mirror of
https://github.com/rn10950/RetroZilla.git
synced 2024-11-14 03:30:17 +01:00
1073 lines
32 KiB
C
1073 lines
32 KiB
C
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "prtime.h"
|
|
|
|
#include "cert.h"
|
|
#include "certi.h"
|
|
#include "certdb.h"
|
|
#include "secitem.h"
|
|
#include "secder.h"
|
|
|
|
/* Call to PK11_FreeSlot below */
|
|
|
|
#include "secasn1.h"
|
|
#include "secerr.h"
|
|
#include "nssilock.h"
|
|
#include "prmon.h"
|
|
#include "base64.h"
|
|
#include "sechash.h"
|
|
#include "plhash.h"
|
|
#include "pk11func.h" /* sigh */
|
|
|
|
#include "nsspki.h"
|
|
#include "pki.h"
|
|
#include "pkim.h"
|
|
#include "pki3hack.h"
|
|
#include "ckhelper.h"
|
|
#include "base.h"
|
|
#include "pkistore.h"
|
|
#include "dev3hack.h"
|
|
#include "dev.h"
|
|
|
|
PRBool
|
|
SEC_CertNicknameConflict(const char *nickname, const SECItem *derSubject,
|
|
CERTCertDBHandle *handle)
|
|
{
|
|
CERTCertificate *cert;
|
|
PRBool conflict = PR_FALSE;
|
|
|
|
cert=CERT_FindCertByNickname(handle, nickname);
|
|
|
|
if (!cert) {
|
|
return conflict;
|
|
}
|
|
|
|
conflict = !SECITEM_ItemsAreEqual(derSubject,&cert->derSubject);
|
|
CERT_DestroyCertificate(cert);
|
|
return conflict;
|
|
}
|
|
|
|
SECStatus
|
|
SEC_DeletePermCertificate(CERTCertificate *cert)
|
|
{
|
|
PRStatus nssrv;
|
|
NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
|
|
NSSCertificate *c = STAN_GetNSSCertificate(cert);
|
|
CERTCertTrust *certTrust;
|
|
|
|
if (c == NULL) {
|
|
/* error code is set */
|
|
return SECFailure;
|
|
}
|
|
|
|
certTrust = nssTrust_GetCERTCertTrustForCert(c, cert);
|
|
if (certTrust) {
|
|
NSSTrust *nssTrust = nssTrustDomain_FindTrustForCertificate(td, c);
|
|
if (nssTrust) {
|
|
nssrv = STAN_DeleteCertTrustMatchingSlot(c);
|
|
if (nssrv != PR_SUCCESS) {
|
|
CERT_MapStanError();
|
|
}
|
|
/* This call always returns PR_SUCCESS! */
|
|
(void) nssTrust_Destroy(nssTrust);
|
|
}
|
|
}
|
|
|
|
/* get rid of the token instances */
|
|
nssrv = NSSCertificate_DeleteStoredObject(c, NULL);
|
|
|
|
/* get rid of the cache entry */
|
|
nssTrustDomain_LockCertCache(td);
|
|
nssTrustDomain_RemoveCertFromCacheLOCKED(td, c);
|
|
nssTrustDomain_UnlockCertCache(td);
|
|
|
|
return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
|
|
}
|
|
|
|
SECStatus
|
|
CERT_GetCertTrust(const CERTCertificate *cert, CERTCertTrust *trust)
|
|
{
|
|
SECStatus rv;
|
|
CERT_LockCertTrust(cert);
|
|
if ( cert->trust == NULL ) {
|
|
rv = SECFailure;
|
|
} else {
|
|
*trust = *cert->trust;
|
|
rv = SECSuccess;
|
|
}
|
|
CERT_UnlockCertTrust(cert);
|
|
return(rv);
|
|
}
|
|
|
|
extern const NSSError NSS_ERROR_NO_ERROR;
|
|
extern const NSSError NSS_ERROR_INTERNAL_ERROR;
|
|
extern const NSSError NSS_ERROR_NO_MEMORY;
|
|
extern const NSSError NSS_ERROR_INVALID_POINTER;
|
|
extern const NSSError NSS_ERROR_INVALID_ARENA;
|
|
extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
|
|
extern const NSSError NSS_ERROR_DUPLICATE_POINTER;
|
|
extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
|
|
extern const NSSError NSS_ERROR_TRACKER_NOT_EMPTY;
|
|
extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
|
|
extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
|
|
extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
|
|
extern const NSSError NSS_ERROR_UNSUPPORTED_TYPE;
|
|
extern const NSSError NSS_ERROR_BUFFER_TOO_SHORT;
|
|
extern const NSSError NSS_ERROR_INVALID_ATOB_CONTEXT;
|
|
extern const NSSError NSS_ERROR_INVALID_BASE64;
|
|
extern const NSSError NSS_ERROR_INVALID_BTOA_CONTEXT;
|
|
extern const NSSError NSS_ERROR_INVALID_ITEM;
|
|
extern const NSSError NSS_ERROR_INVALID_STRING;
|
|
extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
|
|
extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
|
|
extern const NSSError NSS_ERROR_INVALID_BER;
|
|
extern const NSSError NSS_ERROR_INVALID_ATAV;
|
|
extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
|
|
extern const NSSError NSS_ERROR_INVALID_UTF8;
|
|
extern const NSSError NSS_ERROR_INVALID_NSSOID;
|
|
extern const NSSError NSS_ERROR_UNKNOWN_ATTRIBUTE;
|
|
extern const NSSError NSS_ERROR_NOT_FOUND;
|
|
extern const NSSError NSS_ERROR_INVALID_PASSWORD;
|
|
extern const NSSError NSS_ERROR_USER_CANCELED;
|
|
extern const NSSError NSS_ERROR_MAXIMUM_FOUND;
|
|
extern const NSSError NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND;
|
|
extern const NSSError NSS_ERROR_CERTIFICATE_IN_CACHE;
|
|
extern const NSSError NSS_ERROR_HASH_COLLISION;
|
|
extern const NSSError NSS_ERROR_DEVICE_ERROR;
|
|
extern const NSSError NSS_ERROR_INVALID_CERTIFICATE;
|
|
extern const NSSError NSS_ERROR_BUSY;
|
|
extern const NSSError NSS_ERROR_ALREADY_INITIALIZED;
|
|
extern const NSSError NSS_ERROR_PKCS11;
|
|
|
|
|
|
/* Look at the stan error stack and map it to NSS 3 errors */
|
|
#define STAN_MAP_ERROR(x,y) \
|
|
else if (error == (x)) { \
|
|
secError = y; \
|
|
} \
|
|
|
|
/*
|
|
* map Stan errors into NSS errors
|
|
* This function examines the stan error stack and automatically sets
|
|
* PORT_SetError(); to the appropriate SEC_ERROR value.
|
|
*/
|
|
void
|
|
CERT_MapStanError()
|
|
{
|
|
PRInt32 *errorStack;
|
|
NSSError error, prevError;
|
|
int secError;
|
|
int i;
|
|
|
|
error = 0;
|
|
|
|
errorStack = NSS_GetErrorStack();
|
|
if (errorStack == 0) {
|
|
PORT_SetError(0);
|
|
return;
|
|
}
|
|
error = prevError = CKR_GENERAL_ERROR;
|
|
/* get the 'top 2' error codes from the stack */
|
|
for (i=0; errorStack[i]; i++) {
|
|
prevError = error;
|
|
error = errorStack[i];
|
|
}
|
|
if (error == NSS_ERROR_PKCS11) {
|
|
/* map it */
|
|
secError = PK11_MapError(prevError);
|
|
}
|
|
STAN_MAP_ERROR(NSS_ERROR_NO_ERROR, 0)
|
|
STAN_MAP_ERROR(NSS_ERROR_NO_MEMORY, SEC_ERROR_NO_MEMORY)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_BASE64, SEC_ERROR_BAD_DATA)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_BER, SEC_ERROR_BAD_DER)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_ATAV, SEC_ERROR_INVALID_AVA)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_PASSWORD,SEC_ERROR_BAD_PASSWORD)
|
|
STAN_MAP_ERROR(NSS_ERROR_BUSY, SEC_ERROR_BUSY)
|
|
STAN_MAP_ERROR(NSS_ERROR_DEVICE_ERROR, SEC_ERROR_IO)
|
|
STAN_MAP_ERROR(NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND,
|
|
SEC_ERROR_UNKNOWN_ISSUER)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_CERTIFICATE, SEC_ERROR_CERT_NOT_VALID)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_UTF8, SEC_ERROR_BAD_DATA)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_NSSOID, SEC_ERROR_BAD_DATA)
|
|
|
|
/* these are library failure for lack of a better error code */
|
|
STAN_MAP_ERROR(NSS_ERROR_NOT_FOUND, SEC_ERROR_LIBRARY_FAILURE)
|
|
STAN_MAP_ERROR(NSS_ERROR_CERTIFICATE_IN_CACHE,
|
|
SEC_ERROR_LIBRARY_FAILURE)
|
|
STAN_MAP_ERROR(NSS_ERROR_MAXIMUM_FOUND, SEC_ERROR_LIBRARY_FAILURE)
|
|
STAN_MAP_ERROR(NSS_ERROR_USER_CANCELED, SEC_ERROR_LIBRARY_FAILURE)
|
|
STAN_MAP_ERROR(NSS_ERROR_TRACKER_NOT_INITIALIZED,
|
|
SEC_ERROR_LIBRARY_FAILURE)
|
|
STAN_MAP_ERROR(NSS_ERROR_ALREADY_INITIALIZED, SEC_ERROR_LIBRARY_FAILURE)
|
|
STAN_MAP_ERROR(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD,
|
|
SEC_ERROR_LIBRARY_FAILURE)
|
|
STAN_MAP_ERROR(NSS_ERROR_HASH_COLLISION, SEC_ERROR_LIBRARY_FAILURE)
|
|
|
|
STAN_MAP_ERROR(NSS_ERROR_INTERNAL_ERROR, SEC_ERROR_LIBRARY_FAILURE)
|
|
|
|
/* these are all invalid arguments */
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_ARGUMENT, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_POINTER, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_ARENA, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_ARENA_MARK, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_DUPLICATE_POINTER, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_POINTER_NOT_REGISTERED, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_TRACKER_NOT_EMPTY, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_VALUE_TOO_LARGE, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_UNSUPPORTED_TYPE, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_BUFFER_TOO_SHORT, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_ATOB_CONTEXT, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_BTOA_CONTEXT, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_ITEM, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_STRING, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_ASN1ENCODER, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_INVALID_ASN1DECODER, SEC_ERROR_INVALID_ARGS)
|
|
STAN_MAP_ERROR(NSS_ERROR_UNKNOWN_ATTRIBUTE, SEC_ERROR_INVALID_ARGS)
|
|
else {
|
|
secError = SEC_ERROR_LIBRARY_FAILURE;
|
|
}
|
|
PORT_SetError(secError);
|
|
}
|
|
|
|
|
|
|
|
SECStatus
|
|
CERT_ChangeCertTrust(CERTCertDBHandle *handle, CERTCertificate *cert,
|
|
CERTCertTrust *trust)
|
|
{
|
|
SECStatus rv = SECSuccess;
|
|
PRStatus ret;
|
|
|
|
ret = STAN_ChangeCertTrust(cert, trust);
|
|
if (ret != PR_SUCCESS) {
|
|
rv = SECFailure;
|
|
CERT_MapStanError();
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
extern const NSSError NSS_ERROR_INVALID_CERTIFICATE;
|
|
|
|
SECStatus
|
|
__CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
|
|
CERTCertTrust *trust)
|
|
{
|
|
NSSUTF8 *stanNick;
|
|
PK11SlotInfo *slot;
|
|
NSSToken *internal;
|
|
NSSCryptoContext *context;
|
|
nssCryptokiObject *permInstance;
|
|
NSSCertificate *c = STAN_GetNSSCertificate(cert);
|
|
nssCertificateStoreTrace lockTrace = {NULL, NULL, PR_FALSE, PR_FALSE};
|
|
nssCertificateStoreTrace unlockTrace = {NULL, NULL, PR_FALSE, PR_FALSE};
|
|
SECStatus rv;
|
|
PRStatus ret;
|
|
|
|
if (c == NULL) {
|
|
CERT_MapStanError();
|
|
return SECFailure;
|
|
}
|
|
|
|
context = c->object.cryptoContext;
|
|
if (!context) {
|
|
PORT_SetError(SEC_ERROR_ADDING_CERT);
|
|
return SECFailure; /* wasn't a temp cert */
|
|
}
|
|
stanNick = nssCertificate_GetNickname(c, NULL);
|
|
if (stanNick && nickname && strcmp(nickname, stanNick) != 0) {
|
|
/* different: take the new nickname */
|
|
cert->nickname = NULL;
|
|
nss_ZFreeIf(stanNick);
|
|
stanNick = NULL;
|
|
}
|
|
if (!stanNick && nickname) {
|
|
/* Either there was no nickname yet, or we have a new nickname */
|
|
stanNick = nssUTF8_Duplicate((NSSUTF8 *)nickname, NULL);
|
|
} /* else: old stanNick is identical to new nickname */
|
|
/* Delete the temp instance */
|
|
nssCertificateStore_Lock(context->certStore, &lockTrace);
|
|
nssCertificateStore_RemoveCertLOCKED(context->certStore, c);
|
|
nssCertificateStore_Unlock(context->certStore, &lockTrace, &unlockTrace);
|
|
c->object.cryptoContext = NULL;
|
|
/* Import the perm instance onto the internal token */
|
|
slot = PK11_GetInternalKeySlot();
|
|
internal = PK11Slot_GetNSSToken(slot);
|
|
permInstance = nssToken_ImportCertificate(internal, NULL,
|
|
NSSCertificateType_PKIX,
|
|
&c->id,
|
|
stanNick,
|
|
&c->encoding,
|
|
&c->issuer,
|
|
&c->subject,
|
|
&c->serial,
|
|
cert->emailAddr,
|
|
PR_TRUE);
|
|
nss_ZFreeIf(stanNick);
|
|
stanNick = NULL;
|
|
PK11_FreeSlot(slot);
|
|
if (!permInstance) {
|
|
if (NSS_GetError() == NSS_ERROR_INVALID_CERTIFICATE) {
|
|
PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
|
|
}
|
|
return SECFailure;
|
|
}
|
|
nssPKIObject_AddInstance(&c->object, permInstance);
|
|
nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
|
|
/* reset the CERTCertificate fields */
|
|
cert->nssCertificate = NULL;
|
|
cert = STAN_GetCERTCertificateOrRelease(c); /* should return same pointer */
|
|
if (!cert) {
|
|
CERT_MapStanError();
|
|
return SECFailure;
|
|
}
|
|
cert->istemp = PR_FALSE;
|
|
cert->isperm = PR_TRUE;
|
|
if (!trust) {
|
|
return SECSuccess;
|
|
}
|
|
ret = STAN_ChangeCertTrust(cert, trust);
|
|
rv = SECSuccess;
|
|
if (ret != PR_SUCCESS) {
|
|
rv = SECFailure;
|
|
CERT_MapStanError();
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
SECStatus
|
|
CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
|
|
CERTCertTrust *trust)
|
|
{
|
|
return __CERT_AddTempCertToPerm(cert, nickname, trust);
|
|
}
|
|
|
|
CERTCertificate *
|
|
CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
|
|
char *nickname, PRBool isperm, PRBool copyDER)
|
|
{
|
|
NSSCertificate *c;
|
|
CERTCertificate *cc;
|
|
NSSCertificate *tempCert = NULL;
|
|
nssPKIObject *pkio;
|
|
NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext();
|
|
NSSTrustDomain *gTD = STAN_GetDefaultTrustDomain();
|
|
if (!isperm) {
|
|
NSSDER encoding;
|
|
NSSITEM_FROM_SECITEM(&encoding, derCert);
|
|
/* First, see if it is already a temp cert */
|
|
c = NSSCryptoContext_FindCertificateByEncodedCertificate(gCC,
|
|
&encoding);
|
|
if (!c) {
|
|
/* Then, see if it is already a perm cert */
|
|
c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
|
|
&encoding);
|
|
}
|
|
if (c) {
|
|
/* actually, that search ends up going by issuer/serial,
|
|
* so it is still possible to return a cert with the same
|
|
* issuer/serial but a different encoding, and we're
|
|
* going to reject that
|
|
*/
|
|
if (!nssItem_Equal(&c->encoding, &encoding, NULL)) {
|
|
nssCertificate_Destroy(c);
|
|
PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
|
|
cc = NULL;
|
|
} else {
|
|
cc = STAN_GetCERTCertificateOrRelease(c);
|
|
if (cc == NULL) {
|
|
CERT_MapStanError();
|
|
}
|
|
}
|
|
return cc;
|
|
}
|
|
}
|
|
pkio = nssPKIObject_Create(NULL, NULL, gTD, gCC, nssPKIMonitor);
|
|
if (!pkio) {
|
|
CERT_MapStanError();
|
|
return NULL;
|
|
}
|
|
c = nss_ZNEW(pkio->arena, NSSCertificate);
|
|
if (!c) {
|
|
CERT_MapStanError();
|
|
nssPKIObject_Destroy(pkio);
|
|
return NULL;
|
|
}
|
|
c->object = *pkio;
|
|
if (copyDER) {
|
|
nssItem_Create(c->object.arena, &c->encoding,
|
|
derCert->len, derCert->data);
|
|
} else {
|
|
NSSITEM_FROM_SECITEM(&c->encoding, derCert);
|
|
}
|
|
/* Forces a decoding of the cert in order to obtain the parts used
|
|
* below
|
|
*/
|
|
/* 'c' is not adopted here, if we fail loser frees what has been
|
|
* allocated so far for 'c' */
|
|
cc = STAN_GetCERTCertificate(c);
|
|
if (!cc) {
|
|
CERT_MapStanError();
|
|
goto loser;
|
|
}
|
|
nssItem_Create(c->object.arena,
|
|
&c->issuer, cc->derIssuer.len, cc->derIssuer.data);
|
|
nssItem_Create(c->object.arena,
|
|
&c->subject, cc->derSubject.len, cc->derSubject.data);
|
|
if (PR_TRUE) {
|
|
/* CERTCertificate stores serial numbers decoded. I need the DER
|
|
* here. sigh.
|
|
*/
|
|
SECItem derSerial = { 0 };
|
|
CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
|
|
if (!derSerial.data) goto loser;
|
|
nssItem_Create(c->object.arena, &c->serial, derSerial.len, derSerial.data);
|
|
PORT_Free(derSerial.data);
|
|
}
|
|
if (nickname) {
|
|
c->object.tempName = nssUTF8_Create(c->object.arena,
|
|
nssStringType_UTF8String,
|
|
(NSSUTF8 *)nickname,
|
|
PORT_Strlen(nickname));
|
|
}
|
|
if (cc->emailAddr && cc->emailAddr[0]) {
|
|
c->email = nssUTF8_Create(c->object.arena,
|
|
nssStringType_PrintableString,
|
|
(NSSUTF8 *)cc->emailAddr,
|
|
PORT_Strlen(cc->emailAddr));
|
|
}
|
|
|
|
tempCert = NSSCryptoContext_FindOrImportCertificate(gCC, c);
|
|
if (!tempCert) {
|
|
CERT_MapStanError();
|
|
goto loser;
|
|
}
|
|
/* destroy our copy */
|
|
NSSCertificate_Destroy(c);
|
|
/* and use the stored entry */
|
|
c = tempCert;
|
|
cc = STAN_GetCERTCertificateOrRelease(c);
|
|
if (!cc) {
|
|
/* STAN_GetCERTCertificateOrRelease destroys c on failure. */
|
|
CERT_MapStanError();
|
|
return NULL;
|
|
}
|
|
|
|
cc->istemp = PR_TRUE;
|
|
cc->isperm = PR_FALSE;
|
|
return cc;
|
|
loser:
|
|
/* Perhaps this should be nssCertificate_Destroy(c) */
|
|
nssPKIObject_Destroy(&c->object);
|
|
return NULL;
|
|
}
|
|
|
|
/* This symbol is exported for backward compatibility. */
|
|
CERTCertificate *
|
|
__CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
|
|
char *nickname, PRBool isperm, PRBool copyDER)
|
|
{
|
|
return CERT_NewTempCertificate(handle, derCert, nickname,
|
|
isperm, copyDER);
|
|
}
|
|
|
|
/* maybe all the wincx's should be some const for internal token login? */
|
|
CERTCertificate *
|
|
CERT_FindCertByIssuerAndSN(CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN)
|
|
{
|
|
PK11SlotInfo *slot;
|
|
CERTCertificate *cert;
|
|
|
|
cert = PK11_FindCertByIssuerAndSN(&slot,issuerAndSN,NULL);
|
|
if (cert && slot) {
|
|
PK11_FreeSlot(slot);
|
|
}
|
|
|
|
return cert;
|
|
}
|
|
|
|
static NSSCertificate *
|
|
get_best_temp_or_perm(NSSCertificate *ct, NSSCertificate *cp)
|
|
{
|
|
NSSUsage usage;
|
|
NSSCertificate *arr[3];
|
|
if (!ct) {
|
|
return nssCertificate_AddRef(cp);
|
|
} else if (!cp) {
|
|
return nssCertificate_AddRef(ct);
|
|
}
|
|
arr[0] = ct;
|
|
arr[1] = cp;
|
|
arr[2] = NULL;
|
|
usage.anyUsage = PR_TRUE;
|
|
return nssCertificateArray_FindBestCertificate(arr, NULL, &usage, NULL);
|
|
}
|
|
|
|
CERTCertificate *
|
|
CERT_FindCertByName(CERTCertDBHandle *handle, SECItem *name)
|
|
{
|
|
NSSCertificate *cp, *ct, *c;
|
|
NSSDER subject;
|
|
NSSUsage usage;
|
|
NSSCryptoContext *cc;
|
|
NSSITEM_FROM_SECITEM(&subject, name);
|
|
usage.anyUsage = PR_TRUE;
|
|
cc = STAN_GetDefaultCryptoContext();
|
|
ct = NSSCryptoContext_FindBestCertificateBySubject(cc, &subject,
|
|
NULL, &usage, NULL);
|
|
cp = NSSTrustDomain_FindBestCertificateBySubject(handle, &subject,
|
|
NULL, &usage, NULL);
|
|
c = get_best_temp_or_perm(ct, cp);
|
|
if (ct) {
|
|
CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
|
|
}
|
|
if (cp) {
|
|
CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(cp));
|
|
}
|
|
return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
|
|
}
|
|
|
|
CERTCertificate *
|
|
CERT_FindCertByKeyID(CERTCertDBHandle *handle, SECItem *name, SECItem *keyID)
|
|
{
|
|
CERTCertList *list;
|
|
CERTCertificate *cert = NULL;
|
|
CERTCertListNode *node, *head;
|
|
|
|
list = CERT_CreateSubjectCertList(NULL,handle,name,0,PR_FALSE);
|
|
if (list == NULL) return NULL;
|
|
|
|
node = head = CERT_LIST_HEAD(list);
|
|
if (head) {
|
|
do {
|
|
if (node->cert &&
|
|
SECITEM_ItemsAreEqual(&node->cert->subjectKeyID, keyID) ) {
|
|
cert = CERT_DupCertificate(node->cert);
|
|
goto done;
|
|
}
|
|
node = CERT_LIST_NEXT(node);
|
|
} while (node && head != node);
|
|
}
|
|
PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
|
|
done:
|
|
if (list) {
|
|
CERT_DestroyCertList(list);
|
|
}
|
|
return cert;
|
|
}
|
|
|
|
CERTCertificate *
|
|
CERT_FindCertByNickname(CERTCertDBHandle *handle, const char *nickname)
|
|
{
|
|
NSSCryptoContext *cc;
|
|
NSSCertificate *c, *ct;
|
|
CERTCertificate *cert;
|
|
NSSUsage usage;
|
|
usage.anyUsage = PR_TRUE;
|
|
cc = STAN_GetDefaultCryptoContext();
|
|
ct = NSSCryptoContext_FindBestCertificateByNickname(cc, nickname,
|
|
NULL, &usage, NULL);
|
|
cert = PK11_FindCertFromNickname(nickname, NULL);
|
|
c = NULL;
|
|
if (cert) {
|
|
c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
|
|
CERT_DestroyCertificate(cert);
|
|
if (ct) {
|
|
CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
|
|
}
|
|
} else {
|
|
c = ct;
|
|
}
|
|
return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
|
|
}
|
|
|
|
CERTCertificate *
|
|
CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
|
|
{
|
|
NSSCryptoContext *cc;
|
|
NSSCertificate *c;
|
|
NSSDER encoding;
|
|
NSSITEM_FROM_SECITEM(&encoding, derCert);
|
|
cc = STAN_GetDefaultCryptoContext();
|
|
c = NSSCryptoContext_FindCertificateByEncodedCertificate(cc, &encoding);
|
|
if (!c) {
|
|
c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
|
|
&encoding);
|
|
if (!c) return NULL;
|
|
}
|
|
return STAN_GetCERTCertificateOrRelease(c);
|
|
}
|
|
|
|
static CERTCertificate *
|
|
common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
|
|
const char *name,
|
|
PRBool anyUsage,
|
|
SECCertUsage lookingForUsage)
|
|
{
|
|
NSSCryptoContext *cc;
|
|
NSSCertificate *c, *ct;
|
|
CERTCertificate *cert = NULL;
|
|
NSSUsage usage;
|
|
CERTCertList *certlist;
|
|
|
|
if (NULL == name) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return NULL;
|
|
}
|
|
|
|
usage.anyUsage = anyUsage;
|
|
|
|
if (!anyUsage) {
|
|
usage.nss3lookingForCA = PR_FALSE;
|
|
usage.nss3usage = lookingForUsage;
|
|
}
|
|
|
|
cc = STAN_GetDefaultCryptoContext();
|
|
ct = NSSCryptoContext_FindBestCertificateByNickname(cc, name,
|
|
NULL, &usage, NULL);
|
|
if (!ct && PORT_Strchr(name, '@') != NULL) {
|
|
char* lowercaseName = CERT_FixupEmailAddr(name);
|
|
if (lowercaseName) {
|
|
ct = NSSCryptoContext_FindBestCertificateByEmail(cc, lowercaseName,
|
|
NULL, &usage, NULL);
|
|
PORT_Free(lowercaseName);
|
|
}
|
|
}
|
|
|
|
if (anyUsage) {
|
|
cert = PK11_FindCertFromNickname(name, NULL);
|
|
}
|
|
else {
|
|
if (ct) {
|
|
/* Does ct really have the required usage? */
|
|
nssDecodedCert *dc;
|
|
dc = nssCertificate_GetDecoding(ct);
|
|
if (!dc->matchUsage(dc, &usage)) {
|
|
CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
|
|
ct = NULL;
|
|
}
|
|
}
|
|
|
|
certlist = PK11_FindCertsFromNickname(name, NULL);
|
|
if (certlist) {
|
|
SECStatus rv = CERT_FilterCertListByUsage(certlist,
|
|
lookingForUsage,
|
|
PR_FALSE);
|
|
if (SECSuccess == rv &&
|
|
!CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist)) {
|
|
cert = CERT_DupCertificate(CERT_LIST_HEAD(certlist)->cert);
|
|
}
|
|
CERT_DestroyCertList(certlist);
|
|
}
|
|
}
|
|
|
|
if (cert) {
|
|
c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
|
|
CERT_DestroyCertificate(cert);
|
|
if (ct) {
|
|
CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
|
|
}
|
|
} else {
|
|
c = ct;
|
|
}
|
|
return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
|
|
}
|
|
|
|
CERTCertificate *
|
|
CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name)
|
|
{
|
|
return common_FindCertByNicknameOrEmailAddrForUsage(handle, name,
|
|
PR_TRUE, 0);
|
|
}
|
|
|
|
CERTCertificate *
|
|
CERT_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
|
|
const char *name,
|
|
SECCertUsage lookingForUsage)
|
|
{
|
|
return common_FindCertByNicknameOrEmailAddrForUsage(handle, name,
|
|
PR_FALSE,
|
|
lookingForUsage);
|
|
}
|
|
|
|
static void
|
|
add_to_subject_list(CERTCertList *certList, CERTCertificate *cert,
|
|
PRBool validOnly, PRTime sorttime)
|
|
{
|
|
SECStatus secrv;
|
|
if (!validOnly ||
|
|
CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE)
|
|
== secCertTimeValid) {
|
|
secrv = CERT_AddCertToListSorted(certList, cert,
|
|
CERT_SortCBValidity,
|
|
(void *)&sorttime);
|
|
if (secrv != SECSuccess) {
|
|
CERT_DestroyCertificate(cert);
|
|
}
|
|
} else {
|
|
CERT_DestroyCertificate(cert);
|
|
}
|
|
}
|
|
|
|
CERTCertList *
|
|
CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
|
|
const SECItem *name, PRTime sorttime,
|
|
PRBool validOnly)
|
|
{
|
|
NSSCryptoContext *cc;
|
|
NSSCertificate **tSubjectCerts, **pSubjectCerts;
|
|
NSSCertificate **ci;
|
|
CERTCertificate *cert;
|
|
NSSDER subject;
|
|
PRBool myList = PR_FALSE;
|
|
cc = STAN_GetDefaultCryptoContext();
|
|
NSSITEM_FROM_SECITEM(&subject, name);
|
|
/* Collect both temp and perm certs for the subject */
|
|
tSubjectCerts = NSSCryptoContext_FindCertificatesBySubject(cc,
|
|
&subject,
|
|
NULL,
|
|
0,
|
|
NULL);
|
|
pSubjectCerts = NSSTrustDomain_FindCertificatesBySubject(handle,
|
|
&subject,
|
|
NULL,
|
|
0,
|
|
NULL);
|
|
if (!tSubjectCerts && !pSubjectCerts) {
|
|
return NULL;
|
|
}
|
|
if (certList == NULL) {
|
|
certList = CERT_NewCertList();
|
|
myList = PR_TRUE;
|
|
if (!certList) goto loser;
|
|
}
|
|
/* Iterate over the matching temp certs. Add them to the list */
|
|
ci = tSubjectCerts;
|
|
while (ci && *ci) {
|
|
cert = STAN_GetCERTCertificateOrRelease(*ci);
|
|
/* *ci may be invalid at this point, don't reference it again */
|
|
if (cert) {
|
|
/* NOTE: add_to_subject_list adopts the incoming cert. */
|
|
add_to_subject_list(certList, cert, validOnly, sorttime);
|
|
}
|
|
ci++;
|
|
}
|
|
/* Iterate over the matching perm certs. Add them to the list */
|
|
ci = pSubjectCerts;
|
|
while (ci && *ci) {
|
|
cert = STAN_GetCERTCertificateOrRelease(*ci);
|
|
/* *ci may be invalid at this point, don't reference it again */
|
|
if (cert) {
|
|
/* NOTE: add_to_subject_list adopts the incoming cert. */
|
|
add_to_subject_list(certList, cert, validOnly, sorttime);
|
|
}
|
|
ci++;
|
|
}
|
|
/* all the references have been adopted or freed at this point, just
|
|
* free the arrays now */
|
|
nss_ZFreeIf(tSubjectCerts);
|
|
nss_ZFreeIf(pSubjectCerts);
|
|
return certList;
|
|
loser:
|
|
/* need to free the references in tSubjectCerts and pSubjectCerts! */
|
|
nssCertificateArray_Destroy(tSubjectCerts);
|
|
nssCertificateArray_Destroy(pSubjectCerts);
|
|
if (myList && certList != NULL) {
|
|
CERT_DestroyCertList(certList);
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
void
|
|
CERT_DestroyCertificate(CERTCertificate *cert)
|
|
{
|
|
if ( cert ) {
|
|
/* don't use STAN_GetNSSCertificate because we don't want to
|
|
* go to the trouble of translating the CERTCertificate into
|
|
* an NSSCertificate just to destroy it. If it hasn't been done
|
|
* yet, don't do it at all.
|
|
*/
|
|
NSSCertificate *tmp = cert->nssCertificate;
|
|
if (tmp) {
|
|
/* delete the NSSCertificate */
|
|
NSSCertificate_Destroy(tmp);
|
|
} else if (cert->arena) {
|
|
PORT_FreeArena(cert->arena, PR_FALSE);
|
|
}
|
|
}
|
|
return;
|
|
}
|
|
|
|
int
|
|
CERT_GetDBContentVersion(CERTCertDBHandle *handle)
|
|
{
|
|
/* should read the DB content version from the pkcs #11 device */
|
|
return 0;
|
|
}
|
|
|
|
SECStatus
|
|
certdb_SaveSingleProfile(CERTCertificate *cert, const char *emailAddr,
|
|
SECItem *emailProfile, SECItem *profileTime)
|
|
{
|
|
PRTime oldtime;
|
|
PRTime newtime;
|
|
SECStatus rv = SECFailure;
|
|
PRBool saveit;
|
|
SECItem oldprof, oldproftime;
|
|
SECItem *oldProfile = NULL;
|
|
SECItem *oldProfileTime = NULL;
|
|
PK11SlotInfo *slot = NULL;
|
|
NSSCertificate *c;
|
|
NSSCryptoContext *cc;
|
|
nssSMIMEProfile *stanProfile = NULL;
|
|
PRBool freeOldProfile = PR_FALSE;
|
|
|
|
c = STAN_GetNSSCertificate(cert);
|
|
if (!c) return SECFailure;
|
|
cc = c->object.cryptoContext;
|
|
if (cc != NULL) {
|
|
stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
|
|
if (stanProfile) {
|
|
PORT_Assert(stanProfile->profileData);
|
|
SECITEM_FROM_NSSITEM(&oldprof, stanProfile->profileData);
|
|
oldProfile = &oldprof;
|
|
SECITEM_FROM_NSSITEM(&oldproftime, stanProfile->profileTime);
|
|
oldProfileTime = &oldproftime;
|
|
}
|
|
} else {
|
|
oldProfile = PK11_FindSMimeProfile(&slot, (char *)emailAddr,
|
|
&cert->derSubject, &oldProfileTime);
|
|
freeOldProfile = PR_TRUE;
|
|
}
|
|
|
|
saveit = PR_FALSE;
|
|
|
|
/* both profileTime and emailProfile have to exist or not exist */
|
|
if ( emailProfile == NULL ) {
|
|
profileTime = NULL;
|
|
} else if ( profileTime == NULL ) {
|
|
emailProfile = NULL;
|
|
}
|
|
|
|
if ( oldProfileTime == NULL ) {
|
|
saveit = PR_TRUE;
|
|
} else {
|
|
/* there was already a profile for this email addr */
|
|
if ( profileTime ) {
|
|
/* we have an old and new profile - save whichever is more recent*/
|
|
if ( oldProfileTime->len == 0 ) {
|
|
/* always replace if old entry doesn't have a time */
|
|
oldtime = LL_MININT;
|
|
} else {
|
|
rv = DER_UTCTimeToTime(&oldtime, oldProfileTime);
|
|
if ( rv != SECSuccess ) {
|
|
goto loser;
|
|
}
|
|
}
|
|
|
|
rv = DER_UTCTimeToTime(&newtime, profileTime);
|
|
if ( rv != SECSuccess ) {
|
|
goto loser;
|
|
}
|
|
|
|
if ( LL_CMP(newtime, >, oldtime ) ) {
|
|
/* this is a newer profile, save it and cert */
|
|
saveit = PR_TRUE;
|
|
}
|
|
} else {
|
|
saveit = PR_TRUE;
|
|
}
|
|
}
|
|
|
|
|
|
if (saveit) {
|
|
if (cc) {
|
|
if (stanProfile) {
|
|
/* stanProfile is already stored in the crypto context,
|
|
* overwrite the data
|
|
*/
|
|
NSSArena *arena = stanProfile->object.arena;
|
|
stanProfile->profileTime = nssItem_Create(arena,
|
|
NULL,
|
|
profileTime->len,
|
|
profileTime->data);
|
|
stanProfile->profileData = nssItem_Create(arena,
|
|
NULL,
|
|
emailProfile->len,
|
|
emailProfile->data);
|
|
} else if (profileTime && emailProfile) {
|
|
PRStatus nssrv;
|
|
NSSItem profTime, profData;
|
|
NSSITEM_FROM_SECITEM(&profTime, profileTime);
|
|
NSSITEM_FROM_SECITEM(&profData, emailProfile);
|
|
stanProfile = nssSMIMEProfile_Create(c, &profTime, &profData);
|
|
if (!stanProfile) goto loser;
|
|
nssrv = nssCryptoContext_ImportSMIMEProfile(cc, stanProfile);
|
|
rv = (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
|
|
}
|
|
} else {
|
|
rv = PK11_SaveSMimeProfile(slot, (char *)emailAddr,
|
|
&cert->derSubject, emailProfile, profileTime);
|
|
}
|
|
} else {
|
|
rv = SECSuccess;
|
|
}
|
|
|
|
loser:
|
|
if (oldProfile && freeOldProfile) {
|
|
SECITEM_FreeItem(oldProfile,PR_TRUE);
|
|
}
|
|
if (oldProfileTime && freeOldProfile) {
|
|
SECITEM_FreeItem(oldProfileTime,PR_TRUE);
|
|
}
|
|
if (stanProfile) {
|
|
nssSMIMEProfile_Destroy(stanProfile);
|
|
}
|
|
if (slot) {
|
|
PK11_FreeSlot(slot);
|
|
}
|
|
|
|
return(rv);
|
|
}
|
|
|
|
/*
|
|
*
|
|
* Manage S/MIME profiles
|
|
*
|
|
*/
|
|
|
|
SECStatus
|
|
CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
|
|
SECItem *profileTime)
|
|
{
|
|
const char *emailAddr;
|
|
SECStatus rv;
|
|
|
|
if (!cert) {
|
|
return SECFailure;
|
|
}
|
|
|
|
if (cert->slot && !PK11_IsInternal(cert->slot)) {
|
|
/* this cert comes from an external source, we need to add it
|
|
to the cert db before creating an S/MIME profile */
|
|
PK11SlotInfo* internalslot = PK11_GetInternalKeySlot();
|
|
if (!internalslot) {
|
|
return SECFailure;
|
|
}
|
|
rv = PK11_ImportCert(internalslot, cert,
|
|
CK_INVALID_HANDLE, NULL, PR_FALSE);
|
|
|
|
PK11_FreeSlot(internalslot);
|
|
if (rv != SECSuccess ) {
|
|
return SECFailure;
|
|
}
|
|
}
|
|
|
|
if (cert->slot && cert->isperm && CERT_IsUserCert(cert) &&
|
|
(!emailProfile || !emailProfile->len)) {
|
|
/* Don't clobber emailProfile for user certs. */
|
|
return SECSuccess;
|
|
}
|
|
|
|
for (emailAddr = CERT_GetFirstEmailAddress(cert); emailAddr != NULL;
|
|
emailAddr = CERT_GetNextEmailAddress(cert,emailAddr)) {
|
|
rv = certdb_SaveSingleProfile(cert,emailAddr,emailProfile,profileTime);
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
}
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
|
|
SECItem *
|
|
CERT_FindSMimeProfile(CERTCertificate *cert)
|
|
{
|
|
PK11SlotInfo *slot = NULL;
|
|
NSSCertificate *c;
|
|
NSSCryptoContext *cc;
|
|
SECItem *rvItem = NULL;
|
|
|
|
if (!cert || !cert->emailAddr || !cert->emailAddr[0]) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return NULL;
|
|
}
|
|
c = STAN_GetNSSCertificate(cert);
|
|
if (!c) return NULL;
|
|
cc = c->object.cryptoContext;
|
|
if (cc != NULL) {
|
|
nssSMIMEProfile *stanProfile;
|
|
stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
|
|
if (stanProfile) {
|
|
rvItem = SECITEM_AllocItem(NULL, NULL,
|
|
stanProfile->profileData->size);
|
|
if (rvItem) {
|
|
rvItem->data = stanProfile->profileData->data;
|
|
}
|
|
nssSMIMEProfile_Destroy(stanProfile);
|
|
}
|
|
return rvItem;
|
|
}
|
|
rvItem =
|
|
PK11_FindSMimeProfile(&slot, cert->emailAddr, &cert->derSubject, NULL);
|
|
if (slot) {
|
|
PK11_FreeSlot(slot);
|
|
}
|
|
return rvItem;
|
|
}
|
|
|
|
/*
|
|
* deprecated functions that are now just stubs.
|
|
*/
|
|
/*
|
|
* Close the database
|
|
*/
|
|
void
|
|
__CERT_ClosePermCertDB(CERTCertDBHandle *handle)
|
|
{
|
|
PORT_Assert("CERT_ClosePermCertDB is Deprecated" == NULL);
|
|
return;
|
|
}
|
|
|
|
SECStatus
|
|
CERT_OpenCertDBFilename(CERTCertDBHandle *handle, char *certdbname,
|
|
PRBool readOnly)
|
|
{
|
|
PORT_Assert("CERT_OpenCertDBFilename is Deprecated" == NULL);
|
|
PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
|
|
return SECFailure;
|
|
}
|
|
|
|
SECItem *
|
|
SECKEY_HashPassword(char *pw, SECItem *salt)
|
|
{
|
|
PORT_Assert("SECKEY_HashPassword is Deprecated" == NULL);
|
|
PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
|
|
return NULL;
|
|
}
|
|
|
|
SECStatus
|
|
__CERT_TraversePermCertsForSubject(CERTCertDBHandle *handle,
|
|
SECItem *derSubject,
|
|
void *cb, void *cbarg)
|
|
{
|
|
PORT_Assert("CERT_TraversePermCertsForSubject is Deprecated" == NULL);
|
|
PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
|
|
return SECFailure;
|
|
}
|
|
|
|
|
|
SECStatus
|
|
__CERT_TraversePermCertsForNickname(CERTCertDBHandle *handle, char *nickname,
|
|
void *cb, void *cbarg)
|
|
{
|
|
PORT_Assert("CERT_TraversePermCertsForNickname is Deprecated" == NULL);
|
|
PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
|
|
return SECFailure;
|
|
}
|
|
|
|
|
|
|