b93447 |
diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def
|
|
|
b93447 |
--- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-10-20 09:53:10.288935000 -0700
|
|
|
b93447 |
+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-10-29 10:29:48.664212000 -0700
|
|
|
b93447 |
@@ -331,6 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
|
|
|
b93447 |
Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags;
|
|
|
b93447 |
Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
|
|
|
b93447 |
Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
|
|
|
b93447 |
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
|
|
|
b93447 |
;+ local:
|
|
|
b93447 |
;+ *;
|
|
|
b93447 |
;+};
|
|
|
b93447 |
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
|
|
|
b93447 |
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-10-28 16:44:46.366082000 -0700
|
|
|
b93447 |
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-10-31 17:30:25.502670000 -0700
|
|
|
b93447 |
@@ -61,6 +61,7 @@ import org.mozilla.jss.provider.java.sec
|
|
|
b93447 |
public final class CryptoManager implements TokenSupplier
|
|
|
b93447 |
{
|
|
|
b93447 |
/**
|
|
|
b93447 |
+ * note: this is obsolete in NSS
|
|
|
b93447 |
* CertUsage options for validation
|
|
|
b93447 |
*/
|
|
|
b93447 |
public final static class CertUsage {
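Review bot: The added `note: this is obsolete in NSS` tells a reader the class is superseded but not by what, and as a plain comment it will not show up in generated API docs or as a compiler warning at call sites. A Javadoc tag naming the replacement does both: `@deprecated mirrors an NSS enum that is obsolete; use {@link CertificateUsage} with {@link #isCertValid(String, boolean, CertificateUsage)} instead`, plus `@Deprecated` on the declaration on the next line if the build targets Java 5 or later. The body of `CertUsage` continues outside the hunk.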
|
|
|
b93447 |
@@ -86,8 +87,6 @@ public final class CryptoManager impleme
|
|
|
b93447 |
return name;
|
|
|
b93447 |
}
|
|
|
b93447 |
|
|
|
b93447 |
-
|
|
|
b93447 |
-
|
|
|
b93447 |
// certUsage, these must be kept in sync with nss/lib/certdb/certt.h
|
|
|
b93447 |
public static final CertUsage SSLClient = new CertUsage(0, "SSLClient");
|
|
|
b93447 |
public static final CertUsage SSLServer = new CertUsage(1, "SSLServer");
|
|
|
b93447 |
@@ -103,6 +102,63 @@ public final class CryptoManager impleme
|
|
|
b93447 |
public static final CertUsage AnyCA = new CertUsage(11, "AnyCA");
|
|
|
b93447 |
}
|
|
|
b93447 |
|
|
|
b93447 |
+ /**
|
|
|
b93447 |
+ * CertificateUsage options for validation
|
|
|
b93447 |
+ */
|
|
|
b93447 |
+ public final static class CertificateUsage {
|
|
|
b93447 |
+ private int usage;
|
|
|
b93447 |
+ private String name;
|
|
|
b93447 |
+
|
|
|
b93447 |
+ // certificateUsage, these must be kept in sync with nss/lib/certdb/certt.h
|
|
|
b93447 |
+ private static final int certificateUsageCheckAllUsages = 0x0000;
|
|
|
b93447 |
+ private static final int certificateUsageSSLClient = 0x0001;
|
|
|
b93447 |
+ private static final int certificateUsageSSLServer = 0x0002;
|
|
|
b93447 |
+ private static final int certificateUsageSSLServerWithStepUp = 0x0004;
|
|
|
b93447 |
+ private static final int certificateUsageSSLCA = 0x0008;
|
|
|
b93447 |
+ private static final int certificateUsageEmailSigner = 0x0010;
|
|
|
b93447 |
+ private static final int certificateUsageEmailRecipient = 0x0020;
|
|
|
b93447 |
+ private static final int certificateUsageObjectSigner = 0x0040;
|
|
|
b93447 |
+ private static final int certificateUsageUserCertImport = 0x0080;
|
|
|
b93447 |
+ private static final int certificateUsageVerifyCA = 0x0100;
|
|
|
b93447 |
+ private static final int certificateUsageProtectedObjectSigner = 0x0200;
|
|
|
b93447 |
+ private static final int certificateUsageStatusResponder = 0x0400;
|
|
|
b93447 |
+ private static final int certificateUsageAnyCA = 0x0800;
|
|
|
b93447 |
+
|
|
|
b93447 |
+ static private ArrayList list = new ArrayList();
|
|
|
b93447 |
+ private CertificateUsage() {};
|
|
|
b93447 |
+ private CertificateUsage(int usage, String name) {
|
|
|
b93447 |
+ this.usage = usage;
|
|
|
b93447 |
+ this.name = name;
|
|
|
b93447 |
+ this.list.add(this);
|
|
|
b93447 |
+
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+ public int getUsage() {
|
|
|
b93447 |
+ return usage;
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+
|
|
|
b93447 |
+ static public Iterator getCertificateUsages() {
|
|
|
b93447 |
+ return list.iterator();
|
|
|
b93447 |
+
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+ public String toString() {
|
|
|
b93447 |
+ return name;
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+
|
|
|
b93447 |
+ public static final CertificateUsage CheckAllUsages = new CertificateUsage(certificateUsageCheckAllUsages, "CheckAllUsages");
|
|
|
b93447 |
+ public static final CertificateUsage SSLClient = new CertificateUsage(certificateUsageSSLClient, "SSLClient");
|
|
|
b93447 |
+ public static final CertificateUsage SSLServer = new CertificateUsage(certificateUsageSSLServer, "SSLServer");
|
|
|
b93447 |
+ public static final CertificateUsage SSLServerWithStepUp = new CertificateUsage(certificateUsageSSLServerWithStepUp, "SSLServerWithStepUp");
|
|
|
b93447 |
+ public static final CertificateUsage SSLCA = new CertificateUsage(certificateUsageSSLCA, "SSLCA");
|
|
|
b93447 |
+ public static final CertificateUsage EmailSigner = new CertificateUsage(certificateUsageEmailSigner, "EmailSigner");
|
|
|
b93447 |
+ public static final CertificateUsage EmailRecipient = new CertificateUsage(certificateUsageEmailRecipient, "EmailRecipient");
|
|
|
b93447 |
+ public static final CertificateUsage ObjectSigner = new CertificateUsage(certificateUsageObjectSigner, "ObjectSigner");
|
|
|
b93447 |
+ public static final CertificateUsage UserCertImport = new CertificateUsage(certificateUsageUserCertImport, "UserCertImport");
|
|
|
b93447 |
+ public static final CertificateUsage VerifyCA = new CertificateUsage(certificateUsageVerifyCA, "VerifyCA");
|
|
|
b93447 |
+ public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner");
|
|
|
b93447 |
+ public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder");
|
|
|
b93447 |
+ public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA");
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+
|
|
|
b93447 |
public final static class NotInitializedException extends Exception {}
|
|
|
b93447 |
public final static class NicknameConflictException extends Exception {}
|
|
|
b93447 |
public final static class UserCertConflictException extends Exception {}
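Review bot: `getCertificateUsages()` hands out a live `Iterator` over the static `list`, so any caller can invoke `remove()` and delete usage constants from a registry shared by the whole process; returning `Collections.unmodifiableList(list).iterator()` closes that (this needs `java.util.Collections`, and the import block is outside the hunk, so check it is in scope). The registry is also raw-typed (`ArrayList`, `Iterator`), which is consistent with the existing `CertUsage` class but means nothing stops a stray object being added or an unchecked cast at the caller; if the build targets Java 5+, `List<CertificateUsage>` and `Iterator<CertificateUsage>` would let the compiler check this. The `private CertificateUsage() {};` line also carries a stray trailing semicolon.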
|
|
|
b93447 |
@@ -1386,6 +1442,7 @@ public final class CryptoManager impleme
|
|
|
b93447 |
}
|
|
|
b93447 |
return tok;
|
|
|
b93447 |
}
|
|
|
b93447 |
+
|
|
|
b93447 |
/////////////////////////////////////////////////////////////
|
|
|
b93447 |
// isCertValid
|
|
|
b93447 |
/////////////////////////////////////////////////////////////
|
|
|
b93447 |
@@ -1395,6 +1452,39 @@ public final class CryptoManager impleme
|
|
|
b93447 |
* against Now.
|
|
|
b93447 |
* @param nickname The nickname of the certificate to verify.
|
|
|
b93447 |
* @param checkSig verify the signature of the certificate
|
|
|
b93447 |
+ * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check
|
|
|
b93447 |
+ * @return true for success; false otherwise
|
|
|
b93447 |
+ *
|
|
|
b93447 |
+ * @exception InvalidNicknameException If the nickname is null
|
|
|
b93447 |
+ * @exception ObjectNotFoundException If no certificate could be found
|
|
|
b93447 |
+ * with the given nickname.
|
|
|
b93447 |
+ */
|
|
|
b93447 |
+
|
|
|
b93447 |
+ public boolean isCertValid(String nickname, boolean checkSig,
|
|
|
b93447 |
+ CertificateUsage certificateUsage)
|
|
|
b93447 |
+ throws ObjectNotFoundException, InvalidNicknameException
|
|
|
b93447 |
+ {
|
|
|
b93447 |
+ if (nickname==null) {
|
|
|
b93447 |
+ throw new InvalidNicknameException("Nickname must be non-null");
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+ // 0 certificate usage was supposed to get current usage, however,
|
|
|
b93447 |
+ // it is not exposed at this point
|
|
|
b93447 |
+ return verifyCertificateNowNative(nickname,
|
|
|
b93447 |
+ checkSig,
|
|
|
b93447 |
+ (certificateUsage == null) ? 0:certificateUsage.getUsage());
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+
|
|
|
b93447 |
+ private native boolean verifyCertificateNowNative(String nickname,
|
|
|
b93447 |
+ boolean checkSig, int certificateUsage) throws ObjectNotFoundException;
|
|
|
b93447 |
+
|
|
|
b93447 |
+ /**
|
|
|
b93447 |
+ * note: this method calls obsolete function in NSS
|
|
|
b93447 |
+ *
|
|
|
b93447 |
+ * Verify a certificate that exists in the given cert database,
|
|
|
b93447 |
+ * check if is valid and that we trust the issuer. Verify time
|
|
|
b93447 |
+ * against Now.
|
|
|
b93447 |
+ * @param nickname The nickname of the certificate to verify.
|
|
|
b93447 |
+ * @param checkSig verify the signature of the certificate
|
|
|
b93447 |
* @param certUsage see exposed certUsage defines to verify Certificate
|
|
|
b93447 |
* @return true for success; false otherwise
|
|
|
b93447 |
*
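Review bot: The Javadoc on the new `isCertValid` overload says a null `certificateUsage` "will bypass usage check", but `CertificateUsage.CheckAllUsages` also maps to 0, and the native call returns only a boolean while dropping the usages NSS reports back, so in both cases a `true` result does not tell the caller the certificate is good for any particular purpose — as far as I recall NSS, with a required usage of 0 the per-usage outcome is reported only through the returned-usages mask, not through the return value, so this needs confirming against certvfy.c. Callers that verify for a purpose (SSL server, object signing, CA) therefore must pass that usage, and the doc should say so rather than present the bypass as a convenience: `@param certificateUsage the usage the certificate must be valid for; null or {@link CertificateUsage#CheckAllUsages} passes 0 to NSS, which drops the per-usage requirement, so a true result then only means the certificate passed NSS's basic validity checks and must not be relied on for a specific purpose`. The same hunk also carries the head of the older CertUsage-based `isCertValid`, whose body continues outside the hunk.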
|
|
|
b93447 |
@@ -1413,6 +1503,9 @@ public final class CryptoManager impleme
|
|
|
b93447 |
return verifyCertNowNative(nickname, checkSig, certUsage.getUsage());
|
|
|
b93447 |
}
|
|
|
b93447 |
|
|
|
b93447 |
+ /*
|
|
|
b93447 |
+ * Obsolete in NSS
|
|
|
b93447 |
+ */
|
|
|
b93447 |
private native boolean verifyCertNowNative(String nickname,
|
|
|
b93447 |
boolean checkSig, int cUsage) throws ObjectNotFoundException;
|
|
|
b93447 |
|
|
|
b93447 |
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
|
|
|
b93447 |
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-10-28 16:45:46.501899000 -0700
|
|
|
b93447 |
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-10-31 17:25:53.575482000 -0700
|
|
|
b93447 |
@@ -1575,11 +1575,62 @@ finish:
|
|
|
b93447 |
}
|
|
|
b93447 |
|
|
|
b93447 |
/***********************************************************************
|
|
|
b93447 |
- * CryptoManager.verifyCertNowNative
|
|
|
b93447 |
+ * CryptoManager.verifyCertificateNowNative
|
|
|
b93447 |
*
|
|
|
b93447 |
* Returns JNI_TRUE if success, JNI_FALSE otherwise
|
|
|
b93447 |
*/
|
|
|
b93447 |
JNIEXPORT jboolean JNICALL
|
|
|
b93447 |
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
|
|
|
b93447 |
+ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
|
|
|
b93447 |
+{
|
|
|
b93447 |
+ SECStatus rv = SECFailure;
|
|
|
b93447 |
+ SECCertificateUsage certificateUsage;
|
|
|
b93447 |
+ SECCertificateUsage currUsage; /* unexposed for now */
|
|
|
b93447 |
+ CERTCertificate *cert=NULL;
|
|
|
b93447 |
+ char *nickname=NULL;
|
|
|
b93447 |
+
|
|
|
b93447 |
+ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
|
|
|
b93447 |
+ if( nickname == NULL ) {
|
|
|
b93447 |
+ goto finish;
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+
|
|
|
b93447 |
+ certificateUsage = required_certificateUsage;
|
|
|
b93447 |
+
|
|
|
b93447 |
+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
|
|
|
b93447 |
+
|
|
|
b93447 |
+ if (cert == NULL) {
|
|
|
b93447 |
+ JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
|
|
|
b93447 |
+ goto finish;
|
|
|
b93447 |
+ } else {
|
|
|
b93447 |
+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
|
|
|
b93447 |
+ * just get the current usage (which we are not passing back for now
|
|
|
b93447 |
+ * but will bypass the certificate usage check
|
|
|
b93447 |
+ */
|
|
|
b93447 |
+ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
|
|
|
b93447 |
+ checkSig, certificateUsage, NULL, &currUsage );
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+
|
|
|
b93447 |
+finish:
|
|
|
b93447 |
+ if(nickname != NULL) {
|
|
|
b93447 |
+ (*env)->ReleaseStringUTFChars(env, nickString, nickname);
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+ if(cert != NULL) {
|
|
|
b93447 |
+ CERT_DestroyCertificate(cert);
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+ if( rv == SECSuccess) {
|
|
|
b93447 |
+ return JNI_TRUE;
|
|
|
b93447 |
+ } else {
|
|
|
b93447 |
+ return JNI_FALSE;
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+}
|
|
|
b93447 |
+
|
|
|
b93447 |
+
|
|
|
b93447 |
+/***********************************************************************
|
|
|
b93447 |
+ * CryptoManager.verifyCertNowNative
|
|
|
b93447 |
+ * note: this calls obsolete NSS function
|
|
|
b93447 |
+ * Returns JNI_TRUE if success, JNI_FALSE otherwise
|
|
|
b93447 |
+ */
|
|
|
b93447 |
+JNIEXPORT jboolean JNICALL
|
|
|
b93447 |
Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env,
|
|
|
b93447 |
jobject self, jstring nickString, jboolean checkSig, jint cUsage)
|
|
|
b93447 |
{
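Review bot: `currUsage` is filled in by `CERT_VerifyCertificateNow` and then discarded, and the comment above the call concedes that a 0 request bypasses the usage check, so `JNI_TRUE` for a 0 request says nothing about which usages, if any, validated. If NSS reports per-usage results only through that out-parameter when the required mask is 0 (my recollection of certvfy.c, worth confirming), the function could at least refuse a certificate that validated for nothing: `if (rv == SECSuccess && required_certificateUsage == 0 && currUsage == 0) { rv = SECFailure; }` immediately after the call, with returning the mask to Java left for a follow-up. The NSS error code is also lost on the failure path, so a false result cannot be distinguished as expired, untrusted issuer or wrong usage; saving `PRErrorCode err = PORT_GetError();` before the `finish:` cleanup (which may itself touch the thread error) would let a later change surface it. The `verifyCertNowNative` definition that begins at the bottom of the hunk continues outside it.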
|