int
find_certificate(cms_context *ctx)
{
if (!ctx->certname || !*ctx->certname)
return -1;
typedef struct {
enum {
PW_NONE = 0,
PW_FROMFILE = 1,
PW_PLAINTEXT = 2,
PW_EXTERNAL = 3
} source;
char *data;
} secuPWData;
secuPWData pwdata = { 0, 0 };
CERTCertificate *cert = NULL;
cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), ctx->certname,
certUsageObjectSigner, PR_FALSE, &pwdata);
if (cert == NULL) {
fprintf(stderr, "Could not find certificate\n");
exit(1);
}
ctx->cert = cert;
return 0;
}
/* string getCertByPrefID (in string certID); */
NS_IMETHODIMP nsCMSSecureMessage::
GetCertByPrefID(const char *certID, char **_retval)
{
nsNSSShutDownPreventionLock locker;
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::GetCertByPrefID\n"));
nsresult rv = NS_OK;
CERTCertificate *cert = 0;
nsXPIDLCString nickname;
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
*_retval = 0;
nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
if (NS_FAILED(rv)) {
goto done;
}
rv = prefs->GetCharPref(certID,
getter_Copies(nickname));
if (NS_FAILED(rv)) goto done;
/* Find a good cert in the user's database */
cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), const_cast<char*>(nickname.get()),
certUsageEmailRecipient, PR_TRUE, ctx);
if (!cert) {
/* Success, but no value */
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::GetCertByPrefID - can't find user cert\n"));
goto done;
}
/* Convert the DER to a BASE64 String */
encode(cert->derCert.data, cert->derCert.len, _retval);
done:
if (cert) CERT_DestroyCertificate(cert);
return rv;
}
/* nsIX509Cert getDefaultEmailSigningCert (); */
NS_IMETHODIMP
nsNSSCertificateDB::FindEmailSigningCert(const nsAString &aNickname, nsIX509Cert **_retval)
{
if (!_retval)
return NS_ERROR_FAILURE;
*_retval = 0;
if (aNickname.IsEmpty())
return NS_OK;
nsNSSShutDownPreventionLock locker;
nsresult rv = NS_OK;
CERTCertificate *cert = 0;
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
nsNSSCertificate *nssCert = nsnull;
char *asciiname = NULL;
NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
asciiname = const_cast<char*>(aUtf8Nickname.get());
/* Find a good cert in the user's database */
cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname,
certUsageEmailSigner, PR_TRUE, ctx);
if (!cert) { goto loser; }
nssCert = new nsNSSCertificate(cert);
if (nssCert == nsnull) {
rv = NS_ERROR_OUT_OF_MEMORY;
}
NS_ADDREF(nssCert);
*_retval = static_cast<nsIX509Cert*>(nssCert);
loser:
if (cert) CERT_DestroyCertificate(cert);
return rv;
}
/*
* This callback used by SSL to pull client sertificate upon
* server request
*/
SECStatus
NSS_GetClientAuthData(void * arg,
PRFileDesc * socket,
struct CERTDistNamesStr * caNames,
struct CERTCertificateStr ** pRetCert,
struct SECKEYPrivateKeyStr **pRetKey)
{
CERTCertificate * cert = NULL;
SECKEYPrivateKey * privkey = NULL;
char * chosenNickName = (char *)arg; /* CONST */
void * proto_win = NULL;
SECStatus rv = SECFailure;
proto_win = SSL_RevealPinArg(socket);
if (chosenNickName) {
cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
chosenNickName, certUsageSSLClient,
PR_FALSE, proto_win);
if ( cert ) {
privkey = PK11_FindKeyByAnyCert(cert, proto_win);
if ( privkey ) {
rv = SECSuccess;
} else {
CERT_DestroyCertificate(cert);
}
}
} else { /* no name given, automatically find the right cert. */
CERTCertNicknames * names;
int i;
names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
SEC_CERT_NICKNAMES_USER, proto_win);
if (names != NULL) {
for (i = 0; i < names->numnicknames; i++) {
cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
names->nicknames[i], certUsageSSLClient,
PR_FALSE, proto_win);
if ( !cert )
continue;
/* Only check unexpired certs */
if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) !=
secCertTimeValid ) {
CERT_DestroyCertificate(cert);
continue;
}
rv = NSS_CmpCertChainWCANames(cert, caNames);
if ( rv == SECSuccess ) {
privkey = PK11_FindKeyByAnyCert(cert, proto_win);
if ( privkey )
break;
}
rv = SECFailure;
CERT_DestroyCertificate(cert);
}
CERT_FreeNicknames(names);
}
}
if (rv == SECSuccess) {
*pRetCert = cert;
*pRetKey = privkey;
}
return rv;
}
static NSSCMSMessage *
sm_signing_cmsmessage(CamelSMIMEContext *context, const char *nick, SECOidTag hash, int detached, CamelException *ex)
{
struct _CamelSMIMEContextPrivate *p = context->priv;
NSSCMSMessage *cmsg = NULL;
NSSCMSContentInfo *cinfo;
NSSCMSSignedData *sigd;
NSSCMSSignerInfo *signerinfo;
CERTCertificate *cert= NULL, *ekpcert = NULL;
if ((cert = CERT_FindUserCertByUsage(p->certdb,
(char *)nick,
certUsageEmailSigner,
PR_FALSE,
NULL)) == NULL) {
camel_exception_setv(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot find certificate for '%s'"), nick);
return NULL;
}
cmsg = NSS_CMSMessage_Create(NULL); /* create a message on its own pool */
if (cmsg == NULL) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot create CMS message"));
goto fail;
}
if ((sigd = NSS_CMSSignedData_Create(cmsg)) == NULL) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot create CMS signed data"));
goto fail;
}
cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
if (NSS_CMSContentInfo_SetContent_SignedData(cmsg, cinfo, sigd) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot attach CMS signed data"));
goto fail;
}
/* if !detatched, the contentinfo will alloc a data item for us */
cinfo = NSS_CMSSignedData_GetContentInfo(sigd);
if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, detached) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot attach CMS data"));
goto fail;
}
signerinfo = NSS_CMSSignerInfo_Create(cmsg, cert, hash);
if (signerinfo == NULL) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot create CMS Signer information"));
goto fail;
}
/* we want the cert chain included for this one */
if (NSS_CMSSignerInfo_IncludeCerts(signerinfo, NSSCMSCM_CertChain, certUsageEmailSigner) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot find certificate chain"));
goto fail;
}
/* SMIME RFC says signing time should always be added */
if (NSS_CMSSignerInfo_AddSigningTime(signerinfo, PR_Now()) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add CMS Signing time"));
goto fail;
}
#if 0
/* this can but needn't be added. not sure what general usage is */
if (NSS_CMSSignerInfo_AddSMIMECaps(signerinfo) != SECSuccess) {
fprintf(stderr, "ERROR: cannot add SMIMECaps attribute.\n");
goto loser;
}
#endif
/* Check if we need to send along our return encrypt cert, rfc2633 2.5.3 */
if (p->send_encrypt_key_prefs) {
CERTCertificate *enccert = NULL;
if (p->encrypt_key) {
/* encrypt key has its own nick */
if ((ekpcert = CERT_FindUserCertByUsage(
p->certdb,
p->encrypt_key,
certUsageEmailRecipient, PR_FALSE, NULL)) == NULL) {
camel_exception_setv(ex, CAMEL_EXCEPTION_SYSTEM, _("Encryption certificate for '%s' does not exist"), p->encrypt_key);
goto fail;
}
enccert = ekpcert;
} else if (CERT_CheckCertUsage(cert, certUsageEmailRecipient) == SECSuccess) {
/* encrypt key is signing key */
enccert = cert;
} else {
/* encrypt key uses same nick */
if ((ekpcert = CERT_FindUserCertByUsage(
p->certdb, (char *)nick,
certUsageEmailRecipient, PR_FALSE, NULL)) == NULL) {
camel_exception_setv(ex, CAMEL_EXCEPTION_SYSTEM, _("Encryption certificate for '%s' does not exist"), nick);
goto fail;
}
enccert = ekpcert;
}
if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, enccert, p->certdb) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add SMIMEEncKeyPrefs attribute"));
goto fail;
}
if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, enccert, p->certdb) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add MS SMIMEEncKeyPrefs attribute"));
goto fail;
}
if (ekpcert != NULL && NSS_CMSSignedData_AddCertificate(sigd, ekpcert) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add encryption certificate"));
goto fail;
}
}
if (NSS_CMSSignedData_AddSignerInfo(sigd, signerinfo) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add CMS Signer information"));
goto fail;
}
if (ekpcert)
CERT_DestroyCertificate(ekpcert);
if (cert)
CERT_DestroyCertificate(cert);
return cmsg;
fail:
if (ekpcert)
CERT_DestroyCertificate(ekpcert);
if (cert)
CERT_DestroyCertificate(cert);
NSS_CMSMessage_Destroy(cmsg);
return NULL;
}
