1
/* ***** BEGIN LICENSE BLOCK *****
2
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
4
* The contents of this file are subject to the Mozilla Public License Version
5
* 1.1 (the "License"); you may not use this file except in compliance with
6
* the License. You may obtain a copy of the License at
7
* http://www.mozilla.org/MPL/
9
* Software distributed under the License is distributed on an "AS IS" basis,
10
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11
* for the specific language governing rights and limitations under the
14
* The Original Code is the Netscape security libraries.
16
* The Initial Developer of the Original Code is
17
* Netscape Communications Corporation.
18
* Portions created by the Initial Developer are Copyright (C) 1994-2000
19
* the Initial Developer. All Rights Reserved.
23
* Alternatively, the contents of this file may be used under the terms of
24
* either the GNU General Public License Version 2 or later (the "GPL"), or
25
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
26
* in which case the provisions of the GPL or the LGPL are applicable instead
27
* of those above. If you wish to allow use of your version of this file only
28
* under the terms of either the GPL or the LGPL, and not to allow others to
29
* use your version of this file under the terms of the MPL, indicate your
30
* decision by deleting the provisions above and replace them with the notice
31
* and other provisions required by the GPL or the LGPL. If you do not delete
32
* the provisions above, a recipient may use your version of this file under
33
* the terms of any one of the MPL, the GPL or the LGPL.
35
* ***** END LICENSE BLOCK ***** */
40
** utility for managing certificates and the cert database
55
#define SEC_CERT_DB_EXISTS 0
56
#define SEC_CREATE_CERT_DB 1
58
static char *progName;
60
static CERTSignedCrl *FindCRL
61
(CERTCertDBHandle *certHandle, char *name, int type)
63
CERTSignedCrl *crl = NULL;
64
CERTCertificate *cert = NULL;
70
cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, name);
72
CERTName *certName = NULL;
73
PRArenaPool *arena = NULL;
75
certName = CERT_AsciiToName(name);
77
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
80
SEC_ASN1EncodeItem (arena, NULL, (void *)certName,
81
SEC_ASN1_GET(CERT_NameTemplate));
83
SECITEM_CopyItem(NULL, &derName, nameItem);
85
PORT_FreeArena(arena, PR_FALSE);
87
CERT_DestroyName(certName);
90
if (!derName.len || !derName.data) {
91
SECU_PrintError(progName, "could not find certificate named '%s'", name);
92
return ((CERTSignedCrl *)NULL);
95
SECITEM_CopyItem(NULL, &derName, &cert->derSubject);
96
CERT_DestroyCertificate (cert);
99
crl = SEC_FindCrlByName(certHandle, &derName, type);
102
(progName, "could not find %s's CRL", name);
104
SECITEM_FreeItem(&derName, PR_FALSE);
109
static void DisplayCRL (CERTCertDBHandle *certHandle, char *nickName, int crlType)
111
CERTSignedCrl *crl = NULL;
113
crl = FindCRL (certHandle, nickName, crlType);
116
SECU_PrintCRLInfo (stdout, &crl->crl, "CRL Info:\n", 0);
117
SEC_DestroyCrl (crl);
121
static void ListCRLNames (CERTCertDBHandle *certHandle, int crlType, PRBool deletecrls)
123
CERTCrlHeadNode *crlList = NULL;
124
CERTCrlNode *crlNode = NULL;
125
CERTName *name = NULL;
126
PRArenaPool *arena = NULL;
130
arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
132
fprintf(stderr, "%s: fail to allocate memory\n", progName);
136
name = PORT_ArenaZAlloc (arena, sizeof(*name));
138
fprintf(stderr, "%s: fail to allocate memory\n", progName);
143
rv = SEC_LookupCrls (certHandle, &crlList, crlType);
144
if (rv != SECSuccess) {
145
fprintf(stderr, "%s: fail to look up CRLs (%s)\n", progName,
146
SECU_Strerror(PORT_GetError()));
154
crlNode = crlList->first;
156
fprintf (stdout, "\n");
157
fprintf (stdout, "\n%-40s %-5s\n\n", "CRL names", "CRL Type");
159
char* asciiname = NULL;
160
CERTCertificate *cert = NULL;
161
if (crlNode->crl && &crlNode->crl->crl.derName) {
162
cert = CERT_FindCertByName(certHandle,
163
&crlNode->crl->crl.derName);
165
SECU_PrintError(progName, "could not find signing "
166
"certificate in database");
170
char* certName = NULL;
171
if (cert->nickname && PORT_Strlen(cert->nickname) > 0) {
172
certName = cert->nickname;
173
} else if (cert->emailAddr && PORT_Strlen(cert->emailAddr) > 0) {
174
certName = cert->emailAddr;
177
asciiname = PORT_Strdup(certName);
179
CERT_DestroyCertificate(cert);
183
name = &crlNode->crl->crl.name;
185
SECU_PrintError(progName, "fail to get the CRL "
189
asciiname = CERT_NameToAscii(name);
191
fprintf (stdout, "%-40s %-5s\n", asciiname, "CRL");
193
PORT_Free(asciiname);
195
if ( PR_TRUE == deletecrls) {
196
CERTSignedCrl* acrl = NULL;
197
SECItem* issuer = &crlNode->crl->crl.derName;
198
acrl = SEC_FindCrlByName(certHandle, issuer, crlType);
201
SEC_DeletePermCRL(acrl);
202
SEC_DestroyCrl(acrl);
205
crlNode = crlNode->next;
210
PORT_FreeArena (crlList->arena, PR_FALSE);
211
PORT_FreeArena (arena, PR_FALSE);
214
static void ListCRL (CERTCertDBHandle *certHandle, char *nickName, int crlType)
216
if (nickName == NULL)
217
ListCRLNames (certHandle, crlType, PR_FALSE);
219
DisplayCRL (certHandle, nickName, crlType);
224
static SECStatus DeleteCRL (CERTCertDBHandle *certHandle, char *name, int type)
226
CERTSignedCrl *crl = NULL;
227
SECStatus rv = SECFailure;
229
crl = FindCRL (certHandle, name, type);
232
(progName, "could not find the issuer %s's CRL", name);
235
rv = SEC_DeletePermCRL (crl);
237
if (rv != SECSuccess) {
238
SECU_PrintError(progName, "fail to delete the issuer %s's CRL "
239
"from the perm database (reason: %s)",
240
name, SECU_Strerror(PORT_GetError()));
246
SECStatus ImportCRL (CERTCertDBHandle *certHandle, char *url, int type,
247
PRFileDesc *inFile, PRInt32 importOptions, PRInt32 decodeOptions)
249
CERTSignedCrl *crl = NULL;
251
PK11SlotInfo* slot = NULL;
253
#if defined(DEBUG_jpierre)
254
PRIntervalTime starttime, endtime, elapsed;
255
PRUint32 mins, secs, msecs;
261
/* Read in the entire file specified with the -f argument */
262
rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
263
if (rv != SECSuccess) {
264
SECU_PrintError(progName, "unable to read input file");
268
decodeOptions |= CRL_DECODE_DONT_COPY_DER;
270
slot = PK11_GetInternalKeySlot();
272
#if defined(DEBUG_jpierre)
273
starttime = PR_IntervalNow();
275
crl = PK11_ImportCRL(slot, &crlDER, url, type,
276
NULL, importOptions, NULL, decodeOptions);
277
#if defined(DEBUG_jpierre)
278
endtime = PR_IntervalNow();
279
elapsed = endtime - starttime;
280
mins = PR_IntervalToSeconds(elapsed) / 60;
281
secs = PR_IntervalToSeconds(elapsed) % 60;
282
msecs = PR_IntervalToMilliseconds(elapsed) % 1000;
283
printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs);
286
const char *errString;
289
errString = SECU_Strerror(PORT_GetError());
290
if ( errString && PORT_Strlen (errString) == 0)
291
SECU_PrintError (progName,
292
"CRL is not imported (error: input CRL is not up to date.)");
294
SECU_PrintError (progName, "unable to import CRL");
296
SEC_DestroyCrl (crl);
305
static CERTCertificate*
306
FindSigningCert(CERTCertDBHandle *certHandle, CERTSignedCrl *signCrl,
309
CERTCertificate *cert = NULL, *certTemp = NULL;
310
SECStatus rv = SECFailure;
311
CERTAuthKeyID* authorityKeyID = NULL;
312
SECItem* subject = NULL;
314
PORT_Assert(certHandle != NULL);
315
if (!certHandle || (!signCrl && !certNickName)) {
316
SECU_PrintError(progName, "invalid args for function "
317
"FindSigningCert \n");
323
authorityKeyID = SECU_FindCRLAuthKeyIDExten(tmpArena, scrl);
325
subject = &signCrl->crl.derName;
327
certTemp = CERT_FindCertByNickname(certHandle, certNickName);
329
SECU_PrintError(progName, "could not find certificate \"%s\" "
330
"in database", certNickName);
333
subject = &certTemp->derSubject;
336
cert = SECU_FindCrlIssuer(certHandle, subject, authorityKeyID, PR_Now());
338
SECU_PrintError(progName, "could not find signing certificate "
347
CERT_DestroyCertificate(certTemp);
348
if (cert && rv != SECSuccess)
349
CERT_DestroyCertificate(cert);
353
static CERTSignedCrl*
354
DuplicateModCrl(PRArenaPool *arena, CERTCertDBHandle *certHandle,
355
CERTCertificate **cert, char *certNickName,
356
PRFileDesc *inFile, PRInt32 decodeOptions,
357
PRInt32 importOptions)
360
CERTSignedCrl *signCrl = NULL;
361
CERTSignedCrl *modCrl = NULL;
362
PRArenaPool *modArena = NULL;
363
SECStatus rv = SECSuccess;
365
PORT_Assert(arena != NULL && certHandle != NULL &&
366
certNickName != NULL);
367
if (!arena || !certHandle || !certNickName) {
368
SECU_PrintError(progName, "DuplicateModCrl: invalid args\n");
372
modArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
374
SECU_PrintError(progName, "fail to allocate memory\n");
378
if (inFile != NULL) {
379
rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
380
if (rv != SECSuccess) {
381
SECU_PrintError(progName, "unable to read input file");
382
PORT_FreeArena(modArena, PR_FALSE);
386
decodeOptions |= CRL_DECODE_DONT_COPY_DER;
388
modCrl = CERT_DecodeDERCrlWithFlags(modArena, &crlDER, SEC_CRL_TYPE,
391
SECU_PrintError(progName, "fail to decode CRL");
395
if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)){
396
/* If caCert is a v2 certificate, make sure that it
397
* can be used for crl signing purpose */
398
*cert = FindSigningCert(certHandle, modCrl, NULL);
403
rv = CERT_VerifySignedData(&modCrl->signatureWrap, *cert,
405
if (rv != SECSuccess) {
406
SECU_PrintError(progName, "fail to verify signed data\n");
411
modCrl = FindCRL(certHandle, certNickName, SEC_CRL_TYPE);
413
SECU_PrintError(progName, "fail to find crl %s in database\n",
419
signCrl = PORT_ArenaZNew(arena, CERTSignedCrl);
420
if (signCrl == NULL) {
421
SECU_PrintError(progName, "fail to allocate memory\n");
425
rv = SECU_CopyCRL(arena, &signCrl->crl, &modCrl->crl);
426
if (rv != SECSuccess) {
427
SECU_PrintError(progName, "unable to dublicate crl for "
432
signCrl->arena = arena;
435
SECITEM_FreeItem(&crlDER, PR_FALSE);
437
SEC_DestroyCrl(modCrl);
438
if (rv != SECSuccess && signCrl) {
439
SEC_DestroyCrl(signCrl);
446
static CERTSignedCrl*
447
CreateNewCrl(PRArenaPool *arena, CERTCertDBHandle *certHandle,
448
CERTCertificate *cert)
450
CERTSignedCrl *signCrl = NULL;
455
/* if the CERTSignedCrl structure changes, this function will need to be
457
PORT_Assert(cert != NULL);
458
if (!cert || !arena) {
459
SECU_PrintError(progName, "invalid args for function "
464
mark = PORT_ArenaMark(arena);
466
signCrl = PORT_ArenaZNew(arena, CERTSignedCrl);
467
if (signCrl == NULL) {
468
SECU_PrintError(progName, "fail to allocate memory\n");
472
dummy = SEC_ASN1EncodeInteger(arena, &signCrl->crl.version,
474
/* set crl->version */
476
SECU_PrintError(progName, "fail to create crl version data "
481
/* copy SECItem name from cert */
482
rv = SECITEM_CopyItem(arena, &signCrl->crl.derName, &cert->derSubject);
483
if (rv != SECSuccess) {
484
SECU_PrintError(progName, "fail to duplicate der name from "
489
/* copy CERTName name structure from cert issuer */
490
rv = CERT_CopyName (arena, &signCrl->crl.name, &cert->subject);
491
if (rv != SECSuccess) {
492
SECU_PrintError(progName, "fail to duplicate RD name from "
497
rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now());
498
if (rv != SECSuccess) {
499
SECU_PrintError(progName, "fail to encode current time\n");
504
signCrl->arena = arena;
505
signCrl->dbhandle = certHandle;
506
signCrl->crl.arena = arena;
511
PORT_ArenaRelease(arena, mark);
517
UpdateCrl(CERTSignedCrl *signCrl, PRFileDesc *inCrlInitFile)
519
CRLGENGeneratorData *crlGenData = NULL;
522
PORT_Assert(signCrl != NULL && inCrlInitFile != NULL);
523
if (!signCrl || !inCrlInitFile) {
524
SECU_PrintError(progName, "invalid args for function "
529
crlGenData = CRLGEN_InitCrlGeneration(signCrl, inCrlInitFile);
531
SECU_PrintError(progName, "can not initialize parser structure.\n");
535
rv = CRLGEN_ExtHandleInit(crlGenData);
536
if (rv == SECFailure) {
537
SECU_PrintError(progName, "can not initialize entries handle.\n");
541
rv = CRLGEN_StartCrlGen(crlGenData);
542
if (rv != SECSuccess) {
543
SECU_PrintError(progName, "crl generation failed");
548
/* CommitExtensionsAndEntries is partially responsible for freeing
549
* up memory that was used for CRL generation. Should be called regardless
550
* of previouse call status, but only after initialization of
551
* crlGenData was done. It will commit all changes that was done before
552
* an error has occured.
554
if (SECSuccess != CRLGEN_CommitExtensionsAndEntries(crlGenData)) {
555
SECU_PrintError(progName, "crl generation failed");
558
CRLGEN_FinalizeCrlGeneration(crlGenData);
563
SignAndStoreCrl(CERTSignedCrl *signCrl, CERTCertificate *cert,
564
char *outFileName, SECOidTag hashAlgTag, int ascii,
565
char *slotName, char *url, secuPWData *pwdata)
567
PK11SlotInfo *slot = NULL;
568
PRFileDesc *outFile = NULL;
570
SignAndEncodeFuncExitStat errCode;
572
PORT_Assert(signCrl && (!ascii || outFileName));
573
if (!signCrl || (ascii && !outFileName)) {
574
SECU_PrintError(progName, "invalid args for function "
575
"SignAndStoreCrl\n");
579
if (!slotName || !PL_strcmp(slotName, "internal"))
580
slot = PK11_GetInternalKeySlot();
582
slot = PK11_FindSlotByName(slotName);
584
SECU_PrintError(progName, "can not find requested slot");
588
if (PK11_NeedLogin(slot)) {
589
rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
590
if (rv != SECSuccess)
594
rv = SECU_SignAndEncodeCRL(cert, signCrl, hashAlgTag, &errCode);
595
if (rv != SECSuccess) {
600
errMsg = "No private key found of signing cert";
603
case noSignatureMatch:
604
errMsg = "Key and Algorithm OId are do not match";
609
errMsg = "Failed to encode crl structure";
613
errMsg = "Failed to sign crl structure";
617
errMsg = "Can not allocate memory";
620
SECU_PrintError(progName, "%s\n", errMsg);
625
outFile = PR_Open(outFileName, PR_WRONLY|PR_CREATE_FILE, PR_IRUSR | PR_IWUSR);
627
SECU_PrintError(progName, "unable to open \"%s\" for writing\n",
633
rv = SECU_StoreCRL(slot, signCrl->derCrl, outFile, ascii, url);
634
if (rv != SECSuccess) {
635
SECU_PrintError(progName, "fail to save CRL\n");
647
GenerateCRL (CERTCertDBHandle *certHandle, char *certNickName,
648
PRFileDesc *inCrlInitFile, PRFileDesc *inFile,
649
char *outFileName, int ascii, char *slotName,
650
PRInt32 importOptions, char *alg, PRBool quiet,
651
PRInt32 decodeOptions, char *url, secuPWData *pwdata,
654
CERTCertificate *cert = NULL;
655
CERTSignedCrl *signCrl = NULL;
656
PRArenaPool *arena = NULL;
658
SECOidTag hashAlgTag = SEC_OID_UNKNOWN;
661
hashAlgTag = SECU_StringToSignatureAlgTag(alg);
662
if (hashAlgTag == SEC_OID_UNKNOWN) {
663
SECU_PrintError(progName, "%s -Z: %s is not a recognized type.\n",
668
hashAlgTag = SEC_OID_UNKNOWN;
671
arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
673
SECU_PrintError(progName, "fail to allocate memory\n");
677
if (modifyFlag == PR_TRUE) {
678
signCrl = DuplicateModCrl(arena, certHandle, &cert, certNickName,
679
inFile, decodeOptions, importOptions);
680
if (signCrl == NULL) {
686
cert = FindSigningCert(certHandle, signCrl, certNickName);
693
if (modifyFlag == PR_TRUE) {
695
int len = strlen(certNickName) + 5;
696
outFileName = PORT_ArenaAlloc(arena, len);
697
PR_snprintf(outFileName, len, "%s.crl", certNickName);
699
SECU_PrintError(progName, "Will try to generate crl. "
700
"It will be saved in file: %s",
703
signCrl = CreateNewCrl(arena, certHandle, cert);
708
rv = UpdateCrl(signCrl, inCrlInitFile);
709
if (rv != SECSuccess) {
713
rv = SignAndStoreCrl(signCrl, cert, outFileName, hashAlgTag, ascii,
714
slotName, url, pwdata);
715
if (rv != SECSuccess) {
719
if (signCrl && !quiet) {
720
SECU_PrintCRLInfo (stdout, &signCrl->crl, "CRL Info:\n", 0);
724
if (arena && (!signCrl || !signCrl->arena))
725
PORT_FreeArena (arena, PR_FALSE);
727
SEC_DestroyCrl (signCrl);
729
CERT_DestroyCertificate (cert);
733
static void Usage(char *progName)
736
"Usage: %s -L [-n nickname] [-d keydir] [-P dbprefix] [-t crlType]\n"
737
" %s -D -n nickname [-d keydir] [-P dbprefix]\n"
738
" %s -I -i crl -t crlType [-u url] [-d keydir] [-P dbprefix] [-B] "
739
"[-p pwd-file] -w [pwd-string]\n"
740
" %s -E -t crlType [-d keydir] [-P dbprefix]\n"
742
" %s -G|-M -c crl-init-file -n nickname [-i crl] [-u url] "
743
"[-d keydir] [-P dbprefix] [-Z alg] ] [-p pwd-file] -w [pwd-string] "
745
progName, progName, progName, progName, progName, progName);
747
fprintf (stderr, "%-15s List CRL\n", "-L");
748
fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n",
750
fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
752
fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
755
fprintf (stderr, "%-15s Delete a CRL from the cert database\n", "-D");
756
fprintf(stderr, "%-20s Specify the nickname for the CA certificate\n",
758
fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
759
fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
761
fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
764
fprintf (stderr, "%-15s Erase all CRLs of specified type from hte cert database\n", "-E");
765
fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
766
fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
768
fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
771
fprintf (stderr, "%-15s Import a CRL to the cert database\n", "-I");
772
fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n",
774
fprintf(stderr, "%-20s Specify the url.\n", "-u url");
775
fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
776
fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
778
fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
781
fprintf (stderr, "%-15s Test . Only for debugging purposes. See source code\n", "-T");
783
fprintf(stderr, "%-20s CRL Types (default is SEC_CRL_TYPE):\n", " ");
784
fprintf(stderr, "%-20s \t 0 - SEC_KRL_TYPE\n", " ");
785
fprintf(stderr, "%-20s \t 1 - SEC_CRL_TYPE\n", " ");
786
fprintf(stderr, "\n%-20s Bypass CA certificate checks.\n", "-B");
787
fprintf(stderr, "\n%-20s Partial decode for faster operation.\n", "-p");
788
fprintf(stderr, "%-20s Repeat the operation.\n", "-r <iterations>");
789
fprintf(stderr, "\n%-15s Create CRL\n", "-G");
790
fprintf(stderr, "%-15s Modify CRL\n", "-M");
791
fprintf(stderr, "%-20s Specify crl initialization file\n",
793
fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n",
795
fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n",
797
fprintf(stderr, "%-20s Specify a CRL output file\n",
798
"-o crl-output-file");
799
fprintf(stderr, "%-20s Specify to use base64 encoded CRL output format\n",
801
fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
803
fprintf(stderr, "%-20s Provide path to a default pwd file\n",
805
fprintf(stderr, "%-20s Provide db password in command line\n",
807
fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
809
fprintf(stderr, "%-20s Specify the url.\n", "-u url");
810
fprintf(stderr, "\n%-20s Bypass CA certificate checks.\n", "-B");
815
int main(int argc, char **argv)
818
CERTCertDBHandle *certHandle;
821
PRFileDesc *inCrlInitFile = NULL;
832
char *outFile = NULL;
833
char *slotName = NULL;
836
PLOptState *optstate;
839
PRInt32 decodeOptions = CRL_DECODE_DEFAULT_OPTIONS;
840
PRInt32 importOptions = CRL_IMPORT_DEFAULT_OPTIONS;
841
PRBool quiet = PR_FALSE;
842
PRBool test = PR_FALSE;
843
PRBool erase = PR_FALSE;
845
PRInt32 iterations = 1;
847
secuPWData pwdata = { PW_NONE, 0 };
849
progName = strrchr(argv[0], '/');
850
progName = progName ? progName+1 : argv[0];
853
deleteCRL = importCRL = listCRL = generateCRL = modifyCRL = 0;
856
nickName = url = NULL;
857
privKeyDER.data = NULL;
859
crlType = SEC_CRL_TYPE;
861
* Parse command line arguments
863
optstate = PL_CreateOptState(argc, argv, "sqBCDGILMTEP:f:d:i:h:n:p:t:u:r:aZ:o:c:");
864
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
865
switch (optstate->option) {
879
importOptions |= CRL_IMPORT_BYPASS_CHECKS;
904
dbPrefix = strdup(optstate->value);
908
alg = strdup(optstate->value);
916
inCrlInitFile = PR_Open(optstate->value, PR_RDONLY, 0);
917
if (!inCrlInitFile) {
918
PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
919
progName, optstate->value);
920
PL_DestroyOptState(optstate);
926
SECU_ConfigDirectory(optstate->value);
930
pwdata.source = PW_FROMFILE;
931
pwdata.data = strdup(optstate->value);
935
slotName = strdup(optstate->value);
939
inFile = PR_Open(optstate->value, PR_RDONLY, 0);
941
PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
942
progName, optstate->value);
943
PL_DestroyOptState(optstate);
949
nickName = strdup(optstate->value);
953
outFile = strdup(optstate->value);
957
decodeOptions |= CRL_DECODE_SKIP_ENTRIES;
961
const char* str = optstate->value;
962
if (str && atoi(str)>0)
963
iterations = atoi(str);
970
type = strdup(optstate->value);
971
crlType = atoi (type);
972
if (crlType != SEC_CRL_TYPE && crlType != SEC_KRL_TYPE) {
973
PR_fprintf(PR_STDERR, "%s: invalid crl type\n", progName);
974
PL_DestroyOptState(optstate);
984
pwdata.source = PW_PLAINTEXT;
985
pwdata.data = strdup(optstate->value);
989
url = strdup(optstate->value);
995
PL_DestroyOptState(optstate);
997
if (deleteCRL && !nickName) Usage (progName);
998
if (importCRL && !inFile) Usage (progName);
999
if ((generateCRL && !nickName) ||
1000
(modifyCRL && !inFile && !nickName)) Usage (progName);
1001
if (!(listCRL || deleteCRL || importCRL || generateCRL ||
1002
modifyCRL || test || erase)) Usage (progName);
1004
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
1006
PK11_SetPasswordFunc(SECU_GetModulePassword);
1008
secstatus = NSS_Initialize(SECU_ConfigDirectory(NULL), dbPrefix, dbPrefix,
1010
if (secstatus != SECSuccess) {
1011
SECU_PrintPRandOSError(progName);
1014
SECU_RegisterDynamicOids();
1016
certHandle = CERT_GetDefaultCertDB();
1017
if (certHandle == NULL) {
1018
SECU_PrintError(progName, "unable to open the cert db");
1019
/*ignoring return value of NSS_Shutdown() as code returns -1*/
1020
(void) NSS_Shutdown();
1024
CRLGEN_InitCrlGenParserLock();
1026
for (i=0; i<iterations; i++) {
1027
/* Read in the private key info */
1029
DeleteCRL (certHandle, nickName, crlType);
1031
ListCRL (certHandle, nickName, crlType);
1033
else if (importCRL) {
1034
rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
1036
} else if (generateCRL || modifyCRL) {
1038
inCrlInitFile = PR_STDIN;
1039
rv = GenerateCRL (certHandle, nickName, inCrlInitFile,
1040
inFile, outFile, ascii, slotName,
1041
importOptions, alg, quiet,
1042
decodeOptions, url, &pwdata,
1046
/* list and delete all CRLs */
1047
ListCRLNames (certHandle, crlType, PR_TRUE);
1051
/* list and delete all CRLs */
1052
ListCRLNames (certHandle, crlType, PR_TRUE);
1054
ListCRLNames (certHandle, crlType, PR_FALSE);
1055
/* import CRL as a blob */
1056
rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
1059
ListCRLNames (certHandle, crlType, PR_FALSE);
1064
CRLGEN_DestroyCrlGenParserLock();
1066
if (NSS_Shutdown() != SECSuccess) {
1070
return (rv != SECSuccess);