authornelson%bolyard.com <devnull@localhost>2007-03-14 05:41:29 +0000
committernelson%bolyard.com <devnull@localhost>2007-03-14 05:41:29 +0000
commitb1f15b26ca9b33309f4583e599033555d0a81a65 (patch)
tree90e4d085a4cd659e4d72a6469a307c45421dff56
parente86ce6661a338487ae246cbf9a5f89b52f86f8a3 (diff)
downloadnss-hg-b1f15b26ca9b33309f4583e599033555d0a81a65.tar.gz
Bug 371470 – vfychain needs option to verify for specific date
-rw-r--r--security/nss/cmd/lib/secutil.c16
-rw-r--r--security/nss/cmd/lib/secutil.h8
-rw-r--r--security/nss/cmd/vfychain/vfychain.c34
3 files changed, 47 insertions, 11 deletions
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
index 069f81f30..e4db1ff85 100644
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -3235,9 +3235,10 @@ bestCertName(CERTCertificate *cert) {
}
void
-SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
+SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle,
CERTCertificate *cert, PRBool checksig,
- SECCertificateUsage certUsage, void *pinArg, PRBool verbose)
+ SECCertificateUsage certUsage, void *pinArg, PRBool verbose,
+ PRTime datetime)
{
CERTVerifyLog log;
CERTVerifyLogNode *node = NULL;
@@ -3249,7 +3250,7 @@ SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
log.arena = PORT_NewArena(512);
log.head = log.tail = NULL;
log.count = 0;
- CERT_VerifyCertificate(handle, cert, checksig, certUsage, PR_Now(), pinArg, &log, NULL);
+ CERT_VerifyCertificate(handle, cert, checksig, certUsage, datetime, pinArg, &log, NULL);
if (log.count > 0) {
fprintf(outfile,"PROBLEM WITH THE CERT CHAIN:\n");
@@ -3335,6 +3336,15 @@ SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
PORT_SetError(err); /* restore original error code */
}
+void
+SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
+ CERTCertificate *cert, PRBool checksig,
+ SECCertificateUsage certUsage, void *pinArg, PRBool verbose)
+{
+ SECU_printCertProblemsOnDate(outfile, handle, cert, checksig,
+ certUsage, pinArg, verbose, PR_Now());
+}
+
SECOidTag
SECU_StringToSignatureAlgTag(const char *alg)
{
diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h
index 4cede1cce..3252d691f 100644
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -168,12 +168,18 @@ extern void SECU_PrintSystemError(char *progName, char *msg, ...);
/* Return informative error string */
extern const char * SECU_Strerror(PRErrorCode errNum);
-/* print information about cert verification failure */
+/* print information about cert verification failure at time == now */
extern void
SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
CERTCertificate *cert, PRBool checksig,
SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
+/* print information about cert verification failure at specified time */
+extern void
+SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle,
+ CERTCertificate *cert, PRBool checksig, SECCertificateUsage certUsage,
+ void *pinArg, PRBool verbose, PRTime datetime);
+
/* Read the contents of a file into a SECItem */
extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);
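Review bot: The new comment on SECU_printCertProblemsOnDate says only "at specified time" and does not tell a caller what `datetime` is or how it relates to the older entry point. Since the implementation hands it straight to CERT_VerifyCertificate and the old function is now a wrapper that passes PR_Now(), the header can say so: `/* print information about cert verification failure evaluated at datetime, a PRTime handed through to CERT_VerifyCertificate; SECU_printCertProblems is the same call with PR_Now() */`. That makes it clear the two functions share one code path and differ only in the evaluation time.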
diff --git a/security/nss/cmd/vfychain/vfychain.c b/security/nss/cmd/vfychain/vfychain.c
index 8f8757f3b..17fc34507 100644
--- a/security/nss/cmd/vfychain/vfychain.c
+++ b/security/nss/cmd/vfychain/vfychain.c
@@ -99,8 +99,18 @@ static void
Usage(const char *progName)
{
fprintf(stderr,
- "Usage: %s [-d dbdir] certfile [certfile ...]\n",
- progName);
+ "Usage: %s [options] certfile [[options] certfile] ...\n"
+ "\twhere options are:\n"
+ "\t-a\t\t following certfile is base64 encoded\n"
+ "\t-b YYMMDDHHMMZ Validate date (default: now)\n"
+ "\t-d directory\t Database directory\n"
+ "\t-r\t\t following certfile is raw binary DER (default)\n"
+ "\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n"
+ "\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n"
+ "\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n"
+ "\t-v\t\t verbose mode\n"
+ "\t-w password\t Database password\n",
+ progName);
exit(1);
}
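Review bot: The `-u` help text enumerates only bit numbers 0–11, while the option parser further down (outside this hunk) accepts any value from 0 to 62 without naming the rest, so a user reading Usage() cannot tell what the other values mean or why they are accepted. Either describe the argument as a bit position, e.g. `"\t-u usage \t bit number (0-62) of the SECCertificateUsage to verify; known values:\n"`, or tighten the parser to the listed values. The `-b` line documents one fixed form, `YYMMDDHHMMZ`; if DER_AsciiToTime also accepts a seconds field or a four-digit-year GeneralizedTime (I cannot confirm that from this diff), the help line should say so, since a two-digit year is the only form users are being told about.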
@@ -240,21 +250,27 @@ main(int argc, char *argv[], char *envp[])
SECStatus secStatus;
SECCertificateUsage certUsage = certificateUsageSSLServer;
PLOptState * optstate;
+ PRTime time = 0;
PLOptStatus status;
int rv = 1;
+ int usage;
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
progName = PL_strdup(argv[0]);
- optstate = PL_CreateOptState(argc, argv, "ad:ru:w:v");
+ optstate = PL_CreateOptState(argc, argv, "ab:d:ru:w:v");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch(optstate->option) {
case 0 : /* positional parameter */ goto breakout;
case 'a' : isAscii = PR_TRUE; break;
+ case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value);
+ if (secStatus != SECSuccess) Usage(progName); break;
case 'd' : certDir = PL_strdup(optstate->value); break;
case 'r' : isAscii = PR_FALSE; break;
- case 'u' : certUsage = ((SECCertificateUsage) 1) << PORT_Atoi(optstate->value); break;
+ case 'u' : usage = PORT_Atoi(optstate->value);
+ if (usage < 0 || usage > 62) Usage(progName);
+ certUsage = ((SECCertificateUsage)1) << usage; break;
case 'w' : password = PL_strdup(optstate->value); break;
case 'v' : verbose++; break;
default : Usage(progName); break;
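Review bot: `PRTime time = 0;` reuses the name of the C library function `time()`, which `-Wshadow` reports and which makes the later `if (!time)` test read as if it were testing a function; `PRTime verifyTime = 0;` with the matching use in `case 'b'` avoids that. The new range check on `-u` is welcome, but the constant 62 is unexplained — presumably it is chosen because SECCertificateUsage is a signed 64-bit mask and shifting into bit 63 would be undefined, but the diff does not show the typedef, so a comment such as `/* 1 << 63 would overflow the signed usage mask */` next to the check would record the reason. The enclosing main() starts and ends outside this hunk.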
@@ -297,15 +313,19 @@ breakout:
}
status = PL_GetNextOpt(optstate);
}
+ PL_DestroyOptState(optstate);
if (status == PL_OPT_BAD || !firstCert)
Usage(progName);
+ if (!time)
+ time = PR_Now();
+
/* NOW, verify the cert chain. */
defaultDB = CERT_GetDefaultCertDB();
secStatus = CERT_VerifyCertificate(defaultDB, firstCert,
PR_TRUE /* check sig */,
certUsage,
- PR_Now(),
+ time,
NULL, /* wincx */
NULL, /* error log */
NULL); /* returned usages */
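Review bot: `if (!time) time = PR_Now();` uses the value 0 as the "no -b was given" sentinel, so a `-b` argument that DER_AsciiToTime parses to exactly the PRTime epoch is silently replaced by the current time rather than honoured, and the user gets a verification result for a date they did not ask for. A separate flag keeps the two meanings apart: declare `PRBool haveTime = PR_FALSE;` beside `time`, set `haveTime = PR_TRUE;` in `case 'b'` (both in the option-parsing hunk above), and test `if (!haveTime) time = PR_Now();` here. Passing the same `time` to both CERT_VerifyCertificate and the problem printer is the right thing and should stay as is. The enclosing main() starts and ends outside this hunk.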
@@ -313,8 +333,8 @@ breakout:
if (secStatus != SECSuccess) {
PRIntn err = PR_GetError();
fprintf(stderr, "Chain is bad, %d = %s\n", err, SECU_Strerror(err));
- SECU_printCertProblems(stderr, defaultDB, firstCert,
- PR_TRUE, certUsage, NULL, verbose);
+ SECU_printCertProblemsOnDate(stderr, defaultDB, firstCert,
+ PR_TRUE, certUsage, NULL, verbose, time);
rv = 1;
} else {
fprintf(stderr, "Chain is good!\n");