PKIX_Error *
PKIX_PL_Date_CreateFromPRTime(
PRTime prtime,
PKIX_PL_Date **pDate,
void *plContext)
{
PKIX_ENTER(DATE, "PKIX_PL_Date_CreateFromPRTime");
PKIX_CHECK(
pkix_pl_Date_CreateFromPRTime(prtime, pDate, plContext),
PKIX_DATECREATEFROMPRTIMEFAILED);
cleanup:
PKIX_RETURN(DATE);
}
int
test_pk11certstore(int argc, char *argv[])
{
PKIX_UInt32 j = 0;
PKIX_UInt32 actualMinorVersion;
PKIX_PL_Date *validityDate = NULL;
PKIX_PL_Date *betweenDate = NULL;
char *crlDir = NULL;
char *expectedProfAscii = "([\n"
"\tVersion: v3\n"
"\tSerialNumber: 00ca\n"
"\tIssuer: CN=chemistry,O=mit,C=us\n"
"\tSubject: CN=prof noall,O=mit,C=us\n"
"\tValidity: [From: Fri Feb 11 14:14:06 2005\n"
"\t To: Mon Jan 18, 2105]\n"
"\tSubjectAltNames: (null)\n"
"\tAuthorityKeyId: (null)\n"
"\tSubjectKeyId: (null)\n"
"\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
"\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n"
"\tExtKeyUsages: (null)\n"
"\tBasicConstraint: CA(6)\n"
"\tCertPolicyInfo: (null)\n"
"\tPolicyMappings: (null)\n"
"\tExplicitPolicy: -1\n"
"\tInhibitMapping: -1\n"
"\tInhibitAnyPolicy:-1\n"
"\tNameConstraints: (null)\n"
"]\n"
", [\n"
"\tVersion: v3\n"
"\tSerialNumber: 03\n"
"\tIssuer: CN=physics,O=mit,C=us\n"
"\tSubject: CN=prof noall,O=mit,C=us\n"
"\tValidity: [From: Fri Feb 11 12:52:26 2005\n"
"\t To: Mon Jan 18, 2105]\n"
"\tSubjectAltNames: (null)\n"
"\tAuthorityKeyId: (null)\n"
"\tSubjectKeyId: (null)\n"
"\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
"\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n"
"\tExtKeyUsages: (null)\n"
"\tBasicConstraint: CA(0)\n"
"\tCertPolicyInfo: (null)\n"
"\tPolicyMappings: (null)\n"
"\tExplicitPolicy: -1\n"
"\tInhibitMapping: -1\n"
"\tInhibitAnyPolicy:-1\n"
"\tNameConstraints: (null)\n"
"]\n"
")";
char *expectedValidityAscii = "([\n"
"\tVersion: v3\n"
"\tSerialNumber: 03\n"
"\tIssuer: CN=physics,O=mit,C=us\n"
"\tSubject: CN=prof noall,O=mit,C=us\n"
"\tValidity: [From: Fri Feb 11 12:52:26 2005\n"
"\t To: Mon Jan 18, 2105]\n"
"\tSubjectAltNames: (null)\n"
"\tAuthorityKeyId: (null)\n"
"\tSubjectKeyId: (null)\n"
"\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
"\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n"
"\tExtKeyUsages: (null)\n"
"\tBasicConstraint: CA(0)\n"
"\tCertPolicyInfo: (null)\n"
"\tPolicyMappings: (null)\n"
"\tExplicitPolicy: -1\n"
"\tInhibitMapping: -1\n"
"\tInhibitAnyPolicy:-1\n"
"\tNameConstraints: (null)\n"
"]\n"
")";
char *expectedMinPathAscii = "([\n"
"\tVersion: v3\n"
"\tSerialNumber: 01\n"
"\tIssuer: CN=science,O=mit,C=us\n"
"\tSubject: CN=science,O=mit,C=us\n"
"\tValidity: [From: Fri Feb 11 12:47:58 2005\n"
"\t To: Mon Jan 18, 2105]\n"
"\tSubjectAltNames: (null)\n"
"\tAuthorityKeyId: (null)\n"
"\tSubjectKeyId: (null)\n"
"\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
"\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n"
"\tExtKeyUsages: (null)\n"
"\tBasicConstraint: CA(10)\n"
"\tCertPolicyInfo: (null)\n"
"\tPolicyMappings: (null)\n"
"\tExplicitPolicy: -1\n"
"\tInhibitMapping: -1\n"
"\tInhibitAnyPolicy:-1\n"
"\tNameConstraints: (null)\n"
"]\n"
")";
char *expectedIssuerAscii = "([\n"
"\tVersion: v2\n"
"\tIssuer: CN=physics,O=mit,C=us\n"
"\tUpdate: [Last: Fri Feb 11 13:51:38 2005\n"
"\t Next: Mon Jan 18, 2105]\n"
"\tSignatureAlgId: 1.2.840.10040.4.3\n"
"\tCRL Number : (null)\n"
"\n"
"\tEntry List: (\n"
"\t[\n"
"\tSerialNumber: 67\n"
"\tReasonCode: 257\n"
"\tRevocationDate: Fri Feb 11 13:51:38 2005\n"
"\tCritExtOIDs: (EMPTY)\n"
"\t]\n"
"\t)\n"
"\n"
"\tCritExtOIDs: (EMPTY)\n"
"]\n"
")";
char *expectedDateAscii = "([\n"
"\tVersion: v2\n"
"\tIssuer: CN=science,O=mit,C=us\n"
"\tUpdate: [Last: Fri Feb 11 13:34:40 2005\n"
"\t Next: Mon Jan 18, 2105]\n"
"\tSignatureAlgId: 1.2.840.10040.4.3\n"
"\tCRL Number : (null)\n"
"\n"
"\tEntry List: (\n"
"\t[\n"
"\tSerialNumber: 65\n"
"\tReasonCode: 260\n"
"\tRevocationDate: Fri Feb 11 13:34:40 2005\n"
"\tCritExtOIDs: (EMPTY)\n"
"\t]\n"
"\t)\n"
"\n"
"\tCritExtOIDs: (EMPTY)\n"
"]\n"
", [\n"
"\tVersion: v2\n"
"\tIssuer: CN=testing CRL,O=test,C=us\n"
"\tUpdate: [Last: Fri Feb 11 13:14:38 2005\n"
"\t Next: Mon Jan 18, 2105]\n"
"\tSignatureAlgId: 1.2.840.10040.4.3\n"
"\tCRL Number : (null)\n"
"\n"
"\tEntry List: (\n"
"\t[\n"
"\tSerialNumber: 67\n"
"\tReasonCode: 258\n"
"\tRevocationDate: Fri Feb 11 13:14:38 2005\n"
"\tCritExtOIDs: (EMPTY)\n"
"\t]\n"
"\t)\n"
"\n"
"\tCritExtOIDs: (EMPTY)\n"
"]\n"
")";
PKIX_TEST_STD_VARS();
startTests("Pk11CertStore");
if (argc < 3) {
printUsage(argv[0]);
return (0);
}
PKIX_TEST_EXPECT_NO_ERROR(
PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
crlDir = argv[j + 2];
/* Two certs for prof should be valid now */
PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime(PR_Now(), &validityDate, plContext));
subTest("Searching Certs for Subject");
testMatchCertSubject(crlDir,
"phy2prof.crt",
NULL, /* expectedProfAscii, */
validityDate,
plContext);
/* One of the certs was not yet valid at this time. */
betweenDate = createDate("050210184000Z", plContext);
subTest("Searching Certs for Subject and Validity");
testMatchCertSubject(crlDir,
"phy2prof.crt",
NULL, /* expectedValidityAscii, */
betweenDate,
plContext);
testMatchCertMinPath(9,
NULL, /* expectedMinPathAscii, */
plContext);
testMatchCrlIssuer(crlDir,
"phys.crl",
NULL, /* expectedIssuerAscii, */
plContext);
testMatchCrlDate("050211184000Z",
NULL, /* expectedDateAscii, */
plContext);
cleanup:
PKIX_TEST_DECREF_AC(validityDate);
PKIX_TEST_DECREF_AC(betweenDate);
PKIX_TEST_RETURN();
endTests("Pk11CertStore");
return (0);
}
/*
* FUNCTION: pkix_pl_OcspResponse_VerifySignature
* DESCRIPTION:
*
* This function verifies the ocspResponse signature field in the OcspResponse
* pointed to by "response", storing PKIX_TRUE at "pPassed" if verification
* is successful and PKIX_FALSE otherwise. If verification is unsuccessful an
* error code (an enumeration of type SECErrorCodes) is stored at *pReturnCode.
*
* PARAMETERS
* "response"
* The address of the OcspResponse whose signature field is to be
* retrieved. Must be non-NULL.
* "cert"
* The address of the Cert for which the OCSP query was made. Must be
* non-NULL.
* "procParams"
* Address of ProcessingParams used to initialize the ExpirationChecker
* and TargetCertChecker. Must be non-NULL.
* "pPassed"
* Address at which the Boolean result is stored. Must be non-NULL.
* "pNBIOContext"
* Address at which the NBIOContext is stored indicating whether the
* checking is complete. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns an OcspResponse Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_pl_OcspResponse_VerifySignature(
PKIX_PL_OcspResponse *response,
PKIX_PL_Cert *cert,
PKIX_ProcessingParams *procParams,
PKIX_Boolean *pPassed,
void **pNBIOContext,
void *plContext)
{
SECStatus rv = SECFailure;
CERTOCSPResponse *nssOCSPResponse = NULL;
CERTCertificate *issuerCert = NULL;
PKIX_BuildResult *buildResult = NULL;
void *nbio = NULL;
void *state = NULL;
ocspSignature *signature = NULL;
ocspResponseData *tbsData = NULL;
SECItem *tbsResponseDataDER = NULL;
PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_VerifySignature");
PKIX_NULLCHECK_FOUR(response, cert, pPassed, pNBIOContext);
nbio = *pNBIOContext;
*pNBIOContext = NULL;
nssOCSPResponse = response->nssOCSPResponse;
if (nssOCSPResponse == NULL) {
PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
goto cleanup;
}
tbsData =
ocsp_GetResponseData(nssOCSPResponse, &tbsResponseDataDER);
signature = ocsp_GetResponseSignature(nssOCSPResponse);
/* Are we resuming after a WOULDBLOCK response? */
if (nbio == NULL) {
/* No, this is a new query */
issuerCert = CERT_FindCertIssuer(cert->nssCert, PR_Now(),
certUsageAnyCA);
/*
* If this signature has already gone through verification,
* just return the cached result.
*/
if (signature->wasChecked) {
if (signature->status == SECSuccess) {
response->signerCert =
CERT_DupCertificate(signature->cert);
} else {
PORT_SetError(signature->failureReason);
goto cleanup;
}
}
response->signerCert =
ocsp_GetSignerCertificate(response->handle, tbsData,
signature, issuerCert);
if (response->signerCert == NULL) {
PORT_SetError(SEC_ERROR_UNKNOWN_SIGNER);
goto cleanup;
}
PKIX_CHECK(
PKIX_PL_Cert_CreateFromCERTCertificate(response->signerCert,
&(response->pkixSignerCert),
plContext),
PKIX_CERTCREATEWITHNSSCERTFAILED);
/*
* We could mark this true at the top of this function, or
* always below at "finish", but if the problem was just that
* we could not find the signer's cert, leave that as if the
* signature hasn't been checked. Maybe a subsequent call will
* have better luck.
*/
signature->wasChecked = PR_TRUE;
/*
* We are about to verify the signer certificate; we need to
* specify *when* that certificate must be valid -- for our
* purposes we expect it to be valid when the response was
* signed. The value of "producedAt" is the signing time.
*/
rv = DER_GeneralizedTimeToTime(&response->producedAt,
&tbsData->producedAt);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
goto cleanup;
}
/*
* We need producedAtDate and pkixSignerCert if we are calling a
* user-supplied verification function. Let's put their
* creation before the code that gets repeated when
* non-blocking I/O is used.
*/
PKIX_CHECK(
pkix_pl_Date_CreateFromPRTime((PRTime)response->producedAt,
&(response->producedAtDate),
plContext),
PKIX_DATECREATEFROMPRTIMEFAILED);
}
/*
* Just because we have a cert does not mean it is any good; check
* it for validity, trust and usage. Use the caller-supplied
* verification function, if one was supplied.
*/
if (ocsp_CertIsOCSPDefaultResponder(response->handle,
response->signerCert)) {
rv = SECSuccess;
} else {
SECCertUsage certUsage;
if (CERT_IsCACert(response->signerCert, NULL)) {
certUsage = certUsageAnyCA;
} else {
certUsage = certUsageStatusResponder;
}
PKIX_CHECK_ONLY_FATAL(
pkix_pl_OcspResponse_VerifyResponse(response, procParams,
certUsage, &state,
&buildResult, &nbio,
plContext),
PKIX_CERTVERIFYKEYUSAGEFAILED);
if (pkixTempErrorReceived) {
rv = SECFailure;
goto cleanup;
}
if (nbio != NULL) {
*pNBIOContext = nbio;
goto cleanup;
}
}
rv = ocsp_VerifyResponseSignature(response->signerCert, signature,
tbsResponseDataDER, NULL);
cleanup:
if (rv == SECSuccess) {
*pPassed = PKIX_TRUE;
} else {
*pPassed = PKIX_FALSE;
}
if (signature) {
if (signature->wasChecked) {
signature->status = rv;
}
if (rv != SECSuccess) {
signature->failureReason = PORT_GetError();
if (response->signerCert != NULL) {
CERT_DestroyCertificate(response->signerCert);
response->signerCert = NULL;
}
} else {
/* Save signer's certificate in signature. */
signature->cert = CERT_DupCertificate(response->signerCert);
}
}
if (issuerCert)
CERT_DestroyCertificate(issuerCert);
PKIX_RETURN(OCSPRESPONSE);
}
static PKIX_Error *
testDefaultCertStore(PKIX_ValidateParams *valParams, char *crlDir)
{
PKIX_PL_String *dirString = NULL;
PKIX_CertStore *certStore = NULL;
PKIX_ProcessingParams *procParams = NULL;
PKIX_PL_Date *validity = NULL;
PKIX_List *revCheckers = NULL;
PKIX_RevocationChecker *ocspChecker = NULL;
PKIX_TEST_STD_VARS();
subTest("PKIX_PL_CollectionCertStoreContext_Create");
/* Create CollectionCertStore */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
(PKIX_ESCASCII, crlDir, 0, &dirString, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
(dirString, &certStore, plContext));
/* Create CertStore */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
(valParams, &procParams, plContext));
subTest("PKIX_ProcessingParams_AddCertStore");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore
(procParams, certStore, plContext));
subTest("PKIX_ProcessingParams_SetRevocationEnabled");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
(procParams, PKIX_TRUE, plContext));
/* create current Date */
PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime
(PR_Now(), &validity, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
/* create revChecker */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_Initialize
(validity,
NULL, /* pwArg */
NULL, /* Use default responder */
&ocspChecker,
plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
(revCheckers, (PKIX_PL_Object *)ocspChecker, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
(procParams, revCheckers, plContext));
cleanup:
PKIX_TEST_DECREF_AC(dirString);
PKIX_TEST_DECREF_AC(procParams);
PKIX_TEST_DECREF_AC(certStore);
PKIX_TEST_DECREF_AC(revCheckers);
PKIX_TEST_DECREF_AC(ocspChecker);
PKIX_TEST_RETURN();
return (0);
}
