From 3a0bcb0fb2d556326d1867bce28c89b6347275ec Mon Sep 17 00:00:00 2001
From: "glen.beasley%sun.com" <glen.beasley%sun.com>
Date: Thu, 4 Jul 2002 00:36:52 +0000
Subject: [PATCH] verify certificate in memory method

---
 .../jss/org/mozilla/jss/CryptoManager.java    |  89 ++++++++----
 security/jss/org/mozilla/jss/PK11Finder.c     | 135 +++++++++++++-----
 2 files changed, 156 insertions(+), 68 deletions(-)

diff --git a/security/jss/org/mozilla/jss/CryptoManager.java b/security/jss/org/mozilla/jss/CryptoManager.java
index 4eccbc910a83..2dca6305e762 100644
--- a/security/jss/org/mozilla/jss/CryptoManager.java
+++ b/security/jss/org/mozilla/jss/CryptoManager.java
@@ -1,27 +1,27 @@
-/* 
+/*
  * The contents of this file are subject to the Mozilla Public
  * License Version 1.1 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of
  * the License at http://www.mozilla.org/MPL/
- * 
+ *
  * Software distributed under the License is distributed on an "AS
  * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
  * implied. See the License for the specific language governing
  * rights and limitations under the License.
- * 
+ *
  * The Original Code is the Netscape Security Services for Java.
- * 
+ *
  * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
+ * Communications Corporation.  Portions created by Netscape are
  * Copyright (C) 1998-2000 Netscape Communications Corporation.  All
  * Rights Reserved.
- * 
+ *
  * Contributor(s):
- * 
+ *
  * Alternatively, the contents of this file may be used under the
  * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
  * version of this file only under the terms of the GPL and not to
  * allow others to use your version of this file under the MPL,
  * indicate your decision by deleting the provisions above and
@@ -52,12 +52,12 @@ import org.mozilla.jss.provider.java.security.JSSMessageDigestSpi;
  * Initialization is done with static methods, and must be done before
  * an instance can be created.  All other operations are done with instance
  * methods.
- * @version $Revision: 1.8 $ $Date: 2002/07/03 23:46:02 $ 
+ * @version $Revision: 1.9 $ $Date: 2002/07/04 00:36:51 $
  */
 public final class CryptoManager implements TokenSupplier
 {
     /**
-     * CertUsage options for validation 
+     * CertUsage options for validation
      */
     public final static class CertUsage {
         private int usage;
@@ -74,7 +74,7 @@ public final class CryptoManager implements TokenSupplier
         public String toString() {
             return name;
         }
-        
+
         // certUsage, these must be kept in sync with nss/lib/certdb/certt.h
         public static final CertUsage SSLClient = new CertUsage(0, "SSLClient");
         public static final CertUsage SSLServer = new CertUsage(1, "SSLServer");
@@ -126,7 +126,7 @@ public final class CryptoManager implements TokenSupplier
         /**
          * This class enumerates the possible modes for FIPS compliance.
          */
-        public static final class FIPSMode { 
+        public static final class FIPSMode {
             private FIPSMode() {}
 
             /**
@@ -439,8 +439,8 @@ public final class CryptoManager implements TokenSupplier
         public String ocspResponderURL = null;
 
         /**
-         * The nickname of the cert to trust (expected) to 
-         * sign the OCSP responses. 
+         * The nickname of the cert to trust (expected) to
+         * sign the OCSP responses.
          * Only checked when the OCSPResponder value is set.
          */
         public String ocspResponderCertNickname = null;
@@ -461,7 +461,7 @@ public final class CryptoManager implements TokenSupplier
          * be initialized. Only the Java portions of JSS will be
          * initialized. This should only be used if NSS has been initialized
          * elsewhere.
-         * 
+         *
          * <p>Specifically, the following components will <b>not</b> be
          *  configured by <tt>CryptoManager.initialize</tt> if this flag is set:
          * <ul>
@@ -628,7 +628,7 @@ public final class CryptoManager implements TokenSupplier
      */
     private Vector moduleVector;
 
-    /** 
+    /**
      * Re-creates the Vector of modules that is stored by CryptoManager.
      * This entails going into native code to enumerate all modules,
      * wrap each one in a PK11Module, and storing the PK11Module in the vector.
@@ -687,7 +687,7 @@ public final class CryptoManager implements TokenSupplier
     }
 
     /**
-     * Retrieve the single instance of CryptoManager. 
+     * Retrieve the single instance of CryptoManager.
      * This cannot be called before initialization.
      *
      * @see #initialize(CryptoManager.InitializationValues)
@@ -1102,7 +1102,7 @@ public final class CryptoManager implements TokenSupplier
      *
      * @param the DER-encoded CRL.
      */
-    private native 
+    private native
     void importCRLNative(byte[] crl, String url, int rl_type)
         throws CRLImportException, TokenException;
 
@@ -1117,7 +1117,7 @@ public final class CryptoManager implements TokenSupplier
      * field contains the given certificates but whose <i>content</i> field
      * is empty.
      *
-     * @param certs One or more certificates that should be exported into 
+     * @param certs One or more certificates that should be exported into
      *      the PKCS #7 object.  The leaf certificate should be the first
      *      in the chain.  The output of <code>buildCertificateChain</code>
      *      would be appropriate here.
@@ -1167,7 +1167,7 @@ public final class CryptoManager implements TokenSupplier
      * Looks up a certificate by issuer and serial number. The internal
      *      database and all PKCS #11 modules are searched.
      *
-     * @param derIssuer The DER encoding of the certificate issuer name. 
+     * @param derIssuer The DER encoding of the certificate issuer name.
      *      The issuer name has ASN.1 type <i>Name</i>, which is defined in
      *      X.501.
      * @param serialNumber The certificate serial number.
@@ -1269,7 +1269,7 @@ public final class CryptoManager implements TokenSupplier
      *
      * @return A JSS SecureRandom implemented with FIPS-validated NSS.
      */
-    public org.mozilla.jss.crypto.JSSSecureRandom 
+    public org.mozilla.jss.crypto.JSSSecureRandom
     createPseudoRandomNumberGenerator()
     {
         return new PK11SecureRandom();
@@ -1379,15 +1379,15 @@ public final class CryptoManager implements TokenSupplier
     // isCertValid
     /////////////////////////////////////////////////////////////
     /**
-     * Verify a certificate that exists in the given cert database, 
+     * Verify a certificate that exists in the given cert database,
      * check if is valid and that we trust the issuer. Verify time
-     * against Now.  
+     * against Now.
      * @param nickname The nickname of the certificate to verify.
      * @param checkSig verify the signature of the certificate
-     * @param certUsage see exposed certUsage defines to verify Certificate 
-     * @return true for success; false otherwise 
-     *      
-     * @exception InvalidNicknameException If the nickname is null 
+     * @param certUsage see exposed certUsage defines to verify Certificate
+     * @return true for success; false otherwise
+     *
+     * @exception InvalidNicknameException If the nickname is null
      * @exception ObjectNotFoundException If no certificate could be found
      *      with the given nickname.
      */
@@ -1403,6 +1403,37 @@ public final class CryptoManager implements TokenSupplier
     }
 
     private native boolean verifyCertNowNative(String nickname,
-        boolean checkSig, int cUsage) throws ObjectNotFoundException; 
+        boolean checkSig, int cUsage) throws ObjectNotFoundException;
+
+    /////////////////////////////////////////////////////////////
+    // isCertValid
+    /////////////////////////////////////////////////////////////
+    /**
+     * Verify a certificate in memory. Check if
+     * valid and that we trust the issuer. Verify time
+     * against Now.
+     * @param certificate in memory
+     * @param checkSig verify the signature of the certificate
+     * @param certUsage see exposed certUsage defines to verify Certificate
+     * @return true for success; false otherwise
+     *
+     * @exception TokenException unable to insert temporary certificate
+     *            into database.
+     * @exception CertificateEncodingException If the package encoding
+     *      was not recognized.
+     */
+
+    public boolean isCertValid(byte[] certPackage, boolean checkSig,
+            CertUsage certUsage)
+        throws TokenException, CertificateEncodingException
+    {
+        return verifyCertTempNative(certPackage , checkSig,
+                                    certUsage.getUsage());
+    }
+
+
+    private native boolean verifyCertTempNative(byte[] certPackage,
+        boolean checkSig, int cUsage)
+        throws TokenException, CertificateEncodingException;
 
 }
diff --git a/security/jss/org/mozilla/jss/PK11Finder.c b/security/jss/org/mozilla/jss/PK11Finder.c
index 9525af0c8da8..b074980d27db 100644
--- a/security/jss/org/mozilla/jss/PK11Finder.c
+++ b/security/jss/org/mozilla/jss/PK11Finder.c
@@ -1,27 +1,27 @@
-/* 
+/*
  * The contents of this file are subject to the Mozilla Public
  * License Version 1.1 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of
  * the License at http://www.mozilla.org/MPL/
- * 
+ *
  * Software distributed under the License is distributed on an "AS
  * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
  * implied. See the License for the specific language governing
  * rights and limitations under the License.
- * 
+ *
  * The Original Code is the Netscape Security Services for Java.
- * 
+ *
  * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
+ * Communications Corporation.  Portions created by Netscape are
  * Copyright (C) 1998-2000 Netscape Communications Corporation.  All
  * Rights Reserved.
- * 
+ *
  * Contributor(s):
- * 
+ *
  * Alternatively, the contents of this file may be used under the
  * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
  * version of this file only under the terms of the GPL and not to
  * allow others to use your version of this file under the MPL,
  * indicate your decision by deleting the provisions above and
@@ -475,7 +475,7 @@ Java_org_mozilla_jss_CryptoManager_buildCertificateChainNative
     }
 
 finish:
-    
+
     PR_DetachThread();
     return chainArray;
 }
@@ -533,7 +533,7 @@ loser:
 
 /***********************************************************************
  * CryptoManager.importCertToPerm
- *  - add the certificate to the permanent database 
+ *  - add the certificate to the permanent database
  *
  * throws TOKEN_EXCEPTION
  */
@@ -604,7 +604,7 @@ data_start(unsigned char *buf, int length, unsigned int *data_length,
 
         while (len_count-- > 0) {
             *data_length = (*data_length << 8) | buf[used_length++];
-        } 
+        }
     }
 
     if (*data_length > (length-used_length) ) {
@@ -613,7 +613,7 @@ data_start(unsigned char *buf, int length, unsigned int *data_length,
     }
     if (includeTag) *data_length += used_length;
 
-    return (buf + (includeTag ? 0 : used_length));      
+    return (buf + (includeTag ? 0 : used_length));
 }
 
 static PRStatus
@@ -679,19 +679,19 @@ getCertFields(SECItem *derCert, SECItem *issuer,
 
 
 /**
- * Returns 
+ * Returns
  *   -1 if operation error.
- *    0 if no leaf found. 
+ *    0 if no leaf found.
  *    1 if leaf is found
  */
 static int find_child_cert(
   CERTCertDBHandle *certdb,
-  SECItem *derCerts, 
-  int numCerts, 
+  SECItem *derCerts,
+  int numCerts,
   int *linked,
   int cur_link,
   int *leaf_link
-) 
+)
 {
     int i;
     int status = 0;
@@ -722,7 +722,7 @@ static int find_child_cert(
             *leaf_link = i;
             status = 1; /* got it */
             goto finish;
-        } 
+        }
       }
 
 finish:
@@ -738,8 +738,8 @@ finish:
  */
 static int find_leaf_cert(
   CERTCertDBHandle *certdb,
-  SECItem *derCerts, 
-  int numCerts, 
+  SECItem *derCerts,
+  int numCerts,
   SECItem *theDerCert
 )
 {
@@ -761,18 +761,18 @@ static int find_leaf_cert(
     cur_link = leaf_link;
     linked[leaf_link] = 1;
 
-    while (((found = find_child_cert(certdb, 
+    while (((found = find_child_cert(certdb,
        derCerts, numCerts, linked, cur_link, &leaf_link)) == 1))
     {
-        cur_link = leaf_link;   
+        cur_link = leaf_link;
     }
     if (found == -1) {
         /* the certificate chain is problemtic! */
-        status = 0; 
+        status = 0;
         goto finish;
     }
-  
-    *theDerCert = derCerts[leaf_link]; 
+
+    *theDerCert = derCerts[leaf_link];
 
 finish:
 
@@ -915,7 +915,7 @@ Java_org_mozilla_jss_CryptoManager_importCertPackageNative
      ***************************************************/
     if(noUser) {
         slot = NULL;
-    } else { 
+    } else {
         slot = PK11_KeyForDERCertExists(&theDerCert, &keyID, NULL);
     }
     if( slot == NULL ) {
@@ -930,7 +930,7 @@ Java_org_mozilla_jss_CryptoManager_importCertPackageNative
         }
     } else {
         /***************************************************
-         * We have a user cert, import it 
+         * We have a user cert, import it
          ***************************************************/
 
         /***************************************************
@@ -1133,7 +1133,7 @@ encoderOutputCallback( void *arg, const char *buf, unsigned long len)
     EncoderCallbackInfo *info;
 
     /***************************************************
-     * validate arguments 
+     * validate arguments
      ***************************************************/
     PR_ASSERT(arg!=NULL);
     info = (EncoderCallbackInfo*) arg;
@@ -1145,7 +1145,7 @@ encoderOutputCallback( void *arg, const char *buf, unsigned long len)
     /***************************************************
      * Create a new node to store this information
      ***************************************************/
-    node = PR_NEW( BufferNode );  
+    node = PR_NEW( BufferNode );
     if( node == NULL ) {
         PR_ASSERT(PR_FALSE);
         goto finish;
@@ -1369,7 +1369,7 @@ finish:
  *
  * Gathers all certificates of the given type into a Java array.
  */
-static jobjectArray 
+static jobjectArray
 getCerts(JNIEnv *env, PK11CertListType type)
 {
     jobjectArray certArray = NULL;
@@ -1500,7 +1500,7 @@ Java_org_mozilla_jss_CryptoManager_importCRLNative
 
     packageItem = JSS_ByteArrayToSECItem(env, der_crl);
     if ( packageItem == NULL ) {
-        goto finish; 
+        goto finish;
     }
     /* XXX need to deal with if error */
 
@@ -1535,13 +1535,13 @@ Java_org_mozilla_jss_CryptoManager_importCRLNative
             case SEC_ERROR_KRL_NOT_YET_VALID:
                 errmsg = "KRL Not yet valid";
                 break;
-            case SEC_ERROR_CRL_INVALID: 
+            case SEC_ERROR_CRL_INVALID:
                 errmsg = "Invalid encoding of CRL";
                 break;
-            case SEC_ERROR_KRL_INVALID: 
+            case SEC_ERROR_KRL_INVALID:
                 errmsg = "Invalid encoding of KRL";
                 break;
-            case SEC_ERROR_BAD_DATABASE: 
+            case SEC_ERROR_BAD_DATABASE:
                 errmsg = "Database error";
                 break;
             default:
@@ -1586,18 +1586,18 @@ Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env,
     if( nickname == NULL ) {
          goto finish;
     }
-    certUsage = cUsage; 
+    certUsage = cUsage;
     cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
-    
+
     if (cert == NULL) {
         JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
         goto finish;
     } else {
-        rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), cert, 
+        rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), cert,
             checkSig, certUsage, NULL );
     }
 
-finish: 
+finish:
     if(nickname != NULL) {
       (*env)->ReleaseStringUTFChars(env, nickString, nickname);
     }
@@ -1611,3 +1611,60 @@ finish:
     }
 }
 
+/***********************************************************************
+ * CryptoManager.verifyCertNative
+ *
+ * Returns JNI_TRUE if success, JNI_FALSE otherwise
+ */
+JNIEXPORT jboolean JNICALL
+Java_org_mozilla_jss_CryptoManager_verifyCertTempNative(JNIEnv *env,
+     jobject self, jbyteArray packageArray,jboolean checkSig, jint cUsage)
+{
+    SECStatus         rv    = SECFailure;
+    SECCertUsage      certUsage;
+    SECItem *derCerts[2];
+    SECStatus status;
+    CERTCertificate **certArray = NULL;
+    CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
+
+    /***************************************************
+     * Validate arguments
+     ***************************************************/
+    if (packageArray == NULL) {
+        JSS_throwMsg(env, CERTIFICATE_ENCODING_EXCEPTION,
+                     "Certificate package is NULL");
+        goto finish;
+    }
+    PR_ASSERT(certdb != NULL);
+
+    derCerts[0] = NULL;
+    derCerts[0] = JSS_ByteArrayToSECItem(env, packageArray);
+    derCerts[1] = NULL;
+
+    rv = CERT_ImportCerts(certdb, cUsage,
+                          1, derCerts, &certArray, PR_FALSE /*temp Certs*/,
+                          PR_FALSE /*caOnly*/, NULL);
+
+    if ( rv != SECSuccess || certArray == NULL || certArray[0] == NULL) {
+        JSS_throwMsg(env, TOKEN_EXCEPTION, "Unable to insert certificate"
+                     " into temporary database");
+        goto finish;
+    }
+
+    certUsage = cUsage;
+    rv = CERT_VerifyCertNow(certdb, certArray[0],
+                            checkSig, certUsage, NULL );
+
+    finish:
+    /* this checks for NULL */
+    CERT_DestroyCertArray(certArray, 1);
+    if (derCerts[0]) {
+        SECITEM_FreeItem(derCerts[0], PR_TRUE /*freeit*/);
+    }
+    if ( rv == SECSuccess) {
+        return JNI_TRUE;
+    } else {
+        return JNI_FALSE;
+    }
+}
+