wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 813418 - Centralize certificate validation (Part 4 remove verifycertnow). r=bsmith

Browse Source 
--HG--
extra : rebase_source : 15e6d3b1f70e24384914dfc71b393a00ac5ddf1e
This commit is contained in:
Camilo Viecco 2013-02-27 10:30:10 -08:00
parent 7f5d477b04
commit 4febdbc832
3 changed files with 59 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
security/manager/ssl/src/nsNSSCertificate.cpp
View File

@ -825,8 +825,45 @@ nsNSSCertificate::GetChain(nsIArray **_rvChain)
nsresult rv;
/* Get the cert chain from NSS */
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting chain for \"%s\"\n", mCert->nickname));
ScopedCERTCertList nssChain;
nssChain = CERT_GetCertChainFromCert(mCert, PR_Now(), certUsageSSLClient);
SECStatus srv;
nssChain = nullptr;
RefPtr<CertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
CERTCertList *pkixNssChain = nullptr;
// We want to test all usages, but we start with server because most of the
// time Firefox users care about server certs.
srv = certVerifier->VerifyCert(mCert,
certificateUsageSSLServer, PR_Now(),
nullptr, /*XXX fixme*/
CertVerifier::FLAG_LOCAL_ONLY,
&pkixNssChain);
for (int usage = certificateUsageSSLClient;
usage < certificateUsageAnyCA && !pkixNssChain;
usage = usage << 1) {
if (usage == certificateUsageSSLServer) {
continue;
}
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("pipnss: PKIX attempting chain(%d) for '%s'\n",usage, mCert->nickname));
srv = certVerifier->VerifyCert(mCert,
certificateUsageSSLClient, PR_Now(),
nullptr, /*XXX fixme*/
CertVerifier::FLAG_LOCAL_ONLY,
&pkixNssChain);
}
if (!pkixNssChain) {
// There is not verified path for the chain, howeever we still want to
// present to the user as much of a possible chain as possible, in the case
// where there was a problem with the cert or the issuers.
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("pipnss: getchain :CertVerify failed to get chain for '%s'\n", mCert->nickname));
nssChain = CERT_GetCertChainFromCert(mCert, PR_Now(), certUsageSSLClient);
} else {
nssChain = pkixNssChain;
}
if (!nssChain)
return NS_ERROR_FAILURE;
/* enumerate the chain for scripting purposes */

10
security/manager/ssl/src/nsNSSCertificateDB.cpp
View File

@ -487,20 +487,20 @@ ImportCertsIntoPermanentStorage(const ScopedCERTCertList &certChain, const SECCe
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
const PRTime now = PR_Now();
int chainLen=0;
int chainLen = 0;
for (CERTCertListNode *chainNode = CERT_LIST_HEAD(certChain);
!CERT_LIST_END(chainNode, certChain);
chainNode = CERT_LIST_NEXT(chainNode)) {
chainLen++;
}
SECItem **rawArray;
rawArray = (SECItem **) PORT_Alloc(chainLen * sizeof(SECItem *));
if (!rawArray) {
return SECFailure;
}
int i=0;
int i = 0;
for (CERTCertListNode *chainNode = CERT_LIST_HEAD(certChain);
!CERT_LIST_END(chainNode, certChain);
chainNode = CERT_LIST_NEXT(chainNode), i++) {
@ -509,9 +509,7 @@ ImportCertsIntoPermanentStorage(const ScopedCERTCertList &certChain, const SECCe
CERT_ImportCerts(certdb, usage, chainLen,
rawArray, nullptr, true, caOnly, nullptr);
PORT_Free(rawArray);
PORT_Free(rawArray);
return SECSuccess;
}

135
security/manager/ssl/src/nsUsageArrayHelper.cpp
View File

@ -32,66 +32,6 @@ nsUsageArrayHelper::nsUsageArrayHelper(CERTCertificate *aCert)
nssComponent = do_GetService(kNSSComponentCID, &m_rv);
}
// XXX: old, non-libpkix version of check that will be removed after the switch
// to libpkix is final.
void
nsUsageArrayHelper::check(const char *suffix,
SECCertificateUsage aCertUsage,
uint32_t &aCounter,
PRUnichar **outUsages)
{
if (!aCertUsage) return;
nsAutoCString typestr;
switch (aCertUsage) {
case certificateUsageSSLClient:
typestr = "VerifySSLClient";
break;
case certificateUsageSSLServer:
typestr = "VerifySSLServer";
break;
case certificateUsageSSLServerWithStepUp:
typestr = "VerifySSLStepUp";
break;
case certificateUsageEmailSigner:
typestr = "VerifyEmailSigner";
break;
case certificateUsageEmailRecipient:
typestr = "VerifyEmailRecip";
break;
case certificateUsageObjectSigner:
typestr = "VerifyObjSign";
break;
case certificateUsageProtectedObjectSigner:
typestr = "VerifyProtectObjSign";
break;
case certificateUsageUserCertImport:
typestr = "VerifyUserImport";
break;
case certificateUsageSSLCA:
typestr = "VerifySSLCA";
break;
case certificateUsageVerifyCA:
typestr = "VerifyCAVerifier";
break;
case certificateUsageStatusResponder:
typestr = "VerifyStatusResponder";
break;
case certificateUsageAnyCA:
typestr = "VerifyAnyCA";
break;
default:
break;
}
if (!typestr.IsEmpty()) {
typestr.Append(suffix);
nsAutoString verifyDesc;
m_rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
if (NS_SUCCEEDED(m_rv)) {
outUsages[aCounter++] = ToNewUnicode(verifyDesc);
}
}
}
namespace {
// Some validation errors are non-fatal in that, we should keep checking the
@ -259,67 +199,21 @@ nsUsageArrayHelper::GetUsagesArray(const char *suffix,
if (outArraySize < max_returned_out_array_size)
return NS_ERROR_FAILURE;
// Bug 860076, this disabling ocsp for all NSS is incorrect.
if (!nsNSSComponent::globalConstFlagUsePKIXVerification && localOnly) {
nsresult rv;
nssComponent = do_GetService(kNSSComponentCID, &rv);
if (NS_FAILED(rv))
return rv;
if (nssComponent) {
nssComponent->SkipOcsp();
}
}
uint32_t &count = *_count;
count = 0;
// TODO: This block will be removed as soon as the switch to libpkix is
// complete.
if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
if (localOnly) {
nssComponent->SkipOcsp();
}
SECCertificateUsage usages = 0;
int err = 0;
// CERT_VerifyCertificateNow returns SECFailure unless the certificate is
// valid for all the given usages. Hoewver, we are only looking for the list
// of usages for which the cert *is* valid.
(void)
CERT_VerifyCertificateNow(defaultcertdb, mCert, true,
certificateUsageSSLClient |
certificateUsageSSLServer |
certificateUsageSSLServerWithStepUp |
certificateUsageEmailSigner |
certificateUsageEmailRecipient |
certificateUsageObjectSigner |
certificateUsageSSLCA |
certificateUsageStatusResponder,
nullptr, &usages);
err = PR_GetError();
if (localOnly) {
nssComponent->SkipOcspOff();
}
// The following list of checks must be < max_returned_out_array_size
check(suffix, usages & certificateUsageSSLClient, count, outUsages);
check(suffix, usages & certificateUsageSSLServer, count, outUsages);
check(suffix, usages & certificateUsageEmailSigner, count, outUsages);
check(suffix, usages & certificateUsageEmailRecipient, count, outUsages);
check(suffix, usages & certificateUsageObjectSigner, count, outUsages);
#if 0
check(suffix, usages & certificateUsageProtectedObjectSigner, count, outUsages);
check(suffix, usages & certificateUsageUserCertImport, count, outUsages);
#endif
check(suffix, usages & certificateUsageSSLCA, count, outUsages);
#if 0
check(suffix, usages & certificateUsageVerifyCA, count, outUsages);
#endif
check(suffix, usages & certificateUsageStatusResponder, count, outUsages);
#if 0
check(suffix, usages & certificateUsageAnyCA, count, outUsages);
#endif
if (count == 0) {
verifyFailed(_verified, err);
} else {
*_verified = nsNSSCertificate::VERIFIED_OK;
}
return NS_OK;
}
RefPtr<CertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
@ -359,6 +253,11 @@ if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
certificateUsageAnyCA, now, flags, count, outUsages);
#endif
// Bug 860076, this disabling ocsp for all NSS is incorrect
if (!nsNSSComponent::globalConstFlagUsePKIXVerification && localOnly) {
nssComponent->SkipOcspOff();
}
if (isFatalError(result) || count == 0) {
MOZ_ASSERT(result != nsIX509Cert::VERIFIED_OK);