📄 advisor.c
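/*
 * Format a Security Advisor context for text generation.
 *
 * NOTE(review): the return type of this definition lies before the start of
 * the visible excerpt; the body returns PR_SUCCESS/PR_FAILURE and the status
 * of SSMResource_Print(). The code of this function is left as found.
 *
 * res        resource to print; must be of kind SSM_RESTYPE_SECADVISOR_CONTEXT,
 *            otherwise PR_FAILURE is returned.
 * fmt        printf-style template handed to PR_smprintf().
 * numParam   only forwarded to SSMResource_Print().
 * value      extra parameters; value[0] is read when a nickname is set.
 * resultStr  receives the formatted string produced by PR_smprintf().
 *
 * NOTE(review): PR_ASSERT is normally compiled out of release builds, so the
 * NULL checks on fmt/resultStr are debug-only, and *value is dereferenced
 * without checking value or numParam. Callers presumably always pass at least
 * one value - confirm. fmt is used as a format string and must only ever
 * come from trusted templates, never from peer- or user-controlled data.
 */
SSMSecurityAdvisorContext_Print(SSMResource *res, char *fmt, PRIntn numParam, char **value, char **resultStr)
{
    SSMSecurityAdvisorContext *cx = (SSMSecurityAdvisorContext*)res;
    SSMStatus rv;

    PR_ASSERT(fmt != NULL && resultStr != NULL);
    if (!SSM_IsAKindOf(res, SSM_RESTYPE_SECADVISOR_CONTEXT)) {
        return PR_FAILURE;
    }
    /* We don't use the extra parameters */
    if (cx->m_nickname != NULL) {
        *resultStr = PR_smprintf(fmt, res->m_id, "backup", cx->m_nickname, *value);
        rv = (*resultStr == NULL) ? PR_FAILURE : PR_SUCCESS;
    } else {
        rv = SSMResource_Print(res, fmt, numParam, value, resultStr);
    }
    return rv;
}

/*
 * Choose the Security Advisor page for the current info context and, for
 * mail/news messages, resolve the PKCS#7 content-info resources and derive
 * the encrypted_b / signed_b flags.
 *
 * Returns the status of the last resource lookup (SSM_SUCCESS when none was
 * needed), or SSM_FAILURE when a referenced content-info resource cannot be
 * obtained.
 *
 * Security note: encrypted_b and signed_b mean "the message is (or claims to
 * be) encrypted/signed". They are also set when decodeError / verifyError is
 * non-zero, so they must not be read as "decryption succeeded" or "signature
 * verified"; the error fields carry that information.
 */
SSMStatus SSM_SetSelectedItemInfo(SSMSecurityAdvisorContext* cx)
{
    SSMStatus rv = SSM_SUCCESS;

    switch (cx->infoContext) {
    case SSM_NOINFO:
        cx->selectedItemPage = SSM_NO_INFO;
        break;
    case SSM_COMPOSE:
        /* selectedItemPage is deliberately left untouched here */
        break;
    case SSM_SNEWS_MESSAGE:
    case SSM_NEWS_MESSAGE:
    case SSM_MAIL_MESSAGE:
        cx->selectedItemPage = SSM_MESSAGE;
        if (cx->encryptedP7CInfo) {
            /* Get the P7 Content info resource */
            rv = SSMControlConnection_GetResource(SSMRESOURCE(cx)->m_connection,
                                                  (SSMResourceID)cx->encryptedP7CInfo,
                                                  (SSMResource**)&cx->encryptedP7CInfoRes);
            if ((rv != PR_SUCCESS) || (cx->encryptedP7CInfoRes == NULL)) {
                goto loser;
            }
        }
        if (cx->signedP7CInfo) {
            /* Get the P7 Content info resource */
            rv = SSMControlConnection_GetResource(SSMRESOURCE(cx)->m_connection,
                                                  (SSMResourceID)cx->signedP7CInfo,
                                                  (SSMResource**)&cx->signedP7CInfoRes);
            if ((rv != PR_SUCCESS) || (cx->signedP7CInfoRes == NULL)) {
                goto loser;
            }
        }
        if (!cx->encryptedP7CInfo && !cx->signedP7CInfo &&
            cx->verifyError && !cx->decodeError) {
            /* Somehow we have the error code backwards */
            cx->decodeError = cx->verifyError;
            cx->verifyError = 0;
        }
        /*
         * The *Res pointers are only dereferenced when the matching resource
         * ID is non-zero, i.e. after the lookups above succeeded.
         */
        cx->encrypted_b = (cx->decodeError ||
                           (cx->encryptedP7CInfo &&
                            SEC_PKCS7ContentIsEncrypted(cx->encryptedP7CInfoRes->m_cinfo)) ||
                           (cx->signedP7CInfo &&
                            SEC_PKCS7ContentIsEncrypted(cx->signedP7CInfoRes->m_cinfo)));
        cx->signed_b = (cx->verifyError ||
                        (cx->encryptedP7CInfo &&
                         SEC_PKCS7ContentIsSigned(cx->encryptedP7CInfoRes->m_cinfo)) ||
                        (cx->signedP7CInfo &&
                         SEC_PKCS7ContentIsSigned(cx->signedP7CInfoRes->m_cinfo)));
        break;
    case SSM_BROWSER:
        if (cx->resID == 0) {
            cx->selectedItemPage = SSM_BROWSER_NO_SEC;
        } else {
            cx->selectedItemPage = SSM_BROWSER_SSL;
        }
        break;
    default:
        cx->selectedItemPage = SSM_NO_INFO;
        break;
    }
    return rv;
loser:
    return SSM_FAILURE;
}

/*
 * Text-generation handler for the "no information" page: replaces
 * cx->m_result with the expanded "sa_noinfo" text.
 *
 * Returns SSM_SUCCESS, or SSM_FAILURE when the text cannot be expanded (in
 * which case cx->m_result is left unchanged).
 */
SSMStatus sa_noinfo(SSMTextGenContext *cx)
{
    SSMStatus rv = SSM_SUCCESS;
    SSMResource *target = NULL;
    char *fmt = NULL;

    /* get the connection object */
    target = SSMTextGen_GetTargetObject(cx);
    PR_ASSERT(target != NULL);

    rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_noinfo", &fmt);
    if (rv != SSM_SUCCESS) {
        return SSM_FAILURE;
    }
    /* ownership of the expanded text moves to the context */
    PR_FREEIF(cx->m_result);
    cx->m_result = fmt;
    return SSM_SUCCESS;
}

/* Look up the localized "high"/"low" grade encryption label for a socket status. */
static void
sa_browser_get_encryption_level(SSMTextGenContext *cx,
                                SSMSSLSocketStatus *socketStatusRes,
                                char **encryption_level)
{
    /* As in the original code, the lookup status is not checked. */
    if (socketStatusRes->m_level == SSL_SECURITY_STATUS_ON_HIGH) {
        SSM_GetUTF8Text(cx, "high_grade_encryption", encryption_level);
    } else {
        SSM_GetUTF8Text(cx, "low_grade_encryption", encryption_level);
    }
}

/*
 * Text-generation handler for the browser page of the Security Advisor.
 *
 * Picks a text template according to the SSL status of the connection
 * (no security, secure, or one of several certificate errors), fills it in
 * and stores the result in cx->m_result.
 *
 * Returns SSM_SUCCESS when cx->m_result was produced, SSM_FAILURE otherwise.
 *
 * Changes against the original:
 *  - every path leaves through one cleanup block, so the encryption-level
 *    string is no longer leaked on the "unknown error" path and no
 *    possibly-NULL pointer is handed to PR_Free();
 *  - a NULL result from PR_smprintf() is reported as SSM_FAILURE instead of
 *    SSM_SUCCESS with an empty result.
 *
 * NOTE(review): res->hostname and the certificate-derived strings
 * (issuerName, serverCN) are controlled by the remote peer and are
 * interpolated verbatim. If the expanded template is rendered as markup,
 * confirm that escaping happens downstream.
 * NOTE(review): socketStatusRes->m_cert is used without a NULL check; confirm
 * that a socket status resource always carries a certificate, including on
 * the error paths.
 */
SSMStatus sa_browser(SSMTextGenContext *cx)
{
    SSMStatus rv = SSM_SUCCESS;
    SSMStatus result = SSM_FAILURE;
    SSMResource *target = NULL;
    SSMSecurityAdvisorContext* res = NULL;
    char *fmt = NULL;
    SSMSSLSocketStatus *socketStatusRes = NULL;
    char * encryption_level = NULL;
    char * serverCN = NULL;
    char * issuerName = NULL;
    CERTCertificate *issuerCert = NULL;
    SSMResourceCert *serverCertRes = NULL, *issuerCertRes = NULL;
    /*
     * NOTE(review): these are int but are passed below as (long *). If
     * SSM_CreateResource() stores a full long through that pointer, this
     * overruns the variable where long is wider than int. Confirm the
     * parameter type and align the declaration with it (together with the
     * conversion specifiers in the text templates).
     */
    int serverCertResID = 0, issuerCertResID = 0;

    /* get the connection object */
    target = SSMTextGen_GetTargetObject(cx);
    PR_ASSERT(target != NULL);
    res = (SSMSecurityAdvisorContext*)target;

    if (res->resID == 0) {
        /* No SSL socket status: plain, unsecured connection */
        rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_browser_no_sec", &fmt);
        if (rv != SSM_SUCCESS) {
            goto done;
        }
        PR_FREEIF(cx->m_result);
        cx->m_result = PR_smprintf(fmt, res->hostname, res->hostname);
        goto formatted;
    }

    /* Get the socket status resource */
    rv = SSMControlConnection_GetResource(SSMRESOURCE(res)->m_connection,
                                          (SSMResourceID)res->resID,
                                          (SSMResource**)&socketStatusRes);
    if ((rv != PR_SUCCESS) || (socketStatusRes == NULL)) {
        goto done;
    }

    /* Do we have an error */
    if (!socketStatusRes->m_error) {
        rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_browser_ssl", &fmt);
        if (rv != SSM_SUCCESS) {
            goto done;
        }
        /* Create a resource for this cert */
        rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE, socketStatusRes->m_cert,
                                SSMRESOURCE(res)->m_connection,
                                (long *) &serverCertResID,
                                (SSMResource**)&serverCertRes);
        if (rv != PR_SUCCESS) {
            goto done;
        }
        /* Unlike the error paths, a NULL issuer name is not treated as fatal here */
        issuerName = CERT_NameToAscii(&socketStatusRes->m_cert->issuer);
        sa_browser_get_encryption_level(cx, socketStatusRes, &encryption_level);
        PR_FREEIF(cx->m_result);
        cx->m_result = PR_smprintf(fmt, res->hostname, issuerName, target->m_id,
                                   serverCertResID, encryption_level,
                                   socketStatusRes->m_cipherName,
                                   socketStatusRes->m_secretKeySize);
    } else if (socketStatusRes->m_error == SEC_ERROR_UNKNOWN_ISSUER ||
               socketStatusRes->m_error == SEC_ERROR_CA_CERT_INVALID) {
        rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_browser_ssl_unknown_issuer", &fmt);
        if (rv != SSM_SUCCESS) {
            goto done;
        }
        /* Get the name of the issuer */
        issuerName = CERT_NameToAscii(&socketStatusRes->m_cert->issuer);
        if (!issuerName) {
            goto done;
        }
        /* Get the common name of the server cert (required, but not printed) */
        serverCN = CERT_GetCommonName(&socketStatusRes->m_cert->subject);
        if (!serverCN) {
            goto done;
        }
        /* Create resource for the server cert */
        rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE, socketStatusRes->m_cert,
                                SSMRESOURCE(res)->m_connection,
                                (long *) &serverCertResID,
                                (SSMResource**)&serverCertRes);
        if (rv != PR_SUCCESS) {
            goto done;
        }
        sa_browser_get_encryption_level(cx, socketStatusRes, &encryption_level);
        PR_FREEIF(cx->m_result);
        cx->m_result = PR_smprintf(fmt, res->hostname, issuerName, target->m_id,
                                   serverCertResID, encryption_level,
                                   socketStatusRes->m_cipherName,
                                   socketStatusRes->m_secretKeySize);
    } else if (socketStatusRes->m_error == SEC_ERROR_UNTRUSTED_ISSUER) {
        rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_browser_ssl_bad_issuer", &fmt);
        if (rv != SSM_SUCCESS) {
            goto done;
        }
        /* Get the name of the issuer */
        issuerName = CERT_NameToAscii(&socketStatusRes->m_cert->issuer);
        if (!issuerName) {
            goto done;
        }
        /* Get the common name of the server cert (required, but not printed) */
        serverCN = CERT_GetCommonName(&socketStatusRes->m_cert->subject);
        if (!serverCN) {
            goto done;
        }
        /* Create resource for the server cert */
        rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE, socketStatusRes->m_cert,
                                SSMRESOURCE(res)->m_connection,
                                (long *) &serverCertResID,
                                (SSMResource**)&serverCertRes);
        if (rv != PR_SUCCESS) {
            goto done;
        }
        /*
         * Create a resource for the issuer cert (if it exists).
         * NOTE(review): issuerCert is never released in this function. Confirm
         * whether SSM_CreateResource() takes over the reference; if it does
         * not, the reference is leaked on success and on failure.
         */
        issuerCert = CERT_FindCertIssuer(socketStatusRes->m_cert, PR_Now(), certUsageAnyCA);
        if (issuerCert) {
            /* Create resource for the issuer cert */
            rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE, issuerCert,
                                    SSMRESOURCE(res)->m_connection,
                                    (long *) &issuerCertResID,
                                    (SSMResource**)&issuerCertRes);
            if (rv != PR_SUCCESS) {
                goto done;
            }
        } else {
            issuerCertResID = 0;
        }
        sa_browser_get_encryption_level(cx, socketStatusRes, &encryption_level);
        PR_FREEIF(cx->m_result);
        cx->m_result = PR_smprintf(fmt, res->hostname, issuerName, target->m_id,
                                   serverCertResID, issuerCertResID, encryption_level,
                                   socketStatusRes->m_cipherName,
                                   socketStatusRes->m_secretKeySize);
    } else if (socketStatusRes->m_error == SSL_ERROR_BAD_CERT_DOMAIN) {
        rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_browser_ssl_bad_cert_domain", &fmt);
        if (rv != SSM_SUCCESS) {
            goto done;
        }
        /* Get the common name of the server cert */
        serverCN = CERT_GetCommonName(&socketStatusRes->m_cert->subject);
        if (!serverCN) {
            goto done;
        }
        sa_browser_get_encryption_level(cx, socketStatusRes, &encryption_level);
        PR_FREEIF(cx->m_result);
        cx->m_result = PR_smprintf(fmt, res->hostname, serverCN, encryption_level,
                                   socketStatusRes->m_cipherName,
                                   socketStatusRes->m_secretKeySize);
    } else {
        rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_browser_ssl_unknown_error", &fmt);
        if (rv != SSM_SUCCESS) {
            goto done;
        }
        /* Create resource for the server cert */
        rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE, socketStatusRes->m_cert,
                                SSMRESOURCE(res)->m_connection,
                                (long *) &serverCertResID,
                                (SSMResource**)&serverCertRes);
        if (rv != PR_SUCCESS) {
            goto done;
        }
        sa_browser_get_encryption_level(cx, socketStatusRes, &encryption_level);
        PR_FREEIF(cx->m_result);
        cx->m_result = PR_smprintf(fmt, res->hostname, target->m_id,
                                   serverCertResID, encryption_level,
                                   socketStatusRes->m_cipherName,
                                   socketStatusRes->m_secretKeySize);
    }

formatted:
    /* PR_smprintf() returns NULL when it cannot allocate the result */
    if (cx->m_result != NULL) {
        result = SSM_SUCCESS;
    }
done:
    /* Temporaries are released on every path; cx->m_result is the only output */
    PR_FREEIF(fmt);
    PR_FREEIF(serverCN);
    PR_FREEIF(issuerName);
    PR_FREEIF(encryption_level);
    return result;
}

/*
 * Return the certificate of the first signer recorded in the message's
 * PKCS#7 content info, or NULL when there is none.
 *
 * The signed content info is preferred; the encrypted one is used when the
 * signed resource is absent or has no content info. The returned pointer is
 * copied from the signer info without taking a reference.
 *
 * Fix: the original dereferenced signedP7CInfoRes even when only
 * encryptedP7CInfoRes was set (and the reverse for the fallback), and it
 * indexed signerInfos[0] without checking that a signer exists. The content
 * info is built from message data, so each of those pointers is now checked
 * before use.
 */
static CERTCertificate * get_signer_cert(SSMSecurityAdvisorContext *res)
{
    CERTCertificate * cert = NULL;
    SEC_PKCS7SignerInfo **signerinfos = NULL;
    SEC_PKCS7ContentInfo *ci = NULL;

    /* Get the signing cert */
    if (res->signedP7CInfoRes) {
        ci = res->signedP7CInfoRes->m_cinfo;
    }
    if (!ci && res->encryptedP7CInfoRes) {
        ci = res->encryptedP7CInfoRes->m_cinfo;
    }
    if (!ci || !ci->contentTypeTag) {
        return NULL;
    }

    /* Finding the signers cert */
    switch (ci->contentTypeTag->offset) {
    default:
    case SEC_OID_PKCS7_DATA:
    case SEC_OID_PKCS7_DIGESTED_DATA:
    case SEC_OID_PKCS7_ENVELOPED_DATA:
    case SEC_OID_PKCS7_ENCRYPTED_DATA:
        /* Could only get here if SEC_PKCS7ContentIsSigned
         * is broken. */
        PORT_Assert (0);
        cert = NULL;
        break;
    case SEC_OID_PKCS7_SIGNED_DATA:
        {
            SEC_PKCS7SignedData *sdp = ci->content.signedData;
            if (sdp) {
                signerinfos = sdp->signerInfos;
            }
        }
        break;
    case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
        {
            SEC_PKCS7SignedAndEnvelopedData *saedp = ci->content.signedAndEnvelopedData;
            if (saedp) {
                signerinfos = saedp->signerInfos;
            }
        }
        break;
    } /* finding the signer cert */

    /* Only the first signer is reported */
    if (signerinfos && signerinfos[0]) {
        cert = signerinfos[0]->cert;
    }
    return cert;
}

/*
 * Placeholder: always returns NULL, so no encryption certificate is ever
 * reported for the given context.
 */
static CERTCertificate * get_encryption_cert(SSMSecurityAdvisorContext *res)
{
    return NULL;
}

/*
 * NOTE(review): this definition continues past the end of the visible
 * excerpt; the code below is reproduced as found and is not closed here.
 */
static char *sa_get_algorithm_string(SEC_PKCS7ContentInfo *cinfo)
{
    SECAlgorithmID *algid;
    SECOidTag algtag;
    const char *alg_name;
    int key_size;

    if (!cinfo) return 0;
    algid = SEC_PKCS7GetEncryptionAlgorithm(cinfo);
    if (!algid) return 0;
    algtag = SECOID_GetAlgorithmTag(algid);
    alg_name = SECOID_FindOIDTagDescription(algtag);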