• file
• revisions
• annotate
• diff
• comparison
• raw

security/nss/cmd/signtool/list.c@6474c204b198 (annotated)

security/nss/cmd/signtool/list.c

Wed, 31 Dec 2014 06:09:35 +0100

author

Michael Schloh von Bennewitz <michael@schloh.com>

date

Wed, 31 Dec 2014 06:09:35 +0100

changeset 0

6474c204b198

permissions

-rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

michael@0	1	/* This Source Code Form is subject to the terms of the Mozilla Public
michael@0	2	* License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0	3	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0	4
michael@0	5	#include "signtool.h"
michael@0	6	#include "pk11func.h"
michael@0	7	#include "certdb.h"
michael@0	8
michael@0	9	static int num_trav_certs = 0;
michael@0	10	static SECStatus cert_trav_callback(CERTCertificate *cert, SECItem *k,
michael@0	11	void *data);
michael@0	12
michael@0	13	/*********************************************************************
michael@0	14	*
michael@0	15	* L i s t C e r t s
michael@0	16	*/
michael@0	17	int
michael@0	18	ListCerts(char *key, int list_certs)
michael@0	19	{
michael@0	20	int failed = 0;
michael@0	21	SECStatus rv;
michael@0	22	char *ugly_list;
michael@0	23	CERTCertDBHandle * db;
michael@0	24
michael@0	25	CERTCertificate * cert;
michael@0	26	CERTVerifyLog errlog;
michael@0	27
michael@0	28	errlog.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
michael@0	29	if ( errlog.arena == NULL) {
michael@0	30	out_of_memory();
michael@0	31	}
michael@0	32	errlog.head = NULL;
michael@0	33	errlog.tail = NULL;
michael@0	34	errlog.count = 0;
michael@0	35
michael@0	36	ugly_list = PORT_ZAlloc (16);
michael@0	37
michael@0	38	if (ugly_list == NULL) {
michael@0	39	out_of_memory();
michael@0	40	}
michael@0	41
michael@0	42	*ugly_list = 0;
michael@0	43
michael@0	44	db = CERT_GetDefaultCertDB();
michael@0	45
michael@0	46	if (list_certs == 2) {
michael@0	47	PR_fprintf(outputFD, "\nS Certificates\n");
michael@0	48	PR_fprintf(outputFD, "- ------------\n");
michael@0	49	} else {
michael@0	50	PR_fprintf(outputFD, "\nObject signing certificates\n");
michael@0	51	PR_fprintf(outputFD, "---------------------------------------\n");
michael@0	52	}
michael@0	53
michael@0	54	num_trav_certs = 0;
michael@0	55
michael@0	56	/* Traverse ALL tokens in all slots, authenticating to them all */
michael@0	57	rv = PK11_TraverseSlotCerts(cert_trav_callback, (void * )&list_certs,
michael@0	58	&pwdata);
michael@0	59
michael@0	60	if (rv) {
michael@0	61	PR_fprintf(outputFD, "**Traverse of ALL slots & tokens failed**\n");
michael@0	62	return - 1;
michael@0	63	}
michael@0	64
michael@0	65	if (num_trav_certs == 0) {
michael@0	66	PR_fprintf(outputFD,
michael@0	67	"You don't appear to have any object signing certificates.\n");
michael@0	68	}
michael@0	69
michael@0	70	if (list_certs == 2) {
michael@0	71	PR_fprintf(outputFD, "- ------------\n");
michael@0	72	} else {
michael@0	73	PR_fprintf(outputFD, "---------------------------------------\n");
michael@0	74	}
michael@0	75
michael@0	76	if (list_certs == 1) {
michael@0	77	PR_fprintf(outputFD,
michael@0	78	"For a list including CA's, use \"%s -L\"\n", PROGRAM_NAME);
michael@0	79	}
michael@0	80
michael@0	81	if (list_certs == 2) {
michael@0	82	PR_fprintf(outputFD,
michael@0	83	"Certificates that can be used to sign objects have *'s to "
michael@0	84	"their left.\n");
michael@0	85	}
michael@0	86
michael@0	87	if (key) {
michael@0	88	/* Do an analysis of the given cert */
michael@0	89
michael@0	90	cert = PK11_FindCertFromNickname(key, &pwdata);
michael@0	91
michael@0	92	if (cert) {
michael@0	93	PR_fprintf(outputFD,
michael@0	94	"\nThe certificate with nickname \"%s\" was found:\n",
michael@0	95	cert->nickname);
michael@0	96	PR_fprintf(outputFD, "\tsubject name: %s\n", cert->subjectName);
michael@0	97	PR_fprintf(outputFD, "\tissuer name: %s\n", cert->issuerName);
michael@0	98
michael@0	99	PR_fprintf(outputFD, "\n");
michael@0	100
michael@0	101	rv = CERT_CertTimesValid (cert);
michael@0	102	if (rv != SECSuccess) {
michael@0	103	PR_fprintf(outputFD, "**This certificate is expired**\n");
michael@0	104	} else {
michael@0	105	PR_fprintf(outputFD, "This certificate is not expired.\n");
michael@0	106	}
michael@0	107
michael@0	108	rv = CERT_VerifyCert (db, cert, PR_TRUE,
michael@0	109	certUsageObjectSigner, PR_Now(), &pwdata, &errlog);
michael@0	110
michael@0	111	if (rv != SECSuccess) {
michael@0	112	failed = 1;
michael@0	113	if (errlog.count > 0) {
michael@0	114	PR_fprintf(outputFD,
michael@0	115	"**Certificate validation failed for the "
michael@0	116	"following reason(s):**\n");
michael@0	117	} else {
michael@0	118	PR_fprintf(outputFD, "**Certificate validation failed**");
michael@0	119	}
michael@0	120	} else {
michael@0	121	PR_fprintf(outputFD, "This certificate is valid.\n");
michael@0	122	}
michael@0	123	displayVerifyLog(&errlog);
michael@0	124
michael@0	125
michael@0	126	} else {
michael@0	127	failed = 1;
michael@0	128	PR_fprintf(outputFD,
michael@0	129	"The certificate with nickname \"%s\" was NOT FOUND\n", key);
michael@0	130	}
michael@0	131	}
michael@0	132
michael@0	133	if (errlog.arena != NULL) {
michael@0	134	PORT_FreeArena(errlog.arena, PR_FALSE);
michael@0	135	}
michael@0	136
michael@0	137	if (failed) {
michael@0	138	return - 1;
michael@0	139	}
michael@0	140	return 0;
michael@0	141	}
michael@0	142
michael@0	143
michael@0	144	/********************************************************************
michael@0	145	*
michael@0	146	* c e r t _ t r a v _ c a l l b a c k
michael@0	147	*/
michael@0	148	static SECStatus
michael@0	149	cert_trav_callback(CERTCertificate *cert, SECItem *k, void *data)
michael@0	150	{
michael@0	151	int list_certs = 1;
michael@0	152	char *name;
michael@0	153
michael@0	154	if (data) {
michael@0	155	list_certs = *((int * )data);
michael@0	156	}
michael@0	157
michael@0	158	#define LISTING_USER_SIGNING_CERTS (list_certs == 1)
michael@0	159	#define LISTING_ALL_CERTS (list_certs == 2)
michael@0	160
michael@0	161	name = cert->nickname;
michael@0	162	if (name) {
michael@0	163	int isSigningCert;
michael@0	164
michael@0	165	isSigningCert = cert->nsCertType & NS_CERT_TYPE_OBJECT_SIGNING;
michael@0	166	if (!isSigningCert && LISTING_USER_SIGNING_CERTS)
michael@0	167	return (SECSuccess);
michael@0	168
michael@0	169	/* Display this name or email address */
michael@0	170	num_trav_certs++;
michael@0	171
michael@0	172	if (LISTING_ALL_CERTS) {
michael@0	173	PR_fprintf(outputFD, "%s ", isSigningCert ? "*" : " ");
michael@0	174	}
michael@0	175	PR_fprintf(outputFD, "%s\n", name);
michael@0	176
michael@0	177	if (LISTING_USER_SIGNING_CERTS) {
michael@0	178	int rv = SECFailure;
michael@0	179	if (rv) {
michael@0	180	CERTCertificate * issuerCert;
michael@0	181	issuerCert = CERT_FindCertIssuer(cert, PR_Now(),
michael@0	182	certUsageObjectSigner);
michael@0	183	if (issuerCert) {
michael@0	184	if (issuerCert->nickname && issuerCert->nickname[0]) {
michael@0	185	PR_fprintf(outputFD, " Issued by: %s\n",
michael@0	186	issuerCert->nickname);
michael@0	187	rv = SECSuccess;
michael@0	188	}
michael@0	189	CERT_DestroyCertificate(issuerCert);
michael@0	190	}
michael@0	191	}
michael@0	192	if (rv && cert->issuerName && cert->issuerName[0]) {
michael@0	193	PR_fprintf(outputFD, " Issued by: %s \n", cert->issuerName);
michael@0	194	}
michael@0	195	{
michael@0	196	char *expires;
michael@0	197	expires = DER_TimeChoiceDayToAscii(&cert->validity.notAfter);
michael@0	198	if (expires) {
michael@0	199	PR_fprintf(outputFD, " Expires: %s\n", expires);
michael@0	200	PORT_Free(expires);
michael@0	201	}
michael@0	202	}
michael@0	203
michael@0	204	rv = CERT_VerifyCertNow (cert->dbhandle, cert,
michael@0	205	PR_TRUE, certUsageObjectSigner, &pwdata);
michael@0	206
michael@0	207	if (rv != SECSuccess) {
michael@0	208	rv = PORT_GetError();
michael@0	209	PR_fprintf(outputFD,
michael@0	210	" ++ Error ++ THIS CERTIFICATE IS NOT VALID (%s)\n",
michael@0	211	secErrorString(rv));
michael@0	212	}
michael@0	213	}
michael@0	214	}
michael@0	215
michael@0	216	return (SECSuccess);
michael@0	217	}
michael@0	218
michael@0	219