author | ian.mcgreer%sun.com <devnull@localhost> | 2002-09-06 16:10:32 +0000 |
---|---|---|
committer | ian.mcgreer%sun.com <devnull@localhost> | 2002-09-06 16:10:32 +0000 |
commit | 31c33c5087d39617e7a7a2a2bbf1564a5fad4089 (patch) | |
tree | acde2e002a02db87d23ee2e7281dea610ab25c8f /security/nss/cmd/pkiutil | |
parent | c0c3f6bf61c0fcd3ed60c62c859bc530e7d71e50 (diff) | |
download | nss-hg-31c33c5087d39617e7a7a2a2bbf1564a5fad4089.tar.gz |
first crack at certificate verification
Diffstat (limited to 'security/nss/cmd/pkiutil')
-rw-r--r-- | security/nss/cmd/pkiutil/pkiobject.c | 79 | ||||
-rw-r--r-- | security/nss/cmd/pkiutil/pkiutil.c | 33 | ||||
-rw-r--r-- | security/nss/cmd/pkiutil/pkiutil.h | 10 |
3 files changed, 84 insertions, 38 deletions
diff --git a/security/nss/cmd/pkiutil/pkiobject.c b/security/nss/cmd/pkiutil/pkiobject.c index 32547f6f7..7ba97a229 100644 --- a/security/nss/cmd/pkiutil/pkiobject.c +++ b/security/nss/cmd/pkiutil/pkiobject.c @@ -125,7 +125,7 @@ list_nickname_certs cert[0] = NSSTrustDomain_FindBestCertificateByNickname(td, nickname, NSSTime_Now(), - NSSUsage_Any, + NULL, NULL); cert[1] = NULL; certs = cert; @@ -251,7 +251,8 @@ dump_cert_chain PRUint32 i, j; NSSCertificate **chain, **chainp; - chain = NSSCertificate_BuildChain(c, NSSTime_Now(), NSSUsage_Any, + chain = NSSCertificate_BuildChain(c, NSSTime_Now(), + NULL, /* usage */ NULL, /* policies */ NULL, /* certs[] */ 0, /* rvLimit */ @@ -315,14 +316,14 @@ DumpObject if (chain) { c = NSSTrustDomain_FindBestCertificateByNickname(td, nickname, NSSTime_Now(), - NSSUsage_Any, + NULL, NULL); status = dump_cert_chain(td, c, rtData); NSSCertificate_Destroy(c); } else if (info) { c = NSSTrustDomain_FindBestCertificateByNickname(td, nickname, NSSTime_Now(), - NSSUsage_Any, + NULL, NULL); status = dump_cert_info(td, c, rtData); NSSCertificate_Destroy(c); 
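Review bot: In the DumpObject hunk the result of NSSTrustDomain_FindBestCertificateByNickname is handed to dump_cert_chain / dump_cert_info and then to NSSCertificate_Destroy without a NULL check, while the new ValidateCert in this same commit treats a NULL return from that lookup as a real outcome. An unknown nickname would therefore reach the dump helpers and Destroy with a NULL cert; whether those tolerate NULL is not visible here. A guard mirroring ValidateCert, `if (!c) { PR_fprintf(PR_STDERR, "Failed to locate cert %s\n", nickname); return PR_FAILURE; }`, after each lookup would make the behaviour explicit. DumpObject starts and ends outside this hunk, so the error-return convention of the rest of the function should be checked before adopting it.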
@@ -342,44 +343,54 @@ DumpObject return status; } -/* XXX make NSSItem methods public */ -#if 0 -static NSSItem * -read_input +PRStatus +ValidateCert ( - RunTimeData *rtData + NSSTrustDomain *td, + char *nickname, + char *usageStr, + PRBool info, + CMDRunTimeData *rtData ) { - PRFileInfo info; - PRInt32 numBytes; PRStatus status; - NSSItem *dest = NULL; - PRFileDesc *src = rtData->input.file; - /* XXX handle base64 input */ -#ifdef nodef - if (src == PR_STDIN) - return secu_StdinToItem(dst); -#endif - status = PR_GetOpenFileInfo(src, &info); - if (status != PR_SUCCESS) { - goto loser; - } - dest = PR_NEWZAP(NSSItem); - if (!dest) { - goto loser; + NSSCertificate *c; + char usage; + NSSUsages usages = { 0 }; + + if (usageStr) { + while ((usage = *usageStr++)) { + switch (usage) { + case 'c': usages.peer |= NSSUsage_SSLClient; break; + case 'v': usages.peer |= NSSUsage_SSLServer; break; + case 'r': usages.peer |= NSSUsage_EmailRecipient; break; + case 's': usages.peer |= NSSUsage_EmailSigner; break; + case 'C': usages.ca |= NSSUsage_SSLClient; break; + case 'V': usages.ca |= NSSUsage_SSLServer; break; + case 'R': usages.ca |= NSSUsage_EmailRecipient; break; + case 'S': usages.ca |= NSSUsage_EmailSigner; break; + } + } } - numBytes = PR_Read(src, dest->data, info.size); - if (numBytes != info.size) { - goto loser; + + c = NSSTrustDomain_FindBestCertificateByNickname(td, nickname, + NSSTime_Now(), + NULL, + NULL); + if (!c) { + PR_fprintf(PR_STDERR, "Failed to locate cert %s\n", nickname); + return PR_FAILURE; } - return PR_SUCCESS; -loser: - if (dest) { - PR_Free(dest); + + status = NSSCertificate_Validate(c, NSSTime_Now(), &usages, NULL); + if (status == PR_SUCCESS) { + PR_fprintf(PR_STDOUT, "Certificate validated.\n"); + } else { + PR_fprintf(PR_STDERR, "Validation failed.\n"); } - return PR_FAILURE; + + return status; } -#endif static PRStatus import_certificate 
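Review bot: The usage-letter switch in ValidateCert has no `default:` case, so any unrecognised character in `-u` is silently dropped; a typo such as `-u x` leaves `usages` all-zero, NSSCertificate_Validate is still called, and the tool prints "Certificate validated." for a check the user did not actually request. Add `default: PR_fprintf(PR_STDERR, "Unknown usage '%c'\n", usage); return PR_FAILURE;` so the command fails loudly instead. The certificate returned by the nickname lookup is also never released: unlike DumpObject, which calls NSSCertificate_Destroy, this function returns after Validate with `c` still referenced, so `NSSCertificate_Destroy(c);` belongs before `return status;`. The `info` and `rtData` parameters are accepted but never read, and the failure path reports only "Validation failed." without the underlying error, which makes a negative result hard to act on; at minimum the header comment should say what an empty or NULL usage string means, since that is not evident from the code.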
diff --git a/security/nss/cmd/pkiutil/pkiutil.c b/security/nss/cmd/pkiutil/pkiutil.c index c5e2fc64a..82642d73a 100644 --- a/security/nss/cmd/pkiutil/pkiutil.c +++ b/security/nss/cmd/pkiutil/pkiutil.c @@ -58,6 +58,7 @@ enum { cmd_Interactive, cmd_List, cmd_Print, + cmd_Validate, cmd_Version, pkiutil_num_commands }; @@ -77,6 +78,7 @@ enum { opt_Binary, opt_Trust, opt_Type, + opt_Usages, pkiutil_num_options }; @@ -97,9 +99,11 @@ static cmdCommandLineArg pkiutil_commands[] = { /* cmd_Delete */ 'D', "delete", CMDNoArg, 0, PR_FALSE, - { 0, 0, 0, 0 }, - { + { CMDBIT(opt_Nickname) | + 0, 0, 0 + }, + { CMDBIT(opt_ProfileDir) | CMDBIT(opt_Orphans) | CMDBIT(opt_TokenName), @@ -167,13 +171,26 @@ static cmdCommandLineArg pkiutil_commands[] = CMDBIT(opt_Chain) | CMDBIT(opt_Info) | CMDBIT(opt_ProfileDir) | - CMDBIT(opt_Nickname) | CMDBIT(opt_OutputFile) | CMDBIT(opt_Binary) | CMDBIT(opt_Type), 0, 0, 0 }, }, + { /* cmd_Validate */ + 'V', "validate", + CMDNoArg, 0, PR_FALSE, + { + CMDBIT(opt_Nickname), + 0, 0, 0 + }, + { + CMDBIT(opt_Info) | + CMDBIT(opt_ProfileDir) | + CMDBIT(opt_Usages) | + 0, 0, 0 + }, + }, { /* cmd_Version */ 0, "version", CMDNoArg, 0, PR_FALSE, @@ -197,6 +214,7 @@ static cmdCommandLineOpt pkiutil_options[] = { /* opt_Binary */ 'r', "raw", CMDNoArg }, { /* opt_Trust */ 't', "trust", CMDArgReq }, { /* opt_Type */ 0 , "type", CMDArgReq }, + { /* opt_Usages */ 'u', "usages", CMDArgReq }, }; void pkiutil_usage(cmdPrintState *ps, @@ -322,7 +340,7 @@ main(int argc, char **argv) while (PR_TRUE) { cmdToRun = CMD_Interactive(&pkiutil); if (cmdToRun == cmd_Help) { - CMD_Usage(progName, &pkiutil); + CMD_InteractiveUsage(progName, &pkiutil); continue; } else if (cmdToRun < 0) { break; 
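Review bot: The new cmd_Validate table entry lists CMDBIT(opt_Info) as an accepted option, but the ValidateCert it dispatches to (pkiobject.c in this commit) never reads its `info` argument, so `--info` is accepted and silently ignored on `validate`. Either drop `CMDBIT(opt_Info) |` from the entry until it does something, or note the intent with a comment such as `/* opt_Info accepted but not yet honoured by ValidateCert */`. The letters accepted by the new `-u`/`--usages` option (c, v, r, s for peer SSL client/server and email recipient/signer; upper-case for the CA variants) are defined only in the switch in pkiobject.c and appear nowhere in the option table or usage text, so a user has no way to discover them; a comment beside the `opt_Usages` line spelling out that legend, and the same text in pkiutil_usage, would fix that. pkiutil_usage and the required-option half of the cmd_Print entry are outside these hunks.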
@@ -424,6 +442,13 @@ pkiutil_command_dispatcher(cmdCommand *pkiutil, int cmdToRun) pkiutil->opt[opt_Chain].on, &rtData); break; + case cmd_Validate: + status = ValidateCert(td, + pkiutil->opt[opt_Nickname].arg, + pkiutil->opt[opt_Usages].arg, + pkiutil->opt[opt_Info].on, + &rtData); + break; default: status = PR_FAILURE; break; diff --git a/security/nss/cmd/pkiutil/pkiutil.h b/security/nss/cmd/pkiutil/pkiutil.h index 482a5b8f5..813d4b593 100644 --- a/security/nss/cmd/pkiutil/pkiutil.h +++ b/security/nss/cmd/pkiutil/pkiutil.h @@ -57,6 +57,16 @@ DumpObject ); PRStatus +ValidateCert +( + NSSTrustDomain *td, + char *nickname, + char *usages, + PRBool info, + CMDRunTimeData *rtData +); + +PRStatus DeleteOrphanedKeyPairs ( NSSTrustDomain *td, |
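Review bot: The prototype added to pkiutil.h names the third parameter `usages`, while the definition in pkiobject.c names it `usageStr`; the two should agree so the header is the one place a reader needs to look. The header also gives no hint that the argument is optional: the dispatcher passes `pkiutil->opt[opt_Usages].arg` straight through, which is NULL when `-u` is not given, and the definition then leaves its NSSUsages zeroed. A one-line note on the prototype, `/* usages: optional string of usage letters (c,v,r,s = peer; C,V,R,S = CA); NULL leaves the usage set empty */`, would document that contract where callers see it.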