Bug 67890: create self-signed cert with existing key that signed CSR

Patch by Alexei.volkov, r=julien.pierre,rrelyea git-svn-id: svn://10.0.0.236/trunk@251757 18797224-902f-48f8-a5cc-f745e15eee43
2008-05-21 21:58:07 +00:00 · 2008-05-21 21:58:07 +00:00 · 550222aad6
commit 550222aad6
parent d886677ace
1 changed files with 15 additions and 20 deletions
--- a/mozilla/security/nss/cmd/certutil/certutil.c
+++ b/mozilla/security/nss/cmd/certutil/certutil.c
@ -1517,10 +1517,11 @@ done:
 static SECStatus
 CreateCert(
 	CERTCertDBHandle *handle, 
+	PK11SlotInfo *slot,
 	char *  issuerNickName, 
 	PRFileDesc *inFile,
 	PRFileDesc *outFile, 
-	SECKEYPrivateKey *selfsignprivkey,
+	SECKEYPrivateKey **selfsignprivkey,
 	void 	*pwarg,
 	SECOidTag hashAlgTag,
 	unsigned int serialNumber, 
@ -1534,7 +1535,6 @@ CreateCert(
 {
    void *	extHandle;
    SECItem *	certDER;
-    PRArenaPool *arena			= NULL;
    CERTCertificate *subjectCert 	= NULL;
    CERTCertificateRequest *certReq	= NULL;
    SECStatus 	rv 			= SECSuccess;
@ -1543,11 +1543,6 @@ CreateCert(

    reqDER.data = NULL;
    do {
-	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-	if (!arena) {
-	    GEN_BREAK (SECFailure);
-	}
-	
 	/* Create a certrequest object from the input cert request der */
 	certReq = GetCertRequest(inFile, ascii);
 	if (certReq == NULL) {
@ -1587,8 +1582,18 @@ CreateCert(

 	CERT_FinishExtensions(extHandle);

+	/* self-signing a cert request, find the private key */
+	if (selfsign && *selfsignprivkey == NULL) {
+	    *selfsignprivkey = PK11_FindKeyByDERCert(slot, subjectCert, pwarg);
+	    if (!*selfsignprivkey) {
+		fprintf(stderr, "Failed to locate private key.\n");
+		rv = SECFailure;
+		break;
+	    }
+	}
+
 	certDER = SignCert(handle, subjectCert, selfsign, hashAlgTag,
-	                   selfsignprivkey, issuerNickName,pwarg);
+	                   *selfsignprivkey, issuerNickName,pwarg);

 	if (certDER) {
 	   if (ascii) {
@ -1603,7 +1608,6 @@ CreateCert(
    } while (0);
    CERT_DestroyCertificateRequest (certReq);
    CERT_DestroyCertificate (subjectCert);
-    PORT_FreeArena (arena, PR_FALSE);
    if (rv != SECSuccess) {
 	PRErrorCode  perr = PR_GetError();
        fprintf(stderr, "%s: unable to create cert (%s)\n", progName,
@ -2180,15 +2184,6 @@ certutil_main(int argc, char **argv, PRBool initialize)
 	return 255;
    }

-    /*  For now, deny -C -x combination */
-    if (certutil.commands[cmd_CreateNewCert].activated &&
-        certutil.options[opt_SelfSign].activated) {
-	PR_fprintf(PR_STDERR,
-	           "%s: self-signing a cert request is not supported.\n",
-	           progName);
-	return 255;
-    }
-
    /*  If making a cert request, need a subject.  */
    if ((certutil.commands[cmd_CertReq].activated ||
         certutil.commands[cmd_CreateAndAddCert].activated) &&
@ -2733,9 +2728,9 @@ merge_fail:
    /*  Create a certificate (-C or -S).  */
    if (certutil.commands[cmd_CreateAndAddCert].activated ||
         certutil.commands[cmd_CreateNewCert].activated) {
-	rv = CreateCert(certHandle, 
+	rv = CreateCert(certHandle, slot,
 	                certutil.options[opt_IssuerName].arg,
-	                inFile, outFile, privkey, &pwdata, hashAlgTag,
+	                inFile, outFile, &privkey, &pwdata, hashAlgTag,
 	                serialNumber, warpmonths, validityMonths,
 		        certutil.options[opt_ExtendedEmailAddrs].arg,
 		        certutil.options[opt_ExtendedDNSNames].arg,