RetroZilla/security/nss/cmd/crmftest/testcrmf.c

1711 lines
50 KiB
C
Raw Normal View History

2015-10-21 05:03:22 +02:00
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/*
* This program does 5 separate functions. By default, it does them all.
* It can be told to do any subset of them.
* It does them in this order:
*
* 1. Generate file of CRMF cert requests.
* Generates 2 keys pairs, one for signing, one for encryption.
* Can generate RSA or DSA (XXX - DSA is only useful for signing).
* Generate a cert request for each of the two public keys.
* Generate a single CRMF cert request message that requests both certs.
* Leave the generated CRMF request message in file
* configdir/CertReqMessages.der
*
* 2. Decode CRMF Request(s) Message.
* Reads in the file configdir/CertReqMessages.der
* (either generated by step 1 above, or user supplied).
* Decodes it. NOTHING MORE. Drops these decoded results on the floor.
* The CMMF response (below) contains a completely unrelated cert. :-(
*
* 3. CMMF "Stuff".
* a) Generates a CMMF response, containing a single cert chain, as if
* it was a response to a received CRMF request. But the cert is
* simply a user cert from the user's local soft token, whose
* nickname is given in the -p option. The CMMF response has no
* relationship to the request generated above. The CMMF message
* is placed in configdir/CertRepContent.der.
* b) Decodes the newly generated CMMF response found in file
* configdir/CertRepContent.der and discards the result. 8-/
* c) Generate a CMMF Key Escrow message
* needs 2 nicknames:
* It takes the public and private keys for the cert identified
* by -p nickname, and wraps them with a sym key that is in turn
* wrapped with the pubkey in the CA cert, whose nickname is
* given with the -s option.
* Store the message in configdir/KeyRecRepContent.der
* d) Decode the CMMF Key Escrow message generated just above.
* Get it from file configdir/KeyRecRepContent.der
* This is just a decoder test. Results are discarded.
*
* 4. Key Recovery
* This code does not yet compile, and what it was intended to do
* has not been fully determined.
*
* 5. Challenge/Response.
* Haven't analyzed this code yet.
*
*
*/
/* KNOWN BUGS:
** 1. generates BOTH signing and encryption cert requests, even for DSA keys.
**
** 2. Does not verify the siganture in the "Proof of Posession" in the
** decoded cert requests. It only checks syntax of the POP.
** 3. CMMF "Stuff" should be broken up into separate steps, each of
** which may be optionally selected.
*/
#include <stdio.h>
#include "nspr.h"
#include "nss.h"
#include "crmf.h"
#include "secerr.h"
#include "pk11func.h"
#include "key.h"
#include "cmmf.h"
#include "plgetopt.h"
#include "secutil.h"
#include "pk11pqg.h"
#if 0
#include "pkcs11.h"
#include "secmod.h"
#include "secmodi.h"
#include "pqggen.h"
#include "secmod.h"
#include "secmodi.h"
#include "pkcs11.h"
#include "secitem.h"
#include "secasn1.h"
#include "sechash.h"
#endif
#define MAX_KEY_LEN 512
#define PATH_LEN 150
#define BUFF_SIZE 150
#define UID_BITS 800
#define BPB 8
#define CRMF_FILE "CertReqMessages.der"
PRTime notBefore;
char *personalCert = NULL;
char *recoveryEncrypter = NULL;
char *caCertName = NULL;
static secuPWData pwdata = { PW_NONE, 0 };
char *configdir;
PRBool doingDSA = PR_FALSE;
CERTCertDBHandle *db;
typedef struct {
SECKEYPrivateKey *privKey;
SECKEYPublicKey *pubKey;
CRMFCertRequest *certReq;
CRMFCertReqMsg *certReqMsg;
} TESTKeyPair;
void
debug_test(SECItem *src, char *filePath)
{
PRFileDesc *fileDesc;
fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
0666);
if (fileDesc == NULL) {
printf ("Could not cretae file %s.\n", filePath);
return;
}
PR_Write(fileDesc, src->data, src->len);
}
SECStatus
get_serial_number(long *dest)
{
SECStatus rv;
if (dest == NULL) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
rv = PK11_GenerateRandom((unsigned char *)dest, sizeof(long));
/* make serial number positive */
if (*dest < 0L)
*dest = - *dest;
return SECSuccess;
}
PK11RSAGenParams *
GetRSAParams(void)
{
PK11RSAGenParams *rsaParams;
rsaParams = PORT_ZNew(PK11RSAGenParams);
if (rsaParams == NULL)
return NULL;
rsaParams->keySizeInBits = MAX_KEY_LEN;
rsaParams->pe = 0x10001;
return rsaParams;
}
PQGParams*
GetDSAParams(void)
{
PQGParams *params = NULL;
PQGVerify *vfy = NULL;
SECStatus rv;
rv = PK11_PQG_ParamGen(0, &params, &vfy);
if (rv != SECSuccess) {
return NULL;
}
PK11_PQG_DestroyVerify(vfy);
return params;
}
/* Generate a key pair, and then generate a subjectPublicKeyInfo
** for the public key in that pair. return all 3.
*/
CERTSubjectPublicKeyInfo *
GetSubjectPubKeyInfo(TESTKeyPair *pair)
{
CERTSubjectPublicKeyInfo *spki = NULL;
SECKEYPrivateKey *privKey = NULL;
SECKEYPublicKey *pubKey = NULL;
PK11SlotInfo *keySlot = NULL;
keySlot = PK11_GetInternalKeySlot();
PK11_Authenticate(keySlot, PR_FALSE, &pwdata);
if (!doingDSA) {
PK11RSAGenParams *rsaParams = GetRSAParams();
if (rsaParams == NULL) {
PK11_FreeSlot(keySlot);
return NULL;
}
privKey = PK11_GenerateKeyPair(keySlot, CKM_RSA_PKCS_KEY_PAIR_GEN,
(void*)rsaParams, &pubKey, PR_FALSE,
PR_FALSE, &pwdata);
} else {
PQGParams *dsaParams = GetDSAParams();
if (dsaParams == NULL) {
PK11_FreeSlot(keySlot);
return NULL;
}
privKey = PK11_GenerateKeyPair(keySlot, CKM_DSA_KEY_PAIR_GEN,
(void*)dsaParams, &pubKey, PR_FALSE,
PR_FALSE, &pwdata);
}
PK11_FreeSlot(keySlot);
if (privKey == NULL || pubKey == NULL) {
if (pubKey) {
SECKEY_DestroyPublicKey(pubKey);
}
if (privKey) {
SECKEY_DestroyPrivateKey(privKey);
}
return NULL;
}
spki = SECKEY_CreateSubjectPublicKeyInfo(pubKey);
pair->privKey = privKey;
pair->pubKey = pubKey;
return spki;
}
SECStatus
InitPKCS11(void)
{
PK11SlotInfo *keySlot;
PK11_SetPasswordFunc(SECU_GetModulePassword);
keySlot = PK11_GetInternalKeySlot();
if (PK11_NeedUserInit(keySlot) && PK11_NeedLogin(keySlot)) {
if (SECU_ChangePW(keySlot, NULL, NULL) != SECSuccess) {
printf ("Initializing the PINs failed.\n");
return SECFailure;
}
}
PK11_FreeSlot(keySlot);
return SECSuccess;
}
void
WriteItOut (void *arg, const char *buf, unsigned long len)
{
PRFileDesc *fileDesc = (PRFileDesc*)arg;
PR_Write(fileDesc, (void*)buf, len);
}
CRMFCertExtCreationInfo*
GetExtensions(void)
{
unsigned char keyUsage[4] = { 0x03, 0x02, 0x07, KU_DIGITAL_SIGNATURE };
/* What are these magic numbers? */
SECItem data = { 0, NULL, 0 };
CRMFCertExtension *extension;
CRMFCertExtCreationInfo *extInfo =
PORT_ZNew(CRMFCertExtCreationInfo);
data.data = keyUsage;
data.len = sizeof keyUsage;
extension =
CRMF_CreateCertExtension(SEC_OID_X509_KEY_USAGE, PR_FALSE, &data);
if (extension && extInfo) {
extInfo->numExtensions = 1;
extInfo->extensions = PORT_ZNewArray(CRMFCertExtension*, 1);
extInfo->extensions[0] = extension;
}
return extInfo;
}
void
FreeExtInfo(CRMFCertExtCreationInfo *extInfo)
{
int i;
for (i=0; i<extInfo->numExtensions; i++) {
CRMF_DestroyCertExtension(extInfo->extensions[i]);
}
PORT_Free(extInfo->extensions);
PORT_Free(extInfo);
}
int
InjectCertName( CRMFCertRequest * certReq,
CRMFCertTemplateField inTemplateField,
const char * inNameString)
{
char * nameStr;
CERTName * name;
int irv = 0;
nameStr = PORT_Strdup(inNameString);
if (!nameStr)
return 5;
name = CERT_AsciiToName(nameStr);
if (name == NULL) {
printf ("Could not create CERTName structure from %s.\n", nameStr);
irv = 5;
goto finish;
}
irv = CRMF_CertRequestSetTemplateField(certReq, inTemplateField, (void*)name);
if (irv != SECSuccess) {
printf ("Could not add name to cert template\n");
irv = 6;
}
finish:
PORT_Free(nameStr);
if (name)
CERT_DestroyName(name);
return irv;
}
int
CreateCertRequest(TESTKeyPair *pair, long inRequestID)
{
CERTCertificate * caCert;
CERTSubjectPublicKeyInfo *spki;
CRMFCertExtCreationInfo * extInfo;
CRMFCertRequest * certReq;
CRMFEncryptedKey * encKey;
CRMFPKIArchiveOptions * pkiArchOpt;
SECAlgorithmID * algID;
long serialNumber;
long version = 3;
SECStatus rv;
CRMFValidityCreationInfo validity;
unsigned char UIDbuf[UID_BITS / BPB];
SECItem issuerUID = { siBuffer, NULL, 0 };
SECItem subjectUID = { siBuffer, NULL, 0 };
/* len in bits */
issuerUID.data = UIDbuf;
issuerUID.len = UID_BITS;
subjectUID.data = UIDbuf;
subjectUID.len = UID_BITS;
pair->certReq = NULL;
certReq = CRMF_CreateCertRequest(inRequestID);
if (certReq == NULL) {
printf ("Could not initialize a certificate request.\n");
return 1;
}
/* set to version 3 */
rv = CRMF_CertRequestSetTemplateField(certReq, crmfVersion,
(void*)(&version));
if (rv != SECSuccess) {
printf("Could not add the version number to the "
"Certificate Request.\n");
CRMF_DestroyCertRequest(certReq);
return 2;
}
/* set serial number */
if (get_serial_number(&serialNumber) != SECSuccess) {
printf ("Could not generate a serial number for cert request.\n");
CRMF_DestroyCertRequest(certReq);
return 3;
}
rv = CRMF_CertRequestSetTemplateField (certReq, crmfSerialNumber,
(void*)(&serialNumber));
if (rv != SECSuccess) {
printf ("Could not add serial number to certificate template\n.");
CRMF_DestroyCertRequest(certReq);
return 4;
}
/* Set issuer name */
rv = InjectCertName(certReq, crmfIssuer,
"CN=mozilla CA Shack,O=Information Systems");
if (rv) {
printf ("Could not add issuer to cert template\n");
CRMF_DestroyCertRequest(certReq);
return 5;
}
/* Set Subject Name */
rv = InjectCertName(certReq, crmfSubject,
"CN=mozilla CA Shack ID,O=Engineering,C=US");
if (rv) {
printf ("Could not add Subject to cert template\n");
CRMF_DestroyCertRequest(certReq);
return 5;
}
/* Set Algorithm ID */
algID = PK11_CreatePBEAlgorithmID(SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC,
1, NULL);
if (algID == NULL) {
printf ("Couldn't create algorithm ID\n");
CRMF_DestroyCertRequest(certReq);
return 9;
}
rv = CRMF_CertRequestSetTemplateField(certReq, crmfSigningAlg, (void*)algID);
SECOID_DestroyAlgorithmID(algID, PR_TRUE);
if (rv != SECSuccess) {
printf ("Could not add the signing algorithm to the cert template.\n");
CRMF_DestroyCertRequest(certReq);
return 10;
}
/* Set Validity Dates */
validity.notBefore = &notBefore;
validity.notAfter = NULL;
notBefore = PR_Now();
rv = CRMF_CertRequestSetTemplateField(certReq, crmfValidity,(void*)(&validity));
if (rv != SECSuccess) {
printf ("Could not add validity to cert template\n");
CRMF_DestroyCertRequest(certReq);
return 11;
}
/* Generate a key pair and Add the spki to the request */
spki = GetSubjectPubKeyInfo(pair);
if (spki == NULL) {
printf ("Could not create a Subject Public Key Info to add\n");
CRMF_DestroyCertRequest(certReq);
return 12;
}
rv = CRMF_CertRequestSetTemplateField(certReq, crmfPublicKey, (void*)spki);
SECKEY_DestroySubjectPublicKeyInfo(spki);
if (rv != SECSuccess) {
printf ("Could not add the public key to the template\n");
CRMF_DestroyCertRequest(certReq);
return 13;
}
/* Set the requested isser Unique ID */
PK11_GenerateRandom(UIDbuf, sizeof UIDbuf);
CRMF_CertRequestSetTemplateField(certReq,crmfIssuerUID, (void*)&issuerUID);
/* Set the requested Subject Unique ID */
PK11_GenerateRandom(UIDbuf, sizeof UIDbuf);
CRMF_CertRequestSetTemplateField(certReq,crmfSubjectUID, (void*)&subjectUID);
/* Add extensions - XXX need to understand these magic numbers */
extInfo = GetExtensions();
CRMF_CertRequestSetTemplateField(certReq, crmfExtension, (void*)extInfo);
FreeExtInfo(extInfo);
/* get the recipient CA's cert */
caCert = CERT_FindCertByNickname(db, caCertName);
if (caCert == NULL) {
printf ("Could not find the certificate for %s\n", caCertName);
CRMF_DestroyCertRequest(certReq);
return 50;
}
encKey = CRMF_CreateEncryptedKeyWithEncryptedValue(pair->privKey, caCert);
CERT_DestroyCertificate(caCert);
if (encKey == NULL) {
printf ("Could not create Encrypted Key with Encrypted Value.\n");
return 14;
}
pkiArchOpt = CRMF_CreatePKIArchiveOptions(crmfEncryptedPrivateKey, encKey);
CRMF_DestroyEncryptedKey(encKey);
if (pkiArchOpt == NULL) {
printf ("Could not create PKIArchiveOptions.\n");
return 15;
}
rv = CRMF_CertRequestSetPKIArchiveOptions(certReq, pkiArchOpt);
CRMF_DestroyPKIArchiveOptions(pkiArchOpt);
if (rv != SECSuccess) {
printf ("Could not add the PKIArchiveControl to Cert Request.\n");
return 16;
}
pair->certReq = certReq;
return 0;
}
int
Encode(CRMFCertReqMsg *inCertReq1, CRMFCertReqMsg *inCertReq2)
{
PRFileDesc *fileDesc;
SECStatus rv;
int irv = 0;
CRMFCertReqMsg *msgArr[3];
char filePath[PATH_LEN];
PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir, CRMF_FILE);
fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
0666);
if (fileDesc == NULL) {
printf ("Could not open file %s\n", filePath);
irv = 14;
goto finish;
}
msgArr[0] = inCertReq1;
msgArr[1] = inCertReq2;
msgArr[2] = NULL;
rv = CRMF_EncodeCertReqMessages(msgArr, WriteItOut, (void*)fileDesc);
if (rv != SECSuccess) {
printf ("An error occurred while encoding.\n");
irv = 15;
}
finish:
PR_Close(fileDesc);
return irv;
}
int
AddProofOfPossession(TESTKeyPair *pair,
CRMFPOPChoice inPOPChoice)
{
switch(inPOPChoice){
case crmfSignature:
CRMF_CertReqMsgSetSignaturePOP(pair->certReqMsg, pair->privKey,
pair->pubKey, NULL, NULL, &pwdata);
break;
case crmfRAVerified:
CRMF_CertReqMsgSetRAVerifiedPOP(pair->certReqMsg);
break;
case crmfKeyEncipherment:
CRMF_CertReqMsgSetKeyEnciphermentPOP(pair->certReqMsg,
crmfSubsequentMessage,
crmfChallengeResp, NULL);
break;
case crmfKeyAgreement:
{
SECItem pendejo;
unsigned char lame[] = { 0xf0, 0x0f, 0xf0, 0x0f, 0xf0 };
pendejo.data = lame;
pendejo.len = 5;
CRMF_CertReqMsgSetKeyAgreementPOP(pair->certReqMsg, crmfThisMessage,
crmfNoSubseqMess, &pendejo);
}
break;
default:
return 1;
}
return 0;
}
int
Decode(void)
{
PRFileDesc *fileDesc;
CRMFCertReqMsg *certReqMsg;
CRMFCertRequest *certReq;
CRMFCertReqMessages *certReqMsgs;
SECStatus rv;
int numMsgs, i;
long lame;
CRMFGetValidity validity = {NULL, NULL};
SECItem item = { siBuffer, NULL, 0 };
char filePath[PATH_LEN];
PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir, CRMF_FILE);
fileDesc = PR_Open(filePath, PR_RDONLY, 0644);
if (fileDesc == NULL) {
printf ("Could not open file %s\n", filePath);
return 214;
}
rv = SECU_FileToItem(&item, fileDesc);
PR_Close(fileDesc);
if (rv != SECSuccess) {
return 215;
}
certReqMsgs = CRMF_CreateCertReqMessagesFromDER((char *)item.data, item.len);
if (certReqMsgs == NULL) {
printf ("Error decoding CertReqMessages.\n");
return 202;
}
numMsgs = CRMF_CertReqMessagesGetNumMessages(certReqMsgs);
if (numMsgs <= 0) {
printf ("WARNING: The DER contained %d messages.\n", numMsgs);
}
for (i=0; i < numMsgs; i++) {
SECStatus rv;
printf("crmftest: Processing cert request %d\n", i);
certReqMsg = CRMF_CertReqMessagesGetCertReqMsgAtIndex(certReqMsgs, i);
if (certReqMsg == NULL) {
printf ("ERROR: Could not access the message at index %d of %s\n",
i, filePath);
}
rv = CRMF_CertReqMsgGetID(certReqMsg, &lame);
if (rv) {
SECU_PrintError("crmftest", "CRMF_CertReqMsgGetID");
}
certReq = CRMF_CertReqMsgGetCertRequest(certReqMsg);
if (!certReq) {
SECU_PrintError("crmftest", "CRMF_CertReqMsgGetCertRequest");
}
rv = CRMF_CertRequestGetCertTemplateValidity(certReq, &validity);
if (rv) {
SECU_PrintError("crmftest", "CRMF_CertRequestGetCertTemplateValidity");
}
if (!validity.notBefore) {
/* We encoded a notBefore, so somthing's wrong if it's not here. */
printf("ERROR: Validity period notBefore date missing.\n");
}
/* XXX It's all parsed now. We probably should DO SOMETHING with it.
** But nope. We just throw it all away.
** Maybe this was intended to be no more than a decoder test.
*/
CRMF_DestroyGetValidity(&validity);
CRMF_DestroyCertRequest(certReq);
CRMF_DestroyCertReqMsg(certReqMsg);
}
CRMF_DestroyCertReqMessages(certReqMsgs);
SECITEM_FreeItem(&item, PR_FALSE);
return 0;
}
int
GetBitsFromFile(const char *filePath, SECItem *item)
{
PRFileDesc *fileDesc;
SECStatus rv;
fileDesc = PR_Open(filePath, PR_RDONLY, 0644);
if (fileDesc == NULL) {
printf ("Could not open file %s\n", filePath);
return 14;
}
rv = SECU_FileToItem(item, fileDesc);
PR_Close(fileDesc);
if (rv != SECSuccess) {
item->data = NULL;
item->len = 0;
return 15;
}
return 0;
}
int
DecodeCMMFCertRepContent(char *derFile)
{
CMMFCertRepContent *certRepContent;
int irv = 0;
SECItem fileBits = { siBuffer, NULL, 0 };
GetBitsFromFile(derFile, &fileBits);
if (fileBits.data == NULL) {
printf("Could not get bits from file %s\n", derFile);
return 304;
}
certRepContent = CMMF_CreateCertRepContentFromDER(db,
(char*)fileBits.data, fileBits.len);
if (certRepContent == NULL) {
printf ("Error while decoding %s\n", derFile);
irv = 303;
} else {
/* That was fun. Now, let's throw it away! */
CMMF_DestroyCertRepContent(certRepContent);
}
SECITEM_FreeItem(&fileBits, PR_FALSE);
return irv;
}
int
EncodeCMMFCertReply(const char *filePath,
CERTCertificate *cert,
CERTCertList *list)
{
int rv = 0;
SECStatus srv;
PRFileDesc *fileDesc = NULL;
CMMFCertRepContent *certRepContent = NULL;
CMMFCertResponse *certResp = NULL;
CMMFCertResponse *certResponses[3];
certResp = CMMF_CreateCertResponse(0xff123);
CMMF_CertResponseSetPKIStatusInfoStatus(certResp, cmmfGranted);
CMMF_CertResponseSetCertificate(certResp, cert);
certResponses[0] = certResp;
certResponses[1] = NULL;
certResponses[2] = NULL;
certRepContent = CMMF_CreateCertRepContent();
CMMF_CertRepContentSetCertResponses(certRepContent, certResponses, 1);
CMMF_CertRepContentSetCAPubs(certRepContent, list);
fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
0666);
if (fileDesc == NULL) {
printf ("Could not open file %s\n", filePath);
rv = 400;
goto finish;
}
srv = CMMF_EncodeCertRepContent(certRepContent, WriteItOut,
(void*)fileDesc);
PR_Close(fileDesc);
if (srv != SECSuccess) {
printf ("CMMF_EncodeCertRepContent failed,\n");
rv = 401;
}
finish:
if (certRepContent) {
CMMF_DestroyCertRepContent(certRepContent);
}
if (certResp) {
CMMF_DestroyCertResponse(certResp);
}
return rv;
}
/* Extract the public key from the cert whose nickname is given. */
int
extractPubKeyFromNamedCert(const char * nickname, SECKEYPublicKey **pPubKey)
{
CERTCertificate *caCert = NULL;
SECKEYPublicKey *caPubKey = NULL;
int rv = 0;
caCert = CERT_FindCertByNickname(db, (char *)nickname);
if (caCert == NULL) {
printf ("Could not get the certifcate for %s\n", caCertName);
rv = 411;
goto finish;
}
caPubKey = CERT_ExtractPublicKey(caCert);
if (caPubKey == NULL) {
printf ("Could not extract the public from the "
"certificate for \n%s\n", caCertName);
rv = 412;
}
finish:
*pPubKey = caPubKey;
CERT_DestroyCertificate(caCert);
caCert = NULL;
return rv;
}
int
EncodeCMMFRecoveryMessage(const char * filePath,
CERTCertificate *cert,
CERTCertList *list)
{
SECKEYPublicKey *caPubKey = NULL;
SECKEYPrivateKey *privKey = NULL;
CMMFKeyRecRepContent *repContent = NULL;
PRFileDesc *fileDesc;
int rv = 0;
SECStatus srv;
/* Extract the public key from the cert whose nickname is given in
** the -s option.
*/
rv = extractPubKeyFromNamedCert( caCertName, &caPubKey);
if (rv)
goto finish;
repContent = CMMF_CreateKeyRecRepContent();
if (repContent == NULL) {
printf ("Could not allocate a CMMFKeyRecRepContent structure\n");
rv = 407;
goto finish;
}
srv = CMMF_KeyRecRepContentSetPKIStatusInfoStatus(repContent,
cmmfGrantedWithMods);
if (srv != SECSuccess) {
printf ("Error trying to set PKIStatusInfo for "
"CMMFKeyRecRepContent.\n");
rv = 406;
goto finish;
}
srv = CMMF_KeyRecRepContentSetNewSignCert(repContent, cert);
if (srv != SECSuccess) {
printf ("Error trying to set the new signing certificate for "
"key recovery\n");
rv = 408;
goto finish;
}
srv = CMMF_KeyRecRepContentSetCACerts(repContent, list);
if (srv != SECSuccess) {
printf ("Errory trying to add the list of CA certs to the "
"CMMFKeyRecRepContent structure.\n");
rv = 409;
goto finish;
}
privKey = PK11_FindKeyByAnyCert(cert, &pwdata);
if (privKey == NULL) {
printf ("Could not get the private key associated with the\n"
"certificate %s\n", personalCert);
rv = 410;
goto finish;
}
srv = CMMF_KeyRecRepContentSetCertifiedKeyPair(repContent, cert, privKey,
caPubKey);
if (srv != SECSuccess) {
printf ("Could not set the Certified Key Pair\n");
rv = 413;
goto finish;
}
fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
0666);
if (fileDesc == NULL) {
printf ("Could not open file %s\n", filePath);
rv = 414;
goto finish;
}
srv = CMMF_EncodeKeyRecRepContent(repContent, WriteItOut,
(void*)fileDesc);
PR_Close(fileDesc);
if (srv != SECSuccess) {
printf ("CMMF_EncodeKeyRecRepContent failed\n");
rv = 415;
}
finish:
if (privKey)
SECKEY_DestroyPrivateKey(privKey);
if (caPubKey)
SECKEY_DestroyPublicKey(caPubKey);
if (repContent)
CMMF_DestroyKeyRecRepContent(repContent);
return rv;
}
int
decodeCMMFRecoveryMessage(const char * filePath)
{
CMMFKeyRecRepContent *repContent = NULL;
int rv = 0;
SECItem fileBits = { siBuffer, NULL, 0 };
GetBitsFromFile(filePath, &fileBits);
if (!fileBits.len) {
rv = 451;
goto finish;
}
repContent =
CMMF_CreateKeyRecRepContentFromDER(db, (const char *) fileBits.data,
fileBits.len);
if (repContent == NULL) {
printf ("ERROR: CMMF_CreateKeyRecRepContentFromDER failed on file:\n"
"\t%s\n", filePath);
rv = 452;
}
finish:
if (repContent) {
CMMF_DestroyKeyRecRepContent(repContent);
}
SECITEM_FreeItem(&fileBits, PR_FALSE);
return rv;
}
int
DoCMMFStuff(void)
{
CERTCertificate *cert = NULL;
CERTCertList *list = NULL;
int rv = 0;
char filePath[PATH_LEN];
/* Do common setup for the following steps.
*/
PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir, "CertRepContent.der");
cert = CERT_FindCertByNickname(db, personalCert);
if (cert == NULL) {
printf ("Could not find the certificate for %s\n", personalCert);
rv = 416;
goto finish;
}
list = CERT_GetCertChainFromCert(cert, PR_Now(), certUsageEmailSigner);
if (list == NULL) {
printf ("Could not find the certificate chain for %s\n", personalCert);
rv = 418;
goto finish;
}
/* a) Generate the CMMF response message, using a user cert named
** by -p option, rather than a cert generated from the CRMF
** request itself. The CMMF message is placed in
** configdir/CertRepContent.der.
*/
rv = EncodeCMMFCertReply(filePath, cert, list);
if (rv != 0) {
goto finish;
}
/* b) Decode the CMMF Cert granting message encoded just above,
** found in configdir/CertRepContent.der.
** This only tests the decoding. The decoded content is discarded.
*/
rv = DecodeCMMFCertRepContent(filePath);
if (rv != 0) {
goto finish;
}
/* c) Generate a CMMF Key Excrow message
** It takes the public and private keys for the cert identified
** by -p nickname, and wraps them with a sym key that is in turn
** wrapped with the pubkey in the CA cert, whose nickname is
** given by the -s option.
** Store the message in configdir/KeyRecRepContent.der
*/
PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir,
"KeyRecRepContent.der");
rv = EncodeCMMFRecoveryMessage(filePath, cert, list);
if (rv)
goto finish;
/* d) Decode the CMMF Key Excrow message generated just above.
** Get it from file configdir/KeyRecRepContent.der
** This is just a decoder test. Results are discarded.
*/
rv = decodeCMMFRecoveryMessage(filePath);
finish:
if (cert) {
CERT_DestroyCertificate(cert);
}
if (list) {
CERT_DestroyCertList(list);
}
return rv;
}
static CK_MECHANISM_TYPE
mapWrapKeyType(KeyType keyType)
{
switch (keyType) {
case rsaKey:
return CKM_RSA_PKCS;
default:
break;
}
return CKM_INVALID_MECHANISM;
}
#define KNOWN_MESSAGE_LENGTH 20 /*160 bits*/
int
DoKeyRecovery( SECKEYPrivateKey *privKey)
{
#ifdef DOING_KEY_RECOVERY /* Doesn't compile yet. */
SECKEYPublicKey *pubKey;
PK11SlotInfo *slot;
unsigned char *ciphertext;
unsigned char *text_compared;
SECKEYPrivateKey *unwrappedPrivKey;
SECKEYPrivateKey *caPrivKey;
CMMFKeyRecRepContent *keyRecRep;
CMMFCertifiedKeyPair *certKeyPair;
CERTCertificate *caCert;
CERTCertificate *myCert;
SECKEYPublicKey *caPubKey;
PRFileDesc *fileDesc;
CK_ULONG max_bytes_encrypted;
CK_ULONG bytes_encrypted;
CK_ULONG bytes_compared;
CK_ULONG bytes_decrypted;
CK_RV crv;
CK_OBJECT_HANDLE id;
CK_MECHANISM mech = { CKM_INVALID_MECHANISM, NULL, 0};
SECStatus rv;
SECItem fileBits;
SECItem nickname;
unsigned char plaintext[KNOWN_MESSAGE_LENGTH];
char filePath[PATH_LEN];
static const unsigned char known_message[] = { "Known Crypto Message" };
/*caCert = CERT_FindCertByNickname(db, caCertName);*/
myCert = CERT_FindCertByNickname(db, personalCert);
if (myCert == NULL) {
printf ("Could not find the certificate for %s\n", personalCert);
return 700;
}
caCert = CERT_FindCertByNickname(db, recoveryEncrypter);
if (caCert == NULL) {
printf ("Could not find the certificate for %s\n", recoveryEncrypter);
return 701;
}
caPubKey = CERT_ExtractPublicKey(caCert);
pubKey = SECKEY_ConvertToPublicKey(privKey);
max_bytes_encrypted = PK11_GetPrivateModulusLen(privKey);
slot = PK11_GetBestSlot(mapWrapKeyType(privKey->keyType), NULL);
id = PK11_ImportPublicKey(slot, pubKey, PR_FALSE);
switch(privKey->keyType) {
case rsaKey:
mech.mechanism = CKM_RSA_PKCS;
break;
case dsaKey:
mech.mechanism = CKM_DSA;
break;
case dhKey:
mech.mechanism = CKM_DH_PKCS_DERIVE;
break;
default:
printf ("Bad Key type in key recovery.\n");
return 512;
}
PK11_EnterSlotMonitor(slot);
crv = PK11_GETTAB(slot)->C_EncryptInit(slot->session, &mech, id);
if (crv != CKR_OK) {
PK11_ExitSlotMonitor(slot);
PK11_FreeSlot(slot);
printf ("C_EncryptInit failed in KeyRecovery\n");
return 500;
}
ciphertext = PORT_NewArray(unsigned char, max_bytes_encrypted);
if (ciphertext == NULL) {
PK11_ExitSlotMonitor(slot);
PK11_FreeSlot(slot);
printf ("Could not allocate memory for ciphertext.\n");
return 501;
}
bytes_encrypted = max_bytes_encrypted;
crv = PK11_GETTAB(slot)->C_Encrypt(slot->session,
known_message,
KNOWN_MESSAGE_LENGTH,
ciphertext,
&bytes_encrypted);
PK11_ExitSlotMonitor(slot);
PK11_FreeSlot(slot);
if (crv != CKR_OK) {
PORT_Free(ciphertext);
return 502;
}
/* Always use the smaller of these two values . . . */
bytes_compared = ( bytes_encrypted > KNOWN_MESSAGE_LENGTH )
? KNOWN_MESSAGE_LENGTH
: bytes_encrypted;
/* If there was a failure, the plaintext */
/* goes at the end, therefore . . . */
text_compared = ( bytes_encrypted > KNOWN_MESSAGE_LENGTH )
? (ciphertext + bytes_encrypted -
KNOWN_MESSAGE_LENGTH )
: ciphertext;
keyRecRep = CMMF_CreateKeyRecRepContent();
if (keyRecRep == NULL) {
PORT_Free(ciphertext);
PK11_FreeSlot(slot);
CMMF_DestroyKeyRecRepContent(keyRecRep);
printf ("Could not allocate a CMMFKeyRecRepContent structre.\n");
return 503;
}
rv = CMMF_KeyRecRepContentSetPKIStatusInfoStatus(keyRecRep,
cmmfGranted);
if (rv != SECSuccess) {
PORT_Free(ciphertext);
PK11_FreeSlot(slot);
CMMF_DestroyKeyRecRepContent(keyRecRep);
printf ("Could not set the status for the KeyRecRepContent\n");
return 504;
}
/* The myCert here should correspond to the certificate corresponding
* to the private key, but for this test any certificate will do.
*/
rv = CMMF_KeyRecRepContentSetCertifiedKeyPair(keyRecRep, myCert,
privKey, caPubKey);
if (rv != SECSuccess) {
PORT_Free(ciphertext);
PK11_FreeSlot(slot);
CMMF_DestroyKeyRecRepContent(keyRecRep);
printf ("Could not set the Certified Key Pair\n");
return 505;
}
PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir,
"KeyRecRepContent.der");
fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
0666);
if (fileDesc == NULL) {
PORT_Free(ciphertext);
PK11_FreeSlot(slot);
CMMF_DestroyKeyRecRepContent(keyRecRep);
printf ("Could not open file %s\n", filePath);
return 506;
}
rv = CMMF_EncodeKeyRecRepContent(keyRecRep, WriteItOut, fileDesc);
CMMF_DestroyKeyRecRepContent(keyRecRep);
PR_Close(fileDesc);
if (rv != SECSuccess) {
PORT_Free(ciphertext);
PK11_FreeSlot(slot);
printf ("Error while encoding CMMFKeyRecRepContent\n");
return 507;
}
GetBitsFromFile(filePath, &fileBits);
if (fileBits.data == NULL) {
PORT_Free(ciphertext);
PK11_FreeSlot(slot);
printf ("Could not get the bits from file %s\n", filePath);
return 508;
}
keyRecRep =
CMMF_CreateKeyRecRepContentFromDER(db,(const char*)fileBits.data,
fileBits.len);
if (keyRecRep == NULL) {
printf ("Could not decode the KeyRecRepContent in file %s\n",
filePath);
PORT_Free(ciphertext);
PK11_FreeSlot(slot);
return 509;
}
caPrivKey = PK11_FindKeyByAnyCert(caCert, &pwdata);
if (CMMF_KeyRecRepContentGetPKIStatusInfoStatus(keyRecRep) !=
cmmfGranted) {
PORT_Free(ciphertext);
PK11_FreeSlot(slot);
CMMF_DestroyKeyRecRepContent(keyRecRep);
printf ("A bad status came back with the "
"KeyRecRepContent structure\n");
return 510;
}
#define NICKNAME "Key Recovery Test Key"
nickname.data = (unsigned char*)NICKNAME;
nickname.len = PORT_Strlen(NICKNAME);
certKeyPair = CMMF_KeyRecRepContentGetCertKeyAtIndex(keyRecRep, 0);
CMMF_DestroyKeyRecRepContent(keyRecRep);
rv = CMMF_CertifiedKeyPairUnwrapPrivKey(certKeyPair,
caPrivKey,
&nickname,
PK11_GetInternalKeySlot(),
db,
&unwrappedPrivKey, &pwdata);
CMMF_DestroyCertifiedKeyPair(certKeyPair);
if (rv != SECSuccess) {
printf ("Unwrapping the private key failed.\n");
return 511;
}
/*Now let's try to decrypt the ciphertext with the "recovered" key*/
PK11_EnterSlotMonitor(slot);
crv =
PK11_GETTAB(slot)->C_DecryptInit(unwrappedPrivKey->pkcs11Slot->session,
&mech,
unwrappedPrivKey->pkcs11ID);
if (crv != CKR_OK) {
PK11_ExitSlotMonitor(slot);
PORT_Free(ciphertext);
PK11_FreeSlot(slot);
printf ("Decrypting with the recovered key failed.\n");
return 513;
}
bytes_decrypted = KNOWN_MESSAGE_LENGTH;
crv = PK11_GETTAB(slot)->C_Decrypt(unwrappedPrivKey->pkcs11Slot->session,
ciphertext,
bytes_encrypted, plaintext,
&bytes_decrypted);
SECKEY_DestroyPrivateKey(unwrappedPrivKey);
PK11_ExitSlotMonitor(slot);
PORT_Free(ciphertext);
if (crv != CKR_OK) {
PK11_FreeSlot(slot);
printf ("Decrypting the ciphertext with recovered key failed.\n");
return 514;
}
if ((bytes_decrypted != KNOWN_MESSAGE_LENGTH) ||
(PORT_Memcmp(plaintext, known_message, KNOWN_MESSAGE_LENGTH) != 0)) {
PK11_FreeSlot(slot);
printf ("The recovered plaintext does not equal the known message:\n"
"\tKnown message: %s\n"
"\tRecovered plaintext: %s\n", known_message, plaintext);
return 515;
}
#endif
return 0;
}
int
DoChallengeResponse(SECKEYPrivateKey *privKey,
SECKEYPublicKey *pubKey)
{
CMMFPOPODecKeyChallContent *chalContent = NULL;
CMMFPOPODecKeyRespContent *respContent = NULL;
CERTCertificate *myCert = NULL;
CERTGeneralName *myGenName = NULL;
PRArenaPool *poolp = NULL;
PRFileDesc *fileDesc;
SECItem *publicValue;
SECItem *keyID;
SECKEYPrivateKey *foundPrivKey;
long *randomNums;
int numChallengesFound = 0;
int numChallengesSet = 1;
int i;
long retrieved;
SECStatus rv;
SECItem DecKeyChallBits;
char filePath[PATH_LEN];
chalContent = CMMF_CreatePOPODecKeyChallContent();
myCert = CERT_FindCertByNickname(db, personalCert);
if (myCert == NULL) {
printf ("Could not find the certificate for %s\n", personalCert);
return 900;
}
poolp = PORT_NewArena(1024);
if (poolp == NULL) {
printf("Could no allocate a new arena in DoChallengeResponse\n");
return 901;
}
myGenName = CERT_GetCertificateNames(myCert, poolp);
if (myGenName == NULL) {
printf ("Could not get the general names for %s certificate\n",
personalCert);
return 902;
}
randomNums = PORT_ArenaNewArray(poolp,long, numChallengesSet);
PK11_GenerateRandom((unsigned char *)randomNums,
numChallengesSet * sizeof(long));
for (i=0; i<numChallengesSet; i++) {
rv = CMMF_POPODecKeyChallContentSetNextChallenge(chalContent,
randomNums[i],
myGenName,
pubKey,
&pwdata);
if (rv != SECSuccess) {
printf ("Could not set the challenge in DoChallengeResponse\n");
return 903;
}
}
PR_snprintf(filePath, PATH_LEN, "%s/POPODecKeyChallContent.der",
configdir);
fileDesc = PR_Open(filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
0666);
if (fileDesc == NULL) {
printf ("Could not open file %s\n", filePath);
return 904;
}
rv = CMMF_EncodePOPODecKeyChallContent(chalContent,WriteItOut,
(void*)fileDesc);
PR_Close(fileDesc);
CMMF_DestroyPOPODecKeyChallContent(chalContent);
if (rv != SECSuccess) {
printf ("Could not encode the POPODecKeyChallContent.\n");
return 905;
}
GetBitsFromFile(filePath, &DecKeyChallBits);
chalContent = CMMF_CreatePOPODecKeyChallContentFromDER
((const char*)DecKeyChallBits.data, DecKeyChallBits.len);
SECITEM_FreeItem(&DecKeyChallBits, PR_FALSE);
if (chalContent == NULL) {
printf ("Could not create the POPODecKeyChallContent from DER\n");
return 906;
}
numChallengesFound =
CMMF_POPODecKeyChallContentGetNumChallenges(chalContent);
if (numChallengesFound != numChallengesSet) {
printf ("Number of Challenges Found (%d) does not equal the number "
"set (%d)\n", numChallengesFound, numChallengesSet);
return 907;
}
for (i=0; i<numChallengesSet; i++) {
publicValue = CMMF_POPODecKeyChallContentGetPublicValue(chalContent, i);
if (publicValue == NULL) {
printf("Could not get the public value for challenge at index %d\n",
i);
return 908;
}
keyID = PK11_MakeIDFromPubKey(publicValue);
if (keyID == NULL) {
printf ("Could not make the keyID from the public value\n");
return 909;
}
foundPrivKey = PK11_FindKeyByKeyID(privKey->pkcs11Slot, keyID, &pwdata);
if (foundPrivKey == NULL) {
printf ("Could not find the private key corresponding to the public"
" value.\n");
return 910;
}
rv = CMMF_POPODecKeyChallContDecryptChallenge(chalContent, i,
foundPrivKey);
if (rv != SECSuccess) {
printf ("Could not decrypt the challenge at index %d\n", i);
return 911;
}
rv = CMMF_POPODecKeyChallContentGetRandomNumber(chalContent, i,
&retrieved);
if (rv != SECSuccess) {
printf ("Could not get the random number from the challenge at "
"index %d\n", i);
return 912;
}
if (retrieved != randomNums[i]) {
printf ("Retrieved the number (%ld), expected (%ld)\n", retrieved,
randomNums[i]);
return 913;
}
}
CMMF_DestroyPOPODecKeyChallContent(chalContent);
PR_snprintf(filePath, PATH_LEN, "%s/POPODecKeyRespContent.der",
configdir);
fileDesc = PR_Open(filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
0666);
if (fileDesc == NULL) {
printf ("Could not open file %s\n", filePath);
return 914;
}
rv = CMMF_EncodePOPODecKeyRespContent(randomNums, numChallengesSet,
WriteItOut, fileDesc);
PR_Close(fileDesc);
if (rv != 0) {
printf ("Could not encode the POPODecKeyRespContent\n");
return 915;
}
GetBitsFromFile(filePath, &DecKeyChallBits);
respContent =
CMMF_CreatePOPODecKeyRespContentFromDER((const char*)DecKeyChallBits.data,
DecKeyChallBits.len);
if (respContent == NULL) {
printf ("Could not decode the contents of the file %s\n", filePath);
return 916;
}
numChallengesFound =
CMMF_POPODecKeyRespContentGetNumResponses(respContent);
if (numChallengesFound != numChallengesSet) {
printf ("Number of responses found (%d) does not match the number "
"of challenges set (%d)\n",
numChallengesFound, numChallengesSet);
return 917;
}
for (i=0; i<numChallengesSet; i++) {
rv = CMMF_POPODecKeyRespContentGetResponse(respContent, i, &retrieved);
if (rv != SECSuccess) {
printf ("Could not retrieve the response at index %d\n", i);
return 918;
}
if (retrieved != randomNums[i]) {
printf ("Retrieved the number (%ld), expected (%ld)\n", retrieved,
randomNums[i]);
return 919;
}
}
CMMF_DestroyPOPODecKeyRespContent(respContent);
return 0;
}
int
MakeCertRequest(TESTKeyPair *pair, CRMFPOPChoice inPOPChoice, long inRequestID)
{
int irv;
/* Generate a key pair and a cert request for it. */
irv = CreateCertRequest(pair, inRequestID);
if (irv != 0 || pair->certReq == NULL) {
goto loser;
}
pair->certReqMsg = CRMF_CreateCertReqMsg();
if (!pair->certReqMsg) {
irv = 999;
goto loser;
}
/* copy certReq into certReqMsg */
CRMF_CertReqMsgSetCertRequest(pair->certReqMsg, pair->certReq);
irv = AddProofOfPossession(pair, inPOPChoice);
loser:
return irv;
}
int
DestroyPairReqAndMsg(TESTKeyPair *pair)
{
SECStatus rv = SECSuccess;
int irv = 0;
if (pair->certReq) {
rv = CRMF_DestroyCertRequest(pair->certReq);
pair->certReq = NULL;
if (rv != SECSuccess) {
printf ("Error when destroying cert request.\n");
irv = 100;
}
}
if (pair->certReqMsg) {
rv = CRMF_DestroyCertReqMsg(pair->certReqMsg);
pair->certReqMsg = NULL;
if (rv != SECSuccess) {
printf ("Error when destroying cert request msg.\n");
if (!irv)
irv = 101;
}
}
return irv;
}
int
DestroyPair(TESTKeyPair *pair)
{
int irv = 0;
if (pair->pubKey) {
SECKEY_DestroyPublicKey(pair->pubKey);
pair->pubKey = NULL;
}
if (pair->privKey) {
SECKEY_DestroyPrivateKey(pair->privKey);
pair->privKey = NULL;
}
DestroyPairReqAndMsg(pair);
return irv;
}
int
DoCRMFRequest(TESTKeyPair *signPair, TESTKeyPair *cryptPair)
{
int irv, tirv = 0;
/* Generate a key pair and a cert request for it. */
irv = MakeCertRequest(signPair, crmfSignature, 0x0f020304);
if (irv != 0 || signPair->certReq == NULL) {
goto loser;
}
if (!doingDSA) {
irv = MakeCertRequest(cryptPair, crmfKeyAgreement, 0x0f050607);
if (irv != 0 || cryptPair->certReq == NULL) {
goto loser;
}
}
/* encode the cert request messages into a unified request message.
** leave it in a file with a fixed name. :(
*/
irv = Encode(signPair->certReqMsg, cryptPair->certReqMsg);
loser:
if (signPair->certReq) {
tirv = DestroyPairReqAndMsg(signPair);
if (tirv && !irv)
irv = tirv;
}
if (cryptPair->certReq) {
tirv = DestroyPairReqAndMsg(cryptPair);
if (tirv && !irv)
irv = tirv;
}
return irv;
}
void
Usage (void)
{
printf ("Usage:\n"
"\tcrmftest -d [Database Directory] -p [Personal Cert]\n"
"\t -e [Encrypter] -s [CA Certificate] [-P password]\n\n"
"\t [crmf] [dsa] [decode] [cmmf] [recover] [challenge]\n"
"\t [-f password_file]\n"
"Database Directory\n"
"\tThis is the directory where the key3.db, cert7.db, and\n"
"\tsecmod.db files are located. This is also the directory\n"
"\twhere the program will place CRMF/CMMF der files\n"
"Personal Cert\n"
"\tThis is the certificate that already exists in the cert\n"
"\tdatabase to use while encoding the response. The private\n"
"\tkey associated with the certificate must also exist in the\n"
"\tkey database.\n"
"Encrypter\n"
"\tThis is the certificate to use when encrypting the the \n"
"\tkey recovery response. The private key for this cert\n"
"\tmust also be present in the key database.\n"
"CA Certificate\n"
"\tThis is the nickname of the certificate to use as the\n"
"\tCA when doing all of the encoding.\n");
}
#define TEST_MAKE_CRMF_REQ 0x0001
#define TEST_USE_DSA 0x0002
#define TEST_DECODE_CRMF_REQ 0x0004
#define TEST_DO_CMMF_STUFF 0x0008
#define TEST_KEY_RECOVERY 0x0010
#define TEST_CHALLENGE_RESPONSE 0x0020
SECStatus
parsePositionalParam(const char * arg, PRUint32 *flags)
{
if (!strcmp(arg, "crmf")) {
*flags |= TEST_MAKE_CRMF_REQ;
} else if (!strcmp(arg, "dsa")) {
*flags |= TEST_MAKE_CRMF_REQ | TEST_USE_DSA;
doingDSA = PR_TRUE;
} else if (!strcmp(arg, "decode")) {
*flags |= TEST_DECODE_CRMF_REQ;
} else if (!strcmp(arg, "cmmf")) {
*flags |= TEST_DO_CMMF_STUFF;
} else if (!strcmp(arg, "recover")) {
*flags |= TEST_KEY_RECOVERY;
} else if (!strcmp(arg, "challenge")) {
*flags |= TEST_CHALLENGE_RESPONSE;
} else {
printf("unknown positional paremeter: %s\n", arg);
return SECFailure;
}
return SECSuccess;
}
/* it's not clear, in some cases, whether the desired key is from
** the sign pair or the crypt pair, so we're guessing in some places.
** This define serves to remind us of the places where we're guessing.
*/
#define WHICH_KEY cryptPair
int
main(int argc, char **argv)
{
TESTKeyPair signPair, cryptPair;
PLOptState *optstate;
PLOptStatus status;
char *password = NULL;
char *pwfile = NULL;
int irv = 0;
PRUint32 flags = 0;
SECStatus rv;
PRBool nssInit = PR_FALSE;
PRBool pArg = PR_FALSE;
PRBool eArg = PR_FALSE;
PRBool sArg = PR_FALSE;
PRBool PArg = PR_FALSE;
memset( &signPair, 0, sizeof signPair);
memset( &cryptPair, 0, sizeof cryptPair);
printf ("\ncrmftest v1.0\n");
optstate = PL_CreateOptState(argc, argv, "d:p:e:s:P:f:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case 'd':
configdir = PORT_Strdup(optstate->value);
rv = NSS_Init(configdir);
if (rv != SECSuccess) {
printf ("NSS_Init (-d) failed\n");
return 101;
}
nssInit = PR_TRUE;
break;
case 'p':
personalCert = PORT_Strdup(optstate->value);
if (personalCert == NULL) {
printf ("-p failed\n");
return 603;
}
pArg = PR_TRUE;
break;
case 'e':
recoveryEncrypter = PORT_Strdup(optstate->value);
if (recoveryEncrypter == NULL) {
printf ("-e failed\n");
return 602;
}
eArg = PR_TRUE;
break;
case 's':
caCertName = PORT_Strdup(optstate->value);
if (caCertName == NULL) {
printf ("-s failed\n");
return 604;
}
sArg = PR_TRUE;
break;
case 'P':
password = PORT_Strdup(optstate->value);
if (password == NULL) {
printf ("-P failed\n");
return 606;
}
pwdata.source = PW_PLAINTEXT;
pwdata.data = password;
PArg = PR_TRUE;
break;
case 'f':
pwfile = PORT_Strdup(optstate->value);
if (pwfile == NULL) {
printf ("-f failed\n");
return 607;
}
pwdata.source = PW_FROMFILE;
pwdata.data = pwfile;
break;
case 0: /* positional parameter */
rv = parsePositionalParam(optstate->value, &flags);
if (rv) {
printf ("bad positional parameter.\n");
return 605;
}
break;
default:
Usage();
return 601;
}
}
PL_DestroyOptState(optstate);
if (status == PL_OPT_BAD || !nssInit) {
Usage();
return 600;
}
if (!flags)
flags = ~ TEST_USE_DSA;
db = CERT_GetDefaultCertDB();
InitPKCS11();
if (flags & TEST_MAKE_CRMF_REQ) {
printf("Generating CRMF request\n");
irv = DoCRMFRequest(&signPair, &cryptPair);
if (irv)
goto loser;
}
if (flags & TEST_DECODE_CRMF_REQ) {
printf("Decoding CRMF request\n");
irv = Decode();
if (irv != 0) {
printf("Error while decoding\n");
goto loser;
}
}
if (flags & TEST_DO_CMMF_STUFF) {
printf("Doing CMMF Stuff\n");
if ((irv = DoCMMFStuff()) != 0) {
printf ("CMMF tests failed.\n");
goto loser;
}
}
if (flags & TEST_KEY_RECOVERY) {
/* Requires some other options be set.
** Once we know exactly what hey are, test for them here.
*/
printf("Doing Key Recovery\n");
irv = DoKeyRecovery(WHICH_KEY.privKey);
if (irv != 0) {
printf ("Error doing key recovery\n");
goto loser;
}
}
if (flags & TEST_CHALLENGE_RESPONSE) {
printf("Doing Challenge / Response\n");
irv = DoChallengeResponse(WHICH_KEY.privKey, WHICH_KEY.pubKey);
if (irv != 0) {
printf ("Error doing challenge-response\n");
goto loser;
}
}
printf ("Exiting successfully!!!\n\n");
irv = 0;
loser:
DestroyPair(&signPair);
DestroyPair(&cryptPair);
rv = NSS_Shutdown();
if (rv) {
printf("NSS_Shutdown did not shutdown cleanly!\n");
}
PORT_Free(configdir);
if (irv)
printf("crmftest returning %d\n", irv);
return irv;
}