| /* This Source Code Form is subject to the terms of the Mozilla Public |
| * License, v. 2.0. If a copy of the MPL was not distributed with this |
| * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| |
/* Reasons a certificate can be rejected during reconstruction. Each value is
 * the 'errtype' handed to userSaysDeleteCert() and the index of the matching
 * counter in dbRestoreInfo.dbErrors; the first three also index
 * dbRestoreInfo.removeType / promptUser.
 */
enum {
    dbInvalidCert = 0,       /* outside its validity period ("expired") */
    dbNoSMimeProfile = 1,    /* S/MIME cert without a profile record */
    dbOlderCert = 2,         /* a newer cert exists for the same nickname/email */
    dbBadCertificate = 3,    /* DER did not decode, or the temp cert could not be made */
    dbCertNotWrittenToDB = 4 /* CERT_AddTempCertToPerm failed */
};
| |
/* Per-run state shared by the reconstruction routines. It is zeroed by
 * DBCK_ReconstructDBFromCerts() before the fields below are filled in.
 * Field order is part of the layout and is kept as is.
 */
typedef struct dbRestoreInfoStr {
    NSSLOWCERTCertDBHandle *handle; /* the new database being populated */
    PRBool verbose;                 /* print per-certificate progress to 'out' */
    PRFileDesc *out;                /* progress and summary destination */
    int nCerts;                     /* certs written to, or already present in, the new db */
    int nOldCerts;                  /* certs successfully decoded from the old db */
    int dbErrors[5];                /* one rejection counter per enum value above */
    PRBool removeType[3];           /* per reason: the answer used when not prompting (PR_TRUE = delete) */
    PRBool promptUser[3];           /* per reason: still ask the user each time? */
} dbRestoreInfo;
| |
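/* Decide whether 'cert' is a personal (end-entity) email certificate and, if
 * so, return its email address as a freshly allocated string.
 *
 * The address comes from cert->emailAddr when that is non-empty; otherwise it
 * is cut out of the subject name after an "E=" or "MAIL=" attribute, ending
 * at the first ',' or ' '.
 *
 * Returns NULL when the cert has no email address, is a CA cert, has a key
 * usage extension that allows neither signing nor encipherment (or allows
 * cert/CRL signing), or when allocation fails. The caller releases the
 * result with PORT_Free.
 */
char *
IsEmailCert(CERTCertificate *cert)
{
    char *email, *attr, *mailAttr;
    size_t len;

    if (!cert->subjectName) {
        return NULL;
    }

    attr = PORT_Strstr(cert->subjectName, "E=");
    mailAttr = PORT_Strstr(cert->subjectName, "MAIL=");
    /* XXX Nelson has cert for KTrilli which does not have either
     * of above but is email cert (has cert->emailAddr).
     */
    if (!attr && !mailAttr && !(cert->emailAddr && cert->emailAddr[0])) {
        return NULL;
    }

    /* Server or CA cert, not personal email. */
    if (CERT_IsCACert(cert, NULL))
        return NULL;

    /* XXX CERT_IsCACert advertises checking the key usage ext.,
       but doesn't appear to. */
    /* Check the key usage extension ourselves. */
    if (cert->keyUsagePresent) {
        /* Must at least be able to sign or encrypt (not necessarily
         * both if it is one of a dual cert).
         */
        if (!(cert->rawKeyUsage & (KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT)))
            return NULL;

        /* CA cert, not personal email. */
        if (cert->rawKeyUsage & (KU_KEY_CERT_SIGN | KU_CRL_SIGN))
            return NULL;
    }

    if (cert->emailAddr && cert->emailAddr[0]) {
        /* NULL on allocation failure, which the caller already treats as
         * "no email". */
        return PORT_Strdup(cert->emailAddr);
    }

    /* Skip the attribute name; "E=" wins when both attributes are present. */
    if (attr)
        attr += 2; /* "E=" */
    else
        attr = mailAttr + 5; /* "MAIL=" */
    len = strcspn(attr, ", ");
    email = (char *)PORT_Alloc(len + 1);
    if (!email)
        return NULL; /* the original copied into a NULL allocation here */
    /* Exact-length copy plus explicit terminator; no strncpy padding games. */
    PORT_Memcpy(email, attr, len);
    email[len] = '\0';

    return email;
}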
| |
/* CERT_TraverseCertsForSubject callback: drop one certificate from the
 * permanent database. 'arg' is the traversal's opaque argument and is not
 * used here.
 */
SECStatus
deleteit(CERTCertificate *cert, void *arg)
{
    (void)arg;
    return SEC_DeletePermCertificate(cert);
}
| |
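/* Different than DeleteCertificate - has the added bonus of removing
 * all certs with the same DN.
 *
 * Every certificate on cert->subjectList is removed from the permanent
 * database through the deleteit() callback. When 'outfile' is non-NULL the
 * certificate being removed is dumped there first.
 *
 * Returns the status of the traversal. (The original always returned
 * SECSuccess, so a failed or aborted deletion was invisible to the caller.)
 */
SECStatus
deleteAllEntriesForCert(NSSLOWCERTCertDBHandle *handle, CERTCertificate *cert,
                        PRFileDesc *outfile)
{
    SECStatus rv;
#if 0
    certDBEntrySubject *subjectEntry;
    certDBEntryNickname *nicknameEntry;
    certDBEntrySMime *smimeEntry;
    int i;
#endif

    if (outfile) {
        PR_fprintf(outfile, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n\n");
        PR_fprintf(outfile, "Deleting redundant certificate:\n");
        dumpCertificate(cert, -1, outfile);
    }

    /* Let the traversal report whether every entry was deleted. */
    rv = CERT_TraverseCertsForSubject(handle, cert->subjectList, deleteit, NULL);
#if 0
    /* Older, hand-rolled version that walked the subject, S/MIME and nickname
     * records directly. Kept for reference only; not compiled. */
    CERT_LockDB(handle);
    subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject);
    /* It had better be there, or created a bad db. */
    PORT_Assert(subjectEntry);
    for (i=0; i<subjectEntry->ncerts; i++) {
        DeleteDBCertEntry(handle, &subjectEntry->certKeys[i]);
    }
    DeleteDBSubjectEntry(handle, &cert->derSubject);
    if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
        smimeEntry = ReadDBSMimeEntry(handle, subjectEntry->emailAddr);
        if (smimeEntry) {
            if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
                                      &smimeEntry->subjectName))
                /* Only delete it if it's for this subject! */
                DeleteDBSMimeEntry(handle, subjectEntry->emailAddr);
            SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
        }
    }
    if (subjectEntry->nickname) {
        nicknameEntry = ReadDBNicknameEntry(handle, subjectEntry->nickname);
        if (nicknameEntry) {
            if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
                                      &nicknameEntry->subjectName))
                /* Only delete it if it's for this subject! */
                DeleteDBNicknameEntry(handle, subjectEntry->nickname);
            SEC_DestroyDBEntry((certDBEntry*)nicknameEntry);
        }
    }
    SEC_DestroyDBEntry((certDBEntry*)subjectEntry);
    CERT_UnlockDB(handle);
#endif
    return rv;
}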
| |
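/* Parse the user's "certs to keep" answer and mark the kept ones in certNums.
 *
 * numlist: the raw response buffer; 'len' bytes, not necessarily
 *   NUL-terminated. It is never read past 'len' or past a NUL, and is not
 *   modified. Tokens are separated by ',', ' ' or '\n'; the leading digits
 *   of a token form a cert number and any trailer up to the next separator
 *   is ignored. Tokens without leading digits are skipped.
 * certNums: certNums[1..nCerts] hold the cert numbers shown to the user (the
 *   positions in the sorted cert array). A number the user lists has its
 *   slot replaced by -1 so the caller leaves that cert alone; the first
 *   listed number is also stored in certNums[0] as the primary cert.
 *
 * The original tokenized with strpbrk(), which dereferenced NULL when no
 * separator followed a token and read beyond 'len' when the buffer had no
 * terminator; numbers were parsed with atoi() and could overflow. Here
 * parsing is bounded by 'len' and digits saturate at INT_MAX.
 */
void
getCertsToDelete(char *numlist, int len, int *certNums, int nCerts)
{
    int pos = 0;
    int first = 1;

    if (!numlist || len <= 0 || !certNums || nCerts < 0)
        return;

    while (pos < len && numlist[pos] != '\0') {
        int num = 0;
        int ndigits = 0;
        int j;

        /* Separator between tokens. */
        if (numlist[pos] == ',' || numlist[pos] == ' ' || numlist[pos] == '\n') {
            pos++;
            continue;
        }

        /* Leading digits of the token. */
        while (pos < len && isdigit((unsigned char)numlist[pos])) {
            int digit = numlist[pos] - '0';
            num = (num > (INT_MAX - digit) / 10) ? INT_MAX : num * 10 + digit;
            ndigits++;
            pos++;
        }

        /* Non-digit trailer of the token, up to the next separator. */
        while (pos < len && numlist[pos] != '\0' &&
               numlist[pos] != ',' && numlist[pos] != ' ' && numlist[pos] != '\n')
            pos++;

        if (ndigits == 0)
            continue;

        if (first) {
            certNums[0] = num;
            first = 0;
        }
        for (j = 1; j <= nCerts; j++) {
            if (certNums[j] == num) {
                certNums[j] = -1;
                break;
            }
        }
    }
}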
| |
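/* Ask the user (or recall an earlier "apply to all" answer) whether the
 * certificate(s) flagged with 'errtype' should be dropped.
 *
 * certs/nCerts: the certificate(s) in question. For dbOlderCert every
 *   candidate is listed and the user chooses which to keep.
 * errtype: dbInvalidCert, dbNoSMimeProfile or dbOlderCert; it indexes the
 *   3-element info->promptUser / info->removeType tables.
 * info: run state. An upper-case 'Y'/'N' answer turns off prompting for this
 *   errtype and records the answer in removeType.
 * certNums: for dbOlderCert, the table getCertsToDelete() fills in; ignored
 *   for the other reasons (callers pass 0).
 *
 * Returns PR_TRUE when the cert(s) should be deleted. For dbOlderCert the
 * return is always PR_TRUE and certNums says which survive; an answer that
 * does not start with a digit means "keep only the newest" from now on.
 * An empty or failed read is treated as no answer, i.e. the "[n]" default.
 * An errtype outside the table is refused (PR_FALSE: nothing is deleted).
 */
PRBool
userSaysDeleteCert(CERTCertificate **certs, int nCerts,
                   int errtype, dbRestoreInfo *info, int *certNums)
{
    char response[32] = { 0 };
    PRInt32 nb;
    int i;

    /* promptUser/removeType have exactly dbOlderCert + 1 entries. */
    if (errtype < dbInvalidCert || errtype > dbOlderCert)
        return PR_FALSE;

    /* User wants to remove cert without prompting. */
    if (info->promptUser[errtype] == PR_FALSE)
        return (info->removeType[errtype]);
    switch (errtype) {
        case dbInvalidCert:
            PR_fprintf(PR_STDOUT, "******** Expired ********\n");
            PR_fprintf(PR_STDOUT, "Cert has expired.\n\n");
            dumpCertificate(certs[0], -1, PR_STDOUT);
            PR_fprintf(PR_STDOUT,
                       "Keep it? (y/n - this one, Y/N - all expired certs) [n] ");
            break;
        case dbNoSMimeProfile:
            PR_fprintf(PR_STDOUT, "******** No Profile ********\n");
            PR_fprintf(PR_STDOUT, "S/MIME cert has no profile.\n\n");
            dumpCertificate(certs[0], -1, PR_STDOUT);
            PR_fprintf(PR_STDOUT,
                       "Keep it? (y/n - this one, Y/N - all S/MIME w/o profile) [n] ");
            break;
        case dbOlderCert:
            PR_fprintf(PR_STDOUT, "******* Redundant nickname/email *******\n\n");
            PR_fprintf(PR_STDOUT, "These certs have the same nickname/email:\n");
            for (i = 0; i < nCerts; i++)
                dumpCertificate(certs[i], i, PR_STDOUT);
            PR_fprintf(PR_STDOUT,
                       "Enter the certs you would like to keep from those listed above.\n");
            PR_fprintf(PR_STDOUT,
                       "Use a comma-separated list of the cert numbers (ex. 0, 8, 12).\n");
            PR_fprintf(PR_STDOUT,
                       "The first cert in the list will be the primary cert\n");
            PR_fprintf(PR_STDOUT,
                       " accessed by the nickname/email handle.\n");
            PR_fprintf(PR_STDOUT,
                       "List cert numbers to keep here, or hit enter\n");
            PR_fprintf(PR_STDOUT,
                       " to always keep only the newest cert: ");
            break;
        default:
            break; /* a bare label before '}' is not valid C11 */
    }
    /* Leave one byte for the terminator so 'response' is always a string;
     * a failed read (nb < 0) becomes the empty answer. */
    nb = PR_Read(PR_STDIN, response, sizeof(response) - 1);
    if (nb < 0)
        nb = 0;
    response[nb] = '\0';
    PR_fprintf(PR_STDOUT, "\n\n");
    if (errtype == dbOlderCert) {
        /* isdigit() takes an unsigned char value, never a possibly negative char. */
        if (!isdigit((unsigned char)response[0])) {
            info->promptUser[errtype] = PR_FALSE;
            info->removeType[errtype] = PR_TRUE;
            return PR_TRUE;
        }
        getCertsToDelete(response, nb, certNums, nCerts);
        return PR_TRUE;
    }
    /* User doesn't want to be prompted for this type anymore. */
    if (response[0] == 'Y') {
        info->promptUser[errtype] = PR_FALSE;
        info->removeType[errtype] = PR_FALSE;
        return PR_FALSE;
    } else if (response[0] == 'N') {
        info->promptUser[errtype] = PR_FALSE;
        info->removeType[errtype] = PR_TRUE;
        return PR_TRUE;
    }
    /* Anything but an explicit 'y' (including an empty answer) deletes. */
    return (response[0] != 'y') ? PR_TRUE : PR_FALSE;
}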
| |
/* Copy one certificate record from the old database into info->handle.
 *
 * certEntry: the cert record read from the old db. Its lifetime ends in this
 *   function: it is destroyed directly when the DER does not decode, and
 *   otherwise attached to the decoded cert as oldCert->dbEntry (the caller
 *   relies on "entries get destroyed in addCertToDB").
 * info: run state; nOldCerts / nCerts / dbErrors are updated and the user may
 *   be prompted through userSaysDeleteCert().
 * oldhandle: the database certEntry came from; recorded as oldCert->dbhandle.
 *
 * Always returns SECSuccess: every failure is counted in info->dbErrors and
 * reported on info->out or PR_STDERR instead of being propagated.
 */
SECStatus
addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info,
            NSSLOWCERTCertDBHandle *oldhandle)
{
    SECStatus rv = SECSuccess;
    PRBool allowOverride;
    PRBool userCert;
    SECCertTimeValidity validity;
    CERTCertificate *oldCert = NULL;
    CERTCertificate *dbCert = NULL;
    CERTCertificate *newCert = NULL;
    CERTCertTrust *trust;
    certDBEntrySMime *smimeEntry = NULL; /* never assigned below; see the S/MIME block */
    char *email = NULL;
    char *nickname = NULL;
    int nCertsForSubject = 1; /* only referenced inside a commented-out condition */

    oldCert = CERT_DecodeDERCertificate(&certEntry->derCert, PR_FALSE,
                                        certEntry->nickname);
    if (!oldCert) {
        /* Undecodable record: count it, release the entry, carry on. */
        info->dbErrors[dbBadCertificate]++;
        SEC_DestroyDBEntry((certDBEntry *)certEntry);
        return SECSuccess;
    }

    /* Hand the db entry and its trust record over to the decoded cert.
     * NOTE(review): nothing below frees certEntry on the success path, so
     * CERT_DestroyCertificate(oldCert) in cleanup is presumably what releases
     * it - confirm against the cert destructor before changing ownership. */
    oldCert->dbEntry = certEntry;
    oldCert->trust = &certEntry->trust;
    oldCert->dbhandle = oldhandle;

    trust = oldCert->trust;

    info->nOldCerts++;

    if (info->verbose)
        PR_fprintf(info->out, "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n\n");

    /* Private copy of the nickname; passed to the new cert and freed in
     * cleanup. A failed PORT_Strdup leaves nickname NULL, the same state as a
     * cert that never had one. */
    if (oldCert->nickname)
        nickname = PORT_Strdup(oldCert->nickname);

    /* Always keep user certs. Skip ahead. */
    /* XXX if someone sends themselves a signed message, it is possible
       for their cert to be imported as an "other" cert, not a user cert.
       this mucks with smime entries... */
    userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
               (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
               (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
    if (userCert)
        goto createcert;

    /* If user chooses so, ignore expired certificates. */
    /* allowOverride is set for server and IPsec usages; what it relaxes is
     * decided inside CERT_CheckCertValidTimes, not here. */
    allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) ||
                             (oldCert->keyUsage == certUsageSSLServerWithStepUp) ||
                             (oldCert->keyUsage == certUsageIPsec));
    validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride);
    /* If cert expired and user wants to delete it, ignore it.
     * The final 0 is the certNums table, which is only read for dbOlderCert. */
    if ((validity != secCertTimeValid) &&
        userSaysDeleteCert(&oldCert, 1, dbInvalidCert, info, 0)) {
        info->dbErrors[dbInvalidCert]++;
        if (info->verbose) {
            PR_fprintf(info->out, "Deleting expired certificate:\n");
            dumpCertificate(oldCert, -1, info->out);
        }
        goto cleanup;
    }

    /* New database will already have default certs, don't attempt
       to overwrite them. */
    dbCert = CERT_FindCertByDERCert(info->handle, &oldCert->derCert);
    if (dbCert) {
        /* Counted as reconstructed even though nothing is written; note the
         * message still says "Added". */
        info->nCerts++;
        if (info->verbose) {
            PR_fprintf(info->out, "Added certificate to database:\n");
            dumpCertificate(oldCert, -1, info->out);
        }
        goto cleanup;
    }

    /* Determine if cert is S/MIME and get its email if so.
     * NOTE(review): 'email' is only ever freed below; with the profile check
     * commented out it has no other use in this function. */
    email = IsEmailCert(oldCert);

    /*
    XXX Just create empty profiles?
    if (email) {
        SECItem *profile = CERT_FindSMimeProfile(oldCert);
        if (!profile &&
            userSaysDeleteCert(&oldCert, 1, dbNoSMimeProfile, info, 0)) {
            info->dbErrors[dbNoSMimeProfile]++;
            if (info->verbose) {
                PR_fprintf(info->out,
                           "Deleted cert missing S/MIME profile.\n");
                dumpCertificate(oldCert, -1, info->out);
            }
            goto cleanup;
        } else {
            SECITEM_FreeItem(profile);
        }
    }
    */

createcert:

    /* Sometimes happens... */
    /* A user cert without a nickname gets its subject name as nickname. */
    if (!nickname && userCert)
        nickname = PORT_Strdup(oldCert->subjectName);

    /* Create a new certificate, copy of the old one. */
    newCert = CERT_NewTempCertificate(info->handle, &oldCert->derCert,
                                      nickname, PR_FALSE, PR_TRUE);
    if (!newCert) {
        PR_fprintf(PR_STDERR, "Unable to create new certificate.\n");
        dumpCertificate(oldCert, -1, PR_STDERR);
        info->dbErrors[dbBadCertificate]++;
        goto cleanup;
    }

    /* Add the cert to the new database. */
    /* Relies on SECSuccess being 0: any other status is a failure. */
    rv = CERT_AddTempCertToPerm(newCert, nickname, oldCert->trust);
    if (rv) {
        PR_fprintf(PR_STDERR, "Failed to write temp cert to perm database.\n");
        dumpCertificate(oldCert, -1, PR_STDERR);
        info->dbErrors[dbCertNotWrittenToDB]++;
        goto cleanup;
    }

    if (info->verbose) {
        PR_fprintf(info->out, "Added certificate to database:\n");
        dumpCertificate(oldCert, -1, info->out);
    }

    /* If the cert is an S/MIME cert, and the first with it's subject,
     * modify the subject entry to include the email address,
     * CERT_AddTempCertToPerm does not do email addresses and S/MIME entries.
     *
     * NOTE(review): smimeEntry starts out NULL and is never assigned in this
     * function, so this block cannot execute as written; the S/MIME profile
     * is therefore not carried over. The rv from the profile copy is also not
     * checked or counted if the block is ever re-enabled.
     */
    if (smimeEntry) { /*&& !userCert && nCertsForSubject == 1) { */
#if 0
        UpdateSubjectWithEmailAddr(newCert, email);
#endif
        SECItem emailProfile, profileTime;
        rv = CERT_FindFullSMimeProfile(oldCert, &emailProfile, &profileTime);
        /* calls UpdateSubjectWithEmailAddr */
        if (rv == SECSuccess)
            rv = CERT_SaveSMimeProfile(newCert, &emailProfile, &profileTime);
    }

    info->nCerts++;

cleanup:

    /* Release everything this function owns; the guards keep NULLs away
     * from the destructors. */
    if (nickname)
        PORT_Free(nickname);
    if (email)
        PORT_Free(email);
    if (oldCert)
        CERT_DestroyCertificate(oldCert);
    if (dbCert)
        CERT_DestroyCertificate(dbCert);
    if (newCert)
        CERT_DestroyCertificate(newCert);
    if (smimeEntry)
        SEC_DestroyDBEntry((certDBEntry *)smimeEntry);
    return SECSuccess;
}
| |
#if 0
/* Compiled out. Raw copy of one db record (data + key) into the database
 * passed as 'pdata', with a freshly built record header of the given type.
 *
 * NOTE(review): common.flags reads data->data[2] without checking data->len,
 * and the PORT_Alloc result is used without a NULL check. WriteDBEntry and
 * the key layout (SEC_DB_KEY_HEADER_LEN bytes of header in front of the key)
 * are not visible here; confirm them before re-enabling this.
 */
SECStatus
copyDBEntry(SECItem *data, SECItem *key, certDBEntryType type, void *pdata)
{
    SECStatus rv;
    NSSLOWCERTCertDBHandle *newdb = (NSSLOWCERTCertDBHandle *)pdata;
    certDBEntryCommon common;
    SECItem dbkey;

    common.type = type;
    common.version = CERT_DB_FILE_VERSION;
    common.flags = data->data[2]; /* unchecked read of the third data byte */
    common.arena = NULL;

    /* Key is prefixed with the header; only byte 0 (the type) is filled in. */
    dbkey.len = key->len + SEC_DB_KEY_HEADER_LEN;
    dbkey.data = (unsigned char *)PORT_Alloc(dbkey.len*sizeof(unsigned char));
    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], key->data, key->len);
    dbkey.data[0] = type;

    rv = WriteDBEntry(newdb, &common, &dbkey, data);

    PORT_Free(dbkey.data);
    return rv;
}
#endif
| |
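/* qsort() comparator that orders certificates newest-first.
 *
 * 'a' and 'b' point at CERTCertificate * elements. Returns <0 when *a is
 * newer than *b, >0 when *b is newer, 0 otherwise.
 *
 * The original returned only 0 or 1 (never a negative value), which is not a
 * consistent ordering for qsort(), and it was invoked through a cast to an
 * incompatible function-pointer type. Taking const void * matches the
 * signature qsort() expects; existing callers that pass CERTCertificate **
 * still convert implicitly.
 */
int
certIsOlder(const void *a, const void *b)
{
    CERTCertificate *const *cert1 = a;
    CERTCertificate *const *cert2 = b;

    if (CERT_IsNewer(*cert1, *cert2))
        return -1;
    if (CERT_IsNewer(*cert2, *cert1))
        return 1;
    return 0;
}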
| |
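/* Upper bound on the subjects sharing one email address that a single pass
 * considers; subjectsForEmail[] below is sized by it. */
enum { MAX_SUBJECTS_PER_EMAIL = 50 };

/* Among all subject entries sharing subjectNum's email address, find the one
 * whose first certificate is newest, optionally letting the user remove the
 * others (dbOlderCert).
 *
 * handle: database the certificates are looked up in.
 * subjectNum: index of the starting subject entry in dbArray->subjects.
 * dbArray: the subject and S/MIME entry arrays being scanned.
 * info: run state for userSaysDeleteCert(); NULL skips the prompt/delete.
 * subjectWithSMime / smimeForSubject: set to the subject index and S/MIME
 *   entry index that belong together for this email address, or -1.
 *
 * Returns subjectNum when no other subject shares the address (or it has
 * none); *subjectWithSMime when the starting cert is a user cert; otherwise
 * the index of the subject owning the newest cert, or -1 when none matched
 * or an allocation failed.
 *
 * Side effects: the matching S/MIME entry is destroyed and zeroed in place,
 * and when several subjects share the address (and the cert is not a user
 * cert) the non-newest subject entries are destroyed as well.
 *
 * Fixes relative to the original: subjects/smime are pointers and are now
 * dereferenced with '->'; userCert is initialized; a NULL or empty
 * emailAddr no longer reaches PORT_Strcmp; subjectsForEmail[] can no longer
 * be overrun; allocations are checked; certNums is freed.
 */
int
findNewestSubjectForEmail(NSSLOWCERTCertDBHandle *handle, int subjectNum,
                          certDBArray *dbArray, dbRestoreInfo *info,
                          int *subjectWithSMime, int *smimeForSubject)
{
    int newestSubject;
    int subjectsForEmail[MAX_SUBJECTS_PER_EMAIL];
    int i, j, ns, sNum;
    certDBEntryListNode *subjects = &dbArray->subjects;
    certDBEntryListNode *smime = &dbArray->smime;
    certDBEntrySubject *subjectEntry1, *subjectEntry2;
    certDBEntrySMime *smimeEntry;
    CERTCertificate **certs;
    CERTCertificate *cert;
    CERTCertTrust *trust;
    PRBool userCert = PR_FALSE; /* was read uninitialized when the lookup failed */
    int *certNums;

    ns = 0;
    subjectEntry1 = (certDBEntrySubject *)&subjects->entries[subjectNum];
    subjectsForEmail[ns++] = subjectNum;

    *subjectWithSMime = -1;
    *smimeForSubject = -1;
    newestSubject = subjectNum;

    /* A subject without an email address cannot share one; this also keeps a
     * NULL emailAddr out of the PORT_Strcmp calls below (the old XXX). */
    if (!subjectEntry1->emailAddr || !subjectEntry1->emailAddr[0])
        return subjectNum;

    cert = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
    if (cert) {
        trust = cert->trust;
        userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
                   (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
                   (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
        CERT_DestroyCertificate(cert);
    }

    /* Loop over the remaining subjects. Subjects beyond the table's capacity
     * are left for a later pass rather than written past the array. */
    for (i = subjectNum + 1;
         i < subjects->numEntries && ns < MAX_SUBJECTS_PER_EMAIL; i++) {
        subjectEntry2 = (certDBEntrySubject *)&subjects->entries[i];
        if (!subjectEntry2)
            continue;
        if (subjectEntry2->emailAddr && subjectEntry2->emailAddr[0] &&
            PORT_Strcmp(subjectEntry1->emailAddr,
                        subjectEntry2->emailAddr) == 0) {
            /* Found a subject using the same email address. */
            subjectsForEmail[ns++] = i;
        }
    }

    /* Find the S/MIME entry for this email address. */
    for (i = 0; i < smime->numEntries; i++) {
        smimeEntry = (certDBEntrySMime *)&smime->entries[i];
        if (smimeEntry->common.arena == NULL)
            continue; /* already consumed by an earlier pass */
        if (smimeEntry->emailAddr && smimeEntry->emailAddr[0] &&
            PORT_Strcmp(subjectEntry1->emailAddr, smimeEntry->emailAddr) == 0) {
            /* Find which of the subjects uses this S/MIME entry. */
            for (j = 0; j < ns && *subjectWithSMime < 0; j++) {
                sNum = subjectsForEmail[j];
                subjectEntry2 = (certDBEntrySubject *)&subjects->entries[sNum];
                if (SECITEM_ItemsAreEqual(&smimeEntry->subjectName,
                                          &subjectEntry2->derSubject)) {
                    /* Found the subject corresponding to the S/MIME entry. */
                    *subjectWithSMime = sNum;
                    *smimeForSubject = i;
                }
            }
            /* Consume the entry in place; the zeroed arena marks it as used. */
            SEC_DestroyDBEntry((certDBEntry *)smimeEntry);
            PORT_Memset(smimeEntry, 0, sizeof(certDBEntry));
            break;
        }
    }

    if (ns <= 1)
        return subjectNum;

    if (userCert)
        return *subjectWithSMime;

    /* Now find which of the subjects has the newest cert. */
    certs = (CERTCertificate **)PORT_Alloc(ns * sizeof(CERTCertificate *));
    certNums = (int *)PORT_Alloc((ns + 1) * sizeof(int));
    if (!certs || !certNums) {
        if (certs)
            PORT_Free(certs);
        if (certNums)
            PORT_Free(certNums);
        return -1;
    }
    /* certNums[0] is the primary cert; certNums[1..ns] are the positions
     * shown to the user after sorting, which getCertsToDelete() turns into
     * -1 for the ones to keep. */
    certNums[0] = 0;
    for (i = 0; i < ns; i++) {
        sNum = subjectsForEmail[i];
        subjectEntry1 = (certDBEntrySubject *)&subjects->entries[sNum];
        /* NOTE(review): a failed lookup leaves certs[i] NULL and the sort
         * comparator dereferences it; not handled here either. */
        certs[i] = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
        certNums[i + 1] = i;
    }
    /* Sort the array by validity so certs[0] is the newest. */
    qsort(certs, ns, sizeof(CERTCertificate *),
          (int (*)(const void *, const void *))certIsOlder);
    newestSubject = -1;
    for (i = 0; i < ns; i++) {
        sNum = subjectsForEmail[i];
        subjectEntry1 = (certDBEntrySubject *)&subjects->entries[sNum];
        if (SECITEM_ItemsAreEqual(&subjectEntry1->derSubject,
                                  &certs[0]->derSubject))
            newestSubject = sNum;
        else
            SEC_DestroyDBEntry((certDBEntry *)subjectEntry1);
    }
    if (info && userSaysDeleteCert(certs, ns, dbOlderCert, info, certNums)) {
        /* Positions still >= 0 were not kept by the user; the primary
         * (certNums[0]) always survives. */
        for (i = 1; i < ns + 1; i++) {
            if (certNums[i] >= 0 && certNums[i] != certNums[0]) {
                deleteAllEntriesForCert(handle, certs[certNums[i]], info->out);
                info->dbErrors[dbOlderCert]++;
            }
        }
    }
    CERT_DestroyCertArray(certs, ns);
    PORT_Free(certNums); /* was leaked */
    return newestSubject;
}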
| |
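/* Rebuild a certificate database at 'newdbname' from the certificates held
 * in 'oldhandle'.
 *
 * outfile: where per-certificate progress is written; NULL means quiet (the
 *   summary then goes to PR_STDOUT).
 * removeExpired / requireProfile / singleEntry: default answers for the
 *   dbInvalidCert / dbNoSMimeProfile / dbOlderCert decisions (PR_TRUE = drop).
 * promptUser: ask interactively instead of using those defaults.
 *
 * Returns the handle of the new database (owned by the caller), or NULL when
 * the handle could not be allocated or the database could not be opened.
 *
 * Only certificate records are carried over; the S/MIME, content-version and
 * CRL/KRL copies are still under #if 0 below.
 *
 * Fixes relative to the original: 'elem' and 'node' were used without being
 * declared, and dbArray (a local struct, not a pointer) was written as
 * dbArray->certs.
 */
NSSLOWCERTCertDBHandle *
DBCK_ReconstructDBFromCerts(NSSLOWCERTCertDBHandle *oldhandle, char *newdbname,
                            PRFileDesc *outfile, PRBool removeExpired,
                            PRBool requireProfile, PRBool singleEntry,
                            PRBool promptUser)
{
    SECStatus rv;
    dbRestoreInfo info;
    certDBEntryContentVersion *oldContentVersion; /* only used under #if 0 */
    certDBArray dbArray;
    PRCList *elem;
    certDBEntryListNode *node;

    PORT_Memset(&dbArray, 0, sizeof(dbArray));
    PORT_Memset(&info, 0, sizeof(info));
    info.verbose = (outfile) ? PR_TRUE : PR_FALSE;
    info.out = (outfile) ? outfile : PR_STDOUT;
    info.removeType[dbInvalidCert] = removeExpired;
    info.removeType[dbNoSMimeProfile] = requireProfile;
    info.removeType[dbOlderCert] = singleEntry;
    info.promptUser[dbInvalidCert] = promptUser;
    info.promptUser[dbNoSMimeProfile] = promptUser;
    info.promptUser[dbOlderCert] = promptUser;

    /* Allocate a handle to fill with CERT_OpenCertDB below. */
    info.handle = PORT_ZNew(NSSLOWCERTCertDBHandle);
    if (!info.handle) {
        fprintf(stderr, "unable to get database handle");
        return NULL;
    }

    /* Create a certdb with the most recent set of roots. */
    rv = CERT_OpenCertDBFilename(info.handle, newdbname, PR_FALSE);

    if (rv) {
        fprintf(stderr, "could not open certificate database");
        goto loser;
    }

    /* Create certificate, subject, nickname, and email records.
     * mcom_db seems to have a sequential access bug. Though reads and writes
     * should be allowed during traversal, they seem to screw up the sequence.
     * So, stuff all the cert entries into an array, and loop over the array
     * doing read/writes in the db.
     */
    fillDBEntryArray(oldhandle, certDBEntryTypeCert, &dbArray.certs);
    for (elem = PR_LIST_HEAD(&dbArray.certs.link);
         elem != &dbArray.certs.link; elem = PR_NEXT_LINK(elem)) {
        node = LISTNODE_CAST(elem);
        addCertToDB((certDBEntryCert *)&node->entry, &info, oldhandle);
        /* entries get destroyed in addCertToDB */
    }
#if 0
    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeSMimeProfile,
                                      copyDBEntry, info.handle);
#endif

    /* Fix up the pointers between (nickname|S/MIME) --> (subject).
     * Create S/MIME entries for S/MIME certs.
     * Have the S/MIME entry point to the last-expiring cert using
     * an email address.
     */
#if 0
    CERT_RedoHandlesForSubjects(info.handle, singleEntry, &info);
#endif

    /* NOTE(review): addCertToDB is documented to destroy each entry; this
     * releases the list nodes themselves. Confirm the two do not overlap. */
    freeDBEntryList(&dbArray.certs.link);

    /* Copy over the version record. */
    /* XXX Already exists - and _must_ be correct... */
    /*
    versionEntry = ReadDBVersionEntry(oldhandle);
    rv = WriteDBVersionEntry(info.handle, versionEntry);
    */

    /* Copy over the content version record. */
    /* XXX Can probably get useful info from old content version?
     * Was this db created before/after this tool? etc.
     */
#if 0
    oldContentVersion = ReadDBContentVersionEntry(oldhandle);
    CERT_SetDBContentVersion(oldContentVersion->contentVersion, info.handle);
#endif

#if 0
    /* Copy over the CRL & KRL records. */
    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeRevocation,
                                      copyDBEntry, info.handle);
    /* XXX Only one KRL, just do db->get? */
    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeKeyRevocation,
                                      copyDBEntry, info.handle);
#endif

    PR_fprintf(info.out, "Database had %d certificates.\n", info.nOldCerts);

    PR_fprintf(info.out, "Reconstructed %d certificates.\n", info.nCerts);
    PR_fprintf(info.out, "(ax) Rejected %d expired certificates.\n",
               info.dbErrors[dbInvalidCert]);
    PR_fprintf(info.out, "(as) Rejected %d S/MIME certificates missing a profile.\n",
               info.dbErrors[dbNoSMimeProfile]);
    PR_fprintf(info.out, "(ar) Rejected %d certificates for which a newer certificate was found.\n",
               info.dbErrors[dbOlderCert]);
    PR_fprintf(info.out, "     Rejected %d corrupt certificates.\n",
               info.dbErrors[dbBadCertificate]);
    PR_fprintf(info.out, "     Rejected %d certificates which did not write to the DB.\n",
               info.dbErrors[dbCertNotWrittenToDB]);

    /* rv still holds the (successful) open status here; the check only
     * matters once the #if 0 copy steps above are re-enabled. */
    if (rv)
        goto loser;

    return info.handle;

loser:
    /* Only the handle allocation is undone; nothing else was acquired on
     * the paths that reach here. */
    if (info.handle)
        PORT_Free(info.handle);
    return NULL;
}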