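/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsNSSCertTrust.h"

#include <string.h> // memset / memcpy are used directly below; include what we use

// nsNSSCertTrust is a thin bit-manipulation wrapper around an NSS
// CERTCertTrust record (three flag words: sslFlags, emailFlags,
// objectSigningFlags). It never talks to NSS itself; it only builds and
// inspects CERTDB_* bit masks that the caller later hands to NSS. The
// meaning of each CERTDB_* bit is defined by NSS, not here.
//
// Two families of mutators exist and they are NOT symmetric:
//   * Set*Trust / Set<Preset>()  rewrite a usage's flag word from scratch.
//   * Add*Trust()                OR bits into the existing word; they can
//                                only widen trust, never revoke it.
// Callers that need to *remove* trust must use the Set* path.

// Builds one usage's flag word from the Set*Trust boolean parameters and
// stores it, discarding whatever was there before. Parameter -> bit mapping:
//   peer || tPeer -> CERTDB_TERMINAL_RECORD
//   tPeer         -> CERTDB_TRUSTED
//   ca || tCA     -> CERTDB_VALID_CA
//   tClientCA     -> CERTDB_TRUSTED_CLIENT_CA
//   tCA           -> CERTDB_TRUSTED_CA
//   user          -> CERTDB_USER
//   warn          -> CERTDB_SEND_WARN
// Note that a "trusted" peer/CA always implies the corresponding "valid"
// bit; the reverse does not hold.
static void
SetUsageTrust(unsigned int *flags,
              bool peer, bool tPeer,
              bool ca, bool tCA, bool tClientCA,
              bool user, bool warn)
{
  unsigned int bits = 0;
  if (peer || tPeer)
    bits |= CERTDB_TERMINAL_RECORD;
  if (tPeer)
    bits |= CERTDB_TRUSTED;
  if (ca || tCA)
    bits |= CERTDB_VALID_CA;
  if (tClientCA)
    bits |= CERTDB_TRUSTED_CLIENT_CA;
  if (tCA)
    bits |= CERTDB_TRUSTED_CA;
  if (user)
    bits |= CERTDB_USER;
  if (warn)
    bits |= CERTDB_SEND_WARN;
  *flags = bits;
}

// Applies the same Set*Trust parameters to all three usages (SSL, email,
// object signing). Used by the Set<Preset>() convenience methods.
static void
SetAllUsagesTrust(CERTCertTrust *t,
                  bool peer, bool tPeer,
                  bool ca, bool tCA, bool tClientCA,
                  bool user, bool warn)
{
  SetUsageTrust(&t->sslFlags, peer, tPeer, ca, tCA, tClientCA, user, warn);
  SetUsageTrust(&t->emailFlags, peer, tPeer, ca, tCA, tClientCA, user, warn);
  SetUsageTrust(&t->objectSigningFlags, peer, tPeer, ca, tCA, tClientCA, user, warn);
}

// True when every usage the caller asked to check has at least one bit of
// `mask` set. Usages not checked are ignored, so asking to check nothing
// yields true — callers must pass at least one true flag to get a
// meaningful answer.
static bool
EveryCheckedUsageHas(const CERTCertTrust &t, unsigned int mask,
                     bool checkSSL, bool checkEmail, bool checkObjSign)
{
  if (checkSSL && !(t.sslFlags & mask))
    return false;
  if (checkEmail && !(t.emailFlags & mask))
    return false;
  if (checkObjSign && !(t.objectSigningFlags & mask))
    return false;
  return true;
}

// True when any of the three usages has at least one bit of `mask` set.
static bool
AnyUsageHas(const CERTCertTrust &t, unsigned int mask)
{
  return (t.sslFlags & mask) != 0 ||
         (t.emailFlags & mask) != 0 ||
         (t.objectSigningFlags & mask) != 0;
}

// ORs CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA into each selected usage.
// Existing bits are preserved. Unlike the Set*Trust path this does NOT raise
// CERTDB_VALID_CA alongside CERTDB_TRUSTED_CA.
// NOTE(review): a record built from zero via this method therefore carries
// TRUSTED_CA without VALID_CA; whether callers always start from a record
// that already has VALID_CA should be confirmed against them.
void
nsNSSCertTrust::AddCATrust(bool ssl, bool email, bool objSign)
{
  const unsigned int caBits = CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
  if (ssl)
    addTrust(&mTrust.sslFlags, caBits);
  if (email)
    addTrust(&mTrust.emailFlags, caBits);
  if (objSign)
    addTrust(&mTrust.objectSigningFlags, caBits);
}

// ORs CERTDB_TRUSTED into each selected usage. Existing bits are preserved.
// Unlike SetUsageTrust(tPeer=true) this does NOT also set
// CERTDB_TERMINAL_RECORD — NOTE(review): confirm callers expect that.
void
nsNSSCertTrust::AddPeerTrust(bool ssl, bool email, bool objSign)
{
  if (ssl)
    addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
  if (email)
    addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
  if (objSign)
    addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
}

// Starts with no trust at all (every flag word zero).
nsNSSCertTrust::nsNSSCertTrust()
{
  memset(&mTrust, 0, sizeof(CERTCertTrust));
}

// Starts from raw flag words supplied by the caller. The values are stored
// verbatim; nothing checks that they are meaningful CERTDB_* combinations.
nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl,
                               unsigned int email,
                               unsigned int objsign)
{
  memset(&mTrust, 0, sizeof(CERTCertTrust));
  mTrust.sslFlags = ssl;
  mTrust.emailFlags = email;
  mTrust.objectSigningFlags = objsign;
}

// Copies an existing NSS trust record. A null pointer is accepted and
// yields a record with no trust, the same as the default constructor.
nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust *t)
{
  if (t)
    memcpy(&mTrust, t, sizeof(CERTCertTrust));
  else
    memset(&mTrust, 0, sizeof(CERTCertTrust));
}

// Nothing to release: mTrust is a plain struct held by value.
nsNSSCertTrust::~nsNSSCertTrust()
{
}

// Replaces the SSL flag word entirely; see SetUsageTrust for the mapping.
void
nsNSSCertTrust::SetSSLTrust(bool peer, bool tPeer,
                            bool ca, bool tCA, bool tClientCA,
                            bool user, bool warn)
{
  SetUsageTrust(&mTrust.sslFlags, peer, tPeer, ca, tCA, tClientCA, user, warn);
}

// Replaces the email flag word entirely; see SetUsageTrust for the mapping.
void
nsNSSCertTrust::SetEmailTrust(bool peer, bool tPeer,
                              bool ca, bool tCA, bool tClientCA,
                              bool user, bool warn)
{
  SetUsageTrust(&mTrust.emailFlags, peer, tPeer, ca, tCA, tClientCA, user, warn);
}

// Replaces the object-signing flag word entirely; see SetUsageTrust.
void
nsNSSCertTrust::SetObjSignTrust(bool peer, bool tPeer,
                                bool ca, bool tCA, bool tClientCA,
                                bool user, bool warn)
{
  SetUsageTrust(&mTrust.objectSigningFlags, peer, tPeer, ca, tCA, tClientCA, user, warn);
}

// Preset: CERTDB_VALID_CA for all three usages, nothing else. "Valid" here
// is not "trusted" — no CERTDB_TRUSTED_CA bit is set.
void
nsNSSCertTrust::SetValidCA()
{
  SetAllUsagesTrust(&mTrust,
                    /* peer, tPeer */ false, false,
                    /* ca, tCA, tClientCA */ true, false, false,
                    /* user, warn */ false, false);
}

// Preset: CERTDB_VALID_CA | CERTDB_TRUSTED_CA for ALL three usages.
// Despite the name, this is not SSL-only — email and object-signing trust
// are granted too. Callers wanting SSL-only CA trust should call
// SetSSLTrust directly. It differs from SetTrustedCA only in leaving
// CERTDB_TRUSTED_CLIENT_CA clear.
void
nsNSSCertTrust::SetTrustedServerCA()
{
  SetAllUsagesTrust(&mTrust,
                    /* peer, tPeer */ false, false,
                    /* ca, tCA, tClientCA */ true, true, false,
                    /* user, warn */ false, false);
}

// Preset: CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA
// for all three usages — the widest CA trust this class expresses.
void
nsNSSCertTrust::SetTrustedCA()
{
  SetAllUsagesTrust(&mTrust,
                    /* peer, tPeer */ false, false,
                    /* ca, tCA, tClientCA */ true, true, true,
                    /* user, warn */ false, false);
}

// Preset: CERTDB_TERMINAL_RECORD for all three usages, no CERTDB_TRUSTED.
void
nsNSSCertTrust::SetValidPeer()
{
  SetAllUsagesTrust(&mTrust,
                    /* peer, tPeer */ true, false,
                    /* ca, tCA, tClientCA */ false, false, false,
                    /* user, warn */ false, false);
}

// Preset: CERTDB_TERMINAL_RECORD on the SSL usage only. The email and
// object-signing words are cleared to zero, not left as they were.
void
nsNSSCertTrust::SetValidServerPeer()
{
  SetUsageTrust(&mTrust.sslFlags,
                /* peer, tPeer */ true, false,
                /* ca, tCA, tClientCA */ false, false, false,
                /* user, warn */ false, false);
  SetUsageTrust(&mTrust.emailFlags,
                false, false, false, false, false, false, false);
  SetUsageTrust(&mTrust.objectSigningFlags,
                false, false, false, false, false, false, false);
}

// Preset: CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED for all three usages.
void
nsNSSCertTrust::SetTrustedPeer()
{
  SetAllUsagesTrust(&mTrust,
                    /* peer, tPeer */ true, true,
                    /* ca, tCA, tClientCA */ false, false, false,
                    /* user, warn */ false, false);
}

// Preset: CERTDB_USER for all three usages, nothing else.
void
nsNSSCertTrust::SetUser()
{
  SetAllUsagesTrust(&mTrust,
                    /* peer, tPeer */ false, false,
                    /* ca, tCA, tClientCA */ false, false, false,
                    /* user, warn */ true, false);
}

// True if any usage has CERTDB_VALID_CA. Says nothing about trust.
bool
nsNSSCertTrust::HasAnyCA()
{
  return AnyUsageHas(mTrust, CERTDB_VALID_CA);
}

// True if every checked usage has CERTDB_VALID_CA. This is "valid as a CA",
// not "trusted as a CA" — use HasTrustedCA for the latter.
bool
nsNSSCertTrust::HasCA(bool checkSSL,
                      bool checkEmail,
                      bool checkObjSign)
{
  return EveryCheckedUsageHas(mTrust, CERTDB_VALID_CA,
                              checkSSL, checkEmail, checkObjSign);
}

// True if every checked usage has CERTDB_TERMINAL_RECORD.
bool
nsNSSCertTrust::HasPeer(bool checkSSL,
                        bool checkEmail,
                        bool checkObjSign)
{
  return EveryCheckedUsageHas(mTrust, CERTDB_TERMINAL_RECORD,
                              checkSSL, checkEmail, checkObjSign);
}

// True if any usage has CERTDB_USER.
bool
nsNSSCertTrust::HasAnyUser()
{
  return AnyUsageHas(mTrust, CERTDB_USER);
}

// True if every checked usage has CERTDB_USER.
bool
nsNSSCertTrust::HasUser(bool checkSSL,
                        bool checkEmail,
                        bool checkObjSign)
{
  return EveryCheckedUsageHas(mTrust, CERTDB_USER,
                              checkSSL, checkEmail, checkObjSign);
}

// True if every checked usage has CERTDB_TRUSTED_CA OR
// CERTDB_TRUSTED_CLIENT_CA. Either bit alone satisfies the check, so a
// record trusted only to issue client certificates still answers "trusted
// CA" here; callers that must distinguish the two need to inspect the bits
// themselves. CERTDB_VALID_CA is not required.
bool
nsNSSCertTrust::HasTrustedCA(bool checkSSL,
                             bool checkEmail,
                             bool checkObjSign)
{
  return EveryCheckedUsageHas(mTrust,
                              CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA,
                              checkSSL, checkEmail, checkObjSign);
}

// True if every checked usage has CERTDB_TRUSTED. CERTDB_TERMINAL_RECORD is
// not required, so a record widened via AddPeerTrust qualifies.
bool
nsNSSCertTrust::HasTrustedPeer(bool checkSSL,
                               bool checkEmail,
                               bool checkObjSign)
{
  return EveryCheckedUsageHas(mTrust, CERTDB_TRUSTED,
                              checkSSL, checkEmail, checkObjSign);
}

// OR `v` into the flag word at `t`; never clears anything.
void
nsNSSCertTrust::addTrust(unsigned int *t, unsigned int v)
{
  *t |= v;
}

// True if `t` and `v` share at least one set bit (not "all bits of v").
bool
nsNSSCertTrust::hasTrust(unsigned int t, unsigned int v)
{
  return (t & v) != 0;
}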