зеркало из https://github.com/mozilla/gecko-dev.git
verify certificate in memory method
This commit is contained in:
Родитель
5deb4aec40
Коммит
3a0bcb0fb2
|
@ -1,27 +1,27 @@
|
|||
/*
|
||||
/*
|
||||
* The contents of this file are subject to the Mozilla Public
|
||||
* License Version 1.1 (the "License"); you may not use this file
|
||||
* except in compliance with the License. You may obtain a copy of
|
||||
* the License at http://www.mozilla.org/MPL/
|
||||
*
|
||||
*
|
||||
* Software distributed under the License is distributed on an "AS
|
||||
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
|
||||
* implied. See the License for the specific language governing
|
||||
* rights and limitations under the License.
|
||||
*
|
||||
*
|
||||
* The Original Code is the Netscape Security Services for Java.
|
||||
*
|
||||
*
|
||||
* The Initial Developer of the Original Code is Netscape
|
||||
* Communications Corporation. Portions created by Netscape are
|
||||
* Communications Corporation. Portions created by Netscape are
|
||||
* Copyright (C) 1998-2000 Netscape Communications Corporation. All
|
||||
* Rights Reserved.
|
||||
*
|
||||
*
|
||||
* Contributor(s):
|
||||
*
|
||||
*
|
||||
* Alternatively, the contents of this file may be used under the
|
||||
* terms of the GNU General Public License Version 2 or later (the
|
||||
* "GPL"), in which case the provisions of the GPL are applicable
|
||||
* instead of those above. If you wish to allow use of your
|
||||
* "GPL"), in which case the provisions of the GPL are applicable
|
||||
* instead of those above. If you wish to allow use of your
|
||||
* version of this file only under the terms of the GPL and not to
|
||||
* allow others to use your version of this file under the MPL,
|
||||
* indicate your decision by deleting the provisions above and
|
||||
|
@ -52,12 +52,12 @@ import org.mozilla.jss.provider.java.security.JSSMessageDigestSpi;
|
|||
* Initialization is done with static methods, and must be done before
|
||||
* an instance can be created. All other operations are done with instance
|
||||
* methods.
|
||||
* @version $Revision: 1.8 $ $Date: 2002/07/03 23:46:02 $
|
||||
* @version $Revision: 1.9 $ $Date: 2002/07/04 00:36:51 $
|
||||
*/
|
||||
public final class CryptoManager implements TokenSupplier
|
||||
{
|
||||
/**
|
||||
* CertUsage options for validation
|
||||
* CertUsage options for validation
|
||||
*/
|
||||
public final static class CertUsage {
|
||||
private int usage;
|
||||
|
@ -74,7 +74,7 @@ public final class CryptoManager implements TokenSupplier
|
|||
public String toString() {
|
||||
return name;
|
||||
}
|
||||
|
||||
|
||||
// certUsage, these must be kept in sync with nss/lib/certdb/certt.h
|
||||
public static final CertUsage SSLClient = new CertUsage(0, "SSLClient");
|
||||
public static final CertUsage SSLServer = new CertUsage(1, "SSLServer");
|
||||
|
@ -126,7 +126,7 @@ public final class CryptoManager implements TokenSupplier
|
|||
/**
|
||||
* This class enumerates the possible modes for FIPS compliance.
|
||||
*/
|
||||
public static final class FIPSMode {
|
||||
public static final class FIPSMode {
|
||||
private FIPSMode() {}
|
||||
|
||||
/**
|
||||
|
@ -439,8 +439,8 @@ public final class CryptoManager implements TokenSupplier
|
|||
public String ocspResponderURL = null;
|
||||
|
||||
/**
|
||||
* The nickname of the cert to trust (expected) to
|
||||
* sign the OCSP responses.
|
||||
* The nickname of the cert to trust (expected) to
|
||||
* sign the OCSP responses.
|
||||
* Only checked when the OCSPResponder value is set.
|
||||
*/
|
||||
public String ocspResponderCertNickname = null;
|
||||
|
@ -461,7 +461,7 @@ public final class CryptoManager implements TokenSupplier
|
|||
* be initialized. Only the Java portions of JSS will be
|
||||
* initialized. This should only be used if NSS has been initialized
|
||||
* elsewhere.
|
||||
*
|
||||
*
|
||||
* <p>Specifically, the following components will <b>not</b> be
|
||||
* configured by <tt>CryptoManager.initialize</tt> if this flag is set:
|
||||
* <ul>
|
||||
|
@ -628,7 +628,7 @@ public final class CryptoManager implements TokenSupplier
|
|||
*/
|
||||
private Vector moduleVector;
|
||||
|
||||
/**
|
||||
/**
|
||||
* Re-creates the Vector of modules that is stored by CryptoManager.
|
||||
* This entails going into native code to enumerate all modules,
|
||||
* wrap each one in a PK11Module, and storing the PK11Module in the vector.
|
||||
|
@ -687,7 +687,7 @@ public final class CryptoManager implements TokenSupplier
|
|||
}
|
||||
|
||||
/**
|
||||
* Retrieve the single instance of CryptoManager.
|
||||
* Retrieve the single instance of CryptoManager.
|
||||
* This cannot be called before initialization.
|
||||
*
|
||||
* @see #initialize(CryptoManager.InitializationValues)
|
||||
|
@ -1102,7 +1102,7 @@ public final class CryptoManager implements TokenSupplier
|
|||
*
|
||||
* @param the DER-encoded CRL.
|
||||
*/
|
||||
private native
|
||||
private native
|
||||
void importCRLNative(byte[] crl, String url, int rl_type)
|
||||
throws CRLImportException, TokenException;
|
||||
|
||||
|
@ -1117,7 +1117,7 @@ public final class CryptoManager implements TokenSupplier
|
|||
* field contains the given certificates but whose <i>content</i> field
|
||||
* is empty.
|
||||
*
|
||||
* @param certs One or more certificates that should be exported into
|
||||
* @param certs One or more certificates that should be exported into
|
||||
* the PKCS #7 object. The leaf certificate should be the first
|
||||
* in the chain. The output of <code>buildCertificateChain</code>
|
||||
* would be appropriate here.
|
||||
|
@ -1167,7 +1167,7 @@ public final class CryptoManager implements TokenSupplier
|
|||
* Looks up a certificate by issuer and serial number. The internal
|
||||
* database and all PKCS #11 modules are searched.
|
||||
*
|
||||
* @param derIssuer The DER encoding of the certificate issuer name.
|
||||
* @param derIssuer The DER encoding of the certificate issuer name.
|
||||
* The issuer name has ASN.1 type <i>Name</i>, which is defined in
|
||||
* X.501.
|
||||
* @param serialNumber The certificate serial number.
|
||||
|
@ -1269,7 +1269,7 @@ public final class CryptoManager implements TokenSupplier
|
|||
*
|
||||
* @return A JSS SecureRandom implemented with FIPS-validated NSS.
|
||||
*/
|
||||
public org.mozilla.jss.crypto.JSSSecureRandom
|
||||
public org.mozilla.jss.crypto.JSSSecureRandom
|
||||
createPseudoRandomNumberGenerator()
|
||||
{
|
||||
return new PK11SecureRandom();
|
||||
|
@ -1379,15 +1379,15 @@ public final class CryptoManager implements TokenSupplier
|
|||
// isCertValid
|
||||
/////////////////////////////////////////////////////////////
|
||||
/**
|
||||
* Verify a certificate that exists in the given cert database,
|
||||
* Verify a certificate that exists in the given cert database,
|
||||
* check if is valid and that we trust the issuer. Verify time
|
||||
* against Now.
|
||||
* against Now.
|
||||
* @param nickname The nickname of the certificate to verify.
|
||||
* @param checkSig verify the signature of the certificate
|
||||
* @param certUsage see exposed certUsage defines to verify Certificate
|
||||
* @return true for success; false otherwise
|
||||
*
|
||||
* @exception InvalidNicknameException If the nickname is null
|
||||
* @param certUsage see exposed certUsage defines to verify Certificate
|
||||
* @return true for success; false otherwise
|
||||
*
|
||||
* @exception InvalidNicknameException If the nickname is null
|
||||
* @exception ObjectNotFoundException If no certificate could be found
|
||||
* with the given nickname.
|
||||
*/
|
||||
|
@ -1403,6 +1403,37 @@ public final class CryptoManager implements TokenSupplier
|
|||
}
|
||||
|
||||
private native boolean verifyCertNowNative(String nickname,
|
||||
boolean checkSig, int cUsage) throws ObjectNotFoundException;
|
||||
boolean checkSig, int cUsage) throws ObjectNotFoundException;
|
||||
|
||||
/////////////////////////////////////////////////////////////
|
||||
// isCertValid
|
||||
/////////////////////////////////////////////////////////////
|
||||
/**
|
||||
* Verify a certificate in memory. Check if
|
||||
* valid and that we trust the issuer. Verify time
|
||||
* against Now.
|
||||
* @param certificate in memory
|
||||
* @param checkSig verify the signature of the certificate
|
||||
* @param certUsage see exposed certUsage defines to verify Certificate
|
||||
* @return true for success; false otherwise
|
||||
*
|
||||
* @exception TokenException unable to insert temporary certificate
|
||||
* into database.
|
||||
* @exception CertificateEncodingException If the package encoding
|
||||
* was not recognized.
|
||||
*/
|
||||
|
||||
public boolean isCertValid(byte[] certPackage, boolean checkSig,
|
||||
CertUsage certUsage)
|
||||
throws TokenException, CertificateEncodingException
|
||||
{
|
||||
return verifyCertTempNative(certPackage , checkSig,
|
||||
certUsage.getUsage());
|
||||
}
|
||||
|
||||
|
||||
private native boolean verifyCertTempNative(byte[] certPackage,
|
||||
boolean checkSig, int cUsage)
|
||||
throws TokenException, CertificateEncodingException;
|
||||
|
||||
}
|
||||
|
|
|
@ -1,27 +1,27 @@
|
|||
/*
|
||||
/*
|
||||
* The contents of this file are subject to the Mozilla Public
|
||||
* License Version 1.1 (the "License"); you may not use this file
|
||||
* except in compliance with the License. You may obtain a copy of
|
||||
* the License at http://www.mozilla.org/MPL/
|
||||
*
|
||||
*
|
||||
* Software distributed under the License is distributed on an "AS
|
||||
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
|
||||
* implied. See the License for the specific language governing
|
||||
* rights and limitations under the License.
|
||||
*
|
||||
*
|
||||
* The Original Code is the Netscape Security Services for Java.
|
||||
*
|
||||
*
|
||||
* The Initial Developer of the Original Code is Netscape
|
||||
* Communications Corporation. Portions created by Netscape are
|
||||
* Communications Corporation. Portions created by Netscape are
|
||||
* Copyright (C) 1998-2000 Netscape Communications Corporation. All
|
||||
* Rights Reserved.
|
||||
*
|
||||
*
|
||||
* Contributor(s):
|
||||
*
|
||||
*
|
||||
* Alternatively, the contents of this file may be used under the
|
||||
* terms of the GNU General Public License Version 2 or later (the
|
||||
* "GPL"), in which case the provisions of the GPL are applicable
|
||||
* instead of those above. If you wish to allow use of your
|
||||
* "GPL"), in which case the provisions of the GPL are applicable
|
||||
* instead of those above. If you wish to allow use of your
|
||||
* version of this file only under the terms of the GPL and not to
|
||||
* allow others to use your version of this file under the MPL,
|
||||
* indicate your decision by deleting the provisions above and
|
||||
|
@ -475,7 +475,7 @@ Java_org_mozilla_jss_CryptoManager_buildCertificateChainNative
|
|||
}
|
||||
|
||||
finish:
|
||||
|
||||
|
||||
PR_DetachThread();
|
||||
return chainArray;
|
||||
}
|
||||
|
@ -533,7 +533,7 @@ loser:
|
|||
|
||||
/***********************************************************************
|
||||
* CryptoManager.importCertToPerm
|
||||
* - add the certificate to the permanent database
|
||||
* - add the certificate to the permanent database
|
||||
*
|
||||
* throws TOKEN_EXCEPTION
|
||||
*/
|
||||
|
@ -604,7 +604,7 @@ data_start(unsigned char *buf, int length, unsigned int *data_length,
|
|||
|
||||
while (len_count-- > 0) {
|
||||
*data_length = (*data_length << 8) | buf[used_length++];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (*data_length > (length-used_length) ) {
|
||||
|
@ -613,7 +613,7 @@ data_start(unsigned char *buf, int length, unsigned int *data_length,
|
|||
}
|
||||
if (includeTag) *data_length += used_length;
|
||||
|
||||
return (buf + (includeTag ? 0 : used_length));
|
||||
return (buf + (includeTag ? 0 : used_length));
|
||||
}
|
||||
|
||||
static PRStatus
|
||||
|
@ -679,19 +679,19 @@ getCertFields(SECItem *derCert, SECItem *issuer,
|
|||
|
||||
|
||||
/**
|
||||
* Returns
|
||||
* Returns
|
||||
* -1 if operation error.
|
||||
* 0 if no leaf found.
|
||||
* 0 if no leaf found.
|
||||
* 1 if leaf is found
|
||||
*/
|
||||
static int find_child_cert(
|
||||
CERTCertDBHandle *certdb,
|
||||
SECItem *derCerts,
|
||||
int numCerts,
|
||||
SECItem *derCerts,
|
||||
int numCerts,
|
||||
int *linked,
|
||||
int cur_link,
|
||||
int *leaf_link
|
||||
)
|
||||
)
|
||||
{
|
||||
int i;
|
||||
int status = 0;
|
||||
|
@ -722,7 +722,7 @@ static int find_child_cert(
|
|||
*leaf_link = i;
|
||||
status = 1; /* got it */
|
||||
goto finish;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
finish:
|
||||
|
@ -738,8 +738,8 @@ finish:
|
|||
*/
|
||||
static int find_leaf_cert(
|
||||
CERTCertDBHandle *certdb,
|
||||
SECItem *derCerts,
|
||||
int numCerts,
|
||||
SECItem *derCerts,
|
||||
int numCerts,
|
||||
SECItem *theDerCert
|
||||
)
|
||||
{
|
||||
|
@ -761,18 +761,18 @@ static int find_leaf_cert(
|
|||
cur_link = leaf_link;
|
||||
linked[leaf_link] = 1;
|
||||
|
||||
while (((found = find_child_cert(certdb,
|
||||
while (((found = find_child_cert(certdb,
|
||||
derCerts, numCerts, linked, cur_link, &leaf_link)) == 1))
|
||||
{
|
||||
cur_link = leaf_link;
|
||||
cur_link = leaf_link;
|
||||
}
|
||||
if (found == -1) {
|
||||
/* the certificate chain is problemtic! */
|
||||
status = 0;
|
||||
status = 0;
|
||||
goto finish;
|
||||
}
|
||||
|
||||
*theDerCert = derCerts[leaf_link];
|
||||
|
||||
*theDerCert = derCerts[leaf_link];
|
||||
|
||||
finish:
|
||||
|
||||
|
@ -915,7 +915,7 @@ Java_org_mozilla_jss_CryptoManager_importCertPackageNative
|
|||
***************************************************/
|
||||
if(noUser) {
|
||||
slot = NULL;
|
||||
} else {
|
||||
} else {
|
||||
slot = PK11_KeyForDERCertExists(&theDerCert, &keyID, NULL);
|
||||
}
|
||||
if( slot == NULL ) {
|
||||
|
@ -930,7 +930,7 @@ Java_org_mozilla_jss_CryptoManager_importCertPackageNative
|
|||
}
|
||||
} else {
|
||||
/***************************************************
|
||||
* We have a user cert, import it
|
||||
* We have a user cert, import it
|
||||
***************************************************/
|
||||
|
||||
/***************************************************
|
||||
|
@ -1133,7 +1133,7 @@ encoderOutputCallback( void *arg, const char *buf, unsigned long len)
|
|||
EncoderCallbackInfo *info;
|
||||
|
||||
/***************************************************
|
||||
* validate arguments
|
||||
* validate arguments
|
||||
***************************************************/
|
||||
PR_ASSERT(arg!=NULL);
|
||||
info = (EncoderCallbackInfo*) arg;
|
||||
|
@ -1145,7 +1145,7 @@ encoderOutputCallback( void *arg, const char *buf, unsigned long len)
|
|||
/***************************************************
|
||||
* Create a new node to store this information
|
||||
***************************************************/
|
||||
node = PR_NEW( BufferNode );
|
||||
node = PR_NEW( BufferNode );
|
||||
if( node == NULL ) {
|
||||
PR_ASSERT(PR_FALSE);
|
||||
goto finish;
|
||||
|
@ -1369,7 +1369,7 @@ finish:
|
|||
*
|
||||
* Gathers all certificates of the given type into a Java array.
|
||||
*/
|
||||
static jobjectArray
|
||||
static jobjectArray
|
||||
getCerts(JNIEnv *env, PK11CertListType type)
|
||||
{
|
||||
jobjectArray certArray = NULL;
|
||||
|
@ -1500,7 +1500,7 @@ Java_org_mozilla_jss_CryptoManager_importCRLNative
|
|||
|
||||
packageItem = JSS_ByteArrayToSECItem(env, der_crl);
|
||||
if ( packageItem == NULL ) {
|
||||
goto finish;
|
||||
goto finish;
|
||||
}
|
||||
/* XXX need to deal with if error */
|
||||
|
||||
|
@ -1535,13 +1535,13 @@ Java_org_mozilla_jss_CryptoManager_importCRLNative
|
|||
case SEC_ERROR_KRL_NOT_YET_VALID:
|
||||
errmsg = "KRL Not yet valid";
|
||||
break;
|
||||
case SEC_ERROR_CRL_INVALID:
|
||||
case SEC_ERROR_CRL_INVALID:
|
||||
errmsg = "Invalid encoding of CRL";
|
||||
break;
|
||||
case SEC_ERROR_KRL_INVALID:
|
||||
case SEC_ERROR_KRL_INVALID:
|
||||
errmsg = "Invalid encoding of KRL";
|
||||
break;
|
||||
case SEC_ERROR_BAD_DATABASE:
|
||||
case SEC_ERROR_BAD_DATABASE:
|
||||
errmsg = "Database error";
|
||||
break;
|
||||
default:
|
||||
|
@ -1586,18 +1586,18 @@ Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env,
|
|||
if( nickname == NULL ) {
|
||||
goto finish;
|
||||
}
|
||||
certUsage = cUsage;
|
||||
certUsage = cUsage;
|
||||
cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
|
||||
|
||||
|
||||
if (cert == NULL) {
|
||||
JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
|
||||
goto finish;
|
||||
} else {
|
||||
rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), cert,
|
||||
rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), cert,
|
||||
checkSig, certUsage, NULL );
|
||||
}
|
||||
|
||||
finish:
|
||||
finish:
|
||||
if(nickname != NULL) {
|
||||
(*env)->ReleaseStringUTFChars(env, nickString, nickname);
|
||||
}
|
||||
|
@ -1611,3 +1611,60 @@ finish:
|
|||
}
|
||||
}
|
||||
|
||||
/***********************************************************************
|
||||
* CryptoManager.verifyCertNative
|
||||
*
|
||||
* Returns JNI_TRUE if success, JNI_FALSE otherwise
|
||||
*/
|
||||
JNIEXPORT jboolean JNICALL
|
||||
Java_org_mozilla_jss_CryptoManager_verifyCertTempNative(JNIEnv *env,
|
||||
jobject self, jbyteArray packageArray,jboolean checkSig, jint cUsage)
|
||||
{
|
||||
SECStatus rv = SECFailure;
|
||||
SECCertUsage certUsage;
|
||||
SECItem *derCerts[2];
|
||||
SECStatus status;
|
||||
CERTCertificate **certArray = NULL;
|
||||
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
|
||||
|
||||
/***************************************************
|
||||
* Validate arguments
|
||||
***************************************************/
|
||||
if (packageArray == NULL) {
|
||||
JSS_throwMsg(env, CERTIFICATE_ENCODING_EXCEPTION,
|
||||
"Certificate package is NULL");
|
||||
goto finish;
|
||||
}
|
||||
PR_ASSERT(certdb != NULL);
|
||||
|
||||
derCerts[0] = NULL;
|
||||
derCerts[0] = JSS_ByteArrayToSECItem(env, packageArray);
|
||||
derCerts[1] = NULL;
|
||||
|
||||
rv = CERT_ImportCerts(certdb, cUsage,
|
||||
1, derCerts, &certArray, PR_FALSE /*temp Certs*/,
|
||||
PR_FALSE /*caOnly*/, NULL);
|
||||
|
||||
if ( rv != SECSuccess || certArray == NULL || certArray[0] == NULL) {
|
||||
JSS_throwMsg(env, TOKEN_EXCEPTION, "Unable to insert certificate"
|
||||
" into temporary database");
|
||||
goto finish;
|
||||
}
|
||||
|
||||
certUsage = cUsage;
|
||||
rv = CERT_VerifyCertNow(certdb, certArray[0],
|
||||
checkSig, certUsage, NULL );
|
||||
|
||||
finish:
|
||||
/* this checks for NULL */
|
||||
CERT_DestroyCertArray(certArray, 1);
|
||||
if (derCerts[0]) {
|
||||
SECITEM_FreeItem(derCerts[0], PR_TRUE /*freeit*/);
|
||||
}
|
||||
if ( rv == SECSuccess) {
|
||||
return JNI_TRUE;
|
||||
} else {
|
||||
return JNI_FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
Загрузка…
Ссылка в новой задаче