1 files changed, 288 insertions, 0 deletions

diff --git a/security/nss/cmd/libpkix/pkix/top/test_ocsp.c b/security/nss/cmd/libpkix/pkix/top/test_ocsp.c
new file mode 100644
index 0000000000..e97e57096e
--- /dev/null
+++ b/security/nss/cmd/libpkix/pkix/top/test_ocsp.c
@@ -0,0 +1,288 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * test_ocspchecker.c
+ *
+ * Test OcspChecker function
+ *
+ */
+
+#include "testutil.h"
+#include "testutil_nss.h"
+
+static void *plContext = NULL;
+
+static void
+printUsage(void)
+{
+    (void)printf("\nUSAGE:\nOcspChecker -d <certStoreDirectory> TestName "
+                 "[ENE|EE] <certLocationDirectory> <trustedCert> "
+                 "<targetCert>\n\n");
+    (void)printf("Validates a chain of certificates between "
+                 "<trustedCert> and <targetCert>\n"
+                 "using the certs and CRLs in <certLocationDirectory> and "
+                 "pkcs11 db from <certStoreDirectory>. "
+                 "If ENE is specified,\n"
+                 "then an Error is Not Expected. "
+                 "If EE is specified, an Error is Expected.\n");
+}
+
+static char *
+createFullPathName(
+    char *dirName,
+    char *certFile,
+    void *plContext)
+{
+    PKIX_UInt32 certFileLen;
+    PKIX_UInt32 dirNameLen;
+    char *certPathName = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    certFileLen = PL_strlen(certFile);
+    dirNameLen = PL_strlen(dirName);
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc(dirNameLen +
+                                                 certFileLen +
+                                                 2,
+                                             (void **)&certPathName,
+                                             plContext));
+
+    PL_strcpy(certPathName, dirName);
+    PL_strcat(certPathName, "/");
+    PL_strcat(certPathName, certFile);
+    printf("certPathName = %s\n", certPathName);
+
+cleanup:
+
+    PKIX_TEST_RETURN();
+
+    return (certPathName);
+}
+
+static PKIX_Error *
+testDefaultCertStore(PKIX_ValidateParams *valParams, char *crlDir)
+{
+    PKIX_PL_String *dirString = NULL;
+    PKIX_CertStore *certStore = NULL;
+    PKIX_ProcessingParams *procParams = NULL;
+    PKIX_PL_Date *validity = NULL;
+    PKIX_List *revCheckers = NULL;
+    PKIX_RevocationChecker *revChecker = NULL;
+    PKIX_PL_Object *revCheckerContext = NULL;
+    PKIX_OcspChecker *ocspChecker = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    subTest("PKIX_PL_CollectionCertStoreContext_Create");
+
+    /* Create CollectionCertStore */
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, crlDir, 0, &dirString, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString, &certStore, plContext));
+
+    /* Create CertStore */
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams(valParams, &procParams, plContext));
+
+    subTest("PKIX_ProcessingParams_AddCertStore");
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore(procParams, certStore, plContext));
+
+    subTest("PKIX_ProcessingParams_SetRevocationEnabled");
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext));
+
+    /* create current Date */
+    PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime(PR_Now(), &validity, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
+
+    /* create revChecker */
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_Initialize(validity,
+                                                          NULL, /* pwArg */
+                                                          NULL, /* Use default responder */
+                                                          &revChecker,
+                                                          plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_RevocationChecker_GetRevCheckerContext(revChecker, &revCheckerContext, plContext));
+
+    /* Check that this object is a ocsp checker */
+    PKIX_TEST_EXPECT_NO_ERROR(pkix_CheckType(revCheckerContext, PKIX_OCSPCHECKER_TYPE, plContext));
+
+    ocspChecker = (PKIX_OcspChecker *)revCheckerContext;
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_SetVerifyFcn(ocspChecker,
+                                                            PKIX_PL_OcspResponse_UseBuildChain,
+                                                            plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(revCheckers, (PKIX_PL_Object *)revChecker, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers(procParams, revCheckers, plContext));
+
+cleanup:
+
+    PKIX_TEST_DECREF_AC(dirString);
+    PKIX_TEST_DECREF_AC(procParams);
+    PKIX_TEST_DECREF_AC(certStore);
+    PKIX_TEST_DECREF_AC(revCheckers);
+    PKIX_TEST_DECREF_AC(revChecker);
+    PKIX_TEST_DECREF_AC(ocspChecker);
+    PKIX_TEST_DECREF_AC(validity);
+
+    PKIX_TEST_RETURN();
+
+    return (0);
+}
+
+int
+test_ocsp(int argc, char *argv[])
+{
+
+    PKIX_ValidateParams *valParams = NULL;
+    PKIX_ProcessingParams *procParams = NULL;
+    PKIX_ComCertSelParams *certSelParams = NULL;
+    PKIX_CertSelector *certSelector = NULL;
+    PKIX_ValidateResult *valResult = NULL;
+    PKIX_UInt32 actualMinorVersion;
+    PKIX_UInt32 j = 0;
+    PKIX_UInt32 k = 0;
+    PKIX_UInt32 chainLength = 0;
+    PKIX_Boolean testValid = PKIX_TRUE;
+    PKIX_List *chainCerts = NULL;
+    PKIX_VerifyNode *verifyTree = NULL;
+    PKIX_PL_String *verifyString = NULL;
+    PKIX_PL_Cert *dirCert = NULL;
+    PKIX_PL_Cert *trustedCert = NULL;
+    PKIX_PL_Cert *targetCert = NULL;
+    PKIX_TrustAnchor *anchor = NULL;
+    PKIX_List *anchors = NULL;
+    char *dirCertName = NULL;
+    char *anchorCertName = NULL;
+    char *dirName = NULL;
+    char *databaseDir = NULL;
+
+    PKIX_TEST_STD_VARS();
+
+    if (argc < 5) {
+        printUsage();
+        return (0);
+    }
+
+    startTests("OcspChecker");
+
+    PKIX_TEST_EXPECT_NO_ERROR(
+        PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
+
+    /* ENE = expect no error; EE = expect error */
+    if (PORT_Strcmp(argv[2 + j], "ENE") == 0) {
+        testValid = PKIX_TRUE;
+    } else if (PORT_Strcmp(argv[2 + j], "EE") == 0) {
+        testValid = PKIX_FALSE;
+    } else {
+        printUsage();
+        return (0);
+    }
+
+    subTest(argv[1 + j]);
+
+    dirName = argv[3 + j];
+
+    chainLength = argc - j - 5;
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext));
+
+    for (k = 0; k < chainLength; k++) {
+
+        dirCert = createCert(dirName, argv[5 + k + j], plContext);
+
+        if (k == 0) {
+            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
+            targetCert = dirCert;
+        }
+
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(chainCerts, (PKIX_PL_Object *)dirCert, plContext));
+
+        PKIX_TEST_DECREF_BC(dirCert);
+    }
+
+    /* create processing params with list of trust anchors */
+
+    anchorCertName = argv[4 + j];
+    trustedCert = createCert(dirName, anchorCertName, plContext);
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));
+
+    /* create CertSelector with target certificate in params */
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));
+
+    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create(procParams, chainCerts, &valParams, plContext));
+
+    testDefaultCertStore(valParams, dirName);
+
+    pkixTestErrorResult = PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext);
+
+    if (pkixTestErrorResult) {
+        if (testValid == PKIX_FALSE) { /* EE */
+            (void)printf("EXPECTED ERROR RECEIVED!\n");
+        } else { /* ENE */
+            testError("UNEXPECTED ERROR RECEIVED");
+        }
+        PKIX_TEST_DECREF_BC(pkixTestErrorResult);
+    } else {
+        if (testValid == PKIX_TRUE) { /* ENE */
+            (void)printf("EXPECTED SUCCESSFUL VALIDATION!\n");
+        } else { /* EE */
+            (void)printf("UNEXPECTED SUCCESSFUL VALIDATION!\n");
+        }
+    }
+
+    subTest("Displaying VerifyTree");
+
+    if (verifyTree == NULL) {
+        (void)printf("VerifyTree is NULL\n");
+    } else {
+        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext));
+        (void)printf("verifyTree is\n%s\n",
+                     verifyString->escAsciiString);
+        PKIX_TEST_DECREF_BC(verifyString);
+        PKIX_TEST_DECREF_BC(verifyTree);
+    }
+
+cleanup:
+
+    PKIX_TEST_DECREF_AC(valParams);
+    PKIX_TEST_DECREF_AC(procParams);
+    PKIX_TEST_DECREF_AC(certSelParams);
+    PKIX_TEST_DECREF_AC(certSelector);
+    PKIX_TEST_DECREF_AC(chainCerts);
+    PKIX_TEST_DECREF_AC(anchors);
+    PKIX_TEST_DECREF_AC(anchor);
+    PKIX_TEST_DECREF_AC(trustedCert);
+    PKIX_TEST_DECREF_AC(targetCert);
+    PKIX_TEST_DECREF_AC(valResult);
+
+    PKIX_Shutdown(plContext);
+
+    PKIX_TEST_RETURN();
+
+    endTests("OcspChecker");
+
+    return (0);
+}