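/**
 * Attach this TLS context to @p socket.
 *
 * Stores the back-pointer from the socket to this context, then installs on
 * the socket's GnuTLS session the client-certificate request policy
 * (clientVerifyMode_) and both credential sets: the X.509 certificate
 * credentials (certs_) and the anonymous credentials (anonCreds_).
 *
 * gnutls_credentials_set() returns 0 on success or a negative GnuTLS error
 * code; previously the result was dropped, so a context whose credentials
 * failed to install only surfaced as an unexplained handshake failure later.
 * Failures are now traced; the function stays void, so callers are unaffected.
 */
void SslContext::bind(SslSocket *socket) {
  TRACE("bind() (cn=\"%s\")", commonName().c_str());

  socket->context_ = this;

  // Whether (and how strictly) the peer is asked for a client certificate.
  gnutls_certificate_server_set_request(socket->session_, clientVerifyMode_);

  int rv = gnutls_credentials_set(socket->session_, GNUTLS_CRD_CERTIFICATE, certs_);
  if (rv != GNUTLS_E_SUCCESS)
    TRACE("bind(): gnutls_credentials_set(CERTIFICATE) failed: %s", gnutls_strerror(rv));

  rv = gnutls_credentials_set(socket->session_, GNUTLS_CRD_ANON, anonCreds_);
  if (rv != GNUTLS_E_SUCCESS)
    TRACE("bind(): gnutls_credentials_set(ANON) failed: %s", gnutls_strerror(rv));

  // XXX following function is marked deprecated and has no replacement API it seems.
  //const int cprio[] = { GNUTLS_CRT_X509, 0 };
  //gnutls_certificate_type_set_priority(socket->session_, cprio);
}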
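// Appends to |returnedMessage| a localized explanation that certificate
// |ix509| is not valid for |host|.
//
// The names the certificate *is* valid for are taken from its subject
// alternative names (GetSubjectAltNames); if that yields nothing, the subject
// common name is used instead, provided it is well-formed UTF-8.  Depending on
// how many names were found, the "multiple", "single" (HTML or plain text,
// selected by |wantsHtml|) or "no names" message is appended.  When the raw
// NSS certificate cannot be obtained at all, a generic "not valid for host"
// message is appended instead.
//
// |component| supplies the localized string bundle.  Every appended message
// ends with '\n'; nothing is appended when string lookup fails.
//
// NOTE(review): every name appended here originates from the peer's
// certificate, i.e. untrusted input. The HTML variant ("certErrorMismatchSingle2")
// relies on the bundle/caller to escape |allNames| — confirm at the call site.
static void
AppendErrorTextMismatch(const nsString &host,
                        nsIX509Cert* ix509,
                        nsINSSComponent *component,
                        bool wantsHtml,
                        nsString &returnedMessage)
{
  nsresult rv;

  ScopedCERTCertificate nssCert(ix509->GetCert());
  if (!nssCert) {
    // We are unable to extract the valid names, say "not valid for name".
    const char16_t *params[1] = { host.get() };
    nsString formattedString;
    rv = component->PIPBundleFormatStringFromName("certErrorMismatch",
                                                  params, 1, formattedString);
    if (NS_SUCCEEDED(rv)) {
      returnedMessage.Append(formattedString);
      returnedMessage.Append('\n');
    }
    return;
  }

  nsString allNames;
  uint32_t nameCount = 0;
  // nssCert is known non-null here (early return above), so the SAN lookup
  // no longer needs its own null guard.
  bool useSAN = GetSubjectAltNames(nssCert.get(), component, allNames, nameCount);

  if (!useSAN) {
    // Fall back to the subject CN.  CERT_GetCommonName() returns an NSS-owned
    // allocation that must be released with PORT_Free().
    char *certName = CERT_GetCommonName(&nssCert->subject);
    if (certName) {
      nsDependentCSubstring commonName(certName, strlen(certName));
      if (IsUTF8(commonName)) {
        // Bug 1024781
        // We should actually check that the common name is a valid dns name or
        // ip address and not any string value before adding it to the display
        // list.
        ++nameCount;
        allNames.Assign(NS_ConvertUTF8toUTF16(commonName));
      }
      PORT_Free(certName);
    }
  }

  if (nameCount > 1) {
    nsString message;
    rv = component->GetPIPNSSBundleString("certErrorMismatchMultiple", message);
    if (NS_SUCCEEDED(rv)) {
      returnedMessage.Append(message);
      returnedMessage.AppendLiteral("\n  ");
      returnedMessage.Append(allNames);
      returnedMessage.AppendLiteral("  \n");
    }
  } else if (nameCount == 1) {
    const char16_t *params[1] = { allNames.get() };
    // The HTML variant is only safe if the caller escapes the substituted name.
    const char *stringID = wantsHtml ? "certErrorMismatchSingle2"
                                     : "certErrorMismatchSinglePlain";
    nsString formattedString;
    rv = component->PIPBundleFormatStringFromName(stringID, params, 1,
                                                  formattedString);
    if (NS_SUCCEEDED(rv)) {
      returnedMessage.Append(formattedString);
      returnedMessage.Append('\n');
    }
  } else { // nameCount == 0
    nsString message;
    // Reuse the outer rv instead of shadowing it with a second declaration.
    rv = component->GetPIPNSSBundleString("certErrorMismatchNoNames", message);
    if (NS_SUCCEEDED(rv)) {
      returnedMessage.Append(message);
      returnedMessage.Append('\n');
    }
  }
}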
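// Appends to |returnedMessage| a localized explanation that certificate
// |ix509| is not valid for |host|.
//
// The raw NSS certificate is reached through nsIX509Cert2; if the QI fails or
// yields no certificate, a generic "not valid for host" message is appended.
// Otherwise the names the certificate *is* valid for come from its subject
// alternative names (GetSubjectAltNames), falling back to the subject common
// name when it is well-formed UTF-8.  Depending on how many names were found,
// the "multiple", "single" (HTML or plain text, selected by |wantsHtml|) or
// "no names" message is appended.
//
// |component| supplies the localized string bundle.  Every appended message
// ends with '\n'; nothing is appended when string lookup fails.
//
// NOTE(review): every name appended here originates from the peer's
// certificate, i.e. untrusted input. The HTML variant ("certErrorMismatchSingle2")
// relies on the bundle/caller to escape |allNames| — confirm at the call site.
static void
AppendErrorTextMismatch(const nsString &host,
                        nsIX509Cert* ix509,
                        nsINSSComponent *component,
                        bool wantsHtml,
                        nsString &returnedMessage)
{
  nsresult rv;

  mozilla::pkix::ScopedCERTCertificate nssCert;
  nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(ix509, &rv);
  if (cert2)
    nssCert = cert2->GetCert();

  if (!nssCert) {
    // We are unable to extract the valid names, say "not valid for name".
    const char16_t *params[1] = { host.get() };
    nsString formattedString;
    rv = component->PIPBundleFormatStringFromName("certErrorMismatch",
                                                  params, 1, formattedString);
    if (NS_SUCCEEDED(rv)) {
      returnedMessage.Append(formattedString);
      returnedMessage.Append(NS_LITERAL_STRING("\n"));
    }
    return;
  }

  nsString allNames;
  uint32_t nameCount = 0;
  // nssCert is known non-null here (early return above), so the SAN lookup
  // no longer needs its own null guard.
  bool useSAN = GetSubjectAltNames(nssCert.get(), component, allNames, nameCount);

  if (!useSAN) {
    char *certName = nullptr;
    // currently CERT_FindNSStringExtension is not being exported by NSS.
    // If it gets exported, enable the following line.
    // certName = CERT_FindNSStringExtension(nssCert, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
    // However, it has been discussed to treat the extension as obsolete and ignore it.
    if (!certName)
      certName = CERT_GetCommonName(&nssCert->subject);  // NSS-owned; PORT_Free below
    if (certName) {
      nsDependentCSubstring commonName(certName, strlen(certName));
      if (IsUTF8(commonName)) {
        // Bug 1024781
        // We should actually check that the common name is a valid dns name or
        // ip address and not any string value before adding it to the display
        // list.
        ++nameCount;
        allNames.Assign(NS_ConvertUTF8toUTF16(commonName));
      }
      PORT_Free(certName);
    }
  }

  if (nameCount > 1) {
    nsString message;
    rv = component->GetPIPNSSBundleString("certErrorMismatchMultiple", message);
    if (NS_SUCCEEDED(rv)) {
      returnedMessage.Append(message);
      returnedMessage.Append(NS_LITERAL_STRING("\n  "));
      returnedMessage.Append(allNames);
      returnedMessage.Append(NS_LITERAL_STRING("  \n"));
    }
  } else if (nameCount == 1) {
    const char16_t *params[1] = { allNames.get() };
    // The HTML variant is only safe if the caller escapes the substituted name.
    const char *stringID = wantsHtml ? "certErrorMismatchSingle2"
                                     : "certErrorMismatchSinglePlain";
    nsString formattedString;
    rv = component->PIPBundleFormatStringFromName(stringID, params, 1,
                                                  formattedString);
    if (NS_SUCCEEDED(rv)) {
      returnedMessage.Append(formattedString);
      returnedMessage.Append(NS_LITERAL_STRING("\n"));
    }
  } else { // nameCount == 0
    nsString message;
    // Reuse the outer rv instead of shadowing it with a second declaration.
    rv = component->GetPIPNSSBundleString("certErrorMismatchNoNames", message);
    if (NS_SUCCEEDED(rv)) {
      returnedMessage.Append(message);
      returnedMessage.Append(NS_LITERAL_STRING("\n"));
    }
  }
}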