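--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/validate_chain.c
@@ -0,0 +1,234 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * validateChain.c
+ *
+ * Tests Cert Chain Validation
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+
+#include "pkix_pl_generalname.h"
+#include "pkix_pl_cert.h"
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "secitem.h"
+#include "keythi.h"
+#include "nss.h"
+
+static void *plContext = NULL;
+
+static
+void printUsage(void){
+ (void) printf("\nUSAGE:\tvalidateChain <trustedCert> "
+ "<cert_1> <cert_2> ... <cert_n>\n");
+ (void) printf("\tValidates a chain of n certificates "
+ "using the given trust anchor.\n");
+
+}
+
+static PKIX_PL_Cert *
+createCert(char *inFileName)
+{
+ PKIX_PL_ByteArray *byteArray = NULL;
+ void *buf = NULL;
+ PRFileDesc *inFile = NULL;
+ PKIX_UInt32 len;
+ SECItem certDER;
+ SECStatus rv;
+ /* default: NULL cert (failure case) */
+ PKIX_PL_Cert *cert = NULL;
+
+ PKIX_TEST_STD_VARS();
+
+ certDER.data = NULL;
+
+ inFile = PR_Open(inFileName, PR_RDONLY, 0);
+
+ if (!inFile){
+ pkixTestErrorMsg = "Unable to open cert file";
+ goto cleanup;
+ } else {
+ rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
+ if (!rv){
+ buf = (void *)certDER.data;
+ len = certDER.len;
+
+ PKIX_TEST_EXPECT_NO_ERROR
+ (PKIX_PL_ByteArray_Create
+ (buf, len, &byteArray, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create
+ (byteArray, &cert, plContext));
+
+ SECITEM_FreeItem(&certDER, PR_FALSE);
+ } else {
+ pkixTestErrorMsg = "Unable to read DER from cert file";
+ goto cleanup;
+ }
+ }
+
+cleanup:
+
+ if (inFile){
+ PR_Close(inFile);
+ }
+
+ if (PKIX_TEST_ERROR_RECEIVED){
+ SECITEM_FreeItem(&certDER, PR_FALSE);
+ }
+
+ PKIX_TEST_DECREF_AC(byteArray);
+
+ PKIX_TEST_RETURN();
+
+ return (cert);
+}
+
+int validate_chain(int argc, char *argv[])
+{
+ PKIX_TrustAnchor *anchor = NULL;
+ PKIX_List *anchors = NULL;
+ PKIX_List *certs = NULL;
+ PKIX_ProcessingParams *procParams = NULL;
+ PKIX_ValidateParams *valParams = NULL;
+ PKIX_ValidateResult *valResult = NULL;
+ PKIX_PL_X500Name *subject = NULL;
+ PKIX_ComCertSelParams *certSelParams = NULL;
+ PKIX_CertSelector *certSelector = NULL;
+ PKIX_VerifyNode *verifyTree = NULL;
+ PKIX_PL_String *verifyString = NULL;
+
+ char *trustedCertFile = NULL;
+ char *chainCertFile = NULL;
+ PKIX_PL_Cert *trustedCert = NULL;
+ PKIX_PL_Cert *chainCert = NULL;
+ PKIX_UInt32 chainLength = 0;
+ PKIX_UInt32 i = 0;
+ PKIX_UInt32 j = 0;
+ PKIX_UInt32 actualMinorVersion;
+
+ PKIX_TEST_STD_VARS();
+
+ if (argc < 3){
+ printUsage();
+ return (0);
+ }
+
+ PKIX_TEST_EXPECT_NO_ERROR(
+ PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+ chainLength = (argc - j) - 2;
+
+ /* create processing params with list of trust anchors */
+ trustedCertFile = argv[1+j];
+ trustedCert = createCert(trustedCertFile);
+
+ PKIX_TEST_EXPECT_NO_ERROR
+ (PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR
+ (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
+
+#if 0
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject
+ (certSelParams, subject, plContext));
+#endif
+
+ PKIX_TEST_EXPECT_NO_ERROR
+ (PKIX_CertSelector_Create
+ (NULL, NULL, &certSelector, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
+ (certSelector, certSelParams, plContext));
+
+ PKIX_TEST_DECREF_BC(subject);
+ PKIX_TEST_DECREF_BC(certSelParams);
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
+ (trustedCert, &anchor, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+ PKIX_TEST_EXPECT_NO_ERROR
+ (PKIX_List_AppendItem
+ (anchors, (PKIX_PL_Object *)anchor, plContext));
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
+ (anchors, &procParams, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR
+ (PKIX_ProcessingParams_SetTargetCertConstraints
+ (procParams, certSelector, plContext));
+
+ PKIX_TEST_DECREF_BC(certSelector);
+
+ /* create cert chain */
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
+ for (i = 0; i < chainLength; i++){
+ chainCertFile = argv[(i + j) + 2];
+ chainCert = createCert(chainCertFile);
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
+ (certs,
+ (PKIX_PL_Object *)chainCert,
+ plContext));
+
+ PKIX_TEST_DECREF_BC(chainCert);
+ chainCert = NULL;
+ }
+ /* create validate params with processing params and cert chain */
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create
+ (procParams, certs, &valParams, plContext));
+
+ PKIX_TEST_DECREF_BC(trustedCert); trustedCert = NULL;
+ PKIX_TEST_DECREF_BC(anchor); anchor = NULL;
+ PKIX_TEST_DECREF_BC(anchors); anchors = NULL;
+ PKIX_TEST_DECREF_BC(certs); certs = NULL;
+ PKIX_TEST_DECREF_BC(procParams); procParams = NULL;
+
+ /* validate cert chain using processing params and return valResult */
+
+ PKIX_TEST_EXPECT_NO_ERROR
+ (PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext));
+
+ if (valResult != NULL){
+ (void) printf("SUCCESSFULLY VALIDATED\n");
+ }
+
+cleanup:
+
+ if (PKIX_TEST_ERROR_RECEIVED){
+ (void) printf("FAILED TO VALIDATE\n");
+ (void) PKIX_PL_Object_ToString
+ ((PKIX_PL_Object*)verifyTree, &verifyString, plContext);
+ (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
+ PKIX_TEST_DECREF_AC(verifyString);
+
+ }
+
+ PKIX_TEST_DECREF_AC(verifyTree);
+ PKIX_TEST_DECREF_AC(valResult);
+ PKIX_TEST_DECREF_AC(valParams);
+
+ PKIX_TEST_RETURN();
+
+ PKIX_Shutdown(plContext);
+
+ return (0);
+
+}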
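Review bot: The failure branch under `cleanup:` in validate_chain dereferences `verifyString->escAsciiString` without checking that `PKIX_PL_Object_ToString` succeeded, and `verifyTree` is only filled in by the `PKIX_ValidateChain` call just above it. Any error raised earlier — an unreadable cert file from createCert, a failed `PKIX_PL_NssContext_Create`, a NULL `trustedCert` reaching `PKIX_PL_Cert_GetSubject` — jumps to `cleanup` with `verifyTree` still NULL; the discarded ToString return then (presumably, given libpkix's argument checks) leaves `verifyString` NULL and the printf is a NULL dereference instead of the intended "FAILED TO VALIDATE" diagnostic. Guard both the ToString call and the printf on the pointers actually being set, as below; the same branch could also note that `actualMinorVersion` is declared but never used. The `PKIX_Shutdown(plContext)` after `PKIX_TEST_RETURN()` likewise runs when context creation itself failed, which is worth a comment if that is intended.
```c
cleanup:

    if (PKIX_TEST_ERROR_RECEIVED){
        (void) printf("FAILED TO VALIDATE\n");
        /* verifyTree is only produced by PKIX_ValidateChain; a failure
         * before that point leaves it NULL, and ToString would then leave
         * verifyString NULL as well. */
        if (verifyTree != NULL) {
            (void) PKIX_PL_Object_ToString
                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext);
        }
        if (verifyString != NULL) {
            (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
        }
        PKIX_TEST_DECREF_AC(verifyString);
    }
    /* … unchanged: remaining DECREFs, PKIX_TEST_RETURN, shutdown … */
```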