mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-26 06:11:37 +00:00
Bug 431819, SSL client auth, repeated prompts for client certificate
r=rrelyea, r=dveditz
This commit is contained in:
parent
7c88a89044
commit
0f228913f3
@ -61,6 +61,7 @@ pref("security.ssl3.rsa_null_sha", false);
|
||||
pref("security.ssl3.rsa_null_md5", false);
|
||||
|
||||
pref("security.default_personal_cert", "Ask Every Time");
|
||||
pref("security.remember_cert_checkbox_default_setting", true);
|
||||
pref("security.ask_for_password", 0);
|
||||
pref("security.password_lifetime", 30);
|
||||
pref("security.warn_entering_secure", false);
|
||||
|
@ -42,6 +42,7 @@ const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock;
|
||||
|
||||
var dialogParams;
|
||||
var itemCount = 0;
|
||||
var rememberBox;
|
||||
|
||||
function onLoad()
|
||||
{
|
||||
@ -54,6 +55,28 @@ function onLoad()
|
||||
org = dialogParams.GetString(1);
|
||||
issuer = dialogParams.GetString(2);
|
||||
|
||||
// added with bug 431819. reuse string from caps in order to avoid string changes
|
||||
var capsBundle = srGetStrBundle("chrome://global/locale/security/caps.properties");
|
||||
var rememberString = capsBundle.GetStringFromName("CheckMessage");
|
||||
var rememberSetting = true;
|
||||
|
||||
var pref = Components.classes['@mozilla.org/preferences-service;1']
|
||||
.getService(Components.interfaces.nsIPrefService);
|
||||
if (pref) {
|
||||
pref = pref.getBranch(null);
|
||||
try {
|
||||
rememberSetting =
|
||||
pref.getBoolPref("security.remember_cert_checkbox_default_setting");
|
||||
}
|
||||
catch(e) {
|
||||
// pref is missing
|
||||
}
|
||||
}
|
||||
|
||||
rememberBox = document.getElementById("rememberBox");
|
||||
rememberBox.label = rememberString;
|
||||
rememberBox.checked = rememberSetting;
|
||||
|
||||
var bundle = srGetStrBundle("chrome://pippki/locale/pippki.properties");
|
||||
var message1 = bundle.formatStringFromName("clientAuthMessage1",
|
||||
[org],
|
||||
@ -98,11 +121,14 @@ function doOK()
|
||||
dialogParams.SetInt(0,1);
|
||||
var index = parseInt(document.getElementById("nicknames").value);
|
||||
dialogParams.SetInt(1, index);
|
||||
dialogParams.SetInt(2, rememberBox.checked);
|
||||
return true;
|
||||
}
|
||||
|
||||
function doCancel()
|
||||
{
|
||||
dialogParams.SetInt(0,0);
|
||||
dialogParams.SetInt(1, -1); // invalid value
|
||||
dialogParams.SetInt(2, rememberBox.checked);
|
||||
return true;
|
||||
}
|
||||
|
@ -73,6 +73,7 @@
|
||||
<description>&clientAuthAsk.message3;</description>
|
||||
<textbox readonly="true" id="details" multiline="true"
|
||||
style="height: 11em;"/>
|
||||
<checkbox id="rememberBox" checked="true"/>
|
||||
</groupbox>
|
||||
|
||||
</dialog>
|
||||
|
@ -309,10 +309,18 @@ nsNSSDialogs::ChooseCertificate(nsIInterfaceRequestor *ctx, const PRUnichar *cn,
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
|
||||
PRInt32 status;
|
||||
|
||||
rv = block->GetInt(0, &status);
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
|
||||
nsCOMPtr<nsIClientAuthUserDecision> extraResult = do_QueryInterface(ctx);
|
||||
if (extraResult) {
|
||||
PRInt32 rememberSelection;
|
||||
rv = block->GetInt(2, &rememberSelection);
|
||||
if (NS_SUCCEEDED(rv)) {
|
||||
extraResult->SetRememberClientAuthCertificate(rememberSelection!=0);
|
||||
}
|
||||
}
|
||||
|
||||
*canceled = (status == 0)?PR_TRUE:PR_FALSE;
|
||||
if (!*canceled) {
|
||||
// retrieve the nickname
|
||||
|
@ -61,6 +61,12 @@ interface nsIClientAuthDialogs : nsISupports
|
||||
out boolean canceled);
|
||||
};
|
||||
|
||||
[scriptable, uuid(95c4373e-bdd4-4a63-b431-f5b000367721)]
|
||||
interface nsIClientAuthUserDecision : nsISupports
|
||||
{
|
||||
attribute boolean rememberClientAuthCertificate;
|
||||
};
|
||||
|
||||
%{C++
|
||||
#define NS_CLIENTAUTHDIALOGS_CONTRACTID "@mozilla.org/nsClientAuthDialogs;1"
|
||||
%}
|
||||
|
@ -60,6 +60,7 @@ CPPSRCS = \
|
||||
nsNSSCleaner.cpp \
|
||||
nsCertOverrideService.cpp \
|
||||
nsRecentBadCerts.cpp \
|
||||
nsClientAuthRemember.cpp \
|
||||
nsPSMBackgroundThread.cpp \
|
||||
nsSSLThread.cpp \
|
||||
nsCertVerificationThread.cpp \
|
||||
|
256
security/manager/ssl/src/nsClientAuthRemember.cpp
Normal file
256
security/manager/ssl/src/nsClientAuthRemember.cpp
Normal file
@ -0,0 +1,256 @@
|
||||
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
|
||||
*
|
||||
* ***** BEGIN LICENSE BLOCK *****
|
||||
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
||||
*
|
||||
* The contents of this file are subject to the Mozilla Public License Version
|
||||
* 1.1 (the "License"); you may not use this file except in compliance with
|
||||
* the License. You may obtain a copy of the License at
|
||||
* http://www.mozilla.org/MPL/
|
||||
*
|
||||
* Software distributed under the License is distributed on an "AS IS" basis,
|
||||
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
||||
* for the specific language governing rights and limitations under the
|
||||
* License.
|
||||
*
|
||||
* The Original Code is mozilla.org code.
|
||||
*
|
||||
* The Initial Developer of the Original Code is
|
||||
* Red Hat, Inc.
|
||||
* Portions created by the Initial Developer are Copyright (C) 2008
|
||||
* the Initial Developer. All Rights Reserved.
|
||||
*
|
||||
* Contributor(s):
|
||||
* Kai Engert <kengert@redhat.com>
|
||||
*
|
||||
* Alternatively, the contents of this file may be used under the terms of
|
||||
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
||||
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
||||
* in which case the provisions of the GPL or the LGPL are applicable instead
|
||||
* of those above. If you wish to allow use of your version of this file only
|
||||
* under the terms of either the GPL or the LGPL, and not to allow others to
|
||||
* use your version of this file under the terms of the MPL, indicate your
|
||||
* decision by deleting the provisions above and replace them with the notice
|
||||
* and other provisions required by the GPL or the LGPL. If you do not delete
|
||||
* the provisions above, a recipient may use your version of this file under
|
||||
* the terms of any one of the MPL, the GPL or the LGPL.
|
||||
*
|
||||
* ***** END LICENSE BLOCK ***** */
|
||||
|
||||
#include "nsClientAuthRemember.h"
|
||||
|
||||
#include "nsIX509Cert.h"
|
||||
#include "nsCRT.h"
|
||||
#include "nsNetUtil.h"
|
||||
#include "nsIObserverService.h"
|
||||
#include "nsNetUtil.h"
|
||||
#include "nsISupportsPrimitives.h"
|
||||
#include "nsPromiseFlatString.h"
|
||||
#include "nsProxiedService.h"
|
||||
#include "nsStringBuffer.h"
|
||||
#include "nsAutoLock.h"
|
||||
#include "nspr.h"
|
||||
#include "pk11pub.h"
|
||||
#include "certdb.h"
|
||||
#include "sechash.h"
|
||||
#include "ssl.h" // For SSL_ClearSessionCache
|
||||
|
||||
#include "nsNSSCleaner.h"
|
||||
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
|
||||
|
||||
NS_IMPL_THREADSAFE_ISUPPORTS1(nsClientAuthRememberService,
|
||||
nsIObserver)
|
||||
|
||||
nsClientAuthRememberService::nsClientAuthRememberService()
|
||||
{
|
||||
monitor = PR_NewMonitor();
|
||||
}
|
||||
|
||||
nsClientAuthRememberService::~nsClientAuthRememberService()
|
||||
{
|
||||
RemoveAllFromMemory();
|
||||
if (monitor)
|
||||
PR_DestroyMonitor(monitor);
|
||||
}
|
||||
|
||||
nsresult
|
||||
nsClientAuthRememberService::Init()
|
||||
{
|
||||
if (!mSettingsTable.Init())
|
||||
return NS_ERROR_OUT_OF_MEMORY;
|
||||
|
||||
nsCOMPtr<nsIProxyObjectManager> proxyman(do_GetService(NS_XPCOMPROXY_CONTRACTID));
|
||||
if (!proxyman)
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
nsCOMPtr<nsIObserverService> observerService(do_GetService("@mozilla.org/observer-service;1"));
|
||||
nsCOMPtr<nsIObserverService> proxiedObserver;
|
||||
|
||||
NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD,
|
||||
NS_GET_IID(nsIObserverService),
|
||||
observerService,
|
||||
NS_PROXY_SYNC,
|
||||
getter_AddRefs(proxiedObserver));
|
||||
|
||||
if (proxiedObserver) {
|
||||
proxiedObserver->AddObserver(this, "profile-before-change", PR_TRUE);
|
||||
}
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsClientAuthRememberService::Observe(nsISupports *aSubject,
|
||||
const char *aTopic,
|
||||
const PRUnichar *aData)
|
||||
{
|
||||
// check the topic
|
||||
if (!nsCRT::strcmp(aTopic, "profile-before-change")) {
|
||||
// The profile is about to change,
|
||||
// or is going away because the application is shutting down.
|
||||
|
||||
nsAutoMonitor lock(monitor);
|
||||
RemoveAllFromMemory();
|
||||
}
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
void nsClientAuthRememberService::ClearRememberedDecisions()
|
||||
{
|
||||
nsAutoMonitor lock(monitor);
|
||||
RemoveAllFromMemory();
|
||||
}
|
||||
|
||||
void
|
||||
nsClientAuthRememberService::RemoveAllFromMemory()
|
||||
{
|
||||
mSettingsTable.Clear();
|
||||
}
|
||||
|
||||
static nsresult
|
||||
GetCertFingerprintByOidTag(CERTCertificate* nsscert,
|
||||
SECOidTag aOidTag,
|
||||
nsCString &fp)
|
||||
{
|
||||
unsigned int hash_len = HASH_ResultLenByOidTag(aOidTag);
|
||||
nsRefPtr<nsStringBuffer> fingerprint = nsStringBuffer::Alloc(hash_len);
|
||||
if (!fingerprint)
|
||||
return NS_ERROR_OUT_OF_MEMORY;
|
||||
|
||||
PK11_HashBuf(aOidTag, (unsigned char*)fingerprint->Data(),
|
||||
nsscert->derCert.data, nsscert->derCert.len);
|
||||
|
||||
SECItem fpItem;
|
||||
fpItem.data = (unsigned char*)fingerprint->Data();
|
||||
fpItem.len = hash_len;
|
||||
|
||||
fp.Adopt(CERT_Hexify(&fpItem, 1));
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
nsresult
|
||||
nsClientAuthRememberService::RememberDecision(const nsACString & aHostName,
|
||||
CERTCertificate *aServerCert, CERTCertificate *aClientCert)
|
||||
{
|
||||
// aClientCert == NULL means: remember that user does not want to use a cert
|
||||
NS_ENSURE_ARG_POINTER(aServerCert);
|
||||
if (aHostName.IsEmpty())
|
||||
return NS_ERROR_INVALID_ARG;
|
||||
|
||||
nsCAutoString fpStr;
|
||||
nsresult rv = GetCertFingerprintByOidTag(aServerCert, SEC_OID_SHA256, fpStr);
|
||||
if (NS_FAILED(rv))
|
||||
return rv;
|
||||
|
||||
{
|
||||
nsAutoMonitor lock(monitor);
|
||||
if (aClientCert) {
|
||||
AddEntryToList(aHostName, fpStr,
|
||||
nsDependentCString(aClientCert->nickname));
|
||||
}
|
||||
else {
|
||||
nsCString empty;
|
||||
AddEntryToList(aHostName, fpStr, empty);
|
||||
}
|
||||
}
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
nsresult
|
||||
nsClientAuthRememberService::HasRememberedDecision(const nsACString & aHostName,
|
||||
CERTCertificate *aCert,
|
||||
nsACString & aClientNickname,
|
||||
PRBool *_retval)
|
||||
{
|
||||
if (aHostName.IsEmpty())
|
||||
return NS_ERROR_INVALID_ARG;
|
||||
|
||||
NS_ENSURE_ARG_POINTER(aCert);
|
||||
NS_ENSURE_ARG_POINTER(_retval);
|
||||
*_retval = PR_FALSE;
|
||||
|
||||
nsresult rv;
|
||||
nsCAutoString fpStr;
|
||||
rv = GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256, fpStr);
|
||||
if (NS_FAILED(rv))
|
||||
return rv;
|
||||
|
||||
nsCAutoString hostCert;
|
||||
GetHostWithCert(aHostName, fpStr, hostCert);
|
||||
nsClientAuthRemember settings;
|
||||
|
||||
{
|
||||
nsAutoMonitor lock(monitor);
|
||||
nsClientAuthRememberEntry *entry = mSettingsTable.GetEntry(hostCert.get());
|
||||
if (!entry)
|
||||
return NS_OK;
|
||||
settings = entry->mSettings; // copy
|
||||
}
|
||||
|
||||
aClientNickname = settings.mClientNickname;
|
||||
*_retval = PR_TRUE;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
nsresult
|
||||
nsClientAuthRememberService::AddEntryToList(const nsACString &aHostName,
|
||||
const nsACString &fingerprint,
|
||||
const nsACString &client_nickname)
|
||||
|
||||
{
|
||||
nsCAutoString hostCert;
|
||||
GetHostWithCert(aHostName, fingerprint, hostCert);
|
||||
|
||||
{
|
||||
nsAutoMonitor lock(monitor);
|
||||
nsClientAuthRememberEntry *entry = mSettingsTable.PutEntry(hostCert.get());
|
||||
|
||||
if (!entry) {
|
||||
NS_ERROR("can't insert a null entry!");
|
||||
return NS_ERROR_OUT_OF_MEMORY;
|
||||
}
|
||||
|
||||
entry->mHostWithCert = hostCert;
|
||||
|
||||
nsClientAuthRemember &settings = entry->mSettings;
|
||||
settings.mAsciiHost = aHostName;
|
||||
settings.mFingerprint = fingerprint;
|
||||
settings.mClientNickname = client_nickname;
|
||||
}
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
void
|
||||
nsClientAuthRememberService::GetHostWithCert(const nsACString & aHostName,
|
||||
const nsACString & fingerprint,
|
||||
nsACString& _retval)
|
||||
{
|
||||
nsCAutoString hostCert(aHostName);
|
||||
hostCert.AppendLiteral(":");
|
||||
hostCert.Append(fingerprint);
|
||||
|
||||
_retval.Assign(hostCert);
|
||||
}
|
172
security/manager/ssl/src/nsClientAuthRemember.h
Normal file
172
security/manager/ssl/src/nsClientAuthRemember.h
Normal file
@ -0,0 +1,172 @@
|
||||
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
|
||||
*
|
||||
* ***** BEGIN LICENSE BLOCK *****
|
||||
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
||||
*
|
||||
* The contents of this file are subject to the Mozilla Public License Version
|
||||
* 1.1 (the "License"); you may not use this file except in compliance with
|
||||
* the License. You may obtain a copy of the License at
|
||||
* http://www.mozilla.org/MPL/
|
||||
*
|
||||
* Software distributed under the License is distributed on an "AS IS" basis,
|
||||
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
||||
* for the specific language governing rights and limitations under the
|
||||
* License.
|
||||
*
|
||||
* The Original Code is mozilla.org code.
|
||||
*
|
||||
* The Initial Developer of the Original Code is
|
||||
* Red Hat, Inc.
|
||||
* Portions created by the Initial Developer are Copyright (C) 2008
|
||||
* the Initial Developer. All Rights Reserved.
|
||||
*
|
||||
* Contributor(s):
|
||||
* Kai Engert <kengert@redhat.com>
|
||||
*
|
||||
* Alternatively, the contents of this file may be used under the terms of
|
||||
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
||||
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
||||
* in which case the provisions of the GPL or the LGPL are applicable instead
|
||||
* of those above. If you wish to allow use of your version of this file only
|
||||
* under the terms of either the GPL or the LGPL, and not to allow others to
|
||||
* use your version of this file under the terms of the MPL, indicate your
|
||||
* decision by deleting the provisions above and replace them with the notice
|
||||
* and other provisions required by the GPL or the LGPL. If you do not delete
|
||||
* the provisions above, a recipient may use your version of this file under
|
||||
* the terms of any one of the MPL, the GPL or the LGPL.
|
||||
*
|
||||
* ***** END LICENSE BLOCK ***** */
|
||||
|
||||
#ifndef __NSCLIENTAUTHREMEMBER_H__
|
||||
#define __NSCLIENTAUTHREMEMBER_H__
|
||||
|
||||
#include "nsTHashtable.h"
|
||||
#include "nsIObserver.h"
|
||||
#include "nsIX509Cert.h"
|
||||
#include "nsAutoPtr.h"
|
||||
#include "nsNSSCertificate.h"
|
||||
#include "nsString.h"
|
||||
#include "prmon.h"
|
||||
|
||||
class nsClientAuthRemember
|
||||
{
|
||||
public:
|
||||
|
||||
nsClientAuthRemember()
|
||||
{
|
||||
}
|
||||
|
||||
nsClientAuthRemember(const nsClientAuthRemember &other)
|
||||
{
|
||||
this->operator=(other);
|
||||
}
|
||||
|
||||
nsClientAuthRemember &operator=(const nsClientAuthRemember &other)
|
||||
{
|
||||
mAsciiHost = other.mAsciiHost;
|
||||
mFingerprint = other.mFingerprint;
|
||||
mClientNickname = other.mClientNickname;
|
||||
return *this;
|
||||
}
|
||||
|
||||
nsCString mAsciiHost;
|
||||
nsCString mFingerprint;
|
||||
nsCString mClientNickname;
|
||||
};
|
||||
|
||||
|
||||
// hash entry class
|
||||
class nsClientAuthRememberEntry : public PLDHashEntryHdr
|
||||
{
|
||||
public:
|
||||
// Hash methods
|
||||
typedef const char* KeyType;
|
||||
typedef const char* KeyTypePointer;
|
||||
|
||||
// do nothing with aHost - we require mHead to be set before we're live!
|
||||
nsClientAuthRememberEntry(KeyTypePointer aHostWithCertUTF8)
|
||||
{
|
||||
}
|
||||
|
||||
nsClientAuthRememberEntry(const nsClientAuthRememberEntry& toCopy)
|
||||
{
|
||||
mSettings = toCopy.mSettings;
|
||||
}
|
||||
|
||||
~nsClientAuthRememberEntry()
|
||||
{
|
||||
}
|
||||
|
||||
KeyType GetKey() const
|
||||
{
|
||||
return HostWithCertPtr();
|
||||
}
|
||||
|
||||
KeyTypePointer GetKeyPointer() const
|
||||
{
|
||||
return HostWithCertPtr();
|
||||
}
|
||||
|
||||
PRBool KeyEquals(KeyTypePointer aKey) const
|
||||
{
|
||||
return !strcmp(HostWithCertPtr(), aKey);
|
||||
}
|
||||
|
||||
static KeyTypePointer KeyToPointer(KeyType aKey)
|
||||
{
|
||||
return aKey;
|
||||
}
|
||||
|
||||
static PLDHashNumber HashKey(KeyTypePointer aKey)
|
||||
{
|
||||
// PL_DHashStringKey doesn't use the table parameter, so we can safely
|
||||
// pass nsnull
|
||||
return PL_DHashStringKey(nsnull, aKey);
|
||||
}
|
||||
|
||||
enum { ALLOW_MEMMOVE = PR_FALSE };
|
||||
|
||||
// get methods
|
||||
inline const nsCString &HostWithCert() const { return mHostWithCert; }
|
||||
|
||||
inline KeyTypePointer HostWithCertPtr() const
|
||||
{
|
||||
return mHostWithCert.get();
|
||||
}
|
||||
|
||||
nsClientAuthRemember mSettings;
|
||||
nsCString mHostWithCert;
|
||||
};
|
||||
|
||||
class nsClientAuthRememberService : public nsIObserver
|
||||
{
|
||||
public:
|
||||
NS_DECL_ISUPPORTS
|
||||
NS_DECL_NSIOBSERVER
|
||||
|
||||
nsClientAuthRememberService();
|
||||
~nsClientAuthRememberService();
|
||||
|
||||
nsresult Init();
|
||||
|
||||
static void GetHostWithCert(const nsACString & aHostName,
|
||||
const nsACString & nickname, nsACString& _retval);
|
||||
|
||||
nsresult RememberDecision(const nsACString & aHostName,
|
||||
CERTCertificate *aServerCert, CERTCertificate *aClientCert);
|
||||
nsresult HasRememberedDecision(const nsACString & aHostName,
|
||||
CERTCertificate *aCert, nsACString & aClientNickname, PRBool *_retval);
|
||||
|
||||
void ClearRememberedDecisions();
|
||||
|
||||
protected:
|
||||
PRMonitor *monitor;
|
||||
nsTHashtable<nsClientAuthRememberEntry> mSettingsTable;
|
||||
|
||||
void RemoveAllFromMemory();
|
||||
nsresult AddEntryToList(const nsACString &host,
|
||||
const nsACString &server_fingerprint,
|
||||
const nsACString &client_nickname);
|
||||
};
|
||||
|
||||
#endif
|
@ -296,6 +296,7 @@ nsNSSComponent::nsNSSComponent()
|
||||
memset(&mIdentityInfoCallOnce, 0, sizeof(PRCallOnceType));
|
||||
|
||||
nsSSLIOLayerHelpers::Init();
|
||||
mClientAuthRememberService.Init();
|
||||
|
||||
NS_ASSERTION( (0 == mInstanceCount), "nsNSSComponent is a singleton, but instantiated multiple times!");
|
||||
++mInstanceCount;
|
||||
@ -1683,6 +1684,7 @@ nsNSSComponent::ShutdownNSS()
|
||||
|
||||
ShutdownSmartCardThreads();
|
||||
SSL_ClearSessionCache();
|
||||
mClientAuthRememberService.ClearRememberedDecisions();
|
||||
UnloadLoadableRoots();
|
||||
CleanupIdentityInfo();
|
||||
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("evaporating psm resources\n"));
|
||||
@ -2148,6 +2150,7 @@ void nsNSSComponent::ShowAlert(AlertIdentifier ai)
|
||||
|
||||
nsresult nsNSSComponent::LogoutAuthenticatedPK11()
|
||||
{
|
||||
mClientAuthRememberService.ClearRememberedDecisions();
|
||||
return mShutdownObjectList->doPK11Logout();
|
||||
}
|
||||
|
||||
@ -2409,6 +2412,13 @@ nsNSSComponent::DoProfileChangeNetRestore()
|
||||
mIsNetworkDown = PR_FALSE;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsNSSComponent::GetClientAuthRememberService(nsClientAuthRememberService **cars)
|
||||
{
|
||||
NS_ENSURE_ARG_POINTER(cars);
|
||||
*cars = &mClientAuthRememberService;
|
||||
}
|
||||
|
||||
//---------------------------------------------
|
||||
// Implementing nsICryptoHash
|
||||
//---------------------------------------------
|
||||
@ -3178,4 +3188,3 @@ PSMContentListener::SetParentContentListener(nsIURIContentListener * aContentLis
|
||||
mParentContentListener = aContentListener;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
|
@ -69,6 +69,7 @@
|
||||
#include "nsNSSCallbacks.h"
|
||||
|
||||
#include "nsNSSHelper.h"
|
||||
#include "nsClientAuthRemember.h"
|
||||
|
||||
#define NS_NSSCOMPONENT_CID \
|
||||
{0xa277189c, 0x1dd1, 0x11b2, {0xa8, 0xc9, 0xe4, 0xe8, 0xbf, 0xb1, 0x33, 0x8e}}
|
||||
@ -171,6 +172,8 @@ class NS_NO_VTABLE nsINSSComponent : public nsISupports {
|
||||
|
||||
NS_IMETHOD DispatchEvent(const nsAString &eventType, const nsAString &token) = 0;
|
||||
|
||||
NS_IMETHOD GetClientAuthRememberService(nsClientAuthRememberService **cars) = 0;
|
||||
|
||||
NS_IMETHOD EnsureIdentityInfoLoaded() = 0;
|
||||
};
|
||||
|
||||
@ -259,6 +262,7 @@ public:
|
||||
NS_IMETHOD ShutdownSmartCardThread(SECMODModule *module);
|
||||
NS_IMETHOD PostEvent(const nsAString &eventType, const nsAString &token);
|
||||
NS_IMETHOD DispatchEvent(const nsAString &eventType, const nsAString &token);
|
||||
NS_IMETHOD GetClientAuthRememberService(nsClientAuthRememberService **cars);
|
||||
NS_IMETHOD EnsureIdentityInfoLoaded();
|
||||
|
||||
private:
|
||||
@ -324,6 +328,7 @@ private:
|
||||
nsSSLThread *mSSLThread;
|
||||
nsCertVerificationThread *mCertVerificationThread;
|
||||
nsNSSHttpInterface mHttpForNSS;
|
||||
nsClientAuthRememberService mClientAuthRememberService;
|
||||
|
||||
static PRStatus PR_CALLBACK IdentityInfoInit(void);
|
||||
PRCallOnceType mIdentityInfoCallOnce;
|
||||
|
@ -58,6 +58,7 @@
|
||||
#include "nsIDateTimeFormat.h"
|
||||
#include "nsDateTimeFormatCID.h"
|
||||
#include "nsIClientAuthDialogs.h"
|
||||
#include "nsClientAuthRemember.h"
|
||||
#include "nsICertOverrideService.h"
|
||||
#include "nsIBadCertListener2.h"
|
||||
#include "nsISSLErrorListener.h"
|
||||
@ -237,7 +238,7 @@ void nsNSSSocketInfo::virtualDestroyNSSReference()
|
||||
{
|
||||
}
|
||||
|
||||
NS_IMPL_THREADSAFE_ISUPPORTS8(nsNSSSocketInfo,
|
||||
NS_IMPL_THREADSAFE_ISUPPORTS9(nsNSSSocketInfo,
|
||||
nsITransportSecurityInfo,
|
||||
nsISSLSocketControl,
|
||||
nsIInterfaceRequestor,
|
||||
@ -245,7 +246,8 @@ NS_IMPL_THREADSAFE_ISUPPORTS8(nsNSSSocketInfo,
|
||||
nsIIdentityInfo,
|
||||
nsIAssociatedContentSecurity,
|
||||
nsISerializable,
|
||||
nsIClassInfo)
|
||||
nsIClassInfo,
|
||||
nsIClientAuthUserDecision)
|
||||
|
||||
nsresult
|
||||
nsNSSSocketInfo::GetHandshakePending(PRBool *aHandshakePending)
|
||||
@ -299,6 +301,19 @@ PRBool nsNSSSocketInfo::GetCanceled()
|
||||
return mCanceled;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP nsNSSSocketInfo::GetRememberClientAuthCertificate(PRBool *aRememberClientAuthCertificate)
|
||||
{
|
||||
NS_ENSURE_ARG_POINTER(aRememberClientAuthCertificate);
|
||||
*aRememberClientAuthCertificate = mRememberClientAuthCertificate;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP nsNSSSocketInfo::SetRememberClientAuthCertificate(PRBool aRememberClientAuthCertificate)
|
||||
{
|
||||
mRememberClientAuthCertificate = aRememberClientAuthCertificate;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
void nsNSSSocketInfo::SetHasCleartextPhase(PRBool aHasCleartextPhase)
|
||||
{
|
||||
mHasCleartextPhase = aHasCleartextPhase;
|
||||
@ -2464,12 +2479,10 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
void* wincx = NULL;
|
||||
SECStatus ret = SECFailure;
|
||||
nsresult rv;
|
||||
nsNSSSocketInfo* info = NULL;
|
||||
PRArenaPool* arena = NULL;
|
||||
char** caNameStrings;
|
||||
CERTCertificate* cert = NULL;
|
||||
CERTCertificate* serverCert = NULL;
|
||||
SECKEYPrivateKey* privKey = NULL;
|
||||
CERTCertList* certList = NULL;
|
||||
CERTCertListNode* node;
|
||||
@ -2593,13 +2606,63 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
|
||||
goto noCert;
|
||||
}
|
||||
}
|
||||
else { // Not Auto => ask
|
||||
/* Get the SSL Certificate */
|
||||
CERTCertificate* serverCert = NULL;
|
||||
CERTCertificateCleaner serverCertCleaner(serverCert);
|
||||
serverCert = SSL_PeerCertificate(socket);
|
||||
if (serverCert == NULL) {
|
||||
/* couldn't get the server cert: what do I do? */
|
||||
goto loser;
|
||||
}
|
||||
|
||||
nsXPIDLCString hostname;
|
||||
info->GetHostName(getter_Copies(hostname));
|
||||
|
||||
nsresult rv;
|
||||
NS_DEFINE_CID(nssComponentCID, NS_NSSCOMPONENT_CID);
|
||||
nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(nssComponentCID, &rv));
|
||||
// it's ok to keep our raw pointer to the nsClientAuthRememberService
|
||||
// as long as we hold the reference to the nssComponent.
|
||||
// Yes, this sucks, but this is branch only code,
|
||||
// and I don't want to deal with new interfaces, and want to use full
|
||||
// typed pointers.
|
||||
// Note nsINSSComponent is NOT exposed to anywhere outside of PSM.
|
||||
nsClientAuthRememberService *cars = nsnull;
|
||||
if (nssComponent) {
|
||||
nssComponent->GetClientAuthRememberService(&cars);
|
||||
}
|
||||
|
||||
PRBool hasRemembered = PR_FALSE;
|
||||
nsCString rememberedNickname;
|
||||
if (cars) {
|
||||
PRBool found;
|
||||
nsresult rv = cars->HasRememberedDecision(hostname,
|
||||
serverCert,
|
||||
rememberedNickname, &found);
|
||||
if (NS_SUCCEEDED(rv) && found) {
|
||||
hasRemembered = PR_TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
PRBool canceled = PR_FALSE;
|
||||
|
||||
if (hasRemembered)
|
||||
{
|
||||
if (rememberedNickname.IsEmpty())
|
||||
canceled = PR_TRUE;
|
||||
else {
|
||||
char *const_nickname = const_cast<char*>(rememberedNickname.get());
|
||||
cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), const_nickname);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
/* user selects a cert to present */
|
||||
nsIClientAuthDialogs *dialogs = NULL;
|
||||
PRInt32 selectedIndex = -1;
|
||||
PRUnichar **certNicknameList = NULL;
|
||||
PRUnichar **certDetailsList = NULL;
|
||||
PRBool canceled;
|
||||
|
||||
/* find all user certs that are for SSL */
|
||||
/* note that we are allowing expired certs in this list */
|
||||
@ -2656,13 +2719,6 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
|
||||
|
||||
NS_ASSERTION(nicknames->numnicknames == NumberOfCerts, "nicknames->numnicknames != NumberOfCerts");
|
||||
|
||||
/* Get the SSL Certificate */
|
||||
serverCert = SSL_PeerCertificate(socket);
|
||||
if (serverCert == NULL) {
|
||||
/* couldn't get the server cert: what do I do? */
|
||||
goto loser;
|
||||
}
|
||||
|
||||
/* Get CN and O of the subject and O of the issuer */
|
||||
char *ccn = CERT_GetCommonName(&serverCert->subject);
|
||||
charCleaner ccnCleaner(ccn);
|
||||
@ -2670,8 +2726,6 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
|
||||
|
||||
PRInt32 port;
|
||||
info->GetPort(&port);
|
||||
char *hostname = SSL_RevealURL(socket);
|
||||
charCleaner hostnameCleaner(hostname);
|
||||
|
||||
nsString cn_host_port;
|
||||
if (ccn && strcmp(ccn, hostname) == 0) {
|
||||
@ -2695,8 +2749,6 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
|
||||
NS_ConvertUTF8toUTF16 issuer(cissuer);
|
||||
if (cissuer) PORT_Free(cissuer);
|
||||
|
||||
CERT_DestroyCertificate(serverCert);
|
||||
|
||||
certNicknameList = (PRUnichar **)nsMemory::Alloc(sizeof(PRUnichar *) * nicknames->numnicknames);
|
||||
if (!certNicknameList)
|
||||
goto loser;
|
||||
@ -2764,9 +2816,12 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
|
||||
|
||||
if (NS_FAILED(rv)) goto loser;
|
||||
|
||||
if (canceled) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; }
|
||||
// even if the user has canceled, we want to remember that, to avoid repeating prompts
|
||||
PRBool wantRemember = PR_FALSE;
|
||||
info->GetRememberClientAuthCertificate(&wantRemember);
|
||||
|
||||
int i;
|
||||
if (!canceled)
|
||||
for (i = 0, node = CERT_LIST_HEAD(certList);
|
||||
!CERT_LIST_END(node, certList);
|
||||
++i, node = CERT_LIST_NEXT(node)) {
|
||||
@ -2777,6 +2832,15 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
|
||||
}
|
||||
}
|
||||
|
||||
if (cars && wantRemember) {
|
||||
cars->RememberDecision(hostname,
|
||||
serverCert,
|
||||
canceled ? 0 : cert);
|
||||
}
|
||||
}
|
||||
|
||||
if (canceled) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; }
|
||||
|
||||
if (cert == NULL) {
|
||||
goto loser;
|
||||
}
|
||||
|
@ -55,6 +55,7 @@
|
||||
#include "nsIAssociatedContentSecurity.h"
|
||||
#include "nsXPIDLString.h"
|
||||
#include "nsNSSShutDown.h"
|
||||
#include "nsIClientAuthDialogs.h"
|
||||
#include "nsAutoPtr.h"
|
||||
#include "nsNSSCertificate.h"
|
||||
|
||||
@ -132,6 +133,7 @@ class nsNSSSocketInfo : public nsITransportSecurityInfo,
|
||||
public nsIAssociatedContentSecurity,
|
||||
public nsISerializable,
|
||||
public nsIClassInfo,
|
||||
public nsIClientAuthUserDecision,
|
||||
public nsNSSShutDownObject,
|
||||
public nsOnPK11LogoutCancelObject
|
||||
{
|
||||
@ -148,6 +150,7 @@ public:
|
||||
NS_DECL_NSIASSOCIATEDCONTENTSECURITY
|
||||
NS_DECL_NSISERIALIZABLE
|
||||
NS_DECL_NSICLASSINFO
|
||||
NS_DECL_NSICLIENTAUTHUSERDECISION
|
||||
|
||||
nsresult SetSecurityState(PRUint32 aState);
|
||||
nsresult SetShortSecurityDescription(const PRUnichar *aText);
|
||||
@ -220,6 +223,7 @@ protected:
|
||||
PRPackedBool mHasCleartextPhase;
|
||||
PRPackedBool mHandshakeInProgress;
|
||||
PRPackedBool mAllowTLSIntoleranceTimeout;
|
||||
PRPackedBool mRememberClientAuthCertificate;
|
||||
PRIntervalTime mHandshakeStartTime;
|
||||
PRInt32 mPort;
|
||||
nsXPIDLCString mHostName;
|
||||
|
Loading…
Reference in New Issue
Block a user