开通博客赚积分
发布资源赚积分
分类

源码开发语言/平台
当前位置:首页 > 源码/资料 > 加密解密 > CA认证 > 查看源码
certinit.c
资源名称:nss-3.1.1.tar.gz [点击查看]
上传用户:lyxiangda
上传日期:2007-01-12
资源大小:3042k
文件大小:13k
源码类别:

CA认证

开发平台:

WINDOWS

certinit.c:源码内容
  1. /*
  2.  * The contents of this file are subject to the Mozilla Public
  3.  * License Version 1.1 (the "License"); you may not use this file
  4.  * except in compliance with the License. You may obtain a copy of
  5.  * the License at http://www.mozilla.org/MPL/
  6.  * 
  7.  * Software distributed under the License is distributed on an "AS
  8.  * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
  9.  * implied. See the License for the specific language governing
  10.  * rights and limitations under the License.
  11.  * 
  12.  * The Original Code is the Netscape security libraries.
  13.  * 
  14.  * The Initial Developer of the Original Code is Netscape
  15.  * Communications Corporation.  Portions created by Netscape are 
  16.  * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
  17.  * Rights Reserved.
  18.  * 
  19.  * Contributor(s):
  20.  * 
  21.  * Alternatively, the contents of this file may be used under the
  22.  * terms of the GNU General Public License Version 2 or later (the
  23.  * "GPL"), in which case the provisions of the GPL are applicable 
  24.  * instead of those above.  If you wish to allow use of your 
  25.  * version of this file only under the terms of the GPL and not to
  26.  * allow others to use your version of this file under the MPL,
  27.  * indicate your decision by deleting the provisions above and
  28.  * replace them with the notice and other provisions required by
  29.  * the GPL.  If you do not delete the provisions above, a recipient
  30.  * may use your version of this file under either the MPL or the
  31.  * GPL.
  32.  */
  34. #include "cert.h"
  35. #include "base64.h"
  36. #include "mcom_db.h"
  37. #include "certdb.h"
  39. #ifdef STATIC_CERT_INIT
  40. static char example_com_server_ca[] =
  41. "MIICBTCCAW6gAwIBAgIBATANBgkqhkiG9w0BAQQFADA+MREwDwYICZIm9ZgeZAET"
  42. "A2NvbTEVMBMGCAmSJvWYHmQBEwdFeGFtcGxlMRIwEAYDVQQDEwlTZXJ2ZXIgQ0Ew"
  43. "HhcNMDAwMjAzMjIyMDA3WhcNMTAwNTAzMjIyMDA3WjA+MREwDwYICZIm9ZgeZAET"
  44. "A2NvbTEVMBMGCAmSJvWYHmQBEwdFeGFtcGxlMRIwEAYDVQQDEwlTZXJ2ZXIgQ0Ew"
  45. "gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALGiKEvTd2k4ZJbdAVWokfFlB6Hz"
  46. "WJXveXm8+IgmFlgtAnicZI11z5wAutFRvDpun7WmRLgHxvEhU3tLoiACGYdGJXPw"
  47. "+lI2pzHzFSd63B0qcA/NVAW3EOBJeaEFwy0jkUaCIki8qQV06g8RosNX/zv6a+OF"
  48. "d5NMpS0fecK4fEvdAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN"
  49. "AQEEBQADgYEAi5rFiG6afWS1PHigssk2LwAJws5cszPbVIeIMHCBbtu259V7uWts"
  50. "gNxUPJRjeQBsK0ItAfinC0xxLeuMbRfIdZoRYv/OYDxCwGW7hUcNLi+fHlGnJNXH"
  51. "TWaCRdOwkljnws4v8ABas2DYA/k7xUFAygkIJd9NtE29ZrdrWpfSavI=";
  53. static char example_com_individual_ca[] =
  54. "MIICDTCCAXagAwIBAgIBAjANBgkqhkiG9w0BAQQFADBCMREwDwYICZIm9ZgeZAET"
  55. "A2NvbTEVMBMGCAmSJvWYHmQBEwdFeGFtcGxlMRYwFAYDVQQDEw1JbmRpdmlkdWFs"
  56. "IENBMB4XDTAwMDIwMzIyMjE1NFoXDTEwMDUwMzIyMjE1NFowQjERMA8GCAmSJvWY"
  57. "HmQBEwNjb20xFTATBggJkib1mB5kARMHRXhhbXBsZTEWMBQGA1UEAxMNSW5kaXZp"
  58. "ZHVhbCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAu5syfboe93MOkGec"
  59. "dOuJholyX42wcaH/RgnL3C/8NnZp9WWaTaguvn7KrbCj4TAMzu0pabUN8apB3J60"
  60. "9C/FlixjXF7r73OzbyTCM5ja6/bPfmHMPmDl9l/9tKqhh+loFvRizXDaWSFRViDS"
  61. "XvKNeQztwwAOpEAqnJwyTkn4FjECAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zAN"
  62. "BgkqhkiG9w0BAQQFAAOBgQB1XK+5pXdXYq3O3TC/ZY5LWlZ7zuoWUO75OpuMY7XF"
  63. "iW/jeXbVT5IYZXoRGXJFGGaDmnAuK1/m6FTDhjSTG0XUmd5tg4aFieI+LY4rkYEv"
  64. "mbJElxKabXl5hVD4mg2bwYlFY7XBmifTa1Ll3HDX3VZM0DC1bm4KCHBnY0qXjSYq"
  65. "PA==";
  67. static char example_com_objsign_ca[] =
  68. "MIICETCCAXqgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBEMREwDwYICZIm9ZgeZAET"
  69. "A2NvbTEVMBMGCAmSJvWYHmQBEwdFeGFtcGxlMRgwFgYDVQQDEw9Db2RlIFNpZ25p"
  70. "bmcgQ0EwHhcNMDAwMjAzMjIyMzEzWhcNMTAwNTAzMjIyMzEzWjBEMREwDwYICZIm"
  71. "9ZgeZAETA2NvbTEVMBMGCAmSJvWYHmQBEwdFeGFtcGxlMRgwFgYDVQQDEw9Db2Rl"
  72. "IFNpZ25pbmcgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALcy76InmpM9"
  73. "S9K2MlNSjusx6nkYWWbx7eDRTV+xhRPeDxW4t8jtKPqDF5LTusyM9WCI/nneqsIP"
  74. "7iTSHpxlGx37J1VbqKX5fZsfJ3wKv6ZIylzeRuFY9MFypPA2UmVd1ACDOUB3YDvY"
  75. "mrCVkOPEhjnZKbq4FfCpf8KNL2A5EBcZAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMB"
  76. "Af8wDQYJKoZIhvcNAQEEBQADgYEAI0IXzwgBRXvow3JQi8Y4YdG2wZc4BWRGW87x"
  77. "2zOD7GOA0CWN149vb6rEchECykDsJj9LoBl6o1aRxk9WkIFnXmMOJSuJA+ilCe//"
  78. "81a5OhKbe0p7ym6rh190BLwh2VePFeyabq6NipfZlN6qgWUzoepf+jVblufW/2EI"
  79. "fbMSylc=";
  80. #endif
  82. /* This is the cert->certKey (serial number and issuer name) of
  83.  * the cert that we want to revoke.
  84.  */
  85. static unsigned char revoked_system_principal_key[] = {
  86. 0x40, 0x18, 0xf2, 0x35, 0x86, 0x06, 0x78, 0xce, 0x87, 0x89,
  87. 0x0c, 0x5d, 0x68, 0x67, 0x33, 0x09, 0x30, 0x81, 0xc1, 0x31,
  88. 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x16,
  89. 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x54,
  90. 0x72, 0x75, 0x73, 0x74, 0x20, 0x4e, 0x65, 0x74, 0x77, 0x6f,
  91. 0x72, 0x6b, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04,
  92. 0x0b, 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67,
  93. 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x3a, 0x30,
  94. 0x38, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x31, 0x56, 0x65,
  95. 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x4f, 0x62, 0x6a,
  96. 0x65, 0x63, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e,
  97. 0x67, 0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x43, 0x6c, 0x61,
  98. 0x73, 0x73, 0x20, 0x33, 0x20, 0x4f, 0x72, 0x67, 0x61, 0x6e,
  99. 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x49, 0x30,
  100. 0x47, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x40, 0x77, 0x77,
  101. 0x77, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, 0x6e,
  102. 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x43, 0x50, 0x53, 0x20, 0x49,
  103. 0x6e, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x62, 0x79, 0x20, 0x52,
  104. 0x65, 0x66, 0x2e, 0x20, 0x4c, 0x49, 0x41, 0x42, 0x49, 0x4c,
  105. 0x49, 0x54, 0x59, 0x20, 0x4c, 0x54, 0x44, 0x2e, 0x28, 0x63,
  106. 0x29, 0x39, 0x37, 0x20, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69,
  107. 0x67, 0x6e
  108. };
  110. SECStatus
  111. CERT_CheckForEvilCert(CERTCertificate *cert)
  112. {
  113.     if ( cert->certKey.len == sizeof(revoked_system_principal_key) ) {
  114.         if ( PORT_Memcmp(cert->certKey.data,
  115.                          revoked_system_principal_key,
  116.                          sizeof(revoked_system_principal_key)) == 0 ) {
  117.             return(SECFailure);
  118.         }
  119.     }
  121.     return(SECSuccess);
  122. }
  124. #ifdef STATIC_CERT_INIT
  126. #define DEFAULT_TRUST_FLAGS (CERTDB_VALID_CA | 
  127.                              CERTDB_TRUSTED_CA | 
  128.                              CERTDB_NS_TRUSTED_CA)
  130. typedef enum {
  131.     certUpdateNone,
  132.     certUpdateAdd,
  133.     certUpdateDelete,
  134.     certUpdateAddTrust,
  135.     certUpdateRemoveTrust,
  136.     certUpdateSetTrust
  137. } certUpdateOp;
  139. typedef struct {
  140.     char *cert;
  141.     char *nickname;
  142.     CERTCertTrust trust;
  143.     int updateVersion;
  144.     certUpdateOp op;
  145.     CERTCertTrust trustDelta;
  146. } certInitEntry;
  148. static certInitEntry initialcerts[] = {
  149.   {
  150.     example_com_server_ca,
  151.     "Example.com Server CA",
  152.     { DEFAULT_TRUST_FLAGS | CERTDB_GOVT_APPROVED_CA, 0, 0 },
  153.     1,
  154.     certUpdateAdd,
  155.     { 0, 0, 0 }
  156.   },
  157.   {
  158.     example_com_server_ca,
  159.     "Example.com Server CA",
  160.     { DEFAULT_TRUST_FLAGS | CERTDB_GOVT_APPROVED_CA, 0, 0 },
  161.     2,
  162.     certUpdateAddTrust,
  163.     { CERTDB_GOVT_APPROVED_CA, 0, 0 }
  164.   },
  166.   {
  167.     example_com_individual_ca,
  168.     "Example.com Individual CA",
  169.     { 0, DEFAULT_TRUST_FLAGS, 0 },
  170.     1,
  171.     certUpdateAdd,
  172.     { 0, 0, 0 }
  173.   },
  174.   {
  175.     example_com_individual_ca,
  176.     "Example.com Individual CA",
  177.     { 0, DEFAULT_TRUST_FLAGS, 0 },
  178.     2,
  179.     certUpdateRemoveTrust,
  180.     { 0, 0, DEFAULT_TRUST_FLAGS }
  181.   },
  183.   {
  184.     example_com_objsign_ca,
  185.     "Example.com Code Signing CA",
  186.     { 0, 0, DEFAULT_TRUST_FLAGS },
  187.     2,
  188.     certUpdateAdd,
  189.     { 0, 0, 0 }
  190.   },
  192.   {
  193.         0, 0
  194.   }
  195. };
  198. static SECStatus
  199. ConvertAndCheckCertificate(CERTCertDBHandle *handle, char *asciicert,
  200.                            char *nickname, CERTCertTrust *trust)
  201. {
  202.     SECItem sdder;
  203.     SECStatus rv;
  204.     CERTCertificate *cert;
  205.     PRBool conflict;
  206.     SECItem derSubject;
  208.     /* First convert ascii to binary */
  209.     rv = ATOB_ConvertAsciiToItem (&sdder, asciicert);
  210.     if (rv != SECSuccess) {
  211.         return(rv);
  212.     }
  214.     /*
  215.     ** Inside the ascii is a Signed Certificate.
  216.     */
  218.     cert = NULL;
  220.     /* make sure that no conflicts exist */
  221.     conflict = SEC_CertDBKeyConflict(&sdder, handle);
  222.     if ( conflict ) {
  223.         goto done;
  224.     }
  226.     rv = CERT_NameFromDERCert(&sdder, &derSubject);
  227.     if ( rv != SECSuccess ) {
  228.         goto loser;
  229.     }
  231.     conflict = SEC_CertNicknameConflict(nickname, &derSubject, handle);
  232.     if ( conflict ) {
  233.         goto done;
  234.     }
  236.     cert = CERT_NewTempCertificate(handle, &sdder, NULL, PR_FALSE, PR_TRUE);
  237.     if ( cert == NULL ) {
  238.         goto loser;
  239.     }
  241.     rv = CERT_AddTempCertToPerm(cert, nickname, trust);
  243.     CERT_DestroyCertificate(cert);
  245.     if (rv == SECSuccess) {
  246.         /*
  247.         ** XXX should verify signatures too, if we have the certificate for
  248.         ** XXX its issuer...
  249.         */
  250.     }
  252. done:
  253.     PORT_Free(sdder.data);
  254.     return(rv);
  256. loser:
  257.     return(SECFailure);
  258. }
  260. #endif
  262. extern void certdb_InitDBLock(void);
  264. SECStatus
  265. CERT_InitCertDB(CERTCertDBHandle *handle)
  266. {
  267. #ifdef STATIC_CERT_INIT
  268.     SECStatus rv;
  269.     certInitEntry *entry;
  270.     certdb_InitDBLock();
  272.     entry = initialcerts;
  274.     while ( entry->cert != NULL) {
  275.         if ( entry->op != certUpdateDelete ) {
  276.             rv = ConvertAndCheckCertificate(handle, entry->cert,
  277.                                             entry->nickname, &entry->trust);
  278.             /* keep going */
  279.         }
  281.         entry++;
  282.     }
  283. done:
  284.     CERT_SetDBContentVersion(CERT_DB_CONTENT_VERSION, handle);
  285.     return(rv);
  286. #else
  287.     certdb_InitDBLock();
  288.     CERT_SetDBContentVersion(0, handle);
  289.     return(SECSuccess);
  290. #endif
  291. }
  293. #ifdef STATIC_CERT_INIT
  294. static CERTCertificate *
  295. CertFromEntry(CERTCertDBHandle *handle, char *asciicert)
  296. {
  297.     SECItem sdder;
  298.     SECStatus rv;
  299.     CERTCertificate *cert;
  301.     /* First convert ascii to binary */
  302.     rv = ATOB_ConvertAsciiToItem (&sdder, asciicert);
  303.     if (rv != SECSuccess) {
  304.         return(NULL);
  305.     }
  307.     /*
  308.     ** Inside the ascii is a Signed Certificate.
  309.     */
  311.     cert = CERT_NewTempCertificate(handle, &sdder, NULL, PR_FALSE, PR_TRUE);
  313.     return(cert);
  314. }
  315. #endif
  317. SECStatus
  318. CERT_AddNewCerts(CERTCertDBHandle *handle)
  319. {
  320. #ifdef STATIC_CERT_INIT
  321.     int oldversion;
  322.     int newversion;
  323.     certInitEntry *entry;
  324.     CERTCertTrust tmptrust;
  325.     SECStatus rv;
  326.     CERTCertificate *cert;
  328.     newversion = CERT_DB_CONTENT_VERSION;
  330.     oldversion = CERT_GetDBContentVersion(handle);
  332.     if ( newversion > oldversion ) {
  333.         entry = initialcerts;
  335.         while ( entry->cert != NULL ) {
  336.             if ( entry->updateVersion > oldversion ) {
  337.                 switch ( entry->op ) {
  338.                   default:
  339.                     break;
  340.                   case certUpdateAdd:
  341.                     rv = ConvertAndCheckCertificate(handle, entry->cert,
  342.                                                     entry->nickname,
  343.                                                     &entry->trust);
  344.                     break;
  345.                   case certUpdateDelete:
  346.                     cert = CertFromEntry(handle, entry->cert);
  347.                     if ( cert != NULL ) {
  348.                         if ( cert->isperm ) {
  349.                             rv = SEC_DeletePermCertificate(cert);
  350.                         }
  351.                         CERT_DestroyCertificate(cert);
  352.                     }
  353.                     break;
  354.                   case certUpdateAddTrust:
  355.                     cert = CertFromEntry(handle, entry->cert);
  356.                     if ( cert != NULL ) {
  357.                         if ( cert->isperm ) {
  358.                             tmptrust = *cert->trust;
  359.                             tmptrust.sslFlags |= entry->trustDelta.sslFlags;
  360.                             tmptrust.emailFlags |=
  361.                                 entry->trustDelta.emailFlags;
  362.                             tmptrust.objectSigningFlags |=
  363.                                 entry->trustDelta.objectSigningFlags;
  364.                             rv = CERT_ChangeCertTrust(handle, cert,
  365. &tmptrust);
  366.                         }
  367.                         CERT_DestroyCertificate(cert);
  368.                     }
  369.                     break;
  370.                   case certUpdateRemoveTrust:
  371.                     cert = CertFromEntry(handle, entry->cert);
  372.                     if ( cert != NULL ) {
  373.                         if ( cert->isperm ) {
  374.                             tmptrust = *cert->trust;
  375.                             tmptrust.sslFlags &=
  376.                                 (~entry->trustDelta.sslFlags);
  377.                             tmptrust.emailFlags &=
  378.                                 (~entry->trustDelta.emailFlags);
  379.                             tmptrust.objectSigningFlags &=
  380.                                 (~entry->trustDelta.objectSigningFlags);
  381.                             rv = CERT_ChangeCertTrust(handle, cert,
  382. &tmptrust);
  383.                         }
  384.                         CERT_DestroyCertificate(cert);
  385.                     }
  386.                     break;
  387.                   case certUpdateSetTrust:
  388.                     cert = CertFromEntry(handle, entry->cert);
  389.                     if ( cert != NULL ) {
  390.                         if ( cert->isperm ) {
  391.                             tmptrust = *cert->trust;
  392.                             tmptrust.sslFlags = entry->trustDelta.sslFlags;
  393.                             tmptrust.emailFlags =
  394.                                 entry->trustDelta.emailFlags;
  395.                             tmptrust.objectSigningFlags =
  396.                                 entry->trustDelta.objectSigningFlags;
  397.                             rv = CERT_ChangeCertTrust(handle, cert,
  398. &tmptrust);
  399.                         }
  400.                         CERT_DestroyCertificate(cert);
  401.                     }
  402.                     break;
  403.                 }
  404.             }
  406.             entry++;
  407.         }
  409.         CERT_SetDBContentVersion(newversion, handle);
  410.     }
  412. #endif
  413.     return(SECSuccess);
  414. }