|
|
b93447 |
diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def
|
|
|
b93447 |
--- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-12-21 12:35:04.360044000 -0800
|
|
|
b93447 |
+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-12-21 12:36:05.364105000 -0800
|
|
|
b93447 |
@@ -332,6 +332,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
|
|
|
b93447 |
Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
|
|
|
b93447 |
Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
|
|
|
b93447 |
Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
|
|
|
b93447 |
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
|
|
|
b93447 |
;+ local:
|
|
|
b93447 |
;+ *;
|
|
|
b93447 |
;+};
|
|
|
b93447 |
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
|
|
|
b93447 |
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-12-21 12:36:24.417124000 -0800
|
|
|
b93447 |
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-12-21 12:43:54.777575000 -0800
|
|
|
b93447 |
@@ -157,6 +157,19 @@ public final class CryptoManager impleme
|
|
|
b93447 |
public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner");
|
|
|
b93447 |
public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder");
|
|
|
b93447 |
public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA");
|
|
|
b93447 |
+
|
|
|
b93447 |
+ /*
|
|
|
b93447 |
+ The folllowing usages cannot be verified:
|
|
|
b93447 |
+ certUsageAnyCA
|
|
|
b93447 |
+ certUsageProtectedObjectSigner
|
|
|
b93447 |
+ certUsageUserCertImport
|
|
|
b93447 |
+ certUsageVerifyCA
|
|
|
b93447 |
+ */
|
|
|
b93447 |
+ public static final int basicCertificateUsages = /*0x0b80;*/
|
|
|
b93447 |
+ certificateUsageUserCertImport |
|
|
|
b93447 |
+ certificateUsageVerifyCA |
|
|
|
b93447 |
+ certificateUsageProtectedObjectSigner |
|
|
|
b93447 |
+ certificateUsageAnyCA ;
|
|
|
b93447 |
}
|
|
|
b93447 |
|
|
|
b93447 |
public final static class NotInitializedException extends Exception {}
|
|
|
b93447 |
@@ -1452,14 +1465,43 @@ public final class CryptoManager impleme
|
|
|
b93447 |
* against Now.
|
|
|
b93447 |
* @param nickname The nickname of the certificate to verify.
|
|
|
b93447 |
* @param checkSig verify the signature of the certificate
|
|
|
b93447 |
- * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check
|
|
|
b93447 |
- * @return true for success; false otherwise
|
|
|
b93447 |
+ * @return currCertificateUsage which contains current usage bit map as defined in CertificateUsage
|
|
|
b93447 |
*
|
|
|
b93447 |
* @exception InvalidNicknameException If the nickname is null
|
|
|
b93447 |
* @exception ObjectNotFoundException If no certificate could be found
|
|
|
b93447 |
* with the given nickname.
|
|
|
b93447 |
*/
|
|
|
b93447 |
+ public int isCertValid(String nickname, boolean checkSig)
|
|
|
b93447 |
+ throws ObjectNotFoundException, InvalidNicknameException
|
|
|
b93447 |
+ {
|
|
|
b93447 |
+ if (nickname==null) {
|
|
|
b93447 |
+ throw new InvalidNicknameException("Nickname must be non-null");
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+ int currCertificateUsage = 0x0000; // initialize it to 0
|
|
|
b93447 |
+ currCertificateUsage = verifyCertificateNowCUNative(nickname,
|
|
|
b93447 |
+ checkSig);
|
|
|
b93447 |
+ return currCertificateUsage;
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+
|
|
|
b93447 |
+ private native int verifyCertificateNowCUNative(String nickname,
|
|
|
b93447 |
+ boolean checkSig) throws ObjectNotFoundException;
|
|
|
b93447 |
|
|
|
b93447 |
+ /////////////////////////////////////////////////////////////
|
|
|
b93447 |
+ // isCertValid
|
|
|
b93447 |
+ /////////////////////////////////////////////////////////////
|
|
|
b93447 |
+ /**
|
|
|
b93447 |
+ * Verify a certificate that exists in the given cert database,
|
|
|
b93447 |
+ * check if is valid and that we trust the issuer. Verify time
|
|
|
b93447 |
+ * against Now.
|
|
|
b93447 |
+ * @param nickname The nickname of the certificate to verify.
|
|
|
b93447 |
+ * @param checkSig verify the signature of the certificate
|
|
|
b93447 |
+ * @param certificateUsage see certificateUsage defined to verify Certificate; to retrieve current certificate usage, call the isCertValid() above
|
|
|
b93447 |
+ * @return true for success; false otherwise
|
|
|
b93447 |
+ *
|
|
|
b93447 |
+ * @exception InvalidNicknameException If the nickname is null
|
|
|
b93447 |
+ * @exception ObjectNotFoundException If no certificate could be found
|
|
|
b93447 |
+ * with the given nickname.
|
|
|
b93447 |
+ */
|
|
|
b93447 |
public boolean isCertValid(String nickname, boolean checkSig,
|
|
|
b93447 |
CertificateUsage certificateUsage)
|
|
|
b93447 |
throws ObjectNotFoundException, InvalidNicknameException
|
|
|
b93447 |
@@ -1467,11 +1509,23 @@ public final class CryptoManager impleme
|
|
|
b93447 |
if (nickname==null) {
|
|
|
b93447 |
throw new InvalidNicknameException("Nickname must be non-null");
|
|
|
b93447 |
}
|
|
|
b93447 |
- // 0 certificate usage was supposed to get current usage, however,
|
|
|
b93447 |
- // it is not exposed at this point
|
|
|
b93447 |
- return verifyCertificateNowNative(nickname,
|
|
|
b93447 |
- checkSig,
|
|
|
b93447 |
- (certificateUsage == null) ? 0:certificateUsage.getUsage());
|
|
|
b93447 |
+ // 0 certificate usage will get current usage
|
|
|
b93447 |
+ // should call isCertValid() call above that returns certificate usage
|
|
|
b93447 |
+ if ((certificateUsage == null) ||
|
|
|
b93447 |
+ (certificateUsage == CertificateUsage.CheckAllUsages)){
|
|
|
b93447 |
+ int currCertificateUsage = 0x0000;
|
|
|
b93447 |
+ currCertificateUsage = verifyCertificateNowCUNative(nickname,
|
|
|
b93447 |
+ checkSig);
|
|
|
b93447 |
+
|
|
|
b93447 |
+ if (currCertificateUsage == CertificateUsage.basicCertificateUsages){
|
|
|
b93447 |
+ // cert is good for nothing
|
|
|
b93447 |
+ return false;
|
|
|
b93447 |
+ } else
|
|
|
b93447 |
+ return true;
|
|
|
b93447 |
+ } else {
|
|
|
b93447 |
+ return verifyCertificateNowNative(nickname, checkSig,
|
|
|
b93447 |
+ certificateUsage.getUsage());
|
|
|
b93447 |
+ }
|
|
|
b93447 |
}
|
|
|
b93447 |
|
|
|
b93447 |
private native boolean verifyCertificateNowNative(String nickname,
|
|
|
b93447 |
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
|
|
|
b93447 |
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-12-21 12:36:29.023129000 -0800
|
|
|
b93447 |
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-12-21 16:03:34.599742000 -0800
|
|
|
b93447 |
@@ -1574,18 +1574,16 @@ finish:
|
|
|
b93447 |
}
|
|
|
b93447 |
}
|
|
|
b93447 |
|
|
|
b93447 |
+
|
|
|
b93447 |
/***********************************************************************
|
|
|
b93447 |
- * CryptoManager.verifyCertificateNowNative
|
|
|
b93447 |
- *
|
|
|
b93447 |
- * Returns JNI_TRUE if success, JNI_FALSE otherwise
|
|
|
b93447 |
+ * CryptoManager.verifyCertificateNow
|
|
|
b93447 |
*/
|
|
|
b93447 |
-JNIEXPORT jboolean JNICALL
|
|
|
b93447 |
-Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
|
|
|
b93447 |
- jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
|
|
|
b93447 |
+SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString,
|
|
|
b93447 |
+ jboolean checkSig, jint required_certificateUsage,
|
|
|
b93447 |
+ SECCertificateUsage *currUsage)
|
|
|
b93447 |
{
|
|
|
b93447 |
SECStatus rv = SECFailure;
|
|
|
b93447 |
SECCertificateUsage certificateUsage;
|
|
|
b93447 |
- SECCertificateUsage currUsage; /* unexposed for now */
|
|
|
b93447 |
CERTCertificate *cert=NULL;
|
|
|
b93447 |
char *nickname=NULL;
|
|
|
b93447 |
|
|
|
b93447 |
@@ -1602,12 +1600,28 @@ Java_org_mozilla_jss_CryptoManager_verif
|
|
|
b93447 |
JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
|
|
|
b93447 |
goto finish;
|
|
|
b93447 |
} else {
|
|
|
b93447 |
- /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
|
|
|
b93447 |
- * just get the current usage (which we are not passing back for now
|
|
|
b93447 |
- * but will bypass the certificate usage check
|
|
|
b93447 |
+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
|
|
|
b93447 |
+ * retrieve the current valid usage into currUsage
|
|
|
b93447 |
*/
|
|
|
b93447 |
rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
|
|
|
b93447 |
- checkSig, certificateUsage, NULL, &currUsage );
|
|
|
b93447 |
+ checkSig, certificateUsage, NULL, currUsage );
|
|
|
b93447 |
+ if ((rv == SECSuccess) && certificateUsage == 0x0000) {
|
|
|
b93447 |
+ if (*currUsage ==
|
|
|
b93447 |
+ ( certUsageUserCertImport |
|
|
|
b93447 |
+ certUsageVerifyCA |
|
|
|
b93447 |
+ certUsageProtectedObjectSigner |
|
|
|
b93447 |
+ certUsageAnyCA )) {
|
|
|
b93447 |
+
|
|
|
b93447 |
+ /* the cert is good for nothing
|
|
|
b93447 |
+ The folllowing usages cannot be verified:
|
|
|
b93447 |
+ certUsageAnyCA
|
|
|
b93447 |
+ certUsageProtectedObjectSigner
|
|
|
b93447 |
+ certUsageUserCertImport
|
|
|
b93447 |
+ certUsageVerifyCA
|
|
|
b93447 |
+ (0x0b80) */
|
|
|
b93447 |
+ rv =SECFailure;
|
|
|
b93447 |
+ }
|
|
|
b93447 |
+ }
|
|
|
b93447 |
}
|
|
|
b93447 |
|
|
|
b93447 |
finish:
|
|
|
b93447 |
@@ -1617,6 +1631,49 @@ finish:
|
|
|
b93447 |
if(cert != NULL) {
|
|
|
b93447 |
CERT_DestroyCertificate(cert);
|
|
|
b93447 |
}
|
|
|
b93447 |
+
|
|
|
b93447 |
+ return rv;
|
|
|
b93447 |
+}
|
|
|
b93447 |
+
|
|
|
b93447 |
+/***********************************************************************
|
|
|
b93447 |
+ * CryptoManager.verifyCertificateNowCUNative
|
|
|
b93447 |
+ *
|
|
|
b93447 |
+ * Returns jint which contains bits in SECCertificateUsage that reflects
|
|
|
b93447 |
+ * the cert usage(s) that the cert is good for
|
|
|
b93447 |
+ * if the cert is good for nothing, returned value is
|
|
|
b93447 |
+ * (0x0b80):
|
|
|
b93447 |
+ * certUsageUserCertImport |
|
|
|
b93447 |
+ * certUsageVerifyCA |
|
|
|
b93447 |
+ * certUsageProtectedObjectSigner |
|
|
|
b93447 |
+ * certUsageAnyCA
|
|
|
b93447 |
+ */
|
|
|
b93447 |
+JNIEXPORT jint JNICALL
|
|
|
b93447 |
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
|
|
|
b93447 |
+ jobject self, jstring nickString, jboolean checkSig)
|
|
|
b93447 |
+{
|
|
|
b93447 |
+ SECStatus rv = SECFailure;
|
|
|
b93447 |
+ SECCertificateUsage currUsage = 0x0000;
|
|
|
b93447 |
+
|
|
|
b93447 |
+ rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage);
|
|
|
b93447 |
+ /* rv is ignored */
|
|
|
b93447 |
+
|
|
|
b93447 |
+ return currUsage;
|
|
|
b93447 |
+}
|
|
|
b93447 |
+
|
|
|
b93447 |
+/***********************************************************************
|
|
|
b93447 |
+ * CryptoManager.verifyCertificateNowNative
|
|
|
b93447 |
+ *
|
|
|
b93447 |
+ * Returns JNI_TRUE if success, JNI_FALSE otherwise
|
|
|
b93447 |
+ */
|
|
|
b93447 |
+JNIEXPORT jboolean JNICALL
|
|
|
b93447 |
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
|
|
|
b93447 |
+ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
|
|
|
b93447 |
+{
|
|
|
b93447 |
+ SECStatus rv = SECFailure;
|
|
|
b93447 |
+ SECCertificateUsage currUsage = 0x0000;
|
|
|
b93447 |
+
|
|
|
b93447 |
+ rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage);
|
|
|
b93447 |
+
|
|
|
b93447 |
if( rv == SECSuccess) {
|
|
|
b93447 |
return JNI_TRUE;
|
|
|
b93447 |
} else {
|
|
|
b93447 |
@@ -1624,7 +1681,6 @@ finish:
|
|
|
b93447 |
}
|
|
|
b93447 |
}
|
|
|
b93447 |
|
|
|
b93447 |
-
|
|
|
b93447 |
/***********************************************************************
|
|
|
b93447 |
* CryptoManager.verifyCertNowNative
|
|
|
b93447 |
* note: this calls obsolete NSS function
|