Back to index

lightning-sunbird  0.9+nobinonly
nsNSSCertTrust.cpp
Go to the documentation of this file.
00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is the Netscape security libraries.
00015  *
00016  * The Initial Developer of the Original Code is
00017  * Netscape Communications Corporation.
00018  * Portions created by the Initial Developer are Copyright (C) 2000
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *   Ian McGreer <mcgreer@netscape.com>
00023  *   Javier Delgadillo <javi@netscape.com>
00024  *
00025  * Alternatively, the contents of this file may be used under the terms of
00026  * either the GNU General Public License Version 2 or later (the "GPL"), or
00027  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00028  * in which case the provisions of the GPL or the LGPL are applicable instead
00029  * of those above. If you wish to allow use of your version of this file only
00030  * under the terms of either the GPL or the LGPL, and not to allow others to
00031  * use your version of this file under the terms of the MPL, indicate your
00032  * decision by deleting the provisions above and replace them with the notice
00033  * and other provisions required by the GPL or the LGPL. If you do not delete
00034  * the provisions above, a recipient may use your version of this file under
00035  * the terms of any one of the MPL, the GPL or the LGPL.
00036  *
00037  * ***** END LICENSE BLOCK ***** */
00038 
00039 #include "nsNSSCertTrust.h"
00040 
00041 void
00042 nsNSSCertTrust::AddCATrust(PRBool ssl, PRBool email, PRBool objSign)
00043 {
00044   if (ssl) {
00045     addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
00046     addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
00047   }
00048   if (email) {
00049     addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
00050     addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
00051   }
00052   if (objSign) {
00053     addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
00054     addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
00055   }
00056 }
00057 
00058 void
00059 nsNSSCertTrust::AddPeerTrust(PRBool ssl, PRBool email, PRBool objSign)
00060 {
00061   if (ssl)
00062     addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
00063   if (email)
00064     addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
00065   if (objSign)
00066     addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
00067 }
00068 
00069 nsNSSCertTrust::nsNSSCertTrust()
00070 {
00071   memset(&mTrust, 0, sizeof(CERTCertTrust));
00072 }
00073 
00074 nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl, 
00075                                unsigned int email, 
00076                                unsigned int objsign)
00077 {
00078   memset(&mTrust, 0, sizeof(CERTCertTrust));
00079   addTrust(&mTrust.sslFlags, ssl);
00080   addTrust(&mTrust.emailFlags, email);
00081   addTrust(&mTrust.objectSigningFlags, objsign);
00082 }
00083 
00084 nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust *t)
00085 {
00086   if (t)
00087     memcpy(&mTrust, t, sizeof(CERTCertTrust));
00088   else
00089     memset(&mTrust, 0, sizeof(CERTCertTrust)); 
00090 }
00091 
00092 nsNSSCertTrust::~nsNSSCertTrust()
00093 {
00094 }
00095 
00096 void
00097 nsNSSCertTrust::SetSSLTrust(PRBool peer, PRBool tPeer,
00098                             PRBool ca,   PRBool tCA, PRBool tClientCA,
00099                             PRBool user, PRBool warn)
00100 {
00101   mTrust.sslFlags = 0;
00102   if (peer || tPeer)
00103     addTrust(&mTrust.sslFlags, CERTDB_VALID_PEER);
00104   if (tPeer)
00105     addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
00106   if (ca || tCA)
00107     addTrust(&mTrust.sslFlags, CERTDB_VALID_CA);
00108   if (tClientCA)
00109     addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
00110   if (tCA)
00111     addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
00112   if (user)
00113     addTrust(&mTrust.sslFlags, CERTDB_USER);
00114   if (warn)
00115     addTrust(&mTrust.sslFlags, CERTDB_SEND_WARN);
00116 }
00117 
00118 void
00119 nsNSSCertTrust::SetEmailTrust(PRBool peer, PRBool tPeer,
00120                               PRBool ca,   PRBool tCA, PRBool tClientCA,
00121                               PRBool user, PRBool warn)
00122 {
00123   mTrust.emailFlags = 0;
00124   if (peer || tPeer)
00125     addTrust(&mTrust.emailFlags, CERTDB_VALID_PEER);
00126   if (tPeer)
00127     addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
00128   if (ca || tCA)
00129     addTrust(&mTrust.emailFlags, CERTDB_VALID_CA);
00130   if (tClientCA)
00131     addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
00132   if (tCA)
00133     addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
00134   if (user)
00135     addTrust(&mTrust.emailFlags, CERTDB_USER);
00136   if (warn)
00137     addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN);
00138 }
00139 
00140 void
00141 nsNSSCertTrust::SetObjSignTrust(PRBool peer, PRBool tPeer,
00142                                 PRBool ca,   PRBool tCA, PRBool tClientCA,
00143                                 PRBool user, PRBool warn)
00144 {
00145   mTrust.objectSigningFlags = 0;
00146   if (peer || tPeer)
00147     addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_PEER);
00148   if (tPeer)
00149     addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
00150   if (ca || tCA)
00151     addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_CA);
00152   if (tClientCA)
00153     addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
00154   if (tCA)
00155     addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
00156   if (user)
00157     addTrust(&mTrust.objectSigningFlags, CERTDB_USER);
00158   if (warn)
00159     addTrust(&mTrust.objectSigningFlags, CERTDB_SEND_WARN);
00160 }
00161 
00162 void
00163 nsNSSCertTrust::SetValidCA()
00164 {
00165   SetSSLTrust(PR_FALSE, PR_FALSE,
00166               PR_TRUE, PR_FALSE, PR_FALSE,
00167               PR_FALSE, PR_FALSE);
00168   SetEmailTrust(PR_FALSE, PR_FALSE,
00169                 PR_TRUE, PR_FALSE, PR_FALSE,
00170                 PR_FALSE, PR_FALSE);
00171   SetObjSignTrust(PR_FALSE, PR_FALSE,
00172                   PR_TRUE, PR_FALSE, PR_FALSE,
00173                   PR_FALSE, PR_FALSE);
00174 }
00175 
00176 void
00177 nsNSSCertTrust::SetTrustedServerCA()
00178 {
00179   SetSSLTrust(PR_FALSE, PR_FALSE,
00180               PR_TRUE, PR_TRUE, PR_FALSE,
00181               PR_FALSE, PR_FALSE);
00182   SetEmailTrust(PR_FALSE, PR_FALSE,
00183                 PR_TRUE, PR_TRUE, PR_FALSE,
00184                 PR_FALSE, PR_FALSE);
00185   SetObjSignTrust(PR_FALSE, PR_FALSE,
00186                   PR_TRUE, PR_TRUE, PR_FALSE,
00187                   PR_FALSE, PR_FALSE);
00188 }
00189 
00190 void
00191 nsNSSCertTrust::SetTrustedCA()
00192 {
00193   SetSSLTrust(PR_FALSE, PR_FALSE,
00194               PR_TRUE, PR_TRUE, PR_TRUE,
00195               PR_FALSE, PR_FALSE);
00196   SetEmailTrust(PR_FALSE, PR_FALSE,
00197                 PR_TRUE, PR_TRUE, PR_TRUE,
00198                 PR_FALSE, PR_FALSE);
00199   SetObjSignTrust(PR_FALSE, PR_FALSE,
00200                   PR_TRUE, PR_TRUE, PR_TRUE,
00201                   PR_FALSE, PR_FALSE);
00202 }
00203 
00204 void 
00205 nsNSSCertTrust::SetValidPeer()
00206 {
00207   SetSSLTrust(PR_TRUE, PR_FALSE,
00208               PR_FALSE, PR_FALSE, PR_FALSE,
00209               PR_FALSE, PR_FALSE);
00210   SetEmailTrust(PR_TRUE, PR_FALSE,
00211                 PR_FALSE, PR_FALSE, PR_FALSE,
00212                 PR_FALSE, PR_FALSE);
00213   SetObjSignTrust(PR_TRUE, PR_FALSE,
00214                   PR_FALSE, PR_FALSE, PR_FALSE,
00215                   PR_FALSE, PR_FALSE);
00216 }
00217 
00218 void 
00219 nsNSSCertTrust::SetValidServerPeer()
00220 {
00221   SetSSLTrust(PR_TRUE, PR_FALSE,
00222               PR_FALSE, PR_FALSE, PR_FALSE,
00223               PR_FALSE, PR_FALSE);
00224   SetEmailTrust(PR_FALSE, PR_FALSE,
00225                 PR_FALSE, PR_FALSE, PR_FALSE,
00226                 PR_FALSE, PR_FALSE);
00227   SetObjSignTrust(PR_FALSE, PR_FALSE,
00228                   PR_FALSE, PR_FALSE, PR_FALSE,
00229                   PR_FALSE, PR_FALSE);
00230 }
00231 
00232 void 
00233 nsNSSCertTrust::SetTrustedPeer()
00234 {
00235   SetSSLTrust(PR_TRUE, PR_TRUE,
00236               PR_FALSE, PR_FALSE, PR_FALSE,
00237               PR_FALSE, PR_FALSE);
00238   SetEmailTrust(PR_TRUE, PR_TRUE,
00239                 PR_FALSE, PR_FALSE, PR_FALSE,
00240                 PR_FALSE, PR_FALSE);
00241   SetObjSignTrust(PR_TRUE, PR_TRUE,
00242                   PR_FALSE, PR_FALSE, PR_FALSE,
00243                   PR_FALSE, PR_FALSE);
00244 }
00245 
00246 void
00247 nsNSSCertTrust::SetUser()
00248 {
00249   SetSSLTrust(PR_FALSE, PR_FALSE,
00250               PR_FALSE, PR_FALSE, PR_FALSE,
00251               PR_TRUE, PR_FALSE);
00252   SetEmailTrust(PR_FALSE, PR_FALSE,
00253                 PR_FALSE, PR_FALSE, PR_FALSE,
00254                 PR_TRUE, PR_FALSE);
00255   SetObjSignTrust(PR_FALSE, PR_FALSE,
00256                   PR_FALSE, PR_FALSE, PR_FALSE,
00257                   PR_TRUE, PR_FALSE);
00258 }
00259 
00260 PRBool
00261 nsNSSCertTrust::HasAnyCA()
00262 {
00263   if (hasTrust(mTrust.sslFlags, CERTDB_VALID_CA) ||
00264       hasTrust(mTrust.emailFlags, CERTDB_VALID_CA) ||
00265       hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
00266     return PR_TRUE;
00267   return PR_FALSE;
00268 }
00269 
00270 PRBool
00271 nsNSSCertTrust::HasCA(PRBool checkSSL, 
00272                       PRBool checkEmail,  
00273                       PRBool checkObjSign)
00274 {
00275   if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_VALID_CA))
00276     return PR_FALSE;
00277   if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_VALID_CA))
00278     return PR_FALSE;
00279   if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
00280     return PR_FALSE;
00281   return PR_TRUE;
00282 }
00283 
00284 PRBool
00285 nsNSSCertTrust::HasPeer(PRBool checkSSL, 
00286                         PRBool checkEmail,  
00287                         PRBool checkObjSign)
00288 {
00289   if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_VALID_PEER))
00290     return PR_FALSE;
00291   if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_VALID_PEER))
00292     return PR_FALSE;
00293   if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_PEER))
00294     return PR_FALSE;
00295   return PR_TRUE;
00296 }
00297 
00298 PRBool
00299 nsNSSCertTrust::HasAnyUser()
00300 {
00301   if (hasTrust(mTrust.sslFlags, CERTDB_USER) ||
00302       hasTrust(mTrust.emailFlags, CERTDB_USER) ||
00303       hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
00304     return PR_TRUE;
00305   return PR_FALSE;
00306 }
00307 
00308 PRBool
00309 nsNSSCertTrust::HasUser(PRBool checkSSL, 
00310                         PRBool checkEmail,  
00311                         PRBool checkObjSign)
00312 {
00313   if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_USER))
00314     return PR_FALSE;
00315   if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_USER))
00316     return PR_FALSE;
00317   if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
00318     return PR_FALSE;
00319   return PR_TRUE;
00320 }
00321 
00322 PRBool
00323 nsNSSCertTrust::HasTrustedCA(PRBool checkSSL, 
00324                              PRBool checkEmail,  
00325                              PRBool checkObjSign)
00326 {
00327   if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) ||
00328                     hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA)))
00329     return PR_FALSE;
00330   if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) ||
00331                       hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA)))
00332     return PR_FALSE;
00333   if (checkObjSign && 
00334        !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CA) ||
00335          hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA)))
00336     return PR_FALSE;
00337   return PR_TRUE;
00338 }
00339 
00340 PRBool
00341 nsNSSCertTrust::HasTrustedPeer(PRBool checkSSL, 
00342                                PRBool checkEmail,  
00343                                PRBool checkObjSign)
00344 {
00345   if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED)))
00346     return PR_FALSE;
00347   if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED)))
00348     return PR_FALSE;
00349   if (checkObjSign && 
00350        !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED)))
00351     return PR_FALSE;
00352   return PR_TRUE;
00353 }
00354 
00355 void
00356 nsNSSCertTrust::addTrust(unsigned int *t, unsigned int v)
00357 {
00358   *t |= v;
00359 }
00360 
00361 PRBool
00362 nsNSSCertTrust::hasTrust(unsigned int t, unsigned int v)
00363 {
00364   return (t & v);
00365 }
00366