NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const char *aTrust, const char *aName)
{
NS_ENSURE_ARG_POINTER(aBase64);
nsCOMPtr <nsIX509Cert> newCert;
nsNSSCertTrust trust;
// need to calculate the trust bits from the aTrust string.
nsresult rv = CERT_DecodeTrustString(trust.GetTrust(), /* this is const, but not declared that way */(char *) aTrust);
NS_ENSURE_SUCCESS(rv, rv); // if bad trust passed in, return error.
rv = ConstructX509FromBase64(aBase64, getter_AddRefs(newCert));
NS_ENSURE_SUCCESS(rv, rv);
SECItem der;
rv = newCert->GetRawDER(&der.len, (PRUint8 **)&der.data);
NS_ENSURE_SUCCESS(rv, rv);
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
CERTCertificate *tmpCert;
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
tmpCert = CERT_FindCertByDERCert(certdb, &der);
if (!tmpCert)
tmpCert = CERT_NewTempCertificate(certdb, &der,
nsnull, PR_FALSE, PR_TRUE);
nsMemory::Free(der.data);
der.data = nsnull;
der.len = 0;
if (!tmpCert) {
NS_ASSERTION(0,"Couldn't create cert from DER blob\n");
return NS_ERROR_FAILURE;
}
if (tmpCert->isperm) {
CERT_DestroyCertificate(tmpCert);
return NS_OK;
}
CERTCertificateCleaner tmpCertCleaner(tmpCert);
nsXPIDLCString nickname;
nickname.Adopt(CERT_MakeCANickname(tmpCert));
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Created nick \"%s\"\n", nickname.get()));
SECStatus srv = CERT_AddTempCertToPerm(tmpCert,
const_cast<char*>(nickname.get()),
trust.GetTrust());
return (srv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;
}
int sxi_ssl_usertrusted(sxc_client_t *sx, curlev_t *ev, const struct curl_tlssessioninfo *info)
{
CERTCertificate *cert;
int rc = cert_from_sessioninfo(sx, info, &cert);
if (rc)
return rc;
/* workaround for NSS cache:
* if we run with verify_peer on, it remember that certificate was
* not trusted because it was self-signed.
* Then even if we explicitly add it as trusted in curl, it still
* considers it as untrusted.
* So explicitly set trust settings here. If we reached this place
* then NSS already validated the certificate and the user accepted the certificate.
* */
CERTCertTrust none;
CERT_DecodeTrustString(&none, "PT,PT,PT");
CERT_ChangeCertTrust(NULL, cert, &none);
return 0;
}
int main(int argc, char **argv)
{
SECStatus rv;
char *nickname = NULL;
char *trusts = NULL;
char *progName;
PRFileDesc *infile;
CERTCertTrust trust = { 0 };
SECItem derItem = { 0 };
PRInt32 crlentry = 0;
PRInt32 mutuallyExclusiveOpts = 0;
PRBool decodeTrust = PR_FALSE;
secuCommand addbuiltin = { 0 };
addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
addbuiltin.options = addbuiltin_options;
progName = strrchr(argv[0], '/');
progName = progName ? progName+1 : argv[0];
rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);
if (rv != SECSuccess)
Usage(progName);
if (addbuiltin.options[opt_Trust].activated)
++mutuallyExclusiveOpts;
if (addbuiltin.options[opt_Distrust].activated)
++mutuallyExclusiveOpts;
if (addbuiltin.options[opt_DistrustCRL].activated)
++mutuallyExclusiveOpts;
if (mutuallyExclusiveOpts != 1) {
fprintf(stderr, "%s: you must specify exactly one of -t or -D or -C\n",
progName);
Usage(progName);
}
if (addbuiltin.options[opt_DistrustCRL].activated) {
if (!addbuiltin.options[opt_CRLEnry].activated) {
fprintf(stderr, "%s: you must specify the CRL entry number.\n",
progName);
Usage(progName);
}
else {
crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg);
if (crlentry < 1) {
fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
progName);
Usage(progName);
}
}
}
if (!addbuiltin.options[opt_Nickname].activated) {
fprintf(stderr, "%s: you must specify parameter -n (a nickname or a label).\n",
progName);
Usage(progName);
}
if (addbuiltin.options[opt_Input].activated) {
infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
if (!infile) {
fprintf(stderr, "%s: failed to open input file.\n", progName);
exit(1);
}
} else {
#if defined(WIN32)
/* If we're going to read binary data from stdin, we must put stdin
** into O_BINARY mode or else incoming \r\n's will become \n's,
** and latin-1 characters will be altered.
*/
int smrv = _setmode(_fileno(stdin), _O_BINARY);
if (smrv == -1) {
fprintf(stderr,
"%s: Cannot change stdin to binary mode. Use -i option instead.\n",
progName);
exit(1);
}
#endif
infile = PR_STDIN;
}
nickname = strdup(addbuiltin.options[opt_Nickname].arg);
NSS_NoDB_Init(NULL);
if (addbuiltin.options[opt_Distrust].activated ||
addbuiltin.options[opt_DistrustCRL].activated) {
addbuiltin.options[opt_ExcludeCert].activated = PR_TRUE;
addbuiltin.options[opt_ExcludeHash].activated = PR_TRUE;
}
if (addbuiltin.options[opt_Distrust].activated) {
trusts = strdup("p,p,p");
decodeTrust = PR_TRUE;
}
else if (addbuiltin.options[opt_Trust].activated) {
trusts = strdup(addbuiltin.options[opt_Trust].arg);
decodeTrust = PR_TRUE;
}
if (decodeTrust) {
rv = CERT_DecodeTrustString(&trust, trusts);
if (rv) {
fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
Usage(progName);
}
}
if (addbuiltin.options[opt_Trust].activated &&
addbuiltin.options[opt_ExcludeHash].activated) {
if ((trust.sslFlags | trust.emailFlags | trust.objectSigningFlags)
!= CERTDB_TERMINAL_RECORD) {
fprintf(stderr, "%s: Excluding the hash only allowed with distrust.\n", progName);
Usage(progName);
}
}
SECU_FileToItem(&derItem, infile);
/*printheader();*/
if (addbuiltin.options[opt_DistrustCRL].activated) {
rv = ConvertCRLEntry(&derItem, crlentry, nickname);
}
else {
rv = ConvertCertificate(&derItem, nickname, &trust,
addbuiltin.options[opt_ExcludeCert].activated,
addbuiltin.options[opt_ExcludeHash].activated);
if (rv) {
fprintf(stderr, "%s: failed to convert certificate.\n", progName);
exit(1);
}
}
if (NSS_Shutdown() != SECSuccess) {
exit(1);
}
return(SECSuccess);
}
NS_IMETHODIMP
nsCertTree::DeleteEntryObject(PRUint32 index)
{
if (!mTreeArray) {
return NS_ERROR_FAILURE;
}
nsCOMPtr<nsIX509CertDB> certdb =
do_GetService("@mozilla.org/security/x509certdb;1");
if (!certdb) {
return NS_ERROR_FAILURE;
}
int i;
PRUint32 idx = 0, cIndex = 0, nc;
// Loop over the threads
for (i=0; i<mNumOrgs; i++) {
if (index == idx)
return NS_OK; // index is for thread
idx++; // get past the thread
nc = (mTreeArray[i].open) ? mTreeArray[i].numChildren : 0;
if (index < idx + nc) { // cert is within range of this thread
PRInt32 certIndex = cIndex + index - idx;
bool canRemoveEntry = false;
nsRefPtr<nsCertTreeDispInfo> certdi = mDispInfo.SafeElementAt(certIndex, NULL);
// We will remove the element from the visual tree.
// Only if we have a certdi, then we can check for additional actions.
nsCOMPtr<nsIX509Cert> cert = nsnull;
if (certdi) {
if (certdi->mAddonInfo) {
cert = certdi->mAddonInfo->mCert;
}
nsCertAddonInfo *addonInfo = certdi->mAddonInfo ? certdi->mAddonInfo : nsnull;
if (certdi->mTypeOfEntry == nsCertTreeDispInfo::host_port_override) {
mOverrideService->ClearValidityOverride(certdi->mAsciiHost, certdi->mPort);
if (addonInfo) {
addonInfo->mUsageCount--;
if (addonInfo->mUsageCount == 0) {
// The certificate stored in the database is no longer
// referenced by any other object displayed.
// That means we no longer need to keep it around
// and really can remove it.
canRemoveEntry = true;
}
}
}
else {
if (addonInfo && addonInfo->mUsageCount > 1) {
// user is trying to delete a perm trusted cert,
// although there are still overrides stored,
// so, we keep the cert, but remove the trust
CERTCertificate *nsscert = nsnull;
CERTCertificateCleaner nsscertCleaner(nsscert);
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert);
if (cert2) {
nsscert = cert2->GetCert();
}
if (nsscert) {
CERTCertTrust trust;
memset((void*)&trust, 0, sizeof(trust));
SECStatus srv = CERT_DecodeTrustString(&trust, ""); // no override
if (srv == SECSuccess) {
CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust);
}
}
}
else {
canRemoveEntry = true;
}
}
}
mDispInfo.RemoveElementAt(certIndex);
if (canRemoveEntry) {
RemoveCacheEntry(cert);
certdb->DeleteCertificate(cert);
}
delete [] mTreeArray;
mTreeArray = nsnull;
return UpdateUIContents();
}
if (mTreeArray[i].open)
idx += mTreeArray[i].numChildren;
cIndex += mTreeArray[i].numChildren;
if (idx > index)
break;
}
return NS_ERROR_FAILURE;
}
int main(int argc, char **argv)
{
SECStatus rv;
char *nickname;
char *trusts;
char *progName;
PRFileDesc *infile;
CERTCertTrust trust = { 0 };
SECItem derCert = { 0 };
secuCommand addbuiltin = { 0 };
addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
addbuiltin.options = addbuiltin_options;
progName = strrchr(argv[0], '/');
progName = progName ? progName+1 : argv[0];
rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);
if (rv != SECSuccess)
Usage(progName);
if (!addbuiltin.options[opt_Nickname].activated &&
!addbuiltin.options[opt_Trust].activated) {
fprintf(stderr, "%s: you must specify both a nickname and trust.\n",
progName);
Usage(progName);
}
if (addbuiltin.options[opt_Input].activated) {
infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
if (!infile) {
fprintf(stderr, "%s: failed to open input file.\n", progName);
exit(1);
}
} else {
#if defined(WIN32)
/* If we're going to read binary data from stdin, we must put stdin
** into O_BINARY mode or else incoming \r\n's will become \n's,
** and latin-1 characters will be altered.
*/
int smrv = _setmode(_fileno(stdin), _O_BINARY);
if (smrv == -1) {
fprintf(stderr,
"%s: Cannot change stdin to binary mode. Use -i option instead.\n",
progName);
exit(1);
}
#endif
infile = PR_STDIN;
}
nickname = strdup(addbuiltin.options[opt_Nickname].arg);
trusts = strdup(addbuiltin.options[opt_Trust].arg);
NSS_NoDB_Init(NULL);
rv = CERT_DecodeTrustString(&trust, trusts);
if (rv) {
fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
Usage(progName);
}
SECU_FileToItem(&derCert, infile);
/*printheader();*/
rv = ConvertCertificate(&derCert, nickname, &trust);
if (rv) {
fprintf(stderr, "%s: failed to convert certificate.\n", progName);
exit(1);
}
if (NSS_Shutdown() != SECSuccess) {
exit(1);
}
return(SECSuccess);
}
