The Tor Browser / annotate

security/nss/cmd/crlutil/crlutil.c@b8a032363ba2 (annotated)

security/nss/cmd/crlutil/crlutil.c

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4
michael@0 5 /*
michael@0 6 ** certutil.c
michael@0 7 **
michael@0 8 ** utility for managing certificates and the cert database
michael@0 9 **
michael@0 10 */
michael@0 11 /* test only */
michael@0 12
michael@0 13 #include "nspr.h"
michael@0 14 #include "plgetopt.h"
michael@0 15 #include "secutil.h"
michael@0 16 #include "cert.h"
michael@0 17 #include "certi.h"
michael@0 18 #include "certdb.h"
michael@0 19 #include "nss.h"
michael@0 20 #include "pk11func.h"
michael@0 21 #include "crlgen.h"
michael@0 22
michael@0 23 #define SEC_CERT_DB_EXISTS 0
michael@0 24 #define SEC_CREATE_CERT_DB 1
michael@0 25
michael@0 26 static char *progName;
michael@0 27
michael@0 28 static CERTSignedCrl *FindCRL
michael@0 29 (CERTCertDBHandle *certHandle, char *name, int type)
michael@0 30 {
michael@0 31 CERTSignedCrl *crl = NULL;
michael@0 32 CERTCertificate *cert = NULL;
michael@0 33 SECItem derName;
michael@0 34
michael@0 35 derName.data = NULL;
michael@0 36 derName.len = 0;
michael@0 37
michael@0 38 cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, name);
michael@0 39 if (!cert) {
michael@0 40 CERTName *certName = NULL;
michael@0 41 PLArenaPool *arena = NULL;
michael@0 42
michael@0 43 certName = CERT_AsciiToName(name);
michael@0 44 if (certName) {
michael@0 45 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
michael@0 46 if (arena) {
michael@0 47 SECItem *nameItem =
michael@0 48 SEC_ASN1EncodeItem (arena, NULL, (void *)certName,
michael@0 49 SEC_ASN1_GET(CERT_NameTemplate));
michael@0 50 if (nameItem) {
michael@0 51 SECITEM_CopyItem(NULL, &derName, nameItem);
michael@0 52 }
michael@0 53 PORT_FreeArena(arena, PR_FALSE);
michael@0 54 }
michael@0 55 CERT_DestroyName(certName);
michael@0 56 }
michael@0 57
michael@0 58 if (!derName.len || !derName.data) {
michael@0 59 SECU_PrintError(progName, "could not find certificate named '%s'", name);
michael@0 60 return ((CERTSignedCrl *)NULL);
michael@0 61 }
michael@0 62 } else {
michael@0 63 SECITEM_CopyItem(NULL, &derName, &cert->derSubject);
michael@0 64 CERT_DestroyCertificate (cert);
michael@0 65 }
michael@0 66
michael@0 67 crl = SEC_FindCrlByName(certHandle, &derName, type);
michael@0 68 if (crl ==NULL)
michael@0 69 SECU_PrintError
michael@0 70 (progName, "could not find %s's CRL", name);
michael@0 71 if (derName.data) {
michael@0 72 SECITEM_FreeItem(&derName, PR_FALSE);
michael@0 73 }
michael@0 74 return (crl);
michael@0 75 }
michael@0 76
michael@0 77 static SECStatus DisplayCRL (CERTCertDBHandle *certHandle, char *nickName, int crlType)
michael@0 78 {
michael@0 79 CERTSignedCrl *crl = NULL;
michael@0 80
michael@0 81 crl = FindCRL (certHandle, nickName, crlType);
michael@0 82
michael@0 83 if (crl) {
michael@0 84 SECU_PrintCRLInfo (stdout, &crl->crl, "CRL Info:\n", 0);
michael@0 85 SEC_DestroyCrl (crl);
michael@0 86 return SECSuccess;
michael@0 87 }
michael@0 88 return SECFailure;
michael@0 89 }
michael@0 90
michael@0 91 static void ListCRLNames (CERTCertDBHandle *certHandle, int crlType, PRBool deletecrls)
michael@0 92 {
michael@0 93 CERTCrlHeadNode *crlList = NULL;
michael@0 94 CERTCrlNode *crlNode = NULL;
michael@0 95 CERTName *name = NULL;
michael@0 96 PLArenaPool *arena = NULL;
michael@0 97 SECStatus rv;
michael@0 98
michael@0 99 do {
michael@0 100 arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
michael@0 101 if (arena == NULL) {
michael@0 102 fprintf(stderr, "%s: fail to allocate memory\n", progName);
michael@0 103 break;
michael@0 104 }
michael@0 105
michael@0 106 name = PORT_ArenaZAlloc (arena, sizeof(*name));
michael@0 107 if (name == NULL) {
michael@0 108 fprintf(stderr, "%s: fail to allocate memory\n", progName);
michael@0 109 break;
michael@0 110 }
michael@0 111 name->arena = arena;
michael@0 112
michael@0 113 rv = SEC_LookupCrls (certHandle, &crlList, crlType);
michael@0 114 if (rv != SECSuccess) {
michael@0 115 fprintf(stderr, "%s: fail to look up CRLs (%s)\n", progName,
michael@0 116 SECU_Strerror(PORT_GetError()));
michael@0 117 break;
michael@0 118 }
michael@0 119
michael@0 120 /* just in case */
michael@0 121 if (!crlList)
michael@0 122 break;
michael@0 123
michael@0 124 crlNode = crlList->first;
michael@0 125
michael@0 126 fprintf (stdout, "\n");
michael@0 127 fprintf (stdout, "\n%-40s %-5s\n\n", "CRL names", "CRL Type");
michael@0 128 while (crlNode) {
michael@0 129 char* asciiname = NULL;
michael@0 130 CERTCertificate *cert = NULL;
michael@0 131 if (crlNode->crl && &crlNode->crl->crl.derName) {
michael@0 132 cert = CERT_FindCertByName(certHandle,
michael@0 133 &crlNode->crl->crl.derName);
michael@0 134 if (!cert) {
michael@0 135 SECU_PrintError(progName, "could not find signing "
michael@0 136 "certificate in database");
michael@0 137 }
michael@0 138 }
michael@0 139 if (cert) {
michael@0 140 char* certName = NULL;
michael@0 141 if (cert->nickname && PORT_Strlen(cert->nickname) > 0) {
michael@0 142 certName = cert->nickname;
michael@0 143 } else if (cert->emailAddr && PORT_Strlen(cert->emailAddr) > 0) {
michael@0 144 certName = cert->emailAddr;
michael@0 145 }
michael@0 146 if (certName) {
michael@0 147 asciiname = PORT_Strdup(certName);
michael@0 148 }
michael@0 149 CERT_DestroyCertificate(cert);
michael@0 150 }
michael@0 151
michael@0 152 if (!asciiname) {
michael@0 153 name = &crlNode->crl->crl.name;
michael@0 154 if (!name){
michael@0 155 SECU_PrintError(progName, "fail to get the CRL "
michael@0 156 "issuer name");
michael@0 157 continue;
michael@0 158 }
michael@0 159 asciiname = CERT_NameToAscii(name);
michael@0 160 }
michael@0 161 fprintf (stdout, "%-40s %-5s\n", asciiname, "CRL");
michael@0 162 if (asciiname) {
michael@0 163 PORT_Free(asciiname);
michael@0 164 }
michael@0 165 if ( PR_TRUE == deletecrls) {
michael@0 166 CERTSignedCrl* acrl = NULL;
michael@0 167 SECItem* issuer = &crlNode->crl->crl.derName;
michael@0 168 acrl = SEC_FindCrlByName(certHandle, issuer, crlType);
michael@0 169 if (acrl)
michael@0 170 {
michael@0 171 SEC_DeletePermCRL(acrl);
michael@0 172 SEC_DestroyCrl(acrl);
michael@0 173 }
michael@0 174 }
michael@0 175 crlNode = crlNode->next;
michael@0 176 }
michael@0 177
michael@0 178 } while (0);
michael@0 179 if (crlList)
michael@0 180 PORT_FreeArena (crlList->arena, PR_FALSE);
michael@0 181 PORT_FreeArena (arena, PR_FALSE);
michael@0 182 }
michael@0 183
michael@0 184 static SECStatus ListCRL (CERTCertDBHandle *certHandle, char *nickName, int crlType)
michael@0 185 {
michael@0 186 if (nickName == NULL) {
michael@0 187 ListCRLNames (certHandle, crlType, PR_FALSE);
michael@0 188 return SECSuccess;
michael@0 189 }
michael@0 190
michael@0 191 return DisplayCRL (certHandle, nickName, crlType);
michael@0 192 }
michael@0 193
michael@0 194
michael@0 195
michael@0 196 static SECStatus DeleteCRL (CERTCertDBHandle *certHandle, char *name, int type)
michael@0 197 {
michael@0 198 CERTSignedCrl *crl = NULL;
michael@0 199 SECStatus rv = SECFailure;
michael@0 200
michael@0 201 crl = FindCRL (certHandle, name, type);
michael@0 202 if (!crl) {
michael@0 203 SECU_PrintError
michael@0 204 (progName, "could not find the issuer %s's CRL", name);
michael@0 205 return SECFailure;
michael@0 206 }
michael@0 207 rv = SEC_DeletePermCRL (crl);
michael@0 208 SEC_DestroyCrl(crl);
michael@0 209 if (rv != SECSuccess) {
michael@0 210 SECU_PrintError(progName, "fail to delete the issuer %s's CRL "
michael@0 211 "from the perm database (reason: %s)",
michael@0 212 name, SECU_Strerror(PORT_GetError()));
michael@0 213 return SECFailure;
michael@0 214 }
michael@0 215 return (rv);
michael@0 216 }
michael@0 217
michael@0 218 SECStatus ImportCRL (CERTCertDBHandle *certHandle, char *url, int type,
michael@0 219 PRFileDesc *inFile, PRInt32 importOptions, PRInt32 decodeOptions,
michael@0 220 secuPWData *pwdata)
michael@0 221 {
michael@0 222 CERTSignedCrl *crl = NULL;
michael@0 223 SECItem crlDER;
michael@0 224 PK11SlotInfo* slot = NULL;
michael@0 225 int rv;
michael@0 226 #if defined(DEBUG_jp96085)
michael@0 227 PRIntervalTime starttime, endtime, elapsed;
michael@0 228 PRUint32 mins, secs, msecs;
michael@0 229 #endif
michael@0 230
michael@0 231 crlDER.data = NULL;
michael@0 232
michael@0 233
michael@0 234 /* Read in the entire file specified with the -f argument */
michael@0 235 rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
michael@0 236 if (rv != SECSuccess) {
michael@0 237 SECU_PrintError(progName, "unable to read input file");
michael@0 238 return (SECFailure);
michael@0 239 }
michael@0 240
michael@0 241 decodeOptions |= CRL_DECODE_DONT_COPY_DER;
michael@0 242
michael@0 243 slot = PK11_GetInternalKeySlot();
michael@0 244
michael@0 245 if (PK11_NeedLogin(slot)) {
michael@0 246 rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
michael@0 247 if (rv != SECSuccess)
michael@0 248 goto loser;
michael@0 249 }
michael@0 250
michael@0 251 #if defined(DEBUG_jp96085)
michael@0 252 starttime = PR_IntervalNow();
michael@0 253 #endif
michael@0 254 crl = PK11_ImportCRL(slot, &crlDER, url, type,
michael@0 255 NULL, importOptions, NULL, decodeOptions);
michael@0 256 #if defined(DEBUG_jp96085)
michael@0 257 endtime = PR_IntervalNow();
michael@0 258 elapsed = endtime - starttime;
michael@0 259 mins = PR_IntervalToSeconds(elapsed) / 60;
michael@0 260 secs = PR_IntervalToSeconds(elapsed) % 60;
michael@0 261 msecs = PR_IntervalToMilliseconds(elapsed) % 1000;
michael@0 262 printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs);
michael@0 263 #endif
michael@0 264 if (!crl) {
michael@0 265 const char *errString;
michael@0 266
michael@0 267 rv = SECFailure;
michael@0 268 errString = SECU_Strerror(PORT_GetError());
michael@0 269 if ( errString && PORT_Strlen (errString) == 0)
michael@0 270 SECU_PrintError (progName,
michael@0 271 "CRL is not imported (error: input CRL is not up to date.)");
michael@0 272 else
michael@0 273 SECU_PrintError (progName, "unable to import CRL");
michael@0 274 } else {
michael@0 275 SEC_DestroyCrl (crl);
michael@0 276 }
michael@0 277 loser:
michael@0 278 if (slot) {
michael@0 279 PK11_FreeSlot(slot);
michael@0 280 }
michael@0 281 return (rv);
michael@0 282 }
michael@0 283
michael@0 284 SECStatus DumpCRL(PRFileDesc *inFile)
michael@0 285 {
michael@0 286 int rv;
michael@0 287 PLArenaPool *arena = NULL;
michael@0 288 CERTSignedCrl *newCrl = NULL;
michael@0 289
michael@0 290 SECItem crlDER;
michael@0 291 crlDER.data = NULL;
michael@0 292
michael@0 293 /* Read in the entire file specified with the -f argument */
michael@0 294 rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
michael@0 295 if (rv != SECSuccess) {
michael@0 296 SECU_PrintError(progName, "unable to read input file");
michael@0 297 return (SECFailure);
michael@0 298 }
michael@0 299
michael@0 300 rv = SEC_ERROR_NO_MEMORY;
michael@0 301 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
michael@0 302 if (!arena)
michael@0 303 return rv;
michael@0 304
michael@0 305 newCrl = CERT_DecodeDERCrlWithFlags(arena, &crlDER, SEC_CRL_TYPE,
michael@0 306 CRL_DECODE_DEFAULT_OPTIONS);
michael@0 307 if (!newCrl)
michael@0 308 return SECFailure;
michael@0 309
michael@0 310 SECU_PrintCRLInfo (stdout, &newCrl->crl, "CRL file contents", 0);
michael@0 311
michael@0 312 PORT_FreeArena (arena, PR_FALSE);
michael@0 313 return rv;
michael@0 314 }
michael@0 315
michael@0 316 static CERTCertificate*
michael@0 317 FindSigningCert(CERTCertDBHandle *certHandle, CERTSignedCrl *signCrl,
michael@0 318 char *certNickName)
michael@0 319 {
michael@0 320 CERTCertificate *cert = NULL, *certTemp = NULL;
michael@0 321 SECStatus rv = SECFailure;
michael@0 322 CERTAuthKeyID* authorityKeyID = NULL;
michael@0 323 SECItem* subject = NULL;
michael@0 324
michael@0 325 PORT_Assert(certHandle != NULL);
michael@0 326 if (!certHandle || (!signCrl && !certNickName)) {
michael@0 327 SECU_PrintError(progName, "invalid args for function "
michael@0 328 "FindSigningCert \n");
michael@0 329 return NULL;
michael@0 330 }
michael@0 331
michael@0 332 if (signCrl) {
michael@0 333 #if 0
michael@0 334 authorityKeyID = SECU_FindCRLAuthKeyIDExten(tmpArena, scrl);
michael@0 335 #endif
michael@0 336 subject = &signCrl->crl.derName;
michael@0 337 } else {
michael@0 338 certTemp = CERT_FindCertByNickname(certHandle, certNickName);
michael@0 339 if (!certTemp) {
michael@0 340 SECU_PrintError(progName, "could not find certificate \"%s\" "
michael@0 341 "in database", certNickName);
michael@0 342 goto loser;
michael@0 343 }
michael@0 344 subject = &certTemp->derSubject;
michael@0 345 }
michael@0 346
michael@0 347 cert = SECU_FindCrlIssuer(certHandle, subject, authorityKeyID, PR_Now());
michael@0 348 if (!cert) {
michael@0 349 SECU_PrintError(progName, "could not find signing certificate "
michael@0 350 "in database");
michael@0 351 goto loser;
michael@0 352 } else {
michael@0 353 rv = SECSuccess;
michael@0 354 }
michael@0 355
michael@0 356 loser:
michael@0 357 if (certTemp)
michael@0 358 CERT_DestroyCertificate(certTemp);
michael@0 359 if (cert && rv != SECSuccess)
michael@0 360 CERT_DestroyCertificate(cert);
michael@0 361 return cert;
michael@0 362 }
michael@0 363
michael@0 364 static CERTSignedCrl*
michael@0 365 CreateModifiedCRLCopy(PLArenaPool *arena, CERTCertDBHandle *certHandle,
michael@0 366 CERTCertificate **cert, char *certNickName,
michael@0 367 PRFileDesc *inFile, PRInt32 decodeOptions,
michael@0 368 PRInt32 importOptions)
michael@0 369 {
michael@0 370 SECItem crlDER = {0, NULL, 0};
michael@0 371 CERTSignedCrl *signCrl = NULL;
michael@0 372 CERTSignedCrl *modCrl = NULL;
michael@0 373 PLArenaPool *modArena = NULL;
michael@0 374 SECStatus rv = SECSuccess;
michael@0 375
michael@0 376 if (!arena || !certHandle || !certNickName) {
michael@0 377 PORT_SetError(SEC_ERROR_INVALID_ARGS);
michael@0 378 SECU_PrintError(progName, "CreateModifiedCRLCopy: invalid args\n");
michael@0 379 return NULL;
michael@0 380 }
michael@0 381
michael@0 382 modArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
michael@0 383 if (!modArena) {
michael@0 384 SECU_PrintError(progName, "fail to allocate memory\n");
michael@0 385 return NULL;
michael@0 386 }
michael@0 387
michael@0 388 if (inFile != NULL) {
michael@0 389 rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
michael@0 390 if (rv != SECSuccess) {
michael@0 391 SECU_PrintError(progName, "unable to read input file");
michael@0 392 PORT_FreeArena(modArena, PR_FALSE);
michael@0 393 goto loser;
michael@0 394 }
michael@0 395
michael@0 396 decodeOptions |= CRL_DECODE_DONT_COPY_DER;
michael@0 397
michael@0 398 modCrl = CERT_DecodeDERCrlWithFlags(modArena, &crlDER, SEC_CRL_TYPE,
michael@0 399 decodeOptions);
michael@0 400 if (!modCrl) {
michael@0 401 SECU_PrintError(progName, "fail to decode CRL");
michael@0 402 goto loser;
michael@0 403 }
michael@0 404
michael@0 405 if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)){
michael@0 406 /* If caCert is a v2 certificate, make sure that it
michael@0 407 * can be used for crl signing purpose */
michael@0 408 *cert = FindSigningCert(certHandle, modCrl, NULL);
michael@0 409 if (!*cert) {
michael@0 410 goto loser;
michael@0 411 }
michael@0 412
michael@0 413 rv = CERT_VerifySignedData(&modCrl->signatureWrap, *cert,
michael@0 414 PR_Now(), NULL);
michael@0 415 if (rv != SECSuccess) {
michael@0 416 SECU_PrintError(progName, "fail to verify signed data\n");
michael@0 417 goto loser;
michael@0 418 }
michael@0 419 }
michael@0 420 } else {
michael@0 421 modCrl = FindCRL(certHandle, certNickName, SEC_CRL_TYPE);
michael@0 422 if (!modCrl) {
michael@0 423 SECU_PrintError(progName, "fail to find crl %s in database\n",
michael@0 424 certNickName);
michael@0 425 goto loser;
michael@0 426 }
michael@0 427 }
michael@0 428
michael@0 429 signCrl = PORT_ArenaZNew(arena, CERTSignedCrl);
michael@0 430 if (signCrl == NULL) {
michael@0 431 SECU_PrintError(progName, "fail to allocate memory\n");
michael@0 432 goto loser;
michael@0 433 }
michael@0 434
michael@0 435 rv = SECU_CopyCRL(arena, &signCrl->crl, &modCrl->crl);
michael@0 436 if (rv != SECSuccess) {
michael@0 437 SECU_PrintError(progName, "unable to dublicate crl for "
michael@0 438 "modification.");
michael@0 439 goto loser;
michael@0 440 }
michael@0 441
michael@0 442 /* Make sure the update time is current. It can be modified later
michael@0 443 * by "update <time>" command from crl generation script */
michael@0 444 rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now());
michael@0 445 if (rv != SECSuccess) {
michael@0 446 SECU_PrintError(progName, "fail to encode current time\n");
michael@0 447 goto loser;
michael@0 448 }
michael@0 449
michael@0 450 signCrl->arena = arena;
michael@0 451
michael@0 452 loser:
michael@0 453 if (crlDER.data) {
michael@0 454 SECITEM_FreeItem(&crlDER, PR_FALSE);
michael@0 455 }
michael@0 456 if (modCrl)
michael@0 457 SEC_DestroyCrl(modCrl);
michael@0 458 if (rv != SECSuccess && signCrl) {
michael@0 459 SEC_DestroyCrl(signCrl);
michael@0 460 signCrl = NULL;
michael@0 461 }
michael@0 462 return signCrl;
michael@0 463 }
michael@0 464
michael@0 465
michael@0 466 static CERTSignedCrl*
michael@0 467 CreateNewCrl(PLArenaPool *arena, CERTCertDBHandle *certHandle,
michael@0 468 CERTCertificate *cert)
michael@0 469 {
michael@0 470 CERTSignedCrl *signCrl = NULL;
michael@0 471 void *dummy = NULL;
michael@0 472 SECStatus rv;
michael@0 473 void* mark = NULL;
michael@0 474
michael@0 475 /* if the CERTSignedCrl structure changes, this function will need to be
michael@0 476 updated as well */
michael@0 477 if (!cert || !arena) {
michael@0 478 PORT_SetError(SEC_ERROR_INVALID_ARGS);
michael@0 479 SECU_PrintError(progName, "invalid args for function "
michael@0 480 "CreateNewCrl\n");
michael@0 481 return NULL;
michael@0 482 }
michael@0 483
michael@0 484 mark = PORT_ArenaMark(arena);
michael@0 485
michael@0 486 signCrl = PORT_ArenaZNew(arena, CERTSignedCrl);
michael@0 487 if (signCrl == NULL) {
michael@0 488 SECU_PrintError(progName, "fail to allocate memory\n");
michael@0 489 return NULL;
michael@0 490 }
michael@0 491
michael@0 492 dummy = SEC_ASN1EncodeInteger(arena, &signCrl->crl.version,
michael@0 493 SEC_CRL_VERSION_2);
michael@0 494 /* set crl->version */
michael@0 495 if (!dummy) {
michael@0 496 SECU_PrintError(progName, "fail to create crl version data "
michael@0 497 "container\n");
michael@0 498 goto loser;
michael@0 499 }
michael@0 500
michael@0 501 /* copy SECItem name from cert */
michael@0 502 rv = SECITEM_CopyItem(arena, &signCrl->crl.derName, &cert->derSubject);
michael@0 503 if (rv != SECSuccess) {
michael@0 504 SECU_PrintError(progName, "fail to duplicate der name from "
michael@0 505 "certificate.\n");
michael@0 506 goto loser;
michael@0 507 }
michael@0 508
michael@0 509 /* copy CERTName name structure from cert issuer */
michael@0 510 rv = CERT_CopyName (arena, &signCrl->crl.name, &cert->subject);
michael@0 511 if (rv != SECSuccess) {
michael@0 512 SECU_PrintError(progName, "fail to duplicate RD name from "
michael@0 513 "certificate.\n");
michael@0 514 goto loser;
michael@0 515 }
michael@0 516
michael@0 517 rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now());
michael@0 518 if (rv != SECSuccess) {
michael@0 519 SECU_PrintError(progName, "fail to encode current time\n");
michael@0 520 goto loser;
michael@0 521 }
michael@0 522
michael@0 523 /* set fields */
michael@0 524 signCrl->arena = arena;
michael@0 525 signCrl->dbhandle = certHandle;
michael@0 526 signCrl->crl.arena = arena;
michael@0 527
michael@0 528 return signCrl;
michael@0 529
michael@0 530 loser:
michael@0 531 PORT_ArenaRelease(arena, mark);
michael@0 532 return NULL;
michael@0 533 }
michael@0 534
michael@0 535
michael@0 536 static SECStatus
michael@0 537 UpdateCrl(CERTSignedCrl *signCrl, PRFileDesc *inCrlInitFile)
michael@0 538 {
michael@0 539 CRLGENGeneratorData *crlGenData = NULL;
michael@0 540 SECStatus rv;
michael@0 541
michael@0 542 if (!signCrl || !inCrlInitFile) {
michael@0 543 PORT_SetError(SEC_ERROR_INVALID_ARGS);
michael@0 544 SECU_PrintError(progName, "invalid args for function "
michael@0 545 "CreateNewCrl\n");
michael@0 546 return SECFailure;
michael@0 547 }
michael@0 548
michael@0 549 crlGenData = CRLGEN_InitCrlGeneration(signCrl, inCrlInitFile);
michael@0 550 if (!crlGenData) {
michael@0 551 SECU_PrintError(progName, "can not initialize parser structure.\n");
michael@0 552 return SECFailure;
michael@0 553 }
michael@0 554
michael@0 555 rv = CRLGEN_ExtHandleInit(crlGenData);
michael@0 556 if (rv == SECFailure) {
michael@0 557 SECU_PrintError(progName, "can not initialize entries handle.\n");
michael@0 558 goto loser;
michael@0 559 }
michael@0 560
michael@0 561 rv = CRLGEN_StartCrlGen(crlGenData);
michael@0 562 if (rv != SECSuccess) {
michael@0 563 SECU_PrintError(progName, "crl generation failed");
michael@0 564 goto loser;
michael@0 565 }
michael@0 566
michael@0 567 loser:
michael@0 568 /* CommitExtensionsAndEntries is partially responsible for freeing
michael@0 569 * up memory that was used for CRL generation. Should be called regardless
michael@0 570 * of previouse call status, but only after initialization of
michael@0 571 * crlGenData was done. It will commit all changes that was done before
michael@0 572 * an error has occurred.
michael@0 573 */
michael@0 574 if (SECSuccess != CRLGEN_CommitExtensionsAndEntries(crlGenData)) {
michael@0 575 SECU_PrintError(progName, "crl generation failed");
michael@0 576 rv = SECFailure;
michael@0 577 }
michael@0 578 CRLGEN_FinalizeCrlGeneration(crlGenData);
michael@0 579 return rv;
michael@0 580 }
michael@0 581
michael@0 582 static SECStatus
michael@0 583 SignAndStoreCrl(CERTSignedCrl *signCrl, CERTCertificate *cert,
michael@0 584 char *outFileName, SECOidTag hashAlgTag, int ascii,
michael@0 585 char *slotName, char *url, secuPWData *pwdata)
michael@0 586 {
michael@0 587 PK11SlotInfo *slot = NULL;
michael@0 588 PRFileDesc *outFile = NULL;
michael@0 589 SECStatus rv;
michael@0 590 SignAndEncodeFuncExitStat errCode;
michael@0 591
michael@0 592 PORT_Assert(signCrl && (!ascii || outFileName));
michael@0 593 if (!signCrl || (ascii && !outFileName)) {
michael@0 594 SECU_PrintError(progName, "invalid args for function "
michael@0 595 "SignAndStoreCrl\n");
michael@0 596 return SECFailure;
michael@0 597 }
michael@0 598
michael@0 599 if (!slotName || !PL_strcmp(slotName, "internal"))
michael@0 600 slot = PK11_GetInternalKeySlot();
michael@0 601 else
michael@0 602 slot = PK11_FindSlotByName(slotName);
michael@0 603 if (!slot) {
michael@0 604 SECU_PrintError(progName, "can not find requested slot");
michael@0 605 return SECFailure;
michael@0 606 }
michael@0 607
michael@0 608 if (PK11_NeedLogin(slot)) {
michael@0 609 rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
michael@0 610 if (rv != SECSuccess)
michael@0 611 goto loser;
michael@0 612 }
michael@0 613
michael@0 614 rv = SECU_SignAndEncodeCRL(cert, signCrl, hashAlgTag, &errCode);
michael@0 615 if (rv != SECSuccess) {
michael@0 616 char* errMsg = NULL;
michael@0 617 switch (errCode)
michael@0 618 {
michael@0 619 case noKeyFound:
michael@0 620 errMsg = "No private key found of signing cert";
michael@0 621 break;
michael@0 622
michael@0 623 case noSignatureMatch:
michael@0 624 errMsg = "Key and Algorithm OId are do not match";
michael@0 625 break;
michael@0 626
michael@0 627 default:
michael@0 628 case failToEncode:
michael@0 629 errMsg = "Failed to encode crl structure";
michael@0 630 break;
michael@0 631
michael@0 632 case failToSign:
michael@0 633 errMsg = "Failed to sign crl structure";
michael@0 634 break;
michael@0 635
michael@0 636 case noMem:
michael@0 637 errMsg = "Can not allocate memory";
michael@0 638 break;
michael@0 639 }
michael@0 640 SECU_PrintError(progName, "%s\n", errMsg);
michael@0 641 goto loser;
michael@0 642 }
michael@0 643
michael@0 644 if (outFileName) {
michael@0 645 outFile = PR_Open(outFileName, PR_WRONLY|PR_CREATE_FILE, PR_IRUSR | PR_IWUSR);
michael@0 646 if (!outFile) {
michael@0 647 SECU_PrintError(progName, "unable to open \"%s\" for writing\n",
michael@0 648 outFileName);
michael@0 649 goto loser;
michael@0 650 }
michael@0 651 }
michael@0 652
michael@0 653 rv = SECU_StoreCRL(slot, signCrl->derCrl, outFile, ascii, url);
michael@0 654 if (rv != SECSuccess) {
michael@0 655 SECU_PrintError(progName, "fail to save CRL\n");
michael@0 656 }
michael@0 657
michael@0 658 loser:
michael@0 659 if (outFile)
michael@0 660 PR_Close(outFile);
michael@0 661 if (slot)
michael@0 662 PK11_FreeSlot(slot);
michael@0 663 return rv;
michael@0 664 }
michael@0 665
michael@0 666 static SECStatus
michael@0 667 GenerateCRL (CERTCertDBHandle *certHandle, char *certNickName,
michael@0 668 PRFileDesc *inCrlInitFile, PRFileDesc *inFile,
michael@0 669 char *outFileName, int ascii, char *slotName,
michael@0 670 PRInt32 importOptions, char *alg, PRBool quiet,
michael@0 671 PRInt32 decodeOptions, char *url, secuPWData *pwdata,
michael@0 672 int modifyFlag)
michael@0 673 {
michael@0 674 CERTCertificate *cert = NULL;
michael@0 675 CERTSignedCrl *signCrl = NULL;
michael@0 676 PLArenaPool *arena = NULL;
michael@0 677 SECStatus rv;
michael@0 678 SECOidTag hashAlgTag = SEC_OID_UNKNOWN;
michael@0 679
michael@0 680 if (alg) {
michael@0 681 hashAlgTag = SECU_StringToSignatureAlgTag(alg);
michael@0 682 if (hashAlgTag == SEC_OID_UNKNOWN) {
michael@0 683 SECU_PrintError(progName, "%s -Z: %s is not a recognized type.\n",
michael@0 684 progName, alg);
michael@0 685 return SECFailure;
michael@0 686 }
michael@0 687 } else {
michael@0 688 hashAlgTag = SEC_OID_UNKNOWN;
michael@0 689 }
michael@0 690
michael@0 691 arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
michael@0 692 if (!arena) {
michael@0 693 SECU_PrintError(progName, "fail to allocate memory\n");
michael@0 694 return SECFailure;
michael@0 695 }
michael@0 696
michael@0 697 if (modifyFlag == PR_TRUE) {
michael@0 698 signCrl = CreateModifiedCRLCopy(arena, certHandle, &cert, certNickName,
michael@0 699 inFile, decodeOptions, importOptions);
michael@0 700 if (signCrl == NULL) {
michael@0 701 goto loser;
michael@0 702 }
michael@0 703 }
michael@0 704
michael@0 705 if (!cert) {
michael@0 706 cert = FindSigningCert(certHandle, signCrl, certNickName);
michael@0 707 if (cert == NULL) {
michael@0 708 goto loser;
michael@0 709 }
michael@0 710 }
michael@0 711
michael@0 712 if (!signCrl) {
michael@0 713 if (modifyFlag == PR_TRUE) {
michael@0 714 if (!outFileName) {
michael@0 715 int len = strlen(certNickName) + 5;
michael@0 716 outFileName = PORT_ArenaAlloc(arena, len);
michael@0 717 PR_snprintf(outFileName, len, "%s.crl", certNickName);
michael@0 718 }
michael@0 719 SECU_PrintError(progName, "Will try to generate crl. "
michael@0 720 "It will be saved in file: %s",
michael@0 721 outFileName);
michael@0 722 }
michael@0 723 signCrl = CreateNewCrl(arena, certHandle, cert);
michael@0 724 if (!signCrl)
michael@0 725 goto loser;
michael@0 726 }
michael@0 727
michael@0 728 rv = UpdateCrl(signCrl, inCrlInitFile);
michael@0 729 if (rv != SECSuccess) {
michael@0 730 goto loser;
michael@0 731 }
michael@0 732
michael@0 733 rv = SignAndStoreCrl(signCrl, cert, outFileName, hashAlgTag, ascii,
michael@0 734 slotName, url, pwdata);
michael@0 735 if (rv != SECSuccess) {
michael@0 736 goto loser;
michael@0 737 }
michael@0 738
michael@0 739 if (signCrl && !quiet) {
michael@0 740 SECU_PrintCRLInfo (stdout, &signCrl->crl, "CRL Info:\n", 0);
michael@0 741 }
michael@0 742
michael@0 743 loser:
michael@0 744 if (arena && (!signCrl || !signCrl->arena))
michael@0 745 PORT_FreeArena (arena, PR_FALSE);
michael@0 746 if (signCrl)
michael@0 747 SEC_DestroyCrl (signCrl);
michael@0 748 if (cert)
michael@0 749 CERT_DestroyCertificate (cert);
michael@0 750 return (rv);
michael@0 751 }
michael@0 752
michael@0 753 static void Usage(char *progName)
michael@0 754 {
michael@0 755 fprintf(stderr,
michael@0 756 "Usage: %s -L [-n nickname] [-d keydir] [-P dbprefix] [-t crlType]\n"
michael@0 757 " %s -D -n nickname [-d keydir] [-P dbprefix]\n"
michael@0 758 " %s -S -i crl\n"
michael@0 759 " %s -I -i crl -t crlType [-u url] [-d keydir] [-P dbprefix] [-B] "
michael@0 760 "[-p pwd-file] -w [pwd-string]\n"
michael@0 761 " %s -E -t crlType [-d keydir] [-P dbprefix]\n"
michael@0 762 " %s -T\n"
michael@0 763 " %s -G|-M -c crl-init-file -n nickname [-i crl] [-u url] "
michael@0 764 "[-d keydir] [-P dbprefix] [-Z alg] ] [-p pwd-file] -w [pwd-string] "
michael@0 765 "[-a] [-B]\n",
michael@0 766 progName, progName, progName, progName, progName, progName, progName);
michael@0 767
michael@0 768 fprintf (stderr, "%-15s List CRL\n", "-L");
michael@0 769 fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n",
michael@0 770 "-n nickname");
michael@0 771 fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
michael@0 772 "-d keydir");
michael@0 773 fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
michael@0 774 "-P dbprefix");
michael@0 775
michael@0 776 fprintf (stderr, "%-15s Delete a CRL from the cert database\n", "-D");
michael@0 777 fprintf(stderr, "%-20s Specify the nickname for the CA certificate\n",
michael@0 778 "-n nickname");
michael@0 779 fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
michael@0 780 fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
michael@0 781 "-d keydir");
michael@0 782 fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
michael@0 783 "-P dbprefix");
michael@0 784
michael@0 785 fprintf (stderr, "%-15s Erase all CRLs of specified type from hte cert database\n", "-E");
michael@0 786 fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
michael@0 787 fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
michael@0 788 "-d keydir");
michael@0 789 fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
michael@0 790 "-P dbprefix");
michael@0 791
michael@0 792 fprintf (stderr, "%-15s Show contents of a CRL file (without database)\n", "-S");
michael@0 793 fprintf(stderr, "%-20s Specify the file which contains the CRL to show\n",
michael@0 794 "-i crl");
michael@0 795
michael@0 796 fprintf (stderr, "%-15s Import a CRL to the cert database\n", "-I");
michael@0 797 fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n",
michael@0 798 "-i crl");
michael@0 799 fprintf(stderr, "%-20s Specify the url.\n", "-u url");
michael@0 800 fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
michael@0 801 fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
michael@0 802 "-d keydir");
michael@0 803 fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
michael@0 804 "-P dbprefix");
michael@0 805 #ifdef DEBUG
michael@0 806 fprintf (stderr, "%-15s Test . Only for debugging purposes. See source code\n", "-T");
michael@0 807 #endif
michael@0 808 fprintf(stderr, "%-20s CRL Types (default is SEC_CRL_TYPE):\n", " ");
michael@0 809 fprintf(stderr, "%-20s \t 0 - SEC_KRL_TYPE\n", " ");
michael@0 810 fprintf(stderr, "%-20s \t 1 - SEC_CRL_TYPE\n", " ");
michael@0 811 fprintf(stderr, "\n%-20s Bypass CA certificate checks.\n", "-B");
michael@0 812 fprintf(stderr, "\n%-20s Partial decode for faster operation.\n", "-p");
michael@0 813 fprintf(stderr, "%-20s Repeat the operation.\n", "-r <iterations>");
michael@0 814 fprintf(stderr, "\n%-15s Create CRL\n", "-G");
michael@0 815 fprintf(stderr, "%-15s Modify CRL\n", "-M");
michael@0 816 fprintf(stderr, "%-20s Specify crl initialization file\n",
michael@0 817 "-c crl-conf-file");
michael@0 818 fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n",
michael@0 819 "-n nickname");
michael@0 820 fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n",
michael@0 821 "-i crl");
michael@0 822 fprintf(stderr, "%-20s Specify a CRL output file\n",
michael@0 823 "-o crl-output-file");
michael@0 824 fprintf(stderr, "%-20s Specify to use base64 encoded CRL output format\n",
michael@0 825 "-a");
michael@0 826 fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
michael@0 827 "-d keydir");
michael@0 828 fprintf(stderr, "%-20s Provide path to a default pwd file\n",
michael@0 829 "-f pwd-file");
michael@0 830 fprintf(stderr, "%-20s Provide db password in command line\n",
michael@0 831 "-w pwd-string");
michael@0 832 fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
michael@0 833 "-P dbprefix");
michael@0 834 fprintf(stderr, "%-20s Specify the url.\n", "-u url");
michael@0 835 fprintf(stderr, "\n%-20s Bypass CA certificate checks.\n", "-B");
michael@0 836
michael@0 837 exit(-1);
michael@0 838 }
michael@0 839
michael@0 840 int main(int argc, char **argv)
michael@0 841 {
michael@0 842 CERTCertDBHandle *certHandle;
michael@0 843 PRFileDesc *inFile;
michael@0 844 PRFileDesc *inCrlInitFile = NULL;
michael@0 845 int generateCRL;
michael@0 846 int modifyCRL;
michael@0 847 int listCRL;
michael@0 848 int importCRL;
michael@0 849 int showFileCRL;
michael@0 850 int deleteCRL;
michael@0 851 int rv;
michael@0 852 char *nickName;
michael@0 853 char *url;
michael@0 854 char *dbPrefix = "";
michael@0 855 char *alg = NULL;
michael@0 856 char *outFile = NULL;
michael@0 857 char *slotName = NULL;
michael@0 858 int ascii = 0;
michael@0 859 int crlType;
michael@0 860 PLOptState *optstate;
michael@0 861 PLOptStatus status;
michael@0 862 SECStatus secstatus;
michael@0 863 PRInt32 decodeOptions = CRL_DECODE_DEFAULT_OPTIONS;
michael@0 864 PRInt32 importOptions = CRL_IMPORT_DEFAULT_OPTIONS;
michael@0 865 PRBool quiet = PR_FALSE;
michael@0 866 PRBool test = PR_FALSE;
michael@0 867 PRBool erase = PR_FALSE;
michael@0 868 PRInt32 i = 0;
michael@0 869 PRInt32 iterations = 1;
michael@0 870 PRBool readonly = PR_FALSE;
michael@0 871
michael@0 872 secuPWData pwdata = { PW_NONE, 0 };
michael@0 873
michael@0 874 progName = strrchr(argv[0], '/');
michael@0 875 progName = progName ? progName+1 : argv[0];
michael@0 876
michael@0 877 rv = 0;
michael@0 878 deleteCRL = importCRL = listCRL = generateCRL = modifyCRL = showFileCRL = 0;
michael@0 879 inFile = NULL;
michael@0 880 nickName = url = NULL;
michael@0 881 certHandle = NULL;
michael@0 882 crlType = SEC_CRL_TYPE;
michael@0 883 /*
michael@0 884 * Parse command line arguments
michael@0 885 */
michael@0 886 optstate = PL_CreateOptState(argc, argv, "sqBCDGILMSTEP:f:d:i:h:n:p:t:u:r:aZ:o:c:");
michael@0 887 while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
michael@0 888 switch (optstate->option) {
michael@0 889 case '?':
michael@0 890 Usage(progName);
michael@0 891 break;
michael@0 892
michael@0 893 case 'T':
michael@0 894 test = PR_TRUE;
michael@0 895 break;
michael@0 896
michael@0 897 case 'E':
michael@0 898 erase = PR_TRUE;
michael@0 899 break;
michael@0 900
michael@0 901 case 'B':
michael@0 902 importOptions |= CRL_IMPORT_BYPASS_CHECKS;
michael@0 903 break;
michael@0 904
michael@0 905 case 'G':
michael@0 906 generateCRL = 1;
michael@0 907 break;
michael@0 908
michael@0 909 case 'M':
michael@0 910 modifyCRL = 1;
michael@0 911 break;
michael@0 912
michael@0 913 case 'D':
michael@0 914 deleteCRL = 1;
michael@0 915 break;
michael@0 916
michael@0 917 case 'I':
michael@0 918 importCRL = 1;
michael@0 919 break;
michael@0 920
michael@0 921 case 'S':
michael@0 922 showFileCRL = 1;
michael@0 923 break;
michael@0 924
michael@0 925 case 'C':
michael@0 926 case 'L':
michael@0 927 listCRL = 1;
michael@0 928 break;
michael@0 929
michael@0 930 case 'P':
michael@0 931 dbPrefix = strdup(optstate->value);
michael@0 932 break;
michael@0 933
michael@0 934 case 'Z':
michael@0 935 alg = strdup(optstate->value);
michael@0 936 break;
michael@0 937
michael@0 938 case 'a':
michael@0 939 ascii = 1;
michael@0 940 break;
michael@0 941
michael@0 942 case 'c':
michael@0 943 inCrlInitFile = PR_Open(optstate->value, PR_RDONLY, 0);
michael@0 944 if (!inCrlInitFile) {
michael@0 945 PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
michael@0 946 progName, optstate->value);
michael@0 947 PL_DestroyOptState(optstate);
michael@0 948 return -1;
michael@0 949 }
michael@0 950 break;
michael@0 951
michael@0 952 case 'd':
michael@0 953 SECU_ConfigDirectory(optstate->value);
michael@0 954 break;
michael@0 955
michael@0 956 case 'f':
michael@0 957 pwdata.source = PW_FROMFILE;
michael@0 958 pwdata.data = strdup(optstate->value);
michael@0 959 break;
michael@0 960
michael@0 961 case 'h':
michael@0 962 slotName = strdup(optstate->value);
michael@0 963 break;
michael@0 964
michael@0 965 case 'i':
michael@0 966 inFile = PR_Open(optstate->value, PR_RDONLY, 0);
michael@0 967 if (!inFile) {
michael@0 968 PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
michael@0 969 progName, optstate->value);
michael@0 970 PL_DestroyOptState(optstate);
michael@0 971 return -1;
michael@0 972 }
michael@0 973 break;
michael@0 974
michael@0 975 case 'n':
michael@0 976 nickName = strdup(optstate->value);
michael@0 977 break;
michael@0 978
michael@0 979 case 'o':
michael@0 980 outFile = strdup(optstate->value);
michael@0 981 break;
michael@0 982
michael@0 983 case 'p':
michael@0 984 decodeOptions |= CRL_DECODE_SKIP_ENTRIES;
michael@0 985 break;
michael@0 986
michael@0 987 case 'r': {
michael@0 988 const char* str = optstate->value;
michael@0 989 if (str && atoi(str)>0)
michael@0 990 iterations = atoi(str);
michael@0 991 }
michael@0 992 break;
michael@0 993
michael@0 994 case 't': {
michael@0 995 crlType = atoi(optstate->value);
michael@0 996 if (crlType != SEC_CRL_TYPE && crlType != SEC_KRL_TYPE) {
michael@0 997 PR_fprintf(PR_STDERR, "%s: invalid crl type\n", progName);
michael@0 998 PL_DestroyOptState(optstate);
michael@0 999 return -1;
michael@0 1000 }
michael@0 1001 break;
michael@0 1002
michael@0 1003 case 'q':
michael@0 1004 quiet = PR_TRUE;
michael@0 1005 break;
michael@0 1006
michael@0 1007 case 'w':
michael@0 1008 pwdata.source = PW_PLAINTEXT;
michael@0 1009 pwdata.data = strdup(optstate->value);
michael@0 1010 break;
michael@0 1011
michael@0 1012 case 'u':
michael@0 1013 url = strdup(optstate->value);
michael@0 1014 break;
michael@0 1015
michael@0 1016 }
michael@0 1017 }
michael@0 1018 }
michael@0 1019 PL_DestroyOptState(optstate);
michael@0 1020
michael@0 1021 if (deleteCRL && !nickName) Usage (progName);
michael@0 1022 if (importCRL && !inFile) Usage (progName);
michael@0 1023 if (showFileCRL && !inFile) Usage (progName);
michael@0 1024 if ((generateCRL && !nickName) ||
michael@0 1025 (modifyCRL && !inFile && !nickName)) Usage (progName);
michael@0 1026 if (!(listCRL || deleteCRL || importCRL || showFileCRL || generateCRL ||
michael@0 1027 modifyCRL || test || erase)) Usage (progName);
michael@0 1028
michael@0 1029 if (listCRL || showFileCRL) {
michael@0 1030 readonly = PR_TRUE;
michael@0 1031 }
michael@0 1032
michael@0 1033 PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
michael@0 1034
michael@0 1035 PK11_SetPasswordFunc(SECU_GetModulePassword);
michael@0 1036
michael@0 1037 if (showFileCRL) {
michael@0 1038 NSS_NoDB_Init(NULL);
michael@0 1039 }
michael@0 1040 else {
michael@0 1041 secstatus = NSS_Initialize(SECU_ConfigDirectory(NULL), dbPrefix, dbPrefix,
michael@0 1042 "secmod.db", readonly ? NSS_INIT_READONLY : 0);
michael@0 1043 if (secstatus != SECSuccess) {
michael@0 1044 SECU_PrintPRandOSError(progName);
michael@0 1045 return -1;
michael@0 1046 }
michael@0 1047 }
michael@0 1048
michael@0 1049 SECU_RegisterDynamicOids();
michael@0 1050
michael@0 1051 certHandle = CERT_GetDefaultCertDB();
michael@0 1052 if (certHandle == NULL) {
michael@0 1053 SECU_PrintError(progName, "unable to open the cert db");
michael@0 1054 /*ignoring return value of NSS_Shutdown() as code returns -1*/
michael@0 1055 (void) NSS_Shutdown();
michael@0 1056 return (-1);
michael@0 1057 }
michael@0 1058
michael@0 1059 CRLGEN_InitCrlGenParserLock();
michael@0 1060
michael@0 1061 for (i=0; i<iterations; i++) {
michael@0 1062 /* Read in the private key info */
michael@0 1063 if (deleteCRL)
michael@0 1064 DeleteCRL (certHandle, nickName, crlType);
michael@0 1065 else if (listCRL) {
michael@0 1066 rv = ListCRL (certHandle, nickName, crlType);
michael@0 1067 }
michael@0 1068 else if (importCRL) {
michael@0 1069 rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
michael@0 1070 decodeOptions, &pwdata);
michael@0 1071 }
michael@0 1072 else if (showFileCRL) {
michael@0 1073 rv = DumpCRL (inFile);
michael@0 1074 } else if (generateCRL || modifyCRL) {
michael@0 1075 if (!inCrlInitFile)
michael@0 1076 inCrlInitFile = PR_STDIN;
michael@0 1077 rv = GenerateCRL (certHandle, nickName, inCrlInitFile,
michael@0 1078 inFile, outFile, ascii, slotName,
michael@0 1079 importOptions, alg, quiet,
michael@0 1080 decodeOptions, url, &pwdata,
michael@0 1081 modifyCRL);
michael@0 1082 }
michael@0 1083 else if (erase) {
michael@0 1084 /* list and delete all CRLs */
michael@0 1085 ListCRLNames (certHandle, crlType, PR_TRUE);
michael@0 1086 }
michael@0 1087 #ifdef DEBUG
michael@0 1088 else if (test) {
michael@0 1089 /* list and delete all CRLs */
michael@0 1090 ListCRLNames (certHandle, crlType, PR_TRUE);
michael@0 1091 /* list CRLs */
michael@0 1092 ListCRLNames (certHandle, crlType, PR_FALSE);
michael@0 1093 /* import CRL as a blob */
michael@0 1094 rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
michael@0 1095 decodeOptions, &pwdata);
michael@0 1096 /* list CRLs */
michael@0 1097 ListCRLNames (certHandle, crlType, PR_FALSE);
michael@0 1098 }
michael@0 1099 #endif
michael@0 1100 }
michael@0 1101
michael@0 1102 CRLGEN_DestroyCrlGenParserLock();
michael@0 1103
michael@0 1104 if (NSS_Shutdown() != SECSuccess) {
michael@0 1105 rv = SECFailure;
michael@0 1106 }
michael@0 1107
michael@0 1108 return (rv != SECSuccess);
michael@0 1109 }

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial