mirror of
https://github.com/rn10950/RetroZilla.git
synced 2024-11-14 11:40:13 +01:00
870 lines
20 KiB
C
870 lines
20 KiB
C
/* ***** BEGIN LICENSE BLOCK *****
|
|
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
|
*
|
|
* The contents of this file are subject to the Mozilla Public License Version
|
|
* 1.1 (the "License"); you may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
* http://www.mozilla.org/MPL/
|
|
*
|
|
* Software distributed under the License is distributed on an "AS IS" basis,
|
|
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
|
* for the specific language governing rights and limitations under the
|
|
* License.
|
|
*
|
|
* The Original Code is the Netscape security libraries.
|
|
*
|
|
* The Initial Developer of the Original Code is
|
|
* Netscape Communications Corporation.
|
|
* Portions created by the Initial Developer are Copyright (C) 1994-2000
|
|
* the Initial Developer. All Rights Reserved.
|
|
*
|
|
* Contributor(s):
|
|
*
|
|
* Alternatively, the contents of this file may be used under the terms of
|
|
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
|
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
|
* in which case the provisions of the GPL or the LGPL are applicable instead
|
|
* of those above. If you wish to allow use of your version of this file only
|
|
* under the terms of either the GPL or the LGPL, and not to allow others to
|
|
* use your version of this file under the terms of the MPL, indicate your
|
|
* decision by deleting the provisions above and replace them with the notice
|
|
* and other provisions required by the GPL or the LGPL. If you do not delete
|
|
* the provisions above, a recipient may use your version of this file under
|
|
* the terms of any one of the MPL, the GPL or the LGPL.
|
|
*
|
|
* ***** END LICENSE BLOCK ***** */
|
|
|
|
#include "signtool.h"
|
|
#include "zip.h"
|
|
#include "prmem.h"
|
|
#include "blapi.h"
|
|
#include "sechash.h" /* for HASH_GetHashObject() */
|
|
|
|
static int create_pk7 (char *dir, char *keyName, int *keyType);
|
|
static int jar_find_key_type (CERTCertificate *cert);
|
|
static int manifesto (char *dirname, char *install_script, PRBool recurse);
|
|
static int manifesto_fn(char *relpath, char *basedir, char *reldir,
|
|
char *filename, void *arg);
|
|
static int manifesto_xpi_fn(char *relpath, char *basedir, char *reldir,
|
|
char *filename, void *arg);
|
|
static int sign_all_arc_fn(char *relpath, char *basedir, char *reldir,
|
|
char *filename, void *arg);
|
|
static int add_meta (FILE *fp, char *name);
|
|
static int SignFile (FILE *outFile, FILE *inFile, CERTCertificate *cert);
|
|
static int generate_SF_file (char *manifile, char *who);
|
|
static int calculate_MD5_range (FILE *fp, long r1, long r2,
|
|
JAR_Digest *dig);
|
|
static void SignOut (void *arg, const char *buf, unsigned long len);
|
|
|
|
static char *metafile = NULL;
|
|
static int optimize = 0;
|
|
static FILE *mf;
|
|
static ZIPfile *zipfile = NULL;
|
|
|
|
/*
|
|
* S i g n A r c h i v e
|
|
*
|
|
* Sign an individual archive tree. A directory
|
|
* called META-INF is created underneath this.
|
|
*
|
|
*/
|
|
int
|
|
SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
|
|
char *meta_file, char *install_script, int _optimize, PRBool recurse)
|
|
{
|
|
int status;
|
|
char tempfn [FNSIZE], fullfn [FNSIZE];
|
|
int keyType = rsaKey;
|
|
|
|
metafile = meta_file;
|
|
optimize = _optimize;
|
|
|
|
/* To create XPI compatible Archive manifesto() must be run before
|
|
* the zipfile is opened. This is so the signed files are not added
|
|
* the archive before the crucial rsa/dsa file*/
|
|
if (xpi_arc) {
|
|
manifesto (tree, install_script, recurse);
|
|
}
|
|
|
|
if (zip_file) {
|
|
zipfile = JzipOpen(zip_file, NULL /*no comment*/);
|
|
}
|
|
|
|
/*Sign and add files to the archive normally with manifesto()*/
|
|
if (!xpi_arc) {
|
|
manifesto (tree, install_script, recurse);
|
|
}
|
|
|
|
if (keyName) {
|
|
status = create_pk7 (tree, keyName, &keyType);
|
|
if (status < 0) {
|
|
PR_fprintf(errorFD, "the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
|
|
tree);
|
|
errorCount++;
|
|
exit (ERRX);
|
|
}
|
|
}
|
|
|
|
/* Add the rsa/dsa file as the first file in the archive. This is crucial
|
|
* for a XPInstall compatible archive */
|
|
if (xpi_arc) {
|
|
if (verbosity >= 0) {
|
|
PR_fprintf(outputFD, "%s \n", XPI_TEXT);
|
|
}
|
|
|
|
/* rsa/dsa to zip */
|
|
sprintf (tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ?
|
|
"dsa" : "rsa"));
|
|
sprintf (fullfn, "%s/%s", tree, tempfn);
|
|
JzipAdd(fullfn, tempfn, zipfile, compression_level);
|
|
|
|
/* Loop through all files & subdirectories, add to archive */
|
|
foreach (tree, "", manifesto_xpi_fn, recurse, PR_FALSE /*include dirs */,
|
|
(void * )NULL);
|
|
}
|
|
/* mf to zip */
|
|
strcpy (tempfn, "META-INF/manifest.mf");
|
|
sprintf (fullfn, "%s/%s", tree, tempfn);
|
|
JzipAdd(fullfn, tempfn, zipfile, compression_level);
|
|
|
|
/* sf to zip */
|
|
sprintf (tempfn, "META-INF/%s.sf", base);
|
|
sprintf (fullfn, "%s/%s", tree, tempfn);
|
|
JzipAdd(fullfn, tempfn, zipfile, compression_level);
|
|
|
|
/* Add the rsa/dsa file to the zip archive normally */
|
|
if (!xpi_arc) {
|
|
/* rsa/dsa to zip */
|
|
sprintf (tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ?
|
|
"dsa" : "rsa"));
|
|
sprintf (fullfn, "%s/%s", tree, tempfn);
|
|
JzipAdd(fullfn, tempfn, zipfile, compression_level);
|
|
}
|
|
|
|
JzipClose(zipfile);
|
|
|
|
if (verbosity >= 0) {
|
|
if (javascript) {
|
|
PR_fprintf(outputFD, "jarfile \"%s\" signed successfully\n",
|
|
zip_file);
|
|
} else {
|
|
PR_fprintf(outputFD, "tree \"%s\" signed successfully\n",
|
|
tree);
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
typedef struct {
|
|
char *keyName;
|
|
int javascript;
|
|
char *metafile;
|
|
char *install_script;
|
|
int optimize;
|
|
} SignArcInfo;
|
|
|
|
/*
|
|
* S i g n A l l A r c
|
|
*
|
|
* Javascript may generate multiple .arc directories, one
|
|
* for each jar archive needed. Sign them all.
|
|
*
|
|
*/
|
|
int
|
|
SignAllArc(char *jartree, char *keyName, int javascript, char *metafile,
|
|
char *install_script, int optimize, PRBool recurse)
|
|
{
|
|
SignArcInfo info;
|
|
|
|
info.keyName = keyName;
|
|
info.javascript = javascript;
|
|
info.metafile = metafile;
|
|
info.install_script = install_script;
|
|
info.optimize = optimize;
|
|
|
|
return foreach(jartree, "", sign_all_arc_fn, recurse,
|
|
PR_TRUE /*include dirs*/, (void * )&info);
|
|
}
|
|
|
|
|
|
static int
|
|
sign_all_arc_fn(char *relpath, char *basedir, char *reldir, char *filename,
|
|
void *arg)
|
|
{
|
|
char *zipfile = NULL;
|
|
char *arc = NULL, *archive = NULL;
|
|
int retval = 0;
|
|
SignArcInfo * infop = (SignArcInfo * )arg;
|
|
|
|
/* Make sure there is one and only one ".arc" in the relative path,
|
|
* and that it is at the end of the path (don't sign .arcs within .arcs) */
|
|
if ( (PL_strcaserstr(relpath, ".arc") == relpath + strlen(relpath) -
|
|
4) &&
|
|
(PL_strcasestr(relpath, ".arc") == relpath + strlen(relpath) - 4) ) {
|
|
|
|
if (!infop) {
|
|
PR_fprintf(errorFD, "%s: Internal failure\n", PROGRAM_NAME);
|
|
errorCount++;
|
|
retval = -1;
|
|
goto finish;
|
|
}
|
|
archive = PR_smprintf("%s/%s", basedir, relpath);
|
|
|
|
zipfile = PL_strdup(archive);
|
|
arc = PORT_Strrchr (zipfile, '.');
|
|
|
|
if (arc == NULL) {
|
|
PR_fprintf(errorFD, "%s: Internal failure\n", PROGRAM_NAME);
|
|
errorCount++;
|
|
retval = -1;
|
|
goto finish;
|
|
}
|
|
|
|
PL_strcpy (arc, ".jar");
|
|
|
|
if (verbosity >= 0) {
|
|
PR_fprintf(outputFD, "\nsigning: %s\n", zipfile);
|
|
}
|
|
retval = SignArchive(archive, infop->keyName, zipfile,
|
|
infop->javascript, infop->metafile, infop->install_script,
|
|
infop->optimize, PR_TRUE /* recurse */);
|
|
}
|
|
finish:
|
|
if (archive)
|
|
PR_Free(archive);
|
|
if (zipfile)
|
|
PR_Free(zipfile);
|
|
|
|
return retval;
|
|
}
|
|
|
|
|
|
/*********************************************************************
|
|
*
|
|
* c r e a t e _ p k 7
|
|
*/
|
|
static int
|
|
create_pk7 (char *dir, char *keyName, int *keyType)
|
|
{
|
|
int status = 0;
|
|
char *file_ext;
|
|
|
|
CERTCertificate * cert;
|
|
CERTCertDBHandle * db;
|
|
|
|
FILE * in, *out;
|
|
|
|
char sf_file [FNSIZE];
|
|
char pk7_file [FNSIZE];
|
|
|
|
/* open cert database */
|
|
db = CERT_GetDefaultCertDB();
|
|
|
|
if (db == NULL)
|
|
return - 1;
|
|
|
|
/* find cert */
|
|
/*cert = CERT_FindCertByNicknameOrEmailAddr(db, keyName);*/
|
|
cert = PK11_FindCertFromNickname(keyName, &pwdata);
|
|
|
|
if (cert == NULL) {
|
|
SECU_PrintError ( PROGRAM_NAME,
|
|
"Cannot find the cert \"%s\"", keyName);
|
|
return -1;
|
|
}
|
|
|
|
|
|
/* determine the key type, which sets the extension for pkcs7 object */
|
|
|
|
*keyType = jar_find_key_type (cert);
|
|
file_ext = (*keyType == dsaKey) ? "dsa" : "rsa";
|
|
|
|
sprintf (sf_file, "%s/META-INF/%s.sf", dir, base);
|
|
sprintf (pk7_file, "%s/META-INF/%s.%s", dir, base, file_ext);
|
|
|
|
if ((in = fopen (sf_file, "rb")) == NULL) {
|
|
PR_fprintf(errorFD, "%s: Can't open %s for reading\n", PROGRAM_NAME,
|
|
sf_file);
|
|
errorCount++;
|
|
exit (ERRX);
|
|
}
|
|
|
|
if ((out = fopen (pk7_file, "wb")) == NULL) {
|
|
PR_fprintf(errorFD, "%s: Can't open %s for writing\n", PROGRAM_NAME,
|
|
sf_file);
|
|
errorCount++;
|
|
exit (ERRX);
|
|
}
|
|
|
|
status = SignFile (out, in, cert);
|
|
|
|
CERT_DestroyCertificate (cert);
|
|
fclose (in);
|
|
fclose (out);
|
|
|
|
if (status) {
|
|
PR_fprintf(errorFD, "%s: PROBLEM signing data (%s)\n",
|
|
PROGRAM_NAME, SECU_ErrorString ((int16) PORT_GetError()));
|
|
errorCount++;
|
|
return - 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* j a r _ f i n d _ k e y _ t y p e
|
|
*
|
|
* Determine the key type for a given cert, which
|
|
* should be rsaKey or dsaKey. Any error return 0.
|
|
*
|
|
*/
|
|
static int
|
|
jar_find_key_type (CERTCertificate *cert)
|
|
{
|
|
SECKEYPrivateKey * privk = NULL;
|
|
KeyType keyType;
|
|
|
|
/* determine its type */
|
|
privk = PK11_FindKeyByAnyCert (cert, &pwdata);
|
|
if (privk == NULL) {
|
|
PR_fprintf(errorFD, "warning - can't find private key for this cert\n");
|
|
warningCount++;
|
|
return 0;
|
|
}
|
|
|
|
keyType = privk->keyType;
|
|
SECKEY_DestroyPrivateKey (privk);
|
|
return keyType;
|
|
}
|
|
|
|
|
|
/*
|
|
* m a n i f e s t o
|
|
*
|
|
* Run once for every subdirectory in which a
|
|
* manifest is to be created -- usually exactly once.
|
|
*
|
|
*/
|
|
static int
|
|
manifesto (char *dirname, char *install_script, PRBool recurse)
|
|
{
|
|
char metadir [FNSIZE], sfname [FNSIZE];
|
|
|
|
/* Create the META-INF directory to hold signing info */
|
|
|
|
if (PR_Access (dirname, PR_ACCESS_READ_OK)) {
|
|
PR_fprintf(errorFD, "%s: unable to read your directory: %s\n",
|
|
PROGRAM_NAME, dirname);
|
|
errorCount++;
|
|
perror (dirname);
|
|
exit (ERRX);
|
|
}
|
|
|
|
if (PR_Access (dirname, PR_ACCESS_WRITE_OK)) {
|
|
PR_fprintf(errorFD, "%s: unable to write to your directory: %s\n",
|
|
PROGRAM_NAME, dirname);
|
|
errorCount++;
|
|
perror(dirname);
|
|
exit(ERRX);
|
|
}
|
|
|
|
sprintf (metadir, "%s/META-INF", dirname);
|
|
|
|
strcpy (sfname, metadir);
|
|
|
|
PR_MkDir (metadir, 0777);
|
|
|
|
strcat (metadir, "/");
|
|
strcat (metadir, MANIFEST);
|
|
|
|
if ((mf = fopen (metadir, "wb")) == NULL) {
|
|
perror (MANIFEST);
|
|
PR_fprintf(errorFD, "%s: Probably, the directory you are trying to"
|
|
" sign has\n", PROGRAM_NAME);
|
|
PR_fprintf(errorFD, "%s: permissions problems or may not exist.\n",
|
|
PROGRAM_NAME);
|
|
errorCount++;
|
|
exit (ERRX);
|
|
}
|
|
|
|
if (verbosity >= 0) {
|
|
PR_fprintf(outputFD, "Generating %s file..\n", metadir);
|
|
}
|
|
|
|
fprintf(mf, "Manifest-Version: 1.0\n");
|
|
fprintf (mf, "Created-By: %s\n", CREATOR);
|
|
fprintf (mf, "Comments: %s\n", BREAKAGE);
|
|
|
|
if (scriptdir) {
|
|
fprintf (mf, "Comments: --\n");
|
|
fprintf (mf, "Comments: --\n");
|
|
fprintf (mf, "Comments: -- This archive signs Javascripts which may not necessarily\n");
|
|
fprintf (mf, "Comments: -- be included in the physical jar file.\n");
|
|
fprintf (mf, "Comments: --\n");
|
|
fprintf (mf, "Comments: --\n");
|
|
}
|
|
|
|
if (install_script)
|
|
fprintf (mf, "Install-Script: %s\n", install_script);
|
|
|
|
if (metafile)
|
|
add_meta (mf, "+");
|
|
|
|
/* Loop through all files & subdirectories */
|
|
foreach (dirname, "", manifesto_fn, recurse, PR_FALSE /*include dirs */,
|
|
(void * )NULL);
|
|
|
|
fclose (mf);
|
|
|
|
strcat (sfname, "/");
|
|
strcat (sfname, base);
|
|
strcat (sfname, ".sf");
|
|
|
|
if (verbosity >= 0) {
|
|
PR_fprintf(outputFD, "Generating %s.sf file..\n", base);
|
|
}
|
|
generate_SF_file (metadir, sfname);
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* m a n i f e s t o _ x p i _ f n
|
|
*
|
|
* Called by pointer from SignArchive(), once for
|
|
* each file within the directory. This function
|
|
* is only used for adding to XPI compatible archive
|
|
*
|
|
*/
|
|
static int manifesto_xpi_fn
|
|
(char *relpath, char *basedir, char *reldir, char *filename, void *arg)
|
|
{
|
|
char fullname [FNSIZE];
|
|
|
|
if (verbosity >= 0) {
|
|
PR_fprintf(outputFD, "--> %s\n", relpath);
|
|
}
|
|
|
|
/* extension matching */
|
|
if (extensionsGiven) {
|
|
char *ext = PL_strrchr(relpath, '.');
|
|
if (!ext)
|
|
return 0;
|
|
if (!PL_HashTableLookup(extensions, ext))
|
|
return 0;
|
|
}
|
|
sprintf (fullname, "%s/%s", basedir, relpath);
|
|
JzipAdd(fullname, relpath, zipfile, compression_level);
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* m a n i f e s t o _ f n
|
|
*
|
|
* Called by pointer from manifesto(), once for
|
|
* each file within the directory.
|
|
*
|
|
*/
|
|
static int manifesto_fn
|
|
(char *relpath, char *basedir, char *reldir, char *filename, void *arg)
|
|
{
|
|
int use_js;
|
|
|
|
JAR_Digest dig;
|
|
char fullname [FNSIZE];
|
|
|
|
if (verbosity >= 0) {
|
|
PR_fprintf(outputFD, "--> %s\n", relpath);
|
|
}
|
|
|
|
/* extension matching */
|
|
if (extensionsGiven) {
|
|
char *ext = PL_strrchr(relpath, '.');
|
|
if (!ext)
|
|
return 0;
|
|
if (!PL_HashTableLookup(extensions, ext))
|
|
return 0;
|
|
}
|
|
|
|
sprintf (fullname, "%s/%s", basedir, relpath);
|
|
|
|
fprintf (mf, "\n");
|
|
|
|
use_js = 0;
|
|
|
|
if (scriptdir && !PORT_Strcmp (scriptdir, reldir))
|
|
use_js++;
|
|
|
|
/* sign non-.js files inside .arc directories using the javascript magic */
|
|
|
|
if ( (PL_strcaserstr(filename, ".js") != filename + strlen(filename) - 3)
|
|
&& (PL_strcaserstr(reldir, ".arc") == reldir + strlen(filename) - 4))
|
|
use_js++;
|
|
|
|
if (use_js) {
|
|
fprintf (mf, "Name: %s\n", filename);
|
|
fprintf (mf, "Magic: javascript\n");
|
|
|
|
if (optimize == 0)
|
|
fprintf (mf, "javascript.id: %s\n", filename);
|
|
|
|
if (metafile)
|
|
add_meta (mf, filename);
|
|
} else {
|
|
fprintf (mf, "Name: %s\n", relpath);
|
|
if (metafile)
|
|
add_meta (mf, relpath);
|
|
}
|
|
|
|
JAR_digest_file (fullname, &dig);
|
|
|
|
|
|
if (optimize == 0) {
|
|
fprintf (mf, "Digest-Algorithms: MD5 SHA1\n");
|
|
fprintf (mf, "MD5-Digest: %s\n", BTOA_DataToAscii (dig.md5,
|
|
MD5_LENGTH));
|
|
}
|
|
|
|
fprintf (mf, "SHA1-Digest: %s\n", BTOA_DataToAscii (dig.sha1, SHA1_LENGTH));
|
|
|
|
if (!use_js) {
|
|
JzipAdd(fullname, relpath, zipfile, compression_level);
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* a d d _ m e t a
|
|
*
|
|
* Parse the metainfo file, and add any details
|
|
* necessary to the manifest file. In most cases you
|
|
* should be using the -i option (ie, for SmartUpdate).
|
|
*
|
|
*/
|
|
static int add_meta (FILE *fp, char *name)
|
|
{
|
|
FILE * met;
|
|
char buf [BUFSIZ];
|
|
|
|
int place;
|
|
char *pattern, *meta;
|
|
|
|
int num = 0;
|
|
|
|
if ((met = fopen (metafile, "r")) != NULL) {
|
|
while (fgets (buf, BUFSIZ, met)) {
|
|
char *s;
|
|
|
|
for (s = buf; *s && *s != '\n' && *s != '\r'; s++)
|
|
;
|
|
*s = 0;
|
|
|
|
if (*buf == 0)
|
|
continue;
|
|
|
|
pattern = buf;
|
|
|
|
/* skip to whitespace */
|
|
for (s = buf; *s && *s != ' ' && *s != '\t'; s++)
|
|
;
|
|
|
|
/* terminate pattern */
|
|
if (*s == ' ' || *s == '\t')
|
|
*s++ = 0;
|
|
|
|
/* eat through whitespace */
|
|
while (*s == ' ' || *s == '\t')
|
|
s++;
|
|
|
|
meta = s;
|
|
|
|
/* this will eventually be regexp matching */
|
|
|
|
place = 0;
|
|
if (!PORT_Strcmp (pattern, name))
|
|
place = 1;
|
|
|
|
if (place) {
|
|
num++;
|
|
if (verbosity >= 0) {
|
|
PR_fprintf(outputFD, "[%s] %s\n", name, meta);
|
|
}
|
|
fprintf (fp, "%s\n", meta);
|
|
}
|
|
}
|
|
fclose (met);
|
|
} else {
|
|
PR_fprintf(errorFD, "%s: can't open metafile: %s\n", PROGRAM_NAME,
|
|
metafile);
|
|
errorCount++;
|
|
exit (ERRX);
|
|
}
|
|
|
|
return num;
|
|
}
|
|
|
|
|
|
/**********************************************************************
|
|
*
|
|
* S i g n F i l e
|
|
*/
|
|
static int
|
|
SignFile (FILE *outFile, FILE *inFile, CERTCertificate *cert)
|
|
{
|
|
int nb;
|
|
char ibuf[4096], digestdata[32];
|
|
const SECHashObject *hashObj;
|
|
void *hashcx;
|
|
unsigned int len;
|
|
|
|
SECItem digest;
|
|
SEC_PKCS7ContentInfo * cinfo;
|
|
SECStatus rv;
|
|
|
|
if (outFile == NULL || inFile == NULL || cert == NULL)
|
|
return - 1;
|
|
|
|
/* XXX probably want to extend interface to allow other hash algorithms */
|
|
hashObj = HASH_GetHashObject(HASH_AlgSHA1);
|
|
|
|
hashcx = (*hashObj->create)();
|
|
if (hashcx == NULL)
|
|
return - 1;
|
|
|
|
(*hashObj->begin)(hashcx);
|
|
|
|
for (; ; ) {
|
|
if (feof(inFile))
|
|
break;
|
|
nb = fread(ibuf, 1, sizeof(ibuf), inFile);
|
|
if (nb == 0) {
|
|
if (ferror(inFile)) {
|
|
PORT_SetError(SEC_ERROR_IO);
|
|
(*hashObj->destroy)(hashcx, PR_TRUE);
|
|
return - 1;
|
|
}
|
|
/* eof */
|
|
break;
|
|
}
|
|
(*hashObj->update)(hashcx, (unsigned char *) ibuf, nb);
|
|
}
|
|
|
|
(*hashObj->end)(hashcx, (unsigned char *) digestdata, &len, 32);
|
|
(*hashObj->destroy)(hashcx, PR_TRUE);
|
|
|
|
digest.data = (unsigned char *) digestdata;
|
|
digest.len = len;
|
|
|
|
cinfo = SEC_PKCS7CreateSignedData
|
|
(cert, certUsageObjectSigner, NULL,
|
|
SEC_OID_SHA1, &digest, NULL, NULL);
|
|
|
|
if (cinfo == NULL)
|
|
return - 1;
|
|
|
|
rv = SEC_PKCS7IncludeCertChain (cinfo, NULL);
|
|
if (rv != SECSuccess) {
|
|
SEC_PKCS7DestroyContentInfo (cinfo);
|
|
return - 1;
|
|
}
|
|
|
|
if (no_time == 0) {
|
|
rv = SEC_PKCS7AddSigningTime (cinfo);
|
|
if (rv != SECSuccess) {
|
|
/* don't check error */
|
|
}
|
|
}
|
|
|
|
rv = SEC_PKCS7Encode(cinfo, SignOut, outFile, NULL, NULL, &pwdata);
|
|
|
|
SEC_PKCS7DestroyContentInfo (cinfo);
|
|
|
|
if (rv != SECSuccess)
|
|
return - 1;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* g e n e r a t e _ S F _ f i l e
|
|
*
|
|
* From the supplied manifest file, calculates
|
|
* digests on the various sections, creating a .SF
|
|
* file in the process.
|
|
*
|
|
*/
|
|
static int generate_SF_file (char *manifile, char *who)
|
|
{
|
|
FILE * sf;
|
|
FILE * mf;
|
|
long r1, r2, r3;
|
|
char whofile [FNSIZE];
|
|
char *buf, *name = NULL;
|
|
JAR_Digest dig;
|
|
int line = 0;
|
|
|
|
strcpy (whofile, who);
|
|
|
|
if ((mf = fopen (manifile, "rb")) == NULL) {
|
|
perror (manifile);
|
|
exit (ERRX);
|
|
}
|
|
|
|
if ((sf = fopen (whofile, "wb")) == NULL) {
|
|
perror (who);
|
|
exit (ERRX);
|
|
}
|
|
|
|
buf = (char *) PORT_ZAlloc (BUFSIZ);
|
|
|
|
if (buf)
|
|
name = (char *) PORT_ZAlloc (BUFSIZ);
|
|
|
|
if (buf == NULL || name == NULL)
|
|
out_of_memory();
|
|
|
|
fprintf (sf, "Signature-Version: 1.0\n");
|
|
fprintf (sf, "Created-By: %s\n", CREATOR);
|
|
fprintf (sf, "Comments: %s\n", BREAKAGE);
|
|
|
|
if (fgets (buf, BUFSIZ, mf) == NULL) {
|
|
PR_fprintf(errorFD, "%s: empty manifest file!\n", PROGRAM_NAME);
|
|
errorCount++;
|
|
exit (ERRX);
|
|
}
|
|
|
|
if (strncmp (buf, "Manifest-Version:", 17)) {
|
|
PR_fprintf(errorFD, "%s: not a manifest file!\n", PROGRAM_NAME);
|
|
errorCount++;
|
|
exit (ERRX);
|
|
}
|
|
|
|
fseek (mf, 0L, SEEK_SET);
|
|
|
|
/* Process blocks of headers, and calculate their hashen */
|
|
|
|
while (1) {
|
|
/* Beginning range */
|
|
r1 = ftell (mf);
|
|
|
|
if (fgets (name, BUFSIZ, mf) == NULL)
|
|
break;
|
|
|
|
line++;
|
|
|
|
if (r1 != 0 && strncmp (name, "Name:", 5)) {
|
|
PR_fprintf(errorFD,
|
|
"warning: unexpected input in manifest file \"%s\" at line %d:\n",
|
|
manifile, line);
|
|
PR_fprintf(errorFD, "%s\n", name);
|
|
warningCount++;
|
|
}
|
|
|
|
r2 = r1;
|
|
while (fgets (buf, BUFSIZ, mf)) {
|
|
if (*buf == 0 || *buf == '\n' || *buf == '\r')
|
|
break;
|
|
|
|
line++;
|
|
|
|
/* Ending range for hashing */
|
|
r2 = ftell (mf);
|
|
}
|
|
|
|
r3 = ftell (mf);
|
|
|
|
if (r1) {
|
|
fprintf (sf, "\n");
|
|
fprintf (sf, "%s", name);
|
|
}
|
|
|
|
calculate_MD5_range (mf, r1, r2, &dig);
|
|
|
|
if (optimize == 0) {
|
|
fprintf (sf, "Digest-Algorithms: MD5 SHA1\n");
|
|
fprintf (sf, "MD5-Digest: %s\n",
|
|
BTOA_DataToAscii (dig.md5, MD5_LENGTH));
|
|
}
|
|
|
|
fprintf (sf, "SHA1-Digest: %s\n",
|
|
BTOA_DataToAscii (dig.sha1, SHA1_LENGTH));
|
|
|
|
/* restore normalcy after changing offset position */
|
|
fseek (mf, r3, SEEK_SET);
|
|
}
|
|
|
|
PORT_Free (buf);
|
|
PORT_Free (name);
|
|
|
|
fclose (sf);
|
|
fclose (mf);
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* c a l c u l a t e _ M D 5 _ r a n g e
|
|
*
|
|
* Calculate the MD5 digest on a range of bytes in
|
|
* the specified fopen'd file. Returns base64.
|
|
*
|
|
*/
|
|
static int
|
|
calculate_MD5_range (FILE *fp, long r1, long r2, JAR_Digest *dig)
|
|
{
|
|
int num;
|
|
int range;
|
|
unsigned char *buf;
|
|
SECStatus rv;
|
|
|
|
range = r2 - r1;
|
|
|
|
/* position to the beginning of range */
|
|
fseek (fp, r1, SEEK_SET);
|
|
|
|
buf = (unsigned char *) PORT_ZAlloc (range);
|
|
if (buf == NULL)
|
|
out_of_memory();
|
|
|
|
if ((num = fread (buf, 1, range, fp)) != range) {
|
|
PR_fprintf(errorFD, "%s: expected %d bytes, got %d\n", PROGRAM_NAME,
|
|
range, num);
|
|
errorCount++;
|
|
exit (ERRX);
|
|
}
|
|
|
|
rv = PK11_HashBuf(SEC_OID_MD5, dig->md5, buf, range);
|
|
if (rv == SECSuccess) {
|
|
rv =PK11_HashBuf(SEC_OID_SHA1, dig->sha1, buf, range);
|
|
}
|
|
if (rv != SECSuccess) {
|
|
PR_fprintf(errorFD, "%s: can't generate digest context\n",
|
|
PROGRAM_NAME);
|
|
errorCount++;
|
|
exit (ERRX);
|
|
}
|
|
|
|
PORT_Free (buf);
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
static void SignOut (void *arg, const char *buf, unsigned long len)
|
|
{
|
|
fwrite (buf, len, 1, (FILE * ) arg);
|
|
}
|
|
|
|
|