/security/manager/ssl/src/nsCERTValInParamWrapper.cpp

http://github.com/zpao/v8monkey · C++ · 157 lines · 81 code · 26 blank · 50 comment · 14 complexity · 404daba931de1931314b9fa88e924798 MD5 · raw file

  1. /* ***** BEGIN LICENSE BLOCK *****
  2. * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  3. *
  4. * The contents of this file are subject to the Mozilla Public License Version
  5. * 1.1 (the "License"); you may not use this file except in compliance with
  6. * the License. You may obtain a copy of the License at
  7. * http://www.mozilla.org/MPL/
  8. *
  9. * Software distributed under the License is distributed on an "AS IS" basis,
  10. * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  11. * for the specific language governing rights and limitations under the
  12. * License.
  13. *
  14. * The Original Code is mozilla.org code.
  15. *
  16. * The Initial Developer of the Original Code is
  17. * Red Hat, Inc.
  18. * Portions created by the Initial Developer are Copyright (C) 2011
  19. * the Initial Developer. All Rights Reserved.
  20. *
  21. * Contributor(s):
  22. * Kai Engert <kengert@redhat.com>
  23. *
  24. * Alternatively, the contents of this file may be used under the terms of
  25. * either the GNU General Public License Version 2 or later (the "GPL"), or
  26. * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  27. * in which case the provisions of the GPL or the LGPL are applicable instead
  28. * of those above. If you wish to allow use of your version of this file only
  29. * under the terms of either the GPL or the LGPL, and not to allow others to
  30. * use your version of this file under the terms of the MPL, indicate your
  31. * decision by deleting the provisions above and replace them with the notice
  32. * and other provisions required by the GPL or the LGPL. If you do not delete
  33. * the provisions above, a recipient may use your version of this file under
  34. * the terms of any one of the MPL, the GPL or the LGPL.
  35. *
  36. * ***** END LICENSE BLOCK ***** */
  37. #include "nsCERTValInParamWrapper.h"
  38. NS_IMPL_THREADSAFE_ADDREF(nsCERTValInParamWrapper)
  39. NS_IMPL_THREADSAFE_RELEASE(nsCERTValInParamWrapper)
  40. nsCERTValInParamWrapper::nsCERTValInParamWrapper()
  41. :mAlreadyConstructed(false)
  42. ,mCVIN(nsnull)
  43. ,mRev(nsnull)
  44. {
  45. MOZ_COUNT_CTOR(nsCERTValInParamWrapper);
  46. }
  47. nsCERTValInParamWrapper::~nsCERTValInParamWrapper()
  48. {
  49. MOZ_COUNT_DTOR(nsCERTValInParamWrapper);
  50. if (mRev) {
  51. CERT_DestroyCERTRevocationFlags(mRev);
  52. }
  53. if (mCVIN)
  54. PORT_Free(mCVIN);
  55. }
  56. nsresult nsCERTValInParamWrapper::Construct(missing_cert_download_config mcdc,
  57. crl_download_config cdc,
  58. ocsp_download_config odc,
  59. ocsp_strict_config osc,
  60. any_revo_fresh_config arfc,
  61. const char *firstNetworkRevocationMethod)
  62. {
  63. if (mAlreadyConstructed)
  64. return NS_ERROR_FAILURE;
  65. CERTValInParam *p = (CERTValInParam*)PORT_Alloc(3 * sizeof(CERTValInParam));
  66. if (!p)
  67. return NS_ERROR_OUT_OF_MEMORY;
  68. CERTRevocationFlags *rev = CERT_AllocCERTRevocationFlags(
  69. cert_revocation_method_ocsp +1, 1,
  70. cert_revocation_method_ocsp +1, 1);
  71. if (!rev) {
  72. PORT_Free(p);
  73. return NS_ERROR_OUT_OF_MEMORY;
  74. }
  75. p[0].type = cert_pi_useAIACertFetch;
  76. p[0].value.scalar.b = (mcdc == missing_cert_download_on);
  77. p[1].type = cert_pi_revocationFlags;
  78. p[1].value.pointer.revocation = rev;
  79. p[2].type = cert_pi_end;
  80. rev->leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
  81. rev->chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
  82. // implicit default source - makes no sense for CRLs
  83. CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
  84. // let's not stop on fresh CRL. If OCSP is enabled, too, let's check it
  85. | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO
  86. // no fresh CRL? well, let other flag decide whether to fail or not
  87. | CERT_REV_M_IGNORE_MISSING_FRESH_INFO
  88. // testing using local CRLs is always allowed
  89. | CERT_REV_M_TEST_USING_THIS_METHOD
  90. // no local crl and don't know where to get it from? ignore
  91. | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
  92. // crl download based on parameter
  93. | ((cdc == crl_download_allowed) ?
  94. CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
  95. ;
  96. rev->leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
  97. rev->chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
  98. // is ocsp enabled at all?
  99. ((odc == ocsp_on) ?
  100. CERT_REV_M_TEST_USING_THIS_METHOD : CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD)
  101. // ocsp enabled controls network fetching, too
  102. | ((odc == ocsp_on) ?
  103. CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
  104. // ocsp set to strict==required?
  105. | ((osc == ocsp_strict) ?
  106. CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO : CERT_REV_M_IGNORE_MISSING_FRESH_INFO)
  107. // if app has a default OCSP responder configured, let's use it
  108. | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
  109. // of course OCSP doesn't work without a source. let's accept such certs
  110. | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
  111. // ocsp success is sufficient
  112. | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
  113. ;
  114. bool wantsCrlFirst = (firstNetworkRevocationMethod != nsnull)
  115. && (strcmp("crl", firstNetworkRevocationMethod) == 0);
  116. rev->leafTests.preferred_methods[0] =
  117. rev->chainTests.preferred_methods[0] =
  118. wantsCrlFirst ? cert_revocation_method_crl : cert_revocation_method_ocsp;
  119. rev->leafTests.cert_rev_method_independent_flags =
  120. rev->chainTests.cert_rev_method_independent_flags =
  121. // avoiding the network is good, let's try local first
  122. CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
  123. // is overall revocation requirement strict or relaxed?
  124. | ((arfc == any_revo_strict) ?
  125. CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE : CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT)
  126. ;
  127. mAlreadyConstructed = true;
  128. mCVIN = p;
  129. mRev = rev;
  130. return NS_OK;
  131. }