2018-05-04 16:08:28 +02:00
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* ocspresp - self test for OCSP response creation
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "nspr.h"
|
|
|
|
#include "secutil.h"
|
|
|
|
#include "secpkcs7.h"
|
|
|
|
#include "cert.h"
|
|
|
|
#include "certdb.h"
|
|
|
|
#include "nss.h"
|
|
|
|
#include "pk11func.h"
|
|
|
|
#include "cryptohi.h"
|
|
|
|
#include "ocsp.h"
|
|
|
|
|
|
|
|
#if defined(XP_UNIX)
|
|
|
|
#include <unistd.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
secuPWData pwdata = { PW_NONE, 0 };
|
|
|
|
|
|
|
|
static PRBool
|
|
|
|
getCaAndSubjectCert(CERTCertDBHandle *certHandle,
|
|
|
|
const char *caNick, const char *eeNick,
|
|
|
|
CERTCertificate **outCA, CERTCertificate **outCert)
|
|
|
|
{
|
|
|
|
*outCA = CERT_FindCertByNickname(certHandle, caNick);
|
|
|
|
*outCert = CERT_FindCertByNickname(certHandle, eeNick);
|
|
|
|
return *outCA && *outCert;
|
|
|
|
}
|
|
|
|
|
|
|
|
static SECItem *
|
|
|
|
encode(PLArenaPool *arena, CERTOCSPCertID *cid, CERTCertificate *ca)
|
|
|
|
{
|
|
|
|
SECItem *response;
|
|
|
|
PRTime now = PR_Now();
|
|
|
|
PRTime nextUpdate;
|
|
|
|
CERTOCSPSingleResponse **responses;
|
|
|
|
CERTOCSPSingleResponse *sr;
|
|
|
|
|
|
|
|
if (!arena)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
nextUpdate = now + 10 * PR_USEC_PER_SEC; /* in the future */
|
|
|
|
|
|
|
|
sr = CERT_CreateOCSPSingleResponseGood(arena, cid, now, &nextUpdate);
|
|
|
|
|
|
|
|
/* meaning of value 2: one entry + one end marker */
|
|
|
|
responses = PORT_ArenaNewArray(arena, CERTOCSPSingleResponse*, 2);
|
|
|
|
if (responses == NULL)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
responses[0] = sr;
|
|
|
|
responses[1] = NULL;
|
|
|
|
|
|
|
|
response = CERT_CreateEncodedOCSPSuccessResponse(
|
|
|
|
arena, ca, ocspResponderID_byName, now, responses, &pwdata);
|
|
|
|
|
|
|
|
return response;
|
|
|
|
}
|
|
|
|
|
|
|
|
static SECItem *
|
|
|
|
encodeRevoked(PLArenaPool *arena, CERTOCSPCertID *cid, CERTCertificate *ca)
|
|
|
|
{
|
|
|
|
SECItem *response;
|
|
|
|
PRTime now = PR_Now();
|
|
|
|
PRTime revocationTime;
|
|
|
|
CERTOCSPSingleResponse **responses;
|
|
|
|
CERTOCSPSingleResponse *sr;
|
|
|
|
|
|
|
|
if (!arena)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
revocationTime = now - 10 * PR_USEC_PER_SEC; /* in the past */
|
|
|
|
|
|
|
|
sr = CERT_CreateOCSPSingleResponseRevoked(arena, cid, now, NULL,
|
|
|
|
revocationTime, NULL);
|
|
|
|
|
|
|
|
/* meaning of value 2: one entry + one end marker */
|
|
|
|
responses = PORT_ArenaNewArray(arena, CERTOCSPSingleResponse*, 2);
|
|
|
|
if (responses == NULL)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
responses[0] = sr;
|
|
|
|
responses[1] = NULL;
|
|
|
|
|
|
|
|
response = CERT_CreateEncodedOCSPSuccessResponse(
|
|
|
|
arena, ca, ocspResponderID_byName, now, responses, &pwdata);
|
|
|
|
|
|
|
|
return response;
|
|
|
|
}
|
|
|
|
|
|
|
|
int Usage(void)
|
|
|
|
{
|
|
|
|
PRFileDesc *pr_stderr = PR_STDERR;
|
|
|
|
PR_fprintf (pr_stderr, "ocspresp runs an internal selftest for OCSP response creation");
|
|
|
|
PR_fprintf (pr_stderr, "Usage:");
|
|
|
|
PR_fprintf (pr_stderr,
|
|
|
|
"\tocspresp <dbdir> <CA-nick> <EE-nick> [-p <pass>] [-f <file>]\n");
|
|
|
|
PR_fprintf (pr_stderr,
|
|
|
|
"\tdbdir: Find security databases in \"dbdir\"\n");
|
|
|
|
PR_fprintf (pr_stderr,
|
|
|
|
"\tCA-nick: nickname of a trusted CA certificate with private key\n");
|
|
|
|
PR_fprintf (pr_stderr,
|
|
|
|
"\tEE-nick: nickname of a entity cert issued by CA\n");
|
|
|
|
PR_fprintf (pr_stderr,
|
|
|
|
"\t-p: a password for db\n");
|
|
|
|
PR_fprintf (pr_stderr,
|
|
|
|
"\t-f: a filename containing the password for db\n");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
main(int argc, char **argv)
|
|
|
|
{
|
|
|
|
SECStatus rv;
|
|
|
|
int retval = -1;
|
|
|
|
CERTCertDBHandle *certHandle = NULL;
|
|
|
|
CERTCertificate *caCert = NULL, *cert = NULL;
|
|
|
|
CERTOCSPCertID *cid = NULL;
|
|
|
|
PLArenaPool *arena = NULL;
|
|
|
|
PRTime now = PR_Now();
|
|
|
|
|
|
|
|
SECItem *encoded = NULL;
|
|
|
|
CERTOCSPResponse *decoded = NULL;
|
|
|
|
|
|
|
|
SECItem *encodedRev = NULL;
|
|
|
|
CERTOCSPResponse *decodedRev = NULL;
|
|
|
|
|
|
|
|
SECItem *encodedFail = NULL;
|
|
|
|
CERTOCSPResponse *decodedFail = NULL;
|
|
|
|
|
|
|
|
CERTCertificate *obtainedSignerCert = NULL;
|
|
|
|
|
|
|
|
if (argc != 4 && argc != 6) {
|
|
|
|
return Usage();
|
|
|
|
}
|
|
|
|
|
|
|
|
if (argc == 6) {
|
|
|
|
if (!strcmp(argv[4], "-p")) {
|
|
|
|
pwdata.source = PW_PLAINTEXT;
|
|
|
|
pwdata.data = PORT_Strdup(argv[5]);
|
|
|
|
}
|
|
|
|
else if (!strcmp(argv[4], "-f")) {
|
|
|
|
pwdata.source = PW_FROMFILE;
|
|
|
|
pwdata.data = PORT_Strdup(argv[5]);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
return Usage();
|
|
|
|
}
|
|
|
|
|
|
|
|
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
|
|
|
|
/*rv = NSS_Init(SECU_ConfigDirectory(NULL));*/
|
|
|
|
rv = NSS_Init(argv[1]);
|
|
|
|
if (rv != SECSuccess) {
|
|
|
|
SECU_PrintPRandOSError(argv[0]);
|
|
|
|
goto loser;
|
|
|
|
}
|
|
|
|
|
|
|
|
PK11_SetPasswordFunc(SECU_GetModulePassword);
|
|
|
|
|
|
|
|
certHandle = CERT_GetDefaultCertDB();
|
|
|
|
if (!certHandle)
|
|
|
|
goto loser;
|
|
|
|
|
|
|
|
if (!getCaAndSubjectCert(certHandle, argv[2], argv[3], &caCert, &cert))
|
|
|
|
goto loser;
|
|
|
|
|
|
|
|
cid = CERT_CreateOCSPCertID(cert, now);
|
|
|
|
|
|
|
|
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
|
|
|
encoded = encode(arena, cid, caCert);
|
|
|
|
PORT_Assert(encoded);
|
|
|
|
decoded = CERT_DecodeOCSPResponse(encoded);
|
cherry-picked mozilla NSS upstream changes (to rev bad5fd065fa1, which is on par with 3.20):
bug1001332, 56b691c003ad, bug1086145, bug1054069, bug1155922, bug991783, bug1125025, bug1162521, bug1162644, bug1132941, bug1164364, bug1166205, bug1166163, bug1166515, bug1138554, bug1167046, bug1167043, bug1169451, bug1172128, bug1170322, bug102794, bug1128184, bug557830, bug1174648, bug1180244, bug1177784, bug1173413, bug1169174, bug1084669, bug951455, bug1183395, bug1177430, bug1183827, bug1160139, bug1154106, bug1142209, bug1185033, bug1193467, bug1182667(with sha512 changes backed out, which breaks VC6 compilation), bug1158489, bug337796
2018-07-12 15:44:51 +02:00
|
|
|
PORT_CheckSuccess(CERT_GetOCSPResponseStatus(decoded));
|
|
|
|
|
|
|
|
PORT_CheckSuccess(CERT_VerifyOCSPResponseSignature(decoded, certHandle, &pwdata,
|
|
|
|
&obtainedSignerCert, caCert));
|
|
|
|
PORT_CheckSuccess(CERT_GetOCSPStatusForCertID(certHandle, decoded, cid,
|
|
|
|
obtainedSignerCert, now));
|
2018-05-04 16:08:28 +02:00
|
|
|
CERT_DestroyCertificate(obtainedSignerCert);
|
|
|
|
|
|
|
|
encodedRev = encodeRevoked(arena, cid, caCert);
|
|
|
|
PORT_Assert(encodedRev);
|
|
|
|
decodedRev = CERT_DecodeOCSPResponse(encodedRev);
|
cherry-picked mozilla NSS upstream changes (to rev bad5fd065fa1, which is on par with 3.20):
bug1001332, 56b691c003ad, bug1086145, bug1054069, bug1155922, bug991783, bug1125025, bug1162521, bug1162644, bug1132941, bug1164364, bug1166205, bug1166163, bug1166515, bug1138554, bug1167046, bug1167043, bug1169451, bug1172128, bug1170322, bug102794, bug1128184, bug557830, bug1174648, bug1180244, bug1177784, bug1173413, bug1169174, bug1084669, bug951455, bug1183395, bug1177430, bug1183827, bug1160139, bug1154106, bug1142209, bug1185033, bug1193467, bug1182667(with sha512 changes backed out, which breaks VC6 compilation), bug1158489, bug337796
2018-07-12 15:44:51 +02:00
|
|
|
PORT_CheckSuccess(CERT_GetOCSPResponseStatus(decodedRev));
|
2018-05-04 16:08:28 +02:00
|
|
|
|
cherry-picked mozilla NSS upstream changes (to rev bad5fd065fa1, which is on par with 3.20):
bug1001332, 56b691c003ad, bug1086145, bug1054069, bug1155922, bug991783, bug1125025, bug1162521, bug1162644, bug1132941, bug1164364, bug1166205, bug1166163, bug1166515, bug1138554, bug1167046, bug1167043, bug1169451, bug1172128, bug1170322, bug102794, bug1128184, bug557830, bug1174648, bug1180244, bug1177784, bug1173413, bug1169174, bug1084669, bug951455, bug1183395, bug1177430, bug1183827, bug1160139, bug1154106, bug1142209, bug1185033, bug1193467, bug1182667(with sha512 changes backed out, which breaks VC6 compilation), bug1158489, bug337796
2018-07-12 15:44:51 +02:00
|
|
|
PORT_CheckSuccess(CERT_VerifyOCSPResponseSignature(decodedRev, certHandle, &pwdata,
|
|
|
|
&obtainedSignerCert, caCert));
|
|
|
|
#ifdef DEBUG
|
|
|
|
{
|
|
|
|
SECStatus rv = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
|
2018-05-04 16:08:28 +02:00
|
|
|
obtainedSignerCert, now);
|
cherry-picked mozilla NSS upstream changes (to rev bad5fd065fa1, which is on par with 3.20):
bug1001332, 56b691c003ad, bug1086145, bug1054069, bug1155922, bug991783, bug1125025, bug1162521, bug1162644, bug1132941, bug1164364, bug1166205, bug1166163, bug1166515, bug1138554, bug1167046, bug1167043, bug1169451, bug1172128, bug1170322, bug102794, bug1128184, bug557830, bug1174648, bug1180244, bug1177784, bug1173413, bug1169174, bug1084669, bug951455, bug1183395, bug1177430, bug1183827, bug1160139, bug1154106, bug1142209, bug1185033, bug1193467, bug1182667(with sha512 changes backed out, which breaks VC6 compilation), bug1158489, bug337796
2018-07-12 15:44:51 +02:00
|
|
|
PORT_Assert(rv == SECFailure);
|
|
|
|
PORT_Assert(PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE);
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
(void)CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
|
|
|
|
obtainedSignerCert, now);
|
|
|
|
#endif
|
2018-05-04 16:08:28 +02:00
|
|
|
CERT_DestroyCertificate(obtainedSignerCert);
|
|
|
|
|
|
|
|
encodedFail = CERT_CreateEncodedOCSPErrorResponse(
|
|
|
|
arena, SEC_ERROR_OCSP_TRY_SERVER_LATER);
|
|
|
|
PORT_Assert(encodedFail);
|
|
|
|
decodedFail = CERT_DecodeOCSPResponse(encodedFail);
|
cherry-picked mozilla NSS upstream changes (to rev bad5fd065fa1, which is on par with 3.20):
bug1001332, 56b691c003ad, bug1086145, bug1054069, bug1155922, bug991783, bug1125025, bug1162521, bug1162644, bug1132941, bug1164364, bug1166205, bug1166163, bug1166515, bug1138554, bug1167046, bug1167043, bug1169451, bug1172128, bug1170322, bug102794, bug1128184, bug557830, bug1174648, bug1180244, bug1177784, bug1173413, bug1169174, bug1084669, bug951455, bug1183395, bug1177430, bug1183827, bug1160139, bug1154106, bug1142209, bug1185033, bug1193467, bug1182667(with sha512 changes backed out, which breaks VC6 compilation), bug1158489, bug337796
2018-07-12 15:44:51 +02:00
|
|
|
#ifdef DEBUG
|
|
|
|
{
|
|
|
|
SECStatus rv = CERT_GetOCSPResponseStatus(decodedFail);
|
|
|
|
PORT_Assert(rv == SECFailure);
|
|
|
|
PORT_Assert(PORT_GetError() == SEC_ERROR_OCSP_TRY_SERVER_LATER);
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
(void)CERT_GetOCSPResponseStatus(decodedFail);
|
|
|
|
#endif
|
2018-05-04 16:08:28 +02:00
|
|
|
retval = 0;
|
|
|
|
loser:
|
|
|
|
if (retval != 0)
|
|
|
|
SECU_PrintError(argv[0], "tests failed");
|
|
|
|
|
|
|
|
if (cid)
|
|
|
|
CERT_DestroyOCSPCertID(cid);
|
|
|
|
if (cert)
|
|
|
|
CERT_DestroyCertificate(cert);
|
|
|
|
if (caCert)
|
|
|
|
CERT_DestroyCertificate(caCert);
|
|
|
|
if (arena)
|
|
|
|
PORT_FreeArena(arena, PR_FALSE);
|
|
|
|
if (decoded)
|
|
|
|
CERT_DestroyOCSPResponse(decoded);
|
|
|
|
if (decodedRev)
|
|
|
|
CERT_DestroyOCSPResponse(decodedRev);
|
|
|
|
if (decodedFail)
|
|
|
|
CERT_DestroyOCSPResponse(decodedFail);
|
|
|
|
if (pwdata.data) {
|
|
|
|
PORT_Free(pwdata.data);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (NSS_Shutdown() != SECSuccess) {
|
|
|
|
SECU_PrintError(argv[0], "NSS shutdown:");
|
|
|
|
if (retval == 0)
|
|
|
|
retval = -2;
|
|
|
|
}
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|