Bug 92475 - Display error when SSL server CRL has expired. r=javi,sr=blizzard

2001-08-09 22:29:34 +00:00 · 2001-08-09 22:29:34 +00:00 · 2ae77cc74a
--- a/security/manager/pki/resources/content/serverCrlExpired.js
+++ b/security/manager/pki/resources/content/serverCrlExpired.js
@ -0,0 +1,75 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are
+ * Copyright (C) 1998 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s):
+ *  David Drinan <ddrinan@netscape.com>
+ */
+
+
+const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock;
+const nsIPKIParamBlock    = Components.interfaces.nsIPKIParamBlock;
+const nsIX509Cert         = Components.interfaces.nsIX509Cert;
+
+var dialogParams;
+var pkiParams;
+var bundle;
+
+function onLoad()
+{
+  pkiParams    = window.arguments[0].QueryInterface(nsIPKIParamBlock);
+  dialogParams = pkiParams.QueryInterface(nsIDialogParamBlock);
+  var isupport = pkiParams.getISupportAtIndex(1);
+  var cert = isupport.QueryInterface(nsIX509Cert);
+  bundle = srGetStrBundle("chrome://pippki/locale/pippki.properties");
+
+  //  Organization
+  addAttributeFromCert('organization', cert.organization);
+  //  Organizational Unit
+  addAttributeFromCert('orgunit', cert.organizationalUnit);
+
+  //Set the focus so key press events work.
+  document.getElementById('ok-button').focus();
+}
+
+function doOK()
+{
+  dialogParams.SetInt(1,1);
+  window.close();
+}
+
+function doCancel()
+{
+  dialogParams.SetInt(1,0);
+  window.close();
+}
+
+function managerCrls()
+{
+  window.open('chrome://pippki/content/crlManager.xul',  "",
+                'chrome,width=500,height=400,resizable=1');
+}
+
+function addAttributeFromCert(nodeName, value)
+{
+  var node = document.getElementById(nodeName);
+  if (!value) {
+    value = bundle.GetStringFromName('notPresent');  
+  }
+  node.setAttribute('value',value)
+}
--- a/security/manager/pki/resources/content/serverCrlExpired.xul
+++ b/security/manager/pki/resources/content/serverCrlExpired.xul
@ -0,0 +1,87 @@
+<?xml version="1.0"?>
+<!--
+   - The contents of this file are subject to the Mozilla Public
+   - License Version 1.1 (the "License"); you may not use this file
+   - except in compliance with the License. You may obtain a copy of
+   - the License at http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS
+   - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+   - implied. See the License for the specific language governing
+   - rights and limitations under the License.
+   -
+   -
+   - Contributor(s):
+   -  David Drinan <ddrinan@netscape.com>
+  -->
+
+<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
+
+<!-- CHANGE THIS WHEN MOVING FILES -->
+<!DOCTYPE window [
+    <!ENTITY % pipPkiDTD SYSTEM "chrome://pippki/locale/pippki.dtd">
+    %pipPkiDTD;
+    <!ENTITY % prefCertMgrDTD SYSTEM "chrome://pippki/locale/certManager.dtd">
+    %prefCertMgrDTD;
+]>
+
+<window
+  id="serverCrlExpired"
+  title="&serverCrlExpired.title;"
+  xmlns:html="http://www.w3.org/1999/xhtml"
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"      
+  debug="false"
+  style="width: 30em; height: 16em"
+  onload="onLoad();"
+>
+<script type="application/x-javascript" src="chrome://global/content/strres.js" />
+<script type="application/x-javascript" src="chrome://pippki/content/pippki.js" />
+<script type="application/x-javascript" src="chrome://pippki/content/serverCrlExpired.js" />
+<script type="application/x-javascript" src="chrome://help/content/help.js" />
+
+<keyset id="keys">
+  <key id="enter-key"  keycode="VK_ENTER"  oncommand="doOK()"    />
+  <key id="return-key" keycode="VK_RETURN" oncommand="doOK()"    />
+  <key id="esc-key"    keycode="VK_ESCAPE" oncommand="doCancel()"/>
+</keyset>
+
+<vbox style="margin: 5px;" flex="100%">
+
+  <html> &serverCrlExpired.message1; </html>
+  <separator/>
+  <grid> 
+      <columns>
+        <column />
+        <column />
+      </columns>
+      <rows>
+        <row>
+          <text class="label" value="&certmgr.certdetail.o;" /> 
+          <text id="organization"/>
+        </row>
+        <row>
+          <text class="label" value="&certmgr.certdetail.ou;" /> 
+          <text id="orgunit"/>
+        </row>
+      </rows>
+  </grid>
+  <separator/>
+  <html> &serverCrlExpired.message2; </html>
+  <separator/>
+  <html> &serverCrlExpired.continue; </html>
+  <separator/>
+  <hbox>
+  <button id="manageCrlCert-button" class="dialog" label="&serverCrlExpired.manageCrls.label;"
+     onclick="managerCrls();"/> 
+  </hbox>
+  <separator/>
+  <hbox>
+  <button id="ok-button" class="dialog" label="&ok.label;" primary="true"
+     onclick="doOK();" disabled="false"/> 
+  <button id="cancel-button" class="dialog" label="&cancel.label;"
+     onclick="doCancel();" /> 
+  <button id="help-button" class="dialog" label="&help.label;"
+    oncommand="openHelp('chrome://help/content/help.xul?exp_web_cert_crl');" /> 
+  </hbox>
+</vbox>
+</window>
--- a/security/manager/pki/resources/jar.mn
+++ b/security/manager/pki/resources/jar.mn
@ -51,6 +51,8 @@ pippki.jar:
    content/pippki/crlManager.js             (content/crlManager.js)
    content/pippki/pref-masterpass.js        (content/pref-masterpass.js)
    content/pippki/pref-masterpass.xul       (content/pref-masterpass.xul)
+    content/pippki/serverCrlExpired.js       (content/serverCrlExpired.js)
+    content/pippki/serverCrlExpired.xul      (content/serverCrlExpired.xul)

 en-US.jar:
    locale/en-US/pippki/contents.rdf         (locale/en-US/contents.rdf)
--- a/security/manager/pki/resources/locale/en-US/pippki.dtd
+++ b/security/manager/pki/resources/locale/en-US/pippki.dtd
@ -96,5 +96,9 @@
 <!ENTITY escrowWarn.benefit1 "The benefit is that if you lose access to your encryption private key, you can request a copy from this certificate authority.">
 <!ENTITY escrowWarn.message2 "However, your encryption private key will be stored by the certificate authority, and could be used to read your encrypted email or documents without your permission.">

-
+<!ENTITY serverCrlExpired.title "Certificate Revocation List (CRL) Expired">
+<!ENTITY serverCrlExpired.message1 "The certificate revocation list (CRL) issued by this certificate authority has expired:">
+<!ENTITY serverCrlExpired.message2 "To avoid this warning in the future, ask your system administrator how to update this CRL. Or, if you are sure this CRL is no longer required, click Manage CRLs to locate and delete it.">
+<!ENTITY serverCrlExpired.continue "Would you like to continue?">
+<!ENTITY serverCrlExpired.manageCrls.label "Manager CRLs...">

--- a/security/manager/pki/src/nsNSSDialogs.cpp
+++ b/security/manager/pki/src/nsNSSDialogs.cpp
@ -416,6 +416,34 @@ nsNSSDialogs::CertExpired(nsITransportSecurityInfo *socketInfo,
  return NS_OK;
 }

+NS_IMETHODIMP 
+nsNSSDialogs::CrlExpired(nsITransportSecurityInfo *socketInfo, 
+                          nsIX509Cert *cert, PRBool *_retval)
+{
+  nsresult rv;
+
+  *_retval = PR_FALSE;
+  nsCOMPtr<nsIPKIParamBlock> block = do_CreateInstance(kPKIParamBlockCID);
+  nsCOMPtr<nsIDialogParamBlock> dialogBlock = do_QueryInterface(block);
+
+  rv = block->SetISupportAtIndex(1, cert);
+  if (NS_FAILED(rv))
+    return rv;
+
+  rv = nsNSSDialogHelper::openDialog(nsnull,
+                             "chrome://pippki/content/serverCrlExpired.xul",
+                             block);
+
+  PRInt32 status;
+  rv = dialogBlock->GetInt(1, &status);
+  if (NS_FAILED(rv))
+    return rv; 
+
+  *_retval = (status) ? PR_TRUE : PR_FALSE;
+
+  return NS_OK;
+}
+
 nsresult
 nsNSSDialogs::AlertEnteringSecure(nsIInterfaceRequestor *ctx)
 {
--- a/security/manager/ssl/public/nsIBadCertListener.idl
+++ b/security/manager/ssl/public/nsIBadCertListener.idl
@ -54,5 +54,8 @@ interface nsIBadCertListener : nsISupports {

  boolean certExpired(in nsITransportSecurityInfo socketInfo,
                      in nsIX509Cert cert);
+  boolean crlExpired(in nsITransportSecurityInfo socketInfo,
+                      in nsIX509Cert cert);
+
 };

--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@ -654,7 +654,7 @@ nsNSSComponent::VerifySignature(const char* aRSABuf, PRUint32 aRSABufLen,

  //-- Verify signature
  rv = SEC_PKCS7VerifyDetachedSignature(p7_info, certUsageObjectSigner, &digest, HASH_AlgSHA1, PR_TRUE);
-  if (rv != PR_SUCCESS) {
+  if (rv != PR_TRUE) {
    *aErrorCode = PR_GetError();
    return NS_OK;
  }
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@ -935,6 +935,9 @@ nsContinueDespiteCertError(nsNSSSocketInfo  *infoObject,
      peerCert->timeOK = PR_TRUE;
    }
    break;
+  case SEC_ERROR_CRL_EXPIRED:
+    rv = badCertHandler->CrlExpired(csi, callBackCert, &retVal);
+    break;
  default:
    rv = NS_ERROR_FAILURE;
    break;