Link certutil dynamically.

security/nss/cmd/certutil/certutil.c

@@ -233,13 +233,13 @@ GetCertRequest(PRFileDesc *inFile, PRBool ascii)
 	   data
 	 */
 	PORT_Memset(&signedData, 0, sizeof(signedData));
-	rv = SEC_ASN1DecodeItem(arena, &signedData, CERT_SignedDataTemplate, 
-				&reqDER);
+	rv = SEC_ASN1DecodeItem(arena, &signedData, 
+		SEC_ASN1_GET(CERT_SignedDataTemplate), &reqDER);
 	if (rv)
 	    break;
 	
-        rv = SEC_ASN1DecodeItem(arena, certReq, CERT_CertificateRequestTemplate,
-				&signedData.data);
+        rv = SEC_ASN1DecodeItem(arena, certReq, 
+		SEC_ASN1_GET(CERT_CertificateRequestTemplate), &signedData.data);
    } while (0);
 
    if (rv) {
@@ -409,7 +409,7 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
     
     /* Der encode the request */
     encoding = SEC_ASN1EncodeItem(arena, NULL, cr,
-				  CERT_CertificateRequestTemplate);
+		  SEC_ASN1_GET(CERT_CertificateRequestTemplate));
     if (encoding == NULL) {
 	SECU_PrintError(progName, "der encoding of request failed");
 	return SECFailure;
@@ -599,84 +599,49 @@ listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot,
     PRInt32 numBytes;
     SECStatus rv;
 
-#ifdef nodef
-    /* For now, split handling of slot to internal vs. other.  slot should
-     * probably be allowed to be NULL so that all slots can be listed.
-     * In that case, need to add a call to PK11_TraverseSlotCerts().
-     */
-    if (PK11_IsInternal(slot)) {
-	if (name == NULL) {
-	    /* Print all certs in internal slot db. */
-	    rv = SECU_PrintCertificateNames(handle, PR_STDOUT, 
-	                                    PR_FALSE, PR_TRUE);
-	    if (rv) {
-		SECU_PrintError(progName, 
-		                "problem printing certificate nicknames");
-		return SECFailure;
-	    }
-	} else if (raw || ascii) {
-	    /* Dump binary or ascii DER for the cert to stdout. */
-	    cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
-	    if (!cert) {
-		SECU_PrintError(progName,
-		               "could not find certificate named \"%s\"", name);
-		return SECFailure;
-	    }
-	    data.data = cert->derCert.data;
-	    data.len = cert->derCert.len;
-	    if (ascii) {
-		PR_fprintf(outfile, "%s\n%s\n%s\n", NS_CERT_HEADER, 
-		        BTOA_DataToAscii(data.data, data.len), NS_CERT_TRAILER);
-	    } else if (raw) {
-	        numBytes = PR_Write(outfile, data.data, data.len);
-	        if (numBytes != data.len) {
-		    SECU_PrintSystemError(progName, "error writing raw cert");
-		    return SECFailure;
-		}
-	    }
-	} else {
-	    /* Pretty-print cert. */
-	    rv = CERT_TraversePermCertsForNickname(handle, name, printCertCB,
-	                                           NULL);
-	}
-    } else {
-#endif
-	/* List certs on a non-internal slot. */
-	if (!PK11_IsFriendly(slot) && PK11_NeedLogin(slot))
+    /* List certs on a non-internal slot. */
+    if (!PK11_IsFriendly(slot) && PK11_NeedLogin(slot))
 	    PK11_Authenticate(slot, PR_TRUE, pwarg);
-	if (name) {
-	    CERTCertificate *the_cert;
-	    the_cert = PK11_FindCertFromNickname(name, NULL);
-	    if (!the_cert) {
-		SECU_PrintError(progName, "Could not find: %s\n", name);
-		return SECFailure;
-	    }
-	    data.data = the_cert->derCert.data;
-	    data.len = the_cert->derCert.len;
-	    if (ascii) {
-		PR_fprintf(outfile, "%s\n%s\n%s\n", NS_CERT_HEADER, 
-		        BTOA_DataToAscii(data.data, data.len), NS_CERT_TRAILER);
-		rv = SECSuccess;
-	    } else if (raw) {
-		numBytes = PR_Write(outfile, data.data, data.len);
-	        if (numBytes != data.len) {
-		    SECU_PrintSystemError(progName, "error writing raw cert");
-		    rv = SECFailure;
-		}
-		rv = SECSuccess;
-	    } else {
-	        rv = printCertCB(the_cert, the_cert->trust);
-	    }
-	} else {
-	    rv = PK11_TraverseCertsInSlot(slot, SECU_PrintCertNickname, stdout);
-	}
-	if (rv) {
-	    SECU_PrintError(progName, "problem printing certificate nicknames");
+    if (name) {
+	CERTCertificate *the_cert;
+	the_cert = PK11_FindCertFromNickname(name, NULL);
+	if (!the_cert) {
+	    SECU_PrintError(progName, "Could not find: %s\n", name);
 	    return SECFailure;
 	}
-#ifdef notdef
+	data.data = the_cert->derCert.data;
+	data.len = the_cert->derCert.len;
+	if (ascii) {
+	    PR_fprintf(outfile, "%s\n%s\n%s\n", NS_CERT_HEADER, 
+		        BTOA_DataToAscii(data.data, data.len), NS_CERT_TRAILER);
+	    rv = SECSuccess;
+	} else if (raw) {
+	    numBytes = PR_Write(outfile, data.data, data.len);
+	    if (numBytes != data.len) {
+		SECU_PrintSystemError(progName, "error writing raw cert");
+		rv = SECFailure;
+	    }
+	    rv = SECSuccess;
+	} else {
+	    rv = printCertCB(the_cert, the_cert->trust);
+	}
+    } else {
+	CERTCertList *certs;
+	CERTCertListNode *node;
+
+	certs = PK11_ListCertsInSlot(slot);
+	if (certs) {
+	    for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs);
+						node = CERT_LIST_NEXT(node)) {
+		SECU_PrintCertNickname(node->cert,stdout);
+	    }
+	    CERT_DestroyCertList(certs);
+	}
+    }
+    if (rv) {
+	SECU_PrintError(progName, "problem printing certificate nicknames");
+	return SECFailure;
     }
-#endif
 
     return SECSuccess;	/* not rv ?? */
 }
@@ -936,31 +901,19 @@ printKeyCB(SECKEYPublicKey *key, SECItem *data, void *arg)
     return SECSuccess;
 }
 
-struct secuCBData {
-    FILE *file;
-    int	keycount;
-    void *wincx;
-};
-
 /* callback for listing certs through pkcs11 */
 static SECStatus
-secu_PrintKeyFromCert(CERTCertificate *cert, void *data)
+secu_PrintKey(FILE *out, int count, SECKEYPrivateKey *key)
 {
-    FILE *out;
-    struct secuCBData *cbdata;
-    SECKEYPrivateKey *key;
+    char *name;
 
-    cbdata = (struct secuCBData *)data;
-    out = cbdata->file;
-    key = PK11_FindPrivateKeyFromCert(cert->slot, cert, cbdata->wincx);
-    if (!key) {
-	fprintf(out, "XXX could not extract key for %s.\n", cert->nickname);
-	return SECFailure;
+    name = PK11_GetPrivateKeyNickname(key);
+    if (name == NULL) {
+	/* should look up associated cert */
+	name = PORT_Strdup("< orphaned >");
     }
-    /* XXX should have a type field also */
-    fprintf(out, "<%d> %s\n", 0, cert->nickname);
-
-    cbdata->keycount++;
+    fprintf(out, "<%d> %s\n", count, name);
+    PORT_Free(name);
 
     return SECSuccess;
 }
@@ -968,43 +921,24 @@ secu_PrintKeyFromCert(CERTCertificate *cert, void *data)
 static SECStatus
 listKeys(PK11SlotInfo *slot, KeyType keyType, void *pwarg)
 {
-    SECStatus rv = SECSuccess;
-    struct secuCBData cbdata;
+    SECKEYPrivateKeyList *list;
+    SECKEYPrivateKeyListNode *node;
+    int count;
 
-    cbdata.keycount = 0;
-    cbdata.file = stdout;
-    cbdata.wincx = pwarg;
-
-#ifdef notdef
-    if (PK11_IsInternal(slot)) {
-	/* Print all certs in internal slot db. */
-	rv = SECU_PrintKeyNames(SECKEY_GetDefaultKeyDB(), stdout);
-	if (rv) {
-	    SECU_PrintError(progName, "problem listing keys");
-	    return SECFailure;
-	}
-    } else {
-#endif
-	/* XXX need a function as below */
-	/* could iterate over certs on slot and print keys */
-	/* this would miss stranded keys */
-    /*rv = PK11_TraverseSlotKeys(slotname, keyType, printKeyCB, NULL, NULL);*/
-	if (PK11_NeedLogin(slot))
+    if (PK11_NeedLogin(slot))
 	    PK11_Authenticate(slot, PR_TRUE, pwarg);
-	rv = PK11_TraverseCertsInSlot(slot, secu_PrintKeyFromCert, &cbdata);
-	if (rv) {
+
+    list = PK11_ListPrivateKeysInSlot(slot);
+    if (list == NULL) {
 	    SECU_PrintError(progName, "problem listing keys");
 	    return SECFailure;
-	}
-	if (cbdata.keycount == 0) {
-	    SECU_PrintError(progName, "no keys found");
-	    return SECFailure;
-	}
-	return SECSuccess;
-#ifdef notdef
     }
-    return rv;
-#endif
+    for (count=0, node=PRIVKEY_LIST_HEAD(list) ; !PRIVKEY_LIST_END(node,list);
+			  node= PRIVKEY_LIST_NEXT(node),count++) {
+	secu_PrintKey(stdout, count, node->key);
+    }
+    SECKEY_DestroyPrivateKeyList(list);
+    return SECSuccess;
 }
 
 static SECStatus
@@ -1013,19 +947,6 @@ ListKeys(PK11SlotInfo *slot, char *keyname, int index,
 {
     SECStatus rv = SECSuccess;
 
-#ifdef notdef
-    if (keyname) {
-	if (dopriv) {
-	    return DumpPrivateKey(index, keyname, stdout);
-	} else {
-	    return DumpPublicKey(index, keyname, stdout);
-	}
-    }
-#endif
-    /* For now, split handling of slot to internal vs. other.  slot should
-     * probably be allowed to be NULL so that all slots can be listed.
-     * In that case, need to add a call to PK11_TraverseSlotCerts().
-     */
     if (slot == NULL) {
 	PK11SlotList *list;
 	PK11SlotListElement *le;
@@ -1565,6 +1486,14 @@ CreateOidSequence(void)
   return (CERTOidSequence *)NULL;
 }
 
+static void
+DestroyOidSequence(CERTOidSequence *os)
+{
+  if (os->arena) {
+    PORT_FreeArena(os->arena, PR_FALSE);
+  }
+}
+
 static SECStatus
 AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag)
 {
@@ -1604,11 +1533,19 @@ AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag)
   return SECSuccess;
 }
 
+SEC_ASN1_MKSUB(SEC_ObjectIDTemplate);
+
+const SEC_ASN1Template CERT_OidSeqTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN,
+	  offsetof(CERTOidSequence, oids),
+	  SEC_ASN1_SUB(SEC_ObjectIDTemplate) }
+};
+
+
 static SECItem *
 EncodeOidSequence(CERTOidSequence *os)
 {
   SECItem *rv;
-  extern const SEC_ASN1Template CERT_OidSeqTemplate[];
 
   rv = (SECItem *)PORT_ArenaZAlloc(os->arena, sizeof(SECItem));
   if( (SECItem *)NULL == rv ) {
@@ -1697,7 +1634,7 @@ AddExtKeyUsage (void *extHandle)
                           ? PR_TRUE : PR_FALSE), PR_TRUE);
   /*FALLTHROUGH*/
  loser:
-  CERT_DestroyOidSequence(os);
+  DestroyOidSequence(os);
   return rv;
 }
 
@@ -1864,7 +1801,8 @@ SECKEYPrivateKey *selfsignprivkey, char *issuerNickName, void *pwarg)
 
     der.len = 0;
     der.data = NULL;
-    dummy = SEC_ASN1EncodeItem (arena, &der, cert, CERT_CertificateTemplate);
+    dummy = SEC_ASN1EncodeItem (arena, &der, cert,
+			 	SEC_ASN1_GET(CERT_CertificateTemplate));
     if (!dummy) {
 	fprintf (stderr, "Could not encode certificate.\n");
 	goto done;

security/nss/cmd/certutil/keystuff.c

@@ -68,6 +68,14 @@ extern char *sys_errlist[];
 
 #define ERROR_BREAK rv = SECFailure;break;
 
+const SEC_ASN1Template SECKEY_PQGParamsTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) },
+    { 0, }
+};
+
 /* returns 0 for success, -1 for failure (EOF encountered) */
 static int
 UpdateRNG(void)
@@ -126,8 +134,7 @@ UpdateRNG(void)
 	    rv = -1;
 	    break;
 	}
-	RNG_GetNoise(&randbuf[1], sizeof(randbuf)-1);
-	RNG_RandomUpdate(randbuf, sizeof(randbuf));
+	PK11_RandomUpdate(randbuf, sizeof(randbuf));
 	if (c != randbuf[0]) {
 	    randbuf[0] = c;
 	    FPS "\r|");
@@ -189,27 +196,27 @@ static unsigned char G[] = { 0x00, 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a,
 			     0x8c, 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88,
 			     0x02 };
 
-static PQGParams default_pqg_params = {
+static SECKEYPQGParams default_pqg_params = {
     NULL,
     { 0, P, sizeof(P) },
     { 0, Q, sizeof(Q) },
     { 0, G, sizeof(G) }
 };
 
-static PQGParams *
+static SECKEYPQGParams *
 decode_pqg_params(char *str)
 {
     char *buf;
     unsigned int len;
     PRArenaPool *arena;
-    PQGParams *params;
+    SECKEYPQGParams *params;
     SECStatus status;
  
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if (arena == NULL)
         return NULL;
  
-    params = PORT_ArenaZAlloc(arena, sizeof(PQGParams));
+    params = PORT_ArenaZAlloc(arena, sizeof(SECKEYPQGParams));
     if (params == NULL)
         goto loser;
     params->arena = arena;
@@ -229,11 +236,19 @@ loser:
         PORT_FreeArena(arena, PR_FALSE);
     return NULL;
 }
- 
+
+void  
+CERTUTIL_DestroyParamsPQG(SECKEYPQGParams *params)
+{
+    if (params->arena) {
+        PORT_FreeArena(params->arena, PR_FALSE);
+    }
+}
+
 static int
 pqg_prime_bits(char *str)
 {
-    PQGParams *params = NULL;
+    SECKEYPQGParams *params = NULL;
     int primeBits = 0, i;
  
     params = decode_pqg_params(str);
@@ -246,7 +261,7 @@ pqg_prime_bits(char *str)
  
 done:
     if (params != NULL)
-        PQG_DestroyParams(params);
+        CERTUTIL_DestroyParamsPQG(params);
     return primeBits;
 }
 
@@ -270,7 +285,7 @@ SECU_GetpqgString(char *filename)
     return NULL;
 }
 
-PQGParams*
+SECKEYPQGParams*
 getpqgfromfile(int keyBits, char *pqgFile)
 {
     char *end, *str, *pqgString;
@@ -302,6 +317,26 @@ found_match:
     return decode_pqg_params(str);
 }
 
+void CERTUTIL_FileForRNG(char *noise)
+{
+    char buf[2048];
+    PRFileDesc *fd;
+    PRInt32 count;
+
+    fd = PR_OpenFile(noise,PR_RDONLY,0666);
+    if (!fd) return;
+
+    do {
+	count = PR_Read(fd,buf,sizeof(buf));
+	if (count > 0) {
+	    PK11_RandomUpdate(buf,count);
+	}
+    } while (count > 0);
+
+    PR_Close(fd);
+   
+}
+
 SECKEYPrivateKey *
 CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
 			    int publicExponent, char *noise, 
@@ -311,17 +346,16 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
     CK_MECHANISM_TYPE mechanism;
     SECOidTag algtag;
     PK11RSAGenParams rsaparams;
-    PQGParams *dsaparams = NULL;
+    SECKEYPQGParams *dsaparams = NULL;
     void *params;
     PRArenaPool *dsaparena;
 
     /*
      * Do some random-number initialization.
      */
-    RNG_SystemInfoForRNG();
 
     if (noise) {
-    	RNG_FileForRNG(noise);
+    	CERTUTIL_FileForRNG(noise);
     } else {
 	int rv = UpdateRNG();
 	if (rv) {
@@ -346,7 +380,7 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
 	} else {
 	    dsaparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
 	    if (dsaparena == NULL) return NULL;
-	    dsaparams = PORT_ArenaZAlloc(dsaparena, sizeof(PQGParams));
+	    dsaparams = PORT_ArenaZAlloc(dsaparena, sizeof(SECKEYPQGParams));
 	    if (dsaparams == NULL) return NULL;
 	    dsaparams->arena = dsaparena;
 	    SECITEM_AllocItem(dsaparena, &dsaparams->prime, sizeof P);

security/nss/cmd/certutil/manifest.mn

@@ -49,4 +49,4 @@ REQUIRES = dbm seccmd
 
 PROGRAM = certutil
 
-USE_STATIC_LIBS = 1
+#USE_STATIC_LIBS = 1