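/* Continuation of the preceding certificate-info keyword handler: its signature
 * and the declarations of rv, key, pattern, style and commentString are above. */
    PRIntn wrapper;
    CERTCertificate *cert = NULL;

    PR_ASSERT(cx != NULL);
    PR_ASSERT(cx->m_request != NULL);
    PR_ASSERT(cx->m_params != NULL);
    PR_ASSERT(cx->m_result != NULL);
    PR_ASSERT(SSM_IsAKindOf(cx->m_request->target, SSM_RESTYPE_CERTIFICATE));
    if (cx == NULL || cx->m_request == NULL || cx->m_params == NULL ||
        cx->m_result == NULL) {
        PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
        goto loser;
    }
    /* get cert */
    cert = ((SSMResourceCert *)cx->m_request->target)->cert;
    if (!cert)
        goto loser;
    /* get the correct wrapper: a cert with a comment string uses the
     * template that has room for it */
    commentString = CERT_GetCertCommentString(cert);
    if (commentString)
        wrapper = CERT_WRAPPER;
    else
        wrapper = CERT_WRAPPER_NO_COMMENT;
    key = (char *) SSM_At(cx->m_params, wrapper);
    PR_FREEIF(commentString);
    /* second, grab and expand the keyword objects */
    rv = SSM_GetAndExpandTextKeyedByString(cx, key, &pattern);
    if (rv != SSM_SUCCESS) {
        goto loser;
    }
    SSM_DebugUTF8String("ca cert info pattern <%s>", pattern);
    style = (char *) SSM_At(cx->m_params, STYLE_PARAM);
    PR_FREEIF(cx->m_result);
    /* NOTE(review): if SSM_At() can return NULL when STYLE_PARAM is absent,
     * strcmp() on it is undefined behaviour — confirm callers always set it. */
    if (!strcmp(style, "pretty"))
        rv = SSM_PrettyFormatCert(cert, pattern, &cx->m_result);
    else
        rv = SSM_FormatCert(cert, pattern, &cx->m_result);
    goto done;
loser:
    if (rv == SSM_SUCCESS)
        rv = SSM_FAILURE;
done:
    PR_FREEIF(pattern);
    return rv;
}

/**
 * Count the certificates in an NSS certificate list.
 *
 * @param certList  List to walk. NULL is treated as an empty list and yields 0
 *                  instead of being dereferenced by CERT_LIST_HEAD.
 * @return Number of nodes in the list.
 */
int
SSM_CertListCount(CERTCertList *certList)
{
    int numCerts = 0;
    CERTCertListNode *node;

    if (certList == NULL) {
        return 0;
    }
    for (node = CERT_LIST_HEAD(certList);
         !CERT_LIST_END(node, certList);
         node = CERT_LIST_NEXT(node)) {
        numCerts++;
    }
    return numCerts;
}

/* ### mwelch - PKCS11 private function?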
Need prototype for Mac */
#ifdef XP_MAC
/* NOTE(review): extern "C" is C++ syntax; this only parses if the Mac build
 * compiles this file as C++ — confirm. */
extern "C" CERTCertList *PK11_FindCertsFromNickname(char *nickname, void *wincx);
#endif

/*
 * Build a list of certificates matching a nickname or an e-mail address.
 *
 * The internal certificate database is consulted first (by e-mail address when
 * `email` is true, by nickname otherwise). Only a nickname lookup that produced
 * no database list falls back to the PKCS#11 tokens. The token list is
 * returned when one was found, otherwise the database list (possibly NULL).
 *
 * NOTE(review): the fallback only runs when the CERT_Create*CertList helper
 * returns NULL; if it returns an empty, non-NULL list for "no match", tokens
 * are never searched — confirm against the NSS version in use.
 */
CERTCertList *
SSMControlConnection_CreateCertListByNickname(SSMControlConnection * ctrl,
                                             char * nick, PRBool email)
{
    CERTCertList *fromDB = CERT_NewCertList();
    CERTCertList *fromToken = NULL;

    fromDB = email
        ? CERT_CreateEmailAddrCertList(fromDB, ctrl->m_certdb, nick, PR_Now(), PR_FALSE)
        : CERT_CreateNicknameCertList(fromDB, ctrl->m_certdb, nick, PR_Now(), PR_FALSE);

    /* nickname lookups may also live on a token; e-mail lookups do not fall back */
    if (!email && !fromDB) {
        fromToken = PK11_FindCertsFromNickname(nick, ctrl);
    }
    return fromToken ? fromToken : fromDB;
}

/*
 * Find a single certificate by nickname or e-mail address.
 *
 * Same search order as SSMControlConnection_CreateCertListByNickname: the
 * internal database first and, for nickname lookups only, the PKCS#11 tokens
 * afterwards. Returns NULL when nothing matched.
 */
CERTCertificate *
SSMControlConnection_FindCertByNickname(SSMControlConnection * ctrl,
                                       char * nick, PRBool email)
{
    CERTCertificate *found;

    if (email) {
        return CERT_FindCertByEmailAddr(ctrl->m_certdb, nick);
    }
    found = CERT_FindCertByNickname(ctrl->m_certdb, nick);
    if (found == NULL) {
        found = PK11_FindCertFromNickname(nick, ctrl);
    }
    return found;
}

/*
 * Keyword handler that renders the "ocsp_options_template" resource with the
 * CHECKED markers derived from the security.OCSP.enabled and
 * security.OCSP.useDefaultResponder preferences plus the security.OCSP.URL
 * string. The body continues below this point.
 */
SSMStatus
SSM_OCSPOptionsKeywordHandler(SSMTextGenContext *cx)
{
    SSMStatus rv;
    PRBool prefBool;
    char *fmt = NULL, *ocspURL;
    char *noOCSP = NULL, *noDefaultResponder = NULL, *useDefaultResponder = NULL;
    PrefSet *prefs;

    rv = SSM_GetAndExpandTextKeyedByString(cx, "ocsp_options_template", &fmt);
    if (rv != SSM_SUCCESS) {
        goto loser;
    }
    prefs = cx->m_request->ctrlconn->m_prefs;
    rv = PREF_GetStringPref(prefs, "security.OCSP.URL", &ocspURL);
    if (rv != SSM_SUCCESS) {
        /* no configured responder URL: render an empty field */
        ocspURL = "";
    }
    rv = PREF_GetBoolPref(prefs, "security.OCSP.enabled", &prefBool);
    /*
     * Since the CHECKED is part of the HTML parsed by the browser,
     * we don't have to localize it. If the user were going to see
     * it, then we would have to localize it.
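*/
    if (rv != SSM_SUCCESS || !prefBool) {
        /* OCSP disabled (or unreadable): "no OCSP" is the checked radio */
        noOCSP = "CHECKED";
        noDefaultResponder = "";
        useDefaultResponder = "";
    } else {
        rv = PREF_GetBoolPref(prefs, "security.OCSP.useDefaultResponder", &prefBool);
        if (rv != SSM_SUCCESS) {
            noOCSP = "CHECKED";
            noDefaultResponder = "";
            useDefaultResponder = "";
        } else if (prefBool) {
            noOCSP = "";
            noDefaultResponder = "";
            useDefaultResponder = "CHECKED";
        } else {
            noOCSP = "";
            noDefaultResponder = "CHECKED";
            useDefaultResponder = "";
        }
    }
    PR_FREEIF(cx->m_result);
    /* fmt is the expanded template resource, used here as the format string;
     * it must never carry user-controlled text. NOTE(review): a NULL from
     * PR_smprintf is reported as SSM_SUCCESS here — confirm callers cope. */
    cx->m_result = PR_smprintf(fmt, noOCSP, noDefaultResponder, useDefaultResponder, ocspURL);
    PR_Free(fmt);
    return SSM_SUCCESS;
loser:
    PR_FREEIF(fmt);
    return SSM_FAILURE;
}

/*
 * Keyword handler that renders the "default_responder_template" resource with
 * the configured OCSP signing CA ("security.OCSP.signingCA").
 *
 * Always reports SSM_SUCCESS: when the preference or template is missing, or
 * formatting fails, cx->m_result is set to an empty string so the page still
 * renders. The previous cx->m_result is released before it is replaced on
 * every path (the fallback path used to overwrite it without freeing it).
 */
SSMStatus
SSM_OCSPDefaultResponderKeywordHandler(SSMTextGenContext *cx)
{
    char *defaultResponder = NULL;
    char *fmt = NULL;
    PrefSet *prefs = cx->m_request->ctrlconn->m_prefs;

    if (PREF_GetStringPref(prefs, "security.OCSP.signingCA", &defaultResponder) != SSM_SUCCESS) {
        goto loser;
    }
    if (SSM_GetAndExpandTextKeyedByString(cx, "default_responder_template", &fmt) != SSM_SUCCESS) {
        goto loser;
    }
    PR_FREEIF(cx->m_result);
    /* fmt is the template resource, presumed trusted, used as the format string */
    cx->m_result = PR_smprintf(fmt, defaultResponder);
    if (cx->m_result == NULL) {
        goto loser;
    }
    PR_Free(fmt);
    return SSM_SUCCESS;

loser:
    /* drop whatever result was there before substituting the empty string */
    PR_FREEIF(cx->m_result);
    cx->m_result = PL_strdup("");
    PR_FREEIF(fmt);
    return SSM_SUCCESS;
}

/*
 * Keyword handler that yields the URL from which the user can obtain a new
 * certificate. A site-customised "obtainCertURL" preference wins; otherwise
 * the "new_cert_URL" text resource is used. On success the string becomes
 * cx->m_result (the old value is freed first); on failure the context is
 * left untouched and the lookup status is returned.
 */
SSMStatus
SSM_ObtainNewCertSite(SSMTextGenContext * cx)
{
    char *url = NULL;
    SSMStatus rv;

    rv = PREF_GetStringPref(cx->m_request->ctrlconn->m_prefs, "obtainCertURL", &url);
    if (rv != SSM_SUCCESS) {
        rv = SSM_GetAndExpandText(cx, "new_cert_URL", &url);
        if (rv != SSM_SUCCESS) {
            SSM_DEBUG("NewCertSite: can't find URL for obtaining new certs!\n");
            return rv;
        }
        SSM_DEBUG("NewCertSite: no customized URL provided using default:%s", url);
    }
    PR_FREEIF(cx->m_result);
    cx->m_result = url;
    return rv;
}

/*
 * Bring up the LDAP lookup dialog and block until the request handler
 * (SSM_ProcessLDAPRequestHandler) signals completion. The body continues
 * below this point.
 */
SSMStatus
SSM_ProcessLDAPWindow(HTTPRequest * req)
{
    SSMStatus rv = SSM_FAILURE;
    SSMResource * target = NULL;
    char * tmp = NULL,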
**ldap_servers, **ptr;

    if (!req || !req->ctrlconn)
        goto loser;
    /* Enumerate the configured servers (ldap_2.servers.*). With none there is
     * nothing to look up, so tell the UI and leave.
     * NOTE(review): ldap_servers is not initialised before this call; if
     * PREF_CreateChildList can fail without storing through its out-param,
     * the !ldap_servers test reads an indeterminate pointer — confirm. */
    rv = PREF_CreateChildList(req->ctrlconn->m_prefs, "ldap_2.servers", &ldap_servers);
    if (rv != SSM_SUCCESS || !ldap_servers) {
        SSMControlConnection_SendUIEvent(req->ctrlconn, "get", "show_followup", NULL,
                                         "result=no_ldap_setup",
                                         &((SSMResource *)req->ctrlconn)->m_clientContext);
        goto loser;
    }
    target = (req->target ? req->target : (SSMResource *) req->ctrlconn);
    /* send UI event to bring up the dialog */
    SSM_LockUIEvent(&req->ctrlconn->super.super);
    rv = SSMControlConnection_SendUIEvent(req->ctrlconn, "get", "ldap_request", target, NULL, &target->m_clientContext);
    if (rv != SSM_SUCCESS) {
        /* NOTE(review): this exit skips the ChildList cleanup below, so the
         * ldap_servers array leaks on this path. */
        SSM_UnlockUIEvent(&req->ctrlconn->super.super);
        goto loser;
    }
    /* Block until SSM_ProcessLDAPRequestHandler calls SSM_NotifyUIEvent. */
    SSM_WaitUIEvent(&req->ctrlconn->super.super, PR_INTERVAL_NO_TIMEOUT);
    /* if (req->ctrlconn->super.super.m_buttonType == SSM_BUTTON_CANCEL) { SSM_HTTPReportError(req, HTTP_NO_CONTENT); goto loser; } */
    /* free memory from ChildList */
    ptr = ldap_servers;
    while (*ptr) {
        PR_Free(*ptr);
        ptr++;
    }
    PR_Free(ldap_servers);
loser:
    if (req)
        SSM_RefreshRefererPage(req);
    return rv;
}

/*
 * HTTP command handler for the LDAP lookup dialog's form submission.
 *
 * Verifies the "baseRef" parameter, closes the dialog, honours "do_cancel",
 * then reads "emailaddress" and "ldapServer" from the request and (below this
 * point) runs SSM_CompleteLDAPLookup and records any imported certificate.
 * Every path ends at "loser:", which wakes the SSM_ProcessLDAPWindow that is
 * blocked in SSM_WaitUIEvent. The request parameters are user input from the
 * local UI.
 */
SSMStatus
SSM_ProcessLDAPRequestHandler(HTTPRequest * req)
{
    SSMStatus rv = SSM_FAILURE;
    char * tmpStr = NULL, *emailaddr, *ldapserver;
    char* key = NULL;

    /* make sure you got the right baseRef */
    rv = SSM_HTTPParamValue(req, "baseRef", &tmpStr);
    if (rv != SSM_SUCCESS || PL_strcmp(tmpStr, "windowclose_doclose_js") != 0) {
        goto loser;
    }
    /* Close the window */
    rv = SSM_HTTPDefaultCommandHandler(req);
    if (rv != SSM_SUCCESS)
        SSM_DEBUG("UI_ProcessLDAPRequest: can't close the window !\n");
    rv = SSM_HTTPParamValue(req, "do_cancel", &tmpStr);
    if (rv == SSM_SUCCESS && tmpStr) {
        /* user cancelled: record it for the waiting window; rv is SSM_SUCCESS
         * here, so a cancel is reported as success to the caller */
        req->ctrlconn->super.super.m_buttonType = SSM_BUTTON_CANCEL;
        goto loser;
    }
    req->ctrlconn->super.super.m_buttonType = SSM_BUTTON_OK;
    rv = SSM_HTTPParamValue(req, "emailaddress", &emailaddr);
    if (rv != SSM_SUCCESS) {
        SSM_DEBUG("UI_ProcessLDAPRequest: no email address supplied!\n");
        goto loser;
    }
    rv = SSM_HTTPParamValue(req,
"ldapServer", &ldapserver); if (rv != SSM_SUCCESS) { SSM_DEBUG("UI_ProcessLDAPRequest: can't find ldap server parameter!\n"); goto loser; } /* create a complete key part */ key = PR_smprintf("ldap_2.servers.%s", ldapserver); if (key == NULL) { goto loser; } rv = SSM_CompleteLDAPLookup(req->ctrlconn, key, emailaddr); if (rv == SSM_SUCCESS) SSM_ChangeCertSecAdvisorList(req, emailaddr, certHashAdd); else SSM_DEBUG("UI_ProcessLDAPRequest: can't import new cert into the db!\n"); loser: SSM_NotifyUIEvent(&req->ctrlconn->super.super); PR_FREEIF(key); return rv;}SSMStatus SSM_CompleteLDAPLookup(SSMControlConnection *ctrl, char * ldapserver, char *emailaddr){ SSMStatus rv = SSM_FAILURE; char * tmpStr, * servername, *baseDN, *mailAttribs; SECItem newCert = { siBuffer, NULL, 0}; CERTCertificate * cert = NULL; SECStatus secrv; int port = 0; char cert_attribs[] = "userSMIMECertificate,usercertificate;binary"; cert_struct * certs[2] = {NULL, NULL}; /* one for ea cert_attrib */ if (!ctrl || !ldapserver) goto loser; PR_ASSERT(SSM_IsA((SSMResource *)ctrl, SSM_RESTYPE_CONTROL_CONNECTION)); tmpStr = PR_smprintf("%s.serverName", ldapserver); rv = PREF_GetStringPref(ctrl->m_prefs,tmpStr, &servername); PR_FREEIF(tmpStr); if (rv != SSM_SUCCESS) { SSM_DEBUG("CompleteLDAPLookup: can't find LDAP server %s!\n",ldapserver); goto loser; } /* DN, mail attribs and port are not supplied from UI, look up in prefs */ tmpStr = PR_smprintf("%s.searchBase",ldapserver); rv = PREF_GetStringPref(ctrl->m_prefs, tmpStr, &baseDN); PR_FREEIF(tmpStr); if (rv != SSM_SUCCESS) { SSM_DEBUG("CompleteLDAPLookup: can't find baseDN for %s!\n",ldapserver); goto loser; } tmpStr = PR_smprintf("%s.attributes.mail",ldapserver); rv = PREF_GetStringPref(ctrl->m_prefs, tmpStr, &mailAttribs); PR_FREEIF(tmpStr); if (rv != SSM_SUCCESS) { SSM_DEBUG("CompleteLDAPLookup:can't find mail attributes for %s!\n", ldapserver); goto loser; } tmpStr = PR_smprintf("%s.port",ldapserver); rv = PREF_GetIntPref(ctrl->m_prefs, tmpStr, &port); 
PR_FREEIF(tmpStr);
    if (rv != SSM_SUCCESS)
        port = 0;
#ifndef XP_MAC
    /* certs[0] receives userSMIMECertificate values, certs[1]
     * usercertificate;binary values; both are untrusted data from the directory */
    rv = LDAPCertSearch(emailaddr, servername, baseDN, port, 1, NULL, NULL, NULL, mailAttribs, cert_attribs, certs);
#else
    rv = SSM_FAILURE; /* don't yet support LDAP on the Mac */
#endif
    if (rv != SSM_SUCCESS) {
        SSM_DEBUG("CompleteLDAPLookup: ldap search did not find anything!\n");
        goto loser;
    }
    /* Go thru the possible multiple Certs retrieved from LDAP */
    rv = SSM_FAILURE; /* default case - no good Certs found */
    /* first check any userSMIMECerts found */
    if (certs[0]) {
        PRBool ret;
        SEC_PKCS7ContentInfo *ci;
        SECItem digest;
        unsigned char nullsha1[SHA1_LENGTH];
        struct cert_struct_def * cert_ptr;

        cert_ptr = certs[0];
        while (cert_ptr->cert_len) {
            newCert.len = cert_ptr->cert_len;
            newCert.data = (unsigned char *) cert_ptr->cert;
            ci = SEC_PKCS7DecodeItem(&newCert, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
            if ( ci != NULL ) {
                if ( SEC_PKCS7ContentIsSigned(ci) ) {
                    /* NOTE(review): SHA1_HashBuf returns a SECStatus but is
                     * stored in rv, an SSMStatus. Once the hash succeeds rv
                     * holds SECSuccess, which presumably equals SSM_SUCCESS
                     * (both are 0 in NSS/NSPR), so this loop reports success
                     * even when SEC_PKCS7VerifyDetachedSignature returns
                     * PR_FALSE. The unused local `secrv` looks like the
                     * intended target; rv should only become SSM_SUCCESS on a
                     * verified signature. */
                    rv = SHA1_HashBuf(nullsha1, nullsha1, 0);
                    if ( rv != SECSuccess ) {
                        break;
                    }
                    /* verify the signature over empty content (digest of "") */
                    digest.len = SHA1_LENGTH;
                    digest.data = nullsha1;
                    ret = SEC_PKCS7VerifyDetachedSignature(ci, certUsageEmailRecipient, &digest, HASH_AlgSHA1, PR_TRUE);
                    if (ret == PR_TRUE) {
                        rv = SSM_SUCCESS;
                    }
                }
            }
            /* NOTE(review): ci is never released (no SEC_PKCS7DestroyContentInfo
             * call in this loop), so each decoded item leaks. */
            PR_Free(cert_ptr->cert);
            /* only the increment has an effect; the dereference is a no-op */
            *cert_ptr++;
        }
        PR_Free(certs[0]);
    }
    /* If no valid Certs found yet, try userCertificate;binary */
    if (rv == SSM_FAILURE && certs[1]) {
        struct cert_struct_def * cert_ptr;

        cert_ptr = certs[1];
        while (cert_ptr->cert_len) {
            newCert.len = cert_ptr->cert_len;
            newCert.data = (unsigned char *) cert_ptr->cert;
/* memcpy(newCert.data, cert_ptr->cert, newCert.len); */
            /* Okay, got a Cert - so try to store in CertDB */