From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 21:33:14 +0200 Subject: Adding upstream version 115.7.0esr. Signed-off-by: Daniel Baumann --- security/nss/cmd/libpkix/sample_apps/Makefile | 46 ++++ security/nss/cmd/libpkix/sample_apps/build_chain.c | 242 +++++++++++++++++++++ security/nss/cmd/libpkix/sample_apps/dumpcert.c | 182 ++++++++++++++++ security/nss/cmd/libpkix/sample_apps/dumpcrl.c | 186 ++++++++++++++++ security/nss/cmd/libpkix/sample_apps/manifest.mn | 23 ++ .../nss/cmd/libpkix/sample_apps/validate_chain.c | 220 +++++++++++++++++++ 6 files changed, 899 insertions(+) create mode 100644 security/nss/cmd/libpkix/sample_apps/Makefile create mode 100644 security/nss/cmd/libpkix/sample_apps/build_chain.c create mode 100644 security/nss/cmd/libpkix/sample_apps/dumpcert.c create mode 100644 security/nss/cmd/libpkix/sample_apps/dumpcrl.c create mode 100644 security/nss/cmd/libpkix/sample_apps/manifest.mn create mode 100644 security/nss/cmd/libpkix/sample_apps/validate_chain.c (limited to 'security/nss/cmd/libpkix/sample_apps') diff --git a/security/nss/cmd/libpkix/sample_apps/Makefile b/security/nss/cmd/libpkix/sample_apps/Makefile new file mode 100644 index 0000000000..daa8765778 --- /dev/null +++ b/security/nss/cmd/libpkix/sample_apps/Makefile @@ -0,0 +1,46 @@ +#! gmake +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +include $(PKIX_DEPTH)/config.mk + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include $(PLAT_DEPTH)/platlibs.mk + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + +include $(PLAT_DEPTH)/platrules.mk diff --git a/security/nss/cmd/libpkix/sample_apps/build_chain.c b/security/nss/cmd/libpkix/sample_apps/build_chain.c new file mode 100644 index 0000000000..38bf1d9f3a --- /dev/null +++ b/security/nss/cmd/libpkix/sample_apps/build_chain.c @@ -0,0 +1,242 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * buildChain.c + * + * Tests Cert Chain Building + * + */ + +#include +#include +#include + +#include "pkix_pl_generalname.h" +#include "pkix_pl_cert.h" +#include "pkix.h" +#include "testutil.h" +#include "prlong.h" +#include "plstr.h" +#include "prthread.h" +#include "nspr.h" +#include "prtypes.h" +#include "prtime.h" +#include "pk11func.h" +#include "secasn1.h" +#include "cert.h" +#include "cryptohi.h" +#include "secoid.h" +#include "certdb.h" +#include "secitem.h" +#include "keythi.h" +#include "nss.h" + +static void *plContext = NULL; + +static void +printUsage(void) +{ + (void)printf("\nUSAGE:\tbuildChain " + " \n\n"); + (void)printf("Builds a chain of certificates between " + " and \n" + "using the certs and CRLs in .\n"); +} + +static PKIX_PL_Cert * +createCert(char *inFileName) +{ + PKIX_PL_ByteArray *byteArray = NULL; + void *buf = NULL; + PRFileDesc *inFile = NULL; + PKIX_UInt32 len; + SECItem certDER; + SECStatus rv; + /* default: NULL cert (failure case) */ + PKIX_PL_Cert *cert = NULL; + + PKIX_TEST_STD_VARS(); + + certDER.data = NULL; + + inFile = PR_Open(inFileName, PR_RDONLY, 0); + + if (!inFile) { + pkixTestErrorMsg = "Unable to open cert file"; + goto cleanup; + } else { + rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE); + if (!rv) { + buf = (void *)certDER.data; + len = certDER.len; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create(byteArray, &cert, plContext)); + + SECITEM_FreeItem(&certDER, PR_FALSE); + } else { + pkixTestErrorMsg = "Unable to read DER from cert file"; + goto cleanup; + } + } + +cleanup: + + if (inFile) { + PR_Close(inFile); + } + + if (PKIX_TEST_ERROR_RECEIVED) { + SECITEM_FreeItem(&certDER, PR_FALSE); + } + + PKIX_TEST_DECREF_AC(byteArray); + + PKIX_TEST_RETURN(); + + return (cert); +} + +int +build_chain(int argc, char *argv[]) +{ + PKIX_BuildResult *buildResult = NULL; + PKIX_ComCertSelParams *certSelParams = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_TrustAnchor *anchor = NULL; + PKIX_List *anchors = NULL; + PKIX_List *certs = NULL; + PKIX_PL_Cert *cert = NULL; + PKIX_ProcessingParams *procParams = NULL; + char *trustedCertFile = NULL; + char *targetCertFile = NULL; + char *storeDirAscii = NULL; + PKIX_PL_String *storeDirString = NULL; + PKIX_PL_Cert *trustedCert = NULL; + PKIX_PL_Cert *targetCert = NULL; + PKIX_UInt32 actualMinorVersion, numCerts, i; + PKIX_UInt32 j = 0; + PKIX_CertStore *certStore = NULL; + PKIX_List *certStores = NULL; + char *asciiResult = NULL; + PKIX_Boolean useArenas = PKIX_FALSE; + void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */ + void *nbioContext = NULL; + + PKIX_TEST_STD_VARS(); + + if (argc < 4) { + printUsage(); + return (0); + } + + useArenas = PKIX_TEST_ARENAS_ARG(argv[1]); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_Initialize(PKIX_TRUE, /* nssInitNeeded */ + useArenas, + PKIX_MAJOR_VERSION, + PKIX_MINOR_VERSION, + PKIX_MINOR_VERSION, + &actualMinorVersion, + &plContext)); + + /* create processing params with list of trust anchors */ + trustedCertFile = argv[j + 1]; + trustedCert = createCert(trustedCertFile); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); + + /* create CertSelector with target certificate in params */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); + + targetCertFile = argv[j + 2]; + targetCert = createCert(targetCertFile); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); + + /* create CertStores */ + + storeDirAscii = argv[j + 3]; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, storeDirAscii, 0, &storeDirString, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(storeDirString, &certStore, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext)); + + /* build cert chain using processing params and return buildResult */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildChain(procParams, + &nbioContext, + &buildState, + &buildResult, + NULL, + plContext)); + + /* + * As long as we use only CertStores with blocking I/O, we can omit + * checking for completion with nbioContext. + */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); + + printf("\n"); + + for (i = 0; i < numCerts; i++) { + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, i, (PKIX_PL_Object **)&cert, plContext)); + + asciiResult = PKIX_Cert2ASCII(cert); + + printf("CERT[%d]:\n%s\n", i, asciiResult); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, plContext)); + asciiResult = NULL; + + PKIX_TEST_DECREF_BC(cert); + } + +cleanup: + + if (PKIX_TEST_ERROR_RECEIVED) { + (void)printf("FAILED TO BUILD CHAIN\n"); + } else { + (void)printf("SUCCESSFULLY BUILT CHAIN\n"); + } + + PKIX_PL_Free(asciiResult, plContext); + + PKIX_TEST_DECREF_AC(certs); + PKIX_TEST_DECREF_AC(cert); + PKIX_TEST_DECREF_AC(certStore); + PKIX_TEST_DECREF_AC(certStores); + PKIX_TEST_DECREF_AC(storeDirString); + PKIX_TEST_DECREF_AC(trustedCert); + PKIX_TEST_DECREF_AC(targetCert); + PKIX_TEST_DECREF_AC(anchor); + PKIX_TEST_DECREF_AC(anchors); + PKIX_TEST_DECREF_AC(procParams); + PKIX_TEST_DECREF_AC(certSelParams); + PKIX_TEST_DECREF_AC(certSelector); + PKIX_TEST_DECREF_AC(buildResult); + + PKIX_TEST_RETURN(); + + PKIX_Shutdown(plContext); + + return (0); +} diff --git a/security/nss/cmd/libpkix/sample_apps/dumpcert.c b/security/nss/cmd/libpkix/sample_apps/dumpcert.c new file mode 100644 index 0000000000..6ff5f83779 --- /dev/null +++ b/security/nss/cmd/libpkix/sample_apps/dumpcert.c @@ -0,0 +1,182 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * dumpcert.c + * + * dump certificate sample application + * + */ + +#include + +#include "pkix.h" +#include "testutil.h" +#include "prlong.h" +#include "plstr.h" +#include "prthread.h" +#include "plarena.h" +#include "seccomon.h" +#include "secdert.h" +#include "secasn1t.h" +#include "certt.h" + +static void *plContext = NULL; + +static void +printUsage(void) +{ + (void)printf("\nUSAGE:\tdumpcert \n"); + (void)printf("\tParses a certificate located at " + "and displays it.\n"); +} + +static void +printFailure(char *msg) +{ + (void)printf("FAILURE: %s\n", msg); +} + +static PKIX_PL_Cert * +createCert(char *inFileName) +{ + PKIX_PL_ByteArray *byteArray = NULL; + PKIX_PL_Cert *cert = NULL; + PKIX_Error *error = NULL; + PRFileDesc *inFile = NULL; + SECItem certDER; + void *buf = NULL; + PKIX_UInt32 len; + SECStatus rv = SECFailure; + + certDER.data = NULL; + + inFile = PR_Open(inFileName, PR_RDONLY, 0); + + if (!inFile) { + printFailure("Unable to open cert file"); + goto cleanup; + } else { + rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE); + if (!rv) { + buf = (void *)certDER.data; + len = certDER.len; + + error = PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext); + + if (error) { + printFailure("PKIX_PL_ByteArray_Create failed"); + goto cleanup; + } + + error = PKIX_PL_Cert_Create(byteArray, &cert, plContext); + + if (error) { + printFailure("PKIX_PL_Cert_Create failed"); + goto cleanup; + } + } else { + printFailure("Unable to read DER from cert file"); + goto cleanup; + } + } + +cleanup: + + if (inFile) { + PR_Close(inFile); + } + + if (rv == SECSuccess) { + SECITEM_FreeItem(&certDER, PR_FALSE); + } + + if (byteArray) { + PKIX_PL_Object_DecRef((PKIX_PL_Object *)(byteArray), plContext); + } + + return (cert); +} + +int +dumpcert(int argc, char *argv[]) +{ + + PKIX_PL_String *string = NULL; + PKIX_PL_Cert *cert = NULL; + PKIX_Error *error = NULL; + char *ascii = NULL; + PKIX_UInt32 length = 0; + PKIX_UInt32 j = 0; + PKIX_Boolean useArenas = PKIX_FALSE; + PKIX_UInt32 actualMinorVersion; + + PKIX_TEST_STD_VARS(); + + if (argc == 1) { + printUsage(); + return (0); + } + + useArenas = PKIX_TEST_ARENAS_ARG(argv[1]); + + PKIX_Initialize(PKIX_TRUE, /* nssInitNeeded */ + useArenas, + PKIX_MAJOR_VERSION, + PKIX_MINOR_VERSION, + PKIX_MINOR_VERSION, + &actualMinorVersion, + &plContext); + + cert = createCert(argv[1 + j]); + + if (cert) { + + error = PKIX_PL_Object_ToString((PKIX_PL_Object *)cert, &string, plContext); + + if (error) { + printFailure("Unable to get string representation " + "of cert"); + goto cleanup; + } + + error = PKIX_PL_String_GetEncoded(string, + PKIX_ESCASCII, + (void **)&ascii, + &length, + plContext); + + if (error || !ascii) { + printFailure("Unable to get ASCII encoding of string"); + goto cleanup; + } + + (void)printf("OUTPUT:\n%s\n", ascii); + + } else { + printFailure("Unable to create certificate"); + goto cleanup; + } + +cleanup: + + if (cert) { + PKIX_PL_Object_DecRef((PKIX_PL_Object *)(cert), plContext); + } + + if (string) { + PKIX_PL_Object_DecRef((PKIX_PL_Object *)(string), plContext); + } + + if (ascii) { + PKIX_PL_Free((PKIX_PL_Object *)(ascii), plContext); + } + + PKIX_Shutdown(plContext); + + PKIX_TEST_RETURN(); + + endTests("DUMPCERT"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/sample_apps/dumpcrl.c b/security/nss/cmd/libpkix/sample_apps/dumpcrl.c new file mode 100644 index 0000000000..642601409a --- /dev/null +++ b/security/nss/cmd/libpkix/sample_apps/dumpcrl.c @@ -0,0 +1,186 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * dumpcrl.c + * + * dump CRL sample application + * + */ + +#include + +#include "pkix.h" +#include "testutil.h" +#include "prlong.h" +#include "plstr.h" +#include "prthread.h" +#include "plarena.h" +#include "seccomon.h" +#include "secdert.h" +#include "secasn1t.h" +#include "certt.h" + +static void *plContext = NULL; + +static void +printUsage(void) +{ + (void)printf("\nUSAGE:\tdumpcrl \n"); + (void)printf("\tParses a CRL located at " + "and displays it.\n"); +} + +static void +printFailure(char *msg) +{ + (void)printf("FAILURE: %s\n", msg); +} + +static PKIX_PL_CRL * +createCRL(char *inFileName) +{ + PKIX_PL_ByteArray *byteArray = NULL; + PKIX_PL_CRL *crl = NULL; + PKIX_Error *error = NULL; + PRFileDesc *inFile = NULL; + SECItem crlDER; + void *buf = NULL; + PKIX_UInt32 len; + SECStatus rv; + + PKIX_TEST_STD_VARS(); + + crlDER.data = NULL; + + inFile = PR_Open(inFileName, PR_RDONLY, 0); + + if (!inFile) { + printFailure("Unable to open crl file"); + goto cleanup; + } else { + rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE); + if (!rv) { + buf = (void *)crlDER.data; + len = crlDER.len; + + error = PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext); + + if (error) { + printFailure("PKIX_PL_ByteArray_Create failed"); + goto cleanup; + } + + error = PKIX_PL_CRL_Create(byteArray, &crl, plContext); + if (error) { + printFailure("PKIX_PL_CRL_Create failed"); + goto cleanup; + } + + SECITEM_FreeItem(&crlDER, PR_FALSE); + } else { + printFailure("Unable to read DER from crl file"); + goto cleanup; + } + } + +cleanup: + + if (inFile) { + PR_Close(inFile); + } + + if (error) { + SECITEM_FreeItem(&crlDER, PR_FALSE); + } + + if (byteArray) { + PKIX_PL_Object_DecRef((PKIX_PL_Object *)(byteArray), plContext); + } + + PKIX_TEST_RETURN(); + + return (crl); +} + +int +dumpcrl(int argc, char *argv[]) +{ + + PKIX_PL_String *string = NULL; + PKIX_PL_CRL *crl = NULL; + PKIX_Error *error = NULL; + char *ascii = NULL; + PKIX_UInt32 length; + PKIX_UInt32 actualMinorVersion; + PKIX_UInt32 j = 0; + PKIX_Boolean useArenas = PKIX_FALSE; + + PKIX_TEST_STD_VARS(); + + if (argc == 1) { + printUsage(); + return (0); + } + + useArenas = PKIX_TEST_ARENAS_ARG(argv[1]); + + PKIX_Initialize(PKIX_TRUE, /* nssInitNeeded */ + useArenas, + PKIX_MAJOR_VERSION, + PKIX_MINOR_VERSION, + PKIX_MINOR_VERSION, + &actualMinorVersion, + &plContext); + + crl = createCRL(argv[j + 1]); + + if (crl) { + + error = PKIX_PL_Object_ToString((PKIX_PL_Object *)crl, &string, plContext); + + if (error) { + printFailure("Unable to get string representation " + "of crl"); + goto cleanup; + } + + error = PKIX_PL_String_GetEncoded(string, + PKIX_ESCASCII, + (void **)&ascii, + &length, + plContext); + if (error || !ascii) { + printFailure("Unable to get ASCII encoding of string"); + goto cleanup; + } + + (void)printf("OUTPUT:\n%s\n", ascii); + + } else { + printFailure("Unable to create CRL"); + goto cleanup; + } + +cleanup: + + if (crl) { + PKIX_PL_Object_DecRef((PKIX_PL_Object *)(crl), plContext); + } + + if (string) { + PKIX_PL_Object_DecRef((PKIX_PL_Object *)(string), plContext); + } + + if (ascii) { + PKIX_PL_Free((PKIX_PL_Object *)(ascii), plContext); + } + + PKIX_Shutdown(plContext); + + PKIX_TEST_RETURN(); + + endTests("DUMPCRL"); + + return (0); +} diff --git a/security/nss/cmd/libpkix/sample_apps/manifest.mn b/security/nss/cmd/libpkix/sample_apps/manifest.mn new file mode 100644 index 0000000000..32926cc1bb --- /dev/null +++ b/security/nss/cmd/libpkix/sample_apps/manifest.mn @@ -0,0 +1,23 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +PKIX_DEPTH = .. +PLAT_DEPTH = $(PKIX_DEPTH)/.. +CORE_DEPTH = $(PKIX_DEPTH)/../../.. + +# MODULE public and private header directories are implicitly REQUIRED. +MODULE = nss + +CSRCS = dumpcert.c \ + dumpcrl.c \ + validate_chain.c \ + build_chain.c \ + $(NULL) + +LIBRARY_NAME=pkixtoolsmplapps + +SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR) + +NO_MD_RELEASE = 1 diff --git a/security/nss/cmd/libpkix/sample_apps/validate_chain.c b/security/nss/cmd/libpkix/sample_apps/validate_chain.c new file mode 100644 index 0000000000..1ccf364e0c --- /dev/null +++ b/security/nss/cmd/libpkix/sample_apps/validate_chain.c @@ -0,0 +1,220 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * validateChain.c + * + * Tests Cert Chain Validation + * + */ + +#include +#include +#include + +#include "pkix_pl_generalname.h" +#include "pkix_pl_cert.h" +#include "pkix.h" +#include "testutil.h" +#include "prlong.h" +#include "plstr.h" +#include "prthread.h" +#include "nspr.h" +#include "prtypes.h" +#include "prtime.h" +#include "pk11func.h" +#include "secasn1.h" +#include "cert.h" +#include "cryptohi.h" +#include "secoid.h" +#include "certdb.h" +#include "secitem.h" +#include "keythi.h" +#include "nss.h" + +static void *plContext = NULL; + +static void +printUsage(void) +{ + (void)printf("\nUSAGE:\tvalidateChain " + " ... \n"); + (void)printf("\tValidates a chain of n certificates " + "using the given trust anchor.\n"); +} + +static PKIX_PL_Cert * +createCert(char *inFileName) +{ + PKIX_PL_ByteArray *byteArray = NULL; + void *buf = NULL; + PRFileDesc *inFile = NULL; + PKIX_UInt32 len; + SECItem certDER; + SECStatus rv; + /* default: NULL cert (failure case) */ + PKIX_PL_Cert *cert = NULL; + + PKIX_TEST_STD_VARS(); + + certDER.data = NULL; + + inFile = PR_Open(inFileName, PR_RDONLY, 0); + + if (!inFile) { + pkixTestErrorMsg = "Unable to open cert file"; + goto cleanup; + } else { + rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE); + if (!rv) { + buf = (void *)certDER.data; + len = certDER.len; + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create(buf, len, &byteArray, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create(byteArray, &cert, plContext)); + + SECITEM_FreeItem(&certDER, PR_FALSE); + } else { + pkixTestErrorMsg = "Unable to read DER from cert file"; + goto cleanup; + } + } + +cleanup: + + if (inFile) { + PR_Close(inFile); + } + + if (PKIX_TEST_ERROR_RECEIVED) { + SECITEM_FreeItem(&certDER, PR_FALSE); + } + + PKIX_TEST_DECREF_AC(byteArray); + + PKIX_TEST_RETURN(); + + return (cert); +} + +int +validate_chain(int argc, char *argv[]) +{ + PKIX_TrustAnchor *anchor = NULL; + PKIX_List *anchors = NULL; + PKIX_List *certs = NULL; + PKIX_ProcessingParams *procParams = NULL; + PKIX_ValidateParams *valParams = NULL; + PKIX_ValidateResult *valResult = NULL; + PKIX_PL_X500Name *subject = NULL; + PKIX_ComCertSelParams *certSelParams = NULL; + PKIX_CertSelector *certSelector = NULL; + PKIX_VerifyNode *verifyTree = NULL; + PKIX_PL_String *verifyString = NULL; + + char *trustedCertFile = NULL; + char *chainCertFile = NULL; + PKIX_PL_Cert *trustedCert = NULL; + PKIX_PL_Cert *chainCert = NULL; + PKIX_UInt32 chainLength = 0; + PKIX_UInt32 i = 0; + PKIX_UInt32 j = 0; + PKIX_UInt32 actualMinorVersion; + + PKIX_TEST_STD_VARS(); + + if (argc < 3) { + printUsage(); + return (0); + } + + PKIX_TEST_EXPECT_NO_ERROR( + PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); + + chainLength = (argc - j) - 2; + + /* create processing params with list of trust anchors */ + trustedCertFile = argv[1 + j]; + trustedCert = createCert(trustedCertFile); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); + +#if 0 + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject + (certSelParams, subject, plContext)); +#endif + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); + + PKIX_TEST_DECREF_BC(subject); + PKIX_TEST_DECREF_BC(certSelParams); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); + + PKIX_TEST_DECREF_BC(certSelector); + + /* create cert chain */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext)); + for (i = 0; i < chainLength; i++) { + chainCertFile = argv[(i + j) + 2]; + chainCert = createCert(chainCertFile); + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certs, + (PKIX_PL_Object *)chainCert, + plContext)); + + PKIX_TEST_DECREF_BC(chainCert); + chainCert = NULL; + } + /* create validate params with processing params and cert chain */ + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create(procParams, certs, &valParams, plContext)); + + PKIX_TEST_DECREF_BC(trustedCert); + trustedCert = NULL; + PKIX_TEST_DECREF_BC(anchor); + anchor = NULL; + PKIX_TEST_DECREF_BC(anchors); + anchors = NULL; + PKIX_TEST_DECREF_BC(certs); + certs = NULL; + PKIX_TEST_DECREF_BC(procParams); + procParams = NULL; + + /* validate cert chain using processing params and return valResult */ + + PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); + + if (valResult != NULL) { + (void)printf("SUCCESSFULLY VALIDATED\n"); + } + +cleanup: + + if (PKIX_TEST_ERROR_RECEIVED) { + (void)printf("FAILED TO VALIDATE\n"); + (void)PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext); + (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString); + PKIX_TEST_DECREF_AC(verifyString); + } + + PKIX_TEST_DECREF_AC(verifyTree); + PKIX_TEST_DECREF_AC(valResult); + PKIX_TEST_DECREF_AC(valParams); + + PKIX_TEST_RETURN(); + + PKIX_Shutdown(plContext); + + return (0); +} -- cgit v1.2.3