Beispiel #1
0
/* BEWARE: This function gets called for both client and server SIDs !!
 * If the unreferenced sid is not in the cache, Free sid and its contents.
 */
static void
ssl_DestroySID(sslSessionID *sid)
{
    SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
    PORT_Assert((sid->references == 0));

    if (sid->cached == in_client_cache)
    	return;	/* it will get taken care of next time cache is traversed. */

    if (sid->version < SSL_LIBRARY_VERSION_3_0) {
	SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
	SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
    }
    if (sid->peerID != NULL)
	PORT_Free((void *)sid->peerID);		/* CONST */

    if (sid->urlSvrName != NULL)
	PORT_Free((void *)sid->urlSvrName);	/* CONST */

    if ( sid->peerCert ) {
	CERT_DestroyCertificate(sid->peerCert);
    }
    if ( sid->localCert ) {
	CERT_DestroyCertificate(sid->localCert);
    }
    if (sid->u.ssl3.sessionTicket.ticket.data) {
	SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
    }
    
    PORT_ZFree(sid, sizeof(sslSessionID));
}
Beispiel #2
0
SECStatus
CMMF_DestroyCertRepContent(CMMFCertRepContent *inCertRepContent)
{
    PORT_Assert(inCertRepContent != NULL);
    if (inCertRepContent != NULL) {
        CMMFCertResponse **pResponse = inCertRepContent->response;
        if (pResponse != NULL) {
            for (; *pResponse != NULL; pResponse++) {
                CMMFCertifiedKeyPair *certKeyPair = (*pResponse)->certifiedKeyPair;
                /* XXX Why not call CMMF_DestroyCertifiedKeyPair or
                 ** XXX cmmf_DestroyCertOrEncCert ?
                 */
                if (certKeyPair != NULL &&
                    certKeyPair->certOrEncCert.choice == cmmfCertificate &&
                    certKeyPair->certOrEncCert.cert.certificate != NULL) {
                    CERT_DestroyCertificate(certKeyPair->certOrEncCert.cert.certificate);
                    certKeyPair->certOrEncCert.cert.certificate = NULL;
                }
            }
        }
        if (inCertRepContent->caPubs) {
            CERTCertificate **caPubs = inCertRepContent->caPubs;
            for (; *caPubs; ++caPubs) {
                CERT_DestroyCertificate(*caPubs);
                *caPubs = NULL;
            }
        }
        if (inCertRepContent->poolp != NULL) {
            PORT_FreeArena(inCertRepContent->poolp, PR_TRUE);
        }
    }
    return SECSuccess;
}
Beispiel #3
0
/**
 *
 * Check that the Peer certificate's issuer certificate matches the one found
 * by issuer_nickname.  This is not exactly the way OpenSSL and GNU TLS do the
 * issuer check, so we provide comments that mimic the OpenSSL
 * X509_check_issued function (in x509v3/v3_purp.c)
 */
static SECStatus check_issuer_cert(PRFileDesc *sock,
                                   char *issuer_nickname)
{
  CERTCertificate *cert,*cert_issuer,*issuer;
  SECStatus res=SECSuccess;
  void *proto_win = NULL;

  /*
    PRArenaPool   *tmpArena = NULL;
    CERTAuthKeyID *authorityKeyID = NULL;
    SECITEM       *caname = NULL;
  */

  cert = SSL_PeerCertificate(sock);
  cert_issuer = CERT_FindCertIssuer(cert,PR_Now(),certUsageObjectSigner);

  proto_win = SSL_RevealPinArg(sock);
  issuer = PK11_FindCertFromNickname(issuer_nickname, proto_win);

  if((!cert_issuer) || (!issuer))
    res = SECFailure;
  else if(SECITEM_CompareItem(&cert_issuer->derCert,
                              &issuer->derCert)!=SECEqual)
    res = SECFailure;

  CERT_DestroyCertificate(cert);
  CERT_DestroyCertificate(issuer);
  CERT_DestroyCertificate(cert_issuer);
  return res;
}
Beispiel #4
0
/* Reset sec back to its initial state.
** Caller holds any relevant locks.
*/
void
ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset)
{
    if (sec->localCert) {
        CERT_DestroyCertificate(sec->localCert);
        sec->localCert = NULL;
    }
    if (sec->peerCert) {
        CERT_DestroyCertificate(sec->peerCert);
        sec->peerCert = NULL;
    }
    if (sec->peerKey) {
        SECKEY_DestroyPublicKey(sec->peerKey);
        sec->peerKey = NULL;
    }

    /* cleanup the ci */
    if (sec->ci.sid != NULL) {
        ssl_FreeSID(sec->ci.sid);
    }
    PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space);
    if (doMemset) {
        memset(&sec->ci, 0, sizeof sec->ci);
    }
}
Beispiel #5
0
/* BEWARE: This function gets called for both client and server SIDs !!
 * If the unreferenced sid is not in the cache, Free sid and its contents.
 */
static void
ssl_DestroySID(sslSessionID *sid)
{
    int i;
    SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
    PORT_Assert(sid->references == 0);
    PORT_Assert(sid->cached != in_client_cache);

    if (sid->version < SSL_LIBRARY_VERSION_3_0) {
        SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
        SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
    } else {
        if (sid->u.ssl3.locked.sessionTicket.ticket.data) {
            SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket,
                             PR_FALSE);
        }
        if (sid->u.ssl3.srvName.data) {
            SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
        }
        if (sid->u.ssl3.originalHandshakeHash.data) {
            SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
        }
        if (sid->u.ssl3.signedCertTimestamps.data) {
            SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE);
        }

        if (sid->u.ssl3.lock) {
            NSSRWLock_Destroy(sid->u.ssl3.lock);
        }
    }

    if (sid->peerID != NULL)
        PORT_Free((void *)sid->peerID);		/* CONST */

    if (sid->urlSvrName != NULL)
        PORT_Free((void *)sid->urlSvrName);	/* CONST */

    if ( sid->peerCert ) {
        CERT_DestroyCertificate(sid->peerCert);
    }
    for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
        CERT_DestroyCertificate(sid->peerCertChain[i]);
    }
    if (sid->peerCertStatus.items) {
        SECITEM_FreeArray(&sid->peerCertStatus, PR_FALSE);
    }

    if ( sid->localCert ) {
        CERT_DestroyCertificate(sid->localCert);
    }

    PORT_ZFree(sid, sizeof(sslSessionID));
}
Beispiel #6
0
/* Reset sec back to its initial state.
** Caller holds any relevant locks.
*/
void 
ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset)
{
    /* Destroy MAC */
    if (sec->hash && sec->hashcx) {
	(*sec->hash->destroy)(sec->hashcx, PR_TRUE);
	sec->hashcx = NULL;
	sec->hash = NULL;
    }
    SECITEM_ZfreeItem(&sec->sendSecret, PR_FALSE);
    SECITEM_ZfreeItem(&sec->rcvSecret, PR_FALSE);

    /* Destroy ciphers */
    if (sec->destroy) {
	(*sec->destroy)(sec->readcx, PR_TRUE);
	(*sec->destroy)(sec->writecx, PR_TRUE);
	sec->readcx = NULL;
	sec->writecx = NULL;
    } else {
	PORT_Assert(sec->readcx == 0);
	PORT_Assert(sec->writecx == 0);
    }
    sec->readcx = 0;
    sec->writecx = 0;

    if (sec->localCert) {
	CERT_DestroyCertificate(sec->localCert);
	sec->localCert = NULL;
    }
    if (sec->peerCert) {
	CERT_DestroyCertificate(sec->peerCert);
	sec->peerCert = NULL;
    }
    if (sec->peerKey) {
	SECKEY_DestroyPublicKey(sec->peerKey);
	sec->peerKey = NULL;
    }

    /* cleanup the ci */
    if (sec->ci.sid != NULL) {
	ssl_FreeSID(sec->ci.sid);
    }
    PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space);
    if (doMemset) {
        memset(&sec->ci, 0, sizeof sec->ci);
    }
    
}
Beispiel #7
0
Datei: crlutil.c Projekt: ekr/nss
static CERTCertificate *
FindSigningCert(CERTCertDBHandle *certHandle, CERTSignedCrl *signCrl,
                char *certNickName)
{
    CERTCertificate *cert = NULL, *certTemp = NULL;
    SECStatus rv = SECFailure;
    CERTAuthKeyID *authorityKeyID = NULL;
    SECItem *subject = NULL;

    PORT_Assert(certHandle != NULL);
    if (!certHandle || (!signCrl && !certNickName)) {
        SECU_PrintError(progName, "invalid args for function "
                                  "FindSigningCert \n");
        return NULL;
    }

    if (signCrl) {
#if 0
        authorityKeyID = SECU_FindCRLAuthKeyIDExten(tmpArena, scrl);
#endif
        subject = &signCrl->crl.derName;
    } else {
        certTemp = CERT_FindCertByNickname(certHandle, certNickName);
        if (!certTemp) {
            SECU_PrintError(progName, "could not find certificate \"%s\" "
                                      "in database",
                            certNickName);
            goto loser;
        }
        subject = &certTemp->derSubject;
    }

    cert = SECU_FindCrlIssuer(certHandle, subject, authorityKeyID, PR_Now());
    if (!cert) {
        SECU_PrintError(progName, "could not find signing certificate "
                                  "in database");
        goto loser;
    } else {
        rv = SECSuccess;
    }

loser:
    if (certTemp)
        CERT_DestroyCertificate(certTemp);
    if (cert && rv != SECSuccess)
        CERT_DestroyCertificate(cert);
    return cert;
}
Beispiel #8
0
static SECStatus nss_bad_cert_cb(void *arg, PRFileDesc *fd) {
    struct tls_connection *conn = arg;
    SECStatus res = SECSuccess;
    PRErrorCode err;
    CERTCertificate *cert;
    char *subject, *issuer;

    err = PR_GetError();
    if (IS_SEC_ERROR(err))
        wpa_printf(MSG_DEBUG, "NSS: Bad Server Certificate (sec err "
            "%d)", err - SEC_ERROR_BASE);
    else
        wpa_printf(MSG_DEBUG, "NSS: Bad Server Certificate (err %d)",
            err);
    cert = SSL_PeerCertificate(fd);
    subject = CERT_NameToAscii(&cert->subject);
    issuer = CERT_NameToAscii(&cert->issuer);
    wpa_printf(MSG_DEBUG, "NSS: Peer certificate subject='%s' issuer='%s'",
            subject, issuer);
    CERT_DestroyCertificate(cert);
    PR_Free(subject);
    PR_Free(issuer);
    if (conn->verify_peer)
        res = SECFailure;

    return res;
}
SECStatus TransportLayerDtls::GetClientAuthDataHook(void *arg, PRFileDesc *fd,
                                                    CERTDistNames *caNames,
                                                    CERTCertificate **pRetCert,
                                                    SECKEYPrivateKey **pRetKey) {
  MOZ_MTLOG(ML_DEBUG, "Server requested client auth");

  TransportLayerDtls *stream = reinterpret_cast<TransportLayerDtls *>(arg);
  stream->CheckThread();

  if (!stream->identity_) {
    MOZ_MTLOG(ML_ERROR, "No identity available");
    PR_SetError(SSL_ERROR_NO_CERTIFICATE, 0);
    return SECFailure;
  }

  *pRetCert = CERT_DupCertificate(stream->identity_->cert());
  if (!*pRetCert) {
    PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
    return SECFailure;
  }

  *pRetKey = SECKEY_CopyPrivateKey(stream->identity_->privkey());
  if (!*pRetKey) {
    CERT_DestroyCertificate(*pRetCert);
    *pRetCert = nullptr;
    PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
    return SECFailure;
  }

  return SECSuccess;
}
Beispiel #10
0
/*
 * Host name checking according to RFC 2595.
 */
static enum okay
nss_check_host(const char *server, struct sock *sp)
{
	CERTCertificate	*cert;
	char	*cn = NULL;
	enum okay	ok = STOP;
	PRArenaPool	*arena;
	CERTGeneralName	*gn;
	SECItem	altname;
	CERTAltNameEncodedContext	ec;
	int	i;
	const SEC_ASN1Template	gntempl[] = {
		{ SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
	};

	if ((cert = SSL_PeerCertificate(sp->s_prfd)) == NULL) {
		fprintf(stderr, "no certificate from \"%s\"\n", server);
		return STOP;
	}
	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
	if (CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
				&altname) == SECSuccess &&
			SEC_ASN1DecodeItem(arena, &ec, gntempl,
				&altname) == SECSuccess &&
			ec.encodedGenName != NULL) {
		for (i = 0; ec.encodedGenName[i] != NULL; i++) {
			gn = CERT_DecodeGeneralName(arena, ec.encodedGenName[i],
					NULL);
			if (gn->type == certDNSName) {
				char	*dn = ac_alloc(gn->name.other.len + 1);
				memcpy(dn, gn->name.other.data,
						gn->name.other.len);
				dn[gn->name.other.len] = '\0';
				if (verbose)
					fprintf(stderr,
						"Comparing DNS name: \"%s\"\n",
						dn);
				if (rfc2595_hostname_match(server, dn)
						== OKAY) {
					ac_free(dn);
					goto out;
				}
				ac_free(dn);
			}
		}
	}
	if ((cn = CERT_GetCommonName(&cert->subject)) != NULL) {
		if (verbose)
			fprintf(stderr, "Comparing common name: \"%s\"\n", cn);
		ok = rfc2595_hostname_match(server, cn);
	}
	if (ok == STOP)
		fprintf(stderr, "host certificate does not match \"%s\"\n",
				server);
out:	if (cn)
		PORT_Free(cn);
	PORT_FreeArena(arena, PR_FALSE);
	CERT_DestroyCertificate(cert);
	return ok;
}
Beispiel #11
0
/**
 * Loads the public key for the specified cert name from the NSS store.
 *
 * @param certData  The DER-encoded X509 certificate to extract the key from.
 * @param certDataSize The size of certData.
 * @param publicKey Out parameter for the public key to use.
 * @return CryptoX_Success on success, CryptoX_Error on error.
*/
CryptoX_Result
NSS_LoadPublicKey(const unsigned char *certData, unsigned int certDataSize,
                  SECKEYPublicKey **publicKey)
{
  CERTCertificate * cert;
  SECItem certDataItem = { siBuffer, (unsigned char*) certData, certDataSize };

  if (!certData || !publicKey) {
    return CryptoX_Error;
  }

  cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &certDataItem, NULL,
                                 PR_FALSE, PR_TRUE);
  /* Get the cert and embedded public key out of the database */
  if (!cert) {
    return CryptoX_Error;
  }
  *publicKey = CERT_ExtractPublicKey(cert);
  CERT_DestroyCertificate(cert);

  if (!*publicKey) {
    return CryptoX_Error;
  }
  return CryptoX_Success;
}
Beispiel #12
0
static X509*
nss_get_cert(NSS_CTX *ctx, const char *s) {
    X509 *x509 = NULL;
    CERTCertificate *cert = NULL;

    CALL_TRACE("nss_get_cert...\n");

    if (ctx == NULL) {
        NSSerr(NSS_F_GET_CERT, NSS_R_INVALID_ARGUMENT);
        goto done;
    }
    if (!NSS_IsInitialized()) {
        NSSerr(NSS_F_GET_CERT, NSS_R_DB_IS_NOT_INITIALIZED);
        goto done;
    }

    nss_debug(ctx, "search certificate '%s'", s);
    cert = PK11_FindCertFromNickname(s, NULL);
    nss_trace(ctx, "found certificate mem='%p'", cert);

    if (cert == NULL) goto done;

    x509 = X509_from_CERTCertificate(cert);

done:
    if (cert) CERT_DestroyCertificate(cert);

    nss_debug(ctx, "certificate %s", (x509 ? "found": "not found"));
    return(x509);
}
Beispiel #13
0
/* Returns NULL if "encoding" cannot be decoded. */
NSS_IMPLEMENT nssDecodedCert *
nssDecodedPKIXCertificate_Create (
  NSSArena *arenaOpt,
  NSSDER *encoding
)
{
    nssDecodedCert  *rvDC = NULL;
    CERTCertificate *cert;
    SECItem          secDER;

    SECITEM_FROM_NSSITEM(&secDER, encoding);
    cert = CERT_DecodeDERCertificate(&secDER, PR_TRUE, NULL);
    if (cert) {
	rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
	if (rvDC) {
	    rvDC->type                = NSSCertificateType_PKIX;
	    rvDC->data                = (void *)cert;
	    rvDC->getIdentifier       = nss3certificate_getIdentifier;
	    rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
	    rvDC->matchIdentifier     = nss3certificate_matchIdentifier;
	    rvDC->isValidIssuer       = nss3certificate_isValidIssuer;
	    rvDC->getUsage            = nss3certificate_getUsage;
	    rvDC->isValidAtTime       = nss3certificate_isValidAtTime;
	    rvDC->isNewerThan         = nss3certificate_isNewerThan;
	    rvDC->matchUsage          = nss3certificate_matchUsage;
	    rvDC->isTrustedForUsage   = nss3certificate_isTrustedForUsage;
	    rvDC->getEmailAddress     = nss3certificate_getEmailAddress;
	    rvDC->getDERSerialNumber  = nss3certificate_getDERSerialNumber;
	} else {
	    CERT_DestroyCertificate(cert);
	}
    }
    return rvDC;
}
Beispiel #14
0
static SECStatus
ssl_PopulateServerCert(sslServerCert *sc, CERTCertificate *cert,
                       const CERTCertificateList *certChain)
{
    if (sc->serverCert) {
        CERT_DestroyCertificate(sc->serverCert);
    }
    if (sc->serverCertChain) {
        CERT_DestroyCertificateList(sc->serverCertChain);
    }

    if (!cert) {
        sc->serverCert = NULL;
        sc->serverCertChain = NULL;
        return SECSuccess;
    }

    sc->serverCert = CERT_DupCertificate(cert);
    if (certChain) {
        sc->serverCertChain = CERT_DupCertList(certChain);
    } else {
        sc->serverCertChain =
            CERT_CertChainFromCert(sc->serverCert, certUsageSSLServer,
                                   PR_TRUE);
    }
    return sc->serverCertChain ? SECSuccess : SECFailure;
}
Beispiel #15
0
/*
 * SecCmsSignerInfoDestroy - destroy a SignerInfo data structure
 */
void
SecCmsSignerInfoDestroy(SecCmsSignerInfoRef si)
{
    if (si->cert != NULL) {
	dprintfRC("SecCmsSignerInfoDestroy top: certp %p cert.rc %d\n",
	    si->cert, (int)CFGetRetainCount(si->cert));
	CERT_DestroyCertificate(si->cert);
    }
    if (si->certList != NULL) {
	dprintfRC("SecCmsSignerInfoDestroy top: certList.rc %d\n",
	    (int)CFGetRetainCount(si->certList));
	CFRelease(si->certList);
    }
    if (si->timestampCertList != NULL) {
	dprintfRC("SecCmsSignerInfoDestroy top: timestampCertList.rc %d\n",
	    (int)CFGetRetainCount(si->timestampCertList));
	CFRelease(si->timestampCertList);
    }
    if (si->hashAgilityAttrValue != NULL) {
        dprintfRC("SecCmsSignerInfoDestroy top: hashAgilityAttrValue.rc %d\n",
                  (int)CFGetRetainCount(si->hashAgilityAttrValue));
        CFRelease(si->hashAgilityAttrValue);
    }
    /* XXX storage ??? */
}
Beispiel #16
0
/* This invokes the "default" AuthCert handler in libssl.
** The only reason to use this one is that it prints out info as it goes. 
*/
static SECStatus
mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
		     PRBool isServer)
{
    SECStatus rv;
    CERTCertificate *    peerCert;
    const SECItemArray *csa;

    if (MakeCertOK>=2) {
        return SECSuccess;
    }
    peerCert = SSL_PeerCertificate(fd);

    PRINTF("strsclnt: Subject: %s\nstrsclnt: Issuer : %s\n", 
           peerCert->subjectName, peerCert->issuerName); 
    csa = SSL_PeerStapledOCSPResponses(fd);
    if (csa) {
        PRINTF("Received %d Cert Status items (OCSP stapled data)\n",
               csa->len);
    }
    /* invoke the "default" AuthCert handler. */
    rv = SSL_AuthCertificate(arg, fd, checkSig, isServer);

    PR_ATOMIC_INCREMENT(&certsTested);
    if (rv == SECSuccess) {
	fputs("strsclnt: -- SSL: Server Certificate Validated.\n", stderr);
    }
    CERT_DestroyCertificate(peerCert);
    /* error, if any, will be displayed by the Bad Cert Handler. */
    return rv;  
}
/*
 * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message
 */
SECStatus
NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd,
                                  CERTCertDBHandle *certdb,
                                  SECCertUsage usage)
{
    CERTCertificate *cert;
    SECStatus rv = SECSuccess;
    int i;
    int count;
    PRTime now;

    if (!sigd || !certdb || !sigd->rawCerts) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    count = NSS_CMSArray_Count((void**)sigd->rawCerts);
    now = PR_Now();
    for (i=0; i < count; i++) {
        if (sigd->certs && sigd->certs[i]) {
            cert = CERT_DupCertificate(sigd->certs[i]);
        } else {
            cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]);
            if (!cert) {
                rv = SECFailure;
                break;
            }
        }
        rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, now,
                              NULL, NULL);
        CERT_DestroyCertificate(cert);
    }

    return rv;
}
Beispiel #18
0
int sxi_vcrypt_print_cert_info(sxc_client_t *sx, const char *file, int batch_mode)
{
    struct PK11_ctx ctx;
    CERTCertificate *cert = load_cert_file(sx, file, &ctx);

    if(!cert) {
        free_PK11_ctx(&ctx);
        return -1;
    }

    if (cert && !batch_mode) {
        char *subject = CERT_NameToAscii(&cert->subject);
        char *issuer = CERT_NameToAscii(&cert->issuer);
        char *common_name = CERT_GetCommonName(&cert->subject);
        struct sxi_fmt fmt;
        char hash[SXI_SHA1_TEXT_LEN+1];

        sxi_fmt_start(&fmt);
        sxi_fmt_msg(&fmt, "\tSubject: %s\n", subject);
        sxi_fmt_msg(&fmt, "\tIssuer: %s\n", issuer);
        if (!sxi_conns_hashcalc_core(sx, NULL, 0,
                                     cert->derCert.data,
                                     cert->derCert.len, hash)) {
            sxi_fmt_msg(&fmt, "\tSHA1 Fingerprint: %s\n", hash);
        }
        sxi_info(sx, "%s", fmt.buf);
        PR_Free(subject);
        PR_Free(issuer);
        PR_Free(common_name);
    }

    CERT_DestroyCertificate(cert);
    free_PK11_ctx(&ctx);
    return 0;
}
static void
trust_prompt_free_certificate (gpointer cert)
{
	if (!cert)
		return;

	CERT_DestroyCertificate (cert);
}
Beispiel #20
0
/*
 * Callback from SSL for checking certificate the peer (other end of
 * the socket) presents.
 */
SECStatus
JSSL_DefaultCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig,
             PRBool isServer)
{
    char *          hostname = NULL;
    SECStatus         rv    = SECFailure;
    SECCertUsage      certUsage;
    CERTCertificate   *peerCert=NULL;

    certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
 

    /* SSL_PeerCertificate() returns a shallow copy of the cert, so we
       must destroy it before we exit this function */

    peerCert   = SSL_PeerCertificate(fd);

    if (peerCert) {
        rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), peerCert,
                checkSig, certUsage, NULL /*pinarg*/);
    }

    /* if we're a server, then we don't need to check the CN of the
       certificate, so we can just return whatever returncode we
       have now
     */

    if ( rv != SECSuccess || isServer )  {
        if (peerCert) CERT_DestroyCertificate(peerCert);
            return (int)rv;
        }

    /* cert is OK.  This is the client side of an SSL connection.
     * Now check the name field in the cert against the desired hostname.
     * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
     */
    hostname = SSL_RevealURL(fd);    /* really is a hostname, not a URL */
    if (hostname && hostname[0]) {
        rv = CERT_VerifyCertName(peerCert, hostname);
        PORT_Free(hostname); 
    } else
        rv = SECFailure;

    if (peerCert) CERT_DestroyCertificate(peerCert);
    return rv;
}
Beispiel #21
0
static void
add_to_subject_list(CERTCertList *certList, CERTCertificate *cert,
                    PRBool validOnly, PRTime sorttime)
{
    SECStatus secrv;
    if (!validOnly ||
        CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE) ==
            secCertTimeValid) {
        secrv = CERT_AddCertToListSorted(certList, cert, CERT_SortCBValidity,
                                         (void *)&sorttime);
        if (secrv != SECSuccess) {
            CERT_DestroyCertificate(cert);
        }
    } else {
        CERT_DestroyCertificate(cert);
    }
}
Beispiel #22
0
static
int
__pkcs11h_crypto_nss_certificate_is_issuer (
	IN void * const global_data,
	IN const unsigned char * const issuer_blob,
	IN const size_t issuer_blob_size,
	IN const unsigned char * const cert_blob,
	IN const size_t cert_blob_size
) {
	PKCS11H_BOOL is_issuer = FALSE;
	CERTCertificate *cert = NULL;
	CERTCertificate *issuer = NULL;

	(void)global_data;

	/*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
	_PKCS11H_ASSERT (issuer_blob!=NULL);
	_PKCS11H_ASSERT (cert_blob!=NULL);

	if ((issuer = CERT_DecodeCertFromPackage ((char *)issuer_blob, issuer_blob_size)) == NULL) {
		goto cleanup;
	}

	if ((cert = CERT_DecodeCertFromPackage ((char *)cert_blob, cert_blob_size)) == NULL) {
		goto cleanup;
	}

	is_issuer = CERT_VerifySignedDataWithPublicKeyInfo (
		&cert->signatureWrap,
		&issuer->subjectPublicKeyInfo,
		NULL
	) == SECSuccess;

cleanup:

	if (cert != NULL) {
		CERT_DestroyCertificate (cert);
	}

	if (issuer != NULL) {
		CERT_DestroyCertificate (issuer);
	}

	return is_issuer;
}
/*
 * FUNCTION: pkix_pl_OcspResponse_Destroy
 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
 */
static PKIX_Error *
pkix_pl_OcspResponse_Destroy(
        PKIX_PL_Object *object,
        void *plContext)
{
        PKIX_PL_OcspResponse *ocspRsp = NULL;
        const SEC_HttpClientFcn *httpClient = NULL;
        const SEC_HttpClientFcnV1 *hcv1 = NULL;

        PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Destroy");
        PKIX_NULLCHECK_ONE(object);

        PKIX_CHECK(pkix_CheckType(object, PKIX_OCSPRESPONSE_TYPE, plContext),
                    PKIX_OBJECTNOTANOCSPRESPONSE);

        ocspRsp = (PKIX_PL_OcspResponse *)object;

        if (ocspRsp->nssOCSPResponse != NULL) {
                CERT_DestroyOCSPResponse(ocspRsp->nssOCSPResponse);
                ocspRsp->nssOCSPResponse = NULL;
        }

        if (ocspRsp->signerCert != NULL) {
                CERT_DestroyCertificate(ocspRsp->signerCert);
                ocspRsp->signerCert = NULL;
        }

        httpClient = (const SEC_HttpClientFcn *)(ocspRsp->httpClient);

        if (httpClient && (httpClient->version == 1)) {

                hcv1 = &(httpClient->fcnTable.ftable1);

                if (ocspRsp->sessionRequest != NULL) {
                    (*hcv1->freeFcn)(ocspRsp->sessionRequest);
                    ocspRsp->sessionRequest = NULL;
                }

                if (ocspRsp->serverSession != NULL) {
                    (*hcv1->freeSessionFcn)(ocspRsp->serverSession);
                    ocspRsp->serverSession = NULL;
                }
        }

        if (ocspRsp->arena != NULL) {
                PORT_FreeArena(ocspRsp->arena, PR_FALSE);
                ocspRsp->arena = NULL;
        }

	PKIX_DECREF(ocspRsp->producedAtDate);
	PKIX_DECREF(ocspRsp->pkixSignerCert);
	PKIX_DECREF(ocspRsp->request);

cleanup:

        PKIX_RETURN(OCSPRESPONSE);
}
Beispiel #24
0
static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
{
  SECStatus result = SECFailure;
  struct connectdata *conn = (struct connectdata *)arg;
  PRErrorCode err = PR_GetError();
  CERTCertificate *cert = NULL;
  char *subject, *subject_cn, *issuer;

  conn->data->set.ssl.certverifyresult=err;
  cert = SSL_PeerCertificate(sock);
  subject = CERT_NameToAscii(&cert->subject);
  subject_cn = CERT_GetCommonName(&cert->subject);
  issuer = CERT_NameToAscii(&cert->issuer);
  CERT_DestroyCertificate(cert);

  switch(err) {
  case SEC_ERROR_CA_CERT_INVALID:
    infof(conn->data, "Issuer certificate is invalid: '%s'\n", issuer);
    break;
  case SEC_ERROR_UNTRUSTED_ISSUER:
    infof(conn->data, "Certificate is signed by an untrusted issuer: '%s'\n",
          issuer);
    break;
  case SSL_ERROR_BAD_CERT_DOMAIN:
    if(conn->data->set.ssl.verifyhost) {
      failf(conn->data, "SSL: certificate subject name '%s' does not match "
            "target host name '%s'", subject_cn, conn->host.dispname);
    }
    else {
      result = SECSuccess;
      infof(conn->data, "warning: SSL: certificate subject name '%s' does not "
            "match target host name '%s'\n", subject_cn, conn->host.dispname);
    }
    break;
  case SEC_ERROR_EXPIRED_CERTIFICATE:
    infof(conn->data, "Remote Certificate has expired.\n");
    break;
  case SEC_ERROR_UNKNOWN_ISSUER:
    infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
          issuer);
    break;
  default:
    infof(conn->data, "Bad certificate received. Subject = '%s', "
          "Issuer = '%s'\n", subject, issuer);
    break;
  }
  if(result == SECSuccess)
    infof(conn->data, "SSL certificate verify ok.\n");
  PR_Free(subject);
  PR_Free(subject_cn);
  PR_Free(issuer);

  return result;
}
int main(int argc, char **argv)
{
  if (NSS_NoDB_Init(NULL) != SECSuccess) {
    printf(" >>> NSS_NoDB_Init() failed.\n");
    return 1;
  }

  if (argc < 3) {
    printf(" >>> I need a DER encoded file to read and have to know what to do with it [decode, private]!\n");
    return 1;
  }

  PRFileDesc* file = PR_Open(argv[1], PR_RDONLY, 0);

  SECItem data = {0, NULL, 0};
  if (SECU_ReadDERFromFile(&data, file, PR_FALSE, PR_FALSE) != SECSuccess) {
    printf(" >>> SECU_ReadDERFromFile() failed.\n");
    return 1;
  }
  PR_Close(file);

  if (strcmp(argv[2], "decode") == 0) {
    CERTCertificate *cert = CERT_DecodeCertFromPackage((char*)data.data, data.len);
    if (cert){
      printf(" >>> read cert!\n");
      printf(" >>> SN: %s\n", cert->subjectName);
      printf(" >>> IN: %s\n", cert->issuerName);
      CERT_DestroyCertificate(cert);
    } else {
      printf(" >>> CERT_DecodeCertFromPackage failed.\n");
      SECITEM_FreeItem(&data, PR_FALSE);
      return 1;
    }
  }

  if (argv[2] == "private") {
    PK11SlotInfo* slot = PK11_GetInternalSlot();
    if (!slot) {
      printf(" >>> PK11_GetInternalSlot() failed.\n");
      SECITEM_FreeItem(&data, PR_FALSE);
      return 1;
    }

    SECKEYPrivateKey* privKey;
    if (PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, &data, NULL, NULL, PR_FALSE, PR_FALSE, KU_ALL, &privKey, NULL) != SECSuccess) {
      printf(" >>> PK11_ImportDERPrivateKeyInfoAndReturnKey() failed.\n");
      SECITEM_FreeItem(&data, PR_FALSE);
      return 1;
    }
  }

  printf(" !!! Done.\n");
  return 0;
}
Beispiel #26
0
/*
 * NSS_CMSSignerInfo_Destroy - destroy a SignerInfo data structure
 */
void
NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si)
{
    if (si->cert != NULL)
	CERT_DestroyCertificate(si->cert);

    if (si->certList != NULL) 
	CERT_DestroyCertificateList(si->certList);

    /* XXX storage ??? */
}
Beispiel #27
0
static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
{
  SECStatus success = SECSuccess;
  struct connectdata *conn = (struct connectdata *)arg;
  PRErrorCode err = PR_GetError();
  CERTCertificate *cert = NULL;
  char *subject, *issuer;

  if(conn->data->set.ssl.certverifyresult!=0)
    return success;

  conn->data->set.ssl.certverifyresult=err;
  cert = SSL_PeerCertificate(sock);
  subject = CERT_NameToAscii(&cert->subject);
  issuer = CERT_NameToAscii(&cert->issuer);
  CERT_DestroyCertificate(cert);

  switch(err) {
  case SEC_ERROR_CA_CERT_INVALID:
    infof(conn->data, "Issuer certificate is invalid: '%s'\n", issuer);
    if(conn->data->set.ssl.verifypeer)
      success = SECFailure;
    break;
  case SEC_ERROR_UNTRUSTED_ISSUER:
    if(conn->data->set.ssl.verifypeer)
      success = SECFailure;
    infof(conn->data, "Certificate is signed by an untrusted issuer: '%s'\n",
          issuer);
    break;
  case SSL_ERROR_BAD_CERT_DOMAIN:
    if(conn->data->set.ssl.verifypeer)
      success = SECFailure;
    infof(conn->data, "common name: %s (does not match '%s')\n",
          subject, conn->host.dispname);
    break;
  case SEC_ERROR_EXPIRED_CERTIFICATE:
    if(conn->data->set.ssl.verifypeer)
      success = SECFailure;
    infof(conn->data, "Remote Certificate has expired.\n");
    break;
  default:
    if(conn->data->set.ssl.verifypeer)
      success = SECFailure;
    infof(conn->data, "Bad certificate received. Subject = '%s', "
          "Issuer = '%s'\n", subject, issuer);
    break;
  }
  if(success == SECSuccess)
    infof(conn->data, "SSL certificate verify ok.\n");
  PR_Free(subject);
  PR_Free(issuer);

  return success;
}
Beispiel #28
0
CERTDistNames *
CERT_DistNamesFromNicknames(CERTCertDBHandle *handle, char **nicknames,
                            int nnames)
{
    CERTDistNames *dnames = NULL;
    PLArenaPool *arena;
    int i, rv;
    SECItem *names = NULL;
    CERTCertificate *cert = NULL;

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (arena == NULL)
        goto loser;
    dnames = PORT_ArenaZNew(arena, CERTDistNames);
    if (dnames == NULL)
        goto loser;

    dnames->arena = arena;
    dnames->nnames = nnames;
    dnames->names = names = PORT_ArenaZNewArray(arena, SECItem, nnames);
    if (names == NULL)
        goto loser;

    for (i = 0; i < nnames; i++) {
        cert = CERT_FindCertByNicknameOrEmailAddr(handle, nicknames[i]);
        if (cert == NULL)
            goto loser;
        rv = SECITEM_CopyItem(arena, &names[i], &cert->derSubject);
        if (rv == SECFailure)
            goto loser;
        CERT_DestroyCertificate(cert);
    }
    return dnames;

loser:
    if (cert != NULL)
        CERT_DestroyCertificate(cert);
    if (arena != NULL)
        PORT_FreeArena(arena, PR_FALSE);
    return NULL;
}
Beispiel #29
0
void
CryptoMac_FreeCertificate(CryptoX_Certificate* aCertificate)
{
  if (!OnLionOrLater()) {
    return CERT_DestroyCertificate((CERTCertificate*)*aCertificate);
  }

  if (!aCertificate || !*aCertificate) {
    return;
  }
  CFRelease((SecKeyRef)*aCertificate);
}
CERTVerifyLogContentsCleaner::~CERTVerifyLogContentsCleaner()
{
  if (!m_cvl)
    return;

  CERTVerifyLogNode *i_node;
  for (i_node = m_cvl->head; i_node; i_node = i_node->next)
  {
    if (i_node->cert)
      CERT_DestroyCertificate(i_node->cert);
  }
}