/security/manager/ssl/src/nsCERTValInParamWrapper.cpp
C++ | 157 lines | 81 code | 26 blank | 50 comment | 14 complexity | 404daba931de1931314b9fa88e924798 MD5 | raw file
1/* ***** BEGIN LICENSE BLOCK ***** 2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 3 * 4 * The contents of this file are subject to the Mozilla Public License Version 5 * 1.1 (the "License"); you may not use this file except in compliance with 6 * the License. You may obtain a copy of the License at 7 * http://www.mozilla.org/MPL/ 8 * 9 * Software distributed under the License is distributed on an "AS IS" basis, 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License 11 * for the specific language governing rights and limitations under the 12 * License. 13 * 14 * The Original Code is mozilla.org code. 15 * 16 * The Initial Developer of the Original Code is 17 * Red Hat, Inc. 18 * Portions created by the Initial Developer are Copyright (C) 2011 19 * the Initial Developer. All Rights Reserved. 20 * 21 * Contributor(s): 22 * Kai Engert <kengert@redhat.com> 23 * 24 * Alternatively, the contents of this file may be used under the terms of 25 * either the GNU General Public License Version 2 or later (the "GPL"), or 26 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), 27 * in which case the provisions of the GPL or the LGPL are applicable instead 28 * of those above. If you wish to allow use of your version of this file only 29 * under the terms of either the GPL or the LGPL, and not to allow others to 30 * use your version of this file under the terms of the MPL, indicate your 31 * decision by deleting the provisions above and replace them with the notice 32 * and other provisions required by the GPL or the LGPL. If you do not delete 33 * the provisions above, a recipient may use your version of this file under 34 * the terms of any one of the MPL, the GPL or the LGPL. 35 * 36 * ***** END LICENSE BLOCK ***** */ 37 38#include "nsCERTValInParamWrapper.h" 39 40NS_IMPL_THREADSAFE_ADDREF(nsCERTValInParamWrapper) 41NS_IMPL_THREADSAFE_RELEASE(nsCERTValInParamWrapper) 42 43nsCERTValInParamWrapper::nsCERTValInParamWrapper() 44:mAlreadyConstructed(false) 45,mCVIN(nsnull) 46,mRev(nsnull) 47{ 48 MOZ_COUNT_CTOR(nsCERTValInParamWrapper); 49} 50 51nsCERTValInParamWrapper::~nsCERTValInParamWrapper() 52{ 53 MOZ_COUNT_DTOR(nsCERTValInParamWrapper); 54 if (mRev) { 55 CERT_DestroyCERTRevocationFlags(mRev); 56 } 57 if (mCVIN) 58 PORT_Free(mCVIN); 59} 60 61nsresult nsCERTValInParamWrapper::Construct(missing_cert_download_config mcdc, 62 crl_download_config cdc, 63 ocsp_download_config odc, 64 ocsp_strict_config osc, 65 any_revo_fresh_config arfc, 66 const char *firstNetworkRevocationMethod) 67{ 68 if (mAlreadyConstructed) 69 return NS_ERROR_FAILURE; 70 71 CERTValInParam *p = (CERTValInParam*)PORT_Alloc(3 * sizeof(CERTValInParam)); 72 if (!p) 73 return NS_ERROR_OUT_OF_MEMORY; 74 75 CERTRevocationFlags *rev = CERT_AllocCERTRevocationFlags( 76 cert_revocation_method_ocsp +1, 1, 77 cert_revocation_method_ocsp +1, 1); 78 79 if (!rev) { 80 PORT_Free(p); 81 return NS_ERROR_OUT_OF_MEMORY; 82 } 83 84 p[0].type = cert_pi_useAIACertFetch; 85 p[0].value.scalar.b = (mcdc == missing_cert_download_on); 86 p[1].type = cert_pi_revocationFlags; 87 p[1].value.pointer.revocation = rev; 88 p[2].type = cert_pi_end; 89 90 rev->leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] = 91 rev->chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] = 92 // implicit default source - makes no sense for CRLs 93 CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE 94 95 // let's not stop on fresh CRL. If OCSP is enabled, too, let's check it 96 | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO 97 98 // no fresh CRL? well, let other flag decide whether to fail or not 99 | CERT_REV_M_IGNORE_MISSING_FRESH_INFO 100 101 // testing using local CRLs is always allowed 102 | CERT_REV_M_TEST_USING_THIS_METHOD 103 104 // no local crl and don't know where to get it from? ignore 105 | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 106 107 // crl download based on parameter 108 | ((cdc == crl_download_allowed) ? 109 CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING) 110 ; 111 112 rev->leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] = 113 rev->chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] = 114 // is ocsp enabled at all? 115 ((odc == ocsp_on) ? 116 CERT_REV_M_TEST_USING_THIS_METHOD : CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD) 117 118 // ocsp enabled controls network fetching, too 119 | ((odc == ocsp_on) ? 120 CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING) 121 122 // ocsp set to strict==required? 123 | ((osc == ocsp_strict) ? 124 CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO : CERT_REV_M_IGNORE_MISSING_FRESH_INFO) 125 126 // if app has a default OCSP responder configured, let's use it 127 | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE 128 129 // of course OCSP doesn't work without a source. let's accept such certs 130 | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 131 132 // ocsp success is sufficient 133 | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO 134 ; 135 136 bool wantsCrlFirst = (firstNetworkRevocationMethod != nsnull) 137 && (strcmp("crl", firstNetworkRevocationMethod) == 0); 138 139 rev->leafTests.preferred_methods[0] = 140 rev->chainTests.preferred_methods[0] = 141 wantsCrlFirst ? cert_revocation_method_crl : cert_revocation_method_ocsp; 142 143 rev->leafTests.cert_rev_method_independent_flags = 144 rev->chainTests.cert_rev_method_independent_flags = 145 // avoiding the network is good, let's try local first 146 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 147 148 // is overall revocation requirement strict or relaxed? 149 | ((arfc == any_revo_strict) ? 150 CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE : CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT) 151 ; 152 153 mAlreadyConstructed = true; 154 mCVIN = p; 155 mRev = rev; 156 return NS_OK; 157}