security/manager/ssl/X509CertValidity.cpp


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "X509CertValidity.h"

#include "mozpkix/pkixder.h"
#include "mozpkix/pkixutil.h"
#include "nsComponentManagerUtils.h"
#include "secder.h"

NS_IMPL_ISUPPORTS(X509CertValidity, nsIX509CertValidity)

using namespace mozilla;
using namespace mozilla::pkix;

X509CertValidity::X509CertValidity(Input certDER)
    : mNotBefore(0), mNotAfter(0), mTimesInitialized(false) {
  using namespace mozilla::pkix::der;

  // We're not building a verified certificate chain, so the EndEntityOrCA
  // parameter doesn't matter.
  BackCert cert(certDER, EndEntityOrCA::MustBeEndEntity, nullptr);
  pkix::Result rv = cert.Init();
  if (rv != Success) {
    return;
  }
  // Validity ::= SEQUENCE {
  //    notBefore      Time,
  //    notAfter       Time  }
  //
  // Time ::= CHOICE {
  //    utcTime        UTCTime,
  //    generalTime    GeneralizedTime }
  //
  // NB: BackCert::GetValidity returns the value of the Validity of the
  // certificate (i.e. notBefore and notAfter, without the enclosing SEQUENCE
  // and length)
  Reader reader(cert.GetValidity());
  uint8_t expectedTag = reader.Peek(UTCTime) ? UTCTime : GENERALIZED_TIME;
  Input notBefore;
  pkix::Result result = ExpectTagAndGetValue(reader, expectedTag, notBefore);
  if (result != Success) {
    return;
  }
  SECItemType notBeforeType =
      expectedTag == UTCTime ? siUTCTime : siGeneralizedTime;
  SECItem notBeforeItem = {
      notBeforeType, const_cast<unsigned char*>(notBefore.UnsafeGetData()),
      notBefore.GetLength()};
  SECStatus srv = DER_DecodeTimeChoice(&mNotBefore, &notBeforeItem);
  if (srv != SECSuccess) {
    return;
  }
  expectedTag = reader.Peek(UTCTime) ? UTCTime : GENERALIZED_TIME;
  Input notAfter;
  result = ExpectTagAndGetValue(reader, expectedTag, notAfter);
  if (result != Success) {
    return;
  }
  SECItemType notAfterType =
      expectedTag == UTCTime ? siUTCTime : siGeneralizedTime;
  SECItem notAfterItem = {notAfterType,
                          const_cast<unsigned char*>(notAfter.UnsafeGetData()),
                          notAfter.GetLength()};
  srv = DER_DecodeTimeChoice(&mNotAfter, &notAfterItem);
  if (srv != SECSuccess) {
    return;
  }

  mTimesInitialized = true;
}

NS_IMETHODIMP
X509CertValidity::GetNotBefore(PRTime* aNotBefore) {
  NS_ENSURE_ARG(aNotBefore);

  if (!mTimesInitialized) {
    return NS_ERROR_FAILURE;
  }

  *aNotBefore = mNotBefore;
  return NS_OK;
}

NS_IMETHODIMP
X509CertValidity::GetNotAfter(PRTime* aNotAfter) {
  NS_ENSURE_ARG(aNotAfter);

  if (!mTimesInitialized) {
    return NS_ERROR_FAILURE;
  }

  *aNotAfter = mNotAfter;
  return NS_OK;
}