Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2025-01-05 15:59:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Enable support for OCSP. Bug#80178, r=mcgreer@netscape.com, sr=blizzard@mozilla.org

Browse Source
This commit is contained in:
ddrinan%netscape.com 2001-05-15 17:35:35 +00:00
parent e466670ee3
commit dd40989267
9 changed files with 485 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
security/manager/pki/resources/content/PrefOverlay.xul
View File

@ -43,6 +43,14 @@
</treerow>
</treeitem>
</treechildren>
<treechildren id="securityChildren">
<treeitem id="validationItem" open="true" >
<treerow>
<treecell class="treecell-indent" url="chrome://pippki/content/pref-validation.xul"
label="&validation.label;" />
</treerow>
</treeitem>
</treechildren>
</treeitem>
</treechildren>
</overlay>

86
security/manager/pki/resources/content/pref-validation.js Normal file
View File

@ -0,0 +1,86 @@
/*
* The contents of this file are subject to the Mozilla Public
* License Version 1.1 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a copy of
* the License at http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
* implied. See the License for the specific language governing
* rights and limitations under the License.
*
* The Original Code is mozilla.org code.
*
* The Initial Developer of the Original Code is Netscape
* Communications Corporation. Portions created by Netscape are
* Copyright (C) 2001 Netscape Communications Corporation. All
* Rights Reserved.
*
* Contributor(s):
* David Drinan <ddrinan@netscape.com>
*/
const nsIX509CertDB = Components.interfaces.nsIX509CertDB;
const nsX509CertDB = "@mozilla.org/security/x509certdb;1";
const nsIOCSPResponder = Components.interfaces.nsIOCSPResponder;
const nsISupportsArray = Components.interfaces.nsISupportsArray;
var certdb;
var ocspResponders;
function onLoad()
{
var ocspEntry;
var i;
certdb = Components.classes[nsX509CertDB].getService(nsIX509CertDB);
ocspResponders = certdb.getOCSPResponders();
var signersMenu = document.getElementById("signingCA");
var signersURL = document.getElementById("serviceURL");
for (i=0; i<ocspResponders.Count(); i++) {
ocspEntry = ocspResponders.GetElementAt(i).QueryInterface(nsIOCSPResponder);
var menuItemNode = document.createElement("menuitem");
menuItemNode.setAttribute("value", ocspEntry.responseSigner);
menuItemNode.setAttribute("label", ocspEntry.responseSigner);
signersMenu.firstChild.appendChild(menuItemNode);
}
parent.initPanel('chrome://pippki/content/pref-validation.xul');
doEnabling();
}
function doEnabling()
{
var signersMenu = document.getElementById("signingCA");
var signersURL = document.getElementById("serviceURL");
var radiogroup = document.getElementById("securityOCSPEnabled");
switch ( radiogroup.value ) {
case "0":
case "1":
signersMenu.setAttribute("disabled", true);
signersURL.setAttribute("disabled", true);
break;
case "2":
default:
signersMenu.removeAttribute("disabled");
signersURL.removeAttribute("disabled");
}
}
function changeURL()
{
var signersMenu = document.getElementById("signingCA");
var signersURL = document.getElementById("serviceURL");
var CA = signersMenu.getAttribute("value");
for (i=0; i < ocspResponders.Count(); i++) {
ocspEntry = ocspResponders.GetElementAt(i).QueryInterface(nsIOCSPResponder);
if (CA == ocspEntry.responseSigner) {
signersURL.setAttribute("value", ocspEntry.serviceURL);
break;
}
}
}

91
security/manager/pki/resources/content/pref-validation.xul Normal file
View File

@ -0,0 +1,91 @@
<?xml version="1.0"?>
<!--
- The contents of this file are subject to the Mozilla Public
- License Version 1.1 (the "License"); you may not use this file
- except in compliance with the License. You may obtain a copy of
- the License at http://www.mozilla.org/MPL/
-
- Software distributed under the License is distributed on an "AS
- IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- implied. See the License for the specific language governing
- rights and limitations under the License.
-
- The Original Code is mozilla.org code.
-
- The Initial Developer of the Original Code is Netscape
- Communications Corp. Portions created by Netscape are
- Copyright (C) 2001 Netscape Communications Corp. All
- Rights Reserved.
-
- Contributor(s):
- David Drinan <ddrinan@netscape.com>
-->
<?xml-stylesheet href="chrome://communicator/skin/" type="text/css"?>
<?xml-stylesheet href="chrome://communicator/skin/dialogOverlay.css" type="text/css"?>
<!DOCTYPE window [
<!ENTITY % brandDTD SYSTEM "chrome://global/locale/brand.dtd">
<!ENTITY % prefValidationDTD SYSTEM "chrome://pippki/locale/pref-validation.dtd">
%brandDTD;
%prefValidationDTD;
]>
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
class="color-dialog"
orient="vertical"
onload="onLoad();" >
<!-- List elements to manage for prefs -->
<script language="JavaScript">
<![CDATA[
var _elementIDs = ["securityOCSPEnabled", "serviceURL", "signingCA"];
]]>
</script>
<script src="pref-validation.js"/>
<!-- Fancy panel header -->
<box class="box-smallheader" title="&validation.title;" description="&validation.description;"/>
<!--
<titledbox orient="horizontal">
<label value="&validation.crl.label;"/>
</titledbox>
-->
<titledbox orient="vertical" autostretch="never" >
<label value="&validation.ocsp.label;"/>
<html> &validation.ocsp.description; </html>
<!-- Prefs -->
<radiogroup id="securityOCSPEnabled" orient="vertical" autostretch="never"
pref="true" preftype="int" prefstring="security.OCSP.enabled"
prefattribute="value">
<radio group="securityOCSPEnabled" value="0" label="&disableOCSP.label;" oncommand="doEnabling();"/>
<radio group="securityOCSPEnabled" value="1" label="&certOCSP.label;" oncommand="doEnabling();"/>
<radio group="securityOCSPEnabled" value="2" label="&proxyOCSP.label;" oncommand="doEnabling();"/>
<grid class="indent" flex="1">
<columns>
<column/>
<column flex="1"/>
</columns>
<rows>
<row>
<text class="label" value="&serviceURL.label;" for="serviceURL"/>
<textbox id="serviceURL" pref="true" preftype="string" prefstring="security.OCSP.URL"
prefattribute="value" flex="1"/>
</row>
<row>
<text class="label" value="&signingCA.label;" for="signingCA"/>
<menulist id="signingCA" pref="true" preftype="string" prefstring="security.OCSP.signingCA"
prefattribute="value" flex="1" oncommand="changeURL()">
<menupopup/>
</menulist>
</row>
</rows>
</grid>
</radiogroup>
</titledbox>
</window>

3
security/manager/pki/resources/jar.mn
View File

@ -37,6 +37,8 @@ pippki.jar:
content/pippki/certDump.xul (content/certDump.xul)
content/pippki/choosetoken.xul (content/choosetoken.xul)
content/pippki/choosetoken.js (content/choosetoken.js)
content/pippki/pref-validation.xul (content/pref-validation.xul)
content/pippki/pref-validation.js (content/pref-validation.js)
locale/en-US/pippki/contents.rdf (locale/en-US/contents.rdf)
locale/en-US/pippki/pippki.dtd (locale/en-US/pippki.dtd)
locale/en-US/pippki/pref-ssl.dtd (locale/en-US/pref-ssl.dtd)
@ -47,3 +49,4 @@ pippki.jar:
locale/en-US/pippki/pref-security.dtd (locale/en-US/pref-security.dtd)
locale/en-US/pippki/PageInfoOverlay.dtd (locale/en-US/PageInfoOverlay.dtd)
locale/en-US/pippki/certManager.dtd (locale/en-US/certManager.dtd)
locale/en-US/pippki/pref-validation.dtd (locale/en-US/pref-validation.dtd)

6
security/manager/pki/resources/locale/en-US/PrefOverlay.dtd
View File

@ -21,5 +21,7 @@
- Terry Hayes <thayes@netscape.com>
-->
<!ENTITY security.label "Privacy and Security">
<!ENTITY ssl.label "SSL">
<!ENTITY security.label "Privacy and Security">
<!ENTITY ssl.label "SSL">
<!ENTITY validation.label "Validation">

34
security/manager/pki/resources/locale/en-US/pref-validation.dtd Normal file
View File

@ -0,0 +1,34 @@
<!--
- The contents of this file are subject to the Mozilla Public
- License Version 1.1 (the "License"); you may not use this file
- except in compliance with the License. You may obtain a copy of
- the License at http://www.mozilla.org/MPL/
-
- Software distributed under the License is distributed on an "AS
- IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- implied. See the License for the specific language governing
- rights and limitations under the License.
-
- The Original Code is mozilla.org code.
-
- The Initial Developer of the Original Code is Netscape
- Communications Corp. Portions created by Netscape are
- Copyright (C) 2001 Netscape Communications Corp. All
- Rights Reserved.
-
- Contributor(s):
- David P. Drinan (ddrinan@netscape.com)
-->
<!ENTITY validation.title "Validation">
<!ENTITY validation.description "Settings for Validation">
<!ENTITY validation.crl.label "CRL">
<!ENTITY validation.ocsp.label "OCSP">
<!ENTITY validation.ocsp.description "&brandShortName; can use Online Certificate Status Protocol(OCSP) to verify certificates. Set &brandShortName; to use OCSP as follows:">
<!ENTITY disableOCSP.label "Do not use OCSP for certificate validation">
<!ENTITY certOCSP.label "Use OCSP to validate only cerificates that specify on OCSP service URL">
<!ENTITY proxyOCSP.label "Use OCSP to validate all certificates using the URL and signer specified here:">
<!ENTITY serviceURL.label "Service URL:">
<!ENTITY signingCA.label "Response Signer:">

13
security/manager/ssl/public/nsIX509CertDB.idl
View File

@ -64,6 +64,13 @@ native nsCertCompareFunc(nsCertCompareFunc);
native nsAutoString(nsAutoString);
[ref] native nsAutoStringRef(nsAutoString);
[scriptable, uuid(96b2f5ae-4334-11d5-ba27-00108303b117)]
interface nsIOCSPResponder : nsISupports {
readonly attribute wstring responseSigner;
readonly attribute wstring serviceURL;
};
[scriptable, uuid(da48b3c0-1284-11d5-ac67-000064657374)]
interface nsIX509CertDB : nsISupports {
@ -182,6 +189,12 @@ interface nsIX509CertDB : nsISupports {
in PRUint32 count,
[array, size_is(count)] in nsIX509Cert aCerts);
//[array, size_is(count)] in wstring aCertNames);
/*
* getOCSPResponders
*
* Export a set of OCSP responders i.e. CA names and (optional) URLs.
*/
nsISupportsArray getOCSPResponders();
};

207
security/manager/ssl/src/nsNSSCertificate.cpp
View File

@ -32,7 +32,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: nsNSSCertificate.cpp,v 1.22 2001/05/15 14:56:42 mcgreer%netscape.com Exp $
* $Id: nsNSSCertificate.cpp,v 1.23 2001/05/15 17:35:33 ddrinan%netscape.com Exp $
*/
#include "prmem.h"
@ -64,6 +64,7 @@ extern "C" {
#include "secasn1.h"
#include "secder.h"
}
#include "ocsp.h"
#ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog;
@ -2541,6 +2542,210 @@ nsNSSCertificateDB::ExportPKCS12File(nsIPK11Token *aToken,
return blob.ExportToFile(aFile, certs, count);
}
/* Header file */
class nsOCSPResponder : public nsIOCSPResponder
{
public:
NS_DECL_ISUPPORTS
NS_DECL_NSIOCSPRESPONDER
nsOCSPResponder();
nsOCSPResponder(const PRUnichar*, const PRUnichar*);
virtual ~nsOCSPResponder();
/* additional members */
static PRInt32 CmpCAName(nsIOCSPResponder *a, nsIOCSPResponder *b);
static PRInt32 CompareEntries(nsIOCSPResponder *a, nsIOCSPResponder *b);
static PRBool IncludeCert(CERTCertificate *aCert);
private:
nsString mCA;
nsString mURL;
};
/* Implementation file */
NS_IMPL_ISUPPORTS1(nsOCSPResponder, nsIOCSPResponder)
nsOCSPResponder::nsOCSPResponder()
{
NS_INIT_ISUPPORTS();
/* member initializers and constructor code */
}
nsOCSPResponder::nsOCSPResponder(const PRUnichar * aCA, const PRUnichar * aURL)
{
NS_INIT_ISUPPORTS();
mCA.Assign(aCA);
mURL.Assign(aURL);
}
nsOCSPResponder::~nsOCSPResponder()
{
/* destructor code */
}
/* readonly attribute */
NS_IMETHODIMP nsOCSPResponder::GetResponseSigner(PRUnichar** aCA)
{
NS_ENSURE_ARG(aCA);
*aCA = mCA.ToNewUnicode();
return NS_OK;
}
/* readonly attribute */
NS_IMETHODIMP nsOCSPResponder::GetServiceURL(PRUnichar** aURL)
{
NS_ENSURE_ARG(aURL);
*aURL = mURL.ToNewUnicode();
return NS_OK;
}
PRBool nsOCSPResponder::IncludeCert(CERTCertificate *aCert)
{
CERTCertTrust *trust;
char *nickname;
trust = aCert->trust;
nickname = aCert->nickname;
if ( ( ( trust->sslFlags & CERTDB_INVISIBLE_CA ) ||
(trust->emailFlags & CERTDB_INVISIBLE_CA ) ||
(trust->objectSigningFlags & CERTDB_INVISIBLE_CA ) ) ||
nickname == NULL) {
return PR_FALSE;
}
if ((trust->sslFlags & CERTDB_VALID_CA) ||
(trust->emailFlags & CERTDB_VALID_CA) ||
(trust->objectSigningFlags & CERTDB_VALID_CA)) {
return PR_TRUE;
}
return PR_FALSE;
}
// CmpByCAName
//
// Compare two responders their token name. Returns -1, 0, 1 as
// in strcmp. No token name (null) is treated as >.
PRInt32 nsOCSPResponder::CmpCAName(nsIOCSPResponder *a, nsIOCSPResponder *b)
{
PRInt32 cmp1;
nsXPIDLString aTok, bTok;
a->GetResponseSigner(getter_Copies(aTok));
b->GetResponseSigner(getter_Copies(bTok));
if (aTok != nsnull && bTok != nsnull) {
nsAutoString aStr(aTok);
cmp1 = aStr.CompareWithConversion(bTok);
} else {
cmp1 = (aTok == nsnull) ? 1 : -1;
}
return cmp1;
}
// ocsp_compare_entries
//
// Compare two responders. Returns -1, 0, 1 as
// in strcmp. Entries with urls come before those without urls.
PRInt32 nsOCSPResponder::CompareEntries(nsIOCSPResponder *a, nsIOCSPResponder *b)
{
nsXPIDLString aURL, bURL;
nsAutoString aURLAuto, bURLAuto;
a->GetServiceURL(getter_Copies(aURL));
aURLAuto.Assign(aURL);
b->GetServiceURL(getter_Copies(bURL));
bURLAuto.Assign(bURL);
if (aURLAuto.Length() > 0 ) {
if (bURLAuto.Length() > 0) {
return nsOCSPResponder::CmpCAName(a, b);
} else {
return -1;
}
} else {
if (bURLAuto.Length() > 0) {
return 1;
} else {
return nsOCSPResponder::CmpCAName(a, b);
}
}
}
static SECStatus GetOCSPResponders (CERTCertificate *aCert,
SECItem *aDBKey,
void *aArg)
{
nsISupportsArray *array = NS_STATIC_CAST(nsISupportsArray*, aArg);
PRUnichar* nn = nsnull;
PRUnichar* url = nsnull;
char *serviceURL = nsnull;
char *nickname = nsnull;
PRUint32 i, count;
nsresult rv;
// Are we interested in this cert //
if (!nsOCSPResponder::IncludeCert(aCert)) {
return SECSuccess;
}
// Get the AIA and nickname //
serviceURL = CERT_GetOCSPAuthorityInfoAccessLocation(aCert);
if (serviceURL) {
url = NS_ConvertASCIItoUCS2(serviceURL).ToNewUnicode();
}
nickname = aCert->nickname;
nn = NS_ConvertASCIItoUCS2(nickname).ToNewUnicode();
nsCOMPtr<nsIOCSPResponder> new_entry = new nsOCSPResponder(nn, url);
// Sort the items according to nickname //
rv = array->Count(&count);
for (i=0; i < count; ++i) {
nsCOMPtr<nsISupports> isupport = getter_AddRefs(array->ElementAt(i));
nsCOMPtr<nsIOCSPResponder> entry = do_QueryInterface(isupport);
if (nsOCSPResponder::CompareEntries(new_entry, entry) < 0) {
array->InsertElementAt(new_entry, i);
break;
}
}
if (i == count) {
array->AppendElement(new_entry);
}
return SECSuccess;
}
/*
* getOCSPResponders
*
* Export a set of certs and keys from the database to a PKCS#12 file.
*/
NS_IMETHODIMP
nsNSSCertificateDB::GetOCSPResponders(nsISupportsArray ** aResponders)
{
SECStatus sec_rv;
nsCOMPtr<nsISupportsArray> respondersArray;
nsresult rv = NS_NewISupportsArray(getter_AddRefs(respondersArray));
if (NS_FAILED(rv)) {
return rv;
}
sec_rv = SEC_TraversePermCerts(CERT_GetDefaultCertDB(),
::GetOCSPResponders,
respondersArray);
if (sec_rv == SECSuccess) {
sec_rv = PK11_TraverseSlotCerts(::GetOCSPResponders,
respondersArray,
nsnull);
}
if (sec_rv != SECSuccess) {
goto loser;
}
*aResponders = respondersArray;
NS_IF_ADDREF(*aResponders);
return NS_OK;
loser:
return NS_ERROR_FAILURE;
}
/*
* NSS Helper Routines (private to nsNSSCertificateDB)
*/

40
security/manager/ssl/src/nsNSSComponent.cpp
View File

@ -53,6 +53,7 @@
#include "ssl.h"
#include "sslproto.h"
#include "secmod.h"
#include "ocsp.h"
extern "C" {
#include "pkcs11.h"
#include "pkcs12.h"
@ -368,6 +369,40 @@ static CipherPref CipherPrefs[] = {
{NULL, 0} /* end marker */
};
static void setOCSPOptions(nsIPref * pref)
{
// Set up OCSP //
PRInt32 ocspEnabled;
pref->GetIntPref("security.OCSP.enabled", &ocspEnabled);
switch (ocspEnabled) {
case 0:
CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
break;
case 1:
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
break;
case 2:
{
char *signingCA = nsnull;
char *url = nsnull;
// Get the signing CA and service url //
pref->CopyCharPref("security.OCSP.signingCA", &signingCA);
pref->CopyCharPref("security.OCSP.URL", &url);
// Set OCSP up
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
CERT_SetOCSPDefaultResponder(CERT_GetDefaultCertDB(), url, signingCA);
CERT_EnableOCSPDefaultResponder(CERT_GetDefaultCertDB());
nsMemory::Free(signingCA);
nsMemory::Free(url);
}
break;
}
}
nsresult
nsNSSComponent::InitializeNSS()
{
@ -438,6 +473,9 @@ nsNSSComponent::InitializeNSS()
SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
PORT_SetUCS2_ASCIIConversionFunction(pip_ucs2_ascii_conversion_fn);
// Set up OCSP //
setOCSPOptions(mPref);
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("NSS Initialization done\n"));
return NS_OK;
}
@ -566,6 +604,8 @@ nsNSSComponent::PrefChanged(const char* prefName)
} else if (!nsCRT::strcmp(prefName, "security.enable_tls")) {
mPref->GetBoolPref("security.enable_tls", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
} else if (!nsCRT::strcmp(prefName, "security.OCSP.enabled")) {
setOCSPOptions(mPref);
} else {
/* Look through the cipher table and set according to pref setting */
for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {