static void display_cert_info(struct SessionHandle *data,
CERTCertificate *cert)
{
char *subject, *issuer, *common_name;
PRExplodedTime printableTime;
char timeString[256];
PRTime notBefore, notAfter;
subject = CERT_NameToAscii(&cert->subject);
issuer = CERT_NameToAscii(&cert->issuer);
common_name = CERT_GetCommonName(&cert->subject);
infof(data, "\tsubject: %s\n", subject);
CERT_GetCertTimes(cert, ¬Before, ¬After);
PR_ExplodeTime(notBefore, PR_GMTParameters, &printableTime);
PR_FormatTime(timeString, 256, "%b %d %H:%M:%S %Y GMT", &printableTime);
infof(data, "\tstart date: %s\n", timeString);
PR_ExplodeTime(notAfter, PR_GMTParameters, &printableTime);
PR_FormatTime(timeString, 256, "%b %d %H:%M:%S %Y GMT", &printableTime);
infof(data, "\texpire date: %s\n", timeString);
infof(data, "\tcommon name: %s\n", common_name);
infof(data, "\tissuer: %s\n", issuer);
PR_Free(subject);
PR_Free(issuer);
PR_Free(common_name);
}
static realtime_t get_nss_cert_notafter(CERTCertificate *cert)
{
PRTime notBefore, notAfter;
if (CERT_GetCertTimes(cert, ¬Before, ¬After) != SECSuccess)
return realtime(-1);
else
return realtime(notAfter / PR_USEC_PER_SEC);
}
nsX509CertValidity::nsX509CertValidity(CERTCertificate *cert) :
mTimesInitialized(false)
{
nsNSSShutDownPreventionLock locker;
if (cert) {
SECStatus rv = CERT_GetCertTimes(cert, &mNotBefore, &mNotAfter);
if (rv == SECSuccess)
mTimesInitialized = true;
}
}
/*
* Callback from SSL for checking a (possibly) expired
* certificate the peer presents.
*/
SECStatus
JSSL_ConfirmExpiredPeerCert(void *arg, PRFileDesc *fd, PRBool checkSig,
PRBool isServer)
{
SECStatus rv=SECFailure;
SECCertUsage certUsage;
CERTCertificate* peerCert=NULL;
int64 notAfter, notBefore;
certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
peerCert = SSL_PeerCertificate(fd);
if (peerCert) {
rv = CERT_GetCertTimes(peerCert, ¬Before, ¬After);
if (rv != SECSuccess) goto finish;
/*
* Verify the certificate based on it's expiry date. This should
* always succeed, if the cert is trusted. It doesn't care if
* the cert has expired.
*/
rv = CERT_VerifyCert(CERT_GetDefaultCertDB(), peerCert,
checkSig, certUsage,
notAfter, NULL /*pinarg*/,
NULL /* log */);
}
if ( rv != SECSuccess ) goto finish;
if( ! isServer ) {
/* This is the client side of an SSL connection.
* Now check the name field in the cert against the desired hostname.
* NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
*/
if( peerCert == NULL ) {
rv = SECFailure;
} else {
char* hostname = NULL;
hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */
if (hostname && hostname[0]) {
rv = CERT_VerifyCertName(peerCert, hostname);
PORT_Free(hostname);
} else {
rv = SECFailure;
}
}
}
finish:
if (peerCert!=NULL) CERT_DestroyCertificate(peerCert);
return rv;
}
static
int
__pkcs11h_crypto_nss_certificate_get_expiration (
IN void * const global_data,
IN const unsigned char * const blob,
IN const size_t blob_size,
OUT time_t * const expiration
) {
CERTCertificate *cert = NULL;
PRTime pr_notBefore, pr_notAfter;
time_t notBefore, notAfter;
time_t now = time (NULL);
(void)global_data;
*expiration = (time_t)0;
/*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
_PKCS11H_ASSERT (blob!=NULL);
_PKCS11H_ASSERT (expiration!=NULL);
if ((cert = CERT_DecodeCertFromPackage ((char *)blob, blob_size)) == NULL) {
goto cleanup;
}
if (CERT_GetCertTimes (cert, &pr_notBefore, &pr_notAfter) != SECSuccess) {
goto cleanup;
}
notBefore = pr_notBefore/1000000;
notAfter = pr_notAfter/1000000;
notBefore = mktime (gmtime (¬Before));
notBefore += (int)(mktime (localtime (¬Before)) - mktime (gmtime (¬Before)));
notAfter = mktime (gmtime (¬After));
notAfter += (int)(mktime (localtime (¬After)) - mktime (gmtime (¬After)));
if (
now >= notBefore &&
now <= notAfter
) {
*expiration = notAfter;
}
cleanup:
if (cert != NULL) {
CERT_DestroyCertificate (cert);
}
return *expiration != (time_t)0;
}
nsX509CertValidity::nsX509CertValidity(const mozilla::UniqueCERTCertificate& cert)
: mNotBefore(0)
, mNotAfter(0)
, mTimesInitialized(false)
{
MOZ_ASSERT(cert);
if (!cert) {
return;
}
if (CERT_GetCertTimes(cert.get(), &mNotBefore, &mNotAfter) == SECSuccess) {
mTimesInitialized = true;
}
}
nsX509CertValidity::nsX509CertValidity(const mozilla::UniqueCERTCertificate& cert)
: mTimesInitialized(false)
{
MOZ_ASSERT(cert);
if (!cert) {
return;
}
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return;
}
if (CERT_GetCertTimes(cert.get(), &mNotBefore, &mNotAfter) == SECSuccess) {
mTimesInitialized = true;
}
}
static void display_conn_info(struct connectdata *conn, PRFileDesc *sock)
{
SSLChannelInfo channel;
SSLCipherSuiteInfo suite;
CERTCertificate *cert;
char *subject, *issuer, *common_name;
PRExplodedTime printableTime;
char timeString[256];
PRTime notBefore, notAfter;
if(SSL_GetChannelInfo(sock, &channel, sizeof channel) ==
SECSuccess && channel.length == sizeof channel &&
channel.cipherSuite) {
if(SSL_GetCipherSuiteInfo(channel.cipherSuite,
&suite, sizeof suite) == SECSuccess) {
infof(conn->data, "SSL connection using %s\n", suite.cipherSuiteName);
}
}
infof(conn->data, "Server certificate:\n");
cert = SSL_PeerCertificate(sock);
subject = CERT_NameToAscii(&cert->subject);
issuer = CERT_NameToAscii(&cert->issuer);
common_name = CERT_GetCommonName(&cert->subject);
infof(conn->data, "\tsubject: %s\n", subject);
CERT_GetCertTimes(cert, ¬Before, ¬After);
PR_ExplodeTime(notBefore, PR_GMTParameters, &printableTime);
PR_FormatTime(timeString, 256, "%b %d %H:%M:%S %Y GMT", &printableTime);
infof(conn->data, "\tstart date: %s\n", timeString);
PR_ExplodeTime(notAfter, PR_GMTParameters, &printableTime);
PR_FormatTime(timeString, 256, "%b %d %H:%M:%S %Y GMT", &printableTime);
infof(conn->data, "\texpire date: %s\n", timeString);
infof(conn->data, "\tcommon name: %s\n", common_name);
infof(conn->data, "\tissuer: %s\n", issuer);
PR_Free(subject);
PR_Free(issuer);
PR_Free(common_name);
CERT_DestroyCertificate(cert);
return;
}
