/security/nss/cmd/libpkix/sample_apps/validate_chain.c


  1. /* ***** BEGIN LICENSE BLOCK *****
  2. * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  3. *
  4. * The contents of this file are subject to the Mozilla Public License Version
  5. * 1.1 (the "License"); you may not use this file except in compliance with
  6. * the License. You may obtain a copy of the License at
  7. * http://www.mozilla.org/MPL/
  8. *
  9. * Software distributed under the License is distributed on an "AS IS" basis,
  10. * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  11. * for the specific language governing rights and limitations under the
  12. * License.
  13. *
  14. * The Original Code is the PKIX-C library.
  15. *
  16. * The Initial Developer of the Original Code is
  17. * Sun Microsystems, Inc.
  18. * Portions created by the Initial Developer are
  19. * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
  20. *
  21. * Contributor(s):
  22. * Sun Microsystems, Inc.
  23. *
  24. * Alternatively, the contents of this file may be used under the terms of
  25. * either the GNU General Public License Version 2 or later (the "GPL"), or
  26. * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  27. * in which case the provisions of the GPL or the LGPL are applicable instead
  28. * of those above. If you wish to allow use of your version of this file only
  29. * under the terms of either the GPL or the LGPL, and not to allow others to
  30. * use your version of this file under the terms of the MPL, indicate your
  31. * decision by deleting the provisions above and replace them with the notice
  32. * and other provisions required by the GPL or the LGPL. If you do not delete
  33. * the provisions above, a recipient may use your version of this file under
  34. * the terms of any one of the MPL, the GPL or the LGPL.
  35. *
  36. * ***** END LICENSE BLOCK ***** */
  37. /*
  38. * validateChain.c
  39. *
  40. * Tests Cert Chain Validation
  41. *
  42. */
  43. #include <stdio.h>
  44. #include <string.h>
  45. #include <stddef.h>
  46. #include "pkix_pl_generalname.h"
  47. #include "pkix_pl_cert.h"
  48. #include "pkix.h"
  49. #include "testutil.h"
  50. #include "prlong.h"
  51. #include "plstr.h"
  52. #include "prthread.h"
  53. #include "nspr.h"
  54. #include "prtypes.h"
  55. #include "prtime.h"
  56. #include "pk11func.h"
  57. #include "secasn1.h"
  58. #include "cert.h"
  59. #include "cryptohi.h"
  60. #include "secoid.h"
  61. #include "certdb.h"
  62. #include "secitem.h"
  63. #include "keythi.h"
  64. #include "nss.h"
/* Platform context threaded through every PKIX call in this file.  It is
 * created by PKIX_PL_NssContext_Create() and released by PKIX_Shutdown()
 * in validate_chain(); createCert() relies on it being set by then. */
static void *plContext = NULL;
/* Print the command-line synopsis of the validateChain sample to stdout. */
static void
printUsage(void)
{
    static const char usage[] =
        "\nUSAGE:\tvalidateChain <trustedCert> <cert_1> <cert_2> ... <cert_n>\n"
        "\tValidates a chain of n certificates using the given trust anchor.\n";

    (void) fputs(usage, stdout);
}
/*
 * Read a DER-encoded certificate from inFileName and wrap it in a
 * PKIX_PL_Cert.
 *
 * @param inFileName  path of the DER file to read
 * @return a new cert (the caller owns the reference) or NULL when the file
 *         cannot be opened, the DER cannot be read, or either PKIX object
 *         creation fails.  Failures are reported through the PKIX_TEST_*
 *         machinery (pkixTestErrorMsg / PKIX_TEST_RETURN).
 */
static PKIX_PL_Cert *
createCert(char *inFileName)
{
    PKIX_PL_Cert *result = NULL;        /* stays NULL unless every step succeeds */
    PKIX_PL_ByteArray *derBytes = NULL;
    PRFileDesc *fd = NULL;
    SECItem certDER;
    PKIX_TEST_STD_VARS();

    certDER.data = NULL;                /* so the error path can free it unconditionally */

    fd = PR_Open(inFileName, PR_RDONLY, 0);
    if (fd == NULL) {
        pkixTestErrorMsg = "Unable to open cert file";
        goto cleanup;
    }

    /* SECU_ReadDERFromFile reports success as 0 (SECSuccess) */
    if (SECU_ReadDERFromFile(&certDER, fd, PR_FALSE) != 0) {
        pkixTestErrorMsg = "Unable to read DER from cert file";
        goto cleanup;
    }

    /* both calls jump to cleanup on error via PKIX_TEST_EXPECT_NO_ERROR */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create
        ((void *)certDER.data, certDER.len, &derBytes, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create
        (derBytes, &result, plContext));

    /* PR_FALSE: release only the DER buffer, certDER itself lives on the stack */
    SECITEM_FreeItem(&certDER, PR_FALSE);

cleanup:
    if (fd != NULL) {
        PR_Close(fd);
    }
    /* on the success path the buffer was already released above */
    if (PKIX_TEST_ERROR_RECEIVED) {
        SECITEM_FreeItem(&certDER, PR_FALSE);
    }
    PKIX_TEST_DECREF_AC(derBytes);
    PKIX_TEST_RETURN();
    return result;
}
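/*
 * Validate a certificate chain against a single trust anchor.
 *
 * argv[1] names the trust anchor's DER file and argv[2..argc-1] the chain
 * certificates, each read with createCert().  The outcome is reported on
 * stdout: "SUCCESSFULLY VALIDATED" when PKIX_ValidateChain produces a
 * result, otherwise "FAILED TO VALIDATE" followed by the verify tree when
 * one is available.
 *
 * @param argc  argument count; fewer than 3 prints the usage and returns
 * @param argv  program name, anchor file, then the chain files in order
 * @return 0 in every case, including usage errors and failed validation.
 *         NOTE(review): a caller that only checks this value cannot tell a
 *         failed validation from a successful one — the result is on stdout.
 */
int validate_chain(int argc, char *argv[])
{
    PKIX_TrustAnchor *anchor = NULL;
    PKIX_List *anchors = NULL;
    PKIX_List *certs = NULL;
    PKIX_ProcessingParams *procParams = NULL;
    PKIX_ValidateParams *valParams = NULL;
    PKIX_ValidateResult *valResult = NULL;
    PKIX_PL_X500Name *subject = NULL;
    PKIX_ComCertSelParams *certSelParams = NULL;
    PKIX_CertSelector *certSelector = NULL;
    PKIX_VerifyNode *verifyTree = NULL;
    PKIX_PL_String *verifyString = NULL;
    PKIX_PL_Cert *trustedCert = NULL;
    PKIX_PL_Cert *chainCert = NULL;
    PKIX_UInt32 chainLength = 0;
    PKIX_UInt32 i = 0;
    PKIX_TEST_STD_VARS();

    if (argc < 3) {
        printUsage();
        return (0);
    }

    PKIX_TEST_EXPECT_NO_ERROR(
        PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));

    /* argv[0] is the program, argv[1] the anchor; everything after is the chain */
    chainLength = argc - 2;

    /* create processing params with list of trust anchors */
    trustedCert = createCert(argv[1]);
    if (trustedCert == NULL) {
        /* createCert has already printed the cause; stop here rather than
         * hand a NULL cert to the PKIX API */
        pkixTestErrorMsg = "Unable to create trust anchor cert";
        goto cleanup;
    }
    PKIX_TEST_EXPECT_NO_ERROR
        (PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext));

    PKIX_TEST_EXPECT_NO_ERROR
        (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
#if 0
    /* left disabled in the original: enabling this would constrain the
     * target cert to the anchor's subject */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject
        (certSelParams, subject, plContext));
#endif
    PKIX_TEST_EXPECT_NO_ERROR
        (PKIX_CertSelector_Create
        (NULL, NULL, &certSelector, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
        (certSelector, certSelParams, plContext));
    PKIX_TEST_DECREF_BC(subject); subject = NULL;
    PKIX_TEST_DECREF_BC(certSelParams); certSelParams = NULL;

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
        (trustedCert, &anchor, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
    PKIX_TEST_EXPECT_NO_ERROR
        (PKIX_List_AppendItem
        (anchors, (PKIX_PL_Object *)anchor, plContext));

    /* NOTE(review): no validity date or revocation checker is configured here,
     * so validation runs with whatever PKIX_ProcessingParams defaults to —
     * confirm that is acceptable before reusing this outside the sample. */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
        (anchors, &procParams, plContext));
    PKIX_TEST_EXPECT_NO_ERROR
        (PKIX_ProcessingParams_SetTargetCertConstraints
        (procParams, certSelector, plContext));
    PKIX_TEST_DECREF_BC(certSelector); certSelector = NULL;

    /* create cert chain */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
    for (i = 0; i < chainLength; i++) {
        chainCert = createCert(argv[i + 2]);
        if (chainCert == NULL) {
            /* never append a NULL entry to the chain */
            pkixTestErrorMsg = "Unable to create chain cert";
            goto cleanup;
        }
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
            (certs,
            (PKIX_PL_Object *)chainCert,
            plContext));
        PKIX_TEST_DECREF_BC(chainCert);
        chainCert = NULL;
    }

    /* create validate params with processing params and cert chain */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create
        (procParams, certs, &valParams, plContext));
    PKIX_TEST_DECREF_BC(trustedCert); trustedCert = NULL;
    PKIX_TEST_DECREF_BC(anchor); anchor = NULL;
    PKIX_TEST_DECREF_BC(anchors); anchors = NULL;
    PKIX_TEST_DECREF_BC(certs); certs = NULL;
    PKIX_TEST_DECREF_BC(procParams); procParams = NULL;

    /* validate cert chain using processing params and return valResult */
    PKIX_TEST_EXPECT_NO_ERROR
        (PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext));

    if (valResult != NULL) {
        (void) printf("SUCCESSFULLY VALIDATED\n");
    }

cleanup:
    if (PKIX_TEST_ERROR_RECEIVED) {
        (void) printf("FAILED TO VALIDATE\n");
        /* verifyTree is only populated by PKIX_ValidateChain; an earlier
         * failure (unreadable file, bad DER, ...) leaves it NULL, ToString
         * then fails and verifyString stays NULL, so both are guarded before
         * the string is dereferenced. */
        if (verifyTree != NULL) {
            (void) PKIX_PL_Object_ToString
                ((PKIX_PL_Object *)verifyTree, &verifyString, plContext);
        }
        if (verifyString != NULL) {
            (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
        }
        PKIX_TEST_DECREF_AC(verifyString);
    }

    /* release whatever an early exit left behind; all of these are NULL on
     * the success path because each DECREF_BC above is followed by = NULL */
    PKIX_TEST_DECREF_AC(chainCert);
    PKIX_TEST_DECREF_AC(subject);
    PKIX_TEST_DECREF_AC(certSelParams);
    PKIX_TEST_DECREF_AC(certSelector);
    PKIX_TEST_DECREF_AC(trustedCert);
    PKIX_TEST_DECREF_AC(anchor);
    PKIX_TEST_DECREF_AC(anchors);
    PKIX_TEST_DECREF_AC(certs);
    PKIX_TEST_DECREF_AC(procParams);

    PKIX_TEST_DECREF_AC(verifyTree);
    PKIX_TEST_DECREF_AC(valResult);
    PKIX_TEST_DECREF_AC(valParams);

    PKIX_TEST_RETURN();

    PKIX_Shutdown(plContext);

    return (0);
}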