/*
* void deleteCertificate(in nsIX509Cert aCert);
*/
NS_IMETHODIMP
nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
{
nsNSSShutDownPreventionLock locker;
nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
CERTCertificate *cert = nssCert->GetCert();
if (!cert) return NS_ERROR_FAILURE;
CERTCertificateCleaner certCleaner(cert);
SECStatus srv = SECSuccess;
PRUint32 certType;
nssCert->GetCertType(&certType);
if (NS_FAILED(nssCert->MarkForPermDeletion()))
{
return NS_ERROR_FAILURE;
}
if (cert->slot && certType != nsIX509Cert::USER_CERT) {
// To delete a cert of a slot (builtin, most likely), mark it as
// completely untrusted. This way we keep a copy cached in the
// local database, and next time we try to load it off of the
// external token/slot, we'll know not to trust it. We don't
// want to do that with user certs, because a user may re-store
// the cert onto the card again at which point we *will* want to
// trust that cert if it chains up properly.
nsNSSCertTrust trust(0, 0, 0);
srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(),
cert, trust.GetTrust());
}
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("cert deleted: %d", srv));
return (srv) ? NS_ERROR_FAILURE : NS_OK;
}
NS_IMETHODIMP
nsNSSCertificateDB::IsCertTrusted(nsIX509Cert *cert,
PRUint32 certType,
PRUint32 trustType,
PRBool *_isTrusted)
{
NS_ENSURE_ARG_POINTER(_isTrusted);
*_isTrusted = PR_FALSE;
nsNSSShutDownPreventionLock locker;
SECStatus srv;
nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
CERTCertificate *nsscert = pipCert->GetCert();
CERTCertTrust nsstrust;
srv = CERT_GetCertTrust(nsscert, &nsstrust);
if (srv != SECSuccess)
return NS_ERROR_FAILURE;
nsNSSCertTrust trust(&nsstrust);
CERT_DestroyCertificate(nsscert);
if (certType == nsIX509Cert::CA_CERT) {
if (trustType & nsIX509CertDB::TRUSTED_SSL) {
*_isTrusted = trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE);
} else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) {
*_isTrusted = trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE);
} else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) {
*_isTrusted = trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE);
} else {
return NS_ERROR_FAILURE;
}
} else if (certType == nsIX509Cert::SERVER_CERT) {
if (trustType & nsIX509CertDB::TRUSTED_SSL) {
*_isTrusted = trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE);
} else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) {
*_isTrusted = trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE);
} else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) {
*_isTrusted = trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE);
} else {
return NS_ERROR_FAILURE;
}
} else if (certType == nsIX509Cert::EMAIL_CERT) {
if (trustType & nsIX509CertDB::TRUSTED_SSL) {
*_isTrusted = trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE);
} else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) {
*_isTrusted = trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE);
} else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) {
*_isTrusted = trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE);
} else {
return NS_ERROR_FAILURE;
}
} /* user: ignore */
return NS_OK;
}
/*
* PSEUDO CODE:
*
* EXTRACT INFO FROM XML NODE
* RETRIEVE PROBE DEFINITION RECORD FROM DATABASE
* RETRIEVE PRECEDING RAW RECORD FROM DATABASE
* STORE RAW RESULTS
* IF THIS IS THE FIRST RESULT EVER FOR THIS PROBE
* CREATE PR_STATUS RECORD
* ELSE
* IF WE HAVEN'T PROCESSED THIS RECORD BEFORE
* IF COLOR DIFFERS FROM PRECEDING RAW RECORD
* CREATE PR_HIST
* RETRIEVE FOLLOWING RAW RECORD
* IF FOUND AND COLOR OF FOLLOWING IS THE SAME AS CURRENT
* DELETE POSSIBLE HISTORY RECORDS FOR FOLLOWING RECORD
* ENDIF
* IF THIS RAW RECORD IS THE MOST RECENT EVER RECEIVED
* WRITE NEW RECENT TIME INTO PROBE DEFINITION RECORD
* UPDATE PR_STATUS
* UPDATE SERVER COLOR
* ENDIF
* ELSE
* IF THIS RAW RECORD IS THE MOST RECENT EVER RECEIVED
* WRITE NEW RECENT TIME INTO PROBE DEFINITION RECORD
* ENDIF
* ENDIF
* IF CURRENT RAW RECORD IS THE MOST RECENT
* FOR EACH PERIOD
* IF WE ENTERED A NEW SLOT
* SUMMARIZE PREVIOUS SLOT
* ENDIF
* ENDFOR
* ELSE
* FOR EACH PERIOD
* IF THE LAST RECORD FOR THIS SLOT HAS BEEN SEEN
* RE-SUMMARIZE CURRENT SLOT
* ENDIF
* ENDFOR
* ENDIF
* ENDIF
* ENDIF
*
* returns:
* 1 in case of success
* 0 in case of database failure where trying again later might help
* -1 in case of malformed input, never try again
* -2 in case of a fatal error, just skip this batch
*/
int process(trx *t)
{
int must_update_def=0;
struct probe_result *prv=NULL;
int err = 1; /* default ok */
if (!realm_exists(t->res->realm)) {
return -1;
}
if (t->res->realm && t->res->realm[0]) {
t->probe->db = open_realm(t->res->realm);
} else {
if (t->probe->find_realm) {
t->probe->find_realm(t);
} else {
t->probe->db = open_realm(NULL);
}
}
if (!t->probe->db) return -2;
if (t->probe->resultcount % 400 == 0) {
update_last_seen(t->probe);
}
if (debug > 3) fprintf(stderr, "accept_result\n");
if (t->probe->accept_result) {
t->probe->accept_result(t); // do some final calculations on the result
}
if (debug > 3) fprintf(stderr, "get_def\n");
if (t->probe->get_def) {
if (debug > 3) fprintf(stderr, "RETRIEVE PROBE DEFINITION RECORD FROM DATABASE\n");
t->def = t->probe->get_def(t, trust(t->res->name)); // RETRIEVE PROBE DEFINITION RECORD FROM DATABASE
} else {
t->def = get_def(t, trust(t->res->name));
}
if (!t->def) { // Oops, def record not found. Skip this probe
if (debug > 3) fprintf(stderr, "def NOT found\n");
err = -1; /* malformed input FIXME should make distinction between db errors and def not found */
goto exit_with_res;
}
if (t->probe->adjust_result) {
t->probe->adjust_result(t);
}
if (debug > 3) fprintf(stderr, "STORE RAW RESULTS\n");
if (t->probe->store_results) {
int ret = t->probe->store_results(t); // STORE RAW RESULTS
if (!ret) { /* error return? */
if (debug > 3) fprintf(stderr, "error in store_results\n");
err = -2; /* database fatal error - try again later */
goto exit_with_res;
}
} else {
t->seen_before = FALSE;
}
if (t->res->stattime > t->def->newest) { // IF CURRENT RAW RECORD IS THE MOST RECENT
if (debug > 3) fprintf(stderr, "CURRENT RAW RECORD IS THE MOST RECENT\n");
prv = g_malloc0(sizeof(struct probe_result));
prv->color = t->def->color; // USE PREVIOUS COLOR FROM DEF RECORD
prv->stattime = t->def->newest;
} else {
if (debug > 3) fprintf(stderr, "RETRIEVE PRECEDING RAW RECORD FROM DATABASE\n");
prv = get_previous_record(t); // RETRIEVE PRECEDING RAW RECORD FROM DATABASE
}
set_result_prev_color(t, prv); // indicate previous color in result set
if (t->def->email[0]) { // and if email address given, add simple notification record
xmlNodePtr notify;
notify = xmlNewChild(t->cur, NULL, "notify", NULL);
xmlSetProp(notify, "proto", "smtp");
xmlSetProp(notify, "target", t->def->email);
}
if (t->def->newest == 0) { // IF THIS IS THE FIRST RESULT EVER FOR THIS PROBE
if (debug > 3) fprintf(stderr, "THIS IS THE FIRST RESULT EVER FOR THIS PROBE\n");
insert_pr_status(t);
must_update_def = TRUE;
goto finish;
}
if (t->seen_before) {
goto finish;
}
// Extra debugging, be sure what colors are processed here
if ( debug > 3 ) fprintf(stderr, "PREVIOUS COLOR %d - NEW COLOR %d\n", prv->color, t->res->color);
// IF COLOR DIFFERS FROM PRECEDING RAW RECORD
if (t->res->color != prv->color) {
struct probe_result *nxt;
if (t->probe->fuse) {
if (t->res->color > prv->color || prv->color == STAT_PURPLE) {
if (debug > 3) fprintf(stderr, "FUSE WITH HIGHER COLOR - CREATE PR_HIST\n");
create_pr_hist(t, prv); // CREATE PR_HIST
}
} else {
if (debug > 3) fprintf(stderr, "COLOR DIFFERS FROM PRECEDING RAW RECORD - CREATE PR_HIST\n");
create_pr_hist(t, prv); // CREATE PR_HIST
}
if (t->res->stattime > t->def->newest) { // IF THIS RAW RECORD IS THE MOST RECENT EVER RECEIVED
dbi_result result;
if (debug > 3) fprintf(stderr, "THIS RAW RECORD IS THE MOST RECENT EVER RECEIVED - UPDATE PR_STATUS\n");
result = update_pr_status(t, prv); // UPDATE PR_STATUS
if (dbi_result_get_numrows_affected(result) == 0) { // nothing was actually updated, need to insert new
insert_pr_status(t);
}
dbi_result_free(result);
if (debug > 3) fprintf(stderr, "UPDATE SERVER COLOR\n");
update_server_color(t, prv); // UPDATE SERVER COLOR
must_update_def = TRUE;
} else {
if (debug > 3) fprintf(stderr, "RETRIEVE FOLLOWING RAW RECORD\n");
nxt = get_following_record(t); // RETRIEVE FOLLOWING RAW RECORD
if (nxt && nxt->color) { // IF FOUND
if (debug > 3) fprintf(stderr, "FOLLOWING RECORD IS FOUND\n");
if (nxt->color == t->res->color) { // IF COLOR OF FOLLOWING IS THE SAME AS CURRENT
if (debug > 3) fprintf(stderr, "SAME COLOR: DELETE POSSIBLE HISTORY RECORDS\n");
delete_history(t, nxt); // DELETE POSSIBLE HISTORY RECORDS FOR FOLLOWING RECORD
}
g_free(nxt);
}
}
} else {
if (debug > 3) fprintf(stderr, "COLOR SAME AS PRECEDING RAW RECORD\n");
if (t->res->stattime > t->def->newest) { // IF THIS RAW RECORD IS THE MOST RECENT EVER RECEIVED
dbi_result result;
if (debug > 3) fprintf(stderr, "THIS RAW RECORD IS THE MOST RECENT EVER RECEIVED - UPDATE PR_STATUS\n");
result = update_pr_status(t, prv); // UPDATE PR_STATUS (not for the color, but for the expiry time)
if (dbi_result_get_numrows_affected(result) == 0) { // nothing was actually updated, need to insert new
insert_pr_status(t);
}
dbi_result_free(result);
must_update_def = TRUE;
}
}
if (t->def->email[0] || t->def->sms[0]) { // if we have an address
// RETRIEVE LAST HIST ENTRY FOR THIS PROBE
get_previous_pr_hist(t);
// notify if needed
if (strcmp(t->res->notified, "yes")) { // not already notified
if (notify(t)) {
set_pr_hist_notified(t);
}
}
}
if (t->probe->summarize && t->res->color != STAT_PURPLE) {
if (t->res->stattime > t->def->newest) { // IF CURRENT RAW RECORD IS THE MOST RECENT
guint cur_slot, prev_slot;
gulong slotlow, slothigh;
gulong dummy_low, dummy_high;
gint i;
if (debug > 3) fprintf(stderr, "SUMMARIZING. CURRENT RAW RECORD IS THE MOST RECENT\n");
for (i=0; summ_info[i].period != -1; i++) { // FOR EACH PERIOD
prev_slot = uw_slot(summ_info[i].period, prv->stattime, &slotlow, &slothigh);
cur_slot = uw_slot(summ_info[i].period, t->res->stattime, &dummy_low, &dummy_high);
if (cur_slot != prev_slot) { // IF WE ENTERED A NEW SLOT, SUMMARIZE PREVIOUS SLOT
if (debug > 3) fprintf(stderr, "cur(%u for %u) != prv(%u for %u), summarizing %s from %lu to %lu",
cur_slot, t->res->stattime, prev_slot, prv->stattime,
summ_info[i].from, slotlow, slothigh);
t->probe->summarize(t, summ_info[i].from, summ_info[i].to,
cur_slot, slotlow, slothigh, 0);
}
}
} else {
guint cur_slot;
gulong slotlow, slothigh;
gulong not_later_then = UINT_MAX;
gint i;
if (debug > 3) {
fprintf(stderr, "SUMMARIZING. CURRENT RAW RECORD IS AN OLD ONE\n");
LOG(LOG_DEBUG, "stattime = %u, newest = %u for %s %u", t->res->stattime, t->def->newest,
t->res->name, t->def->probeid);
}
for (i=0; summ_info[i].period != -1; i++) { // FOR EACH PERIOD
cur_slot = uw_slot(summ_info[i].period, t->res->stattime, &slotlow, &slothigh);
if (slothigh > not_later_then) continue; // we already know there are none later then this
// IF THIS SLOT IS COMPLETE
if (slot_is_complete(t, i, slotlow, slothigh)) {
// RE-SUMMARIZE CURRENT SLOT
if (debug > 3) fprintf(stderr, "SLOT IS COMPLETE - RE-SUMMARIZE CURRENT SLOT\n");
t->probe->summarize(t, summ_info[i].from, summ_info[i].to,
cur_slot, slotlow, slothigh, 0);
} else {
not_later_then = slothigh;
}
}
}
}
finish:
if (must_update_def) {
t->def->newest = t->res->stattime;
t->def->color = t->res->color;
}
g_free(prv);
exit_with_res:
if (t->probe->end_result) {
t->probe->end_result(t);
}
// free the result block
if (t->res) {
if (t->probe->free_res) {
t->probe->free_res(t->res); // the probe specific part...
}
free_res(t->res); // .. and the generic part
}
// note we don't free the *t->def here, because that structure is owned by the hashtable
// except if the module does not use caching, we try to free it ourselves
if (!t->probe->needs_cache) {
if (t->probe->free_def) {
t->probe->free_def(t->def);
} else {
free(t->def);
}
}
return err;
}
