📄 certutil.c

📁 支持SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509v3证书等安全协议或标准的开发库编译用到NSPR
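  }
  rv->oids = (SECItem **)PORT_ArenaZAlloc(arena, sizeof(SECItem *));
  if( (SECItem **)NULL == rv->oids ) {
    goto loser;
  }
  rv->arena = arena;
  return rv;
 loser:
  if( (PRArenaPool *)NULL != arena ) {
    PORT_FreeArena(arena, PR_FALSE);
  }
  return (CERTOidSequence *)NULL;
}

/*
 * Bounded replacement for gets(): read one line from stdin into buf (at most
 * size-1 bytes) and strip the trailing newline.  A line longer than the
 * buffer is truncated and the remainder of the line discarded, so the next
 * prompt does not read stale input.  On EOF or read error buf is set to ""
 * and PR_FALSE is returned; otherwise PR_TRUE.
 */
static PRBool
ReadPromptLine(char *buf, size_t size)
{
    size_t len;
    int c;

    if (buf == NULL || size == 0) {
        return PR_FALSE;
    }
    buf[0] = '\0';
    if (fgets(buf, (int)size, stdin) == NULL) {
        buf[0] = '\0';
        return PR_FALSE;
    }
    len = PORT_Strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
    } else if (len == size - 1) {
        /* Buffer filled without a newline: drain the rest of the line. */
        while ((c = getchar()) != EOF && c != '\n') {
            /* discard */
        }
    }
    return PR_TRUE;
}

/*
 * Parse a numeric menu choice.  Returns the number, or -1 when the line holds
 * no number at all (empty line, letters, ...) or a value outside 0..255, so
 * that junk input ends a menu instead of silently selecting option 0 the way
 * atoi() did.
 */
static int
ParseMenuChoice(const char *buf)
{
    char *end = NULL;
    long value = strtol(buf, &end, 10);

    if (end == buf || value < 0 || value > 255) {
        return -1;
    }
    return (int)value;
}

/*
 * Append the OID identified by oidTag to os.  The NULL-terminated OID array
 * is re-allocated from the sequence's arena with room for the new entry plus
 * the terminator; the old array is released together with the arena.
 * Returns SECFailure if the tag is unknown or allocation fails.
 */
static SECStatus
AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag)
{
    SECItem **oids;
    SECItem **newOids;
    PRUint32 count = 0;
    PRUint32 i;
    SECOidData *od;

    od = SECOID_FindOIDByTag(oidTag);
    if ((SECOidData *)NULL == od) {
        return SECFailure;
    }

    for (oids = os->oids; (SECItem *)NULL != *oids; oids++) {
        count++;
    }

    /* "ArenaZRealloc": existing entries + the new one + NULL terminator. */
    newOids = (SECItem **)PORT_ArenaZAlloc(os->arena, sizeof(SECItem *) * (count + 2));
    if ((SECItem **)NULL == newOids) {
        return SECFailure;
    }
    for (i = 0; i < count; i++) {
        newOids[i] = os->oids[i];
    }
    newOids[count] = &od->oid;   /* newOids[count + 1] stays NULL from ZAlloc */

    os->oids = newOids;
    return SECSuccess;
}

/*
 * DER-encode os as an OID SEQUENCE into an item allocated from os->arena.
 * Returns NULL on allocation or encoding failure.
 */
static SECItem *
EncodeOidSequence(CERTOidSequence *os)
{
    extern const SEC_ASN1Template CERT_OidSeqTemplate[];
    SECItem *encoded;

    encoded = (SECItem *)PORT_ArenaZAlloc(os->arena, sizeof(SECItem));
    if ((SECItem *)NULL == encoded) {
        return (SECItem *)NULL;
    }
    if (!SEC_ASN1EncodeItem(os->arena, encoded, os, CERT_OidSeqTemplate)) {
        return (SECItem *)NULL;
    }
    return encoded;
}

/*
 * Interactively build an extKeyUsage extension and add it to extHandle.
 * The user picks purposes from a menu until a non-numeric or out-of-range
 * entry (or EOF) ends the list, then says whether the extension is critical.
 * Returns SECFailure if an OID cannot be added or the sequence cannot be
 * encoded, otherwise the result of CERT_AddExtension.
 */
static SECStatus
AddExtKeyUsage(void *extHandle)
{
    char buffer[5];
    CERTOidSequence *os;
    SECStatus rv = SECSuccess;
    SECItem *item;

    os = CreateOidSequence();
    if ((CERTOidSequence *)NULL == os) {
        return SECFailure;
    }

    while (1) {
        fprintf(stdout, "%-25s 0 - Server Auth\n", "");
        fprintf(stdout, "%-25s 1 - Client Auth\n", "");
        fprintf(stdout, "%-25s 2 - Code Signing\n", "");
        fprintf(stdout, "%-25s 3 - Email Protection\n", "");
        fprintf(stdout, "%-25s 4 - Timestamp\n", "");
        fprintf(stdout, "%-25s 5 - OSCP Responder\n", "");
#ifdef DEBUG_NSSTEAM_ONLY
        fprintf(stdout, "%-25s 6 - Step-up\n", "");
#endif /* DEBUG_NSSTEAM_ONLY */
        fprintf(stdout, "%-25s Other to finish\n", "");

        /* EOF ends the menu; gets() left the buffer unchanged on EOF, so the
         * previous (valid) choice would have been re-added without end. */
        if (!ReadPromptLine(buffer, sizeof buffer)) {
            break;
        }
        switch (ParseMenuChoice(buffer)) {
        case 0:
            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH);
            break;
        case 1:
            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
            break;
        case 2:
            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
            break;
        case 3:
            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT);
            break;
        case 4:
            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_TIME_STAMP);
            break;
        case 5:
            rv = AddOidToSequence(os, SEC_OID_OCSP_RESPONDER);
            break;
#ifdef DEBUG_NSSTEAM_ONLY
        case 6:
            rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
            break;
#endif /* DEBUG_NSSTEAM_ONLY */
        default:
            goto endloop;
        }
        if (SECSuccess != rv) {
            goto loser;
        }
    }
 endloop:
    item = EncodeOidSequence(os);
    if ((SECItem *)NULL == item) {
        /* Encoding failed; do not hand a NULL item to CERT_AddExtension. */
        rv = SECFailure;
        goto loser;
    }

    buffer[0] = 'n';
    puts ("Is this a critical extension [y/n]? ");
    (void)ReadPromptLine(buffer, sizeof buffer);
    rv = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE, item,
                           ((buffer[0] == 'y' || buffer[0] == 'Y')
                            ? PR_TRUE : PR_FALSE), PR_TRUE);
    /*FALLTHROUGH*/
 loser:
    CERT_DestroyOidSequence(os);
    return rv;
}

/*
 * Interactively build a Netscape cert-type extension (one bit per selected
 * menu entry, MSB first) and add it to extHandle.  A non-numeric, negative
 * or >7 entry, or EOF, ends the selection.  Returns the result of
 * CERT_EncodeAndAddBitStrExtension.
 */
static SECStatus
AddNscpCertType (void *extHandle)
{
    SECItem bitStringValue;
    unsigned char keyUsage = 0x0;
    char buffer[5];
    int value;

    for (;;) {
        fprintf(stdout, "%-25s 0 - SSL Client\n", "");
        fprintf(stdout, "%-25s 1 - SSL Server\n", "");
        fprintf(stdout, "%-25s 2 - S/MIME\n", "");
        fprintf(stdout, "%-25s 3 - Object Signing\n", "");
        fprintf(stdout, "%-25s 4 - Reserved for futuer use\n", "");
        fprintf(stdout, "%-25s 5 - SSL CA\n", "");
        fprintf(stdout, "%-25s 6 - S/MIME CA\n", "");
        fprintf(stdout, "%-25s 7 - Object Signing CA\n", "");
        fprintf(stdout, "%-25s Other to finish\n", "");

        if (!ReadPromptLine(buffer, sizeof buffer)) {
            break;
        }
        value = ParseMenuChoice(buffer);
        if (value < 0 || value > 7) {
            break;
        }
        keyUsage |= (unsigned char)(0x80 >> value);
    }
    bitStringValue.data = &keyUsage;
    bitStringValue.len = 1;

    buffer[0] = 'n';
    puts ("Is this a critical extension [y/n]? ");
    (void)ReadPromptLine(buffer, sizeof buffer);
    return (CERT_EncodeAndAddBitStrExtension
            (extHandle, SEC_OID_NS_CERT_EXT_CERT_TYPE, &bitStringValue,
             (buffer[0] == 'y' || buffer[0] == 'Y') ? PR_TRUE : PR_FALSE));
}

/*
 * Encoder callback used by EncodeAndAddExtensionValue: DER-encodes value into
 * encodedValue, allocating from the given arena.
 */
typedef SECStatus (* EXTEN_VALUE_ENCODER)
		(PRArenaPool *extHandle, void *value, SECItem *encodedValue);

/*
 * Encode value with EncodeValueFn (allocating from arena) and add the result
 * to extHandle as extension extenType with the given criticality.  Returns
 * the encoder's failure status, or the result of CERT_AddExtension.
 */
static SECStatus
EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, void *value,
                           PRBool criticality, int extenType,
                           EXTEN_VALUE_ENCODER EncodeValueFn)
{
    SECItem encodedValue;
    SECStatus rv;

    encodedValue.data = NULL;
    encodedValue.len = 0;

    rv = (*EncodeValueFn)(arena, value, &encodedValue);
    if (rv != SECSuccess) {
        return rv;
    }
    return CERT_AddExtension(extHandle, extenType, &encodedValue, criticality, PR_TRUE);
}

/*
 * Interactively build a basicConstraints extension (CA flag, optional path
 * length, criticality) and add it to extHandle.  The encoded value is
 * heap-allocated (NULL arena) and freed on every return path.  Returns the
 * encoder's or CERT_AddExtension's status.
 */
static SECStatus
AddBasicConstraint(void *extHandle)
{
    CERTBasicConstraints basicConstraint;
    SECItem encodedValue;
    SECStatus rv;
    char buffer[10];

    encodedValue.data = NULL;
    encodedValue.len = 0;

    basicConstraint.pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
    puts ("Is this a CA certificate [y/n]?");
    (void)ReadPromptLine(buffer, sizeof buffer);
    basicConstraint.isCA = (buffer[0] == 'Y' || buffer[0] == 'y') ?
                           PR_TRUE : PR_FALSE;

    puts ("Enter the path length constraint, enter to skip [<0 for unlimited path]:");
    (void)ReadPromptLine(buffer, sizeof buffer);
    if (PORT_Strlen (buffer) > 0) {
        basicConstraint.pathLenConstraint = atoi (buffer);
    }

    rv = CERT_EncodeBasicConstraintValue (NULL, &basicConstraint, &encodedValue);
    if (rv == SECSuccess) {
        buffer[0] = 'n';
        puts ("Is this a critical extension [y/n]? ");
        (void)ReadPromptLine(buffer, sizeof buffer);
        rv = CERT_AddExtension
             (extHandle, SEC_OID_X509_BASIC_CONSTRAINTS,
              &encodedValue, (buffer[0] == 'y' || buffer[0] == 'Y') ?
              PR_TRUE : PR_FALSE, PR_TRUE);
    }
    /* Previously the encode-failure path returned without reaching this free. */
    if (encodedValue.data) {
        PORT_Free (encodedValue.data);
    }
    return (rv);
}

/*
 * Sign cert and store the DER result in cert->derCert.  With selfsign the
 * caller-supplied selfsignprivkey is used; otherwise the issuer certificate
 * named issuerNickName is looked up through PK11 and its private key fetched.
 * The certificate version is forced to v3 before encoding.
 *
 * Returns the signed DER item, allocated from cert->arena (it must not be
 * PORT_Free'd), or NULL with a message on stderr.  handle is unused.
 * NOTE(review): the private key is destroyed on every exit path, including
 * the self-sign case where it belongs to the caller; callers must not use
 * selfsignprivkey afterwards - confirm this matches the call sites.
 */
static SECItem *
SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign,
         SECKEYPrivateKey *selfsignprivkey, char *issuerNickName, void *pwarg)
{
    SECItem der;
    SECItem *result = NULL;
    SECKEYPrivateKey *caPrivateKey = NULL;
    SECStatus rv;
    PRArenaPool *arena;
    SECOidTag algID;
    void *dummy;

    if (selfsign) {
        caPrivateKey = selfsignprivkey;
    } else {
        /*CERTCertificate *issuer = CERT_FindCertByNickname(handle, issuerNickName);*/
        CERTCertificate *issuer = PK11_FindCertFromNickname(issuerNickName, pwarg);
        if ((CERTCertificate *)NULL == issuer) {
            SECU_PrintError(progName, "unable to find issuer with nickname %s",
                            issuerNickName);
            return (SECItem *)NULL;
        }
        caPrivateKey = PK11_FindKeyByAnyCert(issuer, pwarg);
        /* The issuer reference is only needed to locate the key. */
        CERT_DestroyCertificate(issuer);
        if (caPrivateKey == NULL) {
            SECU_PrintError(progName, "unable to retrieve key %s", issuerNickName);
            return NULL;
        }
    }

    arena = cert->arena;
    switch (caPrivateKey->keyType) {
    case rsaKey:
        /* NOTE(review): MD5 is not an acceptable signature digest any more;
         * kept so the tool's output is unchanged, but a SHA-based algorithm
         * should replace it. */
        algID = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
        break;
    case dsaKey:
        algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
        break;
    default:
        fprintf(stderr, "Unknown key type for issuer.");
        goto done;
    }

    rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
    if (rv != SECSuccess) {
        fprintf(stderr, "Could not set signature algorithm id.");
        goto done;
    }

    /* we only deal with cert v3 here */
    if (cert->version.data == NULL) {
        fprintf(stderr, "Certificate version field is not allocated.\n");
        goto done;
    }
    *(cert->version.data) = 2;
    cert->version.len = 1;

    der.len = 0;
    der.data = NULL;
    dummy = SEC_ASN1EncodeItem (arena, &der, cert, CERT_CertificateTemplate);
    if (!dummy) {
        fprintf (stderr, "Could not encode certificate.\n");
        goto done;
    }

    result = (SECItem *) PORT_ArenaZAlloc (arena, sizeof (SECItem));
    if (result == NULL) {
        fprintf (stderr, "Could not allocate item for certificate data.\n");
        goto done;
    }

    rv = SEC_DerSignData (arena, result, der.data, der.len, caPrivateKey,
                          algID);
    if (rv != SECSuccess) {
        fprintf (stderr, "Could not sign encoded certificate data.\n");
        /* result belongs to the arena; PORT_Free on it (as before) was an
         * invalid free.  Just drop the pointer. */
        result = NULL;
        goto done;
    }
    cert->derCert = *result;

done:
    SECKEY_DestroyPrivateKey(caPrivateKey);
    return result;
}

/*
 * Interactively build an authorityKeyIdentifier extension (key id, issuer
 * general name, serial number, criticality) and add it to extHandle.  A
 * temporary arena holds the intermediate structures and is freed before
 * returning.  Returns SECSuccess when the user declines the extension.
 */
static SECStatus
AddAuthKeyID (void *extHandle)
{
    CERTAuthKeyID *authKeyID = NULL;
    PRArenaPool *arena = NULL;
    SECStatus rv = SECSuccess;
    char buffer[512];

    do {
        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
        if ( !arena ) {
            SECU_PrintError(progName, "out of memory");
            GEN_BREAK (SECFailure);
        }

        if (GetYesNo ("Enter value for the authKeyID extension [y/n]?\n") == 0) {
            break;
        }

        authKeyID = PORT_ArenaZAlloc (arena, sizeof (CERTAuthKeyID));
        if (authKeyID == NULL) {
            GEN_BREAK (SECFailure);
        }

        rv = GetString (arena, "Enter value for the key identifier fields, enter to omit:",
                        &authKeyID->keyID);
        if (rv != SECSuccess) {
            break;
        }

        authKeyID->authCertIssuer = GetGeneralName (arena);
        /* NOTE(review): this leaves rv == SECSuccess, so a failed
         * GetGeneralName is reported as success with no extension added -
         * confirm that is intended. */
        if (authKeyID->authCertIssuer == NULL && SECFailure == PORT_GetError ()) {
            break;
        }

        rv = GetString (arena, "Enter value for the authCertSerial field, enter to omit:",
                        &authKeyID->authCertSerialNumber);
        if (rv != SECSuccess) {   /* was previously unchecked */
            break;
        }

        buffer[0] = 'n';
        puts ("Is this a critical extension [y/n]? ");
        (void)ReadPromptLine(buffer, sizeof buffer);
        rv = EncodeAndAddExtensionValue
            (arena, extHandle, authKeyID,
             (buffer[0] == 'y' || buffer[0] == 'Y') ? PR_TRUE : PR_FALSE,
             SEC_OID_X509_AUTH_KEY_ID,
             (EXTEN_VALUE_ENCODER) CERT_EncodeAuthKeyID);
    } while (0);

    if (arena) {
        PORT_FreeArena (arena, PR_FALSE);
    }
    return (rv);
}

/*
 * Interactively build a cRLDistributionPoints extension and add it to
 * extHandle.  Each distribution point has an optional name (full general
 * name or a single relative RDN) and reason flags.
 * The remainder of this function is outside this view.
 */
static SECStatus
AddCrlDistPoint(void *extHandle)
{
    PRArenaPool *arena = NULL;
    CERTCrlDistributionPoints *crlDistPoints = NULL;
    CRLDistributionPoint *current;
    SECStatus rv = SECSuccess;
    int count = 0, intValue;
    char buffer[5];

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if ( !arena ) {
        return (SECFailure);
    }

    do {
        current = NULL;
        current = PORT_ArenaZAlloc (arena, sizeof (*current));
        if (current == NULL) {
            GEN_BREAK (SECFailure);
        }

        /* Get the distributionPointName fields - this field is optional */
        puts ("Enter the type of the distribution point name:\n");
        puts ("\t1 - Full Name\n\t2 - Relative Name\n\tOther - omit\n\t\tChoice: ");
        /* Line-based read instead of scanf("%d"): no leftover newline for the
         * next prompt, and EOF or junk reads as -1 (omit) rather than leaving
         * intValue uninitialized. */
        intValue = ReadPromptLine(buffer, sizeof buffer) ? ParseMenuChoice(buffer) : -1;
        switch (intValue) {
        case generalName:
            current->distPointType = intValue;
            current->distPoint.fullName = GetGeneralName (arena);
            rv = PORT_GetError();
            break;

        case relativeDistinguishedName: {
            CERTName *name;
            char nameBuffer[512];

            current->distPointType = intValue;
            puts ("Enter the relative name: ");
            fflush (stdout);
            (void)ReadPromptLine(nameBuffer, sizeof nameBuffer);
            /* For simplicity, use CERT_AsciiToName to convert from a string
               to NAME, but we are only interested in the first RDN */
            name = CERT_AsciiToName (nameBuffer);
            if (!name) {
                GEN_BREAK (SECFailure);
            }
            rv = CERT_CopyRDN (arena, &current->distPoint.relativeName, name->rdns[0]);
            CERT_DestroyName (name);
            break;
        }

        default:
            /* any other choice omits the distribution point name */
            break;
        }
        if (rv != SECSuccess) {
            break;
        }

        /* Get the reason flags */
        puts ("\nSelect one of the following for the reason flags\n");
        puts ("\t0 - unused\n\t1 - keyCompromise\n\t2 - caCompromise\n\t3 - affiliationChanged\n");
        puts ("\t4 - superseded\n\t5 - cessationOfOperation\n\t6 - certificateHold\n");
        puts ("\tother - omit\t\tChoice: ");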
