author | Sune Vuorela <sune@vuorela.dk> | 2023-06-06 16:02:25 +0000 |
committer | Albert Astals Cid <tsdgeos@yahoo.es> | 2023-06-06 16:02:25 +0000 |
commit | 8d4764b498d4f9798e9aaedbce5e442d382acb0a (patch) | |
tree | fd8ee089dfd6aea71055b2c65bae9ecd4dd0d4ab | |
parent | def45c82b36ec393fbaf16d9873db23bc9659b80 (diff) |
pdfsig: Allow show and select backend
-rw-r--r-- | utils/CMakeLists.txt | 6 | ||||
-rw-r--r-- | utils/pdfsig.1 | 8 | ||||
-rw-r--r-- | utils/pdfsig.cc | 52 |
3 files changed, 60 insertions, 6 deletions
diff --git a/utils/CMakeLists.txt b/utils/CMakeLists.txt
index 1c3ebcb1..d9795eb9 100644
--- a/utils/CMakeLists.txt
+++ b/utils/CMakeLists.txt
@@ -93,14 +93,16 @@ target_link_libraries(pdfinfo ${common_libs})
 install(TARGETS pdfinfo DESTINATION bin)
 install(FILES pdfinfo.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
-if (ENABLE_NSS3)
+if (ENABLE_SIGNATURES)
 # pdfsig
 set(pdfsig_SOURCES
 ${common_srcs}
 pdfsig.cc
 )
 add_executable(pdfsig ${pdfsig_SOURCES})
- target_include_directories(pdfsig SYSTEM PRIVATE ${NSS3_INCLUDE_DIRS})
 target_link_libraries(pdfsig ${common_libs})
+ if (ENABLE_NSS3)
+ target_include_directories(pdfsig SYSTEM PRIVATE ${NSS3_INCLUDE_DIRS})
+ endif()
 install(TARGETS pdfsig DESTINATION bin)
 install(FILES pdfsig.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
 endif ()
diff --git a/utils/pdfsig.1 b/utils/pdfsig.1
index 2d84b0c6..3f6ede7f 100644
--- a/utils/pdfsig.1
+++ b/utils/pdfsig.1
@@ -62,7 +62,10 @@ Specifies the field name to be used when adding a new signature. A random ID wil
 Sign the document in the specified signature field present in the document (must be unsigned). Field can be specified by field name (string) or the n-th signature field in the document (integer).
 .TP
 .B \-nick " nickname"
-Use the certificate with the given nickname for signing. If nickname starts with pkcs11:, it's treated as PKCS#11 URI.
+Use the certificate with the given nickname for signing (NSS backend). If nickname starts with pkcs11:, it's treated as PKCS#11 URI (NSS backend). If the nickname is given as a fingerprint, it will be the certificate used (GPG backend)
+.TP
+.B \-backend " backend"
+Use the specified backeng for cryptographic signatures
 .TP
 .B \-kpw " password"
 Use the given password for the signing key
@@ -80,6 +83,9 @@ Create a signature of type ETSI.CAdES.detached instead of adbe.pkcs7.detached.
 .B \-list-nicks
 List available nicknames in the NSS database.
 .TP
+.B \-list-backends
+List available backends for cryptographic signatures
+.TP
 .B \-v
 Print copyright and version information.
 .TP
diff --git a/utils/pdfsig.cc b/utils/pdfsig.cc
index 0baf0d09..047f8ba5 100644
--- a/utils/pdfsig.cc
+++ b/utils/pdfsig.cc
@@ -29,7 +29,6 @@
 #include <cstddef>
 #include <cstring>
 #include <ctime>
-#include <hasht.h>
 #include <fstream>
 #include <random>
 #include "parseargs.h"
@@ -41,7 +40,9 @@
 #include "PDFDocFactory.h"
 #include "Error.h"
 #include "GlobalParams.h"
-#include "NSSCryptoSignBackend.h"
+#ifdef ENABLE_NSS3
+# include "NSSCryptoSignBackend.h"
+#endif
 #include "CryptoSignBackend.h"
 #include "SignatureInfo.h"
 #include "Win32Console.h"
@@ -135,10 +136,12 @@ static char ownerPassword[33] = "\001";
 static char userPassword[33] = "\001";
 static bool printVersion = false;
 static bool printHelp = false;
+static bool printCryptoSignBackends = false;
 static bool dontVerifyCert = false;
 static bool noOCSPRevocationCheck = false;
 static bool dumpSignatures = false;
 static bool etsiCAdESdetached = false;
+static char backendString[256] = "";
 static char signatureName[256] = "";
 static char certNickname[256] = "";
 static char password[256] = "";
@@ -159,11 +162,13 @@ static const ArgDesc argDesc[] = { { "-nssdir", argGooString, &nssDir, 0, "path
 { "-new-signature-field-name", argGooString, &newSignatureFieldName, 0, "field name used for the newly added signature. A random ID will be used if empty" },
 { "-sign", argString, &signatureName, 256, "sign the document in the given signature field (by name or number)" },
 { "-etsi", argFlag, &etsiCAdESdetached, 0, "create a signature of type ETSI.CAdES.detached instead of adbe.pkcs7.detached" },
- { "-nick", argString, &certNickname, 256, "use the certificate with the given nickname for signing" },
+ { "-backend", argString, &backendString, 256, "use given backend for signing/verification" },
+ { "-nick", argString, &certNickname, 256, "use the certificate with the given nickname/fingerprint for signing" },
 { "-kpw", argString, &password, 256, "password for the signing key (might be missing if the key isn't password protected)" },
 { "-digest", argString, &digestName, 256, "name of the digest algorithm (default: SHA256)" },
 { "-reason", argGooString, &reason, 0, "reason for signing (default: no reason given)" },
 { "-list-nicks", argFlag, &listNicknames, 0, "list available nicknames in the NSS database" },
+ { "-list-backends", argFlag, &printCryptoSignBackends, 0, "print cryptographic signature backends" },
 { "-opw", argString, ownerPassword, sizeof(ownerPassword), "owner password (for encrypted files)" },
 { "-upw", argString, userPassword, sizeof(userPassword), "user password (for encrypted files)" },
 { "-v", argFlag, &printVersion, 0, "print copyright and version info" },
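Review bot: The new `-backend` help string does not tell the user which values are accepted, and the only way to find out is the separate `-list-backends` flag added a few entries below; cross-referencing it, `"use given backend for signing/verification (see -list-backends)"`, saves a round trip through the man page. The `-list-nicks` description on the unchanged context line still says "NSS database" while `-nick` now advertises "nickname/fingerprint" for the GPG backend; that line is outside the change and may be deliberate, but it reads inconsistently next to the new wording. The argDesc array begins and ends outside this hunk.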
@@ -183,8 +188,29 @@ static void print_version_usage(bool usage)
 }
 }
 
+static void print_backends()
+{
+ fprintf(stderr, "pdfsig backends:\n");
+ for (const auto &backend : CryptoSign::Factory::getAvailable()) {
+ switch (backend) {
+ case CryptoSign::Backend::Type::NSS3:
+ fprintf(stderr, "NSS");
+ break;
+ case CryptoSign::Backend::Type::GPGME:
+ fprintf(stderr, "GPG");
+ break;
+ }
+ if (backend == CryptoSign::Factory::getActive()) {
+ fprintf(stderr, " (active)\n");
+ } else {
+ fprintf(stderr, "\n");
+ }
+ }
+}
+
 static std::vector<std::unique_ptr<X509CertificateInfo>> getAvailableSigningCertificates(bool *error)
 {
+#ifdef ENABLE_NSS3
 bool wrongPassword = false;
 bool passwordNeeded = false;
 auto passwordCallback = [&passwordNeeded, &wrongPassword](const char *) -> char * {
@@ -202,12 +228,14 @@ static std::vector<std::unique_ptr<X509CertificateInfo>> getAvailableSigningCert
 }
 };
 NSSSignatureConfiguration::setNSSPasswordCallback(passwordCallback);
+#endif
 auto backend = CryptoSign::Factory::createActive();
 if (!backend) {
 *error = true;
 printf("No backends for cryptographic signatures available");
 return {};
 }
+#ifdef ENABLE_NSS3
 std::vector<std::unique_ptr<X509CertificateInfo>> vCerts = backend->getAvailableSigningCertificates();
 NSSSignatureConfiguration::setNSSPasswordCallback({});
 if (passwordNeeded) {
@@ -223,6 +251,7 @@ static std::vector<std::unique_ptr<X509CertificateInfo>> getAvailableSigningCert
 return {};
 }
 
+#endif
 *error = false;
 return vCerts;
 }
@@ -269,7 +298,24 @@ int main(int argc, char *argv[])
 return 0;
 }
 
+ if (strlen(backendString) > 0) {
+ auto backend = CryptoSign::Factory::typeFromString(backendString);
+ if (backend) {
+ CryptoSign::Factory::setPreferredBackend(backend.value());
+ } else {
+ fprintf(stderr, "Unsupported backend\n");
+ return 98;
+ }
+ }
+
+ if (printCryptoSignBackends) {
+ print_backends();
+ return 0;
+ }
+
+#ifdef ENABLE_NSS3
 NSSSignatureConfiguration::setNSSDir(nssDir);
+#endif
 
 if (listNicknames) {
 bool getCertsError;
|
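Review bot: print_backends writes the whole `-list-backends` listing to stderr, so the only output of that flag cannot be captured with ordinary stdout redirection, whereas the status message in getAvailableSigningCertificates in the same hunk goes to stdout via `printf`; emitting the listing with `printf` would keep the two consistent and make the output pipeable. The `switch` over `CryptoSign::Backend::Type` has no `default`, so a future enumerator would print a bare `(active)` or empty line; relying on the compiler's missing-case warning is reasonable, but say so with `// no default: a new Backend::Type must be named here (-Wswitch)`. The `#ifdef ENABLE_NSS3` opened at the end of this hunk belongs to getAvailableSigningCertificates, whose body continues outside the hunk.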
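Review bot: With ENABLE_NSS3 undefined getAvailableSigningCertificates no longer compiles: the declaration of `vCerts` now sits after the added `#ifdef ENABLE_NSS3`, but `return vCerts;` in the following hunk (@@ -223,6 +251,7) stays after the matching `#endif`, so the name is undeclared in a GPG-only build. The backend is created unconditionally just above, and the call `backend->getAvailableSigningCertificates()` looks backend-neutral, so only the NSS password bookkeeping appears to need guarding; moving the guard one line down, `std::vector<std::unique_ptr<X509CertificateInfo>> vCerts = backend->getAvailableSigningCertificates();` followed by `#ifdef ENABLE_NSS3`, keeps the declaration visible to the return. The function begins and ends outside this hunk.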
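Review bot: The rejection of an unknown `-backend` value discards what the user typed and gives no hint of what is accepted, so the message is hard to act on; `fprintf(stderr, "Unsupported backend: %s (see -list-backends)\n", backendString);` would fix that, and the bare `return 98;` deserves a one-line comment explaining the choice of status code, since none of the other exit paths visible here use it. Because the `-backend` check runs before `printCryptoSignBackends` is handled, `pdfsig -backend typo -list-backends` errors out instead of listing; handling the listing first seems friendlier, though the current order does let the `(active)` marker reflect the requested backend, so either way the intent is worth a comment. main begins and ends outside this hunk.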