1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
14 * The Original Code is the Netscape security libraries.
16 * The Initial Developer of the Original Code is
17 * Netscape Communications Corporation.
18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
19 * the Initial Developer. All Rights Reserved.
21 * Contributor(s):
23 * Alternatively, the contents of this file may be used under the terms of
24 * either the GNU General Public License Version 2 or later (the "GPL"), or
25 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
26 * in which case the provisions of the GPL or the LGPL are applicable instead
27 * of those above. If you wish to allow use of your version of this file only
28 * under the terms of either the GPL or the LGPL, and not to allow others to
29 * use your version of this file under the terms of the MPL, indicate your
30 * decision by deleting the provisions above and replace them with the notice
31 * and other provisions required by the GPL or the LGPL. If you do not delete
32 * the provisions above, a recipient may use your version of this file under
33 * the terms of any one of the MPL, the GPL or the LGPL.
35 * ***** END LICENSE BLOCK ***** */
37 #include "signtool.h"
38 #include "pk11func.h"
39 #include "certdb.h"
/*
 * Number of certificates printed by the most recent slot traversal.
 * ListCerts() resets it to 0 before calling PK11_TraverseSlotCerts() and
 * cert_trav_callback() increments it for every certificate it prints.
 */
static int num_trav_certs = 0;

/* Per-certificate callback handed to PK11_TraverseSlotCerts(); see below. */
static SECStatus cert_trav_callback(CERTCertificate *cert, SECItem *k, void *data);
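/*********************************************************************
 *
 * L i s t C e r t s
 *
 * Prints the certificates found by traversing every slot, then, when
 * `key` is non-NULL, an analysis of the certificate with that nickname:
 * subject/issuer, whether its validity period has elapsed, and the
 * result of a full certUsageObjectSigner verification (with the
 * verification log displayed).
 *
 *   key         nickname of a certificate to analyse, or NULL.
 *   list_certs  1: object-signing certificates only, with issuer and
 *                  expiry detail printed by cert_trav_callback();
 *               2: every certificate, signing-capable ones flagged '*'.
 *
 * Returns 0 on success and -1 if the traversal failed, the named
 * certificate was not found, or it failed verification.
 *
 * Resource handling: the verify-log arena is released on every exit
 * path (the original leaked it on the traversal-failure return) and the
 * certificate reference obtained from PK11_FindCertFromNickname() is
 * dropped once it has been reported on.
 */
int
ListCerts(char *key, int list_certs)
{
    int failed = 0;
    SECStatus rv;
    CERTCertDBHandle *db;
    CERTCertificate *cert;
    CERTVerifyLog errlog;

    errlog.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (errlog.arena == NULL) {
        /* NOTE(review): the original falls through here too, so
         * out_of_memory() is presumed not to return — confirm in util.c. */
        out_of_memory();
    }
    errlog.head = NULL;
    errlog.tail = NULL;
    errlog.count = 0;

    db = CERT_GetDefaultCertDB();

    /* Column header for the listing produced by cert_trav_callback(). */
    if (list_certs == 2) {
        PR_fprintf(outputFD, "\nS Certificates\n");
        PR_fprintf(outputFD, "- ------------\n");
    } else {
        PR_fprintf(outputFD, "\nObject signing certificates\n");
        PR_fprintf(outputFD, "---------------------------------------\n");
    }

    num_trav_certs = 0;

    /* Traverse non-internal DBs; list_certs is passed through as the
     * callback's data pointer so it can pick the output format. */
    rv = PK11_TraverseSlotCerts(cert_trav_callback, (void *)&list_certs,
                                NULL /*wincx*/);
    if (rv != SECSuccess) {
        PR_fprintf(outputFD, "**Traverse of non-internal DBs failed**\n");
        failed = 1;
        goto done;
    }

    if (num_trav_certs == 0) {
        PR_fprintf(outputFD,
                   "You don't appear to have any object signing certificates.\n");
    }

    if (list_certs == 2) {
        PR_fprintf(outputFD, "- ------------\n");
    } else {
        PR_fprintf(outputFD, "---------------------------------------\n");
    }

    if (list_certs == 1) {
        PR_fprintf(outputFD,
                   "For a list including CA's, use \"%s -L\"\n", PROGRAM_NAME);
    }

    if (list_certs == 2) {
        PR_fprintf(outputFD,
                   "Certificates that can be used to sign objects have *'s to "
                   "their left.\n");
    }

    if (key) {
        /* Do an analysis of the given cert */
        cert = PK11_FindCertFromNickname(key, NULL /*wincx*/);

        if (cert) {
            PR_fprintf(outputFD,
                       "\nThe certificate with nickname \"%s\" was found:\n",
                       cert->nickname);
            PR_fprintf(outputFD, "\tsubject name: %s\n", cert->subjectName);
            PR_fprintf(outputFD, "\tissuer name: %s\n", cert->issuerName);
            PR_fprintf(outputFD, "\n");

            /* Validity window only; the chain check follows below. */
            rv = CERT_CertTimesValid(cert);
            if (rv != SECSuccess) {
                PR_fprintf(outputFD, "**This certificate is expired**\n");
            } else {
                PR_fprintf(outputFD, "This certificate is not expired.\n");
            }

            /* Full verification for object signing, collecting every
             * failure reason into errlog rather than stopping at the first. */
            rv = CERT_VerifyCert(db, cert, PR_TRUE,
                                 certUsageObjectSigner, PR_Now(), NULL, &errlog);
            if (rv != SECSuccess) {
                failed = 1;
                if (errlog.count > 0) {
                    PR_fprintf(outputFD,
                               "**Certificate validation failed for the "
                               "following reason(s):**\n");
                } else {
                    PR_fprintf(outputFD, "**Certificate validation failed**");
                }
            } else {
                PR_fprintf(outputFD, "This certificate is valid.\n");
            }
            displayVerifyLog(&errlog);

            /* Release the reference returned by PK11_FindCertFromNickname(). */
            CERT_DestroyCertificate(cert);
        } else {
            failed = 1;
            PR_fprintf(outputFD,
                       "The certificate with nickname \"%s\" was NOT FOUND\n", key);
        }
    }

done:
    if (errlog.arena != NULL) {
        PORT_FreeArena(errlog.arena, PR_FALSE);
    }

    return failed ? -1 : 0;
}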
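/*
 * Prints the detail lines that follow a certificate's nickname in list
 * mode 1: its issuer, its expiry date, and the outcome of validity and
 * chain checks for both the certificate and its issuer.
 *
 *   cert        the certificate being listed (borrowed, not released here).
 *   issuerCert  its issuer; must be non-NULL (borrowed, not released here).
 *   issuerCN    issuer common name, or NULL when it could not be extracted.
 *
 * The strings returned by DER_TimeChoiceDayToAscii() are freed here.
 */
static void
print_signing_cert_details(CERTCertificate *cert, CERTCertificate *issuerCert,
                           const char *issuerCN)
{
    char *expires;
    SECStatus rv;

    if (issuerCN == NULL) {
        PR_fprintf(outputFD, " Issued by: %s\n", issuerCert->nickname);
    } else {
        PR_fprintf(outputFD, " Issued by: %s (%s)\n", issuerCert->nickname,
                   issuerCN);
    }

    expires = DER_TimeChoiceDayToAscii(&cert->validity.notAfter);
    if (expires) {
        PR_fprintf(outputFD, " Expires: %s\n", expires);
        PORT_Free(expires);
    }

    /* An expired certificate is reported as such instead of being verified. */
    rv = CERT_CertTimesValid(cert);
    if (rv != SECSuccess) {
        PR_fprintf(outputFD, " ++ Error ++ THIS CERTIFICATE IS EXPIRED\n");
    } else {
        rv = CERT_VerifyCertNow(cert->dbhandle, cert,
                                PR_TRUE, certUsageObjectSigner, NULL);
        if (rv != SECSuccess) {
            PR_fprintf(outputFD,
                       " ++ Error ++ THIS CERTIFICATE IS NOT VALID (%s)\n",
                       secErrorString(PORT_GetError()));
        }
    }

    /* Same two checks for the issuer, which is verified as a CA. */
    expires = DER_TimeChoiceDayToAscii(&issuerCert->validity.notAfter);
    rv = CERT_CertTimesValid(issuerCert);
    if (rv != SECSuccess) {
        PR_fprintf(outputFD,
                   " ++ Error ++ ISSUER CERT \"%s\" EXPIRED ON %s\n",
                   issuerCert->nickname, expires ? expires : "(unknown)");
    } else {
        rv = CERT_VerifyCertNow(issuerCert->dbhandle, issuerCert,
                                PR_TRUE, certUsageVerifyCA, NULL);
        if (rv != SECSuccess) {
            PR_fprintf(outputFD,
                       " ++ Error ++ ISSUER CERT \"%s\" IS NOT VALID (%s)\n",
                       issuerCert->nickname, secErrorString(PORT_GetError()));
        }
    }
    if (expires) {
        PORT_Free(expires);
    }
}

/********************************************************************
 *
 * c e r t _ t r a v _ c a l l b a c k
 *
 * PK11_TraverseSlotCerts() callback: prints one certificate and counts
 * it in num_trav_certs. Certificates without a nickname are skipped.
 *
 *   cert  the certificate for this traversal step.
 *   k     unused here.
 *   data  pointer to the caller's list mode (int), or NULL meaning 1:
 *         1 lists object-signing certificates only, each followed by
 *           issuer/expiry/verification detail;
 *         2 lists every certificate, prefixed by '*' when it is an
 *           object-signing certificate.
 *
 * Always returns SECSuccess so the traversal continues; a certificate
 * that fails its checks is reported, not treated as a callback error.
 *
 * Compared to the original: the issuer certificate and issuer common
 * name are only looked up in mode 1 (mode 2 never used them, and the
 * mode-1 early return leaked them), and both are released before
 * returning.
 */
static SECStatus
cert_trav_callback(CERTCertificate *cert, SECItem *k, void *data)
{
    int list_certs = 1;
    int isSigningCert;
    char *issuerCN = NULL;
    CERTCertificate *issuerCert = NULL;

    (void)k;

    if (data) {
        list_certs = *((int *)data);
    }

    if (cert->nickname == NULL) {
        return SECSuccess;
    }

    isSigningCert = cert->nsCertType & NS_CERT_TYPE_OBJECT_SIGNING;

    /* Mode 1 lists only object-signing certificates. */
    if (!isSigningCert && list_certs == 1) {
        return SECSuccess;
    }

    /* Add this name to the list. */
    num_trav_certs++;
    if (list_certs == 2) {
        PR_fprintf(outputFD, "%s ", isSigningCert ? "*" : " ");
    }
    PR_fprintf(outputFD, "%s\n", cert->nickname);

    if (list_certs == 1) {
        issuerCert = CERT_FindCertIssuer(cert, PR_Now(), certUsageObjectSigner);
        if (issuerCert == NULL) {
            PR_fprintf(outputFD,
                       "\t++ Error ++ Unable to find issuer certificate\n");
            /* function was a success even if cert is bogus */
            return SECSuccess;
        }

        issuerCN = CERT_GetCommonName(&cert->issuer);
        print_signing_cert_details(cert, issuerCert, issuerCN);

        if (issuerCN) {
            PORT_Free(issuerCN);
        }
        CERT_DestroyCertificate(issuerCert);
    }

    return SECSuccess;
}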