pkcs11ui.c

安全开发库。含客户端建立ssl连接、签名、证书验证、证书发布和撤销等。编译用到nss

    if (module)
        SECMOD_DestroyModule(module);
    return rv;
}

SSMStatus
ssm_pkcs11_chuck_property(SSMTextGenContext *cx, char *propName)
{
    char *text = NULL;
    SSMStatus rv;

    rv = SSM_GetAndExpandText(cx, propName, &text);
    if (rv != SSM_SUCCESS)
        goto loser;

    rv = SSM_HTTPSendUTF8String(cx->m_request, text);
    
 loser:
    PR_FREEIF(text);
    SSMTextGen_UTF8StringClear(&cx->m_result);
    return rv;
}

/* PKCS11ShowSlots?module=<moduleID> */
SSMStatus 
SSM_ShowSlotsCommandHandler(HTTPRequest *req)
{
    SSMTextGenContext *cx = NULL;
    char *tmpl = NULL, *type = NULL;
    char *nomod_ch = NULL;
    char *modID_ch = NULL;
    long moduleID;
    SECMODModule *module = NULL;
    PRIntn i;
    SSMStatus rv;

    /* If we have a "no_module" parameter, then there 
       is no module for which to load slots. */
    rv = SSM_HTTPParamValue(req, "no_module", &nomod_ch);
    if (rv == SSM_SUCCESS)
        goto display_stuff;

    rv = SSM_HTTPParamValue(req, "module", &modID_ch);
    if (rv != SSM_SUCCESS)
        goto display_stuff;

    if (modID_ch)
    {
        /* Convert the module ID into a real module ID. */
        PR_sscanf(modID_ch, "%ld", &moduleID);
        
        /* Find the module we're looking for based on the module ID. */
        module = SECMOD_FindModuleByID((SECMODModuleID) moduleID);
        if (!module)
            goto loser;
    }

 display_stuff:
    /* Make a new top-level text gen context to chuck text back. */
    rv = SSMTextGen_NewTopLevelContext(req, &cx);
    if (rv != SSM_SUCCESS)
        goto loser;

    rv = SSM_GetAndExpandText(cx, "adv_modules_slotlist_type", &type);
    if (rv != SSM_SUCCESS)
        goto loser;

    rv = SSM_HTTPSendOKHeader(req, NULL, type);
    if (rv != SSM_SUCCESS)
        goto loser;

    /* Chuck out part 1. */
    rv = ssm_pkcs11_chuck_property(cx, "adv_modules_slotlist_part1");
    if (rv != SSM_SUCCESS)
        goto loser;

    /* Get the template for the JS slot list. */
    rv = SSM_GetAndExpandText(cx, "adv_modules_slotlist_js_template", &tmpl);
    if (rv != SSM_SUCCESS)
        goto loser;

    /* Iterate over the slots from this module. Put relevant info from each
       into its own copy of the wrapper text. */
    if (module)
    {
        for(i=0;i<module->slotCount;i++)
        {
            rv = ssmpkcs11_convert_slot(cx, i, module->slots[i], tmpl, 
                                        PR_FALSE);
            if (rv != SSM_SUCCESS)
                goto loser;
        }
    }

    PR_Free(tmpl);
    tmpl = NULL;
    
    /* Chuck out part 2. */
    rv = ssm_pkcs11_chuck_property(cx, "adv_modules_slotlist_part2");
    if (rv != SSM_SUCCESS)
        goto loser;

    /* Get the template for the selectable slot list. */
    rv = SSM_GetAndExpandText(cx, "adv_modules_slotlist_select_template", &tmpl);
    if (rv != SSM_SUCCESS)
        goto loser;

    /* Iterate over the slots from this module. Put relevant info from each
       into its own copy of the wrapper text. */
    if (module)
    {
        for(i=0;i<module->slotCount;i++)
        {
            rv = ssmpkcs11_convert_slot(cx, i, module->slots[i], tmpl, 
                                        PR_FALSE);
            if (rv != SSM_SUCCESS)
                goto loser;
        }
    }

    /* Chuck out part 3. */
    rv = ssm_pkcs11_chuck_property(cx, "adv_modules_slotlist_part3");
    req->sentResponse = PR_TRUE;

    goto done;
 loser:
    if (rv == SSM_SUCCESS) rv = SSM_FAILURE;
 done:
    if (cx)
        SSMTextGen_DestroyContext(cx);
    PR_FREEIF(tmpl);
    return rv;
}

SSMStatus
ssm_find_module_from_request(HTTPRequest *req, SECMODModule **mod)
{
    char *modID_ch = NULL;
    PRInt32 moduleID;
    SSMStatus rv;

    rv = SSM_HTTPParamValue(req, "module", &modID_ch);
    if (rv != SSM_SUCCESS)
        goto done;

    if (modID_ch)
    {
        /* Convert the module ID into a real module ID. */
        PR_sscanf(modID_ch, "%ld", &moduleID);
        
        /* Find the module we're looking for based on the module ID. */
        *mod = SECMOD_FindModuleByID((SECMODModuleID) moduleID);
    }
 done:
    if ((!*mod) && (rv == SSM_SUCCESS))
        rv = SSM_FAILURE;
    return rv;
}

PK11SlotInfo *
find_slot_by_ID(SECMODModule *mod, CK_SLOT_ID slotID)
{
    int i;
    PK11SlotInfo *slot;

    for (i=0; i < mod->slotCount; i++) {
        slot = mod->slots[i];
        if (slot->slotID == (CK_SLOT_ID) slotID)
            return PK11_ReferenceSlot(slot);
    }
    return NULL;

}

SSMStatus
ssm_find_slot_from_request(HTTPRequest *req, PK11SlotInfo **slot)
{
    char *slotID_ch = NULL;
    PRInt32 slotID;
    SECMODModule *mod;
    SSMStatus rv = SSM_SUCCESS;

    rv = ssm_find_module_from_request(req, &mod);
    if (rv != SSM_SUCCESS)
        goto done;

    rv = SSM_HTTPParamValue(req, "slot", &slotID_ch);
    if (rv != SSM_SUCCESS)
        goto done;

    if (slotID_ch)
    {
        /* Convert the module ID into a real module ID. */
        PR_sscanf(slotID_ch, "%ld", &slotID);

        /* Find the module we're looking for based on the module ID. */
        *slot = find_slot_by_ID(mod, (CK_SLOT_ID) slotID);
    }
 done:
    if ((!*slot) && (rv == SSM_SUCCESS))
        rv = SSM_FAILURE;
    return rv;
}

SSMStatus
ssmpkcs11_show_slot_info(HTTPRequest *req, PK11SlotInfo *slot)
{
    char *wrapperStr = NULL;
    char *tmpl = NULL;
    char *type = NULL;
    SSMTextGenContext *cx;
    SSMStatus rv;

    /* Make a new top-level text gen context to chuck text back. */
    rv = SSMTextGen_NewTopLevelContext(req, &cx);
    if (rv != SSM_SUCCESS)
        goto loser;

    rv = SSM_GetAndExpandText(cx, "adv_modules_slot_info_type", &type);
    if (rv != SSM_SUCCESS)
        goto loser;

    rv = SSM_HTTPSendOKHeader(req, NULL, type);
    if (rv != SSM_SUCCESS)
        goto loser;

    rv = SSM_GetAndExpandText(cx, "adv_modules_slot_info_content", &wrapperStr);
    if (rv != SSM_SUCCESS)
        goto loser; /* error string set by the called function */

    rv = ssmpkcs11_convert_slot(cx, 0, slot, wrapperStr, PR_FALSE);

    goto done;
 loser:
    if (rv == SSM_SUCCESS) rv = SSM_FAILURE;
 done:
    if (cx)
        SSMTextGen_DestroyContext(cx);
    PR_FREEIF(tmpl);
    PR_FREEIF(type);
    PR_FREEIF(wrapperStr);
    return rv;
}

SSMStatus 
SSM_ShowSlotCommandHandler(HTTPRequest *req)
{
    SSMStatus rv;
    PK11SlotInfo *slot;

    /* Find the slot. */
    rv = ssm_find_slot_from_request(req, &slot);
    if (rv != SSM_SUCCESS)
        goto loser;

    /* Display the slot info. */
    rv = ssmpkcs11_show_slot_info(req, slot);
    req->sentResponse = PR_TRUE;

 loser:
    if (slot)
        PK11_FreeSlot(slot);
    return rv;
}

SSMStatus 
SSM_LoginSlotCommandHandler(HTTPRequest *req)
{
    SSMStatus rv;
    PK11SlotInfo *slot;

    /* Find the slot. */
    rv = ssm_find_slot_from_request(req, &slot);
    if (rv != SSM_SUCCESS)
        goto loser;

    /* Log into the slot. */
    PK11_Authenticate(slot, PR_TRUE, req->ctrlconn);

    /* Display the slot info. */
    rv = ssmpkcs11_show_slot_info(req, slot);
    req->sentResponse = PR_TRUE;

 loser:
    if (slot)
        PK11_FreeSlot(slot);
    return rv;
}

SSMStatus
SSM_LogoutSlotCommandHandler(HTTPRequest *req)
{
    SSMStatus rv;
    PK11SlotInfo *slot;

    /* Find the slot. */
    rv = ssm_find_slot_from_request(req, &slot);
    if (rv != SSM_SUCCESS)
        goto loser;

    /* Log out of the slot. */
    PK11_Logout(slot);

    /* Display the slot info. */
    rv = ssmpkcs11_show_slot_info(req, slot);
    req->sentResponse = PR_TRUE;

 loser:
    if (slot)
        PK11_FreeSlot(slot);
    return rv;
}

SSMStatus 
SSM_LogoutAllSlotsCommandHandler(HTTPRequest *req)
{
    SSMStatus rv;
    PK11SlotInfo *slot;

    /* Find the slot. */
    rv = ssm_find_slot_from_request(req, &slot);
    /* Not relevant if we find the slot here, 
       just remember to display (or not) whatever slot we have */
    if (rv != SSM_SUCCESS)
        slot = NULL;

    /* Log out of all slots. */
    PK11_LogoutAll();

    /* Display the slot info (if any). */
    rv = ssmpkcs11_show_slot_info(req, slot);

    req->sentResponse = PR_TRUE;

    if (slot)
        PK11_FreeSlot(slot);
    return rv;
}

/*
  --------------------------------------------------------- 
  FIPS mode code
  --------------------------------------------------------- 
 */

/*
  FIPS mode keyword handler.
  Syntax: {_fipsmode <true_text>,<false_text>}
  where <true_text> is displayed if FIPS mode is on, <false_text> otherwise.
 */
SSMStatus 
SSM_PKCS11FIPSModeKeywordHandler(SSMTextGenContext *cx)
{
    SSMStatus rv = SSM_SUCCESS;
    char *param = NULL;
    char *tempStr = NULL;

    PR_ASSERT(cx);
    PR_ASSERT(cx->m_params);
    PR_ASSERT(cx->m_result);
    if (!cx || !cx->m_params || !cx->m_result)
    {
        rv = PR_INVALID_ARGUMENT_ERROR;
        goto loser; 
    }
    
    /* Figure out if we're in FIPS mode. */
    if (PK11_IsFIPS())
        param = (char *) SSM_At(cx->m_params, 0);
    else
        param = (char *) SSM_At(cx->m_params, 1);

    /* Display the appropriate string. */
    rv = SSMTextGen_SubstituteString(cx, param, &tempStr);
    if (rv != SSM_SUCCESS)
        goto loser; /* error string set by the called function */

    rv = SSM_ConcatenateUTF8String(&cx->m_result, tempStr);
    if (rv == SSM_SUCCESS)
        goto done;
 loser:
    if (rv == SSM_SUCCESS) rv = SSM_FAILURE;
 done:
    PR_FREEIF(tempStr);
    return rv;
}


void
SSM_TrimTrailingWhitespace(char *str)
{
    char *end = &(str[strlen(str)]);
    char *start = str;

    do
    {
        end--;
    }
    while ((end >= start) && 
           ((*end == ' ') || (*end == '\0')));
    *(++end) = '\0';
}

/*
  Command handler to set FIPS mode.
  Syntax: setFIPSMode?fips={on|off}&baseRef=<baseRef>&target=<ctrlconn>
 */
SSMStatus
SSM_SetFIPSModeCommandHandler(HTTPRequest *req)
{
    char *fips_ch = NULL, *baseRef_ch = NULL;
    SECStatus srv = SECSuccess;
    PRBool oldFIPS, newFIPS;

    SSMStatus rv = SSM_SUCCESS;
    rv = SSM_HTTPParamValue(req, "fips", &fips_ch);
    if (rv != SSM_SUCCESS)
        goto loser;

    newFIPS = !PL_strncmp(fips_ch, "on", 2);
    oldFIPS = PK11_IsFIPS();

    if (newFIPS != oldFIPS)
    {
        /* 
           Turning FIPS mode on/off requires the exact same operation:
           deleting the built-in PKCS11 module. 
           
           ### mwelch We need these calls to differentiate between 
                      secmod dbs!
        */
        SECMODModule *internal;
        CK_INFO modInfo;

        internal = SECMOD_GetInternalModule();
        if (!internal)
            goto loser;

        srv = PK11_GetModInfo(internal, &modInfo);
        if (srv != SECSuccess)
            goto loser;
        SSM_TrimTrailingWhitespace((char*) modInfo.libraryDescription);

        /* Delete the {FIPS,non-FIPS} internal module, so that 
           it will be replaced by the {non-FIPS,FIPS} counterpart. */
        srv = SECMOD_DeleteInternalModule(internal->commonName);
        if (srv != SECSuccess)
            goto loser;
    }

    /* if there's a baseRef, send it back. otherwise, no content. */
    rv = SSM_HTTPParamValue(req, "baseRef", &baseRef_ch);
    if (rv == SSM_SUCCESS)
    {
        /* send what was requested */
        rv = SSM_HTTPCloseAndSleep(req);
    }

    goto done;
 loser:
    if (rv == SSM_SUCCESS) rv = SSM_FAILURE;
    SSM_HTTPReportSpecificError(req, "SetFIPSModeCommandHandler: Error %d "
                                "attempting to change FIPS mode.",
                                srv != SECSuccess ? srv : rv);
 done:
    return rv;
}