Incorrect socket accept error message due to bad pointer arithmetic - bug 661142 - <cfu@redhat.com> Verification should fail when a revoked certificate is added
diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def
|
|
--- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-12-21 12:35:04.360044000 -0800
|
|
+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-12-21 12:36:05.364105000 -0800
|
|
@@ -332,6 +332,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
|
|
Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
|
|
Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
|
|
Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
|
|
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
|
|
;+ local:
|
|
;+ *;
|
|
;+};
|
|
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
|
|
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-12-21 12:36:24.417124000 -0800
|
|
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-12-21 12:43:54.777575000 -0800
|
|
@@ -157,6 +157,19 @@ public final class CryptoManager impleme
|
|
public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner");
|
|
public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder");
|
|
public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA");
|
|
+
|
|
+ /*
|
|
+ The folllowing usages cannot be verified:
|
|
+ certUsageAnyCA
|
|
+ certUsageProtectedObjectSigner
|
|
+ certUsageUserCertImport
|
|
+ certUsageVerifyCA
|
|
+ */
|
|
+ public static final int basicCertificateUsages = /*0x0b80;*/
|
|
+ certificateUsageUserCertImport |
|
|
+ certificateUsageVerifyCA |
|
|
+ certificateUsageProtectedObjectSigner |
|
|
+ certificateUsageAnyCA ;
|
|
}
|
|
|
|
public final static class NotInitializedException extends Exception {}
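Review bot: Neither the name `basicCertificateUsages` nor the block comment above it says that this mask is the sentinel the later `isCertValid` hunk compares against to mean "no verifiable usage passed". A Javadoc such as `/** Usage bits that are never verified; a result equal to exactly this mask (0x0b80) means the certificate passed no verifiable usage. */` would state that contract, and it would replace the leftover `/*0x0b80;*/` that currently sits inside the expression. The comment also lists `certUsage*` names while the constant is built from `certificateUsage*` values; one spelling throughout avoids mixing the two families. The enclosing `CertificateUsage` class starts outside this hunk.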
|
|
@@ -1452,14 +1465,43 @@ public final class CryptoManager impleme
|
|
* against Now.
|
|
* @param nickname The nickname of the certificate to verify.
|
|
* @param checkSig verify the signature of the certificate
|
|
- * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check
|
|
- * @return true for success; false otherwise
|
|
+ * @return currCertificateUsage which contains current usage bit map as defined in CertificateUsage
|
|
*
|
|
* @exception InvalidNicknameException If the nickname is null
|
|
* @exception ObjectNotFoundException If no certificate could be found
|
|
* with the given nickname.
|
|
*/
|
|
+ public int isCertValid(String nickname, boolean checkSig)
|
|
+ throws ObjectNotFoundException, InvalidNicknameException
|
|
+ {
|
|
+ if (nickname==null) {
|
|
+ throw new InvalidNicknameException("Nickname must be non-null");
|
|
+ }
|
|
+ int currCertificateUsage = 0x0000; // initialize it to 0
|
|
+ currCertificateUsage = verifyCertificateNowCUNative(nickname,
|
|
+ checkSig);
|
|
+ return currCertificateUsage;
|
|
+ }
|
|
+
|
|
+ private native int verifyCertificateNowCUNative(String nickname,
|
|
+ boolean checkSig) throws ObjectNotFoundException;
|
|
|
|
+ /////////////////////////////////////////////////////////////
|
|
+ // isCertValid
|
|
+ /////////////////////////////////////////////////////////////
|
|
+ /**
|
|
+ * Verify a certificate that exists in the given cert database,
|
|
+ * check if is valid and that we trust the issuer. Verify time
|
|
+ * against Now.
|
|
+ * @param nickname The nickname of the certificate to verify.
|
|
+ * @param checkSig verify the signature of the certificate
|
|
+ * @param certificateUsage see certificateUsage defined to verify Certificate; to retrieve current certificate usage, call the isCertValid() above
|
|
+ * @return true for success; false otherwise
|
|
+ *
|
|
+ * @exception InvalidNicknameException If the nickname is null
|
|
+ * @exception ObjectNotFoundException If no certificate could be found
|
|
+ * with the given nickname.
|
|
+ */
|
|
public boolean isCertValid(String nickname, boolean checkSig,
|
|
CertificateUsage certificateUsage)
|
|
throws ObjectNotFoundException, InvalidNicknameException
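Review bot: The Javadoc left on the new `isCertValid(String, boolean)` overload does not tell callers how to interpret the returned bitmap. Elsewhere in this patch a value equal to `CertificateUsage.basicCertificateUsages` means the certificate passed no verifiable usage, so a caller that tests the result with `!= 0` would accept a certificate that failed verification. The `@return` text should say so, for example `@return bitmap of usages the certificate is currently valid for; equal to CertificateUsage.basicCertificateUsages when it is valid for none`. The local `currCertificateUsage` is initialised to `0x0000` and immediately overwritten; `return verifyCertificateNowCUNative(nickname, checkSig);` expresses the same thing.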
|
|
@@ -1467,11 +1509,23 @@ public final class CryptoManager impleme
|
|
if (nickname==null) {
|
|
throw new InvalidNicknameException("Nickname must be non-null");
|
|
}
|
|
- // 0 certificate usage was supposed to get current usage, however,
|
|
- // it is not exposed at this point
|
|
- return verifyCertificateNowNative(nickname,
|
|
- checkSig,
|
|
- (certificateUsage == null) ? 0:certificateUsage.getUsage());
|
|
+ // 0 certificate usage will get current usage
|
|
+ // should call isCertValid() call above that returns certificate usage
|
|
+ if ((certificateUsage == null) ||
|
|
+ (certificateUsage == CertificateUsage.CheckAllUsages)){
|
|
+ int currCertificateUsage = 0x0000;
|
|
+ currCertificateUsage = verifyCertificateNowCUNative(nickname,
|
|
+ checkSig);
|
|
+
|
|
+ if (currCertificateUsage == CertificateUsage.basicCertificateUsages){
|
|
+ // cert is good for nothing
|
|
+ return false;
|
|
+ } else
|
|
+ return true;
|
|
+ } else {
|
|
+ return verifyCertificateNowNative(nickname, checkSig,
|
|
+ certificateUsage.getUsage());
|
|
+ }
|
|
}
|
|
|
|
private native boolean verifyCertificateNowNative(String nickname,
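Review bot: In the `certificateUsage == null || certificateUsage == CertificateUsage.CheckAllUsages` branch the certificate is rejected only when the native result equals `basicCertificateUsages` exactly, so every other value, including `0`, returns `true`. `0` is the value `verifyCertificateNowCUNative` initialises `currUsage` to, and it discards `rv`, so if the helper leaves `*currUsage` unwritten on a failure path without raising an exception, this method would report the certificate as valid. For a revocation check that fails open; accept only when at least one verifiable usage bit is set: `return (currCertificateUsage & ~CertificateUsage.basicCertificateUsages) != 0;`. The `else` arm is unbraced while the `if` arm is braced. The method signature lies outside this hunk.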
|
|
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
|
|
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-12-21 12:36:29.023129000 -0800
|
|
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-12-21 16:03:34.599742000 -0800
|
|
@@ -1574,18 +1574,16 @@ finish:
|
|
}
|
|
}
|
|
|
|
+
|
|
/***********************************************************************
|
|
- * CryptoManager.verifyCertificateNowNative
|
|
- *
|
|
- * Returns JNI_TRUE if success, JNI_FALSE otherwise
|
|
+ * CryptoManager.verifyCertificateNow
|
|
*/
|
|
-JNIEXPORT jboolean JNICALL
|
|
-Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
|
|
- jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
|
|
+SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString,
|
|
+ jboolean checkSig, jint required_certificateUsage,
|
|
+ SECCertificateUsage *currUsage)
|
|
{
|
|
SECStatus rv = SECFailure;
|
|
SECCertificateUsage certificateUsage;
|
|
- SECCertificateUsage currUsage; /* unexposed for now */
|
|
CERTCertificate *cert=NULL;
|
|
char *nickname=NULL;
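Review bot: `verifyCertificateNow` appears to be used only by the two JNI entry points in this file, but it is not declared `static`, and its header comment drops the return-value line the JNI function used to carry. Declaring it `static SECStatus verifyCertificateNow(...)` keeps the symbol out of the library's namespace. The comment should say that it returns `SECSuccess`/`SECFailure` and that `*currUsage` is meaningful only once `CERT_VerifyCertificateNow` has been reached. The function body continues outside this hunk.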
|
|
|
|
@@ -1602,12 +1600,28 @@ Java_org_mozilla_jss_CryptoManager_verif
|
|
JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
|
|
goto finish;
|
|
} else {
|
|
- /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
|
|
- * just get the current usage (which we are not passing back for now
|
|
- * but will bypass the certificate usage check
|
|
+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
|
|
+ * retrieve the current valid usage into currUsage
|
|
*/
|
|
rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
|
|
- checkSig, certificateUsage, NULL, &currUsage );
|
|
+ checkSig, certificateUsage, NULL, currUsage );
|
|
+ if ((rv == SECSuccess) && certificateUsage == 0x0000) {
|
|
+ if (*currUsage ==
|
|
+ ( certUsageUserCertImport |
|
|
+ certUsageVerifyCA |
|
|
+ certUsageProtectedObjectSigner |
|
|
+ certUsageAnyCA )) {
|
|
+
|
|
+ /* the cert is good for nothing
|
|
+ The folllowing usages cannot be verified:
|
|
+ certUsageAnyCA
|
|
+ certUsageProtectedObjectSigner
|
|
+ certUsageUserCertImport
|
|
+ certUsageVerifyCA
|
|
+ (0x0b80) */
|
|
+ rv =SECFailure;
|
|
+ }
|
|
+ }
|
|
}
|
|
|
|
finish:
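Review bot: The mask compared with `*currUsage` is built from `certUsageUserCertImport | certUsageVerifyCA | certUsageProtectedObjectSigner | certUsageAnyCA`. In NSS's certt.h the `certUsage*` names are the `SECCertUsage` enumerators (small ordinals), while the bit flags that sum to the `0x0b80` quoted in the comment are the `certificateUsage*` macros. As written the comparison would therefore not match the value the comment describes, and `rv` would stay `SECSuccess` for a certificate that is good for nothing. Use `certificateUsageUserCertImport | certificateUsageVerifyCA | certificateUsageProtectedObjectSigner | certificateUsageAnyCA`, and confirm against the NSS headers this package builds with. The exact `==` is also brittle; rejecting whenever no bit outside that mask is set, `(*currUsage & ~mask) == 0`, fails closed. The enclosing function starts and ends outside this hunk.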
|
|
@@ -1617,6 +1631,49 @@ finish:
|
|
if(cert != NULL) {
|
|
CERT_DestroyCertificate(cert);
|
|
}
|
|
+
|
|
+ return rv;
|
|
+}
|
|
+
|
|
+/***********************************************************************
|
|
+ * CryptoManager.verifyCertificateNowCUNative
|
|
+ *
|
|
+ * Returns jint which contains bits in SECCertificateUsage that reflects
|
|
+ * the cert usage(s) that the cert is good for
|
|
+ * if the cert is good for nothing, returned value is
|
|
+ * (0x0b80):
|
|
+ * certUsageUserCertImport |
|
|
+ * certUsageVerifyCA |
|
|
+ * certUsageProtectedObjectSigner |
|
|
+ * certUsageAnyCA
|
|
+ */
|
|
+JNIEXPORT jint JNICALL
|
|
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
|
|
+ jobject self, jstring nickString, jboolean checkSig)
|
|
+{
|
|
+ SECStatus rv = SECFailure;
|
|
+ SECCertificateUsage currUsage = 0x0000;
|
|
+
|
|
+ rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage);
|
|
+ /* rv is ignored */
|
|
+
|
|
+ return currUsage;
|
|
+}
|
|
+
|
|
+/***********************************************************************
|
|
+ * CryptoManager.verifyCertificateNowNative
|
|
+ *
|
|
+ * Returns JNI_TRUE if success, JNI_FALSE otherwise
|
|
+ */
|
|
+JNIEXPORT jboolean JNICALL
|
|
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
|
|
+ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
|
|
+{
|
|
+ SECStatus rv = SECFailure;
|
|
+ SECCertificateUsage currUsage = 0x0000;
|
|
+
|
|
+ rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage);
|
|
+
|
|
if( rv == SECSuccess) {
|
|
return JNI_TRUE;
|
|
} else {
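Review bot: `Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative` discards `rv` (`/* rv is ignored */`) and returns `currUsage` regardless. Any failure in `verifyCertificateNow` that never writes `*currUsage` therefore hands Java the initial `0x0000`, which the caller cannot distinguish from a real usage bitmap. When `rv != SECSuccess` and nothing was written, return the documented "good for nothing" mask instead, e.g. `if (rv != SECSuccess && currUsage == 0) currUsage = certificateUsageUserCertImport | certificateUsageVerifyCA | certificateUsageProtectedObjectSigner | certificateUsageAnyCA;`. In `verifyCertificateNowNative` the new `currUsage` local only receives the out-parameter and is never read; a short comment saying so would help. That function's tail is outside this hunk.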
|
|
@@ -1624,7 +1681,6 @@ finish:
|
|
}
|
|
}
|
|
|
|
-
|
|
/***********************************************************************
|
|
* CryptoManager.verifyCertNowNative
|
|
* note: this calls obsolete NSS function
|