177
177
GEN_BREAK(SECFailure);
180
if (PK11_IsFIPS() || !PK11_IsInternal(slot)) {
181
rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
182
if (rv != SECSuccess) {
183
SECU_PrintError(progName, "could not authenticate to token %s.",
184
PK11_GetTokenName(slot));
185
GEN_BREAK(SECFailure);
189
180
rv = PK11_ImportCert(slot, cert, CK_INVALID_HANDLE, name, PR_FALSE);
190
181
if (rv != SECSuccess) {
191
SECU_PrintError(progName, "could not add certificate to token or database");
192
GEN_BREAK(SECFailure);
182
/* sigh, PK11_Import Cert and CERT_ChangeCertTrust should have
183
* been coded to take a password arg. */
184
if (PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
185
rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
186
if (rv != SECSuccess) {
187
SECU_PrintError(progName,
188
"could not authenticate to token %s.",
189
PK11_GetTokenName(slot));
190
GEN_BREAK(SECFailure);
192
rv = PK11_ImportCert(slot, cert, CK_INVALID_HANDLE,
195
if (rv != SECSuccess) {
196
SECU_PrintError(progName,
197
"could not add certificate to token or database");
198
GEN_BREAK(SECFailure);
195
202
rv = CERT_ChangeCertTrust(handle, cert, trust);
197
204
if (PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
198
205
rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
199
206
if (rv != SECSuccess) {
200
SECU_PrintError(progName, "could not authenticate to token %s.",
201
PK11_GetTokenName(slot));
207
SECU_PrintError(progName,
208
"could not authenticate to token %s.",
209
PK11_GetTokenName(slot));
202
210
GEN_BREAK(SECFailure);
204
212
rv = CERT_ChangeCertTrust(handle, cert, trust);
940
948
FPS "\t%s -B -i batch-file\n", progName);
941
949
FPS "\t%s -C [-c issuer-name | -x] -i cert-request-file -o cert-file\n"
942
950
"\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
943
"\t\t [-f pwfile] [-d certdir] [-P dbprefix] [-1] [-2] [-3] [-4] [-5]\n"
944
"\t\t [-6] [-7 emailAddrs] [-8 dns-names] [-a]\n",
951
"\t\t [-f pwfile] [-d certdir] [-P dbprefix]\n"
952
"\t\t [-1 | --keyUsage [keyUsageKeyword,..]] [-2] [-3] [-4]\n"
953
"\t\t [-5 | --nsCertType [nsCertTypeKeyword,...]]\n"
954
"\t\t [-6 | --extKeyUsage [extKeyUsageKeyword,...]] [-7 emailAddrs]\n"
955
"\t\t [-8 dns-names] [-a]\n",
946
957
FPS "\t%s -D -n cert-name [-d certdir] [-P dbprefix]\n", progName);
947
958
FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
1049
1060
" -d certdir");
1050
1061
FPS "%-20s Cert & Key database prefix\n",
1051
1062
" -P dbprefix");
1052
FPS "%-20s Create key usage extension\n",
1064
"%-20s Create key usage extension. Possible keywords:\n"
1065
"%-20s \"digitalSignature\", \"nonRepudiation\", \"keyEncipherment\",\n"
1066
"%-20s \"dataEncipherment\", \"keyAgreement\", \"certSigning\",\n"
1067
"%-20s \"crlSigning\", \"critical\"\n",
1068
" -1 | --keyUsage keyword,keyword,...", "", "", "", "");
1054
1069
FPS "%-20s Create basic constraint extension\n",
1056
1071
FPS "%-20s Create authority key ID extension\n",
1058
1073
FPS "%-20s Create crl distribution point extension\n",
1060
FPS "%-20s Create netscape cert type extension\n",
1062
FPS "%-20s Create extended key usage extension\n",
1076
"%-20s Create netscape cert type extension. Possible keywords:\n"
1077
"%-20s \"sslClient\", \"sslServer\", \"smime\", \"objectSigning\",\n"
1078
"%-20s \"sslCA\", \"smimeCA\", \"objectSigningCA\", \"critical\".\n",
1079
" -5 | -nsCertType keyword,keyword,... ", "", "", "");
1081
"%-20s Create extended key usage extension. Possible keywords:\n"
1082
"%-20s \"serverAuth\", \"clientAuth\",\"codeSigning\",\n"
1083
"%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
1084
"%-20s \"stepUp\", \"critical\"\n",
1085
" -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
1064
1086
FPS "%-20s Create an email subject alt name extension\n",
1065
1087
" -7 emailAddrs");
1066
1088
FPS "%-20s Create an dns subject alt name extension\n",
1888
1913
{ /* opt_AddInhibAnyExt */ 0, PR_FALSE, 0, PR_FALSE, "extIA" },
1889
1914
{ /* opt_AddSubjectKeyIDExt */ 0, PR_FALSE, 0, PR_FALSE,
1916
{ /* opt_AddCmdKeyUsageExt */ 0, PR_TRUE, 0, PR_FALSE,
1918
{ /* opt_AddCmdNSCertTypeExt */ 0, PR_TRUE, 0, PR_FALSE,
1920
{ /* opt_AddCmdExtKeyUsageExt*/ 0, PR_TRUE, 0, PR_FALSE,
1891
1923
{ /* opt_SourceDir */ 0, PR_TRUE, 0, PR_FALSE,
1893
1925
{ /* opt_SourcePrefix */ 0, PR_TRUE, 0, PR_FALSE,
2552
2584
/* Modify trust attribute for cert (-M) */
2553
2585
if (certutil.commands[cmd_ModifyCertTrust].activated) {
2554
if (PK11_IsFIPS() || !PK11_IsFriendly(slot)) {
2555
rv = PK11_Authenticate(slot, PR_TRUE, &pwdata);
2556
if (rv != SECSuccess) {
2557
SECU_PrintError(progName, "could not authenticate to token %s.",
2558
PK11_GetTokenName(slot));
2562
2586
rv = ChangeTrustAttributes(certHandle, slot, name,
2563
2587
certutil.options[opt_Trust].arg, &pwdata);
2676
2700
if (certutil.commands[cmd_CertReq].activated ||
2677
2701
certutil.commands[cmd_CreateAndAddCert].activated ||
2678
2702
certutil.commands[cmd_CreateNewCert].activated) {
2679
certutil_extns[ext_keyUsage] =
2680
certutil.options[opt_AddKeyUsageExt].activated;
2681
certutil_extns[ext_basicConstraint] =
2703
certutil_extns[ext_keyUsage].activated =
2704
certutil.options[opt_AddCmdKeyUsageExt].activated;
2705
if (!certutil_extns[ext_keyUsage].activated) {
2706
certutil_extns[ext_keyUsage].activated =
2707
certutil.options[opt_AddKeyUsageExt].activated;
2709
certutil_extns[ext_keyUsage].arg =
2710
certutil.options[opt_AddCmdKeyUsageExt].arg;
2712
certutil_extns[ext_basicConstraint].activated =
2682
2713
certutil.options[opt_AddBasicConstraintExt].activated;
2683
certutil_extns[ext_authorityKeyID] =
2714
certutil_extns[ext_authorityKeyID].activated =
2684
2715
certutil.options[opt_AddAuthorityKeyIDExt].activated;
2685
certutil_extns[ext_subjectKeyID] =
2716
certutil_extns[ext_subjectKeyID].activated =
2686
2717
certutil.options[opt_AddSubjectKeyIDExt].activated;
2687
certutil_extns[ext_CRLDistPts] =
2718
certutil_extns[ext_CRLDistPts].activated =
2688
2719
certutil.options[opt_AddCRLDistPtsExt].activated;
2689
certutil_extns[ext_NSCertType] =
2690
certutil.options[opt_AddNSCertTypeExt].activated;
2691
certutil_extns[ext_extKeyUsage] =
2692
certutil.options[opt_AddExtKeyUsageExt].activated;
2693
certutil_extns[ext_authInfoAcc] =
2720
certutil_extns[ext_NSCertType].activated =
2721
certutil.options[opt_AddCmdNSCertTypeExt].activated;
2722
if (!certutil_extns[ext_NSCertType].activated) {
2723
certutil_extns[ext_NSCertType].activated =
2724
certutil.options[opt_AddNSCertTypeExt].activated;
2726
certutil_extns[ext_NSCertType].arg =
2727
certutil.options[opt_AddCmdNSCertTypeExt].arg;
2730
certutil_extns[ext_extKeyUsage].activated =
2731
certutil.options[opt_AddCmdExtKeyUsageExt].activated;
2732
if (!certutil_extns[ext_extKeyUsage].activated) {
2733
certutil_extns[ext_extKeyUsage].activated =
2734
certutil.options[opt_AddExtKeyUsageExt].activated;
2736
certutil_extns[ext_extKeyUsage].arg =
2737
certutil.options[opt_AddCmdExtKeyUsageExt].arg;
2740
certutil_extns[ext_authInfoAcc].activated =
2694
2741
certutil.options[opt_AddAuthInfoAccExt].activated;
2695
certutil_extns[ext_subjInfoAcc] =
2742
certutil_extns[ext_subjInfoAcc].activated =
2696
2743
certutil.options[opt_AddSubjInfoAccExt].activated;
2697
certutil_extns[ext_certPolicies] =
2744
certutil_extns[ext_certPolicies].activated =
2698
2745
certutil.options[opt_AddCertPoliciesExt].activated;
2699
certutil_extns[ext_policyMappings] =
2746
certutil_extns[ext_policyMappings].activated =
2700
2747
certutil.options[opt_AddPolicyMapExt].activated;
2701
certutil_extns[ext_policyConstr] =
2748
certutil_extns[ext_policyConstr].activated =
2702
2749
certutil.options[opt_AddPolicyConstrExt].activated;
2703
certutil_extns[ext_inhibitAnyPolicy] =
2750
certutil_extns[ext_inhibitAnyPolicy].activated =
2704
2751
certutil.options[opt_AddInhibAnyExt].activated;
2730
2777
* and output the cert to another file.
2732
2779
if (certutil.commands[cmd_CreateAndAddCert].activated) {
2733
static certutilExtnList nullextnlist = {PR_FALSE};
2780
static certutilExtnList nullextnlist = {{PR_FALSE, NULL}};
2734
2781
rv = CertReq(privkey, pubkey, keytype, hashAlgTag, subject,
2735
2782
certutil.options[opt_PhoneNumber].arg,
2736
2783
certutil.options[opt_ASCIIForIO].activated,