clean up cert manager code

* move trust to nsIX509CertDB
* remove unneccessary interface nsICertificateManager (everything should be handled by nsIX509CertDB)
This commit is contained in:
mcgreer%netscape.com 2001-03-22 16:48:19 +00:00
parent 8dbd4156be
commit f591c170a2
13 changed files with 107 additions and 240 deletions

View File

@ -27,7 +27,7 @@ const nsIX509CertDB = Components.interfaces.nsIX509CertDB;
const nsX509CertDB = "@mozilla.org/security/x509certdb;1";
var selected_certs = [];
var certmgr;
var certdb;
function getSelectedCerts()
{
@ -88,58 +88,59 @@ function AddNameWithToken(children, cells, prefix, idfier)
function GetNameList(type, node)
{
certNameList = certmgr.getCertNicknames(type);
var obj1 = {};
var obj2 = {};
certdb.getCertNicknames(null, type, obj1, obj2);
var count = obj1.value;
var certNameList = obj2.value;
if (certNameList.length > 0) {
var delim = certNameList[0];
certNameList = certNameList.split(delim);
certNameList.sort();
}
for (var i=1; i<certNameList.length; i++) {
var certname = certNameList[i];
var ti = certname.indexOf(":");
var token = "";
if (ti > 0) {
token = certname.substring(0, ti);
certname = certname.substring(ti+1, certname.length);
for (var i=0; i<certNameList.length; i++) {
var certname = certNameList[i];
var ti = certname.indexOf(":");
var token = "";
if (ti > 0) {
token = certname.substring(0, ti);
certname = certname.substring(ti+1, certname.length);
}
AddNameWithToken(node, [certname, token], node + "_", i);
}
AddNameWithToken(node, [certname, token], node + "_", i);
}
}
function LoadCertNames()
{
certmgr = Components
.classes["@mozilla.org/security/certmanager;1"]
.createInstance();
certmgr = certmgr.QueryInterface(Components
.interfaces
.nsICertificateManager);
certNameList = certmgr.getCertNicknames(1);
certdb = Components.classes[nsX509CertDB].getService(nsIX509CertDB);
var obj1 = {};
var obj2 = {};
certdb.getCertNicknames(null,
Components.interfaces.nsIX509Cert.CA_CERT,
obj1, obj2);
var count = obj1.value;
var certNameList = obj2.value;
if (certNameList.length > 0) {
var delim = certNameList[0];
certNameList = certNameList.split(delim);
certNameList.sort();
}
var nb = 0;
var nm = 0;
for (var i=1; i<certNameList.length; i++) {
var certname = certNameList[i];
var ti = certname.indexOf(":");
var token = "";
if (ti > 0) {
token = certname.substring(0, ti);
certname = certname.substring(ti+1, certname.length);
}
if (token == "Builtin Object Token") {
AddNameWithToken("builtins", [certname, token], "builtin_", nb);
nb++;
} else {
AddNameWithToken("mycas", [certname, token], "myca_", nm);
nm++;
var nb = 0;
var nm = 0;
for (var i=0; i<certNameList.length; i++) {
var certname = certNameList[i];
var ti = certname.indexOf(":");
var token = "";
if (ti > 0) {
token = certname.substring(0, ti);
certname = certname.substring(ti+1, certname.length);
}
if (token == "Builtin Object Token") {
AddNameWithToken("builtins", [certname, token], "builtin_", nb);
nb++;
} else {
AddNameWithToken("mycas", [certname, token], "myca_", nm);
nm++;
}
}
}
GetNameList(8, "servers");
GetNameList(2, "mine");
GetNameList(Components.interfaces.nsIX509Cert.USER_CERT, "mine");
GetNameList(Components.interfaces.nsIX509Cert.SERVER_CERT, "servers");
}
function ca_enableButtons()
@ -213,7 +214,6 @@ function backupCerts()
fp.appendFilters(nsIFilePicker.filterAll);
if (fp.show() == nsIFilePicker.returnOK ||
fp.show() == nsIFilePicker.returnReplace) {
var certdb = Components.classes[nsX509CertDB].getService(nsIX509CertDB);
certdb.exportPKCS12File(null, fp.file, numcerts, certs);
}
// don't really know it was successful...

View File

@ -51,7 +51,6 @@ EXPORTS = \
CPPSRCS = \
nsNSSDialogs.cpp \
nsPKIModule.cpp \
nsCertificateManager.cpp \
nsPKIParamBlock.cpp \
$(NULL)

View File

@ -62,7 +62,6 @@ EXPORTS = \
OBJS = \
.\$(OBJDIR)\nsNSSDialogs.obj \
.\$(OBJDIR)\nsPKIModule.obj \
.\$(OBJDIR)\nsCertificateManager.obj \
.\$(OBJDIR)\nsPKIParamBlock.obj \
$(NULL)

View File

@ -1,67 +0,0 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* The contents of this file are subject to the Mozilla Public
* License Version 1.1 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a copy of
* the License at http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
* implied. See the License for the specific language governing
* rights and limitations under the License.
*
* The Original Code is mozilla.org code.
*
* The Initial Developer of the Original Code is Netscape
* Communications Corporation. Portions created by Netscape are
* Copyright (C) 2001 Netscape Communications Corporation. All
* Rights Reserved.
*
* Contributor(s):
* Ian McGreer <mcgreer@netscape.com>
*/
#include "nsIServiceManager.h"
#include "nsIX509CertDB.h"
#include "nsCertificateManager.h"
#include "prlog.h"
#ifdef PR_LOGGING
PRLogModuleInfo* gPIPPKILog = nsnull;
#endif
static NS_DEFINE_IID(kCertDBCID, NS_X509CERTDB_CID);
nsCertificateManager::nsCertificateManager()
{
NS_INIT_REFCNT();
#ifdef PR_LOGGING
if (!gPIPPKILog)
gPIPPKILog = PR_NewLogModule("pippki");
#endif
}
nsCertificateManager::~nsCertificateManager()
{
}
NS_IMPL_ISUPPORTS(nsCertificateManager, NS_GET_IID(nsICertificateManager));
NS_IMETHODIMP
nsCertificateManager::GetCertNicknames(PRUint32 type,
PRUnichar **_rNameList)
{
nsresult rv;
nsAutoString nameList;
PR_LOG(gPIPPKILog, PR_LOG_ERROR, ("getting certdb service\n"));
NS_WITH_SERVICE(nsIX509CertDB, certdb, kCertDBCID, &rv);
if (NS_FAILED(rv)) return rv;
PR_LOG(gPIPPKILog, PR_LOG_ERROR, ("getting cert names\n"));
rv = certdb->GetCertificateNames(nsnull, type, nameList);
if (NS_SUCCEEDED(rv)) {
PR_LOG(gPIPPKILog, PR_LOG_ERROR, ("converting unicode\n"));
*_rNameList = nameList.ToNewUnicode();
}
return rv;
}

View File

@ -1,37 +0,0 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* The contents of this file are subject to the Mozilla Public
* License Version 1.1 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a copy of
* the License at http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
* implied. See the License for the specific language governing
* rights and limitations under the License.
*
* The Original Code is mozilla.org code.
*
* The Initial Developer of the Original Code is Netscape
* Communications Corporation. Portions created by Netscape are
* Copyright (C) 2001 Netscape Communications Corporation. All
* Rights Reserved.
*
* Contributor(s):
* Ian McGreer <mcgreer@netscape.com>
*/
#include "nsISupports.h"
#include "nsICertificateManager.h"
class nsCertificateManager : public nsICertificateManager
{
public:
nsCertificateManager();
virtual ~nsCertificateManager();
NS_DECL_ISUPPORTS
NS_DECL_NSICERTIFICATEMANAGER
};

View File

@ -43,6 +43,7 @@
#include "nsIPref.h"
#include "nsIInterfaceRequestor.h"
#include "nsIX509Cert.h"
#include "nsIX509CertDB.h"
#include "nsILocaleService.h"
#include "nsIDateTimeFormat.h"
#include "nsDateTimeFormatCID.h"
@ -672,10 +673,10 @@ nsNSSDialogs::DownloadCACert(nsIInterfaceRequestor *ctx,
rv = block->GetInt(4, &objsign);
if (NS_FAILED(rv)) return rv;
*_trust = nsIX509Cert::UNTRUSTED;
*_trust |= (ssl) ? nsIX509Cert::TRUSTED_SSL : 0;
*_trust |= (email) ? nsIX509Cert::TRUSTED_EMAIL : 0;
*_trust |= (objsign) ? nsIX509Cert::TRUSTED_OBJSIGN : 0;
*_trust = nsIX509CertDB::UNTRUSTED;
*_trust |= (ssl) ? nsIX509CertDB::TRUSTED_SSL : 0;
*_trust |= (email) ? nsIX509CertDB::TRUSTED_EMAIL : 0;
*_trust |= (objsign) ? nsIX509CertDB::TRUSTED_OBJSIGN : 0;
*_canceled = (status == 0)?PR_TRUE:PR_FALSE;

View File

@ -51,7 +51,6 @@ XPIDLSRCS = \
nsIPKCS11Slot.idl \
nsIPK11TokenDB.idl \
nsINSSDialogs.idl \
nsICertificateManager.idl \
$(NULL)
include $(topsrcdir)/config/rules.mk

View File

@ -57,7 +57,6 @@ XPIDLSRCS= \
.\nsIPKCS11Slot.idl \
.\nsIPK11TokenDB.idl \
.\nsINSSDialogs.idl \
.\nsICertificateManager.idl \
$(NULL)

View File

@ -1,45 +0,0 @@
/*
* The contents of this file are subject to the Mozilla Public
* License Version 1.1 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a copy of
* the License at http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
* implied. See the License for the specific language governing
* rights and limitations under the License.
*
* The Original Code is mozilla.org code.
*
* The Initial Developer of the Original Code is Netscape
* Communications Corporation. Portions created by Netscape are
* Copyright (C) 2001 Netscape Communications Corporation. All
* Rights Reserved.
*
* Contributor(s):
* Ian McGreer <mcgreer@netscape.com>
*/
#include "nsISupports.idl"
#include "nsIX509Cert.idl"
/**
* nsICertificateManager
* This is the interface for the certificate manager
*/
[scriptable, uuid(246ec570-11aa-11d5-ac66-000064657374)]
interface nsICertificateManager : nsISupports
{
wstring getCertNicknames(in unsigned long type);
};
%{C++
// 246ec570-11aa-11d5-ac66-000064657374
#define NS_CERTIFICATEMANAGER_CID \
{ 0x246ec570, 0x11aa, 0x11d5, {0xac, 0x66, 0x00, 0x00, 0x64, 0x65, 0x73, 0x74} }
#define NS_CERTIFICATEMANAGER_CONTRACTID "@mozilla.org/security/certmanager;1"
%}

View File

@ -82,12 +82,6 @@ interface nsIX509Cert : nsISupports {
const unsigned long ISSUER_NOT_TRUSTED = 1 << 4;
const unsigned long ISSUER_UNKNOWN = 1 << 5;
const unsigned long INVALID_CA = 1 << 6;
/* XXX I think these should be moved to nsIX509CertDB */
const unsigned long UNTRUSTED = 0;
const unsigned long TRUSTED_SSL = 1 << 0;
const unsigned long TRUSTED_EMAIL = 1 << 1;
const unsigned long TRUSTED_OBJSIGN = 1 << 2;
/*
* accessors for certs

View File

@ -49,6 +49,11 @@ native nsAutoString(nsAutoString);
[scriptable, uuid(da48b3c0-1284-11d5-ac67-000064657374)]
interface nsIX509CertDB : nsISupports {
/* the database is responsible for managing cert trust */
const unsigned long UNTRUSTED = 0;
const unsigned long TRUSTED_SSL = 1 << 0;
const unsigned long TRUSTED_EMAIL = 1 << 1;
const unsigned long TRUSTED_OBJSIGN = 1 << 2;
nsIX509Cert getCertByNickname(in nsIPK11Token aToken,
in wstring aNickname);
@ -80,20 +85,21 @@ interface nsIX509CertDB : nsISupports {
*/
/*
* getCertificateNames
* getCertNicknames
*
* Obtain a list of certificate names from the database.
* Obtain a list of certificate nicknames from the database.
* What the name is depends on type:
* user, ca, or server cert - the nickname
* email cert - the email address
*
* aToken - PKCS#11 token to get certs from (null for all tokens)
* aType - type of certificate to obtain (see nsIX509Cert)
* rCertNameList - a string of certificate names seperated by a delimiter
* count, certNameList - the returned array of names
*/
[noscript] void getCertificateNames(in nsIPK11Token aToken,
in unsigned long aType,
in nsAutoStringRef rCertNameList);
void getCertNicknames(in nsIPK11Token aToken,
in unsigned long aType,
out unsigned long count,
[array, size_is(count)] out wstring certNameList);
/*
* importCertificate

View File

@ -32,7 +32,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: nsNSSCertificate.cpp,v 1.12 2001/03/21 22:00:14 mcgreer%netscape.com Exp $
* $Id: nsNSSCertificate.cpp,v 1.13 2001/03/22 16:48:18 mcgreer%netscape.com Exp $
*/
#include "prmem.h"
@ -1011,14 +1011,17 @@ nsNSSCertificateDB::GetCertByKeyDB(const char *dbkey, nsIX509Cert **_retval)
return NS_OK;
}
/* [noscript] void getCertificateNames(in nsIPK11Token aToken,
* in unsigned long aType,
* in nsAutoStringRef rCertNameList);
/*
* void getCertNicknames(in nsIPK11Token aToken,
* in unsigned long aType,
* out unsigned long count,
* [array, size_is(count)] out wstring certNameList);
*/
NS_IMETHODIMP
nsNSSCertificateDB::GetCertificateNames(nsIPK11Token *aToken,
PRUint32 aType,
nsAutoString& rCertNameList)
nsNSSCertificateDB::GetCertNicknames(nsIPK11Token *aToken,
PRUint32 aType,
PRUint32 *_count,
PRUnichar ***_certNames)
{
nsresult rv = NS_ERROR_FAILURE;
/*
@ -1041,7 +1044,7 @@ nsNSSCertificateDB::GetCertificateNames(nsIPK11Token *aToken,
* get list of cert names from list of certs
* XXX also cull the list (NSS only distinguishes based on user/non-user
*/
getCertNames(certList, aType, rCertNameList);
getCertNames(certList, aType, _count, _certNames);
rv = NS_OK;
/*
* finish up
@ -1073,9 +1076,9 @@ nsNSSCertificateDB::ImportCertificate(nsIX509Cert *cert,
switch (type) {
case nsIX509Cert::CA_CERT:
trust.SetValidCA();
trust.AddCATrust(trusted & nsIX509Cert::TRUSTED_SSL,
trusted & nsIX509Cert::TRUSTED_EMAIL,
trusted & nsIX509Cert::TRUSTED_OBJSIGN);
trust.AddCATrust(trusted & nsIX509CertDB::TRUSTED_SSL,
trusted & nsIX509CertDB::TRUSTED_EMAIL,
trusted & nsIX509CertDB::TRUSTED_OBJSIGN);
break;
default:
return NS_ERROR_NOT_IMPLEMENTED;
@ -1134,9 +1137,9 @@ nsNSSCertificateDB::SetCertTrust(nsIX509Cert *cert,
////// end of kluge
// always start with untrusted and move up
trust.SetValidCA();
trust.AddCATrust(trusted & nsIX509Cert::TRUSTED_SSL,
trusted & nsIX509Cert::TRUSTED_EMAIL,
trusted & nsIX509Cert::TRUSTED_OBJSIGN);
trust.AddCATrust(trusted & nsIX509CertDB::TRUSTED_SSL,
trusted & nsIX509CertDB::TRUSTED_EMAIL,
trusted & nsIX509CertDB::TRUSTED_OBJSIGN);
srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(),
nsscert,
trust.GetTrust());
@ -1166,11 +1169,11 @@ nsNSSCertificateDB::GetCertTrust(nsIX509Cert *cert,
CERTCertTrust nsstrust;
srv = CERT_GetCertTrust(nsscert, &nsstrust);
nsNSSCertTrust trust(&nsstrust);
if (trustType & nsIX509Cert::TRUSTED_SSL) {
if (trustType & nsIX509CertDB::TRUSTED_SSL) {
*_isTrusted = trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE);
} else if (trustType & nsIX509Cert::TRUSTED_EMAIL) {
} else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) {
*_isTrusted = trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE);
} else if (trustType & nsIX509Cert::TRUSTED_OBJSIGN) {
} else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) {
*_isTrusted = trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE);
} else {
return NS_ERROR_FAILURE;
@ -1226,26 +1229,41 @@ nsNSSCertificateDB::ExportPKCS12File(nsIPK11Token *aToken,
void
nsNSSCertificateDB::getCertNames(CERTCertList *certList,
PRUint32 type,
nsString& nameList)
PRUint32 *_count,
PRUnichar ***_certNames)
{
CERTCertListNode *node;
PRUint32 numcerts = 0, i=0;
PRUnichar **tmpArray = NULL;
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("List of certs %d:\n", type));
for (node = CERT_LIST_HEAD(certList);
!CERT_LIST_END(node, certList);
node = CERT_LIST_NEXT(node)) {
if (getCertType(node->cert) == type) {
nameList.AppendWithConversion(DELIM);
if (type == nsIX509Cert::EMAIL_CERT) {
nameList.AppendWithConversion(node->cert->emailAddr);
} else {
nameList.AppendWithConversion(node->cert->nickname);
}
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("%s\n", node->cert->nickname));
numcerts++;
}
if (type == nsIX509Cert::USER_CERT)
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("%s\n", node->cert->nickname));
}
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("num certs: %d\n", numcerts));
int nc = (numcerts == 0) ? 1 : numcerts;
tmpArray = (PRUnichar **)nsMemory::Alloc(sizeof(PRUnichar *) * nc);
if (numcerts == 0) goto finish;
for (node = CERT_LIST_HEAD(certList);
!CERT_LIST_END(node, certList);
node = CERT_LIST_NEXT(node)) {
if (getCertType(node->cert) == type) {
if (type == nsIX509Cert::EMAIL_CERT) {
nsAutoString certname = NS_ConvertASCIItoUCS2(node->cert->emailAddr);
tmpArray[i++] = certname.ToNewUnicode();
} else {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("cert [%d]<%s>\n", i,node->cert->nickname));
nsAutoString certname = NS_ConvertASCIItoUCS2(node->cert->nickname);
tmpArray[i++] = certname.ToNewUnicode();
}
}
}
finish:
*_count = numcerts;
*_certNames = tmpArray;
}
/* somewhat follows logic of cert_list_include_cert from PSM 1.x */

View File

@ -76,7 +76,8 @@ private:
void getCertNames(CERTCertList *certList,
PRUint32 type,
nsString& nameList);
PRUint32 *_count,
PRUnichar ***_certNameList);
PRUint32 getCertType(CERTCertificate *cert);