/* BEWARE: This function gets called for both client and server SIDs !!
* If the unreferenced sid is not in the cache, Free sid and its contents.
*/
static void
ssl_DestroySID(sslSessionID *sid)
{
SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
PORT_Assert((sid->references == 0));
if (sid->cached == in_client_cache)
return; /* it will get taken care of next time cache is traversed. */
if (sid->version < SSL_LIBRARY_VERSION_3_0) {
SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
}
if (sid->peerID != NULL)
PORT_Free((void *)sid->peerID); /* CONST */
if (sid->urlSvrName != NULL)
PORT_Free((void *)sid->urlSvrName); /* CONST */
if ( sid->peerCert ) {
CERT_DestroyCertificate(sid->peerCert);
}
if ( sid->localCert ) {
CERT_DestroyCertificate(sid->localCert);
}
if (sid->u.ssl3.sessionTicket.ticket.data) {
SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
}
PORT_ZFree(sid, sizeof(sslSessionID));
}
SECStatus
CMMF_DestroyCertRepContent(CMMFCertRepContent *inCertRepContent)
{
PORT_Assert(inCertRepContent != NULL);
if (inCertRepContent != NULL) {
CMMFCertResponse **pResponse = inCertRepContent->response;
if (pResponse != NULL) {
for (; *pResponse != NULL; pResponse++) {
CMMFCertifiedKeyPair *certKeyPair = (*pResponse)->certifiedKeyPair;
/* XXX Why not call CMMF_DestroyCertifiedKeyPair or
** XXX cmmf_DestroyCertOrEncCert ?
*/
if (certKeyPair != NULL &&
certKeyPair->certOrEncCert.choice == cmmfCertificate &&
certKeyPair->certOrEncCert.cert.certificate != NULL) {
CERT_DestroyCertificate(certKeyPair->certOrEncCert.cert.certificate);
certKeyPair->certOrEncCert.cert.certificate = NULL;
}
}
}
if (inCertRepContent->caPubs) {
CERTCertificate **caPubs = inCertRepContent->caPubs;
for (; *caPubs; ++caPubs) {
CERT_DestroyCertificate(*caPubs);
*caPubs = NULL;
}
}
if (inCertRepContent->poolp != NULL) {
PORT_FreeArena(inCertRepContent->poolp, PR_TRUE);
}
}
return SECSuccess;
}
/**
*
* Check that the Peer certificate's issuer certificate matches the one found
* by issuer_nickname. This is not exactly the way OpenSSL and GNU TLS do the
* issuer check, so we provide comments that mimic the OpenSSL
* X509_check_issued function (in x509v3/v3_purp.c)
*/
static SECStatus check_issuer_cert(PRFileDesc *sock,
char *issuer_nickname)
{
CERTCertificate *cert,*cert_issuer,*issuer;
SECStatus res=SECSuccess;
void *proto_win = NULL;
/*
PRArenaPool *tmpArena = NULL;
CERTAuthKeyID *authorityKeyID = NULL;
SECITEM *caname = NULL;
*/
cert = SSL_PeerCertificate(sock);
cert_issuer = CERT_FindCertIssuer(cert,PR_Now(),certUsageObjectSigner);
proto_win = SSL_RevealPinArg(sock);
issuer = PK11_FindCertFromNickname(issuer_nickname, proto_win);
if((!cert_issuer) || (!issuer))
res = SECFailure;
else if(SECITEM_CompareItem(&cert_issuer->derCert,
&issuer->derCert)!=SECEqual)
res = SECFailure;
CERT_DestroyCertificate(cert);
CERT_DestroyCertificate(issuer);
CERT_DestroyCertificate(cert_issuer);
return res;
}
/* Reset sec back to its initial state.
** Caller holds any relevant locks.
*/
void
ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset)
{
if (sec->localCert) {
CERT_DestroyCertificate(sec->localCert);
sec->localCert = NULL;
}
if (sec->peerCert) {
CERT_DestroyCertificate(sec->peerCert);
sec->peerCert = NULL;
}
if (sec->peerKey) {
SECKEY_DestroyPublicKey(sec->peerKey);
sec->peerKey = NULL;
}
/* cleanup the ci */
if (sec->ci.sid != NULL) {
ssl_FreeSID(sec->ci.sid);
}
PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space);
if (doMemset) {
memset(&sec->ci, 0, sizeof sec->ci);
}
}
/* BEWARE: This function gets called for both client and server SIDs !!
* If the unreferenced sid is not in the cache, Free sid and its contents.
*/
static void
ssl_DestroySID(sslSessionID *sid)
{
int i;
SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
PORT_Assert(sid->references == 0);
PORT_Assert(sid->cached != in_client_cache);
if (sid->version < SSL_LIBRARY_VERSION_3_0) {
SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
} else {
if (sid->u.ssl3.locked.sessionTicket.ticket.data) {
SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket,
PR_FALSE);
}
if (sid->u.ssl3.srvName.data) {
SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
}
if (sid->u.ssl3.originalHandshakeHash.data) {
SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
}
if (sid->u.ssl3.signedCertTimestamps.data) {
SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE);
}
if (sid->u.ssl3.lock) {
NSSRWLock_Destroy(sid->u.ssl3.lock);
}
}
if (sid->peerID != NULL)
PORT_Free((void *)sid->peerID); /* CONST */
if (sid->urlSvrName != NULL)
PORT_Free((void *)sid->urlSvrName); /* CONST */
if ( sid->peerCert ) {
CERT_DestroyCertificate(sid->peerCert);
}
for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
CERT_DestroyCertificate(sid->peerCertChain[i]);
}
if (sid->peerCertStatus.items) {
SECITEM_FreeArray(&sid->peerCertStatus, PR_FALSE);
}
if ( sid->localCert ) {
CERT_DestroyCertificate(sid->localCert);
}
PORT_ZFree(sid, sizeof(sslSessionID));
}
/* Reset sec back to its initial state.
** Caller holds any relevant locks.
*/
void
ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset)
{
/* Destroy MAC */
if (sec->hash && sec->hashcx) {
(*sec->hash->destroy)(sec->hashcx, PR_TRUE);
sec->hashcx = NULL;
sec->hash = NULL;
}
SECITEM_ZfreeItem(&sec->sendSecret, PR_FALSE);
SECITEM_ZfreeItem(&sec->rcvSecret, PR_FALSE);
/* Destroy ciphers */
if (sec->destroy) {
(*sec->destroy)(sec->readcx, PR_TRUE);
(*sec->destroy)(sec->writecx, PR_TRUE);
sec->readcx = NULL;
sec->writecx = NULL;
} else {
PORT_Assert(sec->readcx == 0);
PORT_Assert(sec->writecx == 0);
}
sec->readcx = 0;
sec->writecx = 0;
if (sec->localCert) {
CERT_DestroyCertificate(sec->localCert);
sec->localCert = NULL;
}
if (sec->peerCert) {
CERT_DestroyCertificate(sec->peerCert);
sec->peerCert = NULL;
}
if (sec->peerKey) {
SECKEY_DestroyPublicKey(sec->peerKey);
sec->peerKey = NULL;
}
/* cleanup the ci */
if (sec->ci.sid != NULL) {
ssl_FreeSID(sec->ci.sid);
}
PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space);
if (doMemset) {
memset(&sec->ci, 0, sizeof sec->ci);
}
}
static CERTCertificate *
FindSigningCert(CERTCertDBHandle *certHandle, CERTSignedCrl *signCrl,
char *certNickName)
{
CERTCertificate *cert = NULL, *certTemp = NULL;
SECStatus rv = SECFailure;
CERTAuthKeyID *authorityKeyID = NULL;
SECItem *subject = NULL;
PORT_Assert(certHandle != NULL);
if (!certHandle || (!signCrl && !certNickName)) {
SECU_PrintError(progName, "invalid args for function "
"FindSigningCert \n");
return NULL;
}
if (signCrl) {
#if 0
authorityKeyID = SECU_FindCRLAuthKeyIDExten(tmpArena, scrl);
#endif
subject = &signCrl->crl.derName;
} else {
certTemp = CERT_FindCertByNickname(certHandle, certNickName);
if (!certTemp) {
SECU_PrintError(progName, "could not find certificate \"%s\" "
"in database",
certNickName);
goto loser;
}
subject = &certTemp->derSubject;
}
cert = SECU_FindCrlIssuer(certHandle, subject, authorityKeyID, PR_Now());
if (!cert) {
SECU_PrintError(progName, "could not find signing certificate "
"in database");
goto loser;
} else {
rv = SECSuccess;
}
loser:
if (certTemp)
CERT_DestroyCertificate(certTemp);
if (cert && rv != SECSuccess)
CERT_DestroyCertificate(cert);
return cert;
}
static SECStatus nss_bad_cert_cb(void *arg, PRFileDesc *fd) {
struct tls_connection *conn = arg;
SECStatus res = SECSuccess;
PRErrorCode err;
CERTCertificate *cert;
char *subject, *issuer;
err = PR_GetError();
if (IS_SEC_ERROR(err))
wpa_printf(MSG_DEBUG, "NSS: Bad Server Certificate (sec err "
"%d)", err - SEC_ERROR_BASE);
else
wpa_printf(MSG_DEBUG, "NSS: Bad Server Certificate (err %d)",
err);
cert = SSL_PeerCertificate(fd);
subject = CERT_NameToAscii(&cert->subject);
issuer = CERT_NameToAscii(&cert->issuer);
wpa_printf(MSG_DEBUG, "NSS: Peer certificate subject='%s' issuer='%s'",
subject, issuer);
CERT_DestroyCertificate(cert);
PR_Free(subject);
PR_Free(issuer);
if (conn->verify_peer)
res = SECFailure;
return res;
}
SECStatus TransportLayerDtls::GetClientAuthDataHook(void *arg, PRFileDesc *fd,
CERTDistNames *caNames,
CERTCertificate **pRetCert,
SECKEYPrivateKey **pRetKey) {
MOZ_MTLOG(ML_DEBUG, "Server requested client auth");
TransportLayerDtls *stream = reinterpret_cast<TransportLayerDtls *>(arg);
stream->CheckThread();
if (!stream->identity_) {
MOZ_MTLOG(ML_ERROR, "No identity available");
PR_SetError(SSL_ERROR_NO_CERTIFICATE, 0);
return SECFailure;
}
*pRetCert = CERT_DupCertificate(stream->identity_->cert());
if (!*pRetCert) {
PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
return SECFailure;
}
*pRetKey = SECKEY_CopyPrivateKey(stream->identity_->privkey());
if (!*pRetKey) {
CERT_DestroyCertificate(*pRetCert);
*pRetCert = nullptr;
PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
return SECFailure;
}
return SECSuccess;
}
/*
* Host name checking according to RFC 2595.
*/
static enum okay
nss_check_host(const char *server, struct sock *sp)
{
CERTCertificate *cert;
char *cn = NULL;
enum okay ok = STOP;
PRArenaPool *arena;
CERTGeneralName *gn;
SECItem altname;
CERTAltNameEncodedContext ec;
int i;
const SEC_ASN1Template gntempl[] = {
{ SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
};
if ((cert = SSL_PeerCertificate(sp->s_prfd)) == NULL) {
fprintf(stderr, "no certificate from \"%s\"\n", server);
return STOP;
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
&altname) == SECSuccess &&
SEC_ASN1DecodeItem(arena, &ec, gntempl,
&altname) == SECSuccess &&
ec.encodedGenName != NULL) {
for (i = 0; ec.encodedGenName[i] != NULL; i++) {
gn = CERT_DecodeGeneralName(arena, ec.encodedGenName[i],
NULL);
if (gn->type == certDNSName) {
char *dn = ac_alloc(gn->name.other.len + 1);
memcpy(dn, gn->name.other.data,
gn->name.other.len);
dn[gn->name.other.len] = '\0';
if (verbose)
fprintf(stderr,
"Comparing DNS name: \"%s\"\n",
dn);
if (rfc2595_hostname_match(server, dn)
== OKAY) {
ac_free(dn);
goto out;
}
ac_free(dn);
}
}
}
if ((cn = CERT_GetCommonName(&cert->subject)) != NULL) {
if (verbose)
fprintf(stderr, "Comparing common name: \"%s\"\n", cn);
ok = rfc2595_hostname_match(server, cn);
}
if (ok == STOP)
fprintf(stderr, "host certificate does not match \"%s\"\n",
server);
out: if (cn)
PORT_Free(cn);
PORT_FreeArena(arena, PR_FALSE);
CERT_DestroyCertificate(cert);
return ok;
}
/**
* Loads the public key for the specified cert name from the NSS store.
*
* @param certData The DER-encoded X509 certificate to extract the key from.
* @param certDataSize The size of certData.
* @param publicKey Out parameter for the public key to use.
* @return CryptoX_Success on success, CryptoX_Error on error.
*/
CryptoX_Result
NSS_LoadPublicKey(const unsigned char *certData, unsigned int certDataSize,
SECKEYPublicKey **publicKey)
{
CERTCertificate * cert;
SECItem certDataItem = { siBuffer, (unsigned char*) certData, certDataSize };
if (!certData || !publicKey) {
return CryptoX_Error;
}
cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &certDataItem, NULL,
PR_FALSE, PR_TRUE);
/* Get the cert and embedded public key out of the database */
if (!cert) {
return CryptoX_Error;
}
*publicKey = CERT_ExtractPublicKey(cert);
CERT_DestroyCertificate(cert);
if (!*publicKey) {
return CryptoX_Error;
}
return CryptoX_Success;
}
static X509*
nss_get_cert(NSS_CTX *ctx, const char *s) {
X509 *x509 = NULL;
CERTCertificate *cert = NULL;
CALL_TRACE("nss_get_cert...\n");
if (ctx == NULL) {
NSSerr(NSS_F_GET_CERT, NSS_R_INVALID_ARGUMENT);
goto done;
}
if (!NSS_IsInitialized()) {
NSSerr(NSS_F_GET_CERT, NSS_R_DB_IS_NOT_INITIALIZED);
goto done;
}
nss_debug(ctx, "search certificate '%s'", s);
cert = PK11_FindCertFromNickname(s, NULL);
nss_trace(ctx, "found certificate mem='%p'", cert);
if (cert == NULL) goto done;
x509 = X509_from_CERTCertificate(cert);
done:
if (cert) CERT_DestroyCertificate(cert);
nss_debug(ctx, "certificate %s", (x509 ? "found": "not found"));
return(x509);
}
/* Returns NULL if "encoding" cannot be decoded. */
NSS_IMPLEMENT nssDecodedCert *
nssDecodedPKIXCertificate_Create (
NSSArena *arenaOpt,
NSSDER *encoding
)
{
nssDecodedCert *rvDC = NULL;
CERTCertificate *cert;
SECItem secDER;
SECITEM_FROM_NSSITEM(&secDER, encoding);
cert = CERT_DecodeDERCertificate(&secDER, PR_TRUE, NULL);
if (cert) {
rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
if (rvDC) {
rvDC->type = NSSCertificateType_PKIX;
rvDC->data = (void *)cert;
rvDC->getIdentifier = nss3certificate_getIdentifier;
rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
rvDC->matchIdentifier = nss3certificate_matchIdentifier;
rvDC->isValidIssuer = nss3certificate_isValidIssuer;
rvDC->getUsage = nss3certificate_getUsage;
rvDC->isValidAtTime = nss3certificate_isValidAtTime;
rvDC->isNewerThan = nss3certificate_isNewerThan;
rvDC->matchUsage = nss3certificate_matchUsage;
rvDC->isTrustedForUsage = nss3certificate_isTrustedForUsage;
rvDC->getEmailAddress = nss3certificate_getEmailAddress;
rvDC->getDERSerialNumber = nss3certificate_getDERSerialNumber;
} else {
CERT_DestroyCertificate(cert);
}
}
return rvDC;
}
static SECStatus
ssl_PopulateServerCert(sslServerCert *sc, CERTCertificate *cert,
const CERTCertificateList *certChain)
{
if (sc->serverCert) {
CERT_DestroyCertificate(sc->serverCert);
}
if (sc->serverCertChain) {
CERT_DestroyCertificateList(sc->serverCertChain);
}
if (!cert) {
sc->serverCert = NULL;
sc->serverCertChain = NULL;
return SECSuccess;
}
sc->serverCert = CERT_DupCertificate(cert);
if (certChain) {
sc->serverCertChain = CERT_DupCertList(certChain);
} else {
sc->serverCertChain =
CERT_CertChainFromCert(sc->serverCert, certUsageSSLServer,
PR_TRUE);
}
return sc->serverCertChain ? SECSuccess : SECFailure;
}
/*
* SecCmsSignerInfoDestroy - destroy a SignerInfo data structure
*/
void
SecCmsSignerInfoDestroy(SecCmsSignerInfoRef si)
{
if (si->cert != NULL) {
dprintfRC("SecCmsSignerInfoDestroy top: certp %p cert.rc %d\n",
si->cert, (int)CFGetRetainCount(si->cert));
CERT_DestroyCertificate(si->cert);
}
if (si->certList != NULL) {
dprintfRC("SecCmsSignerInfoDestroy top: certList.rc %d\n",
(int)CFGetRetainCount(si->certList));
CFRelease(si->certList);
}
if (si->timestampCertList != NULL) {
dprintfRC("SecCmsSignerInfoDestroy top: timestampCertList.rc %d\n",
(int)CFGetRetainCount(si->timestampCertList));
CFRelease(si->timestampCertList);
}
if (si->hashAgilityAttrValue != NULL) {
dprintfRC("SecCmsSignerInfoDestroy top: hashAgilityAttrValue.rc %d\n",
(int)CFGetRetainCount(si->hashAgilityAttrValue));
CFRelease(si->hashAgilityAttrValue);
}
/* XXX storage ??? */
}
/* This invokes the "default" AuthCert handler in libssl.
** The only reason to use this one is that it prints out info as it goes.
*/
static SECStatus
mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
PRBool isServer)
{
SECStatus rv;
CERTCertificate * peerCert;
const SECItemArray *csa;
if (MakeCertOK>=2) {
return SECSuccess;
}
peerCert = SSL_PeerCertificate(fd);
PRINTF("strsclnt: Subject: %s\nstrsclnt: Issuer : %s\n",
peerCert->subjectName, peerCert->issuerName);
csa = SSL_PeerStapledOCSPResponses(fd);
if (csa) {
PRINTF("Received %d Cert Status items (OCSP stapled data)\n",
csa->len);
}
/* invoke the "default" AuthCert handler. */
rv = SSL_AuthCertificate(arg, fd, checkSig, isServer);
PR_ATOMIC_INCREMENT(&certsTested);
if (rv == SECSuccess) {
fputs("strsclnt: -- SSL: Server Certificate Validated.\n", stderr);
}
CERT_DestroyCertificate(peerCert);
/* error, if any, will be displayed by the Bad Cert Handler. */
return rv;
}
/*
* NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message
*/
SECStatus
NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd,
CERTCertDBHandle *certdb,
SECCertUsage usage)
{
CERTCertificate *cert;
SECStatus rv = SECSuccess;
int i;
int count;
PRTime now;
if (!sigd || !certdb || !sigd->rawCerts) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
count = NSS_CMSArray_Count((void**)sigd->rawCerts);
now = PR_Now();
for (i=0; i < count; i++) {
if (sigd->certs && sigd->certs[i]) {
cert = CERT_DupCertificate(sigd->certs[i]);
} else {
cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]);
if (!cert) {
rv = SECFailure;
break;
}
}
rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, now,
NULL, NULL);
CERT_DestroyCertificate(cert);
}
return rv;
}
int sxi_vcrypt_print_cert_info(sxc_client_t *sx, const char *file, int batch_mode)
{
struct PK11_ctx ctx;
CERTCertificate *cert = load_cert_file(sx, file, &ctx);
if(!cert) {
free_PK11_ctx(&ctx);
return -1;
}
if (cert && !batch_mode) {
char *subject = CERT_NameToAscii(&cert->subject);
char *issuer = CERT_NameToAscii(&cert->issuer);
char *common_name = CERT_GetCommonName(&cert->subject);
struct sxi_fmt fmt;
char hash[SXI_SHA1_TEXT_LEN+1];
sxi_fmt_start(&fmt);
sxi_fmt_msg(&fmt, "\tSubject: %s\n", subject);
sxi_fmt_msg(&fmt, "\tIssuer: %s\n", issuer);
if (!sxi_conns_hashcalc_core(sx, NULL, 0,
cert->derCert.data,
cert->derCert.len, hash)) {
sxi_fmt_msg(&fmt, "\tSHA1 Fingerprint: %s\n", hash);
}
sxi_info(sx, "%s", fmt.buf);
PR_Free(subject);
PR_Free(issuer);
PR_Free(common_name);
}
CERT_DestroyCertificate(cert);
free_PK11_ctx(&ctx);
return 0;
}
static void
trust_prompt_free_certificate (gpointer cert)
{
if (!cert)
return;
CERT_DestroyCertificate (cert);
}
/*
* Callback from SSL for checking certificate the peer (other end of
* the socket) presents.
*/
SECStatus
JSSL_DefaultCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig,
PRBool isServer)
{
char * hostname = NULL;
SECStatus rv = SECFailure;
SECCertUsage certUsage;
CERTCertificate *peerCert=NULL;
certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
/* SSL_PeerCertificate() returns a shallow copy of the cert, so we
must destroy it before we exit this function */
peerCert = SSL_PeerCertificate(fd);
if (peerCert) {
rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), peerCert,
checkSig, certUsage, NULL /*pinarg*/);
}
/* if we're a server, then we don't need to check the CN of the
certificate, so we can just return whatever returncode we
have now
*/
if ( rv != SECSuccess || isServer ) {
if (peerCert) CERT_DestroyCertificate(peerCert);
return (int)rv;
}
/* cert is OK. This is the client side of an SSL connection.
* Now check the name field in the cert against the desired hostname.
* NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
*/
hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */
if (hostname && hostname[0]) {
rv = CERT_VerifyCertName(peerCert, hostname);
PORT_Free(hostname);
} else
rv = SECFailure;
if (peerCert) CERT_DestroyCertificate(peerCert);
return rv;
}
static void
add_to_subject_list(CERTCertList *certList, CERTCertificate *cert,
PRBool validOnly, PRTime sorttime)
{
SECStatus secrv;
if (!validOnly ||
CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE) ==
secCertTimeValid) {
secrv = CERT_AddCertToListSorted(certList, cert, CERT_SortCBValidity,
(void *)&sorttime);
if (secrv != SECSuccess) {
CERT_DestroyCertificate(cert);
}
} else {
CERT_DestroyCertificate(cert);
}
}
static
int
__pkcs11h_crypto_nss_certificate_is_issuer (
IN void * const global_data,
IN const unsigned char * const issuer_blob,
IN const size_t issuer_blob_size,
IN const unsigned char * const cert_blob,
IN const size_t cert_blob_size
) {
PKCS11H_BOOL is_issuer = FALSE;
CERTCertificate *cert = NULL;
CERTCertificate *issuer = NULL;
(void)global_data;
/*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
_PKCS11H_ASSERT (issuer_blob!=NULL);
_PKCS11H_ASSERT (cert_blob!=NULL);
if ((issuer = CERT_DecodeCertFromPackage ((char *)issuer_blob, issuer_blob_size)) == NULL) {
goto cleanup;
}
if ((cert = CERT_DecodeCertFromPackage ((char *)cert_blob, cert_blob_size)) == NULL) {
goto cleanup;
}
is_issuer = CERT_VerifySignedDataWithPublicKeyInfo (
&cert->signatureWrap,
&issuer->subjectPublicKeyInfo,
NULL
) == SECSuccess;
cleanup:
if (cert != NULL) {
CERT_DestroyCertificate (cert);
}
if (issuer != NULL) {
CERT_DestroyCertificate (issuer);
}
return is_issuer;
}
/*
* FUNCTION: pkix_pl_OcspResponse_Destroy
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
*/
static PKIX_Error *
pkix_pl_OcspResponse_Destroy(
PKIX_PL_Object *object,
void *plContext)
{
PKIX_PL_OcspResponse *ocspRsp = NULL;
const SEC_HttpClientFcn *httpClient = NULL;
const SEC_HttpClientFcnV1 *hcv1 = NULL;
PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Destroy");
PKIX_NULLCHECK_ONE(object);
PKIX_CHECK(pkix_CheckType(object, PKIX_OCSPRESPONSE_TYPE, plContext),
PKIX_OBJECTNOTANOCSPRESPONSE);
ocspRsp = (PKIX_PL_OcspResponse *)object;
if (ocspRsp->nssOCSPResponse != NULL) {
CERT_DestroyOCSPResponse(ocspRsp->nssOCSPResponse);
ocspRsp->nssOCSPResponse = NULL;
}
if (ocspRsp->signerCert != NULL) {
CERT_DestroyCertificate(ocspRsp->signerCert);
ocspRsp->signerCert = NULL;
}
httpClient = (const SEC_HttpClientFcn *)(ocspRsp->httpClient);
if (httpClient && (httpClient->version == 1)) {
hcv1 = &(httpClient->fcnTable.ftable1);
if (ocspRsp->sessionRequest != NULL) {
(*hcv1->freeFcn)(ocspRsp->sessionRequest);
ocspRsp->sessionRequest = NULL;
}
if (ocspRsp->serverSession != NULL) {
(*hcv1->freeSessionFcn)(ocspRsp->serverSession);
ocspRsp->serverSession = NULL;
}
}
if (ocspRsp->arena != NULL) {
PORT_FreeArena(ocspRsp->arena, PR_FALSE);
ocspRsp->arena = NULL;
}
PKIX_DECREF(ocspRsp->producedAtDate);
PKIX_DECREF(ocspRsp->pkixSignerCert);
PKIX_DECREF(ocspRsp->request);
cleanup:
PKIX_RETURN(OCSPRESPONSE);
}
static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
{
SECStatus result = SECFailure;
struct connectdata *conn = (struct connectdata *)arg;
PRErrorCode err = PR_GetError();
CERTCertificate *cert = NULL;
char *subject, *subject_cn, *issuer;
conn->data->set.ssl.certverifyresult=err;
cert = SSL_PeerCertificate(sock);
subject = CERT_NameToAscii(&cert->subject);
subject_cn = CERT_GetCommonName(&cert->subject);
issuer = CERT_NameToAscii(&cert->issuer);
CERT_DestroyCertificate(cert);
switch(err) {
case SEC_ERROR_CA_CERT_INVALID:
infof(conn->data, "Issuer certificate is invalid: '%s'\n", issuer);
break;
case SEC_ERROR_UNTRUSTED_ISSUER:
infof(conn->data, "Certificate is signed by an untrusted issuer: '%s'\n",
issuer);
break;
case SSL_ERROR_BAD_CERT_DOMAIN:
if(conn->data->set.ssl.verifyhost) {
failf(conn->data, "SSL: certificate subject name '%s' does not match "
"target host name '%s'", subject_cn, conn->host.dispname);
}
else {
result = SECSuccess;
infof(conn->data, "warning: SSL: certificate subject name '%s' does not "
"match target host name '%s'\n", subject_cn, conn->host.dispname);
}
break;
case SEC_ERROR_EXPIRED_CERTIFICATE:
infof(conn->data, "Remote Certificate has expired.\n");
break;
case SEC_ERROR_UNKNOWN_ISSUER:
infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
issuer);
break;
default:
infof(conn->data, "Bad certificate received. Subject = '%s', "
"Issuer = '%s'\n", subject, issuer);
break;
}
if(result == SECSuccess)
infof(conn->data, "SSL certificate verify ok.\n");
PR_Free(subject);
PR_Free(subject_cn);
PR_Free(issuer);
return result;
}
int main(int argc, char **argv)
{
if (NSS_NoDB_Init(NULL) != SECSuccess) {
printf(" >>> NSS_NoDB_Init() failed.\n");
return 1;
}
if (argc < 3) {
printf(" >>> I need a DER encoded file to read and have to know what to do with it [decode, private]!\n");
return 1;
}
PRFileDesc* file = PR_Open(argv[1], PR_RDONLY, 0);
SECItem data = {0, NULL, 0};
if (SECU_ReadDERFromFile(&data, file, PR_FALSE, PR_FALSE) != SECSuccess) {
printf(" >>> SECU_ReadDERFromFile() failed.\n");
return 1;
}
PR_Close(file);
if (strcmp(argv[2], "decode") == 0) {
CERTCertificate *cert = CERT_DecodeCertFromPackage((char*)data.data, data.len);
if (cert){
printf(" >>> read cert!\n");
printf(" >>> SN: %s\n", cert->subjectName);
printf(" >>> IN: %s\n", cert->issuerName);
CERT_DestroyCertificate(cert);
} else {
printf(" >>> CERT_DecodeCertFromPackage failed.\n");
SECITEM_FreeItem(&data, PR_FALSE);
return 1;
}
}
if (argv[2] == "private") {
PK11SlotInfo* slot = PK11_GetInternalSlot();
if (!slot) {
printf(" >>> PK11_GetInternalSlot() failed.\n");
SECITEM_FreeItem(&data, PR_FALSE);
return 1;
}
SECKEYPrivateKey* privKey;
if (PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, &data, NULL, NULL, PR_FALSE, PR_FALSE, KU_ALL, &privKey, NULL) != SECSuccess) {
printf(" >>> PK11_ImportDERPrivateKeyInfoAndReturnKey() failed.\n");
SECITEM_FreeItem(&data, PR_FALSE);
return 1;
}
}
printf(" !!! Done.\n");
return 0;
}
/*
* NSS_CMSSignerInfo_Destroy - destroy a SignerInfo data structure
*/
void
NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si)
{
if (si->cert != NULL)
CERT_DestroyCertificate(si->cert);
if (si->certList != NULL)
CERT_DestroyCertificateList(si->certList);
/* XXX storage ??? */
}
static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
{
SECStatus success = SECSuccess;
struct connectdata *conn = (struct connectdata *)arg;
PRErrorCode err = PR_GetError();
CERTCertificate *cert = NULL;
char *subject, *issuer;
if(conn->data->set.ssl.certverifyresult!=0)
return success;
conn->data->set.ssl.certverifyresult=err;
cert = SSL_PeerCertificate(sock);
subject = CERT_NameToAscii(&cert->subject);
issuer = CERT_NameToAscii(&cert->issuer);
CERT_DestroyCertificate(cert);
switch(err) {
case SEC_ERROR_CA_CERT_INVALID:
infof(conn->data, "Issuer certificate is invalid: '%s'\n", issuer);
if(conn->data->set.ssl.verifypeer)
success = SECFailure;
break;
case SEC_ERROR_UNTRUSTED_ISSUER:
if(conn->data->set.ssl.verifypeer)
success = SECFailure;
infof(conn->data, "Certificate is signed by an untrusted issuer: '%s'\n",
issuer);
break;
case SSL_ERROR_BAD_CERT_DOMAIN:
if(conn->data->set.ssl.verifypeer)
success = SECFailure;
infof(conn->data, "common name: %s (does not match '%s')\n",
subject, conn->host.dispname);
break;
case SEC_ERROR_EXPIRED_CERTIFICATE:
if(conn->data->set.ssl.verifypeer)
success = SECFailure;
infof(conn->data, "Remote Certificate has expired.\n");
break;
default:
if(conn->data->set.ssl.verifypeer)
success = SECFailure;
infof(conn->data, "Bad certificate received. Subject = '%s', "
"Issuer = '%s'\n", subject, issuer);
break;
}
if(success == SECSuccess)
infof(conn->data, "SSL certificate verify ok.\n");
PR_Free(subject);
PR_Free(issuer);
return success;
}
CERTDistNames *
CERT_DistNamesFromNicknames(CERTCertDBHandle *handle, char **nicknames,
int nnames)
{
CERTDistNames *dnames = NULL;
PLArenaPool *arena;
int i, rv;
SECItem *names = NULL;
CERTCertificate *cert = NULL;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL)
goto loser;
dnames = PORT_ArenaZNew(arena, CERTDistNames);
if (dnames == NULL)
goto loser;
dnames->arena = arena;
dnames->nnames = nnames;
dnames->names = names = PORT_ArenaZNewArray(arena, SECItem, nnames);
if (names == NULL)
goto loser;
for (i = 0; i < nnames; i++) {
cert = CERT_FindCertByNicknameOrEmailAddr(handle, nicknames[i]);
if (cert == NULL)
goto loser;
rv = SECITEM_CopyItem(arena, &names[i], &cert->derSubject);
if (rv == SECFailure)
goto loser;
CERT_DestroyCertificate(cert);
}
return dnames;
loser:
if (cert != NULL)
CERT_DestroyCertificate(cert);
if (arena != NULL)
PORT_FreeArena(arena, PR_FALSE);
return NULL;
}
void
CryptoMac_FreeCertificate(CryptoX_Certificate* aCertificate)
{
if (!OnLionOrLater()) {
return CERT_DestroyCertificate((CERTCertificate*)*aCertificate);
}
if (!aCertificate || !*aCertificate) {
return;
}
CFRelease((SecKeyRef)*aCertificate);
}
CERTVerifyLogContentsCleaner::~CERTVerifyLogContentsCleaner()
{
if (!m_cvl)
return;
CERTVerifyLogNode *i_node;
for (i_node = m_cvl->head; i_node; i_node = i_node->next)
{
if (i_node->cert)
CERT_DestroyCertificate(i_node->cert);
}
}