NS_IMETHODIMP nsSecretDecoderRing:: LogoutAndTeardown() { nsresult rv; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv)) return rv; { nsNSSShutDownPreventionLock locker; PK11_LogoutAll(); SSL_ClearSessionCache(); } rv = nssComponent->LogoutAuthenticatedPK11(); // After we just logged out, we need to prune dead connections to make // sure that all connections that should be stopped, are stopped. See // bug 517584. nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService(); if (os) os->NotifyObservers(nsnull, "net:prune-dead-connections", nsnull); return rv; }
NS_IMETHODIMP nsNSSCertificate::GetTokenName(nsAString &aTokenName) { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; aTokenName.Truncate(); if (mCert) { // HACK alert // When the trust of a builtin cert is modified, NSS copies it into the // cert db. At this point, it is now "managed" by the user, and should // not be listed with the builtins. However, in the collection code // used by PK11_ListCerts, the cert is found in the temp db, where it // has been loaded from the token. Though the trust is correct (grabbed // from the cert db), the source is wrong. I believe this is a safe // way to work around this. if (mCert->slot) { char *token = PK11_GetTokenName(mCert->slot); if (token) { aTokenName = NS_ConvertUTF8toUTF16(token); } } else { nsresult rv; nsAutoString tok; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv)) return rv; rv = nssComponent->GetPIPNSSBundleString("InternalToken", tok); if (NS_SUCCEEDED(rv)) aTokenName = tok; } } return NS_OK; }
// nickname_collision // what to do when the nickname collides with one already in the db. // TODO: not handled, throw a dialog allowing the nick to be changed? SECItem * PR_CALLBACK nsPKCS12Blob::nickname_collision(SECItem *oldNick, PRBool *cancel, void *wincx) { nsNSSShutDownPreventionLock locker; *cancel = false; nsresult rv; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv)) return nsnull; int count = 1; nsCString nickname; nsAutoString nickFromProp; nssComponent->GetPIPNSSBundleString("P12DefaultNickname", nickFromProp); NS_ConvertUTF16toUTF8 nickFromPropC(nickFromProp); // The user is trying to import a PKCS#12 file that doesn't have the // attribute we use to set the nickname. So in order to reduce the // number of interactions we require with the user, we'll build a nickname // for the user. The nickname isn't prominently displayed in the UI, // so it's OK if we generate one on our own here. // XXX If the NSS API were smarter and actually passed a pointer to // the CERTCertificate* we're importing we could actually just // call default_nickname (which is what the issuance code path // does) and come up with a reasonable nickname. Alas, the NSS // API limits our ability to produce a useful nickname without // bugging the user. :( while (1) { // If we've gotten this far, that means there isn't a certificate // in the database that has the same subject name as the cert we're // trying to import. So we need to come up with a "nickname" to // satisfy the NSS requirement or fail in trying to import. // Basically we use a default nickname from a properties file and // see if a certificate exists with that nickname. If there isn't, then // create update the count by one and append the string '#1' Or // whatever the count currently is, and look for a cert with // that nickname. Keep updating the count until we find a nickname // without a corresponding cert. // XXX If a user imports *many* certs without the 'friendly name' // attribute, then this may take a long time. :( if (count > 1) { nickname.Adopt(PR_smprintf("%s #%d", nickFromPropC.get(), count)); } else { nickname = nickFromPropC; } CERTCertificate *cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), const_cast<char*>(nickname.get())); if (!cert) { break; } CERT_DestroyCertificate(cert); count++; } SECItem *newNick = new SECItem; if (!newNick) return nsnull; newNick->type = siAsciiString; newNick->data = (unsigned char*) nsCRT::strdup(nickname.get()); newNick->len = strlen((char*)newNick->data); return newNick; }
NS_IMETHODIMP nsCRLManager::RescheduleCRLAutoUpdate(void) { nsresult rv; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if(NS_FAILED(rv)){ return rv; } rv = nssComponent->DefineNextTimer(); return rv; }
TemporaryRef<CertVerifier> GetDefaultCertVerifier() { static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID)); RefPtr<CertVerifier> certVerifier; if (nssComponent) { (void) nssComponent->GetDefaultCertVerifier(certVerifier); } return certVerifier; }
NS_IMETHODIMP nsPK11Token::LogoutAndDropAuthenticatedResources() { nsresult rv = LogoutSimple(); if (NS_FAILED(rv)) return rv; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv)) return rv; return nssComponent->LogoutAuthenticatedPK11(); }
already_AddRefed<SharedCertVerifier> GetDefaultCertVerifier() { static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID)); RefPtr<SharedCertVerifier> certVerifier; if (nssComponent) { return nssComponent->GetDefaultCertVerifier(); } return nullptr; }
// // helper function to pass the event off to nsNSSComponent. // nsresult SmartCardMonitoringThread::SendEvent(const nsAString &eventType, const char *tokenName) { nsresult rv; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv)) return rv; // NSS returns actual UTF8, not ASCII nssComponent->PostEvent(eventType, NS_ConvertUTF8toUTF16(tokenName)); return NS_OK; }
NS_IMETHODIMP nsSecretDecoderRing:: Logout() { nsresult rv; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv)) return rv; { nsNSSShutDownPreventionLock locker; PK11_LogoutAll(); SSL_ClearSessionCache(); } return NS_OK; }
void nsNSSCertificateDB::DisplayCertificateAlert(nsIInterfaceRequestor *ctx, const char *stringID, nsIX509Cert *certToShow) { nsPSMUITracker tracker; if (!tracker.isUIForbidden()) { nsCOMPtr<nsIInterfaceRequestor> my_cxt = ctx; if (!my_cxt) my_cxt = new PipUIContext(); // This shall be replaced by embedding ovverridable prompts // as discussed in bug 310446, and should make use of certToShow. nsresult rv; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_SUCCEEDED(rv)) { nsAutoString tmpMessage; nssComponent->GetPIPNSSBundleString(stringID, tmpMessage); // The interface requestor object may not be safe, so proxy the call to get // the nsIPrompt. nsCOMPtr<nsIInterfaceRequestor> proxiedCallbacks; NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD, NS_GET_IID(nsIInterfaceRequestor), my_cxt, NS_PROXY_SYNC, getter_AddRefs(proxiedCallbacks)); nsCOMPtr<nsIPrompt> prompt (do_GetInterface(proxiedCallbacks)); if (!prompt) return; // Finally, get a proxy for the nsIPrompt nsCOMPtr<nsIPrompt> proxyPrompt; NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD, NS_GET_IID(nsIPrompt), prompt, NS_PROXY_SYNC, getter_AddRefs(proxyPrompt)); proxyPrompt->Alert(nsnull, tmpMessage.get()); } } }
NS_IMETHODIMP nsNSSCertificate::GetEmailAddress(nsAString &aEmailAddress) { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; if (mCert->emailAddr) { CopyUTF8toUTF16(mCert->emailAddr, aEmailAddress); } else { nsresult rv; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv) || !nssComponent) { return NS_ERROR_FAILURE; } nssComponent->GetPIPNSSBundleString("CertNoEmailAddress", aEmailAddress); } return NS_OK; }
NS_IMETHODIMP nsCRLManager::UpdateCRLFromURL( const PRUnichar *url, const PRUnichar* key, bool *res) { nsresult rv; nsAutoString downloadUrl(url); nsAutoString dbKey(key); nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if(NS_FAILED(rv)){ *res = false; return rv; } rv = nssComponent->DownloadCRLDirectly(downloadUrl, dbKey); if(NS_FAILED(rv)){ *res = false; } else { *res = true; } return NS_OK; }
// Add a new PKCS11 module to the user's profile. NS_IMETHODIMP nsPkcs11::AddModule(const nsAString& aModuleName, const nsAString& aLibraryFullPath, int32_t aCryptoMechanismFlags, int32_t aCipherFlags) { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (aModuleName.IsEmpty()) { return NS_ERROR_INVALID_ARG; } NS_ConvertUTF16toUTF8 moduleName(aModuleName); nsCString fullPath; // NSS doesn't support Unicode path. Use native charset NS_CopyUnicodeToNative(aLibraryFullPath, fullPath); uint32_t mechFlags = SECMOD_PubMechFlagstoInternal(aCryptoMechanismFlags); uint32_t cipherFlags = SECMOD_PubCipherFlagstoInternal(aCipherFlags); SECStatus srv = SECMOD_AddNewModule(moduleName.get(), fullPath.get(), mechFlags, cipherFlags); if (srv != SECSuccess) { return NS_ERROR_FAILURE; } #ifndef MOZ_NO_SMART_CARDS mozilla::UniqueSECMODModule module(SECMOD_FindModule(moduleName.get())); if (!module) { return NS_ERROR_FAILURE; } nsCOMPtr<nsINSSComponent> nssComponent( do_GetService(PSM_COMPONENT_CONTRACTID)); nssComponent->LaunchSmartCardThread(module.get()); #endif return NS_OK; }
// Delete a PKCS11 module from the user's profile. NS_IMETHODIMP nsPkcs11::DeleteModule(const nsAString& aModuleName) { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (aModuleName.IsEmpty()) { return NS_ERROR_INVALID_ARG; } NS_ConvertUTF16toUTF8 moduleName(aModuleName); // Introduce additional scope for module so all references to it are released // before we call SECMOD_DeleteModule, below. #ifndef MOZ_NO_SMART_CARDS { mozilla::UniqueSECMODModule module(SECMOD_FindModule(moduleName.get())); if (!module) { return NS_ERROR_FAILURE; } nsCOMPtr<nsINSSComponent> nssComponent( do_GetService(PSM_COMPONENT_CONTRACTID)); nssComponent->ShutdownSmartCardThread(module.get()); } #endif // modType is an output variable. We ignore it. int32_t modType; SECStatus srv = SECMOD_DeleteModule(moduleName.get(), &modType); if (srv != SECSuccess) { return NS_ERROR_FAILURE; } return NS_OK; }
NS_IMETHODIMP nsCRLManager::ImportCrl (PRUint8 *aData, PRUint32 aLength, nsIURI * aURI, PRUint32 aType, PRBool doSilentDonwload, const PRUnichar* crlKey) { nsNSSShutDownPreventionLock locker; nsresult rv; PRArenaPool *arena = NULL; CERTCertificate *caCert; SECItem derName = { siBuffer, NULL, 0 }; SECItem derCrl; CERTSignedData sd; SECStatus sec_rv; CERTSignedCrl *crl; nsCAutoString url; nsCOMPtr<nsICRLInfo> crlData; PRBool importSuccessful; PRInt32 errorCode; nsString errorMessage; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv)) return rv; aURI->GetSpec(url); arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) { goto loser; } memset(&sd, 0, sizeof(sd)); derCrl.data = (unsigned char*)aData; derCrl.len = aLength; sec_rv = CERT_KeyFromDERCrl(arena, &derCrl, &derName); if (sec_rv != SECSuccess) { goto loser; } caCert = CERT_FindCertByName(CERT_GetDefaultCertDB(), &derName); if (!caCert) { if (aType == SEC_KRL_TYPE){ goto loser; } } else { sec_rv = SEC_ASN1DecodeItem(arena, &sd, SEC_ASN1_GET(CERT_SignedDataTemplate), &derCrl); if (sec_rv != SECSuccess) { goto loser; } sec_rv = CERT_VerifySignedData(&sd, caCert, PR_Now(), nsnull); if (sec_rv != SECSuccess) { goto loser; } } crl = SEC_NewCrl(CERT_GetDefaultCertDB(), const_cast<char*>(url.get()), &derCrl, aType); if (!crl) { goto loser; } crlData = new nsCRLInfo(crl); SSL_ClearSessionCache(); SEC_DestroyCrl(crl); importSuccessful = PR_TRUE; goto done; loser: importSuccessful = PR_FALSE; errorCode = PR_GetError(); switch (errorCode) { case SEC_ERROR_CRL_EXPIRED: nssComponent->GetPIPNSSBundleString("CrlImportFailureExpired", errorMessage); break; case SEC_ERROR_CRL_BAD_SIGNATURE: nssComponent->GetPIPNSSBundleString("CrlImportFailureBadSignature", errorMessage); break; case SEC_ERROR_CRL_INVALID: nssComponent->GetPIPNSSBundleString("CrlImportFailureInvalid", errorMessage); break; case SEC_ERROR_OLD_CRL: nssComponent->GetPIPNSSBundleString("CrlImportFailureOld", errorMessage); break; case SEC_ERROR_CRL_NOT_YET_VALID: nssComponent->GetPIPNSSBundleString("CrlImportFailureNotYetValid", errorMessage); break; default: nssComponent->GetPIPNSSBundleString("CrlImportFailureReasonUnknown", errorMessage); errorMessage.AppendInt(errorCode,16); break; } done: if(!doSilentDonwload){ if (!importSuccessful){ nsString message; nsString temp; nsCOMPtr<nsIWindowWatcher> wwatch(do_GetService(NS_WINDOWWATCHER_CONTRACTID)); nsCOMPtr<nsIPrompt> prompter; if (wwatch){ wwatch->GetNewPrompter(0, getter_AddRefs(prompter)); nssComponent->GetPIPNSSBundleString("CrlImportFailure1x", message); message.Append(NS_LITERAL_STRING("\n").get()); message.Append(errorMessage); nssComponent->GetPIPNSSBundleString("CrlImportFailure2", temp); message.Append(NS_LITERAL_STRING("\n").get()); message.Append(temp); if(prompter) { nsPSMUITracker tracker; if (!tracker.isUIForbidden()) { prompter->Alert(0, message.get()); } } } } else { nsCOMPtr<nsICertificateDialogs> certDialogs; // Not being able to display the success dialog should not // be a fatal error, so don't return a failure code. { nsPSMUITracker tracker; if (tracker.isUIForbidden()) { rv = NS_ERROR_NOT_AVAILABLE; } else { rv = ::getNSSDialogs(getter_AddRefs(certDialogs), NS_GET_IID(nsICertificateDialogs), NS_CERTIFICATEDIALOGS_CONTRACTID); } } if (NS_SUCCEEDED(rv)) { nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext(); certDialogs->CrlImportStatusDialog(cxt, crlData); } } } else { if(crlKey == nsnull){ return NS_ERROR_FAILURE; } nsCOMPtr<nsIPrefService> prefSvc = do_GetService(NS_PREFSERVICE_CONTRACTID,&rv); nsCOMPtr<nsIPrefBranch> pref = do_GetService(NS_PREFSERVICE_CONTRACTID,&rv); if (NS_FAILED(rv)){ return rv; } nsCAutoString updateErrCntPrefStr(CRL_AUTOUPDATE_ERRCNT_PREF); updateErrCntPrefStr.AppendWithConversion(crlKey); if(importSuccessful){ PRUnichar *updateTime; nsCAutoString updateTimeStr; nsCString updateURL; PRInt32 timingTypePref; double dayCnt; char *dayCntStr; nsCAutoString updateTypePrefStr(CRL_AUTOUPDATE_TIMIINGTYPE_PREF); nsCAutoString updateTimePrefStr(CRL_AUTOUPDATE_TIME_PREF); nsCAutoString updateUrlPrefStr(CRL_AUTOUPDATE_URL_PREF); nsCAutoString updateDayCntPrefStr(CRL_AUTOUPDATE_DAYCNT_PREF); nsCAutoString updateFreqCntPrefStr(CRL_AUTOUPDATE_FREQCNT_PREF); updateTypePrefStr.AppendWithConversion(crlKey); updateTimePrefStr.AppendWithConversion(crlKey); updateUrlPrefStr.AppendWithConversion(crlKey); updateDayCntPrefStr.AppendWithConversion(crlKey); updateFreqCntPrefStr.AppendWithConversion(crlKey); pref->GetIntPref(updateTypePrefStr.get(),&timingTypePref); //Compute and update the next download instant if(timingTypePref == TYPE_AUTOUPDATE_TIME_BASED){ pref->GetCharPref(updateDayCntPrefStr.get(),&dayCntStr); }else{ pref->GetCharPref(updateFreqCntPrefStr.get(),&dayCntStr); } dayCnt = atof(dayCntStr); nsMemory::Free(dayCntStr); PRBool toBeRescheduled = PR_FALSE; if(NS_SUCCEEDED(ComputeNextAutoUpdateTime(crlData, timingTypePref, dayCnt, &updateTime))){ updateTimeStr.AssignWithConversion(updateTime); nsMemory::Free(updateTime); pref->SetCharPref(updateTimePrefStr.get(),updateTimeStr.get()); //Now, check if this update time is already in the past. This would //imply we have downloaded the same crl, or there is something wrong //with the next update date. We will not reschedule this crl in this //session anymore - or else, we land into a loop. It would anyway be //imported once the browser is restarted. PRTime nextTime; PR_ParseTimeString(updateTimeStr.get(),PR_TRUE, &nextTime); if(LL_CMP(nextTime, > , PR_Now())){ toBeRescheduled = PR_TRUE; } } //Update the url to download from, next time crlData->GetLastFetchURL(updateURL); pref->SetCharPref(updateUrlPrefStr.get(),updateURL.get()); pref->SetIntPref(updateErrCntPrefStr.get(),0); if (toBeRescheduled) { nsAutoString hashKey(crlKey); nssComponent->RemoveCrlFromList(hashKey); nssComponent->DefineNextTimer(); } } else{
void PR_CALLBACK HandshakeCallback(PRFileDesc* fd, void* client_data) { nsNSSShutDownPreventionLock locker; PRInt32 sslStatus; char* signer = nsnull; char* cipherName = nsnull; PRInt32 keyLength; nsresult rv; PRInt32 encryptBits; if (SECSuccess != SSL_SecurityStatus(fd, &sslStatus, &cipherName, &keyLength, &encryptBits, &signer, nsnull)) { return; } PRInt32 secStatus; if (sslStatus == SSL_SECURITY_STATUS_OFF) secStatus = nsIWebProgressListener::STATE_IS_BROKEN; else if (encryptBits >= 90) secStatus = (nsIWebProgressListener::STATE_IS_SECURE | nsIWebProgressListener::STATE_SECURE_HIGH); else secStatus = (nsIWebProgressListener::STATE_IS_SECURE | nsIWebProgressListener::STATE_SECURE_LOW); CERTCertificate *peerCert = SSL_PeerCertificate(fd); const char* caName = nsnull; // caName is a pointer only, no ownership char* certOrgName = CERT_GetOrgName(&peerCert->issuer); CERT_DestroyCertificate(peerCert); caName = certOrgName ? certOrgName : signer; const char* verisignName = "Verisign, Inc."; // If the CA name is RSA Data Security, then change the name to the real // name of the company i.e. VeriSign, Inc. if (nsCRT::strcmp((const char*)caName, "RSA Data Security, Inc.") == 0) { caName = verisignName; } nsAutoString shortDesc; const PRUnichar* formatStrings[1] = { ToNewUnicode(NS_ConvertUTF8toUTF16(caName)) }; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_SUCCEEDED(rv)) { rv = nssComponent->PIPBundleFormatStringFromName("SignedBy", formatStrings, 1, shortDesc); nsMemory::Free(const_cast<PRUnichar*>(formatStrings[0])); nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret; infoObject->SetSecurityState(secStatus); infoObject->SetShortSecurityDescription(shortDesc.get()); /* Set the SSL Status information */ nsRefPtr<nsSSLStatus> status = infoObject->SSLStatus(); if (!status) { status = new nsSSLStatus(); infoObject->SetSSLStatus(status); } CERTCertificate *serverCert = SSL_PeerCertificate(fd); if (serverCert) { nsRefPtr<nsNSSCertificate> nssc = new nsNSSCertificate(serverCert); CERT_DestroyCertificate(serverCert); serverCert = nsnull; nsCOMPtr<nsIX509Cert> prevcert; infoObject->GetPreviousCert(getter_AddRefs(prevcert)); PRBool equals_previous = PR_FALSE; if (prevcert) { nsresult rv = nssc->Equals(prevcert, &equals_previous); if (NS_FAILED(rv)) { equals_previous = PR_FALSE; } } if (equals_previous) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("HandshakeCallback using PREV cert %p\n", prevcert.get())); infoObject->SetCert(prevcert); status->mServerCert = prevcert; } else { if (status->mServerCert) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("HandshakeCallback KEEPING cert %p\n", status->mServerCert.get())); infoObject->SetCert(status->mServerCert); } else { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("HandshakeCallback using NEW cert %p\n", nssc.get())); infoObject->SetCert(nssc); status->mServerCert = nssc; } } } status->mHaveKeyLengthAndCipher = PR_TRUE; status->mKeyLength = keyLength; status->mSecretKeyLength = encryptBits; status->mCipherName.Adopt(cipherName); } PR_FREEIF(certOrgName); PR_Free(signer); }
void nsNSSCertificateDB::get_default_nickname(CERTCertificate *cert, nsIInterfaceRequestor* ctx, nsCString &nickname) { nickname.Truncate(); nsNSSShutDownPreventionLock locker; nsresult rv; CK_OBJECT_HANDLE keyHandle; CERTCertDBHandle *defaultcertdb = CERT_GetDefaultCertDB(); nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv)) return; nsCAutoString username; char *temp_un = CERT_GetCommonName(&cert->subject); if (temp_un) { username = temp_un; PORT_Free(temp_un); temp_un = nsnull; } nsCAutoString caname; char *temp_ca = CERT_GetOrgName(&cert->issuer); if (temp_ca) { caname = temp_ca; PORT_Free(temp_ca); temp_ca = nsnull; } nsAutoString tmpNickFmt; nssComponent->GetPIPNSSBundleString("nick_template", tmpNickFmt); NS_ConvertUTF16toUTF8 nickFmt(tmpNickFmt); nsCAutoString baseName; char *temp_nn = PR_smprintf(nickFmt.get(), username.get(), caname.get()); if (!temp_nn) { return; } else { baseName = temp_nn; PR_smprintf_free(temp_nn); temp_nn = nsnull; } nickname = baseName; /* * We need to see if the private key exists on a token, if it does * then we need to check for nicknames that already exist on the smart * card. */ PK11SlotInfo *slot = PK11_KeyForCertExists(cert, &keyHandle, ctx); PK11SlotInfoCleaner slotCleaner(slot); if (!slot) return; if (!PK11_IsInternal(slot)) { char *tmp = PR_smprintf("%s:%s", PK11_GetTokenName(slot), baseName.get()); if (!tmp) { nickname.Truncate(); return; } baseName = tmp; PR_smprintf_free(tmp); nickname = baseName; } int count = 1; while (true) { if ( count > 1 ) { char *tmp = PR_smprintf("%s #%d", baseName.get(), count); if (!tmp) { nickname.Truncate(); return; } nickname = tmp; PR_smprintf_free(tmp); } CERTCertificate *dummycert = nsnull; CERTCertificateCleaner dummycertCleaner(dummycert); if (PK11_IsInternal(slot)) { /* look up the nickname to make sure it isn't in use already */ dummycert = CERT_FindCertByNickname(defaultcertdb, nickname.get()); } else { /* * Check the cert against others that already live on the smart * card. */ dummycert = PK11_FindCertFromNickname(nickname.get(), ctx); if (dummycert != NULL) { /* * Make sure the subject names are different. */ if (CERT_CompareName(&cert->subject, &dummycert->subject) == SECEqual) { /* * There is another certificate with the same nickname and * the same subject name on the smart card, so let's use this * nickname. */ CERT_DestroyCertificate(dummycert); dummycert = NULL; } } } if (!dummycert) break; count++; } }
nsresult nsNSSCertificate::FormatUIStrings(const nsAutoString &nickname, nsAutoString &nickWithSerial, nsAutoString &details) { if (!NS_IsMainThread()) { NS_ERROR("nsNSSCertificate::FormatUIStrings called off the main thread"); return NS_ERROR_NOT_SAME_THREAD; } nsresult rv = NS_OK; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv) || !nssComponent) { return NS_ERROR_FAILURE; } nsAutoString info; nsAutoString temp1; nickWithSerial.Append(nickname); if (NS_SUCCEEDED(nssComponent->GetPIPNSSBundleString("CertInfoIssuedFor", info))) { details.Append(info); details.Append(PRUnichar(' ')); if (NS_SUCCEEDED(GetSubjectName(temp1)) && !temp1.IsEmpty()) { details.Append(temp1); } details.Append(PRUnichar('\n')); } if (NS_SUCCEEDED(GetSerialNumber(temp1)) && !temp1.IsEmpty()) { details.AppendLiteral(" "); if (NS_SUCCEEDED(nssComponent->GetPIPNSSBundleString("CertDumpSerialNo", info))) { details.Append(info); details.AppendLiteral(": "); } details.Append(temp1); nickWithSerial.AppendLiteral(" ["); nickWithSerial.Append(temp1); nickWithSerial.Append(PRUnichar(']')); details.Append(PRUnichar('\n')); } nsCOMPtr<nsIX509CertValidity> validity; rv = GetValidity(getter_AddRefs(validity)); if (NS_SUCCEEDED(rv) && validity) { details.AppendLiteral(" "); if (NS_SUCCEEDED(nssComponent->GetPIPNSSBundleString("CertInfoValid", info))) { details.Append(info); } if (NS_SUCCEEDED(validity->GetNotBeforeLocalTime(temp1)) && !temp1.IsEmpty()) { details.Append(PRUnichar(' ')); if (NS_SUCCEEDED(nssComponent->GetPIPNSSBundleString("CertInfoFrom", info))) { details.Append(info); details.Append(PRUnichar(' ')); } details.Append(temp1); } if (NS_SUCCEEDED(validity->GetNotAfterLocalTime(temp1)) && !temp1.IsEmpty()) { details.Append(PRUnichar(' ')); if (NS_SUCCEEDED(nssComponent->GetPIPNSSBundleString("CertInfoTo", info))) { details.Append(info); details.Append(PRUnichar(' ')); } details.Append(temp1); } details.Append(PRUnichar('\n')); } if (NS_SUCCEEDED(GetKeyUsagesString(mCert, nssComponent, temp1)) && !temp1.IsEmpty()) { details.AppendLiteral(" "); if (NS_SUCCEEDED(nssComponent->GetPIPNSSBundleString("CertDumpKeyUsage", info))) { details.Append(info); details.AppendLiteral(": "); } details.Append(temp1); details.Append(PRUnichar('\n')); } nsAutoString firstEmail; const char *aWalkAddr; for (aWalkAddr = CERT_GetFirstEmailAddress(mCert) ; aWalkAddr ; aWalkAddr = CERT_GetNextEmailAddress(mCert, aWalkAddr)) { NS_ConvertUTF8toUTF16 email(aWalkAddr); if (email.IsEmpty()) continue; if (firstEmail.IsEmpty()) { /* * If the first email address from the subject DN is also present * in the subjectAltName extension, GetEmailAddresses() will return * it twice (as received from NSS). Remember the first address so that * we can filter out duplicates later on. */ firstEmail = email; details.AppendLiteral(" "); if (NS_SUCCEEDED(nssComponent->GetPIPNSSBundleString("CertInfoEmail", info))) { details.Append(info); details.AppendLiteral(": "); } details.Append(email); } else { // Append current address if it's different from the first one. if (!firstEmail.Equals(email)) { details.AppendLiteral(", "); details.Append(email); } } } if (!firstEmail.IsEmpty()) { // We got at least one email address, so we want a newline details.Append(PRUnichar('\n')); } if (NS_SUCCEEDED(nssComponent->GetPIPNSSBundleString("CertInfoIssuedBy", info))) { details.Append(info); details.Append(PRUnichar(' ')); if (NS_SUCCEEDED(GetIssuerName(temp1)) && !temp1.IsEmpty()) { details.Append(temp1); } details.Append(PRUnichar('\n')); } if (NS_SUCCEEDED(nssComponent->GetPIPNSSBundleString("CertInfoStoredIn", info))) { details.Append(info); details.Append(PRUnichar(' ')); if (NS_SUCCEEDED(GetTokenName(temp1)) && !temp1.IsEmpty()) { details.Append(temp1); } } /* the above produces the following output: Issued to: $subjectName Serial number: $serialNumber Valid from: $starting_date to $expiration_date Certificate Key usage: $usages Email: $address(es) Issued by: $issuerName Stored in: $token */ return rv; }
void nsPKCS12Blob::handleError(int myerr) { nsPSMUITracker tracker; if (tracker.isUIForbidden()) { return; } nsresult rv; int prerr = PORT_GetError(); PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("PKCS12: NSS/NSPR error(%d)", prerr)); PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("PKCS12: I called(%d)", myerr)); nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv)) return; nsCOMPtr<nsIPrompt> errPrompt; nsCOMPtr<nsIWindowWatcher> wwatch(do_GetService(NS_WINDOWWATCHER_CONTRACTID)); if (wwatch) { wwatch->GetNewPrompter(0, getter_AddRefs(errPrompt)); if (errPrompt) { nsCOMPtr<nsIPrompt> proxyPrompt; NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD, NS_GET_IID(nsIPrompt), errPrompt, NS_PROXY_SYNC, getter_AddRefs(proxyPrompt)); if (!proxyPrompt) return; } else { return; } } else { return; } nsAutoString errorMsg; switch (myerr) { case PIP_PKCS12_RESTORE_OK: rv = nssComponent->GetPIPNSSBundleString("SuccessfulP12Restore", errorMsg); if (NS_FAILED(rv)) return; errPrompt->Alert(nsnull, errorMsg.get()); return; case PIP_PKCS12_BACKUP_OK: rv = nssComponent->GetPIPNSSBundleString("SuccessfulP12Backup", errorMsg); if (NS_FAILED(rv)) return; errPrompt->Alert(nsnull, errorMsg.get()); return; case PIP_PKCS12_USER_CANCELED: return; /* Just ignore it for now */ case PIP_PKCS12_NOSMARTCARD_EXPORT: rv = nssComponent->GetPIPNSSBundleString("PKCS12InfoNoSmartcardBackup", errorMsg); if (NS_FAILED(rv)) return; errPrompt->Alert(nsnull, errorMsg.get()); return; case PIP_PKCS12_RESTORE_FAILED: rv = nssComponent->GetPIPNSSBundleString("PKCS12UnknownErrRestore", errorMsg); if (NS_FAILED(rv)) return; errPrompt->Alert(nsnull, errorMsg.get()); return; case PIP_PKCS12_BACKUP_FAILED: rv = nssComponent->GetPIPNSSBundleString("PKCS12UnknownErrBackup", errorMsg); if (NS_FAILED(rv)) return; errPrompt->Alert(nsnull, errorMsg.get()); return; case PIP_PKCS12_NSS_ERROR: switch (prerr) { // The following errors have the potential to be "handled", by asking // the user (via a dialog) whether s/he wishes to continue case 0: break; case SEC_ERROR_PKCS12_CERT_COLLISION: /* pop a dialog saying the cert is already in the database */ /* ask to keep going? what happens if one collision but others ok? */ // The following errors cannot be "handled", notify the user (via an alert) // that the operation failed. #if 0 // XXX a boy can dream... // but the PKCS12 lib never throws this error // but then again, how would it? anyway, convey the info below case SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT: rv = nssComponent->GetPIPNSSBundleString("PKCS12PasswordInvalid", errorMsg); if (NS_FAILED(rv)) return; errPrompt->Alert(nsnull, errorMsg.get()); break; #endif case SEC_ERROR_BAD_PASSWORD: rv = nssComponent->GetPIPNSSBundleString("PK11BadPassword", errorMsg); if (NS_FAILED(rv)) return; errPrompt->Alert(nsnull, errorMsg.get()); break; case SEC_ERROR_BAD_DER: case SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE: case SEC_ERROR_PKCS12_INVALID_MAC: rv = nssComponent->GetPIPNSSBundleString("PKCS12DecodeErr", errorMsg); if (NS_FAILED(rv)) return; errPrompt->Alert(nsnull, errorMsg.get()); break; case SEC_ERROR_PKCS12_DUPLICATE_DATA: rv = nssComponent->GetPIPNSSBundleString("PKCS12DupData", errorMsg); if (NS_FAILED(rv)) return; errPrompt->Alert(nsnull, errorMsg.get()); break; default: rv = nssComponent->GetPIPNSSBundleString("PKCS12UnknownErr", errorMsg); if (NS_FAILED(rv)) return; errPrompt->Alert(nsnull, errorMsg.get()); } break; case 0: default: rv = nssComponent->GetPIPNSSBundleString("PKCS12UnknownErr", errorMsg); if (NS_FAILED(rv)) return; errPrompt->Alert(nsnull, errorMsg.get()); break; } }
char* PR_CALLBACK PK11PasswordPrompt(PK11SlotInfo* slot, PRBool retry, void* arg) { nsNSSShutDownPreventionLock locker; nsresult rv = NS_OK; PRUnichar *password = nsnull; PRBool value = PR_FALSE; nsIInterfaceRequestor *ir = static_cast<nsIInterfaceRequestor*>(arg); nsCOMPtr<nsIPrompt> proxyPrompt; /* TODO: Retry should generate a different dialog message */ /* if (retry) return nsnull; */ if (!ir) { nsCOMPtr<nsIWindowWatcher> wwatch(do_GetService(NS_WINDOWWATCHER_CONTRACTID)); if (!wwatch) return nsnull; nsCOMPtr<nsIPrompt> prompter; wwatch->GetNewPrompter(0, getter_AddRefs(prompter)); if (!prompter) return nsnull; NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD, NS_GET_IID(nsIPrompt), prompter, NS_PROXY_SYNC, getter_AddRefs(proxyPrompt)); if (!proxyPrompt) return nsnull; } else { // The interface requestor object may not be safe, so // proxy the call to get the nsIPrompt. nsCOMPtr<nsIInterfaceRequestor> proxiedCallbacks; NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD, NS_GET_IID(nsIInterfaceRequestor), ir, NS_PROXY_SYNC, getter_AddRefs(proxiedCallbacks)); // Get the desired interface nsCOMPtr<nsIPrompt> prompt(do_GetInterface(proxiedCallbacks)); if (!prompt) { NS_ASSERTION(PR_FALSE, "callbacks does not implement nsIPrompt"); return nsnull; } // Finally, get a proxy for the nsIPrompt NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD, NS_GET_IID(nsIPrompt), prompt, NS_PROXY_SYNC, getter_AddRefs(proxyPrompt)); } if (PK11_ProtectedAuthenticationPath(slot)) return ShowProtectedAuthPrompt(slot, ir); nsAutoString promptString; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv)) return nsnull; const PRUnichar* formatStrings[1] = { ToNewUnicode(NS_ConvertUTF8toUTF16(PK11_GetTokenName(slot))) }; rv = nssComponent->PIPBundleFormatStringFromName("CertPassPrompt", formatStrings, 1, promptString); nsMemory::Free(const_cast<PRUnichar*>(formatStrings[0])); if (NS_FAILED(rv)) return nsnull; { nsPSMUITracker tracker; if (tracker.isUIForbidden()) { rv = NS_ERROR_NOT_AVAILABLE; } else { rv = proxyPrompt->PromptPassword(nsnull, promptString.get(), &password, nsnull, nsnull, &value); } } if (NS_SUCCEEDED(rv) && value) { char* str = ToNewUTF8String(nsDependentString(password)); NS_Free(password); return str; } return nsnull; }