Adding upstream version 124.0.1.upstream/124.0.1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

6 files changed, 899 insertions, 0 deletions

diff --git a/security/nss/cmd/libpkix/sample_apps/Makefile b/security/nss/cmd/libpkix/sample_apps/Makefile
new file mode 100644
index 0000000000..daa8765778
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/Makefile
@@ -0,0 +1,46 @@
+#! gmake
+# 
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+include $(PKIX_DEPTH)/config.mk
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include $(PLAT_DEPTH)/platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/sample_apps/build_chain.c b/security/nss/cmd/libpkix/sample_apps/build_chain.c
new file mode 100644
index 0000000000..38bf1d9f3a
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/build_chain.c
@@ -0,0 +1,242 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * buildChain.c
+ *
+ * Tests Cert Chain Building
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+
+#include "pkix_pl_generalname.h"
+#include "pkix_pl_cert.h"
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "secitem.h"
+#include "keythi.h"
+#include "nss.h"
+
+static void *plContext = NULL;
+
+static void
+printUsage(void)
+{
+    (void)printf("\nUSAGE:\tbuildChain "
+                 "<trustedCert> <targetCert> <certStoreDirectory>\n\n");
+    (void)printf("Builds a chain of certificates between "
+                 "<trustedCert> and <targetCert>\n"
+                 "using the certs and CRLs in <certStoreDirectory>.\n");
+}
+
+static PKIX_PL_Cert *
+createCert(char *inFileName)
+{
+    PKIX_PL_ByteArray *byteArray = NULL;
+    void *buf = NULL;
+    PRFileDesc *inFile = NULL;
+    PKIX_UInt32 len;
+    SECItem certDER;
+    SECStatus rv;
+    /* default: NULL cert (failure case) */
+    PKIX_PL_Cert *cert = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    certDER.data = NULL;
+
+    inFile = PR_Open(inFileName, PR_RDONLY, 0);
+
+    if (!inFile) {
+        pkixTestErrorMsg = "Unable to open cert file";
+        goto cleanup;
+    } else {
+        rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
+        if (!rv) {
+            buf = (void *)certDER.data;
+            len = certDER.len;
+
+            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext));
+
+            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create(byteArray, &cert, plContext));
+
+            SECITEM_FreeItem(&certDER, PR_FALSE);
+        } else {
+            pkixTestErrorMsg = "Unable to read DER from cert file";
+            goto cleanup;
+        }
+    }
+
+cleanup:
+
+    if (inFile) {
+        PR_Close(inFile);
+    }
+
+    if (PKIX_TEST_ERROR_RECEIVED) {
+        SECITEM_FreeItem(&certDER, PR_FALSE);
+    }
+
+    PKIX_TEST_DECREF_AC(byteArray);
+
+    PKIX_TEST_RETURN();
+
+    return (cert);
+}
+
+int
+build_chain(int argc, char *argv[])
+{
+    PKIX_BuildResult *buildResult = NULL;
+    PKIX_ComCertSelParams *certSelParams = NULL;
+    PKIX_CertSelector *certSelector = NULL;
+    PKIX_TrustAnchor *anchor = NULL;
+    PKIX_List *anchors = NULL;
+    PKIX_List *certs = NULL;
+    PKIX_PL_Cert *cert = NULL;
+    PKIX_ProcessingParams *procParams = NULL;
+    char *trustedCertFile = NULL;
+    char *targetCertFile = NULL;
+    char *storeDirAscii = NULL;
+    PKIX_PL_String *storeDirString = NULL;
+    PKIX_PL_Cert *trustedCert = NULL;
+    PKIX_PL_Cert *targetCert = NULL;
+    PKIX_UInt32 actualMinorVersion, numCerts, i;
+    PKIX_UInt32 j = 0;
+    PKIX_CertStore *certStore = NULL;
+    PKIX_List *certStores = NULL;
+    char *asciiResult = NULL;
+    PKIX_Boolean useArenas = PKIX_FALSE;
+    void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */
+    void *nbioContext = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    if (argc < 4) {
+        printUsage();
+        return (0);
+    }
+
+    useArenas = PKIX_TEST_ARENAS_ARG(argv[1]);
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_Initialize(PKIX_TRUE, /* nssInitNeeded */
+                                              useArenas,
+                                              PKIX_MAJOR_VERSION,
+                                              PKIX_MINOR_VERSION,
+                                              PKIX_MINOR_VERSION,
+                                              &actualMinorVersion,
+                                              &plContext));
+
+    /* create processing params with list of trust anchors */
+    trustedCertFile = argv[j + 1];
+    trustedCert = createCert(trustedCertFile);
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));
+
+    /* create CertSelector with target certificate in params */
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
+
+    targetCertFile = argv[j + 2];
+    targetCert = createCert(targetCertFile);
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));
+
+    /* create CertStores */
+
+    storeDirAscii = argv[j + 3];
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, storeDirAscii, 0, &storeDirString, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(storeDirString, &certStore, plContext));
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext));
+
+    /* build cert chain using processing params and return buildResult */
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildChain(procParams,
+                                              &nbioContext,
+                                              &buildState,
+                                              &buildResult,
+                                              NULL,
+                                              plContext));
+
+    /*
+         * As long as we use only CertStores with blocking I/O, we can omit
+         * checking for completion with nbioContext.
+         */
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext));
+
+    printf("\n");
+
+    for (i = 0; i < numCerts; i++) {
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, i, (PKIX_PL_Object **)&cert, plContext));
+
+        asciiResult = PKIX_Cert2ASCII(cert);
+
+        printf("CERT[%d]:\n%s\n", i, asciiResult);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, plContext));
+        asciiResult = NULL;
+
+        PKIX_TEST_DECREF_BC(cert);
+    }
+
+cleanup:
+
+    if (PKIX_TEST_ERROR_RECEIVED) {
+        (void)printf("FAILED TO BUILD CHAIN\n");
+    } else {
+        (void)printf("SUCCESSFULLY BUILT CHAIN\n");
+    }
+
+    PKIX_PL_Free(asciiResult, plContext);
+
+    PKIX_TEST_DECREF_AC(certs);
+    PKIX_TEST_DECREF_AC(cert);
+    PKIX_TEST_DECREF_AC(certStore);
+    PKIX_TEST_DECREF_AC(certStores);
+    PKIX_TEST_DECREF_AC(storeDirString);
+    PKIX_TEST_DECREF_AC(trustedCert);
+    PKIX_TEST_DECREF_AC(targetCert);
+    PKIX_TEST_DECREF_AC(anchor);
+    PKIX_TEST_DECREF_AC(anchors);
+    PKIX_TEST_DECREF_AC(procParams);
+    PKIX_TEST_DECREF_AC(certSelParams);
+    PKIX_TEST_DECREF_AC(certSelector);
+    PKIX_TEST_DECREF_AC(buildResult);
+
+    PKIX_TEST_RETURN();
+
+    PKIX_Shutdown(plContext);
+
+    return (0);
+}
diff --git a/security/nss/cmd/libpkix/sample_apps/dumpcert.c b/security/nss/cmd/libpkix/sample_apps/dumpcert.c
new file mode 100644
index 0000000000..6ff5f83779
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/dumpcert.c
@@ -0,0 +1,182 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * dumpcert.c
+ *
+ * dump certificate sample application
+ *
+ */
+
+#include <stdio.h>
+
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "plarena.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secasn1t.h"
+#include "certt.h"
+
+static void *plContext = NULL;
+
+static void
+printUsage(void)
+{
+    (void)printf("\nUSAGE:\tdumpcert <certFile>\n");
+    (void)printf("\tParses a certificate located at <certFile> "
+                 "and displays it.\n");
+}
+
+static void
+printFailure(char *msg)
+{
+    (void)printf("FAILURE: %s\n", msg);
+}
+
+static PKIX_PL_Cert *
+createCert(char *inFileName)
+{
+    PKIX_PL_ByteArray *byteArray = NULL;
+    PKIX_PL_Cert *cert = NULL;
+    PKIX_Error *error = NULL;
+    PRFileDesc *inFile = NULL;
+    SECItem certDER;
+    void *buf = NULL;
+    PKIX_UInt32 len;
+    SECStatus rv = SECFailure;
+
+    certDER.data = NULL;
+
+    inFile = PR_Open(inFileName, PR_RDONLY, 0);
+
+    if (!inFile) {
+        printFailure("Unable to open cert file");
+        goto cleanup;
+    } else {
+        rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
+        if (!rv) {
+            buf = (void *)certDER.data;
+            len = certDER.len;
+
+            error = PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext);
+
+            if (error) {
+                printFailure("PKIX_PL_ByteArray_Create failed");
+                goto cleanup;
+            }
+
+            error = PKIX_PL_Cert_Create(byteArray, &cert, plContext);
+
+            if (error) {
+                printFailure("PKIX_PL_Cert_Create failed");
+                goto cleanup;
+            }
+        } else {
+            printFailure("Unable to read DER from cert file");
+            goto cleanup;
+        }
+    }
+
+cleanup:
+
+    if (inFile) {
+        PR_Close(inFile);
+    }
+
+    if (rv == SECSuccess) {
+        SECITEM_FreeItem(&certDER, PR_FALSE);
+    }
+
+    if (byteArray) {
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)(byteArray), plContext);
+    }
+
+    return (cert);
+}
+
+int
+dumpcert(int argc, char *argv[])
+{
+
+    PKIX_PL_String *string = NULL;
+    PKIX_PL_Cert *cert = NULL;
+    PKIX_Error *error = NULL;
+    char *ascii = NULL;
+    PKIX_UInt32 length = 0;
+    PKIX_UInt32 j = 0;
+    PKIX_Boolean useArenas = PKIX_FALSE;
+    PKIX_UInt32 actualMinorVersion;
+
+    PKIX_TEST_STD_VARS();
+
+    if (argc == 1) {
+        printUsage();
+        return (0);
+    }
+
+    useArenas = PKIX_TEST_ARENAS_ARG(argv[1]);
+
+    PKIX_Initialize(PKIX_TRUE, /* nssInitNeeded */
+                    useArenas,
+                    PKIX_MAJOR_VERSION,
+                    PKIX_MINOR_VERSION,
+                    PKIX_MINOR_VERSION,
+                    &actualMinorVersion,
+                    &plContext);
+
+    cert = createCert(argv[1 + j]);
+
+    if (cert) {
+
+        error = PKIX_PL_Object_ToString((PKIX_PL_Object *)cert, &string, plContext);
+
+        if (error) {
+            printFailure("Unable to get string representation "
+                         "of cert");
+            goto cleanup;
+        }
+
+        error = PKIX_PL_String_GetEncoded(string,
+                                          PKIX_ESCASCII,
+                                          (void **)&ascii,
+                                          &length,
+                                          plContext);
+
+        if (error || !ascii) {
+            printFailure("Unable to get ASCII encoding of string");
+            goto cleanup;
+        }
+
+        (void)printf("OUTPUT:\n%s\n", ascii);
+
+    } else {
+        printFailure("Unable to create certificate");
+        goto cleanup;
+    }
+
+cleanup:
+
+    if (cert) {
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)(cert), plContext);
+    }
+
+    if (string) {
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)(string), plContext);
+    }
+
+    if (ascii) {
+        PKIX_PL_Free((PKIX_PL_Object *)(ascii), plContext);
+    }
+
+    PKIX_Shutdown(plContext);
+
+    PKIX_TEST_RETURN();
+
+    endTests("DUMPCERT");
+
+    return (0);
+}
diff --git a/security/nss/cmd/libpkix/sample_apps/dumpcrl.c b/security/nss/cmd/libpkix/sample_apps/dumpcrl.c
new file mode 100644
index 0000000000..642601409a
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/dumpcrl.c
@@ -0,0 +1,186 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * dumpcrl.c
+ *
+ * dump CRL sample application
+ *
+ */
+
+#include <stdio.h>
+
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "plarena.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secasn1t.h"
+#include "certt.h"
+
+static void *plContext = NULL;
+
+static void
+printUsage(void)
+{
+    (void)printf("\nUSAGE:\tdumpcrl <crlFile>\n");
+    (void)printf("\tParses a CRL located at <crlFile> "
+                 "and displays it.\n");
+}
+
+static void
+printFailure(char *msg)
+{
+    (void)printf("FAILURE: %s\n", msg);
+}
+
+static PKIX_PL_CRL *
+createCRL(char *inFileName)
+{
+    PKIX_PL_ByteArray *byteArray = NULL;
+    PKIX_PL_CRL *crl = NULL;
+    PKIX_Error *error = NULL;
+    PRFileDesc *inFile = NULL;
+    SECItem crlDER;
+    void *buf = NULL;
+    PKIX_UInt32 len;
+    SECStatus rv;
+
+    PKIX_TEST_STD_VARS();
+
+    crlDER.data = NULL;
+
+    inFile = PR_Open(inFileName, PR_RDONLY, 0);
+
+    if (!inFile) {
+        printFailure("Unable to open crl file");
+        goto cleanup;
+    } else {
+        rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
+        if (!rv) {
+            buf = (void *)crlDER.data;
+            len = crlDER.len;
+
+            error = PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext);
+
+            if (error) {
+                printFailure("PKIX_PL_ByteArray_Create failed");
+                goto cleanup;
+            }
+
+            error = PKIX_PL_CRL_Create(byteArray, &crl, plContext);
+            if (error) {
+                printFailure("PKIX_PL_CRL_Create failed");
+                goto cleanup;
+            }
+
+            SECITEM_FreeItem(&crlDER, PR_FALSE);
+        } else {
+            printFailure("Unable to read DER from crl file");
+            goto cleanup;
+        }
+    }
+
+cleanup:
+
+    if (inFile) {
+        PR_Close(inFile);
+    }
+
+    if (error) {
+        SECITEM_FreeItem(&crlDER, PR_FALSE);
+    }
+
+    if (byteArray) {
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)(byteArray), plContext);
+    }
+
+    PKIX_TEST_RETURN();
+
+    return (crl);
+}
+
+int
+dumpcrl(int argc, char *argv[])
+{
+
+    PKIX_PL_String *string = NULL;
+    PKIX_PL_CRL *crl = NULL;
+    PKIX_Error *error = NULL;
+    char *ascii = NULL;
+    PKIX_UInt32 length;
+    PKIX_UInt32 actualMinorVersion;
+    PKIX_UInt32 j = 0;
+    PKIX_Boolean useArenas = PKIX_FALSE;
+
+    PKIX_TEST_STD_VARS();
+
+    if (argc == 1) {
+        printUsage();
+        return (0);
+    }
+
+    useArenas = PKIX_TEST_ARENAS_ARG(argv[1]);
+
+    PKIX_Initialize(PKIX_TRUE, /* nssInitNeeded */
+                    useArenas,
+                    PKIX_MAJOR_VERSION,
+                    PKIX_MINOR_VERSION,
+                    PKIX_MINOR_VERSION,
+                    &actualMinorVersion,
+                    &plContext);
+
+    crl = createCRL(argv[j + 1]);
+
+    if (crl) {
+
+        error = PKIX_PL_Object_ToString((PKIX_PL_Object *)crl, &string, plContext);
+
+        if (error) {
+            printFailure("Unable to get string representation "
+                         "of crl");
+            goto cleanup;
+        }
+
+        error = PKIX_PL_String_GetEncoded(string,
+                                          PKIX_ESCASCII,
+                                          (void **)&ascii,
+                                          &length,
+                                          plContext);
+        if (error || !ascii) {
+            printFailure("Unable to get ASCII encoding of string");
+            goto cleanup;
+        }
+
+        (void)printf("OUTPUT:\n%s\n", ascii);
+
+    } else {
+        printFailure("Unable to create CRL");
+        goto cleanup;
+    }
+
+cleanup:
+
+    if (crl) {
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)(crl), plContext);
+    }
+
+    if (string) {
+        PKIX_PL_Object_DecRef((PKIX_PL_Object *)(string), plContext);
+    }
+
+    if (ascii) {
+        PKIX_PL_Free((PKIX_PL_Object *)(ascii), plContext);
+    }
+
+    PKIX_Shutdown(plContext);
+
+    PKIX_TEST_RETURN();
+
+    endTests("DUMPCRL");
+
+    return (0);
+}
diff --git a/security/nss/cmd/libpkix/sample_apps/manifest.mn b/security/nss/cmd/libpkix/sample_apps/manifest.mn
new file mode 100644
index 0000000000..32926cc1bb
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/manifest.mn
@@ -0,0 +1,23 @@
+# 
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+PKIX_DEPTH = ..
+PLAT_DEPTH = $(PKIX_DEPTH)/..
+CORE_DEPTH = $(PKIX_DEPTH)/../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = dumpcert.c \
+	dumpcrl.c \
+	validate_chain.c \
+	build_chain.c \
+	$(NULL)
+
+LIBRARY_NAME=pkixtoolsmplapps
+
+SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
+
+NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/sample_apps/validate_chain.c b/security/nss/cmd/libpkix/sample_apps/validate_chain.c
new file mode 100644
index 0000000000..1ccf364e0c
--- /dev/null
+++ b/security/nss/cmd/libpkix/sample_apps/validate_chain.c
@@ -0,0 +1,220 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * validateChain.c
+ *
+ * Tests Cert Chain Validation
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+
+#include "pkix_pl_generalname.h"
+#include "pkix_pl_cert.h"
+#include "pkix.h"
+#include "testutil.h"
+#include "prlong.h"
+#include "plstr.h"
+#include "prthread.h"
+#include "nspr.h"
+#include "prtypes.h"
+#include "prtime.h"
+#include "pk11func.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "cryptohi.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "secitem.h"
+#include "keythi.h"
+#include "nss.h"
+
+static void *plContext = NULL;
+
+static void
+printUsage(void)
+{
+    (void)printf("\nUSAGE:\tvalidateChain <trustedCert> "
+                 "<cert_1> <cert_2> ... <cert_n>\n");
+    (void)printf("\tValidates a chain of n certificates "
+                 "using the given trust anchor.\n");
+}
+
+static PKIX_PL_Cert *
+createCert(char *inFileName)
+{
+    PKIX_PL_ByteArray *byteArray = NULL;
+    void *buf = NULL;
+    PRFileDesc *inFile = NULL;
+    PKIX_UInt32 len;
+    SECItem certDER;
+    SECStatus rv;
+    /* default: NULL cert (failure case) */
+    PKIX_PL_Cert *cert = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    certDER.data = NULL;
+
+    inFile = PR_Open(inFileName, PR_RDONLY, 0);
+
+    if (!inFile) {
+        pkixTestErrorMsg = "Unable to open cert file";
+        goto cleanup;
+    } else {
+        rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
+        if (!rv) {
+            buf = (void *)certDER.data;
+            len = certDER.len;
+
+            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext));
+
+            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create(byteArray, &cert, plContext));
+
+            SECITEM_FreeItem(&certDER, PR_FALSE);
+        } else {
+            pkixTestErrorMsg = "Unable to read DER from cert file";
+            goto cleanup;
+        }
+    }
+
+cleanup:
+
+    if (inFile) {
+        PR_Close(inFile);
+    }
+
+    if (PKIX_TEST_ERROR_RECEIVED) {
+        SECITEM_FreeItem(&certDER, PR_FALSE);
+    }
+
+    PKIX_TEST_DECREF_AC(byteArray);
+
+    PKIX_TEST_RETURN();
+
+    return (cert);
+}
+
+int
+validate_chain(int argc, char *argv[])
+{
+    PKIX_TrustAnchor *anchor = NULL;
+    PKIX_List *anchors = NULL;
+    PKIX_List *certs = NULL;
+    PKIX_ProcessingParams *procParams = NULL;
+    PKIX_ValidateParams *valParams = NULL;
+    PKIX_ValidateResult *valResult = NULL;
+    PKIX_PL_X500Name *subject = NULL;
+    PKIX_ComCertSelParams *certSelParams = NULL;
+    PKIX_CertSelector *certSelector = NULL;
+    PKIX_VerifyNode *verifyTree = NULL;
+    PKIX_PL_String *verifyString = NULL;
+
+    char *trustedCertFile = NULL;
+    char *chainCertFile = NULL;
+    PKIX_PL_Cert *trustedCert = NULL;
+    PKIX_PL_Cert *chainCert = NULL;
+    PKIX_UInt32 chainLength = 0;
+    PKIX_UInt32 i = 0;
+    PKIX_UInt32 j = 0;
+    PKIX_UInt32 actualMinorVersion;
+
+    PKIX_TEST_STD_VARS();
+
+    if (argc < 3) {
+        printUsage();
+        return (0);
+    }
+
+    PKIX_TEST_EXPECT_NO_ERROR(
+        PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+    chainLength = (argc - j) - 2;
+
+    /* create processing params with list of trust anchors */
+    trustedCertFile = argv[1 + j];
+    trustedCert = createCert(trustedCertFile);
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
+
+#if 0
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject
+                                    (certSelParams, subject, plContext));
+#endif
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));
+
+    PKIX_TEST_DECREF_BC(subject);
+    PKIX_TEST_DECREF_BC(certSelParams);
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));
+
+    PKIX_TEST_DECREF_BC(certSelector);
+
+    /* create cert chain */
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
+    for (i = 0; i < chainLength; i++) {
+        chainCertFile = argv[(i + j) + 2];
+        chainCert = createCert(chainCertFile);
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certs,
+                                                       (PKIX_PL_Object *)chainCert,
+                                                       plContext));
+
+        PKIX_TEST_DECREF_BC(chainCert);
+        chainCert = NULL;
+    }
+    /* create validate params with processing params and cert chain */
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create(procParams, certs, &valParams, plContext));
+
+    PKIX_TEST_DECREF_BC(trustedCert);
+    trustedCert = NULL;
+    PKIX_TEST_DECREF_BC(anchor);
+    anchor = NULL;
+    PKIX_TEST_DECREF_BC(anchors);
+    anchors = NULL;
+    PKIX_TEST_DECREF_BC(certs);
+    certs = NULL;
+    PKIX_TEST_DECREF_BC(procParams);
+    procParams = NULL;
+
+    /* validate cert chain using processing params and return valResult */
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext));
+
+    if (valResult != NULL) {
+        (void)printf("SUCCESSFULLY VALIDATED\n");
+    }
+
+cleanup:
+
+    if (PKIX_TEST_ERROR_RECEIVED) {
+        (void)printf("FAILED TO VALIDATE\n");
+        (void)PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext);
+        (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString);
+        PKIX_TEST_DECREF_AC(verifyString);
+    }
+
+    PKIX_TEST_DECREF_AC(verifyTree);
+    PKIX_TEST_DECREF_AC(valResult);
+    PKIX_TEST_DECREF_AC(valParams);
+
+    PKIX_TEST_RETURN();
+
+    PKIX_Shutdown(plContext);
+
+    return (0);
+}