2008-06-06 05:40:11 -07:00
|
|
|
/* ***** BEGIN LICENSE BLOCK *****
|
|
|
|
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
|
|
|
*
|
|
|
|
* The contents of this file are subject to the Mozilla Public License Version
|
|
|
|
* 1.1 (the "License"); you may not use this file except in compliance with
|
|
|
|
* the License. You may obtain a copy of the License at
|
|
|
|
* http://www.mozilla.org/MPL/
|
|
|
|
*
|
|
|
|
* Software distributed under the License is distributed on an "AS IS" basis,
|
|
|
|
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
|
|
|
* for the specific language governing rights and limitations under the
|
|
|
|
* License.
|
|
|
|
*
|
|
|
|
* The Original Code is the Netscape security libraries.
|
|
|
|
*
|
|
|
|
* The Initial Developer of the Original Code is
|
|
|
|
* Netscape Communications Corporation.
|
|
|
|
* Portions created by the Initial Developer are Copyright (C) 1994-2000
|
|
|
|
* the Initial Developer. All Rights Reserved.
|
|
|
|
*
|
|
|
|
* Contributor(s):
|
|
|
|
*
|
|
|
|
* Alternatively, the contents of this file may be used under the terms of
|
|
|
|
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
|
|
|
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
|
|
|
* in which case the provisions of the GPL or the LGPL are applicable instead
|
|
|
|
* of those above. If you wish to allow use of your version of this file only
|
|
|
|
* under the terms of either the GPL or the LGPL, and not to allow others to
|
|
|
|
* use your version of this file under the terms of the MPL, indicate your
|
|
|
|
* decision by deleting the provisions above and replace them with the notice
|
|
|
|
* and other provisions required by the GPL or the LGPL. If you do not delete
|
|
|
|
* the provisions above, a recipient may use your version of this file under
|
|
|
|
* the terms of any one of the MPL, the GPL or the LGPL.
|
|
|
|
*
|
|
|
|
* ***** END LICENSE BLOCK ***** */
|
|
|
|
|
|
|
|
#ifdef DEBUG
|
2009-08-19 06:59:06 -07:00
|
|
|
static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.97 $ $Date: 2009/07/30 22:43:32 $";
|
2008-06-06 05:40:11 -07:00
|
|
|
#endif /* DEBUG */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Hacks to integrate NSS 3.4 and NSS 4.0 certificates.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef NSSPKI_H
|
|
|
|
#include "nsspki.h"
|
|
|
|
#endif /* NSSPKI_H */
|
|
|
|
|
|
|
|
#ifndef PKI_H
|
|
|
|
#include "pki.h"
|
|
|
|
#endif /* PKI_H */
|
|
|
|
|
|
|
|
#ifndef PKIM_H
|
|
|
|
#include "pkim.h"
|
|
|
|
#endif /* PKIM_H */
|
|
|
|
|
|
|
|
#ifndef DEV_H
|
|
|
|
#include "dev.h"
|
|
|
|
#endif /* DEV_H */
|
|
|
|
|
|
|
|
#ifndef DEVNSS3HACK_H
|
|
|
|
#include "dev3hack.h"
|
|
|
|
#endif /* DEVNSS3HACK_H */
|
|
|
|
|
|
|
|
#ifndef PKINSS3HACK_H
|
|
|
|
#include "pki3hack.h"
|
|
|
|
#endif /* PKINSS3HACK_H */
|
|
|
|
|
|
|
|
#include "secitem.h"
|
|
|
|
#include "certdb.h"
|
|
|
|
#include "certt.h"
|
|
|
|
#include "cert.h"
|
|
|
|
#include "certi.h"
|
|
|
|
#include "pk11func.h"
|
|
|
|
#include "pkistore.h"
|
|
|
|
#include "secmod.h"
|
|
|
|
#include "nssrwlk.h"
|
|
|
|
|
|
|
|
NSSTrustDomain *g_default_trust_domain = NULL;
|
|
|
|
|
|
|
|
NSSCryptoContext *g_default_crypto_context = NULL;
|
|
|
|
|
|
|
|
NSSTrustDomain *
|
|
|
|
STAN_GetDefaultTrustDomain()
|
|
|
|
{
|
|
|
|
return g_default_trust_domain;
|
|
|
|
}
|
|
|
|
|
|
|
|
NSSCryptoContext *
|
|
|
|
STAN_GetDefaultCryptoContext()
|
|
|
|
{
|
|
|
|
return g_default_crypto_context;
|
|
|
|
}
|
|
|
|
|
|
|
|
extern const NSSError NSS_ERROR_ALREADY_INITIALIZED;
|
|
|
|
extern const NSSError NSS_ERROR_INTERNAL_ERROR;
|
|
|
|
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
|
|
STAN_InitTokenForSlotInfo(NSSTrustDomain *td, PK11SlotInfo *slot)
|
|
|
|
{
|
|
|
|
NSSToken *token;
|
|
|
|
if (!td) {
|
|
|
|
td = g_default_trust_domain;
|
|
|
|
}
|
|
|
|
token = nssToken_CreateFromPK11SlotInfo(td, slot);
|
|
|
|
PK11Slot_SetNSSToken(slot, token);
|
2008-08-14 21:12:54 -07:00
|
|
|
/* Don't add non-existent token to TD's token list */
|
|
|
|
if (token) {
|
|
|
|
NSSRWLock_LockWrite(td->tokensLock);
|
|
|
|
nssList_Add(td->tokenList, token);
|
|
|
|
NSSRWLock_UnlockWrite(td->tokensLock);
|
|
|
|
}
|
2008-06-06 05:40:11 -07:00
|
|
|
return PR_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
|
|
STAN_ResetTokenInterator(NSSTrustDomain *td)
|
|
|
|
{
|
|
|
|
if (!td) {
|
|
|
|
td = g_default_trust_domain;
|
|
|
|
}
|
|
|
|
NSSRWLock_LockWrite(td->tokensLock);
|
|
|
|
nssListIterator_Destroy(td->tokens);
|
|
|
|
td->tokens = nssList_CreateIterator(td->tokenList);
|
|
|
|
NSSRWLock_UnlockWrite(td->tokensLock);
|
|
|
|
return PR_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
|
|
STAN_LoadDefaultNSS3TrustDomain (
|
|
|
|
void
|
|
|
|
)
|
|
|
|
{
|
|
|
|
NSSTrustDomain *td;
|
|
|
|
SECMODModuleList *mlp;
|
|
|
|
SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
|
|
|
|
int i;
|
|
|
|
|
|
|
|
if (g_default_trust_domain || g_default_crypto_context) {
|
|
|
|
/* Stan is already initialized or a previous shutdown failed. */
|
|
|
|
nss_SetError(NSS_ERROR_ALREADY_INITIALIZED);
|
|
|
|
return PR_FAILURE;
|
|
|
|
}
|
|
|
|
td = NSSTrustDomain_Create(NULL, NULL, NULL, NULL);
|
|
|
|
if (!td) {
|
|
|
|
return PR_FAILURE;
|
|
|
|
}
|
|
|
|
/*
|
|
|
|
* Deadlock warning: we should never acquire the moduleLock while
|
|
|
|
* we hold the tokensLock. We can use the NSSRWLock Rank feature to
|
|
|
|
* guarrentee this. tokensLock have a higher rank than module lock.
|
|
|
|
*/
|
|
|
|
td->tokenList = nssList_Create(td->arena, PR_TRUE);
|
|
|
|
if (!td->tokenList) {
|
|
|
|
goto loser;
|
|
|
|
}
|
|
|
|
SECMOD_GetReadLock(moduleLock);
|
|
|
|
NSSRWLock_LockWrite(td->tokensLock);
|
|
|
|
for (mlp = SECMOD_GetDefaultModuleList(); mlp != NULL; mlp=mlp->next) {
|
|
|
|
for (i=0; i < mlp->module->slotCount; i++) {
|
|
|
|
STAN_InitTokenForSlotInfo(td, mlp->module->slots[i]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
td->tokens = nssList_CreateIterator(td->tokenList);
|
|
|
|
NSSRWLock_UnlockWrite(td->tokensLock);
|
|
|
|
SECMOD_ReleaseReadLock(moduleLock);
|
|
|
|
if (!td->tokens) {
|
|
|
|
goto loser;
|
|
|
|
}
|
|
|
|
g_default_crypto_context = NSSTrustDomain_CreateCryptoContext(td, NULL);
|
|
|
|
if (!g_default_crypto_context) {
|
|
|
|
goto loser;
|
|
|
|
}
|
|
|
|
g_default_trust_domain = td;
|
|
|
|
return PR_SUCCESS;
|
|
|
|
|
|
|
|
loser:
|
|
|
|
NSSTrustDomain_Destroy(td);
|
|
|
|
return PR_FAILURE;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* must be called holding the ModuleListLock (either read or write).
|
|
|
|
*/
|
|
|
|
NSS_IMPLEMENT SECStatus
|
|
|
|
STAN_AddModuleToDefaultTrustDomain (
|
|
|
|
SECMODModule *module
|
|
|
|
)
|
|
|
|
{
|
|
|
|
NSSTrustDomain *td;
|
|
|
|
int i;
|
|
|
|
td = STAN_GetDefaultTrustDomain();
|
|
|
|
for (i=0; i<module->slotCount; i++) {
|
|
|
|
STAN_InitTokenForSlotInfo(td, module->slots[i]);
|
|
|
|
}
|
|
|
|
STAN_ResetTokenInterator(td);
|
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* must be called holding the ModuleListLock (either read or write).
|
|
|
|
*/
|
|
|
|
NSS_IMPLEMENT SECStatus
|
|
|
|
STAN_RemoveModuleFromDefaultTrustDomain (
|
|
|
|
SECMODModule *module
|
|
|
|
)
|
|
|
|
{
|
|
|
|
NSSToken *token;
|
|
|
|
NSSTrustDomain *td;
|
|
|
|
int i;
|
|
|
|
td = STAN_GetDefaultTrustDomain();
|
|
|
|
NSSRWLock_LockWrite(td->tokensLock);
|
|
|
|
for (i=0; i<module->slotCount; i++) {
|
|
|
|
token = PK11Slot_GetNSSToken(module->slots[i]);
|
|
|
|
if (token) {
|
|
|
|
nssToken_NotifyCertsNotVisible(token);
|
|
|
|
nssList_Remove(td->tokenList, token);
|
|
|
|
PK11Slot_SetNSSToken(module->slots[i], NULL);
|
|
|
|
nssToken_Destroy(token);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
nssListIterator_Destroy(td->tokens);
|
|
|
|
td->tokens = nssList_CreateIterator(td->tokenList);
|
|
|
|
NSSRWLock_UnlockWrite(td->tokensLock);
|
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
|
|
STAN_Shutdown()
|
|
|
|
{
|
|
|
|
PRStatus status = PR_SUCCESS;
|
|
|
|
if (g_default_trust_domain) {
|
|
|
|
if (NSSTrustDomain_Destroy(g_default_trust_domain) == PR_SUCCESS) {
|
|
|
|
g_default_trust_domain = NULL;
|
|
|
|
} else {
|
|
|
|
status = PR_FAILURE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (g_default_crypto_context) {
|
|
|
|
if (NSSCryptoContext_Destroy(g_default_crypto_context) == PR_SUCCESS) {
|
|
|
|
g_default_crypto_context = NULL;
|
|
|
|
} else {
|
|
|
|
status = PR_FAILURE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return status;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* this function should not be a hack; it will be needed in 4.0 (rename) */
|
|
|
|
NSS_IMPLEMENT NSSItem *
|
|
|
|
STAN_GetCertIdentifierFromDER(NSSArena *arenaOpt, NSSDER *der)
|
|
|
|
{
|
|
|
|
NSSItem *rvKey;
|
|
|
|
SECItem secDER;
|
|
|
|
SECItem secKey = { 0 };
|
|
|
|
SECStatus secrv;
|
|
|
|
PRArenaPool *arena;
|
|
|
|
|
|
|
|
SECITEM_FROM_NSSITEM(&secDER, der);
|
|
|
|
|
|
|
|
/* nss3 call uses nss3 arena's */
|
|
|
|
arena = PORT_NewArena(256);
|
|
|
|
if (!arena) {
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
secrv = CERT_KeyFromDERCert(arena, &secDER, &secKey);
|
|
|
|
if (secrv != SECSuccess) {
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
rvKey = nssItem_Create(arenaOpt, NULL, secKey.len, (void *)secKey.data);
|
|
|
|
PORT_FreeArena(arena,PR_FALSE);
|
|
|
|
return rvKey;
|
|
|
|
}
|
|
|
|
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
|
|
nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der, NSSArena *arena,
|
|
|
|
NSSDER *issuer, NSSDER *serial)
|
|
|
|
{
|
|
|
|
SECStatus secrv;
|
|
|
|
SECItem derCert;
|
|
|
|
SECItem derIssuer = { 0 };
|
|
|
|
SECItem derSerial = { 0 };
|
|
|
|
SECITEM_FROM_NSSITEM(&derCert, der);
|
|
|
|
secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
|
|
|
|
if (secrv != SECSuccess) {
|
|
|
|
return PR_FAILURE;
|
|
|
|
}
|
|
|
|
(void)nssItem_Create(arena, serial, derSerial.len, derSerial.data);
|
|
|
|
secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
|
|
|
|
if (secrv != SECSuccess) {
|
|
|
|
PORT_Free(derSerial.data);
|
|
|
|
return PR_FAILURE;
|
|
|
|
}
|
|
|
|
(void)nssItem_Create(arena, issuer, derIssuer.len, derIssuer.data);
|
|
|
|
PORT_Free(derSerial.data);
|
|
|
|
PORT_Free(derIssuer.data);
|
|
|
|
return PR_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
static NSSItem *
|
|
|
|
nss3certificate_getIdentifier(nssDecodedCert *dc)
|
|
|
|
{
|
|
|
|
NSSItem *rvID;
|
|
|
|
CERTCertificate *c = (CERTCertificate *)dc->data;
|
|
|
|
rvID = nssItem_Create(NULL, NULL, c->certKey.len, c->certKey.data);
|
|
|
|
return rvID;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void *
|
|
|
|
nss3certificate_getIssuerIdentifier(nssDecodedCert *dc)
|
|
|
|
{
|
|
|
|
CERTCertificate *c = (CERTCertificate *)dc->data;
|
|
|
|
return (void *)c->authKeyID;
|
|
|
|
}
|
|
|
|
|
|
|
|
static nssCertIDMatch
|
|
|
|
nss3certificate_matchIdentifier(nssDecodedCert *dc, void *id)
|
|
|
|
{
|
|
|
|
CERTCertificate *c = (CERTCertificate *)dc->data;
|
|
|
|
CERTAuthKeyID *authKeyID = (CERTAuthKeyID *)id;
|
|
|
|
SECItem skid;
|
|
|
|
nssCertIDMatch match = nssCertIDMatch_Unknown;
|
|
|
|
|
|
|
|
/* keyIdentifier */
|
2008-08-14 21:12:54 -07:00
|
|
|
if (authKeyID->keyID.len > 0 &&
|
|
|
|
CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
|
|
|
|
PRBool skiEqual;
|
|
|
|
skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
|
|
|
|
PORT_Free(skid.data);
|
|
|
|
if (skiEqual) {
|
|
|
|
/* change the state to positive match, but keep going */
|
|
|
|
match = nssCertIDMatch_Yes;
|
|
|
|
} else {
|
|
|
|
/* exit immediately on failure */
|
|
|
|
return nssCertIDMatch_No;
|
|
|
|
}
|
2008-06-06 05:40:11 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
/* issuer/serial (treated as pair) */
|
|
|
|
if (authKeyID->authCertIssuer) {
|
|
|
|
SECItem *caName = NULL;
|
|
|
|
SECItem *caSN = &authKeyID->authCertSerialNumber;
|
|
|
|
|
|
|
|
caName = (SECItem *)CERT_GetGeneralNameByType(
|
|
|
|
authKeyID->authCertIssuer,
|
|
|
|
certDirectoryName, PR_TRUE);
|
2008-08-14 21:12:54 -07:00
|
|
|
if (caName != NULL &&
|
|
|
|
SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
|
2008-06-06 05:40:11 -07:00
|
|
|
SECITEM_ItemsAreEqual(&c->serialNumber, caSN))
|
|
|
|
{
|
|
|
|
match = nssCertIDMatch_Yes;
|
|
|
|
} else {
|
2008-08-14 21:12:54 -07:00
|
|
|
match = nssCertIDMatch_Unknown;
|
2008-06-06 05:40:11 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return match;
|
|
|
|
}
|
|
|
|
|
|
|
|
static PRBool
|
|
|
|
nss3certificate_isValidIssuer(nssDecodedCert *dc)
|
|
|
|
{
|
|
|
|
CERTCertificate *c = (CERTCertificate *)dc->data;
|
|
|
|
unsigned int ignore;
|
|
|
|
return CERT_IsCACert(c, &ignore);
|
|
|
|
}
|
|
|
|
|
|
|
|
static NSSUsage *
|
|
|
|
nss3certificate_getUsage(nssDecodedCert *dc)
|
|
|
|
{
|
|
|
|
/* CERTCertificate *c = (CERTCertificate *)dc->data; */
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static PRBool
|
|
|
|
nss3certificate_isValidAtTime(nssDecodedCert *dc, NSSTime *time)
|
|
|
|
{
|
|
|
|
SECCertTimeValidity validity;
|
|
|
|
CERTCertificate *c = (CERTCertificate *)dc->data;
|
|
|
|
validity = CERT_CheckCertValidTimes(c, NSSTime_GetPRTime(time), PR_TRUE);
|
|
|
|
if (validity == secCertTimeValid) {
|
|
|
|
return PR_TRUE;
|
|
|
|
}
|
|
|
|
return PR_FALSE;
|
|
|
|
}
|
|
|
|
|
|
|
|
static PRBool
|
|
|
|
nss3certificate_isNewerThan(nssDecodedCert *dc, nssDecodedCert *cmpdc)
|
|
|
|
{
|
|
|
|
/* I know this isn't right, but this is glue code anyway */
|
|
|
|
if (cmpdc->type == dc->type) {
|
|
|
|
CERTCertificate *certa = (CERTCertificate *)dc->data;
|
|
|
|
CERTCertificate *certb = (CERTCertificate *)cmpdc->data;
|
|
|
|
return CERT_IsNewer(certa, certb);
|
|
|
|
}
|
|
|
|
return PR_FALSE;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* CERT_FilterCertListByUsage */
|
|
|
|
static PRBool
|
|
|
|
nss3certificate_matchUsage(nssDecodedCert *dc, const NSSUsage *usage)
|
|
|
|
{
|
|
|
|
CERTCertificate *cc;
|
|
|
|
unsigned int requiredKeyUsage = 0;
|
|
|
|
unsigned int requiredCertType = 0;
|
|
|
|
SECStatus secrv;
|
|
|
|
PRBool match;
|
|
|
|
PRBool ca;
|
|
|
|
|
|
|
|
/* This is for NSS 3.3 functions that do not specify a usage */
|
|
|
|
if (usage->anyUsage) {
|
|
|
|
return PR_TRUE;
|
|
|
|
}
|
|
|
|
ca = usage->nss3lookingForCA;
|
|
|
|
secrv = CERT_KeyUsageAndTypeForCertUsage(usage->nss3usage, ca,
|
|
|
|
&requiredKeyUsage,
|
|
|
|
&requiredCertType);
|
|
|
|
if (secrv != SECSuccess) {
|
|
|
|
return PR_FALSE;
|
|
|
|
}
|
|
|
|
cc = (CERTCertificate *)dc->data;
|
|
|
|
secrv = CERT_CheckKeyUsage(cc, requiredKeyUsage);
|
|
|
|
match = (PRBool)(secrv == SECSuccess);
|
|
|
|
if (match) {
|
|
|
|
unsigned int certType = 0;
|
|
|
|
if (ca) {
|
|
|
|
(void)CERT_IsCACert(cc, &certType);
|
|
|
|
} else {
|
|
|
|
certType = cc->nsCertType;
|
|
|
|
}
|
|
|
|
if (!(certType & requiredCertType)) {
|
|
|
|
match = PR_FALSE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return match;
|
|
|
|
}
|
|
|
|
|
|
|
|
static NSSASCII7 *
|
|
|
|
nss3certificate_getEmailAddress(nssDecodedCert *dc)
|
|
|
|
{
|
|
|
|
CERTCertificate *cc = (CERTCertificate *)dc->data;
|
|
|
|
return (cc && cc->emailAddr && cc->emailAddr[0])
|
|
|
|
? (NSSASCII7 *)cc->emailAddr : NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static PRStatus
|
|
|
|
nss3certificate_getDERSerialNumber(nssDecodedCert *dc,
|
|
|
|
NSSDER *serial, NSSArena *arena)
|
|
|
|
{
|
|
|
|
CERTCertificate *cc = (CERTCertificate *)dc->data;
|
|
|
|
SECItem derSerial = { 0 };
|
|
|
|
SECStatus secrv;
|
|
|
|
secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
|
|
|
|
if (secrv == SECSuccess) {
|
|
|
|
(void)nssItem_Create(arena, serial, derSerial.len, derSerial.data);
|
|
|
|
PORT_Free(derSerial.data);
|
|
|
|
return PR_SUCCESS;
|
|
|
|
}
|
|
|
|
return PR_FAILURE;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Returns NULL if "encoding" cannot be decoded. */
|
|
|
|
NSS_IMPLEMENT nssDecodedCert *
|
|
|
|
nssDecodedPKIXCertificate_Create (
|
|
|
|
NSSArena *arenaOpt,
|
|
|
|
NSSDER *encoding
|
|
|
|
)
|
|
|
|
{
|
|
|
|
nssDecodedCert *rvDC = NULL;
|
|
|
|
CERTCertificate *cert;
|
|
|
|
SECItem secDER;
|
|
|
|
|
|
|
|
SECITEM_FROM_NSSITEM(&secDER, encoding);
|
|
|
|
cert = CERT_DecodeDERCertificate(&secDER, PR_TRUE, NULL);
|
|
|
|
if (cert) {
|
|
|
|
rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
|
|
|
|
if (rvDC) {
|
|
|
|
rvDC->type = NSSCertificateType_PKIX;
|
|
|
|
rvDC->data = (void *)cert;
|
|
|
|
rvDC->getIdentifier = nss3certificate_getIdentifier;
|
|
|
|
rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
|
|
|
|
rvDC->matchIdentifier = nss3certificate_matchIdentifier;
|
|
|
|
rvDC->isValidIssuer = nss3certificate_isValidIssuer;
|
|
|
|
rvDC->getUsage = nss3certificate_getUsage;
|
|
|
|
rvDC->isValidAtTime = nss3certificate_isValidAtTime;
|
|
|
|
rvDC->isNewerThan = nss3certificate_isNewerThan;
|
|
|
|
rvDC->matchUsage = nss3certificate_matchUsage;
|
|
|
|
rvDC->getEmailAddress = nss3certificate_getEmailAddress;
|
|
|
|
rvDC->getDERSerialNumber = nss3certificate_getDERSerialNumber;
|
|
|
|
} else {
|
|
|
|
CERT_DestroyCertificate(cert);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return rvDC;
|
|
|
|
}
|
|
|
|
|
|
|
|
static nssDecodedCert *
|
|
|
|
create_decoded_pkix_cert_from_nss3cert (
|
|
|
|
NSSArena *arenaOpt,
|
|
|
|
CERTCertificate *cc
|
|
|
|
)
|
|
|
|
{
|
|
|
|
nssDecodedCert *rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
|
|
|
|
if (rvDC) {
|
|
|
|
rvDC->type = NSSCertificateType_PKIX;
|
|
|
|
rvDC->data = (void *)cc;
|
|
|
|
rvDC->getIdentifier = nss3certificate_getIdentifier;
|
|
|
|
rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
|
|
|
|
rvDC->matchIdentifier = nss3certificate_matchIdentifier;
|
|
|
|
rvDC->isValidIssuer = nss3certificate_isValidIssuer;
|
|
|
|
rvDC->getUsage = nss3certificate_getUsage;
|
|
|
|
rvDC->isValidAtTime = nss3certificate_isValidAtTime;
|
|
|
|
rvDC->isNewerThan = nss3certificate_isNewerThan;
|
|
|
|
rvDC->matchUsage = nss3certificate_matchUsage;
|
|
|
|
rvDC->getEmailAddress = nss3certificate_getEmailAddress;
|
|
|
|
}
|
|
|
|
return rvDC;
|
|
|
|
}
|
|
|
|
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
|
|
nssDecodedPKIXCertificate_Destroy (
|
|
|
|
nssDecodedCert *dc
|
|
|
|
)
|
|
|
|
{
|
|
|
|
CERTCertificate *cert = (CERTCertificate *)dc->data;
|
|
|
|
|
|
|
|
/* The decoder may only be half initialized (the case where we find we
|
|
|
|
* could not decode the certificate). In this case, there is not cert to
|
|
|
|
* free, just free the dc structure. */
|
|
|
|
if (cert) {
|
|
|
|
PRBool freeSlot = cert->ownSlot;
|
|
|
|
PK11SlotInfo *slot = cert->slot;
|
|
|
|
PRArenaPool *arena = cert->arena;
|
|
|
|
/* zero cert before freeing. Any stale references to this cert
|
|
|
|
* after this point will probably cause an exception. */
|
|
|
|
PORT_Memset(cert, 0, sizeof *cert);
|
|
|
|
/* free the arena that contains the cert. */
|
|
|
|
PORT_FreeArena(arena, PR_FALSE);
|
|
|
|
if (slot && freeSlot) {
|
|
|
|
PK11_FreeSlot(slot);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
nss_ZFreeIf(dc);
|
|
|
|
return PR_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* see pk11cert.c:pk11_HandleTrustObject */
|
|
|
|
static unsigned int
|
|
|
|
get_nss3trust_from_nss4trust(CK_TRUST t)
|
|
|
|
{
|
|
|
|
unsigned int rt = 0;
|
|
|
|
if (t == nssTrustLevel_Trusted) {
|
|
|
|
rt |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
|
|
|
|
}
|
|
|
|
if (t == nssTrustLevel_TrustedDelegator) {
|
|
|
|
rt |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA /*| CERTDB_NS_TRUSTED_CA*/;
|
|
|
|
}
|
|
|
|
if (t == nssTrustLevel_Valid) {
|
|
|
|
rt |= CERTDB_VALID_PEER;
|
|
|
|
}
|
|
|
|
if (t == nssTrustLevel_ValidDelegator) {
|
|
|
|
rt |= CERTDB_VALID_CA;
|
|
|
|
}
|
|
|
|
return rt;
|
|
|
|
}
|
|
|
|
|
|
|
|
static CERTCertTrust *
|
|
|
|
cert_trust_from_stan_trust(NSSTrust *t, PRArenaPool *arena)
|
|
|
|
{
|
|
|
|
CERTCertTrust *rvTrust;
|
|
|
|
unsigned int client;
|
|
|
|
if (!t) {
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
rvTrust = PORT_ArenaAlloc(arena, sizeof(CERTCertTrust));
|
|
|
|
if (!rvTrust) return NULL;
|
|
|
|
rvTrust->sslFlags = get_nss3trust_from_nss4trust(t->serverAuth);
|
|
|
|
client = get_nss3trust_from_nss4trust(t->clientAuth);
|
|
|
|
if (client & (CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA)) {
|
|
|
|
client &= ~(CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA);
|
|
|
|
rvTrust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA;
|
|
|
|
}
|
|
|
|
rvTrust->sslFlags |= client;
|
|
|
|
rvTrust->emailFlags = get_nss3trust_from_nss4trust(t->emailProtection);
|
|
|
|
rvTrust->objectSigningFlags = get_nss3trust_from_nss4trust(t->codeSigning);
|
|
|
|
/* The cert is a valid step-up cert (in addition to/lieu of trust above */
|
|
|
|
if (t->stepUpApproved) {
|
|
|
|
rvTrust->sslFlags |= CERTDB_GOVT_APPROVED_CA;
|
|
|
|
}
|
|
|
|
return rvTrust;
|
|
|
|
}
|
|
|
|
|
|
|
|
CERTCertTrust *
|
|
|
|
nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc)
|
|
|
|
{
|
|
|
|
CERTCertTrust *rvTrust = NULL;
|
|
|
|
NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
|
|
|
|
NSSTrust *t;
|
|
|
|
t = nssTrustDomain_FindTrustForCertificate(td, c);
|
|
|
|
if (t) {
|
|
|
|
rvTrust = cert_trust_from_stan_trust(t, cc->arena);
|
|
|
|
if (!rvTrust) {
|
|
|
|
nssTrust_Destroy(t);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
nssTrust_Destroy(t);
|
|
|
|
} else {
|
|
|
|
rvTrust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
|
|
|
|
if (!rvTrust) {
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
memset(rvTrust, 0, sizeof(*rvTrust));
|
|
|
|
}
|
|
|
|
if (NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL)) {
|
|
|
|
rvTrust->sslFlags |= CERTDB_USER;
|
|
|
|
rvTrust->emailFlags |= CERTDB_USER;
|
|
|
|
rvTrust->objectSigningFlags |= CERTDB_USER;
|
|
|
|
}
|
|
|
|
return rvTrust;
|
|
|
|
}
|
|
|
|
|
|
|
|
static nssCryptokiInstance *
|
|
|
|
get_cert_instance(NSSCertificate *c)
|
|
|
|
{
|
|
|
|
nssCryptokiObject *instance, **ci;
|
|
|
|
nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
|
|
|
|
if (!instances) {
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
instance = NULL;
|
|
|
|
for (ci = instances; *ci; ci++) {
|
|
|
|
if (!instance) {
|
|
|
|
instance = nssCryptokiObject_Clone(*ci);
|
|
|
|
} else {
|
|
|
|
/* This only really works for two instances... But 3.4 can't
|
|
|
|
* handle more anyway. The logic is, if there are multiple
|
|
|
|
* instances, prefer the one that is not internal (e.g., on
|
|
|
|
* a hardware device.
|
|
|
|
*/
|
|
|
|
if (PK11_IsInternal(instance->token->pk11slot)) {
|
|
|
|
nssCryptokiObject_Destroy(instance);
|
|
|
|
instance = nssCryptokiObject_Clone(*ci);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
nssCryptokiObjectArray_Destroy(instances);
|
|
|
|
return instance;
|
|
|
|
}
|
|
|
|
|
|
|
|
char *
|
|
|
|
STAN_GetCERTCertificateNameForInstance (
|
|
|
|
PLArenaPool *arenaOpt,
|
|
|
|
NSSCertificate *c,
|
|
|
|
nssCryptokiInstance *instance
|
|
|
|
)
|
|
|
|
{
|
|
|
|
NSSCryptoContext *context = c->object.cryptoContext;
|
|
|
|
PRStatus nssrv;
|
|
|
|
int nicklen, tokenlen, len;
|
|
|
|
NSSUTF8 *tokenName = NULL;
|
|
|
|
NSSUTF8 *stanNick = NULL;
|
|
|
|
char *nickname = NULL;
|
|
|
|
char *nick;
|
|
|
|
|
|
|
|
if (instance) {
|
|
|
|
stanNick = instance->label;
|
|
|
|
} else if (context) {
|
|
|
|
stanNick = c->object.tempName;
|
|
|
|
}
|
|
|
|
if (stanNick) {
|
|
|
|
/* fill other fields needed by NSS3 functions using CERTCertificate */
|
2009-08-19 06:59:06 -07:00
|
|
|
if (instance && (!PK11_IsInternalKeySlot(instance->token->pk11slot) ||
|
2008-06-06 05:40:11 -07:00
|
|
|
PORT_Strchr(stanNick, ':') != NULL) ) {
|
|
|
|
tokenName = nssToken_GetName(instance->token);
|
|
|
|
tokenlen = nssUTF8_Size(tokenName, &nssrv);
|
|
|
|
} else {
|
|
|
|
/* don't use token name for internal slot; 3.3 didn't */
|
|
|
|
tokenlen = 0;
|
|
|
|
}
|
|
|
|
nicklen = nssUTF8_Size(stanNick, &nssrv);
|
|
|
|
len = tokenlen + nicklen;
|
|
|
|
if (arenaOpt) {
|
|
|
|
nickname = PORT_ArenaAlloc(arenaOpt, len);
|
|
|
|
} else {
|
|
|
|
nickname = PORT_Alloc(len);
|
|
|
|
}
|
|
|
|
nick = nickname;
|
|
|
|
if (tokenName) {
|
|
|
|
memcpy(nick, tokenName, tokenlen-1);
|
|
|
|
nick += tokenlen-1;
|
|
|
|
*nick++ = ':';
|
|
|
|
}
|
|
|
|
memcpy(nick, stanNick, nicklen-1);
|
|
|
|
nickname[len-1] = '\0';
|
|
|
|
}
|
|
|
|
return nickname;
|
|
|
|
}
|
|
|
|
|
|
|
|
char *
|
|
|
|
STAN_GetCERTCertificateName(PLArenaPool *arenaOpt, NSSCertificate *c)
|
|
|
|
{
|
|
|
|
char * result;
|
|
|
|
nssCryptokiInstance *instance = get_cert_instance(c);
|
|
|
|
/* It's OK to call this function, even if instance is NULL */
|
|
|
|
result = STAN_GetCERTCertificateNameForInstance(arenaOpt, c, instance);
|
|
|
|
if (instance)
|
|
|
|
nssCryptokiObject_Destroy(instance);
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced)
|
|
|
|
{
|
|
|
|
CERTCertTrust* trust = NULL;
|
|
|
|
NSSTrust *nssTrust;
|
|
|
|
NSSCryptoContext *context = c->object.cryptoContext;
|
|
|
|
nssCryptokiInstance *instance;
|
|
|
|
NSSUTF8 *stanNick = NULL;
|
|
|
|
|
|
|
|
/* We are holding the base class object's lock on entry of this function
|
|
|
|
* This lock protects writes to fields of the CERTCertificate .
|
|
|
|
* It is also needed by some functions to compute values such as trust.
|
|
|
|
*/
|
|
|
|
instance = get_cert_instance(c);
|
|
|
|
|
|
|
|
if (instance) {
|
|
|
|
stanNick = instance->label;
|
|
|
|
} else if (context) {
|
|
|
|
stanNick = c->object.tempName;
|
|
|
|
}
|
|
|
|
/* fill other fields needed by NSS3 functions using CERTCertificate */
|
|
|
|
if ((!cc->nickname && stanNick) || forced) {
|
|
|
|
PRStatus nssrv;
|
|
|
|
int nicklen, tokenlen, len;
|
|
|
|
NSSUTF8 *tokenName = NULL;
|
|
|
|
char *nick;
|
|
|
|
if (instance &&
|
2009-08-19 06:59:06 -07:00
|
|
|
(!PK11_IsInternalKeySlot(instance->token->pk11slot) ||
|
2008-06-06 05:40:11 -07:00
|
|
|
(stanNick && PORT_Strchr(stanNick, ':') != NULL))) {
|
|
|
|
tokenName = nssToken_GetName(instance->token);
|
|
|
|
tokenlen = nssUTF8_Size(tokenName, &nssrv);
|
|
|
|
} else {
|
|
|
|
/* don't use token name for internal slot; 3.3 didn't */
|
|
|
|
tokenlen = 0;
|
|
|
|
}
|
|
|
|
if (stanNick) {
|
|
|
|
nicklen = nssUTF8_Size(stanNick, &nssrv);
|
|
|
|
len = tokenlen + nicklen;
|
|
|
|
nick = PORT_ArenaAlloc(cc->arena, len);
|
|
|
|
if (tokenName) {
|
|
|
|
memcpy(nick, tokenName, tokenlen-1);
|
|
|
|
nick[tokenlen-1] = ':';
|
|
|
|
memcpy(nick+tokenlen, stanNick, nicklen-1);
|
|
|
|
} else {
|
|
|
|
memcpy(nick, stanNick, nicklen-1);
|
|
|
|
}
|
|
|
|
nick[len-1] = '\0';
|
|
|
|
cc->nickname = nick;
|
|
|
|
} else {
|
|
|
|
cc->nickname = NULL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (context) {
|
|
|
|
/* trust */
|
|
|
|
nssTrust = nssCryptoContext_FindTrustForCertificate(context, c);
|
|
|
|
if (nssTrust) {
|
|
|
|
trust = cert_trust_from_stan_trust(nssTrust, cc->arena);
|
|
|
|
if (trust) {
|
|
|
|
/* we should destroy cc->trust before replacing it, but it's
|
|
|
|
allocated in cc->arena, so memory growth will occur on each
|
|
|
|
refresh */
|
|
|
|
cc->trust = trust;
|
|
|
|
}
|
|
|
|
nssTrust_Destroy(nssTrust);
|
|
|
|
}
|
|
|
|
} else if (instance) {
|
|
|
|
/* slot */
|
|
|
|
if (cc->slot != instance->token->pk11slot) {
|
|
|
|
if (cc->slot) {
|
|
|
|
PK11_FreeSlot(cc->slot);
|
|
|
|
}
|
|
|
|
cc->slot = PK11_ReferenceSlot(instance->token->pk11slot);
|
|
|
|
}
|
|
|
|
cc->ownSlot = PR_TRUE;
|
|
|
|
/* pkcs11ID */
|
|
|
|
cc->pkcs11ID = instance->handle;
|
|
|
|
/* trust */
|
|
|
|
trust = nssTrust_GetCERTCertTrustForCert(c, cc);
|
|
|
|
if (trust) {
|
|
|
|
/* we should destroy cc->trust before replacing it, but it's
|
|
|
|
allocated in cc->arena, so memory growth will occur on each
|
|
|
|
refresh */
|
|
|
|
cc->trust = trust;
|
|
|
|
}
|
|
|
|
nssCryptokiObject_Destroy(instance);
|
|
|
|
}
|
|
|
|
/* database handle is now the trust domain */
|
|
|
|
cc->dbhandle = c->object.trustDomain;
|
|
|
|
/* subjectList ? */
|
|
|
|
/* istemp and isperm are supported in NSS 3.4 */
|
|
|
|
cc->istemp = PR_FALSE; /* CERT_NewTemp will override this */
|
|
|
|
cc->isperm = PR_TRUE; /* by default */
|
|
|
|
/* pointer back */
|
|
|
|
cc->nssCertificate = c;
|
|
|
|
if (trust) {
|
|
|
|
/* force the cert type to be recomputed to include trust info */
|
|
|
|
PRUint32 nsCertType = cert_ComputeCertType(cc);
|
|
|
|
|
|
|
|
/* Assert that it is safe to cast &cc->nsCertType to "PRInt32 *" */
|
|
|
|
PORT_Assert(sizeof(cc->nsCertType) == sizeof(PRInt32));
|
|
|
|
PR_AtomicSet((PRInt32 *)&cc->nsCertType, nsCertType);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static CERTCertificate *
|
|
|
|
stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
|
|
|
|
{
|
|
|
|
nssDecodedCert *dc = NULL;
|
|
|
|
CERTCertificate *cc = NULL;
|
|
|
|
|
|
|
|
nssPKIObject_Lock(&c->object);
|
|
|
|
|
|
|
|
dc = c->decoding;
|
|
|
|
if (!dc) {
|
|
|
|
dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding);
|
|
|
|
if (!dc) {
|
|
|
|
goto loser;
|
|
|
|
}
|
|
|
|
cc = (CERTCertificate *)dc->data;
|
|
|
|
PORT_Assert(cc); /* software error */
|
|
|
|
if (!cc) {
|
|
|
|
nssDecodedPKIXCertificate_Destroy(dc);
|
|
|
|
nss_SetError(NSS_ERROR_INTERNAL_ERROR);
|
|
|
|
goto loser;
|
|
|
|
}
|
|
|
|
PORT_Assert(!c->decoding);
|
|
|
|
if (!c->decoding) {
|
|
|
|
c->decoding = dc;
|
|
|
|
} else {
|
|
|
|
/* this should never happen. Fail. */
|
|
|
|
nssDecodedPKIXCertificate_Destroy(dc);
|
|
|
|
nss_SetError(NSS_ERROR_INTERNAL_ERROR);
|
|
|
|
goto loser;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
cc = (CERTCertificate *)dc->data;
|
|
|
|
PORT_Assert(cc);
|
|
|
|
if (!cc) {
|
|
|
|
nss_SetError(NSS_ERROR_INTERNAL_ERROR);
|
|
|
|
goto loser;
|
|
|
|
}
|
|
|
|
if (!cc->nssCertificate || forceUpdate) {
|
|
|
|
fill_CERTCertificateFields(c, cc, forceUpdate);
|
|
|
|
} else if (!cc->trust && !c->object.cryptoContext) {
|
|
|
|
/* if it's a perm cert, it might have been stored before the
|
|
|
|
* trust, so look for the trust again. But a temp cert can be
|
|
|
|
* ignored.
|
|
|
|
*/
|
|
|
|
CERTCertTrust* trust = NULL;
|
|
|
|
trust = nssTrust_GetCERTCertTrustForCert(c, cc);
|
|
|
|
cc->trust = trust;
|
|
|
|
}
|
|
|
|
|
|
|
|
loser:
|
|
|
|
nssPKIObject_Unlock(&c->object);
|
|
|
|
return cc;
|
|
|
|
}
|
|
|
|
|
|
|
|
NSS_IMPLEMENT CERTCertificate *
|
|
|
|
STAN_ForceCERTCertificateUpdate(NSSCertificate *c)
|
|
|
|
{
|
|
|
|
if (c->decoding) {
|
|
|
|
return stan_GetCERTCertificate(c, PR_TRUE);
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
NSS_IMPLEMENT CERTCertificate *
|
|
|
|
STAN_GetCERTCertificate(NSSCertificate *c)
|
|
|
|
{
|
|
|
|
return stan_GetCERTCertificate(c, PR_FALSE);
|
|
|
|
}
|
|
|
|
/*
|
|
|
|
* many callers of STAN_GetCERTCertificate() intend that
|
|
|
|
* the CERTCertificate returned inherits the reference to the
|
|
|
|
* NSSCertificate. For these callers it's convenient to have
|
|
|
|
* this function 'own' the reference and either return a valid
|
|
|
|
* CERTCertificate structure which inherits the reference or
|
|
|
|
* destroy the reference to NSSCertificate and returns NULL.
|
|
|
|
*/
|
|
|
|
NSS_IMPLEMENT CERTCertificate *
|
|
|
|
STAN_GetCERTCertificateOrRelease(NSSCertificate *c)
|
|
|
|
{
|
|
|
|
CERTCertificate *nss3cert = stan_GetCERTCertificate(c, PR_FALSE);
|
|
|
|
if (!nss3cert) {
|
|
|
|
nssCertificate_Destroy(c);
|
|
|
|
}
|
|
|
|
return nss3cert;
|
|
|
|
}
|
|
|
|
|
|
|
|
static nssTrustLevel
|
|
|
|
get_stan_trust(unsigned int t, PRBool isClientAuth)
|
|
|
|
{
|
|
|
|
if (isClientAuth) {
|
|
|
|
if (t & CERTDB_TRUSTED_CLIENT_CA) {
|
|
|
|
return nssTrustLevel_TrustedDelegator;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (t & CERTDB_TRUSTED_CA || t & CERTDB_NS_TRUSTED_CA) {
|
|
|
|
return nssTrustLevel_TrustedDelegator;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (t & CERTDB_TRUSTED) {
|
|
|
|
return nssTrustLevel_Trusted;
|
|
|
|
}
|
|
|
|
if (t & CERTDB_VALID_CA) {
|
|
|
|
return nssTrustLevel_ValidDelegator;
|
|
|
|
}
|
|
|
|
if (t & CERTDB_VALID_PEER) {
|
|
|
|
return nssTrustLevel_Valid;
|
|
|
|
}
|
|
|
|
return nssTrustLevel_NotTrusted;
|
|
|
|
}
|
|
|
|
|
|
|
|
NSS_EXTERN NSSCertificate *
|
|
|
|
STAN_GetNSSCertificate(CERTCertificate *cc)
|
|
|
|
{
|
|
|
|
NSSCertificate *c;
|
|
|
|
nssCryptokiInstance *instance;
|
|
|
|
nssPKIObject *pkiob;
|
|
|
|
NSSArena *arena;
|
|
|
|
c = cc->nssCertificate;
|
|
|
|
if (c) {
|
|
|
|
return c;
|
|
|
|
}
|
|
|
|
/* i don't think this should happen. but if it can, need to create
|
|
|
|
* NSSCertificate from CERTCertificate values here. */
|
|
|
|
/* Yup, it can happen. */
|
|
|
|
arena = NSSArena_Create();
|
|
|
|
if (!arena) {
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
c = nss_ZNEW(arena, NSSCertificate);
|
|
|
|
if (!c) {
|
|
|
|
nssArena_Destroy(arena);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
NSSITEM_FROM_SECITEM(&c->encoding, &cc->derCert);
|
|
|
|
c->type = NSSCertificateType_PKIX;
|
|
|
|
pkiob = nssPKIObject_Create(arena, NULL, cc->dbhandle, NULL, nssPKIMonitor);
|
|
|
|
if (!pkiob) {
|
|
|
|
nssArena_Destroy(arena);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
c->object = *pkiob;
|
|
|
|
nssItem_Create(arena,
|
|
|
|
&c->issuer, cc->derIssuer.len, cc->derIssuer.data);
|
|
|
|
nssItem_Create(arena,
|
|
|
|
&c->subject, cc->derSubject.len, cc->derSubject.data);
|
|
|
|
if (PR_TRUE) {
|
|
|
|
/* CERTCertificate stores serial numbers decoded. I need the DER
|
|
|
|
* here. sigh.
|
|
|
|
*/
|
|
|
|
SECItem derSerial;
|
|
|
|
SECStatus secrv;
|
|
|
|
secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
|
|
|
|
if (secrv == SECFailure) {
|
|
|
|
nssArena_Destroy(arena);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data);
|
|
|
|
PORT_Free(derSerial.data);
|
|
|
|
}
|
|
|
|
if (cc->emailAddr && cc->emailAddr[0]) {
|
|
|
|
c->email = nssUTF8_Create(arena,
|
|
|
|
nssStringType_PrintableString,
|
|
|
|
(NSSUTF8 *)cc->emailAddr,
|
|
|
|
PORT_Strlen(cc->emailAddr));
|
|
|
|
}
|
|
|
|
if (cc->slot) {
|
|
|
|
instance = nss_ZNEW(arena, nssCryptokiInstance);
|
|
|
|
if (!instance) {
|
|
|
|
nssArena_Destroy(arena);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
instance->token = nssToken_AddRef(PK11Slot_GetNSSToken(cc->slot));
|
|
|
|
instance->handle = cc->pkcs11ID;
|
|
|
|
instance->isTokenObject = PR_TRUE;
|
|
|
|
if (cc->nickname) {
|
|
|
|
instance->label = nssUTF8_Create(arena,
|
|
|
|
nssStringType_UTF8String,
|
|
|
|
(NSSUTF8 *)cc->nickname,
|
|
|
|
PORT_Strlen(cc->nickname));
|
|
|
|
}
|
|
|
|
nssPKIObject_AddInstance(&c->object, instance);
|
|
|
|
}
|
|
|
|
c->decoding = create_decoded_pkix_cert_from_nss3cert(NULL, cc);
|
|
|
|
cc->nssCertificate = c;
|
|
|
|
return c;
|
|
|
|
}
|
|
|
|
|
|
|
|
static NSSToken*
|
|
|
|
stan_GetTrustToken (
|
|
|
|
NSSCertificate *c
|
|
|
|
)
|
|
|
|
{
|
|
|
|
NSSToken *ttok = NULL;
|
|
|
|
NSSToken *rtok = NULL;
|
|
|
|
NSSToken *tok = NULL;
|
|
|
|
nssCryptokiObject **ip;
|
|
|
|
nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
|
|
|
|
if (!instances) {
|
|
|
|
return PR_FALSE;
|
|
|
|
}
|
|
|
|
for (ip = instances; *ip; ip++) {
|
|
|
|
nssCryptokiObject *instance = *ip;
|
|
|
|
nssCryptokiObject *to =
|
|
|
|
nssToken_FindTrustForCertificate(instance->token, NULL,
|
|
|
|
&c->encoding, &c->issuer, &c->serial,
|
|
|
|
nssTokenSearchType_TokenOnly);
|
|
|
|
NSSToken *ctok = instance->token;
|
|
|
|
PRBool ro = PK11_IsReadOnly(ctok->pk11slot);
|
|
|
|
|
|
|
|
if (to) {
|
|
|
|
nssCryptokiObject_Destroy(to);
|
|
|
|
ttok = ctok;
|
|
|
|
if (!ro) {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (!rtok && ro) {
|
|
|
|
rtok = ctok;
|
|
|
|
}
|
|
|
|
if (!tok && !ro) {
|
|
|
|
tok = ctok;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
nssCryptokiObjectArray_Destroy(instances);
|
|
|
|
return ttok ? ttok : (tok ? tok : rtok);
|
|
|
|
}
|
|
|
|
|
|
|
|
NSS_EXTERN PRStatus
|
|
|
|
STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
|
|
|
|
{
|
|
|
|
PRStatus nssrv;
|
|
|
|
NSSCertificate *c = STAN_GetNSSCertificate(cc);
|
|
|
|
NSSToken *tok;
|
|
|
|
NSSTrustDomain *td;
|
|
|
|
NSSTrust *nssTrust;
|
|
|
|
NSSArena *arena;
|
|
|
|
CERTCertTrust *oldTrust;
|
|
|
|
nssListIterator *tokens;
|
|
|
|
PRBool moving_object;
|
|
|
|
nssCryptokiObject *newInstance;
|
|
|
|
nssPKIObject *pkiob;
|
|
|
|
|
|
|
|
if (c == NULL) {
|
|
|
|
return SECFailure;
|
|
|
|
}
|
|
|
|
oldTrust = nssTrust_GetCERTCertTrustForCert(c, cc);
|
|
|
|
if (oldTrust) {
|
|
|
|
if (memcmp(oldTrust, trust, sizeof (CERTCertTrust)) == 0) {
|
|
|
|
/* ... and the new trust is no different, done) */
|
|
|
|
return PR_SUCCESS;
|
|
|
|
} else {
|
|
|
|
/* take over memory already allocated in cc's arena */
|
|
|
|
cc->trust = oldTrust;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
cc->trust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
|
|
|
|
}
|
|
|
|
memcpy(cc->trust, trust, sizeof(CERTCertTrust));
|
|
|
|
/* Set the NSSCerticate's trust */
|
|
|
|
arena = nssArena_Create();
|
|
|
|
if (!arena) return PR_FAILURE;
|
|
|
|
nssTrust = nss_ZNEW(arena, NSSTrust);
|
|
|
|
if (!nssTrust) {
|
|
|
|
nssArena_Destroy(arena);
|
|
|
|
return PR_FAILURE;
|
|
|
|
}
|
|
|
|
pkiob = nssPKIObject_Create(arena, NULL, cc->dbhandle, NULL, nssPKILock);
|
|
|
|
if (!pkiob) {
|
|
|
|
nssArena_Destroy(arena);
|
|
|
|
return PR_FAILURE;
|
|
|
|
}
|
|
|
|
nssTrust->object = *pkiob;
|
|
|
|
nssTrust->certificate = c;
|
|
|
|
nssTrust->serverAuth = get_stan_trust(trust->sslFlags, PR_FALSE);
|
|
|
|
nssTrust->clientAuth = get_stan_trust(trust->sslFlags, PR_TRUE);
|
|
|
|
nssTrust->emailProtection = get_stan_trust(trust->emailFlags, PR_FALSE);
|
|
|
|
nssTrust->codeSigning = get_stan_trust(trust->objectSigningFlags, PR_FALSE);
|
|
|
|
nssTrust->stepUpApproved =
|
|
|
|
(PRBool)(trust->sslFlags & CERTDB_GOVT_APPROVED_CA);
|
|
|
|
if (c->object.cryptoContext != NULL) {
|
|
|
|
/* The cert is in a context, set the trust there */
|
|
|
|
NSSCryptoContext *cc = c->object.cryptoContext;
|
|
|
|
nssrv = nssCryptoContext_ImportTrust(cc, nssTrust);
|
|
|
|
if (nssrv != PR_SUCCESS) {
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
if (c->object.numInstances == 0) {
|
|
|
|
/* The context is the only instance, finished */
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
td = STAN_GetDefaultTrustDomain();
|
|
|
|
tok = stan_GetTrustToken(c);
|
|
|
|
moving_object = PR_FALSE;
|
|
|
|
if (tok && PK11_IsReadOnly(tok->pk11slot)) {
|
|
|
|
NSSRWLock_LockRead(td->tokensLock);
|
|
|
|
tokens = nssList_CreateIterator(td->tokenList);
|
|
|
|
if (!tokens) {
|
|
|
|
nssrv = PR_FAILURE;
|
|
|
|
NSSRWLock_UnlockRead(td->tokensLock);
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
for (tok = (NSSToken *)nssListIterator_Start(tokens);
|
|
|
|
tok != (NSSToken *)NULL;
|
|
|
|
tok = (NSSToken *)nssListIterator_Next(tokens))
|
|
|
|
{
|
|
|
|
if (!PK11_IsReadOnly(tok->pk11slot)) break;
|
|
|
|
}
|
|
|
|
nssListIterator_Finish(tokens);
|
|
|
|
nssListIterator_Destroy(tokens);
|
|
|
|
NSSRWLock_UnlockRead(td->tokensLock);
|
|
|
|
moving_object = PR_TRUE;
|
|
|
|
}
|
|
|
|
if (tok) {
|
|
|
|
if (moving_object) {
|
|
|
|
/* this is kind of hacky. the softoken needs the cert
|
|
|
|
* object in order to store trust. forcing it to be perm
|
|
|
|
*/
|
|
|
|
NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
|
|
|
|
NSSASCII7 *email = NULL;
|
|
|
|
|
|
|
|
if (PK11_IsInternal(tok->pk11slot)) {
|
|
|
|
email = c->email;
|
|
|
|
}
|
|
|
|
newInstance = nssToken_ImportCertificate(tok, NULL,
|
|
|
|
NSSCertificateType_PKIX,
|
|
|
|
&c->id,
|
|
|
|
nickname,
|
|
|
|
&c->encoding,
|
|
|
|
&c->issuer,
|
|
|
|
&c->subject,
|
|
|
|
&c->serial,
|
|
|
|
email,
|
|
|
|
PR_TRUE);
|
|
|
|
if (!newInstance) {
|
|
|
|
nssrv = PR_FAILURE;
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
nssPKIObject_AddInstance(&c->object, newInstance);
|
|
|
|
}
|
|
|
|
newInstance = nssToken_ImportTrust(tok, NULL, &c->encoding,
|
|
|
|
&c->issuer, &c->serial,
|
|
|
|
nssTrust->serverAuth,
|
|
|
|
nssTrust->clientAuth,
|
|
|
|
nssTrust->codeSigning,
|
|
|
|
nssTrust->emailProtection,
|
|
|
|
nssTrust->stepUpApproved, PR_TRUE);
|
|
|
|
/* If the selected token can't handle trust, dump the trust on
|
|
|
|
* the internal token */
|
2009-08-19 06:59:06 -07:00
|
|
|
if (!newInstance && !PK11_IsInternalKeySlot(tok->pk11slot)) {
|
2008-06-06 05:40:11 -07:00
|
|
|
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
|
|
|
|
NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
|
|
|
|
NSSASCII7 *email = c->email;
|
|
|
|
tok = PK11Slot_GetNSSToken(slot);
|
|
|
|
PK11_FreeSlot(slot);
|
|
|
|
|
|
|
|
newInstance = nssToken_ImportCertificate(tok, NULL,
|
|
|
|
NSSCertificateType_PKIX,
|
|
|
|
&c->id,
|
|
|
|
nickname,
|
|
|
|
&c->encoding,
|
|
|
|
&c->issuer,
|
|
|
|
&c->subject,
|
|
|
|
&c->serial,
|
|
|
|
email,
|
|
|
|
PR_TRUE);
|
|
|
|
if (!newInstance) {
|
|
|
|
nssrv = PR_FAILURE;
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
nssPKIObject_AddInstance(&c->object, newInstance);
|
|
|
|
newInstance = nssToken_ImportTrust(tok, NULL, &c->encoding,
|
|
|
|
&c->issuer, &c->serial,
|
|
|
|
nssTrust->serverAuth,
|
|
|
|
nssTrust->clientAuth,
|
|
|
|
nssTrust->codeSigning,
|
|
|
|
nssTrust->emailProtection,
|
|
|
|
nssTrust->stepUpApproved, PR_TRUE);
|
|
|
|
}
|
|
|
|
if (newInstance) {
|
|
|
|
nssCryptokiObject_Destroy(newInstance);
|
|
|
|
nssrv = PR_SUCCESS;
|
|
|
|
} else {
|
|
|
|
nssrv = PR_FAILURE;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
nssrv = PR_FAILURE;
|
|
|
|
}
|
|
|
|
done:
|
|
|
|
(void)nssTrust_Destroy(nssTrust);
|
|
|
|
return nssrv;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* CERT_TraversePermCertsForSubject */
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
|
|
nssTrustDomain_TraverseCertificatesBySubject (
|
|
|
|
NSSTrustDomain *td,
|
|
|
|
NSSDER *subject,
|
|
|
|
PRStatus (*callback)(NSSCertificate *c, void *arg),
|
|
|
|
void *arg
|
|
|
|
)
|
|
|
|
{
|
|
|
|
PRStatus nssrv = PR_SUCCESS;
|
|
|
|
NSSArena *tmpArena;
|
|
|
|
NSSCertificate **subjectCerts;
|
|
|
|
NSSCertificate *c;
|
|
|
|
PRIntn i;
|
|
|
|
tmpArena = NSSArena_Create();
|
|
|
|
if (!tmpArena) {
|
|
|
|
return PR_FAILURE;
|
|
|
|
}
|
|
|
|
subjectCerts = NSSTrustDomain_FindCertificatesBySubject(td, subject, NULL,
|
|
|
|
0, tmpArena);
|
|
|
|
if (subjectCerts) {
|
|
|
|
for (i=0, c = subjectCerts[i]; c; i++) {
|
|
|
|
nssrv = callback(c, arg);
|
|
|
|
if (nssrv != PR_SUCCESS) break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
nssArena_Destroy(tmpArena);
|
|
|
|
return nssrv;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* CERT_TraversePermCertsForNickname */
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
|
|
nssTrustDomain_TraverseCertificatesByNickname (
|
|
|
|
NSSTrustDomain *td,
|
|
|
|
NSSUTF8 *nickname,
|
|
|
|
PRStatus (*callback)(NSSCertificate *c, void *arg),
|
|
|
|
void *arg
|
|
|
|
)
|
|
|
|
{
|
|
|
|
PRStatus nssrv = PR_SUCCESS;
|
|
|
|
NSSArena *tmpArena;
|
|
|
|
NSSCertificate **nickCerts;
|
|
|
|
NSSCertificate *c;
|
|
|
|
PRIntn i;
|
|
|
|
tmpArena = NSSArena_Create();
|
|
|
|
if (!tmpArena) {
|
|
|
|
return PR_FAILURE;
|
|
|
|
}
|
|
|
|
nickCerts = NSSTrustDomain_FindCertificatesByNickname(td, nickname, NULL,
|
|
|
|
0, tmpArena);
|
|
|
|
if (nickCerts) {
|
|
|
|
for (i=0, c = nickCerts[i]; c; i++) {
|
|
|
|
nssrv = callback(c, arg);
|
|
|
|
if (nssrv != PR_SUCCESS) break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
nssArena_Destroy(tmpArena);
|
|
|
|
return nssrv;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void cert_dump_iter(const void *k, void *v, void *a)
|
|
|
|
{
|
|
|
|
NSSCertificate *c = (NSSCertificate *)k;
|
|
|
|
CERTCertificate *cert = STAN_GetCERTCertificate(c);
|
|
|
|
printf("[%2d] \"%s\"\n", c->object.refCount, cert->subjectName);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
nss_DumpCertificateCacheInfo()
|
|
|
|
{
|
|
|
|
NSSTrustDomain *td;
|
|
|
|
NSSCryptoContext *cc;
|
|
|
|
td = STAN_GetDefaultTrustDomain();
|
|
|
|
cc = STAN_GetDefaultCryptoContext();
|
|
|
|
printf("\n\nCertificates in the cache:\n");
|
|
|
|
nssTrustDomain_DumpCacheInfo(td, cert_dump_iter, NULL);
|
|
|
|
printf("\n\nCertificates in the temporary store:\n");
|
|
|
|
if (cc->certStore) {
|
|
|
|
nssCertificateStore_DumpStoreInfo(cc->certStore, cert_dump_iter, NULL);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|