📄 certres.c
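/*
 * The contents of this file are subject to the Mozilla Public
 * License Version 1.1 (the "License"); you may not use this file
 * except in compliance with the License. You may obtain a copy of
 * the License at http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS
 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * rights and limitations under the License.
 *
 * The Original Code is the Netscape security libraries.
 *
 * The Initial Developer of the Original Code is Netscape
 * Communications Corporation. Portions created by Netscape are
 * Copyright (C) 1994-2000 Netscape Communications Corporation. All
 * Rights Reserved.
 *
 * Contributor(s):
 *
 * Alternatively, the contents of this file may be used under the
 * terms of the GNU General Public License Version 2 or later (the
 * "GPL"), in which case the provisions of the GPL are applicable
 * instead of those above. If you wish to allow use of your
 * version of this file only under the terms of the GPL and not to
 * allow others to use your version of this file under the MPL,
 * indicate your decision by deleting the provisions above and
 * replace them with the notice and other provisions required by
 * the GPL. If you do not delete the provisions above, a recipient
 * may use your version of this file under either the MPL or the
 * GPL.
 */

/*********************************************************************
 * Class functions for cert resource.
 * GetAttribute fills the attribute value in data,
 * returns size of the string.
 * PickleCert fills pickled cert struct in data,
 * returns size of the string. Pickling doesn't destroy resource.
 * UnpickleCert function is not a class function, used to create a
 * certificate resource given a pickled lump of data. Returns pointer
 * to the certificate resource.
 *
 * Space for the data is allocated, needs to be freed by the caller.
 * Returned is length of the data string (including the terminating byte).
 *********************************************************************
 */

#include "certres.h"
#include "sechash.h"
#include "ssmerrs.h"
#include "ctrlconn.h"
#include "certlist.h"
#include "resource.h"
#include "ssldlgs.h"
#include "certsearch.h"
#include "secpkcs7.h"
#include "secerr.h"

typedef enum {
    myCert = 0,
    othersCert,
    webCert,
    caCert,
    badCert
} certPane;

enum {
    USER_CERT = (PRIntn) 0,
    EMAIL_CERT,
    CA_CERT,
    WEBSITE_CERT
};

enum {
    NICKNAME = (PRIntn) 0,
    EMAILADDR
};

SSMStatus SSM_DeleteCertificate(SSMResourceCert * resource);
SECItem * unhexify(char * hex);
SSMStatus
ssm_select_cert(SSMTextGenContext * cx, char ** result, char * fmt,
                PRIntn type, PRIntn key, char * nickname);
SSMStatus
ssm_create_select_cert_entry(SSMTextGenContext * cx, CERTCertificate * cert,
                             char **result, char *fmt, char * checked);
SSMStatus
ssm_cert_belongs_type(CERTCertificate * cert, PRIntn type);
static
certPane SSMUI_CertBelongs(CERTCertificate * cert);

/* ### mwelch Defined in libcert. Should we be using this? */
SEC_BEGIN_PROTOS
extern SECStatus cert_GetKeyID(CERTCertificate *cert);
SEC_END_PROTOS

CERTCertificate * FindCertByKeyIDAndNickname(SSMControlConnection * ctrl,
                                             char *nickname, SECItem *keyID,
                                             char * serial);
CERTCertList * SSMControlConnection_CreateCertListByNickname(
                                             SSMControlConnection * ctrl,
                                             char * nick, PRBool email);
CERTCertificate * SSMControlConnection_FindCertByNickname(
                                             SSMControlConnection * ctrl,
                                             char * nick, PRBool email);
SSMStatus SSM_RefreshRefererPage(HTTPRequest * req);
extern SSMStatus httpparse_count_params(HTTPRequest * req);
extern SSMStatus httpparse_parse_params(HTTPRequest * req);

/* Shorthand macros for inherited classes */
#define SSMRESOURCE(ss) (&(ss)->super)

/*
 * SSMResourceCert_GetAttr
 *
 * Fetch one attribute of a certificate resource into *value.
 *
 *   resource - the certificate resource (an SSMResourceCert)
 *   attrib   - which SSM_FID_CERT_* attribute to fetch
 *   attrType - not consulted by this function
 *   value    - receives the attribute; string attributes carry a freshly
 *              allocated copy that the caller must release
 *
 * Returns PR_SUCCESS when the attribute was produced. On any failure it
 * returns PR_FAILURE and, when value is non-NULL, sets value->type to
 * SSM_NO_ATTRIBUTE.
 */
SSMStatus SSMResourceCert_GetAttr(SSMResource * resource,
                                  SSMAttributeID attrib,
                                  SSMResourceAttrType attrType,
                                  SSMAttributeValue *value)
{
    SSMResourceCert * res = (SSMResourceCert *)resource;
    SECItem secitem;
    SSMStatus rv;
    char *tmpstr = NULL;

    /* The failure path writes through value, so a NULL value must be
     * rejected before anything can jump to loser. */
    if (!value)
        return PR_FAILURE;

    if (!res || !res->cert)
        goto loser;

    /* Access fields in the certificate and pass up in the data field */
    switch (attrib) {
    case SSM_FID_CERT_SUBJECT_NAME:
        if (!res->cert->subjectName)
            goto loser;
        value->type = SSM_STRING_ATTRIBUTE;
        value->u.string.len = strlen(res->cert->subjectName);
        value->u.string.data =
            (unsigned char *) strdup(res->cert->subjectName);
        break;

    case SSM_FID_CERT_ISSUER_NAME:
        if (!res->cert->issuerName)
            goto loser;
        value->type = SSM_STRING_ATTRIBUTE;
        value->u.string.len = strlen(res->cert->issuerName);
        value->u.string.data =
            (unsigned char *) strdup(res->cert->issuerName);
        break;

    case SSM_FID_CERT_SERIAL_NUMBER:
        value->type = SSM_STRING_ATTRIBUTE;
        tmpstr = CERT_Hexify(&(res->cert->serialNumber), 1);
        if (tmpstr == NULL)
            goto loser;
        value->u.string.len = strlen(tmpstr);
        value->u.string.data = (unsigned char *) strdup(tmpstr);
        break;

    case SSM_FID_CERT_EXP_DATE:
        value->type = SSM_STRING_ATTRIBUTE;
        tmpstr = DER_UTCDayToAscii(&(res->cert->validity.notAfter));
        if (tmpstr == NULL)
            goto loser;
        value->u.string.len = strlen(tmpstr);
        value->u.string.data = (unsigned char *) strdup(tmpstr);
        break;

    case SSM_FID_CERT_FINGERPRINT:
    {
        unsigned char buf[MD5_LENGTH];

        /* The fingerprint is an MD5 digest of the DER encoding. MD5 is
         * not collision resistant, so this value is suitable for display
         * only and should not be the sole basis of a trust decision. */
        value->type = SSM_STRING_ATTRIBUTE;
        MD5_HashBuf(buf, res->cert->derCert.data, res->cert->derCert.len);
        secitem.data = buf;
        secitem.len = sizeof(buf);  /* tied to the buffer, not a literal 16 */
        tmpstr = CERT_Hexify(&secitem, 1);
        if (tmpstr == NULL)
            goto loser;
        value->u.string.len = strlen(tmpstr);
        value->u.string.data = (unsigned char *) strdup(tmpstr);
        break;
    }

    case SSM_FID_CERT_COMMON_NAME:
        value->type = SSM_STRING_ATTRIBUTE;
        tmpstr = CERT_GetCommonName(&(res->cert->subject));
        if (tmpstr == NULL)
            goto loser;
        value->u.string.len = strlen(tmpstr);
        value->u.string.data = (unsigned char *) strdup(tmpstr);
        break;

    case SSM_FID_CERT_NICKNAME:
        if (!res->cert->nickname)
            goto loser;
        value->type = SSM_STRING_ATTRIBUTE;
        value->u.string.len = strlen(res->cert->nickname);
        value->u.string.data =
            (unsigned char *) strdup(res->cert->nickname);
        break;

    case SSM_FID_CERT_ORG_NAME:
        value->type = SSM_STRING_ATTRIBUTE;
        tmpstr = CERT_GetOrgName(&(res->cert->subject));
        if (tmpstr == NULL)
            goto loser;
        value->u.string.len = strlen(tmpstr);
        value->u.string.data = (unsigned char *) strdup(tmpstr);
        break;

    case SSM_FID_CERT_EMAIL_ADDRESS:
        value->type = SSM_STRING_ATTRIBUTE;
        tmpstr = PL_strdup(CERT_GetCertificateEmailAddress(res->cert));
        if (tmpstr == NULL)
            goto loser;
        value->u.string.len = PL_strlen(tmpstr);
        value->u.string.data = (unsigned char *) PL_strdup(tmpstr);
        break;

    case SSM_FID_CERT_PICKLE_CERT:
        /* Raw DER bytes: length-delimited, not NUL-terminated. */
        value->type = SSM_STRING_ATTRIBUTE;
        if (!(value->u.string.data =
                  (unsigned char *) PR_Malloc(res->cert->derCert.len))) {
            goto loser;
        }
        memcpy(value->u.string.data, res->cert->derCert.data,
               res->cert->derCert.len);
        value->u.string.len = res->cert->derCert.len;
        break;

    case SSM_FID_CERT_HTML_CERT:
        value->type = SSM_STRING_ATTRIBUTE;
        rv = (*resource->m_html_func)(resource, NULL, (void **)&tmpstr);
        if (rv != PR_SUCCESS)
            goto loser;
        value->u.string.len = PL_strlen(tmpstr);
        value->u.string.data = (unsigned char *) PL_strdup(tmpstr);
        break;

    case SSM_FID_CERT_CERTKEY:
        /* Raw key bytes: length-delimited, not NUL-terminated. */
        value->type = SSM_STRING_ATTRIBUTE;
        if (!(value->u.string.data =
                  (unsigned char *) PR_Malloc(res->cert->certKey.len))) {
            goto loser;
        }
        memcpy(value->u.string.data, res->cert->certKey.data,
               res->cert->certKey.len);
        value->u.string.len = res->cert->certKey.len;
        break;

    case SSM_FID_CERT_FIND_CERT_ISSUER:
    {
        SSMResourceCert *certRes;
        SSMResourceID certID;
        CERTCertificate *cert;

        /* Make sure we have a cert to return. */
        cert = CERT_FindCertIssuer(res->cert, PR_Now(),
                                   certUsageObjectSigner);
        if (!cert) {
            goto loser;
        }
        if ((cert->certKey.len != res->cert->certKey.len) ||
            (memcmp(cert->certKey.data, res->cert->certKey.data,
                    cert->certKey.len))) {
            /* The issuer is a different cert: wrap it in a resource.
             * NOTE(review): ownership of cert presumably passes to
             * SSM_CreateResource here, including on failure -- confirm. */
            rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE, cert,
                                    resource->m_connection, &certID,
                                    (SSMResource**)&certRes);
            if (rv != PR_SUCCESS)
                goto loser;
            rv = SSM_ClientGetResourceReference(SSMRESOURCE(certRes),
                                                &certID);
            SSM_FreeResource(SSMRESOURCE(certRes));
            if (rv != PR_SUCCESS)
                goto loser;
        } else {
            /* The cert is its own issuer: hand back this resource. The
             * reference returned by CERT_FindCertIssuer is not needed
             * and is dropped so it does not leak. */
            CERT_DestroyCertificate(cert);
            rv = SSM_ClientGetResourceReference(SSMRESOURCE(res), &certID);
            if (rv != PR_SUCCESS)
                goto loser;
        }
        value->type = SSM_RID_ATTRIBUTE;
        value->u.rid = certID;
        break;
    }

    case SSM_FID_CERT_ISPERM:
        value->type = SSM_NUMERIC_ATTRIBUTE;
        value->u.numeric = res->cert->isperm;
        break;

    default:
        goto loser;
    }

    /* The string cases above copy with strdup/PL_strdup without checking
     * the result; catch an allocation failure here so the caller never
     * gets a NULL buffer paired with a non-zero length. */
    if (value->type == SSM_STRING_ATTRIBUTE && !value->u.string.data)
        goto loser;

    if (tmpstr != NULL)
        PR_Free(tmpstr);
    return PR_SUCCESS;

loser:
    value->type = SSM_NO_ATTRIBUTE;
    if (tmpstr != NULL)
        PR_Free(tmpstr);
    return PR_FAILURE;
}

/*
 * SSMResourceCert_Pickle
 *
 * Copy the certificate's pickled form (fetched through the resource's
 * m_get_func with SSM_FID_CERT_PICKLE_CERT) into a new PR_Malloc'ed
 * buffer.
 *
 *   res  - the certificate resource
 *   len  - receives the number of bytes stored in *data
 *   data - receives the buffer; the caller frees it
 *
 * Returns PR_SUCCESS on success; PR_FAILURE on bad arguments or when the
 * copy cannot be allocated; otherwise the status reported by m_get_func.
 */
SSMStatus SSMResourceCert_Pickle(SSMResource * res, PRIntn * len,
                                 void ** data)
{
    SSMAttributeValue value;
    SSMStatus rv;

    if (!res || !((SSMResourceCert *)res)->cert || !data || !len )
        return PR_FAILURE;

    rv = ((*(SSMResourceCert *)res).super.m_get_func)(res,
                                         SSM_FID_CERT_PICKLE_CERT,
                                         SSM_STRING_ATTRIBUTE, &value);
    if (rv != PR_SUCCESS)
        goto loser;

    *data = PR_Malloc(value.u.string.len);
    if (!*data) {
        /* Previously this path returned PR_SUCCESS with *data == NULL and
         * leaked the attribute value; report the failure and release it. */
        rv = PR_FAILURE;
        SSM_DestroyAttrValue(&value, PR_FALSE);
        goto loser;
    }
    memcpy(*data, value.u.string.data, value.u.string.len);
    *len = value.u.string.len;
    SSM_DestroyAttrValue(&value, PR_FALSE);

loser:
    return rv;
}

/*
 * SSMResourceCert_GetAttrIDs
 *
 * Build the list of attribute IDs a client may query: the consecutive
 * range SSM_FID_CERT_SUBJECT_NAME .. SSM_FID_CERT_ORG_NAME.
 *
 *   res   - the certificate resource (only checked for NULL)
 *   ids   - receives a PORT_ZAlloc'ed array of *count IDs
 *   count - receives the number of IDs
 *
 * Returns PR_SUCCESS, or PR_FAILURE on bad arguments or allocation
 * failure.
 */
SSMStatus SSMResourceCert_GetAttrIDs(SSMResource *res,
                                     SSMAttributeID **ids,
                                     PRIntn *count)
{
    int i;

    if (!res || !ids || !count)
        goto loser;

    /* all certificate attributes accessible to client */
    *count = SSM_FID_CERT_ORG_NAME - SSM_FID_CERT_SUBJECT_NAME + 1;
    *ids = (SSMAttributeID *)PORT_ZAlloc(*count * (sizeof(SSMAttributeID)));
    if (!*ids)
        goto loser;

    /* Start at index 0. The loop used to start at -1, which stored one
     * element in front of the allocation (a heap write out of bounds). */
    for (i = 0; i < *count; i++) {
        (*ids)[i] = (SSMAttributeID) ((int) SSM_FID_CERT_SUBJECT_NAME + i);
    }
    return PR_SUCCESS;

loser:
    return PR_FAILURE;
}

/*
 * SSMResourceCert_Create
 *
 * Return the certificate resource for arg, creating and registering one
 * in connection->m_certIdDB if SSMControlConnection_CertLookUp does not
 * find an existing one.
 *
 *   arg        - the certificate (used as a CERTCertificate * by
 *                SSMResourceCert_Init)
 *   connection - the owning control connection
 *   res        - receives the resource; NULL on failure
 *
 * Returns PR_SUCCESS or PR_FAILURE. On failure arg is released here.
 * NOTE(review): when the lookup finds an existing resource, arg is not
 * released by this function -- confirm whether the caller or the lookup
 * accounts for that reference.
 */
SSMStatus
SSMResourceCert_Create(void *arg, SSMControlConnection * connection,
                       SSMResource **res)
{
    SSMStatus rv = PR_SUCCESS;
    SSMResourceCert * certResource = NULL;

    if (!res)
        goto loser;
    *res = NULL;
    /* connection is dereferenced below, so reject NULL up front. */
    if (!arg || !connection)
        goto loser;

    /* before creating a cert, make sure we don't have it already */
    SSMControlConnection_CertLookUp(connection, arg, res);
    if (*res)
        goto done; /* found cert resource! */

    certResource = (SSMResourceCert *)PR_CALLOC(sizeof(SSMResourceCert));
    if (!certResource)
        goto loser;
    rv = SSMResourceCert_Init(certResource, connection, arg);
    if (rv != PR_SUCCESS)
        goto loser;
    *res = (SSMResource *)&certResource->super;

    /* enter cert into cert db */
    rv = SSM_HashInsert(connection->m_certIdDB, (SSMHashKey) arg,
                        (void *)*res);
    if (rv != PR_SUCCESS)
        goto loser;

done:
    return PR_SUCCESS;

loser:
    /* Never leave the caller holding a pointer to a resource that is
     * about to be destroyed. */
    if (res)
        *res = NULL;
    if (certResource)
        (*((SSMRESOURCE(certResource))->m_destroy_func))
            ((SSMResource *)certResource, PR_TRUE);
    else if (arg)
        /* arg is a CERTCertificate (see SSMResourceCert_Init); release it
         * through the certificate API instead of PR_Free, which is not a
         * valid way to free a certificate object. */
        CERT_DestroyCertificate((CERTCertificate *)arg);
    return PR_FAILURE;
}

/*
 * SSMResourceCert_Init
 *
 * Initialise an already allocated certificate resource: run the base
 * SSMResource_Init, attach the certificate, take a reference on its slot
 * when it has one, and install the verify and delete-cert handlers.
 *
 * Returns SSM_SUCCESS, or SSM_FAILURE when arg is NULL.
 */
SSMStatus SSMResourceCert_Init(SSMResourceCert * certResource,
                               SSMControlConnection * conn, void * arg)
{
    SSMResource_Init(conn, SSMRESOURCE(certResource),
                     SSM_RESTYPE_CERTIFICATE);

    certResource->cert = (CERTCertificate *)arg;
    if (!arg)
        return SSM_FAILURE;

    if (certResource->cert->slot)
        PK11_ReferenceSlot(certResource->cert->slot);

    certResource->m_verify_func = &SSMResourceCert_Verify;
    certResource->m_deletecert_func = &SSMResourceCert_DeleteCert;
    certResource->m_markedForDeletion = PR_FALSE;
    return SSM_SUCCESS;
}

/*
 * SSMResourceCert_Unpickle
 *
 * Create a certificate resource from len bytes of pickled data by
 * decoding them with CERT_NewTempCertificate.
 *
 * NOTE(review): value and len describe externally supplied data. len is
 * a signed PRInt32 stored into the unsigned certArg.len with no range
 * check, so a negative len becomes a very large length -- validate
 * len > 0 before decoding.
 * NOTE(review): the loser path reads *resource, which this function has
 * not initialised when the decode fails, and it calls PR_Free after
 * m_destroy_func -- confirm neither can act on a stale pointer.
 *
 * The listing is cut off after the done: label; the rest of the function
 * is not shown and the visible part is reproduced unchanged.
 */
SSMStatus SSMResourceCert_Unpickle(SSMResource ** resource,
                                   SSMControlConnection * connection,
                                   PRInt32 len, void * value)
{
    SSMStatus rv = PR_SUCCESS;
    SSMResourceID resID;
    CERTCertificate * cert;
    SECItem certArg;

    if (!resource || !value)
        goto loser;

    certArg.len = len;
    certArg.data = (unsigned char *) value;
    cert = CERT_NewTempCertificate(connection->m_certdb,
                                   (SECItem *)&certArg,
                                   NULL, PR_FALSE, PR_TRUE);
    if (!cert) {
        rv = (SSMStatus) PR_GetError();
        goto loser;
    }
    rv = SSM_CreateResource(SSM_RESTYPE_CERTIFICATE, (void *)cert,
                            connection, &resID, resource);
    if (rv != PR_SUCCESS)
        goto loser;
    goto done;

loser:
    if (resource && *resource) {
        SSM_DEBUG("Error unpickling cert: %d.\n", rv);
        ((*resource)->m_destroy_func)(*resource, PR_TRUE);
        PR_Free(*resource);
    }
    SSM_DEBUG("Error unpickling cert: %d.\n", rv);
done: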