~ubuntu-branches/ubuntu/precise/xulrunner-1.9/precise


Viewing changes to mozilla/security/nss/cmd/certutil/certutil.c

  • Committer: Bazaar Package Importer
  • Author(s): Alexander Sack
  • Date: 2009-08-03 12:46:20 UTC
  • mfrom: (1.1.22 upstream)
  • Revision ID: james.westby@ubuntu.com-20090803124620-e6fe7ftw5lbswb0z
Tags: 1.9.0.13+nobinonly-0ubuntu1
* New upstream release v1.9.0.13 (FIREFOX_3_0_13_RELEASE)
  - see USN-811-1
* drop update-alternative --remove-all hack (which ensured that non-existing alternatives dont end
  up in "manual" mode in the past) now that dpkg fails on them - also the "auto" mode seems to be fixed
  - update debian/xulrunner-1.9.2.prerm.in
* enable support for "extensions" in build-system
  - update debian/create-build-system.sh

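--- a/mozilla/security/nss/cmd/certutil/certutil.c
+++ b/mozilla/security/nss/cmd/certutil/certutil.c
@@ -177,19 +177,26 @@
             GEN_BREAK(SECFailure);
         }
 
-        if (PK11_IsFIPS() || !PK11_IsInternal(slot)) {
-            rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
-            if (rv != SECSuccess) {
-                SECU_PrintError(progName, "could not authenticate to token %s.",
-                                PK11_GetTokenName(slot));
-                GEN_BREAK(SECFailure);
-            }
-        }
-
         rv =  PK11_ImportCert(slot, cert, CK_INVALID_HANDLE, name, PR_FALSE);
         if (rv != SECSuccess) {
-            SECU_PrintError(progName, "could not add certificate to token or database");
-            GEN_BREAK(SECFailure);
+            /* sigh, PK11_Import Cert and CERT_ChangeCertTrust should have 
+             * been coded to take a password arg. */
+            if (PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
+                rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
+                if (rv != SECSuccess) {
+                    SECU_PrintError(progName, 
+                                "could not authenticate to token %s.",
+                                PK11_GetTokenName(slot));
+                    GEN_BREAK(SECFailure);
+                }
+                rv = PK11_ImportCert(slot, cert, CK_INVALID_HANDLE, 
+                                     name, PR_FALSE);
+            }
+            if (rv != SECSuccess) {
+                SECU_PrintError(progName, 
+                        "could not add certificate to token or database");
+                GEN_BREAK(SECFailure);
+            }
         }
 
         rv = CERT_ChangeCertTrust(handle, cert, trust);
@@ -197,8 +204,9 @@
             if (PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
                 rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
                 if (rv != SECSuccess) {
-                    SECU_PrintError(progName, "could not authenticate to token %s.",
-                                    PK11_GetTokenName(slot));
+                    SECU_PrintError(progName, 
+                                "could not authenticate to token %s.",
+                                PK11_GetTokenName(slot));
                     GEN_BREAK(SECFailure);
                 }
                 rv = CERT_ChangeCertTrust(handle, cert, trust);
@@ -803,7 +811,7 @@
             keyName = NULL;
             cert = PK11_GetCertFromPrivateKey(node->key);
             if (cert) {
-                if (cert->nickname && !cert->nickname[0]) {
+                if (cert->nickname && cert->nickname[0]) {
                     keyName = PORT_Strdup(cert->nickname);
                 } else if (cert->emailAddr && cert->emailAddr[0]) {
                     keyName = PORT_Strdup(cert->emailAddr);
@@ -940,8 +948,11 @@
     FPS "\t%s -B -i batch-file\n", progName);
     FPS "\t%s -C [-c issuer-name | -x] -i cert-request-file -o cert-file\n"
         "\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
-        "\t\t [-f pwfile] [-d certdir] [-P dbprefix] [-1] [-2] [-3] [-4] [-5]\n"
-        "\t\t [-6] [-7 emailAddrs] [-8 dns-names] [-a]\n",
+        "\t\t [-f pwfile] [-d certdir] [-P dbprefix]\n"
+        "\t\t [-1 | --keyUsage [keyUsageKeyword,..]] [-2] [-3] [-4]\n"
+        "\t\t [-5 | --nsCertType [nsCertTypeKeyword,...]]\n"
+        "\t\t [-6 | --extKeyUsage [extKeyUsageKeyword,...]] [-7 emailAddrs]\n"
+        "\t\t [-8 dns-names] [-a]\n",
         progName);
     FPS "\t%s -D -n cert-name [-d certdir] [-P dbprefix]\n", progName);
     FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
@@ -1049,18 +1060,29 @@
         "   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
         "   -P dbprefix");
-    FPS "%-20s Create key usage extension\n",
-        "   -1 ");
+    FPS "%-20s \n"
+              "%-20s Create key usage extension. Possible keywords:\n"
+              "%-20s \"digitalSignature\", \"nonRepudiation\", \"keyEncipherment\",\n"
+              "%-20s \"dataEncipherment\", \"keyAgreement\", \"certSigning\",\n"
+              "%-20s \"crlSigning\", \"critical\"\n",
+        "   -1 | --keyUsage keyword,keyword,...", "", "", "", "");
     FPS "%-20s Create basic constraint extension\n",
         "   -2 ");
     FPS "%-20s Create authority key ID extension\n",
         "   -3 ");
     FPS "%-20s Create crl distribution point extension\n",
         "   -4 ");
-    FPS "%-20s Create netscape cert type extension\n",
-        "   -5 ");
-    FPS "%-20s Create extended key usage extension\n",
-        "   -6 ");
+    FPS "%-20s \n"
+              "%-20s Create netscape cert type extension. Possible keywords:\n"
+              "%-20s \"sslClient\", \"sslServer\", \"smime\", \"objectSigning\",\n"
+              "%-20s \"sslCA\", \"smimeCA\", \"objectSigningCA\", \"critical\".\n",
+        "   -5 | -nsCertType keyword,keyword,... ", "", "", "");
+    FPS "%-20s \n"
+              "%-20s Create extended key usage extension. Possible keywords:\n"
+              "%-20s \"serverAuth\", \"clientAuth\",\"codeSigning\",\n"
+              "%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
+              "%-20s \"stepUp\", \"critical\"\n",
+        "   -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
     FPS "%-20s Create an email subject alt name extension\n",
         "   -7 emailAddrs");
     FPS "%-20s Create an dns subject alt name extension\n",
@@ -1803,6 +1825,9 @@
     opt_AddPolicyConstrExt,
     opt_AddInhibAnyExt,
     opt_AddSubjectKeyIDExt,
+    opt_AddCmdKeyUsageExt,
+    opt_AddCmdNSCertTypeExt,
+    opt_AddCmdExtKeyUsageExt,
     opt_SourceDir,
     opt_SourcePrefix,
     opt_UpgradeID,
@@ -1888,6 +1913,13 @@
         { /* opt_AddInhibAnyExt      */  0,   PR_FALSE, 0, PR_FALSE, "extIA" },
         { /* opt_AddSubjectKeyIDExt  */  0,   PR_FALSE, 0, PR_FALSE, 
                                                    "extSKID" },
+        { /* opt_AddCmdKeyUsageExt   */  0,   PR_TRUE,  0, PR_FALSE,
+                                                   "keyUsage" },
+        { /* opt_AddCmdNSCertTypeExt */   0,   PR_TRUE,  0, PR_FALSE,
+                                                   "nsCertType" },
+        { /* opt_AddCmdExtKeyUsageExt*/  0,   PR_TRUE,  0, PR_FALSE,
+                                                   "extKeyUsage" },
+
         { /* opt_SourceDir           */  0,   PR_TRUE,  0, PR_FALSE,
                                                    "source-dir"},
         { /* opt_SourcePrefix        */  0,   PR_TRUE,  0, PR_FALSE, 
@@ -2551,14 +2583,6 @@
     }
     /*  Modify trust attribute for cert (-M)  */
     if (certutil.commands[cmd_ModifyCertTrust].activated) {
-        if (PK11_IsFIPS() || !PK11_IsFriendly(slot)) {
-            rv = PK11_Authenticate(slot, PR_TRUE, &pwdata);
-            if (rv != SECSuccess) {
-                SECU_PrintError(progName, "could not authenticate to token %s.",
-                                PK11_GetTokenName(slot));
-                goto shutdown;
-            }
-        }
         rv = ChangeTrustAttributes(certHandle, slot, name, 
                                    certutil.options[opt_Trust].arg, &pwdata);
         goto shutdown;
@@ -2676,31 +2700,54 @@
     if (certutil.commands[cmd_CertReq].activated ||
         certutil.commands[cmd_CreateAndAddCert].activated ||
         certutil.commands[cmd_CreateNewCert].activated) {
-        certutil_extns[ext_keyUsage] =
-                                certutil.options[opt_AddKeyUsageExt].activated;
-        certutil_extns[ext_basicConstraint] =
+        certutil_extns[ext_keyUsage].activated =
+            certutil.options[opt_AddCmdKeyUsageExt].activated;
+        if (!certutil_extns[ext_keyUsage].activated) {
+            certutil_extns[ext_keyUsage].activated =
+                certutil.options[opt_AddKeyUsageExt].activated;
+        } else {
+            certutil_extns[ext_keyUsage].arg =
+                certutil.options[opt_AddCmdKeyUsageExt].arg;
+        }
+        certutil_extns[ext_basicConstraint].activated =
                                 certutil.options[opt_AddBasicConstraintExt].activated;
-        certutil_extns[ext_authorityKeyID] =
+        certutil_extns[ext_authorityKeyID].activated =
                                 certutil.options[opt_AddAuthorityKeyIDExt].activated;
-        certutil_extns[ext_subjectKeyID] =
+        certutil_extns[ext_subjectKeyID].activated =
                                 certutil.options[opt_AddSubjectKeyIDExt].activated;
-        certutil_extns[ext_CRLDistPts] =
+        certutil_extns[ext_CRLDistPts].activated =
                                 certutil.options[opt_AddCRLDistPtsExt].activated;
-        certutil_extns[ext_NSCertType] =
-                                certutil.options[opt_AddNSCertTypeExt].activated;
-        certutil_extns[ext_extKeyUsage] =
-                                certutil.options[opt_AddExtKeyUsageExt].activated;
-        certutil_extns[ext_authInfoAcc] =
+        certutil_extns[ext_NSCertType].activated =
+            certutil.options[opt_AddCmdNSCertTypeExt].activated;
+        if (!certutil_extns[ext_NSCertType].activated) {
+            certutil_extns[ext_NSCertType].activated =
+                certutil.options[opt_AddNSCertTypeExt].activated;
+        } else {
+            certutil_extns[ext_NSCertType].arg =
+                certutil.options[opt_AddCmdNSCertTypeExt].arg;
+        }
+
+        certutil_extns[ext_extKeyUsage].activated =
+            certutil.options[opt_AddCmdExtKeyUsageExt].activated;
+        if (!certutil_extns[ext_extKeyUsage].activated) {
+            certutil_extns[ext_extKeyUsage].activated =
+                certutil.options[opt_AddExtKeyUsageExt].activated;
+        } else {
+            certutil_extns[ext_extKeyUsage].arg =
+                certutil.options[opt_AddCmdExtKeyUsageExt].arg;
+        }
+
+        certutil_extns[ext_authInfoAcc].activated =
                                 certutil.options[opt_AddAuthInfoAccExt].activated;
-        certutil_extns[ext_subjInfoAcc] =
+        certutil_extns[ext_subjInfoAcc].activated =
                                 certutil.options[opt_AddSubjInfoAccExt].activated;
-        certutil_extns[ext_certPolicies] =
+        certutil_extns[ext_certPolicies].activated =
                                 certutil.options[opt_AddCertPoliciesExt].activated;
-        certutil_extns[ext_policyMappings] =
+        certutil_extns[ext_policyMappings].activated =
                                 certutil.options[opt_AddPolicyMapExt].activated;
-        certutil_extns[ext_policyConstr] =
+        certutil_extns[ext_policyConstr].activated =
                                 certutil.options[opt_AddPolicyConstrExt].activated;
-        certutil_extns[ext_inhibitAnyPolicy] =
+        certutil_extns[ext_inhibitAnyPolicy].activated =
                                 certutil.options[opt_AddInhibAnyExt].activated;
     }
     /*
@@ -2730,7 +2777,7 @@
      *  and output the cert to another file.
      */
     if (certutil.commands[cmd_CreateAndAddCert].activated) {
-        static certutilExtnList nullextnlist = {PR_FALSE};
+        static certutilExtnList nullextnlist = {{PR_FALSE, NULL}};
         rv = CertReq(privkey, pubkey, keytype, hashAlgTag, subject,
                      certutil.options[opt_PhoneNumber].arg,
                      certutil.options[opt_ASCIIForIO].activated,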
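Review bot: Nothing at the -M call site (new lines 2585-2588) records that token login is now deferred to ChangeTrustAttributes, and the import path at new lines 180-200 has only the "sigh" comment to explain the same pattern. Both paths now call PK11_Authenticate only when the first attempt fails with exactly SEC_ERROR_TOKEN_NOT_LOGGED_IN, so a module that reports a missing login through a different error code would fail without ever prompting. That fails closed, but it is worth confirming in FIPS mode, where the removed code logged in unconditionally. I would add a comment above the -M call such as `/* Login is deferred: ChangeTrustAttributes authenticates and retries on SEC_ERROR_TOKEN_NOT_LOGGED_IN. */`. Separately, the help text at new line 1079 prints `-nsCertType` with a single dash while the synopsis at new line 953 uses `--nsCertType`; the enclosing functions start and end outside these hunks.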