advisor.c

来自「支持SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS」· C语言 代码 · 共 2,020 行 · 第 1/5 页

				if (!serverCN) {
					goto loser;
				}
#if 0
				/* Create resource for the server cert */
				rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE,
									socketStatusRes->m_cert,
									SSMRESOURCE(res)->m_connection,
									(long *) &serverCertResID,
									(SSMResource**)&serverCertRes);
				if (rv != PR_SUCCESS) {
					goto loser;
				}
#else 
                serverCertRes = socketStatusRes->m_cert;
                serverCertResID = serverCertRes->super.m_id;
#endif
				if (socketStatusRes->m_level == SSL_SECURITY_STATUS_ON_HIGH) {
					SSM_GetUTF8Text(cx, "high_grade_encryption", &encryption_level);
				} else {
					SSM_GetUTF8Text(cx, "low_grade_encryption", &encryption_level);
				}
                                PR_FREEIF(cx->m_result);
				cx->m_result = PR_smprintf(fmt, res->hostname, issuerName, target->m_id, serverCertResID,
											encryption_level, socketStatusRes->m_cipherName,
											socketStatusRes->m_secretKeySize);
				PR_Free(fmt);
				PR_Free(issuerName);
				PR_Free(serverCN);
				PR_Free(encryption_level);
                SSM_FreeResource(&socketStatusRes->super);
				return SSM_SUCCESS;
			} else if(socketStatusRes->m_error == SEC_ERROR_UNTRUSTED_ISSUER) {
				rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_navigator_ssl_bad_issuer", &fmt);
				if (rv != SSM_SUCCESS) {
					goto loser;
				}

				/* Get the common name of the issuer */
				issuerName = CERT_NameToAscii(&socketStatusRes->m_cert->cert->issuer);
				if (!issuerName) {
					goto loser;
				}

				/* Get the common name of the server cert */
				serverCN = CERT_GetCommonName(&socketStatusRes->m_cert->cert->subject);
				if (!serverCN) {
					goto loser;
				}
#if 0
				/* Create resource for the server cert */
				rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE,
									socketStatusRes->m_cert,
									SSMRESOURCE(res)->m_connection,
									(long *) &serverCertResID,
									(SSMResource**)&serverCertRes);
				if (rv != PR_SUCCESS) {
					goto loser;
				}
#else 
                serverCertRes = socketStatusRes->m_cert;
                serverCertResID = serverCertRes->super.m_id;
#endif

				/* Create a resource for the issuer cert (if it exists) */
				issuerCert = CERT_FindCertIssuer(socketStatusRes->m_cert->cert,
                                                 PR_Now(), certUsageAnyCA);
				if (issuerCert) {
					/* Create resource for the issuer cert */
					rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE,
										issuerCert,
										SSMRESOURCE(res)->m_connection,
										(long *) &issuerCertResID,
										(SSMResource**)&issuerCertRes);
					if (rv != PR_SUCCESS) {
						goto loser;
					}
				} else {
					issuerCertResID = 0;
				}

				if (socketStatusRes->m_level == SSL_SECURITY_STATUS_ON_HIGH) {
					SSM_GetUTF8Text(cx, "high_grade_encryption", &encryption_level);
				} else {
					SSM_GetUTF8Text(cx, "low_grade_encryption", &encryption_level);
				}
                                PR_FREEIF(cx->m_result);
				cx->m_result = PR_smprintf(fmt, res->hostname, issuerName, target->m_id, serverCertResID,
											issuerCertResID, encryption_level, socketStatusRes->m_cipherName,
											socketStatusRes->m_secretKeySize);
				PR_Free(fmt);
				PR_Free(issuerName);
				PR_Free(serverCN);
				PR_Free(encryption_level);
                SSM_FreeResource(&socketStatusRes->super);
				return SSM_SUCCESS;
			} else if (socketStatusRes->m_error == SSL_ERROR_BAD_CERT_DOMAIN) {
					rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_navigator_ssl_bad_cert_domain", &fmt);
					if (rv != SSM_SUCCESS) {
						goto loser;
					}

					/* Get the common name of the server cert */
					serverCN = CERT_GetCommonName(&socketStatusRes->m_cert->cert->subject);
					if (!serverCN) {
						goto loser;
					}

					if (socketStatusRes->m_level == SSL_SECURITY_STATUS_ON_HIGH) {
						SSM_GetUTF8Text(cx, "high_grade_encryption", &encryption_level);
					} else {
						SSM_GetUTF8Text(cx, "low_grade_encryption", &encryption_level);
					}
                    PR_FREEIF(cx->m_result);
					cx->m_result = PR_smprintf(fmt, res->hostname, serverCN, encryption_level, socketStatusRes->m_cipherName,
												socketStatusRes->m_secretKeySize);

					PR_Free(fmt);
					PR_Free(serverCN);
					PR_Free(encryption_level);
                    SSM_FreeResource(&socketStatusRes->super);
					return SSM_SUCCESS;
			} else {
				rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_navigator_ssl_unknown_error", &fmt);
				if (rv != SSM_SUCCESS) {
					goto loser;
				}
#if 0
				/* Create resource for the server cert */
				rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE,
									socketStatusRes->m_cert,
									SSMRESOURCE(res)->m_connection,
									(long *) &serverCertResID,
									(SSMResource**)&serverCertRes);
				if (rv != PR_SUCCESS) {
					goto loser;
				}
#else
                serverCertRes = socketStatusRes->m_cert;
                serverCertResID = serverCertRes->super.m_id;
#endif

				if (socketStatusRes->m_level == SSL_SECURITY_STATUS_ON_HIGH) {
					SSM_GetUTF8Text(cx, "high_grade_encryption", &encryption_level);
				} else {
					SSM_GetUTF8Text(cx, "low_grade_encryption", &encryption_level);
				}
                PR_FREEIF(cx->m_result);
				cx->m_result = PR_smprintf(fmt, res->hostname, target->m_id, serverCertResID, encryption_level, socketStatusRes->m_cipherName,
											socketStatusRes->m_secretKeySize);
				PR_Free(fmt);
                SSM_FreeResource(&socketStatusRes->super);
				return SSM_SUCCESS;
			}
		}
	}
loser:
	PR_FREEIF(fmt);
	PR_FREEIF(serverCN);
	PR_FREEIF(issuerName);
    if (socketStatusRes) {
        SSM_FreeResource(&socketStatusRes->super);
    }
	return SSM_FAILURE;
}

static CERTCertificate * get_signer_cert(SSMSecurityAdvisorContext *res)
{
	CERTCertificate * cert = NULL;

	/* Get the signing cert */
	if (res->signedP7CInfoRes ||
		res->encryptedP7CInfoRes) {
		SEC_PKCS7SignerInfo **signerinfos;
		SEC_PKCS7ContentInfo *ci = res->signedP7CInfoRes->m_cinfo;
		if (!ci) ci = res->encryptedP7CInfoRes->m_cinfo;

		/* Finding the signers cert */
		switch(ci->contentTypeTag->offset) {
			default:
			case SEC_OID_PKCS7_DATA:
			case SEC_OID_PKCS7_DIGESTED_DATA:
			case SEC_OID_PKCS7_ENVELOPED_DATA:
			case SEC_OID_PKCS7_ENCRYPTED_DATA:
			/* Could only get here if SEC_PKCS7ContentIsSigned
			* is broken. */
			{
				PORT_Assert (0);
				cert=NULL;
			}
			break;
			case SEC_OID_PKCS7_SIGNED_DATA:
			{
				SEC_PKCS7SignedData *sdp;
				sdp = ci->content.signedData;
				signerinfos = sdp->signerInfos;
				cert = signerinfos[0]->cert;
			}
			break;
			case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
			{
				SEC_PKCS7SignedAndEnvelopedData *saedp;
				saedp = ci->content.signedAndEnvelopedData;
				signerinfos = saedp->signerInfos;
				cert = signerinfos[0]->cert;
			}
			break;
		} /* finding the signer cert */
	}
	return cert;
}

char*
SSM_GetOCSPURL(CERTCertificate *cert, PrefSet *prefs)
{
    SSMStatus rv;
    PRBool boolval = PR_FALSE;
    char *responderURL = NULL;

    /* Is there a default responder installed */
    rv = PREF_GetBoolPref(prefs, "security.OCSP.useDefaultResponder", &boolval);
    if (boolval) {
        PREF_CopyStringPref(prefs, "security.OCSP.URL", &responderURL);
    } else {
	responderURL = CERT_GetOCSPAuthorityInfoAccessLocation(cert);
    }
    return responderURL;
}

static CERTCertificate * get_encryption_cert(SSMSecurityAdvisorContext *res)
{
	return NULL;
}

static char *
sa_get_algorithm_string(SEC_PKCS7ContentInfo *cinfo)
{
	SECAlgorithmID *algid;
	SECOidTag algtag;
	const char *alg_name;
	int key_size;
	if (!cinfo) return 0;
	algid = SEC_PKCS7GetEncryptionAlgorithm(cinfo);
	if (!algid) return 0;
	algtag = SECOID_GetAlgorithmTag(algid);
	alg_name = SECOID_FindOIDTagDescription(algtag);

	key_size = SEC_PKCS7GetKeyLength(cinfo);

	if (!alg_name || !*alg_name)
		return 0;
	else if (key_size > 0)
		return PR_smprintf("%d-bits %s",
			       key_size, alg_name);
	else
		return PL_strdup(alg_name);
}

PRBool
SSM_IsOCSPEnabled(SSMControlConnection *connection) 
{
    SSMStatus rv;
    PRBool isOCSPEnabled = PR_FALSE;

    rv = PREF_GetBoolPref(connection->m_prefs, "security.OCSP.enabled",
                          &isOCSPEnabled);
    return (rv == SSM_SUCCESS) ? isOCSPEnabled : PR_FALSE; 
}

char *
SSM_GetGenericOCSPWarning(SSMControlConnection *ctrl,
                          CERTCertificate *cert)
{
    char *retString = NULL;
    char *responderURL = NULL;
    SSMTextGenContext *cx = NULL;
    SSMStatus rv;

    retString = PL_strdup("");
    if (SSM_IsOCSPEnabled(ctrl)) {
        responderURL = SSM_GetOCSPURL(cert, ctrl->m_prefs);
        if (responderURL == NULL) {
            goto done;
        }
        rv = SSMTextGen_NewTopLevelContext(NULL, &cx);
        if (rv != SSM_SUCCESS) {
            goto done;
        }
        SSM_GetAndExpandTextKeyedByString(cx, "ocsp_fail_message_generic",
                                          &retString);
    } 
 done:
    PR_FREEIF(responderURL);
    if (cx) {
        SSMTextGen_DestroyContext(cx);
    }
    return retString;
}

SSMStatus sa_message(SSMTextGenContext *cx)
{
    SSMStatus rv = SSM_SUCCESS;
    SSMResource *target = NULL;
    SSMSecurityAdvisorContext* res = NULL;
	char *fmt = NULL, *fmtSigned = NULL, *fmtEncrypted = NULL;
    char *genericOCSPWarning = NULL;

    /* get the connection object */
    target = SSMTextGen_GetTargetObject(cx);
    PR_ASSERT(target != NULL);
    res = (SSMSecurityAdvisorContext*)target;

	/* Deal with the signed part first */
	if (!res->signed_b) {
		rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_message_not_signed", &fmtSigned);
		if (rv != SSM_SUCCESS) {
			goto loser;
		}
	} else {
		if (res->verifyError == 0) {
			char *signer_email;
			CERTCertificate *signerCert = NULL;
			SSMResourceCert *signerCertRes = NULL;
			int signerCertResID;

			rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_message_signed", &fmt);
			if (rv != SSM_SUCCESS) {
				goto loser;
			}

			signerCert = get_signer_cert(res);
			if (!signerCert) {
				goto loser;
			}

			/* Get the signers email address */
			if (res->signedP7CInfoRes) {
				signer_email = SEC_PKCS7GetSignerEmailAddress(res->signedP7CInfoRes->m_cinfo);
			}

			if (!signer_email && res->encryptedP7CInfoRes) {
				signer_email = SEC_PKCS7GetSignerEmailAddress(res->encryptedP7CInfoRes->m_cinfo);
			}

			/* Create a cert resource for this certificate */
		    rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE,
			                        signerCert,
				                    SSMRESOURCE(res)->m_connection,
					                (long *) &signerCertResID,
						            (SSMResource**)&signerCertRes);
			if (rv != PR_SUCCESS) {
	            goto loser;
		    }

			fmtSigned = PR_smprintf(fmt, signer_email, target->m_id, signerCertResID);
			PR_Free(fmt);
		} else {
            CERTCertificate *signerCert;

            /* Get the signing certificate */
            signerCert = get_signer_cert(res);
            if (!signerCert) {
                goto loser;
            }

            genericOCSPWarning = 
                SSM_GetGenericOCSPWarning(target->m_connection,
                                          signerCert);
			switch(res->verifyError) {
				case SEC_ERROR_PKCS7_BAD_SIGNATURE:
					{
						rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_message_signed_bad_signature", &fmt);
						if (rv != SSM_SUCCESS) {
							goto loser;
						}
                        fmtSigned = PR_smprintf(fmt, genericOCSPWarning);
                        PR_FREEIF(fmt);
					}
					break;

				/* This case handles both expired and not yet valid certs */
				case SEC_ERROR_EXPIRED_CERTIFICATE:
					{
						rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_message_signed_expired_signing_cert", &fmt);
						if (rv != SSM_SUCCESS) {
							goto loser;
						}
                        fmtSigned = PR_smprintf(fmt, genericOCSPWarning);
                        PR_FREEIF(fmt);
					}
					break;

				case SEC_ERROR_REVOKED_CERTIFICATE:
					{
						rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_message_signed_revoked_signing_cert", &fmt);
						if (rv != SSM_SUCCESS) {
							goto loser;
						}
                        fmtSigned = PR_smprintf(fmt, genericOCSPWarning);
                        PR_FREEIF(fmt);
					}
					break;

				case SEC_ERROR_UNKNOWN_IS