• file
• revisions
• annotate
• diff
• comparison
• raw

security/nss/lib/ssl/authcert.c@b8a032363ba2 (annotated)

security/nss/lib/ssl/authcert.c

Thu, 22 Jan 2015 13:21:57 +0100

author

Michael Schloh von Bennewitz <michael@schloh.com>

date

Thu, 22 Jan 2015 13:21:57 +0100

branch

TOR_BUG_9701

changeset 15

b8a032363ba2

permissions

-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0	1	/*
michael@0	2	* NSS utility functions
michael@0	3	*
michael@0	4	* This Source Code Form is subject to the terms of the Mozilla Public
michael@0	5	* License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0	6	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0	7
michael@0	8	#include <stdio.h>
michael@0	9	#include <string.h>
michael@0	10	#include "prerror.h"
michael@0	11	#include "secitem.h"
michael@0	12	#include "prnetdb.h"
michael@0	13	#include "cert.h"
michael@0	14	#include "nspr.h"
michael@0	15	#include "secder.h"
michael@0	16	#include "key.h"
michael@0	17	#include "nss.h"
michael@0	18	#include "ssl.h"
michael@0	19	#include "pk11func.h" /* for PK11_ function calls */
michael@0	20
michael@0	21	/*
michael@0	22	* This callback used by SSL to pull client sertificate upon
michael@0	23	* server request
michael@0	24	*/
michael@0	25	SECStatus
michael@0	26	NSS_GetClientAuthData(void * arg,
michael@0	27	PRFileDesc * socket,
michael@0	28	struct CERTDistNamesStr * caNames,
michael@0	29	struct CERTCertificateStr ** pRetCert,
michael@0	30	struct SECKEYPrivateKeyStr **pRetKey)
michael@0	31	{
michael@0	32	CERTCertificate * cert = NULL;
michael@0	33	SECKEYPrivateKey * privkey = NULL;
michael@0	34	char * chosenNickName = (char *)arg; /* CONST */
michael@0	35	void * proto_win = NULL;
michael@0	36	SECStatus rv = SECFailure;
michael@0	37
michael@0	38	proto_win = SSL_RevealPinArg(socket);
michael@0	39
michael@0	40	if (chosenNickName) {
michael@0	41	cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
michael@0	42	chosenNickName, certUsageSSLClient,
michael@0	43	PR_FALSE, proto_win);
michael@0	44	if ( cert ) {
michael@0	45	privkey = PK11_FindKeyByAnyCert(cert, proto_win);
michael@0	46	if ( privkey ) {
michael@0	47	rv = SECSuccess;
michael@0	48	} else {
michael@0	49	CERT_DestroyCertificate(cert);
michael@0	50	}
michael@0	51	}
michael@0	52	} else { /* no name given, automatically find the right cert. */
michael@0	53	CERTCertNicknames * names;
michael@0	54	int i;
michael@0	55
michael@0	56	names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
michael@0	57	SEC_CERT_NICKNAMES_USER, proto_win);
michael@0	58	if (names != NULL) {
michael@0	59	for (i = 0; i < names->numnicknames; i++) {
michael@0	60	cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
michael@0	61	names->nicknames[i], certUsageSSLClient,
michael@0	62	PR_FALSE, proto_win);
michael@0	63	if ( !cert )
michael@0	64	continue;
michael@0	65	/* Only check unexpired certs */
michael@0	66	if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) !=
michael@0	67	secCertTimeValid ) {
michael@0	68	CERT_DestroyCertificate(cert);
michael@0	69	continue;
michael@0	70	}
michael@0	71	rv = NSS_CmpCertChainWCANames(cert, caNames);
michael@0	72	if ( rv == SECSuccess ) {
michael@0	73	privkey = PK11_FindKeyByAnyCert(cert, proto_win);
michael@0	74	if ( privkey )
michael@0	75	break;
michael@0	76	}
michael@0	77	rv = SECFailure;
michael@0	78	CERT_DestroyCertificate(cert);
michael@0	79	}
michael@0	80	CERT_FreeNicknames(names);
michael@0	81	}
michael@0	82	}
michael@0	83	if (rv == SECSuccess) {
michael@0	84	*pRetCert = cert;
michael@0	85	*pRetKey = privkey;
michael@0	86	}
michael@0	87	return rv;
michael@0	88	}
michael@0	89