@@ -423,63 +423,9 @@ int crtmgr_add_roots(struct cl_engine *engine, crtmgr *m) {

     cli_crt *crt, *new_crt;

     /*

-     * Only add trusted (and revoked) root certs once. Copy certs

-     * from engine's root certs list.

+     * Certs are cached in engine->cmgr. Copy from there.

      */

-    if (m == &(engine->cmgr)) {

-        do {

-            if(cli_crt_init(&ca))

-                return 1;

-

-            memset(ca.issuer, '\xca', sizeof(ca.issuer));

-            memcpy(ca.subject, MSCA_SUBJECT, sizeof(ca.subject));

-            memset(ca.serial, '\xca', sizeof(ca.serial));

-            if(mp_read_unsigned_bin(&ca.n, MSCA_MOD, sizeof(MSCA_MOD)-1) || mp_read_unsigned_bin(&ca.e, MSCA_EXP, sizeof(MSCA_EXP)-1)) {

-                cli_errmsg("crtmgr_add_roots: failed to read MSCA key\n");

-                break;

-            }

-            ca.not_before = 0;

-            ca.not_after = (-1U)>>1;

-            ca.certSign = 1;

-            ca.codeSign = 1;

-            ca.timeSign = 1;

-            if(crtmgr_add(m, &ca))

-                break;

-

-            memcpy(ca.subject, MSA_SUBJECT, sizeof(ca.subject));

-            if(mp_read_unsigned_bin(&ca.n, MSA_MOD, sizeof(MSA_MOD)-1) || mp_read_unsigned_bin(&ca.e, MSA_EXP, sizeof(MSA_EXP)-1)) {

-                cli_errmsg("crtmgr_add_roots: failed to read MSA key\n");

-                break;

-            }

-            if(crtmgr_add(m, &ca))

-                break;

-

-            memcpy(ca.subject, VER_SUBJECT, sizeof(ca.subject));

-            if(mp_read_unsigned_bin(&ca.n, VER_MOD, sizeof(VER_MOD)-1) || mp_read_unsigned_bin(&ca.e, VER_EXP, sizeof(VER_EXP)-1)) {

-                cli_errmsg("crtmgr_add_roots: failed to read VER key\n");

-                break;

-            }

-            ca.timeSign = 0;

-            if(crtmgr_add(m, &ca))

-                break;

-

-            memcpy(ca.subject, THAW_SUBJECT, sizeof(ca.subject));

-            if(mp_read_unsigned_bin(&ca.n, THAW_MOD, sizeof(THAW_MOD)-1) || mp_read_unsigned_bin(&ca.e, THAW_EXP, sizeof(THAW_EXP)-1)) {

-                cli_errmsg("crtmgr_add_roots: failed to read THAW key\n");

-                break;

-            }

-            ca.codeSign = 0;

-            ca.timeSign = 1;

-            if(crtmgr_add(m, &ca))

-                break;

-

-            return 0;

-        } while(0);

-

-        cli_crt_clear(&ca);

-        crtmgr_free(m);

-        return 1;

-    } else {

+    if (m != &(engine->cmgr)) {

        for (crt = engine->cmgr.crts; crt != NULL; crt = crt->next) {

            if (crtmgr_add(m, crt)) {

                crtmgr_free(m);

@@ -490,5 +436,5 @@ int crtmgr_add_roots(struct cl_engine *engine, crtmgr *m) {

        return 0;

     }

-    return 1;

+    return 0;

 }

@@ -2362,6 +2362,118 @@ static int cli_loadcdb(FILE *fs, struct cl_engine *engine, unsigned int *signo,

     return CL_SUCCESS;

 }

+/* 

+ * Name;trusted:subject:pubkey;exponent;comment[;minFL;maxFL]

+ * Name and comment are ignored. They're just for the end user.

+ */

+#define CRT_TOKENS 11

+static int cli_loadcrt(FILE *fs, struct cl_engine *engine, struct cli_dbio *dbio) {

+    char buffer[FILEBUFF];

+    char *tokens[CRT_TOKENS+1];

+    size_t line=0, tokens_count, i, j;

+    cli_crt ca;

+    int ret=CL_SUCCESS;

+    char *subject, *pubkey, *exponent;

+    const uint8_t exp[] = "\x01\x00\x01";

+    char c;

+

+    cli_crt_init(&ca);

+    memset(ca.issuer, '\xca', sizeof(ca.issuer));

+    memset(ca.serial, '\xca', sizeof(ca.serial));

+

+    while (cli_dbgets(buffer, FILEBUFF, fs, dbio)) {

+        line++;

+

+        if (buffer[0] == '#')

+            continue;

+

+        cli_chomp(buffer);

+        if (!strlen(buffer))

+            continue;

+

+        tokens_count = cli_strtokenize(buffer, ';', CRT_TOKENS + 1, (const char **)tokens);

+        if (tokens_count > CRT_TOKENS || tokens_count < CRT_TOKENS - 2) {

+            cli_errmsg("cli_loadcrt: line %u: Invalid number of tokens: %u\n", line, tokens_count);

+            ret = CL_EMALFDB;

+            goto end;

+        }

+

+        switch (tokens[1][0]) {

+            case '1':

+                ca.isBlacklisted = 0;

+                break;

+            case '0':

+                ca.isBlacklisted = 1;

+                break;

+            default:

+                cli_errmsg("cli_loadcrt: line %u: Invalid trust specification. Expected 0 or 1\n", line);

+                ret = CL_EMALFDB;

+                goto end;

+        }

+

+        subject = cli_hex2str(tokens[2]);

+        pubkey = cli_hex2str(tokens[3]);

+

+        if (!subject) {

+            cli_errmsg("cli_loadcrt: line %u: Cannot convert subject to binary string\n", line);

+            ret = CL_EMALFDB;

+            goto end;

+        }

+        if (!pubkey) {

+            cli_errmsg("cli_loadcrt: line %u: Cannot convert public key to binary string\n", line);

+            ret = CL_EMALFDB;

+            goto end;

+        }

+

+        memcpy(ca.subject, subject, sizeof(ca.subject));

+        if (mp_read_unsigned_bin(&(ca.n), pubkey, strlen(tokens[3])/2) || mp_read_unsigned_bin(&(ca.e), exp, sizeof(exp)-1)) {

+            cli_errmsg("cli_loadcrt: line %u: Cannot convert exponent to binary data\n", line);

+            ret = CL_EMALFDB;

+            goto end;

+        }

+

+        cli_dbgmsg("sizeof(exp): %u. sizeof(exp)-1: %u\n", sizeof(exp), sizeof(exp)-1);

+

+        switch (tokens[5][0]) {

+            case '1':

+                ca.codeSign = 1;

+                break;

+            case '0':

+                ca.codeSign = 0;

+                break;

+            default:

+                cli_errmsg("cli_loadcrt: line %u: Invalid code sign specification. Expected 0 or 1\n", line);

+                ret = CL_EMALFDB;

+                goto end;

+        }

+

+        switch (tokens[6][0]) {

+            case '1':

+                ca.timeSign = 1;

+                break;

+            case '0':

+                ca.timeSign = 0;

+                break;

+            default:

+                cli_errmsg("cli_loadcrt: line %u: Invalid time sign specification. Expected 0 or 1\n", line);

+                ret = CL_EMALFDB;

+                goto end;

+        }

+

+        if (strlen(tokens[7]))

+            ca.not_before = atoi(tokens[7]);

+        ca.not_after = (-1U)>>1;

+        ca.certSign = 1;

+

+        crtmgr_add(&(engine->cmgr), &ca);

+    }

+

+end:

+    cli_dbgmsg("Number of certs: %d\n", engine->cmgr.items);

+    cli_crt_clear(&ca);

+    return ret;

+}

+

 static int cli_loadmscat(FILE *fs, const char *dbname, struct cl_engine *engine, unsigned int options, struct cli_dbio *dbio) {

     fmap_t *map;

@@ -2422,6 +2534,9 @@ int cli_load(const char *filename, struct cl_engine *engine, unsigned int *signo

     } else if(cli_strbcasestr(dbname, ".cud")) {

 	ret = cli_cvdload(fs, engine, signo, options, 2, filename, 0);

+    } else if (cli_strbcasestr(dbname, ".crt")) {

+        ret = cli_loadcrt(fs, engine, dbio);

+

     } else if(cli_strbcasestr(dbname, ".hdb") || cli_strbcasestr(dbname, ".hsb")) {

 	ret = cli_loadhash(fs, engine, signo, MD5_HDB, options, dbio, dbname);

     } else if(cli_strbcasestr(dbname, ".hdu") || cli_strbcasestr(dbname, ".hsu")) {

@@ -60,6 +60,7 @@

 	cli_strbcasestr(ext, ".cud")   ||	\

 	cli_strbcasestr(ext, ".cdb")   ||	\

 	cli_strbcasestr(ext, ".cat")   ||	\

+	cli_strbcasestr(ext, ".crt")   ||	\

 	cli_strbcasestr(ext, ".idb")		\

     )