esc/esc-1.1.0-fix6.patch
2009-09-15 21:31:06 +00:00

885 lines
26 KiB
Diff

--- ./esc/src/lib/NssHttpClient/engine.h.fix6 2009-06-19 16:07:39.000000000 -0700
+++ ./esc/src/lib/NssHttpClient/engine.h 2009-06-19 16:07:44.000000000 -0700
@@ -22,9 +22,17 @@
#include "response.h"
#include "request.h"
+struct BadCertData {
+ PRErrorCode error;
+ PRInt32 port;
+};
+
+typedef struct BadCertData BadCertData;
+
+
class __EXPORT Engine {
public:
- Engine() {};
+ Engine() { _certData = NULL; _sock=NULL;};
~Engine() {};
PRFileDesc *_doConnect(PRNetAddr *addr, PRBool SSLOn = PR_FALSE,
@@ -37,7 +45,8 @@
static PRIntervalTime globaltimeout;
PRFileDesc *_sock;
-
+ BadCertData *_certData;
+ BadCertData *getBadCertData() { return _certData;}
PRFileDesc *getSocket() { return _sock;}
bool connectionClosed ;
--- ./esc/src/lib/NssHttpClient/engine.cpp.fix6 2009-06-19 16:07:12.000000000 -0700
+++ ./esc/src/lib/NssHttpClient/engine.cpp 2009-06-19 16:07:29.000000000 -0700
@@ -16,6 +16,8 @@
* All rights reserved.
* END COPYRIGHT BLOCK **/
+#define FORCE_PR_LOG 1
+
#include <nspr.h>
#include "sslproto.h"
#include <prerror.h>
@@ -27,7 +29,7 @@
#include "certt.h"
#include "sslerr.h"
#include "secerr.h"
-
+#include "CoolKey.h"
#include "engine.h"
#include "http.h"
@@ -39,6 +41,9 @@
int cipherCount = 0;
int _doVerifyServerCert = 1;
+PRLogModuleInfo *httpEngineLog = PR_NewLogModule("coolKeyHttpEngine");
+
+
PRIntervalTime Engine::globaltimeout = PR_TicksPerSecond()*30;
/**
@@ -56,13 +61,26 @@
SECStatus secStatus = SECFailure;
PRErrorCode err;
+ char tBuff[56];
+
+ PR_LOG(httpEngineLog, PR_LOG_DEBUG,
+ ("%s myBadCertHandler enter. \n",GetTStamp(tBuff,56)));
+
/* log invalid cert here */
if ( !arg ) {
return secStatus;
}
- *(PRErrorCode *)arg = err = PORT_GetError();
+ err = PORT_GetError();
+
+ BadCertData *data = (BadCertData *) arg;
+ if(data) {
+ data->error = err;
+ }
+
+ PR_LOG(httpEngineLog, PR_LOG_DEBUG,
+ ("%s myBadCertHandler err: %d . \n",GetTStamp(tBuff,56),err));
/* If any of the cases in the switch are met, then we will proceed */
/* with the processing of the request anyway. Otherwise, the default */
@@ -91,6 +109,10 @@
break;
}
+ PR_LOG(httpEngineLog, PR_LOG_DEBUG,
+ ("%s myBadCertHandler status: %d . \n",GetTStamp(tBuff,56),secStatus));
+
+
return secStatus;
}
@@ -416,7 +438,6 @@
return;
}
-
void Engine::CloseConnection()
{
connectionClosed = true;
@@ -426,7 +447,14 @@
PR_Close(_sock);
_sock = NULL;
}
+
+ if(_certData)
+ {
+ delete _certData;
+ _certData = NULL;
+ }
}
+
/**
* Returns a file descriptor for I/O if the HTTP connection is successful
* @param addr PRnetAddr structure which points to the server to connect to
@@ -442,21 +470,19 @@
PRFileDesc *tcpsock = NULL;
PRFileDesc *sock = NULL;
connectionClosed = false;
+ _certData = new BadCertData();
tcpsock = PR_OpenTCPSocket(addr->raw.family);
-
if (!tcpsock) {
-
return NULL;
}
nodelay(tcpsock);
if (PR_TRUE == SSLOn) {
- sock=SSL_ImportFD(NULL, tcpsock);
-
+ sock=SSL_ImportFD(NULL, tcpsock);
if (!sock) {
//xxx log
if( tcpsock != NULL ) {
@@ -516,9 +542,23 @@
PRErrorCode errCode = 0;
- rv = SSL_BadCertHook( sock,
+ if(_certData) {
+ _certData->error = errCode;
+ _certData->port = PR_ntohs(PR_NetAddrInetPort(addr));
+ }
+
+ CoolKeyBadCertHandler overriddenHandler = CoolKeyGetBadCertHandler();
+
+ if(overriddenHandler) {
+ rv = SSL_BadCertHook( sock,
+ (SSLBadCertHandler)overriddenHandler,
+ (void *)_certData);
+ } else {
+ rv = SSL_BadCertHook( sock,
(SSLBadCertHandler)myBadCertHandler,
- &errCode );
+ (void *)_certData);
+ }
+
rv = SSL_SetURL( sock, serverName );
if (rv != SECSuccess ) {
@@ -536,8 +576,6 @@
sock = tcpsock;
}
-
-
if ( PR_Connect(sock, addr, timeout) == PR_FAILURE ) {
if( sock != NULL ) {
@@ -563,11 +601,17 @@
const PSHttpServer& server,
int timeout, PRBool expectChunked ,PRBool processStreamed) {
PRNetAddr addr;
- PRFileDesc *sock = NULL;
PSHttpResponse *resp = NULL;
PRBool response_code = 0;
+ char tBuff[56];
+
+ PR_LOG(httpEngineLog, PR_LOG_DEBUG,
+ ("%s HttpEngine::makeRequest enter. \n",GetTStamp(tBuff,56)));
+
+
+
server.getAddr(&addr);
char *nickName = request.getCertNickName();
@@ -575,8 +619,17 @@
char *serverName = (char *)server.getAddr();
_sock = _doConnect( &addr, request.isSSL(), 0, 0,nickName, 0, serverName );
+ PR_LOG(httpEngineLog, PR_LOG_DEBUG,
+ ("%s HttpEngine::makeRequest past doConnect sock: %p. \n",
+ GetTStamp(tBuff,56),_sock));
+
if ( _sock != NULL) {
PRBool status = request.send( _sock );
+
+ PR_LOG(httpEngineLog, PR_LOG_DEBUG,
+ ("%s HttpEngine::makeRequest past request.send status: %d. \n",
+ GetTStamp(tBuff,56),status));
+
if ( status ) {
resp = new PSHttpResponse( _sock, &request, timeout, expectChunked ,this);
response_code = resp->processResponse(processStreamed);
--- ./esc/src/lib/NssHttpClient/manifest.mn.fix6 2009-06-19 16:08:05.000000000 -0700
+++ ./esc/src/lib/NssHttpClient/manifest.mn 2009-06-19 16:08:13.000000000 -0700
@@ -24,7 +24,7 @@
MODULE = httpchunked
LIBRARY_NAME = $(MODULE)
SHARED_NAME = $(MODULE)
-REQUIRES = nss nspr
+REQUIRES = nss nspr ckymanager
ifndef MOZ_OFFSET
MOZ_OFFSET = mozilla-1.7.13
endif
--- ./esc/src/lib/coolkey/NSSManager.h.fix6 2009-06-19 16:06:41.000000000 -0700
+++ ./esc/src/lib/coolkey/NSSManager.h 2009-06-19 16:06:47.000000000 -0700
@@ -70,6 +70,8 @@
static HRESULT GetKeyCertNicknames( const CoolKey *aKey, vector<string> & aStrings );
+ static HRESULT GetKeyUID(const CoolKey *aKey, char *aBuf, int aBufLength);
+
static HRESULT GetKeyIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength);
static HRESULT GetKeyIssuer(const CoolKey *aKey, char *aBuf, int aBufLength);
--- ./esc/src/lib/coolkey/CoolKey.cpp.fix6 2009-06-19 16:02:43.000000000 -0700
+++ ./esc/src/lib/coolkey/CoolKey.cpp 2009-06-19 16:03:03.000000000 -0700
@@ -259,12 +259,14 @@
static CoolKeyRelease g_Release = NULL;
static CoolKeyGetConfigValue g_GetConfigValue = NULL;
static CoolKeySetConfigValue g_SetConfigValue = NULL;
+static CoolKeyBadCertHandler g_BadCertHandler = NULL;
char* CoolKeyVerifyPassword(PK11SlotInfo *,PRBool,void *);
COOLKEY_API HRESULT CoolKeySetCallbacks(CoolKeyDispatch dispatch,
CoolKeyReference reference, CoolKeyRelease release,
- CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue)
+ CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue,
+ CoolKeyBadCertHandler badcerthandler)
{
char tBuff[56];
g_Dispatch = dispatch;
@@ -272,6 +274,7 @@
g_Release = release;
g_GetConfigValue = getconfigvalue;
g_SetConfigValue = setconfigvalue;
+ g_BadCertHandler = badcerthandler;
char * suppressPINPrompt =(char*) CoolKeyGetConfig("esc.security.url");
@@ -997,6 +1000,16 @@
return NSSManager::GetKeyPolicy(aKey, aBuf, aBufLen);
}
+
+HRESULT
+CoolKeyGetUID(const CoolKey *aKey, char *aBuf, int aBufLength)
+{
+ if (!aKey || !aKey->mKeyID || !aBuf || aBufLength < 1)
+ return E_FAIL;
+
+ return NSSManager::GetKeyUID(aKey,aBuf,aBufLength);
+}
+
HRESULT
CoolKeyGetIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength)
{
@@ -1290,6 +1303,13 @@
return aCUID;
}
+CoolKeyBadCertHandler CoolKeyGetBadCertHandler()
+{
+ if(g_BadCertHandler)
+ return g_BadCertHandler;
+ return NULL;
+}
+
const char *CoolKeyGetConfig(const char *aValue)
{
if(!g_GetConfigValue || ! aValue)
--- ./esc/src/lib/coolkey/manifest.mn.fix6 2009-06-19 16:05:45.000000000 -0700
+++ ./esc/src/lib/coolkey/manifest.mn 2009-06-19 16:05:54.000000000 -0700
@@ -19,7 +19,6 @@
XULRUNNER_BASE=$(CORE_DEPTH)/dist/$(OBJDIR)//xulrunner_build
-
SYS_INC = /usr/include
MODULE = ckymanager
LIBRARY_NAME = $(MODULE)
@@ -41,7 +40,7 @@
SmartCardMonitoringThread.cpp \
$(NULL)
-EXPORTS = \
+EXPORTS = \
CoolKey.h \
$(NULL)
--- ./esc/src/lib/coolkey/NSSManager.cpp.fix6 2009-06-19 16:06:19.000000000 -0700
+++ ./esc/src/lib/coolkey/NSSManager.cpp 2009-06-19 16:06:28.000000000 -0700
@@ -369,7 +369,7 @@
aBuf[0]=0;
- PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo \n",GetTStamp(tBuff,56)));
+ PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuer \n",GetTStamp(tBuff,56)));
if(!aKey )
return E_FAIL;
@@ -409,7 +409,7 @@
continue;
}
orgID = CERT_GetOrgName(&cert->subject);
- PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo ourSlot %p curSlot %p org %s \n",GetTStamp(tBuff,56),slot,cert->slot,orgID));
+ PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuer ourSlot %p curSlot %p org %s \n",GetTStamp(tBuff,56),slot,cert->slot,orgID));
}
@@ -437,6 +437,85 @@
return S_OK;
}
+HRESULT NSSManager::GetKeyUID(const CoolKey *aKey, char *aBuf, int aBufLength)
+{
+ char tBuff[56];
+ if(!aBuf)
+ return E_FAIL;
+
+ aBuf[0]=0;
+
+ PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyUID \n",GetTStamp(tBuff,56)));
+
+ if(!aKey )
+ return E_FAIL;
+
+ PK11SlotInfo *slot = GetSlotForKeyID(aKey);
+
+ if (!slot)
+ return E_FAIL;
+
+ CERTCertList *certs = PK11_ListCerts(PK11CertListAll,NULL);
+
+ if (!certs)
+ {
+ PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%sNSSManager::GetKeyUID no certs found! \n",GetTStamp(tBuff,56)));
+ PK11_FreeSlot(slot);
+ return E_FAIL;
+ }
+
+ CERTCertListNode *node= NULL;
+
+ char *certID = NULL;
+
+ for( node = CERT_LIST_HEAD(certs);
+ ! CERT_LIST_END(node, certs);
+ node = CERT_LIST_NEXT(node))
+ {
+ if(node->cert)
+ {
+ CERTCertificate *cert = node->cert;
+
+ if(cert)
+ {
+ if(cert->slot == slot)
+ {
+ if(IsCACert(cert))
+ {
+ continue;
+ }
+
+ certID = CERT_GetCertUid(&cert->subject);
+
+ PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyUID ourSlot %p curSlot %p certID %s \n",GetTStamp(tBuff,56),slot,cert->slot,certID));
+
+ }
+
+ if(certID)
+ break;
+ }
+ }
+
+ }
+
+ if(certID && ((int)strlen(certID) < aBufLength))
+ {
+ strcpy(aBuf,certID);
+ }
+
+ if(certs)
+ CERT_DestroyCertList(certs);
+
+ if(slot)
+ PK11_FreeSlot(slot);
+
+ if(certID)
+ PORT_Free(certID);
+
+ return S_OK;
+}
+
+
HRESULT NSSManager::GetKeyIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength)
{
char tBuff[56];
@@ -487,6 +566,10 @@
certID = CERT_GetCommonName(&cert->subject);
+ if(!certID) {
+ certID = CERT_GetCertUid(&cert->subject);
+ }
+
PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo ourSlot %p curSlot %p certID %s \n",GetTStamp(tBuff,56),slot,cert->slot,certID));
}
--- ./esc/src/lib/coolkey/CoolKey.h.fix6 2009-06-19 16:04:59.000000000 -0700
+++ ./esc/src/lib/coolkey/CoolKey.h 2009-06-19 16:05:05.000000000 -0700
@@ -26,6 +26,7 @@
// platforms (coreconf will do the appropriate processing.
#define COOLKEY_API
+#include "ssl.h"
#include <string.h>
#include <stdlib.h>
#include <vector>
@@ -100,7 +101,7 @@
typedef HRESULT (*CoolKeySetConfigValue)(const char *name,const char *value);
typedef const char * (*CoolKeyGetConfigValue)(const char *name);
-
+typedef SECStatus (*CoolKeyBadCertHandler)(void *arg, PRFileDesc *fd);
extern "C" {
@@ -112,7 +113,8 @@
COOLKEY_API HRESULT CoolKeyUnregisterListener(CoolKeyListener* aListener);
COOLKEY_API HRESULT CoolKeySetCallbacks(CoolKeyDispatch dispatch,
CoolKeyReference reference, CoolKeyRelease release,
- CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue);
+ CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue,
+ CoolKeyBadCertHandler badcerthandler=NULL);
COOLKEY_API bool CoolKeyRequiresAuthentication(const CoolKey *aKey);
COOLKEY_API bool CoolKeyHasApplet(const CoolKey *aKey);
@@ -133,6 +135,8 @@
COOLKEY_API HRESULT CoolKeyGetCertInfo(const CoolKey *aKey, char *aCertNickname, std::string & aCertInfo);
+COOLKEY_API HRESULT CoolKeyGetUID(const CoolKey *aKey, char *aBuf, int aBufLength);
+
COOLKEY_API HRESULT CoolKeyGetIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength);
COOLKEY_API HRESULT CoolKeyGetIssuer(const CoolKey *aKey, char *aBuf, int aBufLength);
@@ -257,6 +261,9 @@
const char *CoolKeyGetConfig(const char *aName);
HRESULT CoolKeySetConfig(const char *aName,const char *aValue);
+CoolKeyBadCertHandler CoolKeyGetBadCertHandler();
+
+
}
--- ./esc/src/lib/coolkey/Makefile.fix6 2009-06-19 16:05:24.000000000 -0700
+++ ./esc/src/lib/coolkey/Makefile 2009-06-19 16:05:32.000000000 -0700
@@ -35,6 +35,9 @@
echo "Build Linux or Windows."
make -f common.mk
+export::
+ make -f common.mk export
+
endif
ifeq ($(OS_ARCH),Darwin)
--- ./esc/src/app/xul/esc/chrome/content/esc/certManager.xul.fix6 2009-06-19 16:01:21.000000000 -0700
+++ ./esc/src/app/xul/esc/chrome/content/esc/certManager.xul 2009-06-19 16:01:43.000000000 -0700
@@ -65,7 +65,7 @@
<tabs id="certMgrTabbox" onselect="CertsTabsSelected();">
<tab id="mine_tab" label="&certmgr.tab.mine;" selected="true"/>
<tab id="others_tab" hidden="true" label="&certmgr.tab.others2;"/>
- <tab id="websites_tab" hidden="true" label="&certmgr.tab.websites3;"/>
+ <tab id="websites_tab" hidden="false" label="&certmgr.tab.websites3;"/>
<tab id="ca_tab" hidden="false" label="&certmgr.tab.ca;"/>
<tab id="orphan_tab" hidden="true" label="&certmgr.tab.orphan2;"/>
--- ./esc/src/app/xpcom/rhCoolKey.cpp.fix6 2009-06-19 15:56:20.000000000 -0700
+++ ./esc/src/app/xpcom/rhCoolKey.cpp 2009-06-19 15:57:48.000000000 -0700
@@ -30,7 +30,7 @@
#else
#include "nsServiceManagerUtils.h"
#endif
-
+#include "pipnss/nsICertOverrideService.h"
#include "nsIPrefBranch.h"
#include "nsIPrefService.h"
#include "nsCOMPtr.h"
@@ -69,6 +69,7 @@
#endif
#define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
+#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1"
static const nsIID kIModuleIID = NS_IMODULE_IID;
static const nsIID kIFactoryIID = NS_IFACTORY_IID;
@@ -89,6 +90,7 @@
std::list< nsCOMPtr <rhIKeyNotify> > rhCoolKey::gNotifyListeners;
+PRLock* rhCoolKey::certCBLock=NULL;
PRBool rhCoolKey::gAutoEnrollBlankTokens = PR_FALSE;
@@ -190,6 +192,13 @@
mCSPListener = nsnull;
#endif
+ certCBLock = PR_NewLock();
+
+ if(!certCBLock) {
+ PR_LOG( coolKeyLog, PR_LOG_ERROR, ("%s Failed to create lock exiting! \n",GetTStamp(tBuff,56)));
+ exit(1);
+ }
+
PRBool res = InitInstance();
if(res == PR_FALSE)
@@ -207,6 +216,10 @@
char tBuff[56];
PR_LOG( coolKeyLog, PR_LOG_DEBUG, ("%s rhCoolKey::~rhCoolKey: %p \n",GetTStamp(tBuff,56),this));
+
+ if(certCBLock) {
+ PR_DestroyLock(certCBLock);
+ }
}
void rhCoolKey::ShutDownInstance()
@@ -255,6 +268,212 @@
return S_OK;
}
+struct BadCertData {
+ PRErrorCode error;
+ PRInt32 port;
+};
+
+typedef struct BadCertData BadCertData;
+
+SECStatus rhCoolKey::badCertHandler(void *arg, PRFileDesc *fd)
+{
+ SECStatus secStatus = SECFailure;
+ PRErrorCode err;
+ char *host = NULL;
+ PRInt32 port = 0;
+ CERTCertificate *serverCert = NULL;
+ PRUint32 errorBits = 0;
+ char tBuff[56];
+
+ PR_Lock(certCBLock);
+
+ if (!arg || !fd) {
+ PR_Unlock(certCBLock);
+ return secStatus;
+ }
+
+ // Retrieve callback data from NssHttpClient
+ // Caller cleans up this data
+ BadCertData *data = (BadCertData *) arg;
+ data->error = err = PORT_GetError();
+
+
+ /* If any of the cases in the switch are met, then we will proceed */
+
+ switch (err) {
+ case SEC_ERROR_INVALID_AVA:
+ case SEC_ERROR_INVALID_TIME:
+ case SEC_ERROR_BAD_SIGNATURE:
+ case SEC_ERROR_EXPIRED_CERTIFICATE:
+ case SEC_ERROR_UNKNOWN_ISSUER:
+ case SEC_ERROR_UNTRUSTED_CERT:
+ case SEC_ERROR_CERT_VALID:
+ case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+ case SEC_ERROR_CRL_EXPIRED:
+ case SEC_ERROR_CRL_BAD_SIGNATURE:
+ case SEC_ERROR_EXTENSION_VALUE_INVALID:
+ case SEC_ERROR_CA_CERT_INVALID:
+ case SEC_ERROR_CERT_USAGES_INVALID:
+ case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
+ case SEC_ERROR_EXTENSION_NOT_FOUND: // Added by Rob 5/21/2002
+ secStatus = SECSuccess;
+ break;
+ default:
+ secStatus = SECFailure;
+ break;
+ }
+
+ if(secStatus == SECSuccess) {
+ PR_Unlock(certCBLock);
+ return secStatus;
+ }
+
+ // Collect errors to compare with override service output
+ switch(err) {
+ case SEC_ERROR_UNTRUSTED_ISSUER:
+ errorBits |= nsICertOverrideService::ERROR_UNTRUSTED;
+ break;
+ case SSL_ERROR_BAD_CERT_DOMAIN:
+ errorBits |= nsICertOverrideService::ERROR_MISMATCH;
+ break;
+ case SEC_ERROR_EXPIRED_CERTIFICATE:
+ errorBits |= nsICertOverrideService::ERROR_TIME;
+ default:
+ break;
+ };
+
+ // Now proceed to see if we have an exception.
+ // Get the server certificate that was rejected.
+ serverCert = SSL_PeerCertificate(fd);
+
+ if(!serverCert) {
+ PR_Unlock(certCBLock);
+ return secStatus;
+ }
+
+ port = data->port;
+ host = SSL_RevealURL(fd);
+
+ if(!host || port <= 0) {
+ PR_Unlock(certCBLock);
+ return secStatus;
+ }
+
+ PR_LOG(coolKeyLog, PR_LOG_DEBUG,
+ ("%s rhCoolKey::badCertHandler enter: error: %d url: %s port: %d \n",
+ GetTStamp(tBuff,56),err,host,port)
+ );
+
+ PRBool isTemporaryOverride = PR_FALSE;
+ PRUint32 overrideBits = 0;
+ PRBool overrideResult = PR_FALSE;
+
+ // Use the nsICertOverrideService to see if we have
+ // previously trusted this certificate.
+ nsCOMPtr<nsICertOverrideService> overrideService =
+ do_GetService(NS_CERTOVERRIDE_CONTRACTID);
+
+ const nsEmbedCString nsHost(host);
+ nsEmbedCString hashAlg,fingerPrint;
+
+ nsresult nsrv;
+ unsigned char* fingerprint=NULL;
+ if(overrideService) {
+ nsrv = overrideService->GetValidityOverride((const nsACString &)nsHost,
+ port,(nsACString &)hashAlg,
+ (nsACString&)fingerPrint,&overrideBits,
+ &isTemporaryOverride,&overrideResult
+ );
+ if(nsrv == NS_OK) {
+ PR_LOG(coolKeyLog, PR_LOG_DEBUG,
+ ("%s rhCoolKey::badCertHandler res %d print %s len %d bits %u temp %d alg: %s \n",
+ GetTStamp(tBuff,56),overrideResult,fingerPrint.get(),
+ fingerPrint.Length(),overrideBits, isTemporaryOverride,hashAlg.get())
+ );
+ }
+
+ PRBool certMatches = PR_FALSE;
+
+ if( (nsrv == NS_OK) && overrideResult) {
+ SECItem oid;
+ oid.data = nsnull;
+ oid.len = 0;
+ SECStatus srv = SEC_StringToOID(nsnull, &oid,
+ hashAlg.get(), hashAlg.Length());
+
+ if (srv != SECSuccess) {
+ PR_Free(host);
+ host=NULL;
+ CERT_DestroyCertificate(serverCert);
+ serverCert=NULL;
+ PR_Unlock(certCBLock);
+ return secStatus;
+ }
+
+ SECOidTag oid_tag = SECOID_FindOIDTag(&oid);
+
+ unsigned int hash_len = HASH_ResultLenByOidTag(oid_tag);
+ fingerprint = new unsigned char[hash_len];
+
+ if(!fingerprint) {
+ CERT_DestroyCertificate(serverCert);
+ serverCert=NULL;
+ PR_Unlock(certCBLock);
+ return secStatus;
+ }
+
+ SECItem computedPrint;
+ memset(fingerprint, 0, sizeof fingerprint);
+ PK11_HashBuf(oid_tag, fingerprint,
+ serverCert->derCert.data, serverCert->derCert.len);
+ CERT_DestroyCertificate(serverCert);
+ serverCert=NULL;
+
+ computedPrint.data=fingerprint;
+ computedPrint.len=hash_len;
+
+ char *formattedPrint = CERT_Hexify(&computedPrint,1);
+ char *inputPrint = (char *)fingerPrint.get();
+
+ //Compare fingerprints.
+
+ if(formattedPrint && inputPrint) {
+ if(!PL_strcmp(formattedPrint, inputPrint))
+ certMatches = PR_TRUE;
+ }
+ PR_LOG( coolKeyLog, PR_LOG_DEBUG, ("%s certMatches: %d \n",
+ GetTStamp(tBuff,56),certMatches)
+ );
+
+ if(formattedPrint) {
+ PORT_Free(formattedPrint);
+ formattedPrint = NULL;
+ }
+ } else {
+ PR_LOG( coolKeyLog, PR_LOG_DEBUG, ("%s override test failed. \n",
+ GetTStamp(tBuff,56))
+ );
+ }
+
+ if( certMatches ) {
+ if(overrideBits | errorBits)
+ secStatus = SECSuccess;
+ }
+ }
+
+ PR_Free(host);
+ host = NULL;
+ if(fingerprint) {
+ delete [] fingerprint;
+ fingerprint = NULL;
+ }
+
+ PR_Unlock(certCBLock);
+
+ return secStatus;
+}
+
+
HRESULT rhCoolKey::doSetCoolKeyConfigValue(const char *aName, const char *aValue)
{
@@ -340,7 +559,7 @@
nssComponent
= do_GetService(PSM_COMPONENT_CONTRACTID);
- CoolKeySetCallbacks(Dispatch,Reference, Release,doGetCoolKeyConfigValue ,doSetCoolKeyConfigValue);
+ CoolKeySetCallbacks(Dispatch,Reference, Release,doGetCoolKeyConfigValue ,doSetCoolKeyConfigValue,badCertHandler);
mProxy = CreateProxyObject();
@@ -1262,6 +1481,38 @@
}
/* string GetCoolKeyIssuedTo (in unsigned long aKeyType, in string aKeyID); */
+NS_IMETHODIMP rhCoolKey::GetCoolKeyUID(PRUint32 aKeyType, const char *aKeyID, char **uid)
+{
+ char tBuff[56];
+ if (!aKeyID) {
+ return NS_ERROR_FAILURE;
+ }
+
+ AutoCoolKey key(aKeyType, ( char *)aKeyID);
+
+ char buff[512];
+ int bufLength = 512;
+ buff[0] = 0;
+
+ CoolKeyGetUID(&key, (char *) buff, bufLength);
+
+ if(!buff[0])
+ {
+ return NS_OK;
+ }
+
+ PR_LOG(coolKeyLog,PR_LOG_DEBUG,("%s rhCoolKey::RhGetCoolKeyGetUID %s \n",GetTStamp(tBuff,56),(char *) buff));
+
+ char *temp = (char *) nsMemory::Clone(buff,sizeof(char) * strlen(buff) + 1);
+
+ *uid = temp;
+
+ return NS_OK;
+
+}
+
+
+/* string GetCoolKeyIssuedTo (in unsigned long aKeyType, in string aKeyID); */
NS_IMETHODIMP rhCoolKey::GetCoolKeyIssuedTo(PRUint32 aKeyType, const char *aKeyID, char **issuedTo)
{
char tBuff[56];
--- ./esc/src/app/xpcom/rhICoolKey.idl.fix6 2009-06-19 16:00:20.000000000 -0700
+++ ./esc/src/app/xpcom/rhICoolKey.idl 2009-06-19 16:00:32.000000000 -0700
@@ -66,6 +66,8 @@
string GetCoolKeyCertInfo(in unsigned long aKeyType, in string aKeyID, in string aCertNickname);
+ string GetCoolKeyUID(in unsigned long aKeyType, in string aKeyID);
+
string GetCoolKeyIssuedTo(in unsigned long aKeyType, in string aKeyID);
string GetCoolKeyIssuer(in unsigned long aKeyType, in string aKeyID);
--- ./esc/src/app/xpcom/Makefile.sdk.fix6 2009-06-19 15:54:52.000000000 -0700
+++ ./esc/src/app/xpcom/Makefile.sdk 2009-06-19 15:55:43.000000000 -0700
@@ -109,7 +109,7 @@
CPPFLAGS += -fno-rtti \
-fno-exceptions \
-fshort-wchar -fPIC
-GECKO_LD_LIBS=-L$(GECKO_SDK_PATH)/lib $(GECKO_SDK_PATH)/lib/libxpcomglue.a -lnss3 -lcrmf -lssl3 -lsmime3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl
+GECKO_LD_LIBS=-L$(GECKO_SDK_PATH)/lib $(GECKO_SDK_PATH)/lib/libxpcomglue.a -lnssutil3 -lnss3 -lcrmf -lssl3 -lsmime3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl
endif
ifeq ($(OS_ARCH),WINNT)
@@ -145,7 +145,7 @@
GECKO_INCLUDES += -I $(GECKO_SDK_PATH)/sdk/include
OBJECT = rhCoolKey.obj
OBJECTCSP = CoolKeyCSP.obj
-COOL_LDFLAGS = -IMPLIB:fake-import /LIBPATH:$(CORE_DIST)/lib ckymanager.lib httpchunked.lib $(GECKO_LD_LIBS) nss3.lib ssl3.lib smime3.lib softokn3.lib /LIBPATH:$(CKY_LIB_LDD) libckyapplet.lib crypt32.lib kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib /NODEFAULTLIB:libc.lib
+COOL_LDFLAGS = -IMPLIB:fake-import /LIBPATH:$(CORE_DIST)/lib ckymanager.lib httpchunked.lib $(GECKO_LD_LIBS) nssutil3.lib nss3.lib ssl3.lib smime3.lib softokn3.lib /LIBPATH:$(CKY_LIB_LDD) libckyapplet.lib crypt32.lib kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib /NODEFAULTLIB:libc.lib
endif
ifeq ($(OS_ARCH),Darwin)
--- ./esc/src/app/xpcom/rhCoolKey.h.fix6 2009-06-19 15:58:21.000000000 -0700
+++ ./esc/src/app/xpcom/rhCoolKey.h 2009-06-19 15:58:28.000000000 -0700
@@ -22,6 +22,15 @@
#include "nsIGenericFactory.h"
#include "nsEmbedString.h"
#include <list>
+#include "nspr.h"
+#include "prio.h"
+#include "ssl.h"
+#include "pk11func.h"
+#include "cert.h"
+#include "sslerr.h"
+#include "secerr.h"
+#include "sechash.h"
+
#include "CoolKey.h"
#include "nsCOMPtr.h"
#include "nsIObserver.h"
@@ -92,6 +101,7 @@
static HRESULT doSetCoolKeyConfigValue(const char *aName, const char *aValue);
static const char *doGetCoolKeyConfigValue(const char *aName );
+ static SECStatus badCertHandler(void *arg, PRFileDesc *fd);
protected:
/* additional members */
@@ -107,6 +117,8 @@
static std::list< nsCOMPtr <rhIKeyNotify> > gNotifyListeners;
+ static PRLock* certCBLock;
+
rhICoolKey* mProxy;
static PRBool gAutoEnrollBlankTokens;