The Tor Browser / file comparison
comparison: security/nss/cmd/libpkix/sample_apps/validate_chain.c
security/nss/cmd/libpkix/sample_apps/validate_chain.c
- branch
- TOR_BUG_3246
- changeset 5
- 4ab42b5ab56c
equal
deleted
inserted
replaced
| -1:000000000000 | 0:99d1a695f8a0 |
|---|---|
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
| 4 /* | |
| 5 * validateChain.c | |
| 6 * | |
| 7 * Tests Cert Chain Validation | |
| 8 * | |
| 9 */ | |
| 10 | |
| 11 #include <stdio.h> | |
| 12 #include <string.h> | |
| 13 #include <stddef.h> | |
| 14 | |
| 15 #include "pkix_pl_generalname.h" | |
| 16 #include "pkix_pl_cert.h" | |
| 17 #include "pkix.h" | |
| 18 #include "testutil.h" | |
| 19 #include "prlong.h" | |
| 20 #include "plstr.h" | |
| 21 #include "prthread.h" | |
| 22 #include "nspr.h" | |
| 23 #include "prtypes.h" | |
| 24 #include "prtime.h" | |
| 25 #include "pk11func.h" | |
| 26 #include "secasn1.h" | |
| 27 #include "cert.h" | |
| 28 #include "cryptohi.h" | |
| 29 #include "secoid.h" | |
| 30 #include "certdb.h" | |
| 31 #include "secitem.h" | |
| 32 #include "keythi.h" | |
| 33 #include "nss.h" | |
| 34 | |
| 35 static void *plContext = NULL; | |
| 36 | |
| 37 static | |
| 38 void printUsage(void){ | |
| 39 (void) printf("\nUSAGE:\tvalidateChain <trustedCert> " | |
| 40 "<cert_1> <cert_2> ... <cert_n>\n"); | |
| 41 (void) printf("\tValidates a chain of n certificates " | |
| 42 "using the given trust anchor.\n"); | |
| 43 | |
| 44 } | |
| 45 | |
| 46 static PKIX_PL_Cert * | |
| 47 createCert(char *inFileName) | |
| 48 { | |
| 49 PKIX_PL_ByteArray *byteArray = NULL; | |
| 50 void *buf = NULL; | |
| 51 PRFileDesc *inFile = NULL; | |
| 52 PKIX_UInt32 len; | |
| 53 SECItem certDER; | |
| 54 SECStatus rv; | |
| 55 /* default: NULL cert (failure case) */ | |
| 56 PKIX_PL_Cert *cert = NULL; | |
| 57 | |
| 58 PKIX_TEST_STD_VARS(); | |
| 59 | |
| 60 certDER.data = NULL; | |
| 61 | |
| 62 inFile = PR_Open(inFileName, PR_RDONLY, 0); | |
| 63 | |
| 64 if (!inFile){ | |
| 65 pkixTestErrorMsg = "Unable to open cert file"; | |
| 66 goto cleanup; | |
| 67 } else { | |
| 68 rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE); | |
| 69 if (!rv){ | |
| 70 buf = (void *)certDER.data; | |
| 71 len = certDER.len; | |
| 72 | |
| 73 PKIX_TEST_EXPECT_NO_ERROR | |
| 74 (PKIX_PL_ByteArray_Create | |
| 75 (buf, len, &byteArray, plContext)); | |
| 76 | |
| 77 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create | |
| 78 (byteArray, &cert, plContext)); | |
| 79 | |
| 80 SECITEM_FreeItem(&certDER, PR_FALSE); | |
| 81 } else { | |
| 82 pkixTestErrorMsg = "Unable to read DER from cert file"; | |
| 83 goto cleanup; | |
| 84 } | |
| 85 } | |
| 86 | |
| 87 cleanup: | |
| 88 | |
| 89 if (inFile){ | |
| 90 PR_Close(inFile); | |
| 91 } | |
| 92 | |
| 93 if (PKIX_TEST_ERROR_RECEIVED){ | |
| 94 SECITEM_FreeItem(&certDER, PR_FALSE); | |
| 95 } | |
| 96 | |
| 97 PKIX_TEST_DECREF_AC(byteArray); | |
| 98 | |
| 99 PKIX_TEST_RETURN(); | |
| 100 | |
| 101 return (cert); | |
| 102 } | |
| 103 | |
| 104 int validate_chain(int argc, char *argv[]) | |
| 105 { | |
| 106 PKIX_TrustAnchor *anchor = NULL; | |
| 107 PKIX_List *anchors = NULL; | |
| 108 PKIX_List *certs = NULL; | |
| 109 PKIX_ProcessingParams *procParams = NULL; | |
| 110 PKIX_ValidateParams *valParams = NULL; | |
| 111 PKIX_ValidateResult *valResult = NULL; | |
| 112 PKIX_PL_X500Name *subject = NULL; | |
| 113 PKIX_ComCertSelParams *certSelParams = NULL; | |
| 114 PKIX_CertSelector *certSelector = NULL; | |
| 115 PKIX_VerifyNode *verifyTree = NULL; | |
| 116 PKIX_PL_String *verifyString = NULL; | |
| 117 | |
| 118 char *trustedCertFile = NULL; | |
| 119 char *chainCertFile = NULL; | |
| 120 PKIX_PL_Cert *trustedCert = NULL; | |
| 121 PKIX_PL_Cert *chainCert = NULL; | |
| 122 PKIX_UInt32 chainLength = 0; | |
| 123 PKIX_UInt32 i = 0; | |
| 124 PKIX_UInt32 j = 0; | |
| 125 PKIX_UInt32 actualMinorVersion; | |
| 126 | |
| 127 PKIX_TEST_STD_VARS(); | |
| 128 | |
| 129 if (argc < 3){ | |
| 130 printUsage(); | |
| 131 return (0); | |
| 132 } | |
| 133 | |
| 134 PKIX_TEST_EXPECT_NO_ERROR( | |
| 135 PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); | |
| 136 | |
| 137 chainLength = (argc - j) - 2; | |
| 138 | |
| 139 /* create processing params with list of trust anchors */ | |
| 140 trustedCertFile = argv[1+j]; | |
| 141 trustedCert = createCert(trustedCertFile); | |
| 142 | |
| 143 PKIX_TEST_EXPECT_NO_ERROR | |
| 144 (PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext)); | |
| 145 | |
| 146 PKIX_TEST_EXPECT_NO_ERROR | |
| 147 (PKIX_ComCertSelParams_Create(&certSelParams, plContext)); | |
| 148 | |
| 149 #if 0 | |
| 150 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject | |
| 151 (certSelParams, subject, plContext)); | |
| 152 #endif | |
| 153 | |
| 154 PKIX_TEST_EXPECT_NO_ERROR | |
| 155 (PKIX_CertSelector_Create | |
| 156 (NULL, NULL, &certSelector, plContext)); | |
| 157 | |
| 158 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams | |
| 159 (certSelector, certSelParams, plContext)); | |
| 160 | |
| 161 PKIX_TEST_DECREF_BC(subject); | |
| 162 PKIX_TEST_DECREF_BC(certSelParams); | |
| 163 | |
| 164 PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert | |
| 165 (trustedCert, &anchor, plContext)); | |
| 166 | |
| 167 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); | |
| 168 PKIX_TEST_EXPECT_NO_ERROR | |
| 169 (PKIX_List_AppendItem | |
| 170 (anchors, (PKIX_PL_Object *)anchor, plContext)); | |
| 171 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create | |
| 172 (anchors, &procParams, plContext)); | |
| 173 | |
| 174 PKIX_TEST_EXPECT_NO_ERROR | |
| 175 (PKIX_ProcessingParams_SetTargetCertConstraints | |
| 176 (procParams, certSelector, plContext)); | |
| 177 | |
| 178 PKIX_TEST_DECREF_BC(certSelector); | |
| 179 | |
| 180 /* create cert chain */ | |
| 181 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext)); | |
| 182 for (i = 0; i < chainLength; i++){ | |
| 183 chainCertFile = argv[(i + j) + 2]; | |
| 184 chainCert = createCert(chainCertFile); | |
| 185 | |
| 186 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem | |
| 187 (certs, | |
| 188 (PKIX_PL_Object *)chainCert, | |
| 189 plContext)); | |
| 190 | |
| 191 PKIX_TEST_DECREF_BC(chainCert); | |
| 192 chainCert = NULL; | |
| 193 } | |
| 194 /* create validate params with processing params and cert chain */ | |
| 195 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create | |
| 196 (procParams, certs, &valParams, plContext)); | |
| 197 | |
| 198 PKIX_TEST_DECREF_BC(trustedCert); trustedCert = NULL; | |
| 199 PKIX_TEST_DECREF_BC(anchor); anchor = NULL; | |
| 200 PKIX_TEST_DECREF_BC(anchors); anchors = NULL; | |
| 201 PKIX_TEST_DECREF_BC(certs); certs = NULL; | |
| 202 PKIX_TEST_DECREF_BC(procParams); procParams = NULL; | |
| 203 | |
| 204 /* validate cert chain using processing params and return valResult */ | |
| 205 | |
| 206 PKIX_TEST_EXPECT_NO_ERROR | |
| 207 (PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); | |
| 208 | |
| 209 if (valResult != NULL){ | |
| 210 (void) printf("SUCCESSFULLY VALIDATED\n"); | |
| 211 } | |
| 212 | |
| 213 cleanup: | |
| 214 | |
| 215 if (PKIX_TEST_ERROR_RECEIVED){ | |
| 216 (void) printf("FAILED TO VALIDATE\n"); | |
| 217 (void) PKIX_PL_Object_ToString | |
| 218 ((PKIX_PL_Object*)verifyTree, &verifyString, plContext); | |
| 219 (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString); | |
| 220 PKIX_TEST_DECREF_AC(verifyString); | |
| 221 | |
| 222 } | |
| 223 | |
| 224 PKIX_TEST_DECREF_AC(verifyTree); | |
| 225 PKIX_TEST_DECREF_AC(valResult); | |
| 226 PKIX_TEST_DECREF_AC(valParams); | |
| 227 | |
| 228 PKIX_TEST_RETURN(); | |
| 229 | |
| 230 PKIX_Shutdown(plContext); | |
| 231 | |
| 232 return (0); | |
| 233 | |
| 234 } |
