Bug 876352 - certutil: (a) Warn if importing PEM file with private key (b) fail if user attempts to import cert with requested "u" trust, r=rrelyea
authorKai Engert <kaie@kuix.de>
Tue, 11 Jun 2013 21:14:37 +0200
changeset 10809 edcb5af30559f674311bd0de0f45f137ec4d6327
parent 10808 d23a241f9ab54b228c46f6d7e59b56749a62a933
child 10810 7f527629198a0b75ebca8ee3ed7a4756cac04472
push id117
push userkaie@kuix.de
push dateTue, 11 Jun 2013 19:14:44 +0000
reviewersrrelyea
bugs876352
Bug 876352 - certutil: (a) Warn if importing PEM file with private key (b) fail if user attempts to import cert with requested "u" trust, r=rrelyea
cmd/certutil/certutil.c
cmd/checkcert/checkcert.c
cmd/crlutil/crlutil.c
cmd/derdump/derdump.c
cmd/lib/secutil.c
cmd/lib/secutil.h
cmd/libpkix/pkix/top/test_validatechain_bc.c
cmd/libpkix/sample_apps/build_chain.c
cmd/libpkix/sample_apps/dumpcert.c
cmd/libpkix/sample_apps/dumpcrl.c
cmd/libpkix/sample_apps/validate_chain.c
cmd/libpkix/testutil/testutil_nss.c
cmd/ocspclnt/ocspclnt.c
cmd/p7content/p7content.c
cmd/p7sign/p7sign.c
cmd/p7verify/p7verify.c
cmd/pk1sign/pk1sign.c
cmd/pp/pp.c
cmd/selfserv/selfserv.c
cmd/signver/signver.c
cmd/vfychain/vfychain.c
--- a/cmd/certutil/certutil.c
+++ b/cmd/certutil/certutil.c
@@ -3153,17 +3153,18 @@ merge_fail:
     }
 
     /* -A -C or -E    Read inFile */
     if (certutil.commands[cmd_CreateNewCert].activated ||
 	certutil.commands[cmd_AddCert].activated ||
 	certutil.commands[cmd_AddEmailCert].activated) {
 	PRBool isCreate = certutil.commands[cmd_CreateNewCert].activated;
 	rv = SECU_ReadDERFromFile(isCreate ? &certReqDER : &certDER, inFile,
-				  certutil.options[opt_ASCIIForIO].activated);
+				  certutil.options[opt_ASCIIForIO].activated,
+				  PR_TRUE);
 	if (rv)
 	    goto shutdown;
     }
 
     /*
      *  Certificate request
      */
 
@@ -3224,16 +3225,20 @@ merge_fail:
     /* 
      * Adding a cert to the database (or slot)
      */
 
     /* -A -E or -S    Add the cert to the DB */
     if (certutil.commands[cmd_CreateAndAddCert].activated ||
          certutil.commands[cmd_AddCert].activated ||
 	 certutil.commands[cmd_AddEmailCert].activated) {
+	if (strstr(certutil.options[opt_Trust].arg, "u")) {
+	    fprintf(stderr, "Notice: Trust flag u is set automatically if the "
+			    "private key is present.\n");
+	}
 	rv = AddCert(slot, certHandle, name, 
 	             certutil.options[opt_Trust].arg,
 	             &certDER,
 	             certutil.commands[cmd_AddEmailCert].activated,&pwdata);
 	if (rv) 
 	    goto shutdown;
     }
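Review bot: `strstr(certutil.options[opt_Trust].arg, "u")` on the added line dereferences the trust argument with no NULL check; if any of the three commands guarded here (-S, -A, -E) can be invoked without `-t` (the hunk does not show that being enforced), `.arg` is NULL and the call is undefined behaviour before AddCert ever sees the string. Guard it: `if (certutil.options[opt_Trust].arg && strstr(certutil.options[opt_Trust].arg, "u")) {`. The commit title says the tool should fail when "u" trust is requested, but the added block only prints a notice and falls through to AddCert with the unchanged trust string, so either the title or the code should state which behaviour is intended. The enclosing function starts and ends outside this hunk.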
 
--- a/cmd/checkcert/checkcert.c
+++ b/cmd/checkcert/checkcert.c
@@ -297,31 +297,31 @@ int main(int argc, char **argv)
 
     issuerCertFile = PR_Open(issuerCertFileName, PR_RDONLY, 0);
     if (!issuerCertFile) {
 	fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
 	                 progName, issuerCertFileName);
 	exit(1);
     }
 
-    if (SECU_ReadDERFromFile(&derCert, inFile, ascii) != SECSuccess) {
+    if (SECU_ReadDERFromFile(&derCert, inFile, ascii, PR_FALSE) != SECSuccess) {
 	printf("Couldn't read input certificate as DER binary or base64\n");
 	exit(1);
     }
 
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if (arena == 0) {
 	fprintf(stderr,"%s: can't allocate scratch arena!", progName);
 	exit(1);
     }
 
     if (issuerCertFile) {
 	CERTSignedData *issuerCertSD=0;
-	if (SECU_ReadDERFromFile(&derIssuerCert, issuerCertFile, issuerAscii)
-	    != SECSuccess) {
+	if (SECU_ReadDERFromFile(&derIssuerCert, issuerCertFile, issuerAscii,
+	                         PR_FALSE) != SECSuccess) {
 	    printf("Couldn't read issuer certificate as DER binary or base64.\n");
 	    exit(1);
 	}
 	issuerCertSD = PORT_ArenaZNew(arena, CERTSignedData);
 	if (!issuerCertSD) {
 	    fprintf(stderr,"%s: can't allocate issuer signed data!", progName);
 	    exit(1);
 	}
--- a/cmd/crlutil/crlutil.c
+++ b/cmd/crlutil/crlutil.c
@@ -227,17 +227,17 @@ SECStatus ImportCRL (CERTCertDBHandle *c
     PRIntervalTime starttime, endtime, elapsed;
     PRUint32 mins, secs, msecs;
 #endif
 
     crlDER.data = NULL;
 
 
     /* Read in the entire file specified with the -f argument */
-    rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+    rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
     if (rv != SECSuccess) {
 	SECU_PrintError(progName, "unable to read input file");
 	return (SECFailure);
     }
 
     decodeOptions |= CRL_DECODE_DONT_COPY_DER;
 
     slot = PK11_GetInternalKeySlot();
@@ -286,17 +286,17 @@ SECStatus DumpCRL(PRFileDesc *inFile)
     int rv;
     PLArenaPool *arena = NULL;
     CERTSignedCrl *newCrl = NULL;
     
     SECItem crlDER;
     crlDER.data = NULL;
 
     /* Read in the entire file specified with the -f argument */
-    rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+    rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
     if (rv != SECSuccess) {
 	SECU_PrintError(progName, "unable to read input file");
 	return (SECFailure);
     }
     
     rv = SEC_ERROR_NO_MEMORY;
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if (!arena)
@@ -381,17 +381,17 @@ CreateModifiedCRLCopy(PLArenaPool *arena
 
     modArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
     if (!modArena) {
         SECU_PrintError(progName, "fail to allocate memory\n");
         return NULL;
     }
     
     if (inFile != NULL) {
-        rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+        rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
         if (rv != SECSuccess) {
             SECU_PrintError(progName, "unable to read input file");
             PORT_FreeArena(modArena, PR_FALSE);
             goto loser;
         }
         
         decodeOptions |= CRL_DECODE_DONT_COPY_DER;
         
--- a/cmd/derdump/derdump.c
+++ b/cmd/derdump/derdump.c
@@ -82,17 +82,17 @@ int main(int argc, char **argv)
     if (!outFile) outFile = stdout;
 
     rv = NSS_NoDB_Init(NULL);	/* XXX */
     if (rv != SECSuccess) {
 	SECU_PrintPRandOSError(progName);
 	return -1;
     }
 
-	rv = SECU_ReadDERFromFile(&der, inFile, PR_FALSE);
+	rv = SECU_ReadDERFromFile(&der, inFile, PR_FALSE, PR_FALSE);
     if (rv == SECSuccess) {
 	rv = DER_PrettyPrint(outFile, &der, raw);
 	if (rv == SECSuccess)
 	    return 0;
     }
 
     xp_error = PORT_GetError();
     if (xp_error) {
--- a/cmd/lib/secutil.c
+++ b/cmd/lib/secutil.c
@@ -489,17 +489,18 @@ SECU_GetClientAuthData(void *arg, PRFile
 
     *pRetCert = cert;
     *pRetKey = key;
 
     return 0;
 }
 
 SECStatus
-SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
+SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii,
+		     PRBool warnOnPrivateKeyInAsciiFile)
 {
     SECStatus rv;
     if (ascii) {
 	/* First convert ascii to binary */
 	SECItem filedata;
 	char *asc, *body;
 
 	/* Read in ascii data */
@@ -507,16 +508,21 @@ SECU_ReadDERFromFile(SECItem *der, PRFil
 	if (rv != SECSuccess)
 	    return rv;
 	asc = (char *)filedata.data;
 	if (!asc) {
 	    fprintf(stderr, "unable to read data from input file\n");
 	    return SECFailure;
 	}
 
+	if (warnOnPrivateKeyInAsciiFile && strstr(asc, "PRIVATE KEY")) {
+	    fprintf(stderr, "Warning: ignoring private key. Consider to use "
+	                    "pk12util.\n");
+	}
+
 	/* check for headers and trailers and remove them */
 	if ((body = strstr(asc, "-----BEGIN")) != NULL) {
 	    char *trailer = NULL;
 	    asc = body;
 	    body = PORT_Strchr(body, '\n');
 	    if (!body)
 		body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */
 	    if (body)
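Review bot: The added warning says the private key is being ignored, but the code that follows still locates the first `-----BEGIN` block in the buffer, so if the remainder of the body extracts that first block as the visible lines suggest, a file whose key precedes the certificate would have the key block passed to the DER decoder rather than skipped. Either word the message to match, e.g. `Warning: input file contains a private key; only the first PEM block is used. Consider to use pk12util.`, or skip ahead to the certificate header before extracting. The detection is a bare substring match, so a comment line mentioning the phrase also fires; matching on `strstr(asc, "PRIVATE KEY-----")` would tie it to an actual PEM header or trailer line. SECU_ReadDERFromFile continues past the end of this hunk.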
@@ -3546,17 +3552,17 @@ SECU_FindCertByNicknameOrFilename(CERTCe
         /* Don't have a cert with name "name" in the DB. Try to
          * open a file with such name and get the cert from there.*/
         SECStatus rv;
         SECItem item = {0, NULL, 0};
         PRFileDesc* fd = PR_Open(name, PR_RDONLY, 0777); 
         if (!fd) {
             return NULL;
         }
-        rv = SECU_ReadDERFromFile(&item, fd, ascii);
+        rv = SECU_ReadDERFromFile(&item, fd, ascii, PR_FALSE);
         PR_Close(fd);
         if (rv != SECSuccess || !item.len) {
             PORT_Free(item.data);
             return NULL;
         }
         the_cert = CERT_NewTempCertificate(handle, &item, 
                                            NULL     /* nickname */, 
                                            PR_FALSE /* isPerm */, 
--- a/cmd/lib/secutil.h
+++ b/cmd/lib/secutil.h
@@ -155,17 +155,18 @@ SECU_printCertProblemsOnDate(FILE *outfi
 
 /* print out CERTVerifyLog info. */
 extern void
 SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
                       PRBool verbose);
 
 /* Read in a DER from a file, may be ascii  */
 extern SECStatus 
-SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
+SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii,
+		     PRBool warnOnPrivateKeyInAsciiFile);
 
 /* Print integer value and hex */
 extern void SECU_PrintInteger(FILE *out, const SECItem *i, const char *m,
                               int level);
 
 /* Print ObjectIdentifier symbolically */
 extern SECOidTag SECU_PrintObjectID(FILE *out, const SECItem *oid,
                                     const char *m, int level);
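Review bot: The comment above the changed prototype, `/* Read in a DER from a file, may be ascii  */`, is not updated for the new fourth parameter, so a caller has to read secutil.c to learn what warnOnPrivateKeyInAsciiFile does. Extend it to something like `/* Read in a DER from a file, may be ascii. When ascii is set and warnOnPrivateKeyInAsciiFile is PR_TRUE, a warning is written to stderr if the input contains a PEM private key block. */`. Keep the wording aligned with the message actually emitted in secutil.c so the header and the implementation do not drift apart.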
--- a/cmd/libpkix/pkix/top/test_validatechain_bc.c
+++ b/cmd/libpkix/pkix/top/test_validatechain_bc.c
@@ -56,17 +56,17 @@ createCert(char *inFileName)
         certDER.data = NULL;
 
         inFile = PR_Open(inFileName, PR_RDONLY, 0);
 
         if (!inFile){
                 pkixTestErrorMsg = "Unable to open cert file";
                 goto cleanup;
         } else {
-                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
+                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
                 if (!rv){
                         buf = (void *)certDER.data;
                         len = certDER.len;
 
                         PKIX_TEST_EXPECT_NO_ERROR
                                 (PKIX_PL_ByteArray_Create
                                 (buf, len, &byteArray, plContext));
 
--- a/cmd/libpkix/sample_apps/build_chain.c
+++ b/cmd/libpkix/sample_apps/build_chain.c
@@ -61,17 +61,17 @@ createCert(char *inFileName)
         certDER.data = NULL;
 
         inFile = PR_Open(inFileName, PR_RDONLY, 0);
 
         if (!inFile){
                 pkixTestErrorMsg = "Unable to open cert file";
                 goto cleanup;
         } else {
-                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
+                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
                 if (!rv){
                         buf = (void *)certDER.data;
                         len = certDER.len;
 
                         PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create
                                         (buf, len, &byteArray, plContext));
 
                         PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create
--- a/cmd/libpkix/sample_apps/dumpcert.c
+++ b/cmd/libpkix/sample_apps/dumpcert.c
@@ -50,17 +50,17 @@ createCert(char *inFileName)
         certDER.data = NULL;
 
         inFile = PR_Open(inFileName, PR_RDONLY, 0);
 
         if (!inFile){
                 printFailure("Unable to open cert file");
                 goto cleanup;
         } else {
-                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
+                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
                 if (!rv){
                         buf = (void *)certDER.data;
                         len = certDER.len;
 
                         error = PKIX_PL_ByteArray_Create
                                 (buf, len, &byteArray, plContext);
 
                         if (error){
--- a/cmd/libpkix/sample_apps/dumpcrl.c
+++ b/cmd/libpkix/sample_apps/dumpcrl.c
@@ -52,17 +52,17 @@ createCRL(char *inFileName)
         crlDER.data = NULL;
 
         inFile = PR_Open(inFileName, PR_RDONLY, 0);
 
         if (!inFile){
                 printFailure("Unable to open crl file");
                 goto cleanup;
         } else {
-                rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+                rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
                 if (!rv){
                         buf = (void *)crlDER.data;
                         len = crlDER.len;
 
                         error = PKIX_PL_ByteArray_Create
                                 (buf, len, &byteArray, plContext);
 
                         if (error){
--- a/cmd/libpkix/sample_apps/validate_chain.c
+++ b/cmd/libpkix/sample_apps/validate_chain.c
@@ -60,17 +60,17 @@ createCert(char *inFileName)
         certDER.data = NULL;
 
         inFile = PR_Open(inFileName, PR_RDONLY, 0);
 
         if (!inFile){
                 pkixTestErrorMsg = "Unable to open cert file";
                 goto cleanup;
         } else {
-                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
+                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
                 if (!rv){
                         buf = (void *)certDER.data;
                         len = certDER.len;
 
                         PKIX_TEST_EXPECT_NO_ERROR
                                 (PKIX_PL_ByteArray_Create
                                 (buf, len, &byteArray, plContext));
 
--- a/cmd/libpkix/testutil/testutil_nss.c
+++ b/cmd/libpkix/testutil/testutil_nss.c
@@ -84,17 +84,17 @@ createCert(
 
         pathName = catDirName(dirName, certFileName, plContext);
         certFile = PR_Open(pathName, PR_RDONLY, 0);
 
         if (!certFile){
                 pkixTestErrorMsg = "Unable to open cert file";
                 goto cleanup;
         } else {
-                rv = SECU_ReadDERFromFile(&certDER, certFile, PR_FALSE);
+                rv = SECU_ReadDERFromFile(&certDER, certFile, PR_FALSE, PR_FALSE);
                 if (!rv){
                         buf = (void *)certDER.data;
                         len = certDER.len;
 
                         PKIX_TEST_EXPECT_NO_ERROR
                                 (PKIX_PL_ByteArray_Create
                                 (buf, len, &byteArray, plContext));
 
@@ -149,17 +149,17 @@ createCRL(
 
         pathName = catDirName(dirName, crlFileName, plContext);
         inFile = PR_Open(pathName, PR_RDONLY, 0);
 
         if (!inFile){
                 pkixTestErrorMsg = "Unable to open crl file";
                 goto cleanup;
         } else {
-                rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+                rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
                 if (!rv){
                         buf = (void *)crlDER.data;
                         len = crlDER.len;
 
                         error = PKIX_PL_ByteArray_Create
                                 (buf, len, &byteArray, plContext);
 
                         if (error){
--- a/cmd/ocspclnt/ocspclnt.c
+++ b/cmd/ocspclnt/ocspclnt.c
@@ -480,17 +480,17 @@ find_certificate(CERTCertDBHandle *handl
             return cert;
     }
 
     certFile = PR_Open(name, PR_RDONLY, 0);
     if (certFile == NULL) {
         return NULL;
     }
 
-    if (SECU_ReadDERFromFile(&der, certFile, ascii) == SECSuccess) {
+    if (SECU_ReadDERFromFile(&der, certFile, ascii, PR_FALSE) == SECSuccess) {
         cert = CERT_DecodeCertFromPackage((char*)der.data, der.len);
         SECITEM_FreeItem(&der, PR_FALSE);
     }
     PR_Close(certFile);
 
     return cert;
 }
 
--- a/cmd/p7content/p7content.c
+++ b/cmd/p7content/p7content.c
@@ -73,17 +73,17 @@ decryption_allowed(SECAlgorithmID *algid
 
 int
 DecodeAndPrintFile(FILE *out, PRFileDesc *in, char *progName)
 {
     SECItem derdata;
     SEC_PKCS7ContentInfo *cinfo = NULL;
     SEC_PKCS7DecoderContext *dcx;
 
-    if (SECU_ReadDERFromFile(&derdata, in, PR_FALSE)) {
+    if (SECU_ReadDERFromFile(&derdata, in, PR_FALSE, PR_FALSE)) {
         SECU_PrintError(progName, "error converting der");
 	return -1;
     }
 
     fprintf(out,
 	    "Content printed between bars (newline added before second bar):");
     fprintf(out, "\n---------------------------------------------\n");
 
--- a/cmd/p7sign/p7sign.c
+++ b/cmd/p7sign/p7sign.c
@@ -91,17 +91,18 @@ SignFile(FILE *outFile, PRFileDesc *inFi
     SECItem digest, data2sign;
     SEC_PKCS7ContentInfo *cinfo;
     SECStatus rv;
 
     if (outFile == NULL || inFile == NULL || cert == NULL)
 	return -1;
 
     /* suck the file in */
-	if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE) != SECSuccess)
+	if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE,
+	                         PR_FALSE) != SECSuccess)
 	return -1;
 
     if (!encapsulated) {
 	/* unfortunately, we must create the digest ourselves */
 	/* SEC_PKCS7CreateSignedData should have a flag to not include */
 	/* the content for non-encapsulated content at encode time, but */
 	/* should always compute the hash itself */
 	if (CreateDigest(&data2sign, digestdata, &len, 32) < 0)
--- a/cmd/p7verify/p7verify.c
+++ b/cmd/p7verify/p7verify.c
@@ -128,17 +128,18 @@ HashDecodeAndVerify(FILE *out, FILE *con
 {
     SECItem derdata;
     SEC_PKCS7ContentInfo *cinfo;
     SEC_PKCS7SignedData *signedData;
     HASH_HashType digestType;
     SECItem digest;
     unsigned char buffer[32];
 
-    if (SECU_ReadDERFromFile(&derdata, signature, PR_FALSE) != SECSuccess) {
+    if (SECU_ReadDERFromFile(&derdata, signature, PR_FALSE,
+                             PR_FALSE) != SECSuccess) {
 	SECU_PrintError(progName, "error reading signature file");
 	return -1;
     }
 
     cinfo = SEC_PKCS7DecodeItem(&derdata, NULL, NULL, NULL, NULL,
 				NULL, NULL, NULL);
     if (cinfo == NULL)
 	return -1;
--- a/cmd/pk1sign/pk1sign.c
+++ b/cmd/pk1sign/pk1sign.c
@@ -111,17 +111,18 @@ SignFile(FILE *outFile, PRFileDesc *inFi
     PLArenaPool *arena;
     CERTSignedData sd;
     SECItem *result;
 
     if (outFile == NULL || inFile == NULL || cert == NULL)
         return -1;
 
     /* suck the file in */
-    if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE) != SECSuccess)
+    if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE,
+                             PR_FALSE) != SECSuccess)
         return -1;
 
     privKey = NULL;    
     privKey = PK11_FindKeyByAnyCert(cert, NULL);
 
     algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, SEC_OID_SHA1);
     if (algID == SEC_OID_UNKNOWN)
         return -1;
--- a/cmd/pp/pp.c
+++ b/cmd/pp/pp.c
@@ -100,17 +100,17 @@ int main(int argc, char **argv)
     rv = NSS_NoDB_Init(NULL);
     if (rv != SECSuccess) {
 	fprintf(stderr, "%s: NSS_NoDB_Init failed (%s)\n",
 		progName, SECU_Strerror(PORT_GetError()));
 	exit(1);
     }
     SECU_RegisterDynamicOids();
 
-    rv = SECU_ReadDERFromFile(&der, inFile, ascii);
+    rv = SECU_ReadDERFromFile(&der, inFile, ascii, PR_FALSE);
     if (rv != SECSuccess) {
 	fprintf(stderr, "%s: SECU_ReadDERFromFile failed\n", progName);
 	exit(1);
     }
 
     /* Data is untyped, using the specified type */
     data.data = der.data;
     data.len = der.len;
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -1023,17 +1023,17 @@ reload_crl(PRFileDesc *crlFile)
 
     /* Read in the entire file specified with the -f argument */
     crlDer = PORT_Malloc(sizeof(SECItem));
     if (!crlDer) {
         errWarn("Can not allocate memory.");
         return SECFailure;
     }
 
-    rv = SECU_ReadDERFromFile(crlDer, crlFile, PR_FALSE);
+    rv = SECU_ReadDERFromFile(crlDer, crlFile, PR_FALSE, PR_FALSE);
     if (rv != SECSuccess) {
         errWarn("Unable to read input file.");
         PORT_Free(crlDer);
         return SECFailure;
     }
 
     PR_Lock(lastLoadedCrlLock);
     rv = CERT_CacheCRL(certHandle, crlDer);
--- a/cmd/signver/signver.c
+++ b/cmd/signver/signver.c
@@ -199,17 +199,17 @@ int main(int argc, char **argv)
 	    PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for writing.\n",
 		       progName, signver.options[opt_OutputFile].arg);
 	    goto cleanup;
 	}
     }
 
     /* read in the input files' contents */
     rv = SECU_ReadDERFromFile(&pkcs7der, signFile,
-			      signver.options[opt_ASCII].activated);
+			      signver.options[opt_ASCII].activated, PR_FALSE);
     if (signFile != PR_STDIN)
 	PR_Close(signFile);
     if (rv != SECSuccess) {
 	SECU_PrintError(progName, "problem reading PKCS7 input");
 	goto cleanup;
     }
     if (contentFile) {
 	rv = SECU_FileToItem(&content, contentFile);
--- a/cmd/vfychain/vfychain.c
+++ b/cmd/vfychain/vfychain.c
@@ -179,17 +179,17 @@ getCert(const char *name, PRBool isAscii
     fd = PR_Open(name, PR_RDONLY, 0777); 
     if (!fd) {
 	PRErrorCode err = PR_GetError();
     	fprintf(stderr, "open of %s failed, %d = %s\n", 
 	        name, err, SECU_Strerror(err));
 	return cert;
     }
 
-    rv = SECU_ReadDERFromFile(&item, fd, isAscii);
+    rv = SECU_ReadDERFromFile(&item, fd, isAscii, PR_FALSE);
     PR_Close(fd);
     if (rv != SECSuccess) {
 	fprintf(stderr, "%s: SECU_ReadDERFromFile failed\n", progName);
 	return cert;
     }
 
     if (!item.len) { /* file was empty */
 	fprintf(stderr, "cert file %s was empty.\n", name);