📄 certres.c
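/* Listing starts mid-function: what follows is the tail of a keyword handler
 * (its debug strings call it EditCertKeywordHandler). It is reproduced
 * unchanged apart from line breaks because its beginning is not visible. */
        SSM_DEBUG("EditCertKeywordHandler: can't get text for notAvailable\n");
        goto done;
    }
    if ((trust = target->cert->trust) == NULL) {
        SSM_DEBUG("EditCertKeywordHandler: cert trust object is NULL!\n");
        rv = SSM_FAILURE;
        goto done;
    }
    /* website cert */
    if (trust->sslFlags & CERTDB_VALID_PEER) {
        CERTCertificate * issuer = CERT_FindCertIssuer(target->cert, PR_Now(),
                                                       certUsageAnyCA);
        if (issuer && issuer->trust &&
            (issuer->trust->sslFlags & CERTDB_TRUSTED_CA))
            trustca = PR_TRUE;
        rv = SSM_GetAndExpandTextKeyedByString(cx, "edit_cert_website", &tmpStr);
        if (rv != SSM_SUCCESS) {
            SSM_DEBUG("EditCertKeywordHandler: can't find edit_cert_website \n");
            goto done;
        }
        /* check first button if trusted, second if not */
        if (trust->sslFlags & CERTDB_TRUSTED)
            trusted = PR_TRUE;
        PR_FREEIF(cx->m_result);
        cx->m_result = PR_smprintf(tmpStr, target->cert->nickname,
                                   CERT_GetCommonName(&target->cert->issuer),
                                   issuer?issuer->nickname:notAvailable,
                                   trusted?checked:"", trusted?"":checked,
                                   sslCertHelpTarget,
                                   trustca?"":donot, trustca?"":donot);
    } else if ( (trust->sslFlags & CERTDB_VALID_CA) ||
                (trust->emailFlags & CERTDB_VALID_CA ) ||
                ( trust->objectSigningFlags & CERTDB_VALID_CA )) {
        /* security advisor in the old client does this, should we? */
        if ( ! ( target->cert->nsCertType & NS_CERT_TYPE_CA ) )
            target->cert->nsCertType = NS_CERT_TYPE_CA;
        rv = SSM_GetAndExpandTextKeyedByString(cx, "edit_cert_authority", &tmpStr);
        if (rv != SSM_SUCCESS) {
            SSM_DEBUG("EditCertKeywordHandler: can't get edit_cert_authority wrapper\n");
            goto done;
        }
        /* check first button if trusted, second if not */
        if (trust->sslFlags & CERTDB_TRUSTED_CA)
            ssltrust = PR_TRUE;
        if (trust->emailFlags & CERTDB_TRUSTED_CA)
            emailtrust = PR_TRUE;
        if (trust->objectSigningFlags & CERTDB_TRUSTED_CA )
            signtrust = PR_TRUE;
        PR_FREEIF(cx->m_result);
        cx->m_result = PR_smprintf(tmpStr, ssltrust?checked:"",
                                   emailtrust?checked:"", signtrust?checked:"",
                                   target->cert->nickname, caCertHelpTarget);
    } else if (trust->emailFlags & CERTDB_VALID_PEER) {
        CERTCertificate * issuer = CERT_FindCertIssuer(target->cert, PR_Now(),
                                                       certUsageAnyCA);
        char *CN = NULL;
        if (issuer && issuer->trust &&
            (issuer->trust->emailFlags & CERTDB_TRUSTED_CA))
            trustca = PR_TRUE;
        rv = SSM_GetAndExpandTextKeyedByString(cx, "edit_cert_others", &tmpStr);
        if (rv != SSM_SUCCESS) {
            SSM_DEBUG("EditCertKeywordHandler: can't get edit_cert_authority wrapper\n");
            goto done;
        }
        if (trust->emailFlags & CERTDB_TRUSTED)
            trusted = PR_TRUE;
        PR_FREEIF(cx->m_result);
        CN = CERT_GetCommonName(&target->cert->issuer);
        cx->m_result = PR_smprintf(tmpStr, target->cert->emailAddr, CN,
                                   issuer?issuer->nickname:notAvailable,
                                   trusted?checked:"", trusted?"":checked,
                                   emailCertHelpTarget,
                                   trustca?"":donot, trustca?"":donot);
        PR_FREEIF(CN);
    } else {
        PR_FREEIF(cx->m_result);
        cx->m_result = PR_smprintf("Bad certificate type, don't know how to edit.\n");
    }
done:
    PR_FREEIF(tmpStr);
    PR_FREEIF(checked);
    PR_FREEIF(donot);
    return rv;
}

/**
 * Apply the trust choices submitted with an "edit certificate" form to the
 * certificate held in req->target, then store the new trust record.
 *
 * The certificate's current trust record selects which form is expected:
 *  - SSL peer (web site) cert: "trustoption" equal to "trust" sets
 *    CERTDB_TRUSTED in sslFlags, any other value clears it;
 *  - CA cert: a successful lookup of "networksite", "emailuser" and
 *    "software" sets CERTDB_TRUSTED_CA for SSL, e-mail and object signing
 *    respectively, a failed lookup clears it;
 *  - e-mail peer cert: "trustoption" as above, applied to emailFlags.
 *
 * @param req  HTTP request whose target is an SSMResourceCert.
 * @return Always SSM_SUCCESS. Failures are only logged; see the note at the
 *         end of the function.
 */
SSMStatus
SSM_EditCertificateTrustHandler(HTTPRequest * req)
{
    SSMResourceCert * target = req ? (SSMResourceCert *)req->target : NULL;
    CERTCertTrust trust;
    char * value = NULL;
    SSMStatus rv;

    PR_ASSERT(target && target->cert);
    /* PR_ASSERT is compiled out of release builds, so check at run time too. */
    if (!target || !target->cert) {
        SSM_DEBUG("EditCertificateTrustHandler: no certificate to edit\n");
        goto done;
    }

    rv = (SSMStatus) CERT_GetCertTrust(target->cert, &trust);
    if (rv != SSM_SUCCESS) {
        SSM_DEBUG("EditCertificateTrustHandler: can't get cert trust object\n");
        goto done;
    }

    if (trust.sslFlags & CERTDB_VALID_PEER) {
        /* this is website cert we're editing */
        rv = SSM_HTTPParamValue(req, "trustoption", &value);
        if (rv != SSM_SUCCESS)
            goto done;
        /* PL_strcmp, as the e-mail branch already uses: unlike strcmp it
         * tolerates a NULL value. */
        if (PL_strcmp(value, "trust") == 0)
            trust.sslFlags |= CERTDB_TRUSTED;
        else
            trust.sslFlags &= (~CERTDB_TRUSTED);
    } else if ( (trust.sslFlags & CERTDB_VALID_CA) ||
                (trust.emailFlags & CERTDB_VALID_CA ) ||
                ( trust.objectSigningFlags & CERTDB_VALID_CA ) ) {
        /* security advisor in the old client does this, should we? */
        if ( ! ( target->cert->nsCertType & NS_CERT_TYPE_CA ) )
            target->cert->nsCertType = NS_CERT_TYPE_CA;
        if (target->cert->nsCertType & NS_CERT_TYPE_SSL_CA)
            trust.sslFlags |= CERTDB_VALID_CA;
        if (target->cert->nsCertType & NS_CERT_TYPE_OBJECT_SIGNING_CA)
            trust.objectSigningFlags |= CERTDB_VALID_CA;
        if (target->cert->nsCertType & NS_CERT_TYPE_EMAIL_CA)
            trust.emailFlags |= CERTDB_VALID_CA;

        /* Only the presence of each parameter matters here: the lookup
         * status is the checkbox state and the value is never read. */
        rv = SSM_HTTPParamValue(req, "networksite", &value);
        if (rv == SSM_SUCCESS)
            trust.sslFlags |= CERTDB_TRUSTED_CA;
        else
            trust.sslFlags &= (~CERTDB_TRUSTED_CA);
        rv = SSM_HTTPParamValue(req, "emailuser", &value);
        if (rv == SSM_SUCCESS)
            trust.emailFlags |= CERTDB_TRUSTED_CA;
        else
            trust.emailFlags &= (~CERTDB_TRUSTED_CA);
        rv = SSM_HTTPParamValue(req, "software", &value);
        if (rv == SSM_SUCCESS)
            trust.objectSigningFlags |= CERTDB_TRUSTED_CA;
        else
            trust.objectSigningFlags &= (~CERTDB_TRUSTED_CA);
    } else if (trust.emailFlags & CERTDB_VALID_PEER) {
        /* edit email cert */
        rv = SSM_HTTPParamValue(req, "trustoption", &value);
        if (rv != SSM_SUCCESS)
            goto done;
        if (PL_strcmp(value, "trust") == 0)
            trust.emailFlags |= CERTDB_TRUSTED;
        else
            trust.emailFlags &= (~CERTDB_TRUSTED);
    } else {
        SSM_DEBUG("EditCertificateTrustHandler: trying to edit bad cert\n");
        goto done;
    }

    rv = (SSMStatus) CERT_ChangeCertTrust(req->ctrlconn->m_certdb,
                                          target->cert, &trust);
    if (rv != SSM_SUCCESS)
        SSM_DEBUG("EditCertificateTrustHandler: can't store new cert trust\n");
    /* Cached SSL sessions were negotiated under the old trust settings. */
    SSL_ClearSessionCache();
done:
    /* NOTE(review): every path reports SSM_SUCCESS, so the caller cannot tell
     * that a trust change was rejected or never attempted. The return value is
     * left as it was because callers may rely on it; confirm before
     * propagating rv.
     * NOTE(review): this function changes trust purely from request
     * parameters and contains no authorization or request-origin check of its
     * own; confirm the HTTP layer enforces one before dispatching here. */
    return SSM_SUCCESS;
}

/**
 * Keyword handler that fills cx->m_result with one entry per certificate
 * matching the submitted "content" value, for the certificate class named by
 * the "origin" form parameter ("_mine", "_others", "_websites" or
 * "_authorities").
 *
 * @param cx  Text generation context; m_request, m_params and m_result must
 *            be set. The first parameter in m_params is the key of the entry
 *            format text.
 * @return SSM_SUCCESS, or a failure status with cx->m_result freed and NULL.
 */
SSMStatus
SSM_SelectCertKeywordHandler(SSMTextGenContext * cx)
{
    SSMStatus rv = SSM_SUCCESS;
    char * value = NULL, * formName = NULL;
    char * fmtKey = NULL;    /* borrowed from cx->m_params */
    char * fmt = NULL;       /* expanded format text, owned by this function */
    PRIntn PARAM_FORMAT = (PRIntn) 0;
    PRIntn certType, certKey;

    /* Check for parameter validity */
    PR_ASSERT(cx);
    PR_ASSERT(cx->m_request);
    PR_ASSERT(cx->m_params);
    PR_ASSERT(cx->m_result);
    if (!cx || !cx->m_request || !cx->m_params || !cx->m_result) {
        rv = (SSMStatus) PR_INVALID_ARGUMENT_ERROR;
        goto loser;
    }

    rv = SSM_HTTPParamValue(cx->m_request, "origin", &formName);
    if (rv != SSM_SUCCESS || !formName) {
        rv = SSM_FAILURE;
        goto loser;
    }

    /* figure which certs we're looking for */
    if (strstr(formName, "_mine")) {
        certType = USER_CERT;
        certKey = NICKNAME;
    } else if (strstr(formName, "_others")) {
        certType = EMAIL_CERT;
        certKey = EMAILADDR;
    } else if (strstr(formName, "_websites")) {
        certType = WEBSITE_CERT;
        certKey = NICKNAME;
    } else if (strstr(formName, "_authorities")) {
        certType = CA_CERT;
        certKey = NICKNAME;
    } else {
        /* An unrecognised origin used to fall through and pass the
         * uninitialised certType/certKey on to ssm_select_cert. */
        SSM_DEBUG("SelectCertKeywordHandler: Bad request\n");
        rv = SSM_FAILURE;
        goto loser;
    }

    /* get format */
    fmtKey = (char *) SSM_At(cx->m_params, PARAM_FORMAT);
    rv = SSM_HTTPParamValue(cx->m_request, "content", &value);
    if (!fmtKey || !value) {
        SSM_DEBUG("SelectCertKeywordHandler: can't get format or nickname!\n");
        goto loser;
    }
    /* Expand into a separate pointer so the allocated text can be released
     * below; writing it over the borrowed parameter leaked it. */
    rv = SSM_GetAndExpandTextKeyedByString(cx, fmtKey, &fmt);
    if (rv != SSM_SUCCESS)
        goto loser;
    SSM_DebugUTF8String("cert selection format <%s>", fmt);

    /* ssm_select_cert starts by setting *result to NULL, so release the
     * previous result first instead of losing the pointer. */
    PR_FREEIF(cx->m_result);
    rv = ssm_select_cert(cx, &cx->m_result, fmt, certType, certKey, value);
    goto done;

loser:
    if (cx) {
        PR_FREEIF(cx->m_result);
        cx->m_result = NULL;
    }
    if (rv == SSM_SUCCESS)
        rv = SSM_FAILURE;
done:
    PR_FREEIF(fmt);
    return rv;
}

/**
 * Build the concatenated selection entries for every certificate found under
 * a nickname or e-mail address that also belongs to the requested class.
 *
 * @param cx        Text generation context (supplies the control connection
 *                  and the "text_checked" text).
 * @param result    Out: newly allocated text, or NULL when nothing was
 *                  produced. The caller frees it.
 * @param fmt       Format for one entry, see ssm_create_select_cert_entry.
 * @param type      USER_CERT, EMAIL_CERT, WEBSITE_CERT or CA_CERT.
 * @param key       NICKNAME or EMAILADDR: how to interpret nickname.
 * @param nickname  Nickname or e-mail address to look up.
 * @return SSM_SUCCESS, or a failure status with *result set to NULL.
 */
SSMStatus
ssm_select_cert(SSMTextGenContext * cx, char ** result, char * fmt,
                PRIntn type, PRIntn key,char *nickname)
{
    /* NULL so that the cleanup code never sees an indeterminate pointer when
     * an early exit is taken before the list is created. */
    CERTCertList * certList = NULL;
    CERTCertListNode * node;
    CERTCertificate * cert;
    char * tmpStr = NULL, * checked = NULL;
    SSMStatus rv = SSM_FAILURE;
    PRBool first = PR_TRUE;

    PR_ASSERT(result);
    PR_ASSERT(fmt);
    PR_ASSERT(nickname);
    if (!cx || !cx->m_request || !result || !fmt || !nickname) {
        SSM_DEBUG("Bad parameters in ssm_select_cert_nick\n");
        goto loser;
    }
    *result = NULL;

    /* get a list of certs with the given nick or email address*/
    switch (key) {
    case NICKNAME:
        certList = SSMControlConnection_CreateCertListByNickname(
                       cx->m_request->ctrlconn, nickname, PR_FALSE);
        break;
    case EMAILADDR:
        certList = SSMControlConnection_CreateCertListByNickname(
                       cx->m_request->ctrlconn, nickname, PR_TRUE);
        break;
    default:
        SSM_DEBUG("select_cert: bad cert key, must be NICKNAME or EMAILADDR\n");
        goto loser;
    }
    if (!certList) {
        SSM_DEBUG("select_cert: no certificate with nick %s in the db\n",
                  nickname);
        goto done;
    }

    rv = SSM_GetAndExpandTextKeyedByString(cx, "text_checked", &checked);
    if (rv != SSM_SUCCESS) {
        SSM_DEBUG("select_cert: can't get text for checked attribute\n");
        goto done;
    }

    /* traverse the list */
    node = CERT_LIST_HEAD(certList);
    while (!CERT_LIST_END(node, certList)) {
        cert = node->cert;
        node = CERT_LIST_NEXT(node);
        /* make sure it's correct type of cert */
        if (ssm_cert_belongs_type(cert, type) != SSM_SUCCESS)
            continue;
        /* only the first matching entry is pre-selected */
        rv = ssm_create_select_cert_entry(cx, cert, &tmpStr, fmt,
                                          first?checked:"");
        if (rv != SSM_SUCCESS) {
            SSM_DEBUG("Could not create select_cert_entry\n");
            goto loser;
        }
        rv = SSM_ConcatenateUTF8String(result, tmpStr);
        if (rv != SSM_SUCCESS)
            goto loser;
        PR_Free(tmpStr);
        tmpStr = NULL;
        first = PR_FALSE;
    } /* end of loop on certs in the certList */
    goto done;

loser:
    if (rv == SSM_SUCCESS)
        rv = SSM_FAILURE;
    /* result itself may be NULL on the bad-parameter path. */
    if (result) {
        if (*result)
            PR_Free(*result);
        *result = NULL;
    }
done:
    if (certList)
        CERT_DestroyCertList(certList);
    if (tmpStr)
        PR_Free(tmpStr);
    /* Expanded text is owned by the caller of the expansion routine. */
    PR_FREEIF(checked);
    return rv;
}

/**
 * Format one selection entry for a certificate.
 *
 * fmt is used as the PR_smprintf format and receives six string arguments, in
 * this order: hex subject key ID, key-usage text, not-before date, not-after
 * date, the checked attribute, and the hex serial number ("--" when it is
 * unavailable). Because fmt is not a literal it must come from trusted text
 * resources and contain conversions matching those arguments.
 *
 * @param cx       Text generation context used to fetch the usage text.
 * @param cert     Certificate to describe.
 * @param result   Out: newly allocated entry, or NULL on failure.
 * @param fmt      Entry format, see above.
 * @param checked  Text inserted for the pre-selected entry, "" otherwise.
 * @return SSM_SUCCESS or SSM_FAILURE.
 */
SSMStatus
ssm_create_select_cert_entry(SSMTextGenContext * cx, CERTCertificate * cert,
                             char **result, char *fmt, char *checked)
{
    char * validNotBefore = NULL, * validNotAfter = NULL;
    char * purposeStr = NULL;
    char * keyIDHex = NULL;
    char * valueStr = NULL, * serialNum = NULL;
    SSMStatus rv = SSM_FAILURE;

    PR_ASSERT(result);
    PR_ASSERT(fmt);
    PR_ASSERT(cert);
    if (!result || !fmt || !cert) {
        SSM_DEBUG("Bad params in ssm_create_select_cert_entry!\n");
        return SSM_FAILURE;
    }
    *result = NULL;

    /* now find info about this certificate */
    validNotBefore = DER_UTCDayToAscii(&cert->validity.notBefore);
    validNotAfter = DER_UTCDayToAscii(&cert->validity.notAfter);

    /* NOTE(review): the status of SSM_GetUTF8Text is not checked, so
     * purposeStr can presumably still be NULL when it reaches the format. */
    if ((cert->keyUsage & KU_KEY_ENCIPHERMENT) == KU_KEY_ENCIPHERMENT)
        SSM_GetUTF8Text(cx, "key_encipherment", &purposeStr);
    else if ((cert->keyUsage & KU_DIGITAL_SIGNATURE) == KU_DIGITAL_SIGNATURE)
        SSM_GetUTF8Text(cx, "digital_signature", &purposeStr);
    else if ((cert->keyUsage & KU_KEY_AGREEMENT) == KU_KEY_AGREEMENT)
        SSM_GetUTF8Text(cx, "key_agreement", &purposeStr);
    else {
        SSM_DEBUG("Can't find certificate usage!\n");
        goto loser;
    }

    rv = (SSMStatus) cert_GetKeyID(cert);
    if (rv != SECSuccess)
        goto loser;

    /* Keep the hex string in a variable so it can be released; passing the
     * CERT_Hexify result straight to PR_smprintf leaked it. */
    keyIDHex = CERT_Hexify(&(cert->subjectKeyID), PR_FALSE);
    valueStr = PR_smprintf("%s", keyIDHex);
    serialNum = CERT_Hexify(&cert->serialNumber, 0);
    if (!serialNum)
        serialNum = PL_strdup("--");

    /* A typical entry is a radio button, e.g.
     * <input type="radio" name="selectItem" value=keyusage> keyusage, etc. */
    *result = PR_smprintf(fmt, valueStr, purposeStr, validNotBefore,
                          validNotAfter, checked, serialNum);
    if (!*result)
        rv = SSM_FAILURE;   /* formatting failed: do not report success */
    goto done;

loser:
    if (rv == SSM_SUCCESS)
        rv = SSM_FAILURE;
    /* Free the string, not the caller's pointer variable. */
    if (*result)
        PR_Free(*result);
    *result = NULL;
done:
    if (purposeStr)
        PR_Free(purposeStr);
    if (valueStr)
        PR_Free(valueStr);
    if (validNotBefore)
        PR_Free(validNotBefore);
    if (validNotAfter)
        PR_Free(validNotAfter);
    PR_FREEIF(keyIDHex);
    PR_FREEIF(serialNum);
    return rv;
}

/**
 * Tell whether a certificate belongs to one of the listing classes, judged
 * from its trust flags.
 *
 *  - USER_CERT:    CERTDB_USER is set for SSL, e-mail or object signing.
 *  - EMAIL_CERT:   has an e-mail address, is not a USER_CERT, and is a valid
 *                  e-mail peer.
 *  - WEBSITE_CERT: is a valid SSL peer.
 *  - CA_CERT:      is a valid CA for any usage and not marked invisible for
 *                  any usage.
 *
 * @param cert  Certificate to classify.
 * @param type  One of the four classes above.
 * @return SSM_SUCCESS when the certificate belongs to the class, SSM_FAILURE
 *         otherwise, including when it has no trust record.
 */
SSMStatus
ssm_cert_belongs_type(CERTCertificate * cert, PRIntn type)
{
    CERTCertTrust * trust;

    PR_ASSERT(cert);
    /* The assertion vanishes in release builds; a certificate without a
     * trust record is not in the permanent database. */
    if (!cert || !cert->trust)
        return SSM_FAILURE;
    trust = cert->trust;

    switch (type) {
    case USER_CERT:
        if ((trust->sslFlags & CERTDB_USER) ||
            (trust->emailFlags & CERTDB_USER) ||
            (trust->objectSigningFlags & CERTDB_USER))
            return SSM_SUCCESS;
        break;
    case EMAIL_CERT:
        if (cert->emailAddr &&
            (ssm_cert_belongs_type(cert, USER_CERT) != SSM_SUCCESS) &&
            (trust->emailFlags & CERTDB_VALID_PEER))
            return SSM_SUCCESS;
        break;
    case WEBSITE_CERT:
        if (trust->sslFlags & CERTDB_VALID_PEER)
            return SSM_SUCCESS;
        break;
    case CA_CERT:
        if ((trust->sslFlags & CERTDB_VALID_CA) ||
            (trust->emailFlags & CERTDB_VALID_CA) ||
            (trust->objectSigningFlags & CERTDB_VALID_CA)) {
            /* it is a CA cert, make sure it's not invisible cert */
            if (!((trust->sslFlags & CERTDB_INVISIBLE_CA) ||
                  (trust->emailFlags & CERTDB_INVISIBLE_CA) ||
                  (trust->objectSigningFlags & CERTDB_INVISIBLE_CA)))
                return SSM_SUCCESS;
        }
        break;
    default:
        PR_ASSERT(0);
    }
    return SSM_FAILURE;
}

/* The listing is cut off inside the next handler: only its opening
 * declarations are visible, so they are reproduced unchanged. */
SSMStatus
SSM_ViewCertInfoKeywordHandler(SSMTextGenContext * cx)
{
    SSMStatus rv = SSM_FAILURE;
    char* pattern = NULL;
    char* key = NULL;
    char * style = NULL, *commentString = NULL;
    const PRIntn CERT_WRAPPER = (PRIntn)1;
    const PRIntn CERT_WRAPPER_NO_COMMENT = (PRIntn)2;
    const PRIntn STYLE_PARAM = (PRIntn)0;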