X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/b04fe171f0375ecd5d8a24747ca1dff85720a0ca..6b200bc335dc93c5516ccb52f14bd896d8c7fad7:/SecurityTests/clxutils/certcrl/script.cpp

diff --git a/SecurityTests/clxutils/certcrl/script.cpp b/SecurityTests/clxutils/certcrl/script.cpp
deleted file mode 100644
index 0f49fafb..00000000
--- a/SecurityTests/clxutils/certcrl/script.cpp
+++ /dev/null
@@ -1,923 +0,0 @@
-/*
- * script.cpp - run certcrl from script file
- */
- 
-#include <security_cdsa_utils/cuFileIo.h>
-#include <utilLib/common.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <ctype.h>
-#include <Security/cssm.h>
-#include <clAppUtils/BlobList.h>
-#include <clAppUtils/certVerify.h>
-#include "script.h"
-
-/* Line type returned from parseLine */
-typedef enum {
-	LT_Empty,			// comments, whitespace
-	LT_TestName,
-	LT_DirName,	
-	LT_Cert,
-	LT_Root,
-	LT_CRL,
-	LT_CertDb,
-	LT_CrlDb,
-	LT_ExpectError,		// expected function return
-	LT_CertError,		// per-cert error string
-	LT_CertStatus,		// per-cert StatusBits
-	LT_SslHost,
-	LT_SslClient,
-	LT_SenderEmail,
-	LT_Policy,
-	LT_KeyUsage,
-	LT_RevokePolicy,
-	LT_RespURI,
-	LT_RespCert,
-	LT_EndOfSection,
-	LT_EndOfFile,
-	LT_BadLine,
-	LT_Globals,
-	LT_Echo,
-	LT_GenerateOcspNonce,
-	LT_RequireOcspNonce,
-	LT_AllowExpiredRoot,
-	LT_VerifyTime,
-	LT_ImplicitAnchors,
-	
-	/* variables which can be in globals or per-test */
-	LT_AllowUnverified,
-	LT_CrlNetFetchEnable,
-	LT_CertNetFetchEnable,
-	LT_UseSystemAnchors,
-	LT_UseTrustSettings,
-	LT_LeafCertIsCA,
-	LT_CacheDisable,
-	LT_OcspNetFetchDisable,
-	LT_RequireOcspIfPresent,
-	LT_RequireCrlIfPresent,
-	LT_RequireCrlForAll,
-	LT_RequireOcspForAll
-} LineType;
-
-/* table to map key names to LineType */
-typedef struct {
-	const char 	*keyName;
-	LineType	lineType;
-} KeyLineType;
-
-KeyLineType keyLineTypes[] = 
-{
-	{ "test", 				LT_TestName 			},
-	{ "dir",				LT_DirName 				},
-	{ "cert",				LT_Cert 				},
-	{ "root",				LT_Root 				},
-	{ "crl",				LT_CRL 					},
-	{ "certDb",				LT_CertDb				},
-	{ "crlDb",				LT_CrlDb				},	// no longer used
-	{ "error",				LT_ExpectError 			},
-	{ "certerror",			LT_CertError			},
-	{ "certstatus",			LT_CertStatus			},
-	{ "sslHost",			LT_SslHost				},
-	{ "sslClient",			LT_SslClient			},
-	{ "senderEmail",		LT_SenderEmail			},
-	{ "policy",				LT_Policy				},
-	{ "keyUsage",			LT_KeyUsage				},
-	{ "revokePolicy",		LT_RevokePolicy			},
-	{ "responderURI",		LT_RespURI				},
-	{ "responderCert",		LT_RespCert				},
-	{ "cacheDisable",       LT_CacheDisable			},
-	{ "echo",				LT_Echo					},
-	{ "globals",			LT_Globals				},
-	{ "end",				LT_EndOfSection			},
-	{ "allowUnverified",	LT_AllowUnverified 		},
-	{ "requireCrlIfPresent",LT_RequireCrlIfPresent  },
-	{ "crlNetFetchEnable",	LT_CrlNetFetchEnable	},
-	{ "certNetFetchEnable",	LT_CertNetFetchEnable 	},
-	{ "ocspNetFetchDisable",LT_OcspNetFetchDisable 	},
-	{ "requireCrlForAll",	LT_RequireCrlForAll		},
-	{ "requireOcspForAll",	LT_RequireOcspForAll	},
-	{ "useSystemAnchors",	LT_UseSystemAnchors	 	},
-	{ "useTrustSettings",	LT_UseTrustSettings		},
-	{ "leafCertIsCA",		LT_LeafCertIsCA			},
-	{ "requireOcspIfPresent",LT_RequireOcspIfPresent },
-	{ "generateOcspNonce",	LT_GenerateOcspNonce	},
-	{ "requireOcspNonce",	LT_RequireOcspNonce		},
-	{ "allowExpiredRoot",	LT_AllowExpiredRoot		},
-	{ "verifyTime",			LT_VerifyTime			},
-	{ "implicitAnchors",	LT_ImplicitAnchors		},
-};
-
-#define NUM_KEYS (sizeof(keyLineTypes) / sizeof(KeyLineType))
-
-/* map policy string to CertVerifyPolicy */
-typedef struct {
-	const char *str;
-	CertVerifyPolicy policy;
-} PolicyString;
-
-static const PolicyString policyStrings[] = 
-{
-	{ "basic",			CVP_Basic				},
-	{ "ssl",			CVP_SSL					},
-	{ "smime",			CVP_SMIME				},
-	{ "swuSign",		CVP_SWUpdateSign		},
-	{ "codeSign",		CVP_AppleCodeSigning	},
-	{ "pkgSign",		CVP_PackageSigning		},
-	{ "resourceSign",	CVP_ResourceSigning		},
-	{ "iChat",			CVP_iChat				},
-	{ "pkinitServer",	CVP_PKINIT_Server		},
-	{ "pkinitClient",	CVP_PKINIT_Client		},
-	{ "IPSec",			CVP_IPSec				},
-	{ NULL,				(CertVerifyPolicy)0		}
-};
-
-/* skip whitespace (but not line terminators) */
-static void skipWhite(
-	const unsigned char *&cp,
-	unsigned &bytesLeft)
-{
-	while(bytesLeft != 0) {
-		switch(*cp) {
-			case ' ':
-			case '\t':
-				cp++;
-				bytesLeft--;
-				break;
-			default:
-				return;
-		}
-	}
-}
-
-/* skip to next char after EOL */
-static void skipLine(
-	const unsigned char *&cp,
-	unsigned &bytesLeft)
-{
-	bool foundEol = false;
-	while(bytesLeft != 0) {
-		switch(*cp) {
-			case '\n':
-			case '\r':
-				foundEol = true;
-				cp++;
-				bytesLeft--;
-				break;
-			default:
-				if(foundEol) {
-					return;
-				}
-				cp++;
-				bytesLeft--;
-				break;
-		}
-	}
-}
-
-/* skip to end of current token (i.e., find next whitespace or '=') */
-static void skipToken(
-	const unsigned char *&cp,
-	unsigned &bytesLeft,
-	bool isQuoted)
-{
-	while(bytesLeft != 0) {
-		char c = *cp;
-		if(isQuoted) {
-			if(c == '"') {
-				/* end of quoted string, return still pointing to it */
-				return;
-			}
-		}
-		else {
-			if(isspace(c)) {
-				return;
-			}
-			if(c == '=') {
-				/* hopefully, end of key */
-				return;
-			}
-		}
-		cp++;
-		bytesLeft--;
-	}
-}
-
-/*
- * Parse one line, return value (following "=" and whitespace) as
- * mallocd C string. On return, scriptData points to next char after line
- * terminator(s).
- *
- * The basic form of a line is
- * [whitespace] key [whitespace] = [whitespace] value [whitespace] \n|\r...
- *
- * ...except for comments and blank lines. Comments contain '#' as the 
- * first non-whitespace char.
- */
-#define CHECK_EOF(bytesLeft)	\
-	if(bytesLeft == 0) {		\
-		return LT_BadLine;	\
-	}
-
-#define MAX_KEY_LEN		80
-
-static LineType parseLine(
-	const unsigned char	*&cp,			// IN/OUT
-	unsigned			&bytesLeft,		// IN/OUT bytes left in script
-	char				*&value,		// mallocd and RETURNED
-	CSSM_BOOL			verbose)
-{
-	if(bytesLeft == 0) {
-		if(verbose) {
-			printf("...EOF reached\n");
-		}
-		return LT_EndOfFile;
-	}
-	skipWhite(cp, bytesLeft);
-	if(bytesLeft == 0) {
-		return LT_Empty;
-	}
-	switch(*cp) {
-		case '#':
-		case '\n':
-		case '\r':
-		skipLine(cp, bytesLeft);
-		return LT_Empty;
-	}
-	
-	/* 
-	 * cp points to start of key
-	 * get key value as NULL terminated C string
-	 */
-	const unsigned char *tokenStart = cp;
-	skipToken(cp, bytesLeft, false);
-	CHECK_EOF(bytesLeft);
-	unsigned tokenLen = cp - tokenStart;
-	char key[MAX_KEY_LEN];
-	memmove(key, tokenStart, tokenLen);
-	key[tokenLen] = '\0';
-	
-	/* parse key */
-	LineType rtnType = LT_BadLine;
-	for(unsigned i=0; i<NUM_KEYS; i++) {
-		KeyLineType *klt = &keyLineTypes[i];
-		if(!strcmp(klt->keyName, key)) {
-			rtnType = klt->lineType;
-			break;
-		}	
-	}
-
-	/* these keys have no value */
-	bool noValue = false;
-	switch(rtnType) {
-		case LT_EndOfSection:
-			if(verbose) {
-				printf("...end of section\n");
-			}
-			noValue = true;
-			break;
-		case LT_Globals:
-			noValue = true;
-			break;
-		case LT_BadLine:
-			printf("***unknown key '%s'\n", key);
-			noValue = true;
-			break;
-		default:
-			break;
-	}
-	if(noValue) {
-		/* done with line */
-		skipLine(cp, bytesLeft);
-		return rtnType;
-	}
-	
-	/* get to start of value */
-	skipWhite(cp, bytesLeft);
-	CHECK_EOF(bytesLeft);
-	if(rtnType == LT_Echo) {
-		/* echo: value is everything from this char to end of line */
-		tokenStart = cp;
-		for( ; bytesLeft != 0; cp++, bytesLeft--) {
-			if((*cp == '\n') || (*cp == '\r')) {
-				break;
-			}
-		}
-		if(cp != tokenStart) {
-			tokenLen = cp - tokenStart;
-			value = (char *)malloc(tokenLen + 1);
-			memmove(value, tokenStart, tokenLen);
-			value[tokenLen] = '\0';
-		}
-		else {
-			value = NULL;
-		}
-		skipLine(cp, bytesLeft);
-		return LT_Echo;
-	}
-	
-	/* all other line types: value is first token after '=' */
-	if(*cp != '=') {
-		printf("===missing = after key\n");
-		return LT_BadLine;
-	}
-	cp++;
-	bytesLeft--;
-	skipWhite(cp, bytesLeft);
-	CHECK_EOF(bytesLeft);
-
-	/* cp points to start of value */
-	bool isQuoted = false;
-	if(*cp == '"') {
-		cp++;
-		bytesLeft--;
-		CHECK_EOF(bytesLeft)
-		isQuoted = true;
-	}
-	tokenStart = cp;
-	skipToken(cp, bytesLeft, isQuoted);
-	/* cp points to next char after end of value */
-	/* get value as mallocd C string */
-	tokenLen = cp - tokenStart;
-	if(tokenLen == 0) {
-		value = NULL;
-	}
-	else {
-		value = (char *)malloc(tokenLen + 1);
-		memmove(value, tokenStart, tokenLen);
-		value[tokenLen] = '\0';
-	}
-	skipLine(cp, bytesLeft);
-	if(verbose) {
-		printf("'%s' = '%s'\n", key, value);
-	}
-	return rtnType;
-}
-
-/* describe fate of one run of runOneTest() */
-typedef enum {
-	OTR_Success,
-	OTR_Fail,
-	OTR_EndOfScript
-} OneTestResult;
-
-/* parse boolean variable, in globals or per-test */
-OneTestResult parseVar(
-	LineType lineType, 
-	const char *value, 
-	ScriptVars &scriptVars)
-{
-	/* parse value  */
-	CSSM_BOOL cval;
-	if(!strcmp(value, "true")) {
-		cval = CSSM_TRUE;
-	}
-	else if(!strcmp(value, "false")) {
-		cval = CSSM_FALSE;
-	}
-	else {
-		printf("***boolean variables must be true or false, not '%s'\n", value);
-		return OTR_Fail;
-	}
-
-	switch(lineType) {
-		case LT_AllowUnverified:
-			scriptVars.allowUnverified = cval; 
-			break;
-		case LT_CrlNetFetchEnable:
-			scriptVars.crlNetFetchEnable = cval; 
-			break;
-		case LT_CertNetFetchEnable:
-			scriptVars.certNetFetchEnable = cval; 
-			break;
-		case LT_UseSystemAnchors:
-			scriptVars.useSystemAnchors = cval; 
-			break;
-		case LT_UseTrustSettings:
-			scriptVars.useTrustSettings = cval; 
-			break;
-		case LT_LeafCertIsCA:
-			scriptVars.leafCertIsCA = cval; 
-			break;
-		case LT_CacheDisable:
-			scriptVars.cacheDisable = cval;
-			break;
-		case LT_OcspNetFetchDisable:
-			scriptVars.ocspNetFetchDisable = cval;
-			break;
-		case LT_RequireOcspIfPresent:
-			scriptVars.requireOcspIfPresent = cval;
-			break;
-		case LT_RequireCrlIfPresent:
-			scriptVars.requireCrlIfPresent = cval;
-			break;
-		case LT_RequireCrlForAll:
-			scriptVars.requireCrlForAll = cval;
-			break;
-		case LT_RequireOcspForAll:
-			scriptVars.requireOcspForAll = cval;
-			break;
-		default:
-			return OTR_Fail;
-	}
-	return OTR_Success;
-}
-
-#if 0
-/* sure wish X had strnstr */
-static char *strnstr(
-	const char *big, 
-	const char *little, 
-	size_t len)
-{
-	const char *cp;
-	unsigned littleLen = strlen(little);
-	const char *end = big + len - littleLen;
-	char first = little[0];
-	
-	for(cp=big; cp<end; cp++) {
-		/* find first char of little in what's left of big */
-		if(*cp != first) {
-			continue;
-		}
-		if(memcmp(cp, little, littleLen) == 0) {
-			return (char *)cp;
-		}
-	} while(cp < end);
-	return NULL;
-}
-#endif
-
-OneTestResult fetchGlobals(
-	const unsigned char *&scriptData,	// IN/OUT
-	unsigned 			&bytesLeft,		// IN/OUT
-	ScriptVars			&scriptVars,	// may be modified
-	CSSM_BOOL			verbose)
-{
-	char *value;		// mallocd by parseLine
-	LineType lineType;
-	OneTestResult result;
-	
-	if(verbose) {
-		printf("...processing global section\n");
-	}
-	/* parse globals section until end encountered */
-	do {
-		value = NULL;
-		lineType = parseLine(scriptData, bytesLeft, value, verbose);
-		switch(lineType) {
-			case LT_Empty:
-			case LT_Globals:
-				break;					// nop
-			case LT_EndOfSection:
-				return OTR_Success;
-			case LT_EndOfFile:
-				printf("***Premature end of file in globals section.\n");
-				return OTR_EndOfScript;
-			case LT_BadLine:
-				return OTR_Fail;
-			default:
-				/* hopefully a variable */
-				result = parseVar(lineType, value, scriptVars);
-				if(result != OTR_Success) {
-					return OTR_Fail;
-				}
-				break;
-		}
-		if(value != NULL) {
-			free(value);
-		}
-	} while(1);
-	/* NOT REACHED */
-	return OTR_Success;
-}
-
-/* parse script fragment for one test, run it */
-OneTestResult runOneTest(
-	const unsigned char *&scriptData,			// IN/OUT
-	unsigned 			&bytesLeft,				// IN/OUT bytes left in script
-	CSSM_TP_HANDLE		tpHand, 
-	CSSM_CL_HANDLE 		clHand,
-	CSSM_CSP_HANDLE 	cspHand,
-	CSSM_DL_HANDLE 		dlHand,
-	ScriptVars 			&scriptVars,
-	CSSM_BOOL			quiet,
-	CSSM_BOOL			verbose)
-{
-	CertVerifyArgs vfyArgs;
-	memset(&vfyArgs, 0, sizeof(vfyArgs));
-
-	/* to be gathered from script */
-	char 			*testName = NULL;
-	char 			*dirName = NULL;
-	BlobList 		certs;
-	BlobList 		roots;
-	BlobList 		crls;
-	
-	LineType 		lineType;
-	char 			*value;			// mallocd by parseLine 
-	int 			blobErr;
-	ScriptVars 		localVars = scriptVars;
-	OneTestResult 	result;
-	char			pathName[300];
-	CSSM_RETURN		crtn;
-	CSSM_DL_DB_HANDLE_PTR currDlDb = NULL;
-	CSSM_DL_DB_LIST	dlDbList = {0, NULL};
-	
-	vfyArgs.version = CERT_VFY_ARGS_VERS;
-	vfyArgs.certs = &certs;
-	vfyArgs.roots = &roots;
-	vfyArgs.crls = &crls;
-	vfyArgs.quiet = quiet;
-	vfyArgs.tpHand = tpHand;
-	vfyArgs.clHand = clHand;
-	vfyArgs.cspHand = cspHand;
-	vfyArgs.quiet = quiet;
-	vfyArgs.revokePolicy = CRP_None;
-	vfyArgs.vfyPolicy = CVP_Basic;
-	vfyArgs.dlDbList = &dlDbList;
-	
-	/* parse script up to end of test */
-	do {
-		value = NULL;
-		blobErr = 0;
-		lineType = parseLine(scriptData, bytesLeft, value, verbose);
-		switch(lineType) {
-			case LT_Empty:
-				break;					// nop
-			case LT_TestName:
-				if(testName != NULL) {
-					printf("***Duplicate test name ignored\n");
-					free(value);
-				}
-				else {
-					testName = value;	// free after test
-				}
-				value = NULL;
-				break;
-			case LT_DirName:
-				if(dirName != NULL) {
-					printf("***Duplicate directory name ignored\n");
-					free(value);
-				}
-				else {
-					dirName = value;	// free after test
-				}
-				value = NULL;
-				break;
-			case LT_Cert:
-				blobErr = certs.addFile(value, dirName);
-				break;
-			case LT_Root:
-				blobErr = roots.addFile(value, dirName);
-				break;
-			case LT_CRL:
-				blobErr = crls.addFile(value, dirName);
-				break;
-			case LT_CertDb:
-			case LT_CrlDb:
-				/* these can be called multiple times */
-				if(dirName) {
-					sprintf(pathName, "%s/%s", dirName, value);
-				}
-				else {
-					strcpy(pathName, value);
-				}
-				dlDbList.NumHandles++;
-				dlDbList.DLDBHandle = (CSSM_DL_DB_HANDLE_PTR)realloc(
-					dlDbList.DLDBHandle, 
-					dlDbList.NumHandles * sizeof(CSSM_DL_DB_HANDLE));
-				currDlDb = &dlDbList.DLDBHandle[dlDbList.NumHandles-1];
-				currDlDb->DLHandle = dlHand;
-				crtn = CSSM_DL_DbOpen(dlHand,
-					pathName, 
-					NULL,			// DbLocation
-					CSSM_DB_ACCESS_READ | CSSM_DB_ACCESS_WRITE,
-					NULL, 			// CSSM_ACCESS_CREDENTIALS *AccessCred
-					NULL,			// void *OpenParameters
-					&currDlDb->DBHandle);
-				if(crtn) {
-					printError("CSSM_DL_DbOpen", crtn);
-					printf("***Error opening DB %s. Aborting.\n", value);
-					return OTR_Fail;
-				}
-				break;
-			case LT_ExpectError:
-				if(vfyArgs.expectedErrStr != NULL) {
-					printf("***Duplicate expected error ignored\n");
-					free(value);
-				}
-				else {
-					vfyArgs.expectedErrStr = value;	// free after test
-				}
-				value = NULL;
-				break;
-			case LT_CertError:
-				vfyArgs.numCertErrors++;
-				vfyArgs.certErrors = (const char **)realloc(vfyArgs.certErrors,
-					vfyArgs.numCertErrors * sizeof(char *));
-				vfyArgs.certErrors[vfyArgs.numCertErrors - 1] = value;
-				value = NULL;						// free after test 
-				break;
-			case LT_CertStatus:
-				vfyArgs.numCertStatus++;
-				vfyArgs.certStatus = (const char **)realloc(vfyArgs.certStatus,
-					vfyArgs.numCertStatus * sizeof(char *));
-				vfyArgs.certStatus[vfyArgs.numCertStatus - 1] = value;
-				value = NULL;						// // free after test 
-				break;
-			case LT_SslHost:
-				vfyArgs.sslHost = value;
-				value = NULL;			// free after test
-				vfyArgs.vfyPolicy = CVP_SSL;
-				break;
-			case LT_SenderEmail:
-				vfyArgs.senderEmail = value;
-				value = NULL;			// free after test
-				if(vfyArgs.vfyPolicy == CVP_Basic) {
-					/* don't overwrite if it's already been set to e.g. iChat */
-					vfyArgs.vfyPolicy = CVP_SMIME;
-				}
-				break;
-			case LT_Policy:
-				if(parsePolicyString(value, &vfyArgs.vfyPolicy)) {
-					printf("Bogus policyValue (%s)\n", value);
-					printPolicyStrings();
-					return OTR_Fail;
-				}
-				break;
-			case LT_KeyUsage:
-				vfyArgs.intendedKeyUse = hexToBin(value);
-				break;
-			case LT_RevokePolicy:
-				if(!strcmp(value, "none")) {
-					vfyArgs.revokePolicy = CRP_None;
-				}
-				else if(!strcmp(value, "crl")) {
-					vfyArgs.revokePolicy = CRP_CRL;
-				}
-				else if(!strcmp(value, "ocsp")) {
-					vfyArgs.revokePolicy = CRP_OCSP;
-				}
-				else if(!strcmp(value, "both")) {
-					vfyArgs.revokePolicy = CRP_CRL_OCSP;
-				}
-				else {
-					printf("***Illegal revokePolicy (%s)\n.", value);
-					return OTR_Fail;
-				}
-				break;
-			case LT_RespURI:
-				vfyArgs.responderURI = value;
-				value = NULL;			// free after test
-				break;
-			case LT_VerifyTime:
-				vfyArgs.vfyTime = value;
-				value = NULL;			// free after test
-				break;
-			case LT_RespCert:
-				if(readFile(value, (unsigned char **)&vfyArgs.responderCert, 
-						&vfyArgs.responderCertLen)) {
-					printf("***Error reading responderCert from %s\n", value);
-					return OTR_Fail;
-				}
-				break;
-			case LT_EndOfSection:
-				break;
-			case LT_EndOfFile:
-				/* only legal if we haven't gotten a test name */
-				if(testName == NULL) {
-					return OTR_EndOfScript;
-				}
-				printf("***Premature end of file.\n");
-				return OTR_Fail;
-			case LT_BadLine:
-				return OTR_Fail;
-			case LT_Globals:
-				result = fetchGlobals(scriptData, bytesLeft, scriptVars, verbose);
-				if(result != OTR_Success) {
-					printf("***Bad globals section\n");
-					return OTR_Fail;
-				}
-				/* and start over with these variables */
-				localVars = scriptVars;
-				break;
-			case LT_SslClient:
-				if(!strcmp(value, "true")) {
-					vfyArgs.sslClient = CSSM_TRUE;
-				}
-				else {
-					vfyArgs.sslClient = CSSM_FALSE;
-				}
-				vfyArgs.vfyPolicy = CVP_SSL;
-				break;
-			case LT_Echo:
-				if(!quiet) {
-					printf("%s\n", value);
-				}
-				break;
-			case LT_GenerateOcspNonce:
-				vfyArgs.generateOcspNonce = CSSM_TRUE;
-				break;
-			case LT_RequireOcspNonce:
-				vfyArgs.requireOcspRespNonce = CSSM_TRUE;
-				break;
-			case LT_AllowExpiredRoot:
-				if(!strcmp(value, "true")) {
-					vfyArgs.allowExpiredRoot = CSSM_TRUE;
-				}
-				else {
-					vfyArgs.allowExpiredRoot = CSSM_FALSE;
-				}
-				break;
-			case LT_ImplicitAnchors:
-				if(!strcmp(value, "true")) {
-					vfyArgs.implicitAnchors = CSSM_TRUE;
-				}
-				else {
-					vfyArgs.implicitAnchors = CSSM_FALSE;
-				}
-				break;
-			default:
-				/* hopefully a variable */
-				result = parseVar(lineType, value, localVars);
-				if(result != OTR_Success) {
-					printf("**Bogus line in script %u bytes from EOF\n",
-						bytesLeft);
-					return OTR_Fail;
-				}
-				break;
-
-		}
-		if(blobErr) {
-			return OTR_Fail;
-		}
-		if(value != NULL) {
-			free(value);
-		}
-	} while(lineType != LT_EndOfSection);
-	
-	/* some args: copy from ScriptVars -> CertVerifyArgs */
-	vfyArgs.allowUnverified = localVars.allowUnverified;
-	vfyArgs.requireOcspIfPresent = localVars.requireOcspIfPresent;
-	vfyArgs.requireCrlIfPresent = localVars.requireCrlIfPresent;
-	vfyArgs.crlNetFetchEnable = localVars.crlNetFetchEnable;
-	vfyArgs.certNetFetchEnable = localVars.certNetFetchEnable;
-	vfyArgs.useSystemAnchors = localVars.useSystemAnchors;
-	vfyArgs.useTrustSettings = localVars.useTrustSettings;
-	vfyArgs.leafCertIsCA = localVars.leafCertIsCA;
-	vfyArgs.disableCache = localVars.cacheDisable;
-	vfyArgs.disableOcspNet = localVars.ocspNetFetchDisable;
-	vfyArgs.requireCrlForAll = localVars.requireCrlForAll;
-	vfyArgs.requireOcspForAll = localVars.requireOcspForAll;
-	vfyArgs.verbose = verbose;
-	
-	/* here we go */
-	if(!quiet && (testName != NULL)) {
-		printf("%s\n", testName);
-	}
-	int rtn = certVerify(&vfyArgs);
-
-	OneTestResult ourRtn = OTR_Success;
-	if(rtn) {
-		printf("***Failure on %s\n", testName);
-		if(testError(quiet)) {
-			ourRtn = OTR_Fail;
-		}
-	}
-	/* free the stuff that didn't get freed and the end of the
-	 * main per-line loop */
-	if(dirName != NULL) {
-		free(dirName);
-	}
-	if(vfyArgs.expectedErrStr != NULL) {
-		free((void *)vfyArgs.expectedErrStr);
-	}
-	if(vfyArgs.certErrors != NULL) {
-		for(unsigned i=0; i<vfyArgs.numCertErrors; i++) {
-			free((void *)vfyArgs.certErrors[i]);		// mallocd by parseLine
-		}
-		free((void *)vfyArgs.certErrors);				// reallocd by us
-	}
-	if(vfyArgs.certStatus != NULL) {
-		for(unsigned i=0; i<vfyArgs.numCertStatus; i++) {
-			free((void *)vfyArgs.certStatus[i]);		// mallocd by parseLine
-		}
-		free((void *)vfyArgs.certStatus);				// reallocd by us
-	}
-	if(testName != NULL) {
-		free(testName);
-	}
-	if(vfyArgs.sslHost) {
-		free((void *)vfyArgs.sslHost);
-	}
-	if(vfyArgs.senderEmail) {
-		free((void *)vfyArgs.senderEmail);
-	}
-	if(vfyArgs.responderURI) {
-		free((void *)vfyArgs.responderURI);
-	}
-	if(vfyArgs.responderCert) {
-		free((void *)vfyArgs.responderCert);
-	}
-	if(vfyArgs.vfyTime) {
-		free((void *)vfyArgs.vfyTime);
-	}
-	if(dlDbList.DLDBHandle) {
-		for(unsigned dex=0; dex<dlDbList.NumHandles; dex++) {
-			CSSM_DL_DbClose(dlDbList.DLDBHandle[dex]);
-		}
-		free(dlDbList.DLDBHandle);
-	}
-	return ourRtn;
-}
-
-int runScript(
-	const char 		*fileName,
-	CSSM_TP_HANDLE	tpHand, 
-	CSSM_CL_HANDLE 	clHand,
-	CSSM_CSP_HANDLE cspHand,
-	CSSM_DL_HANDLE 	dlHand,
-	ScriptVars		*scriptVars,
-	CSSM_BOOL		quiet,
-	CSSM_BOOL		verbose,
-	CSSM_BOOL		doPause)
-{
-	const unsigned char *scriptData;
-	unsigned char *cp;
-	unsigned scriptDataLen;
-	int rtn;
-	ScriptVars localVars = *scriptVars;
-	
-	rtn = readFile(fileName, &cp, &scriptDataLen);
-	if(rtn) {
-		printf("***Error reading script file; aborting.\n");
-		printf("***Are you sure you're running this from the proper directory?\n");
-		return rtn;
-	}
-	scriptData = (const unsigned char *)cp;
-	OneTestResult result;
-	
-	do {
-		result = runOneTest(scriptData, scriptDataLen,
-			tpHand, clHand, cspHand, dlHand,
-			localVars, quiet, verbose);
-		if(result == OTR_Fail) {
-			rtn = 1;
-			break;
-		}
-		if(doPause) {
-			fpurge(stdin);
-			printf("CR to continue: ");
-			getchar();
-		}
-	} while(result == OTR_Success);
-	free(cp);
-	return rtn;
-}
-
-/* parse policy string; returns nonzero if not found */
-int parsePolicyString(
-	const char *str,
-	CertVerifyPolicy *policy)
-{
-	const PolicyString *ps;
-	for(ps=policyStrings; ps->str; ps++) {
-		if(!strcmp(ps->str, str)) {
-			*policy = ps->policy;
-			return 0;
-		}
-	}
-	return 1;
-}
-
-void printPolicyStrings()
-{
-	printf("Valid policy strings are:\n   ");
-	const PolicyString *ps;
-	unsigned i=0;
-	for(ps=policyStrings; ps->str; ps++, i++) {
-		printf("%s", ps->str);
-		if(ps[1].str == NULL) {
-			break;
-		}
-		if((i % 6)  == 5) {
-			printf(",\n   ");
-		}
-		else {
-			printf(", ");
-		}
-	}
-	printf("\n");
-}
-
-void printScriptVars()
-{
-	printf("The list of script variables is as follows:\n");
-	for(unsigned dex=0; dex<NUM_KEYS; dex++) {
-		printf("   %s\n", keyLineTypes[dex].keyName);
-	}
-	printPolicyStrings();
-	printf("Valid revokePolicy strings are:\n   none, crl, ocsp, both\n");
-}
-