Source code
Revision control
Copy as Markdown
Other Tools
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
/*
* ocspresp - self test for OCSP response creation
*/
#include "nspr.h"
#include "secutil.h"
#include "secpkcs7.h"
#include "cert.h"
#include "certdb.h"
#include "nss.h"
#include "pk11func.h"
#include "cryptohi.h"
#include "ocsp.h"
#if defined(XP_UNIX)
#include <unistd.h>
#endif
#include <stdio.h>
#include <string.h>
secuPWData pwdata = { PW_NONE, 0 };
static PRBool
getCaAndSubjectCert(CERTCertDBHandle *certHandle,
const char *caNick, const char *eeNick,
CERTCertificate **outCA, CERTCertificate **outCert)
{
*outCA = CERT_FindCertByNickname(certHandle, caNick);
*outCert = CERT_FindCertByNickname(certHandle, eeNick);
return *outCA && *outCert;
}
static SECItem *
encode(PLArenaPool *arena, CERTOCSPCertID *cid, CERTCertificate *ca)
{
SECItem *response;
PRTime now = PR_Now();
PRTime nextUpdate;
CERTOCSPSingleResponse **responses;
CERTOCSPSingleResponse *sr;
if (!arena)
return NULL;
nextUpdate = now + 10 * PR_USEC_PER_SEC; /* in the future */
sr = CERT_CreateOCSPSingleResponseGood(arena, cid, now, &nextUpdate);
/* meaning of value 2: one entry + one end marker */
responses = PORT_ArenaNewArray(arena, CERTOCSPSingleResponse *, 2);
if (responses == NULL)
return NULL;
responses[0] = sr;
responses[1] = NULL;
response = CERT_CreateEncodedOCSPSuccessResponse(
arena, ca, ocspResponderID_byName, now, responses, &pwdata);
return response;
}
static SECItem *
encodeRevoked(PLArenaPool *arena, CERTOCSPCertID *cid, CERTCertificate *ca)
{
SECItem *response;
PRTime now = PR_Now();
PRTime revocationTime;
CERTOCSPSingleResponse **responses;
CERTOCSPSingleResponse *sr;
if (!arena)
return NULL;
revocationTime = now - 10 * PR_USEC_PER_SEC; /* in the past */
sr = CERT_CreateOCSPSingleResponseRevoked(arena, cid, now, NULL,
revocationTime, NULL);
/* meaning of value 2: one entry + one end marker */
responses = PORT_ArenaNewArray(arena, CERTOCSPSingleResponse *, 2);
if (responses == NULL)
return NULL;
responses[0] = sr;
responses[1] = NULL;
response = CERT_CreateEncodedOCSPSuccessResponse(
arena, ca, ocspResponderID_byName, now, responses, &pwdata);
return response;
}
int
Usage(void)
{
PRFileDesc *pr_stderr = PR_STDERR;
PR_fprintf(pr_stderr, "ocspresp runs an internal selftest for OCSP response creation");
PR_fprintf(pr_stderr, "Usage:");
PR_fprintf(pr_stderr,
"\tocspresp <dbdir> <CA-nick> <EE-nick> [-p <pass>] [-f <file>]\n");
PR_fprintf(pr_stderr,
"\tdbdir: Find security databases in \"dbdir\"\n");
PR_fprintf(pr_stderr,
"\tCA-nick: nickname of a trusted CA certificate with private key\n");
PR_fprintf(pr_stderr,
"\tEE-nick: nickname of a entity cert issued by CA\n");
PR_fprintf(pr_stderr,
"\t-p: a password for db\n");
PR_fprintf(pr_stderr,
"\t-f: a filename containing the password for db\n");
return -1;
}
int
main(int argc, char **argv)
{
SECStatus rv;
int retval = -1;
CERTCertDBHandle *certHandle = NULL;
CERTCertificate *caCert = NULL, *cert = NULL;
CERTOCSPCertID *cid = NULL;
PLArenaPool *arena = NULL;
PRTime now = PR_Now();
SECItem *encoded = NULL;
CERTOCSPResponse *decoded = NULL;
SECItem *encodedRev = NULL;
CERTOCSPResponse *decodedRev = NULL;
SECItem *encodedFail = NULL;
CERTOCSPResponse *decodedFail = NULL;
CERTCertificate *obtainedSignerCert = NULL;
if (argc != 4 && argc != 6) {
return Usage();
}
if (argc == 6) {
if (!strcmp(argv[4], "-p")) {
pwdata.source = PW_PLAINTEXT;
pwdata.data = PORT_Strdup(argv[5]);
} else if (!strcmp(argv[4], "-f")) {
pwdata.source = PW_FROMFILE;
pwdata.data = PORT_Strdup(argv[5]);
} else
return Usage();
}
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
/*rv = NSS_Init(SECU_ConfigDirectory(NULL));*/
rv = NSS_Init(argv[1]);
if (rv != SECSuccess) {
SECU_PrintPRandOSError(argv[0]);
goto loser;
}
PK11_SetPasswordFunc(SECU_GetModulePassword);
certHandle = CERT_GetDefaultCertDB();
if (!certHandle)
goto loser;
if (!getCaAndSubjectCert(certHandle, argv[2], argv[3], &caCert, &cert))
goto loser;
cid = CERT_CreateOCSPCertID(cert, now);
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
encoded = encode(arena, cid, caCert);
PORT_Assert(encoded);
decoded = CERT_DecodeOCSPResponse(encoded);
PORT_CheckSuccess(CERT_GetOCSPResponseStatus(decoded));
PORT_CheckSuccess(CERT_VerifyOCSPResponseSignature(decoded, certHandle, &pwdata,
&obtainedSignerCert, caCert));
PORT_CheckSuccess(CERT_GetOCSPStatusForCertID(certHandle, decoded, cid,
obtainedSignerCert, now));
CERT_DestroyCertificate(obtainedSignerCert);
encodedRev = encodeRevoked(arena, cid, caCert);
PORT_Assert(encodedRev);
decodedRev = CERT_DecodeOCSPResponse(encodedRev);
PORT_CheckSuccess(CERT_GetOCSPResponseStatus(decodedRev));
PORT_CheckSuccess(CERT_VerifyOCSPResponseSignature(decodedRev, certHandle, &pwdata,
&obtainedSignerCert, caCert));
#ifdef DEBUG
{
rv = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
obtainedSignerCert, now);
PORT_Assert(rv == SECFailure);
PORT_Assert(PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE);
}
#else
(void)CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
obtainedSignerCert, now);
#endif
CERT_DestroyCertificate(obtainedSignerCert);
encodedFail = CERT_CreateEncodedOCSPErrorResponse(
arena, SEC_ERROR_OCSP_TRY_SERVER_LATER);
PORT_Assert(encodedFail);
decodedFail = CERT_DecodeOCSPResponse(encodedFail);
#ifdef DEBUG
{
rv = CERT_GetOCSPResponseStatus(decodedFail);
PORT_Assert(rv == SECFailure);
PORT_Assert(PORT_GetError() == SEC_ERROR_OCSP_TRY_SERVER_LATER);
}
#else
(void)CERT_GetOCSPResponseStatus(decodedFail);
#endif
retval = 0;
loser:
if (retval != 0)
SECU_PrintError(argv[0], "tests failed");
if (cid)
CERT_DestroyOCSPCertID(cid);
if (cert)
CERT_DestroyCertificate(cert);
if (caCert)
CERT_DestroyCertificate(caCert);
if (arena)
PORT_FreeArena(arena, PR_FALSE);
if (decoded)
CERT_DestroyOCSPResponse(decoded);
if (decodedRev)
CERT_DestroyOCSPResponse(decodedRev);
if (decodedFail)
CERT_DestroyOCSPResponse(decodedFail);
if (pwdata.data) {
PORT_Free(pwdata.data);
}
if (NSS_Shutdown() != SECSuccess) {
SECU_PrintError(argv[0], "NSS shutdown:");
if (retval == 0)
retval = -2;
}
return retval;
}