author | kaie%kuix.de <devnull@localhost> | 2008-04-03 19:53:38 +0000 |
---|---|---|
committer | kaie%kuix.de <devnull@localhost> | 2008-04-03 19:53:38 +0000 |
commit | d0a806080e4f57caad45f970dbba670b37d903df (patch) | |
tree | 0f70c32952b22eadee6f4e1072372a3e7add3bd7 | |
parent | 85e0490e5d31c8d2150eaa73cdee0c4ca0aa4214 (diff) | |
download | nss-hg-d0a806080e4f57caad45f970dbba670b37d903df.tar.gz |
Bug 425801, vfychain: Add support for OCSP checking
r=nelson
-rw-r--r-- | security/nss/cmd/vfychain/vfychain.c | 50 |
1 files changed, 46 insertions, 4 deletions
diff --git a/security/nss/cmd/vfychain/vfychain.c b/security/nss/cmd/vfychain/vfychain.c index ebb4b45cf..486c4e548 100644 --- a/security/nss/cmd/vfychain/vfychain.c +++ b/security/nss/cmd/vfychain/vfychain.c @@ -56,6 +56,7 @@ #include "secmod.h" #include "secitem.h" #include "cert.h" +#include "ocsp.h" /* #include <stdlib.h> */ @@ -108,6 +109,10 @@ Usage(const char *progName) "\t\t\t * CERT_VerifyCertificate if specified once,\n" "\t\t\t * CERT_PKIXVerifyCert if specified twice and more.\n" "\t-r\t\t Following certfile is raw binary DER (default)\n" + "\t-s\t\t Status checking, following a configuration description.\n" + "\t\t\t Implemented as of today are:\n" + "\t\t\t * allow-crl (default)\n" + "\t\t\t * allow-crl-and-ocsp\n" "\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n" "\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n" "\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n" @@ -262,6 +267,21 @@ getCert(const char *name, PRBool isAscii) return cert; } +#define REVCONFIG_ALLOW_CRL "allow-crl" +#define REVCONFIG_ALLOW_CRL_OCSP "allow-crl-and-ocsp" + +PRBool +isAllowedRevConfig(const char *name) +{ + if (strcmp(REVCONFIG_ALLOW_CRL, name) == 0) + return PR_TRUE; + + if (strcmp(REVCONFIG_ALLOW_CRL_OCSP, name) == 0) + return PR_TRUE; + + return PR_FALSE; +} + int main(int argc, char *argv[], char *envp[]) { @@ -284,12 +304,13 @@ main(int argc, char *argv[], char *envp[]) int usage; CERTVerifyLog log; CERTCertList *builtChain = NULL; + char * revConfig = NULL; PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); progName = PL_strdup(argv[0]); - optstate = PL_CreateOptState(argc, argv, "ab:d:o:prtu:w:v"); + optstate = PL_CreateOptState(argc, argv, "ab:d:o:prs:tu:w:v"); while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch(optstate->option) { case 0 : /* positional parameter */ goto breakout; 
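Review bot: isAllowedRevConfig is a file-local helper that is neither `static` nor documented, so it exports a symbol from a command-line tool and its contract has to be inferred from the two strcmp calls. I would declare it `static PRBool isAllowedRevConfig(const char *name)` and put a one-line comment above it, e.g. `/* Returns PR_TRUE iff name is one of the -s revocation configurations this tool accepts (case-sensitive). */`. The REVCONFIG_* defines are the single source of truth for both this check and the later strcmp in main, which is good; the Usage text should say the match is exact so that users do not try variants. main begins in this hunk but its body continues outside it.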
@@ -300,6 +321,7 @@ main(int argc, char *argv[], char *envp[]) case 'o' : oidStr = PL_strdup(optstate->value); break; case 'p' : usePkix += 1; break; case 'r' : isAscii = PR_FALSE; break; + case 's' : revConfig = PL_strdup(optstate->value); break; case 'u' : usage = PORT_Atoi(optstate->value); if (usage < 0 || usage > 62) Usage(progName); certUsage = ((SECCertificateUsage)1) << usage; @@ -314,6 +336,11 @@ breakout: if (status != PL_OPT_OK) Usage(progName); + if (revConfig && !isAllowedRevConfig(revConfig)) { + fprintf(stderr, "Invalid revocation configuration specified.\n"); + goto punt; + } + /* Set our password function callback. */ PK11_SetPasswordFunc(myPasswd); @@ -330,6 +357,10 @@ breakout: exitErr("NSS_Init"); } SECU_RegisterDynamicOids(); + if (revConfig && strcmp(REVCONFIG_ALLOW_CRL_OCSP, revConfig) == 0) { + CERT_EnableOCSPChecking(CERT_GetDefaultCertDB()); + CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB()); + } while (status == PL_OPT_OK) { switch(optstate->option) { @@ -380,7 +411,7 @@ breakout: SECOidTag oidTag; int inParamIndex = 0; CERTRevocationFlags rev; - PRUint64 revFlags[1]; + PRUint64 revFlags[2]; if (oidStr) { PRArenaPool *arena; 
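Review bot: The CERT_EnableOCSPChecking and CERT_DisableOCSPDefaultResponder calls ignore their return values, so if enabling OCSP fails the tool silently continues with CRL-only checking even though the user asked for `allow-crl-and-ocsp`, which is a quiet downgrade of the revocation check. Both return SECStatus as far as I recall of ocsp.h, and the `exitErr("NSS_Init")` two lines earlier shows the error style this file already uses; failing hard is the right behavior for a verification tool. Hoisting `CERT_GetDefaultCertDB()` into a local also avoids calling it twice. main continues outside this hunk.
```c
if (revConfig && strcmp(REVCONFIG_ALLOW_CRL_OCSP, revConfig) == 0) {
    CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
    /* Fail loudly: proceeding without OCSP would silently weaken the check. */
    if (CERT_EnableOCSPChecking(certdb) != SECSuccess)
        exitErr("CERT_EnableOCSPChecking");
    if (CERT_DisableOCSPDefaultResponder(certdb) != SECSuccess)
        exitErr("CERT_DisableOCSPDefaultResponder");
}
/* … unchanged: option re-scan loop … */
```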
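Review bot: `PRUint64 revFlags[2];` is sized by a magic number that must match the enumerator values of CERTRevocationMethodIndex (the later code indexes it with `cert_revocation_method_crl` and `cert_revocation_method_ocsp`), and its second slot is left uninitialized when only CRL checking is configured; that is harmless today only because number_of_defined_methods is then 1. I would zero-initialize it, `PRUint64 revFlags[2] = { 0, 0 };`, so every slot holds a defined "do not test" value, and add `/* one slot per CERTRevocationMethodIndex value: crl, ocsp */` above it; if certt.h provides a count enumerator for that enum, sizing the array with it instead of 2 would remove the coupling entirely. The enclosing block of main starts and ends outside this hunk.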
@@ -434,14 +465,25 @@ breakout: revFlags[cert_revocation_method_crl] = CERT_REV_M_TEST_USING_THIS_METHOD; + rev.leafTests.number_of_defined_methods = + cert_revocation_method_crl +1; + rev.chainTests.number_of_defined_methods = + cert_revocation_method_crl +1; + + if (revConfig && strcmp(REVCONFIG_ALLOW_CRL_OCSP, revConfig) == 0) { + revFlags[cert_revocation_method_ocsp] = + CERT_REV_M_TEST_USING_THIS_METHOD; + rev.leafTests.number_of_defined_methods = + cert_revocation_method_ocsp +1; + rev.chainTests.number_of_defined_methods = + cert_revocation_method_ocsp +1; + } - rev.leafTests.number_of_defined_methods = cert_revocation_method_crl +1; rev.leafTests.cert_rev_flags_per_method = revFlags; rev.leafTests.number_of_preferred_methods = 0; rev.leafTests.preferred_methods = 0; rev.leafTests.cert_rev_method_independent_flags = 0; - rev.chainTests.number_of_defined_methods = cert_revocation_method_crl +1; rev.chainTests.cert_rev_flags_per_method = revFlags; rev.chainTests.number_of_preferred_methods = 0; rev.chainTests.preferred_methods = 0; |
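Review bot: Setting only `CERT_REV_M_TEST_USING_THIS_METHOD` for the OCSP slot leaves it, as far as I recall of the certt.h flag semantics, a soft-fail check: a missing AIA or an unreachable responder does not fail the chain, so `allow-crl-and-ocsp` gives no guarantee against an attacker who simply blocks the responder, and nothing in the hunk says so. I would document that at the assignment, e.g. `/* Soft-fail: missing or unfetchable OCSP status does not fail verification; OR in CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO for a hard check. */`, and consider exposing a hard-fail variant through -s later. Separately, `number_of_defined_methods` is assigned for both leaf and chain and then overwritten inside the if; computing `int nmethods = useOcsp ? cert_revocation_method_ocsp + 1 : cert_revocation_method_crl + 1;` once and assigning it to both tests would remove the duplication and make the "ocsp is the last method" assumption explicit. main's body extends beyond both ends of this hunk.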