Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 299418 Details for
Bug 346731
Port crypto-utils to use NSS library for cryptography
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
patch for certwatch and genkey crypto-utils
keyutil.c (text/plain), 18.67 KB, created by
Elio Maldonado Batiz
on 2008-03-28 00:50:04 UTC
(
hide
)
Description:
patch for certwatch and genkey crypto-utils
Filename:
MIME Type:
Creator:
Elio Maldonado Batiz
Created:
2008-03-28 00:50:04 UTC
Size:
18.67 KB
patch
obsolete
>/* > Copyright 2005 Red Hat, Inc. > > This program is free software; you can redistribute it and/or modify > it under the terms of the GNU General Public License as published by > the Free Software Foundation; either version 2 of the License, or > (at your option) any later version. > > This program is distributed in the hope that it will be useful, > but WITHOUT ANY WARRANTY; without even the implied warranty of > MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > GNU General Public License for more details. > > You should have received a copy of the GNU General Public License > along with this program; if not, write to the Free Software > Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. > > In addition, as a special exception, Red Hat, Inc. gives permission > to link the code of this program with the OpenSSL library (or with > modified versions of OpenSSL that use the same license as OpenSSL), > and distribute linked combinations including the two. You must obey > the GNU General Public License in all respects for all of the code > used other than OpenSSL. If you modify this file, you may extend > this exception to your version of the file, but you are not > obligated to do so. If you do not wish to do so, delete this > exception statement from your version. > >*/ > >/* ***** BEGIN LICENSE BLOCK ***** > * Version: MPL 1.1/GPL 2.0/LGPL 2.1 > * > * The contents of this file are subject to the Mozilla Public License Version > * 1.1 (the "License"); you may not use this file except in compliance with > * the License. You may obtain a copy of the License at > * http://www.mozilla.org/MPL/ > * > * Software distributed under the License is distributed on an "AS IS" basis, > * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License > * for the specific language governing rights and limitations under the > * License. > * > * The Original Code is the Netscape security libraries. > * > * The Initial Developer of the Original Code is > * Netscape Communications Corporation. > * Portions created by the Initial Developer are Copyright (C) 1994-2000 > * the Initial Developer. All Rights Reserved. > * > * Contributor(s): > * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories > * > * Alternatively, the contents of this file may be used under the terms of > * either the GNU General Public License Version 2 or later (the "GPL"), or > * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), > * in which case the provisions of the GPL or the LGPL are applicable instead > * of those above. If you wish to allow use of your version of this file only > * under the terms of either the GPL or the LGPL, and not to allow others to > * use your version of this file under the terms of the MPL, indicate your > * decision by deleting the provisions above and replace them with the notice > * and other provisions required by the GPL or the LGPL. If you do not delete > * the provisions above, a recipient may use your version of this file under > * the terms of any one of the MPL, the GPL or the LGPL. > * > * ***** END LICENSE BLOCK ***** */ > >/* $Id: keyutil.c,v 1.10 2008/03/23 10:09:40 emaldona Exp $ */ > >/* Key generation, encryption, and certificate utility code, based on > * code from NSS's security utilities and the certutil application. > * Elio Maldonado <emaldona@redhat.com> > */ > >#include <stdio.h> >#include <string.h> >/*#include "secutil.h"*/ > >#include <unistd.h> >#include <sys/time.h> >#include <termios.h> > >#include <nspr.h> >#include <nss.h> >#include <cert.h> >#include <certt.h> >#include <prio.h> >#include <prlong.h> >#include <prtime.h> >#include <pk11func.h> >#include <pkcs11t.h> >#include <assert.h> >#include <secmod.h> >#include <base64.h> >#include <seccomon.h> >#include <secmodt.h> >#include <secoidt.h> >#include <keythi.h> > >#include <stdio.h> >#include <string.h> >#include <stdlib.h> >#include <getopt.h> >#include <time.h> > >#define REP_MECHANISM mechanism[testId/2/2%46] > >#define NUM_KEYSTROKES 120 >#define RAND_BUF_SIZE 60 > >#define ERROR_BREAK rv = SECFailure;break; > >typedef struct { > enum { > PW_NONE = 0, > PW_FROMFILE = 1, > PW_PLAINTEXT = 2, > PW_EXTERNAL = 3 > } source; > char *data; >} secuPWData; > >typedef enum _CommandType { > cmd_GenKeyPair, > cmd_GenCert, > cmd_GenCsr, > comd_WrapPrivateKey, > cmd_UnwrapPrivateKey >} CommandType; > >struct KeyPairStr { > SECKEYPrivateKey *refPrivk; > SECKEYPublicKey *pubkey; >}; > >typedef struct KeyPairStr KeyPair; > >typedef struct _PrivateKeyStr PrivateKey; > > > >/* Uses the password passed in the -f(pwfile) argument of the command line. > * After use once, null it out otherwise PKCS11 calls us forever.? > * > * Code based on SECU_GetModulePassword from the Mozilla NSS secutils > * imternal librart. > */ >#if(0) >static char *GetModulePasswordFromFile(PK11SlotInfo *slot, PRBool retry, void *arg) >{ > int i; > unsigned char phrase[200]; > PRFileDesc *fd; > PRInt32 nb; > char *pwFile = arg; > > if (!pwFile) return 0; > if (retry) return 0; /* no good retrying - file contents will be the same */ > if (!(fd = PR_Open(pwFile, PR_RDONLY, 0))) return 0; > > nb = PR_Read(fd, phrase, sizeof(phrase)); > PR_Close(fd); > > /* handle the Windows EOL case */ > i = 0; > while (phrase[i] != '\r' && phrase[i] != '\n' && i < nb) i++; > phrase[i] = '\0'; > if (nb == 0) return NULL; > > return (char*) PORT_Strdup((char*)phrase); >} >#endif > >static SECStatus >CERTUTIL_FileForRNG(const char *noise) >{ > char buf[2048]; > PRFileDesc *fd; > PRInt32 count; > > fd = PR_Open(noise,PR_RDONLY,0); > if (!fd) { > fprintf(stderr, "failed to open noise file."); > return SECFailure; > } > > do { > count = PR_Read(fd,buf,sizeof(buf)); > if (count > 0) { > PK11_RandomUpdate(buf,count); > } > } while (count > 0); > > PR_Close(fd); > return SECSuccess; >} > >/* returns 0 for success, -1 for failure (EOF encountered) */ >static int >UpdateRNG(void) >{ > char randbuf[RAND_BUF_SIZE]; > int fd, count; > int c; > int rv = 0; > cc_t orig_cc_min; > cc_t orig_cc_time; > tcflag_t orig_lflag; > struct termios tio; > char meter[] = { > "\r| |" }; > >#define FPS fprintf(stderr, > FPS "\n"); > FPS "A random seed must be generated that will be used in the\n"); > FPS "creation of your key. One of the easiest ways to create a\n"); > FPS "random seed is to use the timing of keystrokes on a keyboard.\n"); > FPS "\n"); > FPS "To begin, type keys on the keyboard until this progress meter\n"); > FPS "is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!\n"); > FPS "\n"); > FPS "\n"); > FPS "Continue typing until the progress meter is full:\n\n"); > FPS meter); > FPS "\r|"); > > /* turn off echo on stdin & return on 1 char instead of NL */ > fd = fileno(stdin); > > tcgetattr(fd, &tio); > orig_lflag = tio.c_lflag; > orig_cc_min = tio.c_cc[VMIN]; > orig_cc_time = tio.c_cc[VTIME]; > tio.c_lflag &= ~ECHO; > tio.c_lflag &= ~ICANON; > tio.c_cc[VMIN] = 1; > tio.c_cc[VTIME] = 0; > tcsetattr(fd, TCSAFLUSH, &tio); > > /* Get random noise from keyboard strokes */ > count = 0; > while (count < sizeof randbuf) { > c = getc(stdin); > if (c == EOF) { > rv = -1; > break; > } > randbuf[count] = c; > if (count == 0 || c != randbuf[count-1]) { > count++; > FPS "*"); > } > } > PK11_RandomUpdate(randbuf, sizeof randbuf); > memset(randbuf, 0, sizeof randbuf); > > FPS "\n\n"); > FPS "Finished. Press enter to continue: "); >#if defined(VMS) > while((c = GENERIC_GETCHAR_NO_ECHO()) != '\r' && c != EOF) > ; >#else > while ((c = getc(stdin)) != '\n' && c != EOF) > ; >#endif > if (c == EOF) > rv = -1; > FPS "\n"); > >#undef FPS > >#if defined(XP_UNIX) && !defined(VMS) > /* set back termio the way it was */ > tio.c_lflag = orig_lflag; > tio.c_cc[VMIN] = orig_cc_min; > tio.c_cc[VTIME] = orig_cc_time; > tcsetattr(fd, TCSAFLUSH, &tio); >#endif > return rv; >} > >SECKEYPrivateKey * >CERTUTIL_GeneratePrivateKey( > KeyType keytype, /* rsaKey */ > PK11SlotInfo *slot, > int size, > int publicExponent, > const char *noise, > SECKEYPublicKey **pubkeyp, > const char *pqgFile,/* NULL */ > secuPWData *pwdata) >{ > CK_MECHANISM_TYPE mechanism; > SECOidTag algtag; > PK11RSAGenParams rsaparams; > void * params; > SECKEYPrivateKey * privKey = NULL; > > if (slot == NULL) > return NULL; > > if (PK11_Authenticate(slot, PR_TRUE, pwdata) != SECSuccess) > return NULL; > > /* > * Do some random-number initialization. > */ > > if (noise) { > SECStatus rv = CERTUTIL_FileForRNG(noise); > if (rv != SECSuccess) { > PORT_SetError(PR_END_OF_FILE_ERROR); /* XXX */ > return NULL; > } > } else { > int rv = UpdateRNG(); > if (rv) { > PORT_SetError(PR_END_OF_FILE_ERROR); > return NULL; > } > } > > rsaparams.keySizeInBits = size; > rsaparams.pe = publicExponent; > mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN; > /* MD5 ? */ > algtag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION; > params = &rsaparams; > > fprintf(stderr, "\n\n"); > fprintf(stderr, "Generating key. This may take a few moments...\n\n"); > > privKey = PK11_GenerateKeyPair( > slot, mechanism, params, pubkeyp, > PR_TRUE /*isPerm*/, > PR_TRUE /*isSensitive*/, > pwdata /*wincx*/); > > return privKey; >} > >int gen_key_pair(const char *seedFile, int keySize, > const char *password, const char *outFile) >{ >#if (0) > CK_MECHANISM_TYPE mech = CKM_RSA_PKCS_KEY_PAIR_GEN; >#endif > PK11RSAGenParams *kgparams; > > SECKEYPrivateKey *refPrivk=NULL; > SECKEYPublicKey *pubkey=NULL; > > PK11SlotInfo *internal = PK11_GetInternalKeySlot(); > secuPWData pwdata = { PW_NONE, 0 }; > > //SECStatus status; > //int errcode; > > kgparams = PR_Malloc(sizeof(PK11RSAGenParams)); > kgparams->keySizeInBits = keySize; > kgparams->pe = 65537L; > > /* > if (password) > pwdata.source = PW_FROMFILE; > pwdata.data = certutil.options[opt_PasswordFile].arg; > */ > >#if (0) > refPrivk = PK11_GenerateKeyPair(internal, PK11_GetKeyGen(mech), > kgparams, &pubkey, > PR_FALSE/*isPerm*/, > PR_FALSE /*isSensitive*/, > NULL/*wincx*/ > ); >#endif > > refPrivk = CERTUTIL_GeneratePrivateKey( > rsaKey, > internal, > keySize, > 65537L, > seedFile, > &pubkey, > NULL,/* no pqgFile */ > &pwdata > ); >/*secuPWData *pwdata)*/ > > assert(refPrivk); > assert(pubkey); > > return 0; >} > >static void gen_cert(const char *seedfile, int keysize) >{ > /* > rv = CertReq(privkey, > pubkey, > rsa, > hashAlgTag, // SEC_OID_MD5 > subject, > certutil.options[opt_PhoneNumber].arg, > 1, // ascii > certutil.options[opt_ExtendedEmailAddrs].arg, > certutil.options[opt_ExtendedDNSNames].arg, > certutil_extns, > outFile ? outFile : PR_STDOUT); >*/ >} > >static void gen_csr(const char *seedfile, int keysize) >{ > >} > >static int wrap_key(const char *keyToWrap, > const char *password, > const char *enckeyFile) >{ > int result = 0; > FILE * out = NULL; > /*char *buffer = NULL;*/ > /*char *key = NULL;*/ > PK11SlotInfo *slot; /* encrypt key in this slot */ > > /* encrypt key with this algorithm */ > SECOidTag algTag = SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC; > > struct SECItemStr { > SECItemType type; > unsigned char *data; > unsigned int len; > }; > > SECItem pwitem = { 0, NULL, 0 }; /* password for PBE encryption */ > CERTCertificate *cert = NULL; /* wrap priv key for this user cert */ > int iteration = 1000; /* iterations for PBE alg */ > secuPWData pwdata = { PW_NONE, 0 }; > SECKEYEncryptedPrivateKeyInfo *epki = NULL; > size_t nwritten = 0; > > out = fopen(enckeyFile, "w"); > if (!out) { > printf("Can't open %s for writing\n", enckeyFile); > return -1; > } > /* TODO: Add here the case where password is required to > * authenticate ourselves to the module. > * > */ > > do { > slot = PK11_GetInternalKeySlot(); > if (PK11_NeedLogin(slot)) { > SECStatus rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); > if (rv != SECSuccess) { > /* FIXME: remove prints or write to an error log file */ > printf("Could not authenticate to token %s\n", > PK11_GetTokenName(slot)); > result = rv; > break; > } > } > > pwitem.type = siBuffer; > pwitem.data = (unsigned char *) strdup(password); > pwitem.len = strlen(password); > > epki = PK11_ExportEncryptedPrivateKeyInfo( > slot, /* optional, encrypt key in this slot */ > algTag, /* encrypt key with this algorithm */ > &pwitem, /* password for PBE encryption */ > cert, /* wrap priv key for this user cert */ > iteration, /* interations for PBE alg */ > &pwdata /* context for password callback ? */ > ); > > if (!epki) { > result = -1; > break; > } > > nwritten = fwrite(epki, 1, sizeof(SECKEYEncryptedPrivateKeyInfo), out); > assert(nwritten == sizeof(SECKEYEncryptedPrivateKeyInfo)); > > } while (0); > > /* cleanup:*/ > if (slot) PK11_FreeSlot(slot); > if (out) fclose(out); > /* Do with need to clear and free the PrivateKeyInfo? */ > > /* do some verification here */ > > return result; >} > >static char *unwrap_key(const char *enckeyFile, const char *password) >{ > int result; > int size = 0; > FILE * in; > char *buffer; > > in = fopen (enckeyFile, "r"); > if (!in) { > printf("Can't open %s for reading\n", enckeyFile); > return NULL; > } > fseek (in, 0, SEEK_END); > size = ftell(in); > rewind(in); > > buffer = (char*) malloc (sizeof(char)*size); > if (buffer == NULL) {fputs ("Memory error",stderr); exit (2);} > > result = fread (buffer,1,size,in); > if (result != size) {fputs ("Reading error",stderr); exit (3);} > > /* the whole file is now loaded in the memory buffer > * and we can decrypt it. */ > > // terminate > fclose (in); > if (buffer) free (buffer); > > return 0; >} > >int main(int argc, char **argv) >{ > /* > This utitity is invoked by the genkey perl script as follows. > if (!open (PIPE, > "| $bindir/keyutil --type=rsa --algorithm=des3 ". > "--in $keyfile -passout stdin ". > "--out $enckey")) { > Newt::newtWinMessage("Error", "Close", > "Unable to set passphrase". > "\n\nPress return to continue"); > return "Back"; > } > */ > CommandType cmd = cmd_GenKeyPair; > > // --randfile $randfile --keysize > int optc, rv = 0; > static const struct option options[] = { > { "command", required_argument, NULL, 'c'}, > /* > { "type", required_argument, NULL, 't' }, > { "algorithm", required_argument, NULL, 'a' }, > */ > { "randfile", required_argument, NULL, 'z' }, > { "keysize", required_argument, NULL, 'g' }, > { "input", required_argument, NULL, 'i' }, > { "password", required_argument, NULL, 'p' }, > { "output", required_argument, NULL, 'o' }, > { NULL } > }; > char *cmdstr = NULL; > /* > char *type = "rsa"; > char *algorithm = "des3"; > */ > char *seedfile = NULL; > int keysize = 1024; > char *keyfile = NULL; > char *outfile = NULL; > char *password; > char *configdir = ""; > > char *certDBPrefix = ""; > char *keyDBPrefix = ""; > > /* > my $args = ""; > if ($genreq_mode) { > # build the arguments for a gen request call > $args = "--command=genreq"; > $args = $args . $SPACE . "--keysize=" . "$bits" if $bits; > $args = $args . $SPACE . "--subject=" . "$subject" if $subject; # global variable, set in $cert was > $args = $args . $SPACE . "--validity=" . "$valid_months" if $valid_months; > $args = $args . $SPACE . "--outfile=" . "$certfile" if $certfile; # actually a csr file > $args = $args . $SPACE . "--noisefile=" . "$randfile" if $randfile; > > print "genreq command: $args\n" if $traceon; > > system("$bindir/keyutil %args"); > > } else { > # build the arguments for a gen cert call, self-signed > $args = "--command=gencert"; > $args = $args . $SPACE . "--keysize=" . "$bits" if $bits; > $args = $args . $SPACE . "--mdigest=" . "$mdigest" if $mdigest; ## default sha1 > $args = $args . $SPACE . "--subject=" . "$subject" if $subject; ## coolected earlier > $args = $args . $SPACE . "--validity=" . "$valid_months" if $valid_months; > $args = $args . $SPACE . "--noisefile=" . "$randfile" if $randfile; > > # FIXME ignoring for now > #if ($pwdfile) { $args = $args . $SPACE . "--pwfile" . $SPACE . "$pwdfile"; } > > print "gencert command: $args\n" if $traceon; > > system("$bindir/keyutil $args"); > } > > */ > > /*t:a:*/ > while ((optc = getopt_long(argc, argv, "c:z:g:i:o:", options, NULL)) != -1) { > switch (optc) { > case 'c': > cmdstr = strdup(optarg); > if (strcmp(cmdstr, "genrsa")==0) { > cmd = cmd_GenKeyPair; > } else if (strcmp(cmdstr, "gencert")==0) { > cmd = cmd_GenCert; > } else if (strcmp(cmdstr, "gencsr")==0) { > cmd = cmd_GenCsr; > } else if (strcmp(cmdstr, "wrapkey")==0) { > cmd = comd_WrapPrivateKey; > } else if (strcmp(cmdstr, "unwrapkey")==0) { > cmd = cmd_UnwrapPrivateKey; > } else { > printf("Invalid argument: %s\n", cmdstr); > exit(2); > } > break; > /* > case 't': > type = strdup(optarg); > assert(strcmp(type,"rsa")==0); > break; > case 'a': > algorithm = strdup(optarg); > assert(strcmp(type,"des3")==0); > break; > */ > case 'z': > seedfile = strdup(optarg); > break; > case 'g': > keysize = atoi(optarg); > break; > case 'i': > keyfile = strdup(optarg); > break; > case 'o': > outfile = strdup(optarg); > break; > default: > exit(2); > break; > } > } > password = argv[optind]; > > /* NSS initialization */ > > if (NSS_Initialize(configdir, certDBPrefix, keyDBPrefix, > SECMOD_DB, NSS_INIT_READONLY) != SECSuccess) { > return EXIT_FAILURE; > } > > switch (cmd) { > case cmd_GenKeyPair: > /* no password */ > (void) gen_key_pair(seedfile, keysize, NULL, outfile); > break; > case cmd_GenCert: > (void) gen_cert(seedfile, keysize); > break; > case cmd_GenCsr: > (void) gen_csr(seedfile, keysize); > break; > case comd_WrapPrivateKey: > rv = wrap_key(keyfile, password, outfile); > break; > case cmd_UnwrapPrivateKey: > (void) unwrap_key(keyfile, "password"); > break; > } > > return rv; >}
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=299418">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 346731
:
299417
|
299418
|
299429
|
299430
|
299432
|
304057
|
304280
|
304281
|
304282
|
304284
|
304285
|
304286
|
304287
|
304288
|
304289
|
304290
|
305047
|
305048
|
308356
|
320816
|
320817
|
320818
|
320819
|
320820
|
320821
|
320822
|
320823
|
321049
|
321051
|
321681
|
321682
|
321683
|
321684