Esempio n. 1
0
void SslContext::bind(SslSocket *socket)
{
	TRACE("bind() (cn=\"%s\")", commonName().c_str());

	socket->context_ = this;
	gnutls_certificate_server_set_request(socket->session_, clientVerifyMode_);
	gnutls_credentials_set(socket->session_, GNUTLS_CRD_CERTIFICATE, certs_);
	gnutls_credentials_set(socket->session_, GNUTLS_CRD_ANON, anonCreds_);

	// XXX following function is marked deprecated and has no replacement API it seems.
	//const int cprio[] = { GNUTLS_CRT_X509, 0 };
	//gnutls_certificate_type_set_priority(socket->session_, cprio);
}
Esempio n. 2
0
static void
AppendErrorTextMismatch(const nsString &host,
                        nsIX509Cert* ix509,
                        nsINSSComponent *component,
                        bool wantsHtml,
                        nsString &returnedMessage)
{
    const char16_t *params[1];
    nsresult rv;

    ScopedCERTCertificate nssCert(ix509->GetCert());

    if (!nssCert) {
        // We are unable to extract the valid names, say "not valid for name".
        params[0] = host.get();
        nsString formattedString;
        rv = component->PIPBundleFormatStringFromName("certErrorMismatch",
                params, 1,
                formattedString);
        if (NS_SUCCEEDED(rv)) {
            returnedMessage.Append(formattedString);
            returnedMessage.Append('\n');
        }
        return;
    }

    nsString allNames;
    uint32_t nameCount = 0;
    bool useSAN = false;

    if (nssCert)
        useSAN = GetSubjectAltNames(nssCert.get(), component, allNames, nameCount);

    if (!useSAN) {
        char *certName = CERT_GetCommonName(&nssCert->subject);
        if (certName) {
            nsDependentCSubstring commonName(certName, strlen(certName));
            if (IsUTF8(commonName)) {
                // Bug 1024781
                // We should actually check that the common name is a valid dns name or
                // ip address and not any string value before adding it to the display
                // list.
                ++nameCount;
                allNames.Assign(NS_ConvertUTF8toUTF16(commonName));
            }
            PORT_Free(certName);
        }
    }

    if (nameCount > 1) {
        nsString message;
        rv = component->GetPIPNSSBundleString("certErrorMismatchMultiple",
                                              message);
        if (NS_SUCCEEDED(rv)) {
            returnedMessage.Append(message);
            returnedMessage.AppendLiteral("\n  ");
            returnedMessage.Append(allNames);
            returnedMessage.AppendLiteral("  \n");
        }
    }
    else if (nameCount == 1) {
        const char16_t *params[1];
        params[0] = allNames.get();

        const char *stringID;
        if (wantsHtml)
            stringID = "certErrorMismatchSingle2";
        else
            stringID = "certErrorMismatchSinglePlain";

        nsString formattedString;
        rv = component->PIPBundleFormatStringFromName(stringID,
                params, 1,
                formattedString);
        if (NS_SUCCEEDED(rv)) {
            returnedMessage.Append(formattedString);
            returnedMessage.Append('\n');
        }
    }
    else { // nameCount == 0
        nsString message;
        nsresult rv = component->GetPIPNSSBundleString("certErrorMismatchNoNames",
                      message);
        if (NS_SUCCEEDED(rv)) {
            returnedMessage.Append(message);
            returnedMessage.Append('\n');
        }
    }
}
static void
AppendErrorTextMismatch(const nsString &host,
                        nsIX509Cert* ix509,
                        nsINSSComponent *component,
                        bool wantsHtml,
                        nsString &returnedMessage)
{
  const char16_t *params[1];
  nsresult rv;

  mozilla::pkix::ScopedCERTCertificate nssCert;

  nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(ix509, &rv);
  if (cert2)
    nssCert = cert2->GetCert();

  if (!nssCert) {
    // We are unable to extract the valid names, say "not valid for name".
    params[0] = host.get();
    nsString formattedString;
    rv = component->PIPBundleFormatStringFromName("certErrorMismatch", 
                                                  params, 1, 
                                                  formattedString);
    if (NS_SUCCEEDED(rv)) {
      returnedMessage.Append(formattedString);
      returnedMessage.Append(NS_LITERAL_STRING("\n"));
    }
    return;
  }

  nsString allNames;
  uint32_t nameCount = 0;
  bool useSAN = false;

  if (nssCert)
    useSAN = GetSubjectAltNames(nssCert.get(), component, allNames, nameCount);

  if (!useSAN) {
    char *certName = nullptr;
    // currently CERT_FindNSStringExtension is not being exported by NSS.
    // If it gets exported, enable the following line.
    //   certName = CERT_FindNSStringExtension(nssCert, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
    // However, it has been discussed to treat the extension as obsolete and ignore it.
    if (!certName)
      certName = CERT_GetCommonName(&nssCert->subject);
    if (certName) {
      nsDependentCSubstring commonName(certName, strlen(certName));
      if (IsUTF8(commonName)) {
        // Bug 1024781
        // We should actually check that the common name is a valid dns name or
        // ip address and not any string value before adding it to the display
        // list.
        ++nameCount;
        allNames.Assign(NS_ConvertUTF8toUTF16(commonName));
      }
      PORT_Free(certName);
    }
  }

  if (nameCount > 1) {
    nsString message;
    rv = component->GetPIPNSSBundleString("certErrorMismatchMultiple", 
                                          message);
    if (NS_SUCCEEDED(rv)) {
      returnedMessage.Append(message);
      returnedMessage.Append(NS_LITERAL_STRING("\n  "));
      returnedMessage.Append(allNames);
      returnedMessage.Append(NS_LITERAL_STRING("  \n"));
    }
  }
  else if (nameCount == 1) {
    const char16_t *params[1];
    params[0] = allNames.get();
    
    const char *stringID;
    if (wantsHtml)
      stringID = "certErrorMismatchSingle2";
    else
      stringID = "certErrorMismatchSinglePlain";

    nsString formattedString;
    rv = component->PIPBundleFormatStringFromName(stringID, 
                                                  params, 1, 
                                                  formattedString);
    if (NS_SUCCEEDED(rv)) {
      returnedMessage.Append(formattedString);
      returnedMessage.Append(NS_LITERAL_STRING("\n"));
    }
  }
  else { // nameCount == 0
    nsString message;
    nsresult rv = component->GetPIPNSSBundleString("certErrorMismatchNoNames",
                                                   message);
    if (NS_SUCCEEDED(rv)) {
      returnedMessage.Append(message);
      returnedMessage.Append(NS_LITERAL_STRING("\n"));
    }
  }
}