security/nss/lib/jar/jarjart.c

   1 /* ***** BEGIN LICENSE BLOCK *****
   2  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
   3  *
   4  * The contents of this file are subject to the Mozilla Public License Version
   5  * 1.1 (the "License"); you may not use this file except in compliance with
   6  * the License. You may obtain a copy of the License at
   7  * http://www.mozilla.org/MPL/
   8  *
   9  * Software distributed under the License is distributed on an "AS IS" basis,
  10  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  11  * for the specific language governing rights and limitations under the
  12  * License.
  13  *
  14  * The Original Code is the Netscape security libraries.
  15  *
  16  * The Initial Developer of the Original Code is
  17  * Netscape Communications Corporation.
  18  * Portions created by the Initial Developer are Copyright (C) 1994-2000
  19  * the Initial Developer. All Rights Reserved.
  20  *
  21  * Contributor(s):
  22  *
  23  * Alternatively, the contents of this file may be used under the terms of
  24  * either the GNU General Public License Version 2 or later (the "GPL"), or
  25  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  26  * in which case the provisions of the GPL or the LGPL are applicable instead
  27  * of those above. If you wish to allow use of your version of this file only
  28  * under the terms of either the GPL or the LGPL, and not to allow others to
  29  * use your version of this file under the terms of the MPL, indicate your
  30  * decision by deleting the provisions above and replace them with the notice
  31  * and other provisions required by the GPL or the LGPL. If you do not delete
  32  * the provisions above, a recipient may use your version of this file under
  33  * the terms of any one of the MPL, the GPL or the LGPL.
  34  *
  35  * ***** END LICENSE BLOCK ***** */
  36
  37 /*
  38  *  JARJART
  39  *
  40  *  JAR functions used by Jartool
  41  */
  42
  43 /* This allows manifest files above 64k to be
  44    processed on non-win16 platforms */
  45
  46 #include "jar.h"
  47 #include "jarint.h"
  48 #include "jarjart.h"
  49 #include "blapi.h"      /* JAR is supposed to be above the line!! */
  50 #include "pk11func.h"   /* PK11 wrapper funcs are all above the line. */
  51 #include "certdb.h"
  52
  53 /* from certdb.h */
  54 #define CERTDB_USER (1<<6)
  55
  56 /*
  57  *  S O B _ l i s t _ c e r t s
  58  *
  59  *  Return a list of newline separated certificate nicknames
  60  *  (this function used by the Jartool)
  61  *
  62  */
  63
  64 static SECStatus jar_list_cert_callback
  65      (CERTCertificate *cert, SECItem *k, void *data)
  66   {
  67   char *name;
  68   char **ugly_list;
  69
  70   int trusted;
  71
  72   ugly_list = (char **) data;
  73
  74   if (cert)
  75     {
  76     name = cert->nickname;
  77
  78     trusted = cert->trust->objectSigningFlags & CERTDB_USER;
  79
  80     /* Add this name or email to list */
  81
  82     if (name && trusted)
  83       {
  84       *ugly_list = (char*)PORT_Realloc
  85            (*ugly_list, PORT_Strlen (*ugly_list) + PORT_Strlen (name) + 2);
  86
  87       if (*ugly_list)
  88         {
  89         if (**ugly_list)
  90           PORT_Strcat (*ugly_list, "\n");
  91
  92         PORT_Strcat (*ugly_list, name);
  93         }
  94       }
  95     }
  96
  97   return (SECSuccess);
  98   }
  99
 100 /*
 101  *  S O B _ J A R _ l i s t _ c e r t s
 102  *
 103  *  Return a linfeed separated ascii list of certificate
 104  *  nicknames for the Jartool.
 105  *
 106  */
 107
 108 char *JAR_JAR_list_certs (void)
 109   {
 110   SECStatus status = SECFailure;
 111   CERTCertDBHandle *certdb;
 112   CERTCertList *certs;
 113   CERTCertListNode *node;
 114
 115   char *ugly_list;
 116
 117   certdb = JAR_open_database();
 118
 119   /* a little something */
 120   ugly_list = (char*)PORT_ZAlloc (16);
 121
 122   if (ugly_list)
 123     {
 124     *ugly_list = 0;
 125
 126     certs = PK11_ListCerts(PK11CertListUnique, NULL/* pwarg*/);
 127     if (certs)
 128       {
 129         for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs);
 130                                 node = CERT_LIST_NEXT(node))
 131            {
 132             jar_list_cert_callback(node->cert, NULL, (void *)&ugly_list);
 133            }
 134         CERT_DestroyCertList(certs);
 135         status = SECSuccess;
 136        }
 137     }
 138
 139   JAR_close_database (certdb);
 140
 141   return (status != SECSuccess) ? NULL : ugly_list;
 142   }
 143
 144 int JAR_JAR_validate_archive (char *filename)
 145   {
 146   JAR *jar;
 147   int status = -1;
 148
 149   jar = JAR_new();
 150
 151   if (jar)
 152     {
 153     status = JAR_pass_archive (jar, jarArchGuess, filename, "");
 154
 155     if (status == 0)
 156       status = jar->valid;
 157
 158     JAR_destroy (jar);
 159     }
 160
 161   return status;
 162   }
 163
 164 char *JAR_JAR_get_error (int status)
 165   {
 166   return JAR_get_error (status);
 167   }
 168
 169 /*
 170  *  S O B _ J A R _  h a s h
 171  *
 172  *  Hash algorithm interface for use by the Jartool. Since we really
 173  *  don't know the private sizes of the context, and Java does need to
 174  *  know this number, allocate 512 bytes for it.
 175  *
 176  *  In april 1997 hashes in this file were changed to call PKCS11,
 177  *  as FIPS requires that when a smartcard has failed validation,
 178  *  hashes are not to be performed. But because of the difficulty of
 179  *  preserving pointer context between calls to the JAR_JAR hashing
 180  *  functions, the hash routines are called directly, though after
 181  *  checking to see if hashing is allowed.
 182  *
 183  */
 184
 185 void *JAR_JAR_new_hash (int alg)
 186   {
 187   void *context;
 188
 189   MD5Context *md5;
 190   SHA1Context *sha1;
 191
 192   /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
 193
 194   if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1))
 195     return NULL;
 196
 197   context = PORT_ZAlloc (512);
 198
 199   if (context)
 200     {
 201     switch (alg)
 202       {
 203       case 1:  /* MD5 */
 204                md5 = (MD5Context *) context;
 205                MD5_Begin (md5);
 206                break;
 207
 208       case 2:  /* SHA1 */
 209                sha1 = (SHA1Context *) context;
 210                SHA1_Begin (sha1);
 211                break;
 212       }
 213     }
 214
 215   return context;
 216   }
 217
 218 void *JAR_JAR_hash (int alg, void *cookie, int length, void *data)
 219   {
 220   MD5Context *md5;
 221   SHA1Context *sha1;
 222
 223   /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
 224
 225   if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1))
 226     return NULL;
 227
 228   if (length > 0)
 229     {
 230     switch (alg)
 231       {
 232       case 1:  /* MD5 */
 233                md5 = (MD5Context *) cookie;
 234                MD5_Update (md5, (unsigned char*)data, length);
 235                break;
 236
 237       case 2:  /* SHA1 */
 238                sha1 = (SHA1Context *) cookie;
 239                SHA1_Update (sha1, (unsigned char*)data, length);
 240                break;
 241       }
 242     }
 243
 244   return cookie;
 245   }
 246
 247 void *JAR_JAR_end_hash (int alg, void *cookie)
 248   {
 249   int length;
 250   unsigned char *data;
 251   char *ascii;
 252
 253   MD5Context *md5;
 254   SHA1Context *sha1;
 255
 256   unsigned int md5_length;
 257   unsigned char md5_digest [MD5_LENGTH];
 258
 259   unsigned int sha1_length;
 260   unsigned char sha1_digest [SHA1_LENGTH];
 261
 262   /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
 263
 264   if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1))
 265     return NULL;
 266
 267   switch (alg)
 268     {
 269     case 1:  /* MD5 */
 270
 271              md5 = (MD5Context *) cookie;
 272
 273              MD5_End (md5, md5_digest, &md5_length, MD5_LENGTH);
 274              /* MD5_DestroyContext (md5, PR_TRUE); */
 275
 276              data = md5_digest;
 277              length = md5_length;
 278
 279              break;
 280
 281     case 2:  /* SHA1 */
 282
 283              sha1 = (SHA1Context *) cookie;
 284
 285              SHA1_End (sha1, sha1_digest, &sha1_length, SHA1_LENGTH);
 286              /* SHA1_DestroyContext (sha1, PR_TRUE); */
 287
 288              data = sha1_digest;
 289              length = sha1_length;
 290
 291              break;
 292
 293     default: return NULL;
 294     }
 295
 296   /* Instead of destroy context, since we created it */
 297   /* PORT_Free (cookie); */
 298
 299   ascii = BTOA_DataToAscii(data, length);
 300
 301   return ascii ? PORT_Strdup (ascii) : NULL;
 302   }
 303
 304 /*
 305  *  S O B _ J A R _ s i g n _ a r c h i v e
 306  *
 307  *  A simple API to sign a JAR archive.
 308  *
 309  */
 310
 311 int JAR_JAR_sign_archive
 312       (char *nickname, char *password, char *sf, char *outsig)
 313   {
 314   int status = JAR_ERR_GENERAL;
 315   JAR_FILE sf_fp;
 316   JAR_FILE out_fp;
 317
 318   CERTCertDBHandle *certdb;
 319   void *keydb;
 320
 321   CERTCertificate *cert;
 322
 323   if (PORT_Strlen (sf) < 5)
 324     {
 325     return JAR_ERR_GENERAL;
 326     }
 327
 328   /* open cert and key databases */
 329
 330   certdb = JAR_open_database();
 331   if (certdb == NULL)
 332     return JAR_ERR_GENERAL;
 333
 334   keydb = jar_open_key_database();
 335   if (keydb == NULL)
 336     {
 337     JAR_close_database(certdb);
 338     return JAR_ERR_GENERAL;
 339     }
 340
 341   sf_fp = JAR_FOPEN (sf, "rb");
 342   out_fp = JAR_FOPEN (outsig, "wb");
 343
 344   cert = CERT_FindCertByNickname (certdb, nickname);
 345
 346   if (cert && sf_fp && out_fp)
 347     {
 348     status = jar_create_pk7 (certdb, keydb, cert, password, sf_fp, out_fp);
 349     }
 350
 351   /* remove password from prying eyes */
 352   PORT_Memset (password, 0, PORT_Strlen (password));
 353
 354   JAR_FCLOSE (sf_fp);
 355   JAR_FCLOSE (out_fp);
 356
 357   JAR_close_database (certdb);
 358   jar_close_key_database (keydb);
 359
 360   return status;
 361   }