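/*
 * Verify the certificate nicknamed CERT_NICKNAME from a read-only NSS
 * database twice: once with the libpkix verifier (CERT_PKIXVerifyCert, local
 * CRL checking only) and once with the legacy verifier (CERT_VerifyCertNow).
 * Each result is printed; NSS/NSPR error codes are appended on failure.
 *
 * Neither call binds the certificate to a host name; that is a separate
 * check (CERT_VerifyCertName) and is outside what this program tests.
 */
/* <stdio.h>/<stdlib.h> reconstructed: the listing lost the angle-bracket
   include names (printf/exit are used below). */
#include <stdio.h>
#include <stdlib.h>

#include "nspr.h"
#include "nss.h"
#include "ssl.h"
#include "cert.h"
#include "certt.h"
#include "pk11pub.h"
#include "secerr.h"
#include "prerror.h"
#include "sslerr.h"

#define NSS_DB_PATH "./NSSDB"
#define CERT_NICKNAME "EE"

/*
 * Append the pending NSPR/NSS error and OS error (when non-zero) to the
 * current output line, then end the line. Callers print their own message
 * first and rely on this function for the trailing newline.
 */
void printError(void)
{
    int e = PR_GetError();
    if (e != 0)
        printf("\tError = %d", e);

    /* Read the OS error once; the original re-read it for printing. */
    int ose = PR_GetOSError();
    if (ose != 0)
        printf("\tOS Error = %d", ose);

    /* Named constant from secerr.h instead of the literal -8172. */
    if (e == SEC_ERROR_UNTRUSTED_ISSUER)
        printf("\tSEC_ERROR_UNTRUSTED_ISSUER Peer's certificate issuer has been marked as not trusted by the user.");

    printf("\n");
}

/*
 * Verify `cert` for SSL-server usage with the libpkix verifier.
 *
 * Revocation policy: only the CRL method is enabled, and it may use local
 * (database) CRLs only - network fetching is forbidden. No
 * CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO / CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE
 * bit is set, so a certificate whose CRL is absent from the DB is not
 * rejected on that account (soft-fail); confirm that is the intended policy.
 *
 * Prints PASSED/FAILED; on failure the NSS error is appended via printError().
 */
void newFn(CERTCertificate *cert)
{
    /* One flag word per defined method, indexed by CERTRevocationMethodIndex;
       cert_revocation_method_crl is the only method defined here. */
    PRUint64 flags[] = {
        CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FORBID_NETWORK_FETCHING
    };
    CERTRevocationMethodIndex mthds[] = { cert_revocation_method_crl };

    /* Zero-initialize: the original never set cert_rev_method_independent_flags,
       so CERT_PKIXVerifyCert read an uninitialized field. */
    CERTRevocationFlags rev = {0};
    rev.leafTests.number_of_defined_methods = sizeof flags / sizeof flags[0];
    rev.leafTests.cert_rev_flags_per_method = flags;
    rev.leafTests.number_of_preferred_methods = sizeof mthds / sizeof mthds[0];
    rev.leafTests.preferred_methods = mthds;
    rev.chainTests = rev.leafTests;

    CERTValInParam paramsIn[2] = {0};
    paramsIn[0].type = cert_pi_revocationFlags;
    paramsIn[0].value.pointer.revocation = &rev;
    paramsIn[1].type = cert_pi_end;

    CERTValOutParam paramsOut[1] = {0};
    paramsOut[0].type = cert_po_end;

    SECCertificateUsage usages = certificateUsageSSLServer;
    SECStatus status = CERT_PKIXVerifyCert(cert, usages, paramsIn, paramsOut, NULL);
    if (status != SECSuccess) {
        printf("ERROR: CERT_PKIXVerifyCert(EE) - FAILED !!\n");
        printError();
    } else {
        printf("CERT_PKIXVerifyCert(EE) - PASSED.\n");
    }
}

/*
 * Verify `cert` for SSL-server usage with the legacy verifier
 * (CERT_VerifyCertNow), signature checking enabled, against the default
 * certificate DB. Prints PASSED/FAILED; on failure the NSS error is appended.
 */
void oldFn(CERTCertificate *cert)
{
    SECCertUsage usage = certUsageSSLServer;
    CERTCertDBHandle *handle = CERT_GetDefaultCertDB();

    /* PR_TRUE: verify chain signatures, not just trust flags. */
    SECStatus status = CERT_VerifyCertNow(handle, cert, PR_TRUE, usage, NULL);
    if (status != SECSuccess) {
        printf("ERROR: CERT_VerifyCertNow(EE) - FAILED !!\n");
        printError();
    } else {
        printf("CERT_VerifyCertNow(EE) - PASSED.\n");
    }
}

/*
 * Initialize NSPR and NSS (read-only DB at NSS_DB_PATH, no password
 * callback), look up CERT_NICKNAME, run both verifiers, then release the
 * certificate and shut NSS/NSPR down on every path.
 *
 * Returns 0 on success, -1 if initialization, the lookup or NSS_Shutdown
 * fails (the original exit(-1) status is preserved). Verification failures
 * are reported but do not change the exit status, as before.
 */
int main(int argc, char **argv)
{
    int rc = -1;
    CERTCertificate *cert = NULL;

    (void)argc;
    (void)argv;

    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
    PK11_ConfigurePKCS11(NULL, NULL, NULL, "internal", NULL, NULL, NULL, NULL, 8, 1);
    PK11_SetPasswordFunc(NULL);

    SECStatus status = NSS_Initialize(NSS_DB_PATH, "", "", "secmod.db", NSS_INIT_READONLY);
    if (status != SECSuccess) {
        printf("ERROR in NSS_Initialize");
        printError();
        goto out;
    }

    cert = PK11_FindCertFromNickname(CERT_NICKNAME, NULL);
    if (cert == NULL) {
        printf("ERROR : PK11_FindCertFromNickname returned NULL cert");
        printError();
        goto out_shutdown;
    }

    newFn(cert);
    oldFn(cert);
    rc = 0;

    /* The original leaked the certificate reference and never shut down NSS. */
    CERT_DestroyCertificate(cert);
out_shutdown:
    if (NSS_Shutdown() != SECSuccess) {
        printf("ERROR in NSS_Shutdown");
        printError();
        rc = -1;
    }
out:
    PR_Cleanup();
    return rc;
}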