summaryrefslogtreecommitdiffstats
path: root/security/nss/cmd/libpkix/sample_apps
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 14:29:10 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 14:29:10 +0000
commit2aa4a82499d4becd2284cdb482213d541b8804dd (patch)
treeb80bf8bf13c3766139fbacc530efd0dd9d54394c /security/nss/cmd/libpkix/sample_apps
parentInitial commit. (diff)
downloadfirefox-upstream.tar.xz
firefox-upstream.zip
Adding upstream version 86.0.1.upstream/86.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/nss/cmd/libpkix/sample_apps')
-rwxr-xr-xsecurity/nss/cmd/libpkix/sample_apps/Makefile46
-rw-r--r--security/nss/cmd/libpkix/sample_apps/build_chain.c242
-rw-r--r--security/nss/cmd/libpkix/sample_apps/dumpcert.c182
-rw-r--r--security/nss/cmd/libpkix/sample_apps/dumpcrl.c186
-rwxr-xr-xsecurity/nss/cmd/libpkix/sample_apps/manifest.mn23
-rw-r--r--security/nss/cmd/libpkix/sample_apps/validate_chain.c220
6 files changed, 899 insertions, 0 deletions
diff --git a/security/nss/cmd/libpkix/sample_apps/Makefile b/security/nss/cmd/libpkix/sample_apps/Makefile
new file mode 100755
index 0000000000..daa8765778
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/Makefile
@@ -0,0 +1,46 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY). #
+#######################################################################
+
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL) #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL). #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL) #
+#######################################################################
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL). #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/sample_apps/build_chain.c b/security/nss/cmd/libpkix/sample_apps/build_chain.c
new file mode 100644
index 0000000000..38bf1d9f3a
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/build_chain.c
@@ -0,0 +1,242 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * buildChain.c
+ *
+ * Tests Cert Chain Building
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+
+#include "pkix_pl_generalname.h"
+#include "pkix_pl_cert.h"
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "secitem.h"
+#include "keythi.h"
+#include "nss.h"
+
+static void *plContext = NULL;
+
+static void
+printUsage(void)
+{
+ (void)printf("\nUSAGE:\tbuildChain "
+ "<trustedCert> <targetCert> <certStoreDirectory>\n\n");
+ (void)printf("Builds a chain of certificates between "
+ "<trustedCert> and <targetCert>\n"
+ "using the certs and CRLs in <certStoreDirectory>.\n");
+}
+
+static PKIX_PL_Cert *
+createCert(char *inFileName)
+{
+ PKIX_PL_ByteArray *byteArray = NULL;
+ void *buf = NULL;
+ PRFileDesc *inFile = NULL;
+ PKIX_UInt32 len;
+ SECItem certDER;
+ SECStatus rv;
+ /* default: NULL cert (failure case) */
+ PKIX_PL_Cert *cert = NULL;
+
+ PKIX_TEST_STD_VARS();
+
+ certDER.data = NULL;
+
+ inFile = PR_Open(inFileName, PR_RDONLY, 0);
+
+ if (!inFile) {
+ pkixTestErrorMsg = "Unable to open cert file";
+ goto cleanup;
+ } else {
+ rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
+ if (!rv) {
+ buf = (void *)certDER.data;
+ len = certDER.len;
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create(byteArray, &cert, plContext));
+
+ SECITEM_FreeItem(&certDER, PR_FALSE);
+ } else {
+ pkixTestErrorMsg = "Unable to read DER from cert file";
+ goto cleanup;
+ }
+ }
+
+cleanup:
+
+ if (inFile) {
+ PR_Close(inFile);
+ }
+
+ if (PKIX_TEST_ERROR_RECEIVED) {
+ SECITEM_FreeItem(&certDER, PR_FALSE);
+ }
+
+ PKIX_TEST_DECREF_AC(byteArray);
+
+ PKIX_TEST_RETURN();
+
+ return (cert);
+}
+
+int
+build_chain(int argc, char *argv[])
+{
+ PKIX_BuildResult *buildResult = NULL;
+ PKIX_ComCertSelParams *certSelParams = NULL;
+ PKIX_CertSelector *certSelector = NULL;
+ PKIX_TrustAnchor *anchor = NULL;
+ PKIX_List *anchors = NULL;
+ PKIX_List *certs = NULL;
+ PKIX_PL_Cert *cert = NULL;
+ PKIX_ProcessingParams *procParams = NULL;
+ char *trustedCertFile = NULL;
+ char *targetCertFile = NULL;
+ char *storeDirAscii = NULL;
+ PKIX_PL_String *storeDirString = NULL;
+ PKIX_PL_Cert *trustedCert = NULL;
+ PKIX_PL_Cert *targetCert = NULL;
+ PKIX_UInt32 actualMinorVersion, numCerts, i;
+ PKIX_UInt32 j = 0;
+ PKIX_CertStore *certStore = NULL;
+ PKIX_List *certStores = NULL;
+ char *asciiResult = NULL;
+ PKIX_Boolean useArenas = PKIX_FALSE;
+ void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */
+ void *nbioContext = NULL;
+
+ PKIX_TEST_STD_VARS();
+
+ if (argc < 4) {
+ printUsage();
+ return (0);
+ }
+
+ useArenas = PKIX_TEST_ARENAS_ARG(argv[1]);
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_Initialize(PKIX_TRUE, /* nssInitNeeded */
+ useArenas,
+ PKIX_MAJOR_VERSION,
+ PKIX_MINOR_VERSION,
+ PKIX_MINOR_VERSION,
+ &actualMinorVersion,
+ &plContext));
+
+ /* create processing params with list of trust anchors */
+ trustedCertFile = argv[j + 1];
+ trustedCert = createCert(trustedCertFile);
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));
+
+ /* create CertSelector with target certificate in params */
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
+
+ targetCertFile = argv[j + 2];
+ targetCert = createCert(targetCertFile);
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));
+
+ /* create CertStores */
+
+ storeDirAscii = argv[j + 3];
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, storeDirAscii, 0, &storeDirString, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(storeDirString, &certStore, plContext));
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext));
+
+ /* build cert chain using processing params and return buildResult */
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildChain(procParams,
+ &nbioContext,
+ &buildState,
+ &buildResult,
+ NULL,
+ plContext));
+
+ /*
+ * As long as we use only CertStores with blocking I/O, we can omit
+ * checking for completion with nbioContext.
+ */
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext));
+
+ printf("\n");
+
+ for (i = 0; i < numCerts; i++) {
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, i, (PKIX_PL_Object **)&cert, plContext));
+
+ asciiResult = PKIX_Cert2ASCII(cert);
+
+ printf("CERT[%d]:\n%s\n", i, asciiResult);
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, plContext));
+ asciiResult = NULL;
+
+ PKIX_TEST_DECREF_BC(cert);
+ }
+
+cleanup:
+
+ if (PKIX_TEST_ERROR_RECEIVED) {
+ (void)printf("FAILED TO BUILD CHAIN\n");
+ } else {
+ (void)printf("SUCCESSFULLY BUILT CHAIN\n");
+ }
+
+ PKIX_PL_Free(asciiResult, plContext);
+
+ PKIX_TEST_DECREF_AC(certs);
+ PKIX_TEST_DECREF_AC(cert);
+ PKIX_TEST_DECREF_AC(certStore);
+ PKIX_TEST_DECREF_AC(certStores);
+ PKIX_TEST_DECREF_AC(storeDirString);
+ PKIX_TEST_DECREF_AC(trustedCert);
+ PKIX_TEST_DECREF_AC(targetCert);
+ PKIX_TEST_DECREF_AC(anchor);
+ PKIX_TEST_DECREF_AC(anchors);
+ PKIX_TEST_DECREF_AC(procParams);
+ PKIX_TEST_DECREF_AC(certSelParams);
+ PKIX_TEST_DECREF_AC(certSelector);
+ PKIX_TEST_DECREF_AC(buildResult);
+
+ PKIX_TEST_RETURN();
+
+ PKIX_Shutdown(plContext);
+
+ return (0);
+}
diff --git a/security/nss/cmd/libpkix/sample_apps/dumpcert.c b/security/nss/cmd/libpkix/sample_apps/dumpcert.c
new file mode 100644
index 0000000000..6ff5f83779
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/dumpcert.c
@@ -0,0 +1,182 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * dumpcert.c
+ *
+ * dump certificate sample application
+ *
+ */
+
+#include <stdio.h>
+
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "plarena.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secasn1t.h"
+#include "certt.h"
+
+static void *plContext = NULL;
+
+static void
+printUsage(void)
+{
+ (void)printf("\nUSAGE:\tdumpcert <certFile>\n");
+ (void)printf("\tParses a certificate located at <certFile> "
+ "and displays it.\n");
+}
+
+static void
+printFailure(char *msg)
+{
+ (void)printf("FAILURE: %s\n", msg);
+}
+
+static PKIX_PL_Cert *
+createCert(char *inFileName)
+{
+ PKIX_PL_ByteArray *byteArray = NULL;
+ PKIX_PL_Cert *cert = NULL;
+ PKIX_Error *error = NULL;
+ PRFileDesc *inFile = NULL;
+ SECItem certDER;
+ void *buf = NULL;
+ PKIX_UInt32 len;
+ SECStatus rv = SECFailure;
+
+ certDER.data = NULL;
+
+ inFile = PR_Open(inFileName, PR_RDONLY, 0);
+
+ if (!inFile) {
+ printFailure("Unable to open cert file");
+ goto cleanup;
+ } else {
+ rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
+ if (!rv) {
+ buf = (void *)certDER.data;
+ len = certDER.len;
+
+ error = PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext);
+
+ if (error) {
+ printFailure("PKIX_PL_ByteArray_Create failed");
+ goto cleanup;
+ }
+
+ error = PKIX_PL_Cert_Create(byteArray, &cert, plContext);
+
+ if (error) {
+ printFailure("PKIX_PL_Cert_Create failed");
+ goto cleanup;
+ }
+ } else {
+ printFailure("Unable to read DER from cert file");
+ goto cleanup;
+ }
+ }
+
+cleanup:
+
+ if (inFile) {
+ PR_Close(inFile);
+ }
+
+ if (rv == SECSuccess) {
+ SECITEM_FreeItem(&certDER, PR_FALSE);
+ }
+
+ if (byteArray) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)(byteArray), plContext);
+ }
+
+ return (cert);
+}
+
+int
+dumpcert(int argc, char *argv[])
+{
+
+ PKIX_PL_String *string = NULL;
+ PKIX_PL_Cert *cert = NULL;
+ PKIX_Error *error = NULL;
+ char *ascii = NULL;
+ PKIX_UInt32 length = 0;
+ PKIX_UInt32 j = 0;
+ PKIX_Boolean useArenas = PKIX_FALSE;
+ PKIX_UInt32 actualMinorVersion;
+
+ PKIX_TEST_STD_VARS();
+
+ if (argc == 1) {
+ printUsage();
+ return (0);
+ }
+
+ useArenas = PKIX_TEST_ARENAS_ARG(argv[1]);
+
+ PKIX_Initialize(PKIX_TRUE, /* nssInitNeeded */
+ useArenas,
+ PKIX_MAJOR_VERSION,
+ PKIX_MINOR_VERSION,
+ PKIX_MINOR_VERSION,
+ &actualMinorVersion,
+ &plContext);
+
+ cert = createCert(argv[1 + j]);
+
+ if (cert) {
+
+ error = PKIX_PL_Object_ToString((PKIX_PL_Object *)cert, &string, plContext);
+
+ if (error) {
+ printFailure("Unable to get string representation "
+ "of cert");
+ goto cleanup;
+ }
+
+ error = PKIX_PL_String_GetEncoded(string,
+ PKIX_ESCASCII,
+ (void **)&ascii,
+ &length,
+ plContext);
+
+ if (error || !ascii) {
+ printFailure("Unable to get ASCII encoding of string");
+ goto cleanup;
+ }
+
+ (void)printf("OUTPUT:\n%s\n", ascii);
+
+ } else {
+ printFailure("Unable to create certificate");
+ goto cleanup;
+ }
+
+cleanup:
+
+ if (cert) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)(cert), plContext);
+ }
+
+ if (string) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)(string), plContext);
+ }
+
+ if (ascii) {
+ PKIX_PL_Free((PKIX_PL_Object *)(ascii), plContext);
+ }
+
+ PKIX_Shutdown(plContext);
+
+ PKIX_TEST_RETURN();
+
+ endTests("DUMPCERT");
+
+ return (0);
+}
diff --git a/security/nss/cmd/libpkix/sample_apps/dumpcrl.c b/security/nss/cmd/libpkix/sample_apps/dumpcrl.c
new file mode 100644
index 0000000000..642601409a
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/dumpcrl.c
@@ -0,0 +1,186 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * dumpcrl.c
+ *
+ * dump CRL sample application
+ *
+ */
+
+#include <stdio.h>
+
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "plarena.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secasn1t.h"
+#include "certt.h"
+
+static void *plContext = NULL;
+
+static void
+printUsage(void)
+{
+ (void)printf("\nUSAGE:\tdumpcrl <crlFile>\n");
+ (void)printf("\tParses a CRL located at <crlFile> "
+ "and displays it.\n");
+}
+
+static void
+printFailure(char *msg)
+{
+ (void)printf("FAILURE: %s\n", msg);
+}
+
+static PKIX_PL_CRL *
+createCRL(char *inFileName)
+{
+ PKIX_PL_ByteArray *byteArray = NULL;
+ PKIX_PL_CRL *crl = NULL;
+ PKIX_Error *error = NULL;
+ PRFileDesc *inFile = NULL;
+ SECItem crlDER;
+ void *buf = NULL;
+ PKIX_UInt32 len;
+ SECStatus rv;
+
+ PKIX_TEST_STD_VARS();
+
+ crlDER.data = NULL;
+
+ inFile = PR_Open(inFileName, PR_RDONLY, 0);
+
+ if (!inFile) {
+ printFailure("Unable to open crl file");
+ goto cleanup;
+ } else {
+ rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
+ if (!rv) {
+ buf = (void *)crlDER.data;
+ len = crlDER.len;
+
+ error = PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext);
+
+ if (error) {
+ printFailure("PKIX_PL_ByteArray_Create failed");
+ goto cleanup;
+ }
+
+ error = PKIX_PL_CRL_Create(byteArray, &crl, plContext);
+ if (error) {
+ printFailure("PKIX_PL_CRL_Create failed");
+ goto cleanup;
+ }
+
+ SECITEM_FreeItem(&crlDER, PR_FALSE);
+ } else {
+ printFailure("Unable to read DER from crl file");
+ goto cleanup;
+ }
+ }
+
+cleanup:
+
+ if (inFile) {
+ PR_Close(inFile);
+ }
+
+ if (error) {
+ SECITEM_FreeItem(&crlDER, PR_FALSE);
+ }
+
+ if (byteArray) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)(byteArray), plContext);
+ }
+
+ PKIX_TEST_RETURN();
+
+ return (crl);
+}
+
+int
+dumpcrl(int argc, char *argv[])
+{
+
+ PKIX_PL_String *string = NULL;
+ PKIX_PL_CRL *crl = NULL;
+ PKIX_Error *error = NULL;
+ char *ascii = NULL;
+ PKIX_UInt32 length;
+ PKIX_UInt32 actualMinorVersion;
+ PKIX_UInt32 j = 0;
+ PKIX_Boolean useArenas = PKIX_FALSE;
+
+ PKIX_TEST_STD_VARS();
+
+ if (argc == 1) {
+ printUsage();
+ return (0);
+ }
+
+ useArenas = PKIX_TEST_ARENAS_ARG(argv[1]);
+
+ PKIX_Initialize(PKIX_TRUE, /* nssInitNeeded */
+ useArenas,
+ PKIX_MAJOR_VERSION,
+ PKIX_MINOR_VERSION,
+ PKIX_MINOR_VERSION,
+ &actualMinorVersion,
+ &plContext);
+
+ crl = createCRL(argv[j + 1]);
+
+ if (crl) {
+
+ error = PKIX_PL_Object_ToString((PKIX_PL_Object *)crl, &string, plContext);
+
+ if (error) {
+ printFailure("Unable to get string representation "
+ "of crl");
+ goto cleanup;
+ }
+
+ error = PKIX_PL_String_GetEncoded(string,
+ PKIX_ESCASCII,
+ (void **)&ascii,
+ &length,
+ plContext);
+ if (error || !ascii) {
+ printFailure("Unable to get ASCII encoding of string");
+ goto cleanup;
+ }
+
+ (void)printf("OUTPUT:\n%s\n", ascii);
+
+ } else {
+ printFailure("Unable to create CRL");
+ goto cleanup;
+ }
+
+cleanup:
+
+ if (crl) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)(crl), plContext);
+ }
+
+ if (string) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)(string), plContext);
+ }
+
+ if (ascii) {
+ PKIX_PL_Free((PKIX_PL_Object *)(ascii), plContext);
+ }
+
+ PKIX_Shutdown(plContext);
+
+ PKIX_TEST_RETURN();
+
+ endTests("DUMPCRL");
+
+ return (0);
+}
diff --git a/security/nss/cmd/libpkix/sample_apps/manifest.mn b/security/nss/cmd/libpkix/sample_apps/manifest.mn
new file mode 100755
index 0000000000..32926cc1bb
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/manifest.mn
@@ -0,0 +1,23 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+PKIX_DEPTH = ..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = dumpcert.c \
+ dumpcrl.c \
+ validate_chain.c \
+ build_chain.c \
+ $(NULL)
+
+LIBRARY_NAME=pkixtoolsmplapps
+
+SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/sample_apps/validate_chain.c b/security/nss/cmd/libpkix/sample_apps/validate_chain.c
new file mode 100644
index 0000000000..1ccf364e0c
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/validate_chain.c
@@ -0,0 +1,220 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * validateChain.c
+ *
+ * Tests Cert Chain Validation
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+
+#include "pkix_pl_generalname.h"
+#include "pkix_pl_cert.h"
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "secitem.h"
+#include "keythi.h"
+#include "nss.h"
+
+static void *plContext = NULL;
+
+static void
+printUsage(void)
+{
+ (void)printf("\nUSAGE:\tvalidateChain <trustedCert> "
+ "<cert_1> <cert_2> ... <cert_n>\n");
+ (void)printf("\tValidates a chain of n certificates "
+ "using the given trust anchor.\n");
+}
+
+static PKIX_PL_Cert *
+createCert(char *inFileName)
+{
+ PKIX_PL_ByteArray *byteArray = NULL;
+ void *buf = NULL;
+ PRFileDesc *inFile = NULL;
+ PKIX_UInt32 len;
+ SECItem certDER;
+ SECStatus rv;
+ /* default: NULL cert (failure case) */
+ PKIX_PL_Cert *cert = NULL;
+
+ PKIX_TEST_STD_VARS();
+
+ certDER.data = NULL;
+
+ inFile = PR_Open(inFileName, PR_RDONLY, 0);
+
+ if (!inFile) {
+ pkixTestErrorMsg = "Unable to open cert file";
+ goto cleanup;
+ } else {
+ rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
+ if (!rv) {
+ buf = (void *)certDER.data;
+ len = certDER.len;
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create(byteArray, &cert, plContext));
+
+ SECITEM_FreeItem(&certDER, PR_FALSE);
+ } else {
+ pkixTestErrorMsg = "Unable to read DER from cert file";
+ goto cleanup;
+ }
+ }
+
+cleanup:
+
+ if (inFile) {
+ PR_Close(inFile);
+ }
+
+ if (PKIX_TEST_ERROR_RECEIVED) {
+ SECITEM_FreeItem(&certDER, PR_FALSE);
+ }
+
+ PKIX_TEST_DECREF_AC(byteArray);
+
+ PKIX_TEST_RETURN();
+
+ return (cert);
+}
+
+int
+validate_chain(int argc, char *argv[])
+{
+ PKIX_TrustAnchor *anchor = NULL;
+ PKIX_List *anchors = NULL;
+ PKIX_List *certs = NULL;
+ PKIX_ProcessingParams *procParams = NULL;
+ PKIX_ValidateParams *valParams = NULL;
+ PKIX_ValidateResult *valResult = NULL;
+ PKIX_PL_X500Name *subject = NULL;
+ PKIX_ComCertSelParams *certSelParams = NULL;
+ PKIX_CertSelector *certSelector = NULL;
+ PKIX_VerifyNode *verifyTree = NULL;
+ PKIX_PL_String *verifyString = NULL;
+
+ char *trustedCertFile = NULL;
+ char *chainCertFile = NULL;
+ PKIX_PL_Cert *trustedCert = NULL;
+ PKIX_PL_Cert *chainCert = NULL;
+ PKIX_UInt32 chainLength = 0;
+ PKIX_UInt32 i = 0;
+ PKIX_UInt32 j = 0;
+ PKIX_UInt32 actualMinorVersion;
+
+ PKIX_TEST_STD_VARS();
+
+ if (argc < 3) {
+ printUsage();
+ return (0);
+ }
+
+ PKIX_TEST_EXPECT_NO_ERROR(
+ PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+ chainLength = (argc - j) - 2;
+
+ /* create processing params with list of trust anchors */
+ trustedCertFile = argv[1 + j];
+ trustedCert = createCert(trustedCertFile);
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
+
+#if 0
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject
+ (certSelParams, subject, plContext));
+#endif
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));
+
+ PKIX_TEST_DECREF_BC(subject);
+ PKIX_TEST_DECREF_BC(certSelParams);
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));
+
+ PKIX_TEST_DECREF_BC(certSelector);
+
+ /* create cert chain */
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
+ for (i = 0; i < chainLength; i++) {
+ chainCertFile = argv[(i + j) + 2];
+ chainCert = createCert(chainCertFile);
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certs,
+ (PKIX_PL_Object *)chainCert,
+ plContext));
+
+ PKIX_TEST_DECREF_BC(chainCert);
+ chainCert = NULL;
+ }
+ /* create validate params with processing params and cert chain */
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create(procParams, certs, &valParams, plContext));
+
+ PKIX_TEST_DECREF_BC(trustedCert);
+ trustedCert = NULL;
+ PKIX_TEST_DECREF_BC(anchor);
+ anchor = NULL;
+ PKIX_TEST_DECREF_BC(anchors);
+ anchors = NULL;
+ PKIX_TEST_DECREF_BC(certs);
+ certs = NULL;
+ PKIX_TEST_DECREF_BC(procParams);
+ procParams = NULL;
+
+ /* validate cert chain using processing params and return valResult */
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext));
+
+ if (valResult != NULL) {
+ (void)printf("SUCCESSFULLY VALIDATED\n");
+ }
+
+cleanup:
+
+ if (PKIX_TEST_ERROR_RECEIVED) {
+ (void)printf("FAILED TO VALIDATE\n");
+ (void)PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext);
+ (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString);
+ PKIX_TEST_DECREF_AC(verifyString);
+ }
+
+ PKIX_TEST_DECREF_AC(verifyTree);
+ PKIX_TEST_DECREF_AC(valResult);
+ PKIX_TEST_DECREF_AC(valParams);
+
+ PKIX_TEST_RETURN();
+
+ PKIX_Shutdown(plContext);
+
+ return (0);
+}