/*
* NSS_CMSSignerInfo_IncludeCerts - set cert chain inclusion mode for this signer
*/
SECStatus
NSS_CMSSignerInfo_IncludeCerts(NSSCMSSignerInfo *signerinfo, NSSCMSCertChainMode cm, SECCertUsage usage)
{
if (signerinfo->cert == NULL)
return SECFailure;
/* don't leak if we get called twice */
if (signerinfo->certList != NULL) {
CERT_DestroyCertificateList(signerinfo->certList);
signerinfo->certList = NULL;
}
switch (cm) {
case NSSCMSCM_None:
signerinfo->certList = NULL;
break;
case NSSCMSCM_CertOnly:
signerinfo->certList = CERT_CertListFromCert(signerinfo->cert);
break;
case NSSCMSCM_CertChain:
signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_FALSE);
break;
case NSSCMSCM_CertChainWithRoot:
signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_TRUE);
break;
}
if (cm != NSSCMSCM_None && signerinfo->certList == NULL)
return SECFailure;
return SECSuccess;
}
/*
* SecCmsSignerInfoIncludeCerts - set cert chain inclusion mode for this signer
*/
OSStatus
SecCmsSignerInfoIncludeCerts(SecCmsSignerInfoRef signerinfo, SecCmsCertChainMode cm, SECCertUsage usage)
{
if (signerinfo->cert == NULL)
return SECFailure;
/* don't leak if we get called twice */
if (signerinfo->certList != NULL) {
CFRelease(signerinfo->certList);
signerinfo->certList = NULL;
}
switch (cm) {
case SecCmsCMNone:
signerinfo->certList = NULL;
break;
case SecCmsCMCertOnly:
signerinfo->certList = CERT_CertListFromCert(signerinfo->cert);
break;
case SecCmsCMCertChain:
signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_FALSE);
break;
case SecCmsCMCertChainWithRoot:
signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_TRUE);
break;
}
if (cm != SecCmsCMNone && signerinfo->certList == NULL)
return SECFailure;
return SECSuccess;
}
bool
RTCCertificate::WriteCertificate(JSStructuredCloneWriter* aWriter,
const nsNSSShutDownPreventionLock& /*proof*/) const
{
ScopedCERTCertificateList certs(CERT_CertListFromCert(mCertificate.get()));
if (!certs || certs->len <= 0) {
return false;
}
if (!JS_WriteUint32Pair(aWriter, certs->certs[0].len, 0)) {
return false;
}
return JS_WriteBytes(aWriter, certs->certs[0].data, certs->certs[0].len);
}
CFArrayRef CERT_CertChainFromCert(SecCertificateRef cert, SECCertUsage usage, Boolean includeRoot)
{
SecPolicySearchRef searchRef = NULL;
SecPolicyRef policy = NULL;
CFArrayRef wrappedCert = NULL;
SecTrustRef trust = NULL;
CFArrayRef certChain = NULL;
CSSM_TP_APPLE_EVIDENCE_INFO *statusChain;
CFDataRef actionData = NULL;
OSStatus status = 0;
if (!cert)
goto loser;
status = SecPolicySearchCreate(CSSM_CERT_X_509v3, &CSSMOID_APPLE_X509_BASIC, NULL, &searchRef);
if (status)
goto loser;
status = SecPolicySearchCopyNext(searchRef, &policy);
if (status)
goto loser;
wrappedCert = CERT_CertListFromCert(cert);
status = SecTrustCreateWithCertificates(wrappedCert, policy, &trust);
if (status)
goto loser;
/* Tell SecTrust that we don't care if any certs in the chain have expired,
nor do we want to stop when encountering a cert with a trust setting;
we always want to build the full chain.
*/
CSSM_APPLE_TP_ACTION_DATA localActionData = {
CSSM_APPLE_TP_ACTION_VERSION,
CSSM_TP_ACTION_ALLOW_EXPIRED | CSSM_TP_ACTION_ALLOW_EXPIRED_ROOT
};
actionData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, (const UInt8 *)&localActionData, sizeof(localActionData), kCFAllocatorNull);
if (!actionData)
goto loser;
status = SecTrustSetParameters(trust, CSSM_TP_ACTION_DEFAULT, actionData);
if (status)
goto loser;
status = SecTrustEvaluate(trust, NULL);
if (status)
goto loser;
status = SecTrustGetResult(trust, NULL, &certChain, &statusChain);
if (status)
goto loser;
/* We don't drop the root if there is only 1 (self signed) certificate in the chain. */
if (!includeRoot && CFArrayGetCount(certChain) > 1)
{
CFMutableArrayRef subChain = CFArrayCreateMutableCopy(NULL, 0, certChain);
CFRelease(certChain);
certChain = subChain;
if (subChain)
CFArrayRemoveValueAtIndex(subChain, CFArrayGetCount(subChain) - 1);
}
loser:
if (searchRef)
CFRelease(searchRef);
if (policy)
CFRelease(policy);
if (wrappedCert)
CFRelease(wrappedCert);
if (trust)
CFRelease(trust);
if (actionData)
CFRelease(actionData);
if (certChain && status)
{
CFRelease(certChain);
certChain = NULL;
}
return certChain;
}
