michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0:  * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0:  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0: 
michael@0: /*
michael@0: ** certutil.c
michael@0: **
michael@0: ** utility for managing certificates and the cert database
michael@0: **
michael@0: */
michael@0: /* test only */
michael@0: 
michael@0: #include "nspr.h"
michael@0: #include "plgetopt.h"
michael@0: #include "secutil.h"
michael@0: #include "cert.h"
michael@0: #include "certi.h"
michael@0: #include "certdb.h"
michael@0: #include "nss.h"
michael@0: #include "pk11func.h"
michael@0: #include "crlgen.h"
michael@0: 
michael@0: #define SEC_CERT_DB_EXISTS 0
michael@0: #define SEC_CREATE_CERT_DB 1
michael@0: 
michael@0: static char *progName;
michael@0: 
michael@0: static CERTSignedCrl *FindCRL
michael@0:    (CERTCertDBHandle *certHandle, char *name, int type)
michael@0: {
michael@0:     CERTSignedCrl *crl = NULL;    
michael@0:     CERTCertificate *cert = NULL;
michael@0:     SECItem derName;
michael@0: 
michael@0:     derName.data = NULL;
michael@0:     derName.len = 0;
michael@0: 
michael@0:     cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, name);
michael@0:     if (!cert) {
michael@0:         CERTName *certName = NULL;
michael@0:         PLArenaPool *arena = NULL;
michael@0:     
michael@0:         certName = CERT_AsciiToName(name);
michael@0:         if (certName) {
michael@0:             arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
michael@0:             if (arena) {
michael@0:                 SECItem *nameItem = 
michael@0:                     SEC_ASN1EncodeItem (arena, NULL, (void *)certName,
michael@0:                                         SEC_ASN1_GET(CERT_NameTemplate));
michael@0:                 if (nameItem) {
michael@0:                     SECITEM_CopyItem(NULL, &derName, nameItem);
michael@0:                 }
michael@0:                 PORT_FreeArena(arena, PR_FALSE);
michael@0:             }
michael@0:             CERT_DestroyName(certName);
michael@0:         }
michael@0: 
michael@0:         if (!derName.len || !derName.data) {
michael@0:             SECU_PrintError(progName, "could not find certificate named '%s'", name);
michael@0:             return ((CERTSignedCrl *)NULL);
michael@0:         }
michael@0:     } else {
michael@0:         SECITEM_CopyItem(NULL, &derName, &cert->derSubject);
michael@0:         CERT_DestroyCertificate (cert);
michael@0:     }
michael@0:  
michael@0:     crl = SEC_FindCrlByName(certHandle, &derName, type);
michael@0:     if (crl ==NULL) 
michael@0: 	SECU_PrintError
michael@0: 		(progName, "could not find %s's CRL", name);
michael@0:     if (derName.data) {
michael@0:         SECITEM_FreeItem(&derName, PR_FALSE);
michael@0:     }
michael@0:     return (crl);
michael@0: }
michael@0: 
michael@0: static SECStatus DisplayCRL (CERTCertDBHandle *certHandle, char *nickName, int crlType)
michael@0: {
michael@0:     CERTSignedCrl *crl = NULL;
michael@0: 
michael@0:     crl = FindCRL (certHandle, nickName, crlType);
michael@0: 	
michael@0:     if (crl) {
michael@0: 	SECU_PrintCRLInfo (stdout, &crl->crl, "CRL Info:\n", 0);
michael@0: 	SEC_DestroyCrl (crl);
michael@0: 	return SECSuccess;
michael@0:     }
michael@0:     return SECFailure;
michael@0: }
michael@0: 
michael@0: static void ListCRLNames (CERTCertDBHandle *certHandle, int crlType, PRBool deletecrls)
michael@0: {
michael@0:     CERTCrlHeadNode *crlList = NULL;
michael@0:     CERTCrlNode *crlNode = NULL;
michael@0:     CERTName *name = NULL;
michael@0:     PLArenaPool *arena = NULL;
michael@0:     SECStatus rv;
michael@0: 
michael@0:     do {
michael@0: 	arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
michael@0: 	if (arena == NULL) {
michael@0: 	    fprintf(stderr, "%s: fail to allocate memory\n", progName);
michael@0: 	    break;
michael@0: 	}
michael@0: 	
michael@0: 	name = PORT_ArenaZAlloc (arena, sizeof(*name));
michael@0: 	if (name == NULL) {
michael@0: 	    fprintf(stderr, "%s: fail to allocate memory\n", progName);
michael@0: 	    break;
michael@0: 	}
michael@0: 	name->arena = arena;
michael@0: 	    
michael@0: 	rv = SEC_LookupCrls (certHandle, &crlList, crlType);
michael@0: 	if (rv != SECSuccess) {
michael@0: 	    fprintf(stderr, "%s: fail to look up CRLs (%s)\n", progName,
michael@0: 	    SECU_Strerror(PORT_GetError()));
michael@0: 	    break;
michael@0: 	}
michael@0: 	
michael@0: 	/* just in case */
michael@0: 	if (!crlList)
michael@0: 	    break;
michael@0: 
michael@0: 	crlNode  = crlList->first;
michael@0: 
michael@0:         fprintf (stdout, "\n");
michael@0: 	fprintf (stdout, "\n%-40s %-5s\n\n", "CRL names", "CRL Type");
michael@0: 	while (crlNode) {
michael@0: 	    char* asciiname = NULL;
michael@0: 	    CERTCertificate *cert = NULL;
michael@0: 	    if (crlNode->crl && &crlNode->crl->crl.derName) {
michael@0: 	        cert = CERT_FindCertByName(certHandle,
michael@0: 	                                   &crlNode->crl->crl.derName);
michael@0: 	        if (!cert) {
michael@0: 	            SECU_PrintError(progName, "could not find signing "
michael@0: 	                         "certificate in database");
michael@0: 	        }
michael@0: 	    }
michael@0: 	    if (cert) {
michael@0: 	        char* certName = NULL;
michael@0:                  if (cert->nickname && PORT_Strlen(cert->nickname) > 0) {
michael@0: 	            certName = cert->nickname;
michael@0: 	        } else if (cert->emailAddr && PORT_Strlen(cert->emailAddr) > 0) {
michael@0: 	            certName = cert->emailAddr;
michael@0: 	        }
michael@0: 	        if (certName) {
michael@0: 	            asciiname = PORT_Strdup(certName);
michael@0: 	        }
michael@0: 	        CERT_DestroyCertificate(cert);
michael@0: 	    }
michael@0:                 
michael@0: 	    if (!asciiname) {
michael@0: 	        name = &crlNode->crl->crl.name;
michael@0: 	        if (!name){
michael@0: 	            SECU_PrintError(progName, "fail to get the CRL "
michael@0: 	                           "issuer name");
michael@0: 	            continue;
michael@0: 	        }
michael@0: 	        asciiname = CERT_NameToAscii(name);
michael@0: 	    }
michael@0: 	    fprintf (stdout, "%-40s %-5s\n", asciiname, "CRL");
michael@0: 	    if (asciiname) {
michael@0: 		PORT_Free(asciiname);
michael@0: 	    }
michael@0:             if ( PR_TRUE == deletecrls) {
michael@0:                 CERTSignedCrl* acrl = NULL;
michael@0:                 SECItem* issuer = &crlNode->crl->crl.derName;
michael@0:                 acrl = SEC_FindCrlByName(certHandle, issuer, crlType);
michael@0:                 if (acrl)
michael@0:                 {
michael@0:                     SEC_DeletePermCRL(acrl);
michael@0:                     SEC_DestroyCrl(acrl);
michael@0:                 }
michael@0:             }
michael@0:             crlNode = crlNode->next;
michael@0: 	} 
michael@0: 	
michael@0:     } while (0);
michael@0:     if (crlList)
michael@0: 	PORT_FreeArena (crlList->arena, PR_FALSE);
michael@0:     PORT_FreeArena (arena, PR_FALSE);
michael@0: }
michael@0: 
michael@0: static SECStatus ListCRL (CERTCertDBHandle *certHandle, char *nickName, int crlType)
michael@0: {
michael@0:     if (nickName == NULL) {
michael@0: 	ListCRLNames (certHandle, crlType, PR_FALSE);
michael@0: 	return SECSuccess;
michael@0:     } 
michael@0: 
michael@0:     return DisplayCRL (certHandle, nickName, crlType);
michael@0: }
michael@0: 
michael@0: 
michael@0: 
michael@0: static SECStatus DeleteCRL (CERTCertDBHandle *certHandle, char *name, int type)
michael@0: {
michael@0:     CERTSignedCrl *crl = NULL;    
michael@0:     SECStatus rv = SECFailure;
michael@0: 
michael@0:     crl = FindCRL (certHandle, name, type);
michael@0:     if (!crl) {
michael@0: 	SECU_PrintError
michael@0: 		(progName, "could not find the issuer %s's CRL", name);
michael@0: 	return SECFailure;
michael@0:     }
michael@0:     rv = SEC_DeletePermCRL (crl);
michael@0:     SEC_DestroyCrl(crl);
michael@0:     if (rv != SECSuccess) {
michael@0: 	SECU_PrintError(progName, "fail to delete the issuer %s's CRL "
michael@0: 	                "from the perm database (reason: %s)",
michael@0: 	                name, SECU_Strerror(PORT_GetError()));
michael@0: 	return SECFailure;
michael@0:     }
michael@0:     return (rv);
michael@0: }
michael@0: 
michael@0: SECStatus ImportCRL (CERTCertDBHandle *certHandle, char *url, int type, 
michael@0:                      PRFileDesc *inFile, PRInt32 importOptions, PRInt32 decodeOptions,
michael@0:                      secuPWData *pwdata)
michael@0: {
michael@0:     CERTSignedCrl *crl = NULL;
michael@0:     SECItem crlDER;
michael@0:     PK11SlotInfo* slot = NULL;
michael@0:     int rv;
michael@0: #if defined(DEBUG_jp96085)
michael@0:     PRIntervalTime starttime, endtime, elapsed;
michael@0:     PRUint32 mins, secs, msecs;
michael@0: #endif
michael@0: 
michael@0:     crlDER.data = NULL;
michael@0: 
michael@0: 
michael@0:     /* Read in the entire file specified with the -f argument */
michael@0:     rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
michael@0:     if (rv != SECSuccess) {
michael@0: 	SECU_PrintError(progName, "unable to read input file");
michael@0: 	return (SECFailure);
michael@0:     }
michael@0: 
michael@0:     decodeOptions |= CRL_DECODE_DONT_COPY_DER;
michael@0: 
michael@0:     slot = PK11_GetInternalKeySlot();
michael@0: 
michael@0:     if (PK11_NeedLogin(slot)) {
michael@0: 	rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
michael@0:     if (rv != SECSuccess)
michael@0: 	goto loser;
michael@0:     }
michael@0:  
michael@0: #if defined(DEBUG_jp96085)
michael@0:     starttime = PR_IntervalNow();
michael@0: #endif
michael@0:     crl = PK11_ImportCRL(slot, &crlDER, url, type,
michael@0:           NULL, importOptions, NULL, decodeOptions);
michael@0: #if defined(DEBUG_jp96085)
michael@0:     endtime = PR_IntervalNow();
michael@0:     elapsed = endtime - starttime;
michael@0:     mins = PR_IntervalToSeconds(elapsed) / 60;
michael@0:     secs = PR_IntervalToSeconds(elapsed) % 60;
michael@0:     msecs = PR_IntervalToMilliseconds(elapsed) % 1000;
michael@0:     printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs);
michael@0: #endif
michael@0:     if (!crl) {
michael@0: 	const char *errString;
michael@0: 
michael@0: 	rv = SECFailure;
michael@0: 	errString = SECU_Strerror(PORT_GetError());
michael@0: 	if ( errString && PORT_Strlen (errString) == 0)
michael@0: 	    SECU_PrintError (progName, 
michael@0: 	        "CRL is not imported (error: input CRL is not up to date.)");
michael@0: 	else    
michael@0: 	    SECU_PrintError (progName, "unable to import CRL");
michael@0:     } else {
michael@0: 	SEC_DestroyCrl (crl);
michael@0:     }
michael@0:   loser:
michael@0:     if (slot) {
michael@0:         PK11_FreeSlot(slot);
michael@0:     }
michael@0:     return (rv);
michael@0: }
michael@0: 
michael@0: SECStatus DumpCRL(PRFileDesc *inFile)
michael@0: {
michael@0:     int rv;
michael@0:     PLArenaPool *arena = NULL;
michael@0:     CERTSignedCrl *newCrl = NULL;
michael@0:     
michael@0:     SECItem crlDER;
michael@0:     crlDER.data = NULL;
michael@0: 
michael@0:     /* Read in the entire file specified with the -f argument */
michael@0:     rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
michael@0:     if (rv != SECSuccess) {
michael@0: 	SECU_PrintError(progName, "unable to read input file");
michael@0: 	return (SECFailure);
michael@0:     }
michael@0:     
michael@0:     rv = SEC_ERROR_NO_MEMORY;
michael@0:     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
michael@0:     if (!arena)
michael@0:     	return rv;
michael@0: 
michael@0:     newCrl = CERT_DecodeDERCrlWithFlags(arena, &crlDER, SEC_CRL_TYPE,
michael@0: 					CRL_DECODE_DEFAULT_OPTIONS);
michael@0:     if (!newCrl)
michael@0:     	return SECFailure;
michael@0:     
michael@0:     SECU_PrintCRLInfo (stdout, &newCrl->crl, "CRL file contents", 0);
michael@0:     
michael@0:     PORT_FreeArena (arena, PR_FALSE);
michael@0:     return rv;
michael@0: }
michael@0: 
michael@0: static CERTCertificate*
michael@0: FindSigningCert(CERTCertDBHandle *certHandle, CERTSignedCrl *signCrl,
michael@0:                 char *certNickName)
michael@0: {                   
michael@0:     CERTCertificate *cert = NULL, *certTemp = NULL;
michael@0:     SECStatus rv = SECFailure;
michael@0:     CERTAuthKeyID* authorityKeyID = NULL;
michael@0:     SECItem* subject = NULL;
michael@0: 
michael@0:     PORT_Assert(certHandle != NULL);
michael@0:     if (!certHandle || (!signCrl && !certNickName)) {
michael@0:         SECU_PrintError(progName, "invalid args for function "
michael@0:                         "FindSigningCert \n");
michael@0:         return NULL;
michael@0:     }
michael@0: 
michael@0:     if (signCrl) {
michael@0: #if 0
michael@0:         authorityKeyID = SECU_FindCRLAuthKeyIDExten(tmpArena, scrl);
michael@0: #endif
michael@0:         subject = &signCrl->crl.derName;
michael@0:     } else {
michael@0:         certTemp = CERT_FindCertByNickname(certHandle, certNickName);
michael@0:         if (!certTemp) {
michael@0:             SECU_PrintError(progName, "could not find certificate \"%s\" "
michael@0:                             "in database", certNickName);
michael@0:             goto loser;
michael@0:         }
michael@0:         subject = &certTemp->derSubject;
michael@0:     }
michael@0: 
michael@0:     cert = SECU_FindCrlIssuer(certHandle, subject, authorityKeyID, PR_Now());
michael@0:     if (!cert) {
michael@0:         SECU_PrintError(progName, "could not find signing certificate "
michael@0:                         "in database");
michael@0:         goto loser;
michael@0:     } else {
michael@0:         rv = SECSuccess;
michael@0:     }
michael@0: 
michael@0:   loser:
michael@0:     if (certTemp)
michael@0:         CERT_DestroyCertificate(certTemp);
michael@0:     if (cert && rv != SECSuccess)
michael@0:         CERT_DestroyCertificate(cert);
michael@0:     return cert;
michael@0: }
michael@0: 
michael@0: static CERTSignedCrl*
michael@0: CreateModifiedCRLCopy(PLArenaPool *arena, CERTCertDBHandle *certHandle,
michael@0:                 CERTCertificate **cert, char *certNickName,
michael@0:                 PRFileDesc *inFile, PRInt32 decodeOptions,
michael@0:                 PRInt32 importOptions)
michael@0: {
michael@0:     SECItem crlDER = {0, NULL, 0};
michael@0:     CERTSignedCrl *signCrl = NULL;
michael@0:     CERTSignedCrl *modCrl = NULL;
michael@0:     PLArenaPool *modArena = NULL;
michael@0:     SECStatus rv = SECSuccess;
michael@0: 
michael@0:     if (!arena || !certHandle || !certNickName) {
michael@0:         PORT_SetError(SEC_ERROR_INVALID_ARGS);
michael@0:         SECU_PrintError(progName, "CreateModifiedCRLCopy: invalid args\n");
michael@0:         return NULL;
michael@0:     }
michael@0: 
michael@0:     modArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
michael@0:     if (!modArena) {
michael@0:         SECU_PrintError(progName, "fail to allocate memory\n");
michael@0:         return NULL;
michael@0:     }
michael@0:     
michael@0:     if (inFile != NULL) {
michael@0:         rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
michael@0:         if (rv != SECSuccess) {
michael@0:             SECU_PrintError(progName, "unable to read input file");
michael@0:             PORT_FreeArena(modArena, PR_FALSE);
michael@0:             goto loser;
michael@0:         }
michael@0:         
michael@0:         decodeOptions |= CRL_DECODE_DONT_COPY_DER;
michael@0:         
michael@0:         modCrl = CERT_DecodeDERCrlWithFlags(modArena, &crlDER, SEC_CRL_TYPE,
michael@0:                                             decodeOptions);
michael@0:         if (!modCrl) {
michael@0:             SECU_PrintError(progName, "fail to decode CRL");
michael@0:             goto loser;
michael@0:         }
michael@0:         
michael@0:         if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)){
michael@0:             /* If caCert is a v2 certificate, make sure that it
michael@0:              * can be used for crl signing purpose */
michael@0:             *cert = FindSigningCert(certHandle, modCrl, NULL);
michael@0:             if (!*cert) {
michael@0:                 goto loser;
michael@0:             }
michael@0: 
michael@0:             rv = CERT_VerifySignedData(&modCrl->signatureWrap, *cert,
michael@0:                                        PR_Now(), NULL);
michael@0:             if (rv != SECSuccess) {
michael@0:                 SECU_PrintError(progName, "fail to verify signed data\n");
michael@0:                 goto loser;
michael@0:             }
michael@0:         }
michael@0:     } else {
michael@0:         modCrl = FindCRL(certHandle, certNickName, SEC_CRL_TYPE);
michael@0:         if (!modCrl) {
michael@0:             SECU_PrintError(progName, "fail to find crl %s in database\n",
michael@0:                             certNickName);
michael@0:             goto loser;
michael@0:         }
michael@0:     }
michael@0: 
michael@0:     signCrl = PORT_ArenaZNew(arena, CERTSignedCrl);
michael@0:     if (signCrl == NULL) {
michael@0:         SECU_PrintError(progName, "fail to allocate memory\n");
michael@0:         goto loser;
michael@0:     }
michael@0: 
michael@0:     rv = SECU_CopyCRL(arena, &signCrl->crl, &modCrl->crl);
michael@0:     if (rv != SECSuccess) {
michael@0:         SECU_PrintError(progName, "unable to dublicate crl for "
michael@0:                         "modification.");
michael@0:         goto loser;
michael@0:     }  
michael@0: 
michael@0:     /* Make sure the update time is current. It can be modified later
michael@0:      * by "update <time>" command from crl generation script */
michael@0:     rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now());
michael@0:     if (rv != SECSuccess) {
michael@0:         SECU_PrintError(progName, "fail to encode current time\n");
michael@0:         goto loser;
michael@0:     }
michael@0: 
michael@0:     signCrl->arena = arena;
michael@0: 
michael@0:   loser:
michael@0:     if (crlDER.data) {
michael@0:         SECITEM_FreeItem(&crlDER, PR_FALSE);
michael@0:     }
michael@0:     if (modCrl)
michael@0:         SEC_DestroyCrl(modCrl);
michael@0:     if (rv != SECSuccess && signCrl) {
michael@0:         SEC_DestroyCrl(signCrl);
michael@0:         signCrl = NULL;
michael@0:     }
michael@0:     return signCrl;
michael@0: }
michael@0: 
michael@0: 
michael@0: static CERTSignedCrl*
michael@0: CreateNewCrl(PLArenaPool *arena, CERTCertDBHandle *certHandle,
michael@0:              CERTCertificate *cert)
michael@0: { 
michael@0:     CERTSignedCrl *signCrl = NULL;
michael@0:     void *dummy = NULL;
michael@0:     SECStatus rv;
michael@0:     void* mark = NULL;
michael@0: 
michael@0:     /* if the CERTSignedCrl structure changes, this function will need to be
michael@0:        updated as well */
michael@0:     if (!cert || !arena) {
michael@0:         PORT_SetError(SEC_ERROR_INVALID_ARGS);
michael@0:         SECU_PrintError(progName, "invalid args for function "
michael@0:                         "CreateNewCrl\n");
michael@0:         return NULL;
michael@0:     }
michael@0: 
michael@0:     mark = PORT_ArenaMark(arena);
michael@0:         
michael@0:     signCrl = PORT_ArenaZNew(arena, CERTSignedCrl);
michael@0:     if (signCrl == NULL) {
michael@0:         SECU_PrintError(progName, "fail to allocate memory\n");
michael@0:         return NULL;
michael@0:     }
michael@0: 
michael@0:     dummy = SEC_ASN1EncodeInteger(arena, &signCrl->crl.version,
michael@0:                                   SEC_CRL_VERSION_2);
michael@0:     /* set crl->version */
michael@0:     if (!dummy) {
michael@0:         SECU_PrintError(progName, "fail to create crl version data "
michael@0:                         "container\n");
michael@0:         goto loser;
michael@0:     }
michael@0:     
michael@0:     /* copy SECItem name from cert */
michael@0:     rv = SECITEM_CopyItem(arena, &signCrl->crl.derName, &cert->derSubject);
michael@0:     if (rv != SECSuccess) {
michael@0:         SECU_PrintError(progName, "fail to duplicate der name from "
michael@0:                         "certificate.\n");
michael@0:         goto loser;
michael@0:     }
michael@0:         
michael@0:     /* copy CERTName name structure from cert issuer */
michael@0:     rv = CERT_CopyName (arena, &signCrl->crl.name, &cert->subject);
michael@0:     if (rv != SECSuccess) {
michael@0:         SECU_PrintError(progName, "fail to duplicate RD name from "
michael@0:                         "certificate.\n");
michael@0:         goto loser;
michael@0:     }
michael@0: 
michael@0:     rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now());
michael@0:     if (rv != SECSuccess) {
michael@0:         SECU_PrintError(progName, "fail to encode current time\n");
michael@0:         goto loser;
michael@0:     }
michael@0: 
michael@0:     /* set fields */
michael@0:     signCrl->arena = arena;
michael@0:     signCrl->dbhandle = certHandle;
michael@0:     signCrl->crl.arena = arena;
michael@0: 
michael@0:     return signCrl;
michael@0: 
michael@0:   loser:
michael@0:     PORT_ArenaRelease(arena, mark);
michael@0:     return NULL;
michael@0: }
michael@0: 
michael@0: 
michael@0: static SECStatus
michael@0: UpdateCrl(CERTSignedCrl *signCrl, PRFileDesc *inCrlInitFile)
michael@0: {
michael@0:     CRLGENGeneratorData *crlGenData = NULL;
michael@0:     SECStatus rv;
michael@0:     
michael@0:     if (!signCrl || !inCrlInitFile) {
michael@0:         PORT_SetError(SEC_ERROR_INVALID_ARGS);
michael@0:         SECU_PrintError(progName, "invalid args for function "
michael@0:                         "CreateNewCrl\n");
michael@0:         return SECFailure;
michael@0:     }
michael@0: 
michael@0:     crlGenData = CRLGEN_InitCrlGeneration(signCrl, inCrlInitFile);
michael@0:     if (!crlGenData) {
michael@0: 	SECU_PrintError(progName, "can not initialize parser structure.\n");
michael@0: 	return SECFailure;
michael@0:     }
michael@0: 
michael@0:     rv = CRLGEN_ExtHandleInit(crlGenData);
michael@0:     if (rv == SECFailure) {
michael@0: 	SECU_PrintError(progName, "can not initialize entries handle.\n");
michael@0: 	goto loser;
michael@0:     }
michael@0: 	
michael@0:     rv = CRLGEN_StartCrlGen(crlGenData);
michael@0:     if (rv != SECSuccess) {
michael@0: 	SECU_PrintError(progName, "crl generation failed");
michael@0: 	goto loser;
michael@0:     }
michael@0: 
michael@0:   loser:
michael@0:     /* CommitExtensionsAndEntries is partially responsible for freeing
michael@0:      * up memory that was used for CRL generation. Should be called regardless
michael@0:      * of previouse call status, but only after initialization of
michael@0:      * crlGenData was done. It will commit all changes that was done before
michael@0:      * an error has occurred.
michael@0:      */
michael@0:     if (SECSuccess != CRLGEN_CommitExtensionsAndEntries(crlGenData)) {
michael@0:         SECU_PrintError(progName, "crl generation failed");
michael@0:         rv = SECFailure;
michael@0:     }
michael@0:     CRLGEN_FinalizeCrlGeneration(crlGenData);    
michael@0:     return rv;
michael@0: }
michael@0: 
michael@0: static SECStatus
michael@0: SignAndStoreCrl(CERTSignedCrl *signCrl, CERTCertificate *cert,
michael@0:                 char *outFileName, SECOidTag hashAlgTag, int ascii,
michael@0:                 char *slotName, char *url, secuPWData *pwdata)
michael@0: {
michael@0:     PK11SlotInfo *slot = NULL;
michael@0:     PRFileDesc   *outFile = NULL;
michael@0:     SECStatus rv;
michael@0:     SignAndEncodeFuncExitStat errCode;
michael@0: 
michael@0:     PORT_Assert(signCrl && (!ascii || outFileName));
michael@0:     if (!signCrl || (ascii && !outFileName)) {
michael@0:         SECU_PrintError(progName, "invalid args for function "
michael@0:                         "SignAndStoreCrl\n");
michael@0:         return SECFailure;
michael@0:     }
michael@0: 
michael@0:     if (!slotName || !PL_strcmp(slotName, "internal"))
michael@0: 	slot = PK11_GetInternalKeySlot();
michael@0:     else
michael@0: 	slot = PK11_FindSlotByName(slotName);
michael@0:     if (!slot) {
michael@0: 	SECU_PrintError(progName, "can not find requested slot");
michael@0: 	return SECFailure;
michael@0:     }
michael@0: 
michael@0:     if (PK11_NeedLogin(slot)) {
michael@0:         rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
michael@0: 	if (rv != SECSuccess)
michael@0: 	    goto loser;
michael@0:     }
michael@0: 
michael@0:     rv = SECU_SignAndEncodeCRL(cert, signCrl, hashAlgTag, &errCode);
michael@0:     if (rv != SECSuccess) {
michael@0:         char* errMsg = NULL;
michael@0:         switch (errCode)
michael@0:         {
michael@0:             case noKeyFound:
michael@0:                 errMsg = "No private key found of signing cert";
michael@0:                 break;
michael@0: 
michael@0:             case noSignatureMatch:
michael@0:                 errMsg = "Key and Algorithm OId are do not match";
michael@0:                 break;
michael@0: 
michael@0:             default:
michael@0:             case failToEncode:
michael@0:                 errMsg = "Failed to encode crl structure";
michael@0:                 break;
michael@0: 
michael@0:             case failToSign:
michael@0:                 errMsg = "Failed to sign crl structure";
michael@0:                 break;
michael@0: 
michael@0:             case noMem:
michael@0:                 errMsg = "Can not allocate memory";
michael@0:                 break;
michael@0:         }
michael@0: 	SECU_PrintError(progName, "%s\n", errMsg);
michael@0: 	goto loser;
michael@0:     }
michael@0: 
michael@0:     if (outFileName) {
michael@0: 	outFile = PR_Open(outFileName, PR_WRONLY|PR_CREATE_FILE, PR_IRUSR | PR_IWUSR);
michael@0: 	if (!outFile) {
michael@0: 	    SECU_PrintError(progName, "unable to open \"%s\" for writing\n",
michael@0: 			    outFileName);
michael@0: 	    goto loser;
michael@0: 	}
michael@0:     }
michael@0: 
michael@0:     rv = SECU_StoreCRL(slot, signCrl->derCrl, outFile, ascii, url);
michael@0:     if (rv != SECSuccess) {
michael@0:         SECU_PrintError(progName, "fail to save CRL\n");
michael@0:     }
michael@0: 
michael@0:   loser:
michael@0:     if (outFile)
michael@0: 	PR_Close(outFile);
michael@0:     if (slot)
michael@0: 	PK11_FreeSlot(slot);
michael@0:     return rv;
michael@0: }
michael@0: 
michael@0: static SECStatus
michael@0: GenerateCRL (CERTCertDBHandle *certHandle, char *certNickName, 
michael@0: 	     PRFileDesc *inCrlInitFile,  PRFileDesc *inFile,
michael@0: 	     char *outFileName, int ascii, char *slotName,
michael@0: 	     PRInt32 importOptions, char *alg, PRBool quiet,
michael@0:              PRInt32 decodeOptions, char *url, secuPWData *pwdata,
michael@0:              int modifyFlag)
michael@0: {
michael@0:     CERTCertificate *cert = NULL;
michael@0:     CERTSignedCrl *signCrl = NULL;
michael@0:     PLArenaPool *arena = NULL;
michael@0:     SECStatus rv;
michael@0:     SECOidTag hashAlgTag = SEC_OID_UNKNOWN;
michael@0: 
michael@0:     if (alg) {
michael@0:         hashAlgTag = SECU_StringToSignatureAlgTag(alg);
michael@0:         if (hashAlgTag == SEC_OID_UNKNOWN) {
michael@0:             SECU_PrintError(progName, "%s -Z:  %s is not a recognized type.\n",
michael@0:                             progName, alg);
michael@0:             return SECFailure;
michael@0:         }
michael@0:     } else {
michael@0:         hashAlgTag = SEC_OID_UNKNOWN;
michael@0:     }
michael@0: 
michael@0:     arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
michael@0:     if (!arena) {
michael@0:         SECU_PrintError(progName, "fail to allocate memory\n");
michael@0:         return SECFailure;
michael@0:     }
michael@0: 
michael@0:     if (modifyFlag == PR_TRUE) {
michael@0:         signCrl = CreateModifiedCRLCopy(arena, certHandle, &cert, certNickName,
michael@0:                                          inFile, decodeOptions, importOptions);
michael@0:         if (signCrl == NULL) {
michael@0:             goto loser;
michael@0:         }
michael@0:     }
michael@0: 
michael@0:     if (!cert) {
michael@0:         cert = FindSigningCert(certHandle, signCrl, certNickName);
michael@0:         if (cert == NULL) {
michael@0:             goto loser;
michael@0:         }
michael@0:     }
michael@0: 
michael@0:     if (!signCrl) {
michael@0:         if (modifyFlag == PR_TRUE) {
michael@0:             if (!outFileName) {
michael@0:                 int len = strlen(certNickName) + 5;
michael@0:                 outFileName = PORT_ArenaAlloc(arena, len);
michael@0:                 PR_snprintf(outFileName, len, "%s.crl", certNickName);
michael@0:             }
michael@0:             SECU_PrintError(progName, "Will try to generate crl. "
michael@0:                             "It will be saved in file: %s",
michael@0:                             outFileName);
michael@0:         }
michael@0:         signCrl = CreateNewCrl(arena, certHandle, cert);
michael@0:         if (!signCrl)
michael@0:             goto loser;
michael@0:     }
michael@0: 
michael@0:     rv = UpdateCrl(signCrl, inCrlInitFile);
michael@0:     if (rv != SECSuccess) {
michael@0:         goto loser;
michael@0:     }
michael@0: 
michael@0:     rv = SignAndStoreCrl(signCrl, cert, outFileName, hashAlgTag, ascii,
michael@0:                          slotName, url, pwdata);
michael@0:     if (rv != SECSuccess) {
michael@0:         goto loser;
michael@0:     }
michael@0: 
michael@0:     if (signCrl && !quiet) {
michael@0: 	SECU_PrintCRLInfo (stdout, &signCrl->crl, "CRL Info:\n", 0);
michael@0:     }
michael@0: 
michael@0:   loser:
michael@0:     if (arena && (!signCrl || !signCrl->arena))
michael@0:         PORT_FreeArena (arena, PR_FALSE);
michael@0:     if (signCrl)
michael@0: 	SEC_DestroyCrl (signCrl);
michael@0:     if (cert)
michael@0: 	CERT_DestroyCertificate (cert);
michael@0:     return (rv);
michael@0: }
michael@0: 
michael@0: static void Usage(char *progName)
michael@0: {
michael@0:     fprintf(stderr,
michael@0: 	    "Usage:  %s -L [-n nickname] [-d keydir] [-P dbprefix] [-t crlType]\n"
michael@0: 	    "        %s -D -n nickname [-d keydir] [-P dbprefix]\n"
michael@0: 	    "        %s -S -i crl\n"
michael@0: 	    "        %s -I -i crl -t crlType [-u url] [-d keydir] [-P dbprefix] [-B] "
michael@0:             "[-p pwd-file] -w [pwd-string]\n"
michael@0: 	    "        %s -E -t crlType [-d keydir] [-P dbprefix]\n"
michael@0: 	    "        %s -T\n"
michael@0: 	    "        %s -G|-M -c crl-init-file -n nickname [-i crl] [-u url] "
michael@0:             "[-d keydir] [-P dbprefix] [-Z alg] ] [-p pwd-file] -w [pwd-string] "
michael@0:             "[-a] [-B]\n",
michael@0: 	    progName, progName, progName, progName, progName, progName, progName);
michael@0: 
michael@0:     fprintf (stderr, "%-15s List CRL\n", "-L");
michael@0:     fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n",
michael@0: 	    "-n nickname");
michael@0:     fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
michael@0: 	    "-d keydir");
michael@0:     fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
michael@0: 	    "-P dbprefix");
michael@0:    
michael@0:     fprintf (stderr, "%-15s Delete a CRL from the cert database\n", "-D");    
michael@0:     fprintf(stderr, "%-20s Specify the nickname for the CA certificate\n",
michael@0: 	    "-n nickname");
michael@0:     fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
michael@0:     fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
michael@0: 	    "-d keydir");
michael@0:     fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
michael@0: 	    "-P dbprefix");
michael@0: 
michael@0:     fprintf (stderr, "%-15s Erase all CRLs of specified type from hte cert database\n", "-E");
michael@0:     fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
michael@0:     fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
michael@0: 	    "-d keydir");
michael@0:     fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
michael@0: 	    "-P dbprefix");
michael@0:     
michael@0:     fprintf (stderr, "%-15s Show contents of a CRL file (without database)\n", "-S");
michael@0:     fprintf(stderr, "%-20s Specify the file which contains the CRL to show\n",
michael@0: 	    "-i crl");
michael@0: 
michael@0:     fprintf (stderr, "%-15s Import a CRL to the cert database\n", "-I");    
michael@0:     fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n",
michael@0: 	    "-i crl");
michael@0:     fprintf(stderr, "%-20s Specify the url.\n", "-u url");
michael@0:     fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
michael@0:     fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
michael@0: 	    "-d keydir");
michael@0:     fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
michael@0: 	    "-P dbprefix");
michael@0: #ifdef DEBUG
michael@0:     fprintf (stderr, "%-15s Test . Only for debugging purposes. See source code\n", "-T");
michael@0: #endif
michael@0:     fprintf(stderr, "%-20s CRL Types (default is SEC_CRL_TYPE):\n", " ");
michael@0:     fprintf(stderr, "%-20s \t 0 - SEC_KRL_TYPE\n", " ");
michael@0:     fprintf(stderr, "%-20s \t 1 - SEC_CRL_TYPE\n", " ");        
michael@0:     fprintf(stderr, "\n%-20s Bypass CA certificate checks.\n", "-B");
michael@0:     fprintf(stderr, "\n%-20s Partial decode for faster operation.\n", "-p");
michael@0:     fprintf(stderr, "%-20s Repeat the operation.\n", "-r <iterations>");
michael@0:     fprintf(stderr, "\n%-15s Create CRL\n", "-G");
michael@0:     fprintf(stderr, "%-15s Modify CRL\n", "-M");
michael@0:     fprintf(stderr, "%-20s Specify crl initialization file\n",
michael@0: 	    "-c crl-conf-file");
michael@0:     fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n",
michael@0: 	    "-n nickname");
michael@0:     fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n",
michael@0: 	    "-i crl");
michael@0:     fprintf(stderr, "%-20s Specify a CRL output file\n",
michael@0: 	    "-o crl-output-file");
michael@0:     fprintf(stderr, "%-20s Specify to use base64 encoded CRL output format\n",
michael@0: 	    "-a");
michael@0:     fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
michael@0: 	    "-d keydir");
michael@0:     fprintf(stderr, "%-20s Provide path to a default pwd file\n",
michael@0: 	    "-f pwd-file");
michael@0:     fprintf(stderr, "%-20s Provide db password in command line\n",
michael@0: 	    "-w pwd-string");
michael@0:     fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
michael@0: 	    "-P dbprefix");
michael@0:     fprintf(stderr, "%-20s Specify the url.\n", "-u url");
michael@0:     fprintf(stderr, "\n%-20s Bypass CA certificate checks.\n", "-B");
michael@0: 
michael@0:     exit(-1);
michael@0: }
michael@0: 
michael@0: int main(int argc, char **argv)
michael@0: {
michael@0:     CERTCertDBHandle *certHandle;
michael@0:     PRFileDesc *inFile;
michael@0:     PRFileDesc *inCrlInitFile = NULL;
michael@0:     int generateCRL;
michael@0:     int modifyCRL;
michael@0:     int listCRL;
michael@0:     int importCRL;
michael@0:     int showFileCRL;
michael@0:     int deleteCRL;
michael@0:     int rv;
michael@0:     char *nickName;
michael@0:     char *url;
michael@0:     char *dbPrefix = "";
michael@0:     char *alg = NULL;
michael@0:     char *outFile = NULL;
michael@0:     char *slotName = NULL;
michael@0:     int ascii = 0;
michael@0:     int crlType;
michael@0:     PLOptState *optstate;
michael@0:     PLOptStatus status;
michael@0:     SECStatus secstatus;
michael@0:     PRInt32 decodeOptions = CRL_DECODE_DEFAULT_OPTIONS;
michael@0:     PRInt32 importOptions = CRL_IMPORT_DEFAULT_OPTIONS;
michael@0:     PRBool quiet = PR_FALSE;
michael@0:     PRBool test = PR_FALSE;
michael@0:     PRBool erase = PR_FALSE;
michael@0:     PRInt32 i = 0;
michael@0:     PRInt32 iterations = 1;
michael@0:     PRBool readonly = PR_FALSE;
michael@0: 
michael@0:     secuPWData  pwdata          = { PW_NONE, 0 };
michael@0: 
michael@0:     progName = strrchr(argv[0], '/');
michael@0:     progName = progName ? progName+1 : argv[0];
michael@0: 
michael@0:     rv = 0;
michael@0:     deleteCRL = importCRL = listCRL = generateCRL = modifyCRL = showFileCRL = 0;
michael@0:     inFile = NULL;
michael@0:     nickName = url = NULL;
michael@0:     certHandle = NULL;
michael@0:     crlType = SEC_CRL_TYPE;
michael@0:     /*
michael@0:      * Parse command line arguments
michael@0:      */
michael@0:     optstate = PL_CreateOptState(argc, argv, "sqBCDGILMSTEP:f:d:i:h:n:p:t:u:r:aZ:o:c:");
michael@0:     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
michael@0: 	switch (optstate->option) {
michael@0: 	  case '?':
michael@0: 	    Usage(progName);
michael@0: 	    break;
michael@0: 
michael@0:           case 'T':
michael@0:             test = PR_TRUE;
michael@0:             break;
michael@0: 
michael@0:           case 'E':
michael@0:             erase = PR_TRUE;
michael@0:             break;
michael@0: 
michael@0: 	  case 'B':
michael@0:             importOptions |= CRL_IMPORT_BYPASS_CHECKS;
michael@0:             break;
michael@0: 
michael@0: 	  case 'G':
michael@0: 	    generateCRL = 1;
michael@0: 	    break;
michael@0: 
michael@0:           case 'M':
michael@0:             modifyCRL = 1;
michael@0:             break;
michael@0: 
michael@0: 	  case 'D':
michael@0: 	      deleteCRL = 1;
michael@0: 	      break;
michael@0: 
michael@0: 	  case 'I':
michael@0: 	      importCRL = 1;
michael@0: 	      break;
michael@0: 	      
michael@0: 	  case 'S':
michael@0: 	      showFileCRL = 1;
michael@0: 	      break;
michael@0: 	           
michael@0: 	  case 'C':
michael@0: 	  case 'L':
michael@0: 	      listCRL = 1;
michael@0: 	      break;
michael@0: 
michael@0: 	  case 'P':
michael@0:  	    dbPrefix = strdup(optstate->value);
michael@0:  	    break;
michael@0:               
michael@0: 	  case 'Z':
michael@0:               alg = strdup(optstate->value);
michael@0:               break;
michael@0:               
michael@0: 	  case 'a':
michael@0: 	      ascii = 1;
michael@0: 	      break;
michael@0: 
michael@0: 	  case 'c':
michael@0:               inCrlInitFile = PR_Open(optstate->value, PR_RDONLY, 0);
michael@0:               if (!inCrlInitFile) {
michael@0:                   PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
michael@0:                              progName, optstate->value);
michael@0:                   PL_DestroyOptState(optstate);
michael@0:                   return -1;
michael@0:               }
michael@0:               break;
michael@0: 	    
michael@0: 	  case 'd':
michael@0:               SECU_ConfigDirectory(optstate->value);
michael@0:               break;
michael@0: 
michael@0: 	  case 'f':
michael@0: 	      pwdata.source = PW_FROMFILE;
michael@0: 	      pwdata.data = strdup(optstate->value);
michael@0: 	      break;
michael@0: 
michael@0: 	  case 'h':
michael@0:               slotName = strdup(optstate->value);
michael@0:               break;
michael@0: 
michael@0: 	  case 'i':
michael@0: 	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
michael@0: 	    if (!inFile) {
michael@0: 		PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
michael@0: 			progName, optstate->value);
michael@0: 		PL_DestroyOptState(optstate);
michael@0: 		return -1;
michael@0: 	    }
michael@0: 	    break;
michael@0: 	    
michael@0: 	  case 'n':
michael@0: 	    nickName = strdup(optstate->value);
michael@0: 	    break;
michael@0: 
michael@0: 	  case 'o':
michael@0: 	    outFile = strdup(optstate->value);
michael@0: 	    break;
michael@0: 	    
michael@0: 	  case 'p':
michael@0: 	    decodeOptions |= CRL_DECODE_SKIP_ENTRIES;
michael@0: 	    break;
michael@0: 
michael@0: 	  case 'r': {
michael@0: 	    const char* str = optstate->value;
michael@0: 	    if (str && atoi(str)>0)
michael@0: 		iterations = atoi(str);
michael@0: 	    }
michael@0: 	    break;
michael@0: 	    
michael@0: 	  case 't': {
michael@0: 	    crlType = atoi(optstate->value);
michael@0: 	    if (crlType != SEC_CRL_TYPE && crlType != SEC_KRL_TYPE) {
michael@0: 		PR_fprintf(PR_STDERR, "%s: invalid crl type\n", progName);
michael@0: 		PL_DestroyOptState(optstate);
michael@0: 		return -1;
michael@0: 	    }
michael@0: 	    break;
michael@0: 
michael@0: 	  case 'q':
michael@0:             quiet = PR_TRUE;
michael@0: 	    break;
michael@0: 
michael@0: 	  case 'w':
michael@0: 	      pwdata.source = PW_PLAINTEXT;
michael@0: 	      pwdata.data = strdup(optstate->value);
michael@0: 	      break;
michael@0: 
michael@0: 	  case 'u':
michael@0: 	    url = strdup(optstate->value);
michael@0: 	    break;
michael@0: 
michael@0:           }
michael@0: 	}
michael@0:     }
michael@0:     PL_DestroyOptState(optstate);
michael@0: 
michael@0:     if (deleteCRL && !nickName) Usage (progName);
michael@0:     if (importCRL && !inFile) Usage (progName);
michael@0:     if (showFileCRL && !inFile) Usage (progName);
michael@0:     if ((generateCRL && !nickName) ||
michael@0:         (modifyCRL && !inFile && !nickName)) Usage (progName);
michael@0:     if (!(listCRL || deleteCRL || importCRL || showFileCRL || generateCRL ||
michael@0: 	  modifyCRL || test || erase)) Usage (progName);
michael@0: 
michael@0:     if (listCRL || showFileCRL) {
michael@0:         readonly = PR_TRUE;
michael@0:     }
michael@0:     
michael@0:     PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
michael@0: 
michael@0:     PK11_SetPasswordFunc(SECU_GetModulePassword);
michael@0: 
michael@0:     if (showFileCRL) {
michael@0: 	NSS_NoDB_Init(NULL);
michael@0:     }
michael@0:     else {
michael@0: 	secstatus = NSS_Initialize(SECU_ConfigDirectory(NULL), dbPrefix, dbPrefix,
michael@0: 				"secmod.db", readonly ? NSS_INIT_READONLY : 0);
michael@0: 	if (secstatus != SECSuccess) {
michael@0: 	    SECU_PrintPRandOSError(progName);
michael@0: 	    return -1;
michael@0: 	}
michael@0:     }
michael@0:     
michael@0:     SECU_RegisterDynamicOids();
michael@0: 
michael@0:     certHandle = CERT_GetDefaultCertDB();
michael@0:     if (certHandle == NULL) {
michael@0: 	SECU_PrintError(progName, "unable to open the cert db");	    	
michael@0: 	/*ignoring return value of NSS_Shutdown() as code returns -1*/
michael@0: 	(void) NSS_Shutdown();
michael@0: 	return (-1);
michael@0:     }
michael@0: 
michael@0:     CRLGEN_InitCrlGenParserLock();
michael@0: 
michael@0:     for (i=0; i<iterations; i++) {
michael@0: 	/* Read in the private key info */
michael@0: 	if (deleteCRL) 
michael@0: 	    DeleteCRL (certHandle, nickName, crlType);
michael@0: 	else if (listCRL) {
michael@0: 	    rv = ListCRL (certHandle, nickName, crlType);
michael@0: 	}
michael@0: 	else if (importCRL) {
michael@0: 	    rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
michael@0: 			    decodeOptions, &pwdata);
michael@0: 	}
michael@0: 	else if (showFileCRL) {
michael@0: 	    rv = DumpCRL (inFile);
michael@0: 	} else if (generateCRL || modifyCRL) {
michael@0: 	    if (!inCrlInitFile)
michael@0: 		inCrlInitFile = PR_STDIN;
michael@0: 	    rv = GenerateCRL (certHandle, nickName, inCrlInitFile,
michael@0: 			      inFile, outFile, ascii,  slotName,
michael@0: 			      importOptions, alg, quiet,
michael@0: 			      decodeOptions, url, &pwdata,
michael@0: 			      modifyCRL);
michael@0: 	}
michael@0: 	else if (erase) {
michael@0: 	    /* list and delete all CRLs */
michael@0: 	    ListCRLNames (certHandle, crlType, PR_TRUE);
michael@0: 	}
michael@0: #ifdef DEBUG
michael@0: 	else if (test) {
michael@0: 	    /* list and delete all CRLs */
michael@0: 	    ListCRLNames (certHandle, crlType, PR_TRUE);
michael@0: 	    /* list CRLs */
michael@0: 	    ListCRLNames (certHandle, crlType, PR_FALSE);
michael@0: 	    /* import CRL as a blob */
michael@0: 	    rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
michael@0: 			    decodeOptions, &pwdata);
michael@0: 	    /* list CRLs */
michael@0: 	    ListCRLNames (certHandle, crlType, PR_FALSE);
michael@0: 	}
michael@0: #endif    
michael@0:     }
michael@0: 
michael@0:     CRLGEN_DestroyCrlGenParserLock();
michael@0: 
michael@0:     if (NSS_Shutdown() != SECSuccess) {
michael@0:         rv = SECFailure;
michael@0:     }
michael@0: 
michael@0:     return (rv != SECSuccess);
michael@0: }