1 : /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 : *
3 : * ***** BEGIN LICENSE BLOCK *****
4 : * Version: MPL 1.1/GPL 2.0/LGPL 2.1
5 : *
6 : * The contents of this file are subject to the Mozilla Public License Version
7 : * 1.1 (the "License"); you may not use this file except in compliance with
8 : * the License. You may obtain a copy of the License at
9 : * http://www.mozilla.org/MPL/
10 : *
11 : * Software distributed under the License is distributed on an "AS IS" basis,
12 : * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
13 : * for the specific language governing rights and limitations under the
14 : * License.
15 : *
16 : * The Original Code is mozilla.org code.
17 : *
18 : * The Initial Developer of the Original Code is
19 : * Red Hat, Inc.
20 : * Portions created by the Initial Developer are Copyright (C) 2008
21 : * the Initial Developer. All Rights Reserved.
22 : *
23 : * Contributor(s):
24 : * Kai Engert <kengert@redhat.com>
25 : *
26 : * Alternatively, the contents of this file may be used under the terms of
27 : * either the GNU General Public License Version 2 or later (the "GPL"), or
28 : * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
29 : * in which case the provisions of the GPL or the LGPL are applicable instead
30 : * of those above. If you wish to allow use of your version of this file only
31 : * under the terms of either the GPL or the LGPL, and not to allow others to
32 : * use your version of this file under the terms of the MPL, indicate your
33 : * decision by deleting the provisions above and replace them with the notice
34 : * and other provisions required by the GPL or the LGPL. If you do not delete
35 : * the provisions above, a recipient may use your version of this file under
36 : * the terms of any one of the MPL, the GPL or the LGPL.
37 : *
38 : * ***** END LICENSE BLOCK ***** */
39 :
40 : #include "nsClientAuthRemember.h"
41 :
42 : #include "nsIX509Cert.h"
43 : #include "nsCRT.h"
44 : #include "nsNetUtil.h"
45 : #include "nsIObserverService.h"
46 : #include "nsNetUtil.h"
47 : #include "nsISupportsPrimitives.h"
48 : #include "nsPromiseFlatString.h"
49 : #include "nsThreadUtils.h"
50 : #include "nsStringBuffer.h"
51 : #include "nspr.h"
52 : #include "pk11pub.h"
53 : #include "certdb.h"
54 : #include "sechash.h"
55 :
56 : #include "nsNSSCleaner.h"
57 :
58 : using namespace mozilla;
59 :
60 : NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
61 :
62 4488 : NS_IMPL_THREADSAFE_ISUPPORTS2(nsClientAuthRememberService,
63 : nsIObserver,
64 : nsISupportsWeakReference)
65 :
66 328 : nsClientAuthRememberService::nsClientAuthRememberService()
67 328 : : monitor("nsClientAuthRememberService.monitor")
68 : {
69 328 : }
70 :
71 656 : nsClientAuthRememberService::~nsClientAuthRememberService()
72 : {
73 328 : RemoveAllFromMemory();
74 328 : }
75 :
76 : nsresult
77 328 : nsClientAuthRememberService::Init()
78 : {
79 328 : if (!NS_IsMainThread()) {
80 0 : NS_ERROR("nsClientAuthRememberService::Init called off the main thread");
81 0 : return NS_ERROR_NOT_SAME_THREAD;
82 : }
83 :
84 328 : if (!mSettingsTable.Init())
85 0 : return NS_ERROR_OUT_OF_MEMORY;
86 :
87 : nsCOMPtr<nsIObserverService> observerService =
88 656 : mozilla::services::GetObserverService();
89 328 : if (observerService) {
90 328 : observerService->AddObserver(this, "profile-before-change", true);
91 : }
92 :
93 328 : return NS_OK;
94 : }
95 :
96 : NS_IMETHODIMP
97 315 : nsClientAuthRememberService::Observe(nsISupports *aSubject,
98 : const char *aTopic,
99 : const PRUnichar *aData)
100 : {
101 : // check the topic
102 315 : if (!nsCRT::strcmp(aTopic, "profile-before-change")) {
103 : // The profile is about to change,
104 : // or is going away because the application is shutting down.
105 :
106 630 : ReentrantMonitorAutoEnter lock(monitor);
107 315 : RemoveAllFromMemory();
108 : }
109 :
110 315 : return NS_OK;
111 : }
112 :
113 470 : void nsClientAuthRememberService::ClearRememberedDecisions()
114 : {
115 940 : ReentrantMonitorAutoEnter lock(monitor);
116 470 : RemoveAllFromMemory();
117 470 : }
118 :
119 : void
120 1113 : nsClientAuthRememberService::RemoveAllFromMemory()
121 : {
122 1113 : mSettingsTable.Clear();
123 1113 : }
124 :
125 : static nsresult
126 0 : GetCertFingerprintByOidTag(CERTCertificate* nsscert,
127 : SECOidTag aOidTag,
128 : nsCString &fp)
129 : {
130 0 : unsigned int hash_len = HASH_ResultLenByOidTag(aOidTag);
131 0 : nsRefPtr<nsStringBuffer> fingerprint = nsStringBuffer::Alloc(hash_len);
132 0 : if (!fingerprint)
133 0 : return NS_ERROR_OUT_OF_MEMORY;
134 :
135 0 : PK11_HashBuf(aOidTag, (unsigned char*)fingerprint->Data(),
136 0 : nsscert->derCert.data, nsscert->derCert.len);
137 :
138 : SECItem fpItem;
139 0 : fpItem.data = (unsigned char*)fingerprint->Data();
140 0 : fpItem.len = hash_len;
141 :
142 0 : fp.Adopt(CERT_Hexify(&fpItem, 1));
143 0 : return NS_OK;
144 : }
145 :
146 : nsresult
147 0 : nsClientAuthRememberService::RememberDecision(const nsACString & aHostName,
148 : CERTCertificate *aServerCert, CERTCertificate *aClientCert)
149 : {
150 : // aClientCert == NULL means: remember that user does not want to use a cert
151 0 : NS_ENSURE_ARG_POINTER(aServerCert);
152 0 : if (aHostName.IsEmpty())
153 0 : return NS_ERROR_INVALID_ARG;
154 :
155 0 : nsCAutoString fpStr;
156 0 : nsresult rv = GetCertFingerprintByOidTag(aServerCert, SEC_OID_SHA256, fpStr);
157 0 : if (NS_FAILED(rv))
158 0 : return rv;
159 :
160 : {
161 0 : ReentrantMonitorAutoEnter lock(monitor);
162 0 : if (aClientCert) {
163 0 : nsNSSCertificate pipCert(aClientCert);
164 0 : char *dbkey = NULL;
165 0 : rv = pipCert.GetDbKey(&dbkey);
166 0 : if (NS_SUCCEEDED(rv) && dbkey) {
167 : AddEntryToList(aHostName, fpStr,
168 0 : nsDependentCString(dbkey));
169 : }
170 0 : if (dbkey) {
171 0 : PORT_Free(dbkey);
172 : }
173 : }
174 : else {
175 0 : nsCString empty;
176 0 : AddEntryToList(aHostName, fpStr, empty);
177 : }
178 : }
179 :
180 0 : return NS_OK;
181 : }
182 :
183 : nsresult
184 0 : nsClientAuthRememberService::HasRememberedDecision(const nsACString & aHostName,
185 : CERTCertificate *aCert,
186 : nsACString & aCertDBKey,
187 : bool *_retval)
188 : {
189 0 : if (aHostName.IsEmpty())
190 0 : return NS_ERROR_INVALID_ARG;
191 :
192 0 : NS_ENSURE_ARG_POINTER(aCert);
193 0 : NS_ENSURE_ARG_POINTER(_retval);
194 0 : *_retval = false;
195 :
196 : nsresult rv;
197 0 : nsCAutoString fpStr;
198 0 : rv = GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256, fpStr);
199 0 : if (NS_FAILED(rv))
200 0 : return rv;
201 :
202 0 : nsCAutoString hostCert;
203 0 : GetHostWithCert(aHostName, fpStr, hostCert);
204 0 : nsClientAuthRemember settings;
205 :
206 : {
207 0 : ReentrantMonitorAutoEnter lock(monitor);
208 0 : nsClientAuthRememberEntry *entry = mSettingsTable.GetEntry(hostCert.get());
209 0 : if (!entry)
210 0 : return NS_OK;
211 0 : settings = entry->mSettings; // copy
212 : }
213 :
214 0 : aCertDBKey = settings.mDBKey;
215 0 : *_retval = true;
216 0 : return NS_OK;
217 : }
218 :
219 : nsresult
220 0 : nsClientAuthRememberService::AddEntryToList(const nsACString &aHostName,
221 : const nsACString &fingerprint,
222 : const nsACString &db_key)
223 :
224 : {
225 0 : nsCAutoString hostCert;
226 0 : GetHostWithCert(aHostName, fingerprint, hostCert);
227 :
228 : {
229 0 : ReentrantMonitorAutoEnter lock(monitor);
230 0 : nsClientAuthRememberEntry *entry = mSettingsTable.PutEntry(hostCert.get());
231 :
232 0 : if (!entry) {
233 0 : NS_ERROR("can't insert a null entry!");
234 0 : return NS_ERROR_OUT_OF_MEMORY;
235 : }
236 :
237 0 : entry->mHostWithCert = hostCert;
238 :
239 0 : nsClientAuthRemember &settings = entry->mSettings;
240 0 : settings.mAsciiHost = aHostName;
241 0 : settings.mFingerprint = fingerprint;
242 0 : settings.mDBKey = db_key;
243 : }
244 :
245 0 : return NS_OK;
246 : }
247 :
248 : void
249 0 : nsClientAuthRememberService::GetHostWithCert(const nsACString & aHostName,
250 : const nsACString & fingerprint,
251 : nsACString& _retval)
252 : {
253 0 : nsCAutoString hostCert(aHostName);
254 0 : hostCert.AppendLiteral(":");
255 0 : hostCert.Append(fingerprint);
256 :
257 0 : _retval.Assign(hostCert);
258 0 : }
|