static void
test_KeyUsages(void)
{
PKIX_ComCertSelParams *goodParams = NULL;
PKIX_PL_OID *ekuOid = NULL;
PKIX_List *setExtKeyUsage = NULL;
PKIX_List *getExtKeyUsage = NULL;
PKIX_UInt32 getKeyUsage = 0;
PKIX_UInt32 setKeyUsage = 0x1FF;
PKIX_Boolean isEqual = PKIX_FALSE;
PKIX_TEST_STD_VARS();
subTest("PKIX_ComCertSelParams_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext));
subTest("PKIX_ComCertSelParams_SetKeyUsage");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetKeyUsage(goodParams, setKeyUsage, plContext));
subTest("PKIX_ComCertSelParams_GetKeyUsage");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetKeyUsage(goodParams, &getKeyUsage, plContext));
if (setKeyUsage != getKeyUsage) {
testError("unexpected KeyUsage mismatch <expect equal>");
}
subTest("PKIX_PL_OID List create and append");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setExtKeyUsage, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.3.6.1.5.5.7.3.1", &ekuOid, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setExtKeyUsage, (PKIX_PL_Object *)ekuOid, plContext));
PKIX_TEST_DECREF_BC(ekuOid);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.3.6.1.5.5.7.3.8", &ekuOid, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setExtKeyUsage, (PKIX_PL_Object *)ekuOid, plContext));
PKIX_TEST_DECREF_BC(ekuOid);
subTest("PKIX_ComCertSelParams_SetExtendedKeyUsage");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage(goodParams, setExtKeyUsage, plContext));
subTest("PKIX_ComCertSelParams_GetExtendedKeyUsage");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetExtendedKeyUsage(goodParams, &getExtKeyUsage, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setExtKeyUsage,
(PKIX_PL_Object *)getExtKeyUsage,
&isEqual,
plContext));
if (isEqual == PKIX_FALSE) {
testError("unexpected ExtKeyUsage mismatch <expect equal>");
}
cleanup:
PKIX_TEST_DECREF_AC(ekuOid);
PKIX_TEST_DECREF_AC(setExtKeyUsage);
PKIX_TEST_DECREF_AC(getExtKeyUsage);
PKIX_TEST_DECREF_AC(goodParams);
PKIX_TEST_RETURN();
}
/*
* FUNCTION: PKIX_ProcessingParams_AddCertStore
* (see comments in pkix_params.h)
*/
PKIX_Error *
PKIX_ProcessingParams_AddCertStore(
PKIX_ProcessingParams *params,
PKIX_CertStore *store,
void *plContext)
{
PKIX_List *certStores = NULL;
PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_AddCertStore");
PKIX_NULLCHECK_TWO(params, store);
PKIX_CHECK(PKIX_ProcessingParams_GetCertStores
(params, &certStores, plContext),
PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);
PKIX_CHECK(PKIX_List_AppendItem
(certStores, (PKIX_PL_Object *)store, plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)params, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
cleanup:
PKIX_DECREF(certStores);
PKIX_RETURN(PROCESSINGPARAMS);
}
/*
* FUNCTION: PKIX_ComCertSelParams_AddPathToName
* (see comments in pkix_certsel.h)
*/
PKIX_Error *
PKIX_ComCertSelParams_AddPathToName(
PKIX_ComCertSelParams *params,
PKIX_PL_GeneralName *name,
void *plContext)
{
PKIX_List *pathToNamesList = NULL;
PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_AddPathToName");
PKIX_NULLCHECK_ONE(params);
if (name == NULL) {
goto cleanup;
}
if (params->pathToNames == NULL) {
/* Create a list for name item */
PKIX_CHECK(PKIX_List_Create(&pathToNamesList, plContext),
PKIX_LISTCREATEFAILED);
params->pathToNames = pathToNamesList;
}
PKIX_CHECK(PKIX_List_AppendItem
(params->pathToNames, (PKIX_PL_Object *)name, plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)params, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
cleanup:
PKIX_RETURN(COMCERTSELPARAMS);
}
/*
* FUNCTION: PKIX_ComCertSelParams_AddSubjAltNames
* (see comments in pkix_certsel.h)
*/
PKIX_Error *
PKIX_ComCertSelParams_AddSubjAltName(
PKIX_ComCertSelParams *params,
PKIX_PL_GeneralName *name,
void *plContext)
{
PKIX_List *list = NULL;
PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_AddSubjAltName");
PKIX_NULLCHECK_TWO(params, name);
if (params->subjAltNames == NULL) {
PKIX_CHECK(PKIX_List_Create(&list, plContext),
PKIX_LISTCREATEFAILED);
params->subjAltNames = list;
}
PKIX_CHECK(PKIX_List_AppendItem
(params->subjAltNames, (PKIX_PL_Object *)name, plContext),
PKIX_LISTAPPENDITEMFAILED);
cleanup:
PKIX_RETURN(COMCERTSELPARAMS)
}
static
void testLogErrors(
PKIX_ERRORCLASS module,
PKIX_UInt32 loggingLevel,
PKIX_List *loggers,
void *plContext)
{
PKIX_Logger *logger = NULL;
PKIX_PL_String *component = NULL;
PKIX_TEST_STD_VARS();
PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_Create
(loggerCallback, NULL, &logger, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetLoggingComponent
(logger, module, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetMaxLoggingLevel
(logger, loggingLevel, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(loggers, (PKIX_PL_Object *) logger, plContext));
cleanup:
PKIX_TEST_DECREF_AC(logger);
PKIX_TEST_DECREF_AC(component);
PKIX_TEST_RETURN();
}
/*
* This function creates a crlSelector with ComCrlSelParams set up to
* select entries whose Issuer Name matches that in the given Crl.
*/
static void
test_makeIssuerCRLSelector(
PKIX_PL_CRL *crlNameToMatch,
PKIX_CRLSelector **pSelector,
void *plContext)
{
PKIX_CRLSelector *selector = NULL;
PKIX_ComCRLSelParams *issuerParams = NULL;
PKIX_PL_X500Name *issuerName = NULL;
PKIX_List *names = NULL;
PKIX_TEST_STD_VARS();
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create(NULL, NULL, &selector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create(&issuerParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetIssuer(crlNameToMatch, &issuerName, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&names, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(names, (PKIX_PL_Object *)issuerName, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetIssuerNames(issuerParams, names, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_SetCommonCRLSelectorParams(selector, issuerParams, plContext));
*pSelector = selector;
cleanup:
PKIX_TEST_DECREF_AC(issuerParams);
PKIX_TEST_DECREF_AC(issuerName);
PKIX_TEST_DECREF_AC(names);
PKIX_TEST_RETURN();
}
static
void testGetSetCertChainCheckers(
PKIX_ProcessingParams *goodObject,
PKIX_ProcessingParams *equalObject){
PKIX_CertChainChecker *checker = NULL;
PKIX_List *setCheckersList = NULL;
PKIX_List *getCheckersList = NULL;
PKIX_PL_Date *date = NULL;
char *asciiDate = "040329134847Z";
PKIX_TEST_STD_VARS();
subTest("PKIX_ProcessingParams_Get/SetCertChainCheckers");
date = createDate(asciiDate, plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
(userChecker1cb,
PKIX_FALSE,
PKIX_FALSE,
NULL,
(PKIX_PL_Object *) date,
&checker,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
(&setCheckersList, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(setCheckersList, (PKIX_PL_Object *) checker, plContext));
PKIX_TEST_DECREF_BC(checker);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertChainCheckers
(goodObject, setCheckersList, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
(userChecker1cb,
PKIX_FALSE,
PKIX_FALSE,
NULL,
(PKIX_PL_Object *) date,
&checker,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertChainChecker
(goodObject, checker, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetCertChainCheckers
(goodObject, &getCheckersList, plContext));
cleanup:
PKIX_TEST_DECREF_AC(setCheckersList);
PKIX_TEST_DECREF_AC(getCheckersList);
PKIX_TEST_DECREF_AC(date);
PKIX_TEST_DECREF_BC(checker);
PKIX_TEST_RETURN();
}
/*
* FUNCTION: PKIX_List_ReverseList (see comments in pkix_util.h)
*/
PKIX_Error *
PKIX_List_ReverseList(
PKIX_List *list,
PKIX_List **pReversedList,
void *plContext)
{
PKIX_List *reversedList = NULL;
PKIX_PL_Object *item = NULL;
PKIX_PL_Object *duplicateItem = NULL;
PKIX_UInt32 length, i;
PKIX_ENTER(LIST, "pkix_List_ReverseList");
PKIX_NULLCHECK_TWO(list, pReversedList);
if (!list->isHeader){
PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
}
length = list->length;
/* Create a new list object */
PKIX_CHECK(PKIX_List_Create(&reversedList, plContext),
PKIX_LISTCREATEINTERNALFAILED);
/*
* Starting with the last item and traversing backwards (from
* the original list), append each item to the reversed list
*/
for (i = 1; i <= length; i++){
PKIX_CHECK(PKIX_List_GetItem
(list, (length - i), &item, plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(PKIX_PL_Object_Duplicate
(item, &duplicateItem, plContext),
PKIX_LISTDUPLICATEFAILED);
PKIX_CHECK(PKIX_List_AppendItem
(reversedList, duplicateItem, plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_DECREF(item);
PKIX_DECREF(duplicateItem);
}
*pReversedList = reversedList;
cleanup:
PKIX_DECREF(item);
PKIX_DECREF(duplicateItem);
if (PKIX_ERROR_RECEIVED){
PKIX_DECREF(reversedList);
}
PKIX_RETURN(LIST);
}
PKIX_List *
createCertChain(
char *dirName,
char *firstCertFileName,
char *secondCertFileName,
void *plContext)
{
PKIX_PL_Cert *firstCert = NULL;
PKIX_PL_Cert *secondCert = NULL;
PKIX_List *certList = NULL;
PKIX_TEST_STD_VARS();
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certList, plContext));
firstCert = createCert(dirName, firstCertFileName, plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(certList, (PKIX_PL_Object *)firstCert, plContext));
if (secondCertFileName){
secondCert = createCert(dirName, secondCertFileName, plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(certList, (PKIX_PL_Object *)secondCert, plContext));
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
(certList, plContext));
cleanup:
if (PKIX_TEST_ERROR_RECEIVED){
PKIX_TEST_DECREF_AC(certList);
}
PKIX_TEST_DECREF_AC(firstCert);
PKIX_TEST_DECREF_AC(secondCert);
PKIX_TEST_RETURN();
return (certList);
}
PKIX_List *
createCertChainPlus(
char *dirName,
char *certNames[],
PKIX_PL_Cert *certs[],
PKIX_UInt32 numCerts,
void *plContext)
{
PKIX_List *certList = NULL;
PKIX_UInt32 i;
PKIX_TEST_STD_VARS();
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certList, plContext));
for (i = 0; i < numCerts; i++) {
certs[i] = createCert(dirName, certNames[i], plContext);
/* Create Cert may fail */
if (certs[i] == NULL) {
PKIX_TEST_DECREF_BC(certList);
goto cleanup;
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(certList,
(PKIX_PL_Object *)certs[i],
plContext));
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
(certList, plContext));
cleanup:
if (PKIX_TEST_ERROR_RECEIVED){
PKIX_TEST_DECREF_AC(certList);
}
for (i = 0; i < numCerts; i++) {
PKIX_TEST_DECREF_AC(certs[i]);
}
PKIX_TEST_RETURN();
return (certList);
}
/*
* FUNCTION: pkix_pl_OID_GetCriticalExtensionOIDs
* DESCRIPTION:
*
* Converts the extensions in "extensions" array that are critical to
* PKIX_PL_OID and returns the result as a PKIX_List in "pPidList".
* If there is no critical extension, an empty list is returned.
*
* PARAMETERS
* "extension"
* an array of extension pointers. May be NULL.
* "pOidsList"
* Address where the list of OIDs is returned. Must be non-NULL.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a CRL Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_pl_OID_GetCriticalExtensionOIDs(
CERTCertExtension **extensions,
PKIX_List **pOidsList,
void *plContext)
{
PKIX_List *oidsList = NULL;
PKIX_PL_OID *pkixOID = NULL;
PKIX_ENTER(OID, "pkix_pl_OID_GetCriticalExtensionOIDs");
PKIX_NULLCHECK_ONE(pOidsList);
PKIX_CHECK(PKIX_List_Create(&oidsList, plContext),
PKIX_LISTCREATEFAILED);
if (extensions) {
while (*extensions) {
CERTCertExtension *extension = NULL;
SECItem *critical = NULL;
SECItem *oid = NULL;
extension = *extensions++;
/* extension is critical ? */
critical = &extension->critical;
if (critical->len == 0 || critical->data[0] == 0) {
continue;
}
oid = &extension->id;
PKIX_CHECK(
PKIX_PL_OID_CreateBySECItem(oid, &pkixOID, plContext),
PKIX_OIDCREATEFAILED);
PKIX_CHECK(
PKIX_List_AppendItem(oidsList, (PKIX_PL_Object *)pkixOID,
plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_DECREF(pkixOID);
}
}
*pOidsList = oidsList;
oidsList = NULL;
cleanup:
PKIX_DECREF(oidsList);
PKIX_DECREF(pkixOID);
PKIX_RETURN(OID);
}
/*
* FUNCTION: pkix_EkuChecker_Initialize
* (see comments in pkix_sample_modules.h)
*/
PKIX_Error *
PKIX_EkuChecker_Create(
PKIX_ProcessingParams *params,
PKIX_CertChainChecker **pEkuChecker,
void *plContext)
{
pkix_EkuChecker *state = NULL;
PKIX_List *critExtOIDsList = NULL;
PKIX_ENTER(EKUCHECKER, "PKIX_EkuChecker_Initialize");
PKIX_NULLCHECK_ONE(params);
/*
* This function and functions in this file provide an example of how
* an application defined checker can be hooked into libpkix.
*/
PKIX_CHECK(pkix_EkuChecker_Create
(params, &state, plContext),
PKIX_EKUCHECKERSTATECREATEFAILED);
PKIX_CHECK(PKIX_List_Create(&critExtOIDsList, plContext),
PKIX_LISTCREATEFAILED);
PKIX_CHECK(PKIX_List_AppendItem
(critExtOIDsList,
(PKIX_PL_Object *)state->ekuOID,
plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_CHECK(PKIX_CertChainChecker_Create
(pkix_EkuChecker_Check,
PKIX_TRUE, /* forwardCheckingSupported */
PKIX_FALSE, /* forwardDirectionExpected */
critExtOIDsList,
(PKIX_PL_Object *) state,
pEkuChecker,
plContext),
PKIX_CERTCHAINCHECKERCREATEFAILED);
cleanup:
PKIX_DECREF(critExtOIDsList);
PKIX_DECREF(state);
PKIX_RETURN(EKUCHECKER);
}
/*
* FUNCTION: pkix_PolicyNode_AddToParent
* DESCRIPTION:
*
* Adds the PolicyNode pointed to by "child" to the List of children of
* the PolicyNode pointed to by "parentNode". If "parentNode" had a
* NULL pointer for the List of children, a new List is created containing
* "child". Otherwise "child" is appended to the existing List. The
* parent field in "child" is set to "parent", and the depth field is
* set to one more than the corresponding value in "parent".
*
* Depth, in this context, means distance from the root node, which
* is at depth zero.
*
* PARAMETERS:
* "parentNode"
* Address of PolicyNode whose List of child PolicyNodes is to be
* created or appended to. Must be non-NULL.
* "child"
* Address of PolicyNode to be added to parentNode's List. Must be
* non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a PolicyNode Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_PolicyNode_AddToParent(
PKIX_PolicyNode *parentNode,
PKIX_PolicyNode *child,
void *plContext)
{
PKIX_List *listOfChildren = NULL;
PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_AddToParent");
PKIX_NULLCHECK_TWO(parentNode, child);
listOfChildren = parentNode->children;
if (listOfChildren == NULL) {
PKIX_CHECK(PKIX_List_Create(&listOfChildren, plContext),
PKIX_LISTCREATEFAILED);
parentNode->children = listOfChildren;
}
/*
* Note: this link is not reference-counted. The link from parent
* to child is counted (actually, the parent "owns" a List which
* "owns" children), but the children do not "own" the parent.
* Otherwise, there would be loops.
*/
child->parent = parentNode;
child->depth = 1 + (parentNode->depth);
PKIX_CHECK(PKIX_List_AppendItem
(listOfChildren, (PKIX_PL_Object *)child, plContext),
PKIX_COULDNOTAPPENDCHILDTOPARENTSPOLICYNODELIST);
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)parentNode, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)child, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
cleanup:
PKIX_RETURN(CERTPOLICYNODE);
}
static
void test_CreateOIDList(PKIX_List *certPolicyInfos, PKIX_List **pPolicyOIDs)
{
PKIX_UInt32 i = 0;
PKIX_UInt32 numInfos = 0;
PKIX_PL_CertPolicyInfo *certPolicyInfo = NULL;
PKIX_PL_OID *policyOID = NULL;
PKIX_List *certPolicies = NULL;
PKIX_TEST_STD_VARS();
/* Convert from List of CertPolicyInfos to List of OIDs */
if (certPolicyInfos) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
(certPolicyInfos, &numInfos, plContext));
}
if (numInfos > 0) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
(&certPolicies, plContext));
}
for (i = 0; i < numInfos; i++) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
(certPolicyInfos,
i,
(PKIX_PL_Object **)&certPolicyInfo,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
(certPolicyInfo, &policyOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(certPolicies, (PKIX_PL_Object *)policyOID, plContext));
PKIX_TEST_DECREF_BC(certPolicyInfo);
PKIX_TEST_DECREF_BC(policyOID);
}
*pPolicyOIDs = certPolicies;
cleanup:
PKIX_TEST_DECREF_AC(certPolicyInfo);
PKIX_TEST_DECREF_AC(policyOID);
PKIX_TEST_RETURN();
}
/*
* FUNCTION: pkix_List_AppendList
* DESCRIPTION:
*
* Append items on "fromList" to the "toList". Item reference count on
* "toList" is not incremented, but items appended from "fromList" are
* incremented.
*
* PARAMETERS:
* "toList"
* Address of list to be appended to. Must be non-NULL.
* "fromList"
* Address of list to be appended from. May be NULL or empty.
* "plContext"
* platform-specific context pointer
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a List Error if the functions fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
PKIX_Error *
pkix_List_AppendList(
PKIX_List *toList,
PKIX_List *fromList,
void *plContext)
{
PKIX_PL_Object *item = NULL;
PKIX_UInt32 numItems = 0;
PKIX_UInt32 i;
PKIX_ENTER(LIST, "pkix_List_AppendList");
PKIX_NULLCHECK_ONE(toList);
/* if fromList is NULL or is an empty list, no action */
if (fromList == NULL) {
goto cleanup;
}
PKIX_CHECK(PKIX_List_GetLength(fromList, &numItems, plContext),
PKIX_LISTGETLENGTHFAILED);
if (numItems == 0) {
goto cleanup;
}
for (i = 0; i < numItems; i++) {
PKIX_CHECK(PKIX_List_GetItem
(fromList, i, &item, plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(PKIX_List_AppendItem(toList, item, plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_DECREF(item);
}
cleanup:
PKIX_DECREF(item);
PKIX_RETURN(LIST);
}
static
void testGetSetInitialPolicies(
PKIX_ProcessingParams *goodObject,
char *asciiPolicyOID)
{
PKIX_PL_OID *policyOID = NULL;
PKIX_List* setPolicyList = NULL;
PKIX_List* getPolicyList = NULL;
PKIX_TEST_STD_VARS();
subTest("PKIX_ProcessingParams_Get/SetInitialPolicies");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(asciiPolicyOID, &policyOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setPolicyList, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(setPolicyList, (PKIX_PL_Object *)policyOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_SetImmutable(setPolicyList, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetInitialPolicies
(goodObject, setPolicyList, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetInitialPolicies
(goodObject, &getPolicyList, plContext));
testEqualsHelper
((PKIX_PL_Object *)setPolicyList,
(PKIX_PL_Object *)getPolicyList,
PKIX_TRUE,
plContext);
cleanup:
PKIX_TEST_DECREF_AC(policyOID);
PKIX_TEST_DECREF_AC(setPolicyList);
PKIX_TEST_DECREF_AC(getPolicyList);
PKIX_TEST_RETURN();
}
/*
* FUNCTION: pkix_List_AppendUnique
* DESCRIPTION:
*
* Adds each Object in the List pointed to by "fromList" to the List pointed
* to by "toList", if it is not already a member of that List. In other words,
* "toList" becomes the union of the two sets.
*
* PARAMETERS:
* "toList"
* Address of a List of Objects to be augmented by "fromList". Must be
* non-NULL, but may be empty.
* "fromList"
* Address of a List of Objects to be added, if not already present, to
* "toList". Must be non-NULL, but may be empty.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe - assumes exclusive access to "toList"
* (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
PKIX_Error *
pkix_List_AppendUnique(
PKIX_List *toList,
PKIX_List *fromList,
void *plContext)
{
PKIX_Boolean isContained = PKIX_FALSE;
PKIX_UInt32 listLen = 0;
PKIX_UInt32 listIx = 0;
PKIX_PL_Object *object = NULL;
PKIX_ENTER(BUILD, "pkix_List_AppendUnique");
PKIX_NULLCHECK_TWO(fromList, toList);
PKIX_CHECK(PKIX_List_GetLength(fromList, &listLen, plContext),
PKIX_LISTGETLENGTHFAILED);
for (listIx = 0; listIx < listLen; listIx++) {
PKIX_CHECK(PKIX_List_GetItem
(fromList, listIx, &object, plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(pkix_List_Contains
(toList, object, &isContained, plContext),
PKIX_LISTCONTAINSFAILED);
if (isContained == PKIX_FALSE) {
PKIX_CHECK(PKIX_List_AppendItem
(toList, object, plContext),
PKIX_LISTAPPENDITEMFAILED);
}
PKIX_DECREF(object);
}
cleanup:
PKIX_DECREF(object);
PKIX_RETURN(LIST);
}
/*
* FUNCTION: pkix_VerifyNode_AddToTree
* DESCRIPTION:
*
* Adds the VerifyNode pointed to by "child" to the List of children of the
* VerifyNode pointed to by "parentNode". If "parentNode" has a NULL pointer
* for the List of children, a new List is created containing "child".
* Otherwise "child" is appended to the existing List. The depth field of
* "child" is set to one more than the corresponding value in "parent", and
* if the "child" itself has child nodes, their depth fields are updated
* accordingly.
*
* Depth, in this context, means distance from the root node, which
* is at depth zero.
*
* PARAMETERS:
* "parentNode"
* Address of VerifyNode whose List of child VerifyNodes is to be
* created or appended to. Must be non-NULL.
* "child"
* Address of VerifyNode to be added to parentNode's List. Must be
* non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_VerifyNode_AddToTree(
PKIX_VerifyNode *parentNode,
PKIX_VerifyNode *child,
void *plContext)
{
PKIX_List *listOfChildren = NULL;
PKIX_UInt32 parentDepth = 0;
PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_AddToTree");
PKIX_NULLCHECK_TWO(parentNode, child);
parentDepth = parentNode->depth;
listOfChildren = parentNode->children;
if (listOfChildren == NULL) {
PKIX_CHECK(PKIX_List_Create(&listOfChildren, plContext),
PKIX_LISTCREATEFAILED);
parentNode->children = listOfChildren;
}
child->depth = parentDepth + 1;
PKIX_CHECK(PKIX_List_AppendItem
(parentNode->children, (PKIX_PL_Object *)child, plContext),
PKIX_COULDNOTAPPENDCHILDTOPARENTSVERIFYNODELIST);
if (child->children != NULL) {
PKIX_CHECK(pkix_VerifyNode_SetDepth
(child->children, child->depth + 1, plContext),
PKIX_VERIFYNODESETDEPTHFAILED);
}
cleanup:
PKIX_RETURN(VERIFYNODE);
}
/*
* FUNCTION: PKIX_ProcessingParams_AddCertChainCheckers
* (see comments in pkix_params.h)
*/
PKIX_Error *
PKIX_ProcessingParams_AddCertChainChecker(
PKIX_ProcessingParams *params,
PKIX_CertChainChecker *checker,
void *plContext)
{
PKIX_List *list = NULL;
PKIX_ENTER(PROCESSINGPARAMS,
"PKIX_ProcessingParams_AddCertChainChecker");
PKIX_NULLCHECK_TWO(params, checker);
if (params->certChainCheckers == NULL) {
PKIX_CHECK(PKIX_List_Create(&list, plContext),
PKIX_LISTCREATEFAILED);
params->certChainCheckers = list;
}
PKIX_CHECK(PKIX_List_AppendItem
(params->certChainCheckers, (PKIX_PL_Object *)checker, plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)params, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
list = NULL;
cleanup:
if (list && params) {
PKIX_DECREF(params->certChainCheckers);
}
PKIX_RETURN(PROCESSINGPARAMS);
}
/*
* FUNCTION: pkix_pl_CRL_CreateToList
* DESCRIPTION:
*
* This function decodes a DER-encoded Certificate Revocation List pointed to
* by "derCrlItem", adding the resulting PKIX_PL_CRL, if the decoding was
* successful, to the List (possibly empty) pointed to by "crlList".
*
* PARAMETERS:
* "derCrlItem"
* The address of the SECItem containing the DER-encoded Certificate
* Revocation List. Must be non-NULL.
* "crlList"
* The address of the List to which the decoded CRL is added. May be
* empty, but must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a CertStore Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_pl_CRL_CreateToList(
SECItem *derCrlItem,
PKIX_List *crlList,
void *plContext)
{
CERTSignedCrl *nssCrl = NULL;
PKIX_PL_CRL *crl = NULL;
PKIX_ENTER(CRL, "pkix_pl_CRL_CreateToList");
PKIX_NULLCHECK_TWO(derCrlItem, crlList);
nssCrl = CERT_DecodeDERCrl(NULL, derCrlItem, SEC_CRL_TYPE);
if (nssCrl == NULL) {
goto cleanup;
}
PKIX_CHECK(pkix_pl_CRL_CreateWithSignedCRL
(nssCrl, &crl, plContext),
PKIX_CRLCREATEWITHSIGNEDCRLFAILED);
nssCrl = NULL;
PKIX_CHECK(PKIX_List_AppendItem
(crlList, (PKIX_PL_Object *) crl, plContext),
PKIX_LISTAPPENDITEMFAILED);
cleanup:
if (nssCrl) {
SEC_DestroyCrl(nssCrl);
}
PKIX_DECREF(crl);
PKIX_RETURN(CRL);
}
/*
* FUNCTION: pkix_pl_LdapCertStore_BuildCrlList
* DESCRIPTION:
*
* This function takes a List of LdapResponse objects pointed to by
* "responseList" and extracts and decodes the CRLs in those responses, storing
* the List of those CRLs at "pCrls". If none of the objects can be decoded
* into a CRL, the returned List is empty.
*
* PARAMETERS:
* "responseList"
* The address of the List of LdapResponses. Must be non-NULL.
* "pCrls"
* The address at which the result is stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a CertStore Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_pl_LdapCertStore_BuildCrlList(
PKIX_List *responseList,
PKIX_List **pCrls,
void *plContext)
{
PKIX_UInt32 numResponses = 0;
PKIX_UInt32 respIx = 0;
LdapAttrMask attrBits = 0;
CERTSignedCrl *nssCrl = NULL;
PKIX_PL_LdapResponse *response = NULL;
PKIX_List *crlList = NULL;
PKIX_PL_CRL *crl = NULL;
LDAPMessage *message = NULL;
LDAPSearchResponseEntry *sre = NULL;
LDAPSearchResponseAttr **sreAttrArray = NULL;
LDAPSearchResponseAttr *sreAttr = NULL;
SECItem *attrType = NULL;
SECItem **attrVal = NULL;
SECItem *derCrlCopy = NULL;
SECItem *derCrlItem = NULL;
PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_BuildCrlList");
PKIX_NULLCHECK_TWO(responseList, pCrls);
PKIX_CHECK(PKIX_List_Create(&crlList, plContext),
PKIX_LISTCREATEFAILED);
/* extract crls from response */
PKIX_CHECK(PKIX_List_GetLength
(responseList, &numResponses, plContext),
PKIX_LISTGETLENGTHFAILED);
for (respIx = 0; respIx < numResponses; respIx++) {
PKIX_CHECK(PKIX_List_GetItem
(responseList,
respIx,
(PKIX_PL_Object **)&response,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(pkix_pl_LdapResponse_GetMessage
(response, &message, plContext),
PKIX_LDAPRESPONSEGETMESSAGEFAILED);
sre = &(message->protocolOp.op.searchResponseEntryMsg);
sreAttrArray = sre->attributes;
/* Get next element of null-terminated array */
sreAttr = *sreAttrArray++;
while (sreAttr != NULL) {
attrType = &(sreAttr->attrType);
PKIX_CHECK(pkix_pl_LdapRequest_AttrTypeToBit
(attrType, &attrBits, plContext),
PKIX_LDAPREQUESTATTRTYPETOBITFAILED);
/* Is this attrVal a Revocation List? */
if (((LDAPATTR_CERTREVLIST | LDAPATTR_AUTHREVLIST) &
attrBits) == attrBits) {
attrVal = sreAttr->val;
derCrlItem = *attrVal++;
while (derCrlItem != 0) {
/* create a PKIX_PL_Crl from derCrl */
derCrlCopy = SECITEM_DupItem(derCrlItem);
if (!derCrlCopy) {
PKIX_ERROR(PKIX_ALLOCERROR);
}
/* crl will be based on derCrlCopy, but wont
* own the der. */
nssCrl =
CERT_DecodeDERCrlWithFlags(NULL, derCrlCopy,
SEC_CRL_TYPE,
CRL_DECODE_DONT_COPY_DER |
CRL_DECODE_SKIP_ENTRIES);
if (!nssCrl) {
SECITEM_FreeItem(derCrlCopy, PKIX_TRUE);
continue;
}
/* pkix crl own the der. */
PKIX_CHECK(
pkix_pl_CRL_CreateWithSignedCRL(nssCrl,
derCrlCopy, NULL, &crl, plContext),
PKIX_CRLCREATEWITHSIGNEDCRLFAILED);
/* Left control over memory pointed by derCrlCopy and
* nssCrl to pkix crl. */
derCrlCopy = NULL;
nssCrl = NULL;
PKIX_CHECK(PKIX_List_AppendItem
(crlList, (PKIX_PL_Object *) crl, plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_DECREF(crl);
derCrlItem = *attrVal++;
}
/* Clean up after PKIX_CHECK_ONLY_FATAL */
pkixTempErrorReceived = PKIX_FALSE;
}
sreAttr = *sreAttrArray++;
}
PKIX_DECREF(response);
}
*pCrls = crlList;
crlList = NULL;
cleanup:
if (derCrlCopy) {
SECITEM_FreeItem(derCrlCopy, PKIX_TRUE);
}
if (nssCrl) {
SEC_DestroyCrl(nssCrl);
}
PKIX_DECREF(crl);
PKIX_DECREF(crlList);
PKIX_DECREF(response);
PKIX_RETURN(CERTSTORE);
}
static
PKIX_List *policySetParse(char *policyString)
{
char *p = NULL;
char *oid = NULL;
char c = '\0';
PKIX_Boolean validString = PKIX_FALSE;
PKIX_PL_OID *plOID = NULL;
PKIX_List *policySet = NULL;
PKIX_TEST_STD_VARS();
p = policyString;
/*
* There may or may not be quotes around the initial-policy-set
* string. If they are omitted, dbx will strip off the curly braces.
* If they are included, dbx will strip off the quotes, but if you
* are running directly from a script, without dbx, the quotes will
* not be stripped. We need to be able to handle both cases.
*/
if (*p == '"') {
p++;
}
if ('{' != *p++) {
return (NULL);
}
oid = p;
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&policySet, plContext));
/* scan to the end of policyString */
while (!validString) {
/* scan to the end of the current OID string */
c = *oid;
while ((c != '\0') && (c != ':') && (c != '}')) {
c = *++oid;
}
if ((c != ':') || (c != '}')) {
*oid = '\0'; /* store a null terminator */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(p, &plOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(policySet,
(PKIX_PL_Object *)plOID,
plContext));
PKIX_TEST_DECREF_BC(plOID);
plOID = NULL;
if (c == '}') {
/*
* Any exit but this one means
* we were given a badly-formed string.
*/
validString = PKIX_TRUE;
}
p = ++oid;
}
}
cleanup:
if (!validString) {
PKIX_TEST_DECREF_AC(plOID);
PKIX_TEST_DECREF_AC(policySet);
policySet = NULL;
}
PKIX_TEST_RETURN();
return (policySet);
}
/*
* FUNCTION: PKIX_RevocationChecker_CreateAndAddMethod
*/
PKIX_Error *
PKIX_RevocationChecker_CreateAndAddMethod(
PKIX_RevocationChecker *revChecker,
PKIX_ProcessingParams *params,
PKIX_RevocationMethodType methodType,
PKIX_UInt32 flags,
PKIX_UInt32 priority,
PKIX_PL_VerifyCallback verificationFn,
PKIX_Boolean isLeafMethod,
void *plContext)
{
PKIX_List **methodList = NULL;
PKIX_List *unsortedList = NULL;
PKIX_List *certStores = NULL;
pkix_RevocationMethod *method = NULL;
pkix_LocalRevocationCheckFn *localRevChecker = NULL;
pkix_ExternalRevocationCheckFn *externRevChecker = NULL;
PKIX_UInt32 miFlags;
PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_CreateAndAddMethod");
PKIX_NULLCHECK_ONE(revChecker);
/* If the caller has said "Either one is sufficient, then don't let the
* absence of any one method's info lead to an overall failure.
*/
miFlags = isLeafMethod ? revChecker->leafMethodListFlags
: revChecker->chainMethodListFlags;
if (miFlags & PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE)
flags &= ~PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;
switch (methodType) {
case PKIX_RevocationMethod_CRL:
localRevChecker = pkix_CrlChecker_CheckLocal;
externRevChecker = pkix_CrlChecker_CheckExternal;
PKIX_CHECK(
PKIX_ProcessingParams_GetCertStores(params, &certStores,
plContext),
PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);
PKIX_CHECK(
pkix_CrlChecker_Create(methodType, flags, priority,
localRevChecker, externRevChecker,
certStores, verificationFn,
&method,
plContext),
PKIX_COULDNOTCREATECRLCHECKEROBJECT);
break;
case PKIX_RevocationMethod_OCSP:
localRevChecker = pkix_OcspChecker_CheckLocal;
externRevChecker = pkix_OcspChecker_CheckExternal;
PKIX_CHECK(
pkix_OcspChecker_Create(methodType, flags, priority,
localRevChecker, externRevChecker,
verificationFn,
&method,
plContext),
PKIX_COULDNOTCREATEOCSPCHECKEROBJECT);
break;
default:
PKIX_ERROR(PKIX_INVALIDREVOCATIONMETHOD);
}
if (isLeafMethod) {
methodList = &revChecker->leafMethodList;
} else {
methodList = &revChecker->chainMethodList;
}
if (*methodList == NULL) {
PKIX_CHECK(
PKIX_List_Create(methodList, plContext),
PKIX_LISTCREATEFAILED);
}
unsortedList = *methodList;
PKIX_CHECK(
PKIX_List_AppendItem(unsortedList, (PKIX_PL_Object*)method, plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_CHECK(
pkix_List_BubbleSort(unsortedList,
pkix_RevocationChecker_SortComparator,
methodList, plContext),
PKIX_LISTBUBBLESORTFAILED);
cleanup:
PKIX_DECREF(method);
PKIX_DECREF(unsortedList);
PKIX_DECREF(certStores);
PKIX_RETURN(REVOCATIONCHECKER);
}
static
void testNistTest2(char *dirName)
{
#define PKIX_TEST_NUM_CERTS 2
char *trustAnchor =
"TrustAnchorRootCertificate.crt";
char *intermediateCert =
"GoodCACert.crt";
char *endEntityCert =
"ValidCertificatePathTest1EE.crt";
char *certNames[PKIX_TEST_NUM_CERTS];
char *asciiNist1Policy = "2.16.840.1.101.3.2.1.48.1";
PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL };
PKIX_ValidateParams *valParams = NULL;
PKIX_ValidateResult *valResult = NULL;
PKIX_List *chain = NULL;
PKIX_PL_OID *Nist1PolicyOID = NULL;
PKIX_List *initialPolicies = NULL;
char *anchorName = NULL;
PKIX_TEST_STD_VARS();
subTest("testNistTest2: Creating the cert chain");
/*
* Create a chain, but don't include the first certName.
* That's the anchor, and is supplied separately from
* the chain.
*/
certNames[0] = intermediateCert;
certNames[1] = endEntityCert;
chain = createCertChainPlus
(dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext);
subTest("testNistTest2: Creating the Validate Parameters");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(asciiNist1Policy, &Nist1PolicyOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_Create(&initialPolicies, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(initialPolicies, (PKIX_PL_Object *)Nist1PolicyOID, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
(initialPolicies, plContext));
valParams = createValidateParams
(dirName,
trustAnchor,
NULL,
NULL,
initialPolicies,
PKIX_FALSE,
PKIX_FALSE,
PKIX_FALSE,
PKIX_FALSE,
chain,
plContext);
subTest("testNistTest2: Validating the chain");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
(valParams, &valResult, NULL, plContext));
cleanup:
PKIX_PL_Free(anchorName, plContext);
PKIX_TEST_DECREF_AC(Nist1PolicyOID);
PKIX_TEST_DECREF_AC(initialPolicies);
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_DECREF_AC(valResult);
PKIX_TEST_DECREF_AC(chain);
PKIX_TEST_RETURN();
}
int
test_buildchain(int argc, char *argv[])
{
PKIX_BuildResult *buildResult = NULL;
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_TrustAnchor *anchor = NULL;
PKIX_PL_PublicKey *trustedPubKey = NULL;
PKIX_List *anchors = NULL;
PKIX_List *certs = NULL;
PKIX_RevocationChecker *revChecker = NULL;
PKIX_PL_Cert *cert = NULL;
PKIX_ProcessingParams *procParams = NULL;
char *dirName = NULL;
PKIX_PL_String *dirNameString = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_PL_Cert *targetCert = NULL;
PKIX_UInt32 actualMinorVersion = 0;
PKIX_UInt32 numCerts = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
PKIX_UInt32 k = 0;
PKIX_CertStore *ldapCertStore = NULL;
PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; /* blocking */
/* PRIntervalTime timeout = PR_INTERVAL_NO_WAIT; =0 for non-blocking */
PKIX_CertStore *certStore = NULL;
PKIX_List *certStores = NULL;
PKIX_List *revCheckers = NULL;
char *asciiResult = NULL;
PKIX_Boolean result = PKIX_FALSE;
PKIX_Boolean testValid = PKIX_TRUE;
PKIX_List *expectedCerts = NULL;
PKIX_PL_Cert *dirCert = NULL;
PKIX_VerifyNode *verifyTree = NULL;
PKIX_PL_String *verifyString = NULL;
PKIX_PL_String *actualCertsString = NULL;
PKIX_PL_String *expectedCertsString = NULL;
void *state = NULL;
char *actualCertsAscii = NULL;
char *expectedCertsAscii = NULL;
PRPollDesc *pollDesc = NULL;
PKIX_TEST_STD_VARS();
if (argc < 5) {
printUsage();
return (0);
}
startTests("BuildChain");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/*
* arguments:
* [optional] -arenas
* [optional] usebind
* servername or servername:port ( - for no server)
* testname
* EE or ENE
* cert directory
* target cert (end entity)
* intermediate certs
* trust anchor
*/
/* optional argument "usebind" for Ldap CertStore */
if (argv[j + 1]) {
if (PORT_Strcmp(argv[j + 1], "usebind") == 0) {
usebind = PKIX_TRUE;
j++;
}
}
if (PORT_Strcmp(argv[++j], "-") == 0) {
useLDAP = PKIX_FALSE;
} else {
serverName = argv[j];
useLDAP = PKIX_TRUE;
}
subTest(argv[++j]);
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[++j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage();
return (0);
}
dirName = argv[++j];
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
for (k = ++j; k < (PKIX_UInt32)argc; k++) {
dirCert = createCert(dirName, argv[k], plContext);
if (k == (PKIX_UInt32)(argc - 1)) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
trustedCert = dirCert;
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts,
(PKIX_PL_Object *)dirCert,
plContext));
if (k == j) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
targetCert = dirCert;
}
}
PKIX_TEST_DECREF_BC(dirCert);
}
/* create processing params with list of trust anchors */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));
/* create CertSelector with target certificate in params */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));
/* create CertStores */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, dirName, 0, &dirNameString, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
if (useLDAP == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore(serverName, timeout, &ldapCertStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores,
(PKIX_PL_Object *)ldapCertStore,
plContext));
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext));
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(trustedCert, &trustedPubKey, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(expectedCerts, &numCerts, plContext));
PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize(certStores,
NULL, /* testDate, may be NULL */
trustedPubKey,
numCerts,
&revChecker,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(revCheckers, (PKIX_PL_Object *)revChecker, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers(procParams, revCheckers, plContext));
#ifdef debuggingWithoutRevocation
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext));
#endif
/* build cert chain using processing params and return buildResult */
pkixTestErrorResult = PKIX_BuildChain(procParams,
(void **)&pollDesc,
&state,
&buildResult,
&verifyTree,
plContext);
while (pollDesc != NULL) {
if (PR_Poll(pollDesc, 1, 0) < 0) {
testError("PR_Poll failed");
}
pkixTestErrorResult = PKIX_BuildChain(procParams,
(void **)&pollDesc,
&state,
&buildResult,
&verifyTree,
plContext);
}
if (pkixTestErrorResult) {
if (testValid == PKIX_FALSE) { /* EE */
(void)printf("EXPECTED ERROR RECEIVED!\n");
} else { /* ENE */
testError("UNEXPECTED ERROR RECEIVED");
}
} else {
if (testValid == PKIX_TRUE) { /* ENE */
(void)printf("EXPECTED NON-ERROR RECEIVED!\n");
} else { /* EE */
(void)printf("UNEXPECTED NON-ERROR RECEIVED!\n");
}
}
subTest("Displaying VerifyNode objects");
if (verifyTree == NULL) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, "(null)", 0, &verifyString, plContext));
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext));
}
(void)printf("verifyTree is\n%s\n", verifyString->escAsciiString);
if (pkixTestErrorResult) {
PKIX_TEST_DECREF_BC(pkixTestErrorResult);
goto cleanup;
}
if (buildResult) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext));
printf("\n");
for (i = 0; i < numCerts; i++) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs,
i,
(PKIX_PL_Object **)&cert,
plContext));
asciiResult = PKIX_Cert2ASCII(cert);
printf("CERT[%d]:\n%s\n", i, asciiResult);
/* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, NULL));
asciiResult = NULL;
PKIX_TEST_DECREF_BC(cert);
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)certs,
(PKIX_PL_Object *)expectedCerts,
&result,
plContext));
if (!result) {
testError("BUILT CERTCHAIN IS "
"NOT THE ONE THAT WAS EXPECTED");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)certs,
&actualCertsString,
plContext));
actualCertsAscii = PKIX_String2ASCII(actualCertsString, plContext);
if (actualCertsAscii == NULL) {
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)expectedCerts,
&expectedCertsString,
plContext));
expectedCertsAscii = PKIX_String2ASCII(expectedCertsString, plContext);
if (expectedCertsAscii == NULL) {
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
(void)printf("Actual value:\t%s\n", actualCertsAscii);
(void)printf("Expected value:\t%s\n",
expectedCertsAscii);
}
}
cleanup:
PKIX_TEST_DECREF_AC(verifyString);
PKIX_TEST_DECREF_AC(verifyTree);
PKIX_PL_Free(asciiResult, NULL);
PKIX_PL_Free(actualCertsAscii, plContext);
PKIX_PL_Free(expectedCertsAscii, plContext);
PKIX_TEST_DECREF_AC(state);
PKIX_TEST_DECREF_AC(actualCertsString);
PKIX_TEST_DECREF_AC(expectedCertsString);
PKIX_TEST_DECREF_AC(expectedCerts);
PKIX_TEST_DECREF_AC(buildResult);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(certStores);
PKIX_TEST_DECREF_AC(revCheckers);
PKIX_TEST_DECREF_AC(revChecker);
PKIX_TEST_DECREF_AC(ldapCertStore);
PKIX_TEST_DECREF_AC(certStore);
PKIX_TEST_DECREF_AC(dirNameString);
PKIX_TEST_DECREF_AC(certSelParams);
PKIX_TEST_DECREF_AC(certSelector);
PKIX_TEST_DECREF_AC(anchors);
PKIX_TEST_DECREF_AC(anchor);
PKIX_TEST_DECREF_AC(trustedCert);
PKIX_TEST_DECREF_AC(trustedPubKey);
PKIX_TEST_DECREF_AC(certs);
PKIX_TEST_DECREF_AC(cert);
PKIX_TEST_DECREF_AC(targetCert);
PKIX_TEST_RETURN();
PKIX_Shutdown(plContext);
endTests("BuildChain");
return (0);
}
static PKIX_Error *
testEkuSetup(
PKIX_ValidateParams *valParams,
char *ekuOidString,
PKIX_Boolean *only4EE)
{
PKIX_ProcessingParams *procParams = NULL;
PKIX_List *ekuList = NULL;
PKIX_PL_OID *ekuOid = NULL;
PKIX_ComCertSelParams *selParams = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_Boolean last_token = PKIX_FALSE;
PKIX_UInt32 i, tokeni;
PKIX_TEST_STD_VARS();
subTest("PKIX_ValidateParams_GetProcessingParams");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
(valParams, &procParams, plContext));
/* Get extended key usage OID(s) from command line, separated by "," */
if (ekuOidString[0] == '"') {
/* erase doble quotes, if any */
i = 1;
while (ekuOidString[i] != '"' && ekuOidString[i] != '\0') {
ekuOidString[i-1] = ekuOidString[i];
i++;
}
ekuOidString[i-1] = '\0';
}
if (ekuOidString[0] == '\0') {
ekuList = NULL;
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
(&ekuList, plContext));
/* if OID string start with E, only check for last cert */
if (ekuOidString[0] == 'E') {
*only4EE = PKIX_TRUE;
tokeni = 2;
i = 1;
} else {
*only4EE = PKIX_FALSE;
tokeni = 1;
i = 0;
}
while (last_token != PKIX_TRUE) {
while (ekuOidString[tokeni] != ',' &&
ekuOidString[tokeni] != '\0') {
tokeni++;
}
if (ekuOidString[tokeni] == '\0') {
last_token = PKIX_TRUE;
} else {
ekuOidString[tokeni] = '\0';
tokeni++;
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(&ekuOidString[i], &ekuOid, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(ekuList, (PKIX_PL_Object *)ekuOid, plContext));
PKIX_TEST_DECREF_BC(ekuOid);
i = tokeni;
}
}
/* Set extended key usage link to processing params */
subTest("PKIX_ComCertSelParams_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
(&selParams, plContext));
subTest("PKIX_ComCertSelParams_SetExtendedKeyUsage");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage
(selParams, ekuList, plContext));
subTest("PKIX_CertSelector_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
(testCertSelectorMatchCallback,
NULL,
&certSelector,
plContext));
subTest("PKIX_CertSelector_SetCommonCertSelectorParams");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
(certSelector, selParams, plContext));
subTest("PKIX_ProcessingParams_SetTargetCertConstraints");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints
(procParams, certSelector, plContext));
cleanup:
PKIX_TEST_DECREF_AC(selParams);
PKIX_TEST_DECREF_AC(certSelector);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(ekuOid);
PKIX_TEST_DECREF_AC(ekuList);
PKIX_TEST_RETURN();
return (0);
}
int test_buildchain_uchecker(int argc, char *argv[])
{
PKIX_BuildResult *buildResult = NULL;
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_TrustAnchor *anchor = NULL;
PKIX_List *anchors = NULL;
PKIX_List *certs = NULL;
PKIX_PL_Cert *cert = NULL;
PKIX_ProcessingParams *procParams = NULL;
PKIX_CertChainChecker *checker = NULL;
char *dirName = NULL;
PKIX_PL_String *dirNameString = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_PL_Cert *targetCert = NULL;
PKIX_UInt32 numCerts = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
PKIX_UInt32 k = 0;
PKIX_UInt32 chainLength = 0;
PKIX_CertStore *certStore = NULL;
PKIX_List *certStores = NULL;
char * asciiResult = NULL;
PKIX_Boolean result;
PKIX_Boolean testValid = PKIX_TRUE;
PKIX_Boolean supportForward = PKIX_FALSE;
PKIX_List *expectedCerts = NULL;
PKIX_List *userOIDs = NULL;
PKIX_PL_OID *oid = NULL;
PKIX_PL_Cert *dirCert = NULL;
PKIX_PL_String *actualCertsString = NULL;
PKIX_PL_String *expectedCertsString = NULL;
char *actualCertsAscii = NULL;
char *expectedCertsAscii = NULL;
char *oidString = NULL;
void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */
void *nbioContext = NULL; /* needed by pkix_build for non-blocking I/O */
PKIX_TEST_STD_VARS();
if (argc < 5){
printUsage();
return (0);
}
startTests("BuildChain_UserChecker");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage();
return (0);
}
/* OID specified at argv[3+j] */
if (*argv[3+j] != '-') {
if (*argv[3+j] == 'F') {
supportForward = PKIX_TRUE;
oidString = argv[3+j]+1;
} else {
oidString = argv[3+j];
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
(&userOIDs, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(oidString, &oid, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(userOIDs, (PKIX_PL_Object *)oid, plContext));
PKIX_TEST_DECREF_BC(oid);
}
subTest(argv[1+j]);
dirName = argv[4+j];
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
chainLength = argc - j - 5;
for (k = 0; k < chainLength; k++){
dirCert = createCert(dirName, argv[5+k+j], plContext);
if (k == (chainLength - 1)){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_IncRef
((PKIX_PL_Object *)dirCert, plContext));
trustedCert = dirCert;
} else {
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(expectedCerts,
(PKIX_PL_Object *)dirCert,
plContext));
if (k == 0){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_IncRef
((PKIX_PL_Object *)dirCert,
plContext));
targetCert = dirCert;
}
}
PKIX_TEST_DECREF_BC(dirCert);
}
/* create processing params with list of trust anchors */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
(trustedCert, &anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(anchors, (PKIX_PL_Object *)anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
(anchors, &procParams, plContext));
/* create CertSelector with target certificate in params */
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_ComCertSelParams_SetCertificate
(certSelParams, targetCert, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_CertSelector_Create
(NULL, NULL, &certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
(certSelector, certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_ProcessingParams_SetTargetCertConstraints
(procParams, certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
(testUserChecker,
supportForward,
PKIX_FALSE,
userOIDs,
NULL,
&checker,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertChainChecker
(procParams, checker, plContext));
/* create CertStores */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
(PKIX_ESCASCII,
dirName,
0,
&dirNameString,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
(dirNameString, &certStore, plContext));
#if 0
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
(&certStore, plContext));
#endif
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(certStores, (PKIX_PL_Object *)certStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
(procParams, certStores, plContext));
/* build cert chain using processing params and return buildResult */
pkixTestErrorResult = PKIX_BuildChain
(procParams,
&nbioContext,
&buildState,
&buildResult,
NULL,
plContext);
if (testValid == PKIX_TRUE) { /* ENE */
if (pkixTestErrorResult){
(void) printf("UNEXPECTED RESULT RECEIVED!\n");
} else {
(void) printf("EXPECTED RESULT RECEIVED!\n");
PKIX_TEST_DECREF_BC(pkixTestErrorResult);
}
} else { /* EE */
if (pkixTestErrorResult){
(void) printf("EXPECTED RESULT RECEIVED!\n");
PKIX_TEST_DECREF_BC(pkixTestErrorResult);
} else {
testError("UNEXPECTED RESULT RECEIVED");
}
}
if (buildResult){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_BuildResult_GetCertChain
(buildResult, &certs, NULL));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_GetLength(certs, &numCerts, plContext));
printf("\n");
for (i = 0; i < numCerts; i++){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_GetItem
(certs,
i,
(PKIX_PL_Object**)&cert,
plContext));
asciiResult = PKIX_Cert2ASCII(cert);
printf("CERT[%d]:\n%s\n", i, asciiResult);
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Free(asciiResult, plContext));
asciiResult = NULL;
PKIX_TEST_DECREF_BC(cert);
}
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_Equals
((PKIX_PL_Object*)certs,
(PKIX_PL_Object*)expectedCerts,
&result,
plContext));
if (!result){
testError("BUILT CERTCHAIN IS "
"NOT THE ONE THAT WAS EXPECTED");
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_ToString
((PKIX_PL_Object *)certs,
&actualCertsString,
plContext));
actualCertsAscii = PKIX_String2ASCII
(actualCertsString, plContext);
if (actualCertsAscii == NULL){
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_ToString
((PKIX_PL_Object *)expectedCerts,
&expectedCertsString,
plContext));
expectedCertsAscii = PKIX_String2ASCII
(expectedCertsString, plContext);
if (expectedCertsAscii == NULL){
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
(void) printf("Actual value:\t%s\n", actualCertsAscii);
(void) printf("Expected value:\t%s\n",
expectedCertsAscii);
if (chainLength - 1 != numUserCheckerCalled) {
pkixTestErrorMsg =
"PKIX user defined checker not called";
}
goto cleanup;
}
}
cleanup:
PKIX_PL_Free(asciiResult, plContext);
PKIX_PL_Free(actualCertsAscii, plContext);
PKIX_PL_Free(expectedCertsAscii, plContext);
PKIX_TEST_DECREF_AC(actualCertsString);
PKIX_TEST_DECREF_AC(expectedCertsString);
PKIX_TEST_DECREF_AC(expectedCerts);
PKIX_TEST_DECREF_AC(certs);
PKIX_TEST_DECREF_AC(cert);
PKIX_TEST_DECREF_AC(certStore);
PKIX_TEST_DECREF_AC(certStores);
PKIX_TEST_DECREF_AC(dirNameString);
PKIX_TEST_DECREF_AC(trustedCert);
PKIX_TEST_DECREF_AC(targetCert);
PKIX_TEST_DECREF_AC(anchor);
PKIX_TEST_DECREF_AC(anchors);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(certSelParams);
PKIX_TEST_DECREF_AC(certSelector);
PKIX_TEST_DECREF_AC(buildResult);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(userOIDs);
PKIX_TEST_DECREF_AC(checker);
PKIX_TEST_RETURN();
PKIX_Shutdown(plContext);
endTests("BuildChain_UserChecker");
return (0);
}
/*
* FUNCTION: pkix_VerifyNode_AddToChain
* DESCRIPTION:
*
* Adds the VerifyNode pointed to by "child", at the appropriate depth, to the
* List of children of the VerifyNode pointed to by "parentNode". The chain of
* VerifyNodes is traversed until a VerifyNode is found at a depth one less
* than that specified in "child". An Error is returned if there is no parent
* at a suitable depth.
*
* If "parentNode" has a NULL pointer for the List of children, a new List is
* created containing "child". Otherwise "child" is appended to the existing
* List.
*
* Depth, in this context, means distance from the root node, which
* is at depth zero.
*
* PARAMETERS:
* "parentNode"
* Address of VerifyNode whose List of child VerifyNodes is to be
* created or appended to. Must be non-NULL.
* "child"
* Address of VerifyNode to be added to parentNode's List. Must be
* non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a VerifyNode Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_VerifyNode_AddToChain(
PKIX_VerifyNode *parentNode,
PKIX_VerifyNode *child,
void *plContext)
{
PKIX_VerifyNode *successor = NULL;
PKIX_List *listOfChildren = NULL;
PKIX_UInt32 numChildren = 0;
PKIX_UInt32 parentDepth = 0;
PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_AddToChain");
PKIX_NULLCHECK_TWO(parentNode, child);
parentDepth = parentNode->depth;
listOfChildren = parentNode->children;
if (listOfChildren == NULL) {
if (parentDepth != (child->depth - 1)) {
PKIX_ERROR(PKIX_NODESMISSINGFROMCHAIN);
}
PKIX_CHECK(PKIX_List_Create(&listOfChildren, plContext),
PKIX_LISTCREATEFAILED);
PKIX_CHECK(PKIX_List_AppendItem
(listOfChildren, (PKIX_PL_Object *)child, plContext),
PKIX_COULDNOTAPPENDCHILDTOPARENTSVERIFYNODELIST);
parentNode->children = listOfChildren;
} else {
/* get number of children */
PKIX_CHECK(PKIX_List_GetLength
(listOfChildren, &numChildren, plContext),
PKIX_LISTGETLENGTHFAILED);
if (numChildren != 1) {
PKIX_ERROR(PKIX_AMBIGUOUSPARENTAGEOFVERIFYNODE);
}
/* successor = listOfChildren[0] */
PKIX_CHECK(PKIX_List_GetItem
(listOfChildren,
0,
(PKIX_PL_Object **)&successor,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(pkix_VerifyNode_AddToChain
(successor, child, plContext),
PKIX_VERIFYNODEADDTOCHAINFAILED);
}
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)parentNode, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
cleanup:
PKIX_DECREF(successor);
PKIX_RETURN(VERIFYNODE);
}
int test_validatechain_bc(int argc, char *argv[])
{
PKIX_TrustAnchor *anchor = NULL;
PKIX_List *anchors = NULL;
PKIX_List *certs = NULL;
PKIX_ProcessingParams *procParams = NULL;
PKIX_ValidateParams *valParams = NULL;
PKIX_ValidateResult *valResult = NULL;
PKIX_PL_X500Name *subject = NULL;
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
char *trustedCertFile = NULL;
char *chainCertFile = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_PL_Cert *chainCert = NULL;
PKIX_UInt32 chainLength = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
PKIX_UInt32 actualMinorVersion;
PKIX_VerifyNode *verifyTree = NULL;
PKIX_PL_String *verifyString = NULL;
PKIX_TEST_STD_VARS();
if (argc < 3){
printUsage();
return (0);
}
startTests("ValidateChainBasicConstraints");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
chainLength = (argc - j) - 2;
/* create processing params with list of trust anchors */
trustedCertFile = argv[1+j];
trustedCert = createCert(trustedCertFile);
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
(certSelParams, -1, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_CertSelector_Create
(NULL, NULL, &certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
(certSelector, certSelParams, plContext));
PKIX_TEST_DECREF_BC(subject);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
(trustedCert, &anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(anchors, (PKIX_PL_Object *)anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
(anchors, &procParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
(procParams, PKIX_FALSE, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_ProcessingParams_SetTargetCertConstraints
(procParams, certSelector, plContext));
PKIX_TEST_DECREF_BC(certSelector);
/* create cert chain */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
for (i = 0; i < chainLength; i++){
chainCertFile = argv[i + (2+j)];
chainCert = createCert(chainCertFile);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(certs, (PKIX_PL_Object *)chainCert, plContext));
PKIX_TEST_DECREF_BC(chainCert);
}
/* create validate params with processing params and cert chain */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create
(procParams, certs, &valParams, plContext));
/* validate cert chain using processing params and return valResult */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
(valParams, &valResult, &verifyTree, plContext));
if (valResult != NULL){
printf("SUCCESSFULLY VALIDATED with Basic Constraint ");
printf("Cert Selector minimum path length to be -1\n");
PKIX_TEST_DECREF_BC(valResult);
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
(void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
PKIX_TEST_DECREF_BC(verifyString);
PKIX_TEST_DECREF_BC(verifyTree);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
(certSelParams, 6, plContext));
/* validate cert chain using processing params and return valResult */
PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
(valParams, &valResult, &verifyTree, plContext));
if (valResult != NULL){
printf("SUCCESSFULLY VALIDATED with Basic Constraint ");
printf("Cert Selector minimum path length to be 6\n");
}
PKIX_TEST_DECREF_BC(trustedCert);
PKIX_TEST_DECREF_BC(anchor);
PKIX_TEST_DECREF_BC(anchors);
PKIX_TEST_DECREF_BC(certs);
PKIX_TEST_DECREF_BC(procParams);
cleanup:
if (PKIX_TEST_ERROR_RECEIVED){
printf("FAILED TO VALIDATE\n");
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
(void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
PKIX_TEST_DECREF_AC(verifyString);
PKIX_TEST_DECREF_AC(verifyTree);
PKIX_TEST_DECREF_AC(certSelParams);
PKIX_TEST_DECREF_AC(valResult);
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_RETURN();
PKIX_Shutdown(plContext);
endTests("ValidateChainBasicConstraints");
return (0);
}
static void
test_SubjAltNames(void)
{
PKIX_ComCertSelParams *goodParams = NULL;
PKIX_List *setGenNames = NULL;
PKIX_List *getGenNames = NULL;
PKIX_PL_GeneralName *rfc822GenName = NULL;
PKIX_PL_GeneralName *dnsGenName = NULL;
PKIX_PL_GeneralName *dirGenName = NULL;
PKIX_PL_GeneralName *uriGenName = NULL;
PKIX_PL_GeneralName *oidGenName = NULL;
PKIX_Boolean matchAll = PKIX_TRUE;
char *rfc822Name = "*****@*****.**";
char *dnsName = "comcast.net";
char *dirName = "cn=john, ou=labs, o=sun, c=us";
char *uriName = "http://comcast.net";
char *oidName = "1.2.840.11";
char *expectedAscii =
"([email protected], "
"comcast.net, "
"CN=john,OU=labs,O=sun,C=us, "
"http://comcast.net)";
char *expectedAsciiAll =
"([email protected], "
"comcast.net, "
"CN=john,OU=labs,O=sun,C=us, "
"http://comcast.net, "
"1.2.840.11)";
PKIX_TEST_STD_VARS();
subTest("PKIX_PL_GeneralName_Create");
dnsGenName = createGeneralName(PKIX_DNS_NAME, dnsName, plContext);
uriGenName = createGeneralName(PKIX_URI_NAME, uriName, plContext);
oidGenName = createGeneralName(PKIX_OID_NAME, oidName, plContext);
dirGenName = createGeneralName(PKIX_DIRECTORY_NAME, dirName, plContext);
rfc822GenName = createGeneralName(PKIX_RFC822_NAME,
rfc822Name,
plContext);
subTest("PKIX_PL_GeneralName List create and append");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setGenNames, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)rfc822GenName, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)dnsGenName, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)dirGenName, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)uriGenName, plContext));
subTest("PKIX_ComCertSelParams_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext));
subTest("PKIX_ComCertSelParams_SetSubjAltNames");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjAltNames(goodParams, setGenNames, plContext));
subTest("PKIX_ComCertSelParams_GetSubjAltNames");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjAltNames(goodParams, &getGenNames, plContext));
subTest("Compare GeneralName List");
testEqualsHelper((PKIX_PL_Object *)setGenNames,
(PKIX_PL_Object *)getGenNames,
PKIX_TRUE,
plContext);
subTest("Compare GeneralName List with canned string");
testToStringHelper((PKIX_PL_Object *)getGenNames,
expectedAscii,
plContext);
subTest("PKIX_ComCertSelParams_AddSubjAltName");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName(goodParams, oidGenName, plContext));
PKIX_TEST_DECREF_BC(getGenNames);
subTest("PKIX_ComCertSelParams_GetSubjAltNames");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjAltNames(goodParams, &getGenNames, plContext));
subTest("Compare GeneralName List with canned string");
testToStringHelper((PKIX_PL_Object *)getGenNames,
expectedAsciiAll,
plContext);
subTest("PKIX_ComCertSelParams_GetMatchAllSubjAltNames");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetMatchAllSubjAltNames(goodParams, &matchAll, plContext));
if (matchAll != PKIX_TRUE) {
testError("unexpected mismatch <expect TRUE>");
}
subTest("PKIX_ComCertSelParams_SetMatchAllSubjAltNames");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames(goodParams, PKIX_FALSE, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetMatchAllSubjAltNames(goodParams, &matchAll, plContext));
if (matchAll != PKIX_FALSE) {
testError("unexpected mismatch <expect FALSE>");
}
cleanup:
PKIX_TEST_DECREF_AC(goodParams);
PKIX_TEST_DECREF_AC(setGenNames);
PKIX_TEST_DECREF_AC(getGenNames);
PKIX_TEST_DECREF_AC(rfc822GenName);
PKIX_TEST_DECREF_AC(dnsGenName);
PKIX_TEST_DECREF_AC(dirGenName);
PKIX_TEST_DECREF_AC(uriGenName);
PKIX_TEST_DECREF_AC(oidGenName);
PKIX_TEST_RETURN();
}