mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-09 03:15:11 +00:00
bug 857627 - 4/4: remove nickname-related APIs from nsIX509CertDB r=Cykesiopka,jcj
This removes findCertByNickname, findEmailEncryptionCert, and findEmailSigningCert. MozReview-Commit-ID: KOxWHJm3GNX --HG-- extra : rebase_source : c67a65ce71b25c6502bad012c48aa1c30e71f334
This commit is contained in:
parent
05e56a2501
commit
ca5083ce4d
@ -13,7 +13,6 @@
|
||||
#include "nsIPK11Token.h"
|
||||
#include "nsIPK11TokenDB.h"
|
||||
#include "nsIX509Cert.h"
|
||||
#include "nsIX509CertDB.h"
|
||||
#include "nsIX509CertValidity.h"
|
||||
#include "nsLiteralString.h"
|
||||
#include "nsProxyRelease.h"
|
||||
@ -23,6 +22,44 @@
|
||||
|
||||
namespace mozilla {
|
||||
|
||||
// Given a name, searches the internal certificate/key database for a
|
||||
// self-signed certificate with subject and issuer distinguished name equal to
|
||||
// "CN={name}". This assumes that the user has already authenticated to the
|
||||
// internal DB if necessary.
|
||||
static nsresult
|
||||
FindLocalCertByName(const nsACString& aName,
|
||||
/*out*/ UniqueCERTCertificate& aResult)
|
||||
{
|
||||
aResult.reset(nullptr);
|
||||
NS_NAMED_LITERAL_CSTRING(commonNamePrefix, "CN=");
|
||||
nsAutoCString expectedDistinguishedName(commonNamePrefix + aName);
|
||||
UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
|
||||
if (!slot) {
|
||||
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
|
||||
}
|
||||
UniqueCERTCertList certList(PK11_ListCertsInSlot(slot.get()));
|
||||
if (!certList) {
|
||||
return NS_ERROR_UNEXPECTED;
|
||||
}
|
||||
for (const CERTCertListNode* node = CERT_LIST_HEAD(certList);
|
||||
!CERT_LIST_END(node, certList); node = CERT_LIST_NEXT(node)) {
|
||||
// If this isn't a self-signed cert, it's not what we're interested in.
|
||||
if (!node->cert->isRoot) {
|
||||
continue;
|
||||
}
|
||||
if (!expectedDistinguishedName.Equals(node->cert->subjectName)) {
|
||||
continue; // Subject should match nickname
|
||||
}
|
||||
if (!expectedDistinguishedName.Equals(node->cert->issuerName)) {
|
||||
continue; // Issuer should match nickname
|
||||
}
|
||||
// We found a match.
|
||||
aResult.reset(CERT_DupCertificate(node->cert));
|
||||
return NS_OK;
|
||||
}
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
class LocalCertTask : public CryptoTask
|
||||
{
|
||||
protected:
|
||||
@ -33,33 +70,20 @@ protected:
|
||||
|
||||
nsresult RemoveExisting()
|
||||
{
|
||||
// Search for any existing certs with this name and remove them
|
||||
nsresult rv;
|
||||
|
||||
// Search for any existing self-signed certs with this name and remove them
|
||||
for (;;) {
|
||||
UniqueCERTCertificate cert(
|
||||
PK11_FindCertFromNickname(mNickname.get(), nullptr));
|
||||
UniqueCERTCertificate cert;
|
||||
nsresult rv = FindLocalCertByName(mNickname, cert);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
// If we didn't find a match, we're done.
|
||||
if (!cert) {
|
||||
return NS_OK; // All done
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
// Found a cert, check if generated by this service
|
||||
if (!cert->isRoot) {
|
||||
return NS_ERROR_UNEXPECTED; // Should be self-signed
|
||||
}
|
||||
|
||||
NS_NAMED_LITERAL_CSTRING(commonNamePrefix, "CN=");
|
||||
nsAutoCString subjectNameFromNickname(commonNamePrefix + mNickname);
|
||||
if (!subjectNameFromNickname.Equals(cert->subjectName)) {
|
||||
return NS_ERROR_UNEXPECTED; // Subject should match nickname
|
||||
}
|
||||
if (!subjectNameFromNickname.Equals(cert->issuerName)) {
|
||||
return NS_ERROR_UNEXPECTED; // Issuer should match nickname
|
||||
}
|
||||
|
||||
rv = MapSECStatus(PK11_DeleteTokenCertAndKey(cert.get(), nullptr));
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv; // Some error, abort the loop
|
||||
return rv;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -253,19 +277,15 @@ private:
|
||||
|
||||
nsresult GetFromDB()
|
||||
{
|
||||
nsCOMPtr<nsIX509CertDB> certDB = do_GetService(NS_X509CERTDB_CONTRACTID);
|
||||
if (!certDB) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIX509Cert> certFromDB;
|
||||
nsresult rv;
|
||||
rv = certDB->FindCertByNickname(NS_ConvertASCIItoUTF16(mNickname),
|
||||
getter_AddRefs(certFromDB));
|
||||
UniqueCERTCertificate cert;
|
||||
nsresult rv = FindLocalCertByName(mNickname, cert);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
mCert = certFromDB;
|
||||
if (!cert) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
mCert = nsNSSCertificate::Create(cert.get());
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
|
@ -74,17 +74,6 @@ interface nsIX509CertDB : nsISupports {
|
||||
const unsigned long TRUSTED_EMAIL = 1 << 1;
|
||||
const unsigned long TRUSTED_OBJSIGN = 1 << 2;
|
||||
|
||||
/**
|
||||
* Given a nickname,
|
||||
* locate the matching certificate.
|
||||
*
|
||||
* @param aNickname The nickname to be used as the key
|
||||
* to find a certificate.
|
||||
*
|
||||
* @return The matching certificate if found.
|
||||
*/
|
||||
nsIX509Cert findCertByNickname(in AString aNickname);
|
||||
|
||||
/**
|
||||
* Will find a certificate based on its dbkey
|
||||
* retrieved by getting the dbKey attribute of
|
||||
@ -95,26 +84,6 @@ interface nsIX509CertDB : nsISupports {
|
||||
*/
|
||||
nsIX509Cert findCertByDBKey(in string aDBkey);
|
||||
|
||||
/**
|
||||
* Find user's own email encryption certificate by nickname.
|
||||
*
|
||||
* @param aNickname The nickname to be used as the key
|
||||
* to find the certificate.
|
||||
*
|
||||
* @return The matching certificate if found.
|
||||
*/
|
||||
nsIX509Cert findEmailEncryptionCert(in AString aNickname);
|
||||
|
||||
/**
|
||||
* Find user's own email signing certificate by nickname.
|
||||
*
|
||||
* @param aNickname The nickname to be used as the key
|
||||
* to find the certificate.
|
||||
*
|
||||
* @return The matching certificate if found.
|
||||
*/
|
||||
nsIX509Cert findEmailSigningCert(in AString aNickname);
|
||||
|
||||
/**
|
||||
* Find a certificate by email address.
|
||||
*
|
||||
|
@ -669,7 +669,6 @@ nsNSSCertificate::GetChain(nsIArray** _rvChain)
|
||||
return NS_ERROR_NOT_AVAILABLE;
|
||||
|
||||
NS_ENSURE_ARG(_rvChain);
|
||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Getting chain for \"%s\"\n", mCert->nickname));
|
||||
|
||||
mozilla::pkix::Time now(mozilla::pkix::Now());
|
||||
|
||||
@ -703,9 +702,6 @@ nsNSSCertificate::GetChain(nsIArray** _rvChain)
|
||||
if ((usage & otherUsagesToTest) == 0) {
|
||||
continue;
|
||||
}
|
||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
||||
("pipnss: PKIX attempting chain(%d) for '%s'\n",
|
||||
usage, mCert->nickname));
|
||||
if (certVerifier->VerifyCert(mCert.get(), usage, now,
|
||||
nullptr, /*XXX fixme*/
|
||||
nullptr, /*hostname*/
|
||||
@ -721,9 +717,6 @@ nsNSSCertificate::GetChain(nsIArray** _rvChain)
|
||||
// There is not verified path for the chain, however we still want to
|
||||
// present to the user as much of a possible chain as possible, in the case
|
||||
// where there was a problem with the cert or the issuers.
|
||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
||||
("pipnss: getchain :CertVerify failed to get chain for '%s'\n",
|
||||
mCert->nickname));
|
||||
nssChain = UniqueCERTCertList(
|
||||
CERT_GetCertChainFromCert(mCert.get(), PR_Now(), certUsageSSLClient));
|
||||
}
|
||||
@ -740,8 +733,6 @@ nsNSSCertificate::GetChain(nsIArray** _rvChain)
|
||||
for (node = CERT_LIST_HEAD(nssChain.get());
|
||||
!CERT_LIST_END(node, nssChain.get());
|
||||
node = CERT_LIST_NEXT(node)) {
|
||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
||||
("adding %s to chain\n", node->cert->nickname));
|
||||
nsCOMPtr<nsIX509Cert> cert = nsNSSCertificate::Create(node->cert);
|
||||
array->AppendElement(cert, false);
|
||||
}
|
||||
@ -763,7 +754,6 @@ nsNSSCertificate::GetAllTokenNames(uint32_t* aLength, char16_t*** aTokenNames)
|
||||
*aTokenNames = nullptr;
|
||||
|
||||
// Get the slots from NSS
|
||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Getting slots for \"%s\"\n", mCert->nickname));
|
||||
UniquePK11SlotList slots(PK11_GetAllSlotsForCert(mCert.get(), nullptr));
|
||||
if (!slots) {
|
||||
if (PORT_GetError() == SEC_ERROR_NO_TOKEN) {
|
||||
|
@ -94,36 +94,6 @@ nsNSSCertificateDB::~nsNSSCertificateDB()
|
||||
shutdown(ShutdownCalledFrom::Object);
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsNSSCertificateDB::FindCertByNickname(const nsAString& nickname,
|
||||
nsIX509Cert** _rvCert)
|
||||
{
|
||||
NS_ENSURE_ARG_POINTER(_rvCert);
|
||||
*_rvCert = nullptr;
|
||||
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
if (isAlreadyShutDown()) {
|
||||
return NS_ERROR_NOT_AVAILABLE;
|
||||
}
|
||||
char *asciiname = nullptr;
|
||||
NS_ConvertUTF16toUTF8 aUtf8Nickname(nickname);
|
||||
asciiname = const_cast<char*>(aUtf8Nickname.get());
|
||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Getting \"%s\"\n", asciiname));
|
||||
UniqueCERTCertificate cert(PK11_FindCertFromNickname(asciiname, nullptr));
|
||||
if (!cert) {
|
||||
cert.reset(CERT_FindCertByNickname(CERT_GetDefaultCertDB(), asciiname));
|
||||
}
|
||||
if (cert) {
|
||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("got it\n"));
|
||||
nsCOMPtr<nsIX509Cert> pCert = nsNSSCertificate::Create(cert.get());
|
||||
if (pCert) {
|
||||
pCert.forget(_rvCert);
|
||||
return NS_OK;
|
||||
}
|
||||
}
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsNSSCertificateDB::FindCertByDBKey(const char* aDBKey,nsIX509Cert** _cert)
|
||||
{
|
||||
@ -1038,80 +1008,6 @@ nsNSSCertificateDB::ExportPKCS12File(nsISupports* aToken,
|
||||
return blob.ExportToFile(aFile, certs, count);
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsNSSCertificateDB::FindEmailEncryptionCert(const nsAString& aNickname,
|
||||
nsIX509Cert** _retval)
|
||||
{
|
||||
NS_ENSURE_ARG_POINTER(_retval);
|
||||
*_retval = nullptr;
|
||||
|
||||
if (aNickname.IsEmpty())
|
||||
return NS_OK;
|
||||
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
if (isAlreadyShutDown()) {
|
||||
return NS_ERROR_NOT_AVAILABLE;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
|
||||
char *asciiname = nullptr;
|
||||
NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
|
||||
asciiname = const_cast<char*>(aUtf8Nickname.get());
|
||||
|
||||
/* Find a good cert in the user's database */
|
||||
UniqueCERTCertificate cert(CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
|
||||
asciiname,
|
||||
certUsageEmailRecipient,
|
||||
true, ctx));
|
||||
if (!cert) {
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get());
|
||||
if (!nssCert) {
|
||||
return NS_ERROR_OUT_OF_MEMORY;
|
||||
}
|
||||
nssCert.forget(_retval);
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsNSSCertificateDB::FindEmailSigningCert(const nsAString& aNickname,
|
||||
nsIX509Cert** _retval)
|
||||
{
|
||||
NS_ENSURE_ARG_POINTER(_retval);
|
||||
*_retval = nullptr;
|
||||
|
||||
if (aNickname.IsEmpty())
|
||||
return NS_OK;
|
||||
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
if (isAlreadyShutDown()) {
|
||||
return NS_ERROR_NOT_AVAILABLE;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
|
||||
char *asciiname = nullptr;
|
||||
NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
|
||||
asciiname = const_cast<char*>(aUtf8Nickname.get());
|
||||
|
||||
/* Find a good cert in the user's database */
|
||||
UniqueCERTCertificate cert(CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
|
||||
asciiname,
|
||||
certUsageEmailSigner,
|
||||
true, ctx));
|
||||
if (!cert) {
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get());
|
||||
if (!nssCert) {
|
||||
return NS_ERROR_OUT_OF_MEMORY;
|
||||
}
|
||||
nssCert.forget(_retval);
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsNSSCertificateDB::FindCertByEmailAddress(const char* aEmailAddress,
|
||||
nsIX509Cert** _retval)
|
||||
|
Loading…
Reference in New Issue
Block a user