mirror of
https://github.com/rn10950/RetroZilla.git
synced 2024-11-14 03:30:17 +01:00
1091 lines
29 KiB
C
1091 lines
29 KiB
C
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "seccomon.h"
|
|
#include "nss.h"
|
|
#include "key.h"
|
|
#include "cert.h"
|
|
#include "pk11func.h"
|
|
#include "secmod.h"
|
|
#include "cmmf.h"
|
|
#include "crmf.h"
|
|
#include "base64.h"
|
|
#include "secasn1.h"
|
|
#include "cryptohi.h"
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
|
|
#define DEFAULT_ALLOC_SIZE 200
|
|
#define DEFAULT_CGI_VARS 20
|
|
|
|
typedef struct CGIVariableStr {
|
|
char *name;
|
|
char *value;
|
|
} CGIVariable;
|
|
|
|
typedef struct CGIVarTableStr {
|
|
CGIVariable **variables;
|
|
int numVars;
|
|
int numAlloc;
|
|
} CGIVarTable;
|
|
|
|
typedef struct CertResponseInfoStr {
|
|
CERTCertificate *cert;
|
|
long certReqID;
|
|
} CertResponseInfo;
|
|
|
|
typedef struct ChallengeCreationInfoStr {
|
|
long random;
|
|
SECKEYPublicKey *pubKey;
|
|
} ChallengeCreationInfo;
|
|
|
|
char *missingVar = NULL;
|
|
|
|
/*
|
|
* Error values.
|
|
*/
|
|
typedef enum {
|
|
NO_ERROR = 0,
|
|
NSS_INIT_FAILED,
|
|
AUTH_FAILED,
|
|
REQ_CGI_VAR_NOT_PRESENT,
|
|
CRMF_REQ_NOT_PRESENT,
|
|
BAD_ASCII_FOR_REQ,
|
|
CGI_VAR_MISSING,
|
|
COULD_NOT_FIND_CA,
|
|
COULD_NOT_DECODE_REQS,
|
|
OUT_OF_MEMORY,
|
|
ERROR_RETRIEVING_REQUEST_MSG,
|
|
ERROR_RETRIEVING_CERT_REQUEST,
|
|
ERROR_RETRIEVING_SUBJECT_FROM_REQ,
|
|
ERROR_RETRIEVING_PUBLIC_KEY_FROM_REQ,
|
|
ERROR_CREATING_NEW_CERTIFICATE,
|
|
COULD_NOT_START_EXTENSIONS,
|
|
ERROR_RETRIEVING_EXT_FROM_REQ,
|
|
ERROR_ADDING_EXT_TO_CERT,
|
|
ERROR_ENDING_EXTENSIONS,
|
|
COULD_NOT_FIND_ISSUER_PRIVATE_KEY,
|
|
UNSUPPORTED_SIGN_OPERATION_FOR_ISSUER,
|
|
ERROR_SETTING_SIGN_ALG,
|
|
ERROR_ENCODING_NEW_CERT,
|
|
ERROR_SIGNING_NEW_CERT,
|
|
ERROR_CREATING_CERT_REP_CONTENT,
|
|
ERROR_CREATING_SINGLE_CERT_RESPONSE,
|
|
ERROR_SETTING_CERT_RESPONSES,
|
|
ERROR_CREATING_CA_LIST,
|
|
ERROR_ADDING_ISSUER_TO_CA_LIST,
|
|
ERROR_ENCODING_CERT_REP_CONTENT,
|
|
NO_POP_FOR_REQUEST,
|
|
UNSUPPORTED_POP,
|
|
ERROR_RETRIEVING_POP_SIGN_KEY,
|
|
ERROR_RETRIEVING_ALG_ID_FROM_SIGN_KEY,
|
|
ERROR_RETRIEVING_SIGNATURE_FROM_POP_SIGN_KEY,
|
|
DO_CHALLENGE_RESPONSE,
|
|
ERROR_RETRIEVING_PUB_KEY_FROM_NEW_CERT,
|
|
ERROR_ENCODING_CERT_REQ_FOR_POP,
|
|
ERROR_VERIFYING_SIGNATURE_POP,
|
|
ERROR_RETRIEVING_PUB_KEY_FOR_CHALL,
|
|
ERROR_CREATING_EMPTY_CHAL_CONTENT,
|
|
ERROR_EXTRACTING_GEN_NAME_FROM_ISSUER,
|
|
ERROR_SETTING_CHALLENGE,
|
|
ERROR_ENCODING_CHALL,
|
|
ERROR_CONVERTING_CHALL_TO_BASE64,
|
|
ERROR_CONVERTING_RESP_FROM_CHALL_TO_BIN,
|
|
ERROR_CREATING_KEY_RESP_FROM_DER,
|
|
ERROR_RETRIEVING_CLIENT_RESPONSE_TO_CHALLENGE,
|
|
ERROR_RETURNED_CHALL_NOT_VALUE_EXPECTED,
|
|
ERROR_GETTING_KEY_ENCIPHERMENT,
|
|
ERROR_NO_POP_FOR_PRIVKEY,
|
|
ERROR_UNSUPPORTED_POPOPRIVKEY_TYPE
|
|
} ErrorCode;
|
|
|
|
const char *
|
|
CGITableFindValue(CGIVarTable *varTable, const char *key);
|
|
|
|
void
|
|
spitOutHeaders(void)
|
|
{
|
|
printf("Content-type: text/html\n\n");
|
|
}
|
|
|
|
void
|
|
dumpRequest(CGIVarTable *varTable)
|
|
{
|
|
int i;
|
|
CGIVariable *var;
|
|
|
|
printf ("<table border=1 cellpadding=1 cellspacing=1 width=\"100%%\">\n");
|
|
printf ("<tr><td><b><center>Variable Name<center></b></td>"
|
|
"<td><b><center>Value</center></b></td></tr>\n");
|
|
for (i=0; i<varTable->numVars; i++) {
|
|
var = varTable->variables[i];
|
|
printf ("<tr><td><pre>%s</pre></td><td><pre>%s</pre></td></tr>\n",
|
|
var->name, var->value);
|
|
}
|
|
printf("</table>\n");
|
|
}
|
|
|
|
void
|
|
echo_request(CGIVarTable *varTable)
|
|
{
|
|
spitOutHeaders();
|
|
printf("<html><head><title>CGI Echo Page</title></head>\n"
|
|
"<body><h1>Got the following request</h1>\n");
|
|
dumpRequest(varTable);
|
|
printf("</body></html>");
|
|
}
|
|
|
|
void
|
|
processVariable(CGIVariable *var)
|
|
{
|
|
char *plusSign, *percentSign;
|
|
|
|
/*First look for all of the '+' and convert them to spaces */
|
|
plusSign = var->value;
|
|
while ((plusSign=strchr(plusSign, '+')) != NULL) {
|
|
*plusSign = ' ';
|
|
}
|
|
percentSign = var->value;
|
|
while ((percentSign=strchr(percentSign, '%')) != NULL) {
|
|
char string[3];
|
|
int value;
|
|
|
|
string[0] = percentSign[1];
|
|
string[1] = percentSign[2];
|
|
string[2] = '\0';
|
|
|
|
sscanf(string,"%x", &value);
|
|
*percentSign = (char)value;
|
|
memmove(&percentSign[1], &percentSign[3], 1+strlen(&percentSign[3]));
|
|
}
|
|
}
|
|
|
|
char *
|
|
parseNextVariable(CGIVarTable *varTable, char *form_output)
|
|
{
|
|
char *ampersand, *equal;
|
|
CGIVariable *var;
|
|
|
|
if (varTable->numVars == varTable->numAlloc) {
|
|
CGIVariable **newArr = realloc(varTable->variables,
|
|
(varTable->numAlloc + DEFAULT_CGI_VARS)*sizeof(CGIVariable*));
|
|
if (newArr == NULL) {
|
|
return NULL;
|
|
}
|
|
varTable->variables = newArr;
|
|
varTable->numAlloc += DEFAULT_CGI_VARS;
|
|
}
|
|
equal = strchr(form_output, '=');
|
|
if (equal == NULL) {
|
|
return NULL;
|
|
}
|
|
ampersand = strchr(equal, '&');
|
|
if (ampersand == NULL) {
|
|
return NULL;
|
|
}
|
|
equal[0] = '\0';
|
|
if (ampersand != NULL) {
|
|
ampersand[0] = '\0';
|
|
}
|
|
var = malloc(sizeof(CGIVariable));
|
|
var->name = form_output;
|
|
var->value = &equal[1];
|
|
varTable->variables[varTable->numVars] = var;
|
|
varTable->numVars++;
|
|
processVariable(var);
|
|
return (ampersand != NULL) ? &ersand[1] : NULL;
|
|
}
|
|
|
|
void
|
|
ParseInputVariables(CGIVarTable *varTable, char *form_output)
|
|
{
|
|
varTable->variables = malloc(sizeof(CGIVariable*)*DEFAULT_CGI_VARS);
|
|
varTable->numVars = 0;
|
|
varTable->numAlloc = DEFAULT_CGI_VARS;
|
|
while (form_output && form_output[0] != '\0') {
|
|
form_output = parseNextVariable(varTable, form_output);
|
|
}
|
|
}
|
|
|
|
const char *
|
|
CGITableFindValue(CGIVarTable *varTable, const char *key)
|
|
{
|
|
const char *retVal = NULL;
|
|
int i;
|
|
|
|
for (i=0; i<varTable->numVars; i++) {
|
|
if (strcmp(varTable->variables[i]->name, key) == 0) {
|
|
retVal = varTable->variables[i]->value;
|
|
break;
|
|
}
|
|
}
|
|
return retVal;
|
|
}
|
|
|
|
char*
|
|
passwordCallback(PK11SlotInfo *slot, PRBool retry, void *arg)
|
|
{
|
|
const char *passwd;
|
|
if (retry) {
|
|
return NULL;
|
|
}
|
|
passwd = CGITableFindValue((CGIVarTable*)arg, "dbPassword");
|
|
if (passwd == NULL) {
|
|
return NULL;
|
|
}
|
|
return PORT_Strdup(passwd);
|
|
}
|
|
|
|
ErrorCode
|
|
initNSS(CGIVarTable *varTable)
|
|
{
|
|
const char *nssDir;
|
|
PK11SlotInfo *keySlot;
|
|
SECStatus rv;
|
|
|
|
nssDir = CGITableFindValue(varTable,"NSSDirectory");
|
|
if (nssDir == NULL) {
|
|
missingVar = "NSSDirectory";
|
|
return REQ_CGI_VAR_NOT_PRESENT;
|
|
}
|
|
rv = NSS_Init(nssDir);
|
|
if (rv != SECSuccess) {
|
|
return NSS_INIT_FAILED;
|
|
}
|
|
PK11_SetPasswordFunc(passwordCallback);
|
|
keySlot = PK11_GetInternalKeySlot();
|
|
rv = PK11_Authenticate(keySlot, PR_FALSE, varTable);
|
|
PK11_FreeSlot(keySlot);
|
|
if (rv != SECSuccess) {
|
|
return AUTH_FAILED;
|
|
}
|
|
return NO_ERROR;
|
|
}
|
|
|
|
void
|
|
dumpErrorMessage(ErrorCode errNum)
|
|
{
|
|
spitOutHeaders();
|
|
printf("<html><head><title>Error</title></head><body><h1>Error processing "
|
|
"data</h1> Received the error %d<p>", errNum);
|
|
if (errNum == REQ_CGI_VAR_NOT_PRESENT) {
|
|
printf ("The missing variable is %s.", missingVar);
|
|
}
|
|
printf ("<i>More useful information here in the future.</i></body></html>");
|
|
}
|
|
|
|
ErrorCode
|
|
initOldCertReq(CERTCertificateRequest *oldCertReq,
|
|
CERTName *subject, CERTSubjectPublicKeyInfo *spki)
|
|
{
|
|
PLArenaPool *poolp;
|
|
|
|
poolp = oldCertReq->arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
|
SEC_ASN1EncodeInteger(poolp, &oldCertReq->version,
|
|
SEC_CERTIFICATE_VERSION_3);
|
|
CERT_CopyName(poolp, &oldCertReq->subject, subject);
|
|
SECKEY_CopySubjectPublicKeyInfo(poolp, &oldCertReq->subjectPublicKeyInfo,
|
|
spki);
|
|
oldCertReq->attributes = NULL;
|
|
return NO_ERROR;
|
|
}
|
|
|
|
ErrorCode
|
|
addExtensions(CERTCertificate *newCert, CRMFCertRequest *certReq)
|
|
{
|
|
int numExtensions, i;
|
|
void *extHandle;
|
|
ErrorCode rv = NO_ERROR;
|
|
CRMFCertExtension *ext;
|
|
SECStatus srv;
|
|
|
|
numExtensions = CRMF_CertRequestGetNumberOfExtensions(certReq);
|
|
if (numExtensions == 0) {
|
|
/* No extensions to add */
|
|
return NO_ERROR;
|
|
}
|
|
extHandle = CERT_StartCertExtensions(newCert);
|
|
if (extHandle == NULL) {
|
|
rv = COULD_NOT_START_EXTENSIONS;
|
|
goto loser;
|
|
}
|
|
for (i=0; i<numExtensions; i++) {
|
|
ext = CRMF_CertRequestGetExtensionAtIndex(certReq, i);
|
|
if (ext == NULL) {
|
|
rv = ERROR_RETRIEVING_EXT_FROM_REQ;
|
|
}
|
|
srv = CERT_AddExtension(extHandle, CRMF_CertExtensionGetOidTag(ext),
|
|
CRMF_CertExtensionGetValue(ext),
|
|
CRMF_CertExtensionGetIsCritical(ext), PR_FALSE);
|
|
if (srv != SECSuccess) {
|
|
rv = ERROR_ADDING_EXT_TO_CERT;
|
|
}
|
|
}
|
|
srv = CERT_FinishExtensions(extHandle);
|
|
if (srv != SECSuccess) {
|
|
rv = ERROR_ENDING_EXTENSIONS;
|
|
goto loser;
|
|
}
|
|
return NO_ERROR;
|
|
loser:
|
|
return rv;
|
|
}
|
|
|
|
void
|
|
writeOutItem(const char *filePath, SECItem *der)
|
|
{
|
|
PRFileDesc *outfile;
|
|
|
|
outfile = PR_Open (filePath,
|
|
PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
|
|
0666);
|
|
PR_Write(outfile, der->data, der->len);
|
|
PR_Close(outfile);
|
|
|
|
}
|
|
|
|
ErrorCode
|
|
createNewCert(CERTCertificate**issuedCert,CERTCertificateRequest *oldCertReq,
|
|
CRMFCertReqMsg *currReq, CRMFCertRequest *certReq,
|
|
CERTCertificate *issuerCert, CGIVarTable *varTable)
|
|
{
|
|
CERTCertificate *newCert = NULL;
|
|
CERTValidity *validity;
|
|
PRExplodedTime printableTime;
|
|
PRTime now, after;
|
|
ErrorCode rv=NO_ERROR;
|
|
SECKEYPrivateKey *issuerPrivKey;
|
|
SECItem derCert = { 0 };
|
|
SECOidTag signTag;
|
|
SECStatus srv;
|
|
long version;
|
|
|
|
now = PR_Now();
|
|
PR_ExplodeTime(now, PR_GMTParameters, &printableTime);
|
|
printableTime.tm_month += 9;
|
|
after = PR_ImplodeTime(&printableTime);
|
|
validity = CERT_CreateValidity(now, after);
|
|
newCert = *issuedCert =
|
|
CERT_CreateCertificate(rand(), &(issuerCert->subject), validity,
|
|
oldCertReq);
|
|
if (newCert == NULL) {
|
|
rv = ERROR_CREATING_NEW_CERTIFICATE;
|
|
goto loser;
|
|
}
|
|
rv = addExtensions(newCert, certReq);
|
|
if (rv != NO_ERROR) {
|
|
goto loser;
|
|
}
|
|
issuerPrivKey = PK11_FindKeyByAnyCert(issuerCert, varTable);
|
|
if (issuerPrivKey == NULL) {
|
|
rv = COULD_NOT_FIND_ISSUER_PRIVATE_KEY;
|
|
}
|
|
signTag = SEC_GetSignatureAlgorithmOidTag(issuerPrivatekey->keytype,
|
|
SEC_OID_UNKNOWN);
|
|
if (signTag == SEC_OID_UNKNOWN) {
|
|
rv = UNSUPPORTED_SIGN_OPERATION_FOR_ISSUER;
|
|
goto loser;
|
|
}
|
|
srv = SECOID_SetAlgorithmID(newCert->arena, &newCert->signature,
|
|
signTag, 0);
|
|
if (srv != SECSuccess) {
|
|
rv = ERROR_SETTING_SIGN_ALG;
|
|
goto loser;
|
|
}
|
|
srv = CRMF_CertRequestGetCertTemplateVersion(certReq, &version);
|
|
if (srv != SECSuccess) {
|
|
/* No version included in the request */
|
|
*(newCert->version.data) = SEC_CERTIFICATE_VERSION_3;
|
|
} else {
|
|
SECITEM_FreeItem(&newCert->version, PR_FALSE);
|
|
SEC_ASN1EncodeInteger(newCert->arena, &newCert->version, version);
|
|
}
|
|
SEC_ASN1EncodeItem(newCert->arena, &derCert, newCert,
|
|
CERT_CertificateTemplate);
|
|
if (derCert.data == NULL) {
|
|
rv = ERROR_ENCODING_NEW_CERT;
|
|
goto loser;
|
|
}
|
|
srv = SEC_DerSignData(newCert->arena, &(newCert->derCert), derCert.data,
|
|
derCert.len, issuerPrivKey, signTag);
|
|
if (srv != SECSuccess) {
|
|
rv = ERROR_SIGNING_NEW_CERT;
|
|
goto loser;
|
|
}
|
|
#ifdef WRITE_OUT_RESPONSE
|
|
writeOutItem("newcert.der", &newCert->derCert);
|
|
#endif
|
|
return NO_ERROR;
|
|
loser:
|
|
*issuedCert = NULL;
|
|
if (newCert) {
|
|
CERT_DestroyCertificate(newCert);
|
|
}
|
|
return rv;
|
|
|
|
}
|
|
|
|
void
|
|
formatCMMFResponse(char *nickname, char *base64Response)
|
|
{
|
|
char *currLine, *nextLine;
|
|
|
|
printf("var retVal = crypto.importUserCertificates(\"%s\",\n", nickname);
|
|
currLine = base64Response;
|
|
while (1) {
|
|
nextLine = strchr(currLine, '\n');
|
|
if (nextLine == NULL) {
|
|
/* print out the last line here. */
|
|
printf ("\"%s\",\n", currLine);
|
|
break;
|
|
}
|
|
nextLine[0] = '\0';
|
|
printf("\"%s\\n\"+\n", currLine);
|
|
currLine = nextLine+1;
|
|
}
|
|
printf("true);\n"
|
|
"if(retVal == '') {\n"
|
|
"\tdocument.write(\"<h1>New Certificate Successfully Imported.</h1>\");\n"
|
|
"} else {\n"
|
|
"\tdocument.write(\"<h2>Unable to import New Certificate</h2>\");\n"
|
|
"\tdocument.write(\"crypto.importUserCertificates returned <b>\");\n"
|
|
"\tdocument.write(retVal);\n"
|
|
"\tdocument.write(\"</b>\");\n"
|
|
"}\n");
|
|
}
|
|
|
|
void
|
|
spitOutCMMFResponse(char *nickname, char *base64Response)
|
|
{
|
|
spitOutHeaders();
|
|
printf("<html>\n<head>\n<title>CMMF Resonse Page</title>\n</head>\n\n"
|
|
"<body><h1>CMMF Response Page</h1>\n"
|
|
"<script language=\"JavaScript\">\n"
|
|
"<!--\n");
|
|
formatCMMFResponse(nickname, base64Response);
|
|
printf("// -->\n"
|
|
"</script>\n</body>\n</html>");
|
|
}
|
|
|
|
char*
|
|
getNickname(CERTCertificate *cert)
|
|
{
|
|
char *nickname;
|
|
|
|
if (cert->nickname != NULL) {
|
|
return cert->nickname;
|
|
}
|
|
nickname = CERT_GetCommonName(&cert->subject);
|
|
if (nickname != NULL) {
|
|
return nickname;
|
|
}
|
|
return CERT_NameToAscii(&cert->subject);
|
|
}
|
|
|
|
ErrorCode
|
|
createCMMFResponse(CertResponseInfo *issuedCerts, int numCerts,
|
|
CERTCertificate *issuerCert, char **base64der)
|
|
{
|
|
CMMFCertRepContent *certRepContent=NULL;
|
|
ErrorCode rv = NO_ERROR;
|
|
CMMFCertResponse **responses, *currResponse;
|
|
CERTCertList *caList;
|
|
int i;
|
|
SECStatus srv;
|
|
PLArenaPool *poolp;
|
|
SECItem *der;
|
|
|
|
certRepContent = CMMF_CreateCertRepContent();
|
|
if (certRepContent == NULL) {
|
|
rv = ERROR_CREATING_CERT_REP_CONTENT;
|
|
goto loser;
|
|
}
|
|
responses = PORT_NewArray(CMMFCertResponse*, numCerts);
|
|
if (responses == NULL) {
|
|
rv = OUT_OF_MEMORY;
|
|
goto loser;
|
|
}
|
|
for (i=0; i<numCerts;i++) {
|
|
responses[i] = currResponse =
|
|
CMMF_CreateCertResponse(issuedCerts[i].certReqID);
|
|
if (currResponse == NULL) {
|
|
rv = ERROR_CREATING_SINGLE_CERT_RESPONSE;
|
|
goto loser;
|
|
}
|
|
CMMF_CertResponseSetPKIStatusInfoStatus(currResponse, cmmfGranted);
|
|
CMMF_CertResponseSetCertificate(currResponse, issuedCerts[i].cert);
|
|
}
|
|
srv = CMMF_CertRepContentSetCertResponses(certRepContent, responses,
|
|
numCerts);
|
|
if (srv != SECSuccess) {
|
|
rv = ERROR_SETTING_CERT_RESPONSES;
|
|
goto loser;
|
|
}
|
|
caList = CERT_NewCertList();
|
|
if (caList == NULL) {
|
|
rv = ERROR_CREATING_CA_LIST;
|
|
goto loser;
|
|
}
|
|
srv = CERT_AddCertToListTail(caList, issuerCert);
|
|
if (srv != SECSuccess) {
|
|
rv = ERROR_ADDING_ISSUER_TO_CA_LIST;
|
|
goto loser;
|
|
}
|
|
srv = CMMF_CertRepContentSetCAPubs(certRepContent, caList);
|
|
CERT_DestroyCertList(caList);
|
|
poolp = PORT_NewArena(1024);
|
|
der = SEC_ASN1EncodeItem(poolp, NULL, certRepContent,
|
|
CMMFCertRepContentTemplate);
|
|
if (der == NULL) {
|
|
rv = ERROR_ENCODING_CERT_REP_CONTENT;
|
|
goto loser;
|
|
}
|
|
#ifdef WRITE_OUT_RESPONSE
|
|
writeOutItem("CertRepContent.der", der);
|
|
#endif
|
|
*base64der = BTOA_DataToAscii(der->data, der->len);
|
|
return NO_ERROR;
|
|
loser:
|
|
return rv;
|
|
}
|
|
|
|
ErrorCode
|
|
issueCerts(CertResponseInfo *issuedCerts, int numCerts,
|
|
CERTCertificate *issuerCert)
|
|
{
|
|
ErrorCode rv;
|
|
char *base64Response;
|
|
|
|
rv = createCMMFResponse(issuedCerts, numCerts, issuerCert, &base64Response);
|
|
if (rv != NO_ERROR) {
|
|
goto loser;
|
|
}
|
|
spitOutCMMFResponse(getNickname(issuedCerts[0].cert),base64Response);
|
|
return NO_ERROR;
|
|
loser:
|
|
return rv;
|
|
}
|
|
|
|
ErrorCode
|
|
verifySignature(CGIVarTable *varTable, CRMFCertReqMsg *currReq,
|
|
CRMFCertRequest *certReq, CERTCertificate *newCert)
|
|
{
|
|
SECStatus srv;
|
|
ErrorCode rv = NO_ERROR;
|
|
CRMFPOPOSigningKey *signKey = NULL;
|
|
SECAlgorithmID *algID = NULL;
|
|
SECItem *signature = NULL;
|
|
SECKEYPublicKey *pubKey = NULL;
|
|
SECItem *reqDER = NULL;
|
|
|
|
srv = CRMF_CertReqMsgGetPOPOSigningKey(currReq, &signKey);
|
|
if (srv != SECSuccess || signKey == NULL) {
|
|
rv = ERROR_RETRIEVING_POP_SIGN_KEY;
|
|
goto loser;
|
|
}
|
|
algID = CRMF_POPOSigningKeyGetAlgID(signKey);
|
|
if (algID == NULL) {
|
|
rv = ERROR_RETRIEVING_ALG_ID_FROM_SIGN_KEY;
|
|
goto loser;
|
|
}
|
|
signature = CRMF_POPOSigningKeyGetSignature(signKey);
|
|
if (signature == NULL) {
|
|
rv = ERROR_RETRIEVING_SIGNATURE_FROM_POP_SIGN_KEY;
|
|
goto loser;
|
|
}
|
|
/* Make the length the number of bytes instead of bits */
|
|
signature->len = (signature->len+7)/8;
|
|
pubKey = CERT_ExtractPublicKey(newCert);
|
|
if (pubKey == NULL) {
|
|
rv = ERROR_RETRIEVING_PUB_KEY_FROM_NEW_CERT;
|
|
goto loser;
|
|
}
|
|
reqDER = SEC_ASN1EncodeItem(NULL, NULL, certReq, CRMFCertRequestTemplate);
|
|
if (reqDER == NULL) {
|
|
rv = ERROR_ENCODING_CERT_REQ_FOR_POP;
|
|
goto loser;
|
|
}
|
|
srv = VFY_VerifyDataWithAlgorithmID(reqDER->data, reqDER->len, pubKey,
|
|
signature, &algID->algorithm, NULL, varTable);
|
|
if (srv != SECSuccess) {
|
|
rv = ERROR_VERIFYING_SIGNATURE_POP;
|
|
goto loser;
|
|
}
|
|
/* Fall thru in successfull case. */
|
|
loser:
|
|
if (pubKey != NULL) {
|
|
SECKEY_DestroyPublicKey(pubKey);
|
|
}
|
|
if (reqDER != NULL) {
|
|
SECITEM_FreeItem(reqDER, PR_TRUE);
|
|
}
|
|
if (signature != NULL) {
|
|
SECITEM_FreeItem(signature, PR_TRUE);
|
|
}
|
|
if (algID != NULL) {
|
|
SECOID_DestroyAlgorithmID(algID, PR_TRUE);
|
|
}
|
|
if (signKey != NULL) {
|
|
CRMF_DestroyPOPOSigningKey(signKey);
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
ErrorCode
|
|
doChallengeResponse(CGIVarTable *varTable, CRMFCertReqMsg *currReq,
|
|
CRMFCertRequest *certReq, CERTCertificate *newCert,
|
|
ChallengeCreationInfo *challs, int *numChall)
|
|
{
|
|
CRMFPOPOPrivKey *privKey = NULL;
|
|
CRMFPOPOPrivKeyChoice privKeyChoice;
|
|
SECStatus srv;
|
|
ErrorCode rv = NO_ERROR;
|
|
|
|
srv = CRMF_CertReqMsgGetPOPKeyEncipherment(currReq, &privKey);
|
|
if (srv != SECSuccess || privKey == NULL) {
|
|
rv = ERROR_GETTING_KEY_ENCIPHERMENT;
|
|
goto loser;
|
|
}
|
|
privKeyChoice = CRMF_POPOPrivKeyGetChoice(privKey);
|
|
CRMF_DestroyPOPOPrivKey(privKey);
|
|
switch (privKeyChoice) {
|
|
case crmfSubsequentMessage:
|
|
challs = &challs[*numChall];
|
|
challs->random = rand();
|
|
challs->pubKey = CERT_ExtractPublicKey(newCert);
|
|
if (challs->pubKey == NULL) {
|
|
rv = ERROR_RETRIEVING_PUB_KEY_FOR_CHALL;
|
|
goto loser;
|
|
}
|
|
(*numChall)++;
|
|
rv = DO_CHALLENGE_RESPONSE;
|
|
break;
|
|
case crmfThisMessage:
|
|
/* There'd better be a PKIArchiveControl in this message */
|
|
if (!CRMF_CertRequestIsControlPresent(certReq,
|
|
crmfPKIArchiveOptionsControl)) {
|
|
rv = ERROR_NO_POP_FOR_PRIVKEY;
|
|
goto loser;
|
|
}
|
|
break;
|
|
default:
|
|
rv = ERROR_UNSUPPORTED_POPOPRIVKEY_TYPE;
|
|
goto loser;
|
|
}
|
|
loser:
|
|
return rv;
|
|
}
|
|
|
|
ErrorCode
|
|
doProofOfPossession(CGIVarTable *varTable, CRMFCertReqMsg *currReq,
|
|
CRMFCertRequest *certReq, CERTCertificate *newCert,
|
|
ChallengeCreationInfo *challs, int *numChall)
|
|
{
|
|
CRMFPOPChoice popChoice;
|
|
ErrorCode rv = NO_ERROR;
|
|
|
|
popChoice = CRMF_CertReqMsgGetPOPType(currReq);
|
|
if (popChoice == crmfNoPOPChoice) {
|
|
rv = NO_POP_FOR_REQUEST;
|
|
goto loser;
|
|
}
|
|
switch (popChoice) {
|
|
case crmfSignature:
|
|
rv = verifySignature(varTable, currReq, certReq, newCert);
|
|
break;
|
|
case crmfKeyEncipherment:
|
|
rv = doChallengeResponse(varTable, currReq, certReq, newCert,
|
|
challs, numChall);
|
|
break;
|
|
case crmfRAVerified:
|
|
case crmfKeyAgreement:
|
|
default:
|
|
rv = UNSUPPORTED_POP;
|
|
goto loser;
|
|
}
|
|
loser:
|
|
return rv;
|
|
}
|
|
|
|
void
|
|
convertB64ToJS(char *base64)
|
|
{
|
|
int i;
|
|
|
|
for (i=0; base64[i] != '\0'; i++) {
|
|
if (base64[i] == '\n') {
|
|
printf ("\\n");
|
|
}else {
|
|
printf ("%c", base64[i]);
|
|
}
|
|
}
|
|
}
|
|
|
|
void
|
|
formatChallenge(char *chall64, char *certRepContentDER,
|
|
ChallengeCreationInfo *challInfo, int numChalls)
|
|
{
|
|
printf ("function respondToChallenge() {\n"
|
|
" var chalForm = document.chalForm;\n\n"
|
|
" chalForm.CertRepContent.value = '");
|
|
convertB64ToJS(certRepContentDER);
|
|
printf ("';\n"
|
|
" chalForm.ChallResponse.value = crypto.popChallengeResponse('");
|
|
convertB64ToJS(chall64);
|
|
printf("');\n"
|
|
" chalForm.submit();\n"
|
|
"}\n");
|
|
|
|
}
|
|
|
|
void
|
|
spitOutChallenge(char *chall64, char *certRepContentDER,
|
|
ChallengeCreationInfo *challInfo, int numChalls,
|
|
char *nickname)
|
|
{
|
|
int i;
|
|
|
|
spitOutHeaders();
|
|
printf("<html>\n"
|
|
"<head>\n"
|
|
"<title>Challenge Page</title>\n"
|
|
"<script language=\"JavaScript\">\n"
|
|
"<!--\n");
|
|
/* The JavaScript function actually gets defined within
|
|
* this function call
|
|
*/
|
|
formatChallenge(chall64, certRepContentDER, challInfo, numChalls);
|
|
printf("// -->\n"
|
|
"</script>\n"
|
|
"</head>\n"
|
|
"<body onLoad='respondToChallenge()'>\n"
|
|
"<h1>Cartman is now responding to the Challenge "
|
|
"presented by the CGI</h1>\n"
|
|
"<form action='crmfcgi' method='post' name='chalForm'>\n"
|
|
"<input type='hidden' name=CertRepContent value=''>\n"
|
|
"<input type='hidden' name=ChallResponse value=''>\n");
|
|
for (i=0;i<numChalls; i++) {
|
|
printf("<input type='hidden' name='chal%d' value='%d'>\n",
|
|
i+1, challInfo[i].random);
|
|
}
|
|
printf("<input type='hidden' name='nickname' value='%s'>\n", nickname);
|
|
printf("</form>\n</body>\n</html>");
|
|
}
|
|
|
|
ErrorCode
|
|
issueChallenge(CertResponseInfo *issuedCerts, int numCerts,
|
|
ChallengeCreationInfo *challInfo, int numChalls,
|
|
CERTCertificate *issuer, CGIVarTable *varTable)
|
|
{
|
|
ErrorCode rv = NO_ERROR;
|
|
CMMFPOPODecKeyChallContent *chalContent = NULL;
|
|
int i;
|
|
SECStatus srv;
|
|
PLArenaPool *poolp;
|
|
CERTGeneralName *genName;
|
|
SECItem *challDER = NULL;
|
|
char *chall64, *certRepContentDER;
|
|
|
|
rv = createCMMFResponse(issuedCerts, numCerts, issuer,
|
|
&certRepContentDER);
|
|
if (rv != NO_ERROR) {
|
|
goto loser;
|
|
}
|
|
chalContent = CMMF_CreatePOPODecKeyChallContent();
|
|
if (chalContent == NULL) {
|
|
rv = ERROR_CREATING_EMPTY_CHAL_CONTENT;
|
|
goto loser;
|
|
}
|
|
poolp = PORT_NewArena(1024);
|
|
if (poolp == NULL) {
|
|
rv = OUT_OF_MEMORY;
|
|
goto loser;
|
|
}
|
|
genName = CERT_GetCertificateNames(issuer, poolp);
|
|
if (genName == NULL) {
|
|
rv = ERROR_EXTRACTING_GEN_NAME_FROM_ISSUER;
|
|
goto loser;
|
|
}
|
|
for (i=0;i<numChalls;i++) {
|
|
srv = CMMF_POPODecKeyChallContentSetNextChallenge(chalContent,
|
|
challInfo[i].random,
|
|
genName,
|
|
challInfo[i].pubKey,
|
|
varTable);
|
|
SECKEY_DestroyPublicKey(challInfo[i].pubKey);
|
|
if (srv != SECSuccess) {
|
|
rv = ERROR_SETTING_CHALLENGE;
|
|
goto loser;
|
|
}
|
|
}
|
|
challDER = SEC_ASN1EncodeItem(NULL, NULL, chalContent,
|
|
CMMFPOPODecKeyChallContentTemplate);
|
|
if (challDER == NULL) {
|
|
rv = ERROR_ENCODING_CHALL;
|
|
goto loser;
|
|
}
|
|
chall64 = BTOA_DataToAscii(challDER->data, challDER->len);
|
|
SECITEM_FreeItem(challDER, PR_TRUE);
|
|
if (chall64 == NULL) {
|
|
rv = ERROR_CONVERTING_CHALL_TO_BASE64;
|
|
goto loser;
|
|
}
|
|
spitOutChallenge(chall64, certRepContentDER, challInfo, numChalls,
|
|
getNickname(issuedCerts[0].cert));
|
|
loser:
|
|
return rv;
|
|
}
|
|
|
|
|
|
ErrorCode
|
|
processRequest(CGIVarTable *varTable)
|
|
{
|
|
CERTCertDBHandle *certdb;
|
|
SECKEYKeyDBHandle *keydb;
|
|
CRMFCertReqMessages *certReqs = NULL;
|
|
const char *crmfReq;
|
|
const char *caNickname;
|
|
CERTCertificate *caCert = NULL;
|
|
CertResponseInfo *issuedCerts = NULL;
|
|
CERTSubjectPublicKeyInfo spki = { 0 };
|
|
ErrorCode rv=NO_ERROR;
|
|
PRBool doChallengeResponse = PR_FALSE;
|
|
SECItem der = { 0 };
|
|
SECStatus srv;
|
|
CERTCertificateRequest oldCertReq = { 0 };
|
|
CRMFCertReqMsg **reqMsgs = NULL,*currReq = NULL;
|
|
CRMFCertRequest **reqs = NULL, *certReq = NULL;
|
|
CERTName subject = { 0 };
|
|
int numReqs,i;
|
|
ChallengeCreationInfo *challInfo=NULL;
|
|
int numChalls = 0;
|
|
|
|
certdb = CERT_GetDefaultCertDB();
|
|
keydb = SECKEY_GetDefaultKeyDB();
|
|
crmfReq = CGITableFindValue(varTable, "CRMFRequest");
|
|
if (crmfReq == NULL) {
|
|
rv = CGI_VAR_MISSING;
|
|
missingVar = "CRMFRequest";
|
|
goto loser;
|
|
}
|
|
caNickname = CGITableFindValue(varTable, "CANickname");
|
|
if (caNickname == NULL) {
|
|
rv = CGI_VAR_MISSING;
|
|
missingVar = "CANickname";
|
|
goto loser;
|
|
}
|
|
caCert = CERT_FindCertByNickname(certdb, caNickname);
|
|
if (caCert == NULL) {
|
|
rv = COULD_NOT_FIND_CA;
|
|
goto loser;
|
|
}
|
|
srv = ATOB_ConvertAsciiToItem(&der, crmfReq);
|
|
if (srv != SECSuccess) {
|
|
rv = BAD_ASCII_FOR_REQ;
|
|
goto loser;
|
|
}
|
|
certReqs = CRMF_CreateCertReqMessagesFromDER(der.data, der.len);
|
|
SECITEM_FreeItem(&der, PR_FALSE);
|
|
if (certReqs == NULL) {
|
|
rv = COULD_NOT_DECODE_REQS;
|
|
goto loser;
|
|
}
|
|
numReqs = CRMF_CertReqMessagesGetNumMessages(certReqs);
|
|
issuedCerts = PORT_ZNewArray(CertResponseInfo, numReqs);
|
|
challInfo = PORT_ZNewArray(ChallengeCreationInfo, numReqs);
|
|
if (issuedCerts == NULL || challInfo == NULL) {
|
|
rv = OUT_OF_MEMORY;
|
|
goto loser;
|
|
}
|
|
reqMsgs = PORT_ZNewArray(CRMFCertReqMsg*, numReqs);
|
|
reqs = PORT_ZNewArray(CRMFCertRequest*, numReqs);
|
|
if (reqMsgs == NULL || reqs == NULL) {
|
|
rv = OUT_OF_MEMORY;
|
|
goto loser;
|
|
}
|
|
for (i=0; i<numReqs; i++) {
|
|
currReq = reqMsgs[i] =
|
|
CRMF_CertReqMessagesGetCertReqMsgAtIndex(certReqs, i);
|
|
if (currReq == NULL) {
|
|
rv = ERROR_RETRIEVING_REQUEST_MSG;
|
|
goto loser;
|
|
}
|
|
certReq = reqs[i] = CRMF_CertReqMsgGetCertRequest(currReq);
|
|
if (certReq == NULL) {
|
|
rv = ERROR_RETRIEVING_CERT_REQUEST;
|
|
goto loser;
|
|
}
|
|
srv = CRMF_CertRequestGetCertTemplateSubject(certReq, &subject);
|
|
if (srv != SECSuccess) {
|
|
rv = ERROR_RETRIEVING_SUBJECT_FROM_REQ;
|
|
goto loser;
|
|
}
|
|
srv = CRMF_CertRequestGetCertTemplatePublicKey(certReq, &spki);
|
|
if (srv != SECSuccess) {
|
|
rv = ERROR_RETRIEVING_PUBLIC_KEY_FROM_REQ;
|
|
goto loser;
|
|
}
|
|
rv = initOldCertReq(&oldCertReq, &subject, &spki);
|
|
if (rv != NO_ERROR) {
|
|
goto loser;
|
|
}
|
|
rv = createNewCert(&issuedCerts[i].cert, &oldCertReq, currReq, certReq,
|
|
caCert, varTable);
|
|
if (rv != NO_ERROR) {
|
|
goto loser;
|
|
}
|
|
rv = doProofOfPossession(varTable, currReq, certReq, issuedCerts[i].cert,
|
|
challInfo, &numChalls);
|
|
if (rv != NO_ERROR) {
|
|
if (rv == DO_CHALLENGE_RESPONSE) {
|
|
doChallengeResponse = PR_TRUE;
|
|
} else {
|
|
goto loser;
|
|
}
|
|
}
|
|
CRMF_CertReqMsgGetID(currReq, &issuedCerts[i].certReqID);
|
|
CRMF_DestroyCertReqMsg(currReq);
|
|
CRMF_DestroyCertRequest(certReq);
|
|
}
|
|
if (doChallengeResponse) {
|
|
rv = issueChallenge(issuedCerts, numReqs, challInfo, numChalls, caCert,
|
|
varTable);
|
|
} else {
|
|
rv = issueCerts(issuedCerts, numReqs, caCert);
|
|
}
|
|
loser:
|
|
if (certReqs != NULL) {
|
|
CRMF_DestroyCertReqMessages(certReqs);
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
ErrorCode
|
|
processChallengeResponse(CGIVarTable *varTable, const char *certRepContent)
|
|
{
|
|
SECItem binDER = { 0 };
|
|
SECStatus srv;
|
|
ErrorCode rv = NO_ERROR;
|
|
const char *clientResponse;
|
|
const char *formChalValue;
|
|
const char *nickname;
|
|
CMMFPOPODecKeyRespContent *respContent = NULL;
|
|
int numResponses,i;
|
|
long curResponse, expectedResponse;
|
|
char cgiChalVar[10];
|
|
#ifdef WRITE_OUT_RESPONSE
|
|
SECItem certRepBinDER = { 0 };
|
|
|
|
ATOB_ConvertAsciiToItem(&certRepBinDER, certRepContent);
|
|
writeOutItem("challCertRepContent.der", &certRepBinDER);
|
|
PORT_Free(certRepBinDER.data);
|
|
#endif
|
|
clientResponse = CGITableFindValue(varTable, "ChallResponse");
|
|
if (clientResponse == NULL) {
|
|
rv = REQ_CGI_VAR_NOT_PRESENT;
|
|
missingVar = "ChallResponse";
|
|
goto loser;
|
|
}
|
|
srv = ATOB_ConvertAsciiToItem(&binDER, clientResponse);
|
|
if (srv != SECSuccess) {
|
|
rv = ERROR_CONVERTING_RESP_FROM_CHALL_TO_BIN;
|
|
goto loser;
|
|
}
|
|
respContent = CMMF_CreatePOPODecKeyRespContentFromDER(binDER.data,
|
|
binDER.len);
|
|
SECITEM_FreeItem(&binDER, PR_FALSE);
|
|
binDER.data = NULL;
|
|
if (respContent == NULL) {
|
|
rv = ERROR_CREATING_KEY_RESP_FROM_DER;
|
|
goto loser;
|
|
}
|
|
numResponses = CMMF_POPODecKeyRespContentGetNumResponses(respContent);
|
|
for (i=0;i<numResponses;i++){
|
|
srv = CMMF_POPODecKeyRespContentGetResponse(respContent,i,&curResponse);
|
|
if (srv != SECSuccess) {
|
|
rv = ERROR_RETRIEVING_CLIENT_RESPONSE_TO_CHALLENGE;
|
|
goto loser;
|
|
}
|
|
sprintf(cgiChalVar, "chal%d", i+1);
|
|
formChalValue = CGITableFindValue(varTable, cgiChalVar);
|
|
if (formChalValue == NULL) {
|
|
rv = REQ_CGI_VAR_NOT_PRESENT;
|
|
missingVar = strdup(cgiChalVar);
|
|
goto loser;
|
|
}
|
|
sscanf(formChalValue, "%ld", &expectedResponse);
|
|
if (expectedResponse != curResponse) {
|
|
rv = ERROR_RETURNED_CHALL_NOT_VALUE_EXPECTED;
|
|
goto loser;
|
|
}
|
|
}
|
|
nickname = CGITableFindValue(varTable, "nickname");
|
|
if (nickname == NULL) {
|
|
rv = REQ_CGI_VAR_NOT_PRESENT;
|
|
missingVar = "nickname";
|
|
goto loser;
|
|
}
|
|
spitOutCMMFResponse(nickname, certRepContent);
|
|
loser:
|
|
if (respContent != NULL) {
|
|
CMMF_DestroyPOPODecKeyRespContent(respContent);
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
int
|
|
main()
|
|
{
|
|
char *form_output = NULL;
|
|
int form_output_len, form_output_used;
|
|
CGIVarTable varTable = { 0 };
|
|
ErrorCode errNum = 0;
|
|
char *certRepContent;
|
|
|
|
#ifdef ATTACH_CGI
|
|
/* Put an ifinite loop in here so I can attach to
|
|
* the process after the process is spun off
|
|
*/
|
|
{ int stupid = 1;
|
|
while (stupid);
|
|
}
|
|
#endif
|
|
|
|
form_output_used = 0;
|
|
srand(time(NULL));
|
|
while (feof(stdin) == 0) {
|
|
if (form_output == NULL) {
|
|
form_output = PORT_NewArray(char, DEFAULT_ALLOC_SIZE+1);
|
|
form_output_len = DEFAULT_ALLOC_SIZE;
|
|
} else if ((form_output_used + DEFAULT_ALLOC_SIZE) >= form_output_len) {
|
|
form_output_len += DEFAULT_ALLOC_SIZE;
|
|
form_output = PORT_Realloc(form_output, form_output_len+1);
|
|
}
|
|
form_output_used += fread(&form_output[form_output_used], sizeof(char),
|
|
DEFAULT_ALLOC_SIZE, stdin);
|
|
}
|
|
ParseInputVariables(&varTable, form_output);
|
|
certRepContent = CGITableFindValue(&varTable, "CertRepContent");
|
|
if (certRepContent == NULL) {
|
|
errNum = initNSS(&varTable);
|
|
if (errNum != 0) {
|
|
goto loser;
|
|
}
|
|
errNum = processRequest(&varTable);
|
|
} else {
|
|
errNum = processChallengeResponse(&varTable, certRepContent);
|
|
}
|
|
if (errNum != NO_ERROR) {
|
|
goto loser;
|
|
}
|
|
goto done;
|
|
loser:
|
|
dumpErrorMessage(errNum);
|
|
done:
|
|
free (form_output);
|
|
return 0;
|
|
}
|
|
|