b=132589 Fix incorrect verification status when viewing email-signing-only certificates.

r=javi sr=alecf
kaie%netscape.com 2002-08-06 12:51:43 +00:00
Родитель b77f08d876
Коммит 9887192835
3 изменённых файлов: 154 добавлений и 149 удалений


@ -194,7 +194,7 @@ function DisplayGeneralDataFromCert(cert)
verifystr = bundle.GetStringFromName('certNotVerified_IssuerUnknown'); verifystr = bundle.GetStringFromName('certNotVerified_IssuerUnknown');
} else if (verifystate == cert.INVALID_CA) { } else if (verifystate == cert.INVALID_CA) {
verifystr = bundle.GetStringFromName('certNotVerified_CAInvalid'); verifystr = bundle.GetStringFromName('certNotVerified_CAInvalid');
} else { /* if (verifystate == cert.NOT_VERIFIED_UNKNOWN) */ } else { /* if (verifystate == cert.NOT_VERIFIED_UNKNOWN || == USAGE_NOT_ALLOWED) */
verifystr = bundle.GetStringFromName('certNotVerified_Unknown'); verifystr = bundle.GetStringFromName('certNotVerified_Unknown');
} }
var verified=document.getElementById('verified'); var verified=document.getElementById('verified');
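Review bot: The reworded comment on the final `else` in `DisplayGeneralDataFromCert` reads `|| == USAGE_NOT_ALLOWED`, which is not a well-formed condition and drops the `cert.` qualifier the other branches use. It also does not say that the new state is deliberately shown with the generic `certNotVerified_Unknown` string. Assuming the constant is exposed on the cert interface like the others, I would write `/* verifystate is cert.NOT_VERIFIED_UNKNOWN or cert.USAGE_NOT_ALLOWED; both use the generic message */`. The function starts before this hunk and continues after it.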


@ -1506,28 +1506,130 @@ nsNSSCertificate::VerifyForUsage(PRUint32 usage, PRUint32 *verificationResult)
return NS_OK; return NS_OK;
} }
class UsageArrayHelper
PRBool
nsNSSCertificate::verifyFailed(PRUint32 *_verified)
{ {
SECCertUsage certUsage; public:
switch (nsNSSCertificateDB::getCertType(mCert)) { UsageArrayHelper(CERTCertificate *aCert);
case EMAIL_CERT: /* fall through */
case USER_CERT: certUsage = certUsageEmailRecipient; break; nsresult GetUsageArray(char *suffix,
case CA_CERT: certUsage = certUsageSSLCA; break; PRUint32 outArraySize,
// Chances are if we don't know the cert type, it's because PRUint32 *_verified,
// of an SSL site we're visiting. PRUint32 *_count,
default: PRUnichar **tmpUsages);
case SERVER_CERT: certUsage = certUsageSSLServer; break;
enum { max_returned_out_array_size = 12 };
private:
CERTCertificate *mCert;
nsresult m_rv;
CERTCertDBHandle *defaultcertdb;
nsCOMPtr<nsINSSComponent> nssComponent;
int mCached_NonInadequateReason;
void check(char *suffix,
SECCertUsage aCertUsage,
PRUint32 &aCounter,
PRUnichar **outUsages);
void verifyFailed(PRUint32 *_verified);
};
UsageArrayHelper::UsageArrayHelper(CERTCertificate *aCert)
:mCert(aCert)
{
defaultcertdb = CERT_GetDefaultCertDB();
nssComponent = do_GetService(kNSSComponentCID, &m_rv);
mCached_NonInadequateReason = SECSuccess;
}
void
UsageArrayHelper::check(char *suffix,
SECCertUsage aCertUsage,
PRUint32 &aCounter,
PRUnichar **outUsages)
{
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE,
aCertUsage, NULL) == SECSuccess) {
nsAutoString typestr;
switch (aCertUsage) {
case certUsageSSLClient:
typestr = NS_LITERAL_STRING("VerifySSLClient");
break;
case certUsageSSLServer:
typestr = NS_LITERAL_STRING("VerifySSLServer");
break;
case certUsageSSLServerWithStepUp:
typestr = NS_LITERAL_STRING("VerifySSLStepUp");
break;
case certUsageEmailSigner:
typestr = NS_LITERAL_STRING("VerifyEmailSigner");
break;
case certUsageEmailRecipient:
typestr = NS_LITERAL_STRING("VerifyEmailRecip");
break;
case certUsageObjectSigner:
typestr = NS_LITERAL_STRING("VerifyObjSign");
break;
case certUsageProtectedObjectSigner:
typestr = NS_LITERAL_STRING("VerifyProtectObjSign");
break;
case certUsageUserCertImport:
typestr = NS_LITERAL_STRING("VerifyUserImport");
break;
case certUsageSSLCA:
typestr = NS_LITERAL_STRING("VerifySSLCA");
break;
case certUsageVerifyCA:
typestr = NS_LITERAL_STRING("VerifyCAVerifier");
break;
case certUsageStatusResponder:
typestr = NS_LITERAL_STRING("VerifyStatusResponder");
break;
case certUsageAnyCA:
typestr = NS_LITERAL_STRING("VerifyAnyCA");
break;
default:
break;
}
if (!typestr.IsEmpty()) {
typestr.AppendWithConversion(suffix);
nsAutoString verifyDesc;
m_rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
if (NS_SUCCEEDED(m_rv)) {
outUsages[aCounter++] = ToNewUnicode(verifyDesc);
}
}
} }
CERT_VerifyCertNow(CERT_GetDefaultCertDB(), mCert, PR_TRUE, certUsage, NULL); else {
int err = PR_GetError(); int err = PR_GetError();
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("not verified because: %d\n", err));
switch (err) { if (SECSuccess == mCached_NonInadequateReason) {
// we have not yet cached anything
mCached_NonInadequateReason = err;
}
else {
switch (err) {
case SEC_ERROR_INADEQUATE_KEY_USAGE:
case SEC_ERROR_INADEQUATE_CERT_TYPE:
// this code should not override a possibly cached more informative reason
break;
default:
mCached_NonInadequateReason = err;
break;
}
}
}
}
void
UsageArrayHelper::verifyFailed(PRUint32 *_verified)
{
switch (mCached_NonInadequateReason) {
/* For these cases, verify only failed for the particular usage */ /* For these cases, verify only failed for the particular usage */
case SEC_ERROR_INADEQUATE_KEY_USAGE: case SEC_ERROR_INADEQUATE_KEY_USAGE:
case SEC_ERROR_INADEQUATE_CERT_TYPE: case SEC_ERROR_INADEQUATE_CERT_TYPE:
return PR_FALSE; *_verified = nsNSSCertificate::USAGE_NOT_ALLOWED; break;
/* These are the cases that have individual error messages */ /* These are the cases that have individual error messages */
case SEC_ERROR_REVOKED_CERTIFICATE: case SEC_ERROR_REVOKED_CERTIFICATE:
*_verified = nsNSSCertificate::CERT_REVOKED; break; *_verified = nsNSSCertificate::CERT_REVOKED; break;
@ -1544,145 +1646,54 @@ nsNSSCertificate::verifyFailed(PRUint32 *_verified)
*_verified = nsNSSCertificate::INVALID_CA; break; *_verified = nsNSSCertificate::INVALID_CA; break;
case SEC_ERROR_CERT_USAGES_INVALID: // XXX what is this? case SEC_ERROR_CERT_USAGES_INVALID: // XXX what is this?
// there are some OCSP errors from PSM 1.x to add here // there are some OCSP errors from PSM 1.x to add here
case SECSuccess:
// this means, no verification result has ever been received
default: default:
*_verified = nsNSSCertificate::NOT_VERIFIED_UNKNOWN; break; *_verified = nsNSSCertificate::NOT_VERIFIED_UNKNOWN; break;
} }
return PR_TRUE;
} }
nsresult nsresult
nsNSSCertificate::GetUsageArray(char *suffix, UsageArrayHelper::GetUsageArray(char *suffix,
PRUint32 *_verified, PRUint32 outArraySize,
PRUint32 *_count, PRUint32 *_verified,
PRUnichar **tmpUsages) PRUint32 *_count,
PRUnichar **outUsages)
{ {
nsresult rv; if (NS_FAILED(m_rv))
int tmpCount = 0; return m_rv;
CERTCertDBHandle *defaultcertdb = CERT_GetDefaultCertDB(); if (outArraySize < max_returned_out_array_size)
nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); return NS_ERROR_FAILURE;
if (NS_FAILED(rv)) return rv;
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE, PRUint32 &count = *_count;
certUsageSSLClient, NULL) == SECSuccess) { count = 0;
// add client to usage
nsAutoString verifyDesc; // The following list of checks must be < max_returned_out_array_size
nsAutoString typestr(NS_LITERAL_STRING("VerifySSLClient"));
typestr.AppendWithConversion(suffix); check(suffix, certUsageSSLClient, count, outUsages);
rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc); check(suffix, certUsageSSLServer, count, outUsages);
tmpUsages[tmpCount++] = ToNewUnicode(verifyDesc); check(suffix, certUsageSSLServerWithStepUp, count, outUsages);
} check(suffix, certUsageEmailSigner, count, outUsages);
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE, check(suffix, certUsageEmailRecipient, count, outUsages);
certUsageSSLServer, NULL) == SECSuccess) { check(suffix, certUsageObjectSigner, count, outUsages);
// add server to usage
nsAutoString verifyDesc;
nsAutoString typestr(NS_LITERAL_STRING("VerifySSLServer"));
typestr.AppendWithConversion(suffix);
rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
tmpUsages[tmpCount++] = ToNewUnicode(verifyDesc);
}
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE,
certUsageSSLServerWithStepUp, NULL) == SECSuccess) {
// add stepup to usage
nsAutoString verifyDesc;
nsAutoString typestr(NS_LITERAL_STRING("VerifySSLStepUp"));
typestr.AppendWithConversion(suffix);
rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
tmpUsages[tmpCount++] = ToNewUnicode(verifyDesc);
}
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE,
certUsageEmailSigner, NULL) == SECSuccess) {
// add signer to usage
nsAutoString verifyDesc;
nsAutoString typestr(NS_LITERAL_STRING("VerifyEmailSigner"));
typestr.AppendWithConversion(suffix);
rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
tmpUsages[tmpCount++] = ToNewUnicode(verifyDesc);
}
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE,
certUsageEmailRecipient, NULL) == SECSuccess) {
// add recipient to usage
nsAutoString verifyDesc;
nsAutoString typestr(NS_LITERAL_STRING("VerifyEmailRecip"));
typestr.AppendWithConversion(suffix);
rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
tmpUsages[tmpCount++] = ToNewUnicode(verifyDesc);
}
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE,
certUsageObjectSigner, NULL) == SECSuccess) {
// add objsigner to usage
nsAutoString verifyDesc;
nsAutoString typestr(NS_LITERAL_STRING("VerifyObjSign"));
typestr.AppendWithConversion(suffix);
rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
tmpUsages[tmpCount++] = ToNewUnicode(verifyDesc);
}
#if 0 #if 0
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE, check(suffix, certUsageProtectedObjectSigner, count, outUsages);
certUsageProtectedObjectSigner, NULL) == SECSuccess) { check(suffix, certUsageUserCertImport, count, outUsages);
// add protected objsigner to usage
nsAutoString verifyDesc;
nsAutoString typestr(NS_LITERAL_STRING("VerifyProtectObjSign"));
typestr.AppendWithConversion(suffix);
rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
tmpUsages[tmpCount++] = ToNewUnicode(verifyDesc);
}
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE,
certUsageUserCertImport, NULL) == SECSuccess) {
// add user import to usage
nsAutoString verifyDesc;
nsAutoString typestr(NS_LITERAL_STRING("VerifyUserImport"));
typestr.AppendWithConversion(suffix);
rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
tmpUsages[tmpCount++] = ToNewUnicode(verifyDesc);
}
#endif #endif
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE, check(suffix, certUsageSSLCA, count, outUsages);
certUsageSSLCA, NULL) == SECSuccess) {
// add SSL CA to usage
nsAutoString verifyDesc;
nsAutoString typestr(NS_LITERAL_STRING("VerifySSLCA"));
typestr.AppendWithConversion(suffix);
rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
tmpUsages[tmpCount++] = ToNewUnicode(verifyDesc);
}
#if 0 #if 0
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE, check(suffix, certUsageVerifyCA, count, outUsages);
certUsageVerifyCA, NULL) == SECSuccess) {
// add verify CA to usage
nsAutoString verifyDesc;
nsAutoString typestr(NS_LITERAL_STRING("VerifyCAVerifier"));
typestr.AppendWithConversion(suffix);
rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
tmpUsages[tmpCount++] = ToNewUnicode(verifyDesc);
}
#endif #endif
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE, check(suffix, certUsageStatusResponder, count, outUsages);
certUsageStatusResponder, NULL) == SECSuccess) {
// add status responder to usage
nsAutoString verifyDesc;
nsAutoString typestr(NS_LITERAL_STRING("VerifyStatusResponder"));
typestr.AppendWithConversion(suffix);
rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
tmpUsages[tmpCount++] = ToNewUnicode(verifyDesc);
}
#if 0 #if 0
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE, check(suffix, certUsageAnyCA, count, outUsages);
certUsageAnyCA, NULL) == SECSuccess) {
// add any CA to usage
nsAutoString verifyDesc;
nsAutoString typestr(NS_LITERAL_STRING("VerifyAnyCA"));
typestr.AppendWithConversion(suffix);
rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
tmpUsages[tmpCount++] = ToNewUnicode(verifyDesc);
}
#endif #endif
if (tmpCount == 0) { if (count == 0) {
verifyFailed(_verified); verifyFailed(_verified);
} else { } else {
*_count = tmpCount;
*_verified = nsNSSCertificate::VERIFIED_OK; *_verified = nsNSSCertificate::VERIFIED_OK;
} }
*_count = tmpCount;
return NS_OK; return NS_OK;
} }
@ -2186,7 +2197,8 @@ nsNSSCertificate::GetUsages(PRUint32 *_verified,
PRUnichar *tmpUsages[13]; PRUnichar *tmpUsages[13];
char *suffix = ""; char *suffix = "";
PRUint32 tmpCount; PRUint32 tmpCount;
rv = GetUsageArray(suffix, _verified, &tmpCount, tmpUsages); UsageArrayHelper uah(mCert);
rv = uah.GetUsageArray(suffix, 13, _verified, &tmpCount, tmpUsages);
if (tmpCount > 0) { if (tmpCount > 0) {
*_usages = (PRUnichar **)nsMemory::Alloc(sizeof(PRUnichar *) * tmpCount); *_usages = (PRUnichar **)nsMemory::Alloc(sizeof(PRUnichar *) * tmpCount);
for (PRUint32 i=0; i<tmpCount; i++) { for (PRUint32 i=0; i<tmpCount; i++) {
@ -2209,7 +2221,8 @@ nsNSSCertificate::GetPurposes(PRUint32 *_verified,
PRUnichar *tmpUsages[13]; PRUnichar *tmpUsages[13];
char *suffix = "_p"; char *suffix = "_p";
PRUint32 tmpCount; PRUint32 tmpCount;
rv = GetUsageArray(suffix, _verified, &tmpCount, tmpUsages); UsageArrayHelper uah(mCert);
rv = uah.GetUsageArray(suffix, 13, _verified, &tmpCount, tmpUsages);
nsAutoString porpoises; nsAutoString porpoises;
for (PRUint32 i=0; i<tmpCount; i++) { for (PRUint32 i=0; i<tmpCount; i++) {
if (i>0) porpoises.Append(NS_LITERAL_STRING(",")); if (i>0) porpoises.Append(NS_LITERAL_STRING(","));
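Review bot: In `UsageArrayHelper::GetUsageArray` both early returns (`return m_rv;` and `return NS_ERROR_FAILURE;`) come before `count = 0`, so `*_count` and `*_verified` are left unwritten on failure. The visible callers in `GetUsages` and `GetPurposes` declare `PRUint32 tmpCount;` without an initialiser and go straight to `if (tmpCount > 0)` / `for (PRUint32 i=0; i<tmpCount; i++)` over `tmpUsages`, so on those paths the loop would walk indeterminate pointers in the stack array. Moving `*_count = 0; *_verified = nsNSSCertificate::NOT_VERIFIED_UNKNOWN;` above the two returns, and checking `if (NS_FAILED(rv)) return rv;` right after the call, closes this; both caller bodies continue outside their hunks, so a later check there cannot be ruled out. Separately, `check()` stores to `outUsages[aCounter++]` with no bound of its own and relies on the comment in `GetUsageArray`. Passing `outArraySize` through and skipping the store once `aCounter` reaches it would enforce the limit rather than only document it.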


@ -80,14 +80,6 @@ private:
nsresult CreateASN1Struct(); nsresult CreateASN1Struct();
nsresult CreateTBSCertificateASN1Struct(nsIASN1Sequence **retSequence, nsresult CreateTBSCertificateASN1Struct(nsIASN1Sequence **retSequence,
nsINSSComponent *nssComponent); nsINSSComponent *nssComponent);
PRBool verifyFailed(PRUint32 *_verified);
nsresult GetUsageArray(char *suffix,
PRUint32 *_verified,
PRUint32 *_count,
PRUnichar **tmpUsages);
}; };
/* Header file */ /* Header file */