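/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * validateChain.c
 *
 * Tests Cert Chain Validation
 *
 * Builds a trust-anchor list from argv[1], a candidate chain from
 * argv[2..argc-1], and runs PKIX_ValidateChain over them. On failure the
 * verify tree is printed so the rejection reason is visible in the log.
 */

#include <stdio.h>
#include <string.h>
#include <stddef.h>

#include "pkix_pl_generalname.h"
#include "pkix_pl_cert.h"
#include "pkix.h"
#include "testutil.h"
#include "prlong.h"
#include "plstr.h"
#include "prthread.h"
#include "nspr.h"
#include "prtypes.h"
#include "prtime.h"
#include "pk11func.h"
#include "secasn1.h"
#include "cert.h"
#include "cryptohi.h"
#include "secoid.h"
#include "certdb.h"
#include "secitem.h"
#include "keythi.h"
#include "nss.h"

/* libpkix platform context; created in validate_chain(), used by every
 * PKIX_* call in this file (including the testutil macros). */
static void *plContext = NULL;

/* Print the command-line synopsis for this test. */
static void
printUsage(void)
{
    (void)printf("\nUSAGE:\tvalidateChain <trustedCert> "
                 "<cert_1> <cert_2> ... <cert_n>\n");
    (void)printf("\tValidates a chain of n certificates "
                 "using the given trust anchor.\n");
}

/*
 * Read a DER-encoded certificate from inFileName and wrap it in a
 * PKIX_PL_Cert.
 *
 * Returns a new reference to the cert (caller must DecRef it), or NULL if
 * the file could not be opened, could not be parsed as DER, or the PKIX
 * object could not be created. Errors are reported through
 * PKIX_TEST_RETURN() before returning, so the caller only sees NULL.
 */
static PKIX_PL_Cert *
createCert(char *inFileName)
{
    PKIX_PL_ByteArray *byteArray = NULL;
    PRFileDesc *inFile = NULL;
    SECItem certDER;
    SECStatus rv;
    /* default: NULL cert (failure case) */
    PKIX_PL_Cert *cert = NULL;

    PKIX_TEST_STD_VARS();

    /* Keep the item in a state SECITEM_FreeItem can handle on every path. */
    certDER.data = NULL;
    certDER.len = 0;

    inFile = PR_Open(inFileName, PR_RDONLY, 0);
    if (!inFile) {
        pkixTestErrorMsg = "Unable to open cert file";
        goto cleanup;
    }

    rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
    if (rv != SECSuccess) {
        pkixTestErrorMsg = "Unable to read DER from cert file";
        goto cleanup;
    }

    /* The byte array takes its own copy, so certDER can be released in
     * cleanup regardless of whether the cert object was created. */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create(certDER.data, certDER.len,
                                                       &byteArray, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create(byteArray, &cert, plContext));

cleanup:

    if (inFile) {
        PR_Close(inFile);
    }

    /* Safe with certDER.data == NULL (the open/read failure paths). */
    SECITEM_FreeItem(&certDER, PR_FALSE);

    PKIX_TEST_DECREF_AC(byteArray);

    PKIX_TEST_RETURN();

    return (cert);
}

/*
 * Test entry point.
 *
 * argv[1] names the trust anchor, argv[2..argc-1] name the chain to be
 * validated (in order). Prints "SUCCESSFULLY VALIDATED" or
 * "FAILED TO VALIDATE" followed by the verify tree. The return value is
 * always 0 (usage errors included); the outcome is conveyed by the printed
 * text and by the testutil error reporting, as in the rest of this suite.
 */
int
validate_chain(int argc, char *argv[])
{
    PKIX_TrustAnchor *anchor = NULL;
    PKIX_List *anchors = NULL;
    PKIX_List *certs = NULL;
    PKIX_ProcessingParams *procParams = NULL;
    PKIX_ValidateParams *valParams = NULL;
    PKIX_ValidateResult *valResult = NULL;
    PKIX_PL_X500Name *subject = NULL;
    PKIX_ComCertSelParams *certSelParams = NULL;
    PKIX_CertSelector *certSelector = NULL;
    PKIX_VerifyNode *verifyTree = NULL;
    PKIX_PL_String *verifyString = NULL;

    PKIX_PL_Cert *trustedCert = NULL;
    PKIX_PL_Cert *chainCert = NULL;
    PKIX_UInt32 chainLength = 0;
    PKIX_UInt32 i = 0;

    PKIX_TEST_STD_VARS();

    if (argc < 3) {
        printUsage();
        return (0);
    }

    PKIX_TEST_EXPECT_NO_ERROR(
        PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));

    /* argv[0] is the program, argv[1] the anchor; everything after is chain. */
    chainLength = (PKIX_UInt32)(argc - 2);

    /* create processing params with list of trust anchors */
    trustedCert = createCert(argv[1]);
    if (trustedCert == NULL) {
        /* createCert already reported the underlying cause; stop here
         * rather than feeding a NULL cert into the selector/anchor setup. */
        pkixTestErrorMsg = "Unable to create trust anchor cert";
        goto cleanup;
    }

    /* The anchor's subject is fetched but not applied as a target-cert
     * constraint (that SetSubject call was disabled in the original). */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create(&certSelParams, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext));

    PKIX_TEST_DECREF_BC(subject);
    PKIX_TEST_DECREF_BC(certSelParams);

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert(trustedCert, &anchor, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create(anchors, &procParams, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext));

    PKIX_TEST_DECREF_BC(certSelector);

    /* create cert chain */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
    for (i = 0; i < chainLength; i++) {
        chainCert = createCert(argv[i + 2]);
        if (chainCert == NULL) {
            pkixTestErrorMsg = "Unable to create chain cert";
            goto cleanup;
        }

        /* The list holds its own reference; drop ours right away. */
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(certs,
                                                       (PKIX_PL_Object *)chainCert,
                                                       plContext));

        PKIX_TEST_DECREF_BC(chainCert);
        chainCert = NULL;
    }

    /* create validate params with processing params and cert chain */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create(procParams, certs, &valParams, plContext));

    /* valParams now owns references to everything it needs. */
    PKIX_TEST_DECREF_BC(trustedCert);
    trustedCert = NULL;
    PKIX_TEST_DECREF_BC(anchor);
    anchor = NULL;
    PKIX_TEST_DECREF_BC(anchors);
    anchors = NULL;
    PKIX_TEST_DECREF_BC(certs);
    certs = NULL;
    PKIX_TEST_DECREF_BC(procParams);
    procParams = NULL;

    /* validate cert chain using processing params and return valResult */

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext));

    if (valResult != NULL) {
        (void)printf("SUCCESSFULLY VALIDATED\n");
    }

cleanup:

    if (PKIX_TEST_ERROR_RECEIVED) {
        (void)printf("FAILED TO VALIDATE\n");
        /* verifyTree is only produced by PKIX_ValidateChain; a failure
         * earlier in setup (unreadable file, bad DER, ...) leaves it NULL,
         * and ToString may itself fail and leave verifyString NULL, so
         * guard both before dereferencing escAsciiString. */
        if (verifyTree != NULL) {
            (void)PKIX_PL_Object_ToString((PKIX_PL_Object *)verifyTree, &verifyString, plContext);
            if (verifyString != NULL) {
                (void)printf("verifyTree is\n%s\n", verifyString->escAsciiString);
            }
        }
        PKIX_TEST_DECREF_AC(verifyString);
    }

    /* Release whatever an early exit left behind; the BC macros above may
     * not have run on the error path. */
    PKIX_TEST_DECREF_AC(chainCert);
    PKIX_TEST_DECREF_AC(trustedCert);
    PKIX_TEST_DECREF_AC(anchor);
    PKIX_TEST_DECREF_AC(anchors);
    PKIX_TEST_DECREF_AC(certs);
    PKIX_TEST_DECREF_AC(procParams);
    PKIX_TEST_DECREF_AC(certSelector);
    PKIX_TEST_DECREF_AC(certSelParams);
    PKIX_TEST_DECREF_AC(subject);
    PKIX_TEST_DECREF_AC(verifyTree);
    PKIX_TEST_DECREF_AC(valResult);
    PKIX_TEST_DECREF_AC(valParams);

    /* Report any recorded error before the context is torn down. */
    PKIX_TEST_RETURN();

    PKIX_Shutdown(plContext);

    return (0);
}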