1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/manager/ssl/src/nsNSSCertTrust.cpp Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,332 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +
1.8 +#include "nsNSSCertTrust.h"
1.9 +
1.10 +void
1.11 +nsNSSCertTrust::AddCATrust(bool ssl, bool email, bool objSign)
1.12 +{
1.13 + if (ssl) {
1.14 + addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
1.15 + addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
1.16 + }
1.17 + if (email) {
1.18 + addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
1.19 + addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
1.20 + }
1.21 + if (objSign) {
1.22 + addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
1.23 + addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
1.24 + }
1.25 +}
1.26 +
1.27 +void
1.28 +nsNSSCertTrust::AddPeerTrust(bool ssl, bool email, bool objSign)
1.29 +{
1.30 + if (ssl)
1.31 + addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
1.32 + if (email)
1.33 + addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
1.34 + if (objSign)
1.35 + addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
1.36 +}
1.37 +
1.38 +nsNSSCertTrust::nsNSSCertTrust()
1.39 +{
1.40 + memset(&mTrust, 0, sizeof(CERTCertTrust));
1.41 +}
1.42 +
1.43 +nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl,
1.44 + unsigned int email,
1.45 + unsigned int objsign)
1.46 +{
1.47 + memset(&mTrust, 0, sizeof(CERTCertTrust));
1.48 + addTrust(&mTrust.sslFlags, ssl);
1.49 + addTrust(&mTrust.emailFlags, email);
1.50 + addTrust(&mTrust.objectSigningFlags, objsign);
1.51 +}
1.52 +
1.53 +nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust *t)
1.54 +{
1.55 + if (t)
1.56 + memcpy(&mTrust, t, sizeof(CERTCertTrust));
1.57 + else
1.58 + memset(&mTrust, 0, sizeof(CERTCertTrust));
1.59 +}
1.60 +
1.61 +nsNSSCertTrust::~nsNSSCertTrust()
1.62 +{
1.63 +}
1.64 +
1.65 +void
1.66 +nsNSSCertTrust::SetSSLTrust(bool peer, bool tPeer,
1.67 + bool ca, bool tCA, bool tClientCA,
1.68 + bool user, bool warn)
1.69 +{
1.70 + mTrust.sslFlags = 0;
1.71 + if (peer || tPeer)
1.72 + addTrust(&mTrust.sslFlags, CERTDB_TERMINAL_RECORD);
1.73 + if (tPeer)
1.74 + addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
1.75 + if (ca || tCA)
1.76 + addTrust(&mTrust.sslFlags, CERTDB_VALID_CA);
1.77 + if (tClientCA)
1.78 + addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
1.79 + if (tCA)
1.80 + addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
1.81 + if (user)
1.82 + addTrust(&mTrust.sslFlags, CERTDB_USER);
1.83 + if (warn)
1.84 + addTrust(&mTrust.sslFlags, CERTDB_SEND_WARN);
1.85 +}
1.86 +
1.87 +void
1.88 +nsNSSCertTrust::SetEmailTrust(bool peer, bool tPeer,
1.89 + bool ca, bool tCA, bool tClientCA,
1.90 + bool user, bool warn)
1.91 +{
1.92 + mTrust.emailFlags = 0;
1.93 + if (peer || tPeer)
1.94 + addTrust(&mTrust.emailFlags, CERTDB_TERMINAL_RECORD);
1.95 + if (tPeer)
1.96 + addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
1.97 + if (ca || tCA)
1.98 + addTrust(&mTrust.emailFlags, CERTDB_VALID_CA);
1.99 + if (tClientCA)
1.100 + addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
1.101 + if (tCA)
1.102 + addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
1.103 + if (user)
1.104 + addTrust(&mTrust.emailFlags, CERTDB_USER);
1.105 + if (warn)
1.106 + addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN);
1.107 +}
1.108 +
1.109 +void
1.110 +nsNSSCertTrust::SetObjSignTrust(bool peer, bool tPeer,
1.111 + bool ca, bool tCA, bool tClientCA,
1.112 + bool user, bool warn)
1.113 +{
1.114 + mTrust.objectSigningFlags = 0;
1.115 + if (peer || tPeer)
1.116 + addTrust(&mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD);
1.117 + if (tPeer)
1.118 + addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
1.119 + if (ca || tCA)
1.120 + addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_CA);
1.121 + if (tClientCA)
1.122 + addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
1.123 + if (tCA)
1.124 + addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
1.125 + if (user)
1.126 + addTrust(&mTrust.objectSigningFlags, CERTDB_USER);
1.127 + if (warn)
1.128 + addTrust(&mTrust.objectSigningFlags, CERTDB_SEND_WARN);
1.129 +}
1.130 +
1.131 +void
1.132 +nsNSSCertTrust::SetValidCA()
1.133 +{
1.134 + SetSSLTrust(false, false,
1.135 + true, false, false,
1.136 + false, false);
1.137 + SetEmailTrust(false, false,
1.138 + true, false, false,
1.139 + false, false);
1.140 + SetObjSignTrust(false, false,
1.141 + true, false, false,
1.142 + false, false);
1.143 +}
1.144 +
1.145 +void
1.146 +nsNSSCertTrust::SetTrustedServerCA()
1.147 +{
1.148 + SetSSLTrust(false, false,
1.149 + true, true, false,
1.150 + false, false);
1.151 + SetEmailTrust(false, false,
1.152 + true, true, false,
1.153 + false, false);
1.154 + SetObjSignTrust(false, false,
1.155 + true, true, false,
1.156 + false, false);
1.157 +}
1.158 +
1.159 +void
1.160 +nsNSSCertTrust::SetTrustedCA()
1.161 +{
1.162 + SetSSLTrust(false, false,
1.163 + true, true, true,
1.164 + false, false);
1.165 + SetEmailTrust(false, false,
1.166 + true, true, true,
1.167 + false, false);
1.168 + SetObjSignTrust(false, false,
1.169 + true, true, true,
1.170 + false, false);
1.171 +}
1.172 +
1.173 +void
1.174 +nsNSSCertTrust::SetValidPeer()
1.175 +{
1.176 + SetSSLTrust(true, false,
1.177 + false, false, false,
1.178 + false, false);
1.179 + SetEmailTrust(true, false,
1.180 + false, false, false,
1.181 + false, false);
1.182 + SetObjSignTrust(true, false,
1.183 + false, false, false,
1.184 + false, false);
1.185 +}
1.186 +
1.187 +void
1.188 +nsNSSCertTrust::SetValidServerPeer()
1.189 +{
1.190 + SetSSLTrust(true, false,
1.191 + false, false, false,
1.192 + false, false);
1.193 + SetEmailTrust(false, false,
1.194 + false, false, false,
1.195 + false, false);
1.196 + SetObjSignTrust(false, false,
1.197 + false, false, false,
1.198 + false, false);
1.199 +}
1.200 +
1.201 +void
1.202 +nsNSSCertTrust::SetTrustedPeer()
1.203 +{
1.204 + SetSSLTrust(true, true,
1.205 + false, false, false,
1.206 + false, false);
1.207 + SetEmailTrust(true, true,
1.208 + false, false, false,
1.209 + false, false);
1.210 + SetObjSignTrust(true, true,
1.211 + false, false, false,
1.212 + false, false);
1.213 +}
1.214 +
1.215 +void
1.216 +nsNSSCertTrust::SetUser()
1.217 +{
1.218 + SetSSLTrust(false, false,
1.219 + false, false, false,
1.220 + true, false);
1.221 + SetEmailTrust(false, false,
1.222 + false, false, false,
1.223 + true, false);
1.224 + SetObjSignTrust(false, false,
1.225 + false, false, false,
1.226 + true, false);
1.227 +}
1.228 +
1.229 +bool
1.230 +nsNSSCertTrust::HasAnyCA()
1.231 +{
1.232 + if (hasTrust(mTrust.sslFlags, CERTDB_VALID_CA) ||
1.233 + hasTrust(mTrust.emailFlags, CERTDB_VALID_CA) ||
1.234 + hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
1.235 + return true;
1.236 + return false;
1.237 +}
1.238 +
1.239 +bool
1.240 +nsNSSCertTrust::HasCA(bool checkSSL,
1.241 + bool checkEmail,
1.242 + bool checkObjSign)
1.243 +{
1.244 + if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_VALID_CA))
1.245 + return false;
1.246 + if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_VALID_CA))
1.247 + return false;
1.248 + if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
1.249 + return false;
1.250 + return true;
1.251 +}
1.252 +
1.253 +bool
1.254 +nsNSSCertTrust::HasPeer(bool checkSSL,
1.255 + bool checkEmail,
1.256 + bool checkObjSign)
1.257 +{
1.258 + if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_TERMINAL_RECORD))
1.259 + return false;
1.260 + if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_TERMINAL_RECORD))
1.261 + return false;
1.262 + if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD))
1.263 + return false;
1.264 + return true;
1.265 +}
1.266 +
1.267 +bool
1.268 +nsNSSCertTrust::HasAnyUser()
1.269 +{
1.270 + if (hasTrust(mTrust.sslFlags, CERTDB_USER) ||
1.271 + hasTrust(mTrust.emailFlags, CERTDB_USER) ||
1.272 + hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
1.273 + return true;
1.274 + return false;
1.275 +}
1.276 +
1.277 +bool
1.278 +nsNSSCertTrust::HasUser(bool checkSSL,
1.279 + bool checkEmail,
1.280 + bool checkObjSign)
1.281 +{
1.282 + if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_USER))
1.283 + return false;
1.284 + if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_USER))
1.285 + return false;
1.286 + if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
1.287 + return false;
1.288 + return true;
1.289 +}
1.290 +
1.291 +bool
1.292 +nsNSSCertTrust::HasTrustedCA(bool checkSSL,
1.293 + bool checkEmail,
1.294 + bool checkObjSign)
1.295 +{
1.296 + if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) ||
1.297 + hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA)))
1.298 + return false;
1.299 + if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) ||
1.300 + hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA)))
1.301 + return false;
1.302 + if (checkObjSign &&
1.303 + !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CA) ||
1.304 + hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA)))
1.305 + return false;
1.306 + return true;
1.307 +}
1.308 +
1.309 +bool
1.310 +nsNSSCertTrust::HasTrustedPeer(bool checkSSL,
1.311 + bool checkEmail,
1.312 + bool checkObjSign)
1.313 +{
1.314 + if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED)))
1.315 + return false;
1.316 + if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED)))
1.317 + return false;
1.318 + if (checkObjSign &&
1.319 + !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED)))
1.320 + return false;
1.321 + return true;
1.322 +}
1.323 +
1.324 +void
1.325 +nsNSSCertTrust::addTrust(unsigned int *t, unsigned int v)
1.326 +{
1.327 + *t |= v;
1.328 +}
1.329 +
1.330 +bool
1.331 +nsNSSCertTrust::hasTrust(unsigned int t, unsigned int v)
1.332 +{
1.333 + return !!(t & v);
1.334 +}
1.335 +
