security/nss/cmd/signtool/list.c

Wed, 31 Dec 2014 07:16:47 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Wed, 31 Dec 2014 07:16:47 +0100
branch
TOR_BUG_9701
changeset 3
141e0f1194b1
permissions
-rw-r--r--

Revert simplistic fix pending revisit of Mozilla integration attempt.

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4
michael@0 5 #include "signtool.h"
michael@0 6 #include "pk11func.h"
michael@0 7 #include "certdb.h"
michael@0 8
/* Number of certificates printed by the most recent slot traversal.
 * Reset by ListCerts() before each PK11_TraverseSlotCerts() run and
 * incremented by cert_trav_callback() for every cert it lists. */
static int num_trav_certs = 0;
/* Per-certificate callback handed to PK11_TraverseSlotCerts(); `data`
 * points at ListCerts()'s list_certs mode. Defined below. */
static SECStatus cert_trav_callback(CERTCertificate *cert, SECItem *k,
void *data);
michael@0 12
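/*********************************************************************
 *
 * L i s t C e r t s
 *
 * Print the certificates visible through all PKCS#11 slots and tokens
 * and, optionally, analyse one certificate selected by nickname.
 *
 *   key         nickname of a certificate to analyse, or NULL to print
 *               the listing only.
 *   list_certs  listing mode passed through to cert_trav_callback():
 *               2 lists every cert (object signers marked with '*'),
 *               any other value lists only object-signing certs.
 *
 * All output goes to outputFD. Returns 0 on success and -1 when the slot
 * traversal fails, the named certificate is not found, or it does not
 * validate for the object-signing usage.
 */
int
ListCerts(char *key, int list_certs)
{
    int failed = 0;
    SECStatus rv;
    CERTCertDBHandle *db;
    CERTCertificate *cert = NULL;
    CERTVerifyLog errlog;

    /* errlog collects the reasons CERT_VerifyCert() rejects the named
     * cert; displayVerifyLog() prints them after the verification. */
    errlog.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (errlog.arena == NULL) {
        out_of_memory();
    }
    errlog.head = NULL;
    errlog.tail = NULL;
    errlog.count = 0;

    db = CERT_GetDefaultCertDB();

    if (list_certs == 2) {
        PR_fprintf(outputFD, "\nS Certificates\n");
        PR_fprintf(outputFD, "- ------------\n");
    } else {
        PR_fprintf(outputFD, "\nObject signing certificates\n");
        PR_fprintf(outputFD, "---------------------------------------\n");
    }

    /* The callback counts what it prints; reset before each traversal. */
    num_trav_certs = 0;

    /* Traverse ALL tokens in all slots, authenticating to them all */
    rv = PK11_TraverseSlotCerts(cert_trav_callback, (void *)&list_certs,
                                &pwdata);
    if (rv != SECSuccess) {
        PR_fprintf(outputFD, "**Traverse of ALL slots & tokens failed**\n");
        failed = 1;
        goto done; /* release the arena instead of returning directly */
    }

    if (num_trav_certs == 0) {
        PR_fprintf(outputFD,
                   "You don't appear to have any object signing certificates.\n");
    }

    if (list_certs == 2) {
        PR_fprintf(outputFD, "- ------------\n");
    } else {
        PR_fprintf(outputFD, "---------------------------------------\n");
    }

    if (list_certs == 1) {
        PR_fprintf(outputFD,
                   "For a list including CA's, use \"%s -L\"\n", PROGRAM_NAME);
    }

    if (list_certs == 2) {
        PR_fprintf(outputFD,
                   "Certificates that can be used to sign objects have *'s to "
                   "their left.\n");
    }

    if (key) {
        /* Do an analysis of the given cert */
        cert = PK11_FindCertFromNickname(key, &pwdata);
        if (cert == NULL) {
            failed = 1;
            PR_fprintf(outputFD,
                       "The certificate with nickname \"%s\" was NOT FOUND\n", key);
            goto done;
        }

        PR_fprintf(outputFD,
                   "\nThe certificate with nickname \"%s\" was found:\n",
                   cert->nickname);
        PR_fprintf(outputFD, "\tsubject name: %s\n", cert->subjectName);
        PR_fprintf(outputFD, "\tissuer name: %s\n", cert->issuerName);
        PR_fprintf(outputFD, "\n");

        rv = CERT_CertTimesValid(cert);
        if (rv != SECSuccess) {
            PR_fprintf(outputFD, "**This certificate is expired**\n");
        } else {
            PR_fprintf(outputFD, "This certificate is not expired.\n");
        }

        /* Chain validation for the object-signing usage as of now; the
         * individual failure reasons land in errlog. */
        rv = CERT_VerifyCert(db, cert, PR_TRUE,
                             certUsageObjectSigner, PR_Now(), &pwdata, &errlog);
        if (rv != SECSuccess) {
            failed = 1;
            if (errlog.count > 0) {
                PR_fprintf(outputFD,
                           "**Certificate validation failed for the "
                           "following reason(s):**\n");
            } else {
                /* Terminated with a newline so following output does not
                 * run onto the same line. */
                PR_fprintf(outputFD, "**Certificate validation failed**\n");
            }
        } else {
            PR_fprintf(outputFD, "This certificate is valid.\n");
        }
        displayVerifyLog(&errlog);

        /* PK11_FindCertFromNickname() hands back an owned reference. */
        CERT_DestroyCertificate(cert);
        cert = NULL;
    }

done:
    if (errlog.arena != NULL) {
        PORT_FreeArena(errlog.arena, PR_FALSE);
    }
    return failed ? -1 : 0;
}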
michael@0 142
michael@0 143
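/********************************************************************
 *
 * c e r t _ t r a v _ c a l l b a c k
 *
 * Callback for PK11_TraverseSlotCerts(), invoked once per certificate
 * found in any slot. `data` points at ListCerts()'s mode: 1 prints only
 * the user's object-signing certs together with issuer, expiry and a
 * validation result; 2 prints every cert, marking object signers with
 * '*'. Certificates without a nickname are skipped and not counted.
 * Increments the file-level counter num_trav_certs for each cert it
 * prints. `k` is unused. Always returns SECSuccess so traversal continues.
 */
static SECStatus
cert_trav_callback(CERTCertificate *cert, SECItem *k, void *data)
{
    int list_certs = 1;
    int listing_signing_only;
    int listing_all;
    int isSigningCert;
    int printedIssuer = 0;
    char *name;
    char *expires;
    SECStatus vrv;

    (void)k;

    if (data) {
        list_certs = *((int *)data);
    }
    /* Plain locals instead of function-scope #defines, which would
     * otherwise stay visible for the rest of the translation unit. */
    listing_signing_only = (list_certs == 1);
    listing_all = (list_certs == 2);

    name = cert->nickname;
    if (name == NULL) {
        return SECSuccess;
    }

    isSigningCert = cert->nsCertType & NS_CERT_TYPE_OBJECT_SIGNING;
    if (!isSigningCert && listing_signing_only) {
        return SECSuccess;
    }

    /* Display this name or email address */
    num_trav_certs++;

    if (listing_all) {
        PR_fprintf(outputFD, "%s ", isSigningCert ? "*" : " ");
    }
    PR_fprintf(outputFD, "%s\n", name);

    if (!listing_signing_only) {
        return SECSuccess;
    }

    /* Prefer the issuer's nickname; fall back to the issuer DN from the
     * cert itself when the issuer cannot be found or has no nickname. */
    {
        CERTCertificate *issuerCert = CERT_FindCertIssuer(cert, PR_Now(),
                                                          certUsageObjectSigner);
        if (issuerCert) {
            if (issuerCert->nickname && issuerCert->nickname[0]) {
                PR_fprintf(outputFD, " Issued by: %s\n",
                           issuerCert->nickname);
                printedIssuer = 1;
            }
            CERT_DestroyCertificate(issuerCert);
        }
    }
    if (!printedIssuer && cert->issuerName && cert->issuerName[0]) {
        PR_fprintf(outputFD, " Issued by: %s \n", cert->issuerName);
    }

    expires = DER_TimeChoiceDayToAscii(&cert->validity.notAfter);
    if (expires) {
        PR_fprintf(outputFD, " Expires: %s\n", expires);
        PORT_Free(expires);
    }

    vrv = CERT_VerifyCertNow(cert->dbhandle, cert,
                             PR_TRUE, certUsageObjectSigner, &pwdata);
    if (vrv != SECSuccess) {
        /* Keep the status and the error code in separate variables. */
        int err = PORT_GetError();
        PR_fprintf(outputFD,
                   " ++ Error ++ THIS CERTIFICATE IS NOT VALID (%s)\n",
                   secErrorString(err));
    }

    return SECSuccess;
}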
michael@0 218
michael@0 219
