authorian.mcgreer%sun.com <devnull@localhost>2002-09-06 16:10:32 +0000
committerian.mcgreer%sun.com <devnull@localhost>2002-09-06 16:10:32 +0000
commit31c33c5087d39617e7a7a2a2bbf1564a5fad4089 (patch)
treeacde2e002a02db87d23ee2e7281dea610ab25c8f /security/nss/cmd/pkiutil
parentc0c3f6bf61c0fcd3ed60c62c859bc530e7d71e50 (diff)
first crack at certificate verification
Diffstat (limited to 'security/nss/cmd/pkiutil')
-rw-r--r--security/nss/cmd/pkiutil/pkiobject.c79
-rw-r--r--security/nss/cmd/pkiutil/pkiutil.c33
-rw-r--r--security/nss/cmd/pkiutil/pkiutil.h10
3 files changed, 84 insertions, 38 deletions
diff --git a/security/nss/cmd/pkiutil/pkiobject.c b/security/nss/cmd/pkiutil/pkiobject.c
index 32547f6f7..7ba97a229 100644
--- a/security/nss/cmd/pkiutil/pkiobject.c
+++ b/security/nss/cmd/pkiutil/pkiobject.c
@@ -125,7 +125,7 @@ list_nickname_certs
cert[0] = NSSTrustDomain_FindBestCertificateByNickname(td,
nickname,
NSSTime_Now(),
- NSSUsage_Any,
+ NULL,
NULL);
cert[1] = NULL;
certs = cert;
@@ -251,7 +251,8 @@ dump_cert_chain
PRUint32 i, j;
NSSCertificate **chain, **chainp;
- chain = NSSCertificate_BuildChain(c, NSSTime_Now(), NSSUsage_Any,
+ chain = NSSCertificate_BuildChain(c, NSSTime_Now(),
+ NULL, /* usage */
NULL, /* policies */
NULL, /* certs[] */
0, /* rvLimit */
@@ -315,14 +316,14 @@ DumpObject
if (chain) {
c = NSSTrustDomain_FindBestCertificateByNickname(td, nickname,
NSSTime_Now(),
- NSSUsage_Any,
+ NULL,
NULL);
status = dump_cert_chain(td, c, rtData);
NSSCertificate_Destroy(c);
} else if (info) {
c = NSSTrustDomain_FindBestCertificateByNickname(td, nickname,
NSSTime_Now(),
- NSSUsage_Any,
+ NULL,
NULL);
status = dump_cert_info(td, c, rtData);
NSSCertificate_Destroy(c);
@@ -342,44 +343,54 @@ DumpObject
return status;
}
-/* XXX make NSSItem methods public */
-#if 0
-static NSSItem *
-read_input
+PRStatus
+ValidateCert
(
- RunTimeData *rtData
+ NSSTrustDomain *td,
+ char *nickname,
+ char *usageStr,
+ PRBool info,
+ CMDRunTimeData *rtData
)
{
- PRFileInfo info;
- PRInt32 numBytes;
PRStatus status;
- NSSItem *dest = NULL;
- PRFileDesc *src = rtData->input.file;
- /* XXX handle base64 input */
-#ifdef nodef
- if (src == PR_STDIN)
- return secu_StdinToItem(dst);
-#endif
- status = PR_GetOpenFileInfo(src, &info);
- if (status != PR_SUCCESS) {
- goto loser;
- }
- dest = PR_NEWZAP(NSSItem);
- if (!dest) {
- goto loser;
+ NSSCertificate *c;
+ char usage;
+ NSSUsages usages = { 0 };
+
+ if (usageStr) {
+ while ((usage = *usageStr++)) {
+ switch (usage) {
+ case 'c': usages.peer |= NSSUsage_SSLClient; break;
+ case 'v': usages.peer |= NSSUsage_SSLServer; break;
+ case 'r': usages.peer |= NSSUsage_EmailRecipient; break;
+ case 's': usages.peer |= NSSUsage_EmailSigner; break;
+ case 'C': usages.ca |= NSSUsage_SSLClient; break;
+ case 'V': usages.ca |= NSSUsage_SSLServer; break;
+ case 'R': usages.ca |= NSSUsage_EmailRecipient; break;
+ case 'S': usages.ca |= NSSUsage_EmailSigner; break;
+ }
+ }
}
- numBytes = PR_Read(src, dest->data, info.size);
- if (numBytes != info.size) {
- goto loser;
+
+ c = NSSTrustDomain_FindBestCertificateByNickname(td, nickname,
+ NSSTime_Now(),
+ NULL,
+ NULL);
+ if (!c) {
+ PR_fprintf(PR_STDERR, "Failed to locate cert %s\n", nickname);
+ return PR_FAILURE;
}
- return PR_SUCCESS;
-loser:
- if (dest) {
- PR_Free(dest);
+
+ status = NSSCertificate_Validate(c, NSSTime_Now(), &usages, NULL);
+ if (status == PR_SUCCESS) {
+ PR_fprintf(PR_STDOUT, "Certificate validated.\n");
+ } else {
+ PR_fprintf(PR_STDERR, "Validation failed.\n");
}
- return PR_FAILURE;
+
+ return status;
}
-#endif
static PRStatus
import_certificate
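Review bot: The usage parser in ValidateCert has no `default:` case, so a mistyped `-u` letter is silently dropped and validation proceeds with whatever bits remain, possibly none; adding `default: PR_fprintf(PR_STDERR, "Unknown usage '%c'\n", usage); return PR_FAILURE;` rejects it up front. What NSSCertificate_Validate does with an all-zero NSSUsages is not visible here, so an unnoticed typo may print "Certificate validated." for a usage the user never actually asked about. The certificate returned by NSSTrustDomain_FindBestCertificateByNickname is also never released: DumpObject calls NSSCertificate_Destroy(c) after each lookup, but this function returns straight after NSSCertificate_Validate, so add `NSSCertificate_Destroy(c);` before `return status;`. The `info` and `rtData` parameters are accepted but never read, and "Validation failed." gives no reason; printing the NSS error code (or at least which usage failed) would make the command usable for diagnosis.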
diff --git a/security/nss/cmd/pkiutil/pkiutil.c b/security/nss/cmd/pkiutil/pkiutil.c
index c5e2fc64a..82642d73a 100644
--- a/security/nss/cmd/pkiutil/pkiutil.c
+++ b/security/nss/cmd/pkiutil/pkiutil.c
@@ -58,6 +58,7 @@ enum {
cmd_Interactive,
cmd_List,
cmd_Print,
+ cmd_Validate,
cmd_Version,
pkiutil_num_commands
};
@@ -77,6 +78,7 @@ enum {
opt_Binary,
opt_Trust,
opt_Type,
+ opt_Usages,
pkiutil_num_options
};
@@ -97,9 +99,11 @@ static cmdCommandLineArg pkiutil_commands[] =
{ /* cmd_Delete */
'D', "delete",
CMDNoArg, 0, PR_FALSE,
- { 0, 0, 0, 0 },
- {
+ {
CMDBIT(opt_Nickname) |
+ 0, 0, 0
+ },
+ {
CMDBIT(opt_ProfileDir) |
CMDBIT(opt_Orphans) |
CMDBIT(opt_TokenName),
@@ -167,13 +171,26 @@ static cmdCommandLineArg pkiutil_commands[] =
CMDBIT(opt_Chain) |
CMDBIT(opt_Info) |
CMDBIT(opt_ProfileDir) |
- CMDBIT(opt_Nickname) |
CMDBIT(opt_OutputFile) |
CMDBIT(opt_Binary) |
CMDBIT(opt_Type),
0, 0, 0
},
},
+ { /* cmd_Validate */
+ 'V', "validate",
+ CMDNoArg, 0, PR_FALSE,
+ {
+ CMDBIT(opt_Nickname),
+ 0, 0, 0
+ },
+ {
+ CMDBIT(opt_Info) |
+ CMDBIT(opt_ProfileDir) |
+ CMDBIT(opt_Usages) |
+ 0, 0, 0
+ },
+ },
{ /* cmd_Version */
0, "version",
CMDNoArg, 0, PR_FALSE,
@@ -197,6 +214,7 @@ static cmdCommandLineOpt pkiutil_options[] =
{ /* opt_Binary */ 'r', "raw", CMDNoArg },
{ /* opt_Trust */ 't', "trust", CMDArgReq },
{ /* opt_Type */ 0 , "type", CMDArgReq },
+ { /* opt_Usages */ 'u', "usages", CMDArgReq },
};
void pkiutil_usage(cmdPrintState *ps,
@@ -322,7 +340,7 @@ main(int argc, char **argv)
while (PR_TRUE) {
cmdToRun = CMD_Interactive(&pkiutil);
if (cmdToRun == cmd_Help) {
- CMD_Usage(progName, &pkiutil);
+ CMD_InteractiveUsage(progName, &pkiutil);
continue;
} else if (cmdToRun < 0) {
break;
@@ -424,6 +442,13 @@ pkiutil_command_dispatcher(cmdCommand *pkiutil, int cmdToRun)
pkiutil->opt[opt_Chain].on,
&rtData);
break;
+ case cmd_Validate:
+ status = ValidateCert(td,
+ pkiutil->opt[opt_Nickname].arg,
+ pkiutil->opt[opt_Usages].arg,
+ pkiutil->opt[opt_Info].on,
+ &rtData);
+ break;
default:
status = PR_FAILURE;
break;
diff --git a/security/nss/cmd/pkiutil/pkiutil.h b/security/nss/cmd/pkiutil/pkiutil.h
index 482a5b8f5..813d4b593 100644
--- a/security/nss/cmd/pkiutil/pkiutil.h
+++ b/security/nss/cmd/pkiutil/pkiutil.h
@@ -57,6 +57,16 @@ DumpObject
);
PRStatus
+ValidateCert
+(
+ NSSTrustDomain *td,
+ char *nickname,
+ char *usages,
+ PRBool info,
+ CMDRunTimeData *rtData
+);
+
+PRStatus
DeleteOrphanedKeyPairs
(
NSSTrustDomain *td,