1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsCMSSecureMessage.h"
#include <string.h>
#include "ScopedNSSTypes.h"
#include "SharedCertVerifier.h"
#include "cms.h"
#include "mozilla/Logging.h"
#include "mozilla/RefPtr.h"
#include "nsCOMPtr.h"
#include "nsDependentSubstring.h"
#include "nsIInterfaceRequestor.h"
#include "nsServiceManagerUtils.h"
#include "nsISupports.h"
#include "nsIX509Cert.h"
#include "nsIX509CertDB.h"
#include "nsNSSComponent.h"
#include "nsNSSHelper.h"
#include "plbase64.h"
using namespace mozilla;
using namespace mozilla::psm;
// Standard ISupports implementation
// NOTE: Should these be the thread-safe versions?
/*****
* nsCMSSecureMessage
*****/
// Standard ISupports implementation
NS_IMPL_ISUPPORTS(nsCMSSecureMessage, nsICMSSecureMessage)
// nsCMSSecureMessage constructor
nsCMSSecureMessage::nsCMSSecureMessage() {
// initialize superclass
}
// nsCMSMessage destructor
nsCMSSecureMessage::~nsCMSSecureMessage() {}
nsresult nsCMSSecureMessage::Init() {
nsresult rv;
nsCOMPtr<nsISupports> nssInitialized =
do_GetService("@mozilla.org/psm;1", &rv);
return rv;
}
nsresult nsCMSSecureMessage::CheckUsageOk(nsIX509Cert* aCert,
SECCertificateUsage aUsage,
bool* aCanBeUsed) {
NS_ENSURE_ARG_POINTER(aCert);
*aCanBeUsed = false;
nsresult rv;
nsCOMPtr<nsIX509CertDB> certdb =
do_GetService("@mozilla.org/security/x509certdb;1", &rv);
NS_ENSURE_SUCCESS(rv, rv);
nsTArray<uint8_t> certBytes;
rv = aCert->GetRawDER(certBytes);
NS_ENSURE_SUCCESS(rv, rv);
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
nsTArray<nsTArray<uint8_t>> unusedBuiltChain;
// It's fine to skip OCSP, because this is called only from code
// for selecting the user's own configured cert.
if (certVerifier->VerifyCert(certBytes, aUsage, mozilla::pkix::Now(), nullptr,
nullptr, unusedBuiltChain,
CertVerifier::FLAG_LOCAL_ONLY) ==
mozilla::pkix::Success) {
*aCanBeUsed = true;
}
return NS_OK;
}
NS_IMETHODIMP nsCMSSecureMessage::CanBeUsedForEmailEncryption(
nsIX509Cert* aCert, bool* aCanBeUsed) {
return CheckUsageOk(aCert, certificateUsageEmailRecipient, aCanBeUsed);
}
NS_IMETHODIMP nsCMSSecureMessage::CanBeUsedForEmailSigning(nsIX509Cert* aCert,
bool* aCanBeUsed) {
return CheckUsageOk(aCert, certificateUsageEmailSigner, aCanBeUsed);
}
|
