mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

verify certificate in memory method

This commit is contained in:
glen.beasley%sun.com 2002-07-04 00:36:52 +00:00
Родитель 5deb4aec40
Коммит 3a0bcb0fb2
2 изменённых файлов: 156 добавлений и 68 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

89
security/jss/org/mozilla/jss/CryptoManager.java
Просмотреть файл

@ -1,27 +1,27 @@
/*
/*
* The contents of this file are subject to the Mozilla Public
* License Version 1.1 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a copy of
* the License at http://www.mozilla.org/MPL/
*
*
* Software distributed under the License is distributed on an "AS
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
* implied. See the License for the specific language governing
* rights and limitations under the License.
*
*
* The Original Code is the Netscape Security Services for Java.
*
*
* The Initial Developer of the Original Code is Netscape
* Communications Corporation. Portions created by Netscape are
* Communications Corporation. Portions created by Netscape are
* Copyright (C) 1998-2000 Netscape Communications Corporation. All
* Rights Reserved.
*
*
* Contributor(s):
*
*
* Alternatively, the contents of this file may be used under the
* terms of the GNU General Public License Version 2 or later (the
* "GPL"), in which case the provisions of the GPL are applicable
* instead of those above. If you wish to allow use of your
* "GPL"), in which case the provisions of the GPL are applicable
* instead of those above. If you wish to allow use of your
* version of this file only under the terms of the GPL and not to
* allow others to use your version of this file under the MPL,
* indicate your decision by deleting the provisions above and
@ -52,12 +52,12 @@ import org.mozilla.jss.provider.java.security.JSSMessageDigestSpi;
* Initialization is done with static methods, and must be done before
* an instance can be created. All other operations are done with instance
* methods.
* @version $Revision: 1.8 $ $Date: 2002/07/03 23:46:02 $
* @version $Revision: 1.9 $ $Date: 2002/07/04 00:36:51 $
*/
public final class CryptoManager implements TokenSupplier
{
/**
* CertUsage options for validation
* CertUsage options for validation
*/
public final static class CertUsage {
private int usage;
@ -74,7 +74,7 @@ public final class CryptoManager implements TokenSupplier
public String toString() {
return name;
}
// certUsage, these must be kept in sync with nss/lib/certdb/certt.h
public static final CertUsage SSLClient = new CertUsage(0, "SSLClient");
public static final CertUsage SSLServer = new CertUsage(1, "SSLServer");
@ -126,7 +126,7 @@ public final class CryptoManager implements TokenSupplier
/**
* This class enumerates the possible modes for FIPS compliance.
*/
public static final class FIPSMode {
public static final class FIPSMode {
private FIPSMode() {}
/**
@ -439,8 +439,8 @@ public final class CryptoManager implements TokenSupplier
public String ocspResponderURL = null;
/**
* The nickname of the cert to trust (expected) to
* sign the OCSP responses.
* The nickname of the cert to trust (expected) to
* sign the OCSP responses.
* Only checked when the OCSPResponder value is set.
*/
public String ocspResponderCertNickname = null;
@ -461,7 +461,7 @@ public final class CryptoManager implements TokenSupplier
* be initialized. Only the Java portions of JSS will be
* initialized. This should only be used if NSS has been initialized
* elsewhere.
*
*
* <p>Specifically, the following components will <b>not</b> be
* configured by <tt>CryptoManager.initialize</tt> if this flag is set:
* <ul>
@ -628,7 +628,7 @@ public final class CryptoManager implements TokenSupplier
*/
private Vector moduleVector;
/**
/**
* Re-creates the Vector of modules that is stored by CryptoManager.
* This entails going into native code to enumerate all modules,
* wrap each one in a PK11Module, and storing the PK11Module in the vector.
@ -687,7 +687,7 @@ public final class CryptoManager implements TokenSupplier
}
/**
* Retrieve the single instance of CryptoManager.
* Retrieve the single instance of CryptoManager.
* This cannot be called before initialization.
*
* @see #initialize(CryptoManager.InitializationValues)
@ -1102,7 +1102,7 @@ public final class CryptoManager implements TokenSupplier
*
* @param the DER-encoded CRL.
*/
private native
private native
void importCRLNative(byte[] crl, String url, int rl_type)
throws CRLImportException, TokenException;
@ -1117,7 +1117,7 @@ public final class CryptoManager implements TokenSupplier
* field contains the given certificates but whose <i>content</i> field
* is empty.
*
* @param certs One or more certificates that should be exported into
* @param certs One or more certificates that should be exported into
* the PKCS #7 object. The leaf certificate should be the first
* in the chain. The output of <code>buildCertificateChain</code>
* would be appropriate here.
@ -1167,7 +1167,7 @@ public final class CryptoManager implements TokenSupplier
* Looks up a certificate by issuer and serial number. The internal
* database and all PKCS #11 modules are searched.
*
* @param derIssuer The DER encoding of the certificate issuer name.
* @param derIssuer The DER encoding of the certificate issuer name.
* The issuer name has ASN.1 type <i>Name</i>, which is defined in
* X.501.
* @param serialNumber The certificate serial number.
@ -1269,7 +1269,7 @@ public final class CryptoManager implements TokenSupplier
*
* @return A JSS SecureRandom implemented with FIPS-validated NSS.
*/
public org.mozilla.jss.crypto.JSSSecureRandom
public org.mozilla.jss.crypto.JSSSecureRandom
createPseudoRandomNumberGenerator()
{
return new PK11SecureRandom();
@ -1379,15 +1379,15 @@ public final class CryptoManager implements TokenSupplier
// isCertValid
/////////////////////////////////////////////////////////////
/**
* Verify a certificate that exists in the given cert database,
* Verify a certificate that exists in the given cert database,
* check if is valid and that we trust the issuer. Verify time
* against Now.
* against Now.
* @param nickname The nickname of the certificate to verify.
* @param checkSig verify the signature of the certificate
* @param certUsage see exposed certUsage defines to verify Certificate
* @return true for success; false otherwise
*
* @exception InvalidNicknameException If the nickname is null
* @param certUsage see exposed certUsage defines to verify Certificate
* @return true for success; false otherwise
*
* @exception InvalidNicknameException If the nickname is null
* @exception ObjectNotFoundException If no certificate could be found
* with the given nickname.
*/
@ -1403,6 +1403,37 @@ public final class CryptoManager implements TokenSupplier
}
private native boolean verifyCertNowNative(String nickname,
boolean checkSig, int cUsage) throws ObjectNotFoundException;
boolean checkSig, int cUsage) throws ObjectNotFoundException;
/////////////////////////////////////////////////////////////
// isCertValid
/////////////////////////////////////////////////////////////
/**
* Verify a certificate in memory. Check if
* valid and that we trust the issuer. Verify time
* against Now.
* @param certificate in memory
* @param checkSig verify the signature of the certificate
* @param certUsage see exposed certUsage defines to verify Certificate
* @return true for success; false otherwise
*
* @exception TokenException unable to insert temporary certificate
* into database.
* @exception CertificateEncodingException If the package encoding
* was not recognized.
*/
public boolean isCertValid(byte[] certPackage, boolean checkSig,
CertUsage certUsage)
throws TokenException, CertificateEncodingException
{
return verifyCertTempNative(certPackage , checkSig,
certUsage.getUsage());
}
private native boolean verifyCertTempNative(byte[] certPackage,
boolean checkSig, int cUsage)
throws TokenException, CertificateEncodingException;
}

135
security/jss/org/mozilla/jss/PK11Finder.c
Просмотреть файл

@ -1,27 +1,27 @@
/*
/*
* The contents of this file are subject to the Mozilla Public
* License Version 1.1 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a copy of
* the License at http://www.mozilla.org/MPL/
*
*
* Software distributed under the License is distributed on an "AS
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
* implied. See the License for the specific language governing
* rights and limitations under the License.
*
*
* The Original Code is the Netscape Security Services for Java.
*
*
* The Initial Developer of the Original Code is Netscape
* Communications Corporation. Portions created by Netscape are
* Communications Corporation. Portions created by Netscape are
* Copyright (C) 1998-2000 Netscape Communications Corporation. All
* Rights Reserved.
*
*
* Contributor(s):
*
*
* Alternatively, the contents of this file may be used under the
* terms of the GNU General Public License Version 2 or later (the
* "GPL"), in which case the provisions of the GPL are applicable
* instead of those above. If you wish to allow use of your
* "GPL"), in which case the provisions of the GPL are applicable
* instead of those above. If you wish to allow use of your
* version of this file only under the terms of the GPL and not to
* allow others to use your version of this file under the MPL,
* indicate your decision by deleting the provisions above and
@ -475,7 +475,7 @@ Java_org_mozilla_jss_CryptoManager_buildCertificateChainNative
}
finish:
PR_DetachThread();
return chainArray;
}
@ -533,7 +533,7 @@ loser:
/***********************************************************************
* CryptoManager.importCertToPerm
* - add the certificate to the permanent database
* - add the certificate to the permanent database
*
* throws TOKEN_EXCEPTION
*/
@ -604,7 +604,7 @@ data_start(unsigned char *buf, int length, unsigned int *data_length,
while (len_count-- > 0) {
*data_length = (*data_length << 8) | buf[used_length++];
}
}
}
if (*data_length > (length-used_length) ) {
@ -613,7 +613,7 @@ data_start(unsigned char *buf, int length, unsigned int *data_length,
}
if (includeTag) *data_length += used_length;
return (buf + (includeTag ? 0 : used_length));
return (buf + (includeTag ? 0 : used_length));
}
static PRStatus
@ -679,19 +679,19 @@ getCertFields(SECItem *derCert, SECItem *issuer,
/**
* Returns
* Returns
* -1 if operation error.
* 0 if no leaf found.
* 0 if no leaf found.
* 1 if leaf is found
*/
static int find_child_cert(
CERTCertDBHandle *certdb,
SECItem *derCerts,
int numCerts,
SECItem *derCerts,
int numCerts,
int *linked,
int cur_link,
int *leaf_link
)
)
{
int i;
int status = 0;
@ -722,7 +722,7 @@ static int find_child_cert(
*leaf_link = i;
status = 1; /* got it */
goto finish;
}
}
}
finish:
@ -738,8 +738,8 @@ finish:
*/
static int find_leaf_cert(
CERTCertDBHandle *certdb,
SECItem *derCerts,
int numCerts,
SECItem *derCerts,
int numCerts,
SECItem *theDerCert
)
{
@ -761,18 +761,18 @@ static int find_leaf_cert(
cur_link = leaf_link;
linked[leaf_link] = 1;
while (((found = find_child_cert(certdb,
while (((found = find_child_cert(certdb,
derCerts, numCerts, linked, cur_link, &leaf_link)) == 1))
{
cur_link = leaf_link;
cur_link = leaf_link;
}
if (found == -1) {
/* the certificate chain is problemtic! */
status = 0;
status = 0;
goto finish;
}
*theDerCert = derCerts[leaf_link];
*theDerCert = derCerts[leaf_link];
finish:
@ -915,7 +915,7 @@ Java_org_mozilla_jss_CryptoManager_importCertPackageNative
***************************************************/
if(noUser) {
slot = NULL;
} else {
} else {
slot = PK11_KeyForDERCertExists(&theDerCert, &keyID, NULL);
}
if( slot == NULL ) {
@ -930,7 +930,7 @@ Java_org_mozilla_jss_CryptoManager_importCertPackageNative
}
} else {
/***************************************************
* We have a user cert, import it
* We have a user cert, import it
***************************************************/
/***************************************************
@ -1133,7 +1133,7 @@ encoderOutputCallback( void *arg, const char *buf, unsigned long len)
EncoderCallbackInfo *info;
/***************************************************
* validate arguments
* validate arguments
***************************************************/
PR_ASSERT(arg!=NULL);
info = (EncoderCallbackInfo*) arg;
@ -1145,7 +1145,7 @@ encoderOutputCallback( void *arg, const char *buf, unsigned long len)
/***************************************************
* Create a new node to store this information
***************************************************/
node = PR_NEW( BufferNode );
node = PR_NEW( BufferNode );
if( node == NULL ) {
PR_ASSERT(PR_FALSE);
goto finish;
@ -1369,7 +1369,7 @@ finish:
*
* Gathers all certificates of the given type into a Java array.
*/
static jobjectArray
static jobjectArray
getCerts(JNIEnv *env, PK11CertListType type)
{
jobjectArray certArray = NULL;
@ -1500,7 +1500,7 @@ Java_org_mozilla_jss_CryptoManager_importCRLNative
packageItem = JSS_ByteArrayToSECItem(env, der_crl);
if ( packageItem == NULL ) {
goto finish;
goto finish;
}
/* XXX need to deal with if error */
@ -1535,13 +1535,13 @@ Java_org_mozilla_jss_CryptoManager_importCRLNative
case SEC_ERROR_KRL_NOT_YET_VALID:
errmsg = "KRL Not yet valid";
break;
case SEC_ERROR_CRL_INVALID:
case SEC_ERROR_CRL_INVALID:
errmsg = "Invalid encoding of CRL";
break;
case SEC_ERROR_KRL_INVALID:
case SEC_ERROR_KRL_INVALID:
errmsg = "Invalid encoding of KRL";
break;
case SEC_ERROR_BAD_DATABASE:
case SEC_ERROR_BAD_DATABASE:
errmsg = "Database error";
break;
default:
@ -1586,18 +1586,18 @@ Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env,
if( nickname == NULL ) {
goto finish;
}
certUsage = cUsage;
certUsage = cUsage;
cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
if (cert == NULL) {
JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
goto finish;
} else {
rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), cert,
rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), cert,
checkSig, certUsage, NULL );
}
finish:
finish:
if(nickname != NULL) {
(*env)->ReleaseStringUTFChars(env, nickString, nickname);
}
@ -1611,3 +1611,60 @@ finish:
}
}
/***********************************************************************
* CryptoManager.verifyCertNative
*
* Returns JNI_TRUE if success, JNI_FALSE otherwise
*/
JNIEXPORT jboolean JNICALL
Java_org_mozilla_jss_CryptoManager_verifyCertTempNative(JNIEnv *env,
jobject self, jbyteArray packageArray,jboolean checkSig, jint cUsage)
{
SECStatus rv = SECFailure;
SECCertUsage certUsage;
SECItem *derCerts[2];
SECStatus status;
CERTCertificate **certArray = NULL;
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
/***************************************************
* Validate arguments
***************************************************/
if (packageArray == NULL) {
JSS_throwMsg(env, CERTIFICATE_ENCODING_EXCEPTION,
"Certificate package is NULL");
goto finish;
}
PR_ASSERT(certdb != NULL);
derCerts[0] = NULL;
derCerts[0] = JSS_ByteArrayToSECItem(env, packageArray);
derCerts[1] = NULL;
rv = CERT_ImportCerts(certdb, cUsage,
1, derCerts, &certArray, PR_FALSE /*temp Certs*/,
PR_FALSE /*caOnly*/, NULL);
if ( rv != SECSuccess || certArray == NULL || certArray[0] == NULL) {
JSS_throwMsg(env, TOKEN_EXCEPTION, "Unable to insert certificate"
" into temporary database");
goto finish;
}
certUsage = cUsage;
rv = CERT_VerifyCertNow(certdb, certArray[0],
checkSig, certUsage, NULL );
finish:
/* this checks for NULL */
CERT_DestroyCertArray(certArray, 1);
if (derCerts[0]) {
SECITEM_FreeItem(derCerts[0], PR_TRUE /*freeit*/);
}
if ( rv == SECSuccess) {
return JNI_TRUE;
} else {
return JNI_FALSE;
}
}