1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/cmd/signtool/list.c Wed Dec 31 06:09:35 2014 +0100
1.3 
@@ -0,0 +1,219 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +
1.8 +#include "signtool.h"
1.9 +#include "pk11func.h"
1.10 +#include "certdb.h"
1.11 +
1.12 +static int num_trav_certs = 0;
1.13 +static SECStatus cert_trav_callback(CERTCertificate *cert, SECItem *k,
1.14 + void *data);
1.15 +
1.16 +/*********************************************************************
1.17 + *
1.18 + * L i s t C e r t s
1.19 + */
1.20 +int
1.21 +ListCerts(char *key, int list_certs)
1.22 +{
1.23 + int failed = 0;
1.24 + SECStatus rv;
1.25 + char *ugly_list;
1.26 + CERTCertDBHandle * db;
1.27 +
1.28 + CERTCertificate * cert;
1.29 + CERTVerifyLog errlog;
1.30 +
1.31 + errlog.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1.32 + if ( errlog.arena == NULL) {
1.33 + out_of_memory();
1.34 + }
1.35 + errlog.head = NULL;
1.36 + errlog.tail = NULL;
1.37 + errlog.count = 0;
1.38 +
1.39 + ugly_list = PORT_ZAlloc (16);
1.40 +
1.41 + if (ugly_list == NULL) {
1.42 + out_of_memory();
1.43 + }
1.44 +
1.45 + *ugly_list = 0;
1.46 +
1.47 + db = CERT_GetDefaultCertDB();
1.48 +
1.49 + if (list_certs == 2) {
1.50 + PR_fprintf(outputFD, "\nS Certificates\n");
1.51 + PR_fprintf(outputFD, "- ------------\n");
1.52 + } else {
1.53 + PR_fprintf(outputFD, "\nObject signing certificates\n");
1.54 + PR_fprintf(outputFD, "---------------------------------------\n");
1.55 + }
1.56 +
1.57 + num_trav_certs = 0;
1.58 +
1.59 + /* Traverse ALL tokens in all slots, authenticating to them all */
1.60 + rv = PK11_TraverseSlotCerts(cert_trav_callback, (void * )&list_certs,
1.61 + &pwdata);
1.62 +
1.63 + if (rv) {
1.64 + PR_fprintf(outputFD, "**Traverse of ALL slots & tokens failed**\n");
1.65 + return - 1;
1.66 + }
1.67 +
1.68 + if (num_trav_certs == 0) {
1.69 + PR_fprintf(outputFD,
1.70 + "You don't appear to have any object signing 
certificates.\n");
1.71 + }
1.72 +
1.73 + if (list_certs == 2) {
1.74 + PR_fprintf(outputFD, "- ------------\n");
1.75 + } else {
1.76 + PR_fprintf(outputFD, "---------------------------------------\n");
1.77 + }
1.78 +
1.79 + if (list_certs == 1) {
1.80 + PR_fprintf(outputFD,
1.81 + "For a list including CA's, use \"%s -L\"\n", PROGRAM_NAME);
1.82 + }
1.83 +
1.84 + if (list_certs == 2) {
1.85 + PR_fprintf(outputFD,
1.86 + "Certificates that can be used to sign objects have *'s to "
1.87 + "their left.\n");
1.88 + }
1.89 +
1.90 + if (key) {
1.91 + /* Do an analysis of the given cert */
1.92 +
1.93 + cert = PK11_FindCertFromNickname(key, &pwdata);
1.94 +
1.95 + if (cert) {
1.96 + PR_fprintf(outputFD,
1.97 + "\nThe certificate with nickname \"%s\" was found:\n",
1.98 + cert->nickname);
1.99 + PR_fprintf(outputFD, "\tsubject name: %s\n", cert->subjectName);
1.100 + PR_fprintf(outputFD, "\tissuer name: %s\n", cert->issuerName);
1.101 +
1.102 + PR_fprintf(outputFD, "\n");
1.103 +
1.104 + rv = CERT_CertTimesValid (cert);
1.105 + if (rv != SECSuccess) {
1.106 + PR_fprintf(outputFD, "**This certificate is expired**\n");
1.107 + } else {
1.108 + PR_fprintf(outputFD, "This certificate is not expired.\n");
1.109 + }
1.110 +
1.111 + rv = CERT_VerifyCert (db, cert, PR_TRUE,
1.112 + certUsageObjectSigner, PR_Now(), &pwdata, &errlog);
1.113 +
1.114 + if (rv != SECSuccess) {
1.115 + failed = 1;
1.116 + if (errlog.count > 0) {
1.117 + PR_fprintf(outputFD,
1.118 + "**Certificate validation failed for the "
1.119 + "following reason(s):**\n");
1.120 + } else {
1.121 + PR_fprintf(outputFD, "**Certificate validation failed**");
1.122 + }
1.123 + } else {
1.124 + PR_fprintf(outputFD, "This certificate is valid.\n");
1.125 + }
1.126 + displayVerifyLog(&errlog);
1.127 +
1.128 +
1.129 + } else {
1.130 + failed = 1;
1.131 + PR_fprintf(outputFD,
1.132 + "The certificate with nickname \"%s\" was NOT FOUND\n", key);
1.133 + }
1.134 + }
1.135 +
1.136 + if (errlog.arena != NULL) {
1.137 + 
PORT_FreeArena(errlog.arena, PR_FALSE);
1.138 + }
1.139 +
1.140 + if (failed) {
1.141 + return - 1;
1.142 + }
1.143 + return 0;
1.144 +}
1.145 +
1.146 +
1.147 +/********************************************************************
1.148 + *
1.149 + * c e r t _ t r a v _ c a l l b a c k
1.150 + */
1.151 +static SECStatus
1.152 +cert_trav_callback(CERTCertificate *cert, SECItem *k, void *data)
1.153 +{
1.154 + int list_certs = 1;
1.155 + char *name;
1.156 +
1.157 + if (data) {
1.158 + list_certs = *((int * )data);
1.159 + }
1.160 +
1.161 +#define LISTING_USER_SIGNING_CERTS (list_certs == 1)
1.162 +#define LISTING_ALL_CERTS (list_certs == 2)
1.163 +
1.164 + name = cert->nickname;
1.165 + if (name) {
1.166 + int isSigningCert;
1.167 +
1.168 + isSigningCert = cert->nsCertType & NS_CERT_TYPE_OBJECT_SIGNING;
1.169 + if (!isSigningCert && LISTING_USER_SIGNING_CERTS)
1.170 + return (SECSuccess);
1.171 +
1.172 + /* Display this name or email address */
1.173 + num_trav_certs++;
1.174 +
1.175 + if (LISTING_ALL_CERTS) {
1.176 + PR_fprintf(outputFD, "%s ", isSigningCert ? 
"*" : " ");
1.177 + }
1.178 + PR_fprintf(outputFD, "%s\n", name);
1.179 +
1.180 + if (LISTING_USER_SIGNING_CERTS) {
1.181 + int rv = SECFailure;
1.182 + if (rv) {
1.183 + CERTCertificate * issuerCert;
1.184 + issuerCert = CERT_FindCertIssuer(cert, PR_Now(),
1.185 + certUsageObjectSigner);
1.186 + if (issuerCert) {
1.187 + if (issuerCert->nickname && issuerCert->nickname[0]) {
1.188 + PR_fprintf(outputFD, " Issued by: %s\n",
1.189 + issuerCert->nickname);
1.190 + rv = SECSuccess;
1.191 + }
1.192 + CERT_DestroyCertificate(issuerCert);
1.193 + }
1.194 + }
1.195 + if (rv && cert->issuerName && cert->issuerName[0]) {
1.196 + PR_fprintf(outputFD, " Issued by: %s \n", cert->issuerName);
1.197 + }
1.198 + {
1.199 + char *expires;
1.200 + expires = DER_TimeChoiceDayToAscii(&cert->validity.notAfter);
1.201 + if (expires) {
1.202 + PR_fprintf(outputFD, " Expires: %s\n", expires);
1.203 + PORT_Free(expires);
1.204 + }
1.205 + }
1.206 +
1.207 + rv = CERT_VerifyCertNow (cert->dbhandle, cert,
1.208 + PR_TRUE, certUsageObjectSigner, &pwdata);
1.209 +
1.210 + if (rv != SECSuccess) {
1.211 + rv = PORT_GetError();
1.212 + PR_fprintf(outputFD,
1.213 + " ++ Error ++ THIS CERTIFICATE IS NOT VALID (%s)\n",
1.214 + secErrorString(rv));
1.215 + }
1.216 + }
1.217 + }
1.218 +
1.219 + return (SECSuccess);
1.220 +}
1.221 +
1.222 +
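Review bot: ListCerts leaks on every path that is not the happy path: the early `return - 1;` after PK11_TraverseSlotCerts fails skips the PORT_FreeArena of errlog.arena at the bottom, the 16-byte `ugly_list` buffer is allocated, zeroed and then never read, written again or freed, and the certificate handed back by PK11_FindCertFromNickname is never released with CERT_DestroyCertificate, unlike the issuerCert in cert_trav_callback which is destroyed correctly. In a one-shot command-line tool the cost is small, but the missing CERT_DestroyCertificate is the pattern that causes real reference leaks once a function like this is called repeatedly, and the dead allocation is pure noise. I would drop ugly_list entirely, route the traverse failure through the common cleanup instead of returning early, and destroy the cert once displayVerifyLog has run; the "**Certificate validation failed**" message on the errlog.count == 0 path is also missing its trailing `\n`, so the next line of output is glued to it.
```c
    /* … unchanged: errlog arena setup (the unused ugly_list allocation is dropped) … */
    rv = PK11_TraverseSlotCerts(cert_trav_callback, (void *)&list_certs, &pwdata);
    if (rv) {
        PR_fprintf(outputFD, "**Traverse of ALL slots & tokens failed**\n");
        failed = 1;
        goto done; /* still release errlog.arena */
    }
    /* … unchanged: summary output, PK11_FindCertFromNickname, expiry and CERT_VerifyCert reporting … */
            displayVerifyLog(&errlog);
            CERT_DestroyCertificate(cert); /* drop the reference PK11_FindCertFromNickname returned */
    /* … unchanged: NOT FOUND branch … */
done:
    if (errlog.arena != NULL) {
        PORT_FreeArena(errlog.arena, PR_FALSE);
    }
    return failed ? -1 : 0;
```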