gecko/security/nss/cmd/certutil/certext.c
Wan-Teh Chang 8e431a056c Bug 504080: Update NSS from NSS_3_12_4_FIPS1_WITH_CKBI_1_75 to
NSS_3_12_4_FIPS4 in mozilla-central.  r=kaie.
2009-07-28 17:01:39 -07:00

1818 lines
54 KiB
C

/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/*
** certext.c
**
** part of certutil for managing certificates extensions
**
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#if defined(WIN32)
#include "fcntl.h"
#include "io.h"
#endif
#include "secutil.h"
#if defined(XP_UNIX)
#include <unistd.h>
#endif
#include "cert.h"
#include "xconst.h"
#include "prprf.h"
#include "certutil.h"
#define GEN_BREAK(e) rv=e; break;
static char *
Gets_s(char *buff, size_t size) {
char *str;
if (buff == NULL || size < 1) {
PORT_Assert(0);
return NULL;
}
if ((str = fgets(buff, size, stdin)) != NULL) {
int len = PORT_Strlen(str);
/*
* fgets() automatically converts native text file
* line endings to '\n'. As defensive programming
* (just in case fgets has a bug or we put stdin in
* binary mode by mistake), we handle three native
* text file line endings here:
* '\n' Unix (including Linux and Mac OS X)
* '\r''\n' DOS/Windows & OS/2
* '\r' Mac OS Classic
* len can not be less then 1, since in case with
* empty string it has at least '\n' in the buffer
*/
if (buff[len - 1] == '\n' || buff[len - 1] == '\r') {
buff[len - 1] = '\0';
if (len > 1 && buff[len - 2] == '\r')
buff[len - 2] = '\0';
}
} else {
buff[0] = '\0';
}
return str;
}
static SECStatus
PrintChoicesAndGetAnswer(char* str, char* rBuff, int rSize)
{
fprintf(stdout, str);
fprintf(stdout, " > ");
fflush (stdout);
if (Gets_s(rBuff, rSize) == NULL) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
return SECFailure;
}
return SECSuccess;
}
static CERTGeneralName *
GetGeneralName (PRArenaPool *arena)
{
CERTGeneralName *namesList = NULL;
CERTGeneralName *current;
CERTGeneralName *tail = NULL;
SECStatus rv = SECSuccess;
int intValue;
char buffer[512];
void *mark;
PORT_Assert (arena);
mark = PORT_ArenaMark (arena);
do {
if (PrintChoicesAndGetAnswer(
"\nSelect one of the following general name type: \n"
"\t2 - rfc822Name\n"
"\t3 - dnsName\n"
"\t5 - directoryName\n"
"\t7 - uniformResourceidentifier\n"
"\t8 - ipAddress\n"
"\t9 - registerID\n"
"\tAny other number to finish\n"
"\t\tChoice:", buffer, sizeof(buffer)) == SECFailure) {
GEN_BREAK (SECFailure);
}
intValue = PORT_Atoi (buffer);
/*
* Should use ZAlloc instead of Alloc to avoid problem with garbage
* initialized pointers in CERT_CopyName
*/
switch (intValue) {
case certRFC822Name:
case certDNSName:
case certDirectoryName:
case certURI:
case certIPAddress:
case certRegisterID:
break;
default:
intValue = 0; /* force a break for anything else */
}
if (intValue == 0)
break;
if (namesList == NULL) {
namesList = current = tail =
PORT_ArenaZNew(arena, CERTGeneralName);
} else {
current = PORT_ArenaZNew(arena, CERTGeneralName);
}
if (current == NULL) {
GEN_BREAK (SECFailure);
}
current->type = intValue;
puts ("\nEnter data:");
fflush (stdout);
if (Gets_s (buffer, sizeof(buffer)) == NULL) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
GEN_BREAK (SECFailure);
}
switch (current->type) {
case certURI:
case certDNSName:
case certRFC822Name:
current->name.other.data =
PORT_ArenaAlloc (arena, strlen (buffer));
if (current->name.other.data == NULL) {
GEN_BREAK (SECFailure);
}
PORT_Memcpy(current->name.other.data, buffer,
current->name.other.len = strlen(buffer));
break;
case certEDIPartyName:
case certIPAddress:
case certOtherName:
case certRegisterID:
case certX400Address: {
current->name.other.data =
PORT_ArenaAlloc (arena, strlen (buffer) + 2);
if (current->name.other.data == NULL) {
GEN_BREAK (SECFailure);
}
PORT_Memcpy (current->name.other.data + 2, buffer,
strlen (buffer));
/* This may not be accurate for all cases. For now,
* use this tag type */
current->name.other.data[0] =
(char)(((current->type - 1) & 0x1f)| 0x80);
current->name.other.data[1] = (char)strlen (buffer);
current->name.other.len = strlen (buffer) + 2;
break;
}
case certDirectoryName: {
CERTName *directoryName = NULL;
directoryName = CERT_AsciiToName (buffer);
if (!directoryName) {
fprintf(stderr, "certutil: improperly formatted name: "
"\"%s\"\n", buffer);
break;
}
rv = CERT_CopyName (arena, &current->name.directoryName,
directoryName);
CERT_DestroyName (directoryName);
break;
}
}
if (rv != SECSuccess)
break;
current->l.next = &(namesList->l);
current->l.prev = &(tail->l);
tail->l.next = &(current->l);
tail = current;
}while (1);
if (rv != SECSuccess) {
PORT_ArenaRelease (arena, mark);
namesList = NULL;
}
return (namesList);
}
static SECStatus
GetString(PRArenaPool *arena, char *prompt, SECItem *value)
{
char buffer[251];
char *buffPrt;
buffer[0] = '\0';
value->data = NULL;
value->len = 0;
puts (prompt);
buffPrt = Gets_s (buffer, sizeof(buffer));
/* returned NULL here treated the same way as empty string */
if (buffPrt && strlen (buffer) > 0) {
value->data = PORT_ArenaAlloc (arena, strlen (buffer));
if (value->data == NULL) {
PORT_SetError (SEC_ERROR_NO_MEMORY);
return (SECFailure);
}
PORT_Memcpy (value->data, buffer, value->len = strlen(buffer));
}
return (SECSuccess);
}
static PRBool
GetYesNo(char *prompt)
{
char buf[3];
char *buffPrt;
buf[0] = 'n';
puts(prompt);
buffPrt = Gets_s(buf, sizeof(buf));
return (buffPrt && (buf[0] == 'y' || buf[0] == 'Y')) ? PR_TRUE : PR_FALSE;
}
/* Parses comma separated values out of the string pointed by nextPos.
* Parsed value is compared to an array of possible values(valueArray).
* If match is found, a value index is returned, otherwise returns SECFailue.
* nextPos is set to the token after found comma separator or to NULL.
* NULL in nextPos should be used as indication of the last parsed token.
* A special value "critical" can be parsed out from the supplied sting.*/
static SECStatus
parseNextCmdInput(const char * const *valueArray, int *value, char **nextPos,
PRBool *critical)
{
char *thisPos = *nextPos;
int keyLen = 0;
int arrIndex = 0;
if (!valueArray || !value || !nextPos || !critical) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
while (1) {
if ((*nextPos = strchr(thisPos, ',')) == NULL) {
keyLen = strlen(thisPos);
} else {
keyLen = *nextPos - thisPos;
*nextPos += 1;
}
/* if critical keyword is found, go for another loop,
* but check, if it is the last keyword of
* the string.*/
if (!strncmp("critical", thisPos, keyLen)) {
*critical = PR_TRUE;
if (*nextPos == NULL) {
return SECSuccess;
}
thisPos = *nextPos;
continue;
}
break;
}
for (arrIndex = 0; valueArray[arrIndex]; arrIndex++) {
if (!strncmp(valueArray[arrIndex], thisPos, keyLen)) {
*value = arrIndex;
return SECSuccess;
}
}
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
static const char * const
keyUsageKeyWordArray[] = { "digitalSignature",
"nonRepudiation",
"keyEncipherment",
"dataEncipherment",
"keyAgreement",
"certSigning",
"crlSigning",
NULL};
static SECStatus
AddKeyUsage (void *extHandle, const char *userSuppliedValue)
{
SECItem bitStringValue;
unsigned char keyUsage = 0x0;
char buffer[5];
int value;
char *nextPos = (char*)userSuppliedValue;
PRBool isCriticalExt = PR_FALSE;
if (!userSuppliedValue) {
while (1) {
if (PrintChoicesAndGetAnswer(
"\t\t0 - Digital Signature\n"
"\t\t1 - Non-repudiation\n"
"\t\t2 - Key encipherment\n"
"\t\t3 - Data encipherment\n"
"\t\t4 - Key agreement\n"
"\t\t5 - Cert signing key\n"
"\t\t6 - CRL signing key\n"
"\t\tOther to finish\n",
buffer, sizeof(buffer)) == SECFailure) {
return SECFailure;
}
value = PORT_Atoi (buffer);
if (value < 0 || value > 6)
break;
if (value == 0) {
/* Checking that zero value of variable 'value'
* corresponds to '0' input made by user */
char *chPtr = strchr(buffer, '0');
if (chPtr == NULL) {
continue;
}
}
keyUsage |= (0x80 >> value);
}
isCriticalExt = GetYesNo("Is this a critical extension [y/N]?");
} else {
while (1) {
if (parseNextCmdInput(keyUsageKeyWordArray, &value, &nextPos,
&isCriticalExt) == SECFailure) {
return SECFailure;
}
keyUsage |= (0x80 >> value);
if (!nextPos)
break;
}
}
bitStringValue.data = &keyUsage;
bitStringValue.len = 1;
return (CERT_EncodeAndAddBitStrExtension
(extHandle, SEC_OID_X509_KEY_USAGE, &bitStringValue,
isCriticalExt));
}
static CERTOidSequence *
CreateOidSequence(void)
{
CERTOidSequence *rv = (CERTOidSequence *)NULL;
PRArenaPool *arena = (PRArenaPool *)NULL;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if( (PRArenaPool *)NULL == arena ) {
goto loser;
}
rv = (CERTOidSequence *)PORT_ArenaZNew(arena, CERTOidSequence);
if( (CERTOidSequence *)NULL == rv ) {
goto loser;
}
rv->oids = (SECItem **)PORT_ArenaZNew(arena, SECItem *);
if( (SECItem **)NULL == rv->oids ) {
goto loser;
}
rv->arena = arena;
return rv;
loser:
if( (PRArenaPool *)NULL != arena ) {
PORT_FreeArena(arena, PR_FALSE);
}
return (CERTOidSequence *)NULL;
}
static void
DestroyOidSequence(CERTOidSequence *os)
{
if (os->arena) {
PORT_FreeArena(os->arena, PR_FALSE);
}
}
static SECStatus
AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag)
{
SECItem **oids;
PRUint32 count = 0;
SECOidData *od;
od = SECOID_FindOIDByTag(oidTag);
if( (SECOidData *)NULL == od ) {
return SECFailure;
}
for( oids = os->oids; (SECItem *)NULL != *oids; oids++ ) {
if (*oids == &od->oid) {
/* We already have this oid */
return SECSuccess;
}
count++;
}
/* ArenaZRealloc */
{
PRUint32 i;
oids = (SECItem **)PORT_ArenaZNewArray(os->arena, SECItem *, count + 2);
if( (SECItem **)NULL == oids ) {
return SECFailure;
}
for( i = 0; i < count; i++ ) {
oids[i] = os->oids[i];
}
/* ArenaZFree(os->oids); */
}
os->oids = oids;
os->oids[count] = &od->oid;
return SECSuccess;
}
SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
const SEC_ASN1Template CERT_OidSeqTemplate[] = {
{ SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, offsetof(CERTOidSequence, oids),
SEC_ASN1_SUB(SEC_ObjectIDTemplate) }
};
static SECItem *
EncodeOidSequence(CERTOidSequence *os)
{
SECItem *rv;
rv = (SECItem *)PORT_ArenaZNew(os->arena, SECItem);
if( (SECItem *)NULL == rv ) {
goto loser;
}
if( !SEC_ASN1EncodeItem(os->arena, rv, os, CERT_OidSeqTemplate) ) {
goto loser;
}
return rv;
loser:
return (SECItem *)NULL;
}
static const char * const
extKeyUsageKeyWordArray[] = { "serverAuth",
"clientAuth",
"codeSigning",
"emailProtection",
"timeStamp",
"ocspResponder",
"stepUp",
NULL};
static SECStatus
AddExtKeyUsage (void *extHandle, const char *userSuppliedValue)
{
char buffer[5];
int value;
CERTOidSequence *os;
SECStatus rv;
SECItem *item;
PRBool isCriticalExt = PR_FALSE;
char *nextPos = (char*)userSuppliedValue;
os = CreateOidSequence();
if( (CERTOidSequence *)NULL == os ) {
return SECFailure;
}
while (1) {
if (!userSuppliedValue) {
if (PrintChoicesAndGetAnswer(
"\t\t0 - Server Auth\n"
"\t\t1 - Client Auth\n"
"\t\t2 - Code Signing\n"
"\t\t3 - Email Protection\n"
"\t\t4 - Timestamp\n"
"\t\t5 - OCSP Responder\n"
"\t\t6 - Step-up\n"
"\t\tOther to finish\n",
buffer, sizeof(buffer)) == SECFailure) {
GEN_BREAK(SECFailure);
}
value = PORT_Atoi(buffer);
if (value == 0) {
/* Checking that zero value of variable 'value'
* corresponds to '0' input made by user */
char *chPtr = strchr(buffer, '0');
if (chPtr == NULL) {
continue;
}
}
} else {
if (parseNextCmdInput(extKeyUsageKeyWordArray, &value, &nextPos,
&isCriticalExt) == SECFailure) {
return SECFailure;
}
}
switch( value ) {
case 0:
rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH);
break;
case 1:
rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
break;
case 2:
rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
break;
case 3:
rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT);
break;
case 4:
rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_TIME_STAMP);
break;
case 5:
rv = AddOidToSequence(os, SEC_OID_OCSP_RESPONDER);
break;
case 6:
rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
break;
default:
goto endloop;
}
if (userSuppliedValue && !nextPos)
break;
if( SECSuccess != rv )
goto loser;
}
endloop:
item = EncodeOidSequence(os);
if (!userSuppliedValue) {
isCriticalExt = GetYesNo("Is this a critical extension [y/N]?");
}
rv = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE, item,
isCriticalExt, PR_TRUE);
/*FALLTHROUGH*/
loser:
DestroyOidSequence(os);
return rv;
}
static const char * const
nsCertTypeKeyWordArray[] = { "sslClient",
"sslServer",
"smime",
"objectSigning",
"Not!Used",
"sslCA",
"smimeCA",
"objectSigningCA",
NULL };
static SECStatus
AddNscpCertType (void *extHandle, const char *userSuppliedValue)
{
SECItem bitStringValue;
unsigned char keyUsage = 0x0;
char buffer[5];
int value;
char *nextPos = (char*)userSuppliedValue;
PRBool isCriticalExt = PR_FALSE;
if (!userSuppliedValue) {
while (1) {
if (PrintChoicesAndGetAnswer(
"\t\t0 - SSL Client\n"
"\t\t1 - SSL Server\n"
"\t\t2 - S/MIME\n"
"\t\t3 - Object Signing\n"
"\t\t4 - Reserved for future use\n"
"\t\t5 - SSL CA\n"
"\t\t6 - S/MIME CA\n"
"\t\t7 - Object Signing CA\n"
"\t\tOther to finish\n",
buffer, sizeof(buffer)) == SECFailure) {
return SECFailure;
}
value = PORT_Atoi (buffer);
if (value < 0 || value > 7)
break;
if (value == 0) {
/* Checking that zero value of variable 'value'
* corresponds to '0' input made by user */
char *chPtr = strchr(buffer, '0');
if (chPtr == NULL) {
continue;
}
}
keyUsage |= (0x80 >> value);
}
isCriticalExt = GetYesNo("Is this a critical extension [y/N]?");
} else {
while (1) {
if (parseNextCmdInput(nsCertTypeKeyWordArray, &value, &nextPos,
&isCriticalExt) == SECFailure) {
return SECFailure;
}
keyUsage |= (0x80 >> value);
if (!nextPos)
break;
}
}
bitStringValue.data = &keyUsage;
bitStringValue.len = 1;
return (CERT_EncodeAndAddBitStrExtension
(extHandle, SEC_OID_NS_CERT_EXT_CERT_TYPE, &bitStringValue,
isCriticalExt));
}
static SECStatus
AddSubjectAltNames(PRArenaPool *arena, CERTGeneralName **existingListp,
const char *names, CERTGeneralNameType type)
{
CERTGeneralName *nameList = NULL;
CERTGeneralName *current = NULL;
PRCList *prev = NULL;
const char *cp;
char *tbuf;
SECStatus rv = SECSuccess;
/*
* walk down the comma separated list of names. NOTE: there is
* no sanity checks to see if the email address look like
* email addresses.
*/
for (cp=names; cp; cp = PORT_Strchr(cp,',')) {
int len;
char *end;
if (*cp == ',') {
cp++;
}
end = PORT_Strchr(cp,',');
len = end ? end-cp : PORT_Strlen(cp);
if (len <= 0) {
continue;
}
tbuf = PORT_ArenaAlloc(arena,len+1);
PORT_Memcpy(tbuf,cp,len);
tbuf[len] = 0;
current = (CERTGeneralName *) PORT_ZAlloc(sizeof(CERTGeneralName));
if (!current) {
rv = SECFailure;
break;
}
if (prev) {
current->l.prev = prev;
prev->next = &(current->l);
} else {
nameList = current;
}
current->type = type;
current->name.other.data = (unsigned char *)tbuf;
current->name.other.len = PORT_Strlen(tbuf);
prev = &(current->l);
}
/* at this point nameList points to the head of a doubly linked,
* but not yet circular, list and current points to its tail. */
if (rv == SECSuccess && nameList) {
if (*existingListp != NULL) {
PRCList *existingprev;
/* add nameList to the end of the existing list */
existingprev = (*existingListp)->l.prev;
(*existingListp)->l.prev = &(current->l);
nameList->l.prev = existingprev;
existingprev->next = &(nameList->l);
current->l.next = &((*existingListp)->l);
}
else {
/* make nameList circular and set it as the new existingList */
nameList->l.prev = prev;
current->l.next = &(nameList->l);
*existingListp = nameList;
}
}
return rv;
}
static SECStatus
AddEmailSubjectAlt(PRArenaPool *arena, CERTGeneralName **existingListp,
const char *emailAddrs)
{
return AddSubjectAltNames(arena, existingListp, emailAddrs,
certRFC822Name);
}
static SECStatus
AddDNSSubjectAlt(PRArenaPool *arena, CERTGeneralName **existingListp,
const char *dnsNames)
{
return AddSubjectAltNames(arena, existingListp, dnsNames, certDNSName);
}
static SECStatus
AddBasicConstraint(void *extHandle)
{
CERTBasicConstraints basicConstraint;
SECStatus rv;
char buffer[10];
PRBool yesNoAns;
do {
basicConstraint.pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
basicConstraint.isCA = GetYesNo ("Is this a CA certificate [y/N]?");
buffer[0] = '\0';
if (PrintChoicesAndGetAnswer("Enter the path length constraint, "
"enter to skip [<0 for unlimited path]:",
buffer, sizeof(buffer)) == SECFailure) {
GEN_BREAK(SECFailure);
}
if (PORT_Strlen (buffer) > 0)
basicConstraint.pathLenConstraint = PORT_Atoi (buffer);
yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
rv = SECU_EncodeAndAddExtensionValue(NULL, extHandle,
&basicConstraint, yesNoAns, SEC_OID_X509_BASIC_CONSTRAINTS,
(EXTEN_EXT_VALUE_ENCODER)CERT_EncodeBasicConstraintValue);
} while (0);
return (rv);
}
static SECStatus
AddAuthKeyID (void *extHandle)
{
CERTAuthKeyID *authKeyID = NULL;
PRArenaPool *arena = NULL;
SECStatus rv = SECSuccess;
PRBool yesNoAns;
do {
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if ( !arena ) {
SECU_PrintError(progName, "out of memory");
GEN_BREAK (SECFailure);
}
if (GetYesNo ("Enter value for the authKeyID extension [y/N]?") == 0)
break;
authKeyID = PORT_ArenaZNew(arena, CERTAuthKeyID);
if (authKeyID == NULL) {
GEN_BREAK (SECFailure);
}
rv = GetString (arena, "Enter value for the key identifier fields,"
"enter to omit:", &authKeyID->keyID);
if (rv != SECSuccess)
break;
SECU_SECItemHexStringToBinary(&authKeyID->keyID);
authKeyID->authCertIssuer = GetGeneralName (arena);
if (authKeyID->authCertIssuer == NULL &&
SECFailure == PORT_GetError ())
break;
rv = GetString (arena, "Enter value for the authCertSerial field, "
"enter to omit:", &authKeyID->authCertSerialNumber);
yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
authKeyID, yesNoAns, SEC_OID_X509_AUTH_KEY_ID,
(EXTEN_EXT_VALUE_ENCODER) CERT_EncodeAuthKeyID);
if (rv)
break;
} while (0);
if (arena)
PORT_FreeArena (arena, PR_FALSE);
return (rv);
}
static SECStatus
AddSubjKeyID (void *extHandle)
{
SECItem keyID;
PRArenaPool *arena = NULL;
SECStatus rv = SECSuccess;
PRBool yesNoAns;
do {
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if ( !arena ) {
SECU_PrintError(progName, "out of memory");
GEN_BREAK (SECFailure);
}
printf("Adding Subject Key ID extension.\n");
rv = GetString (arena, "Enter value for the key identifier fields,"
"enter to omit:", &keyID);
if (rv != SECSuccess)
break;
SECU_SECItemHexStringToBinary(&keyID);
yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
&keyID, yesNoAns, SEC_OID_X509_SUBJECT_KEY_ID,
(EXTEN_EXT_VALUE_ENCODER) CERT_EncodeSubjectKeyID);
if (rv)
break;
} while (0);
if (arena)
PORT_FreeArena (arena, PR_FALSE);
return (rv);
}
static SECStatus
AddCrlDistPoint(void *extHandle)
{
PRArenaPool *arena = NULL;
CERTCrlDistributionPoints *crlDistPoints = NULL;
CRLDistributionPoint *current;
SECStatus rv = SECSuccess;
int count = 0, intValue;
char buffer[512];
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if ( !arena )
return (SECFailure);
do {
current = NULL;
current = PORT_ArenaZNew(arena, CRLDistributionPoint);
if (current == NULL) {
GEN_BREAK (SECFailure);
}
/* Get the distributionPointName fields - this field is optional */
if (PrintChoicesAndGetAnswer(
"Enter the type of the distribution point name:\n"
"\t1 - Full Name\n\t2 - Relative Name\n\tAny other "
"number to finish\n\t\tChoice: ",
buffer, sizeof(buffer)) == SECFailure) {
GEN_BREAK (SECFailure);
}
intValue = PORT_Atoi (buffer);
switch (intValue) {
case generalName:
current->distPointType = intValue;
current->distPoint.fullName = GetGeneralName (arena);
rv = PORT_GetError();
break;
case relativeDistinguishedName: {
CERTName *name;
current->distPointType = intValue;
puts ("Enter the relative name: ");
fflush (stdout);
if (Gets_s (buffer, sizeof(buffer)) == NULL) {
GEN_BREAK (SECFailure);
}
/* For simplicity, use CERT_AsciiToName to converse from a string
to NAME, but we only interest in the first RDN */
name = CERT_AsciiToName (buffer);
if (!name) {
GEN_BREAK (SECFailure);
}
rv = CERT_CopyRDN (arena, &current->distPoint.relativeName,
name->rdns[0]);
CERT_DestroyName (name);
break;
}
}
if (rv != SECSuccess)
break;
/* Get the reason flags */
if (PrintChoicesAndGetAnswer(
"\nSelect one of the following for the reason flags\n"
"\t0 - unused\n\t1 - keyCompromise\n"
"\t2 - caCompromise\n\t3 - affiliationChanged\n"
"\t4 - superseded\n\t5 - cessationOfOperation\n"
"\t6 - certificateHold\n"
"\tAny other number to finish\t\tChoice: ",
buffer, sizeof(buffer)) == SECFailure) {
GEN_BREAK(SECFailure);
}
intValue = PORT_Atoi (buffer);
if (intValue == 0) {
/* Checking that zero value of variable 'value'
* corresponds to '0' input made by user */
char *chPtr = strchr(buffer, '0');
if (chPtr == NULL) {
intValue = -1;
}
}
if (intValue >= 0 && intValue <8) {
current->reasons.data = PORT_ArenaAlloc (arena, sizeof(char));
if (current->reasons.data == NULL) {
GEN_BREAK (SECFailure);
}
*current->reasons.data = (char)(0x80 >> intValue);
current->reasons.len = 1;
}
puts ("Enter value for the CRL Issuer name:\n");
current->crlIssuer = GetGeneralName (arena);
if (current->crlIssuer == NULL && (rv = PORT_GetError()) == SECFailure)
break;
if (crlDistPoints == NULL) {
crlDistPoints = PORT_ArenaZNew(arena, CERTCrlDistributionPoints);
if (crlDistPoints == NULL) {
GEN_BREAK (SECFailure);
}
}
crlDistPoints->distPoints =
PORT_ArenaGrow (arena, crlDistPoints->distPoints,
sizeof (*crlDistPoints->distPoints) * count,
sizeof (*crlDistPoints->distPoints) *(count + 1));
if (crlDistPoints->distPoints == NULL) {
GEN_BREAK (SECFailure);
}
crlDistPoints->distPoints[count] = current;
++count;
if (GetYesNo("Enter another value for the CRLDistributionPoint "
"extension [y/N]?") == 0) {
/* Add null to the end to mark end of data */
crlDistPoints->distPoints =
PORT_ArenaGrow(arena, crlDistPoints->distPoints,
sizeof (*crlDistPoints->distPoints) * count,
sizeof (*crlDistPoints->distPoints) *(count + 1));
crlDistPoints->distPoints[count] = NULL;
break;
}
} while (1);
if (rv == SECSuccess) {
PRBool yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
crlDistPoints, yesNoAns, SEC_OID_X509_CRL_DIST_POINTS,
(EXTEN_EXT_VALUE_ENCODER)CERT_EncodeCRLDistributionPoints);
}
if (arena)
PORT_FreeArena (arena, PR_FALSE);
return (rv);
}
static SECStatus
AddPolicyConstraints(void *extHandle)
{
CERTCertificatePolicyConstraints *policyConstr;
PRArenaPool *arena = NULL;
SECStatus rv = SECSuccess;
SECItem *item, *dummy;
char buffer[512];
int value;
PRBool yesNoAns;
PRBool skipExt = PR_TRUE;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if ( !arena ) {
SECU_PrintError(progName, "out of memory");
return SECFailure;
}
policyConstr = PORT_ArenaZNew(arena, CERTCertificatePolicyConstraints);
if (policyConstr == NULL) {
SECU_PrintError(progName, "out of memory");
goto loser;
}
if (PrintChoicesAndGetAnswer("for requireExplicitPolicy enter the number "
"of certs in path\nbefore explicit policy is required\n"
"(press Enter to omit)", buffer, sizeof(buffer)) == SECFailure) {
goto loser;
}
if (PORT_Strlen(buffer)) {
value = PORT_Atoi(buffer);
if (value < 0) {
goto loser;
}
item = &policyConstr->explicitPolicySkipCerts;
dummy = SEC_ASN1EncodeInteger(arena, item, value);
if (!dummy) {
goto loser;
}
skipExt = PR_FALSE;
}
if (PrintChoicesAndGetAnswer("for inihibitPolicyMapping enter "
"the number of certs in path\n"
"after which policy mapping is not allowed\n"
"(press Enter to omit)", buffer, sizeof(buffer)) == SECFailure) {
goto loser;
}
if (PORT_Strlen(buffer)) {
value = PORT_Atoi(buffer);
if (value < 0) {
goto loser;
}
item = &policyConstr->inhibitMappingSkipCerts;
dummy = SEC_ASN1EncodeInteger(arena, item, value);
if (!dummy) {
goto loser;
}
skipExt = PR_FALSE;
}
if (!skipExt) {
yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, policyConstr,
yesNoAns, SEC_OID_X509_POLICY_CONSTRAINTS,
(EXTEN_EXT_VALUE_ENCODER)CERT_EncodePolicyConstraintsExtension);
} else {
fprintf(stdout, "Policy Constraint extensions must contain "
"at least one policy field\n");
rv = SECFailure;
}
loser:
if (arena) {
PORT_FreeArena (arena, PR_FALSE);
}
return (rv);
}
static SECStatus
AddInhibitAnyPolicy(void *extHandle)
{
CERTCertificateInhibitAny certInhibitAny;
PRArenaPool *arena = NULL;
SECStatus rv = SECSuccess;
SECItem *item, *dummy;
char buffer[10];
int value;
PRBool yesNoAns;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if ( !arena ) {
SECU_PrintError(progName, "out of memory");
return SECFailure;
}
if (PrintChoicesAndGetAnswer("Enter the number of certs in the path "
"permitted to use anyPolicy.\n"
"(press Enter for 0)",
buffer, sizeof(buffer)) == SECFailure) {
goto loser;
}
item = &certInhibitAny.inhibitAnySkipCerts;
value = PORT_Atoi(buffer);
if (value < 0) {
goto loser;
}
dummy = SEC_ASN1EncodeInteger(arena, item, value);
if (!dummy) {
goto loser;
}
yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, &certInhibitAny,
yesNoAns, SEC_OID_X509_INHIBIT_ANY_POLICY,
(EXTEN_EXT_VALUE_ENCODER)CERT_EncodeInhibitAnyExtension);
loser:
if (arena) {
PORT_FreeArena (arena, PR_FALSE);
}
return (rv);
}
static SECStatus
AddPolicyMappings(void *extHandle)
{
CERTPolicyMap **policyMapArr = NULL;
CERTPolicyMap *current;
PRArenaPool *arena = NULL;
SECStatus rv = SECSuccess;
int count = 0;
char buffer[512];
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if ( !arena ) {
SECU_PrintError(progName, "out of memory");
return SECFailure;
}
do {
if (PrintChoicesAndGetAnswer("Enter an Object Identifier (dotted "
"decimal format) for Issuer Domain Policy",
buffer, sizeof(buffer)) == SECFailure) {
GEN_BREAK (SECFailure);
}
current = PORT_ArenaZNew(arena, CERTPolicyMap);
if (current == NULL) {
GEN_BREAK(SECFailure);
}
rv = SEC_StringToOID(arena, &current->issuerDomainPolicy, buffer, 0);
if (rv == SECFailure) {
GEN_BREAK(SECFailure);
}
if (PrintChoicesAndGetAnswer("Enter an Object Identifier for "
"Subject Domain Policy",
buffer, sizeof(buffer)) == SECFailure) {
GEN_BREAK (SECFailure);
}
rv = SEC_StringToOID(arena, &current->subjectDomainPolicy, buffer, 0);
if (rv == SECFailure) {
GEN_BREAK(SECFailure);
}
if (policyMapArr == NULL) {
policyMapArr = PORT_ArenaZNew(arena, CERTPolicyMap *);
if (policyMapArr == NULL) {
GEN_BREAK (SECFailure);
}
}
policyMapArr = PORT_ArenaGrow(arena, policyMapArr,
sizeof (current) * count,
sizeof (current) *(count + 1));
if (policyMapArr == NULL) {
GEN_BREAK (SECFailure);
}
policyMapArr[count] = current;
++count;
if (!GetYesNo("Enter another Policy Mapping [y/N]")) {
/* Add null to the end to mark end of data */
policyMapArr = PORT_ArenaGrow (arena, policyMapArr,
sizeof (current) * count,
sizeof (current) *(count + 1));
if (policyMapArr == NULL) {
GEN_BREAK (SECFailure);
}
policyMapArr[count] = NULL;
break;
}
} while (1);
if (rv == SECSuccess) {
CERTCertificatePolicyMappings mappings;
PRBool yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
mappings.arena = arena;
mappings.policyMaps = policyMapArr;
rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, &mappings,
yesNoAns, SEC_OID_X509_POLICY_MAPPINGS,
(EXTEN_EXT_VALUE_ENCODER)CERT_EncodePolicyMappingExtension);
}
if (arena)
PORT_FreeArena (arena, PR_FALSE);
return (rv);
}
enum PoliciQualifierEnum {
cpsPointer = 1,
userNotice = 2
};
static CERTPolicyQualifier **
RequestPolicyQualifiers(PRArenaPool *arena, SECItem *policyID)
{
CERTPolicyQualifier **policyQualifArr = NULL;
CERTPolicyQualifier *current;
SECStatus rv = SECSuccess;
int count = 0;
char buffer[512];
void *mark;
SECOidData *oid = NULL;
int intValue = 0;
int inCount = 0;
PORT_Assert(arena);
mark = PORT_ArenaMark(arena);
do {
current = PORT_ArenaZNew(arena, CERTPolicyQualifier);
if (current == NULL) {
GEN_BREAK(SECFailure);
}
/* Get the accessMethod fields */
SECU_PrintObjectID(stdout, policyID,
"Choose the type of qualifier for policy" , 0);
if (PrintChoicesAndGetAnswer(
"\t1 - CPS Pointer qualifier\n"
"\t2 - User notice qualifier\n"
"\tAny other number to finish\n"
"\t\tChoice: ", buffer, sizeof(buffer)) == SECFailure) {
GEN_BREAK (SECFailure);
}
intValue = PORT_Atoi(buffer);
switch (intValue) {
case cpsPointer: {
SECItem input;
oid = SECOID_FindOIDByTag(SEC_OID_PKIX_CPS_POINTER_QUALIFIER);
if (PrintChoicesAndGetAnswer("Enter CPS pointer URI: ",
buffer, sizeof(buffer)) == SECFailure) {
GEN_BREAK (SECFailure);
}
input.len = PORT_Strlen(buffer);
input.data = (void*)PORT_ArenaStrdup(arena, buffer);
if (input.data == NULL ||
SEC_ASN1EncodeItem(arena, &current->qualifierValue, &input,
SEC_ASN1_GET(SEC_IA5StringTemplate)) == NULL) {
GEN_BREAK (SECFailure);
}
break;
}
case userNotice: {
SECItem **noticeNumArr;
CERTUserNotice *notice = PORT_ArenaZNew(arena, CERTUserNotice);
if (!notice) {
GEN_BREAK(SECFailure);
}
oid = SECOID_FindOIDByTag(SEC_OID_PKIX_USER_NOTICE_QUALIFIER);
if (GetYesNo("\t add a User Notice reference? [y/N]")) {
if (PrintChoicesAndGetAnswer("Enter user organization string: ",
buffer, sizeof(buffer)) == SECFailure) {
GEN_BREAK (SECFailure);
}
notice->noticeReference.organization.type = siAsciiString;
notice->noticeReference.organization.len =
PORT_Strlen(buffer);
notice->noticeReference.organization.data =
(void*)PORT_ArenaStrdup(arena, buffer);
noticeNumArr = PORT_ArenaZNewArray(arena, SECItem *, 2);
if (!noticeNumArr) {
GEN_BREAK (SECFailure);
}
do {
SECItem *noticeNum;
noticeNum = PORT_ArenaZNew(arena, SECItem);
if (PrintChoicesAndGetAnswer(
"Enter User Notice reference number "
"(or -1 to quit): ",
buffer, sizeof(buffer)) == SECFailure) {
GEN_BREAK (SECFailure);
}
intValue = PORT_Atoi(buffer);
if (noticeNum == NULL) {
if (intValue < 0) {
fprintf(stdout, "a noticeReference must have at "
"least one reference number\n");
GEN_BREAK (SECFailure);
}
} else {
if (intValue >= 0) {
noticeNumArr = PORT_ArenaGrow(arena, noticeNumArr,
sizeof (current) * inCount,
sizeof (current) *(inCount + 1));
if (noticeNumArr == NULL) {
GEN_BREAK (SECFailure);
}
} else {
break;
}
}
if (!SEC_ASN1EncodeInteger(arena, noticeNum, intValue)) {
GEN_BREAK (SECFailure);
}
noticeNumArr[inCount++] = noticeNum;
noticeNumArr[inCount] = NULL;
} while (1);
if (rv == SECFailure) {
GEN_BREAK(SECFailure);
}
notice->noticeReference.noticeNumbers = noticeNumArr;
rv = CERT_EncodeNoticeReference(arena, &notice->noticeReference,
&notice->derNoticeReference);
if (rv == SECFailure) {
GEN_BREAK(SECFailure);
}
}
if (GetYesNo("\t EnterUser Notice explicit text? [y/N]")) {
/* Getting only 200 bytes - RFC limitation */
if (PrintChoicesAndGetAnswer(
"\t", buffer, 200) == SECFailure) {
GEN_BREAK (SECFailure);
}
notice->displayText.type = siAsciiString;
notice->displayText.len = PORT_Strlen(buffer);
notice->displayText.data =
(void*)PORT_ArenaStrdup(arena, buffer);
if (notice->displayText.data == NULL) {
GEN_BREAK(SECFailure);
}
}
rv = CERT_EncodeUserNotice(arena, notice, &current->qualifierValue);
if (rv == SECFailure) {
GEN_BREAK(SECFailure);
}
break;
}
}
if (rv == SECFailure || oid == NULL ||
SECITEM_CopyItem(arena, &current->qualifierID, &oid->oid)
== SECFailure) {
GEN_BREAK (SECFailure);
}
if (!policyQualifArr) {
policyQualifArr = PORT_ArenaZNew(arena, CERTPolicyQualifier *);
} else {
policyQualifArr = PORT_ArenaGrow (arena, policyQualifArr,
sizeof (current) * count,
sizeof (current) *(count + 1));
}
if (policyQualifArr == NULL) {
GEN_BREAK (SECFailure);
}
policyQualifArr[count] = current;
++count;
if (!GetYesNo ("Enter another policy qualifier [y/N]")) {
/* Add null to the end to mark end of data */
policyQualifArr = PORT_ArenaGrow(arena, policyQualifArr,
sizeof (current) * count,
sizeof (current) *(count + 1));
if (policyQualifArr == NULL) {
GEN_BREAK (SECFailure);
}
policyQualifArr[count] = NULL;
break;
}
} while (1);
if (rv != SECSuccess) {
PORT_ArenaRelease (arena, mark);
policyQualifArr = NULL;
}
return (policyQualifArr);
}
static SECStatus
AddCertPolicies(void *extHandle)
{
CERTPolicyInfo **certPoliciesArr = NULL;
CERTPolicyInfo *current;
PRArenaPool *arena = NULL;
SECStatus rv = SECSuccess;
int count = 0;
char buffer[512];
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if ( !arena ) {
SECU_PrintError(progName, "out of memory");
return SECFailure;
}
do {
current = PORT_ArenaZNew(arena, CERTPolicyInfo);
if (current == NULL) {
GEN_BREAK(SECFailure);
}
if (PrintChoicesAndGetAnswer("Enter a CertPolicy Object Identifier "
"(dotted decimal format)\n"
"or \"any\" for AnyPolicy:",
buffer, sizeof(buffer)) == SECFailure) {
GEN_BREAK (SECFailure);
}
if (strncmp(buffer, "any", 3) == 0) {
/* use string version of X509_CERTIFICATE_POLICIES.anyPolicy */
strcpy(buffer, "OID.2.5.29.32.0");
}
rv = SEC_StringToOID(arena, &current->policyID, buffer, 0);
if (rv == SECFailure) {
GEN_BREAK(SECFailure);
}
current->policyQualifiers =
RequestPolicyQualifiers(arena, &current->policyID);
if (!certPoliciesArr) {
certPoliciesArr = PORT_ArenaZNew(arena, CERTPolicyInfo *);
} else {
certPoliciesArr = PORT_ArenaGrow(arena, certPoliciesArr,
sizeof (current) * count,
sizeof (current) *(count + 1));
}
if (certPoliciesArr == NULL) {
GEN_BREAK (SECFailure);
}
certPoliciesArr[count] = current;
++count;
if (!GetYesNo ("Enter another PolicyInformation field [y/N]?")) {
/* Add null to the end to mark end of data */
certPoliciesArr = PORT_ArenaGrow(arena, certPoliciesArr,
sizeof (current) * count,
sizeof (current) *(count + 1));
if (certPoliciesArr == NULL) {
GEN_BREAK (SECFailure);
}
certPoliciesArr[count] = NULL;
break;
}
} while (1);
if (rv == SECSuccess) {
CERTCertificatePolicies policies;
PRBool yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
policies.arena = arena;
policies.policyInfos = certPoliciesArr;
rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, &policies,
yesNoAns, SEC_OID_X509_CERTIFICATE_POLICIES,
(EXTEN_EXT_VALUE_ENCODER)CERT_EncodeCertPoliciesExtension);
}
if (arena)
PORT_FreeArena(arena, PR_FALSE);
return (rv);
}
enum AuthInfoAccessTypesEnum {
caIssuers = 1,
ocsp = 2
};
enum SubjInfoAccessTypesEnum {
caRepository = 1,
timeStamping = 2
};
/* Encode and add an AIA or SIA extension */
static SECStatus
AddInfoAccess(void *extHandle, PRBool addSIAExt, PRBool isCACert)
{
CERTAuthInfoAccess **infoAccArr = NULL;
CERTAuthInfoAccess *current;
PRArenaPool *arena = NULL;
SECStatus rv = SECSuccess;
int count = 0;
char buffer[512];
SECOidData *oid = NULL;
int intValue = 0;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if ( !arena ) {
SECU_PrintError(progName, "out of memory");
return SECFailure;
}
do {
current = NULL;
current = PORT_ArenaZNew(arena, CERTAuthInfoAccess);
if (current == NULL) {
GEN_BREAK(SECFailure);
}
/* Get the accessMethod fields */
if (addSIAExt) {
if (isCACert) {
puts("Adding \"CA Repository\" access method type for "
"Subject Information Access extension:\n");
intValue = caRepository;
} else {
puts("Adding \"Time Stamping Services\" access method type for "
"Subject Information Access extension:\n");
intValue = timeStamping;
}
} else {
PrintChoicesAndGetAnswer("Enter access method type "
"for Authority Information Access extension:\n"
"\t1 - CA Issuers\n\t2 - OCSP\n\tAny"
"other number to finish\n\tChoice",
buffer, sizeof(buffer));
intValue = PORT_Atoi(buffer);
}
if (addSIAExt) {
switch (intValue) {
case caRepository:
oid = SECOID_FindOIDByTag(SEC_OID_PKIX_CA_REPOSITORY);
break;
case timeStamping:
oid = SECOID_FindOIDByTag(SEC_OID_PKIX_TIMESTAMPING);
break;
}
} else {
switch (intValue) {
case caIssuers:
oid = SECOID_FindOIDByTag(SEC_OID_PKIX_CA_ISSUERS);
break;
case ocsp:
oid = SECOID_FindOIDByTag(SEC_OID_PKIX_OCSP);
break;
}
}
if (oid == NULL ||
SECITEM_CopyItem(arena, &current->method, &oid->oid)
== SECFailure) {
GEN_BREAK (SECFailure);
}
current->location = GetGeneralName(arena);
if (!current->location) {
GEN_BREAK(SECFailure);
}
if (infoAccArr == NULL) {
infoAccArr = PORT_ArenaZNew(arena, CERTAuthInfoAccess *);
} else {
infoAccArr = PORT_ArenaGrow(arena, infoAccArr,
sizeof (current) * count,
sizeof (current) *(count + 1));
}
if (infoAccArr == NULL) {
GEN_BREAK (SECFailure);
}
infoAccArr[count] = current;
++count;
PR_snprintf(buffer, sizeof(buffer), "Add another location to the %s"
" Information Access extension [y/N]",
(addSIAExt) ? "Subject" : "Authority");
if (GetYesNo (buffer) == 0) {
/* Add null to the end to mark end of data */
infoAccArr = PORT_ArenaGrow(arena, infoAccArr,
sizeof (current) * count,
sizeof (current) *(count + 1));
if (infoAccArr == NULL) {
GEN_BREAK (SECFailure);
}
infoAccArr[count] = NULL;
break;
}
} while (1);
if (rv == SECSuccess) {
int oidIdent = SEC_OID_X509_AUTH_INFO_ACCESS;
PRBool yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
if (addSIAExt) {
oidIdent = SEC_OID_X509_SUBJECT_INFO_ACCESS;
}
rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, infoAccArr,
yesNoAns, oidIdent,
(EXTEN_EXT_VALUE_ENCODER)CERT_EncodeInfoAccessExtension);
}
if (arena)
PORT_FreeArena(arena, PR_FALSE);
return (rv);
}
SECStatus
AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
certutilExtnList extList)
{
SECStatus rv = SECSuccess;
char *errstring = NULL;
do {
/* Add key usage extension */
if (extList[ext_keyUsage].activated) {
rv = AddKeyUsage(extHandle, extList[ext_keyUsage].arg);
if (rv) {
errstring = "KeyUsage";
break;
}
}
/* Add extended key usage extension */
if (extList[ext_extKeyUsage].activated) {
rv = AddExtKeyUsage(extHandle, extList[ext_extKeyUsage].arg);
if (rv) {
errstring = "ExtendedKeyUsage";
break;
}
}
/* Add basic constraint extension */
if (extList[ext_basicConstraint].activated) {
rv = AddBasicConstraint(extHandle);
if (rv) {
errstring = "BasicConstraint";
break;
}
}
if (extList[ext_authorityKeyID].activated) {
rv = AddAuthKeyID(extHandle);
if (rv) {
errstring = "AuthorityKeyID";
break;
}
}
if (extList[ext_subjectKeyID].activated) {
rv = AddSubjKeyID(extHandle);
if (rv) {
errstring = "SubjectKeyID";
break;
}
}
if (extList[ext_CRLDistPts].activated) {
rv = AddCrlDistPoint(extHandle);
if (rv) {
errstring = "CRLDistPoints";
break;
}
}
if (extList[ext_NSCertType].activated) {
rv = AddNscpCertType(extHandle, extList[ext_NSCertType].arg);
if (rv) {
errstring = "NSCertType";
break;
}
}
if (extList[ext_authInfoAcc].activated ||
extList[ext_subjInfoAcc].activated) {
rv = AddInfoAccess(extHandle, extList[ext_subjInfoAcc].activated,
extList[ext_basicConstraint].activated);
if (rv) {
errstring = "InformationAccess";
break;
}
}
if (extList[ext_certPolicies].activated) {
rv = AddCertPolicies(extHandle);
if (rv) {
errstring = "Policies";
break;
}
}
if (extList[ext_policyMappings].activated) {
rv = AddPolicyMappings(extHandle);
if (rv) {
errstring = "PolicyMappings";
break;
}
}
if (extList[ext_policyConstr].activated) {
rv = AddPolicyConstraints(extHandle);
if (rv) {
errstring = "PolicyConstraints";
break;
}
}
if (extList[ext_inhibitAnyPolicy].activated) {
rv = AddInhibitAnyPolicy(extHandle);
if (rv) {
errstring = "InhibitAnyPolicy";
break;
}
}
if (emailAddrs || dnsNames) {
PRArenaPool *arena;
CERTGeneralName *namelist = NULL;
SECItem item = { 0, NULL, 0 };
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
rv = SECFailure;
break;
}
rv = AddEmailSubjectAlt(arena, &namelist, emailAddrs);
rv |= AddDNSSubjectAlt(arena, &namelist, dnsNames);
if (rv == SECSuccess) {
rv = CERT_EncodeAltNameExtension(arena, namelist, &item);
if (rv == SECSuccess) {
rv = CERT_AddExtension(extHandle,
SEC_OID_X509_SUBJECT_ALT_NAME,
&item, PR_FALSE, PR_TRUE);
}
}
PORT_FreeArena(arena, PR_FALSE);
if (rv) {
errstring = "SubjectAltName";
break;
}
}
} while (0);
if (rv != SECSuccess) {
SECU_PrintError(progName, "Problem creating %s extension", errstring);
}
return rv;
}