/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/* To edit this file, set TABSTOPS to 4 spaces. 

 * This is not the normal NSS convention. 

 */

#include "modutil.h"

#include "install.h"

#include <plstr.h>

#include "certdb.h" /* for CERT_DB_FILE_VERSION */

#include "nss.h"

static void install_error(char *message);

static char* PR_fgets(char *buf, int size, PRFileDesc *file);

static char *progName;

/* This enum must be kept in sync with the commandNames list */

typedef enum {

	NO_COMMAND,

	ADD_COMMAND,

	CHANGEPW_COMMAND,

	CREATE_COMMAND,

	DEFAULT_COMMAND,

	DELETE_COMMAND,

	DISABLE_COMMAND,

	ENABLE_COMMAND,

	FIPS_COMMAND,

	JAR_COMMAND,

	LIST_COMMAND,

	RAW_LIST_COMMAND,

	RAW_ADD_COMMAND,

	CHKFIPS_COMMAND,

	UNDEFAULT_COMMAND

} Command;

/* This list must be kept in sync with the Command enum */

static char *commandNames[] = {

	"(no command)",

	"-add",

	"-changepw",

	"-create",

	"-default",

	"-delete",

	"-disable",

	"-enable",

	"-fips",

	"-jar",

	"-list",

	"-rawlist",

	"-rawadd",

	"-chkfips",

	"-undefault"

};

/* this enum must be kept in sync with the optionStrings list */

typedef enum {

	ADD_ARG=0,

	RAW_ADD_ARG,

	CHANGEPW_ARG,

	CIPHERS_ARG,

	CREATE_ARG,

	DBDIR_ARG,

	DBPREFIX_ARG,

	DEFAULT_ARG,

	DELETE_ARG,

	DISABLE_ARG,

	ENABLE_ARG,

	FIPS_ARG,

	FORCE_ARG,

	JAR_ARG,

	LIBFILE_ARG,

	LIST_ARG,

	RAW_LIST_ARG,

	MECHANISMS_ARG,

	NEWPWFILE_ARG,

	PWFILE_ARG,

	SLOT_ARG,

	UNDEFAULT_ARG,

	INSTALLDIR_ARG,

	TEMPDIR_ARG,

	SECMOD_ARG,

	NOCERTDB_ARG,

	STRING_ARG,

	CHKFIPS_ARG,

	NUM_ARGS	/* must be last */

} Arg;

/* This list must be kept in sync with the Arg enum */

static char *optionStrings[] = {

	"-add",

	"-rawadd",

	"-changepw",

	"-ciphers",

	"-create",

	"-dbdir",

	"-dbprefix",

	"-default",

	"-delete",

	"-disable",

	"-enable",

	"-fips",

	"-force",

	"-jar",

	"-libfile",

	"-list",

	"-rawlist",

	"-mechanisms",

	"-newpwfile",

	"-pwfile",

	"-slot",

	"-undefault",

	"-installdir",

	"-tempdir",

	"-secmod",

	"-nocertdb",

	"-string",

	"-chkfips",

};

/* Increment i if doing so would have i still be less than j.  If you

   are able to do this, return 0.  Otherwise return 1. */

#define TRY_INC(i,j)  ( ((i+1)

/********************************************************************

 *

 * file-wide variables obtained from the command line

 */

static Command command = NO_COMMAND;

static char* pwFile = NULL;

static char* newpwFile = NULL;

static char* moduleName = NULL;

static char* moduleSpec = NULL;

static char* slotName = NULL;

static char* secmodName = NULL;

static char* tokenName = NULL;

static char* libFile = NULL;

static char* dbdir = NULL;

static char* dbprefix = "";

static char* secmodString = NULL;

static char* mechanisms = NULL;

static char* ciphers = NULL;

static char* fipsArg = NULL;

static char* jarFile = NULL;

static char* installDir = NULL;

static char* tempDir = NULL;

static short force = 0;

static PRBool nocertdb = PR_FALSE;

/*******************************************************************

 *

 * p a r s e _ a r g s

 */

static Error

parse_args(int argc, char *argv[])

{

	int i;

	char *arg;

	int optionType;

	/* Loop over all arguments */

	for(i=1; i < argc; i++) {

		arg = argv[i];

		/* Make sure this is an option and not some floating argument */

		if(arg[0] != '-') {

			PR_fprintf(PR_STDERR, errStrings[UNEXPECTED_ARG_ERR], argv[i]);

			return UNEXPECTED_ARG_ERR;

		}

		/* Find which option this is */

		for(optionType=0; optionType < NUM_ARGS; optionType++) {

			if(! strcmp(arg, optionStrings[optionType])) {

				break;

			}

		}

		/* Deal with this specific option */

		switch(optionType) {

		case NUM_ARGS:

		default:

			PR_fprintf(PR_STDERR, errStrings[UNKNOWN_OPTION_ERR], arg);

			return UNKNOWN_OPTION_ERR;

			break;

		case ADD_ARG:

			if(command != NO_COMMAND) {

				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);

				return MULTIPLE_COMMAND_ERR;

			}

			command = ADD_COMMAND;

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			moduleName = argv[i];

			break;

		case CHANGEPW_ARG:

			if(command != NO_COMMAND) {

				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);

				return MULTIPLE_COMMAND_ERR;

			}

			command = CHANGEPW_COMMAND;

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			tokenName = argv[i];

			break;

		case CIPHERS_ARG:

			if(ciphers != NULL) {

				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);

				return DUPLICATE_OPTION_ERR;

			}

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			ciphers = argv[i];

			break;

		case CREATE_ARG:

			if(command != NO_COMMAND) {

				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);

				return MULTIPLE_COMMAND_ERR;

			}

			command = CREATE_COMMAND;

			break;

		case DBDIR_ARG:

			if(dbdir != NULL) {

				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);

				return DUPLICATE_OPTION_ERR;

			}

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			dbdir = argv[i];

			break;

		case DBPREFIX_ARG:

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			dbprefix = argv[i];

			break;

		case UNDEFAULT_ARG:

		case DEFAULT_ARG:

			if(command != NO_COMMAND) {

				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);

				return MULTIPLE_COMMAND_ERR;

			}

			if(optionType == DEFAULT_ARG) {

				command = DEFAULT_COMMAND;

			} else {

				command = UNDEFAULT_COMMAND;

			}

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			moduleName = argv[i];

			break;

		case DELETE_ARG:

			if(command != NO_COMMAND) {

				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);

				return MULTIPLE_COMMAND_ERR;

			}

			command = DELETE_COMMAND;

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			moduleName = argv[i];

			break;

		case DISABLE_ARG:

			if(command != NO_COMMAND) {

				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);

				return MULTIPLE_COMMAND_ERR;

			}

			command = DISABLE_COMMAND;

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			moduleName = argv[i];

			break;

		case ENABLE_ARG:

			if(command != NO_COMMAND) {

				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);

				return MULTIPLE_COMMAND_ERR;

			}

			command = ENABLE_COMMAND;

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			moduleName = argv[i];

			break;

		case FIPS_ARG:

			if(command != NO_COMMAND) {

				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);

				return MULTIPLE_COMMAND_ERR;

			}

			command = FIPS_COMMAND;

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			fipsArg = argv[i];

			break;

		case CHKFIPS_ARG:

			if(command != NO_COMMAND) {

				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);

				return MULTIPLE_COMMAND_ERR;

			}

			command = CHKFIPS_COMMAND;

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			fipsArg = argv[i];

			break;

		case FORCE_ARG:

			force = 1;

			break;

		case NOCERTDB_ARG:

			nocertdb = PR_TRUE;

			break;

		case INSTALLDIR_ARG:

			if(installDir != NULL) {

				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);

				return DUPLICATE_OPTION_ERR;

			}

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			installDir = argv[i];

			break;

		case TEMPDIR_ARG:

			if(tempDir != NULL) {

				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);

				return DUPLICATE_OPTION_ERR;

			}

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			tempDir = argv[i];

			break;

		case JAR_ARG:

			if(command != NO_COMMAND) {

				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);

				return MULTIPLE_COMMAND_ERR;

			}

			command = JAR_COMMAND;

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			jarFile = argv[i];

			break;

		case LIBFILE_ARG:

			if(libFile != NULL) {

				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);

				return DUPLICATE_OPTION_ERR;

			}

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			libFile = argv[i];

			break;

		case LIST_ARG:

			if(command != NO_COMMAND) {

				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);

				return MULTIPLE_COMMAND_ERR;

			}

			command = LIST_COMMAND;

			/* This option may or may not have an argument */

			if( (i+1 < argc) && (argv[i+1][0] != '-') ) {

				moduleName = argv[++i];

			}

			break;

		case RAW_LIST_ARG:

			if(command != NO_COMMAND) {

				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);

				return MULTIPLE_COMMAND_ERR;

			}

			command = RAW_LIST_COMMAND;

			/* This option may or may not have an argument */

			if( (i+1 < argc) && (argv[i+1][0] != '-') ) {

				moduleName = argv[++i];

			}

			break;

		case RAW_ADD_ARG:

			if(command != NO_COMMAND) {

				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);

				return MULTIPLE_COMMAND_ERR;

			}

			command = RAW_ADD_COMMAND;

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			moduleSpec = argv[i];

			break;

		case MECHANISMS_ARG:

			if(mechanisms != NULL) {

				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);

				return DUPLICATE_OPTION_ERR;

			}

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			mechanisms = argv[i];

			break;

		case NEWPWFILE_ARG:

			if(newpwFile != NULL) {

				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);

				return DUPLICATE_OPTION_ERR;

			}

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			newpwFile = argv[i];

			break;

		case PWFILE_ARG:

			if(pwFile != NULL) {

				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);

				return DUPLICATE_OPTION_ERR;

			}

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			pwFile = argv[i];

			break;

		case SLOT_ARG:

			if(slotName != NULL) {

				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);

				return DUPLICATE_OPTION_ERR;

			}

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			slotName = argv[i];

			break;

		case SECMOD_ARG:

			if(secmodName != NULL) {

				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);

				return DUPLICATE_OPTION_ERR;

			}

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			secmodName = argv[i];

			break;

		case STRING_ARG:

			if(secmodString != NULL) {

				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);

				return DUPLICATE_OPTION_ERR;

			}

			if(TRY_INC(i, argc)) {

				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);

				return OPTION_NEEDS_ARG_ERR;

			}

			secmodString = argv[i];

			break;

		}

	}

	return SUCCESS;

}

/************************************************************************

 *

 * v e r i f y _ p a r a m s

 */

static Error

verify_params()

{

	switch(command) {

	case ADD_COMMAND:

		if(libFile == NULL) {

			PR_fprintf(PR_STDERR, errStrings[MISSING_PARAM_ERR],

				commandNames[ADD_COMMAND], optionStrings[LIBFILE_ARG]);

			return MISSING_PARAM_ERR;

		}

		break;

	case CHANGEPW_COMMAND:

		break;

	case CREATE_COMMAND:

		break;

	case DELETE_COMMAND:

		break;

	case DISABLE_COMMAND:

		break;

	case ENABLE_COMMAND:

		break;

	case FIPS_COMMAND:

	case CHKFIPS_COMMAND:

		if(PL_strcasecmp(fipsArg, "true") &&

			PL_strcasecmp(fipsArg, "false")) {

			PR_fprintf(PR_STDERR, errStrings[INVALID_FIPS_ARG]);

			return INVALID_FIPS_ARG;

		}

		break;

	case JAR_COMMAND:

		if(installDir == NULL) {

			PR_fprintf(PR_STDERR, errStrings[MISSING_PARAM_ERR],

				commandNames[JAR_COMMAND], optionStrings[INSTALLDIR_ARG]);

			return MISSING_PARAM_ERR;

		}

		break;

	case LIST_COMMAND:

	case RAW_LIST_COMMAND:

		break;

	case RAW_ADD_COMMAND:

		break;

	case UNDEFAULT_COMMAND:

	case DEFAULT_COMMAND:

		if(mechanisms == NULL) {

			PR_fprintf(PR_STDERR, errStrings[MISSING_PARAM_ERR],

				commandNames[command], optionStrings[MECHANISMS_ARG]);

			return MISSING_PARAM_ERR;

		}

		break;

	default:

		/* Ignore this here */

		break;

	}

	return SUCCESS;

}

/********************************************************************

 *

 * i n i t _ c r y p t o

 *

 * Does crypto initialization that all commands will require.

 * If -nocertdb option is specified, don't open key or cert db (we don't

 * need them if we aren't going to be verifying signatures).  This is

 * because serverland doesn't always have cert and key database files

 * available.

 *

 * This function is ill advised. Names and locations of databases are

 * private to NSS proper. Such functions only confuse other users.

 *

 */

static Error

check_crypto(PRBool create, PRBool readOnly)

{

	char *dir;

	char *moddbname=NULL;

	Error retval;

	static const char multiaccess[] = { "multiaccess:" };

	dir = SECU_ConfigDirectory(dbdir); /* dir is never NULL */

	if (dir[0] == '\0') {

		PR_fprintf(PR_STDERR, errStrings[NO_DBDIR_ERR]);

		retval=NO_DBDIR_ERR;

		goto loser;

	}

	if (strncmp(dir, multiaccess, sizeof multiaccess - 1) == 0) {

		/* won't attempt to handle the multiaccess case. */

		return SUCCESS;

	}

#ifdef notdef

	/* Make sure db directory exists and is readable */

	if(PR_Access(dir, PR_ACCESS_EXISTS) != PR_SUCCESS) {

		PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dir);

		retval = DIR_DOESNT_EXIST_ERR;

		goto loser;

	} else if(PR_Access(dir, PR_ACCESS_READ_OK) != PR_SUCCESS) {

		PR_fprintf(PR_STDERR, errStrings[DIR_NOT_READABLE_ERR], dir);

		retval = DIR_NOT_READABLE_ERR;

		goto loser;

	}

	if (secmodName == NULL) {

		secmodName = "secmod.db";

	}

	moddbname = PR_smprintf("%s/%s", dir, secmodName);

	if (!moddbname)

	    return OUT_OF_MEM_ERR;

	/* Check for the proper permissions on databases */

	if(create) {

		/* Make sure dbs don't already exist, and the directory is

			writeable */

		if(PR_Access(moddbname, PR_ACCESS_EXISTS)==PR_SUCCESS) {

			PR_fprintf(PR_STDERR, errStrings[FILE_ALREADY_EXISTS_ERR],

			           moddbname);

			retval=FILE_ALREADY_EXISTS_ERR;

			goto loser;

		} else 

		if(PR_Access(dir, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {

			PR_fprintf(PR_STDERR, errStrings[DIR_NOT_WRITEABLE_ERR], dir);

			retval=DIR_NOT_WRITEABLE_ERR;

			goto loser;

		}

	} else {

		/* Make sure dbs are readable and writeable */

		if(PR_Access(moddbname, PR_ACCESS_READ_OK) != PR_SUCCESS) {

			PR_fprintf(PR_STDERR, errStrings[FILE_NOT_READABLE_ERR], moddbname);

			retval=FILE_NOT_READABLE_ERR;

			goto loser;

		}

		/* Check for write access if we'll be making changes */

		if( !readOnly ) {

			if(PR_Access(moddbname, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {

				PR_fprintf(PR_STDERR, errStrings[FILE_NOT_WRITEABLE_ERR],

							moddbname);

				retval=FILE_NOT_WRITEABLE_ERR;

				goto loser;

			}

		}

		PR_fprintf(PR_STDOUT, msgStrings[USING_DBDIR_MSG],

		  SECU_ConfigDirectory(NULL));

	}

#endif

	retval=SUCCESS;

loser:

	if (moddbname) {

		PR_Free(moddbname);

	}

	return retval;

}

static Error

init_crypto(PRBool create, PRBool readOnly)

{

	PRUint32  flags = 0;

	SECStatus rv;

	Error     retval;

	/* Open/create key database */

	if (readOnly) flags |= NSS_INIT_READONLY;

	if (nocertdb) flags |= NSS_INIT_NOCERTDB;

	rv = NSS_Initialize(SECU_ConfigDirectory(NULL), dbprefix, dbprefix,

		       secmodName, flags);

	if (rv != SECSuccess) {

		SECU_PrintPRandOSError(progName);

		retval=NSS_INITIALIZE_FAILED_ERR;

	} else 

		retval=SUCCESS;

	return retval;

}

/*************************************************************************

 *

 * u s a g e

 */

static void

usage()

{

	PR_fprintf(PR_STDOUT,

"\nNetscape Cryptographic Module Utility\n"

"Usage: modutil [command] [options]\n\n"

"                            COMMANDS\n"

"---------------------------------------------------------------------------\n"

"-add MODULE_NAME                 Add the named module to the module database\n"

"   -libfile LIBRARY_FILE         The name of the file (.so or .dll)\n"

"                                 containing the implementation of PKCS #11\n"

"   [-ciphers CIPHER_LIST]        Enable the given ciphers on this module\n"

"   [-mechanisms MECHANISM_LIST]  Make the module a default provider of the\n"

"                                 given mechanisms\n"

"   [-string CONFIG_STRING]       Pass a configuration string to this module\n"

"-changepw TOKEN                  Change the password on the named token\n"

"   [-pwfile FILE]                The old password is in this file\n"

"   [-newpwfile FILE]             The new password is in this file\n"

"-chkfips [ true | false ]        If true, verify  FIPS mode.  If false,\n"

"                                 verify not FIPS mode\n"

"-create                          Create a new set of security databases\n"

"-default MODULE                  Make the given module a default provider\n"

"   -mechanisms MECHANISM_LIST    of the given mechanisms\n"

"   [-slot SLOT]                  limit change to only the given slot\n"

"-delete MODULE                   Remove the named module from the module\n"

"                                 database\n"

"-disable MODULE                  Disable the named module\n"

"   [-slot SLOT]                  Disable only the named slot on the module\n"

"-enable MODULE                   Enable the named module\n"

"   [-slot SLOT]                  Enable only the named slot on the module\n"

"-fips [ true | false ]           If true, enable FIPS mode.  If false,\n"

"                                 disable FIPS mode\n"

"-force                           Do not run interactively\n"

"-jar JARFILE                     Install a PKCS #11 module from the given\n"

"                                 JAR file in the PKCS #11 JAR format\n"

"   -installdir DIR               Use DIR as the root directory of the\n"

"                                 installation\n"

"   [-tempdir DIR]                Use DIR as the temporary installation\n"

"                                 directory. If not specified, the current\n"

"                                 directory is used\n"

"-list [MODULE]                   Lists information about the specified module\n"

"                                 or about all modules if none is specified\n"

"-rawadd MODULESPEC               Add module spec string to secmod DB\n"

"-rawlist [MODULE]                Display module spec(s) for one or all\n"

"                                 loadable modules\n"

"-undefault MODULE                The given module is NOT a default provider\n"

"   -mechanisms MECHANISM_LIST    of the listed mechanisms\n"

"   [-slot SLOT]                  limit change to only the given slot\n"

"---------------------------------------------------------------------------\n"

"\n"

"                             OPTIONS\n"

"---------------------------------------------------------------------------\n"

"-dbdir DIR                       Directory DIR contains the security databases\n"

"-dbprefix prefix                 Prefix for the security databases\n"

"-nocertdb                        Do not load certificate or key databases. No\n"

"                                 verification will be performed on JAR files.\n"

"-secmod secmodName               Name of the security modules file\n"

"---------------------------------------------------------------------------\n"

"\n"

"Mechanism lists are colon-separated.  The following mechanisms are recognized:\n"

"RSA, DSA, DH, RC2, RC4, RC5, AES, CAMELLIA, DES, MD2, MD5, SHA1, SHA256, SHA512,\n"

"SSL, TLS, RANDOM, and FRIENDLY\n"

"\n"

"Cipher lists are colon-separated.  The following ciphers are recognized:\n"

"\n"

"\nQuestions or bug reports should be sent to modutil-support@netscape.com.\n"

);

}

/*************************************************************************

 *

 * m a i n

 */

int

main(int argc, char *argv[])

{

	int errcode = SUCCESS;

	PRBool createdb, readOnly;

#define STDINBUF_SIZE 80

	char stdinbuf[STDINBUF_SIZE];

	progName = strrchr(argv[0], '/');

	progName = progName ? progName+1 : argv[0];

	PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);

	if(parse_args(argc, argv) != SUCCESS) {

		usage();

		errcode = INVALID_USAGE_ERR;

		goto loser;

	}

	if(verify_params() != SUCCESS) {

		usage();

		errcode = INVALID_USAGE_ERR;

		goto loser;

	}

	if(command==NO_COMMAND) {

		PR_fprintf(PR_STDERR, errStrings[NO_COMMAND_ERR]);

		usage();

		errcode = INVALID_USAGE_ERR;

		goto loser;

	}

	/* Set up crypto stuff */

	createdb = command==CREATE_COMMAND;

	readOnly = ((command == LIST_COMMAND) || 

	            (command == CHKFIPS_COMMAND) ||

	            (command == RAW_LIST_COMMAND));

	/* Make sure browser is not running if we're writing to a database */

	/* Do this before initializing crypto */

	if(!readOnly && !force) {

		char *response;

		PR_fprintf(PR_STDOUT, msgStrings[BROWSER_RUNNING_MSG]);

		if( ! PR_fgets(stdinbuf, STDINBUF_SIZE, PR_STDIN)) {

			PR_fprintf(PR_STDERR, errStrings[STDIN_READ_ERR]);

			errcode = STDIN_READ_ERR;

			goto loser;

		}

		if( (response=strtok(stdinbuf, " \r\n\t")) ) {

			if(!PL_strcasecmp(response, "q")) {

				PR_fprintf(PR_STDOUT, msgStrings[ABORTING_MSG]);

				errcode = SUCCESS;

				goto loser;

			}

		}

		PR_fprintf(PR_STDOUT, "\n");

	}

	errcode = check_crypto(createdb, readOnly);

	if( errcode != SUCCESS) {

		goto loser;

	}

	if ((command == RAW_LIST_COMMAND) || (command == RAW_ADD_COMMAND)) {

		if(!moduleName) {

			char *readOnlyStr, *noCertDBStr, *sep;

			if (!secmodName) secmodName="secmod.db";

			if (!dbprefix) dbprefix = "";

			sep = ((command == RAW_LIST_COMMAND) && nocertdb) ? "," : " ";

			readOnlyStr = (command == RAW_LIST_COMMAND) ? "readOnly" : "" ;

			noCertDBStr = nocertdb ? "noCertDB" : "";

			SECU_ConfigDirectory(dbdir);

			moduleName=PR_smprintf(

    "name=\"NSS default Module DB\" parameters=\"configdir=%s certPrefix=%s "

    "keyPrefix=%s secmod=%s flags=%s%s%s\" NSS=\"flags=internal,moduleDB,"

    "moduleDBOnly,critical\"",

			                       SECU_ConfigDirectory(NULL),dbprefix,dbprefix,

			                       secmodName, readOnlyStr,sep, noCertDBStr);

		}

		if (command == RAW_LIST_COMMAND) {

			errcode = RawListModule(moduleName);

		} else {

			PORT_Assert(moduleSpec);

			errcode = RawAddModule(moduleName,moduleSpec);

		}

		goto loser;

	}

	errcode = init_crypto(createdb, readOnly);

	if( errcode != SUCCESS) {

		goto loser;

	}

	errcode = LoadMechanismList();

	if (errcode != SUCCESS) {

		goto loser;

	}

	/* Execute the command */

	switch(command) {

	case ADD_COMMAND:

		errcode = AddModule(moduleName, libFile, ciphers, mechanisms, secmodString);

		break;

	case CHANGEPW_COMMAND:

		errcode = ChangePW(tokenName, pwFile, newpwFile);

		break;

	case CREATE_COMMAND:

		/* The work was already done in init_crypto() */

		break;

	case DEFAULT_COMMAND:

		errcode = SetDefaultModule(moduleName, slotName, mechanisms);

		break;

	case DELETE_COMMAND:

		errcode = DeleteModule(moduleName);

		break;

	case DISABLE_COMMAND:

		errcode = EnableModule(moduleName, slotName, PR_FALSE);

		break;

	case ENABLE_COMMAND:

		errcode = EnableModule(moduleName, slotName, PR_TRUE);

		break;

	case FIPS_COMMAND:

		errcode = FipsMode(fipsArg);

		break;

	case CHKFIPS_COMMAND:

		errcode = ChkFipsMode(fipsArg);

		break;

	case JAR_COMMAND:

		Pk11Install_SetErrorHandler(install_error);

		errcode = Pk11Install_DoInstall(jarFile, installDir, tempDir,

		                                PR_STDOUT, force, nocertdb);

		break;

	case LIST_COMMAND:

		if(moduleName) {

			errcode = ListModule(moduleName);

		} else {

			errcode = ListModules();

		}