Current view: directory - security/manager/ssl/src - nsUsageArrayHelper.cpp (source / functions) Found Hit Coverage
Test: app.info Lines: 101 0 0.0 %
Date: 2012-06-02 Functions: 4 0 0.0 %

       1                 : /* ***** BEGIN LICENSE BLOCK *****
       2                 :  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
       3                 :  *
       4                 :  * The contents of this file are subject to the Mozilla Public License Version
       5                 :  * 1.1 (the "License"); you may not use this file except in compliance with
       6                 :  * the License. You may obtain a copy of the License at
       7                 :  * http://www.mozilla.org/MPL/
       8                 :  *
       9                 :  * Software distributed under the License is distributed on an "AS IS" basis,
      10                 :  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
      11                 :  * for the specific language governing rights and limitations under the
      12                 :  * License.
      13                 :  *
      14                 :  * The Original Code is the Netscape security libraries.
      15                 :  *
      16                 :  * The Initial Developer of the Original Code is
      17                 :  * Netscape Communications Corporation.
      18                 :  * Portions created by the Initial Developer are Copyright (C) 2000
      19                 :  * the Initial Developer. All Rights Reserved.
      20                 :  *
      21                 :  * Contributor(s):
      22                 :  *  John Gardiner Myers <jgmyers@speakeasy.net>
      23                 :  *
      24                 :  * Alternatively, the contents of this file may be used under the terms of
      25                 :  * either the GNU General Public License Version 2 or later (the "GPL"), or
      26                 :  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
      27                 :  * in which case the provisions of the GPL or the LGPL are applicable instead
      28                 :  * of those above. If you wish to allow use of your version of this file only
      29                 :  * under the terms of either the GPL or the LGPL, and not to allow others to
      30                 :  * use your version of this file under the terms of the MPL, indicate your
      31                 :  * decision by deleting the provisions above and replace them with the notice
      32                 :  * and other provisions required by the GPL or the LGPL. If you do not delete
      33                 :  * the provisions above, a recipient may use your version of this file under
      34                 :  * the terms of any one of the MPL, the GPL or the LGPL.
      35                 :  *
      36                 :  * ***** END LICENSE BLOCK ***** */
      37                 : 
      38                 : #include "nsUsageArrayHelper.h"
      39                 : 
      40                 : #include "nsCOMPtr.h"
      41                 : #include "nsIDateTimeFormat.h"
      42                 : #include "nsDateTimeFormatCID.h"
      43                 : #include "nsComponentManagerUtils.h"
      44                 : #include "nsReadableUtils.h"
      45                 : #include "nsNSSCertificate.h"
      46                 : 
      47                 : #include "nspr.h"
      48                 : #include "nsNSSCertHeader.h"
      49                 : 
      50                 : extern "C" {
      51                 : #include "secerr.h"
      52                 : }
      53                 : 
      54                 : static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
      55                 : 
// Build a helper that reports the usages aCert verifies for.
//
// Only the pointer is copied into mCert here; no reference is taken in this
// constructor.
// NOTE(review): if mCert is a plain CERTCertificate*, the caller must keep the
// certificate alive for the lifetime of this helper -- confirm against the
// header.
nsUsageArrayHelper::nsUsageArrayHelper(CERTCertificate *aCert)
  : mCert(aCert)
{
  // Taken before the NSS call below and held until the constructor returns.
  nsNSSShutDownPreventionLock locker;

  defaultcertdb = CERT_GetDefaultCertDB();

  // The service lookup result lands in m_rv; GetUsagesArray() refuses to run
  // when it holds a failure code.
  nssComponent = do_GetService(kNSSComponentCID, &m_rv);
}
      63                 : 
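// Append the localized description of one certificate usage to outUsages.
//
// suffix      text appended to the string-bundle key before the lookup
// aCertUsage  a single certificateUsage* flag, or 0 when the usage did not
//             verify (in which case nothing is written)
// aCounter    index of the next free slot in outUsages; advanced by one for
//             every string stored
// outUsages   caller-provided array; this function is not told its length
//             and relies on GetUsagesArray() having rejected arrays shorter
//             than max_returned_out_array_size
//
// Entries are allocated with ToNewUnicode().
// NOTE(review): the caller presumably owns and frees them -- confirm.
void
nsUsageArrayHelper::check(const char *suffix,
                        SECCertificateUsage aCertUsage,
                        PRUint32 &aCounter,
                        PRUnichar **outUsages)
{
  if (!aCertUsage) return;

  // Defence in depth: never index past the minimum array size the caller
  // was required to provide, even if more checks are enabled later without
  // raising max_returned_out_array_size.
  if (aCounter >= max_returned_out_array_size) return;

  // Map the usage flag to the base name of its string-bundle entry.
  const char *bundleKey = NULL;
  switch (aCertUsage) {
  case certificateUsageSSLClient:
    bundleKey = "VerifySSLClient";
    break;
  case certificateUsageSSLServer:
    bundleKey = "VerifySSLServer";
    break;
  case certificateUsageSSLServerWithStepUp:
    bundleKey = "VerifySSLStepUp";
    break;
  case certificateUsageEmailSigner:
    bundleKey = "VerifyEmailSigner";
    break;
  case certificateUsageEmailRecipient:
    bundleKey = "VerifyEmailRecip";
    break;
  case certificateUsageObjectSigner:
    bundleKey = "VerifyObjSign";
    break;
  case certificateUsageProtectedObjectSigner:
    bundleKey = "VerifyProtectObjSign";
    break;
  case certificateUsageUserCertImport:
    bundleKey = "VerifyUserImport";
    break;
  case certificateUsageSSLCA:
    bundleKey = "VerifySSLCA";
    break;
  case certificateUsageVerifyCA:
    bundleKey = "VerifyCAVerifier";
    break;
  case certificateUsageStatusResponder:
    bundleKey = "VerifyStatusResponder";
    break;
  case certificateUsageAnyCA:
    bundleKey = "VerifyAnyCA";
    break;
  default:
    // Unknown flag, or more than one bit set: nothing to report.
    break;
  }
  if (!bundleKey) return;

  nsCAutoString typestr(bundleKey);
  typestr.Append(suffix);

  nsAutoString verifyDesc;
  // NOTE(review): the lookup result is stored in m_rv, which GetUsagesArray()
  // tests on entry; a failed lookup therefore makes later calls on this
  // helper return that error -- confirm this is intended.
  m_rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
  if (NS_FAILED(m_rv)) return;

  // Only count the usage when a string was actually produced, so the caller
  // never sees a null entry below *_count.
  PRUnichar *description = ToNewUnicode(verifyDesc);
  if (description) {
    outUsages[aCounter++] = description;
  }
}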
     121                 : 
// Translate the NSS/NSPR error code left by a failed verification into one of
// the nsNSSCertificate status constants and store it in *_verified.
//
// Every code without a dedicated case, including 0 (SECSuccess), maps to
// NOT_VERIFIED_UNKNOWN, so this function never reports a success status.
void
nsUsageArrayHelper::verifyFailed(PRUint32 *_verified, int err)
{
  PRUint32 status;

  switch (err) {
  /* Verification failed only for the particular usage */
  case SEC_ERROR_INADEQUATE_KEY_USAGE:
  case SEC_ERROR_INADEQUATE_CERT_TYPE:
    status = nsNSSCertificate::USAGE_NOT_ALLOWED;
    break;

  /* Failures that have their own error message */
  case SEC_ERROR_REVOKED_CERTIFICATE:
    status = nsNSSCertificate::CERT_REVOKED;
    break;
  case SEC_ERROR_EXPIRED_CERTIFICATE:
    status = nsNSSCertificate::CERT_EXPIRED;
    break;
  case SEC_ERROR_UNTRUSTED_CERT:
    status = nsNSSCertificate::CERT_NOT_TRUSTED;
    break;
  case SEC_ERROR_UNTRUSTED_ISSUER:
    status = nsNSSCertificate::ISSUER_NOT_TRUSTED;
    break;
  case SEC_ERROR_UNKNOWN_ISSUER:
    status = nsNSSCertificate::ISSUER_UNKNOWN;
    break;
  case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
    // XXX are there other errors for this?
    status = nsNSSCertificate::INVALID_CA;
    break;

  case SEC_ERROR_CERT_USAGES_INVALID: // XXX what is this?
  // there are some OCSP errors from PSM 1.x to add here
  case SECSuccess:
    // no verification result has ever been received
  default:
    status = nsNSSCertificate::NOT_VERIFIED_UNKNOWN;
    break;
  }

  *_verified = status;
}
     152                 : 
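// Determine which usages mCert verifies for and describe them.
//
// suffix        appended to each string-bundle key by check()
// localOnly     when true, verification is asked not to go to the network:
//               the classic path brackets the call with SkipOcsp() /
//               SkipOcspOff(), the PKIX path uses the "local only" parameters
// outArraySize  length of outUsages; must be at least
//               max_returned_out_array_size
// _verified     out: VERIFIED_OK when at least one usage description was
//               produced, otherwise the status chosen by verifyFailed()
// _count        out: number of entries written to outUsages
// outUsages     out: caller-provided array receiving the descriptions
//
// Returns m_rv if an earlier step on this helper failed, NS_ERROR_FAILURE if
// the array is too small, the service error if the NSS component or its
// validation parameters cannot be obtained, NS_OK otherwise.
//
// VERIFIED_OK only means "valid for at least one listed usage"; it says
// nothing about any particular usage, so callers must not treat it as a
// trust decision for a specific purpose. With localOnly set, the result also
// does not reflect an OCSP revocation check.
nsresult
nsUsageArrayHelper::GetUsagesArray(const char *suffix,
                      bool localOnly,
                      PRUint32 outArraySize,
                      PRUint32 *_verified,
                      PRUint32 *_count,
                      PRUnichar **outUsages)
{
  nsNSSShutDownPreventionLock locker;
  if (NS_FAILED(m_rv))
    return m_rv;

  // check() writes without knowing the array length, so enforce the minimum
  // size here before anything is stored.
  if (outArraySize < max_returned_out_array_size)
    return NS_ERROR_FAILURE;

  // Non-null only while OCSP has been switched off by this call. Named
  // differently from the nssComponent member so the member is not shadowed.
  nsCOMPtr<nsINSSComponent> ocspSkipper;

  if (!nsNSSComponent::globalConstFlagUsePKIXVerification && localOnly) {
    nsresult rv;
    ocspSkipper = do_GetService(kNSSComponentCID, &rv);
    if (NS_FAILED(rv))
      return rv;

    if (ocspSkipper) {
      // NOTE(review): presumably this changes component-wide state; confirm
      // what verifications on other threads observe until SkipOcspOff().
      ocspSkipper->SkipOcsp();
    }
  }

  PRUint32 &count = *_count;
  count = 0;
  SECCertificateUsage usages = 0;
  // Stays 0 unless the verification call itself reports failure, so a stale
  // thread error left by unrelated code is never mapped to a certificate
  // status by verifyFailed().
  int err = 0;

  if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
    // CERT_VerifyCertificateNow returns SECFailure unless the certificate is
    // valid for all the given usages. However, we are only looking for the
    // list of usages for which the cert *is* valid, so the status is used
    // solely to decide whether the error code is meaningful.
    SECStatus srv =
      CERT_VerifyCertificateNow(defaultcertdb, mCert, true,
                                certificateUsageSSLClient |
                                certificateUsageSSLServer |
                                certificateUsageSSLServerWithStepUp |
                                certificateUsageEmailSigner |
                                certificateUsageEmailRecipient |
                                certificateUsageObjectSigner |
                                certificateUsageSSLCA |
                                certificateUsageStatusResponder,
                                NULL, &usages);
    if (srv != SECSuccess)
      err = PR_GetError();
  }
  else {
    // No early return in this branch can skip SkipOcspOff(): SkipOcsp() is
    // only called on the non-PKIX path.
    nsresult nsrv;
    nsCOMPtr<nsINSSComponent> inss = do_GetService(kNSSComponentCID, &nsrv);
    if (!inss)
      return nsrv;
    nsRefPtr<nsCERTValInParamWrapper> survivingParams;
    if (localOnly)
      nsrv = inss->GetDefaultCERTValInParamLocalOnly(survivingParams);
    else
      nsrv = inss->GetDefaultCERTValInParam(survivingParams);

    if (NS_FAILED(nsrv))
      return nsrv;

    // Ask for the set of valid usages as the only output parameter.
    CERTValOutParam cvout[2];
    cvout[0].type = cert_po_usages;
    cvout[0].value.scalar.usages = 0;
    cvout[1].type = cert_po_end;

    SECStatus srv =
      CERT_PKIXVerifyCert(mCert, certificateUsageCheckAllUsages,
                          survivingParams->GetRawPointerForNSS(),
                          cvout, NULL);
    if (srv != SECSuccess)
      err = PR_GetError();
    usages = cvout[0].value.scalar.usages;
  }

  // The following list of checks must be < max_returned_out_array_size

  check(suffix, usages & certificateUsageSSLClient, count, outUsages);
  check(suffix, usages & certificateUsageSSLServer, count, outUsages);
  check(suffix, usages & certificateUsageSSLServerWithStepUp, count, outUsages);
  check(suffix, usages & certificateUsageEmailSigner, count, outUsages);
  check(suffix, usages & certificateUsageEmailRecipient, count, outUsages);
  check(suffix, usages & certificateUsageObjectSigner, count, outUsages);
#if 0
  check(suffix, usages & certificateUsageProtectedObjectSigner, count, outUsages);
  check(suffix, usages & certificateUsageUserCertImport, count, outUsages);
#endif
  check(suffix, usages & certificateUsageSSLCA, count, outUsages);
#if 0
  check(suffix, usages & certificateUsageVerifyCA, count, outUsages);
#endif
  check(suffix, usages & certificateUsageStatusResponder, count, outUsages);
#if 0
  check(suffix, usages & certificateUsageAnyCA, count, outUsages);
#endif

  // Re-enable OCSP exactly when this call disabled it.
  if (ocspSkipper) {
    ocspSkipper->SkipOcspOff();
  }

  if (count == 0) {
    verifyFailed(_verified, err);
  } else {
    *_verified = nsNSSCertificate::VERIFIED_OK;
  }
  return NS_OK;
}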
