/security/nss/cmd/libpkix/sample_apps/validate_chain.c
C | 267 lines | 169 code | 51 blank | 47 comment | 11 complexity | ef2407d4fdc23986b696d66cc67b65ac MD5 | raw file
1/* ***** BEGIN LICENSE BLOCK ***** 2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 3 * 4 * The contents of this file are subject to the Mozilla Public License Version 5 * 1.1 (the "License"); you may not use this file except in compliance with 6 * the License. You may obtain a copy of the License at 7 * http://www.mozilla.org/MPL/ 8 * 9 * Software distributed under the License is distributed on an "AS IS" basis, 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License 11 * for the specific language governing rights and limitations under the 12 * License. 13 * 14 * The Original Code is the PKIX-C library. 15 * 16 * The Initial Developer of the Original Code is 17 * Sun Microsystems, Inc. 18 * Portions created by the Initial Developer are 19 * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved. 20 * 21 * Contributor(s): 22 * Sun Microsystems, Inc. 23 * 24 * Alternatively, the contents of this file may be used under the terms of 25 * either the GNU General Public License Version 2 or later (the "GPL"), or 26 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), 27 * in which case the provisions of the GPL or the LGPL are applicable instead 28 * of those above. If you wish to allow use of your version of this file only 29 * under the terms of either the GPL or the LGPL, and not to allow others to 30 * use your version of this file under the terms of the MPL, indicate your 31 * decision by deleting the provisions above and replace them with the notice 32 * and other provisions required by the GPL or the LGPL. If you do not delete 33 * the provisions above, a recipient may use your version of this file under 34 * the terms of any one of the MPL, the GPL or the LGPL. 35 * 36 * ***** END LICENSE BLOCK ***** */ 37/* 38 * validateChain.c 39 * 40 * Tests Cert Chain Validation 41 * 42 */ 43 44#include <stdio.h> 45#include <string.h> 46#include <stddef.h> 47 48#include "pkix_pl_generalname.h" 49#include "pkix_pl_cert.h" 50#include "pkix.h" 51#include "testutil.h" 52#include "prlong.h" 53#include "plstr.h" 54#include "prthread.h" 55#include "nspr.h" 56#include "prtypes.h" 57#include "prtime.h" 58#include "pk11func.h" 59#include "secasn1.h" 60#include "cert.h" 61#include "cryptohi.h" 62#include "secoid.h" 63#include "certdb.h" 64#include "secitem.h" 65#include "keythi.h" 66#include "nss.h" 67 68static void *plContext = NULL; 69 70static 71void printUsage(void){ 72 (void) printf("\nUSAGE:\tvalidateChain <trustedCert> " 73 "<cert_1> <cert_2> ... <cert_n>\n"); 74 (void) printf("\tValidates a chain of n certificates " 75 "using the given trust anchor.\n"); 76 77} 78 79static PKIX_PL_Cert * 80createCert(char *inFileName) 81{ 82 PKIX_PL_ByteArray *byteArray = NULL; 83 void *buf = NULL; 84 PRFileDesc *inFile = NULL; 85 PKIX_UInt32 len; 86 SECItem certDER; 87 SECStatus rv; 88 /* default: NULL cert (failure case) */ 89 PKIX_PL_Cert *cert = NULL; 90 91 PKIX_TEST_STD_VARS(); 92 93 certDER.data = NULL; 94 95 inFile = PR_Open(inFileName, PR_RDONLY, 0); 96 97 if (!inFile){ 98 pkixTestErrorMsg = "Unable to open cert file"; 99 goto cleanup; 100 } else { 101 rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE); 102 if (!rv){ 103 buf = (void *)certDER.data; 104 len = certDER.len; 105 106 PKIX_TEST_EXPECT_NO_ERROR 107 (PKIX_PL_ByteArray_Create 108 (buf, len, &byteArray, plContext)); 109 110 PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create 111 (byteArray, &cert, plContext)); 112 113 SECITEM_FreeItem(&certDER, PR_FALSE); 114 } else { 115 pkixTestErrorMsg = "Unable to read DER from cert file"; 116 goto cleanup; 117 } 118 } 119 120cleanup: 121 122 if (inFile){ 123 PR_Close(inFile); 124 } 125 126 if (PKIX_TEST_ERROR_RECEIVED){ 127 SECITEM_FreeItem(&certDER, PR_FALSE); 128 } 129 130 PKIX_TEST_DECREF_AC(byteArray); 131 132 PKIX_TEST_RETURN(); 133 134 return (cert); 135} 136 137int validate_chain(int argc, char *argv[]) 138{ 139 PKIX_TrustAnchor *anchor = NULL; 140 PKIX_List *anchors = NULL; 141 PKIX_List *certs = NULL; 142 PKIX_ProcessingParams *procParams = NULL; 143 PKIX_ValidateParams *valParams = NULL; 144 PKIX_ValidateResult *valResult = NULL; 145 PKIX_PL_X500Name *subject = NULL; 146 PKIX_ComCertSelParams *certSelParams = NULL; 147 PKIX_CertSelector *certSelector = NULL; 148 PKIX_VerifyNode *verifyTree = NULL; 149 PKIX_PL_String *verifyString = NULL; 150 151 char *trustedCertFile = NULL; 152 char *chainCertFile = NULL; 153 PKIX_PL_Cert *trustedCert = NULL; 154 PKIX_PL_Cert *chainCert = NULL; 155 PKIX_UInt32 chainLength = 0; 156 PKIX_UInt32 i = 0; 157 PKIX_UInt32 j = 0; 158 PKIX_UInt32 actualMinorVersion; 159 160 PKIX_TEST_STD_VARS(); 161 162 if (argc < 3){ 163 printUsage(); 164 return (0); 165 } 166 167 PKIX_TEST_EXPECT_NO_ERROR( 168 PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext)); 169 170 chainLength = (argc - j) - 2; 171 172 /* create processing params with list of trust anchors */ 173 trustedCertFile = argv[1+j]; 174 trustedCert = createCert(trustedCertFile); 175 176 PKIX_TEST_EXPECT_NO_ERROR 177 (PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext)); 178 179 PKIX_TEST_EXPECT_NO_ERROR 180 (PKIX_ComCertSelParams_Create(&certSelParams, plContext)); 181 182#if 0 183 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject 184 (certSelParams, subject, plContext)); 185#endif 186 187 PKIX_TEST_EXPECT_NO_ERROR 188 (PKIX_CertSelector_Create 189 (NULL, NULL, &certSelector, plContext)); 190 191 PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams 192 (certSelector, certSelParams, plContext)); 193 194 PKIX_TEST_DECREF_BC(subject); 195 PKIX_TEST_DECREF_BC(certSelParams); 196 197 PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert 198 (trustedCert, &anchor, plContext)); 199 200 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext)); 201 PKIX_TEST_EXPECT_NO_ERROR 202 (PKIX_List_AppendItem 203 (anchors, (PKIX_PL_Object *)anchor, plContext)); 204 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create 205 (anchors, &procParams, plContext)); 206 207 PKIX_TEST_EXPECT_NO_ERROR 208 (PKIX_ProcessingParams_SetTargetCertConstraints 209 (procParams, certSelector, plContext)); 210 211 PKIX_TEST_DECREF_BC(certSelector); 212 213 /* create cert chain */ 214 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext)); 215 for (i = 0; i < chainLength; i++){ 216 chainCertFile = argv[(i + j) + 2]; 217 chainCert = createCert(chainCertFile); 218 219 PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem 220 (certs, 221 (PKIX_PL_Object *)chainCert, 222 plContext)); 223 224 PKIX_TEST_DECREF_BC(chainCert); 225 chainCert = NULL; 226 } 227 /* create validate params with processing params and cert chain */ 228 PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create 229 (procParams, certs, &valParams, plContext)); 230 231 PKIX_TEST_DECREF_BC(trustedCert); trustedCert = NULL; 232 PKIX_TEST_DECREF_BC(anchor); anchor = NULL; 233 PKIX_TEST_DECREF_BC(anchors); anchors = NULL; 234 PKIX_TEST_DECREF_BC(certs); certs = NULL; 235 PKIX_TEST_DECREF_BC(procParams); procParams = NULL; 236 237 /* validate cert chain using processing params and return valResult */ 238 239 PKIX_TEST_EXPECT_NO_ERROR 240 (PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext)); 241 242 if (valResult != NULL){ 243 (void) printf("SUCCESSFULLY VALIDATED\n"); 244 } 245 246cleanup: 247 248 if (PKIX_TEST_ERROR_RECEIVED){ 249 (void) printf("FAILED TO VALIDATE\n"); 250 (void) PKIX_PL_Object_ToString 251 ((PKIX_PL_Object*)verifyTree, &verifyString, plContext); 252 (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString); 253 PKIX_TEST_DECREF_AC(verifyString); 254 255 } 256 257 PKIX_TEST_DECREF_AC(verifyTree); 258 PKIX_TEST_DECREF_AC(valResult); 259 PKIX_TEST_DECREF_AC(valParams); 260 261 PKIX_TEST_RETURN(); 262 263 PKIX_Shutdown(plContext); 264 265 return (0); 266 267}