bug 857627 - 4/4: remove nickname-related APIs from nsIX509CertDB r=Cykesiopka,jcj

This removes findCertByNickname, findEmailEncryptionCert, and
findEmailSigningCert.

MozReview-Commit-ID: KOxWHJm3GNX

--HG--
extra : rebase_source : c67a65ce71b25c6502bad012c48aa1c30e71f334
David Keeler 2016-11-18 16:35:27 -08:00
parent 05e56a2501
commit ca5083ce4d
4 changed files with 53 additions and 178 deletions


@ -13,7 +13,6 @@
#include "nsIPK11Token.h"
#include "nsIPK11TokenDB.h"
#include "nsIX509Cert.h"
#include "nsIX509CertDB.h"
#include "nsIX509CertValidity.h"
#include "nsLiteralString.h"
#include "nsProxyRelease.h"
@ -23,6 +22,44 @@
namespace mozilla {
// Given a name, searches the internal certificate/key database for a
// self-signed certificate with subject and issuer distinguished name equal to
// "CN={name}". This assumes that the user has already authenticated to the
// internal DB if necessary.
static nsresult
FindLocalCertByName(const nsACString& aName,
/*out*/ UniqueCERTCertificate& aResult)
{
aResult.reset(nullptr);
NS_NAMED_LITERAL_CSTRING(commonNamePrefix, "CN=");
nsAutoCString expectedDistinguishedName(commonNamePrefix + aName);
UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
if (!slot) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
}
UniqueCERTCertList certList(PK11_ListCertsInSlot(slot.get()));
if (!certList) {
return NS_ERROR_UNEXPECTED;
}
for (const CERTCertListNode* node = CERT_LIST_HEAD(certList);
!CERT_LIST_END(node, certList); node = CERT_LIST_NEXT(node)) {
// If this isn't a self-signed cert, it's not what we're interested in.
if (!node->cert->isRoot) {
continue;
}
if (!expectedDistinguishedName.Equals(node->cert->subjectName)) {
continue; // Subject should match nickname
}
if (!expectedDistinguishedName.Equals(node->cert->issuerName)) {
continue; // Issuer should match nickname
}
// We found a match.
aResult.reset(CERT_DupCertificate(node->cert));
return NS_OK;
}
return NS_OK;
}
class LocalCertTask : public CryptoTask
{
protected:
@ -33,33 +70,20 @@ protected:
nsresult RemoveExisting()
{
// Search for any existing certs with this name and remove them
nsresult rv;
// Search for any existing self-signed certs with this name and remove them
for (;;) {
UniqueCERTCertificate cert(
PK11_FindCertFromNickname(mNickname.get(), nullptr));
UniqueCERTCertificate cert;
nsresult rv = FindLocalCertByName(mNickname, cert);
if (NS_FAILED(rv)) {
return rv;
}
// If we didn't find a match, we're done.
if (!cert) {
return NS_OK; // All done
return NS_OK;
}
// Found a cert, check if generated by this service
if (!cert->isRoot) {
return NS_ERROR_UNEXPECTED; // Should be self-signed
}
NS_NAMED_LITERAL_CSTRING(commonNamePrefix, "CN=");
nsAutoCString subjectNameFromNickname(commonNamePrefix + mNickname);
if (!subjectNameFromNickname.Equals(cert->subjectName)) {
return NS_ERROR_UNEXPECTED; // Subject should match nickname
}
if (!subjectNameFromNickname.Equals(cert->issuerName)) {
return NS_ERROR_UNEXPECTED; // Issuer should match nickname
}
rv = MapSECStatus(PK11_DeleteTokenCertAndKey(cert.get(), nullptr));
if (NS_FAILED(rv)) {
return rv; // Some error, abort the loop
return rv;
}
}
}
@ -253,19 +277,15 @@ private:
nsresult GetFromDB()
{
nsCOMPtr<nsIX509CertDB> certDB = do_GetService(NS_X509CERTDB_CONTRACTID);
if (!certDB) {
return NS_ERROR_FAILURE;
}
nsCOMPtr<nsIX509Cert> certFromDB;
nsresult rv;
rv = certDB->FindCertByNickname(NS_ConvertASCIItoUTF16(mNickname),
getter_AddRefs(certFromDB));
UniqueCERTCertificate cert;
nsresult rv = FindLocalCertByName(mNickname, cert);
if (NS_FAILED(rv)) {
return rv;
}
mCert = certFromDB;
if (!cert) {
return NS_ERROR_FAILURE;
}
mCert = nsNSSCertificate::Create(cert.get());
return NS_OK;
}
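Review bot: In FindLocalCertByName the only ownership test is the DN string: any certificate in the internal slot with `isRoot` set and subject and issuer equal to `CN={name}` is returned, whatever nickname it is stored under, and RemoveExisting hands every such match to `PK11_DeleteTokenCertAndKey`. The lines this section replaces appear to have looked the certificate up with `PK11_FindCertFromNickname` first and returned NS_ERROR_UNEXPECTED when the DN checks failed, so the set of certificates the loop can delete is now defined differently; whether another component can store a self-signed `CN={name}` certificate in the same slot is not visible here. The helper's header comment should state that contract, and also that a miss is reported as NS_OK with a null `aResult`, for example `// Returns NS_OK with aResult null when no certificate matches; callers must check aResult.` The inline comments `// Subject should match nickname` and `// Issuer should match nickname` would be clearer saying "name", since the parameter is now `aName`.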


@ -74,17 +74,6 @@ interface nsIX509CertDB : nsISupports {
const unsigned long TRUSTED_EMAIL = 1 << 1;
const unsigned long TRUSTED_OBJSIGN = 1 << 2;
/**
* Given a nickname,
* locate the matching certificate.
*
* @param aNickname The nickname to be used as the key
* to find a certificate.
*
* @return The matching certificate if found.
*/
nsIX509Cert findCertByNickname(in AString aNickname);
/**
* Will find a certificate based on its dbkey
* retrieved by getting the dbKey attribute of
@ -95,26 +84,6 @@ interface nsIX509CertDB : nsISupports {
*/
nsIX509Cert findCertByDBKey(in string aDBkey);
/**
* Find user's own email encryption certificate by nickname.
*
* @param aNickname The nickname to be used as the key
* to find the certificate.
*
* @return The matching certificate if found.
*/
nsIX509Cert findEmailEncryptionCert(in AString aNickname);
/**
* Find user's own email signing certificate by nickname.
*
* @param aNickname The nickname to be used as the key
* to find the certificate.
*
* @return The matching certificate if found.
*/
nsIX509Cert findEmailSigningCert(in AString aNickname);
/**
* Find a certificate by email address.
*


@ -669,7 +669,6 @@ nsNSSCertificate::GetChain(nsIArray** _rvChain)
return NS_ERROR_NOT_AVAILABLE;
NS_ENSURE_ARG(_rvChain);
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Getting chain for \"%s\"\n", mCert->nickname));
mozilla::pkix::Time now(mozilla::pkix::Now());
@ -703,9 +702,6 @@ nsNSSCertificate::GetChain(nsIArray** _rvChain)
if ((usage & otherUsagesToTest) == 0) {
continue;
}
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
("pipnss: PKIX attempting chain(%d) for '%s'\n",
usage, mCert->nickname));
if (certVerifier->VerifyCert(mCert.get(), usage, now,
nullptr, /*XXX fixme*/
nullptr, /*hostname*/
@ -721,9 +717,6 @@ nsNSSCertificate::GetChain(nsIArray** _rvChain)
// There is not verified path for the chain, however we still want to
// present to the user as much of a possible chain as possible, in the case
// where there was a problem with the cert or the issuers.
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
("pipnss: getchain :CertVerify failed to get chain for '%s'\n",
mCert->nickname));
nssChain = UniqueCERTCertList(
CERT_GetCertChainFromCert(mCert.get(), PR_Now(), certUsageSSLClient));
}
@ -740,8 +733,6 @@ nsNSSCertificate::GetChain(nsIArray** _rvChain)
for (node = CERT_LIST_HEAD(nssChain.get());
!CERT_LIST_END(node, nssChain.get());
node = CERT_LIST_NEXT(node)) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
("adding %s to chain\n", node->cert->nickname));
nsCOMPtr<nsIX509Cert> cert = nsNSSCertificate::Create(node->cert);
array->AppendElement(cert, false);
}
@ -763,7 +754,6 @@ nsNSSCertificate::GetAllTokenNames(uint32_t* aLength, char16_t*** aTokenNames)
*aTokenNames = nullptr;
// Get the slots from NSS
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Getting slots for \"%s\"\n", mCert->nickname));
UniquePK11SlotList slots(PK11_GetAllSlotsForCert(mCert.get(), nullptr));
if (!slots) {
if (PORT_GetError() == SEC_ERROR_NO_TOKEN) {


@ -94,36 +94,6 @@ nsNSSCertificateDB::~nsNSSCertificateDB()
shutdown(ShutdownCalledFrom::Object);
}
NS_IMETHODIMP
nsNSSCertificateDB::FindCertByNickname(const nsAString& nickname,
nsIX509Cert** _rvCert)
{
NS_ENSURE_ARG_POINTER(_rvCert);
*_rvCert = nullptr;
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
char *asciiname = nullptr;
NS_ConvertUTF16toUTF8 aUtf8Nickname(nickname);
asciiname = const_cast<char*>(aUtf8Nickname.get());
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Getting \"%s\"\n", asciiname));
UniqueCERTCertificate cert(PK11_FindCertFromNickname(asciiname, nullptr));
if (!cert) {
cert.reset(CERT_FindCertByNickname(CERT_GetDefaultCertDB(), asciiname));
}
if (cert) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("got it\n"));
nsCOMPtr<nsIX509Cert> pCert = nsNSSCertificate::Create(cert.get());
if (pCert) {
pCert.forget(_rvCert);
return NS_OK;
}
}
return NS_ERROR_FAILURE;
}
NS_IMETHODIMP
nsNSSCertificateDB::FindCertByDBKey(const char* aDBKey,nsIX509Cert** _cert)
{
@ -1038,80 +1008,6 @@ nsNSSCertificateDB::ExportPKCS12File(nsISupports* aToken,
return blob.ExportToFile(aFile, certs, count);
}
NS_IMETHODIMP
nsNSSCertificateDB::FindEmailEncryptionCert(const nsAString& aNickname,
nsIX509Cert** _retval)
{
NS_ENSURE_ARG_POINTER(_retval);
*_retval = nullptr;
if (aNickname.IsEmpty())
return NS_OK;
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
char *asciiname = nullptr;
NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
asciiname = const_cast<char*>(aUtf8Nickname.get());
/* Find a good cert in the user's database */
UniqueCERTCertificate cert(CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
asciiname,
certUsageEmailRecipient,
true, ctx));
if (!cert) {
return NS_OK;
}
nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get());
if (!nssCert) {
return NS_ERROR_OUT_OF_MEMORY;
}
nssCert.forget(_retval);
return NS_OK;
}
NS_IMETHODIMP
nsNSSCertificateDB::FindEmailSigningCert(const nsAString& aNickname,
nsIX509Cert** _retval)
{
NS_ENSURE_ARG_POINTER(_retval);
*_retval = nullptr;
if (aNickname.IsEmpty())
return NS_OK;
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
char *asciiname = nullptr;
NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
asciiname = const_cast<char*>(aUtf8Nickname.get());
/* Find a good cert in the user's database */
UniqueCERTCertificate cert(CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
asciiname,
certUsageEmailSigner,
true, ctx));
if (!cert) {
return NS_OK;
}
nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get());
if (!nssCert) {
return NS_ERROR_OUT_OF_MEMORY;
}
nssCert.forget(_retval);
return NS_OK;
}
NS_IMETHODIMP
nsNSSCertificateDB::FindCertByEmailAddress(const char* aEmailAddress,
nsIX509Cert** _retval)