diff options
Diffstat (limited to 'security/nss/cmd/crlutil')
-rw-r--r-- | security/nss/cmd/crlutil/Makefile | 53 | ||||
-rw-r--r-- | security/nss/cmd/crlutil/crlgen.c | 1542 | ||||
-rw-r--r-- | security/nss/cmd/crlutil/crlgen.h | 178 | ||||
-rw-r--r-- | security/nss/cmd/crlutil/crlgen_lex.c | 1773 | ||||
-rw-r--r-- | security/nss/cmd/crlutil/crlgen_lex_fix.sed | 6 | ||||
-rw-r--r-- | security/nss/cmd/crlutil/crlgen_lex_orig.l | 181 | ||||
-rw-r--r-- | security/nss/cmd/crlutil/crlutil.c | 1153 | ||||
-rw-r--r-- | security/nss/cmd/crlutil/crlutil.gyp | 32 | ||||
-rw-r--r-- | security/nss/cmd/crlutil/manifest.mn | 25 |
9 files changed, 4943 insertions, 0 deletions
diff --git a/security/nss/cmd/crlutil/Makefile b/security/nss/cmd/crlutil/Makefile new file mode 100644 index 000000000..a61ae1c4c --- /dev/null +++ b/security/nss/cmd/crlutil/Makefile @@ -0,0 +1,53 @@ +#! gmake +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include ../platlibs.mk + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + +# +# crlgen_lex can be generated on linux by flex or solaris by lex +# +crlgen_lex: + ${LEX} -t crlgen_lex_orig.l > crlgen_lex_fix.c + sed -f crlgen_lex_fix.sed < crlgen_lex_fix.c > crlgen_lex.c + rm -f crlgen_lex_fix.c + +include ../platrules.mk diff --git a/security/nss/cmd/crlutil/crlgen.c b/security/nss/cmd/crlutil/crlgen.c new file mode 100644 index 000000000..1f9dc4b43 --- /dev/null +++ b/security/nss/cmd/crlutil/crlgen.c @@ -0,0 +1,1542 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* +** crlgen.c +** +** utility for managing certificates revocation lists generation +** +*/ + +#include <stdio.h> +#include <math.h> + +#include "nspr.h" +#include "plgetopt.h" +#include "nss.h" +#include "secutil.h" +#include "cert.h" +#include "certi.h" +#include "certdb.h" +#include "pk11func.h" +#include "crlgen.h" + +/* Destroys extHandle and data. data was create on heap. + * extHandle creaded by CERT_StartCRLEntryExtensions. entry + * was allocated on arena.*/ +static void +destroyEntryData(CRLGENEntryData *data) +{ + if (!data) + return; + PORT_Assert(data->entry); + if (data->extHandle) + CERT_FinishExtensions(data->extHandle); + PORT_Free(data); +} + +/* Prints error messages along with line number */ +void +crlgen_PrintError(int line, char *msg, ...) +{ + va_list args; + + va_start(args, msg); + + fprintf(stderr, "crlgen: (line: %d) ", line); + vfprintf(stderr, msg, args); + + va_end(args); +} +/* Finds CRLGENEntryData in hashtable according PRUint64 value + * - certId : cert serial number*/ +static CRLGENEntryData * +crlgen_FindEntry(CRLGENGeneratorData *crlGenData, SECItem *certId) +{ + if (!crlGenData->entryDataHashTable || !certId) + return NULL; + return (CRLGENEntryData *) + PL_HashTableLookup(crlGenData->entryDataHashTable, + certId); +} + +/* Removes CRLGENEntryData from hashtable according to certId + * - certId : cert serial number*/ +static SECStatus +crlgen_RmEntry(CRLGENGeneratorData *crlGenData, SECItem *certId) +{ + CRLGENEntryData *data = NULL; + SECStatus rv = SECSuccess; + + if (!crlGenData->entryDataHashTable) { + return SECSuccess; + } + + data = crlgen_FindEntry(crlGenData, certId); + if (!data) { + return SECSuccess; + } + + if (!PL_HashTableRemove(crlGenData->entryDataHashTable, certId)) { + rv = SECFailure; + } + + destroyEntryData(data); + return rv; +} + +/* Stores CRLGENEntryData in hashtable according to certId + * - certId : cert serial number*/ +static CRLGENEntryData * +crlgen_PlaceAnEntry(CRLGENGeneratorData *crlGenData, + CERTCrlEntry *entry, SECItem *certId) +{ + CRLGENEntryData *newData = NULL; + + PORT_Assert(crlGenData && crlGenData->entryDataHashTable && + entry); + if (!crlGenData || !crlGenData->entryDataHashTable || !entry) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + newData = PORT_ZNew(CRLGENEntryData); + if (!newData) { + return NULL; + } + newData->entry = entry; + newData->certId = certId; + if (!PL_HashTableAdd(crlGenData->entryDataHashTable, + newData->certId, newData)) { + crlgen_PrintError(crlGenData->parsedLineNum, + "Can not add entryData structure\n"); + return NULL; + } + return newData; +} + +/* Use this structure to keep pointer when commiting entries extensions */ +struct commitData { + int pos; + CERTCrlEntry **entries; +}; + +/* HT PL_HashTableEnumerateEntries callback. Sorts hashtable entries of the + * table he. Returns value through arg parameter*/ +static PRIntn PR_CALLBACK +crlgen_CommitEntryData(PLHashEntry *he, PRIntn i, void *arg) +{ + CRLGENEntryData *data = NULL; + + PORT_Assert(he); + if (!he) { + return HT_ENUMERATE_NEXT; + } + data = (CRLGENEntryData *)he->value; + + PORT_Assert(data); + PORT_Assert(arg); + + if (data) { + struct commitData *dt = (struct commitData *)arg; + dt->entries[dt->pos++] = data->entry; + destroyEntryData(data); + } + return HT_ENUMERATE_NEXT; +} + +/* Copy char * datainto allocated in arena SECItem */ +static SECStatus +crlgen_SetString(PLArenaPool *arena, const char *dataIn, SECItem *value) +{ + SECItem item; + + PORT_Assert(arena && dataIn); + if (!arena || !dataIn) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + item.data = (void *)dataIn; + item.len = PORT_Strlen(dataIn); + + return SECITEM_CopyItem(arena, value, &item); +} + +/* Creates CERTGeneralName from parsed data for the Authority Key Extension */ +static CERTGeneralName * +crlgen_GetGeneralName(PLArenaPool *arena, CRLGENGeneratorData *crlGenData, + const char *data) +{ + CERTGeneralName *namesList = NULL; + CERTGeneralName *current; + CERTGeneralName *tail = NULL; + SECStatus rv = SECSuccess; + const char *nextChunk = NULL; + const char *currData = NULL; + int intValue; + char buffer[512]; + void *mark; + + if (!data) + return NULL; + PORT_Assert(arena); + if (!arena) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + mark = PORT_ArenaMark(arena); + + nextChunk = data; + currData = data; + do { + int nameLen = 0; + char name[128]; + const char *sepPrt = NULL; + nextChunk = PORT_Strchr(currData, '|'); + if (!nextChunk) + nextChunk = data + strlen(data); + sepPrt = PORT_Strchr(currData, ':'); + if (sepPrt == NULL || sepPrt >= nextChunk) { + *buffer = '\0'; + sepPrt = nextChunk; + } else { + PORT_Memcpy(buffer, sepPrt + 1, + (nextChunk - sepPrt - 1)); + buffer[nextChunk - sepPrt - 1] = '\0'; + } + nameLen = PR_MIN(sepPrt - currData, sizeof(name) - 1); + PORT_Memcpy(name, currData, nameLen); + name[nameLen] = '\0'; + currData = nextChunk + 1; + + if (!PORT_Strcmp(name, "otherName")) + intValue = certOtherName; + else if (!PORT_Strcmp(name, "rfc822Name")) + intValue = certRFC822Name; + else if (!PORT_Strcmp(name, "dnsName")) + intValue = certDNSName; + else if (!PORT_Strcmp(name, "x400Address")) + intValue = certX400Address; + else if (!PORT_Strcmp(name, "directoryName")) + intValue = certDirectoryName; + else if (!PORT_Strcmp(name, "ediPartyName")) + intValue = certEDIPartyName; + else if (!PORT_Strcmp(name, "URI")) + intValue = certURI; + else if (!PORT_Strcmp(name, "ipAddress")) + intValue = certIPAddress; + else if (!PORT_Strcmp(name, "registerID")) + intValue = certRegisterID; + else + intValue = -1; + + if (intValue >= certOtherName && intValue <= certRegisterID) { + if (namesList == NULL) { + namesList = current = tail = PORT_ArenaZNew(arena, + CERTGeneralName); + } else { + current = PORT_ArenaZNew(arena, CERTGeneralName); + } + if (current == NULL) { + rv = SECFailure; + break; + } + } else { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + break; + } + current->type = intValue; + switch (current->type) { + case certURI: + case certDNSName: + case certRFC822Name: + current->name.other.data = PORT_ArenaAlloc(arena, strlen(buffer)); + if (current->name.other.data == NULL) { + rv = SECFailure; + break; + } + PORT_Memcpy(current->name.other.data, buffer, + current->name.other.len = strlen(buffer)); + break; + + case certEDIPartyName: + case certIPAddress: + case certOtherName: + case certRegisterID: + case certX400Address: { + + current->name.other.data = PORT_ArenaAlloc(arena, strlen(buffer) + 2); + if (current->name.other.data == NULL) { + rv = SECFailure; + break; + } + + PORT_Memcpy(current->name.other.data + 2, buffer, strlen(buffer)); + /* This may not be accurate for all cases.For now, use this tag type */ + current->name.other.data[0] = (char)(((current->type - 1) & 0x1f) | 0x80); + current->name.other.data[1] = (char)strlen(buffer); + current->name.other.len = strlen(buffer) + 2; + break; + } + + case certDirectoryName: { + CERTName *directoryName = NULL; + + directoryName = CERT_AsciiToName(buffer); + if (!directoryName) { + rv = SECFailure; + break; + } + + rv = CERT_CopyName(arena, ¤t->name.directoryName, directoryName); + CERT_DestroyName(directoryName); + + break; + } + } + if (rv != SECSuccess) + break; + current->l.next = &(namesList->l); + current->l.prev = &(tail->l); + tail->l.next = &(current->l); + tail = current; + + } while (nextChunk != data + strlen(data)); + + if (rv != SECSuccess) { + PORT_ArenaRelease(arena, mark); + namesList = NULL; + } + return (namesList); +} + +/* Creates CERTGeneralName from parsed data for the Authority Key Extension */ +static CERTGeneralName * +crlgen_DistinguishedName(PLArenaPool *arena, CRLGENGeneratorData *crlGenData, + const char *data) +{ + CERTName *directoryName = NULL; + CERTGeneralName *current; + SECStatus rv = SECFailure; + void *mark; + + if (!data) + return NULL; + PORT_Assert(arena); + if (!arena) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + mark = PORT_ArenaMark(arena); + + current = PORT_ArenaZNew(arena, CERTGeneralName); + if (current == NULL) { + goto loser; + } + current->type = certDirectoryName; + current->l.next = ¤t->l; + current->l.prev = ¤t->l; + + directoryName = CERT_AsciiToName((char *)data); + if (!directoryName) { + goto loser; + } + + rv = CERT_CopyName(arena, ¤t->name.directoryName, directoryName); + CERT_DestroyName(directoryName); + +loser: + if (rv != SECSuccess) { + PORT_SetError(rv); + PORT_ArenaRelease(arena, mark); + current = NULL; + } + return (current); +} + +/* Adding Authority Key ID extension to extension handle. */ +static SECStatus +crlgen_AddAuthKeyID(CRLGENGeneratorData *crlGenData, + const char **dataArr) +{ + void *extHandle = NULL; + CERTAuthKeyID *authKeyID = NULL; + PLArenaPool *arena = NULL; + SECStatus rv = SECSuccess; + + PORT_Assert(dataArr && crlGenData); + if (!crlGenData || !dataArr) { + return SECFailure; + } + + extHandle = crlGenData->crlExtHandle; + + if (!dataArr[0] || !dataArr[1] || !dataArr[2]) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "insufficient number of parameters.\n"); + return SECFailure; + } + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!arena) { + return SECFailure; + } + + authKeyID = PORT_ArenaZNew(arena, CERTAuthKeyID); + if (authKeyID == NULL) { + rv = SECFailure; + goto loser; + } + + if (dataArr[3] == NULL) { + rv = crlgen_SetString(arena, dataArr[2], &authKeyID->keyID); + if (rv != SECSuccess) + goto loser; + } else { + rv = crlgen_SetString(arena, dataArr[3], + &authKeyID->authCertSerialNumber); + if (rv != SECSuccess) + goto loser; + + authKeyID->authCertIssuer = + crlgen_DistinguishedName(arena, crlGenData, dataArr[2]); + if (authKeyID->authCertIssuer == NULL && SECFailure == PORT_GetError()) { + crlgen_PrintError(crlGenData->parsedLineNum, "syntax error.\n"); + rv = SECFailure; + goto loser; + } + } + + rv = + SECU_EncodeAndAddExtensionValue(arena, extHandle, authKeyID, + (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE, + SEC_OID_X509_AUTH_KEY_ID, + (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeAuthKeyID); +loser: + if (arena) + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +/* Creates and add Subject Alternative Names extension */ +static SECStatus +crlgen_AddIssuerAltNames(CRLGENGeneratorData *crlGenData, + const char **dataArr) +{ + CERTGeneralName *nameList = NULL; + PLArenaPool *arena = NULL; + void *extHandle = NULL; + SECStatus rv = SECSuccess; + + PORT_Assert(dataArr && crlGenData); + if (!crlGenData || !dataArr) { + return SECFailure; + } + + if (!dataArr || !dataArr[0] || !dataArr[1] || !dataArr[2]) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "insufficient number of arguments.\n"); + return SECFailure; + } + + PORT_Assert(dataArr && crlGenData); + if (!crlGenData || !dataArr) { + return SECFailure; + } + + extHandle = crlGenData->crlExtHandle; + + if (!dataArr[0] || !dataArr[1] || !dataArr[2]) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "insufficient number of parameters.\n"); + return SECFailure; + } + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!arena) { + return SECFailure; + } + + nameList = crlgen_GetGeneralName(arena, crlGenData, dataArr[2]); + if (nameList == NULL) { + crlgen_PrintError(crlGenData->parsedLineNum, "syntax error.\n"); + rv = SECFailure; + goto loser; + } + + rv = + SECU_EncodeAndAddExtensionValue(arena, extHandle, nameList, + (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE, + SEC_OID_X509_ISSUER_ALT_NAME, + (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeAltNameExtension); +loser: + if (arena) + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +/* Creates and adds CRLNumber extension to extension handle. + * Since, this is CRL extension, extension handle is the one + * related to CRL extensions */ +static SECStatus +crlgen_AddCrlNumber(CRLGENGeneratorData *crlGenData, const char **dataArr) +{ + PLArenaPool *arena = NULL; + SECItem encodedItem; + void *dummy; + SECStatus rv = SECFailure; + int code = 0; + + PORT_Assert(dataArr && crlGenData); + if (!crlGenData || !dataArr) { + goto loser; + } + + if (!dataArr[0] || !dataArr[1] || !dataArr[2]) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "insufficient number of arguments.\n"); + goto loser; + } + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + goto loser; + } + + code = atoi(dataArr[2]); + if (code == 0 && *dataArr[2] != '0') { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + goto loser; + } + + dummy = SEC_ASN1EncodeInteger(arena, &encodedItem, code); + if (!dummy) { + rv = SECFailure; + goto loser; + } + + rv = CERT_AddExtension(crlGenData->crlExtHandle, SEC_OID_X509_CRL_NUMBER, + &encodedItem, + (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE, + PR_TRUE); + +loser: + if (arena) + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +/* Creates Cert Revocation Reason code extension. Encodes it and + * returns as SECItem structure */ +static SECItem * +crlgen_CreateReasonCode(PLArenaPool *arena, const char **dataArr, + int *extCode) +{ + SECItem *encodedItem; + void *dummy; + void *mark = NULL; + int code = 0; + + PORT_Assert(arena && dataArr); + if (!arena || !dataArr) { + goto loser; + } + + mark = PORT_ArenaMark(arena); + + encodedItem = PORT_ArenaZNew(arena, SECItem); + if (encodedItem == NULL) { + goto loser; + } + + if (dataArr[2] == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + goto loser; + } + + code = atoi(dataArr[2]); + /* aACompromise(10) is the last possible of the values + * for the Reason Core Extension */ + if ((code == 0 && *dataArr[2] != '0') || code > 10) { + + PORT_SetError(SEC_ERROR_INVALID_ARGS); + goto loser; + } + + dummy = SEC_ASN1EncodeInteger(arena, encodedItem, code); + if (!dummy) { + goto loser; + } + + *extCode = SEC_OID_X509_REASON_CODE; + return encodedItem; + +loser: + if (mark) { + PORT_ArenaRelease(arena, mark); + } + return NULL; +} + +/* Creates Cert Invalidity Date extension. Encodes it and + * returns as SECItem structure */ +static SECItem * +crlgen_CreateInvalidityDate(PLArenaPool *arena, const char **dataArr, + int *extCode) +{ + SECItem *encodedItem; + int length = 0; + void *mark = NULL; + + PORT_Assert(arena && dataArr); + if (!arena || !dataArr) { + goto loser; + } + + mark = PORT_ArenaMark(arena); + + encodedItem = PORT_ArenaZNew(arena, SECItem); + if (encodedItem == NULL) { + goto loser; + } + + length = PORT_Strlen(dataArr[2]); + + encodedItem->type = siGeneralizedTime; + encodedItem->data = PORT_ArenaAlloc(arena, length); + if (!encodedItem->data) { + goto loser; + } + + PORT_Memcpy(encodedItem->data, dataArr[2], (encodedItem->len = length) * + sizeof(char)); + + *extCode = SEC_OID_X509_INVALID_DATE; + return encodedItem; + +loser: + if (mark) { + PORT_ArenaRelease(arena, mark); + } + return NULL; +} + +/* Creates(by calling extCreator function) and adds extension to a set + * of already added certs. Uses values of rangeFrom and rangeTo from + * CRLGENCrlGenCtl structure for identifying the inclusive set of certs */ +static SECStatus +crlgen_AddEntryExtension(CRLGENGeneratorData *crlGenData, + const char **dataArr, char *extName, + SECItem *(*extCreator)(PLArenaPool *arena, + const char **dataArr, + int *extCode)) +{ + PRUint64 i = 0; + SECStatus rv = SECFailure; + int extCode = 0; + PRUint64 lastRange; + SECItem *ext = NULL; + PLArenaPool *arena = NULL; + + PORT_Assert(crlGenData && dataArr); + if (!crlGenData || !dataArr) { + goto loser; + } + + if (!dataArr[0] || !dataArr[1]) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "insufficient number of arguments.\n"); + } + + lastRange = crlGenData->rangeTo - crlGenData->rangeFrom + 1; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + goto loser; + } + + ext = extCreator(arena, dataArr, &extCode); + if (ext == NULL) { + crlgen_PrintError(crlGenData->parsedLineNum, + "got error while creating extension: %s\n", + extName); + goto loser; + } + + for (i = 0; i < lastRange; i++) { + CRLGENEntryData *extData = NULL; + void *extHandle = NULL; + SECItem *certIdItem = + SEC_ASN1EncodeInteger(arena, NULL, + crlGenData->rangeFrom + i); + if (!certIdItem) { + rv = SECFailure; + goto loser; + } + + extData = crlgen_FindEntry(crlGenData, certIdItem); + if (!extData) { + crlgen_PrintError(crlGenData->parsedLineNum, + "can not add extension: crl entry " + "(serial number: %d) is not in the list yet.\n", + crlGenData->rangeFrom + i); + continue; + } + + extHandle = extData->extHandle; + if (extHandle == NULL) { + extHandle = extData->extHandle = + CERT_StartCRLEntryExtensions(&crlGenData->signCrl->crl, + (CERTCrlEntry *)extData->entry); + } + rv = CERT_AddExtension(extHandle, extCode, ext, + (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE, + PR_TRUE); + if (rv == SECFailure) { + goto loser; + } + } + +loser: + if (arena) + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +/* Commits all added entries and their's extensions into CRL. */ +SECStatus +CRLGEN_CommitExtensionsAndEntries(CRLGENGeneratorData *crlGenData) +{ + int size = 0; + CERTCrl *crl; + PLArenaPool *arena; + SECStatus rv = SECSuccess; + void *mark; + + PORT_Assert(crlGenData && crlGenData->signCrl && crlGenData->signCrl->arena); + if (!crlGenData || !crlGenData->signCrl || !crlGenData->signCrl->arena) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + arena = crlGenData->signCrl->arena; + crl = &crlGenData->signCrl->crl; + + mark = PORT_ArenaMark(arena); + + if (crlGenData->crlExtHandle) + CERT_FinishExtensions(crlGenData->crlExtHandle); + + size = crlGenData->entryDataHashTable->nentries; + crl->entries = NULL; + if (size) { + crl->entries = PORT_ArenaZNewArray(arena, CERTCrlEntry *, size + 1); + if (!crl->entries) { + rv = SECFailure; + } else { + struct commitData dt; + dt.entries = crl->entries; + dt.pos = 0; + PL_HashTableEnumerateEntries(crlGenData->entryDataHashTable, + &crlgen_CommitEntryData, &dt); + /* Last should be NULL */ + crl->entries[size] = NULL; + } + } + + if (rv != SECSuccess) + PORT_ArenaRelease(arena, mark); + return rv; +} + +/* Initializes extHandle with data from extensions array */ +static SECStatus +crlgen_InitExtensionHandle(void *extHandle, + CERTCertExtension **extensions) +{ + CERTCertExtension *extension = NULL; + + if (!extensions) + return SECSuccess; + + PORT_Assert(extHandle != NULL); + if (!extHandle) { + return SECFailure; + } + + extension = *extensions; + while (extension) { + SECOidTag oidTag = SECOID_FindOIDTag(&extension->id); + /* shell we skip unknown extensions? */ + CERT_AddExtension(extHandle, oidTag, &extension->value, + (extension->critical.len != 0) ? PR_TRUE : PR_FALSE, + PR_FALSE); + extension = *(++extensions); + } + return SECSuccess; +} + +/* Used for initialization of extension handles for crl and certs + * extensions from existing CRL data then modifying existing CRL.*/ +SECStatus +CRLGEN_ExtHandleInit(CRLGENGeneratorData *crlGenData) +{ + CERTCrl *crl = NULL; + PRUint64 maxSN = 0; + + PORT_Assert(crlGenData && crlGenData->signCrl && + crlGenData->entryDataHashTable); + if (!crlGenData || !crlGenData->signCrl || + !crlGenData->entryDataHashTable) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + crl = &crlGenData->signCrl->crl; + crlGenData->crlExtHandle = CERT_StartCRLExtensions(crl); + crlgen_InitExtensionHandle(crlGenData->crlExtHandle, + crl->extensions); + crl->extensions = NULL; + + if (crl->entries) { + CERTCrlEntry **entry = crl->entries; + while (*entry) { + PRUint64 sn = DER_GetInteger(&(*entry)->serialNumber); + CRLGENEntryData *extData = + crlgen_PlaceAnEntry(crlGenData, *entry, &(*entry)->serialNumber); + if ((*entry)->extensions) { + extData->extHandle = + CERT_StartCRLEntryExtensions(&crlGenData->signCrl->crl, + (CERTCrlEntry *)extData->entry); + if (crlgen_InitExtensionHandle(extData->extHandle, + (*entry)->extensions) == SECFailure) + return SECFailure; + } + (*entry)->extensions = NULL; + entry++; + maxSN = PR_MAX(maxSN, sn); + } + } + + crlGenData->rangeFrom = crlGenData->rangeTo = maxSN + 1; + return SECSuccess; +} + +/***************************************************************************** + * Parser trigger functions start here + */ + +/* Sets new internal range value for add/rm certs.*/ +static SECStatus +crlgen_SetNewRangeField(CRLGENGeneratorData *crlGenData, char *value) +{ + long rangeFrom = 0, rangeTo = 0; + char *dashPos = NULL; + + PORT_Assert(crlGenData); + if (!crlGenData) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + if (value == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "insufficient number of arguments.\n"); + return SECFailure; + } + + if ((dashPos = strchr(value, '-')) != NULL) { + char *rangeToS, *rangeFromS = value; + *dashPos = '\0'; + rangeFrom = atoi(rangeFromS); + *dashPos = '-'; + + rangeToS = (char *)(dashPos + 1); + rangeTo = atol(rangeToS); + } else { + rangeFrom = atol(value); + rangeTo = rangeFrom; + } + + if (rangeFrom < 1 || rangeTo < rangeFrom) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "bad cert id range: %s.\n", value); + return SECFailure; + } + + crlGenData->rangeFrom = rangeFrom; + crlGenData->rangeTo = rangeTo; + + return SECSuccess; +} + +/* Changes issuer subject field in CRL. By default this data is taken from + * issuer cert subject field.Not yet implemented */ +static SECStatus +crlgen_SetIssuerField(CRLGENGeneratorData *crlGenData, char *value) +{ + crlgen_PrintError(crlGenData->parsedLineNum, + "Can not change CRL issuer field.\n"); + return SECFailure; +} + +/* Encode and sets CRL thisUpdate and nextUpdate time fields*/ +static SECStatus +crlgen_SetTimeField(CRLGENGeneratorData *crlGenData, char *value, + PRBool setThisUpdate) +{ + CERTSignedCrl *signCrl; + PLArenaPool *arena; + CERTCrl *crl; + int length = 0; + SECItem *timeDest = NULL; + + PORT_Assert(crlGenData && crlGenData->signCrl && + crlGenData->signCrl->arena); + if (!crlGenData || !crlGenData->signCrl || !crlGenData->signCrl->arena) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + signCrl = crlGenData->signCrl; + arena = signCrl->arena; + crl = &signCrl->crl; + + if (value == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "insufficient number of arguments.\n"); + return SECFailure; + } + length = PORT_Strlen(value); + + if (setThisUpdate == PR_TRUE) { + timeDest = &crl->lastUpdate; + } else { + timeDest = &crl->nextUpdate; + } + + timeDest->type = siGeneralizedTime; + timeDest->data = PORT_ArenaAlloc(arena, length); + if (!timeDest->data) { + return SECFailure; + } + PORT_Memcpy(timeDest->data, value, length); + timeDest->len = length; + + return SECSuccess; +} + +/* Adds new extension into CRL or added cert handles */ +static SECStatus +crlgen_AddExtension(CRLGENGeneratorData *crlGenData, const char **extData) +{ + PORT_Assert(crlGenData && crlGenData->crlExtHandle); + if (!crlGenData || !crlGenData->crlExtHandle) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + if (extData == NULL || *extData == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "insufficient number of arguments.\n"); + return SECFailure; + } + if (!PORT_Strcmp(*extData, "authKeyId")) + return crlgen_AddAuthKeyID(crlGenData, extData); + else if (!PORT_Strcmp(*extData, "issuerAltNames")) + return crlgen_AddIssuerAltNames(crlGenData, extData); + else if (!PORT_Strcmp(*extData, "crlNumber")) + return crlgen_AddCrlNumber(crlGenData, extData); + else if (!PORT_Strcmp(*extData, "reasonCode")) + return crlgen_AddEntryExtension(crlGenData, extData, "reasonCode", + crlgen_CreateReasonCode); + else if (!PORT_Strcmp(*extData, "invalidityDate")) + return crlgen_AddEntryExtension(crlGenData, extData, "invalidityDate", + crlgen_CreateInvalidityDate); + else { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "insufficient number of arguments.\n"); + return SECFailure; + } +} + +/* Created CRLGENEntryData for cert with serial number certId and + * adds it to entryDataHashTable. certId can be a single cert serial + * number or an inclusive rage of certs */ +static SECStatus +crlgen_AddCert(CRLGENGeneratorData *crlGenData, + char *certId, char *revocationDate) +{ + CERTSignedCrl *signCrl; + SECItem *certIdItem; + PLArenaPool *arena; + PRUint64 rangeFrom = 0, rangeTo = 0, i = 0; + int timeValLength = -1; + SECStatus rv = SECFailure; + void *mark; + + PORT_Assert(crlGenData && crlGenData->signCrl && + crlGenData->signCrl->arena); + if (!crlGenData || !crlGenData->signCrl || !crlGenData->signCrl->arena) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + signCrl = crlGenData->signCrl; + arena = signCrl->arena; + + if (!certId || !revocationDate) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "insufficient number of arguments.\n"); + return SECFailure; + } + + timeValLength = strlen(revocationDate); + + if (crlgen_SetNewRangeField(crlGenData, certId) == SECFailure && + certId) { + return SECFailure; + } + rangeFrom = crlGenData->rangeFrom; + rangeTo = crlGenData->rangeTo; + + for (i = 0; i < rangeTo - rangeFrom + 1; i++) { + CERTCrlEntry *entry; + mark = PORT_ArenaMark(arena); + entry = PORT_ArenaZNew(arena, CERTCrlEntry); + if (entry == NULL) { + goto loser; + } + + certIdItem = SEC_ASN1EncodeInteger(arena, &entry->serialNumber, + rangeFrom + i); + if (!certIdItem) { + goto loser; + } + + if (crlgen_FindEntry(crlGenData, certIdItem)) { + crlgen_PrintError(crlGenData->parsedLineNum, + "entry already exists. Use \"range\" " + "and \"rmcert\" before adding a new one with the " + "same serial number %ld\n", + rangeFrom + i); + goto loser; + } + + entry->serialNumber.type = siBuffer; + + entry->revocationDate.type = siGeneralizedTime; + + entry->revocationDate.data = + PORT_ArenaAlloc(arena, timeValLength); + if (entry->revocationDate.data == NULL) { + goto loser; + } + + PORT_Memcpy(entry->revocationDate.data, revocationDate, + timeValLength * sizeof(char)); + entry->revocationDate.len = timeValLength; + + entry->extensions = NULL; + if (!crlgen_PlaceAnEntry(crlGenData, entry, certIdItem)) { + goto loser; + } + mark = NULL; + } + + rv = SECSuccess; +loser: + if (mark) { + PORT_ArenaRelease(arena, mark); + } + return rv; +} + +/* Removes certs from entryDataHashTable which have certId serial number. + * certId can have value of a range of certs */ +static SECStatus +crlgen_RmCert(CRLGENGeneratorData *crlGenData, char *certId) +{ + PRUint64 i = 0; + + PORT_Assert(crlGenData && certId); + if (!crlGenData || !certId) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + if (crlgen_SetNewRangeField(crlGenData, certId) == SECFailure && + certId) { + return SECFailure; + } + + for (i = 0; i < crlGenData->rangeTo - crlGenData->rangeFrom + 1; i++) { + SECItem *certIdItem = SEC_ASN1EncodeInteger(NULL, NULL, + crlGenData->rangeFrom + i); + if (certIdItem) { + CRLGENEntryData *extData = + crlgen_FindEntry(crlGenData, certIdItem); + if (!extData) { + printf("Cert with id %s is not in the list\n", certId); + } else { + crlgen_RmEntry(crlGenData, certIdItem); + } + SECITEM_FreeItem(certIdItem, PR_TRUE); + } + } + + return SECSuccess; +} + +/************************************************************************* + * Lex Parser Helper functions are used to store parsed information + * in context related structures. Context(or state) is identified base on + * a type of a instruction parser currently is going through. New context + * is identified by first token in a line. It can be addcert context, + * addext context, etc. */ + +/* Updates CRL field depending on current context */ +static SECStatus +crlgen_updateCrlFn_field(CRLGENGeneratorData *crlGenData, void *str) +{ + CRLGENCrlField *fieldStr = (CRLGENCrlField *)str; + + PORT_Assert(crlGenData); + if (!crlGenData) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + switch (crlGenData->contextId) { + case CRLGEN_ISSUER_CONTEXT: + crlgen_SetIssuerField(crlGenData, fieldStr->value); + break; + case CRLGEN_UPDATE_CONTEXT: + return crlgen_SetTimeField(crlGenData, fieldStr->value, PR_TRUE); + break; + case CRLGEN_NEXT_UPDATE_CONTEXT: + return crlgen_SetTimeField(crlGenData, fieldStr->value, PR_FALSE); + break; + case CRLGEN_CHANGE_RANGE_CONTEXT: + return crlgen_SetNewRangeField(crlGenData, fieldStr->value); + break; + default: + crlgen_PrintError(crlGenData->parsedLineNum, + "syntax error (unknow token type: %d)\n", + crlGenData->contextId); + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + return SECSuccess; +} + +/* Sets parsed data for CRL field update into temporary structure */ +static SECStatus +crlgen_setNextDataFn_field(CRLGENGeneratorData *crlGenData, void *str, + void *data, unsigned short dtype) +{ + CRLGENCrlField *fieldStr = (CRLGENCrlField *)str; + + PORT_Assert(crlGenData); + if (!crlGenData) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + switch (crlGenData->contextId) { + case CRLGEN_CHANGE_RANGE_CONTEXT: + if (dtype != CRLGEN_TYPE_DIGIT && dtype != CRLGEN_TYPE_DIGIT_RANGE) { + crlgen_PrintError(crlGenData->parsedLineNum, + "range value should have " + "numeric or numeric range values.\n"); + return SECFailure; + } + break; + case CRLGEN_NEXT_UPDATE_CONTEXT: + case CRLGEN_UPDATE_CONTEXT: + if (dtype != CRLGEN_TYPE_ZDATE) { + crlgen_PrintError(crlGenData->parsedLineNum, + "bad formated date. Should be " + "YYYYMMDDHHMMSSZ.\n"); + return SECFailure; + } + break; + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "syntax error (unknow token type: %d).\n", + crlGenData->contextId, data); + return SECFailure; + } + fieldStr->value = PORT_Strdup(data); + if (!fieldStr->value) { + return SECFailure; + } + return SECSuccess; +} + +/* Triggers cert entries update depending on current context */ +static SECStatus +crlgen_updateCrlFn_cert(CRLGENGeneratorData *crlGenData, void *str) +{ + CRLGENCertEntry *certStr = (CRLGENCertEntry *)str; + + PORT_Assert(crlGenData); + if (!crlGenData) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + switch (crlGenData->contextId) { + case CRLGEN_ADD_CERT_CONTEXT: + return crlgen_AddCert(crlGenData, certStr->certId, + certStr->revocationTime); + case CRLGEN_RM_CERT_CONTEXT: + return crlgen_RmCert(crlGenData, certStr->certId); + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "syntax error (unknow token type: %d).\n", + crlGenData->contextId); + return SECFailure; + } +} + +/* Sets parsed data for CRL entries update into temporary structure */ +static SECStatus +crlgen_setNextDataFn_cert(CRLGENGeneratorData *crlGenData, void *str, + void *data, unsigned short dtype) +{ + CRLGENCertEntry *certStr = (CRLGENCertEntry *)str; + + PORT_Assert(crlGenData); + if (!crlGenData) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + switch (dtype) { + case CRLGEN_TYPE_DIGIT: + case CRLGEN_TYPE_DIGIT_RANGE: + certStr->certId = PORT_Strdup(data); + if (!certStr->certId) { + return SECFailure; + } + break; + case CRLGEN_TYPE_DATE: + case CRLGEN_TYPE_ZDATE: + certStr->revocationTime = PORT_Strdup(data); + if (!certStr->revocationTime) { + return SECFailure; + } + break; + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "syntax error (unknow token type: %d).\n", + crlGenData->contextId); + return SECFailure; + } + return SECSuccess; +} + +/* Triggers cert entries/crl extension update */ +static SECStatus +crlgen_updateCrlFn_extension(CRLGENGeneratorData *crlGenData, void *str) +{ + CRLGENExtensionEntry *extStr = (CRLGENExtensionEntry *)str; + + return crlgen_AddExtension(crlGenData, (const char **)extStr->extData); +} + +/* Defines maximum number of fields extension may have */ +#define MAX_EXT_DATA_LENGTH 10 + +/* Sets parsed extension data for CRL entries/CRL extensions update + * into temporary structure */ +static SECStatus +crlgen_setNextDataFn_extension(CRLGENGeneratorData *crlGenData, void *str, + void *data, unsigned short dtype) +{ + CRLGENExtensionEntry *extStr = (CRLGENExtensionEntry *)str; + + PORT_Assert(crlGenData); + if (!crlGenData) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + if (extStr->extData == NULL) { + extStr->extData = PORT_ZNewArray(char *, MAX_EXT_DATA_LENGTH); + if (!extStr->extData) { + return SECFailure; + } + } + if (extStr->nextUpdatedData >= MAX_EXT_DATA_LENGTH) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + crlgen_PrintError(crlGenData->parsedLineNum, + "number of fields in extension " + "exceeded maximum allowed data length: %d.\n", + MAX_EXT_DATA_LENGTH); + return SECFailure; + } + extStr->extData[extStr->nextUpdatedData] = PORT_Strdup(data); + if (!extStr->extData[extStr->nextUpdatedData]) { + return SECFailure; + } + extStr->nextUpdatedData += 1; + + return SECSuccess; +} + +/**************************************************************************************** + * Top level functions are triggered directly by parser. + */ + +/* + * crl generation script parser recreates a temporary data staructure + * for each line it is going through. This function cleans temp structure. + */ +void +crlgen_destroyTempData(CRLGENGeneratorData *crlGenData) +{ + if (crlGenData->contextId != CRLGEN_UNKNOWN_CONTEXT) { + switch (crlGenData->contextId) { + case CRLGEN_ISSUER_CONTEXT: + case CRLGEN_UPDATE_CONTEXT: + case CRLGEN_NEXT_UPDATE_CONTEXT: + case CRLGEN_CHANGE_RANGE_CONTEXT: + if (crlGenData->crlField->value) + PORT_Free(crlGenData->crlField->value); + PORT_Free(crlGenData->crlField); + break; + case CRLGEN_ADD_CERT_CONTEXT: + case CRLGEN_RM_CERT_CONTEXT: + if (crlGenData->certEntry->certId) + PORT_Free(crlGenData->certEntry->certId); + if (crlGenData->certEntry->revocationTime) + PORT_Free(crlGenData->certEntry->revocationTime); + PORT_Free(crlGenData->certEntry); + break; + case CRLGEN_ADD_EXTENSION_CONTEXT: + if (crlGenData->extensionEntry->extData) { + int i = 0; + for (; i < crlGenData->extensionEntry->nextUpdatedData; i++) + PORT_Free(*(crlGenData->extensionEntry->extData + i)); + PORT_Free(crlGenData->extensionEntry->extData); + } + PORT_Free(crlGenData->extensionEntry); + break; + } + crlGenData->contextId = CRLGEN_UNKNOWN_CONTEXT; + } +} + +SECStatus +crlgen_updateCrl(CRLGENGeneratorData *crlGenData) +{ + SECStatus rv = SECSuccess; + + PORT_Assert(crlGenData); + if (!crlGenData) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + switch (crlGenData->contextId) { + case CRLGEN_ISSUER_CONTEXT: + case CRLGEN_UPDATE_CONTEXT: + case CRLGEN_NEXT_UPDATE_CONTEXT: + case CRLGEN_CHANGE_RANGE_CONTEXT: + rv = crlGenData->crlField->updateCrlFn(crlGenData, crlGenData->crlField); + break; + case CRLGEN_RM_CERT_CONTEXT: + case CRLGEN_ADD_CERT_CONTEXT: + rv = crlGenData->certEntry->updateCrlFn(crlGenData, crlGenData->certEntry); + break; + case CRLGEN_ADD_EXTENSION_CONTEXT: + rv = crlGenData->extensionEntry->updateCrlFn(crlGenData, crlGenData->extensionEntry); + break; + case CRLGEN_UNKNOWN_CONTEXT: + break; + default: + crlgen_PrintError(crlGenData->parsedLineNum, + "unknown lang context type code: %d.\n", + crlGenData->contextId); + PORT_Assert(0); + return SECFailure; + } + /* Clrean structures after crl update */ + crlgen_destroyTempData(crlGenData); + + crlGenData->parsedLineNum += 1; + + return rv; +} + +SECStatus +crlgen_setNextData(CRLGENGeneratorData *crlGenData, void *data, + unsigned short dtype) +{ + SECStatus rv = SECSuccess; + + PORT_Assert(crlGenData); + if (!crlGenData) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + switch (crlGenData->contextId) { + case CRLGEN_ISSUER_CONTEXT: + case CRLGEN_UPDATE_CONTEXT: + case CRLGEN_NEXT_UPDATE_CONTEXT: + case CRLGEN_CHANGE_RANGE_CONTEXT: + rv = crlGenData->crlField->setNextDataFn(crlGenData, crlGenData->crlField, + data, dtype); + break; + case CRLGEN_ADD_CERT_CONTEXT: + case CRLGEN_RM_CERT_CONTEXT: + rv = crlGenData->certEntry->setNextDataFn(crlGenData, crlGenData->certEntry, + data, dtype); + break; + case CRLGEN_ADD_EXTENSION_CONTEXT: + rv = + crlGenData->extensionEntry->setNextDataFn(crlGenData, crlGenData->extensionEntry, data, dtype); + break; + case CRLGEN_UNKNOWN_CONTEXT: + break; + default: + crlgen_PrintError(crlGenData->parsedLineNum, + "unknown context type: %d.\n", + crlGenData->contextId); + PORT_Assert(0); + return SECFailure; + } + return rv; +} + +SECStatus +crlgen_createNewLangStruct(CRLGENGeneratorData *crlGenData, + unsigned structType) +{ + PORT_Assert(crlGenData && + crlGenData->contextId == CRLGEN_UNKNOWN_CONTEXT); + if (!crlGenData || + crlGenData->contextId != CRLGEN_UNKNOWN_CONTEXT) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + switch (structType) { + case CRLGEN_ISSUER_CONTEXT: + case CRLGEN_UPDATE_CONTEXT: + case CRLGEN_NEXT_UPDATE_CONTEXT: + case CRLGEN_CHANGE_RANGE_CONTEXT: + crlGenData->crlField = PORT_New(CRLGENCrlField); + if (!crlGenData->crlField) { + return SECFailure; + } + crlGenData->contextId = structType; + crlGenData->crlField->value = NULL; + crlGenData->crlField->updateCrlFn = &crlgen_updateCrlFn_field; + crlGenData->crlField->setNextDataFn = &crlgen_setNextDataFn_field; + break; + case CRLGEN_RM_CERT_CONTEXT: + case CRLGEN_ADD_CERT_CONTEXT: + crlGenData->certEntry = PORT_New(CRLGENCertEntry); + if (!crlGenData->certEntry) { + return SECFailure; + } + crlGenData->contextId = structType; + crlGenData->certEntry->certId = 0; + crlGenData->certEntry->revocationTime = NULL; + crlGenData->certEntry->updateCrlFn = &crlgen_updateCrlFn_cert; + crlGenData->certEntry->setNextDataFn = &crlgen_setNextDataFn_cert; + break; + case CRLGEN_ADD_EXTENSION_CONTEXT: + crlGenData->extensionEntry = PORT_New(CRLGENExtensionEntry); + if (!crlGenData->extensionEntry) { + return SECFailure; + } + crlGenData->contextId = structType; + crlGenData->extensionEntry->extData = NULL; + crlGenData->extensionEntry->nextUpdatedData = 0; + crlGenData->extensionEntry->updateCrlFn = + &crlgen_updateCrlFn_extension; + crlGenData->extensionEntry->setNextDataFn = + &crlgen_setNextDataFn_extension; + break; + case CRLGEN_UNKNOWN_CONTEXT: + break; + default: + crlgen_PrintError(crlGenData->parsedLineNum, + "unknown context type: %d.\n", structType); + PORT_Assert(0); + return SECFailure; + } + return SECSuccess; +} + +/* Parser initialization function */ +CRLGENGeneratorData * +CRLGEN_InitCrlGeneration(CERTSignedCrl *signCrl, PRFileDesc *src) +{ + CRLGENGeneratorData *crlGenData = NULL; + + PORT_Assert(signCrl && src); + if (!signCrl || !src) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + crlGenData = PORT_ZNew(CRLGENGeneratorData); + if (!crlGenData) { + return NULL; + } + + crlGenData->entryDataHashTable = + PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare, + PL_CompareValues, NULL, NULL); + if (!crlGenData->entryDataHashTable) { + PORT_Free(crlGenData); + return NULL; + } + + crlGenData->src = src; + crlGenData->parsedLineNum = 1; + crlGenData->contextId = CRLGEN_UNKNOWN_CONTEXT; + crlGenData->signCrl = signCrl; + crlGenData->rangeFrom = 0; + crlGenData->rangeTo = 0; + crlGenData->crlExtHandle = NULL; + + PORT_SetError(0); + + return crlGenData; +} + +void +CRLGEN_FinalizeCrlGeneration(CRLGENGeneratorData *crlGenData) +{ + if (!crlGenData) + return; + if (crlGenData->src) + PR_Close(crlGenData->src); + PL_HashTableDestroy(crlGenData->entryDataHashTable); + PORT_Free(crlGenData); +} diff --git a/security/nss/cmd/crlutil/crlgen.h b/security/nss/cmd/crlutil/crlgen.h new file mode 100644 index 000000000..3ec792108 --- /dev/null +++ b/security/nss/cmd/crlutil/crlgen.h @@ -0,0 +1,178 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef _CRLGEN_H_ +#define _CRLGEN_H_ + +#include "prio.h" +#include "prprf.h" +#include "plhash.h" +#include "seccomon.h" +#include "certt.h" +#include "secoidt.h" + +#define CRLGEN_UNKNOWN_CONTEXT 0 +#define CRLGEN_ISSUER_CONTEXT 1 +#define CRLGEN_UPDATE_CONTEXT 2 +#define CRLGEN_NEXT_UPDATE_CONTEXT 3 +#define CRLGEN_ADD_EXTENSION_CONTEXT 4 +#define CRLGEN_ADD_CERT_CONTEXT 6 +#define CRLGEN_CHANGE_RANGE_CONTEXT 7 +#define CRLGEN_RM_CERT_CONTEXT 8 + +#define CRLGEN_TYPE_DATE 0 +#define CRLGEN_TYPE_ZDATE 1 +#define CRLGEN_TYPE_DIGIT 2 +#define CRLGEN_TYPE_DIGIT_RANGE 3 +#define CRLGEN_TYPE_OID 4 +#define CRLGEN_TYPE_STRING 5 +#define CRLGEN_TYPE_ID 6 + +typedef struct CRLGENGeneratorDataStr CRLGENGeneratorData; +typedef struct CRLGENEntryDataStr CRLGENEntryData; +typedef struct CRLGENExtensionEntryStr CRLGENExtensionEntry; +typedef struct CRLGENCertEntrySrt CRLGENCertEntry; +typedef struct CRLGENCrlFieldStr CRLGENCrlField; +typedef struct CRLGENEntriesSortedDataStr CRLGENEntriesSortedData; + +/* Exported functions */ + +/* Used for initialization of extension handles for crl and certs + * extensions from existing CRL data then modifying existing CRL.*/ +extern SECStatus CRLGEN_ExtHandleInit(CRLGENGeneratorData *crlGenData); + +/* Commits all added entries and their's extensions into CRL. */ +extern SECStatus CRLGEN_CommitExtensionsAndEntries(CRLGENGeneratorData *crlGenData); + +/* Lunches the crl generation script parse */ +extern SECStatus CRLGEN_StartCrlGen(CRLGENGeneratorData *crlGenData); + +/* Closes crl generation script file and frees crlGenData */ +extern void CRLGEN_FinalizeCrlGeneration(CRLGENGeneratorData *crlGenData); + +/* Parser initialization function. Creates CRLGENGeneratorData structure + * for the current thread */ +extern CRLGENGeneratorData *CRLGEN_InitCrlGeneration(CERTSignedCrl *newCrl, + PRFileDesc *src); + +/* This lock is defined in crlgen_lex.c(derived from crlgen_lex.l). + * It controls access to invocation of yylex, allows to parse one + * script at a time */ +extern void CRLGEN_InitCrlGenParserLock(); +extern void CRLGEN_DestroyCrlGenParserLock(); + +/* The following function types are used to define functions for each of + * CRLGENExtensionEntryStr, CRLGENCertEntrySrt, CRLGENCrlFieldStr to + * provide functionality needed for these structures*/ +typedef SECStatus updateCrlFn_t(CRLGENGeneratorData *crlGenData, void *str); +typedef SECStatus setNextDataFn_t(CRLGENGeneratorData *crlGenData, void *str, + void *data, unsigned short dtype); +typedef SECStatus createNewLangStructFn_t(CRLGENGeneratorData *crlGenData, + void *str, unsigned i); + +/* Sets reports failure to parser if anything goes wrong */ +extern void crlgen_setFailure(CRLGENGeneratorData *str, char *); + +/* Collects data in to one of the current data structure that corresponds + * to the correct context type. This function gets called after each token + * is found for a particular line */ +extern SECStatus crlgen_setNextData(CRLGENGeneratorData *str, void *data, + unsigned short dtype); + +/* initiates crl update with collected data. This function is called at the + * end of each line */ +extern SECStatus crlgen_updateCrl(CRLGENGeneratorData *str); + +/* Creates new context structure depending on token that was parsed + * at the beginning of a line */ +extern SECStatus crlgen_createNewLangStruct(CRLGENGeneratorData *str, + unsigned structType); + +/* CRLGENExtensionEntry is used to store addext request data for either + * CRL extensions or CRL entry extensions. The differentiation between + * is based on order and type of extension been added. + * - extData : all data in request staring from name of the extension are + * in saved here. + * - nextUpdatedData: counter of elements added to extData + */ +struct CRLGENExtensionEntryStr { + char **extData; + int nextUpdatedData; + updateCrlFn_t *updateCrlFn; + setNextDataFn_t *setNextDataFn; +}; + +/* CRLGENCeryestEntry is used to store addcert request data + * - certId : certificate id or range of certificate with dash as a delimiter + * All certs from range will be inclusively added to crl + * - revocationTime: revocation time of cert(s) + */ +struct CRLGENCertEntrySrt { + char *certId; + char *revocationTime; + updateCrlFn_t *updateCrlFn; + setNextDataFn_t *setNextDataFn; +}; + +/* CRLGENCrlField is used to store crl fields record like update time, next + * update time, etc. + * - value: value of the parsed field data*/ +struct CRLGENCrlFieldStr { + char *value; + updateCrlFn_t *updateCrlFn; + setNextDataFn_t *setNextDataFn; +}; + +/* Can not create entries extension until completely done with parsing. + * Therefore need to keep joined data + * - certId : serial number of certificate + * - extHandle: head pointer to a list of extensions that belong to + * entry + * - entry : CERTCrlEntry structure pointer*/ +struct CRLGENEntryDataStr { + SECItem *certId; + void *extHandle; + CERTCrlEntry *entry; +}; + +/* Crl generator/parser main structure. Keeps info regarding current state of + * parser(context, status), parser helper functions pointers, parsed data and + * generated data. + * - contextId : current parsing context. Context in this parser environment + * defines what type of crl operations parser is going through + * in the current line of crl generation script. + * setting or new cert or an extension addition, etc. + * - createNewLangStructFn: pointer to top level function which creates + * data structures according contextId + * - setNextDataFn : pointer to top level function which sets new parsed data + * in temporary structure + * - updateCrlFn : pointer to top level function which triggers actual + * crl update functions with gathered data + * - union : data union create according to contextId + * - rangeFrom, rangeTo : holds last range in which certs was added + * - newCrl : pointer to CERTSignedCrl newly created crl + * - crlExtHandle : pointer to crl extension handle + * - entryDataHashTable: hash of CRLGENEntryData. + * key: cert serial number + * data: CRLGENEntryData pointer + * - parserStatus : current status of parser. Triggers parser to abort when + * set to SECFailure + * - src : PRFileDesc structure pointer of crl generator config file + * - parsedLineNum : currently parsing line. Keeping it to report errors */ +struct CRLGENGeneratorDataStr { + unsigned short contextId; + CRLGENCrlField *crlField; + CRLGENCertEntry *certEntry; + CRLGENExtensionEntry *extensionEntry; + PRUint64 rangeFrom; + PRUint64 rangeTo; + CERTSignedCrl *signCrl; + void *crlExtHandle; + PLHashTable *entryDataHashTable; + + PRFileDesc *src; + int parsedLineNum; +}; + +#endif /* _CRLGEN_H_ */ diff --git a/security/nss/cmd/crlutil/crlgen_lex.c b/security/nss/cmd/crlutil/crlgen_lex.c new file mode 100644 index 000000000..fb53ec844 --- /dev/null +++ b/security/nss/cmd/crlutil/crlgen_lex.c @@ -0,0 +1,1773 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* A lexical scanner generated by flex */ + +#define FLEX_SCANNER +#define YY_FLEX_MAJOR_VERSION 2 +#define YY_FLEX_MINOR_VERSION 5 + +#include <stdio.h> +#ifdef _WIN32 +#include <io.h> +#else +#include <unistd.h> +#endif + +/* cfront 1.2 defines "c_plusplus" instead of "__cplusplus" */ +#ifdef c_plusplus +#ifndef __cplusplus +#define __cplusplus +#endif +#endif + +#ifdef __cplusplus + +#include <stdlib.h> + +/* Use prototypes in function declarations. */ +#define YY_USE_PROTOS + +/* The "const" storage-class-modifier is valid. */ +#define YY_USE_CONST + +#else /* ! __cplusplus */ + +#if __STDC__ + +#define YY_USE_PROTOS +#define YY_USE_CONST + +#endif /* __STDC__ */ +#endif /* ! __cplusplus */ + +#ifdef __TURBOC__ +#pragma warn - rch +#pragma warn - use +#include <io.h> +#include <stdlib.h> +#define YY_USE_CONST +#define YY_USE_PROTOS +#endif + +#ifdef YY_USE_CONST +#define yyconst const +#else +#define yyconst +#endif + +#ifdef YY_USE_PROTOS +#define YY_PROTO(proto) proto +#else +#define YY_PROTO(proto) () +#endif + +/* Returned upon end-of-file. */ +#define YY_NULL 0 + +/* Promotes a possibly negative, possibly signed char to an unsigned + * integer for use as an array index. If the signed char is negative, + * we want to instead treat it as an 8-bit unsigned char, hence the + * double cast. + */ +#define YY_SC_TO_UI(c) ((unsigned int)(unsigned char)c) + +/* Enter a start condition. This macro really ought to take a parameter, + * but we do it the disgusting crufty way forced on us by the ()-less + * definition of BEGIN. + */ +#define BEGIN yy_start = 1 + 2 * + +/* Translate the current start state into a value that can be later handed + * to BEGIN to return to the state. The YYSTATE alias is for lex + * compatibility. + */ +#define YY_START ((yy_start - 1) / 2) +#define YYSTATE YY_START + +/* Action number for EOF rule of a given start state. */ +#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1) + +/* Special action meaning "start processing a new file". */ +#define YY_NEW_FILE yyrestart(yyin) + +#define YY_END_OF_BUFFER_CHAR 0 + +/* Size of default input buffer. */ +#define YY_BUF_SIZE 16384 + +typedef struct yy_buffer_state *YY_BUFFER_STATE; + +extern int yyleng; +extern FILE *yyin, *yyout; + +#define EOB_ACT_CONTINUE_SCAN 0 +#define EOB_ACT_END_OF_FILE 1 +#define EOB_ACT_LAST_MATCH 2 + +/* The funky do-while in the following #define is used to turn the definition + * int a single C statement (which needs a semi-colon terminator). This + * avoids problems with code like: + * + * if ( condition_holds ) + * yyless( 5 ); + * else + * do_something_else(); + * + * Prior to using the do-while the compiler would get upset at the + * "else" because it interpreted the "if" statement as being all + * done when it reached the ';' after the yyless() call. + */ + +/* Return all but the first 'n' matched characters back to the input stream. */ + +#define yyless(n) \ + do { \ + /* Undo effects of setting up yytext. */ \ + *yy_cp = yy_hold_char; \ + YY_RESTORE_YY_MORE_OFFSET \ + yy_c_buf_p = yy_cp = yy_bp + n - YY_MORE_ADJ; \ + YY_DO_BEFORE_ACTION; /* set up yytext again */ \ + } while (0) + +#define unput(c) yyunput(c, yytext_ptr) + +/* The following is because we cannot portably get our hands on size_t + * (without autoconf's help, which isn't available because we want + * flex-generated scanners to compile on their own). + */ +typedef unsigned int yy_size_t; + +struct yy_buffer_state { + FILE *yy_input_file; + + char *yy_ch_buf; /* input buffer */ + char *yy_buf_pos; /* current position in input buffer */ + + /* Size of input buffer in bytes, not including room for EOB + * characters. + */ + yy_size_t yy_buf_size; + + /* Number of characters read into yy_ch_buf, not including EOB + * characters. + */ + int yy_n_chars; + + /* Whether we "own" the buffer - i.e., we know we created it, + * and can realloc() it to grow it, and should free() it to + * delete it. + */ + int yy_is_our_buffer; + + /* Whether this is an "interactive" input source; if so, and + * if we're using stdio for input, then we want to use getc() + * instead of fread(), to make sure we stop fetching input after + * each newline. + */ + int yy_is_interactive; + + /* Whether we're considered to be at the beginning of a line. + * If so, '^' rules will be active on the next match, otherwise + * not. + */ + int yy_at_bol; + + /* Whether to try to fill the input buffer when we reach the + * end of it. + */ + int yy_fill_buffer; + + int yy_buffer_status; +#define YY_BUFFER_NEW 0 +#define YY_BUFFER_NORMAL 1 +/* When an EOF's been seen but there's still some text to process + * then we mark the buffer as YY_EOF_PENDING, to indicate that we + * shouldn't try reading from the input source any more. We might + * still have a bunch of tokens to match, though, because of + * possible backing-up. + * + * When we actually see the EOF, we change the status to "new" + * (via yyrestart()), so that the user can continue scanning by + * just pointing yyin at a new input file. + */ +#define YY_BUFFER_EOF_PENDING 2 +}; + +static YY_BUFFER_STATE yy_current_buffer = 0; + +/* We provide macros for accessing buffer states in case in the + * future we want to put the buffer states in a more general + * "scanner state". + */ +#define YY_CURRENT_BUFFER yy_current_buffer + +/* yy_hold_char holds the character lost when yytext is formed. */ +static char yy_hold_char; + +static int yy_n_chars; /* number of characters read into yy_ch_buf */ + +int yyleng; + +/* Points to current character in buffer. */ +static char *yy_c_buf_p = (char *)0; +static int yy_init = 1; /* whether we need to initialize */ +static int yy_start = 0; /* start state number */ + +/* Flag which is used to allow yywrap()'s to do buffer switches + * instead of setting up a fresh yyin. A bit of a hack ... + */ +static int yy_did_buffer_switch_on_eof; + +void yyrestart YY_PROTO((FILE * input_file)); + +void yy_switch_to_buffer YY_PROTO((YY_BUFFER_STATE new_buffer)); +void yy_load_buffer_state YY_PROTO((void)); +YY_BUFFER_STATE yy_create_buffer YY_PROTO((FILE * file, int size)); +void yy_delete_buffer YY_PROTO((YY_BUFFER_STATE b)); +void yy_init_buffer YY_PROTO((YY_BUFFER_STATE b, FILE *file)); +void yy_flush_buffer YY_PROTO((YY_BUFFER_STATE b)); +#define YY_FLUSH_BUFFER yy_flush_buffer(yy_current_buffer) + +YY_BUFFER_STATE yy_scan_buffer YY_PROTO((char *base, yy_size_t size)); +YY_BUFFER_STATE yy_scan_string YY_PROTO((yyconst char *yy_str)); +YY_BUFFER_STATE yy_scan_bytes YY_PROTO((yyconst char *bytes, int len)); + +static void *yy_flex_alloc YY_PROTO((yy_size_t)); +static void *yy_flex_realloc YY_PROTO((void *, yy_size_t)); +static void yy_flex_free YY_PROTO((void *)); + +#define yy_new_buffer yy_create_buffer + +#define yy_set_interactive(is_interactive) \ + { \ + if (!yy_current_buffer) \ + yy_current_buffer = yy_create_buffer(yyin, YY_BUF_SIZE); \ + yy_current_buffer->yy_is_interactive = is_interactive; \ + } + +#define yy_set_bol(at_bol) \ + { \ + if (!yy_current_buffer) \ + yy_current_buffer = yy_create_buffer(yyin, YY_BUF_SIZE); \ + yy_current_buffer->yy_at_bol = at_bol; \ + } + +#define YY_AT_BOL() (yy_current_buffer->yy_at_bol) + +typedef unsigned char YY_CHAR; +FILE *yyin = (FILE *)0, *yyout = (FILE *)0; +typedef int yy_state_type; +extern char *yytext; +#define yytext_ptr yytext + +static yy_state_type yy_get_previous_state YY_PROTO((void)); +static yy_state_type yy_try_NUL_trans YY_PROTO((yy_state_type current_state)); +static int yy_get_next_buffer YY_PROTO((void)); +static void yy_fatal_error YY_PROTO((yyconst char msg[])); + +/* Done after the current pattern has been matched and before the + * corresponding action - sets up yytext. + */ +#define YY_DO_BEFORE_ACTION \ + yytext_ptr = yy_bp; \ + yytext_ptr -= yy_more_len; \ + yyleng = (int)(yy_cp - yytext_ptr); \ + yy_hold_char = *yy_cp; \ + *yy_cp = '\0'; \ + yy_c_buf_p = yy_cp; + +#define YY_NUM_RULES 17 +#define YY_END_OF_BUFFER 18 +/* clang-format off */ +static yyconst short int yy_accept[67] = + { 0, + 0, 0, 18, 16, 14, 15, 16, 11, 12, 2, + 10, 9, 9, 9, 9, 9, 13, 14, 15, 11, + 12, 0, 12, 2, 9, 9, 9, 9, 9, 13, + 3, 4, 2, 9, 9, 9, 9, 2, 9, 9, + 9, 9, 2, 2, 9, 9, 8, 9, 2, 5, + 9, 6, 2, 9, 2, 9, 2, 9, 2, 7, + 2, 2, 2, 2, 1, 0 + } ; + +static yyconst int yy_ec[256] = + { 0, + 1, 1, 1, 1, 1, 1, 1, 1, 2, 3, + 1, 1, 4, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 2, 1, 5, 6, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 7, 8, 1, 9, 9, 10, + 11, 12, 12, 12, 13, 13, 13, 14, 1, 1, + 15, 1, 1, 1, 16, 16, 16, 16, 16, 16, + 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, + 16, 16, 16, 16, 16, 16, 16, 16, 16, 17, + 1, 1, 1, 1, 1, 1, 18, 16, 16, 19, + + 20, 16, 21, 16, 22, 16, 16, 16, 16, 23, + 16, 24, 16, 25, 26, 27, 28, 16, 16, 29, + 16, 16, 1, 14, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1 + } ; + +static yyconst int yy_meta[30] = + { 0, + 1, 1, 2, 1, 3, 1, 1, 4, 5, 5, + 5, 5, 5, 4, 1, 4, 4, 4, 4, 4, + 4, 4, 4, 4, 4, 4, 4, 4, 4 + } ; + +static yyconst short int yy_base[72] = + { 0, + 0, 149, 154, 205, 138, 205, 103, 0, 0, 23, + 205, 29, 30, 31, 32, 33, 0, 99, 205, 0, + 0, 0, 50, 55, 34, 61, 41, 63, 64, 0, + 0, 0, 79, 65, 68, 86, 66, 99, 105, 88, + 106, 90, 118, 76, 107, 110, 89, 125, 43, 91, + 127, 128, 138, 144, 113, 129, 154, 160, 160, 130, + 172, 166, 177, 144, 0, 205, 190, 192, 194, 199, + 76 + } ; + +static yyconst short int yy_def[72] = + { 0, + 66, 1, 66, 66, 66, 66, 66, 67, 68, 68, + 66, 69, 69, 69, 69, 69, 70, 66, 66, 67, + 68, 71, 68, 10, 69, 69, 69, 69, 69, 70, + 71, 23, 10, 69, 69, 69, 69, 10, 69, 69, + 69, 69, 10, 38, 69, 69, 69, 69, 38, 69, + 69, 69, 38, 69, 38, 69, 38, 69, 38, 69, + 38, 38, 38, 38, 68, 0, 66, 66, 66, 66, + 66 + } ; + +static yyconst short int yy_nxt[235] = + { 0, + 4, 5, 6, 7, 8, 4, 4, 9, 10, 10, + 10, 10, 10, 9, 11, 12, 12, 12, 12, 12, + 12, 13, 14, 12, 15, 12, 12, 16, 12, 22, + 23, 24, 24, 24, 24, 24, 21, 21, 21, 21, + 21, 21, 21, 21, 21, 21, 21, 21, 21, 28, + 27, 53, 53, 53, 21, 26, 29, 32, 32, 32, + 32, 32, 32, 33, 33, 33, 33, 33, 21, 35, + 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, + 31, 21, 37, 42, 44, 36, 34, 38, 38, 38, + 38, 38, 39, 21, 40, 21, 21, 21, 21, 21, + + 18, 21, 21, 21, 21, 19, 41, 43, 44, 44, + 44, 44, 21, 21, 21, 46, 48, 21, 21, 21, + 21, 57, 57, 21, 45, 47, 49, 49, 49, 49, + 49, 50, 21, 51, 21, 21, 21, 21, 21, 18, + 21, 21, 21, 21, 52, 54, 55, 55, 55, 55, + 55, 21, 44, 66, 17, 58, 66, 21, 66, 66, + 65, 56, 59, 59, 59, 59, 59, 21, 61, 61, + 61, 61, 66, 21, 63, 63, 63, 63, 66, 60, + 62, 62, 62, 62, 62, 64, 64, 64, 64, 64, + 20, 20, 66, 20, 20, 21, 21, 25, 25, 30, + + 66, 30, 30, 30, 3, 66, 66, 66, 66, 66, + 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, + 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, + 66, 66, 66, 66 + } ; + +static yyconst short int yy_chk[235] = + { 0, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 10, + 10, 10, 10, 10, 10, 10, 12, 13, 14, 15, + 16, 25, 12, 13, 14, 15, 16, 25, 27, 15, + 14, 49, 49, 49, 27, 13, 16, 23, 23, 23, + 23, 23, 23, 24, 24, 24, 24, 24, 26, 27, + 28, 29, 34, 37, 26, 35, 28, 29, 34, 37, + 71, 35, 29, 37, 44, 28, 26, 33, 33, 33, + 33, 33, 34, 36, 35, 40, 47, 42, 50, 36, + + 18, 40, 47, 42, 50, 7, 36, 38, 38, 38, + 38, 38, 39, 41, 45, 40, 42, 46, 39, 41, + 45, 55, 55, 46, 39, 41, 43, 43, 43, 43, + 43, 45, 48, 46, 51, 52, 56, 60, 48, 5, + 51, 52, 56, 60, 48, 51, 53, 53, 53, 53, + 53, 54, 64, 3, 2, 56, 0, 54, 0, 0, + 64, 54, 57, 57, 57, 57, 57, 58, 59, 59, + 59, 59, 0, 58, 62, 62, 62, 62, 0, 58, + 61, 61, 61, 61, 61, 63, 63, 63, 63, 63, + 67, 67, 0, 67, 67, 68, 68, 69, 69, 70, + + 0, 70, 70, 70, 66, 66, 66, 66, 66, 66, + 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, + 66, 66, 66, 66, 66, 66, 66, 66, 66, 66, + 66, 66, 66, 66 + } ; +/* clang-format on */ + +static yy_state_type yy_last_accepting_state; +static char *yy_last_accepting_cpos; + +/* The intent behind this definition is that it'll catch + * any uses of REJECT which flex missed. + */ +#define REJECT reject_used_but_not_detected +static int yy_more_flag = 0; +static int yy_more_len = 0; +#define yymore() (yy_more_flag = 1) +#define YY_MORE_ADJ yy_more_len +#define YY_RESTORE_YY_MORE_OFFSET +char *yytext; +#line 1 "crlgen_lex_orig.l" +#define INITIAL 0 +#line 2 "crlgen_lex_orig.l" + +#include "crlgen.h" + +static SECStatus parserStatus = SECSuccess; +static CRLGENGeneratorData *parserData; +static PRFileDesc *src; + +#define YY_INPUT(buf, result, max_size) \ + if (parserStatus != SECFailure) { \ + if (((result = PR_Read(src, buf, max_size)) == 0) && \ + ferror(yyin)) \ + return SECFailure; \ + } else { \ + return SECFailure; \ + } + +/* Macros after this point can all be overridden by user definitions in + * section 1. + */ + +#ifndef YY_SKIP_YYWRAP +#ifdef __cplusplus +extern "C" int yywrap YY_PROTO((void)); +#else +extern int yywrap YY_PROTO((void)); +#endif +#endif + +#ifndef YY_NO_UNPUT +static void yyunput YY_PROTO((int c, char *buf_ptr)); +#endif + +#ifndef yytext_ptr +static void yy_flex_strncpy YY_PROTO((char *, yyconst char *, int)); +#endif + +#ifdef YY_NEED_STRLEN +static int yy_flex_strlen YY_PROTO((yyconst char *)); +#endif + +#ifndef YY_NO_INPUT +#ifdef __cplusplus +static int yyinput YY_PROTO((void)); +#else +static int input YY_PROTO((void)); +#endif +#endif + +#if YY_STACK_USED +static int yy_start_stack_ptr = 0; +static int yy_start_stack_depth = 0; +static int *yy_start_stack = 0; +#ifndef YY_NO_PUSH_STATE +static void yy_push_state YY_PROTO((int new_state)); +#endif +#ifndef YY_NO_POP_STATE +static void yy_pop_state YY_PROTO((void)); +#endif +#ifndef YY_NO_TOP_STATE +static int yy_top_state YY_PROTO((void)); +#endif + +#else +#define YY_NO_PUSH_STATE 1 +#define YY_NO_POP_STATE 1 +#define YY_NO_TOP_STATE 1 +#endif + +#ifdef YY_MALLOC_DECL +YY_MALLOC_DECL +#else +#if __STDC__ +#ifndef __cplusplus +#include <stdlib.h> +#endif +#else +/* Just try to get by without declaring the routines. This will fail + * miserably on non-ANSI systems for which sizeof(size_t) != sizeof(int) + * or sizeof(void*) != sizeof(int). + */ +#endif +#endif + +/* Amount of stuff to slurp up with each read. */ +#ifndef YY_READ_BUF_SIZE +#define YY_READ_BUF_SIZE 8192 +#endif + +/* Copy whatever the last rule matched to the standard output. */ + +#ifndef ECHO +/* This used to be an fputs(), but since the string might contain NUL's, + * we now use fwrite(). + */ +#define ECHO (void)fwrite(yytext, yyleng, 1, yyout) +#endif + +/* Gets input and stuffs it into "buf". number of characters read, or YY_NULL, + * is returned in "result". + */ +#ifndef YY_INPUT +#define YY_INPUT(buf, result, max_size) \ + if (yy_current_buffer->yy_is_interactive) { \ + int c = '*', n; \ + for (n = 0; n < max_size && \ + (c = getc(yyin)) != EOF && c != '\n'; \ + ++n) \ + buf[n] = (char)c; \ + if (c == '\n') \ + buf[n++] = (char)c; \ + if (c == EOF && ferror(yyin)) \ + YY_FATAL_ERROR("input in flex scanner failed"); \ + result = n; \ + } else if (((result = fread(buf, 1, max_size, yyin)) == 0) && \ + ferror(yyin)) \ + YY_FATAL_ERROR("input in flex scanner failed"); +#endif + +/* No semi-colon after return; correct usage is to write "yyterminate();" - + * we don't want an extra ';' after the "return" because that will cause + * some compilers to complain about unreachable statements. + */ +#ifndef yyterminate +#define yyterminate() return YY_NULL +#endif + +/* Number of entries by which start-condition stack grows. */ +#ifndef YY_START_STACK_INCR +#define YY_START_STACK_INCR 25 +#endif + +/* Report a fatal error. */ +#ifndef YY_FATAL_ERROR +#define YY_FATAL_ERROR(msg) yy_fatal_error(msg) +#endif + +/* Default declaration of generated scanner - a define so the user can + * easily add parameters. + */ +#ifndef YY_DECL +#define YY_DECL int yylex YY_PROTO((void)) +#endif + +/* Code executed at the beginning of each rule, after yytext and yyleng + * have been set up. + */ +#ifndef YY_USER_ACTION +#define YY_USER_ACTION +#endif + +/* Code executed at the end of each rule. */ +#ifndef YY_BREAK +#define YY_BREAK break; +#endif + +#define YY_RULE_SETUP \ + if (yyleng > 0) \ + yy_current_buffer->yy_at_bol = \ + (yytext[yyleng - 1] == '\n'); \ + YY_USER_ACTION + +YY_DECL +{ + register yy_state_type yy_current_state; + register char *yy_cp = NULL, *yy_bp = NULL; + register int yy_act; + +#line 28 "crlgen_lex_orig.l" + + if (yy_init) { + yy_init = 0; + +#ifdef YY_USER_INIT + YY_USER_INIT; +#endif + + if (!yy_start) + yy_start = 1; /* first start state */ + + if (!yyin) + yyin = stdin; + + if (!yyout) + yyout = stdout; + + if (!yy_current_buffer) + yy_current_buffer = + yy_create_buffer(yyin, YY_BUF_SIZE); + + yy_load_buffer_state(); + } + + while (1) /* loops until end-of-file is reached */ + { + yy_more_len = 0; + if (yy_more_flag) { + yy_more_len = yy_c_buf_p - yytext_ptr; + yy_more_flag = 0; + } + yy_cp = yy_c_buf_p; + + /* Support of yytext. */ + *yy_cp = yy_hold_char; + + /* yy_bp points to the position in yy_ch_buf of the start of + * the current run. + */ + yy_bp = yy_cp; + + yy_current_state = yy_start; + yy_current_state += YY_AT_BOL(); + yy_match: + do { + register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)]; + if (yy_accept[yy_current_state]) { + yy_last_accepting_state = yy_current_state; + yy_last_accepting_cpos = yy_cp; + } + while (yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state) { + yy_current_state = (int)yy_def[yy_current_state]; + if (yy_current_state >= 67) + yy_c = yy_meta[(unsigned int)yy_c]; + } + yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int)yy_c]; + ++yy_cp; + } while (yy_base[yy_current_state] != 205); + + yy_find_action: + yy_act = yy_accept[yy_current_state]; + if (yy_act == 0) { /* have to back up */ + yy_cp = yy_last_accepting_cpos; + yy_current_state = yy_last_accepting_state; + yy_act = yy_accept[yy_current_state]; + } + + YY_DO_BEFORE_ACTION; + + do_action: /* This label is used only to access EOF actions. */ + + switch (yy_act) { /* beginning of action switch */ + case 0: /* must back up */ + /* undo the effects of YY_DO_BEFORE_ACTION */ + *yy_cp = yy_hold_char; + yy_cp = yy_last_accepting_cpos; + yy_current_state = yy_last_accepting_state; + goto yy_find_action; + + case 1: + YY_RULE_SETUP +#line 30 "crlgen_lex_orig.l" + { + parserStatus = + crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_ZDATE); + if (parserStatus != + SECSuccess) + return parserStatus; + } + YY_BREAK + case 2: + YY_RULE_SETUP +#line 36 "crlgen_lex_orig.l" + { + parserStatus = + crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_DIGIT); + if (parserStatus != + SECSuccess) + return parserStatus; + } + YY_BREAK + case 3: + YY_RULE_SETUP +#line 42 "crlgen_lex_orig.l" + { + parserStatus = + crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_DIGIT_RANGE); + if (parserStatus != + SECSuccess) + return parserStatus; + } + YY_BREAK + case 4: + YY_RULE_SETUP +#line 48 "crlgen_lex_orig.l" + { + parserStatus = + crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_OID); + if (parserStatus != + SECSuccess) + return parserStatus; + } + YY_BREAK + case 5: + YY_RULE_SETUP +#line 54 "crlgen_lex_orig.l" + { + parserStatus = + crlgen_createNewLangStruct(parserData, CRLGEN_ISSUER_CONTEXT); + if (parserStatus != + SECSuccess) + return parserStatus; + } + YY_BREAK + case 6: + YY_RULE_SETUP +#line 60 "crlgen_lex_orig.l" + { + parserStatus = + crlgen_createNewLangStruct(parserData, CRLGEN_UPDATE_CONTEXT); + if (parserStatus != + SECSuccess) + return parserStatus; + } + YY_BREAK + case 7: + YY_RULE_SETUP +#line 65 "crlgen_lex_orig.l" + { + parserStatus = + crlgen_createNewLangStruct(parserData, CRLGEN_NEXT_UPDATE_CONTEXT); + if (parserStatus != + SECSuccess) + return parserStatus; + } + YY_BREAK + case 8: + YY_RULE_SETUP +#line 71 "crlgen_lex_orig.l" + { + parserStatus = + crlgen_createNewLangStruct(parserData, CRLGEN_CHANGE_RANGE_CONTEXT); + if (parserStatus != + SECSuccess) + return parserStatus; + } + YY_BREAK + case 9: + YY_RULE_SETUP +#line 77 "crlgen_lex_orig.l" + { + if (strcmp(yytext, "addcert") == + 0) { + parserStatus = + crlgen_createNewLangStruct(parserData, + CRLGEN_ADD_CERT_CONTEXT); + if (parserStatus != + SECSuccess) + return parserStatus; + } else if (strcmp(yytext, "rmcert") == + 0) { + parserStatus = + crlgen_createNewLangStruct(parserData, + CRLGEN_RM_CERT_CONTEXT); + if (parserStatus != + SECSuccess) + return parserStatus; + } else if (strcmp(yytext, "addext") == + 0) { + parserStatus = + crlgen_createNewLangStruct(parserData, + CRLGEN_ADD_EXTENSION_CONTEXT); + if (parserStatus != + SECSuccess) + return parserStatus; + } else { + parserStatus = + crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_ID); + if (parserStatus != + SECSuccess) + return parserStatus; + } + } + YY_BREAK + case 10: + YY_RULE_SETUP +#line 100 "crlgen_lex_orig.l" + + YY_BREAK + case 11: + YY_RULE_SETUP +#line 102 "crlgen_lex_orig.l" + { + if (yytext[yyleng - + 1] == + '\\') { + yymore(); + } else { + register int c; + c = + input(); + if (c != + '\"') { + printf("Error: Line ending \" is missing: %c\n", c); + unput(c); + } else { + parserStatus = + crlgen_setNextData(parserData, yytext + 1, + CRLGEN_TYPE_STRING); + if (parserStatus != + SECSuccess) + return parserStatus; + } + } + } + YY_BREAK + case 12: + YY_RULE_SETUP +#line 120 "crlgen_lex_orig.l" + { + parserStatus = + crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_STRING); + if (parserStatus != + SECSuccess) + return parserStatus; + } + YY_BREAK + case 13: + YY_RULE_SETUP +#line 128 "crlgen_lex_orig.l" + /* eat up one-line comments */ {} + YY_BREAK + case 14: + YY_RULE_SETUP +#line 130 "crlgen_lex_orig.l" + { + } + YY_BREAK + case 15: + YY_RULE_SETUP +#line 132 "crlgen_lex_orig.l" + { + parserStatus = + crlgen_updateCrl(parserData); + if (parserStatus != + SECSuccess) + return parserStatus; + } + YY_BREAK + case 16: + YY_RULE_SETUP +#line 138 "crlgen_lex_orig.l" + { + fprintf(stderr, "Syntax error at line %d: unknown token %s\n", + parserData->parsedLineNum, yytext); + return SECFailure; + } + YY_BREAK + case 17: + YY_RULE_SETUP +#line 144 "crlgen_lex_orig.l" + ECHO; + YY_BREAK + case YY_STATE_EOF(INITIAL): + yyterminate(); + + case YY_END_OF_BUFFER: { + /* Amount of text matched not including the EOB char. */ + int yy_amount_of_matched_text = (int)(yy_cp - yytext_ptr) - 1; + + /* Undo the effects of YY_DO_BEFORE_ACTION. */ + *yy_cp = yy_hold_char; + YY_RESTORE_YY_MORE_OFFSET + + if (yy_current_buffer->yy_buffer_status == YY_BUFFER_NEW) { + /* We're scanning a new file or input source. It's + * possible that this happened because the user + * just pointed yyin at a new source and called + * yylex(). If so, then we have to assure + * consistency between yy_current_buffer and our + * globals. Here is the right place to do so, because + * this is the first action (other than possibly a + * back-up) that will match for the new input source. + */ + yy_n_chars = yy_current_buffer->yy_n_chars; + yy_current_buffer->yy_input_file = yyin; + yy_current_buffer->yy_buffer_status = YY_BUFFER_NORMAL; + } + + /* Note that here we test for yy_c_buf_p "<=" to the position + * of the first EOB in the buffer, since yy_c_buf_p will + * already have been incremented past the NUL character + * (since all states make transitions on EOB to the + * end-of-buffer state). Contrast this with the test + * in input(). + */ + if (yy_c_buf_p <= &yy_current_buffer->yy_ch_buf[yy_n_chars]) { /* This was really a NUL. */ + yy_state_type yy_next_state; + + yy_c_buf_p = yytext_ptr + yy_amount_of_matched_text; + + yy_current_state = yy_get_previous_state(); + + /* Okay, we're now positioned to make the NUL + * transition. We couldn't have + * yy_get_previous_state() go ahead and do it + * for us because it doesn't know how to deal + * with the possibility of jamming (and we don't + * want to build jamming into it because then it + * will run more slowly). + */ + + yy_next_state = yy_try_NUL_trans(yy_current_state); + + yy_bp = yytext_ptr + YY_MORE_ADJ; + + if (yy_next_state) { + /* Consume the NUL. */ + yy_cp = ++yy_c_buf_p; + yy_current_state = yy_next_state; + goto yy_match; + } + + else { + yy_cp = yy_c_buf_p; + goto yy_find_action; + } + } + + else + switch (yy_get_next_buffer()) { + case EOB_ACT_END_OF_FILE: { + yy_did_buffer_switch_on_eof = 0; + + if (yywrap()) { + /* Note: because we've taken care in + * yy_get_next_buffer() to have set up + * yytext, we can now set up + * yy_c_buf_p so that if some total + * hoser (like flex itself) wants to + * call the scanner after we return the + * YY_NULL, it'll still work - another + * YY_NULL will get returned. + */ + yy_c_buf_p = yytext_ptr + YY_MORE_ADJ; + + yy_act = YY_STATE_EOF(YY_START); + goto do_action; + } + + else { + if (!yy_did_buffer_switch_on_eof) + YY_NEW_FILE; + } + break; + } + + case EOB_ACT_CONTINUE_SCAN: + yy_c_buf_p = + yytext_ptr + yy_amount_of_matched_text; + + yy_current_state = yy_get_previous_state(); + + yy_cp = yy_c_buf_p; + yy_bp = yytext_ptr + YY_MORE_ADJ; + goto yy_match; + + case EOB_ACT_LAST_MATCH: + yy_c_buf_p = + &yy_current_buffer->yy_ch_buf[yy_n_chars]; + + yy_current_state = yy_get_previous_state(); + + yy_cp = yy_c_buf_p; + yy_bp = yytext_ptr + YY_MORE_ADJ; + goto yy_find_action; + } + break; + } + + default: + YY_FATAL_ERROR( + "fatal flex scanner internal error--no action found"); + } /* end of action switch */ + } /* end of scanning one token */ +} /* end of yylex */ + +/* yy_get_next_buffer - try to read in a new buffer + * + * Returns a code representing an action: + * EOB_ACT_LAST_MATCH - + * EOB_ACT_CONTINUE_SCAN - continue scanning from current position + * EOB_ACT_END_OF_FILE - end of file + */ + +static int +yy_get_next_buffer() +{ + register char *dest = yy_current_buffer->yy_ch_buf; + register char *source = yytext_ptr; + register int number_to_move, i; + int ret_val; + + if (yy_c_buf_p > &yy_current_buffer->yy_ch_buf[yy_n_chars + 1]) + YY_FATAL_ERROR( + "fatal flex scanner internal error--end of buffer missed"); + + if (yy_current_buffer->yy_fill_buffer == 0) { /* Don't try to fill the buffer, so this is an EOF. */ + if (yy_c_buf_p - yytext_ptr - YY_MORE_ADJ == 1) { + /* We matched a single character, the EOB, so + * treat this as a final EOF. + */ + return EOB_ACT_END_OF_FILE; + } + + else { + /* We matched some text prior to the EOB, first + * process it. + */ + return EOB_ACT_LAST_MATCH; + } + } + + /* Try to read more data. */ + + /* First move last chars to start of buffer. */ + number_to_move = (int)(yy_c_buf_p - yytext_ptr) - 1; + + for (i = 0; i < number_to_move; ++i) + *(dest++) = *(source++); + + if (yy_current_buffer->yy_buffer_status == YY_BUFFER_EOF_PENDING) + /* don't do the read, it's not guaranteed to return an EOF, + * just force an EOF + */ + yy_current_buffer->yy_n_chars = yy_n_chars = 0; + + else { + int num_to_read = + yy_current_buffer->yy_buf_size - number_to_move - 1; + + while (num_to_read <= 0) { /* Not enough room in the buffer - grow it. */ +#ifdef YY_USES_REJECT + YY_FATAL_ERROR( + "input buffer overflow, can't enlarge buffer because scanner uses REJECT"); +#else + + /* just a shorter name for the current buffer */ + YY_BUFFER_STATE b = yy_current_buffer; + + int yy_c_buf_p_offset = + (int)(yy_c_buf_p - b->yy_ch_buf); + + if (b->yy_is_our_buffer) { + int new_size = b->yy_buf_size * 2; + + if (new_size <= 0) + b->yy_buf_size += b->yy_buf_size / 8; + else + b->yy_buf_size *= 2; + + b->yy_ch_buf = (char *) + /* Include room in for 2 EOB chars. */ + yy_flex_realloc((void *)b->yy_ch_buf, + b->yy_buf_size + 2); + } else + /* Can't grow it, we don't own it. */ + b->yy_ch_buf = 0; + + if (!b->yy_ch_buf) + YY_FATAL_ERROR( + "fatal error - scanner input buffer overflow"); + + yy_c_buf_p = &b->yy_ch_buf[yy_c_buf_p_offset]; + + num_to_read = yy_current_buffer->yy_buf_size - + number_to_move - 1; +#endif + } + + if (num_to_read > YY_READ_BUF_SIZE) + num_to_read = YY_READ_BUF_SIZE; + + /* Read in more data. */ + YY_INPUT((&yy_current_buffer->yy_ch_buf[number_to_move]), + yy_n_chars, num_to_read); + + yy_current_buffer->yy_n_chars = yy_n_chars; + } + + if (yy_n_chars == 0) { + if (number_to_move == YY_MORE_ADJ) { + ret_val = EOB_ACT_END_OF_FILE; + yyrestart(yyin); + } + + else { + ret_val = EOB_ACT_LAST_MATCH; + yy_current_buffer->yy_buffer_status = + YY_BUFFER_EOF_PENDING; + } + } + + else + ret_val = EOB_ACT_CONTINUE_SCAN; + + yy_n_chars += number_to_move; + yy_current_buffer->yy_ch_buf[yy_n_chars] = YY_END_OF_BUFFER_CHAR; + yy_current_buffer->yy_ch_buf[yy_n_chars + 1] = YY_END_OF_BUFFER_CHAR; + + yytext_ptr = &yy_current_buffer->yy_ch_buf[0]; + + return ret_val; +} + +/* yy_get_previous_state - get the state just before the EOB char was reached */ + +static yy_state_type +yy_get_previous_state() +{ + register yy_state_type yy_current_state; + register char *yy_cp; + + yy_current_state = yy_start; + yy_current_state += YY_AT_BOL(); + + for (yy_cp = yytext_ptr + YY_MORE_ADJ; yy_cp < yy_c_buf_p; ++yy_cp) { + register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1); + if (yy_accept[yy_current_state]) { + yy_last_accepting_state = yy_current_state; + yy_last_accepting_cpos = yy_cp; + } + while (yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state) { + yy_current_state = (int)yy_def[yy_current_state]; + if (yy_current_state >= 67) + yy_c = yy_meta[(unsigned int)yy_c]; + } + yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int)yy_c]; + } + + return yy_current_state; +} + +/* yy_try_NUL_trans - try to make a transition on the NUL character + * + * synopsis + * next_state = yy_try_NUL_trans( current_state ); + */ + +#ifdef YY_USE_PROTOS +static yy_state_type +yy_try_NUL_trans(yy_state_type yy_current_state) +#else +static yy_state_type yy_try_NUL_trans(yy_current_state) + yy_state_type yy_current_state; +#endif +{ + register int yy_is_jam; + register char *yy_cp = yy_c_buf_p; + + register YY_CHAR yy_c = 1; + if (yy_accept[yy_current_state]) { + yy_last_accepting_state = yy_current_state; + yy_last_accepting_cpos = yy_cp; + } + while (yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state) { + yy_current_state = (int)yy_def[yy_current_state]; + if (yy_current_state >= 67) + yy_c = yy_meta[(unsigned int)yy_c]; + } + yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int)yy_c]; + yy_is_jam = (yy_current_state == 66); + + return yy_is_jam ? 0 : yy_current_state; +} + +#ifndef YY_NO_UNPUT +#ifdef YY_USE_PROTOS +static void +yyunput(int c, register char *yy_bp) +#else +static void yyunput(c, yy_bp) int c; +register char *yy_bp; +#endif +{ + register char *yy_cp = yy_c_buf_p; + + /* undo effects of setting up yytext */ + *yy_cp = yy_hold_char; + + if (yy_cp < yy_current_buffer->yy_ch_buf + 2) { /* need to shift things up to make room */ + /* +2 for EOB chars. */ + register int number_to_move = yy_n_chars + 2; + register char *dest = &yy_current_buffer->yy_ch_buf[yy_current_buffer->yy_buf_size + + 2]; + register char *source = + &yy_current_buffer->yy_ch_buf[number_to_move]; + + while (source > yy_current_buffer->yy_ch_buf) + *--dest = *--source; + + yy_cp += (int)(dest - source); + yy_bp += (int)(dest - source); + yy_current_buffer->yy_n_chars = + yy_n_chars = yy_current_buffer->yy_buf_size; + + if (yy_cp < yy_current_buffer->yy_ch_buf + 2) + YY_FATAL_ERROR("flex scanner push-back overflow"); + } + + *--yy_cp = (char)c; + + yytext_ptr = yy_bp; + yy_hold_char = *yy_cp; + yy_c_buf_p = yy_cp; +} +#endif /* ifndef YY_NO_UNPUT */ + +#ifndef YY_NO_INPUT +#ifdef __cplusplus +static int +yyinput() +#else +static int +input() +#endif +{ + int c; + + *yy_c_buf_p = yy_hold_char; + + if (*yy_c_buf_p == YY_END_OF_BUFFER_CHAR) { + /* yy_c_buf_p now points to the character we want to return. + * If this occurs *before* the EOB characters, then it's a + * valid NUL; if not, then we've hit the end of the buffer. + */ + if (yy_c_buf_p < &yy_current_buffer->yy_ch_buf[yy_n_chars]) + /* This was really a NUL. */ + *yy_c_buf_p = '\0'; + + else { /* need more input */ + int offset = yy_c_buf_p - yytext_ptr; + ++yy_c_buf_p; + + switch (yy_get_next_buffer()) { + case EOB_ACT_LAST_MATCH: + /* This happens because yy_g_n_b() + * sees that we've accumulated a + * token and flags that we need to + * try matching the token before + * proceeding. But for input(), + * there's no matching to consider. + * So convert the EOB_ACT_LAST_MATCH + * to EOB_ACT_END_OF_FILE. + */ + + /* Reset buffer status. */ + yyrestart(yyin); + + /* fall through */ + + case EOB_ACT_END_OF_FILE: { + if (yywrap()) + return EOF; + + if (!yy_did_buffer_switch_on_eof) + YY_NEW_FILE; +#ifdef __cplusplus + return yyinput(); +#else + return input(); +#endif + } + + case EOB_ACT_CONTINUE_SCAN: + yy_c_buf_p = yytext_ptr + offset; + break; + } + } + } + + c = *(unsigned char *)yy_c_buf_p; /* cast for 8-bit char's */ + *yy_c_buf_p = '\0'; /* preserve yytext */ + yy_hold_char = *++yy_c_buf_p; + + yy_current_buffer->yy_at_bol = (c == '\n'); + + return c; +} +#endif /* YY_NO_INPUT */ + +#ifdef YY_USE_PROTOS +void +yyrestart(FILE *input_file) +#else +void yyrestart(input_file) + FILE *input_file; +#endif +{ + if (!yy_current_buffer) + yy_current_buffer = yy_create_buffer(yyin, YY_BUF_SIZE); + + yy_init_buffer(yy_current_buffer, input_file); + yy_load_buffer_state(); +} + +#ifdef YY_USE_PROTOS +void +yy_switch_to_buffer(YY_BUFFER_STATE new_buffer) +#else +void yy_switch_to_buffer(new_buffer) + YY_BUFFER_STATE new_buffer; +#endif +{ + if (yy_current_buffer == new_buffer) + return; + + if (yy_current_buffer) { + /* Flush out information for old buffer. */ + *yy_c_buf_p = yy_hold_char; + yy_current_buffer->yy_buf_pos = yy_c_buf_p; + yy_current_buffer->yy_n_chars = yy_n_chars; + } + + yy_current_buffer = new_buffer; + yy_load_buffer_state(); + + /* We don't actually know whether we did this switch during + * EOF (yywrap()) processing, but the only time this flag + * is looked at is after yywrap() is called, so it's safe + * to go ahead and always set it. + */ + yy_did_buffer_switch_on_eof = 1; +} + +#ifdef YY_USE_PROTOS +void +yy_load_buffer_state(void) +#else +void +yy_load_buffer_state() +#endif +{ + yy_n_chars = yy_current_buffer->yy_n_chars; + yytext_ptr = yy_c_buf_p = yy_current_buffer->yy_buf_pos; + yyin = yy_current_buffer->yy_input_file; + yy_hold_char = *yy_c_buf_p; +} + +#ifdef YY_USE_PROTOS +YY_BUFFER_STATE +yy_create_buffer(FILE *file, int size) +#else +YY_BUFFER_STATE yy_create_buffer(file, size) + FILE *file; +int size; +#endif +{ + YY_BUFFER_STATE b; + + b = (YY_BUFFER_STATE)yy_flex_alloc(sizeof(struct yy_buffer_state)); + if (!b) + YY_FATAL_ERROR("out of dynamic memory in yy_create_buffer()"); + + b->yy_buf_size = size; + + /* yy_ch_buf has to be 2 characters longer than the size given because + * we need to put in 2 end-of-buffer characters. + */ + b->yy_ch_buf = (char *)yy_flex_alloc(b->yy_buf_size + 2); + if (!b->yy_ch_buf) + YY_FATAL_ERROR("out of dynamic memory in yy_create_buffer()"); + + b->yy_is_our_buffer = 1; + + yy_init_buffer(b, file); + + return b; +} + +#ifdef YY_USE_PROTOS +void +yy_delete_buffer(YY_BUFFER_STATE b) +#else +void yy_delete_buffer(b) + YY_BUFFER_STATE b; +#endif +{ + if (!b) + return; + + if (b == yy_current_buffer) + yy_current_buffer = (YY_BUFFER_STATE)0; + + if (b->yy_is_our_buffer) + yy_flex_free((void *)b->yy_ch_buf); + + yy_flex_free((void *)b); +} + +#ifdef YY_USE_PROTOS +void +yy_init_buffer(YY_BUFFER_STATE b, FILE *file) +#else +void yy_init_buffer(b, file) + YY_BUFFER_STATE b; +FILE *file; +#endif + +{ + yy_flush_buffer(b); + + b->yy_input_file = file; + b->yy_fill_buffer = 1; + +#if YY_ALWAYS_INTERACTIVE + b->yy_is_interactive = 1; +#else +#if YY_NEVER_INTERACTIVE + b->yy_is_interactive = 0; +#else + b->yy_is_interactive = file ? (isatty(fileno(file)) > 0) : 0; +#endif +#endif +} + +#ifdef YY_USE_PROTOS +void +yy_flush_buffer(YY_BUFFER_STATE b) +#else +void yy_flush_buffer(b) + YY_BUFFER_STATE b; +#endif + +{ + if (!b) + return; + + b->yy_n_chars = 0; + + /* We always need two end-of-buffer characters. The first causes + * a transition to the end-of-buffer state. The second causes + * a jam in that state. + */ + b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR; + b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR; + + b->yy_buf_pos = &b->yy_ch_buf[0]; + + b->yy_at_bol = 1; + b->yy_buffer_status = YY_BUFFER_NEW; + + if (b == yy_current_buffer) + yy_load_buffer_state(); +} + +#ifndef YY_NO_SCAN_BUFFER +#ifdef YY_USE_PROTOS +YY_BUFFER_STATE +yy_scan_buffer(char *base, yy_size_t size) +#else +YY_BUFFER_STATE yy_scan_buffer(base, size) char *base; +yy_size_t size; +#endif +{ + YY_BUFFER_STATE b; + + if (size < 2 || + base[size - 2] != YY_END_OF_BUFFER_CHAR || + base[size - 1] != YY_END_OF_BUFFER_CHAR) + /* They forgot to leave room for the EOB's. */ + return 0; + + b = (YY_BUFFER_STATE)yy_flex_alloc(sizeof(struct yy_buffer_state)); + if (!b) + YY_FATAL_ERROR("out of dynamic memory in yy_scan_buffer()"); + + b->yy_buf_size = size - 2; /* "- 2" to take care of EOB's */ + b->yy_buf_pos = b->yy_ch_buf = base; + b->yy_is_our_buffer = 0; + b->yy_input_file = 0; + b->yy_n_chars = b->yy_buf_size; + b->yy_is_interactive = 0; + b->yy_at_bol = 1; + b->yy_fill_buffer = 0; + b->yy_buffer_status = YY_BUFFER_NEW; + + yy_switch_to_buffer(b); + + return b; +} +#endif + +#ifndef YY_NO_SCAN_STRING +#ifdef YY_USE_PROTOS +YY_BUFFER_STATE +yy_scan_string(yyconst char *yy_str) +#else +YY_BUFFER_STATE yy_scan_string(yy_str) + yyconst char *yy_str; +#endif +{ + int len; + for (len = 0; yy_str[len]; ++len) + ; + + return yy_scan_bytes(yy_str, len); +} +#endif + +#ifndef YY_NO_SCAN_BYTES +#ifdef YY_USE_PROTOS +YY_BUFFER_STATE +yy_scan_bytes(yyconst char *bytes, int len) +#else +YY_BUFFER_STATE yy_scan_bytes(bytes, len) + yyconst char *bytes; +int len; +#endif +{ + YY_BUFFER_STATE b; + char *buf; + yy_size_t n; + int i; + + /* Get memory for full buffer, including space for trailing EOB's. */ + n = len + 2; + buf = (char *)yy_flex_alloc(n); + if (!buf) + YY_FATAL_ERROR("out of dynamic memory in yy_scan_bytes()"); + + for (i = 0; i < len; ++i) + buf[i] = bytes[i]; + + buf[len] = buf[len + 1] = YY_END_OF_BUFFER_CHAR; + + b = yy_scan_buffer(buf, n); + if (!b) + YY_FATAL_ERROR("bad buffer in yy_scan_bytes()"); + + /* It's okay to grow etc. this buffer, and we should throw it + * away when we're done. + */ + b->yy_is_our_buffer = 1; + + return b; +} +#endif + +#ifndef YY_NO_PUSH_STATE +#ifdef YY_USE_PROTOS +static void +yy_push_state(int new_state) +#else +static void yy_push_state(new_state) int new_state; +#endif +{ + if (yy_start_stack_ptr >= yy_start_stack_depth) { + yy_size_t new_size; + + yy_start_stack_depth += YY_START_STACK_INCR; + new_size = yy_start_stack_depth * sizeof(int); + + if (!yy_start_stack) + yy_start_stack = (int *)yy_flex_alloc(new_size); + + else + yy_start_stack = (int *)yy_flex_realloc( + (void *)yy_start_stack, new_size); + + if (!yy_start_stack) + YY_FATAL_ERROR( + "out of memory expanding start-condition stack"); + } + + yy_start_stack[yy_start_stack_ptr++] = YY_START; + + BEGIN(new_state); +} +#endif + +#ifndef YY_NO_POP_STATE +static void +yy_pop_state() +{ + if (--yy_start_stack_ptr < 0) + YY_FATAL_ERROR("start-condition stack underflow"); + + BEGIN(yy_start_stack[yy_start_stack_ptr]); +} +#endif + +#ifndef YY_NO_TOP_STATE +static int +yy_top_state() +{ + return yy_start_stack[yy_start_stack_ptr - 1]; +} +#endif + +#ifndef YY_EXIT_FAILURE +#define YY_EXIT_FAILURE 2 +#endif + +#ifdef YY_USE_PROTOS +static void +yy_fatal_error(yyconst char msg[]) +#else +static void yy_fatal_error(msg) char msg[]; +#endif +{ + (void)fprintf(stderr, "%s\n", msg); + exit(YY_EXIT_FAILURE); +} + +/* Redefine yyless() so it works in section 3 code. */ + +#undef yyless +#define yyless(n) \ + do { \ + /* Undo effects of setting up yytext. */ \ + yytext[yyleng] = yy_hold_char; \ + yy_c_buf_p = yytext + n; \ + yy_hold_char = *yy_c_buf_p; \ + *yy_c_buf_p = '\0'; \ + yyleng = n; \ + } while (0) + +/* Internal utility routines. */ + +#ifndef yytext_ptr +#ifdef YY_USE_PROTOS +static void +yy_flex_strncpy(char *s1, yyconst char *s2, int n) +#else +static void yy_flex_strncpy(s1, s2, n) char *s1; +yyconst char *s2; +int n; +#endif +{ + register int i; + for (i = 0; i < n; ++i) + s1[i] = s2[i]; +} +#endif + +#ifdef YY_NEED_STRLEN +#ifdef YY_USE_PROTOS +static int +yy_flex_strlen(yyconst char *s) +#else +static int yy_flex_strlen(s) + yyconst char *s; +#endif +{ + register int n; + for (n = 0; s[n]; ++n) + ; + + return n; +} +#endif + +#ifdef YY_USE_PROTOS +static void * +yy_flex_alloc(yy_size_t size) +#else +static void *yy_flex_alloc(size) + yy_size_t size; +#endif +{ + return (void *)malloc(size); +} + +#ifdef YY_USE_PROTOS +static void * +yy_flex_realloc(void *ptr, yy_size_t size) +#else +static void *yy_flex_realloc(ptr, size) void *ptr; +yy_size_t size; +#endif +{ + /* The cast to (char *) in the following accommodates both + * implementations that use char* generic pointers, and those + * that use void* generic pointers. It works with the latter + * because both ANSI C and C++ allow castless assignment from + * any pointer type to void*, and deal with argument conversions + * as though doing an assignment. + */ + return (void *)realloc((char *)ptr, size); +} + +#ifdef YY_USE_PROTOS +static void +yy_flex_free(void *ptr) +#else +static void yy_flex_free(ptr) void *ptr; +#endif +{ + free(ptr); +} + +#if YY_MAIN +int +main() +{ + yylex(); + return 0; +} +#endif +#line 144 "crlgen_lex_orig.l" + +#include "prlock.h" + +static PRLock *parserInvocationLock; + +void +CRLGEN_InitCrlGenParserLock() +{ + parserInvocationLock = PR_NewLock(); +} + +void +CRLGEN_DestroyCrlGenParserLock() +{ + PR_DestroyLock(parserInvocationLock); +} + +SECStatus +CRLGEN_StartCrlGen(CRLGENGeneratorData *parserCtlData) +{ + SECStatus rv; + + PR_Lock(parserInvocationLock); + + parserStatus = SECSuccess; + parserData = parserCtlData; + src = parserCtlData->src; + + rv = yylex(); + + PR_Unlock(parserInvocationLock); + + return rv; +} + +int +yywrap() +{ + return 1; +} diff --git a/security/nss/cmd/crlutil/crlgen_lex_fix.sed b/security/nss/cmd/crlutil/crlgen_lex_fix.sed new file mode 100644 index 000000000..603dd2d1b --- /dev/null +++ b/security/nss/cmd/crlutil/crlgen_lex_fix.sed @@ -0,0 +1,6 @@ +/<unistd.h>/ { + i #ifdef _WIN32 + i #include <io.h> + i #else + a #endif +} diff --git a/security/nss/cmd/crlutil/crlgen_lex_orig.l b/security/nss/cmd/crlutil/crlgen_lex_orig.l new file mode 100644 index 000000000..a412e9892 --- /dev/null +++ b/security/nss/cmd/crlutil/crlgen_lex_orig.l @@ -0,0 +1,181 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +%{ + +#include "crlgen.h" + +static SECStatus parserStatus = SECSuccess; +static CRLGENGeneratorData *parserData; +static PRFileDesc *src; + +#define YY_INPUT(buf,result,max_size) \ + if ( parserStatus != SECFailure) { \ + if (((result = PR_Read(src, buf, max_size)) == 0) && \ + ferror( yyin )) \ + return SECFailure; \ + } else { return SECFailure; } + + +%} + +%a 5000 +DIGIT [0-9]+ +DIGIT_RANGE [0-9]+-[0-9]+ +ID [a-zA-Z][a-zA-Z0-9]* +OID [0-9]+\.[\.0-9]+ +DATE [0-9]{4}[01][0-9][0-3][0-9][0-2][0-9][0-6][0-9][0-6][0-9] +ZDATE [0-9]{4}[01][0-9][0-3][0-9][0-2][0-9][0-6][0-9][0-6][0-9]Z +N_SP_STRING [a-zA-Z0-9\:\|\.]+ + +%% + +{ZDATE} { +parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_ZDATE); +if (parserStatus != SECSuccess) + return parserStatus; +} + +{DIGIT} { +parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_DIGIT); +if (parserStatus != SECSuccess) + return parserStatus; +} + +{DIGIT_RANGE} { +parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_DIGIT_RANGE); +if (parserStatus != SECSuccess) + return parserStatus; +} + +{OID} { +parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_OID); +if (parserStatus != SECSuccess) + return parserStatus; +} + +issuer { +parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_ISSUER_CONTEXT); +if (parserStatus != SECSuccess) + return parserStatus; +} + +update { +parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_UPDATE_CONTEXT); +if (parserStatus != SECSuccess) + return parserStatus; +} +nextupdate { +parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_NEXT_UPDATE_CONTEXT); +if (parserStatus != SECSuccess) + return parserStatus; +} + +range { +parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_CHANGE_RANGE_CONTEXT); +if (parserStatus != SECSuccess) + return parserStatus; +} + +{ID} { +if (strcmp(yytext, "addcert") == 0) { + parserStatus = crlgen_createNewLangStruct(parserData, + CRLGEN_ADD_CERT_CONTEXT); + if (parserStatus != SECSuccess) + return parserStatus; +} else if (strcmp(yytext, "rmcert") == 0) { + parserStatus = crlgen_createNewLangStruct(parserData, + CRLGEN_RM_CERT_CONTEXT); + if (parserStatus != SECSuccess) + return parserStatus; +} else if (strcmp(yytext, "addext") == 0) { + parserStatus = crlgen_createNewLangStruct(parserData, + CRLGEN_ADD_EXTENSION_CONTEXT); + if (parserStatus != SECSuccess) + return parserStatus; +} else { + parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_ID); + if (parserStatus != SECSuccess) + return parserStatus; +} +} + +"=" + +\"[^\"]* { +if (yytext[yyleng-1] == '\\') { + yymore(); +} else { + register int c; + c = input(); + if (c != '\"') { + printf( "Error: Line ending \" is missing: %c\n", c); + unput(c); + } else { + parserStatus = crlgen_setNextData(parserData, yytext + 1, + CRLGEN_TYPE_STRING); + if (parserStatus != SECSuccess) + return parserStatus; + } +} +} + +{N_SP_STRING} { +parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_STRING); +if (parserStatus != SECSuccess) + return parserStatus; +} + + + +^#[^\n]* /* eat up one-line comments */ {} + +[ \t]+ {} + +(\n|\r\n) { +parserStatus = crlgen_updateCrl(parserData); +if (parserStatus != SECSuccess) + return parserStatus; +} + +. { + fprintf(stderr, "Syntax error at line %d: unknown token %s\n", + parserData->parsedLineNum, yytext); + return SECFailure; +} + +%% +#include "prlock.h" + +static PRLock *parserInvocationLock; + +void CRLGEN_InitCrlGenParserLock() +{ + parserInvocationLock = PR_NewLock(); +} + +void CRLGEN_DestroyCrlGenParserLock() +{ + PR_DestroyLock(parserInvocationLock); +} + + +SECStatus CRLGEN_StartCrlGen(CRLGENGeneratorData *parserCtlData) +{ + SECStatus rv; + + PR_Lock(parserInvocationLock); + + parserStatus = SECSuccess; + parserData = parserCtlData; + src = parserCtlData->src; + + rv = yylex(); + + PR_Unlock(parserInvocationLock); + + return rv; +} + +int yywrap() {return 1;} diff --git a/security/nss/cmd/crlutil/crlutil.c b/security/nss/cmd/crlutil/crlutil.c new file mode 100644 index 000000000..bdf112b4a --- /dev/null +++ b/security/nss/cmd/crlutil/crlutil.c @@ -0,0 +1,1153 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* +** certutil.c +** +** utility for managing certificates and the cert database +** +*/ +/* test only */ + +#include "nspr.h" +#include "plgetopt.h" +#include "secutil.h" +#include "cert.h" +#include "certi.h" +#include "certdb.h" +#include "nss.h" +#include "pk11func.h" +#include "crlgen.h" + +#define SEC_CERT_DB_EXISTS 0 +#define SEC_CREATE_CERT_DB 1 + +static char *progName; + +static CERTSignedCrl * +FindCRL(CERTCertDBHandle *certHandle, char *name, int type) +{ + CERTSignedCrl *crl = NULL; + CERTCertificate *cert = NULL; + SECItem derName; + + derName.data = NULL; + derName.len = 0; + + cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, name); + if (!cert) { + CERTName *certName = NULL; + PLArenaPool *arena = NULL; + SECStatus rv = SECSuccess; + + certName = CERT_AsciiToName(name); + if (certName) { + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena) { + SECItem *nameItem = + SEC_ASN1EncodeItem(arena, NULL, (void *)certName, + SEC_ASN1_GET(CERT_NameTemplate)); + if (nameItem) { + rv = SECITEM_CopyItem(NULL, &derName, nameItem); + } + PORT_FreeArena(arena, PR_FALSE); + } + CERT_DestroyName(certName); + } + + if (rv != SECSuccess) { + SECU_PrintError(progName, "SECITEM_CopyItem failed, out of memory"); + return ((CERTSignedCrl *)NULL); + } + + if (!derName.len || !derName.data) { + SECU_PrintError(progName, "could not find certificate named '%s'", name); + return ((CERTSignedCrl *)NULL); + } + } else { + SECITEM_CopyItem(NULL, &derName, &cert->derSubject); + CERT_DestroyCertificate(cert); + } + + crl = SEC_FindCrlByName(certHandle, &derName, type); + if (crl == NULL) + SECU_PrintError(progName, "could not find %s's CRL", name); + if (derName.data) { + SECITEM_FreeItem(&derName, PR_FALSE); + } + return (crl); +} + +static SECStatus +DisplayCRL(CERTCertDBHandle *certHandle, char *nickName, int crlType) +{ + CERTSignedCrl *crl = NULL; + + crl = FindCRL(certHandle, nickName, crlType); + + if (crl) { + SECU_PrintCRLInfo(stdout, &crl->crl, "CRL Info:\n", 0); + SEC_DestroyCrl(crl); + return SECSuccess; + } + return SECFailure; +} + +static void +ListCRLNames(CERTCertDBHandle *certHandle, int crlType, PRBool deletecrls) +{ + CERTCrlHeadNode *crlList = NULL; + CERTCrlNode *crlNode = NULL; + CERTName *name = NULL; + PLArenaPool *arena = NULL; + SECStatus rv; + + do { + arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + if (arena == NULL) { + fprintf(stderr, "%s: fail to allocate memory\n", progName); + break; + } + + name = PORT_ArenaZAlloc(arena, sizeof(*name)); + if (name == NULL) { + fprintf(stderr, "%s: fail to allocate memory\n", progName); + break; + } + name->arena = arena; + + rv = SEC_LookupCrls(certHandle, &crlList, crlType); + if (rv != SECSuccess) { + fprintf(stderr, "%s: fail to look up CRLs (%s)\n", progName, + SECU_Strerror(PORT_GetError())); + break; + } + + /* just in case */ + if (!crlList) + break; + + crlNode = crlList->first; + + fprintf(stdout, "\n"); + fprintf(stdout, "\n%-40s %-5s\n\n", "CRL names", "CRL Type"); + while (crlNode) { + char *asciiname = NULL; + CERTCertificate *cert = NULL; + if (crlNode->crl && crlNode->crl->crl.derName.data != NULL) { + cert = CERT_FindCertByName(certHandle, + &crlNode->crl->crl.derName); + if (!cert) { + SECU_PrintError(progName, "could not find signing " + "certificate in database"); + } + } + if (cert) { + char *certName = NULL; + if (cert->nickname && PORT_Strlen(cert->nickname) > 0) { + certName = cert->nickname; + } else if (cert->emailAddr && PORT_Strlen(cert->emailAddr) > 0) { + certName = cert->emailAddr; + } + if (certName) { + asciiname = PORT_Strdup(certName); + } + CERT_DestroyCertificate(cert); + } + + if (!asciiname) { + name = &crlNode->crl->crl.name; + if (!name) { + SECU_PrintError(progName, "fail to get the CRL " + "issuer name"); + continue; + } + asciiname = CERT_NameToAscii(name); + } + fprintf(stdout, "%-40s %-5s\n", asciiname, "CRL"); + if (asciiname) { + PORT_Free(asciiname); + } + if (PR_TRUE == deletecrls) { + CERTSignedCrl *acrl = NULL; + SECItem *issuer = &crlNode->crl->crl.derName; + acrl = SEC_FindCrlByName(certHandle, issuer, crlType); + if (acrl) { + SEC_DeletePermCRL(acrl); + SEC_DestroyCrl(acrl); + } + } + crlNode = crlNode->next; + } + + } while (0); + if (crlList) + PORT_FreeArena(crlList->arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); +} + +static SECStatus +ListCRL(CERTCertDBHandle *certHandle, char *nickName, int crlType) +{ + if (nickName == NULL) { + ListCRLNames(certHandle, crlType, PR_FALSE); + return SECSuccess; + } + + return DisplayCRL(certHandle, nickName, crlType); +} + +static SECStatus +DeleteCRL(CERTCertDBHandle *certHandle, char *name, int type) +{ + CERTSignedCrl *crl = NULL; + SECStatus rv = SECFailure; + + crl = FindCRL(certHandle, name, type); + if (!crl) { + SECU_PrintError(progName, "could not find the issuer %s's CRL", name); + return SECFailure; + } + rv = SEC_DeletePermCRL(crl); + SEC_DestroyCrl(crl); + if (rv != SECSuccess) { + SECU_PrintError(progName, "fail to delete the issuer %s's CRL " + "from the perm database (reason: %s)", + name, SECU_Strerror(PORT_GetError())); + return SECFailure; + } + return (rv); +} + +SECStatus +ImportCRL(CERTCertDBHandle *certHandle, char *url, int type, + PRFileDesc *inFile, PRInt32 importOptions, PRInt32 decodeOptions, + secuPWData *pwdata) +{ + CERTSignedCrl *crl = NULL; + SECItem crlDER; + PK11SlotInfo *slot = NULL; + int rv; +#if defined(DEBUG_jp96085) + PRIntervalTime starttime, endtime, elapsed; + PRUint32 mins, secs, msecs; +#endif + + crlDER.data = NULL; + + /* Read in the entire file specified with the -f argument */ + rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE); + if (rv != SECSuccess) { + SECU_PrintError(progName, "unable to read input file"); + return (SECFailure); + } + + decodeOptions |= CRL_DECODE_DONT_COPY_DER; + + slot = PK11_GetInternalKeySlot(); + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) + goto loser; + } + +#if defined(DEBUG_jp96085) + starttime = PR_IntervalNow(); +#endif + crl = PK11_ImportCRL(slot, &crlDER, url, type, + NULL, importOptions, NULL, decodeOptions); +#if defined(DEBUG_jp96085) + endtime = PR_IntervalNow(); + elapsed = endtime - starttime; + mins = PR_IntervalToSeconds(elapsed) / 60; + secs = PR_IntervalToSeconds(elapsed) % 60; + msecs = PR_IntervalToMilliseconds(elapsed) % 1000; + printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs); +#endif + if (!crl) { + const char *errString; + + rv = SECFailure; + errString = SECU_Strerror(PORT_GetError()); + if (errString && PORT_Strlen(errString) == 0) + SECU_PrintError(progName, + "CRL is not imported (error: input CRL is not up to date.)"); + else + SECU_PrintError(progName, "unable to import CRL"); + } else { + SEC_DestroyCrl(crl); + } +loser: + if (slot) { + PK11_FreeSlot(slot); + } + SECITEM_FreeItem(&crlDER, PR_FALSE); + return (rv); +} + +SECStatus +DumpCRL(PRFileDesc *inFile) +{ + int rv; + PLArenaPool *arena = NULL; + CERTSignedCrl *newCrl = NULL; + + SECItem crlDER; + crlDER.data = NULL; + + /* Read in the entire file specified with the -f argument */ + rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE); + if (rv != SECSuccess) { + SECU_PrintError(progName, "unable to read input file"); + return (SECFailure); + } + + rv = SEC_ERROR_NO_MEMORY; + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!arena) + return rv; + + newCrl = CERT_DecodeDERCrlWithFlags(arena, &crlDER, SEC_CRL_TYPE, + CRL_DECODE_DEFAULT_OPTIONS); + if (!newCrl) + return SECFailure; + + SECU_PrintCRLInfo(stdout, &newCrl->crl, "CRL file contents", 0); + + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +static CERTCertificate * +FindSigningCert(CERTCertDBHandle *certHandle, CERTSignedCrl *signCrl, + char *certNickName) +{ + CERTCertificate *cert = NULL, *certTemp = NULL; + SECStatus rv = SECFailure; + CERTAuthKeyID *authorityKeyID = NULL; + SECItem *subject = NULL; + + PORT_Assert(certHandle != NULL); + if (!certHandle || (!signCrl && !certNickName)) { + SECU_PrintError(progName, "invalid args for function " + "FindSigningCert \n"); + return NULL; + } + + if (signCrl) { +#if 0 + authorityKeyID = SECU_FindCRLAuthKeyIDExten(tmpArena, scrl); +#endif + subject = &signCrl->crl.derName; + } else { + certTemp = CERT_FindCertByNickname(certHandle, certNickName); + if (!certTemp) { + SECU_PrintError(progName, "could not find certificate \"%s\" " + "in database", + certNickName); + goto loser; + } + subject = &certTemp->derSubject; + } + + cert = SECU_FindCrlIssuer(certHandle, subject, authorityKeyID, PR_Now()); + if (!cert) { + SECU_PrintError(progName, "could not find signing certificate " + "in database"); + goto loser; + } else { + rv = SECSuccess; + } + +loser: + if (certTemp) + CERT_DestroyCertificate(certTemp); + if (cert && rv != SECSuccess) + CERT_DestroyCertificate(cert); + return cert; +} + +static CERTSignedCrl * +CreateModifiedCRLCopy(PLArenaPool *arena, CERTCertDBHandle *certHandle, + CERTCertificate **cert, char *certNickName, + PRFileDesc *inFile, PRInt32 decodeOptions, + PRInt32 importOptions, secuPWData *pwdata) +{ + SECItem crlDER = { 0, NULL, 0 }; + CERTSignedCrl *signCrl = NULL; + CERTSignedCrl *modCrl = NULL; + PLArenaPool *modArena = NULL; + SECStatus rv = SECSuccess; + + if (!arena || !certHandle || !certNickName) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + SECU_PrintError(progName, "CreateModifiedCRLCopy: invalid args\n"); + return NULL; + } + + modArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + if (!modArena) { + SECU_PrintError(progName, "fail to allocate memory\n"); + return NULL; + } + + if (inFile != NULL) { + rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE); + if (rv != SECSuccess) { + SECU_PrintError(progName, "unable to read input file"); + PORT_FreeArena(modArena, PR_FALSE); + goto loser; + } + + decodeOptions |= CRL_DECODE_DONT_COPY_DER; + + modCrl = CERT_DecodeDERCrlWithFlags(modArena, &crlDER, SEC_CRL_TYPE, + decodeOptions); + if (!modCrl) { + SECU_PrintError(progName, "fail to decode CRL"); + goto loser; + } + + if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)) { + /* If caCert is a v2 certificate, make sure that it + * can be used for crl signing purpose */ + *cert = FindSigningCert(certHandle, modCrl, NULL); + if (!*cert) { + goto loser; + } + + rv = CERT_VerifySignedData(&modCrl->signatureWrap, *cert, + PR_Now(), pwdata); + if (rv != SECSuccess) { + SECU_PrintError(progName, "fail to verify signed data\n"); + goto loser; + } + } + } else { + modCrl = FindCRL(certHandle, certNickName, SEC_CRL_TYPE); + if (!modCrl) { + SECU_PrintError(progName, "fail to find crl %s in database\n", + certNickName); + goto loser; + } + } + + signCrl = PORT_ArenaZNew(arena, CERTSignedCrl); + if (signCrl == NULL) { + SECU_PrintError(progName, "fail to allocate memory\n"); + goto loser; + } + + rv = SECU_CopyCRL(arena, &signCrl->crl, &modCrl->crl); + if (rv != SECSuccess) { + SECU_PrintError(progName, "unable to dublicate crl for " + "modification."); + goto loser; + } + + /* Make sure the update time is current. It can be modified later + * by "update <time>" command from crl generation script */ + rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now()); + if (rv != SECSuccess) { + SECU_PrintError(progName, "fail to encode current time\n"); + goto loser; + } + + signCrl->arena = arena; + signCrl->referenceCount = 1; + +loser: + if (crlDER.data) { + SECITEM_FreeItem(&crlDER, PR_FALSE); + } + if (modArena && (!modCrl || modCrl->arena != modArena)) { + PORT_FreeArena(modArena, PR_FALSE); + } + if (modCrl) + SEC_DestroyCrl(modCrl); + if (rv != SECSuccess && signCrl) { + SEC_DestroyCrl(signCrl); + signCrl = NULL; + } + return signCrl; +} + +static CERTSignedCrl * +CreateNewCrl(PLArenaPool *arena, CERTCertDBHandle *certHandle, + CERTCertificate *cert) +{ + CERTSignedCrl *signCrl = NULL; + void *dummy = NULL; + SECStatus rv; + void *mark = NULL; + + /* if the CERTSignedCrl structure changes, this function will need to be + updated as well */ + if (!cert || !arena) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + SECU_PrintError(progName, "invalid args for function " + "CreateNewCrl\n"); + return NULL; + } + + mark = PORT_ArenaMark(arena); + + signCrl = PORT_ArenaZNew(arena, CERTSignedCrl); + if (signCrl == NULL) { + SECU_PrintError(progName, "fail to allocate memory\n"); + return NULL; + } + + dummy = SEC_ASN1EncodeInteger(arena, &signCrl->crl.version, + SEC_CRL_VERSION_2); + /* set crl->version */ + if (!dummy) { + SECU_PrintError(progName, "fail to create crl version data " + "container\n"); + goto loser; + } + + /* copy SECItem name from cert */ + rv = SECITEM_CopyItem(arena, &signCrl->crl.derName, &cert->derSubject); + if (rv != SECSuccess) { + SECU_PrintError(progName, "fail to duplicate der name from " + "certificate.\n"); + goto loser; + } + + /* copy CERTName name structure from cert issuer */ + rv = CERT_CopyName(arena, &signCrl->crl.name, &cert->subject); + if (rv != SECSuccess) { + SECU_PrintError(progName, "fail to duplicate RD name from " + "certificate.\n"); + goto loser; + } + + rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now()); + if (rv != SECSuccess) { + SECU_PrintError(progName, "fail to encode current time\n"); + goto loser; + } + + /* set fields */ + signCrl->arena = arena; + signCrl->dbhandle = certHandle; + signCrl->crl.arena = arena; + + PORT_ArenaUnmark(arena, mark); + + return signCrl; + +loser: + PORT_ArenaRelease(arena, mark); + return NULL; +} + +static SECStatus +UpdateCrl(CERTSignedCrl *signCrl, PRFileDesc *inCrlInitFile) +{ + CRLGENGeneratorData *crlGenData = NULL; + SECStatus rv; + + if (!signCrl || !inCrlInitFile) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + SECU_PrintError(progName, "invalid args for function " + "CreateNewCrl\n"); + return SECFailure; + } + + crlGenData = CRLGEN_InitCrlGeneration(signCrl, inCrlInitFile); + if (!crlGenData) { + SECU_PrintError(progName, "can not initialize parser structure.\n"); + return SECFailure; + } + + rv = CRLGEN_ExtHandleInit(crlGenData); + if (rv == SECFailure) { + SECU_PrintError(progName, "can not initialize entries handle.\n"); + goto loser; + } + + rv = CRLGEN_StartCrlGen(crlGenData); + if (rv != SECSuccess) { + SECU_PrintError(progName, "crl generation failed"); + goto loser; + } + +loser: + /* CommitExtensionsAndEntries is partially responsible for freeing + * up memory that was used for CRL generation. Should be called regardless + * of previouse call status, but only after initialization of + * crlGenData was done. It will commit all changes that was done before + * an error has occurred. + */ + if (SECSuccess != CRLGEN_CommitExtensionsAndEntries(crlGenData)) { + SECU_PrintError(progName, "crl generation failed"); + rv = SECFailure; + } + CRLGEN_FinalizeCrlGeneration(crlGenData); + return rv; +} + +static SECStatus +SignAndStoreCrl(CERTSignedCrl *signCrl, CERTCertificate *cert, + char *outFileName, SECOidTag hashAlgTag, int ascii, + char *slotName, char *url, secuPWData *pwdata) +{ + PK11SlotInfo *slot = NULL; + PRFileDesc *outFile = NULL; + SECStatus rv; + SignAndEncodeFuncExitStat errCode; + + PORT_Assert(signCrl && (!ascii || outFileName)); + if (!signCrl || (ascii && !outFileName)) { + SECU_PrintError(progName, "invalid args for function " + "SignAndStoreCrl\n"); + return SECFailure; + } + + if (!slotName || !PL_strcmp(slotName, "internal")) + slot = PK11_GetInternalKeySlot(); + else + slot = PK11_FindSlotByName(slotName); + if (!slot) { + SECU_PrintError(progName, "can not find requested slot"); + return SECFailure; + } + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) + goto loser; + } + + rv = SECU_SignAndEncodeCRL(cert, signCrl, hashAlgTag, &errCode); + if (rv != SECSuccess) { + char *errMsg = NULL; + switch (errCode) { + case noKeyFound: + errMsg = "No private key found of signing cert"; + break; + + case noSignatureMatch: + errMsg = "Key and Algorithm OId are do not match"; + break; + + default: + case failToEncode: + errMsg = "Failed to encode crl structure"; + break; + + case failToSign: + errMsg = "Failed to sign crl structure"; + break; + + case noMem: + errMsg = "Can not allocate memory"; + break; + } + SECU_PrintError(progName, "%s\n", errMsg); + goto loser; + } + + if (outFileName) { + outFile = PR_Open(outFileName, PR_WRONLY | PR_CREATE_FILE, PR_IRUSR | PR_IWUSR); + if (!outFile) { + SECU_PrintError(progName, "unable to open \"%s\" for writing\n", + outFileName); + goto loser; + } + } + + rv = SECU_StoreCRL(slot, signCrl->derCrl, outFile, ascii, url); + if (rv != SECSuccess) { + SECU_PrintError(progName, "fail to save CRL\n"); + } + +loser: + if (outFile) + PR_Close(outFile); + if (slot) + PK11_FreeSlot(slot); + return rv; +} + +static SECStatus +GenerateCRL(CERTCertDBHandle *certHandle, char *certNickName, + PRFileDesc *inCrlInitFile, PRFileDesc *inFile, + char *outFileName, int ascii, char *slotName, + PRInt32 importOptions, char *alg, PRBool quiet, + PRInt32 decodeOptions, char *url, secuPWData *pwdata, + int modifyFlag) +{ + CERTCertificate *cert = NULL; + CERTSignedCrl *signCrl = NULL; + PLArenaPool *arena = NULL; + SECStatus rv; + SECOidTag hashAlgTag = SEC_OID_UNKNOWN; + + if (alg) { + hashAlgTag = SECU_StringToSignatureAlgTag(alg); + if (hashAlgTag == SEC_OID_UNKNOWN) { + SECU_PrintError(progName, "%s -Z: %s is not a recognized type.\n", + progName, alg); + return SECFailure; + } + } else { + hashAlgTag = SEC_OID_UNKNOWN; + } + + arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + if (!arena) { + SECU_PrintError(progName, "fail to allocate memory\n"); + return SECFailure; + } + + if (modifyFlag == PR_TRUE) { + signCrl = CreateModifiedCRLCopy(arena, certHandle, &cert, certNickName, + inFile, decodeOptions, importOptions, + pwdata); + if (signCrl == NULL) { + rv = SECFailure; + goto loser; + } + } + + if (!cert) { + cert = FindSigningCert(certHandle, signCrl, certNickName); + if (cert == NULL) { + rv = SECFailure; + goto loser; + } + } + + if (!signCrl) { + if (modifyFlag == PR_TRUE) { + if (!outFileName) { + int len = strlen(certNickName) + 5; + outFileName = PORT_ArenaAlloc(arena, len); + PR_snprintf(outFileName, len, "%s.crl", certNickName); + } + SECU_PrintError(progName, "Will try to generate crl. " + "It will be saved in file: %s", + outFileName); + } + signCrl = CreateNewCrl(arena, certHandle, cert); + if (!signCrl) { + rv = SECFailure; + goto loser; + } + } + + rv = UpdateCrl(signCrl, inCrlInitFile); + if (rv != SECSuccess) { + goto loser; + } + + rv = SignAndStoreCrl(signCrl, cert, outFileName, hashAlgTag, ascii, + slotName, url, pwdata); + if (rv != SECSuccess) { + goto loser; + } + + if (signCrl && !quiet) { + SECU_PrintCRLInfo(stdout, &signCrl->crl, "CRL Info:\n", 0); + } + +loser: + if (arena && (!signCrl || !signCrl->arena)) + PORT_FreeArena(arena, PR_FALSE); + if (signCrl) + SEC_DestroyCrl(signCrl); + if (cert) + CERT_DestroyCertificate(cert); + return (rv); +} + +static void +Usage(char *progName) +{ + fprintf(stderr, + "Usage: %s -L [-n nickname] [-d keydir] [-P dbprefix] [-t crlType]\n" + " %s -D -n nickname [-d keydir] [-P dbprefix]\n" + " %s -S -i crl\n" + " %s -I -i crl -t crlType [-u url] [-d keydir] [-P dbprefix] [-B] " + "[-p pwd-file] -w [pwd-string]\n" + " %s -E -t crlType [-d keydir] [-P dbprefix]\n" + " %s -T\n" + " %s -G|-M -c crl-init-file -n nickname [-i crl] [-u url] " + "[-d keydir] [-P dbprefix] [-Z alg] ] [-p pwd-file] -w [pwd-string] " + "[-a] [-B]\n", + progName, progName, progName, progName, progName, progName, progName); + + fprintf(stderr, "%-15s List CRL\n", "-L"); + fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n", + "-n nickname"); + fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n", + "-d keydir"); + fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n", + "-P dbprefix"); + + fprintf(stderr, "%-15s Delete a CRL from the cert database\n", "-D"); + fprintf(stderr, "%-20s Specify the nickname for the CA certificate\n", + "-n nickname"); + fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType"); + fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n", + "-d keydir"); + fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n", + "-P dbprefix"); + + fprintf(stderr, "%-15s Erase all CRLs of specified type from hte cert database\n", "-E"); + fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType"); + fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n", + "-d keydir"); + fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n", + "-P dbprefix"); + + fprintf(stderr, "%-15s Show contents of a CRL file (without database)\n", "-S"); + fprintf(stderr, "%-20s Specify the file which contains the CRL to show\n", + "-i crl"); + + fprintf(stderr, "%-15s Import a CRL to the cert database\n", "-I"); + fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n", + "-i crl"); + fprintf(stderr, "%-20s Specify the url.\n", "-u url"); + fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType"); + fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n", + "-d keydir"); + fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n", + "-P dbprefix"); +#ifdef DEBUG + fprintf(stderr, "%-15s Test . Only for debugging purposes. See source code\n", "-T"); +#endif + fprintf(stderr, "%-20s CRL Types (default is SEC_CRL_TYPE):\n", " "); + fprintf(stderr, "%-20s \t 0 - SEC_KRL_TYPE\n", " "); + fprintf(stderr, "%-20s \t 1 - SEC_CRL_TYPE\n", " "); + fprintf(stderr, "\n%-20s Bypass CA certificate checks.\n", "-B"); + fprintf(stderr, "\n%-20s Partial decode for faster operation.\n", "-p"); + fprintf(stderr, "%-20s Repeat the operation.\n", "-r <iterations>"); + fprintf(stderr, "\n%-15s Create CRL\n", "-G"); + fprintf(stderr, "%-15s Modify CRL\n", "-M"); + fprintf(stderr, "%-20s Specify crl initialization file\n", + "-c crl-conf-file"); + fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n", + "-n nickname"); + fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n", + "-i crl"); + fprintf(stderr, "%-20s Specify a CRL output file\n", + "-o crl-output-file"); + fprintf(stderr, "%-20s Specify to use base64 encoded CRL output format\n", + "-a"); + fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n", + "-d keydir"); + fprintf(stderr, "%-20s Provide path to a default pwd file\n", + "-f pwd-file"); + fprintf(stderr, "%-20s Provide db password in command line\n", + "-w pwd-string"); + fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n", + "-P dbprefix"); + fprintf(stderr, "%-20s Specify the url.\n", "-u url"); + fprintf(stderr, "\n%-20s Bypass CA certificate checks.\n", "-B"); + + exit(-1); +} + +int +main(int argc, char **argv) +{ + CERTCertDBHandle *certHandle; + PRFileDesc *inFile; + PRFileDesc *inCrlInitFile = NULL; + int generateCRL; + int modifyCRL; + int listCRL; + int importCRL; + int showFileCRL; + int deleteCRL; + int rv; + char *nickName; + char *url; + char *dbPrefix = PORT_Strdup(""); + char *alg = NULL; + char *outFile = NULL; + char *slotName = NULL; + int ascii = 0; + int crlType; + PLOptState *optstate; + PLOptStatus status; + SECStatus secstatus; + PRInt32 decodeOptions = CRL_DECODE_DEFAULT_OPTIONS; + PRInt32 importOptions = CRL_IMPORT_DEFAULT_OPTIONS; + PRBool quiet = PR_FALSE; + PRBool test = PR_FALSE; + PRBool erase = PR_FALSE; + PRInt32 i = 0; + PRInt32 iterations = 1; + PRBool readonly = PR_FALSE; + + secuPWData pwdata = { PW_NONE, 0 }; + + progName = strrchr(argv[0], '/'); + progName = progName ? progName + 1 : argv[0]; + + rv = 0; + deleteCRL = importCRL = listCRL = generateCRL = modifyCRL = showFileCRL = 0; + inFile = NULL; + nickName = url = NULL; + certHandle = NULL; + crlType = SEC_CRL_TYPE; + /* + * Parse command line arguments + */ + optstate = PL_CreateOptState(argc, argv, "sqBCDGILMSTEP:f:d:i:h:n:p:t:u:r:aZ:o:c:"); + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + switch (optstate->option) { + case '?': + Usage(progName); + break; + + case 'T': + test = PR_TRUE; + break; + + case 'E': + erase = PR_TRUE; + break; + + case 'B': + importOptions |= CRL_IMPORT_BYPASS_CHECKS; + break; + + case 'G': + generateCRL = 1; + break; + + case 'M': + modifyCRL = 1; + break; + + case 'D': + deleteCRL = 1; + break; + + case 'I': + importCRL = 1; + break; + + case 'S': + showFileCRL = 1; + break; + + case 'C': + case 'L': + listCRL = 1; + break; + + case 'P': + PORT_Free(dbPrefix); + dbPrefix = PORT_Strdup(optstate->value); + break; + + case 'Z': + alg = PORT_Strdup(optstate->value); + break; + + case 'a': + ascii = 1; + break; + + case 'c': + inCrlInitFile = PR_Open(optstate->value, PR_RDONLY, 0); + if (!inCrlInitFile) { + PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n", + progName, optstate->value); + rv = SECFailure; + goto loser; + } + break; + + case 'd': + SECU_ConfigDirectory(optstate->value); + break; + + case 'f': + pwdata.source = PW_FROMFILE; + pwdata.data = PORT_Strdup(optstate->value); + break; + + case 'h': + slotName = PORT_Strdup(optstate->value); + break; + + case 'i': + inFile = PR_Open(optstate->value, PR_RDONLY, 0); + if (!inFile) { + PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n", + progName, optstate->value); + rv = SECFailure; + goto loser; + } + break; + + case 'n': + nickName = PORT_Strdup(optstate->value); + break; + + case 'o': + outFile = PORT_Strdup(optstate->value); + break; + + case 'p': + decodeOptions |= CRL_DECODE_SKIP_ENTRIES; + break; + + case 'r': { + const char *str = optstate->value; + if (str && atoi(str) > 0) + iterations = atoi(str); + } break; + + case 't': { + crlType = atoi(optstate->value); + if (crlType != SEC_CRL_TYPE && crlType != SEC_KRL_TYPE) { + PR_fprintf(PR_STDERR, "%s: invalid crl type\n", progName); + rv = SECFailure; + goto loser; + } + break; + + case 'q': + quiet = PR_TRUE; + break; + + case 'w': + pwdata.source = PW_PLAINTEXT; + pwdata.data = PORT_Strdup(optstate->value); + break; + + case 'u': + url = PORT_Strdup(optstate->value); + break; + } + } + } + + if (deleteCRL && !nickName) + Usage(progName); + if (importCRL && !inFile) + Usage(progName); + if (showFileCRL && !inFile) + Usage(progName); + if ((generateCRL && !nickName) || + (modifyCRL && !inFile && !nickName)) + Usage(progName); + if (!(listCRL || deleteCRL || importCRL || showFileCRL || generateCRL || + modifyCRL || test || erase)) + Usage(progName); + + if (listCRL || showFileCRL) { + readonly = PR_TRUE; + } + + PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); + + PK11_SetPasswordFunc(SECU_GetModulePassword); + + if (showFileCRL) { + NSS_NoDB_Init(NULL); + } else { + secstatus = NSS_Initialize(SECU_ConfigDirectory(NULL), dbPrefix, dbPrefix, + "secmod.db", readonly ? NSS_INIT_READONLY : 0); + if (secstatus != SECSuccess) { + SECU_PrintPRandOSError(progName); + rv = SECFailure; + goto loser; + } + } + + SECU_RegisterDynamicOids(); + + certHandle = CERT_GetDefaultCertDB(); + if (certHandle == NULL) { + SECU_PrintError(progName, "unable to open the cert db"); + rv = SECFailure; + goto loser; + } + + CRLGEN_InitCrlGenParserLock(); + + for (i = 0; i < iterations; i++) { + /* Read in the private key info */ + if (deleteCRL) + DeleteCRL(certHandle, nickName, crlType); + else if (listCRL) { + rv = ListCRL(certHandle, nickName, crlType); + } else if (importCRL) { + rv = ImportCRL(certHandle, url, crlType, inFile, importOptions, + decodeOptions, &pwdata); + } else if (showFileCRL) { + rv = DumpCRL(inFile); + } else if (generateCRL || modifyCRL) { + if (!inCrlInitFile) + inCrlInitFile = PR_STDIN; + rv = GenerateCRL(certHandle, nickName, inCrlInitFile, + inFile, outFile, ascii, slotName, + importOptions, alg, quiet, + decodeOptions, url, &pwdata, + modifyCRL); + } else if (erase) { + /* list and delete all CRLs */ + ListCRLNames(certHandle, crlType, PR_TRUE); + } +#ifdef DEBUG + else if (test) { + /* list and delete all CRLs */ + ListCRLNames(certHandle, crlType, PR_TRUE); + /* list CRLs */ + ListCRLNames(certHandle, crlType, PR_FALSE); + /* import CRL as a blob */ + rv = ImportCRL(certHandle, url, crlType, inFile, importOptions, + decodeOptions, &pwdata); + /* list CRLs */ + ListCRLNames(certHandle, crlType, PR_FALSE); + } +#endif + } + + CRLGEN_DestroyCrlGenParserLock(); + +loser: + PL_DestroyOptState(optstate); + + if (inFile) { + PR_Close(inFile); + } + if (alg) { + PORT_Free(alg); + } + if (slotName) { + PORT_Free(slotName); + } + if (nickName) { + PORT_Free(nickName); + } + if (outFile) { + PORT_Free(outFile); + } + if (url) { + PORT_Free(url); + } + if (pwdata.data) { + PORT_Free(pwdata.data); + } + + PORT_Free(dbPrefix); + + if (NSS_Shutdown() != SECSuccess) { + rv = SECFailure; + } + + return (rv != SECSuccess); +} diff --git a/security/nss/cmd/crlutil/crlutil.gyp b/security/nss/cmd/crlutil/crlutil.gyp new file mode 100644 index 000000000..470449b0c --- /dev/null +++ b/security/nss/cmd/crlutil/crlutil.gyp @@ -0,0 +1,32 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../coreconf/config.gypi', + '../../cmd/platlibs.gypi' + ], + 'targets': [ + { + 'target_name': 'crlutil', + 'type': 'executable', + 'sources': [ + 'crlgen.c', + 'crlgen_lex.c', + 'crlutil.c' + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:dbm_exports', + '<(DEPTH)/exports.gyp:nss_exports' + ] + } + ], + 'target_defaults': { + 'defines': [ + 'NSPR20' + ] + }, + 'variables': { + 'module': 'nss' + } +}
\ No newline at end of file diff --git a/security/nss/cmd/crlutil/manifest.mn b/security/nss/cmd/crlutil/manifest.mn new file mode 100644 index 000000000..cd0549c6d --- /dev/null +++ b/security/nss/cmd/crlutil/manifest.mn @@ -0,0 +1,25 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +CORE_DEPTH = ../.. + +# MODULE public and private header directories are implicitly REQUIRED. +MODULE = nss + +# This next line is used by .mk files +# and gets translated into $LINCS in manifest.mnw +# The MODULE is always implicitly required. +# Listing it here in REQUIRES makes it appear twice in the cc command line. +REQUIRES = seccmd dbm + +DEFINES = -DNSPR20 + +CSRCS = crlgen_lex.c crlgen.c crlutil.c + +# this has to be different for NT and UNIX. +# PROGRAM = ./$(OBJDIR)/crlutil.exe +PROGRAM = crlutil + +#USE_STATIC_LIBS = 1 |