[rs-commit] r48 - in /redwax-tool/trunk: redwax-tool.c redwax-tool.h redwax_nss.c
Sat Nov 20 15:12:02 CET 2021
Author: minfrin at redwax.eu
Date: Sat Nov 20 15:12:02 2021
New Revision: 48
Log:
NSS uses secret-token file for secrets.
Modified:
redwax-tool/trunk/redwax-tool.c
redwax-tool/trunk/redwax-tool.h
redwax-tool/trunk/redwax_nss.c
Modified: redwax-tool/trunk/redwax-tool.c
==============================================================================
--- redwax-tool/trunk/redwax-tool.c (original)
+++ redwax-tool/trunk/redwax-tool.c Sat Nov 20 15:12:02 2021
@@ -93,7 +93,8 @@
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(rt, REDWAX, int, process_filter,
(redwax_tool_t * r, const char *arg), (r, arg), DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(rt, REDWAX, int, process_nss_out,
- (redwax_tool_t * r, const char *path, const char *token, const char *secret), (r, path, token, secret), DECLINED);
+ (redwax_tool_t * r, const char *path, const char *token, apr_hash_t *secrets),
+ (r, path, token, secrets), DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(rt, REDWAX, int, complete_nss_token_out,
(redwax_tool_t * r, apr_hash_t *tokens), (r, tokens), DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(rt, REDWAX, int, process_pem_out,
@@ -1522,9 +1523,8 @@
apr_status_t redwax_token_out(redwax_tool_t *r, const char *path, const char *token,
apr_status_t (out)(redwax_tool_t *r, const char *path, const char *token,
- const char *secret))
-{
- char *dir, *base;
+ apr_hash_t *secrets))
+{
apr_status_t status;
if (!path) {
@@ -1536,10 +1536,7 @@
return APR_ENOENT;
}
- base = basename(apr_pstrdup(r->pool, path));
- dir = dirname(apr_pstrdup(r->pool, path));
-
- status = out(r, path, token, redwax_secret_path(r, dir, base, r->secret_suffix_out));
+ status = out(r, path, token, redwax_secrets_path(r, r->secret_token_out));
if (APR_SUCCESS != status) {
return status;
}
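Review bot: `redwax_secrets_path(r, r->secret_token_out)` is called unconditionally and its result handed straight to `out`, whereas the replaced lines derived a per-output secret path from `path` and `r->secret_suffix_out`. Whether the helper handles a NULL `r->secret_token_out` (no secret-token file configured) by returning NULL, which is what the NSS consumer's `if (secrets)` guard relies on before falling back to prompting, is not visible here and should be confirmed. A one-line comment at the call would help the next reader, e.g. `/* secrets for every NSS token come from the single secret-token file, when one is configured */`. redwax_token_out starts in the previous hunk and its body continues past this one.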
Modified: redwax-tool/trunk/redwax-tool.h
==============================================================================
--- redwax-tool/trunk/redwax-tool.h (original)
+++ redwax-tool/trunk/redwax-tool.h Sat Nov 20 15:12:02 2021
@@ -385,7 +385,8 @@
* @param r The redwax-tool context.
*/
APR_DECLARE_EXTERNAL_HOOK(rt, REDWAX, apr_status_t, process_nss_out,
- (redwax_tool_t *r, const char *path, const char *token, const char *secret));
+ (redwax_tool_t *r, const char *path, const char *token,
+ apr_hash_t *secrets));
/**
* Hook to complete outgoing NSS token.
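Review bot: The Doxygen block above the changed declaration documents only `r`; the new `secrets` parameter, and the existing `path` and `token`, have no `@param` entries, so the contract of the hash is undocumented at the one place implementers read it. The NSS consumer looks the hash up by token name and treats the value as the passphrase string, so add `@param secrets Hash mapping a token name to its passphrase, or NULL to prompt for it.` alongside `@param path` and `@param token` lines. That NULL is the signal for interactive prompting is inferred from the `if (secrets)` guard in redwax_nss.c and should be confirmed before it is written down. The start of this comment block lies outside the hunk.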
Modified: redwax-tool/trunk/redwax_nss.c
==============================================================================
--- redwax-tool/trunk/redwax_nss.c (original)
+++ redwax-tool/trunk/redwax_nss.c Sat Nov 20 15:12:02 2021
@@ -51,7 +51,7 @@
redwax_tool_t *r;
apr_pool_t *pool;
const char *what;
- const char *secret;
+ apr_hash_t *secrets;
const char *file;
int verify;
} redwax_nss_secret_t;
@@ -117,10 +117,8 @@
redwax_tool_t *r = s->r;
- apr_file_t *sfile;
-
const char *what = s->what;
- const char *secret = s->secret;
+ apr_hash_t *secrets = s->secrets;
const char *file = s->file;
const char *name = PK11_GetSlotName(slot);
@@ -138,143 +136,52 @@
*
* Secret file specified and secret file exists, use that secret.
*
- * Secret file specified and secret file does not exist, generate
- * a random secret and write the secret to the file.
- *
* No secret file specified, ask for the secret twice.
*/
- do {
+ if (secrets) {
char *pin;
- int namelen = strlen(name);
- int intlen = strlen(REDWAX_NSS_INTERNAL_SOFTWARE_TOKEN);
-
- char *buf = apr_palloc(pool, max + 2);
- char *lf;
-
- status = apr_filepath_merge(&pin, file, "pin.txt",
- APR_FILEPATH_TRUENAME, pool);
- if (APR_SUCCESS != status) {
- break;
- }
-
- status = apr_file_open(&sfile, pin, APR_FOPEN_READ,
- APR_FPROT_OS_DEFAULT, pool);
- if (APR_SUCCESS != status) {
- break;
- }
-
-#if HAVE_APR_CRYPTO_CLEAR
- apr_crypto_clear(pool, buf, max + 2);
-#endif
-
- do {
-
- status = apr_file_gets(buf, max + 2, sfile);
-
- if (APR_EOF == status) {
- break;
- }
- else if (APR_SUCCESS != status) {
- redwax_print_error(r,
- "Could not read '%s': %pm\n", pin, &status);
+ if (PK11_IsInternal(slot)) {
+ pin = apr_hash_get(secrets, REDWAX_NSS_INTERNAL_SOFTWARE_TOKEN, APR_HASH_KEY_STRING);
+ name = REDWAX_NSS_INTERNAL_SOFTWARE_TOKEN;
+ }
+ else {
+ pin = apr_hash_get(secrets, name, APR_HASH_KEY_STRING);
+ }
+
+ /* pass this way just once */
+ s->secrets = NULL;
+
+ if (pin) {
+
+ int len;
+
+ len = strlen(pin);
+ if (len < min) {
+
+ redwax_print_error(r,
+ "Passphrase for '%s' is too short, must be at least %"
+ APR_SIZE_T_FMT " characters.\n",
+ name, min);
+ }
+ else if (len > max) {
+
+ redwax_print_error(r,
+ "Passphrase for '%s' is too long, must be at most %"
+ APR_SIZE_T_FMT " characters.\n",
+ name, max);
+ }
+ else {
+
+ char *passphrase = PORT_Strdup((char *)pin);
+
apr_pool_destroy(pool);
- return NULL;
- }
-
- lf = strrchr(buf, '\n');
- if (lf) {
- *lf = 0;
- }
-
- if (PK11_IsInternal(slot) &&
- !strncmp(buf, REDWAX_NSS_INTERNAL_SOFTWARE_TOKEN, intlen) &&
- buf[intlen] == ':') {
-
- char *passphrase = PORT_Strdup(buf + intlen + 1);
-
- apr_pool_destroy(pool);
return passphrase;
}
- if (!strncmp(buf, name, namelen) && buf[namelen] == ':') {
-
- char *passphrase = PORT_Strdup(buf + namelen + 1);
-
- apr_pool_destroy(pool);
-
- return passphrase;
- }
-
- } while (1);
-
- } while (0);
-
- /* next step, try the secret file */
- if (secret) {
-
- status = apr_file_open(&sfile, secret, APR_FOPEN_READ,
- APR_FPROT_OS_DEFAULT, pool);
-
- if (APR_SUCCESS == status) {
-
- char *buf = apr_palloc(pool, max + 2);
- char *lf;
- int len;
-
-#if HAVE_APR_CRYPTO_CLEAR
- apr_crypto_clear(pool, buf, max + 2);
-#endif
-
- status = apr_file_gets(buf, max + 2, sfile);
-
- if (APR_SUCCESS != status) {
- redwax_print_error(r,
- "Could not read '%s': %pm\n", secret, &status);
- apr_pool_destroy(pool);
- return NULL;
- }
-
- lf = strrchr(buf, '\n');
- if (lf) {
- *lf = 0;
- }
-
- len = strlen(buf);
- if (len < min) {
-
- redwax_print_error(r,
- "Passphrase in '%s' is too short, must be at least %"
- APR_SIZE_T_FMT " characters.\n",
- secret, min);
- }
- else if (len > max) {
-
- redwax_print_error(r,
- "Passphrase in '%s' is too long, must be at most %"
- APR_SIZE_T_FMT " characters.\n",
- secret, max);
- }
- else {
-
- char *passphrase = PORT_Strdup((char *)buf);
-
- apr_pool_destroy(pool);
-
- return passphrase;
-
- }
-
- }
- else if (APR_ENOENT == status) {
-
- }
- else {
- redwax_print_error(r,
- "Could not open '%s': %pm\n", secret, &status);
}
}
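Review bot: The explanatory comment at the top of this hunk is now stale: the surviving sentence `Secret file specified and secret file exists, use that secret.` describes the removed file-reading code, while the new code never opens a file here and instead looks the token up in the `secrets` hash. Suggest `* Secrets hash supplied and it holds an entry for this token, use that entry.` in place of that line, with a following sentence saying that a missing entry appears to fall through to the interactive prompt, since the pin.txt lookup this comment also covered is gone. Separately, `int len; len = strlen(pin);` is compared against `min` and `max`, which are printed with APR_SIZE_T_FMT and so appear to be apr_size_t; `size_t len = strlen(pin);` avoids the signed/unsigned comparison, and the `(char *)` cast in `PORT_Strdup((char *)pin)` is redundant now that `pin` is already `char *`. The enclosing password callback begins before and ends after this hunk.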
@@ -438,7 +345,7 @@
}
static apr_status_t redwax_nss_process_nss_out(redwax_tool_t *r,
- const char *file, const char *sname, const char *secret)
+ const char *file, const char *sname, apr_hash_t *secrets)
{
apr_pool_t *pool;
NSSInitContext *crypto_context;
@@ -505,7 +412,7 @@
s.r = r;
s.pool = pool;
s.file = file;
- s.secret = secret;
+ s.secrets = secrets;
s.what = apr_pstrndup(pool, (char*) token.label,
rtrim((char*) token.label, sizeof(token.label)));