Search completed in 0.84 seconds.
nss tech note5
ck_mechanism_type ciphermech = ckm_des_cbc_pad <big>(for example)</big> choose a slot on which to to do the operation pk11slotinfo* slot = pk11_getbestslot(ciphermech, null); or pk11slotinfo* slot = pk11_getinternalkeyslot(); /* alwys returns internal slot, may not be optimal */ prepare the key if using a raw key /* turn the raw key into a
secitem */
secitem keyitem; keyitem.data = /* ptr to an array of key bytes */ keyitem.len = /* length of the array of key bytes */ /* turn the
secitem into a key object */ pk11symkey* symkey = pk11_importsymkey(slot, ciphermech, pk11_originunwrap, cka_encrypt, &...
...if not using cbc mode, just pass a null iv parm to pk11_paramfromiv function
secitem ivitem; ivitem.data = /* ptr to an array of iv bytes */ ivitem.len = /* length of the array of iv bytes */
secitem *secparam = pk11_paramfromiv(ciphermech, &ivitem);</big> <big>now encrypt and decrypt using the key and parameter setup in above steps</big> create encryption context pk11context* enccontext = pk11_createcontextbysymkey(ciphermech, cka_encrypt or cka_decrypt, ...
...when all done with encrypt/decrypt ops, clean up</big> <big>pk11_freesymkey(symkey);
secitem_freeitem(secparam, pr_true); pk11_freeslot(slot);</big> note: aes encryption, a fixed blocksize of 16 bytes is used.
...And 18 more matches
Enc Dec MAC Output Public Key as CSR
put file.\n\n", ""); exit(-1); } /* map option letter enumerated commad type */ static commandtype option2command(const char* c) { switch (*c) { case 'g': return gen_csr; case 'e': return encrypt; case 'd': return decrypt; default: return unknown; } } /* * wrap the symkey using public key */ secstatus wrapkey(pk11symkey* key, seckeypublickey *pubkey,
secitem **wrappedkey) { secstatus rv;
secitem *data = (
secitem *)port_zalloc(sizeof(
secitem)); if (!data) { pr_fprintf(pr_stderr, "error while allocating memory\n"); rv = secfailure; goto cleanup; } data->len = seckey_publickeystrength(pubkey); data->data = (unsigned char*)port_zalloc((data->len)*sizeof(unsigned int)); if (!data->data) { pr_f...
...printf(pr_stderr, "error while allocating memory\n"); rv = secfailure; goto cleanup; } rv = pk11_pubwrapsymkey(ckm_rsa_pkcs, pubkey, key, data); if (rv != secsuccess) { rv = secfailure; } else { *wrappedkey = data; return secsuccess; } cleanup: if (data) {
secitem_freeitem(data, pr_true); } return rv; } /* * generate a symmetric key */ pk11symkey * generatesymkey(pk11slotinfo *slot, ck_mechanism_type mechanism, int keysize,
secitem *keyid, secupwdata *pwdata) { secstatus rv; pk11symkey *key; /* generate the symmetric key */ key = pk11_tokenkeygen(slot, mechanism, null, keysize, keyid, pr_false, pwdata); if (!key) { pr_fprintf(pr_stderr, "symmetric ...
... return secfailure; } pr_fprintf(outfile, "%s\n", header); printasascii(outfile, buf, len); pr_fprintf(outfile, "%s\n\n", trailer); return secsuccess; } /* * initialize for encryption or decryption - common code */ pk11context * cryptinit(pk11symkey *key, unsigned char *iv, unsigned int ivlen, ck_mechanism_type type, ck_attribute_type operation) {
secitem ivitem = { sibuffer, iv, ivlen }; pk11context *ctx = null;
secitem *secparam = pk11_paramfromiv(type, &ivitem); if (secparam == null) { pr_fprintf(pr_stderr, "crypt failed : secparam null\n"); return null; } ctx = pk11_createcontextbysymkey(type, operation, key, secparam); if (ctx == null) { pr_fprintf(pr_stderr, "crypt failed : can't create a cont...
...And 14 more matches
Enc Dec MAC Using Key Wrap CertReq PKCS10 CSR
progname, dbdir, headerfilename, encryptedfilename); validationfailed = pr_true; } if (validationfailed) { fprintf(stderr, "\nusage: %s %s \n\n", progname, "-d -d <dbdirpath> -b <headerfilename> -e <encryptfilename> -o <opfilename>\n"); exit(-1); } } /* * sign the contents of input file using private key and * return result as
secitem */ secstatus signdata(const char *infilename, seckeyprivatekey *pk,
secitem *res) { secstatus rv = secfailure; unsigned int nb; unsigned char ibuf[4096]; prfiledesc *infile = null; sgncontext *sgn = null; /* open the input file for reading */ infile = pr_open(infilename, pr_rdonly, 0); if (!infile) { pr_fprintf(pr_...
...); if (rv != secsuccess) { pr_fprintf(pr_stderr, "problem while sgn_end\n"); goto cleanup; } cleanup: if (infile) { pr_close(infile); } if (sgn) { sgn_destroycontext(sgn, pr_true); } return rv; } /* * verify the signature using public key */ secstatus verifydata(const char *infilename, seckeypublickey *pk,
secitem *sigitem, secupwdata *pwdata) { unsigned int nb; unsigned char ibuf[4096]; secstatus rv = secfailure; vfycontext *vfy = null; prfiledesc *infile = null; /* open the input file for reading */ infile = pr_open(infilename, pr_rdonly, 0); if (!infile) { pr_fprintf(pr_stderr, "unable to open \"%s\" for reading.\n", ...
...); return secsuccess; break; default: return secfailure; } pr_fprintf(outfile, "%s\n", header); printashex(outfile, buf, len); pr_fprintf(outfile, "%s\n\n", trailer); return secsuccess; } /* * read cryptographic parameters from the header file */ secstatus readfromheaderfile(const char *filename, headertype type,
secitem *item, prbool ishexdata) { secstatus rv = secsuccess; prfiledesc* file = null;
secitem filedata;
secitem outbuf; unsigned char *nonbody; unsigned char *body; char *header; char *trailer; outbuf.type = sibuffer; file = pr_open(filename, pr_rdonly, 0); if (!file) { pr_fprintf(pr_stderr, "failed ...
...And 12 more matches
NSS Sample Code Sample1
int exportpublickey(
secitem **pubkeydata); // export the encryption and key using the key // provided.
...(the admin should verify this.) // // in this example, the server must be started to perform // this function (see start()) int exportkeys(
secitem *pubkey,
secitem **wrappedenckey,
secitem **wrappedmackey); // import the keys received from another server in the // cluster.
... int importkeys(
secitem *wrappedenckey,
secitem *wrappedmackey); // start the server, loading the encryption and macing keys // from files int start(); // shut down the server.
...And 12 more matches
sample2
tderr, "%s -d -d %s -b %s -e %s -o : output file name is not found\n", progname, dbdir, headerfilename, encryptedfilename); validationfailed = pr_true; } if (validationfailed) { fprintf(stderr, "\nusage: %s %s \n\n", progname, "-d -d <dbdirpath> -b <headerfilename> -e <encryptfilename> -o <opfilename>\n"); exit(-1); } } /* * sign the contents of input file using private key and * return result as
secitem */ secstatus signdata(const char *infilename, seckeyprivatekey *pk,
secitem *res) { secstatus rv = secfailure; unsigned int nb; unsigned char ibuf[4096]; prfiledesc *infile = null; sgncontext *sgn = null; /* open the input file for reading */ infile = pr_open(infilename, pr_rdonly, 0); if (!infile) { pr_fprintf(pr_stderr, "unable to open \"%s\" for reading.\n", infilename); rv = secfailure; goto ...
...pr_fprintf(pr_stderr, "problem while sgn_update\n"); goto cleanup; } } rv = sgn_end(sgn, res); if (rv != secsuccess) { pr_fprintf(pr_stderr, "problem while sgn_end\n"); goto cleanup; } cleanup: if (infile) { pr_close(infile); } if (sgn) { sgn_destroycontext(sgn, pr_true); } return rv; } /* * verify the signature using public key */ secstatus verifydata(const char *infilename, seckeypublickey *pk,
secitem *sigitem, secupwdata *pwdata) { unsigned int nb; unsigned char ibuf[4096]; secstatus rv = secfailure; vfycontext *vfy = null; prfiledesc *infile = null; /* open the input file for reading */ infile = pr_open(infilename, pr_rdonly, 0); if (!infile) { pr_fprintf(pr_stderr, "unable to open \"%s\" for reading.\n", infilename); rv = secfailure; goto cleanup; } vfy = vfy_createcontext(pk, sigitem, sec_...
...\n", header); pr_fprintf(outfile, "%s\n", buf); pr_fprintf(outfile, "%s\n\n", trailer); return secsuccess; break; default: return secfailure; } pr_fprintf(outfile, "%s\n", header); printashex(outfile, buf, len); pr_fprintf(outfile, "%s\n\n", trailer); return secsuccess; } /* * read cryptographic parameters from the header file */ secstatus readfromheaderfile(const char *filename, headertype type,
secitem *item, prbool ishexdata) { secstatus rv = secsuccess; prfiledesc* file = null;
secitem filedata;
secitem outbuf; unsigned char *nonbody; unsigned char *body; char *header; char *trailer; outbuf.type = sibuffer; file = pr_open(filename, pr_rdonly, 0); if (!file) { pr_fprintf(pr_stderr, "failed to open %s\n", filename); rv = secfailure; goto cleanup; } switch (type) { case pubkey: header = pubkey_h...
...And 12 more matches
Encrypt Decrypt MAC Keys As Session Objects
s\n", "note :"); fprintf(stderr, "%-7s .enc and .header as intermediate output files.\n\n", ""); fprintf(stderr, "%-7s for decrypt, it takes .enc and .header\n", ""); fprintf(stderr, "%-7s as input files and produces as a final output file.\n\n", ""); exit(-1); } /* * gather a cka_id */ secstatus gathercka_id(pk11symkey* key,
secitem* buf) { secstatus rv = pk11_readrawattribute(pk11_typesymkey, key, cka_id, buf); if (rv != secsuccess) { pr_fprintf(pr_stderr, "pk11_readrawattribute returned (%d)\n", rv); pr_fprintf(pr_stderr, "could not read symkey cka_id attribute\n"); return rv; } return rv; } /* * generate a symmetric key */ pk11symkey * generatesymkey(pk11slotinfo *slot, ck_mecha...
...nism_type mechanism, int keysize,
secitem *keyid, secupwdata *pwdata) { secstatus rv; pk11symkey *key; if (pk11_needlogin(slot)) { rv = pk11_authenticate(slot, pr_true, pwdata); if (rv != secsuccess) { pr_fprintf(pr_stderr, "could not authenticate to token %s.\n", pk11_gettokenname(slot)); return null; } } /* generate the symmetric key */ key = pk11_tokenkeygen(slot, mechanism, null, keysize, keyid, pr_true, pwdata); if (!key) { pr_fprintf(pr_stderr, "symmetric key generation failed \n"); } return key; } /* * macinit */ secstatus macinit(pk11context *ctx) { secstatus rv = pk11_digestbegin(ctx); if (rv != secsuccess) { ...
...railer); break; } pr_fprintf(outfile, "%s\n", header); printashex(outfile, buf, len); pr_fprintf(outfile, "%s\n\n", trailer); return secsuccess; } /* * initialize for encryption or decryption - common code */ pk11context * cryptinit(pk11symkey *key, unsigned char *iv, unsigned int ivlen, ck_mechanism_type type, ck_attribute_type operation) {
secitem ivitem = { sibuffer, iv, ivlen }; pk11context *ctx = null;
secitem *secparam = pk11_paramfromiv(ckm_aes_cbc, &ivitem); if (secparam == null) { pr_fprintf(pr_stderr, "crypt failed : secparam null\n"); return null; } ctx = pk11_createcontextbysymkey(ckm_aes_cbc, operation, key, secparam); if (ctx == null) { pr_fprintf(pr_stderr, "crypt failed : can't...
...And 9 more matches
Encrypt and decrypt MAC using token
s\n", "note :"); fprintf(stderr, "%-7s .enc and .header as intermediate output files.\n\n", ""); fprintf(stderr, "%-7s for decrypt, it takes .enc and .header\n", ""); fprintf(stderr, "%-7s as input files and produces as a final output file.\n\n", ""); exit(-1); } /* * gather a cka_id */ secstatus gathercka_id(pk11symkey* key,
secitem* buf) { secstatus rv = pk11_readrawattribute(pk11_typesymkey, key, cka_id, buf); if (rv != secsuccess) { pr_fprintf(pr_stderr, "pk11_readrawattribute returned (%d)\n", rv); pr_fprintf(pr_stderr, "could not read symkey cka_id attribute\n"); return rv; } return rv; } /* * generate a symmetric key */ pk11symkey * generatesymkey(pk11slotinfo *slot, ck_mecha...
...nism_type mechanism, int keysize,
secitem *keyid, secupwdata *pwdata) { secstatus rv; pk11symkey *key; if (pk11_needlogin(slot)) { rv = pk11_authenticate(slot, pr_true, pwdata); if (rv != secsuccess) { pr_fprintf(pr_stderr, "could not authenticate to token %s.\n", pk11_gettokenname(slot)); return null; } } /* generate the symmetric key */ key = pk11_tokenkeygen(slot, mechanism, null, keysize, keyid, pr_true, pwdata); if (!key) { pr_fprintf(pr_stderr, "symmetric key generation failed \n"); } return key; } /* * macinit */ secstatus macinit(pk11context *ctx) { secstatus rv = pk11_digestbegin(ctx); if (rv != secsuccess) { ...
...railer); break; } pr_fprintf(outfile, "%s\n", header); printashex(outfile, buf, len); pr_fprintf(outfile, "%s\n\n", trailer); return secsuccess; } /* * initialize for encryption or decryption - common code */ pk11context * cryptinit(pk11symkey *key, unsigned char *iv, unsigned int ivlen, ck_mechanism_type type, ck_attribute_type operation) {
secitem ivitem = { sibuffer, iv, ivlen }; pk11context *ctx = null;
secitem *secparam = pk11_paramfromiv(ckm_aes_cbc, &ivitem); if (secparam == null) { pr_fprintf(pr_stderr, "crypt failed : secparam null\n"); return null; } ctx = pk11_createcontextbysymkey(ckm_aes_cbc, operation, key, secparam); if (ctx == null) { pr_fprintf(pr_stderr, "crypt failed : can't...
...And 9 more matches
Encrypt Decrypt_MAC_Using Token
*/ secstatus gathercka_id(pk11symkey* key,
secitem* buf) { secstatus rv = pk11_readrawattribute(pk11_typesymkey, key, cka_id, buf); if (rv != secsuccess) { pr_fprintf(pr_stderr, "pk11_readrawattribute returned (%d)\n", rv); pr_fprintf(pr_stderr, "could not read symkey cka_id attribute\n"); return rv; } return rv; } /* * generate a symmetric key.
... */ pk11symkey * generatesymkey(pk11slotinfo *slot, ck_mechanism_type mechanism, int keysize,
secitem *keyid, secupwdata *pwdata) { secstatus rv; pk11symkey *key; if (pk11_needlogin(slot)) { rv = pk11_authenticate(slot, pr_true, pwdata); if (rv != secsuccess) { pr_fprintf(pr_stderr, "could not authenticate to token %s.\n", pk11_gettokenname(slot)); return null; } } /* generate the symmetric key.
... */ pk11context * cryptinit(pk11symkey *key, unsigned char *iv, unsigned int ivlen, ck_mechanism_type type, ck_attribute_type operation) {
secitem ivitem = { sibuffer, iv, ivlen }; pk11context *ctx = null;
secitem *secparam = pk11_paramfromiv(ckm_aes_cbc, &ivitem); if (secparam == null) { pr_fprintf(pr_stderr, "crypt failed : secparam null\n"); return null; } ctx = pk11_createcontextbysymkey(ckm_aes_cbc, operation, key, secparam); if (ctx == null) { pr_fprintf(pr_stderr, "crypt failed : can't...
...And 9 more matches
NSS Sample Code Sample_3_Basic Encryption and MACing
*/ /* nspr headers */ #include <prthread.h> #include <plgetopt.h> #include <prerror.h> #include <prinit.h> #include <prlog.h> #include <prtypes.h> #include <plstr.h> /* * gather a cka_id */ secstatus gathercka_id(pk11symkey* key,
secitem* buf) { secstatus rv = pk11_readrawattribute(pk11_typesymkey, key, cka_id, buf); if (rv != secsuccess) { pr_fprintf(pr_stderr, "pk11_readrawattribute returned (%d)\n", rv); pr_fprintf(pr_stderr, "could not read symkey cka_id attribute\n"); return rv; } return rv; } /* * generate a symmetric key */ pk11symkey * generatesymkey(pk11slotinfo *slot, ck_mecha...
...nism_type mechanism, int keysize,
secitem *keyid, secupwdata *pwdata) { secstatus rv; pk11symkey *key; if (pk11_needlogin(slot)) { rv = pk11_authenticate(slot, pr_true, pwdata); if (rv != secsuccess) { pr_fprintf(pr_stderr, "could not authenticate to token %s.\n", pk11_gettokenname(slot)); return null; } } /* generate the symmetric key */ key = pk11_tokenkeygen(slot, mechanism, null, keysize, keyid, pr_true, pwdata); if (!key) { pr_fprintf(pr_stderr, "symmetric key generation failed \n"); } return key; } /* * macinit */ secstatus macinit(pk11context *ctx) { secstatus rv = pk11_digestbegin(ctx); if (rv != secsuccess) { ...
...railer); break; } pr_fprintf(outfile, "%s\n", header); printashex(outfile, buf, len); pr_fprintf(outfile, "%s\n\n", trailer); return secsuccess; } /* * initialize for encryption or decryption - common code */ pk11context * cryptinit(pk11symkey *key, unsigned char *iv, unsigned int ivlen, ck_mechanism_type type, ck_attribute_type operation) {
secitem ivitem = { sibuffer, iv, ivlen }; pk11context *ctx = null;
secitem *secparam = pk11_paramfromiv(ckm_aes_cbc, &ivitem); if (secparam == null) { pr_fprintf(pr_stderr, "crypt failed : secparam null\n"); return null; } ctx = pk11_createcontextbysymkey(ckm_aes_cbc, operation, key, secparam); if (ctx == null) { pr_fprintf(pr_stderr, "crypt failed : can't...
...And 9 more matches
ssltyp.html
types and structures managing
secitem memory types and structures these types and structures are described here: certcertdbhandle certcertificate pk11slotinfo
secitem seckeyprivatekey secstatus additional types used by a single function only are described with the function's entry in each chapter.
... syntax #include <pk11expt.h> typedef struct pk11slotinfostr pk11slotinfo;
secitem a structure that points to other structures.
... syntax #include <seccomon.h> #include <prtypes.h> #include <secport.h> typedef enum { sibuffer, sicleardatabuffer, sicipherdatabuffer, sidercertbuffer, siencodedcertbuffer, sidernamebuffer, siencodednamebuffer, siasciinamestring, siasciistring, sideroid }
secitemtype; typedef struct
secitemstr
secitem; struct
secitemstr {
secitemtype type; unsigned char *data; unsigned int len; }; description a
secitem structure can be used to associate your own data with an ssl socket.
...And 9 more matches
nss tech note4
critical : indicates whether the extension is critical value : the value of the extension looping through all extensions certcertextension** extensions =cert->extensions; if (extensions) { while (*extensions) {
secitem *ext_oid = &(*extensions)->id;
secitem *ext_critical = &(*extensions)->critical;
secitem *ext_value = &(*extensions)->value; /* id attribute of the extension */ secoiddata *oiddata = secoid_findoid(ext_oid); if (oiddata == null) { /* oid not fo...
...und */ /*
secitem ext_oid has type (
secitemtype), data (unsigned char *) and len (unsigned int) fields - the application interprets these */ .......
...he extension */ if (ext_critical->len > 0) { if (ext_critical->data[0]) /* the extension is critical */ else /* the extension is not critical */ } /* value attribute of the extension */ /*
secitem ext_value has type (
secitemtype), data (unsigned char *) and len (unsigned int) fields - the application interprets these */ secoidtag oidtag = secoid_findoidtag(ext_oid); switch (oidtag) { case a_tag_that_app_recognizes: .....
...And 8 more matches
EncDecMAC using token object - sample 3
fprintf(stderr, "%-7s for encrypt, it takes as an input file and produces\n", "note :"); fprintf(stderr, "%-7s .enc and .header as intermediate output files.\n\n", ""); fprintf(stderr, "%-7s for decrypt, it takes .enc and .header\n", ""); fprintf(stderr, "%-7s as input files and produces as a final output file.\n\n", ""); exit(-1); } /* * gather a cka_id */ secstatus gathercka_id(pk11symkey* key,
secitem* buf) { secstatus rv = pk11_readrawattribute(pk11_typesymkey, key, cka_id, buf); if (rv != secsuccess) { pr_fprintf(pr_stderr, "pk11_readrawattribute returned (%d)\n", rv); pr_fprintf(pr_stderr, "could not read symkey cka_id attribute\n"); return rv; } return rv; } /* * generate a symmetric key */ pk11symkey * generatesymkey(pk11slotinfo *slot, ck_mechanism_type mechanism, int keysize,
secitem *k...
...e pad: strcpy(header, pad_header); strcpy(trailer, pad_trailer); break; } pr_fprintf(outfile, "%s\n", header); printashex(outfile, buf, len); pr_fprintf(outfile, "%s\n\n", trailer); return secsuccess; } /* * initialize for encryption or decryption - common code */ pk11context * cryptinit(pk11symkey *key, unsigned char *iv, unsigned int ivlen, ck_mechanism_type type, ck_attribute_type operation) {
secitem ivitem = { sibuffer, iv, ivlen }; pk11context *ctx = null;
secitem *secparam = pk11_paramfromiv(ckm_aes_cbc, &ivitem); if (secparam == null) { pr_fprintf(pr_stderr, "crypt failed : secparam null\n"); return null; } ctx = pk11_createcontextbysymkey(ckm_aes_cbc, operation, key, secparam); if (ctx == null) { pr_fprintf(pr_stderr, "crypt failed : can't create a context\n"); goto cleanup; } cleanup: i...
...f (secparam) {
secitem_freeitem(secparam, pr_true); } return ctx; } /* * common encryption and decryption code */ secstatus crypt(pk11context *ctx, unsigned char *out, unsigned int *outlen, unsigned int maxout, unsigned char *in, unsigned int inlen) { secstatus rv; rv = pk11_cipherop(ctx, out, outlen, maxout, in, inlen); if (rv != secsuccess) { pr_fprintf(pr_stderr, "crypt failed : pk11_cipherop returned %d\n", rv); goto cleanup; } cleanup: if (rv != secsuccess) { return rv; } return secsuccess; } /* * decrypt */ secstatus decrypt(pk11context *ctx, unsigned char *out, unsigned int *outlen, unsigned int maxout, unsigned char *in, unsigned int inlen) { return crypt(ctx, out, outlen, maxout, in, inlen); } /* * encrypt */ secstatus encrypt(pk11context* ctx, unsigned char *out, unsigned int *outlen, u...
...And 7 more matches
NSS 3.15 release notes
tls client applications may enable this via a call to ssl_optionsetdefault(ssl_enable_ocsp_stapling, pr_true); added function
secitem_reallocitemv2.
... it replaces function
secitem_reallocitem, which is now declared as obsolete.
... in
secitem.h
secitem_allocarray
secitem_duparray
secitem_freearray
secitem_zfreearray - utility functions to handle the allocation and deallocation of
secitemarrays
secitem_reallocitemv2 - replaces
secitem_reallocitem, which is now obsolete.
...And 5 more matches
Python binding for NSS
he following module functions were added: nss.create_pbev2_algorithm_id the following class methods were added: nss.algorithmid.get_pbe_crypto_mechanism nss.algorithmid.get_pbe_iv nss.pk11slot.pbe_key_gen nss.pk11slot.format_lines nss.pk11slot.format nss.pk11symkey.format_lines nss.pk11symkey.format nss.
secitem.to_base64 nss.
secitem.format_lines nss.
secitem.format the following files were added: doc/examples/pbkdf2_example.py the
secitem constructor added 'ascii' parameter to permit initialization from base64 and/or pem textual data.
... a
secitem now converts almost all der encoded data to a string when it's str method is invoked, formerly it was limited to only a few objects.
... the following classes were added: certattribute the following class methods were added: certattribute.format_lines certattribute.format nss.
secitem.get_integer the following class properties were added: certificaterequest.attributes certattribute.type_oid certattribute.type_tag certattribute.type_str certattribute.values the following module functions were added: base64_to_binary the following files were added: test_cert_request release 0.14.1 release date 2013-10-28 scm tag pynss_release_0_14_1 source download https://ftp.mozilla.org/pub/mozill...
...And 5 more matches
Utilities for nss samples
* password or the file to read it from */ } secupwdata; /* * printasascii */ extern void printasascii(prfiledesc* out, const unsigned char *data, unsigned int len); /* * printashex */ extern void printashex(prfiledesc* out, const unsigned char *data, unsigned int len); /* * getdigit */ extern int getdigit(char c); /* * hextobuf */ extern int hextobuf(unsigned char *instring,
secitem *outbuf, prbool ishexdata); /* * filetoitem */ extern secstatus filetoitem(
secitem *dst, prfiledesc *src); /* * checkpassword */ extern prbool checkpassword(char *cp); /* * getpassword */ extern char * getpassword(file *input, file *output, char *prompt, prbool (*ok)(char *)); /* * filepasswd extracts the password from a text file * * storing...
...ar * filepasswd(pk11slotinfo * slot, prbool retry, void *arg); /* * getmodulepassword */ extern char * getmodulepassword(pk11slotinfo *slot, int retry, void *pwdata); /* * generaterandom */ extern secstatus generaterandom(unsigned char *rbuf, int rsize); /* * filetoitem */ extern secstatus filetoitem(
secitem *dst, prfiledesc *src); /* * seedfromnoisefile */ extern secstatus seedfromnoisefile(const char *noisefilename); /* * filesize */ extern long filesize(const char* filename); /* * readderfromfile */ extern secstatus readderfromfile(
secitem *der, const char *infilename, prbool ascii); #endif /* _util_h */ util.c /* this source code form is subject to the terms of the mozil...
...= level) { newline(out); } } /* * getdigit */ int getdigit(char c) { if (c == 0) { return -1; } if (c <= '9' && c >= '0') { return c - '0'; } if (c <= 'f' && c >= 'a') { return c - 'a' + 0xa; } if (c <= 'f' && c >= 'a') { return c - 'a' + 0xa; } return -1; } /* * hextobuf */ int hextobuf(unsigned char *instring,
secitem *outbuf, prbool ishexdata) { int len = strlen((const char *)instring); int outlen = len+1/2; int truelen = 0; int digit1, digit2; outbuf->data = ishexdata ?
...And 4 more matches
NSS Sample Code Utilities_1
= level) { newline(out); } } /* * getdigit */ int getdigit(char c) { if (c == 0) { return -1; } if (c <= '9' && c >= '0') { return c - '0'; } if (c <= 'f' && c >= 'a') { return c - 'a' + 0xa; } if (c <= 'f' && c >= 'a') { return c - 'a' + 0xa; } return -1; } /* * hextobuf */ int hextobuf(unsigned char *instring,
secitem *outbuf, prbool ishexdata) { int len = strlen(instring); int outlen = len+1/2; int truelen = 0; int digit1, digit2; outbuf->data = ishexdata ?
...= digit1 << 4 | digit2; } } else { while (*instring) { if (*instring == '\n') { instring++; continue; } outbuf->data[truelen++] = *instring++; } outbuf->data[truelen] = '\0'; truelen = truelen-1; } outbuf->len = truelen; return 0; } /* * filetoitem */ secstatus filetoitem(
secitem *dst, prfiledesc *src) { prfileinfo info; print32 numbytes; prstatus prstatus; prstatus = pr_getopenfileinfo(src, &info); if (prstatus != pr_success) { return secfailure; } dst->data = 0; if (
secitem_allocitem(null, dst, info.size)) { numbytes = pr_read(src, dst->data, info.size); if (numbytes == info.size) { return secsuccess...
...; } }
secitem_freeitem(dst, pr_false); dst->data = null; return secfailure; } /* * echooff */ static void echooff(int fd) { if (isatty(fd)) { struct termios tio; tcgetattr(fd, &tio); tio.c_lflag &= ~echo; tcsetattr(fd, tcsaflush, &tio); } } /* * echoon */ static void echoon(int fd) { if (isatty(fd)) { struct termios tio; tcgetattr(fd, &tio); tio.c_lflag |= echo; tcsetattr(fd, tcsaflush, &tio); } } /* * checkpassword */ prbool checkpassword(char *cp) { int len; char *end; len = port_strlen(cp); if (len < 8) { return pr_false; } end = cp + len; while (cp < end) { unsigned char ch = *cp++; if (!((ch >= 'a') && (ch <= 'z')) && !((ch >= 'a...
...And 2 more matches
NSS 3.12.5 release_notes
additional documentation in pk11pub.h: the caller of pk11_derencodepublickey should free the returned
secitem with a
secitem_freeitem(..., pr_true) call.
...the caller of pk11_readrawattribute should free the data buffer pointed to by item using a
secitem_freeitem(item, pr_false) or port_free(item->data) call.
... in secasn1.h: if both pool and dest are null, the caller should free the returned
secitem with a
secitem_freeitem(..., pr_true) call.
... if pool is null but dest is not null, the caller should free the data buffer pointed to by dest with a
secitem_freeitem(dest, pr_false) or port_free(dest->data) call.
NSS_3.12_release_notes.html
) bug 401986: mac os x leopard build failure in legacydb bug 325805: diff considers mozilla/security/nss/cmd/pk11util/scripts/pkey a binary file bug 385151: remove the link time dependency from nss to softoken bug 387892: add entrust root ca certificate(s) to nss bug 433386: when system clock is off by more than two days, oscp check fails, can result in crash if user tries to view certificate [[@
secitem_compareitem_util] [[@ memcmp] bug 396256: certutil and pp do not print all the generalnames in a crldp extension bug 398019: correct confusing and erroneous comments in der_asciitotime bug 422866: vfychain -pp command crashes in nss_shutdown bug 345779: useless assignment statements in ec_gf2m_pt_mul_mont bug 349011: please stop exporting these crmf_ symbols bug 397178: crash when entering chrome...
...bug 401610: shared db fails on iopr tests bug 388120: build error due to sec_begin_protos / sec_end_protos are undefined bug 415264: make security use of new nspr rotate macros bug 317052: lib/base/whatnspr.c is obsolete bug 317323: set nspr31_lib_prefix to empty explicitly for win95 and wince builds bug 320336:
secitem_allocitem returns a non-null pointer if the allocation of its 'data' buffer fails bug 327529: can't pass 0 as an unnamed null pointer argument to cert_createrdn bug 334683: extraneous semicolons cause empty declaration compiler warnings bug 335275: compile with the gcc flag -werror-implicit-function-declaration bug 354565: fipstest sha_test needs to detect sha tests that are incorrectly configure...
...mation about trust arguments bug 410226: leak in create_objects_from_handles bug 415007: pk11_findcertfromdersubjectandnickname is dead code bug 416267: compiler warnings on solaris due to extra semicolon in sec_asn1_mksub bug 419763: logger thread should be joined on exit bug 424471: counter overflow in bltest bug 229335: remove certificates that expired in august 2004 from tree bug 346551: init
secitem dertemp in crmf_encode_popoprivkey bug 395080: double backslash in sysdir filenames causes problems on os/2 bug 341371: certutil lacks a way to request a certificate with an existing key bug 382292: add support for camellia to cmd/symkeyutil bug 385642: add additional cert usage(s) for certutil's -v -u option bug 175741: strict aliasing bugs in mozilla/dbm bug 210584: cert_asciitoname doesn't acc...
... 362278: lib/util includes header files from other nss directories bug 228190: remove unnecessary nss_enable_ecc defines from manifest.mn bug 412906: remove sha.c and sha.h from lib/freebl bug 353543: valgrind uninitialized memory read in nsspkiobjectcollection_addinstances bug 377548: nss qa test program certutil's default dsa prime is only 512 bits bug 333405: item cleanup is unused deadcode in
secitem_allocitem loser bug 288730: compiler warnings in certutil bug 337251: warning: /* within comment bug 362967: export secmod_deletemoduleex bug 389248: nss build failure when nss_enable_ecc is not defined bug 390451: remembered passwords lost when changing master password bug 418546: reference leak in cert_pkixverifycert bug 390074: os/2 sign.cmd doesn't find sqlite3.dll bug 417392: certutil -l -n ...
NSS Sample Code sample2
*/ #include "nss.h" #include "pk11pub.h" /* example key & iv */ unsigned char gkey[] = {0xe8, 0xa7, 0x7c, 0xe2, 0x05, 0x63, 0x6a, 0x31}; unsigned char giv[] = {0xe4, 0xbb, 0x3b, 0xd3, 0xc3, 0x71, 0x2e, 0x58}; int main(int argc, char **argv) { ck_mechanism_type ciphermech; pk11slotinfo* slot = null; pk11symkey* symkey = null;
secitem* secparam = null; pk11context* enccontext = null;
secitem keyitem, ivitem; secstatus rv, rv1, rv2; unsigned char data[1024], buf1[1024], buf2[1024]; int i, result_len, tmp1_outlen, tmp2_outlen; /* initialize nss * if your application code has already initialized nss, you can skip it * here.
...for * des ops, internal slot is typically the best slot */ if (slot == null) { fprintf(stderr, "unable to find security device (err %d)\n", pr_geterror()); goto out; } /* nss passes blobs around as
secitems.
...turn the raw key into a
secitem.
...len, result_len-tmp1_outlen); pk11_destroycontext(enccontext, pr_true); result_len = tmp1_outlen + tmp2_outlen; if (rv1 != secsuccess || rv2 != secsuccess) goto out; fprintf(stderr, "decrypted data: %s\n", buf2); /* =========================== end section ============================= */ out: if (symkey) pk11_freesymkey(symkey); if (secparam)
secitem_freeitem(secparam, pr_true); } ...
sslcrt.html
validating certificates manipulating certificates getting certificate information comparing
secitem objects validating certificates cert_verifycertnow cert_verifycertname cert_checkcertvalidtimes nss_cmpcertchainwcanames cert_verifycertnow checks that the current date is within the certificate's validity period and that the ca signature on the certificate is valid.
... syntax #include <cert.h> certcertificate *cert_findcertbyname ( certcertdbhandle *handle,
secitem *name); parameters this function has the following parameters: handle a pointer to the certificate database handle.
... returns the function returns one of these values: kt_null = 0 kt_rsa kt_dh kt_fortezza kt_kea_size comparing
secitem objects
secitem_compareitem compares two
secitem objects and returns a seccomparison enumerator that shows the difference between them.
... syntax #include <
secitem.h> #include <seccomon.h> seccomparison
secitem_compareitem(
secitem *a,
secitem *b); parameters this function has the following parameters: a a pointer to one of the items to be compared.
sslfnc.html
ssl_getsessionid returns a
secitem structure containing the ssl session id associated with a file descriptor.
... syntax #include "ssl.h"
secitem *ssl_getsessionid(prfiledesc *fd); parameter this function has the following parameter: fd a pointer to the file descriptor for the ssl socket.
... description this function returns a
secitem structure containing the ssl session id associated with the file descriptor fd.
... when the application is finished with the
secitem structure returned by this function, it should free the structure by calling
secitem_freeitem(item, pr_true).
NSS API Guidelines
the library supports base-64 encoding/decoding, reader-writer locks, the
secitem data type, der encoding/decoding, error types and numbers, oid handling, and secure random number generation.
... utility for any layer lib/util base64.h, ciferfam.h, nssb64.h, nssb64t.h, nsslocks.h, nssrwlk.h, nssrwlkt.h, portreg.h, pqgutil.h, secasn1.h, secasn1t.h, seccomon.h, secder.h, secdert.h, secdig.h, secdigt.h,
secitem.h, secoid.h, secoidt.h, secport.h, secrng.h, secrngt.h, secerr.h, watcomfx.h naming conventions this section describes the rules that (ideally) should be followed for naming and identifying new files, functions, and data types.
...for example, in container structures, such as
secitem, or maybe linked list data structures.
NSS Sample Code sample5
rv; certcertificate *cert = null; seckeypublickey *pubkey = null; certsubjectpublickeyinfo *spki = null; seckeyprivatekey *pvtkey = null; int modulus_len, i, outlen; char *buf1 = null; char *buf2 = null; char *pubkstr = base64_encoded_subjectpublickeyinfo; char *pvtkstr = base64_encoded_privatekeyinfo;
secitem der;
secitem nickname; pk11slotinfo *slot = null; /* initialize nss * you need to explicitly authenticate to the internal token if you use * nss_init insteadf of nss_nodb_init * invoke this after getting the internal token handle * pk11_authenticate(slot, pr_false, null); */ rv = nss_nodb_init("."); if (rv != secsuccess) { fprintf(st...
... get internal slot */ slot = pk11_getinternalkeyslot(); if (slot == null) { fprintf(stderr, "couldn't find slot (err %d)\n", pr_geterror()); goto cleanup; } rv = atob_convertasciitoitem(&der, pubkstr); if (rv!= secsuccess) { fprintf(stderr, "atob_convertasciitoitem failed %d\n", pr_geterror()); goto cleanup; } spki = seckey_decodedersubjectpublickeyinfo(&der);
secitem_freeitem(&der, pr_false); pubkey = seckey_extractpublickey(spki); if (pubkey == null) { fprintf(stderr, "couldn't extract public key (err %d)\n", pr_geterror()); goto cleanup; } modulus_len = seckey_publickeystrength(pubkey); fprintf(stderr, "public key modulus %d bytes\n", modulus_len); buf1 = (char *)malloc(modulus_len); buf2 = (char *)malloc(modulus_len); /* initia...
... * publicvalue arg (4th) can be null for rsa key - i think it is even * ignored */ pk11_importderprivatekeyinfoandreturnkey(slot, &der, null, null, pr_false, pr_true, ku_all, &pvtkey, null);
secitem_freeitem(&der, pr_false); if (pvtkey == null) { fprintf(stderr, "couldn't extract private key (err %d)\n", pr_geterror()); goto cleanup; } /* clear buf1 */ for (i=0;i<modulus_len;i++) { buf1[i]= '\0'; } /* decrypt buf2, result will be in buf1 */ rv = pk11_pubdecryptraw(pvtkey, buf1, &outlen, modulus_len, buf2, modulus_len); if (rv != se...
NSS functions
hm mxr 3.2 and later sec_pkcs5isalgorithmpbealg mxr 3.2 and later sec_pkcs5isalgorithmpbealgtag mxr 3.12 and later sec_registerdefaulthttpclient mxr 3.11.1 and later sec_signdata mxr 3.2 and later sec_stringtooid mxr 3.12 and later
secitem_allocitem mxr 3.2 and later
secitem_arenadupitem mxr 3.9 and later
secitem_compareitem mxr 3.2 and later
secitem_copyitem mxr 3.2 and later
secitem_dupitem mxr 3.2 and later
secitem_freeitem mxr 3.2 and later
secitem_itemsareequal ...
... mxr 3.8 and later
secitem_zfreeitem mxr 3.2 and later seckey_copyencryptedprivatekeyinfo mxr 3.2 and later seckey_copyprivatekeyinfo mxr 3.2 and later seckey_creatersaprivatekey mxr 3.2 and later seckey_destroyencryptedprivatekeyinfo mxr 3.2 and later seckey_destroyprivatekeyinfo mxr 3.2 and later seckey_destroypublickey mxr 3.2 and later seckey_publickeystrength mxr 3.2 and later seckey_updatecertpqg mxr 3.2 and later secmod_addnewmodule mxr 3.3 and later secmod_addnewmoduleex mxr ...
OLD SSL Reference
types and structures certcertdbhandle certcertificate pk11slotinfo
secitem seckeyprivatekey secstatus managing
secitem memory
secitem_freeitem
secitem_zfreeitem chapter 4 ssl functions this chapter describes the core ssl functions.
...tificates cert_dupcertificate cert_destroycertificate getting certificate information cert_findcertbyname cert_getcertnicknames cert_freenicknames cert_getdefaultcertdb nss_findcertkeatype comparing
secitem objects
secitem_compareitem chapter 6 key functions this chapter describes two functions used to manipulate private keys and key databases such as the key3.db database provided with communicator.
Utility functions
hm mxr 3.2 and later sec_pkcs5isalgorithmpbealg mxr 3.2 and later sec_pkcs5isalgorithmpbealgtag mxr 3.12 and later sec_registerdefaulthttpclient mxr 3.11.1 and later sec_signdata mxr 3.2 and later sec_stringtooid mxr 3.12 and later
secitem_allocitem mxr 3.2 and later
secitem_arenadupitem mxr 3.9 and later
secitem_compareitem mxr 3.2 and later
secitem_copyitem mxr 3.2 and later
secitem_dupitem mxr 3.2 and later
secitem_freeitem mxr 3.2 and later
secitem_itemsareequal ...
... mxr 3.8 and later
secitem_zfreeitem mxr 3.2 and later seckey_copyencryptedprivatekeyinfo mxr 3.2 and later seckey_copyprivatekeyinfo mxr 3.2 and later seckey_creatersaprivatekey mxr 3.2 and later seckey_destroyencryptedprivatekeyinfo mxr 3.2 and later seckey_destroyprivatekeyinfo mxr 3.2 and later seckey_destroypublickey mxr 3.2 and later seckey_publickeystrength mxr 3.2 and later seckey_updatecertpqg mxr 3.2 and later secmod_addnewmodule mxr 3.3 and later secmod_addnewmoduleex mxr ...
An overview of NSS Internals
the common structure to store such an untyped block is
secitem, which contains a size and an untyped c pointer variable.
Function_Name
syntax #include <headers.h> returntype function_name( paramtype paramname, paramtype paramname, ); parameters paramname sample: in pointer to a certcertdbhandle representing the certificate database to look in paramname sample: in pointer to an
secitem whose type must be sidercertbuffer and whose data contains a der-encoded certificate description long description of this function, what it does, and why you would use it.
CERT_FindCertByDERCert
syntax #include <cert.h> certcertificate *cert_findcertbydercert( certcertdbhandle *handle,
secitem *dercert ); parameters handle in pointer to a certcertdbhandle representing the certificate database to look in dercert in pointer to an
secitem whose type must be sidercertbuffer and whose data contains a der-encoded certificate description this function looks in the ?nsscryptocontext?
Index
the common structure to store such an untyped block is
secitem, which contains a size and an untyped c pointer variable.