1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5 #include "nsUsageArrayHelper.h"
8 #include "nsIDateTimeFormat.h"
9 #include "nsDateTimeFormatCID.h"
10 #include "nsComponentManagerUtils.h"
11 #include "nsReadableUtils.h"
12 #include "nsNSSCertificate.h"
15 #include "nsNSSCertHeader.h"
21 static NS_DEFINE_CID(kNSSComponentCID
, NS_NSSCOMPONENT_CID
);
23 nsUsageArrayHelper::nsUsageArrayHelper(CERTCertificate
*aCert
)
26 nsNSSShutDownPreventionLock locker
;
27 defaultcertdb
= CERT_GetDefaultCertDB();
28 nssComponent
= do_GetService(kNSSComponentCID
, &m_rv
);
32 nsUsageArrayHelper::check(const char *suffix
,
33 SECCertificateUsage aCertUsage
,
35 PRUnichar
**outUsages
)
37 if (!aCertUsage
) return;
38 nsCAutoString typestr
;
40 case certificateUsageSSLClient
:
41 typestr
= "VerifySSLClient";
43 case certificateUsageSSLServer
:
44 typestr
= "VerifySSLServer";
46 case certificateUsageSSLServerWithStepUp
:
47 typestr
= "VerifySSLStepUp";
49 case certificateUsageEmailSigner
:
50 typestr
= "VerifyEmailSigner";
52 case certificateUsageEmailRecipient
:
53 typestr
= "VerifyEmailRecip";
55 case certificateUsageObjectSigner
:
56 typestr
= "VerifyObjSign";
58 case certificateUsageProtectedObjectSigner
:
59 typestr
= "VerifyProtectObjSign";
61 case certificateUsageUserCertImport
:
62 typestr
= "VerifyUserImport";
64 case certificateUsageSSLCA
:
65 typestr
= "VerifySSLCA";
67 case certificateUsageVerifyCA
:
68 typestr
= "VerifyCAVerifier";
70 case certificateUsageStatusResponder
:
71 typestr
= "VerifyStatusResponder";
73 case certificateUsageAnyCA
:
74 typestr
= "VerifyAnyCA";
79 if (!typestr
.IsEmpty()) {
80 typestr
.Append(suffix
);
81 nsAutoString verifyDesc
;
82 m_rv
= nssComponent
->GetPIPNSSBundleString(typestr
.get(), verifyDesc
);
83 if (NS_SUCCEEDED(m_rv
)) {
84 outUsages
[aCounter
++] = ToNewUnicode(verifyDesc
);
90 nsUsageArrayHelper::verifyFailed(PRUint32
*_verified
, int err
)
93 /* For these cases, verify only failed for the particular usage */
94 case SEC_ERROR_INADEQUATE_KEY_USAGE
:
95 case SEC_ERROR_INADEQUATE_CERT_TYPE
:
96 *_verified
= nsNSSCertificate::USAGE_NOT_ALLOWED
; break;
97 /* These are the cases that have individual error messages */
98 case SEC_ERROR_REVOKED_CERTIFICATE
:
99 *_verified
= nsNSSCertificate::CERT_REVOKED
; break;
100 case SEC_ERROR_EXPIRED_CERTIFICATE
:
101 *_verified
= nsNSSCertificate::CERT_EXPIRED
; break;
102 case SEC_ERROR_UNTRUSTED_CERT
:
103 *_verified
= nsNSSCertificate::CERT_NOT_TRUSTED
; break;
104 case SEC_ERROR_UNTRUSTED_ISSUER
:
105 *_verified
= nsNSSCertificate::ISSUER_NOT_TRUSTED
; break;
106 case SEC_ERROR_UNKNOWN_ISSUER
:
107 *_verified
= nsNSSCertificate::ISSUER_UNKNOWN
; break;
108 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
:
109 // XXX are there other error for this?
110 *_verified
= nsNSSCertificate::INVALID_CA
; break;
111 case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
:
112 *_verified
= nsNSSCertificate::SIGNATURE_ALGORITHM_DISABLED
; break;
113 case SEC_ERROR_CERT_USAGES_INVALID
: // XXX what is this?
114 // there are some OCSP errors from PSM 1.x to add here
116 // this means, no verification result has ever been received
118 *_verified
= nsNSSCertificate::NOT_VERIFIED_UNKNOWN
; break;
123 nsUsageArrayHelper::GetUsagesArray(const char *suffix
,
125 PRUint32 outArraySize
,
128 PRUnichar
**outUsages
)
130 nsNSSShutDownPreventionLock locker
;
134 if (outArraySize
< max_returned_out_array_size
)
135 return NS_ERROR_FAILURE
;
137 nsCOMPtr
<nsINSSComponent
> nssComponent
;
139 if (!nsNSSComponent::globalConstFlagUsePKIXVerification
&& localOnly
) {
141 nssComponent
= do_GetService(kNSSComponentCID
, &rv
);
146 nssComponent
->SkipOcsp();
150 PRUint32
&count
= *_count
;
152 SECCertificateUsage usages
= 0;
155 if (!nsNSSComponent::globalConstFlagUsePKIXVerification
) {
156 // CERT_VerifyCertificateNow returns SECFailure unless the certificate is
157 // valid for all the given usages. Hoewver, we are only looking for the list
158 // of usages for which the cert *is* valid.
160 CERT_VerifyCertificateNow(defaultcertdb
, mCert
, true,
161 certificateUsageSSLClient
|
162 certificateUsageSSLServer
|
163 certificateUsageSSLServerWithStepUp
|
164 certificateUsageEmailSigner
|
165 certificateUsageEmailRecipient
|
166 certificateUsageObjectSigner
|
167 certificateUsageSSLCA
|
168 certificateUsageStatusResponder
,
174 nsCOMPtr
<nsINSSComponent
> inss
= do_GetService(kNSSComponentCID
, &nsrv
);
177 nsRefPtr
<nsCERTValInParamWrapper
> survivingParams
;
179 nsrv
= inss
->GetDefaultCERTValInParamLocalOnly(survivingParams
);
181 nsrv
= inss
->GetDefaultCERTValInParam(survivingParams
);
186 CERTValOutParam cvout
[2];
187 cvout
[0].type
= cert_po_usages
;
188 cvout
[0].value
.scalar
.usages
= 0;
189 cvout
[1].type
= cert_po_end
;
191 CERT_PKIXVerifyCert(mCert
, certificateUsageCheckAllUsages
,
192 survivingParams
->GetRawPointerForNSS(),
195 usages
= cvout
[0].value
.scalar
.usages
;
198 // The following list of checks must be < max_returned_out_array_size
200 check(suffix
, usages
& certificateUsageSSLClient
, count
, outUsages
);
201 check(suffix
, usages
& certificateUsageSSLServer
, count
, outUsages
);
202 check(suffix
, usages
& certificateUsageSSLServerWithStepUp
, count
, outUsages
);
203 check(suffix
, usages
& certificateUsageEmailSigner
, count
, outUsages
);
204 check(suffix
, usages
& certificateUsageEmailRecipient
, count
, outUsages
);
205 check(suffix
, usages
& certificateUsageObjectSigner
, count
, outUsages
);
207 check(suffix
, usages
& certificateUsageProtectedObjectSigner
, count
, outUsages
);
208 check(suffix
, usages
& certificateUsageUserCertImport
, count
, outUsages
);
210 check(suffix
, usages
& certificateUsageSSLCA
, count
, outUsages
);
212 check(suffix
, usages
& certificateUsageVerifyCA
, count
, outUsages
);
214 check(suffix
, usages
& certificateUsageStatusResponder
, count
, outUsages
);
216 check(suffix
, usages
& certificateUsageAnyCA
, count
, outUsages
);
219 if (!nsNSSComponent::globalConstFlagUsePKIXVerification
&& localOnly
&& nssComponent
) {
220 nssComponent
->SkipOcspOff();
224 verifyFailed(_verified
, err
);
226 *_verified
= nsNSSCertificate::VERIFIED_OK
;