/* Returns NULL if "encoding" cannot be decoded. */ NSS_IMPLEMENT nssDecodedCert * nssDecodedPKIXCertificate_Create ( NSSArena *arenaOpt, NSSDER *encoding ) { nssDecodedCert *rvDC = NULL; CERTCertificate *cert; SECItem secDER; SECITEM_FROM_NSSITEM(&secDER, encoding); cert = CERT_DecodeDERCertificate(&secDER, PR_TRUE, NULL); if (cert) { rvDC = nss_ZNEW(arenaOpt, nssDecodedCert); if (rvDC) { rvDC->type = NSSCertificateType_PKIX; rvDC->data = (void *)cert; rvDC->getIdentifier = nss3certificate_getIdentifier; rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier; rvDC->matchIdentifier = nss3certificate_matchIdentifier; rvDC->isValidIssuer = nss3certificate_isValidIssuer; rvDC->getUsage = nss3certificate_getUsage; rvDC->isValidAtTime = nss3certificate_isValidAtTime; rvDC->isNewerThan = nss3certificate_isNewerThan; rvDC->matchUsage = nss3certificate_matchUsage; rvDC->isTrustedForUsage = nss3certificate_isTrustedForUsage; rvDC->getEmailAddress = nss3certificate_getEmailAddress; rvDC->getDERSerialNumber = nss3certificate_getDERSerialNumber; } else { CERT_DestroyCertificate(cert); } } return rvDC; }
/* From certdb.c */ static SECStatus cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool trusted) { SECStatus rv; SECItem *derCert; CERTCertificate *cert = NULL; CERTCertificate *newcert = NULL; CERTCertDBHandle *handle; CERTCertTrust trust; PRBool isca; char *nickname; unsigned int certtype; handle = CERT_GetDefaultCertDB(); while (numcerts--) { derCert = certs; certs++; /* decode my certificate */ /* This use is ok -- only looks at decoded parts, calls NewTemp later */ newcert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL); if ( newcert == NULL ) { goto loser; } if (!trusted) { /* make sure that cert is valid */ rv = CERT_CertTimesValid(newcert); if ( rv == SECFailure ) { goto endloop; } } /* does it have the CA extension */ /* * Make sure that if this is an intermediate CA in the chain that * it was given permission by its signer to be a CA. */ isca = CERT_IsCACert(newcert, &certtype); if ( !isca ) { if (!trusted) { goto endloop; } trust.sslFlags = CERTDB_VALID_CA; trust.emailFlags = CERTDB_VALID_CA; trust.objectSigningFlags = CERTDB_VALID_CA; } else { /* SSL ca's must have the ssl bit set */ if ( ( certUsage == certUsageSSLCA ) && (( certtype & NS_CERT_TYPE_SSL_CA ) != NS_CERT_TYPE_SSL_CA )) { goto endloop; } /* it passed all of the tests, so lets add it to the database */ /* mark it as a CA */ PORT_Memset((void *)&trust, 0, sizeof(trust)); switch ( certUsage ) { case certUsageSSLCA: trust.sslFlags = CERTDB_VALID_CA; break; case certUsageUserCertImport: if ((certtype & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) { trust.sslFlags = CERTDB_VALID_CA; } if ((certtype & NS_CERT_TYPE_EMAIL_CA) == NS_CERT_TYPE_EMAIL_CA ) { trust.emailFlags = CERTDB_VALID_CA; } if ( ( certtype & NS_CERT_TYPE_OBJECT_SIGNING_CA ) == NS_CERT_TYPE_OBJECT_SIGNING_CA ) { trust.objectSigningFlags = CERTDB_VALID_CA; } break; default: PORT_Assert(0); break; } } cert = CERT_NewTempCertificate(handle, derCert, NULL, PR_FALSE, PR_FALSE); if ( cert == NULL ) { goto loser; } /* if the cert is temp, make it perm; otherwise we're done */ if (cert->istemp) { /* get a default nickname for it */ nickname = CERT_MakeCANickname(cert); rv = CERT_AddTempCertToPerm(cert, nickname, &trust); /* free the nickname */ if ( nickname ) { PORT_Free(nickname); } } else { rv = SECSuccess; } CERT_DestroyCertificate(cert); cert = NULL; if ( rv != SECSuccess ) { goto loser; } endloop: if ( newcert ) { CERT_DestroyCertificate(newcert); newcert = NULL; } } rv = SECSuccess; goto done; loser: rv = SECFailure; done: if ( newcert ) { CERT_DestroyCertificate(newcert); newcert = NULL; } if ( cert ) { CERT_DestroyCertificate(cert); cert = NULL; } return(rv); }
static SECStatus ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust, PRBool excludeCert, PRBool excludeHash) { SECStatus rv = SECSuccess; CERTCertificate *cert; unsigned char sha1_hash[SHA1_LENGTH]; unsigned char md5_hash[MD5_LENGTH]; SECItem *serial = NULL; PRBool step_up = PR_FALSE; const char *trust_info; cert = CERT_DecodeDERCertificate(sdder, PR_FALSE, nickname); if (!cert) { return SECFailure; } serial = SEC_ASN1EncodeItem(NULL,NULL,cert,serialTemplate); if (!serial) { return SECFailure; } if (!excludeCert) { printf("\n#\n# Certificate \"%s\"\n#\n",nickname); print_info(sdder, cert); printf("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n"); printf("CKA_TOKEN CK_BBOOL CK_TRUE\n"); printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n"); printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"); printf("CKA_LABEL UTF8 \"%s\"\n",nickname); printf("CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n"); printf("CKA_SUBJECT MULTILINE_OCTAL\n"); dumpbytes(cert->derSubject.data,cert->derSubject.len); printf("END\n"); printf("CKA_ID UTF8 \"0\"\n"); printf("CKA_ISSUER MULTILINE_OCTAL\n"); dumpbytes(cert->derIssuer.data,cert->derIssuer.len); printf("END\n"); printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n"); dumpbytes(serial->data,serial->len); printf("END\n"); printf("CKA_VALUE MULTILINE_OCTAL\n"); dumpbytes(sdder->data,sdder->len); printf("END\n"); } if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) == CERTDB_TERMINAL_RECORD) trust_info = "Distrust"; else trust_info = "Trust for"; printf("\n# %s \"%s\"\n", trust_info, nickname); print_info(sdder, cert); printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n"); printf("CKA_TOKEN CK_BBOOL CK_TRUE\n"); printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n"); printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"); printf("CKA_LABEL UTF8 \"%s\"\n",nickname); if (!excludeHash) { PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len); printf("CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n"); dumpbytes(sha1_hash,SHA1_LENGTH); printf("END\n"); PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len); printf("CKA_CERT_MD5_HASH MULTILINE_OCTAL\n"); dumpbytes(md5_hash,MD5_LENGTH); printf("END\n"); } printf("CKA_ISSUER MULTILINE_OCTAL\n"); dumpbytes(cert->derIssuer.data,cert->derIssuer.len); printf("END\n"); printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n"); dumpbytes(serial->data,serial->len); printf("END\n"); printf("CKA_TRUST_SERVER_AUTH CK_TRUST %s\n", getTrustString(trust->sslFlags)); printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST %s\n", getTrustString(trust->emailFlags)); printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n", getTrustString(trust->objectSigningFlags)); #ifdef notdef printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NSS_TRUSTED\n"); printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); #endif step_up = (trust->sslFlags & CERTDB_GOVT_APPROVED_CA); printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n", step_up ? "CK_TRUE" : "CK_FALSE"); PORT_Free(sdder->data); return(rv); }