tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

index.rst (1800B)


.. _mozilla_projects_nss_certverify_log:

NSS CERTVerify Log
==================

`CERTVerifyLog <#certverifylog>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

  All the NSS verify functions, except the \*VerifyNow() functions, take a parameter called
  'CERTVerifyLog'. If you supply the log parameter, NSS continues chain validation after each
  error instead of stopping at the first one. The log tells you what the problem was with the chain
  and which certificate in the chain failed.

  To create a log:

  .. code::

     #include "plarena.h"
     #include "secport.h"
     #include "certt.h"

     PLArenaPool *arena;
     CERTVerifyLog *log;

     /* the log and every node NSS adds to it live in this one arena */
     arena = PORT_NewArena(512);
     /* PORT_ArenaZNew takes the type to allocate, not a variable */
     log = PORT_ArenaZNew(arena, CERTVerifyLog);
     log->arena = arena;

  You can then pass this log into your favorite cert verify function. On return:

  -  log->count is the number of entries;
  -  log->head is the first entry;
  -  log->tail is the last entry.

  Each entry is a CERTVerifyLogNode, defined in certt.h:

  .. code::

     /*
      * This structure is used to keep a log of errors when verifying
      * a cert chain.  This allows multiple errors to be reported all at
      * once.
      */
     struct CERTVerifyLogNodeStr {
       CERTCertificate *cert;      /* what cert had the error */
       long error;                 /* what error was it? */
       unsigned int depth;         /* how far up the chain are we */
       void *arg;                  /* error specific argument */
       struct CERTVerifyLogNodeStr *next; /* next in the list */
       struct CERTVerifyLogNodeStr *prev; /* previous in the list */
     };

  The list is a doubly linked, NULL-terminated list sorted from low to high based on depth into the
  cert chain. When you are through, you will need to walk the list and free all the cert entries
  (each node holds its own reference to its certificate), then free the arena.