gecko-dev/security/manager/ssl/nsNSSCertTrust.cpp

319 lines
8.5 KiB
C++

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsNSSCertTrust.h"
void
nsNSSCertTrust::AddCATrust(bool ssl, bool email, bool objSign)
{
if (ssl) {
addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
}
if (email) {
addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
}
if (objSign) {
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
}
}
void
nsNSSCertTrust::AddPeerTrust(bool ssl, bool email, bool objSign)
{
if (ssl)
addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
if (email)
addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
if (objSign)
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
}
nsNSSCertTrust::nsNSSCertTrust()
{
memset(&mTrust, 0, sizeof(CERTCertTrust));
}
nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl,
unsigned int email,
unsigned int objsign)
{
memset(&mTrust, 0, sizeof(CERTCertTrust));
addTrust(&mTrust.sslFlags, ssl);
addTrust(&mTrust.emailFlags, email);
addTrust(&mTrust.objectSigningFlags, objsign);
}
nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust *t)
{
if (t)
memcpy(&mTrust, t, sizeof(CERTCertTrust));
else
memset(&mTrust, 0, sizeof(CERTCertTrust));
}
nsNSSCertTrust::~nsNSSCertTrust()
{
}
void
nsNSSCertTrust::SetSSLTrust(bool peer, bool tPeer,
bool ca, bool tCA, bool tClientCA,
bool user, bool warn)
{
mTrust.sslFlags = 0;
if (peer || tPeer)
addTrust(&mTrust.sslFlags, CERTDB_TERMINAL_RECORD);
if (tPeer)
addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
if (ca || tCA)
addTrust(&mTrust.sslFlags, CERTDB_VALID_CA);
if (tClientCA)
addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
if (tCA)
addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
if (user)
addTrust(&mTrust.sslFlags, CERTDB_USER);
if (warn)
addTrust(&mTrust.sslFlags, CERTDB_SEND_WARN);
}
void
nsNSSCertTrust::SetEmailTrust(bool peer, bool tPeer,
bool ca, bool tCA, bool tClientCA,
bool user, bool warn)
{
mTrust.emailFlags = 0;
if (peer || tPeer)
addTrust(&mTrust.emailFlags, CERTDB_TERMINAL_RECORD);
if (tPeer)
addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
if (ca || tCA)
addTrust(&mTrust.emailFlags, CERTDB_VALID_CA);
if (tClientCA)
addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
if (tCA)
addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
if (user)
addTrust(&mTrust.emailFlags, CERTDB_USER);
if (warn)
addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN);
}
void
nsNSSCertTrust::SetObjSignTrust(bool peer, bool tPeer,
bool ca, bool tCA, bool tClientCA,
bool user, bool warn)
{
mTrust.objectSigningFlags = 0;
if (peer || tPeer)
addTrust(&mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD);
if (tPeer)
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
if (ca || tCA)
addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_CA);
if (tClientCA)
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
if (tCA)
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
if (user)
addTrust(&mTrust.objectSigningFlags, CERTDB_USER);
if (warn)
addTrust(&mTrust.objectSigningFlags, CERTDB_SEND_WARN);
}
void
nsNSSCertTrust::SetValidCA()
{
SetSSLTrust(false, false,
true, false, false,
false, false);
SetEmailTrust(false, false,
true, false, false,
false, false);
SetObjSignTrust(false, false,
true, false, false,
false, false);
}
void
nsNSSCertTrust::SetTrustedServerCA()
{
SetSSLTrust(false, false,
true, true, false,
false, false);
SetEmailTrust(false, false,
true, true, false,
false, false);
SetObjSignTrust(false, false,
true, true, false,
false, false);
}
void
nsNSSCertTrust::SetTrustedCA()
{
SetSSLTrust(false, false,
true, true, true,
false, false);
SetEmailTrust(false, false,
true, true, true,
false, false);
SetObjSignTrust(false, false,
true, true, true,
false, false);
}
void
nsNSSCertTrust::SetValidPeer()
{
SetSSLTrust(true, false,
false, false, false,
false, false);
SetEmailTrust(true, false,
false, false, false,
false, false);
SetObjSignTrust(true, false,
false, false, false,
false, false);
}
void
nsNSSCertTrust::SetTrustedPeer()
{
SetSSLTrust(true, true,
false, false, false,
false, false);
SetEmailTrust(true, true,
false, false, false,
false, false);
SetObjSignTrust(true, true,
false, false, false,
false, false);
}
void
nsNSSCertTrust::SetUser()
{
SetSSLTrust(false, false,
false, false, false,
true, false);
SetEmailTrust(false, false,
false, false, false,
true, false);
SetObjSignTrust(false, false,
false, false, false,
true, false);
}
bool
nsNSSCertTrust::HasAnyCA()
{
if (hasTrust(mTrust.sslFlags, CERTDB_VALID_CA) ||
hasTrust(mTrust.emailFlags, CERTDB_VALID_CA) ||
hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
return true;
return false;
}
bool
nsNSSCertTrust::HasCA(bool checkSSL,
bool checkEmail,
bool checkObjSign)
{
if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_VALID_CA))
return false;
if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_VALID_CA))
return false;
if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
return false;
return true;
}
bool
nsNSSCertTrust::HasPeer(bool checkSSL,
bool checkEmail,
bool checkObjSign)
{
if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_TERMINAL_RECORD))
return false;
if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_TERMINAL_RECORD))
return false;
if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD))
return false;
return true;
}
bool
nsNSSCertTrust::HasAnyUser()
{
if (hasTrust(mTrust.sslFlags, CERTDB_USER) ||
hasTrust(mTrust.emailFlags, CERTDB_USER) ||
hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
return true;
return false;
}
bool
nsNSSCertTrust::HasUser(bool checkSSL,
bool checkEmail,
bool checkObjSign)
{
if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_USER))
return false;
if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_USER))
return false;
if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
return false;
return true;
}
bool
nsNSSCertTrust::HasTrustedCA(bool checkSSL,
bool checkEmail,
bool checkObjSign)
{
if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) ||
hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA)))
return false;
if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) ||
hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA)))
return false;
if (checkObjSign &&
!(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CA) ||
hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA)))
return false;
return true;
}
bool
nsNSSCertTrust::HasTrustedPeer(bool checkSSL,
bool checkEmail,
bool checkObjSign)
{
if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED)))
return false;
if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED)))
return false;
if (checkObjSign &&
!(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED)))
return false;
return true;
}
void
nsNSSCertTrust::addTrust(unsigned int *t, unsigned int v)
{
*t |= v;
}
bool
nsNSSCertTrust::hasTrust(unsigned int t, unsigned int v)
{
return !!(t & v);
}