1 : /* ***** BEGIN LICENSE BLOCK *****
2 : * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 : *
4 : * The contents of this file are subject to the Mozilla Public License Version
5 : * 1.1 (the "License"); you may not use this file except in compliance with
6 : * the License. You may obtain a copy of the License at
7 : * http://www.mozilla.org/MPL/
8 : *
9 : * Software distributed under the License is distributed on an "AS IS" basis,
10 : * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 : * for the specific language governing rights and limitations under the
12 : * License.
13 : *
14 : * The Original Code is the Netscape security libraries.
15 : *
16 : * The Initial Developer of the Original Code is
17 : * Netscape Communications Corporation.
18 : * Portions created by the Initial Developer are Copyright (C) 2000
19 : * the Initial Developer. All Rights Reserved.
20 : *
21 : * Contributor(s):
22 : * John Gardiner Myers <jgmyers@speakeasy.net>
23 : *
24 : * Alternatively, the contents of this file may be used under the terms of
25 : * either the GNU General Public License Version 2 or later (the "GPL"), or
26 : * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27 : * in which case the provisions of the GPL or the LGPL are applicable instead
28 : * of those above. If you wish to allow use of your version of this file only
29 : * under the terms of either the GPL or the LGPL, and not to allow others to
30 : * use your version of this file under the terms of the MPL, indicate your
31 : * decision by deleting the provisions above and replace them with the notice
32 : * and other provisions required by the GPL or the LGPL. If you do not delete
33 : * the provisions above, a recipient may use your version of this file under
34 : * the terms of any one of the MPL, the GPL or the LGPL.
35 : *
36 : * ***** END LICENSE BLOCK ***** */
37 :
38 : #include "nsUsageArrayHelper.h"
39 :
40 : #include "nsCOMPtr.h"
41 : #include "nsIDateTimeFormat.h"
42 : #include "nsDateTimeFormatCID.h"
43 : #include "nsComponentManagerUtils.h"
44 : #include "nsReadableUtils.h"
45 : #include "nsNSSCertificate.h"
46 :
47 : #include "nspr.h"
48 : #include "nsNSSCertHeader.h"
49 :
50 : extern "C" {
51 : #include "secerr.h"
52 : }
53 :
54 : static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
55 :
// Builds a usage-array helper for aCert.
//
// The certificate pointer is stored exactly as passed in; nothing in this
// constructor takes an additional reference on it.
// NOTE(review): the caller presumably has to keep aCert alive for as long as
// this helper is used -- confirm against the class declaration/destructor.
//
// The result of looking up the NSS component service is recorded in m_rv,
// which GetUsagesArray() consults before doing any work.
nsUsageArrayHelper::nsUsageArrayHelper(CERTCertificate *aCert)
  : mCert(aCert)
{
  // The shutdown-prevention lock is constructed first, ahead of the NSS call
  // below; keep this ordering.
  nsNSSShutDownPreventionLock locker;

  defaultcertdb = CERT_GetDefaultCertDB();

  nsresult serviceStatus;
  nssComponent = do_GetService(kNSSComponentCID, &serviceStatus);
  m_rv = serviceStatus;
}
63 :
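// Appends the localized description of one certificate usage to outUsages.
//
// suffix      Text appended to the string-bundle key (a null suffix is
//             treated as "no suffix").
// aCertUsage  Either 0 (usage not valid: nothing is appended) or exactly one
//             certificateUsage* bit.
// aCounter    Index of the next free slot in outUsages; incremented only when
//             an entry is actually stored.
// outUsages   Caller-provided array receiving a newly allocated string from
//             ToNewUnicode(); presumably the caller frees it -- TODO confirm.
//
// The capacity of outUsages is not passed in, so no bounds check is possible
// here: the caller must have sized the array for every check() call it makes.
//
// NOTE(review): the result of the bundle lookup is stored in the member m_rv,
// which GetUsagesArray() tests on entry. A failed lookup in the last check()
// of one call therefore makes the next GetUsagesArray() call return early.
// Confirm whether that is intended before relying on helper reuse.
void
nsUsageArrayHelper::check(const char *suffix,
                          SECCertificateUsage aCertUsage,
                          PRUint32 &aCounter,
                          PRUnichar **outUsages)
{
  if (!aCertUsage)
    return;

  // Nothing can be produced without a destination array or a string source.
  if (!outUsages || !nssComponent)
    return;

  static const struct {
    SECCertificateUsage usage;
    const char *bundleKey;
  } kUsageKeys[] = {
    { certificateUsageSSLClient,             "VerifySSLClient" },
    { certificateUsageSSLServer,             "VerifySSLServer" },
    { certificateUsageSSLServerWithStepUp,   "VerifySSLStepUp" },
    { certificateUsageEmailSigner,           "VerifyEmailSigner" },
    { certificateUsageEmailRecipient,        "VerifyEmailRecip" },
    { certificateUsageObjectSigner,          "VerifyObjSign" },
    { certificateUsageProtectedObjectSigner, "VerifyProtectObjSign" },
    { certificateUsageUserCertImport,        "VerifyUserImport" },
    { certificateUsageSSLCA,                 "VerifySSLCA" },
    { certificateUsageVerifyCA,              "VerifyCAVerifier" },
    { certificateUsageStatusResponder,       "VerifyStatusResponder" },
    { certificateUsageAnyCA,                 "VerifyAnyCA" }
  };

  const char *bundleKey = NULL;
  for (PRUint32 i = 0; i < sizeof(kUsageKeys) / sizeof(kUsageKeys[0]); ++i) {
    if (kUsageKeys[i].usage == aCertUsage) {
      bundleKey = kUsageKeys[i].bundleKey;
      break;
    }
  }

  // Unknown value, or more than one usage bit set: no description exists.
  if (!bundleKey)
    return;

  nsCAutoString typestr;
  typestr.Assign(bundleKey);
  if (suffix)
    typestr.Append(suffix);

  nsAutoString verifyDesc;
  m_rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
  if (NS_FAILED(m_rv))
    return;

  // Only count the usage when the copy was actually allocated, so the caller
  // never sees a null entry inside the first aCounter slots.
  PRUnichar *description = ToNewUnicode(verifyDesc);
  if (description)
    outUsages[aCounter++] = description;
}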
121 :
// Translates an NSS error code into one of the nsNSSCertificate verification
// states and stores it in *_verified.
//
// _verified  Receives the state; it is dereferenced unconditionally.
// err        Error code as obtained from PR_GetError() by the caller.
//
// Any code without a dedicated mapping -- including 0 / SECSuccess -- ends up
// as NOT_VERIFIED_UNKNOWN, so an unrecognised error is never reported as a
// successful verification.
void
nsUsageArrayHelper::verifyFailed(PRUint32 *_verified, int err)
{
  PRUint32 state = nsNSSCertificate::NOT_VERIFIED_UNKNOWN;

  switch (err) {
    /* For these cases, verify only failed for the particular usage */
    case SEC_ERROR_INADEQUATE_KEY_USAGE:
    case SEC_ERROR_INADEQUATE_CERT_TYPE:
      state = nsNSSCertificate::USAGE_NOT_ALLOWED;
      break;

    /* These are the cases that have individual error messages */
    case SEC_ERROR_REVOKED_CERTIFICATE:
      state = nsNSSCertificate::CERT_REVOKED;
      break;
    case SEC_ERROR_EXPIRED_CERTIFICATE:
      state = nsNSSCertificate::CERT_EXPIRED;
      break;
    case SEC_ERROR_UNTRUSTED_CERT:
      state = nsNSSCertificate::CERT_NOT_TRUSTED;
      break;
    case SEC_ERROR_UNTRUSTED_ISSUER:
      state = nsNSSCertificate::ISSUER_NOT_TRUSTED;
      break;
    case SEC_ERROR_UNKNOWN_ISSUER:
      state = nsNSSCertificate::ISSUER_UNKNOWN;
      break;
    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
      // XXX are there other errors for this?
      state = nsNSSCertificate::INVALID_CA;
      break;

    case SEC_ERROR_CERT_USAGES_INVALID: // XXX what is this?
      // there are some OCSP errors from PSM 1.x to add here
    case SECSuccess:
      // this means, no verification result has ever been received
    default:
      state = nsNSSCertificate::NOT_VERIFIED_UNKNOWN;
      break;
  }

  *_verified = state;
}
152 :
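// Verifies mCert and returns the localized descriptions of every usage the
// certificate is valid for.
//
// suffix        Appended to each string-bundle key by check().
// localOnly     Request verification without network fetches. In the classic
//               (non-PKIX) path this is done by calling SkipOcsp() on the NSS
//               component for the duration of the verification, so a
//               VERIFIED_OK result obtained this way says nothing about the
//               certificate's online revocation status.
// outArraySize  Capacity of outUsages; must be at least
//               max_returned_out_array_size.
// _verified     Receives VERIFIED_OK when at least one usage was stored,
//               otherwise the state verifyFailed() derives from the NSS error.
// _count        Receives the number of entries stored in outUsages.
// outUsages     Caller-provided array that receives the descriptions.
//
// Returns NS_OK when verification ran (even if no usage is valid), the stored
// m_rv when the helper failed to initialise, NS_ERROR_INVALID_POINTER for a
// null out-parameter, NS_ERROR_FAILURE for a too-small array, or the error of
// a failed service/parameter lookup.
nsresult
nsUsageArrayHelper::GetUsagesArray(const char *suffix,
                                   bool localOnly,
                                   PRUint32 outArraySize,
                                   PRUint32 *_verified,
                                   PRUint32 *_count,
                                   PRUnichar **outUsages)
{
  nsNSSShutDownPreventionLock locker;
  if (NS_FAILED(m_rv))
    return m_rv;

  // All three out-parameters are written below; reject null instead of
  // dereferencing it.
  if (!_verified || !_count || !outUsages)
    return NS_ERROR_INVALID_POINTER;

  if (outArraySize < max_returned_out_array_size)
    return NS_ERROR_FAILURE;

  // Read the flag once so that the SkipOcsp()/SkipOcspOff() pair and the
  // choice of verification path are always decided from the same value.
  const bool usePKIX = nsNSSComponent::globalConstFlagUsePKIXVerification;

  // Set only when OCSP has been switched off for this call. Named differently
  // from the member nssComponent (used by check()) to avoid shadowing it.
  nsCOMPtr<nsINSSComponent> ocspToggleComponent;

  if (!usePKIX && localOnly) {
    nsresult rv;
    ocspToggleComponent = do_GetService(kNSSComponentCID, &rv);
    if (NS_FAILED(rv))
      return rv;

    // NOTE(review): SkipOcsp() is called on the shared component service, so
    // it presumably affects more than this call until SkipOcspOff() runs --
    // confirm. No return statement may be added to the classic path between
    // here and the SkipOcspOff() call below.
    if (ocspToggleComponent) {
      ocspToggleComponent->SkipOcsp();
    }
  }

  PRUint32 &count = *_count;
  count = 0;
  SECCertificateUsage usages = 0;
  int err = 0;

  if (!usePKIX) {
    // CERT_VerifyCertificateNow returns SECFailure unless the certificate is
    // valid for all the given usages. However, we are only looking for the list
    // of usages for which the cert *is* valid, so a failure status is expected
    // and the valid subset is read from 'usages'.
    SECStatus srv =
      CERT_VerifyCertificateNow(defaultcertdb, mCert, true,
                                certificateUsageSSLClient |
                                certificateUsageSSLServer |
                                certificateUsageSSLServerWithStepUp |
                                certificateUsageEmailSigner |
                                certificateUsageEmailRecipient |
                                certificateUsageObjectSigner |
                                certificateUsageSSLCA |
                                certificateUsageStatusResponder,
                                NULL, &usages);
    // PR_GetError() only describes this call when the call failed; after a
    // success it would return a stale code left by an earlier operation on
    // this thread, which verifyFailed() could turn into a misleading state.
    if (srv != SECSuccess)
      err = PR_GetError();
  }
  else {
    nsresult nsrv;
    nsCOMPtr<nsINSSComponent> inss = do_GetService(kNSSComponentCID, &nsrv);
    if (!inss)
      return nsrv;
    nsRefPtr<nsCERTValInParamWrapper> survivingParams;
    if (localOnly)
      nsrv = inss->GetDefaultCERTValInParamLocalOnly(survivingParams);
    else
      nsrv = inss->GetDefaultCERTValInParam(survivingParams);

    if (NS_FAILED(nsrv))
      return nsrv;

    CERTValOutParam cvout[2];
    cvout[0].type = cert_po_usages;
    cvout[0].value.scalar.usages = 0;
    cvout[1].type = cert_po_end;

    SECStatus srv =
      CERT_PKIXVerifyCert(mCert, certificateUsageCheckAllUsages,
                          survivingParams->GetRawPointerForNSS(),
                          cvout, NULL);
    // Same reasoning as in the classic path: ignore the thread's last error
    // unless this call reported a failure.
    if (srv != SECSuccess)
      err = PR_GetError();
    usages = cvout[0].value.scalar.usages;
  }

  // The following list of checks must be < max_returned_out_array_size.
  // check() cannot bounds-check outUsages itself: each active call below may
  // store one entry, and the size test at the top of this function is the
  // only thing keeping those writes inside the caller's array.

  check(suffix, usages & certificateUsageSSLClient, count, outUsages);
  check(suffix, usages & certificateUsageSSLServer, count, outUsages);
  check(suffix, usages & certificateUsageSSLServerWithStepUp, count, outUsages);
  check(suffix, usages & certificateUsageEmailSigner, count, outUsages);
  check(suffix, usages & certificateUsageEmailRecipient, count, outUsages);
  check(suffix, usages & certificateUsageObjectSigner, count, outUsages);
#if 0
  check(suffix, usages & certificateUsageProtectedObjectSigner, count, outUsages);
  check(suffix, usages & certificateUsageUserCertImport, count, outUsages);
#endif
  check(suffix, usages & certificateUsageSSLCA, count, outUsages);
#if 0
  check(suffix, usages & certificateUsageVerifyCA, count, outUsages);
#endif
  check(suffix, usages & certificateUsageStatusResponder, count, outUsages);
#if 0
  check(suffix, usages & certificateUsageAnyCA, count, outUsages);
#endif

  // Re-enable OCSP if (and only if) it was switched off above.
  if (ocspToggleComponent) {
    ocspToggleComponent->SkipOcspOff();
  }

  if (count == 0) {
    verifyFailed(_verified, err);
  } else {
    *_verified = nsNSSCertificate::VERIFIED_OK;
  }
  return NS_OK;
}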