/*
 * Resolve ctx->certname to a user certificate in the default NSS database
 * and store it in ctx->cert.
 *
 * Returns -1 when ctx->certname is unset or empty, 0 on success.  A nickname
 * that does not match any object-signing user certificate is treated as
 * fatal: a message is written to stderr and the process exits with status 1.
 */
int
find_certificate(cms_context *ctx)
{
    /* Shape of the opaque context handed through CERT_FindUserCertByUsage
     * to whatever password callback is registered; no password source is
     * configured here (source stays PW_NONE, data stays NULL). */
    typedef struct {
        enum { PW_NONE = 0, PW_FROMFILE = 1, PW_PLAINTEXT = 2, PW_EXTERNAL = 3 } source;
        char *data;
    } secuPWData;

    if (ctx->certname == NULL || ctx->certname[0] == '\0')
        return -1;

    secuPWData pwdata = { PW_NONE, NULL };
    CERTCertificate *found = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
                                                      ctx->certname,
                                                      certUsageObjectSigner,
                                                      PR_FALSE, &pwdata);
    if (found == NULL) {
        fprintf(stderr, "Could not find certificate\n");
        exit(1);
    }

    ctx->cert = found;
    return 0;
}
/* string getCertByPrefID (in string certID); */
/*
 * Look up the certificate nickname stored under preference `certID`, find
 * the matching e-mail recipient certificate in the user's database and
 * return its DER encoding as a BASE64 string in *_retval.
 *
 * A missing certificate is not an error: rv stays NS_OK and *_retval stays
 * null.  Preference lookup failures are returned as-is.
 */
NS_IMETHODIMP
nsCMSSecureMessage::GetCertByPrefID(const char *certID, char **_retval)
{
    nsNSSShutDownPreventionLock locker;
    PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::GetCertByPrefID\n"));

    nsresult rv = NS_OK;
    nsXPIDLCString nickname;
    nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
    *_retval = 0;

    nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
    if (NS_FAILED(rv))
        return rv;

    rv = prefs->GetCharPref(certID, getter_Copies(nickname));
    if (NS_FAILED(rv))
        return rv;

    /* Find a good cert in the user's database */
    CERTCertificate *cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
                                                     const_cast<char*>(nickname.get()),
                                                     certUsageEmailRecipient,
                                                     PR_TRUE, ctx);
    if (!cert) {
        /* Success, but no value */
        PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
               ("nsCMSSecureMessage::GetCertByPrefID - can't find user cert\n"));
        return rv;
    }

    /* Convert the DER to a BASE64 String */
    encode(cert->derCert.data, cert->derCert.len, _retval);
    CERT_DestroyCertificate(cert);
    return rv;
}
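/* nsIX509Cert getDefaultEmailSigningCert (); */
/*
 * Find the e-mail signing certificate with nickname `aNickname` in the
 * user's database and return it, AddRef'd, in *_retval.
 *
 * Returns NS_ERROR_FAILURE when _retval is null, NS_OK with a null *_retval
 * when the nickname is empty or no certificate matches, and
 * NS_ERROR_OUT_OF_MEMORY when the wrapper object cannot be allocated.
 */
NS_IMETHODIMP
nsNSSCertificateDB::FindEmailSigningCert(const nsAString &aNickname, nsIX509Cert **_retval)
{
    if (!_retval)
        return NS_ERROR_FAILURE;
    *_retval = 0;
    if (aNickname.IsEmpty())
        return NS_OK;

    nsNSSShutDownPreventionLock locker;
    nsresult rv = NS_OK;
    CERTCertificate *cert = 0;
    nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
    nsNSSCertificate *nssCert = nsnull;
    char *asciiname = NULL;
    NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
    asciiname = const_cast<char*>(aUtf8Nickname.get());

    /* Find a good cert in the user's database */
    cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname,
                                    certUsageEmailSigner, PR_TRUE, ctx);
    if (!cert) {
        goto loser;
    }

    nssCert = new nsNSSCertificate(cert);
    if (nssCert == nsnull) {
        /* Bail out before NS_ADDREF: the original fell through and
         * dereferenced the null wrapper. */
        rv = NS_ERROR_OUT_OF_MEMORY;
        goto loser;
    }
    NS_ADDREF(nssCert);
    *_retval = static_cast<nsIX509Cert*>(nssCert);

loser:
    if (cert)
        CERT_DestroyCertificate(cert);
    return rv;
}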
/*
 * Look up the client certificate named `nickname` and its private key.
 *
 * On success stores both in *out_cert/*out_key and returns SECSuccess.
 * Returns SECFailure (and releases the certificate) when either the
 * certificate or its key cannot be found.
 */
static SECStatus
lookup_named_client_cert(char *nickname, void *proto_win,
                         CERTCertificate **out_cert, SECKEYPrivateKey **out_key)
{
    CERTCertificate *cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
                                                     nickname, certUsageSSLClient,
                                                     PR_FALSE, proto_win);
    if (cert == NULL)
        return SECFailure;

    SECKEYPrivateKey *key = PK11_FindKeyByAnyCert(cert, proto_win);
    if (key == NULL) {
        CERT_DestroyCertificate(cert);
        return SECFailure;
    }

    *out_cert = cert;
    *out_key = key;
    return SECSuccess;
}

/*
 * No nickname was given: walk the user's certificate nicknames and pick the
 * first client certificate that is currently valid, chains to one of the
 * CA names the server sent, and has a private key available.
 *
 * Returns SECSuccess with *out_cert/*out_key filled in, else SECFailure.
 * Certificates that are rejected are released before moving on.
 */
static SECStatus
select_client_cert(struct CERTDistNamesStr *caNames, void *proto_win,
                   CERTCertificate **out_cert, SECKEYPrivateKey **out_key)
{
    SECStatus rv = SECFailure;
    CERTCertNicknames *names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
                                                     SEC_CERT_NICKNAMES_USER,
                                                     proto_win);
    if (names == NULL)
        return SECFailure;

    for (int i = 0; i < names->numnicknames; i++) {
        CERTCertificate *cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
                                                         names->nicknames[i],
                                                         certUsageSSLClient,
                                                         PR_FALSE, proto_win);
        if (cert == NULL)
            continue;

        /* Only check unexpired certs */
        if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) != secCertTimeValid) {
            CERT_DestroyCertificate(cert);
            continue;
        }

        if (NSS_CmpCertChainWCANames(cert, caNames) == SECSuccess) {
            SECKEYPrivateKey *key = PK11_FindKeyByAnyCert(cert, proto_win);
            if (key != NULL) {
                *out_cert = cert;
                *out_key = key;
                rv = SECSuccess;
                break;
            }
        }
        CERT_DestroyCertificate(cert);
    }

    CERT_FreeNicknames(names);
    return rv;
}

/*
 * SSL client-authentication callback: invoked when the server requests a
 * client certificate.  `arg` is an optional nickname (char *) chosen by the
 * application; when NULL a suitable certificate is selected automatically
 * against the server-supplied CA names.
 *
 * On SECSuccess *pRetCert and *pRetKey receive the certificate and key (the
 * caller takes ownership); on SECFailure they are left untouched.
 */
SECStatus
NSS_GetClientAuthData(void *arg, PRFileDesc *socket,
                      struct CERTDistNamesStr *caNames,
                      struct CERTCertificateStr **pRetCert,
                      struct SECKEYPrivateKeyStr **pRetKey)
{
    char *chosenNickName = (char *)arg; /* CONST */
    void *proto_win = SSL_RevealPinArg(socket);
    CERTCertificate *cert = NULL;
    SECKEYPrivateKey *privkey = NULL;
    SECStatus rv;

    if (chosenNickName != NULL) {
        rv = lookup_named_client_cert(chosenNickName, proto_win, &cert, &privkey);
    } else {
        /* no name given, automatically find the right cert. */
        rv = select_client_cert(caNames, proto_win, &cert, &privkey);
    }

    if (rv == SECSuccess) {
        *pRetCert = cert;
        *pRetKey = privkey;
    }
    return rv;
}
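/*
 * Build a CMS SignedData message signed with the certificate nicknamed
 * `nick`, using digest algorithm `hash`.  `detached` is passed through to
 * NSS_CMSContentInfo_SetContent_Data and decides whether the signed content
 * is carried inside the message.  When the context asks for it, the
 * encryption certificate (its own nickname, the signing certificate, or the
 * same nickname, in that order of preference) is advertised as
 * SMIMEEncKeyPrefs per RFC 2633 2.5.3.
 *
 * Returns the new message, which the caller owns, or NULL with `ex` set.
 * The certificate references taken here are always released before return.
 */
static NSSCMSMessage *
sm_signing_cmsmessage(CamelSMIMEContext *context, const char *nick, SECOidTag hash, int detached, CamelException *ex)
{
    struct _CamelSMIMEContextPrivate *p = context->priv;
    NSSCMSMessage *cmsg = NULL;
    NSSCMSContentInfo *cinfo;
    NSSCMSSignedData *sigd;
    NSSCMSSignerInfo *signerinfo;
    CERTCertificate *cert = NULL, *ekpcert = NULL;

    if ((cert = CERT_FindUserCertByUsage(p->certdb, (char *)nick, certUsageEmailSigner, PR_FALSE, NULL)) == NULL) {
        camel_exception_setv(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot find certificate for '%s'"), nick);
        return NULL;
    }

    cmsg = NSS_CMSMessage_Create(NULL); /* create a message on its own pool */
    if (cmsg == NULL) {
        camel_exception_set(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot create CMS message"));
        goto fail;
    }

    if ((sigd = NSS_CMSSignedData_Create(cmsg)) == NULL) {
        camel_exception_set(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot create CMS signed data"));
        goto fail;
    }

    cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
    if (NSS_CMSContentInfo_SetContent_SignedData(cmsg, cinfo, sigd) != SECSuccess) {
        camel_exception_set(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot attach CMS signed data"));
        goto fail;
    }

    /* if !detached, the contentinfo will alloc a data item for us */
    cinfo = NSS_CMSSignedData_GetContentInfo(sigd);
    if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, detached) != SECSuccess) {
        camel_exception_set(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot attach CMS data"));
        goto fail;
    }

    signerinfo = NSS_CMSSignerInfo_Create(cmsg, cert, hash);
    if (signerinfo == NULL) {
        camel_exception_set(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot create CMS Signer information"));
        goto fail;
    }

    /* we want the cert chain included for this one */
    if (NSS_CMSSignerInfo_IncludeCerts(signerinfo, NSSCMSCM_CertChain, certUsageEmailSigner) != SECSuccess) {
        camel_exception_set(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot find certificate chain"));
        goto fail;
    }

    /* SMIME RFC says signing time should always be added */
    if (NSS_CMSSignerInfo_AddSigningTime(signerinfo, PR_Now()) != SECSuccess) {
        camel_exception_set(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add CMS Signing time"));
        goto fail;
    }

    /* The optional SMIMECapabilities attribute (NSS_CMSSignerInfo_AddSMIMECaps)
     * is intentionally not added; it can be, but need not be. */

    /* Check if we need to send along our return encrypt cert, rfc2633 2.5.3 */
    if (p->send_encrypt_key_prefs) {
        CERTCertificate *enccert = NULL;

        if (p->encrypt_key) {
            /* encrypt key has its own nick */
            if ((ekpcert = CERT_FindUserCertByUsage(p->certdb, p->encrypt_key, certUsageEmailRecipient, PR_FALSE, NULL)) == NULL) {
                camel_exception_setv(ex, CAMEL_EXCEPTION_SYSTEM, _("Encryption certificate for '%s' does not exist"), p->encrypt_key);
                goto fail;
            }
            enccert = ekpcert;
        } else if (CERT_CheckCertUsage(cert, certUsageEmailRecipient) == SECSuccess) {
            /* encrypt key is signing key */
            enccert = cert;
        } else {
            /* encrypt key uses same nick */
            if ((ekpcert = CERT_FindUserCertByUsage(p->certdb, (char *)nick, certUsageEmailRecipient, PR_FALSE, NULL)) == NULL) {
                camel_exception_setv(ex, CAMEL_EXCEPTION_SYSTEM, _("Encryption certificate for '%s' does not exist"), nick);
                goto fail;
            }
            enccert = ekpcert;
        }

        if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, enccert, p->certdb) != SECSuccess) {
            camel_exception_set(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add SMIMEEncKeyPrefs attribute"));
            goto fail;
        }

        if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, enccert, p->certdb) != SECSuccess) {
            camel_exception_set(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add MS SMIMEEncKeyPrefs attribute"));
            goto fail;
        }

        /* A separately looked-up encryption cert must travel with the message. */
        if (ekpcert != NULL && NSS_CMSSignedData_AddCertificate(sigd, ekpcert) != SECSuccess) {
            camel_exception_set(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add encryption certificate"));
            goto fail;
        }
    }

    if (NSS_CMSSignedData_AddSignerInfo(sigd, signerinfo) != SECSuccess) {
        camel_exception_set(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add CMS Signer information"));
        goto fail;
    }

    /* Success: drop our certificate references; the message is handed back. */
    if (ekpcert)
        CERT_DestroyCertificate(ekpcert);
    if (cert)
        CERT_DestroyCertificate(cert);
    return cmsg;

fail:
    if (ekpcert)
        CERT_DestroyCertificate(ekpcert);
    if (cert)
        CERT_DestroyCertificate(cert);
    /* cmsg is still NULL when NSS_CMSMessage_Create itself failed; the
     * original passed that NULL straight to NSS_CMSMessage_Destroy, which is
     * not documented as NULL-safe. */
    if (cmsg)
        NSS_CMSMessage_Destroy(cmsg);
    return NULL;
}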