Download and manage CRLs. Bug# 58233, r=javi@netscape.com, sr=blizzard@mozilla.org

security/manager/pki/resources/content/crlManager.js

@@ -0,0 +1,104 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are
+ * Copyright (C) 2001 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s):
+ *  David Drinan <ddrinan@netscape.com>
+ */
+
+const nsIX509CertDB = Components.interfaces.nsIX509CertDB;
+const nsX509CertDB = "@mozilla.org/security/x509certdb;1";
+const nsICrlEntry = Components.interfaces.nsICrlEntry;
+const nsISupportsArray = Components.interfaces.nsISupportsArray;
+
+var certdb;
+var crls;
+
+function onLoad()
+{
+  var crlEntry;
+  var i;
+
+  certdb = Components.classes[nsX509CertDB].getService(nsIX509CertDB);
+  crls = certdb.getCrls();
+
+  for (i=0; i<crls.Count(); i++) {
+    crlEntry = crls.GetElementAt(i).QueryInterface(nsICrlEntry);
+    var name = crlEntry.name;
+    var lastUpdate = crlEntry.lastUpdate;
+    var nextUpdate = crlEntry.nextUpdate;
+    AddItem("crlList", [name, lastUpdate, nextUpdate], "crltree_", i);
+  }
+}
+
+function AddItem(children,cells,prefix,idfier)
+{
+  var kids = document.getElementById(children);
+  var item  = document.createElement("treeitem");
+  var row   = document.createElement("treerow");
+  for(var i = 0; i < cells.length; i++)
+  {
+    var cell  = document.createElement("treecell");
+    cell.setAttribute("class", "propertylist");
+    cell.setAttribute("label", cells[i])
+    row.appendChild(cell);
+  }
+  item.appendChild(row);
+  item.setAttribute("id",prefix + idfier);
+  kids.appendChild(item);
+}
+
+function DeleteCrlSelected() {
+  var crlEntry;
+
+  // delete selected item
+  var crltree = document.getElementById("crltree");
+  var i = crltree.selectedIndex;
+
+  // Delete it
+  certdb.deleteCrl(i);
+  DeleteItemSelected("crltree", "crltree_", "crlList");
+  if( !crltree.selectedItems.length ) {
+    if( !document.getElementById("deleteCrl").disabled ) {
+      document.getElementById("deleteCrl").setAttribute("disabled", "true")
+    }
+  }
+}
+
+function EnableCrlActions() {
+  document.getElementById("deleteCrl").removeAttribute("disabled", "true");
+  // document.getElementById("updateCrl").removeAttribute("disabled", "true");
+}
+
+function DeleteItemSelected(tree, prefix, kids) {
+  var i;
+  var delnarray = [];
+  var rv = "";
+  var cookietree = document.getElementById(tree);
+  var selitems = cookietree.selectedItems;
+  for(i = 0; i < selitems.length; i++) 
+  { 
+    delnarray[i] = document.getElementById(selitems[i].getAttribute("id"));
+    var itemid = parseInt(selitems[i].getAttribute("id").substring(prefix.length,selitems[i].getAttribute("id").length));
+    rv += (itemid + ",");
+  }
+  for(i = 0; i < delnarray.length; i++) 
+  { 
+    document.getElementById(kids).removeChild(delnarray[i]);
+  }
+  return rv;
+}

security/manager/pki/resources/content/crlManager.xul

@@ -0,0 +1,78 @@
+<?xml version="1.0"?>
+<!-- 
+  The contents of this file are subject to the Netscape Public
+  License Version 1.1 (the "License"); you may not use this file
+  except in compliance with the License. You may obtain a copy of
+  the License at http://www.mozilla.org/NPL/
+  
+  Software distributed under the License is distributed on an "AS
+  IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+  implied. See the License for the specific language governing
+  rights and limitations under the License.
+  
+  The Original Code is Mozilla Communicator client code, released
+  March 31, 1998.
+  
+  The Initial Developer of the Original Code is Netscape
+  Communications Corporation. Portions created by Netscape are
+  Copyright (C) 1998-1999 Netscape Communications Corporation. All
+  Rights Reserved.
+  
+  Contributor(s):
+    David Drinan (ddrinan@netscape.com)
+-->
+
+<!-- CHANGE THIS WHEN MOVING FILES -->
+<?xml-stylesheet href="chrome://communicator/skin/" type="text/css"?> 
+<?xul-overlay href="chrome://global/content/dialogOverlay.xul"?>
+
+<!-- CHANGE THIS WHEN MOVING FILES -->
+<!DOCTYPE window SYSTEM "chrome://pippki/locale/pref-validation.dtd">
+
+<window id="crlviewer"
+        class="dialog"
+        title="&validation.crlmanager.label;"
+        xmlns:html="http://www.w3.org/1999/xhtml"
+        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+        style="width: 30em;"
+        orient="vertical"
+        onload="onLoad()">
+
+  <script src="chrome://global/content/strres.js"/>
+  <script src="crlManager.js"/>
+
+  <text class="label" value="&validation.crlmanager.label;"/>
+  <separator class="thin"/>
+  <tree id="crltree" class="inset" style="height: 10em;"
+   multiple="false" onclick="EnableCrlActions()" flex="1">
+    <treecolgroup>
+      <treecol flex="4" width="0"/>
+      <splitter class="tree-splitter"/>
+      <treecol flex="2" width="0"/>
+      <splitter class="tree-splitter"/>
+      <treecol flex="2" width="0"/>
+    </treecolgroup>
+    <treehead>
+      <treerow>
+        <treecell class="treecell-header sortDirectionIndicator"
+                          label="&validation.crlname.label;"
+                          />
+        <treecell class="treecell-header
+                          sortDirectionIndicator"
+                          label="&validation.crllastupdate.label;"
+                          />
+        <treecell class="treecell-header
+                          sortDirectionIndicator"
+                          label="&validation.crlnextupdate.label;"
+                          />
+      </treerow>          
+    </treehead>
+    <treechildren id="crlList" flex="1"/>
+  </tree>
+  <box>
+    <button id="deleteCrl" class="dialog push" disabled="true"
+                          label="&validation.deletecrl.label;"
+                          oncommand="DeleteCrlSelected();"/>
+  </box>
+  <separator class="thin"/>
+</window>

security/manager/pki/resources/content/pref-validation.js

@@ -84,3 +84,10 @@ function changeURL()
     }
   }
 }
+
+function openCrlManager()
+{
+    window.open('chrome://pippki/content/crlManager.xul',  "",
+                'chrome,width=500,height=400,resizable=1');
+}
+

security/manager/pki/resources/content/pref-validation.xul

@@ -48,11 +48,14 @@
   <!-- Fancy panel header -->
   <box class="box-smallheader" title="&validation.title;" description="&validation.description;"/>
 
-  <!--
-  <titledbox orient="horizontal">
+  <titledbox orient="vertical">
     <label value="&validation.crl.label;"/>
+    <html> &validation.crl.description; </html>
+    <box halign="left" autostretch="never">
+      <button class="dialog" label="&validation.managecrls.button;" disabled="false"
+        oncommand="openCrlManager();" />
+    </box>
   </titledbox>
-  -->
 
   <titledbox orient="vertical" autostretch="never" >
     <label value="&validation.ocsp.label;"/>

security/manager/pki/resources/jar.mn

@@ -44,6 +44,8 @@ pippki.jar:
     content/pippki/escrowWarn.js             (content/escrowWarn.js)
     content/pippki/pref-validation.xul       (content/pref-validation.xul)
     content/pippki/pref-validation.js        (content/pref-validation.js)
+    content/pippki/crlManager.xul            (content/crlManager.xul)
+    content/pippki/crlManager.js             (content/crlManager.js)
     locale/en-US/pippki/contents.rdf         (locale/en-US/contents.rdf)
     locale/en-US/pippki/pippki.dtd           (locale/en-US/pippki.dtd)
     locale/en-US/pippki/pref-ssl.dtd         (locale/en-US/pref-ssl.dtd)

security/manager/pki/resources/locale/en-US/pref-validation.dtd

@@ -24,9 +24,17 @@
 <!ENTITY  validation.description    "Settings for Validation">
 
 <!ENTITY  validation.crl.label      "CRL">
+<!ENTITY  validation.crl.description "Use the CRL Manager to manage the Certificate Revocation Lists (CRL) that are stored in your certificate database.">
+<!ENTITY  validation.managecrls.button      "Manage CRLs...">
+<!ENTITY  validation.crlmanager.label       "Manage CRLs">
+<!ENTITY  validation.crlname.label          "Name">
+<!ENTITY  validation.crllastupdate.label    "Last Update">
+<!ENTITY  validation.crlnextupdate.label    "Next Update">
+<!ENTITY  validation.deletecrl.label        "Delete">
+<!ENTITY  validation.updatecrl.label        "Update">
 
 <!ENTITY validation.ocsp.label      "OCSP">
-<!ENTITY validation.ocsp.description "&brandShortName; can use Online Certificate Status Protocol(OCSP) to verify certificates. Set &brandShortName; to use OCSP as follows:">
+<!ENTITY validation.ocsp.description "&brandShortName; can use Online Certificate Status Protocol (OCSP) to verify certificates. Set &brandShortName; to use OCSP as follows:">
 <!ENTITY disableOCSP.label "Do not use OCSP for certificate validation">
 <!ENTITY certOCSP.label "Use OCSP to validate only cerificates that specify on OCSP service URL">
 <!ENTITY proxyOCSP.label "Use OCSP to validate all certificates using the URL and signer specified here:">

security/manager/ssl/public/nsIX509CertDB.idl

@@ -35,15 +35,12 @@
 
 #include "nsISupports.idl"
 
-%{C++
-#include "nsString.h"
-%}
-
 interface nsISupportsArray;
 interface nsIX509Cert;
 interface nsIPK11Token;
 interface nsILocalFile;
 interface nsIInterfaceRequestor;
+interface nsIURI;
 
 %{C++
 
@@ -70,6 +67,12 @@ interface nsIOCSPResponder : nsISupports {
   readonly attribute wstring serviceURL;
 };
 
+[scriptable, uuid(c185d920-4a3e-11d5-ba27-00108303b117)]
+interface nsICrlEntry : nsISupports {
+  readonly attribute wstring name;
+  readonly attribute wstring lastUpdate;
+  readonly attribute wstring nextUpdate;
+};
 
 [scriptable, uuid(da48b3c0-1284-11d5-ac67-000064657374)]
 interface nsIX509CertDB : nsISupports {
@@ -196,5 +199,29 @@ interface nsIX509CertDB : nsISupports {
    */
   nsISupportsArray getOCSPResponders();
 
-};
+  /*
+   * importCrl
+   *
+   * Import a CRL into the database.
+   */
+  [noscript] void importCrl(in charPtr data, 
+                            in unsigned long length,
+						                in nsIURI uri,
+                            in PRUint32 type);
+
+  /*
+   * getCrls
+   *
+   * Get a list of Crl entries in the DB.
+   */
+  nsISupportsArray getCrls();
+
+  /*
+   * deleteCrl
+   *
+   * Delete the crl.
+   */
+  void deleteCrl(in PRUint32 crlIndex);
+
+ };
 

security/manager/ssl/src/nsNSSCertificate.cpp

@@ -32,7 +32,7 @@
  * may use your version of this file under either the MPL or the
  * GPL.
  *
- * $Id: nsNSSCertificate.cpp,v 1.25 2001/05/15 23:15:08 javi%netscape.com Exp $
+ * $Id: nsNSSCertificate.cpp,v 1.26 2001/05/19 01:20:17 ddrinan%netscape.com Exp $
  */
 
 #include "prmem.h"
@@ -53,6 +53,7 @@
 #include "nsIDateTimeFormat.h"
 #include "nsDateTimeFormatCID.h"
 #include "nsILocaleService.h"
+#include "nsIURI.h"
 
 #include "nspr.h"
 extern "C" {
@@ -64,6 +65,7 @@ extern "C" {
 #include "secasn1.h"
 #include "secder.h"
 }
+#include "ssl.h"
 #include "ocsp.h"
 
 #ifdef PR_LOGGING
@@ -2864,3 +2866,231 @@ nsNSSCertificateDB::getCertType(CERTCertificate *cert)
   return nsIX509Cert::UNKNOWN_CERT;
 }
 
+
+NS_IMETHODIMP 
+nsNSSCertificateDB::ImportCrl (char *aData, PRUint32 aLength, nsIURI * aURI, PRUint32 aType)
+{
+  PRArenaPool *arena = NULL;
+  CERTCertificate *caCert;
+  SECItem derName = { siBuffer, NULL, 0 };
+  SECItem derCrl;
+  CERTSignedData sd;
+  SECStatus sec_rv;
+  CERTSignedCrl *crl;
+  nsXPIDLCString url;
+  aURI->GetSpec(getter_Copies(url));
+  arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+  if (!arena) {
+    goto loser;
+  }
+  memset(&sd, 0, sizeof(sd));
+
+  derCrl.data = (unsigned char*)aData;
+  derCrl.len = aLength;
+  sec_rv = CERT_KeyFromDERCrl(arena, &derCrl, &derName);
+  if (sec_rv != SECSuccess) {
+    goto loser;
+  }
+
+  caCert = CERT_FindCertByName(CERT_GetDefaultCertDB(), &derName);
+  if (!caCert) {
+    if (aType == SEC_KRL_TYPE){
+      goto loser;
+    }
+  } else {
+    sec_rv = SEC_ASN1DecodeItem(arena,
+                            &sd, CERT_SignedDataTemplate, 
+                            &derCrl);
+    if (sec_rv != SECSuccess) {
+      goto loser;
+    }
+    sec_rv = CERT_VerifySignedData(&sd, caCert, PR_Now(),
+                               nsnull);
+    if (sec_rv != SECSuccess) {
+      goto loser;
+    }
+  }
+    
+  crl = SEC_NewCrl(CERT_GetDefaultCertDB(), (char*)url.get(), &derCrl,
+                   aType);
+  if (!crl) {
+    goto loser;
+  }
+  SSL_ClearSessionCache();
+  SEC_DestroyCrl(crl);
+  return NS_OK;
+loser:
+  return NS_ERROR_FAILURE;;
+}
+
+/* Header file */
+class nsCrlEntry : public nsICrlEntry
+{
+public:
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSICRLENTRY
+
+  nsCrlEntry();
+  nsCrlEntry(const PRUnichar*, const PRUnichar*, const PRUnichar*);
+  virtual ~nsCrlEntry();
+  /* additional members */
+private:
+  nsString mName;
+  nsString mLastUpdate;
+  nsString mNextUpdate;
+};
+
+/* Implementation file */
+NS_IMPL_ISUPPORTS1(nsCrlEntry, nsICrlEntry)
+
+nsCrlEntry::nsCrlEntry()
+{
+  NS_INIT_ISUPPORTS();
+  /* member initializers and constructor code */
+}
+
+nsCrlEntry::nsCrlEntry(const PRUnichar * aName, const PRUnichar * aLastUpdate, const PRUnichar *aNextUpdate)
+{
+  NS_INIT_ISUPPORTS();
+  mName.Assign(aName);
+  mLastUpdate.Assign(aLastUpdate);
+  mNextUpdate.Assign(aNextUpdate);
+}
+
+nsCrlEntry::~nsCrlEntry()
+{
+  /* destructor code */
+}
+
+/* readonly attribute */
+NS_IMETHODIMP nsCrlEntry::GetName(PRUnichar** aName)
+{
+  NS_ENSURE_ARG(aName);
+  *aName = mName.ToNewUnicode();
+  return NS_OK;
+}
+
+/* readonly attribute */
+NS_IMETHODIMP nsCrlEntry::GetLastUpdate(PRUnichar** aLastUpdate)
+{
+  NS_ENSURE_ARG(aLastUpdate);
+  *aLastUpdate = mLastUpdate.ToNewUnicode();
+  return NS_OK;
+}
+
+/* readonly attribute */
+NS_IMETHODIMP nsCrlEntry::GetNextUpdate(PRUnichar** aNextUpdate)
+{
+  NS_ENSURE_ARG(aNextUpdate);
+  *aNextUpdate = mNextUpdate.ToNewUnicode();
+  return NS_OK;
+}
+
+/*
+ * getCRLs
+ *
+ * Export a set of certs and keys from the database to a PKCS#12 file.
+*/
+NS_IMETHODIMP 
+nsNSSCertificateDB::GetCrls(nsISupportsArray ** aCrls)
+{
+  SECStatus sec_rv;
+  CERTCrlHeadNode *head = nsnull;
+  CERTCrlNode *node = nsnull;
+  CERTCertificate *caCert = nsnull;
+  nsAutoString name;
+  nsAutoString nextUpdate;
+  nsAutoString lastUpdate;
+  PRTime tmpDate;
+  nsCOMPtr<nsISupportsArray> crlsArray;
+  nsresult rv;
+  rv = NS_NewISupportsArray(getter_AddRefs(crlsArray));
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  nsCOMPtr<nsIDateTimeFormat> dateFormatter =
+     do_CreateInstance(kDateTimeFormatCID, &rv);
+  if (NS_FAILED(rv)) return rv;
+
+  // Get the list of certs //
+  sec_rv = SEC_LookupCrls(CERT_GetDefaultCertDB(), &head, -1);
+  if (sec_rv != SECSuccess) {
+    goto loser;
+  }
+
+  if (head) {
+    for (node=head->first; node != nsnull; node = node->next) {
+      // Get the information we need here //
+
+      // Name (this is the OU of the CA)
+      caCert = CERT_FindCertByName(CERT_GetDefaultCertDB(), &(node->crl->crl.derName));
+      if (caCert) {
+        char *orgunit = CERT_GetOrgUnitName(&caCert->subject);
+        if (orgunit) {
+          name = NS_ConvertASCIItoUCS2(orgunit);
+        }
+      }
+
+      // Last Update time
+      sec_rv = DER_UTCTimeToTime(&tmpDate, &(node->crl->crl.lastUpdate));
+      if (sec_rv == SECSuccess) {
+        dateFormatter->FormatPRTime(nsnull, kDateFormatShort, kTimeFormatNone,
+                              tmpDate, lastUpdate);
+      }
+
+      // Next update time
+      sec_rv = DER_UTCTimeToTime(&tmpDate, &(node->crl->crl.nextUpdate));
+      if (sec_rv == SECSuccess) {
+        dateFormatter->FormatPRTime(nsnull, kDateFormatShort, kTimeFormatNone,
+                              tmpDate, nextUpdate);
+      }
+      nsCOMPtr<nsICrlEntry> entry = new nsCrlEntry(name.get(), lastUpdate.get(), nextUpdate.get());
+      crlsArray->AppendElement(entry);
+    }
+    PORT_FreeArena(head->arena, PR_FALSE);
+  }
+
+  *aCrls = crlsArray;
+  NS_IF_ADDREF(*aCrls);
+  return NS_OK;
+loser:
+  return NS_ERROR_FAILURE;;
+}
+
+/*
+ * deletetCrl
+ *
+ * Delete a Crl entry from the cert db.
+*/
+NS_IMETHODIMP 
+nsNSSCertificateDB::DeleteCrl(PRUint32 aCrlIndex)
+{
+  CERTSignedCrl *realCrl = nsnull;
+  CERTCrlHeadNode *head = nsnull;
+  CERTCrlNode *node = nsnull;
+  SECStatus sec_rv;
+  PRUint32 i;
+
+  // Get the list of certs //
+  sec_rv = SEC_LookupCrls(CERT_GetDefaultCertDB(), &head, -1);
+  if (sec_rv != SECSuccess) {
+    goto loser;
+  }
+
+  if (head) {
+    for (i = 0, node=head->first; node != nsnull; i++, node = node->next) {
+      if (i != aCrlIndex) {
+        continue;
+      }
+      realCrl = SEC_FindCrlByName(CERT_GetDefaultCertDB(), &(node->crl->crl.derName), node->type);
+      SEC_DeletePermCRL(realCrl);
+      SEC_DestroyCrl(realCrl);
+      SSL_ClearSessionCache();
+    }
+    PORT_FreeArena(head->arena, PR_FALSE);
+  }
+  return NS_OK;
+loser:
+  return NS_ERROR_FAILURE;;
+}

security/manager/ssl/src/nsNSSComponent.cpp

@@ -102,12 +102,12 @@ nsNSSComponent::nsNSSComponent()
 
 nsNSSComponent::~nsNSSComponent()
 {
-  if (mCertContentListener) {
+  if (mPSMContentListener) {
     nsresult rv = NS_ERROR_FAILURE;
       
     nsCOMPtr<nsIURILoader> dispatcher(do_GetService(NS_URI_LOADER_CONTRACTID));
     if (dispatcher) {
-      rv = dispatcher->UnRegisterContentListener(mCertContentListener);
+      rv = dispatcher->UnRegisterContentListener(mPSMContentListener);
     }
   }
   if (mPref)
@@ -325,14 +325,14 @@ nsNSSComponent::InitializePIPNSSBundle()
 }
 
 nsresult
-nsNSSComponent::RegisterCertContentListener()
+nsNSSComponent::RegisterPSMContentListener()
 {
   nsresult rv = NS_OK;
-  if (!mCertContentListener) {
+  if (!mPSMContentListener) {
     nsCOMPtr<nsIURILoader> dispatcher(do_GetService(NS_URI_LOADER_CONTRACTID));
     if (dispatcher) {
-      mCertContentListener = do_CreateInstance(NS_CERTCONTENTLISTEN_CONTRACTID);
-      rv = dispatcher->RegisterContentListener(mCertContentListener);
+      mPSMContentListener = do_CreateInstance(NS_PSMCONTENTLISTEN_CONTRACTID);
+      rv = dispatcher->RegisterContentListener(mPSMContentListener);
     }
   }
   return rv;
@@ -502,7 +502,7 @@ nsNSSComponent::Init()
     return rv;
   }
   InstallLoadableRoots();
-  RegisterCertContentListener();
+  RegisterPSMContentListener();
   RegisterProfileChangeObserver();
   return rv;
 }
@@ -754,30 +754,30 @@ setPassword(PK11SlotInfo *slot, nsIInterfaceRequestor *ctx)
 // Implementation of an nsIInterfaceRequestor for use
 // as context for NSS calls
 //
-class CertDownloaderContext : public nsIInterfaceRequestor
+class PSMContentDownloaderContext : public nsIInterfaceRequestor
 {
 public:
   NS_DECL_ISUPPORTS
   NS_DECL_NSIINTERFACEREQUESTOR
 
-  CertDownloaderContext();
-  virtual ~CertDownloaderContext();
+  PSMContentDownloaderContext();
+  virtual ~PSMContentDownloaderContext();
 
 };
 
-NS_IMPL_ISUPPORTS1(CertDownloaderContext, nsIInterfaceRequestor)
+NS_IMPL_ISUPPORTS1(PSMContentDownloaderContext, nsIInterfaceRequestor)
 
-CertDownloaderContext::CertDownloaderContext()
+PSMContentDownloaderContext::PSMContentDownloaderContext()
 {
   NS_INIT_ISUPPORTS();
 }
 
-CertDownloaderContext::~CertDownloaderContext()
+PSMContentDownloaderContext::~PSMContentDownloaderContext()
 {
 }
 
 /* void getInterface (in nsIIDRef uuid, [iid_is (uuid), retval] out nsQIResult result); */
-NS_IMETHODIMP CertDownloaderContext::GetInterface(const nsIID & uuid, void * *result)
+NS_IMETHODIMP PSMContentDownloaderContext::GetInterface(const nsIID & uuid, void * *result)
 {
   nsresult rv;
 
@@ -805,27 +805,35 @@ NS_IMETHODIMP CertDownloaderContext::GetInterface(const nsIID & uuid, void * *re
   return rv;
 }
 
-class CertDownloader : public nsIStreamListener
+class PSMContentDownloader : public nsIStreamListener
 {
 public:
-  CertDownloader() {NS_ASSERTION(PR_FALSE, "don't use this constructor."); }
-  CertDownloader(PRUint32 type);
-  virtual ~CertDownloader();
+  PSMContentDownloader() {NS_ASSERTION(PR_FALSE, "don't use this constructor."); }
+  PSMContentDownloader(PRUint32 type);
+  virtual ~PSMContentDownloader();
   
   NS_DECL_ISUPPORTS
   NS_DECL_NSIREQUESTOBSERVER
   NS_DECL_NSISTREAMLISTENER
 
+  enum {UNKNOWN_TYPE = 0};
+  enum {X509_CA_CERT  = 1};
+  enum {X509_USER_CERT  = 2};
+  enum {X509_EMAIL_CERT  = 3};
+  enum {X509_SERVER_CERT  = 4};
+  enum {PKCS7_CRL = 5};
+
 protected:
   char* mByteData;
   PRInt32 mBufferOffset;
   PRInt32 mContentLength;
   PRUint32 mType;
   nsCOMPtr<nsISecurityManagerComponent> mNSS;
+  nsCOMPtr<nsIURI> mURI;
 };
 
 
-CertDownloader::CertDownloader(PRUint32 type)
+PSMContentDownloader::PSMContentDownloader(PRUint32 type)
   : mByteData(nsnull),
     mType(type)
 {
@@ -834,25 +842,28 @@ CertDownloader::CertDownloader(PRUint32 type)
   mNSS = do_GetService(PSM_COMPONENT_CONTRACTID);
 }
 
-CertDownloader::~CertDownloader()
+PSMContentDownloader::~PSMContentDownloader()
 {
   if (mByteData)
     nsMemory::Free(mByteData);
 }
 
 /*NS_IMPL_ISUPPORTS1(CertDownloader, nsIStreamListener);*/
-NS_IMPL_ISUPPORTS(CertDownloader,NS_GET_IID(nsIStreamListener));
+NS_IMPL_ISUPPORTS(PSMContentDownloader,NS_GET_IID(nsIStreamListener));
 
 const PRInt32 kDefaultCertAllocLength = 2048;
 
 NS_IMETHODIMP
-CertDownloader::OnStartRequest(nsIRequest* request, nsISupports* context)
+PSMContentDownloader::OnStartRequest(nsIRequest* request, nsISupports* context)
 {
   nsresult rv;
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("CertDownloader::OnStartRequest\n"));
   nsCOMPtr<nsIChannel> channel(do_QueryInterface(request));
   if (!channel) return NS_ERROR_FAILURE;
 
+  // Get the URI //
+  channel->GetURI(getter_AddRefs(mURI));
+
   rv = channel->GetContentLength(&mContentLength);
   if (rv != NS_OK || mContentLength == -1)
     mContentLength = kDefaultCertAllocLength;
@@ -866,7 +877,7 @@ CertDownloader::OnStartRequest(nsIRequest* request, nsISupports* context)
 }
 
 NS_IMETHODIMP
-CertDownloader::OnDataAvailable(nsIRequest* request,
+PSMContentDownloader::OnDataAvailable(nsIRequest* request,
                                 nsISupports* context,
                                 nsIInputStream *aIStream,
                                 PRUint32 aSourceOffset,
@@ -905,7 +916,7 @@ CertDownloader::OnDataAvailable(nsIRequest* request,
 }
 
 NS_IMETHODIMP
-CertDownloader::OnStopRequest(nsIRequest* request,
+PSMContentDownloader::OnStopRequest(nsIRequest* request,
                               nsISupports* context,
                               nsresult aStatus)
 {
@@ -914,10 +925,10 @@ CertDownloader::OnStopRequest(nsIRequest* request,
   nsCOMPtr<nsIX509CertDB> certdb = do_GetService(NS_X509CERTDB_CONTRACTID);
 
   nsresult rv;
-  nsCOMPtr<nsIInterfaceRequestor> ctx = new CertDownloaderContext();
+  nsCOMPtr<nsIInterfaceRequestor> ctx = new PSMContentDownloaderContext();
 
   switch (mType) {
-  case nsIX509Cert::CA_CERT:
+  case PSMContentDownloader::X509_CA_CERT:
     {
       nsCOMPtr<nsIX509Cert> cert = new nsNSSCertificate(mByteData, mBufferOffset);
       if (certdb == nsnull)
@@ -935,8 +946,11 @@ CertDownloader::OnStopRequest(nsIRequest* request,
 
       return certdb->ImportCertificate(cert, mType, trust, nsnull);
     }
-  case nsIX509Cert::USER_CERT:
+  case PSMContentDownloader::X509_USER_CERT:
     return certdb->ImportUserCertificate(mByteData, mBufferOffset, ctx);
+    break;
+  case PSMContentDownloader::PKCS7_CRL:
+    return certdb->ImportCrl(mByteData, mBufferOffset, mURI, SEC_CRL_TYPE);
   default:
 	  rv = NS_ERROR_FAILURE;
 	  break;
@@ -955,43 +969,45 @@ loser:
 */
 
 PRUint32
-getPSMCertType(const char * aContentType)
+getPSMContentType(const char * aContentType)
 { 
   if (!nsCRT::strcasecmp(aContentType, "application/x-x509-ca-cert"))
-    return nsIX509Cert::CA_CERT;
+    return PSMContentDownloader::X509_CA_CERT;
   else if (!nsCRT::strcasecmp(aContentType, "application/x-x509-server-cert"))
-    return nsIX509Cert::SERVER_CERT;
+    return PSMContentDownloader::X509_SERVER_CERT;
   else if (!nsCRT::strcasecmp(aContentType, "application/x-x509-user-cert"))
-    return nsIX509Cert::USER_CERT;
+    return PSMContentDownloader::X509_USER_CERT;
   else if (!nsCRT::strcasecmp(aContentType, "application/x-x509-email-cert"))
-    return nsIX509Cert::EMAIL_CERT;
-  return nsIX509Cert::UNKNOWN_CERT;
+    return PSMContentDownloader::X509_EMAIL_CERT;
+  else if (!nsCRT::strcasecmp(aContentType, "application/x-pkcs7-crl"))
+    return PSMContentDownloader::PKCS7_CRL;
+  return PSMContentDownloader::UNKNOWN_TYPE;
 }
 
 
-NS_IMPL_ISUPPORTS2(CertContentListener,
+NS_IMPL_ISUPPORTS2(PSMContentListener,
                    nsIURIContentListener,
                    nsISupportsWeakReference); 
 
-CertContentListener::CertContentListener()
+PSMContentListener::PSMContentListener()
 {
   NS_INIT_REFCNT();
   mLoadCookie = nsnull;
   mParentContentListener = nsnull;
 }
 
-CertContentListener::~CertContentListener()
+PSMContentListener::~PSMContentListener()
 {
 }
 
 nsresult
-CertContentListener::init()
+PSMContentListener::init()
 {
   return NS_OK;
 }
 
 NS_IMETHODIMP
-CertContentListener::OnStartURIOpen(nsIURI *aURI, PRBool *aAbortOpen)
+PSMContentListener::OnStartURIOpen(nsIURI *aURI, PRBool *aAbortOpen)
 {
   //if we don't want to handle the URI, return PR_TRUE in
   //*aAbortOpen
@@ -999,7 +1015,7 @@ CertContentListener::OnStartURIOpen(nsIURI *aURI, PRBool *aAbortOpen)
 }
 
 NS_IMETHODIMP
-CertContentListener::GetProtocolHandler(nsIURI *aURI, 
+PSMContentListener::GetProtocolHandler(nsIURI *aURI, 
                                         nsIProtocolHandler **aProtocolHandler)
 {
   *aProtocolHandler = nsnull;
@@ -1007,7 +1023,7 @@ CertContentListener::GetProtocolHandler(nsIURI *aURI,
 }
 
 NS_IMETHODIMP
-CertContentListener::IsPreferred(const char * aContentType,
+PSMContentListener::IsPreferred(const char * aContentType,
                                  nsURILoadCommand aCommand,
                                  char ** aDesiredContentType,
                                  PRBool * aCanHandleContent)
@@ -1017,13 +1033,13 @@ CertContentListener::IsPreferred(const char * aContentType,
 }
 
 NS_IMETHODIMP
-CertContentListener::CanHandleContent(const char * aContentType,
+PSMContentListener::CanHandleContent(const char * aContentType,
                                       nsURILoadCommand aCommand,
                                       char ** aDesiredContentType,
                                       PRBool * aCanHandleContent)
 {
   PRUint32 type;
-  type = getPSMCertType(aContentType);
+  type = getPSMContentType(aContentType);
   if (type == nsIX509Cert::UNKNOWN_CERT) {
     *aCanHandleContent = PR_FALSE;
   } else {
@@ -1033,18 +1049,18 @@ CertContentListener::CanHandleContent(const char * aContentType,
 }
 
 NS_IMETHODIMP
-CertContentListener::DoContent(const char * aContentType,
+PSMContentListener::DoContent(const char * aContentType,
                                nsURILoadCommand aCommand,
                                nsIRequest * aRequest,
                                nsIStreamListener ** aContentHandler,
                                PRBool * aAbortProcess)
 {
-  CertDownloader *downLoader;
+  PSMContentDownloader *downLoader;
   PRUint32 type;
-  type = getPSMCertType(aContentType);
-  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("CertContentListener::DoContent\n"));
+  type = getPSMContentType(aContentType);
+  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("PSMContentListener::DoContent\n"));
   if (type != nsIX509Cert::UNKNOWN_CERT) {
-    downLoader = new CertDownloader(type);
+    downLoader = new PSMContentDownloader(type);
     if (downLoader) {
       downLoader->QueryInterface(NS_GET_IID(nsIStreamListener), 
                                             (void **)aContentHandler);
@@ -1055,7 +1071,7 @@ CertContentListener::DoContent(const char * aContentType,
 }
 
 NS_IMETHODIMP
-CertContentListener::GetLoadCookie(nsISupports * *aLoadCookie)
+PSMContentListener::GetLoadCookie(nsISupports * *aLoadCookie)
 {
   *aLoadCookie = mLoadCookie;
   NS_IF_ADDREF(*aLoadCookie);
@@ -1063,14 +1079,14 @@ CertContentListener::GetLoadCookie(nsISupports * *aLoadCookie)
 }
 
 NS_IMETHODIMP
-CertContentListener::SetLoadCookie(nsISupports * aLoadCookie)
+PSMContentListener::SetLoadCookie(nsISupports * aLoadCookie)
 {
   mLoadCookie = aLoadCookie;
   return NS_OK;
 }
 
 NS_IMETHODIMP
-CertContentListener::GetParentContentListener(nsIURIContentListener ** aContentListener)
+PSMContentListener::GetParentContentListener(nsIURIContentListener ** aContentListener)
 {
   *aContentListener = mParentContentListener;
   NS_IF_ADDREF(*aContentListener);
@@ -1078,7 +1094,7 @@ CertContentListener::GetParentContentListener(nsIURIContentListener ** aContentL
 }
 
 NS_IMETHODIMP
-CertContentListener::SetParentContentListener(nsIURIContentListener * aContentListener)
+PSMContentListener::SetParentContentListener(nsIURIContentListener * aContentListener)
 {
   mParentContentListener = aContentListener;
   return NS_OK;

security/manager/ssl/src/nsNSSComponent.h

@@ -52,8 +52,8 @@
   {0xd4b49dd6, 0x1dd1, 0x11b2, \
     { 0xb6, 0xfe, 0xb1, 0x4c, 0xfa, 0xf6, 0x9c, 0xbd }}
 
-#define NS_CERTCONTENTLISTEN_CID {0xc94f4a30, 0x64d7, 0x11d4, {0x99, 0x60, 0x00, 0xb0, 0xd0, 0x23, 0x54, 0xa0}}
-#define NS_CERTCONTENTLISTEN_CONTRACTID "@mozilla.org/security/certdownload;1"
+#define NS_PSMCONTENTLISTEN_CID {0xc94f4a30, 0x64d7, 0x11d4, {0x99, 0x60, 0x00, 0xb0, 0xd0, 0x23, 0x54, 0xa0}}
+#define NS_PSMCONTENTLISTEN_CONTRACTID "@mozilla.org/security/psmdownload;1"
 
 
 class NS_NO_VTABLE nsINSSComponent : public nsISupports {
@@ -107,13 +107,13 @@ private:
   nsresult InitializePIPNSSBundle();
   nsresult ConfigureInternalPKCS11Token();
   char * GetPK11String(const PRUnichar *name, PRUint32 len);
-  nsresult RegisterCertContentListener();
+  nsresult RegisterPSMContentListener();
   nsresult RegisterProfileChangeObserver();
   static int PrefChangedCallback(const char* aPrefName, void* data);
   void PrefChanged(const char* aPrefName);
 
   nsCOMPtr<nsIStringBundle> mPIPNSSBundle;
-  nsCOMPtr<nsIURIContentListener> mCertContentListener;
+  nsCOMPtr<nsIURIContentListener> mPSMContentListener;
   nsCOMPtr<nsIPref> mPref;
   static PRBool mNSSInitialized;
 };
@@ -122,11 +122,11 @@ private:
 // Now we need a content listener to register 
 //--------------------------------------------
 
-class CertContentListener : public nsIURIContentListener,
+class PSMContentListener : public nsIURIContentListener,
                             public nsSupportsWeakReference {
 public:
-  CertContentListener();
-  virtual ~CertContentListener();
+  PSMContentListener();
+  virtual ~PSMContentListener();
   nsresult init();
 
   NS_DECL_ISUPPORTS

security/manager/ssl/src/nsNSSModule.cpp

@@ -52,7 +52,7 @@ NS_GENERIC_FACTORY_CONSTRUCTOR(nsTLSSocketProvider)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsSecretDecoderRing)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsPK11TokenDB)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsPKCS11ModuleDB)
-NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(CertContentListener, init)
+NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(PSMContentListener, init)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsNSSCertificateDB)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsCertOutliner)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsCrypto)
@@ -154,9 +154,9 @@ static nsModuleComponentInfo components[] =
 
   {
     "Generic Certificate Content Handler",
-    NS_CERTCONTENTLISTEN_CID,
-    NS_CERTCONTENTLISTEN_CONTRACTID,
-    CertContentListenerConstructor
+    NS_PSMCONTENTLISTEN_CID,
+    NS_PSMCONTENTLISTEN_CONTRACTID,
+    PSMContentListenerConstructor
   },
 
   {