зеркало из https://github.com/mozilla/gecko-dev.git
546 строки
18 KiB
C
546 строки
18 KiB
C
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
/*
|
|
* Tool for converting builtin CA certs.
|
|
*/
|
|
|
|
#include "nssrenam.h"
|
|
#include "nss.h"
|
|
#include "cert.h"
|
|
#include "certdb.h"
|
|
#include "secutil.h"
|
|
#include "pk11func.h"
|
|
|
|
#if defined(WIN32)
|
|
#include <fcntl.h>
|
|
#include <io.h>
|
|
#endif
|
|
|
|
void dumpbytes(unsigned char *buf, int len)
|
|
{
|
|
int i;
|
|
for (i=0; i < len; i++) {
|
|
if ((i !=0) && ((i & 0xf) == 0)) {
|
|
printf("\n");
|
|
}
|
|
printf("\\%03o",buf[i]);
|
|
}
|
|
printf("\n");
|
|
}
|
|
|
|
char *getTrustString(unsigned int trust)
|
|
{
|
|
if (trust & CERTDB_TRUSTED) {
|
|
if (trust & CERTDB_TRUSTED_CA) {
|
|
return "CKT_NSS_TRUSTED_DELEGATOR";
|
|
} else {
|
|
return "CKT_NSS_TRUSTED";
|
|
}
|
|
} else {
|
|
if (trust & CERTDB_TRUSTED_CA) {
|
|
return "CKT_NSS_TRUSTED_DELEGATOR";
|
|
} else if (trust & CERTDB_VALID_CA) {
|
|
return "CKT_NSS_VALID_DELEGATOR";
|
|
} else if (trust & CERTDB_TERMINAL_RECORD) {
|
|
return "CKT_NSS_NOT_TRUSTED";
|
|
} else {
|
|
return "CKT_NSS_MUST_VERIFY_TRUST";
|
|
}
|
|
}
|
|
return "CKT_NSS_TRUST_UNKNOWN"; /* not reached */
|
|
}
|
|
|
|
static const SEC_ASN1Template serialTemplate[] = {
|
|
{ SEC_ASN1_INTEGER, offsetof(CERTCertificate,serialNumber) },
|
|
{ 0 }
|
|
};
|
|
|
|
void print_crl_info(CERTName *name, SECItem *serial)
|
|
{
|
|
PRBool saveWrapeState = SECU_GetWrapEnabled();
|
|
SECU_EnableWrap(PR_FALSE);
|
|
|
|
SECU_PrintNameQuotesOptional(stdout, name, "# Issuer", 0, PR_FALSE);
|
|
printf("\n");
|
|
|
|
SECU_PrintInteger(stdout, serial, "# Serial Number", 0);
|
|
|
|
SECU_EnableWrap(saveWrapeState);
|
|
}
|
|
|
|
static SECStatus
|
|
ConvertCRLEntry(SECItem *sdder, PRInt32 crlentry, char *nickname)
|
|
{
|
|
int rv;
|
|
PLArenaPool *arena = NULL;
|
|
CERTSignedCrl *newCrl = NULL;
|
|
CERTCrlEntry *entry;
|
|
|
|
CERTName *name = NULL;
|
|
SECItem *derName = NULL;
|
|
SECItem *serial = NULL;
|
|
|
|
rv = SEC_ERROR_NO_MEMORY;
|
|
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
|
if (!arena)
|
|
return rv;
|
|
|
|
newCrl = CERT_DecodeDERCrlWithFlags(arena, sdder, SEC_CRL_TYPE,
|
|
CRL_DECODE_DEFAULT_OPTIONS);
|
|
if (!newCrl)
|
|
return SECFailure;
|
|
|
|
name = &newCrl->crl.name;
|
|
derName = &newCrl->crl.derName;
|
|
|
|
if (newCrl->crl.entries != NULL) {
|
|
PRInt32 iv = 0;
|
|
while ((entry = newCrl->crl.entries[iv++]) != NULL) {
|
|
if (crlentry == iv) {
|
|
serial = &entry->serialNumber;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (!name || !derName || !serial)
|
|
return SECFailure;
|
|
|
|
printf("\n# Distrust \"%s\"\n",nickname);
|
|
print_crl_info(name, serial);
|
|
|
|
printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n");
|
|
printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
|
|
printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
|
|
printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
|
|
printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
|
|
|
|
printf("CKA_ISSUER MULTILINE_OCTAL\n");
|
|
dumpbytes(derName->data,derName->len);
|
|
printf("END\n");
|
|
printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
|
|
printf("\\002\\%03o", serial->len); /* 002: type integer; len >=3 digits */
|
|
dumpbytes(serial->data,serial->len);
|
|
printf("END\n");
|
|
|
|
printf("CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED\n");
|
|
printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED\n");
|
|
printf("CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED\n");
|
|
printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE\n");
|
|
|
|
PORT_FreeArena (arena, PR_FALSE);
|
|
return rv;
|
|
}
|
|
|
|
void print_info(SECItem *sdder, CERTCertificate *c)
|
|
{
|
|
PRBool saveWrapeState = SECU_GetWrapEnabled();
|
|
SECU_EnableWrap(PR_FALSE);
|
|
|
|
SECU_PrintNameQuotesOptional(stdout, &c->issuer, "# Issuer", 0, PR_FALSE);
|
|
printf("\n");
|
|
|
|
SECU_PrintInteger(stdout, &c->serialNumber, "# Serial Number", 0);
|
|
|
|
SECU_PrintNameQuotesOptional(stdout, &c->subject, "# Subject", 0, PR_FALSE);
|
|
printf("\n");
|
|
|
|
SECU_PrintTimeChoice(stdout, &c->validity.notBefore, "# Not Valid Before", 0);
|
|
SECU_PrintTimeChoice(stdout, &c->validity.notAfter, "# Not Valid After ", 0);
|
|
|
|
SECU_PrintFingerprints(stdout, sdder, "# Fingerprint", 0);
|
|
|
|
SECU_EnableWrap(saveWrapeState);
|
|
}
|
|
|
|
static SECStatus
|
|
ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust,
|
|
PRBool excludeCert, PRBool excludeHash)
|
|
{
|
|
SECStatus rv = SECSuccess;
|
|
CERTCertificate *cert;
|
|
unsigned char sha1_hash[SHA1_LENGTH];
|
|
unsigned char md5_hash[MD5_LENGTH];
|
|
SECItem *serial = NULL;
|
|
PRBool step_up = PR_FALSE;
|
|
const char *trust_info;
|
|
|
|
cert = CERT_DecodeDERCertificate(sdder, PR_FALSE, nickname);
|
|
if (!cert) {
|
|
return SECFailure;
|
|
}
|
|
serial = SEC_ASN1EncodeItem(NULL,NULL,cert,serialTemplate);
|
|
if (!serial) {
|
|
return SECFailure;
|
|
}
|
|
|
|
if (!excludeCert) {
|
|
printf("\n#\n# Certificate \"%s\"\n#\n",nickname);
|
|
print_info(sdder, cert);
|
|
printf("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n");
|
|
printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
|
|
printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
|
|
printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
|
|
printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
|
|
printf("CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n");
|
|
printf("CKA_SUBJECT MULTILINE_OCTAL\n");
|
|
dumpbytes(cert->derSubject.data,cert->derSubject.len);
|
|
printf("END\n");
|
|
printf("CKA_ID UTF8 \"0\"\n");
|
|
printf("CKA_ISSUER MULTILINE_OCTAL\n");
|
|
dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
|
|
printf("END\n");
|
|
printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
|
|
dumpbytes(serial->data,serial->len);
|
|
printf("END\n");
|
|
printf("CKA_VALUE MULTILINE_OCTAL\n");
|
|
dumpbytes(sdder->data,sdder->len);
|
|
printf("END\n");
|
|
}
|
|
|
|
if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags)
|
|
== CERTDB_TERMINAL_RECORD)
|
|
trust_info = "Distrust";
|
|
else
|
|
trust_info = "Trust for";
|
|
|
|
printf("\n# %s \"%s\"\n", trust_info, nickname);
|
|
print_info(sdder, cert);
|
|
|
|
printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n");
|
|
printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
|
|
printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
|
|
printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
|
|
printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
|
|
|
|
if (!excludeHash) {
|
|
PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len);
|
|
printf("CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n");
|
|
dumpbytes(sha1_hash,SHA1_LENGTH);
|
|
printf("END\n");
|
|
PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len);
|
|
printf("CKA_CERT_MD5_HASH MULTILINE_OCTAL\n");
|
|
dumpbytes(md5_hash,MD5_LENGTH);
|
|
printf("END\n");
|
|
}
|
|
|
|
printf("CKA_ISSUER MULTILINE_OCTAL\n");
|
|
dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
|
|
printf("END\n");
|
|
printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
|
|
dumpbytes(serial->data,serial->len);
|
|
printf("END\n");
|
|
|
|
printf("CKA_TRUST_SERVER_AUTH CK_TRUST %s\n",
|
|
getTrustString(trust->sslFlags));
|
|
printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST %s\n",
|
|
getTrustString(trust->emailFlags));
|
|
printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n",
|
|
getTrustString(trust->objectSigningFlags));
|
|
#ifdef notdef
|
|
printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NSS_TRUSTED\n");
|
|
printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
|
|
printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
|
|
printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
|
|
printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
|
|
printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
|
|
printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
|
|
#endif
|
|
|
|
step_up = (trust->sslFlags & CERTDB_GOVT_APPROVED_CA);
|
|
printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n",
|
|
step_up ? "CK_TRUE" : "CK_FALSE");
|
|
|
|
PORT_Free(sdder->data);
|
|
return(rv);
|
|
|
|
}
|
|
|
|
void printheader() {
|
|
printf("# \n"
|
|
"# This Source Code Form is subject to the terms of the Mozilla Public\n"
|
|
"# License, v. 2.0. If a copy of the MPL was not distributed with this\n"
|
|
"# file, You can obtain one at http://mozilla.org/MPL/2.0/.\n"
|
|
"#\n"
|
|
"CVS_ID \"@(#) $RCSfile$ $Revision$ $Date$\"\n"
|
|
"\n"
|
|
"#\n"
|
|
"# certdata.txt\n"
|
|
"#\n"
|
|
"# This file contains the object definitions for the certs and other\n"
|
|
"# information \"built into\" NSS.\n"
|
|
"#\n"
|
|
"# Object definitions:\n"
|
|
"#\n"
|
|
"# Certificates\n"
|
|
"#\n"
|
|
"# -- Attribute -- -- type -- -- value --\n"
|
|
"# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n"
|
|
"# CKA_TOKEN CK_BBOOL CK_TRUE\n"
|
|
"# CKA_PRIVATE CK_BBOOL CK_FALSE\n"
|
|
"# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
|
|
"# CKA_LABEL UTF8 (varies)\n"
|
|
"# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n"
|
|
"# CKA_SUBJECT DER+base64 (varies)\n"
|
|
"# CKA_ID byte array (varies)\n"
|
|
"# CKA_ISSUER DER+base64 (varies)\n"
|
|
"# CKA_SERIAL_NUMBER DER+base64 (varies)\n"
|
|
"# CKA_VALUE DER+base64 (varies)\n"
|
|
"# CKA_NSS_EMAIL ASCII7 (unused here)\n"
|
|
"#\n"
|
|
"# Trust\n"
|
|
"#\n"
|
|
"# -- Attribute -- -- type -- -- value --\n"
|
|
"# CKA_CLASS CK_OBJECT_CLASS CKO_TRUST\n"
|
|
"# CKA_TOKEN CK_BBOOL CK_TRUE\n"
|
|
"# CKA_PRIVATE CK_BBOOL CK_FALSE\n"
|
|
"# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
|
|
"# CKA_LABEL UTF8 (varies)\n"
|
|
"# CKA_ISSUER DER+base64 (varies)\n"
|
|
"# CKA_SERIAL_NUMBER DER+base64 (varies)\n"
|
|
"# CKA_CERT_HASH binary+base64 (varies)\n"
|
|
"# CKA_EXPIRES CK_DATE (not used here)\n"
|
|
"# CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST (varies)\n"
|
|
"# CKA_TRUST_NON_REPUDIATION CK_TRUST (varies)\n"
|
|
"# CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST (varies)\n"
|
|
"# CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST (varies)\n"
|
|
"# CKA_TRUST_KEY_AGREEMENT CK_TRUST (varies)\n"
|
|
"# CKA_TRUST_KEY_CERT_SIGN CK_TRUST (varies)\n"
|
|
"# CKA_TRUST_CRL_SIGN CK_TRUST (varies)\n"
|
|
"# CKA_TRUST_SERVER_AUTH CK_TRUST (varies)\n"
|
|
"# CKA_TRUST_CLIENT_AUTH CK_TRUST (varies)\n"
|
|
"# CKA_TRUST_CODE_SIGNING CK_TRUST (varies)\n"
|
|
"# CKA_TRUST_EMAIL_PROTECTION CK_TRUST (varies)\n"
|
|
"# CKA_TRUST_IPSEC_END_SYSTEM CK_TRUST (varies)\n"
|
|
"# CKA_TRUST_IPSEC_TUNNEL CK_TRUST (varies)\n"
|
|
"# CKA_TRUST_IPSEC_USER CK_TRUST (varies)\n"
|
|
"# CKA_TRUST_TIME_STAMPING CK_TRUST (varies)\n"
|
|
"# (other trust attributes can be defined)\n"
|
|
"#\n"
|
|
"\n"
|
|
"#\n"
|
|
"# The object to tell NSS that this is a root list and we don't\n"
|
|
"# have to go looking for others.\n"
|
|
"#\n"
|
|
"BEGINDATA\n"
|
|
"CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST\n"
|
|
"CKA_TOKEN CK_BBOOL CK_TRUE\n"
|
|
"CKA_PRIVATE CK_BBOOL CK_FALSE\n"
|
|
"CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
|
|
"CKA_LABEL UTF8 \"Mozilla Builtin Roots\"\n");
|
|
}
|
|
|
|
static void Usage(char *progName)
|
|
{
|
|
fprintf(stderr, "%s -t trust -n nickname [-i certfile] [-c] [-h]\n", progName);
|
|
fprintf(stderr,
|
|
"\tRead a der-encoded cert from certfile or stdin, and output\n"
|
|
"\tit to stdout in a format suitable for the builtin root module.\n"
|
|
"\tExample: %s -n MyCA -t \"C,C,C\" -i myca.der >> certdata.txt\n",
|
|
progName);
|
|
fprintf(stderr, "%s -D -n label [-i certfile]\n", progName);
|
|
fprintf(stderr,
|
|
"\tRead a der-encoded cert from certfile or stdin, and output\n"
|
|
"\ta distrust record.\n"
|
|
"\t(-D is equivalent to -t p,p,p -c -h)\n");
|
|
fprintf(stderr, "%s -C -e crl-entry-number -n label [-i crlfile]\n", progName);
|
|
fprintf(stderr,
|
|
"\tRead a CRL from crlfile or stdin, and output\n"
|
|
"\ta distrust record (issuer+serial).\n"
|
|
"\t(-C implies -c -h)\n");
|
|
fprintf(stderr, "%-15s trust flags (cCTpPuw).\n", "-t trust");
|
|
fprintf(stderr, "%-15s nickname to assign to builtin cert, or\n",
|
|
"-n nickname");
|
|
fprintf(stderr, "%-15s a label for the distrust record.\n", "");
|
|
fprintf(stderr, "%-15s exclude the certificate (only add a trust record)\n", "-c");
|
|
fprintf(stderr, "%-15s exclude hash from trust record\n", "-h");
|
|
fprintf(stderr, "%-15s (useful to distrust any matching issuer/serial)\n", "");
|
|
fprintf(stderr, "%-15s (not allowed when adding positive trust)\n", "");
|
|
fprintf(stderr, "%-15s a CRL entry number, as shown by \"crlutil -S\"\n", "-e");
|
|
fprintf(stderr, "%-15s input file to read (default stdin)\n", "-i file");
|
|
fprintf(stderr, "%-15s (pipe through atob if the cert is b64-encoded)\n", "");
|
|
exit(-1);
|
|
}
|
|
|
|
enum {
|
|
opt_Input = 0,
|
|
opt_Nickname,
|
|
opt_Trust,
|
|
opt_Distrust,
|
|
opt_ExcludeCert,
|
|
opt_ExcludeHash,
|
|
opt_DistrustCRL,
|
|
opt_CRLEnry
|
|
};
|
|
|
|
static secuCommandFlag addbuiltin_options[] =
|
|
{
|
|
{ /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE },
|
|
{ /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE },
|
|
{ /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE },
|
|
{ /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE },
|
|
{ /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE },
|
|
{ /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE },
|
|
{ /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE },
|
|
{ /* opt_CRLEnry */ 'e', PR_TRUE, 0, PR_FALSE },
|
|
};
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
SECStatus rv;
|
|
char *nickname = NULL;
|
|
char *trusts = NULL;
|
|
char *progName;
|
|
PRFileDesc *infile;
|
|
CERTCertTrust trust = { 0 };
|
|
SECItem derItem = { 0 };
|
|
PRInt32 crlentry = 0;
|
|
PRInt32 mutuallyExclusiveOpts = 0;
|
|
PRBool decodeTrust = PR_FALSE;
|
|
|
|
secuCommand addbuiltin = { 0 };
|
|
addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
|
|
addbuiltin.options = addbuiltin_options;
|
|
|
|
progName = strrchr(argv[0], '/');
|
|
progName = progName ? progName+1 : argv[0];
|
|
|
|
rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);
|
|
|
|
if (rv != SECSuccess)
|
|
Usage(progName);
|
|
|
|
if (addbuiltin.options[opt_Trust].activated)
|
|
++mutuallyExclusiveOpts;
|
|
if (addbuiltin.options[opt_Distrust].activated)
|
|
++mutuallyExclusiveOpts;
|
|
if (addbuiltin.options[opt_DistrustCRL].activated)
|
|
++mutuallyExclusiveOpts;
|
|
|
|
if (mutuallyExclusiveOpts != 1) {
|
|
fprintf(stderr, "%s: you must specify exactly one of -t or -D or -C\n",
|
|
progName);
|
|
Usage(progName);
|
|
}
|
|
|
|
if (addbuiltin.options[opt_DistrustCRL].activated) {
|
|
if (!addbuiltin.options[opt_CRLEnry].activated) {
|
|
fprintf(stderr, "%s: you must specify the CRL entry number.\n",
|
|
progName);
|
|
Usage(progName);
|
|
}
|
|
else {
|
|
crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg);
|
|
if (crlentry < 1) {
|
|
fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
|
|
progName);
|
|
Usage(progName);
|
|
}
|
|
}
|
|
}
|
|
|
|
if (!addbuiltin.options[opt_Nickname].activated) {
|
|
fprintf(stderr, "%s: you must specify parameter -n (a nickname or a label).\n",
|
|
progName);
|
|
Usage(progName);
|
|
}
|
|
|
|
if (addbuiltin.options[opt_Input].activated) {
|
|
infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
|
|
if (!infile) {
|
|
fprintf(stderr, "%s: failed to open input file.\n", progName);
|
|
exit(1);
|
|
}
|
|
} else {
|
|
#if defined(WIN32)
|
|
/* If we're going to read binary data from stdin, we must put stdin
|
|
** into O_BINARY mode or else incoming \r\n's will become \n's,
|
|
** and latin-1 characters will be altered.
|
|
*/
|
|
|
|
int smrv = _setmode(_fileno(stdin), _O_BINARY);
|
|
if (smrv == -1) {
|
|
fprintf(stderr,
|
|
"%s: Cannot change stdin to binary mode. Use -i option instead.\n",
|
|
progName);
|
|
exit(1);
|
|
}
|
|
#endif
|
|
infile = PR_STDIN;
|
|
}
|
|
|
|
#if defined(WIN32)
|
|
/* We must put stdout into O_BINARY mode or else the output will include
|
|
** carriage returns.
|
|
*/
|
|
{
|
|
int smrv = _setmode(_fileno(stdout), _O_BINARY);
|
|
if (smrv == -1) {
|
|
fprintf(stderr, "%s: Cannot change stdout to binary mode.\n", progName);
|
|
exit(1);
|
|
}
|
|
}
|
|
#endif
|
|
|
|
nickname = strdup(addbuiltin.options[opt_Nickname].arg);
|
|
|
|
NSS_NoDB_Init(NULL);
|
|
|
|
if (addbuiltin.options[opt_Distrust].activated ||
|
|
addbuiltin.options[opt_DistrustCRL].activated) {
|
|
addbuiltin.options[opt_ExcludeCert].activated = PR_TRUE;
|
|
addbuiltin.options[opt_ExcludeHash].activated = PR_TRUE;
|
|
}
|
|
|
|
if (addbuiltin.options[opt_Distrust].activated) {
|
|
trusts = strdup("p,p,p");
|
|
decodeTrust = PR_TRUE;
|
|
}
|
|
else if (addbuiltin.options[opt_Trust].activated) {
|
|
trusts = strdup(addbuiltin.options[opt_Trust].arg);
|
|
decodeTrust = PR_TRUE;
|
|
}
|
|
|
|
if (decodeTrust) {
|
|
rv = CERT_DecodeTrustString(&trust, trusts);
|
|
if (rv) {
|
|
fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
|
|
Usage(progName);
|
|
}
|
|
}
|
|
|
|
if (addbuiltin.options[opt_Trust].activated &&
|
|
addbuiltin.options[opt_ExcludeHash].activated) {
|
|
if ((trust.sslFlags | trust.emailFlags | trust.objectSigningFlags)
|
|
!= CERTDB_TERMINAL_RECORD) {
|
|
fprintf(stderr, "%s: Excluding the hash only allowed with distrust.\n", progName);
|
|
Usage(progName);
|
|
}
|
|
}
|
|
|
|
SECU_FileToItem(&derItem, infile);
|
|
|
|
/*printheader();*/
|
|
|
|
if (addbuiltin.options[opt_DistrustCRL].activated) {
|
|
rv = ConvertCRLEntry(&derItem, crlentry, nickname);
|
|
}
|
|
else {
|
|
rv = ConvertCertificate(&derItem, nickname, &trust,
|
|
addbuiltin.options[opt_ExcludeCert].activated,
|
|
addbuiltin.options[opt_ExcludeHash].activated);
|
|
if (rv) {
|
|
fprintf(stderr, "%s: failed to convert certificate.\n", progName);
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
if (NSS_Shutdown() != SECSuccess) {
|
|
exit(1);
|
|
}
|
|
|
|
return(SECSuccess);
|
|
}
|