static void
test_KeyUsages(void)
{
    PKIX_ComCertSelParams *goodParams = NULL;
    PKIX_PL_OID *ekuOid = NULL;
    PKIX_List *setExtKeyUsage = NULL;
    PKIX_List *getExtKeyUsage = NULL;
    PKIX_UInt32 getKeyUsage = 0;
    PKIX_UInt32 setKeyUsage = 0x1FF;
    PKIX_Boolean isEqual = PKIX_FALSE;

    PKIX_TEST_STD_VARS();

    subTest("PKIX_ComCertSelParams_Create");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext));

    subTest("PKIX_ComCertSelParams_SetKeyUsage");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetKeyUsage(goodParams, setKeyUsage, plContext));

    subTest("PKIX_ComCertSelParams_GetKeyUsage");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetKeyUsage(goodParams, &getKeyUsage, plContext));

    if (setKeyUsage != getKeyUsage) {
        testError("unexpected KeyUsage mismatch <expect equal>");
    }

    subTest("PKIX_PL_OID List create and append");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setExtKeyUsage, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.3.6.1.5.5.7.3.1", &ekuOid, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setExtKeyUsage, (PKIX_PL_Object *)ekuOid, plContext));
    PKIX_TEST_DECREF_BC(ekuOid);

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create("1.3.6.1.5.5.7.3.8", &ekuOid, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setExtKeyUsage, (PKIX_PL_Object *)ekuOid, plContext));
    PKIX_TEST_DECREF_BC(ekuOid);

    subTest("PKIX_ComCertSelParams_SetExtendedKeyUsage");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage(goodParams, setExtKeyUsage, plContext));

    subTest("PKIX_ComCertSelParams_GetExtendedKeyUsage");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetExtendedKeyUsage(goodParams, &getExtKeyUsage, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setExtKeyUsage,
                                                    (PKIX_PL_Object *)getExtKeyUsage,
                                                    &isEqual,
                                                    plContext));

    if (isEqual == PKIX_FALSE) {
        testError("unexpected ExtKeyUsage mismatch <expect equal>");
    }

cleanup:

    PKIX_TEST_DECREF_AC(ekuOid);
    PKIX_TEST_DECREF_AC(setExtKeyUsage);
    PKIX_TEST_DECREF_AC(getExtKeyUsage);
    PKIX_TEST_DECREF_AC(goodParams);

    PKIX_TEST_RETURN();
}
Esempio n. 2
0
/*
 * FUNCTION: PKIX_ProcessingParams_AddCertStore
 * (see comments in pkix_params.h)
 */
PKIX_Error *
PKIX_ProcessingParams_AddCertStore(
        PKIX_ProcessingParams *params,
        PKIX_CertStore *store,
        void *plContext)
{
        PKIX_List *certStores = NULL;

        PKIX_ENTER(PROCESSINGPARAMS, "PKIX_ProcessingParams_AddCertStore");
        PKIX_NULLCHECK_TWO(params, store);

        PKIX_CHECK(PKIX_ProcessingParams_GetCertStores
                    (params, &certStores, plContext),
                    PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);

        PKIX_CHECK(PKIX_List_AppendItem
                    (certStores, (PKIX_PL_Object *)store, plContext),
                    PKIX_LISTAPPENDITEMFAILED);

        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                    ((PKIX_PL_Object *)params, plContext),
                    PKIX_OBJECTINVALIDATECACHEFAILED);

cleanup:

        PKIX_DECREF(certStores);
        PKIX_RETURN(PROCESSINGPARAMS);
}
/*
 * FUNCTION: PKIX_ComCertSelParams_AddPathToName
 * (see comments in pkix_certsel.h)
 */
PKIX_Error *
PKIX_ComCertSelParams_AddPathToName(
        PKIX_ComCertSelParams *params,
        PKIX_PL_GeneralName *name,
        void *plContext)
{
        PKIX_List *pathToNamesList = NULL;

        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_AddPathToName");
        PKIX_NULLCHECK_ONE(params);

        if (name == NULL) {
                goto cleanup;
        }

        if (params->pathToNames == NULL) {
                /* Create a list for name item */
                PKIX_CHECK(PKIX_List_Create(&pathToNamesList, plContext),
                    PKIX_LISTCREATEFAILED);

                params->pathToNames = pathToNamesList;
        }

        PKIX_CHECK(PKIX_List_AppendItem
                    (params->pathToNames, (PKIX_PL_Object *)name, plContext),
                    PKIX_LISTAPPENDITEMFAILED);

        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                    ((PKIX_PL_Object *)params, plContext),
                    PKIX_OBJECTINVALIDATECACHEFAILED);

cleanup:

        PKIX_RETURN(COMCERTSELPARAMS);
}
/*
 * FUNCTION: PKIX_ComCertSelParams_AddSubjAltNames
 * (see comments in pkix_certsel.h)
 */
PKIX_Error *
PKIX_ComCertSelParams_AddSubjAltName(
        PKIX_ComCertSelParams *params,
        PKIX_PL_GeneralName *name,
        void *plContext)
{
        PKIX_List *list = NULL;

        PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_AddSubjAltName");
        PKIX_NULLCHECK_TWO(params, name);

        if (params->subjAltNames == NULL) {
                PKIX_CHECK(PKIX_List_Create(&list, plContext),
                        PKIX_LISTCREATEFAILED);
                params->subjAltNames = list;
        }

        PKIX_CHECK(PKIX_List_AppendItem
                    (params->subjAltNames, (PKIX_PL_Object *)name, plContext),
                    PKIX_LISTAPPENDITEMFAILED);

cleanup:

        PKIX_RETURN(COMCERTSELPARAMS)
}
static
void testLogErrors(
	PKIX_ERRORCLASS module,
	PKIX_UInt32 loggingLevel,
        PKIX_List *loggers,
	void *plContext)
{
        PKIX_Logger *logger = NULL;
        PKIX_PL_String *component = NULL;

        PKIX_TEST_STD_VARS();

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_Create
                (loggerCallback, NULL, &logger, plContext));
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetLoggingComponent
                (logger, module, plContext));
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetMaxLoggingLevel
                (logger, loggingLevel, plContext));
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
                (loggers, (PKIX_PL_Object *) logger, plContext));

cleanup:
        PKIX_TEST_DECREF_AC(logger);
        PKIX_TEST_DECREF_AC(component);

        PKIX_TEST_RETURN();
}
/*
 * This function creates a crlSelector with ComCrlSelParams set up to
 * select entries whose Issuer Name matches that in the given Crl.
 */
static void
test_makeIssuerCRLSelector(
    PKIX_PL_CRL *crlNameToMatch,
    PKIX_CRLSelector **pSelector,
    void *plContext)
{
    PKIX_CRLSelector *selector = NULL;
    PKIX_ComCRLSelParams *issuerParams = NULL;
    PKIX_PL_X500Name *issuerName = NULL;
    PKIX_List *names = NULL;

    PKIX_TEST_STD_VARS();

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create(NULL, NULL, &selector, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create(&issuerParams, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetIssuer(crlNameToMatch, &issuerName, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&names, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(names, (PKIX_PL_Object *)issuerName, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetIssuerNames(issuerParams, names, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_SetCommonCRLSelectorParams(selector, issuerParams, plContext));
    *pSelector = selector;

cleanup:

    PKIX_TEST_DECREF_AC(issuerParams);
    PKIX_TEST_DECREF_AC(issuerName);
    PKIX_TEST_DECREF_AC(names);

    PKIX_TEST_RETURN();
}
Esempio n. 7
0
static
void testGetSetCertChainCheckers(
        PKIX_ProcessingParams *goodObject,
        PKIX_ProcessingParams *equalObject){

        PKIX_CertChainChecker *checker = NULL;
        PKIX_List *setCheckersList = NULL;
        PKIX_List *getCheckersList = NULL;
        PKIX_PL_Date *date = NULL;
        char *asciiDate = "040329134847Z";

        PKIX_TEST_STD_VARS();
        subTest("PKIX_ProcessingParams_Get/SetCertChainCheckers");

        date = createDate(asciiDate, plContext);

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
                    (userChecker1cb,
                    PKIX_FALSE,
                    PKIX_FALSE,
                    NULL,
                    (PKIX_PL_Object *) date,
                    &checker,
                    plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
                (&setCheckersList, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
                (setCheckersList, (PKIX_PL_Object *) checker, plContext));
        PKIX_TEST_DECREF_BC(checker);

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertChainCheckers
                (goodObject, setCheckersList, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
                (userChecker1cb,
                PKIX_FALSE,
                PKIX_FALSE,
                NULL,
                (PKIX_PL_Object *) date,
                &checker,
                plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertChainChecker
                (goodObject, checker, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetCertChainCheckers
                (goodObject, &getCheckersList, plContext));

cleanup:

        PKIX_TEST_DECREF_AC(setCheckersList);
        PKIX_TEST_DECREF_AC(getCheckersList);
        PKIX_TEST_DECREF_AC(date);
        PKIX_TEST_DECREF_BC(checker);

        PKIX_TEST_RETURN();
}
Esempio n. 8
0
/*
 * FUNCTION: PKIX_List_ReverseList (see comments in pkix_util.h)
 */
PKIX_Error *
PKIX_List_ReverseList(
        PKIX_List *list,
        PKIX_List **pReversedList,
        void *plContext)
{
        PKIX_List *reversedList = NULL;
        PKIX_PL_Object *item = NULL;
        PKIX_PL_Object *duplicateItem = NULL;
        PKIX_UInt32 length, i;

        PKIX_ENTER(LIST, "pkix_List_ReverseList");
        PKIX_NULLCHECK_TWO(list, pReversedList);

        if (!list->isHeader){
                PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
        }

        length = list->length;

        /* Create a new list object */
        PKIX_CHECK(PKIX_List_Create(&reversedList, plContext),
                    PKIX_LISTCREATEINTERNALFAILED);

        /*
         * Starting with the last item and traversing backwards (from
         * the original list), append each item to the reversed list
         */

        for (i = 1; i <= length; i++){
                PKIX_CHECK(PKIX_List_GetItem
                            (list, (length - i), &item, plContext),
                            PKIX_LISTGETITEMFAILED);

                PKIX_CHECK(PKIX_PL_Object_Duplicate
                            (item, &duplicateItem, plContext),
                            PKIX_LISTDUPLICATEFAILED);

                PKIX_CHECK(PKIX_List_AppendItem
                            (reversedList, duplicateItem, plContext),
                            PKIX_LISTAPPENDITEMFAILED);

                PKIX_DECREF(item);
                PKIX_DECREF(duplicateItem);
        }

        *pReversedList = reversedList;

cleanup:

        PKIX_DECREF(item);
        PKIX_DECREF(duplicateItem);

        if (PKIX_ERROR_RECEIVED){
                PKIX_DECREF(reversedList);
        }

        PKIX_RETURN(LIST);
}
PKIX_List *
createCertChain(
        char *dirName,
        char *firstCertFileName,
        char *secondCertFileName,
        void *plContext)
{
        PKIX_PL_Cert *firstCert = NULL;
        PKIX_PL_Cert *secondCert = NULL;
        PKIX_List *certList = NULL;

        PKIX_TEST_STD_VARS();

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certList, plContext));

        firstCert = createCert(dirName, firstCertFileName, plContext);

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
                (certList, (PKIX_PL_Object *)firstCert, plContext));

        if (secondCertFileName){
                secondCert = createCert(dirName, secondCertFileName, plContext);

                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
                        (certList, (PKIX_PL_Object *)secondCert, plContext));
        }

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
                                    (certList, plContext));

cleanup:

        if (PKIX_TEST_ERROR_RECEIVED){
                PKIX_TEST_DECREF_AC(certList);
        }

        PKIX_TEST_DECREF_AC(firstCert);
        PKIX_TEST_DECREF_AC(secondCert);

        PKIX_TEST_RETURN();

        return (certList);
}
PKIX_List *
createCertChainPlus(
        char *dirName,
        char *certNames[],
        PKIX_PL_Cert *certs[],
        PKIX_UInt32 numCerts,
        void *plContext)
{
        PKIX_List *certList = NULL;
        PKIX_UInt32 i;

        PKIX_TEST_STD_VARS();

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certList, plContext));

        for (i = 0; i < numCerts; i++) {

                certs[i] = createCert(dirName, certNames[i], plContext);

                /* Create Cert may fail */
                if (certs[i] == NULL) {
                        PKIX_TEST_DECREF_BC(certList);
                        goto cleanup;
                }

                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
                                            (certList,
                                            (PKIX_PL_Object *)certs[i],
                                            plContext));
        }

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
                                    (certList, plContext));

cleanup:

        if (PKIX_TEST_ERROR_RECEIVED){
                PKIX_TEST_DECREF_AC(certList);
        }

        for (i = 0; i < numCerts; i++) {
                PKIX_TEST_DECREF_AC(certs[i]);
        }

        PKIX_TEST_RETURN();

        return (certList);

}
Esempio n. 11
0
/*
 * FUNCTION: pkix_pl_OID_GetCriticalExtensionOIDs
 * DESCRIPTION:
 *
 *  Converts the extensions in "extensions" array that are critical to
 *  PKIX_PL_OID and returns the result as a PKIX_List in "pPidList".
 *  If there is no critical extension, an empty list is returned.
 *
 * PARAMETERS
 *  "extension"
 *      an array of extension pointers. May be NULL.
 *  "pOidsList"
 *      Address where the list of OIDs is returned. Must be non-NULL.
 * THREAD SAFETY:
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a CRL Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 */
PKIX_Error *
pkix_pl_OID_GetCriticalExtensionOIDs(
        CERTCertExtension **extensions,
        PKIX_List **pOidsList,
        void *plContext)
{
        PKIX_List *oidsList = NULL;
        PKIX_PL_OID *pkixOID = NULL;

        PKIX_ENTER(OID, "pkix_pl_OID_GetCriticalExtensionOIDs");
        PKIX_NULLCHECK_ONE(pOidsList);

        PKIX_CHECK(PKIX_List_Create(&oidsList, plContext),
                    PKIX_LISTCREATEFAILED);

        if (extensions) {
            while (*extensions) {
                CERTCertExtension *extension = NULL;
                SECItem *critical = NULL;
                SECItem *oid = NULL;

                extension = *extensions++;
                /* extension is critical ? */
                critical = &extension->critical;
                if (critical->len == 0 || critical->data[0] == 0) {
                    continue;
                }
                oid = &extension->id;
                PKIX_CHECK(
                    PKIX_PL_OID_CreateBySECItem(oid, &pkixOID, plContext),
                    PKIX_OIDCREATEFAILED);
                PKIX_CHECK(
                    PKIX_List_AppendItem(oidsList, (PKIX_PL_Object *)pkixOID,
                                         plContext),
                    PKIX_LISTAPPENDITEMFAILED);
                PKIX_DECREF(pkixOID);
            }
        }

        *pOidsList = oidsList;
        oidsList = NULL;
        
cleanup:
        PKIX_DECREF(oidsList);
        PKIX_DECREF(pkixOID);
        PKIX_RETURN(OID);
}
Esempio n. 12
0
/*
 * FUNCTION: pkix_EkuChecker_Initialize
 * (see comments in pkix_sample_modules.h)
 */
PKIX_Error *
PKIX_EkuChecker_Create(
        PKIX_ProcessingParams *params,
        PKIX_CertChainChecker **pEkuChecker,
        void *plContext)
{
        pkix_EkuChecker *state = NULL;
        PKIX_List *critExtOIDsList = NULL;

        PKIX_ENTER(EKUCHECKER, "PKIX_EkuChecker_Initialize");
        PKIX_NULLCHECK_ONE(params);

        /*
         * This function and functions in this file provide an example of how
         * an application defined checker can be hooked into libpkix.
         */

        PKIX_CHECK(pkix_EkuChecker_Create
                    (params, &state, plContext),
                    PKIX_EKUCHECKERSTATECREATEFAILED);

        PKIX_CHECK(PKIX_List_Create(&critExtOIDsList, plContext),
                    PKIX_LISTCREATEFAILED);

        PKIX_CHECK(PKIX_List_AppendItem
                    (critExtOIDsList,
                    (PKIX_PL_Object *)state->ekuOID,
                    plContext),
                    PKIX_LISTAPPENDITEMFAILED);

        PKIX_CHECK(PKIX_CertChainChecker_Create
                (pkix_EkuChecker_Check,
                PKIX_TRUE,                 /* forwardCheckingSupported */
                PKIX_FALSE,                /* forwardDirectionExpected */
                critExtOIDsList,
                (PKIX_PL_Object *) state,
                pEkuChecker,
                plContext),
                PKIX_CERTCHAINCHECKERCREATEFAILED);
cleanup:

        PKIX_DECREF(critExtOIDsList);
        PKIX_DECREF(state);

        PKIX_RETURN(EKUCHECKER);
}
Esempio n. 13
0
/*
 * FUNCTION: pkix_PolicyNode_AddToParent
 * DESCRIPTION:
 *
 *  Adds the PolicyNode pointed to by "child" to the List of children of
 *  the PolicyNode pointed to by "parentNode". If "parentNode" had a
 *  NULL pointer for the List of children, a new List is created containing
 *  "child". Otherwise "child" is appended to the existing List. The
 *  parent field in "child" is set to "parent", and the depth field is
 *  set to one more than the corresponding value in "parent".
 *
 *  Depth, in this context, means distance from the root node, which
 *  is at depth zero.
 *
 * PARAMETERS:
 *  "parentNode"
 *      Address of PolicyNode whose List of child PolicyNodes is to be
 *      created or appended to. Must be non-NULL.
 *  "child"
 *      Address of PolicyNode to be added to parentNode's List. Must be
 *      non-NULL.
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a PolicyNode Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 */
PKIX_Error *
pkix_PolicyNode_AddToParent(
    PKIX_PolicyNode *parentNode,
    PKIX_PolicyNode *child,
    void *plContext)
{
    PKIX_List *listOfChildren = NULL;

    PKIX_ENTER(CERTPOLICYNODE, "pkix_PolicyNode_AddToParent");

    PKIX_NULLCHECK_TWO(parentNode, child);

    listOfChildren = parentNode->children;
    if (listOfChildren == NULL) {
        PKIX_CHECK(PKIX_List_Create(&listOfChildren, plContext),
                   PKIX_LISTCREATEFAILED);
        parentNode->children = listOfChildren;
    }

    /*
     * Note: this link is not reference-counted. The link from parent
     * to child is counted (actually, the parent "owns" a List which
     * "owns" children), but the children do not "own" the parent.
     * Otherwise, there would be loops.
     */
    child->parent = parentNode;

    child->depth = 1 + (parentNode->depth);

    PKIX_CHECK(PKIX_List_AppendItem
               (listOfChildren, (PKIX_PL_Object *)child, plContext),
               PKIX_COULDNOTAPPENDCHILDTOPARENTSPOLICYNODELIST);

    PKIX_CHECK(PKIX_PL_Object_InvalidateCache
               ((PKIX_PL_Object *)parentNode, plContext),
               PKIX_OBJECTINVALIDATECACHEFAILED);

    PKIX_CHECK(PKIX_PL_Object_InvalidateCache
               ((PKIX_PL_Object *)child, plContext),
               PKIX_OBJECTINVALIDATECACHEFAILED);

cleanup:

    PKIX_RETURN(CERTPOLICYNODE);
}
static
void test_CreateOIDList(PKIX_List *certPolicyInfos, PKIX_List **pPolicyOIDs)
{
        PKIX_UInt32 i = 0;
        PKIX_UInt32 numInfos = 0;
        PKIX_PL_CertPolicyInfo *certPolicyInfo = NULL;
        PKIX_PL_OID *policyOID = NULL;
        PKIX_List *certPolicies = NULL;

        PKIX_TEST_STD_VARS();

        /* Convert from List of CertPolicyInfos to List of OIDs */
        if (certPolicyInfos) {
                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
                        (certPolicyInfos, &numInfos, plContext));
        }

        if (numInfos > 0) {
                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
                        (&certPolicies, plContext));
        }
        for (i = 0; i < numInfos; i++) {
            PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
                (certPolicyInfos,
                i,
                (PKIX_PL_Object **)&certPolicyInfo,
                plContext));
            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
                (certPolicyInfo, &policyOID, plContext));
            PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
                (certPolicies, (PKIX_PL_Object *)policyOID, plContext));
            PKIX_TEST_DECREF_BC(certPolicyInfo);
            PKIX_TEST_DECREF_BC(policyOID);
        }

        *pPolicyOIDs = certPolicies;

cleanup:

        PKIX_TEST_DECREF_AC(certPolicyInfo);
        PKIX_TEST_DECREF_AC(policyOID);

        PKIX_TEST_RETURN();
}
Esempio n. 15
0
/*
 * FUNCTION: pkix_List_AppendList
 * DESCRIPTION:
 *
 *  Append items on "fromList" to the "toList". Item reference count on
 *  "toList" is not incremented, but items appended from "fromList" are
 *  incremented.
 *
 * PARAMETERS:
 *  "toList"
 *      Address of list to be appended to. Must be non-NULL.
 *  "fromList"
 *      Address of list to be appended from. May be NULL or empty.
 *  "plContext"
 *      platform-specific context pointer
 * THREAD SAFETY:
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 * RETURNS:
 *  Returns NULL if the function succeeds
 *  Returns a List Error if the functions fails in a non-fatal way
 *  Returns a Fatal Error if the function fails in an unrecoverable way
 */
PKIX_Error *
pkix_List_AppendList(
        PKIX_List *toList,
        PKIX_List *fromList,
        void *plContext)
{
        PKIX_PL_Object *item = NULL;
        PKIX_UInt32 numItems = 0;
        PKIX_UInt32 i;

        PKIX_ENTER(LIST, "pkix_List_AppendList");
        PKIX_NULLCHECK_ONE(toList);

        /* if fromList is NULL or is an empty list, no action */

        if (fromList == NULL) {
                goto cleanup;
        }

        PKIX_CHECK(PKIX_List_GetLength(fromList, &numItems, plContext),
                    PKIX_LISTGETLENGTHFAILED);

        if (numItems == 0) {
                goto cleanup;
        }

        for (i = 0; i < numItems; i++) {

                PKIX_CHECK(PKIX_List_GetItem
                        (fromList, i, &item, plContext),
                        PKIX_LISTGETITEMFAILED);

                PKIX_CHECK(PKIX_List_AppendItem(toList, item, plContext),
                            PKIX_LISTAPPENDITEMFAILED);

                PKIX_DECREF(item);
        }

cleanup:

        PKIX_DECREF(item);

        PKIX_RETURN(LIST);
}
Esempio n. 16
0
static
void testGetSetInitialPolicies(
        PKIX_ProcessingParams *goodObject,
        char *asciiPolicyOID)
{
        PKIX_PL_OID *policyOID = NULL;
        PKIX_List* setPolicyList = NULL;
        PKIX_List* getPolicyList = NULL;

        PKIX_TEST_STD_VARS();
        subTest("PKIX_ProcessingParams_Get/SetInitialPolicies");

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
                (asciiPolicyOID, &policyOID, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setPolicyList, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
                (setPolicyList, (PKIX_PL_Object *)policyOID, plContext));

        PKIX_TEST_EXPECT_NO_ERROR
                (PKIX_List_SetImmutable(setPolicyList, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetInitialPolicies
                (goodObject, setPolicyList, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetInitialPolicies
                (goodObject, &getPolicyList, plContext));

        testEqualsHelper
                ((PKIX_PL_Object *)setPolicyList,
                (PKIX_PL_Object *)getPolicyList,
                PKIX_TRUE,
                plContext);

cleanup:
        PKIX_TEST_DECREF_AC(policyOID);
        PKIX_TEST_DECREF_AC(setPolicyList);
        PKIX_TEST_DECREF_AC(getPolicyList);

        PKIX_TEST_RETURN();
}
Esempio n. 17
0
/*
 * FUNCTION: pkix_List_AppendUnique
 * DESCRIPTION:
 *
 *  Adds each Object in the List pointed to by "fromList" to the List pointed
 *  to by "toList", if it is not already a member of that List. In other words,
 *  "toList" becomes the union of the two sets.
 *
 * PARAMETERS:
 *  "toList"
 *      Address of a List of Objects to be augmented by "fromList". Must be
 *      non-NULL, but may be empty.
 *  "fromList"
 *      Address of a List of Objects to be added, if not already present, to
 *      "toList". Must be non-NULL, but may be empty.
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Not Thread Safe - assumes exclusive access to "toList"
 *  (see Thread Safety Definitions in Programmer's Guide)
 * RETURNS:
 *  Returns NULL if the function succeeds
 *  Returns a Fatal Error if the function fails in an unrecoverable way
 */
PKIX_Error *
pkix_List_AppendUnique(
        PKIX_List *toList,
        PKIX_List *fromList,
        void *plContext)
{
        PKIX_Boolean isContained = PKIX_FALSE;
        PKIX_UInt32 listLen = 0;
        PKIX_UInt32 listIx = 0;
        PKIX_PL_Object *object = NULL;

        PKIX_ENTER(BUILD, "pkix_List_AppendUnique");
        PKIX_NULLCHECK_TWO(fromList, toList);

        PKIX_CHECK(PKIX_List_GetLength(fromList, &listLen, plContext),
                PKIX_LISTGETLENGTHFAILED);

        for (listIx = 0; listIx < listLen; listIx++) {

                PKIX_CHECK(PKIX_List_GetItem
                        (fromList, listIx, &object, plContext),
                        PKIX_LISTGETITEMFAILED);

                PKIX_CHECK(pkix_List_Contains
                        (toList, object, &isContained, plContext),
                        PKIX_LISTCONTAINSFAILED);

                if (isContained == PKIX_FALSE) {
                        PKIX_CHECK(PKIX_List_AppendItem
                                (toList, object, plContext),
                                PKIX_LISTAPPENDITEMFAILED);
                }

                PKIX_DECREF(object);
        }

cleanup:

        PKIX_DECREF(object);

        PKIX_RETURN(LIST);
}
Esempio n. 18
0
/*
 * FUNCTION: pkix_VerifyNode_AddToTree
 * DESCRIPTION:
 *
 *  Adds the VerifyNode pointed to by "child" to the List of children of the
 *  VerifyNode pointed to by "parentNode". If "parentNode" has a NULL pointer
 *  for the List of children, a new List is created containing "child".
 *  Otherwise "child" is appended to the existing List. The depth field of
 *  "child" is set to one more than the corresponding value in "parent", and
 *  if the "child" itself has child nodes, their depth fields are updated
 *  accordingly.
 *
 *  Depth, in this context, means distance from the root node, which
 *  is at depth zero.
 *
 * PARAMETERS:
 *  "parentNode"
 *      Address of VerifyNode whose List of child VerifyNodes is to be
 *      created or appended to. Must be non-NULL.
 *  "child"
 *      Address of VerifyNode to be added to parentNode's List. Must be
 *      non-NULL.
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 */
PKIX_Error *
pkix_VerifyNode_AddToTree(
        PKIX_VerifyNode *parentNode,
        PKIX_VerifyNode *child,
        void *plContext)
{
        PKIX_List *listOfChildren = NULL;
        PKIX_UInt32 parentDepth = 0;

        PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_AddToTree");
        PKIX_NULLCHECK_TWO(parentNode, child);

        parentDepth = parentNode->depth;
        listOfChildren = parentNode->children;
        if (listOfChildren == NULL) {

                PKIX_CHECK(PKIX_List_Create(&listOfChildren, plContext),
                        PKIX_LISTCREATEFAILED);

                parentNode->children = listOfChildren;
        }

        child->depth = parentDepth + 1;

        PKIX_CHECK(PKIX_List_AppendItem
                (parentNode->children, (PKIX_PL_Object *)child, plContext),
                PKIX_COULDNOTAPPENDCHILDTOPARENTSVERIFYNODELIST);

        if (child->children != NULL) {
                PKIX_CHECK(pkix_VerifyNode_SetDepth
                        (child->children, child->depth + 1, plContext),
                        PKIX_VERIFYNODESETDEPTHFAILED);
        }


cleanup:

        PKIX_RETURN(VERIFYNODE);
}
Esempio n. 19
0
/*
 * FUNCTION: PKIX_ProcessingParams_AddCertChainCheckers
 * (see comments in pkix_params.h)
 */
PKIX_Error *
PKIX_ProcessingParams_AddCertChainChecker(
        PKIX_ProcessingParams *params,
        PKIX_CertChainChecker *checker,
        void *plContext)
{
        PKIX_List *list = NULL;

        PKIX_ENTER(PROCESSINGPARAMS,
                   "PKIX_ProcessingParams_AddCertChainChecker");
        PKIX_NULLCHECK_TWO(params, checker);

        if (params->certChainCheckers == NULL) {

                PKIX_CHECK(PKIX_List_Create(&list, plContext),
                    PKIX_LISTCREATEFAILED);

                params->certChainCheckers = list;
        }

        PKIX_CHECK(PKIX_List_AppendItem
            (params->certChainCheckers, (PKIX_PL_Object *)checker, plContext),
            PKIX_LISTAPPENDITEMFAILED);

        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
            ((PKIX_PL_Object *)params, plContext),
            PKIX_OBJECTINVALIDATECACHEFAILED);

        list = NULL;

cleanup:

        if (list && params) {
            PKIX_DECREF(params->certChainCheckers);
        }

        PKIX_RETURN(PROCESSINGPARAMS);
}
Esempio n. 20
0
/*
 * FUNCTION: pkix_pl_CRL_CreateToList
 * DESCRIPTION:
 *
 *  This function decodes a DER-encoded Certificate Revocation List pointed to
 *  by "derCrlItem", adding the resulting PKIX_PL_CRL, if the decoding was
 *  successful, to the List (possibly empty) pointed to by "crlList".
 *
 * PARAMETERS:
 *  "derCrlItem"
 *      The address of the SECItem containing the DER-encoded Certificate
 *      Revocation List. Must be non-NULL.
 *  "crlList"
 *      The address of the List to which the decoded CRL is added. May be
 *      empty, but must be non-NULL.
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a CertStore Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 */
PKIX_Error *
pkix_pl_CRL_CreateToList(
    SECItem *derCrlItem,
    PKIX_List *crlList,
    void *plContext)
{
    CERTSignedCrl *nssCrl = NULL;
    PKIX_PL_CRL *crl = NULL;

    PKIX_ENTER(CRL, "pkix_pl_CRL_CreateToList");
    PKIX_NULLCHECK_TWO(derCrlItem, crlList);

    nssCrl = CERT_DecodeDERCrl(NULL, derCrlItem, SEC_CRL_TYPE);
    if (nssCrl == NULL) {
        goto cleanup;
    }

    PKIX_CHECK(pkix_pl_CRL_CreateWithSignedCRL
               (nssCrl, &crl, plContext),
               PKIX_CRLCREATEWITHSIGNEDCRLFAILED);

    nssCrl = NULL;

    PKIX_CHECK(PKIX_List_AppendItem
               (crlList, (PKIX_PL_Object *) crl, plContext),
               PKIX_LISTAPPENDITEMFAILED);

cleanup:
    if (nssCrl) {
        SEC_DestroyCrl(nssCrl);
    }

    PKIX_DECREF(crl);

    PKIX_RETURN(CRL);
}
/*
 * FUNCTION: pkix_pl_LdapCertStore_BuildCrlList
 * DESCRIPTION:
 *
 *  This function takes a List of LdapResponse objects pointed to by
 *  "responseList" and extracts and decodes the CRLs in those responses, storing
 *  the List of those CRLs at "pCrls". If none of the objects can be decoded
 *  into a CRL, the returned List is empty.
 *
 * PARAMETERS:
 *  "responseList"
 *      The address of the List of LdapResponses. Must be non-NULL.
 *  "pCrls"
 *      The address at which the result is stored. Must be non-NULL.
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a CertStore Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 */
PKIX_Error *
pkix_pl_LdapCertStore_BuildCrlList(
        PKIX_List *responseList,
        PKIX_List **pCrls,
        void *plContext)
{
        PKIX_UInt32 numResponses = 0;
        PKIX_UInt32 respIx = 0;
        LdapAttrMask attrBits = 0;
        CERTSignedCrl *nssCrl = NULL;
        PKIX_PL_LdapResponse *response = NULL;
        PKIX_List *crlList = NULL;
        PKIX_PL_CRL *crl = NULL;
        LDAPMessage *message = NULL;
        LDAPSearchResponseEntry *sre = NULL;
        LDAPSearchResponseAttr **sreAttrArray = NULL;
        LDAPSearchResponseAttr *sreAttr = NULL;
        SECItem *attrType = NULL;
        SECItem **attrVal = NULL;
        SECItem *derCrlCopy = NULL;
        SECItem *derCrlItem = NULL;

        PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_BuildCrlList");
        PKIX_NULLCHECK_TWO(responseList, pCrls);

        PKIX_CHECK(PKIX_List_Create(&crlList, plContext),
                PKIX_LISTCREATEFAILED);

        /* extract crls from response */
        PKIX_CHECK(PKIX_List_GetLength
                (responseList, &numResponses, plContext),
                PKIX_LISTGETLENGTHFAILED);

        for (respIx = 0; respIx < numResponses; respIx++) {
                PKIX_CHECK(PKIX_List_GetItem
                        (responseList,
                        respIx,
                        (PKIX_PL_Object **)&response,
                        plContext),
                        PKIX_LISTGETITEMFAILED);

                PKIX_CHECK(pkix_pl_LdapResponse_GetMessage
                        (response, &message, plContext),
                        PKIX_LDAPRESPONSEGETMESSAGEFAILED);

                sre = &(message->protocolOp.op.searchResponseEntryMsg);
                sreAttrArray = sre->attributes;

                /* Get next element of null-terminated array */
                sreAttr = *sreAttrArray++;
                while (sreAttr != NULL) {
                    attrType = &(sreAttr->attrType);
                    PKIX_CHECK(pkix_pl_LdapRequest_AttrTypeToBit
                        (attrType, &attrBits, plContext),
                        PKIX_LDAPREQUESTATTRTYPETOBITFAILED);
                    /* Is this attrVal a Revocation List? */
                    if (((LDAPATTR_CERTREVLIST | LDAPATTR_AUTHREVLIST) &
                            attrBits) == attrBits) {
                        attrVal = sreAttr->val;
                        derCrlItem = *attrVal++;
                        while (derCrlItem != 0) {
                            /* create a PKIX_PL_Crl from derCrl */
                            derCrlCopy = SECITEM_DupItem(derCrlItem);
                            if (!derCrlCopy) {
                                PKIX_ERROR(PKIX_ALLOCERROR);
                            }
                            /* crl will be based on derCrlCopy, but wont
                             * own the der. */
                            nssCrl =
                                CERT_DecodeDERCrlWithFlags(NULL, derCrlCopy,
                                                       SEC_CRL_TYPE,
                                                       CRL_DECODE_DONT_COPY_DER |
                                                       CRL_DECODE_SKIP_ENTRIES);
                            if (!nssCrl) {
                                SECITEM_FreeItem(derCrlCopy, PKIX_TRUE);
                                continue;
                            }
                            /* pkix crl own the der. */
                            PKIX_CHECK(
                                pkix_pl_CRL_CreateWithSignedCRL(nssCrl, 
                                       derCrlCopy, NULL, &crl, plContext),
                                PKIX_CRLCREATEWITHSIGNEDCRLFAILED);
                            /* Left control over memory pointed by derCrlCopy and
                             * nssCrl to pkix crl. */
                            derCrlCopy = NULL;
                            nssCrl = NULL;
                            PKIX_CHECK(PKIX_List_AppendItem
                                       (crlList, (PKIX_PL_Object *) crl, plContext),
                                       PKIX_LISTAPPENDITEMFAILED);
                            PKIX_DECREF(crl);
                            derCrlItem = *attrVal++;
                        }
                        /* Clean up after PKIX_CHECK_ONLY_FATAL */
                        pkixTempErrorReceived = PKIX_FALSE;
                    }
                    sreAttr = *sreAttrArray++;
                }
                PKIX_DECREF(response);
        }

        *pCrls = crlList;
        crlList = NULL;
cleanup:
        if (derCrlCopy) {
            SECITEM_FreeItem(derCrlCopy, PKIX_TRUE);
        }
        if (nssCrl) {
            SEC_DestroyCrl(nssCrl);
        }
        PKIX_DECREF(crl);
        PKIX_DECREF(crlList);
        PKIX_DECREF(response);

        PKIX_RETURN(CERTSTORE);
}
static
PKIX_List *policySetParse(char *policyString)
{
        char *p = NULL;
        char *oid = NULL;
        char c = '\0';
        PKIX_Boolean validString = PKIX_FALSE;
        PKIX_PL_OID *plOID = NULL;
        PKIX_List *policySet = NULL;

        PKIX_TEST_STD_VARS();

        p = policyString;

        /*
         * There may or may not be quotes around the initial-policy-set
         * string. If they are omitted, dbx will strip off the curly braces.
         * If they are included, dbx will strip off the quotes, but if you
         * are running directly from a script, without dbx, the quotes will
         * not be stripped. We need to be able to handle both cases.
         */
        if (*p == '"') {
                p++;
        }

        if ('{' != *p++) {
                return (NULL);
        }
        oid = p;

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&policySet, plContext));

        /* scan to the end of policyString */
        while (!validString) {
                /* scan to the end of the current OID string */
                c = *oid;
                while ((c != '\0') && (c != ':') && (c != '}')) {
                        c = *++oid;
                }

                if ((c != ':') || (c != '}')) {
                        *oid = '\0'; /* store a null terminator */
                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
                                (p, &plOID, plContext));

                        PKIX_TEST_EXPECT_NO_ERROR
                                (PKIX_List_AppendItem
                                (policySet,
                                (PKIX_PL_Object *)plOID,
                                plContext));

                        PKIX_TEST_DECREF_BC(plOID);
                        plOID = NULL;
                        if (c == '}') {
                                /*
                                * Any exit but this one means
                                * we were given a badly-formed string.
                                */
                                validString = PKIX_TRUE;
                        }
                        p = ++oid;
                }
        }


cleanup:
        if (!validString) {
                PKIX_TEST_DECREF_AC(plOID);
                PKIX_TEST_DECREF_AC(policySet);
                policySet = NULL;
        }

        PKIX_TEST_RETURN();

        return (policySet);
}
/*
 * FUNCTION: PKIX_RevocationChecker_CreateAndAddMethod
 */
PKIX_Error *
PKIX_RevocationChecker_CreateAndAddMethod(
    PKIX_RevocationChecker *revChecker,
    PKIX_ProcessingParams *params,
    PKIX_RevocationMethodType methodType,
    PKIX_UInt32 flags,
    PKIX_UInt32 priority,
    PKIX_PL_VerifyCallback verificationFn,
    PKIX_Boolean isLeafMethod,
    void *plContext)
{
    PKIX_List **methodList = NULL;
    PKIX_List  *unsortedList = NULL;
    PKIX_List  *certStores = NULL;
    pkix_RevocationMethod *method = NULL;
    pkix_LocalRevocationCheckFn *localRevChecker = NULL;
    pkix_ExternalRevocationCheckFn *externRevChecker = NULL;
    PKIX_UInt32 miFlags;
    
    PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_CreateAndAddMethod");
    PKIX_NULLCHECK_ONE(revChecker);

    /* If the caller has said "Either one is sufficient, then don't let the 
     * absence of any one method's info lead to an overall failure.
     */
    miFlags = isLeafMethod ? revChecker->leafMethodListFlags 
	                   : revChecker->chainMethodListFlags;
    if (miFlags & PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE)
	flags &= ~PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;

    switch (methodType) {
    case PKIX_RevocationMethod_CRL:
        localRevChecker = pkix_CrlChecker_CheckLocal;
        externRevChecker = pkix_CrlChecker_CheckExternal;
        PKIX_CHECK(
            PKIX_ProcessingParams_GetCertStores(params, &certStores,
                                                plContext),
            PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);
        PKIX_CHECK(
            pkix_CrlChecker_Create(methodType, flags, priority,
                                   localRevChecker, externRevChecker,
                                   certStores, verificationFn,
                                   &method,
                                   plContext),
            PKIX_COULDNOTCREATECRLCHECKEROBJECT);
        break;
    case PKIX_RevocationMethod_OCSP:
        localRevChecker = pkix_OcspChecker_CheckLocal;
        externRevChecker = pkix_OcspChecker_CheckExternal;
        PKIX_CHECK(
            pkix_OcspChecker_Create(methodType, flags, priority,
                                    localRevChecker, externRevChecker,
                                    verificationFn,
                                    &method,
                                    plContext),
            PKIX_COULDNOTCREATEOCSPCHECKEROBJECT);
        break;
    default:
        PKIX_ERROR(PKIX_INVALIDREVOCATIONMETHOD);
    }

    if (isLeafMethod) {
        methodList = &revChecker->leafMethodList;
    } else {
        methodList = &revChecker->chainMethodList;
    }
    
    if (*methodList == NULL) {
        PKIX_CHECK(
            PKIX_List_Create(methodList, plContext),
            PKIX_LISTCREATEFAILED);
    }
    unsortedList = *methodList;
    PKIX_CHECK(
        PKIX_List_AppendItem(unsortedList, (PKIX_PL_Object*)method, plContext),
        PKIX_LISTAPPENDITEMFAILED);
    PKIX_CHECK(
        pkix_List_BubbleSort(unsortedList, 
                             pkix_RevocationChecker_SortComparator,
                             methodList, plContext),
        PKIX_LISTBUBBLESORTFAILED);

cleanup:
    PKIX_DECREF(method);
    PKIX_DECREF(unsortedList);
    PKIX_DECREF(certStores);
    
    PKIX_RETURN(REVOCATIONCHECKER);
}
static
void testNistTest2(char *dirName)
{
#define PKIX_TEST_NUM_CERTS     2
        char *trustAnchor =
                "TrustAnchorRootCertificate.crt";
        char *intermediateCert =
                "GoodCACert.crt";
        char *endEntityCert =
                "ValidCertificatePathTest1EE.crt";
        char *certNames[PKIX_TEST_NUM_CERTS];
        char *asciiNist1Policy = "2.16.840.1.101.3.2.1.48.1";
        PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL };

        PKIX_ValidateParams *valParams = NULL;
        PKIX_ValidateResult *valResult = NULL;
        PKIX_List *chain = NULL;
        PKIX_PL_OID *Nist1PolicyOID = NULL;
        PKIX_List *initialPolicies = NULL;
        char *anchorName = NULL;

        PKIX_TEST_STD_VARS();

        subTest("testNistTest2: Creating the cert chain");
        /*
         * Create a chain, but don't include the first certName.
         * That's the anchor, and is supplied separately from
         * the chain.
         */
        certNames[0] = intermediateCert;
        certNames[1] = endEntityCert;
        chain = createCertChainPlus
                (dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext);

        subTest("testNistTest2: Creating the Validate Parameters");
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
                (asciiNist1Policy, &Nist1PolicyOID, plContext));
        PKIX_TEST_EXPECT_NO_ERROR
                (PKIX_List_Create(&initialPolicies, plContext));
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
                (initialPolicies, (PKIX_PL_Object *)Nist1PolicyOID, plContext));
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
                (initialPolicies, plContext));

        valParams = createValidateParams
                (dirName,
                trustAnchor,
                NULL,
                NULL,
                initialPolicies,
                PKIX_FALSE,
                PKIX_FALSE,
                PKIX_FALSE,
                PKIX_FALSE,
                chain,
                plContext);

        subTest("testNistTest2: Validating the chain");
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
                (valParams, &valResult, NULL, plContext));


cleanup:

        PKIX_PL_Free(anchorName, plContext);

        PKIX_TEST_DECREF_AC(Nist1PolicyOID);
        PKIX_TEST_DECREF_AC(initialPolicies);
        PKIX_TEST_DECREF_AC(valParams);
        PKIX_TEST_DECREF_AC(valResult);
        PKIX_TEST_DECREF_AC(chain);

        PKIX_TEST_RETURN();
}
Esempio n. 25
0
int
test_buildchain(int argc, char *argv[])
{
    PKIX_BuildResult *buildResult = NULL;
    PKIX_ComCertSelParams *certSelParams = NULL;
    PKIX_CertSelector *certSelector = NULL;
    PKIX_TrustAnchor *anchor = NULL;
    PKIX_PL_PublicKey *trustedPubKey = NULL;
    PKIX_List *anchors = NULL;
    PKIX_List *certs = NULL;
    PKIX_RevocationChecker *revChecker = NULL;
    PKIX_PL_Cert *cert = NULL;
    PKIX_ProcessingParams *procParams = NULL;
    char *dirName = NULL;
    PKIX_PL_String *dirNameString = NULL;
    PKIX_PL_Cert *trustedCert = NULL;
    PKIX_PL_Cert *targetCert = NULL;
    PKIX_UInt32 actualMinorVersion = 0;
    PKIX_UInt32 numCerts = 0;
    PKIX_UInt32 i = 0;
    PKIX_UInt32 j = 0;
    PKIX_UInt32 k = 0;
    PKIX_CertStore *ldapCertStore = NULL;
    PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; /* blocking */
    /* PRIntervalTime timeout = PR_INTERVAL_NO_WAIT; =0 for non-blocking */
    PKIX_CertStore *certStore = NULL;
    PKIX_List *certStores = NULL;
    PKIX_List *revCheckers = NULL;
    char *asciiResult = NULL;
    PKIX_Boolean result = PKIX_FALSE;
    PKIX_Boolean testValid = PKIX_TRUE;
    PKIX_List *expectedCerts = NULL;
    PKIX_PL_Cert *dirCert = NULL;
    PKIX_VerifyNode *verifyTree = NULL;
    PKIX_PL_String *verifyString = NULL;
    PKIX_PL_String *actualCertsString = NULL;
    PKIX_PL_String *expectedCertsString = NULL;
    void *state = NULL;
    char *actualCertsAscii = NULL;
    char *expectedCertsAscii = NULL;
    PRPollDesc *pollDesc = NULL;

    PKIX_TEST_STD_VARS();

    if (argc < 5) {
        printUsage();
        return (0);
    }

    startTests("BuildChain");

    PKIX_TEST_EXPECT_NO_ERROR(
        PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));

    /*
         * arguments:
         * [optional] -arenas
         * [optional] usebind
         *            servername or servername:port ( - for no server)
         *            testname
         *            EE or ENE
         *            cert directory
         *            target cert (end entity)
         *            intermediate certs
         *            trust anchor
         */

    /* optional argument "usebind" for Ldap CertStore */
    if (argv[j + 1]) {
        if (PORT_Strcmp(argv[j + 1], "usebind") == 0) {
            usebind = PKIX_TRUE;
            j++;
        }
    }

    if (PORT_Strcmp(argv[++j], "-") == 0) {
        useLDAP = PKIX_FALSE;
    } else {
        serverName = argv[j];
        useLDAP = PKIX_TRUE;
    }

    subTest(argv[++j]);

    /* ENE = expect no error; EE = expect error */
    if (PORT_Strcmp(argv[++j], "ENE") == 0) {
        testValid = PKIX_TRUE;
    } else if (PORT_Strcmp(argv[j], "EE") == 0) {
        testValid = PKIX_FALSE;
    } else {
        printUsage();
        return (0);
    }

    dirName = argv[++j];

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));

    for (k = ++j; k < (PKIX_UInt32)argc; k++) {

        dirCert = createCert(dirName, argv[k], plContext);

        if (k == (PKIX_UInt32)(argc - 1)) {
            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
            trustedCert = dirCert;
        } else {

            PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts,
                                                           (PKIX_PL_Object *)dirCert,
                                                           plContext));

            if (k == j) {
                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
                targetCert = dirCert;
            }
        }

        PKIX_TEST_DECREF_BC(dirCert);
    }

    /* create processing params with list of trust anchors */

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));

    /* create CertSelector with target certificate in params */

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));

    /* create CertStores */

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, dirName, 0, &dirNameString, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));

    if (useLDAP == PKIX_TRUE) {
        PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore(serverName, timeout, &ldapCertStore, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores,
                                                       (PKIX_PL_Object *)ldapCertStore,
                                                       plContext));
    } else {
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext));
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext));
    }

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(trustedCert, &trustedPubKey, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(expectedCerts, &numCerts, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize(certStores,
                                                                NULL, /* testDate, may be NULL */
                                                                trustedPubKey,
                                                                numCerts,
                                                                &revChecker,
                                                                plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(revCheckers, (PKIX_PL_Object *)revChecker, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers(procParams, revCheckers, plContext));

#ifdef debuggingWithoutRevocation
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext));
#endif

    /* build cert chain using processing params and return buildResult */

    pkixTestErrorResult = PKIX_BuildChain(procParams,
                                          (void **)&pollDesc,
                                          &state,
                                          &buildResult,
                                          &verifyTree,
                                          plContext);

    while (pollDesc != NULL) {

        if (PR_Poll(pollDesc, 1, 0) < 0) {
            testError("PR_Poll failed");
        }

        pkixTestErrorResult = PKIX_BuildChain(procParams,
                                              (void **)&pollDesc,
                                              &state,
                                              &buildResult,
                                              &verifyTree,
                                              plContext);
    }

    if (pkixTestErrorResult) {
        if (testValid == PKIX_FALSE) { /* EE */
            (void)printf("EXPECTED ERROR RECEIVED!\n");
        } else { /* ENE */
            testError("UNEXPECTED ERROR RECEIVED");
        }
    } else {
        if (testValid == PKIX_TRUE) { /* ENE */
            (void)printf("EXPECTED NON-ERROR RECEIVED!\n");
        } else { /* EE */
            (void)printf("UNEXPECTED NON-ERROR RECEIVED!\n");
        }
    }

    subTest("Displaying VerifyNode objects");

    if (verifyTree == NULL) {
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, "(null)", 0, &verifyString, plContext));
    } else {
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext));
    }

    (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString);

    if (pkixTestErrorResult) {
        PKIX_TEST_DECREF_BC(pkixTestErrorResult);
        goto cleanup;
    }

    if (buildResult) {

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext));

        printf("\n");

        for (i = 0; i < numCerts; i++) {
            PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs,
                                                        i,
                                                        (PKIX_PL_Object **)&cert,
                                                        plContext));

            asciiResult = PKIX_Cert2ASCII(cert);

            printf("CERT[%d]:\n%s\n", i, asciiResult);

            /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, NULL));
            asciiResult = NULL;

            PKIX_TEST_DECREF_BC(cert);
        }

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)certs,
                                                        (PKIX_PL_Object *)expectedCerts,
                                                        &result,
                                                        plContext));

        if (!result) {
            testError("BUILT CERTCHAIN IS "
                      "NOT THE ONE THAT WAS EXPECTED");

            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)certs,
                                                              &actualCertsString,
                                                              plContext));

            actualCertsAscii = PKIX_String2ASCII(actualCertsString, plContext);
            if (actualCertsAscii == NULL) {
                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
                goto cleanup;
            }

            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)expectedCerts,
                                                              &expectedCertsString,
                                                              plContext));

            expectedCertsAscii = PKIX_String2ASCII(expectedCertsString, plContext);
            if (expectedCertsAscii == NULL) {
                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
                goto cleanup;
            }

            (void)printf("Actual value:\t%s\n", actualCertsAscii);
            (void)printf("Expected value:\t%s\n",
                         expectedCertsAscii);
        }
    }

cleanup:
    PKIX_TEST_DECREF_AC(verifyString);
    PKIX_TEST_DECREF_AC(verifyTree);

    PKIX_PL_Free(asciiResult, NULL);
    PKIX_PL_Free(actualCertsAscii, plContext);
    PKIX_PL_Free(expectedCertsAscii, plContext);

    PKIX_TEST_DECREF_AC(state);
    PKIX_TEST_DECREF_AC(actualCertsString);
    PKIX_TEST_DECREF_AC(expectedCertsString);
    PKIX_TEST_DECREF_AC(expectedCerts);
    PKIX_TEST_DECREF_AC(buildResult);
    PKIX_TEST_DECREF_AC(procParams);
    PKIX_TEST_DECREF_AC(certStores);
    PKIX_TEST_DECREF_AC(revCheckers);
    PKIX_TEST_DECREF_AC(revChecker);
    PKIX_TEST_DECREF_AC(ldapCertStore);
    PKIX_TEST_DECREF_AC(certStore);
    PKIX_TEST_DECREF_AC(dirNameString);
    PKIX_TEST_DECREF_AC(certSelParams);
    PKIX_TEST_DECREF_AC(certSelector);
    PKIX_TEST_DECREF_AC(anchors);
    PKIX_TEST_DECREF_AC(anchor);
    PKIX_TEST_DECREF_AC(trustedCert);
    PKIX_TEST_DECREF_AC(trustedPubKey);

    PKIX_TEST_DECREF_AC(certs);
    PKIX_TEST_DECREF_AC(cert);
    PKIX_TEST_DECREF_AC(targetCert);

    PKIX_TEST_RETURN();

    PKIX_Shutdown(plContext);

    endTests("BuildChain");

    return (0);
}
Esempio n. 26
0
static PKIX_Error *
testEkuSetup(
    PKIX_ValidateParams *valParams,
    char *ekuOidString,
    PKIX_Boolean *only4EE)
{
    PKIX_ProcessingParams *procParams = NULL;
    PKIX_List *ekuList = NULL;
    PKIX_PL_OID *ekuOid = NULL;
    PKIX_ComCertSelParams *selParams = NULL;
    PKIX_CertSelector *certSelector = NULL;
    PKIX_Boolean last_token = PKIX_FALSE;
    PKIX_UInt32 i, tokeni;

    PKIX_TEST_STD_VARS();

    subTest("PKIX_ValidateParams_GetProcessingParams");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
                              (valParams, &procParams, plContext));

    /* Get extended key usage OID(s) from command line, separated by ","  */

    if (ekuOidString[0] == '"') {
        /* erase doble quotes, if any */
        i = 1;
        while (ekuOidString[i] != '"' && ekuOidString[i] != '\0') {
            ekuOidString[i-1] = ekuOidString[i];
            i++;
        }
        ekuOidString[i-1] = '\0';
    }

    if (ekuOidString[0] == '\0') {
        ekuList = NULL;
    } else {

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
                                  (&ekuList, plContext));

        /* if OID string start with E, only check for last cert */
        if (ekuOidString[0] == 'E') {
            *only4EE = PKIX_TRUE;
            tokeni = 2;
            i = 1;
        } else {
            *only4EE = PKIX_FALSE;
            tokeni = 1;
            i = 0;
        }

        while (last_token != PKIX_TRUE) {
            while (ekuOidString[tokeni] != ',' &&
                    ekuOidString[tokeni] != '\0') {
                tokeni++;
            }
            if (ekuOidString[tokeni] == '\0') {
                last_token = PKIX_TRUE;
            } else {
                ekuOidString[tokeni] = '\0';
                tokeni++;
            }

            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
                                      (&ekuOidString[i], &ekuOid, plContext));

            PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
                                      (ekuList, (PKIX_PL_Object *)ekuOid, plContext));

            PKIX_TEST_DECREF_BC(ekuOid);
            i = tokeni;

        }

    }

    /* Set extended key usage link to processing params */

    subTest("PKIX_ComCertSelParams_Create");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
                              (&selParams, plContext));

    subTest("PKIX_ComCertSelParams_SetExtendedKeyUsage");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage
                              (selParams, ekuList, plContext));

    subTest("PKIX_CertSelector_Create");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
                              (testCertSelectorMatchCallback,
                               NULL,
                               &certSelector,
                               plContext));

    subTest("PKIX_CertSelector_SetCommonCertSelectorParams");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
                              (certSelector, selParams, plContext));

    subTest("PKIX_ProcessingParams_SetTargetCertConstraints");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints
                              (procParams, certSelector, plContext));

cleanup:

    PKIX_TEST_DECREF_AC(selParams);
    PKIX_TEST_DECREF_AC(certSelector);
    PKIX_TEST_DECREF_AC(procParams);
    PKIX_TEST_DECREF_AC(ekuOid);
    PKIX_TEST_DECREF_AC(ekuList);

    PKIX_TEST_RETURN();

    return (0);
}
int test_buildchain_uchecker(int argc, char *argv[])
{
        PKIX_BuildResult *buildResult = NULL;
        PKIX_ComCertSelParams *certSelParams = NULL;
        PKIX_CertSelector *certSelector = NULL;
        PKIX_TrustAnchor *anchor = NULL;
        PKIX_List *anchors = NULL;
        PKIX_List *certs = NULL;
        PKIX_PL_Cert *cert = NULL;
        PKIX_ProcessingParams *procParams = NULL;
        PKIX_CertChainChecker *checker = NULL;
        char *dirName = NULL;
        PKIX_PL_String *dirNameString = NULL;
        PKIX_PL_Cert *trustedCert = NULL;
        PKIX_PL_Cert *targetCert = NULL;
        PKIX_UInt32 numCerts = 0;
        PKIX_UInt32 i = 0;
        PKIX_UInt32 j = 0;
        PKIX_UInt32 k = 0;
        PKIX_UInt32 chainLength = 0;
        PKIX_CertStore *certStore = NULL;
        PKIX_List *certStores = NULL;
        char * asciiResult = NULL;
        PKIX_Boolean result;
        PKIX_Boolean testValid = PKIX_TRUE;
        PKIX_Boolean supportForward = PKIX_FALSE;
        PKIX_List *expectedCerts = NULL;
        PKIX_List *userOIDs = NULL;
        PKIX_PL_OID *oid = NULL;
        PKIX_PL_Cert *dirCert = NULL;
        PKIX_PL_String *actualCertsString = NULL;
        PKIX_PL_String *expectedCertsString = NULL;
        char *actualCertsAscii = NULL;
        char *expectedCertsAscii = NULL;
        char *oidString = NULL;
        void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */
        void *nbioContext = NULL; /* needed by pkix_build for non-blocking I/O */

        PKIX_TEST_STD_VARS();

        if (argc < 5){
                printUsage();
                return (0);
        }

        startTests("BuildChain_UserChecker");

        PKIX_TEST_EXPECT_NO_ERROR(
            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));

        /* ENE = expect no error; EE = expect error */
        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
                testValid = PKIX_TRUE;
        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
                testValid = PKIX_FALSE;
        } else {
                printUsage();
                return (0);
        }

        /* OID specified at argv[3+j] */

        if (*argv[3+j] != '-') {

                if (*argv[3+j] == 'F') {
                        supportForward = PKIX_TRUE;
                        oidString = argv[3+j]+1;
                } else {
                        oidString = argv[3+j];
                }

                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
                                (&userOIDs, plContext));
                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
                                (oidString, &oid, plContext));
                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
                                (userOIDs, (PKIX_PL_Object *)oid, plContext));
                PKIX_TEST_DECREF_BC(oid);
        }

        subTest(argv[1+j]);

        dirName = argv[4+j];

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));

        chainLength = argc - j - 5;

        for (k = 0; k < chainLength; k++){

                dirCert = createCert(dirName, argv[5+k+j], plContext);

                if (k == (chainLength - 1)){
                        PKIX_TEST_EXPECT_NO_ERROR
                                (PKIX_PL_Object_IncRef
                                ((PKIX_PL_Object *)dirCert, plContext));
                        trustedCert = dirCert;
                } else {

                        PKIX_TEST_EXPECT_NO_ERROR
                                (PKIX_List_AppendItem
                                (expectedCerts,
                                (PKIX_PL_Object *)dirCert,
                                plContext));

                        if (k == 0){
                                PKIX_TEST_EXPECT_NO_ERROR
                                        (PKIX_PL_Object_IncRef
                                        ((PKIX_PL_Object *)dirCert,
                                        plContext));
                                targetCert = dirCert;
                        }
                }

                PKIX_TEST_DECREF_BC(dirCert);
        }

        /* create processing params with list of trust anchors */

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
                                    (trustedCert, &anchor, plContext));
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
        PKIX_TEST_EXPECT_NO_ERROR
                (PKIX_List_AppendItem
                (anchors, (PKIX_PL_Object *)anchor, plContext));
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
                                    (anchors, &procParams, plContext));

        /* create CertSelector with target certificate in params */

        PKIX_TEST_EXPECT_NO_ERROR
                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));

        PKIX_TEST_EXPECT_NO_ERROR
                (PKIX_ComCertSelParams_SetCertificate
                (certSelParams, targetCert, plContext));

        PKIX_TEST_EXPECT_NO_ERROR
                (PKIX_CertSelector_Create
                (NULL, NULL, &certSelector, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
                                (certSelector, certSelParams, plContext));

        PKIX_TEST_EXPECT_NO_ERROR
                (PKIX_ProcessingParams_SetTargetCertConstraints
                (procParams, certSelector, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
                                    (testUserChecker,
                                    supportForward,
                                    PKIX_FALSE,
                                    userOIDs,
                                    NULL,
                                    &checker,
                                    plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertChainChecker
                                  (procParams, checker, plContext));


        /* create CertStores */

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
                                    (PKIX_ESCASCII,
                                    dirName,
                                    0,
                                    &dirNameString,
                                    plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
                                    (dirNameString, &certStore, plContext));

#if 0
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
                                    (&certStore, plContext));
#endif


        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));

        PKIX_TEST_EXPECT_NO_ERROR
                (PKIX_List_AppendItem
                (certStores, (PKIX_PL_Object *)certStore, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
                                    (procParams, certStores, plContext));

        /* build cert chain using processing params and return buildResult */

        pkixTestErrorResult = PKIX_BuildChain
                (procParams,
                &nbioContext,
                &buildState,
                &buildResult,
                NULL,
                plContext);

        if (testValid == PKIX_TRUE) { /* ENE */
                if (pkixTestErrorResult){
                        (void) printf("UNEXPECTED RESULT RECEIVED!\n");
                } else {
                        (void) printf("EXPECTED RESULT RECEIVED!\n");
                        PKIX_TEST_DECREF_BC(pkixTestErrorResult);
                }
        } else { /* EE */
                if (pkixTestErrorResult){
                        (void) printf("EXPECTED RESULT RECEIVED!\n");
                        PKIX_TEST_DECREF_BC(pkixTestErrorResult);
                } else {
                        testError("UNEXPECTED RESULT RECEIVED");
                }
        }

        if (buildResult){

                PKIX_TEST_EXPECT_NO_ERROR
                        (PKIX_BuildResult_GetCertChain
                        (buildResult, &certs, NULL));

                PKIX_TEST_EXPECT_NO_ERROR
                        (PKIX_List_GetLength(certs, &numCerts, plContext));

                printf("\n");

                for (i = 0; i < numCerts; i++){
                        PKIX_TEST_EXPECT_NO_ERROR
                                (PKIX_List_GetItem
                                (certs,
                                i,
                                (PKIX_PL_Object**)&cert,
                                plContext));

                        asciiResult = PKIX_Cert2ASCII(cert);

                        printf("CERT[%d]:\n%s\n", i, asciiResult);

                        PKIX_TEST_EXPECT_NO_ERROR
                                (PKIX_PL_Free(asciiResult, plContext));
                        asciiResult = NULL;

                        PKIX_TEST_DECREF_BC(cert);
                }

                PKIX_TEST_EXPECT_NO_ERROR
                        (PKIX_PL_Object_Equals
                        ((PKIX_PL_Object*)certs,
                        (PKIX_PL_Object*)expectedCerts,
                        &result,
                        plContext));

                if (!result){
                        testError("BUILT CERTCHAIN IS "
                                    "NOT THE ONE THAT WAS EXPECTED");

                        PKIX_TEST_EXPECT_NO_ERROR
                                (PKIX_PL_Object_ToString
                                ((PKIX_PL_Object *)certs,
                                &actualCertsString,
                                plContext));

                        actualCertsAscii = PKIX_String2ASCII
                                (actualCertsString, plContext);
                        if (actualCertsAscii == NULL){
                                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
                                goto cleanup;
                        }

                        PKIX_TEST_EXPECT_NO_ERROR
                                (PKIX_PL_Object_ToString
                                ((PKIX_PL_Object *)expectedCerts,
                                &expectedCertsString,
                                plContext));

                        expectedCertsAscii = PKIX_String2ASCII
                                (expectedCertsString, plContext);
                        if (expectedCertsAscii == NULL){
                                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
                                goto cleanup;
                        }

                        (void) printf("Actual value:\t%s\n", actualCertsAscii);
                        (void) printf("Expected value:\t%s\n",
                                        expectedCertsAscii);

                        if (chainLength - 1 != numUserCheckerCalled) {
                                pkixTestErrorMsg =
                                    "PKIX user defined checker not called";
                        }

                        goto cleanup;
                }

        }

cleanup:
        PKIX_PL_Free(asciiResult, plContext);
        PKIX_PL_Free(actualCertsAscii, plContext);
        PKIX_PL_Free(expectedCertsAscii, plContext);

        PKIX_TEST_DECREF_AC(actualCertsString);
        PKIX_TEST_DECREF_AC(expectedCertsString);
        PKIX_TEST_DECREF_AC(expectedCerts);
        PKIX_TEST_DECREF_AC(certs);
        PKIX_TEST_DECREF_AC(cert);
        PKIX_TEST_DECREF_AC(certStore);
        PKIX_TEST_DECREF_AC(certStores);
        PKIX_TEST_DECREF_AC(dirNameString);
        PKIX_TEST_DECREF_AC(trustedCert);
        PKIX_TEST_DECREF_AC(targetCert);
        PKIX_TEST_DECREF_AC(anchor);
        PKIX_TEST_DECREF_AC(anchors);
        PKIX_TEST_DECREF_AC(procParams);
        PKIX_TEST_DECREF_AC(certSelParams);
        PKIX_TEST_DECREF_AC(certSelector);
        PKIX_TEST_DECREF_AC(buildResult);
        PKIX_TEST_DECREF_AC(procParams);
        PKIX_TEST_DECREF_AC(userOIDs);
        PKIX_TEST_DECREF_AC(checker);

        PKIX_TEST_RETURN();

        PKIX_Shutdown(plContext);

        endTests("BuildChain_UserChecker");

        return (0);

}
Esempio n. 28
0
/*
 * FUNCTION: pkix_VerifyNode_AddToChain
 * DESCRIPTION:
 *
 *  Adds the VerifyNode pointed to by "child", at the appropriate depth, to the
 *  List of children of the VerifyNode pointed to by "parentNode". The chain of
 *  VerifyNodes is traversed until a VerifyNode is found at a depth one less
 *  than that specified in "child". An Error is returned if there is no parent
 *  at a suitable depth.
 *
 *  If "parentNode" has a NULL pointer for the List of children, a new List is
 *  created containing "child". Otherwise "child" is appended to the existing
 *  List.
 *
 *  Depth, in this context, means distance from the root node, which
 *  is at depth zero.
 *
 * PARAMETERS:
 *  "parentNode"
 *      Address of VerifyNode whose List of child VerifyNodes is to be
 *      created or appended to. Must be non-NULL.
 *  "child"
 *      Address of VerifyNode to be added to parentNode's List. Must be
 *      non-NULL.
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a VerifyNode Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 */
PKIX_Error *
pkix_VerifyNode_AddToChain(
        PKIX_VerifyNode *parentNode,
        PKIX_VerifyNode *child,
        void *plContext)
{
        PKIX_VerifyNode *successor = NULL;
        PKIX_List *listOfChildren = NULL;
        PKIX_UInt32 numChildren = 0;
        PKIX_UInt32 parentDepth = 0;

        PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_AddToChain");
        PKIX_NULLCHECK_TWO(parentNode, child);

        parentDepth = parentNode->depth;
        listOfChildren = parentNode->children;
        if (listOfChildren == NULL) {

                if (parentDepth != (child->depth - 1)) {
                        PKIX_ERROR(PKIX_NODESMISSINGFROMCHAIN);
                }

                PKIX_CHECK(PKIX_List_Create(&listOfChildren, plContext),
                        PKIX_LISTCREATEFAILED);

                PKIX_CHECK(PKIX_List_AppendItem
                        (listOfChildren, (PKIX_PL_Object *)child, plContext),
                        PKIX_COULDNOTAPPENDCHILDTOPARENTSVERIFYNODELIST);

                parentNode->children = listOfChildren;
        } else {
                /* get number of children */
                PKIX_CHECK(PKIX_List_GetLength
                        (listOfChildren, &numChildren, plContext),
                        PKIX_LISTGETLENGTHFAILED);

                if (numChildren != 1) {
                        PKIX_ERROR(PKIX_AMBIGUOUSPARENTAGEOFVERIFYNODE);
                }

                /* successor = listOfChildren[0] */
                PKIX_CHECK(PKIX_List_GetItem
                        (listOfChildren,
                        0,
                        (PKIX_PL_Object **)&successor,
                        plContext),
                        PKIX_LISTGETITEMFAILED);

                PKIX_CHECK(pkix_VerifyNode_AddToChain
                        (successor, child, plContext),
                        PKIX_VERIFYNODEADDTOCHAINFAILED);
        }

        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                ((PKIX_PL_Object *)parentNode, plContext),
                PKIX_OBJECTINVALIDATECACHEFAILED);

cleanup:
        PKIX_DECREF(successor);

        PKIX_RETURN(VERIFYNODE);
}
int test_validatechain_bc(int argc, char *argv[])
{

        PKIX_TrustAnchor *anchor = NULL;
        PKIX_List *anchors = NULL;
        PKIX_List *certs = NULL;
        PKIX_ProcessingParams *procParams = NULL;
        PKIX_ValidateParams *valParams = NULL;
        PKIX_ValidateResult *valResult = NULL;
        PKIX_PL_X500Name *subject = NULL;
        PKIX_ComCertSelParams *certSelParams = NULL;
        PKIX_CertSelector *certSelector = NULL;

        char *trustedCertFile = NULL;
        char *chainCertFile = NULL;
        PKIX_PL_Cert *trustedCert = NULL;
        PKIX_PL_Cert *chainCert = NULL;
        PKIX_UInt32 chainLength = 0;
        PKIX_UInt32 i = 0;
        PKIX_UInt32 j = 0;
        PKIX_UInt32 actualMinorVersion;
	PKIX_VerifyNode *verifyTree = NULL;
	PKIX_PL_String *verifyString = NULL;

        PKIX_TEST_STD_VARS();

        if (argc < 3){
                printUsage();
                return (0);
        }

        startTests("ValidateChainBasicConstraints");

        PKIX_TEST_EXPECT_NO_ERROR(
            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));

        chainLength = (argc - j) - 2;

        /* create processing params with list of trust anchors */
        trustedCertFile = argv[1+j];
        trustedCert = createCert(trustedCertFile);

        PKIX_TEST_EXPECT_NO_ERROR
                (PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext));

        PKIX_TEST_EXPECT_NO_ERROR
                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
                    (certSelParams, -1, plContext));

        PKIX_TEST_EXPECT_NO_ERROR
                (PKIX_CertSelector_Create
                (NULL, NULL, &certSelector, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
                                    (certSelector, certSelParams, plContext));

        PKIX_TEST_DECREF_BC(subject);

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
                                    (trustedCert, &anchor, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
        PKIX_TEST_EXPECT_NO_ERROR
                (PKIX_List_AppendItem
                (anchors, (PKIX_PL_Object *)anchor, plContext));
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
                                    (anchors, &procParams, plContext));

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
                                    (procParams, PKIX_FALSE, plContext));

        PKIX_TEST_EXPECT_NO_ERROR
                    (PKIX_ProcessingParams_SetTargetCertConstraints
                    (procParams, certSelector, plContext));

        PKIX_TEST_DECREF_BC(certSelector);

        /* create cert chain */
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
        for (i = 0; i < chainLength; i++){
                chainCertFile = argv[i + (2+j)];
                chainCert = createCert(chainCertFile);

                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
                        (certs, (PKIX_PL_Object *)chainCert, plContext));

                PKIX_TEST_DECREF_BC(chainCert);
        }

        /* create validate params with processing params and cert chain */
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create
                                    (procParams, certs, &valParams, plContext));


        /* validate cert chain using processing params and return valResult */

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
                (valParams, &valResult, &verifyTree, plContext));

        if (valResult != NULL){
                printf("SUCCESSFULLY VALIDATED with Basic Constraint ");
                printf("Cert Selector minimum path length to be -1\n");
                PKIX_TEST_DECREF_BC(valResult);
        }

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
        PKIX_TEST_DECREF_BC(verifyString);
        PKIX_TEST_DECREF_BC(verifyTree);

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
                    (certSelParams, 6, plContext));

        /* validate cert chain using processing params and return valResult */

        PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
                (valParams, &valResult, &verifyTree, plContext));

        if (valResult != NULL){
                printf("SUCCESSFULLY VALIDATED with Basic Constraint ");
                printf("Cert Selector minimum path length to be 6\n");
        }

        PKIX_TEST_DECREF_BC(trustedCert);
        PKIX_TEST_DECREF_BC(anchor);
        PKIX_TEST_DECREF_BC(anchors);
        PKIX_TEST_DECREF_BC(certs);
        PKIX_TEST_DECREF_BC(procParams);

cleanup:

        if (PKIX_TEST_ERROR_RECEIVED){
                printf("FAILED TO VALIDATE\n");
        }

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
        PKIX_TEST_DECREF_AC(verifyString);
        PKIX_TEST_DECREF_AC(verifyTree);

        PKIX_TEST_DECREF_AC(certSelParams);
        PKIX_TEST_DECREF_AC(valResult);
        PKIX_TEST_DECREF_AC(valParams);

        PKIX_TEST_RETURN();

        PKIX_Shutdown(plContext);

        endTests("ValidateChainBasicConstraints");

        return (0);

}
static void
test_SubjAltNames(void)
{
    PKIX_ComCertSelParams *goodParams = NULL;
    PKIX_List *setGenNames = NULL;
    PKIX_List *getGenNames = NULL;
    PKIX_PL_GeneralName *rfc822GenName = NULL;
    PKIX_PL_GeneralName *dnsGenName = NULL;
    PKIX_PL_GeneralName *dirGenName = NULL;
    PKIX_PL_GeneralName *uriGenName = NULL;
    PKIX_PL_GeneralName *oidGenName = NULL;
    PKIX_Boolean matchAll = PKIX_TRUE;
    char *rfc822Name = "*****@*****.**";
    char *dnsName = "comcast.net";
    char *dirName = "cn=john, ou=labs, o=sun, c=us";
    char *uriName = "http://comcast.net";
    char *oidName = "1.2.840.11";
    char *expectedAscii =
        "([email protected], "
        "comcast.net, "
        "CN=john,OU=labs,O=sun,C=us, "
        "http://comcast.net)";
    char *expectedAsciiAll =
        "([email protected], "
        "comcast.net, "
        "CN=john,OU=labs,O=sun,C=us, "
        "http://comcast.net, "
        "1.2.840.11)";

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_GeneralName_Create");
    dnsGenName = createGeneralName(PKIX_DNS_NAME, dnsName, plContext);
    uriGenName = createGeneralName(PKIX_URI_NAME, uriName, plContext);
    oidGenName = createGeneralName(PKIX_OID_NAME, oidName, plContext);
    dirGenName = createGeneralName(PKIX_DIRECTORY_NAME, dirName, plContext);
    rfc822GenName = createGeneralName(PKIX_RFC822_NAME,
                                      rfc822Name,
                                      plContext);

    subTest("PKIX_PL_GeneralName List create and append");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setGenNames, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)rfc822GenName, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)dnsGenName, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)dirGenName, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(setGenNames, (PKIX_PL_Object *)uriGenName, plContext));

    subTest("PKIX_ComCertSelParams_Create");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext));

    subTest("PKIX_ComCertSelParams_SetSubjAltNames");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjAltNames(goodParams, setGenNames, plContext));

    subTest("PKIX_ComCertSelParams_GetSubjAltNames");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjAltNames(goodParams, &getGenNames, plContext));

    subTest("Compare GeneralName List");
    testEqualsHelper((PKIX_PL_Object *)setGenNames,
                     (PKIX_PL_Object *)getGenNames,
                     PKIX_TRUE,
                     plContext);

    subTest("Compare GeneralName List with canned string");
    testToStringHelper((PKIX_PL_Object *)getGenNames,
                       expectedAscii,
                       plContext);

    subTest("PKIX_ComCertSelParams_AddSubjAltName");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName(goodParams, oidGenName, plContext));

    PKIX_TEST_DECREF_BC(getGenNames);

    subTest("PKIX_ComCertSelParams_GetSubjAltNames");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjAltNames(goodParams, &getGenNames, plContext));

    subTest("Compare GeneralName List with canned string");
    testToStringHelper((PKIX_PL_Object *)getGenNames,
                       expectedAsciiAll,
                       plContext);

    subTest("PKIX_ComCertSelParams_GetMatchAllSubjAltNames");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetMatchAllSubjAltNames(goodParams, &matchAll, plContext));
    if (matchAll != PKIX_TRUE) {
        testError("unexpected mismatch <expect TRUE>");
    }

    subTest("PKIX_ComCertSelParams_SetMatchAllSubjAltNames");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames(goodParams, PKIX_FALSE, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetMatchAllSubjAltNames(goodParams, &matchAll, plContext));
    if (matchAll != PKIX_FALSE) {
        testError("unexpected mismatch <expect FALSE>");
    }

cleanup:

    PKIX_TEST_DECREF_AC(goodParams);
    PKIX_TEST_DECREF_AC(setGenNames);
    PKIX_TEST_DECREF_AC(getGenNames);
    PKIX_TEST_DECREF_AC(rfc822GenName);
    PKIX_TEST_DECREF_AC(dnsGenName);
    PKIX_TEST_DECREF_AC(dirGenName);
    PKIX_TEST_DECREF_AC(uriGenName);
    PKIX_TEST_DECREF_AC(oidGenName);

    PKIX_TEST_RETURN();
}