[nss-softokn] Update to NSS_3_14_RC1
Elio Maldonado
emaldonado at fedoraproject.org
Sun Oct 21 18:42:18 UTC 2012
commit 78e1e764785e10f7e91e0f6c42f4ee26386b354d
Author: Elio Maldonado <emaldona at redhat.com>
Date: Sun Oct 21 11:33:27 2012 -0700
Update to NSS_3_14_RC1
- Remove patches rendered obsolete by this update and update others
- Temporarily modify the spec file while bootstrapping the buildroot as follows:
- Remove unwanted headers that we no longer ship
- Modified the post install scriptlet to ensure the in-tree freebl library is loaded
- Todo: Remove these changes in the next build
Bug-745224-nss-3.13.4-fips-sha224-selftest.patch | 22 -
...Restore-use-of-NSS_NoDB_Init-or-alternate.patch | 13 -
add-relro-linker-option.patch | 16 -
drbg.patch | 481 ---
nss-softokn-fix-gcc47-secmodt.patch | 12 -
nss-softokn.spec | 41 +-
softoken-minimal-test-dependencies.patch | 4021 +-------------------
7 files changed, 44 insertions(+), 4562 deletions(-)
---
diff --git a/nss-softokn.spec b/nss-softokn.spec
index fbca3d7..9fce271 100644
--- a/nss-softokn.spec
+++ b/nss-softokn.spec
@@ -4,11 +4,16 @@
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global saved_files_dir %{_libdir}/nss/saved
+# FIXME: Remove the export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} line
+# once we have boostrapped the buildroot with the new freebl. This is done
+# to guarantee that shlibsign will use the in-tree freebl, otherwise the
+# the digestLen check and signature verification would fail.
# Produce .chk files for the final stripped binaries
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
+ export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} \
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \
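Review bot: The `export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir}` added to `__spec_install_post` stays in effect for every command that follows it in the scriptlet, not only the three shlibsign invocations it is meant for, and it silently replaces any LD_LIBRARY_PATH the build environment already had. Scoping the override to the commands that need it keeps the bootstrap hack self-contained and makes the FIXME easier to honour later, e.g. `LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \` and the same prefix on the libfreebl3.so and libnssdbm3.so lines. The macro definition continues past the end of this hunk (the last line still ends in `\`), so whatever comes after it also inherits the export. While touching the new comment, `the the digestLen` and `boostrapped` are typos.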
@@ -57,10 +62,11 @@ Source2: nss-split-softokn.sh
Source3: nss-softokn.pc.in
Source4: nss-softokn-config.in
-Patch1: add-relro-linker-option.patch
+Patch8: softoken-minimal-test-dependencies.patch
+# This patch uses the gcc-iquote dir option documented at
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
# to place the in-tree directories at the head of the list on list of directories
-# to be searched for for header files. This is ensures a build even when system freebl
+# to be searched for for header files. This ensures a build even when system freebl
# headers are older. Such is the case when we are starting a major update.
# NSSUTIL_INCLUDE_DIR, after all, contains both util and freebl headers.
# Once has been bootstapped the patch may be removed, but it doesn't hurt to keep it.
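Review bot: `Patch8: softoken-minimal-test-dependencies.patch` is introduced without a comment of its own, and the comment block that starts right under it describes the gcc-iquote option, i.e. the patch applied as `%patch9 -p0 -b .iquote` in %prep, so a reader is likely to attribute that text to Patch8. A one-line comment above the declaration would avoid that, for instance `# Trims cmd/lib to the sources softoken's tests need so they build without the rest of NSS` (wording to be checked against the patch, which judging by its manifest.mn hunk drops secpwd.c and friends from CSRCS). The same placement issue recurs in the %prep hunk, where the new `%patch8 -p0 -b .crypto` line sits directly above the "activate if needed when doing a major update" comment that belongs to patch9. The context lines still carry `for for header files` and `Once has been bootstapped`; worth fixing in the same pass as the `This ensures` correction.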
@@ -116,6 +122,7 @@ Header and library files for doing development with Network Security Services.
%prep
%setup -q
+%patch8 -p0 -b .crypto
# activate if needed when doing a major update with new apis
%patch9 -p0 -b .iquote
@@ -175,7 +182,10 @@ export USE_64
%endif
# uncomment if the iguote patch is activated
-#export IN_TREE_FREEBL_HEADERS_FIRST=1
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+
+# Use only the basicutil subset for sectools.a
+export NSS_BUILD_SOFTOKEN_ONLY=1
# Compile softokn plus needed support
%{__make} -C ./mozilla/security/coreconf
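Review bot: `export IN_TREE_FREEBL_HEADERS_FIRST=1` is now unconditionally active, but the comment kept above it still reads `# uncomment if the iguote patch is activated`, which describes the previous state (and misspells iquote). Since `%patch9 -p0 -b .iquote` in %prep appears to be applied without a conditional in this diff, the comment should say that the two must stay in step, e.g. `# Patch9 (iquote) is applied in %prep, so in-tree freebl headers must be searched first`. If a later bootstrap cleanup disables patch9 while leaving this export in place, the build would search in-tree headers that the patch no longer arranges, so tying the two together in the comment is worth it.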
@@ -215,15 +225,6 @@ export SOFTOKEN_VPATCH
chmod 755 ./mozilla/dist/pkgconfig/nss-softokn-config
-# enable the following line to force a test failure
-# find ./mozilla -name \*.chk | xargs rm -f
-
-#
-# We can't run a subset of the tests because the tools have
-# dependencies on nss libraries outside of softokn.
-# Let's leave this as a place holder.
-#
-
%check
# Begin -- copied from the build section
@@ -299,6 +300,13 @@ do
%{__install} -p -m 755 mozilla/dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
done
+# FIXME: Remove this section once the bootstrapping in done
+# nss-softokn-devel will no longer own sechash.h or secmodt.h, nss-devel will.
+for file in mozilla/dist/public/nss/sechash.h mozilla/dist/public/nss/secmodt.h
+do
+ %{__rm} -f $file
+done
+
# Copy the include files we want
for file in mozilla/dist/public/nss/*.h
do
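Review bot: The FIXME `Remove this section once the bootstrapping in done` conflicts with the rest of the change: the %files hunk further down drops `sechash.h` and `secmodt.h` from the package permanently (the comment says nss-devel owns them from now on), yet the copy loop right below installs `mozilla/dist/public/nss/*.h` unfiltered. If this rm loop is removed later as the FIXME instructs, those two headers will land in the buildroot again while %files no longer lists them, which should make rpmbuild fail on unpackaged files unless the `*.h` glob is narrowed at the same time. The comment should say so, e.g. `# sechash.h and secmodt.h are owned by nss-devel now; drop them here so the *.h copy below does not install them (keep this, or filter the copy loop, as long as %files omits them)`, and `in done` reads as a typo for `is done`. Quoting the loop variable as `"$file"` would also match the defensive style worth having in scriptlets, though buildroot paths here contain no spaces.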
@@ -371,15 +379,16 @@ done
# which installed them before us.
#
%{_includedir}/nss3/ecl-exp.h
-%{_includedir}/nss3/sechash.h
%{_includedir}/nss3/nsslowhash.h
-%{_includedir}/nss3/secmodt.h
%{_includedir}/nss3/shsign.h
%changelog
-* Fri Oct 19 2012 Elio Maldonado <emaldona at redhat.com> - 3.14-0.1.rc.1
+* Sun Oct 21 2012 Elio Maldonado <emaldona at redhat.com> - 3.14-0.1.rc.1
- Update to NSS_3_14_RC1
-- Remove patches rendered obsolete by this update
+- Remove patches rendered obsolete by this update and update others
+- Temporarily modifiy the spec file while bootstrapping the buildroot a follows:
+- Remove unwanted headers that we lo loger ship
+- Modified the post install scriplet to ensure the in-tree freebl library is loaded
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 3.13.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
diff --git a/softoken-minimal-test-dependencies.patch b/softoken-minimal-test-dependencies.patch
index 52abbff..b8daa9c 100644
--- a/softoken-minimal-test-dependencies.patch
+++ b/softoken-minimal-test-dependencies.patch
@@ -1,3950 +1,7 @@
-diff -up ./mozilla/security/nss/cmd/lib/manifest.mn.crypto ./mozilla/security/nss/cmd/lib/manifest.mn
---- ./mozilla/security/nss/cmd/lib/manifest.mn.crypto 2011-09-16 12:16:50.000000000 -0700
-+++ ./mozilla/security/nss/cmd/lib/manifest.mn 2012-04-01 13:15:51.536584250 -0700
-@@ -48,11 +48,6 @@ PRIVATE_EXPORTS = secutil.h \
- $(NULL)
-
- CSRCS = secutil.c \
-- secpwd.c \
-- derprint.c \
-- moreoids.c \
-- pppolicy.c \
-- ffs.c \
- pk11table.c \
- $(NULL)
-
-diff -up ./mozilla/security/nss/cmd/lib/secutil.c.crypto ./mozilla/security/nss/cmd/lib/secutil.c
---- ./mozilla/security/nss/cmd/lib/secutil.c.crypto 2012-03-10 06:55:34.000000000 -0800
-+++ ./mozilla/security/nss/cmd/lib/secutil.c 2012-04-01 13:15:51.538584248 -0700
-@@ -48,10 +48,7 @@
- #include "prenv.h"
- #include "prnetdb.h"
-
--#include "cryptohi.h"
- #include "secutil.h"
--#include "secpkcs7.h"
--#include "secpkcs5.h"
- #include <stdarg.h>
- #if !defined(_WIN32_WCE)
- #include <sys/stat.h>
-@@ -62,29 +59,9 @@
- #include <unistd.h>
- #endif
-
--/* for SEC_TraverseNames */
--#include "cert.h"
--#include "certt.h"
--#include "certdb.h"
--
--/* #include "secmod.h" */
--#include "pk11func.h"
- #include "secoid.h"
-
--static char consoleName[] = {
--#ifdef XP_UNIX
-- "/dev/tty"
--#else
--#ifdef XP_OS2
-- "\\DEV\\CON"
--#else
-- "CON:"
--#endif
--#endif
--};
--
--#include "nssutil.h"
--#include "ssl.h"
-+extern long DER_GetInteger(SECItem *src);
-
- static PRBool wrapEnabled = PR_TRUE;
-
-@@ -105,7 +82,7 @@ SECU_PrintErrMsg(FILE *out, int level, c
- {
- va_list args;
- PRErrorCode err = PORT_GetError();
-- const char * errString = SECU_Strerror(err);
-+ const char * errString = PORT_ErrorToString(err);
-
- va_start(args, msg);
-
-@@ -125,7 +102,7 @@ SECU_PrintError(char *progName, char *ms
- {
- va_list args;
- PRErrorCode err = PORT_GetError();
-- const char * errString = SECU_Strerror(err);
-+ const char * errString = PORT_ErrorToString(err);
-
- va_start(args, msg);
-
-@@ -155,446 +132,6 @@ SECU_PrintSystemError(char *progName, ch
- va_end(args);
- }
-
--static void
--secu_ClearPassword(char *p)
--{
-- if (p) {
-- PORT_Memset(p, 0, PORT_Strlen(p));
-- PORT_Free(p);
-- }
--}
--
--char *
--SECU_GetPasswordString(void *arg, char *prompt)
--{
--#ifndef _WINDOWS
-- char *p = NULL;
-- FILE *input, *output;
--
-- /* open terminal */
-- input = fopen(consoleName, "r");
-- if (input == NULL) {
-- fprintf(stderr, "Error opening input terminal for read\n");
-- return NULL;
-- }
--
-- output = fopen(consoleName, "w");
-- if (output == NULL) {
-- fprintf(stderr, "Error opening output terminal for write\n");
-- return NULL;
-- }
--
-- p = SEC_GetPassword (input, output, prompt, SEC_BlindCheckPassword);
--
--
-- fclose(input);
-- fclose(output);
--
-- return p;
--
--#else
-- /* Win32 version of above. opening the console may fail
-- on windows95, and certainly isn't necessary.. */
--
-- char *p = NULL;
--
-- p = SEC_GetPassword (stdin, stdout, prompt, SEC_BlindCheckPassword);
-- return p;
--
--#endif
--}
--
--
--/*
-- * p a s s w o r d _ h a r d c o d e
-- *
-- * A function to use the password passed in the -f(pwfile) argument
-- * of the command line.
-- * After use once, null it out otherwise PKCS11 calls us forever.?
-- *
-- */
--char *
--SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
--{
-- char* phrases, *phrase;
-- PRFileDesc *fd;
-- PRInt32 nb;
-- char *pwFile = arg;
-- int i;
-- const long maxPwdFileSize = 4096;
-- char* tokenName = NULL;
-- int tokenLen = 0;
--
-- if (!pwFile)
-- return 0;
--
-- if (retry) {
-- return 0; /* no good retrying - the files contents will be the same */
-- }
--
-- phrases = PORT_ZAlloc(maxPwdFileSize);
--
-- if (!phrases) {
-- return 0; /* out of memory */
-- }
--
-- fd = PR_Open(pwFile, PR_RDONLY, 0);
-- if (!fd) {
-- fprintf(stderr, "No password file \"%s\" exists.\n", pwFile);
-- PORT_Free(phrases);
-- return NULL;
-- }
--
-- nb = PR_Read(fd, phrases, maxPwdFileSize);
--
-- PR_Close(fd);
--
-- if (nb == 0) {
-- fprintf(stderr,"password file contains no data\n");
-- PORT_Free(phrases);
-- return NULL;
-- }
--
-- if (slot) {
-- tokenName = PK11_GetTokenName(slot);
-- if (tokenName) {
-- tokenLen = PORT_Strlen(tokenName);
-- }
-- }
-- i = 0;
-- do
-- {
-- int startphrase = i;
-- int phraseLen;
--
-- /* handle the Windows EOL case */
-- while (phrases[i] != '\r' && phrases[i] != '\n' && i < nb) i++;
-- /* terminate passphrase */
-- phrases[i++] = '\0';
-- /* clean up any EOL before the start of the next passphrase */
-- while ( (i<nb) && (phrases[i] == '\r' || phrases[i] == '\n')) {
-- phrases[i++] = '\0';
-- }
-- /* now analyze the current passphrase */
-- phrase = &phrases[startphrase];
-- if (!tokenName)
-- break;
-- if (PORT_Strncmp(phrase, tokenName, tokenLen)) continue;
-- phraseLen = PORT_Strlen(phrase);
-- if (phraseLen < (tokenLen+1)) continue;
-- if (phrase[tokenLen] != ':') continue;
-- phrase = &phrase[tokenLen+1];
-- break;
--
-- } while (i<nb);
--
-- phrase = PORT_Strdup((char*)phrase);
-- PORT_Free(phrases);
-- return phrase;
--}
--
--char *
--SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
--{
-- char prompt[255];
-- secuPWData *pwdata = (secuPWData *)arg;
-- secuPWData pwnull = { PW_NONE, 0 };
-- secuPWData pwxtrn = { PW_EXTERNAL, "external" };
-- char *pw;
--
-- if (pwdata == NULL)
-- pwdata = &pwnull;
--
-- if (PK11_ProtectedAuthenticationPath(slot)) {
-- pwdata = &pwxtrn;
-- }
-- if (retry && pwdata->source != PW_NONE) {
-- PR_fprintf(PR_STDERR, "Incorrect password/PIN entered.\n");
-- return NULL;
-- }
--
-- switch (pwdata->source) {
-- case PW_NONE:
-- sprintf(prompt, "Enter Password or Pin for \"%s\":",
-- PK11_GetTokenName(slot));
-- return SECU_GetPasswordString(NULL, prompt);
-- case PW_FROMFILE:
-- /* Instead of opening and closing the file every time, get the pw
-- * once, then keep it in memory (duh).
-- */
-- pw = SECU_FilePasswd(slot, retry, pwdata->data);
-- pwdata->source = PW_PLAINTEXT;
-- pwdata->data = PL_strdup(pw);
-- /* it's already been dup'ed */
-- return pw;
-- case PW_EXTERNAL:
-- sprintf(prompt,
-- "Press Enter, then enter PIN for \"%s\" on external device.\n",
-- PK11_GetTokenName(slot));
-- (void) SECU_GetPasswordString(NULL, prompt);
-- /* Fall Through */
-- case PW_PLAINTEXT:
-- return PL_strdup(pwdata->data);
-- default:
-- break;
-- }
--
-- PR_fprintf(PR_STDERR, "Password check failed: No password found.\n");
-- return NULL;
--}
--
--char *
--secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg)
--{
-- char *p0 = NULL;
-- char *p1 = NULL;
-- FILE *input, *output;
-- secuPWData *pwdata = arg;
--
-- if (pwdata->source == PW_FROMFILE) {
-- return SECU_FilePasswd(slot, retry, pwdata->data);
-- }
-- if (pwdata->source == PW_PLAINTEXT) {
-- return PL_strdup(pwdata->data);
-- }
--
-- /* PW_NONE - get it from tty */
-- /* open terminal */
--#ifdef _WINDOWS
-- input = stdin;
--#else
-- input = fopen(consoleName, "r");
--#endif
-- if (input == NULL) {
-- PR_fprintf(PR_STDERR, "Error opening input terminal for read\n");
-- return NULL;
-- }
--
-- /* we have no password, so initialize database with one */
-- PR_fprintf(PR_STDERR,
-- "Enter a password which will be used to encrypt your keys.\n"
-- "The password should be at least 8 characters long,\n"
-- "and should contain at least one non-alphabetic character.\n\n");
--
-- output = fopen(consoleName, "w");
-- if (output == NULL) {
-- PR_fprintf(PR_STDERR, "Error opening output terminal for write\n");
-- return NULL;
-- }
--
--
-- for (;;) {
-- if (p0)
-- PORT_Free(p0);
-- p0 = SEC_GetPassword(input, output, "Enter new password: ",
-- SEC_BlindCheckPassword);
--
-- if (p1)
-- PORT_Free(p1);
-- p1 = SEC_GetPassword(input, output, "Re-enter password: ",
-- SEC_BlindCheckPassword);
-- if (p0 && p1 && !PORT_Strcmp(p0, p1)) {
-- break;
-- }
-- PR_fprintf(PR_STDERR, "Passwords do not match. Try again.\n");
-- }
--
-- /* clear out the duplicate password string */
-- secu_ClearPassword(p1);
--
-- fclose(input);
-- fclose(output);
--
-- return p0;
--}
--
--SECStatus
--SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile)
--{
-- return SECU_ChangePW2(slot, passwd, 0, pwFile, 0);
--}
--
--SECStatus
--SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
-- char *oldPwFile, char *newPwFile)
--{
-- SECStatus rv;
-- secuPWData pwdata, newpwdata;
-- char *oldpw = NULL, *newpw = NULL;
--
-- if (oldPass) {
-- pwdata.source = PW_PLAINTEXT;
-- pwdata.data = oldPass;
-- } else if (oldPwFile) {
-- pwdata.source = PW_FROMFILE;
-- pwdata.data = oldPwFile;
-- } else {
-- pwdata.source = PW_NONE;
-- pwdata.data = NULL;
-- }
--
-- if (newPass) {
-- newpwdata.source = PW_PLAINTEXT;
-- newpwdata.data = newPass;
-- } else if (newPwFile) {
-- newpwdata.source = PW_FROMFILE;
-- newpwdata.data = newPwFile;
-- } else {
-- newpwdata.source = PW_NONE;
-- newpwdata.data = NULL;
-- }
--
-- if (PK11_NeedUserInit(slot)) {
-- newpw = secu_InitSlotPassword(slot, PR_FALSE, &pwdata);
-- rv = PK11_InitPin(slot, (char*)NULL, newpw);
-- goto done;
-- }
--
-- for (;;) {
-- oldpw = SECU_GetModulePassword(slot, PR_FALSE, &pwdata);
--
-- if (PK11_CheckUserPassword(slot, oldpw) != SECSuccess) {
-- if (pwdata.source == PW_NONE) {
-- PR_fprintf(PR_STDERR, "Invalid password. Try again.\n");
-- } else {
-- PR_fprintf(PR_STDERR, "Invalid password.\n");
-- PORT_Memset(oldpw, 0, PL_strlen(oldpw));
-- PORT_Free(oldpw);
-- return SECFailure;
-- }
-- } else
-- break;
--
-- PORT_Free(oldpw);
-- }
--
-- newpw = secu_InitSlotPassword(slot, PR_FALSE, &newpwdata);
--
-- if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) {
-- PR_fprintf(PR_STDERR, "Failed to change password.\n");
-- return SECFailure;
-- }
--
-- PORT_Memset(oldpw, 0, PL_strlen(oldpw));
-- PORT_Free(oldpw);
--
-- PR_fprintf(PR_STDOUT, "Password changed successfully.\n");
--
--done:
-- PORT_Memset(newpw, 0, PL_strlen(newpw));
-- PORT_Free(newpw);
-- return SECSuccess;
--}
--
--struct matchobj {
-- SECItem index;
-- char *nname;
-- PRBool found;
--};
--
--char *
--SECU_DefaultSSLDir(void)
--{
-- char *dir;
-- static char sslDir[1000];
--
-- dir = PR_GetEnv("SSL_DIR");
-- if (!dir)
-- return NULL;
--
-- sprintf(sslDir, "%s", dir);
--
-- if (sslDir[strlen(sslDir)-1] == '/')
-- sslDir[strlen(sslDir)-1] = 0;
--
-- return sslDir;
--}
--
--char *
--SECU_AppendFilenameToDir(char *dir, char *filename)
--{
-- static char path[1000];
--
-- if (dir[strlen(dir)-1] == '/')
-- sprintf(path, "%s%s", dir, filename);
-- else
-- sprintf(path, "%s/%s", dir, filename);
-- return path;
--}
--
--char *
--SECU_ConfigDirectory(const char* base)
--{
-- static PRBool initted = PR_FALSE;
-- const char *dir = ".netscape";
-- char *home;
-- static char buf[1000];
--
-- if (initted) return buf;
--
--
-- if (base == NULL || *base == 0) {
-- home = PR_GetEnv("HOME");
-- if (!home) home = "";
--
-- if (*home && home[strlen(home) - 1] == '/')
-- sprintf (buf, "%.900s%s", home, dir);
-- else
-- sprintf (buf, "%.900s/%s", home, dir);
-- } else {
-- sprintf(buf, "%.900s", base);
-- if (buf[strlen(buf) - 1] == '/')
-- buf[strlen(buf) - 1] = 0;
-- }
--
--
-- initted = PR_TRUE;
-- return buf;
--}
--
--/*Turn off SSL for now */
--/* This gets called by SSL when server wants our cert & key */
--int
--SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
-- struct CERTDistNamesStr *caNames,
-- struct CERTCertificateStr **pRetCert,
-- struct SECKEYPrivateKeyStr **pRetKey)
--{
-- SECKEYPrivateKey *key;
-- CERTCertificate *cert;
-- int errsave;
--
-- if (arg == NULL) {
-- fprintf(stderr, "no key/cert name specified for client auth\n");
-- return -1;
-- }
-- cert = PK11_FindCertFromNickname(arg, NULL);
-- errsave = PORT_GetError();
-- if (!cert) {
-- if (errsave == SEC_ERROR_BAD_PASSWORD)
-- fprintf(stderr, "Bad password\n");
-- else if (errsave > 0)
-- fprintf(stderr, "Unable to read cert (error %d)\n", errsave);
-- else if (errsave == SEC_ERROR_BAD_DATABASE)
-- fprintf(stderr, "Unable to get cert from database (%d)\n", errsave);
-- else
-- fprintf(stderr, "SECKEY_FindKeyByName: internal error %d\n", errsave);
-- return -1;
-- }
--
-- key = PK11_FindKeyByAnyCert(arg,NULL);
-- if (!key) {
-- fprintf(stderr, "Unable to get key (%d)\n", PORT_GetError());
-- return -1;
-- }
--
--
-- *pRetCert = cert;
-- *pRetKey = key;
--
-- return 0;
--}
--
- SECStatus
- secu_StdinToItem(SECItem *dst)
- {
-@@ -716,65 +253,6 @@ loser:
- return SECFailure;
- }
-
--SECStatus
--SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
--{
-- SECStatus rv;
-- if (ascii) {
-- /* First convert ascii to binary */
-- SECItem filedata;
-- char *asc, *body;
--
-- /* Read in ascii data */
-- rv = SECU_FileToItem(&filedata, inFile);
-- asc = (char *)filedata.data;
-- if (!asc) {
-- fprintf(stderr, "unable to read data from input file\n");
-- return SECFailure;
-- }
--
-- /* check for headers and trailers and remove them */
-- if ((body = strstr(asc, "-----BEGIN")) != NULL) {
-- char *trailer = NULL;
-- asc = body;
-- body = PORT_Strchr(body, '\n');
-- if (!body)
-- body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */
-- if (body)
-- trailer = strstr(++body, "-----END");
-- if (trailer != NULL) {
-- *trailer = '\0';
-- } else {
-- fprintf(stderr, "input has header but no trailer\n");
-- PORT_Free(filedata.data);
-- return SECFailure;
-- }
-- } else {
-- body = asc;
-- }
--
-- /* Convert to binary */
-- rv = ATOB_ConvertAsciiToItem(der, body);
-- if (rv) {
-- fprintf(stderr, "error converting ascii to binary (%s)\n",
-- SECU_Strerror(PORT_GetError()));
-- PORT_Free(filedata.data);
-- return SECFailure;
-- }
--
-- PORT_Free(filedata.data);
-- } else {
-- /* Read in binary der */
-- rv = SECU_FileToItem(der, inFile);
-- if (rv) {
-- fprintf(stderr, "error converting der (%s)\n",
-- SECU_Strerror(PORT_GetError()));
-- return SECFailure;
-- }
-- }
-- return SECSuccess;
--}
--
- #define INDENT_MULT 4
- void
- SECU_Indent(FILE *out, int level)
-@@ -932,23 +410,6 @@ SECU_PrintBuf(FILE *out, const char *msg
- }
- }
-
--SECStatus
--SECU_StripTagAndLength(SECItem *i)
--{
-- unsigned int start;
--
-- if (!i || !i->data || i->len < 2) { /* must be at least tag and length */
-- return SECFailure;
-- }
-- start = ((i->data[1] & 0x80) ? (i->data[1] & 0x7f) + 2 : 2);
-- if (i->len < start) {
-- return SECFailure;
-- }
-- i->data += start;
-- i->len -= start;
-- return SECSuccess;
--}
--
-
- /* This expents i->data[0] to be the MSB of the integer.
- ** if you want to print a DER-encoded integer (with the tag and length)
-@@ -993,2461 +454,100 @@ SECU_PrintInteger(FILE *out, SECItem *i,
- }
-
- static void
--secu_PrintRawStringQuotesOptional(FILE *out, SECItem *si, const char *m,
-- int level, PRBool quotes)
-+secu_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
- {
-- int column;
-- unsigned int i;
--
-- if ( m ) {
-- SECU_Indent(out, level); fprintf(out, "%s: ", m);
-- column = (level * INDENT_MULT) + strlen(m) + 2;
-- level++;
-- } else {
-- SECU_Indent(out, level);
-- column = level*INDENT_MULT;
-- }
-- if (quotes) {
-- fprintf(out, "\""); column++;
-- }
--
-- for (i = 0; i < si->len; i++) {
-- unsigned char val = si->data[i];
-- if (wrapEnabled && column > 76) {
-- secu_Newline(out);
-- SECU_Indent(out, level); column = level*INDENT_MULT;
-- }
--
-- fprintf(out,"%c", printable[val]); column++;
-- }
--
-- if (quotes) {
-- fprintf(out, "\""); column++;
-- }
-- if (wrapEnabled &&
-- (column != level*INDENT_MULT || column > 76)) {
-- secu_Newline(out);
-+ SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-+ SECU_PrintInteger(out, &pk->u.rsa.modulus, "Modulus", level+1);
-+ SECU_PrintInteger(out, &pk->u.rsa.publicExponent, "Exponent", level+1);
-+ if (pk->u.rsa.publicExponent.len == 1 &&
-+ pk->u.rsa.publicExponent.data[0] == 1) {
-+ SECU_Indent(out, level +1); fprintf(out, "Error: INVALID RSA KEY!\n");
- }
- }
-
- static void
--secu_PrintRawString(FILE *out, SECItem *si, const char *m, int level)
--{
-- secu_PrintRawStringQuotesOptional(out, si, m, level, PR_TRUE);
--}
--
--void
--SECU_PrintString(FILE *out, SECItem *si, char *m, int level)
-+secu_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
- {
-- SECItem my = *si;
--
-- if (SECSuccess != SECU_StripTagAndLength(&my) || !my.len)
-- return;
-- secu_PrintRawString(out, &my, m, level);
-+ SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-+ SECU_PrintInteger(out, &pk->u.dsa.params.prime, "Prime", level+1);
-+ SECU_PrintInteger(out, &pk->u.dsa.params.subPrime, "Subprime", level+1);
-+ SECU_PrintInteger(out, &pk->u.dsa.params.base, "Base", level+1);
-+ SECU_PrintInteger(out, &pk->u.dsa.publicValue, "PublicValue", level+1);
- }
-
--/* print an unencoded boolean */
-+#ifdef NSS_ENABLE_ECC
- static void
--secu_PrintBoolean(FILE *out, SECItem *i, const char *m, int level)
-+secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
- {
-- int val = 0;
--
-- if ( i->data && i->len ) {
-- val = i->data[0];
-- }
-+ SECItem curveOID = { siBuffer, NULL, 0};
-
-- if (!m) {
-- m = "Boolean";
-+ SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-+ SECU_PrintInteger(out, &pk->u.ec.publicValue, "PublicValue", level+1);
-+ /* For named curves, the DEREncodedParams field contains an
-+ * ASN Object ID (0x06 is SEC_ASN1_OBJECT_ID).
-+ */
-+ if ((pk->u.ec.DEREncodedParams.len > 2) &&
-+ (pk->u.ec.DEREncodedParams.data[0] == 0x06)) {
-+ curveOID.len = pk->u.ec.DEREncodedParams.data[1];
-+ curveOID.data = pk->u.ec.DEREncodedParams.data + 2;
-+ SECU_PrintObjectID(out, &curveOID, "Curve", level +1);
- }
-- SECU_Indent(out, level);
-- fprintf(out, "%s: %s\n", m, (val ? "True" : "False"));
- }
-+#endif /* NSS_ENABLE_ECC */
-
--/*
-- * Format and print "time". If the tag message "m" is not NULL,
-- * do indent formatting based on "level" and add a newline afterward;
-- * otherwise just print the formatted time string only.
-- */
--static void
--secu_PrintTime(FILE *out, int64 time, char *m, int level)
-+#if defined(DEBUG) || defined(FORCE_PR_ASSERT)
-+/* Returns true iff a[i].flag has a duplicate in a[i+1 : count-1] */
-+static PRBool HasShortDuplicate(int i, secuCommandFlag *a, int count)
- {
-- PRExplodedTime printableTime;
-- char *timeString;
--
-- /* Convert to local time */
-- PR_ExplodeTime(time, PR_GMTParameters, &printableTime);
--
-- timeString = PORT_Alloc(256);
-- if (timeString == NULL)
-- return;
--
-- if (m != NULL) {
-- SECU_Indent(out, level);
-- fprintf(out, "%s: ", m);
-- }
--
-- if (PR_FormatTime(timeString, 256, "%a %b %d %H:%M:%S %Y", &printableTime)) {
-- fputs(timeString, out);
-- }
--
-- if (m != NULL)
-- fprintf(out, "\n");
-+ char target = a[i].flag;
-+ int j;
-
-- PORT_Free(timeString);
-+ /* duplicate '\0' flags are okay, they are used with long forms */
-+ for (j = i+1; j < count; j++) {
-+ if (a[j].flag && a[j].flag == target) {
-+ return PR_TRUE;
-+ }
-+ }
-+ return PR_FALSE;
- }
-+#endif /* defined(DEBUG) || defined(FORCE_PR_ASSERT) */
-
--/*
-- * Format and print the UTC Time "t". If the tag message "m" is not NULL,
-- * do indent formatting based on "level" and add a newline afterward;
-- * otherwise just print the formatted time string only.
-- */
--void
--SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level)
-+/* Returns true iff a[i].longform has a duplicate in a[i+1 : count-1] */
-+static PRBool HasLongDuplicate(int i, secuCommandFlag *a, int count)
- {
-- int64 time;
-- SECStatus rv;
--
-- rv = DER_UTCTimeToTime(&time, t);
-- if (rv != SECSuccess)
-- return;
--
-- secu_PrintTime(out, time, m, level);
--}
--
--/*
-- * Format and print the Generalized Time "t". If the tag message "m"
-- * is not NULL, * do indent formatting based on "level" and add a newline
-- * afterward; otherwise just print the formatted time string only.
-- */
--void
--SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m, int level)
--{
-- int64 time;
-- SECStatus rv;
--
--
-- rv = DER_GeneralizedTimeToTime(&time, t);
-- if (rv != SECSuccess)
-- return;
--
-- secu_PrintTime(out, time, m, level);
--}
--
--/*
-- * Format and print the UTC or Generalized Time "t". If the tag message
-- * "m" is not NULL, do indent formatting based on "level" and add a newline
-- * afterward; otherwise just print the formatted time string only.
-- */
--void
--SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level)
--{
-- switch (t->type) {
-- case siUTCTime:
-- SECU_PrintUTCTime(out, t, m, level);
-- break;
--
-- case siGeneralizedTime:
-- SECU_PrintGeneralizedTime(out, t, m, level);
-- break;
--
-- default:
-- PORT_Assert(0);
-- break;
-- }
--}
--
--
--/* This prints a SET or SEQUENCE */
--void
--SECU_PrintSet(FILE *out, SECItem *t, char *m, int level)
--{
-- int type = t->data[0] & SEC_ASN1_TAGNUM_MASK;
-- int constructed = t->data[0] & SEC_ASN1_CONSTRUCTED;
-- const char * label;
-- SECItem my = *t;
--
-- if (!constructed) {
-- SECU_PrintAsHex(out, t, m, level);
-- return;
-- }
-- if (SECSuccess != SECU_StripTagAndLength(&my))
-- return;
--
-- SECU_Indent(out, level);
-- if (m) {
-- fprintf(out, "%s: ", m);
-- }
--
-- if (type == SEC_ASN1_SET)
-- label = "Set ";
-- else if (type == SEC_ASN1_SEQUENCE)
-- label = "Sequence ";
-- else
-- label = "";
-- fprintf(out,"%s{\n", label); /* } */
--
-- while (my.len >= 2) {
-- SECItem tmp = my;
--
-- if (tmp.data[1] & 0x80) {
-- unsigned int i;
-- unsigned int lenlen = tmp.data[1] & 0x7f;
-- if (lenlen > sizeof tmp.len)
-- break;
-- tmp.len = 0;
-- for (i=0; i < lenlen; i++) {
-- tmp.len = (tmp.len << 8) | tmp.data[2+i];
-- }
-- tmp.len += lenlen + 2;
-- } else {
-- tmp.len = tmp.data[1] + 2;
-- }
-- if (tmp.len > my.len) {
-- tmp.len = my.len;
-- }
-- my.data += tmp.len;
-- my.len -= tmp.len;
-- SECU_PrintAny(out, &tmp, NULL, level + 1);
-- }
-- SECU_Indent(out, level); fprintf(out, /* { */ "}\n");
--}
--
--static void
--secu_PrintContextSpecific(FILE *out, SECItem *i, char *m, int level)
--{
-- int type = i->data[0] & SEC_ASN1_TAGNUM_MASK;
-- int constructed = i->data[0] & SEC_ASN1_CONSTRUCTED;
-- SECItem tmp;
--
-- if (constructed) {
-- char * m2;
-- if (!m)
-- m2 = PR_smprintf("[%d]", type);
-- else
-- m2 = PR_smprintf("%s: [%d]", m, type);
-- if (m2) {
-- SECU_PrintSet(out, i, m2, level);
-- PR_smprintf_free(m2);
-- }
-- return;
-- }
--
-- SECU_Indent(out, level);
-- if (m) {
-- fprintf(out, "%s: ", m);
-- }
-- fprintf(out,"[%d]\n", type);
--
-- tmp = *i;
-- if (SECSuccess == SECU_StripTagAndLength(&tmp))
-- SECU_PrintAsHex(out, &tmp, m, level+1);
--}
--
--static void
--secu_PrintOctetString(FILE *out, SECItem *i, char *m, int level)
--{
-- SECItem tmp = *i;
-- if (SECSuccess == SECU_StripTagAndLength(&tmp))
-- SECU_PrintAsHex(out, &tmp, m, level);
--}
--
--static void
--secu_PrintBitString(FILE *out, SECItem *i, char *m, int level)
--{
-- int unused_bits;
-- SECItem tmp = *i;
--
-- if (SECSuccess != SECU_StripTagAndLength(&tmp) || tmp.len < 2)
-- return;
--
-- unused_bits = *tmp.data++;
-- tmp.len--;
--
-- SECU_PrintAsHex(out, &tmp, m, level);
-- if (unused_bits) {
-- SECU_Indent(out, level + 1);
-- fprintf(out, "(%d least significant bits unused)\n", unused_bits);
-- }
--}
--
--/* in a decoded bit string, the len member is a bit length. */
--static void
--secu_PrintDecodedBitString(FILE *out, SECItem *i, char *m, int level)
--{
-- int unused_bits;
-- SECItem tmp = *i;
--
--
-- unused_bits = (tmp.len & 0x7) ? 8 - (tmp.len & 7) : 0;
-- DER_ConvertBitString(&tmp); /* convert length to byte length */
--
-- SECU_PrintAsHex(out, &tmp, m, level);
-- if (unused_bits) {
-- SECU_Indent(out, level + 1);
-- fprintf(out, "(%d least significant bits unused)\n", unused_bits);
-- }
--}
--
--
--/* Print a DER encoded Boolean */
--void
--SECU_PrintEncodedBoolean(FILE *out, SECItem *i, char *m, int level)
--{
-- SECItem my = *i;
-- if (SECSuccess == SECU_StripTagAndLength(&my))
-- secu_PrintBoolean(out, &my, m, level);
--}
--
--/* Print a DER encoded integer */
--void
--SECU_PrintEncodedInteger(FILE *out, SECItem *i, char *m, int level)
--{
-- SECItem my = *i;
-- if (SECSuccess == SECU_StripTagAndLength(&my))
-- SECU_PrintInteger(out, &my, m, level);
--}
--
--/* Print a DER encoded OID */
--void
--SECU_PrintEncodedObjectID(FILE *out, SECItem *i, char *m, int level)
--{
-- SECItem my = *i;
-- if (SECSuccess == SECU_StripTagAndLength(&my))
-- SECU_PrintObjectID(out, &my, m, level);
--}
--
--static void
--secu_PrintBMPString(FILE *out, SECItem *i, char *m, int level)
--{
-- unsigned char * s;
-- unsigned char * d;
-- int len;
-- SECItem tmp = {0, 0, 0};
-- SECItem my = *i;
--
-- if (SECSuccess != SECU_StripTagAndLength(&my))
-- goto loser;
-- if (my.len % 2)
-- goto loser;
-- len = (int)(my.len / 2);
-- tmp.data = (unsigned char *)PORT_Alloc(len);
-- if (!tmp.data)
-- goto loser;
-- tmp.len = len;
-- for (s = my.data, d = tmp.data ; len > 0; len--) {
-- PRUint32 bmpChar = (s[0] << 8) | s[1]; s += 2;
-- if (!isprint(bmpChar))
-- goto loser;
-- *d++ = (unsigned char)bmpChar;
-- }
-- secu_PrintRawString(out, &tmp, m, level);
-- PORT_Free(tmp.data);
-- return;
--
--loser:
-- SECU_PrintAsHex(out, i, m, level);
-- if (tmp.data)
-- PORT_Free(tmp.data);
--}
--
--static void
--secu_PrintUniversalString(FILE *out, SECItem *i, char *m, int level)
--{
-- unsigned char * s;
-- unsigned char * d;
-- int len;
-- SECItem tmp = {0, 0, 0};
-- SECItem my = *i;
--
-- if (SECSuccess != SECU_StripTagAndLength(&my))
-- goto loser;
-- if (my.len % 4)
-- goto loser;
-- len = (int)(my.len / 4);
-- tmp.data = (unsigned char *)PORT_Alloc(len);
-- if (!tmp.data)
-- goto loser;
-- tmp.len = len;
-- for (s = my.data, d = tmp.data ; len > 0; len--) {
-- PRUint32 bmpChar = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3];
-- s += 4;
-- if (!isprint(bmpChar))
-- goto loser;
-- *d++ = (unsigned char)bmpChar;
-- }
-- secu_PrintRawString(out, &tmp, m, level);
-- PORT_Free(tmp.data);
-- return;
--
--loser:
-- SECU_PrintAsHex(out, i, m, level);
-- if (tmp.data)
-- PORT_Free(tmp.data);
--}
--
--static void
--secu_PrintUniversal(FILE *out, SECItem *i, char *m, int level)
--{
-- switch (i->data[0] & SEC_ASN1_TAGNUM_MASK) {
-- case SEC_ASN1_ENUMERATED:
-- case SEC_ASN1_INTEGER:
-- SECU_PrintEncodedInteger(out, i, m, level);
-- break;
-- case SEC_ASN1_OBJECT_ID:
-- SECU_PrintEncodedObjectID(out, i, m, level);
-- break;
-- case SEC_ASN1_BOOLEAN:
-- SECU_PrintEncodedBoolean(out, i, m, level);
-- break;
-- case SEC_ASN1_UTF8_STRING:
-- case SEC_ASN1_PRINTABLE_STRING:
-- case SEC_ASN1_VISIBLE_STRING:
-- case SEC_ASN1_IA5_STRING:
-- case SEC_ASN1_T61_STRING:
-- SECU_PrintString(out, i, m, level);
-- break;
-- case SEC_ASN1_GENERALIZED_TIME:
-- SECU_PrintGeneralizedTime(out, i, m, level);
-- break;
-- case SEC_ASN1_UTC_TIME:
-- SECU_PrintUTCTime(out, i, m, level);
-- break;
-- case SEC_ASN1_NULL:
-- SECU_Indent(out, level);
-- if (m && m[0])
-- fprintf(out, "%s: NULL\n", m);
-- else
-- fprintf(out, "NULL\n");
-- break;
-- case SEC_ASN1_SET:
-- case SEC_ASN1_SEQUENCE:
-- SECU_PrintSet(out, i, m, level);
-- break;
-- case SEC_ASN1_OCTET_STRING:
-- secu_PrintOctetString(out, i, m, level);
-- break;
-- case SEC_ASN1_BIT_STRING:
-- secu_PrintBitString(out, i, m, level);
-- break;
-- case SEC_ASN1_BMP_STRING:
-- secu_PrintBMPString(out, i, m, level);
-- break;
-- case SEC_ASN1_UNIVERSAL_STRING:
-- secu_PrintUniversalString(out, i, m, level);
-- break;
-- default:
-- SECU_PrintAsHex(out, i, m, level);
-- break;
-- }
--}
--
--void
--SECU_PrintAny(FILE *out, SECItem *i, char *m, int level)
--{
-- if ( i && i->len && i->data ) {
-- switch (i->data[0] & SEC_ASN1_CLASS_MASK) {
-- case SEC_ASN1_CONTEXT_SPECIFIC:
-- secu_PrintContextSpecific(out, i, m, level);
-- break;
-- case SEC_ASN1_UNIVERSAL:
-- secu_PrintUniversal(out, i, m, level);
-- break;
-- default:
-- SECU_PrintAsHex(out, i, m, level);
-- break;
-- }
-- }
--}
--
--static int
--secu_PrintValidity(FILE *out, CERTValidity *v, char *m, int level)
--{
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- SECU_PrintTimeChoice(out, &v->notBefore, "Not Before", level+1);
-- SECU_PrintTimeChoice(out, &v->notAfter, "Not After ", level+1);
-- return 0;
--}
--
--/* This function does NOT expect a DER type and length. */
--SECOidTag
--SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level)
--{
-- SECOidData *oiddata;
-- char * oidString = NULL;
--
-- oiddata = SECOID_FindOID(oid);
-- if (oiddata != NULL) {
-- const char *name = oiddata->desc;
-- SECU_Indent(out, level);
-- if (m != NULL)
-- fprintf(out, "%s: ", m);
-- fprintf(out, "%s\n", name);
-- return oiddata->offset;
-- }
-- oidString = CERT_GetOidString(oid);
-- if (oidString) {
-- SECU_Indent(out, level);
-- if (m != NULL)
-- fprintf(out, "%s: ", m);
-- fprintf(out, "%s\n", oidString);
-- PR_smprintf_free(oidString);
-- return SEC_OID_UNKNOWN;
-- }
-- SECU_PrintAsHex(out, oid, m, level);
-- return SEC_OID_UNKNOWN;
--}
--
--typedef struct secuPBEParamsStr {
-- SECItem salt;
-- SECItem iterationCount;
-- SECItem keyLength;
-- SECAlgorithmID cipherAlg;
-- SECAlgorithmID kdfAlg;
--} secuPBEParams;
--
--SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate);
--
--/* SECOID_PKCS5_PBKDF2 */
--const SEC_ASN1Template secuKDF2Params[] =
--{
-- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
-- { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
-- { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
-- { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
-- { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
-- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-- { 0 }
--};
--
--/* PKCS5v1 & PKCS12 */
--const SEC_ASN1Template secuPBEParamsTemp[] =
--{
-- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
-- { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
-- { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
-- { 0 }
--};
--
--/* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */
--const SEC_ASN1Template secuPBEV2Params[] =
--{
-- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams)},
-- { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
-- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-- { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
-- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-- { 0 }
--};
--
--void
--secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
--{
-- PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-- SECStatus rv;
-- SECKEYRSAPSSParams param;
-- SECAlgorithmID maskHashAlg;
--
-- if (m) {
-- SECU_Indent(out, level);
-- fprintf (out, "%s:\n", m);
-- }
--
-- if (!pool) {
-- SECU_Indent(out, level);
-- fprintf(out, "Out of memory\n");
-- return;
-- }
--
-- PORT_Memset(¶m, 0, sizeof param);
--
-- rv = SEC_QuickDERDecodeItem(pool, ¶m,
-- SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate),
-- value);
-- if (rv == SECSuccess) {
-- if (!param.hashAlg) {
-- SECU_Indent(out, level+1);
-- fprintf(out, "Hash algorithm: default, SHA-1\n");
-- } else {
-- SECU_PrintObjectID(out, ¶m.hashAlg->algorithm,
-- "Hash algorithm", level+1);
-- }
-- if (!param.maskAlg) {
-- SECU_Indent(out, level+1);
-- fprintf(out, "Mask algorithm: default, MGF1\n");
-- SECU_Indent(out, level+1);
-- fprintf(out, "Mask hash algorithm: default, SHA-1\n");
-- } else {
-- SECU_PrintObjectID(out, ¶m.maskAlg->algorithm,
-- "Mask algorithm", level+1);
-- rv = SEC_QuickDERDecodeItem(pool, &maskHashAlg,
-- SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
-- ¶m.maskAlg->parameters);
-- if (rv == SECSuccess) {
-- SECU_PrintObjectID(out, &maskHashAlg.algorithm,
-- "Mask hash algorithm", level+1);
-- } else {
-- SECU_Indent(out, level+1);
-- fprintf(out, "Invalid mask generation algorithm parameters\n");
-- }
-- }
-- if (!param.saltLength.data) {
-- SECU_Indent(out, level+1);
-- fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20);
-- } else {
-- SECU_PrintInteger(out, ¶m.saltLength, "Salt Length", level+1);
-- }
-- } else {
-- SECU_Indent(out, level+1);
-- fprintf(out, "Invalid RSA-PSS parameters\n");
-- }
-- PORT_FreeArena(pool, PR_FALSE);
--}
--
--void
--secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level)
--{
-- PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-- SECStatus rv;
-- secuPBEParams param;
--
-- if (m) {
-- SECU_Indent(out, level);
-- fprintf (out, "%s:\n", m);
-- }
--
-- if (!pool) {
-- SECU_Indent(out, level);
-- fprintf(out, "Out of memory\n");
-- return;
-- }
--
-- PORT_Memset(¶m, 0, sizeof param);
-- rv = SEC_QuickDERDecodeItem(pool, ¶m, secuKDF2Params, value);
-- if (rv == SECSuccess) {
-- SECU_PrintAsHex(out, ¶m.salt, "Salt", level+1);
-- SECU_PrintInteger(out, ¶m.iterationCount, "Iteration Count",
-- level+1);
-- SECU_PrintInteger(out, ¶m.keyLength, "Key Length", level+1);
-- SECU_PrintAlgorithmID(out, ¶m.kdfAlg, "KDF algorithm", level+1);
-- }
-- PORT_FreeArena(pool, PR_FALSE);
--}
--
--void
--secu_PrintPKCS5V2Params(FILE *out, SECItem *value, char *m, int level)
--{
-- PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-- SECStatus rv;
-- secuPBEParams param;
--
-- if (m) {
-- SECU_Indent(out, level);
-- fprintf (out, "%s:\n", m);
-- }
--
-- if (!pool) {
-- SECU_Indent(out, level);
-- fprintf(out, "Out of memory\n");
-- return;
-- }
--
-- PORT_Memset(¶m, 0, sizeof param);
-- rv = SEC_QuickDERDecodeItem(pool, ¶m, secuPBEV2Params, value);
-- if (rv == SECSuccess) {
-- SECU_PrintAlgorithmID(out, ¶m.kdfAlg, "KDF", level+1);
-- SECU_PrintAlgorithmID(out, ¶m.cipherAlg, "Cipher", level+1);
-- }
-- PORT_FreeArena(pool, PR_FALSE);
--}
--
--void
--secu_PrintPBEParams(FILE *out, SECItem *value, char *m, int level)
--{
-- PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-- SECStatus rv;
-- secuPBEParams param;
--
-- if (m) {
-- SECU_Indent(out, level);
-- fprintf (out, "%s:\n", m);
-- }
--
-- if (!pool) {
-- SECU_Indent(out, level);
-- fprintf(out, "Out of memory\n");
-- return;
-- }
--
-- PORT_Memset(¶m, 0, sizeof(secuPBEParams));
-- rv = SEC_QuickDERDecodeItem(pool, ¶m, secuPBEParamsTemp, value);
-- if (rv == SECSuccess) {
-- SECU_PrintAsHex(out, ¶m.salt, "Salt", level+1);
-- SECU_PrintInteger(out, ¶m.iterationCount, "Iteration Count",
-- level+1);
-- }
-- PORT_FreeArena(pool, PR_FALSE);
--}
--
--/* This function does NOT expect a DER type and length. */
--void
--SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level)
--{
-- SECOidTag algtag;
-- SECU_PrintObjectID(out, &a->algorithm, m, level);
--
-- algtag = SECOID_GetAlgorithmTag(a);
-- if (SEC_PKCS5IsAlgorithmPBEAlgTag(algtag)) {
-- switch (algtag) {
-- case SEC_OID_PKCS5_PBKDF2:
-- secu_PrintKDF2Params(out, &a->parameters, "Parameters", level+1);
-- break;
-- case SEC_OID_PKCS5_PBES2:
-- secu_PrintPKCS5V2Params(out, &a->parameters, "Encryption", level+1);
-- break;
-- case SEC_OID_PKCS5_PBMAC1:
-- secu_PrintPKCS5V2Params(out, &a->parameters, "MAC", level+1);
-- break;
-- default:
-- secu_PrintPBEParams(out, &a->parameters, "Parameters", level+1);
-- break;
-- }
-- return;
-- }
--
-- if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
-- secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level+1);
-- return;
-- }
--
-- if (a->parameters.len == 0
-- || (a->parameters.len == 2
-- && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) {
-- /* No arguments or NULL argument */
-- } else {
-- /* Print args to algorithm */
-- SECU_PrintAsHex(out, &a->parameters, "Args", level+1);
-- }
--}
--
--static void
--secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m, int level)
--{
-- SECItem *value;
-- int i;
-- char om[100];
--
-- if (m) {
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- }
--
-- /*
-- * Should make this smarter; look at the type field and then decode
-- * and print the value(s) appropriately!
-- */
-- SECU_PrintObjectID(out, &(attr->type), "Type", level+1);
-- if (attr->values != NULL) {
-- i = 0;
-- while ((value = attr->values[i++]) != NULL) {
-- sprintf(om, "Value (%d)%s", i, attr->encoded ? " (encoded)" : "");
-- if (attr->encoded || attr->typeTag == NULL) {
-- SECU_PrintAny(out, value, om, level+1);
-- } else {
-- switch (attr->typeTag->offset) {
-- default:
-- SECU_PrintAsHex(out, value, om, level+1);
-- break;
-- case SEC_OID_PKCS9_CONTENT_TYPE:
-- SECU_PrintObjectID(out, value, om, level+1);
-- break;
-- case SEC_OID_PKCS9_SIGNING_TIME:
-- SECU_PrintTimeChoice(out, value, om, level+1);
-- break;
-- }
-- }
-- }
-- }
--}
--
--static void
--secu_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
--{
--
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- SECU_PrintInteger(out, &pk->u.rsa.modulus, "Modulus", level+1);
-- SECU_PrintInteger(out, &pk->u.rsa.publicExponent, "Exponent", level+1);
-- if (pk->u.rsa.publicExponent.len == 1 &&
-- pk->u.rsa.publicExponent.data[0] == 1) {
-- SECU_Indent(out, level +1); fprintf(out, "Error: INVALID RSA KEY!\n");
-- }
--}
--
--static void
--secu_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
--{
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- SECU_PrintInteger(out, &pk->u.dsa.params.prime, "Prime", level+1);
-- SECU_PrintInteger(out, &pk->u.dsa.params.subPrime, "Subprime", level+1);
-- SECU_PrintInteger(out, &pk->u.dsa.params.base, "Base", level+1);
-- SECU_PrintInteger(out, &pk->u.dsa.publicValue, "PublicValue", level+1);
--}
--
--#ifdef NSS_ENABLE_ECC
--static void
--secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
--{
-- SECItem curveOID = { siBuffer, NULL, 0};
--
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- SECU_PrintInteger(out, &pk->u.ec.publicValue, "PublicValue", level+1);
-- /* For named curves, the DEREncodedParams field contains an
-- * ASN Object ID (0x06 is SEC_ASN1_OBJECT_ID).
-- */
-- if ((pk->u.ec.DEREncodedParams.len > 2) &&
-- (pk->u.ec.DEREncodedParams.data[0] == 0x06)) {
-- curveOID.len = pk->u.ec.DEREncodedParams.data[1];
-- curveOID.data = pk->u.ec.DEREncodedParams.data + 2;
-- SECU_PrintObjectID(out, &curveOID, "Curve", level +1);
-- }
--}
--#endif /* NSS_ENABLE_ECC */
--
--static void
--secu_PrintSubjectPublicKeyInfo(FILE *out, PRArenaPool *arena,
-- CERTSubjectPublicKeyInfo *i, char *msg, int level)
--{
-- SECKEYPublicKey *pk;
--
-- SECU_Indent(out, level); fprintf(out, "%s:\n", msg);
-- SECU_PrintAlgorithmID(out, &i->algorithm, "Public Key Algorithm", level+1);
--
-- pk = SECKEY_ExtractPublicKey(i);
-- if (pk) {
-- switch (pk->keyType) {
-- case rsaKey:
-- secu_PrintRSAPublicKey(out, pk, "RSA Public Key", level +1);
-- break;
--
-- case dsaKey:
-- secu_PrintDSAPublicKey(out, pk, "DSA Public Key", level +1);
-- break;
--
--#ifdef NSS_ENABLE_ECC
-- case ecKey:
-- secu_PrintECPublicKey(out, pk, "EC Public Key", level +1);
-- break;
--#endif
--
-- case dhKey:
-- case fortezzaKey:
-- case keaKey:
-- SECU_Indent(out, level);
-- fprintf(out, "unable to format this SPKI algorithm type\n");
-- goto loser;
-- default:
-- SECU_Indent(out, level);
-- fprintf(out, "unknown SPKI algorithm type\n");
-- goto loser;
-- }
-- PORT_FreeArena(pk->arena, PR_FALSE);
-- } else {
-- SECU_PrintErrMsg(out, level, "Error", "Parsing public key");
--loser:
-- if (i->subjectPublicKey.data) {
-- SECU_PrintAny(out, &i->subjectPublicKey, "Raw", level);
-- }
-- }
--}
--
--static SECStatus
--secu_PrintX509InvalidDate(FILE *out, SECItem *value, char *msg, int level)
--{
-- SECItem decodedValue;
-- SECStatus rv;
-- int64 invalidTime;
-- char *formattedTime = NULL;
--
-- decodedValue.data = NULL;
-- rv = SEC_ASN1DecodeItem (NULL, &decodedValue,
-- SEC_ASN1_GET(SEC_GeneralizedTimeTemplate),
-- value);
-- if (rv == SECSuccess) {
-- rv = DER_GeneralizedTimeToTime(&invalidTime, &decodedValue);
-- if (rv == SECSuccess) {
-- formattedTime = CERT_GenTime2FormattedAscii
-- (invalidTime, "%a %b %d %H:%M:%S %Y");
-- SECU_Indent(out, level +1);
-- fprintf (out, "%s: %s\n", msg, formattedTime);
-- PORT_Free (formattedTime);
-- }
-- }
-- PORT_Free (decodedValue.data);
-- return (rv);
--}
--
--static SECStatus
--PrintExtKeyUsageExtension (FILE *out, SECItem *value, char *msg, int level)
--{
-- CERTOidSequence *os;
-- SECItem **op;
--
-- os = CERT_DecodeOidSequence(value);
-- if( (CERTOidSequence *)NULL == os ) {
-- return SECFailure;
-- }
--
-- for( op = os->oids; *op; op++ ) {
-- SECU_PrintObjectID(out, *op, msg, level + 1);
-- }
-- CERT_DestroyOidSequence(os);
-- return SECSuccess;
--}
--
--static SECStatus
--secu_PrintBasicConstraints(FILE *out, SECItem *value, char *msg, int level) {
-- CERTBasicConstraints constraints;
-- SECStatus rv;
--
-- SECU_Indent(out, level);
-- if (msg) {
-- fprintf(out,"%s: ",msg);
-- }
-- rv = CERT_DecodeBasicConstraintValue(&constraints,value);
-- if (rv == SECSuccess && constraints.isCA) {
-- if (constraints.pathLenConstraint >= 0) {
-- fprintf(out,"Is a CA with a maximum path length of %d.\n",
-- constraints.pathLenConstraint);
-- } else {
-- fprintf(out,"Is a CA with no maximum path length.\n");
-- }
-- } else {
-- fprintf(out,"Is not a CA.\n");
-- }
-- return SECSuccess;
--}
--
--static const char * const nsTypeBits[] = {
-- "SSL Client",
-- "SSL Server",
-- "S/MIME",
-- "Object Signing",
-- "Reserved",
-- "SSL CA",
-- "S/MIME CA",
-- "ObjectSigning CA"
--};
--
--/* NSCertType is merely a bit string whose bits are displayed symbolically */
--static SECStatus
--secu_PrintNSCertType(FILE *out, SECItem *value, char *msg, int level)
--{
-- int unused;
-- int NS_Type;
-- int i;
-- int found = 0;
-- SECItem my = *value;
--
-- if ((my.data[0] != SEC_ASN1_BIT_STRING) ||
-- SECSuccess != SECU_StripTagAndLength(&my)) {
-- SECU_PrintAny(out, value, "Data", level);
-- return SECSuccess;
-- }
--
-- unused = (my.len == 2) ? (my.data[0] & 0x0f) : 0;
-- NS_Type = my.data[1] & (0xff << unused);
--
--
-- SECU_Indent(out, level);
-- if (msg) {
-- fprintf(out,"%s: ",msg);
-- } else {
-- fprintf(out,"Netscape Certificate Type: ");
-- }
-- for (i=0; i < 8; i++) {
-- if ( (0x80 >> i) & NS_Type) {
-- fprintf(out, "%c%s", (found ? ',' : '<'), nsTypeBits[i]);
-- found = 1;
-- }
-- }
-- fprintf(out, (found ? ">\n" : "none\n"));
-- return SECSuccess;
--}
--
--static const char * const usageBits[] = {
-- "Digital Signature", /* 0x80 */
-- "Non-Repudiation", /* 0x40 */
-- "Key Encipherment", /* 0x20 */
-- "Data Encipherment", /* 0x10 */
-- "Key Agreement", /* 0x08 */
-- "Certificate Signing", /* 0x04 */
-- "CRL Signing", /* 0x02 */
-- "Encipher Only", /* 0x01 */
-- "Decipher Only", /* 0x0080 */
-- NULL
--};
--
--/* X509KeyUsage is merely a bit string whose bits are displayed symbolically */
--static void
--secu_PrintX509KeyUsage(FILE *out, SECItem *value, char *msg, int level)
--{
-- int unused;
-- int usage;
-- int i;
-- int found = 0;
-- SECItem my = *value;
--
-- if ((my.data[0] != SEC_ASN1_BIT_STRING) ||
-- SECSuccess != SECU_StripTagAndLength(&my)) {
-- SECU_PrintAny(out, value, "Data", level);
-- return;
-- }
--
-- unused = (my.len >= 2) ? (my.data[0] & 0x0f) : 0;
-- usage = (my.len == 2) ? (my.data[1] & (0xff << unused)) << 8
-- : (my.data[1] << 8) |
-- (my.data[2] & (0xff << unused));
--
-- SECU_Indent(out, level);
-- fprintf(out, "Usages: ");
-- for (i=0; usageBits[i]; i++) {
-- if ( (0x8000 >> i) & usage) {
-- if (found)
-- SECU_Indent(out, level + 2);
-- fprintf(out, "%s\n", usageBits[i]);
-- found = 1;
-- }
-- }
-- if (!found) {
-- fprintf(out, "(none)\n");
-- }
--}
--
--static void
--secu_PrintIPAddress(FILE *out, SECItem *value, char *msg, int level)
--{
-- PRStatus st;
-- PRNetAddr addr;
-- char addrBuf[80];
--
-- memset(&addr, 0, sizeof addr);
-- if (value->len == 4) {
-- addr.inet.family = PR_AF_INET;
-- memcpy(&addr.inet.ip, value->data, value->len);
-- } else if (value->len == 16) {
-- addr.ipv6.family = PR_AF_INET6;
-- memcpy(addr.ipv6.ip.pr_s6_addr, value->data, value->len);
-- if (PR_IsNetAddrType(&addr, PR_IpAddrV4Mapped)) {
-- /* convert to IPv4. */
-- addr.inet.family = PR_AF_INET;
-- memcpy(&addr.inet.ip, &addr.ipv6.ip.pr_s6_addr[12], 4);
-- memset(&addr.inet.pad[0], 0, sizeof addr.inet.pad);
-- }
-- } else {
-- goto loser;
-- }
--
-- st = PR_NetAddrToString(&addr, addrBuf, sizeof addrBuf);
-- if (st == PR_SUCCESS) {
-- SECU_Indent(out, level);
-- fprintf(out, "%s: %s\n", msg, addrBuf);
-- } else {
--loser:
-- SECU_PrintAsHex(out, value, msg, level);
-- }
--}
--
--
--static void
--secu_PrintGeneralName(FILE *out, CERTGeneralName *gname, char *msg, int level)
--{
-- char label[40];
-- if (msg && msg[0]) {
-- SECU_Indent(out, level++); fprintf(out, "%s: \n", msg);
-- }
-- switch (gname->type) {
-- case certOtherName :
-- SECU_PrintAny( out, &gname->name.OthName.name, "Other Name", level);
-- SECU_PrintObjectID(out, &gname->name.OthName.oid, "OID", level+1);
-- break;
-- case certDirectoryName :
-- SECU_PrintName(out, &gname->name.directoryName, "Directory Name", level);
-- break;
-- case certRFC822Name :
-- secu_PrintRawString( out, &gname->name.other, "RFC822 Name", level);
-- break;
-- case certDNSName :
-- secu_PrintRawString( out, &gname->name.other, "DNS name", level);
-- break;
-- case certURI :
-- secu_PrintRawString( out, &gname->name.other, "URI", level);
-- break;
-- case certIPAddress :
-- secu_PrintIPAddress(out, &gname->name.other, "IP Address", level);
-- break;
-- case certRegisterID :
-- SECU_PrintObjectID( out, &gname->name.other, "Registered ID", level);
-- break;
-- case certX400Address :
-- SECU_PrintAny( out, &gname->name.other, "X400 Address", level);
-- break;
-- case certEDIPartyName :
-- SECU_PrintAny( out, &gname->name.other, "EDI Party", level);
-- break;
-- default:
-- PR_snprintf(label, sizeof label, "unknown type [%d]",
-- (int)gname->type - 1);
-- SECU_PrintAsHex(out, &gname->name.other, label, level);
-- break;
-- }
--}
--
--static void
--secu_PrintGeneralNames(FILE *out, CERTGeneralName *gname, char *msg, int level)
--{
-- CERTGeneralName *name = gname;
-- do {
-- secu_PrintGeneralName(out, name, msg, level);
-- name = CERT_GetNextGeneralName(name);
-- } while (name && name != gname);
--}
--
--
--static void
--secu_PrintAuthKeyIDExtension(FILE *out, SECItem *value, char *msg, int level)
--{
-- CERTAuthKeyID *kid = NULL;
-- PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
--
-- if (!pool) {
-- SECU_PrintError("Error", "Allocating new ArenaPool");
-- return;
-- }
-- kid = CERT_DecodeAuthKeyID(pool, value);
-- if (!kid) {
-- SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
-- SECU_PrintAny(out, value, "Data", level);
-- } else {
-- int keyIDPresent = (kid->keyID.data && kid->keyID.len);
-- int issuerPresent = kid->authCertIssuer != NULL;
-- int snPresent = (kid->authCertSerialNumber.data &&
-- kid->authCertSerialNumber.len);
--
-- if (keyIDPresent)
-- SECU_PrintAsHex(out, &kid->keyID, "Key ID", level);
-- if (issuerPresent)
-- secu_PrintGeneralName(out, kid->authCertIssuer, "Issuer", level);
-- if (snPresent)
-- SECU_PrintInteger(out, &kid->authCertSerialNumber,
-- "Serial Number", level);
-- }
-- PORT_FreeArena(pool, PR_FALSE);
--}
--
--
--static void
--secu_PrintAltNameExtension(FILE *out, SECItem *value, char *msg, int level)
--{
-- CERTGeneralName * nameList;
-- CERTGeneralName * current;
-- PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
--
-- if (!pool) {
-- SECU_PrintError("Error", "Allocating new ArenaPool");
-- return;
-- }
-- nameList = current = CERT_DecodeAltNameExtension(pool, value);
-- if (!current) {
-- if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) {
-- /* Decoder found empty sequence, which is invalid. */
-- PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID);
-- }
-- SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
-- SECU_PrintAny(out, value, "Data", level);
-- } else {
-- do {
-- secu_PrintGeneralName(out, current, msg, level);
-- current = CERT_GetNextGeneralName(current);
-- } while (current != nameList);
-- }
-- PORT_FreeArena(pool, PR_FALSE);
--}
--
--static void
--secu_PrintCRLDistPtsExtension(FILE *out, SECItem *value, char *msg, int level)
--{
-- CERTCrlDistributionPoints * dPoints;
-- PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
--
-- if (!pool) {
-- SECU_PrintError("Error", "Allocating new ArenaPool");
-- return;
-- }
-- dPoints = CERT_DecodeCRLDistributionPoints(pool, value);
-- if (dPoints && dPoints->distPoints && dPoints->distPoints[0]) {
-- CRLDistributionPoint ** pPoints = dPoints->distPoints;
-- CRLDistributionPoint * pPoint;
-- while (NULL != (pPoint = *pPoints++)) {
-- SECU_Indent(out, level); fputs("Distribution point:\n", out);
-- if (pPoint->distPointType == generalName &&
-- pPoint->distPoint.fullName != NULL) {
-- secu_PrintGeneralNames(out, pPoint->distPoint.fullName, NULL,
-- level + 1);
-- } else if (pPoint->distPointType == relativeDistinguishedName &&
-- pPoint->distPoint.relativeName.avas) {
-- SECU_PrintRDN(out, &pPoint->distPoint.relativeName, "RDN",
-- level + 1);
-- } else if (pPoint->derDistPoint.data) {
-- SECU_PrintAny(out, &pPoint->derDistPoint, "Point", level + 1);
-- }
-- if (pPoint->reasons.data) {
-- secu_PrintDecodedBitString(out, &pPoint->reasons, "Reasons",
-- level + 1);
-- }
-- if (pPoint->crlIssuer) {
-- secu_PrintGeneralName(out, pPoint->crlIssuer, "CRL issuer",
-- level + 1);
-- }
-- }
-- } else {
-- SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
-- SECU_PrintAny(out, value, "Data", level);
-- }
-- PORT_FreeArena(pool, PR_FALSE);
--}
--
--
--static void
--secu_PrintNameConstraintSubtree(FILE *out, CERTNameConstraint *value,
-- char *msg, int level)
--{
-- CERTNameConstraint *head = value;
-- SECU_Indent(out, level); fprintf(out, "%s Subtree:\n", msg);
-- level++;
-- do {
-- secu_PrintGeneralName(out, &value->name, NULL, level);
-- if (value->min.data)
-- SECU_PrintInteger(out, &value->min, "Minimum", level+1);
-- if (value->max.data)
-- SECU_PrintInteger(out, &value->max, "Maximum", level+1);
-- value = CERT_GetNextNameConstraint(value);
-- } while (value != head);
--}
--
--static void
--secu_PrintNameConstraintsExtension(FILE *out, SECItem *value, char *msg, int level)
--{
-- CERTNameConstraints * cnstrnts;
-- PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
--
-- if (!pool) {
-- SECU_PrintError("Error", "Allocating new ArenaPool");
-- return;
-- }
-- cnstrnts = CERT_DecodeNameConstraintsExtension(pool, value);
-- if (!cnstrnts) {
-- SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
-- SECU_PrintAny(out, value, "Raw", level);
-- } else {
-- if (cnstrnts->permited)
-- secu_PrintNameConstraintSubtree(out, cnstrnts->permited,
-- "Permitted", level);
-- if (cnstrnts->excluded)
-- secu_PrintNameConstraintSubtree(out, cnstrnts->excluded,
-- "Excluded", level);
-- }
-- PORT_FreeArena(pool, PR_FALSE);
--}
--
--
--static void
--secu_PrintAuthorityInfoAcess(FILE *out, SECItem *value, char *msg, int level)
--{
-- CERTAuthInfoAccess **infos = NULL;
-- PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
--
-- if (!pool) {
-- SECU_PrintError("Error", "Allocating new ArenaPool");
-- return;
-- }
-- infos = CERT_DecodeAuthInfoAccessExtension(pool, value);
-- if (!infos) {
-- SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
-- SECU_PrintAny(out, value, "Raw", level);
-- } else {
-- CERTAuthInfoAccess *info;
-- while (NULL != (info = *infos++)) {
-- if (info->method.data) {
-- SECU_PrintObjectID(out, &info->method, "Method", level);
-- } else {
-- SECU_Indent(out,level);
-- fprintf(out, "Error: missing method\n");
-- }
-- if (info->location) {
-- secu_PrintGeneralName(out, info->location, "Location", level);
-- } else {
-- SECU_PrintAny(out, &info->derLocation, "Location", level);
-- }
-- }
-- }
-- PORT_FreeArena(pool, PR_FALSE);
--}
--
--
--void
--SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
-- char *msg, int level)
--{
-- SECOidTag oidTag;
--
-- if ( extensions ) {
-- if (msg && *msg) {
-- SECU_Indent(out, level++); fprintf(out, "%s:\n", msg);
-- }
--
-- while ( *extensions ) {
-- SECItem *tmpitem;
--
-- tmpitem = &(*extensions)->id;
-- SECU_PrintObjectID(out, tmpitem, "Name", level);
--
-- tmpitem = &(*extensions)->critical;
-- if ( tmpitem->len ) {
-- secu_PrintBoolean(out, tmpitem, "Critical", level);
-- }
--
-- oidTag = SECOID_FindOIDTag (&((*extensions)->id));
-- tmpitem = &((*extensions)->value);
--
-- switch (oidTag) {
-- case SEC_OID_X509_INVALID_DATE:
-- case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME:
-- secu_PrintX509InvalidDate(out, tmpitem, "Date", level );
-- break;
-- case SEC_OID_X509_CERTIFICATE_POLICIES:
-- SECU_PrintPolicy(out, tmpitem, "Data", level );
-- break;
-- case SEC_OID_NS_CERT_EXT_BASE_URL:
-- case SEC_OID_NS_CERT_EXT_REVOCATION_URL:
-- case SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL:
-- case SEC_OID_NS_CERT_EXT_CA_CRL_URL:
-- case SEC_OID_NS_CERT_EXT_CA_CERT_URL:
-- case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL:
-- case SEC_OID_NS_CERT_EXT_CA_POLICY_URL:
-- case SEC_OID_NS_CERT_EXT_HOMEPAGE_URL:
-- case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL:
-- case SEC_OID_OCSP_RESPONDER:
-- SECU_PrintString(out,tmpitem, "URL", level);
-- break;
-- case SEC_OID_NS_CERT_EXT_COMMENT:
-- SECU_PrintString(out,tmpitem, "Comment", level);
-- break;
-- case SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME:
-- SECU_PrintString(out,tmpitem, "ServerName", level);
-- break;
-- case SEC_OID_NS_CERT_EXT_CERT_TYPE:
-- secu_PrintNSCertType(out,tmpitem,"Data",level);
-- break;
-- case SEC_OID_X509_BASIC_CONSTRAINTS:
-- secu_PrintBasicConstraints(out,tmpitem,"Data",level);
-- break;
-- case SEC_OID_X509_EXT_KEY_USAGE:
-- PrintExtKeyUsageExtension(out, tmpitem, NULL, level);
-- break;
-- case SEC_OID_X509_KEY_USAGE:
-- secu_PrintX509KeyUsage(out, tmpitem, NULL, level );
-- break;
-- case SEC_OID_X509_AUTH_KEY_ID:
-- secu_PrintAuthKeyIDExtension(out, tmpitem, NULL, level );
-- break;
-- case SEC_OID_X509_SUBJECT_ALT_NAME:
-- case SEC_OID_X509_ISSUER_ALT_NAME:
-- secu_PrintAltNameExtension(out, tmpitem, NULL, level );
-- break;
-- case SEC_OID_X509_CRL_DIST_POINTS:
-- secu_PrintCRLDistPtsExtension(out, tmpitem, NULL, level );
-- break;
-- case SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD:
-- SECU_PrintPrivKeyUsagePeriodExtension(out, tmpitem, NULL,
-- level );
-- break;
-- case SEC_OID_X509_NAME_CONSTRAINTS:
-- secu_PrintNameConstraintsExtension(out, tmpitem, NULL, level);
-- break;
-- case SEC_OID_X509_AUTH_INFO_ACCESS:
-- secu_PrintAuthorityInfoAcess(out, tmpitem, NULL, level);
-- break;
--
-- case SEC_OID_X509_CRL_NUMBER:
-- case SEC_OID_X509_REASON_CODE:
--
-- /* PKIX OIDs */
-- case SEC_OID_PKIX_OCSP:
-- case SEC_OID_PKIX_OCSP_BASIC_RESPONSE:
-- case SEC_OID_PKIX_OCSP_NONCE:
-- case SEC_OID_PKIX_OCSP_CRL:
-- case SEC_OID_PKIX_OCSP_RESPONSE:
-- case SEC_OID_PKIX_OCSP_NO_CHECK:
-- case SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF:
-- case SEC_OID_PKIX_OCSP_SERVICE_LOCATOR:
-- case SEC_OID_PKIX_REGCTRL_REGTOKEN:
-- case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
-- case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
-- case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
-- case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
-- case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
-- case SEC_OID_PKIX_REGINFO_UTF8_PAIRS:
-- case SEC_OID_PKIX_REGINFO_CERT_REQUEST:
--
-- /* Netscape extension OIDs. */
-- case SEC_OID_NS_CERT_EXT_NETSCAPE_OK:
-- case SEC_OID_NS_CERT_EXT_ISSUER_LOGO:
-- case SEC_OID_NS_CERT_EXT_SUBJECT_LOGO:
-- case SEC_OID_NS_CERT_EXT_ENTITY_LOGO:
-- case SEC_OID_NS_CERT_EXT_USER_PICTURE:
--
-- /* x.509 v3 Extensions */
-- case SEC_OID_X509_SUBJECT_DIRECTORY_ATTR:
-- case SEC_OID_X509_SUBJECT_KEY_ID:
-- case SEC_OID_X509_POLICY_MAPPINGS:
-- case SEC_OID_X509_POLICY_CONSTRAINTS:
--
--
-- default:
-- SECU_PrintAny(out, tmpitem, "Data", level);
-- break;
-- }
--
-- secu_Newline(out);
-- extensions++;
-- }
-- }
--}
--
--/* An RDN is a subset of a DirectoryName, and we already know how to
-- * print those, so make a directory name out of the RDN, and print it.
-- */
--void
--SECU_PrintRDN(FILE *out, CERTRDN *rdn, const char *msg, int level)
--{
-- CERTName name;
-- CERTRDN *rdns[2];
--
-- name.arena = NULL;
-- name.rdns = rdns;
-- rdns[0] = rdn;
-- rdns[1] = NULL;
-- SECU_PrintName(out, &name, msg, level);
--}
--
--void
--SECU_PrintNameQuotesOptional(FILE *out, CERTName *name, const char *msg,
-- int level, PRBool quotes)
--{
-- char *nameStr = NULL;
-- char *str;
-- SECItem my;
--
-- if (!name) {
-- PORT_SetError(SEC_ERROR_INVALID_ARGS);
-- return;
-- }
-- if (!name->rdns || !name->rdns[0]) {
-- str = "(empty)";
-- } else {
-- str = nameStr = CERT_NameToAscii(name);
-- }
-- if (!str) {
-- str = "!Invalid AVA!";
-- }
-- my.data = (unsigned char *)str;
-- my.len = PORT_Strlen(str);
--#if 1
-- secu_PrintRawStringQuotesOptional(out, &my, msg, level, quotes);
--#else
-- SECU_Indent(out, level); fprintf(out, "%s: ", msg);
-- fprintf(out, str);
-- secu_Newline(out);
--#endif
-- PORT_Free(nameStr);
--}
--
--void
--SECU_PrintName(FILE *out, CERTName *name, const char *msg, int level)
--{
-- SECU_PrintNameQuotesOptional(out, name, msg, level, PR_TRUE);
--}
--
--void
--printflags(char *trusts, unsigned int flags)
--{
-- if (flags & CERTDB_VALID_CA)
-- if (!(flags & CERTDB_TRUSTED_CA) &&
-- !(flags & CERTDB_TRUSTED_CLIENT_CA))
-- PORT_Strcat(trusts, "c");
-- if (flags & CERTDB_TERMINAL_RECORD)
-- if (!(flags & CERTDB_TRUSTED))
-- PORT_Strcat(trusts, "p");
-- if (flags & CERTDB_TRUSTED_CA)
-- PORT_Strcat(trusts, "C");
-- if (flags & CERTDB_TRUSTED_CLIENT_CA)
-- PORT_Strcat(trusts, "T");
-- if (flags & CERTDB_TRUSTED)
-- PORT_Strcat(trusts, "P");
-- if (flags & CERTDB_USER)
-- PORT_Strcat(trusts, "u");
-- if (flags & CERTDB_SEND_WARN)
-- PORT_Strcat(trusts, "w");
-- if (flags & CERTDB_INVISIBLE_CA)
-- PORT_Strcat(trusts, "I");
-- if (flags & CERTDB_GOVT_APPROVED_CA)
-- PORT_Strcat(trusts, "G");
-- return;
--}
--
--/* callback for listing certs through pkcs11 */
--SECStatus
--SECU_PrintCertNickname(CERTCertListNode *node, void *data)
--{
-- CERTCertTrust *trust;
-- CERTCertificate* cert;
-- FILE *out;
-- char trusts[30];
-- char *name;
--
-- cert = node->cert;
--
-- PORT_Memset (trusts, 0, sizeof (trusts));
-- out = (FILE *)data;
--
-- name = node->appData;
-- if (!name || !name[0]) {
-- name = cert->nickname;
-- }
-- if (!name || !name[0]) {
-- name = cert->emailAddr;
-- }
-- if (!name || !name[0]) {
-- name = "(NULL)";
-- }
--
-- trust = cert->trust;
-- if (trust) {
-- printflags(trusts, trust->sslFlags);
-- PORT_Strcat(trusts, ",");
-- printflags(trusts, trust->emailFlags);
-- PORT_Strcat(trusts, ",");
-- printflags(trusts, trust->objectSigningFlags);
-- } else {
-- PORT_Memcpy(trusts,",,",3);
-- }
-- fprintf(out, "%-60s %-5s\n", name, trusts);
--
-- return (SECSuccess);
--}
--
--int
--SECU_DecodeAndPrintExtensions(FILE *out, SECItem *any, char *m, int level)
--{
-- CERTCertExtension **extensions = NULL;
-- PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-- int rv = 0;
--
-- if (!arena)
-- return SEC_ERROR_NO_MEMORY;
--
-- rv = SEC_QuickDERDecodeItem(arena, &extensions,
-- SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate), any);
-- if (!rv)
-- SECU_PrintExtensions(out, extensions, m, level);
-- else
-- SECU_PrintAny(out, any, m, level);
-- PORT_FreeArena(arena, PR_FALSE);
-- return rv;
--}
--
--/* print a decoded SET OF or SEQUENCE OF Extensions */
--int
--SECU_PrintSetOfExtensions(FILE *out, SECItem **any, char *m, int level)
--{
-- int rv = 0;
-- if (m && *m) {
-- SECU_Indent(out, level++); fprintf(out, "%s:\n", m);
-- }
-- while (any && any[0]) {
-- rv |= SECU_DecodeAndPrintExtensions(out, any[0], "", level);
-- any++;
-- }
-- return rv;
--}
--
--/* print a decoded SET OF or SEQUENCE OF "ANY" */
--int
--SECU_PrintSetOfAny(FILE *out, SECItem **any, char *m, int level)
--{
-- int rv = 0;
-- if (m && *m) {
-- SECU_Indent(out, level++); fprintf(out, "%s:\n", m);
-- }
-- while (any && any[0]) {
-- SECU_PrintAny(out, any[0], "", level);
-- any++;
-- }
-- return rv;
--}
--
--int
--SECU_PrintCertAttribute(FILE *out, CERTAttribute *attr, char *m, int level)
--{
-- int rv = 0;
-- SECOidTag tag;
-- tag = SECU_PrintObjectID(out, &attr->attrType, "Attribute Type", level);
-- if (tag == SEC_OID_PKCS9_EXTENSION_REQUEST) {
-- rv = SECU_PrintSetOfExtensions(out, attr->attrValue, "Extensions", level);
-- } else {
-- rv = SECU_PrintSetOfAny(out, attr->attrValue, "Attribute Values", level);
-- }
-- return rv;
--}
--
--int
--SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, char *m, int level)
--{
-- int rv = 0;
-- while (attrs[0]) {
-- rv |= SECU_PrintCertAttribute(out, attrs[0], m, level+1);
-- attrs++;
-- }
-- return rv;
--}
--
--int /* sometimes a PRErrorCode, other times a SECStatus. Sigh. */
--SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level)
--{
-- PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-- CERTCertificateRequest *cr;
-- int rv = SEC_ERROR_NO_MEMORY;
--
-- if (!arena)
-- return rv;
--
-- /* Decode certificate request */
-- cr = PORT_ArenaZNew(arena, CERTCertificateRequest);
-- if (!cr)
-- goto loser;
-- cr->arena = arena;
-- rv = SEC_QuickDERDecodeItem(arena, cr,
-- SEC_ASN1_GET(CERT_CertificateRequestTemplate), der);
-- if (rv)
-- goto loser;
--
-- /* Pretty print it out */
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- SECU_PrintInteger(out, &cr->version, "Version", level+1);
-- SECU_PrintName(out, &cr->subject, "Subject", level+1);
-- secu_PrintSubjectPublicKeyInfo(out, arena, &cr->subjectPublicKeyInfo,
-- "Subject Public Key Info", level+1);
-- if (cr->attributes)
-- SECU_PrintCertAttributes(out, cr->attributes, "Attributes", level+1);
-- rv = 0;
--loser:
-- PORT_FreeArena(arena, PR_FALSE);
-- return rv;
--}
--
--int
--SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level)
--{
-- PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-- CERTCertificate *c;
-- int rv = SEC_ERROR_NO_MEMORY;
-- int iv;
--
-- if (!arena)
-- return rv;
--
-- /* Decode certificate */
-- c = PORT_ArenaZNew(arena, CERTCertificate);
-- if (!c)
-- goto loser;
-- c->arena = arena;
-- rv = SEC_ASN1DecodeItem(arena, c,
-- SEC_ASN1_GET(CERT_CertificateTemplate), der);
-- if (rv) {
-- SECU_Indent(out, level);
-- SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
-- SECU_PrintAny(out, der, "Raw", level);
-- goto loser;
-- }
-- /* Pretty print it out */
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- iv = c->version.len ? DER_GetInteger(&c->version) : 0; /* version is optional */
-- SECU_Indent(out, level+1); fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv);
--
-- SECU_PrintInteger(out, &c->serialNumber, "Serial Number", level+1);
-- SECU_PrintAlgorithmID(out, &c->signature, "Signature Algorithm", level+1);
-- SECU_PrintName(out, &c->issuer, "Issuer", level+1);
-- secu_PrintValidity(out, &c->validity, "Validity", level+1);
-- SECU_PrintName(out, &c->subject, "Subject", level+1);
-- secu_PrintSubjectPublicKeyInfo(out, arena, &c->subjectPublicKeyInfo,
-- "Subject Public Key Info", level+1);
-- if (c->issuerID.data)
-- secu_PrintDecodedBitString(out, &c->issuerID, "Issuer Unique ID", level+1);
-- if (c->subjectID.data)
-- secu_PrintDecodedBitString(out, &c->subjectID, "Subject Unique ID", level+1);
-- SECU_PrintExtensions(out, c->extensions, "Signed Extensions", level+1);
--loser:
-- PORT_FreeArena(arena, PR_FALSE);
-- return rv;
--}
--
--int
--SECU_PrintRSAPublicKey(FILE *out, SECItem *der, char *m, int level)
--{
-- PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-- SECKEYPublicKey key;
-- int rv = SEC_ERROR_NO_MEMORY;
--
-- if (!arena)
-- return rv;
--
-- PORT_Memset(&key, 0, sizeof(key));
-- rv = SEC_ASN1DecodeItem(arena, &key,
-- SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate), der);
-- if (!rv) {
-- /* Pretty print it out */
-- secu_PrintRSAPublicKey(out, &key, m, level);
-- }
--
-- PORT_FreeArena(arena, PR_FALSE);
-- return rv;
--}
--
--int
--SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m, int level)
--{
-- PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-- int rv = SEC_ERROR_NO_MEMORY;
-- CERTSubjectPublicKeyInfo spki;
--
-- if (!arena)
-- return rv;
--
-- PORT_Memset(&spki, 0, sizeof spki);
-- rv = SEC_ASN1DecodeItem(arena, &spki,
-- SEC_ASN1_GET(CERT_SubjectPublicKeyInfoTemplate),
-- der);
-- if (!rv) {
-- if (m && *m) {
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- }
-- secu_PrintSubjectPublicKeyInfo(out, arena, &spki,
-- "Subject Public Key Info", level+1);
-- }
--
-- PORT_FreeArena(arena, PR_FALSE);
-- return rv;
--}
--
--#ifdef HAVE_EPV_TEMPLATE
--int
--SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level)
--{
-- PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-- SECKEYEncryptedPrivateKeyInfo key;
-- int rv = SEC_ERROR_NO_MEMORY;
--
-- if (!arena)
-- return rv;
--
-- PORT_Memset(&key, 0, sizeof(key));
-- rv = SEC_ASN1DecodeItem(arena, &key,
-- SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate), der);
-- if (rv)
-- goto loser;
--
-- /* Pretty print it out */
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- SECU_PrintAlgorithmID(out, &key.algorithm, "Encryption Algorithm",
-- level+1);
-- SECU_PrintAsHex(out, &key.encryptedData, "Encrypted Data", level+1);
--loser:
-- PORT_FreeArena(arena, PR_TRUE);
-- return rv;
--}
--#endif
--
--int
--SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, int level)
--{
-- unsigned char fingerprint[20];
-- char *fpStr = NULL;
-- int err = PORT_GetError();
-- SECStatus rv;
-- SECItem fpItem;
--
-- /* print MD5 fingerprint */
-- memset(fingerprint, 0, sizeof fingerprint);
-- rv = PK11_HashBuf(SEC_OID_MD5,fingerprint, derCert->data, derCert->len);
-- fpItem.data = fingerprint;
-- fpItem.len = MD5_LENGTH;
-- fpStr = CERT_Hexify(&fpItem, 1);
-- SECU_Indent(out, level); fprintf(out, "%s (MD5):", m);
-- if (wrapEnabled) {
-- fprintf(out, "\n");
-- SECU_Indent(out, level+1);
-- }
-- else {
-- fprintf(out, " ");
-- }
-- fprintf(out, "%s\n", fpStr);
-- PORT_Free(fpStr);
-- fpStr = NULL;
-- if (rv != SECSuccess && !err)
-- err = PORT_GetError();
--
-- /* print SHA1 fingerprint */
-- memset(fingerprint, 0, sizeof fingerprint);
-- rv = PK11_HashBuf(SEC_OID_SHA1,fingerprint, derCert->data, derCert->len);
-- fpItem.data = fingerprint;
-- fpItem.len = SHA1_LENGTH;
-- fpStr = CERT_Hexify(&fpItem, 1);
-- SECU_Indent(out, level); fprintf(out, "%s (SHA1):", m);
-- if (wrapEnabled) {
-- fprintf(out, "\n");
-- SECU_Indent(out, level+1);
-- }
-- else {
-- fprintf(out, " ");
-- }
-- fprintf(out, "%s\n", fpStr);
-- PORT_Free(fpStr);
-- if (wrapEnabled)
-- fprintf(out, "\n");
--
-- if (err)
-- PORT_SetError(err);
-- if (err || rv != SECSuccess)
-- return SECFailure;
--
-- return 0;
--}
--
--/*
--** PKCS7 Support
--*/
--
--/* forward declaration */
--static int
--secu_PrintPKCS7ContentInfo(FILE *, SEC_PKCS7ContentInfo *, char *, int);
--
--/*
--** secu_PrintPKCS7EncContent
--** Prints a SEC_PKCS7EncryptedContentInfo (without decrypting it)
--*/
--static void
--secu_PrintPKCS7EncContent(FILE *out, SEC_PKCS7EncryptedContentInfo *src,
-- char *m, int level)
--{
-- if (src->contentTypeTag == NULL)
-- src->contentTypeTag = SECOID_FindOID(&(src->contentType));
--
-- SECU_Indent(out, level);
-- fprintf(out, "%s:\n", m);
-- SECU_Indent(out, level + 1);
-- fprintf(out, "Content Type: %s\n",
-- (src->contentTypeTag != NULL) ? src->contentTypeTag->desc
-- : "Unknown");
-- SECU_PrintAlgorithmID(out, &(src->contentEncAlg),
-- "Content Encryption Algorithm", level+1);
-- SECU_PrintAsHex(out, &(src->encContent),
-- "Encrypted Content", level+1);
--}
--
--/*
--** secu_PrintRecipientInfo
--** Prints a PKCS7RecipientInfo type
--*/
--static void
--secu_PrintRecipientInfo(FILE *out, SEC_PKCS7RecipientInfo *info, char *m,
-- int level)
--{
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- SECU_PrintInteger(out, &(info->version), "Version", level + 1);
--
-- SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer",
-- level + 1);
-- SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber),
-- "Serial Number", level + 1);
--
-- /* Parse and display encrypted key */
-- SECU_PrintAlgorithmID(out, &(info->keyEncAlg),
-- "Key Encryption Algorithm", level + 1);
-- SECU_PrintAsHex(out, &(info->encKey), "Encrypted Key", level + 1);
--}
--
--/*
--** secu_PrintSignerInfo
--** Prints a PKCS7SingerInfo type
--*/
--static void
--secu_PrintSignerInfo(FILE *out, SEC_PKCS7SignerInfo *info, char *m, int level)
--{
-- SEC_PKCS7Attribute *attr;
-- int iv;
-- char om[100];
--
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- SECU_PrintInteger(out, &(info->version), "Version", level + 1);
--
-- SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer",
-- level + 1);
-- SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber),
-- "Serial Number", level + 1);
--
-- SECU_PrintAlgorithmID(out, &(info->digestAlg), "Digest Algorithm",
-- level + 1);
--
-- if (info->authAttr != NULL) {
-- SECU_Indent(out, level + 1);
-- fprintf(out, "Authenticated Attributes:\n");
-- iv = 0;
-- while ((attr = info->authAttr[iv++]) != NULL) {
-- sprintf(om, "Attribute (%d)", iv);
-- secu_PrintAttribute(out, attr, om, level + 2);
-- }
-- }
--
-- /* Parse and display signature */
-- SECU_PrintAlgorithmID(out, &(info->digestEncAlg),
-- "Digest Encryption Algorithm", level + 1);
-- SECU_PrintAsHex(out, &(info->encDigest), "Encrypted Digest", level + 1);
--
-- if (info->unAuthAttr != NULL) {
-- SECU_Indent(out, level + 1);
-- fprintf(out, "Unauthenticated Attributes:\n");
-- iv = 0;
-- while ((attr = info->unAuthAttr[iv++]) != NULL) {
-- sprintf(om, "Attribute (%x)", iv);
-- secu_PrintAttribute(out, attr, om, level + 2);
-- }
-- }
--}
--
--/* callers of this function must make sure that the CERTSignedCrl
-- from which they are extracting the CERTCrl has been fully-decoded.
-- Otherwise it will not have the entries even though the CRL may have
-- some */
--
--void
--SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level)
--{
-- CERTCrlEntry *entry;
-- int iv;
-- char om[100];
--
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- /* version is optional */
-- iv = crl->version.len ? DER_GetInteger(&crl->version) : 0;
-- SECU_Indent(out, level+1);
-- fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv);
-- SECU_PrintAlgorithmID(out, &(crl->signatureAlg), "Signature Algorithm",
-- level + 1);
-- SECU_PrintName(out, &(crl->name), "Issuer", level + 1);
-- SECU_PrintTimeChoice(out, &(crl->lastUpdate), "This Update", level + 1);
-- if (crl->nextUpdate.data && crl->nextUpdate.len) /* is optional */
-- SECU_PrintTimeChoice(out, &(crl->nextUpdate), "Next Update", level + 1);
--
-- if (crl->entries != NULL) {
-- iv = 0;
-- while ((entry = crl->entries[iv++]) != NULL) {
-- sprintf(om, "Entry %d (0x%x):\n", iv, iv);
-- SECU_Indent(out, level + 1); fputs(om, out);
-- SECU_PrintInteger(out, &(entry->serialNumber), "Serial Number",
-- level + 2);
-- SECU_PrintTimeChoice(out, &(entry->revocationDate),
-- "Revocation Date", level + 2);
-- SECU_PrintExtensions(out, entry->extensions,
-- "Entry Extensions", level + 2);
-- }
-- }
-- SECU_PrintExtensions(out, crl->extensions, "CRL Extensions", level + 1);
--}
--
--/*
--** secu_PrintPKCS7Signed
--** Pretty print a PKCS7 signed data type (up to version 1).
--*/
--static int
--secu_PrintPKCS7Signed(FILE *out, SEC_PKCS7SignedData *src,
-- const char *m, int level)
--{
-- SECAlgorithmID *digAlg; /* digest algorithms */
-- SECItem *aCert; /* certificate */
-- CERTSignedCrl *aCrl; /* certificate revocation list */
-- SEC_PKCS7SignerInfo *sigInfo; /* signer information */
-- int rv, iv;
-- char om[100];
--
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- SECU_PrintInteger(out, &(src->version), "Version", level + 1);
--
-- /* Parse and list digest algorithms (if any) */
-- if (src->digestAlgorithms != NULL) {
-- SECU_Indent(out, level + 1); fprintf(out, "Digest Algorithm List:\n");
-- iv = 0;
-- while ((digAlg = src->digestAlgorithms[iv++]) != NULL) {
-- sprintf(om, "Digest Algorithm (%x)", iv);
-- SECU_PrintAlgorithmID(out, digAlg, om, level + 2);
-- }
-- }
--
-- /* Now for the content */
-- rv = secu_PrintPKCS7ContentInfo(out, &(src->contentInfo),
-- "Content Information", level + 1);
-- if (rv != 0)
-- return rv;
--
-- /* Parse and list certificates (if any) */
-- if (src->rawCerts != NULL) {
-- SECU_Indent(out, level + 1); fprintf(out, "Certificate List:\n");
-- iv = 0;
-- while ((aCert = src->rawCerts[iv++]) != NULL) {
-- sprintf(om, "Certificate (%x)", iv);
-- rv = SECU_PrintSignedData(out, aCert, om, level + 2,
-- SECU_PrintCertificate);
-- if (rv)
-- return rv;
-- }
-- }
--
-- /* Parse and list CRL's (if any) */
-- if (src->crls != NULL) {
-- SECU_Indent(out, level + 1);
-- fprintf(out, "Signed Revocation Lists:\n");
-- iv = 0;
-- while ((aCrl = src->crls[iv++]) != NULL) {
-- sprintf(om, "Signed Revocation List (%x)", iv);
-- SECU_Indent(out, level + 2); fprintf(out, "%s:\n", om);
-- SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm,
-- "Signature Algorithm", level+3);
-- DER_ConvertBitString(&aCrl->signatureWrap.signature);
-- SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature",
-- level+3);
-- SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List",
-- level + 3);
-- }
-- }
--
-- /* Parse and list signatures (if any) */
-- if (src->signerInfos != NULL) {
-- SECU_Indent(out, level + 1);
-- fprintf(out, "Signer Information List:\n");
-- iv = 0;
-- while ((sigInfo = src->signerInfos[iv++]) != NULL) {
-- sprintf(om, "Signer Information (%x)", iv);
-- secu_PrintSignerInfo(out, sigInfo, om, level + 2);
-- }
-- }
--
-- return 0;
--}
--
--/*
--** secu_PrintPKCS7Enveloped
--** Pretty print a PKCS7 enveloped data type (up to version 1).
--*/
--static void
--secu_PrintPKCS7Enveloped(FILE *out, SEC_PKCS7EnvelopedData *src,
-- const char *m, int level)
--{
-- SEC_PKCS7RecipientInfo *recInfo; /* pointer for signer information */
-- int iv;
-- char om[100];
--
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- SECU_PrintInteger(out, &(src->version), "Version", level + 1);
--
-- /* Parse and list recipients (this is not optional) */
-- if (src->recipientInfos != NULL) {
-- SECU_Indent(out, level + 1);
-- fprintf(out, "Recipient Information List:\n");
-- iv = 0;
-- while ((recInfo = src->recipientInfos[iv++]) != NULL) {
-- sprintf(om, "Recipient Information (%x)", iv);
-- secu_PrintRecipientInfo(out, recInfo, om, level + 2);
-- }
-- }
--
-- secu_PrintPKCS7EncContent(out, &src->encContentInfo,
-- "Encrypted Content Information", level + 1);
--}
--
--/*
--** secu_PrintPKCS7SignedEnveloped
--** Pretty print a PKCS7 singed and enveloped data type (up to version 1).
--*/
--static int
--secu_PrintPKCS7SignedAndEnveloped(FILE *out,
-- SEC_PKCS7SignedAndEnvelopedData *src,
-- const char *m, int level)
--{
-- SECAlgorithmID *digAlg; /* pointer for digest algorithms */
-- SECItem *aCert; /* pointer for certificate */
-- CERTSignedCrl *aCrl; /* pointer for certificate revocation list */
-- SEC_PKCS7SignerInfo *sigInfo; /* pointer for signer information */
-- SEC_PKCS7RecipientInfo *recInfo; /* pointer for recipient information */
-- int rv, iv;
-- char om[100];
--
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- SECU_PrintInteger(out, &(src->version), "Version", level + 1);
--
-- /* Parse and list recipients (this is not optional) */
-- if (src->recipientInfos != NULL) {
-- SECU_Indent(out, level + 1);
-- fprintf(out, "Recipient Information List:\n");
-- iv = 0;
-- while ((recInfo = src->recipientInfos[iv++]) != NULL) {
-- sprintf(om, "Recipient Information (%x)", iv);
-- secu_PrintRecipientInfo(out, recInfo, om, level + 2);
-- }
-- }
--
-- /* Parse and list digest algorithms (if any) */
-- if (src->digestAlgorithms != NULL) {
-- SECU_Indent(out, level + 1); fprintf(out, "Digest Algorithm List:\n");
-- iv = 0;
-- while ((digAlg = src->digestAlgorithms[iv++]) != NULL) {
-- sprintf(om, "Digest Algorithm (%x)", iv);
-- SECU_PrintAlgorithmID(out, digAlg, om, level + 2);
-- }
-- }
--
-- secu_PrintPKCS7EncContent(out, &src->encContentInfo,
-- "Encrypted Content Information", level + 1);
--
-- /* Parse and list certificates (if any) */
-- if (src->rawCerts != NULL) {
-- SECU_Indent(out, level + 1); fprintf(out, "Certificate List:\n");
-- iv = 0;
-- while ((aCert = src->rawCerts[iv++]) != NULL) {
-- sprintf(om, "Certificate (%x)", iv);
-- rv = SECU_PrintSignedData(out, aCert, om, level + 2,
-- SECU_PrintCertificate);
-- if (rv)
-- return rv;
-- }
-- }
-+ int j;
-+ char *target = a[i].longform;
-
-- /* Parse and list CRL's (if any) */
-- if (src->crls != NULL) {
-- SECU_Indent(out, level + 1);
-- fprintf(out, "Signed Revocation Lists:\n");
-- iv = 0;
-- while ((aCrl = src->crls[iv++]) != NULL) {
-- sprintf(om, "Signed Revocation List (%x)", iv);
-- SECU_Indent(out, level + 2); fprintf(out, "%s:\n", om);
-- SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm,
-- "Signature Algorithm", level+3);
-- DER_ConvertBitString(&aCrl->signatureWrap.signature);
-- SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature",
-- level+3);
-- SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List",
-- level + 3);
-- }
-- }
-+ if (!target)
-+ return PR_FALSE;
-
-- /* Parse and list signatures (if any) */
-- if (src->signerInfos != NULL) {
-- SECU_Indent(out, level + 1);
-- fprintf(out, "Signer Information List:\n");
-- iv = 0;
-- while ((sigInfo = src->signerInfos[iv++]) != NULL) {
-- sprintf(om, "Signer Information (%x)", iv);
-- secu_PrintSignerInfo(out, sigInfo, om, level + 2);
-+ for (j = i+1; j < count; j++) {
-+ if (a[j].longform && strcmp(a[j].longform, target) == 0) {
-+ return PR_TRUE;
-+ }
- }
-- }
--
-- return 0;
--}
--
--int
--SECU_PrintCrl (FILE *out, SECItem *der, char *m, int level)
--{
-- PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-- CERTCrl *c = NULL;
-- int rv = SEC_ERROR_NO_MEMORY;
--
-- if (!arena)
-- return rv;
-- do {
-- /* Decode CRL */
-- c = PORT_ArenaZNew(arena, CERTCrl);
-- if (!c)
-- break;
--
-- rv = SEC_QuickDERDecodeItem(arena, c, SEC_ASN1_GET(CERT_CrlTemplate), der);
-- if (rv != SECSuccess)
-- break;
-- SECU_PrintCRLInfo (out, c, m, level);
-- } while (0);
-- PORT_FreeArena (arena, PR_FALSE);
-- return rv;
--}
--
--
--/*
--** secu_PrintPKCS7Encrypted
--** Pretty print a PKCS7 encrypted data type (up to version 1).
--*/
--static void
--secu_PrintPKCS7Encrypted(FILE *out, SEC_PKCS7EncryptedData *src,
-- const char *m, int level)
--{
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- SECU_PrintInteger(out, &(src->version), "Version", level + 1);
--
-- secu_PrintPKCS7EncContent(out, &src->encContentInfo,
-- "Encrypted Content Information", level + 1);
-+ return PR_FALSE;
- }
-
--/*
--** secu_PrintPKCS7Digested
--** Pretty print a PKCS7 digested data type (up to version 1).
--*/
-+#ifdef NSS_ENABLE_ECC
- static void
--secu_PrintPKCS7Digested(FILE *out, SEC_PKCS7DigestedData *src,
-- const char *m, int level)
--{
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- SECU_PrintInteger(out, &(src->version), "Version", level + 1);
--
-- SECU_PrintAlgorithmID(out, &src->digestAlg, "Digest Algorithm",
-- level + 1);
-- secu_PrintPKCS7ContentInfo(out, &src->contentInfo, "Content Information",
-- level + 1);
-- SECU_PrintAsHex(out, &src->digest, "Digest", level + 1);
--}
--
--/*
--** secu_PrintPKCS7ContentInfo
--** Takes a SEC_PKCS7ContentInfo type and sends the contents to the
--** appropriate function
--*/
--static int
--secu_PrintPKCS7ContentInfo(FILE *out, SEC_PKCS7ContentInfo *src,
-- char *m, int level)
--{
-- const char *desc;
-- SECOidTag kind;
-- int rv;
--
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- level++;
--
-- if (src->contentTypeTag == NULL)
-- src->contentTypeTag = SECOID_FindOID(&(src->contentType));
--
-- if (src->contentTypeTag == NULL) {
-- desc = "Unknown";
-- kind = SEC_OID_PKCS7_DATA;
-- } else {
-- desc = src->contentTypeTag->desc;
-- kind = src->contentTypeTag->offset;
-- }
--
-- if (src->content.data == NULL) {
-- SECU_Indent(out, level); fprintf(out, "%s:\n", desc);
-- level++;
-- SECU_Indent(out, level); fprintf(out, "<no content>\n");
-- return 0;
-- }
--
-- rv = 0;
-- switch (kind) {
-- case SEC_OID_PKCS7_SIGNED_DATA: /* Signed Data */
-- rv = secu_PrintPKCS7Signed(out, src->content.signedData, desc, level);
-- break;
--
-- case SEC_OID_PKCS7_ENVELOPED_DATA: /* Enveloped Data */
-- secu_PrintPKCS7Enveloped(out, src->content.envelopedData, desc, level);
-- break;
--
-- case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA: /* Signed and Enveloped */
-- rv = secu_PrintPKCS7SignedAndEnveloped(out,
-- src->content.signedAndEnvelopedData,
-- desc, level);
-- break;
--
-- case SEC_OID_PKCS7_DIGESTED_DATA: /* Digested Data */
-- secu_PrintPKCS7Digested(out, src->content.digestedData, desc, level);
-- break;
--
-- case SEC_OID_PKCS7_ENCRYPTED_DATA: /* Encrypted Data */
-- secu_PrintPKCS7Encrypted(out, src->content.encryptedData, desc, level);
-- break;
--
-- default:
-- SECU_PrintAsHex(out, src->content.data, desc, level);
-- break;
-- }
--
-- return rv;
--}
--
--/*
--** SECU_PrintPKCS7ContentInfo
--** Decode and print any major PKCS7 data type (up to version 1).
--*/
--int
--SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, int level)
--{
-- SEC_PKCS7ContentInfo *cinfo;
-- int rv;
--
-- cinfo = SEC_PKCS7DecodeItem(der, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
-- if (cinfo != NULL) {
-- /* Send it to recursive parsing and printing module */
-- rv = secu_PrintPKCS7ContentInfo(out, cinfo, m, level);
-- SEC_PKCS7DestroyContentInfo(cinfo);
-- } else {
-- rv = -1;
-- }
--
-- return rv;
--}
--
--/*
--** End of PKCS7 functions
--*/
--
--void
--printFlags(FILE *out, unsigned int flags, int level)
--{
-- if ( flags & CERTDB_TERMINAL_RECORD ) {
-- SECU_Indent(out, level); fprintf(out, "Terminal Record\n");
-- }
-- if ( flags & CERTDB_TRUSTED ) {
-- SECU_Indent(out, level); fprintf(out, "Trusted\n");
-- }
-- if ( flags & CERTDB_SEND_WARN ) {
-- SECU_Indent(out, level); fprintf(out, "Warn When Sending\n");
-- }
-- if ( flags & CERTDB_VALID_CA ) {
-- SECU_Indent(out, level); fprintf(out, "Valid CA\n");
-- }
-- if ( flags & CERTDB_TRUSTED_CA ) {
-- SECU_Indent(out, level); fprintf(out, "Trusted CA\n");
-- }
-- if ( flags & CERTDB_NS_TRUSTED_CA ) {
-- SECU_Indent(out, level); fprintf(out, "Netscape Trusted CA\n");
-- }
-- if ( flags & CERTDB_USER ) {
-- SECU_Indent(out, level); fprintf(out, "User\n");
-- }
-- if ( flags & CERTDB_TRUSTED_CLIENT_CA ) {
-- SECU_Indent(out, level); fprintf(out, "Trusted Client CA\n");
-- }
-- if ( flags & CERTDB_GOVT_APPROVED_CA ) {
-- SECU_Indent(out, level); fprintf(out, "Step-up\n");
-- }
--}
--
--void
--SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level)
--{
-- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- SECU_Indent(out, level+1); fprintf(out, "SSL Flags:\n");
-- printFlags(out, trust->sslFlags, level+2);
-- SECU_Indent(out, level+1); fprintf(out, "Email Flags:\n");
-- printFlags(out, trust->emailFlags, level+2);
-- SECU_Indent(out, level+1); fprintf(out, "Object Signing Flags:\n");
-- printFlags(out, trust->objectSigningFlags, level+2);
--}
--
--int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level)
--{
-- PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-- CERTName *name;
-- int rv = SEC_ERROR_NO_MEMORY;
--
-- if (!arena)
-- return rv;
--
-- name = PORT_ArenaZNew(arena, CERTName);
-- if (!name)
-- goto loser;
--
-- rv = SEC_ASN1DecodeItem(arena, name, SEC_ASN1_GET(CERT_NameTemplate), der);
-- if (rv)
-- goto loser;
--
-- SECU_PrintName(out, name, m, level);
--loser:
-- PORT_FreeArena(arena, PR_FALSE);
-- return rv;
--}
--
--int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,
-- int level, SECU_PPFunc inner)
-+secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
- {
-- PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-- CERTSignedData *sd;
-- int rv = SEC_ERROR_NO_MEMORY;
--
-- if (!arena)
-- return rv;
--
-- /* Strip off the signature */
-- sd = PORT_ArenaZNew(arena, CERTSignedData);
-- if (!sd)
-- goto loser;
--
-- rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate),
-- der);
-- if (rv)
-- goto loser;
-+ SECItem curveOID = { siBuffer, NULL, 0};
-
- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-- rv = (*inner)(out, &sd->data, "Data", level+1);
--
-- SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, "Signature Algorithm",
-- level+1);
-- DER_ConvertBitString(&sd->signature);
-- SECU_PrintAsHex(out, &sd->signature, "Signature", level+1);
-- SECU_PrintFingerprints(out, der, "Fingerprint", level+1);
--loser:
-- PORT_FreeArena(arena, PR_FALSE);
-- return rv;
--}
--
--SECStatus
--SEC_PrintCertificateAndTrust(CERTCertificate *cert,
-- const char *label,
-- CERTCertTrust *trust)
--{
-- SECStatus rv;
-- SECItem data;
--
-- data.data = cert->derCert.data;
-- data.len = cert->derCert.len;
--
-- rv = SECU_PrintSignedData(stdout, &data, label, 0,
-- SECU_PrintCertificate);
-- if (rv) {
-- return(SECFailure);
-- }
-- if (trust) {
-- SECU_PrintTrustFlags(stdout, trust,
-- "Certificate Trust Flags", 1);
-- } else if (cert->trust) {
-- SECU_PrintTrustFlags(stdout, cert->trust,
-- "Certificate Trust Flags", 1);
-+ SECU_PrintInteger(out, &pk->u.ec.publicValue, "PublicValue", level+1);
-+ /* For named curves, the DEREncodedParams field contains an
-+ * ASN Object ID (0x06 is SEC_ASN1_OBJECT_ID).
-+ */
-+ if ((pk->u.ec.DEREncodedParams.len > 2) &&
-+ (pk->u.ec.DEREncodedParams.data[0] == 0x06)) {
-+ curveOID.len = pk->u.ec.DEREncodedParams.data[1];
-+ curveOID.data = pk->u.ec.DEREncodedParams.data + 2;
-+ SECU_PrintObjectID(out, &curveOID, "Curve", level +1);
- }
--
-- printf("\n");
--
-- return(SECSuccess);
- }
-+#endif /* NSS_ENABLE_ECC */
-
- #if defined(DEBUG) || defined(FORCE_PR_ASSERT)
- /* Returns true iff a[i].flag has a duplicate in a[i+1 : count-1] */
-@@ -3662,145 +762,6 @@ SECU_PrintPRandOSError(char *progName)
- }
- }
-
--
--static char *
--bestCertName(CERTCertificate *cert) {
-- if (cert->nickname) {
-- return cert->nickname;
-- }
-- if (cert->emailAddr && cert->emailAddr[0]) {
-- return cert->emailAddr;
-- }
-- return cert->subjectName;
--}
--
--void
--SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle,
-- CERTCertificate *cert, PRBool checksig,
-- SECCertificateUsage certUsage, void *pinArg, PRBool verbose,
-- PRTime datetime)
--{
-- CERTVerifyLog log;
-- CERTVerifyLogNode *node;
--
-- PRErrorCode err = PORT_GetError();
--
-- log.arena = PORT_NewArena(512);
-- log.head = log.tail = NULL;
-- log.count = 0;
-- CERT_VerifyCertificate(handle, cert, checksig, certUsage, datetime, pinArg, &log, NULL);
--
-- SECU_displayVerifyLog(outfile, &log, verbose);
--
-- for (node = log.head; node; node = node->next) {
-- if (node->cert)
-- CERT_DestroyCertificate(node->cert);
-- }
-- PORT_FreeArena(log.arena, PR_FALSE);
--
-- PORT_SetError(err); /* restore original error code */
--}
--
--void
--SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
-- PRBool verbose)
--{
-- CERTVerifyLogNode *node = NULL;
-- unsigned int depth = (unsigned int)-1;
-- unsigned int flags = 0;
-- char * errstr = NULL;
--
-- if (log->count > 0) {
-- fprintf(outfile,"PROBLEM WITH THE CERT CHAIN:\n");
-- for (node = log->head; node; node = node->next) {
-- if (depth != node->depth) {
-- depth = node->depth;
-- fprintf(outfile,"CERT %d. %s %s:\n", depth,
-- bestCertName(node->cert),
-- depth ? "[Certificate Authority]": "");
-- if (verbose) {
-- const char * emailAddr;
-- emailAddr = CERT_GetFirstEmailAddress(node->cert);
-- if (emailAddr) {
-- fprintf(outfile,"Email Address(es): ");
-- do {
-- fprintf(outfile, "%s\n", emailAddr);
-- emailAddr = CERT_GetNextEmailAddress(node->cert,
-- emailAddr);
-- } while (emailAddr);
-- }
-- }
-- }
-- fprintf(outfile, " ERROR %ld: %s\n", node->error,
-- SECU_Strerror(node->error));
-- errstr = NULL;
-- switch (node->error) {
-- case SEC_ERROR_INADEQUATE_KEY_USAGE:
-- flags = (unsigned int)node->arg;
-- switch (flags) {
-- case KU_DIGITAL_SIGNATURE:
-- errstr = "Cert cannot sign.";
-- break;
-- case KU_KEY_ENCIPHERMENT:
-- errstr = "Cert cannot encrypt.";
-- break;
-- case KU_KEY_CERT_SIGN:
-- errstr = "Cert cannot sign other certs.";
-- break;
-- default:
-- errstr = "[unknown usage].";
-- break;
-- }
-- case SEC_ERROR_INADEQUATE_CERT_TYPE:
-- flags = (unsigned int)node->arg;
-- switch (flags) {
-- case NS_CERT_TYPE_SSL_CLIENT:
-- case NS_CERT_TYPE_SSL_SERVER:
-- errstr = "Cert cannot be used for SSL.";
-- break;
-- case NS_CERT_TYPE_SSL_CA:
-- errstr = "Cert cannot be used as an SSL CA.";
-- break;
-- case NS_CERT_TYPE_EMAIL:
-- errstr = "Cert cannot be used for SMIME.";
-- break;
-- case NS_CERT_TYPE_EMAIL_CA:
-- errstr = "Cert cannot be used as an SMIME CA.";
-- break;
-- case NS_CERT_TYPE_OBJECT_SIGNING:
-- errstr = "Cert cannot be used for object signing.";
-- break;
-- case NS_CERT_TYPE_OBJECT_SIGNING_CA:
-- errstr = "Cert cannot be used as an object signing CA.";
-- break;
-- default:
-- errstr = "[unknown usage].";
-- break;
-- }
-- case SEC_ERROR_UNKNOWN_ISSUER:
-- case SEC_ERROR_UNTRUSTED_ISSUER:
-- case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
-- errstr = node->cert->issuerName;
-- break;
-- default:
-- break;
-- }
-- if (errstr) {
-- fprintf(stderr," %s\n",errstr);
-- }
-- }
-- }
--}
--
--void
--SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
-- CERTCertificate *cert, PRBool checksig,
-- SECCertificateUsage certUsage, void *pinArg, PRBool verbose)
--{
-- SECU_printCertProblemsOnDate(outfile, handle, cert, checksig,
-- certUsage, pinArg, verbose, PR_Now());
--}
--
- SECOidTag
- SECU_StringToSignatureAlgTag(const char *alg)
- {
-@@ -3828,299 +789,6 @@ SECU_StringToSignatureAlgTag(const char
- return hashAlgTag;
- }
-
--
--SECStatus
--SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl, PRFileDesc *outFile,
-- PRBool ascii, char *url)
--{
-- PORT_Assert(derCrl != NULL);
-- if (!derCrl) {
-- PORT_SetError(SEC_ERROR_INVALID_ARGS);
-- return SECFailure;
-- }
--
-- if (outFile != NULL) {
-- if (ascii) {
-- PR_fprintf(outFile, "%s\n%s\n%s\n", NS_CRL_HEADER,
-- BTOA_DataToAscii(derCrl->data, derCrl->len),
-- NS_CRL_TRAILER);
-- } else {
-- if (PR_Write(outFile, derCrl->data, derCrl->len) != derCrl->len) {
-- return SECFailure;
-- }
-- }
-- }
-- if (slot) {
-- CERTSignedCrl *newCrl = PK11_ImportCRL(slot, derCrl, url,
-- SEC_CRL_TYPE, NULL, 0, NULL, 0);
-- if (newCrl != NULL) {
-- SEC_DestroyCrl(newCrl);
-- return SECSuccess;
-- }
-- return SECFailure;
-- }
-- if (!outFile && !slot) {
-- PORT_SetError(SEC_ERROR_INVALID_ARGS);
-- return SECFailure;
-- }
-- return SECSuccess;
--}
--
--SECStatus
--SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
-- SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode)
--{
-- SECItem der;
-- SECKEYPrivateKey *caPrivateKey = NULL;
-- SECStatus rv;
-- PRArenaPool *arena;
-- SECOidTag algID;
-- void *dummy;
--
-- PORT_Assert(issuer != NULL && signCrl != NULL);
-- if (!issuer || !signCrl) {
-- PORT_SetError(SEC_ERROR_INVALID_ARGS);
-- return SECFailure;
-- }
--
-- arena = signCrl->arena;
--
-- caPrivateKey = PK11_FindKeyByAnyCert(issuer, NULL);
-- if (caPrivateKey == NULL) {
-- *resCode = noKeyFound;
-- return SECFailure;
-- }
--
-- algID = SEC_GetSignatureAlgorithmOidTag(caPrivateKey->keyType, hashAlgTag);
-- if (algID == SEC_OID_UNKNOWN) {
-- *resCode = noSignatureMatch;
-- rv = SECFailure;
-- goto done;
-- }
--
-- if (!signCrl->crl.signatureAlg.parameters.data) {
-- rv = SECOID_SetAlgorithmID(arena, &signCrl->crl.signatureAlg, algID, 0);
-- if (rv != SECSuccess) {
-- *resCode = failToEncode;
-- goto done;
-- }
-- }
--
-- der.len = 0;
-- der.data = NULL;
-- dummy = SEC_ASN1EncodeItem(arena, &der, &signCrl->crl,
-- SEC_ASN1_GET(CERT_CrlTemplate));
-- if (!dummy) {
-- *resCode = failToEncode;
-- rv = SECFailure;
-- goto done;
-- }
--
-- rv = SECU_DerSignDataCRL(arena, &signCrl->signatureWrap,
-- der.data, der.len, caPrivateKey, algID);
-- if (rv != SECSuccess) {
-- *resCode = failToSign;
-- goto done;
-- }
--
-- signCrl->derCrl = PORT_ArenaZNew(arena, SECItem);
-- if (signCrl->derCrl == NULL) {
-- *resCode = noMem;
-- PORT_SetError(SEC_ERROR_NO_MEMORY);
-- rv = SECFailure;
-- goto done;
-- }
--
-- signCrl->derCrl->len = 0;
-- signCrl->derCrl->data = NULL;
-- dummy = SEC_ASN1EncodeItem (arena, signCrl->derCrl, signCrl,
-- SEC_ASN1_GET(CERT_SignedCrlTemplate));
-- if (!dummy) {
-- *resCode = failToEncode;
-- rv = SECFailure;
-- goto done;
-- }
--
--done:
-- if (caPrivateKey) {
-- SECKEY_DestroyPrivateKey(caPrivateKey);
-- }
-- return rv;
--}
--
--
--
--SECStatus
--SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl)
--{
-- void *dummy;
-- SECStatus rv = SECSuccess;
-- SECItem der;
--
-- PORT_Assert(destArena && srcCrl && destCrl);
-- if (!destArena || !srcCrl || !destCrl) {
-- PORT_SetError(SEC_ERROR_INVALID_ARGS);
-- return SECFailure;
-- }
--
-- der.len = 0;
-- der.data = NULL;
-- dummy = SEC_ASN1EncodeItem (destArena, &der, srcCrl,
-- SEC_ASN1_GET(CERT_CrlTemplate));
-- if (!dummy) {
-- return SECFailure;
-- }
--
-- rv = SEC_QuickDERDecodeItem(destArena, destCrl,
-- SEC_ASN1_GET(CERT_CrlTemplate), &der);
-- if (rv != SECSuccess) {
-- return SECFailure;
-- }
--
-- destCrl->arena = destArena;
--
-- return rv;
--}
--
--SECStatus
--SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
-- unsigned char *buf, int len, SECKEYPrivateKey *pk,
-- SECOidTag algID)
--{
-- SECItem it;
-- SECStatus rv;
--
-- it.data = 0;
--
-- /* XXX We should probably have some asserts here to make sure the key type
-- * and algID match
-- */
--
-- /* Sign input buffer */
-- rv = SEC_SignData(&it, buf, len, pk, algID);
-- if (rv) goto loser;
--
-- /* Fill out SignedData object */
-- PORT_Memset(sd, 0, sizeof(*sd));
-- sd->data.data = buf;
-- sd->data.len = len;
-- sd->signature.data = it.data;
-- sd->signature.len = it.len << 3; /* convert to bit string */
-- rv = SECOID_SetAlgorithmID(arena, &sd->signatureAlgorithm, algID, 0);
-- if (rv) goto loser;
--
-- return rv;
--
-- loser:
-- PORT_Free(it.data);
-- return rv;
--}
--
--#if 0
--
--/* we need access to the private function cert_FindExtension for this code to work */
--
--CERTAuthKeyID *
--SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *scrl)
--{
-- SECItem encodedExtenValue;
-- SECStatus rv;
-- CERTAuthKeyID *ret;
-- CERTCrl* crl;
--
-- if (!scrl) {
-- PORT_SetError(SEC_ERROR_INVALID_ARGS);
-- return NULL;
-- }
--
-- crl = &scrl->crl;
--
-- encodedExtenValue.data = NULL;
-- encodedExtenValue.len = 0;
--
-- rv = cert_FindExtension(crl->extensions, SEC_OID_X509_AUTH_KEY_ID,
-- &encodedExtenValue);
-- if ( rv != SECSuccess ) {
-- return (NULL);
-- }
--
-- ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue);
--
-- PORT_Free(encodedExtenValue.data);
-- encodedExtenValue.data = NULL;
--
-- return(ret);
--}
--
--#endif
--
--/*
-- * Find the issuer of a Crl. Use the authorityKeyID if it exists.
-- */
--CERTCertificate *
--SECU_FindCrlIssuer(CERTCertDBHandle *dbhandle, SECItem* subject,
-- CERTAuthKeyID* authorityKeyID, PRTime validTime)
--{
-- CERTCertificate *issuerCert = NULL;
-- CERTCertList *certList = NULL;
--
-- if (!subject) {
-- PORT_SetError(SEC_ERROR_INVALID_ARGS);
-- return NULL;
-- }
--
-- certList =
-- CERT_CreateSubjectCertList(NULL, dbhandle, subject,
-- validTime, PR_TRUE);
-- if (certList) {
-- CERTCertListNode *node = CERT_LIST_HEAD(certList);
--
-- /* XXX and authoritykeyid in the future */
-- while ( ! CERT_LIST_END(node, certList) ) {
-- CERTCertificate *cert = node->cert;
-- /* check cert CERTCertTrust data is allocated, check cert
-- usage extension, check that cert has pkey in db. Select
-- the first (newest) user cert */
-- if (cert->trust &&
-- CERT_CheckCertUsage(cert, KU_CRL_SIGN) == SECSuccess &&
-- CERT_IsUserCert(cert)) {
--
-- issuerCert = CERT_DupCertificate(cert);
-- break;
-- }
-- node = CERT_LIST_NEXT(node);
-- }
-- CERT_DestroyCertList(certList);
-- }
-- return(issuerCert);
--}
--
--
--/* Encodes and adds extensions to the CRL or CRL entries. */
--SECStatus
--SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle,
-- void *value, PRBool criticality, int extenType,
-- EXTEN_EXT_VALUE_ENCODER EncodeValueFn)
--{
-- SECItem encodedValue;
-- SECStatus rv;
--
-- encodedValue.data = NULL;
-- encodedValue.len = 0;
-- do {
-- rv = (*EncodeValueFn)(arena, value, &encodedValue);
-- if (rv != SECSuccess)
-- break;
--
-- rv = CERT_AddExtension(extHandle, extenType, &encodedValue,
-- criticality, PR_TRUE);
-- if (rv != SECSuccess)
-- break;
-- } while (0);
--
-- return (rv);
--}
--
- /* Caller ensures that dst is at least item->len*2+1 bytes long */
- void
- SECU_SECItemToHex(const SECItem * item, char * dst)
-@@ -4183,40 +851,3 @@ SECU_SECItemHexStringToBinary(SECItem* s
- srcdest->len /= 2;
- return SECSuccess;
- }
--
--CERTCertificate*
--SECU_FindCertByNicknameOrFilename(CERTCertDBHandle *handle,
-- char *name, PRBool ascii,
-- void *pwarg)
--{
-- CERTCertificate *the_cert;
-- the_cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
-- if (the_cert) {
-- return the_cert;
-- }
-- the_cert = PK11_FindCertFromNickname(name, pwarg);
-- if (!the_cert) {
-- /* Don't have a cert with name "name" in the DB. Try to
-- * open a file with such name and get the cert from there.*/
-- SECStatus rv;
-- SECItem item = {0, NULL, 0};
-- PRFileDesc* fd = PR_Open(name, PR_RDONLY, 0777);
-- if (!fd) {
-- return NULL;
-- }
-- rv = SECU_ReadDERFromFile(&item, fd, ascii);
-- PR_Close(fd);
-- if (rv != SECSuccess || !item.len) {
-- PORT_Free(item.data);
-- return NULL;
-- }
-- the_cert = CERT_NewTempCertificate(handle, &item,
-- NULL /* nickname */,
-- PR_FALSE /* isPerm */,
-- PR_TRUE /* copyDER */);
-- PORT_Free(item.data);
-- }
-- return the_cert;
--}
--
--
-diff -up ./mozilla/security/nss/cmd/lib/secutil.h.crypto ./mozilla/security/nss/cmd/lib/secutil.h
---- ./mozilla/security/nss/cmd/lib/secutil.h.crypto 2012-03-10 04:10:45.000000000 -0800
-+++ ./mozilla/security/nss/cmd/lib/secutil.h 2012-04-01 13:15:51.539584248 -0700
-@@ -38,7 +38,10 @@
-
- #include "seccomon.h"
- #include "secitem.h"
-+#include "secoid.h"
-+#include "secoidt.h"
- #include "secport.h"
-+#include "key.h"
- #include "prerror.h"
- #include "base64.h"
- #include "key.h"
-@@ -47,25 +50,6 @@
- #include "secder.h"
- #include <stdio.h>
-
--#define SEC_CT_PRIVATE_KEY "private-key"
--#define SEC_CT_PUBLIC_KEY "public-key"
--#define SEC_CT_CERTIFICATE "certificate"
--#define SEC_CT_CERTIFICATE_REQUEST "certificate-request"
--#define SEC_CT_PKCS7 "pkcs7"
--#define SEC_CT_CRL "crl"
--#define SEC_CT_NAME "name"
--
--#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
--#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
--
--#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
--#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
--
--#define NS_CRL_HEADER "-----BEGIN CRL-----"
--#define NS_CRL_TRAILER "-----END CRL-----"
--
--#define SECU_Strerror PORT_ErrorToString
--
- #ifdef SECUTIL_NEW
- typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item,
- char *msg, int level);
-@@ -73,203 +57,29 @@ typedef int (*SECU_PPFunc)(PRFileDesc *o
- typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level);
- #endif
-
--typedef struct {
-- enum {
-- PW_NONE = 0,
-- PW_FROMFILE = 1,
-- PW_PLAINTEXT = 2,
-- PW_EXTERNAL = 3
-- } source;
-- char *data;
--} secuPWData;
--
--/*
--** Change a password on a token, or initialize a token with a password
--** if it does not already have one.
--** Use passwd to send the password in plaintext, pwFile to specify a
--** file containing the password, or NULL for both to prompt the user.
--*/
--SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile);
--
--/*
--** Change a password on a token, or initialize a token with a password
--** if it does not already have one.
--** In this function, you can specify both the old and new passwords
--** as either a string or file. NOTE: any you don't specify will
--** be prompted for
--*/
--SECStatus SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
-- char *oldPwFile, char *newPwFile);
--
--/* These were stolen from the old sec.h... */
--/*
--** Check a password for legitimacy. Passwords must be at least 8
--** characters long and contain one non-alphabetic. Return DSTrue if the
--** password is ok, DSFalse otherwise.
--*/
--extern PRBool SEC_CheckPassword(char *password);
--
--/*
--** Blind check of a password. Complement to SEC_CheckPassword which
--** ignores length and content type, just retuning DSTrue is the password
--** exists, DSFalse if NULL
--*/
--extern PRBool SEC_BlindCheckPassword(char *password);
--
--/*
--** Get a password.
--** First prompt with "msg" on "out", then read the password from "in".
--** The password is then checked using "chkpw".
--*/
--extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg,
-- PRBool (*chkpw)(char *));
--
--char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg);
--
--char *SECU_GetPasswordString(void *arg, char *prompt);
--
--/*
--** Write a dongle password.
--** Uses MD5 to hash constant system data (hostname, etc.), and then
--** creates RC4 key to encrypt a password "pw" into a file "fd".
--*/
--extern SECStatus SEC_WriteDongleFile(int fd, char *pw);
--
--/*
--** Get a dongle password.
--** Uses MD5 to hash constant system data (hostname, etc.), and then
--** creates RC4 key to decrypt and return a password from file "fd".
--*/
--extern char *SEC_ReadDongleFile(int fd);
--
--
--/* End stolen headers */
--
--/* Just sticks the two strings together with a / if needed */
--char *SECU_AppendFilenameToDir(char *dir, char *filename);
--
--/* Returns result of getenv("SSL_DIR") or NULL */
--extern char *SECU_DefaultSSLDir(void);
--
--/*
--** Should be called once during initialization to set the default
--** directory for looking for cert.db, key.db, and cert-nameidx.db files
--** Removes trailing '/' in 'base'
--** If 'base' is NULL, defaults to set to .netscape in home directory.
--*/
--extern char *SECU_ConfigDirectory(const char* base);
--
--/*
--** Basic callback function for SSL_GetClientAuthDataHook
--*/
--extern int
--SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
-- struct CERTDistNamesStr *caNames,
-- struct CERTCertificateStr **pRetCert,
-- struct SECKEYPrivateKeyStr **pRetKey);
--
--extern PRBool SECU_GetWrapEnabled();
--extern void SECU_EnableWrap(PRBool enable);
--
- /* print out an error message */
- extern void SECU_PrintError(char *progName, char *msg, ...);
-
- /* print out a system error message */
- extern void SECU_PrintSystemError(char *progName, char *msg, ...);
-
--/* revalidate the cert and print information about cert verification
-- * failure at time == now */
--extern void
--SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
-- CERTCertificate *cert, PRBool checksig,
-- SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
--
--/* revalidate the cert and print information about cert verification
-- * failure at specified time */
--extern void
--SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle,
-- CERTCertificate *cert, PRBool checksig, SECCertificateUsage certUsage,
-- void *pinArg, PRBool verbose, PRTime datetime);
--
--/* print out CERTVerifyLog info. */
--extern void
--SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
-- PRBool verbose);
-
- /* Read the contents of a file into a SECItem */
- extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
- extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);
-
--/* Read in a DER from a file, may be ascii */
--extern SECStatus
--SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
--
- /* Indent based on "level" */
- extern void SECU_Indent(FILE *out, int level);
-
- /* Print integer value and hex */
- extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level);
-
--/* Print ObjectIdentifier symbolically */
--extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level);
--
--/* Print AlgorithmIdentifier symbolically */
--extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m,
-- int level);
--
- /* Print SECItem as hex */
- extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level);
-
- /* dump a buffer in hex and ASCII */
- extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len);
-
--/*
-- * Format and print the UTC Time "t". If the tag message "m" is not NULL,
-- * do indent formatting based on "level" and add a newline afterward;
-- * otherwise just print the formatted time string only.
-- */
--extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level);
--
--/*
-- * Format and print the Generalized Time "t". If the tag message "m"
-- * is not NULL, * do indent formatting based on "level" and add a newline
-- * afterward; otherwise just print the formatted time string only.
-- */
--extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m,
-- int level);
--
--/*
-- * Format and print the UTC or Generalized Time "t". If the tag message
-- * "m" is not NULL, do indent formatting based on "level" and add a newline
-- * afterward; otherwise just print the formatted time string only.
-- */
--extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level);
--
--/* callback for listing certs through pkcs11 */
--extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);
--
--/* Dump all certificate nicknames in a database */
--extern SECStatus
--SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out,
-- PRBool sortByName, PRBool sortByTrust);
--
--/* See if nickname already in database. Return 1 true, 0 false, -1 error */
--int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);
--
--/* Dump contents of cert req */
--extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
-- int level);
--
--/* Dump contents of certificate */
--extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
--
--/* Dump contents of a DER certificate name (issuer or subject) */
--extern int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level);
--
--/* print trust flags on a cert */
--extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m,
-- int level);
--
- /* Dump contents of an RSA public key */
- extern int SECU_PrintRSAPublicKey(FILE *out, SECItem *der, char *m, int level);
-
-@@ -341,70 +151,6 @@ extern SECStatus SECU_RegisterDynamicOid
- /* Identifies hash algorithm tag by its string representation. */
- extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);
-
--/* Store CRL in output file or pk11 db. Also
-- * encodes with base64 and exports to file if ascii flag is set
-- * and file is not NULL. */
--extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl,
-- PRFileDesc *outFile, PRBool ascii, char *url);
--
--
--/*
--** DER sign a single block of data using private key encryption and the
--** MD5 hashing algorithm. This routine first computes a digital signature
--** using SEC_SignData, then wraps it with an CERTSignedData and then der
--** encodes the result.
--** "arena" is the memory arena to use to allocate data from
--** "sd" returned CERTSignedData
--** "result" the final der encoded data (memory is allocated)
--** "buf" the input data to sign
--** "len" the amount of data to sign
--** "pk" the private key to encrypt with
--*/
--extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
-- unsigned char *buf, int len,
-- SECKEYPrivateKey *pk, SECOidTag algID);
--
--typedef enum {
-- noKeyFound = 1,
-- noSignatureMatch = 2,
-- failToEncode = 3,
-- failToSign = 4,
-- noMem = 5
--} SignAndEncodeFuncExitStat;
--
--extern SECStatus
--SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
-- SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);
--
--extern SECStatus
--SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
--
--/*
--** Finds the crl Authority Key Id extension. Returns NULL if no such extension
--** was found.
--*/
--CERTAuthKeyID *
--SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl);
--
--/*
-- * Find the issuer of a crl. Cert usage should be checked before signing a crl.
-- */
--CERTCertificate *
--SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
-- CERTAuthKeyID* id, PRTime validTime);
--
--
--/* call back function used in encoding of an extension. Called from
-- * SECU_EncodeAndAddExtensionValue */
--typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena,
-- void *value, SECItem *encodedValue);
--
--/* Encodes and adds extensions to the CRL or CRL entries. */
--SECStatus
--SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle,
-- void *value, PRBool criticality, int extenType,
-- EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
--
- /* Caller ensures that dst is at least item->len*2+1 bytes long */
- void
- SECU_SECItemToHex(const SECItem * item, char * dst);
diff -up ./mozilla/security/nss/cmd/manifest.mn.crypto ./mozilla/security/nss/cmd/manifest.mn
---- ./mozilla/security/nss/cmd/manifest.mn.crypto 2010-12-06 09:22:48.000000000 -0800
-+++ ./mozilla/security/nss/cmd/manifest.mn 2012-04-01 13:15:51.540584249 -0700
-@@ -41,46 +41,9 @@ DEPTH = ../..
+--- ./mozilla/security/nss/cmd/manifest.mn.crypto 2012-09-01 18:29:28.000000000 +0000
++++ ./mozilla/security/nss/cmd/manifest.mn 2012-10-02 15:59:32.213547057 +0000
+@@ -9,52 +9,10 @@ DEPTH = ../..
REQUIRES = nss nspr libdbm
DIRS = lib \
@@ -3961,7 +18,10 @@ diff -up ./mozilla/security/nss/cmd/manifest.mn.crypto ./mozilla/security/nss/cm
- dbtest \
- derdump \
- digest \
+- httpserv \
fipstest \
+ $(LOWHASHTEST_SRCDIR) \
+- listsuites \
- makepqg \
- multinit \
- ocspclnt \
@@ -3972,7 +32,10 @@ diff -up ./mozilla/security/nss/cmd/manifest.mn.crypto ./mozilla/security/nss/cm
- p7verify \
- pk12util \
- pk11mode \
+- pk1sign \
+- pkix-errcodes \
- pp \
+- pwdecrypt \
- rsaperf \
- sdrtest \
- selfserv \
@@ -3992,27 +55,9 @@ diff -up ./mozilla/security/nss/cmd/manifest.mn.crypto ./mozilla/security/nss/cm
TEMPORARILY_DONT_BUILD = \
diff -up ./mozilla/security/nss/cmd/platlibs.mk.crypto ./mozilla/security/nss/cmd/platlibs.mk
---- ./mozilla/security/nss/cmd/platlibs.mk.crypto 2010-06-11 17:58:33.000000000 -0700
-+++ ./mozilla/security/nss/cmd/platlibs.mk 2012-04-01 13:15:51.540584249 -0700
-@@ -92,43 +92,13 @@ DEFINES += -DNSS_USE_STATIC_LIBS
- # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
- CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-
--PKIXLIB = \
-- $(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
-- $(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
-- $(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
-- $(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
-- $(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX) \
-- $(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
-- $(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
-- $(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
-- $(DIST)/lib/$(LIB_PREFIX)pkixpki.$(LIB_SUFFIX) \
-- $(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
-- $(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
-- $(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX)
--
- # can't do this in manifest.mn because OS_ARCH isn't defined there.
+--- ./mozilla/security/nss/cmd/platlibs.mk.crypto 2012-07-17 15:22:42.000000000 +0000
++++ ./mozilla/security/nss/cmd/platlibs.mk 2012-10-02 16:03:14.388622383 +0000
+@@ -56,25 +56,9 @@ PKIXLIB = \
ifeq (,$(filter-out WINNT WINCE,$(OS_ARCH)))
EXTRA_LIBS += \
@@ -4038,7 +83,7 @@ diff -up ./mozilla/security/nss/cmd/platlibs.mk.crypto ./mozilla/security/nss/cm
$(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
-@@ -143,30 +113,9 @@ EXTRA_LIBS += \
+@@ -89,30 +73,9 @@ EXTRA_LIBS += \
else
EXTRA_LIBS += \
@@ -4069,41 +114,20 @@ diff -up ./mozilla/security/nss/cmd/platlibs.mk.crypto ./mozilla/security/nss/cm
$(NULL)
ifeq ($(OS_ARCH), AIX)
-@@ -199,8 +148,6 @@ ifeq (,$(filter-out WINNT WINCE,$(OS_ARC
+@@ -145,9 +108,6 @@ ifeq (,$(filter-out WINNT WINCE,$(OS_ARC
EXTRA_LIBS += \
$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
$(DIST)/lib/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \
- $(DIST)/lib/$(IMPORT_LIB_PREFIX)smime3$(IMPORT_LIB_SUFFIX) \
- $(DIST)/lib/$(IMPORT_LIB_PREFIX)ssl3$(IMPORT_LIB_SUFFIX) \
- $(DIST)/lib/$(IMPORT_LIB_PREFIX)nss3$(IMPORT_LIB_SUFFIX) \
+- $(DIST)/lib/$(IMPORT_LIB_PREFIX)nss3$(IMPORT_LIB_SUFFIX) \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4$(IMPORT_LIB_SUFFIX) \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4$(IMPORT_LIB_SUFFIX) \
-@@ -227,8 +174,6 @@ endif
- # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
- EXTRA_SHARED_LIBS += \
- -L$(DIST)/lib \
-- -lssl3 \
-- -lsmime3 \
- -lnss3 \
- -L$(NSSUTIL_LIB_DIR) \
- -lnssutil3 \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4$(IMPORT_LIB_SUFFIX) \
diff -up ./mozilla/security/nss/tests/all.sh.crypto ./mozilla/security/nss/tests/all.sh
---- ./mozilla/security/nss/tests/all.sh.crypto 2012-04-01 13:21:51.519603762 -0700
-+++ ./mozilla/security/nss/tests/all.sh 2012-04-01 13:22:41.577606476 -0700
-@@ -303,10 +303,10 @@ run_cycles()
-
- ############################## main code ###############################
-
--cycles="standard pkix upgradedb sharedb"
-+cycles="standard"
- CYCLES=${NSS_CYCLES:-$cycles}
-
--tests="cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
-+tests="cipher"
- TESTS=${NSS_TESTS:-$tests}
-
- ALL_TESTS=${TESTS}
-@@ -328,13 +328,20 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
+--- ./mozilla/security/nss/tests/all.sh.crypto 2012-06-13 18:16:39.000000000 +0000
++++ ./mozilla/security/nss/tests/all.sh 2012-10-02 15:59:32.217547061 +0000
+@@ -295,13 +295,13 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
fi
# NOTE:
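Review bot: The rewritten all.sh section no longer carries the hunk that narrowed the run to `cycles="standard"` and `tests="cipher"` (those lines now appear only on the removed side, `-+cycles="standard"` / `-+tests="cipher"`), and the new section opens directly with `+@@ -295,13 +295,13 @@`, the build-complete probe. Unless the spec's %check exports NSS_CYCLES and NSS_TESTS, which all.sh honours through `CYCLES=${NSS_CYCLES:-$cycles}` and `TESTS=${NSS_TESTS:-$tests}`, a softoken-only build would now attempt the full suite, including cycles that depend on tools this patch drops from DIRS in cmd/manifest.mn. If the selection has deliberately moved to the spec, a one-line comment in the patch header noting that test scope is now set by the caller's environment would keep the intent discoverable. The all.sh hunk itself continues into the next outer hunk.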
@@ -4116,13 +140,6 @@ diff -up ./mozilla/security/nss/tests/all.sh.crypto ./mozilla/security/nss/tests
-if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a \
- ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
-+########################################################################
-+# -- testing softoken module --
-+# This modified copy of all.sh runs a reduced set of directories.
-+# We check for the latest item being built.
-+# See variable DIRS in security/nss/cmd/manifest.mn
-+########################################################################
-+
+if [ ! -f ${DIST}/${OBJDIR}/bin/shlibsign -a \
+ ! -f ${DIST}/${OBJDIR}/bin/shlibsign.exe ]; then
echo "Build Incomplete. Aborting test." >> ${LOGFILE}
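Review bot: The replacement probe `+if [ ! -f ${DIST}/${OBJDIR}/bin/shlibsign -a \` drops the seven-line banner that explained why the build-complete check looks at one particular tool, so a reader of the new patch sees modutil swapped for shlibsign with no stated reason. A short comment above the test, such as `# shlibsign is the last tool built from the reduced DIRS list in cmd/manifest.mn; its presence means the softoken-only build finished`, would preserve the rationale, assuming that ordering still holds with the new DIRS list. As a point of style the new lines keep the upstream `[ ... -a ... ]` form; `-a` is obsolescent in POSIX test and two separate `[ ! -f ... ] && [ ! -f ... ]` checks would be unambiguous, though matching upstream is defensible here. The inner all.sh hunk starts in the previous outer hunk.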