Bug 783551 - Get tooltool running on the b2g on OS X builds. r=respindola
[gecko.git] / security / manager / ssl / src / nsUsageArrayHelper.cpp
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5 #include "nsUsageArrayHelper.h"
7 #include "nsCOMPtr.h"
8 #include "nsIDateTimeFormat.h"
9 #include "nsDateTimeFormatCID.h"
10 #include "nsComponentManagerUtils.h"
11 #include "nsReadableUtils.h"
12 #include "nsNSSCertificate.h"
14 #include "nspr.h"
15 #include "nsNSSCertHeader.h"
17 extern "C" {
18 #include "secerr.h"
21 static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
/**
 * Binds the helper to aCert and caches the two handles the other methods
 * use: the default certificate database and the NSS component service.
 *
 * The result of the service lookup is stored in m_rv; GetUsagesArray()
 * returns that value unchanged when it is a failure code.
 *
 * @param aCert certificate whose usages will be queried. mCert is
 *              initialised directly from this pointer; whether that takes a
 *              reference depends on mCert's declared type, which is not
 *              visible in this file.
 */
nsUsageArrayHelper::nsUsageArrayHelper(CERTCertificate *aCert)
  : mCert(aCert)
{
  // Scoped guard; presumably keeps NSS from being shut down while the two
  // calls below run.
  nsNSSShutDownPreventionLock locker;

  // NOTE(review): the database handle is fetched before the NSS component
  // service is requested. If requesting the service is what brings NSS up,
  // this handle could be null on first use -- confirm the initialisation
  // order.
  defaultcertdb = CERT_GetDefaultCertDB();
  nssComponent = do_GetService(kNSSComponentCID, &m_rv);
}
/**
 * Appends the localized description of one certificate usage to outUsages.
 *
 * Nothing happens when aCertUsage is zero or is not one of the usages in the
 * table below. Otherwise the string-bundle key is the table entry followed by
 * suffix; when the bundle lookup succeeds, a heap copy of the text made by
 * ToNewUnicode is stored at outUsages[aCounter] and aCounter is incremented.
 *
 * The array is written WITHOUT a bounds check: its size is not passed in, so
 * the caller must guarantee room for every usage it may report.
 * GetUsagesArray() does this by rejecting arrays smaller than
 * max_returned_out_array_size before it calls this method.
 *
 * Side effect: m_rv is overwritten with the result of the bundle lookup.
 * NOTE(review): GetUsagesArray() returns early whenever m_rv is a failure
 * code, so a single failed lookup appears to make every later call on the
 * same helper fail -- confirm that this is intended.
 *
 * @param suffix     text appended to the bundle key.
 * @param aCertUsage a single usage value, or 0 for "usage not valid".
 * @param aCounter   index of the next free slot in outUsages; incremented
 *                   only when a string was stored.
 * @param outUsages  caller-provided array that receives the new string;
 *                   releasing the string is left to the owner of the array.
 */
void
nsUsageArrayHelper::check(const char *suffix,
                          SECCertificateUsage aCertUsage,
                          PRUint32 &aCounter,
                          PRUnichar **outUsages)
{
  if (!aCertUsage) {
    return;
  }

  // Usage value -> prefix of the string-bundle key.
  struct UsageKey {
    SECCertificateUsage usage;
    const char *key;
  };
  static const UsageKey kUsageKeys[] = {
    { certificateUsageSSLClient,             "VerifySSLClient" },
    { certificateUsageSSLServer,             "VerifySSLServer" },
    { certificateUsageSSLServerWithStepUp,   "VerifySSLStepUp" },
    { certificateUsageEmailSigner,           "VerifyEmailSigner" },
    { certificateUsageEmailRecipient,        "VerifyEmailRecip" },
    { certificateUsageObjectSigner,          "VerifyObjSign" },
    { certificateUsageProtectedObjectSigner, "VerifyProtectObjSign" },
    { certificateUsageUserCertImport,        "VerifyUserImport" },
    { certificateUsageSSLCA,                 "VerifySSLCA" },
    { certificateUsageVerifyCA,              "VerifyCAVerifier" },
    { certificateUsageStatusResponder,       "VerifyStatusResponder" },
    { certificateUsageAnyCA,                 "VerifyAnyCA" }
  };

  const char *bundleKey = NULL;
  for (PRUint32 i = 0; i < sizeof(kUsageKeys) / sizeof(kUsageKeys[0]); ++i) {
    if (kUsageKeys[i].usage == aCertUsage) {
      bundleKey = kUsageKeys[i].key;
      break;
    }
  }
  if (!bundleKey) {
    // Not a usage this helper knows how to describe.
    return;
  }

  nsCAutoString typestr(bundleKey);
  typestr.Append(suffix);

  nsAutoString verifyDesc;
  m_rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
  if (NS_FAILED(m_rv)) {
    return;
  }

  // Unchecked write: see the bounds note in the header comment.
  outUsages[aCounter++] = ToNewUnicode(verifyDesc);
}
/**
 * Translates the error code left behind by a failed verification into one of
 * the nsNSSCertificate result constants and stores it in *_verified.
 *
 * No input produces VERIFIED_OK: every code without a dedicated mapping,
 * including 0 (SECSuccess), is reported as NOT_VERIFIED_UNKNOWN.
 *
 * @param _verified receives the result constant; dereferenced without a null
 *                  check.
 * @param err       error code to translate (GetUsagesArray() passes the
 *                  value it read from PR_GetError()).
 */
void
nsUsageArrayHelper::verifyFailed(PRUint32 *_verified, int err)
{
  PRUint32 outcome;

  switch (err) {
    // For these cases, verification only failed for the particular usage.
    case SEC_ERROR_INADEQUATE_KEY_USAGE:
    case SEC_ERROR_INADEQUATE_CERT_TYPE:
      outcome = nsNSSCertificate::USAGE_NOT_ALLOWED;
      break;

    // These are the cases that have individual error messages.
    case SEC_ERROR_REVOKED_CERTIFICATE:
      outcome = nsNSSCertificate::CERT_REVOKED;
      break;
    case SEC_ERROR_EXPIRED_CERTIFICATE:
      outcome = nsNSSCertificate::CERT_EXPIRED;
      break;
    case SEC_ERROR_UNTRUSTED_CERT:
      outcome = nsNSSCertificate::CERT_NOT_TRUSTED;
      break;
    case SEC_ERROR_UNTRUSTED_ISSUER:
      outcome = nsNSSCertificate::ISSUER_NOT_TRUSTED;
      break;
    case SEC_ERROR_UNKNOWN_ISSUER:
      outcome = nsNSSCertificate::ISSUER_UNKNOWN;
      break;
    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
      // XXX are there other errors that should map to this?
      outcome = nsNSSCertificate::INVALID_CA;
      break;
    case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
      outcome = nsNSSCertificate::SIGNATURE_ALGORITHM_DISABLED;
      break;

    case SEC_ERROR_CERT_USAGES_INVALID: // XXX what is this?
    // There are some OCSP errors from PSM 1.x to add here.
    case SECSuccess:
    // SECSuccess means no verification result has ever been received.
    default:
      outcome = nsNSSCertificate::NOT_VERIFIED_UNKNOWN;
      break;
  }

  *_verified = outcome;
}
/**
 * Determines the usages for which mCert verifies and returns their localized
 * descriptions.
 *
 * Verification goes through CERT_VerifyCertificateNow, or through
 * CERT_PKIXVerifyCert when nsNSSComponent::globalConstFlagUsePKIXVerification
 * is set. The return value of either call is ignored; only the resulting
 * usage bitmask and the error read from PR_GetError() are used.
 *
 * NS_OK does NOT mean the certificate is valid. It only means the query ran;
 * callers must inspect *_verified, which is VERIFIED_OK only when at least
 * one usage description was stored.
 *
 * @param suffix       appended to each string-bundle key (see check()).
 * @param localOnly    on the non-PKIX path, SkipOcsp() is called on the NSS
 *                     component before verifying and SkipOcspOff() after; on
 *                     the PKIX path the "local only" validation parameters
 *                     are requested instead of the default ones.
 * @param outArraySize number of slots in outUsages; must be at least
 *                     max_returned_out_array_size.
 * @param _verified    receives the verification result constant; not
 *                     null-checked.
 * @param _count       receives the number of strings stored; not
 *                     null-checked.
 * @param outUsages    receives newly allocated strings, one per valid usage.
 * @return m_rv when it holds a failure code, NS_ERROR_FAILURE when the array
 *         is too small, the lookup error when a required service or
 *         parameter object cannot be obtained, NS_OK otherwise.
 */
nsresult
nsUsageArrayHelper::GetUsagesArray(const char *suffix,
                                   bool localOnly,
                                   PRUint32 outArraySize,
                                   PRUint32 *_verified,
                                   PRUint32 *_count,
                                   PRUnichar **outUsages)
{
  nsNSSShutDownPreventionLock locker;

  if (NS_FAILED(m_rv)) {
    return m_rv;
  }

  // check() writes into outUsages without a bounds check, so the size is
  // enforced once, here.
  if (outArraySize < max_returned_out_array_size) {
    return NS_ERROR_FAILURE;
  }

  // Set only on the non-PKIX, local-only path; used to undo SkipOcsp().
  nsCOMPtr<nsINSSComponent> ocspToggle;

  if (!nsNSSComponent::globalConstFlagUsePKIXVerification && localOnly) {
    nsresult lookupRv;
    ocspToggle = do_GetService(kNSSComponentCID, &lookupRv);
    if (NS_FAILED(lookupRv)) {
      return lookupRv;
    }

    if (ocspToggle) {
      // NOTE(review): this is a call on the shared NSS component service, so
      // the suppression presumably also applies to verifications running on
      // other threads until SkipOcspOff() below -- confirm.
      ocspToggle->SkipOcsp();
    }
  }

  PRUint32 &count = *_count;
  count = 0;
  SECCertificateUsage usages = 0;
  int err = 0;

  if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
    // CERT_VerifyCertificateNow returns SECFailure unless the certificate is
    // valid for all the given usages. However, we are only looking for the
    // list of usages for which the cert *is* valid, so the return value is
    // deliberately discarded.
    const SECCertificateUsage requestedUsages =
      certificateUsageSSLClient |
      certificateUsageSSLServer |
      certificateUsageSSLServerWithStepUp |
      certificateUsageEmailSigner |
      certificateUsageEmailRecipient |
      certificateUsageObjectSigner |
      certificateUsageSSLCA |
      certificateUsageStatusResponder;

    (void) CERT_VerifyCertificateNow(defaultcertdb, mCert, true,
                                     requestedUsages, NULL, &usages);
    err = PR_GetError();
  } else {
    nsresult pkixRv;
    nsCOMPtr<nsINSSComponent> pkixService =
      do_GetService(kNSSComponentCID, &pkixRv);
    if (!pkixService) {
      return pkixRv;
    }

    nsRefPtr<nsCERTValInParamWrapper> valParams;
    pkixRv = localOnly
               ? pkixService->GetDefaultCERTValInParamLocalOnly(valParams)
               : pkixService->GetDefaultCERTValInParam(valParams);
    if (NS_FAILED(pkixRv)) {
      return pkixRv;
    }

    // Ask only for the usage bitmask; the list ends at cert_po_end.
    CERTValOutParam pkixOut[2];
    pkixOut[0].type = cert_po_usages;
    pkixOut[0].value.scalar.usages = 0;
    pkixOut[1].type = cert_po_end;

    CERT_PKIXVerifyCert(mCert, certificateUsageCheckAllUsages,
                        valParams->GetRawPointerForNSS(),
                        pkixOut, NULL);
    err = PR_GetError();
    usages = pkixOut[0].value.scalar.usages;
  }

  // The number of active entries must stay below max_returned_out_array_size:
  // check() stores one string per valid usage and relies on the size test at
  // the top of this function.
  static const SECCertificateUsage kReportedUsages[] = {
    certificateUsageSSLClient,
    certificateUsageSSLServer,
    certificateUsageSSLServerWithStepUp,
    certificateUsageEmailSigner,
    certificateUsageEmailRecipient,
    certificateUsageObjectSigner,
    // certificateUsageProtectedObjectSigner,  (disabled, not reported)
    // certificateUsageUserCertImport,         (disabled, not reported)
    certificateUsageSSLCA,
    // certificateUsageVerifyCA,               (disabled, not reported)
    certificateUsageStatusResponder
    // certificateUsageAnyCA                   (disabled, not reported)
  };
  for (PRUint32 i = 0;
       i < sizeof(kReportedUsages) / sizeof(kReportedUsages[0]); ++i) {
    check(suffix, usages & kReportedUsages[i], count, outUsages);
  }

  if (!nsNSSComponent::globalConstFlagUsePKIXVerification && localOnly &&
      ocspToggle) {
    ocspToggle->SkipOcspOff();
  }

  if (count == 0) {
    // NOTE(review): count also stays 0 when every string-bundle lookup in
    // check() fails, even though usages is non-zero. In that case err was
    // read after a call whose result was not checked and may not describe a
    // failure of this certificate -- confirm how callers treat that.
    verifyFailed(_verified, err);
  } else {
    *_verified = nsNSSCertificate::VERIFIED_OK;
  }

  return NS_OK;
}