PKIX_Error * PKIX_PL_Date_CreateFromPRTime( PRTime prtime, PKIX_PL_Date **pDate, void *plContext) { PKIX_ENTER(DATE, "PKIX_PL_Date_CreateFromPRTime"); PKIX_CHECK( pkix_pl_Date_CreateFromPRTime(prtime, pDate, plContext), PKIX_DATECREATEFROMPRTIMEFAILED); cleanup: PKIX_RETURN(DATE); }
int test_pk11certstore(int argc, char *argv[]) { PKIX_UInt32 j = 0; PKIX_UInt32 actualMinorVersion; PKIX_PL_Date *validityDate = NULL; PKIX_PL_Date *betweenDate = NULL; char *crlDir = NULL; char *expectedProfAscii = "([\n" "\tVersion: v3\n" "\tSerialNumber: 00ca\n" "\tIssuer: CN=chemistry,O=mit,C=us\n" "\tSubject: CN=prof noall,O=mit,C=us\n" "\tValidity: [From: Fri Feb 11 14:14:06 2005\n" "\t To: Mon Jan 18, 2105]\n" "\tSubjectAltNames: (null)\n" "\tAuthorityKeyId: (null)\n" "\tSubjectKeyId: (null)\n" "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n" "\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n" "\tExtKeyUsages: (null)\n" "\tBasicConstraint: CA(6)\n" "\tCertPolicyInfo: (null)\n" "\tPolicyMappings: (null)\n" "\tExplicitPolicy: -1\n" "\tInhibitMapping: -1\n" "\tInhibitAnyPolicy:-1\n" "\tNameConstraints: (null)\n" "]\n" ", [\n" "\tVersion: v3\n" "\tSerialNumber: 03\n" "\tIssuer: CN=physics,O=mit,C=us\n" "\tSubject: CN=prof noall,O=mit,C=us\n" "\tValidity: [From: Fri Feb 11 12:52:26 2005\n" "\t To: Mon Jan 18, 2105]\n" "\tSubjectAltNames: (null)\n" "\tAuthorityKeyId: (null)\n" "\tSubjectKeyId: (null)\n" "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n" "\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n" "\tExtKeyUsages: (null)\n" "\tBasicConstraint: CA(0)\n" "\tCertPolicyInfo: (null)\n" "\tPolicyMappings: (null)\n" "\tExplicitPolicy: -1\n" "\tInhibitMapping: -1\n" "\tInhibitAnyPolicy:-1\n" "\tNameConstraints: (null)\n" "]\n" ")"; char *expectedValidityAscii = "([\n" "\tVersion: v3\n" "\tSerialNumber: 03\n" "\tIssuer: CN=physics,O=mit,C=us\n" "\tSubject: CN=prof noall,O=mit,C=us\n" "\tValidity: [From: Fri Feb 11 12:52:26 2005\n" "\t To: Mon Jan 18, 2105]\n" "\tSubjectAltNames: (null)\n" "\tAuthorityKeyId: (null)\n" "\tSubjectKeyId: (null)\n" "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n" "\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n" "\tExtKeyUsages: (null)\n" "\tBasicConstraint: CA(0)\n" "\tCertPolicyInfo: (null)\n" "\tPolicyMappings: (null)\n" "\tExplicitPolicy: -1\n" "\tInhibitMapping: -1\n" "\tInhibitAnyPolicy:-1\n" "\tNameConstraints: (null)\n" "]\n" ")"; char *expectedMinPathAscii = "([\n" "\tVersion: v3\n" "\tSerialNumber: 01\n" "\tIssuer: CN=science,O=mit,C=us\n" "\tSubject: CN=science,O=mit,C=us\n" "\tValidity: [From: Fri Feb 11 12:47:58 2005\n" "\t To: Mon Jan 18, 2105]\n" "\tSubjectAltNames: (null)\n" "\tAuthorityKeyId: (null)\n" "\tSubjectKeyId: (null)\n" "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n" "\tCritExtOIDs: (2.5.29.15, 2.5.29.19)\n" "\tExtKeyUsages: (null)\n" "\tBasicConstraint: CA(10)\n" "\tCertPolicyInfo: (null)\n" "\tPolicyMappings: (null)\n" "\tExplicitPolicy: -1\n" "\tInhibitMapping: -1\n" "\tInhibitAnyPolicy:-1\n" "\tNameConstraints: (null)\n" "]\n" ")"; char *expectedIssuerAscii = "([\n" "\tVersion: v2\n" "\tIssuer: CN=physics,O=mit,C=us\n" "\tUpdate: [Last: Fri Feb 11 13:51:38 2005\n" "\t Next: Mon Jan 18, 2105]\n" "\tSignatureAlgId: 1.2.840.10040.4.3\n" "\tCRL Number : (null)\n" "\n" "\tEntry List: (\n" "\t[\n" "\tSerialNumber: 67\n" "\tReasonCode: 257\n" "\tRevocationDate: Fri Feb 11 13:51:38 2005\n" "\tCritExtOIDs: (EMPTY)\n" "\t]\n" "\t)\n" "\n" "\tCritExtOIDs: (EMPTY)\n" "]\n" ")"; char *expectedDateAscii = "([\n" "\tVersion: v2\n" "\tIssuer: CN=science,O=mit,C=us\n" "\tUpdate: [Last: Fri Feb 11 13:34:40 2005\n" "\t Next: Mon Jan 18, 2105]\n" "\tSignatureAlgId: 1.2.840.10040.4.3\n" "\tCRL Number : (null)\n" "\n" "\tEntry List: (\n" "\t[\n" "\tSerialNumber: 65\n" "\tReasonCode: 260\n" "\tRevocationDate: Fri Feb 11 13:34:40 2005\n" "\tCritExtOIDs: (EMPTY)\n" "\t]\n" "\t)\n" "\n" "\tCritExtOIDs: (EMPTY)\n" "]\n" ", [\n" "\tVersion: v2\n" "\tIssuer: CN=testing CRL,O=test,C=us\n" "\tUpdate: [Last: Fri Feb 11 13:14:38 2005\n" "\t Next: Mon Jan 18, 2105]\n" "\tSignatureAlgId: 1.2.840.10040.4.3\n" "\tCRL Number : (null)\n" "\n" "\tEntry List: (\n" "\t[\n" "\tSerialNumber: 67\n" "\tReasonCode: 258\n" "\tRevocationDate: Fri Feb 11 13:14:38 2005\n" "\tCritExtOIDs: (EMPTY)\n" "\t]\n" "\t)\n" "\n" "\tCritExtOIDs: (EMPTY)\n" "]\n" ")"; PKIX_TEST_STD_VARS(); startTests("Pk11CertStore"); if (argc < 3) { printUsage(argv[0]); return (0); } PKIX_TEST_EXPECT_NO_ERROR( PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); crlDir = argv[j + 2]; /* Two certs for prof should be valid now */ PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime(PR_Now(), &validityDate, plContext)); subTest("Searching Certs for Subject"); testMatchCertSubject(crlDir, "phy2prof.crt", NULL, /* expectedProfAscii, */ validityDate, plContext); /* One of the certs was not yet valid at this time. */ betweenDate = createDate("050210184000Z", plContext); subTest("Searching Certs for Subject and Validity"); testMatchCertSubject(crlDir, "phy2prof.crt", NULL, /* expectedValidityAscii, */ betweenDate, plContext); testMatchCertMinPath(9, NULL, /* expectedMinPathAscii, */ plContext); testMatchCrlIssuer(crlDir, "phys.crl", NULL, /* expectedIssuerAscii, */ plContext); testMatchCrlDate("050211184000Z", NULL, /* expectedDateAscii, */ plContext); cleanup: PKIX_TEST_DECREF_AC(validityDate); PKIX_TEST_DECREF_AC(betweenDate); PKIX_TEST_RETURN(); endTests("Pk11CertStore"); return (0); }
/* * FUNCTION: pkix_pl_OcspResponse_VerifySignature * DESCRIPTION: * * This function verifies the ocspResponse signature field in the OcspResponse * pointed to by "response", storing PKIX_TRUE at "pPassed" if verification * is successful and PKIX_FALSE otherwise. If verification is unsuccessful an * error code (an enumeration of type SECErrorCodes) is stored at *pReturnCode. * * PARAMETERS * "response" * The address of the OcspResponse whose signature field is to be * retrieved. Must be non-NULL. * "cert" * The address of the Cert for which the OCSP query was made. Must be * non-NULL. * "procParams" * Address of ProcessingParams used to initialize the ExpirationChecker * and TargetCertChecker. Must be non-NULL. * "pPassed" * Address at which the Boolean result is stored. Must be non-NULL. * "pNBIOContext" * Address at which the NBIOContext is stored indicating whether the * checking is complete. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: * Thread Safe (see Thread Safety Definitions in Programmer's Guide) * RETURNS: * Returns NULL if the function succeeds. * Returns an OcspResponse Error if the function fails in a non-fatal way. * Returns a Fatal Error if the function fails in an unrecoverable way. */ PKIX_Error * pkix_pl_OcspResponse_VerifySignature( PKIX_PL_OcspResponse *response, PKIX_PL_Cert *cert, PKIX_ProcessingParams *procParams, PKIX_Boolean *pPassed, void **pNBIOContext, void *plContext) { SECStatus rv = SECFailure; CERTOCSPResponse *nssOCSPResponse = NULL; CERTCertificate *issuerCert = NULL; PKIX_BuildResult *buildResult = NULL; void *nbio = NULL; void *state = NULL; ocspSignature *signature = NULL; ocspResponseData *tbsData = NULL; SECItem *tbsResponseDataDER = NULL; PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_VerifySignature"); PKIX_NULLCHECK_FOUR(response, cert, pPassed, pNBIOContext); nbio = *pNBIOContext; *pNBIOContext = NULL; nssOCSPResponse = response->nssOCSPResponse; if (nssOCSPResponse == NULL) { PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); goto cleanup; } tbsData = ocsp_GetResponseData(nssOCSPResponse, &tbsResponseDataDER); signature = ocsp_GetResponseSignature(nssOCSPResponse); /* Are we resuming after a WOULDBLOCK response? */ if (nbio == NULL) { /* No, this is a new query */ issuerCert = CERT_FindCertIssuer(cert->nssCert, PR_Now(), certUsageAnyCA); /* * If this signature has already gone through verification, * just return the cached result. */ if (signature->wasChecked) { if (signature->status == SECSuccess) { response->signerCert = CERT_DupCertificate(signature->cert); } else { PORT_SetError(signature->failureReason); goto cleanup; } } response->signerCert = ocsp_GetSignerCertificate(response->handle, tbsData, signature, issuerCert); if (response->signerCert == NULL) { PORT_SetError(SEC_ERROR_UNKNOWN_SIGNER); goto cleanup; } PKIX_CHECK( PKIX_PL_Cert_CreateFromCERTCertificate(response->signerCert, &(response->pkixSignerCert), plContext), PKIX_CERTCREATEWITHNSSCERTFAILED); /* * We could mark this true at the top of this function, or * always below at "finish", but if the problem was just that * we could not find the signer's cert, leave that as if the * signature hasn't been checked. Maybe a subsequent call will * have better luck. */ signature->wasChecked = PR_TRUE; /* * We are about to verify the signer certificate; we need to * specify *when* that certificate must be valid -- for our * purposes we expect it to be valid when the response was * signed. The value of "producedAt" is the signing time. */ rv = DER_GeneralizedTimeToTime(&response->producedAt, &tbsData->producedAt); if (rv != SECSuccess) { PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); goto cleanup; } /* * We need producedAtDate and pkixSignerCert if we are calling a * user-supplied verification function. Let's put their * creation before the code that gets repeated when * non-blocking I/O is used. */ PKIX_CHECK( pkix_pl_Date_CreateFromPRTime((PRTime)response->producedAt, &(response->producedAtDate), plContext), PKIX_DATECREATEFROMPRTIMEFAILED); } /* * Just because we have a cert does not mean it is any good; check * it for validity, trust and usage. Use the caller-supplied * verification function, if one was supplied. */ if (ocsp_CertIsOCSPDefaultResponder(response->handle, response->signerCert)) { rv = SECSuccess; } else { SECCertUsage certUsage; if (CERT_IsCACert(response->signerCert, NULL)) { certUsage = certUsageAnyCA; } else { certUsage = certUsageStatusResponder; } PKIX_CHECK_ONLY_FATAL( pkix_pl_OcspResponse_VerifyResponse(response, procParams, certUsage, &state, &buildResult, &nbio, plContext), PKIX_CERTVERIFYKEYUSAGEFAILED); if (pkixTempErrorReceived) { rv = SECFailure; goto cleanup; } if (nbio != NULL) { *pNBIOContext = nbio; goto cleanup; } } rv = ocsp_VerifyResponseSignature(response->signerCert, signature, tbsResponseDataDER, NULL); cleanup: if (rv == SECSuccess) { *pPassed = PKIX_TRUE; } else { *pPassed = PKIX_FALSE; } if (signature) { if (signature->wasChecked) { signature->status = rv; } if (rv != SECSuccess) { signature->failureReason = PORT_GetError(); if (response->signerCert != NULL) { CERT_DestroyCertificate(response->signerCert); response->signerCert = NULL; } } else { /* Save signer's certificate in signature. */ signature->cert = CERT_DupCertificate(response->signerCert); } } if (issuerCert) CERT_DestroyCertificate(issuerCert); PKIX_RETURN(OCSPRESPONSE); }
static PKIX_Error * testDefaultCertStore(PKIX_ValidateParams *valParams, char *crlDir) { PKIX_PL_String *dirString = NULL; PKIX_CertStore *certStore = NULL; PKIX_ProcessingParams *procParams = NULL; PKIX_PL_Date *validity = NULL; PKIX_List *revCheckers = NULL; PKIX_RevocationChecker *ocspChecker = NULL; PKIX_TEST_STD_VARS(); subTest("PKIX_PL_CollectionCertStoreContext_Create"); /* Create CollectionCertStore */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create (PKIX_ESCASCII, crlDir, 0, &dirString, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create (dirString, &certStore, plContext)); /* Create CertStore */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams (valParams, &procParams, plContext)); subTest("PKIX_ProcessingParams_AddCertStore"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore (procParams, certStore, plContext)); subTest("PKIX_ProcessingParams_SetRevocationEnabled"); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled (procParams, PKIX_TRUE, plContext)); /* create current Date */ PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime (PR_Now(), &validity, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext)); /* create revChecker */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_Initialize (validity, NULL, /* pwArg */ NULL, /* Use default responder */ &ocspChecker, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem (revCheckers, (PKIX_PL_Object *)ocspChecker, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers (procParams, revCheckers, plContext)); cleanup: PKIX_TEST_DECREF_AC(dirString); PKIX_TEST_DECREF_AC(procParams); PKIX_TEST_DECREF_AC(certStore); PKIX_TEST_DECREF_AC(revCheckers); PKIX_TEST_DECREF_AC(ocspChecker); PKIX_TEST_RETURN(); return (0); }