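/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * Rebuild a certificate database from the certificate records of an old
 * (possibly damaged) database.  The entry point is
 * DBCK_ReconstructDBFromCerts(); the other functions implement the per-cert
 * policies it applies (expired certs, S/MIME certs without a profile, several
 * certs sharing one nickname/email address).
 *
 * NOTE(review): this file depends on helpers and types from dbck.c
 * (dumpCertificate, fillDBEntryArray, freeDBEntryList, certDBArray,
 * certDBEntryListNode) and on the legacy certdb entry types.  The
 * entries[]/numEntries shape assumed in findNewestSubjectForEmail() is not
 * visible here and should be confirmed against dbck.c before this is built.
 */

/* Reasons a certificate from the old database may not be carried over.
 * The first three (dbInvalidCert .. dbOlderCert) are user policies and index
 * dbRestoreInfo.removeType/promptUser; all of them index
 * dbRestoreInfo.dbErrors. */
enum {
    dbInvalidCert = 0,    /* validity period has expired */
    dbNoSMimeProfile,     /* S/MIME cert without an S/MIME profile */
    dbOlderCert,          /* superseded by a newer cert for the same email */
    dbBadCertificate,     /* DER would not decode / temp cert failed */
    dbCertNotWrittenToDB, /* CERT_AddTempCertToPerm failed */
    dbNumErrorTypes       /* number of counters in dbRestoreInfo.dbErrors */
};

/* The first dbNumPolicyTypes error types are the ones the user is asked about. */
enum { dbNumPolicyTypes = dbOlderCert + 1 };

typedef struct dbRestoreInfoStr {
    NSSLOWCERTCertDBHandle *handle;      /* the new database being filled */
    PRBool verbose;                      /* log each decision to |out| */
    PRFileDesc *out;                     /* log destination (never NULL) */
    int nCerts;                          /* certs written to / found in the new db */
    int nOldCerts;                       /* cert records read from the old db */
    int dbErrors[dbNumErrorTypes];       /* rejected certs, by reason */
    PRBool removeType[dbNumPolicyTypes]; /* delete certs of this type when not prompting */
    PRBool promptUser[dbNumPolicyTypes]; /* ask the user about certs of this type */
} dbRestoreInfo;

/* PR_TRUE when any of the three trust records marks the cert as the user's
 * own (CERTDB_USER).  A NULL trust record means "not a user cert". */
static PRBool
isUserCert(CERTCertTrust *trust)
{
    if (!trust)
        return PR_FALSE;
    return (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
           (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
           (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
}

/*
 * Decide whether |cert| is a personal (S/MIME) email certificate and, if so,
 * return its email address.
 *
 * The address comes from cert->emailAddr when that is set, otherwise from the
 * "E=" (preferred) or "MAIL=" attribute of the ASCII subject name.  CA certs,
 * and certs whose key usage extension allows neither signing nor key
 * encipherment or does allow cert/CRL signing, are not email certs.
 *
 * Returns a newly allocated string that the caller frees with PORT_Free, or
 * NULL when the cert is not an email cert or allocation failed.
 */
char *
IsEmailCert(CERTCertificate *cert)
{
    const char *dnEmail = NULL;
    char *email;
    size_t len;

    if (!cert || !cert->subjectName) {
        return NULL;
    }

    /* NOTE(review): plain substring matches, as before; "E=" could in
     * principle match inside another attribute tag.  Kept so that real
     * "E=" / "EMAIL=" attributes are not missed; confirm against the
     * CERT_NameToAscii output format if this ever misclassifies. */
    dnEmail = PORT_Strstr(cert->subjectName, "E=");
    if (dnEmail) {
        dnEmail += 2; /* skip "E=" */
    } else {
        dnEmail = PORT_Strstr(cert->subjectName, "MAIL=");
        if (dnEmail)
            dnEmail += 5; /* skip "MAIL=" */
    }

    /* XXX Nelson has cert for KTrilli which does not have either
     * of above but is email cert (has cert->emailAddr). */
    if (!dnEmail && !(cert->emailAddr && cert->emailAddr[0])) {
        return NULL;
    }

    /* Server or CA cert, not personal email. */
    if (CERT_IsCACert(cert, NULL))
        return NULL;

    /* XXX CERT_IsCACert advertises checking the key usage ext., but doesn't
     * appear to, so check it here. */
    if (cert->keyUsagePresent) {
        /* Must at least be able to sign or encrypt (not necessarily both
         * if it is one of a dual cert). */
        if (!(cert->rawKeyUsage & (KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT)))
            return NULL;
        /* CA cert, not personal email. */
        if (cert->rawKeyUsage & (KU_KEY_CERT_SIGN | KU_CRL_SIGN))
            return NULL;
    }

    if (cert->emailAddr && cert->emailAddr[0]) {
        return PORT_Strdup(cert->emailAddr);
    }

    /* Copy the attribute value up to the next DN separator.  The allocation
     * was previously used unchecked. */
    len = strcspn(dnEmail, ", ");
    email = (char *)PORT_Alloc(len + 1);
    if (!email)
        return NULL;
    PORT_Memcpy(email, dnEmail, len);
    email[len] = '\0';
    return email;
}

/* CERT_TraverseCertsForSubject callback: delete one cert from the database. */
SECStatus
deleteit(CERTCertificate *cert, void *arg)
{
    (void)arg;
    return SEC_DeletePermCertificate(cert);
}

/* Different than DeleteCertificate - has the added bonus of removing
 * all certs with the same DN.
 *
 * Every cert on |cert|'s subject list is deleted from |handle|.  When
 * |outfile| is non-NULL the cert is dumped there first.  Returns the status
 * of the traversal (previously always SECSuccess, hiding failures).
 */
SECStatus
deleteAllEntriesForCert(NSSLOWCERTCertDBHandle *handle, CERTCertificate *cert,
                        PRFileDesc *outfile)
{
    SECStatus rv;
#if 0
    certDBEntrySubject *subjectEntry;
    certDBEntryNickname *nicknameEntry;
    certDBEntrySMime *smimeEntry;
    int i;
#endif

    if (!cert)
        return SECFailure;

    if (outfile) {
        PR_fprintf(outfile, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n\n");
        PR_fprintf(outfile, "Deleting redundant certificate:\n");
        dumpCertificate(cert, -1, outfile);
    }

    rv = CERT_TraverseCertsForSubject(handle, cert->subjectList, deleteit, NULL);

#if 0
    CERT_LockDB(handle);
    subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject);
    /* It had better be there, or created a bad db. */
    PORT_Assert(subjectEntry);
    for (i = 0; i < subjectEntry->ncerts; i++) {
        DeleteDBCertEntry(handle, &subjectEntry->certKeys[i]);
    }
    DeleteDBSubjectEntry(handle, &cert->derSubject);
    if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
        smimeEntry = ReadDBSMimeEntry(handle, subjectEntry->emailAddr);
        if (smimeEntry) {
            if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
                                      &smimeEntry->subjectName))
                /* Only delete it if it's for this subject! */
                DeleteDBSMimeEntry(handle, subjectEntry->emailAddr);
            SEC_DestroyDBEntry((certDBEntry *)smimeEntry);
        }
    }
    if (subjectEntry->nickname) {
        nicknameEntry = ReadDBNicknameEntry(handle, subjectEntry->nickname);
        if (nicknameEntry) {
            if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
                                      &nicknameEntry->subjectName))
                /* Only delete it if it's for this subject! */
                DeleteDBNicknameEntry(handle, subjectEntry->nickname);
            SEC_DestroyDBEntry((certDBEntry *)nicknameEntry);
        }
    }
    SEC_DestroyDBEntry((certDBEntry *)subjectEntry);
    CERT_UnlockDB(handle);
#endif

    return rv;
}

/*
 * Parse the user's "certs to keep" answer to the dbOlderCert prompt.
 *
 * |numlist| is the raw answer, |len| bytes long; it need not be
 * NUL-terminated and nothing past |len| is read.  |certNums| has nCerts + 1
 * slots: slot 0 is the index of the primary cert, slots 1..nCerts hold the
 * index of each listed cert, or -1 once the user has chosen to keep it.
 *
 * Every decimal number in the answer naming a listed cert (0 .. nCerts-1)
 * marks that cert as kept; the first such number also becomes the primary
 * cert in certNums[0].  Numbers matching no cert and all other characters
 * are ignored.
 *
 * The previous version dereferenced the NULL returned by strpbrk() when the
 * answer lacked a trailing separator, and read past the answer when it was
 * not NUL-terminated.
 */
void
getCertsToDelete(char *numlist, int len, int *certNums, int nCerts)
{
    const char *p, *stop;
    PRBool havePrimary = PR_FALSE;
    int j;

    if (!numlist || len <= 0 || !certNums || nCerts <= 0)
        return;

    p = numlist;
    stop = numlist + len;
    while (p < stop) {
        int num = 0;

        /* Skip separators, the newline and any other non-digit. */
        if (*p < '0' || *p > '9') {
            p++;
            continue;
        }
        /* Accumulate one decimal number.  Anything above nCerts cannot name
         * a listed cert, so stop accumulating there instead of overflowing. */
        while (p < stop && *p >= '0' && *p <= '9') {
            if (num <= nCerts)
                num = num * 10 + (*p - '0');
            p++;
        }
        if (num >= nCerts)
            continue; /* not one of the listed certs */

        for (j = 1; j <= nCerts; j++) {
            if (certNums[j] == num) {
                if (!havePrimary) {
                    certNums[0] = num;
                    havePrimary = PR_TRUE;
                }
                certNums[j] = -1; /* keep this one */
                break;
            }
        }
    }
}

/*
 * Ask the user what to do with a cert (or group of certs) that hit policy
 * type |errtype|, unless info->promptUser[errtype] is already PR_FALSE, in
 * which case info->removeType[errtype] answers.
 *
 * dbInvalidCert / dbNoSMimeProfile: returns PR_TRUE when certs[0] should be
 * deleted.  'y'/'n' answer for this cert only; 'Y'/'N' answer for every
 * further cert of this type and stop prompting.  Any other answer, or no
 * input at all, means delete (the "[n]" default).
 *
 * dbOlderCert: |certs| holds |nCerts| certs sharing a nickname/email, newest
 * first, and |certNums| is filled in via getCertsToDelete() with the user's
 * keep list.  An answer not starting with a digit means "always keep only
 * the newest" from now on.  Always returns PR_TRUE; the caller consults
 * certNums to see which certs to delete.
 *
 * Unknown |errtype| values return PR_FALSE (keep the cert).
 */
PRBool
userSaysDeleteCert(CERTCertificate **certs, int nCerts, int errtype,
                   dbRestoreInfo *info, int *certNums)
{
    /* Room for a comma-separated keep list.  A longer answer is truncated
     * and the remainder is read by the next prompt. */
    char response[256];
    PRInt32 nb;
    const char *answer;
    int i;

    if (!info || errtype < 0 || errtype >= dbNumPolicyTypes)
        return PR_FALSE;

    /* User wants to remove (or keep) certs of this type without prompting. */
    if (info->promptUser[errtype] == PR_FALSE)
        return info->removeType[errtype];

    switch (errtype) {
        case dbInvalidCert:
            PR_fprintf(PR_STDOUT, "******** Expired ********\n");
            PR_fprintf(PR_STDOUT, "Cert has expired.\n\n");
            if (certs && certs[0])
                dumpCertificate(certs[0], -1, PR_STDOUT);
            PR_fprintf(PR_STDOUT,
                       "Keep it? (y/n - this one, Y/N - all expired certs) [n] ");
            break;
        case dbNoSMimeProfile:
            PR_fprintf(PR_STDOUT, "******** No Profile ********\n");
            PR_fprintf(PR_STDOUT, "S/MIME cert has no profile.\n\n");
            if (certs && certs[0])
                dumpCertificate(certs[0], -1, PR_STDOUT);
            PR_fprintf(PR_STDOUT,
                       "Keep it? (y/n - this one, Y/N - all S/MIME w/o profile) [n] ");
            break;
        case dbOlderCert:
            PR_fprintf(PR_STDOUT, "******* Redundant nickname/email *******\n\n");
            PR_fprintf(PR_STDOUT, "These certs have the same nickname/email:\n");
            for (i = 0; i < nCerts; i++) {
                /* A slot may be NULL when the cert lookup failed. */
                if (certs && certs[i])
                    dumpCertificate(certs[i], i, PR_STDOUT);
            }
            PR_fprintf(PR_STDOUT,
                       "Enter the certs you would like to keep from those listed above.\n");
            PR_fprintf(PR_STDOUT,
                       "Use a comma-separated list of the cert numbers (ex. 0, 8, 12).\n");
            PR_fprintf(PR_STDOUT, "The first cert in the list will be the primary cert\n");
            PR_fprintf(PR_STDOUT, "  accessed by the nickname/email handle.\n");
            PR_fprintf(PR_STDOUT, "List cert numbers to keep here, or hit enter\n");
            PR_fprintf(PR_STDOUT, "  to always keep only the newest cert:  ");
            break;
        default:
            break;
    }

    /* Leave room for the terminator; the answer was previously examined
     * without one and without checking that the read succeeded. */
    nb = PR_Read(PR_STDIN, response, sizeof(response) - 1);
    if (nb < 0)
        nb = 0; /* read error or EOF: treat as an empty answer */
    response[nb] = '\0';
    PR_fprintf(PR_STDOUT, "\n\n");

    /* Ignore leading blanks so " 0, 2" reads the same as "0, 2". */
    answer = response;
    while (*answer == ' ' || *answer == '\t')
        answer++;

    if (errtype == dbOlderCert) {
        if (!certNums || !isdigit((unsigned char)*answer)) {
            /* From now on keep only the newest cert, without asking. */
            info->promptUser[errtype] = PR_FALSE;
            info->removeType[errtype] = PR_TRUE;
            return PR_TRUE;
        }
        getCertsToDelete((char *)answer, nb - (PRInt32)(answer - response),
                         certNums, nCerts);
        return PR_TRUE;
    }

    switch (*answer) {
        case 'Y': /* keep this and every further cert of this type */
            info->promptUser[errtype] = PR_FALSE;
            info->removeType[errtype] = PR_FALSE;
            return PR_FALSE;
        case 'N': /* delete this and every further cert of this type */
            info->promptUser[errtype] = PR_FALSE;
            info->removeType[errtype] = PR_TRUE;
            return PR_TRUE;
        case 'y':
            return PR_FALSE;
        default:
            return PR_TRUE;
    }
}

/*
 * Copy one cert record from the old database into info->handle, applying the
 * user's policies on the way.
 *
 * |certEntry| is the raw cert record read from |oldhandle|.  When it fails to
 * decode it is destroyed here; otherwise it is attached to the decoded cert
 * (oldCert->dbEntry) and released together with it.
 *
 * Counters in |info| record every outcome.  Returns SECSuccess for every
 * record (so the caller continues with the next one); SECFailure only for
 * NULL arguments.
 */
SECStatus
addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info,
            NSSLOWCERTCertDBHandle *oldhandle)
{
    SECStatus rv = SECSuccess;
    PRBool allowOverride;
    PRBool userCert;
    SECCertTimeValidity validity;
    CERTCertificate *oldCert = NULL;
    CERTCertificate *dbCert = NULL;
    CERTCertificate *newCert = NULL;
    certDBEntrySMime *smimeEntry = NULL;
    char *email = NULL;
    char *nickname = NULL;

    if (!certEntry || !info)
        return SECFailure;

    oldCert = CERT_DecodeDERCertificate(&certEntry->derCert, PR_FALSE,
                                        certEntry->nickname);
    if (!oldCert) {
        info->dbErrors[dbBadCertificate]++;
        SEC_DestroyDBEntry((certDBEntry *)certEntry);
        return SECSuccess;
    }

    oldCert->dbEntry = certEntry;
    oldCert->trust = &certEntry->trust;
    oldCert->dbhandle = oldhandle;

    info->nOldCerts++;

    if (info->verbose)
        PR_fprintf(info->out, "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n\n");

    if (oldCert->nickname)
        nickname = PORT_Strdup(oldCert->nickname);

    /* Always keep user certs.  Skip ahead. */
    /* XXX if someone sends themselves a signed message, it is possible
       for their cert to be imported as an "other" cert, not a user cert.
       this mucks with smime entries... */
    userCert = isUserCert(oldCert->trust);
    if (userCert)
        goto createcert;

    /* If user chooses so, ignore expired certificates.
     * NOTE(review): this compares the keyUsage bit mask with SECCertUsage
     * enum values, which look like different domains; kept as-is, but the
     * intent ("allow override for server certs") should be confirmed. */
    allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) ||
                             (oldCert->keyUsage == certUsageSSLServerWithStepUp) ||
                             (oldCert->keyUsage == certUsageIPsec));
    validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride);

    /* If cert expired and user wants to delete it, ignore it. */
    if ((validity != secCertTimeValid) &&
        userSaysDeleteCert(&oldCert, 1, dbInvalidCert, info, NULL)) {
        info->dbErrors[dbInvalidCert]++;
        if (info->verbose) {
            PR_fprintf(info->out, "Deleting expired certificate:\n");
            dumpCertificate(oldCert, -1, info->out);
        }
        goto cleanup;
    }

    /* New database will already have default certs, don't attempt
     * to overwrite them. */
    dbCert = CERT_FindCertByDERCert(info->handle, &oldCert->derCert);
    if (dbCert) {
        info->nCerts++;
        if (info->verbose) {
            /* Was logged as "Added", which misreported a cert we skipped. */
            PR_fprintf(info->out, "Certificate already present in new database:\n");
            dumpCertificate(oldCert, -1, info->out);
        }
        goto cleanup;
    }

    /* Determine if cert is S/MIME and get its email if so. */
    email = IsEmailCert(oldCert);

    /* XXX Just create empty profiles?
    if (email) {
        SECItem *profile = CERT_FindSMimeProfile(oldCert);
        if (!profile &&
            userSaysDeleteCert(&oldCert, 1, dbNoSMimeProfile, info, 0)) {
            info->dbErrors[dbNoSMimeProfile]++;
            if (info->verbose) {
                PR_fprintf(info->out, "Deleted cert missing S/MIME profile.\n");
                dumpCertificate(oldCert, -1, info->out);
            }
            goto cleanup;
        } else {
            SECITEM_FreeItem(profile);
        }
    }
    */

createcert:

    /* Sometimes happens... (a user cert without a nickname) */
    if (!nickname && userCert && oldCert->subjectName)
        nickname = PORT_Strdup(oldCert->subjectName);

    /* Create a new certificate, copy of the old one. */
    newCert = CERT_NewTempCertificate(info->handle, &oldCert->derCert, nickname,
                                      PR_FALSE, PR_TRUE);
    if (!newCert) {
        PR_fprintf(PR_STDERR, "Unable to create new certificate.\n");
        dumpCertificate(oldCert, -1, PR_STDERR);
        info->dbErrors[dbBadCertificate]++;
        goto cleanup;
    }

    /* Add the cert to the new database. */
    rv = CERT_AddTempCertToPerm(newCert, nickname, oldCert->trust);
    if (rv != SECSuccess) {
        PR_fprintf(PR_STDERR, "Failed to write temp cert to perm database.\n");
        dumpCertificate(oldCert, -1, PR_STDERR);
        info->dbErrors[dbCertNotWrittenToDB]++;
        goto cleanup;
    }

    if (info->verbose) {
        PR_fprintf(info->out, "Added certificate to database:\n");
        dumpCertificate(oldCert, -1, info->out);
    }

    /* If the cert is an S/MIME cert, and the first with its subject,
     * modify the subject entry to include the email address;
     * CERT_AddTempCertToPerm does not do email addresses and S/MIME entries.
     * NOTE(review): smimeEntry is never assigned in this function, so this
     * block is currently unreachable.  It is the intended hook for carrying
     * the S/MIME profile over (see the commented-out profile check above). */
    if (smimeEntry) { /*&& !userCert && nCertsForSubject == 1) { */
#if 0
        UpdateSubjectWithEmailAddr(newCert, email);
#endif
        SECItem emailProfile, profileTime;
        rv = CERT_FindFullSMimeProfile(oldCert, &emailProfile, &profileTime);
        /* calls UpdateSubjectWithEmailAddr */
        if (rv == SECSuccess)
            rv = CERT_SaveSMimeProfile(newCert, &emailProfile, &profileTime);
    }

    info->nCerts++;

cleanup:

    PORT_Free(nickname);
    PORT_Free(email);
    if (oldCert)
        CERT_DestroyCertificate(oldCert);
    if (dbCert)
        CERT_DestroyCertificate(dbCert);
    if (newCert)
        CERT_DestroyCertificate(newCert);
    if (smimeEntry)
        SEC_DestroyDBEntry((certDBEntry *)smimeEntry);
    return SECSuccess;
}

#if 0
SECStatus
copyDBEntry(SECItem *data, SECItem *key, certDBEntryType type, void *pdata)
{
    SECStatus rv;
    NSSLOWCERTCertDBHandle *newdb = (NSSLOWCERTCertDBHandle *)pdata;
    certDBEntryCommon common;
    SECItem dbkey;

    common.type = type;
    common.version = CERT_DB_FILE_VERSION;
    common.flags = data->data[2];
    common.arena = NULL;

    dbkey.len = key->len + SEC_DB_KEY_HEADER_LEN;
    dbkey.data = (unsigned char *)PORT_Alloc(dbkey.len * sizeof(unsigned char));
    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], key->data, key->len);
    dbkey.data[0] = type;

    rv = WriteDBEntry(newdb, &common, &dbkey, data);

    PORT_Free(dbkey.data);
    return rv;
}
#endif

/* Non-zero when *cert1 is not newer than *cert2.  Kept for compatibility;
 * qsort now uses compareCertsNewestFirst() below. */
int
certIsOlder(CERTCertificate **cert1, CERTCertificate **cert2)
{
    return !CERT_IsNewer(*cert1, *cert2);
}

/* qsort comparator that puts the newest cert first.  A NULL slot (cert lookup
 * failed) sorts after every real cert.  This returns a proper three-way
 * result; the earlier cast of certIsOlder() only ever produced 0 or 1, which
 * is not a consistent ordering for qsort. */
static int
compareCertsNewestFirst(const void *a, const void *b)
{
    CERTCertificate *ca = *(CERTCertificate *const *)a;
    CERTCertificate *cb = *(CERTCertificate *const *)b;

    if (ca == cb)
        return 0;
    if (!ca)
        return 1;
    if (!cb)
        return -1;
    if (CERT_IsNewer(ca, cb))
        return -1;
    if (CERT_IsNewer(cb, ca))
        return 1;
    return 0;
}

/*
 * For the subject record at index |subjectNum|, find every later subject
 * record using the same email address, locate the S/MIME record for that
 * address, and decide which of those subjects should own the nickname/email
 * handle.
 *
 * On return *subjectWithSMime is the index of the subject the existing S/MIME
 * record points at (or -1) and *smimeForSubject the index of that S/MIME
 * record (or -1).  The matched S/MIME record is destroyed and zeroed in the
 * array so it is not matched again by a later subject.
 *
 * Returns the index of the subject to keep: |subjectNum| when no other
 * subject shares the address (or it has none), *subjectWithSMime for user
 * certs, otherwise the subject owning the newest cert.  When |info| is given
 * the user may choose which redundant certs survive (userSaysDeleteCert);
 * the others are removed from |handle| with deleteAllEntriesForCert().
 *
 * NOTE(review): at most 50 subjects sharing one address are considered;
 * further ones are ignored rather than overrunning subjectsForEmail[].
 * NOTE(review): the subject entries of the losing subjects are destroyed
 * here (as before) but not cleared in the array; confirm no later pass
 * reads them.
 */
int
findNewestSubjectForEmail(NSSLOWCERTCertDBHandle *handle, int subjectNum,
                          certDBArray *dbArray, dbRestoreInfo *info,
                          int *subjectWithSMime, int *smimeForSubject)
{
    int subjectsForEmail[50];
    const int maxSubjects =
        (int)(sizeof(subjectsForEmail) / sizeof(subjectsForEmail[0]));
    int newestSubject;
    int i, j, ns, sNum;
    certDBEntryListNode *subjects = &dbArray->subjects;
    certDBEntryListNode *smime = &dbArray->smime;
    certDBEntrySubject *subjectEntry1, *subjectEntry2;
    certDBEntrySMime *smimeEntry;
    CERTCertificate **certs = NULL;
    CERTCertificate *cert;
    PRBool userCert = PR_FALSE; /* was left uninitialized when the lookup failed */
    int *certNums = NULL;
    const char *emailAddr;

    *subjectWithSMime = -1;
    *smimeForSubject = -1;
    newestSubject = subjectNum;

    subjectEntry1 = (certDBEntrySubject *)&subjects->entries[subjectNum];
    ns = 0;
    subjectsForEmail[ns++] = subjectNum;

    cert = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
    if (cert) {
        userCert = isUserCert(cert->trust);
        CERT_DestroyCertificate(cert);
    }

    /* Without an email address nothing can be shared with other subjects
     * (this also keeps a NULL address out of PORT_Strcmp below). */
    emailAddr = subjectEntry1->emailAddr;
    if (!emailAddr || !emailAddr[0])
        return subjectNum;

    /* Loop over the remaining subjects. */
    for (i = subjectNum + 1; i < subjects->numEntries && ns < maxSubjects; i++) {
        subjectEntry2 = (certDBEntrySubject *)&subjects->entries[i];
        if (subjectEntry2->emailAddr && subjectEntry2->emailAddr[0] &&
            PORT_Strcmp(emailAddr, subjectEntry2->emailAddr) == 0) {
            /* Found a subject using the same email address. */
            subjectsForEmail[ns++] = i;
        }
    }

    /* Find the S/MIME entry for this email address. */
    for (i = 0; i < smime->numEntries; i++) {
        smimeEntry = (certDBEntrySMime *)&smime->entries[i];
        if (smimeEntry->common.arena == NULL)
            continue; /* already consumed by an earlier subject */
        if (!smimeEntry->emailAddr || !smimeEntry->emailAddr[0] ||
            PORT_Strcmp(emailAddr, smimeEntry->emailAddr) != 0)
            continue;
        /* Find which of the subjects uses this S/MIME entry. */
        for (j = 0; j < ns && *subjectWithSMime < 0; j++) {
            sNum = subjectsForEmail[j];
            subjectEntry2 = (certDBEntrySubject *)&subjects->entries[sNum];
            if (SECITEM_ItemsAreEqual(&smimeEntry->subjectName,
                                      &subjectEntry2->derSubject)) {
                /* Found the subject corresponding to the S/MIME entry. */
                *subjectWithSMime = sNum;
                *smimeForSubject = i;
            }
        }
        /* Consume the record so later subjects do not match it again. */
        SEC_DestroyDBEntry((certDBEntry *)smimeEntry);
        PORT_Memset(smimeEntry, 0, sizeof(certDBEntry));
        break;
    }

    if (ns <= 1)
        return subjectNum;

    if (userCert)
        return *subjectWithSMime;

    /* Now find which of the subjects has the newest cert. */
    certs = (CERTCertificate **)PORT_Alloc(ns * sizeof(CERTCertificate *));
    certNums = (int *)PORT_Alloc((ns + 1) * sizeof(int));
    if (!certs || !certNums) {
        /* Out of memory: keep the original subject and change nothing. */
        PORT_Free(certs);
        PORT_Free(certNums);
        return subjectNum;
    }
    certNums[0] = 0;
    for (i = 0; i < ns; i++) {
        sNum = subjectsForEmail[i];
        subjectEntry1 = (certDBEntrySubject *)&subjects->entries[sNum];
        certs[i] = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
        certNums[i + 1] = i;
    }

    /* Sort the array by validity, newest first. */
    qsort(certs, ns, sizeof(CERTCertificate *), compareCertsNewestFirst);

    newestSubject = -1;
    for (i = 0; i < ns; i++) {
        sNum = subjectsForEmail[i];
        subjectEntry1 = (certDBEntrySubject *)&subjects->entries[sNum];
        if (certs[0] &&
            SECITEM_ItemsAreEqual(&subjectEntry1->derSubject, &certs[0]->derSubject))
            newestSubject = sNum;
        else
            SEC_DestroyDBEntry((certDBEntry *)subjectEntry1);
    }

    if (info && userSaysDeleteCert(certs, ns, dbOlderCert, info, certNums)) {
        for (i = 1; i < ns + 1; i++) {
            /* Skip kept certs (-1), the primary cert and failed lookups. */
            if (certNums[i] >= 0 && certNums[i] != certNums[0] &&
                certs[certNums[i]]) {
                deleteAllEntriesForCert(handle, certs[certNums[i]], info->out);
                info->dbErrors[dbOlderCert]++;
            }
        }
    }

    PORT_Free(certNums); /* was leaked */
    CERT_DestroyCertArray(certs, ns);
    return newestSubject;
}

/*
 * Build a new certificate database at |newdbname| from the cert records in
 * |oldhandle| and return a handle to it, or NULL on failure.
 *
 * |removeExpired|, |requireProfile| and |singleEntry| decide what happens to
 * expired certs, S/MIME certs lacking a profile and redundant certs for one
 * nickname/email when the user is not asked; |promptUser| asks instead.
 * When |outfile| is non-NULL every decision is logged there; the summary goes
 * to |outfile| or stdout.
 *
 * NOTE(review): only the cert records are copied at present.  Copying the
 * S/MIME profile, CRL/KRL and content-version records, and rebuilding the
 * nickname/S/MIME -> subject links, remains under #if 0.
 * NOTE(review): the loser path frees the handle without closing the database
 * it may have opened; today it is only reached before the open succeeds.
 */
NSSLOWCERTCertDBHandle *
DBCK_ReconstructDBFromCerts(NSSLOWCERTCertDBHandle *oldhandle, char *newdbname,
                            PRFileDesc *outfile, PRBool removeExpired,
                            PRBool requireProfile, PRBool singleEntry,
                            PRBool promptUser)
{
    SECStatus rv = SECSuccess;
    dbRestoreInfo info;
    certDBArray dbArray;
    PRCList *elem;
    certDBEntryListNode *node;
#if 0
    certDBEntryContentVersion *oldContentVersion;
#endif

    PORT_Memset(&dbArray, 0, sizeof(dbArray));
    PORT_Memset(&info, 0, sizeof(info));
    info.verbose = (outfile) ? PR_TRUE : PR_FALSE;
    info.out = (outfile) ? outfile : PR_STDOUT;
    info.removeType[dbInvalidCert] = removeExpired;
    info.removeType[dbNoSMimeProfile] = requireProfile;
    info.removeType[dbOlderCert] = singleEntry;
    info.promptUser[dbInvalidCert] = promptUser;
    info.promptUser[dbNoSMimeProfile] = promptUser;
    info.promptUser[dbOlderCert] = promptUser;

    /* Allocate a handle to fill with CERT_OpenCertDB below. */
    info.handle = PORT_ZNew(NSSLOWCERTCertDBHandle);
    if (!info.handle) {
        PR_fprintf(PR_STDERR, "unable to get database handle\n");
        return NULL;
    }

    /* Create a certdb with the most recent set of roots. */
    rv = CERT_OpenCertDBFilename(info.handle, newdbname, PR_FALSE);
    if (rv != SECSuccess) {
        PR_fprintf(PR_STDERR, "could not open certificate database\n");
        goto loser;
    }

    /* Create certificate, subject, nickname, and email records.
     * mcom_db seems to have a sequential access bug.  Though reads and writes
     * should be allowed during traversal, they seem to screw up the sequence.
     * So, stuff all the cert entries into an array, and loop over the array
     * doing read/writes in the db. */
    fillDBEntryArray(oldhandle, certDBEntryTypeCert, &dbArray.certs);
    for (elem = PR_LIST_HEAD(&dbArray.certs.link); elem != &dbArray.certs.link;
         elem = PR_NEXT_LINK(elem)) {
        node = LISTNODE_CAST(elem);
        addCertToDB((certDBEntryCert *)&node->entry, &info, oldhandle);
        /* entries get destroyed in addCertToDB */
    }

#if 0
    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeSMimeProfile,
                                      copyDBEntry, info.handle);
#endif

    /* Fix up the pointers between (nickname|S/MIME) --> (subject).
     * Create S/MIME entries for S/MIME certs.
     * Have the S/MIME entry point to the last-expiring cert using
     * an email address. */
#if 0
    CERT_RedoHandlesForSubjects(info.handle, singleEntry, &info);
#endif

    freeDBEntryList(&dbArray.certs.link);

    /* Copy over the version record. */
    /* XXX Already exists - and _must_ be correct... */
    /*
    versionEntry = ReadDBVersionEntry(oldhandle);
    rv = WriteDBVersionEntry(info.handle, versionEntry);
    */

    /* Copy over the content version record. */
    /* XXX Can probably get useful info from old content version?
     * Was this db created before/after this tool? etc. */
#if 0
    oldContentVersion = ReadDBContentVersionEntry(oldhandle);
    CERT_SetDBContentVersion(oldContentVersion->contentVersion, info.handle);
#endif

#if 0
    /* Copy over the CRL & KRL records. */
    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeRevocation,
                                      copyDBEntry, info.handle);
    /* XXX Only one KRL, just do db->get? */
    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeKeyRevocation,
                                      copyDBEntry, info.handle);
#endif

    PR_fprintf(info.out, "Database had %d certificates.\n", info.nOldCerts);
    PR_fprintf(info.out, "Reconstructed %d certificates.\n", info.nCerts);
    PR_fprintf(info.out, "(ax) Rejected %d expired certificates.\n",
               info.dbErrors[dbInvalidCert]);
    PR_fprintf(info.out, "(as) Rejected %d S/MIME certificates missing a profile.\n",
               info.dbErrors[dbNoSMimeProfile]);
    PR_fprintf(info.out, "(ar) Rejected %d certificates for which a newer certificate was found.\n",
               info.dbErrors[dbOlderCert]);
    PR_fprintf(info.out, "     Rejected %d corrupt certificates.\n",
               info.dbErrors[dbBadCertificate]);
    PR_fprintf(info.out, "     Rejected %d certificates which did not write to the DB.\n",
               info.dbErrors[dbCertNotWrittenToDB]);

    /* rv is only changed by the steps still under #if 0 above. */
    if (rv != SECSuccess)
        goto loser;

    return info.handle;

loser:
    PORT_Free(info.handle);
    return NULL;
}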