author | alexei.volkov.bugs%sun.com <devnull@localhost> | 2008-03-27 21:56:25 +0000 |
committer | alexei.volkov.bugs%sun.com <devnull@localhost> | 2008-03-27 21:56:25 +0000 |
commit | 98e07d1dc7aa409f68129458c16cd088660baf69 (patch) | |
tree | a6b50f7336dd0be1e70a674cfcde56b04edad877 | |
parent | ad1864497a47cd243e4b4cf3677ea8a452e8a9c2 (diff) | |
download | nss-hg-98e07d1dc7aa409f68129458c16cd088660baf69.tar.gz |
412468 - modify certutil, vfychain and vfyserv utilities to use CERT_PKIXVerifyCert function. r=nelson
-rw-r--r-- | security/nss/cmd/vfychain/vfychain.c | 25 | ||||
-rw-r--r-- | security/nss/lib/certdb/certt.h | 12 | ||||
-rw-r--r-- | security/nss/lib/certhigh/certvfypkix.c | 19 |
3 files changed, 46 insertions, 10 deletions
diff --git a/security/nss/cmd/vfychain/vfychain.c b/security/nss/cmd/vfychain/vfychain.c index bf3794d0b..ebb4b45cf 100644 --- a/security/nss/cmd/vfychain/vfychain.c +++ b/security/nss/cmd/vfychain/vfychain.c @@ -283,6 +283,7 @@ main(int argc, char *argv[], char *envp[]) int rv = 1; int usage; CERTVerifyLog log; + CERTCertList *builtChain = NULL; PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); @@ -374,7 +375,7 @@ breakout: &log, /* error log */ NULL);/* returned usages */ } else do { - CERTValOutParam cvout[3]; + CERTValOutParam cvout[4]; CERTValInParam cvin[5]; SECOidTag oidTag; int inParamIndex = 0; @@ -453,13 +454,14 @@ breakout: cvin[inParamIndex].type = cert_pi_end; cvout[0].type = cert_po_trustAnchor; + cvout[1].type = cert_po_certList; /* setting pointer to CERTVerifyLog. Initialized structure * will be used CERT_PKIXVerifyCert */ - cvout[1].type = cert_po_errorLog; - cvout[1].value.pointer.log = &log; + cvout[2].type = cert_po_errorLog; + cvout[2].value.pointer.log = &log; - cvout[2].type = cert_po_end; + cvout[3].type = cert_po_end; secStatus = CERT_PKIXVerifyCert(firstCert, certUsage, cvin, cvout, NULL); @@ -467,6 +469,7 @@ breakout: break; } issuerCert = cvout[0].value.pointer.cert; + builtChain = cvout[1].value.pointer.chain; } while (0); /* Display validation results */ @@ -498,6 +501,20 @@ breakout: } CERT_DestroyCertificate(issuerCert); } + if (builtChain) { + CERTCertListNode *node; + int count = 0; + char buff[256]; + + if (verbose) { + for(node = CERT_LIST_HEAD(builtChain); !CERT_LIST_END(node, builtChain); + node = CERT_LIST_NEXT(node), count++ ) { + sprintf(buff, "Certificate %d Subject", count + 1); + SECU_PrintName(stdout, &node->cert->subject, buff, 0); + } + } + CERT_DestroyCertList(builtChain); + } rv = 0; } diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h index 4ccbcde67..dc321f1dc 100644 --- a/security/nss/lib/certdb/certt.h +++ b/security/nss/lib/certdb/certt.h 
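Review bot: In the cvout hunk, cvout[1].value.pointer.chain is never initialized before CERT_PKIXVerifyCert is called; cvout is an automatic array, so until the library writes the slot it holds stack garbage. The cleanup comment added to certvfypkix.c in this same commit says output params are not destroyed when verification fails, so the only party that could ever release a chain or anchor filled before a later failure is this caller, and it can only do that safely if the pointers started out NULL. Add `cvout[1].value.pointer.chain = NULL;` beside the type assignment and do the same for `cvout[0].value.pointer.cert`. The enclosing do/while body starts before this hunk.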
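Review bot: The sprintf into the fixed buff[256] in the verbose loop should be a bounded formatter; the only formatted value is an int, so it cannot overflow today, but the unbounded call is exactly the pattern a later edit turns into a stack overflow, and NSPR's PR_snprintf is already available to a tool that calls PR_Init. Use `PR_snprintf(buff, sizeof buff, "Certificate %d Subject", count + 1);`. Note also that builtChain is only assigned on the success path (the `break` in the previous hunk runs first on failure), so this block never frees a chain the library may have filled before failing; that matches the library's current behaviour but deserves a one-line comment on the `if (builtChain)` line. The enclosing block starts before this hunk.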
@@ -1180,7 +1180,7 @@ typedef struct CERTValParamInValueStr {
 const void* p;
 const char* s;
 const CERTCertificate* cert;
- const CERTCertList *chain;
+ const CERTCertList *chain;
 const CERTRevocationFlags *revocation;
 } pointer;
 union {
@@ -1188,7 +1188,7 @@ typedef struct CERTValParamInValueStr {
 const PRUint32 *pui;
 const PRInt64 *pl;
 const PRUint64 *pul;
- const SECOidTag *oids;
+ const SECOidTag *oids;
 } array;
 int arraySize;
 } CERTValParamInValue;
@@ -1206,13 +1206,13 @@ typedef struct CERTValParamOutValueStr {
 union {
 void* p;
 char* s;
- CERTVerifyLog *log;
+ CERTVerifyLog *log;
 CERTCertificate* cert;
- CERTCertList *chain;
+ CERTCertList *chain;
 } pointer;
 union {
- void *p;
- SECOidTag *oids;
+ void *p;
+ SECOidTag *oids;
 } array;
 int arraySize;
 } CERTValParamOutValue;
diff --git a/security/nss/lib/certhigh/certvfypkix.c b/security/nss/lib/certhigh/certvfypkix.c
index 705d9ef25..dfca700b2 100644
--- a/security/nss/lib/certhigh/certvfypkix.c
+++ b/security/nss/lib/certhigh/certvfypkix.c
@@ -2004,6 +2004,7 @@ SECStatus CERT_PKIXVerifyCert(
 PKIX_VerifyNode * verifyNode = NULL;
 PKIX_TrustAnchor * trustAnchor = NULL;
 PKIX_PL_Cert * trustAnchorCert = NULL;
+ PKIX_List * builtCertList = NULL;
 CERTValOutParam * oparam = NULL;
 int i=0;
@@ -2138,6 +2139,20 @@ do {
 cert_NSSCertFromPKIXCert(trustAnchorCert,plContext);
 }
+ error = PKIX_BuildResult_GetCertChain( buildResult, &builtCertList,
+ plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
+
+ oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList);
+ if (oparam != NULL) {
+ error = cert_PkixToNssCertsChain(builtCertList,
+ &oparam->value.pointer.chain,
+ plContext);
+ if (error) goto cleanup;
+ }
+
 r = SECSuccess;
 cleanup:
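Review bot: In the @@ -2138 hunk PKIX_BuildResult_GetCertChain is called, and can now fail the whole verification, even when no caller asked for cert_po_certList; since the trust-anchor output appears to have been filled just above (cert_NSSCertFromPKIXCert), each new goto cleanup is a point where a caller that releases outputs only on SECSuccess, as vfychain does in this commit, leaks that certificate. Look the output param up first, fetch and convert the chain only when it is requested, and NULL the chain slot before filling it so a partially converted result is distinguishable from an untouched one. The `if (error) goto cleanup;` also differs from the `if (error != NULL) { goto cleanup; }` form a few lines earlier in the same hunk; use one form. The cleanup: label continues in the next hunk.
```c
    /* … unchanged: trust-anchor output param … */
    oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList);
    if (oparam != NULL) {
        /* Clear the slot first so cleanup can tell a filled output from an untouched one. */
        oparam->value.pointer.chain = NULL;
        error = PKIX_BuildResult_GetCertChain(buildResult, &builtCertList,
                                              plContext);
        if (error != NULL) {
            goto cleanup;
        }
        error = cert_PkixToNssCertsChain(builtCertList,
                                         &oparam->value.pointer.chain,
                                         plContext);
        if (error != NULL) {
            goto cleanup;
        }
    }

    r = SECSuccess;
```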
@@ -2176,12 +2191,16 @@ cleanup:
 if (certSelector != NULL)
 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
+ if (builtCertList != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext);
+
 if (error != NULL) {
 SECErrorCodes nssErrorCode = 0;
 cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
 PORT_SetError(nssErrorCode);
 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+ /* XXX Destroy output params in case of error. See bug 425516. */
 }
 PKIX_PL_NssContext_Destroy(plContext); |
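Review bot: The XXX comment added inside the `if (error != NULL)` block is the only handling of output params on failure, so a cert_po_certList chain that cert_PkixToNssCertsChain may have partially produced before returning an error, and any trust anchor stored earlier in the function, are left in the caller's CERTValOutParam array with no contract saying who frees them; vfychain in this commit reads cvout only on success, so in practice they leak. Until bug 425516 lands, this block could at least release what the function filled itself, but only if the slot was set to NULL before being filled, which the cleanup cannot assume for an uninitialized caller array. Once that precondition holds, the addition is `oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList); if (oparam != NULL && oparam->value.pointer.chain != NULL) { CERT_DestroyCertList(oparam->value.pointer.chain); oparam->value.pointer.chain = NULL; }` inside this block. The DecRef of builtCertList placed before the error block is correct as is, since the NSS copy does not share references with the PKIX list.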