Back to index

lightning-sunbird  0.9+nobinonly
Defines | Functions | Variables
crlutil.c File Reference
#include "nspr.h"
#include "plgetopt.h"
#include "secutil.h"
#include "cert.h"
#include "certi.h"
#include "certdb.h"
#include "nss.h"
#include "pk11func.h"
#include "crlgen.h"

Go to the source code of this file.

Defines

#define SEC_CERT_DB_EXISTS   0
#define SEC_CREATE_CERT_DB   1

Functions

static CERTSignedCrl * FindCRL (CERTCertDBHandle *certHandle, char *name, int type)
static void DisplayCRL (CERTCertDBHandle *certHandle, char *nickName, int crlType)
static void ListCRLNames (CERTCertDBHandle *certHandle, int crlType, PRBool deletecrls)
static void ListCRL (CERTCertDBHandle *certHandle, char *nickName, int crlType)
static SECStatus DeleteCRL (CERTCertDBHandle *certHandle, char *name, int type)
SECStatus ImportCRL (CERTCertDBHandle *certHandle, char *url, int type, PRFileDesc *inFile, PRInt32 importOptions, PRInt32 decodeOptions)
static CERTCertificate * FindSigningCert (CERTCertDBHandle *certHandle, CERTSignedCrl *signCrl, char *certNickName)
static CERTSignedCrl * CreateModifiedCRLCopy (PRArenaPool *arena, CERTCertDBHandle *certHandle, CERTCertificate **cert, char *certNickName, PRFileDesc *inFile, PRInt32 decodeOptions, PRInt32 importOptions)
static CERTSignedCrl * CreateNewCrl (PRArenaPool *arena, CERTCertDBHandle *certHandle, CERTCertificate *cert)
static SECStatus UpdateCrl (CERTSignedCrl *signCrl, PRFileDesc *inCrlInitFile)
static SECStatus SignAndStoreCrl (CERTSignedCrl *signCrl, CERTCertificate *cert, char *outFileName, SECOidTag hashAlgTag, int ascii, char *slotName, char *url, secuPWData *pwdata)
static SECStatus GenerateCRL (CERTCertDBHandle *certHandle, char *certNickName, PRFileDesc *inCrlInitFile, PRFileDesc *inFile, char *outFileName, int ascii, char *slotName, PRInt32 importOptions, char *alg, PRBool quiet, PRInt32 decodeOptions, char *url, secuPWData *pwdata, int modifyFlag)
static void Usage (char *progName)
int main (int argc, char **argv)
 The Xalan testcases app.

Variables

static char * progName

Define Documentation

Definition at line 55 of file crlutil.c.

Definition at line 56 of file crlutil.c.


Function Documentation

static CERTSignedCrl* CreateModifiedCRLCopy ( PRArenaPool arena,
CERTCertDBHandle *  certHandle,
CERTCertificate **  cert,
char *  certNickName,
PRFileDesc inFile,
PRInt32  decodeOptions,
PRInt32  importOptions 
) [static]

Definition at line 354 of file crlutil.c.

{
    SECItem crlDER;
    CERTSignedCrl *signCrl = NULL;
    CERTSignedCrl *modCrl = NULL;
    PRArenaPool *modArena = NULL;
    SECStatus rv = SECSuccess;

    PORT_Assert(arena != NULL && certHandle != NULL &&
                certNickName != NULL);
    if (!arena || !certHandle || !certNickName) {
        SECU_PrintError(progName, "CreateModifiedCRLCopy: invalid args\n");
        return NULL;
    }

    modArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
    if (!modArena) {
        SECU_PrintError(progName, "fail to allocate memory\n");
        return NULL;
    }
    
    if (inFile != NULL) {
        rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
        if (rv != SECSuccess) {
            SECU_PrintError(progName, "unable to read input file");
            PORT_FreeArena(modArena, PR_FALSE);
            goto loser;
        }
        
        decodeOptions |= CRL_DECODE_DONT_COPY_DER;
        
        modCrl = CERT_DecodeDERCrlWithFlags(modArena, &crlDER, SEC_CRL_TYPE,
                                            decodeOptions);
        if (!modCrl) {
            SECU_PrintError(progName, "fail to decode CRL");
            goto loser;
        }
        
        if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)){
            /* If caCert is a v2 certificate, make sure that it
             * can be used for crl signing purpose */
            *cert = FindSigningCert(certHandle, modCrl, NULL);
            if (!*cert) {
                goto loser;
            }

            rv = CERT_VerifySignedData(&modCrl->signatureWrap, *cert,
                                       PR_Now(), NULL);
            if (rv != SECSuccess) {
                SECU_PrintError(progName, "fail to verify signed data\n");
                goto loser;
            }
        }
    } else {
        modCrl = FindCRL(certHandle, certNickName, SEC_CRL_TYPE);
        if (!modCrl) {
            SECU_PrintError(progName, "fail to find crl %s in database\n",
                            certNickName);
            goto loser;
        }
    }

    signCrl = PORT_ArenaZNew(arena, CERTSignedCrl);
    if (signCrl == NULL) {
        SECU_PrintError(progName, "fail to allocate memory\n");
        goto loser;
    }

    rv = SECU_CopyCRL(arena, &signCrl->crl, &modCrl->crl);
    if (rv != SECSuccess) {
        SECU_PrintError(progName, "unable to dublicate crl for "
                        "modification.");
        goto loser;
    }  

    /* Make sure the update time is current. It can be modified later
     * by "update <time>" command from crl generation script */
    rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now());
    if (rv != SECSuccess) {
        SECU_PrintError(progName, "fail to encode current time\n");
        goto loser;
    }

    signCrl->arena = arena;

  loser:
    SECITEM_FreeItem(&crlDER, PR_FALSE);
    if (modCrl)
        SEC_DestroyCrl(modCrl);
    if (rv != SECSuccess && signCrl) {
        SEC_DestroyCrl(signCrl);
        signCrl = NULL;
    }
    return signCrl;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static CERTSignedCrl* CreateNewCrl ( PRArenaPool arena,
CERTCertDBHandle *  certHandle,
CERTCertificate *  cert 
) [static]

Definition at line 455 of file crlutil.c.

{ 
    CERTSignedCrl *signCrl = NULL;
    void *dummy = NULL;
    SECStatus rv;
    void* mark = NULL;

    /* if the CERTSignedCrl structure changes, this function will need to be
       updated as well */
    PORT_Assert(cert != NULL);
    if (!cert || !arena) {
        SECU_PrintError(progName, "invalid args for function "
                        "CreateNewCrl\n");
        return NULL;
    }

    mark = PORT_ArenaMark(arena);
        
    signCrl = PORT_ArenaZNew(arena, CERTSignedCrl);
    if (signCrl == NULL) {
        SECU_PrintError(progName, "fail to allocate memory\n");
        return NULL;
    }

    dummy = SEC_ASN1EncodeInteger(arena, &signCrl->crl.version,
                                  SEC_CRL_VERSION_2);
    /* set crl->version */
    if (!dummy) {
        SECU_PrintError(progName, "fail to create crl version data "
                        "container\n");
        goto loser;
    }
    
    /* copy SECItem name from cert */
    rv = SECITEM_CopyItem(arena, &signCrl->crl.derName, &cert->derSubject);
    if (rv != SECSuccess) {
        SECU_PrintError(progName, "fail to duplicate der name from "
                        "certificate.\n");
        goto loser;
    }
        
    /* copy CERTName name structure from cert issuer */
    rv = CERT_CopyName (arena, &signCrl->crl.name, &cert->subject);
    if (rv != SECSuccess) {
        SECU_PrintError(progName, "fail to duplicate RD name from "
                        "certificate.\n");
        goto loser;
    }

    rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now());
    if (rv != SECSuccess) {
        SECU_PrintError(progName, "fail to encode current time\n");
        goto loser;
    }

    /* set fields */
    signCrl->arena = arena;
    signCrl->dbhandle = certHandle;
    signCrl->crl.arena = arena;

    return signCrl;

  loser:
    PORT_ArenaRelease(arena, mark);
    return NULL;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static SECStatus DeleteCRL ( CERTCertDBHandle *  certHandle,
char *  name,
int  type 
) [static]

Definition at line 224 of file crlutil.c.

{
    CERTSignedCrl *crl = NULL;    
    SECStatus rv = SECFailure;

    crl = FindCRL (certHandle, name, type);
    if (!crl) {
       SECU_PrintError
              (progName, "could not find the issuer %s's CRL", name);
       return SECFailure;
    }
    rv = SEC_DeletePermCRL (crl);
    SEC_DestroyCrl(crl);
    if (rv != SECSuccess) {
       SECU_PrintError(progName, "fail to delete the issuer %s's CRL "
                       "from the perm database (reason: %s)",
                       name, SECU_Strerror(PORT_GetError()));
       return SECFailure;
    }
    return (rv);
}

Here is the call graph for this function:

Here is the caller graph for this function:

static void DisplayCRL ( CERTCertDBHandle *  certHandle,
char *  nickName,
int  crlType 
) [static]

Definition at line 109 of file crlutil.c.

{
    CERTSignedCrl *crl = NULL;

    crl = FindCRL (certHandle, nickName, crlType);
       
    if (crl) {
       SECU_PrintCRLInfo (stdout, &crl->crl, "CRL Info:\n", 0);
       SEC_DestroyCrl (crl);
    }
}

Here is the call graph for this function:

Here is the caller graph for this function:

static CERTSignedCrl* FindCRL ( CERTCertDBHandle *  certHandle,
char *  name,
int  type 
) [static]

Definition at line 61 of file crlutil.c.

{
    CERTSignedCrl *crl = NULL;    
    CERTCertificate *cert = NULL;
    SECItem derName;

    derName.data = NULL;
    derName.len = 0;

    cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, name);
    if (!cert) {
        CERTName *certName = NULL;
        PRArenaPool *arena = NULL;
    
        certName = CERT_AsciiToName(name);
        if (certName) {
            arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
            if (arena) {
                SECItem *nameItem = 
                    SEC_ASN1EncodeItem (arena, NULL, (void *)certName,
                                        SEC_ASN1_GET(CERT_NameTemplate));
                if (nameItem) {
                    SECITEM_CopyItem(NULL, &derName, nameItem);
                }
                PORT_FreeArena(arena, PR_FALSE);
            }
            CERT_DestroyName(certName);
        }

        if (!derName.len || !derName.data) {
            SECU_PrintError(progName, "could not find certificate named '%s'", name);
            return ((CERTSignedCrl *)NULL);
        }
    } else {
        SECITEM_CopyItem(NULL, &derName, &cert->derSubject);
        CERT_DestroyCertificate (cert);
    }
 
    crl = SEC_FindCrlByName(certHandle, &derName, type);
    if (crl ==NULL) 
       SECU_PrintError
              (progName, "could not find %s's CRL", name);
    if (derName.data) {
        SECITEM_FreeItem(&derName, PR_FALSE);
    }
    return (crl);
}

Here is the call graph for this function:

Here is the caller graph for this function:

static CERTCertificate* FindSigningCert ( CERTCertDBHandle *  certHandle,
CERTSignedCrl *  signCrl,
char *  certNickName 
) [static]

Definition at line 306 of file crlutil.c.

{                   
    CERTCertificate *cert = NULL, *certTemp = NULL;
    SECStatus rv = SECFailure;
    CERTAuthKeyID* authorityKeyID = NULL;
    SECItem* subject = NULL;

    PORT_Assert(certHandle != NULL);
    if (!certHandle || (!signCrl && !certNickName)) {
        SECU_PrintError(progName, "invalid args for function "
                        "FindSigningCert \n");
        return NULL;
    }

    if (signCrl) {
#if 0
        authorityKeyID = SECU_FindCRLAuthKeyIDExten(tmpArena, scrl);
#endif
        subject = &signCrl->crl.derName;
    } else {
        certTemp = CERT_FindCertByNickname(certHandle, certNickName);
        if (!certTemp) {
            SECU_PrintError(progName, "could not find certificate \"%s\" "
                            "in database", certNickName);
            goto loser;
        }
        subject = &certTemp->derSubject;
    }

    cert = SECU_FindCrlIssuer(certHandle, subject, authorityKeyID, PR_Now());
    if (!cert) {
        SECU_PrintError(progName, "could not find signing certificate "
                        "in database");
        goto loser;
    } else {
        rv = SECSuccess;
    }

  loser:
    if (certTemp)
        CERT_DestroyCertificate(certTemp);
    if (cert && rv != SECSuccess)
        CERT_DestroyCertificate(cert);
    return cert;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static SECStatus GenerateCRL ( CERTCertDBHandle *  certHandle,
char *  certNickName,
PRFileDesc inCrlInitFile,
PRFileDesc inFile,
char *  outFileName,
int  ascii,
char *  slotName,
PRInt32  importOptions,
char *  alg,
PRBool  quiet,
PRInt32  decodeOptions,
char *  url,
secuPWData pwdata,
int  modifyFlag 
) [static]

Definition at line 655 of file crlutil.c.

{
    CERTCertificate *cert = NULL;
    CERTSignedCrl *signCrl = NULL;
    PRArenaPool *arena = NULL;
    SECStatus rv;
    SECOidTag hashAlgTag = SEC_OID_UNKNOWN;

    if (alg) {
        hashAlgTag = SECU_StringToSignatureAlgTag(alg);
        if (hashAlgTag == SEC_OID_UNKNOWN) {
            SECU_PrintError(progName, "%s -Z:  %s is not a recognized type.\n",
                            progName, alg);
            return SECFailure;
        }
    } else {
        hashAlgTag = SEC_OID_UNKNOWN;
    }

    arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
    if (!arena) {
        SECU_PrintError(progName, "fail to allocate memory\n");
        return SECFailure;
    }

    if (modifyFlag == PR_TRUE) {
        signCrl = CreateModifiedCRLCopy(arena, certHandle, &cert, certNickName,
                                         inFile, decodeOptions, importOptions);
        if (signCrl == NULL) {
            goto loser;
        }
    }

    if (!cert) {
        cert = FindSigningCert(certHandle, signCrl, certNickName);
        if (cert == NULL) {
            goto loser;
        }
    }

    if (!signCrl) {
        if (modifyFlag == PR_TRUE) {
            if (!outFileName) {
                int len = strlen(certNickName) + 5;
                outFileName = PORT_ArenaAlloc(arena, len);
                PR_snprintf(outFileName, len, "%s.crl", certNickName);
            }
            SECU_PrintError(progName, "Will try to generate crl. "
                            "It will be saved in file: %s",
                            outFileName);
        }
        signCrl = CreateNewCrl(arena, certHandle, cert);
        if (!signCrl)
            goto loser;
    }

    rv = UpdateCrl(signCrl, inCrlInitFile);
    if (rv != SECSuccess) {
        goto loser;
    }

    rv = SignAndStoreCrl(signCrl, cert, outFileName, hashAlgTag, ascii,
                         slotName, url, pwdata);
    if (rv != SECSuccess) {
        goto loser;
    }

    if (signCrl && !quiet) {
       SECU_PrintCRLInfo (stdout, &signCrl->crl, "CRL Info:\n", 0);
    }

  loser:
    if (arena && (!signCrl || !signCrl->arena))
        PORT_FreeArena (arena, PR_FALSE);
    if (signCrl)
       SEC_DestroyCrl (signCrl);
    if (cert)
       CERT_DestroyCertificate (cert);
    return (rv);
}

Here is the call graph for this function:

Here is the caller graph for this function:

SECStatus ImportCRL ( CERTCertDBHandle *  certHandle,
char *  url,
int  type,
PRFileDesc inFile,
PRInt32  importOptions,
PRInt32  decodeOptions 
)

Definition at line 246 of file crlutil.c.

{
    CERTSignedCrl *crl = NULL;
    SECItem crlDER;
    PK11SlotInfo* slot = NULL;
    int rv;
#if defined(DEBUG_jpierre)
    PRIntervalTime starttime, endtime, elapsed;
    PRUint32 mins, secs, msecs;
#endif

    crlDER.data = NULL;


    /* Read in the entire file specified with the -f argument */
    rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
    if (rv != SECSuccess) {
       SECU_PrintError(progName, "unable to read input file");
       return (SECFailure);
    }

    decodeOptions |= CRL_DECODE_DONT_COPY_DER;

    slot = PK11_GetInternalKeySlot();
 
#if defined(DEBUG_jpierre)
    starttime = PR_IntervalNow();
#endif
    crl = PK11_ImportCRL(slot, &crlDER, url, type,
          NULL, importOptions, NULL, decodeOptions);
#if defined(DEBUG_jpierre)
    endtime = PR_IntervalNow();
    elapsed = endtime - starttime;
    mins = PR_IntervalToSeconds(elapsed) / 60;
    secs = PR_IntervalToSeconds(elapsed) % 60;
    msecs = PR_IntervalToMilliseconds(elapsed) % 1000;
    printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs);
#endif
    if (!crl) {
       const char *errString;

       rv = SECFailure;
       errString = SECU_Strerror(PORT_GetError());
       if ( errString && PORT_Strlen (errString) == 0)
           SECU_PrintError (progName, 
               "CRL is not imported (error: input CRL is not up to date.)");
       else    
           SECU_PrintError (progName, "unable to import CRL");
    } else {
       SEC_DestroyCrl (crl);
    }
    if (slot) {
        PK11_FreeSlot(slot);
    }
    return (rv);
}

Here is the call graph for this function:

Here is the caller graph for this function:

static void ListCRL ( CERTCertDBHandle *  certHandle,
char *  nickName,
int  crlType 
) [static]

Definition at line 214 of file crlutil.c.

{
    if (nickName == NULL)
       ListCRLNames (certHandle, crlType, PR_FALSE);
    else
       DisplayCRL (certHandle, nickName, crlType);
}

Here is the call graph for this function:

Here is the caller graph for this function:

static void ListCRLNames ( CERTCertDBHandle *  certHandle,
int  crlType,
PRBool  deletecrls 
) [static]

Definition at line 121 of file crlutil.c.

{
    CERTCrlHeadNode *crlList = NULL;
    CERTCrlNode *crlNode = NULL;
    CERTName *name = NULL;
    PRArenaPool *arena = NULL;
    SECStatus rv;

    do {
       arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
       if (arena == NULL) {
           fprintf(stderr, "%s: fail to allocate memory\n", progName);
           break;
       }
       
       name = PORT_ArenaZAlloc (arena, sizeof(*name));
       if (name == NULL) {
           fprintf(stderr, "%s: fail to allocate memory\n", progName);
           break;
       }
       name->arena = arena;
           
       rv = SEC_LookupCrls (certHandle, &crlList, crlType);
       if (rv != SECSuccess) {
           fprintf(stderr, "%s: fail to look up CRLs (%s)\n", progName,
           SECU_Strerror(PORT_GetError()));
           break;
       }
       
       /* just in case */
       if (!crlList)
           break;

       crlNode  = crlList->first;

        fprintf (stdout, "\n");
       fprintf (stdout, "\n%-40s %-5s\n\n", "CRL names", "CRL Type");
       while (crlNode) {
           char* asciiname = NULL;
           CERTCertificate *cert = NULL;
           if (crlNode->crl && &crlNode->crl->crl.derName) {
               cert = CERT_FindCertByName(certHandle, 
                                          &crlNode->crl->crl.derName);
               if (!cert) {
                   SECU_PrintError(progName, "could not find signing "
                                "certificate in database");
               }
           }
           if (cert) {
               char* certName = NULL;
                 if (cert->nickname && PORT_Strlen(cert->nickname) > 0) {
                   certName = cert->nickname;
               } else if (cert->emailAddr && PORT_Strlen(cert->emailAddr) > 0) {
                   certName = cert->emailAddr;
               }
               if (certName) {
                   asciiname = PORT_Strdup(certName);
               }
               CERT_DestroyCertificate(cert);
           }
                
           if (!asciiname) {
               name = &crlNode->crl->crl.name;
               if (!name){
                   SECU_PrintError(progName, "fail to get the CRL "
                                  "issuer name");
                   continue;
               }
               asciiname = CERT_NameToAscii(name);
           }
           fprintf (stdout, "%-40s %-5s\n", asciiname, "CRL");
           if (asciiname) {
              PORT_Free(asciiname);
           }
            if ( PR_TRUE == deletecrls) {
                CERTSignedCrl* acrl = NULL;
                SECItem* issuer = &crlNode->crl->crl.derName;
                acrl = SEC_FindCrlByName(certHandle, issuer, crlType);
                if (acrl)
                {
                    SEC_DeletePermCRL(acrl);
                    SEC_DestroyCrl(acrl);
                }
            }
            crlNode = crlNode->next;
       } 
       
    } while (0);
    if (crlList)
       PORT_FreeArena (crlList->arena, PR_FALSE);
    PORT_FreeArena (arena, PR_FALSE);
}

Here is the call graph for this function:

Here is the caller graph for this function:

int main ( int  argc,
char **  argv 
)

The Xalan testcases app.

Definition at line 823 of file crlutil.c.

{
    SECItem privKeyDER;
    CERTCertDBHandle *certHandle;
    FILE *certFile;
    PRFileDesc *inFile;
    PRFileDesc *inCrlInitFile = NULL;
    int generateCRL;
    int modifyCRL;
    int listCRL;
    int importCRL;
    int deleteCRL;
    int rv;
    char *nickName;
    char *url;
    char *dbPrefix = "";
    char *alg = NULL;
    char *outFile = NULL;
    char *slotName = NULL;
    int ascii = 0;
    int crlType;
    PLOptState *optstate;
    PLOptStatus status;
    SECStatus secstatus;
    PRInt32 decodeOptions = CRL_DECODE_DEFAULT_OPTIONS;
    PRInt32 importOptions = CRL_IMPORT_DEFAULT_OPTIONS;
    PRBool quiet = PR_FALSE;
    PRBool test = PR_FALSE;
    PRBool erase = PR_FALSE;
    PRInt32 i = 0;
    PRInt32 iterations = 1;

    secuPWData  pwdata          = { PW_NONE, 0 };

    progName = strrchr(argv[0], '/');
    progName = progName ? progName+1 : argv[0];

    rv = 0;
    deleteCRL = importCRL = listCRL = generateCRL = modifyCRL = 0;
    certFile = NULL;
    inFile = NULL;
    nickName = url = NULL;
    privKeyDER.data = NULL;
    certHandle = NULL;
    crlType = SEC_CRL_TYPE;
    /*
     * Parse command line arguments
     */
    optstate = PL_CreateOptState(argc, argv, "sqBCDGILMTEP:f:d:i:h:n:p:t:u:r:aZ:o:c:");
    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
       switch (optstate->option) {
         case '?':
           Usage(progName);
           break;

          case 'T':
            test = PR_TRUE;
            break;

          case 'E':
            erase = PR_TRUE;
            break;

         case 'B':
            importOptions |= CRL_IMPORT_BYPASS_CHECKS;
            break;

         case 'G':
           generateCRL = 1;
           break;

          case 'M':
            modifyCRL = 1;
            break;

         case 'D':
             deleteCRL = 1;
             break;

         case 'I':
             importCRL = 1;
             break;
                  
         case 'C':
         case 'L':
             listCRL = 1;
             break;

         case 'P':
           dbPrefix = strdup(optstate->value);
           break;
              
         case 'Z':
              alg = strdup(optstate->value);
              break;
              
         case 'a':
             ascii = 1;
             break;

         case 'c':
              inCrlInitFile = PR_Open(optstate->value, PR_RDONLY, 0);
              if (!inCrlInitFile) {
                  PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
                             progName, optstate->value);
                  PL_DestroyOptState(optstate);
                  return -1;
              }
              break;
           
         case 'd':
              SECU_ConfigDirectory(optstate->value);
              break;

         case 'f':
             pwdata.source = PW_FROMFILE;
             pwdata.data = strdup(optstate->value);
             break;

         case 'h':
              slotName = strdup(optstate->value);
              break;

         case 'i':
           inFile = PR_Open(optstate->value, PR_RDONLY, 0);
           if (!inFile) {
              PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
                     progName, optstate->value);
              PL_DestroyOptState(optstate);
              return -1;
           }
           break;
           
         case 'n':
           nickName = strdup(optstate->value);
           break;

         case 'o':
           outFile = strdup(optstate->value);
           break;
           
         case 'p':
           decodeOptions |= CRL_DECODE_SKIP_ENTRIES;
           break;

         case 'r': {
           const char* str = optstate->value;
           if (str && atoi(str)>0)
              iterations = atoi(str);
           }
           break;
           
         case 't': {
           char *type;
           
           type = strdup(optstate->value);
           crlType = atoi (type);
           if (crlType != SEC_CRL_TYPE && crlType != SEC_KRL_TYPE) {
              PR_fprintf(PR_STDERR, "%s: invalid crl type\n", progName);
              PL_DestroyOptState(optstate);
              return -1;
           }
           break;

         case 'q':
            quiet = PR_TRUE;
           break;

         case 'w':
             pwdata.source = PW_PLAINTEXT;
             pwdata.data = strdup(optstate->value);
             break;

         case 'u':
           url = strdup(optstate->value);
           break;

          }
       }
    }
    PL_DestroyOptState(optstate);

    if (deleteCRL && !nickName) Usage (progName);
    if (importCRL && !inFile) Usage (progName);
    if ((generateCRL && !nickName) ||
        (modifyCRL && !inFile && !nickName)) Usage (progName);
    if (!(listCRL || deleteCRL || importCRL || generateCRL ||
         modifyCRL || test || erase)) Usage (progName);
    
    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);

    PK11_SetPasswordFunc(SECU_GetModulePassword);

    secstatus = NSS_Initialize(SECU_ConfigDirectory(NULL), dbPrefix, dbPrefix,
                            "secmod.db", 0);
    if (secstatus != SECSuccess) {
       SECU_PrintPRandOSError(progName);
       return -1;
    }
    SECU_RegisterDynamicOids();

    certHandle = CERT_GetDefaultCertDB();
    if (certHandle == NULL) {
       SECU_PrintError(progName, "unable to open the cert db");              
       /*ignoring return value of NSS_Shutdown() as code returns -1*/
       (void) NSS_Shutdown();
       return (-1);
    }

    CRLGEN_InitCrlGenParserLock();

    for (i=0; i<iterations; i++) {
       /* Read in the private key info */
       if (deleteCRL) 
           DeleteCRL (certHandle, nickName, crlType);
       else if (listCRL) {
           ListCRL (certHandle, nickName, crlType);
       }
       else if (importCRL) {
           rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
                         decodeOptions);
       } else if (generateCRL || modifyCRL) {
           if (!inCrlInitFile)
              inCrlInitFile = PR_STDIN;
           rv = GenerateCRL (certHandle, nickName, inCrlInitFile,
                           inFile, outFile, ascii,  slotName,
                           importOptions, alg, quiet,
                           decodeOptions, url, &pwdata,
                           modifyCRL);
       }
       else if (erase) {
           /* list and delete all CRLs */
           ListCRLNames (certHandle, crlType, PR_TRUE);
       }
#ifdef DEBUG
       else if (test) {
           /* list and delete all CRLs */
           ListCRLNames (certHandle, crlType, PR_TRUE);
           /* list CRLs */
           ListCRLNames (certHandle, crlType, PR_FALSE);
           /* import CRL as a blob */
           rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
                         decodeOptions);
           /* list CRLs */
           ListCRLNames (certHandle, crlType, PR_FALSE);
       }
#endif    
    }

    CRLGEN_DestroyCrlGenParserLock();

    if (NSS_Shutdown() != SECSuccess) {
        rv = SECFailure;
    }

    return (rv != SECSuccess);
}

Here is the call graph for this function:

static SECStatus SignAndStoreCrl ( CERTSignedCrl *  signCrl,
CERTCertificate *  cert,
char *  outFileName,
SECOidTag  hashAlgTag,
int  ascii,
char *  slotName,
char *  url,
secuPWData pwdata 
) [static]

Definition at line 571 of file crlutil.c.

{
    PK11SlotInfo *slot = NULL;
    PRFileDesc   *outFile = NULL;
    SECStatus rv;
    SignAndEncodeFuncExitStat errCode;

    PORT_Assert(signCrl && (!ascii || outFileName));
    if (!signCrl || (ascii && !outFileName)) {
        SECU_PrintError(progName, "invalid args for function "
                        "SignAndStoreCrl\n");
        return SECFailure;
    }

    if (!slotName || !PL_strcmp(slotName, "internal"))
       slot = PK11_GetInternalKeySlot();
    else
       slot = PK11_FindSlotByName(slotName);
    if (!slot) {
       SECU_PrintError(progName, "can not find requested slot");
       return SECFailure;
    }

    if (PK11_NeedLogin(slot)) {
        rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
       if (rv != SECSuccess)
           goto loser;
    }

    rv = SECU_SignAndEncodeCRL(cert, signCrl, hashAlgTag, &errCode);
    if (rv != SECSuccess) {
        char* errMsg = NULL;
        switch (errCode)
        {
            case noKeyFound:
                errMsg = "No private key found of signing cert";
                break;

            case noSignatureMatch:
                errMsg = "Key and Algorithm OId are do not match";
                break;

            default:
            case failToEncode:
                errMsg = "Failed to encode crl structure";
                break;

            case failToSign:
                errMsg = "Failed to sign crl structure";
                break;

            case noMem:
                errMsg = "Can not allocate memory";
                break;
        }
       SECU_PrintError(progName, "%s\n", errMsg);
       goto loser;
    }

    if (outFileName) {
       outFile = PR_Open(outFileName, PR_WRONLY|PR_CREATE_FILE, PR_IRUSR | PR_IWUSR);
       if (!outFile) {
           SECU_PrintError(progName, "unable to open \"%s\" for writing\n",
                         outFileName);
           goto loser;
       }
    }

    rv = SECU_StoreCRL(slot, signCrl->derCrl, outFile, ascii, url);
    if (rv != SECSuccess) {
        SECU_PrintError(progName, "fail to save CRL\n");
    }

  loser:
    if (outFile)
       PR_Close(outFile);
    if (slot)
       PK11_FreeSlot(slot);
    return rv;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static SECStatus UpdateCrl ( CERTSignedCrl *  signCrl,
PRFileDesc inCrlInitFile 
) [static]

Definition at line 525 of file crlutil.c.

{
    CRLGENGeneratorData *crlGenData = NULL;
    SECStatus rv;
    
    PORT_Assert(signCrl != NULL && inCrlInitFile != NULL);
    if (!signCrl || !inCrlInitFile) {
        SECU_PrintError(progName, "invalid args for function "
                        "CreateNewCrl\n");
        return SECFailure;
    }

    crlGenData = CRLGEN_InitCrlGeneration(signCrl, inCrlInitFile);
    if (!crlGenData) {
       SECU_PrintError(progName, "can not initialize parser structure.\n");
       return SECFailure;
    }

    rv = CRLGEN_ExtHandleInit(crlGenData);
    if (rv == SECFailure) {
       SECU_PrintError(progName, "can not initialize entries handle.\n");
       goto loser;
    }
       
    rv = CRLGEN_StartCrlGen(crlGenData);
    if (rv != SECSuccess) {
       SECU_PrintError(progName, "crl generation failed");
       goto loser;
    }

  loser:
    /* CommitExtensionsAndEntries is partially responsible for freeing
     * up memory that was used for CRL generation. Should be called regardless
     * of previouse call status, but only after initialization of
     * crlGenData was done. It will commit all changes that was done before
     * an error has occured.
     */
    if (SECSuccess != CRLGEN_CommitExtensionsAndEntries(crlGenData)) {
        SECU_PrintError(progName, "crl generation failed");
        rv = SECFailure;
    }
    CRLGEN_FinalizeCrlGeneration(crlGenData);    
    return rv;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static void Usage ( char *  progName) [static]

Definition at line 741 of file crlutil.c.

{
    fprintf(stderr,
           "Usage:  %s -L [-n nickname] [-d keydir] [-P dbprefix] [-t crlType]\n"
           "        %s -D -n nickname [-d keydir] [-P dbprefix]\n"
           "        %s -I -i crl -t crlType [-u url] [-d keydir] [-P dbprefix] [-B] "
            "[-p pwd-file] -w [pwd-string]\n"
           "        %s -E -t crlType [-d keydir] [-P dbprefix]\n"
           "        %s -T\n"
           "        %s -G|-M -c crl-init-file -n nickname [-i crl] [-u url] "
            "[-d keydir] [-P dbprefix] [-Z alg] ] [-p pwd-file] -w [pwd-string] "
            "[-a] [-B]\n",
           progName, progName, progName, progName, progName, progName);

    fprintf (stderr, "%-15s List CRL\n", "-L");
    fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n",
           "-n nickname");
    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
           "-d keydir");
    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
           "-P dbprefix");
   
    fprintf (stderr, "%-15s Delete a CRL from the cert database\n", "-D");    
    fprintf(stderr, "%-20s Specify the nickname for the CA certificate\n",
           "-n nickname");
    fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
           "-d keydir");
    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
           "-P dbprefix");

    fprintf (stderr, "%-15s Erase all CRLs of specified type from hte cert database\n", "-E");
    fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
           "-d keydir");
    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
           "-P dbprefix");

    fprintf (stderr, "%-15s Import a CRL to the cert database\n", "-I");    
    fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n",
           "-i crl");
    fprintf(stderr, "%-20s Specify the url.\n", "-u url");
    fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
           "-d keydir");
    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
           "-P dbprefix");
#ifdef DEBUG
    fprintf (stderr, "%-15s Test . Only for debugging purposes. See source code\n", "-T");
#endif
    fprintf(stderr, "%-20s CRL Types (default is SEC_CRL_TYPE):\n", " ");
    fprintf(stderr, "%-20s \t 0 - SEC_KRL_TYPE\n", " ");
    fprintf(stderr, "%-20s \t 1 - SEC_CRL_TYPE\n", " ");        
    fprintf(stderr, "\n%-20s Bypass CA certificate checks.\n", "-B");
    fprintf(stderr, "\n%-20s Partial decode for faster operation.\n", "-p");
    fprintf(stderr, "%-20s Repeat the operation.\n", "-r <iterations>");
    fprintf(stderr, "\n%-15s Create CRL\n", "-G");
    fprintf(stderr, "%-15s Modify CRL\n", "-M");
    fprintf(stderr, "%-20s Specify crl initialization file\n",
           "-c crl-conf-file");
    fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n",
           "-n nickname");
    fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n",
           "-i crl");
    fprintf(stderr, "%-20s Specify a CRL output file\n",
           "-o crl-output-file");
    fprintf(stderr, "%-20s Specify to use base64 encoded CRL output format\n",
           "-a");
    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
           "-d keydir");
    fprintf(stderr, "%-20s Provide path to a default pwd file\n",
           "-f pwd-file");
    fprintf(stderr, "%-20s Provide db password in command line\n",
           "-w pwd-string");
    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
           "-P dbprefix");
    fprintf(stderr, "%-20s Specify the url.\n", "-u url");
    fprintf(stderr, "\n%-20s Bypass CA certificate checks.\n", "-B");

    exit(-1);
}

Here is the call graph for this function:


Variable Documentation

char* progName [static]

Definition at line 58 of file crlutil.c.