trustbridge: cinst/nss-installer.c comparison

comparison cinst/nss-installer.c @ 1175:e210ecc32d69

(issue128) Rename mozilla process to trustbridge-nss-installer

author	Andre Heinecke <andre.heinecke@intevation.de>
date	Mon, 22 Sep 2014 11:19:43 +0200
parents	cinst/mozilla.c@1e429faf7c84
children	12ed0b72e9f5

comparison

equal deleted inserted replaced

-:7175d117e69a
+:e210ecc32d69
+/* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik
+* Software engineering by Intevation GmbH
+*
+* This file is Free Software under the GNU GPL (v>=2)
+* and comes with ABSOLUTELY NO WARRANTY!
+* See LICENSE.txt for details.
+*/
+/**
+* @file
+* @brief NSS store certificate installation process
+*
+* Reads from a file given on command line or stdin a list of
+* instructions in the form:
+*
+* I:\<base64 DER econded certificate\> <BR>
+* R:\<base64 DER econded certificate\>
+* ...
+*
+* With one instruction per line. the maximum size of an input
+* line is 9999 characters (including the \\r\\n) at the end of the line.
+*
+* Certificates marked with I: will be installed and the ones
+* marked with R: will be searched and if available removed from
+* the databases.
+*
+* This tool tries to find all NSS databases the user has
+* access to and to execute the instructions on all of them.
+*
+* If the tool is executed with a UID of 0 or with admin privileges under
+* windows it will not look into the user directories but instead try
+* to write the system wide defaults.
+*
+* If there are other processes accessing the databases the caller
+* has to ensure that those are terminated before this process is
+* executed.
+*
+* If the same certificate is marked to be installed and to be removed
+* in one call the behavior is undefined. This should be avoided and
+* may lead to errors.
+*
+* Returns 0 on success (Even when no stores where found) an error value
+* as defined in errorcodes.h otherwise.
+*
+* Success messages are written to stdout. Errors to stderr. For logging
+* purposes each installation / removal of a certificate will be reported
+* with the profile name that it modified.
+*
+* To get more verbose output add the --debug parameter
+* as the last parameter on the command line.
+*
+*/
+/**
+* @brief Needs to be defined to get strnlen()
+*/
+#define _POSIX_C_SOURCE 200809L
+/* REMOVEME: */
+#include <unistd.h>
+#include <cert.h>
+#include <certdb.h>
+#include <certt.h>
+#include <dirent.h>
+#include <nss.h>
+#include <pk11pub.h>
+#include <secerr.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#define DEBUGPREFIX "MOZ-"
+#include "logging.h"
+#include "certhelp.h"
+#include "errorcodes.h"
+#include "portpath.h"
+#include "strhelp.h"
+#include "nss-secitemlist.h"
+#include "util.h"
+#ifndef _WIN32
+#define CONFDIRS ".mozilla", ".thunderbird"
+/* Default installation directory of ubuntu 14.4 is respected */
+#define MOZILLA_DEFAULTS "/usr/lib/thunderbird/defaults", "/usr/lib/firefox/browser/defaults"
+#define MOZILLA_DBNAMES "cert8.db", "key3.db", "secmod.db"
+#define NSSSHARED ".pki/nssdb"
+#define NSSSHARED_GLOBAL "/etc/skel/.pki/nssdb"
+#define TARGET_LINUX 1
+#define DIRSEP "/"
+#else
+#define MOZILLA_DEFAULTS "Mozilla Firefox\\browser\\defaults", "Mozilla Thunderbird\\defaults"
+#define MOZILLA_DBNAMES NULL
+#define CONFDIRS "Mozilla", "Thunderbird"
+#define NSSSHARED ""
+#define TARGET_LINUX NULL
+#define DIRSEP "\\"
+#endif
+/**
+* @brief Length of string buffers used
+*
+* The maximal length of input is defined as 9999 (+ terminating \0).
+* We use it for other other input puffers besides the IPC input, too.
+* (One size fits all).
+*/
+#define LINEBUFLEN 10000
+#ifdef _WIN32
+#define STRTOK_R strtok_s
+#else
+#define STRTOK_R strtok_r
+#endif
+/**
+* @brief Global Return Code
+*
+* This will be retuned by the programm and might be set to an
+* error code on fatal errors and to and warning code on non-fatal
+* errors.  In case of mor than one warning the warning codes will be
+* ORed together.
+*/
+int exit_code = 0;
+/**
+* @brief Return configuration base directory.
+* @returns A pointer to a string containing the path to the base
+* directory holding the configuration directories for e.g. mozilla
+* and thunderbird.
+*/
+static char *
+get_conf_basedir()
+{
+char *cdir, *envvar;
+if (TARGET_LINUX)
+envvar = "HOME" ;
+else
+envvar = "APPDATA";
+if ((cdir = getenv(envvar)) != NULL)
+return cdir;
+else
+{
+ERRORPRINTF("FATAL!  No %s in environment.\n", envvar);
+exit(ERR_MOZ_HOMELESS);
+}
+}
+/**
+* @brief Get a list of all mozilla profile directories
+*
+* Parse the profiles.ini and extract all profile paths from that.
+* The expected data is in the form:
+*
+* [Profile99]<BR>
+* IsRelative=1<BR>
+* Path=Example/foo.bar
+*
+* or<BR>
+* [Profile0]<BR>
+* IsRelative=0<BR>
+* Path=c:\\foo\\bar\\baz
+*
+* Mozilla also accepts the ini file on Windows even if it is UTF-16
+* encoded but never writes UTF-16 on its own.  So currently we ignore
+* this special case.
+*
+* @param[in] inifile_name path of the profile.ini to read.
+* @return NULL terminated array of strings containing containing the
+* absolute path of the profile directories. The array needs to
+* be freed by the caller.
+*/
+static char **
+get_profile_dirs (char *inifile_name)
+{
+char **dirs = NULL;
+char *inifile_dirname;
+FILE *inifile;
+char line[LINEBUFLEN];
+char *key;
+char *value;
+char *path = NULL;
+char *fqpath;
+bool inprofile = false;
+bool relative_path = false;
+char *saveptr;
+if ((inifile = fopen(inifile_name, "r")) != NULL)
+{
+DEBUGPRINTF("Searching for profile paths in: '%s'\n", inifile_name);
+inifile_dirname = port_dirname(inifile_name);
+while (fgets(line, LINEBUFLEN, inifile) != NULL)
+{
+/* Determine if we are in an profile section */
+if (str_starts_with(line, "[Profile"))
+{
+relative_path = false;
+inprofile = true;
+}
+else if (line[0] == '[')
+inprofile = false;
+/* If we are in a profile parse path related stuff */
+if (inprofile)
+{
+saveptr = NULL;
+key = STRTOK_R(line, "=", &saveptr);
+value = STRTOK_R(NULL, "=", &saveptr);
+str_trim(&value);
+if (str_equal(key, "Path"))
+{
+if (relative_path)
+xasprintf(&path, "%s/%s", inifile_dirname, value);
+else
+xasprintf(&path, "%s", value);
+if ((fqpath = port_realpath(path)) != NULL)
+{
+DEBUGPRINTF("Found profile path: '%s'\n", fqpath);
+strv_append(&dirs, fqpath, strlen(fqpath));
+free (fqpath);
+}
+else
+{
+DEBUGPRINTF("WARN!  Non existent profile path: '%s'\n", path);
+exit_code |= WARN_MOZ_PROFILE_DOES_NOT_EXIST;
+}
+free(path);
+}
+else if (str_equal(key, "IsRelative") &&
+str_starts_with(value, "1"))
+relative_path = true;
+}
+}
+fclose(inifile);
+}
+else
+{
+DEBUGPRINTF("WARN!  Could not open ini file: '%s'\n", inifile_name);
+exit_code |= WARN_MOZ_FAILED_TO_OPEN_INI;
+}
+return dirs;
+}
+/**
+* @brief Search for mozilla profiles.ini files
+*
+* Use well known paths and heuristics to find the current users
+* profiles.ini files on GNU/Linux and Windows systems.
+*
+* @return NULL terminated array of strings containing the absolute
+* path of the profiles.ini files.  The array needs to be freed by the
+* caller.
+*/
+static char **
+get_profile_inis ()
+{
+char **inis = NULL;
+char *mozpath, *fqpath, *subpath, *ppath;
+DIR *mozdir;
+struct dirent *mozdirent;
+char *confbase = get_conf_basedir();
+const char *confdirs[] = { CONFDIRS, NULL };
+for (int i=0; confdirs[i] != NULL; i++)
+{
+xasprintf(&mozpath,"%s/%s", confbase, confdirs[i]);
+if ((mozdir = opendir(mozpath)) != NULL)
+{
+while ((mozdirent = readdir(mozdir)) != NULL)
+{
+xasprintf(&subpath, "%s/%s/%s",
+confbase,
+confdirs[i],
+mozdirent->d_name);
+if (port_isdir(subpath)
+&& (strcmp(mozdirent->d_name, "..") != 0))
+{
+xasprintf(&ppath, "%s/%s/%s/%s",
+confbase,
+confdirs[i],
+mozdirent->d_name,
+"profiles.ini");
+DEBUGPRINTF("checking for %s...\n", ppath);
+if ((fqpath = port_realpath(ppath)) != NULL)
+{
+strv_append(&inis, fqpath, strlen(fqpath));
+DEBUGPRINTF("Found mozilla ini file: '%s'\n", fqpath);
+free(fqpath);
+}
+free(ppath);
+}
+free(subpath);
+}
+closedir(mozdir);
+}
+else
+{
+DEBUGPRINTF("Could not open %s/%s\n", confbase, confdirs[i]);
+}
+free(mozpath);
+}
+if (inis == NULL)
+{
+DEBUGPRINTF("No ini files found - will do nothing!\n");
+}
+return inis;
+}
+/** @brief make the default nss databases readable.
+*
+*  This uses the static paths definied in this code to ensure
+*  that only the defaults are touched.
+*
+*/
+#ifndef WIN32
+static void
+make_defaults_readable()
+{
+const char *confdirs[] = { MOZILLA_DEFAULTS, NULL };
+const char *filenames[] = { MOZILLA_DBNAMES, NULL };
+mode_t access_mask = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
+for (int i=0; confdirs[i] != NULL; i++)
+{
+for (int j=0; filenames[j] != NULL; j++)
+{
+char *realpath = NULL,
+*path = NULL;
+xasprintf (&path, "%s/profile/%s", confdirs[i], filenames[j]);
+realpath = port_realpath(path);
+xfree(path);
+if (!realpath)
+{
+syslog_error_printf("Failed to find %s \n", realpath);
+continue;
+}
+if (chmod(realpath, access_mask))
+{
+syslog_error_printf("Failed to set access_mask on file.\n");
+}
+xfree (realpath);
+}
+}
+}
+#endif
+/**
+* @brief Collect the default profile directories for mozilla software
+*
+* If the default directory is found but not the profiles subdirectory
+* this will create the profiles subdirectory.
+*
+* @return NULL terminated array of strings containing the absolute path
+* to the default profile directories. Needs to be freed by the caller.
+*/
+static char**
+get_default_profile_dirs()
+{
+char **retval = NULL;
+const char *confdirs[] = { MOZILLA_DEFAULTS, NULL };
+#ifdef _WIN32
+char *program_files = get_program_files_folder();
+if (!program_files)
+{
+ERRORPRINTF ("Failed to look up program files folder.\n");
+return NULL;
+}
+#endif
+for (int i=0; confdirs[i] != NULL; i++)
+{
+char *realpath = NULL,
+*profile_dir = NULL;
+#ifndef _WIN32
+realpath = port_realpath(confdirs[i]);
+#else
+/* As on linux we only respect the default installation directory
+mozilla firefox and thunderbird change their registry key with
+each version as the key includes the version number. It would
+be error prone to search the system for every instance. So we
+only check the default installation directories. */
+xasprintf(&realpath, "%s" DIRSEP "%s", program_files, confdirs[i]);
+#endif
+if (realpath == NULL)
+{
+DEBUGPRINTF ("Did not find directory: '%s'\n", confdirs[i]);
+continue;
+}
+xasprintf(&profile_dir, "%s" DIRSEP "profile", realpath);
+xfree(realpath);
+if (port_isdir(profile_dir))
+{
+DEBUGPRINTF("Found default directory: '%s'\n", profile_dir);
+/* All is well */
+strv_append (&retval, profile_dir, strlen(profile_dir));
+xfree(profile_dir);
+profile_dir = NULL;
+continue;
+}
+else
+{
+/* Create the directory */
+if (port_fileexits(profile_dir))
+{
+DEBUGPRINTF ("Path: '%s' is not a directory but it exists. Skipping.\n",
+profile_dir);
+xfree(profile_dir);
+profile_dir = NULL;
+continue;
+}
+else
+{
+/* Lets create it */
+if (!port_mkdir_p(profile_dir, true))
+{
+ERRORPRINTF ("Failed to create directory: '%s'\n", profile_dir);
+xfree(profile_dir);
+profile_dir = NULL;
+continue;
+}
+strv_append (&retval, profile_dir, strlen(profile_dir));
+xfree(profile_dir);
+profile_dir = NULL;
+}
+}
+}
+#ifdef WIN32
+xfree (program_files);
+#endif
+return retval;
+}
+/**
+* @brief Collect all mozilla profile directories of current user.
+* @return NULL terminated array of strings containing the absolute
+* path of the profile directories.  The array needs to be freed by the
+* caller.
+*/
+static char**
+get_all_nssdb_dirs()
+{
+char **mozinis, **pdirs;
+char **alldirs = NULL;
+if (is_elevated())
+{
+#ifndef _WIN32
+/* NSS Shared db does not exist under windows. */
+if (!port_mkdir_p(NSSSHARED_GLOBAL, false))
+{
+ERRORPRINTF("Failed to create nssshared skeleton directory. \n");
+}
+else
+{
+strv_append(&alldirs, "sql:" NSSSHARED_GLOBAL, strlen("sql:" NSSSHARED_GLOBAL));
+}
+#endif
+pdirs = get_default_profile_dirs();
+if (pdirs != NULL)
+{
+for (int i=0; pdirs[i] != NULL; i++)
+{
+strv_append(&alldirs, pdirs[i], strlen(pdirs[i]));
+}
+strv_free(pdirs);
+}
+return alldirs;
+}
+/* Search Mozilla/Firefox/Thunderbird profiles */
+if ((mozinis = get_profile_inis()) != NULL)
+{
+for (int i=0; mozinis[i] != NULL; i++)
+{
+pdirs =
+get_profile_dirs(mozinis[i]);
+if (pdirs != NULL)
+{
+for (int i=0; pdirs[i] != NULL; i++)
+{
+strv_append(&alldirs, pdirs[i], strlen(pdirs[i]));
+}
+strv_free(pdirs);
+}
+}
+strv_free(mozinis);
+}
+/* Search for NSS shared DB (used by Chrome/Chromium on GNU/Linux) */
+if (TARGET_LINUX)
+{
+char *path, *fqpath, *sqlpath;
+xasprintf(&path, "%s/%s", get_conf_basedir(), NSSSHARED);
+if ((fqpath = port_realpath(path)) != NULL)
+{
+xasprintf(&sqlpath, "sql:%s", fqpath);
+strv_append(&alldirs, sqlpath, strlen(sqlpath));
+free(sqlpath);
+free(fqpath);
+}
+free(path);
+}
+return alldirs;
+}
+#ifdef DEBUGOUTPUT
+/**
+* @brief list certificates from nss certificate store
+* @param[in] confdir the directory with the certificate store
+*/
+static void
+DEBUG_nss_list_certs (char *confdir)
+{
+CERTCertList *list;
+CERTCertListNode *node;
+char *name;
+if (NSS_Initialize(confdir, "", "", "secmod.db", NSS_INIT_READONLY)
+== SECSuccess)
+{
+DEBUGPRINTF("Listing certs in \"%s\"\n", confdir);
+list = PK11_ListCerts(PK11CertListAll, NULL);
+for (node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list);
+node = CERT_LIST_NEXT(node))
+{
+name = node->appData;
+DEBUGPRINTF("Found certificate \"%s\"\n", name);
+}
+/* According to valgrind this leaks memory in the list.
+We could not find API documentation to better free this
+so we accept the leakage here in case of debug. */
+CERT_DestroyCertList(list);
+NSS_Shutdown();
+}
+else
+{
+DEBUGPRINTF("Could not open nss certificate store in %s!\n", confdir);
+}
+}
+#endif
+/**
+* @brief Create a string with the name for cert in SECItem.
+*
+* Should be freed by caller.
+* @param[in] secitemp ponts to an SECItem holding the DER certificate.
+* @returns a string of the from "CN of Subject - O of Subject"
+*/
+static char *
+nss_cert_name(SECItem *secitemp)
+{
+char *cn_str, *o_str, *name;
+size_t name_len;
+cn_str = x509_parse_subject(secitemp->data, secitemp->len, CERT_OID_CN);
+o_str = x509_parse_subject(secitemp->data, secitemp->len, CERT_OID_O);
+if (!cn_str || !o_str)
+{
+ERRORPRINTF("FATAL: Could not parse certificate!");
+exit(ERR_INVALID_CERT);
+}
+name_len = strlen(cn_str) + strlen(o_str) + 4;
+name = (char *)xmalloc(name_len);
+snprintf(name, name_len, "%s - %s", cn_str, o_str);
+free(cn_str);
+free(o_str);
+return name;
+}
+/**
+* @brief Convert a base64 encoded DER certificate to SECItem
+* @param[in] b64 pointer to the base64 encoded certificate
+* @param[in] b64len length of the base64 encoded certificate
+* @param[out] secitem pointer to the SECItem in which to store the
+* raw DER certifiacte.
+* @returns true on success and false on failure
+*/
+static bool
+base64_to_secitem(char *b64, size_t b64len, SECItem *secitem)
+{
+unsigned char *dercert = NULL;
+size_t dercertlen;
+if ((str_base64_decode((char **)(&dercert), &dercertlen,
+b64, b64len) == 0) &&
+(dercertlen > 0))
+{
+secitem->data = dercert;
+secitem->len = (unsigned int) dercertlen;
+return true;
+}
+else
+{
+DEBUGPRINTF("Base64 decode failed for: %s\n", b64);
+}
+return false;
+}
+/**
+* @brief Store DER certificate in mozilla store.
+* @param[in] pdir the mozilla profile directory with the certificate
+* store to manipulate.
+* @param[in] dercert pointer to a SECItem holding the DER certificate
+* to install
+* @returns true on success and false on failure
+*/
+static bool
+import_cert(char *pdir, SECItem *dercert)
+{
+PK11SlotInfo *pk11slot = NULL;
+CERTCertTrust *trust = NULL;
+CERTCertificate *cert = NULL;
+bool success = false;
+char *cert_name = nss_cert_name(dercert);
+DEBUGPRINTF("INSTALLING cert: '%s' to: %s\n", cert_name, pdir);
+pk11slot = PK11_GetInternalKeySlot();
+cert = CERT_DecodeCertFromPackage((char *)dercert->data,
+(int)dercert->len);
+trust = (CERTCertTrust *)xmalloc(sizeof(CERTCertTrust));
+CERT_DecodeTrustString(trust, "C,C,C");
+if (PK11_ImportCert(pk11slot, cert, CK_INVALID_HANDLE,
+cert_name, PR_FALSE) == SECSuccess)
+{
+if(CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), cert, trust) == SECSuccess)
+{
+log_certificate_der (pdir, dercert->data, dercert->len, true);
+success = true;
+}
+}
+/* This could have happened on either the import cert or
+the cert change trust. If Import Cert fails with that
+error the certificate has in fact been added but with
+random trist bits. See NSS Bug 595861.
+Reference code can be found in gnome evolution under
+smime/lib/e-cert-db.c */
+if(PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN)
+{
+if (PK11_NeedUserInit (pk11slot))
+{
+PK11_InitPin (pk11slot, "", "");
+}
+if (PK11_Authenticate (pk11slot, PR_TRUE, NULL) != SECSuccess)
+{
+DEBUGPRINTF("Failed to authenticate.\n");
+}
+else if(CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), cert, trust) == SECSuccess)
+{
+log_certificate_der (pdir, dercert->data, dercert->len, true);
+success = true;
+}
+}
+if (!success)
+{
+DEBUGPRINTF("Failed to install certificate '%s' to '%s'!\n", cert_name, pdir);
+ERRORPRINTF("Error installing certificate err: %i\n", PORT_GetError());
+}
+CERT_DestroyCertificate (cert);
+free(trust);
+PK11_FreeSlot(pk11slot);
+free(cert_name);
+return success;
+}
+/**
+* @brief Remove DER certificate from mozilla store.
+* @param[in] pdir the mozilla profile directory with the certificate
+* store to manipulate.
+* @param[in] dercert pointer to a SECItem holding the DER certificate
+* to remove
+* @returns true on success and false on failure
+*/
+static bool
+remove_cert(char *pdir, SECItem *dercert)
+{
+PK11SlotInfo *pk11slot = NULL;
+bool success = false;
+char *cert_name = nss_cert_name(dercert);
+CERTCertificate *cert = NULL;
+DEBUGPRINTF("REMOVING cert: '%s' from: %s\n", cert_name, pdir);
+if (NSS_Initialize(pdir, "", "", "secmod.db", 0) == SECSuccess)
+{
+pk11slot = PK11_GetInternalKeySlot();
+cert = PK11_FindCertFromDERCertItem(pk11slot,
+dercert, NULL);
+if (cert != NULL)
+{
+if (SEC_DeletePermCertificate(cert) == SECSuccess)
+{
+success = true;
+log_certificate_der (pdir, dercert->data, dercert->len, false);
+}
+else
+{
+DEBUGPRINTF("Failed to remove certificate '%s' from '%s'!\n", cert_name, pdir);
+}
+CERT_DestroyCertificate(cert);
+}
+else
+{
+DEBUGPRINTF("Could not find Certificate '%s' in store '%s'.\n", cert_name, pdir);
+}
+PK11_FreeSlot(pk11slot);
+NSS_Shutdown();
+}
+else
+{
+DEBUGPRINTF("Could not open nss certificate store in %s!\n", pdir);
+}
+free(cert_name);
+return success;
+}
+/**
+* @brief Apply a function to a list of certificates and profiles
+*
+* The function must have the signature:
+*
+*   bool function(char *pdir, SECItem der_cert)
+*
+* where pdir is the path of an profile and der_cert is an raw DER
+* formatted certificate.  The function must return true on success
+* and false on failure.
+*
+* This function is intended for use with the import_cert and
+* remove_cert functions.
+*
+* @param[in] fn the function to apply
+* @param[inout] certs a secitem list holding the certificates
+* the list will be change (emptied)!
+* @param[in] pdirs the NULL terminated list of profile directories
+* @returns true on success and false on failure
+*/
+bool
+apply_to_certs_and_profiles(bool fn(char *, SECItem *),
+seciteml_t **certs, char **pdirs)
+{
+bool success = true;
+for (int i=0; pdirs[i] != NULL; i++)
+{
+seciteml_t *iter = *certs;
+if (NSS_Initialize(pdirs[i], "", "", "secmod.db", 0) != SECSuccess)
+{
+DEBUGPRINTF("Could not open nss certificate store in %s!\n", pdirs[i]);
+continue;
+}
+while (iter != NULL && iter->item != NULL)
+{
+SECItem *cert = iter->item;
+if (! (*fn)(pdirs[i], cert))
+success = false;
+iter = iter->next;
+}
+NSS_Shutdown();
+}
+seciteml_free(certs);
+return success;
+}
+/**
+* @brief Parse IPC commands from standard input.
+*
+* Reads command lines (R: and I:) from standard input and puts the
+* certificates to process in two SECItem lists holding the
+* certificates in DER format.
+* @param[inout] stream from standard input
+* @param[inout] install_list list of SECItems with certifiactes to install
+* @param[inout] remove_list list of SECItems with certifiactes to remove
+*/
+static void
+parse_commands (FILE *stream,
+seciteml_t **install_list, seciteml_t **remove_list)
+{
+char inpl[LINEBUFLEN];
+size_t inpllen;
+bool parserr = true;
+SECItem secitem;
+while ( fgets(inpl, LINEBUFLEN, stream) != NULL )
+{
+inpllen = strnlen(inpl, LINEBUFLEN);
+/* Validate input line:
+* - must be (much) longer than 3 characters
+* - must start with "*:"
+*/
+if ((inpllen > 3) && (inpl[1] == ':'))
+/* Now parse Input */
+switch(inpl[0])
+{
+case 'R':
+parserr = true;
+DEBUGPRINTF("Request to remove certificate: %s\n", &inpl[2]);
+if (base64_to_secitem(&inpl[2], inpllen - 2, &secitem))
+{
+seciteml_push(remove_list, &secitem);
+parserr = false;
+}
+break;
+case 'I':
+parserr = true;
+DEBUGPRINTF("Request to install certificate: %s\n", &inpl[2]);
+if (base64_to_secitem(&inpl[2], inpllen - 2, &secitem))
+{
+seciteml_push(install_list, &secitem);
+parserr = false;
+}
+break;
+default:
+parserr = true;
+}
+else
+{
+parserr = true;
+}
+if (parserr)
+{
+ERRORPRINTF("FATAL: Invalid input: %s\n", inpl);
+exit(ERR_MOZ_INVALID_INPUT);
+}
+}
+}
+#ifdef DO_RELEASE_BUILD
+bool g_debug = false;
+#else
+bool g_debug = true;
+#endif
+int
+main (int argc, char **argv)
+{
+char **dbdirs;
+seciteml_t *certs_to_remove = NULL;
+seciteml_t *certs_to_add = NULL;
+FILE *input_stream;
+switch (argc)
+{
+case 1:
+DEBUGPRINTF("Opening STDIN for input...\n");
+input_stream = stdin;
+break;
+case 2:
+if (strcmp(argv[1], "--debug") == 0)
+{
+g_debug = true;
+DEBUGPRINTF("Opening STDIN for input...\n");
+input_stream = stdin;
+break;
+}
+case 3:
+DEBUGPRINTF("Opening %s for input...\n", argv[1]);
+if ((input_stream = fopen(argv[1], "r")) == NULL)
+{
+ERRORPRINTF ("FATAL: Could not open %s for reading!\n",
+argv[1]);
+exit_code = ERR_MOZ_FAILED_TO_OPEN_INPUT;
+goto exit;
+}
+if (argc == 3 && strcmp(argv[2], "--debug") == 0)
+{
+g_debug = true;
+}
+break;
+default:
+ERRORPRINTF("FATAL: Wrong number of arguments!\n");
+exit_code = ERR_MOZ_WRONG_ARGC;
+goto exit;
+}
+dbdirs =
+get_all_nssdb_dirs();
+if (dbdirs != NULL)
+{
+parse_commands(input_stream, &certs_to_add, &certs_to_remove);
+#ifdef DEBUGOUTPUT
+DEBUGPRINTF("OLD List of installed certs:\n");
+for (int i=0; dbdirs[i] != NULL; i++)
+DEBUG_nss_list_certs(dbdirs[i]);
+#endif
+if (! apply_to_certs_and_profiles(remove_cert, &certs_to_remove, dbdirs))
+exit_code |= WARN_MOZ_COULD_NOT_REMOVE_CERT;
+if (! apply_to_certs_and_profiles(import_cert, &certs_to_add, dbdirs))
+exit_code |= WARN_MOZ_COULD_NOT_ADD_CERT;
+#ifdef DEBUGOUTPUT
+DEBUGPRINTF("NEW List of installed certs:\n");
+for (int i=0; dbdirs[i] != NULL; i++)
+DEBUG_nss_list_certs(dbdirs[i]);
+#endif
+#ifndef WIN32
+if (is_elevated())
+{
+make_defaults_readable();
+}
+#endif
+strv_free(dbdirs);
+}
+fclose(input_stream);
+exit:
+exit(exit_code);
+}

Mercurial > trustbridge

comparison cinst/nss-installer.c @ 1175:e210ecc32d69