Source code
Revision control
Copy as Markdown
Other Tools
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
/* To edit this file, set TABSTOPS to 4 spaces.
* This is not the normal NSS convention.
*/
#include "modutil.h"
#include "pk11func.h"
/*************************************************************************
*
* F i p s M o d e
* If arg=="true", enable FIPS mode on the internal module. If arg=="false",
* disable FIPS mode on the internal module.
*/
Error
FipsMode(char *arg)
{
char *internal_name;
if (!PORT_Strcasecmp(arg, "true")) {
if (!PK11_IsFIPS()) {
internal_name = PR_smprintf("%s",
SECMOD_GetInternalModule()->commonName);
if (SECMOD_DeleteInternalModule(internal_name) != SECSuccess) {
PR_fprintf(PR_STDERR, "%s\n", SECU_Strerror(PORT_GetError()));
PR_smprintf_free(internal_name);
PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
return FIPS_SWITCH_FAILED_ERR;
}
PR_smprintf_free(internal_name);
if (!PK11_IsFIPS()) {
PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
return FIPS_SWITCH_FAILED_ERR;
}
PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]);
} else {
PR_fprintf(PR_STDERR, errStrings[FIPS_ALREADY_ON_ERR]);
return FIPS_ALREADY_ON_ERR;
}
} else if (!PORT_Strcasecmp(arg, "false")) {
if (PK11_IsFIPS()) {
internal_name = PR_smprintf("%s",
SECMOD_GetInternalModule()->commonName);
if (SECMOD_DeleteInternalModule(internal_name) != SECSuccess) {
PR_fprintf(PR_STDERR, "%s\n", SECU_Strerror(PORT_GetError()));
PR_smprintf_free(internal_name);
PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
return FIPS_SWITCH_FAILED_ERR;
}
PR_smprintf_free(internal_name);
if (PK11_IsFIPS()) {
PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
return FIPS_SWITCH_FAILED_ERR;
}
PR_fprintf(PR_STDOUT, msgStrings[FIPS_DISABLED_MSG]);
} else {
PR_fprintf(PR_STDERR, errStrings[FIPS_ALREADY_OFF_ERR]);
return FIPS_ALREADY_OFF_ERR;
}
} else {
PR_fprintf(PR_STDERR, errStrings[INVALID_FIPS_ARG]);
return INVALID_FIPS_ARG;
}
return SUCCESS;
}
/*************************************************************************
*
* C h k F i p s M o d e
* If arg=="true", verify FIPS mode is enabled on the internal module.
* If arg=="false", verify FIPS mode is disabled on the internal module.
*/
Error
ChkFipsMode(char *arg)
{
if (!PORT_Strcasecmp(arg, "true")) {
if (PK11_IsFIPS()) {
PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]);
} else {
PR_fprintf(PR_STDOUT, msgStrings[FIPS_DISABLED_MSG]);
return FIPS_SWITCH_FAILED_ERR;
}
} else if (!PORT_Strcasecmp(arg, "false")) {
if (!PK11_IsFIPS()) {
PR_fprintf(PR_STDOUT, msgStrings[FIPS_DISABLED_MSG]);
} else {
PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]);
return FIPS_SWITCH_FAILED_ERR;
}
} else {
PR_fprintf(PR_STDERR, errStrings[INVALID_FIPS_ARG]);
return INVALID_FIPS_ARG;
}
return SUCCESS;
}
/************************************************************************
* Cipher and Mechanism name-bitmask translation tables
*/
typedef struct {
const char *name;
unsigned long mask;
} MaskString;
static const MaskString cipherStrings[] = {
{ "FORTEZZA", PUBLIC_CIPHER_FORTEZZA_FLAG }
};
static const int numCipherStrings =
sizeof(cipherStrings) / sizeof(cipherStrings[0]);
/* Initialized by LoadMechanismList */
static MaskString *mechanismStrings = NULL;
static int numMechanismStrings = 0;
const static PK11DefaultArrayEntry *pk11_DefaultArray = NULL;
static int pk11_DefaultArraySize = 0;
/* Maximum length of a colon-separated list of all the strings in an
* array. */
#define MAX_STRING_LIST_LEN 240 /* or less */
Error
LoadMechanismList(void)
{
int i;
if (pk11_DefaultArray == NULL) {
pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
if (pk11_DefaultArray == NULL) {
/* should assert. This shouldn't happen */
return UNSPECIFIED_ERR;
}
}
if (mechanismStrings != NULL) {
return SUCCESS;
}
/* build the mechanismStrings array */
mechanismStrings = PORT_NewArray(MaskString, pk11_DefaultArraySize);
if (mechanismStrings == NULL) {
return OUT_OF_MEM_ERR;
}
numMechanismStrings = pk11_DefaultArraySize;
for (i = 0; i < numMechanismStrings; i++) {
const char *name = pk11_DefaultArray[i].name;
unsigned long flag = pk11_DefaultArray[i].flag;
/* map new name to old */
switch (flag) {
case SECMOD_FORTEZZA_FLAG:
name = "FORTEZZA";
break;
case SECMOD_SHA1_FLAG:
name = "SHA1";
break;
case SECMOD_CAMELLIA_FLAG:
name = "CAMELLIA";
break;
case SECMOD_RANDOM_FLAG:
name = "RANDOM";
break;
case SECMOD_FRIENDLY_FLAG:
name = "FRIENDLY";
break;
default:
break;
}
mechanismStrings[i].name = name;
mechanismStrings[i].mask = SECMOD_InternaltoPubMechFlags(flag);
}
return SUCCESS;
}
/************************************************************************
*
* g e t F l a g s F r o m S t r i n g
*
* Parses a mechanism list passed on the command line and converts it
* to an unsigned long bitmask.
* string is a colon-separated string of constants
* array is an array of MaskStrings.
* elements is the number of elements in array.
*/
static unsigned long
getFlagsFromString(char *string, const MaskString array[], int elements)
{
unsigned long ret = 0;
short i = 0;
char *cp;
char *buf;
char *end;
if (!string || !string[0]) {
return ret;
}
/* Make a temporary copy of the string */
buf = PR_Malloc(strlen(string) + 1);
if (!buf) {
out_of_memory();
}
strcpy(buf, string);
/* Look at each element of the list passed in */
for (cp = buf; cp && *cp; cp = (end ? end + 1 : NULL)) {
/* Look at the string up to the next colon */
end = strchr(cp, ':');
if (end) {
*end = '\0';
}
/* Find which element this is */
for (i = 0; i < elements; i++) {
if (!PORT_Strcasecmp(cp, array[i].name)) {
break;
}
}
if (i == elements) {
/* Skip a bogus string, but print a warning message */
PR_fprintf(PR_STDERR, errStrings[INVALID_CONSTANT_ERR], cp);
continue;
}
ret |= array[i].mask;
}
PR_Free(buf);
return ret;
}
/**********************************************************************
*
* g e t S t r i n g F r o m F l a g s
*
* The return string's memory is owned by this function. Copy it
* if you need it permanently or you want to change it.
*/
static char *
getStringFromFlags(unsigned long flags, const MaskString array[], int elements)
{
static char buf[MAX_STRING_LIST_LEN];
int i;
int count = 0;
buf[0] = '\0';
for (i = 0; i < elements; i++) {
if (flags & array[i].mask) {
++count;
if (count != 1) {
strcat(buf, ":");
}
strcat(buf, array[i].name);
}
}
return buf;
}
static PRBool
IsP11KitProxyModule(SECMODModule *module)
{
CK_INFO modinfo;
static const char p11KitManufacturerID[33] =
"PKCS#11 Kit ";
static const char p11KitLibraryDescription[33] =
"PKCS#11 Kit Proxy Module ";
if (PK11_GetModInfo(module, &modinfo) == SECSuccess &&
PORT_Memcmp(modinfo.manufacturerID,
p11KitManufacturerID,
sizeof(modinfo.manufacturerID)) == 0 &&
PORT_Memcmp(modinfo.libraryDescription,
p11KitLibraryDescription,
sizeof(modinfo.libraryDescription)) == 0) {
return PR_TRUE;
}
return PR_FALSE;
}
PRBool
IsP11KitEnabled(void)
{
SECMODListLock *lock;
SECMODModuleList *mlp;
PRBool found = PR_FALSE;
lock = SECMOD_GetDefaultModuleListLock();
if (!lock) {
PR_fprintf(PR_STDERR, errStrings[NO_LIST_LOCK_ERR]);
return found;
}
SECMOD_GetReadLock(lock);
mlp = SECMOD_GetDefaultModuleList();
for (; mlp != NULL; mlp = mlp->next) {
if (IsP11KitProxyModule(mlp->module)) {
found = PR_TRUE;
break;
}
}
SECMOD_ReleaseReadLock(lock);
return found;
}
/**********************************************************************
*
* A d d M o d u l e
*
* Add the named module, with the given library file, ciphers, and
* default mechanism flags
*/
Error
AddModule(char *moduleName, char *libFile, char *cipherString,
char *mechanismString, char *modparms)
{
unsigned long ciphers;
unsigned long mechanisms;
SECStatus status;
mechanisms =
getFlagsFromString(mechanismString, mechanismStrings,
numMechanismStrings);
ciphers =
getFlagsFromString(cipherString, cipherStrings, numCipherStrings);
status =
SECMOD_AddNewModuleEx(moduleName, libFile,
SECMOD_PubMechFlagstoInternal(mechanisms),
SECMOD_PubCipherFlagstoInternal(ciphers),
modparms, NULL);
if (status != SECSuccess) {
char *errtxt = NULL;
PRInt32 copied = 0;
if (PR_GetErrorTextLength()) {
errtxt = PR_Malloc(PR_GetErrorTextLength() + 1);
copied = PR_GetErrorText(errtxt);
}
if (copied && errtxt) {
PR_fprintf(PR_STDERR, errStrings[ADD_MODULE_FAILED_ERR],
moduleName, errtxt);
PR_Free(errtxt);
} else {
PR_fprintf(PR_STDERR, errStrings[ADD_MODULE_FAILED_ERR],
moduleName, SECU_Strerror(PORT_GetError()));
}
return ADD_MODULE_FAILED_ERR;
} else {
PR_fprintf(PR_STDOUT, msgStrings[ADD_MODULE_SUCCESS_MSG], moduleName);
return SUCCESS;
}
}
/***********************************************************************
*
* D e l e t e M o d u l e
*
* Deletes the named module from the database.
*/
Error
DeleteModule(char *moduleName)
{
SECStatus status;
int type;
status = SECMOD_DeleteModule(moduleName, &type);
if (status != SECSuccess) {
if (type == SECMOD_FIPS || type == SECMOD_INTERNAL) {
PR_fprintf(PR_STDERR, errStrings[DELETE_INTERNAL_ERR]);
return DELETE_INTERNAL_ERR;
} else {
PR_fprintf(PR_STDERR, errStrings[DELETE_FAILED_ERR], moduleName);
return DELETE_FAILED_ERR;
}
}
PR_fprintf(PR_STDOUT, msgStrings[DELETE_SUCCESS_MSG], moduleName);
return SUCCESS;
}
/************************************************************************
*
* R a w L i s t M o d u l e s
*
* Lists all the modules in the database, along with their slots and tokens.
*/
Error
RawListModule(char *modulespec)
{
SECMODModule *module;
char **moduleSpecList;
module = SECMOD_LoadModule(modulespec, NULL, PR_FALSE);
if (module == NULL) {
/* handle error */
return NO_SUCH_MODULE_ERR;
}
moduleSpecList = SECMOD_GetModuleSpecList(module);
if (!moduleSpecList || !moduleSpecList[0]) {
SECU_PrintError("modutil",
"no specs in secmod DB");
return NO_SUCH_MODULE_ERR;
}
for (; *moduleSpecList; moduleSpecList++) {
printf("%s\n\n", *moduleSpecList);
}
return SUCCESS;
}
Error
RawAddModule(char *dbmodulespec, char *modulespec)
{
SECMODModule *module;
SECMODModule *dbmodule;
dbmodule = SECMOD_LoadModule(dbmodulespec, NULL, PR_TRUE);
if (dbmodule == NULL) {
/* handle error */
return NO_SUCH_MODULE_ERR;
}
module = SECMOD_LoadModule(modulespec, dbmodule, PR_FALSE);
if (module == NULL) {
/* handle error */
return NO_SUCH_MODULE_ERR;
}
if (SECMOD_UpdateModule(module) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[UPDATE_MOD_FAILED_ERR], modulespec);
return UPDATE_MOD_FAILED_ERR;
}
return SUCCESS;
}
static void
printModule(SECMODModule *module, int *count)
{
int slotCount = module->loaded ? module->slotCount : 0;
char *modUri;
int i;
if ((*count)++) {
PR_fprintf(PR_STDOUT, "\n");
}
PR_fprintf(PR_STDOUT, "%3d. %s\n", *count, module->commonName);
if (module->dllName) {
PR_fprintf(PR_STDOUT, "\tlibrary name: %s\n", module->dllName);
}
modUri = PK11_GetModuleURI(module);
if (modUri) {
PR_fprintf(PR_STDOUT, "\t uri: %s\n", modUri);
PORT_Free(modUri);
}
if (slotCount == 0) {
PR_fprintf(PR_STDOUT,
"\t slots: There are no slots attached to this module\n");
} else {
PR_fprintf(PR_STDOUT, "\t slots: %d slot%s attached\n",
slotCount, (slotCount == 1 ? "" : "s"));
}
if (module->loaded == 0) {
PR_fprintf(PR_STDOUT, "\tstatus: Not loaded\n");
} else {
PR_fprintf(PR_STDOUT, "\tstatus: loaded\n");
}
/* Print slot and token names */
for (i = 0; i < slotCount; i++) {
PK11SlotInfo *slot = module->slots[i];
char *tokenUri = PK11_GetTokenURI(slot);
PR_fprintf(PR_STDOUT, "\n");
PR_fprintf(PR_STDOUT, "\t slot: %s\n", PK11_GetSlotName(slot));
PR_fprintf(PR_STDOUT, "\ttoken: %s\n", PK11_GetTokenName(slot));
PR_fprintf(PR_STDOUT, "\t uri: %s\n", tokenUri);
PORT_Free(tokenUri);
}
return;
}
/************************************************************************
*
* L i s t M o d u l e s
*
* Lists all the modules in the database, along with their slots and tokens.
*/
Error
ListModules()
{
SECMODListLock *lock;
SECMODModuleList *list;
SECMODModuleList *deadlist;
SECMODModuleList *mlp;
Error ret = UNSPECIFIED_ERR;
int count = 0;
lock = SECMOD_GetDefaultModuleListLock();
if (!lock) {
PR_fprintf(PR_STDERR, errStrings[NO_LIST_LOCK_ERR]);
return NO_LIST_LOCK_ERR;
}
SECMOD_GetReadLock(lock);
list = SECMOD_GetDefaultModuleList();
deadlist = SECMOD_GetDeadModuleList();
if (!list && !deadlist) {
PR_fprintf(PR_STDERR, errStrings[NO_MODULE_LIST_ERR]);
ret = NO_MODULE_LIST_ERR;
goto loser;
}
PR_fprintf(PR_STDOUT,
"\nListing of PKCS #11 Modules\n"
"-----------------------------------------------------------\n");
for (mlp = list; mlp != NULL; mlp = mlp->next) {
printModule(mlp->module, &count);
}
for (mlp = deadlist; mlp != NULL; mlp = mlp->next) {
printModule(mlp->module, &count);
}
PR_fprintf(PR_STDOUT,
"-----------------------------------------------------------\n");
ret = SUCCESS;
loser:
SECMOD_ReleaseReadLock(lock);
return ret;
}
/* Strings describing PK11DisableReasons */
static char *disableReasonStr[] = {
"no reason",
"user disabled",
"could not initialize token",
"could not verify token",
"token not present"
};
static size_t numDisableReasonStr =
sizeof(disableReasonStr) / sizeof(disableReasonStr[0]);
/***********************************************************************
*
* L i s t M o d u l e
*
* Lists detailed information about the named module.
*/
Error
ListModule(char *moduleName)
{
SECMODModule *module = NULL;
PK11SlotInfo *slot;
int slotnum;
CK_INFO modinfo;
CK_SLOT_INFO slotinfo;
CK_TOKEN_INFO tokeninfo;
char *ciphers, *mechanisms;
size_t reasonIdx;
Error rv = SUCCESS;
if (!moduleName) {
return SUCCESS;
}
module = SECMOD_FindModule(moduleName);
if (!module) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
rv = NO_SUCH_MODULE_ERR;
goto loser;
}
if ((module->loaded) &&
(PK11_GetModInfo(module, &modinfo) != SECSuccess)) {
PR_fprintf(PR_STDERR, errStrings[MOD_INFO_ERR], moduleName);
rv = MOD_INFO_ERR;
goto loser;
}
/* Module info */
PR_fprintf(PR_STDOUT,
"\n-----------------------------------------------------------\n");
PR_fprintf(PR_STDOUT, "Name: %s\n", module->commonName);
if (module->internal || !module->dllName) {
PR_fprintf(PR_STDOUT, "Library file: **Internal ONLY module**\n");
} else {
PR_fprintf(PR_STDOUT, "Library file: %s\n", module->dllName);
}
if (module->loaded) {
PR_fprintf(PR_STDOUT, "Manufacturer: %.32s\n", modinfo.manufacturerID);
PR_fprintf(PR_STDOUT, "Description: %.32s\n", modinfo.libraryDescription);
PR_fprintf(PR_STDOUT, "PKCS #11 Version %d.%d\n",
modinfo.cryptokiVersion.major, modinfo.cryptokiVersion.minor);
PR_fprintf(PR_STDOUT, "Library Version: %d.%d\n",
modinfo.libraryVersion.major, modinfo.libraryVersion.minor);
} else {
PR_fprintf(PR_STDOUT, "* Module not loaded\n");
}
/* Get cipher and mechanism flags */
ciphers = getStringFromFlags(module->ssl[0], cipherStrings,
numCipherStrings);
if (ciphers[0] == '\0') {
ciphers = "None";
}
PR_fprintf(PR_STDOUT, "Cipher Enable Flags: %s\n", ciphers);
mechanisms = NULL;
if (module->slotCount > 0) {
mechanisms = getStringFromFlags(
PK11_GetDefaultFlags(module->slots[0]),
mechanismStrings, numMechanismStrings);
}
if ((mechanisms == NULL) || (mechanisms[0] == '\0')) {
mechanisms = "None";
}
PR_fprintf(PR_STDOUT, "Default Mechanism Flags: %s\n", mechanisms);
#define PAD " "
/* Loop over each slot */
for (slotnum = 0; slotnum < module->slotCount; slotnum++) {
slot = module->slots[slotnum];
if (PK11_GetSlotInfo(slot, &slotinfo) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[SLOT_INFO_ERR],
PK11_GetSlotName(slot));
rv = SLOT_INFO_ERR;
continue;
}
/* Slot Info */
PR_fprintf(PR_STDOUT, "\n" PAD "Slot: %s\n", PK11_GetSlotName(slot));
mechanisms = getStringFromFlags(PK11_GetDefaultFlags(slot),
mechanismStrings, numMechanismStrings);
if (mechanisms[0] == '\0') {
mechanisms = "None";
}
PR_fprintf(PR_STDOUT, PAD "Slot Mechanism Flags: %s\n", mechanisms);
PR_fprintf(PR_STDOUT, PAD "Manufacturer: %.32s\n",
slotinfo.manufacturerID);
if (PK11_IsHW(slot)) {
PR_fprintf(PR_STDOUT, PAD "Type: Hardware\n");
} else {
PR_fprintf(PR_STDOUT, PAD "Type: Software\n");
}
PR_fprintf(PR_STDOUT, PAD "Version Number: %d.%d\n",
slotinfo.hardwareVersion.major, slotinfo.hardwareVersion.minor);
PR_fprintf(PR_STDOUT, PAD "Firmware Version: %d.%d\n",
slotinfo.firmwareVersion.major, slotinfo.firmwareVersion.minor);
if (PK11_IsDisabled(slot)) {
reasonIdx = PK11_GetDisabledReason(slot);
if (reasonIdx < numDisableReasonStr) {
PR_fprintf(PR_STDOUT, PAD "Status: DISABLED (%s)\n",
disableReasonStr[reasonIdx]);
} else {
PR_fprintf(PR_STDOUT, PAD "Status: DISABLED\n");
}
} else {
PR_fprintf(PR_STDOUT, PAD "Status: Enabled\n");
}
if (PK11_GetTokenInfo(slot, &tokeninfo) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[TOKEN_INFO_ERR],
PK11_GetTokenName(slot));
rv = TOKEN_INFO_ERR;
continue;
}
/* Token Info */
PR_fprintf(PR_STDOUT, PAD "Token Name: %.32s\n",
tokeninfo.label);
PR_fprintf(PR_STDOUT, PAD "Token Manufacturer: %.32s\n",
tokeninfo.manufacturerID);
PR_fprintf(PR_STDOUT, PAD "Token Model: %.16s\n", tokeninfo.model);
PR_fprintf(PR_STDOUT, PAD "Token Serial Number: %.16s\n",
tokeninfo.serialNumber);
PR_fprintf(PR_STDOUT, PAD "Token Version: %d.%d\n",
tokeninfo.hardwareVersion.major, tokeninfo.hardwareVersion.minor);
PR_fprintf(PR_STDOUT, PAD "Token Firmware Version: %d.%d\n",
tokeninfo.firmwareVersion.major, tokeninfo.firmwareVersion.minor);
if (tokeninfo.flags & CKF_WRITE_PROTECTED) {
PR_fprintf(PR_STDOUT, PAD "Access: Write Protected\n");
} else {
PR_fprintf(PR_STDOUT, PAD "Access: NOT Write Protected\n");
}
if (tokeninfo.flags & CKF_LOGIN_REQUIRED) {
PR_fprintf(PR_STDOUT, PAD "Login Type: Login required\n");
} else {
PR_fprintf(PR_STDOUT, PAD
"Login Type: Public (no login required)\n");
}
if (tokeninfo.flags & CKF_USER_PIN_INITIALIZED) {
PR_fprintf(PR_STDOUT, PAD "User Pin: Initialized\n");
} else {
PR_fprintf(PR_STDOUT, PAD "User Pin: NOT Initialized\n");
}
}
PR_fprintf(PR_STDOUT,
"\n-----------------------------------------------------------\n");
loser:
if (module) {
SECMOD_DestroyModule(module);
}
return rv;
}
/************************************************************************
*
* I n i t P W
*/
Error
InitPW(void)
{
PK11SlotInfo *slot;
Error ret = UNSPECIFIED_ERR;
slot = PK11_GetInternalKeySlot();
if (!slot) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_TOKEN_ERR], "internal");
return NO_SUCH_TOKEN_ERR;
}
/* Set the initial password to empty */
if (PK11_NeedUserInit(slot)) {
if (PK11_InitPin(slot, NULL, "") != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[INITPW_FAILED_ERR]);
ret = INITPW_FAILED_ERR;
goto loser;
}
}
ret = SUCCESS;
loser:
PK11_FreeSlot(slot);
return ret;
}
/************************************************************************
*
* C h a n g e P W
*/
Error
ChangePW(char *tokenName, char *pwFile, char *newpwFile)
{
char *oldpw = NULL, *newpw = NULL, *newpw2 = NULL;
PK11SlotInfo *slot;
Error ret = UNSPECIFIED_ERR;
PRBool matching;
slot = PK11_FindSlotByName(tokenName);
if (!slot) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_TOKEN_ERR], tokenName);
return NO_SUCH_TOKEN_ERR;
}
/* Get old password */
if (!PK11_NeedUserInit(slot)) {
if (pwFile) {
oldpw = SECU_FilePasswd(NULL, PR_FALSE, pwFile);
if (PK11_CheckUserPassword(slot, oldpw) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[BAD_PW_ERR]);
ret = BAD_PW_ERR;
goto loser;
}
} else if (PK11_NeedLogin(slot)) {
for (matching = PR_FALSE; !matching;) {
oldpw = SECU_GetPasswordString(NULL, "Enter old password: ");
if (PK11_CheckUserPassword(slot, oldpw) == SECSuccess) {
matching = PR_TRUE;
} else {
PR_fprintf(PR_STDOUT, msgStrings[BAD_PW_MSG]);
}
}
}
}
/* Get new password */
if (newpwFile) {
newpw = SECU_FilePasswd(NULL, PR_FALSE, newpwFile);
} else {
for (matching = PR_FALSE; !matching;) {
newpw = SECU_GetPasswordString(NULL, "Enter new password: ");
newpw2 = SECU_GetPasswordString(NULL, "Re-enter new password: ");
if (strcmp(newpw, newpw2)) {
PR_fprintf(PR_STDOUT, msgStrings[PW_MATCH_MSG]);
PORT_ZFree(newpw, strlen(newpw));
PORT_ZFree(newpw2, strlen(newpw2));
} else {
matching = PR_TRUE;
}
}
}
/* Change the password */
if (PK11_NeedUserInit(slot)) {
if (PK11_InitPin(slot, NULL /*ssopw*/, newpw) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName);
ret = CHANGEPW_FAILED_ERR;
goto loser;
}
} else {
if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName);
ret = CHANGEPW_FAILED_ERR;
goto loser;
}
}
PR_fprintf(PR_STDOUT, msgStrings[CHANGEPW_SUCCESS_MSG], tokenName);
ret = SUCCESS;
loser:
if (oldpw) {
PORT_ZFree(oldpw, strlen(oldpw));
}
if (newpw) {
PORT_ZFree(newpw, strlen(newpw));
}
if (newpw2) {
PORT_ZFree(newpw2, strlen(newpw2));
}
PK11_FreeSlot(slot);
return ret;
}
/***********************************************************************
*
* E n a b l e M o d u l e
*
* If enable==PR_TRUE, enables the module or slot.
* If enable==PR_FALSE, disables the module or slot.
* moduleName is the name of the module.
* slotName is the name of the slot. It is optional.
*/
Error
EnableModule(char *moduleName, char *slotName, PRBool enable)
{
int i;
SECMODModule *module = NULL;
PK11SlotInfo *slot = NULL;
PRBool found = PR_FALSE;
Error rv;
module = SECMOD_FindModule(moduleName);
if (!module) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
rv = NO_SUCH_MODULE_ERR;
goto loser;
}
for (i = 0; i < module->slotCount; i++) {
slot = module->slots[i];
if (slotName && strcmp(PK11_GetSlotName(slot), slotName)) {
/* Not the right slot */
continue;
}
if (enable) {
if (!PK11_UserEnableSlot(slot)) {
PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
"enable", PK11_GetSlotName(slot));
rv = ENABLE_FAILED_ERR;
goto loser;
} else {
found = PR_TRUE;
PR_fprintf(PR_STDOUT, msgStrings[ENABLE_SUCCESS_MSG],
PK11_GetSlotName(slot), "enabled");
}
} else {
if (!PK11_UserDisableSlot(slot)) {
PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
"disable", PK11_GetSlotName(slot));
rv = ENABLE_FAILED_ERR;
goto loser;
} else {
found = PR_TRUE;
PR_fprintf(PR_STDOUT, msgStrings[ENABLE_SUCCESS_MSG],
PK11_GetSlotName(slot), "disabled");
}
}
}
if (slotName && !found) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName);
rv = NO_SUCH_SLOT_ERR;
goto loser;
}
/* Delete and re-add module to save changes */
if (SECMOD_UpdateModule(module) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[UPDATE_MOD_FAILED_ERR], moduleName);
rv = UPDATE_MOD_FAILED_ERR;
goto loser;
}
rv = SUCCESS;
loser:
if (module) {
SECMOD_DestroyModule(module);
}
return rv;
}
/*************************************************************************
*
* S e t D e f a u l t M o d u l e
*
*/
Error
SetDefaultModule(char *moduleName, char *slotName, char *mechanisms)
{
SECMODModule *module = NULL;
PK11SlotInfo *slot;
int s, i;
unsigned long mechFlags = getFlagsFromString(mechanisms, mechanismStrings,
numMechanismStrings);
PRBool found = PR_FALSE;
Error errcode = UNSPECIFIED_ERR;
mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags);
module = SECMOD_FindModule(moduleName);
if (!module) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
errcode = NO_SUCH_MODULE_ERR;
goto loser;
}
/* Go through each slot */
for (s = 0; s < module->slotCount; s++) {
slot = module->slots[s];
if ((slotName != NULL) &&
!((strcmp(PK11_GetSlotName(slot), slotName) == 0) ||
(strcmp(PK11_GetTokenName(slot), slotName) == 0))) {
/* we are only interested in changing the one slot */
continue;
}
found = PR_TRUE;
/* Go through each mechanism */
for (i = 0; i < pk11_DefaultArraySize; i++) {
if (pk11_DefaultArray[i].flag & mechFlags) {
/* Enable this default mechanism */
PK11_UpdateSlotAttribute(slot, &(pk11_DefaultArray[i]),
PR_TRUE);
}
}
}
if (slotName && !found) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName);
errcode = NO_SUCH_SLOT_ERR;
goto loser;
}
/* Delete and re-add module to save changes */
if (SECMOD_UpdateModule(module) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[DEFAULT_FAILED_ERR],
moduleName);
errcode = DEFAULT_FAILED_ERR;
goto loser;
}
PR_fprintf(PR_STDOUT, msgStrings[DEFAULT_SUCCESS_MSG]);
errcode = SUCCESS;
loser:
if (module) {
SECMOD_DestroyModule(module);
}
return errcode;
}
/************************************************************************
*
* U n s e t D e f a u l t M o d u l e
*/
Error
UnsetDefaultModule(char *moduleName, char *slotName, char *mechanisms)
{
SECMODModule *module = NULL;
PK11SlotInfo *slot;
int s, i;
unsigned long mechFlags = getFlagsFromString(mechanisms,
mechanismStrings, numMechanismStrings);
PRBool found = PR_FALSE;
Error rv;
mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags);
module = SECMOD_FindModule(moduleName);
if (!module) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
rv = NO_SUCH_MODULE_ERR;
goto loser;
}
for (s = 0; s < module->slotCount; s++) {
slot = module->slots[s];
if ((slotName != NULL) &&
!((strcmp(PK11_GetSlotName(slot), slotName) == 0) ||
(strcmp(PK11_GetTokenName(slot), slotName) == 0))) {
/* we are only interested in changing the one slot */
continue;
}
for (i = 0; i < pk11_DefaultArraySize; i++) {
if (pk11_DefaultArray[i].flag & mechFlags) {
PK11_UpdateSlotAttribute(slot, &(pk11_DefaultArray[i]),
PR_FALSE);
}
}
}
if (slotName && !found) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName);
rv = NO_SUCH_SLOT_ERR;
goto loser;
}
/* Delete and re-add module to save changes */
if (SECMOD_UpdateModule(module) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[UNDEFAULT_FAILED_ERR],
moduleName);
rv = UNDEFAULT_FAILED_ERR;
goto loser;
}
PR_fprintf(PR_STDOUT, msgStrings[UNDEFAULT_SUCCESS_MSG]);
rv = SUCCESS;
loser:
if (module) {
SECMOD_DestroyModule(module);
}
return rv;
}