
📄 processmsg.c

📁 安全开发库。含客户端建立ssl连接、签名、证书验证、证书发布和撤销等。编译用到nss
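    /* NOTE: this listing starts part-way through a function whose opening
     * lines are not shown; the fragment below is reproduced unchanged. */
    *moduleType = 0;
    srv = SECMOD_DeleteModule(request.string, moduleType);
    if (srv != SECSuccess) {
        goto loser;
    }
    PR_Free(request.string);
    return PR_SUCCESS;
 loser:
    if (request.string != NULL) {
        PR_Free(request.string);
    }
    return PR_FAILURE;
}

/*
 * Report whether at least one of the given cipher identifiers is permitted
 * by the current SSL cipher policy.
 *
 * ciphers     array of cipher identifiers to query
 * numCiphers  number of entries in ciphers
 *
 * Returns PR_TRUE as soon as SSL_CipherPolicyGet succeeds for an entry and
 * reports SSL_ALLOWED; PR_FALSE otherwise (including for an empty or NULL
 * array).
 */
static PRBool
SSM_CiphersEnabled(PRInt32 *ciphers, PRInt16 numCiphers)
{
    PRInt16 i;

    if (ciphers == NULL) {
        return PR_FALSE;
    }
    for (i = 0; i < numCiphers; i++) {
        PRInt32 policy;
        SECStatus rv = SSL_CipherPolicyGet(ciphers[i], &policy);

        if (rv == SECSuccess && policy == SSL_ALLOWED) {
            return PR_TRUE;
        }
    }
    return PR_FALSE;
}

/* Local aliases for the SSL_EN_* cipher identifiers queried below. */
#define SSL_CB_RC4_128_WITH_MD5              (SSL_EN_RC4_128_WITH_MD5)
#define SSL_CB_RC4_128_EXPORT40_WITH_MD5     (SSL_EN_RC4_128_EXPORT40_WITH_MD5)
#define SSL_CB_RC2_128_CBC_WITH_MD5          (SSL_EN_RC2_128_CBC_WITH_MD5)
#define SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5 (SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5)
#define SSL_CB_IDEA_128_CBC_WITH_MD5         (SSL_EN_IDEA_128_CBC_WITH_MD5)
#define SSL_CB_DES_64_CBC_WITH_MD5           (SSL_EN_DES_64_CBC_WITH_MD5)
#define SSL_CB_DES_192_EDE3_CBC_WITH_MD5     (SSL_EN_DES_192_EDE3_CBC_WITH_MD5)

/*
 * Build the SSL_SC_* capability bitmask reported to the client.
 *
 * The RSA, MD2 and MD5 bits are always set.  Each cipher bit is added only
 * when the cipher policy allows at least one of the corresponding SSL_EN_*
 * identifiers.
 *
 * NOTE(review): every cipher queried here is a legacy, MD5-based suite, and
 * two of them are 40-bit export variants.  The mask only mirrors the
 * configured policy; disabling these suites has to happen in that policy.
 */
static CMInt32
SSM_GetSSLCapabilities(void)
{
    CMInt32 allowed = (SSL_SC_RSA | SSL_SC_MD2 | SSL_SC_MD5);
    PRInt32 policies[2];

    policies[0] = SSL_CB_RC2_128_CBC_WITH_MD5;
    policies[1] = SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5;
    if (SSM_CiphersEnabled(policies, 2)) {
        allowed |= SSL_SC_RC2_CBC;
    }

    policies[0] = SSL_CB_RC4_128_WITH_MD5;
    policies[1] = SSL_CB_RC4_128_EXPORT40_WITH_MD5;
    if (SSM_CiphersEnabled(policies, 2)) {
        allowed |= SSL_SC_RC4;
    }

    policies[0] = SSL_CB_DES_64_CBC_WITH_MD5;
    if (SSM_CiphersEnabled(policies, 1)) {
        allowed |= SSL_SC_DES_CBC;
    }

    policies[0] = SSL_CB_DES_192_EDE3_CBC_WITH_MD5;
    if (SSM_CiphersEnabled(policies, 1)) {
        allowed |= SSL_SC_DES_EDE3_CBC;
    }

    policies[0] = SSL_CB_IDEA_128_CBC_WITH_MD5;
    if (SSM_CiphersEnabled(policies, 1)) {
        allowed |= SSL_SC_IDEA_CBC;
    }
    return allowed;
}

/*
 * Dispatch a PKCS11 request from the control connection by message subtype.
 *
 * ctrl  control connection the request arrived on
 * msg   request message; rewritten in place into the reply on success
 *
 * Returns PR_SUCCESS when a reply was prepared in msg, PR_FAILURE for an
 * unknown subtype or when a helper or the reply encoding fails.
 */
SSMStatus
SSMControlConnection_ProcessPKCS11Request(SSMControlConnection * ctrl,
                                          SECItem * msg)
{
  SSMResourceID  rsrcid;
  SSMStatus       rv;
  SECStatus      srv;
  PRInt32        moduleType;
  SingleNumMessage reply;

  SSM_DEBUG("Got a PKCS11 request.\n");
  switch (msg->type & SSM_SUBTYPE_MASK) {
  case SSM_CREATE_KEY_PAIR:
    /* Should just call a function that does the appropriate action. */
    SSM_DEBUG("Generating a key pair.\n");
    rv = SSMKeyGenContext_BeginGeneratingKeyPair(ctrl, msg, &rsrcid);
    if (rv != PR_SUCCESS) {
      goto loser;
    }
    /* Getting this far means success */
    msg->type = (SECItemType) (SSM_REPLY_OK_MESSAGE | SSM_PKCS11_ACTION | SSM_CREATE_KEY_PAIR);
    msg->data = NULL;
    msg->len = 0;
    reply.value = rsrcid;
    if (CMT_EncodeMessage(SingleNumMessageTemplate, (CMTItem*)msg, &reply) != CMTSuccess) {
      goto loser;
    }
    break;
  case SSM_FINISH_KEY_GEN:
    SSM_DEBUG("Finish generating all of the key pairs. \n");
    rv = SSMKeyGenContext_FinishGeneratingAllKeyPairs(ctrl, msg);
    if (rv != PR_SUCCESS) {
      goto loser;
    }
    msg->type = (SECItemType) (SSM_REPLY_OK_MESSAGE | SSM_PKCS11_ACTION | SSM_FINISH_KEY_GEN);
    msg->data = NULL;
    msg->len  = 0;
    break;
  case SSM_ADD_NEW_MODULE:
    /* NOTE(review): a PKCS#11 module is native code loaded into this
     * process.  What validates the requested module is not visible in
     * this listing -- confirm that the helper restricts it and that only
     * a trusted control client can reach this case. */
    SSM_DEBUG("Adding a new PKCS11 module.\n");
    srv = SSMControlConnection_AddNewSecurityModule(ctrl, msg);
    msg->type = (SECItemType) (SSM_REPLY_OK_MESSAGE | SSM_PKCS11_ACTION |
                               SSM_ADD_NEW_MODULE);
    /* The helper's status is returned to the client in the reply body. */
    reply.value = srv;
    if (CMT_EncodeMessage(SingleNumMessageTemplate, (CMTItem*)msg, &reply) != CMTSuccess) {
      goto loser;
    }
    break;
  case SSM_DEL_MODULE:
    rv = SSMControlConnection_DeleteSecurityModule(ctrl, msg, &moduleType);
    if (rv != PR_SUCCESS) {
      goto loser;
    }
    PR_Free(msg->data);
    /* Clear the freed pointer so that a failed encode below cannot leave
     * the caller holding a dangling msg->data (double-free hazard). */
    msg->data = NULL;
    msg->len  = 0;
    msg->type = (SECItemType) (SSM_REPLY_OK_MESSAGE | SSM_PKCS11_ACTION |
                               SSM_DEL_MODULE);
    reply.value = moduleType;
    if (CMT_EncodeMessage(SingleNumMessageTemplate, (CMTItem*)msg, &reply) != CMTSuccess) {
      goto loser;
    }
    break;
  case SSM_LOGOUT_ALL:
    PK11_LogoutAll();
    if (msg->data) {
      PR_Free(msg->data);
    }
    msg->data = NULL;
    msg->len  = 0;
    msg->type = (SECItemType) (SSM_REPLY_OK_MESSAGE | SSM_PKCS11_ACTION |
                               SSM_LOGOUT_ALL);
    break;
  case SSM_ENABLED_CIPHERS:
    reply.value = SSM_GetSSLCapabilities();
    msg->type = (SECItemType) (SSM_REPLY_OK_MESSAGE | SSM_PKCS11_ACTION |
                               SSM_ENABLED_CIPHERS);
    if (CMT_EncodeMessage(SingleNumMessageTemplate,
                          (CMTItem*)msg, &reply) != CMTSuccess) {
      goto loser;
    }
    break;
  default:
    /* Cast so the argument matches the %lx conversion. */
    SSM_DEBUG("Unknown PKCS11 message %lx\n", (unsigned long) msg->type);
    goto loser;
  }
  return PR_SUCCESS;
 loser:
  return PR_FAILURE;
}

/*
 * Dispatch a CRMF/CMMF request from the control connection by subtype.
 *
 * ctrl  control connection the request arrived on
 * msg   request message; rewritten in place into the reply where the
 *       reply is produced synchronously
 *
 * Returns PR_SUCCESS when a reply was prepared in msg,
 * SSM_ERR_DEFER_RESPONSE when the reply is deferred (DER encoding thread
 * started, or the CMMF response helper returned that status), and
 * PR_FAILURE otherwise.
 */
SSMStatus
SSMControlConnection_ProcessCRMFRequest(SSMControlConnection * ctrl,
                                        SECItem *msg)
{
  SSMResourceID  rsrcid;
  char          *challengeResponse;
  SSMStatus       rv;
  PRInt32        challengeLen;

  SSM_DEBUG("Got a CRMF/CMMF request\n");
  switch(msg->type & SSM_SUBTYPE_MASK) {
  case SSM_CREATE_CRMF_REQ:
      {
        SingleNumMessage reply;

        SSM_DEBUG("Generating a new CRMF request\n");
        rv = SSM_CreateNewCRMFRequest(msg, ctrl, &rsrcid);
        if (rv != PR_SUCCESS) {
            goto loser;
        }
        msg->type = (SECItemType) (SSM_REPLY_OK_MESSAGE | SSM_CRMF_ACTION | SSM_CREATE_CRMF_REQ);
        reply.value = rsrcid;
        if (CMT_EncodeMessage(SingleNumMessageTemplate, (CMTItem*)msg, &reply) != CMTSuccess) {
            goto loser;
        }
      }
    break;
  case SSM_DER_ENCODE_REQ:
      {
          SSMCRMFThreadArg *arg;

          arg = SSM_NEW(SSMCRMFThreadArg);
          if (arg == NULL) {
              goto loser;
          }
          arg->ctrl = ctrl;
          arg->msg = SECITEM_DupItem(msg);
          if (arg->msg == NULL) {
              /* Bail out here: falling through would hand the freed arg
               * to the new thread (use-after-free) and free it a second
               * time if thread creation failed. */
              PR_Free(arg);
              goto loser;
          }
          /* Take a reference on the control connection before starting
           * the thread; it is dropped again below if creation fails. */
          SSM_GetResourceReference(&ctrl->super.super);
          if (PR_CreateThread(PR_USER_THREAD,
                              SSM_CRMFEncodeThread,
                              (void*)arg,
                              PR_PRIORITY_NORMAL,
                              PR_LOCAL_THREAD,
                              PR_UNJOINABLE_THREAD, 0) == NULL) {
              SSM_DEBUG("Couldn't start thread for CRMF encoding");
              SECITEM_FreeItem(arg->msg, PR_TRUE);
              PR_Free(arg);
              SSM_FreeResource(&ctrl->super.super);
              goto loser;
          }
          /* arg is now passed to SSM_CRMFEncodeThread. */
          return SSM_ERR_DEFER_RESPONSE;
      }
  case SSM_PROCESS_CMMF_RESP:
    SSM_DEBUG("Process a CMMF Response.\n");
    rv = SSM_ProcessCMMFCertResponse(msg, ctrl);
    /* NOTE(review): any status other than SSM_ERR_DEFER_RESPONSE,
     * including PR_SUCCESS, is reported as a failure -- confirm that the
     * helper never completes synchronously. */
    if (rv != SSM_ERR_DEFER_RESPONSE) {
      goto loser;
    }
    return rv;
  case SSM_CHALLENGE:
      {
        SingleItemMessage reply;

        SSM_DEBUG("Doing a Challenge-Response for Proof Of Possession.\n");
        /* NOTE(review): challengeLen is a PRInt32 passed through an
         * unsigned int * cast -- confirm the two types have the same
         * width on every supported platform. */
        rv = SSM_RespondToPOPChallenge(msg, ctrl, &challengeResponse,
                                       (unsigned int *) &challengeLen);
        if (rv != PR_SUCCESS) {
            goto loser;
        }
        msg->data = NULL;
        msg->len  = 0;
        msg->type = (SECItemType) (SSM_REPLY_OK_MESSAGE | SSM_CRMF_ACTION | SSM_CHALLENGE);
        reply.item.len = challengeLen;
        reply.item.data = (unsigned char *) challengeResponse;
        if (CMT_EncodeMessage(SingleItemMessageTemplate, (CMTItem*)msg, &reply) != CMTSuccess) {
            /* Release the response buffer on the error path as well. */
            PR_Free(challengeResponse);
            goto loser;
        }
        /* NOTE(review): %s assumes the response is NUL-terminated text;
         * verify against SSM_RespondToPOPChallenge. */
        SSM_DEBUG("Answering challenge with following response:\n%s\n",
                  challengeResponse);
        PR_Free(challengeResponse);
      }
    break;
  default:
    /* Cast so the argument matches the %lx conversion. */
    SSM_DEBUG("Got unkown CRMF/CMMF message %lx\n", (unsigned long) msg->type);
    goto loser;
  }
  return PR_SUCCESS;
 loser:
  return PR_FAILURE;
}

/*
 * Map a localized-string identifier to the lookup key of its text.
 *
 * Returns a PL_strdup'ed copy of the key, which the caller must release,
 * or NULL when the identifier is not recognised (or the copy fails).
 *
 * NOTE(review): SSM_STRING_BAD_MOD_NAME maps to the same key as
 * SSM_STRING_BAD_PK11_LIB_PATH, SSM_STRING_INVALID_CKL maps to
 * "invalid_krl", and the key "javascript_diabled" is spelled that way.
 * The keys are kept byte-for-byte because they must match whatever the
 * string bundle defines -- confirm them against the bundle.
 */
char*
get_string_key(SSMLocalizedString whichString)
{
    char *key = NULL;

    switch(whichString) {
    case SSM_STRING_BAD_PK11_LIB_PARAM:
        key = "module_invalid_module_name";
        break;
    case SSM_STRING_BAD_PK11_LIB_PATH:
        key = "module_invalid_library";
        break;
    case SSM_STRING_ADD_MOD_SUCCESS:
        key = "module_add_success";
        break;
    case SSM_STRING_ADD_MOD_FAILURE:
        key = "module_add_failure";
        break;
    case SSM_STRING_BAD_MOD_NAME:
        key = "module_invalid_library";
        break;
    case SSM_STRING_EXT_MOD_DEL:
        key = "module_ext_mod_del";
        break;
    case SSM_STRING_INT_MOD_DEL:
        key = "module_int_mod_del";
        break;
    case SSM_STRING_MOD_DEL_FAIL:
        key = "module_del_failure";
        break;
    case SSM_STRING_ADD_MOD_WARN:
        key = "module_add_warning";
        break;
    case SSM_STRING_MOD_PROMPT:
        key = "module_prompt";
        break;
    case SSM_STRING_DLL_PROMPT:
        key = "module_library_prompt";
        break;
    case SSM_STRING_DEL_MOD_WARN:
        key = "module_del_warning";
        break;
    case SSM_STRING_INVALID_CRL:
        key = "invalid_crl";
        break;
    case SSM_STRING_INVALID_CKL:
        key = "invalid_krl";
        break;
    case SSM_STRING_ROOT_CKL_CERT_NOT_FOUND:
        key = "root_ckl_cert_not_found";
        break;
    case SSM_STRING_BAD_CRL_SIGNATURE:
        key = "bad_crl_signature";
        break;
    case SSM_STRING_BAD_CKL_SIGNATURE:
        key = "bad_ckl_signature";
        break;
    case SSM_STRING_ERR_ADD_CRL:
        key = "error_adding_crl";
        break;
    case SSM_STRING_ERR_ADD_CKL:
        key = "error_adding_ckl";
        break;
    case SSM_STRING_JAVASCRIPT_DISABLED:
        key = "javascript_diabled";
        break;
    default:
        /* Unknown identifier: key stays NULL. */
        break;
    }
    if (key == NULL) {
        return NULL;
    }
    return PL_strdup(key);
}

/*
 * Answer a request for one localized string.
 *
 * Decodes the string identifier from msg, looks the text up in the string
 * bundles and encodes it into msg as the reply.
 *
 * Returns PR_SUCCESS when the reply was encoded, PR_FAILURE otherwise.
 *
 * NOTE(review): txtGenCxt is created here and never released on any path
 * in this function -- confirm whether the context has to be destroyed.
 */
SSMStatus
SSMControlConnection_ProcessLocalizedTextRequest(SSMControlConnection *ctrl,
                                                 SECItem * msg)
{
    SSMStatus            rv;
    char               *localizedString=NULL;
    char               *key=NULL;
    SSMTextGenContext  *txtGenCxt=NULL;
    SingleNumMessage request;
    GetLocalizedTextReply reply;

    SSM_DEBUG("Retrieving localized text\n");
    /* Decode the message */
    if (CMT_DecodeMessage(SingleNumMessageTemplate, &request, (CMTItem*)msg) != CMTSuccess) {
        goto loser;
    }
    /* The client-supplied identifier is only ever used to select a fixed
     * key; unknown values yield NULL and are rejected. */
    key = get_string_key((SSMLocalizedString) request.value);
    if (key == NULL) {
        goto loser;
    }
    rv = SSMTextGen_NewContext(NULL, NULL, NULL, NULL, &txtGenCxt);
    if (rv != PR_SUCCESS) {
        goto loser;
    }
    rv = SSM_FindUTF8StringInBundles(txtGenCxt, key, &localizedString);
    if (rv != PR_SUCCESS) {
        /* Do not trust the out-parameter after a failed lookup. */
        localizedString = NULL;
        goto loser;
    }
    msg->type = (SECItemType) (SSM_REPLY_OK_MESSAGE | SSM_LOCALIZED_TEXT);
    reply.whichString = request.value;
    reply.localizedString = localizedString;
    if (CMT_EncodeMessage(GetLocalizedTextReplyTemplate, (CMTItem*)msg, &reply) != CMTSuccess) {
        goto loser;
    }
    if (msg->len == 0 || msg->data == NULL) {
        goto loser;
    }
    SSM_DEBUG("Returning the string \"%s\"\n", localizedString);
    PR_Free(localizedString);
    /* key comes from PL_strdup, so release it with PL_strfree. */
    PL_strfree(key);
    return PR_SUCCESS;
loser:
    /* Release the looked-up text on the error paths as well. */
    if (localizedString != NULL) {
        PR_Free(localizedString);
    }
    if (key != NULL) {
        PL_strfree(key);
    }
    return PR_FAILURE;
}

/*
 * Dispatch a form-signing request from the control connection by subtype.
 *
 * Returns PR_SUCCESS when a sign-text request was created and msg was
 * turned into an empty OK reply, PR_FAILURE for an unknown subtype or when
 * SSM_CreateSignTextRequest fails.
 */
SSMStatus
SSMControlConnection_ProcessFormSigningRequest(SSMControlConnection * ctrl,
                                               SECItem *msg)
{
    SSMStatus       rv;

    SSM_DEBUG("Got a From Signing request\n");
    switch(msg->type & SSM_SUBTYPE_MASK) {
        case SSM_SIGN_TEXT:
            SSM_DEBUG("Generating a new sign text request\n");
            rv = SSM_CreateSignTextRequest(msg, ctrl);
            if (rv != PR_SUCCESS) {
                goto loser;
            }
            msg->type = (SECItemType) (SSM_REPLY_OK_MESSAGE | SSM_FORMSIGN_ACTION | SSM_SIGN_TEXT);
            /* The reply carries no payload: drop the request body. */
            PR_Free(msg->data);
            msg->data = NULL;
            msg->len = 0;
            break;
        default:
            /* Cast so the argument matches the %lx conversion. */
            SSM_DEBUG("Got unkown Form Signing message %lx\n",
                      (unsigned long) msg->type);
            goto loser;
    }
    return PR_SUCCESS;
loser:
    return PR_FAILURE;
}

/* NOTE: the listing ends part-way through the following function; the
 * visible portion is reproduced unchanged. */
SSMStatus
SSMControlConnection_ProcessRedirectCompare(SSMControlConnection *ctrl,
                                            SECItem * msg)
{
    RedirectCompareRequest request;
    SSMSSLSocketStatus *ss1=NULL, *ss2=NULL;
    SingleNumMessage reply;

    SSM_DEBUG("Comparing Certs for re-direct\n");
    if (CMT_DecodeMessage(RedirectCompareRequestTemplate, &request,
                          (CMTItem*)msg) != CMTSuccess) {
        goto loser;
    }
    if (SSMSSLSocketStatus_Unpickle((SSMResource**)&ss1,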
