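/* For now, split handling of slot to internal vs. other. slot should
 * probably be allowed to be NULL so that all slots can be listed.
 * In that case, need to add a call to PK11_TraverseSlotCerts(). */
    /* NOTE(review): this tail belongs to a function that begins before this
     * chunk. The list returned by PK11_GetAllTokens() is never released here
     * (compare ListModules() below, which calls PK11_FreeSlotList()), and rv
     * only reflects the result for the LAST slot visited -- an earlier slot's
     * failure is lost. Left unchanged because the enclosing function is not
     * fully visible. */
    if (slot == NULL) {
        PK11SlotList *list;
        PK11SlotListElement *le;

        list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,&pwdata);
        if (list) for (le = list->head; le; le = le->next) {
            rv = listKeys(le->slot,keyType,&pwdata);
        }
    } else {
        rv = listKeys(slot,keyType,&pwdata);
    }
    return rv;
}

/*
 * Delete the private key stored under `nickname` from the key database.
 *
 * handle:   open key database.
 * nickname: nickname of the key to remove (comes from the command line).
 *
 * Returns the result of SECU_DeleteKeyByName(); on failure the error is
 * reported through SECU_PrintError().
 */
static SECStatus
DeleteKey(SECKEYKeyDBHandle *handle, char *nickname)
{
    SECStatus rv;

    rv = SECU_DeleteKeyByName(handle, nickname);
    if (rv != SECSuccess) {
        /* SECU_PrintError() takes (progName, format, ...) -- see the call in
         * MakeV1Cert() below. The original call passed the message in the
         * progName slot and the user-supplied nickname as the FORMAT string,
         * so a nickname containing '%' directives was interpreted by printf
         * (CWE-134). Pass the global progName and a literal format instead. */
        SECU_PrintError(progName, "problem deleting private key \"%s\"",
                        nickname);
    }
    return rv;
}

/*
 * L i s t M o d u l e s
 *
 * Print a list of the PKCS11 modules that are
 * available. This is useful for smartcard people to
 * make sure they have the drivers loaded.
 *
 * Returns SECFailure only if PK11_GetAllTokens() yields no list at all;
 * otherwise every slot/token name pair is printed to stdout and the list is
 * released before returning SECSuccess.
 */
static SECStatus
ListModules(void)
{
    PK11SlotList *list;
    PK11SlotListElement *le;

    /* get them all! */
    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,NULL);
    if (list == NULL) return SECFailure;

    /* look at each slot*/
    for (le = list->head ; le; le = le->next) {
        printf ("\n");
        printf ("    slot: %s\n", PK11_GetSlotName(le->slot));
        printf ("   token: %s\n", PK11_GetTokenName(le->slot));
    }
    PK11_FreeSlotList(list);

    return SECSuccess;
}

/*
 * Print the short command synopsis to stderr and exit.
 *
 * FPS deliberately expands to "fprintf(stderr," with the parenthesis left
 * open; every FPS line closes it. The macro stays defined through LongUsage()
 * and is #undef'd at the end of that function.
 */
static void
Usage(char *progName)
{
#define FPS fprintf(stderr,
    FPS "Type %s -H for more detailed descriptions\n", progName);
    FPS "Usage:  %s -N [-d certdir] [-f pwfile]\n", progName);
    FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-a] [-i input]\n",
        progName);
    FPS "\t%s -C [-c issuer-name | -x] -i cert-request-file -o cert-file\n"
        "\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
        "\t\t [-f pwfile] [-d certdir] [-1] [-2] [-3] [-4] [-5] [-6]\n",
        progName);
    FPS "\t%s -D -n cert-name [-d certdir]\n", progName);
    FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-a] [-i input]\n",
        progName);
    FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n"
        "\t\t [-f pwfile] [-z noisefile] [-d certdir]\n", progName);
    FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n"
        "\t\t [-z noisefile] [-d certdir]\n", progName);
    FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|rsa|all]\n", progName);
    FPS "\t\t [-f pwfile] [-d certdir]\n");
    FPS "\t%s -L [-n cert-name] [-d certdir] [-r] [-a]\n", progName);
    FPS "\t%s -M -n cert-name -t trustargs [-d certdir]\n", progName);
    FPS "\t%s -R -s subj -o cert-request-file [-d certdir] [-p phone] [-a]\n"
        "\t\t [-k key-type] [-h token-name] [-f pwfile] [-g key-size]\n",
        progName);
    FPS "\t%s -V -n cert-name -u usage [-b time] [-e] [-d certdir]\n",
        progName);
    FPS "\t%s -S -n cert-name -s subj [-c issuer-name | -x] -t trustargs\n"
        "\t\t [-k key-type] [-h token-name] [-g key-size]\n"
        "\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
        "\t\t [-f pwfile] [-d certdir]\n"
        "\t\t [-p phone] [-1] [-2] [-3] [-4] [-5] [-6]\n",
        progName);
    FPS "\t%s -U [-d certdir]\n", progName);
    exit(-1);
}

/*
 * Print the per-option description of every command to stderr and exit.
 * Uses the FPS macro defined in Usage() and #undef's it at the end.
 */
static void
LongUsage(char *progName)
{
    FPS "%-15s Add a certificate to the database (create if needed)\n",
        "-A");
    FPS "%-15s Add an Email certificate to the database (create if needed)\n",
        "-E");
    FPS "%-20s Specify the nickname of the certificate to add\n",
        "   -n cert-name");
    FPS "%-20s Set the certificate trust attributes:\n",
        "   -t trustargs");
    FPS "%-25s p \t valid peer\n", "");
    FPS "%-25s P \t trusted peer (implies p)\n", "");
    FPS "%-25s c \t valid CA\n", "");
    FPS "%-25s T \t trusted CA to issue client certs (implies c)\n", "");
    FPS "%-25s C \t trusted CA to issue server certs (implies c)\n", "");
    FPS "%-25s u \t user cert\n", "");
    FPS "%-25s w \t send warning\n", "");
#ifdef DEBUG_NSSTEAM_ONLY
    FPS "%-25s g \t make step-up cert\n", "");
#endif /* DEBUG_NSSTEAM_ONLY */
    FPS "%-20s Specify the password file\n",
        "   -f pwfile");
    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
        "   -d certdir");
    FPS "%-20s The input certificate is encoded in ASCII (RFC1113)\n",
        "   -a");
    FPS "%-20s Specify the certificate file (default is stdin)\n",
        "   -i input");
    FPS "\n");

    FPS "%-15s Create a new binary certificate from a BINARY cert request\n",
        "-C");
    FPS "%-20s The nickname of the issuer cert\n",
        "   -c issuer-name");
    FPS "%-20s The BINARY certificate request file\n",
        "   -i cert-request ");
    FPS "%-20s Output binary cert to this file (default is stdout)\n",
        "   -o output-cert");
    FPS "%-20s Self sign\n",
        "   -x");
    FPS "%-20s Cert serial number\n",
        "   -m serial-number");
    FPS "%-20s Time Warp\n",
        "   -w warp-months");
    FPS "%-20s Months valid (default is 3)\n",
        "   -v months-valid");
    FPS "%-20s Specify the password file\n",
        "   -f pwfile");
    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
        "   -d certdir");
    FPS "%-20s Create key usage extension\n",
        "   -1 ");
    FPS "%-20s Create basic constraint extension\n",
        "   -2 ");
    FPS "%-20s Create authority key ID extension\n",
        "   -3 ");
    FPS "%-20s Create crl distribution point extension\n",
        "   -4 ");
    FPS "%-20s Create netscape cert type extension\n",
        "   -5 ");
    FPS "%-20s Create extended key usage extension\n",
        "   -6 ");
    FPS "\n");

    FPS "%-15s Generate a new key pair\n",
        "-G");
    FPS "%-20s Name of token in which to generate key (default is internal)\n",
        "   -h token-name");
    FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
        "   -k key-type");
    FPS "%-20s Key size in bits, (min %d, max %d, default %d)\n",
        "   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
    FPS "%-20s Set the public exponent value (3, 17, 65537) (rsa only)\n",
        "   -y exp");
    FPS "%-20s Specify the password file\n",
        "   -f password-file");
    FPS "%-20s Specify the noise file to be used\n",
        "   -z noisefile");
    FPS "%-20s read PQG value from pqgfile (dsa only)\n",
        "   -q pqgfile");
    FPS "%-20s Key database directory (default is ~/.netscape)\n",
        "   -d keydir");
    FPS "\n");

    FPS "%-15s Delete a certificate from the database\n",
        "-D");
    FPS "%-20s The nickname of the cert to delete\n",
        "   -n cert-name");
    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
        "   -d certdir");
    FPS "\n");

    FPS "%-15s List all modules\n", /*, or print out a single named module\n",*/
        "-U");
    FPS "%-20s Module database directory (default is '~/.netscape')\n",
        "   -d moddir");

    FPS "%-15s List all keys\n", /*, or print out a single named key\n",*/
        "-K");
    FPS "%-20s Name of token in which to look for keys (default is internal,"
        " use \"all\" to list keys on all tokens)\n",
        "   -h token-name ");
    FPS "%-20s Type of key pair to list (\"all\", \"dsa\", \"rsa\" (default))\n",
        "   -k key-type");
    FPS "%-20s Specify the password file\n",
        "   -f password-file");
    FPS "%-20s Key database directory (default is ~/.netscape)\n",
        "   -d keydir");
    FPS "\n");

    FPS "%-15s List all certs, or print out a single named cert\n",
        "-L");
    FPS "%-20s Pretty print named cert (list all if unspecified)\n",
        "   -n cert-name");
    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
        "   -d certdir");
    FPS "%-20s For single cert, print binary DER encoding\n",
        "   -r");
    FPS "%-20s For single cert, print ASCII encoding (RFC1113)\n",
        "   -a");
    FPS "\n");

    FPS "%-15s Modify trust attributes of certificate\n",
        "-M");
    FPS "%-20s The nickname of the cert to modify\n",
        "   -n cert-name");
    FPS "%-20s Set the certificate trust attributes (see -A above)\n",
        "   -t trustargs");
    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
        "   -d certdir");
    FPS "\n");

    FPS "%-15s Create a new certificate database\n",
        "-N");
    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
        "   -d certdir");
    FPS "\n");

    FPS "%-15s Generate a certificate request (stdout)\n",
        "-R");
    FPS "%-20s Specify the subject name (using RFC1485)\n",
        "   -s subject");
    FPS "%-20s Output the cert request to this file\n",
        "   -o output-req");
    FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
        "   -k key-type");
    FPS "%-20s Name of token in which to generate key (default is internal)\n",
        "   -h token-name");
    FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
        "   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
    FPS "%-20s Specify the password file\n",
        "   -f pwfile");
    FPS "%-20s Key database directory (default is ~/.netscape)\n",
        "   -d keydir");
    FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
        "   -p phone");
    FPS "%-20s Output the cert request in ASCII (RFC1113); default is binary\n",
        "   -a");
    FPS "\n");

    FPS "%-15s Validate a certificate\n",
        "-V");
    FPS "%-20s The nickname of the cert to Validate\n",
        "   -n cert-name");
    FPS "%-20s validity time (\"YYMMDDHHMMSS[+HHMM|-HHMM|Z]\")\n",
        "   -b time");
    FPS "%-20s Check certificate signature \n",
        "   -e ");
    FPS "%-20s Specify certificate usage:\n",
        "   -u certusage");
    FPS "%-25s C \t SSL Client\n", "");
    FPS "%-25s V \t SSL Server\n", "");
    FPS "%-25s S \t Email signer\n", "");
    FPS "%-25s R \t Email Recipient\n", "");
    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
        "   -d certdir");
    FPS "\n");

    FPS "%-15s Make a certificate and add to database\n",
        "-S");
    FPS "%-20s Specify the nickname of the cert\n",
        "   -n key-name");
    FPS "%-20s Specify the subject name (using RFC1485)\n",
        "   -s subject");
    FPS "%-20s The nickname of the issuer cert\n",
        "   -c issuer-name");
    FPS "%-20s Set the certificate trust attributes (see -A above)\n",
        "   -t trustargs");
    FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
        "   -k key-type");
    FPS "%-20s Name of token in which to generate key (default is internal)\n",
        "   -h token-name");
    FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
        "   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
    FPS "%-20s Self sign\n",
        "   -x");
    FPS "%-20s Cert serial number\n",
        "   -m serial-number");
    FPS "%-20s Time Warp\n",
        "   -w warp-months");
    FPS "%-20s Months valid (default is 3)\n",
        "   -v months-valid");
    FPS "%-20s Specify the password file\n",
        "   -f pwfile");
    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
        "   -d certdir");
    FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
        "   -p phone");
    FPS "%-20s Create key usage extension\n",
        "   -1 ");
    FPS "%-20s Create basic constraint extension\n",
        "   -2 ");
    FPS "%-20s Create authority key ID extension\n",
        "   -3 ");
    FPS "%-20s Create crl distribution point extension\n",
        "   -4 ");
    FPS "%-20s Create netscape cert type extension\n",
        "   -5 ");
    FPS "%-20s Create extended key usage extension\n",
        "   -6 ");
    FPS "\n");

    exit(-1);
#undef FPS
}

/*
 * Build an (unsigned) X.509 v1 certificate from a certificate request.
 *
 * handle:         cert database used to look up the issuer.
 * req:            the decoded certificate request; its subject becomes the
 *                 certificate subject.
 * issuerNickName: nickname of the issuer cert (ignored when selfsign).
 * selfsign:       if true the request's own subject is also used as issuer.
 * serialNumber:   serial number placed in the certificate.
 * warpmonths:     months to shift notBefore away from "now" (may be 0).
 * validitylength: months of validity added ON TOP of a fixed 3 months.
 *
 * Returns the new certificate, or NULL if the issuer cannot be found or the
 * validity object cannot be created. The caller owns the returned cert.
 */
static CERTCertificate *
MakeV1Cert(CERTCertDBHandle *handle,
           CERTCertificateRequest *req,
           char *issuerNickName,
           PRBool selfsign,
           int serialNumber,
           int warpmonths,
           int validitylength)
{
    CERTCertificate *issuerCert = NULL;
    CERTValidity *validity;
    CERTCertificate *cert = NULL;
#ifndef NSPR20
    PRTime printableTime;
    int64 now, after;
#else
    PRExplodedTime printableTime;
    PRTime now, after;
#endif

    if ( !selfsign ) {
        issuerCert = CERT_FindCertByNicknameOrEmailAddr(handle, issuerNickName);
        if (!issuerCert) {
            SECU_PrintError(progName, "could not find certificate named \"%s\"",
                            issuerNickName);
            return NULL;
        }
    }

    now = PR_Now();
#ifndef NSPR20
    PR_ExplodeGMTTime (&printableTime, now);
#else
    PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
#endif
    if ( warpmonths ) {
        /* Shift "now" by warpmonths; re-explode so the later month arithmetic
         * starts from the shifted time. */
#ifndef NSPR20
        printableTime.tm_mon += warpmonths;
        now = PR_ImplodeTime (&printableTime, 0, 0);
        PR_ExplodeGMTTime (&printableTime, now);
#else
        printableTime.tm_month += warpmonths;
        now = PR_ImplodeTime (&printableTime);
        PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
#endif
    }
    /* NOTE(review): the usage text advertises "-v months-valid (default is
     * 3)", but 3 months are always added in addition to validitylength. If the
     * caller passes the -v value straight through, "-v 12" yields a 15-month
     * certificate -- confirm against the option parsing before relying on the
     * advertised default. Left as-is here because the caller is not visible. */
#ifndef NSPR20
    printableTime.tm_mon += validitylength;
    printableTime.tm_mon += 3;
    after = PR_ImplodeTime (&printableTime, 0, 0);
#else
    printableTime.tm_month += validitylength;
    printableTime.tm_month += 3;
    after = PR_ImplodeTime (&printableTime);
#endif

    /* note that the time is now in micro-second unit */
    validity = CERT_CreateValidity (now, after);
    if (!validity) {
        /* Previously passed straight into CERT_CreateCertificate(); a failed
         * allocation must not turn into a NULL dereference or a cert with no
         * validity period. */
        SECU_PrintError(progName, "could not create validity period");
        if ( issuerCert ) {
            CERT_DestroyCertificate (issuerCert);
        }
        return NULL;
    }

    if ( selfsign ) {
        cert = CERT_CreateCertificate (serialNumber, &(req->subject), validity,
                                       req);
    } else {
        cert = CERT_CreateCertificate (serialNumber, &(issuerCert->subject),
                                       validity, req);
    }

    CERT_DestroyValidity(validity);
    if ( issuerCert ) {
        CERT_DestroyCertificate (issuerCert);
    }
    return(cert);
}

/*
 * Read one line of interactive input into buf (capacity bufLen), replacing
 * the newline with a terminator. If the line is longer than buf, the rest is
 * discarded so the next prompt starts on a fresh line instead of consuming
 * the leftover characters as its own answer.
 *
 * Returns PR_FALSE (buf untouched) when nothing could be read (EOF / error),
 * PR_TRUE otherwise.
 */
static PRBool
ReadInputLine(char *buf, size_t bufLen)
{
    size_t i;
    int c;

    if (fgets(buf, (int)bufLen, stdin) == NULL) {
        return PR_FALSE;
    }
    for (i = 0; buf[i] != '\0'; i++) {
        if (buf[i] == '\n') {
            buf[i] = '\0';
            return PR_TRUE;
        }
    }
    /* No newline seen: the line did not fit. Drain the remainder. */
    while ((c = getc(stdin)) != EOF && c != '\n') {
        /* discard */
    }
    return PR_TRUE;
}

/*
 * Interactively build a KeyUsage extension and add it to extHandle.
 *
 * The user is shown the seven KeyUsage bits and enters their numbers one at
 * a time; any answer outside 0..6 (including EOF, an empty line or a
 * non-number) ends the selection. A final y/n prompt decides whether the
 * extension is marked critical (default: not critical).
 *
 * Returns the result of CERT_EncodeAndAddBitStrExtension().
 *
 * Security note: the original read every answer with gets() into a 5-byte
 * stack buffer -- an unbounded write (CWE-242 / CWE-121) triggered by any
 * answer of five or more characters. Input is now read with a bounded
 * fgets() wrapper, and the answer is parsed with strtol() so that a
 * non-numeric line is NOT silently treated as "0 - Digital Signature", which
 * atoi() did and which quietly added a usage bit the operator never chose.
 */
static SECStatus
AddKeyUsage (void *extHandle)
{
    SECItem bitStringValue;
    unsigned char keyUsage = 0x0;
    char buffer[5];
    long value;
    char *end;

    while (1) {
        fprintf(stdout, "%-25s 0 - Digital Signature\n", "");
        fprintf(stdout, "%-25s 1 - Non-repudiation\n", "");
        fprintf(stdout, "%-25s 2 - Key encipherment\n", "");
        fprintf(stdout, "%-25s 3 - Data encipherment\n", "");
        fprintf(stdout, "%-25s 4 - Key agreement\n", "");
        fprintf(stdout, "%-25s 5 - Cert signning key\n", "");
        fprintf(stdout, "%-25s 6 - CRL signning key\n", "");
        fprintf(stdout, "%-25s Other to finish\n", "");
        if (!ReadInputLine(buffer, sizeof buffer)) {
            break;  /* EOF: finish instead of spinning on a dead stdin */
        }
        value = strtol(buffer, &end, 10);
        if (end == buffer || value < 0 || value > 6) {
            break;
        }
        /* Bit 0 is the most significant bit of the BIT STRING's first octet. */
        keyUsage |= (unsigned char)(0x80 >> value);
    }
    bitStringValue.data = &keyUsage;
    bitStringValue.len = 1;

    buffer[0] = 'n';  /* default answer if nothing can be read */
    puts ("Is this a critical extension [y/n]? ");
    (void)ReadInputLine(buffer, sizeof buffer);

    return (CERT_EncodeAndAddBitStrExtension
            (extHandle, SEC_OID_X509_KEY_USAGE, &bitStringValue,
             (buffer[0] == 'y' || buffer[0] == 'Y') ? PR_TRUE : PR_FALSE));
}

static CERTOidSequence *
CreateOidSequence(void)
{
    CERTOidSequence *rv = (CERTOidSequence *)NULL;
    PRArenaPool *arena = (PRArenaPool *)NULL;

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if( (PRArenaPool *)NULL == arena ) {
        goto loser;
    }

    rv = (CERTOidSequence *)PORT_ArenaZAlloc(arena, sizeof(CERTOidSequence));
    if( (CERTOidSequence *)NULL == rv ) {
        goto loser;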