/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*

** crlgen.c

**

** utility for managing certificates revocation lists generation

**

*/

#include <stdio.h>

#include <math.h>

#include "nspr.h"

#include "plgetopt.h"

#include "nss.h"

#include "secutil.h"

#include "cert.h"

#include "certi.h"

#include "certdb.h"

#include "pk11func.h"

#include "crlgen.h"

/* Destroys extHandle and data. data was create on heap.

 * extHandle creaded by CERT_StartCRLEntryExtensions. entry

 * was allocated on arena.*/

static void

destroyEntryData(CRLGENEntryData *data)

{

    if (!data)

        return;

    PORT_Assert(data->entry);

    if (data->extHandle)

        CERT_FinishExtensions(data->extHandle);

    PORT_Free(data);

}

/* Prints error messages along with line number */

void 

crlgen_PrintError(int line, char *msg, ...)

{

    va_list args;

    va_start(args, msg);

    fprintf(stderr, "crlgen: (line: %d) ", line);

    vfprintf(stderr, msg, args);

    va_end(args);

}

/* Finds CRLGENEntryData in hashtable according PRUint64 value

 * - certId : cert serial number*/

static CRLGENEntryData*

crlgen_FindEntry(CRLGENGeneratorData *crlGenData, SECItem *certId) 

{

    if (!crlGenData->entryDataHashTable || !certId)

        return NULL;

    return (CRLGENEntryData*)

        PL_HashTableLookup(crlGenData->entryDataHashTable,

                           certId);

}

/* Removes CRLGENEntryData from hashtable according to certId

 * - certId : cert serial number*/

static SECStatus

crlgen_RmEntry(CRLGENGeneratorData *crlGenData, SECItem *certId) 

{

    CRLGENEntryData *data = NULL;

    if (!crlGenData->entryDataHashTable)

        return SECSuccess;

    data = crlgen_FindEntry(crlGenData, certId);

    if (!data)

        return SECSuccess;

    if (PL_HashTableRemove(crlGenData->entryDataHashTable, certId))

        return SECSuccess;

    destroyEntryData(data);

    return SECFailure;

}

/* Stores CRLGENEntryData in hashtable according to certId

 * - certId : cert serial number*/

static CRLGENEntryData*

crlgen_PlaceAnEntry(CRLGENGeneratorData *crlGenData,

                    CERTCrlEntry *entry, SECItem *certId)

{

    CRLGENEntryData *newData = NULL;

    PORT_Assert(crlGenData && crlGenData->entryDataHashTable &&

                entry);

    if (!crlGenData || !crlGenData->entryDataHashTable || !entry) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        return NULL;

    }

    newData = PORT_ZNew(CRLGENEntryData);

    if (!newData) {

        return NULL;

    }

    newData->entry = entry;

    newData->certId = certId;

    if (!PL_HashTableAdd(crlGenData->entryDataHashTable,

                         newData->certId, newData)) { 

        crlgen_PrintError(crlGenData->parsedLineNum,

                          "Can not add entryData structure\n");

        return NULL;

    }

    return newData;

}

/* Use this structure to keep pointer when commiting entries extensions */

struct commitData {

    int pos;

    CERTCrlEntry **entries;

};

/* HT PL_HashTableEnumerateEntries callback. Sorts hashtable entries of the

 * table he. Returns value through arg parameter*/

static PRIntn PR_CALLBACK 

crlgen_CommitEntryData(PLHashEntry *he, PRIntn i, void *arg)

{

    CRLGENEntryData *data = NULL;

    PORT_Assert(he);

    if (!he) {

        return HT_ENUMERATE_NEXT;

    }

    data = (CRLGENEntryData*)he->value;

    PORT_Assert(data);

    PORT_Assert(arg);

    if (data) {

        struct commitData *dt = (struct commitData*)arg;

        dt->entries[dt->pos++] = data->entry;

        destroyEntryData(data);

    }

    return HT_ENUMERATE_NEXT;

}

/* Copy char * datainto allocated in arena SECItem */

static SECStatus 

crlgen_SetString(PLArenaPool *arena, const char *dataIn, SECItem *value)

{

    SECItem item;

    PORT_Assert(arena && dataIn);

    if (!arena || !dataIn) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        return SECFailure;

    }

    item.data = (void*)dataIn;

    item.len = PORT_Strlen(dataIn);

    return SECITEM_CopyItem(arena, value, &item);

}

/* Creates CERTGeneralName from parsed data for the Authority Key Extension */

static CERTGeneralName *

crlgen_GetGeneralName (PLArenaPool *arena, CRLGENGeneratorData *crlGenData,

                       const char *data)

{

    CERTGeneralName *namesList = NULL;

    CERTGeneralName *current;

    CERTGeneralName *tail = NULL;

    SECStatus rv = SECSuccess;

    const char *nextChunk = NULL;

    const char *currData = NULL;

    int intValue;

    char buffer[512];

    void *mark;

    if (!data)

        return NULL;

    PORT_Assert (arena);

    if (!arena) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        return NULL;

    }

    mark = PORT_ArenaMark (arena);

    nextChunk = data;

    currData = data;

    do {

        int nameLen = 0;

        char name[128];

        const char *sepPrt = NULL;

        nextChunk = PORT_Strchr(currData, '|');

        if (!nextChunk)

            nextChunk = data + strlen(data);

        sepPrt = PORT_Strchr(currData, ':');

        if (sepPrt == NULL || sepPrt >= nextChunk) {

            *buffer = '\0';

            sepPrt = nextChunk;

        } else {

            PORT_Memcpy(buffer, sepPrt + 1,

                        (nextChunk - sepPrt - 1));

            buffer[nextChunk - sepPrt - 1] = '\0';

        }

        nameLen = PR_MIN(sepPrt - currData, sizeof(name) - 1 );

        PORT_Memcpy(name, currData, nameLen);

        name[nameLen] = '\0';

        currData = nextChunk + 1;

        if (!PORT_Strcmp(name, "otherName"))

            intValue = certOtherName;

        else if (!PORT_Strcmp(name, "rfc822Name"))

            intValue = certRFC822Name;

        else if (!PORT_Strcmp(name, "dnsName"))

            intValue = certDNSName;

        else if (!PORT_Strcmp(name, "x400Address"))

            intValue = certX400Address;

        else if (!PORT_Strcmp(name, "directoryName"))

            intValue = certDirectoryName;

        else if (!PORT_Strcmp(name, "ediPartyName"))

            intValue = certEDIPartyName;

        else if (!PORT_Strcmp(name, "URI"))

            intValue = certURI;

        else if (!PORT_Strcmp(name, "ipAddress"))

            intValue = certIPAddress;

        else if (!PORT_Strcmp(name, "registerID"))

            intValue = certRegisterID;

        else intValue = -1;

        if (intValue >= certOtherName && intValue <= certRegisterID) {

            if (namesList == NULL) {

                namesList = current = tail = PORT_ArenaZNew(arena,

                                                            CERTGeneralName);

            } else {

                current = PORT_ArenaZNew(arena, CERTGeneralName);

            }

            if (current == NULL) {

                rv = SECFailure;

                break;

            }

        } else {

            PORT_SetError(SEC_ERROR_INVALID_ARGS);

            break;

        }

        current->type = intValue;

        switch (current->type) {

          case certURI:

          case certDNSName:

          case certRFC822Name:

              current->name.other.data = PORT_ArenaAlloc (arena, strlen (buffer));

              if (current->name.other.data == NULL) {

                  rv = SECFailure;

                  break;

              }

              PORT_Memcpy(current->name.other.data, buffer,

                          current->name.other.len = strlen(buffer));

              break;

          case certEDIPartyName:

          case certIPAddress:

          case certOtherName:

          case certRegisterID:

          case certX400Address: {

              current->name.other.data = PORT_ArenaAlloc (arena, strlen (buffer) + 2);

              if (current->name.other.data == NULL) {

                  rv = SECFailure;

                  break;

              }

              PORT_Memcpy (current->name.other.data + 2, buffer, strlen (buffer));

/* This may not be accurate for all cases.For now, use this tag type */

              current->name.other.data[0] = (char)(((current->type - 1) & 0x1f)| 0x80);

              current->name.other.data[1] = (char)strlen (buffer);

              current->name.other.len = strlen (buffer) + 2;

              break;

          }

          case certDirectoryName: {

              CERTName *directoryName = NULL;

              directoryName = CERT_AsciiToName (buffer);

              if (!directoryName) {

                  rv = SECFailure;

                  break;

              }

              rv = CERT_CopyName (arena, &current->name.directoryName, directoryName);

              CERT_DestroyName (directoryName);

              break;

          }

        }

        if (rv != SECSuccess)

            break;

        current->l.next = &(namesList->l);

        current->l.prev = &(tail->l);

        tail->l.next = &(current->l);

        tail = current;

    } while(nextChunk != data + strlen(data));

    if (rv != SECSuccess) {

        PORT_ArenaRelease (arena, mark);

        namesList = NULL;

    }

    return (namesList);

}

/* Creates CERTGeneralName from parsed data for the Authority Key Extension */

static CERTGeneralName *

crlgen_DistinguishedName (PLArenaPool *arena, CRLGENGeneratorData *crlGenData,

                          const char *data)

{

    CERTName *directoryName = NULL;

    CERTGeneralName *current;

    SECStatus rv = SECFailure;

    void *mark;

    if (!data)

        return NULL;

    PORT_Assert (arena);

    if (!arena) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        return NULL;

    }

    mark = PORT_ArenaMark (arena);

    current = PORT_ArenaZNew(arena, CERTGeneralName);

    if (current == NULL) {

        goto loser;

    }

    current->type = certDirectoryName;

    current->l.next = &current->l;

    current->l.prev = &current->l;

    directoryName = CERT_AsciiToName ((char*)data);

    if (!directoryName) {

        goto loser;

    }

    rv = CERT_CopyName (arena, &current->name.directoryName, directoryName);

    CERT_DestroyName (directoryName);

  loser:

    if (rv != SECSuccess) {

        PORT_SetError (rv);

        PORT_ArenaRelease (arena, mark);

        current = NULL;

    }

    return (current);

}

/* Adding Authority Key ID extension to extension handle. */

static SECStatus 

crlgen_AddAuthKeyID (CRLGENGeneratorData *crlGenData,

                     const char **dataArr)

{

    void *extHandle = NULL;

    CERTAuthKeyID *authKeyID = NULL;

    PLArenaPool *arena = NULL;

    SECStatus rv = SECSuccess;

    PORT_Assert(dataArr && crlGenData);

    if (!crlGenData || !dataArr) {

        return SECFailure;

    }

    extHandle = crlGenData->crlExtHandle;

    if (!dataArr[0] || !dataArr[1] || !dataArr[2]) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        crlgen_PrintError(crlGenData->parsedLineNum,

                          "insufficient number of parameters.\n");

        return SECFailure;

    }

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

    if (!arena) {

        return SECFailure;

    }

    authKeyID = PORT_ArenaZNew(arena, CERTAuthKeyID);

    if (authKeyID == NULL) {

        rv = SECFailure;

        goto loser;

    }

    if (dataArr[3] == NULL) {

        rv = crlgen_SetString (arena, dataArr[2], &authKeyID->keyID);

        if (rv != SECSuccess)

            goto loser;

    } else {

        rv = crlgen_SetString (arena, dataArr[3],

                               &authKeyID->authCertSerialNumber);

        if (rv != SECSuccess)

            goto loser;

        authKeyID->authCertIssuer = 

            crlgen_DistinguishedName (arena, crlGenData, dataArr[2]);

        if (authKeyID->authCertIssuer == NULL && SECFailure == PORT_GetError ()){

            crlgen_PrintError(crlGenData->parsedLineNum, "syntax error.\n");

            rv = SECFailure;

            goto loser;

        }

    }

    rv =

        SECU_EncodeAndAddExtensionValue(arena, extHandle, authKeyID,

                                        (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE,

                                        SEC_OID_X509_AUTH_KEY_ID, 

                                        (EXTEN_EXT_VALUE_ENCODER) CERT_EncodeAuthKeyID);

  loser:

    if (arena)

        PORT_FreeArena (arena, PR_FALSE);

    return rv;

} 

/* Creates and add Subject Alternative Names extension */

static SECStatus 

crlgen_AddIssuerAltNames(CRLGENGeneratorData *crlGenData,

                          const char **dataArr)

{

    CERTGeneralName *nameList = NULL;

    PLArenaPool *arena = NULL;

    void *extHandle = NULL;

    SECStatus rv = SECSuccess;

    PORT_Assert(dataArr && crlGenData);

    if (!crlGenData || !dataArr) {

        return SECFailure;

    }

    if (!dataArr || !dataArr[0] || !dataArr[1] || !dataArr[2]) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        crlgen_PrintError(crlGenData->parsedLineNum,

                          "insufficient number of arguments.\n");

        return SECFailure;

    }

    PORT_Assert(dataArr && crlGenData);

    if (!crlGenData || !dataArr) {

        return SECFailure;

    }

    extHandle = crlGenData->crlExtHandle;

    if (!dataArr[0] || !dataArr[1] || !dataArr[2]) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        crlgen_PrintError(crlGenData->parsedLineNum,

                          "insufficient number of parameters.\n");

        return SECFailure;

    }

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

    if (!arena) {

        return SECFailure;

    }

    nameList = crlgen_GetGeneralName(arena, crlGenData, dataArr[2]);

    if (nameList == NULL) {

        crlgen_PrintError(crlGenData->parsedLineNum, "syntax error.\n");

        rv = SECFailure;

        goto loser;

    }

    rv =

        SECU_EncodeAndAddExtensionValue(arena, extHandle, nameList,

                                        (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE,

                                        SEC_OID_X509_ISSUER_ALT_NAME, 

                                        (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeAltNameExtension);

  loser:

    if (arena)

        PORT_FreeArena (arena, PR_FALSE);

    return rv;

}

/* Creates and adds CRLNumber extension to extension handle.

 * Since, this is CRL extension, extension handle is the one 

 * related to CRL extensions */

static SECStatus

crlgen_AddCrlNumber(CRLGENGeneratorData *crlGenData, const char **dataArr)

{

    PLArenaPool *arena = NULL;

    SECItem encodedItem;

    void *extHandle = crlGenData->crlExtHandle;

    void *dummy;

    SECStatus rv = SECFailure;

    int code = 0;

    PORT_Assert(dataArr && crlGenData);

    if (!crlGenData || !dataArr) {

        goto loser;

    }

    if (!dataArr[0] || !dataArr[1] || !dataArr[2]) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        crlgen_PrintError(crlGenData->parsedLineNum,

                          "insufficient number of arguments.\n");

        goto loser;

    }

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

    if (arena == NULL) {

        goto loser;

    }

    code = atoi(dataArr[2]);

    if (code == 0 && *dataArr[2] != '0') {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        goto loser;

    }

    dummy = SEC_ASN1EncodeInteger(arena, &encodedItem, code);

    if (!dummy) {

        rv = SECFailure;

        goto loser;

    }

    rv = CERT_AddExtension (extHandle, SEC_OID_X509_CRL_NUMBER, &encodedItem, 

                            (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE,

                            PR_TRUE);

  loser:

    if (arena)

        PORT_FreeArena(arena, PR_FALSE);

    return rv;

}

/* Creates Cert Revocation Reason code extension. Encodes it and

 * returns as SECItem structure */

static SECItem*

crlgen_CreateReasonCode(PLArenaPool *arena, const char **dataArr,

                        int *extCode)

{

    SECItem *encodedItem;

    void *dummy;

    void *mark;

    int code = 0;

    PORT_Assert(arena && dataArr);

    if (!arena || !dataArr) {

        goto loser;

    } 

    mark = PORT_ArenaMark(arena);

    encodedItem = PORT_ArenaZNew (arena, SECItem);

    if (encodedItem == NULL) {

        goto loser;

    }

    if (dataArr[2] == NULL) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        goto loser;

    }

    code = atoi(dataArr[2]);

    /* aACompromise(10) is the last possible of the values 

     * for the Reason Core Extension */

    if ((code == 0 && *dataArr[2] != '0') || code > 10) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        goto loser;

    }

    dummy = SEC_ASN1EncodeInteger(arena, encodedItem, code);

    if (!dummy) {

        goto loser;

    }

    *extCode = SEC_OID_X509_REASON_CODE;

    return encodedItem;

  loser:

    PORT_ArenaRelease (arena, mark);

    return NULL;

}

/* Creates Cert Invalidity Date extension. Encodes it and

 * returns as SECItem structure */

static SECItem*

crlgen_CreateInvalidityDate(PLArenaPool *arena, const char **dataArr,

                       int *extCode)

{

    SECItem *encodedItem;

    int length = 0;

    void *mark;

    PORT_Assert(arena && dataArr);

    if (!arena || !dataArr) {

        goto loser;

    } 

    mark = PORT_ArenaMark(arena);

    encodedItem = PORT_ArenaZNew(arena, SECItem);

    if (encodedItem == NULL) {

        goto loser;

    }

    length = PORT_Strlen(dataArr[2]);

    encodedItem->type = siGeneralizedTime;

    encodedItem->data = PORT_ArenaAlloc(arena, length);

    if (!encodedItem->data) {

        goto loser;

    }

    PORT_Memcpy(encodedItem->data, dataArr[2], (encodedItem->len = length) *

                sizeof(char));

    *extCode = SEC_OID_X509_INVALID_DATE;

    return encodedItem;

  loser:

    PORT_ArenaRelease(arena, mark);

    return NULL;

}

/* Creates(by calling extCreator function) and adds extension to a set

 * of already added certs. Uses values of rangeFrom and rangeTo from

 * CRLGENCrlGenCtl structure for identifying the inclusive set of certs */

static SECStatus

crlgen_AddEntryExtension(CRLGENGeneratorData *crlGenData,

                         const char **dataArr, char *extName,

                         SECItem* (*extCreator)(PLArenaPool *arena,

                                                const char **dataArr,

                                                int *extCode))

{

    PRUint64 i = 0;

    SECStatus rv = SECFailure;

    int extCode = 0;

    PRUint64 lastRange ;

    SECItem *ext = NULL;

    PLArenaPool *arena = NULL;

    PORT_Assert(crlGenData &&  dataArr);

    if (!crlGenData || !dataArr) {

        goto loser;

    } 

    if (!dataArr[0] || !dataArr[1]) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        crlgen_PrintError(crlGenData->parsedLineNum, 

                          "insufficient number of arguments.\n");

    }

    lastRange = crlGenData->rangeTo - crlGenData->rangeFrom + 1;

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

    if (arena == NULL) {

        goto loser;

    }

    ext = extCreator(arena, dataArr, &extCode);

    if (ext == NULL) {

        crlgen_PrintError(crlGenData->parsedLineNum, 

                          "got error while creating extension: %s\n",

                          extName);

        goto loser;

    }

    for (i = 0;i < lastRange;i++) {

        CRLGENEntryData * extData = NULL;

        void *extHandle = NULL;

        SECItem * certIdItem =

            SEC_ASN1EncodeInteger(arena, NULL,

                                  crlGenData->rangeFrom + i);

        if (!certIdItem) {

            rv = SECFailure;

            goto loser;

        }

        extData = crlgen_FindEntry(crlGenData, certIdItem);

        if (!extData) {

            crlgen_PrintError(crlGenData->parsedLineNum,

                              "can not add extension: crl entry "

                              "(serial number: %d) is not in the list yet.\n",

                              crlGenData->rangeFrom + i);

            continue;

        }

        extHandle = extData->extHandle;

        if (extHandle == NULL) {

            extHandle = extData->extHandle =

                CERT_StartCRLEntryExtensions(&crlGenData->signCrl->crl,

                                             (CERTCrlEntry*)extData->entry);

        }

        rv = CERT_AddExtension (extHandle, extCode, ext, 

                               (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE,

                               PR_TRUE);

        if (rv == SECFailure) {

            goto loser;

        }

    }

  loser:

    if (arena)

        PORT_FreeArena(arena, PR_FALSE);

    return rv;

}

/* Commits all added entries and their's extensions into CRL. */

SECStatus

CRLGEN_CommitExtensionsAndEntries(CRLGENGeneratorData *crlGenData)

{

    int size = 0;

    CERTCrl *crl;

    PLArenaPool *arena;

    SECStatus rv = SECSuccess;

    void *mark;

    PORT_Assert(crlGenData && crlGenData->signCrl && crlGenData->signCrl->arena);

    if (!crlGenData || !crlGenData->signCrl || !crlGenData->signCrl->arena) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        return SECFailure;

    }

    arena = crlGenData->signCrl->arena;

    crl = &crlGenData->signCrl->crl;

    mark = PORT_ArenaMark(arena);

    if (crlGenData->crlExtHandle)

        CERT_FinishExtensions(crlGenData->crlExtHandle);

    size = crlGenData->entryDataHashTable->nentries;

    crl->entries = NULL;

    if (size) {

        crl->entries = PORT_ArenaZNewArray(arena, CERTCrlEntry*, size + 1);

        if (!crl->entries) {

            rv = SECFailure;

        } else {

            struct commitData dt;

            dt.entries = crl->entries;

            dt.pos = 0;

            PL_HashTableEnumerateEntries(crlGenData->entryDataHashTable,

                                         &crlgen_CommitEntryData, &dt);

            /* Last should be NULL */

            crl->entries[size] = NULL;

        }

    }

    if (rv != SECSuccess)

        PORT_ArenaRelease(arena, mark);

    return rv;

}

/* Initializes extHandle with data from extensions array */

static SECStatus

crlgen_InitExtensionHandle(void *extHandle,

                           CERTCertExtension **extensions)

{

    CERTCertExtension *extension = NULL;

    if (!extensions)

        return SECSuccess;

    PORT_Assert(extHandle != NULL);

    if (!extHandle) {

        return SECFailure;

    }

    extension = *extensions;

    while (extension) {

        SECOidTag oidTag = SECOID_FindOIDTag (&extension->id);

/* shell we skip unknown extensions? */

        CERT_AddExtension (extHandle, oidTag, &extension->value, 

                           (extension->critical.len != 0) ? PR_TRUE : PR_FALSE,

                           PR_FALSE);

        extension = *(++extensions);

    }

    return SECSuccess;

}

/* Used for initialization of extension handles for crl and certs

 * extensions from existing CRL data then modifying existing CRL.*/

SECStatus

CRLGEN_ExtHandleInit(CRLGENGeneratorData *crlGenData)

{

    CERTCrl *crl = NULL;

    PRUint64 maxSN = 0;

    PORT_Assert(crlGenData && crlGenData->signCrl &&

                crlGenData->entryDataHashTable);

    if (!crlGenData || !crlGenData->signCrl ||

        !crlGenData->entryDataHashTable) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        return SECFailure;

    }

    crl = &crlGenData->signCrl->crl;

    crlGenData->crlExtHandle = CERT_StartCRLExtensions(crl);

    crlgen_InitExtensionHandle(crlGenData->crlExtHandle,

                               crl->extensions);

    crl->extensions = NULL;

    if (crl->entries) {

        CERTCrlEntry **entry = crl->entries;

        while (*entry) {

            PRUint64 sn = DER_GetInteger(&(*entry)->serialNumber);

            CRLGENEntryData *extData =

                crlgen_PlaceAnEntry(crlGenData, *entry, &(*entry)->serialNumber);

            if ((*entry)->extensions) {

                extData->extHandle = 

                    CERT_StartCRLEntryExtensions(&crlGenData->signCrl->crl,

                                                 (CERTCrlEntry*)extData->entry);

                if (crlgen_InitExtensionHandle(extData->extHandle,

                                               (*entry)->extensions) == SECFailure)

                    return SECFailure;

            }

            (*entry)->extensions = NULL;

            entry++;

            maxSN = PR_MAX(maxSN, sn);

        }

    }

    crlGenData->rangeFrom = crlGenData->rangeTo = maxSN + 1;

    return SECSuccess;

}

/*****************************************************************************

 * Parser trigger functions start here

 */

/* Sets new internal range value for add/rm certs.*/

static SECStatus

crlgen_SetNewRangeField(CRLGENGeneratorData *crlGenData, char *value)

{

    long rangeFrom = 0, rangeTo = 0;

    char *dashPos = NULL;

    PORT_Assert(crlGenData);

    if (!crlGenData) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        return SECFailure;

    }

    if (value == NULL) {

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        crlgen_PrintError(crlGenData->parsedLineNum,

                          "insufficient number of arguments.\n");

        return SECFailure;

    }

    if ((dashPos = strchr(value, '-')) != NULL) {

        char *rangeToS, *rangeFromS = value;

        *dashPos = '\0';

        rangeFrom = atoi(rangeFromS);

        *dashPos = '-';

        rangeToS = (char*)(dashPos + 1);

        rangeTo = atol(rangeToS);

    } else {

        rangeFrom = atol(value);

        rangeTo = rangeFrom;

    }

    if (rangeFrom < 1 || rangeTo

        PORT_SetError(SEC_ERROR_INVALID_ARGS);

        crlgen_PrintError(crlGenData->parsedLineNum,

                          "bad cert id range: %s.\n", value);

        return SECFailure;

    }

    crlGenData->rangeFrom = rangeFrom;