NS_IMETHODIMP
nsNSSCertificateDB::FindCertByEmailAddress(nsISupports *aToken, const char *aEmailAddress, nsIX509Cert **_retval)
{
nsNSSShutDownPreventionLock locker;
CERTCertificate *any_cert = CERT_FindCertByNicknameOrEmailAddr(CERT_GetDefaultCertDB(), (char*)aEmailAddress);
if (!any_cert)
return NS_ERROR_FAILURE;
CERTCertificateCleaner certCleaner(any_cert);
// any_cert now contains a cert with the right subject, but it might not have the correct usage
CERTCertList *certlist = CERT_CreateSubjectCertList(
nsnull, CERT_GetDefaultCertDB(), &any_cert->derSubject, PR_Now(), PR_TRUE);
if (!certlist)
return NS_ERROR_FAILURE;
CERTCertListCleaner listCleaner(certlist);
if (SECSuccess != CERT_FilterCertListByUsage(certlist, certUsageEmailRecipient, PR_FALSE))
return NS_ERROR_FAILURE;
if (CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist))
return NS_ERROR_FAILURE;
nsNSSCertificate *nssCert = new nsNSSCertificate(CERT_LIST_HEAD(certlist)->cert);
if (!nssCert)
return NS_ERROR_OUT_OF_MEMORY;
NS_ADDREF(nssCert);
*_retval = static_cast<nsIX509Cert*>(nssCert);
return NS_OK;
}
/*
* Find all user certificates that match the given criteria.
*
* "handle" - database to search
* "usage" - certificate usage to match
* "oneCertPerName" - if set then only return the "best" cert per
* name
* "validOnly" - only return certs that are curently valid
* "proto_win" - window handle passed to pkcs11
*/
CERTCertList *
CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
SECCertUsage usage,
PRBool oneCertPerName,
PRBool validOnly,
void *proto_win)
{
CERTCertNicknames *nicknames = NULL;
char **nnptr;
int nn;
CERTCertificate *cert = NULL;
CERTCertList *certList = NULL;
SECStatus rv;
int64 time;
CERTCertListNode *node = NULL;
CERTCertListNode *freenode = NULL;
int n;
time = PR_Now();
nicknames = CERT_GetCertNicknames(handle, SEC_CERT_NICKNAMES_USER,
proto_win);
if ( ( nicknames == NULL ) || ( nicknames->numnicknames == 0 ) ) {
goto loser;
}
nnptr = nicknames->nicknames;
nn = nicknames->numnicknames;
while ( nn > 0 ) {
cert = NULL;
/* use the pk11 call so that we pick up any certs on tokens,
* which may require login
*/
if ( proto_win != NULL ) {
cert = PK11_FindCertFromNickname(*nnptr,proto_win);
}
/* Sigh, It turns out if the cert is already in the temp db, because
* it's in the perm db, then the nickname lookup doesn't work.
* since we already have the cert here, though, than we can just call
* CERT_CreateSubjectCertList directly. For those cases where we didn't
* find the cert in pkcs #11 (because we didn't have a password arg,
* or because the nickname is for a peer, server, or CA cert, then we
* go look the cert up.
*/
if (cert == NULL) {
cert = CERT_FindCertByNickname(handle,*nnptr);
}
if ( cert != NULL ) {
/* collect certs for this nickname, sorting them into the list */
certList = CERT_CreateSubjectCertList(certList, handle,
&cert->derSubject, time, validOnly);
CERT_FilterCertListForUserCerts(certList);
/* drop the extra reference */
CERT_DestroyCertificate(cert);
}
nnptr++;
nn--;
}
/* remove certs with incorrect usage */
rv = CERT_FilterCertListByUsage(certList, usage, PR_FALSE);
if ( rv != SECSuccess ) {
goto loser;
}
/* remove any extra certs for each name */
if ( oneCertPerName ) {
PRBool *flags;
nn = nicknames->numnicknames;
nnptr = nicknames->nicknames;
flags = (PRBool *)PORT_ZAlloc(sizeof(PRBool) * nn);
if ( flags == NULL ) {
goto loser;
}
node = CERT_LIST_HEAD(certList);
/* treverse all certs in the list */
while ( !CERT_LIST_END(node, certList) ) {
/* find matching nickname index */
for ( n = 0; n < nn; n++ ) {
if ( CERT_MatchNickname(nnptr[n], node->cert->nickname) ) {
/* We found a match. If this is the first one, then
* set the flag and move on to the next cert. If this
* is not the first one then delete it from the list.
*/
if ( flags[n] ) {
/* We have already seen a cert with this nickname,
* so delete this one.
*/
freenode = node;
node = CERT_LIST_NEXT(node);
CERT_RemoveCertListNode(freenode);
} else {
/* keep the first cert for each nickname, but set the
* flag so we know to delete any others with the same
* nickname.
*/
flags[n] = PR_TRUE;
node = CERT_LIST_NEXT(node);
}
break;
}
}
if ( n == nn ) {
/* if we get here it means that we didn't find a matching
* nickname, which should not happen.
*/
PORT_Assert(0);
node = CERT_LIST_NEXT(node);
}
}
PORT_Free(flags);
}
goto done;
loser:
if ( certList != NULL ) {
CERT_DestroyCertList(certList);
certList = NULL;
}
done:
if ( nicknames != NULL ) {
CERT_FreeNicknames(nicknames);
}
return(certList);
}
/*
* Find a user certificate that matchs the given criteria.
*
* "handle" - database to search
* "nickname" - nickname to match
* "usage" - certificate usage to match
* "validOnly" - only return certs that are curently valid
* "proto_win" - window handle passed to pkcs11
*/
CERTCertificate *
CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
const char *nickname,
SECCertUsage usage,
PRBool validOnly,
void *proto_win)
{
CERTCertificate *cert = NULL;
CERTCertList *certList = NULL;
SECStatus rv;
int64 time;
time = PR_Now();
/* use the pk11 call so that we pick up any certs on tokens,
* which may require login
*/
/* XXX - why is this restricted? */
if ( proto_win != NULL ) {
cert = PK11_FindCertFromNickname(nickname,proto_win);
}
/* sigh, There are still problems find smart cards from the temp
* db. This will get smart cards working again. The real fix
* is to make sure we can search the temp db by their token nickname.
*/
if (cert == NULL) {
cert = CERT_FindCertByNickname(handle,nickname);
}
if ( cert != NULL ) {
unsigned int requiredKeyUsage;
unsigned int requiredCertType;
rv = CERT_KeyUsageAndTypeForCertUsage(usage, PR_FALSE,
&requiredKeyUsage, &requiredCertType);
if ( rv != SECSuccess ) {
/* drop the extra reference */
CERT_DestroyCertificate(cert);
cert = NULL;
goto loser;
}
/* If we already found the right cert, just return it */
if ( (!validOnly || CERT_CheckCertValidTimes(cert, time, PR_FALSE)
== secCertTimeValid) &&
(CERT_CheckKeyUsage(cert, requiredKeyUsage) == SECSuccess) &&
(cert->nsCertType & requiredCertType) &&
CERT_IsUserCert(cert) ) {
return(cert);
}
/* collect certs for this nickname, sorting them into the list */
certList = CERT_CreateSubjectCertList(certList, handle,
&cert->derSubject, time, validOnly);
CERT_FilterCertListForUserCerts(certList);
/* drop the extra reference */
CERT_DestroyCertificate(cert);
cert = NULL;
}
if ( certList == NULL ) {
goto loser;
}
/* remove certs with incorrect usage */
rv = CERT_FilterCertListByUsage(certList, usage, PR_FALSE);
if ( rv != SECSuccess ) {
goto loser;
}
if ( ! CERT_LIST_END(CERT_LIST_HEAD(certList), certList) ) {
cert = CERT_DupCertificate(CERT_LIST_HEAD(certList)->cert);
}
loser:
if ( certList != NULL ) {
CERT_DestroyCertList(certList);
}
return(cert);
}
static CERTCertificate *
common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
const char *name, PRBool anyUsage,
SECCertUsage lookingForUsage)
{
NSSCryptoContext *cc;
NSSCertificate *c, *ct;
CERTCertificate *cert = NULL;
NSSUsage usage;
CERTCertList *certlist;
if (NULL == name) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
usage.anyUsage = anyUsage;
if (!anyUsage) {
usage.nss3lookingForCA = PR_FALSE;
usage.nss3usage = lookingForUsage;
}
cc = STAN_GetDefaultCryptoContext();
ct = NSSCryptoContext_FindBestCertificateByNickname(cc, name, NULL, &usage,
NULL);
if (!ct && PORT_Strchr(name, '@') != NULL) {
char *lowercaseName = CERT_FixupEmailAddr(name);
if (lowercaseName) {
ct = NSSCryptoContext_FindBestCertificateByEmail(
cc, lowercaseName, NULL, &usage, NULL);
PORT_Free(lowercaseName);
}
}
if (anyUsage) {
cert = PK11_FindCertFromNickname(name, NULL);
} else {
if (ct) {
/* Does ct really have the required usage? */
nssDecodedCert *dc;
dc = nssCertificate_GetDecoding(ct);
if (!dc->matchUsage(dc, &usage)) {
CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
ct = NULL;
}
}
certlist = PK11_FindCertsFromNickname(name, NULL);
if (certlist) {
SECStatus rv =
CERT_FilterCertListByUsage(certlist, lookingForUsage, PR_FALSE);
if (SECSuccess == rv &&
!CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist)) {
cert = CERT_DupCertificate(CERT_LIST_HEAD(certlist)->cert);
}
CERT_DestroyCertList(certlist);
}
}
if (cert) {
c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
CERT_DestroyCertificate(cert);
if (ct) {
CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
}
} else {
c = ct;
}
return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
}
SECStatus
NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb,
SECCertUsage certusage, PRBool keepcerts)
{
int certcount;
CERTCertificate **certArray = NULL;
CERTCertList *certList = NULL;
CERTCertListNode *node;
SECStatus rv;
SECItem **rawArray;
int i;
PRTime now;
if (!sigd) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
certcount = NSS_CMSArray_Count((void **)sigd->rawCerts);
/* get the certs in the temp DB */
rv = CERT_ImportCerts(certdb, certusage, certcount, sigd->rawCerts,
&certArray, PR_FALSE, PR_FALSE, NULL);
if (rv != SECSuccess) {
goto loser;
}
/* save the certs so they don't get destroyed */
for (i = 0; i < certcount; i++) {
CERTCertificate *cert = certArray[i];
if (cert)
NSS_CMSSignedData_AddTempCertificate(sigd, cert);
}
if (!keepcerts) {
goto done;
}
/* build a CertList for filtering */
certList = CERT_NewCertList();
if (certList == NULL) {
rv = SECFailure;
goto loser;
}
for (i = 0; i < certcount; i++) {
CERTCertificate *cert = certArray[i];
if (cert)
cert = CERT_DupCertificate(cert);
if (cert)
CERT_AddCertToListTail(certList, cert);
}
/* filter out the certs we don't want */
rv = CERT_FilterCertListByUsage(certList, certusage, PR_FALSE);
if (rv != SECSuccess) {
goto loser;
}
/* go down the remaining list of certs and verify that they have
* valid chains, then import them.
*/
now = PR_Now();
for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList);
node = CERT_LIST_NEXT(node)) {
CERTCertificateList *certChain;
if (CERT_VerifyCert(certdb, node->cert,
PR_TRUE, certusage, now, NULL, NULL) != SECSuccess) {
continue;
}
certChain = CERT_CertChainFromCert(node->cert, certusage, PR_FALSE);
if (!certChain) {
continue;
}
/*
* CertChain returns an array of SECItems, import expects an array of
* SECItem pointers. Create the SECItem Pointers from the array of
* SECItems.
*/
rawArray = (SECItem **)PORT_Alloc(certChain->len * sizeof(SECItem *));
if (!rawArray) {
CERT_DestroyCertificateList(certChain);
continue;
}
for (i = 0; i < certChain->len; i++) {
rawArray[i] = &certChain->certs[i];
}
(void)CERT_ImportCerts(certdb, certusage, certChain->len,
rawArray, NULL, keepcerts, PR_FALSE, NULL);
PORT_Free(rawArray);
CERT_DestroyCertificateList(certChain);
}
rv = SECSuccess;
/* XXX CRL handling */
done:
if (sigd->signerInfos != NULL) {
/* fill in all signerinfo's certs */
for (i = 0; sigd->signerInfos[i] != NULL; i++)
(void)NSS_CMSSignerInfo_GetSigningCertificate(
sigd->signerInfos[i], certdb);
}
loser:
/* now free everything */
if (certArray) {
CERT_DestroyCertArray(certArray, certcount);
}
if (certList) {
CERT_DestroyCertList(certList);
}
return rv;
}
nsresult
nsNSSCertificateDB::ImportValidCACertsInList(CERTCertList *certList, nsIInterfaceRequestor *ctx)
{
SECItem **rawArray;
/* filter out the certs we don't want */
SECStatus srv = CERT_FilterCertListByUsage(certList, certUsageAnyCA, PR_TRUE);
if (srv != SECSuccess) {
return NS_ERROR_FAILURE;
}
/* go down the remaining list of certs and verify that they have
* valid chains, if yes, then import.
*/
PRTime now = PR_Now();
CERTCertListNode *node;
for (node = CERT_LIST_HEAD(certList);
!CERT_LIST_END(node,certList);
node = CERT_LIST_NEXT(node)) {
bool alert_and_skip = false;
if (CERT_VerifyCert(CERT_GetDefaultCertDB(), node->cert,
PR_TRUE, certUsageVerifyCA, now, ctx, NULL) != SECSuccess) {
alert_and_skip = true;
}
CERTCertificateList *certChain = nsnull;
CERTCertificateListCleaner chainCleaner(certChain);
if (!alert_and_skip) {
certChain = CERT_CertChainFromCert(node->cert, certUsageAnyCA, PR_FALSE);
if (!certChain) {
alert_and_skip = true;
}
}
if (alert_and_skip) {
nsCOMPtr<nsIX509Cert> certToShow = new nsNSSCertificate(node->cert);
DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow);
continue;
}
/*
* CertChain returns an array of SECItems, import expects an array of
* SECItem pointers. Create the SECItem Pointers from the array of
* SECItems.
*/
rawArray = (SECItem **) PORT_Alloc(certChain->len * sizeof(SECItem *));
if (!rawArray) {
continue;
}
for (int i=0; i < certChain->len; i++) {
rawArray[i] = &certChain->certs[i];
}
CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageAnyCA, certChain->len,
rawArray, NULL, PR_TRUE, PR_TRUE, NULL);
PORT_Free(rawArray);
}
return NS_OK;
}
