bug 149834, Enhance PSM speed by using new NSS API CERT_VerifyCertificateNow
Patch by John G. Myers, r=kengert
This commit is contained in:
parent
fafafb5654
commit
23de42117e
@ -903,56 +903,56 @@ nsNSSCertificate::VerifyForUsage(PRUint32 usage, PRUint32 *verificationResult)
|
||||
|
||||
NS_ENSURE_ARG(verificationResult);
|
||||
|
||||
SECCertUsage nss_usage;
|
||||
SECCertificateUsage nss_usage;
|
||||
|
||||
switch (usage)
|
||||
{
|
||||
case CERT_USAGE_SSLClient:
|
||||
nss_usage = certUsageSSLClient;
|
||||
nss_usage = certificateUsageSSLClient;
|
||||
break;
|
||||
|
||||
case CERT_USAGE_SSLServer:
|
||||
nss_usage = certUsageSSLServer;
|
||||
nss_usage = certificateUsageSSLServer;
|
||||
break;
|
||||
|
||||
case CERT_USAGE_SSLServerWithStepUp:
|
||||
nss_usage = certUsageSSLServerWithStepUp;
|
||||
nss_usage = certificateUsageSSLServerWithStepUp;
|
||||
break;
|
||||
|
||||
case CERT_USAGE_SSLCA:
|
||||
nss_usage = certUsageSSLCA;
|
||||
nss_usage = certificateUsageSSLCA;
|
||||
break;
|
||||
|
||||
case CERT_USAGE_EmailSigner:
|
||||
nss_usage = certUsageEmailSigner;
|
||||
nss_usage = certificateUsageEmailSigner;
|
||||
break;
|
||||
|
||||
case CERT_USAGE_EmailRecipient:
|
||||
nss_usage = certUsageEmailRecipient;
|
||||
nss_usage = certificateUsageEmailRecipient;
|
||||
break;
|
||||
|
||||
case CERT_USAGE_ObjectSigner:
|
||||
nss_usage = certUsageObjectSigner;
|
||||
nss_usage = certificateUsageObjectSigner;
|
||||
break;
|
||||
|
||||
case CERT_USAGE_UserCertImport:
|
||||
nss_usage = certUsageUserCertImport;
|
||||
nss_usage = certificateUsageUserCertImport;
|
||||
break;
|
||||
|
||||
case CERT_USAGE_VerifyCA:
|
||||
nss_usage = certUsageVerifyCA;
|
||||
nss_usage = certificateUsageVerifyCA;
|
||||
break;
|
||||
|
||||
case CERT_USAGE_ProtectedObjectSigner:
|
||||
nss_usage = certUsageProtectedObjectSigner;
|
||||
nss_usage = certificateUsageProtectedObjectSigner;
|
||||
break;
|
||||
|
||||
case CERT_USAGE_StatusResponder:
|
||||
nss_usage = certUsageStatusResponder;
|
||||
nss_usage = certificateUsageStatusResponder;
|
||||
break;
|
||||
|
||||
case CERT_USAGE_AnyCA:
|
||||
nss_usage = certUsageAnyCA;
|
||||
nss_usage = certificateUsageAnyCA;
|
||||
break;
|
||||
|
||||
default:
|
||||
@ -961,8 +961,8 @@ nsNSSCertificate::VerifyForUsage(PRUint32 usage, PRUint32 *verificationResult)
|
||||
|
||||
CERTCertDBHandle *defaultcertdb = CERT_GetDefaultCertDB();
|
||||
|
||||
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE,
|
||||
nss_usage, NULL) == SECSuccess)
|
||||
if (CERT_VerifyCertificateNow(defaultcertdb, mCert, PR_TRUE,
|
||||
nss_usage, NULL, NULL) == SECSuccess)
|
||||
{
|
||||
*verificationResult = VERIFIED_OK;
|
||||
}
|
||||
|
@ -1378,9 +1378,9 @@ verifyCertAgain(CERTCertificate *cert,
|
||||
|
||||
// If we get here, the user has accepted the cert so
|
||||
// far, so we don't check the signature again.
|
||||
rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), cert,
|
||||
PR_FALSE, certUsageSSLServer,
|
||||
(void*)infoObject);
|
||||
rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
|
||||
PR_FALSE, certificateUsageSSLServer,
|
||||
(void*)infoObject, NULL);
|
||||
|
||||
if (rv != SECSuccess) {
|
||||
return rv;
|
||||
|
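Review bot: `nss_usage` in the VerifyForUsage hunk (@ -903) is now a SECCertificateUsage bitmask instead of an enum, and the `default:` branch that handles an unrecognised `usage` value lies outside the hunk; if that branch does not return before the verify call, the new API is handed either stale stack contents or a zero mask, and whatever NSS makes of that, feeding an undefined mask into a trust decision is a fail-open risk. Please confirm the default path still bails out before `CERT_VerifyCertificateNow` is reached, or make it harmless by initialising at declaration, `SECCertificateUsage nss_usage = 0;`, and returning explicitly in `default:`. VerifyForUsage starts before this hunk and continues past it, so the default branch itself is not visible here.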
@ -19,6 +19,7 @@
|
||||
* the Initial Developer. All Rights Reserved.
|
||||
*
|
||||
* Contributor(s):
|
||||
* John Gardiner Myers <jgmyers@speakeasy.net>
|
||||
*
|
||||
* Alternatively, the contents of this file may be used under the terms of
|
||||
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
||||
@ -58,94 +59,70 @@ nsUsageArrayHelper::nsUsageArrayHelper(CERTCertificate *aCert)
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
defaultcertdb = CERT_GetDefaultCertDB();
|
||||
nssComponent = do_GetService(kNSSComponentCID, &m_rv);
|
||||
mCached_NonInadequateReason = SECSuccess;
|
||||
}
|
||||
|
||||
void
|
||||
nsUsageArrayHelper::check(const char *suffix,
|
||||
SECCertUsage aCertUsage,
|
||||
SECCertificateUsage aCertUsage,
|
||||
PRUint32 &aCounter,
|
||||
PRUnichar **outUsages)
|
||||
{
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
if (CERT_VerifyCertNow(defaultcertdb, mCert, PR_TRUE,
|
||||
aCertUsage, NULL) == SECSuccess) {
|
||||
nsCAutoString typestr;
|
||||
switch (aCertUsage) {
|
||||
case certUsageSSLClient:
|
||||
typestr = "VerifySSLClient";
|
||||
break;
|
||||
case certUsageSSLServer:
|
||||
typestr = "VerifySSLServer";
|
||||
break;
|
||||
case certUsageSSLServerWithStepUp:
|
||||
typestr = "VerifySSLStepUp";
|
||||
break;
|
||||
case certUsageEmailSigner:
|
||||
typestr = "VerifyEmailSigner";
|
||||
break;
|
||||
case certUsageEmailRecipient:
|
||||
typestr = "VerifyEmailRecip";
|
||||
break;
|
||||
case certUsageObjectSigner:
|
||||
typestr = "VerifyObjSign";
|
||||
break;
|
||||
case certUsageProtectedObjectSigner:
|
||||
typestr = "VerifyProtectObjSign";
|
||||
break;
|
||||
case certUsageUserCertImport:
|
||||
typestr = "VerifyUserImport";
|
||||
break;
|
||||
case certUsageSSLCA:
|
||||
typestr = "VerifySSLCA";
|
||||
break;
|
||||
case certUsageVerifyCA:
|
||||
typestr = "VerifyCAVerifier";
|
||||
break;
|
||||
case certUsageStatusResponder:
|
||||
typestr = "VerifyStatusResponder";
|
||||
break;
|
||||
case certUsageAnyCA:
|
||||
typestr = "VerifyAnyCA";
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
if (!typestr.IsEmpty()) {
|
||||
typestr.Append(suffix);
|
||||
nsAutoString verifyDesc;
|
||||
m_rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
|
||||
if (NS_SUCCEEDED(m_rv)) {
|
||||
outUsages[aCounter++] = ToNewUnicode(verifyDesc);
|
||||
}
|
||||
}
|
||||
if (!aCertUsage) return;
|
||||
nsCAutoString typestr;
|
||||
switch (aCertUsage) {
|
||||
case certificateUsageSSLClient:
|
||||
typestr = "VerifySSLClient";
|
||||
break;
|
||||
case certificateUsageSSLServer:
|
||||
typestr = "VerifySSLServer";
|
||||
break;
|
||||
case certificateUsageSSLServerWithStepUp:
|
||||
typestr = "VerifySSLStepUp";
|
||||
break;
|
||||
case certificateUsageEmailSigner:
|
||||
typestr = "VerifyEmailSigner";
|
||||
break;
|
||||
case certificateUsageEmailRecipient:
|
||||
typestr = "VerifyEmailRecip";
|
||||
break;
|
||||
case certificateUsageObjectSigner:
|
||||
typestr = "VerifyObjSign";
|
||||
break;
|
||||
case certificateUsageProtectedObjectSigner:
|
||||
typestr = "VerifyProtectObjSign";
|
||||
break;
|
||||
case certificateUsageUserCertImport:
|
||||
typestr = "VerifyUserImport";
|
||||
break;
|
||||
case certificateUsageSSLCA:
|
||||
typestr = "VerifySSLCA";
|
||||
break;
|
||||
case certificateUsageVerifyCA:
|
||||
typestr = "VerifyCAVerifier";
|
||||
break;
|
||||
case certificateUsageStatusResponder:
|
||||
typestr = "VerifyStatusResponder";
|
||||
break;
|
||||
case certificateUsageAnyCA:
|
||||
typestr = "VerifyAnyCA";
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
else {
|
||||
int err = PR_GetError();
|
||||
|
||||
if (SECSuccess == mCached_NonInadequateReason) {
|
||||
// we have not yet cached anything
|
||||
mCached_NonInadequateReason = err;
|
||||
}
|
||||
else {
|
||||
switch (err) {
|
||||
case SEC_ERROR_INADEQUATE_KEY_USAGE:
|
||||
case SEC_ERROR_INADEQUATE_CERT_TYPE:
|
||||
// this code should not override a possibly cached more informative reason
|
||||
break;
|
||||
|
||||
default:
|
||||
mCached_NonInadequateReason = err;
|
||||
break;
|
||||
}
|
||||
if (!typestr.IsEmpty()) {
|
||||
typestr.Append(suffix);
|
||||
nsAutoString verifyDesc;
|
||||
m_rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
|
||||
if (NS_SUCCEEDED(m_rv)) {
|
||||
outUsages[aCounter++] = ToNewUnicode(verifyDesc);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
nsUsageArrayHelper::verifyFailed(PRUint32 *_verified)
|
||||
nsUsageArrayHelper::verifyFailed(PRUint32 *_verified, int err)
|
||||
{
|
||||
switch (mCached_NonInadequateReason) {
|
||||
switch (err) {
|
||||
/* For these cases, verify only failed for the particular usage */
|
||||
case SEC_ERROR_INADEQUATE_KEY_USAGE:
|
||||
case SEC_ERROR_INADEQUATE_CERT_TYPE:
|
||||
@ -203,26 +180,39 @@ nsUsageArrayHelper::GetUsagesArray(const char *suffix,
|
||||
|
||||
PRUint32 &count = *_count;
|
||||
count = 0;
|
||||
SECCertificateUsage usages;
|
||||
|
||||
CERT_VerifyCertificateNow(defaultcertdb, mCert, PR_TRUE,
|
||||
certificateUsageSSLClient |
|
||||
certificateUsageSSLServer |
|
||||
certificateUsageSSLServerWithStepUp |
|
||||
certificateUsageEmailSigner |
|
||||
certificateUsageEmailRecipient |
|
||||
certificateUsageObjectSigner |
|
||||
certificateUsageSSLCA |
|
||||
certificateUsageStatusResponder,
|
||||
NULL, &usages);
|
||||
int err = PR_GetError();
|
||||
|
||||
// The following list of checks must be < max_returned_out_array_size
|
||||
|
||||
check(suffix, certUsageSSLClient, count, outUsages);
|
||||
check(suffix, certUsageSSLServer, count, outUsages);
|
||||
check(suffix, certUsageSSLServerWithStepUp, count, outUsages);
|
||||
check(suffix, certUsageEmailSigner, count, outUsages);
|
||||
check(suffix, certUsageEmailRecipient, count, outUsages);
|
||||
check(suffix, certUsageObjectSigner, count, outUsages);
|
||||
check(suffix, usages & certificateUsageSSLClient, count, outUsages);
|
||||
check(suffix, usages & certificateUsageSSLServer, count, outUsages);
|
||||
check(suffix, usages & certificateUsageSSLServerWithStepUp, count, outUsages);
|
||||
check(suffix, usages & certificateUsageEmailSigner, count, outUsages);
|
||||
check(suffix, usages & certificateUsageEmailRecipient, count, outUsages);
|
||||
check(suffix, usages & certificateUsageObjectSigner, count, outUsages);
|
||||
#if 0
|
||||
check(suffix, certUsageProtectedObjectSigner, count, outUsages);
|
||||
check(suffix, certUsageUserCertImport, count, outUsages);
|
||||
check(suffix, usages & certificateUsageProtectedObjectSigner, count, outUsages);
|
||||
check(suffix, usages & certificateUsageUserCertImport, count, outUsages);
|
||||
#endif
|
||||
check(suffix, certUsageSSLCA, count, outUsages);
|
||||
check(suffix, usages & certificateUsageSSLCA, count, outUsages);
|
||||
#if 0
|
||||
check(suffix, certUsageVerifyCA, count, outUsages);
|
||||
check(suffix, usages & certificateUsageVerifyCA, count, outUsages);
|
||||
#endif
|
||||
check(suffix, certUsageStatusResponder, count, outUsages);
|
||||
check(suffix, usages & certificateUsageStatusResponder, count, outUsages);
|
||||
#if 0
|
||||
check(suffix, certUsageAnyCA, count, outUsages);
|
||||
check(suffix, usages & certificateUsageAnyCA, count, outUsages);
|
||||
#endif
|
||||
|
||||
if (ignoreOcsp && nssComponent) {
|
||||
@ -230,7 +220,7 @@ nsUsageArrayHelper::GetUsagesArray(const char *suffix,
|
||||
}
|
||||
|
||||
if (count == 0) {
|
||||
verifyFailed(_verified);
|
||||
verifyFailed(_verified, err);
|
||||
} else {
|
||||
*_verified = nsNSSCertificate::VERIFIED_OK;
|
||||
}
|
||||
|
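Review bot: In the GetUsagesArray hunk (@ -203), `SECCertificateUsage usages;` is declared uninitialised and the SECStatus returned by `CERT_VerifyCertificateNow` is discarded, so the only thing stopping stale stack contents from making `usages & certificateUsageSSLServer` report a verified usage is the callee zeroing its out-parameter on every path; initialise it, `SECCertificateUsage usages = 0;`, so a call that fails early cannot read as success. The removed caching in `check()` deliberately preferred any other error over SEC_ERROR_INADEQUATE_KEY_USAGE/SEC_ERROR_INADEQUATE_CERT_TYPE, whereas the new code takes a single `PR_GetError()` after one combined call and `verifyFailed` maps those two codes to "failed for this usage only", so if NSS leaves an inadequate-usage code as the last error while the chain is actually untrusted or expired the user sees the milder classification — worth confirming which error the combined call leaves behind. Since `check()` no longer verifies anything and only maps a bit to a bundle string, a one-line comment above its `if (!aCertUsage) return;`, `// aCertUsage is one bit of the usages mask returned by CERT_VerifyCertificateNow; 0 means the cert was not valid for that usage`, would make the new contract explicit.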
@ -19,6 +19,7 @@
|
||||
* the Initial Developer. All Rights Reserved.
|
||||
*
|
||||
* Contributor(s):
|
||||
* John Gardiner Myers <jgmyers@speakeasy.net>
|
||||
*
|
||||
* Alternatively, the contents of this file may be used under the terms of
|
||||
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
||||
@ -60,14 +61,13 @@ private:
|
||||
nsresult m_rv;
|
||||
CERTCertDBHandle *defaultcertdb;
|
||||
nsCOMPtr<nsINSSComponent> nssComponent;
|
||||
int mCached_NonInadequateReason;
|
||||
|
||||
void check(const char *suffix,
|
||||
SECCertUsage aCertUsage,
|
||||
SECCertificateUsage aCertUsage,
|
||||
PRUint32 &aCounter,
|
||||
PRUnichar **outUsages);
|
||||
|
||||
void verifyFailed(PRUint32 *_verified);
|
||||
void verifyFailed(PRUint32 *_verified, int err);
|
||||
};
|
||||
|
||||
#endif
|
||||
|