"Fossies" - the Fresh Open Source Software Archive

Member "nss-3.35/nss/cmd/addbuiltin/addbuiltin.c" (18 Jan 2018, 20424 Bytes) of package /linux/misc/nss-3.35.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "addbuiltin.c" see the Fossies "Dox" file reference documentation.

    1 /* This Source Code Form is subject to the terms of the Mozilla Public
    2  * License, v. 2.0. If a copy of the MPL was not distributed with this
    3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
    4 
    5 /*
    6  * Tool for converting builtin CA certs.
    7  */
    8 
    9 #include "nssrenam.h"
   10 #include "nss.h"
   11 #include "cert.h"
   12 #include "certdb.h"
   13 #include "secutil.h"
   14 #include "pk11func.h"
   15 
   16 #if defined(WIN32)
   17 #include <fcntl.h>
   18 #include <io.h>
   19 #endif
   20 
   21 void
   22 dumpbytes(unsigned char *buf, int len)
   23 {
   24     int i;
   25     for (i = 0; i < len; i++) {
   26         if ((i != 0) && ((i & 0xf) == 0)) {
   27             printf("\n");
   28         }
   29         printf("\\%03o", buf[i]);
   30     }
   31     printf("\n");
   32 }
   33 
   34 int
   35 hasPositiveTrust(unsigned int trust)
   36 {
   37     if (trust & CERTDB_TRUSTED) {
   38         if (trust & CERTDB_TRUSTED_CA) {
   39             return PR_TRUE;
   40         } else {
   41             return PR_FALSE;
   42         }
   43     } else {
   44         if (trust & CERTDB_TRUSTED_CA) {
   45             return PR_TRUE;
   46         } else if (trust & CERTDB_VALID_CA) {
   47             return PR_TRUE;
   48         } else if (trust & CERTDB_TERMINAL_RECORD) {
   49             return PR_FALSE;
   50         } else {
   51             return PR_FALSE;
   52         }
   53     }
   54     return PR_FALSE;
   55 }
   56 
   57 char *
   58 getTrustString(unsigned int trust)
   59 {
   60     if (trust & CERTDB_TRUSTED) {
   61         if (trust & CERTDB_TRUSTED_CA) {
   62             return "CKT_NSS_TRUSTED_DELEGATOR";
   63         } else {
   64             return "CKT_NSS_TRUSTED";
   65         }
   66     } else {
   67         if (trust & CERTDB_TRUSTED_CA) {
   68             return "CKT_NSS_TRUSTED_DELEGATOR";
   69         } else if (trust & CERTDB_VALID_CA) {
   70             return "CKT_NSS_VALID_DELEGATOR";
   71         } else if (trust & CERTDB_TERMINAL_RECORD) {
   72             return "CKT_NSS_NOT_TRUSTED";
   73         } else {
   74             return "CKT_NSS_MUST_VERIFY_TRUST";
   75         }
   76     }
   77     return "CKT_NSS_TRUST_UNKNOWN"; /* not reached */
   78 }
   79 
   80 static const SEC_ASN1Template serialTemplate[] = {
   81     { SEC_ASN1_INTEGER, offsetof(CERTCertificate, serialNumber) },
   82     { 0 }
   83 };
   84 
   85 void
   86 print_crl_info(CERTName *name, SECItem *serial)
   87 {
   88     PRBool saveWrapeState = SECU_GetWrapEnabled();
   89     SECU_EnableWrap(PR_FALSE);
   90 
   91     SECU_PrintNameQuotesOptional(stdout, name, "# Issuer", 0, PR_FALSE);
   92     printf("\n");
   93 
   94     SECU_PrintInteger(stdout, serial, "# Serial Number", 0);
   95 
   96     SECU_EnableWrap(saveWrapeState);
   97 }
   98 
   99 static SECStatus
  100 ConvertCRLEntry(SECItem *sdder, PRInt32 crlentry, char *nickname)
  101 {
  102     int rv;
  103     PLArenaPool *arena = NULL;
  104     CERTSignedCrl *newCrl = NULL;
  105     CERTCrlEntry *entry;
  106 
  107     CERTName *name = NULL;
  108     SECItem *derName = NULL;
  109     SECItem *serial = NULL;
  110 
  111     rv = SEC_ERROR_NO_MEMORY;
  112     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
  113     if (!arena)
  114         return rv;
  115 
  116     newCrl = CERT_DecodeDERCrlWithFlags(arena, sdder, SEC_CRL_TYPE,
  117                                         CRL_DECODE_DEFAULT_OPTIONS);
  118     if (!newCrl)
  119         return SECFailure;
  120 
  121     name = &newCrl->crl.name;
  122     derName = &newCrl->crl.derName;
  123 
  124     if (newCrl->crl.entries != NULL) {
  125         PRInt32 iv = 0;
  126         while ((entry = newCrl->crl.entries[iv++]) != NULL) {
  127             if (crlentry == iv) {
  128                 serial = &entry->serialNumber;
  129                 break;
  130             }
  131         }
  132     }
  133 
  134     if (!name || !derName || !serial)
  135         return SECFailure;
  136 
  137     printf("\n# Distrust \"%s\"\n", nickname);
  138     print_crl_info(name, serial);
  139 
  140     printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n");
  141     printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
  142     printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
  143     printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
  144     printf("CKA_LABEL UTF8 \"%s\"\n", nickname);
  145 
  146     printf("CKA_ISSUER MULTILINE_OCTAL\n");
  147     dumpbytes(derName->data, derName->len);
  148     printf("END\n");
  149     printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
  150     printf("\\002\\%03o", serial->len); /* 002: type integer; len >=3 digits */
  151     dumpbytes(serial->data, serial->len);
  152     printf("END\n");
  153 
  154     printf("CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED\n");
  155     printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED\n");
  156     printf("CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED\n");
  157     printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE\n");
  158 
  159     PORT_FreeArena(arena, PR_FALSE);
  160     return rv;
  161 }
  162 
  163 void
  164 print_info(SECItem *sdder, CERTCertificate *c)
  165 {
  166     PRBool saveWrapeState = SECU_GetWrapEnabled();
  167     SECU_EnableWrap(PR_FALSE);
  168 
  169     SECU_PrintNameQuotesOptional(stdout, &c->issuer, "# Issuer", 0, PR_FALSE);
  170     printf("\n");
  171 
  172     SECU_PrintInteger(stdout, &c->serialNumber, "# Serial Number", 0);
  173 
  174     SECU_PrintNameQuotesOptional(stdout, &c->subject, "# Subject", 0, PR_FALSE);
  175     printf("\n");
  176 
  177     SECU_PrintTimeChoice(stdout, &c->validity.notBefore, "# Not Valid Before", 0);
  178     SECU_PrintTimeChoice(stdout, &c->validity.notAfter, "# Not Valid After ", 0);
  179 
  180     SECU_PrintFingerprints(stdout, sdder, "# Fingerprint", 0);
  181 
  182     SECU_EnableWrap(saveWrapeState);
  183 }
  184 
  185 static SECStatus
  186 ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust,
  187                    PRBool excludeCert, PRBool excludeHash)
  188 {
  189     SECStatus rv = SECSuccess;
  190     CERTCertificate *cert;
  191     unsigned char sha1_hash[SHA1_LENGTH];
  192     unsigned char md5_hash[MD5_LENGTH];
  193     SECItem *serial = NULL;
  194     PRBool step_up = PR_FALSE;
  195     const char *trust_info;
  196 
  197     cert = CERT_DecodeDERCertificate(sdder, PR_FALSE, nickname);
  198     if (!cert) {
  199         return SECFailure;
  200     }
  201     serial = SEC_ASN1EncodeItem(NULL, NULL, cert, serialTemplate);
  202     if (!serial) {
  203         return SECFailure;
  204     }
  205 
  206     if (!excludeCert) {
  207         printf("\n#\n# Certificate \"%s\"\n#\n", nickname);
  208         print_info(sdder, cert);
  209         printf("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n");
  210         printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
  211         printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
  212         printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
  213         printf("CKA_LABEL UTF8 \"%s\"\n", nickname);
  214         printf("CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n");
  215         printf("CKA_SUBJECT MULTILINE_OCTAL\n");
  216         dumpbytes(cert->derSubject.data, cert->derSubject.len);
  217         printf("END\n");
  218         printf("CKA_ID UTF8 \"0\"\n");
  219         printf("CKA_ISSUER MULTILINE_OCTAL\n");
  220         dumpbytes(cert->derIssuer.data, cert->derIssuer.len);
  221         printf("END\n");
  222         printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
  223         dumpbytes(serial->data, serial->len);
  224         printf("END\n");
  225         printf("CKA_VALUE MULTILINE_OCTAL\n");
  226         dumpbytes(sdder->data, sdder->len);
  227         printf("END\n");
  228         if (hasPositiveTrust(trust->sslFlags) ||
  229             hasPositiveTrust(trust->emailFlags) ||
  230             hasPositiveTrust(trust->objectSigningFlags)) {
  231             printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n");
  232         }
  233     }
  234 
  235     if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) ==
  236         CERTDB_TERMINAL_RECORD)
  237         trust_info = "Distrust";
  238     else
  239         trust_info = "Trust for";
  240 
  241     printf("\n# %s \"%s\"\n", trust_info, nickname);
  242     print_info(sdder, cert);
  243 
  244     printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n");
  245     printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
  246     printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
  247     printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
  248     printf("CKA_LABEL UTF8 \"%s\"\n", nickname);
  249 
  250     if (!excludeHash) {
  251         PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len);
  252         printf("CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n");
  253         dumpbytes(sha1_hash, SHA1_LENGTH);
  254         printf("END\n");
  255         PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len);
  256         printf("CKA_CERT_MD5_HASH MULTILINE_OCTAL\n");
  257         dumpbytes(md5_hash, MD5_LENGTH);
  258         printf("END\n");
  259     }
  260 
  261     printf("CKA_ISSUER MULTILINE_OCTAL\n");
  262     dumpbytes(cert->derIssuer.data, cert->derIssuer.len);
  263     printf("END\n");
  264     printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
  265     dumpbytes(serial->data, serial->len);
  266     printf("END\n");
  267 
  268     printf("CKA_TRUST_SERVER_AUTH CK_TRUST %s\n",
  269            getTrustString(trust->sslFlags));
  270     printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST %s\n",
  271            getTrustString(trust->emailFlags));
  272     printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n",
  273            getTrustString(trust->objectSigningFlags));
  274 #ifdef notdef
  275     printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NSS_TRUSTED\n");
  276     printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
  277     printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
  278     printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
  279     printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
  280     printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
  281     printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
  282 #endif
  283 
  284     step_up = (trust->sslFlags & CERTDB_GOVT_APPROVED_CA);
  285     printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n",
  286            step_up ? "CK_TRUE" : "CK_FALSE");
  287 
  288     PORT_Free(sdder->data);
  289     return (rv);
  290 }
  291 
  292 void
  293 printheader()
  294 {
  295     printf("# \n"
  296            "# This Source Code Form is subject to the terms of the Mozilla Public\n"
  297            "# License, v. 2.0. If a copy of the MPL was not distributed with this\n"
  298            "# file, You can obtain one at http://mozilla.org/MPL/2.0/.\n"
  299            "#\n"
  300            "# certdata.txt\n"
  301            "#\n"
  302            "# This file contains the object definitions for the certs and other\n"
  303            "# information \"built into\" NSS.\n"
  304            "#\n"
  305            "# Object definitions:\n"
  306            "#\n"
  307            "#    Certificates\n"
  308            "#\n"
  309            "#  -- Attribute --          -- type --              -- value --\n"
  310            "#  CKA_CLASS                CK_OBJECT_CLASS         CKO_CERTIFICATE\n"
  311            "#  CKA_TOKEN                CK_BBOOL                CK_TRUE\n"
  312            "#  CKA_PRIVATE              CK_BBOOL                CK_FALSE\n"
  313            "#  CKA_MODIFIABLE           CK_BBOOL                CK_FALSE\n"
  314            "#  CKA_LABEL                UTF8                    (varies)\n"
  315            "#  CKA_CERTIFICATE_TYPE     CK_CERTIFICATE_TYPE     CKC_X_509\n"
  316            "#  CKA_SUBJECT              DER+base64              (varies)\n"
  317            "#  CKA_ID                   byte array              (varies)\n"
  318            "#  CKA_ISSUER               DER+base64              (varies)\n"
  319            "#  CKA_SERIAL_NUMBER        DER+base64              (varies)\n"
  320            "#  CKA_VALUE                DER+base64              (varies)\n"
  321            "#  CKA_NSS_EMAIL            ASCII7                  (unused here)\n"
  322            "#\n"
  323            "#    Trust\n"
  324            "#\n"
  325            "#  -- Attribute --              -- type --          -- value --\n"
  326            "#  CKA_CLASS                    CK_OBJECT_CLASS     CKO_TRUST\n"
  327            "#  CKA_TOKEN                    CK_BBOOL            CK_TRUE\n"
  328            "#  CKA_PRIVATE                  CK_BBOOL            CK_FALSE\n"
  329            "#  CKA_MODIFIABLE               CK_BBOOL            CK_FALSE\n"
  330            "#  CKA_LABEL                    UTF8                (varies)\n"
  331            "#  CKA_ISSUER                   DER+base64          (varies)\n"
  332            "#  CKA_SERIAL_NUMBER            DER+base64          (varies)\n"
  333            "#  CKA_CERT_HASH                binary+base64       (varies)\n"
  334            "#  CKA_EXPIRES                  CK_DATE             (not used here)\n"
  335            "#  CKA_TRUST_DIGITAL_SIGNATURE  CK_TRUST            (varies)\n"
  336            "#  CKA_TRUST_NON_REPUDIATION    CK_TRUST            (varies)\n"
  337            "#  CKA_TRUST_KEY_ENCIPHERMENT   CK_TRUST            (varies)\n"
  338            "#  CKA_TRUST_DATA_ENCIPHERMENT  CK_TRUST            (varies)\n"
  339            "#  CKA_TRUST_KEY_AGREEMENT      CK_TRUST            (varies)\n"
  340            "#  CKA_TRUST_KEY_CERT_SIGN      CK_TRUST            (varies)\n"
  341            "#  CKA_TRUST_CRL_SIGN           CK_TRUST            (varies)\n"
  342            "#  CKA_TRUST_SERVER_AUTH        CK_TRUST            (varies)\n"
  343            "#  CKA_TRUST_CLIENT_AUTH        CK_TRUST            (varies)\n"
  344            "#  CKA_TRUST_CODE_SIGNING       CK_TRUST            (varies)\n"
  345            "#  CKA_TRUST_EMAIL_PROTECTION   CK_TRUST            (varies)\n"
  346            "#  CKA_TRUST_IPSEC_END_SYSTEM   CK_TRUST            (varies)\n"
  347            "#  CKA_TRUST_IPSEC_TUNNEL       CK_TRUST            (varies)\n"
  348            "#  CKA_TRUST_IPSEC_USER         CK_TRUST            (varies)\n"
  349            "#  CKA_TRUST_TIME_STAMPING      CK_TRUST            (varies)\n"
  350            "#  (other trust attributes can be defined)\n"
  351            "#\n"
  352            "\n"
  353            "#\n"
  354            "# The object to tell NSS that this is a root list and we don't\n"
  355            "# have to go looking for others.\n"
  356            "#\n"
  357            "BEGINDATA\n"
  358            "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST\n"
  359            "CKA_TOKEN CK_BBOOL CK_TRUE\n"
  360            "CKA_PRIVATE CK_BBOOL CK_FALSE\n"
  361            "CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
  362            "CKA_LABEL UTF8 \"Mozilla Builtin Roots\"\n");
  363 }
  364 
  365 static void
  366 Usage(char *progName)
  367 {
  368     fprintf(stderr, "%s -t trust -n nickname [-i certfile] [-c] [-h]\n", progName);
  369     fprintf(stderr,
  370             "\tRead a der-encoded cert from certfile or stdin, and output\n"
  371             "\tit to stdout in a format suitable for the builtin root module.\n"
  372             "\tExample: %s -n MyCA -t \"C,C,C\" -i myca.der >> certdata.txt\n",
  373             progName);
  374     fprintf(stderr, "%s -D -n label [-i certfile]\n", progName);
  375     fprintf(stderr,
  376             "\tRead a der-encoded cert from certfile or stdin, and output\n"
  377             "\ta distrust record.\n"
  378             "\t(-D is equivalent to -t p,p,p -c -h)\n");
  379     fprintf(stderr, "%s -C -e crl-entry-number -n label [-i crlfile]\n", progName);
  380     fprintf(stderr,
  381             "\tRead a CRL from crlfile or stdin, and output\n"
  382             "\ta distrust record (issuer+serial).\n"
  383             "\t(-C implies -c -h)\n");
  384     fprintf(stderr, "%-15s trust flags (cCTpPuw).\n", "-t trust");
  385     fprintf(stderr, "%-15s nickname to assign to builtin cert, or\n",
  386             "-n nickname");
  387     fprintf(stderr, "%-15s a label for the distrust record.\n", "");
  388     fprintf(stderr, "%-15s exclude the certificate (only add a trust record)\n", "-c");
  389     fprintf(stderr, "%-15s exclude hash from trust record\n", "-h");
  390     fprintf(stderr, "%-15s     (useful to distrust any matching issuer/serial)\n", "");
  391     fprintf(stderr, "%-15s     (not allowed when adding positive trust)\n", "");
  392     fprintf(stderr, "%-15s a CRL entry number, as shown by \"crlutil -S\"\n", "-e");
  393     fprintf(stderr, "%-15s input file to read (default stdin)\n", "-i file");
  394     fprintf(stderr, "%-15s     (pipe through atob if the cert is b64-encoded)\n", "");
  395     exit(-1);
  396 }
  397 
  398 enum {
  399     opt_Input = 0,
  400     opt_Nickname,
  401     opt_Trust,
  402     opt_Distrust,
  403     opt_ExcludeCert,
  404     opt_ExcludeHash,
  405     opt_DistrustCRL,
  406     opt_CRLEnry
  407 };
  408 
  409 static secuCommandFlag addbuiltin_options[] =
  410     {
  411       { /* opt_Input         */ 'i', PR_TRUE, 0, PR_FALSE },
  412       { /* opt_Nickname      */ 'n', PR_TRUE, 0, PR_FALSE },
  413       { /* opt_Trust         */ 't', PR_TRUE, 0, PR_FALSE },
  414       { /* opt_Distrust      */ 'D', PR_FALSE, 0, PR_FALSE },
  415       { /* opt_ExcludeCert   */ 'c', PR_FALSE, 0, PR_FALSE },
  416       { /* opt_ExcludeHash   */ 'h', PR_FALSE, 0, PR_FALSE },
  417       { /* opt_DistrustCRL   */ 'C', PR_FALSE, 0, PR_FALSE },
  418       { /* opt_CRLEnry       */ 'e', PR_TRUE, 0, PR_FALSE },
  419     };
  420 
  421 int
  422 main(int argc, char **argv)
  423 {
  424     SECStatus rv;
  425     char *nickname = NULL;
  426     char *trusts = NULL;
  427     char *progName;
  428     PRFileDesc *infile;
  429     CERTCertTrust trust = { 0 };
  430     SECItem derItem = { 0 };
  431     PRInt32 crlentry = 0;
  432     PRInt32 mutuallyExclusiveOpts = 0;
  433     PRBool decodeTrust = PR_FALSE;
  434 
  435     secuCommand addbuiltin = { 0 };
  436     addbuiltin.numOptions = sizeof(addbuiltin_options) / sizeof(secuCommandFlag);
  437     addbuiltin.options = addbuiltin_options;
  438 
  439     progName = strrchr(argv[0], '/');
  440     progName = progName ? progName + 1 : argv[0];
  441 
  442     rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);
  443 
  444     if (rv != SECSuccess)
  445         Usage(progName);
  446 
  447     if (addbuiltin.options[opt_Trust].activated)
  448         ++mutuallyExclusiveOpts;
  449     if (addbuiltin.options[opt_Distrust].activated)
  450         ++mutuallyExclusiveOpts;
  451     if (addbuiltin.options[opt_DistrustCRL].activated)
  452         ++mutuallyExclusiveOpts;
  453 
  454     if (mutuallyExclusiveOpts != 1) {
  455         fprintf(stderr, "%s: you must specify exactly one of -t or -D or -C\n",
  456                 progName);
  457         Usage(progName);
  458     }
  459 
  460     if (addbuiltin.options[opt_DistrustCRL].activated) {
  461         if (!addbuiltin.options[opt_CRLEnry].activated) {
  462             fprintf(stderr, "%s: you must specify the CRL entry number.\n",
  463                     progName);
  464             Usage(progName);
  465         } else {
  466             crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg);
  467             if (crlentry < 1) {
  468                 fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
  469                         progName);
  470                 Usage(progName);
  471             }
  472         }
  473     }
  474 
  475     if (!addbuiltin.options[opt_Nickname].activated) {
  476         fprintf(stderr, "%s: you must specify parameter -n (a nickname or a label).\n",
  477                 progName);
  478         Usage(progName);
  479     }
  480 
  481     if (addbuiltin.options[opt_Input].activated) {
  482         infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
  483         if (!infile) {
  484             fprintf(stderr, "%s: failed to open input file.\n", progName);
  485             exit(1);
  486         }
  487     } else {
  488 #if defined(WIN32)
  489         /* If we're going to read binary data from stdin, we must put stdin
  490     ** into O_BINARY mode or else incoming \r\n's will become \n's,
  491     ** and latin-1 characters will be altered.
  492     */
  493 
  494         int smrv = _setmode(_fileno(stdin), _O_BINARY);
  495         if (smrv == -1) {
  496             fprintf(stderr,
  497                     "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
  498                     progName);
  499             exit(1);
  500         }
  501 #endif
  502         infile = PR_STDIN;
  503     }
  504 
  505 #if defined(WIN32)
  506     /* We must put stdout into O_BINARY mode or else the output will include
  507     ** carriage returns.
  508     */
  509     {
  510         int smrv = _setmode(_fileno(stdout), _O_BINARY);
  511         if (smrv == -1) {
  512             fprintf(stderr, "%s: Cannot change stdout to binary mode.\n", progName);
  513             exit(1);
  514         }
  515     }
  516 #endif
  517 
  518     nickname = strdup(addbuiltin.options[opt_Nickname].arg);
  519 
  520     NSS_NoDB_Init(NULL);
  521 
  522     if (addbuiltin.options[opt_Distrust].activated ||
  523         addbuiltin.options[opt_DistrustCRL].activated) {
  524         addbuiltin.options[opt_ExcludeCert].activated = PR_TRUE;
  525         addbuiltin.options[opt_ExcludeHash].activated = PR_TRUE;
  526     }
  527 
  528     if (addbuiltin.options[opt_Distrust].activated) {
  529         trusts = strdup("p,p,p");
  530         decodeTrust = PR_TRUE;
  531     } else if (addbuiltin.options[opt_Trust].activated) {
  532         trusts = strdup(addbuiltin.options[opt_Trust].arg);
  533         decodeTrust = PR_TRUE;
  534     }
  535 
  536     if (decodeTrust) {
  537         rv = CERT_DecodeTrustString(&trust, trusts);
  538         if (rv) {
  539             fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
  540             Usage(progName);
  541         }
  542     }
  543 
  544     if (addbuiltin.options[opt_Trust].activated &&
  545         addbuiltin.options[opt_ExcludeHash].activated) {
  546         if ((trust.sslFlags | trust.emailFlags | trust.objectSigningFlags) !=
  547             CERTDB_TERMINAL_RECORD) {
  548             fprintf(stderr, "%s: Excluding the hash only allowed with distrust.\n", progName);
  549             Usage(progName);
  550         }
  551     }
  552 
  553     SECU_FileToItem(&derItem, infile);
  554 
  555     /*printheader();*/
  556 
  557     if (addbuiltin.options[opt_DistrustCRL].activated) {
  558         rv = ConvertCRLEntry(&derItem, crlentry, nickname);
  559     } else {
  560         rv = ConvertCertificate(&derItem, nickname, &trust,
  561                                 addbuiltin.options[opt_ExcludeCert].activated,
  562                                 addbuiltin.options[opt_ExcludeHash].activated);
  563         if (rv) {
  564             fprintf(stderr, "%s: failed to convert certificate.\n", progName);
  565             exit(1);
  566         }
  567     }
  568 
  569     if (NSS_Shutdown() != SECSuccess) {
  570         exit(1);
  571     }
  572 
  573     return (SECSuccess);
  574 }