author | nelson%bolyard.com <devnull@localhost> | 2007-03-14 05:41:29 +0000 |
committer | nelson%bolyard.com <devnull@localhost> | 2007-03-14 05:41:29 +0000 |
commit | b1f15b26ca9b33309f4583e599033555d0a81a65 (patch) | |
tree | 90e4d085a4cd659e4d72a6469a307c45421dff56 | |
parent | e86ce6661a338487ae246cbf9a5f89b52f86f8a3 (diff) | |
download | nss-hg-b1f15b26ca9b33309f4583e599033555d0a81a65.tar.gz |
Bug 371470 - vfychain needs option to verify for specific date
-rw-r--r-- | security/nss/cmd/lib/secutil.c | 16 | ||||
-rw-r--r-- | security/nss/cmd/lib/secutil.h | 8 | ||||
-rw-r--r-- | security/nss/cmd/vfychain/vfychain.c | 34 |
3 files changed, 47 insertions, 11 deletions
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
index 069f81f30..e4db1ff85 100644
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -3235,9 +3235,10 @@ bestCertName(CERTCertificate *cert) {
 }
 
 void
-SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
+SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle,
                        CERTCertificate *cert, PRBool checksig,
-                       SECCertificateUsage certUsage, void *pinArg, PRBool verbose)
+                       SECCertificateUsage certUsage, void *pinArg, PRBool verbose,
+                       PRTime datetime)
 {
     CERTVerifyLog log;
     CERTVerifyLogNode *node = NULL;
@@ -3249,7 +3250,7 @@ SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
     log.arena = PORT_NewArena(512);
     log.head = log.tail = NULL;
     log.count = 0;
-    CERT_VerifyCertificate(handle, cert, checksig, certUsage, PR_Now(), pinArg, &log, NULL);
+    CERT_VerifyCertificate(handle, cert, checksig, certUsage, datetime, pinArg, &log, NULL);
 
     if (log.count > 0) {
         fprintf(outfile,"PROBLEM WITH THE CERT CHAIN:\n");
@@ -3335,6 +3336,15 @@ SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
     PORT_SetError(err); /* restore original error code */
 }
 
+void
+SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
+                       CERTCertificate *cert, PRBool checksig,
+                       SECCertificateUsage certUsage, void *pinArg, PRBool verbose)
+{
+    SECU_printCertProblemsOnDate(outfile, handle, cert, checksig,
+                       certUsage, pinArg, verbose, PR_Now());
+}
+
 SECOidTag
 SECU_StringToSignatureAlgTag(const char *alg)
 {
diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h
index 4cede1cce..3252d691f 100644
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
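Review bot: The new `datetime` parameter of SECU_printCertProblemsOnDate is passed to CERT_VerifyCertificate unchanged in the second hunk, and nothing in this function maps a zero value to the current time; only the SECU_printCertProblems wrapper added in the third hunk supplies PR_Now(). A caller that hands in an unset (zero) PRTime therefore presumably verifies against the epoch rather than "now", which is easy to get wrong since the two entry points look interchangeable. A comment on the definition would make the contract explicit: `/* datetime: the instant to verify at; it is used as given, callers wanting "now" use SECU_printCertProblems() */`. The body of SECU_printCertProblemsOnDate continues outside the hunks.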
@@ -168,12 +168,18 @@ extern void SECU_PrintSystemError(char *progName, char *msg, ...);
 /* Return informative error string */
 extern const char * SECU_Strerror(PRErrorCode errNum);
 
-/* print information about cert verification failure */
+/* print information about cert verification failure at time == now */
 extern void
 SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
                        CERTCertificate *cert, PRBool checksig,
                        SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
 
+/* print information about cert verification failure at specified time */
+extern void
+SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle,
+                       CERTCertificate *cert, PRBool checksig, SECCertificateUsage certUsage,
+                       void *pinArg, PRBool verbose, PRTime datetime);
+
 /* Read the contents of a file into a SECItem */
 extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
 extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);
diff --git a/security/nss/cmd/vfychain/vfychain.c b/security/nss/cmd/vfychain/vfychain.c
index 8f8757f3b..17fc34507 100644
--- a/security/nss/cmd/vfychain/vfychain.c
+++ b/security/nss/cmd/vfychain/vfychain.c
@@ -99,8 +99,18 @@ static void
 Usage(const char *progName)
 {
     fprintf(stderr,
-            "Usage: %s [-d dbdir] certfile [certfile ...]\n",
-            progName);
+            "Usage: %s [options] certfile [[options] certfile] ...\n"
+            "\twhere options are:\n"
+            "\t-a\t\t following certfile is base64 encoded\n"
+            "\t-b YYMMDDHHMMZ Validate date (default: now)\n"
+            "\t-d directory\t Database directory\n"
+            "\t-r\t\t following certfile is raw binary DER (default)\n"
+            "\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n"
+            "\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n"
+            "\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n"
+            "\t-v\t\t verbose mode\n"
+            "\t-w password\t Database password\n",
+            progName);
     exit(1);
 }
 
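Review bot: The new `-u` help text lists only usage values 0–6 and 9–11, while the parser in the main() hunk that follows accepts any value from 0 to 62 and turns it into a bit shift, so a mistyped `-u 12` is accepted silently as an undocumented usage bit rather than rejected. Either the help line should state that the value is a bit index in the range 0–62, or the 'u' case should reject values outside the documented set; the two should at least agree. The `-b` line reads more naturally as `"\t-b YYMMDDHHMMZ Date to validate for (default: now)\n"`, and if DER_AsciiToTime also accepts a seconds field or a four-digit year the line could say so, since a user following the help text literally has no way to know.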
@@ -240,21 +250,27 @@ main(int argc, char *argv[], char *envp[])
     SECStatus secStatus;
     SECCertificateUsage certUsage = certificateUsageSSLServer;
     PLOptState * optstate;
+    PRTime time = 0;
     PLOptStatus status;
     int rv = 1;
+    int usage;
 
     PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 
     progName = PL_strdup(argv[0]);
 
-    optstate = PL_CreateOptState(argc, argv, "ad:ru:w:v");
+    optstate = PL_CreateOptState(argc, argv, "ab:d:ru:w:v");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         switch(optstate->option) {
         case 0 : /* positional parameter */ goto breakout;
         case 'a' : isAscii = PR_TRUE; break;
+        case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value);
+                   if (secStatus != SECSuccess) Usage(progName); break;
         case 'd' : certDir = PL_strdup(optstate->value); break;
         case 'r' : isAscii = PR_FALSE; break;
-        case 'u' : certUsage = ((SECCertificateUsage) 1) << PORT_Atoi(optstate->value); break;
+        case 'u' : usage = PORT_Atoi(optstate->value);
+                   if (usage < 0 || usage > 62) Usage(progName);
+                   certUsage = ((SECCertificateUsage)1) << usage; break;
         case 'w' : password = PL_strdup(optstate->value); break;
         case 'v' : verbose++; break;
         default : Usage(progName); break;
@@ -297,15 +313,19 @@ breakout:
         }
         status = PL_GetNextOpt(optstate);
     }
+    PL_DestroyOptState(optstate);
     if (status == PL_OPT_BAD || !firstCert)
         Usage(progName);
 
+    if (!time)
+        time = PR_Now();
+
     /* NOW, verify the cert chain. */
     defaultDB = CERT_GetDefaultCertDB();
     secStatus = CERT_VerifyCertificate(defaultDB, firstCert,
                                        PR_TRUE /* check sig */,
                                        certUsage,
-                                       PR_Now(),
+                                       time,
                                        NULL, /* wincx */
                                        NULL, /* error log */
                                        NULL); /* returned usages */
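Review bot: The new local `PRTime time = 0;` shadows the C library function `time()` wherever `<time.h>` is in scope (the NSPR headers may well pull it in), which `-Wshadow` reports and which makes the `if (!time)` test in the second hunk easy to misread; a name such as `verifyTime` avoids that. Separately, 0 serves as the "option not given" sentinel, so a user who asks for the epoch itself (a constructed example: `-b 700101000000Z`) is indistinguishable from no `-b` at all and is silently verified against PR_Now() instead; tracking the option with a flag is cleaner: declare `PRBool haveTime = PR_FALSE;`, set `haveTime = PR_TRUE;` after a successful DER_AsciiToTime in the 'b' case, and test `if (!haveTime) time = PR_Now();` in the second hunk. The 0..62 check in the 'u' case looks right assuming SECCertificateUsage is a 64-bit type, and rejecting bad input via Usage() before any verification runs is the right order. main() starts before and ends after these hunks.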
@@ -313,8 +333,8 @@ breakout:
     if (secStatus != SECSuccess) {
         PRIntn err = PR_GetError();
         fprintf(stderr, "Chain is bad, %d = %s\n", err, SECU_Strerror(err));
-        SECU_printCertProblems(stderr, defaultDB, firstCert,
-                                PR_TRUE, certUsage, NULL, verbose);
+        SECU_printCertProblemsOnDate(stderr, defaultDB, firstCert,
+                                PR_TRUE, certUsage, NULL, verbose, time);
         rv = 1;
     } else {
         fprintf(stderr, "Chain is good!\n");
|