Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(229)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/mozilla_security_manager/nsNSSCertTrust.cpp

Issue 9940001: Fix imported server certs being distrusted in NSS 3.13. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: remove openssl stubs, replace TrustBits::TRUST_TERMINAL_RECORD with EXPLICIT_DISTRUST Created 8 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« chrome/third_party/mozilla_security_manager/nsNSSCertHelper.cpp ('K') | « net/third_party/mozilla_security_manager/nsNSSCertTrust.h ('k') | net/third_party/mozilla_security_manager/nsNSSCertificateDB.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 *
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
8 *
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
13 *
14 * The Original Code is the Netscape security libraries.
15 *
16 * The Initial Developer of the Original Code is
17 * Netscape Communications Corporation.
18 * Portions created by the Initial Developer are Copyright (C) 2000
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 * Ian McGreer <mcgreer@netscape.com>
23 * Javier Delgadillo <javi@netscape.com>
24 *
25 * Alternatively, the contents of this file may be used under the terms of
26 * either the GNU General Public License Version 2 or later (the "GPL"), or
27 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
28 * in which case the provisions of the GPL or the LGPL are applicable instead
29 * of those above. If you wish to allow use of your version of this file only
30 * under the terms of either the GPL or the LGPL, and not to allow others to
31 * use your version of this file under the terms of the MPL, indicate your
32 * decision by deleting the provisions above and replace them with the notice
33 * and other provisions required by the GPL or the LGPL. If you do not delete
34 * the provisions above, a recipient may use your version of this file under
35 * the terms of any one of the MPL, the GPL or the LGPL.
36 *
37 * ***** END LICENSE BLOCK ***** */
38
39 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
40
41 #if !defined(CERTDB_TERMINAL_RECORD)
42 /* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD
43 * and marks CERTDB_VALID_PEER as deprecated.
44 * If we're using an older version, rename it ourselves.
45 */
46 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
47 #endif
48
49 namespace mozilla_security_manager {
50
51 void
52 nsNSSCertTrust::AddCATrust(PRBool ssl, PRBool email, PRBool objSign)
53 {
54 if (ssl) {
55 addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
56 addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
57 }
58 if (email) {
59 addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
60 addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
61 }
62 if (objSign) {
63 addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
64 addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
65 }
66 }
67
68 void
69 nsNSSCertTrust::AddPeerTrust(PRBool ssl, PRBool email, PRBool objSign)
70 {
71 if (ssl)
72 addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
73 if (email)
74 addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
75 if (objSign)
76 addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
77 }
78
79 nsNSSCertTrust::nsNSSCertTrust()
80 {
81 memset(&mTrust, 0, sizeof(CERTCertTrust));
82 }
83
84 nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl,
85 unsigned int email,
86 unsigned int objsign)
87 {
88 memset(&mTrust, 0, sizeof(CERTCertTrust));
89 addTrust(&mTrust.sslFlags, ssl);
90 addTrust(&mTrust.emailFlags, email);
91 addTrust(&mTrust.objectSigningFlags, objsign);
92 }
93
94 nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust *t)
95 {
96 if (t)
97 memcpy(&mTrust, t, sizeof(CERTCertTrust));
98 else
99 memset(&mTrust, 0, sizeof(CERTCertTrust));
100 }
101
102 nsNSSCertTrust::~nsNSSCertTrust()
103 {
104 }
105
106 void
107 nsNSSCertTrust::SetSSLTrust(PRBool peer, PRBool tPeer,
108 PRBool ca, PRBool tCA, PRBool tClientCA,
109 PRBool user, PRBool warn)
110 {
111 mTrust.sslFlags = 0;
112 if (peer || tPeer)
113 addTrust(&mTrust.sslFlags, CERTDB_TERMINAL_RECORD);
114 if (tPeer)
115 addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
116 if (ca || tCA)
117 addTrust(&mTrust.sslFlags, CERTDB_VALID_CA);
118 if (tClientCA)
119 addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
120 if (tCA)
121 addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
122 if (user)
123 addTrust(&mTrust.sslFlags, CERTDB_USER);
124 if (warn)
125 addTrust(&mTrust.sslFlags, CERTDB_SEND_WARN);
126 }
127
128 void
129 nsNSSCertTrust::SetEmailTrust(PRBool peer, PRBool tPeer,
130 PRBool ca, PRBool tCA, PRBool tClientCA,
131 PRBool user, PRBool warn)
132 {
133 mTrust.emailFlags = 0;
134 if (peer || tPeer)
135 addTrust(&mTrust.emailFlags, CERTDB_TERMINAL_RECORD);
136 if (tPeer)
137 addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
138 if (ca || tCA)
139 addTrust(&mTrust.emailFlags, CERTDB_VALID_CA);
140 if (tClientCA)
141 addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
142 if (tCA)
143 addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
144 if (user)
145 addTrust(&mTrust.emailFlags, CERTDB_USER);
146 if (warn)
147 addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN);
148 }
149
150 void
151 nsNSSCertTrust::SetObjSignTrust(PRBool peer, PRBool tPeer,
152 PRBool ca, PRBool tCA, PRBool tClientCA,
153 PRBool user, PRBool warn)
154 {
155 mTrust.objectSigningFlags = 0;
156 if (peer || tPeer)
157 addTrust(&mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD);
158 if (tPeer)
159 addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
160 if (ca || tCA)
161 addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_CA);
162 if (tClientCA)
163 addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
164 if (tCA)
165 addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
166 if (user)
167 addTrust(&mTrust.objectSigningFlags, CERTDB_USER);
168 if (warn)
169 addTrust(&mTrust.objectSigningFlags, CERTDB_SEND_WARN);
170 }
171
172 void
173 nsNSSCertTrust::SetValidCA()
174 {
175 SetSSLTrust(PR_FALSE, PR_FALSE,
176 PR_TRUE, PR_FALSE, PR_FALSE,
177 PR_FALSE, PR_FALSE);
178 SetEmailTrust(PR_FALSE, PR_FALSE,
179 PR_TRUE, PR_FALSE, PR_FALSE,
180 PR_FALSE, PR_FALSE);
181 SetObjSignTrust(PR_FALSE, PR_FALSE,
182 PR_TRUE, PR_FALSE, PR_FALSE,
183 PR_FALSE, PR_FALSE);
184 }
185
186 void
187 nsNSSCertTrust::SetTrustedServerCA()
188 {
189 SetSSLTrust(PR_FALSE, PR_FALSE,
190 PR_TRUE, PR_TRUE, PR_FALSE,
191 PR_FALSE, PR_FALSE);
192 SetEmailTrust(PR_FALSE, PR_FALSE,
193 PR_TRUE, PR_TRUE, PR_FALSE,
194 PR_FALSE, PR_FALSE);
195 SetObjSignTrust(PR_FALSE, PR_FALSE,
196 PR_TRUE, PR_TRUE, PR_FALSE,
197 PR_FALSE, PR_FALSE);
198 }
199
200 void
201 nsNSSCertTrust::SetTrustedCA()
202 {
203 SetSSLTrust(PR_FALSE, PR_FALSE,
204 PR_TRUE, PR_TRUE, PR_TRUE,
205 PR_FALSE, PR_FALSE);
206 SetEmailTrust(PR_FALSE, PR_FALSE,
207 PR_TRUE, PR_TRUE, PR_TRUE,
208 PR_FALSE, PR_FALSE);
209 SetObjSignTrust(PR_FALSE, PR_FALSE,
210 PR_TRUE, PR_TRUE, PR_TRUE,
211 PR_FALSE, PR_FALSE);
212 }
213
214 void
215 nsNSSCertTrust::SetValidPeer()
216 {
217 SetSSLTrust(PR_TRUE, PR_FALSE,
218 PR_FALSE, PR_FALSE, PR_FALSE,
219 PR_FALSE, PR_FALSE);
220 SetEmailTrust(PR_TRUE, PR_FALSE,
221 PR_FALSE, PR_FALSE, PR_FALSE,
222 PR_FALSE, PR_FALSE);
223 SetObjSignTrust(PR_TRUE, PR_FALSE,
224 PR_FALSE, PR_FALSE, PR_FALSE,
225 PR_FALSE, PR_FALSE);
226 }
227
228 void
229 nsNSSCertTrust::SetValidServerPeer()
230 {
231 SetSSLTrust(PR_TRUE, PR_FALSE,
232 PR_FALSE, PR_FALSE, PR_FALSE,
233 PR_FALSE, PR_FALSE);
234 SetEmailTrust(PR_FALSE, PR_FALSE,
235 PR_FALSE, PR_FALSE, PR_FALSE,
236 PR_FALSE, PR_FALSE);
237 SetObjSignTrust(PR_FALSE, PR_FALSE,
238 PR_FALSE, PR_FALSE, PR_FALSE,
239 PR_FALSE, PR_FALSE);
240 }
241
242 void
243 nsNSSCertTrust::SetTrustedPeer()
244 {
245 SetSSLTrust(PR_TRUE, PR_TRUE,
246 PR_FALSE, PR_FALSE, PR_FALSE,
247 PR_FALSE, PR_FALSE);
248 SetEmailTrust(PR_TRUE, PR_TRUE,
249 PR_FALSE, PR_FALSE, PR_FALSE,
250 PR_FALSE, PR_FALSE);
251 SetObjSignTrust(PR_TRUE, PR_TRUE,
252 PR_FALSE, PR_FALSE, PR_FALSE,
253 PR_FALSE, PR_FALSE);
254 }
255
256 void
257 nsNSSCertTrust::SetUser()
258 {
259 SetSSLTrust(PR_FALSE, PR_FALSE,
260 PR_FALSE, PR_FALSE, PR_FALSE,
261 PR_TRUE, PR_FALSE);
262 SetEmailTrust(PR_FALSE, PR_FALSE,
263 PR_FALSE, PR_FALSE, PR_FALSE,
264 PR_TRUE, PR_FALSE);
265 SetObjSignTrust(PR_FALSE, PR_FALSE,
266 PR_FALSE, PR_FALSE, PR_FALSE,
267 PR_TRUE, PR_FALSE);
268 }
269
270 PRBool
271 nsNSSCertTrust::HasAnyCA()
272 {
273 if (hasTrust(mTrust.sslFlags, CERTDB_VALID_CA) ||
274 hasTrust(mTrust.emailFlags, CERTDB_VALID_CA) ||
275 hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
276 return PR_TRUE;
277 return PR_FALSE;
278 }
279
280 PRBool
281 nsNSSCertTrust::HasCA(PRBool checkSSL,
282 PRBool checkEmail,
283 PRBool checkObjSign)
284 {
285 if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_VALID_CA))
286 return PR_FALSE;
287 if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_VALID_CA))
288 return PR_FALSE;
289 if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
290 return PR_FALSE;
291 return PR_TRUE;
292 }
293
294 PRBool
295 nsNSSCertTrust::HasPeer(PRBool checkSSL,
296 PRBool checkEmail,
297 PRBool checkObjSign)
298 {
299 if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_TERMINAL_RECORD))
300 return PR_FALSE;
301 if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_TERMINAL_RECORD))
302 return PR_FALSE;
303 if (checkObjSign &&
304 !hasTrust(mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD))
305 return PR_FALSE;
306 return PR_TRUE;
307 }
308
309 PRBool
310 nsNSSCertTrust::HasAnyUser()
311 {
312 if (hasTrust(mTrust.sslFlags, CERTDB_USER) ||
313 hasTrust(mTrust.emailFlags, CERTDB_USER) ||
314 hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
315 return PR_TRUE;
316 return PR_FALSE;
317 }
318
319 PRBool
320 nsNSSCertTrust::HasUser(PRBool checkSSL,
321 PRBool checkEmail,
322 PRBool checkObjSign)
323 {
324 if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_USER))
325 return PR_FALSE;
326 if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_USER))
327 return PR_FALSE;
328 if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
329 return PR_FALSE;
330 return PR_TRUE;
331 }
332
333 PRBool
334 nsNSSCertTrust::HasTrustedCA(PRBool checkSSL,
335 PRBool checkEmail,
336 PRBool checkObjSign)
337 {
338 if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) ||
339 hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA)))
340 return PR_FALSE;
341 if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) ||
342 hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA)))
343 return PR_FALSE;
344 if (checkObjSign &&
345 !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CA) ||
346 hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA)))
347 return PR_FALSE;
348 return PR_TRUE;
349 }
350
351 PRBool
352 nsNSSCertTrust::HasTrustedPeer(PRBool checkSSL,
353 PRBool checkEmail,
354 PRBool checkObjSign)
355 {
356 if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED)))
357 return PR_FALSE;
358 if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED)))
359 return PR_FALSE;
360 if (checkObjSign &&
361 !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED)))
362 return PR_FALSE;
363 return PR_TRUE;
364 }
365
366 void
367 nsNSSCertTrust::addTrust(unsigned int *t, unsigned int v)
368 {
369 *t |= v;
370 }
371
372 PRBool
373 nsNSSCertTrust::hasTrust(unsigned int t, unsigned int v)
374 {
375 return !!(t & v);
376 }
377
378 } // namespace mozilla_security_manager
OLDNEW
« chrome/third_party/mozilla_security_manager/nsNSSCertHelper.cpp ('K') | « net/third_party/mozilla_security_manager/nsNSSCertTrust.h ('k') | net/third_party/mozilla_security_manager/nsNSSCertificateDB.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698