зеркало из https://github.com/mozilla/pjs.git
Bug 327181, Improve error reporting for invalid-certificate errors (error page for https, or combined dialog) Code in mozilla/security/manager: r=rrelyea Code elsewhere: r=mconnor, sr=dveditz blocking1.9=mconnor
This commit is contained in:
Родитель
137ae6249a
Коммит
7104607e1d
|
@ -1767,8 +1767,7 @@ MicrosummaryResource.prototype = {
|
|||
// and abort loads for bad SSL certs and HTTP authorization requests.
|
||||
|
||||
// Interfaces this component implements.
|
||||
interfaces: [Ci.nsIBadCertListener,
|
||||
Ci.nsIAuthPromptProvider,
|
||||
interfaces: [Ci.nsIAuthPromptProvider,
|
||||
Ci.nsIAuthPrompt,
|
||||
Ci.nsIPrompt,
|
||||
Ci.nsIProgressEventSink,
|
||||
|
@ -1800,25 +1799,6 @@ MicrosummaryResource.prototype = {
|
|||
return this.QueryInterface(iid);
|
||||
},
|
||||
|
||||
// nsIBadCertListener
|
||||
|
||||
// Suppress UI and abort secure loads from servers with bad SSL certificates.
|
||||
|
||||
confirmUnknownIssuer: function MSR_confirmUnknownIssuer(socketInfo, cert, certAddType) {
|
||||
return false;
|
||||
},
|
||||
|
||||
confirmMismatchDomain: function MSR_confirmMismatchDomain(socketInfo, targetURL, cert) {
|
||||
return false;
|
||||
},
|
||||
|
||||
confirmCertExpired: function MSR_confirmCertExpired(socketInfo, cert) {
|
||||
return false;
|
||||
},
|
||||
|
||||
notifyCrlNextupdate: function MSR_notifyCrlNextupdate(socketInfo, targetURL, cert) {
|
||||
},
|
||||
|
||||
// Suppress UI and abort loads for files secured by authentication.
|
||||
|
||||
// Auth requests appear to succeed when we cancel them (since the server
|
||||
|
|
|
@ -293,7 +293,6 @@ loadListener.prototype = {
|
|||
aIID.equals(Ci.nsIStreamListener) ||
|
||||
aIID.equals(Ci.nsIChannelEventSink) ||
|
||||
aIID.equals(Ci.nsIInterfaceRequestor) ||
|
||||
aIID.equals(Ci.nsIBadCertListener) ||
|
||||
// See FIXME comment below
|
||||
aIID.equals(Ci.nsIHttpEventSink) ||
|
||||
aIID.equals(Ci.nsIProgressEventSink) ||
|
||||
|
@ -349,24 +348,6 @@ loadListener.prototype = {
|
|||
return this.QueryInterface(aIID);
|
||||
},
|
||||
|
||||
// nsIBadCertListener
|
||||
confirmUnknownIssuer: function SRCH_load_CUI(aSocketInfo, aCert,
|
||||
aCertAddType) {
|
||||
return false;
|
||||
},
|
||||
|
||||
confirmMismatchDomain: function SRCH_load_CMD(aSocketInfo, aTargetURL,
|
||||
aCert) {
|
||||
return false;
|
||||
},
|
||||
|
||||
confirmCertExpired: function SRCH_load_CCE(aSocketInfo, aCert) {
|
||||
return false;
|
||||
},
|
||||
|
||||
notifyCrlNextupdate: function SRCH_load_NCN(aSocketInfo, aTargetURL, aCert) {
|
||||
},
|
||||
|
||||
// FIXME: bug 253127
|
||||
// nsIHttpEventSink
|
||||
onRedirect: function (aChannel, aNewChannel) {},
|
||||
|
|
|
@ -87,10 +87,6 @@ NS_IMPL_THREADSAFE_ADDREF(EmbedCertificates)
|
|||
NS_IMPL_THREADSAFE_RELEASE(EmbedCertificates)
|
||||
NS_INTERFACE_MAP_BEGIN(EmbedCertificates)
|
||||
NS_INTERFACE_MAP_ENTRY(nsITokenPasswordDialogs)
|
||||
NS_INTERFACE_MAP_ENTRY(nsIBadCertListener)
|
||||
#ifdef BAD_CERT_LISTENER2
|
||||
NS_INTERFACE_MAP_ENTRY(nsIBadCertListener2)
|
||||
#endif
|
||||
NS_INTERFACE_MAP_ENTRY(nsICertificateDialogs)
|
||||
NS_INTERFACE_MAP_ENTRY(nsIClientAuthDialogs)
|
||||
NS_INTERFACE_MAP_ENTRY(nsICertPickDialogs)
|
||||
|
@ -129,40 +125,6 @@ EmbedCertificates::GetPassword(nsIInterfaceRequestor *ctx,
|
|||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
EmbedCertificates::ConfirmUnknownIssuer(nsIInterfaceRequestor *socketInfo,
|
||||
nsIX509Cert *cert, PRInt16 *outAddType,
|
||||
PRBool *_retval)
|
||||
{
|
||||
*outAddType = ADD_TRUSTED_FOR_SESSION;
|
||||
*_retval = PR_TRUE;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
EmbedCertificates::ConfirmMismatchDomain(nsIInterfaceRequestor *socketInfo,
|
||||
const nsACString &targetURL,
|
||||
nsIX509Cert *cert, PRBool *_retval)
|
||||
{
|
||||
*_retval = PR_TRUE;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
EmbedCertificates::ConfirmCertExpired(nsIInterfaceRequestor *socketInfo,
|
||||
nsIX509Cert *cert, PRBool *_retval)
|
||||
{
|
||||
*_retval = PR_TRUE;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
EmbedCertificates::NotifyCrlNextupdate(nsIInterfaceRequestor *socketInfo,
|
||||
const nsACString &targetURL, nsIX509Cert *cert)
|
||||
{
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
EmbedCertificates::CrlImportStatusDialog(nsIInterfaceRequestor *ctx, nsICRLInfo *crl)
|
||||
{
|
||||
|
@ -278,86 +240,3 @@ EmbedCertificates::ConfirmKeyEscrow(nsIX509Cert *escrowAuthority, PRBool *_retva
|
|||
return NS_OK;
|
||||
}
|
||||
|
||||
#ifdef BAD_CERT_LISTENER2
|
||||
NS_IMETHODIMP
|
||||
EmbedCertificates::ConfirmBadCertificate(
|
||||
nsIInterfaceRequestor *ctx,
|
||||
nsIX509Cert *cert,
|
||||
PRBool aSecSuccess,
|
||||
PRUint32 aError,
|
||||
PRBool *_retval)
|
||||
{
|
||||
nsresult rv;
|
||||
gpointer pCert = NULL;
|
||||
guint messint = 0;
|
||||
nsCOMPtr<nsIDOMWindow> parent(do_GetInterface(ctx));
|
||||
|
||||
GtkMozEmbedCommon * common = nsnull;
|
||||
GtkMozEmbed *parentWidget = GTK_MOZ_EMBED(GetGtkWidgetForDOMWindow(parent));
|
||||
|
||||
if (!parentWidget) {
|
||||
EmbedCommon * embedcommon = EmbedCommon::GetInstance();
|
||||
if (embedcommon)
|
||||
common = GTK_MOZ_EMBED_COMMON(embedcommon->mCommon);
|
||||
}
|
||||
|
||||
if (!(aError & nsIX509Cert::VERIFIED_OK)) {
|
||||
pCert = (gpointer)cert;
|
||||
messint = GTK_MOZ_EMBED_CERT_VERIFIED_OK;
|
||||
if (aError & nsIX509Cert::NOT_VERIFIED_UNKNOWN) {
|
||||
messint |= GTK_MOZ_EMBED_CERT_NOT_VERIFIED_UNKNOWN;
|
||||
}
|
||||
if (aError & nsIX509Cert::CERT_EXPIRED || aError & nsIX509Cert::CERT_REVOKED) {
|
||||
nsCOMPtr<nsIX509CertValidity> validity;
|
||||
rv = cert->GetValidity(getter_AddRefs(validity));
|
||||
if (NS_SUCCEEDED(rv)) {
|
||||
PRTime notBefore, notAfter, timeToUse;
|
||||
PRTime now = PR_Now();
|
||||
rv = validity->GetNotBefore(¬Before);
|
||||
if (NS_FAILED(rv))
|
||||
return rv;
|
||||
rv = validity->GetNotAfter(¬After);
|
||||
if (NS_FAILED(rv))
|
||||
return rv;
|
||||
if (LL_CMP(now, >, notAfter)) {
|
||||
messint |= GTK_MOZ_EMBED_CERT_EXPIRED;
|
||||
timeToUse = notAfter;
|
||||
} else {
|
||||
messint |= GTK_MOZ_EMBED_CERT_REVOKED;
|
||||
timeToUse = notBefore;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (aError & nsIX509Cert::CERT_NOT_TRUSTED) {
|
||||
messint |= GTK_MOZ_EMBED_CERT_UNTRUSTED;
|
||||
}
|
||||
if (aError & nsIX509Cert::ISSUER_UNKNOWN) {
|
||||
messint |= GTK_MOZ_EMBED_CERT_ISSUER_UNKNOWN;
|
||||
}
|
||||
if (aError & nsIX509Cert::ISSUER_NOT_TRUSTED) {
|
||||
messint |= GTK_MOZ_EMBED_CERT_ISSUER_UNTRUSTED;
|
||||
}
|
||||
if (aError & nsIX509Cert::INVALID_CA) {
|
||||
messint |= GTK_MOZ_EMBED_CERT_INVALID_CA;
|
||||
}
|
||||
if (aError & nsIX509Cert::USAGE_NOT_ALLOWED) {
|
||||
}
|
||||
PRBool retVal = PR_FALSE;
|
||||
if (common) {
|
||||
g_signal_emit_by_name(common, "certificate-error", pCert, messint, &retVal);
|
||||
}
|
||||
if (retVal == PR_TRUE) {
|
||||
*_retval = PR_FALSE;
|
||||
rv = NS_ERROR_FAILURE;
|
||||
} else {
|
||||
rv = NS_OK;
|
||||
*_retval = PR_TRUE;
|
||||
}
|
||||
pCert = NULL;
|
||||
} else {
|
||||
rv = NS_OK;
|
||||
*_retval = PR_TRUE;
|
||||
}
|
||||
return rv;
|
||||
}
|
||||
#endif
|
||||
|
|
|
@ -44,10 +44,6 @@
|
|||
#ifndef __EmbedCertificates_h
|
||||
#define __EmbedCertificates_h
|
||||
#include "nsITokenPasswordDialogs.h"
|
||||
#include "nsIBadCertListener.h"
|
||||
#ifdef BAD_CERT_LISTENER2
|
||||
#include "nsIBadCertListener2.h"
|
||||
#endif
|
||||
#include "nsICertificateDialogs.h"
|
||||
#include "nsIClientAuthDialogs.h"
|
||||
#include "nsICertPickDialogs.h"
|
||||
|
@ -63,10 +59,6 @@
|
|||
class EmbedPrivate;
|
||||
class EmbedCertificates
|
||||
: public nsITokenPasswordDialogs,
|
||||
public nsIBadCertListener,
|
||||
#ifdef BAD_CERT_LISTENER2
|
||||
public nsIBadCertListener2,
|
||||
#endif
|
||||
public nsICertificateDialogs,
|
||||
public nsIClientAuthDialogs,
|
||||
public nsICertPickDialogs,
|
||||
|
@ -77,10 +69,6 @@ class EmbedCertificates
|
|||
public:
|
||||
NS_DECL_ISUPPORTS
|
||||
NS_DECL_NSITOKENPASSWORDDIALOGS
|
||||
NS_DECL_NSIBADCERTLISTENER
|
||||
#ifdef BAD_CERT_LISTENER2
|
||||
NS_DECL_NSIBADCERTLISTENER2
|
||||
#endif
|
||||
NS_DECL_NSICERTIFICATEDIALOGS
|
||||
NS_DECL_NSICLIENTAUTHDIALOGS
|
||||
NS_DECL_NSICERTPICKDIALOGS
|
||||
|
|
|
@ -81,7 +81,6 @@
|
|||
#include "nsIDocShellTreeItem.h"
|
||||
#include "nsDocShellCID.h"
|
||||
#include "nsMemory.h"
|
||||
#include "nsIBadCertListener.h"
|
||||
#include "nsIInterfaceRequestor.h"
|
||||
#include "nsIInterfaceRequestorUtils.h"
|
||||
#include "nsIX509Cert.h"
|
||||
|
@ -195,95 +194,6 @@ CompressBZ2(nsIInputStream *src, PRFileDesc *outFd)
|
|||
|
||||
//-----------------------------------------------------------------------------
|
||||
|
||||
class nsMetricsService::BadCertListener : public nsIBadCertListener,
|
||||
public nsIInterfaceRequestor
|
||||
{
|
||||
public:
|
||||
NS_DECL_ISUPPORTS
|
||||
NS_DECL_NSIBADCERTLISTENER
|
||||
NS_DECL_NSIINTERFACEREQUESTOR
|
||||
|
||||
BadCertListener() { }
|
||||
|
||||
private:
|
||||
~BadCertListener() { }
|
||||
};
|
||||
|
||||
// This object has to implement threadsafe addref and release, but this is
|
||||
// only because the GetInterface call happens on the socket transport thread.
|
||||
// The actual notifications are proxied to the main thread.
|
||||
NS_IMPL_THREADSAFE_ISUPPORTS2(nsMetricsService::BadCertListener,
|
||||
nsIBadCertListener, nsIInterfaceRequestor)
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsMetricsService::BadCertListener::ConfirmUnknownIssuer(
|
||||
nsIInterfaceRequestor *socketInfo, nsIX509Cert *cert,
|
||||
PRInt16 *certAddType, PRBool *result)
|
||||
{
|
||||
*result = PR_FALSE;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsMetricsService::BadCertListener::ConfirmMismatchDomain(
|
||||
nsIInterfaceRequestor *socketInfo, const nsACString &targetURL,
|
||||
nsIX509Cert *cert, PRBool *result)
|
||||
{
|
||||
*result = PR_FALSE;
|
||||
|
||||
nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
|
||||
NS_ENSURE_STATE(prefs);
|
||||
|
||||
nsCString certHostOverride;
|
||||
prefs->GetCharPref("metrics.upload.cert-host-override",
|
||||
getter_Copies(certHostOverride));
|
||||
|
||||
if (!certHostOverride.IsEmpty()) {
|
||||
// Accept the given alternate hostname (CN) for the certificate
|
||||
nsString certHost;
|
||||
cert->GetCommonName(certHost);
|
||||
if (certHostOverride.Equals(NS_ConvertUTF16toUTF8(certHost))) {
|
||||
*result = PR_TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsMetricsService::BadCertListener::ConfirmCertExpired(
|
||||
nsIInterfaceRequestor *socketInfo, nsIX509Cert *cert, PRBool *result)
|
||||
{
|
||||
*result = PR_FALSE;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsMetricsService::BadCertListener::NotifyCrlNextupdate(
|
||||
nsIInterfaceRequestor *socketInfo,
|
||||
const nsACString &targetURL, nsIX509Cert *cert)
|
||||
{
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsMetricsService::BadCertListener::GetInterface(const nsIID &uuid,
|
||||
void **result)
|
||||
{
|
||||
NS_ENSURE_ARG_POINTER(result);
|
||||
|
||||
if (uuid.Equals(NS_GET_IID(nsIBadCertListener))) {
|
||||
*result = static_cast<nsIBadCertListener *>(this);
|
||||
NS_ADDREF_THIS();
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
*result = nsnull;
|
||||
return NS_ERROR_NO_INTERFACE;
|
||||
}
|
||||
|
||||
//-----------------------------------------------------------------------------
|
||||
|
||||
nsMetricsService::nsMetricsService()
|
||||
: mMD5Context(nsnull),
|
||||
mEventCount(0),
|
||||
|
@ -1327,11 +1237,6 @@ nsMetricsService::UploadData()
|
|||
NS_ENSURE_STATE(props);
|
||||
props->SetPropertyAsBool(NS_LITERAL_STRING("moz-metrics-request"), PR_TRUE);
|
||||
|
||||
nsCOMPtr<nsIInterfaceRequestor> certListener = new BadCertListener();
|
||||
NS_ENSURE_TRUE(certListener, NS_ERROR_OUT_OF_MEMORY);
|
||||
|
||||
channel->SetNotificationCallbacks(certListener);
|
||||
|
||||
nsCOMPtr<nsIUploadChannel> uploadChannel = do_QueryInterface(channel);
|
||||
NS_ENSURE_STATE(uploadChannel);
|
||||
|
||||
|
|
|
@ -82,16 +82,8 @@
|
|||
<!-- Certificate Exists in database -->
|
||||
<!ENTITY caCertExists.title "Certificate Exists">
|
||||
<!ENTITY caCertExists.message "The Certificate already exists.">
|
||||
|
||||
<!-- Strings for the MismatchDomain dialog -->
|
||||
<!ENTITY domainMismatch.title "Security Error: Domain Name Mismatch">
|
||||
<!ENTITY examineCert.label "View Certificate">
|
||||
<!ENTITY examineCert.accesskey "V">
|
||||
|
||||
<!-- Strings for the Server cert expired dialog -->
|
||||
<!ENTITY serverCertExpired.continue "Would you like to continue anyway?">
|
||||
<!ENTITY serverCertExpired.accept.label "Continue">
|
||||
|
||||
<!-- Strings for the SSL client auth ask dialog -->
|
||||
<!ENTITY clientAuthAsk.title "User Identification Request">
|
||||
<!ENTITY clientAuthAsk.message1 "This site has requested that you identify yourself with a certificate:">
|
||||
|
|
|
@ -54,9 +54,9 @@ issuerNotKnown=Because you do not know the certificate authority that issued thi
|
|||
issuerCertNotFound=Certificate for this certificate authority was not found
|
||||
|
||||
#For Deleting Certificates
|
||||
deleteSslCertConfirm=Are you sure you want to delete these web site certificates?
|
||||
deleteSslCertImpact=If you delete a web site certificate, you will be asked to accept it again the next time you visit the web site.
|
||||
deleteSslCertTitle=Delete Web Site Certificates
|
||||
deleteSslCertConfirm2=Are you sure you want to delete these web site exceptions?
|
||||
deleteSslCertImpact2=If you delete a web site exception, you restore the usual security checks for that site and require it uses a valid certificate.
|
||||
deleteSslCertTitle2=Delete Web Site Certificate Exceptions
|
||||
|
||||
deleteUserCertConfirm=Are you sure you want to delete these certificates?
|
||||
deleteUserCertImpact=If you delete one of your own certificates, you can no longer use it to identify yourself.
|
||||
|
@ -79,16 +79,6 @@ chooseP12RestoreFileDialog=File Name to Restore
|
|||
chooseP12BackupFileDialog=File Name to Backup
|
||||
file_browse_PKCS12_spec=PKCS12 Files
|
||||
|
||||
#Mismatch Domain Dialg
|
||||
mismatchDomainMsg1=You have attempted to establish a connection with "%S". However, the security certificate presented belongs to "%S". It is possible, though unlikely, that someone may be trying to intercept your communication with this web site.
|
||||
mismatchDomainMsg2=If you suspect the certificate shown does not belong to "%S", please cancel the connection and notify the site administrator.
|
||||
|
||||
#Server Cert expired
|
||||
serverCertExpiredMsg1="%S" is a site that uses a security certificate to encrypt data during transmission, but its certificate expired on %S.
|
||||
serverCertExpiredTitle=Server Certificate Expired
|
||||
serverCertNotYetValedMsg1="%S" is a site that uses a security certificate to encrypt data during transmission, but its certificate will not be valid until %S.
|
||||
serverCertNotYetValidTitle=Server Certificate Not Yet Valid
|
||||
serverCertExpiredMsg2=You should check to make sure that your computer's time (currently set to %S) is correct.
|
||||
|
||||
#Preferences
|
||||
resetPreferences=Use this button to reset %S's security preferences to their factory settings.
|
||||
|
|
|
@ -21,6 +21,7 @@
|
|||
* Contributor(s):
|
||||
* Bob Lord <lord@netscape.com>
|
||||
* Ian McGreer <mcgreer@netscape.com>
|
||||
* Kai Engert <kengert@redhat.com>
|
||||
*
|
||||
* Alternatively, the contents of this file may be used under the terms of
|
||||
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
||||
|
@ -53,7 +54,8 @@ const nsNSSCertCache = "@mozilla.org/security/nsscertcache;1";
|
|||
var key;
|
||||
|
||||
var selected_certs = [];
|
||||
var selected_cert_index = [];
|
||||
var selected_tree_items = [];
|
||||
var selected_index = [];
|
||||
var certdb;
|
||||
|
||||
var caTreeView;
|
||||
|
@ -157,7 +159,61 @@ function getSelectedCerts()
|
|||
if (cert) {
|
||||
var sc = selected_certs.length;
|
||||
selected_certs[sc] = cert;
|
||||
selected_cert_index[sc] = j;
|
||||
selected_index[sc] = j;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function getSelectedTreeItems()
|
||||
{
|
||||
var ca_tab = document.getElementById("ca_tab");
|
||||
var mine_tab = document.getElementById("mine_tab");
|
||||
var others_tab = document.getElementById("others_tab");
|
||||
var websites_tab = document.getElementById("websites_tab");
|
||||
var orphan_tab = document.getElementById("orphan_tab");
|
||||
var items = null;
|
||||
if (ca_tab.selected) {
|
||||
items = caTreeView.selection;
|
||||
} else if (mine_tab.selected) {
|
||||
items = userTreeView.selection;
|
||||
} else if (others_tab.selected) {
|
||||
items = emailTreeView.selection;
|
||||
} else if (websites_tab.selected) {
|
||||
items = serverTreeView.selection;
|
||||
} else if (orphan_tab.selected) {
|
||||
items = orphanTreeView.selection;
|
||||
}
|
||||
selected_certs = [];
|
||||
selected_tree_items = [];
|
||||
selected_index = [];
|
||||
var tree_item = null;
|
||||
var nr = 0;
|
||||
if (items != null) nr = items.getRangeCount();
|
||||
if (nr > 0) {
|
||||
for (var i=0; i<nr; i++) {
|
||||
var o1 = {};
|
||||
var o2 = {};
|
||||
items.getRangeAt(i, o1, o2);
|
||||
var min = o1.value;
|
||||
var max = o2.value;
|
||||
for (var j=min; j<=max; j++) {
|
||||
if (ca_tab.selected) {
|
||||
tree_item = caTreeView.getTreeItem(j);
|
||||
} else if (mine_tab.selected) {
|
||||
tree_item = userTreeView.getTreeItem(j);
|
||||
} else if (others_tab.selected) {
|
||||
tree_item = emailTreeView.getTreeItem(j);
|
||||
} else if (websites_tab.selected) {
|
||||
tree_item = serverTreeView.getTreeItem(j);
|
||||
} else if (orphan_tab.selected) {
|
||||
tree_item = orphanTreeView.getTreeItem(j);
|
||||
}
|
||||
if (tree_item) {
|
||||
var sc = selected_tree_items.length;
|
||||
selected_tree_items[sc] = tree_item;
|
||||
selected_index[sc] = j;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -222,18 +278,49 @@ function mine_enableButtons()
|
|||
function websites_enableButtons()
|
||||
{
|
||||
var items = serverTreeView.selection;
|
||||
var toggle="false";
|
||||
if (items.getRangeCount() == 0) {
|
||||
toggle="true";
|
||||
var count_ranges = items.getRangeCount();
|
||||
|
||||
var enable_delete = false;
|
||||
var enable_view = false;
|
||||
var enable_edit = false;
|
||||
|
||||
if (count_ranges > 0) {
|
||||
enable_delete = true;
|
||||
}
|
||||
|
||||
if (count_ranges == 1) {
|
||||
var o1 = {};
|
||||
var o2 = {};
|
||||
items.getRangeAt(0, o1, o2); // the first range
|
||||
if (o1.value == o2.value) {
|
||||
// only a single item is selected
|
||||
try {
|
||||
var ti = serverTreeView.getTreeItem(o1.value);
|
||||
if (ti) {
|
||||
if (ti.cert) {
|
||||
enable_view = true;
|
||||
}
|
||||
// Trust editing is not possible for override
|
||||
// entries that are bound to host:port,
|
||||
// where the cert is stored for convenince only.
|
||||
if (!ti.hostPort.length) {
|
||||
enable_edit = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (e) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
var enableViewButton=document.getElementById('websites_viewButton');
|
||||
enableViewButton.setAttribute("disabled",toggle);
|
||||
enableViewButton.setAttribute("disabled", !enable_view);
|
||||
var enableEditButton=document.getElementById('websites_editButton');
|
||||
enableEditButton.setAttribute("disabled",toggle);
|
||||
enableEditButton.setAttribute("disabled", !enable_edit);
|
||||
var enableExportButton=document.getElementById('websites_exportButton');
|
||||
enableExportButton.setAttribute("disabled",toggle);
|
||||
enableExportButton.setAttribute("disabled", !enable_edit);
|
||||
var enableDeleteButton=document.getElementById('websites_deleteButton');
|
||||
enableDeleteButton.setAttribute("disabled",toggle);
|
||||
enableDeleteButton.setAttribute("disabled", !enable_delete);
|
||||
}
|
||||
|
||||
function email_enableButtons()
|
||||
|
@ -305,15 +392,17 @@ function editCerts()
|
|||
for (var t=0; t<numcerts; t++) {
|
||||
var cert = selected_certs[t];
|
||||
var certkey = cert.dbKey;
|
||||
var ca_tab = document.getElementById("ca_tab");
|
||||
var others_tab = document.getElementById("others_tab");
|
||||
if (ca_tab.selected) {
|
||||
if (document.getElementById("ca_tab").selected) {
|
||||
window.openDialog('chrome://pippki/content/editcacert.xul', certkey,
|
||||
'chrome,centerscreen,modal');
|
||||
} else if (others_tab.selected) {
|
||||
} else if (document.getElementById("others_tab").selected) {
|
||||
window.openDialog('chrome://pippki/content/editemailcert.xul', certkey,
|
||||
'chrome,centerscreen,modal');
|
||||
} else {
|
||||
} else if (!document.getElementById("websites_tab").selected
|
||||
|| !serverTreeView.isHostPortOverride(selected_index[t])) {
|
||||
// If the web sites tab is select, trust editing is only allowed
|
||||
// if the entry refers to a real cert, but not if it's
|
||||
// a host:port override, where the cert is stored for convenince only.
|
||||
window.openDialog('chrome://pippki/content/editsslcert.xul', certkey,
|
||||
'chrome,centerscreen,modal');
|
||||
}
|
||||
|
@ -356,8 +445,8 @@ function exportCerts()
|
|||
|
||||
function deleteCerts()
|
||||
{
|
||||
getSelectedCerts();
|
||||
var numcerts = selected_certs.length;
|
||||
getSelectedTreeItems();
|
||||
var numcerts = selected_tree_items.length;
|
||||
if (!numcerts)
|
||||
return;
|
||||
|
||||
|
@ -398,15 +487,17 @@ function deleteCerts()
|
|||
params.SetInt(0,numcerts);
|
||||
for (t=0; t<numcerts; t++)
|
||||
{
|
||||
var cert = selected_certs[t];
|
||||
params.SetString(t+1, cert.dbKey);
|
||||
var tree_item = selected_tree_items[t];
|
||||
var c = tree_item.cert;
|
||||
if (!c) {
|
||||
params.SetString(t+1, tree_item.hostPort);
|
||||
}
|
||||
else {
|
||||
params.SetString(t+1, c.commonName);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// The dialog will modify the params.
|
||||
// Every param item where the corresponding cert could get deleted,
|
||||
// will still contain the db key.
|
||||
// Certs which could not get deleted, will have their corrensponding
|
||||
// param string erased.
|
||||
window.openDialog('chrome://pippki/content/deletecert.xul', "",
|
||||
'chrome,centerscreen,modal', params);
|
||||
|
||||
|
@ -419,30 +510,23 @@ function deleteCerts()
|
|||
selTabID = selTab.getAttribute('id');
|
||||
if (selTabID == 'mine_tab') {
|
||||
treeView = userTreeView;
|
||||
loadParam = nsIX509Cert.USER_CERT;
|
||||
} else if (selTabID == "others_tab") {
|
||||
treeView = emailTreeView;
|
||||
loadParam = nsIX509Cert.EMAIL_CERT;
|
||||
} else if (selTabID == "websites_tab") {
|
||||
treeView = serverTreeView;
|
||||
loadParam = nsIX509Cert.SERVER_CERT;
|
||||
} else if (selTabID == "ca_tab") {
|
||||
treeView = caTreeView;
|
||||
loadParam = nsIX509Cert.CA_CERT;
|
||||
} else if (selTabID == "orphan_tab") {
|
||||
treeView = orphanTreeView;
|
||||
loadParam = nsIX509Cert.UNKNOWN_CERT;
|
||||
}
|
||||
|
||||
for (t=numcerts-1; t>=0; t--)
|
||||
{
|
||||
var s = params.GetString(t+1);
|
||||
if (s.length) {
|
||||
// This cert was deleted.
|
||||
treeView.removeCert(selected_cert_index[t]);
|
||||
}
|
||||
treeView.deleteEntryObject(selected_index[t]);
|
||||
}
|
||||
|
||||
selected_tree_items = [];
|
||||
selected_index = [];
|
||||
treeView.selection.clearSelection();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -42,24 +42,14 @@ const nsIPKIParamBlock = Components.interfaces.nsIPKIParamBlock;
|
|||
const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock;
|
||||
|
||||
var certdb;
|
||||
var certs = [];
|
||||
var gParams;
|
||||
|
||||
function setWindowName()
|
||||
{
|
||||
gParams = window.arguments[0].QueryInterface(nsIDialogParamBlock);
|
||||
|
||||
// Get the cert from the cert database
|
||||
certdb = Components.classes[nsX509CertDB].getService(nsIX509CertDB);
|
||||
|
||||
var typeFlag = gParams.GetString(0);
|
||||
var numberOfCerts = gParams.GetInt(0);
|
||||
var dbkey;
|
||||
for(var x=0; x<numberOfCerts;x++)
|
||||
{
|
||||
dbkey = gParams.GetString(x+1);
|
||||
certs[x] = certdb.findCertByDBKey(dbkey , null);
|
||||
}
|
||||
|
||||
var bundle = srGetStrBundle("chrome://pippki/locale/pippki.properties");
|
||||
var title;
|
||||
|
@ -74,9 +64,9 @@ function setWindowName()
|
|||
}
|
||||
else if(typeFlag == "websites_tab")
|
||||
{
|
||||
title = bundle.GetStringFromName("deleteSslCertTitle");
|
||||
confirm = bundle.GetStringFromName("deleteSslCertConfirm");
|
||||
impact = bundle.GetStringFromName("deleteSslCertImpact");
|
||||
title = bundle.GetStringFromName("deleteSslCertTitle2");
|
||||
confirm = bundle.GetStringFromName("deleteSslCertConfirm2");
|
||||
impact = bundle.GetStringFromName("deleteSslCertImpact2");
|
||||
}
|
||||
else if(typeFlag == "ca_tab")
|
||||
{
|
||||
|
@ -108,12 +98,10 @@ function setWindowName()
|
|||
|
||||
var box=document.getElementById("certlist");
|
||||
var text;
|
||||
for(x=0;x<certs.length;x++)
|
||||
for(var x=0;x<numberOfCerts;x++)
|
||||
{
|
||||
if (!certs[x])
|
||||
continue;
|
||||
text = document.createElement("text");
|
||||
text.setAttribute("value",certs[x].commonName);
|
||||
text.setAttribute("value", gParams.GetString(x+1));
|
||||
box.appendChild(text);
|
||||
}
|
||||
|
||||
|
@ -122,32 +110,12 @@ function setWindowName()
|
|||
|
||||
function doOK()
|
||||
{
|
||||
// On returning our param list will contain keys of those certs that were deleted.
|
||||
// It will contain empty strings for those certs that are still alive.
|
||||
|
||||
for(var i=0;i<certs.length;i++)
|
||||
{
|
||||
if (certs[i]) {
|
||||
try {
|
||||
certdb.deleteCertificate(certs[i]);
|
||||
}
|
||||
catch (e) {
|
||||
gParams.SetString(i+1, "");
|
||||
}
|
||||
certs[i] = null;
|
||||
}
|
||||
}
|
||||
gParams.SetInt(1, 1); // means OK
|
||||
return true;
|
||||
}
|
||||
|
||||
function doCancel()
|
||||
{
|
||||
var numberOfCerts = gParams.GetInt(0);
|
||||
for(var x=0; x<numberOfCerts;x++)
|
||||
{
|
||||
gParams.SetString(x+1, "");
|
||||
}
|
||||
gParams.SetInt(1, 0); // means CANCEL
|
||||
return true;
|
||||
}
|
||||
|
|
|
@ -1,91 +0,0 @@
|
|||
<?xml version="1.0"?>
|
||||
<!-- ***** BEGIN LICENSE BLOCK *****
|
||||
- Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
||||
-
|
||||
- The contents of this file are subject to the Mozilla Public License Version
|
||||
- 1.1 (the "License"); you may not use this file except in compliance with
|
||||
- the License. You may obtain a copy of the License at
|
||||
- http://www.mozilla.org/MPL/
|
||||
-
|
||||
- Software distributed under the License is distributed on an "AS IS" basis,
|
||||
- WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
||||
- for the specific language governing rights and limitations under the
|
||||
- License.
|
||||
-
|
||||
- The Original Code is mozilla.org Code.
|
||||
-
|
||||
- The Initial Developer of the Original Code is
|
||||
- Netscape Communications Corporation.
|
||||
- Portions created by the Initial Developer are Copyright (C) 2001
|
||||
- the Initial Developer. All Rights Reserved.
|
||||
-
|
||||
- Contributor(s):
|
||||
- Javier Delgadillo <javi@netscape.com>
|
||||
- Bob Lord <lord@netscape.com>
|
||||
- Håkan Waara <hwaara@chello.se>
|
||||
-
|
||||
- Alternatively, the contents of this file may be used under the terms of
|
||||
- either the GNU General Public License Version 2 or later (the "GPL"), or
|
||||
- the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
||||
- in which case the provisions of the GPL or the LGPL are applicable instead
|
||||
- of those above. If you wish to allow use of your version of this file only
|
||||
- under the terms of either the GPL or the LGPL, and not to allow others to
|
||||
- use your version of this file under the terms of the MPL, indicate your
|
||||
- decision by deleting the provisions above and replace them with the notice
|
||||
- and other provisions required by the GPL or the LGPL. If you do not delete
|
||||
- the provisions above, a recipient may use your version of this file under
|
||||
- the terms of any one of the MPL, the GPL or the LGPL.
|
||||
-
|
||||
- ***** END LICENSE BLOCK ***** -->
|
||||
|
||||
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
|
||||
|
||||
<!DOCTYPE dialog [
|
||||
<!ENTITY % newserverDTD SYSTEM "chrome://pippki/locale/newserver.dtd" >
|
||||
%newserverDTD;
|
||||
<!ENTITY % pippkiDTD SYSTEM "chrome://pippki/locale/pippki.dtd" >
|
||||
%pippkiDTD;
|
||||
]>
|
||||
|
||||
<dialog id="newServerDialog" title="&newserver.title;"
|
||||
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
|
||||
style="width: 47em;"
|
||||
onload="onLoad();"
|
||||
buttons="accept,cancel,extra2"
|
||||
defaultButton="cancel"
|
||||
buttonlabelextra2="&newserver.examine;"
|
||||
ondialogaccept="return doOK();"
|
||||
ondialogcancel="return doCancel();"
|
||||
ondialogextra2="viewCert();">
|
||||
|
||||
<script type="application/x-javascript" src="chrome://global/content/strres.js"/>
|
||||
<script type="application/x-javascript" src="chrome://pippki/content/pippki.js"/>
|
||||
<script type="application/x-javascript" src="chrome://pippki/content/newserver.js"/>
|
||||
|
||||
<stringbundle id="newserver_bundle" src="chrome://pippki/locale/newserver.properties"/>
|
||||
|
||||
<hbox valign="top" align="center">
|
||||
|
||||
<image class="alert-icon" style="margin: 5px"/>
|
||||
<vbox flex="1" valign="middle">
|
||||
|
||||
<description id="intro"/>
|
||||
<separator class="thin"/>
|
||||
<description>&newserver.reasons;</description>
|
||||
<description>&newserver.reason1x;</description>
|
||||
<description>&newserver.reason2;</description>
|
||||
<description id="reason3"/>
|
||||
<separator class="thin"/>
|
||||
<description>&newserver.notify;</description>
|
||||
<separator/>
|
||||
<description id="question"/>
|
||||
<separator class="thin"/>
|
||||
<radiogroup id="whatnow">
|
||||
<radio label="&newserver.remember;" id="remember" value="0"/>
|
||||
<radio label="&newserver.session;" id="session"
|
||||
value="1" selected="true"/>
|
||||
</radiogroup>
|
||||
</vbox>
|
||||
</hbox>
|
||||
|
||||
</dialog>
|
|
@ -1,92 +0,0 @@
|
|||
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
|
||||
*
|
||||
* ***** BEGIN LICENSE BLOCK *****
|
||||
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
||||
*
|
||||
* The contents of this file are subject to the Mozilla Public License Version
|
||||
* 1.1 (the "License"); you may not use this file except in compliance with
|
||||
* the License. You may obtain a copy of the License at
|
||||
* http://www.mozilla.org/MPL/
|
||||
*
|
||||
* Software distributed under the License is distributed on an "AS IS" basis,
|
||||
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
||||
* for the specific language governing rights and limitations under the
|
||||
* License.
|
||||
*
|
||||
* The Original Code is mozilla.org code.
|
||||
*
|
||||
* The Initial Developer of the Original Code is
|
||||
* Netscape Communications Corporation.
|
||||
* Portions created by the Initial Developer are Copyright (C) 1998
|
||||
* the Initial Developer. All Rights Reserved.
|
||||
*
|
||||
* Contributor(s):
|
||||
* Javier Delgadillo <javi@netscape.com>
|
||||
*
|
||||
* Alternatively, the contents of this file may be used under the terms of
|
||||
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
||||
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
||||
* in which case the provisions of the GPL or the LGPL are applicable instead
|
||||
* of those above. If you wish to allow use of your version of this file only
|
||||
* under the terms of either the GPL or the LGPL, and not to allow others to
|
||||
* use your version of this file under the terms of the MPL, indicate your
|
||||
* decision by deleting the provisions above and replace them with the notice
|
||||
* and other provisions required by the GPL or the LGPL. If you do not delete
|
||||
* the provisions above, a recipient may use your version of this file under
|
||||
* the terms of any one of the MPL, the GPL or the LGPL.
|
||||
*
|
||||
* ***** END LICENSE BLOCK ***** */
|
||||
|
||||
|
||||
const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock;
|
||||
const nsIPKIParamBlock = Components.interfaces.nsIPKIParamBlock;
|
||||
const nsIX509Cert = Components.interfaces.nsIX509Cert;
|
||||
|
||||
var dialogParams;
|
||||
var pkiParams;
|
||||
var cert=null;
|
||||
|
||||
function onLoad()
|
||||
{
|
||||
pkiParams = window.arguments[0].QueryInterface(nsIPKIParamBlock);
|
||||
dialogParams = pkiParams.QueryInterface(nsIDialogParamBlock);
|
||||
|
||||
document.title = dialogParams.GetString(2);
|
||||
var bundle = srGetStrBundle("chrome://pippki/locale/pippki.properties");
|
||||
var message1 = dialogParams.GetString(1);
|
||||
|
||||
const nsIScriptableDateFormat = Components.interfaces.nsIScriptableDateFormat;
|
||||
var dateService = Components.classes["@mozilla.org/intl/scriptabledateformat;1"].getService(nsIScriptableDateFormat);
|
||||
var date = new Date();
|
||||
var dateStr = dateService.FormatDateTime("", dateService.dateFormatShort, dateService.timeFormatNoSeconds,
|
||||
date.getFullYear(), date.getMonth()+1, date.getDate(),
|
||||
date.getHours(), date.getMinutes(), date.getSeconds());
|
||||
|
||||
var message2 = bundle.formatStringFromName("serverCertExpiredMsg2",
|
||||
[ dateStr ],
|
||||
1);
|
||||
setText("message1", message1);
|
||||
setText("message2", message2);
|
||||
document.documentElement.getButton("accept").focus();
|
||||
}
|
||||
|
||||
function doOK()
|
||||
{
|
||||
dialogParams.SetInt(1,1);
|
||||
return true;
|
||||
}
|
||||
|
||||
function doCancel()
|
||||
{
|
||||
dialogParams.SetInt(1,0);
|
||||
return true;
|
||||
}
|
||||
|
||||
function viewCert()
|
||||
{
|
||||
if (cert == null) {
|
||||
var isupport = pkiParams.getISupportAtIndex(1);
|
||||
cert = isupport.QueryInterface(nsIX509Cert);
|
||||
}
|
||||
viewCertHelper(window, cert);
|
||||
}
|
|
@ -41,7 +41,6 @@
|
|||
#define __NS_NSSDIALOGS_H__
|
||||
|
||||
#include "nsITokenPasswordDialogs.h"
|
||||
#include "nsIBadCertListener.h"
|
||||
#include "nsICertificateDialogs.h"
|
||||
#include "nsIClientAuthDialogs.h"
|
||||
#include "nsICertPickDialogs.h"
|
||||
|
@ -58,7 +57,6 @@
|
|||
|
||||
class nsNSSDialogs
|
||||
: public nsITokenPasswordDialogs,
|
||||
public nsIBadCertListener,
|
||||
public nsICertificateDialogs,
|
||||
public nsIClientAuthDialogs,
|
||||
public nsICertPickDialogs,
|
||||
|
@ -69,7 +67,6 @@ class nsNSSDialogs
|
|||
public:
|
||||
NS_DECL_ISUPPORTS
|
||||
NS_DECL_NSITOKENPASSWORDDIALOGS
|
||||
NS_DECL_NSIBADCERTLISTENER
|
||||
NS_DECL_NSICERTIFICATEDIALOGS
|
||||
NS_DECL_NSICLIENTAUTHDIALOGS
|
||||
NS_DECL_NSICERTPICKDIALOGS
|
||||
|
|
|
@ -61,13 +61,6 @@ static const nsModuleComponentInfo components[] =
|
|||
nsNSSDialogsConstructor
|
||||
},
|
||||
|
||||
{
|
||||
NSS_DIALOGS_DESCRIPTION,
|
||||
NS_NSSDIALOGS_CID,
|
||||
NS_BADCERTLISTENER_CONTRACTID,
|
||||
nsNSSDialogsConstructor
|
||||
},
|
||||
|
||||
{
|
||||
NSS_DIALOGS_DESCRIPTION,
|
||||
NS_NSSDIALOGS_CID,
|
||||
|
|
|
@ -51,7 +51,7 @@ GRE_MODULE = 1
|
|||
SDK_XPIDLSRCS = \
|
||||
nsIASN1Object.idl \
|
||||
nsIASN1Sequence.idl \
|
||||
nsIBadCertListener.idl \
|
||||
nsIBadCertListener2.idl \
|
||||
nsICertificateDialogs.idl \
|
||||
nsICRLInfo.idl \
|
||||
nsIX509Cert.idl \
|
||||
|
@ -61,6 +61,7 @@ SDK_XPIDLSRCS = \
|
|||
$(NULL)
|
||||
|
||||
XPIDLSRCS = \
|
||||
nsICertOverrideService.idl \
|
||||
nsIFormSigningDialog.idl \
|
||||
nsIX509Cert2.idl \
|
||||
nsIX509Cert3.idl \
|
||||
|
|
|
@ -1,155 +0,0 @@
|
|||
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
|
||||
*
|
||||
* ***** BEGIN LICENSE BLOCK *****
|
||||
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
||||
*
|
||||
* The contents of this file are subject to the Mozilla Public License Version
|
||||
* 1.1 (the "License"); you may not use this file except in compliance with
|
||||
* the License. You may obtain a copy of the License at
|
||||
* http://www.mozilla.org/MPL/
|
||||
*
|
||||
* Software distributed under the License is distributed on an "AS IS" basis,
|
||||
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
||||
* for the specific language governing rights and limitations under the
|
||||
* License.
|
||||
*
|
||||
* The Original Code is mozilla.org code.
|
||||
*
|
||||
* The Initial Developer of the Original Code is
|
||||
* Netscape Communications Corporation.
|
||||
* Portions created by the Initial Developer are Copyright (C) 1998
|
||||
* the Initial Developer. All Rights Reserved.
|
||||
*
|
||||
* Contributor(s):
|
||||
* Javier Delgadillo <javi@netscape.com>
|
||||
*
|
||||
* Alternatively, the contents of this file may be used under the terms of
|
||||
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
||||
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
||||
* in which case the provisions of the GPL or the LGPL are applicable instead
|
||||
* of those above. If you wish to allow use of your version of this file only
|
||||
* under the terms of either the GPL or the LGPL, and not to allow others to
|
||||
* use your version of this file under the terms of the MPL, indicate your
|
||||
* decision by deleting the provisions above and replace them with the notice
|
||||
* and other provisions required by the GPL or the LGPL. If you do not delete
|
||||
* the provisions above, a recipient may use your version of this file under
|
||||
* the terms of any one of the MPL, the GPL or the LGPL.
|
||||
*
|
||||
* ***** END LICENSE BLOCK ***** */
|
||||
|
||||
#include "nsISupports.idl"
|
||||
|
||||
interface nsIX509Cert;
|
||||
interface nsIInterfaceRequestor;
|
||||
|
||||
/**
|
||||
* Functions that display warnings for problems with web site trust.
|
||||
*
|
||||
* @status FROZEN
|
||||
*/
|
||||
[scriptable, uuid(86960956-edb0-11d4-998b-00b0d02354a0)]
|
||||
interface nsIBadCertListener : nsISupports {
|
||||
|
||||
/**
|
||||
* No decision was made by the user, whether to trust a cert.
|
||||
*/
|
||||
const short UNINIT_ADD_FLAG = -1;
|
||||
|
||||
/**
|
||||
* The user decided to add trust to a certificate temporarily
|
||||
* for the current application session only.
|
||||
*/
|
||||
const short ADD_TRUSTED_FOR_SESSION = 1;
|
||||
|
||||
/**
|
||||
* The user decided to add trust to a certificate permanently.
|
||||
*/
|
||||
const short ADD_TRUSTED_PERMANENTLY = 2;
|
||||
|
||||
/**
|
||||
* Inform the user there are problems with the trust of a certificate,
|
||||
* and request a decision from the user.
|
||||
* The UI should offer the user a way to look at the certificate in detail.
|
||||
* The following is a sample UI message to be shown to the user:
|
||||
*
|
||||
* Unable to verify the identity of %S as a trusted site.
|
||||
* Possible reasons for this error:
|
||||
* - Your browser does not recognize the Certificate Authority
|
||||
* that issued the site's certificate.
|
||||
* - The site's certificate is incomplete due to a
|
||||
* server misconfiguration.
|
||||
* - You are connected to a site pretending to be %S,
|
||||
* possibly to obtain your confidential information.
|
||||
* Please notify the site's webmaster about this problem.
|
||||
* Before accepting this certificate, you should examine this site's
|
||||
* certificate carefully. Are you willing to accept this certificate
|
||||
* for the purpose of identifying the Web site %S?
|
||||
* o Accept this certificate permanently
|
||||
* x Accept this certificate temporarily for this session
|
||||
* o Do not accept this certificate and do not connect to this Web site
|
||||
*
|
||||
* @param socketInfo A network communication context that can be used to obtain more information
|
||||
* about the active connection.
|
||||
* @param cert The certificate that is not trusted and that is having the problem.
|
||||
* @param certAddType The user's trust decision. See constants defined above.
|
||||
*
|
||||
* @return true if the user decided to connect anyway, false if the user decided to not connect
|
||||
*/
|
||||
boolean confirmUnknownIssuer(in nsIInterfaceRequestor socketInfo,
|
||||
in nsIX509Cert cert,
|
||||
out short certAddType);
|
||||
|
||||
/**
|
||||
* Inform the user there are problems with the trust of a certificate,
|
||||
* and request a decision from the user.
|
||||
* The hostname mentioned in the server's certificate is not the hostname
|
||||
* that was used as a destination address for the current connection.
|
||||
*
|
||||
* @param socketInfo A network communication context that can be used to obtain more information
|
||||
* about the active connection.
|
||||
* @param targetURL The URL that was used to open the current connection.
|
||||
* @param cert The certificate that was presented by the server.
|
||||
*
|
||||
* @return true if the user decided to connect anyway, false if the user decided to not connect
|
||||
*/
|
||||
boolean confirmMismatchDomain(in nsIInterfaceRequestor socketInfo,
|
||||
in AUTF8String targetURL,
|
||||
in nsIX509Cert cert);
|
||||
|
||||
/**
|
||||
* Inform the user there are problems with the trust of a certificate,
|
||||
* and request a decision from the user.
|
||||
* The certificate presented by the server is no longer valid because
|
||||
* the validity period has expired.
|
||||
*
|
||||
* @param socketInfo A network communication context that can be used to obtain more information
|
||||
* about the active connection.
|
||||
* @param cert The certificate that was presented by the server.
|
||||
*
|
||||
* @return true if the user decided to connect anyway, false if the user decided to not connect
|
||||
*/
|
||||
boolean confirmCertExpired(in nsIInterfaceRequestor socketInfo,
|
||||
in nsIX509Cert cert);
|
||||
|
||||
/**
|
||||
* Inform the user there are problems with the trust of a certificate,
|
||||
* and request a decision from the user.
|
||||
* The Certificate Authority (CA) that issued the server's certificate has issued a
|
||||
* Certificate Revocation List (CRL).
|
||||
* However, the application does not have a current version of the CA's CRL.
|
||||
* Due to the application configuration, the application disallows the connection
|
||||
* to the remote site.
|
||||
*
|
||||
* @param socketInfo A network communication context that can be used to obtain more information
|
||||
* about the active connection.
|
||||
* @param targetURL The URL that was used to open the current connection.
|
||||
* @param cert The certificate that was presented by the server.
|
||||
*/
|
||||
void notifyCrlNextupdate(in nsIInterfaceRequestor socketInfo,
|
||||
in AUTF8String targetURL, in nsIX509Cert cert);
|
||||
|
||||
};
|
||||
|
||||
%{C++
|
||||
#define NS_BADCERTLISTENER_CONTRACTID "@mozilla.org/nsBadCertListener;1"
|
||||
%}
|
|
@ -22,6 +22,7 @@
|
|||
*
|
||||
* Contributor(s):
|
||||
* Ian McGreer <mcgreer@netscape.com>
|
||||
* Kai Engert <kengert@redhat.com>
|
||||
*
|
||||
* Alternatively, the contents of this file may be used under the terms of
|
||||
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
||||
|
@ -43,15 +44,23 @@
|
|||
interface nsINSSCertCache;
|
||||
interface nsIX509Cert;
|
||||
|
||||
[scriptable, uuid(4ea60761-31d6-491d-9e34-4b53a26c416c)]
|
||||
[scriptable, uuid(d0180863-606e-49e6-8324-cf45ed4dd891)]
|
||||
interface nsICertTreeItem : nsISupports {
|
||||
readonly attribute nsIX509Cert cert;
|
||||
readonly attribute AString hostPort;
|
||||
};
|
||||
|
||||
[scriptable, uuid(a8cd1c89-a901-4735-831b-7198b7b8b6b1)]
|
||||
interface nsICertTree : nsITreeView {
|
||||
|
||||
void loadCerts(in unsigned long type);
|
||||
void loadCertsFromCache(in nsINSSCertCache cache, in unsigned long type);
|
||||
|
||||
nsIX509Cert getCert(in unsigned long index);
|
||||
nsICertTreeItem getTreeItem(in unsigned long index);
|
||||
boolean isHostPortOverride(in unsigned long index);
|
||||
|
||||
void removeCert(in unsigned long index);
|
||||
void deleteEntryObject(in unsigned long index);
|
||||
};
|
||||
|
||||
%{C++
|
||||
|
|
|
@ -41,10 +41,25 @@
|
|||
|
||||
interface nsIX509Cert;
|
||||
|
||||
[scriptable, uuid(7b2ca1ca-1dd2-11b2-87ec-d217dbe22b85)]
|
||||
[scriptable, uuid(cfede939-def1-49be-81ed-d401b3a07d1c)]
|
||||
interface nsISSLStatus : nsISupports {
|
||||
readonly attribute nsIX509Cert serverCert;
|
||||
|
||||
readonly attribute string cipherName;
|
||||
readonly attribute unsigned long keyLength;
|
||||
readonly attribute unsigned long secretKeyLength;
|
||||
|
||||
readonly attribute boolean isDomainMismatch;
|
||||
readonly attribute boolean isNotValidAtThisTime;
|
||||
|
||||
/* Note: To distinguish between
|
||||
* "unstrusted because missing or untrusted issuer"
|
||||
* and
|
||||
* "untrusted because self signed"
|
||||
* compare for equality of
|
||||
* nsIX509Cert::subjectName
|
||||
* and
|
||||
* nsIX509Cert::issuerName
|
||||
*/
|
||||
readonly attribute boolean isUntrusted;
|
||||
};
|
||||
|
|
|
@ -57,6 +57,8 @@ LIBXUL_LIBRARY = 1
|
|||
PACKAGE_FILE = pipnss.pkg
|
||||
|
||||
CPPSRCS = \
|
||||
nsNSSCleaner.cpp \
|
||||
nsCertOverrideService.cpp \
|
||||
nsPSMBackgroundThread.cpp \
|
||||
nsSSLThread.cpp \
|
||||
nsCertVerificationThread.cpp \
|
||||
|
@ -65,6 +67,7 @@ CPPSRCS = \
|
|||
nsNSSComponent.cpp \
|
||||
nsNSSErrors.cpp \
|
||||
nsNSSIOLayer.cpp \
|
||||
nsSSLStatus.cpp \
|
||||
nsNSSModule.cpp \
|
||||
nsSSLSocketProvider.cpp \
|
||||
nsTLSSocketProvider.cpp \
|
||||
|
|
|
@ -20,6 +20,7 @@
|
|||
*
|
||||
* Contributor(s):
|
||||
* Ian McGreer <mcgreer@netscape.com>
|
||||
* Kai Engert <kengert@redhat.com>
|
||||
*
|
||||
* Alternatively, the contents of this file may be used under the terms of
|
||||
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
||||
|
@ -51,12 +52,18 @@
|
|||
#include "nsArrayUtils.h"
|
||||
#include "nsISupportsPrimitives.h"
|
||||
#include "nsXPCOMCID.h"
|
||||
#include "nsTHashtable.h"
|
||||
#include "nsHashKeys.h"
|
||||
|
||||
|
||||
#include "prlog.h"
|
||||
#ifdef PR_LOGGING
|
||||
extern PRLogModuleInfo* gPIPNSSLog;
|
||||
#endif
|
||||
|
||||
#include "nsNSSCleaner.h"
|
||||
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
|
||||
|
||||
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
|
||||
|
||||
// treeArrayElStr
|
||||
|
@ -130,7 +137,48 @@ static PLDHashTableOps gMapOps = {
|
|||
CompareCacheInitEntry
|
||||
};
|
||||
|
||||
NS_IMPL_ISUPPORTS0(nsCertAddonInfo)
|
||||
NS_IMPL_ISUPPORTS1(nsCertTreeDispInfo, nsICertTreeItem)
|
||||
|
||||
nsCertTreeDispInfo::nsCertTreeDispInfo()
|
||||
:mAddonInfo(nsnull)
|
||||
,mTypeOfEntry(direct_db)
|
||||
,mOverrideBits(nsCertOverride::ob_None)
|
||||
{
|
||||
}
|
||||
|
||||
nsCertTreeDispInfo::nsCertTreeDispInfo(nsCertTreeDispInfo &other)
|
||||
{
|
||||
mAddonInfo = other.mAddonInfo;
|
||||
mTypeOfEntry = other.mTypeOfEntry;
|
||||
mHostWithPort = other.mHostWithPort;
|
||||
mOverrideBits = other.mOverrideBits;
|
||||
}
|
||||
|
||||
nsCertTreeDispInfo::~nsCertTreeDispInfo()
|
||||
{
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsCertTreeDispInfo::GetCert(nsIX509Cert **_cert)
|
||||
{
|
||||
NS_ENSURE_ARG(_cert);
|
||||
if (mAddonInfo) {
|
||||
*_cert = mAddonInfo->mCert.get();
|
||||
NS_IF_ADDREF(*_cert);
|
||||
}
|
||||
else {
|
||||
*_cert = nsnull;
|
||||
}
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsCertTreeDispInfo::GetHostPort(nsAString &aHostPort)
|
||||
{
|
||||
aHostPort = mHostWithPort;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMPL_ISUPPORTS2(nsCertTree, nsICertTree, nsITreeView)
|
||||
|
||||
|
@ -138,6 +186,7 @@ nsCertTree::nsCertTree() : mTreeArray(NULL)
|
|||
{
|
||||
mCompareCache.ops = nsnull;
|
||||
mNSSComponent = do_GetService(kNSSComponentCID);
|
||||
mOverrideService = do_GetService("@mozilla.org/security/certoverride;1");
|
||||
mCellText = nsnull;
|
||||
}
|
||||
|
||||
|
@ -169,20 +218,7 @@ nsCertTree::~nsCertTree()
|
|||
void
|
||||
nsCertTree::FreeCertArray()
|
||||
{
|
||||
if (mCertArray) {
|
||||
PRUint32 count;
|
||||
nsresult rv = mCertArray->Count(&count);
|
||||
if (NS_FAILED(rv))
|
||||
{
|
||||
NS_ASSERTION(0, "Count failed");
|
||||
return;
|
||||
}
|
||||
PRInt32 i;
|
||||
for (i = count - 1; i >= 0; i--)
|
||||
{
|
||||
mCertArray->RemoveElementAt(i);
|
||||
}
|
||||
}
|
||||
mDispInfo.Clear();
|
||||
}
|
||||
|
||||
CompareCacheHashEntry *
|
||||
|
@ -208,16 +244,19 @@ PRInt32
|
|||
nsCertTree::CountOrganizations()
|
||||
{
|
||||
PRUint32 i, certCount;
|
||||
nsresult rv = mCertArray->Count(&certCount);
|
||||
if (NS_FAILED(rv)) return -1;
|
||||
certCount = mDispInfo.Length();
|
||||
if (certCount == 0) return 0;
|
||||
nsCOMPtr<nsISupports> isupport = dont_AddRef(mCertArray->ElementAt(0));
|
||||
nsCOMPtr<nsIX509Cert> orgCert = do_QueryInterface(isupport);
|
||||
nsCOMPtr<nsIX509Cert> orgCert = nsnull;
|
||||
if (mDispInfo.ElementAt(0)->mAddonInfo) {
|
||||
orgCert = mDispInfo.ElementAt(0)->mAddonInfo->mCert;
|
||||
}
|
||||
nsCOMPtr<nsIX509Cert> nextCert = nsnull;
|
||||
PRInt32 orgCount = 1;
|
||||
for (i=1; i<certCount; i++) {
|
||||
isupport = dont_AddRef(mCertArray->ElementAt(i));
|
||||
nextCert = do_QueryInterface(isupport);
|
||||
nextCert = nsnull;
|
||||
if (mDispInfo.ElementAt(i)->mAddonInfo) {
|
||||
nextCert = mDispInfo.ElementAt(i)->mAddonInfo->mCert;
|
||||
}
|
||||
// XXX we assume issuer org is always criterion 1
|
||||
if (CmpBy(&mCompareCache, orgCert, nextCert, sort_IssuerOrg, sort_None, sort_None) != 0) {
|
||||
orgCert = nextCert;
|
||||
|
@ -255,8 +294,25 @@ nsCertTree::GetThreadDescAtIndex(PRInt32 index)
|
|||
nsIX509Cert *
|
||||
nsCertTree::GetCertAtIndex(PRInt32 index, PRInt32 *outAbsoluteCertOffset)
|
||||
{
|
||||
int i, idx = 0, cIndex = 0, nc;
|
||||
nsRefPtr<nsCertTreeDispInfo> certdi =
|
||||
getter_AddRefs(GetDispInfoAtIndex(index, outAbsoluteCertOffset));
|
||||
if (!certdi)
|
||||
return nsnull;
|
||||
|
||||
nsIX509Cert *rawPtr = nsnull;
|
||||
if (certdi->mAddonInfo) {
|
||||
rawPtr = certdi->mAddonInfo->mCert;
|
||||
NS_IF_ADDREF(rawPtr);
|
||||
}
|
||||
return rawPtr;
|
||||
}
|
||||
|
||||
// If the row at index is a cert, return that cert. Otherwise, return null.
|
||||
nsCertTreeDispInfo *
|
||||
nsCertTree::GetDispInfoAtIndex(PRInt32 index,
|
||||
PRInt32 *outAbsoluteCertOffset)
|
||||
{
|
||||
int i, idx = 0, cIndex = 0, nc;
|
||||
if (index < 0) return nsnull;
|
||||
// Loop over the threads
|
||||
for (i=0; i<mNumOrgs; i++) {
|
||||
|
@ -267,11 +323,12 @@ nsCertTree::GetCertAtIndex(PRInt32 index, PRInt32 *outAbsoluteCertOffset)
|
|||
PRInt32 certIndex = cIndex + index - idx;
|
||||
if (outAbsoluteCertOffset)
|
||||
*outAbsoluteCertOffset = certIndex;
|
||||
nsCOMPtr<nsISupports> isupport =
|
||||
dont_AddRef(mCertArray->ElementAt(certIndex));
|
||||
nsCOMPtr<nsIX509Cert> cert = do_QueryInterface(isupport);
|
||||
rawPtr = cert;
|
||||
NS_IF_ADDREF(rawPtr);
|
||||
nsRefPtr<nsCertTreeDispInfo> certdi = mDispInfo.ElementAt(certIndex);
|
||||
if (certdi) {
|
||||
nsCertTreeDispInfo *raw = certdi.get();
|
||||
NS_IF_ADDREF(raw);
|
||||
return raw;
|
||||
}
|
||||
break;
|
||||
}
|
||||
if (mTreeArray[i].open)
|
||||
|
@ -279,7 +336,7 @@ nsCertTree::GetCertAtIndex(PRInt32 index, PRInt32 *outAbsoluteCertOffset)
|
|||
cIndex += mTreeArray[i].numChildren;
|
||||
if (idx > index) break;
|
||||
}
|
||||
return rawPtr;
|
||||
return nsnull;
|
||||
}
|
||||
|
||||
nsCertTree::nsCertCompareFunc
|
||||
|
@ -299,72 +356,313 @@ nsCertTree::GetCompareFuncFromCertType(PRUint32 aType)
|
|||
}
|
||||
}
|
||||
|
||||
PRBool
|
||||
struct nsCertAndArrayAndPositionAndCounterAndTracker
|
||||
{
|
||||
nsRefPtr<nsCertAddonInfo> certai;
|
||||
nsTArray< nsRefPtr<nsCertTreeDispInfo> > *array;
|
||||
int position;
|
||||
int counter;
|
||||
nsTHashtable<nsCStringHashKey> *tracker;
|
||||
};
|
||||
|
||||
// Used to enumerate host:port overrides that match a stored
|
||||
// certificate, creates and adds a display-info-object to the
|
||||
// provided array. Increments insert position and entry counter.
|
||||
// We remove the given key from the tracker, which is used to
|
||||
// track entries that have not yet been handled.
|
||||
// The created display-info references the cert, so make a note
|
||||
// of that by incrementing the cert usage counter.
|
||||
PR_STATIC_CALLBACK(void)
|
||||
MatchingCertOverridesCallback(const nsCertOverride &aSettings,
|
||||
void *aUserData)
|
||||
{
|
||||
nsCertAndArrayAndPositionAndCounterAndTracker *cap =
|
||||
(nsCertAndArrayAndPositionAndCounterAndTracker*)aUserData;
|
||||
if (!cap)
|
||||
return;
|
||||
|
||||
nsCertTreeDispInfo *certdi = new nsCertTreeDispInfo;
|
||||
if (certdi) {
|
||||
if (cap->certai)
|
||||
cap->certai->mUsageCount++;
|
||||
certdi->mAddonInfo = cap->certai;
|
||||
certdi->mTypeOfEntry = nsCertTreeDispInfo::host_port_override;
|
||||
certdi->mHostWithPort = NS_ConvertUTF8toUTF16(aSettings.mHostWithPortUTF8);
|
||||
certdi->mOverrideBits = aSettings.mOverrideBits;
|
||||
NS_IF_ADDREF(certdi);
|
||||
cap->array->InsertElementAt(cap->position, certdi);
|
||||
cap->position++;
|
||||
cap->counter++;
|
||||
}
|
||||
|
||||
// this entry is now associated to a displayed cert, remove
|
||||
// it from the list of remaining entries
|
||||
cap->tracker->RemoveEntry(aSettings.mHostWithPortUTF8);
|
||||
}
|
||||
|
||||
// Used to collect a list of the (unique) host:port keys
|
||||
// for all stored overrides.
|
||||
PR_STATIC_CALLBACK(void)
|
||||
CollectAllHostPortOverridesCallback(const nsCertOverride &aSettings,
|
||||
void *aUserData)
|
||||
{
|
||||
nsTHashtable<nsCStringHashKey> *collectorTable =
|
||||
(nsTHashtable<nsCStringHashKey> *)aUserData;
|
||||
if (!collectorTable)
|
||||
return;
|
||||
|
||||
collectorTable->PutEntry(aSettings.mHostWithPortUTF8);
|
||||
}
|
||||
|
||||
struct nsArrayAndPositionAndCounterAndTracker
|
||||
{
|
||||
nsTArray< nsRefPtr<nsCertTreeDispInfo> > *array;
|
||||
int position;
|
||||
int counter;
|
||||
nsTHashtable<nsCStringHashKey> *tracker;
|
||||
};
|
||||
|
||||
// Used when enumerating the stored host:port overrides where
|
||||
// no associated certificate was found in the NSS database.
|
||||
PR_STATIC_CALLBACK(void)
|
||||
AddRemaningHostPortOverridesCallback(const nsCertOverride &aSettings,
|
||||
void *aUserData)
|
||||
{
|
||||
nsArrayAndPositionAndCounterAndTracker *cap =
|
||||
(nsArrayAndPositionAndCounterAndTracker*)aUserData;
|
||||
if (!cap)
|
||||
return;
|
||||
|
||||
if (!cap->tracker->GetEntry(aSettings.mHostWithPortUTF8))
|
||||
return;
|
||||
|
||||
// This entry is not associated to any stored cert,
|
||||
// so we still need to display it.
|
||||
|
||||
nsCertTreeDispInfo *certdi = new nsCertTreeDispInfo;
|
||||
if (certdi) {
|
||||
certdi->mAddonInfo = nsnull;
|
||||
certdi->mTypeOfEntry = nsCertTreeDispInfo::host_port_override;
|
||||
certdi->mHostWithPort = NS_ConvertUTF8toUTF16(aSettings.mHostWithPortUTF8);
|
||||
certdi->mOverrideBits = aSettings.mOverrideBits;
|
||||
NS_IF_ADDREF(certdi);
|
||||
cap->array->InsertElementAt(cap->position, certdi);
|
||||
cap->position++;
|
||||
cap->counter++;
|
||||
}
|
||||
}
|
||||
|
||||
nsresult
|
||||
nsCertTree::GetCertsByTypeFromCertList(CERTCertList *aCertList,
|
||||
PRUint32 aType,
|
||||
PRUint32 aWantedType,
|
||||
nsCertCompareFunc aCertCmpFn,
|
||||
void *aCertCmpFnArg,
|
||||
nsISupportsArray **_certs)
|
||||
void *aCertCmpFnArg)
|
||||
{
|
||||
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("GetCertsByTypeFromCertList"));
|
||||
if (!aCertList)
|
||||
return PR_FALSE;
|
||||
nsCOMPtr<nsISupportsArray> certarray;
|
||||
nsresult rv = NS_NewISupportsArray(getter_AddRefs(certarray));
|
||||
if (NS_FAILED(rv)) return PR_FALSE;
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
nsCertOverrideService *cos =
|
||||
reinterpret_cast<nsCertOverrideService*>(mOverrideService.get());
|
||||
if (!cos)
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
nsTHashtable<nsCStringHashKey> allHostPortOverrideKeys;
|
||||
if (!allHostPortOverrideKeys.Init())
|
||||
return NS_ERROR_OUT_OF_MEMORY;
|
||||
|
||||
if (aWantedType == nsIX509Cert::SERVER_CERT) {
|
||||
cos->EnumerateCertOverrides(nsnull,
|
||||
CollectAllHostPortOverridesCallback,
|
||||
&allHostPortOverrideKeys);
|
||||
}
|
||||
|
||||
CERTCertListNode *node;
|
||||
int count = 0;
|
||||
for (node = CERT_LIST_HEAD(aCertList);
|
||||
!CERT_LIST_END(node, aCertList);
|
||||
node = CERT_LIST_NEXT(node)) {
|
||||
if (aType == nsIX509Cert2::ANY_CERT || getCertType(node->cert) == aType) {
|
||||
|
||||
PRBool wantThisCert = (aWantedType == nsIX509Cert2::ANY_CERT);
|
||||
PRBool wantThisCertIfNoOverrides = PR_FALSE;
|
||||
PRBool wantThisCertIfHaveOverrides = PR_FALSE;
|
||||
PRBool addOverrides = PR_FALSE;
|
||||
|
||||
if (!wantThisCert) {
|
||||
PRUint32 thisCertType = getCertType(node->cert);
|
||||
|
||||
// The output from getCertType is a "guess", which can be wrong.
|
||||
// The guess is based on stored trust flags, but for the host:port
|
||||
// overrides, we are storing certs without any trust flags associated.
|
||||
// So we must check whether the cert really belongs to the
|
||||
// server, email or unknown tab. We will lookup the cert in the override
|
||||
// list to come to the decision. Unfortunately, the lookup in the
|
||||
// override list is quite expensive. Therefore we are using this
|
||||
// lengthy if/else statement to minimize
|
||||
// the number of override-list-lookups.
|
||||
|
||||
if (aWantedType == nsIX509Cert::SERVER_CERT
|
||||
&& thisCertType == nsIX509Cert::UNKNOWN_CERT) {
|
||||
// This unknown cert was stored without trust
|
||||
// Are there host:port based overrides stored?
|
||||
// If yes, display them.
|
||||
addOverrides = PR_TRUE;
|
||||
}
|
||||
else
|
||||
if (aWantedType == nsIX509Cert::UNKNOWN_CERT
|
||||
&& thisCertType == nsIX509Cert::UNKNOWN_CERT) {
|
||||
// This unknown cert was stored without trust.
|
||||
// If there are associated overrides, do not show as unknown.
|
||||
// If there are no associated overrides, display as unknown.
|
||||
wantThisCertIfNoOverrides = PR_TRUE;
|
||||
}
|
||||
else
|
||||
if (aWantedType == nsIX509Cert::SERVER_CERT
|
||||
&& thisCertType == nsIX509Cert::SERVER_CERT) {
|
||||
// This server cert is explicitly marked as a web site peer,
|
||||
// with or without trust, but editable, so show it
|
||||
wantThisCert = PR_TRUE;
|
||||
// Are there host:port based overrides stored?
|
||||
// If yes, display them.
|
||||
addOverrides = PR_TRUE;
|
||||
}
|
||||
else
|
||||
if (aWantedType == nsIX509Cert::SERVER_CERT
|
||||
&& thisCertType == nsIX509Cert::EMAIL_CERT) {
|
||||
// This cert might have been categorized as an email cert
|
||||
// because it carries an email address. But is it really one?
|
||||
// Our cert categorization is uncertain when it comes to
|
||||
// distinguish between email certs and web site certs.
|
||||
// So, let's see if we have an override for that cert
|
||||
// and if there is, conclude it's really a web site cert.
|
||||
addOverrides = PR_TRUE;
|
||||
}
|
||||
else
|
||||
if (aWantedType == nsIX509Cert::EMAIL_CERT
|
||||
&& thisCertType == nsIX509Cert::EMAIL_CERT) {
|
||||
// This cert might have been categorized as an email cert
|
||||
// because it carries an email address. But is it really one?
|
||||
// Our cert categorization is uncertain when it comes to
|
||||
// distinguish between email certs and web site certs.
|
||||
// So, let's see if we have an override for that cert
|
||||
// and if there is, conclude it's really a web site cert.
|
||||
wantThisCertIfNoOverrides = PR_TRUE;
|
||||
}
|
||||
else
|
||||
if (thisCertType == aWantedType) {
|
||||
wantThisCert = PR_TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIX509Cert> pipCert = new nsNSSCertificate(node->cert);
|
||||
if (pipCert) {
|
||||
int i;
|
||||
for (i = 0; i < count; ++i) {
|
||||
nsCOMPtr<nsIX509Cert> cert = do_QueryElementAt(certarray, i);
|
||||
if (!pipCert)
|
||||
return NS_ERROR_OUT_OF_MEMORY;
|
||||
|
||||
if (wantThisCertIfNoOverrides || wantThisCertIfHaveOverrides) {
|
||||
PRUint32 ocount = 0;
|
||||
nsresult rv = mOverrideService->IsCertUsedForOverrides(pipCert, &ocount);
|
||||
|
||||
if (wantThisCertIfNoOverrides) {
|
||||
if (NS_FAILED(rv) || ocount == 0) {
|
||||
// no overrides for this cert
|
||||
wantThisCert = PR_TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
if (wantThisCertIfHaveOverrides) {
|
||||
if (NS_SUCCEEDED(rv) && ocount > 0) {
|
||||
// there are overrides for this cert
|
||||
wantThisCert = PR_TRUE;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
nsRefPtr<nsCertAddonInfo> certai = new nsCertAddonInfo;
|
||||
if (!certai)
|
||||
return NS_ERROR_OUT_OF_MEMORY;
|
||||
|
||||
certai->mCert = pipCert;
|
||||
certai->mUsageCount = 0;
|
||||
|
||||
if (wantThisCert || addOverrides) {
|
||||
int InsertPosition = 0;
|
||||
for (; InsertPosition < count; ++InsertPosition) {
|
||||
nsCOMPtr<nsIX509Cert> cert = nsnull;
|
||||
nsRefPtr<nsCertTreeDispInfo> elem = mDispInfo.ElementAt(InsertPosition);
|
||||
if (elem->mAddonInfo) {
|
||||
cert = mDispInfo.ElementAt(InsertPosition)->mAddonInfo->mCert;
|
||||
}
|
||||
if ((*aCertCmpFn)(aCertCmpFnArg, pipCert, cert) < 0) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
certarray->InsertElementAt(pipCert, i);
|
||||
if (wantThisCert) {
|
||||
nsCertTreeDispInfo *certdi = new nsCertTreeDispInfo;
|
||||
if (!certdi)
|
||||
return NS_ERROR_OUT_OF_MEMORY;
|
||||
|
||||
certdi->mAddonInfo = certai;
|
||||
certai->mUsageCount++;
|
||||
certdi->mTypeOfEntry = nsCertTreeDispInfo::direct_db;
|
||||
// not necessary: certdi->mHostWithPort.Clear();
|
||||
certdi->mOverrideBits = nsCertOverride::ob_None;
|
||||
NS_IF_ADDREF(certdi);
|
||||
mDispInfo.InsertElementAt(InsertPosition, certdi);
|
||||
++count;
|
||||
++InsertPosition;
|
||||
}
|
||||
if (addOverrides && cos) {
|
||||
nsCertAndArrayAndPositionAndCounterAndTracker cap;
|
||||
cap.certai = certai;
|
||||
cap.array = &mDispInfo;
|
||||
cap.position = InsertPosition;
|
||||
cap.counter = 0;
|
||||
cap.tracker = &allHostPortOverrideKeys;
|
||||
|
||||
cos->EnumerateCertOverrides(pipCert, MatchingCertOverridesCallback, &cap);
|
||||
count += cap.counter;
|
||||
}
|
||||
}
|
||||
}
|
||||
*_certs = certarray;
|
||||
NS_ADDREF(*_certs);
|
||||
return PR_TRUE;
|
||||
|
||||
if (aWantedType == nsIX509Cert::SERVER_CERT) {
|
||||
nsArrayAndPositionAndCounterAndTracker cap;
|
||||
cap.array = &mDispInfo;
|
||||
cap.position = 0;
|
||||
cap.counter = 0;
|
||||
cap.tracker = &allHostPortOverrideKeys;
|
||||
cos->EnumerateCertOverrides(nsnull, AddRemaningHostPortOverridesCallback, &cap);
|
||||
}
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
PRBool
|
||||
nsresult
|
||||
nsCertTree::GetCertsByType(PRUint32 aType,
|
||||
nsCertCompareFunc aCertCmpFn,
|
||||
void *aCertCmpFnArg,
|
||||
nsISupportsArray **_certs)
|
||||
void *aCertCmpFnArg)
|
||||
{
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
CERTCertList *certList = NULL;
|
||||
nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
|
||||
certList = PK11_ListCerts(PK11CertListUnique, cxt);
|
||||
PRBool rv = GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg, _certs);
|
||||
nsresult rv = GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg);
|
||||
if (certList)
|
||||
CERT_DestroyCertList(certList);
|
||||
return rv;
|
||||
}
|
||||
|
||||
PRBool
|
||||
nsresult
|
||||
nsCertTree::GetCertsByTypeFromCache(nsINSSCertCache *aCache,
|
||||
PRUint32 aType,
|
||||
nsCertCompareFunc aCertCmpFn,
|
||||
void *aCertCmpFnArg,
|
||||
nsISupportsArray **_certs)
|
||||
void *aCertCmpFnArg)
|
||||
{
|
||||
NS_ENSURE_ARG_POINTER(aCache);
|
||||
CERTCertList *certList = reinterpret_cast<CERTCertList*>(aCache->GetCachedCerts());
|
||||
if (!certList)
|
||||
return NS_ERROR_FAILURE;
|
||||
return GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg, _certs);
|
||||
return GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg);
|
||||
}
|
||||
|
||||
// LoadCerts
|
||||
|
@ -384,8 +682,7 @@ nsCertTree::LoadCertsFromCache(nsINSSCertCache *aCache, PRUint32 aType)
|
|||
if (NS_FAILED(rv)) return rv;
|
||||
|
||||
rv = GetCertsByTypeFromCache(aCache, aType,
|
||||
GetCompareFuncFromCertType(aType), &mCompareCache,
|
||||
getter_AddRefs(mCertArray));
|
||||
GetCompareFuncFromCertType(aType), &mCompareCache);
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
return UpdateUIContents();
|
||||
}
|
||||
|
@ -403,8 +700,7 @@ nsCertTree::LoadCerts(PRUint32 aType)
|
|||
if (NS_FAILED(rv)) return rv;
|
||||
|
||||
rv = GetCertsByType(aType,
|
||||
GetCompareFuncFromCertType(aType), &mCompareCache,
|
||||
getter_AddRefs(mCertArray));
|
||||
GetCompareFuncFromCertType(aType), &mCompareCache);
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
return UpdateUIContents();
|
||||
}
|
||||
|
@ -412,9 +708,7 @@ nsCertTree::LoadCerts(PRUint32 aType)
|
|||
nsresult
|
||||
nsCertTree::UpdateUIContents()
|
||||
{
|
||||
PRUint32 count;
|
||||
nsresult rv = mCertArray->Count(&count);
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
PRUint32 count = mDispInfo.Length();
|
||||
mNumOrgs = CountOrganizations();
|
||||
mTreeArray = new treeArrayEl[mNumOrgs];
|
||||
if (!mTreeArray)
|
||||
|
@ -422,28 +716,41 @@ nsCertTree::UpdateUIContents()
|
|||
|
||||
mCellText = do_CreateInstance(NS_ARRAY_CONTRACTID);
|
||||
|
||||
if (count) {
|
||||
PRUint32 j = 0;
|
||||
nsCOMPtr<nsISupports> isupport = dont_AddRef(mCertArray->ElementAt(j));
|
||||
nsCOMPtr<nsIX509Cert> orgCert = do_QueryInterface(isupport);
|
||||
nsCOMPtr<nsIX509Cert> orgCert = nsnull;
|
||||
if (mDispInfo.ElementAt(j)->mAddonInfo) {
|
||||
orgCert = mDispInfo.ElementAt(j)->mAddonInfo->mCert;
|
||||
}
|
||||
for (PRInt32 i=0; i<mNumOrgs; i++) {
|
||||
nsString &orgNameRef = mTreeArray[i].orgName;
|
||||
if (!orgCert) {
|
||||
mNSSComponent->GetPIPNSSBundleString("CertOrgUnknown", orgNameRef);
|
||||
}
|
||||
else {
|
||||
orgCert->GetIssuerOrganization(orgNameRef);
|
||||
if (orgNameRef.IsEmpty())
|
||||
orgCert->GetCommonName(orgNameRef);
|
||||
}
|
||||
mTreeArray[i].open = PR_TRUE;
|
||||
mTreeArray[i].certIndex = j;
|
||||
mTreeArray[i].numChildren = 1;
|
||||
if (++j >= count) break;
|
||||
isupport = dont_AddRef(mCertArray->ElementAt(j));
|
||||
nsCOMPtr<nsIX509Cert> nextCert = do_QueryInterface(isupport);
|
||||
nsCOMPtr<nsIX509Cert> nextCert = nsnull;
|
||||
if (mDispInfo.ElementAt(j)->mAddonInfo) {
|
||||
nextCert = mDispInfo.ElementAt(j)->mAddonInfo->mCert;
|
||||
}
|
||||
while (0 == CmpBy(&mCompareCache, orgCert, nextCert, sort_IssuerOrg, sort_None, sort_None)) {
|
||||
mTreeArray[i].numChildren++;
|
||||
if (++j >= count) break;
|
||||
isupport = dont_AddRef(mCertArray->ElementAt(j));
|
||||
nextCert = do_QueryInterface(isupport);
|
||||
nextCert = nsnull;
|
||||
if (mDispInfo.ElementAt(j)->mAddonInfo) {
|
||||
nextCert = mDispInfo.ElementAt(j)->mAddonInfo->mCert;
|
||||
}
|
||||
}
|
||||
orgCert = nextCert;
|
||||
}
|
||||
}
|
||||
if (mTree) {
|
||||
mTree->BeginUpdateBatch();
|
||||
mTree->RowCountChanged(0, -mNumRows);
|
||||
|
@ -455,9 +762,15 @@ nsCertTree::UpdateUIContents()
|
|||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsCertTree::RemoveCert(PRUint32 index)
|
||||
nsCertTree::DeleteEntryObject(PRUint32 index)
|
||||
{
|
||||
if (!mCertArray || !mTreeArray || index < 0) {
|
||||
if (!mTreeArray || index < 0) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIX509CertDB> certdb =
|
||||
do_GetService("@mozilla.org/security/x509certdb;1");
|
||||
if (!certdb) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
|
@ -471,9 +784,66 @@ nsCertTree::RemoveCert(PRUint32 index)
|
|||
nc = (mTreeArray[i].open) ? mTreeArray[i].numChildren : 0;
|
||||
if (index < idx + nc) { // cert is within range of this thread
|
||||
PRInt32 certIndex = cIndex + index - idx;
|
||||
nsCOMPtr<nsISupports> isupport = dont_AddRef(mCertArray->ElementAt(certIndex));
|
||||
RemoveCacheEntry(isupport);
|
||||
mCertArray->RemoveElementAt(certIndex);
|
||||
|
||||
nsRefPtr<nsCertTreeDispInfo> certdi = mDispInfo.ElementAt(certIndex);
|
||||
nsCOMPtr<nsIX509Cert> cert = nsnull;
|
||||
if (certdi->mAddonInfo) {
|
||||
cert = certdi->mAddonInfo->mCert;
|
||||
}
|
||||
PRBool canRemoveEntry = PR_FALSE;
|
||||
|
||||
if (certdi->mTypeOfEntry == nsCertTreeDispInfo::host_port_override) {
|
||||
mOverrideService->ClearValidityOverride(certdi->mHostWithPort);
|
||||
if (certdi->mAddonInfo) {
|
||||
certdi->mAddonInfo->mUsageCount--;
|
||||
if (certdi->mAddonInfo->mUsageCount == 0) {
|
||||
// The certificate stored in the database is no longer
|
||||
// referenced by any other object displayed.
|
||||
// That means we no longer need to keep it around
|
||||
// and really can remove it.
|
||||
canRemoveEntry = PR_TRUE;
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
if (certdi->mAddonInfo->mUsageCount > 1) {
|
||||
// user is trying to delete a perm trusted cert,
|
||||
// although there are still overrides stored,
|
||||
// so, we keep the cert, but remove the trust
|
||||
|
||||
CERTCertificate *nsscert = nsnull;
|
||||
CERTCertificateCleaner nsscertCleaner(nsscert);
|
||||
|
||||
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert);
|
||||
if (cert2) {
|
||||
nsscert = cert2->GetCert();
|
||||
}
|
||||
|
||||
if (nsscert) {
|
||||
CERTCertTrust trust;
|
||||
memset((void*)&trust, 0, sizeof(trust));
|
||||
|
||||
SECStatus srv = CERT_DecodeTrustString(&trust, ""); // no override
|
||||
if (srv == SECSuccess) {
|
||||
CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust);
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
canRemoveEntry = PR_TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
nsCertTreeDispInfo *certdi2 = mDispInfo.ElementAt(certIndex);
|
||||
mDispInfo.RemoveElementAt(certIndex);
|
||||
NS_IF_RELEASE(certdi2);
|
||||
certdi2 = 0;
|
||||
|
||||
if (canRemoveEntry) {
|
||||
RemoveCacheEntry(cert);
|
||||
certdb->DeleteCertificate(cert);
|
||||
}
|
||||
|
||||
delete [] mTreeArray;
|
||||
mTreeArray = nsnull;
|
||||
return UpdateUIContents();
|
||||
|
@ -499,11 +869,35 @@ nsCertTree::GetCert(PRUint32 aIndex, nsIX509Cert **_cert)
|
|||
{
|
||||
NS_ENSURE_ARG(_cert);
|
||||
*_cert = GetCertAtIndex(aIndex);
|
||||
//nsCOMPtr<nsIX509Cert> cert = GetCertAtIndex(aIndex);
|
||||
//if (cert) {
|
||||
//*_cert = cert;
|
||||
//NS_ADDREF(*_cert);
|
||||
//}
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsCertTree::GetTreeItem(PRUint32 aIndex, nsICertTreeItem **_treeitem)
|
||||
{
|
||||
NS_ENSURE_ARG(_treeitem);
|
||||
|
||||
nsRefPtr<nsCertTreeDispInfo> certdi =
|
||||
getter_AddRefs(GetDispInfoAtIndex(aIndex));
|
||||
if (!certdi)
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
*_treeitem = certdi;
|
||||
NS_IF_ADDREF(*_treeitem);
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsCertTree::IsHostPortOverride(PRUint32 aIndex, PRBool *_retval)
|
||||
{
|
||||
NS_ENSURE_ARG(_retval);
|
||||
|
||||
nsRefPtr<nsCertTreeDispInfo> certdi =
|
||||
getter_AddRefs(GetDispInfoAtIndex(aIndex));
|
||||
if (!certdi)
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
*_retval = (certdi->mTypeOfEntry == nsCertTreeDispInfo::host_port_override);
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
|
@ -719,7 +1113,15 @@ nsCertTree::GetCellText(PRInt32 row, nsITreeColumn* col,
|
|||
}
|
||||
|
||||
PRInt32 absoluteCertOffset;
|
||||
nsCOMPtr<nsIX509Cert> cert = dont_AddRef(GetCertAtIndex(row, &absoluteCertOffset));
|
||||
nsRefPtr<nsCertTreeDispInfo> certdi =
|
||||
getter_AddRefs(GetDispInfoAtIndex(row, &absoluteCertOffset));
|
||||
if (!certdi)
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
nsCOMPtr<nsIX509Cert> cert = nsnull;
|
||||
if (certdi->mAddonInfo) {
|
||||
cert = certdi->mAddonInfo->mCert;
|
||||
}
|
||||
|
||||
PRInt32 colIndex;
|
||||
col->GetIndex(&colIndex);
|
||||
|
@ -736,8 +1138,11 @@ nsCertTree::GetCellText(PRInt32 row, nsITreeColumn* col,
|
|||
}
|
||||
}
|
||||
|
||||
if (cert == nsnull) return NS_ERROR_FAILURE;
|
||||
if (NS_LITERAL_STRING("certcol").Equals(colID)) {
|
||||
if (!cert) {
|
||||
mNSSComponent->GetPIPNSSBundleString("CertNotStored", _retval);
|
||||
}
|
||||
else {
|
||||
rv = cert->GetCommonName(_retval);
|
||||
if (NS_FAILED(rv) || _retval.IsEmpty()) {
|
||||
// kaie: I didn't invent the idea to cut off anything before
|
||||
|
@ -759,11 +1164,12 @@ nsCertTree::GetCellText(PRInt32 row, nsITreeColumn* col,
|
|||
_retval = nick;
|
||||
}
|
||||
}
|
||||
} else if (NS_LITERAL_STRING("tokencol").Equals(colID)) {
|
||||
}
|
||||
} else if (NS_LITERAL_STRING("tokencol").Equals(colID) && cert) {
|
||||
rv = cert->GetTokenName(_retval);
|
||||
} else if (NS_LITERAL_STRING("emailcol").Equals(colID)) {
|
||||
} else if (NS_LITERAL_STRING("emailcol").Equals(colID) && cert) {
|
||||
rv = cert->GetEmailAddress(_retval);
|
||||
} else if (NS_LITERAL_STRING("purposecol").Equals(colID) && mNSSComponent) {
|
||||
} else if (NS_LITERAL_STRING("purposecol").Equals(colID) && mNSSComponent && cert) {
|
||||
PRUint32 verified;
|
||||
|
||||
nsAutoString theUsages;
|
||||
|
@ -801,23 +1207,41 @@ nsCertTree::GetCellText(PRInt32 row, nsITreeColumn* col,
|
|||
rv = mNSSComponent->GetPIPNSSBundleString("VerifyUnknown", _retval);
|
||||
break;
|
||||
}
|
||||
} else if (NS_LITERAL_STRING("issuedcol").Equals(colID)) {
|
||||
} else if (NS_LITERAL_STRING("issuedcol").Equals(colID) && cert) {
|
||||
nsCOMPtr<nsIX509CertValidity> validity;
|
||||
|
||||
rv = cert->GetValidity(getter_AddRefs(validity));
|
||||
if (NS_SUCCEEDED(rv)) {
|
||||
validity->GetNotBeforeLocalDay(_retval);
|
||||
}
|
||||
} else if (NS_LITERAL_STRING("expiredcol").Equals(colID)) {
|
||||
} else if (NS_LITERAL_STRING("expiredcol").Equals(colID) && cert) {
|
||||
nsCOMPtr<nsIX509CertValidity> validity;
|
||||
|
||||
rv = cert->GetValidity(getter_AddRefs(validity));
|
||||
if (NS_SUCCEEDED(rv)) {
|
||||
validity->GetNotAfterLocalDay(_retval);
|
||||
}
|
||||
} else if (NS_LITERAL_STRING("serialnumcol").Equals(colID)) {
|
||||
} else if (NS_LITERAL_STRING("serialnumcol").Equals(colID) && cert) {
|
||||
rv = cert->GetSerialNumber(_retval);
|
||||
} else if (NS_LITERAL_STRING("typecol").Equals(colID)) {
|
||||
|
||||
|
||||
} else if (NS_LITERAL_STRING("overridetypecol").Equals(colID)) {
|
||||
// default to classic permanent-trust
|
||||
nsCertOverride::OverrideBits ob = nsCertOverride::ob_Untrusted;
|
||||
if (certdi->mTypeOfEntry == nsCertTreeDispInfo::host_port_override) {
|
||||
ob = certdi->mOverrideBits;
|
||||
}
|
||||
nsCAutoString temp;
|
||||
nsCertOverride::convertBitsToString(ob, temp);
|
||||
_retval = NS_ConvertUTF8toUTF16(temp);
|
||||
} else if (NS_LITERAL_STRING("sitecol").Equals(colID)) {
|
||||
if (certdi->mTypeOfEntry == nsCertTreeDispInfo::host_port_override) {
|
||||
_retval = certdi->mHostWithPort;
|
||||
}
|
||||
else {
|
||||
_retval = NS_LITERAL_STRING("*");
|
||||
}
|
||||
} else if (NS_LITERAL_STRING("typecol").Equals(colID) && cert) {
|
||||
nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
|
||||
PRUint32 type = nsIX509Cert::UNKNOWN_CERT;
|
||||
|
||||
|
@ -972,7 +1396,7 @@ nsCertTree::dumpMap()
|
|||
nsAutoString td(el->orgName);
|
||||
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("thread desc[%d]: %s", i, NS_LossyConvertUTF16toASCII(td).get()));
|
||||
}
|
||||
nsCOMPtr<nsIX509Cert> ct = dont_AddRef(GetCertAtIndex(i));
|
||||
nsCOMPtr<nsIX509Cert> ct = getter_AddRefs(GetCertAtIndex(i));
|
||||
if (ct != nsnull) {
|
||||
PRUnichar *goo;
|
||||
ct->GetCommonName(&goo);
|
||||
|
@ -1105,11 +1529,24 @@ PRInt32
|
|||
nsCertTree::CmpBy(void *cache, nsIX509Cert *a, nsIX509Cert *b,
|
||||
sortCriterion c0, sortCriterion c1, sortCriterion c2)
|
||||
{
|
||||
NS_ENSURE_TRUE( (cache!=0 && a!=0 && b!=0), 0 );
|
||||
// This will be called when comparing items for display sorting.
|
||||
// Some items might have no cert associated, so either a or b is null.
|
||||
// We want all those orphans show at the top of the list,
|
||||
// so we treat a null cert as "smaller" by returning -1.
|
||||
// We don't try to sort within the group of no-cert entries,
|
||||
// so we treat them as equal wrt sort order.
|
||||
|
||||
if (a == b)
|
||||
if (!a && !b)
|
||||
return 0;
|
||||
|
||||
if (!a)
|
||||
return -1;
|
||||
|
||||
if (!b)
|
||||
return 1;
|
||||
|
||||
NS_ENSURE_TRUE( (cache!=0 && a!=0 && b!=0), 0 );
|
||||
|
||||
CompareCacheHashEntry *ace = getCacheEntry(cache, a);
|
||||
CompareCacheHashEntry *bce = getCacheEntry(cache, b);
|
||||
|
||||
|
|
|
@ -20,6 +20,7 @@
|
|||
*
|
||||
* Contributor(s):
|
||||
* Ian McGreer <mcgreer@netscape.com>
|
||||
* Kai Engert <kengert@redhat.com>
|
||||
*
|
||||
* Alternatively, the contents of this file may be used under the terms of
|
||||
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
||||
|
@ -39,6 +40,7 @@
|
|||
#define _NS_CERTTREE_H_
|
||||
|
||||
#include "nsCOMPtr.h"
|
||||
#include "nsAutoPtr.h"
|
||||
#include "nsIServiceManager.h"
|
||||
#include "nsICertTree.h"
|
||||
#include "nsITreeView.h"
|
||||
|
@ -46,8 +48,11 @@
|
|||
#include "nsITreeSelection.h"
|
||||
#include "nsISupportsArray.h"
|
||||
#include "nsIMutableArray.h"
|
||||
#include "nsTArray.h"
|
||||
#include "pldhash.h"
|
||||
#include "nsIX509CertDB.h"
|
||||
#include "nsCertOverrideService.h"
|
||||
|
||||
|
||||
typedef struct treeArrayElStr treeArrayEl;
|
||||
|
||||
|
@ -66,6 +71,36 @@ struct CompareCacheHashEntryPtr : PLDHashEntryHdr {
|
|||
CompareCacheHashEntry *entry;
|
||||
};
|
||||
|
||||
class nsCertAddonInfo : public nsISupports
|
||||
{
|
||||
public:
|
||||
NS_DECL_ISUPPORTS
|
||||
|
||||
nsCertAddonInfo() : mUsageCount(0) {}
|
||||
|
||||
nsRefPtr<nsIX509Cert> mCert;
|
||||
// how many display entries reference this?
|
||||
// (and therefore depend on the underlying cert)
|
||||
PRInt32 mUsageCount;
|
||||
};
|
||||
|
||||
class nsCertTreeDispInfo : public nsICertTreeItem
|
||||
{
|
||||
public:
|
||||
NS_DECL_ISUPPORTS
|
||||
NS_DECL_NSICERTTREEITEM
|
||||
|
||||
nsCertTreeDispInfo();
|
||||
nsCertTreeDispInfo(nsCertTreeDispInfo &other);
|
||||
virtual ~nsCertTreeDispInfo();
|
||||
|
||||
nsRefPtr<nsCertAddonInfo> mAddonInfo;
|
||||
enum {
|
||||
direct_db, host_port_override
|
||||
} mTypeOfEntry;
|
||||
nsString mHostWithPort;
|
||||
nsCertOverride::OverrideBits mOverrideBits;
|
||||
};
|
||||
|
||||
class nsCertTree : public nsICertTree
|
||||
{
|
||||
|
@ -102,14 +137,13 @@ protected:
|
|||
nsCertCompareFunc GetCompareFuncFromCertType(PRUint32 aType);
|
||||
PRInt32 CountOrganizations();
|
||||
|
||||
PRBool GetCertsByType(PRUint32 aType, nsCertCompareFunc aCertCmpFn,
|
||||
void *aCertCmpFnArg, nsISupportsArray **_certs);
|
||||
nsresult GetCertsByType(PRUint32 aType, nsCertCompareFunc aCertCmpFn,
|
||||
void *aCertCmpFnArg);
|
||||
|
||||
PRBool GetCertsByTypeFromCache(nsINSSCertCache *aCache, PRUint32 aType,
|
||||
nsCertCompareFunc aCertCmpFn, void *aCertCmpFnArg,
|
||||
nsISupportsArray **_certs);
|
||||
nsresult GetCertsByTypeFromCache(nsINSSCertCache *aCache, PRUint32 aType,
|
||||
nsCertCompareFunc aCertCmpFn, void *aCertCmpFnArg);
|
||||
private:
|
||||
nsCOMPtr<nsISupportsArray> mCertArray;
|
||||
nsTArray< nsRefPtr<nsCertTreeDispInfo> > mDispInfo;
|
||||
nsCOMPtr<nsITreeBoxObject> mTree;
|
||||
nsCOMPtr<nsITreeSelection> mSelection;
|
||||
treeArrayEl *mTreeArray;
|
||||
|
@ -117,18 +151,19 @@ private:
|
|||
PRInt32 mNumRows;
|
||||
PLDHashTable mCompareCache;
|
||||
nsCOMPtr<nsINSSComponent> mNSSComponent;
|
||||
nsCOMPtr<nsICertOverrideService> mOverrideService;
|
||||
|
||||
treeArrayEl *GetThreadDescAtIndex(PRInt32 _index);
|
||||
nsIX509Cert *GetCertAtIndex(PRInt32 _index, PRInt32 *outAbsoluteCertOffset = nsnull);
|
||||
|
||||
nsCertTreeDispInfo *GetDispInfoAtIndex(PRInt32 index,
|
||||
PRInt32 *outAbsoluteCertOffset = nsnull);
|
||||
void FreeCertArray();
|
||||
nsresult UpdateUIContents();
|
||||
|
||||
PRBool GetCertsByTypeFromCertList(CERTCertList *aCertList,
|
||||
nsresult GetCertsByTypeFromCertList(CERTCertList *aCertList,
|
||||
PRUint32 aType,
|
||||
nsCertCompareFunc aCertCmpFn,
|
||||
void *aCertCmpFnArg,
|
||||
nsISupportsArray **_certs);
|
||||
void *aCertCmpFnArg);
|
||||
|
||||
nsCOMPtr<nsIMutableArray> mCellText;
|
||||
|
||||
|
|
|
@ -41,7 +41,8 @@
|
|||
#include "nsNSSComponent.h" // for PIPNSS string bundle calls.
|
||||
#include "nsNSSCallbacks.h"
|
||||
#include "nsNSSCertificate.h"
|
||||
#include "nsISSLStatus.h"
|
||||
#include "nsNSSCleaner.h"
|
||||
#include "nsSSLStatus.h"
|
||||
#include "nsNSSIOLayer.h" // for nsNSSSocketInfo
|
||||
#include "nsIWebProgressListener.h"
|
||||
#include "nsIStringBundle.h"
|
||||
|
@ -69,6 +70,7 @@
|
|||
#include "ocsp.h"
|
||||
|
||||
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
|
||||
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
|
||||
|
||||
#ifdef PR_LOGGING
|
||||
extern PRLogModuleInfo* gPIPNSSLog;
|
||||
|
@ -621,77 +623,6 @@ void nsHTTPListener::send_done_signal()
|
|||
}
|
||||
}
|
||||
|
||||
/* Implementation of nsISSLStatus */
|
||||
class nsSSLStatus
|
||||
: public nsISSLStatus
|
||||
{
|
||||
public:
|
||||
NS_DECL_ISUPPORTS
|
||||
NS_DECL_NSISSLSTATUS
|
||||
|
||||
nsSSLStatus();
|
||||
virtual ~nsSSLStatus();
|
||||
|
||||
/* public for initilization in this file */
|
||||
nsCOMPtr<nsIX509Cert> mServerCert;
|
||||
PRUint32 mKeyLength;
|
||||
PRUint32 mSecretKeyLength;
|
||||
nsXPIDLCString mCipherName;
|
||||
};
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsSSLStatus::GetServerCert(nsIX509Cert** _result)
|
||||
{
|
||||
NS_ASSERTION(_result, "non-NULL destination required");
|
||||
|
||||
*_result = mServerCert;
|
||||
NS_IF_ADDREF(*_result);
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsSSLStatus::GetKeyLength(PRUint32* _result)
|
||||
{
|
||||
NS_ASSERTION(_result, "non-NULL destination required");
|
||||
|
||||
*_result = mKeyLength;
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsSSLStatus::GetSecretKeyLength(PRUint32* _result)
|
||||
{
|
||||
NS_ASSERTION(_result, "non-NULL destination required");
|
||||
|
||||
*_result = mSecretKeyLength;
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsSSLStatus::GetCipherName(char** _result)
|
||||
{
|
||||
NS_ASSERTION(_result, "non-NULL destination required");
|
||||
|
||||
*_result = PL_strdup(mCipherName.get());
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
nsSSLStatus::nsSSLStatus()
|
||||
: mKeyLength(0), mSecretKeyLength(0)
|
||||
{
|
||||
}
|
||||
|
||||
NS_IMPL_THREADSAFE_ISUPPORTS1(nsSSLStatus, nsISSLStatus)
|
||||
|
||||
nsSSLStatus::~nsSSLStatus()
|
||||
{
|
||||
}
|
||||
|
||||
|
||||
char* PR_CALLBACK
|
||||
PK11PasswordPrompt(PK11SlotInfo* slot, PRBool retry, void* arg) {
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
|
@ -839,7 +770,12 @@ void PR_CALLBACK HandshakeCallback(PRFileDesc* fd, void* client_data) {
|
|||
infoObject->SetShortSecurityDescription(shortDesc.get());
|
||||
|
||||
/* Set the SSL Status information */
|
||||
nsCOMPtr<nsSSLStatus> status = new nsSSLStatus();
|
||||
nsCOMPtr<nsSSLStatus> status;
|
||||
infoObject->GetSSLStatus(getter_AddRefs(status));
|
||||
if (!status) {
|
||||
status = new nsSSLStatus();
|
||||
infoObject->SetSSLStatus(status);
|
||||
}
|
||||
|
||||
CERTCertificate *serverCert = SSL_PeerCertificate(fd);
|
||||
if (serverCert) {
|
||||
|
@ -852,11 +788,10 @@ void PR_CALLBACK HandshakeCallback(PRFileDesc* fd, void* client_data) {
|
|||
}
|
||||
}
|
||||
|
||||
status->mHaveKeyLengthAndCipher = PR_TRUE;
|
||||
status->mKeyLength = keyLength;
|
||||
status->mSecretKeyLength = encryptBits;
|
||||
status->mCipherName.Adopt(cipherName);
|
||||
|
||||
infoObject->SetSSLStatus(status);
|
||||
}
|
||||
|
||||
PR_FREEIF(certOrgName);
|
||||
|
@ -874,9 +809,11 @@ SECStatus PR_CALLBACK AuthCertificateCallback(void* client_data, PRFileDesc* fd,
|
|||
// complete chain at any time it might need it.
|
||||
// But we keep only those CA certs in the temp db, that we didn't already know.
|
||||
|
||||
if (SECSuccess == rv) {
|
||||
CERTCertificate *serverCert = SSL_PeerCertificate(fd);
|
||||
CERTCertificateCleaner serverCertCleaner(serverCert);
|
||||
|
||||
if (serverCert) {
|
||||
if (SECSuccess == rv) {
|
||||
CERTCertList *certList = CERT_GetCertChainFromCert(serverCert, PR_Now(), certUsageSSLCA);
|
||||
|
||||
nsCOMPtr<nsINSSComponent> nssComponent;
|
||||
|
@ -915,7 +852,21 @@ SECStatus PR_CALLBACK AuthCertificateCallback(void* client_data, PRFileDesc* fd,
|
|||
}
|
||||
|
||||
CERT_DestroyCertList(certList);
|
||||
CERT_DestroyCertificate(serverCert);
|
||||
}
|
||||
else {
|
||||
// The connection will be terminated, let's provide a minimal SSLStatus
|
||||
// to the caller that contains at least the cert and its status.
|
||||
nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
|
||||
|
||||
nsCOMPtr<nsSSLStatus> status;
|
||||
infoObject->GetSSLStatus(getter_AddRefs(status));
|
||||
if (!status) {
|
||||
status = new nsSSLStatus();
|
||||
infoObject->SetSSLStatus(status);
|
||||
}
|
||||
if (status) {
|
||||
status->mServerCert = new nsNSSCertificate(serverCert);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -175,13 +175,6 @@ public:
|
|||
|
||||
void SetAllowTLSIntoleranceTimeout(PRBool aAllow);
|
||||
|
||||
enum BadCertUIStatusType {
|
||||
bcuis_not_shown, bcuis_active, bcuis_was_shown
|
||||
};
|
||||
|
||||
void SetBadCertUIStatus(BadCertUIStatusType aNewStatus);
|
||||
BadCertUIStatusType GetBadCertUIStatus() { return mBadCertUIStatus; }
|
||||
|
||||
nsresult GetExternalErrorReporting(PRBool* state);
|
||||
nsresult SetExternalErrorReporting(PRBool aState);
|
||||
|
||||
|
@ -209,7 +202,6 @@ protected:
|
|||
PRPackedBool mHasCleartextPhase;
|
||||
PRPackedBool mHandshakeInProgress;
|
||||
PRPackedBool mAllowTLSIntoleranceTimeout;
|
||||
BadCertUIStatusType mBadCertUIStatus;
|
||||
PRIntervalTime mHandshakeStartTime;
|
||||
PRInt32 mPort;
|
||||
nsXPIDLCString mHostName;
|
||||
|
|
|
@ -72,6 +72,7 @@
|
|||
#include "nsStreamCipher.h"
|
||||
#include "nsKeyModule.h"
|
||||
#include "nsDataSignatureVerifier.h"
|
||||
#include "nsCertOverrideService.h"
|
||||
|
||||
// We must ensure that the nsNSSComponent has been loaded before
|
||||
// creating any other components.
|
||||
|
@ -192,6 +193,7 @@ NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(PR_FALSE, nsStreamCipher)
|
|||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(PR_FALSE, nsKeyObject)
|
||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(PR_FALSE, nsKeyObjectFactory)
|
||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(PR_FALSE, nsDataSignatureVerifier)
|
||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR_INIT(PR_FALSE, nsCertOverrideService, Init)
|
||||
|
||||
static NS_METHOD RegisterPSMContentListeners(
|
||||
nsIComponentManager *aCompMgr,
|
||||
|
@ -454,6 +456,13 @@ static const nsModuleComponentInfo components[] =
|
|||
NS_DATASIGNATUREVERIFIER_CID,
|
||||
NS_DATASIGNATUREVERIFIER_CONTRACTID,
|
||||
nsDataSignatureVerifierConstructor
|
||||
},
|
||||
|
||||
{
|
||||
"PSM Cert Override Settings Service",
|
||||
NS_CERTOVERRIDE_CID,
|
||||
NS_CERTOVERRIDE_CONTRACTID,
|
||||
nsCertOverrideServiceConstructor
|
||||
}
|
||||
};
|
||||
|
||||
|
|
|
@ -69,25 +69,6 @@ function BadCertHandler() {
|
|||
}
|
||||
BadCertHandler.prototype = {
|
||||
|
||||
// nsIBadCertListener
|
||||
confirmUnknownIssuer: function(socketInfo, cert, certAddType) {
|
||||
LOG("EM BadCertHandler: Unknown issuer");
|
||||
return false;
|
||||
},
|
||||
|
||||
confirmMismatchDomain: function(socketInfo, targetURL, cert) {
|
||||
LOG("EM BadCertHandler: Mismatched domain");
|
||||
return false;
|
||||
},
|
||||
|
||||
confirmCertExpired: function(socketInfo, cert) {
|
||||
LOG("EM BadCertHandler: Expired certificate");
|
||||
return false;
|
||||
},
|
||||
|
||||
notifyCrlNextupdate: function(socketInfo, targetURL, cert) {
|
||||
},
|
||||
|
||||
// nsIChannelEventSink
|
||||
onChannelRedirect: function(oldChannel, newChannel, flags) {
|
||||
// make sure the certificate of the old channel checks out before we follow
|
||||
|
|
|
@ -140,7 +140,7 @@ NS_IMPL_THREADSAFE_ISUPPORTS11(nsXPInstallManager,
|
|||
nsIProgressEventSink,
|
||||
nsIInterfaceRequestor,
|
||||
nsPICertNotification,
|
||||
nsIBadCertListener,
|
||||
nsIBadCertListener2,
|
||||
nsIChannelEventSink,
|
||||
nsISupportsWeakReference)
|
||||
|
||||
|
@ -1253,7 +1253,7 @@ nsXPInstallManager::GetInterface(const nsIID & eventSinkIID, void* *_retval)
|
|||
*_retval = p;
|
||||
return NS_OK;
|
||||
}
|
||||
else if (eventSinkIID.Equals(NS_GET_IID(nsIBadCertListener))) {
|
||||
else if (eventSinkIID.Equals(NS_GET_IID(nsIBadCertListener2))) {
|
||||
// If we aren't chrome triggered fall back to the default dialogs
|
||||
if (!mFromChrome)
|
||||
return NS_ERROR_NO_INTERFACE;
|
||||
|
@ -1271,31 +1271,14 @@ nsXPInstallManager::OnChannelRedirect(nsIChannel *oldChannel, nsIChannel *newCha
|
|||
return NS_OK;
|
||||
}
|
||||
|
||||
// nsIBadCertListener methods
|
||||
// nsIBadCertListener2 methods
|
||||
NS_IMETHODIMP
|
||||
nsXPInstallManager::ConfirmUnknownIssuer(nsIInterfaceRequestor *socketInfo, nsIX509Cert *cert, PRInt16 *certAddType, PRBool *_retval)
|
||||
{
|
||||
*_retval = PR_FALSE;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsXPInstallManager::ConfirmMismatchDomain(nsIInterfaceRequestor *socketInfo, const nsACString & targetURL, nsIX509Cert *cert, PRBool *_retval)
|
||||
{
|
||||
*_retval = PR_FALSE;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsXPInstallManager::ConfirmCertExpired(nsIInterfaceRequestor *socketInfo, nsIX509Cert *cert, PRBool *_retval)
|
||||
{
|
||||
*_retval = PR_FALSE;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsXPInstallManager::NotifyCrlNextupdate(nsIInterfaceRequestor *socketInfo, const nsACString & targetURL, nsIX509Cert *cert)
|
||||
nsXPInstallManager::NotifyCertProblem(nsIInterfaceRequestor *socketInfo,
|
||||
nsISSLStatus *status,
|
||||
const nsACString &targetSite,
|
||||
PRBool *_retval)
|
||||
{
|
||||
*_retval = PR_TRUE;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
|
|
|
@ -56,7 +56,7 @@
|
|||
#include "nsIChromeRegistry.h"
|
||||
#include "nsIDOMWindowInternal.h"
|
||||
#include "nsIObserver.h"
|
||||
#include "nsIBadCertListener.h"
|
||||
#include "nsIBadCertListener2.h"
|
||||
#include "nsIChannelEventSink.h"
|
||||
#include "nsIXPIInstallInfo.h"
|
||||
|
||||
|
@ -86,7 +86,7 @@ class nsXPInstallManager : public nsIXPIListener,
|
|||
public nsIProgressEventSink,
|
||||
public nsIInterfaceRequestor,
|
||||
public nsPICertNotification,
|
||||
public nsIBadCertListener,
|
||||
public nsIBadCertListener2,
|
||||
public nsIChannelEventSink,
|
||||
public nsSupportsWeakReference
|
||||
{
|
||||
|
@ -104,7 +104,7 @@ class nsXPInstallManager : public nsIXPIListener,
|
|||
NS_DECL_NSIREQUESTOBSERVER
|
||||
NS_DECL_NSIINTERFACEREQUESTOR
|
||||
NS_DECL_NSPICERTNOTIFICATION
|
||||
NS_DECL_NSIBADCERTLISTENER
|
||||
NS_DECL_NSIBADCERTLISTENER2
|
||||
NS_DECL_NSICHANNELEVENTSINK
|
||||
|
||||
NS_IMETHOD InitManager(nsIDOMWindowInternal* aParentWindow, nsXPITriggerInfo* aTrigger, PRUint32 aChromeType );
|
||||
|
|
Загрузка…
Ссылка в новой задаче