security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
michael@0 2 /* vim: set ts=2 sw=2 tw=80 et: */
michael@0 3 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 4 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 6
/* This simple program takes a database directory and one or more tuples of the
 * form <typeOfResponse> <CertNick> <ExtraCertNick> <outputFilename>
 * and generates one OCSP response per tuple.
 */
michael@0 11
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "mozilla/ArrayUtils.h"

#include "nspr.h"
#include "nss.h"
#include "plarenas.h"
#include "prerror.h"
#include "ssl.h"
#include "secerr.h"

#include "OCSPCommon.h"
#include "ScopedNSSTypes.h"
#include "TLSServer.h"
michael@0 26
michael@0 27 using namespace mozilla;
michael@0 28 using namespace mozilla::test;
michael@0 29
// One row of the keyword table: the response-type keyword accepted on the
// command line and the OCSPResponseType it selects.
struct OCSPResponseName {
  const char* mTypeString;      // keyword exactly as typed on the command line
  const OCSPResponseType mORT;  // response type generated for that keyword
};
michael@0 35
// Keyword table consulted by stringToOCSPResponseType. The keyword column is
// matched verbatim, so the spellings here are the ones the test harness uses.
static const OCSPResponseName kOCSPResponseNameList[] = {
  { "good",                  ORTGood },                      // the certificate is good
  { "revoked",               ORTRevoked },                   // the certificate has been revoked
  { "unknown",               ORTUnknown },                   // the responder doesn't know if the cert is good
  { "goodotherca",           ORTGoodOtherCA },               // the wrong CA has signed the response
  { "expiredresponse",       ORTExpired },                   // the signature on the response has expired
  { "oldvalidperiod",        ORTExpiredFreshCA },            // fresh signature, but old validity period
  { "empty",                 ORTEmpty },                     // an empty stapled response

  { "malformed",             ORTMalformed },                 // the response from the responder was malformed
  { "serverr",               ORTSrverr },                    // the response indicates there was a server error
  { "trylater",              ORTTryLater },                  // the responder replied with "try again later"
  { "resp-unsigned",         ORTNeedsSig },                  // the response needs a signature
  { "unauthorized",          ORTUnauthorized },              // the responder does not know about the cert
  { "bad-signature",         ORTBadSignature },              // the response has a bad signature
  { "longvalidityalmostold", ORTLongValidityAlmostExpired }, // still valid, but the generation is almost a year old
  { "ancientstillvalid",     ORTAncientAlmostExpired },      // still valid, but the generation is almost two years old
};
michael@0 66
michael@0 67
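// Looks up the response type selected by a command-line keyword.
//
// respText: keyword as given on the command line (may be null).
// OCSPType: receives the matching OCSPResponseType on success.
// Returns true and sets *OCSPType when respText names an entry of
// kOCSPResponseNameList; returns false (leaving *OCSPType untouched) when
// either pointer is null or the keyword is unknown.
bool
stringToOCSPResponseType(const char* respText,
                         /*out*/ OCSPResponseType* OCSPType)
{
  // strcmp on a null keyword is undefined behaviour; reject it here rather
  // than relying on every caller to check.
  if (!respText || !OCSPType) {
    return false;
  }
  for (const OCSPResponseName& entry : kOCSPResponseNameList) {
    if (strcmp(respText, entry.mTypeString) == 0) {
      *OCSPType = entry.mORT;
      return true;
    }
  }
  return false;
}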
michael@0 83
// Writes the bytes of |item| to |filename|, creating the file or truncating
// an existing one (mode 0644). Prints a diagnostic and returns false when the
// arguments are invalid, the file cannot be opened, or fewer than item->len
// bytes were written; returns true otherwise.
bool
WriteResponse(const char* filename, const SECItem* item)
{
  const bool argsValid = filename && item && item->data;
  if (!argsValid) {
    PR_fprintf(PR_STDERR, "invalid parameters to WriteResponse");
    return false;
  }

  const PRIntn openFlags = PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE;
  ScopedPRFileDesc outFile(PR_Open(filename, openFlags, 0644));
  if (!outFile) {
    PrintPRError("cannot open file for writing");
    return false;
  }

  // A short write is treated as a failure, not retried.
  const int32_t written = PR_Write(outFile, item->data, item->len);
  const bool wroteAll = written >= 0 &&
                        static_cast<uint32_t>(written) == item->len;
  if (!wroteAll) {
    PrintPRError("File write failure");
    return false;
  }
  return true;
}
michael@0 107
michael@0 108
michael@0 109
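// Generates one OCSP response of the type named by |ocspTypeText| for the
// certificate with nickname |certNick| (|extraCertname| is forwarded to the
// generator) and writes its first item to |filename|. Response memory is
// taken from |arena|. Prints a diagnostic and returns false on the first
// failure; returns true once the file has been written.
static bool
GenerateResponseFile(const char* ocspTypeText, const char* certNick,
                     const char* extraCertname, const char* filename,
                     PLArenaPool* arena)
{
  OCSPResponseType ORT;
  if (!stringToOCSPResponseType(ocspTypeText, &ORT)) {
    PR_fprintf(PR_STDERR, "Cannot generate OCSP response of type %s\n",
               ocspTypeText);
    return false;
  }

  ScopedCERTCertificate cert(PK11_FindCertFromNickname(certNick, nullptr));
  if (!cert) {
    PR_fprintf(PR_STDERR, "Failed to find certificate with nick '%s'\n",
               certNick);
    return false;
  }

  SECItemArray* response = GetOCSPResponseForType(ORT, cert, arena,
                                                  extraCertname);
  // Guard the items[0] access below: an empty array is a failure as well.
  if (!response || response->len == 0) {
    PR_fprintf(PR_STDERR, "Failed to generate OCSP response of type %s "
                          "for %s\n", ocspTypeText, certNick);
    return false;
  }

  if (!WriteResponse(filename, &response->items[0])) {
    PR_fprintf(PR_STDERR, "Failed to write file %s\n", filename);
    return false;
  }
  return true;
}

// Entry point. argv[1] is the NSS database directory; it is followed by one
// or more 4-tuples <responsetype> <cert_nick> <extranick> <outfilename>.
// Processing stops at the first tuple that fails. Returns 0 when every
// response file was written and EXIT_FAILURE (after a diagnostic) otherwise.
// Returning rather than calling exit() lets scoped NSS objects be released
// before NSS_Shutdown runs.
int
main(int argc, char* argv[])
{
  // Need the program name, the DB directory and at least one complete tuple.
  if (argc < 6 || (argc - 6) % 4 != 0) {
    PR_fprintf(PR_STDERR, "usage: %s <NSS DB directory> <responsetype> "
                          "<cert_nick> <extranick> <outfilename> [<resptype> "
                          "<cert_nick> <extranick> <outfilename>]* \n",
               argv[0]);
    return EXIT_FAILURE;
  }
  const char* dbdir = argv[1];

  if (NSS_Init(dbdir) != SECSuccess) {
    PrintPRError("Failed to initialize NSS");
    return EXIT_FAILURE;
  }
  // One arena backs every generated response for the life of the program.
  PLArenaPool* arena = PORT_NewArena(256 * argc);
  if (!arena) {
    PrintPRError("PORT_NewArena failed");
    NSS_Shutdown();
    return EXIT_FAILURE;
  }

  bool ok = true;
  for (int i = 2; ok && i + 3 < argc; i += 4) {
    ok = GenerateResponseFile(argv[i], argv[i + 1], argv[i + 2], argv[i + 3],
                              arena);
  }

  PORT_FreeArena(arena, false);
  NSS_Shutdown();
  return ok ? 0 : EXIT_FAILURE;
}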
