modutil.c

来自「支持SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS」· C语言 代码 · 共 875 行 · 第 1/2 页

		break;	case DISABLE_COMMAND:		break;	case ENABLE_COMMAND:		break;	case FIPS_COMMAND:		if(PL_strcasecmp(fipsArg, "true") &&			PL_strcasecmp(fipsArg, "false")) {			PR_fprintf(PR_STDERR, errStrings[INVALID_FIPS_ARG]);			return INVALID_FIPS_ARG;		}		break;	case JAR_COMMAND:		if(installDir == NULL) {			PR_fprintf(PR_STDERR, errStrings[MISSING_PARAM_ERR],				commandNames[JAR_COMMAND], optionStrings[INSTALLDIR_ARG]);			return MISSING_PARAM_ERR;		}		break;	case LIST_COMMAND:		break;	case UNDEFAULT_COMMAND:	case DEFAULT_COMMAND:		if(mechanisms == NULL) {			PR_fprintf(PR_STDERR, errStrings[MISSING_PARAM_ERR],				commandNames[command], optionStrings[MECHANISMS_ARG]);			return MISSING_PARAM_ERR;		}		break;	default:		/* Ignore this here */		break;	}	return SUCCESS;}/******************************************************************** * * i n i t _ c r y p t o * * Does crypto initialization that all commands will require. * If -nocertdb option is specified, don't open key or cert db (we don't * need them if we aren't going to be verifying signatures).  This is * because serverland doesn't always have cert and key database files * available. 
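*/
/*
 * Parameters:
 *   create   - PR_TRUE when the command creates a new set of databases;
 *              the database files must then not exist yet and the
 *              directory must be writeable.
 *   readOnly - PR_TRUE when the command will not modify the databases;
 *              write access is then not required.
 *
 * Returns SUCCESS, or the Error code whose message has already been
 * printed to PR_STDERR.
 *
 * The PR_Access() probes below only exist to produce precise diagnostics.
 * They are not an access-control decision: the files can change between
 * the probe and the later open, so the failure handling on the open calls
 * further down remains the check that actually counts.
 */
static Error
init_crypto(PRBool create, PRBool readOnly)
{
	char *moddbname=NULL, *dir, *keydbname, *certdbname;
	PRBool free_moddbname = PR_FALSE;
	Error retval;

	if(SECU_ConfigDirectory(dbdir)[0] == '\0') {
		PR_fprintf(PR_STDERR, errStrings[NO_DBDIR_ERR]);
		retval=NO_DBDIR_ERR;
		goto loser;
	}
	moddbname = SECU_SECModDBName(); /* this changes later in the function */
	dir = SECU_ConfigDirectory(NULL);
	keydbname = SECU_KeyDBNameCallback(NULL, PRIVATE_KEY_DB_FILE_VERSION);
	certdbname = SECU_CertDBNameCallback(NULL, CERT_DB_FILE_VERSION);

	/* Make sure db directory exists and is readable */
	if(PR_Access(dir, PR_ACCESS_EXISTS) != PR_SUCCESS) {
		PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dir);
		retval = DIR_DOESNT_EXIST_ERR;
		goto loser;
	} else if(PR_Access(dir, PR_ACCESS_READ_OK) != PR_SUCCESS) {
		PR_fprintf(PR_STDERR, errStrings[DIR_NOT_READABLE_ERR], dir);
		retval = DIR_NOT_READABLE_ERR;
		goto loser;
	}

	/* Check for the proper permissions on databases */
	if(create) {
		/* Make sure dbs don't already exist, and the directory is
			writeable */
		if(PR_Access(moddbname, PR_ACCESS_EXISTS)==PR_SUCCESS) {
			PR_fprintf(PR_STDERR, errStrings[FILE_ALREADY_EXISTS_ERR],
			  moddbname);
			retval=FILE_ALREADY_EXISTS_ERR;
			goto loser;
		} else if(PR_Access(keydbname, PR_ACCESS_EXISTS)==PR_SUCCESS) {
			PR_fprintf(PR_STDERR, errStrings[FILE_ALREADY_EXISTS_ERR],
			  keydbname);
			retval=FILE_ALREADY_EXISTS_ERR;
			goto loser;
		} else if(PR_Access(certdbname, PR_ACCESS_EXISTS)==PR_SUCCESS) {
			PR_fprintf(PR_STDERR, errStrings[FILE_ALREADY_EXISTS_ERR],
			  certdbname);
			retval=FILE_ALREADY_EXISTS_ERR;
			goto loser;
		} else if(PR_Access(dir, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
			PR_fprintf(PR_STDERR, errStrings[DIR_NOT_WRITEABLE_ERR], dir);
			retval=DIR_NOT_WRITEABLE_ERR;
			goto loser;
		}
	} else {
		/* Make sure dbs are readable and writeable */
		if(PR_Access(moddbname, PR_ACCESS_READ_OK) != PR_SUCCESS) {
#ifndef XP_PC
			/* in serverland, they always use secmod.db, even on UNIX. Try
			   this */
			moddbname = PR_smprintf("%s/secmod.db", dir);
			if(moddbname == NULL) {
				/* PR_smprintf allocates; do not hand a NULL path to
				 * PR_Access or to the %s in the message below. */
				PR_fprintf(PR_STDERR, errStrings[OUT_OF_MEM_ERR]);
				retval=OUT_OF_MEM_ERR;
				goto loser;
			}
			free_moddbname = PR_TRUE;
			if(PR_Access(moddbname, PR_ACCESS_READ_OK) != PR_SUCCESS) {
#endif
			PR_fprintf(PR_STDERR, errStrings[FILE_NOT_READABLE_ERR], moddbname);
			retval=FILE_NOT_READABLE_ERR;
			goto loser;
#ifndef XP_PC
			}
#endif
		}
		if(!nocertdb) { /* don't open cert and key db if -nocertdb */
			if(PR_Access(keydbname, PR_ACCESS_READ_OK) != PR_SUCCESS) {
				PR_fprintf(PR_STDERR, errStrings[FILE_NOT_READABLE_ERR],
				  keydbname);
				retval=FILE_NOT_READABLE_ERR;
				goto loser;
			}
			if(PR_Access(certdbname, PR_ACCESS_READ_OK) != PR_SUCCESS) {
				PR_fprintf(PR_STDERR, errStrings[FILE_NOT_READABLE_ERR],
				  certdbname);
				retval=FILE_NOT_READABLE_ERR;
				goto loser;
			}
		}

		/* Check for write access if we'll be making changes */
		if( !readOnly ) {
			if(PR_Access(moddbname, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
				PR_fprintf(PR_STDERR, errStrings[FILE_NOT_WRITEABLE_ERR],
				  moddbname);
				retval=FILE_NOT_WRITEABLE_ERR;
				goto loser;
			}
			if(!nocertdb) { /* don't open key and cert db if -nocertdb */
				if(PR_Access(keydbname, PR_ACCESS_WRITE_OK)
															!= PR_SUCCESS) {
					PR_fprintf(PR_STDERR, errStrings[FILE_NOT_WRITEABLE_ERR],
					  keydbname);
					retval=FILE_NOT_WRITEABLE_ERR;
					goto loser;
				}
				if(PR_Access(certdbname, PR_ACCESS_WRITE_OK)
															!= PR_SUCCESS) {
					PR_fprintf(PR_STDERR, errStrings[FILE_NOT_WRITEABLE_ERR],
					  certdbname);
					retval=FILE_NOT_WRITEABLE_ERR;
					goto loser;
				}
			}
		}
		PR_fprintf(PR_STDOUT, msgStrings[USING_DBDIR_MSG],
		  SECU_ConfigDirectory(NULL));
	}

	SEC_Init();

	/* Open/create key database */
	RNG_RNGInit(); /* This is required before SECU_OpenKeyDB */
	RNG_SystemInfoForRNG();
	if(!nocertdb) {
		if(create) PR_fprintf(PR_STDOUT, msgStrings[CREATING_DB_MSG],
		  keydbname);
		if(SECU_OpenKeyDB(readOnly) == NULL) {
			PR_fprintf(PR_STDERR, "\n");
			PR_fprintf(PR_STDERR, errStrings[DB_ACCESS_ERR], keydbname);
			retval=DB_ACCESS_ERR;
			goto loser;
		}
		if(create) PR_fprintf(PR_STDOUT, msgStrings[DONE_MSG]);
	}

	/* Open/create cert database */
	if(!nocertdb) {
		if(create) PR_fprintf(PR_STDOUT, msgStrings[CREATING_DB_MSG],
		  certdbname);
		if(SECU_OpenCertDB(readOnly) == NULL) {
			PR_fprintf(PR_STDERR, "\n");
			PR_fprintf(PR_STDERR, errStrings[DB_ACCESS_ERR], certdbname);
			retval=DB_ACCESS_ERR;
			goto loser;
		}
		if(create) PR_fprintf(PR_STDOUT, msgStrings[DONE_MSG]);
	}

	/* Open/create module database */
	/* NOTE(review): unlike the key and cert db opens above, no result of
	 * SECMOD_init is checked here, and DONE_MSG is printed regardless --
	 * confirm whether SECMOD_init can report a failure. */
	if(create) PR_fprintf(PR_STDOUT, msgStrings[CREATING_DB_MSG], moddbname);
	SECMOD_init(moddbname);
	if(create) PR_fprintf(PR_STDOUT, msgStrings[DONE_MSG]);

	retval=SUCCESS;
loser:
	/* Only the PR_smprintf fallback path above is owned by this function */
	if(free_moddbname) {
		PR_Free(moddbname);
	}
	return retval;
}

/*************************************************************************
 *
 * u s a g e
 *
 * Prints the command and option summary to PR_STDOUT.  The text contains
 * no '%' characters, so it is safe to pass as the format argument.
 */
static void
usage()
{
	PR_fprintf(PR_STDOUT,
"\nNetscape Cryptographic Module Utility\n"
"Usage: modutil [command] [options]\n\n"
"                            COMMANDS\n"
"---------------------------------------------------------------------------\n"
"-add MODULE_NAME                 Add the named module to the module database\n"
"   -libfile LIBRARY_FILE         The name of the file (.so or .dll)\n"
"                                 containing the implementation of PKCS #11\n"
"   [-ciphers CIPHER_LIST]        Enable the given ciphers on this module\n"
"   [-mechanisms MECHANISM_LIST]  Make the module a default provider of the\n"
"                                 given mechanisms\n"
"-changepw TOKEN                  Change the password on the named token\n"
"   [-pwfile FILE]                The old password is in this file\n"
"   [-newpwfile FILE]             The new password is in this file\n"
"-create                          Create a new set of security databases\n"
"-default MODULE                  Make the given module a default provider\n"
"   -mechanisms MECHANISM_LIST    of the given mechanisms\n"
"   [-slot SLOT]                  limit change to only the given slot\n"
"-delete MODULE                   Remove the named module from the module\n"
"                                 database\n"
"-disable MODULE                  Disable the named module\n"
"   [-slot SLOT]                  Disable only the named slot on the module\n"
"-enable MODULE                   Enable the named module\n"
"   [-slot SLOT]                  Enable only the named slot on the module\n"
"-fips [ true | false ]           If true, enable FIPS mode.  If false,\n"
"                                 disable FIPS mode\n"
"-force                           Do not run interactively\n"
"-jar JARFILE                     Install a PKCS #11 module from the given\n"
"                                 JAR file in the PKCS #11 JAR format\n"
"   -installdir DIR               Use DIR as the root directory of the\n"
"                                 installation\n"
"   [-tempdir DIR]                Use DIR as the temporary installation\n"
"                                 directory. If not specified, the current\n"
"                                 directory is used\n"
"-list [MODULE]                   Lists information about the specified module\n"
"                                 or about all modules if none is specified\n"
"-undefault MODULE                The given module is NOT a default provider\n"
"   -mechanisms MECHANISM_LIST    of the listed mechanisms\n"
"   [-slot SLOT]                  limit change to only the given slot\n"
"---------------------------------------------------------------------------\n"
"\n"
"                             OPTIONS\n"
"---------------------------------------------------------------------------\n"
"-dbdir DIR                       Directory DIR contains the security databases\n"
"-nocertdb                        Do not load certificate or key databases. No\n"
"                                 verification will be performed on JAR files.\n"
"---------------------------------------------------------------------------\n"
"\n"
"Mechanism lists are colon-separated.  The following mechanisms are recognized:\n"
"RSA, DSA, RC2, RC4, RC5, DES, DH, FORTEZZA, SHA1, MD5, MD2, SSL, TLS, RANDOM,\n"
" FRIENDLY\n"
"\n"
"Cipher lists are colon-separated.  The following ciphers are recognized:\n"
"FORTEZZA\n"
"\nQuestions or bug reports should be sent to modutil-support@netscape.com.\n");
}

/*************************************************************************
 *
 * m a i n
 *
 * Parses and validates the command line, asks for confirmation before any
 * command that writes to the databases (unless -force), initializes
 * crypto, and dispatches the selected command.  Returns the Error code of
 * the first failure, or SUCCESS.
 */
int
main(int argc, char *argv[])
{
	int errcode = SUCCESS;
	PRBool createdb, readOnly;
#define STDINBUF_SIZE 80
	char stdinbuf[STDINBUF_SIZE];

	PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);

	if(parse_args(argc, argv) != SUCCESS) {
		usage();
		errcode = INVALID_USAGE_ERR;
		goto loser;
	}

	if(verify_params() != SUCCESS) {
		usage();
		errcode = INVALID_USAGE_ERR;
		goto loser;
	}

	if(command==NO_COMMAND) {
		PR_fprintf(PR_STDERR, errStrings[NO_COMMAND_ERR]);
		usage();
		errcode = INVALID_USAGE_ERR;
		goto loser;
	}

	/* Set up crypto stuff */
	createdb = command==CREATE_COMMAND;
	readOnly = command==LIST_COMMAND;

	/* Make sure browser is not running if we're writing to a database */
	/* Do this before initializing crypto */
	if(!readOnly && !force) {
		char *response;

		PR_fprintf(PR_STDOUT, msgStrings[BROWSER_RUNNING_MSG]);
		/* PR_fgets returns NULL on a read error and when stdin is already
		 * at end-of-file, so a closed or empty stdin is not taken as the
		 * operator's confirmation.  Non-interactive callers use -force. */
		if( ! PR_fgets(stdinbuf, STDINBUF_SIZE, PR_STDIN)) {
			PR_fprintf(PR_STDERR, errStrings[STDIN_READ_ERR]);
			errcode = STDIN_READ_ERR;
			goto loser;
		}
		/* Only the first whitespace-delimited token is examined */
		if( (response=strtok(stdinbuf, " \r\n\t")) ) {
			if(!PL_strcasecmp(response, "q")) {
				PR_fprintf(PR_STDOUT, msgStrings[ABORTING_MSG]);
				errcode = SUCCESS;
				goto loser;
			}
		}
		PR_fprintf(PR_STDOUT, "\n");
	}

	errcode = init_crypto(createdb, readOnly);
	if( errcode != SUCCESS) {
		goto loser;
	}

	/* Execute the command */
	switch(command) {
	case ADD_COMMAND:
		errcode = AddModule(moduleName, libFile, ciphers, mechanisms);
		break;
	case CHANGEPW_COMMAND:
		errcode = ChangePW(tokenName, pwFile, newpwFile);
		break;
	case CREATE_COMMAND:
		/* The work was already done in init_crypto() */
		break;
	case DEFAULT_COMMAND:
		errcode = SetDefaultModule(moduleName, slotName, mechanisms);
		break;
	case DELETE_COMMAND:
		errcode = DeleteModule(moduleName);
		break;
	case DISABLE_COMMAND:
		errcode = EnableModule(moduleName, slotName, PR_FALSE);
		break;
	case ENABLE_COMMAND:
		errcode = EnableModule(moduleName, slotName, PR_TRUE);
		break;
	case FIPS_COMMAND:
		errcode = FipsMode(fipsArg);
		break;
	case JAR_COMMAND:
		/* With -nocertdb the cert and key databases are not opened, and
		 * the usage text states that no verification is then performed
		 * on the JAR.  The JAR delivers a PKCS #11 module (a .so/.dll),
		 * so that combination should be reserved for JAR files whose
		 * origin is already trusted. */
		Pk11Install_SetErrorHandler(install_error);
		errcode = Pk11Install_DoInstall(jarFile, installDir, tempDir,
						PR_STDOUT, force, nocertdb);
		break;
	case LIST_COMMAND:
		if(moduleName) {
			errcode = ListModule(moduleName);
		} else {
			errcode = ListModules();
		}
		break;
	case UNDEFAULT_COMMAND:
		errcode = UnsetDefaultModule(moduleName, slotName, mechanisms);
		break;
	default:
		PR_fprintf(PR_STDERR, "This command is not supported yet.\n");
		errcode = INVALID_USAGE_ERR;
		break;
	}

loser:
	PR_Cleanup();
	return errcode;
}

/************************************************************************
 *
 * i n s t a l l _ e r r o r
 *
 * Callback function to handle errors in PK11 JAR file installation.
 * The message is printed through a literal "%s" format, so its contents
 * are never interpreted as a format string.
 */
static void
install_error(char *message)
{
	PR_fprintf(PR_STDERR, "Install error: %s\n", message);
}

/*************************************************************************
 *
 * o u t _ o f _ m e m o r y
 *
 * Prints the out-of-memory message and terminates the process with
 * OUT_OF_MEM_ERR as exit status.  Does not return and does not call
 * PR_Cleanup().
 */
void
out_of_memory(void)
{
	PR_fprintf(PR_STDERR, errStrings[OUT_OF_MEM_ERR]);
	exit(OUT_OF_MEM_ERR);
}

/**************************************************************************
 *
 * P R _ f g e t s
 *
 * fgets implemented with NSPR.
 *
 * Reads one byte at a time from 'file' into 'buf' until a newline has been
 * stored, size-1 bytes have been stored, or end-of-file is reached, and
 * then NUL-terminates the buffer.  The newline, if read, is kept.
 *
 * Returns buf on success.  Returns NULL, as fgets does, when PR_Read
 * fails, when end-of-file is reached before any byte was read, or when
 * buf is NULL or size is not positive (in which case nothing is written).
 */
static char*
PR_fgets(char *buf, int size, PRFileDesc *file)
{
	int i;
	int status;
	char c;

	/* Without room for the terminator, buf[0] must not be touched */
	if(buf == NULL || size <= 0) {
		return NULL;
	}

	i=0;
	while(i < size-1) {
		status = PR_Read(file, (void*) &c, 1);
		if(status < 0) {
			return NULL;
		} else if(status==0) {
			/* EOF: report it unless a partial line was collected */
			if(i==0) {
				return NULL;
			}
			break;
		}
		buf[i++] = c;
		if(c=='\n') {
			break;
		}
	}
	buf[i]='\0';

	return buf;
}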
