The Tor Browser / annotate

security/manager/ssl/src/nsCMSSecureMessage.cpp@b8a032363ba2 (annotated)

security/manager/ssl/src/nsCMSSecureMessage.cpp

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
michael@0 2 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 3 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 4 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 5
michael@0 6 #include "nsXPIDLString.h"
michael@0 7 #include "nsCOMPtr.h"
michael@0 8 #include "nsISupports.h"
michael@0 9 #include "nsIInterfaceRequestor.h"
michael@0 10 #include "nsCRT.h"
michael@0 11
michael@0 12 #include "nsICMSSecureMessage.h"
michael@0 13
michael@0 14 #include "nsCMSSecureMessage.h"
michael@0 15 #include "nsNSSCertificate.h"
michael@0 16 #include "nsNSSHelper.h"
michael@0 17 #include "nsNSSShutDown.h"
michael@0 18
michael@0 19 #include <string.h>
michael@0 20 #include "plbase64.h"
michael@0 21 #include "cert.h"
michael@0 22 #include "cms.h"
michael@0 23
michael@0 24 #include "nsIServiceManager.h"
michael@0 25 #include "nsIPrefService.h"
michael@0 26 #include "nsIPrefBranch.h"
michael@0 27
michael@0 28 #include "prlog.h"
michael@0 29 #ifdef PR_LOGGING
michael@0 30 extern PRLogModuleInfo* gPIPNSSLog;
michael@0 31 #endif
michael@0 32
michael@0 33 // Standard ISupports implementation
michael@0 34 // NOTE: Should these be the thread-safe versions?
michael@0 35
michael@0 36 /*****
michael@0 37 * nsCMSSecureMessage
michael@0 38 *****/
michael@0 39
michael@0 40 // Standard ISupports implementation
michael@0 41 NS_IMPL_ISUPPORTS(nsCMSSecureMessage, nsICMSSecureMessage)
michael@0 42
michael@0 43 // nsCMSSecureMessage constructor
michael@0 44 nsCMSSecureMessage::nsCMSSecureMessage()
michael@0 45 {
michael@0 46 // initialize superclass
michael@0 47 }
michael@0 48
michael@0 49 // nsCMSMessage destructor
michael@0 50 nsCMSSecureMessage::~nsCMSSecureMessage()
michael@0 51 {
michael@0 52 }
michael@0 53
michael@0 54 /* string getCertByPrefID (in string certID); */
michael@0 55 NS_IMETHODIMP nsCMSSecureMessage::
michael@0 56 GetCertByPrefID(const char *certID, char **_retval)
michael@0 57 {
michael@0 58 nsNSSShutDownPreventionLock locker;
michael@0 59 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::GetCertByPrefID\n"));
michael@0 60 nsresult rv = NS_OK;
michael@0 61 CERTCertificate *cert = 0;
michael@0 62 nsXPIDLCString nickname;
michael@0 63 nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
michael@0 64
michael@0 65 *_retval = 0;
michael@0 66
michael@0 67 nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
michael@0 68 if (NS_FAILED(rv)) {
michael@0 69 goto done;
michael@0 70 }
michael@0 71
michael@0 72 rv = prefs->GetCharPref(certID,
michael@0 73 getter_Copies(nickname));
michael@0 74 if (NS_FAILED(rv)) goto done;
michael@0 75
michael@0 76 /* Find a good cert in the user's database */
michael@0 77 cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), const_cast<char*>(nickname.get()),
michael@0 78 certUsageEmailRecipient, true, ctx);
michael@0 79
michael@0 80 if (!cert) {
michael@0 81 /* Success, but no value */
michael@0 82 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::GetCertByPrefID - can't find user cert\n"));
michael@0 83 goto done;
michael@0 84 }
michael@0 85
michael@0 86 /* Convert the DER to a BASE64 String */
michael@0 87 encode(cert->derCert.data, cert->derCert.len, _retval);
michael@0 88
michael@0 89 done:
michael@0 90 if (cert) CERT_DestroyCertificate(cert);
michael@0 91 return rv;
michael@0 92 }
michael@0 93
michael@0 94
michael@0 95 // nsCMSSecureMessage::DecodeCert
michael@0 96 nsresult nsCMSSecureMessage::
michael@0 97 DecodeCert(const char *value, nsIX509Cert ** _retval)
michael@0 98 {
michael@0 99 nsNSSShutDownPreventionLock locker;
michael@0 100 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::DecodeCert\n"));
michael@0 101 nsresult rv = NS_OK;
michael@0 102 int32_t length;
michael@0 103 unsigned char *data = 0;
michael@0 104
michael@0 105 *_retval = 0;
michael@0 106
michael@0 107 if (!value) { return NS_ERROR_FAILURE; }
michael@0 108
michael@0 109 rv = decode(value, &data, &length);
michael@0 110 if (NS_FAILED(rv)) {
michael@0 111 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::DecodeCert - can't decode cert\n"));
michael@0 112 return rv;
michael@0 113 }
michael@0 114
michael@0 115 nsCOMPtr<nsIX509Cert> cert = nsNSSCertificate::ConstructFromDER((char *)data, length);
michael@0 116
michael@0 117 if (cert) {
michael@0 118 *_retval = cert;
michael@0 119 NS_ADDREF(*_retval);
michael@0 120 }
michael@0 121 else {
michael@0 122 rv = NS_ERROR_FAILURE;
michael@0 123 }
michael@0 124
michael@0 125 free((char*)data);
michael@0 126 return rv;
michael@0 127 }
michael@0 128
michael@0 129 // nsCMSSecureMessage::SendMessage
michael@0 130 nsresult nsCMSSecureMessage::
michael@0 131 SendMessage(const char *msg, const char *base64Cert, char ** _retval)
michael@0 132 {
michael@0 133 nsNSSShutDownPreventionLock locker;
michael@0 134 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::SendMessage\n"));
michael@0 135 nsresult rv = NS_OK;
michael@0 136 CERTCertificate *cert = 0;
michael@0 137 NSSCMSMessage *cmsMsg = 0;
michael@0 138 unsigned char *certDER = 0;
michael@0 139 int32_t derLen;
michael@0 140 NSSCMSEnvelopedData *env;
michael@0 141 NSSCMSContentInfo *cinfo;
michael@0 142 NSSCMSRecipientInfo *rcpt;
michael@0 143 SECItem output;
michael@0 144 PLArenaPool *arena = PORT_NewArena(1024);
michael@0 145 SECStatus s;
michael@0 146 nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
michael@0 147
michael@0 148 /* Step 0. Create a CMS Message */
michael@0 149 cmsMsg = NSS_CMSMessage_Create(nullptr);
michael@0 150 if (!cmsMsg) {
michael@0 151 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::SendMessage - can't create NSSCMSMessage\n"));
michael@0 152 rv = NS_ERROR_FAILURE;
michael@0 153 goto done;
michael@0 154 }
michael@0 155
michael@0 156 /* Step 1. Import the certificate into NSS */
michael@0 157 rv = decode(base64Cert, &certDER, &derLen);
michael@0 158 if (NS_FAILED(rv)) {
michael@0 159 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::SendMessage - can't decode / import cert into NSS\n"));
michael@0 160 goto done;
michael@0 161 }
michael@0 162
michael@0 163 cert = CERT_DecodeCertFromPackage((char *)certDER, derLen);
michael@0 164 if (!cert) {
michael@0 165 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::SendMessage - can't decode cert from package\n"));
michael@0 166 rv = NS_ERROR_FAILURE;
michael@0 167 goto done;
michael@0 168 }
michael@0 169
michael@0 170 /* Step 2. Get a signature cert */
michael@0 171
michael@0 172 /* Step 3. Build inner (signature) content */
michael@0 173
michael@0 174 /* Step 4. Build outer (enveloped) content */
michael@0 175 env = NSS_CMSEnvelopedData_Create(cmsMsg, SEC_OID_DES_EDE3_CBC, 0);
michael@0 176 if (!env) {
michael@0 177 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::SendMessage - can't create envelope data\n"));
michael@0 178 rv = NS_ERROR_FAILURE;
michael@0 179 goto done;
michael@0 180 }
michael@0 181
michael@0 182 cinfo = NSS_CMSEnvelopedData_GetContentInfo(env);
michael@0 183 s = NSS_CMSContentInfo_SetContent_Data(cmsMsg, cinfo, 0, false);
michael@0 184 if (s != SECSuccess) {
michael@0 185 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::SendMessage - can't set content data\n"));
michael@0 186 rv = NS_ERROR_FAILURE;
michael@0 187 goto done;
michael@0 188 }
michael@0 189
michael@0 190 rcpt = NSS_CMSRecipientInfo_Create(cmsMsg, cert);
michael@0 191 if (!rcpt) {
michael@0 192 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::SendMessage - can't create recipient info\n"));
michael@0 193 rv = NS_ERROR_FAILURE;
michael@0 194 goto done;
michael@0 195 }
michael@0 196
michael@0 197 s = NSS_CMSEnvelopedData_AddRecipient(env, rcpt);
michael@0 198 if (s != SECSuccess) {
michael@0 199 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::SendMessage - can't add recipient\n"));
michael@0 200 rv = NS_ERROR_FAILURE;
michael@0 201 goto done;
michael@0 202 }
michael@0 203
michael@0 204 /* Step 5. Add content to message */
michael@0 205 cinfo = NSS_CMSMessage_GetContentInfo(cmsMsg);
michael@0 206 s = NSS_CMSContentInfo_SetContent_EnvelopedData(cmsMsg, cinfo, env);
michael@0 207 if (s != SECSuccess) {
michael@0 208 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::SendMessage - can't set content enveloped data\n"));
michael@0 209 rv = NS_ERROR_FAILURE;
michael@0 210 goto done;
michael@0 211 }
michael@0 212
michael@0 213 /* Step 6. Encode */
michael@0 214 NSSCMSEncoderContext *ecx;
michael@0 215
michael@0 216 output.data = 0; output.len = 0;
michael@0 217 ecx = NSS_CMSEncoder_Start(cmsMsg, 0, 0, &output, arena,
michael@0 218 0, ctx, 0, 0, 0, 0);
michael@0 219 if (!ecx) {
michael@0 220 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::SendMessage - can't start cms encoder\n"));
michael@0 221 rv = NS_ERROR_FAILURE;
michael@0 222 goto done;
michael@0 223 }
michael@0 224
michael@0 225 s = NSS_CMSEncoder_Update(ecx, msg, strlen(msg));
michael@0 226 if (s != SECSuccess) {
michael@0 227 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::SendMessage - can't update encoder\n"));
michael@0 228 rv = NS_ERROR_FAILURE;
michael@0 229 goto done;
michael@0 230 }
michael@0 231
michael@0 232 s = NSS_CMSEncoder_Finish(ecx);
michael@0 233 if (s != SECSuccess) {
michael@0 234 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::SendMessage - can't finish encoder\n"));
michael@0 235 rv = NS_ERROR_FAILURE;
michael@0 236 goto done;
michael@0 237 }
michael@0 238
michael@0 239 /* Step 7. Base64 encode and return the result */
michael@0 240 rv = encode(output.data, output.len, _retval);
michael@0 241
michael@0 242 done:
michael@0 243 if (certDER) free((char *)certDER);
michael@0 244 if (cert) CERT_DestroyCertificate(cert);
michael@0 245 if (cmsMsg) NSS_CMSMessage_Destroy(cmsMsg);
michael@0 246 if (arena) PORT_FreeArena(arena, false); /* false? */
michael@0 247
michael@0 248 return rv;
michael@0 249 }
michael@0 250
michael@0 251 /*
michael@0 252 * nsCMSSecureMessage::ReceiveMessage
michael@0 253 */
michael@0 254 nsresult nsCMSSecureMessage::
michael@0 255 ReceiveMessage(const char *msg, char **_retval)
michael@0 256 {
michael@0 257 nsNSSShutDownPreventionLock locker;
michael@0 258 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::ReceiveMessage\n"));
michael@0 259 nsresult rv = NS_OK;
michael@0 260 NSSCMSDecoderContext *dcx;
michael@0 261 unsigned char *der = 0;
michael@0 262 int32_t derLen;
michael@0 263 NSSCMSMessage *cmsMsg = 0;
michael@0 264 SECItem *content;
michael@0 265 nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
michael@0 266
michael@0 267 /* Step 1. Decode the base64 wrapper */
michael@0 268 rv = decode(msg, &der, &derLen);
michael@0 269 if (NS_FAILED(rv)) {
michael@0 270 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::ReceiveMessage - can't base64 decode\n"));
michael@0 271 goto done;
michael@0 272 }
michael@0 273
michael@0 274 dcx = NSS_CMSDecoder_Start(0, 0, 0, /* pw */ 0, ctx, /* key */ 0, 0);
michael@0 275 if (!dcx) {
michael@0 276 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::ReceiveMessage - can't start decoder\n"));
michael@0 277 rv = NS_ERROR_FAILURE;
michael@0 278 goto done;
michael@0 279 }
michael@0 280
michael@0 281 (void)NSS_CMSDecoder_Update(dcx, (char *)der, derLen);
michael@0 282 cmsMsg = NSS_CMSDecoder_Finish(dcx);
michael@0 283 if (!cmsMsg) {
michael@0 284 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::ReceiveMessage - can't finish decoder\n"));
michael@0 285 rv = NS_ERROR_FAILURE;
michael@0 286 /* Memory leak on dcx?? */
michael@0 287 goto done;
michael@0 288 }
michael@0 289
michael@0 290 content = NSS_CMSMessage_GetContent(cmsMsg);
michael@0 291 if (!content) {
michael@0 292 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::ReceiveMessage - can't get content\n"));
michael@0 293 rv = NS_ERROR_FAILURE;
michael@0 294 goto done;
michael@0 295 }
michael@0 296
michael@0 297 /* Copy the data */
michael@0 298 *_retval = (char*)malloc(content->len+1);
michael@0 299 memcpy(*_retval, content->data, content->len);
michael@0 300 (*_retval)[content->len] = 0;
michael@0 301
michael@0 302 done:
michael@0 303 if (der) free(der);
michael@0 304 if (cmsMsg) NSS_CMSMessage_Destroy(cmsMsg);
michael@0 305
michael@0 306 return rv;
michael@0 307 }
michael@0 308
michael@0 309 nsresult nsCMSSecureMessage::
michael@0 310 encode(const unsigned char *data, int32_t dataLen, char **_retval)
michael@0 311 {
michael@0 312 nsresult rv = NS_OK;
michael@0 313
michael@0 314 *_retval = PL_Base64Encode((const char *)data, dataLen, nullptr);
michael@0 315 if (!*_retval) { rv = NS_ERROR_OUT_OF_MEMORY; goto loser; }
michael@0 316
michael@0 317 loser:
michael@0 318 return rv;
michael@0 319 }
michael@0 320
michael@0 321 nsresult nsCMSSecureMessage::
michael@0 322 decode(const char *data, unsigned char **result, int32_t * _retval)
michael@0 323 {
michael@0 324 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::decode\n"));
michael@0 325 nsresult rv = NS_OK;
michael@0 326 uint32_t len = strlen(data);
michael@0 327 int adjust = 0;
michael@0 328
michael@0 329 /* Compute length adjustment */
michael@0 330 if (data[len-1] == '=') {
michael@0 331 adjust++;
michael@0 332 if (data[len-2] == '=') adjust++;
michael@0 333 }
michael@0 334
michael@0 335 *result = (unsigned char *)PL_Base64Decode(data, len, nullptr);
michael@0 336 if (!*result) {
michael@0 337 PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSSecureMessage::decode - error decoding base64\n"));
michael@0 338 rv = NS_ERROR_ILLEGAL_VALUE;
michael@0 339 goto loser;
michael@0 340 }
michael@0 341
michael@0 342 *_retval = (len*3)/4 - adjust;
michael@0 343
michael@0 344 loser:
michael@0 345 return rv;
michael@0 346 }

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial