Index: net/tools/cert_verify_tool/cert_verify_tool.cc |
diff --git a/net/tools/cert_verify_tool/cert_verify_tool.cc b/net/tools/cert_verify_tool/cert_verify_tool.cc |
index 794fb5e2a3c4ed96bd8a05f4687ba5b3ab96e6a7..53de7622fdc6b65d7ba7507350063533b8a33729 100644 |
--- a/net/tools/cert_verify_tool/cert_verify_tool.cc |
+++ b/net/tools/cert_verify_tool/cert_verify_tool.cc |
@@ -11,6 +11,7 @@ |
#include "base/time/time.h" |
#include "net/tools/cert_verify_tool/cert_verify_tool_util.h" |
#include "net/tools/cert_verify_tool/verify_using_cert_verify_proc.h" |
+#include "net/tools/cert_verify_tool/verify_using_path_builder.h" |
namespace { |
@@ -24,6 +25,10 @@ void PrintUsage(const char* argv0) { |
std::cerr << " --intermediates=<certs path>\n"; |
std::cerr << " <certs path> should be a file containing a single DER cert or " |
"one or more PEM CERTIFICATE blocks.\n"; |
+ std::cerr << " --time=<localtime>\n"; |
+ std::cerr << " Use <localtime> instead of the current system time.\n"; |
eroman
2016/07/07 00:07:19
can you add an explanation of what the format is?
mattm
2016/07/07 00:49:55
Done.
|
+ std::cerr << " --utctime=<utctime>\n"; |
+ std::cerr << " Use <utctime> instead of the current system time.\n"; |
eroman
2016/07/07 00:07:19
I would say that --time is sufficient, since it ca
mattm
2016/07/07 00:49:55
I switched to just having one flag since it simpli
|
std::cerr << " --dump=<file prefix>\n"; |
std::cerr << " Dumps the verified chain to PEM files starting with <file " |
"prefix>.\n"; |
@@ -59,6 +64,27 @@ int main(int argc, char** argv) { |
return 1; |
} |
+ base::Time verify_time; |
+ std::string time_flag = command_line.GetSwitchValueASCII("time"); |
+ std::string utctime_flag = command_line.GetSwitchValueASCII("utctime"); |
+ if (!time_flag.empty() && !utctime_flag.empty()) { |
+ std::cerr << "ERROR: Only one of --time and --utctime may be specified.\n"; |
+ return 1; |
+ } |
+ if (!time_flag.empty()) { |
+ if (!base::Time::FromString(time_flag.c_str(), &verify_time)) { |
+ std::cerr << "Error parsing --time flag\n"; |
+ return 1; |
+ } |
+ } else if (!utctime_flag.empty()) { |
+ if (!base::Time::FromUTCString(utctime_flag.c_str(), &verify_time)) { |
+ std::cerr << "Error parsing --utctime flag\n"; |
+ return 1; |
+ } |
+ } else { |
+ verify_time = base::Time::Now(); |
+ } |
+ |
base::FilePath roots_path = command_line.GetSwitchValuePath("roots"); |
base::FilePath intermediates_path = |
command_line.GetSwitchValuePath("intermediates"); |
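Review bot: A `--time=` or `--utctime=` passed with an empty value is indistinguishable from the flag being absent, because the branches at `if (!time_flag.empty())` / `else if (!utctime_flag.empty())` test the value rather than the switch's presence, so the tool silently falls back to `base::Time::Now()` instead of reporting a bad time. Checking presence with `command_line.HasSwitch("time")` (and likewise for `utctime`) before parsing would make the empty case fail loudly like any other malformed value, e.g. `if (command_line.HasSwitch("time")) { if (!base::Time::FromString(time_flag.c_str(), &verify_time)) { ... return 1; } }`. The enclosing `main` starts and ends outside this hunk.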
@@ -82,9 +108,20 @@ int main(int argc, char** argv) { |
} |
std::cout << "CertVerifyProc:\n"; |
- bool verify_ok = VerifyUsingCertVerifyProc(target_der_cert, hostname, |
- intermediate_der_certs, |
- root_der_certs, dump_prefix_path); |
+ bool cert_verify_proc_ok = true; |
+ if (!time_flag.empty() || !utctime_flag.empty()) { |
eroman
2016/07/07 00:07:19
nit: would !verify_time.is_null() be more concise?
mattm
2016/07/07 00:49:55
If the flags aren't present, verify_time is still
eroman
2016/07/07 01:21:44
acknowledged
|
+ std::cerr << "ERROR: --time/--utctime is not supported with " |
+ "CertVerifyProc, skipping.\n"; |
+ } else { |
+ cert_verify_proc_ok = VerifyUsingCertVerifyProc( |
+ target_der_cert, hostname, intermediate_der_certs, root_der_certs, |
+ dump_prefix_path); |
+ } |
+ |
+ std::cout << "\nCertPathBuilder:\n"; |
+ bool path_builder_ok = |
+ VerifyUsingPathBuilder(target_der_cert, intermediate_der_certs, |
+ root_der_certs, verify_time, dump_prefix_path); |
- return verify_ok ? 0 : 1; |
+ return (cert_verify_proc_ok && path_builder_ok) ? 0 : 1; |
} |
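Review bot: The skip path that prints `"ERROR: --time/--utctime is not supported with CertVerifyProc, skipping.\n"` labels a deliberate, non-fatal skip as an error while leaving `cert_verify_proc_ok` at `true`, so the process still exits 0 even though only one of the two verifiers ran and anyone scripting the tool to compare both cannot tell from the exit status. Either reword it to `WARNING:` or write it to stdout under the `CertVerifyProc:` header so the skip shows up in place of that section's result; if a skipped verifier should count as failure, set `cert_verify_proc_ok = false` there instead. Separately, `VerifyUsingPathBuilder` is called without `hostname`, so unless the path builder performs name matching internally (not visible here) the two outputs cover different checks — a short comment on the call such as `// Path-builder result does not include hostname matching.` would keep users from reading the two results as equivalent, if that is indeed the case.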