sure the given path exists. | |
954 | if (create_server_cert_db (db_path.c_str ()) != 0) | |
955 | { | |
956 | nsscommon_error (_F("Could not create certificate database directory %s", | |
957 | db_path.c_str ())); | |
958 | return 1; | |
959 | } | |
960 | ||
961 | // Initialize the new database. | |
962 | SECStatus secStatus = nssInit (db_path.c_str (), 1/*readwrite*/); | |
963 | if (secStatus != SECSuccess) | |
964 | { | |
965 | // Message already issued. | |
966 | return 1; | |
967 | } | |
968 | ||
969 | // Pre declare these to keep g++ happy about jumps to the label 'error'. | |
970 | CERTName *subject = 0; | |
971 | SECKEYPublicKey *pubkey = 0; | |
972 | SECKEYPrivateKey *privkey = 0; | |
973 | CERTCertificateRequest *cr = 0; | |
974 | CERTCertificate *cert = 0; | |
975 | SECItem *certDER = 0; | |
976 | string dnsNames; | |
704918e7 | 977 | string hostname; |
aeb9cc10 DB |
978 | int rc; |
979 | string outFileName; | |
980 | FILE *outFile = 0; | |
981 | ||
982 | // We need the internal slot for this database. | |
983 | PK11SlotInfo *slot = PK11_GetInternalKeySlot (); | |
984 | if (! slot) | |
985 | { | |
986 | nsscommon_error (_F("Could not obtain internal key slot for certificate database %s", db_path.c_str())); | |
987 | nssError (); | |
988 | goto error; | |
989 | } | |
990 | ||
991 | // Establish the password (if any) for the new database. | |
992 | rc = init_password (slot, db_path, use_password); | |
993 | if (rc != 0) | |
994 | { | |
995 | // Messages already issued. | |
996 | goto error; | |
997 | } | |
998 | ||
999 | // Format the cert subject. | |
1000 | subject = CERT_AsciiToName ((char *)"CN=Systemtap Compile Server, OU=Systemtap"); | |
1001 | if (! subject) | |
1002 | { | |
1003 | nsscommon_error (_("Unable to encode certificate common header")); | |
1004 | nssError (); | |
1005 | goto error; | |
1006 | } | |
1007 | ||
1008 | // Next, generate the private key. | |
1009 | privkey = generate_private_key (db_path, slot, & pubkey); | |
1010 | if (! privkey) | |
1011 | { | |
1012 | // Message already issued. | |
1013 | goto error; | |
1014 | } | |
1015 | ||
1016 | // Next, generate a cert request. | |
1017 | cr = generate_cert_request (pubkey, subject); | |
1018 | if (! cr) | |
1019 | { | |
1020 | // Message already issued. | |
1021 | goto error; | |
1022 | } | |
1023 | ||
12ef2e2d | 1024 | // For the cert, we need our host name. |
aeb9cc10 DB |
1025 | struct utsname utsname; |
1026 | uname (& utsname); | |
1027 | dnsNames = utsname.nodename; | |
12ef2e2d DB |
1028 | |
1029 | // Because avahi identifies hosts using a ".local" domain, add one to the list of names. | |
704918e7 DB |
1030 | hostname = dnsNames.substr (0, dnsNames.find ('.')); |
1031 | dnsNames += string(",") + hostname + ".local"; | |
12ef2e2d DB |
1032 | |
1033 | // Add any extra names that were supplied. | |
aeb9cc10 DB |
1034 | if (! extraDnsNames.empty ()) |
1035 | dnsNames += "," + extraDnsNames; | |
12ef2e2d DB |
1036 | |
1037 | // Now, generate the cert. | |
aeb9cc10 DB |
1038 | cert = create_cert (cr, dnsNames); |
1039 | CERT_DestroyCertificateRequest (cr); | |
1040 | if (! cert) | |
1041 | { | |
1042 | // NSS error already issued. | |
1043 | nsscommon_error (_("Unable to create certificate")); | |
1044 | goto error; | |
1045 | } | |
1046 | ||
1047 | // Sign the cert. | |
1048 | certDER = sign_cert (cert, privkey); | |
1049 | if (! certDER) | |
1050 | { | |
1051 | // Message already issued. | |
1052 | goto error; | |
1053 | } | |
1054 | ||
1055 | // Now output it to a file. | |
1056 | outFileName = db_path + "/stap.cert"; | |
1057 | outFile = fopen (outFileName.c_str (), "wb"); | |
1058 | if (outFile) | |
1059 | { | |
1060 | size_t written = fwrite (certDER->data, 1, certDER->len, outFile); | |
1061 | if (written != certDER->len) | |
1062 | { | |
1063 | nsscommon_error (_F("Error writing to certificate file %s\n%s", | |
1064 | outFileName.c_str (), strerror (errno))); | |
1065 | } | |
1066 | fclose (outFile); | |
1067 | } | |
1068 | else | |
1069 | { | |
1070 | nsscommon_error (_F("Could not open certificate file %s for writing\n%s", | |
1071 | outFileName.c_str (), strerror (errno))); | |
1072 | } | |
1073 | ||
1074 | // Add the cert to the database | |
1075 | secStatus = add_server_cert (db_path, certDER, slot); | |
1076 | CERT_DestroyCertificate (cert); | |
1077 | if (secStatus != SECSuccess) | |
1078 | { | |
1079 | // NSS error already issued. | |
1080 | nsscommon_error (_F("Unable to add certificate to %s", db_path.c_str ())); | |
1081 | goto error; | |
1082 | } | |
1083 | ||
1084 | // Done with the certificate database | |
1085 | PK11_FreeSlot (slot); | |
1086 | CERT_DestroyName (subject); | |
1087 | SECKEY_DestroyPublicKey (pubkey); | |
1088 | SECKEY_DestroyPrivateKey (privkey); | |
1089 | goto done; | |
1090 | ||
1091 | error: | |
1092 | if (slot) | |
1093 | PK11_FreeSlot (slot); | |
1094 | if (subject) | |
1095 | CERT_DestroyName (subject); | |
1096 | if (pubkey) | |
1097 | SECKEY_DestroyPublicKey (pubkey); | |
1098 | if (privkey) | |
1099 | SECKEY_DestroyPrivateKey (privkey); | |
1100 | if (cert) | |
1101 | CERT_DestroyCertificate (cert); // Also destroys certDER. | |
1102 | ||
1103 | done: | |
1104 | nssCleanup (db_path.c_str ()); | |
1105 | return secStatus != SECSuccess; | |
1106 | } | |
1107 | ||
1108 | CERTCertList *get_cert_list_from_db (const string &cert_nickname) | |
1109 | { | |
1110 | // Search the client-side database of trusted servers. | |
1111 | CERTCertDBHandle *handle = CERT_GetDefaultCertDB (); | |
1112 | assert (handle); | |
1113 | CERTCertificate *db_cert = PK11_FindCertFromNickname (cert_nickname.c_str (), 0); | |
1114 | if (! db_cert) | |
1115 | { | |
1116 | // No trusted servers. Not an error. Just an empty list returned. | |
1117 | return 0; | |
1118 | } | |
1119 | ||
1120 | // Here, we have one cert with the desired nickname. | |
1121 | // Now, we will attempt to get a list of ALL certs | |
1122 | // with the same subject name as the cert we have. That list | |
1123 | // should contain, at a minimum, the one cert we have already found. | |
1124 | // If the list of certs is empty (0), the libraries have failed. | |
1125 | CERTCertList *certs = CERT_CreateSubjectCertList (0, handle, & db_cert->derSubject, | |
1126 | PR_Now (), PR_FALSE); | |
1127 | CERT_DestroyCertificate (db_cert); | |
1128 | if (! certs) | |
1129 | { | |
1130 | nsscommon_error (_("NSS library failure in CERT_CreateSubjectCertList")); | |
1131 | nssError (); | |
1132 | } | |
1133 | ||
1134 | return certs; | |
1135 | } | |
1136 | ||
aeb9cc10 DB |
1137 | static int |
1138 | format_cert_validity_time (SECItem &vTime, char *timeString, size_t ts_size) | |
1139 | { | |
1140 | int64 time; | |
1141 | SECStatus secStatus; | |
1142 | ||
1143 | switch (vTime.type) { | |
1144 | case siUTCTime: | |
1145 | secStatus = DER_UTCTimeToTime (& time, & vTime); | |
1146 | break; | |
1147 | case siGeneralizedTime: | |
1148 | secStatus = DER_GeneralizedTimeToTime (& time, & vTime); | |
1149 | break; | |
1150 | default: | |
eeacd9d4 | 1151 | nsscommon_error (_("Could not decode certificate validity")); |
aeb9cc10 DB |
1152 | return 1; |
1153 | } | |
1154 | if (secStatus != SECSuccess) | |
1155 | { | |
eeacd9d4 | 1156 | nsscommon_error (_("Could not decode certificate validity time")); |
aeb9cc10 DB |
1157 | return 1; |
1158 | } | |
1159 | ||
1160 | // Convert to local time. | |
1161 | PRExplodedTime printableTime; | |
1162 | PR_ExplodeTime (time, PR_GMTParameters, & printableTime); | |
1163 | if (! PR_FormatTime (timeString, ts_size, "%a %b %d %H:%M:%S %Y", & printableTime)) | |
1164 | { | |
eeacd9d4 | 1165 | nsscommon_error (_("Could not format certificate validity time")); |
aeb9cc10 DB |
1166 | return 1; |
1167 | } | |
1168 | ||
1169 | return 0; | |
1170 | } | |
1171 | ||
1172 | static bool | |
1173 | cert_is_valid (CERTCertificate *cert) | |
1174 | { | |
1175 | // Verify the the certificate is valid as an SSL server and as an object signer and that | |
1176 | // it is valid now. | |
1177 | CERTCertDBHandle *handle = CERT_GetDefaultCertDB (); | |
1178 | assert (handle); | |
1179 | SECCertificateUsage usage = certificateUsageSSLServer | certificateUsageObjectSigner; | |
1180 | SECStatus secStatus = CERT_VerifyCertificate (handle, cert, PR_TRUE/*checkSig*/, usage, | |
1181 | PR_Now (), NULL, NULL/*log*/, & usage); | |
1182 | return secStatus == SECSuccess; | |
1183 | } | |
1184 | ||
638abbd0 SC |
1185 | |
1186 | bool | |
1187 | get_host_name (CERTCertificate *c, string &host_name) | |
1188 | { | |
1189 | // Get the host name. It is in the alt-name extension of the | |
1190 | // certificate. | |
1191 | ||
1192 | SECStatus secStatus; | |
1193 | PRArenaPool *tmpArena = NULL; | |
1194 | // A memory pool to work in | |
1195 | tmpArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
1196 | if (! tmpArena) | |
1197 | { | |
1198 | clog << _("Out of memory:"); | |
1199 | return false; | |
1200 | } | |
1201 | ||
1202 | SECItem subAltName; | |
1203 | subAltName.data = NULL; | |
1204 | secStatus = CERT_FindCertExtension (c, | |
1205 | SEC_OID_X509_SUBJECT_ALT_NAME, | |
1206 | & subAltName); | |
1207 | if (secStatus != SECSuccess || ! subAltName.data) | |
1208 | { | |
1209 | clog << _("Unable to find alt name extension on server certificate: ") << endl; | |
1210 | PORT_FreeArena (tmpArena, PR_FALSE); | |
1211 | return false; | |
1212 | } | |
1213 | ||
1214 | // Decode the extension. | |
1215 | CERTGeneralName *nameList = CERT_DecodeAltNameExtension (tmpArena, & subAltName); | |
1216 | SECITEM_FreeItem(& subAltName, PR_FALSE); | |
1217 | if (! nameList) | |
1218 | { | |
1219 | clog << _("Unable to decode alt name extension on server certificate: ") << endl; | |
1220 | return false; | |
1221 | } | |
1222 | ||
1223 | // We're interested in the first alternate name. | |
1224 | assert (nameList->type == certDNSName); | |
1225 | host_name = string ((const char *)nameList->name.other.data, | |
1226 | nameList->name.other.len); | |
1227 | PORT_FreeArena (tmpArena, PR_FALSE); | |
1228 | return true; | |
1229 | } | |
1230 | ||
aeb9cc10 | 1231 | static bool |
638abbd0 SC |
1232 | cert_db_is_valid (const string &db_path, const string &nss_cert_name, |
1233 | CERTCertificate *this_cert) | |
aeb9cc10 DB |
1234 | { |
1235 | // Make sure the given path exists. | |
1236 | if (! file_exists (db_path)) | |
1237 | { | |
1238 | log (_F("Certificate database %s does not exist", db_path.c_str ())); | |
1239 | return false; | |
1240 | } | |
1241 | ||
1242 | // If a 'pw' file exists, then this is an old database. Treat any certs as invalid. | |
1243 | if (file_exists (db_path + "/pw")) | |
1244 | { | |
1245 | log (_F("Certificate database %s is obsolete", db_path.c_str ())); | |
1246 | return false; | |
1247 | } | |
1248 | ||
1249 | // Initialize the NSS libraries -- readonly | |
1250 | SECStatus secStatus = nssInit (db_path.c_str ()); | |
1251 | if (secStatus != SECSuccess) | |
1252 | { | |
1253 | // Message already issued. | |
1254 | return false; | |
1255 | } | |
1256 | ||
1257 | // Obtain a list of our certs from the database. | |
1258 | bool valid_p = false; | |
1259 | CERTCertList *certs = get_cert_list_from_db (nss_cert_name); | |
1260 | if (! certs) | |
1261 | { | |
1262 | log (_F("No certificate found in database %s", db_path.c_str ())); | |
1263 | goto done; | |
1264 | } | |
1265 | ||
1266 | log (_F("Certificate found in database %s", db_path.c_str ())); | |
1267 | for (CERTCertListNode *node = CERT_LIST_HEAD (certs); | |
1268 | ! CERT_LIST_END (node, certs); | |
1269 | node = CERT_LIST_NEXT (node)) | |
1270 | { | |
1271 | // The certificate we're working with. | |
1272 | CERTCertificate *c = node->cert; | |
1273 | ||
1274 | // Print the validity dates of the certificate. | |
1275 | CERTValidity &v = c->validity; | |
1276 | char timeString[256]; | |
1277 | if (format_cert_validity_time (v.notBefore, timeString, sizeof (timeString)) == 0) | |
6ef4a081 | 1278 | log (_F(" Not Valid Before: %s UTC", timeString)); |
aeb9cc10 | 1279 | if (format_cert_validity_time (v.notAfter, timeString, sizeof (timeString)) == 0) |
6ef4a081 | 1280 | log (_F(" Not Valid After: %s UTC", timeString)); |
aeb9cc10 DB |
1281 | |
1282 | // Now ask NSS to check the validity. | |
1283 | if (cert_is_valid (c)) | |
1284 | { | |
1285 | // The cert is valid. One valid cert is enough. | |
6ef4a081 | 1286 | log (_("Certificate is valid")); |
aeb9cc10 | 1287 | valid_p = true; |
638abbd0 SC |
1288 | if (this_cert) |
1289 | *this_cert = *c; | |
aeb9cc10 DB |
1290 | break; |
1291 | } | |
1292 | ||
1293 | // The cert is not valid. Look for another one. | |
6ef4a081 | 1294 | log (_("Certificate is not valid")); |
aeb9cc10 DB |
1295 | } |
1296 | CERT_DestroyCertList (certs); | |
1297 | ||
1298 | done: | |
1299 | nssCleanup (db_path.c_str ()); | |
1300 | return valid_p; | |
1301 | } | |
1302 | ||
638abbd0 SC |
1303 | |
1304 | #ifdef HAVE_HTTP_SUPPORT | |
1305 | /* | |
1306 | * Similar to cert_db_is_valid; additionally it checks host_name and does no logging | |
1307 | */ | |
1308 | static bool | |
1309 | get_pem_cert_is_valid (const string &db_path, const string &nss_cert_name, | |
1310 | const string &host_name, CERTCertificate *this_cert) | |
1311 | { | |
1312 | bool nss_already_init_p = false; | |
1313 | bool found_match = false; | |
1314 | ||
1315 | if (! file_exists (db_path)) | |
1316 | return false; | |
1317 | ||
1318 | if (file_exists (db_path + "/pw")) | |
1319 | return false; | |
1320 | ||
1321 | if (NSS_IsInitialized ()) | |
1322 | nss_already_init_p = true; | |
1323 | ||
1324 | if (nssInit (db_path.c_str ()) != SECSuccess) | |
1325 | return false; | |
1326 | ||
1327 | CERTCertList *certs = get_cert_list_from_db (nss_cert_name); | |
1328 | if (! certs) | |
1329 | { | |
1330 | nssCleanup (db_path.c_str ()); | |
1331 | return false; | |
1332 | } | |
1333 | ||
1334 | for (CERTCertListNode *node = CERT_LIST_HEAD (certs); | |
1335 | ! CERT_LIST_END (node, certs); | |
1336 | node = CERT_LIST_NEXT (node)) | |
1337 | { | |
1338 | CERTCertificate *c = node->cert; | |
1339 | // An http client searches for the corresponding server's certificate | |
1340 | if (host_name.length() > 0) | |
1341 | { | |
1342 | string cert_host_name; | |
1343 | if (get_host_name (c, cert_host_name) == false) | |
1344 | continue; | |
1345 | ||
1346 | if (cert_host_name != host_name) | |
1347 | { | |
1348 | size_t dot; | |
1349 | if ((dot = host_name.find ('.')) == string::npos | |
1350 | || cert_host_name != host_name.substr(0,dot)) | |
1351 | continue; | |
1352 | } | |
1353 | } | |
1354 | ||
1355 | // Now ask NSS to check the validity. | |
1356 | if (cert_is_valid (c)) | |
1357 | { | |
1358 | if (this_cert) | |
1359 | *this_cert = *c; | |
1360 | found_match = true; | |
1361 | break; | |
1362 | } | |
1363 | } | |
1364 | CERT_DestroyCertList (certs); | |
1365 | ||
1366 | // NSS shutdown is global and is forceful | |
1367 | if (!nss_already_init_p) | |
1368 | nssCleanup (db_path.c_str ()); | |
1369 | return found_match; | |
1370 | } | |
1371 | ||
1372 | ||
1373 | bool | |
1374 | cvt_nss_to_pem (CERTCertificate *c, string &cert_pem) | |
1375 | { | |
1376 | BIO *bio; | |
1377 | X509 *certificate_509; | |
1378 | ||
1379 | bio = BIO_new(BIO_s_mem()); | |
1380 | certificate_509 = X509_new(); | |
1381 | // Load the nss certificate into the openssl BIO | |
1382 | int count = BIO_write (bio, (const void*)c->derCert.data, c->derCert.len); | |
1383 | if (count == 0) | |
1384 | return false; | |
1385 | // Parse the BIO into an X509 | |
1386 | certificate_509 = d2i_X509_bio(bio, &certificate_509); | |
1387 | // Convert the X509 to PEM form | |
1388 | int rc = PEM_write_bio_X509(bio, certificate_509); | |
1389 | if (rc != 1) | |
1390 | return false; | |
1391 | BUF_MEM *mem = NULL; | |
1392 | // Load the buffer from the PEM form | |
1393 | BIO_get_mem_ptr(bio, &mem); | |
1394 | cert_pem = string(mem->data, mem->length); | |
1395 | BIO_free(bio); | |
1396 | X509_free(certificate_509); | |
1397 | return true; | |
1398 | } | |
1399 | ||
1400 | ||
1401 | bool | |
1402 | get_pem_cert (const string &db_path, const string &nss_cert_name, const string &host, | |
1403 | string &cert) | |
1404 | { | |
1405 | CERTCertificate cc; | |
1406 | CERTCertificate *c = &cc; | |
1407 | // Do we have an nss certificate in the nss cert db for server host? | |
1408 | if (get_pem_cert_is_valid (db_path, nss_cert_name, host, c)) | |
1409 | { | |
1410 | // If we do, then convert to PEM form | |
1411 | cvt_nss_to_pem (c, cert); | |
1412 | return true; | |
1413 | } | |
1414 | return false; | |
1415 | } | |
1416 | ||
1417 | bool | |
1418 | have_san_match (string & hostname, string & pem_cert) | |
1419 | { | |
1420 | bool have_match = false; | |
1421 | STACK_OF (GENERAL_NAME) * san_names = NULL; | |
1422 | ||
1423 | BIO *bio = BIO_new(BIO_s_mem()); | |
1424 | BIO_puts(bio, pem_cert.c_str()); | |
1425 | X509 *server_cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); | |
1426 | ||
1427 | // Extract the source alternate names from the certificate | |
1428 | san_names = | |
1429 | (stack_st_GENERAL_NAME *) X509_get_ext_d2i ((X509 *) server_cert, | |
1430 | NID_subject_alt_name, NULL, | |
1431 | NULL); | |
1432 | if (san_names == NULL) | |
1433 | { | |
1434 | return false; | |
1435 | } | |
1436 | ||
1437 | for (int i = 0; i < sk_GENERAL_NAME_num (san_names); i++) | |
1438 | { | |
1439 | const GENERAL_NAME *current_name = sk_GENERAL_NAME_value (san_names, i); | |
1440 | ||
1441 | if (current_name->type == GEN_DNS) | |
1442 | { | |
1443 | const int scheme_len = 8; // https:// | |
1444 | string dns_name = | |
1445 | string ((char *) ASN1_STRING_get0_data (current_name->d.dNSName)); | |
1446 | ||
1447 | if ((size_t) ASN1_STRING_length (current_name->d.dNSName) == | |
1448 | dns_name.length ()) | |
1449 | { | |
1450 | if (hostname.compare(scheme_len,dns_name.length(), dns_name)) | |
1451 | { | |
1452 | have_match = true; | |
1453 | break; | |
1454 | } | |
1455 | } | |
1456 | } | |
1457 | } | |
1458 | sk_GENERAL_NAME_pop_free (san_names, GENERAL_NAME_free); | |
1459 | BIO_free(bio); | |
1460 | X509_free(server_cert); | |
1461 | ||
1462 | return have_match; | |
1463 | } | |
1464 | #endif | |
1465 | ||
1466 | ||
aeb9cc10 DB |
1467 | // Ensure that our certificate exists and is valid. Generate a new one if not. |
1468 | int | |
1469 | check_cert (const string &db_path, const string &nss_cert_name, bool use_db_password) | |
1470 | { | |
1471 | // Generate a new cert database if the current one does not exist or is not valid. | |
638abbd0 | 1472 | if (! cert_db_is_valid (db_path, nss_cert_name, NULL)) |
aeb9cc10 DB |
1473 | { |
1474 | if (gen_cert_db (db_path, "", use_db_password) != 0) | |
1475 | { | |
1476 | // NSS message already issued. | |
1477 | nsscommon_error (_("Unable to generate new certificate")); | |
1478 | return 1; | |
1479 | } | |
1480 | } | |
1481 | return 0; | |
1482 | } | |
1483 | ||
1484 | void sign_file ( | |
1485 | const string &db_path, | |
1486 | const string &nss_cert_name, | |
1487 | const string &inputName, | |
1488 | const string &outputName | |
1489 | ) { | |
1490 | /* Get own certificate and private key. */ | |
1491 | CERTCertificate *cert = PK11_FindCertFromNickname (nss_cert_name.c_str (), NULL); | |
1492 | if (cert == NULL) | |
1493 | { | |
1494 | nsscommon_error (_F("Unable to find certificate with nickname %s in %s.", | |
1495 | nss_cert_name.c_str (), db_path.c_str())); | |
1496 | nssError (); | |
1497 | return; | |
1498 | } | |
1499 | ||
1500 | // Predeclare these to keep C++ happy abount branches to 'done'. | |
1501 | unsigned char buffer[4096]; | |
63a1cb66 | 1502 | PRFileDesc *local_file_fd = NULL; |
aeb9cc10 DB |
1503 | PRInt32 numBytes; |
1504 | SECStatus secStatus; | |
1505 | SGNContext *sgn; | |
1506 | SECItem signedData; | |
1507 | ||
1508 | /* db_path.c_str () gets passed to nssPasswordCallback */ | |
1509 | SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert (cert, (void *)db_path.c_str ()); | |
1510 | if (privKey == NULL) | |
1511 | { | |
1512 | nsscommon_error (_F("Unable to obtain private key from the certificate with nickname %s in %s.", | |
1513 | nss_cert_name.c_str (), db_path.c_str())); | |
1514 | nssError (); | |
1515 | goto done; | |
1516 | } | |
1517 | ||
1518 | /* Sign the file. */ | |
1519 | /* Set up the signing context. */ | |
1520 | sgn = SGN_NewContext (SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, privKey); | |
1521 | if (! sgn) | |
1522 | { | |
1523 | nsscommon_error (_("Could not create signing context")); | |
1524 | nssError (); | |
1525 | return; | |
1526 | } | |
1527 | secStatus = SGN_Begin (sgn); | |
1528 | if (secStatus != SECSuccess) | |
1529 | { | |
1530 | nsscommon_error (_("Could not initialize signing context.")); | |
1531 | nssError (); | |
1532 | return; | |
1533 | } | |
1534 | ||
1535 | /* Now read the data and add it to the signature. */ | |
1536 | local_file_fd = PR_Open (inputName.c_str(), PR_RDONLY, 0); | |
1537 | if (local_file_fd == NULL) | |
1538 | { | |
1539 | nsscommon_error (_F("Could not open module file %s", inputName.c_str ())); | |
1540 | nssError (); | |
1541 | return; | |
1542 | } | |
1543 | ||
1544 | for (;;) | |
1545 | { | |
5ab345f0 DB |
1546 | // No need for PR_Read_Complete here, since we're already managing multiple |
1547 | // reads to a fixed size buffer. | |
aeb9cc10 DB |
1548 | numBytes = PR_Read (local_file_fd, buffer, sizeof (buffer)); |
1549 | if (numBytes == 0) | |
1550 | break; /* EOF */ | |
1551 | ||
1552 | if (numBytes < 0) | |
1553 | { | |
1554 | nsscommon_error (_F("Error reading module file %s", inputName.c_str ())); | |
1555 | nssError (); | |
1556 | goto done; | |
1557 | } | |
1558 | ||
1559 | /* Add the data to the signature. */ | |
1560 | secStatus = SGN_Update (sgn, buffer, numBytes); | |
1561 | if (secStatus != SECSuccess) | |
1562 | { | |
1563 | nsscommon_error (_F("Error while signing module file %s", inputName.c_str ())); | |
1564 | nssError (); | |
1565 | goto done; | |
1566 | } | |
1567 | } | |
1568 | ||
1569 | /* Complete the signature. */ | |
1570 | secStatus = SGN_End (sgn, & signedData); | |
1571 | if (secStatus != SECSuccess) | |
1572 | { | |
1573 | nsscommon_error (_F("Could not complete signature of module file %s", inputName.c_str ())); | |
1574 | nssError (); | |
1575 | goto done; | |
1576 | } | |
1577 | ||
1578 | SGN_DestroyContext (sgn, PR_TRUE); | |
1579 | ||
1580 | /* Now write the signed data to the output file. */ | |
93ea565a LB |
1581 | if(local_file_fd != NULL) |
1582 | PR_Close (local_file_fd); | |
aeb9cc10 DB |
1583 | local_file_fd = PR_Open (outputName.c_str(), PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, |
1584 | PR_IRUSR | PR_IWUSR | PR_IRGRP | PR_IWGRP | PR_IROTH); | |
1585 | if (local_file_fd == NULL) | |
1586 | { | |
1587 | nsscommon_error (_F("Could not open signature file %s", outputName.c_str ())); | |
1588 | nssError (); | |
1589 | goto done; | |
1590 | } | |
1591 | ||
1592 | numBytes = PR_Write (local_file_fd, signedData.data, signedData.len); | |
1593 | if (numBytes < 0 || numBytes != (PRInt32)signedData.len) | |
1594 | { | |
1595 | nsscommon_error (_F("Error writing to signature file %s", outputName.c_str ())); | |
1596 | nssError (); | |
1597 | } | |
1598 | ||
1599 | done: | |
1600 | if (privKey) | |
1601 | SECKEY_DestroyPrivateKey (privKey); | |
1602 | CERT_DestroyCertificate (cert); | |
97b1f2ee LB |
1603 | if(local_file_fd != NULL) |
1604 | PR_Close (local_file_fd); | |
aeb9cc10 DB |
1605 | } |
1606 | ||
5ab345f0 DB |
1607 | // PR_Read() is not guaranteed to read all of the requested data in one call. |
1608 | // Iterate until all of the requested data has been read. | |
1609 | // Return the same values as PR_Read() would. | |
1610 | PRInt32 PR_Read_Complete (PRFileDesc *fd, void *buf, PRInt32 requestedBytes) | |
1611 | { | |
1612 | // Read until EOF or until the expected number of bytes has been read. | |
1613 | // PR_Read wants (void*), but we need (char *) to do address arithmetic. | |
1614 | char *buffer = (char *)buf; | |
18c01558 FCE |
1615 | PRInt32 totalBytes; |
1616 | PRInt32 bytesRead; | |
1617 | for (totalBytes = 0; totalBytes < requestedBytes; totalBytes += bytesRead) | |
5ab345f0 DB |
1618 | { |
1619 | // Now read the data. | |
1620 | bytesRead = PR_Read (fd, (void *)(buffer + totalBytes), requestedBytes - totalBytes); | |
1621 | if (bytesRead == 0) | |
1622 | break; // EOF | |
1623 | if (bytesRead < 0) | |
1624 | return bytesRead; // Error | |
1625 | } | |
1626 | ||
1627 | // Return the number of bytes we managed to read. | |
1628 | return totalBytes; | |
1629 | } | |
1630 | ||
b3367f63 | 1631 | SECStatus |
cd1418c7 | 1632 | read_cert_info_from_file (const string &certPath, string &fingerprint) |
b3367f63 DS |
1633 | { |
1634 | FILE *certFile = fopen (certPath.c_str (), "rb"); | |
1635 | SECStatus secStatus = SECFailure; | |
1636 | ||
1637 | if (! certFile) | |
1638 | { | |
1639 | nsscommon_error (_F("Could not open certificate file %s for reading\n%s", | |
1640 | certPath.c_str (), strerror (errno))); | |
1641 | return SECFailure; | |
1642 | } | |
1643 | ||
1644 | int fd = fileno (certFile); | |
1645 | struct stat info; | |
1646 | int rc = fstat (fd, &info); | |
1647 | if (rc != 0) | |
1648 | { | |
1649 | nsscommon_error (_F("Could not obtain information about certificate file %s\n%s", | |
1650 | certPath.c_str (), strerror (errno))); | |
1651 | fclose (certFile); | |
1652 | return SECFailure; | |
1653 | } | |
1654 | ||
1655 | PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
1656 | if (!arena) | |
1657 | { | |
1658 | nsscommon_error (_F("Could not create arena while decoding certificate from file %s", | |
1659 | certPath.c_str ())); | |
82c6d474 | 1660 | fclose (certFile); |
b3367f63 DS |
1661 | goto done; |
1662 | } | |
1663 | ||
1664 | SECItem derCert; | |
1665 | if (!SECITEM_AllocItem(arena, &derCert, info.st_size)) | |
1666 | { | |
1667 | nsscommon_error (_F("Could not allocate DER cert\n%s", | |
1668 | strerror (errno))); | |
1669 | fclose (certFile); | |
1670 | goto done; | |
1671 | } | |
1672 | ||
1673 | size_t read; | |
1674 | read = fread (derCert.data, 1, derCert.len, certFile); | |
1675 | fclose (certFile); | |
1676 | if (read != derCert.len) | |
1677 | { | |
1678 | nsscommon_error (_F("Error reading from certificate file %s\n%s", | |
1679 | certPath.c_str (), strerror (errno))); | |
1680 | goto done; | |
1681 | } | |
1682 | derCert.type = siDERCertBuffer; | |
1683 | ||
cd1418c7 | 1684 | // Sigh. We'd like to use CERT_DecodeDERCertificate() here, but |
b3367f63 DS |
1685 | // although /usr/include/nss3/cert.h declares them, the shared |
1686 | // library doesn't export them. | |
1687 | ||
1688 | CERTCertificate *cert; | |
1689 | int rv; | |
cd1418c7 | 1690 | char *str; |
b3367f63 DS |
1691 | |
1692 | // Strip off the signature. | |
1693 | CERTSignedData *sd; | |
1694 | sd = PORT_ArenaZNew(arena, CERTSignedData); | |
1695 | if (!sd) | |
1696 | { | |
1697 | nsscommon_error (_F("Could not allocate signed data while decoding certificate from file %s", | |
1698 | certPath.c_str ())); | |
1699 | goto done; | |
1700 | } | |
1701 | rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate), | |
1702 | &derCert); | |
1703 | if (rv) | |
1704 | { | |
1705 | nsscommon_error (_F("Could not decode signature while decoding certificate from file %s", | |
1706 | certPath.c_str ())); | |
1707 | goto done; | |
1708 | } | |
1709 | ||
1710 | // Decode the certificate. | |
1711 | cert = PORT_ArenaZNew(arena, CERTCertificate); | |
1712 | if (!cert) | |
1713 | { | |
1714 | nsscommon_error (_F("Could not allocate cert while decoding certificate from file %s", | |
1715 | certPath.c_str ())); | |
1716 | goto done; | |
1717 | } | |
1718 | cert->arena = arena; | |
1719 | rv = SEC_ASN1DecodeItem(arena, cert, | |
1720 | SEC_ASN1_GET(CERT_CertificateTemplate), &sd->data); | |
1721 | if (rv) | |
1722 | { | |
1723 | nsscommon_error (_F("Could not decode certificate from file %s", | |
1724 | certPath.c_str ())); | |
1725 | goto done; | |
1726 | } | |
1727 | ||
b3367f63 | 1728 | // Get the fingerprint from the signature. |
cd1418c7 | 1729 | unsigned char fingerprint_buf[SHA1_LENGTH]; |
b3367f63 DS |
1730 | SECItem fpItem; |
1731 | rv = PK11_HashBuf(SEC_OID_SHA1, fingerprint_buf, derCert.data, derCert.len); | |
1732 | if (rv) | |
1733 | { | |
1734 | nsscommon_error (_F("Could not decode SHA1 fingerprint from file %s", | |
1735 | certPath.c_str ())); | |
1736 | goto done; | |
1737 | } | |
1738 | fpItem.data = fingerprint_buf; | |
cd1418c7 | 1739 | fpItem.len = sizeof(fingerprint_buf); |
b3367f63 DS |
1740 | str = CERT_Hexify(&fpItem, 1); |
1741 | if (! str) | |
1742 | { | |
1743 | nsscommon_error (_F("Could not hexify SHA1 fingerprint from file %s", | |
1744 | certPath.c_str ())); | |
1745 | goto done; | |
1746 | } | |
1747 | fingerprint = str; | |
1748 | transform(fingerprint.begin(), fingerprint.end(), fingerprint.begin(), | |
1749 | ::tolower); | |
1750 | PORT_Free(str); | |
1751 | secStatus = SECSuccess; | |
1752 | ||
1753 | done: | |
1754 | if (arena) | |
1755 | PORT_FreeArena(arena, PR_FALSE); | |
1756 | return secStatus; | |
1757 | } | |
1758 | ||
aeb9cc10 | 1759 | /* vim: set sw=2 ts=8 cino=>4,n-2,{2,^-2,t0,(0,u0,w1,M1 : */ |