/*
* FUNCTION: pkix_pl_OID_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
* Use this function only for printing OIDs and not to make any
* critical security decision.
*/
static PKIX_Error *
pkix_pl_OID_ToString(
PKIX_PL_Object *object,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_PL_OID *oid = NULL;
char *oidString = NULL;
PKIX_ENTER(OID, "pkix_pl_OID_toString");
PKIX_NULLCHECK_TWO(object, pString);
PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext),
PKIX_OBJECTNOTANOID);
oid = (PKIX_PL_OID*)object;
oidString = CERT_GetOidString(&oid->derOid);
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, oidString , 0, pString, plContext),
PKIX_STRINGCREATEFAILED);
cleanup:
PR_smprintf_free(oidString);
PKIX_RETURN(OID);
}
/*
* FUNCTION: PKIX_Error_GetDescription (see comments in pkix_util.h)
*/
PKIX_Error *
PKIX_Error_GetDescription(
PKIX_Error *error,
PKIX_PL_String **pDesc,
void *plContext)
{
PKIX_PL_String *descString = NULL;
#ifndef PKIX_ERROR_DESCRIPTION
char errorStr[32];
#endif
PKIX_ENTER(ERROR, "PKIX_Error_GetDescription");
PKIX_NULLCHECK_TWO(error, pDesc);
#ifndef PKIX_ERROR_DESCRIPTION
PR_snprintf(errorStr, 32, "Error code: %d", error->errCode);
#endif
PKIX_PL_String_Create(PKIX_ESCASCII,
#if defined PKIX_ERROR_DESCRIPTION
(void *)PKIX_ErrorText[error->errCode],
#else
errorStr,
#endif
0,
&descString,
plContext);
*pDesc = descString;
PKIX_RETURN(ERROR);
}
PKIX_PL_GeneralName *
createGeneralName(
PKIX_UInt32 nameType,
char *asciiName,
void *plContext)
{
PKIX_PL_GeneralName *generalName = NULL;
PKIX_PL_String *plString = NULL;
PKIX_TEST_STD_VARS();
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
(PKIX_ESCASCII, asciiName, 0, &plString, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_GeneralName_Create
(nameType, plString, &generalName, plContext));
cleanup:
PKIX_TEST_DECREF_AC(plString);
PKIX_TEST_RETURN();
return (generalName);
}
static PKIX_PL_X500Name *
createX500Name(char *asciiName, PKIX_Boolean expectedToPass){
PKIX_PL_X500Name *x500Name = NULL;
PKIX_PL_String *plString = NULL;
PKIX_TEST_STD_VARS();
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_String_Create
(PKIX_ESCASCII, asciiName, 0, &plString, plContext));
if (expectedToPass){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_X500Name_Create
(plString, &x500Name, plContext));
} else {
PKIX_TEST_EXPECT_ERROR
(PKIX_PL_X500Name_Create
(plString, &x500Name, plContext));
}
cleanup:
PKIX_TEST_DECREF_AC(plString);
PKIX_TEST_RETURN();
return (x500Name);
}
/*
* FUNCTION: pkix_pl_AiaMgr_FindLDAPClient
* DESCRIPTION:
*
* This function checks the collection of LDAPClient connections held by the
* AIAMgr pointed to by "aiaMgr" for one matching the domain name given by
* "domainName". The string may include a port number: e.g., "betty.nist.gov"
* or "nss.red.iplanet.com:1389". If a match is found, that LDAPClient is
* stored at "pClient". Otherwise, an LDAPClient is created and added to the
* collection, and then stored at "pClient".
*
* PARAMETERS:
* "aiaMgr"
* The AIAMgr whose LDAPClient connected are to be managed. Must be
* non-NULL.
* "domainName"
* Address of a string pointing to a server name. Must be non-NULL.
* "pClient"
* Address at which the returned LDAPClient is stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns an AIAMgr Error if the function fails in a non-fatal way
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_pl_AiaMgr_FindLDAPClient(
PKIX_PL_AIAMgr *aiaMgr,
char *domainName,
PKIX_PL_LdapClient **pClient,
void *plContext)
{
PKIX_PL_String *domainString = NULL;
PKIX_PL_LdapDefaultClient *client = NULL;
PKIX_ENTER(AIAMGR, "pkix_pl_AiaMgr_FindLDAPClient");
PKIX_NULLCHECK_THREE(aiaMgr, domainName, pClient);
/* create PKIX_PL_String from domain name */
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, domainName, 0, &domainString, plContext),
PKIX_STRINGCREATEFAILED);
/* Is this domainName already in cache? */
PKIX_CHECK(PKIX_PL_HashTable_Lookup
(aiaConnectionCache,
(PKIX_PL_Object *)domainString,
(PKIX_PL_Object **)&client,
plContext),
PKIX_HASHTABLELOOKUPFAILED);
if (client == NULL) {
/* No, create a connection (and cache it) */
PKIX_CHECK(PKIX_PL_LdapDefaultClient_CreateByName
(domainName,
/* Do not use NBIO until we verify, that
* it is working. For now use 1 min timeout. */
PR_SecondsToInterval(
((PKIX_PL_NssContext*)plContext)->timeoutSeconds),
NULL,
&client,
plContext),
PKIX_LDAPDEFAULTCLIENTCREATEBYNAMEFAILED);
PKIX_CHECK(PKIX_PL_HashTable_Add
(aiaConnectionCache,
(PKIX_PL_Object *)domainString,
(PKIX_PL_Object *)client,
plContext),
PKIX_HASHTABLEADDFAILED);
}
*pClient = (PKIX_PL_LdapClient *)client;
cleanup:
PKIX_DECREF(domainString);
PKIX_RETURN(AIAMGR);
}
static void
testGetCRL(char *crlDir)
{
PKIX_PL_String *dirString = NULL;
PKIX_CertStore_CRLCallback crlCallback;
PKIX_CertStore *certStore = NULL;
PKIX_CRLSelector *crlSelector = NULL;
PKIX_List *crlList = NULL;
PKIX_UInt32 numCrl = 0;
void *nbioContext = NULL;
PKIX_TEST_STD_VARS();
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII,
crlDir,
0,
&dirString,
plContext));
subTest("PKIX_PL_CollectionCertStore_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirString,
&certStore,
plContext));
subTest("PKIX_CRLSelector_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create(testCRLSelectorMatchCallback,
NULL,
&crlSelector,
plContext));
subTest("PKIX_CertStore_GetCRLCallback");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback(certStore, &crlCallback, NULL));
subTest("Getting data from CRL Callback");
PKIX_TEST_EXPECT_NO_ERROR(crlCallback(certStore,
crlSelector,
&nbioContext,
&crlList,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(crlList,
&numCrl,
plContext));
if (numCrl != PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS) {
pkixTestErrorMsg = "unexpected CRL number mismatch";
}
cleanup:
PKIX_TEST_DECREF_AC(dirString);
PKIX_TEST_DECREF_AC(crlList);
PKIX_TEST_DECREF_AC(crlSelector);
PKIX_TEST_DECREF_AC(certStore);
PKIX_TEST_RETURN();
}
/*
* FUNCTION: pkix_pl_CertPolicyQualifier_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_pl_CertPolicyQualifier_ToString(
PKIX_PL_Object *object,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_PL_CertPolicyQualifier *certPQ = NULL;
char *asciiFormat = "%s:%s";
PKIX_PL_String *formatString = NULL;
PKIX_PL_String *pqIDString = NULL;
PKIX_PL_String *pqValString = NULL;
PKIX_PL_String *outString = NULL;
PKIX_ENTER(CERTPOLICYQUALIFIER, "pkix_pl_CertPolicyQualifier_ToString");
PKIX_NULLCHECK_TWO(object, pString);
PKIX_CHECK(pkix_CheckType
(object, PKIX_CERTPOLICYQUALIFIER_TYPE, plContext),
PKIX_OBJECTNOTCERTPOLICYQUALIFIER);
certPQ = (PKIX_PL_CertPolicyQualifier *)object;
/*
* The policyQualifierId is required. If there is no qualifier,
* we should have a ByteArray of zero length.
*/
PKIX_NULLCHECK_TWO(certPQ->policyQualifierId, certPQ->qualifier);
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
PKIX_STRINGCREATEFAILED);
PKIX_TOSTRING(certPQ->policyQualifierId, &pqIDString, plContext,
PKIX_OIDTOSTRINGFAILED);
PKIX_CHECK(pkix_pl_ByteArray_ToHexString
(certPQ->qualifier, &pqValString, plContext),
PKIX_BYTEARRAYTOHEXSTRINGFAILED);
PKIX_CHECK(PKIX_PL_Sprintf
(&outString, plContext, formatString, pqIDString, pqValString),
PKIX_SPRINTFFAILED);
*pString = outString;
cleanup:
PKIX_DECREF(formatString);
PKIX_DECREF(pqIDString);
PKIX_DECREF(pqValString);
PKIX_RETURN(CERTPOLICYQUALIFIER);
}
/*
* FUNCTION: pkix_ResourceLimits_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_ResourceLimits_ToString(
PKIX_PL_Object *object,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_ResourceLimits *rLimits = NULL;
char *asciiFormat = NULL;
PKIX_PL_String *formatString = NULL;
PKIX_PL_String *rLimitsString = NULL;
PKIX_ENTER(RESOURCELIMITS, "pkix_ResourceLimits_ToString");
PKIX_NULLCHECK_TWO(object, pString);
PKIX_CHECK(pkix_CheckType(object, PKIX_RESOURCELIMITS_TYPE, plContext),
PKIX_OBJECTNOTRESOURCELIMITS);
/* maxCertsNumber and maxCrlsNumber are not supported */
asciiFormat =
"[\n"
"\tMaxTime: \t\t%d\n"
"\tMaxFanout: \t\t%d\n"
"\tMaxDepth: \t\t%d\n"
"]\n";
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
asciiFormat,
0,
&formatString,
plContext),
PKIX_STRINGCREATEFAILED);
rLimits = (PKIX_ResourceLimits*)object;
PKIX_CHECK(PKIX_PL_Sprintf
(&rLimitsString,
plContext,
formatString,
rLimits->maxTime,
rLimits->maxFanout,
rLimits->maxDepth),
PKIX_SPRINTFFAILED);
*pString = rLimitsString;
cleanup:
PKIX_DECREF(formatString);
PKIX_RETURN(RESOURCELIMITS);
}
/*
* FUNCTION: pkix_pl_CertPolicyMap_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_pl_CertPolicyMap_ToString(
PKIX_PL_Object *object,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_PL_CertPolicyMap *certMap = NULL;
PKIX_PL_String *format = NULL;
PKIX_PL_String *outString = NULL;
PKIX_PL_String *issuerString = NULL;
PKIX_PL_String *subjectString = NULL;
PKIX_ENTER(CERTPOLICYMAP, "pkix_pl_CertPolicyMap_ToString");
PKIX_NULLCHECK_TWO(object, pString);
PKIX_CHECK(pkix_CheckType(object, PKIX_CERTPOLICYMAP_TYPE, plContext),
PKIX_OBJECTNOTCERTPOLICYMAP);
certMap = (PKIX_PL_CertPolicyMap *)object;
PKIX_TOSTRING
(certMap->issuerDomainPolicy,
&issuerString,
plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(certMap->subjectDomainPolicy,
&subjectString,
plContext,
PKIX_OBJECTTOSTRINGFAILED);
/* Put them together in the form issuerPolicy=>subjectPolicy */
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, "%s=>%s", 0, &format, plContext),
PKIX_ERRORINSTRINGCREATE);
PKIX_CHECK(PKIX_PL_Sprintf
(&outString, plContext, format, issuerString, subjectString),
PKIX_ERRORINSPRINTF);
*pString = outString;
cleanup:
PKIX_DECREF(format);
PKIX_DECREF(issuerString);
PKIX_DECREF(subjectString);
PKIX_RETURN(CERTPOLICYMAP);
}
/*
* FUNCTION: pkix_pl_Date_ToString_Helper
* DESCRIPTION:
*
* Helper function that creates a string representation of the SECItem pointed
* to by "nssTime" (which represents a date) and stores it at "pString".
*
* PARAMETERS
* "nssTime"
* Address of SECItem whose string representation is desired.
* Must be non-NULL.
* "pString"
* Address where object pointer will be stored. Must be non-NULL.
* "plContext" - Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Date Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_pl_Date_ToString_Helper(
SECItem *nssTime,
PKIX_PL_String **pString,
void *plContext)
{
char *asciiDate = NULL;
PKIX_ENTER(DATE, "pkix_pl_Date_ToString_Helper");
PKIX_NULLCHECK_TWO(nssTime, pString);
switch (nssTime->type) {
case siUTCTime:
PKIX_PL_NSSCALLRV
(DATE, asciiDate, DER_UTCDayToAscii, (nssTime));
if (!asciiDate){
PKIX_ERROR(PKIX_DERUTCTIMETOASCIIFAILED);
}
break;
case siGeneralizedTime:
/*
* we don't currently have any way to create GeneralizedTime.
* this code is only here so that it will be in place when
* we do have the capability to create GeneralizedTime.
*/
PKIX_PL_NSSCALLRV
(DATE, asciiDate, DER_GeneralizedDayToAscii, (nssTime));
if (!asciiDate){
PKIX_ERROR(PKIX_DERGENERALIZEDDAYTOASCIIFAILED);
}
break;
default:
PKIX_ERROR(PKIX_UNRECOGNIZEDTIMETYPE);
}
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, asciiDate, 0, pString, plContext),
PKIX_STRINGCREATEFAILED);
cleanup:
PR_Free(asciiDate);
PKIX_RETURN(DATE);
}
static PKIX_Error *
toStringCallback(
PKIX_PL_Object *obj,
PKIX_PL_String **pString,
/* ARGSUSED */ void *plContext)
{
PKIX_Error *errorResult;
PKIX_UInt32 type;
char *format = "(addr: %x, type: %d)";
PKIX_PL_String *formatString = NULL;
errorResult = PKIX_PL_String_Create(
PKIX_ESCASCII,
format,
PL_strlen(format),
&formatString,
plContext);
if (errorResult)
testError("PKIX_PL_String_Create failed");
if (pString == plContext)
testError("Null String");
type = (unsigned int)0;
(void)PKIX_PL_Object_GetType(obj, &type, plContext);
errorResult = PKIX_PL_Sprintf(pString, plContext,
formatString,
(int)obj, type);
if (errorResult)
testError("PKIX_PL_Sprintf failed");
errorResult = PKIX_PL_Object_DecRef((PKIX_PL_Object *)formatString,
plContext);
if (errorResult)
testError("PKIX_PL_Object_DecRef failed");
return (NULL);
}
/*
* FUNCTION: pkix_List_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_List_ToString(
PKIX_PL_Object *object,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_List *list = NULL;
PKIX_PL_String *listString = NULL;
PKIX_PL_String *format = NULL;
PKIX_ENTER(LIST, "pkix_List_ToString");
PKIX_NULLCHECK_TWO(object, pString);
PKIX_CHECK(pkix_CheckType(object, PKIX_LIST_TYPE, plContext),
PKIX_OBJECTNOTLIST);
list = (PKIX_List *)object;
if (!list->isHeader){
PKIX_ERROR(PKIX_INPUTLISTMUSTBEHEADER);
}
PKIX_CHECK(pkix_List_ToString_Helper(list, &listString, plContext),
PKIX_LISTTOSTRINGHELPERFAILED);
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, "(%s)", 0, &format, plContext),
PKIX_STRINGCREATEFAILED);
PKIX_CHECK(PKIX_PL_Sprintf(pString, plContext, format, listString),
PKIX_SPRINTFFAILED);
cleanup:
PKIX_DECREF(listString);
PKIX_DECREF(format);
PKIX_RETURN(LIST);
}
PKIX_PL_Date *
createDate(
char *asciiDate,
void *plContext)
{
PKIX_PL_Date *date = NULL;
PKIX_PL_String *plString = NULL;
PKIX_TEST_STD_VARS();
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
(PKIX_ESCASCII, asciiDate, 0, &plString, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime
(plString, &date, plContext));
cleanup:
PKIX_TEST_DECREF_AC(plString);
PKIX_TEST_RETURN();
return (date);
}
/*
* FUNCTION: pkix_Error_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_Error_ToString(
PKIX_PL_Object *object,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_Error *error = NULL;
PKIX_Error *cause = NULL;
PKIX_PL_String *desc = NULL;
PKIX_PL_String *formatString = NULL;
PKIX_PL_String *causeString = NULL;
PKIX_PL_String *optCauseString = NULL;
PKIX_PL_String *errorNameString = NULL;
char *format = NULL;
PKIX_ERRORCLASS errClass;
PKIX_ENTER(ERROR, "pkix_Error_ToString");
PKIX_NULLCHECK_TWO(object, pString);
PKIX_CHECK(pkix_CheckType(object, PKIX_ERROR_TYPE, plContext),
PKIX_OBJECTNOTANERROR);
error = (PKIX_Error *)object;
/* Get this error's errClass, description and the string of its cause */
errClass = error->errClass;
/* Get the description string */
PKIX_Error_GetDescription(error, &desc, plContext);
/* Get the cause */
cause = error->cause;
/* Get the causes's description string */
if (cause != NULL) {
pkix_error_cause_depth++;
/* Get the cause string */
PKIX_CHECK(PKIX_PL_Object_ToString
((PKIX_PL_Object*)cause, &causeString, plContext),
PKIX_ERRORGETTINGCAUSESTRING);
format = "\n*** Cause (%d): %s";
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
format,
0,
&formatString,
plContext),
PKIX_STRINGCREATEFAILED);
/* Create the optional Cause String */
PKIX_CHECK(PKIX_PL_Sprintf
(&optCauseString,
plContext,
formatString,
pkix_error_cause_depth,
causeString),
PKIX_SPRINTFFAILED);
PKIX_DECREF(formatString);
pkix_error_cause_depth--;
}
/* Create the Format String */
if (optCauseString != NULL) {
format = "*** %s Error- %s%s";
} else {
format = "*** %s Error- %s";
}
/* Ensure that error errClass is known, otherwise default to Object */
if (errClass >= PKIX_NUMERRORCLASSES) {
errClass = 0;
}
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
(void *)PKIX_ERRORCLASSNAMES[errClass],
0,
&errorNameString,
plContext),
PKIX_STRINGCREATEFAILED);
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
format,
0,
&formatString,
plContext),
PKIX_STRINGCREATEFAILED);
/* Create the output String */
PKIX_CHECK(PKIX_PL_Sprintf
(pString,
plContext,
formatString,
errorNameString,
desc,
optCauseString),
PKIX_SPRINTFFAILED);
cleanup:
PKIX_DECREF(desc);
PKIX_DECREF(causeString);
PKIX_DECREF(formatString);
PKIX_DECREF(optCauseString);
PKIX_DECREF(errorNameString);
PKIX_RETURN(ERROR);
}
int
test_buildchain(int argc, char *argv[])
{
PKIX_BuildResult *buildResult = NULL;
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_TrustAnchor *anchor = NULL;
PKIX_PL_PublicKey *trustedPubKey = NULL;
PKIX_List *anchors = NULL;
PKIX_List *certs = NULL;
PKIX_RevocationChecker *revChecker = NULL;
PKIX_PL_Cert *cert = NULL;
PKIX_ProcessingParams *procParams = NULL;
char *dirName = NULL;
PKIX_PL_String *dirNameString = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_PL_Cert *targetCert = NULL;
PKIX_UInt32 actualMinorVersion = 0;
PKIX_UInt32 numCerts = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
PKIX_UInt32 k = 0;
PKIX_CertStore *ldapCertStore = NULL;
PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; /* blocking */
/* PRIntervalTime timeout = PR_INTERVAL_NO_WAIT; =0 for non-blocking */
PKIX_CertStore *certStore = NULL;
PKIX_List *certStores = NULL;
PKIX_List *revCheckers = NULL;
char *asciiResult = NULL;
PKIX_Boolean result = PKIX_FALSE;
PKIX_Boolean testValid = PKIX_TRUE;
PKIX_List *expectedCerts = NULL;
PKIX_PL_Cert *dirCert = NULL;
PKIX_VerifyNode *verifyTree = NULL;
PKIX_PL_String *verifyString = NULL;
PKIX_PL_String *actualCertsString = NULL;
PKIX_PL_String *expectedCertsString = NULL;
void *state = NULL;
char *actualCertsAscii = NULL;
char *expectedCertsAscii = NULL;
PRPollDesc *pollDesc = NULL;
PKIX_TEST_STD_VARS();
if (argc < 5) {
printUsage();
return (0);
}
startTests("BuildChain");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/*
* arguments:
* [optional] -arenas
* [optional] usebind
* servername or servername:port ( - for no server)
* testname
* EE or ENE
* cert directory
* target cert (end entity)
* intermediate certs
* trust anchor
*/
/* optional argument "usebind" for Ldap CertStore */
if (argv[j + 1]) {
if (PORT_Strcmp(argv[j + 1], "usebind") == 0) {
usebind = PKIX_TRUE;
j++;
}
}
if (PORT_Strcmp(argv[++j], "-") == 0) {
useLDAP = PKIX_FALSE;
} else {
serverName = argv[j];
useLDAP = PKIX_TRUE;
}
subTest(argv[++j]);
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[++j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage();
return (0);
}
dirName = argv[++j];
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
for (k = ++j; k < (PKIX_UInt32)argc; k++) {
dirCert = createCert(dirName, argv[k], plContext);
if (k == (PKIX_UInt32)(argc - 1)) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
trustedCert = dirCert;
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts,
(PKIX_PL_Object *)dirCert,
plContext));
if (k == j) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
targetCert = dirCert;
}
}
PKIX_TEST_DECREF_BC(dirCert);
}
/* create processing params with list of trust anchors */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));
/* create CertSelector with target certificate in params */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));
/* create CertStores */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, dirName, 0, &dirNameString, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
if (useLDAP == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore(serverName, timeout, &ldapCertStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores,
(PKIX_PL_Object *)ldapCertStore,
plContext));
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext));
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(trustedCert, &trustedPubKey, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(expectedCerts, &numCerts, plContext));
PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize(certStores,
NULL, /* testDate, may be NULL */
trustedPubKey,
numCerts,
&revChecker,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(revCheckers, (PKIX_PL_Object *)revChecker, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers(procParams, revCheckers, plContext));
#ifdef debuggingWithoutRevocation
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled(procParams, PKIX_FALSE, plContext));
#endif
/* build cert chain using processing params and return buildResult */
pkixTestErrorResult = PKIX_BuildChain(procParams,
(void **)&pollDesc,
&state,
&buildResult,
&verifyTree,
plContext);
while (pollDesc != NULL) {
if (PR_Poll(pollDesc, 1, 0) < 0) {
testError("PR_Poll failed");
}
pkixTestErrorResult = PKIX_BuildChain(procParams,
(void **)&pollDesc,
&state,
&buildResult,
&verifyTree,
plContext);
}
if (pkixTestErrorResult) {
if (testValid == PKIX_FALSE) { /* EE */
(void)printf("EXPECTED ERROR RECEIVED!\n");
} else { /* ENE */
testError("UNEXPECTED ERROR RECEIVED");
}
} else {
if (testValid == PKIX_TRUE) { /* ENE */
(void)printf("EXPECTED NON-ERROR RECEIVED!\n");
} else { /* EE */
(void)printf("UNEXPECTED NON-ERROR RECEIVED!\n");
}
}
subTest("Displaying VerifyNode objects");
if (verifyTree == NULL) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, "(null)", 0, &verifyString, plContext));
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext));
}
(void)printf("verifyTree is\n%s\n", verifyString->escAsciiString);
if (pkixTestErrorResult) {
PKIX_TEST_DECREF_BC(pkixTestErrorResult);
goto cleanup;
}
if (buildResult) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext));
printf("\n");
for (i = 0; i < numCerts; i++) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs,
i,
(PKIX_PL_Object **)&cert,
plContext));
asciiResult = PKIX_Cert2ASCII(cert);
printf("CERT[%d]:\n%s\n", i, asciiResult);
/* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, NULL));
asciiResult = NULL;
PKIX_TEST_DECREF_BC(cert);
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)certs,
(PKIX_PL_Object *)expectedCerts,
&result,
plContext));
if (!result) {
testError("BUILT CERTCHAIN IS "
"NOT THE ONE THAT WAS EXPECTED");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)certs,
&actualCertsString,
plContext));
actualCertsAscii = PKIX_String2ASCII(actualCertsString, plContext);
if (actualCertsAscii == NULL) {
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object *)expectedCerts,
&expectedCertsString,
plContext));
expectedCertsAscii = PKIX_String2ASCII(expectedCertsString, plContext);
if (expectedCertsAscii == NULL) {
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
(void)printf("Actual value:\t%s\n", actualCertsAscii);
(void)printf("Expected value:\t%s\n",
expectedCertsAscii);
}
}
cleanup:
PKIX_TEST_DECREF_AC(verifyString);
PKIX_TEST_DECREF_AC(verifyTree);
PKIX_PL_Free(asciiResult, NULL);
PKIX_PL_Free(actualCertsAscii, plContext);
PKIX_PL_Free(expectedCertsAscii, plContext);
PKIX_TEST_DECREF_AC(state);
PKIX_TEST_DECREF_AC(actualCertsString);
PKIX_TEST_DECREF_AC(expectedCertsString);
PKIX_TEST_DECREF_AC(expectedCerts);
PKIX_TEST_DECREF_AC(buildResult);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(certStores);
PKIX_TEST_DECREF_AC(revCheckers);
PKIX_TEST_DECREF_AC(revChecker);
PKIX_TEST_DECREF_AC(ldapCertStore);
PKIX_TEST_DECREF_AC(certStore);
PKIX_TEST_DECREF_AC(dirNameString);
PKIX_TEST_DECREF_AC(certSelParams);
PKIX_TEST_DECREF_AC(certSelector);
PKIX_TEST_DECREF_AC(anchors);
PKIX_TEST_DECREF_AC(anchor);
PKIX_TEST_DECREF_AC(trustedCert);
PKIX_TEST_DECREF_AC(trustedPubKey);
PKIX_TEST_DECREF_AC(certs);
PKIX_TEST_DECREF_AC(cert);
PKIX_TEST_DECREF_AC(targetCert);
PKIX_TEST_RETURN();
PKIX_Shutdown(plContext);
endTests("BuildChain");
return (0);
}
/*
* FUNCTION: pkix_VerifyNode_ToString_Helper
* DESCRIPTION:
*
* Produces a String representation of a VerifyNode tree below the VerifyNode
* pointed to by "rootNode", with each line of output prefixed by the String
* pointed to by "indent", and stores the result at "pTreeString". It is
* called recursively, with ever-increasing indentation, for successively
* lower nodes on the tree.
*
* PARAMETERS:
* "rootNode"
* Address of VerifyNode subtree. Must be non-NULL.
* "indent"
* Address of String to be prefixed to each line of output. May be NULL
* if no indentation is desired
* "pTreeString"
* Address where the resulting String will be stored; must be non-NULL
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Conditionally Thread Safe
* (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a VerifyNode Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_VerifyNode_ToString_Helper(
PKIX_VerifyNode *rootNode,
PKIX_PL_String *indent,
PKIX_PL_String **pTreeString,
void *plContext)
{
PKIX_PL_String *nextIndentFormat = NULL;
PKIX_PL_String *thisNodeFormat = NULL;
PKIX_PL_String *childrenFormat = NULL;
PKIX_PL_String *nextIndentString = NULL;
PKIX_PL_String *resultString = NULL;
PKIX_PL_String *thisItemString = NULL;
PKIX_PL_String *childString = NULL;
PKIX_VerifyNode *childNode = NULL;
PKIX_UInt32 numberOfChildren = 0;
PKIX_UInt32 childIndex = 0;
PKIX_ENTER(VERIFYNODE, "pkix_VerifyNode_ToString_Helper");
PKIX_NULLCHECK_TWO(rootNode, pTreeString);
/* Create a string for this node */
PKIX_CHECK(pkix_SingleVerifyNode_ToString
(rootNode, &thisItemString, plContext),
PKIX_ERRORINSINGLEVERIFYNODETOSTRING);
if (indent) {
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
"%s%s",
0,
&thisNodeFormat,
plContext),
PKIX_ERRORCREATINGFORMATSTRING);
PKIX_CHECK(PKIX_PL_Sprintf
(&resultString,
plContext,
thisNodeFormat,
indent,
thisItemString),
PKIX_ERRORINSPRINTF);
} else {
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
"%s",
0,
&thisNodeFormat,
plContext),
PKIX_ERRORCREATINGFORMATSTRING);
PKIX_CHECK(PKIX_PL_Sprintf
(&resultString,
plContext,
thisNodeFormat,
thisItemString),
PKIX_ERRORINSPRINTF);
}
PKIX_DECREF(thisItemString);
thisItemString = resultString;
/* if no children, we are done */
if (rootNode->children) {
PKIX_CHECK(PKIX_List_GetLength
(rootNode->children, &numberOfChildren, plContext),
PKIX_LISTGETLENGTHFAILED);
}
if (numberOfChildren != 0) {
/*
* We create a string for each child in turn,
* concatenating them to thisItemString.
*/
/* Prepare an indent string for each child */
if (indent) {
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
"%s. ",
0,
&nextIndentFormat,
plContext),
PKIX_ERRORCREATINGFORMATSTRING);
PKIX_CHECK(PKIX_PL_Sprintf
(&nextIndentString,
plContext,
nextIndentFormat,
indent),
PKIX_ERRORINSPRINTF);
} else {
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
". ",
0,
&nextIndentString,
plContext),
PKIX_ERRORCREATINGINDENTSTRING);
}
/* Prepare the format for concatenation. */
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
"%s\n%s",
0,
&childrenFormat,
plContext),
PKIX_ERRORCREATINGFORMATSTRING);
for (childIndex = 0;
childIndex < numberOfChildren;
childIndex++) {
PKIX_CHECK(PKIX_List_GetItem
(rootNode->children,
childIndex,
(PKIX_PL_Object **)&childNode,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(pkix_VerifyNode_ToString_Helper
(childNode,
nextIndentString,
&childString,
plContext),
PKIX_ERRORCREATINGCHILDSTRING);
PKIX_CHECK(PKIX_PL_Sprintf
(&resultString,
plContext,
childrenFormat,
thisItemString,
childString),
PKIX_ERRORINSPRINTF);
PKIX_DECREF(childNode);
PKIX_DECREF(childString);
PKIX_DECREF(thisItemString);
thisItemString = resultString;
}
}
*pTreeString = thisItemString;
cleanup:
if (PKIX_ERROR_RECEIVED) {
PKIX_DECREF(thisItemString);
}
PKIX_DECREF(nextIndentFormat);
PKIX_DECREF(thisNodeFormat);
PKIX_DECREF(childrenFormat);
PKIX_DECREF(nextIndentString);
PKIX_DECREF(childString);
PKIX_DECREF(childNode);
PKIX_RETURN(VERIFYNODE);
}
/*
* FUNCTION: pkix_SingleVerifyNode_ToString
* DESCRIPTION:
*
* Creates a String representation of the attributes of the VerifyNode pointed
* to by "node", other than its children, and stores the result at "pString".
*
* PARAMETERS:
* "node"
* Address of VerifyNode to be described by the string. Must be non-NULL.
* "pString"
* Address where object pointer will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Conditionally Thread Safe
* (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if function succeeds
* Returns a VerifyNode Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in a fatal way
*/
PKIX_Error *
pkix_SingleVerifyNode_ToString(
PKIX_VerifyNode *node,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_PL_String *fmtString = NULL;
PKIX_PL_String *errorString = NULL;
PKIX_PL_String *outString = NULL;
PKIX_PL_X500Name *issuerName = NULL;
PKIX_PL_X500Name *subjectName = NULL;
PKIX_PL_String *issuerString = NULL;
PKIX_PL_String *subjectString = NULL;
PKIX_ENTER(VERIFYNODE, "pkix_SingleVerifyNode_ToString");
PKIX_NULLCHECK_THREE(node, pString, node->verifyCert);
PKIX_TOSTRING(node->error, &errorString, plContext,
PKIX_ERRORTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_Cert_GetIssuer
(node->verifyCert, &issuerName, plContext),
PKIX_CERTGETISSUERFAILED);
PKIX_TOSTRING(issuerName, &issuerString, plContext,
PKIX_X500NAMETOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_Cert_GetSubject
(node->verifyCert, &subjectName, plContext),
PKIX_CERTGETSUBJECTFAILED);
PKIX_TOSTRING(subjectName, &subjectString, plContext,
PKIX_X500NAMETOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
"CERT[Issuer:%s, Subject:%s], depth=%d, error=%s",
0,
&fmtString,
plContext),
PKIX_CANTCREATESTRING);
PKIX_CHECK(PKIX_PL_Sprintf
(&outString,
plContext,
fmtString,
issuerString,
subjectString,
node->depth,
errorString),
PKIX_SPRINTFFAILED);
*pString = outString;
cleanup:
PKIX_DECREF(fmtString);
PKIX_DECREF(errorString);
PKIX_DECREF(issuerName);
PKIX_DECREF(subjectName);
PKIX_DECREF(issuerString);
PKIX_DECREF(subjectString);
PKIX_RETURN(VERIFYNODE);
}
int test_buildchain_uchecker(int argc, char *argv[])
{
PKIX_BuildResult *buildResult = NULL;
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_TrustAnchor *anchor = NULL;
PKIX_List *anchors = NULL;
PKIX_List *certs = NULL;
PKIX_PL_Cert *cert = NULL;
PKIX_ProcessingParams *procParams = NULL;
PKIX_CertChainChecker *checker = NULL;
char *dirName = NULL;
PKIX_PL_String *dirNameString = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_PL_Cert *targetCert = NULL;
PKIX_UInt32 numCerts = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
PKIX_UInt32 k = 0;
PKIX_UInt32 chainLength = 0;
PKIX_CertStore *certStore = NULL;
PKIX_List *certStores = NULL;
char * asciiResult = NULL;
PKIX_Boolean result;
PKIX_Boolean testValid = PKIX_TRUE;
PKIX_Boolean supportForward = PKIX_FALSE;
PKIX_List *expectedCerts = NULL;
PKIX_List *userOIDs = NULL;
PKIX_PL_OID *oid = NULL;
PKIX_PL_Cert *dirCert = NULL;
PKIX_PL_String *actualCertsString = NULL;
PKIX_PL_String *expectedCertsString = NULL;
char *actualCertsAscii = NULL;
char *expectedCertsAscii = NULL;
char *oidString = NULL;
void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */
void *nbioContext = NULL; /* needed by pkix_build for non-blocking I/O */
PKIX_TEST_STD_VARS();
if (argc < 5){
printUsage();
return (0);
}
startTests("BuildChain_UserChecker");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage();
return (0);
}
/* OID specified at argv[3+j] */
if (*argv[3+j] != '-') {
if (*argv[3+j] == 'F') {
supportForward = PKIX_TRUE;
oidString = argv[3+j]+1;
} else {
oidString = argv[3+j];
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
(&userOIDs, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
(oidString, &oid, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(userOIDs, (PKIX_PL_Object *)oid, plContext));
PKIX_TEST_DECREF_BC(oid);
}
subTest(argv[1+j]);
dirName = argv[4+j];
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
chainLength = argc - j - 5;
for (k = 0; k < chainLength; k++){
dirCert = createCert(dirName, argv[5+k+j], plContext);
if (k == (chainLength - 1)){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_IncRef
((PKIX_PL_Object *)dirCert, plContext));
trustedCert = dirCert;
} else {
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(expectedCerts,
(PKIX_PL_Object *)dirCert,
plContext));
if (k == 0){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_IncRef
((PKIX_PL_Object *)dirCert,
plContext));
targetCert = dirCert;
}
}
PKIX_TEST_DECREF_BC(dirCert);
}
/* create processing params with list of trust anchors */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
(trustedCert, &anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(anchors, (PKIX_PL_Object *)anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
(anchors, &procParams, plContext));
/* create CertSelector with target certificate in params */
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_ComCertSelParams_SetCertificate
(certSelParams, targetCert, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_CertSelector_Create
(NULL, NULL, &certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
(certSelector, certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_ProcessingParams_SetTargetCertConstraints
(procParams, certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
(testUserChecker,
supportForward,
PKIX_FALSE,
userOIDs,
NULL,
&checker,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertChainChecker
(procParams, checker, plContext));
/* create CertStores */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
(PKIX_ESCASCII,
dirName,
0,
&dirNameString,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
(dirNameString, &certStore, plContext));
#if 0
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
(&certStore, plContext));
#endif
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_AppendItem
(certStores, (PKIX_PL_Object *)certStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
(procParams, certStores, plContext));
/* build cert chain using processing params and return buildResult */
pkixTestErrorResult = PKIX_BuildChain
(procParams,
&nbioContext,
&buildState,
&buildResult,
NULL,
plContext);
if (testValid == PKIX_TRUE) { /* ENE */
if (pkixTestErrorResult){
(void) printf("UNEXPECTED RESULT RECEIVED!\n");
} else {
(void) printf("EXPECTED RESULT RECEIVED!\n");
PKIX_TEST_DECREF_BC(pkixTestErrorResult);
}
} else { /* EE */
if (pkixTestErrorResult){
(void) printf("EXPECTED RESULT RECEIVED!\n");
PKIX_TEST_DECREF_BC(pkixTestErrorResult);
} else {
testError("UNEXPECTED RESULT RECEIVED");
}
}
if (buildResult){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_BuildResult_GetCertChain
(buildResult, &certs, NULL));
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_GetLength(certs, &numCerts, plContext));
printf("\n");
for (i = 0; i < numCerts; i++){
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_List_GetItem
(certs,
i,
(PKIX_PL_Object**)&cert,
plContext));
asciiResult = PKIX_Cert2ASCII(cert);
printf("CERT[%d]:\n%s\n", i, asciiResult);
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Free(asciiResult, plContext));
asciiResult = NULL;
PKIX_TEST_DECREF_BC(cert);
}
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_Equals
((PKIX_PL_Object*)certs,
(PKIX_PL_Object*)expectedCerts,
&result,
plContext));
if (!result){
testError("BUILT CERTCHAIN IS "
"NOT THE ONE THAT WAS EXPECTED");
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_ToString
((PKIX_PL_Object *)certs,
&actualCertsString,
plContext));
actualCertsAscii = PKIX_String2ASCII
(actualCertsString, plContext);
if (actualCertsAscii == NULL){
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
PKIX_TEST_EXPECT_NO_ERROR
(PKIX_PL_Object_ToString
((PKIX_PL_Object *)expectedCerts,
&expectedCertsString,
plContext));
expectedCertsAscii = PKIX_String2ASCII
(expectedCertsString, plContext);
if (expectedCertsAscii == NULL){
pkixTestErrorMsg = "PKIX_String2ASCII Failed";
goto cleanup;
}
(void) printf("Actual value:\t%s\n", actualCertsAscii);
(void) printf("Expected value:\t%s\n",
expectedCertsAscii);
if (chainLength - 1 != numUserCheckerCalled) {
pkixTestErrorMsg =
"PKIX user defined checker not called";
}
goto cleanup;
}
}
cleanup:
PKIX_PL_Free(asciiResult, plContext);
PKIX_PL_Free(actualCertsAscii, plContext);
PKIX_PL_Free(expectedCertsAscii, plContext);
PKIX_TEST_DECREF_AC(actualCertsString);
PKIX_TEST_DECREF_AC(expectedCertsString);
PKIX_TEST_DECREF_AC(expectedCerts);
PKIX_TEST_DECREF_AC(certs);
PKIX_TEST_DECREF_AC(cert);
PKIX_TEST_DECREF_AC(certStore);
PKIX_TEST_DECREF_AC(certStores);
PKIX_TEST_DECREF_AC(dirNameString);
PKIX_TEST_DECREF_AC(trustedCert);
PKIX_TEST_DECREF_AC(targetCert);
PKIX_TEST_DECREF_AC(anchor);
PKIX_TEST_DECREF_AC(anchors);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(certSelParams);
PKIX_TEST_DECREF_AC(certSelector);
PKIX_TEST_DECREF_AC(buildResult);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(userOIDs);
PKIX_TEST_DECREF_AC(checker);
PKIX_TEST_RETURN();
PKIX_Shutdown(plContext);
endTests("BuildChain_UserChecker");
return (0);
}
int
test_comcertselparams(int argc, char *argv[])
{
PKIX_UInt32 actualMinorVersion;
PKIX_UInt32 j = 0;
PKIX_PL_Cert *testCert = NULL;
PKIX_PL_Cert *goodCert = NULL;
PKIX_PL_Cert *equalCert = NULL;
PKIX_PL_Cert *diffCert = NULL;
PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL;
PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL;
PKIX_List *testPolicyInfos = NULL; /* CertPolicyInfos */
PKIX_List *cert2PolicyInfos = NULL; /* CertPolicyInfos */
PKIX_ComCertSelParams *goodParams = NULL;
PKIX_ComCertSelParams *equalParams = NULL;
PKIX_PL_X500Name *goodSubject = NULL;
PKIX_PL_X500Name *equalSubject = NULL;
PKIX_PL_X500Name *diffSubject = NULL;
PKIX_PL_X500Name *testSubject = NULL;
PKIX_Int32 goodMinPathLength = 0;
PKIX_Int32 equalMinPathLength = 0;
PKIX_Int32 diffMinPathLength = 0;
PKIX_Int32 testMinPathLength = 0;
PKIX_List *goodPolicies = NULL; /* OIDs */
PKIX_List *equalPolicies = NULL; /* OIDs */
PKIX_List *testPolicies = NULL; /* OIDs */
PKIX_List *cert2Policies = NULL; /* OIDs */
PKIX_PL_Date *testDate = NULL;
PKIX_PL_Date *goodDate = NULL;
PKIX_PL_Date *equalDate = NULL;
PKIX_PL_String *stringRep = NULL;
char *asciiRep = NULL;
char *dirName = NULL;
PKIX_TEST_STD_VARS();
if (argc < 2) {
printUsage();
return (0);
}
startTests("ComCertSelParams");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
dirName = argv[j + 1];
asciiRep = "050501000000Z";
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, asciiRep, 0, &stringRep, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime(stringRep, &testDate, plContext));
testCert = createCert(dirName, "PoliciesP1234CACert.crt", plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(testCert, &testSubject, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints(testCert, &goodBasicConstraints, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint(goodBasicConstraints, &testMinPathLength, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(testCert, &testPolicyInfos, plContext));
/* Convert from List of CertPolicyInfos to List of OIDs */
test_CreateOIDList(testPolicyInfos, &testPolicies);
subTest("Create goodParams and set its fields");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject(goodParams, testSubject, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(goodParams, testMinPathLength, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid(goodParams, testDate, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(goodParams, testPolicies, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(goodParams, testCert, plContext));
subTest("Duplicate goodParams and verify copy");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate((PKIX_PL_Object *)goodParams,
(PKIX_PL_Object **)&equalParams,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(goodParams, &goodSubject, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(goodParams, &goodMinPathLength, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate(goodParams, &goodCert, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid(goodParams, &goodDate, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(goodParams, &goodPolicies, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(equalParams, &equalSubject, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(equalParams, &equalMinPathLength, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(equalParams, &equalPolicies, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate(equalParams, &equalCert, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid(equalParams, &equalDate, plContext));
testEqualsHelper((PKIX_PL_Object *)goodSubject,
(PKIX_PL_Object *)equalSubject,
PKIX_TRUE,
plContext);
if (goodMinPathLength != equalMinPathLength) {
testError("unexpected mismatch");
(void)printf("goodMinPathLength:\t%d\n", goodMinPathLength);
(void)printf("equalMinPathLength:\t%d\n", equalMinPathLength);
}
testEqualsHelper((PKIX_PL_Object *)goodPolicies,
(PKIX_PL_Object *)equalPolicies,
PKIX_TRUE,
plContext);
testEqualsHelper((PKIX_PL_Object *)goodCert,
(PKIX_PL_Object *)equalCert,
PKIX_TRUE,
plContext);
testEqualsHelper((PKIX_PL_Object *)goodDate,
(PKIX_PL_Object *)equalDate,
PKIX_TRUE,
plContext);
PKIX_TEST_DECREF_BC(equalSubject);
PKIX_TEST_DECREF_BC(equalPolicies);
PKIX_TEST_DECREF_BC(equalCert);
PKIX_TEST_DECREF_AC(equalDate);
subTest("Set different values and verify differences");
diffCert = createCert(dirName, "pathLenConstraint6CACert.crt", plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(diffCert, &diffSubject, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints(diffCert, &diffBasicConstraints, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint(diffBasicConstraints, &diffMinPathLength, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(diffCert, &cert2PolicyInfos, plContext));
test_CreateOIDList(cert2PolicyInfos, &cert2Policies);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject(
equalParams, diffSubject, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints(equalParams, diffMinPathLength, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy(equalParams, cert2Policies, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject(equalParams, &equalSubject, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints(equalParams, &equalMinPathLength, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy(equalParams, &equalPolicies, plContext));
testEqualsHelper((PKIX_PL_Object *)goodSubject,
(PKIX_PL_Object *)equalSubject,
PKIX_FALSE,
plContext);
if (goodMinPathLength == equalMinPathLength) {
testError("unexpected match");
(void)printf("goodMinPathLength:\t%d\n", goodMinPathLength);
(void)printf("equalMinPathLength:\t%d\n", equalMinPathLength);
}
testEqualsHelper((PKIX_PL_Object *)goodPolicies,
(PKIX_PL_Object *)equalPolicies,
PKIX_FALSE,
plContext);
test_NameConstraints(dirName);
test_PathToNames();
test_SubjAltNames();
test_KeyUsages();
test_Version_Issuer_SerialNumber();
test_SubjKeyId_AuthKeyId();
test_SubjAlgId_SubjPublicKey(dirName);
cleanup:
PKIX_TEST_DECREF_AC(testSubject);
PKIX_TEST_DECREF_AC(goodSubject);
PKIX_TEST_DECREF_AC(equalSubject);
PKIX_TEST_DECREF_AC(diffSubject);
PKIX_TEST_DECREF_AC(testSubject);
PKIX_TEST_DECREF_AC(goodPolicies);
PKIX_TEST_DECREF_AC(equalPolicies);
PKIX_TEST_DECREF_AC(testPolicies);
PKIX_TEST_DECREF_AC(cert2Policies);
PKIX_TEST_DECREF_AC(goodParams);
PKIX_TEST_DECREF_AC(equalParams);
PKIX_TEST_DECREF_AC(goodCert);
PKIX_TEST_DECREF_AC(diffCert);
PKIX_TEST_DECREF_AC(testCert);
PKIX_TEST_DECREF_AC(goodBasicConstraints);
PKIX_TEST_DECREF_AC(diffBasicConstraints);
PKIX_TEST_DECREF_AC(testPolicyInfos);
PKIX_TEST_DECREF_AC(cert2PolicyInfos);
PKIX_TEST_DECREF_AC(stringRep);
PKIX_TEST_DECREF_AC(testDate);
PKIX_TEST_DECREF_AC(goodDate);
PKIX_Shutdown(plContext);
PKIX_TEST_RETURN();
endTests("ComCertSelParams");
return (0);
}
/*
* FUNCTION: pkix_Logger_CheckErrors
* DESCRIPTION:
*
* This function goes through each PKIX_Logger at "pkixLoggersList" and
* checks if "maxLevel" and "logComponent" satisfies what is specified in the
* PKIX_Logger. If satisfies, it invokes the callback in PKIX_Logger and
* passes a PKIX_PL_String that is the concatenation of "message" and
* "message2" to the application for processing.
* Since this call is inserted into a handful of PKIX macros, no macros are
* applied in this function, to avoid infinite recursion.
* If an error occurs, this call is aborted.
*
* PARAMETERS:
* "pkixLoggersList"
* A list of PKIX_Loggers to be examined for invoking callback. Must be
* non-NULL.
* "message"
* Address of "message" to be logged. Must be non-NULL.
* "message2"
* Address of "message2" to be concatenated and logged. May be NULL.
* "logComponent"
* A PKIX_UInt32 that indicates the component the message is from.
* "maxLevel"
* A PKIX_UInt32 that represents the level of severity of the message.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds
* Returns a Fatal Error if the function fails in an unrecoverable way
*/
PKIX_Error *
pkix_Logger_Check(
PKIX_List *pkixLoggersList,
const char *message,
const char *message2,
PKIX_ERRORCLASS logComponent,
PKIX_UInt32 currentLevel,
void *plContext)
{
PKIX_Logger *logger = NULL;
PKIX_List *savedPkixLoggersErrors = NULL;
PKIX_List *savedPkixLoggersDebugTrace = NULL;
PKIX_PL_String *formatString = NULL;
PKIX_PL_String *messageString = NULL;
PKIX_PL_String *message2String = NULL;
PKIX_PL_String *msgString = NULL;
PKIX_Error *error = NULL;
PKIX_Boolean needLogging = PKIX_FALSE;
PKIX_UInt32 i, length;
/*
* We cannot use any the PKIX_ macros here, since this function is
* called from some of these macros. It can create infinite recursion.
*/
if ((pkixLoggersList == NULL) || (message == NULL)) {
return(NULL);
}
/*
* Disable all subsequent loggings to avoid recursion. The result is
* if other thread is calling this function at the same time, there
* won't be any logging because the pkixLoggersErrors and
* pkixLoggersDebugTrace are set to null.
* It would be nice if we provide control per thread (e.g. make
* plContext threadable) then we can avoid the recursion by setting
* flag at plContext. Then other thread's logging won't be affected.
*
* Also we need to use a reentrant Lock. Although we avoid recursion
* for TRACE. When there is an ERROR occurs in subsequent call, this
* function will be called.
*/
error = PKIX_PL_MonitorLock_Enter(pkixLoggerLock, plContext);
if (error) { return(NULL); }
savedPkixLoggersDebugTrace = pkixLoggersDebugTrace;
pkixLoggersDebugTrace = NULL;
savedPkixLoggersErrors = pkixLoggersErrors;
pkixLoggersErrors = NULL;
/* Convert message and message2 to String */
error = PKIX_PL_String_Create
(PKIX_ESCASCII, message, 0, &messageString, plContext);
if (error) { goto cleanup; }
if (message2) {
error = PKIX_PL_String_Create
(PKIX_ESCASCII, message2, 0, &message2String, plContext);
if (error) { goto cleanup; }
error = PKIX_PL_String_Create
(PKIX_ESCASCII, "%s %s", 0, &formatString, plContext);
if (error) { goto cleanup; }
} else {
error = PKIX_PL_String_Create
(PKIX_ESCASCII, "%s", 0, &formatString, plContext);
if (error) { goto cleanup; }
}
error = PKIX_PL_Sprintf
(&msgString,
plContext,
formatString,
messageString,
message2String);
if (error) { goto cleanup; }
/* Go through the Logger list */
error = PKIX_List_GetLength(pkixLoggersList, &length, plContext);
if (error) { goto cleanup; }
for (i = 0; i < length; i++) {
error = PKIX_List_GetItem
(pkixLoggersList,
i,
(PKIX_PL_Object **) &logger,
plContext);
if (error) { goto cleanup; }
/* Intended logging level less or equal than the max */
needLogging = (currentLevel <= logger->maxLevel);
if (needLogging && (logger->callback)) {
/*
* We separate Logger into two lists based on log level
* but log level is not modified. We need to check here to
* avoid logging the higher log level (lower value) twice.
*/
if (pkixLoggersList == pkixLoggersErrors) {
needLogging = needLogging &&
(currentLevel <= PKIX_LOGGER_LEVEL_WARNING);
} else if (pkixLoggersList == pkixLoggersDebugTrace) {
needLogging = needLogging &&
(currentLevel > PKIX_LOGGER_LEVEL_WARNING);
}
if (needLogging) {
if (logComponent == logger->logComponent) {
needLogging = PKIX_TRUE;
} else {
needLogging = PKIX_FALSE;
}
}
if (needLogging) {
error = logger->callback
(logger,
msgString,
currentLevel,
logComponent,
plContext);
if (error) { goto cleanup; }
}
}
error = PKIX_PL_Object_DecRef
((PKIX_PL_Object *)logger, plContext);
logger = NULL;
if (error) { goto cleanup; }
}
cleanup:
if (formatString) {
error = PKIX_PL_Object_DecRef
((PKIX_PL_Object *)formatString, plContext);
}
if (messageString) {
error = PKIX_PL_Object_DecRef
((PKIX_PL_Object *)messageString, plContext);
}
if (message2String) {
error = PKIX_PL_Object_DecRef
((PKIX_PL_Object *)message2String, plContext);
}
if (msgString) {
error = PKIX_PL_Object_DecRef
((PKIX_PL_Object *)msgString, plContext);
}
if (logger) {
error = PKIX_PL_Object_DecRef
((PKIX_PL_Object *)logger, plContext);
}
if (pkixLoggersErrors == NULL && savedPkixLoggersErrors != NULL) {
pkixLoggersErrors = savedPkixLoggersErrors;
}
if (pkixLoggersDebugTrace == NULL &&
savedPkixLoggersDebugTrace != NULL) {
pkixLoggersDebugTrace = savedPkixLoggersDebugTrace;
}
error = PKIX_PL_MonitorLock_Exit(pkixLoggerLock, plContext);
if (error) { return(NULL); }
return(NULL);
}
int
build_chain(int argc, char *argv[])
{
PKIX_BuildResult *buildResult = NULL;
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_TrustAnchor *anchor = NULL;
PKIX_List *anchors = NULL;
PKIX_List *certs = NULL;
PKIX_PL_Cert *cert = NULL;
PKIX_ProcessingParams *procParams = NULL;
char *trustedCertFile = NULL;
char *targetCertFile = NULL;
char *storeDirAscii = NULL;
PKIX_PL_String *storeDirString = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_PL_Cert *targetCert = NULL;
PKIX_UInt32 actualMinorVersion, numCerts, i;
PKIX_UInt32 j = 0;
PKIX_CertStore *certStore = NULL;
PKIX_List *certStores = NULL;
char *asciiResult = NULL;
PKIX_Boolean useArenas = PKIX_FALSE;
void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */
void *nbioContext = NULL;
PKIX_TEST_STD_VARS();
if (argc < 4) {
printUsage();
return (0);
}
useArenas = PKIX_TEST_ARENAS_ARG(argv[1]);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_Initialize(PKIX_TRUE, /* nssInitNeeded */
useArenas,
PKIX_MAJOR_VERSION,
PKIX_MINOR_VERSION,
PKIX_MINOR_VERSION,
&actualMinorVersion,
&plContext));
/* create processing params with list of trust anchors */
trustedCertFile = argv[j + 1];
trustedCert = createCert(trustedCertFile);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));
/* create CertSelector with target certificate in params */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
targetCertFile = argv[j + 2];
targetCert = createCert(targetCertFile);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));
/* create CertStores */
storeDirAscii = argv[j + 3];
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, storeDirAscii, 0, &storeDirString, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(storeDirString, &certStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext));
/* build cert chain using processing params and return buildResult */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildChain(procParams,
&nbioContext,
&buildState,
&buildResult,
NULL,
plContext));
/*
* As long as we use only CertStores with blocking I/O, we can omit
* checking for completion with nbioContext.
*/
PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(certs, &numCerts, plContext));
printf("\n");
for (i = 0; i < numCerts; i++) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(certs, i, (PKIX_PL_Object **)&cert, plContext));
asciiResult = PKIX_Cert2ASCII(cert);
printf("CERT[%d]:\n%s\n", i, asciiResult);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, plContext));
asciiResult = NULL;
PKIX_TEST_DECREF_BC(cert);
}
cleanup:
if (PKIX_TEST_ERROR_RECEIVED) {
(void)printf("FAILED TO BUILD CHAIN\n");
} else {
(void)printf("SUCCESSFULLY BUILT CHAIN\n");
}
PKIX_PL_Free(asciiResult, plContext);
PKIX_TEST_DECREF_AC(certs);
PKIX_TEST_DECREF_AC(cert);
PKIX_TEST_DECREF_AC(certStore);
PKIX_TEST_DECREF_AC(certStores);
PKIX_TEST_DECREF_AC(storeDirString);
PKIX_TEST_DECREF_AC(trustedCert);
PKIX_TEST_DECREF_AC(targetCert);
PKIX_TEST_DECREF_AC(anchor);
PKIX_TEST_DECREF_AC(anchors);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(certSelParams);
PKIX_TEST_DECREF_AC(certSelector);
PKIX_TEST_DECREF_AC(buildResult);
PKIX_TEST_RETURN();
PKIX_Shutdown(plContext);
return (0);
}
static PKIX_Error *
testDefaultMultipleCertStores(PKIX_ValidateParams *valParams,
char *crlDir1,
char *crlDir2)
{
PKIX_PL_String *dirString1 = NULL;
PKIX_PL_String *dirString2 = NULL;
PKIX_CertStore *certStore1 = NULL;
PKIX_CertStore *certStore2 = NULL;
PKIX_List *certStoreList = NULL;
PKIX_ProcessingParams *procParams = NULL;
PKIX_TEST_STD_VARS();
subTest("PKIX_PL_CollectionCertStore_Create");
/* Create CollectionCertStore */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
(PKIX_ESCASCII,
crlDir1,
0,
&dirString1,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
(dirString1,
&certStore1,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
(PKIX_ESCASCII,
crlDir2,
0,
&dirString2,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
(dirString2,
&certStore2,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
(valParams, &procParams, plContext));
/* Add multiple CollectionCertStores */
subTest("PKIX_ProcessingParams_SetCertStores");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStoreList, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(certStoreList, (PKIX_PL_Object *)certStore1, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
(procParams, certStoreList, plContext));
subTest("PKIX_ProcessingParams_AddCertStore");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore
(procParams, certStore2, plContext));
subTest("PKIX_ProcessingParams_SetRevocationEnabled");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
(procParams, PKIX_TRUE, plContext));
cleanup:
PKIX_TEST_DECREF_AC(dirString1);
PKIX_TEST_DECREF_AC(dirString2);
PKIX_TEST_DECREF_AC(certStore1);
PKIX_TEST_DECREF_AC(certStore2);
PKIX_TEST_DECREF_AC(certStoreList);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_RETURN();
return (0);
}
/*
* FUNCTION: pkix_pl_CRL_ToString_Helper
* DESCRIPTION:
*
* Helper function that creates a string representation of the CRL pointed
* to by "crl" and stores it at "pString".
*
* PARAMETERS
* "crl"
* Address of CRL whose string representation is desired.
* Must be non-NULL.
* "pString"
* Address where object pointer will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a CRL Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_pl_CRL_ToString_Helper(
PKIX_PL_CRL *crl,
PKIX_PL_String **pString,
void *plContext)
{
char *asciiFormat = NULL;
PKIX_UInt32 crlVersion;
PKIX_PL_X500Name *crlIssuer = NULL;
PKIX_PL_OID *nssSignatureAlgId = NULL;
PKIX_PL_BigInt *crlNumber = NULL;
PKIX_List *crlEntryList = NULL;
PKIX_List *critExtOIDs = NULL;
PKIX_PL_String *formatString = NULL;
PKIX_PL_String *crlIssuerString = NULL;
PKIX_PL_String *lastUpdateString = NULL;
PKIX_PL_String *nextUpdateString = NULL;
PKIX_PL_String *nssSignatureAlgIdString = NULL;
PKIX_PL_String *crlNumberString = NULL;
PKIX_PL_String *crlEntryListString = NULL;
PKIX_PL_String *critExtOIDsString = NULL;
PKIX_PL_String *crlString = NULL;
PKIX_ENTER(CRL, "pkix_pl_CRL_ToString_Helper");
PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pString);
asciiFormat =
"[\n"
"\tVersion: v%d\n"
"\tIssuer: %s\n"
"\tUpdate: [Last: %s\n"
"\t Next: %s]\n"
"\tSignatureAlgId: %s\n"
"\tCRL Number : %s\n"
"\n"
"\tEntry List: %s\n"
"\n"
"\tCritExtOIDs: %s\n"
"]\n";
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
asciiFormat,
0,
&formatString,
plContext),
PKIX_STRINGCREATEFAILED);
/* Version */
PKIX_CHECK(pkix_pl_CRL_GetVersion(crl, &crlVersion, plContext),
PKIX_CRLGETVERSIONFAILED);
/* Issuer */
PKIX_CHECK(PKIX_PL_CRL_GetIssuer(crl, &crlIssuer, plContext),
PKIX_CRLGETISSUERFAILED);
PKIX_CHECK(PKIX_PL_Object_ToString
((PKIX_PL_Object *)crlIssuer, &crlIssuerString, plContext),
PKIX_X500NAMETOSTRINGFAILED);
/* This update - No Date object created, use nss data directly */
PKIX_CHECK(pkix_pl_Date_ToString_Helper
(&(crl->nssSignedCrl->crl.lastUpdate),
&lastUpdateString,
plContext),
PKIX_DATETOSTRINGHELPERFAILED);
/* Next update - No Date object created, use nss data directly */
PKIX_CHECK(pkix_pl_Date_ToString_Helper
(&(crl->nssSignedCrl->crl.nextUpdate),
&nextUpdateString,
plContext),
PKIX_DATETOSTRINGHELPERFAILED);
/* Signature Algorithm Id */
PKIX_CHECK(pkix_pl_CRL_GetSignatureAlgId
(crl, &nssSignatureAlgId, plContext),
PKIX_CRLGETSIGNATUREALGIDFAILED);
PKIX_CHECK(PKIX_PL_Object_ToString
((PKIX_PL_Object *)nssSignatureAlgId,
&nssSignatureAlgIdString,
plContext),
PKIX_OIDTOSTRINGFAILED);
/* CRL Number */
PKIX_CHECK(PKIX_PL_CRL_GetCRLNumber
(crl, &crlNumber, plContext),
PKIX_CRLGETCRLNUMBERFAILED);
PKIX_TOSTRING(crlNumber, &crlNumberString, plContext,
PKIX_BIGINTTOSTRINGFAILED);
/* CRL Entries */
PKIX_CHECK(pkix_pl_CRL_GetCRLEntries(crl, &crlEntryList, plContext),
PKIX_CRLGETCRLENTRIESFAILED);
PKIX_TOSTRING(crlEntryList, &crlEntryListString, plContext,
PKIX_LISTTOSTRINGFAILED);
/* CriticalExtensionOIDs */
PKIX_CHECK(PKIX_PL_CRL_GetCriticalExtensionOIDs
(crl, &critExtOIDs, plContext),
PKIX_CRLGETCRITICALEXTENSIONOIDSFAILED);
PKIX_TOSTRING(critExtOIDs, &critExtOIDsString, plContext,
PKIX_LISTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_Sprintf
(&crlString,
plContext,
formatString,
crlVersion + 1,
crlIssuerString,
lastUpdateString,
nextUpdateString,
nssSignatureAlgIdString,
crlNumberString,
crlEntryListString,
critExtOIDsString),
PKIX_SPRINTFFAILED);
*pString = crlString;
cleanup:
PKIX_DECREF(crlIssuer);
PKIX_DECREF(nssSignatureAlgId);
PKIX_DECREF(crlNumber);
PKIX_DECREF(crlEntryList);
PKIX_DECREF(critExtOIDs);
PKIX_DECREF(crlIssuerString);
PKIX_DECREF(lastUpdateString);
PKIX_DECREF(nextUpdateString);
PKIX_DECREF(nssSignatureAlgIdString);
PKIX_DECREF(crlNumberString);
PKIX_DECREF(crlEntryListString);
PKIX_DECREF(critExtOIDsString);
PKIX_DECREF(formatString);
PKIX_RETURN(CRL);
}
int
test_buildchain_resourcelimits(int argc, char *argv[])
{
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_TrustAnchor *anchor = NULL;
PKIX_List *anchors = NULL;
PKIX_ProcessingParams *procParams = NULL;
PKIX_CertChainChecker *checker = NULL;
PKIX_ResourceLimits *resourceLimits = NULL;
char *dirName = NULL;
PKIX_PL_String *dirNameString = NULL;
PKIX_PL_Cert *trustedCert = NULL;
PKIX_PL_Cert *targetCert = NULL;
PKIX_PL_Cert *dirCert = NULL;
PKIX_UInt32 actualMinorVersion = 0;
PKIX_UInt32 j = 0;
PKIX_UInt32 k = 0;
PKIX_CertStore *ldapCertStore = NULL;
PRIntervalTime timeout = 0; /* 0 for non-blocking */
PKIX_CertStore *certStore = NULL;
PKIX_List *certStores = NULL;
PKIX_List *expectedCerts = NULL;
PKIX_Boolean testValid = PKIX_FALSE;
PKIX_Boolean usebind = PKIX_FALSE;
PKIX_Boolean useLDAP = PKIX_FALSE;
PKIX_TEST_STD_VARS();
if (argc < 5) {
printUsage();
return (0);
}
startTests("BuildChain_ResourceLimits");
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
/*
* arguments:
* [optional] -arenas
* [optional] usebind
* servername or servername:port ( - for no server)
* testname
* EE or ENE
* cert directory
* target cert (end entity)
* intermediate certs
* trust anchor
*/
/* optional argument "usebind" for Ldap CertStore */
if (argv[j + 1]) {
if (PORT_Strcmp(argv[j + 1], "usebind") == 0) {
usebind = PKIX_TRUE;
j++;
}
}
if (PORT_Strcmp(argv[++j], "-") == 0) {
useLDAP = PKIX_FALSE;
} else {
serverName = argv[j];
}
subTest(argv[++j]);
/* ENE = expect no error; EE = expect error */
if (PORT_Strcmp(argv[++j], "ENE") == 0) {
testValid = PKIX_TRUE;
} else if (PORT_Strcmp(argv[j], "EE") == 0) {
testValid = PKIX_FALSE;
} else {
printUsage();
return (0);
}
dirName = argv[++j];
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
for (k = ++j; k < argc; k++) {
dirCert = createCert(dirName, argv[k], plContext);
if (k == (argc - 1)) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
trustedCert = dirCert;
} else {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(expectedCerts,
(PKIX_PL_Object *)dirCert,
plContext));
if (k == j) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef((PKIX_PL_Object *)dirCert, plContext));
targetCert = dirCert;
}
}
PKIX_TEST_DECREF_BC(dirCert);
}
/* create processing params with list of trust anchors */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));
/* create CertSelector with target certificate in params */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));
/* create CertStores */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII,
dirName,
0,
&dirNameString,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create(dirNameString, &certStore, plContext));
#if 0
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
(&certStore, plContext));
#endif
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
if (useLDAP == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore(serverName, timeout, &ldapCertStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores,
(PKIX_PL_Object *)ldapCertStore,
plContext));
}
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext));
/* set resource limits */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create(&resourceLimits, plContext));
/* need longer time when running dbx for memory leak checking */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime(resourceLimits, 60, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 2, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 2, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetResourceLimits(procParams, resourceLimits, plContext));
/* build cert chain using processing params and return buildResult */
subTest("Testing ResourceLimits MaxFanout & MaxDepth - <pass>");
Test_BuildResult(procParams,
testValid,
expectedCerts,
plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 1, plContext));
subTest("Testing ResourceLimits MaxFanout - <fail>");
Test_BuildResult(procParams,
PKIX_FALSE,
expectedCerts,
plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 2, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 1, plContext));
subTest("Testing ResourceLimits MaxDepth - <fail>");
Test_BuildResult(procParams,
PKIX_FALSE,
expectedCerts,
plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout(resourceLimits, 0, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth(resourceLimits, 0, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime(resourceLimits, 0, plContext));
subTest("Testing ResourceLimits No checking - <pass>");
Test_BuildResult(procParams,
testValid,
expectedCerts,
plContext);
cleanup:
PKIX_TEST_DECREF_AC(expectedCerts);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(certStores);
PKIX_TEST_DECREF_AC(certStore);
PKIX_TEST_DECREF_AC(ldapCertStore);
PKIX_TEST_DECREF_AC(dirNameString);
PKIX_TEST_DECREF_AC(trustedCert);
PKIX_TEST_DECREF_AC(targetCert);
PKIX_TEST_DECREF_AC(anchors);
PKIX_TEST_DECREF_AC(anchor);
PKIX_TEST_DECREF_AC(certSelParams);
PKIX_TEST_DECREF_AC(certSelector);
PKIX_TEST_DECREF_AC(checker);
PKIX_TEST_DECREF_AC(resourceLimits);
PKIX_TEST_RETURN();
PKIX_Shutdown(plContext);
endTests("BuildChain_UserChecker");
return (0);
}
/*
* FUNCTION: pkix_Logger_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_Logger_ToString(
PKIX_PL_Object *object,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_Logger *logger = NULL;
char *asciiFormat = NULL;
PKIX_PL_String *formatString = NULL;
PKIX_PL_String *contextString = NULL;
PKIX_PL_String *componentString = NULL;
PKIX_PL_String *loggerString = NULL;
PKIX_ENTER(LOGGER, "pkix_Logger_ToString_Helper");
PKIX_NULLCHECK_TWO(object, pString);
/* Check that this object is a logger */
PKIX_CHECK(pkix_CheckType(object, PKIX_LOGGER_TYPE, plContext),
PKIX_OBJECTNOTLOGGER);
logger = (PKIX_Logger *)object;
asciiFormat =
"[\n"
"\tLogger: \n"
"\tContext: %s\n"
"\tMaximum Level: %d\n"
"\tComponent Name: %s\n"
"]\n";
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
asciiFormat,
0,
&formatString,
plContext),
PKIX_STRINGCREATEFAILED);
PKIX_TOSTRING(logger->context, &contextString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
(void *)PKIX_ERRORCLASSNAMES[logger->logComponent],
0,
&componentString,
plContext),
PKIX_STRINGCREATEFAILED);
PKIX_CHECK(PKIX_PL_Sprintf
(&loggerString,
plContext,
formatString,
contextString,
logger->maxLevel,
componentString),
PKIX_SPRINTFFAILED);
*pString = loggerString;
cleanup:
PKIX_DECREF(formatString);
PKIX_DECREF(contextString);
PKIX_RETURN(LOGGER);
}
/*
* FUNCTION: pkix_List_ToString_Helper
* DESCRIPTION:
*
* Helper function that creates a string representation of the List pointed
* to by "list" and stores its address in the object pointed to by "pString".
*
* PARAMETERS
* "list"
* Address of List whose string representation is desired.
* Must be non-NULL.
* "pString"
* Address of object pointer's destination. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Conditionally Thread Safe
* (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a List Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_List_ToString_Helper(
PKIX_List *list,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_PL_String *itemString = NULL;
PKIX_PL_String *nextString = NULL;
PKIX_PL_String *format = NULL;
PKIX_Boolean empty;
PKIX_ENTER(LIST, "pkix_List_ToString_Helper");
PKIX_NULLCHECK_TWO(list, pString);
/* special case when list is the header */
if (list->isHeader){
PKIX_CHECK(PKIX_List_IsEmpty(list, &empty, plContext),
PKIX_LISTISEMPTYFAILED);
if (empty){
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
"EMPTY",
0,
&itemString,
plContext),
PKIX_ERRORCREATINGITEMSTRING);
(*pString) = itemString;
PKIX_DEBUG_EXIT(LIST);
return (NULL);
} else {
PKIX_CHECK(pkix_List_ToString_Helper
(list->next, &itemString, plContext),
PKIX_LISTTOSTRINGHELPERFAILED);
}
/* Create a string object from the format */
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, "%s", 0, &format, plContext),
PKIX_STRINGCREATEFAILED);
PKIX_CHECK(PKIX_PL_Sprintf
(pString, plContext, format, itemString),
PKIX_SPRINTFFAILED);
} else {
/* Get a string for this list's item */
if (list->item == NULL) {
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
"(null)",
0,
&itemString,
plContext),
PKIX_STRINGCREATEFAILED);
} else {
PKIX_CHECK(PKIX_PL_Object_ToString
((PKIX_PL_Object*)list->item,
&itemString,
plContext),
PKIX_OBJECTTOSTRINGFAILED);
}
if (list->next == NULL) {
/* Just return the itemstring */
(*pString) = itemString;
PKIX_DEBUG_EXIT(LIST);
return (NULL);
}
/* Recursive call to get string for this list's next pointer */
PKIX_CHECK(pkix_List_ToString_Helper
(list->next, &nextString, plContext),
PKIX_LISTTOSTRINGHELPERFAILED);
/* Create a string object from the format */
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
"%s, %s",
0,
&format,
plContext),
PKIX_STRINGCREATEFAILED);
PKIX_CHECK(PKIX_PL_Sprintf
(pString,
plContext,
format,
itemString,
nextString),
PKIX_SPRINTFFAILED);
}
cleanup:
PKIX_DECREF(itemString);
PKIX_DECREF(nextString);
PKIX_DECREF(format);
PKIX_RETURN(LIST);
}
/*
* FUNCTION: pkix_pl_CertBasicConstraints_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_pl_CertBasicConstraints_ToString(
PKIX_PL_Object *object,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_PL_String *certBasicConstraintsString = NULL;
PKIX_PL_CertBasicConstraints *certB = NULL;
PKIX_Boolean isCA = PKIX_FALSE;
PKIX_Int32 pathLen = 0;
PKIX_PL_String *outString = NULL;
char *fmtString = NULL;
PKIX_Boolean pathlenArg = PKIX_FALSE;
PKIX_ENTER(CERTBASICCONSTRAINTS,
"pkix_pl_CertBasicConstraints_toString");
PKIX_NULLCHECK_TWO(object, pString);
PKIX_CHECK(pkix_CheckType
(object, PKIX_CERTBASICCONSTRAINTS_TYPE, plContext),
PKIX_FIRSTARGUMENTNOTCERTBASICCONSTRAINTSOBJECT);
certB = (PKIX_PL_CertBasicConstraints *)object;
/*
* if CA == TRUE
* if pathLen == CERT_UNLIMITED_PATH_CONSTRAINT
* print "CA(-1)"
* else print "CA(nnn)"
* if CA == FALSE, print "~CA"
*/
isCA = certB->isCA;
if (isCA) {
pathLen = certB->pathLen;
if (pathLen == CERT_UNLIMITED_PATH_CONSTRAINT) {
/* print "CA(-1)" */
fmtString = "CA(-1)";
pathlenArg = PKIX_FALSE;
} else {
/* print "CA(pathLen)" */
fmtString = "CA(%d)";
pathlenArg = PKIX_TRUE;
}
} else {
/* print "~CA" */
fmtString = "~CA";
pathlenArg = PKIX_FALSE;
}
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
fmtString,
0,
&certBasicConstraintsString,
plContext),
PKIX_STRINGCREATEFAILED);
if (pathlenArg) {
PKIX_CHECK(PKIX_PL_Sprintf
(&outString,
plContext,
certBasicConstraintsString,
pathLen),
PKIX_SPRINTFFAILED);
} else {
PKIX_CHECK(PKIX_PL_Sprintf
(&outString,
plContext,
certBasicConstraintsString),
PKIX_SPRINTFFAILED);
}
*pString = outString;
cleanup:
PKIX_DECREF(certBasicConstraintsString);
PKIX_RETURN(CERTBASICCONSTRAINTS);
}
static void
test_Version_Issuer_SerialNumber(void)
{
PKIX_ComCertSelParams *goodParams = NULL;
PKIX_UInt32 version = 0;
PKIX_PL_X500Name *setIssuer = NULL;
PKIX_PL_X500Name *getIssuer = NULL;
PKIX_PL_String *str = NULL;
PKIX_PL_BigInt *setSerialNumber = NULL;
PKIX_PL_BigInt *getSerialNumber = NULL;
PKIX_Boolean isEqual = PKIX_FALSE;
char *bigInt = "999999999999999999";
PKIX_TEST_STD_VARS();
subTest("PKIX_ComCertSelParams_Create");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&goodParams, plContext));
/* Version */
subTest("PKIX_ComCertSelParams_SetVersion");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion(goodParams, 2, plContext));
subTest("PKIX_ComCertSelParams_GetVersion");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetVersion(goodParams, &version, plContext));
if (version != 2) {
testError("unexpected Version mismatch <expect 2>");
}
/* Issuer */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, "CN=Test,O=Sun,C=US", 0, &str, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create(str, &setIssuer, plContext));
PKIX_TEST_DECREF_BC(str);
subTest("PKIX_ComCertSelParams_SetIssuer");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetIssuer(goodParams, setIssuer, plContext));
subTest("PKIX_ComCertSelParams_GetIssuer");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetIssuer(goodParams, &getIssuer, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setIssuer,
(PKIX_PL_Object *)getIssuer,
&isEqual,
plContext));
if (isEqual == PKIX_FALSE) {
testError("unexpected Issuer mismatch <expect equal>");
}
/* Serial Number */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, bigInt, PL_strlen(bigInt), &str, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create(str, &setSerialNumber, plContext));
subTest("PKIX_ComCertSelParams_SetSerialNumber");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSerialNumber(goodParams, setSerialNumber, plContext));
subTest("PKIX_ComCertSelParams_GetSerialNumber");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSerialNumber(goodParams, &getSerialNumber, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object *)setSerialNumber,
(PKIX_PL_Object *)getSerialNumber,
&isEqual,
plContext));
if (isEqual == PKIX_FALSE) {
testError("unexpected Serial Number mismatch <expect equal>");
}
cleanup:
PKIX_TEST_DECREF_AC(str);
PKIX_TEST_DECREF_AC(setIssuer);
PKIX_TEST_DECREF_AC(getIssuer);
PKIX_TEST_DECREF_AC(setSerialNumber);
PKIX_TEST_DECREF_AC(getSerialNumber);
PKIX_TEST_DECREF_AC(goodParams);
PKIX_TEST_RETURN();
}
/*
* FUNCTION: pkix_TrustAnchor_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_TrustAnchor_ToString(
PKIX_PL_Object *object,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_TrustAnchor *anchor = NULL;
char *asciiFormat = NULL;
PKIX_PL_String *formatString = NULL;
PKIX_PL_String *anchorString = NULL;
PKIX_PL_String *certString = NULL;
PKIX_PL_String *nameString = NULL;
PKIX_PL_String *pubKeyString = NULL;
PKIX_PL_String *nameConstraintsString = NULL;
PKIX_ENTER(TRUSTANCHOR, "pkix_TrustAnchor_ToString");
PKIX_NULLCHECK_TWO(object, pString);
PKIX_CHECK(pkix_CheckType(object, PKIX_TRUSTANCHOR_TYPE, plContext),
PKIX_OBJECTNOTTRUSTANCHOR);
anchor = (PKIX_TrustAnchor*)object;
if (anchor->trustedCert){
asciiFormat =
"[\n"
"\tTrusted Cert: %s\n"
"]\n";
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
asciiFormat,
0,
&formatString,
plContext),
PKIX_STRINGCREATEFAILED);
PKIX_CHECK(PKIX_PL_Object_ToString
((PKIX_PL_Object *)anchor->trustedCert,
&certString,
plContext),
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_Sprintf
(&anchorString,
plContext,
formatString,
certString),
PKIX_SPRINTFFAILED);
} else {
asciiFormat =
"[\n"
"\tTrusted CA Name: %s\n"
"\tTrusted CA PublicKey: %s\n"
"\tInitial Name Constraints:%s\n"
"]\n";
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
asciiFormat,
0,
&formatString,
plContext),
PKIX_STRINGCREATEFAILED);
PKIX_CHECK(PKIX_PL_Object_ToString
((PKIX_PL_Object *)anchor->caName,
&nameString,
plContext),
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_Object_ToString
((PKIX_PL_Object *)anchor->caPubKey,
&pubKeyString,
plContext),
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(anchor->nameConstraints,
&nameConstraintsString,
plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_Sprintf
(&anchorString,
plContext,
formatString,
nameString,
pubKeyString,
nameConstraintsString),
PKIX_SPRINTFFAILED);
}
*pString = anchorString;
cleanup:
PKIX_DECREF(formatString);
PKIX_DECREF(certString);
PKIX_DECREF(nameString);
PKIX_DECREF(pubKeyString);
PKIX_DECREF(nameConstraintsString);
PKIX_RETURN(TRUSTANCHOR);
}
/*
* FUNCTION: pkix_ProcessingParams_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_ProcessingParams_ToString(
PKIX_PL_Object *object,
PKIX_PL_String **pString,
void *plContext)
{
PKIX_ProcessingParams *procParams = NULL;
char *asciiFormat = NULL;
PKIX_PL_String *formatString = NULL;
PKIX_PL_String *procParamsString = NULL;
PKIX_PL_String *anchorsString = NULL;
PKIX_PL_String *dateString = NULL;
PKIX_PL_String *constraintsString = NULL;
PKIX_PL_String *InitialPoliciesString = NULL;
PKIX_PL_String *qualsRejectedString = NULL;
PKIX_List *certStores = NULL;
PKIX_PL_String *certStoresString = NULL;
PKIX_PL_String *resourceLimitsString = NULL;
PKIX_ENTER(PROCESSINGPARAMS, "pkix_ProcessingParams_ToString");
PKIX_NULLCHECK_TWO(object, pString);
PKIX_CHECK(pkix_CheckType
(object, PKIX_PROCESSINGPARAMS_TYPE, plContext),
PKIX_OBJECTNOTPROCESSINGPARAMS);
asciiFormat =
"[\n"
"\tTrust Anchors: \n"
"\t********BEGIN LIST OF TRUST ANCHORS********\n"
"\t\t%s\n"
"\t********END LIST OF TRUST ANCHORS********\n"
"\tDate: \t\t%s\n"
"\tTarget Constraints: %s\n"
"\tInitial Policies: %s\n"
"\tQualifiers Rejected: %s\n"
"\tCert Stores: %s\n"
"\tResource Limits: %s\n"
"\tCRL Checking Enabled: %d\n"
"]\n";
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
asciiFormat,
0,
&formatString,
plContext),
PKIX_STRINGCREATEFAILED);
procParams = (PKIX_ProcessingParams*)object;
PKIX_TOSTRING(procParams->trustAnchors, &anchorsString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING(procParams->date, &dateString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING(procParams->constraints, &constraintsString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_TOSTRING
(procParams->initialPolicies, &InitialPoliciesString, plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII,
(procParams->qualifiersRejected)?"TRUE":"FALSE",
0,
&qualsRejectedString,
plContext),
PKIX_STRINGCREATEFAILED);
/* There is no ToString function for CertChainCheckers */
PKIX_CHECK(PKIX_ProcessingParams_GetCertStores
(procParams, &certStores, plContext),
PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);
PKIX_TOSTRING(certStores, &certStoresString, plContext,
PKIX_LISTTOSTRINGFAILED);
PKIX_TOSTRING(procParams->resourceLimits,
&resourceLimitsString,
plContext,
PKIX_OBJECTTOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_Sprintf
(&procParamsString,
plContext,
formatString,
anchorsString,
dateString,
constraintsString,
InitialPoliciesString,
qualsRejectedString,
certStoresString,
resourceLimitsString,
procParams->isCrlRevocationCheckingEnabled,
procParams->isCrlRevocationCheckingEnabledWithNISTPolicy),
PKIX_SPRINTFFAILED);
*pString = procParamsString;
cleanup:
PKIX_DECREF(formatString);
PKIX_DECREF(anchorsString);
PKIX_DECREF(dateString);
PKIX_DECREF(constraintsString);
PKIX_DECREF(InitialPoliciesString);
PKIX_DECREF(qualsRejectedString);
PKIX_DECREF(certStores);
PKIX_DECREF(certStoresString);
PKIX_DECREF(resourceLimitsString);
PKIX_RETURN(PROCESSINGPARAMS);
}
