/security/nss/cmd/certutil/certext.c
C | 1817 lines | 1471 code | 238 blank | 108 comment | 385 complexity | 80abf726914889ad06d1182531db211d MD5 | raw file
Possible License(s): MPL-2.0-no-copyleft-exception, LGPL-3.0, AGPL-1.0, LGPL-2.1, BSD-3-Clause, GPL-2.0, JSON, Apache-2.0, 0BSD
- /* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
- /*
- ** certext.c
- **
- ** part of certutil for managing certificates extensions
- **
- */
- #include <stdio.h>
- #include <string.h>
- #include <stdlib.h>
- #if defined(WIN32)
- #include "fcntl.h"
- #include "io.h"
- #endif
- #include "secutil.h"
- #if defined(XP_UNIX)
- #include <unistd.h>
- #endif
- #include "cert.h"
- #include "xconst.h"
- #include "prprf.h"
- #include "certutil.h"
- #define GEN_BREAK(e) rv=e; break;
- static char *
- Gets_s(char *buff, size_t size) {
- char *str;
-
- if (buff == NULL || size < 1) {
- PORT_Assert(0);
- return NULL;
- }
- if ((str = fgets(buff, size, stdin)) != NULL) {
- int len = PORT_Strlen(str);
- /*
- * fgets() automatically converts native text file
- * line endings to '\n'. As defensive programming
- * (just in case fgets has a bug or we put stdin in
- * binary mode by mistake), we handle three native
- * text file line endings here:
- * '\n' Unix (including Linux and Mac OS X)
- * '\r''\n' DOS/Windows & OS/2
- * '\r' Mac OS Classic
- * len can not be less then 1, since in case with
- * empty string it has at least '\n' in the buffer
- */
- if (buff[len - 1] == '\n' || buff[len - 1] == '\r') {
- buff[len - 1] = '\0';
- if (len > 1 && buff[len - 2] == '\r')
- buff[len - 2] = '\0';
- }
- } else {
- buff[0] = '\0';
- }
- return str;
- }
- static SECStatus
- PrintChoicesAndGetAnswer(char* str, char* rBuff, int rSize)
- {
- fputs(str, stdout);
- fputs(" > ", stdout);
- fflush (stdout);
- if (Gets_s(rBuff, rSize) == NULL) {
- PORT_SetError(SEC_ERROR_INPUT_LEN);
- return SECFailure;
- }
- return SECSuccess;
- }
- static CERTGeneralName *
- GetGeneralName (PRArenaPool *arena)
- {
- CERTGeneralName *namesList = NULL;
- CERTGeneralName *current;
- CERTGeneralName *tail = NULL;
- SECStatus rv = SECSuccess;
- int intValue;
- char buffer[512];
- void *mark;
- PORT_Assert (arena);
- mark = PORT_ArenaMark (arena);
- do {
- if (PrintChoicesAndGetAnswer(
- "\nSelect one of the following general name type: \n"
- "\t2 - rfc822Name\n"
- "\t3 - dnsName\n"
- "\t5 - directoryName\n"
- "\t7 - uniformResourceidentifier\n"
- "\t8 - ipAddress\n"
- "\t9 - registerID\n"
- "\tAny other number to finish\n"
- "\t\tChoice:", buffer, sizeof(buffer)) == SECFailure) {
- GEN_BREAK (SECFailure);
- }
- intValue = PORT_Atoi (buffer);
- /*
- * Should use ZAlloc instead of Alloc to avoid problem with garbage
- * initialized pointers in CERT_CopyName
- */
- switch (intValue) {
- case certRFC822Name:
- case certDNSName:
- case certDirectoryName:
- case certURI:
- case certIPAddress:
- case certRegisterID:
- break;
- default:
- intValue = 0; /* force a break for anything else */
- }
- if (intValue == 0)
- break;
-
- if (namesList == NULL) {
- namesList = current = tail =
- PORT_ArenaZNew(arena, CERTGeneralName);
- } else {
- current = PORT_ArenaZNew(arena, CERTGeneralName);
- }
- if (current == NULL) {
- GEN_BREAK (SECFailure);
- }
- current->type = intValue;
- puts ("\nEnter data:");
- fflush (stdout);
- if (Gets_s (buffer, sizeof(buffer)) == NULL) {
- PORT_SetError(SEC_ERROR_INPUT_LEN);
- GEN_BREAK (SECFailure);
- }
- switch (current->type) {
- case certURI:
- case certDNSName:
- case certRFC822Name:
- current->name.other.data =
- PORT_ArenaAlloc (arena, strlen (buffer));
- if (current->name.other.data == NULL) {
- GEN_BREAK (SECFailure);
- }
- PORT_Memcpy(current->name.other.data, buffer,
- current->name.other.len = strlen(buffer));
- break;
- case certEDIPartyName:
- case certIPAddress:
- case certOtherName:
- case certRegisterID:
- case certX400Address: {
- current->name.other.data =
- PORT_ArenaAlloc (arena, strlen (buffer) + 2);
- if (current->name.other.data == NULL) {
- GEN_BREAK (SECFailure);
- }
-
- PORT_Memcpy (current->name.other.data + 2, buffer,
- strlen (buffer));
- /* This may not be accurate for all cases. For now,
- * use this tag type */
- current->name.other.data[0] =
- (char)(((current->type - 1) & 0x1f)| 0x80);
- current->name.other.data[1] = (char)strlen (buffer);
- current->name.other.len = strlen (buffer) + 2;
- break;
- }
- case certDirectoryName: {
- CERTName *directoryName = NULL;
-
- directoryName = CERT_AsciiToName (buffer);
- if (!directoryName) {
- fprintf(stderr, "certutil: improperly formatted name: "
- "\"%s\"\n", buffer);
- break;
- }
-
- rv = CERT_CopyName (arena, ¤t->name.directoryName,
- directoryName);
- CERT_DestroyName (directoryName);
-
- break;
- }
- }
- if (rv != SECSuccess)
- break;
- current->l.next = &(namesList->l);
- current->l.prev = &(tail->l);
- tail->l.next = &(current->l);
- tail = current;
-
- }while (1);
- if (rv != SECSuccess) {
- PORT_ArenaRelease (arena, mark);
- namesList = NULL;
- }
- return (namesList);
- }
- static SECStatus
- GetString(PRArenaPool *arena, char *prompt, SECItem *value)
- {
- char buffer[251];
- char *buffPrt;
- buffer[0] = '\0';
- value->data = NULL;
- value->len = 0;
-
- puts (prompt);
- buffPrt = Gets_s (buffer, sizeof(buffer));
- /* returned NULL here treated the same way as empty string */
- if (buffPrt && strlen (buffer) > 0) {
- value->data = PORT_ArenaAlloc (arena, strlen (buffer));
- if (value->data == NULL) {
- PORT_SetError (SEC_ERROR_NO_MEMORY);
- return (SECFailure);
- }
- PORT_Memcpy (value->data, buffer, value->len = strlen(buffer));
- }
- return (SECSuccess);
- }
- static PRBool
- GetYesNo(char *prompt)
- {
- char buf[3];
- char *buffPrt;
- buf[0] = 'n';
- puts(prompt);
- buffPrt = Gets_s(buf, sizeof(buf));
- return (buffPrt && (buf[0] == 'y' || buf[0] == 'Y')) ? PR_TRUE : PR_FALSE;
- }
- /* Parses comma separated values out of the string pointed by nextPos.
- * Parsed value is compared to an array of possible values(valueArray).
- * If match is found, a value index is returned, otherwise returns SECFailue.
- * nextPos is set to the token after found comma separator or to NULL.
- * NULL in nextPos should be used as indication of the last parsed token.
- * A special value "critical" can be parsed out from the supplied sting.*/
- static SECStatus
- parseNextCmdInput(const char * const *valueArray, int *value, char **nextPos,
- PRBool *critical)
- {
- char *thisPos = *nextPos;
- int keyLen = 0;
- int arrIndex = 0;
- if (!valueArray || !value || !nextPos || !critical) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- while (1) {
- if ((*nextPos = strchr(thisPos, ',')) == NULL) {
- keyLen = strlen(thisPos);
- } else {
- keyLen = *nextPos - thisPos;
- *nextPos += 1;
- }
- /* if critical keyword is found, go for another loop,
- * but check, if it is the last keyword of
- * the string.*/
- if (!strncmp("critical", thisPos, keyLen)) {
- *critical = PR_TRUE;
- if (*nextPos == NULL) {
- return SECSuccess;
- }
- thisPos = *nextPos;
- continue;
- }
- break;
- }
- for (arrIndex = 0; valueArray[arrIndex]; arrIndex++) {
- if (!strncmp(valueArray[arrIndex], thisPos, keyLen)) {
- *value = arrIndex;
- return SECSuccess;
- }
- }
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- static const char * const
- keyUsageKeyWordArray[] = { "digitalSignature",
- "nonRepudiation",
- "keyEncipherment",
- "dataEncipherment",
- "keyAgreement",
- "certSigning",
- "crlSigning",
- NULL};
- static SECStatus
- AddKeyUsage (void *extHandle, const char *userSuppliedValue)
- {
- SECItem bitStringValue;
- unsigned char keyUsage = 0x0;
- char buffer[5];
- int value;
- char *nextPos = (char*)userSuppliedValue;
- PRBool isCriticalExt = PR_FALSE;
- if (!userSuppliedValue) {
- while (1) {
- if (PrintChoicesAndGetAnswer(
- "\t\t0 - Digital Signature\n"
- "\t\t1 - Non-repudiation\n"
- "\t\t2 - Key encipherment\n"
- "\t\t3 - Data encipherment\n"
- "\t\t4 - Key agreement\n"
- "\t\t5 - Cert signing key\n"
- "\t\t6 - CRL signing key\n"
- "\t\tOther to finish\n",
- buffer, sizeof(buffer)) == SECFailure) {
- return SECFailure;
- }
- value = PORT_Atoi (buffer);
- if (value < 0 || value > 6)
- break;
- if (value == 0) {
- /* Checking that zero value of variable 'value'
- * corresponds to '0' input made by user */
- char *chPtr = strchr(buffer, '0');
- if (chPtr == NULL) {
- continue;
- }
- }
- keyUsage |= (0x80 >> value);
- }
- isCriticalExt = GetYesNo("Is this a critical extension [y/N]?");
- } else {
- while (1) {
- if (parseNextCmdInput(keyUsageKeyWordArray, &value, &nextPos,
- &isCriticalExt) == SECFailure) {
- return SECFailure;
- }
- keyUsage |= (0x80 >> value);
- if (!nextPos)
- break;
- }
- }
- bitStringValue.data = &keyUsage;
- bitStringValue.len = 1;
- return (CERT_EncodeAndAddBitStrExtension
- (extHandle, SEC_OID_X509_KEY_USAGE, &bitStringValue,
- isCriticalExt));
- }
- static CERTOidSequence *
- CreateOidSequence(void)
- {
- CERTOidSequence *rv = (CERTOidSequence *)NULL;
- PRArenaPool *arena = (PRArenaPool *)NULL;
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if( (PRArenaPool *)NULL == arena ) {
- goto loser;
- }
- rv = (CERTOidSequence *)PORT_ArenaZNew(arena, CERTOidSequence);
- if( (CERTOidSequence *)NULL == rv ) {
- goto loser;
- }
- rv->oids = (SECItem **)PORT_ArenaZNew(arena, SECItem *);
- if( (SECItem **)NULL == rv->oids ) {
- goto loser;
- }
- rv->arena = arena;
- return rv;
- loser:
- if( (PRArenaPool *)NULL != arena ) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- return (CERTOidSequence *)NULL;
- }
- static void
- DestroyOidSequence(CERTOidSequence *os)
- {
- if (os->arena) {
- PORT_FreeArena(os->arena, PR_FALSE);
- }
- }
- static SECStatus
- AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag)
- {
- SECItem **oids;
- PRUint32 count = 0;
- SECOidData *od;
- od = SECOID_FindOIDByTag(oidTag);
- if( (SECOidData *)NULL == od ) {
- return SECFailure;
- }
- for( oids = os->oids; (SECItem *)NULL != *oids; oids++ ) {
- if (*oids == &od->oid) {
- /* We already have this oid */
- return SECSuccess;
- }
- count++;
- }
- /* ArenaZRealloc */
- {
- PRUint32 i;
- oids = (SECItem **)PORT_ArenaZNewArray(os->arena, SECItem *, count + 2);
- if( (SECItem **)NULL == oids ) {
- return SECFailure;
- }
-
- for( i = 0; i < count; i++ ) {
- oids[i] = os->oids[i];
- }
- /* ArenaZFree(os->oids); */
- }
- os->oids = oids;
- os->oids[count] = &od->oid;
- return SECSuccess;
- }
- SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
- const SEC_ASN1Template CERT_OidSeqTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, offsetof(CERTOidSequence, oids),
- SEC_ASN1_SUB(SEC_ObjectIDTemplate) }
- };
- static SECItem *
- EncodeOidSequence(CERTOidSequence *os)
- {
- SECItem *rv;
- rv = (SECItem *)PORT_ArenaZNew(os->arena, SECItem);
- if( (SECItem *)NULL == rv ) {
- goto loser;
- }
- if( !SEC_ASN1EncodeItem(os->arena, rv, os, CERT_OidSeqTemplate) ) {
- goto loser;
- }
- return rv;
- loser:
- return (SECItem *)NULL;
- }
- static const char * const
- extKeyUsageKeyWordArray[] = { "serverAuth",
- "clientAuth",
- "codeSigning",
- "emailProtection",
- "timeStamp",
- "ocspResponder",
- "stepUp",
- NULL};
- static SECStatus
- AddExtKeyUsage (void *extHandle, const char *userSuppliedValue)
- {
- char buffer[5];
- int value;
- CERTOidSequence *os;
- SECStatus rv;
- SECItem *item;
- PRBool isCriticalExt = PR_FALSE;
- char *nextPos = (char*)userSuppliedValue;
-
- os = CreateOidSequence();
- if( (CERTOidSequence *)NULL == os ) {
- return SECFailure;
- }
- while (1) {
- if (!userSuppliedValue) {
- if (PrintChoicesAndGetAnswer(
- "\t\t0 - Server Auth\n"
- "\t\t1 - Client Auth\n"
- "\t\t2 - Code Signing\n"
- "\t\t3 - Email Protection\n"
- "\t\t4 - Timestamp\n"
- "\t\t5 - OCSP Responder\n"
- "\t\t6 - Step-up\n"
- "\t\tOther to finish\n",
- buffer, sizeof(buffer)) == SECFailure) {
- GEN_BREAK(SECFailure);
- }
- value = PORT_Atoi(buffer);
-
- if (value == 0) {
- /* Checking that zero value of variable 'value'
- * corresponds to '0' input made by user */
- char *chPtr = strchr(buffer, '0');
- if (chPtr == NULL) {
- continue;
- }
- }
- } else {
- if (parseNextCmdInput(extKeyUsageKeyWordArray, &value, &nextPos,
- &isCriticalExt) == SECFailure) {
- return SECFailure;
- }
- }
- switch( value ) {
- case 0:
- rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH);
- break;
- case 1:
- rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
- break;
- case 2:
- rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
- break;
- case 3:
- rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT);
- break;
- case 4:
- rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_TIME_STAMP);
- break;
- case 5:
- rv = AddOidToSequence(os, SEC_OID_OCSP_RESPONDER);
- break;
- case 6:
- rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
- break;
- default:
- goto endloop;
- }
- if (userSuppliedValue && !nextPos)
- break;
- if( SECSuccess != rv )
- goto loser;
- }
- endloop:
- item = EncodeOidSequence(os);
- if (!userSuppliedValue) {
- isCriticalExt = GetYesNo("Is this a critical extension [y/N]?");
- }
- rv = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE, item,
- isCriticalExt, PR_TRUE);
- /*FALLTHROUGH*/
- loser:
- DestroyOidSequence(os);
- return rv;
- }
- static const char * const
- nsCertTypeKeyWordArray[] = { "sslClient",
- "sslServer",
- "smime",
- "objectSigning",
- "Not!Used",
- "sslCA",
- "smimeCA",
- "objectSigningCA",
- NULL };
- static SECStatus
- AddNscpCertType (void *extHandle, const char *userSuppliedValue)
- {
- SECItem bitStringValue;
- unsigned char keyUsage = 0x0;
- char buffer[5];
- int value;
- char *nextPos = (char*)userSuppliedValue;
- PRBool isCriticalExt = PR_FALSE;
- if (!userSuppliedValue) {
- while (1) {
- if (PrintChoicesAndGetAnswer(
- "\t\t0 - SSL Client\n"
- "\t\t1 - SSL Server\n"
- "\t\t2 - S/MIME\n"
- "\t\t3 - Object Signing\n"
- "\t\t4 - Reserved for future use\n"
- "\t\t5 - SSL CA\n"
- "\t\t6 - S/MIME CA\n"
- "\t\t7 - Object Signing CA\n"
- "\t\tOther to finish\n",
- buffer, sizeof(buffer)) == SECFailure) {
- return SECFailure;
- }
- value = PORT_Atoi (buffer);
- if (value < 0 || value > 7)
- break;
- if (value == 0) {
- /* Checking that zero value of variable 'value'
- * corresponds to '0' input made by user */
- char *chPtr = strchr(buffer, '0');
- if (chPtr == NULL) {
- continue;
- }
- }
- keyUsage |= (0x80 >> value);
- }
- isCriticalExt = GetYesNo("Is this a critical extension [y/N]?");
- } else {
- while (1) {
- if (parseNextCmdInput(nsCertTypeKeyWordArray, &value, &nextPos,
- &isCriticalExt) == SECFailure) {
- return SECFailure;
- }
- keyUsage |= (0x80 >> value);
- if (!nextPos)
- break;
- }
- }
- bitStringValue.data = &keyUsage;
- bitStringValue.len = 1;
- return (CERT_EncodeAndAddBitStrExtension
- (extHandle, SEC_OID_NS_CERT_EXT_CERT_TYPE, &bitStringValue,
- isCriticalExt));
- }
- static SECStatus
- AddSubjectAltNames(PRArenaPool *arena, CERTGeneralName **existingListp,
- const char *names, CERTGeneralNameType type)
- {
- CERTGeneralName *nameList = NULL;
- CERTGeneralName *current = NULL;
- PRCList *prev = NULL;
- const char *cp;
- char *tbuf;
- SECStatus rv = SECSuccess;
- /*
- * walk down the comma separated list of names. NOTE: there is
- * no sanity checks to see if the email address look like
- * email addresses.
- */
- for (cp=names; cp; cp = PORT_Strchr(cp,',')) {
- int len;
- char *end;
- if (*cp == ',') {
- cp++;
- }
- end = PORT_Strchr(cp,',');
- len = end ? end-cp : PORT_Strlen(cp);
- if (len <= 0) {
- continue;
- }
- tbuf = PORT_ArenaAlloc(arena,len+1);
- PORT_Memcpy(tbuf,cp,len);
- tbuf[len] = 0;
- current = (CERTGeneralName *) PORT_ZAlloc(sizeof(CERTGeneralName));
- if (!current) {
- rv = SECFailure;
- break;
- }
- if (prev) {
- current->l.prev = prev;
- prev->next = &(current->l);
- } else {
- nameList = current;
- }
- current->type = type;
- current->name.other.data = (unsigned char *)tbuf;
- current->name.other.len = PORT_Strlen(tbuf);
- prev = &(current->l);
- }
- /* at this point nameList points to the head of a doubly linked,
- * but not yet circular, list and current points to its tail. */
- if (rv == SECSuccess && nameList) {
- if (*existingListp != NULL) {
- PRCList *existingprev;
- /* add nameList to the end of the existing list */
- existingprev = (*existingListp)->l.prev;
- (*existingListp)->l.prev = &(current->l);
- nameList->l.prev = existingprev;
- existingprev->next = &(nameList->l);
- current->l.next = &((*existingListp)->l);
- }
- else {
- /* make nameList circular and set it as the new existingList */
- nameList->l.prev = prev;
- current->l.next = &(nameList->l);
- *existingListp = nameList;
- }
- }
- return rv;
- }
- static SECStatus
- AddEmailSubjectAlt(PRArenaPool *arena, CERTGeneralName **existingListp,
- const char *emailAddrs)
- {
- return AddSubjectAltNames(arena, existingListp, emailAddrs,
- certRFC822Name);
- }
- static SECStatus
- AddDNSSubjectAlt(PRArenaPool *arena, CERTGeneralName **existingListp,
- const char *dnsNames)
- {
- return AddSubjectAltNames(arena, existingListp, dnsNames, certDNSName);
- }
- static SECStatus
- AddBasicConstraint(void *extHandle)
- {
- CERTBasicConstraints basicConstraint;
- SECStatus rv;
- char buffer[10];
- PRBool yesNoAns;
- do {
- basicConstraint.pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
- basicConstraint.isCA = GetYesNo ("Is this a CA certificate [y/N]?");
- buffer[0] = '\0';
- if (PrintChoicesAndGetAnswer("Enter the path length constraint, "
- "enter to skip [<0 for unlimited path]:",
- buffer, sizeof(buffer)) == SECFailure) {
- GEN_BREAK(SECFailure);
- }
- if (PORT_Strlen (buffer) > 0)
- basicConstraint.pathLenConstraint = PORT_Atoi (buffer);
- yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
- rv = SECU_EncodeAndAddExtensionValue(NULL, extHandle,
- &basicConstraint, yesNoAns, SEC_OID_X509_BASIC_CONSTRAINTS,
- (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeBasicConstraintValue);
- } while (0);
- return (rv);
- }
- static SECStatus
- AddAuthKeyID (void *extHandle)
- {
- CERTAuthKeyID *authKeyID = NULL;
- PRArenaPool *arena = NULL;
- SECStatus rv = SECSuccess;
- PRBool yesNoAns;
- do {
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena ) {
- SECU_PrintError(progName, "out of memory");
- GEN_BREAK (SECFailure);
- }
- if (GetYesNo ("Enter value for the authKeyID extension [y/N]?") == 0)
- break;
- authKeyID = PORT_ArenaZNew(arena, CERTAuthKeyID);
- if (authKeyID == NULL) {
- GEN_BREAK (SECFailure);
- }
- rv = GetString (arena, "Enter value for the key identifier fields,"
- "enter to omit:", &authKeyID->keyID);
- if (rv != SECSuccess)
- break;
- SECU_SECItemHexStringToBinary(&authKeyID->keyID);
- authKeyID->authCertIssuer = GetGeneralName (arena);
- if (authKeyID->authCertIssuer == NULL &&
- SECFailure == PORT_GetError ())
- break;
- rv = GetString (arena, "Enter value for the authCertSerial field, "
- "enter to omit:", &authKeyID->authCertSerialNumber);
- yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
- rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
- authKeyID, yesNoAns, SEC_OID_X509_AUTH_KEY_ID,
- (EXTEN_EXT_VALUE_ENCODER) CERT_EncodeAuthKeyID);
- if (rv)
- break;
- } while (0);
- if (arena)
- PORT_FreeArena (arena, PR_FALSE);
- return (rv);
- }
-
- static SECStatus
- AddSubjKeyID (void *extHandle)
- {
- SECItem keyID;
- PRArenaPool *arena = NULL;
- SECStatus rv = SECSuccess;
- PRBool yesNoAns;
- do {
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena ) {
- SECU_PrintError(progName, "out of memory");
- GEN_BREAK (SECFailure);
- }
- printf("Adding Subject Key ID extension.\n");
- rv = GetString (arena, "Enter value for the key identifier fields,"
- "enter to omit:", &keyID);
- if (rv != SECSuccess)
- break;
- SECU_SECItemHexStringToBinary(&keyID);
- yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
- rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
- &keyID, yesNoAns, SEC_OID_X509_SUBJECT_KEY_ID,
- (EXTEN_EXT_VALUE_ENCODER) CERT_EncodeSubjectKeyID);
- if (rv)
- break;
- } while (0);
- if (arena)
- PORT_FreeArena (arena, PR_FALSE);
- return (rv);
- }
- static SECStatus
- AddCrlDistPoint(void *extHandle)
- {
- PRArenaPool *arena = NULL;
- CERTCrlDistributionPoints *crlDistPoints = NULL;
- CRLDistributionPoint *current;
- SECStatus rv = SECSuccess;
- int count = 0, intValue;
- char buffer[512];
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena )
- return (SECFailure);
- do {
- current = NULL;
- current = PORT_ArenaZNew(arena, CRLDistributionPoint);
- if (current == NULL) {
- GEN_BREAK (SECFailure);
- }
- /* Get the distributionPointName fields - this field is optional */
- if (PrintChoicesAndGetAnswer(
- "Enter the type of the distribution point name:\n"
- "\t1 - Full Name\n\t2 - Relative Name\n\tAny other "
- "number to finish\n\t\tChoice: ",
- buffer, sizeof(buffer)) == SECFailure) {
- GEN_BREAK (SECFailure);
- }
- intValue = PORT_Atoi (buffer);
- switch (intValue) {
- case generalName:
- current->distPointType = intValue;
- current->distPoint.fullName = GetGeneralName (arena);
- rv = PORT_GetError();
- break;
- case relativeDistinguishedName: {
- CERTName *name;
- current->distPointType = intValue;
- puts ("Enter the relative name: ");
- fflush (stdout);
- if (Gets_s (buffer, sizeof(buffer)) == NULL) {
- GEN_BREAK (SECFailure);
- }
- /* For simplicity, use CERT_AsciiToName to converse from a string
- to NAME, but we only interest in the first RDN */
- name = CERT_AsciiToName (buffer);
- if (!name) {
- GEN_BREAK (SECFailure);
- }
- rv = CERT_CopyRDN (arena, ¤t->distPoint.relativeName,
- name->rdns[0]);
- CERT_DestroyName (name);
- break;
- }
- }
- if (rv != SECSuccess)
- break;
- /* Get the reason flags */
- if (PrintChoicesAndGetAnswer(
- "\nSelect one of the following for the reason flags\n"
- "\t0 - unused\n\t1 - keyCompromise\n"
- "\t2 - caCompromise\n\t3 - affiliationChanged\n"
- "\t4 - superseded\n\t5 - cessationOfOperation\n"
- "\t6 - certificateHold\n"
- "\tAny other number to finish\t\tChoice: ",
- buffer, sizeof(buffer)) == SECFailure) {
- GEN_BREAK(SECFailure);
- }
- intValue = PORT_Atoi (buffer);
- if (intValue == 0) {
- /* Checking that zero value of variable 'value'
- * corresponds to '0' input made by user */
- char *chPtr = strchr(buffer, '0');
- if (chPtr == NULL) {
- intValue = -1;
- }
- }
- if (intValue >= 0 && intValue <8) {
- current->reasons.data = PORT_ArenaAlloc (arena, sizeof(char));
- if (current->reasons.data == NULL) {
- GEN_BREAK (SECFailure);
- }
- *current->reasons.data = (char)(0x80 >> intValue);
- current->reasons.len = 1;
- }
- puts ("Enter value for the CRL Issuer name:\n");
- current->crlIssuer = GetGeneralName (arena);
- if (current->crlIssuer == NULL && (rv = PORT_GetError()) == SECFailure)
- break;
- if (crlDistPoints == NULL) {
- crlDistPoints = PORT_ArenaZNew(arena, CERTCrlDistributionPoints);
- if (crlDistPoints == NULL) {
- GEN_BREAK (SECFailure);
- }
- }
- crlDistPoints->distPoints =
- PORT_ArenaGrow (arena, crlDistPoints->distPoints,
- sizeof (*crlDistPoints->distPoints) * count,
- sizeof (*crlDistPoints->distPoints) *(count + 1));
- if (crlDistPoints->distPoints == NULL) {
- GEN_BREAK (SECFailure);
- }
- crlDistPoints->distPoints[count] = current;
- ++count;
- if (GetYesNo("Enter another value for the CRLDistributionPoint "
- "extension [y/N]?") == 0) {
- /* Add null to the end to mark end of data */
- crlDistPoints->distPoints =
- PORT_ArenaGrow(arena, crlDistPoints->distPoints,
- sizeof (*crlDistPoints->distPoints) * count,
- sizeof (*crlDistPoints->distPoints) *(count + 1));
- crlDistPoints->distPoints[count] = NULL;
- break;
- }
- } while (1);
-
- if (rv == SECSuccess) {
- PRBool yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
- rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
- crlDistPoints, yesNoAns, SEC_OID_X509_CRL_DIST_POINTS,
- (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeCRLDistributionPoints);
- }
- if (arena)
- PORT_FreeArena (arena, PR_FALSE);
- return (rv);
- }
- static SECStatus
- AddPolicyConstraints(void *extHandle)
- {
- CERTCertificatePolicyConstraints *policyConstr;
- PRArenaPool *arena = NULL;
- SECStatus rv = SECSuccess;
- SECItem *item, *dummy;
- char buffer[512];
- int value;
- PRBool yesNoAns;
- PRBool skipExt = PR_TRUE;
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena ) {
- SECU_PrintError(progName, "out of memory");
- return SECFailure;
- }
- policyConstr = PORT_ArenaZNew(arena, CERTCertificatePolicyConstraints);
- if (policyConstr == NULL) {
- SECU_PrintError(progName, "out of memory");
- goto loser;
- }
- if (PrintChoicesAndGetAnswer("for requireExplicitPolicy enter the number "
- "of certs in path\nbefore explicit policy is required\n"
- "(press Enter to omit)", buffer, sizeof(buffer)) == SECFailure) {
- goto loser;
- }
- if (PORT_Strlen(buffer)) {
- value = PORT_Atoi(buffer);
- if (value < 0) {
- goto loser;
- }
- item = &policyConstr->explicitPolicySkipCerts;
- dummy = SEC_ASN1EncodeInteger(arena, item, value);
- if (!dummy) {
- goto loser;
- }
- skipExt = PR_FALSE;
- }
- if (PrintChoicesAndGetAnswer("for inihibitPolicyMapping enter "
- "the number of certs in path\n"
- "after which policy mapping is not allowed\n"
- "(press Enter to omit)", buffer, sizeof(buffer)) == SECFailure) {
- goto loser;
- }
- if (PORT_Strlen(buffer)) {
- value = PORT_Atoi(buffer);
- if (value < 0) {
- goto loser;
- }
- item = &policyConstr->inhibitMappingSkipCerts;
- dummy = SEC_ASN1EncodeInteger(arena, item, value);
- if (!dummy) {
- goto loser;
- }
- skipExt = PR_FALSE;
- }
-
-
- if (!skipExt) {
- yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
- rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, policyConstr,
- yesNoAns, SEC_OID_X509_POLICY_CONSTRAINTS,
- (EXTEN_EXT_VALUE_ENCODER)CERT_EncodePolicyConstraintsExtension);
- } else {
- fprintf(stdout, "Policy Constraint extensions must contain "
- "at least one policy field\n");
- rv = SECFailure;
- }
-
- loser:
- if (arena) {
- PORT_FreeArena (arena, PR_FALSE);
- }
- return (rv);
- }
- static SECStatus
- AddInhibitAnyPolicy(void *extHandle)
- {
- CERTCertificateInhibitAny certInhibitAny;
- PRArenaPool *arena = NULL;
- SECStatus rv = SECSuccess;
- SECItem *item, *dummy;
- char buffer[10];
- int value;
- PRBool yesNoAns;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena ) {
- SECU_PrintError(progName, "out of memory");
- return SECFailure;
- }
- if (PrintChoicesAndGetAnswer("Enter the number of certs in the path "
- "permitted to use anyPolicy.\n"
- "(press Enter for 0)",
- buffer, sizeof(buffer)) == SECFailure) {
- goto loser;
- }
- item = &certInhibitAny.inhibitAnySkipCerts;
- value = PORT_Atoi(buffer);
- if (value < 0) {
- goto loser;
- }
- dummy = SEC_ASN1EncodeInteger(arena, item, value);
- if (!dummy) {
- goto loser;
- }
-
- yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
-
- rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, &certInhibitAny,
- yesNoAns, SEC_OID_X509_INHIBIT_ANY_POLICY,
- (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeInhibitAnyExtension);
- loser:
- if (arena) {
- PORT_FreeArena (arena, PR_FALSE);
- }
- return (rv);
- }
- static SECStatus
- AddPolicyMappings(void *extHandle)
- {
- CERTPolicyMap **policyMapArr = NULL;
- CERTPolicyMap *current;
- PRArenaPool *arena = NULL;
- SECStatus rv = SECSuccess;
- int count = 0;
- char buffer[512];
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena ) {
- SECU_PrintError(progName, "out of memory");
- return SECFailure;
- }
- do {
- if (PrintChoicesAndGetAnswer("Enter an Object Identifier (dotted "
- "decimal format) for Issuer Domain Policy",
- buffer, sizeof(buffer)) == SECFailure) {
- GEN_BREAK (SECFailure);
- }
- current = PORT_ArenaZNew(arena, CERTPolicyMap);
- if (current == NULL) {
- GEN_BREAK(SECFailure);
- }
- rv = SEC_StringToOID(arena, ¤t->issuerDomainPolicy, buffer, 0);
- if (rv == SECFailure) {
- GEN_BREAK(SECFailure);
- }
- if (PrintChoicesAndGetAnswer("Enter an Object Identifier for "
- "Subject Domain Policy",
- buffer, sizeof(buffer)) == SECFailure) {
- GEN_BREAK (SECFailure);
- }
- rv = SEC_StringToOID(arena, ¤t->subjectDomainPolicy, buffer, 0);
- if (rv == SECFailure) {
- GEN_BREAK(SECFailure);
- }
- if (policyMapArr == NULL) {
- policyMapArr = PORT_ArenaZNew(arena, CERTPolicyMap *);
- if (policyMapArr == NULL) {
- GEN_BREAK (SECFailure);
- }
- }
- policyMapArr = PORT_ArenaGrow(arena, policyMapArr,
- sizeof (current) * count,
- sizeof (current) *(count + 1));
- if (policyMapArr == NULL) {
- GEN_BREAK (SECFailure);
- }
-
- policyMapArr[count] = current;
- ++count;
-
- if (!GetYesNo("Enter another Policy Mapping [y/N]")) {
- /* Add null to the end to mark end of data */
- policyMapArr = PORT_ArenaGrow (arena, policyMapArr,
- sizeof (current) * count,
- sizeof (current) *(count + 1));
- if (policyMapArr == NULL) {
- GEN_BREAK (SECFailure);
- }
- policyMapArr[count] = NULL;
- break;
- }
- } while (1);
- if (rv == SECSuccess) {
- CERTCertificatePolicyMappings mappings;
- PRBool yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
- mappings.arena = arena;
- mappings.policyMaps = policyMapArr;
- rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, &mappings,
- yesNoAns, SEC_OID_X509_POLICY_MAPPINGS,
- (EXTEN_EXT_VALUE_ENCODER)CERT_EncodePolicyMappingExtension);
- }
- if (arena)
- PORT_FreeArena (arena, PR_FALSE);
- return (rv);
- }
- enum PoliciQualifierEnum {
- cpsPointer = 1,
- userNotice = 2
- };
- static CERTPolicyQualifier **
- RequestPolicyQualifiers(PRArenaPool *arena, SECItem *policyID)
- {
- CERTPolicyQualifier **policyQualifArr = NULL;
- CERTPolicyQualifier *current;
- SECStatus rv = SECSuccess;
- int count = 0;
- char buffer[512];
- void *mark;
- SECOidData *oid = NULL;
- int intValue = 0;
- int inCount = 0;
- PORT_Assert(arena);
- mark = PORT_ArenaMark(arena);
- do {
- current = PORT_ArenaZNew(arena, CERTPolicyQualifier);
- if (current == NULL) {
- GEN_BREAK(SECFailure);
- }
- /* Get the accessMethod fields */
- SECU_PrintObjectID(stdout, policyID,
- "Choose the type of qualifier for policy" , 0);
- if (PrintChoicesAndGetAnswer(
- "\t1 - CPS Pointer qualifier\n"
- "\t2 - User notice qualifier\n"
- "\tAny other number to finish\n"
- "\t\tChoice: ", buffer, sizeof(buffer)) == SECFailure) {
- GEN_BREAK (SECFailure);
- }
- intValue = PORT_Atoi(buffer);
- switch (intValue) {
- case cpsPointer: {
- SECItem input;
- oid = SECOID_FindOIDByTag(SEC_OID_PKIX_CPS_POINTER_QUALIFIER);
- if (PrintChoicesAndGetAnswer("Enter CPS pointer URI: ",
- buffer, sizeof(buffer)) == SECFailure) {
- GEN_BREAK (SECFailure);
- }
- input.len = PORT_Strlen(buffer);
- input.data = (void*)PORT_ArenaStrdup(arena, buffer);
- if (input.data == NULL ||
- SEC_ASN1EncodeItem(arena, ¤t->qualifierValue, &input,
- SEC_ASN1_GET(SEC_IA5StringTemplate)) == NULL) {
- GEN_BREAK (SECFailure);
- }
- break;
- }
- case userNotice: {
- SECItem **noticeNumArr;
- CERTUserNotice *notice = PORT_ArenaZNew(arena, CERTUserNotice);
- if (!notice) {
- GEN_BREAK(SECFailure);
- }
-
- oid = SECOID_FindOIDByTag(SEC_OID_PKIX_USER_NOTICE_QUALIFIER);
- if (GetYesNo("\t add a User Notice reference? [y/N]")) {
- if (PrintChoicesAndGetAnswer("Enter user organization string: ",
- buffer, sizeof(buffer)) == SECFailure) {
- GEN_BREAK (SECFailure);
- }
- notice->noticeReference.organization.type = siAsciiString;
- notice->noticeReference.organization.len =
- PORT_Strlen(buffer);
- notice->noticeReference.organization.data =
- (void*)PORT_ArenaStrdup(arena, buffer);
- noticeNumArr = PORT_ArenaZNewArray(arena, SECItem *, 2);
- if (!noticeNumArr) {
- GEN_BREAK (SECFailure);
- }
-
- do {
- SECItem *noticeNum;
-
- noticeNum = PORT_ArenaZNew(arena, SECItem);
-
- if (PrintChoicesAndGetAnswer(
- "Enter User Notice reference number "
- "(or -1 to quit): ",
- buffer, sizeof(buffer)) == SECFailure) {
- GEN_BREAK (SECFailure);
- }
-
- intValue = PORT_Atoi(buffer);
- if (noticeNum == NULL) {
- if (intValue < 0) {
- fprintf(stdout, "a noticeReference must have at "
- "least one reference number\n");
- GEN_BREAK (SECFailure);
- }
- } else {
- if (intValue >= 0) {
- noticeNumArr = PORT_ArenaGrow(arena, noticeNumArr,
- sizeof (current) * inCount,
- sizeof (current) *(inCount + 1));
- if (noticeNumArr == NULL) {
- GEN_BREAK (SECFailure);
- }
- } else {
- break;
- }
- }
- if (!SEC_ASN1EncodeInteger(arena, noticeNum, intValue)) {
- GEN_BREAK (SECFailure);
- }
- noticeNumArr[inCount++] = noticeNum;
- noticeNumArr[inCount] = NULL;
-
- } while (1);
- if (rv == SECFailure) {
- GEN_BREAK(SECFailure);
- }
- notice->noticeReference.noticeNumbers = noticeNumArr;
- rv = CERT_EncodeNoticeReference(arena, ¬ice->noticeReference,
- ¬ice->derNoticeReference);
- if (rv == SECFailure) {
- GEN_BREAK(SECFailure);
- }
- }
- if (GetYesNo("\t EnterUser Notice explicit text? [y/N]")) {
- /* Getting only 200 bytes - RFC limitation */
- if (PrintChoicesAndGetAnswer(
- "\t", buffer, 200) == SECFailure) {
- GEN_BREAK (SECFailure);
- }
- notice->displayText.type = siAsciiString;
- notice->displayText.len = PORT_Strlen(buffer);
- notice->displayText.data =
- (void*)PORT_ArenaStrdup(arena, buffer);
- if (notice->displayText.data == NULL) {
- GEN_BREAK(SECFailure);
- }
- }
- rv = CERT_EncodeUserNotice(arena, notice, ¤t->qualifierValue);
- if (rv == SECFailure) {
- GEN_BREAK(SECFailure);
- }
- break;
- }
- }
- if (rv == SECFailure || oid == NULL ||
- SECITEM_CopyItem(arena, ¤t->qualifierID, &oid->oid)
- == SECFailure) {
- GEN_BREAK (SECFailure);
- }
- if (!policyQualifArr) {
- policyQualifArr = PORT_ArenaZNew(arena, CERTPolicyQualifier *);
- } else {
- policyQualifArr = PORT_ArenaGrow (arena, policyQualifArr,
- sizeof (current) * count,
- sizeof (current) *(count + 1));
- }
- if (policyQualifArr == NULL) {
- GEN_BREAK (SECFailure);
- }
-
- policyQualifArr[count] = current;
- ++count;
- if (!GetYesNo ("Enter another policy qualifier [y/N]")) {
- /* Add null to the end to mark end of data */
- policyQualifArr = PORT_ArenaGrow(arena, policyQualifArr,
- sizeof (current) * count,
- sizeof (current) *(count + 1));
- if (policyQualifArr == NULL) {
- GEN_BREAK (SECFailure);
- }
- policyQualifArr[count] = NULL;
- break;
- }
- } while (1);
- if (rv != SECSuccess) {
- PORT_ArenaRelease (arena, mark);
- policyQualifArr = NULL;
- }
- return (policyQualifArr);
- }
- static SECStatus
- AddCertPolicies(void *extHandle)
- {
- CERTPolicyInfo **certPoliciesArr = NULL;
- CERTPolicyInfo *current;
- PRArenaPool *arena = NULL;
- SECStatus rv = SECSuccess;
- int count = 0;
- char buffer[512];
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena ) {
- SECU_PrintError(progName, "out of memory");
- return SECFailure;
- }
- do {
- current = PORT_ArenaZNew(arena, CERTPolicyInfo);
- if (current == NULL) {
- GEN_BREAK(SECFailure);
- }
- if (PrintChoicesAndGetAnswer("Enter a CertPolicy Object Identifier "
- "(dotted decimal format)\n"
- "or \"any\" for AnyPolicy:",
- buffer, sizeof(buffer)) == SECFailure) {
- GEN_BREAK (SECFailure);
- }
-
- if (strncmp(buffer, "any", 3) == 0) {
- /* use string version of X509_CERTIFICATE_POLICIES.anyPolicy */
- strcpy(buffer, "OID.2.5.29.32.0");
- }
- rv = SEC_StringToOID(arena, ¤t->policyID, buffer, 0);
- if (rv == SECFailure) {
- GEN_BREAK(SECFailure);
- }
-
- current->policyQualifiers =
- RequestPolicyQualifiers(arena, ¤t->policyID);
- if (!certPoliciesArr) {
- certPoliciesArr = PORT_ArenaZNew(arena, CERTPolicyInfo *);
- } else {
- certPoliciesArr = PORT_ArenaGrow(arena, certPoliciesArr,
- sizeof (current) * count,
- sizeof (current) *(count + 1));
- }
- if (certPoliciesArr == NULL) {
- GEN_BREAK (SECFailure);
- }
-
- certPoliciesArr[count] = current;
- ++count;
-
- if (!GetYesNo ("Enter another PolicyInformation field [y/N]?")) {
- /* Add null to the end to mark end of data */
- certPoliciesArr = PORT_ArenaGrow(arena, certPoliciesArr,
- sizeof (current) * count,
- sizeof (current) *(count + 1));
- if (certPoliciesArr == NULL) {
- GEN_BREAK (SECFailure);
- }
- certPoliciesArr[count] = NULL;
- break;
- }
- } while (1);
- if (rv == SECSuccess) {
- CERTCertificatePolicies policies;
- PRBool yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
- policies.arena = arena;
- policies.policyInfos = certPoliciesArr;
-
- rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, &policies,
- yesNoAns, SEC_OID_X509_CERTIFICATE_POLICIES,
- (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeCertPoliciesExtension);
- }
- if (arena)
- PORT_FreeArena(arena, PR_FALSE);
- return (rv);
- }
- enum AuthInfoAccessTypesEnum {
- caIssuers = 1,
- ocsp = 2
- };
- enum SubjInfoAccessTypesEnum {
- caRepository = 1,
- timeStamping = 2
- };
-
- /* Encode and add an AIA or SIA extension */
- static SECStatus
- AddInfoAccess(void *extHandle, PRBool addSIAExt, PRBool isCACert)
- {
- CERTAuthInfoAccess **infoAccArr = NULL;
- CERTAuthInfoAccess *current;
- PRArenaPool *arena = NULL;
- SECStatus rv = SECSuccess;
- int count = 0;
- char buffer[512];
- SECOidData *oid = NULL;
- int intValue = 0;
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ( !arena ) {
- SECU_PrintError(progName, "out of memory");
- return SECFailure;
- }
- do {
- current = NULL;
- current = PORT_ArenaZNew(arena, CERTAuthInfoAccess);
- if (current == NULL) {
- GEN_BREAK(SECFailure);
- }
- /* Get the accessMethod fields */
- if (addSIAExt) {
- if (isCACert) {
- puts("Adding \"CA Repository\" access method type for "
- "Subject Information Access extension:\n");
- intValue = caRepository;
- } else {
- puts("Adding \"Time Stamping Services\" access method type for "
- "Subject Information Access extension:\n");
- intValue = timeStamping;
- }
- } else {
- PrintChoicesAndGetAnswer("Enter access method type "
- "for Authority Information Access extension:\n"
- "\t1 - CA Issuers\n\t2 - OCSP\n\tAny"
- "other number to finish\n\tChoice",
- buffer, sizeof(buffer));
- intValue = PORT_Atoi(buffer);
- }
- if (addSIAExt) {
- switch (intValue) {
- case caRepository:
- oid = SECOID_FindOIDByTag(SEC_OID_PKIX_CA_REPOSITORY);
- break;
-
- case timeStamping:
- oid = SECOID_FindOIDByTag(SEC_OID_PKIX_TIMESTAMPING);
- break;
- }
- } else {
- switch (intValue) {
- case caIssuers:
- oid = SECOID_FindOIDByTag(SEC_OID_PKIX_CA_ISSUERS);
- break;
-
- case ocsp:
- oid = SECOID_FindOIDByTag(SEC_OID_PKIX_OCSP);
- break;
- }
- }
- if (oid == NULL ||
- SECITEM_CopyItem(arena, ¤t->method, &oid->oid)
- == SECFailure) {
- GEN_BREAK (SECFailure);
- }
- current->location = GetGeneralName(arena);
- if (!current->location) {
- GEN_BREAK(SECFailure);
- }
-
- if (infoAccArr == NULL) {
- infoAccArr = PORT_ArenaZNew(arena, CERTAuthInfoAccess *);
- } else {
- infoAccArr = PORT_ArenaGrow(arena, infoAccArr,
- sizeof (current) * count,
- sizeof (current) *(count + 1));
- }
- if (infoAccArr == NULL) {
- GEN_BREAK (SECFailure);
- }
-
- infoAccArr[count] = current;
- ++count;
-
- PR_snprintf(buffer, sizeof(buffer), "Add another location to the %s"
- " Information Access extension [y/N]",
- (addSIAExt) ? "Subject" : "Authority");
- if (GetYesNo (buffer) == 0) {
- /* Add null to the end to mark end of data */
- infoAccArr = PORT_ArenaGrow(arena, infoAccArr,
- sizeof (current) * count,
- sizeof (current) *(count + 1));
- if (infoAccArr == NULL) {
- GEN_BREAK (SECFailure);
- }
- infoAccArr[count] = NULL;
- break;
- }
- } while (1);
- if (rv == SECSuccess) {
- int oidIdent = SEC_OID_X509_AUTH_INFO_ACCESS;
- PRBool yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
-
- if (addSIAExt) {
- oidIdent = SEC_OID_X509_SUBJECT_INFO_ACCESS;
- }
- rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, infoAccArr,
- yesNoAns, oidIdent,
- (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeInfoAccessExtension);
- }
- if (arena)
- PORT_FreeArena(arena, PR_FALSE);
- return (rv);
- }
- SECStatus
- AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
- certutilExtnList extList)
- {
- SECStatus rv = SECSuccess;
- char *errstring = NULL;
-
- do {
- /* Add key usage extension */
- if (extList[ext_keyUsage].activated) {
- rv = AddKeyUsage(extHandle, extList[ext_keyUsage].arg);
- if (rv) {
- errstring = "KeyUsage";
- break;
- }
- }
- /* Add extended key usage extension */
- if (extList[ext_extKeyUsage].activated) {
- rv = AddExtKeyUsage(extHandle, extList[ext_extKeyUsage].arg);
- if (rv) {
- errstring = "ExtendedKeyUsage";
- break;
- }
- }
- /* Add basic constraint extension */
- if (extList[ext_basicConstraint].activated) {
- rv = AddBasicConstraint(extHandle);
- if (rv) {
- errstring = "BasicConstraint";
- break;
- }
- }
- if (extList[ext_authorityKeyID].activated) {
- rv = AddAuthKeyID(extHandle);
- if (rv) {
- errstring = "AuthorityKeyID";
- break;
- }
- }
- if (extList[ext_subjectKeyID].activated) {
- rv = AddSubjKeyID(extHandle);
- if (rv) {
- errstring = "SubjectKeyID";
- break;
- }
- }
- if (extList[ext_CRLDistPts].activated) {
- rv = AddCrlDistPoint(extHandle);
- if (rv) {
- errstring = "CRLDistPoints";
- break;
- }
- }
- if (extList[ext_NSCertType].activated) {
- rv = AddNscpCertType(extHandle, extList[ext_NSCertType].arg);
- if (rv) {
- errstring = "NSCertType";
- break;
- }
- }
- if (extList[ext_authInfoAcc].activated ||
- extList[ext_subjInfoAcc].activated) {
- rv = AddInfoAccess(extHandle, extList[ext_subjInfoAcc].activated,
- extList[ext_basicConstraint].activated);
- if (rv) {
- errstring = "InformationAccess";
- break;
- }
- }
- if (extList[ext_certPolicies].activated) {
- rv = AddCertPolicies(extHandle);
- if (rv) {
- errstring = "Policies";
- break;
- }
- }
- if (extList[ext_policyMappings].activated) {
- rv = AddPolicyMappings(extHandle);
- if (rv) {
- errstring = "PolicyMappings";
- break;
- }
- }
- if (extList[ext_policyConstr].activated) {
- rv = AddPolicyConstraints(extHandle);
- if (rv) {
- errstring = "PolicyConstraints";
- break;
- }
- }
- if (extList[ext_inhibitAnyPolicy].activated) {
- rv = AddInhibitAnyPolicy(extHandle);
- if (rv) {
- errstring = "InhibitAnyPolicy";
- break;
- }
- }
- if (emailAddrs || dnsNames) {
- PRArenaPool *arena;
- CERTGeneralName *namelist = NULL;
- SECItem item = { 0, NULL, 0 };
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- rv = SECFailure;
- break;
- }
- rv = AddEmailSubjectAlt(arena, &namelist, emailAddrs);
- rv |= AddDNSSubjectAlt(arena, &namelist, dnsNames);
- if (rv == SECSuccess) {
- rv = CERT_EncodeAltNameExtension(arena, namelist, &item);
- if (rv == SECSuccess) {
- rv = CERT_AddExtension(extHandle,
- SEC_OID_X509_SUBJECT_ALT_NAME,
- &item, PR_FALSE, PR_TRUE);
- }
- }
- PORT_FreeArena(arena, PR_FALSE);
- if (rv) {
- errstring = "SubjectAltName";
- break;
- }
- }
- } while (0);
-
- if (rv != SECSuccess) {
- SECU_PrintError(progName, "Problem creating %s extension", errstring);
- }
- return rv;
- }