michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: /* michael@0: * Tool for converting builtin CA certs. michael@0: */ michael@0: michael@0: #include "nssrenam.h" michael@0: #include "nss.h" michael@0: #include "cert.h" michael@0: #include "certdb.h" michael@0: #include "secutil.h" michael@0: #include "pk11func.h" michael@0: michael@0: #if defined(WIN32) michael@0: #include michael@0: #include michael@0: #endif michael@0: michael@0: void dumpbytes(unsigned char *buf, int len) michael@0: { michael@0: int i; michael@0: for (i=0; i < len; i++) { michael@0: if ((i !=0) && ((i & 0xf) == 0)) { michael@0: printf("\n"); michael@0: } michael@0: printf("\\%03o",buf[i]); michael@0: } michael@0: printf("\n"); michael@0: } michael@0: michael@0: char *getTrustString(unsigned int trust) michael@0: { michael@0: if (trust & CERTDB_TRUSTED) { michael@0: if (trust & CERTDB_TRUSTED_CA) { michael@0: return "CKT_NSS_TRUSTED_DELEGATOR"; michael@0: } else { michael@0: return "CKT_NSS_TRUSTED"; michael@0: } michael@0: } else { michael@0: if (trust & CERTDB_TRUSTED_CA) { michael@0: return "CKT_NSS_TRUSTED_DELEGATOR"; michael@0: } else if (trust & CERTDB_VALID_CA) { michael@0: return "CKT_NSS_VALID_DELEGATOR"; michael@0: } else if (trust & CERTDB_TERMINAL_RECORD) { michael@0: return "CKT_NSS_NOT_TRUSTED"; michael@0: } else { michael@0: return "CKT_NSS_MUST_VERIFY_TRUST"; michael@0: } michael@0: } michael@0: return "CKT_NSS_TRUST_UNKNOWN"; /* not reached */ michael@0: } michael@0: michael@0: static const SEC_ASN1Template serialTemplate[] = { michael@0: { SEC_ASN1_INTEGER, offsetof(CERTCertificate,serialNumber) }, michael@0: { 0 } michael@0: }; michael@0: michael@0: void print_crl_info(CERTName *name, SECItem *serial) michael@0: { michael@0: PRBool saveWrapeState = SECU_GetWrapEnabled(); michael@0: SECU_EnableWrap(PR_FALSE); michael@0: michael@0: SECU_PrintNameQuotesOptional(stdout, name, "# Issuer", 0, PR_FALSE); michael@0: printf("\n"); michael@0: michael@0: SECU_PrintInteger(stdout, serial, "# Serial Number", 0); michael@0: michael@0: SECU_EnableWrap(saveWrapeState); michael@0: } michael@0: michael@0: static SECStatus michael@0: ConvertCRLEntry(SECItem *sdder, PRInt32 crlentry, char *nickname) michael@0: { michael@0: int rv; michael@0: PLArenaPool *arena = NULL; michael@0: CERTSignedCrl *newCrl = NULL; michael@0: CERTCrlEntry *entry; michael@0: michael@0: CERTName *name = NULL; michael@0: SECItem *derName = NULL; michael@0: SECItem *serial = NULL; michael@0: michael@0: rv = SEC_ERROR_NO_MEMORY; michael@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); michael@0: if (!arena) michael@0: return rv; michael@0: michael@0: newCrl = CERT_DecodeDERCrlWithFlags(arena, sdder, SEC_CRL_TYPE, michael@0: CRL_DECODE_DEFAULT_OPTIONS); michael@0: if (!newCrl) michael@0: return SECFailure; michael@0: michael@0: name = &newCrl->crl.name; michael@0: derName = &newCrl->crl.derName; michael@0: michael@0: if (newCrl->crl.entries != NULL) { michael@0: PRInt32 iv = 0; michael@0: while ((entry = newCrl->crl.entries[iv++]) != NULL) { michael@0: if (crlentry == iv) { michael@0: serial = &entry->serialNumber; michael@0: break; michael@0: } michael@0: } michael@0: } michael@0: michael@0: if (!name || !derName || !serial) michael@0: return SECFailure; michael@0: michael@0: printf("\n# Distrust \"%s\"\n",nickname); michael@0: print_crl_info(name, serial); michael@0: michael@0: printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n"); michael@0: printf("CKA_TOKEN CK_BBOOL CK_TRUE\n"); michael@0: printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n"); michael@0: printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"); michael@0: printf("CKA_LABEL UTF8 \"%s\"\n",nickname); michael@0: michael@0: printf("CKA_ISSUER MULTILINE_OCTAL\n"); michael@0: dumpbytes(derName->data,derName->len); michael@0: printf("END\n"); michael@0: printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n"); michael@0: printf("\\002\\%03o", serial->len); /* 002: type integer; len >=3 digits */ michael@0: dumpbytes(serial->data,serial->len); michael@0: printf("END\n"); michael@0: michael@0: printf("CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED\n"); michael@0: printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED\n"); michael@0: printf("CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED\n"); michael@0: printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE\n"); michael@0: michael@0: PORT_FreeArena (arena, PR_FALSE); michael@0: return rv; michael@0: } michael@0: michael@0: void print_info(SECItem *sdder, CERTCertificate *c) michael@0: { michael@0: PRBool saveWrapeState = SECU_GetWrapEnabled(); michael@0: SECU_EnableWrap(PR_FALSE); michael@0: michael@0: SECU_PrintNameQuotesOptional(stdout, &c->issuer, "# Issuer", 0, PR_FALSE); michael@0: printf("\n"); michael@0: michael@0: SECU_PrintInteger(stdout, &c->serialNumber, "# Serial Number", 0); michael@0: michael@0: SECU_PrintNameQuotesOptional(stdout, &c->subject, "# Subject", 0, PR_FALSE); michael@0: printf("\n"); michael@0: michael@0: SECU_PrintTimeChoice(stdout, &c->validity.notBefore, "# Not Valid Before", 0); michael@0: SECU_PrintTimeChoice(stdout, &c->validity.notAfter, "# Not Valid After ", 0); michael@0: michael@0: SECU_PrintFingerprints(stdout, sdder, "# Fingerprint", 0); michael@0: michael@0: SECU_EnableWrap(saveWrapeState); michael@0: } michael@0: michael@0: static SECStatus michael@0: ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust, michael@0: PRBool excludeCert, PRBool excludeHash) michael@0: { michael@0: SECStatus rv = SECSuccess; michael@0: CERTCertificate *cert; michael@0: unsigned char sha1_hash[SHA1_LENGTH]; michael@0: unsigned char md5_hash[MD5_LENGTH]; michael@0: SECItem *serial = NULL; michael@0: PRBool step_up = PR_FALSE; michael@0: const char *trust_info; michael@0: michael@0: cert = CERT_DecodeDERCertificate(sdder, PR_FALSE, nickname); michael@0: if (!cert) { michael@0: return SECFailure; michael@0: } michael@0: serial = SEC_ASN1EncodeItem(NULL,NULL,cert,serialTemplate); michael@0: if (!serial) { michael@0: return SECFailure; michael@0: } michael@0: michael@0: if (!excludeCert) { michael@0: printf("\n#\n# Certificate \"%s\"\n#\n",nickname); michael@0: print_info(sdder, cert); michael@0: printf("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n"); michael@0: printf("CKA_TOKEN CK_BBOOL CK_TRUE\n"); michael@0: printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n"); michael@0: printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"); michael@0: printf("CKA_LABEL UTF8 \"%s\"\n",nickname); michael@0: printf("CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n"); michael@0: printf("CKA_SUBJECT MULTILINE_OCTAL\n"); michael@0: dumpbytes(cert->derSubject.data,cert->derSubject.len); michael@0: printf("END\n"); michael@0: printf("CKA_ID UTF8 \"0\"\n"); michael@0: printf("CKA_ISSUER MULTILINE_OCTAL\n"); michael@0: dumpbytes(cert->derIssuer.data,cert->derIssuer.len); michael@0: printf("END\n"); michael@0: printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n"); michael@0: dumpbytes(serial->data,serial->len); michael@0: printf("END\n"); michael@0: printf("CKA_VALUE MULTILINE_OCTAL\n"); michael@0: dumpbytes(sdder->data,sdder->len); michael@0: printf("END\n"); michael@0: } michael@0: michael@0: if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) michael@0: == CERTDB_TERMINAL_RECORD) michael@0: trust_info = "Distrust"; michael@0: else michael@0: trust_info = "Trust for"; michael@0: michael@0: printf("\n# %s \"%s\"\n", trust_info, nickname); michael@0: print_info(sdder, cert); michael@0: michael@0: printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n"); michael@0: printf("CKA_TOKEN CK_BBOOL CK_TRUE\n"); michael@0: printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n"); michael@0: printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"); michael@0: printf("CKA_LABEL UTF8 \"%s\"\n",nickname); michael@0: michael@0: if (!excludeHash) { michael@0: PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len); michael@0: printf("CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n"); michael@0: dumpbytes(sha1_hash,SHA1_LENGTH); michael@0: printf("END\n"); michael@0: PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len); michael@0: printf("CKA_CERT_MD5_HASH MULTILINE_OCTAL\n"); michael@0: dumpbytes(md5_hash,MD5_LENGTH); michael@0: printf("END\n"); michael@0: } michael@0: michael@0: printf("CKA_ISSUER MULTILINE_OCTAL\n"); michael@0: dumpbytes(cert->derIssuer.data,cert->derIssuer.len); michael@0: printf("END\n"); michael@0: printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n"); michael@0: dumpbytes(serial->data,serial->len); michael@0: printf("END\n"); michael@0: michael@0: printf("CKA_TRUST_SERVER_AUTH CK_TRUST %s\n", michael@0: getTrustString(trust->sslFlags)); michael@0: printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST %s\n", michael@0: getTrustString(trust->emailFlags)); michael@0: printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n", michael@0: getTrustString(trust->objectSigningFlags)); michael@0: #ifdef notdef michael@0: printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NSS_TRUSTED\n"); michael@0: printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); michael@0: printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); michael@0: printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); michael@0: printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); michael@0: printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); michael@0: printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); michael@0: #endif michael@0: michael@0: step_up = (trust->sslFlags & CERTDB_GOVT_APPROVED_CA); michael@0: printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n", michael@0: step_up ? "CK_TRUE" : "CK_FALSE"); michael@0: michael@0: PORT_Free(sdder->data); michael@0: return(rv); michael@0: michael@0: } michael@0: michael@0: void printheader() { michael@0: printf("# \n" michael@0: "# This Source Code Form is subject to the terms of the Mozilla Public\n" michael@0: "# License, v. 2.0. If a copy of the MPL was not distributed with this\n" michael@0: "# file, You can obtain one at http://mozilla.org/MPL/2.0/.\n" michael@0: "#\n" michael@0: "CVS_ID \"@(#) $RCSfile$ $Revision$ $Date$\"\n" michael@0: "\n" michael@0: "#\n" michael@0: "# certdata.txt\n" michael@0: "#\n" michael@0: "# This file contains the object definitions for the certs and other\n" michael@0: "# information \"built into\" NSS.\n" michael@0: "#\n" michael@0: "# Object definitions:\n" michael@0: "#\n" michael@0: "# Certificates\n" michael@0: "#\n" michael@0: "# -- Attribute -- -- type -- -- value --\n" michael@0: "# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n" michael@0: "# CKA_TOKEN CK_BBOOL CK_TRUE\n" michael@0: "# CKA_PRIVATE CK_BBOOL CK_FALSE\n" michael@0: "# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n" michael@0: "# CKA_LABEL UTF8 (varies)\n" michael@0: "# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n" michael@0: "# CKA_SUBJECT DER+base64 (varies)\n" michael@0: "# CKA_ID byte array (varies)\n" michael@0: "# CKA_ISSUER DER+base64 (varies)\n" michael@0: "# CKA_SERIAL_NUMBER DER+base64 (varies)\n" michael@0: "# CKA_VALUE DER+base64 (varies)\n" michael@0: "# CKA_NSS_EMAIL ASCII7 (unused here)\n" michael@0: "#\n" michael@0: "# Trust\n" michael@0: "#\n" michael@0: "# -- Attribute -- -- type -- -- value --\n" michael@0: "# CKA_CLASS CK_OBJECT_CLASS CKO_TRUST\n" michael@0: "# CKA_TOKEN CK_BBOOL CK_TRUE\n" michael@0: "# CKA_PRIVATE CK_BBOOL CK_FALSE\n" michael@0: "# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n" michael@0: "# CKA_LABEL UTF8 (varies)\n" michael@0: "# CKA_ISSUER DER+base64 (varies)\n" michael@0: "# CKA_SERIAL_NUMBER DER+base64 (varies)\n" michael@0: "# CKA_CERT_HASH binary+base64 (varies)\n" michael@0: "# CKA_EXPIRES CK_DATE (not used here)\n" michael@0: "# CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST (varies)\n" michael@0: "# CKA_TRUST_NON_REPUDIATION CK_TRUST (varies)\n" michael@0: "# CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST (varies)\n" michael@0: "# CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST (varies)\n" michael@0: "# CKA_TRUST_KEY_AGREEMENT CK_TRUST (varies)\n" michael@0: "# CKA_TRUST_KEY_CERT_SIGN CK_TRUST (varies)\n" michael@0: "# CKA_TRUST_CRL_SIGN CK_TRUST (varies)\n" michael@0: "# CKA_TRUST_SERVER_AUTH CK_TRUST (varies)\n" michael@0: "# CKA_TRUST_CLIENT_AUTH CK_TRUST (varies)\n" michael@0: "# CKA_TRUST_CODE_SIGNING CK_TRUST (varies)\n" michael@0: "# CKA_TRUST_EMAIL_PROTECTION CK_TRUST (varies)\n" michael@0: "# CKA_TRUST_IPSEC_END_SYSTEM CK_TRUST (varies)\n" michael@0: "# CKA_TRUST_IPSEC_TUNNEL CK_TRUST (varies)\n" michael@0: "# CKA_TRUST_IPSEC_USER CK_TRUST (varies)\n" michael@0: "# CKA_TRUST_TIME_STAMPING CK_TRUST (varies)\n" michael@0: "# (other trust attributes can be defined)\n" michael@0: "#\n" michael@0: "\n" michael@0: "#\n" michael@0: "# The object to tell NSS that this is a root list and we don't\n" michael@0: "# have to go looking for others.\n" michael@0: "#\n" michael@0: "BEGINDATA\n" michael@0: "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST\n" michael@0: "CKA_TOKEN CK_BBOOL CK_TRUE\n" michael@0: "CKA_PRIVATE CK_BBOOL CK_FALSE\n" michael@0: "CKA_MODIFIABLE CK_BBOOL CK_FALSE\n" michael@0: "CKA_LABEL UTF8 \"Mozilla Builtin Roots\"\n"); michael@0: } michael@0: michael@0: static void Usage(char *progName) michael@0: { michael@0: fprintf(stderr, "%s -t trust -n nickname [-i certfile] [-c] [-h]\n", progName); michael@0: fprintf(stderr, michael@0: "\tRead a der-encoded cert from certfile or stdin, and output\n" michael@0: "\tit to stdout in a format suitable for the builtin root module.\n" michael@0: "\tExample: %s -n MyCA -t \"C,C,C\" -i myca.der >> certdata.txt\n", michael@0: progName); michael@0: fprintf(stderr, "%s -D -n label [-i certfile]\n", progName); michael@0: fprintf(stderr, michael@0: "\tRead a der-encoded cert from certfile or stdin, and output\n" michael@0: "\ta distrust record.\n" michael@0: "\t(-D is equivalent to -t p,p,p -c -h)\n"); michael@0: fprintf(stderr, "%s -C -e crl-entry-number -n label [-i crlfile]\n", progName); michael@0: fprintf(stderr, michael@0: "\tRead a CRL from crlfile or stdin, and output\n" michael@0: "\ta distrust record (issuer+serial).\n" michael@0: "\t(-C implies -c -h)\n"); michael@0: fprintf(stderr, "%-15s trust flags (cCTpPuw).\n", "-t trust"); michael@0: fprintf(stderr, "%-15s nickname to assign to builtin cert, or\n", michael@0: "-n nickname"); michael@0: fprintf(stderr, "%-15s a label for the distrust record.\n", ""); michael@0: fprintf(stderr, "%-15s exclude the certificate (only add a trust record)\n", "-c"); michael@0: fprintf(stderr, "%-15s exclude hash from trust record\n", "-h"); michael@0: fprintf(stderr, "%-15s (useful to distrust any matching issuer/serial)\n", ""); michael@0: fprintf(stderr, "%-15s (not allowed when adding positive trust)\n", ""); michael@0: fprintf(stderr, "%-15s a CRL entry number, as shown by \"crlutil -S\"\n", "-e"); michael@0: fprintf(stderr, "%-15s input file to read (default stdin)\n", "-i file"); michael@0: fprintf(stderr, "%-15s (pipe through atob if the cert is b64-encoded)\n", ""); michael@0: exit(-1); michael@0: } michael@0: michael@0: enum { michael@0: opt_Input = 0, michael@0: opt_Nickname, michael@0: opt_Trust, michael@0: opt_Distrust, michael@0: opt_ExcludeCert, michael@0: opt_ExcludeHash, michael@0: opt_DistrustCRL, michael@0: opt_CRLEnry michael@0: }; michael@0: michael@0: static secuCommandFlag addbuiltin_options[] = michael@0: { michael@0: { /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE }, michael@0: { /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE }, michael@0: { /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE }, michael@0: { /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE }, michael@0: { /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE }, michael@0: { /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE }, michael@0: { /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE }, michael@0: { /* opt_CRLEnry */ 'e', PR_TRUE, 0, PR_FALSE }, michael@0: }; michael@0: michael@0: int main(int argc, char **argv) michael@0: { michael@0: SECStatus rv; michael@0: char *nickname = NULL; michael@0: char *trusts = NULL; michael@0: char *progName; michael@0: PRFileDesc *infile; michael@0: CERTCertTrust trust = { 0 }; michael@0: SECItem derItem = { 0 }; michael@0: PRInt32 crlentry = 0; michael@0: PRInt32 mutuallyExclusiveOpts = 0; michael@0: PRBool decodeTrust = PR_FALSE; michael@0: michael@0: secuCommand addbuiltin = { 0 }; michael@0: addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag); michael@0: addbuiltin.options = addbuiltin_options; michael@0: michael@0: progName = strrchr(argv[0], '/'); michael@0: progName = progName ? progName+1 : argv[0]; michael@0: michael@0: rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin); michael@0: michael@0: if (rv != SECSuccess) michael@0: Usage(progName); michael@0: michael@0: if (addbuiltin.options[opt_Trust].activated) michael@0: ++mutuallyExclusiveOpts; michael@0: if (addbuiltin.options[opt_Distrust].activated) michael@0: ++mutuallyExclusiveOpts; michael@0: if (addbuiltin.options[opt_DistrustCRL].activated) michael@0: ++mutuallyExclusiveOpts; michael@0: michael@0: if (mutuallyExclusiveOpts != 1) { michael@0: fprintf(stderr, "%s: you must specify exactly one of -t or -D or -C\n", michael@0: progName); michael@0: Usage(progName); michael@0: } michael@0: michael@0: if (addbuiltin.options[opt_DistrustCRL].activated) { michael@0: if (!addbuiltin.options[opt_CRLEnry].activated) { michael@0: fprintf(stderr, "%s: you must specify the CRL entry number.\n", michael@0: progName); michael@0: Usage(progName); michael@0: } michael@0: else { michael@0: crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg); michael@0: if (crlentry < 1) { michael@0: fprintf(stderr, "%s: The CRL entry number must be > 0.\n", michael@0: progName); michael@0: Usage(progName); michael@0: } michael@0: } michael@0: } michael@0: michael@0: if (!addbuiltin.options[opt_Nickname].activated) { michael@0: fprintf(stderr, "%s: you must specify parameter -n (a nickname or a label).\n", michael@0: progName); michael@0: Usage(progName); michael@0: } michael@0: michael@0: if (addbuiltin.options[opt_Input].activated) { michael@0: infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660); michael@0: if (!infile) { michael@0: fprintf(stderr, "%s: failed to open input file.\n", progName); michael@0: exit(1); michael@0: } michael@0: } else { michael@0: #if defined(WIN32) michael@0: /* If we're going to read binary data from stdin, we must put stdin michael@0: ** into O_BINARY mode or else incoming \r\n's will become \n's, michael@0: ** and latin-1 characters will be altered. michael@0: */ michael@0: michael@0: int smrv = _setmode(_fileno(stdin), _O_BINARY); michael@0: if (smrv == -1) { michael@0: fprintf(stderr, michael@0: "%s: Cannot change stdin to binary mode. Use -i option instead.\n", michael@0: progName); michael@0: exit(1); michael@0: } michael@0: #endif michael@0: infile = PR_STDIN; michael@0: } michael@0: michael@0: #if defined(WIN32) michael@0: /* We must put stdout into O_BINARY mode or else the output will include michael@0: ** carriage returns. michael@0: */ michael@0: { michael@0: int smrv = _setmode(_fileno(stdout), _O_BINARY); michael@0: if (smrv == -1) { michael@0: fprintf(stderr, "%s: Cannot change stdout to binary mode.\n", progName); michael@0: exit(1); michael@0: } michael@0: } michael@0: #endif michael@0: michael@0: nickname = strdup(addbuiltin.options[opt_Nickname].arg); michael@0: michael@0: NSS_NoDB_Init(NULL); michael@0: michael@0: if (addbuiltin.options[opt_Distrust].activated || michael@0: addbuiltin.options[opt_DistrustCRL].activated) { michael@0: addbuiltin.options[opt_ExcludeCert].activated = PR_TRUE; michael@0: addbuiltin.options[opt_ExcludeHash].activated = PR_TRUE; michael@0: } michael@0: michael@0: if (addbuiltin.options[opt_Distrust].activated) { michael@0: trusts = strdup("p,p,p"); michael@0: decodeTrust = PR_TRUE; michael@0: } michael@0: else if (addbuiltin.options[opt_Trust].activated) { michael@0: trusts = strdup(addbuiltin.options[opt_Trust].arg); michael@0: decodeTrust = PR_TRUE; michael@0: } michael@0: michael@0: if (decodeTrust) { michael@0: rv = CERT_DecodeTrustString(&trust, trusts); michael@0: if (rv) { michael@0: fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName); michael@0: Usage(progName); michael@0: } michael@0: } michael@0: michael@0: if (addbuiltin.options[opt_Trust].activated && michael@0: addbuiltin.options[opt_ExcludeHash].activated) { michael@0: if ((trust.sslFlags | trust.emailFlags | trust.objectSigningFlags) michael@0: != CERTDB_TERMINAL_RECORD) { michael@0: fprintf(stderr, "%s: Excluding the hash only allowed with distrust.\n", progName); michael@0: Usage(progName); michael@0: } michael@0: } michael@0: michael@0: SECU_FileToItem(&derItem, infile); michael@0: michael@0: /*printheader();*/ michael@0: michael@0: if (addbuiltin.options[opt_DistrustCRL].activated) { michael@0: rv = ConvertCRLEntry(&derItem, crlentry, nickname); michael@0: } michael@0: else { michael@0: rv = ConvertCertificate(&derItem, nickname, &trust, michael@0: addbuiltin.options[opt_ExcludeCert].activated, michael@0: addbuiltin.options[opt_ExcludeHash].activated); michael@0: if (rv) { michael@0: fprintf(stderr, "%s: failed to convert certificate.\n", progName); michael@0: exit(1); michael@0: } michael@0: } michael@0: michael@0: if (NSS_Shutdown() != SECSuccess) { michael@0: exit(1); michael@0: } michael@0: michael@0: return(SECSuccess); michael@0: }