/* BEWARE: This function gets called for both client and server SIDs !! * If the unreferenced sid is not in the cache, Free sid and its contents. */ static void ssl_DestroySID(sslSessionID *sid) { SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached)); PORT_Assert((sid->references == 0)); if (sid->cached == in_client_cache) return; /* it will get taken care of next time cache is traversed. */ if (sid->version < SSL_LIBRARY_VERSION_3_0) { SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE); SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE); } if (sid->peerID != NULL) PORT_Free((void *)sid->peerID); /* CONST */ if (sid->urlSvrName != NULL) PORT_Free((void *)sid->urlSvrName); /* CONST */ if ( sid->peerCert ) { CERT_DestroyCertificate(sid->peerCert); } if ( sid->localCert ) { CERT_DestroyCertificate(sid->localCert); } if (sid->u.ssl3.sessionTicket.ticket.data) { SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE); } PORT_ZFree(sid, sizeof(sslSessionID)); }
SECStatus CMMF_DestroyCertRepContent(CMMFCertRepContent *inCertRepContent) { PORT_Assert(inCertRepContent != NULL); if (inCertRepContent != NULL) { CMMFCertResponse **pResponse = inCertRepContent->response; if (pResponse != NULL) { for (; *pResponse != NULL; pResponse++) { CMMFCertifiedKeyPair *certKeyPair = (*pResponse)->certifiedKeyPair; /* XXX Why not call CMMF_DestroyCertifiedKeyPair or ** XXX cmmf_DestroyCertOrEncCert ? */ if (certKeyPair != NULL && certKeyPair->certOrEncCert.choice == cmmfCertificate && certKeyPair->certOrEncCert.cert.certificate != NULL) { CERT_DestroyCertificate(certKeyPair->certOrEncCert.cert.certificate); certKeyPair->certOrEncCert.cert.certificate = NULL; } } } if (inCertRepContent->caPubs) { CERTCertificate **caPubs = inCertRepContent->caPubs; for (; *caPubs; ++caPubs) { CERT_DestroyCertificate(*caPubs); *caPubs = NULL; } } if (inCertRepContent->poolp != NULL) { PORT_FreeArena(inCertRepContent->poolp, PR_TRUE); } } return SECSuccess; }
/** * * Check that the Peer certificate's issuer certificate matches the one found * by issuer_nickname. This is not exactly the way OpenSSL and GNU TLS do the * issuer check, so we provide comments that mimic the OpenSSL * X509_check_issued function (in x509v3/v3_purp.c) */ static SECStatus check_issuer_cert(PRFileDesc *sock, char *issuer_nickname) { CERTCertificate *cert,*cert_issuer,*issuer; SECStatus res=SECSuccess; void *proto_win = NULL; /* PRArenaPool *tmpArena = NULL; CERTAuthKeyID *authorityKeyID = NULL; SECITEM *caname = NULL; */ cert = SSL_PeerCertificate(sock); cert_issuer = CERT_FindCertIssuer(cert,PR_Now(),certUsageObjectSigner); proto_win = SSL_RevealPinArg(sock); issuer = PK11_FindCertFromNickname(issuer_nickname, proto_win); if((!cert_issuer) || (!issuer)) res = SECFailure; else if(SECITEM_CompareItem(&cert_issuer->derCert, &issuer->derCert)!=SECEqual) res = SECFailure; CERT_DestroyCertificate(cert); CERT_DestroyCertificate(issuer); CERT_DestroyCertificate(cert_issuer); return res; }
/* Reset sec back to its initial state. ** Caller holds any relevant locks. */ void ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset) { if (sec->localCert) { CERT_DestroyCertificate(sec->localCert); sec->localCert = NULL; } if (sec->peerCert) { CERT_DestroyCertificate(sec->peerCert); sec->peerCert = NULL; } if (sec->peerKey) { SECKEY_DestroyPublicKey(sec->peerKey); sec->peerKey = NULL; } /* cleanup the ci */ if (sec->ci.sid != NULL) { ssl_FreeSID(sec->ci.sid); } PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space); if (doMemset) { memset(&sec->ci, 0, sizeof sec->ci); } }
/* BEWARE: This function gets called for both client and server SIDs !! * If the unreferenced sid is not in the cache, Free sid and its contents. */ static void ssl_DestroySID(sslSessionID *sid) { int i; SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached)); PORT_Assert(sid->references == 0); PORT_Assert(sid->cached != in_client_cache); if (sid->version < SSL_LIBRARY_VERSION_3_0) { SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE); SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE); } else { if (sid->u.ssl3.locked.sessionTicket.ticket.data) { SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket, PR_FALSE); } if (sid->u.ssl3.srvName.data) { SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); } if (sid->u.ssl3.originalHandshakeHash.data) { SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); } if (sid->u.ssl3.signedCertTimestamps.data) { SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE); } if (sid->u.ssl3.lock) { NSSRWLock_Destroy(sid->u.ssl3.lock); } } if (sid->peerID != NULL) PORT_Free((void *)sid->peerID); /* CONST */ if (sid->urlSvrName != NULL) PORT_Free((void *)sid->urlSvrName); /* CONST */ if ( sid->peerCert ) { CERT_DestroyCertificate(sid->peerCert); } for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) { CERT_DestroyCertificate(sid->peerCertChain[i]); } if (sid->peerCertStatus.items) { SECITEM_FreeArray(&sid->peerCertStatus, PR_FALSE); } if ( sid->localCert ) { CERT_DestroyCertificate(sid->localCert); } PORT_ZFree(sid, sizeof(sslSessionID)); }
/* Reset sec back to its initial state. ** Caller holds any relevant locks. */ void ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset) { /* Destroy MAC */ if (sec->hash && sec->hashcx) { (*sec->hash->destroy)(sec->hashcx, PR_TRUE); sec->hashcx = NULL; sec->hash = NULL; } SECITEM_ZfreeItem(&sec->sendSecret, PR_FALSE); SECITEM_ZfreeItem(&sec->rcvSecret, PR_FALSE); /* Destroy ciphers */ if (sec->destroy) { (*sec->destroy)(sec->readcx, PR_TRUE); (*sec->destroy)(sec->writecx, PR_TRUE); sec->readcx = NULL; sec->writecx = NULL; } else { PORT_Assert(sec->readcx == 0); PORT_Assert(sec->writecx == 0); } sec->readcx = 0; sec->writecx = 0; if (sec->localCert) { CERT_DestroyCertificate(sec->localCert); sec->localCert = NULL; } if (sec->peerCert) { CERT_DestroyCertificate(sec->peerCert); sec->peerCert = NULL; } if (sec->peerKey) { SECKEY_DestroyPublicKey(sec->peerKey); sec->peerKey = NULL; } /* cleanup the ci */ if (sec->ci.sid != NULL) { ssl_FreeSID(sec->ci.sid); } PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space); if (doMemset) { memset(&sec->ci, 0, sizeof sec->ci); } }
static CERTCertificate * FindSigningCert(CERTCertDBHandle *certHandle, CERTSignedCrl *signCrl, char *certNickName) { CERTCertificate *cert = NULL, *certTemp = NULL; SECStatus rv = SECFailure; CERTAuthKeyID *authorityKeyID = NULL; SECItem *subject = NULL; PORT_Assert(certHandle != NULL); if (!certHandle || (!signCrl && !certNickName)) { SECU_PrintError(progName, "invalid args for function " "FindSigningCert \n"); return NULL; } if (signCrl) { #if 0 authorityKeyID = SECU_FindCRLAuthKeyIDExten(tmpArena, scrl); #endif subject = &signCrl->crl.derName; } else { certTemp = CERT_FindCertByNickname(certHandle, certNickName); if (!certTemp) { SECU_PrintError(progName, "could not find certificate \"%s\" " "in database", certNickName); goto loser; } subject = &certTemp->derSubject; } cert = SECU_FindCrlIssuer(certHandle, subject, authorityKeyID, PR_Now()); if (!cert) { SECU_PrintError(progName, "could not find signing certificate " "in database"); goto loser; } else { rv = SECSuccess; } loser: if (certTemp) CERT_DestroyCertificate(certTemp); if (cert && rv != SECSuccess) CERT_DestroyCertificate(cert); return cert; }
static SECStatus nss_bad_cert_cb(void *arg, PRFileDesc *fd) { struct tls_connection *conn = arg; SECStatus res = SECSuccess; PRErrorCode err; CERTCertificate *cert; char *subject, *issuer; err = PR_GetError(); if (IS_SEC_ERROR(err)) wpa_printf(MSG_DEBUG, "NSS: Bad Server Certificate (sec err " "%d)", err - SEC_ERROR_BASE); else wpa_printf(MSG_DEBUG, "NSS: Bad Server Certificate (err %d)", err); cert = SSL_PeerCertificate(fd); subject = CERT_NameToAscii(&cert->subject); issuer = CERT_NameToAscii(&cert->issuer); wpa_printf(MSG_DEBUG, "NSS: Peer certificate subject='%s' issuer='%s'", subject, issuer); CERT_DestroyCertificate(cert); PR_Free(subject); PR_Free(issuer); if (conn->verify_peer) res = SECFailure; return res; }
SECStatus TransportLayerDtls::GetClientAuthDataHook(void *arg, PRFileDesc *fd, CERTDistNames *caNames, CERTCertificate **pRetCert, SECKEYPrivateKey **pRetKey) { MOZ_MTLOG(ML_DEBUG, "Server requested client auth"); TransportLayerDtls *stream = reinterpret_cast<TransportLayerDtls *>(arg); stream->CheckThread(); if (!stream->identity_) { MOZ_MTLOG(ML_ERROR, "No identity available"); PR_SetError(SSL_ERROR_NO_CERTIFICATE, 0); return SECFailure; } *pRetCert = CERT_DupCertificate(stream->identity_->cert()); if (!*pRetCert) { PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0); return SECFailure; } *pRetKey = SECKEY_CopyPrivateKey(stream->identity_->privkey()); if (!*pRetKey) { CERT_DestroyCertificate(*pRetCert); *pRetCert = nullptr; PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0); return SECFailure; } return SECSuccess; }
/* * Host name checking according to RFC 2595. */ static enum okay nss_check_host(const char *server, struct sock *sp) { CERTCertificate *cert; char *cn = NULL; enum okay ok = STOP; PRArenaPool *arena; CERTGeneralName *gn; SECItem altname; CERTAltNameEncodedContext ec; int i; const SEC_ASN1Template gntempl[] = { { SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate } }; if ((cert = SSL_PeerCertificate(sp->s_prfd)) == NULL) { fprintf(stderr, "no certificate from \"%s\"\n", server); return STOP; } arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, &altname) == SECSuccess && SEC_ASN1DecodeItem(arena, &ec, gntempl, &altname) == SECSuccess && ec.encodedGenName != NULL) { for (i = 0; ec.encodedGenName[i] != NULL; i++) { gn = CERT_DecodeGeneralName(arena, ec.encodedGenName[i], NULL); if (gn->type == certDNSName) { char *dn = ac_alloc(gn->name.other.len + 1); memcpy(dn, gn->name.other.data, gn->name.other.len); dn[gn->name.other.len] = '\0'; if (verbose) fprintf(stderr, "Comparing DNS name: \"%s\"\n", dn); if (rfc2595_hostname_match(server, dn) == OKAY) { ac_free(dn); goto out; } ac_free(dn); } } } if ((cn = CERT_GetCommonName(&cert->subject)) != NULL) { if (verbose) fprintf(stderr, "Comparing common name: \"%s\"\n", cn); ok = rfc2595_hostname_match(server, cn); } if (ok == STOP) fprintf(stderr, "host certificate does not match \"%s\"\n", server); out: if (cn) PORT_Free(cn); PORT_FreeArena(arena, PR_FALSE); CERT_DestroyCertificate(cert); return ok; }
/** * Loads the public key for the specified cert name from the NSS store. * * @param certData The DER-encoded X509 certificate to extract the key from. * @param certDataSize The size of certData. * @param publicKey Out parameter for the public key to use. * @return CryptoX_Success on success, CryptoX_Error on error. */ CryptoX_Result NSS_LoadPublicKey(const unsigned char *certData, unsigned int certDataSize, SECKEYPublicKey **publicKey) { CERTCertificate * cert; SECItem certDataItem = { siBuffer, (unsigned char*) certData, certDataSize }; if (!certData || !publicKey) { return CryptoX_Error; } cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &certDataItem, NULL, PR_FALSE, PR_TRUE); /* Get the cert and embedded public key out of the database */ if (!cert) { return CryptoX_Error; } *publicKey = CERT_ExtractPublicKey(cert); CERT_DestroyCertificate(cert); if (!*publicKey) { return CryptoX_Error; } return CryptoX_Success; }
static X509* nss_get_cert(NSS_CTX *ctx, const char *s) { X509 *x509 = NULL; CERTCertificate *cert = NULL; CALL_TRACE("nss_get_cert...\n"); if (ctx == NULL) { NSSerr(NSS_F_GET_CERT, NSS_R_INVALID_ARGUMENT); goto done; } if (!NSS_IsInitialized()) { NSSerr(NSS_F_GET_CERT, NSS_R_DB_IS_NOT_INITIALIZED); goto done; } nss_debug(ctx, "search certificate '%s'", s); cert = PK11_FindCertFromNickname(s, NULL); nss_trace(ctx, "found certificate mem='%p'", cert); if (cert == NULL) goto done; x509 = X509_from_CERTCertificate(cert); done: if (cert) CERT_DestroyCertificate(cert); nss_debug(ctx, "certificate %s", (x509 ? "found": "not found")); return(x509); }
/* Returns NULL if "encoding" cannot be decoded. */ NSS_IMPLEMENT nssDecodedCert * nssDecodedPKIXCertificate_Create ( NSSArena *arenaOpt, NSSDER *encoding ) { nssDecodedCert *rvDC = NULL; CERTCertificate *cert; SECItem secDER; SECITEM_FROM_NSSITEM(&secDER, encoding); cert = CERT_DecodeDERCertificate(&secDER, PR_TRUE, NULL); if (cert) { rvDC = nss_ZNEW(arenaOpt, nssDecodedCert); if (rvDC) { rvDC->type = NSSCertificateType_PKIX; rvDC->data = (void *)cert; rvDC->getIdentifier = nss3certificate_getIdentifier; rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier; rvDC->matchIdentifier = nss3certificate_matchIdentifier; rvDC->isValidIssuer = nss3certificate_isValidIssuer; rvDC->getUsage = nss3certificate_getUsage; rvDC->isValidAtTime = nss3certificate_isValidAtTime; rvDC->isNewerThan = nss3certificate_isNewerThan; rvDC->matchUsage = nss3certificate_matchUsage; rvDC->isTrustedForUsage = nss3certificate_isTrustedForUsage; rvDC->getEmailAddress = nss3certificate_getEmailAddress; rvDC->getDERSerialNumber = nss3certificate_getDERSerialNumber; } else { CERT_DestroyCertificate(cert); } } return rvDC; }
static SECStatus ssl_PopulateServerCert(sslServerCert *sc, CERTCertificate *cert, const CERTCertificateList *certChain) { if (sc->serverCert) { CERT_DestroyCertificate(sc->serverCert); } if (sc->serverCertChain) { CERT_DestroyCertificateList(sc->serverCertChain); } if (!cert) { sc->serverCert = NULL; sc->serverCertChain = NULL; return SECSuccess; } sc->serverCert = CERT_DupCertificate(cert); if (certChain) { sc->serverCertChain = CERT_DupCertList(certChain); } else { sc->serverCertChain = CERT_CertChainFromCert(sc->serverCert, certUsageSSLServer, PR_TRUE); } return sc->serverCertChain ? SECSuccess : SECFailure; }
/* * SecCmsSignerInfoDestroy - destroy a SignerInfo data structure */ void SecCmsSignerInfoDestroy(SecCmsSignerInfoRef si) { if (si->cert != NULL) { dprintfRC("SecCmsSignerInfoDestroy top: certp %p cert.rc %d\n", si->cert, (int)CFGetRetainCount(si->cert)); CERT_DestroyCertificate(si->cert); } if (si->certList != NULL) { dprintfRC("SecCmsSignerInfoDestroy top: certList.rc %d\n", (int)CFGetRetainCount(si->certList)); CFRelease(si->certList); } if (si->timestampCertList != NULL) { dprintfRC("SecCmsSignerInfoDestroy top: timestampCertList.rc %d\n", (int)CFGetRetainCount(si->timestampCertList)); CFRelease(si->timestampCertList); } if (si->hashAgilityAttrValue != NULL) { dprintfRC("SecCmsSignerInfoDestroy top: hashAgilityAttrValue.rc %d\n", (int)CFGetRetainCount(si->hashAgilityAttrValue)); CFRelease(si->hashAgilityAttrValue); } /* XXX storage ??? */ }
/* This invokes the "default" AuthCert handler in libssl. ** The only reason to use this one is that it prints out info as it goes. */ static SECStatus mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer) { SECStatus rv; CERTCertificate * peerCert; const SECItemArray *csa; if (MakeCertOK>=2) { return SECSuccess; } peerCert = SSL_PeerCertificate(fd); PRINTF("strsclnt: Subject: %s\nstrsclnt: Issuer : %s\n", peerCert->subjectName, peerCert->issuerName); csa = SSL_PeerStapledOCSPResponses(fd); if (csa) { PRINTF("Received %d Cert Status items (OCSP stapled data)\n", csa->len); } /* invoke the "default" AuthCert handler. */ rv = SSL_AuthCertificate(arg, fd, checkSig, isServer); PR_ATOMIC_INCREMENT(&certsTested); if (rv == SECSuccess) { fputs("strsclnt: -- SSL: Server Certificate Validated.\n", stderr); } CERT_DestroyCertificate(peerCert); /* error, if any, will be displayed by the Bad Cert Handler. */ return rv; }
/* * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message */ SECStatus NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb, SECCertUsage usage) { CERTCertificate *cert; SECStatus rv = SECSuccess; int i; int count; PRTime now; if (!sigd || !certdb || !sigd->rawCerts) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } count = NSS_CMSArray_Count((void**)sigd->rawCerts); now = PR_Now(); for (i=0; i < count; i++) { if (sigd->certs && sigd->certs[i]) { cert = CERT_DupCertificate(sigd->certs[i]); } else { cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]); if (!cert) { rv = SECFailure; break; } } rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, now, NULL, NULL); CERT_DestroyCertificate(cert); } return rv; }
int sxi_vcrypt_print_cert_info(sxc_client_t *sx, const char *file, int batch_mode) { struct PK11_ctx ctx; CERTCertificate *cert = load_cert_file(sx, file, &ctx); if(!cert) { free_PK11_ctx(&ctx); return -1; } if (cert && !batch_mode) { char *subject = CERT_NameToAscii(&cert->subject); char *issuer = CERT_NameToAscii(&cert->issuer); char *common_name = CERT_GetCommonName(&cert->subject); struct sxi_fmt fmt; char hash[SXI_SHA1_TEXT_LEN+1]; sxi_fmt_start(&fmt); sxi_fmt_msg(&fmt, "\tSubject: %s\n", subject); sxi_fmt_msg(&fmt, "\tIssuer: %s\n", issuer); if (!sxi_conns_hashcalc_core(sx, NULL, 0, cert->derCert.data, cert->derCert.len, hash)) { sxi_fmt_msg(&fmt, "\tSHA1 Fingerprint: %s\n", hash); } sxi_info(sx, "%s", fmt.buf); PR_Free(subject); PR_Free(issuer); PR_Free(common_name); } CERT_DestroyCertificate(cert); free_PK11_ctx(&ctx); return 0; }
static void trust_prompt_free_certificate (gpointer cert) { if (!cert) return; CERT_DestroyCertificate (cert); }
/* * Callback from SSL for checking certificate the peer (other end of * the socket) presents. */ SECStatus JSSL_DefaultCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer) { char * hostname = NULL; SECStatus rv = SECFailure; SECCertUsage certUsage; CERTCertificate *peerCert=NULL; certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; /* SSL_PeerCertificate() returns a shallow copy of the cert, so we must destroy it before we exit this function */ peerCert = SSL_PeerCertificate(fd); if (peerCert) { rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), peerCert, checkSig, certUsage, NULL /*pinarg*/); } /* if we're a server, then we don't need to check the CN of the certificate, so we can just return whatever returncode we have now */ if ( rv != SECSuccess || isServer ) { if (peerCert) CERT_DestroyCertificate(peerCert); return (int)rv; } /* cert is OK. This is the client side of an SSL connection. * Now check the name field in the cert against the desired hostname. * NB: This is our only defense against Man-In-The-Middle (MITM) attacks! */ hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */ if (hostname && hostname[0]) { rv = CERT_VerifyCertName(peerCert, hostname); PORT_Free(hostname); } else rv = SECFailure; if (peerCert) CERT_DestroyCertificate(peerCert); return rv; }
static void add_to_subject_list(CERTCertList *certList, CERTCertificate *cert, PRBool validOnly, PRTime sorttime) { SECStatus secrv; if (!validOnly || CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE) == secCertTimeValid) { secrv = CERT_AddCertToListSorted(certList, cert, CERT_SortCBValidity, (void *)&sorttime); if (secrv != SECSuccess) { CERT_DestroyCertificate(cert); } } else { CERT_DestroyCertificate(cert); } }
static int __pkcs11h_crypto_nss_certificate_is_issuer ( IN void * const global_data, IN const unsigned char * const issuer_blob, IN const size_t issuer_blob_size, IN const unsigned char * const cert_blob, IN const size_t cert_blob_size ) { PKCS11H_BOOL is_issuer = FALSE; CERTCertificate *cert = NULL; CERTCertificate *issuer = NULL; (void)global_data; /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/ _PKCS11H_ASSERT (issuer_blob!=NULL); _PKCS11H_ASSERT (cert_blob!=NULL); if ((issuer = CERT_DecodeCertFromPackage ((char *)issuer_blob, issuer_blob_size)) == NULL) { goto cleanup; } if ((cert = CERT_DecodeCertFromPackage ((char *)cert_blob, cert_blob_size)) == NULL) { goto cleanup; } is_issuer = CERT_VerifySignedDataWithPublicKeyInfo ( &cert->signatureWrap, &issuer->subjectPublicKeyInfo, NULL ) == SECSuccess; cleanup: if (cert != NULL) { CERT_DestroyCertificate (cert); } if (issuer != NULL) { CERT_DestroyCertificate (issuer); } return is_issuer; }
/* * FUNCTION: pkix_pl_OcspResponse_Destroy * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h) */ static PKIX_Error * pkix_pl_OcspResponse_Destroy( PKIX_PL_Object *object, void *plContext) { PKIX_PL_OcspResponse *ocspRsp = NULL; const SEC_HttpClientFcn *httpClient = NULL; const SEC_HttpClientFcnV1 *hcv1 = NULL; PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Destroy"); PKIX_NULLCHECK_ONE(object); PKIX_CHECK(pkix_CheckType(object, PKIX_OCSPRESPONSE_TYPE, plContext), PKIX_OBJECTNOTANOCSPRESPONSE); ocspRsp = (PKIX_PL_OcspResponse *)object; if (ocspRsp->nssOCSPResponse != NULL) { CERT_DestroyOCSPResponse(ocspRsp->nssOCSPResponse); ocspRsp->nssOCSPResponse = NULL; } if (ocspRsp->signerCert != NULL) { CERT_DestroyCertificate(ocspRsp->signerCert); ocspRsp->signerCert = NULL; } httpClient = (const SEC_HttpClientFcn *)(ocspRsp->httpClient); if (httpClient && (httpClient->version == 1)) { hcv1 = &(httpClient->fcnTable.ftable1); if (ocspRsp->sessionRequest != NULL) { (*hcv1->freeFcn)(ocspRsp->sessionRequest); ocspRsp->sessionRequest = NULL; } if (ocspRsp->serverSession != NULL) { (*hcv1->freeSessionFcn)(ocspRsp->serverSession); ocspRsp->serverSession = NULL; } } if (ocspRsp->arena != NULL) { PORT_FreeArena(ocspRsp->arena, PR_FALSE); ocspRsp->arena = NULL; } PKIX_DECREF(ocspRsp->producedAtDate); PKIX_DECREF(ocspRsp->pkixSignerCert); PKIX_DECREF(ocspRsp->request); cleanup: PKIX_RETURN(OCSPRESPONSE); }
static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) { SECStatus result = SECFailure; struct connectdata *conn = (struct connectdata *)arg; PRErrorCode err = PR_GetError(); CERTCertificate *cert = NULL; char *subject, *subject_cn, *issuer; conn->data->set.ssl.certverifyresult=err; cert = SSL_PeerCertificate(sock); subject = CERT_NameToAscii(&cert->subject); subject_cn = CERT_GetCommonName(&cert->subject); issuer = CERT_NameToAscii(&cert->issuer); CERT_DestroyCertificate(cert); switch(err) { case SEC_ERROR_CA_CERT_INVALID: infof(conn->data, "Issuer certificate is invalid: '%s'\n", issuer); break; case SEC_ERROR_UNTRUSTED_ISSUER: infof(conn->data, "Certificate is signed by an untrusted issuer: '%s'\n", issuer); break; case SSL_ERROR_BAD_CERT_DOMAIN: if(conn->data->set.ssl.verifyhost) { failf(conn->data, "SSL: certificate subject name '%s' does not match " "target host name '%s'", subject_cn, conn->host.dispname); } else { result = SECSuccess; infof(conn->data, "warning: SSL: certificate subject name '%s' does not " "match target host name '%s'\n", subject_cn, conn->host.dispname); } break; case SEC_ERROR_EXPIRED_CERTIFICATE: infof(conn->data, "Remote Certificate has expired.\n"); break; case SEC_ERROR_UNKNOWN_ISSUER: infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n", issuer); break; default: infof(conn->data, "Bad certificate received. Subject = '%s', " "Issuer = '%s'\n", subject, issuer); break; } if(result == SECSuccess) infof(conn->data, "SSL certificate verify ok.\n"); PR_Free(subject); PR_Free(subject_cn); PR_Free(issuer); return result; }
int main(int argc, char **argv) { if (NSS_NoDB_Init(NULL) != SECSuccess) { printf(" >>> NSS_NoDB_Init() failed.\n"); return 1; } if (argc < 3) { printf(" >>> I need a DER encoded file to read and have to know what to do with it [decode, private]!\n"); return 1; } PRFileDesc* file = PR_Open(argv[1], PR_RDONLY, 0); SECItem data = {0, NULL, 0}; if (SECU_ReadDERFromFile(&data, file, PR_FALSE, PR_FALSE) != SECSuccess) { printf(" >>> SECU_ReadDERFromFile() failed.\n"); return 1; } PR_Close(file); if (strcmp(argv[2], "decode") == 0) { CERTCertificate *cert = CERT_DecodeCertFromPackage((char*)data.data, data.len); if (cert){ printf(" >>> read cert!\n"); printf(" >>> SN: %s\n", cert->subjectName); printf(" >>> IN: %s\n", cert->issuerName); CERT_DestroyCertificate(cert); } else { printf(" >>> CERT_DecodeCertFromPackage failed.\n"); SECITEM_FreeItem(&data, PR_FALSE); return 1; } } if (argv[2] == "private") { PK11SlotInfo* slot = PK11_GetInternalSlot(); if (!slot) { printf(" >>> PK11_GetInternalSlot() failed.\n"); SECITEM_FreeItem(&data, PR_FALSE); return 1; } SECKEYPrivateKey* privKey; if (PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, &data, NULL, NULL, PR_FALSE, PR_FALSE, KU_ALL, &privKey, NULL) != SECSuccess) { printf(" >>> PK11_ImportDERPrivateKeyInfoAndReturnKey() failed.\n"); SECITEM_FreeItem(&data, PR_FALSE); return 1; } } printf(" !!! Done.\n"); return 0; }
/* * NSS_CMSSignerInfo_Destroy - destroy a SignerInfo data structure */ void NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si) { if (si->cert != NULL) CERT_DestroyCertificate(si->cert); if (si->certList != NULL) CERT_DestroyCertificateList(si->certList); /* XXX storage ??? */ }
static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) { SECStatus success = SECSuccess; struct connectdata *conn = (struct connectdata *)arg; PRErrorCode err = PR_GetError(); CERTCertificate *cert = NULL; char *subject, *issuer; if(conn->data->set.ssl.certverifyresult!=0) return success; conn->data->set.ssl.certverifyresult=err; cert = SSL_PeerCertificate(sock); subject = CERT_NameToAscii(&cert->subject); issuer = CERT_NameToAscii(&cert->issuer); CERT_DestroyCertificate(cert); switch(err) { case SEC_ERROR_CA_CERT_INVALID: infof(conn->data, "Issuer certificate is invalid: '%s'\n", issuer); if(conn->data->set.ssl.verifypeer) success = SECFailure; break; case SEC_ERROR_UNTRUSTED_ISSUER: if(conn->data->set.ssl.verifypeer) success = SECFailure; infof(conn->data, "Certificate is signed by an untrusted issuer: '%s'\n", issuer); break; case SSL_ERROR_BAD_CERT_DOMAIN: if(conn->data->set.ssl.verifypeer) success = SECFailure; infof(conn->data, "common name: %s (does not match '%s')\n", subject, conn->host.dispname); break; case SEC_ERROR_EXPIRED_CERTIFICATE: if(conn->data->set.ssl.verifypeer) success = SECFailure; infof(conn->data, "Remote Certificate has expired.\n"); break; default: if(conn->data->set.ssl.verifypeer) success = SECFailure; infof(conn->data, "Bad certificate received. Subject = '%s', " "Issuer = '%s'\n", subject, issuer); break; } if(success == SECSuccess) infof(conn->data, "SSL certificate verify ok.\n"); PR_Free(subject); PR_Free(issuer); return success; }
CERTDistNames * CERT_DistNamesFromNicknames(CERTCertDBHandle *handle, char **nicknames, int nnames) { CERTDistNames *dnames = NULL; PLArenaPool *arena; int i, rv; SECItem *names = NULL; CERTCertificate *cert = NULL; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) goto loser; dnames = PORT_ArenaZNew(arena, CERTDistNames); if (dnames == NULL) goto loser; dnames->arena = arena; dnames->nnames = nnames; dnames->names = names = PORT_ArenaZNewArray(arena, SECItem, nnames); if (names == NULL) goto loser; for (i = 0; i < nnames; i++) { cert = CERT_FindCertByNicknameOrEmailAddr(handle, nicknames[i]); if (cert == NULL) goto loser; rv = SECITEM_CopyItem(arena, &names[i], &cert->derSubject); if (rv == SECFailure) goto loser; CERT_DestroyCertificate(cert); } return dnames; loser: if (cert != NULL) CERT_DestroyCertificate(cert); if (arena != NULL) PORT_FreeArena(arena, PR_FALSE); return NULL; }
void CryptoMac_FreeCertificate(CryptoX_Certificate* aCertificate) { if (!OnLionOrLater()) { return CERT_DestroyCertificate((CERTCertificate*)*aCertificate); } if (!aCertificate || !*aCertificate) { return; } CFRelease((SecKeyRef)*aCertificate); }
CERTVerifyLogContentsCleaner::~CERTVerifyLogContentsCleaner() { if (!m_cvl) return; CERTVerifyLogNode *i_node; for (i_node = m_cvl->head; i_node; i_node = i_node->next) { if (i_node->cert) CERT_DestroyCertificate(i_node->cert); } }