authorrichard.freedman%sun.com <devnull@localhost>2006-05-26 19:51:51 +0000
committerrichard.freedman%sun.com <devnull@localhost>2006-05-26 19:51:51 +0000
commitdeb0a2d0dc6df21aa4aa5a066d0734b5b049af0d (patch)
treef652b65bc73afbadc8c163728f7e4a7a41c2f3fb
parent5ef967aa8519bd2c9ed02ed921174b8ca981f7d4 (diff)
downloadnss-hg-deb0a2d0dc6df21aa4aa5a066d0734b5b049af0d.tar.gz
checkinmsg
-rwxr-xr-xsecurity/nss/cmd/libpkix/pkix/results/manifest.mn2
-rwxr-xr-xsecurity/nss/cmd/libpkix/pkix/top/basicchecker/test_basicchecker.c20
-rwxr-xr-xsecurity/nss/cmd/libpkix/pkix/top/bc_checker/test_basicconstraintschecker.c8
-rwxr-xr-xsecurity/nss/cmd/libpkix/pkix/top/customcrlchecker/test_customcrlchecker.c8
-rwxr-xr-xsecurity/nss/cmd/libpkix/pkix/top/defaultcrlchecker2/test_defaultcrlchecker2stores.c12
-rwxr-xr-xsecurity/nss/cmd/libpkix/pkix/top/policychecker/test_policychecker.c18
-rwxr-xr-xsecurity/nss/cmd/libpkix/pkix/top/subjaltnamechecker/test_subjaltnamechecker.c10
-rwxr-xr-xsecurity/nss/cmd/libpkix/pkix/top/validatechain/test_validatechain.c13
-rw-r--r--security/nss/cmd/libpkix/pkix/top/validatechain_NB/test_validatechain_NB.c25
-rwxr-xr-xsecurity/nss/cmd/libpkix/pkix/top/validatechain_bc/test_validatechain_bc.c20
-rwxr-xr-xsecurity/nss/cmd/libpkix/pkix_pl/module/ekuchecker/test_ekuchecker.c4
-rwxr-xr-xsecurity/nss/lib/libpkix/include/pkix.h64
-rwxr-xr-xsecurity/nss/lib/libpkix/include/pkixt.h7
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix/results/manifest.mn4
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix/top/pkix_build.c1
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix/top/pkix_validate.c152
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix/top/pkix_validate.h4
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix/util/pkix_tools.h19
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c3
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h1
-rw-r--r--security/nss/lib/nss/nss.def2
-rwxr-xr-xsecurity/nss/tests/libpkix/pkix_tests/results/runTests.sh1
22 files changed, 345 insertions, 53 deletions
diff --git a/security/nss/cmd/libpkix/pkix/results/manifest.mn b/security/nss/cmd/libpkix/pkix/results/manifest.mn
index 89049c861..5f244ff1c 100755
--- a/security/nss/cmd/libpkix/pkix/results/manifest.mn
+++ b/security/nss/cmd/libpkix/pkix/results/manifest.mn
@@ -38,6 +38,6 @@
PKIX_DEPTH = ../..
#
-DIRS = buildresult policynode valresult \
+DIRS = buildresult policynode verifynode valresult \
$(NULL)
diff --git a/security/nss/cmd/libpkix/pkix/top/basicchecker/test_basicchecker.c b/security/nss/cmd/libpkix/pkix/top/basicchecker/test_basicchecker.c
index 155eab978..936f7210b 100755
--- a/security/nss/cmd/libpkix/pkix/top/basicchecker/test_basicchecker.c
+++ b/security/nss/cmd/libpkix/pkix/top/basicchecker/test_basicchecker.c
@@ -51,6 +51,8 @@ void testPass(char *dirName, char *goodInput, char *diffInput, char *dateAscii){
PKIX_List *chain = NULL;
PKIX_ValidateParams *valParams = NULL;
PKIX_ValidateResult *valResult = NULL;
+ PKIX_VerifyNode *verifyTree = NULL;
+ PKIX_PL_String *verifyString = NULL;
PKIX_TEST_STD_VARS();
@@ -75,10 +77,16 @@ void testPass(char *dirName, char *goodInput, char *diffInput, char *dateAscii){
plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, &verifyTree, plContext));
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+ ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+ (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
cleanup:
+ PKIX_TEST_DECREF_AC(verifyString);
+ PKIX_TEST_DECREF_AC(verifyTree);
PKIX_TEST_DECREF_AC(chain);
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_DECREF_AC(valResult);
@@ -95,6 +103,8 @@ void testNameChainingFail(
PKIX_List *chain = NULL;
PKIX_ValidateParams *valParams = NULL;
PKIX_ValidateResult *valResult = NULL;
+ PKIX_VerifyNode *verifyTree = NULL;
+ PKIX_PL_String *verifyString = NULL;
PKIX_TEST_STD_VARS();
@@ -116,10 +126,12 @@ void testNameChainingFail(
plContext);
PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, &verifyTree, plContext));
cleanup:
+ PKIX_TEST_DECREF_AC(verifyString);
+ PKIX_TEST_DECREF_AC(verifyTree);
PKIX_TEST_DECREF_AC(chain);
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_DECREF_AC(valResult);
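Review bot: `verifyString` is declared and released in testNameChainingFail but never assigned, and the `verifyTree` requested from the failing `PKIX_ValidateChain` call is released without being looked at, so the test does not check what the new output promises on failure, namely that the last node carries the Error. Either render the tree as testPass does, or drop the unused string and pass `NULL` as testDateFail and testSignatureFail do. The same unused `verifyString` appears in main() of test_basicconstraintschecker.c, test_customcrlchecker.c and test_subjaltnamechecker.c. The function body starts outside this hunk.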
@@ -152,7 +164,7 @@ void testDateFail(char *dirName, char *goodInput, char *diffInput){
plContext);
PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, NULL, plContext));
cleanup:
@@ -193,7 +205,7 @@ void testSignatureFail(
plContext);
PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, NULL, plContext));
cleanup:
diff --git a/security/nss/cmd/libpkix/pkix/top/bc_checker/test_basicconstraintschecker.c b/security/nss/cmd/libpkix/pkix/top/bc_checker/test_basicconstraintschecker.c
index 67ff8fc1c..c274c688a 100755
--- a/security/nss/cmd/libpkix/pkix/top/bc_checker/test_basicconstraintschecker.c
+++ b/security/nss/cmd/libpkix/pkix/top/bc_checker/test_basicconstraintschecker.c
@@ -66,6 +66,8 @@ int main(int argc, char *argv[]){
PKIX_UInt32 actualMinorVersion;
char *certNames[PKIX_TEST_MAX_CERTS];
PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
+ PKIX_VerifyNode *verifyTree = NULL;
+ PKIX_PL_String *verifyString = NULL;
PKIX_UInt32 chainLength = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
@@ -158,14 +160,16 @@ int main(int argc, char *argv[]){
if (testValid == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, &verifyTree, plContext));
} else {
PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, &verifyTree, plContext));
}
cleanup:
+ PKIX_TEST_DECREF_AC(verifyString);
+ PKIX_TEST_DECREF_AC(verifyTree);
PKIX_TEST_DECREF_AC(chain);
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_DECREF_AC(valResult);
diff --git a/security/nss/cmd/libpkix/pkix/top/customcrlchecker/test_customcrlchecker.c b/security/nss/cmd/libpkix/pkix/top/customcrlchecker/test_customcrlchecker.c
index 2b2fb46f9..97079d155 100755
--- a/security/nss/cmd/libpkix/pkix/top/customcrlchecker/test_customcrlchecker.c
+++ b/security/nss/cmd/libpkix/pkix/top/customcrlchecker/test_customcrlchecker.c
@@ -406,6 +406,8 @@ int main(int argc, char *argv[]){
PKIX_UInt32 actualMinorVersion;
char *certNames[PKIX_TEST_MAX_CERTS];
PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
+ PKIX_VerifyNode *verifyTree = NULL;
+ PKIX_PL_String *verifyString = NULL;
PKIX_UInt32 chainLength = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
@@ -488,14 +490,16 @@ int main(int argc, char *argv[]){
if (testValid == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, &verifyTree, plContext));
} else {
PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, &verifyTree, plContext));
}
cleanup:
+ PKIX_TEST_DECREF_AC(verifyString);
+ PKIX_TEST_DECREF_AC(verifyTree);
PKIX_TEST_DECREF_AC(chain);
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_DECREF_AC(valResult);
diff --git a/security/nss/cmd/libpkix/pkix/top/defaultcrlchecker2/test_defaultcrlchecker2stores.c b/security/nss/cmd/libpkix/pkix/top/defaultcrlchecker2/test_defaultcrlchecker2stores.c
index cc7f02122..4b6acf73f 100755
--- a/security/nss/cmd/libpkix/pkix/top/defaultcrlchecker2/test_defaultcrlchecker2stores.c
+++ b/security/nss/cmd/libpkix/pkix/top/defaultcrlchecker2/test_defaultcrlchecker2stores.c
@@ -164,6 +164,8 @@ int main(int argc, char *argv[]){
PKIX_UInt32 actualMinorVersion;
char *certNames[PKIX_TEST_MAX_CERTS];
PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
+ PKIX_VerifyNode *verifyTree = NULL;
+ PKIX_PL_String *verifyString = NULL;
PKIX_UInt32 chainLength = 0;
PKIX_UInt32 i = 0;
PKIX_UInt32 j = 0;
@@ -250,15 +252,21 @@ int main(int argc, char *argv[]){
if (testValid == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, &verifyTree, plContext));
} else {
PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, &verifyTree, plContext));
}
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+ ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+ (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
cleanup:
+ PKIX_TEST_DECREF_AC(verifyString);
+ PKIX_TEST_DECREF_AC(verifyTree);
+
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_DECREF_AC(valResult);
PKIX_TEST_DECREF_AC(chain);
diff --git a/security/nss/cmd/libpkix/pkix/top/policychecker/test_policychecker.c b/security/nss/cmd/libpkix/pkix/top/policychecker/test_policychecker.c
index 92703a1ce..63b574d1f 100755
--- a/security/nss/cmd/libpkix/pkix/top/policychecker/test_policychecker.c
+++ b/security/nss/cmd/libpkix/pkix/top/policychecker/test_policychecker.c
@@ -217,7 +217,7 @@ void testPass(char *dirName, char *goodInput, char *diffInput, char *dateAscii){
plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, NULL, plContext));
cleanup:
@@ -286,7 +286,7 @@ void testNistTest1(char *dirName)
subTest("testNistTest1: Validating the chain");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, NULL, plContext));
cleanup:
@@ -360,7 +360,7 @@ void testNistTest2(char *dirName)
subTest("testNistTest2: Validating the chain");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, NULL, plContext));
cleanup:
@@ -428,6 +428,8 @@ int main(int argc, char *argv[])
PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
PKIX_List *chain = NULL;
PKIX_Error *validationError = NULL;
+ PKIX_VerifyNode *verifyTree = NULL;
+ PKIX_PL_String *verifyString = NULL;
char *dirName = NULL;
char *dataCentralDir = NULL;
char *anchorName = NULL;
@@ -555,14 +557,14 @@ int main(int argc, char *argv[])
subTest(" (expecting successful validation)");
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, &verifyTree, plContext));
printValidPolicyTree(valResult);
} else {
subTest(" (expecting validation to fail)");
validationError = PKIX_ValidateChain
- (valParams, &valResult, plContext);
+ (valParams, &valResult, &verifyTree, plContext);
if (!validationError) {
printValidPolicyTree(valResult);
pkixTestErrorMsg = "Should have thrown an error here.";
@@ -570,10 +572,16 @@ int main(int argc, char *argv[])
PKIX_TEST_DECREF_BC(validationError);
}
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+ ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+ (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
+
cleanup:
PKIX_PL_Free(anchorName, plContext);
+ PKIX_TEST_DECREF_AC(verifyString);
+ PKIX_TEST_DECREF_AC(verifyTree);
PKIX_TEST_DECREF_AC(userInitialPolicySet);
PKIX_TEST_DECREF_AC(chain);
PKIX_TEST_DECREF_AC(valParams);
diff --git a/security/nss/cmd/libpkix/pkix/top/subjaltnamechecker/test_subjaltnamechecker.c b/security/nss/cmd/libpkix/pkix/top/subjaltnamechecker/test_subjaltnamechecker.c
index 1f4a621f1..33d91623b 100755
--- a/security/nss/cmd/libpkix/pkix/top/subjaltnamechecker/test_subjaltnamechecker.c
+++ b/security/nss/cmd/libpkix/pkix/top/subjaltnamechecker/test_subjaltnamechecker.c
@@ -136,6 +136,8 @@ int main(int argc, char *argv[]){
PKIX_Boolean useArenas = PKIX_FALSE;
char *dirName = NULL;
char *anchorName = NULL;
+ PKIX_VerifyNode *verifyTree = NULL;
+ PKIX_PL_String *verifyString = NULL;
PKIX_TEST_STD_VARS();
@@ -234,7 +236,7 @@ int main(int argc, char *argv[]){
name = createGeneralName(nameType, nameStr, plContext);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName
- (selParams, name, plContext));
+ (selParams, name, plContext));
PKIX_TEST_DECREF_BC(name);
}
@@ -272,16 +274,18 @@ int main(int argc, char *argv[]){
if (testValid == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, &verifyTree, plContext));
} else {
PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, &verifyTree, plContext));
}
cleanup:
PKIX_PL_Free(anchorName, plContext);
+ PKIX_TEST_DECREF_AC(verifyString);
+ PKIX_TEST_DECREF_AC(verifyTree);
PKIX_TEST_DECREF_AC(chain);
PKIX_TEST_DECREF_AC(valParams);
PKIX_TEST_DECREF_AC(valResult);
diff --git a/security/nss/cmd/libpkix/pkix/top/validatechain/test_validatechain.c b/security/nss/cmd/libpkix/pkix/top/validatechain/test_validatechain.c
index 7c33a2d59..c64c32b82 100755
--- a/security/nss/cmd/libpkix/pkix/top/validatechain/test_validatechain.c
+++ b/security/nss/cmd/libpkix/pkix/top/validatechain/test_validatechain.c
@@ -170,6 +170,8 @@ int main(int argc, char *argv[]){
PKIX_Boolean useArenas = PKIX_FALSE;
PKIX_List *chainCerts = NULL;
PKIX_PL_Cert *dirCert = NULL;
+ PKIX_VerifyNode *verifyTree = NULL;
+ PKIX_PL_String *verifyString = NULL;
char *dirCertName = NULL;
char *anchorCertName = NULL;
char *dirName = NULL;
@@ -240,14 +242,21 @@ int main(int argc, char *argv[]){
if (testValid == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, &verifyTree, plContext));
} else {
PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, &verifyTree, plContext));
}
+ subTest("Displaying VerifyNode objects");
+
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+ ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+ (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
cleanup:
+ PKIX_TEST_DECREF_AC(verifyString);
+ PKIX_TEST_DECREF_AC(verifyTree);
PKIX_TEST_DECREF_AC(chainCerts);
PKIX_TEST_DECREF_AC(valParams);
diff --git a/security/nss/cmd/libpkix/pkix/top/validatechain_NB/test_validatechain_NB.c b/security/nss/cmd/libpkix/pkix/top/validatechain_NB/test_validatechain_NB.c
index b8b877eba..37af69c3e 100644
--- a/security/nss/cmd/libpkix/pkix/top/validatechain_NB/test_validatechain_NB.c
+++ b/security/nss/cmd/libpkix/pkix/top/validatechain_NB/test_validatechain_NB.c
@@ -224,6 +224,8 @@ int main(int argc, char *argv[]){
PRErrorCode errorCode = 0;
PKIX_PL_Socket *socket = NULL;
char *ldapName = NULL;
+ PKIX_VerifyNode *verifyTree = NULL;
+ PKIX_PL_String *verifyString = NULL;
PKIX_List *loggers = NULL;
PKIX_Logger *logger = NULL;
@@ -348,6 +350,7 @@ int main(int argc, char *argv[]){
&checkers,
(void **)&pollDesc,
&valResult,
+ &verifyTree,
plContext);
while (pollDesc != NULL) {
@@ -365,6 +368,7 @@ int main(int argc, char *argv[]){
&checkers,
(void **)&pollDesc,
&valResult,
+ &verifyTree,
plContext);
}
@@ -375,17 +379,26 @@ int main(int argc, char *argv[]){
testError("UNEXPECTED ERROR RECEIVED");
}
PKIX_TEST_DECREF_BC(pkixTestErrorResult);
- goto cleanup;
- }
+ } else {
- if (testValid == PKIX_TRUE) { /* ENE */
- (void) printf("EXPECTED NON-ERROR RECEIVED!\n");
- } else { /* EE */
- (void) printf("UNEXPECTED NON-ERROR RECEIVED!\n");
+ if (testValid == PKIX_TRUE) { /* ENE */
+ (void) printf("EXPECTED NON-ERROR RECEIVED!\n");
+ } else { /* EE */
+ (void) printf("UNEXPECTED NON-ERROR RECEIVED!\n");
+ }
}
cleanup:
+ if (verifyTree) {
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+ ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+ (void) printf("verifyTree is\n%s\n",
+ verifyString->escAsciiString);
+ }
+
+ PKIX_TEST_DECREF_AC(verifyString);
+ PKIX_TEST_DECREF_AC(verifyTree);
PKIX_TEST_DECREF_AC(checkers);
PKIX_TEST_DECREF_AC(chainCerts);
PKIX_TEST_DECREF_AC(valParams);
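Review bot: The tree dump is placed after the `cleanup:` label but still uses `PKIX_TEST_EXPECT_NO_ERROR`; if that macro jumps to `cleanup` on failure, as the BC/AC split of the DECREF macros suggests (its definition is not shown here), a failing `PKIX_PL_Object_ToString` re-enters the label and repeats the call. Since both outcomes of the validation now fall through instead of taking `goto cleanup`, the `if (verifyTree) { … }` block can sit just above `cleanup:`, leaving only the `PKIX_TEST_DECREF_AC` lines below it. The cleanup block added to test_validatechain_bc.c has the same shape.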
diff --git a/security/nss/cmd/libpkix/pkix/top/validatechain_bc/test_validatechain_bc.c b/security/nss/cmd/libpkix/pkix/top/validatechain_bc/test_validatechain_bc.c
index 0db75a99a..4f6cf49e7 100755
--- a/security/nss/cmd/libpkix/pkix/top/validatechain_bc/test_validatechain_bc.c
+++ b/security/nss/cmd/libpkix/pkix/top/validatechain_bc/test_validatechain_bc.c
@@ -151,6 +151,8 @@ int main(int argc, char *argv[])
PKIX_UInt32 j = 0;
PKIX_UInt32 actualMinorVersion;
PKIX_Boolean useArenas = PKIX_FALSE;
+ PKIX_VerifyNode *verifyTree = NULL;
+ PKIX_PL_String *verifyString = NULL;
PKIX_TEST_STD_VARS();
@@ -235,7 +237,7 @@ int main(int argc, char *argv[])
/* validate cert chain using processing params and return valResult */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, &verifyTree, plContext));
if (valResult != NULL){
printf("SUCCESSFULLY VALIDATED with Basic Constraint ");
@@ -243,21 +245,25 @@ int main(int argc, char *argv[])
PKIX_TEST_DECREF_BC(valResult);
}
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+ ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+ (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
+ PKIX_TEST_DECREF_BC(verifyString);
+ PKIX_TEST_DECREF_BC(verifyTree);
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
(certSelParams, 6, plContext));
/* validate cert chain using processing params and return valResult */
- PKIX_TEST_EXPECT_ERROR
- (PKIX_ValidateChain(valParams, &valResult, plContext));
+ PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
+ (valParams, &valResult, &verifyTree, plContext));
if (valResult != NULL){
printf("SUCCESSFULLY VALIDATED with Basic Constraint ");
printf("Cert Selector minimum path length to be 6\n");
}
-
PKIX_TEST_DECREF_BC(trustedCert);
PKIX_TEST_DECREF_BC(anchor);
PKIX_TEST_DECREF_BC(anchors);
@@ -270,6 +276,12 @@ cleanup:
printf("FAILED TO VALIDATE\n");
}
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
+ ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
+ (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
+ PKIX_TEST_DECREF_AC(verifyString);
+ PKIX_TEST_DECREF_AC(verifyTree);
+
PKIX_TEST_DECREF_AC(certSelParams);
PKIX_TEST_DECREF_AC(valResult);
PKIX_TEST_DECREF_AC(valParams);
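Review bot: `PKIX_PL_Object_ToString` is called in this cleanup path on `verifyTree` with no NULL check, and the next line dereferences `verifyString` unconditionally. `verifyTree` is initialised to NULL, so any failure that jumps to `cleanup:` before the first `PKIX_ValidateChain` call reaches this dump with a NULL object. The dump needs the guard that test_validatechain_NB.c uses, `if (verifyTree) {`, and the print should also be skipped while `verifyString` is still NULL. The start of the cleanup block is outside this hunk.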
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/ekuchecker/test_ekuchecker.c b/security/nss/cmd/libpkix/pkix_pl/module/ekuchecker/test_ekuchecker.c
index 8ef2b9bd3..80713615b 100755
--- a/security/nss/cmd/libpkix/pkix_pl/module/ekuchecker/test_ekuchecker.c
+++ b/security/nss/cmd/libpkix/pkix_pl/module/ekuchecker/test_ekuchecker.c
@@ -306,10 +306,10 @@ int main(int argc, char *argv[]){
if (testValid == PKIX_TRUE) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, NULL, plContext));
} else {
PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
- (valParams, &valResult, plContext));
+ (valParams, &valResult, NULL, plContext));
}
diff --git a/security/nss/lib/libpkix/include/pkix.h b/security/nss/lib/libpkix/include/pkix.h
index 924e82732..0de586bec 100755
--- a/security/nss/lib/libpkix/include/pkix.h
+++ b/security/nss/lib/libpkix/include/pkix.h
@@ -209,11 +209,18 @@ PKIX_Initialize_SetConfigDir(
* the policy tree and the target's public key. If unsuccessful, an Error is
* returned. Note: This function does not currently support non-blocking I/O.
*
+ * If "pVerifyTree" is non-NULL, a chain of VerifyNodes is created which
+ * tracks the results of the validation. That is, either each node in the
+ * chain has a NULL Error component, or the last node contains an Error
+ * which indicates why the validation failed.
+ *
* PARAMETERS:
* "params"
* Address of ValidateParams used to validate CertChain. Must be non-NULL.
* "pResult"
* Address where object pointer will be stored. Must be non-NULL.
+ * "pVerifyTree"
+ * Address where a VerifyTree is stored, if non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
@@ -227,11 +234,63 @@ PKIX_Error *
PKIX_ValidateChain(
PKIX_ValidateParams *params,
PKIX_ValidateResult **pResult,
+ PKIX_VerifyNode **pVerifyTree,
void *plContext);
-PKIX_Error *
+/*
+ * FUNCTION: PKIX_ValidateChain_NB
+ * DESCRIPTION:
+ *
+ * This function is the equivalent of PKIX_ValidateChain, except that it
+ * supports non-blocking I/O. When called with "pNBIOContext" pointing to NULL
+ * it initiates a new chain validation as in PKIX_ValidateChain, ignoring the
+ * value in all input variables except "params". If forced to suspend
+ * processing by a WOULDBLOCK return from some operation, such as a CertStore
+ * request, it stores the platform-dependent I/O context at "pNBIOContext" and
+ * stores other intermediate variables at "pCertIndex", "pAnchorIndex",
+ * "pCheckerIndex", "pRevChecking", and "pCheckers".
+ *
+ * When called subsequently with that non-NULL value at "pNBIOContext", it
+ * relies on those intermediate values to be untouched, and it resumes chain
+ * validation where it left off. Its behavior is undefined if any of the
+ * intermediate values was not preserved.
+ *
+ * PARAMETERS:
+ * "params"
+ * Address of ValidateParams used to validate CertChain. Must be non-NULL.
+ * "pCertIndex"
+ * The UInt32 value of the index to the Cert chain, indicating which Cert
+ * is currently being processed.
+ * "pAnchorIndex"
+ * The UInt32 value of the index to the Anchor chain, indicating which
+ * Trust Anchor is currently being processed.
+ * "pCheckerIndex"
+ * The UInt32 value of the index to the List of CertChainCheckers,
+ * indicating which Checker is currently processing.
+ * "pRevChecking"
+ * The Boolean flag indicating whether normal checking or revocation
+ * checking is occurring for the Cert indicated by "pCertIndex".
+ * "pCheckers"
+ * The address of the List of CertChainCheckers. Must be non-NULL.
+ * "pNBIOContext"
+ * The address of the platform-dependend I/O context. Must be a non-NULL
+ * pointer to a NULL value for the call to initiate chain validation.
+ * "pResult"
+ * Address where ValidateResult object pointer will be stored. Must be
+ * non-NULL.
+ * "pVerifyTree"
+ * Address where a VerifyTree is stored, if non-NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a VALIDATE Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */PKIX_Error *
PKIX_ValidateChain_NB(
- PKIX_ValidateParams *valParams,
+ PKIX_ValidateParams *params,
PKIX_UInt32 *pCertIndex,
PKIX_UInt32 *pAnchorIndex,
PKIX_UInt32 *pCheckerIndex,
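Review bot: The new "pVerifyTree" entries do not say who owns the returned tree or what `*pVerifyTree` must hold on entry; the tests in this commit release it with a DECREF, so the comment should state that, e.g. `Address where the VerifyNode chain is stored, if non-NULL. The caller must DecRef the returned object.` For PKIX_ValidateChain_NB the description lists the intermediate values that must be preserved between calls but omits "pVerifyTree", which presumably must also be left untouched on resumption because nodes are appended to the existing tree. Two small fixes in the same comment: `platform-dependend` should read `platform-dependent`, and the closing `*/` should be on its own line instead of `*/PKIX_Error *`. The same ownership sentence applies to the "pVerifyTree" entry in the PKIX_ValidateChain comment in the previous hunk.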
@@ -239,6 +298,7 @@ PKIX_ValidateChain_NB(
PKIX_List **pCheckers,
void **pNBIOContext,
PKIX_ValidateResult **pResult,
+ PKIX_VerifyNode **pVerifyTree,
void *plContext);
/*
diff --git a/security/nss/lib/libpkix/include/pkixt.h b/security/nss/lib/libpkix/include/pkixt.h
index e4f735e05..590d0de93 100755
--- a/security/nss/lib/libpkix/include/pkixt.h
+++ b/security/nss/lib/libpkix/include/pkixt.h
@@ -119,6 +119,7 @@ typedef struct PKIX_ForwardBuilderStateStruct PKIX_ForwardBuilderState;
typedef struct PKIX_DefaultRevocationCheckerStruct
PKIX_DefaultRevocationChecker;
typedef struct PKIX_OcspCheckerStruct PKIX_OcspChecker;
+typedef struct PKIX_VerifyNodeStruct PKIX_VerifyNode;
/* Portability Layer (PL) data types
*
@@ -250,7 +251,8 @@ typedef int PKIX_Boolean;
TYPEMACRO(OCSPCHECKER), \
TYPEMACRO(OCSPREQUEST), \
TYPEMACRO(OCSPRESPONSE), \
- TYPEMACRO(HTTPDEFAULTCLIENT)
+ TYPEMACRO(HTTPDEFAULTCLIENT), \
+ TYPEMACRO(VERIFYNODE)
#define TYPEMACRO(type) PKIX_ ## type ## _TYPE
@@ -342,7 +344,8 @@ typedef enum { /* Now invoke all those TYPEMACROs to assign the numbers */
ERRMACRO(OCSPCHECKER), \
ERRMACRO(OCSPREQUEST), \
ERRMACRO(OCSPRESPONSE), \
- ERRMACRO(HTTPDEFAULTCLIENT)
+ ERRMACRO(HTTPDEFAULTCLIENT), \
+ ERRMACRO(VERIFYNODE)
#define ERRMACRO(type) PKIX_ ## type ## _ERROR
diff --git a/security/nss/lib/libpkix/pkix/results/manifest.mn b/security/nss/lib/libpkix/pkix/results/manifest.mn
index b2586e265..cfafa50ba 100755
--- a/security/nss/lib/libpkix/pkix/results/manifest.mn
+++ b/security/nss/lib/libpkix/pkix/results/manifest.mn
@@ -43,14 +43,16 @@ PRIVATE_EXPORTS = \
pkix_buildresult.h \
pkix_policynode.h \
pkix_valresult.h \
+ pkix_verifynode.h \
$(NULL)
MODULE = nss
CSRCS = \
+ pkix_buildresult.c \
pkix_policynode.c \
pkix_valresult.c \
- pkix_buildresult.c \
+ pkix_verifynode.c \
$(NULL)
REQUIRES = dbm
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.c b/security/nss/lib/libpkix/pkix/top/pkix_build.c
index 30d139d6a..6c490be13 100755
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -1513,6 +1513,7 @@ pkix_Build_ValidateEntireChain(
&nbioContext,
&subjPubKey,
&policyTree,
+ NULL,
plContext),
"pkix_CheckChain failed");
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_validate.c b/security/nss/lib/libpkix/pkix/top/pkix_validate.c
index 9fe24438d..4d9c92ca8 100755
--- a/security/nss/lib/libpkix/pkix/top/pkix_validate.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_validate.c
@@ -46,6 +46,76 @@
/* --Private-Functions-------------------------------------------- */
/*
+ * FUNCTION: pkix_AddToVerifyLog
+ * DESCRIPTION:
+ *
+ * This function returns immediately if the address for the VerifyNode tree
+ * pointed to by "pVerifyTree" is NULL. Otherwise it creates a new VerifyNode
+ * from the Cert pointed to by "cert" and the Error pointed to by "error",
+ * and inserts it at the depth in the VerifyNode tree determined by "depth". A
+ * depth of zero means that this function creates the root node of a new tree.
+ *
+ * Note: this function does not include the means of choosing among branches
+ * of a tree. It is intended for non-branching trees, that is, where each
+ * parent node has only a single child node.
+ *
+ * PARAMETERS:
+ * "cert"
+ * The address of the Cert to be included in the new VerifyNode. Must be
+ * non-NULL.
+ * "depth"
+ * The UInt32 value of the depth.
+ * "error"
+ * The address of the Error to be included in the new VerifyNode.
+ * "pVerifyTree"
+ * The address of the VerifyNode tree into which the created VerifyNode
+ * is to be inserted. The node is not created if VerifyTree is NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a Validate Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_AddToVerifyLog(
+ PKIX_PL_Cert *cert,
+ PKIX_UInt32 depth,
+ PKIX_Error *error,
+ PKIX_VerifyNode **pVerifyTree,
+ void *plContext)
+{
+
+ PKIX_VerifyNode *verifyNode = NULL;
+
+ PKIX_ENTER(VALIDATE, "pkix_AddToVerifyLog");
+ PKIX_NULLCHECK_ONE(cert);
+
+ if (pVerifyTree) { /* nothing to do if no address given for log */
+
+ PKIX_CHECK(pkix_VerifyNode_Create
+ (cert, depth, error, &verifyNode, plContext),
+ "pkix_VerifyNode_Create failed");
+
+ if (depth == 0) {
+ /* We just created the root node */
+ *pVerifyTree = verifyNode;
+ } else {
+ PKIX_CHECK(pkix_VerifyNode_AddToChain
+ (*pVerifyTree, verifyNode, plContext),
+ "pkix_VerifyNode_AddToChain failed");
+ }
+ }
+
+cleanup:
+
+ PKIX_RETURN(VALIDATE);
+
+}
+
+/*
* FUNCTION: pkix_CheckCert
* DESCRIPTION:
*
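Review bot: In pkix_AddToVerifyLog nothing under `cleanup:` releases `verifyNode`, so when `pkix_VerifyNode_AddToChain` fails the freshly created node has no owner; and if AddToChain takes its own reference on success (its definition is not part of this page) the local reference is leaked on the normal path too. Setting `verifyNode = NULL;` after `*pVerifyTree = verifyNode;` and adding `PKIX_DECREF(verifyNode);` under `cleanup:` would cover both, subject to confirming AddToChain's reference behaviour. The `depth == 0` branch also overwrites `*pVerifyTree` without checking that it is NULL, and the `depth > 0` branch passes `*pVerifyTree` on without checking that it is non-NULL, which matters for a resumed non-blocking validation that starts at a non-zero index; neither precondition is stated in the header comment.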
@@ -142,17 +212,7 @@ pkix_CheckCert(
plContext);
if (checkerError) {
- PKIX_PL_String *errorDesc = NULL;
- void *enc = NULL;
- PKIX_UInt32 len = 0;
- (void)PKIX_Error_GetDescription
- (checkerError, &errorDesc, plContext);
- (void)PKIX_PL_String_GetEncoded
- (errorDesc, PKIX_ESCASCII, &enc, &len, plContext);
- PKIX_ERROR(enc);
- /* PKIX_FREE(enc); */
- PKIX_DECREF(errorDesc);
- PKIX_CHECK(checkerError, "checkerCheck failed");
+ goto cleanup;
}
if (nbioContext != NULL) {
@@ -211,6 +271,19 @@ cleanup:
PKIX_DECREF(checker);
PKIX_DECREF(unresCritExtOIDs);
+ if (checkerError) {
+ PKIX_PL_String *errorDesc = NULL;
+ void *enc = NULL;
+ PKIX_UInt32 len = 0;
+ (void)PKIX_Error_GetDescription
+ (checkerError, &errorDesc, plContext);
+ (void)PKIX_PL_String_GetEncoded
+ (errorDesc, PKIX_ESCASCII, &enc, &len, plContext);
+ PKIX_LOG_ERROR(enc);
+ PKIX_DECREF(errorDesc);
+ return (checkerError);
+ }
+
PKIX_RETURN(VALIDATE);
}
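Review bot: The block added under `cleanup:` in pkix_CheckCert leaves the function through `return (checkerError);` rather than `PKIX_RETURN(VALIDATE)`, so the macro's exit handling is skipped for exactly the failing-checker case, and the caller now receives the checker's own error instead of the wrapped "checkerCheck failed" one the removed `PKIX_CHECK` produced. `enc`, filled by `PKIX_PL_String_GetEncoded`, is never released; the old `/* PKIX_FREE(enc); */` was removed rather than enabled, and now that `enc` is only handed to `PKIX_LOG_ERROR` a `PKIX_FREE(enc);` after the log call looks safe, assuming the logger does not keep the pointer. The results of `PKIX_Error_GetDescription` and `PKIX_PL_String_GetEncoded` are discarded with `(void)`, so `errorDesc` may still be NULL when it is passed on. The function starts outside this hunk.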
@@ -745,6 +818,11 @@ cleanup:
* validPolicyTree, which could be NULL, is stored at pPolicyTree. If the List
* of Certs fails to validate, an Error pointer is returned.
*
+ * If "pVerifyTree" is non-NULL, a chain of VerifyNodes is created which
+ * tracks the results of the validation. That is, either each node in the
+ * chain has a NULL Error component, or the last node contains an Error
+ * which indicates why the validation failed.
+ *
* The number of Certs in the List, represented by "numCerts", is used to
* determine which Cert is the final Cert.
*
@@ -784,6 +862,8 @@ cleanup:
* Address where the final public key will be stored. Must be non-NULL.
* "pPolicyTree"
* Address where the final validPolicyTree is stored. Must be non-NULL.
+ * "pVerifyTree"
+ * Address where a VerifyTree is stored, if non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
@@ -807,11 +887,13 @@ pkix_CheckChain(
void **pNBIOContext,
PKIX_PL_PublicKey **pFinalSubjPubKey,
PKIX_PolicyNode **pPolicyTree,
+ PKIX_VerifyNode **pVerifyTree,
void *plContext)
{
PKIX_UInt32 j = 0;
PKIX_UInt32 reasonCode = 0;
PKIX_Boolean revChecking = PKIX_FALSE;
+ PKIX_Error *checkCertError = NULL;
void *nbioContext = NULL;
PKIX_PL_Cert *cert = NULL;
@@ -824,7 +906,7 @@ pkix_CheckChain(
*pNBIOContext = NULL;
revChecking = *pRevChecking;
- for (j = *pCertCheckedIndex; j < numCerts; j++){
+ for (j = *pCertCheckedIndex; j < numCerts; j++) {
PKIX_CHECK(PKIX_List_GetItem
(certs, j, (PKIX_PL_Object **)&cert, plContext),
"PKIX_List_GetItem failed");
@@ -884,6 +966,8 @@ pkix_CheckChain(
*pCheckerIndex = 0;
}
+ PKIX_CHECK(pkix_AddToVerifyLog(cert, j, NULL, pVerifyTree, plContext),
+ "pkix_AddToVerifyLog failed");
PKIX_DECREF(cert);
}
@@ -896,6 +980,17 @@ pkix_CheckChain(
cleanup:
+ if (PKIX_ERROR_RECEIVED) {
+ PKIX_INCREF(pkixErrorResult);
+ checkCertError = pkixErrorResult;
+ }
+
+ if (checkCertError) {
+ pkixTempResult = pkix_AddToVerifyLog
+ (cert, j, checkCertError, pVerifyTree, plContext);
+ pkixErrorResult = checkCertError;
+ }
+
PKIX_DECREF(cert);
PKIX_RETURN(VALIDATE);
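Review bot: The cleanup block in pkix_CheckChain calls `pkix_AddToVerifyLog(cert, j, …)` for every received error, but `cert` is still NULL when the failure came from `PKIX_List_GetItem`, and presumably also after the loop's `PKIX_DECREF(cert)`, while pkix_AddToVerifyLog begins with `PKIX_NULLCHECK_ONE(cert)`. The Error it returns is stored in `pkixTempResult` and never inspected or released. `PKIX_INCREF(pkixErrorResult)` takes an extra reference whose release is not visible in this hunk, and it runs after the `cleanup:` label, which is a problem if the macro jumps to `cleanup` on failure. A guard such as `if (checkCertError && cert != NULL) {` plus an explicit release of the returned Error would keep the diagnostic path from hiding or leaking anything; the original validation error is correctly restored by `pkixErrorResult = checkCertError;`.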
@@ -985,6 +1080,7 @@ PKIX_Error *
PKIX_ValidateChain(
PKIX_ValidateParams *valParams,
PKIX_ValidateResult **pResult,
+ PKIX_VerifyNode **pVerifyTree,
void *plContext)
{
PKIX_Error *chainFailed = NULL;
@@ -1122,6 +1218,7 @@ PKIX_ValidateChain(
&nbioContext,
&finalPubKey,
&validPolicyTree,
+ pVerifyTree,
plContext);
if (chainFailed || (reasonCode != 0)) {
@@ -1173,7 +1270,31 @@ cleanup:
PKIX_RETURN(VALIDATE);
}
-PKIX_Error *
+/*
+ * FUNCTION: pkix_Validate_BuildUserOIDs
+ * DESCRIPTION:
+ *
+ * This function creates a List of the OIDs that are processed by the user
+ * checkers in the List pointed to by "userCheckers", storing the resulting
+ * List at "pUserCritOIDs". If the List of userCheckers is NULL, the output
+ * List will be NULL. Otherwise the output List will be non-NULL, but may be
+ * empty.
+ *
+ * PARAMETERS:
+ * "userCheckers"
+ * The address of the List of userCheckers.
+ * "pUserCritOIDs"
+ * The address at which the List is stored. Must be non-NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a VALIDATE Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
pkix_Validate_BuildUserOIDs(
PKIX_List *userCheckers,
PKIX_List **pUserCritOIDs,
@@ -1241,6 +1362,9 @@ cleanup:
PKIX_RETURN(VALIDATE);
}
+/*
+ * FUNCTION: PKIX_ValidateChain_nb (see comments in pkix.h)
+ */
PKIX_Error *
PKIX_ValidateChain_NB(
PKIX_ValidateParams *valParams,
@@ -1251,6 +1375,7 @@ PKIX_ValidateChain_NB(
PKIX_List **pCheckers,
void **pNBIOContext,
PKIX_ValidateResult **pResult,
+ PKIX_VerifyNode **pVerifyTree,
void *plContext)
{
PKIX_UInt32 numCerts = 0;
@@ -1359,6 +1484,7 @@ PKIX_ValidateChain_NB(
&nbioContext,
&finalPubKey,
&validPolicyTree,
+ pVerifyTree,
plContext);
if (nbioContext != NULL) {
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_validate.h b/security/nss/lib/libpkix/pkix/top/pkix_validate.h
index 60a4d5679..78c5858c2 100755
--- a/security/nss/lib/libpkix/pkix/top/pkix_validate.h
+++ b/security/nss/lib/libpkix/pkix/top/pkix_validate.h
@@ -63,8 +63,10 @@ pkix_CheckChain(
void **pNBIOContext,
PKIX_PL_PublicKey **pFinalSubjPubKey,
PKIX_PolicyNode **pPolicyTree,
+ PKIX_VerifyNode **pVerifyTree,
void *plContext);
+#if 0
PKIX_Error *
PKIX_ValidateChain_NB(
PKIX_ValidateParams *valParams,
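Review bot: The `#if 0` opened here and closed by the `#endif` in the next hunk keeps a disabled copy of the PKIX_ValidateChain_NB prototype in the header, and the commit still edits that dead copy to add `pVerifyTree`. If the declaration now lives in pkix.h, as the comment added in pkix_validate.c suggests, the block should be deleted rather than fenced off. A disabled prototype is not checked by the compiler and can drift from the real signature without anyone noticing. If it has to stay for now, a one-line comment such as `/* moved to pkix.h; remove once all callers include it */` would say why.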
@@ -75,7 +77,9 @@ PKIX_ValidateChain_NB(
PKIX_List **pCheckers,
void **pNBIOContext,
PKIX_ValidateResult **pResult,
+ PKIX_VerifyNode **pVerifyTree,
void *plContext);
+#endif
#ifdef __cplusplus
}
diff --git a/security/nss/lib/libpkix/pkix/util/pkix_tools.h b/security/nss/lib/libpkix/pkix/util/pkix_tools.h
index c1044d2c1..7ab855a7b 100755
--- a/security/nss/lib/libpkix/pkix/util/pkix_tools.h
+++ b/security/nss/lib/libpkix/pkix/util/pkix_tools.h
@@ -75,6 +75,7 @@
#include "pkix_targetcertchecker.h"
#include "pkix_validate.h"
#include "pkix_valresult.h"
+#include "pkix_verifynode.h"
#ifdef __cplusplus
extern "C" {
@@ -199,13 +200,18 @@ extern "C" {
} \
} while (0)
-#define PKIX_ERROR(desc) \
+#define PKIX_LOG_ERROR(desc) \
{ \
if (pkixLoggersErrors) { \
(pkix_Logger_Check(pkixLoggersErrors, \
desc, NULL, pkixType, \
PKIX_LOGGER_LEVEL_ERROR, plContext)); \
} \
+ }
+
+#define PKIX_ERROR(desc) \
+ { \
+ PKIX_LOG_ERROR(desc) \
pkixErrorReceived = PKIX_TRUE; \
pkixErrorMsg = (desc); \
goto cleanup; \
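Review bot: The new `PKIX_LOG_ERROR` macro expands to a bare `{ ... }` block, so a standalone `if (x) PKIX_LOG_ERROR(d); else ...` will not compile, because the trailing semicolon ends the `if`. The macro just above this hunk already closes with `} while (0)`, and splitting the logging out of PKIX_ERROR invites exactly that kind of independent use. I would wrap it as `do { if (pkixLoggersErrors) { ... } } while (0)` and call it inside PKIX_ERROR as `PKIX_LOG_ERROR(desc); \`. PKIX_ERROR itself continues past the end of the hunk, so its own closing form is not visible here.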
@@ -504,6 +510,7 @@ extern "C" {
#define PKIX_OCSPRESPONSEDEBUG 1
#define PKIX_HTTPDEFAULTCLIENTDEBUG 1
#define PKIX_HTTPCERTSTORECONTEXTDEBUG 1
+#define PKIX_VERIFYNODEDEBUG 1
#endif
/*
@@ -1239,6 +1246,16 @@ extern "C" {
#define PKIX_HTTPCERTSTORECONTEXT_DEBUG_ARG(expr, arg)
#endif
+#if PKIX_VERIFYNODEDEBUG
+#define PKIX_VERIFYNODE_DEBUG(expr) \
+ PKIX_DEBUG(expr)
+#define PKIX_VERIFYNODE_DEBUG_ARG(expr, arg) \
+ PKIX_DEBUG_ARG(expr, arg)
+#else
+#define PKIX_VERIFYNODE_DEBUG(expr)
+#define PKIX_VERIFYNODE_DEBUG_ARG(expr, arg)
+#endif
+
/*
* All object types register themselves with the system using a
* pkix_ClassTable_Entry, which consists of a set of functions for that
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
index 9ce9c85c6..ae3be7823 100755
--- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
@@ -230,7 +230,7 @@ PKIX_PL_Initialize(
pkix_pl_LdapDefaultClient_RegisterSelf(plContext);
pkix_pl_Socket_RegisterSelf(plContext);
- pkix_ResourceLimits_RegisterSelf(plContext); /* 51-58 */
+ pkix_ResourceLimits_RegisterSelf(plContext); /* 51-59 */
(void) pkix_pl_MonitorLock_RegisterSelf(plContext);
pkix_pl_InfoAccess_RegisterSelf(plContext);
pkix_pl_AIAMgr_RegisterSelf(plContext);
@@ -238,6 +238,7 @@ PKIX_PL_Initialize(
pkix_pl_OcspRequest_RegisterSelf(plContext);
pkix_pl_OcspResponse_RegisterSelf(plContext);
pkix_pl_HttpDefaultClient_RegisterSelf(plContext);
+ pkix_VerifyNode_RegisterSelf(plContext);
PKIX_CHECK(PKIX_PL_NssContext_Create
(0x10, useArenas, NULL, &plContext),
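Review bot: The added `pkix_VerifyNode_RegisterSelf(plContext);` discards its result without saying so. The neighbouring `(void) pkix_pl_MonitorLock_RegisterSelf(plContext);` suggests these registration calls return an error pointer. If that holds for the new call, a failed registration would pass unnoticed at initialisation and only show up later when a VerifyNode is created during chain validation. Either check it with the `PKIX_CHECK` form used for the statement that follows, or mark the discard explicitly with `(void)` as the MonitorLock line does. PKIX_PL_Initialize continues outside this hunk.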
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h
index 3e470f9fb..c4b49a2b5 100755
--- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h
@@ -80,6 +80,7 @@
#include "pkix_procparams.h"
#include "pkix_valparams.h"
#include "pkix_valresult.h"
+#include "pkix_verifynode.h"
#include "pkix_resourcelimits.h"
#include "pkix_certchainchecker.h"
#include "pkix_revocationchecker.h"
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 5ad6af2d8..ea959beff 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -1165,6 +1165,8 @@ pkix_ValidateResult_Create;
PKIX_ValidateResult_GetPolicyTree;
PKIX_ValidateResult_GetPublicKey;
PKIX_ValidateResult_GetTrustAnchor;
+pkix_VerifyNode_AddToChain;
+pkix_VerifyNode_Create;
PKIX_ResourceLimits_Create;
PKIX_ResourceLimits_GetMaxDepth;
PKIX_ResourceLimits_GetMaxFanout;
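Review bot: The two added exports, `pkix_VerifyNode_AddToChain` and `pkix_VerifyNode_Create`, carry the lowercase `pkix_` prefix that this code base appears to use for internal functions, yet listing them here makes them part of the library's exported symbol set. This is presumably for the new `test_verifynode` program, but once exported they can be called by any consumer and become hard to change or remove. If they are needed only by the tests, a comment on the two lines saying so would help, or the test could reach them through a public wrapper. The existing `pkix_ValidateResult_Create` export follows the same pattern, so this may be an accepted convention here.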
diff --git a/security/nss/tests/libpkix/pkix_tests/results/runTests.sh b/security/nss/tests/libpkix/pkix_tests/results/runTests.sh
index 1d9cf3058..d8111e20c 100755
--- a/security/nss/tests/libpkix/pkix_tests/results/runTests.sh
+++ b/security/nss/tests/libpkix/pkix_tests/results/runTests.sh
@@ -60,6 +60,7 @@ RunTests <<EOF
test_policynode ${NIST} NIST-Test-Files-Used
test_valresult ../../certs
test_buildresult ../../certs
+test_verifynode ${NIST} TrustAnchorRootCertificate.crt GoodCACert.crt ValidCertificatePathTest1EE.crt
EOF
totalErrors=$?