sslSessionID * ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID, const char * urlSvrName) { sslSessionID **sidp; sslSessionID * sid; PRUint32 now; if (!urlSvrName) return NULL; now = ssl_Time(); LOCK_CACHE; sidp = &cache; while ((sid = *sidp) != 0) { PORT_Assert(sid->cached == in_client_cache); PORT_Assert(sid->references >= 1); SSL_TRC(8, ("SSL: Lookup1: sid=0x%x", sid)); if (sid->expirationTime < now || !sid->references) { /* ** This session-id timed out, or was orphaned. ** Don't even care who it belongs to, blow it out of our cache. */ SSL_TRC(7, ("SSL: lookup1, throwing sid out, age=%d refs=%d", now - sid->creationTime, sid->references)); *sidp = sid->next; /* delink it from the list. */ sid->cached = invalid_cache; /* mark not on list. */ if (!sid->references) ssl_DestroySID(sid); else ssl_FreeLockedSID(sid); /* drop ref count, free. */ } else if (!memcmp(&sid->addr, addr, sizeof(PRIPv6Addr)) && /* server IP addr matches */ (sid->port == port) && /* server port matches */ /* proxy (peerID) matches */ (((peerID == NULL) && (sid->peerID == NULL)) || ((peerID != NULL) && (sid->peerID != NULL) && PORT_Strcmp(sid->peerID, peerID) == 0)) && /* is cacheable */ (sid->version < SSL_LIBRARY_VERSION_3_0 || sid->u.ssl3.keys.resumable) && /* server hostname matches. */ (sid->urlSvrName != NULL) && ((0 == PORT_Strcmp(urlSvrName, sid->urlSvrName)) || ((sid->peerCert != NULL) && (SECSuccess == CERT_VerifyCertName(sid->peerCert, urlSvrName))) ) ) { /* Hit */ sid->lastAccessTime = now; sid->references++; break; } else { sidp = &sid->next; } } UNLOCK_CACHE; return sid; }
/* * find a module by name, and add a reference to it. * return that module. */ SECMODModule * SECMOD_FindModule(const char *name) { SECMODModuleList *mlp; SECMODModule *module = NULL; if (!moduleLock) { PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return module; } SECMOD_GetReadLock(moduleLock); for(mlp = modules; mlp != NULL; mlp = mlp->next) { if (PORT_Strcmp(name,mlp->module->commonName) == 0) { module = mlp->module; SECMOD_ReferenceModule(module); break; } } if (module) { goto found; } for(mlp = modulesUnload; mlp != NULL; mlp = mlp->next) { if (PORT_Strcmp(name,mlp->module->commonName) == 0) { module = mlp->module; SECMOD_ReferenceModule(module); break; } } found: SECMOD_ReleaseReadLock(moduleLock); return module; }
PRBool CERT_MatchNickname(char *name1, char *name2) { char *nickname1= NULL; char *nickname2 = NULL; char *token1; char *token2; /* first deal with the straight comparison */ if (PORT_Strcmp(name1, name2) == 0) { return PR_TRUE; } /* we need to handle the case where one name has an explicit token and the other * doesn't */ token1 = PORT_Strchr(name1,':'); token2 = PORT_Strchr(name2,':'); if ((token1 && token2) || (!token1 && !token2)) { /* either both token names are specified or neither are, not match */ return PR_FALSE; } if (token1) { nickname1=token1; nickname2=name2; } else { nickname1=token2; nickname2=name1; } nickname1++; if (PORT_Strcmp(nickname1,nickname2) != 0) { return PR_FALSE; } /* Bug 1192443 - compare the other token with the internal slot here */ return PR_TRUE; }
PK11SlotInfo * SECMOD_FindSlot(SECMODModule *module,const char *name) { int i; char *string; PK11SlotInfo *retSlot = NULL; if (!moduleLock) { PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return retSlot; } SECMOD_GetReadLock(moduleLock); for (i=0; i < module->slotCount; i++) { PK11SlotInfo *slot = module->slots[i]; if (PK11_IsPresent(slot)) { string = PK11_GetTokenName(slot); } else { string = PK11_GetSlotName(slot); } if (PORT_Strcmp(name,string) == 0) { retSlot = PK11_ReferenceSlot(slot); break; } } SECMOD_ReleaseReadLock(moduleLock); if (retSlot == NULL) { PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED); } return retSlot; }
JAR_Signer * jar_get_signer(JAR *jar, char *basename) { JAR_Item *it; JAR_Context *ctx = JAR_find(jar, NULL, jarTypeOwner); JAR_Signer *candidate; JAR_Signer *signer = NULL; if (ctx == NULL) return NULL; while (JAR_find_next(ctx, &it) >= 0) { candidate = (JAR_Signer *)it->data; if (*basename == '*' || !PORT_Strcmp(candidate->owner, basename)) { signer = candidate; break; } } JAR_find_end(ctx); return signer; }
/* * FUNCTION: pkix_pl_UInt32_Overflows * DESCRIPTION: * * Returns a PKIX_Boolean indicating whether the unsigned integer * represented by "string" is too large to fit in 32-bits (i.e. * whether it overflows). With the exception of the string "0", * all other strings are stripped of any leading zeros. It is assumed * that every character in "string" is from the set {'0' - '9'}. * * PARAMETERS * "string" * Address of array of bytes representing PKIX_UInt32 that's being tested * for 32-bit overflow * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * PKIX_TRUE if PKIX_UInt32 represented by "string" overflows; * PKIX_FALSE otherwise */ PKIX_Boolean pkix_pl_UInt32_Overflows(char *string){ char *firstNonZero = NULL; PKIX_UInt32 length, i; char *MAX_UINT32_STRING = "4294967295"; PKIX_DEBUG_ENTER(OID); PKIX_OID_DEBUG("\tCalling PL_strlen).\n"); length = PL_strlen(string); if (length < MAX_DIGITS_32){ return (PKIX_FALSE); } firstNonZero = string; for (i = 0; i < length; i++){ if (*string == '0'){ firstNonZero++; } } PKIX_OID_DEBUG("\tCalling PL_strlen).\n"); length = PL_strlen(firstNonZero); if (length > MAX_DIGITS_32){ return (PKIX_TRUE); } PKIX_OID_DEBUG("\tCalling PL_strlen).\n"); if (length == MAX_DIGITS_32){ PKIX_OID_DEBUG("\tCalling PORT_Strcmp).\n"); if (PORT_Strcmp(firstNonZero, MAX_UINT32_STRING) > 0){ return (PKIX_TRUE); } } return (PKIX_FALSE); }
int test_ekuchecker(int argc, char *argv[]) { PKIX_List *chain = NULL; PKIX_ValidateParams *valParams = NULL; PKIX_ValidateResult *valResult = NULL; PKIX_UInt32 actualMinorVersion; char *certNames[PKIX_TEST_MAX_CERTS]; char *dirName = NULL; PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS]; PKIX_UInt32 chainLength = 0; PKIX_UInt32 i = 0; PKIX_UInt32 j = 0; PKIX_Boolean testValid = PKIX_FALSE; PKIX_Boolean only4EE = PKIX_FALSE; PKIX_TEST_STD_VARS(); if (argc < 5) { printUsage1(argv[0]); return (0); } startTests("EKU Checker"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); /* ENE = expect no error; EE = expect error */ if (PORT_Strcmp(argv[2+j], "ENE") == 0) { testValid = PKIX_TRUE; } else if (PORT_Strcmp(argv[2+j], "EE") == 0) { testValid = PKIX_FALSE; } else { printUsage1(argv[0]); return (0); } dirName = argv[4+j]; chainLength = (argc - j) - 6; if (chainLength > PKIX_TEST_MAX_CERTS) { printUsageMax(chainLength); } for (i = 0; i < chainLength; i++) { certNames[i] = argv[6+i+j]; certs[i] = NULL; } subTest(argv[1+j]); subTest("Extended-Key-Usage-Checker"); subTest("Extended-Key-Usage-Checker - Create Cert Chain"); chain = createCertChainPlus (dirName, certNames, certs, chainLength, plContext); subTest("Extended-Key-Usage-Checker - Create Params"); valParams = createValidateParams (dirName, argv[5+j], NULL, NULL, NULL, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, chain, plContext); subTest("Default CertStore"); testEkuSetup(valParams, argv[3+j], &only4EE); testEkuChecker(valParams, only4EE); subTest("Extended-Key-Usage-Checker - Validate Chain"); if (testValid == PKIX_TRUE) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain (valParams, &valResult, NULL, plContext)); } else { PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain (valParams, &valResult, NULL, plContext)); } cleanup: PKIX_TEST_DECREF_AC(chain); PKIX_TEST_DECREF_AC(valParams); PKIX_TEST_DECREF_AC(valResult); PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("EKU Checker"); return (0); }
int test_defaultcrlchecker2stores(int argc, char *argv[]){ PKIX_List *chain = NULL; PKIX_ValidateParams *valParams = NULL; PKIX_ValidateResult *valResult = NULL; PKIX_UInt32 actualMinorVersion; char *certNames[PKIX_TEST_MAX_CERTS]; PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS]; PKIX_VerifyNode *verifyTree = NULL; PKIX_PL_String *verifyString = NULL; PKIX_UInt32 chainLength = 0; PKIX_UInt32 i = 0; PKIX_UInt32 j = 0; PKIX_Boolean testValid = PKIX_TRUE; char *dirName = NULL; char *anchorName = NULL; PKIX_TEST_STD_VARS(); if (argc < 6) { printUsage1(argv[0]); return (0); } startTests("CRL Checker"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); /* ENE = expect no error; EE = expect error */ if (PORT_Strcmp(argv[2+j], "ENE") == 0) { testValid = PKIX_TRUE; } else if (PORT_Strcmp(argv[2+j], "EE") == 0) { testValid = PKIX_FALSE; } else { printUsage1(argv[0]); return (0); } chainLength = (argc - j) - 7; if (chainLength > PKIX_TEST_MAX_CERTS) { printUsageMax(chainLength); } for (i = 0; i < chainLength; i++) { certNames[i] = argv[(7+j)+i]; certs[i] = NULL; } subTest(argv[1+j]); subTest("Default-CRL-Checker"); subTest("Default-CRL-Checker - Create Cert Chain"); dirName = argv[3+j]; chain = createCertChainPlus (dirName, certNames, certs, chainLength, plContext); subTest("Default-CRL-Checker - Create Params"); anchorName = argv[6+j]; valParams = createValidateParams (dirName, anchorName, NULL, NULL, NULL, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, chain, plContext); subTest("Multiple-CertStores"); testDefaultMultipleCertStores(valParams, argv[4+j], argv[5+j]); subTest("Default-CRL-Checker - Validate Chain"); if (testValid == PKIX_TRUE) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain (valParams, &valResult, &verifyTree, plContext)); } else { PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain (valParams, &valResult, &verifyTree, plContext)); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString ((PKIX_PL_Object*)verifyTree, &verifyString, plContext)); (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString); cleanup: PKIX_TEST_DECREF_AC(verifyString); PKIX_TEST_DECREF_AC(verifyTree); PKIX_TEST_DECREF_AC(valParams); PKIX_TEST_DECREF_AC(valResult); PKIX_TEST_DECREF_AC(chain); PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("CRL Checker"); return (0); }
int test_buildchain_resourcelimits(int argc, char *argv[]) { PKIX_ComCertSelParams *certSelParams = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_TrustAnchor *anchor = NULL; PKIX_List *anchors = NULL; PKIX_ProcessingParams *procParams = NULL; PKIX_CertChainChecker *checker = NULL; PKIX_ResourceLimits *resourceLimits = NULL; char *dirName = NULL; PKIX_PL_String *dirNameString = NULL; PKIX_PL_Cert *trustedCert = NULL; PKIX_PL_Cert *targetCert = NULL; PKIX_PL_Cert *dirCert = NULL; PKIX_UInt32 actualMinorVersion = 0; PKIX_UInt32 j = 0; PKIX_UInt32 k = 0; PKIX_CertStore *ldapCertStore = NULL; PRIntervalTime timeout = 0; /* 0 for non-blocking */ PKIX_CertStore *certStore = NULL; PKIX_List *certStores = NULL; PKIX_List *expectedCerts = NULL; PKIX_Boolean testValid = PKIX_FALSE; PKIX_Boolean usebind = PKIX_FALSE; PKIX_Boolean useLDAP = PKIX_FALSE; PKIX_TEST_STD_VARS(); if (argc < 5) { printUsage(); return (0); } startTests("BuildChain_ResourceLimits"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); /* * arguments: * [optional] -arenas * [optional] usebind * servername or servername:port ( - for no server) * testname * EE or ENE * cert directory * target cert (end entity) * intermediate certs * trust anchor */ /* optional argument "usebind" for Ldap CertStore */ if (argv[j + 1]) { if (PORT_Strcmp(argv[j + 1], "usebind") == 0) { usebind = PKIX_TRUE; j++; } } if (PORT_Strcmp(argv[++j], "-") == 0) { useLDAP = PKIX_FALSE; } else { serverName = argv[j]; } subTest(argv[++j]); /* ENE = expect no error; EE = expect error */ if (PORT_Strcmp(argv[++j], "ENE") == 0) { testValid = PKIX_TRUE; } else if (PORT_Strcmp(argv[j], "EE") == 0) { testValid = PKIX_FALSE; } else { printUsage(); return (0); } dirName = argv[++j]; PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext)); for (k = ++j; k < argc; k++) { dirCert = createCert(dirName, argv[k], plContext); if (k == (argc - 1)) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); trustedCert = dirCert; } else { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts, (PKIX_PL_Object *)dirCert, plContext)); if (k == j) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); targetCert = dirCert; } } PKIX_TEST_DECREF_BC(dirCert); } /* create processing params with list of trust anchors */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); /* create CertSelector with target certificate in params */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); /* create CertStores */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, dirName, 0, &dirNameString, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext)); #if 0 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create (&certStore, plContext)); #endif PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext)); if (useLDAP == PKIX_TRUE) { PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore(serverName, timeout, &ldapCertStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)ldapCertStore, plContext)); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext)); /* set resource limits */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create(&resourceLimits, plContext)); /* need longer time when running dbx for memory leak checking */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime(resourceLimits, 60, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 2, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 2, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetResourceLimits(procParams, resourceLimits, plContext)); /* build cert chain using processing params and return buildResult */ subTest("Testing ResourceLimits MaxFanout & MaxDepth - <pass>"); Test_BuildResult(procParams, testValid, expectedCerts, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 1, plContext)); subTest("Testing ResourceLimits MaxFanout - <fail>"); Test_BuildResult(procParams, PKIX_FALSE, expectedCerts, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 2, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 1, plContext)); subTest("Testing ResourceLimits MaxDepth - <fail>"); Test_BuildResult(procParams, PKIX_FALSE, expectedCerts, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 0, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 0, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime(resourceLimits, 0, plContext)); subTest("Testing ResourceLimits No checking - <pass>"); Test_BuildResult(procParams, testValid, expectedCerts, plContext); cleanup: PKIX_TEST_DECREF_AC(expectedCerts); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(certStores); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_DECREF_AC(ldapCertStore); PKIX_TEST_DECREF_AC(dirNameString); PKIX_TEST_DECREF_AC(trustedCert); PKIX_TEST_DECREF_AC(targetCert); PKIX_TEST_DECREF_AC(anchors); PKIX_TEST_DECREF_AC(anchor); PKIX_TEST_DECREF_AC(certSelParams); PKIX_TEST_DECREF_AC(certSelector); PKIX_TEST_DECREF_AC(checker); PKIX_TEST_DECREF_AC(resourceLimits); PKIX_TEST_RETURN(); PKIX_Shutdown(plContext); endTests("BuildChain_UserChecker"); return (0); }
static SECStatus getTestArguments(int argc, char **argv, mainTestFn *ptestFn, char **pdbPath, int *pargc, char ***pargv) { PLOptState *optstate = NULL; PLOptStatus status; mainTestFn testFunction = NULL; char **wArgv = NULL; char *dbPath = NULL; char *fnName = NULL; int wArgc = 0; int fnCounter = 0; if (argc < 2) { printf("ERROR: insufficient number of arguments: %s.\n", fnName); return SECFailure; } fnName = argv[1]; while (testFnRefTable[fnCounter].fnName != NULL) { if (!PORT_Strcmp(fnName, testFnRefTable[fnCounter].fnName)) { testFunction = testFnRefTable[fnCounter].fnPointer; break; } fnCounter += 1; } if (!testFunction) { printf("ERROR: unknown name of the test: %s.\n", fnName); return SECFailure; } wArgv = PORT_ZNewArray(char*, argc); if (!wArgv) { return SECFailure; } /* set name of the function as a first arg and increment arg count. */ wArgv[0] = fnName; wArgc += 1; optstate = PL_CreateOptState(argc - 1, argv + 1, "d:"); while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch (optstate->option) { case 'd': dbPath = (char*)optstate->value; break; default: wArgv[wArgc] = (char*)optstate->value; wArgc += 1; break; } } PL_DestroyOptState(optstate); *ptestFn = testFunction; *pdbPath = dbPath; *pargc = wArgc; *pargv = wArgv; return SECSuccess; }
static PRStatus CollectNicknames( NSSCertificate *c, void *data) { CERTCertNicknames *names; PRBool saveit = PR_FALSE; stringNode *node; int len; #ifdef notdef NSSTrustDomain *td; NSSTrust *trust; #endif char *stanNickname; char *nickname = NULL; names = (CERTCertNicknames *)data; stanNickname = nssCertificate_GetNickname(c,NULL); if ( stanNickname ) { nss_ZFreeIf(stanNickname); stanNickname = NULL; if (names->what == SEC_CERT_NICKNAMES_USER) { saveit = NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL); } #ifdef notdef else { td = NSSCertificate_GetTrustDomain(c); if (!td) { return PR_SUCCESS; } trust = nssTrustDomain_FindTrustForCertificate(td,c); switch(names->what) { case SEC_CERT_NICKNAMES_ALL: if ((trust->sslFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) || (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) || (trust->objectSigningFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER))) { saveit = PR_TRUE; } break; case SEC_CERT_NICKNAMES_SERVER: if ( trust->sslFlags & CERTDB_VALID_PEER ) { saveit = PR_TRUE; } break; case SEC_CERT_NICKNAMES_CA: if (((trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA)|| ((trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA) || ((trust->objectSigningFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA)) { saveit = PR_TRUE; } break; } } #endif } /* traverse the list of collected nicknames and make sure we don't make * a duplicate */ if ( saveit ) { nickname = STAN_GetCERTCertificateName(NULL, c); /* nickname can only be NULL here if we are having memory * alloc problems */ if (nickname == NULL) { return PR_FAILURE; } node = (stringNode *)names->head; while ( node != NULL ) { if ( PORT_Strcmp(nickname, node->string) == 0 ) { /* if the string matches, then don't save this one */ saveit = PR_FALSE; break; } node = node->next; } } if ( saveit ) { /* allocate the node */ node = (stringNode*)PORT_ArenaAlloc(names->arena, sizeof(stringNode)); if ( node == NULL ) { PORT_Free(nickname); return PR_FAILURE; } /* copy the string */ len = PORT_Strlen(nickname) + 1; node->string = (char*)PORT_ArenaAlloc(names->arena, len); if ( node->string == NULL ) { PORT_Free(nickname); return PR_FAILURE; } PORT_Memcpy(node->string, nickname, len); /* link it into the list */ node->next = (stringNode *)names->head; names->head = (void *)node; /* bump the count */ names->numnicknames++; } if (nickname) PORT_Free(nickname); return(PR_SUCCESS); }
int JAR_find_next (JAR_Context *ctx, JAR_Item **it) { JAR *jar; ZZList *list = NULL; int finding; JAR_Signer *signer = NULL; PORT_Assert( ctx != NULL ); PORT_Assert( ctx->jar != NULL ); jar = ctx->jar; /* Internally, convert jarTypeSign to jarTypeSF, and return the actual attached certificate later */ finding = (ctx->finding == jarTypeSign) ? jarTypeSF : ctx->finding; if (ctx->nextsign) { if (ZZ_ListIterDone (jar->signers, ctx->nextsign)) { *it = NULL; return -1; } PORT_Assert (ctx->nextsign->thing != NULL); signer = (JAR_Signer*)ctx->nextsign->thing->data; } /* Find out which linked list to traverse. Then if necessary, advance to the next linked list. */ while (1) { switch (finding) { case jarTypeSign: /* not any more */ PORT_Assert( finding != jarTypeSign ); list = signer->certs; break; case jarTypeSect: list = jar->manifest; break; case jarTypePhy: list = jar->phy; break; case jarTypeSF: /* signer, not jar */ PORT_Assert( signer != NULL ); list = signer->sf; break; case jarTypeMF: list = jar->hashes; break; case jarTypeOwner: list = jar->signers; break; case jarTypeMeta: list = jar->metainfo; break; default: PORT_Assert( 1 != 2 ); break; } if (list == NULL) { *it = NULL; return -1; } /* When looping over lists of lists, advance to the next signer. This is done when multiple signers are possible. */ if (ZZ_ListIterDone (list, ctx->next)) { if (ctx->nextsign && jar->signers) { ctx->nextsign = ctx->nextsign->next; if (!ZZ_ListIterDone (jar->signers, ctx->nextsign)) { PORT_Assert (ctx->nextsign->thing != NULL); signer = (JAR_Signer*)ctx->nextsign->thing->data; PORT_Assert( signer != NULL ); ctx->next = NULL; continue; } } *it = NULL; return -1; } /* if the signer changed, still need to fill in the "next" link */ if (ctx->nextsign && ctx->next == NULL) { switch (finding) { case jarTypeSF: ctx->next = ZZ_ListHead (signer->sf); break; case jarTypeSign: ctx->next = ZZ_ListHead (signer->certs); break; } } PORT_Assert( ctx->next != NULL ); while (!ZZ_ListIterDone (list, ctx->next)) { *it = ctx->next->thing; ctx->next = ctx->next->next; if (!*it || (*it)->type != finding) continue; if (ctx->pattern && *ctx->pattern) { if (PORT_Strcmp ((*it)->pathname, ctx->pattern)) continue; } /* We have a valid match. If this is a jarTypeSign return the certificate instead.. */ if (ctx->finding == jarTypeSign) { JAR_Item *itt; /* just the first one for now */ if (jar_find_first_cert (signer, jarTypeSign, &itt) >= 0) { *it = itt; return 0; } continue; } return 0; } } /* end while */ }
int test_buildchain_uchecker(int argc, char *argv[]) { PKIX_BuildResult *buildResult = NULL; PKIX_ComCertSelParams *certSelParams = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_TrustAnchor *anchor = NULL; PKIX_List *anchors = NULL; PKIX_List *certs = NULL; PKIX_PL_Cert *cert = NULL; PKIX_ProcessingParams *procParams = NULL; PKIX_CertChainChecker *checker = NULL; char *dirName = NULL; PKIX_PL_String *dirNameString = NULL; PKIX_PL_Cert *trustedCert = NULL; PKIX_PL_Cert *targetCert = NULL; PKIX_UInt32 numCerts = 0; PKIX_UInt32 i = 0; PKIX_UInt32 j = 0; PKIX_UInt32 k = 0; PKIX_UInt32 chainLength = 0; PKIX_CertStore *certStore = NULL; PKIX_List *certStores = NULL; char * asciiResult = NULL; PKIX_Boolean result; PKIX_Boolean testValid = PKIX_TRUE; PKIX_Boolean supportForward = PKIX_FALSE; PKIX_List *expectedCerts = NULL; PKIX_List *userOIDs = NULL; PKIX_PL_OID *oid = NULL; PKIX_PL_Cert *dirCert = NULL; PKIX_PL_String *actualCertsString = NULL; PKIX_PL_String *expectedCertsString = NULL; char *actualCertsAscii = NULL; char *expectedCertsAscii = NULL; char *oidString = NULL; void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */ void *nbioContext = NULL; /* needed by pkix_build for non-blocking I/O */ PKIX_TEST_STD_VARS(); if (argc < 5){ printUsage(); return (0); } startTests("BuildChain_UserChecker"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); /* ENE = expect no error; EE = expect error */ if (PORT_Strcmp(argv[2+j], "ENE") == 0) { testValid = PKIX_TRUE; } else if (PORT_Strcmp(argv[2+j], "EE") == 0) { testValid = PKIX_FALSE; } else { printUsage(); return (0); } /* OID specified at argv[3+j] */ if (*argv[3+j] != '-') { if (*argv[3+j] == 'F') { supportForward = PKIX_TRUE; oidString = argv[3+j]+1; } else { oidString = argv[3+j]; } PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create (&userOIDs, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create (oidString, &oid, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (userOIDs, (PKIX_PL_Object *)oid, plContext)); PKIX_TEST_DECREF_BC(oid); } subTest(argv[1+j]); dirName = argv[4+j]; PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext)); chainLength = argc - j - 5; for (k = 0; k < chainLength; k++){ dirCert = createCert(dirName, argv[5+k+j], plContext); if (k == (chainLength - 1)){ PKIX_TEST_EXPECT_NO_ERROR (PKIX_PL_Object_IncRef ((PKIX_PL_Object *)dirCert, plContext)); trustedCert = dirCert; } else { PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_AppendItem (expectedCerts, (PKIX_PL_Object *)dirCert, plContext)); if (k == 0){ PKIX_TEST_EXPECT_NO_ERROR (PKIX_PL_Object_IncRef ((PKIX_PL_Object *)dirCert, plContext)); targetCert = dirCert; } } PKIX_TEST_DECREF_BC(dirCert); } /* create processing params with list of trust anchors */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert (trustedCert, &anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_AppendItem (anchors, (PKIX_PL_Object *)anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create (anchors, &procParams, plContext)); /* create CertSelector with target certificate in params */ PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_Create(&certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ComCertSelParams_SetCertificate (certSelParams, targetCert, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_Create (NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams (certSelector, certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_ProcessingParams_SetTargetCertConstraints (procParams, certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create (testUserChecker, supportForward, PKIX_FALSE, userOIDs, NULL, &checker, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertChainChecker (procParams, checker, plContext)); /* create CertStores */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create (PKIX_ESCASCII, dirName, 0, &dirNameString, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create (dirNameString, &certStore, plContext)); #if 0 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create (&certStore, plContext)); #endif PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_AppendItem (certStores, (PKIX_PL_Object *)certStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores (procParams, certStores, plContext)); /* build cert chain using processing params and return buildResult */ pkixTestErrorResult = PKIX_BuildChain (procParams, &nbioContext, &buildState, &buildResult, NULL, plContext); if (testValid == PKIX_TRUE) { /* ENE */ if (pkixTestErrorResult){ (void) printf("UNEXPECTED RESULT RECEIVED!\n"); } else { (void) printf("EXPECTED RESULT RECEIVED!\n"); PKIX_TEST_DECREF_BC(pkixTestErrorResult); } } else { /* EE */ if (pkixTestErrorResult){ (void) printf("EXPECTED RESULT RECEIVED!\n"); PKIX_TEST_DECREF_BC(pkixTestErrorResult); } else { testError("UNEXPECTED RESULT RECEIVED"); } } if (buildResult){ PKIX_TEST_EXPECT_NO_ERROR (PKIX_BuildResult_GetCertChain (buildResult, &certs, NULL)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_GetLength(certs, &numCerts, plContext)); printf("\n"); for (i = 0; i < numCerts; i++){ PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_GetItem (certs, i, (PKIX_PL_Object**)&cert, plContext)); asciiResult = PKIX_Cert2ASCII(cert); printf("CERT[%d]:\n%s\n", i, asciiResult); PKIX_TEST_EXPECT_NO_ERROR (PKIX_PL_Free(asciiResult, plContext)); asciiResult = NULL; PKIX_TEST_DECREF_BC(cert); } PKIX_TEST_EXPECT_NO_ERROR (PKIX_PL_Object_Equals ((PKIX_PL_Object*)certs, (PKIX_PL_Object*)expectedCerts, &result, plContext)); if (!result){ testError("BUILT CERTCHAIN IS " "NOT THE ONE THAT WAS EXPECTED"); PKIX_TEST_EXPECT_NO_ERROR (PKIX_PL_Object_ToString ((PKIX_PL_Object *)certs, &actualCertsString, plContext)); actualCertsAscii = PKIX_String2ASCII (actualCertsString, plContext); if (actualCertsAscii == NULL){ pkixTestErrorMsg = "PKIX_String2ASCII Failed"; goto cleanup; } PKIX_TEST_EXPECT_NO_ERROR (PKIX_PL_Object_ToString ((PKIX_PL_Object *)expectedCerts, &expectedCertsString, plContext)); expectedCertsAscii = PKIX_String2ASCII (expectedCertsString, plContext); if (expectedCertsAscii == NULL){ pkixTestErrorMsg = "PKIX_String2ASCII Failed"; goto cleanup; } (void) printf("Actual value:\t%s\n", actualCertsAscii); (void) printf("Expected value:\t%s\n", expectedCertsAscii); if (chainLength - 1 != numUserCheckerCalled) { pkixTestErrorMsg = "PKIX user defined checker not called"; } goto cleanup; } } cleanup: PKIX_PL_Free(asciiResult, plContext); PKIX_PL_Free(actualCertsAscii, plContext); PKIX_PL_Free(expectedCertsAscii, plContext); PKIX_TEST_DECREF_AC(actualCertsString); PKIX_TEST_DECREF_AC(expectedCertsString); PKIX_TEST_DECREF_AC(expectedCerts); PKIX_TEST_DECREF_AC(certs); PKIX_TEST_DECREF_AC(cert); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_DECREF_AC(certStores); PKIX_TEST_DECREF_AC(dirNameString); PKIX_TEST_DECREF_AC(trustedCert); PKIX_TEST_DECREF_AC(targetCert); PKIX_TEST_DECREF_AC(anchor); PKIX_TEST_DECREF_AC(anchors); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(certSelParams); PKIX_TEST_DECREF_AC(certSelector); PKIX_TEST_DECREF_AC(buildResult); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(userOIDs); PKIX_TEST_DECREF_AC(checker); PKIX_TEST_RETURN(); PKIX_Shutdown(plContext); endTests("BuildChain_UserChecker"); return (0); }
int test_validatechain_NB(int argc, char *argv[]){ PKIX_ValidateParams *valParams = NULL; PKIX_ValidateResult *valResult = NULL; PKIX_UInt32 actualMinorVersion; PKIX_UInt32 j = 0; PKIX_UInt32 k = 0; PKIX_UInt32 chainLength = 0; PKIX_Boolean testValid = PKIX_TRUE; PKIX_List *chainCerts = NULL; PKIX_PL_Cert *dirCert = NULL; char *dirCertName = NULL; char *anchorCertName = NULL; char *dirName = NULL; PKIX_UInt32 certIndex = 0; PKIX_UInt32 anchorIndex = 0; PKIX_UInt32 checkerIndex = 0; PKIX_Boolean revChecking = PKIX_FALSE; PKIX_List *checkers = NULL; PRPollDesc *pollDesc = NULL; PRErrorCode errorCode = 0; PKIX_PL_Socket *socket = NULL; char *ldapName = NULL; PKIX_VerifyNode *verifyTree = NULL; PKIX_PL_String *verifyString = NULL; PKIX_List *loggers = NULL; PKIX_Logger *logger = NULL; char *logging = NULL; PKIX_PL_String *component = NULL; PKIX_TEST_STD_VARS(); if (argc < 5) { printUsage(); return (0); } startTests("ValidateChain_NB"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); /* ENE = expect no error; EE = expect error */ if (PORT_Strcmp(argv[2+j], "ENE") == 0) { testValid = PKIX_TRUE; } else if (PORT_Strcmp(argv[2+j], "EE") == 0) { testValid = PKIX_FALSE; } else { printUsage(); return (0); } subTest(argv[1+j]); dirName = argv[3+j]; chainLength = argc - j - 5; PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext)); for (k = 0; k < chainLength; k++){ dirCert = createCert(dirName, argv[5+k+j], plContext); PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_AppendItem (chainCerts, (PKIX_PL_Object *)dirCert, plContext)); PKIX_TEST_DECREF_BC(dirCert); } valParams = createValidateParams (dirName, argv[4+j], NULL, NULL, NULL, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, chainCerts, plContext); ldapName = PR_GetEnv("LDAP"); /* Is LDAP set in the environment? */ if ((ldapName == NULL) || (*ldapName == '\0')) { testError("LDAP not set in environment"); goto cleanup; } pkixTestErrorResult = pkix_pl_Socket_CreateByName (PKIX_FALSE, /* isServer */ PR_SecondsToInterval(30), /* try 30 secs for connect */ ldapName, &errorCode, &socket, plContext); if (pkixTestErrorResult != NULL) { PKIX_PL_Object_DecRef ((PKIX_PL_Object *)pkixTestErrorResult, plContext); pkixTestErrorResult = NULL; testError("Unable to connect to LDAP Server"); goto cleanup; } PKIX_TEST_DECREF_BC(socket); testSetupCertStore(valParams, ldapName); logging = PR_GetEnv("LOGGING"); /* Is LOGGING set in the environment? */ if ((logging != NULL) && (*logging != '\0')) { PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_Create(&loggers, plContext)); testLogErrors (PKIX_VALIDATE_ERROR, 2, loggers, plContext); testLogErrors (PKIX_CERTCHAINCHECKER_ERROR, 2, loggers, plContext); testLogErrors (PKIX_LDAPDEFAULTCLIENT_ERROR, 2, loggers, plContext); testLogErrors (PKIX_CERTSTORE_ERROR, 2, loggers, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_SetLoggers(loggers, plContext)); } pkixTestErrorResult = PKIX_ValidateChain_NB (valParams, &certIndex, &anchorIndex, &checkerIndex, &revChecking, &checkers, (void **)&pollDesc, &valResult, &verifyTree, plContext); while (pollDesc != NULL) { if (PR_Poll(pollDesc, 1, 0) < 0) { testError("PR_Poll failed"); } pkixTestErrorResult = PKIX_ValidateChain_NB (valParams, &certIndex, &anchorIndex, &checkerIndex, &revChecking, &checkers, (void **)&pollDesc, &valResult, &verifyTree, plContext); } if (pkixTestErrorResult) { if (testValid == PKIX_FALSE) { /* EE */ (void) printf("EXPECTED ERROR RECEIVED!\n"); } else { /* ENE */ testError("UNEXPECTED ERROR RECEIVED"); } PKIX_TEST_DECREF_BC(pkixTestErrorResult); } else { if (testValid == PKIX_TRUE) { /* ENE */ (void) printf("EXPECTED NON-ERROR RECEIVED!\n"); } else { /* EE */ (void) printf("UNEXPECTED NON-ERROR RECEIVED!\n"); } } cleanup: if (verifyTree) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString ((PKIX_PL_Object*)verifyTree, &verifyString, plContext)); (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString); } PKIX_TEST_DECREF_AC(verifyString); PKIX_TEST_DECREF_AC(verifyTree); PKIX_TEST_DECREF_AC(checkers); PKIX_TEST_DECREF_AC(chainCerts); PKIX_TEST_DECREF_AC(valParams); PKIX_TEST_DECREF_AC(valResult); PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("ValidateChain_NB"); return (0); }
/* * a d d _ m e t a * * Parse the metainfo file, and add any details * necessary to the manifest file. In most cases you * should be using the -i option (ie, for SmartUpdate). * */ static int add_meta (FILE *fp, char *name) { FILE * met; char buf [BUFSIZ]; int place; char *pattern, *meta; int num = 0; if ((met = fopen (metafile, "r")) != NULL) { while (fgets (buf, BUFSIZ, met)) { char *s; for (s = buf; *s && *s != '\n' && *s != '\r'; s++) ; *s = 0; if (*buf == 0) continue; pattern = buf; /* skip to whitespace */ for (s = buf; *s && *s != ' ' && *s != '\t'; s++) ; /* terminate pattern */ if (*s == ' ' || *s == '\t') *s++ = 0; /* eat through whitespace */ while (*s == ' ' || *s == '\t') s++; meta = s; /* this will eventually be regexp matching */ place = 0; if (!PORT_Strcmp (pattern, name)) place = 1; if (place) { num++; if (verbosity >= 0) { PR_fprintf(outputFD, "[%s] %s\n", name, meta); } fprintf (fp, "%s\n", meta); } } fclose (met); } else { PR_fprintf(errorFD, "%s: can't open metafile: %s\n", PROGRAM_NAME, metafile); errorCount++; exit (ERRX); } return num; }
/* * m a n i f e s t o _ f n * * Called by pointer from manifesto(), once for * each file within the directory. * */ static int manifesto_fn (char *relpath, char *basedir, char *reldir, char *filename, void *arg) { int use_js; JAR_Digest dig; char fullname [FNSIZE]; if (verbosity >= 0) { PR_fprintf(outputFD, "--> %s\n", relpath); } /* extension matching */ if (extensionsGiven) { char *ext = PL_strrchr(relpath, '.'); if (!ext) return 0; if (!PL_HashTableLookup(extensions, ext)) return 0; } sprintf (fullname, "%s/%s", basedir, relpath); fprintf (mf, "\n"); use_js = 0; if (scriptdir && !PORT_Strcmp (scriptdir, reldir)) use_js++; /* sign non-.js files inside .arc directories using the javascript magic */ if ( (PL_strcaserstr(filename, ".js") != filename + strlen(filename) - 3) && (PL_strcaserstr(reldir, ".arc") == reldir + strlen(filename) - 4)) use_js++; if (use_js) { fprintf (mf, "Name: %s\n", filename); fprintf (mf, "Magic: javascript\n"); if (optimize == 0) fprintf (mf, "javascript.id: %s\n", filename); if (metafile) add_meta (mf, filename); } else { fprintf (mf, "Name: %s\n", relpath); if (metafile) add_meta (mf, relpath); } JAR_digest_file (fullname, &dig); if (optimize == 0) { fprintf (mf, "Digest-Algorithms: MD5 SHA1\n"); fprintf (mf, "MD5-Digest: %s\n", BTOA_DataToAscii (dig.md5, MD5_LENGTH)); } fprintf (mf, "SHA1-Digest: %s\n", BTOA_DataToAscii (dig.sha1, SHA1_LENGTH)); if (!use_js) { JzipAdd(fullname, relpath, zipfile, compression_level); } return 0; }
int test_policychecker(int argc, char *argv[]) { PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE; PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE; PKIX_Boolean initialExplicitPolicy = PKIX_FALSE; PKIX_Boolean expectedResult = PKIX_FALSE; PKIX_UInt32 chainLength = 0; PKIX_UInt32 initArgs = 0; PKIX_UInt32 firstCert = 0; PKIX_UInt32 i = 0; PKIX_Int32 j = 0; PKIX_UInt32 actualMinorVersion; PKIX_ProcessingParams *procParams = NULL; char *firstTrustAnchor = "yassir2yassir"; char *secondTrustAnchor = "yassir2bcn"; char *dateAscii = "991201000000Z"; PKIX_ValidateParams *valParams = NULL; PKIX_ValidateResult *valResult = NULL; PKIX_List *userInitialPolicySet = NULL; /* List of PKIX_PL_OID */ char *certNames[PKIX_TEST_MAX_CERTS]; PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS]; PKIX_List *chain = NULL; PKIX_Error *validationError = NULL; PKIX_VerifyNode *verifyTree = NULL; PKIX_PL_String *verifyString = NULL; char *dirName = NULL; char *dataCentralDir = NULL; char *anchorName = NULL; PKIX_TEST_STD_VARS(); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); /* * Perform hard-coded tests if no command line args. * If command line args are provided, they must be: * arg[1]: test name * arg[2]: "ENE" or "EE", for "expect no error" or "expect error" * arg[3]: directory for certificates * arg[4]: user-initial-policy-set, consisting of braces * containing zero or more OID sequences, separated by commas * arg[5]: (optional) "E", indicating initialExplicitPolicy * arg[firstCert]: the path and filename of the trust anchor certificate * arg[firstCert+1..(n-1)]: successive certificates in the chain * arg[n]: the end entity certificate * * Example: test_policychecker test1EE ENE * {2.5.29.32.0,2.5.29.32.3.6} Anchor CA EndEntity */ dirName = argv[3+j]; dataCentralDir = argv[4+j]; if (argc <= 5 || ((6 == argc) && (j))) { testPass (dataCentralDir, firstTrustAnchor, secondTrustAnchor, dateAscii); testNistTest1(dirName); testNistTest2(dirName); goto cleanup; } if (argc < (7 + j)) { printUsage(argv[0]); pkixTestErrorMsg = "Invalid command line arguments."; goto cleanup; } if (PORT_Strcmp(argv[2+j], "ENE") == 0) { expectedResult = PKIX_TRUE; } else if (PORT_Strcmp(argv[2+j], "EE") == 0) { expectedResult = PKIX_FALSE; } else { printUsage(argv[0]); pkixTestErrorMsg = "Invalid command line arguments."; goto cleanup; } userInitialPolicySet = policySetParse(argv[5+j]); if (!userInitialPolicySet) { printUsage(argv[0]); pkixTestErrorMsg = "Invalid command line arguments."; goto cleanup; } for (initArgs = 0; initArgs < 3; initArgs++) { if (PORT_Strcmp(argv[6+j+initArgs], "A") == 0) { initialAnyPolicyInhibit = PKIX_TRUE; } else if (PORT_Strcmp(argv[6+j+initArgs], "E") == 0) { initialExplicitPolicy = PKIX_TRUE; } else if (PORT_Strcmp(argv[6+j+initArgs], "P") == 0) { initialPolicyMappingInhibit = PKIX_TRUE; } else { break; } } firstCert = initArgs + j + 6; chainLength = argc - (firstCert + 1); if (chainLength > PKIX_TEST_MAX_CERTS) { printUsageMax(chainLength); pkixTestErrorMsg = "Invalid command line arguments."; goto cleanup; } /* * Create a chain, but don't include the first certName. * That's the anchor, and is supplied separately from * the chain. */ for (i = 0; i < chainLength; i++) { certNames[i] = argv[i + (firstCert + 1)]; certs[i] = NULL; } chain = createCertChainPlus (dirName, certNames, certs, chainLength, plContext); subTest(argv[1+j]); valParams = createValidateParams (dirName, argv[firstCert], NULL, NULL, userInitialPolicySet, initialPolicyMappingInhibit, initialAnyPolicyInhibit, initialExplicitPolicy, PKIX_FALSE, chain, plContext); if (expectedResult == PKIX_TRUE) { subTest(" (expecting successful validation)"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain (valParams, &valResult, &verifyTree, plContext)); printValidPolicyTree(valResult); } else { subTest(" (expecting validation to fail)"); validationError = PKIX_ValidateChain (valParams, &valResult, &verifyTree, plContext); if (!validationError) { printValidPolicyTree(valResult); pkixTestErrorMsg = "Should have thrown an error here."; } PKIX_TEST_DECREF_BC(validationError); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString ((PKIX_PL_Object*)verifyTree, &verifyString, plContext)); (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString); cleanup: PKIX_PL_Free(anchorName, plContext); PKIX_TEST_DECREF_AC(verifyString); PKIX_TEST_DECREF_AC(verifyTree); PKIX_TEST_DECREF_AC(userInitialPolicySet); PKIX_TEST_DECREF_AC(chain); PKIX_TEST_DECREF_AC(valParams); PKIX_TEST_DECREF_AC(valResult); PKIX_TEST_DECREF_AC(validationError); PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("PolicyChecker"); return (0); }
int test_subjaltnamechecker(int argc, char *argv[]){ PKIX_List *chain = NULL; PKIX_ValidateParams *valParams = NULL; PKIX_ValidateResult *valResult = NULL; PKIX_CertSelector *selector = NULL; PKIX_ComCertSelParams *selParams = NULL; PKIX_ProcessingParams *procParams = NULL; PKIX_PL_GeneralName *name = NULL; PKIX_UInt32 actualMinorVersion; char *certNames[PKIX_TEST_MAX_CERTS]; PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS]; PKIX_UInt32 chainLength = 0; PKIX_UInt32 i = 0; PKIX_UInt32 j = 0; char *nameStr; char *nameEnd; char *names[PKIX_TEST_MAX_CERTS]; PKIX_UInt32 numNames = 0; PKIX_UInt32 nameType; PKIX_Boolean matchAll = PKIX_TRUE; PKIX_Boolean testValid = PKIX_TRUE; char *dirName = NULL; char *anchorName = NULL; PKIX_VerifyNode *verifyTree = NULL; PKIX_PL_String *verifyString = NULL; PKIX_TEST_STD_VARS(); if (argc < 5) { printUsage1(argv[0]); return (0); } startTests("SubjAltNameConstraintChecker"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); j++; /* skip test-purpose string */ /* ENE = expect no error; EE = expect error */ if (PORT_Strcmp(argv[2+j], "ENE") == 0) { testValid = PKIX_TRUE; } else if (PORT_Strcmp(argv[2+j], "EE") == 0) { testValid = PKIX_FALSE; } else { printUsage1(argv[0]); return (0); } /* taking out leading and trailing ", if any */ nameStr = argv[1+j]; subTest(nameStr); if (*nameStr == '"'){ nameStr++; nameEnd = nameStr; while (*nameEnd != '"' && *nameEnd != '\0') { nameEnd++; } *nameEnd = '\0'; } /* extract first [0|1] inidcating matchAll or not */ matchAll = (*nameStr == '0')?PKIX_FALSE:PKIX_TRUE; nameStr++; numNames = 0; while (*nameStr != '\0') { names[numNames++] = nameStr; while (*nameStr != '+' && *nameStr != '\0') { nameStr++; } if (*nameStr == '+') { *nameStr = '\0'; nameStr++; } } chainLength = (argc - j) - 4; if (chainLength > PKIX_TEST_MAX_CERTS) { printUsageMax(chainLength); } for (i = 0; i < chainLength; i++) { certNames[i] = argv[(4+j)+i]; certs[i] = NULL; } /* SubjAltName for validation */ subTest("Add Subject Alt Name for NameConstraint checking"); subTest("Create Selector and ComCertSelParams"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create (NULL, NULL, &selector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create (&selParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR (PKIX_CertSelector_SetCommonCertSelectorParams (selector, selParams, plContext)); subTest("PKIX_ComCertSelParams_SetMatchAllSubjAltNames"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames (selParams, matchAll, plContext)); subTest("PKIX_ComCertSelParams_AddSubjAltName(s)"); for (i = 0; i < numNames; i++) { nameType = getNameType(names[i]); if (nameType == 0xFFFF) { return (0); } nameStr = names[i] + 2; name = createGeneralName(nameType, nameStr, plContext); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName (selParams, name, plContext)); PKIX_TEST_DECREF_BC(name); } subTest("SubjAltName-Constraints - Create Cert Chain"); dirName = argv[3+j]; chain = createCertChainPlus (dirName, certNames, certs, chainLength, plContext); subTest("SubjAltName-Constraints - Create Params"); valParams = createValidateParams (dirName, argv[4+j], NULL, NULL, NULL, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, chain, plContext); subTest("PKIX_ValidateParams_getProcessingParams"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams (valParams, &procParams, plContext)); subTest("PKIX_ProcessingParams_SetTargetCertConstraints"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints (procParams, selector, plContext)); subTest("Subject Alt Name - Validate Chain"); if (testValid == PKIX_TRUE) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain (valParams, &valResult, &verifyTree, plContext)); } else { PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain (valParams, &valResult, &verifyTree, plContext)); } cleanup: PKIX_PL_Free(anchorName, plContext); PKIX_TEST_DECREF_AC(verifyString); PKIX_TEST_DECREF_AC(verifyTree); PKIX_TEST_DECREF_AC(chain); PKIX_TEST_DECREF_AC(valParams); PKIX_TEST_DECREF_AC(valResult); PKIX_TEST_DECREF_AC(selector); PKIX_TEST_DECREF_AC(selParams); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(name); PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("SubjAltNameConstraintsChecker"); return (0); }
int test_validatechain(int argc, char *argv[]){ PKIX_ValidateParams *valParams = NULL; PKIX_ValidateResult *valResult = NULL; PKIX_UInt32 actualMinorVersion; PKIX_UInt32 j = 0; PKIX_UInt32 k = 0; PKIX_UInt32 chainLength = 0; PKIX_Boolean testValid = PKIX_TRUE; PKIX_List *chainCerts = NULL; PKIX_PL_Cert *dirCert = NULL; PKIX_VerifyNode *verifyTree = NULL; PKIX_PL_String *verifyString = NULL; char *dirCertName = NULL; char *anchorCertName = NULL; char *dirName = NULL; PKIX_TEST_STD_VARS(); if (argc < 5) { printUsage(); return (0); } startTests("ValidateChain"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); /* ENE = expect no error; EE = expect error */ if (PORT_Strcmp(argv[2+j], "ENE") == 0) { testValid = PKIX_TRUE; } else if (PORT_Strcmp(argv[2+j], "EE") == 0) { testValid = PKIX_FALSE; } else { printUsage(); return (0); } subTest(argv[1+j]); dirName = argv[3+j]; chainLength = argc - j - 5; PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext)); for (k = 0; k < chainLength; k++) { dirCert = createCert(dirName, argv[5+k+j], plContext); PKIX_TEST_EXPECT_NO_ERROR (PKIX_List_AppendItem (chainCerts, (PKIX_PL_Object *)dirCert, plContext)); PKIX_TEST_DECREF_BC(dirCert); } valParams = createValidateParams (dirName, argv[4+j], NULL, NULL, NULL, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, PKIX_FALSE, chainCerts, plContext); testDefaultCertStore(valParams, dirName); if (testValid == PKIX_TRUE) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain (valParams, &valResult, &verifyTree, plContext)); } else { PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain (valParams, &valResult, &verifyTree, plContext)); } subTest("Displaying VerifyNode objects"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString ((PKIX_PL_Object*)verifyTree, &verifyString, plContext)); (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString); cleanup: PKIX_TEST_DECREF_AC(verifyString); PKIX_TEST_DECREF_AC(verifyTree); PKIX_TEST_DECREF_AC(chainCerts); PKIX_TEST_DECREF_AC(valParams); PKIX_TEST_DECREF_AC(valResult); PKIX_Shutdown(plContext); PKIX_TEST_RETURN(); endTests("ValidateChain"); return (0); }
int test_buildchain(int argc, char *argv[]) { PKIX_BuildResult *buildResult = NULL; PKIX_ComCertSelParams *certSelParams = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_TrustAnchor *anchor = NULL; PKIX_PL_PublicKey *trustedPubKey = NULL; PKIX_List *anchors = NULL; PKIX_List *certs = NULL; PKIX_RevocationChecker *revChecker = NULL; PKIX_PL_Cert *cert = NULL; PKIX_ProcessingParams *procParams = NULL; char *dirName = NULL; PKIX_PL_String *dirNameString = NULL; PKIX_PL_Cert *trustedCert = NULL; PKIX_PL_Cert *targetCert = NULL; PKIX_UInt32 actualMinorVersion = 0; PKIX_UInt32 numCerts = 0; PKIX_UInt32 i = 0; PKIX_UInt32 j = 0; PKIX_UInt32 k = 0; PKIX_CertStore *ldapCertStore = NULL; PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; /* blocking */ /* PRIntervalTime timeout = PR_INTERVAL_NO_WAIT; =0 for non-blocking */ PKIX_CertStore *certStore = NULL; PKIX_List *certStores = NULL; PKIX_List *revCheckers = NULL; char *asciiResult = NULL; PKIX_Boolean result = PKIX_FALSE; PKIX_Boolean testValid = PKIX_TRUE; PKIX_List *expectedCerts = NULL; PKIX_PL_Cert *dirCert = NULL; PKIX_VerifyNode *verifyTree = NULL; PKIX_PL_String *verifyString = NULL; PKIX_PL_String *actualCertsString = NULL; PKIX_PL_String *expectedCertsString = NULL; void *state = NULL; char *actualCertsAscii = NULL; char *expectedCertsAscii = NULL; PRPollDesc *pollDesc = NULL; PKIX_TEST_STD_VARS(); if (argc < 5) { printUsage(); return (0); } startTests("BuildChain"); PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); /* * arguments: * [optional] -arenas * [optional] usebind * servername or servername:port ( - for no server) * testname * EE or ENE * cert directory * target cert (end entity) * intermediate certs * trust anchor */ /* optional argument "usebind" for Ldap CertStore */ if (argv[j + 1]) { if (PORT_Strcmp(argv[j + 1], "usebind") == 0) { usebind = PKIX_TRUE; j++; } } if (PORT_Strcmp(argv[++j], "-") == 0) { useLDAP = PKIX_FALSE; } else { serverName = argv[j]; useLDAP = PKIX_TRUE; } subTest(argv[++j]); /* ENE = expect no error; EE = expect error */ if (PORT_Strcmp(argv[++j], "ENE") == 0) { testValid = PKIX_TRUE; } else if (PORT_Strcmp(argv[j], "EE") == 0) { testValid = PKIX_FALSE; } else { printUsage(); return (0); } dirName = argv[++j]; PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext)); for (k = ++j; k < (PKIX_UInt32)argc; k++) { dirCert = createCert(dirName, argv[k], plContext); if (k == (PKIX_UInt32)(argc - 1)) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); trustedCert = dirCert; } else { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts, (PKIX_PL_Object *)dirCert, plContext)); if (k == j) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext)); targetCert = dirCert; } } PKIX_TEST_DECREF_BC(dirCert); } /* create processing params with list of trust anchors */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext)); /* create CertSelector with target certificate in params */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext)); /* create CertStores */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, dirName, 0, &dirNameString, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext)); if (useLDAP == PKIX_TRUE) { PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore(serverName, timeout, &ldapCertStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)ldapCertStore, plContext)); } else { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext)); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(trustedCert, &trustedPubKey, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(expectedCerts, &numCerts, plContext)); PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize(certStores, NULL, /* testDate, may be NULL */ trustedPubKey, numCerts, &revChecker, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(revCheckers, (PKIX_PL_Object *)revChecker, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers(procParams, revCheckers, plContext)); #ifdef debuggingWithoutRevocation PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext)); #endif /* build cert chain using processing params and return buildResult */ pkixTestErrorResult = PKIX_BuildChain(procParams, (void **)&pollDesc, &state, &buildResult, &verifyTree, plContext); while (pollDesc != NULL) { if (PR_Poll(pollDesc, 1, 0) < 0) { testError("PR_Poll failed"); } pkixTestErrorResult = PKIX_BuildChain(procParams, (void **)&pollDesc, &state, &buildResult, &verifyTree, plContext); } if (pkixTestErrorResult) { if (testValid == PKIX_FALSE) { /* EE */ (void)printf("EXPECTED ERROR RECEIVED!\n"); } else { /* ENE */ testError("UNEXPECTED ERROR RECEIVED"); } } else { if (testValid == PKIX_TRUE) { /* ENE */ (void)printf("EXPECTED NON-ERROR RECEIVED!\n"); } else { /* EE */ (void)printf("UNEXPECTED NON-ERROR RECEIVED!\n"); } } subTest("Displaying VerifyNode objects"); if (verifyTree == NULL) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, "(null)", 0, &verifyString, plContext)); } else { PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext)); } (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString); if (pkixTestErrorResult) { PKIX_TEST_DECREF_BC(pkixTestErrorResult); goto cleanup; } if (buildResult) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext)); printf("\n"); for (i = 0; i < numCerts; i++) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, i, (PKIX_PL_Object **)&cert, plContext)); asciiResult = PKIX_Cert2ASCII(cert); printf("CERT[%d]:\n%s\n", i, asciiResult); /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, NULL)); asciiResult = NULL; PKIX_TEST_DECREF_BC(cert); } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)certs, (PKIX_PL_Object *)expectedCerts, &result, plContext)); if (!result) { testError("BUILT CERTCHAIN IS " "NOT THE ONE THAT WAS EXPECTED"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)certs, &actualCertsString, plContext)); actualCertsAscii = PKIX_String2ASCII(actualCertsString, plContext); if (actualCertsAscii == NULL) { pkixTestErrorMsg = "PKIX_String2ASCII Failed"; goto cleanup; } PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)expectedCerts, &expectedCertsString, plContext)); expectedCertsAscii = PKIX_String2ASCII(expectedCertsString, plContext); if (expectedCertsAscii == NULL) { pkixTestErrorMsg = "PKIX_String2ASCII Failed"; goto cleanup; } (void)printf("Actual value:\t%s\n", actualCertsAscii); (void)printf("Expected value:\t%s\n", expectedCertsAscii); } } cleanup: PKIX_TEST_DECREF_AC(verifyString); PKIX_TEST_DECREF_AC(verifyTree); PKIX_PL_Free(asciiResult, NULL); PKIX_PL_Free(actualCertsAscii, plContext); PKIX_PL_Free(expectedCertsAscii, plContext); PKIX_TEST_DECREF_AC(state); PKIX_TEST_DECREF_AC(actualCertsString); PKIX_TEST_DECREF_AC(expectedCertsString); PKIX_TEST_DECREF_AC(expectedCerts); PKIX_TEST_DECREF_AC(buildResult); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(certStores); PKIX_TEST_DECREF_AC(revCheckers); PKIX_TEST_DECREF_AC(revChecker); PKIX_TEST_DECREF_AC(ldapCertStore); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_DECREF_AC(dirNameString); PKIX_TEST_DECREF_AC(certSelParams); PKIX_TEST_DECREF_AC(certSelector); PKIX_TEST_DECREF_AC(anchors); PKIX_TEST_DECREF_AC(anchor); PKIX_TEST_DECREF_AC(trustedCert); PKIX_TEST_DECREF_AC(trustedPubKey); PKIX_TEST_DECREF_AC(certs); PKIX_TEST_DECREF_AC(cert); PKIX_TEST_DECREF_AC(targetCert); PKIX_TEST_RETURN(); PKIX_Shutdown(plContext); endTests("BuildChain"); return (0); }
/* * find a module by name or module pointer and delete it off the module list. * optionally remove it from secmod.db. */ SECStatus SECMOD_DeleteModuleEx(const char *name, SECMODModule *mod, int *type, PRBool permdb) { SECMODModuleList *mlp; SECMODModuleList **mlpp; SECStatus rv = SECFailure; if (!moduleLock) { PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return rv; } *type = SECMOD_EXTERNAL; SECMOD_GetWriteLock(moduleLock); for (mlpp = &modules,mlp = modules; mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) { if ((name && (PORT_Strcmp(name,mlp->module->commonName) == 0)) || mod == mlp->module) { /* don't delete the internal module */ if (!mlp->module->internal) { SECMOD_RemoveList(mlpp,mlp); /* delete it after we release the lock */ rv = STAN_RemoveModuleFromDefaultTrustDomain(mlp->module); } else if (mlp->module->isFIPS) { *type = SECMOD_FIPS; } else { *type = SECMOD_INTERNAL; } break; } } if (mlp) { goto found; } /* not on the internal list, check the unload list */ for (mlpp = &modulesUnload,mlp = modulesUnload; mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) { if ((name && (PORT_Strcmp(name,mlp->module->commonName) == 0)) || mod == mlp->module) { /* don't delete the internal module */ if (!mlp->module->internal) { SECMOD_RemoveList(mlpp,mlp); rv = SECSuccess; } else if (mlp->module->isFIPS) { *type = SECMOD_FIPS; } else { *type = SECMOD_INTERNAL; } break; } } found: SECMOD_ReleaseWriteLock(moduleLock); if (rv == SECSuccess) { if (permdb) { SECMOD_DeletePermDB(mlp->module); } SECMOD_DestroyModuleListElement(mlp); } return rv; }
SECStatus parseRevMethodsAndFlags() { int i; uint testType = 0; for(i = 0;i < REV_METHOD_INDEX_MAX;i++) { /* testType */ if (revMethodsData[i].testTypeStr) { char *typeStr = revMethodsData[i].testTypeStr; testType = 0; if (!PORT_Strcmp(typeStr, REVCONFIG_TEST_LEAF_STR)) { testType = REVCONFIG_TEST_LEAF; } else if (!PORT_Strcmp(typeStr, REVCONFIG_TEST_CHAIN_STR)) { testType = REVCONFIG_TEST_CHAIN; } } if (!testType) { return SECFailure; } revMethodsData[i].testType = testType; /* testFlags */ if (revMethodsData[i].testFlagsStr) { char *flagStr = revMethodsData[i].testFlagsStr; uint testFlags = 0; if (PORT_Strstr(flagStr, REVCONFIG_TEST_TESTLOCALINFOFIRST_STR)) { testFlags |= CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST; } if (PORT_Strstr(flagStr, REVCONFIG_TEST_REQUIREFRESHINFO_STR)) { testFlags |= CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; } revMethodsData[i].testFlags = testFlags; } /* method type */ if (revMethodsData[i].methodTypeStr) { char *methodStr = revMethodsData[i].methodTypeStr; uint methodType = 0; if (!PORT_Strcmp(methodStr, REVCONFIG_METHOD_CRL_STR)) { methodType = REVCONFIG_METHOD_CRL; } else if (!PORT_Strcmp(methodStr, REVCONFIG_METHOD_OCSP_STR)) { methodType = REVCONFIG_METHOD_OCSP; } if (!methodType) { return SECFailure; } revMethodsData[i].methodType = methodType; } if (!revMethodsData[i].methodType) { revMethodsData[i].testType = REVCONFIG_TEST_UNDEFINED; continue; } /* method flags */ if (revMethodsData[i].methodFlagsStr) { char *flagStr = revMethodsData[i].methodFlagsStr; uint methodFlags = 0; if (!PORT_Strstr(flagStr, REVCONFIG_METHOD_DONOTUSEMETHOD_STR)) { methodFlags |= CERT_REV_M_TEST_USING_THIS_METHOD; } if (PORT_Strstr(flagStr, REVCONFIG_METHOD_FORBIDNETWORKFETCHIN_STR)) { methodFlags |= CERT_REV_M_FORBID_NETWORK_FETCHING; } if (PORT_Strstr(flagStr, REVCONFIG_METHOD_IGNOREDEFAULTSRC_STR)) { methodFlags |= CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE; } if (PORT_Strstr(flagStr, REVCONFIG_METHOD_REQUIREINFO_STR)) { methodFlags |= CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE; } if (PORT_Strstr(flagStr, REVCONFIG_METHOD_FAILIFNOINFO_STR)) { methodFlags |= CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO; } revMethodsData[i].methodFlags = methodFlags; } else { revMethodsData[i].methodFlags |= CERT_REV_M_TEST_USING_THIS_METHOD; } } return SECSuccess; }
/* * find a module by name and delete it off the module list */ SECStatus SECMOD_DeleteInternalModule(const char *name) { SECMODModuleList *mlp; SECMODModuleList **mlpp; SECStatus rv = SECFailure; if (pendingModule) { PORT_SetError(SEC_ERROR_MODULE_STUCK); return rv; } if (!moduleLock) { PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return rv; } SECMOD_GetWriteLock(moduleLock); for(mlpp = &modules,mlp = modules; mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) { if (PORT_Strcmp(name,mlp->module->commonName) == 0) { /* don't delete the internal module */ if (mlp->module->internal) { SECMOD_RemoveList(mlpp,mlp); rv = STAN_RemoveModuleFromDefaultTrustDomain(mlp->module); } break; } } SECMOD_ReleaseWriteLock(moduleLock); if (rv == SECSuccess) { SECMODModule *newModule,*oldModule; if (mlp->module->isFIPS) { newModule = SECMOD_CreateModule(NULL, SECMOD_INT_NAME, NULL, SECMOD_INT_FLAGS); } else { newModule = SECMOD_CreateModule(NULL, SECMOD_FIPS_NAME, NULL, SECMOD_FIPS_FLAGS); } if (newModule) { PK11SlotInfo *slot; newModule->libraryParams = PORT_ArenaStrdup(newModule->arena,mlp->module->libraryParams); /* if an explicit internal key slot has been set, reset it */ slot = pk11_SwapInternalKeySlot(NULL); if (slot) { secmod_SetInternalKeySlotFlag(newModule, PR_TRUE); } rv = SECMOD_AddModule(newModule); if (rv != SECSuccess) { /* load failed, restore the internal key slot */ pk11_SetInternalKeySlot(slot); SECMOD_DestroyModule(newModule); newModule = NULL; } /* free the old explicit internal key slot, we now have a new one */ if (slot) { PK11_FreeSlot(slot); } } if (newModule == NULL) { SECMODModuleList *last = NULL,*mlp2; /* we're in pretty deep trouble if this happens...Security * not going to work well... try to put the old module back on * the list */ SECMOD_GetWriteLock(moduleLock); for(mlp2 = modules; mlp2 != NULL; mlp2 = mlp->next) { last = mlp2; } if (last == NULL) { modules = mlp; } else { SECMOD_AddList(last,mlp,NULL); } SECMOD_ReleaseWriteLock(moduleLock); return SECFailure; } pendingModule = oldModule = internalModule; internalModule = NULL; SECMOD_DestroyModule(oldModule); SECMOD_DeletePermDB(mlp->module); SECMOD_DestroyModuleListElement(mlp); internalModule = newModule; /* adopt the module */ } return rv; }
int main(int argc, char **argv) { int rv, ascii; char *progName; FILE *outFile; PRFileDesc *inFile; SECItem der, data; char *typeTag; PLOptState *optstate; progName = strrchr(argv[0], '/'); progName = progName ? progName+1 : argv[0]; ascii = 0; inFile = 0; outFile = 0; typeTag = 0; optstate = PL_CreateOptState(argc, argv, "at:i:o:"); while ( PL_GetNextOpt(optstate) == PL_OPT_OK ) { switch (optstate->option) { case '?': Usage(progName); break; case 'a': ascii = 1; break; case 'i': inFile = PR_Open(optstate->value, PR_RDONLY, 0); if (!inFile) { fprintf(stderr, "%s: unable to open \"%s\" for reading\n", progName, optstate->value); return -1; } break; case 'o': outFile = fopen(optstate->value, "w"); if (!outFile) { fprintf(stderr, "%s: unable to open \"%s\" for writing\n", progName, optstate->value); return -1; } break; case 't': typeTag = strdup(optstate->value); break; } } PL_DestroyOptState(optstate); if (!typeTag) Usage(progName); if (!inFile) inFile = PR_STDIN; if (!outFile) outFile = stdout; PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); rv = NSS_NoDB_Init(NULL); if (rv != SECSuccess) { fprintf(stderr, "%s: NSS_NoDB_Init failed (%s)\n", progName, SECU_Strerror(PORT_GetError())); exit(1); } SECU_RegisterDynamicOids(); rv = SECU_ReadDERFromFile(&der, inFile, ascii, PR_FALSE); if (rv != SECSuccess) { fprintf(stderr, "%s: SECU_ReadDERFromFile failed\n", progName); exit(1); } /* Data is untyped, using the specified type */ data.data = der.data; data.len = der.len; /* Pretty print it */ if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0) { rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0, SECU_PrintCertificate); } else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_ID) == 0) { PRBool saveWrapeState = SECU_GetWrapEnabled(); SECU_EnableWrap(PR_FALSE); rv = SECU_PrintSignedContent(outFile, &data, 0, 0, SECU_PrintDumpDerIssuerAndSerial); SECU_EnableWrap(saveWrapeState); } else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_REQUEST) == 0) { rv = SECU_PrintSignedData(outFile, &data, "Certificate Request", 0, SECU_PrintCertificateRequest); } else if (PORT_Strcmp (typeTag, SEC_CT_CRL) == 0) { rv = SECU_PrintSignedData (outFile, &data, "CRL", 0, SECU_PrintCrl); #ifdef HAVE_EPV_TEMPLATE } else if (PORT_Strcmp(typeTag, SEC_CT_PRIVATE_KEY) == 0) { rv = SECU_PrintPrivateKey(outFile, &data, "Private Key", 0); #endif } else if (PORT_Strcmp(typeTag, SEC_CT_PUBLIC_KEY) == 0) { rv = SECU_PrintSubjectPublicKeyInfo(outFile, &data, "Public Key", 0); } else if (PORT_Strcmp(typeTag, SEC_CT_PKCS7) == 0) { rv = SECU_PrintPKCS7ContentInfo(outFile, &data, "PKCS #7 Content Info", 0); } else if (PORT_Strcmp(typeTag, SEC_CT_NAME) == 0) { rv = SECU_PrintDERName(outFile, &data, "Name", 0); } else { fprintf(stderr, "%s: don't know how to print out '%s' files\n", progName, typeTag); SECU_PrintAny(outFile, &data, "File contains", 0); return -1; } if (inFile != PR_STDIN) PR_Close(inFile); PORT_Free(der.data); if (rv) { fprintf(stderr, "%s: problem converting data (%s)\n", progName, SECU_Strerror(PORT_GetError())); } if (NSS_Shutdown() != SECSuccess) { fprintf(stderr, "%s: NSS_Shutdown failed (%s)\n", progName, SECU_Strerror(PORT_GetError())); rv = SECFailure; } PR_Cleanup(); return rv; }
/* * read an old style ascii or binary certificate chain */ SECStatus CERT_DecodeCertPackage(char *certbuf, int certlen, CERTImportCertificateFunc f, void *arg) { unsigned char *cp; unsigned char *bincert = NULL; char * ascCert = NULL; SECStatus rv; if ( certbuf == NULL ) { return(SECFailure); } cp = (unsigned char *)certbuf; /* is a DER encoded certificate of some type? */ if ( ( *cp & 0x1f ) == SEC_ASN1_SEQUENCE ) { SECItem certitem; SECItem *pcertitem = &certitem; int seqLen, seqLenLen; cp++; if ( *cp & 0x80) { /* Multibyte length */ seqLenLen = cp[0] & 0x7f; switch (seqLenLen) { case 4: seqLen = ((unsigned long)cp[1]<<24) | ((unsigned long)cp[2]<<16) | (cp[3]<<8) | cp[4]; break; case 3: seqLen = ((unsigned long)cp[1]<<16) | (cp[2]<<8) | cp[3]; break; case 2: seqLen = (cp[1]<<8) | cp[2]; break; case 1: seqLen = cp[1]; break; default: /* indefinite length */ seqLen = 0; } cp += ( seqLenLen + 1 ); } else { seqLenLen = 0; seqLen = *cp; cp++; } /* check entire length if definite length */ if ( seqLen || seqLenLen ) { if ( certlen != ( seqLen + seqLenLen + 2 ) ) { if (certlen > ( seqLen + seqLenLen + 2 )) PORT_SetError(SEC_ERROR_EXTRA_INPUT); else PORT_SetError(SEC_ERROR_INPUT_LEN); goto notder; } } /* check the type string */ /* netscape wrapped DER cert */ if ( ( cp[0] == SEC_ASN1_OCTET_STRING ) && ( cp[1] == CERTIFICATE_TYPE_LEN ) && ( PORT_Strcmp((char *)&cp[2], CERTIFICATE_TYPE_STRING) ) ) { cp += ( CERTIFICATE_TYPE_LEN + 2 ); /* it had better be a certificate by now!! */ certitem.data = cp; certitem.len = certlen - ( cp - (unsigned char *)certbuf ); rv = (* f)(arg, &pcertitem, 1); return(rv); } else if ( cp[0] == SEC_ASN1_OBJECT_ID ) { SECOidData *oiddata; SECItem oiditem; /* XXX - assume DER encoding of OID len!! */ oiditem.len = cp[1]; oiditem.data = (unsigned char *)&cp[2]; oiddata = SECOID_FindOID(&oiditem); if ( oiddata == NULL ) { return(SECFailure); } certitem.data = (unsigned char*)certbuf; certitem.len = certlen; switch ( oiddata->offset ) { case SEC_OID_PKCS7_SIGNED_DATA: return(SEC_ReadPKCS7Certs(&certitem, f, arg)); break; case SEC_OID_NS_TYPE_CERT_SEQUENCE: return(SEC_ReadCertSequence(&certitem, f, arg)); break; default: break; } } else { /* it had better be a certificate by now!! */ certitem.data = (unsigned char*)certbuf; certitem.len = certlen; rv = (* f)(arg, &pcertitem, 1); return(rv); } } /* now look for a netscape base64 ascii encoded cert */ notder: { unsigned char *certbegin = NULL; unsigned char *certend = NULL; char *pc; int cl; /* Convert the ASCII data into a nul-terminated string */ ascCert = (char *)PORT_Alloc(certlen + 1); if (!ascCert) { rv = SECFailure; goto loser; } PORT_Memcpy(ascCert, certbuf, certlen); ascCert[certlen] = '\0'; pc = PORT_Strchr(ascCert, '\n'); /* find an EOL */ if (!pc) { /* maybe this is a MAC file */ pc = ascCert; while (*pc && NULL != (pc = PORT_Strchr(pc, '\r'))) { *pc++ = '\n'; } } cp = (unsigned char *)ascCert; cl = certlen; /* find the beginning marker */ while ( cl > NS_CERT_HEADER_LEN ) { if ( !PORT_Strncasecmp((char *)cp, NS_CERT_HEADER, NS_CERT_HEADER_LEN) ) { cl -= NS_CERT_HEADER_LEN; cp += NS_CERT_HEADER_LEN; certbegin = cp; break; } /* skip to next eol */ do { cp++; cl--; } while ( ( *cp != '\n') && cl ); /* skip all blank lines */ while ( ( *cp == '\n') && cl ) { cp++; cl--; } } if ( certbegin ) { /* find the ending marker */ while ( cl > NS_CERT_TRAILER_LEN ) { if ( !PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER, NS_CERT_TRAILER_LEN) ) { certend = (unsigned char *)cp; break; } /* skip to next eol */ do { cp++; cl--; } while ( ( *cp != '\n') && cl ); /* skip all blank lines */ while ( ( *cp == '\n') && cl ) { cp++; cl--; } } } if ( certbegin && certend ) { unsigned int binLen; *certend = 0; /* convert to binary */ bincert = ATOB_AsciiToData(certbegin, &binLen); if (!bincert) { rv = SECFailure; goto loser; } /* now recurse to decode the binary */ rv = CERT_DecodeCertPackage((char *)bincert, binLen, f, arg); } else { rv = SECFailure; } } loser: if ( bincert ) { PORT_Free(bincert); } if ( ascCert ) { PORT_Free(ascCert); } return(rv); }