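/**
 * Decode a base64-encoded X.509 certificate and store it in the default NSS
 * certificate database as a permanent entry carrying the requested trust.
 *
 * @param aBase64 Base64 text of the certificate; must not be null.
 * @param aTrust  Trust string handed to CERT_DecodeTrustString; must not be null.
 * @param aName   Not used by this implementation; the stored nickname is
 *                produced by CERT_MakeCANickname from the certificate itself.
 * @return NS_OK when the certificate was added or was already permanent;
 *         NS_ERROR_FAILURE when the trust string is rejected or an NSS call
 *         fails; otherwise the error reported by the argument checks or by
 *         ConstructX509FromBase64 / GetRawDER.
 *
 * Caveat for callers: a certificate that is already permanent is left
 * untouched. Its existing trust is NOT replaced by aTrust, yet NS_OK is
 * returned, so success does not prove that the requested trust is in effect.
 */
NS_IMETHODIMP
nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const char *aTrust, const char *aName)
{
  NS_ENSURE_ARG_POINTER(aBase64);
  // aTrust is passed straight to NSS below, so reject a null pointer here
  // instead of relying on the callee to cope with it.
  NS_ENSURE_ARG_POINTER(aTrust);

  nsCOMPtr<nsIX509Cert> newCert;
  nsNSSCertTrust trust;

  // Calculate the trust bits from the aTrust string. The result is a
  // SECStatus, not an nsresult, so it is translated explicitly rather than
  // being returned to XPCOM callers as a raw -1.
  SECStatus trustStatus =
    CERT_DecodeTrustString(trust.GetTrust(),
                           /* this is const, but not declared that way */
                           const_cast<char *>(aTrust));
  if (trustStatus != SECSuccess) {
    return NS_ERROR_FAILURE; // bad trust string passed in
  }

  nsresult rv = ConstructX509FromBase64(aBase64, getter_AddRefs(newCert));
  NS_ENSURE_SUCCESS(rv, rv);

  // Start from a fully initialised item; only data and len are filled in by
  // GetRawDER.
  SECItem der = { siBuffer, nsnull, 0 };
  rv = newCert->GetRawDER(&der.len, (PRUint8 **)&der.data);
  NS_ENSURE_SUCCESS(rv, rv);

  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
  CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
  // Reuse an existing database entry when there is one; otherwise create a
  // temporary certificate from the DER bytes.
  CERTCertificate *tmpCert = CERT_FindCertByDERCert(certdb, &der);
  if (!tmpCert) {
    tmpCert = CERT_NewTempCertificate(certdb, &der, nsnull, PR_FALSE, PR_TRUE);
  }

  // The DER buffer came from GetRawDER and is released on every path from here.
  nsMemory::Free(der.data);
  der.data = nsnull;
  der.len = 0;

  if (!tmpCert) {
    NS_ASSERTION(0,"Couldn't create cert from DER blob\n");
    return NS_ERROR_FAILURE;
  }

  if (tmpCert->isperm) {
    // Already permanent: nothing is written and the stored trust is kept.
    CERT_DestroyCertificate(tmpCert);
    return NS_OK;
  }

  // From here on the cleaner releases tmpCert when the function returns.
  CERTCertificateCleaner tmpCertCleaner(tmpCert);

  nsXPIDLCString nickname;
  nickname.Adopt(CERT_MakeCANickname(tmpCert));

  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Created nick \"%s\"\n", nickname.get()));

  SECStatus srv = CERT_AddTempCertToPerm(tmpCert,
                                         const_cast<char*>(nickname.get()),
                                         trust.GetTrust());
  return (srv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;
}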
/*
 * Record the certificate of the given TLS session as trusted in NSS.
 *
 * sx and info are forwarded to cert_from_sessioninfo() to obtain the
 * certificate; ev is not used in this function. A non-zero result from that
 * lookup is returned unchanged, otherwise the function returns 0.
 *
 * Why this exists (workaround for the NSS cache): when running with
 * verify_peer on, NSS remembers that a self-signed certificate was not
 * trusted. Even after the certificate is explicitly added as trusted in
 * curl, NSS keeps treating it as untrusted, so the trust settings are set
 * explicitly here. By the time this is reached NSS has already validated the
 * certificate and the user has accepted it.
 */
int sxi_ssl_usertrusted(sxc_client_t *sx, curlev_t *ev, const struct curl_tlssessioninfo *info)
{
    CERTCertificate *peer_cert;
    CERTCertTrust peer_trust;
    int status;

    status = cert_from_sessioninfo(sx, info, &peer_cert);
    if (status != 0)
        return status;

    /*
     * The same "PT" flags are written to all three fields of the trust
     * string (SSL, e-mail, object signing).
     * NOTE(review): only a TLS session is involved here; confirm whether the
     * e-mail and object-signing fields need to be set at all.
     */
    CERT_DecodeTrustString(&peer_trust, "PT,PT,PT");

    /*
     * NOTE(review): the status of both NSS calls is discarded, so 0 is
     * returned even when the trust change did not take effect. Also confirm
     * whether cert_from_sessioninfo() hands back a reference that has to be
     * released; nothing releases peer_cert here.
     */
    CERT_ChangeCertTrust(NULL, peer_cert, &peer_trust);

    return 0;
}
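/*
 * Command-line entry point.
 *
 * Parses the options, reads a DER blob from the -i file or from stdin and
 * passes it to ConvertCRLEntry() (distrust by CRL entry) or to
 * ConvertCertificate() (trust / distrust of a certificate).
 *
 * Exactly one of -t, -D or -C must be given, together with a nickname (-n).
 * Distrust modes force both the certificate and the hash to be excluded.
 *
 * Returns SECSuccess (0) on success. Every failure path ends in exit(1) or
 * in Usage(), which is presumably not expected to return (its body is not
 * part of this listing).
 */
int main(int argc, char **argv)
{
    SECStatus rv;
    char *nickname = NULL;
    char *trusts = NULL;
    char *progName;
    PRFileDesc *infile;
    CERTCertTrust trust = { 0 };
    SECItem derItem = { 0 };
    PRInt32 crlentry = 0;
    PRInt32 mutuallyExclusiveOpts = 0;
    PRBool decodeTrust = PR_FALSE;

    secuCommand addbuiltin = { 0 };
    addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
    addbuiltin.options = addbuiltin_options;

    /* Use the basename of argv[0] in diagnostics. */
    progName = strrchr(argv[0], '/');
    progName = progName ? progName+1 : argv[0];

    rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);

    if (rv != SECSuccess)
        Usage(progName);

    /* -t, -D and -C select the operating mode; count how many were given. */
    if (addbuiltin.options[opt_Trust].activated)
        ++mutuallyExclusiveOpts;
    if (addbuiltin.options[opt_Distrust].activated)
        ++mutuallyExclusiveOpts;
    if (addbuiltin.options[opt_DistrustCRL].activated)
        ++mutuallyExclusiveOpts;

    if (mutuallyExclusiveOpts != 1) {
        fprintf(stderr, "%s: you must specify exactly one of -t or -D or -C\n",
                progName);
        Usage(progName);
    }

    if (addbuiltin.options[opt_DistrustCRL].activated) {
        if (!addbuiltin.options[opt_CRLEnry].activated) {
            fprintf(stderr, "%s: you must specify the CRL entry number.\n",
                    progName);
            Usage(progName);
        } else {
            /* atoi() yields 0 for non-numeric text, which the range check
             * below rejects; trailing garbage after the digits is ignored. */
            crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg);
            if (crlentry < 1) {
                fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
                        progName);
                Usage(progName);
            }
        }
    }

    if (!addbuiltin.options[opt_Nickname].activated) {
        fprintf(stderr, "%s: you must specify parameter -n (a nickname or a label).\n",
                progName);
        Usage(progName);
    }

    if (addbuiltin.options[opt_Input].activated) {
        infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
        if (!infile) {
            fprintf(stderr, "%s: failed to open input file.\n", progName);
            exit(1);
        }
    } else {
#if defined(WIN32)
        /* If we're going to read binary data from stdin, we must put stdin
        ** into O_BINARY mode or else incoming \r\n's will become \n's,
        ** and latin-1 characters will be altered.
        */

        int smrv = _setmode(_fileno(stdin), _O_BINARY);
        if (smrv == -1) {
            fprintf(stderr,
                    "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
                    progName);
            exit(1);
        }
#endif
        infile = PR_STDIN;
    }

    nickname = strdup(addbuiltin.options[opt_Nickname].arg);

    /* Do not continue with an NSS library that failed to initialise. */
    if (NSS_NoDB_Init(NULL) != SECSuccess) {
        fprintf(stderr, "%s: NSS initialization failed.\n", progName);
        exit(1);
    }

    /* A distrust record carries neither the certificate nor its hash. */
    if (addbuiltin.options[opt_Distrust].activated ||
        addbuiltin.options[opt_DistrustCRL].activated) {
        addbuiltin.options[opt_ExcludeCert].activated = PR_TRUE;
        addbuiltin.options[opt_ExcludeHash].activated = PR_TRUE;
    }

    if (addbuiltin.options[opt_Distrust].activated) {
        trusts = strdup("p,p,p");
        decodeTrust = PR_TRUE;
    } else if (addbuiltin.options[opt_Trust].activated) {
        trusts = strdup(addbuiltin.options[opt_Trust].arg);
        decodeTrust = PR_TRUE;
    }

    if (decodeTrust) {
        rv = CERT_DecodeTrustString(&trust, trusts);
        if (rv) {
            fprintf(stderr, "%s: incorrectly formatted trust string.\n",
                    progName);
            Usage(progName);
        }
    }

    /* With -t, leaving out the hash is accepted only when the decoded flags
     * amount to a plain terminal record, i.e. a distrust entry. */
    if (addbuiltin.options[opt_Trust].activated &&
        addbuiltin.options[opt_ExcludeHash].activated) {
        if ((trust.sslFlags | trust.emailFlags | trust.objectSigningFlags) !=
            CERTDB_TERMINAL_RECORD) {
            fprintf(stderr, "%s: Excluding the hash only allowed with distrust.\n",
                    progName);
            Usage(progName);
        }
    }

    /* A failed read must not be converted as if it were an empty item. */
    rv = SECU_FileToItem(&derItem, infile);
    if (rv != SECSuccess) {
        fprintf(stderr, "%s: failed to read input.\n", progName);
        exit(1);
    }

    /*printheader();*/

    if (addbuiltin.options[opt_DistrustCRL].activated) {
        rv = ConvertCRLEntry(&derItem, crlentry, nickname);
        /* Report the failure the same way as the certificate branch does, so
         * that a distrust entry that could not be produced is not followed
         * by a successful exit status. */
        if (rv) {
            fprintf(stderr, "%s: failed to convert CRL entry.\n", progName);
            exit(1);
        }
    } else {
        rv = ConvertCertificate(&derItem, nickname, &trust,
                                addbuiltin.options[opt_ExcludeCert].activated,
                                addbuiltin.options[opt_ExcludeHash].activated);
        if (rv) {
            fprintf(stderr, "%s: failed to convert certificate.\n", progName);
            exit(1);
        }
    }

    if (NSS_Shutdown() != SECSuccess) {
        exit(1);
    }

    return(SECSuccess);
}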
/**
 * Delete the entry shown at visual row |index| of the certificate tree.
 *
 * The rows are walked thread by thread (one thread per mTreeArray element,
 * followed by its children when the thread is open) to translate the row
 * number into an index into mDispInfo.
 *
 * Outcome per kind of row:
 *  - row is a thread header: nothing is deleted, NS_OK is returned;
 *  - host/port override entry: the override is cleared; the certificate is
 *    deleted only once its usage count has dropped to zero;
 *  - other entry whose certificate is still used more than once: the
 *    certificate is kept and its trust is reset with an empty trust string;
 *  - any other entry: the certificate is deleted.
 *
 * @param index Visual row to delete.
 * @return The result of UpdateUIContents() after a deletion, NS_OK for a
 *         thread row, NS_ERROR_FAILURE when there is no tree array, the
 *         certificate database service is unavailable, or the row is not found.
 */
NS_IMETHODIMP
nsCertTree::DeleteEntryObject(PRUint32 index)
{
  if (!mTreeArray) {
    return NS_ERROR_FAILURE;
  }

  nsCOMPtr<nsIX509CertDB> certdb =
    do_GetService("@mozilla.org/security/x509certdb;1");
  if (!certdb) {
    return NS_ERROR_FAILURE;
  }

  int i;
  // idx: visual row reached so far; cIndex: number of children (open or
  // closed) of the threads already passed; nc: visible children of thread i.
  PRUint32 idx = 0, cIndex = 0, nc;
  // Loop over the threads
  for (i=0; i<mNumOrgs; i++) {
    if (index == idx) return NS_OK; // index is for thread
    idx++; // get past the thread
    nc = (mTreeArray[i].open) ? mTreeArray[i].numChildren : 0;
    if (index < idx + nc) { // cert is within range of this thread
      PRInt32 certIndex = cIndex + index - idx;

      bool canRemoveEntry = false;
      nsRefPtr<nsCertTreeDispInfo> certdi = mDispInfo.SafeElementAt(certIndex, NULL);

      // We will remove the element from the visual tree.
      // Only if we have a certdi, then we can check for additional actions.
      // Without a certdi, canRemoveEntry stays false and nothing is deleted
      // from the certificate database.
      nsCOMPtr<nsIX509Cert> cert = nsnull;
      if (certdi) {
        if (certdi->mAddonInfo) {
          cert = certdi->mAddonInfo->mCert;
        }
        nsCertAddonInfo *addonInfo = certdi->mAddonInfo ? certdi->mAddonInfo : nsnull;
        if (certdi->mTypeOfEntry == nsCertTreeDispInfo::host_port_override) {
          // NOTE(review): mOverrideService is used without a null check in
          // this function; confirm it is always set before this is reached.
          mOverrideService->ClearValidityOverride(certdi->mAsciiHost, certdi->mPort);
          if (addonInfo) {
            addonInfo->mUsageCount--;
            if (addonInfo->mUsageCount == 0) {
              // The certificate stored in the database is no longer
              // referenced by any other object displayed.
              // That means we no longer need to keep it around
              // and really can remove it.
              canRemoveEntry = true;
            }
          }
        }
        else {
          if (addonInfo && addonInfo->mUsageCount > 1) {
            // user is trying to delete a perm trusted cert,
            // although there are still overrides stored,
            // so, we keep the cert, but remove the trust

            // NOTE(review): the cleaner is constructed while nsscert is still
            // null and nsscert is assigned afterwards; presumably the cleaner
            // tracks the pointer variable rather than its value. Keep this
            // declaration order unless that is confirmed.
            CERTCertificate *nsscert = nsnull;
            CERTCertificateCleaner nsscertCleaner(nsscert);

            nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert);
            if (cert2) {
              nsscert = cert2->GetCert();
            }

            if (nsscert) {
              CERTCertTrust trust;
              memset((void*)&trust, 0, sizeof(trust));

              SECStatus srv = CERT_DecodeTrustString(&trust, ""); // no override
              if (srv == SECSuccess) {
                // NOTE(review): the result of the trust change is not
                // checked. If it fails, the row is still removed below while
                // the certificate keeps its previous trust in the database.
                CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust);
              }
            }
          }
          else {
            canRemoveEntry = true;
          }
        }
      }

      // The display entry is dropped whether or not the certificate itself
      // is deleted.
      mDispInfo.RemoveElementAt(certIndex);

      if (canRemoveEntry) {
        RemoveCacheEntry(cert);
        certdb->DeleteCertificate(cert);
      }

      // The tree array is discarded here and UpdateUIContents() is called
      // afterwards.
      delete [] mTreeArray;
      mTreeArray = nsnull;
      return UpdateUIContents();
    }
    if (mTreeArray[i].open)
      idx += mTreeArray[i].numChildren;
    cIndex += mTreeArray[i].numChildren;
    if (idx > index)
      break;
  }
  return NS_ERROR_FAILURE;
}
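/*
 * Command-line entry point.
 *
 * Parses the options, reads a DER certificate from the -i file or from
 * stdin, decodes the trust string and passes everything to
 * ConvertCertificate().
 *
 * Both a nickname and a trust string are mandatory.
 *
 * Returns SECSuccess (0) on success. Every failure path ends in exit(1) or
 * in Usage(), which is presumably not expected to return (its body is not
 * part of this listing).
 */
int main(int argc, char **argv)
{
    SECStatus rv;
    char *nickname;
    char *trusts;
    char *progName;
    PRFileDesc *infile;
    CERTCertTrust trust = { 0 };
    SECItem derCert = { 0 };

    secuCommand addbuiltin = { 0 };
    addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
    addbuiltin.options = addbuiltin_options;

    /* Use the basename of argv[0] in diagnostics. */
    progName = strrchr(argv[0], '/');
    progName = progName ? progName+1 : argv[0];

    rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);

    if (rv != SECSuccess)
        Usage(progName);

    /* Each of the two options is required: the .arg of both is passed to
     * strdup() below. The check therefore has to fire when either one is
     * missing, as the message says, not only when both are. */
    if (!addbuiltin.options[opt_Nickname].activated ||
        !addbuiltin.options[opt_Trust].activated) {
        fprintf(stderr, "%s: you must specify both a nickname and trust.\n",
                progName);
        Usage(progName);
    }

    if (addbuiltin.options[opt_Input].activated) {
        infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
        if (!infile) {
            fprintf(stderr, "%s: failed to open input file.\n", progName);
            exit(1);
        }
    } else {
#if defined(WIN32)
        /* If we're going to read binary data from stdin, we must put stdin
        ** into O_BINARY mode or else incoming \r\n's will become \n's,
        ** and latin-1 characters will be altered.
        */

        int smrv = _setmode(_fileno(stdin), _O_BINARY);
        if (smrv == -1) {
            fprintf(stderr,
                    "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
                    progName);
            exit(1);
        }
#endif
        infile = PR_STDIN;
    }

    nickname = strdup(addbuiltin.options[opt_Nickname].arg);
    trusts = strdup(addbuiltin.options[opt_Trust].arg);

    /* Do not continue with an NSS library that failed to initialise. */
    if (NSS_NoDB_Init(NULL) != SECSuccess) {
        fprintf(stderr, "%s: NSS initialization failed.\n", progName);
        exit(1);
    }

    rv = CERT_DecodeTrustString(&trust, trusts);
    if (rv) {
        fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
        Usage(progName);
    }

    /* A failed read must not be converted as if it were an empty item. */
    rv = SECU_FileToItem(&derCert, infile);
    if (rv != SECSuccess) {
        fprintf(stderr, "%s: failed to read input.\n", progName);
        exit(1);
    }

    /*printheader();*/

    rv = ConvertCertificate(&derCert, nickname, &trust);
    if (rv) {
        fprintf(stderr, "%s: failed to convert certificate.\n", progName);
        exit(1);
    }

    if (NSS_Shutdown() != SECSuccess) {
        exit(1);
    }

    return(SECSuccess);
}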