SECStatus
SEC_DeletePermCertificate(CERTCertificate *cert)
{
PRStatus nssrv;
NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
NSSCertificate *c = STAN_GetNSSCertificate(cert);
if (c == NULL) {
/* error code is set */
return SECFailure;
}
/* get rid of the token instances */
nssrv = NSSCertificate_DeleteStoredObject(c, NULL);
/* get rid of the cache entry */
nssTrustDomain_LockCertCache(td);
nssTrustDomain_RemoveCertFromCacheLOCKED(td, c);
nssTrustDomain_UnlockCertCache(td);
return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
}
CERTCertificate *
CERT_FindCertByNickname(CERTCertDBHandle *handle, const char *nickname)
{
NSSCryptoContext *cc;
NSSCertificate *c, *ct;
CERTCertificate *cert;
NSSUsage usage;
usage.anyUsage = PR_TRUE;
cc = STAN_GetDefaultCryptoContext();
ct = NSSCryptoContext_FindBestCertificateByNickname(cc, nickname, NULL,
&usage, NULL);
cert = PK11_FindCertFromNickname(nickname, NULL);
c = NULL;
if (cert) {
c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
CERT_DestroyCertificate(cert);
if (ct) {
CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
}
} else {
c = ct;
}
return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
}
SECStatus
SEC_DeletePermCertificate(CERTCertificate *cert)
{
PRStatus nssrv;
NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
NSSCertificate *c = STAN_GetNSSCertificate(cert);
CERTCertTrust *certTrust;
if (c == NULL) {
/* error code is set */
return SECFailure;
}
certTrust = nssTrust_GetCERTCertTrustForCert(c, cert);
if (certTrust) {
NSSTrust *nssTrust = nssTrustDomain_FindTrustForCertificate(td, c);
if (nssTrust) {
nssrv = STAN_DeleteCertTrustMatchingSlot(c);
if (nssrv != PR_SUCCESS) {
CERT_MapStanError();
}
/* This call always returns PR_SUCCESS! */
(void)nssTrust_Destroy(nssTrust);
}
}
/* get rid of the token instances */
nssrv = NSSCertificate_DeleteStoredObject(c, NULL);
/* get rid of the cache entry */
nssTrustDomain_LockCertCache(td);
nssTrustDomain_RemoveCertFromCacheLOCKED(td, c);
nssTrustDomain_UnlockCertCache(td);
return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
}
CERTCertificate *
CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name)
{
NSSCryptoContext *cc;
NSSCertificate *c, *ct;
CERTCertificate *cert;
NSSUsage usage;
if (NULL == name) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
usage.anyUsage = PR_TRUE;
cc = STAN_GetDefaultCryptoContext();
ct = NSSCryptoContext_FindBestCertificateByNickname(cc, name,
NULL, &usage, NULL);
if (!ct && PORT_Strchr(name, '@') != NULL) {
char* lowercaseName = CERT_FixupEmailAddr(name);
if (lowercaseName) {
ct = NSSCryptoContext_FindBestCertificateByEmail(cc, lowercaseName,
NULL, &usage, NULL);
PORT_Free(lowercaseName);
}
}
cert = PK11_FindCertFromNickname(name, NULL);
if (cert) {
c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
CERT_DestroyCertificate(cert);
if (ct) {
CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
}
} else {
c = ct;
}
return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
}
CERTCertificateList *
CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
PRBool includeRoot)
{
CERTCertificateList *chain = NULL;
NSSCertificate **stanChain;
NSSCertificate *stanCert;
PRArenaPool *arena;
NSSUsage nssUsage;
int i, len;
NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
NSSCryptoContext *cc = STAN_GetDefaultCryptoContext();
stanCert = STAN_GetNSSCertificate(cert);
if (!stanCert) {
/* error code is set */
return NULL;
}
nssUsage.anyUsage = PR_FALSE;
nssUsage.nss3usage = usage;
nssUsage.nss3lookingForCA = PR_FALSE;
stanChain = NSSCertificate_BuildChain(stanCert, NULL, &nssUsage, NULL, NULL,
CERT_MAX_CERT_CHAIN, NULL, NULL, td, cc);
if (!stanChain) {
PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
return NULL;
}
len = 0;
stanCert = stanChain[0];
while (stanCert) {
stanCert = stanChain[++len];
}
arena = PORT_NewArena(4096);
if (arena == NULL) {
goto loser;
}
chain = (CERTCertificateList *)PORT_ArenaAlloc(arena,
sizeof(CERTCertificateList));
if (!chain) goto loser;
chain->certs = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
if (!chain->certs) goto loser;
i = 0;
stanCert = stanChain[i];
while (stanCert) {
SECItem derCert;
CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert);
if (!cCert) {
goto loser;
}
derCert.len = (unsigned int)stanCert->encoding.size;
derCert.data = (unsigned char *)stanCert->encoding.data;
derCert.type = siBuffer;
SECITEM_CopyItem(arena, &chain->certs[i], &derCert);
stanCert = stanChain[++i];
if (!stanCert && !cCert->isRoot) {
/* reached the end of the chain, but the final cert is
* not a root. Don't discard it.
*/
includeRoot = PR_TRUE;
}
CERT_DestroyCertificate(cCert);
}
if ( !includeRoot && len > 1) {
chain->len = len - 1;
} else {
chain->len = len;
}
chain->arena = arena;
nss_ZFreeIf(stanChain);
return chain;
loser:
i = 0;
stanCert = stanChain[i];
while (stanCert) {
CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert);
if (cCert) {
CERT_DestroyCertificate(cCert);
}
stanCert = stanChain[++i];
}
nss_ZFreeIf(stanChain);
if (arena) {
PORT_FreeArena(arena, PR_FALSE);
}
return NULL;
}
NSS_EXTERN PRStatus
STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
{
PRStatus nssrv;
NSSCertificate *c = STAN_GetNSSCertificate(cc);
NSSToken *tok;
NSSTrustDomain *td;
NSSTrust *nssTrust;
NSSArena *arena;
CERTCertTrust *oldTrust;
CERTCertTrust *newTrust;
nssListIterator *tokens;
PRBool moving_object;
nssCryptokiObject *newInstance;
nssPKIObject *pkiob;
if (c == NULL) {
return PR_FAILURE;
}
oldTrust = nssTrust_GetCERTCertTrustForCert(c, cc);
if (oldTrust) {
if (memcmp(oldTrust, trust, sizeof (CERTCertTrust)) == 0) {
/* ... and the new trust is no different, done) */
return PR_SUCCESS;
} else {
/* take over memory already allocated in cc's arena */
newTrust = oldTrust;
}
} else {
newTrust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
}
memcpy(newTrust, trust, sizeof(CERTCertTrust));
CERT_LockCertTrust(cc);
cc->trust = newTrust;
CERT_UnlockCertTrust(cc);
/* Set the NSSCerticate's trust */
arena = nssArena_Create();
if (!arena) return PR_FAILURE;
nssTrust = nss_ZNEW(arena, NSSTrust);
if (!nssTrust) {
nssArena_Destroy(arena);
return PR_FAILURE;
}
pkiob = nssPKIObject_Create(arena, NULL, cc->dbhandle, NULL, nssPKILock);
if (!pkiob) {
nssArena_Destroy(arena);
return PR_FAILURE;
}
nssTrust->object = *pkiob;
nssTrust->certificate = c;
nssTrust->serverAuth = get_stan_trust(trust->sslFlags, PR_FALSE);
nssTrust->clientAuth = get_stan_trust(trust->sslFlags, PR_TRUE);
nssTrust->emailProtection = get_stan_trust(trust->emailFlags, PR_FALSE);
nssTrust->codeSigning = get_stan_trust(trust->objectSigningFlags, PR_FALSE);
nssTrust->stepUpApproved =
(PRBool)(trust->sslFlags & CERTDB_GOVT_APPROVED_CA);
if (c->object.cryptoContext != NULL) {
/* The cert is in a context, set the trust there */
NSSCryptoContext *cc = c->object.cryptoContext;
nssrv = nssCryptoContext_ImportTrust(cc, nssTrust);
if (nssrv != PR_SUCCESS) {
goto done;
}
if (c->object.numInstances == 0) {
/* The context is the only instance, finished */
goto done;
}
}
td = STAN_GetDefaultTrustDomain();
tok = stan_GetTrustToken(c);
moving_object = PR_FALSE;
if (tok && PK11_IsReadOnly(tok->pk11slot)) {
NSSRWLock_LockRead(td->tokensLock);
tokens = nssList_CreateIterator(td->tokenList);
if (!tokens) {
nssrv = PR_FAILURE;
NSSRWLock_UnlockRead(td->tokensLock);
goto done;
}
for (tok = (NSSToken *)nssListIterator_Start(tokens);
tok != (NSSToken *)NULL;
tok = (NSSToken *)nssListIterator_Next(tokens))
{
if (!PK11_IsReadOnly(tok->pk11slot)) break;
}
nssListIterator_Finish(tokens);
nssListIterator_Destroy(tokens);
NSSRWLock_UnlockRead(td->tokensLock);
moving_object = PR_TRUE;
}
if (tok) {
if (moving_object) {
/* this is kind of hacky. the softoken needs the cert
* object in order to store trust. forcing it to be perm
*/
NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
NSSASCII7 *email = NULL;
if (PK11_IsInternal(tok->pk11slot)) {
email = c->email;
}
newInstance = nssToken_ImportCertificate(tok, NULL,
NSSCertificateType_PKIX,
&c->id,
nickname,
&c->encoding,
&c->issuer,
&c->subject,
&c->serial,
email,
PR_TRUE);
nss_ZFreeIf(nickname);
nickname = NULL;
if (!newInstance) {
nssrv = PR_FAILURE;
goto done;
}
nssPKIObject_AddInstance(&c->object, newInstance);
}
newInstance = nssToken_ImportTrust(tok, NULL, &c->encoding,
&c->issuer, &c->serial,
nssTrust->serverAuth,
nssTrust->clientAuth,
nssTrust->codeSigning,
nssTrust->emailProtection,
nssTrust->stepUpApproved, PR_TRUE);
/* If the selected token can't handle trust, dump the trust on
* the internal token */
if (!newInstance && !PK11_IsInternalKeySlot(tok->pk11slot)) {
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
NSSASCII7 *email = c->email;
tok = PK11Slot_GetNSSToken(slot);
PK11_FreeSlot(slot);
newInstance = nssToken_ImportCertificate(tok, NULL,
NSSCertificateType_PKIX,
&c->id,
nickname,
&c->encoding,
&c->issuer,
&c->subject,
&c->serial,
email,
PR_TRUE);
nss_ZFreeIf(nickname);
nickname = NULL;
if (!newInstance) {
nssrv = PR_FAILURE;
goto done;
}
nssPKIObject_AddInstance(&c->object, newInstance);
newInstance = nssToken_ImportTrust(tok, NULL, &c->encoding,
&c->issuer, &c->serial,
nssTrust->serverAuth,
nssTrust->clientAuth,
nssTrust->codeSigning,
nssTrust->emailProtection,
nssTrust->stepUpApproved, PR_TRUE);
}
if (newInstance) {
nssCryptokiObject_Destroy(newInstance);
nssrv = PR_SUCCESS;
} else {
nssrv = PR_FAILURE;
}
} else {
nssrv = PR_FAILURE;
}
done:
(void)nssTrust_Destroy(nssTrust);
return nssrv;
}
SECStatus
certdb_SaveSingleProfile(CERTCertificate *cert, const char *emailAddr,
SECItem *emailProfile, SECItem *profileTime)
{
PRTime oldtime;
PRTime newtime;
SECStatus rv = SECFailure;
PRBool saveit;
SECItem oldprof, oldproftime;
SECItem *oldProfile = NULL;
SECItem *oldProfileTime = NULL;
PK11SlotInfo *slot = NULL;
NSSCertificate *c;
NSSCryptoContext *cc;
nssSMIMEProfile *stanProfile = NULL;
PRBool freeOldProfile = PR_FALSE;
c = STAN_GetNSSCertificate(cert);
if (!c)
return SECFailure;
cc = c->object.cryptoContext;
if (cc != NULL) {
stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
if (stanProfile) {
PORT_Assert(stanProfile->profileData);
SECITEM_FROM_NSSITEM(&oldprof, stanProfile->profileData);
oldProfile = &oldprof;
SECITEM_FROM_NSSITEM(&oldproftime, stanProfile->profileTime);
oldProfileTime = &oldproftime;
}
} else {
oldProfile = PK11_FindSMimeProfile(&slot, (char *)emailAddr,
&cert->derSubject, &oldProfileTime);
freeOldProfile = PR_TRUE;
}
saveit = PR_FALSE;
/* both profileTime and emailProfile have to exist or not exist */
if (emailProfile == NULL) {
profileTime = NULL;
} else if (profileTime == NULL) {
emailProfile = NULL;
}
if (oldProfileTime == NULL) {
saveit = PR_TRUE;
} else {
/* there was already a profile for this email addr */
if (profileTime) {
/* we have an old and new profile - save whichever is more recent*/
if (oldProfileTime->len == 0) {
/* always replace if old entry doesn't have a time */
oldtime = LL_MININT;
} else {
rv = DER_UTCTimeToTime(&oldtime, oldProfileTime);
if (rv != SECSuccess) {
goto loser;
}
}
rv = DER_UTCTimeToTime(&newtime, profileTime);
if (rv != SECSuccess) {
goto loser;
}
if (LL_CMP(newtime, >, oldtime)) {
/* this is a newer profile, save it and cert */
saveit = PR_TRUE;
}
} else {
saveit = PR_TRUE;
}
}
static CERTCertificate *
common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
const char *name, PRBool anyUsage,
SECCertUsage lookingForUsage)
{
NSSCryptoContext *cc;
NSSCertificate *c, *ct;
CERTCertificate *cert = NULL;
NSSUsage usage;
CERTCertList *certlist;
if (NULL == name) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
usage.anyUsage = anyUsage;
if (!anyUsage) {
usage.nss3lookingForCA = PR_FALSE;
usage.nss3usage = lookingForUsage;
}
cc = STAN_GetDefaultCryptoContext();
ct = NSSCryptoContext_FindBestCertificateByNickname(cc, name, NULL, &usage,
NULL);
if (!ct && PORT_Strchr(name, '@') != NULL) {
char *lowercaseName = CERT_FixupEmailAddr(name);
if (lowercaseName) {
ct = NSSCryptoContext_FindBestCertificateByEmail(
cc, lowercaseName, NULL, &usage, NULL);
PORT_Free(lowercaseName);
}
}
if (anyUsage) {
cert = PK11_FindCertFromNickname(name, NULL);
} else {
if (ct) {
/* Does ct really have the required usage? */
nssDecodedCert *dc;
dc = nssCertificate_GetDecoding(ct);
if (!dc->matchUsage(dc, &usage)) {
CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
ct = NULL;
}
}
certlist = PK11_FindCertsFromNickname(name, NULL);
if (certlist) {
SECStatus rv =
CERT_FilterCertListByUsage(certlist, lookingForUsage, PR_FALSE);
if (SECSuccess == rv &&
!CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist)) {
cert = CERT_DupCertificate(CERT_LIST_HEAD(certlist)->cert);
}
CERT_DestroyCertList(certlist);
}
}
if (cert) {
c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
CERT_DestroyCertificate(cert);
if (ct) {
CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
}
} else {
c = ct;
}
return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
}
SECStatus
__CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
CERTCertTrust *trust)
{
NSSUTF8 *stanNick;
PK11SlotInfo *slot;
NSSToken *internal;
NSSCryptoContext *context;
nssCryptokiObject *permInstance;
NSSCertificate *c = STAN_GetNSSCertificate(cert);
nssCertificateStoreTrace lockTrace = { NULL, NULL, PR_FALSE, PR_FALSE };
nssCertificateStoreTrace unlockTrace = { NULL, NULL, PR_FALSE, PR_FALSE };
SECStatus rv;
PRStatus ret;
if (c == NULL) {
CERT_MapStanError();
return SECFailure;
}
context = c->object.cryptoContext;
if (!context) {
PORT_SetError(SEC_ERROR_ADDING_CERT);
return SECFailure; /* wasn't a temp cert */
}
stanNick = nssCertificate_GetNickname(c, NULL);
if (stanNick && nickname && strcmp(nickname, stanNick) != 0) {
/* different: take the new nickname */
cert->nickname = NULL;
nss_ZFreeIf(stanNick);
stanNick = NULL;
}
if (!stanNick && nickname) {
/* Either there was no nickname yet, or we have a new nickname */
stanNick = nssUTF8_Duplicate((NSSUTF8 *)nickname, NULL);
} /* else: old stanNick is identical to new nickname */
/* Delete the temp instance */
nssCertificateStore_Lock(context->certStore, &lockTrace);
nssCertificateStore_RemoveCertLOCKED(context->certStore, c);
nssCertificateStore_Unlock(context->certStore, &lockTrace, &unlockTrace);
c->object.cryptoContext = NULL;
/* Import the perm instance onto the internal token */
slot = PK11_GetInternalKeySlot();
internal = PK11Slot_GetNSSToken(slot);
permInstance = nssToken_ImportCertificate(
internal, NULL, NSSCertificateType_PKIX, &c->id, stanNick, &c->encoding,
&c->issuer, &c->subject, &c->serial, cert->emailAddr, PR_TRUE);
nss_ZFreeIf(stanNick);
stanNick = NULL;
PK11_FreeSlot(slot);
if (!permInstance) {
if (NSS_GetError() == NSS_ERROR_INVALID_CERTIFICATE) {
PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
}
return SECFailure;
}
nssPKIObject_AddInstance(&c->object, permInstance);
nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
/* reset the CERTCertificate fields */
cert->nssCertificate = NULL;
cert = STAN_GetCERTCertificateOrRelease(c); /* should return same pointer */
if (!cert) {
CERT_MapStanError();
return SECFailure;
}
cert->istemp = PR_FALSE;
cert->isperm = PR_TRUE;
if (!trust) {
return SECSuccess;
}
ret = STAN_ChangeCertTrust(cert, trust);
rv = SECSuccess;
if (ret != PR_SUCCESS) {
rv = SECFailure;
CERT_MapStanError();
}
return rv;
}
