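--- /dev/null
+++ b/security/nss/cmd/addbuiltin/addbuiltin.c
@@ -0,0 +1,545 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Tool for converting builtin CA certs.
+ */
+
+#include "nssrenam.h"
+#include "nss.h"
+#include "cert.h"
+#include "certdb.h"
+#include "secutil.h"
+#include "pk11func.h"
+
+#if defined(WIN32)
+#include <fcntl.h>
+#include <io.h>
+#endif
+
+void dumpbytes(unsigned char *buf, int len)
+{
+    int i;
+    for (i=0; i < len; i++) {
+        if ((i !=0) && ((i & 0xf) == 0)) {
+            printf("\n");
+        }
+        printf("\\%03o",buf[i]);
+    }
+    printf("\n");
+}
+
+char *getTrustString(unsigned int trust)
+{
+    if (trust & CERTDB_TRUSTED) {
+        if (trust & CERTDB_TRUSTED_CA) {
+            return "CKT_NSS_TRUSTED_DELEGATOR";
+        } else {
+            return "CKT_NSS_TRUSTED";
+        }
+    } else {
+        if (trust & CERTDB_TRUSTED_CA) {
+            return "CKT_NSS_TRUSTED_DELEGATOR";
+        } else if (trust & CERTDB_VALID_CA) {
+            return "CKT_NSS_VALID_DELEGATOR";
+        } else if (trust & CERTDB_TERMINAL_RECORD) {
+            return "CKT_NSS_NOT_TRUSTED";
+        } else {
+            return "CKT_NSS_MUST_VERIFY_TRUST";
+        }
+    }
+    return "CKT_NSS_TRUST_UNKNOWN"; /* not reached */
+}
+
+static const SEC_ASN1Template serialTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(CERTCertificate,serialNumber) },
+    { 0 }
+};
+
+void print_crl_info(CERTName *name, SECItem *serial)
+{
+    PRBool saveWrapeState = SECU_GetWrapEnabled();
+    SECU_EnableWrap(PR_FALSE);
+
+    SECU_PrintNameQuotesOptional(stdout, name, "# Issuer", 0, PR_FALSE);
+    printf("\n");
+
+    SECU_PrintInteger(stdout, serial, "# Serial Number", 0);
+
+    SECU_EnableWrap(saveWrapeState);
+}
+
+static SECStatus
+ConvertCRLEntry(SECItem *sdder, PRInt32 crlentry, char *nickname)
+{
+    int rv;
+    PLArenaPool *arena = NULL;
+    CERTSignedCrl *newCrl = NULL;
+    CERTCrlEntry *entry;
+
+    CERTName *name = NULL;
+    SECItem *derName = NULL;
+    SECItem *serial = NULL;
+
+    rv = SEC_ERROR_NO_MEMORY;
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!arena)
+        return rv;
+
+    newCrl = CERT_DecodeDERCrlWithFlags(arena, sdder, SEC_CRL_TYPE,
+                                        CRL_DECODE_DEFAULT_OPTIONS);
+    if (!newCrl)
+        return SECFailure;
+
+    name = &newCrl->crl.name;
+    derName = &newCrl->crl.derName;
+
+    if (newCrl->crl.entries != NULL) {
+        PRInt32 iv = 0;
+        while ((entry = newCrl->crl.entries[iv++]) != NULL) {
+            if (crlentry == iv) {
+                serial = &entry->serialNumber;
+                break;
+            }
+        }
+    }
+
+    if (!name || !derName || !serial)
+        return SECFailure;
+
+    printf("\n# Distrust \"%s\"\n",nickname);
+    print_crl_info(name, serial);
+
+    printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n");
+    printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
+    printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
+    printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
+    printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
+
+    printf("CKA_ISSUER MULTILINE_OCTAL\n");
+    dumpbytes(derName->data,derName->len);
+    printf("END\n");
+    printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
+    printf("\\002\\%03o", serial->len); /* 002: type integer; len >=3 digits */
+    dumpbytes(serial->data,serial->len);
+    printf("END\n");
+
+    printf("CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED\n");
+    printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED\n");
+    printf("CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED\n");
+    printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE\n");
+
+    PORT_FreeArena (arena, PR_FALSE);
+    return rv;
+}
+
+void print_info(SECItem *sdder, CERTCertificate *c)
+{
+    PRBool saveWrapeState = SECU_GetWrapEnabled();
+    SECU_EnableWrap(PR_FALSE);
+
+    SECU_PrintNameQuotesOptional(stdout, &c->issuer, "# Issuer", 0, PR_FALSE);
+    printf("\n");
+
+    SECU_PrintInteger(stdout, &c->serialNumber, "# Serial Number", 0);
+
+    SECU_PrintNameQuotesOptional(stdout, &c->subject, "# Subject", 0, PR_FALSE);
+    printf("\n");
+
+    SECU_PrintTimeChoice(stdout, &c->validity.notBefore, "# Not Valid Before", 0);
+    SECU_PrintTimeChoice(stdout, &c->validity.notAfter, "# Not Valid After ", 0);
+
+    SECU_PrintFingerprints(stdout, sdder, "# Fingerprint", 0);
+
+    SECU_EnableWrap(saveWrapeState);
+}
+
+static SECStatus
+ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust,
+                   PRBool excludeCert, PRBool excludeHash)
+{
+    SECStatus rv = SECSuccess;
+    CERTCertificate *cert;
+    unsigned char sha1_hash[SHA1_LENGTH];
+    unsigned char md5_hash[MD5_LENGTH];
+    SECItem *serial = NULL;
+    PRBool step_up = PR_FALSE;
+    const char *trust_info;
+
+    cert = CERT_DecodeDERCertificate(sdder, PR_FALSE, nickname);
+    if (!cert) {
+        return SECFailure;
+    }
+    serial = SEC_ASN1EncodeItem(NULL,NULL,cert,serialTemplate);
+    if (!serial) {
+        return SECFailure;
+    }
+
+    if (!excludeCert) {
+        printf("\n#\n# Certificate \"%s\"\n#\n",nickname);
+        print_info(sdder, cert);
+        printf("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n");
+        printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
+        printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
+        printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
+        printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
+        printf("CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n");
+        printf("CKA_SUBJECT MULTILINE_OCTAL\n");
+        dumpbytes(cert->derSubject.data,cert->derSubject.len);
+        printf("END\n");
+        printf("CKA_ID UTF8 \"0\"\n");
+        printf("CKA_ISSUER MULTILINE_OCTAL\n");
+        dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
+        printf("END\n");
+        printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
+        dumpbytes(serial->data,serial->len);
+        printf("END\n");
+        printf("CKA_VALUE MULTILINE_OCTAL\n");
+        dumpbytes(sdder->data,sdder->len);
+        printf("END\n");
+    }
+
+    if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags)
+        == CERTDB_TERMINAL_RECORD)
+        trust_info = "Distrust";
+    else
+        trust_info = "Trust for";
+
+    printf("\n# %s \"%s\"\n", trust_info, nickname);
+    print_info(sdder, cert);
+
+    printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n");
+    printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
+    printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
+    printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
+    printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
+
+    if (!excludeHash) {
+        PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len);
+        printf("CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n");
+        dumpbytes(sha1_hash,SHA1_LENGTH);
+        printf("END\n");
+        PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len);
+        printf("CKA_CERT_MD5_HASH MULTILINE_OCTAL\n");
+        dumpbytes(md5_hash,MD5_LENGTH);
+        printf("END\n");
+    }
+
+    printf("CKA_ISSUER MULTILINE_OCTAL\n");
+    dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
+    printf("END\n");
+    printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
+    dumpbytes(serial->data,serial->len);
+    printf("END\n");
+
+    printf("CKA_TRUST_SERVER_AUTH CK_TRUST %s\n",
+           getTrustString(trust->sslFlags));
+    printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST %s\n",
+           getTrustString(trust->emailFlags));
+    printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n",
+           getTrustString(trust->objectSigningFlags));
+#ifdef notdef
+    printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NSS_TRUSTED\n");
+    printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+#endif
+
+    step_up = (trust->sslFlags & CERTDB_GOVT_APPROVED_CA);
+    printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n",
+           step_up ? "CK_TRUE" : "CK_FALSE");
+
+    PORT_Free(sdder->data);
+    return(rv);
+
+}
+
+void printheader() {
+    printf("# \n"
+"# This Source Code Form is subject to the terms of the Mozilla Public\n"
+"# License, v. 2.0. If a copy of the MPL was not distributed with this\n"
+"# file, You can obtain one at http://mozilla.org/MPL/2.0/.\n"
+    "#\n"
+    "CVS_ID \"@(#) $RCSfile$ $Revision$ $Date$\"\n"
+    "\n"
+    "#\n"
+    "# certdata.txt\n"
+    "#\n"
+    "# This file contains the object definitions for the certs and other\n"
+    "# information \"built into\" NSS.\n"
+    "#\n"
+    "# Object definitions:\n"
+    "#\n"
+    "# Certificates\n"
+    "#\n"
+    "# -- Attribute -- -- type -- -- value --\n"
+    "# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n"
+    "# CKA_TOKEN CK_BBOOL CK_TRUE\n"
+    "# CKA_PRIVATE CK_BBOOL CK_FALSE\n"
+    "# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
+    "# CKA_LABEL UTF8 (varies)\n"
+    "# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n"
+    "# CKA_SUBJECT DER+base64 (varies)\n"
+    "# CKA_ID byte array (varies)\n"
+    "# CKA_ISSUER DER+base64 (varies)\n"
+    "# CKA_SERIAL_NUMBER DER+base64 (varies)\n"
+    "# CKA_VALUE DER+base64 (varies)\n"
+    "# CKA_NSS_EMAIL ASCII7 (unused here)\n"
+    "#\n"
+    "# Trust\n"
+    "#\n"
+    "# -- Attribute -- -- type -- -- value --\n"
+    "# CKA_CLASS CK_OBJECT_CLASS CKO_TRUST\n"
+    "# CKA_TOKEN CK_BBOOL CK_TRUE\n"
+    "# CKA_PRIVATE CK_BBOOL CK_FALSE\n"
+    "# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
+    "# CKA_LABEL UTF8 (varies)\n"
+    "# CKA_ISSUER DER+base64 (varies)\n"
+    "# CKA_SERIAL_NUMBER DER+base64 (varies)\n"
+    "# CKA_CERT_HASH binary+base64 (varies)\n"
+    "# CKA_EXPIRES CK_DATE (not used here)\n"
+    "# CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST (varies)\n"
+    "# CKA_TRUST_NON_REPUDIATION CK_TRUST (varies)\n"
+    "# CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST (varies)\n"
+    "# CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST (varies)\n"
+    "# CKA_TRUST_KEY_AGREEMENT CK_TRUST (varies)\n"
+    "# CKA_TRUST_KEY_CERT_SIGN CK_TRUST (varies)\n"
+    "# CKA_TRUST_CRL_SIGN CK_TRUST (varies)\n"
+    "# CKA_TRUST_SERVER_AUTH CK_TRUST (varies)\n"
+    "# CKA_TRUST_CLIENT_AUTH CK_TRUST (varies)\n"
+    "# CKA_TRUST_CODE_SIGNING CK_TRUST (varies)\n"
+    "# CKA_TRUST_EMAIL_PROTECTION CK_TRUST (varies)\n"
+    "# CKA_TRUST_IPSEC_END_SYSTEM CK_TRUST (varies)\n"
+    "# CKA_TRUST_IPSEC_TUNNEL CK_TRUST (varies)\n"
+    "# CKA_TRUST_IPSEC_USER CK_TRUST (varies)\n"
+    "# CKA_TRUST_TIME_STAMPING CK_TRUST (varies)\n"
+    "# (other trust attributes can be defined)\n"
+    "#\n"
+    "\n"
+    "#\n"
+    "# The object to tell NSS that this is a root list and we don't\n"
+    "# have to go looking for others.\n"
+    "#\n"
+    "BEGINDATA\n"
+    "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST\n"
+    "CKA_TOKEN CK_BBOOL CK_TRUE\n"
+    "CKA_PRIVATE CK_BBOOL CK_FALSE\n"
+    "CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
+    "CKA_LABEL UTF8 \"Mozilla Builtin Roots\"\n");
+}
+
+static void Usage(char *progName)
+{
+    fprintf(stderr, "%s -t trust -n nickname [-i certfile] [-c] [-h]\n", progName);
+    fprintf(stderr,
+            "\tRead a der-encoded cert from certfile or stdin, and output\n"
+            "\tit to stdout in a format suitable for the builtin root module.\n"
+            "\tExample: %s -n MyCA -t \"C,C,C\" -i myca.der >> certdata.txt\n",
+            progName);
+    fprintf(stderr, "%s -D -n label [-i certfile]\n", progName);
+    fprintf(stderr,
+            "\tRead a der-encoded cert from certfile or stdin, and output\n"
+            "\ta distrust record.\n"
+            "\t(-D is equivalent to -t p,p,p -c -h)\n");
+    fprintf(stderr, "%s -C -e crl-entry-number -n label [-i crlfile]\n", progName);
+    fprintf(stderr,
+            "\tRead a CRL from crlfile or stdin, and output\n"
+            "\ta distrust record (issuer+serial).\n"
+            "\t(-C implies -c -h)\n");
+    fprintf(stderr, "%-15s trust flags (cCTpPuw).\n", "-t trust");
+    fprintf(stderr, "%-15s nickname to assign to builtin cert, or\n",
+            "-n nickname");
+    fprintf(stderr, "%-15s a label for the distrust record.\n", "");
+    fprintf(stderr, "%-15s exclude the certificate (only add a trust record)\n", "-c");
+    fprintf(stderr, "%-15s exclude hash from trust record\n", "-h");
+    fprintf(stderr, "%-15s (useful to distrust any matching issuer/serial)\n", "");
+    fprintf(stderr, "%-15s (not allowed when adding positive trust)\n", "");
+    fprintf(stderr, "%-15s a CRL entry number, as shown by \"crlutil -S\"\n", "-e");
+    fprintf(stderr, "%-15s input file to read (default stdin)\n", "-i file");
+    fprintf(stderr, "%-15s (pipe through atob if the cert is b64-encoded)\n", "");
+    exit(-1);
+}
+
+enum {
+    opt_Input = 0,
+    opt_Nickname,
+    opt_Trust,
+    opt_Distrust,
+    opt_ExcludeCert,
+    opt_ExcludeHash,
+    opt_DistrustCRL,
+    opt_CRLEnry
+};
+
+static secuCommandFlag addbuiltin_options[] =
+{
+    { /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE },
+    { /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE },
+    { /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE },
+    { /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE },
+    { /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE },
+    { /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE },
+    { /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE },
+    { /* opt_CRLEnry */ 'e', PR_TRUE, 0, PR_FALSE },
+};
+
+int main(int argc, char **argv)
+{
+    SECStatus rv;
+    char *nickname = NULL;
+    char *trusts = NULL;
+    char *progName;
+    PRFileDesc *infile;
+    CERTCertTrust trust = { 0 };
+    SECItem derItem = { 0 };
+    PRInt32 crlentry = 0;
+    PRInt32 mutuallyExclusiveOpts = 0;
+    PRBool decodeTrust = PR_FALSE;
+
+    secuCommand addbuiltin = { 0 };
+    addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
+    addbuiltin.options = addbuiltin_options;
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);
+
+    if (rv != SECSuccess)
+        Usage(progName);
+
+    if (addbuiltin.options[opt_Trust].activated)
+        ++mutuallyExclusiveOpts;
+    if (addbuiltin.options[opt_Distrust].activated)
+        ++mutuallyExclusiveOpts;
+    if (addbuiltin.options[opt_DistrustCRL].activated)
+        ++mutuallyExclusiveOpts;
+
+    if (mutuallyExclusiveOpts != 1) {
+        fprintf(stderr, "%s: you must specify exactly one of -t or -D or -C\n",
+                progName);
+        Usage(progName);
+    }
+
+    if (addbuiltin.options[opt_DistrustCRL].activated) {
+        if (!addbuiltin.options[opt_CRLEnry].activated) {
+            fprintf(stderr, "%s: you must specify the CRL entry number.\n",
+                    progName);
+            Usage(progName);
+        }
+        else {
+            crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg);
+            if (crlentry < 1) {
+                fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
+                        progName);
+                Usage(progName);
+            }
+        }
+    }
+
+    if (!addbuiltin.options[opt_Nickname].activated) {
+        fprintf(stderr, "%s: you must specify parameter -n (a nickname or a label).\n",
+                progName);
+        Usage(progName);
+    }
+
+    if (addbuiltin.options[opt_Input].activated) {
+        infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
+        if (!infile) {
+            fprintf(stderr, "%s: failed to open input file.\n", progName);
+            exit(1);
+        }
+    } else {
+#if defined(WIN32)
+        /* If we're going to read binary data from stdin, we must put stdin
+        ** into O_BINARY mode or else incoming \r\n's will become \n's,
+        ** and latin-1 characters will be altered.
+        */
+
+        int smrv = _setmode(_fileno(stdin), _O_BINARY);
+        if (smrv == -1) {
+            fprintf(stderr,
+                    "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
+                    progName);
+            exit(1);
+        }
+#endif
+        infile = PR_STDIN;
+    }
+
+#if defined(WIN32)
+    /* We must put stdout into O_BINARY mode or else the output will include
+    ** carriage returns.
+    */
+    {
+        int smrv = _setmode(_fileno(stdout), _O_BINARY);
+        if (smrv == -1) {
+            fprintf(stderr, "%s: Cannot change stdout to binary mode.\n", progName);
+            exit(1);
+        }
+    }
+#endif
+
+    nickname = strdup(addbuiltin.options[opt_Nickname].arg);
+
+    NSS_NoDB_Init(NULL);
+
+    if (addbuiltin.options[opt_Distrust].activated ||
+        addbuiltin.options[opt_DistrustCRL].activated) {
+        addbuiltin.options[opt_ExcludeCert].activated = PR_TRUE;
+        addbuiltin.options[opt_ExcludeHash].activated = PR_TRUE;
+    }
+
+    if (addbuiltin.options[opt_Distrust].activated) {
+        trusts = strdup("p,p,p");
+        decodeTrust = PR_TRUE;
+    }
+    else if (addbuiltin.options[opt_Trust].activated) {
+        trusts = strdup(addbuiltin.options[opt_Trust].arg);
+        decodeTrust = PR_TRUE;
+    }
+
+    if (decodeTrust) {
+        rv = CERT_DecodeTrustString(&trust, trusts);
+        if (rv) {
+            fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
+            Usage(progName);
+        }
+    }
+
+    if (addbuiltin.options[opt_Trust].activated &&
+        addbuiltin.options[opt_ExcludeHash].activated) {
+        if ((trust.sslFlags | trust.emailFlags | trust.objectSigningFlags)
+            != CERTDB_TERMINAL_RECORD) {
+            fprintf(stderr, "%s: Excluding the hash only allowed with distrust.\n", progName);
+            Usage(progName);
+        }
+    }
+
+    SECU_FileToItem(&derItem, infile);
+
+    /*printheader();*/
+
+    if (addbuiltin.options[opt_DistrustCRL].activated) {
+        rv = ConvertCRLEntry(&derItem, crlentry, nickname);
+    }
+    else {
+        rv = ConvertCertificate(&derItem, nickname, &trust,
+                                addbuiltin.options[opt_ExcludeCert].activated,
+                                addbuiltin.options[opt_ExcludeHash].activated);
+        if (rv) {
+            fprintf(stderr, "%s: failed to convert certificate.\n", progName);
+            exit(1);
+        }
+    }
+
+    if (NSS_Shutdown() != SECSuccess) {
+        exit(1);
+    }
+
+    return(SECSuccess);
+}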
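Review bot: ConvertCRLEntry reports failure to its caller even when it succeeds — `rv` is an `int` set to `SEC_ERROR_NO_MEMORY` at 1.88 and that value is what the success path returns at 1.137, while the two early returns at 1.96 and 1.112 skip `PORT_FreeArena` and leak the arena; main never inspects the result of the `-C` branch at 1.531, so the bogus status goes unnoticed. Make `rv` a `SECStatus` that starts as `SECFailure`, route every exit after the arena allocation through one cleanup label that frees it, set `SECSuccess` only once the record has been written, and give the ConvertCRLEntry call in main the same `if (rv) { fprintf(stderr, "%s: failed to convert CRL entry.\n", progName); exit(1); }` check the certificate branch already has. ConvertCertificate has matching leaks: `cert` is never released with `CERT_DestroyCertificate` and `serial` from `SEC_ASN1EncodeItem` never with `SECITEM_FreeItem`, on the error return at 1.179 as well as on success. The return value of `SECU_FileToItem` at 1.526 is also unchecked, so a read failure reaches the decoders as an empty item instead of being reported to the user.
```c
static SECStatus
ConvertCRLEntry(SECItem *sdder, PRInt32 crlentry, char *nickname)
{
    SECStatus rv = SECFailure;
    /* … unchanged: arena, newCrl, entry, name, derName, serial locals … */

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (!arena)
        return SECFailure;

    newCrl = CERT_DecodeDERCrlWithFlags(arena, sdder, SEC_CRL_TYPE,
                                        CRL_DECODE_DEFAULT_OPTIONS);
    if (!newCrl)
        goto done;

    /* … unchanged: issuer name and CRL entry lookup … */

    if (!name || !derName || !serial)
        goto done;

    /* … unchanged: distrust record output … */

    rv = SECSuccess;
done:
    PORT_FreeArena(arena, PR_FALSE);
    return rv;
}
```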