PageRenderTime 23ms CodeModel.GetById 9ms app.highlight 11ms RepoModel.GetById 1ms app.codeStats 0ms

/security/manager/ssl/src/nsCERTValInParamWrapper.cpp

http://github.com/zpao/v8monkey
C++ | 157 lines | 81 code | 26 blank | 50 comment | 14 complexity | 404daba931de1931314b9fa88e924798 MD5 | raw file
  1/* ***** BEGIN LICENSE BLOCK *****
  2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  3 *
  4 * The contents of this file are subject to the Mozilla Public License Version
  5 * 1.1 (the "License"); you may not use this file except in compliance with
  6 * the License. You may obtain a copy of the License at
  7 * http://www.mozilla.org/MPL/
  8 *
  9 * Software distributed under the License is distributed on an "AS IS" basis,
 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 11 * for the specific language governing rights and limitations under the
 12 * License.
 13 *
 14 * The Original Code is mozilla.org code.
 15 *
 16 * The Initial Developer of the Original Code is
 17 * Red Hat, Inc.
 18 * Portions created by the Initial Developer are Copyright (C) 2011
 19 * the Initial Developer. All Rights Reserved.
 20 *
 21 * Contributor(s):
 22 *   Kai Engert <kengert@redhat.com>
 23 *
 24 * Alternatively, the contents of this file may be used under the terms of
 25 * either the GNU General Public License Version 2 or later (the "GPL"), or
 26 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 27 * in which case the provisions of the GPL or the LGPL are applicable instead
 28 * of those above. If you wish to allow use of your version of this file only
 29 * under the terms of either the GPL or the LGPL, and not to allow others to
 30 * use your version of this file under the terms of the MPL, indicate your
 31 * decision by deleting the provisions above and replace them with the notice
 32 * and other provisions required by the GPL or the LGPL. If you do not delete
 33 * the provisions above, a recipient may use your version of this file under
 34 * the terms of any one of the MPL, the GPL or the LGPL.
 35 *
 36 * ***** END LICENSE BLOCK ***** */
 37
 38#include "nsCERTValInParamWrapper.h"
 39
 40NS_IMPL_THREADSAFE_ADDREF(nsCERTValInParamWrapper)
 41NS_IMPL_THREADSAFE_RELEASE(nsCERTValInParamWrapper)
 42
 43nsCERTValInParamWrapper::nsCERTValInParamWrapper()
 44:mAlreadyConstructed(false)
 45,mCVIN(nsnull)
 46,mRev(nsnull)
 47{
 48  MOZ_COUNT_CTOR(nsCERTValInParamWrapper);
 49}
 50
 51nsCERTValInParamWrapper::~nsCERTValInParamWrapper()
 52{
 53  MOZ_COUNT_DTOR(nsCERTValInParamWrapper);
 54  if (mRev) {
 55    CERT_DestroyCERTRevocationFlags(mRev);
 56  }
 57  if (mCVIN)
 58    PORT_Free(mCVIN);
 59}
 60
 61nsresult nsCERTValInParamWrapper::Construct(missing_cert_download_config mcdc,
 62                                            crl_download_config cdc,
 63                                            ocsp_download_config odc,
 64                                            ocsp_strict_config osc,
 65                                            any_revo_fresh_config arfc,
 66                                            const char *firstNetworkRevocationMethod)
 67{
 68  if (mAlreadyConstructed)
 69    return NS_ERROR_FAILURE;
 70
 71  CERTValInParam *p = (CERTValInParam*)PORT_Alloc(3 * sizeof(CERTValInParam));
 72  if (!p)
 73    return NS_ERROR_OUT_OF_MEMORY;
 74
 75  CERTRevocationFlags *rev = CERT_AllocCERTRevocationFlags(
 76      cert_revocation_method_ocsp +1, 1,
 77      cert_revocation_method_ocsp +1, 1);
 78  
 79  if (!rev) {
 80    PORT_Free(p);
 81    return NS_ERROR_OUT_OF_MEMORY;
 82  }
 83  
 84  p[0].type = cert_pi_useAIACertFetch;
 85  p[0].value.scalar.b = (mcdc == missing_cert_download_on);
 86  p[1].type = cert_pi_revocationFlags;
 87  p[1].value.pointer.revocation = rev;
 88  p[2].type = cert_pi_end;
 89  
 90  rev->leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
 91  rev->chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
 92    // implicit default source - makes no sense for CRLs
 93    CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
 94
 95    // let's not stop on fresh CRL. If OCSP is enabled, too, let's check it
 96    | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO
 97
 98    // no fresh CRL? well, let other flag decide whether to fail or not
 99    | CERT_REV_M_IGNORE_MISSING_FRESH_INFO
100
101    // testing using local CRLs is always allowed
102    | CERT_REV_M_TEST_USING_THIS_METHOD
103
104    // no local crl and don't know where to get it from? ignore
105    | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
106
107    // crl download based on parameter
108    | ((cdc == crl_download_allowed) ?
109        CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
110    ;
111
112  rev->leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
113  rev->chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
114    // is ocsp enabled at all?
115    ((odc == ocsp_on) ?
116      CERT_REV_M_TEST_USING_THIS_METHOD : CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD)
117
118    // ocsp enabled controls network fetching, too
119    | ((odc == ocsp_on) ?
120        CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
121
122    // ocsp set to strict==required?
123    | ((osc == ocsp_strict) ?
124        CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO : CERT_REV_M_IGNORE_MISSING_FRESH_INFO)
125
126    // if app has a default OCSP responder configured, let's use it
127    | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
128
129    // of course OCSP doesn't work without a source. let's accept such certs
130    | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
131
132    // ocsp success is sufficient
133    | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
134    ;
135
136  bool wantsCrlFirst = (firstNetworkRevocationMethod != nsnull)
137                          && (strcmp("crl", firstNetworkRevocationMethod) == 0);
138    
139  rev->leafTests.preferred_methods[0] =
140  rev->chainTests.preferred_methods[0] =
141    wantsCrlFirst ? cert_revocation_method_crl : cert_revocation_method_ocsp;
142
143  rev->leafTests.cert_rev_method_independent_flags =
144  rev->chainTests.cert_rev_method_independent_flags =
145    // avoiding the network is good, let's try local first
146    CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
147
148    // is overall revocation requirement strict or relaxed?
149    | ((arfc == any_revo_strict) ?
150        CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE : CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT)
151    ;
152
153  mAlreadyConstructed = true;
154  mCVIN = p;
155  mRev = rev;
156  return NS_OK;
157}