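/*
 * Log the peer certificate's subject, validity window, common name and
 * issuer through infof(). This is purely informational; nothing here
 * decides whether the certificate is accepted.
 *
 * data: session handle that receives the infof() output.
 * cert: certificate to describe; must be non-NULL.
 *
 * CERT_NameToAscii()/CERT_GetCommonName() can return NULL and
 * CERT_GetCertTimes() can fail, so each result is checked before use:
 * the original passed unchecked pointers to "%s" and read notBefore /
 * notAfter even when CERT_GetCertTimes() had not written them.
 * PR_Free() tolerates NULL, so the release path needs no guards.
 */
static void display_cert_info(struct SessionHandle *data, CERTCertificate *cert)
{
  static const char unavailable[] = "(unavailable)";
  char *subject = CERT_NameToAscii(&cert->subject);
  char *issuer = CERT_NameToAscii(&cert->issuer);
  char *common_name = CERT_GetCommonName(&cert->subject);
  PRTime notBefore, notAfter;

  infof(data, "\tsubject: %s\n", subject ? subject : unavailable);

  /* Only format the dates when NSS actually filled them in. */
  if(CERT_GetCertTimes(cert, &notBefore, &notAfter) == SECSuccess) {
    PRExplodedTime printableTime;
    char timeString[256];

    PR_ExplodeTime(notBefore, PR_GMTParameters, &printableTime);
    PR_FormatTime(timeString, sizeof timeString,
                  "%b %d %H:%M:%S %Y GMT", &printableTime);
    infof(data, "\tstart date: %s\n", timeString);

    PR_ExplodeTime(notAfter, PR_GMTParameters, &printableTime);
    PR_FormatTime(timeString, sizeof timeString,
                  "%b %d %H:%M:%S %Y GMT", &printableTime);
    infof(data, "\texpire date: %s\n", timeString);
  }
  else {
    infof(data, "\tstart date: %s\n", unavailable);
    infof(data, "\texpire date: %s\n", unavailable);
  }

  infof(data, "\tcommon name: %s\n", common_name ? common_name : unavailable);
  infof(data, "\tissuer: %s\n", issuer ? issuer : unavailable);

  PR_Free(subject);
  PR_Free(issuer);
  PR_Free(common_name);
}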
/*
 * Return the certificate's notAfter instant as a realtime_t in whole
 * seconds since the epoch, or realtime(-1) when NSS cannot extract the
 * validity times from the certificate.
 */
static realtime_t get_nss_cert_notafter(CERTCertificate *cert)
{
	PRTime not_before;
	PRTime not_after;
	SECStatus rc = CERT_GetCertTimes(cert, &not_before, &not_after);

	if (rc != SECSuccess) {
		return realtime(-1);
	}

	/* PRTime is in microseconds; realtime() expects seconds. */
	return realtime(not_after / PR_USEC_PER_SEC);
}
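// Capture the validity window of |cert| (which may be null).
// mNotBefore / mNotAfter are only meaningful when mTimesInitialized is
// true; they are zeroed in the initializer list so a null cert or a
// failed CERT_GetCertTimes() never leaves them indeterminate.
nsX509CertValidity::nsX509CertValidity(CERTCertificate *cert)
  : mNotBefore(0)
  , mNotAfter(0)
  , mTimesInitialized(false)
{
  // Keep NSS alive for the duration of the CERT_GetCertTimes() call.
  nsNSSShutDownPreventionLock locker;
  if (!cert) {
    return;
  }
  if (CERT_GetCertTimes(cert, &mNotBefore, &mNotAfter) == SECSuccess) {
    mTimesInitialized = true;
  }
}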
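/*
 * Callback from SSL for checking a (possibly) expired
 * certificate the peer presents.
 *
 * The chain is verified "as of" the certificate's own notAfter instant,
 * so trust, usage and (optionally) signature checks still run, but an
 * expired certificate is not rejected for being expired. On the client
 * side the certificate's name is then matched against the hostname
 * recorded on the socket; that name check is the only protection
 * against a man-in-the-middle in this path.
 *
 * arg:      unused callback context.
 * fd:       the SSL socket.
 * checkSig: whether signatures in the chain are verified.
 * isServer: true when we are the server (the peer is then a client).
 *
 * Returns SECSuccess only when every check passed; SECFailure (or the
 * NSS error status of the failing step) otherwise, including when no
 * peer certificate is available.
 */
SECStatus JSSL_ConfirmExpiredPeerCert(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
{
    SECStatus rv = SECFailure;
    int64 notAfter;
    int64 notBefore;
    SECCertUsage certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
    CERTCertificate *peerCert = SSL_PeerCertificate(fd);

    (void)arg;

    /* No peer certificate: nothing to verify and nothing to release. */
    if (peerCert == NULL) {
        return SECFailure;
    }

    rv = CERT_GetCertTimes(peerCert, &notBefore, &notAfter);
    if (rv == SECSuccess) {
        /*
         * Verify the certificate based on its expiry date. This should
         * always succeed, if the cert is trusted. It doesn't care if
         * the cert has expired.
         */
        rv = CERT_VerifyCert(CERT_GetDefaultCertDB(), peerCert, checkSig,
                             certUsage, notAfter, NULL /*pinarg*/, NULL /* log */);
    }

    if (rv == SECSuccess && !isServer) {
        /* This is the client side of an SSL connection.
         * Now check the name field in the cert against the desired hostname.
         * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
         */
        char *hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */
        if (hostname != NULL && hostname[0] != '\0') {
            rv = CERT_VerifyCertName(peerCert, hostname);
        } else {
            rv = SECFailure;
        }
        /* Release on both paths: an empty (non-NULL) hostname used to leak. */
        if (hostname != NULL) {
            PORT_Free(hostname);
        }
    }

    CERT_DestroyCertificate(peerCert);
    return rv;
}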
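/*
 * Decode an encoded certificate with NSS and report its notAfter instant,
 * in seconds since the Unix epoch, as the expiration.
 *
 * global_data:    unused.
 * blob/blob_size: the encoded certificate handed to
 *                 CERT_DecodeCertFromPackage().
 * expiration:     set to notAfter when the certificate is currently valid
 *                 (now within [notBefore, notAfter]); otherwise left at 0.
 *
 * Returns nonzero when *expiration was set, zero otherwise (decode
 * failure, time extraction failure, or certificate not currently valid).
 *
 * Changes from the previous version: the out pointer is only written
 * after it has been asserted non-NULL, and the gmtime()/localtime()/
 * mktime() round trip is gone. PRTime already counts microseconds since
 * the epoch in UTC, and that round trip (mktime of the UTC fields, then
 * adding back the local-vs-UTC difference) netted out to the same value
 * while relying on non-reentrant static buffers.
 */
static int
__pkcs11h_crypto_nss_certificate_get_expiration (
	IN void * const global_data,
	IN const unsigned char * const blob,
	IN const size_t blob_size,
	OUT time_t * const expiration
) {
	CERTCertificate *cert = NULL;
	PRTime pr_notBefore, pr_notAfter;
	time_t notBefore, notAfter;
	time_t now = time (NULL);

	(void)global_data;

	/*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
	_PKCS11H_ASSERT (blob!=NULL);
	_PKCS11H_ASSERT (expiration!=NULL);

	/* Dereference only after the assertion above has run. */
	*expiration = (time_t)0;

	if ((cert = CERT_DecodeCertFromPackage ((char *)blob, blob_size)) == NULL) {
		goto cleanup;
	}

	if (CERT_GetCertTimes (cert, &pr_notBefore, &pr_notAfter) != SECSuccess) {
		goto cleanup;
	}

	/* PRTime is microseconds since the epoch (UTC); time_t wants seconds. */
	notBefore = (time_t)(pr_notBefore / 1000000);
	notAfter = (time_t)(pr_notAfter / 1000000);

	if (now >= notBefore && now <= notAfter) {
		*expiration = notAfter;
	}

cleanup:

	if (cert != NULL) {
		CERT_DestroyCertificate (cert);
	}

	return *expiration != (time_t)0;
}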
// Record the validity window of |cert|. mTimesInitialized stays false when
// no certificate is supplied or NSS cannot read its times; mNotBefore and
// mNotAfter are zero in that case.
nsX509CertValidity::nsX509CertValidity(const mozilla::UniqueCERTCertificate& cert)
  : mNotBefore(0)
  , mNotAfter(0)
  , mTimesInitialized(false)
{
  MOZ_ASSERT(cert);
  if (cert) {
    SECStatus rv = CERT_GetCertTimes(cert.get(), &mNotBefore, &mNotAfter);
    mTimesInitialized = (rv == SECSuccess);
  }
}
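// Record the validity window of |cert|. mNotBefore / mNotAfter are only
// meaningful when mTimesInitialized is true; they are zeroed in the
// initializer list so the early returns below (null cert, NSS already shut
// down) and a failed CERT_GetCertTimes() never leave them indeterminate.
nsX509CertValidity::nsX509CertValidity(const mozilla::UniqueCERTCertificate& cert)
  : mNotBefore(0)
  , mNotAfter(0)
  , mTimesInitialized(false)
{
  MOZ_ASSERT(cert);
  if (!cert) {
    return;
  }
  // Hold NSS open while the certificate is read; if it is already shutting
  // down, leave the times uninitialized rather than touch the cert.
  nsNSSShutDownPreventionLock locker;
  if (isAlreadyShutDown()) {
    return;
  }
  if (CERT_GetCertTimes(cert.get(), &mNotBefore, &mNotAfter) == SECSuccess) {
    mTimesInitialized = true;
  }
}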
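/*
 * Log the negotiated cipher suite and the peer certificate's subject,
 * validity window, common name and issuer via infof(). Informational
 * only; certificate acceptance is decided elsewhere.
 *
 * conn: connection whose data handle receives the log lines.
 * sock: the NSPR/NSS socket the TLS session runs on.
 *
 * SSL_PeerCertificate() can return NULL (no certificate, or failure) and
 * was previously dereferenced unchecked; CERT_GetCertTimes() and the
 * name helpers can likewise fail, so all are checked before any value
 * reaches infof(). PR_Free() tolerates NULL.
 */
static void display_conn_info(struct connectdata *conn, PRFileDesc *sock)
{
  static const char unavailable[] = "(unavailable)";
  SSLChannelInfo channel;
  SSLCipherSuiteInfo suite;
  CERTCertificate *cert;
  char *subject, *issuer, *common_name;
  PRTime notBefore, notAfter;

  if(SSL_GetChannelInfo(sock, &channel, sizeof channel) == SECSuccess &&
     channel.length == sizeof channel && channel.cipherSuite) {
    if(SSL_GetCipherSuiteInfo(channel.cipherSuite, &suite, sizeof suite) ==
       SECSuccess) {
      infof(conn->data, "SSL connection using %s\n", suite.cipherSuiteName);
    }
  }

  infof(conn->data, "Server certificate:\n");

  cert = SSL_PeerCertificate(sock);
  if(!cert) {
    /* Nothing to describe and nothing to release. */
    return;
  }

  subject = CERT_NameToAscii(&cert->subject);
  issuer = CERT_NameToAscii(&cert->issuer);
  common_name = CERT_GetCommonName(&cert->subject);

  infof(conn->data, "\tsubject: %s\n", subject ? subject : unavailable);

  /* Only format the dates when NSS actually filled them in. */
  if(CERT_GetCertTimes(cert, &notBefore, &notAfter) == SECSuccess) {
    PRExplodedTime printableTime;
    char timeString[256];

    PR_ExplodeTime(notBefore, PR_GMTParameters, &printableTime);
    PR_FormatTime(timeString, sizeof timeString,
                  "%b %d %H:%M:%S %Y GMT", &printableTime);
    infof(conn->data, "\tstart date: %s\n", timeString);

    PR_ExplodeTime(notAfter, PR_GMTParameters, &printableTime);
    PR_FormatTime(timeString, sizeof timeString,
                  "%b %d %H:%M:%S %Y GMT", &printableTime);
    infof(conn->data, "\texpire date: %s\n", timeString);
  }
  else {
    infof(conn->data, "\tstart date: %s\n", unavailable);
    infof(conn->data, "\texpire date: %s\n", unavailable);
  }

  infof(conn->data, "\tcommon name: %s\n",
        common_name ? common_name : unavailable);
  infof(conn->data, "\tissuer: %s\n", issuer ? issuer : unavailable);

  PR_Free(subject);
  PR_Free(issuer);
  PR_Free(common_name);
  CERT_DestroyCertificate(cert);
}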