Back to index

lightning-sunbird  0.9+nobinonly
Public Member Functions | Static Public Member Functions | Public Attributes | Private Member Functions | Static Private Member Functions
nsNSSCertificateDB Class Reference

#include <nsNSSCertificateDB.h>

Inheritance diagram for nsNSSCertificateDB:
Inheritance graph
[legend]
Collaboration diagram for nsNSSCertificateDB:
Collaboration graph
[legend]

List of all members.

Public Member Functions

NS_DECL_ISUPPORTS
NS_DECL_NSIX509CERTDB
NS_DECL_NSIX509CERTDB2 
nsNSSCertificateDB ()
virtual ~nsNSSCertificateDB ()
nsIX509Cert findCertByNickname (in nsISupports aToken, in AString aNickname)
 Given a nickname and optionally a token, locate the matching certificate.
nsIX509Cert findCertByDBKey (in string aDBkey, in nsISupports aToken)
 Will find a certificate based on its dbkey retrieved by getting the dbKey attribute of the certificate.
void findCertNicknames (in nsISupports aToken, in unsigned long aType, out unsigned long count,[array, size_is(count)] out wstring certNameList)
 Obtain a list of certificate nicknames from the database.
nsIX509Cert findEmailEncryptionCert (in AString aNickname)
 Find the email encryption certificate by nickname.
nsIX509Cert findEmailSigningCert (in AString aNickname)
 Find the email signing certificate by nickname.
nsIX509Cert findCertByEmailAddress (in nsISupports aToken, in string aEmailAddress)
 Find a certificate by email address.
void importCertificates ([array, size_is(length)] in octet data, in unsigned long length, in unsigned long type, in nsIInterfaceRequestor ctx)
 Use this to import a stream sent down as a mime type into the certificate database on the default token.
void importEmailCertificate ([array, size_is(length)] in octet data, in unsigned long length, in nsIInterfaceRequestor ctx)
 Import another person's email certificate into the database.
void importServerCertificate ([array, size_is(length)] in octet data, in unsigned long length, in nsIInterfaceRequestor ctx)
 Import a server machine's certificate into the database.
void importUserCertificate ([array, size_is(length)] in octet data, in unsigned long length, in nsIInterfaceRequestor ctx)
 Import a personal certificate into the database, assuming the database already contains the private key for this certificate.
void deleteCertificate (in nsIX509Cert aCert)
 Delete a certificate stored in the database.
void setCertTrust (in nsIX509Cert cert, in unsigned long type, in unsigned long trust)
 Modify the trust that is stored and associated to a certificate within a database.
boolean isCertTrusted (in nsIX509Cert cert, in unsigned long certType, in unsigned long trustType)
 Query whether a certificate is trusted for a particular use.
void importCertsFromFile (in nsISupports aToken, in nsILocalFile aFile, in unsigned long aType)
 Import certificate(s) from file.
void importPKCS12File (in nsISupports aToken, in nsILocalFile aFile)
 Import a PKCS#12 file containing cert(s) and key(s) into the database.
void exportPKCS12File (in nsISupports aToken, in nsILocalFile aFile, in unsigned long count,[array, size_is(count)] in nsIX509Cert aCerts)
 Export a set of certs and keys from the database to a PKCS#12 file.
nsIArray getOCSPResponders ()
 An array of all known OCSP responders within the scope of the certificate database.
nsIX509Cert constructX509FromBase64 (in string base64)
void addCertFromBase64 (in string base64, in string aTrust, in string aName)

Static Public Member Functions

static char * default_nickname (CERTCertificate *cert, nsIInterfaceRequestor *ctx)
static nsresult ImportValidCACerts (int numCACerts, SECItem *CACerts, nsIInterfaceRequestor *ctx)

Public Attributes

const unsigned long UNTRUSTED = 0
 Constants that define which usages a certificate is trusted for.
const unsigned long TRUSTED_SSL = 1 << 0
const unsigned long TRUSTED_EMAIL = 1 << 1
const unsigned long TRUSTED_OBJSIGN = 1 << 2
readonly attribute boolean isOcspOn
 Whether OCSP is enabled in preferences.

Private Member Functions

void getCertNames (CERTCertList *certList, PRUint32 type, PRUint32 *_count, PRUnichar ***_certNameList)
CERTDERCerts * getCertsFromPackage (PRArenaPool *arena, PRUint8 *data, PRUint32 length)
nsresult handleCACertDownload (nsIArray *x509Certs, nsIInterfaceRequestor *ctx)

Static Private Member Functions

static nsresult ImportValidCACertsInList (CERTCertList *certList, nsIInterfaceRequestor *ctx)
static void DisplayCertificateAlert (nsIInterfaceRequestor *ctx, const char *stringID, nsIX509Cert *certToShow)

Detailed Description

Definition at line 48 of file nsNSSCertificateDB.h.


Constructor & Destructor Documentation

Definition at line 90 of file nsNSSCertificateDB.cpp.

{
}

Definition at line 94 of file nsNSSCertificateDB.cpp.

{
}

Member Function Documentation

void nsIX509CertDB2::addCertFromBase64 ( in string  base64,
in string  aTrust,
in string  aName 
) [inherited]
char * nsNSSCertificateDB::default_nickname ( CERTCertificate *  cert,
nsIInterfaceRequestor ctx 
) [static]

Definition at line 1545 of file nsNSSCertificateDB.cpp.

{   
  nsNSSShutDownPreventionLock locker;
  nsresult rv;
  char *username = NULL;
  char *caname = NULL;
  char *nickname = NULL;
  char *tmp = NULL;
  int count;
  char *nickFmt=NULL, *nickFmtWithNum = NULL;
  CERTCertificate *dummycert;
  PK11SlotInfo *slot=NULL;
  CK_OBJECT_HANDLE keyHandle;
  nsAutoString tmpNickFmt;
  nsAutoString tmpNickFmtWithNum;

  CERTCertDBHandle *defaultcertdb = CERT_GetDefaultCertDB();
  nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
  if (NS_FAILED(rv)) goto loser; 

  username = CERT_GetCommonName(&cert->subject);
  if ( username == NULL ) 
    username = PL_strdup("");

  if ( username == NULL ) 
    goto loser;
    
  caname = CERT_GetOrgName(&cert->issuer);
  if ( caname == NULL ) 
    caname = PL_strdup("");
  
  if ( caname == NULL ) 
    goto loser;
  
  count = 1;
  nssComponent->GetPIPNSSBundleString("nick_template", tmpNickFmt);
  nickFmt = ToNewUTF8String(tmpNickFmt);

  nssComponent->GetPIPNSSBundleString("nick_template_with_num", tmpNickFmtWithNum);
  nickFmtWithNum = ToNewUTF8String(tmpNickFmtWithNum);


  nickname = PR_smprintf(nickFmt, username, caname);
  /*
   * We need to see if the private key exists on a token, if it does
   * then we need to check for nicknames that already exist on the smart
   * card.
   */
  slot = PK11_KeyForCertExists(cert, &keyHandle, ctx);
  if (slot == NULL) {
    goto loser;
  }
  if (!PK11_IsInternal(slot)) {
    tmp = PR_smprintf("%s:%s", PK11_GetTokenName(slot), nickname);
    PR_Free(nickname);
    nickname = tmp;
    tmp = NULL;
  }
  tmp = nickname;
  while ( 1 ) {      
    if ( count > 1 ) {
      nickname = PR_smprintf("%s #%d", tmp, count);
    }
  
    if ( nickname == NULL ) 
      goto loser;
 
    if (PK11_IsInternal(slot)) {
      /* look up the nickname to make sure it isn't in use already */
      dummycert = CERT_FindCertByNickname(defaultcertdb, nickname);
      
    } else {
      /*
       * Check the cert against others that already live on the smart 
       * card.
       */
      dummycert = PK11_FindCertFromNickname(nickname, ctx);
      if (dummycert != NULL) {
       /*
        * Make sure the subject names are different.
        */ 
       if (CERT_CompareName(&cert->subject, &dummycert->subject) == SECEqual)
       {
         /*
          * There is another certificate with the same nickname and
          * the same subject name on the smart card, so let's use this
          * nickname.
          */
         CERT_DestroyCertificate(dummycert);
         dummycert = NULL;
       }
      }
    }
    if ( dummycert == NULL ) 
      goto done;
    
    /* found a cert, destroy it and loop */
    CERT_DestroyCertificate(dummycert);
    if (tmp != nickname) PR_Free(nickname);
    count++;
  } /* end of while(1) */
    
loser:
  if ( nickname ) {
    PR_Free(nickname);
  }
  nickname = NULL;
done:
  if ( caname ) {
    PR_Free(caname);
  }
  if ( username )  {
    PR_Free(username);
  }
  if (slot != NULL) {
      PK11_FreeSlot(slot);
      if (nickname != NULL) {
             tmp = nickname;
             nickname = strchr(tmp, ':');
             if (nickname != NULL) {
               nickname++;
               nickname = PL_strdup(nickname);
               PR_Free(tmp);
             tmp = nsnull;
             } else {
               nickname = tmp;
               tmp = NULL;
             }
      }
    }
    PR_FREEIF(tmp);
    return(nickname);
}

Here is the call graph for this function:

Delete a certificate stored in the database.

Parameters:
aCertDelete this certificate.
void nsNSSCertificateDB::DisplayCertificateAlert ( nsIInterfaceRequestor ctx,
const char *  stringID,
nsIX509Cert certToShow 
) [static, private]

Definition at line 832 of file nsNSSCertificateDB.cpp.

{
  nsPSMUITracker tracker;
  if (!tracker.isUIForbidden()) {

    nsCOMPtr<nsIInterfaceRequestor> my_cxt = ctx;
    if (!my_cxt)
      my_cxt = new PipUIContext();

    // This shall be replaced by embedding ovverridable prompts
    // as discussed in bug 310446, and should make use of certToShow.

    nsresult rv;
    nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
    if (NS_SUCCEEDED(rv)) {
      nsAutoString tmpMessage;
      nssComponent->GetPIPNSSBundleString(stringID, tmpMessage);

      // The interface requestor object may not be safe, so proxy the call to get
      // the nsIPrompt.

      nsCOMPtr<nsIInterfaceRequestor> proxiedCallbacks;
      NS_GetProxyForObject(NS_UI_THREAD_EVENTQ,
                           NS_GET_IID(nsIInterfaceRequestor),
                           my_cxt,
                           PROXY_SYNC,
                           getter_AddRefs(proxiedCallbacks));
    
      nsCOMPtr<nsIPrompt> prompt (do_GetInterface(proxiedCallbacks));
      if (!prompt)
        return;
    
      // Finally, get a proxy for the nsIPrompt
    
      nsCOMPtr<nsIPrompt> proxyPrompt;
      NS_GetProxyForObject(NS_UI_THREAD_EVENTQ,
                           NS_GET_IID(nsIPrompt),
                           prompt,
                           PROXY_SYNC,
                           getter_AddRefs(proxyPrompt));
    
      proxyPrompt->Alert(nsnull, tmpMessage.get());
    }
  }
}

Here is the call graph for this function:

Here is the caller graph for this function:

void nsIX509CertDB::exportPKCS12File ( in nsISupports  aToken,
in nsILocalFile  aFile,
in unsigned long  count,
[array, size_is(count)] in nsIX509Cert  aCerts 
) [inherited]

Export a set of certs and keys from the database to a PKCS#12 file.

Parameters:
aTokenOptionally limits the scope of this function to a token device. Can be null to mean any token.
aFileIdentifies a file that will be filled with the data to be exported.
countThe number of certificates to be exported.
aCertsThe array of all certificates to be exported.
nsIX509Cert nsIX509CertDB::findCertByDBKey ( in string  aDBkey,
in nsISupports  aToken 
) [inherited]

Will find a certificate based on its dbkey retrieved by getting the dbKey attribute of the certificate.

Parameters:
aDBkeyDatabase internal key, as obtained using attribute dbkey in nsIX509Cert.
aTokenOptionally limits the scope of this function to a token device. Can be null to mean any token.
nsIX509Cert nsIX509CertDB::findCertByEmailAddress ( in nsISupports  aToken,
in string  aEmailAddress 
) [inherited]

Find a certificate by email address.

Parameters:
aTokenOptionally limits the scope of this function to a token device. Can be null to mean any token.
aEmailAddressThe email address to be used as the key to find the certificate.
Returns:
The matching certificate if found.
nsIX509Cert nsIX509CertDB::findCertByNickname ( in nsISupports  aToken,
in AString  aNickname 
) [inherited]

Given a nickname and optionally a token, locate the matching certificate.

Parameters:
aTokenOptionally limits the scope of this function to a token device. Can be null to mean any token.
aNicknameThe nickname to be used as the key to find a certificate.
Returns:
The matching certificate if found.
void nsIX509CertDB::findCertNicknames ( in nsISupports  aToken,
in unsigned long  aType,
out unsigned long  count,
[array, size_is(count)] out wstring  certNameList 
) [inherited]

Obtain a list of certificate nicknames from the database.

What the name is depends on type: user, ca, or server cert - the nickname email cert - the email address

Parameters:
aTokenOptionally limits the scope of this function to a token device. Can be null to mean any token.
aTypeType of certificate to obtain See certificate type constants in nsIX509Cert.
countThe number of nicknames in the returned array
certNameListThe returned array of certificate nicknames.
nsIX509Cert nsIX509CertDB::findEmailEncryptionCert ( in AString  aNickname) [inherited]

Find the email encryption certificate by nickname.

Parameters:
aNicknameThe nickname to be used as the key to find the certificate.
Returns:
The matching certificate if found.
nsIX509Cert nsIX509CertDB::findEmailSigningCert ( in AString  aNickname) [inherited]

Find the email signing certificate by nickname.

Parameters:
aNicknameThe nickname to be used as the key to find the certificate.
Returns:
The matching certificate if found.
void nsNSSCertificateDB::getCertNames ( CERTCertList *  certList,
PRUint32  type,
PRUint32 _count,
PRUnichar ***  _certNameList 
) [private]

Definition at line 1296 of file nsNSSCertificateDB.cpp.

{
  nsNSSShutDownPreventionLock locker;
  nsresult rv;
  CERTCertListNode *node;
  PRUint32 numcerts = 0, i=0;
  PRUnichar **tmpArray = NULL;
  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("List of certs %d:\n", type));
  for (node = CERT_LIST_HEAD(certList);
       !CERT_LIST_END(node, certList);
       node = CERT_LIST_NEXT(node)) {
    if (getCertType(node->cert) == type) {
      numcerts++;
    }
  }
  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("num certs: %d\n", numcerts));
  int nc = (numcerts == 0) ? 1 : numcerts;
  tmpArray = (PRUnichar **)nsMemory::Alloc(sizeof(PRUnichar *) * nc);
  if (numcerts == 0) goto finish;
  for (node = CERT_LIST_HEAD(certList);
       !CERT_LIST_END(node, certList);
       node = CERT_LIST_NEXT(node)) {
    if (getCertType(node->cert) == type) {
      nsNSSCertificate pipCert(node->cert);
      char *dbkey = NULL;
      char *namestr = NULL;
      nsAutoString certstr;
      rv = pipCert.GetDbKey(&dbkey);
      nsAutoString keystr = NS_ConvertASCIItoUCS2(dbkey);
      PR_FREEIF(dbkey);
      if (type == nsIX509Cert::EMAIL_CERT) {
        namestr = node->cert->emailAddr;
      } else {
        namestr = node->cert->nickname;
        if (namestr) {
          char *sc = strchr(namestr, ':');
          if (sc) *sc = DELIM;
        }
      }
      if (!namestr) namestr = "";
      nsAutoString certname = NS_ConvertASCIItoUCS2(namestr);
      certstr.Append(PRUnichar(DELIM));
      certstr += certname;
      certstr.Append(PRUnichar(DELIM));
      certstr += keystr;
      tmpArray[i++] = ToNewUnicode(certstr);
    }
  }
finish:
  *_count = numcerts;
  *_certNames = tmpArray;
}

Here is the call graph for this function:

CERTDERCerts * nsNSSCertificateDB::getCertsFromPackage ( PRArenaPool arena,
PRUint8 data,
PRUint32  length 
) [private]

Definition at line 252 of file nsNSSCertificateDB.cpp.

{
  nsNSSShutDownPreventionLock locker;
  CERTDERCerts *collectArgs = 
               (CERTDERCerts *)PORT_ArenaZAlloc(arena, sizeof(CERTDERCerts));
  if ( collectArgs == nsnull ) 
    return nsnull;

  collectArgs->arena = arena;
  SECStatus sec_rv = CERT_DecodeCertPackage(NS_REINTERPRET_CAST(char *, data), 
                                            length, collect_certs, 
                                            (void *)collectArgs);
  if (sec_rv != SECSuccess)
    return nsnull;

  return collectArgs;
}

Here is the call graph for this function:

An array of all known OCSP responders within the scope of the certificate database.

Returns:
Array of OCSP responders, entries are QIable to nsIOCSPResponder.

Definition at line 272 of file nsNSSCertificateDB.cpp.

{
  // First thing we have to do is figure out which certificate we're 
  // gonna present to the user.  The CA may have sent down a list of 
  // certs which may or may not be a chained list of certs.  Until
  // the day we can design some solid UI for the general case, we'll
  // code to the > 90% case.  That case is where a CA sends down a
  // list that is a hierarchy whose root is either the first or 
  // the last cert.  What we're gonna do is compare the first 
  // 2 entries, if the second was signed by the first, we assume
  // the root cert is the first cert and display it.  Otherwise,
  // we compare the last 2 entries, if the second to last cert was
  // signed by the last cert, then we assume the last cert is the
  // root and display it.

  nsNSSShutDownPreventionLock locker;

  PRUint32 numCerts;

  x509Certs->GetLength(&numCerts);
  NS_ASSERTION(numCerts > 0, "Didn't get any certs to import.");
  if (numCerts == 0)
    return NS_OK; // Nothing to import, so nothing to do.

  nsCOMPtr<nsIX509Cert> certToShow;
  nsCOMPtr<nsISupports> isupports;
  PRUint32 selCertIndex;
  if (numCerts == 1) {
    // There's only one cert, so let's show it.
    selCertIndex = 0;
    certToShow = do_QueryElementAt(x509Certs, selCertIndex);
  } else {
    nsCOMPtr<nsIX509Cert> cert0;    // first cert
    nsCOMPtr<nsIX509Cert> cert1;    // second cert
    nsCOMPtr<nsIX509Cert> certn_2;  // second to last cert
    nsCOMPtr<nsIX509Cert> certn_1;  // last cert

    cert0 = do_QueryElementAt(x509Certs, 0);
    cert1 = do_QueryElementAt(x509Certs, 1);
    certn_2 = do_QueryElementAt(x509Certs, numCerts-2);
    certn_1 = do_QueryElementAt(x509Certs, numCerts-1);

    nsXPIDLString cert0SubjectName;
    nsXPIDLString cert1IssuerName;
    nsXPIDLString certn_2IssuerName;
    nsXPIDLString certn_1SubjectName;

    cert0->GetSubjectName(cert0SubjectName);
    cert1->GetIssuerName(cert1IssuerName);
    certn_2->GetIssuerName(certn_2IssuerName);
    certn_1->GetSubjectName(certn_1SubjectName);

    if (cert1IssuerName.Equals(cert0SubjectName)) {
      // In this case, the first cert in the list signed the second,
      // so the first cert is the root.  Let's display it. 
      selCertIndex = 0;
      certToShow = cert0;
    } else 
    if (certn_2IssuerName.Equals(certn_1SubjectName)) { 
      // In this case the last cert has signed the second to last cert.
      // The last cert is the root, so let's display it.
      selCertIndex = numCerts-1;
      certToShow = certn_1;
    } else {
      // It's not a chain, so let's just show the first one in the 
      // downloaded list.
      selCertIndex = 0;
      certToShow = cert0;
    }
  }

  if (!certToShow)
    return NS_ERROR_FAILURE;

  nsCOMPtr<nsICertificateDialogs> dialogs;
  nsresult rv = ::getNSSDialogs(getter_AddRefs(dialogs), 
                                NS_GET_IID(nsICertificateDialogs),
                                NS_CERTIFICATEDIALOGS_CONTRACTID);
                       
  if (NS_FAILED(rv))
    return rv;
 
  SECItem der;
  rv=certToShow->GetRawDER(&der.len, (PRUint8 **)&der.data);

  if (NS_FAILED(rv))
    return rv;

  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
  CERTCertificate *tmpCert;
  CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
  tmpCert = CERT_FindCertByDERCert(certdb, &der);
  if (!tmpCert) {
    tmpCert = CERT_NewTempCertificate(certdb, &der,
                                      nsnull, PR_FALSE, PR_TRUE);
  }
  nsMemory::Free(der.data);
  der.data = nsnull;
  der.len = 0;
  
  if (!tmpCert) {
    NS_ERROR("Couldn't create cert from DER blob\n");
    return NS_ERROR_FAILURE;
  }

  CERTCertificateCleaner tmpCertCleaner(tmpCert);

  if (!CERT_IsCACert(tmpCert, NULL)) {
    DisplayCertificateAlert(ctx, "NotACACert", certToShow);
    return NS_ERROR_FAILURE;
  }

  if (tmpCert->isperm) {
    DisplayCertificateAlert(ctx, "CaCertExists", certToShow);
    return NS_ERROR_FAILURE;
  }

  PRUint32 trustBits;
  PRBool allows;
  rv = dialogs->ConfirmDownloadCACert(ctx, certToShow, &trustBits, &allows);
  if (NS_FAILED(rv))
    return rv;

  if (!allows)
    return NS_ERROR_NOT_AVAILABLE;

  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("trust is %d\n", trustBits));
  nsXPIDLCString nickname;
  nickname.Adopt(CERT_MakeCANickname(tmpCert));

  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Created nick \"%s\"\n", nickname.get()));

  nsNSSCertTrust trust;
  trust.SetValidCA();
  trust.AddCATrust(trustBits & nsIX509CertDB::TRUSTED_SSL,
                   trustBits & nsIX509CertDB::TRUSTED_EMAIL,
                   trustBits & nsIX509CertDB::TRUSTED_OBJSIGN);

  SECStatus srv = CERT_AddTempCertToPerm(tmpCert, 
                                         NS_CONST_CAST(char*,nickname.get()), 
                                         trust.GetTrust()); 

  if (srv != SECSuccess)
    return NS_ERROR_FAILURE;

  // Import additional delivered certificates that can be verified.

  // build a CertList for filtering
  CERTCertList *certList = CERT_NewCertList();
  if (certList == NULL) {
    return NS_ERROR_FAILURE;
  }

  CERTCertListCleaner listCleaner(certList);

  // get all remaining certs into temp store

  for (PRUint32 i=0; i<numCerts; i++) {
    if (i == selCertIndex) {
      // we already processed that one
      continue;
    }

    certToShow = do_QueryElementAt(x509Certs, i);
    certToShow->GetRawDER(&der.len, (PRUint8 **)&der.data);

    CERTCertificate *tmpCert2 = 
      CERT_NewTempCertificate(certdb, &der, nsnull, PR_FALSE, PR_TRUE);

    nsMemory::Free(der.data);
    der.data = nsnull;
    der.len = 0;

    if (!tmpCert2) {
      NS_ASSERTION(0, "Couldn't create temp cert from DER blob\n");
      continue;  // Let's try to import the rest of 'em
    }
    
    CERT_AddCertToListTail(certList, tmpCert2);
  }

  return ImportValidCACertsInList(certList, ctx);
}

Here is the call graph for this function:

void nsIX509CertDB::importCertificates ( [array, size_is(length)] in octet  data,
in unsigned long  length,
in unsigned long  type,
in nsIInterfaceRequestor  ctx 
) [inherited]

Use this to import a stream sent down as a mime type into the certificate database on the default token.

The stream may consist of one or more certificates.

Parameters:
dataThe raw data to be imported
lengthThe length of the data to be imported
typeThe type of the certificate, see constants in nsIX509Cert
ctxA UI context.
void nsIX509CertDB::importCertsFromFile ( in nsISupports  aToken,
in nsILocalFile  aFile,
in unsigned long  aType 
) [inherited]

Import certificate(s) from file.

Parameters:
aTokenOptionally limits the scope of this function to a token device. Can be null to mean any token.
aFileIdentifies a file that contains the certificate to be imported.
aTypeDescribes the type of certificate that is going to be imported. See type constants in nsIX509Cert.
void nsIX509CertDB::importEmailCertificate ( [array, size_is(length)] in octet  data,
in unsigned long  length,
in nsIInterfaceRequestor  ctx 
) [inherited]

Import another person's email certificate into the database.

Parameters:
dataThe raw data to be imported
lengthThe length of the data to be imported
ctxA UI context.
void nsIX509CertDB::importPKCS12File ( in nsISupports  aToken,
in nsILocalFile  aFile 
) [inherited]

Import a PKCS#12 file containing cert(s) and key(s) into the database.

Parameters:
aTokenOptionally limits the scope of this function to a token device. Can be null to mean any token.
aFileIdentifies a file that contains the data to be imported.
void nsIX509CertDB::importServerCertificate ( [array, size_is(length)] in octet  data,
in unsigned long  length,
in nsIInterfaceRequestor  ctx 
) [inherited]

Import a server machine's certificate into the database.

Parameters:
dataThe raw data to be imported
lengthThe length of the data to be imported
ctxA UI context.
void nsIX509CertDB::importUserCertificate ( [array, size_is(length)] in octet  data,
in unsigned long  length,
in nsIInterfaceRequestor  ctx 
) [inherited]

Import a personal certificate into the database, assuming the database already contains the private key for this certificate.

Parameters:
dataThe raw data to be imported
lengthThe length of the data to be imported
ctxA UI context.
nsresult nsNSSCertificateDB::ImportValidCACerts ( int  numCACerts,
SECItem *  CACerts,
nsIInterfaceRequestor ctx 
) [static]

Definition at line 719 of file nsNSSCertificateDB.cpp.

{
  CERTCertList *certList = NULL;
  SECItem **rawArray;

  // build a CertList for filtering
  certList = CERT_NewCertList();
  if (certList == NULL) {
    return NS_ERROR_FAILURE;
  }

  CERTCertListCleaner listCleaner(certList);

  // get all certs into temp store
  SECStatus srv = SECFailure;
  CERTCertificate **certArray = NULL;

  rawArray = (SECItem **) PORT_Alloc(sizeof(SECItem *) * numCACerts);
  if ( !rawArray ) {
    return NS_ERROR_FAILURE;
  }

  for (int i=0; i < numCACerts; i++) {
    rawArray[i] = &CACerts[i];
  }

  srv = CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageAnyCA, numCACerts, rawArray, 
                         &certArray, PR_FALSE, PR_TRUE, NULL);

  PORT_Free(rawArray);
  rawArray = NULL;

  if (srv != SECSuccess) {
    return NS_ERROR_FAILURE;
  }

  for (int i2=0; i2 < numCACerts; i2++) {
    CERTCertificate *cacert = certArray[i2];
    if (cacert)
      cacert = CERT_DupCertificate(cacert);
    if (cacert)
      CERT_AddCertToListTail(certList, cacert);
  }

  CERT_DestroyCertArray(certArray, numCACerts);

  return ImportValidCACertsInList(certList, ctx);
}

Here is the call graph for this function:

nsresult nsNSSCertificateDB::ImportValidCACertsInList ( CERTCertList *  certList,
nsIInterfaceRequestor ctx 
) [static, private]

Definition at line 769 of file nsNSSCertificateDB.cpp.

{
  SECItem **rawArray;

  /* filter out the certs we don't want */
  SECStatus srv = CERT_FilterCertListByUsage(certList, certUsageAnyCA, PR_TRUE);
  if (srv != SECSuccess) {
    return NS_ERROR_FAILURE;
  }

  /* go down the remaining list of certs and verify that they have
   * valid chains, if yes, then import.
   */
  PRTime now = PR_Now();
  CERTCertListNode *node;
  for (node = CERT_LIST_HEAD(certList);
       !CERT_LIST_END(node,certList);
       node = CERT_LIST_NEXT(node)) {

    bool alert_and_skip = false;

    if (CERT_VerifyCert(CERT_GetDefaultCertDB(), node->cert, 
        PR_TRUE, certUsageVerifyCA, now, ctx, NULL) != SECSuccess) {
      alert_and_skip = true;
    }

    CERTCertificateList *certChain = nsnull;
    CERTCertificateListCleaner chainCleaner(certChain);

    if (!alert_and_skip) {    
      certChain = CERT_CertChainFromCert(node->cert, certUsageAnyCA, PR_FALSE);
      if (!certChain) {
        alert_and_skip = true;
      }
    }

    if (alert_and_skip) {    
      nsCOMPtr<nsIX509Cert> certToShow = new nsNSSCertificate(node->cert);
      DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow);
      continue;
    }

    /*
     * CertChain returns an array of SECItems, import expects an array of
     * SECItem pointers. Create the SECItem Pointers from the array of
     * SECItems.
     */
    rawArray = (SECItem **) PORT_Alloc(certChain->len * sizeof(SECItem *));
    if (!rawArray) {
      continue;
    }
    for (int i=0; i < certChain->len; i++) {
      rawArray[i] = &certChain->certs[i];
    }
    CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageAnyCA, certChain->len, 
                            rawArray,  NULL, PR_TRUE, PR_TRUE, NULL);

    PORT_Free(rawArray);
  }
  
  return NS_OK;
}

Here is the call graph for this function:

Here is the caller graph for this function:

boolean nsIX509CertDB::isCertTrusted ( in nsIX509Cert  cert,
in unsigned long  certType,
in unsigned long  trustType 
) [inherited]

Query whether a certificate is trusted for a particular use.

Parameters:
certObtain the stored trust of this certificate.
certTypeThe type of the certificate. See nsIX509Cert.
trustTypeA single bit from the usages constants defined within this interface.
Returns:
Returns true if the certificate is trusted for the given use.
void nsIX509CertDB::setCertTrust ( in nsIX509Cert  cert,
in unsigned long  type,
in unsigned long  trust 
) [inherited]

Modify the trust that is stored and associated to a certificate within a database.

Separate trust is stored for One call manipulates the trust for one trust type only. See the trust type constants defined within this interface.

Parameters:
certChange the stored trust of this certificate.
typeThe type of the certificate. See nsIX509Cert.
trustA bitmask. The new trust for the possible usages. See the trust constants defined within this interface.

Member Data Documentation

Whether OCSP is enabled in preferences.

Definition at line 289 of file nsIX509CertDB.idl.

const unsigned long nsIX509CertDB::TRUSTED_EMAIL = 1 << 1 [inherited]

Definition at line 66 of file nsIX509CertDB.idl.

const unsigned long nsIX509CertDB::TRUSTED_OBJSIGN = 1 << 2 [inherited]

Definition at line 67 of file nsIX509CertDB.idl.

const unsigned long nsIX509CertDB::TRUSTED_SSL = 1 << 0 [inherited]

Definition at line 65 of file nsIX509CertDB.idl.

const unsigned long nsIX509CertDB::UNTRUSTED = 0 [inherited]

Constants that define which usages a certificate is trusted for.

Definition at line 64 of file nsIX509CertDB.idl.


The documentation for this class was generated from the following files: