sslSessionID *
ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID,
const char * urlSvrName)
{
sslSessionID **sidp;
sslSessionID * sid;
PRUint32 now;
if (!urlSvrName)
return NULL;
now = ssl_Time();
LOCK_CACHE;
sidp = &cache;
while ((sid = *sidp) != 0) {
PORT_Assert(sid->cached == in_client_cache);
PORT_Assert(sid->references >= 1);
SSL_TRC(8, ("SSL: Lookup1: sid=0x%x", sid));
if (sid->expirationTime < now || !sid->references) {
/*
** This session-id timed out, or was orphaned.
** Don't even care who it belongs to, blow it out of our cache.
*/
SSL_TRC(7, ("SSL: lookup1, throwing sid out, age=%d refs=%d",
now - sid->creationTime, sid->references));
*sidp = sid->next; /* delink it from the list. */
sid->cached = invalid_cache; /* mark not on list. */
if (!sid->references)
ssl_DestroySID(sid);
else
ssl_FreeLockedSID(sid); /* drop ref count, free. */
} else if (!memcmp(&sid->addr, addr, sizeof(PRIPv6Addr)) && /* server IP addr matches */
(sid->port == port) && /* server port matches */
/* proxy (peerID) matches */
(((peerID == NULL) && (sid->peerID == NULL)) ||
((peerID != NULL) && (sid->peerID != NULL) &&
PORT_Strcmp(sid->peerID, peerID) == 0)) &&
/* is cacheable */
(sid->version < SSL_LIBRARY_VERSION_3_0 ||
sid->u.ssl3.keys.resumable) &&
/* server hostname matches. */
(sid->urlSvrName != NULL) &&
((0 == PORT_Strcmp(urlSvrName, sid->urlSvrName)) ||
((sid->peerCert != NULL) && (SECSuccess ==
CERT_VerifyCertName(sid->peerCert, urlSvrName))) )
) {
/* Hit */
sid->lastAccessTime = now;
sid->references++;
break;
} else {
sidp = &sid->next;
}
}
UNLOCK_CACHE;
return sid;
}
/*
* find a module by name, and add a reference to it.
* return that module.
*/
SECMODModule *
SECMOD_FindModule(const char *name)
{
SECMODModuleList *mlp;
SECMODModule *module = NULL;
if (!moduleLock) {
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
return module;
}
SECMOD_GetReadLock(moduleLock);
for(mlp = modules; mlp != NULL; mlp = mlp->next) {
if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
module = mlp->module;
SECMOD_ReferenceModule(module);
break;
}
}
if (module) {
goto found;
}
for(mlp = modulesUnload; mlp != NULL; mlp = mlp->next) {
if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
module = mlp->module;
SECMOD_ReferenceModule(module);
break;
}
}
found:
SECMOD_ReleaseReadLock(moduleLock);
return module;
}
PRBool
CERT_MatchNickname(char *name1, char *name2) {
char *nickname1= NULL;
char *nickname2 = NULL;
char *token1;
char *token2;
/* first deal with the straight comparison */
if (PORT_Strcmp(name1, name2) == 0) {
return PR_TRUE;
}
/* we need to handle the case where one name has an explicit token and the other
* doesn't */
token1 = PORT_Strchr(name1,':');
token2 = PORT_Strchr(name2,':');
if ((token1 && token2) || (!token1 && !token2)) {
/* either both token names are specified or neither are, not match */
return PR_FALSE;
}
if (token1) {
nickname1=token1;
nickname2=name2;
} else {
nickname1=token2;
nickname2=name1;
}
nickname1++;
if (PORT_Strcmp(nickname1,nickname2) != 0) {
return PR_FALSE;
}
/* Bug 1192443 - compare the other token with the internal slot here */
return PR_TRUE;
}
PK11SlotInfo *
SECMOD_FindSlot(SECMODModule *module,const char *name)
{
int i;
char *string;
PK11SlotInfo *retSlot = NULL;
if (!moduleLock) {
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
return retSlot;
}
SECMOD_GetReadLock(moduleLock);
for (i=0; i < module->slotCount; i++) {
PK11SlotInfo *slot = module->slots[i];
if (PK11_IsPresent(slot)) {
string = PK11_GetTokenName(slot);
} else {
string = PK11_GetSlotName(slot);
}
if (PORT_Strcmp(name,string) == 0) {
retSlot = PK11_ReferenceSlot(slot);
break;
}
}
SECMOD_ReleaseReadLock(moduleLock);
if (retSlot == NULL) {
PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED);
}
return retSlot;
}
JAR_Signer *
jar_get_signer(JAR *jar, char *basename)
{
JAR_Item *it;
JAR_Context *ctx = JAR_find(jar, NULL, jarTypeOwner);
JAR_Signer *candidate;
JAR_Signer *signer = NULL;
if (ctx == NULL)
return NULL;
while (JAR_find_next(ctx, &it) >= 0) {
candidate = (JAR_Signer *)it->data;
if (*basename == '*' || !PORT_Strcmp(candidate->owner, basename)) {
signer = candidate;
break;
}
}
JAR_find_end(ctx);
return signer;
}
/*
* FUNCTION: pkix_pl_UInt32_Overflows
* DESCRIPTION:
*
* Returns a PKIX_Boolean indicating whether the unsigned integer
* represented by "string" is too large to fit in 32-bits (i.e.
* whether it overflows). With the exception of the string "0",
* all other strings are stripped of any leading zeros. It is assumed
* that every character in "string" is from the set {'0' - '9'}.
*
* PARAMETERS
* "string"
* Address of array of bytes representing PKIX_UInt32 that's being tested
* for 32-bit overflow
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* PKIX_TRUE if PKIX_UInt32 represented by "string" overflows;
* PKIX_FALSE otherwise
*/
PKIX_Boolean
pkix_pl_UInt32_Overflows(char *string){
char *firstNonZero = NULL;
PKIX_UInt32 length, i;
char *MAX_UINT32_STRING = "4294967295";
PKIX_DEBUG_ENTER(OID);
PKIX_OID_DEBUG("\tCalling PL_strlen).\n");
length = PL_strlen(string);
if (length < MAX_DIGITS_32){
return (PKIX_FALSE);
}
firstNonZero = string;
for (i = 0; i < length; i++){
if (*string == '0'){
firstNonZero++;
}
}
PKIX_OID_DEBUG("\tCalling PL_strlen).\n");
length = PL_strlen(firstNonZero);
if (length > MAX_DIGITS_32){
return (PKIX_TRUE);
}
PKIX_OID_DEBUG("\tCalling PL_strlen).\n");
if (length == MAX_DIGITS_32){
PKIX_OID_DEBUG("\tCalling PORT_Strcmp).\n");
if (PORT_Strcmp(firstNonZero, MAX_UINT32_STRING) > 0){
return (PKIX_TRUE);
}
}
return (PKIX_FALSE);
}
int test_ekuchecker(int argc, char *argv[]) {
PKIX_List *chain = NULL;
PKIX_ValidateParams *valParams = NULL;
PKIX_ValidateResult *valResult = NULL;
PKIX_UInt32 actualMinorVersion;
char *certNames[PKIX_TEST_MAX_CERTS];
char *dirName = NULL;
PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
PKIX_UInt32 chainLength = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
PKIX_Boolean testValid = PKIX_FALSE;
PKIX_Boolean only4EE = PKIX_FALSE;
PKIX_TEST_STD_VARS();
if (argc < 5) {
printUsage1(argv[0]);
return (0);
}
startTests("EKU Checker");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage1(argv[0]);
return (0);
}
dirName = argv[4+j];
chainLength = (argc - j) - 6;
if (chainLength > PKIX_TEST_MAX_CERTS) {
printUsageMax(chainLength);
}
for (i = 0; i < chainLength; i++) {
certNames[i] = argv[6+i+j];
certs[i] = NULL;
}
subTest(argv[1+j]);
subTest("Extended-Key-Usage-Checker");
subTest("Extended-Key-Usage-Checker - Create Cert Chain");
chain = createCertChainPlus
(dirName, certNames, certs, chainLength, plContext);
subTest("Extended-Key-Usage-Checker - Create Params");
valParams = createValidateParams
(dirName,
argv[5+j],
NULL,
NULL,
NULL,
PKIX_FALSE,
PKIX_FALSE,
PKIX_FALSE,
PKIX_FALSE,
chain,
plContext);
subTest("Default CertStore");
testEkuSetup(valParams, argv[3+j], &only4EE);
testEkuChecker(valParams, only4EE);
subTest("Extended-Key-Usage-Checker - Validate Chain");
if (testValid == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
(valParams, &valResult, NULL, plContext));
} else {
PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
(valParams, &valResult, NULL, plContext));
}
cleanup:
PKIX_TEST_DECREF_AC(chain);
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_DECREF_AC(valResult);
PKIX_Shutdown(plContext);
PKIX_TEST_RETURN();
endTests("EKU Checker");
return (0);
}
int test_defaultcrlchecker2stores(int argc, char *argv[]){
PKIX_List *chain = NULL;
PKIX_ValidateParams *valParams = NULL;
PKIX_ValidateResult *valResult = NULL;
PKIX_UInt32 actualMinorVersion;
char *certNames[PKIX_TEST_MAX_CERTS];
PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
PKIX_VerifyNode *verifyTree = NULL;
PKIX_PL_String *verifyString = NULL;
PKIX_UInt32 chainLength = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
PKIX_Boolean testValid = PKIX_TRUE;
char *dirName = NULL;
char *anchorName = NULL;
PKIX_TEST_STD_VARS();
if (argc < 6) {
printUsage1(argv[0]);
return (0);
}
startTests("CRL Checker");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage1(argv[0]);
return (0);
}
chainLength = (argc - j) - 7;
if (chainLength > PKIX_TEST_MAX_CERTS) {
printUsageMax(chainLength);
}
for (i = 0; i < chainLength; i++) {
certNames[i] = argv[(7+j)+i];
certs[i] = NULL;
}
subTest(argv[1+j]);
subTest("Default-CRL-Checker");
subTest("Default-CRL-Checker - Create Cert Chain");
dirName = argv[3+j];
chain = createCertChainPlus
(dirName, certNames, certs, chainLength, plContext);
subTest("Default-CRL-Checker - Create Params");
anchorName = argv[6+j];
valParams = createValidateParams
(dirName,
anchorName,
NULL,
NULL,
NULL,
PKIX_FALSE,
PKIX_FALSE,
PKIX_FALSE,
PKIX_FALSE,
chain,
plContext);
subTest("Multiple-CertStores");
testDefaultMultipleCertStores(valParams, argv[4+j], argv[5+j]);
subTest("Default-CRL-Checker - Validate Chain");
if (testValid == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
(valParams, &valResult, &verifyTree, plContext));
} else {
PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
(valParams, &valResult, &verifyTree, plContext));
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
(void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
cleanup:
PKIX_TEST_DECREF_AC(verifyString);
PKIX_TEST_DECREF_AC(verifyTree);
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_DECREF_AC(valResult);
PKIX_TEST_DECREF_AC(chain);
PKIX_Shutdown(plContext);
PKIX_TEST_RETURN();
endTests("CRL Checker");
return (0);
}
int
test_buildchain_resourcelimits(int argc, char *argv[])
{
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_TrustAnchor *anchor = NULL;
PKIX_List *anchors = NULL;
PKIX_ProcessingParams *procParams = NULL;
PKIX_CertChainChecker *checker = NULL;
PKIX_ResourceLimits *resourceLimits = NULL;
char *dirName = NULL;
PKIX_PL_String *dirNameString = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_PL_Cert *targetCert = NULL;
PKIX_PL_Cert *dirCert = NULL;
PKIX_UInt32 actualMinorVersion = 0;
PKIX_UInt32 j = 0;
PKIX_UInt32 k = 0;
PKIX_CertStore *ldapCertStore = NULL;
PRIntervalTime timeout = 0; /* 0 for non-blocking */
PKIX_CertStore *certStore = NULL;
PKIX_List *certStores = NULL;
PKIX_List *expectedCerts = NULL;
PKIX_Boolean testValid = PKIX_FALSE;
PKIX_Boolean usebind = PKIX_FALSE;
PKIX_Boolean useLDAP = PKIX_FALSE;
PKIX_TEST_STD_VARS();
if (argc < 5) {
printUsage();
return (0);
}
startTests("BuildChain_ResourceLimits");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/*
* arguments:
* [optional] -arenas
* [optional] usebind
* servername or servername:port ( - for no server)
* testname
* EE or ENE
* cert directory
* target cert (end entity)
* intermediate certs
* trust anchor
*/
/* optional argument "usebind" for Ldap CertStore */
if (argv[j + 1]) {
if (PORT_Strcmp(argv[j + 1], "usebind") == 0) {
usebind = PKIX_TRUE;
j++;
}
}
if (PORT_Strcmp(argv[++j], "-") == 0) {
useLDAP = PKIX_FALSE;
} else {
serverName = argv[j];
}
subTest(argv[++j]);
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[++j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage();
return (0);
}
dirName = argv[++j];
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
for (k = ++j; k < argc; k++) {
dirCert = createCert(dirName, argv[k], plContext);
if (k == (argc - 1)) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
trustedCert = dirCert;
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts,
(PKIX_PL_Object *)dirCert,
plContext));
if (k == j) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
targetCert = dirCert;
}
}
PKIX_TEST_DECREF_BC(dirCert);
}
/* create processing params with list of trust anchors */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));
/* create CertSelector with target certificate in params */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));
/* create CertStores */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII,
dirName,
0,
&dirNameString,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext));
#if 0
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
(&certStore, plContext));
#endif
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
if (useLDAP == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore(serverName, timeout, &ldapCertStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores,
(PKIX_PL_Object *)ldapCertStore,
plContext));
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext));
/* set resource limits */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create(&resourceLimits, plContext));
/* need longer time when running dbx for memory leak checking */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime(resourceLimits, 60, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 2, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 2, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetResourceLimits(procParams, resourceLimits, plContext));
/* build cert chain using processing params and return buildResult */
subTest("Testing ResourceLimits MaxFanout & MaxDepth - <pass>");
Test_BuildResult(procParams,
testValid,
expectedCerts,
plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 1, plContext));
subTest("Testing ResourceLimits MaxFanout - <fail>");
Test_BuildResult(procParams,
PKIX_FALSE,
expectedCerts,
plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 2, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 1, plContext));
subTest("Testing ResourceLimits MaxDepth - <fail>");
Test_BuildResult(procParams,
PKIX_FALSE,
expectedCerts,
plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 0, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 0, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime(resourceLimits, 0, plContext));
subTest("Testing ResourceLimits No checking - <pass>");
Test_BuildResult(procParams,
testValid,
expectedCerts,
plContext);
cleanup:
PKIX_TEST_DECREF_AC(expectedCerts);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(certStores);
PKIX_TEST_DECREF_AC(certStore);
PKIX_TEST_DECREF_AC(ldapCertStore);
PKIX_TEST_DECREF_AC(dirNameString);
PKIX_TEST_DECREF_AC(trustedCert);
PKIX_TEST_DECREF_AC(targetCert);
PKIX_TEST_DECREF_AC(anchors);
PKIX_TEST_DECREF_AC(anchor);
PKIX_TEST_DECREF_AC(certSelParams);
PKIX_TEST_DECREF_AC(certSelector);
PKIX_TEST_DECREF_AC(checker);
PKIX_TEST_DECREF_AC(resourceLimits);
PKIX_TEST_RETURN();
PKIX_Shutdown(plContext);
endTests("BuildChain_UserChecker");
return (0);
}
static SECStatus
getTestArguments(int argc,
char **argv,
mainTestFn *ptestFn,
char **pdbPath,
int *pargc,
char ***pargv)
{
PLOptState *optstate = NULL;
PLOptStatus status;
mainTestFn testFunction = NULL;
char **wArgv = NULL;
char *dbPath = NULL;
char *fnName = NULL;
int wArgc = 0;
int fnCounter = 0;
if (argc < 2) {
printf("ERROR: insufficient number of arguments: %s.\n", fnName);
return SECFailure;
}
fnName = argv[1];
while (testFnRefTable[fnCounter].fnName != NULL) {
if (!PORT_Strcmp(fnName, testFnRefTable[fnCounter].fnName)) {
testFunction = testFnRefTable[fnCounter].fnPointer;
break;
}
fnCounter += 1;
}
if (!testFunction) {
printf("ERROR: unknown name of the test: %s.\n", fnName);
return SECFailure;
}
wArgv = PORT_ZNewArray(char*, argc);
if (!wArgv) {
return SECFailure;
}
/* set name of the function as a first arg and increment arg count. */
wArgv[0] = fnName;
wArgc += 1;
optstate = PL_CreateOptState(argc - 1, argv + 1, "d:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case 'd':
dbPath = (char*)optstate->value;
break;
default:
wArgv[wArgc] = (char*)optstate->value;
wArgc += 1;
break;
}
}
PL_DestroyOptState(optstate);
*ptestFn = testFunction;
*pdbPath = dbPath;
*pargc = wArgc;
*pargv = wArgv;
return SECSuccess;
}
static PRStatus
CollectNicknames( NSSCertificate *c, void *data)
{
CERTCertNicknames *names;
PRBool saveit = PR_FALSE;
stringNode *node;
int len;
#ifdef notdef
NSSTrustDomain *td;
NSSTrust *trust;
#endif
char *stanNickname;
char *nickname = NULL;
names = (CERTCertNicknames *)data;
stanNickname = nssCertificate_GetNickname(c,NULL);
if ( stanNickname ) {
nss_ZFreeIf(stanNickname);
stanNickname = NULL;
if (names->what == SEC_CERT_NICKNAMES_USER) {
saveit = NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL);
}
#ifdef notdef
else {
td = NSSCertificate_GetTrustDomain(c);
if (!td) {
return PR_SUCCESS;
}
trust = nssTrustDomain_FindTrustForCertificate(td,c);
switch(names->what) {
case SEC_CERT_NICKNAMES_ALL:
if ((trust->sslFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
(trust->emailFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
(trust->objectSigningFlags &
(CERTDB_VALID_CA|CERTDB_VALID_PEER))) {
saveit = PR_TRUE;
}
break;
case SEC_CERT_NICKNAMES_SERVER:
if ( trust->sslFlags & CERTDB_VALID_PEER ) {
saveit = PR_TRUE;
}
break;
case SEC_CERT_NICKNAMES_CA:
if (((trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA)||
((trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA) ||
((trust->objectSigningFlags & CERTDB_VALID_CA )
== CERTDB_VALID_CA)) {
saveit = PR_TRUE;
}
break;
}
}
#endif
}
/* traverse the list of collected nicknames and make sure we don't make
* a duplicate
*/
if ( saveit ) {
nickname = STAN_GetCERTCertificateName(NULL, c);
/* nickname can only be NULL here if we are having memory
* alloc problems */
if (nickname == NULL) {
return PR_FAILURE;
}
node = (stringNode *)names->head;
while ( node != NULL ) {
if ( PORT_Strcmp(nickname, node->string) == 0 ) {
/* if the string matches, then don't save this one */
saveit = PR_FALSE;
break;
}
node = node->next;
}
}
if ( saveit ) {
/* allocate the node */
node = (stringNode*)PORT_ArenaAlloc(names->arena, sizeof(stringNode));
if ( node == NULL ) {
PORT_Free(nickname);
return PR_FAILURE;
}
/* copy the string */
len = PORT_Strlen(nickname) + 1;
node->string = (char*)PORT_ArenaAlloc(names->arena, len);
if ( node->string == NULL ) {
PORT_Free(nickname);
return PR_FAILURE;
}
PORT_Memcpy(node->string, nickname, len);
/* link it into the list */
node->next = (stringNode *)names->head;
names->head = (void *)node;
/* bump the count */
names->numnicknames++;
}
if (nickname) PORT_Free(nickname);
return(PR_SUCCESS);
}
int JAR_find_next (JAR_Context *ctx, JAR_Item **it)
{
JAR *jar;
ZZList *list = NULL;
int finding;
JAR_Signer *signer = NULL;
PORT_Assert( ctx != NULL );
PORT_Assert( ctx->jar != NULL );
jar = ctx->jar;
/* Internally, convert jarTypeSign to jarTypeSF, and return
the actual attached certificate later */
finding = (ctx->finding == jarTypeSign) ? jarTypeSF : ctx->finding;
if (ctx->nextsign) {
if (ZZ_ListIterDone (jar->signers, ctx->nextsign)) {
*it = NULL;
return -1;
}
PORT_Assert (ctx->nextsign->thing != NULL);
signer = (JAR_Signer*)ctx->nextsign->thing->data;
}
/* Find out which linked list to traverse. Then if
necessary, advance to the next linked list. */
while (1) {
switch (finding) {
case jarTypeSign: /* not any more */
PORT_Assert( finding != jarTypeSign );
list = signer->certs;
break;
case jarTypeSect:
list = jar->manifest;
break;
case jarTypePhy:
list = jar->phy;
break;
case jarTypeSF: /* signer, not jar */
PORT_Assert( signer != NULL );
list = signer->sf;
break;
case jarTypeMF:
list = jar->hashes;
break;
case jarTypeOwner:
list = jar->signers;
break;
case jarTypeMeta:
list = jar->metainfo;
break;
default:
PORT_Assert( 1 != 2 );
break;
}
if (list == NULL) {
*it = NULL;
return -1;
}
/* When looping over lists of lists, advance to the next signer.
This is done when multiple signers are possible. */
if (ZZ_ListIterDone (list, ctx->next)) {
if (ctx->nextsign && jar->signers) {
ctx->nextsign = ctx->nextsign->next;
if (!ZZ_ListIterDone (jar->signers, ctx->nextsign)) {
PORT_Assert (ctx->nextsign->thing != NULL);
signer = (JAR_Signer*)ctx->nextsign->thing->data;
PORT_Assert( signer != NULL );
ctx->next = NULL;
continue;
}
}
*it = NULL;
return -1;
}
/* if the signer changed, still need to fill in the "next" link */
if (ctx->nextsign && ctx->next == NULL) {
switch (finding) {
case jarTypeSF:
ctx->next = ZZ_ListHead (signer->sf);
break;
case jarTypeSign:
ctx->next = ZZ_ListHead (signer->certs);
break;
}
}
PORT_Assert( ctx->next != NULL );
while (!ZZ_ListIterDone (list, ctx->next)) {
*it = ctx->next->thing;
ctx->next = ctx->next->next;
if (!*it || (*it)->type != finding)
continue;
if (ctx->pattern && *ctx->pattern) {
if (PORT_Strcmp ((*it)->pathname, ctx->pattern))
continue;
}
/* We have a valid match. If this is a jarTypeSign
return the certificate instead.. */
if (ctx->finding == jarTypeSign) {
JAR_Item *itt;
/* just the first one for now */
if (jar_find_first_cert (signer, jarTypeSign, &itt) >= 0) {
*it = itt;
return 0;
}
continue;
}
return 0;
}
} /* end while */
}
int test_buildchain_uchecker(int argc, char *argv[])
{
PKIX_BuildResult *buildResult = NULL;
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_TrustAnchor *anchor = NULL;
PKIX_List *anchors = NULL;
PKIX_List *certs = NULL;
PKIX_PL_Cert *cert = NULL;
PKIX_ProcessingParams *procParams = NULL;
PKIX_CertChainChecker *checker = NULL;
char *dirName = NULL;
PKIX_PL_String *dirNameString = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_PL_Cert *targetCert = NULL;
PKIX_UInt32 numCerts = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
PKIX_UInt32 k = 0;
PKIX_UInt32 chainLength = 0;
PKIX_CertStore *certStore = NULL;
PKIX_List *certStores = NULL;
char * asciiResult = NULL;
PKIX_Boolean result;
PKIX_Boolean testValid = PKIX_TRUE;
PKIX_Boolean supportForward = PKIX_FALSE;
PKIX_List *expectedCerts = NULL;
PKIX_List *userOIDs = NULL;
PKIX_PL_OID *oid = NULL;
PKIX_PL_Cert *dirCert = NULL;
PKIX_PL_String *actualCertsString = NULL;
PKIX_PL_String *expectedCertsString = NULL;
char *actualCertsAscii = NULL;
char *expectedCertsAscii = NULL;
char *oidString = NULL;
void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */
void *nbioContext = NULL; /* needed by pkix_build for non-blocking I/O */
PKIX_TEST_STD_VARS();
if (argc < 5){
printUsage();
return (0);
}
startTests("BuildChain_UserChecker");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage();
return (0);
}
/* OID specified at argv[3+j] */
if (*argv[3+j] != '-') {
if (*argv[3+j] == 'F') {
supportForward = PKIX_TRUE;
oidString = argv[3+j]+1;
} else {
oidString = argv[3+j];
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
(&userOIDs, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(oidString, &oid, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(userOIDs, (PKIX_PL_Object *)oid, plContext));
PKIX_TEST_DECREF_BC(oid);
}
subTest(argv[1+j]);
dirName = argv[4+j];
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
chainLength = argc - j - 5;
for (k = 0; k < chainLength; k++){
dirCert = createCert(dirName, argv[5+k+j], plContext);
if (k == (chainLength - 1)){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_IncRef
((PKIX_PL_Object *)dirCert, plContext));
trustedCert = dirCert;
} else {
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(expectedCerts,
(PKIX_PL_Object *)dirCert,
plContext));
if (k == 0){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_IncRef
((PKIX_PL_Object *)dirCert,
plContext));
targetCert = dirCert;
}
}
PKIX_TEST_DECREF_BC(dirCert);
}
/* create processing params with list of trust anchors */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
(trustedCert, &anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(anchors, (PKIX_PL_Object *)anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
(anchors, &procParams, plContext));
/* create CertSelector with target certificate in params */
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_ComCertSelParams_SetCertificate
(certSelParams, targetCert, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_CertSelector_Create
(NULL, NULL, &certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
(certSelector, certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_ProcessingParams_SetTargetCertConstraints
(procParams, certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
(testUserChecker,
supportForward,
PKIX_FALSE,
userOIDs,
NULL,
&checker,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertChainChecker
(procParams, checker, plContext));
/* create CertStores */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
(PKIX_ESCASCII,
dirName,
0,
&dirNameString,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
(dirNameString, &certStore, plContext));
#if 0
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
(&certStore, plContext));
#endif
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(certStores, (PKIX_PL_Object *)certStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
(procParams, certStores, plContext));
/* build cert chain using processing params and return buildResult */
pkixTestErrorResult = PKIX_BuildChain
(procParams,
&nbioContext,
&buildState,
&buildResult,
NULL,
plContext);
if (testValid == PKIX_TRUE) { /* ENE */
if (pkixTestErrorResult){
(void) printf("UNEXPECTED RESULT RECEIVED!\n");
} else {
(void) printf("EXPECTED RESULT RECEIVED!\n");
PKIX_TEST_DECREF_BC(pkixTestErrorResult);
}
} else { /* EE */
if (pkixTestErrorResult){
(void) printf("EXPECTED RESULT RECEIVED!\n");
PKIX_TEST_DECREF_BC(pkixTestErrorResult);
} else {
testError("UNEXPECTED RESULT RECEIVED");
}
}
if (buildResult){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_BuildResult_GetCertChain
(buildResult, &certs, NULL));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_GetLength(certs, &numCerts, plContext));
printf("\n");
for (i = 0; i < numCerts; i++){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_GetItem
(certs,
i,
(PKIX_PL_Object**)&cert,
plContext));
asciiResult = PKIX_Cert2ASCII(cert);
printf("CERT[%d]:\n%s\n", i, asciiResult);
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Free(asciiResult, plContext));
asciiResult = NULL;
PKIX_TEST_DECREF_BC(cert);
}
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_Equals
((PKIX_PL_Object*)certs,
(PKIX_PL_Object*)expectedCerts,
&result,
plContext));
if (!result){
testError("BUILT CERTCHAIN IS "
"NOT THE ONE THAT WAS EXPECTED");
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_ToString
((PKIX_PL_Object *)certs,
&actualCertsString,
plContext));
actualCertsAscii = PKIX_String2ASCII
(actualCertsString, plContext);
if (actualCertsAscii == NULL){
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_ToString
((PKIX_PL_Object *)expectedCerts,
&expectedCertsString,
plContext));
expectedCertsAscii = PKIX_String2ASCII
(expectedCertsString, plContext);
if (expectedCertsAscii == NULL){
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
(void) printf("Actual value:\t%s\n", actualCertsAscii);
(void) printf("Expected value:\t%s\n",
expectedCertsAscii);
if (chainLength - 1 != numUserCheckerCalled) {
pkixTestErrorMsg =
"PKIX user defined checker not called";
}
goto cleanup;
}
}
cleanup:
PKIX_PL_Free(asciiResult, plContext);
PKIX_PL_Free(actualCertsAscii, plContext);
PKIX_PL_Free(expectedCertsAscii, plContext);
PKIX_TEST_DECREF_AC(actualCertsString);
PKIX_TEST_DECREF_AC(expectedCertsString);
PKIX_TEST_DECREF_AC(expectedCerts);
PKIX_TEST_DECREF_AC(certs);
PKIX_TEST_DECREF_AC(cert);
PKIX_TEST_DECREF_AC(certStore);
PKIX_TEST_DECREF_AC(certStores);
PKIX_TEST_DECREF_AC(dirNameString);
PKIX_TEST_DECREF_AC(trustedCert);
PKIX_TEST_DECREF_AC(targetCert);
PKIX_TEST_DECREF_AC(anchor);
PKIX_TEST_DECREF_AC(anchors);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(certSelParams);
PKIX_TEST_DECREF_AC(certSelector);
PKIX_TEST_DECREF_AC(buildResult);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(userOIDs);
PKIX_TEST_DECREF_AC(checker);
PKIX_TEST_RETURN();
PKIX_Shutdown(plContext);
endTests("BuildChain_UserChecker");
return (0);
}
int test_validatechain_NB(int argc, char *argv[]){
PKIX_ValidateParams *valParams = NULL;
PKIX_ValidateResult *valResult = NULL;
PKIX_UInt32 actualMinorVersion;
PKIX_UInt32 j = 0;
PKIX_UInt32 k = 0;
PKIX_UInt32 chainLength = 0;
PKIX_Boolean testValid = PKIX_TRUE;
PKIX_List *chainCerts = NULL;
PKIX_PL_Cert *dirCert = NULL;
char *dirCertName = NULL;
char *anchorCertName = NULL;
char *dirName = NULL;
PKIX_UInt32 certIndex = 0;
PKIX_UInt32 anchorIndex = 0;
PKIX_UInt32 checkerIndex = 0;
PKIX_Boolean revChecking = PKIX_FALSE;
PKIX_List *checkers = NULL;
PRPollDesc *pollDesc = NULL;
PRErrorCode errorCode = 0;
PKIX_PL_Socket *socket = NULL;
char *ldapName = NULL;
PKIX_VerifyNode *verifyTree = NULL;
PKIX_PL_String *verifyString = NULL;
PKIX_List *loggers = NULL;
PKIX_Logger *logger = NULL;
char *logging = NULL;
PKIX_PL_String *component = NULL;
PKIX_TEST_STD_VARS();
if (argc < 5) {
printUsage();
return (0);
}
startTests("ValidateChain_NB");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage();
return (0);
}
subTest(argv[1+j]);
dirName = argv[3+j];
chainLength = argc - j - 5;
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext));
for (k = 0; k < chainLength; k++){
dirCert = createCert(dirName, argv[5+k+j], plContext);
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(chainCerts, (PKIX_PL_Object *)dirCert, plContext));
PKIX_TEST_DECREF_BC(dirCert);
}
valParams = createValidateParams
(dirName,
argv[4+j],
NULL,
NULL,
NULL,
PKIX_FALSE,
PKIX_FALSE,
PKIX_FALSE,
PKIX_FALSE,
chainCerts,
plContext);
ldapName = PR_GetEnv("LDAP");
/* Is LDAP set in the environment? */
if ((ldapName == NULL) || (*ldapName == '\0')) {
testError("LDAP not set in environment");
goto cleanup;
}
pkixTestErrorResult = pkix_pl_Socket_CreateByName
(PKIX_FALSE, /* isServer */
PR_SecondsToInterval(30), /* try 30 secs for connect */
ldapName,
&errorCode,
&socket,
plContext);
if (pkixTestErrorResult != NULL) {
PKIX_PL_Object_DecRef
((PKIX_PL_Object *)pkixTestErrorResult, plContext);
pkixTestErrorResult = NULL;
testError("Unable to connect to LDAP Server");
goto cleanup;
}
PKIX_TEST_DECREF_BC(socket);
testSetupCertStore(valParams, ldapName);
logging = PR_GetEnv("LOGGING");
/* Is LOGGING set in the environment? */
if ((logging != NULL) && (*logging != '\0')) {
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_Create(&loggers, plContext));
testLogErrors
(PKIX_VALIDATE_ERROR, 2, loggers, plContext);
testLogErrors
(PKIX_CERTCHAINCHECKER_ERROR, 2, loggers, plContext);
testLogErrors
(PKIX_LDAPDEFAULTCLIENT_ERROR, 2, loggers, plContext);
testLogErrors
(PKIX_CERTSTORE_ERROR, 2, loggers, plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_SetLoggers(loggers, plContext));
}
pkixTestErrorResult = PKIX_ValidateChain_NB
(valParams,
&certIndex,
&anchorIndex,
&checkerIndex,
&revChecking,
&checkers,
(void **)&pollDesc,
&valResult,
&verifyTree,
plContext);
while (pollDesc != NULL) {
if (PR_Poll(pollDesc, 1, 0) < 0) {
testError("PR_Poll failed");
}
pkixTestErrorResult = PKIX_ValidateChain_NB
(valParams,
&certIndex,
&anchorIndex,
&checkerIndex,
&revChecking,
&checkers,
(void **)&pollDesc,
&valResult,
&verifyTree,
plContext);
}
if (pkixTestErrorResult) {
if (testValid == PKIX_FALSE) { /* EE */
(void) printf("EXPECTED ERROR RECEIVED!\n");
} else { /* ENE */
testError("UNEXPECTED ERROR RECEIVED");
}
PKIX_TEST_DECREF_BC(pkixTestErrorResult);
} else {
if (testValid == PKIX_TRUE) { /* ENE */
(void) printf("EXPECTED NON-ERROR RECEIVED!\n");
} else { /* EE */
(void) printf("UNEXPECTED NON-ERROR RECEIVED!\n");
}
}
cleanup:
if (verifyTree) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
(void) printf("verifyTree is\n%s\n",
verifyString->escAsciiString);
}
PKIX_TEST_DECREF_AC(verifyString);
PKIX_TEST_DECREF_AC(verifyTree);
PKIX_TEST_DECREF_AC(checkers);
PKIX_TEST_DECREF_AC(chainCerts);
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_DECREF_AC(valResult);
PKIX_Shutdown(plContext);
PKIX_TEST_RETURN();
endTests("ValidateChain_NB");
return (0);
}
/*
* a d d _ m e t a
*
* Parse the metainfo file, and add any details
* necessary to the manifest file. In most cases you
* should be using the -i option (ie, for SmartUpdate).
*
*/
static int add_meta (FILE *fp, char *name)
{
FILE * met;
char buf [BUFSIZ];
int place;
char *pattern, *meta;
int num = 0;
if ((met = fopen (metafile, "r")) != NULL) {
while (fgets (buf, BUFSIZ, met)) {
char *s;
for (s = buf; *s && *s != '\n' && *s != '\r'; s++)
;
*s = 0;
if (*buf == 0)
continue;
pattern = buf;
/* skip to whitespace */
for (s = buf; *s && *s != ' ' && *s != '\t'; s++)
;
/* terminate pattern */
if (*s == ' ' || *s == '\t')
*s++ = 0;
/* eat through whitespace */
while (*s == ' ' || *s == '\t')
s++;
meta = s;
/* this will eventually be regexp matching */
place = 0;
if (!PORT_Strcmp (pattern, name))
place = 1;
if (place) {
num++;
if (verbosity >= 0) {
PR_fprintf(outputFD, "[%s] %s\n", name, meta);
}
fprintf (fp, "%s\n", meta);
}
}
fclose (met);
} else {
PR_fprintf(errorFD, "%s: can't open metafile: %s\n", PROGRAM_NAME,
metafile);
errorCount++;
exit (ERRX);
}
return num;
}
/*
* m a n i f e s t o _ f n
*
* Called by pointer from manifesto(), once for
* each file within the directory.
*
*/
static int manifesto_fn
(char *relpath, char *basedir, char *reldir, char *filename, void *arg)
{
int use_js;
JAR_Digest dig;
char fullname [FNSIZE];
if (verbosity >= 0) {
PR_fprintf(outputFD, "--> %s\n", relpath);
}
/* extension matching */
if (extensionsGiven) {
char *ext = PL_strrchr(relpath, '.');
if (!ext)
return 0;
if (!PL_HashTableLookup(extensions, ext))
return 0;
}
sprintf (fullname, "%s/%s", basedir, relpath);
fprintf (mf, "\n");
use_js = 0;
if (scriptdir && !PORT_Strcmp (scriptdir, reldir))
use_js++;
/* sign non-.js files inside .arc directories using the javascript magic */
if ( (PL_strcaserstr(filename, ".js") != filename + strlen(filename) - 3)
&& (PL_strcaserstr(reldir, ".arc") == reldir + strlen(filename) - 4))
use_js++;
if (use_js) {
fprintf (mf, "Name: %s\n", filename);
fprintf (mf, "Magic: javascript\n");
if (optimize == 0)
fprintf (mf, "javascript.id: %s\n", filename);
if (metafile)
add_meta (mf, filename);
} else {
fprintf (mf, "Name: %s\n", relpath);
if (metafile)
add_meta (mf, relpath);
}
JAR_digest_file (fullname, &dig);
if (optimize == 0) {
fprintf (mf, "Digest-Algorithms: MD5 SHA1\n");
fprintf (mf, "MD5-Digest: %s\n", BTOA_DataToAscii (dig.md5,
MD5_LENGTH));
}
fprintf (mf, "SHA1-Digest: %s\n", BTOA_DataToAscii (dig.sha1, SHA1_LENGTH));
if (!use_js) {
JzipAdd(fullname, relpath, zipfile, compression_level);
}
return 0;
}
int test_policychecker(int argc, char *argv[])
{
PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
PKIX_Boolean expectedResult = PKIX_FALSE;
PKIX_UInt32 chainLength = 0;
PKIX_UInt32 initArgs = 0;
PKIX_UInt32 firstCert = 0;
PKIX_UInt32 i = 0;
PKIX_Int32 j = 0;
PKIX_UInt32 actualMinorVersion;
PKIX_ProcessingParams *procParams = NULL;
char *firstTrustAnchor = "yassir2yassir";
char *secondTrustAnchor = "yassir2bcn";
char *dateAscii = "991201000000Z";
PKIX_ValidateParams *valParams = NULL;
PKIX_ValidateResult *valResult = NULL;
PKIX_List *userInitialPolicySet = NULL; /* List of PKIX_PL_OID */
char *certNames[PKIX_TEST_MAX_CERTS];
PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
PKIX_List *chain = NULL;
PKIX_Error *validationError = NULL;
PKIX_VerifyNode *verifyTree = NULL;
PKIX_PL_String *verifyString = NULL;
char *dirName = NULL;
char *dataCentralDir = NULL;
char *anchorName = NULL;
PKIX_TEST_STD_VARS();
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/*
* Perform hard-coded tests if no command line args.
* If command line args are provided, they must be:
* arg[1]: test name
* arg[2]: "ENE" or "EE", for "expect no error" or "expect error"
* arg[3]: directory for certificates
* arg[4]: user-initial-policy-set, consisting of braces
* containing zero or more OID sequences, separated by commas
* arg[5]: (optional) "E", indicating initialExplicitPolicy
* arg[firstCert]: the path and filename of the trust anchor certificate
* arg[firstCert+1..(n-1)]: successive certificates in the chain
* arg[n]: the end entity certificate
*
* Example: test_policychecker test1EE ENE
* {2.5.29.32.0,2.5.29.32.3.6} Anchor CA EndEntity
*/
dirName = argv[3+j];
dataCentralDir = argv[4+j];
if (argc <= 5 || ((6 == argc) && (j))) {
testPass
(dataCentralDir,
firstTrustAnchor,
secondTrustAnchor,
dateAscii);
testNistTest1(dirName);
testNistTest2(dirName);
goto cleanup;
}
if (argc < (7 + j)) {
printUsage(argv[0]);
pkixTestErrorMsg = "Invalid command line arguments.";
goto cleanup;
}
if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
expectedResult = PKIX_TRUE;
} else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
expectedResult = PKIX_FALSE;
} else {
printUsage(argv[0]);
pkixTestErrorMsg = "Invalid command line arguments.";
goto cleanup;
}
userInitialPolicySet = policySetParse(argv[5+j]);
if (!userInitialPolicySet) {
printUsage(argv[0]);
pkixTestErrorMsg = "Invalid command line arguments.";
goto cleanup;
}
for (initArgs = 0; initArgs < 3; initArgs++) {
if (PORT_Strcmp(argv[6+j+initArgs], "A") == 0) {
initialAnyPolicyInhibit = PKIX_TRUE;
} else if (PORT_Strcmp(argv[6+j+initArgs], "E") == 0) {
initialExplicitPolicy = PKIX_TRUE;
} else if (PORT_Strcmp(argv[6+j+initArgs], "P") == 0) {
initialPolicyMappingInhibit = PKIX_TRUE;
} else {
break;
}
}
firstCert = initArgs + j + 6;
chainLength = argc - (firstCert + 1);
if (chainLength > PKIX_TEST_MAX_CERTS) {
printUsageMax(chainLength);
pkixTestErrorMsg = "Invalid command line arguments.";
goto cleanup;
}
/*
* Create a chain, but don't include the first certName.
* That's the anchor, and is supplied separately from
* the chain.
*/
for (i = 0; i < chainLength; i++) {
certNames[i] = argv[i + (firstCert + 1)];
certs[i] = NULL;
}
chain = createCertChainPlus
(dirName, certNames, certs, chainLength, plContext);
subTest(argv[1+j]);
valParams = createValidateParams
(dirName,
argv[firstCert],
NULL,
NULL,
userInitialPolicySet,
initialPolicyMappingInhibit,
initialAnyPolicyInhibit,
initialExplicitPolicy,
PKIX_FALSE,
chain,
plContext);
if (expectedResult == PKIX_TRUE) {
subTest(" (expecting successful validation)");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
(valParams, &valResult, &verifyTree, plContext));
printValidPolicyTree(valResult);
} else {
subTest(" (expecting validation to fail)");
validationError = PKIX_ValidateChain
(valParams, &valResult, &verifyTree, plContext);
if (!validationError) {
printValidPolicyTree(valResult);
pkixTestErrorMsg = "Should have thrown an error here.";
}
PKIX_TEST_DECREF_BC(validationError);
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
(void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
cleanup:
PKIX_PL_Free(anchorName, plContext);
PKIX_TEST_DECREF_AC(verifyString);
PKIX_TEST_DECREF_AC(verifyTree);
PKIX_TEST_DECREF_AC(userInitialPolicySet);
PKIX_TEST_DECREF_AC(chain);
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_DECREF_AC(valResult);
PKIX_TEST_DECREF_AC(validationError);
PKIX_Shutdown(plContext);
PKIX_TEST_RETURN();
endTests("PolicyChecker");
return (0);
}
int test_subjaltnamechecker(int argc, char *argv[]){
PKIX_List *chain = NULL;
PKIX_ValidateParams *valParams = NULL;
PKIX_ValidateResult *valResult = NULL;
PKIX_CertSelector *selector = NULL;
PKIX_ComCertSelParams *selParams = NULL;
PKIX_ProcessingParams *procParams = NULL;
PKIX_PL_GeneralName *name = NULL;
PKIX_UInt32 actualMinorVersion;
char *certNames[PKIX_TEST_MAX_CERTS];
PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
PKIX_UInt32 chainLength = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
char *nameStr;
char *nameEnd;
char *names[PKIX_TEST_MAX_CERTS];
PKIX_UInt32 numNames = 0;
PKIX_UInt32 nameType;
PKIX_Boolean matchAll = PKIX_TRUE;
PKIX_Boolean testValid = PKIX_TRUE;
char *dirName = NULL;
char *anchorName = NULL;
PKIX_VerifyNode *verifyTree = NULL;
PKIX_PL_String *verifyString = NULL;
PKIX_TEST_STD_VARS();
if (argc < 5) {
printUsage1(argv[0]);
return (0);
}
startTests("SubjAltNameConstraintChecker");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
j++; /* skip test-purpose string */
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage1(argv[0]);
return (0);
}
/* taking out leading and trailing ", if any */
nameStr = argv[1+j];
subTest(nameStr);
if (*nameStr == '"'){
nameStr++;
nameEnd = nameStr;
while (*nameEnd != '"' && *nameEnd != '\0') {
nameEnd++;
}
*nameEnd = '\0';
}
/* extract first [0|1] inidcating matchAll or not */
matchAll = (*nameStr == '0')?PKIX_FALSE:PKIX_TRUE;
nameStr++;
numNames = 0;
while (*nameStr != '\0') {
names[numNames++] = nameStr;
while (*nameStr != '+' && *nameStr != '\0') {
nameStr++;
}
if (*nameStr == '+') {
*nameStr = '\0';
nameStr++;
}
}
chainLength = (argc - j) - 4;
if (chainLength > PKIX_TEST_MAX_CERTS) {
printUsageMax(chainLength);
}
for (i = 0; i < chainLength; i++) {
certNames[i] = argv[(4+j)+i];
certs[i] = NULL;
}
/* SubjAltName for validation */
subTest("Add Subject Alt Name for NameConstraint checking");
subTest("Create Selector and ComCertSelParams");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
(NULL, NULL, &selector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
(&selParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_CertSelector_SetCommonCertSelectorParams
(selector, selParams, plContext));
subTest("PKIX_ComCertSelParams_SetMatchAllSubjAltNames");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames
(selParams, matchAll, plContext));
subTest("PKIX_ComCertSelParams_AddSubjAltName(s)");
for (i = 0; i < numNames; i++) {
nameType = getNameType(names[i]);
if (nameType == 0xFFFF) {
return (0);
}
nameStr = names[i] + 2;
name = createGeneralName(nameType, nameStr, plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName
(selParams, name, plContext));
PKIX_TEST_DECREF_BC(name);
}
subTest("SubjAltName-Constraints - Create Cert Chain");
dirName = argv[3+j];
chain = createCertChainPlus
(dirName, certNames, certs, chainLength, plContext);
subTest("SubjAltName-Constraints - Create Params");
valParams = createValidateParams
(dirName,
argv[4+j],
NULL,
NULL,
NULL,
PKIX_FALSE,
PKIX_FALSE,
PKIX_FALSE,
PKIX_FALSE,
chain,
plContext);
subTest("PKIX_ValidateParams_getProcessingParams");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
(valParams, &procParams, plContext));
subTest("PKIX_ProcessingParams_SetTargetCertConstraints");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints
(procParams, selector, plContext));
subTest("Subject Alt Name - Validate Chain");
if (testValid == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
(valParams, &valResult, &verifyTree, plContext));
} else {
PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
(valParams, &valResult, &verifyTree, plContext));
}
cleanup:
PKIX_PL_Free(anchorName, plContext);
PKIX_TEST_DECREF_AC(verifyString);
PKIX_TEST_DECREF_AC(verifyTree);
PKIX_TEST_DECREF_AC(chain);
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_DECREF_AC(valResult);
PKIX_TEST_DECREF_AC(selector);
PKIX_TEST_DECREF_AC(selParams);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(name);
PKIX_Shutdown(plContext);
PKIX_TEST_RETURN();
endTests("SubjAltNameConstraintsChecker");
return (0);
}
int test_validatechain(int argc, char *argv[]){
PKIX_ValidateParams *valParams = NULL;
PKIX_ValidateResult *valResult = NULL;
PKIX_UInt32 actualMinorVersion;
PKIX_UInt32 j = 0;
PKIX_UInt32 k = 0;
PKIX_UInt32 chainLength = 0;
PKIX_Boolean testValid = PKIX_TRUE;
PKIX_List *chainCerts = NULL;
PKIX_PL_Cert *dirCert = NULL;
PKIX_VerifyNode *verifyTree = NULL;
PKIX_PL_String *verifyString = NULL;
char *dirCertName = NULL;
char *anchorCertName = NULL;
char *dirName = NULL;
PKIX_TEST_STD_VARS();
if (argc < 5) {
printUsage();
return (0);
}
startTests("ValidateChain");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage();
return (0);
}
subTest(argv[1+j]);
dirName = argv[3+j];
chainLength = argc - j - 5;
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext));
for (k = 0; k < chainLength; k++) {
dirCert = createCert(dirName, argv[5+k+j], plContext);
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(chainCerts, (PKIX_PL_Object *)dirCert, plContext));
PKIX_TEST_DECREF_BC(dirCert);
}
valParams = createValidateParams
(dirName,
argv[4+j],
NULL,
NULL,
NULL,
PKIX_FALSE,
PKIX_FALSE,
PKIX_FALSE,
PKIX_FALSE,
chainCerts,
plContext);
testDefaultCertStore(valParams, dirName);
if (testValid == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
(valParams, &valResult, &verifyTree, plContext));
} else {
PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
(valParams, &valResult, &verifyTree, plContext));
}
subTest("Displaying VerifyNode objects");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
(void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
cleanup:
PKIX_TEST_DECREF_AC(verifyString);
PKIX_TEST_DECREF_AC(verifyTree);
PKIX_TEST_DECREF_AC(chainCerts);
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_DECREF_AC(valResult);
PKIX_Shutdown(plContext);
PKIX_TEST_RETURN();
endTests("ValidateChain");
return (0);
}
int
test_buildchain(int argc, char *argv[])
{
PKIX_BuildResult *buildResult = NULL;
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_TrustAnchor *anchor = NULL;
PKIX_PL_PublicKey *trustedPubKey = NULL;
PKIX_List *anchors = NULL;
PKIX_List *certs = NULL;
PKIX_RevocationChecker *revChecker = NULL;
PKIX_PL_Cert *cert = NULL;
PKIX_ProcessingParams *procParams = NULL;
char *dirName = NULL;
PKIX_PL_String *dirNameString = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_PL_Cert *targetCert = NULL;
PKIX_UInt32 actualMinorVersion = 0;
PKIX_UInt32 numCerts = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
PKIX_UInt32 k = 0;
PKIX_CertStore *ldapCertStore = NULL;
PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; /* blocking */
/* PRIntervalTime timeout = PR_INTERVAL_NO_WAIT; =0 for non-blocking */
PKIX_CertStore *certStore = NULL;
PKIX_List *certStores = NULL;
PKIX_List *revCheckers = NULL;
char *asciiResult = NULL;
PKIX_Boolean result = PKIX_FALSE;
PKIX_Boolean testValid = PKIX_TRUE;
PKIX_List *expectedCerts = NULL;
PKIX_PL_Cert *dirCert = NULL;
PKIX_VerifyNode *verifyTree = NULL;
PKIX_PL_String *verifyString = NULL;
PKIX_PL_String *actualCertsString = NULL;
PKIX_PL_String *expectedCertsString = NULL;
void *state = NULL;
char *actualCertsAscii = NULL;
char *expectedCertsAscii = NULL;
PRPollDesc *pollDesc = NULL;
PKIX_TEST_STD_VARS();
if (argc < 5) {
printUsage();
return (0);
}
startTests("BuildChain");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/*
* arguments:
* [optional] -arenas
* [optional] usebind
* servername or servername:port ( - for no server)
* testname
* EE or ENE
* cert directory
* target cert (end entity)
* intermediate certs
* trust anchor
*/
/* optional argument "usebind" for Ldap CertStore */
if (argv[j + 1]) {
if (PORT_Strcmp(argv[j + 1], "usebind") == 0) {
usebind = PKIX_TRUE;
j++;
}
}
if (PORT_Strcmp(argv[++j], "-") == 0) {
useLDAP = PKIX_FALSE;
} else {
serverName = argv[j];
useLDAP = PKIX_TRUE;
}
subTest(argv[++j]);
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[++j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage();
return (0);
}
dirName = argv[++j];
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
for (k = ++j; k < (PKIX_UInt32)argc; k++) {
dirCert = createCert(dirName, argv[k], plContext);
if (k == (PKIX_UInt32)(argc - 1)) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
trustedCert = dirCert;
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts,
(PKIX_PL_Object *)dirCert,
plContext));
if (k == j) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
targetCert = dirCert;
}
}
PKIX_TEST_DECREF_BC(dirCert);
}
/* create processing params with list of trust anchors */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));
/* create CertSelector with target certificate in params */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));
/* create CertStores */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, dirName, 0, &dirNameString, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
if (useLDAP == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore(serverName, timeout, &ldapCertStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores,
(PKIX_PL_Object *)ldapCertStore,
plContext));
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext));
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(trustedCert, &trustedPubKey, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(expectedCerts, &numCerts, plContext));
PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize(certStores,
NULL, /* testDate, may be NULL */
trustedPubKey,
numCerts,
&revChecker,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(revCheckers, (PKIX_PL_Object *)revChecker, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers(procParams, revCheckers, plContext));
#ifdef debuggingWithoutRevocation
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext));
#endif
/* build cert chain using processing params and return buildResult */
pkixTestErrorResult = PKIX_BuildChain(procParams,
(void **)&pollDesc,
&state,
&buildResult,
&verifyTree,
plContext);
while (pollDesc != NULL) {
if (PR_Poll(pollDesc, 1, 0) < 0) {
testError("PR_Poll failed");
}
pkixTestErrorResult = PKIX_BuildChain(procParams,
(void **)&pollDesc,
&state,
&buildResult,
&verifyTree,
plContext);
}
if (pkixTestErrorResult) {
if (testValid == PKIX_FALSE) { /* EE */
(void)printf("EXPECTED ERROR RECEIVED!\n");
} else { /* ENE */
testError("UNEXPECTED ERROR RECEIVED");
}
} else {
if (testValid == PKIX_TRUE) { /* ENE */
(void)printf("EXPECTED NON-ERROR RECEIVED!\n");
} else { /* EE */
(void)printf("UNEXPECTED NON-ERROR RECEIVED!\n");
}
}
subTest("Displaying VerifyNode objects");
if (verifyTree == NULL) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, "(null)", 0, &verifyString, plContext));
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext));
}
(void)printf("verifyTree is\n%s\n", verifyString->escAsciiString);
if (pkixTestErrorResult) {
PKIX_TEST_DECREF_BC(pkixTestErrorResult);
goto cleanup;
}
if (buildResult) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext));
printf("\n");
for (i = 0; i < numCerts; i++) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs,
i,
(PKIX_PL_Object **)&cert,
plContext));
asciiResult = PKIX_Cert2ASCII(cert);
printf("CERT[%d]:\n%s\n", i, asciiResult);
/* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, NULL));
asciiResult = NULL;
PKIX_TEST_DECREF_BC(cert);
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)certs,
(PKIX_PL_Object *)expectedCerts,
&result,
plContext));
if (!result) {
testError("BUILT CERTCHAIN IS "
"NOT THE ONE THAT WAS EXPECTED");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)certs,
&actualCertsString,
plContext));
actualCertsAscii = PKIX_String2ASCII(actualCertsString, plContext);
if (actualCertsAscii == NULL) {
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)expectedCerts,
&expectedCertsString,
plContext));
expectedCertsAscii = PKIX_String2ASCII(expectedCertsString, plContext);
if (expectedCertsAscii == NULL) {
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
(void)printf("Actual value:\t%s\n", actualCertsAscii);
(void)printf("Expected value:\t%s\n",
expectedCertsAscii);
}
}
cleanup:
PKIX_TEST_DECREF_AC(verifyString);
PKIX_TEST_DECREF_AC(verifyTree);
PKIX_PL_Free(asciiResult, NULL);
PKIX_PL_Free(actualCertsAscii, plContext);
PKIX_PL_Free(expectedCertsAscii, plContext);
PKIX_TEST_DECREF_AC(state);
PKIX_TEST_DECREF_AC(actualCertsString);
PKIX_TEST_DECREF_AC(expectedCertsString);
PKIX_TEST_DECREF_AC(expectedCerts);
PKIX_TEST_DECREF_AC(buildResult);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(certStores);
PKIX_TEST_DECREF_AC(revCheckers);
PKIX_TEST_DECREF_AC(revChecker);
PKIX_TEST_DECREF_AC(ldapCertStore);
PKIX_TEST_DECREF_AC(certStore);
PKIX_TEST_DECREF_AC(dirNameString);
PKIX_TEST_DECREF_AC(certSelParams);
PKIX_TEST_DECREF_AC(certSelector);
PKIX_TEST_DECREF_AC(anchors);
PKIX_TEST_DECREF_AC(anchor);
PKIX_TEST_DECREF_AC(trustedCert);
PKIX_TEST_DECREF_AC(trustedPubKey);
PKIX_TEST_DECREF_AC(certs);
PKIX_TEST_DECREF_AC(cert);
PKIX_TEST_DECREF_AC(targetCert);
PKIX_TEST_RETURN();
PKIX_Shutdown(plContext);
endTests("BuildChain");
return (0);
}
/*
* find a module by name or module pointer and delete it off the module list.
* optionally remove it from secmod.db.
*/
SECStatus
SECMOD_DeleteModuleEx(const char *name, SECMODModule *mod,
int *type, PRBool permdb)
{
SECMODModuleList *mlp;
SECMODModuleList **mlpp;
SECStatus rv = SECFailure;
if (!moduleLock) {
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
return rv;
}
*type = SECMOD_EXTERNAL;
SECMOD_GetWriteLock(moduleLock);
for (mlpp = &modules,mlp = modules;
mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
if ((name && (PORT_Strcmp(name,mlp->module->commonName) == 0)) ||
mod == mlp->module) {
/* don't delete the internal module */
if (!mlp->module->internal) {
SECMOD_RemoveList(mlpp,mlp);
/* delete it after we release the lock */
rv = STAN_RemoveModuleFromDefaultTrustDomain(mlp->module);
} else if (mlp->module->isFIPS) {
*type = SECMOD_FIPS;
} else {
*type = SECMOD_INTERNAL;
}
break;
}
}
if (mlp) {
goto found;
}
/* not on the internal list, check the unload list */
for (mlpp = &modulesUnload,mlp = modulesUnload;
mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
if ((name && (PORT_Strcmp(name,mlp->module->commonName) == 0)) ||
mod == mlp->module) {
/* don't delete the internal module */
if (!mlp->module->internal) {
SECMOD_RemoveList(mlpp,mlp);
rv = SECSuccess;
} else if (mlp->module->isFIPS) {
*type = SECMOD_FIPS;
} else {
*type = SECMOD_INTERNAL;
}
break;
}
}
found:
SECMOD_ReleaseWriteLock(moduleLock);
if (rv == SECSuccess) {
if (permdb) {
SECMOD_DeletePermDB(mlp->module);
}
SECMOD_DestroyModuleListElement(mlp);
}
return rv;
}
SECStatus
parseRevMethodsAndFlags()
{
int i;
uint testType = 0;
for(i = 0;i < REV_METHOD_INDEX_MAX;i++) {
/* testType */
if (revMethodsData[i].testTypeStr) {
char *typeStr = revMethodsData[i].testTypeStr;
testType = 0;
if (!PORT_Strcmp(typeStr, REVCONFIG_TEST_LEAF_STR)) {
testType = REVCONFIG_TEST_LEAF;
} else if (!PORT_Strcmp(typeStr, REVCONFIG_TEST_CHAIN_STR)) {
testType = REVCONFIG_TEST_CHAIN;
}
}
if (!testType) {
return SECFailure;
}
revMethodsData[i].testType = testType;
/* testFlags */
if (revMethodsData[i].testFlagsStr) {
char *flagStr = revMethodsData[i].testFlagsStr;
uint testFlags = 0;
if (PORT_Strstr(flagStr, REVCONFIG_TEST_TESTLOCALINFOFIRST_STR)) {
testFlags |= CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
}
if (PORT_Strstr(flagStr, REVCONFIG_TEST_REQUIREFRESHINFO_STR)) {
testFlags |= CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
}
revMethodsData[i].testFlags = testFlags;
}
/* method type */
if (revMethodsData[i].methodTypeStr) {
char *methodStr = revMethodsData[i].methodTypeStr;
uint methodType = 0;
if (!PORT_Strcmp(methodStr, REVCONFIG_METHOD_CRL_STR)) {
methodType = REVCONFIG_METHOD_CRL;
} else if (!PORT_Strcmp(methodStr, REVCONFIG_METHOD_OCSP_STR)) {
methodType = REVCONFIG_METHOD_OCSP;
}
if (!methodType) {
return SECFailure;
}
revMethodsData[i].methodType = methodType;
}
if (!revMethodsData[i].methodType) {
revMethodsData[i].testType = REVCONFIG_TEST_UNDEFINED;
continue;
}
/* method flags */
if (revMethodsData[i].methodFlagsStr) {
char *flagStr = revMethodsData[i].methodFlagsStr;
uint methodFlags = 0;
if (!PORT_Strstr(flagStr, REVCONFIG_METHOD_DONOTUSEMETHOD_STR)) {
methodFlags |= CERT_REV_M_TEST_USING_THIS_METHOD;
}
if (PORT_Strstr(flagStr,
REVCONFIG_METHOD_FORBIDNETWORKFETCHIN_STR)) {
methodFlags |= CERT_REV_M_FORBID_NETWORK_FETCHING;
}
if (PORT_Strstr(flagStr, REVCONFIG_METHOD_IGNOREDEFAULTSRC_STR)) {
methodFlags |= CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
}
if (PORT_Strstr(flagStr, REVCONFIG_METHOD_REQUIREINFO_STR)) {
methodFlags |= CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE;
}
if (PORT_Strstr(flagStr, REVCONFIG_METHOD_FAILIFNOINFO_STR)) {
methodFlags |= CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO;
}
revMethodsData[i].methodFlags = methodFlags;
} else {
revMethodsData[i].methodFlags |= CERT_REV_M_TEST_USING_THIS_METHOD;
}
}
return SECSuccess;
}
/*
* find a module by name and delete it off the module list
*/
SECStatus
SECMOD_DeleteInternalModule(const char *name)
{
SECMODModuleList *mlp;
SECMODModuleList **mlpp;
SECStatus rv = SECFailure;
if (pendingModule) {
PORT_SetError(SEC_ERROR_MODULE_STUCK);
return rv;
}
if (!moduleLock) {
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
return rv;
}
SECMOD_GetWriteLock(moduleLock);
for(mlpp = &modules,mlp = modules;
mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
/* don't delete the internal module */
if (mlp->module->internal) {
SECMOD_RemoveList(mlpp,mlp);
rv = STAN_RemoveModuleFromDefaultTrustDomain(mlp->module);
}
break;
}
}
SECMOD_ReleaseWriteLock(moduleLock);
if (rv == SECSuccess) {
SECMODModule *newModule,*oldModule;
if (mlp->module->isFIPS) {
newModule = SECMOD_CreateModule(NULL, SECMOD_INT_NAME,
NULL, SECMOD_INT_FLAGS);
} else {
newModule = SECMOD_CreateModule(NULL, SECMOD_FIPS_NAME,
NULL, SECMOD_FIPS_FLAGS);
}
if (newModule) {
PK11SlotInfo *slot;
newModule->libraryParams =
PORT_ArenaStrdup(newModule->arena,mlp->module->libraryParams);
/* if an explicit internal key slot has been set, reset it */
slot = pk11_SwapInternalKeySlot(NULL);
if (slot) {
secmod_SetInternalKeySlotFlag(newModule, PR_TRUE);
}
rv = SECMOD_AddModule(newModule);
if (rv != SECSuccess) {
/* load failed, restore the internal key slot */
pk11_SetInternalKeySlot(slot);
SECMOD_DestroyModule(newModule);
newModule = NULL;
}
/* free the old explicit internal key slot, we now have a new one */
if (slot) {
PK11_FreeSlot(slot);
}
}
if (newModule == NULL) {
SECMODModuleList *last = NULL,*mlp2;
/* we're in pretty deep trouble if this happens...Security
* not going to work well... try to put the old module back on
* the list */
SECMOD_GetWriteLock(moduleLock);
for(mlp2 = modules; mlp2 != NULL; mlp2 = mlp->next) {
last = mlp2;
}
if (last == NULL) {
modules = mlp;
} else {
SECMOD_AddList(last,mlp,NULL);
}
SECMOD_ReleaseWriteLock(moduleLock);
return SECFailure;
}
pendingModule = oldModule = internalModule;
internalModule = NULL;
SECMOD_DestroyModule(oldModule);
SECMOD_DeletePermDB(mlp->module);
SECMOD_DestroyModuleListElement(mlp);
internalModule = newModule; /* adopt the module */
}
return rv;
}
int main(int argc, char **argv)
{
int rv, ascii;
char *progName;
FILE *outFile;
PRFileDesc *inFile;
SECItem der, data;
char *typeTag;
PLOptState *optstate;
progName = strrchr(argv[0], '/');
progName = progName ? progName+1 : argv[0];
ascii = 0;
inFile = 0;
outFile = 0;
typeTag = 0;
optstate = PL_CreateOptState(argc, argv, "at:i:o:");
while ( PL_GetNextOpt(optstate) == PL_OPT_OK ) {
switch (optstate->option) {
case '?':
Usage(progName);
break;
case 'a':
ascii = 1;
break;
case 'i':
inFile = PR_Open(optstate->value, PR_RDONLY, 0);
if (!inFile) {
fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
progName, optstate->value);
return -1;
}
break;
case 'o':
outFile = fopen(optstate->value, "w");
if (!outFile) {
fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
progName, optstate->value);
return -1;
}
break;
case 't':
typeTag = strdup(optstate->value);
break;
}
}
PL_DestroyOptState(optstate);
if (!typeTag) Usage(progName);
if (!inFile) inFile = PR_STDIN;
if (!outFile) outFile = stdout;
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
rv = NSS_NoDB_Init(NULL);
if (rv != SECSuccess) {
fprintf(stderr, "%s: NSS_NoDB_Init failed (%s)\n",
progName, SECU_Strerror(PORT_GetError()));
exit(1);
}
SECU_RegisterDynamicOids();
rv = SECU_ReadDERFromFile(&der, inFile, ascii, PR_FALSE);
if (rv != SECSuccess) {
fprintf(stderr, "%s: SECU_ReadDERFromFile failed\n", progName);
exit(1);
}
/* Data is untyped, using the specified type */
data.data = der.data;
data.len = der.len;
/* Pretty print it */
if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0) {
rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0,
SECU_PrintCertificate);
} else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_ID) == 0) {
PRBool saveWrapeState = SECU_GetWrapEnabled();
SECU_EnableWrap(PR_FALSE);
rv = SECU_PrintSignedContent(outFile, &data, 0, 0,
SECU_PrintDumpDerIssuerAndSerial);
SECU_EnableWrap(saveWrapeState);
} else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_REQUEST) == 0) {
rv = SECU_PrintSignedData(outFile, &data, "Certificate Request", 0,
SECU_PrintCertificateRequest);
} else if (PORT_Strcmp (typeTag, SEC_CT_CRL) == 0) {
rv = SECU_PrintSignedData (outFile, &data, "CRL", 0, SECU_PrintCrl);
#ifdef HAVE_EPV_TEMPLATE
} else if (PORT_Strcmp(typeTag, SEC_CT_PRIVATE_KEY) == 0) {
rv = SECU_PrintPrivateKey(outFile, &data, "Private Key", 0);
#endif
} else if (PORT_Strcmp(typeTag, SEC_CT_PUBLIC_KEY) == 0) {
rv = SECU_PrintSubjectPublicKeyInfo(outFile, &data, "Public Key", 0);
} else if (PORT_Strcmp(typeTag, SEC_CT_PKCS7) == 0) {
rv = SECU_PrintPKCS7ContentInfo(outFile, &data,
"PKCS #7 Content Info", 0);
} else if (PORT_Strcmp(typeTag, SEC_CT_NAME) == 0) {
rv = SECU_PrintDERName(outFile, &data, "Name", 0);
} else {
fprintf(stderr, "%s: don't know how to print out '%s' files\n",
progName, typeTag);
SECU_PrintAny(outFile, &data, "File contains", 0);
return -1;
}
if (inFile != PR_STDIN)
PR_Close(inFile);
PORT_Free(der.data);
if (rv) {
fprintf(stderr, "%s: problem converting data (%s)\n",
progName, SECU_Strerror(PORT_GetError()));
}
if (NSS_Shutdown() != SECSuccess) {
fprintf(stderr, "%s: NSS_Shutdown failed (%s)\n",
progName, SECU_Strerror(PORT_GetError()));
rv = SECFailure;
}
PR_Cleanup();
return rv;
}
/*
* read an old style ascii or binary certificate chain
*/
SECStatus
CERT_DecodeCertPackage(char *certbuf,
int certlen,
CERTImportCertificateFunc f,
void *arg)
{
unsigned char *cp;
unsigned char *bincert = NULL;
char * ascCert = NULL;
SECStatus rv;
if ( certbuf == NULL ) {
return(SECFailure);
}
cp = (unsigned char *)certbuf;
/* is a DER encoded certificate of some type? */
if ( ( *cp & 0x1f ) == SEC_ASN1_SEQUENCE ) {
SECItem certitem;
SECItem *pcertitem = &certitem;
int seqLen, seqLenLen;
cp++;
if ( *cp & 0x80) {
/* Multibyte length */
seqLenLen = cp[0] & 0x7f;
switch (seqLenLen) {
case 4:
seqLen = ((unsigned long)cp[1]<<24) |
((unsigned long)cp[2]<<16) | (cp[3]<<8) | cp[4];
break;
case 3:
seqLen = ((unsigned long)cp[1]<<16) | (cp[2]<<8) | cp[3];
break;
case 2:
seqLen = (cp[1]<<8) | cp[2];
break;
case 1:
seqLen = cp[1];
break;
default:
/* indefinite length */
seqLen = 0;
}
cp += ( seqLenLen + 1 );
} else {
seqLenLen = 0;
seqLen = *cp;
cp++;
}
/* check entire length if definite length */
if ( seqLen || seqLenLen ) {
if ( certlen != ( seqLen + seqLenLen + 2 ) ) {
if (certlen > ( seqLen + seqLenLen + 2 ))
PORT_SetError(SEC_ERROR_EXTRA_INPUT);
else
PORT_SetError(SEC_ERROR_INPUT_LEN);
goto notder;
}
}
/* check the type string */
/* netscape wrapped DER cert */
if ( ( cp[0] == SEC_ASN1_OCTET_STRING ) &&
( cp[1] == CERTIFICATE_TYPE_LEN ) &&
( PORT_Strcmp((char *)&cp[2], CERTIFICATE_TYPE_STRING) ) ) {
cp += ( CERTIFICATE_TYPE_LEN + 2 );
/* it had better be a certificate by now!! */
certitem.data = cp;
certitem.len = certlen - ( cp - (unsigned char *)certbuf );
rv = (* f)(arg, &pcertitem, 1);
return(rv);
} else if ( cp[0] == SEC_ASN1_OBJECT_ID ) {
SECOidData *oiddata;
SECItem oiditem;
/* XXX - assume DER encoding of OID len!! */
oiditem.len = cp[1];
oiditem.data = (unsigned char *)&cp[2];
oiddata = SECOID_FindOID(&oiditem);
if ( oiddata == NULL ) {
return(SECFailure);
}
certitem.data = (unsigned char*)certbuf;
certitem.len = certlen;
switch ( oiddata->offset ) {
case SEC_OID_PKCS7_SIGNED_DATA:
return(SEC_ReadPKCS7Certs(&certitem, f, arg));
break;
case SEC_OID_NS_TYPE_CERT_SEQUENCE:
return(SEC_ReadCertSequence(&certitem, f, arg));
break;
default:
break;
}
} else {
/* it had better be a certificate by now!! */
certitem.data = (unsigned char*)certbuf;
certitem.len = certlen;
rv = (* f)(arg, &pcertitem, 1);
return(rv);
}
}
/* now look for a netscape base64 ascii encoded cert */
notder:
{
unsigned char *certbegin = NULL;
unsigned char *certend = NULL;
char *pc;
int cl;
/* Convert the ASCII data into a nul-terminated string */
ascCert = (char *)PORT_Alloc(certlen + 1);
if (!ascCert) {
rv = SECFailure;
goto loser;
}
PORT_Memcpy(ascCert, certbuf, certlen);
ascCert[certlen] = '\0';
pc = PORT_Strchr(ascCert, '\n'); /* find an EOL */
if (!pc) { /* maybe this is a MAC file */
pc = ascCert;
while (*pc && NULL != (pc = PORT_Strchr(pc, '\r'))) {
*pc++ = '\n';
}
}
cp = (unsigned char *)ascCert;
cl = certlen;
/* find the beginning marker */
while ( cl > NS_CERT_HEADER_LEN ) {
if ( !PORT_Strncasecmp((char *)cp, NS_CERT_HEADER,
NS_CERT_HEADER_LEN) ) {
cl -= NS_CERT_HEADER_LEN;
cp += NS_CERT_HEADER_LEN;
certbegin = cp;
break;
}
/* skip to next eol */
do {
cp++;
cl--;
} while ( ( *cp != '\n') && cl );
/* skip all blank lines */
while ( ( *cp == '\n') && cl ) {
cp++;
cl--;
}
}
if ( certbegin ) {
/* find the ending marker */
while ( cl > NS_CERT_TRAILER_LEN ) {
if ( !PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER,
NS_CERT_TRAILER_LEN) ) {
certend = (unsigned char *)cp;
break;
}
/* skip to next eol */
do {
cp++;
cl--;
} while ( ( *cp != '\n') && cl );
/* skip all blank lines */
while ( ( *cp == '\n') && cl ) {
cp++;
cl--;
}
}
}
if ( certbegin && certend ) {
unsigned int binLen;
*certend = 0;
/* convert to binary */
bincert = ATOB_AsciiToData(certbegin, &binLen);
if (!bincert) {
rv = SECFailure;
goto loser;
}
/* now recurse to decode the binary */
rv = CERT_DecodeCertPackage((char *)bincert, binLen, f, arg);
} else {
rv = SECFailure;
}
}
loser:
if ( bincert ) {
PORT_Free(bincert);
}
if ( ascCert ) {
PORT_Free(ascCert);
}
return(rv);
}
