예제 #1
0
NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const char *aTrust, const char *aName)
{
  NS_ENSURE_ARG_POINTER(aBase64);
  nsCOMPtr <nsIX509Cert> newCert;

  nsNSSCertTrust trust;

  // need to calculate the trust bits from the aTrust string.
  nsresult rv = CERT_DecodeTrustString(trust.GetTrust(), /* this is const, but not declared that way */(char *) aTrust);
  NS_ENSURE_SUCCESS(rv, rv); // if bad trust passed in, return error.


  rv = ConstructX509FromBase64(aBase64, getter_AddRefs(newCert));
  NS_ENSURE_SUCCESS(rv, rv);

  SECItem der;
  rv = newCert->GetRawDER(&der.len, (PRUint8 **)&der.data);
  NS_ENSURE_SUCCESS(rv, rv);

  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
  CERTCertificate *tmpCert;
  CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
  tmpCert = CERT_FindCertByDERCert(certdb, &der);
  if (!tmpCert) 
    tmpCert = CERT_NewTempCertificate(certdb, &der,
                                      nsnull, PR_FALSE, PR_TRUE);
  nsMemory::Free(der.data);
  der.data = nsnull;
  der.len = 0;

  if (!tmpCert) {
    NS_ASSERTION(0,"Couldn't create cert from DER blob\n");
    return NS_ERROR_FAILURE;
  }

  if (tmpCert->isperm) {
    CERT_DestroyCertificate(tmpCert);
    return NS_OK;
  }

  CERTCertificateCleaner tmpCertCleaner(tmpCert);

  nsXPIDLCString nickname;
  nickname.Adopt(CERT_MakeCANickname(tmpCert));

  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Created nick \"%s\"\n", nickname.get()));

  SECStatus srv = CERT_AddTempCertToPerm(tmpCert, 
                                         const_cast<char*>(nickname.get()), 
                                         trust.GetTrust()); 


  return (srv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;
}
예제 #2
0
파일: nss.c 프로젝트: flashfoxter/sx
int sxi_ssl_usertrusted(sxc_client_t *sx, curlev_t *ev, const struct curl_tlssessioninfo *info)
{
    CERTCertificate *cert;
    int rc = cert_from_sessioninfo(sx, info, &cert);
    if (rc)
        return rc;
    /* workaround for NSS cache:
     * if we run with verify_peer on, it remember that certificate was
     * not trusted because it was self-signed.
     * Then even if we explicitly add it as trusted in curl, it still
     * considers it as untrusted.
     * So explicitly set trust settings here. If we reached this place
     * then NSS already validated the certificate and the user accepted the certificate.
     * */
    CERTCertTrust none;
    CERT_DecodeTrustString(&none, "PT,PT,PT");
    CERT_ChangeCertTrust(NULL, cert, &none);
    return 0;
}
예제 #3
0
int main(int argc, char **argv)
{
    SECStatus rv;
    char *nickname = NULL;
    char *trusts = NULL;
    char *progName;
    PRFileDesc *infile;
    CERTCertTrust trust = { 0 };
    SECItem derItem = { 0 };
    PRInt32 crlentry = 0;
    PRInt32 mutuallyExclusiveOpts = 0;
    PRBool decodeTrust = PR_FALSE;

    secuCommand addbuiltin = { 0 };
    addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
    addbuiltin.options = addbuiltin_options;

    progName = strrchr(argv[0], '/');
    progName = progName ? progName+1 : argv[0];

    rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);

    if (rv != SECSuccess)
	Usage(progName);
    
    if (addbuiltin.options[opt_Trust].activated)
      ++mutuallyExclusiveOpts;
    if (addbuiltin.options[opt_Distrust].activated)
      ++mutuallyExclusiveOpts;
    if (addbuiltin.options[opt_DistrustCRL].activated)
      ++mutuallyExclusiveOpts;

    if (mutuallyExclusiveOpts != 1) {
        fprintf(stderr, "%s: you must specify exactly one of -t or -D or -C\n",
                progName);
        Usage(progName);
    }
    
    if (addbuiltin.options[opt_DistrustCRL].activated) {
	if (!addbuiltin.options[opt_CRLEnry].activated) {
	    fprintf(stderr, "%s: you must specify the CRL entry number.\n",
		    progName);
	    Usage(progName);
	}
	else {
	    crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg);
	    if (crlentry < 1) {
		fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
			progName);
		Usage(progName);
	    }
	}
    }

    if (!addbuiltin.options[opt_Nickname].activated) {
        fprintf(stderr, "%s: you must specify parameter -n (a nickname or a label).\n",
                progName);
        Usage(progName);
    }

    if (addbuiltin.options[opt_Input].activated) {
	infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
	if (!infile) {
	    fprintf(stderr, "%s: failed to open input file.\n", progName);
	    exit(1);
	}
    } else {
#if defined(WIN32)
	/* If we're going to read binary data from stdin, we must put stdin
	** into O_BINARY mode or else incoming \r\n's will become \n's,
	** and latin-1 characters will be altered.
	*/

	int smrv = _setmode(_fileno(stdin), _O_BINARY);
	if (smrv == -1) {
	    fprintf(stderr,
	    "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
	            progName);
	    exit(1);
	}
#endif
	infile = PR_STDIN;
    }

    nickname = strdup(addbuiltin.options[opt_Nickname].arg);
    
    NSS_NoDB_Init(NULL);

    if (addbuiltin.options[opt_Distrust].activated ||
        addbuiltin.options[opt_DistrustCRL].activated) {
      addbuiltin.options[opt_ExcludeCert].activated = PR_TRUE;
      addbuiltin.options[opt_ExcludeHash].activated = PR_TRUE;
    }
    
    if (addbuiltin.options[opt_Distrust].activated) {
        trusts = strdup("p,p,p");
	decodeTrust = PR_TRUE;
    }
    else if (addbuiltin.options[opt_Trust].activated) {
        trusts = strdup(addbuiltin.options[opt_Trust].arg);
	decodeTrust = PR_TRUE;
    }
    
    if (decodeTrust) {
	rv = CERT_DecodeTrustString(&trust, trusts);
	if (rv) {
	    fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
	    Usage(progName);
	}
    }
    
    if (addbuiltin.options[opt_Trust].activated &&
        addbuiltin.options[opt_ExcludeHash].activated) {
	if ((trust.sslFlags | trust.emailFlags | trust.objectSigningFlags) 
	    != CERTDB_TERMINAL_RECORD) {
	    fprintf(stderr, "%s: Excluding the hash only allowed with distrust.\n", progName);
	    Usage(progName);
	}
    }

    SECU_FileToItem(&derItem, infile);
    
    /*printheader();*/
    
    if (addbuiltin.options[opt_DistrustCRL].activated) {
	rv = ConvertCRLEntry(&derItem, crlentry, nickname);
    }
    else {
	rv = ConvertCertificate(&derItem, nickname, &trust, 
				addbuiltin.options[opt_ExcludeCert].activated,
				addbuiltin.options[opt_ExcludeHash].activated);
	if (rv) {
	    fprintf(stderr, "%s: failed to convert certificate.\n", progName);
	    exit(1);
	}
    }
    
    if (NSS_Shutdown() != SECSuccess) {
        exit(1);
    }

    return(SECSuccess);
}
예제 #4
0
NS_IMETHODIMP 
nsCertTree::DeleteEntryObject(PRUint32 index)
{
  if (!mTreeArray) {
    return NS_ERROR_FAILURE;
  }

  nsCOMPtr<nsIX509CertDB> certdb = 
    do_GetService("@mozilla.org/security/x509certdb;1");
  if (!certdb) {
    return NS_ERROR_FAILURE;
  }

  int i;
  PRUint32 idx = 0, cIndex = 0, nc;
  // Loop over the threads
  for (i=0; i<mNumOrgs; i++) {
    if (index == idx)
      return NS_OK; // index is for thread
    idx++; // get past the thread
    nc = (mTreeArray[i].open) ? mTreeArray[i].numChildren : 0;
    if (index < idx + nc) { // cert is within range of this thread
      PRInt32 certIndex = cIndex + index - idx;

      bool canRemoveEntry = false;
      nsRefPtr<nsCertTreeDispInfo> certdi = mDispInfo.SafeElementAt(certIndex, NULL);
      
      // We will remove the element from the visual tree.
      // Only if we have a certdi, then we can check for additional actions.
      nsCOMPtr<nsIX509Cert> cert = nsnull;
      if (certdi) {
        if (certdi->mAddonInfo) {
          cert = certdi->mAddonInfo->mCert;
        }
        nsCertAddonInfo *addonInfo = certdi->mAddonInfo ? certdi->mAddonInfo : nsnull;
        if (certdi->mTypeOfEntry == nsCertTreeDispInfo::host_port_override) {
          mOverrideService->ClearValidityOverride(certdi->mAsciiHost, certdi->mPort);
          if (addonInfo) {
            addonInfo->mUsageCount--;
            if (addonInfo->mUsageCount == 0) {
              // The certificate stored in the database is no longer
              // referenced by any other object displayed.
              // That means we no longer need to keep it around
              // and really can remove it.
              canRemoveEntry = true;
            }
          } 
        }
        else {
          if (addonInfo && addonInfo->mUsageCount > 1) {
            // user is trying to delete a perm trusted cert,
            // although there are still overrides stored,
            // so, we keep the cert, but remove the trust

            CERTCertificate *nsscert = nsnull;
            CERTCertificateCleaner nsscertCleaner(nsscert);

            nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert);
            if (cert2) {
              nsscert = cert2->GetCert();
            }

            if (nsscert) {
              CERTCertTrust trust;
              memset((void*)&trust, 0, sizeof(trust));
            
              SECStatus srv = CERT_DecodeTrustString(&trust, ""); // no override 
              if (srv == SECSuccess) {
                CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust);
              }
            }
          }
          else {
            canRemoveEntry = true;
          }
        }
      }

      mDispInfo.RemoveElementAt(certIndex);

      if (canRemoveEntry) {
        RemoveCacheEntry(cert);
        certdb->DeleteCertificate(cert);
      }

      delete [] mTreeArray;
      mTreeArray = nsnull;
      return UpdateUIContents();
    }
    if (mTreeArray[i].open)
      idx += mTreeArray[i].numChildren;
    cIndex += mTreeArray[i].numChildren;
    if (idx > index)
      break;
  }
  return NS_ERROR_FAILURE;
}
예제 #5
0
int main(int argc, char **argv)
{
    SECStatus rv;
    char *nickname;
    char *trusts;
    char *progName;
    PRFileDesc *infile;
    CERTCertTrust trust = { 0 };
    SECItem derCert = { 0 };

    secuCommand addbuiltin = { 0 };
    addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
    addbuiltin.options = addbuiltin_options;

    progName = strrchr(argv[0], '/');
    progName = progName ? progName+1 : argv[0];

    rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);

    if (rv != SECSuccess)
        Usage(progName);

    if (!addbuiltin.options[opt_Nickname].activated &&
            !addbuiltin.options[opt_Trust].activated) {
        fprintf(stderr, "%s: you must specify both a nickname and trust.\n",
                progName);
        Usage(progName);
    }

    if (addbuiltin.options[opt_Input].activated) {
        infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
        if (!infile) {
            fprintf(stderr, "%s: failed to open input file.\n", progName);
            exit(1);
        }
    } else {
#if defined(WIN32)
        /* If we're going to read binary data from stdin, we must put stdin
        ** into O_BINARY mode or else incoming \r\n's will become \n's,
        ** and latin-1 characters will be altered.
        */

        int smrv = _setmode(_fileno(stdin), _O_BINARY);
        if (smrv == -1) {
            fprintf(stderr,
                    "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
                    progName);
            exit(1);
        }
#endif
        infile = PR_STDIN;
    }

    nickname = strdup(addbuiltin.options[opt_Nickname].arg);
    trusts = strdup(addbuiltin.options[opt_Trust].arg);

    NSS_NoDB_Init(NULL);

    rv = CERT_DecodeTrustString(&trust, trusts);
    if (rv) {
        fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
        Usage(progName);
    }

    SECU_FileToItem(&derCert, infile);

    /*printheader();*/

    rv = ConvertCertificate(&derCert, nickname, &trust);
    if (rv) {
        fprintf(stderr, "%s: failed to convert certificate.\n", progName);
        exit(1);
    }

    if (NSS_Shutdown() != SECSuccess) {
        exit(1);
    }

    return(SECSuccess);
}