1 : /* ***** BEGIN LICENSE BLOCK *****
2 : * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 : *
4 : * The contents of this file are subject to the Mozilla Public License Version
5 : * 1.1 (the "License"); you may not use this file except in compliance with
6 : * the License. You may obtain a copy of the License at
7 : * http://www.mozilla.org/MPL/
8 : *
9 : * Software distributed under the License is distributed on an "AS IS" basis,
10 : * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 : * for the specific language governing rights and limitations under the
12 : * License.
13 : *
14 : * The Original Code is mozilla.org code.
15 : *
16 : * The Initial Developer of the Original Code is
17 : * Red Hat, Inc.
18 : * Portions created by the Initial Developer are Copyright (C) 2011
19 : * the Initial Developer. All Rights Reserved.
20 : *
21 : * Contributor(s):
22 : * Kai Engert <kengert@redhat.com>
23 : *
24 : * Alternatively, the contents of this file may be used under the terms of
25 : * either the GNU General Public License Version 2 or later (the "GPL"), or
26 : * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27 : * in which case the provisions of the GPL or the LGPL are applicable instead
28 : * of those above. If you wish to allow use of your version of this file only
29 : * under the terms of either the GPL or the LGPL, and not to allow others to
30 : * use your version of this file under the terms of the MPL, indicate your
31 : * decision by deleting the provisions above and replace them with the notice
32 : * and other provisions required by the GPL or the LGPL. If you do not delete
33 : * the provisions above, a recipient may use your version of this file under
34 : * the terms of any one of the MPL, the GPL or the LGPL.
35 : *
36 : * ***** END LICENSE BLOCK ***** */
37 :
38 : #include "nsCERTValInParamWrapper.h"
39 :
// Generate AddRef/Release for this class with the thread-safe reference
// counting macros. Only the reference count is covered by these macros; the
// member fields written by Construct() are not protected by them.
NS_IMPL_THREADSAFE_ADDREF(nsCERTValInParamWrapper)
NS_IMPL_THREADSAFE_RELEASE(nsCERTValInParamWrapper)
42 :
// Creates an empty wrapper: no parameter array and no revocation flags are
// allocated until Construct() succeeds.
nsCERTValInParamWrapper::nsCERTValInParamWrapper()
  : mAlreadyConstructed(false)
  , mCVIN(nsnull)
  , mRev(nsnull)
{
  MOZ_COUNT_CTOR(nsCERTValInParamWrapper);
}
50 :
// Releases whatever Construct() stored. Each pointer goes back through the
// routine that matches its allocator: the revocation flags through
// CERT_DestroyCERTRevocationFlags, the parameter array through PORT_Free.
nsCERTValInParamWrapper::~nsCERTValInParamWrapper()
{
  MOZ_COUNT_DTOR(nsCERTValInParamWrapper);

  if (mRev) {
    CERT_DestroyCERTRevocationFlags(mRev);
  }

  if (mCVIN) {
    PORT_Free(mCVIN);
  }
}
60 :
// Builds the CERTValInParam array and the CERTRevocationFlags that describe
// how certificate revocation is to be checked, and stores both in this object.
//
// Parameters:
//   mcdc - missing_cert_download_on enables cert_pi_useAIACertFetch.
//   cdc  - crl_download_allowed permits network fetching for the CRL method;
//          any other value forbids it. Testing against CRLs is always on.
//   odc  - ocsp_on enables the OCSP method and its network fetching together;
//          any other value disables both.
//   osc  - ocsp_strict selects CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO for OCSP;
//          any other value selects CERT_REV_M_IGNORE_MISSING_FRESH_INFO.
//   arfc - any_revo_strict selects
//          CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; any other value
//          selects CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT.
//   firstNetworkRevocationMethod - the exact string "crl" makes CRL the
//          preferred method; a null pointer or any other string makes it OCSP.
//
// Returns NS_OK on success, NS_ERROR_FAILURE if this object was constructed
// before, NS_ERROR_OUT_OF_MEMORY if either allocation fails. The members are
// written only on the success path, so a failed call leaves the object empty.
//
// Security-relevant points for reviewers:
//  - CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE is set unconditionally for both
//    methods, including when osc == ocsp_strict. The strict setting changes
//    only the missing-fresh-info flag; how NSS combines the two for a
//    certificate that names no OCSP source is decided inside NSS, not here.
//  - The same flag values are applied to the leaf and to the chain tests.
//  - NOTE(review): mAlreadyConstructed is checked and set without any lock in
//    this function; presumably callers finish Construct() before sharing the
//    object across threads - confirm against callers.
nsresult nsCERTValInParamWrapper::Construct(missing_cert_download_config mcdc,
                                            crl_download_config cdc,
                                            ocsp_download_config odc,
                                            ocsp_strict_config osc,
                                            any_revo_fresh_config arfc,
                                            const char *firstNetworkRevocationMethod)
{
  // One-shot: an object that already holds parameters is never rebuilt.
  if (mAlreadyConstructed) {
    return NS_ERROR_FAILURE;
  }

  // Three slots: AIA fetch switch, revocation flags, end marker.
  CERTValInParam *params =
    static_cast<CERTValInParam*>(PORT_Alloc(3 * sizeof(CERTValInParam)));
  if (!params) {
    return NS_ERROR_OUT_OF_MEMORY;
  }

  // Per-method flag arrays sized to reach the OCSP index, with one preferred
  // method each for the leaf and for the chain.
  CERTRevocationFlags *revFlags =
    CERT_AllocCERTRevocationFlags(cert_revocation_method_ocsp + 1, 1,
                                  cert_revocation_method_ocsp + 1, 1);
  if (!revFlags) {
    PORT_Free(params);
    return NS_ERROR_OUT_OF_MEMORY;
  }

  // Turn the configuration enums into plain yes/no decisions up front.
  const bool fetchMissingCerts = (mcdc == missing_cert_download_on);
  const bool crlDownloadAllowed = (cdc == crl_download_allowed);
  const bool ocspEnabled = (odc == ocsp_on);
  const bool ocspRequired = (osc == ocsp_strict);
  const bool freshInfoRequired = (arfc == any_revo_strict);
  const bool wantsCrlFirst =
    firstNetworkRevocationMethod != nsnull &&
    strcmp("crl", firstNetworkRevocationMethod) == 0;

  params[0].type = cert_pi_useAIACertFetch;
  params[0].value.scalar.b = fetchMissingCerts;
  params[1].type = cert_pi_revocationFlags;
  params[1].value.pointer.revocation = revFlags;
  params[2].type = cert_pi_end;

  // CRL method.
  revFlags->leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
      // local CRLs may always be consulted
      CERT_REV_M_TEST_USING_THIS_METHOD
      // whether a CRL may be downloaded is the caller's choice
    | (crlDownloadAllowed ? CERT_REV_M_ALLOW_NETWORK_FETCHING
                          : CERT_REV_M_FORBID_NETWORK_FETCHING)
      // an implicit default source has no meaning for CRLs
    | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
      // no local CRL and no known place to get one: skip the test
    | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
      // a missing fresh CRL is not fatal here; other flags decide
    | CERT_REV_M_IGNORE_MISSING_FRESH_INFO
      // a fresh CRL does not end testing, so OCSP (if enabled) still runs
    | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
  revFlags->chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
    revFlags->leafTests.cert_rev_flags_per_method[cert_revocation_method_crl];

  // OCSP method.
  revFlags->leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
      // the OCSP switch controls both testing ...
      (ocspEnabled ? CERT_REV_M_TEST_USING_THIS_METHOD
                   : CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD)
      // ... and network access
    | (ocspEnabled ? CERT_REV_M_ALLOW_NETWORK_FETCHING
                   : CERT_REV_M_FORBID_NETWORK_FETCHING)
      // strict means a missing fresh response is a failure
    | (ocspRequired ? CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
                    : CERT_REV_M_IGNORE_MISSING_FRESH_INFO)
      // use the application's default OCSP responder if one is configured
    | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
      // a certificate that names no OCSP source is accepted without the test
    | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
      // a fresh OCSP answer is sufficient; stop there
    | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
  revFlags->chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
    revFlags->leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp];

  // Preferred method: CRL only on an exact "crl" request, OCSP otherwise.
  if (wantsCrlFirst) {
    revFlags->leafTests.preferred_methods[0] = cert_revocation_method_crl;
  } else {
    revFlags->leafTests.preferred_methods[0] = cert_revocation_method_ocsp;
  }
  revFlags->chainTests.preferred_methods[0] =
    revFlags->leafTests.preferred_methods[0];

  // Method-independent flags.
  revFlags->leafTests.cert_rev_method_independent_flags =
      // try everything available locally before touching the network
      CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
      // overall requirement: strict or relaxed
    | (freshInfoRequired ? CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
                         : CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT);
  revFlags->chainTests.cert_rev_method_independent_flags =
    revFlags->leafTests.cert_rev_method_independent_flags;

  // Hand both allocations to the object; the destructor releases them.
  mCVIN = params;
  mRev = revFlags;
  mAlreadyConstructed = true;
  return NS_OK;
}
|