security/manager/ssl/src/nsNSSCertTrust.cpp@b8a032363ba2
security/manager/ssl/src/nsNSSCertTrust.cpp
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5 #include "nsNSSCertTrust.h"
7 void
8 nsNSSCertTrust::AddCATrust(bool ssl, bool email, bool objSign)
9 {
10 if (ssl) {
11 addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
12 addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
13 }
14 if (email) {
15 addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
16 addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
17 }
18 if (objSign) {
19 addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
20 addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
21 }
22 }
24 void
25 nsNSSCertTrust::AddPeerTrust(bool ssl, bool email, bool objSign)
26 {
27 if (ssl)
28 addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
29 if (email)
30 addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
31 if (objSign)
32 addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
33 }
35 nsNSSCertTrust::nsNSSCertTrust()
36 {
37 memset(&mTrust, 0, sizeof(CERTCertTrust));
38 }
40 nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl,
41 unsigned int email,
42 unsigned int objsign)
43 {
44 memset(&mTrust, 0, sizeof(CERTCertTrust));
45 addTrust(&mTrust.sslFlags, ssl);
46 addTrust(&mTrust.emailFlags, email);
47 addTrust(&mTrust.objectSigningFlags, objsign);
48 }
50 nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust *t)
51 {
52 if (t)
53 memcpy(&mTrust, t, sizeof(CERTCertTrust));
54 else
55 memset(&mTrust, 0, sizeof(CERTCertTrust));
56 }
58 nsNSSCertTrust::~nsNSSCertTrust()
59 {
60 }
62 void
63 nsNSSCertTrust::SetSSLTrust(bool peer, bool tPeer,
64 bool ca, bool tCA, bool tClientCA,
65 bool user, bool warn)
66 {
67 mTrust.sslFlags = 0;
68 if (peer || tPeer)
69 addTrust(&mTrust.sslFlags, CERTDB_TERMINAL_RECORD);
70 if (tPeer)
71 addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
72 if (ca || tCA)
73 addTrust(&mTrust.sslFlags, CERTDB_VALID_CA);
74 if (tClientCA)
75 addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
76 if (tCA)
77 addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
78 if (user)
79 addTrust(&mTrust.sslFlags, CERTDB_USER);
80 if (warn)
81 addTrust(&mTrust.sslFlags, CERTDB_SEND_WARN);
82 }
84 void
85 nsNSSCertTrust::SetEmailTrust(bool peer, bool tPeer,
86 bool ca, bool tCA, bool tClientCA,
87 bool user, bool warn)
88 {
89 mTrust.emailFlags = 0;
90 if (peer || tPeer)
91 addTrust(&mTrust.emailFlags, CERTDB_TERMINAL_RECORD);
92 if (tPeer)
93 addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
94 if (ca || tCA)
95 addTrust(&mTrust.emailFlags, CERTDB_VALID_CA);
96 if (tClientCA)
97 addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
98 if (tCA)
99 addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
100 if (user)
101 addTrust(&mTrust.emailFlags, CERTDB_USER);
102 if (warn)
103 addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN);
104 }
106 void
107 nsNSSCertTrust::SetObjSignTrust(bool peer, bool tPeer,
108 bool ca, bool tCA, bool tClientCA,
109 bool user, bool warn)
110 {
111 mTrust.objectSigningFlags = 0;
112 if (peer || tPeer)
113 addTrust(&mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD);
114 if (tPeer)
115 addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
116 if (ca || tCA)
117 addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_CA);
118 if (tClientCA)
119 addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
120 if (tCA)
121 addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
122 if (user)
123 addTrust(&mTrust.objectSigningFlags, CERTDB_USER);
124 if (warn)
125 addTrust(&mTrust.objectSigningFlags, CERTDB_SEND_WARN);
126 }
128 void
129 nsNSSCertTrust::SetValidCA()
130 {
131 SetSSLTrust(false, false,
132 true, false, false,
133 false, false);
134 SetEmailTrust(false, false,
135 true, false, false,
136 false, false);
137 SetObjSignTrust(false, false,
138 true, false, false,
139 false, false);
140 }
142 void
143 nsNSSCertTrust::SetTrustedServerCA()
144 {
145 SetSSLTrust(false, false,
146 true, true, false,
147 false, false);
148 SetEmailTrust(false, false,
149 true, true, false,
150 false, false);
151 SetObjSignTrust(false, false,
152 true, true, false,
153 false, false);
154 }
156 void
157 nsNSSCertTrust::SetTrustedCA()
158 {
159 SetSSLTrust(false, false,
160 true, true, true,
161 false, false);
162 SetEmailTrust(false, false,
163 true, true, true,
164 false, false);
165 SetObjSignTrust(false, false,
166 true, true, true,
167 false, false);
168 }
170 void
171 nsNSSCertTrust::SetValidPeer()
172 {
173 SetSSLTrust(true, false,
174 false, false, false,
175 false, false);
176 SetEmailTrust(true, false,
177 false, false, false,
178 false, false);
179 SetObjSignTrust(true, false,
180 false, false, false,
181 false, false);
182 }
184 void
185 nsNSSCertTrust::SetValidServerPeer()
186 {
187 SetSSLTrust(true, false,
188 false, false, false,
189 false, false);
190 SetEmailTrust(false, false,
191 false, false, false,
192 false, false);
193 SetObjSignTrust(false, false,
194 false, false, false,
195 false, false);
196 }
198 void
199 nsNSSCertTrust::SetTrustedPeer()
200 {
201 SetSSLTrust(true, true,
202 false, false, false,
203 false, false);
204 SetEmailTrust(true, true,
205 false, false, false,
206 false, false);
207 SetObjSignTrust(true, true,
208 false, false, false,
209 false, false);
210 }
212 void
213 nsNSSCertTrust::SetUser()
214 {
215 SetSSLTrust(false, false,
216 false, false, false,
217 true, false);
218 SetEmailTrust(false, false,
219 false, false, false,
220 true, false);
221 SetObjSignTrust(false, false,
222 false, false, false,
223 true, false);
224 }
226 bool
227 nsNSSCertTrust::HasAnyCA()
228 {
229 if (hasTrust(mTrust.sslFlags, CERTDB_VALID_CA) ||
230 hasTrust(mTrust.emailFlags, CERTDB_VALID_CA) ||
231 hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
232 return true;
233 return false;
234 }
236 bool
237 nsNSSCertTrust::HasCA(bool checkSSL,
238 bool checkEmail,
239 bool checkObjSign)
240 {
241 if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_VALID_CA))
242 return false;
243 if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_VALID_CA))
244 return false;
245 if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
246 return false;
247 return true;
248 }
250 bool
251 nsNSSCertTrust::HasPeer(bool checkSSL,
252 bool checkEmail,
253 bool checkObjSign)
254 {
255 if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_TERMINAL_RECORD))
256 return false;
257 if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_TERMINAL_RECORD))
258 return false;
259 if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD))
260 return false;
261 return true;
262 }
264 bool
265 nsNSSCertTrust::HasAnyUser()
266 {
267 if (hasTrust(mTrust.sslFlags, CERTDB_USER) ||
268 hasTrust(mTrust.emailFlags, CERTDB_USER) ||
269 hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
270 return true;
271 return false;
272 }
274 bool
275 nsNSSCertTrust::HasUser(bool checkSSL,
276 bool checkEmail,
277 bool checkObjSign)
278 {
279 if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_USER))
280 return false;
281 if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_USER))
282 return false;
283 if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
284 return false;
285 return true;
286 }
288 bool
289 nsNSSCertTrust::HasTrustedCA(bool checkSSL,
290 bool checkEmail,
291 bool checkObjSign)
292 {
293 if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) ||
294 hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA)))
295 return false;
296 if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) ||
297 hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA)))
298 return false;
299 if (checkObjSign &&
300 !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CA) ||
301 hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA)))
302 return false;
303 return true;
304 }
306 bool
307 nsNSSCertTrust::HasTrustedPeer(bool checkSSL,
308 bool checkEmail,
309 bool checkObjSign)
310 {
311 if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED)))
312 return false;
313 if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED)))
314 return false;
315 if (checkObjSign &&
316 !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED)))
317 return false;
318 return true;
319 }
321 void
322 nsNSSCertTrust::addTrust(unsigned int *t, unsigned int v)
323 {
324 *t |= v;
325 }
327 bool
328 nsNSSCertTrust::hasTrust(unsigned int t, unsigned int v)
329 {
330 return !!(t & v);
331 }
