authoralexei.volkov.bugs%sun.com <devnull@localhost>2008-03-27 21:56:25 +0000
committeralexei.volkov.bugs%sun.com <devnull@localhost>2008-03-27 21:56:25 +0000
commit98e07d1dc7aa409f68129458c16cd088660baf69 (patch)
treea6b50f7336dd0be1e70a674cfcde56b04edad877
parentad1864497a47cd243e4b4cf3677ea8a452e8a9c2 (diff)
412468 - modify certutil, vfychain and vfyserv utilities to use CERT_PKIXVerifyCert function. r=nelson
-rw-r--r--security/nss/cmd/vfychain/vfychain.c25
-rw-r--r--security/nss/lib/certdb/certt.h12
-rw-r--r--security/nss/lib/certhigh/certvfypkix.c19
3 files changed, 46 insertions, 10 deletions
diff --git a/security/nss/cmd/vfychain/vfychain.c b/security/nss/cmd/vfychain/vfychain.c
index bf3794d0b..ebb4b45cf 100644
--- a/security/nss/cmd/vfychain/vfychain.c
+++ b/security/nss/cmd/vfychain/vfychain.c
@@ -283,6 +283,7 @@ main(int argc, char *argv[], char *envp[])
int rv = 1;
int usage;
CERTVerifyLog log;
+ CERTCertList *builtChain = NULL;
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
@@ -374,7 +375,7 @@ breakout:
&log, /* error log */
NULL);/* returned usages */
} else do {
- CERTValOutParam cvout[3];
+ CERTValOutParam cvout[4];
CERTValInParam cvin[5];
SECOidTag oidTag;
int inParamIndex = 0;
@@ -453,13 +454,14 @@ breakout:
cvin[inParamIndex].type = cert_pi_end;
cvout[0].type = cert_po_trustAnchor;
+ cvout[1].type = cert_po_certList;
/* setting pointer to CERTVerifyLog. Initialized structure
* will be used CERT_PKIXVerifyCert */
- cvout[1].type = cert_po_errorLog;
- cvout[1].value.pointer.log = &log;
+ cvout[2].type = cert_po_errorLog;
+ cvout[2].value.pointer.log = &log;
- cvout[2].type = cert_po_end;
+ cvout[3].type = cert_po_end;
secStatus = CERT_PKIXVerifyCert(firstCert, certUsage,
cvin, cvout, NULL);
@@ -467,6 +469,7 @@ breakout:
break;
}
issuerCert = cvout[0].value.pointer.cert;
+ builtChain = cvout[1].value.pointer.chain;
} while (0);
/* Display validation results */
@@ -498,6 +501,20 @@ breakout:
}
CERT_DestroyCertificate(issuerCert);
}
+ if (builtChain) {
+ CERTCertListNode *node;
+ int count = 0;
+ char buff[256];
+
+ if (verbose) {
+ for(node = CERT_LIST_HEAD(builtChain); !CERT_LIST_END(node, builtChain);
+ node = CERT_LIST_NEXT(node), count++ ) {
+ sprintf(buff, "Certificate %d Subject", count + 1);
+ SECU_PrintName(stdout, &node->cert->subject, buff, 0);
+ }
+ }
+ CERT_DestroyCertList(builtChain);
+ }
rv = 0;
}
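Review bot: The new verbose loop formats the label with an unbounded `sprintf(buff, "Certificate %d Subject", count + 1);` into a fixed 256-byte stack array; with an `int` count the output cannot exceed the buffer today, but the bound is implicit and silently breaks if the format string is later extended. Prefer the size-checked form, `snprintf(buff, sizeof buff, "Certificate %d Subject", count + 1);`, which keeps the invariant in the code rather than in the reviewer's head. It is also worth noting in a short comment that `builtChain` is only populated on the SECSuccess path (the `break` in the previous hunk skips the `cvout[1]` read), since `cvout` is not zero-initialized and a reader might otherwise assume the pointer is always valid. The enclosing `main` starts and ends outside this hunk.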
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h
index 4ccbcde67..dc321f1dc 100644
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -1180,7 +1180,7 @@ typedef struct CERTValParamInValueStr {
const void* p;
const char* s;
const CERTCertificate* cert;
- const CERTCertList *chain;
+ const CERTCertList *chain;
const CERTRevocationFlags *revocation;
} pointer;
union {
@@ -1188,7 +1188,7 @@ typedef struct CERTValParamInValueStr {
const PRUint32 *pui;
const PRInt64 *pl;
const PRUint64 *pul;
- const SECOidTag *oids;
+ const SECOidTag *oids;
} array;
int arraySize;
} CERTValParamInValue;
@@ -1206,13 +1206,13 @@ typedef struct CERTValParamOutValueStr {
union {
void* p;
char* s;
- CERTVerifyLog *log;
+ CERTVerifyLog *log;
CERTCertificate* cert;
- CERTCertList *chain;
+ CERTCertList *chain;
} pointer;
union {
- void *p;
- SECOidTag *oids;
+ void *p;
+ SECOidTag *oids;
} array;
int arraySize;
} CERTValParamOutValue;
diff --git a/security/nss/lib/certhigh/certvfypkix.c b/security/nss/lib/certhigh/certvfypkix.c
index 705d9ef25..dfca700b2 100644
--- a/security/nss/lib/certhigh/certvfypkix.c
+++ b/security/nss/lib/certhigh/certvfypkix.c
@@ -2004,6 +2004,7 @@ SECStatus CERT_PKIXVerifyCert(
PKIX_VerifyNode * verifyNode = NULL;
PKIX_TrustAnchor * trustAnchor = NULL;
PKIX_PL_Cert * trustAnchorCert = NULL;
+ PKIX_List * builtCertList = NULL;
CERTValOutParam * oparam = NULL;
int i=0;
@@ -2138,6 +2139,20 @@ do {
cert_NSSCertFromPKIXCert(trustAnchorCert,plContext);
}
+ error = PKIX_BuildResult_GetCertChain( buildResult, &builtCertList,
+ plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
+
+ oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList);
+ if (oparam != NULL) {
+ error = cert_PkixToNssCertsChain(builtCertList,
+ &oparam->value.pointer.chain,
+ plContext);
+ if (error) goto cleanup;
+ }
+
r = SECSuccess;
cleanup:
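Review bot: The two new error checks in this hunk use different spellings, `if (error != NULL)` after `PKIX_BuildResult_GetCertChain` and `if (error) goto cleanup;` after `cert_PkixToNssCertsChain`; the surrounding function uses the explicit `!= NULL` form, so the second should read `if (error != NULL) { goto cleanup; }` for consistency. More substantively, when `cert_PkixToNssCertsChain` fails the function jumps to cleanup with the trust-anchor output parameter already populated a few lines above, and the next hunk's `/* XXX Destroy output params in case of error. See bug 425516. */` shows the partially filled paramsOut is known but not handled, so callers cannot safely rely on any output value when `SECFailure` is returned. Unless `cert_PkixToNssCertsChain` guarantees `*chain` is NULL on failure (not visible here), consider documenting that contract at the call site, e.g. `/* on failure paramsOut may be partially populated; see bug 425516 */`. `CERT_PKIXVerifyCert` starts and ends outside this hunk.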
@@ -2176,12 +2191,16 @@ cleanup:
if (certSelector != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
+ if (builtCertList != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext);
+
if (error != NULL) {
SECErrorCodes nssErrorCode = 0;
cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
PORT_SetError(nssErrorCode);
PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+ /* XXX Destroy output params in case of error. See bug 425516. */
}
PKIX_PL_NssContext_Destroy(plContext);