int testQuery( const CRYPT_KEYSET_TYPE keysetType, const C_STR keysetName )
{
CRYPT_KEYSET cryptKeyset;
int count = 0, status;
/* Open the database keyset */
status = cryptKeysetOpen( &cryptKeyset, CRYPT_UNUSED, keysetType,
keysetName, CRYPT_KEYOPT_READONLY );
if( cryptStatusError( status ) )
{
printf( "cryptKeysetOpen() failed with error code %d, line %d.\n",
status, __LINE__ );
if( status == CRYPT_ERROR_OPEN )
return( CRYPT_ERROR_FAILED );
return( FALSE );
}
/* Send the query to the database and read back the results */
status = cryptSetAttributeString( cryptKeyset, CRYPT_KEYINFO_QUERY,
TEXT( "$C='US'" ),
paramStrlen( TEXT( "$C='US'" ) ) );
if( cryptStatusError( status ) )
return( extErrorExit( cryptKeyset, "Keyset query", status,
__LINE__ ) );
do
{
CRYPT_CERTIFICATE cryptCert;
status = cryptGetPublicKey( cryptKeyset, &cryptCert,
CRYPT_KEYID_NONE, NULL );
if( cryptStatusOK( status ) )
{
count++;
cryptDestroyCert( cryptCert );
}
}
while( cryptStatusOK( status ) );
if( cryptStatusError( status ) && status != CRYPT_ERROR_COMPLETE )
return( extErrorExit( cryptKeyset, "cryptGetPublicKey()", status,
__LINE__ ) );
if( count < 2 )
{
puts( "Only one certificate was returned, this indicates that the "
"database backend\nglue code isn't processing ongoing queries "
"correctly." );
return( FALSE );
}
printf( "%d certificate(s) matched the query.\n", count );
/* Close the keyset */
status = cryptKeysetClose( cryptKeyset );
if( cryptStatusError( status ) )
{
printf( "cryptKeysetClose() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
return( TRUE );
}
static int checkKeysetCRL( const CRYPT_KEYSET cryptKeyset,
const CRYPT_CERTIFICATE cryptCert,
const BOOLEAN isCertChain )
{
int errorLocus, status;
/* Perform a revocation check against the CRL in the keyset */
printf( "Checking certificate%s against CRL.\n",
isCertChain ? " chain" : "" );
status = cryptCheckCert( cryptCert, cryptKeyset );
if( cryptStatusOK( status ) )
return( TRUE );
if( isCertChain )
{
/* Checking a chain against a keyset doesn't really make sense, so
this should be rejected */
if( status == CRYPT_ERROR_PARAM2 )
return( TRUE );
printf( "Check of certificate chain against keyset returned %d, "
"should have been %d.\n", status, CRYPT_ERROR_PARAM2 );
return( FALSE );
}
if( status != CRYPT_ERROR_INVALID )
{
return( extErrorExit( cryptKeyset, "cryptCheckCert() (for CRL in "
"keyset)", status, __LINE__ ) );
}
/* If the certificate has expired then it'll immediately be reported as
invalid without bothering to check the CRL, so we have to perform the
check in oblivious mode to avoid the expiry check */
status = cryptGetAttribute( cryptCert, CRYPT_ATTRIBUTE_ERRORLOCUS,
&errorLocus );
if( cryptStatusOK( status ) && errorLocus == CRYPT_CERTINFO_VALIDTO )
{
int complianceValue;
puts( " (Certificate has already expired, re-checking in oblivious "
"mode)." );
( void ) cryptGetAttribute( CRYPT_UNUSED,
CRYPT_OPTION_CERT_COMPLIANCELEVEL,
&complianceValue );
cryptSetAttribute( CRYPT_UNUSED, CRYPT_OPTION_CERT_COMPLIANCELEVEL,
CRYPT_COMPLIANCELEVEL_OBLIVIOUS );
status = cryptCheckCert( cryptCert, cryptKeyset );
cryptSetAttribute( CRYPT_UNUSED, CRYPT_OPTION_CERT_COMPLIANCELEVEL,
complianceValue );
}
if( cryptStatusError( status ) )
return( extErrorExit( cryptKeyset, "cryptCheckCert() (for CRL in "
"keyset)", status, __LINE__ ) );
return( TRUE );
}
static int connectCertstoreClient( void )
{
CRYPT_KEYSET cryptKeyset;
CRYPT_CERTIFICATE cryptCert;
const C_STR cert1ID = TEXT( "*****@*****.**" );
const C_STR cert2ID = TEXT( "*****@*****.**" );
int status;
/* Open the keyset with a check to make sure this access method exists
so we can return an appropriate error message */
status = cryptKeysetOpen( &cryptKeyset, CRYPT_UNUSED, CRYPT_KEYSET_HTTP,
TEXT( "localhost" ), CRYPT_KEYOPT_READONLY );
if( status == CRYPT_ERROR_PARAM3 )
{
/* This type of keyset access not available */
return( CRYPT_ERROR_NOTAVAIL );
}
if( cryptStatusError( status ) )
{
printf( "cryptKeysetOpen() failed with error code %d, line %d.\n",
status, __LINE__ );
return( CRYPT_ERROR_FAILED );
}
/* Read a present certificate from the keyset using the ASCII email
address */
status = cryptGetPublicKey( cryptKeyset, &cryptCert, CRYPT_KEYID_EMAIL,
cert1ID );
if( cryptStatusError( status ) )
return( extErrorExit( cryptKeyset, "cryptGetPublicKey()", status,
__LINE__ ) );
printf( "Successfully read certificate for '%s'.\n", cert1ID );
cryptDestroyCert( cryptCert );
/* Read a non-present certificate from the keyset */
status = cryptGetPublicKey( cryptKeyset, &cryptCert, CRYPT_KEYID_EMAIL,
cert2ID );
if( status == CRYPT_ERROR_NOTFOUND )
printf( "Successfully processed not-present code for '%s'.\n",
cert2ID );
else
return( extErrorExit( cryptKeyset, "cryptGetPublicKey()", status,
__LINE__ ) );
/* Read the certificate from the keyset using the base64-encoded certID.
Since this uses an internal identifier, we can't actually do it from
here, this requires modifying the internal keyset read code to
substitute the different identifier type.
A second purpose for this call is to test the ability of the client
to recover from the CRYPT_ERROR_NOTFOUND in the previous call, i.e.
the error should be nonfatal with further requests possible */
status = cryptGetPublicKey( cryptKeyset, &cryptCert, CRYPT_KEYID_EMAIL,
cert1ID );
if( cryptStatusError( status ) )
return( extErrorExit( cryptKeyset, "cryptGetPublicKey()", status,
__LINE__ ) );
printf( "Successfully read certificate for '%s'.\n", cert1ID );
cryptDestroyCert( cryptCert );
/* Clean up */
cryptKeysetClose( cryptKeyset );
return( TRUE );
}
int testReadCert( void )
{
CRYPT_CERTIFICATE cryptCert;
C_CHR name[ CRYPT_MAX_TEXTSIZE + 1 ], email[ CRYPT_MAX_TEXTSIZE + 1 ];
C_CHR filenameBuffer[ FILENAME_BUFFER_SIZE ];
int length, status;
/* Get the DN from one of the test certs (the one that we wrote to the
keyset earlier with testKeysetWrite() */
status = importCertFromTemplate( &cryptCert, CERT_FILE_TEMPLATE,
EMAILADDR_CERT_NO );
if( cryptStatusError( status ) )
{
printf( "Couldn't read certificate from file, status %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
status = cryptGetAttributeString( cryptCert, CRYPT_CERTINFO_COMMONNAME,
name, &length );
if( cryptStatusOK( status ) )
{
#ifdef UNICODE_STRINGS
length /= sizeof( wchar_t );
#endif /* UNICODE_STRINGS */
name[ length ] = TEXT( '\0' );
status = cryptGetAttributeString( cryptCert, CRYPT_CERTINFO_EMAIL,
email, &length );
}
if( cryptStatusOK( status ) )
{
int i;
#ifdef UNICODE_STRINGS
length /= sizeof( wchar_t );
#endif /* UNICODE_STRINGS */
email[ length ] = TEXT( '\0' );
/* Mess up the case to make sure that case-insensitive matching is
working */
for( i = 0; i < length; i++ )
{
if( i & 1 )
email[ i ] = toupper( email[ i ] );
else
email[ i ] = tolower( email[ i ] );
}
}
else
{
return( extErrorExit( cryptCert, "cryptGetAttributeString()", status,
__LINE__ ) );
}
cryptDestroyCert( cryptCert );
puts( "Testing certificate database read..." );
status = testKeysetRead( DATABASE_KEYSET_TYPE, DATABASE_KEYSET_NAME,
CRYPT_KEYID_NAME, name,
CRYPT_CERTTYPE_CERTIFICATE,
READ_OPTION_NORMAL );
if( status == CRYPT_ERROR_NOTAVAIL )
{
/* Database keyset access not available */
return( CRYPT_ERROR_NOTAVAIL );
}
if( status == CRYPT_ERROR_FAILED )
{
puts( "This is probably because you haven't set up a database or "
"data source for use\nas a key database. For this test to "
"work, you need to set up a database/data\nsource with the "
"name '" DATABASE_KEYSET_NAME_ASCII "'.\n" );
return( TRUE );
}
if( !status )
return( FALSE );
puts( "Reading certs using cached query." );
status = testKeysetRead( DATABASE_KEYSET_TYPE, DATABASE_KEYSET_NAME,
CRYPT_KEYID_EMAIL, email,
CRYPT_CERTTYPE_CERTIFICATE,
READ_OPTION_MULTIPLE );
if( !status )
return( FALSE );
/* Get the DN from one of the test certificate chains */
filenameParamFromTemplate( filenameBuffer, CERTCHAIN_FILE_TEMPLATE,
CERT_CHAIN_NO );
status = importCertFile( &cryptCert, filenameBuffer );
if( cryptStatusError( status ) )
{
printf( "Couldn't read certificate chain from file, status %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
status = cryptGetAttributeString( cryptCert, CRYPT_CERTINFO_COMMONNAME,
name, &length );
if( cryptStatusOK( status ) )
{
#ifdef UNICODE_STRINGS
length /= sizeof( wchar_t );
#endif /* UNICODE_STRINGS */
name[ length ] = TEXT( '\0' );
}
cryptDestroyCert( cryptCert );
/* Now read the complete certificate chain */
puts( "Reading complete certificate chain." );
status = testKeysetRead( DATABASE_KEYSET_TYPE, DATABASE_KEYSET_NAME,
CRYPT_KEYID_NAME, name,
CRYPT_CERTTYPE_CERTCHAIN, READ_OPTION_NORMAL );
if( !status )
return( FALSE );
puts( "Certificate database read succeeded.\n" );
return( TRUE );
}
static int testKeysetWrite( const CRYPT_KEYSET_TYPE keysetType,
const C_STR keysetName )
{
CRYPT_KEYSET cryptKeyset;
CRYPT_CERTIFICATE cryptCert;
CRYPT_CONTEXT pubKeyContext, privKeyContext;
C_CHR filenameBuffer[ FILENAME_BUFFER_SIZE ];
C_CHR name[ CRYPT_MAX_TEXTSIZE + 1 ];
int length, status;
/* Import the certificate from a file - this is easier than creating one
from scratch. We use one of the later certs in the test set, since
this contains an email address, which the earlier ones don't */
status = importCertFromTemplate( &cryptCert, CERT_FILE_TEMPLATE,
EMAILADDR_CERT_NO );
if( cryptStatusError( status ) )
{
printf( "Couldn't read certificate from file, status %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
/* Make sure that the certificate does actually contain an email
address */
status = cryptGetAttributeString( cryptCert, CRYPT_CERTINFO_EMAIL,
name, &length );
if( cryptStatusError( status ) )
{
printf( "Certificate doesn't contain an email address and can't be "
"used for testing,\n line %d.\n", __LINE__ );
return( FALSE );
}
/* Create the database keyset with a check to make sure this access
method exists so we can return an appropriate error message. If the
database table already exists, this will return a duplicate data
error so we retry the open with no flags to open the existing database
keyset for write access */
status = cryptKeysetOpen( &cryptKeyset, CRYPT_UNUSED, keysetType,
keysetName, CRYPT_KEYOPT_CREATE );
if( cryptStatusOK( status ) )
printf( "Created new certificate database '%s'.\n", keysetName );
if( status == CRYPT_ERROR_PARAM3 )
{
/* This type of keyset access isn't available, return a special error
code to indicate that the test wasn't performed, but that this
isn't a reason to abort processing */
cryptDestroyCert( cryptCert );
return( CRYPT_ERROR_NOTAVAIL );
}
if( status == CRYPT_ERROR_DUPLICATE )
status = cryptKeysetOpen( &cryptKeyset, CRYPT_UNUSED, keysetType,
keysetName, 0 );
if( cryptStatusError( status ) )
{
cryptDestroyCert( cryptCert );
printf( "cryptKeysetOpen() failed with error code %d, line %d.\n",
status, __LINE__ );
if( status == CRYPT_ERROR_OPEN )
return( CRYPT_ERROR_FAILED );
return( FALSE );
}
/* Write the key to the database */
puts( "Adding certificate." );
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( status == CRYPT_ERROR_DUPLICATE )
{
/* The key is already present, delete it and retry the write */
status = cryptGetAttributeString( cryptCert,
CRYPT_CERTINFO_COMMONNAME, name, &length );
if( cryptStatusOK( status ) )
{
#ifdef UNICODE_STRINGS
length /= sizeof( wchar_t );
#endif /* UNICODE_STRINGS */
name[ length ] = TEXT( '\0' );
status = cryptDeleteKey( cryptKeyset, CRYPT_KEYID_NAME, name );
}
if( cryptStatusError( status ) )
return( extErrorExit( cryptKeyset, "cryptDeleteKey()", status,
__LINE__ ) );
status = cryptAddPublicKey( cryptKeyset, cryptCert );
}
if( cryptStatusError( status ) )
{
printExtError( cryptKeyset, "cryptAddPublicKey()", status, __LINE__ );
/* LDAP writes can fail due to the chosen directory not supporting the
schema du jour, so we're a bit more careful about cleaning up since
we'll skip the error and continue processing */
cryptDestroyCert( cryptCert );
cryptKeysetClose( cryptKeyset );
return( FALSE );
}
cryptDestroyCert( cryptCert );
/* Add a second certificate with C=US so that we've got enough certs to
properly exercise the query code. This certificate is highly unusual
in that it doesn't have a DN, so we have to move up the DN looking
for higher-up values, in this case the OU */
if( keysetType != CRYPT_KEYSET_LDAP )
{
status = importCertFromTemplate( &cryptCert, CERT_FILE_TEMPLATE, 2 );
if( cryptStatusError( status ) )
{
printf( "Couldn't read certificate from file, status %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( status == CRYPT_ERROR_DUPLICATE )
{
status = cryptGetAttributeString( cryptCert,
CRYPT_CERTINFO_COMMONNAME, name, &length );
if( cryptStatusError( status ) )
status = cryptGetAttributeString( cryptCert,
CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, name, &length );
if( cryptStatusOK( status ) )
{
#ifdef UNICODE_STRINGS
length /= sizeof( wchar_t );
#endif /* UNICODE_STRINGS */
name[ length ] = TEXT( '\0' );
status = cryptDeleteKey( cryptKeyset, CRYPT_KEYID_NAME, name );
}
if( cryptStatusOK( status ) )
status = cryptAddPublicKey( cryptKeyset, cryptCert );
}
if( cryptStatusError( status ) )
return( extErrorExit( cryptKeyset, "cryptAddPublicKey()",
status, __LINE__ ) );
cryptDestroyCert( cryptCert );
}
/* Add a third certificate with a DN that'll cause problems for some
storage technologies */
if( !loadRSAContexts( CRYPT_UNUSED, &pubKeyContext, &privKeyContext ) )
return( FALSE );
status = cryptCreateCert( &cryptCert, CRYPT_UNUSED,
CRYPT_CERTTYPE_CERTIFICATE );
if( cryptStatusError( status ) )
{
printf( "cryptCreateCert() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
status = cryptSetAttribute( cryptCert,
CRYPT_CERTINFO_SUBJECTPUBLICKEYINFO, pubKeyContext );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptCert, "cryptSetAttribute()", status,
__LINE__ ) );
if( !addCertFields( cryptCert, sqlCertData, __LINE__ ) )
return( FALSE );
status = cryptSignCert( cryptCert, privKeyContext );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptCert, "cryptSignCert()", status,
__LINE__ ) );
destroyContexts( CRYPT_UNUSED, pubKeyContext, privKeyContext );
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( cryptStatusError( status ) )
{
/* The key is already present, delete it and retry the write */
status = cryptGetAttributeString( cryptCert,
CRYPT_CERTINFO_COMMONNAME, name, &length );
if( cryptStatusOK( status ) )
{
#ifdef UNICODE_STRINGS
length /= sizeof( wchar_t );
#endif /* UNICODE_STRINGS */
name[ length ] = TEXT( '\0' );
status = cryptDeleteKey( cryptKeyset, CRYPT_KEYID_NAME, name );
}
if( cryptStatusError( status ) )
return( extErrorExit( cryptKeyset, "cryptDeleteKey()", status,
__LINE__ ) );
status = cryptAddPublicKey( cryptKeyset, cryptCert );
}
if( cryptStatusError( status ) )
{
return( extErrorExit( cryptKeyset, "cryptAddPublicKey()",
status, __LINE__ ) );
}
cryptDestroyCert( cryptCert );
/* Now try the same thing with a CRL. This code also tests the
duplicate-detection mechanism, if we don't get a duplicate error
there's a problem */
puts( "Adding CRL." );
status = importCertFromTemplate( &cryptCert, CRL_FILE_TEMPLATE, 1 );
if( cryptStatusError( status ) )
{
printf( "Couldn't read CRL from file, status %d, line %d.\n",
status, __LINE__ );
return( TRUE );
}
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( cryptStatusError( status ) && status != CRYPT_ERROR_DUPLICATE )
return( extErrorExit( cryptKeyset, "cryptAddPublicKey()", status,
__LINE__ ) );
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( status != CRYPT_ERROR_DUPLICATE )
{
printf( "Addition of duplicate item to keyset failed to produce "
"CRYPT_ERROR_DUPLICATE, status %d, line %d.\n", status,
__LINE__ );
return( FALSE );
}
cryptDestroyCert( cryptCert );
/* Finally, try it with a certificate chain */
puts( "Adding certificate chain." );
filenameParamFromTemplate( filenameBuffer, CERTCHAIN_FILE_TEMPLATE,
CERT_CHAIN_NO );
status = importCertFile( &cryptCert, filenameBuffer );
if( cryptStatusError( status ) )
{
printf( "Couldn't read certificate chain from file, status %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( cryptStatusError( status ) && status != CRYPT_ERROR_DUPLICATE )
return( extErrorExit( cryptKeyset, "cryptAddPublicKey()", status,
__LINE__ ) );
cryptDestroyCert( cryptCert );
/* In addition to the other certs we also add the generic user
certificate, which is used later in other tests. Since it may have
been added earlier we try and delete it first (we can't use the
existing version since the issuerAndSerialNumber won't match the one
in the private-key keyset) */
status = getPublicKey( &cryptCert, USER_PRIVKEY_FILE,
USER_PRIVKEY_LABEL );
if( cryptStatusError( status ) )
{
printf( "Couldn't read user certificate from file, status %d, line "
"%d.\n", status, __LINE__ );
return( FALSE );
}
status = cryptGetAttributeString( cryptCert, CRYPT_CERTINFO_COMMONNAME,
name, &length );
if( cryptStatusError( status ) )
return( FALSE );
#ifdef UNICODE_STRINGS
length /= sizeof( wchar_t );
#endif /* UNICODE_STRINGS */
name[ length ] = TEXT( '\0' );
do
status = cryptDeleteKey( cryptKeyset, CRYPT_KEYID_NAME, name );
while( cryptStatusOK( status ) );
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( status == CRYPT_ERROR_NOTFOUND )
{
/* This can occur if a database keyset is defined but hasn't been
initialised yet so the necessary tables don't exist, it can be
opened but an attempt to add a key will return a not found error
since it's the table itself rather than any item within it that
isn't being found */
status = CRYPT_OK;
}
if( cryptStatusError( status ) )
return( extErrorExit( cryptKeyset, "cryptAddPublicKey()", status,
__LINE__ ) );
cryptDestroyCert( cryptCert );
/* Finally, if ECC is enabled we also add ECC certificates that are used
later in other tests */
if( cryptStatusOK( cryptQueryCapability( CRYPT_ALGO_ECDSA, NULL ) ) )
{
#ifdef UNICODE_STRINGS
wchar_t wcBuffer[ FILENAME_BUFFER_SIZE ];
#endif /* UNICODE_STRINGS */
void *fileNamePtr = filenameBuffer;
/* Add the P256 certificate */
filenameFromTemplate( filenameBuffer,
SERVER_ECPRIVKEY_FILE_TEMPLATE, 256 );
#ifdef UNICODE_STRINGS
mbstowcs( wcBuffer, filenameBuffer, strlen( filenameBuffer ) + 1 );
fileNamePtr = wcBuffer;
#endif /* UNICODE_STRINGS */
status = getPublicKey( &cryptCert, fileNamePtr,
USER_PRIVKEY_LABEL );
if( cryptStatusError( status ) )
{
printf( "Couldn't read user certificate from file, status %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( cryptStatusError( status ) && status != CRYPT_ERROR_DUPLICATE )
return( extErrorExit( cryptKeyset, "cryptAddPublicKey()", status,
__LINE__ ) );
cryptDestroyCert( cryptCert );
/* Add the P384 certificate */
filenameFromTemplate( filenameBuffer,
SERVER_ECPRIVKEY_FILE_TEMPLATE, 384 );
#ifdef UNICODE_STRINGS
mbstowcs( wcBuffer, filenameBuffer, strlen( filenameBuffer ) + 1 );
fileNamePtr = wcBuffer;
#endif /* UNICODE_STRINGS */
status = getPublicKey( &cryptCert, fileNamePtr,
USER_PRIVKEY_LABEL );
if( cryptStatusError( status ) )
{
printf( "Couldn't read user certificate from file, status %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( cryptStatusError( status ) && status != CRYPT_ERROR_DUPLICATE )
return( extErrorExit( cryptKeyset, "cryptAddPublicKey()", status,
__LINE__ ) );
cryptDestroyCert( cryptCert );
}
/* Make sure the deletion code works properly. This is an artifact of
the way RDBMS' work, the delete query can execute successfully but
not delete anything so we make sure the glue code correctly
translates this into a CRYPT_DATA_NOTFOUND */
status = cryptDeleteKey( cryptKeyset, CRYPT_KEYID_NAME,
TEXT( "Mr.Not Appearing in this Keyset" ) );
if( status != CRYPT_ERROR_NOTFOUND )
{
puts( "Attempt to delete a nonexistant key reports success, the "
"database backend glue\ncode needs to be fixed to handle this "
"correctly." );
return( FALSE );
}
/* Close the keyset */
status = cryptKeysetClose( cryptKeyset );
if( cryptStatusError( status ) )
{
printf( "cryptKeysetClose() failed with error code %d, line %d.\n",
status, __LINE__ );
}
return( TRUE );
}
static int testKeysetRead( const CRYPT_KEYSET_TYPE keysetType,
const C_STR keysetName,
const CRYPT_KEYID_TYPE keyType,
const C_STR keyName,
const CRYPT_CERTTYPE_TYPE type,
const int option )
{
CRYPT_KEYSET cryptKeyset;
CRYPT_CERTIFICATE cryptCert;
BOOLEAN isCertChain = FALSE;
int value, status;
/* Open the keyset with a check to make sure this access method exists
so we can return an appropriate error message */
status = cryptKeysetOpen( &cryptKeyset, CRYPT_UNUSED, keysetType,
keysetName, CRYPT_KEYOPT_READONLY );
if( status == CRYPT_ERROR_PARAM3 )
{
/* This type of keyset access not available */
return( CRYPT_ERROR_NOTAVAIL );
}
if( cryptStatusError( status ) )
{
printf( "cryptKeysetOpen() failed with error code %d, line %d.\n",
status, __LINE__ );
return( CRYPT_ERROR_FAILED );
}
/* Read the certificate from the keyset */
status = cryptGetPublicKey( cryptKeyset, &cryptCert, keyType, keyName );
if( cryptStatusError( status ) )
{
/* The access to network-accessible keysets can be rather
temperamental and can fail at this point even though it's not a
fatal error. The calling code knows this and will continue the
self-test with an appropriate warning, so we explicitly clean up
after ourselves to make sure we don't get a CRYPT_ORPHAN on
shutdown */
if( keysetType == CRYPT_KEYSET_HTTP && \
status == CRYPT_ERROR_NOTFOUND )
{
/* 404's are relatively common, and non-fatal */
extErrorExit( cryptKeyset, "cryptGetPublicKey()", status, __LINE__ );
puts( " (404 is a common HTTP error, and non-fatal)." );
return( TRUE );
}
return( extErrorExit( cryptKeyset, "cryptGetPublicKey()", status,
__LINE__ ) );
}
/* Make sure that we got what we were expecting */
status = cryptGetAttribute( cryptCert, CRYPT_CERTINFO_CERTTYPE,
&value );
if( cryptStatusError( status ) || ( value != type ) )
{
printf( "Expecting certificate object type %d, got %d, line %d.",
type, value, __LINE__ );
return( FALSE );
}
if( value == CRYPT_CERTTYPE_CERTCHAIN )
isCertChain = TRUE;
if( value == CRYPT_CERTTYPE_CERTCHAIN || value == CRYPT_CERTTYPE_CRL )
{
value = 0;
cryptSetAttribute( cryptCert, CRYPT_CERTINFO_CURRENT_CERTIFICATE,
CRYPT_CURSOR_FIRST );
do
value++;
while( cryptSetAttribute( cryptCert,
CRYPT_CERTINFO_CURRENT_CERTIFICATE,
CRYPT_CURSOR_NEXT ) == CRYPT_OK );
printf( isCertChain ? "Certificate chain length = %d.\n" : \
"CRL has %d entries.\n", value );
}
/* Check the certificate against the CRL. Any kind of error is a
failure since the certificate isn't in the CRL */
if( keysetType != CRYPT_KEYSET_LDAP && \
keysetType != CRYPT_KEYSET_HTTP )
{
if( !checkKeysetCRL( cryptKeyset, cryptCert, isCertChain ) )
return( FALSE );
}
cryptDestroyCert( cryptCert );
/* If we're reading multiple certs using the same (cached) query type,
try re-reading the certificate. This can't be easily tested from the
outside because it's database back-end specific, so it'll require
attaching a debugger to the read code to make sure that the cacheing
is working as required */
if( option == READ_OPTION_MULTIPLE )
{
int i;
for( i = 0; i < 3; i++ )
{
status = cryptGetPublicKey( cryptKeyset, &cryptCert, keyType,
keyName );
if( cryptStatusError( status ) )
{
printf( "cryptGetPublicKey() with cached query failed with "
"error code %d, line %d.\n", status, __LINE__ );
return( FALSE );
}
cryptDestroyCert( cryptCert );
}
}
/* Close the keyset */
status = cryptKeysetClose( cryptKeyset );
if( cryptStatusError( status ) )
{
printf( "cryptKeysetClose() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
return( TRUE );
}
