📄 certres.c
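/* Tail of a function whose beginning lies above this excerpt; kept as found. */
        }
        rv = SSM_ProcessCertUIAction(req, cert);
    }
done:
    PR_FREEIF(page);
    PR_FREEIF(outPage);
    PR_FREEIF(nickhtml);
    if (certList)
        CERT_DestroyCertList(certList);
    return rv;
loser:
    if (certList)
        CERT_DestroyCertList(certList);
    /* kill the window */
    rv = SSMTextGen_NewTopLevelContext(req, &cx);
    rv = SSM_GetAndExpandText(cx, "windowclose_doclose_js_content", &page);
    SSMTextGen_DestroyContext(cx);
    req->sentResponse = PR_TRUE;
    rv = SSM_HTTPSendOKHeader(req, NULL, "text/html");
    rv = SSM_HTTPSendUTF8String(req, page);
    /* notify owner if this a UI event */
    if (((SSMResource *)req->ctrlconn)->m_UILock)
        SSM_NotifyUIEvent((SSMResource *)req->ctrlconn);
    return SSM_SUCCESS;
}

/*
 * SSM_ProcessCertUIAction
 *
 * Wraps |cert| in a certificate resource, makes that resource the target of
 * |req|, and sends the page template selected by the request's "action"
 * parameter ("<action>_content") as a text/html response.
 *
 * Returns SSM_FAILURE when |cert| is NULL (the caller's "Cancel" case),
 * otherwise the status of the last step that ran.
 *
 * The template text is used as a printf-style format string, so it is only
 * formatted once it is known to be non-NULL.
 *
 * NOTE(review): "action" comes from the HTTP request and is passed both as
 * the template lookup key and as a %s argument to the template.  Nothing in
 * this function restricts or escapes it -- confirm the templates and the
 * lookup treat it as untrusted.
 */
SSMStatus
SSM_ProcessCertUIAction(HTTPRequest * req, CERTCertificate * cert)
{
    SSMResource * certres = NULL;
    SSMResourceID resID;
    SSMStatus rv = SSM_FAILURE;
    char * page = NULL, *outPage = NULL;
    char * action, *ref = NULL;
    SSMTextGenContext * cx = NULL;

    if (!cert) {
        SSM_DEBUG("ProcessCertUIAction: no cert. Either user hit Cancel or smth is wrong.\n");
        SSM_DEBUG("Close the window \n");
        goto done;
    }

    /* get a resource for this cert */
    rv = (SSMStatus) SSM_CreateResource(SSM_RESTYPE_CERTIFICATE, (void *)cert,
                                        req->ctrlconn, &resID, &certres);
    if (rv != SSM_SUCCESS)
        goto done;
    rv = (SSMStatus) SSM_GetResourceReference(certres);
    if (rv != SSM_SUCCESS)
        SSM_DEBUG("ProcessUIAction: can't get resource reference for cert!\n");

    /* Free reference to the previous target */
    if (req->target)
        SSM_FreeResource(req->target);
    req->target = certres;

    /* figure out what action was requested */
    rv = SSM_HTTPParamValue(req, "action", &action);
    if (rv != SSM_SUCCESS) {
        SSM_DEBUG("ProcessCertUIAction: no action parameter found!\n");
        SSM_HTTPReportError(req, HTTP_NO_CONTENT);
        goto done;
    }

    ref = PR_smprintf("%s_content", action);
    if (ref == NULL) {
        rv = SSM_FAILURE;
        goto done;
    }

    rv = SSMTextGen_NewTopLevelContext(req, &cx);
    if (rv != SSM_SUCCESS) {
        SSM_DEBUG("ProcessUIAction: can't get new TopLevelContext\n");
        goto done;
    }
    rv = SSM_GetAndExpandText(cx, ref, &page);
    SSMTextGen_DestroyContext(cx);
    cx = NULL;
    if (rv != SSM_SUCCESS || page == NULL) {
        /* Without a template there is no format string to expand. */
        SSM_DEBUG("ProcessUIAction:can't get wrapper for %s\n", action);
        if (rv == SSM_SUCCESS)
            rv = SSM_FAILURE;
        goto done;
    }

    outPage = PR_smprintf(page, resID, action, "bogus");
    if (outPage == NULL) {
        rv = SSM_FAILURE;
        goto done;
    }
    rv = SSM_HTTPSendOKHeader(req, NULL, "text/html");
    rv = SSM_HTTPSendUTF8String(req, outPage);

done:
    /* ref was never released on any path before. */
    PR_FREEIF(ref);
    PR_FREEIF(page);
    PR_FREEIF(outPage);
    return rv;
}

char * digits = "0123456789ABCDEF";
/*
 * HEX_DIGIT(x): index of *x in |digits|.  Kept for existing users.  It is
 * only meaningful when *x is one of the 16 characters in |digits|: for any
 * other character strchr() returns NULL and the subtraction is undefined,
 * and for '\0' it yields 16.  unhexify() below no longer relies on it.
 */
#define HEX_DIGIT(x) (strchr(digits, *x) - digits)

/* Value (0..15) of one hexadecimal character, or -1 if it is not one. */
static int
ssm_hex_digit_value(char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    if (c >= 'A' && c <= 'F')
        return 10 + (c - 'A');
    if (c >= 'a' && c <= 'f')
        return 10 + (c - 'a');
    return -1;
}

/*
 * unhexify
 *
 * Converts a NUL-terminated string of hex digits into a newly allocated
 * SECItem holding the decoded bytes.  A string with an odd number of digits
 * is treated as if it had a leading '0'.
 *
 * Returns NULL when |hex| is NULL, when it contains a character that is not
 * a hex digit, or when allocation fails.  The string reaches this function
 * from an HTTP parameter (see SSM_ChooseCertUsageHandler), so every
 * character is validated before any byte is written.
 *
 * The caller owns the result; SSM_ChooseCertUsageHandler releases it with
 * SECITEM_FreeItem(item, PR_TRUE).
 */
SECItem *
unhexify(char * hex)
{
    SECItem * result = NULL;
    unsigned char * data = NULL;
    unsigned char * ptr;
    char * ch;
    size_t hexLen;
    PRIntn len;

    if (!hex)
        return NULL;

    /* Reject the whole string if any character is not a hex digit. */
    for (ch = hex; *ch; ch++) {
        if (ssm_hex_digit_value(*ch) < 0)
            return NULL;
    }

    hexLen = strlen(hex);
    len = (PRIntn)(hexLen / 2);
    if (hexLen & 1)
        len++;

    result = (SECItem *) PORT_ZAlloc(sizeof(SECItem));
    if (result == NULL)
        return NULL;
    /* Ask for at least one byte so an empty string still gets a buffer. */
    data = (unsigned char *) PORT_ZAlloc(len > 0 ? len : 1);
    if (data == NULL) {
        PORT_Free(result);
        return NULL;
    }

    ch = hex;
    ptr = data;
    if (hexLen & 1) {
        /* odd digit count: the first digit is a byte on its own */
        *ptr++ = (unsigned char) ssm_hex_digit_value(*ch);
        ch++;
    }
    while (*ch) {
        /* the remaining length is even, so ch[1] is always a digit here */
        *ptr++ = (unsigned char)((ssm_hex_digit_value(ch[0]) << 4) +
                                 ssm_hex_digit_value(ch[1]));
        ch += 2;
    }

    result->data = data;
    result->len = len;
    return result;
}

/*
 * Here's how we do unhexify -jp
 *   Number[J]=HexDigit(*P)*16+HexDigit(*(P+1));
 *   J++;
 *   P+=2;
 *   char *Digits="0123456789ABCDEF"
 *   return(strchr(Digits,toupper(Char))-Digits)
 */

/*
 * SSM_ChooseCertUsageHandler
 *
 * HTTP handler.  Reads three request parameters:
 *   selectItem - "<hex key ID>:<hex serial number>" of the chosen cert
 *   nick       - nickname (or e-mail address) used to look the cert up
 *   baseRef    - the requested action; only cert_view, ca_policy_view,
 *                delete_cert, backup and cert_edit are accepted
 * It looks the certificate up, stores it in the control connection's
 * m_uiData, creates a certificate resource for it, and sends either the
 * window-close page (backup) or a redirect frameset for the action.
 *
 * Every failure goes through |loser|, which releases what was allocated and
 * returns SSM_HTTPCloseWindow(req).
 */
SSMStatus
SSM_ChooseCertUsageHandler(HTTPRequest * req)
{
    SSMResource * target = NULL, *origTarget;
    char * value = NULL, * nick = NULL, *serialNum;
    char * tmp;
    SSMStatus rv = SSM_FAILURE;
    SECItem * keyID;
    CERTCertificate * cert = NULL;
    /* Must start out NULL: loser tests it and is reachable before it is set. */
    SSMTextGenContext * cx = NULL;
    char * urlStr=NULL, *action=NULL, * redirectHTML=NULL, * outStr=NULL;
    SSMResourceID resID;
    char * windowName = NULL, * params = NULL;

    /* Get the target resource. */
    target = (req->target ? req->target : (SSMResource *) req->ctrlconn);
    PR_ASSERT(target);
    origTarget = target;

    rv = SSM_HTTPParamValue(req, "selectItem", &value);
    if (rv != SSM_SUCCESS)
        goto loser;
    rv = SSM_HTTPParamValue(req, "nick", &nick);
    if (rv != SSM_SUCCESS)
        goto loser;
    rv = SSM_HTTPParamValue(req, "baseRef", &action);
    if (rv != SSM_SUCCESS)
        goto loser;

    tmp = PL_strdup(value);
    if (tmp == NULL) {
        rv = SSM_FAILURE;
        goto loser;
    }
    /*
     * NOTE(review): strtok() keeps hidden static state and is not safe if
     * handlers can run on more than one thread -- confirm, and switch to a
     * reentrant splitter if so.
     */
    value = strtok(tmp, ":");
    serialNum = strtok(NULL, ":");
    if (value == NULL || serialNum == NULL) {
        /* selectItem was not of the form "<keyid>:<serial>" */
        PR_Free(tmp);
        rv = SSM_FAILURE;
        goto loser;
    }
    keyID = unhexify(value);
    if (keyID == NULL) {
        /* key ID was not valid hex, or allocation failed */
        PR_Free(tmp);
        rv = SSM_FAILURE;
        goto loser;
    }
    cert = FindCertByKeyIDAndNickname(req->ctrlconn, nick, keyID, serialNum);
    SECITEM_FreeItem(keyID,PR_TRUE);
    PR_Free(tmp);
    /*
     * NOTE(review): cert is NULL here when the lookup found nothing; it is
     * still stored in m_uiData and handed to SSM_CreateResource below, as in
     * the original flow.  Confirm both tolerate a NULL certificate.
     */
    SSM_DEBUG("ChooseCertUsageHandler: found certificate %lx!\n", cert);
    req->ctrlconn->super.super.m_uiData = (void *)cert;

    /* set the window name:
     * View is done through http thread, window name is popup
     * Delete is done with UIEvent, window name is PSM
     * Any baseRef outside this list is rejected, so only these fixed
     * strings are ever placed into the redirect URL below.
     */
    if (PL_strcmp(action, "cert_view") == 0 ||
        PL_strcmp(action, "ca_policy_view") == 0)
        windowName = PR_smprintf("popup");
    else if (PL_strcmp(action, "delete_cert") == 0)
        windowName = PR_smprintf("PSM");
    else if (PL_strcmp(action, "backup") == 0)
        windowName = NULL;
    else if (PL_strcmp(action, "cert_edit") == 0)
        windowName = PR_smprintf("popup");
    else {
        SSM_DEBUG("ChooseCertUsageHandler: bad action baseRef = %s", action);
        goto loser;
    }

    /* make sure the next URL takes up the whole window */
    rv = SSMTextGen_NewTopLevelContext(req, &cx);
    if (rv != SSM_SUCCESS) {
        SSM_DEBUG("ChooseCertUsageHandler: can't get new textGen context\n");
        goto loser;
    }
    rv = (SSMStatus) SSM_CreateResource(SSM_RESTYPE_CERTIFICATE, (void *)cert,
                                        req->ctrlconn, &resID, &target);
    if (rv != SSM_SUCCESS) {
        SSM_DEBUG("ChooseCertUsageHandler: can't create cert resource \n");
        goto loser;
    }

    if (!MIN_STRCMP(action, "backup")) {
        rv = SSM_GetAndExpandText(cx, "windowclose_doclose_js_content",
                                  &outStr);
        if (rv != SSM_SUCCESS) {
            goto loser;
        }
        SSM_NotifyUIEvent(origTarget);
    } else {
        /* policy view requires extra parameters */
        if (PL_strcmp(action, "ca_policy_view") == 0)
            params = PR_smprintf("&certresource=%d&bogus=bogus", resID);
        urlStr = PR_smprintf("get?baseRef=%s&target=%d%s", action, resID,
                             params?params:"");
        rv = SSM_GetAndExpandText(cx, "refresh_frameset_content",
                                  &redirectHTML);
        if (rv != SSM_SUCCESS || redirectHTML == NULL || urlStr == NULL) {
            /* redirectHTML is the format string below; never format NULL */
            SSM_DEBUG("ChooseCertUsageHandler: can't create redirectHTML");
            goto loser;
        }
        outStr = PR_smprintf(redirectHTML, urlStr, windowName);
        SSMTextGen_DestroyContext(cx);
        cx = NULL;
        PR_FREEIF(urlStr);
        PR_FREEIF(redirectHTML);
        PR_FREEIF(params);          /* was leaked before */
        if (outStr == NULL) {
            rv = SSM_FAILURE;
            goto loser;
        }
    }

    req->sentResponse = PR_TRUE;
    rv = SSM_HTTPSendOKHeader(req, NULL, "text/html");
    if (rv != SSM_SUCCESS)
        SSM_DEBUG("ChooseCertUsageHandler: error sending OKHeaders\n");
    rv = SSM_HTTPSendUTF8String(req, outStr);
    if (rv != SSM_SUCCESS)
        SSM_DEBUG("ChooseCertUsageHandler: error sending <%s>\n", outStr);
    PR_FREEIF(windowName);
    PR_Free(outStr);
    if (cx != NULL)
        SSMTextGen_DestroyContext(cx);
    return rv;

loser:
    if (cx != NULL)
        SSMTextGen_DestroyContext(cx);
    /* release whatever the failed path had already allocated */
    PR_FREEIF(windowName);
    PR_FREEIF(params);
    PR_FREEIF(urlStr);
    PR_FREEIF(redirectHTML);
    PR_FREEIF(outStr);
    if (rv == SSM_SUCCESS)
        rv = SSM_FAILURE;
    SSM_DEBUG("ChooseCertUsageHandler: somethings is very wrong!\n");
    return SSM_HTTPCloseWindow(req);
}

/*
 * FindCertByKeyIDAndNickname
 *
 * Builds the list of certificates for |nickname| (first as a nickname, then,
 * if that yields no list, as an e-mail address) and returns a new reference
 * (CERT_DupCertificate) to the first entry whose subject key ID equals
 * |keyID| and whose hexified serial number equals |serial|.
 *
 * Returns NULL when nothing matches, when no list could be built, when
 * cert_GetKeyID fails for an entry, or when |keyID| or |serial| is NULL.
 * Both of those values are derived from request parameters by the caller,
 * so a missing one is treated as "no match" rather than dereferenced.
 *
 * NOTE(review): when CERT_Hexify returns NULL the serial number is not
 * compared at all and the key ID alone decides the match.  Confirm this
 * fallback is intended.
 */
CERTCertificate *
FindCertByKeyIDAndNickname(SSMControlConnection * ctrl, char *nickname,
                           SECItem *keyID, char * serial)
{
    CERTCertificate *cert = NULL;
    CERTCertList *certList = NULL;
    CERTCertListNode *node;
    char *hexSerial=NULL;

    if (keyID == NULL || serial == NULL)
        return NULL;

    certList = SSMControlConnection_CreateCertListByNickname(ctrl, nickname,
                                                             PR_FALSE);
    if (!certList)
        /* could not find certs with this nick, try email address */
        certList = SSMControlConnection_CreateCertListByNickname(ctrl,
                                                                 nickname,
                                                                 PR_TRUE);
    if (!certList)
        goto loser;

    node = CERT_LIST_HEAD(certList);
    while (!CERT_LIST_END(node, certList)) {
        if (cert_GetKeyID(node->cert) != SECSuccess)
            goto loser;
        hexSerial = CERT_Hexify(&node->cert->serialNumber, 0);
        if (SECITEM_CompareItem(keyID, &node->cert->subjectKeyID) == SECEqual &&
            (hexSerial == NULL || strcmp(hexSerial, serial) == 0)) {
            PR_FREEIF(hexSerial);
            goto found;
        }
        PR_FREEIF(hexSerial);
        node = CERT_LIST_NEXT(node);
    }
    SSM_DEBUG("FindCertByKeyIDAndNickname: could not find certificate!\n");
    goto loser;

found:
    cert = CERT_DupCertificate(node->cert);
loser:
    if (certList)
        CERT_DestroyCertList(certList);
    return cert;
}

/*
 * SSM_VerifyCertKeywordHandler
 *
 * Text-generation keyword handler.  Verifies the request's target
 * certificate for each certUsage value from 0 through certUsageAnyCA
 * (skipping the four the loop comment lists), records one flag per usage,
 * puts a "verified" prefix or a "not verified" reason into cx->m_result, and
 * appends the format named by the first keyword parameter, expanded with the
 * twelve per-usage flags followed by the overall |valid| flag.
 *
 * Returns SSM_SUCCESS once the format has been expanded; on failure
 * cx->m_result is freed and set to NULL.
 */
SSMStatus
SSM_VerifyCertKeywordHandler(SSMTextGenContext * cx)
{
    SSMStatus rv = SSM_FAILURE;
    SSMResourceCert * certres = NULL;
    /* All the certUsage values currently defined in NSS */
    /* All of these strings should come from the properties files. */
    char * formatKey = NULL, * fmt = NULL;
    /* One flag per usage; all twelve are read by the PR_smprintf below. */
    PRBool verified[12];
    char * result = NULL;
    PRInt32 i;
    PRInt32 numVerified = (PRInt32)(sizeof(verified) / sizeof(verified[0]));
    PRBool valid = PR_FALSE;
    PRBool usageKnown = PR_TRUE;
    SECCertUsage certUsage = certUsageEmailRecipient;
    int err;

    PR_ASSERT(cx != NULL);
    PR_ASSERT(cx->m_request != NULL);
    PR_ASSERT(cx->m_params != NULL);
    PR_ASSERT(cx->m_result != NULL);
    PR_ASSERT(SSM_IsAKindOf(cx->m_request->target, SSM_RESTYPE_CERTIFICATE));

    /* get certificate resource */
    certres = (SSMResourceCert *)cx->m_request->target;

    /* Start from "not verified" so no slot is ever read uninitialized. */
    for (i = 0; i < numVerified; i++)
        verified[i] = PR_FALSE;

    /*
     * The extra bound keeps the writes inside verified[] even if the
     * SECCertUsage enum has more values than the array has slots.
     */
    for (i = 0; i < certUsageAnyCA + 1 && i < numVerified; i++) {
        /* UserCertImport, ProtectedObjectSigner, AnyCA, VerifyCA certUsages
         * cause NSS to panic, make sure we don't try to verify it.
         */
        if (i == certUsageUserCertImport ||
            i == certUsageProtectedObjectSigner ||
            i == certUsageVerifyCA ||
            i == certUsageAnyCA) {
            verified[i] = PR_FALSE;
            continue;
        }
        if (SSM_VerifyCert(certres, (SECCertUsage) i) == SECSuccess) {
            verified[i] = PR_TRUE;
            valid = PR_TRUE;
        } else
            verified[i] = PR_FALSE;
    }

    if (valid) {
        rv = SSM_GetAndExpandText(cx, "verified_prefix", &cx->m_result);
    } else {
        /*
         * Verify once more for a usage chosen by certificate type, only to
         * learn which error to report.
         * NOTE(review): the CA branch uses certUsageVerifyCA, which the loop
         * above deliberately avoids -- confirm that is safe here.
         */
        if (ssm_cert_belongs_type(certres->cert, USER_CERT) == SSM_SUCCESS) {
            certUsage = certUsageEmailRecipient;
        } else if (ssm_cert_belongs_type(certres->cert, EMAIL_CERT) == SSM_SUCCESS) {
            certUsage = certUsageEmailRecipient;
        } else if (ssm_cert_belongs_type(certres->cert, CA_CERT) == SSM_SUCCESS) {
            certUsage = certUsageVerifyCA;
        } else if (ssm_cert_belongs_type(certres->cert, WEBSITE_CERT) == SSM_SUCCESS) {
            certUsage = certUsageSSLServer;
        } else {
            /* no known type: certUsage used to be read uninitialized here */
            usageKnown = PR_FALSE;
        }

        if (usageKnown && SSM_VerifyCert(certres, certUsage) != SECSuccess) {
            err = PR_GetError();
            switch (err) {
            case SEC_ERROR_EXPIRED_CERTIFICATE:
                rv = SSM_GetAndExpandText(cx, "not_verified_expired_cert_text",
                                          &cx->m_result);
                break;
            case SEC_ERROR_REVOKED_CERTIFICATE:
                rv = SSM_GetAndExpandText(cx, "not_verified_revoked_cert_text",
                                          &cx->m_result);
                break;
            case SEC_ERROR_UNKNOWN_ISSUER:
                rv = SSM_GetAndExpandText(cx, "not_verified_unknown_issuer_text",
                                          &cx->m_result);
                break;
            case SEC_ERROR_CA_CERT_INVALID:
                rv = SSM_GetAndExpandText(cx, "not_verified_ca_invalid_text",
                                          &cx->m_result);
                break;
            case SEC_ERROR_UNTRUSTED_ISSUER:
                rv = SSM_GetAndExpandText(cx, "not_verified_untrusted_issuer_text",
                                          &cx->m_result);
                break;
            case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
                rv = SSM_GetAndExpandText(cx, "not_verified_expired_issuer_text",
                                          &cx->m_result);
                break;
            case SEC_ERROR_UNTRUSTED_CERT:
                rv = SSM_GetAndExpandText(cx, "not_verified_untrusted_cert_text",
                                          &cx->m_result);
                break;
            default:
                rv = SSM_GetAndExpandText(cx, "not_verified_unknown_error_text",
                                          &cx->m_result);
                break;
            }
        } else {
            rv = SSM_GetAndExpandText(cx, "not_verified_unknown_error_text",
                                      &cx->m_result);
        }
    }

    formatKey = (char *) SSM_At(cx->m_params, (PRIntn)0);
    rv = SSM_GetAndExpandTextKeyedByString(cx, formatKey, &fmt);
    if (rv != SSM_SUCCESS)
        goto loser;
    if (fmt == NULL) {
        /* fmt is the format string below; never format NULL */
        rv = SSM_FAILURE;
        goto loser;
    }
    result = PR_smprintf(fmt, verified[0], verified[1], verified[2],
                         verified[3], verified[4], verified[5], verified[6],
                         verified[7], verified[8], verified[9], verified[10],
                         verified[11], valid);
    if (result == NULL) {
        rv = SSM_FAILURE;
        goto loser;
    }
    rv = SSM_ConcatenateUTF8String(&cx->m_result, result);
    PR_Free(result);
    rv = SSM_SUCCESS;
    goto done;

loser:
    SSM_DEBUG("VerifyCertKeywordHandler: something is wrong!\n");
    if (rv == SSM_SUCCESS)
        rv = SSM_FAILURE;
    if (cx->m_result)
        PR_Free(cx->m_result);
    cx->m_result = NULL;
done:
    PR_FREEIF(fmt);
    return rv;
}

/*
 * SSM_EditCertKeywordHandler -- the definition runs past the end of this
 * excerpt; only its opening lines are visible and they are kept as found
 * (with the mis-encoded "&notAvailable" argument restored).
 */
SSMStatus
SSM_EditCertKeywordHandler(SSMTextGenContext * cx)
{
    SSMStatus rv;
    SSMResourceCert * target = (SSMResourceCert *)SSMTextGen_GetTargetObject(cx);
    CERTCertTrust * trust;
    char * tmpStr = NULL, *checked = NULL, *notAvailable = NULL, * donot= NULL;
    PRBool trusted=PR_FALSE, trustca = PR_FALSE;
    PRBool emailtrust=PR_FALSE, signtrust=PR_FALSE, ssltrust = PR_FALSE;
    unsigned int myTrust = 0;
    /* edit cert dialog help targets */
    char * emailCertHelpTarget = "1036027";
    char * sslCertHelpTarget = "1035916";
    char * caCertHelpTarget = "1036857";

    PR_ASSERT(target && SSM_IsAKindOf((SSMResource *)target, SSM_RESTYPE_CERTIFICATE));
    PR_ASSERT(target->cert);
    rv = SSM_GetAndExpandTextKeyedByString(cx, "text_checked", &checked);
    if (rv != SSM_SUCCESS) {
        SSM_DEBUG("EditCertKeywordHandler: can't get text for 'checked'\n");
        goto done;
    }
    rv = SSM_GetAndExpandTextKeyedByString(cx, "trust_do_not", &donot);
    if (rv != SSM_SUCCESS) {
        SSM_DEBUG("EditCertKeywordHandler: can't get text for 'trust_do_not'\n");
        goto done;
    }
    rv = SSM_GetAndExpandTextKeyedByString(cx, "text_not_available", &notAvailable);
    if (rv != SSM_SUCCESS) {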