1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsNSSCertTrust.h"
#include "certdb.h"
void nsNSSCertTrust::AddCATrust(bool ssl, bool email) {
if (ssl) {
addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
}
if (email) {
addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
}
}
void nsNSSCertTrust::AddPeerTrust(bool ssl, bool email) {
if (ssl) addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
if (email) addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
}
nsNSSCertTrust::nsNSSCertTrust() { memset(&mTrust, 0, sizeof(CERTCertTrust)); }
nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl, unsigned int email) {
memset(&mTrust, 0, sizeof(CERTCertTrust));
addTrust(&mTrust.sslFlags, ssl);
addTrust(&mTrust.emailFlags, email);
}
nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust* t) {
if (t)
memcpy(&mTrust, t, sizeof(CERTCertTrust));
else
memset(&mTrust, 0, sizeof(CERTCertTrust));
}
nsNSSCertTrust::~nsNSSCertTrust() = default;
void nsNSSCertTrust::SetSSLTrust(bool peer, bool tPeer, bool ca, bool tCA,
bool tClientCA, bool user, bool warn) {
mTrust.sslFlags = 0;
if (peer || tPeer) addTrust(&mTrust.sslFlags, CERTDB_TERMINAL_RECORD);
if (tPeer) addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
if (ca || tCA) addTrust(&mTrust.sslFlags, CERTDB_VALID_CA);
if (tClientCA) addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
if (tCA) addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
if (user) addTrust(&mTrust.sslFlags, CERTDB_USER);
if (warn) addTrust(&mTrust.sslFlags, CERTDB_SEND_WARN);
}
void nsNSSCertTrust::SetEmailTrust(bool peer, bool tPeer, bool ca, bool tCA,
bool tClientCA, bool user, bool warn) {
mTrust.emailFlags = 0;
if (peer || tPeer) addTrust(&mTrust.emailFlags, CERTDB_TERMINAL_RECORD);
if (tPeer) addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
if (ca || tCA) addTrust(&mTrust.emailFlags, CERTDB_VALID_CA);
if (tClientCA) addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
if (tCA) addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
if (user) addTrust(&mTrust.emailFlags, CERTDB_USER);
if (warn) addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN);
}
void nsNSSCertTrust::SetValidCA() {
SetSSLTrust(false, false, true, false, false, false, false);
SetEmailTrust(false, false, true, false, false, false, false);
}
void nsNSSCertTrust::SetValidPeer() {
SetSSLTrust(true, false, false, false, false, false, false);
SetEmailTrust(true, false, false, false, false, false, false);
}
bool nsNSSCertTrust::HasAnyCA() {
if (hasTrust(mTrust.sslFlags, CERTDB_VALID_CA) ||
hasTrust(mTrust.emailFlags, CERTDB_VALID_CA) ||
hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
return true;
return false;
}
bool nsNSSCertTrust::HasPeer(bool checkSSL, bool checkEmail) {
if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_TERMINAL_RECORD))
return false;
if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_TERMINAL_RECORD))
return false;
return true;
}
bool nsNSSCertTrust::HasAnyUser() {
if (hasTrust(mTrust.sslFlags, CERTDB_USER) ||
hasTrust(mTrust.emailFlags, CERTDB_USER) ||
hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
return true;
return false;
}
bool nsNSSCertTrust::HasTrustedCA(bool checkSSL, bool checkEmail) {
if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) ||
hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA)))
return false;
if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) ||
hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA)))
return false;
return true;
}
bool nsNSSCertTrust::HasTrustedPeer(bool checkSSL, bool checkEmail) {
if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED))) return false;
if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED)))
return false;
return true;
}
void nsNSSCertTrust::addTrust(unsigned int* t, unsigned int v) { *t |= v; }
bool nsNSSCertTrust::hasTrust(unsigned int t, unsigned int v) {
return !!(t & v);
}
|
