authorSune Vuorela <sune@vuorela.dk>2023-06-06 16:02:25 +0000
committerAlbert Astals Cid <tsdgeos@yahoo.es>2023-06-06 16:02:25 +0000
commit8d4764b498d4f9798e9aaedbce5e442d382acb0a (patch)
treefd8ee089dfd6aea71055b2c65bae9ecd4dd0d4ab
parentdef45c82b36ec393fbaf16d9873db23bc9659b80 (diff)
pdfsig: Allow show and select backend
-rw-r--r--utils/CMakeLists.txt6
-rw-r--r--utils/pdfsig.18
-rw-r--r--utils/pdfsig.cc52
3 files changed, 60 insertions, 6 deletions
diff --git a/utils/CMakeLists.txt b/utils/CMakeLists.txt
index 1c3ebcb1..d9795eb9 100644
--- a/utils/CMakeLists.txt
+++ b/utils/CMakeLists.txt
@@ -93,14 +93,16 @@ target_link_libraries(pdfinfo ${common_libs})
install(TARGETS pdfinfo DESTINATION bin)
install(FILES pdfinfo.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
-if (ENABLE_NSS3)
+if (ENABLE_SIGNATURES)
# pdfsig
set(pdfsig_SOURCES ${common_srcs}
pdfsig.cc
)
add_executable(pdfsig ${pdfsig_SOURCES})
- target_include_directories(pdfsig SYSTEM PRIVATE ${NSS3_INCLUDE_DIRS})
target_link_libraries(pdfsig ${common_libs})
+ if (ENABLE_NSS3)
+ target_include_directories(pdfsig SYSTEM PRIVATE ${NSS3_INCLUDE_DIRS})
+ endif()
install(TARGETS pdfsig DESTINATION bin)
install(FILES pdfsig.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
endif ()
diff --git a/utils/pdfsig.1 b/utils/pdfsig.1
index 2d84b0c6..3f6ede7f 100644
--- a/utils/pdfsig.1
+++ b/utils/pdfsig.1
@@ -62,7 +62,10 @@ Specifies the field name to be used when adding a new signature. A random ID wil
Sign the document in the specified signature field present in the document (must be unsigned). Field can be specified by field name (string) or the n-th signature field in the document (integer).
.TP
.B \-nick " nickname"
-Use the certificate with the given nickname for signing. If nickname starts with pkcs11:, it's treated as PKCS#11 URI.
+Use the certificate with the given nickname for signing (NSS backend). If nickname starts with pkcs11:, it's treated as PKCS#11 URI (NSS backend). If the nickname is given as a fingerprint, it will be the certificate used (GPG backend)
+.TP
+.B \-backend " backend"
+Use the specified backeng for cryptographic signatures
.TP
.B \-kpw " password"
Use the given password for the signing key
@@ -80,6 +83,9 @@ Create a signature of type ETSI.CAdES.detached instead of adbe.pkcs7.detached.
.B \-list-nicks
List available nicknames in the NSS database.
.TP
+.B \-list-backends
+List available backends for cryptographic signatures
+.TP
.B \-v
Print copyright and version information.
.TP
diff --git a/utils/pdfsig.cc b/utils/pdfsig.cc
index 0baf0d09..047f8ba5 100644
--- a/utils/pdfsig.cc
+++ b/utils/pdfsig.cc
@@ -29,7 +29,6 @@
#include <cstddef>
#include <cstring>
#include <ctime>
-#include <hasht.h>
#include <fstream>
#include <random>
#include "parseargs.h"
@@ -41,7 +40,9 @@
#include "PDFDocFactory.h"
#include "Error.h"
#include "GlobalParams.h"
-#include "NSSCryptoSignBackend.h"
+#ifdef ENABLE_NSS3
+# include "NSSCryptoSignBackend.h"
+#endif
#include "CryptoSignBackend.h"
#include "SignatureInfo.h"
#include "Win32Console.h"
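Review bot: The new `#ifdef ENABLE_NSS3` guard here (and the ones further down in this file) only works if ENABLE_NSS3 reaches the preprocessor, but the CMakeLists hunk in this commit uses ENABLE_NSS3 purely as a CMake variable to add include directories; nothing visible in the diff turns it into a compile definition. If it is provided by a generated config header, that header must be included before this line, otherwise the guard is silently false and the NSS code path is compiled out even in an NSS build. Worth confirming with a build that has ENABLE_NSS3 on and checking that `NSSCryptoSignBackend.h` is actually pulled in, e.g. by adding `#error` under `#ifndef ENABLE_NSS3` temporarily.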
@@ -135,10 +136,12 @@ static char ownerPassword[33] = "\001";
static char userPassword[33] = "\001";
static bool printVersion = false;
static bool printHelp = false;
+static bool printCryptoSignBackends = false;
static bool dontVerifyCert = false;
static bool noOCSPRevocationCheck = false;
static bool dumpSignatures = false;
static bool etsiCAdESdetached = false;
+static char backendString[256] = "";
static char signatureName[256] = "";
static char certNickname[256] = "";
static char password[256] = "";
@@ -159,11 +162,13 @@ static const ArgDesc argDesc[] = { { "-nssdir", argGooString, &nssDir, 0, "path
{ "-new-signature-field-name", argGooString, &newSignatureFieldName, 0, "field name used for the newly added signature. A random ID will be used if empty" },
{ "-sign", argString, &signatureName, 256, "sign the document in the given signature field (by name or number)" },
{ "-etsi", argFlag, &etsiCAdESdetached, 0, "create a signature of type ETSI.CAdES.detached instead of adbe.pkcs7.detached" },
- { "-nick", argString, &certNickname, 256, "use the certificate with the given nickname for signing" },
+ { "-backend", argString, &backendString, 256, "use given backend for signing/verification" },
+ { "-nick", argString, &certNickname, 256, "use the certificate with the given nickname/fingerprint for signing" },
{ "-kpw", argString, &password, 256, "password for the signing key (might be missing if the key isn't password protected)" },
{ "-digest", argString, &digestName, 256, "name of the digest algorithm (default: SHA256)" },
{ "-reason", argGooString, &reason, 0, "reason for signing (default: no reason given)" },
{ "-list-nicks", argFlag, &listNicknames, 0, "list available nicknames in the NSS database" },
+ { "-list-backends", argFlag, &printCryptoSignBackends, 0, "print cryptographic signature backends" },
{ "-opw", argString, ownerPassword, sizeof(ownerPassword), "owner password (for encrypted files)" },
{ "-upw", argString, userPassword, sizeof(userPassword), "user password (for encrypted files)" },
{ "-v", argFlag, &printVersion, 0, "print copyright and version info" },
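Review bot: The help text for `-backend` gives no hint of which names are accepted, and the `-list-nicks` text still says "in the NSS database" although the listing now goes through whichever backend is active. Suggest `"use given backend for signing/verification (see -list-backends)"` and `"list available nicknames/fingerprints for the active backend"`. The matching man page line added in this commit also spells it `backeng`.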
@@ -183,8 +188,29 @@ static void print_version_usage(bool usage)
}
}
+static void print_backends()
+{
+ fprintf(stderr, "pdfsig backends:\n");
+ for (const auto &backend : CryptoSign::Factory::getAvailable()) {
+ switch (backend) {
+ case CryptoSign::Backend::Type::NSS3:
+ fprintf(stderr, "NSS");
+ break;
+ case CryptoSign::Backend::Type::GPGME:
+ fprintf(stderr, "GPG");
+ break;
+ }
+ if (backend == CryptoSign::Factory::getActive()) {
+ fprintf(stderr, " (active)\n");
+ } else {
+ fprintf(stderr, "\n");
+ }
+ }
+}
+
static std::vector<std::unique_ptr<X509CertificateInfo>> getAvailableSigningCertificates(bool *error)
{
+#ifdef ENABLE_NSS3
bool wrongPassword = false;
bool passwordNeeded = false;
auto passwordCallback = [&passwordNeeded, &wrongPassword](const char *) -> char * {
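Review bot: print_backends writes a listing the user explicitly asked for to stderr, while the rest of this file reports through printf/stdout (see the `No backends for cryptographic signatures available` message below); a script doing `pdfsig -list-backends | grep GPG` gets nothing. Change the four `fprintf(stderr, ...)` calls in print_backends to `printf(...)` and keep stderr for errors. The switch has no default, so an enumerator not covered here would print just the active/blank suffix; that is acceptable if the enum is closed, but a `default:` printing `unknown` would make it visible. getAvailableSigningCertificates starts in this hunk and continues past it.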
@@ -202,12 +228,14 @@ static std::vector<std::unique_ptr<X509CertificateInfo>> getAvailableSigningCert
}
};
NSSSignatureConfiguration::setNSSPasswordCallback(passwordCallback);
+#endif
auto backend = CryptoSign::Factory::createActive();
if (!backend) {
*error = true;
printf("No backends for cryptographic signatures available");
return {};
}
+#ifdef ENABLE_NSS3
std::vector<std::unique_ptr<X509CertificateInfo>> vCerts = backend->getAvailableSigningCertificates();
NSSSignatureConfiguration::setNSSPasswordCallback({});
if (passwordNeeded) {
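Review bot: `vCerts` is declared only inside the `#ifdef ENABLE_NSS3` block opened here, yet the function's unconditional `return vCerts;` after the `#endif` in the next hunk uses it, so a build with ENABLE_SIGNATURES but without NSS — the configuration this commit exists to enable — does not compile, and `backend` is also unused on that path. Move the call out of the guard: `auto vCerts = backend->getAvailableSigningCertificates();` right after the null-backend check, and keep only `NSSSignatureConfiguration::setNSSPasswordCallback({});` and the passwordNeeded/wrongPassword handling under ENABLE_NSS3. The function begins and ends outside this hunk.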
@@ -223,6 +251,7 @@ static std::vector<std::unique_ptr<X509CertificateInfo>> getAvailableSigningCert
return {};
}
+#endif
*error = false;
return vCerts;
}
@@ -269,7 +298,24 @@ int main(int argc, char *argv[])
return 0;
}
+ if (strlen(backendString) > 0) {
+ auto backend = CryptoSign::Factory::typeFromString(backendString);
+ if (backend) {
+ CryptoSign::Factory::setPreferredBackend(backend.value());
+ } else {
+ fprintf(stderr, "Unsupported backend\n");
+ return 98;
+ }
+ }
+
+ if (printCryptoSignBackends) {
+ print_backends();
+ return 0;
+ }
+
+#ifdef ENABLE_NSS3
NSSSignatureConfiguration::setNSSDir(nssDir);
+#endif
if (listNicknames) {
bool getCertsError;