Bug 912155 - Adding new interface in nssCertifcateDB for testing. r=bsmith

security/manager/ssl/public/nsIX509CertDB.idl

@@ -13,6 +13,7 @@ interface nsIFile;
 interface nsIInterfaceRequestor;
 interface nsIZipReader;
 interface nsIRecentBadCerts;
+interface nsIX509CertList;
 
 %{C++
 #define NS_X509CERTDB_CONTRACTID "@mozilla.org/security/x509certdb;1"
@@ -30,7 +31,7 @@ interface nsIOpenSignedJARFileCallback : nsISupports
  * This represents a service to access and manipulate 
  * X.509 certificates stored in a database.
  */
-[scriptable, uuid(ab0a1c52-f7fd-4fe7-9e65-7d3705a8580e)]
+[scriptable, uuid(3c2a5658-466a-11e3-a244-180373d97f23)]
 interface nsIX509CertDB : nsISupports {
 
   /**
@@ -298,4 +299,29 @@ interface nsIX509CertDB : nsISupports {
    * @param aName name of the cert for display purposes.
    */
   void addCert(in ACString certDER, in string aTrust, in string aName);
+
+  /** Warning: This interface is inteded to use only for testing only as:
+   *    1. It can create IO on the main thread.
+   *    2. It is in constant change, so in/out can change at any release.
+   *
+   *  Obtain the verification result for a cert given a particular usage.
+   *  On success, the call returns 0, the chain built during verification,
+   *  and whether the cert is good for EV usage.
+   *  On failure, the call returns the PRErrorCode for the verification failure
+   *
+   *  @param aCert Obtain the stored trust of this certificate
+   *  @param aUsage a integer representing the usage from NSS
+   *  @param aLocalOnly prevent network activity for revocation
+   *  @param verifedChain chain of verification up to the root if success
+   *  @param aHasEVPolicy bool that signified that the cert was an EV cert
+   *  @return 0 if success or the value or the error code for the verification
+   *          failure
+   */
+  int32_t /*PRErrorCode*/
+    verifyCertNow(in nsIX509Cert aCert,
+                  in int64_t /*SECCertificateUsage*/ aUsage,
+                  in bool aLocalOnly,
+                  out nsIX509CertList verifiedChain,
+                  out bool aHasEVPolicy);
+
 };

security/manager/ssl/src/nsNSSCertificateDB.cpp

@@ -1668,3 +1668,78 @@ nsNSSCertificateDB::GetRecentBadCerts(bool isPrivate, nsIRecentBadCerts** result
   }
   return NS_OK;
 }
+
+NS_IMETHODIMP
+nsNSSCertificateDB::VerifyCertNow(nsIX509Cert* aCert,
+                                  int64_t /*SECCertificateUsage*/ aUsage,
+                                  bool aLocalOnly,
+                                  nsIX509CertList** verifiedChain,
+                                  bool* aHasEVPolicy,
+                                  int32_t* /*PRErrorCode*/ _retval )
+{
+  NS_ENSURE_ARG_POINTER(aCert);
+  NS_ENSURE_ARG_POINTER(aHasEVPolicy);
+  NS_ENSURE_ARG_POINTER(verifiedChain);
+  NS_ENSURE_ARG_POINTER(_retval);
+
+  *verifiedChain = nullptr;
+  *aHasEVPolicy = false;
+  *_retval = PR_UNKNOWN_ERROR;
+
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  nsresult rv;
+#ifndef NSS_NO_LIBPKIX
+  nsCOMPtr<nsINSSComponent> inss = do_GetService(PSM_COMPONENT_CONTRACTID, &rv);
+  if (NS_FAILED(rv)) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+  inss->EnsureIdentityInfoLoaded();
+#endif
+
+  nsCOMPtr<nsIX509Cert2> x509Cert = do_QueryInterface(aCert);
+  if (!x509Cert) {
+    return NS_ERROR_INVALID_ARG;
+  }
+  ScopedCERTCertificate nssCert(x509Cert->GetCert());
+
+  RefPtr<CertVerifier> certVerifier(GetDefaultCertVerifier());
+  NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
+
+  CertVerifier::Flags flags = aLocalOnly ? CertVerifier::FLAG_LOCAL_ONLY : 0;
+  CERTCertList* resultChain = nullptr;
+  SECOidTag evOidPolicy;
+  SECStatus srv;
+
+  srv = certVerifier->VerifyCert(nssCert,
+                                 aUsage, PR_Now(),
+                                 nullptr, // Assume no context
+                                 flags,
+                                 &resultChain,
+                                 &evOidPolicy,
+                                 nullptr);
+
+  PRErrorCode error = PR_GetError();
+
+  nsCOMPtr<nsIX509CertList> nssCertList;
+  // This adopts the list
+  nssCertList = new nsNSSCertList(resultChain, locker);
+  NS_ENSURE_TRUE(nssCertList, NS_ERROR_FAILURE);
+
+  if (srv == SECSuccess) {
+    if (evOidPolicy != SEC_OID_UNKNOWN) {
+      *aHasEVPolicy = true;
+    }
+    *_retval = 0;
+  } else {
+    NS_ENSURE_TRUE(evOidPolicy == SEC_OID_UNKNOWN, NS_ERROR_FAILURE);
+    NS_ENSURE_TRUE(error != 0, NS_ERROR_FAILURE);
+    *_retval = error;
+  }
+  nssCertList.forget(verifiedChain);
+
+  return NS_OK;
+}

security/manager/ssl/tests/unit/head_psm.js

@@ -31,6 +31,20 @@ const SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE              = SEC_ERROR_BASE + 130;
 const SEC_ERROR_OCSP_OLD_RESPONSE                       = SEC_ERROR_BASE + 132;
 const SEC_ERROR_OCSP_INVALID_SIGNING_CERT               = SEC_ERROR_BASE + 144;
 
+// Certificate Usages
+const certificateUsageSSLClient              = 0x0001;
+const certificateUsageSSLServer              = 0x0002;
+const certificateUsageSSLServerWithStepUp    = 0x0004;
+const certificateUsageSSLCA                  = 0x0008;
+const certificateUsageEmailSigner            = 0x0010;
+const certificateUsageEmailRecipient         = 0x0020;
+const certificateUsageObjectSigner           = 0x0040;
+const certificateUsageUserCertImport         = 0x0080;
+const certificateUsageVerifyCA               = 0x0100;
+const certificateUsageProtectedObjectSigner  = 0x0200;
+const certificateUsageStatusResponder        = 0x0400;
+const certificateUsageAnyCA                  = 0x0800;
+
 function readFile(file) {
   let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
                   .createInstance(Ci.nsIFileInputStream);