зеркало из https://github.com/mozilla/gecko-dev.git
Enable support for OCSP. Bug#80178, r=mcgreer@netscape.com, sr=blizzard@mozilla.org
This commit is contained in:
Родитель
e466670ee3
Коммит
dd40989267
|
@ -43,6 +43,14 @@
|
||||||
</treerow>
|
</treerow>
|
||||||
</treeitem>
|
</treeitem>
|
||||||
</treechildren>
|
</treechildren>
|
||||||
|
<treechildren id="securityChildren">
|
||||||
|
<treeitem id="validationItem" open="true" >
|
||||||
|
<treerow>
|
||||||
|
<treecell class="treecell-indent" url="chrome://pippki/content/pref-validation.xul"
|
||||||
|
label="&validation.label;" />
|
||||||
|
</treerow>
|
||||||
|
</treeitem>
|
||||||
|
</treechildren>
|
||||||
</treeitem>
|
</treeitem>
|
||||||
</treechildren>
|
</treechildren>
|
||||||
</overlay>
|
</overlay>
|
||||||
|
|
|
@ -0,0 +1,86 @@
|
||||||
|
/*
|
||||||
|
* The contents of this file are subject to the Mozilla Public
|
||||||
|
* License Version 1.1 (the "License"); you may not use this file
|
||||||
|
* except in compliance with the License. You may obtain a copy of
|
||||||
|
* the License at http://www.mozilla.org/MPL/
|
||||||
|
*
|
||||||
|
* Software distributed under the License is distributed on an "AS
|
||||||
|
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
|
||||||
|
* implied. See the License for the specific language governing
|
||||||
|
* rights and limitations under the License.
|
||||||
|
*
|
||||||
|
* The Original Code is mozilla.org code.
|
||||||
|
*
|
||||||
|
* The Initial Developer of the Original Code is Netscape
|
||||||
|
* Communications Corporation. Portions created by Netscape are
|
||||||
|
* Copyright (C) 2001 Netscape Communications Corporation. All
|
||||||
|
* Rights Reserved.
|
||||||
|
*
|
||||||
|
* Contributor(s):
|
||||||
|
* David Drinan <ddrinan@netscape.com>
|
||||||
|
*/
|
||||||
|
|
||||||
|
const nsIX509CertDB = Components.interfaces.nsIX509CertDB;
|
||||||
|
const nsX509CertDB = "@mozilla.org/security/x509certdb;1";
|
||||||
|
const nsIOCSPResponder = Components.interfaces.nsIOCSPResponder;
|
||||||
|
const nsISupportsArray = Components.interfaces.nsISupportsArray;
|
||||||
|
|
||||||
|
var certdb;
|
||||||
|
var ocspResponders;
|
||||||
|
|
||||||
|
function onLoad()
|
||||||
|
{
|
||||||
|
var ocspEntry;
|
||||||
|
var i;
|
||||||
|
|
||||||
|
certdb = Components.classes[nsX509CertDB].getService(nsIX509CertDB);
|
||||||
|
ocspResponders = certdb.getOCSPResponders();
|
||||||
|
|
||||||
|
var signersMenu = document.getElementById("signingCA");
|
||||||
|
var signersURL = document.getElementById("serviceURL");
|
||||||
|
for (i=0; i<ocspResponders.Count(); i++) {
|
||||||
|
ocspEntry = ocspResponders.GetElementAt(i).QueryInterface(nsIOCSPResponder);
|
||||||
|
var menuItemNode = document.createElement("menuitem");
|
||||||
|
menuItemNode.setAttribute("value", ocspEntry.responseSigner);
|
||||||
|
menuItemNode.setAttribute("label", ocspEntry.responseSigner);
|
||||||
|
signersMenu.firstChild.appendChild(menuItemNode);
|
||||||
|
}
|
||||||
|
|
||||||
|
parent.initPanel('chrome://pippki/content/pref-validation.xul');
|
||||||
|
|
||||||
|
doEnabling();
|
||||||
|
}
|
||||||
|
|
||||||
|
function doEnabling()
|
||||||
|
{
|
||||||
|
var signersMenu = document.getElementById("signingCA");
|
||||||
|
var signersURL = document.getElementById("serviceURL");
|
||||||
|
var radiogroup = document.getElementById("securityOCSPEnabled");
|
||||||
|
|
||||||
|
switch ( radiogroup.value ) {
|
||||||
|
case "0":
|
||||||
|
case "1":
|
||||||
|
signersMenu.setAttribute("disabled", true);
|
||||||
|
signersURL.setAttribute("disabled", true);
|
||||||
|
break;
|
||||||
|
case "2":
|
||||||
|
default:
|
||||||
|
signersMenu.removeAttribute("disabled");
|
||||||
|
signersURL.removeAttribute("disabled");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function changeURL()
|
||||||
|
{
|
||||||
|
var signersMenu = document.getElementById("signingCA");
|
||||||
|
var signersURL = document.getElementById("serviceURL");
|
||||||
|
var CA = signersMenu.getAttribute("value");
|
||||||
|
|
||||||
|
for (i=0; i < ocspResponders.Count(); i++) {
|
||||||
|
ocspEntry = ocspResponders.GetElementAt(i).QueryInterface(nsIOCSPResponder);
|
||||||
|
if (CA == ocspEntry.responseSigner) {
|
||||||
|
signersURL.setAttribute("value", ocspEntry.serviceURL);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,91 @@
|
||||||
|
<?xml version="1.0"?>
|
||||||
|
<!--
|
||||||
|
- The contents of this file are subject to the Mozilla Public
|
||||||
|
- License Version 1.1 (the "License"); you may not use this file
|
||||||
|
- except in compliance with the License. You may obtain a copy of
|
||||||
|
- the License at http://www.mozilla.org/MPL/
|
||||||
|
-
|
||||||
|
- Software distributed under the License is distributed on an "AS
|
||||||
|
- IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
|
||||||
|
- implied. See the License for the specific language governing
|
||||||
|
- rights and limitations under the License.
|
||||||
|
-
|
||||||
|
- The Original Code is mozilla.org code.
|
||||||
|
-
|
||||||
|
- The Initial Developer of the Original Code is Netscape
|
||||||
|
- Communications Corp. Portions created by Netscape are
|
||||||
|
- Copyright (C) 2001 Netscape Communications Corp. All
|
||||||
|
- Rights Reserved.
|
||||||
|
-
|
||||||
|
- Contributor(s):
|
||||||
|
- David Drinan <ddrinan@netscape.com>
|
||||||
|
-->
|
||||||
|
|
||||||
|
<?xml-stylesheet href="chrome://communicator/skin/" type="text/css"?>
|
||||||
|
<?xml-stylesheet href="chrome://communicator/skin/dialogOverlay.css" type="text/css"?>
|
||||||
|
|
||||||
|
<!DOCTYPE window [
|
||||||
|
<!ENTITY % brandDTD SYSTEM "chrome://global/locale/brand.dtd">
|
||||||
|
<!ENTITY % prefValidationDTD SYSTEM "chrome://pippki/locale/pref-validation.dtd">
|
||||||
|
%brandDTD;
|
||||||
|
%prefValidationDTD;
|
||||||
|
]>
|
||||||
|
|
||||||
|
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
|
||||||
|
class="color-dialog"
|
||||||
|
orient="vertical"
|
||||||
|
onload="onLoad();" >
|
||||||
|
|
||||||
|
<!-- List elements to manage for prefs -->
|
||||||
|
<script language="JavaScript">
|
||||||
|
<![CDATA[
|
||||||
|
var _elementIDs = ["securityOCSPEnabled", "serviceURL", "signingCA"];
|
||||||
|
]]>
|
||||||
|
</script>
|
||||||
|
|
||||||
|
<script src="pref-validation.js"/>
|
||||||
|
|
||||||
|
<!-- Fancy panel header -->
|
||||||
|
<box class="box-smallheader" title="&validation.title;" description="&validation.description;"/>
|
||||||
|
|
||||||
|
<!--
|
||||||
|
<titledbox orient="horizontal">
|
||||||
|
<label value="&validation.crl.label;"/>
|
||||||
|
</titledbox>
|
||||||
|
-->
|
||||||
|
|
||||||
|
<titledbox orient="vertical" autostretch="never" >
|
||||||
|
<label value="&validation.ocsp.label;"/>
|
||||||
|
<html> &validation.ocsp.description; </html>
|
||||||
|
<!-- Prefs -->
|
||||||
|
<radiogroup id="securityOCSPEnabled" orient="vertical" autostretch="never"
|
||||||
|
pref="true" preftype="int" prefstring="security.OCSP.enabled"
|
||||||
|
prefattribute="value">
|
||||||
|
<radio group="securityOCSPEnabled" value="0" label="&disableOCSP.label;" oncommand="doEnabling();"/>
|
||||||
|
<radio group="securityOCSPEnabled" value="1" label="&certOCSP.label;" oncommand="doEnabling();"/>
|
||||||
|
<radio group="securityOCSPEnabled" value="2" label="&proxyOCSP.label;" oncommand="doEnabling();"/>
|
||||||
|
|
||||||
|
<grid class="indent" flex="1">
|
||||||
|
<columns>
|
||||||
|
<column/>
|
||||||
|
<column flex="1"/>
|
||||||
|
</columns>
|
||||||
|
|
||||||
|
<rows>
|
||||||
|
<row>
|
||||||
|
<text class="label" value="&serviceURL.label;" for="serviceURL"/>
|
||||||
|
<textbox id="serviceURL" pref="true" preftype="string" prefstring="security.OCSP.URL"
|
||||||
|
prefattribute="value" flex="1"/>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<text class="label" value="&signingCA.label;" for="signingCA"/>
|
||||||
|
<menulist id="signingCA" pref="true" preftype="string" prefstring="security.OCSP.signingCA"
|
||||||
|
prefattribute="value" flex="1" oncommand="changeURL()">
|
||||||
|
<menupopup/>
|
||||||
|
</menulist>
|
||||||
|
</row>
|
||||||
|
</rows>
|
||||||
|
</grid>
|
||||||
|
</radiogroup>
|
||||||
|
</titledbox>
|
||||||
|
</window>
|
|
@ -37,6 +37,8 @@ pippki.jar:
|
||||||
content/pippki/certDump.xul (content/certDump.xul)
|
content/pippki/certDump.xul (content/certDump.xul)
|
||||||
content/pippki/choosetoken.xul (content/choosetoken.xul)
|
content/pippki/choosetoken.xul (content/choosetoken.xul)
|
||||||
content/pippki/choosetoken.js (content/choosetoken.js)
|
content/pippki/choosetoken.js (content/choosetoken.js)
|
||||||
|
content/pippki/pref-validation.xul (content/pref-validation.xul)
|
||||||
|
content/pippki/pref-validation.js (content/pref-validation.js)
|
||||||
locale/en-US/pippki/contents.rdf (locale/en-US/contents.rdf)
|
locale/en-US/pippki/contents.rdf (locale/en-US/contents.rdf)
|
||||||
locale/en-US/pippki/pippki.dtd (locale/en-US/pippki.dtd)
|
locale/en-US/pippki/pippki.dtd (locale/en-US/pippki.dtd)
|
||||||
locale/en-US/pippki/pref-ssl.dtd (locale/en-US/pref-ssl.dtd)
|
locale/en-US/pippki/pref-ssl.dtd (locale/en-US/pref-ssl.dtd)
|
||||||
|
@ -47,3 +49,4 @@ pippki.jar:
|
||||||
locale/en-US/pippki/pref-security.dtd (locale/en-US/pref-security.dtd)
|
locale/en-US/pippki/pref-security.dtd (locale/en-US/pref-security.dtd)
|
||||||
locale/en-US/pippki/PageInfoOverlay.dtd (locale/en-US/PageInfoOverlay.dtd)
|
locale/en-US/pippki/PageInfoOverlay.dtd (locale/en-US/PageInfoOverlay.dtd)
|
||||||
locale/en-US/pippki/certManager.dtd (locale/en-US/certManager.dtd)
|
locale/en-US/pippki/certManager.dtd (locale/en-US/certManager.dtd)
|
||||||
|
locale/en-US/pippki/pref-validation.dtd (locale/en-US/pref-validation.dtd)
|
||||||
|
|
|
@ -21,5 +21,7 @@
|
||||||
- Terry Hayes <thayes@netscape.com>
|
- Terry Hayes <thayes@netscape.com>
|
||||||
-->
|
-->
|
||||||
|
|
||||||
<!ENTITY security.label "Privacy and Security">
|
<!ENTITY security.label "Privacy and Security">
|
||||||
<!ENTITY ssl.label "SSL">
|
|
||||||
|
<!ENTITY ssl.label "SSL">
|
||||||
|
<!ENTITY validation.label "Validation">
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
<!--
|
||||||
|
- The contents of this file are subject to the Mozilla Public
|
||||||
|
- License Version 1.1 (the "License"); you may not use this file
|
||||||
|
- except in compliance with the License. You may obtain a copy of
|
||||||
|
- the License at http://www.mozilla.org/MPL/
|
||||||
|
-
|
||||||
|
- Software distributed under the License is distributed on an "AS
|
||||||
|
- IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
|
||||||
|
- implied. See the License for the specific language governing
|
||||||
|
- rights and limitations under the License.
|
||||||
|
-
|
||||||
|
- The Original Code is mozilla.org code.
|
||||||
|
-
|
||||||
|
- The Initial Developer of the Original Code is Netscape
|
||||||
|
- Communications Corp. Portions created by Netscape are
|
||||||
|
- Copyright (C) 2001 Netscape Communications Corp. All
|
||||||
|
- Rights Reserved.
|
||||||
|
-
|
||||||
|
- Contributor(s):
|
||||||
|
- David P. Drinan (ddrinan@netscape.com)
|
||||||
|
-->
|
||||||
|
|
||||||
|
<!ENTITY validation.title "Validation">
|
||||||
|
<!ENTITY validation.description "Settings for Validation">
|
||||||
|
|
||||||
|
<!ENTITY validation.crl.label "CRL">
|
||||||
|
|
||||||
|
<!ENTITY validation.ocsp.label "OCSP">
|
||||||
|
<!ENTITY validation.ocsp.description "&brandShortName; can use Online Certificate Status Protocol(OCSP) to verify certificates. Set &brandShortName; to use OCSP as follows:">
|
||||||
|
<!ENTITY disableOCSP.label "Do not use OCSP for certificate validation">
|
||||||
|
<!ENTITY certOCSP.label "Use OCSP to validate only cerificates that specify on OCSP service URL">
|
||||||
|
<!ENTITY proxyOCSP.label "Use OCSP to validate all certificates using the URL and signer specified here:">
|
||||||
|
<!ENTITY serviceURL.label "Service URL:">
|
||||||
|
<!ENTITY signingCA.label "Response Signer:">
|
|
@ -64,6 +64,13 @@ native nsCertCompareFunc(nsCertCompareFunc);
|
||||||
native nsAutoString(nsAutoString);
|
native nsAutoString(nsAutoString);
|
||||||
[ref] native nsAutoStringRef(nsAutoString);
|
[ref] native nsAutoStringRef(nsAutoString);
|
||||||
|
|
||||||
|
[scriptable, uuid(96b2f5ae-4334-11d5-ba27-00108303b117)]
|
||||||
|
interface nsIOCSPResponder : nsISupports {
|
||||||
|
readonly attribute wstring responseSigner;
|
||||||
|
readonly attribute wstring serviceURL;
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
[scriptable, uuid(da48b3c0-1284-11d5-ac67-000064657374)]
|
[scriptable, uuid(da48b3c0-1284-11d5-ac67-000064657374)]
|
||||||
interface nsIX509CertDB : nsISupports {
|
interface nsIX509CertDB : nsISupports {
|
||||||
|
|
||||||
|
@ -182,6 +189,12 @@ interface nsIX509CertDB : nsISupports {
|
||||||
in PRUint32 count,
|
in PRUint32 count,
|
||||||
[array, size_is(count)] in nsIX509Cert aCerts);
|
[array, size_is(count)] in nsIX509Cert aCerts);
|
||||||
//[array, size_is(count)] in wstring aCertNames);
|
//[array, size_is(count)] in wstring aCertNames);
|
||||||
|
/*
|
||||||
|
* getOCSPResponders
|
||||||
|
*
|
||||||
|
* Export a set of OCSP responders i.e. CA names and (optional) URLs.
|
||||||
|
*/
|
||||||
|
nsISupportsArray getOCSPResponders();
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -32,7 +32,7 @@
|
||||||
* may use your version of this file under either the MPL or the
|
* may use your version of this file under either the MPL or the
|
||||||
* GPL.
|
* GPL.
|
||||||
*
|
*
|
||||||
* $Id: nsNSSCertificate.cpp,v 1.22 2001/05/15 14:56:42 mcgreer%netscape.com Exp $
|
* $Id: nsNSSCertificate.cpp,v 1.23 2001/05/15 17:35:33 ddrinan%netscape.com Exp $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "prmem.h"
|
#include "prmem.h"
|
||||||
|
@ -64,6 +64,7 @@ extern "C" {
|
||||||
#include "secasn1.h"
|
#include "secasn1.h"
|
||||||
#include "secder.h"
|
#include "secder.h"
|
||||||
}
|
}
|
||||||
|
#include "ocsp.h"
|
||||||
|
|
||||||
#ifdef PR_LOGGING
|
#ifdef PR_LOGGING
|
||||||
extern PRLogModuleInfo* gPIPNSSLog;
|
extern PRLogModuleInfo* gPIPNSSLog;
|
||||||
|
@ -2541,6 +2542,210 @@ nsNSSCertificateDB::ExportPKCS12File(nsIPK11Token *aToken,
|
||||||
return blob.ExportToFile(aFile, certs, count);
|
return blob.ExportToFile(aFile, certs, count);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Header file */
|
||||||
|
class nsOCSPResponder : public nsIOCSPResponder
|
||||||
|
{
|
||||||
|
public:
|
||||||
|
NS_DECL_ISUPPORTS
|
||||||
|
NS_DECL_NSIOCSPRESPONDER
|
||||||
|
|
||||||
|
nsOCSPResponder();
|
||||||
|
nsOCSPResponder(const PRUnichar*, const PRUnichar*);
|
||||||
|
virtual ~nsOCSPResponder();
|
||||||
|
/* additional members */
|
||||||
|
static PRInt32 CmpCAName(nsIOCSPResponder *a, nsIOCSPResponder *b);
|
||||||
|
static PRInt32 CompareEntries(nsIOCSPResponder *a, nsIOCSPResponder *b);
|
||||||
|
static PRBool IncludeCert(CERTCertificate *aCert);
|
||||||
|
private:
|
||||||
|
nsString mCA;
|
||||||
|
nsString mURL;
|
||||||
|
};
|
||||||
|
|
||||||
|
/* Implementation file */
|
||||||
|
NS_IMPL_ISUPPORTS1(nsOCSPResponder, nsIOCSPResponder)
|
||||||
|
|
||||||
|
nsOCSPResponder::nsOCSPResponder()
|
||||||
|
{
|
||||||
|
NS_INIT_ISUPPORTS();
|
||||||
|
/* member initializers and constructor code */
|
||||||
|
}
|
||||||
|
|
||||||
|
nsOCSPResponder::nsOCSPResponder(const PRUnichar * aCA, const PRUnichar * aURL)
|
||||||
|
{
|
||||||
|
NS_INIT_ISUPPORTS();
|
||||||
|
mCA.Assign(aCA);
|
||||||
|
mURL.Assign(aURL);
|
||||||
|
}
|
||||||
|
|
||||||
|
nsOCSPResponder::~nsOCSPResponder()
|
||||||
|
{
|
||||||
|
/* destructor code */
|
||||||
|
}
|
||||||
|
|
||||||
|
/* readonly attribute */
|
||||||
|
NS_IMETHODIMP nsOCSPResponder::GetResponseSigner(PRUnichar** aCA)
|
||||||
|
{
|
||||||
|
NS_ENSURE_ARG(aCA);
|
||||||
|
*aCA = mCA.ToNewUnicode();
|
||||||
|
return NS_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* readonly attribute */
|
||||||
|
NS_IMETHODIMP nsOCSPResponder::GetServiceURL(PRUnichar** aURL)
|
||||||
|
{
|
||||||
|
NS_ENSURE_ARG(aURL);
|
||||||
|
*aURL = mURL.ToNewUnicode();
|
||||||
|
return NS_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
PRBool nsOCSPResponder::IncludeCert(CERTCertificate *aCert)
|
||||||
|
{
|
||||||
|
CERTCertTrust *trust;
|
||||||
|
char *nickname;
|
||||||
|
|
||||||
|
trust = aCert->trust;
|
||||||
|
nickname = aCert->nickname;
|
||||||
|
|
||||||
|
if ( ( ( trust->sslFlags & CERTDB_INVISIBLE_CA ) ||
|
||||||
|
(trust->emailFlags & CERTDB_INVISIBLE_CA ) ||
|
||||||
|
(trust->objectSigningFlags & CERTDB_INVISIBLE_CA ) ) ||
|
||||||
|
nickname == NULL) {
|
||||||
|
return PR_FALSE;
|
||||||
|
}
|
||||||
|
if ((trust->sslFlags & CERTDB_VALID_CA) ||
|
||||||
|
(trust->emailFlags & CERTDB_VALID_CA) ||
|
||||||
|
(trust->objectSigningFlags & CERTDB_VALID_CA)) {
|
||||||
|
return PR_TRUE;
|
||||||
|
}
|
||||||
|
return PR_FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
// CmpByCAName
|
||||||
|
//
|
||||||
|
// Compare two responders their token name. Returns -1, 0, 1 as
|
||||||
|
// in strcmp. No token name (null) is treated as >.
|
||||||
|
PRInt32 nsOCSPResponder::CmpCAName(nsIOCSPResponder *a, nsIOCSPResponder *b)
|
||||||
|
{
|
||||||
|
PRInt32 cmp1;
|
||||||
|
nsXPIDLString aTok, bTok;
|
||||||
|
a->GetResponseSigner(getter_Copies(aTok));
|
||||||
|
b->GetResponseSigner(getter_Copies(bTok));
|
||||||
|
if (aTok != nsnull && bTok != nsnull) {
|
||||||
|
nsAutoString aStr(aTok);
|
||||||
|
cmp1 = aStr.CompareWithConversion(bTok);
|
||||||
|
} else {
|
||||||
|
cmp1 = (aTok == nsnull) ? 1 : -1;
|
||||||
|
}
|
||||||
|
return cmp1;
|
||||||
|
}
|
||||||
|
|
||||||
|
// ocsp_compare_entries
|
||||||
|
//
|
||||||
|
// Compare two responders. Returns -1, 0, 1 as
|
||||||
|
// in strcmp. Entries with urls come before those without urls.
|
||||||
|
PRInt32 nsOCSPResponder::CompareEntries(nsIOCSPResponder *a, nsIOCSPResponder *b)
|
||||||
|
{
|
||||||
|
nsXPIDLString aURL, bURL;
|
||||||
|
nsAutoString aURLAuto, bURLAuto;
|
||||||
|
|
||||||
|
a->GetServiceURL(getter_Copies(aURL));
|
||||||
|
aURLAuto.Assign(aURL);
|
||||||
|
b->GetServiceURL(getter_Copies(bURL));
|
||||||
|
bURLAuto.Assign(bURL);
|
||||||
|
|
||||||
|
if (aURLAuto.Length() > 0 ) {
|
||||||
|
if (bURLAuto.Length() > 0) {
|
||||||
|
return nsOCSPResponder::CmpCAName(a, b);
|
||||||
|
} else {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if (bURLAuto.Length() > 0) {
|
||||||
|
return 1;
|
||||||
|
} else {
|
||||||
|
return nsOCSPResponder::CmpCAName(a, b);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static SECStatus GetOCSPResponders (CERTCertificate *aCert,
|
||||||
|
SECItem *aDBKey,
|
||||||
|
void *aArg)
|
||||||
|
{
|
||||||
|
nsISupportsArray *array = NS_STATIC_CAST(nsISupportsArray*, aArg);
|
||||||
|
PRUnichar* nn = nsnull;
|
||||||
|
PRUnichar* url = nsnull;
|
||||||
|
char *serviceURL = nsnull;
|
||||||
|
char *nickname = nsnull;
|
||||||
|
PRUint32 i, count;
|
||||||
|
nsresult rv;
|
||||||
|
|
||||||
|
// Are we interested in this cert //
|
||||||
|
if (!nsOCSPResponder::IncludeCert(aCert)) {
|
||||||
|
return SECSuccess;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Get the AIA and nickname //
|
||||||
|
serviceURL = CERT_GetOCSPAuthorityInfoAccessLocation(aCert);
|
||||||
|
if (serviceURL) {
|
||||||
|
url = NS_ConvertASCIItoUCS2(serviceURL).ToNewUnicode();
|
||||||
|
}
|
||||||
|
|
||||||
|
nickname = aCert->nickname;
|
||||||
|
nn = NS_ConvertASCIItoUCS2(nickname).ToNewUnicode();
|
||||||
|
|
||||||
|
nsCOMPtr<nsIOCSPResponder> new_entry = new nsOCSPResponder(nn, url);
|
||||||
|
|
||||||
|
// Sort the items according to nickname //
|
||||||
|
rv = array->Count(&count);
|
||||||
|
for (i=0; i < count; ++i) {
|
||||||
|
nsCOMPtr<nsISupports> isupport = getter_AddRefs(array->ElementAt(i));
|
||||||
|
nsCOMPtr<nsIOCSPResponder> entry = do_QueryInterface(isupport);
|
||||||
|
if (nsOCSPResponder::CompareEntries(new_entry, entry) < 0) {
|
||||||
|
array->InsertElementAt(new_entry, i);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (i == count) {
|
||||||
|
array->AppendElement(new_entry);
|
||||||
|
}
|
||||||
|
return SECSuccess;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* getOCSPResponders
|
||||||
|
*
|
||||||
|
* Export a set of certs and keys from the database to a PKCS#12 file.
|
||||||
|
*/
|
||||||
|
NS_IMETHODIMP
|
||||||
|
nsNSSCertificateDB::GetOCSPResponders(nsISupportsArray ** aResponders)
|
||||||
|
{
|
||||||
|
SECStatus sec_rv;
|
||||||
|
nsCOMPtr<nsISupportsArray> respondersArray;
|
||||||
|
nsresult rv = NS_NewISupportsArray(getter_AddRefs(respondersArray));
|
||||||
|
if (NS_FAILED(rv)) {
|
||||||
|
return rv;
|
||||||
|
}
|
||||||
|
|
||||||
|
sec_rv = SEC_TraversePermCerts(CERT_GetDefaultCertDB(),
|
||||||
|
::GetOCSPResponders,
|
||||||
|
respondersArray);
|
||||||
|
if (sec_rv == SECSuccess) {
|
||||||
|
sec_rv = PK11_TraverseSlotCerts(::GetOCSPResponders,
|
||||||
|
respondersArray,
|
||||||
|
nsnull);
|
||||||
|
}
|
||||||
|
if (sec_rv != SECSuccess) {
|
||||||
|
goto loser;
|
||||||
|
}
|
||||||
|
|
||||||
|
*aResponders = respondersArray;
|
||||||
|
NS_IF_ADDREF(*aResponders);
|
||||||
|
return NS_OK;
|
||||||
|
loser:
|
||||||
|
return NS_ERROR_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* NSS Helper Routines (private to nsNSSCertificateDB)
|
* NSS Helper Routines (private to nsNSSCertificateDB)
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -53,6 +53,7 @@
|
||||||
#include "ssl.h"
|
#include "ssl.h"
|
||||||
#include "sslproto.h"
|
#include "sslproto.h"
|
||||||
#include "secmod.h"
|
#include "secmod.h"
|
||||||
|
#include "ocsp.h"
|
||||||
extern "C" {
|
extern "C" {
|
||||||
#include "pkcs11.h"
|
#include "pkcs11.h"
|
||||||
#include "pkcs12.h"
|
#include "pkcs12.h"
|
||||||
|
@ -368,6 +369,40 @@ static CipherPref CipherPrefs[] = {
|
||||||
{NULL, 0} /* end marker */
|
{NULL, 0} /* end marker */
|
||||||
};
|
};
|
||||||
|
|
||||||
|
static void setOCSPOptions(nsIPref * pref)
|
||||||
|
{
|
||||||
|
// Set up OCSP //
|
||||||
|
PRInt32 ocspEnabled;
|
||||||
|
pref->GetIntPref("security.OCSP.enabled", &ocspEnabled);
|
||||||
|
switch (ocspEnabled) {
|
||||||
|
case 0:
|
||||||
|
CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
|
||||||
|
CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
|
||||||
|
break;
|
||||||
|
case 1:
|
||||||
|
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
|
||||||
|
break;
|
||||||
|
case 2:
|
||||||
|
{
|
||||||
|
char *signingCA = nsnull;
|
||||||
|
char *url = nsnull;
|
||||||
|
|
||||||
|
// Get the signing CA and service url //
|
||||||
|
pref->CopyCharPref("security.OCSP.signingCA", &signingCA);
|
||||||
|
pref->CopyCharPref("security.OCSP.URL", &url);
|
||||||
|
|
||||||
|
// Set OCSP up
|
||||||
|
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
|
||||||
|
CERT_SetOCSPDefaultResponder(CERT_GetDefaultCertDB(), url, signingCA);
|
||||||
|
CERT_EnableOCSPDefaultResponder(CERT_GetDefaultCertDB());
|
||||||
|
|
||||||
|
nsMemory::Free(signingCA);
|
||||||
|
nsMemory::Free(url);
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
nsresult
|
nsresult
|
||||||
nsNSSComponent::InitializeNSS()
|
nsNSSComponent::InitializeNSS()
|
||||||
{
|
{
|
||||||
|
@ -438,6 +473,9 @@ nsNSSComponent::InitializeNSS()
|
||||||
SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
|
SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
|
||||||
PORT_SetUCS2_ASCIIConversionFunction(pip_ucs2_ascii_conversion_fn);
|
PORT_SetUCS2_ASCIIConversionFunction(pip_ucs2_ascii_conversion_fn);
|
||||||
|
|
||||||
|
// Set up OCSP //
|
||||||
|
setOCSPOptions(mPref);
|
||||||
|
|
||||||
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("NSS Initialization done\n"));
|
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("NSS Initialization done\n"));
|
||||||
return NS_OK;
|
return NS_OK;
|
||||||
}
|
}
|
||||||
|
@ -566,6 +604,8 @@ nsNSSComponent::PrefChanged(const char* prefName)
|
||||||
} else if (!nsCRT::strcmp(prefName, "security.enable_tls")) {
|
} else if (!nsCRT::strcmp(prefName, "security.enable_tls")) {
|
||||||
mPref->GetBoolPref("security.enable_tls", &enabled);
|
mPref->GetBoolPref("security.enable_tls", &enabled);
|
||||||
SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
|
SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
|
||||||
|
} else if (!nsCRT::strcmp(prefName, "security.OCSP.enabled")) {
|
||||||
|
setOCSPOptions(mPref);
|
||||||
} else {
|
} else {
|
||||||
/* Look through the cipher table and set according to pref setting */
|
/* Look through the cipher table and set according to pref setting */
|
||||||
for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
|
for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
|
||||||
|
|
Загрузка…
Ссылка в новой задаче