/*

   Copyright 2005 Red Hat, Inc.

   This program is free software; you can redistribute it and/or modify

   it under the terms of the GNU General Public License as published by

   the Free Software Foundation; either version 2 of the License, or

   (at your option) any later version.

   This program is distributed in the hope that it will be useful,

   but WITHOUT ANY WARRANTY; without even the implied warranty of

   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License

   along with this program; if not, write to the Free Software

   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

   In addition, as a special exception, Red Hat, Inc. gives permission

   to link the code of this program with the OpenSSL library (or with

   modified versions of OpenSSL that use the same license as OpenSSL),

   and distribute linked combinations including the two. You must obey

   the GNU General Public License in all respects for all of the code

   used other than OpenSSL. If you modify this file, you may extend

   this exception to your version of the file, but you are not

   obligated to do so. If you do not wish to do so, delete this

   exception statement from your version.

*/

/* ***** BEGIN LICENSE BLOCK *****

 * Version: MPL 1.1/GPL 2.0/LGPL 2.1

 *

 * The contents of this file are subject to the Mozilla Public License Version

 * 1.1 (the "License"); you may not use this file except in compliance with

 * the License. You may obtain a copy of the License at

 * http://www.mozilla.org/MPL/

 *

 * Software distributed under the License is distributed on an "AS IS" basis,

 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License

 * for the specific language governing rights and limitations under the

 * License.

 *

 * The Original Code is the Netscape security libraries.

 *

 * The Initial Developer of the Original Code is

 * Netscape Communications Corporation.

 * Portions created by the Initial Developer are Copyright (C) 1994-2000

 * the Initial Developer. All Rights Reserved.

 *

 * Contributor(s):

 *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories

 *

 * Alternatively, the contents of this file may be used under the terms of

 * either the GNU General Public License Version 2 or later (the "GPL"), or

 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),

 * in which case the provisions of the GPL or the LGPL are applicable instead

 * of those above. If you wish to allow use of your version of this file only

 * under the terms of either the GPL or the LGPL, and not to allow others to

 * use your version of this file under the terms of the MPL, indicate your

 * decision by deleting the provisions above and replace them with the notice

 * and other provisions required by the GPL or the LGPL. If you do not delete

 * the provisions above, a recipient may use your version of this file under

 * the terms of any one of the MPL, the GPL or the LGPL.

 *

 * ***** END LICENSE BLOCK ***** */

/*

 * keyutil.c

 *

 * Command line utility for generating certificates and certificate signing requests.

 * It is invoked by crypto-utils' genkey when used in OpenSSL compatibility mode.

 *

 * Key generation, encryption, and certificate utility code based on

 * on code from NSS's security utilities and the certutil application.

 * Pem file key and certificate loading code based on code from the

 * NSS-enabled libcurl.

 * Elio Maldonado <emaldona@redhat.com>

 *

 */

#include <stdio.h>

#include <string.h>

#include <stdlib.h>

#include <unistd.h>

#include <sys/time.h>

#include <termios.h>

#include <prerror.h>

#include <secerr.h>

#include <secport.h>

#include <nspr.h>

#include <nss.h>

#include <cert.h>

#include <certt.h>

#include <prio.h>

#include <prlong.h>

#include <prtime.h>

#include <pkcs11.h>

#include <pk11pub.h>

#include <pkcs11t.h>

#include <assert.h>

#include <secmod.h>

#include <base64.h>

#include <seccomon.h>

#include <secmodt.h>

#include <secoidt.h>

#include <keythi.h>

#include <keyhi.h>

#include <cryptohi.h>

#include <plarenas.h>

#include <secasn1.h>

#include <secpkcs5.h>

#include <keythi.h>

#include <secmodt.h>

#include <stdio.h>

#include <string.h>

#include <stdlib.h>

#include <getopt.h>

#include <time.h>

#include "keyutil.h"

#include "secutil.h"

#define MIN_KEY_BITS        512

/* MAX_KEY_BITS should agree with MAX_RSA_MODULUS in freebl */

#define MAX_KEY_BITS        8192

#define DEFAULT_KEY_BITS    1024

#define SEC_CT_PRIVATE_KEY      "private-key"

#define SEC_CT_PUBLIC_KEY       "public-key"

#define SEC_CT_CERTIFICATE      "certificate"

#define SEC_CT_CERTIFICATE_REQUEST  "certificate-request"

#define SEC_CT_PKCS7            "pkcs7"

#define SEC_CT_CRL          "crl"

#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"

#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"

#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"

#define NS_CERT_TRAILER "-----END CERTIFICATE-----"

#define NS_CRL_HEADER  "-----BEGIN CRL-----"

#define NS_CRL_TRAILER "-----END CRL-----"

#define KEY_HEADER  "-----BEGIN PRIVATE KEY-----"

#define KEY_TRAILER "-----END PRIVATE KEY-----"

#define ENCRYPTED_KEY_HEADER  "-----BEGIN ENCRYPTED PRIVATE KEY-----"

#define ENCRYPTED_KEY_TRAILER "-----END ENCRYPTED PRIVATE KEY-----"

#define REP_MECHANISM mechanism[testId/2/2%46]

#define NUM_KEYSTROKES 120

#define RAND_BUF_SIZE 60

#define ERROR_BREAK rv = SECFailure;break;

#define GEN_BREAK(e) rv=e; break;

struct tuple_str {

    PRErrorCode  errNum;

    const char * errString;

};

typedef struct tuple_str tuple_str;

#define ER2(a,b)   {a, b},

#define ER3(a,b,c) {a, c},

#include "secerr.h"

#include "sslerr.h"

#ifndef PK11_SETATTRS

#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \

		(x)->pValue=(v); (x)->ulValueLen = (l);

#endif

SECMODModule* mod = NULL; /* the pem module */

static const char* pem_library = "libnsspem.so";

/* will use this slot only */

CK_SLOT_ID slotID = 1;

char *progName;

static const struct option options[] = {

    { "command",    required_argument, NULL, 'c' },

    { "renew",      required_argument, NULL, 'r' },

    { "subject",    required_argument, NULL, 's' },

    { "gkeysize",   required_argument, NULL, 'g' },

    { "validity",   required_argument, NULL, 'v' },

    { "encpwd",     required_argument, NULL, 'e' },

    { "filepwdnss", required_argument, NULL, 'f' },

    { "digest",     required_argument, NULL, 'd' },

    { "znoisefile", required_argument, NULL, 'z' },

    { "input",      required_argument, NULL, 'i' }, /* key in */

    { "passout",    required_argument, NULL, 'p' },

    { "output",     required_argument, NULL, 'o' }, /* reg, cert, enckey */

    { "keyout",     required_argument, NULL, 'k' }, /* plaintext key */

    { "ascii",      no_argument,       NULL, 'a' }, /* ascii */

    { "cacert",     no_argument,       NULL, 't' }, /* ca cert renewal */

    { "help",       no_argument,       NULL, 'h' },

    { NULL }

};

static certutilExtnList keyutil_extns;

static void

Usage(char *progName)

{

    fprintf(stderr, "Usage: %s [options] arguments\n", progName);

    fprintf(stderr, "{-c|--command} command, one of [genreq|makecert]\n");

    fprintf(stderr, "{-r|--renew} cert-to-renew     the file with the certifificast to renew\n");

    fprintf(stderr, "{-s|--subject} subject         subject distinguished name");

    fprintf(stderr, "{-g|--gsize} key_size          size in bitsof the rsa key to generate\n");

    fprintf(stderr, "{-v|--validity} months         cert validity in months");

    fprintf(stderr, "{-z|--znoisefile} noisefile    seed file for use in key generation\n");

    fprintf(stderr, "{-e|--encpwd} keypwd           key encryption_password\n");

    fprintf(stderr, "{-f|--filepwdnss} modpwdfile   file with the module access_password\n");

    fprintf(stderr, "{-d|--digest} digest-algorithm digest algorithm\n");

    fprintf(stderr, "{-i|--input} inputkey-file     file with key with which to encrypt or to sign a request\n");

    fprintf(stderr, "{-p|--passout} pbe-password    the password for encrypting of the key\n");

    fprintf(stderr, "{-o|--output} out-file         output file for a csr or cert\n");

    fprintf(stderr, "{-k|--keyfile} out-key-file    output key file, with csr or certgen\n");

    fprintf(stderr, "{-t|--cacert}                  indicates that cert renewal is for a ca\n");

    fprintf(stderr, "{-h|--help}                    print this help message\n");

    fprintf(stderr, "\n");

    exit(1);

}

/*

 * Authenticates to any token that may require it.

 * It also checks that the NSS database ahs been initialized.

 * This function is modeled after the one in libcurl.

 */

static SECStatus nss_Init_Tokens(secuPWData *pwdata)

{

    PK11SlotList *slotList;

    PK11SlotListElement *listEntry;

    SECStatus ret, status = SECSuccess;

    PK11_SetPasswordFunc(SECU_GetModulePassword);

    /* List all currently available tokens and traverse

     * the list authenticating to them

     */

    slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL);

    for (listEntry = PK11_GetFirstSafe(slotList);

         listEntry; listEntry = listEntry->next) {

        PK11SlotInfo *slot = listEntry->slot;

        if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {

            if (slot == PK11_GetInternalKeySlot()) {

                SECU_PrintError(progName ? progName : "keyutil",

                    "The NSS database has not been initialized\n");

            } else {

            	SECU_PrintError(progName,

                    "The token %s has not been initialized",

                    PK11_GetTokenName(slot));

            }

            PK11_FreeSlot(slot);

            continue;

        }

        ret = PK11_Authenticate(slot, PR_TRUE, &pwdata);

        if (SECSuccess != ret) {

            if (PR_GetError() == SEC_ERROR_BAD_PASSWORD) {

        	    SECU_PrintError(progName ? progName : "keyutil",

        	    "The password for token '%s' is incorrect\n",

        	    PK11_GetTokenName(slot));

            }

            status = SECFailure;

            break;

        }

        PK11_FreeSlot(slot);

    }

    return status;

}

/*

 * Loads the cert from the specified file into the module at

 * the specified slot.

 *

 * This function is modelled after the one in libcurl.

 *

 * @param slot the slot to load the cert into

 * @param cacert true if the cert is for a ca, false otherwise

 * @param certfile pem encoded file with the certificate

 * @param nickname the certificate niskanme

 */

static SECStatus loadCert(

    PK11SlotInfo *slot,

    PRBool cacert,

    const char *certfile,

    const char *nickname)

{

    SECStatus rv = SECSuccess;

    PK11GenericObject *genericObjCert;

    CK_ATTRIBUTE theCertTemplate[20];

    CK_ATTRIBUTE *attrs = NULL;

    CK_BBOOL cktrue = CK_TRUE;

    CK_BBOOL ckfalse = CK_FALSE;

    CK_OBJECT_CLASS certObjClass = CKO_CERTIFICATE;

    CERTCertificate *cert = NULL;

    do {

        /*

         * Load the certificate

         */

        attrs = theCertTemplate;

        PK11_SETATTRS(attrs, CKA_CLASS, &certObjClass, sizeof(certObjClass)); attrs++;

        PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL)); attrs++;

        PK11_SETATTRS(attrs, CKA_LABEL, (unsigned char *)certfile, strlen(certfile)+1); attrs++;

        if (cacert) {

            PK11_SETATTRS(attrs, CKA_TRUST, &cktrue, sizeof(CK_BBOOL) ); attrs++;

        } else {

            PK11_SETATTRS(attrs, CKA_TRUST, &ckfalse, sizeof(CK_BBOOL) ); attrs++;

        }

        /* Load the certificate in our PEM module into the appropriate slot. */

        genericObjCert = PK11_CreateGenericObject(slot, theCertTemplate, 4, PR_FALSE /* isPerm */);

        if (!genericObjCert) {

            rv = PR_GetError();

            SECU_PrintError(progName,

                "Unable to create object for cert, (%s)", PORT_ErrorToString(rv));

            break;

        }

        if (!cacert) {

            /* Double-check that the certificate or nickname requested exists in

             * either the token or the NSS certificate database.

             */

            cert = PK11_FindCertFromNickname((char *)nickname, NULL);

            if (!cert) {

            	SECU_PrintError(progName ? progName : "keyutil",

                    "Can't find cert named (%s), bailing out\n", nickname);

                rv = 255;

        	    break;

        	} else {

        	   rv = SECSuccess;

        	}

        } else {

        	rv = SECSuccess;

        }

    } while (0);

    if (cert)

        CERT_DestroyCertificate(cert);

    return rv;

}

/*

 * Loads the key from the specified file into the module at

 * the specified slot.

 *

 * function is modelled after the one in libcurl.

 * @param slot the slot into which the key will be loaded

 * @param keyfile the file from which the key will be read

 * @param nickname the nickname of the matching certificate

 */

static SECStatus loadKey(

    PK11SlotInfo *slot,

    const char *keyfile,

    const char *nickname,

    secuPWData *pwdata)

{

	SECStatus rv = SECSuccess;

    CK_ATTRIBUTE *attrs = NULL;

    CK_BBOOL cktrue = CK_TRUE;

	PRBool isPresent;

    PK11GenericObject *object;

    CK_ATTRIBUTE theTemplate[20];

    CK_OBJECT_CLASS objClass = CKO_PRIVATE_KEY;

    CERTCertificate *cert = NULL;

    SECKEYPrivateKey *privkey = NULL;

    do {

        attrs = theTemplate;

        PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass) ); attrs++;

        PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL) ); attrs++;

        PK11_SETATTRS(attrs, CKA_LABEL, (unsigned char *)keyfile, strlen(keyfile)+1); attrs++;

        /* When adding an encrypted key the PKCS#11 will be set as removed */

        object = PK11_CreateGenericObject(slot, theTemplate, 3, PR_FALSE /* isPerm */);

        if (!object) {

            rv = SEC_ERROR_BAD_KEY;

            PR_SetError(rv, 0);

            SECU_PrintError(progName ? progName : "keyutil",

                "Unable to create key object (%s)\n", PORT_ErrorToString(rv));

            break;

        }

        /* This will force the token to be seen as re-inserted */

        (void) SECMOD_WaitForAnyTokenEvent(mod, 0, 0);

        isPresent = PK11_IsPresent(slot);

        assert(isPresent);

        rv = PK11_Authenticate(slot, PR_TRUE, pwdata);

        if (rv != SECSuccess) {

            SECU_PrintError(progName ? progName : "keyutil",

                "Can't authenticate\n");

            break;

        }

        /* must find it again because "reinsertion" */

        cert = PK11_FindCertFromNickname((char *)nickname, NULL);

        assert(cert);

        /* Can we find the key? */

        privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata);

        if (!privkey) {

            rv = PR_GetError();

            SECU_PrintError(progName ? progName : "keyutil",

                "Unable to find the key for cert, (%s)\n", PORT_ErrorToString(rv));

            GEN_BREAK(SECFailure);

        }

        rv = SECSuccess;

    } while (0);

    if (cert)

        CERT_DestroyCertificate(cert);

    return rv;

}

/*

 * Loads the certificate and private key from the specified files into

 * the PEM the module at the specified slot.

 *

 * @param slot the slot to load into

 * @param certfile the certificate file

 * @param nickname the certificate nickname

 * @param keyfile the key file

 * @param pwdata access password

 */

static SECStatus

loadCertAndKey(

    PK11SlotInfo *slot,

    PRBool cacert,

    const char *certfile,

    const char *nickname,

    const char *keyfile,

    secuPWData *pwdata)

{

    SECStatus rv = SECSuccess;

    /*

     * Load the certificate first

     */

    rv = loadCert(slot, cacert, certfile, nickname);

    if (rv != SECSuccess) return rv;

    /*

     * Load the private key next

     */

    rv = loadKey(slot, keyfile, nickname, pwdata);

    return rv;

}

/*

 * Extract the public and private keys and the subject

 * distinguished from the cert with the given nickname

 * in the given slot.

 *

 * @param nickname the certificate nickname

 * @param slot the slot where keys it was loaded

 * @param pwdat module authentication password

 * @param privkey private key out

 * @param pubkey public key out

 * @param subject subject out

 */

static SECStatus extractRSAKeysAndSubject(

	const char *nickname,

	PK11SlotInfo *slot,

	secuPWData *pwdata,

    SECKEYPrivateKey **privkey,

    SECKEYPublicKey **pubkey,

    CERTName **subject)

{

    SECStatus rv = SECSuccess;

    CERTCertificate *cert = NULL;

    do {

        cert = PK11_FindCertFromNickname((char *)nickname, NULL);

        if (!cert) {

            GEN_BREAK(SECFailure);

        }

        *pubkey = CERT_ExtractPublicKey(cert);

        if (!*pubkey) {

            SECU_PrintError(progName,

                "Could not get public key from cert, (%s)\n",

                PORT_ErrorToString(PR_GetError()));

            GEN_BREAK(SECFailure);

        }

        *privkey = PK11_FindKeyByDERCert(slot, cert, pwdata);

        if (!*privkey) {

            rv = PR_GetError();

            SECU_PrintError(progName,

                "Unable to find the key with PK11_FindKeyByDERCert, (%s)\n",

                PORT_ErrorToString(rv));

            *privkey= PK11_FindKeyByAnyCert(cert, &pwdata);

            rv = PR_GetError();

            SECU_PrintError(progName,

                "Unable to find the key with PK11_FindKeyByAnyCert, (%s)\n",

                PORT_ErrorToString(rv));

            GEN_BREAK(SECFailure);

        }

        assert(((*privkey)->keyType) == rsaKey);

        *subject = CERT_AsciiToName(cert->subjectName);

        if (!*subject) {

            SECU_PrintError(progName,

                "Improperly formatted name: \"%s\"\n",

                cert->subjectName);

            GEN_BREAK(SECFailure);

        }

        rv = SECSuccess;

    } while (0);

    if (cert)

        CERT_DestroyCertificate(cert);

    return rv;

}

/*

 * GetCertRequest, CertReq, MakeV1Cert, SignCert, and CreateCert

 * are modeled after the corresponding ones in certutil.

 */

static CERTCertificateRequest *

GetCertRequest(PRFileDesc *inFile, PRBool ascii)

{

    CERTCertificateRequest *certReq = NULL;

    CERTSignedData signedData;

    PRArenaPool *arena = NULL;

    SECItem reqDER;

    SECStatus rv;

    reqDER.data = NULL;

    do {

        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

        if (arena == NULL) {

            GEN_BREAK(SECFailure);

        }

        rv = SECU_ReadDERFromFile(&reqDER, inFile, ascii);

        if (rv) {

        	GEN_BREAK(rv);

        }

        certReq = (CERTCertificateRequest*) PORT_ArenaZAlloc

          (arena, sizeof(CERTCertificateRequest));

        if (!certReq) {

            GEN_BREAK(SECFailure);

        }

        certReq->arena = arena;

        /* Since cert request is a signed data, must decode to get the inner

           data

         */

        PORT_Memset(&signedData, 0, sizeof(signedData));

        rv = SEC_ASN1DecodeItem(arena, &signedData,

            SEC_ASN1_GET(CERT_SignedDataTemplate), &reqDER);

        if (rv) {

            GEN_BREAK(rv);

        }

        rv = SEC_ASN1DecodeItem(arena, certReq,

                SEC_ASN1_GET(CERT_CertificateRequestTemplate), &signedData.data);

        if (rv) {

            GEN_BREAK(rv);

        }

        rv = CERT_VerifySignedDataWithPublicKeyInfo(&signedData,

                &certReq->subjectPublicKeyInfo, NULL /* wincx */);

    } while (0);

    if (reqDER.data) {

        SECITEM_FreeItem(&reqDER, PR_FALSE);

    }

    if (rv) {

        SECU_PrintError(progName, "bad certificate request\n");

        if (arena) {

            PORT_FreeArena(arena, PR_FALSE);

        }

        certReq = NULL;

    }

    return certReq;

}

static SECStatus

CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,

        SECOidTag hashAlgTag, CERTName *subject, char *phone, int ascii,

        const char *emailAddrs, const char *dnsNames,

        certutilExtnList extnList,

        PRFileDesc *outFile)

{

    CERTSubjectPublicKeyInfo *spki;

    CERTCertificateRequest *cr;

    SECItem *encoding;

    SECOidTag signAlgTag;

    SECItem result;

    SECStatus rv;

    PRArenaPool *arena;

    PRInt32 numBytes;

    void *extHandle;

    /* Create info about public key */

    spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);

    if (!spki) {

        SECU_PrintError(progName, "unable to create subject public key");

        return SECFailure;

    }

    /* Generate certificate request */

    cr = CERT_CreateCertificateRequest(subject, spki, NULL);

    if (!cr) {

        SECU_PrintError(progName, "unable to make certificate request");

        return SECFailure;

    }

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

    if ( !arena ) {

        SECU_PrintError(progName, "out of memory");

        return SECFailure;

    }

    extHandle = CERT_StartCertificateRequestAttributes(cr);

    if (extHandle == NULL) {

        PORT_FreeArena (arena, PR_FALSE);

        return SECFailure;

    }

    if (AddExtensions(extHandle, emailAddrs, dnsNames, extnList)

                  != SECSuccess) {

        PORT_FreeArena (arena, PR_FALSE);

        return SECFailure;

    }

    CERT_FinishExtensions(extHandle);

    CERT_FinishCertificateRequestAttributes(cr);

    /* Der encode the request */

    encoding = SEC_ASN1EncodeItem(arena, NULL, cr,

                                  SEC_ASN1_GET(CERT_CertificateRequestTemplate));

    if (encoding == NULL) {

        SECU_PrintError(progName, "der encoding of request failed");

        return SECFailure;

    }

    /* Sign the request */

    signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);

    if (signAlgTag == SEC_OID_UNKNOWN) {

        SECU_PrintError(progName, "unknown Key or Hash type");

        return SECFailure;

    }

    rv = SEC_DerSignData(arena, &result, encoding->data, encoding->len,

             privk, signAlgTag);

    if (rv) {

        SECU_PrintError(progName, "signing of data failed");

        return SECFailure;

    }

    /* Encode request in specified format */

    if (ascii) {

        char *obuf;

        char *name, *email, *org, *state, *country;

        SECItem *it;

        int total;

        it = &result;

        obuf = BTOA_ConvertItemToAscii(it);

        total = PL_strlen(obuf);

        name = CERT_GetCommonName(subject);

        if (!name) {

            name = strdup("(not specified)");

        }

        if (!phone)

            phone = strdup("(not specified)");

        email = CERT_GetCertEmailAddress(subject);

        if (!email)

            email = strdup("(not specified)");

        org = CERT_GetOrgName(subject);

        if (!org)

            org = strdup("(not specified)");

        state = CERT_GetStateName(subject);

        if (!state)

            state = strdup("(not specified)");

	    country = CERT_GetCountryName(subject);

	    if (!country)

	        country = strdup("(not specified)");

	    PR_fprintf(outFile, "%s\n", NS_CERTREQ_HEADER);

	    numBytes = PR_Write(outFile, obuf, total);

	    if (numBytes != total) {

	        SECU_PrintSystemError(progName, "write error");

	        return SECFailure;

	    }

	    PR_fprintf(outFile, "\n%s\n", NS_CERTREQ_TRAILER);

	} else {

	    numBytes = PR_Write(outFile, result.data, result.len);

	    if (numBytes != (int)result.len) {

	        SECU_PrintSystemError(progName, "write error");

	        return SECFailure;