📄 advisor.c
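key_size = SEC_PKCS7GetKeyLength(cinfo); if (!alg_name || !*alg_name) return 0; else if (key_size > 0) return PR_smprintf("%d-bits %s", key_size, alg_name); else return strdup(alg_name);}

/*
 * sa_message
 *
 * Builds the security-advisor text for a received message and stores it in
 * cx->m_result.  The text has two halves that are produced independently
 * and then concatenated:
 *   - the signature half, chosen from res->signed_b and res->verifyError;
 *   - the encryption half, chosen from res->encrypted_b and res->decodeError.
 *
 * Returns SSM_SUCCESS once cx->m_result has been replaced, SSM_FAILURE on
 * any lookup or resource-creation failure (cx->m_result is left untouched).
 *
 * Invariant kept throughout: the function-level `fmt` is either NULL or an
 * owned template string.  It is reset to NULL right after every PR_Free so
 * that the PR_FREEIF(fmt) under `loser` can never free it a second time when
 * a later step fails.
 *
 * NOTE(review): every SSM_CreateResource call passes the address of an
 * int/PRInt32/PRUint32 ID cast to `long *`.  If the callee stores a long
 * through that pointer, the write overruns the variable wherever long is
 * wider than 32 bits -- confirm against the prototype.
 *
 * NOTE(review): signer_email, signerCN, res->senderAddr and responderURL
 * come from the message, its certificate or preferences and are substituted
 * into the templates as-is; whether the result is escaped before display is
 * not visible here.
 */
SSMStatus sa_message(SSMTextGenContext *cx)
{
    SSMStatus rv = SSM_SUCCESS;
    SSMResource *target = NULL;
    SSMSecurityAdvisorContext* res = NULL;
    char *fmt = NULL, *fmtSigned = NULL, *fmtEncrypted = NULL;

    /* get the connection object */
    target = SSMTextGen_GetTargetObject(cx);
    PR_ASSERT(target != NULL);
    res = (SSMSecurityAdvisorContext*)target;

    /* Deal with the signed part first */
    if (!res->signed_b) {
        rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_message_not_signed",
                                               &fmtSigned);
        if (rv != SSM_SUCCESS) {
            goto loser;
        }
    } else {
        if (res->verifyError == 0) {
            /* Must start out NULL: it is tested below even when
               signedP7CInfoRes is absent. */
            char *signer_email = NULL;
            CERTCertificate *signerCert = NULL;
            SSMResourceCert *signerCertRes = NULL;
            int signerCertResID;

            rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_message_signed",
                                                   &fmt);
            if (rv != SSM_SUCCESS) {
                goto loser;
            }

            signerCert = get_signer_cert(res);
            if (!signerCert) {
                goto loser;
            }

            /* Get the signers email address */
            if (res->signedP7CInfoRes) {
                signer_email = SEC_PKCS7GetSignerEmailAddress(
                                   res->signedP7CInfoRes->m_cinfo);
            }
            if (!signer_email && res->encryptedP7CInfoRes) {
                signer_email = SEC_PKCS7GetSignerEmailAddress(
                                   res->encryptedP7CInfoRes->m_cinfo);
            }

            /* Create a cert resource for this certificate */
            rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE, signerCert,
                                    SSMRESOURCE(res)->m_connection,
                                    (long *) &signerCertResID,
                                    (SSMResource**)&signerCertRes);
            if (rv != PR_SUCCESS) {
                PR_FREEIF(signer_email);
                goto loser;
            }

            fmtSigned = PR_smprintf(fmt, signer_email, target->m_id,
                                    signerCertResID);
            PR_Free(fmt);
            fmt = NULL;
            /* Released the same way the address-mismatch case does. */
            PR_FREEIF(signer_email);
        } else {
            switch (res->verifyError) {
            case SEC_ERROR_PKCS7_BAD_SIGNATURE:
                {
                    rv = SSM_GetAndExpandTextKeyedByString(cx,
                             "sa_message_signed_bad_signature", &fmtSigned);
                    if (rv != SSM_SUCCESS) {
                        goto loser;
                    }
                }
                break;
            /* This case handles both expired and not yet valid certs */
            case SEC_ERROR_EXPIRED_CERTIFICATE:
                {
                    rv = SSM_GetAndExpandTextKeyedByString(cx,
                             "sa_message_signed_expired_signing_cert",
                             &fmtSigned);
                    if (rv != SSM_SUCCESS) {
                        goto loser;
                    }
                }
                break;
            case SEC_ERROR_REVOKED_CERTIFICATE:
                {
                    rv = SSM_GetAndExpandTextKeyedByString(cx,
                             "sa_message_signed_revoked_signing_cert",
                             &fmtSigned);
                    if (rv != SSM_SUCCESS) {
                        goto loser;
                    }
                }
                break;
            case SEC_ERROR_UNKNOWN_ISSUER:
                {
                    CERTCertificate *signerCert = NULL;
                    SSMResourceCert *signerCertRes = NULL;
                    PRUint32 signerCertResID;

                    /* Uses the function-level fmt (no shadowing local) so
                       the template is released under `loser` on failure. */
                    rv = SSM_GetAndExpandTextKeyedByString(cx,
                             "sa_message_signed_unknown_issuer", &fmt);
                    if (rv != SSM_SUCCESS) {
                        goto loser;
                    }

                    /* Get the signing certificate */
                    signerCert = get_signer_cert(res);
                    if (!signerCert) {
                        goto loser;
                    }

                    /* Create a cert resource for this certificate */
                    rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE,
                                            signerCert,
                                            SSMRESOURCE(res)->m_connection,
                                            (long *) &signerCertResID,
                                            (SSMResource**)&signerCertRes);
                    if (rv != PR_SUCCESS) {
                        goto loser;
                    }

                    fmtSigned = PR_smprintf(fmt, target->m_id,
                                            signerCertResID);
                    PR_Free(fmt);
                    fmt = NULL;
                }
                break;
            case SEC_ERROR_CA_CERT_INVALID:
            case SEC_ERROR_UNTRUSTED_ISSUER:
                {
                    CERTCertificate *signerCert = NULL;
                    CERTCertificate *issuerCert = NULL;
                    SSMResourceCert *signerCertRes = NULL;
                    /* Must be a pointer: its address is handed to
                       SSM_CreateResource as an SSMResource** out-parameter. */
                    SSMResourceCert *issuerCertRes = NULL;
                    PRInt32 signerCertResID, issuerCertResID;

                    /* Function-level fmt again, so `loser` frees it. */
                    rv = SSM_GetAndExpandTextKeyedByString(cx,
                             "sa_message_signed_untrusted_issuer", &fmt);
                    if (rv != SSM_SUCCESS) {
                        goto loser;
                    }

                    /* Get the signer cert */
                    signerCert = get_signer_cert(res);
                    if (!signerCert) {
                        goto loser;
                    }

                    /* Get the issuer cert */
                    issuerCert = CERT_FindCertIssuer(signerCert, PR_Now(),
                                                     certUsageAnyCA);
                    if (!issuerCert) {
                        goto loser;
                    }

                    /* Create resources for these certs */
                    rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE,
                                            signerCert,
                                            SSMRESOURCE(res)->m_connection,
                                            (long *) &signerCertResID,
                                            (SSMResource**)&signerCertRes);
                    if (rv != SSM_SUCCESS) {
                        goto loser;
                    }
                    rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE,
                                            issuerCert,
                                            SSMRESOURCE(res)->m_connection,
                                            (long *) &issuerCertResID,
                                            (SSMResource**)&issuerCertRes);
                    if (rv != SSM_SUCCESS) {
                        goto loser;
                    }

                    fmtSigned = PR_smprintf(fmt, target->m_id,
                                            signerCertResID, issuerCertResID);
                    PR_Free(fmt);
                    fmt = NULL;
                }
                break;
            /* This case handles both expired and not yet valid certs */
            case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
                {
                    rv = SSM_GetAndExpandTextKeyedByString(cx,
                             "sa_message_signed_expired_issuer_cert",
                             &fmtSigned);
                    if (rv != SSM_SUCCESS) {
                        goto loser;
                    }
                }
                break;
            /* Cert address mismatch */
            case SEC_ERROR_CERT_ADDR_MISMATCH:
                {
                    char *signer_email = NULL;
                    char *signerCN = NULL;
                    CERTCertificate *signerCert = NULL;
                    SSMResourceCert *signerCertRes = NULL;
                    PRInt32 signerCertResID;
                    SECItem *item = NULL;
                    char *signTime = NULL;

                    rv = SSM_GetAndExpandTextKeyedByString(cx,
                             "sa_message_signed_addr_mismatch", &fmt);
                    if (rv != SSM_SUCCESS) {
                        goto loser;
                    }

                    /* Get the signer cert */
                    signerCert = get_signer_cert(res);
                    if (!signerCert) {
                        goto loser;
                    }

                    /* Get the signer common name */
                    /* NOTE(review): signerCN is never released in this
                       case; confirm who owns the CERT_GetCommonName
                       result. */
                    signerCN = CERT_GetCommonName(&signerCert->subject);

                    /* Get the signing time.  signedP7CInfoRes is treated as
                       optional a few lines below, so guard it here too. */
                    if (res->signedP7CInfoRes) {
                        item = SEC_PKCS7GetSigningTime(
                                   res->signedP7CInfoRes->m_cinfo);
                    }
                    signTime = (item ? DER_UTCTimeToAscii(item) : 0);

                    /* Create resources for these certs */
                    rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE,
                                            signerCert,
                                            SSMRESOURCE(res)->m_connection,
                                            (long *) &signerCertResID,
                                            (SSMResource**)&signerCertRes);
                    if (rv != SSM_SUCCESS) {
                        PR_FREEIF(signTime);
                        goto loser;
                    }

                    /* Get the signers email address */
                    if (res->signedP7CInfoRes) {
                        signer_email = SEC_PKCS7GetSignerEmailAddress(
                                           res->signedP7CInfoRes->m_cinfo);
                    }
                    if (!signer_email && res->encryptedP7CInfoRes) {
                        signer_email = SEC_PKCS7GetSignerEmailAddress(
                                           res->encryptedP7CInfoRes->m_cinfo);
                    }

                    fmtSigned = PR_smprintf(fmt, res->senderAddr,
                                            signer_email, signerCN, signTime,
                                            target->m_id, signerCertResID);
                    PR_Free(fmt);
                    fmt = NULL;
                    PR_FREEIF(signer_email);
                    PR_FREEIF(signTime);
                }
                break;
            default:
                {
                    CERTCertificate *signerCert = NULL;
                    PrefSet* prefs = NULL;
                    /* Starts false so a failed preference lookup cannot
                       leave the branch below reading an indeterminate
                       value. */
                    PRBool boolval = PR_FALSE;
                    char *responderURL = NULL;

                    prefs = res->super.m_connection->m_prefs;

                    /* Is OCSP enabled? */
                    rv = PREF_GetBoolPref(prefs, "security.OCSP.enabled",
                                          &boolval);
                    if (boolval == PR_TRUE) {
                        /* Is there a default responder installed */
                        rv = PREF_GetBoolPref(prefs,
                                 "security.OCSP.useDefaultResponder",
                                 &boolval);
                        if (boolval == PR_TRUE) {
                            PREF_GetStringPref(prefs, "security.OCSP.URL",
                                               &responderURL);
                        } else {
                            /* Get the signer cert */
                            signerCert = get_signer_cert(res);
                            if (!signerCert) {
                                goto loser;
                            }
                            responderURL =
                                CERT_GetOCSPAuthorityInfoAccessLocation(
                                    signerCert);
                        }
                        /* NOTE(review): responderURL may still be NULL
                           here and is never released; confirm ownership
                           for both sources. */
                        rv = SSM_GetAndExpandTextKeyedByString(cx,
                                 "sa_message_signed_ocsp_error", &fmt);
                        if (rv != SSM_SUCCESS) {
                            goto loser;
                        }
                        fmtSigned = PR_smprintf(fmt, responderURL,
                                                res->verifyError);
                        PR_Free(fmt);
                        fmt = NULL;
                    } else {
                        rv = SSM_GetAndExpandTextKeyedByString(cx,
                                 "sa_message_signed_unknown_error",
                                 &fmtSigned);
                        if (rv != SSM_SUCCESS) {
                            goto loser;
                        }
                    }
                }
                break;
            /* XXX Missing the case where the issuer cert has been revoked XXX */
            }
        }
    }

    /* Now deal with the encrypted part */
    if (!res->encrypted_b) {
        rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_message_not_encrypted",
                                               &fmtEncrypted);
        if (rv != SSM_SUCCESS) {
            goto loser;
        }
    } else {
        if (res->decodeError == 0) {
            SECAlgorithmID *algid;
            SECOidTag algtag;
            const char *alg_name;
            /* NULL-initialised: the SSM_GetUTF8Text results below are not
               checked.  NOTE(review): the string is never released;
               confirm ownership. */
            char *encryption_level = NULL;
            int key_size;

            rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_message_encrypted",
                                                   &fmt);
            if (rv != SSM_SUCCESS) {
                goto loser;
            }

            if (res->encryptedP7CInfoRes == NULL) {
                /* Fall back to the signed content info, but only if it
                   exists; otherwise there is nothing to describe. */
                if (res->signedP7CInfoRes == NULL) {
                    goto loser;
                }
                algid = SEC_PKCS7GetEncryptionAlgorithm(
                            res->signedP7CInfoRes->m_cinfo);
            } else {
                algid = SEC_PKCS7GetEncryptionAlgorithm(
                            res->encryptedP7CInfoRes->m_cinfo);
            }
            if (!algid) {
                goto loser;
            }
            algtag = SECOID_GetAlgorithmTag(algid);
            alg_name = SECOID_FindOIDTagDescription(algtag);

            if (res->encryptedP7CInfoRes) {
                key_size = SEC_PKCS7GetKeyLength(
                               res->encryptedP7CInfoRes->m_cinfo);
            } else {
                key_size = SEC_PKCS7GetKeyLength(
                               res->signedP7CInfoRes->m_cinfo);
            }

            /* NOTE(review): every key size other than 40, 56 and 64 is
               labelled high grade, which includes a zero or negative
               result from SEC_PKCS7GetKeyLength -- consider a distinct
               label for an undetermined key length. */
            if (key_size == 40) {
                SSM_GetUTF8Text(cx, "low_grade_encryption",
                                &encryption_level);
            } else if (key_size == 56 || key_size == 64) {
                SSM_GetUTF8Text(cx, "medium_grade_encryption",
                                &encryption_level);
            } else {
                SSM_GetUTF8Text(cx, "high_grade_encryption",
                                &encryption_level);
            }

            fmtEncrypted = PR_smprintf(fmt, encryption_level, key_size,
                                       alg_name);
            PR_Free(fmt);
            fmt = NULL;
        } else {
            switch (res->decodeError) {
            case SEC_ERROR_NOT_A_RECIPIENT:
                {
                    rv = SSM_GetAndExpandTextKeyedByString(cx,
                             "sa_message_encrypted_no_recipient",
                             &fmtEncrypted);
                    if (rv != SSM_SUCCESS) {
                        goto loser;
                    }
                }
                break;
            case SEC_ERROR_BAD_PASSWORD:
                {
                    rv = SSM_GetAndExpandTextKeyedByString(cx,
                             "sa_message_encrypted_bad_password",
                             &fmtEncrypted);
                    if (rv != SSM_SUCCESS) {
                        goto loser;
                    }
                }
                break;
            /* XXX Missing cases for contents altered and encryption strength mismatch XXX */
            default:
                {
                    rv = SSM_GetAndExpandTextKeyedByString(cx,
                             "sa_message_encrypted_unknown_error",
                             &fmtEncrypted);
                    if (rv != SSM_SUCCESS) {
                        goto loser;
                    }
                }
            }
        }
    }

    /* Output the strings */
    PR_FREEIF(cx->m_result);
    cx->m_result = PR_smprintf("%s%s", fmtSigned, fmtEncrypted);
    PR_Free(fmtSigned);
    PR_Free(fmtEncrypted);
    return SSM_SUCCESS;

loser:
    PR_FREEIF(fmt);
    PR_FREEIF(fmtSigned);
    PR_FREEIF(fmtEncrypted);
    return SSM_FAILURE;
}

SSMStatus sa_compose(SSMTextGenContext *cx){ SSMStatus rv = SSM_SUCCESS; SSMResource *target = NULL; SSMSecurityAdvisorContext* res = NULL; char *fmt = NULL, *fmtSigned = NULL, *fmtEncrypted = NULL; CERTCertificate *cert = NULL; char *certNickname = NULL; int err; char ** errCerts = NULL; int numErrCerts, i; /* get the connection object */ target = SSMTextGen_GetTargetObject(cx); PR_ASSERT(target != NULL); res = (SSMSecurityAdvisorContext*)target; /* Get the default email certificate */ rv = PREF_GetStringPref(target->m_connection->m_prefs, "security.default_mail_cert", &certNickname); if (rv != PR_SUCCESS) { goto loser; } /* Deal with the signing part first */ if (!res->signthis) { rv = SSM_GetAndExpandTextKeyedByString(cx, "sa_compose_not_to_be_signed", &fmtSigned); if (rv != SSM_SUCCESS) { goto loser; } } else { /* Do we have a default cert installed */ if (!certNickname) {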