本文整理汇总了C++中CERT_GetDefaultCertDB函数的典型用法代码示例。如果您正苦于以下问题:C++ CERT_GetDefaultCertDB函数的具体用法?C++ CERT_GetDefaultCertDB怎么用?C++ CERT_GetDefaultCertDB使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了CERT_GetDefaultCertDB函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: GetCertUsageStrings
void GetCertUsageStrings(CERTCertificate* cert, std::vector<std::string>* out) {
SECCertificateUsage usages = 0;
// TODO(wtc): See if we should use X509Certificate::Verify instead.
if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, PR_TRUE,
certificateUsageCheckAllUsages,
NULL, &usages) == SECSuccess) {
static const struct {
SECCertificateUsage usage;
int string_id;
} usage_string_map[] = {
{certificateUsageSSLClient, IDS_CERT_USAGE_SSL_CLIENT},
{certificateUsageSSLServer, IDS_CERT_USAGE_SSL_SERVER},
{certificateUsageSSLServerWithStepUp,
IDS_CERT_USAGE_SSL_SERVER_WITH_STEPUP},
{certificateUsageEmailSigner, IDS_CERT_USAGE_EMAIL_SIGNER},
{certificateUsageEmailRecipient, IDS_CERT_USAGE_EMAIL_RECEIVER},
{certificateUsageObjectSigner, IDS_CERT_USAGE_OBJECT_SIGNER},
{certificateUsageSSLCA, IDS_CERT_USAGE_SSL_CA},
{certificateUsageStatusResponder, IDS_CERT_USAGE_STATUS_RESPONDER},
};
for (size_t i = 0; i < arraysize(usage_string_map); ++i) {
if (usages & usage_string_map[i].usage)
out->push_back(l10n_util::GetStringUTF8(
usage_string_map[i].string_id));
}
}
}示例2: ssl_connected
static gboolean ssl_connected(gpointer data, gint source,
b_input_condition cond)
{
struct scd *conn = data;
/* Right now we don't have any verification functionality for NSS. */
if (conn->verify) {
conn->func(conn->data, 1, NULL, cond);
if (source >= 0) {
closesocket(source);
}
g_free(conn->hostname);
g_free(conn);
return FALSE;
}
if (source == -1) {
goto ssl_connected_failure;
}
/* Until we find out how to handle non-blocking I/O with NSS... */
sock_make_blocking(conn->fd);
conn->prfd = SSL_ImportFD(NULL, PR_ImportTCPSocket(source));
if (!conn->prfd) {
goto ssl_connected_failure;
}
SSL_OptionSet(conn->prfd, SSL_SECURITY, PR_TRUE);
SSL_OptionSet(conn->prfd, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
SSL_BadCertHook(conn->prfd, (SSLBadCertHandler) nss_bad_cert, NULL);
SSL_AuthCertificateHook(conn->prfd, (SSLAuthCertificate) nss_auth_cert,
(void *) CERT_GetDefaultCertDB());
SSL_SetURL(conn->prfd, conn->hostname);
SSL_ResetHandshake(conn->prfd, PR_FALSE);
if (SSL_ForceHandshake(conn->prfd)) {
goto ssl_connected_failure;
}
conn->established = TRUE;
conn->func(conn->data, 0, conn, cond);
return FALSE;
ssl_connected_failure:
conn->func(conn->data, 0, NULL, cond);
if (conn->prfd) {
PR_Close(conn->prfd);
} else if (source >= 0) {
/* proxy_disconnect() would be redundant here */
closesocket(source);
}
g_free(conn->hostname);
g_free(conn);
return FALSE;
}示例3: do_CreateInstance
/**
* getCRLs
*
* Export a set of certs and keys from the database to a PKCS#12 file.
*/
NS_IMETHODIMP
nsCRLManager::GetCrls(nsIArray ** aCrls)
{
nsNSSShutDownPreventionLock locker;
SECStatus sec_rv;
CERTCrlHeadNode *head = nullptr;
CERTCrlNode *node = nullptr;
nsresult rv;
nsCOMPtr<nsIMutableArray> crlsArray =
do_CreateInstance(NS_ARRAY_CONTRACTID, &rv);
if (NS_FAILED(rv)) {
return rv;
}
// Get the list of certs //
sec_rv = SEC_LookupCrls(CERT_GetDefaultCertDB(), &head, -1);
if (sec_rv != SECSuccess) {
return NS_ERROR_FAILURE;
}
if (head) {
for (node=head->first; node; node = node->next) {
nsCOMPtr<nsICRLInfo> entry = new nsCRLInfo((node->crl));
crlsArray->AppendElement(entry, false);
}
PORT_FreeArena(head->arena, false);
}
*aCrls = crlsArray;
NS_IF_ADDREF(*aCrls);
return NS_OK;
}示例4: NSS_LoadPublicKey
/**
* Loads the public key for the specified cert name from the NSS store.
*
* @param certData The DER-encoded X509 certificate to extract the key from.
* @param certDataSize The size of certData.
* @param publicKey Out parameter for the public key to use.
* @return CryptoX_Success on success, CryptoX_Error on error.
*/
CryptoX_Result
NSS_LoadPublicKey(const unsigned char *certData, unsigned int certDataSize,
SECKEYPublicKey **publicKey)
{
CERTCertificate * cert;
SECItem certDataItem = { siBuffer, (unsigned char*) certData, certDataSize };
if (!certData || !publicKey) {
return CryptoX_Error;
}
cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &certDataItem, NULL,
PR_FALSE, PR_TRUE);
/* Get the cert and embedded public key out of the database */
if (!cert) {
return CryptoX_Error;
}
*publicKey = CERT_ExtractPublicKey(cert);
CERT_DestroyCertificate(cert);
if (!*publicKey) {
return CryptoX_Error;
}
return CryptoX_Success;
}示例5: do_QueryInterface
/*
* void deleteCertificate(in nsIX509Cert aCert);
*/
NS_IMETHODIMP
nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
{
nsNSSShutDownPreventionLock locker;
nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
CERTCertificate *cert = nssCert->GetCert();
if (!cert) return NS_ERROR_FAILURE;
CERTCertificateCleaner certCleaner(cert);
SECStatus srv = SECSuccess;
PRUint32 certType;
nssCert->GetCertType(&certType);
if (NS_FAILED(nssCert->MarkForPermDeletion()))
{
return NS_ERROR_FAILURE;
}
if (cert->slot && certType != nsIX509Cert::USER_CERT) {
// To delete a cert of a slot (builtin, most likely), mark it as
// completely untrusted. This way we keep a copy cached in the
// local database, and next time we try to load it off of the
// external token/slot, we'll know not to trust it. We don't
// want to do that with user certs, because a user may re-store
// the cert onto the card again at which point we *will* want to
// trust that cert if it chains up properly.
nsNSSCertTrust trust(0, 0, 0);
srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(),
cert, trust.GetTrust());
}
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("cert deleted: %d", srv));
return (srv) ? NS_ERROR_FAILURE : NS_OK;
}示例6: trustNewServer
/* Add the server's certificate to our database of trusted servers. */
static SECStatus
trustNewServer (CERTCertificate *serverCert)
{
SECStatus secStatus;
CERTCertTrust *trust = NULL;
PK11SlotInfo *slot;
/* Import the certificate. */
slot = PK11_GetInternalKeySlot();;
secStatus = PK11_ImportCert(slot, serverCert, CK_INVALID_HANDLE, "stap-server", PR_FALSE);
if (secStatus != SECSuccess)
goto done;
/* Make it a trusted peer. */
trust = (CERTCertTrust *)PORT_ZAlloc(sizeof(CERTCertTrust));
if (! trust)
{
secStatus = SECFailure;
goto done;
}
secStatus = CERT_DecodeTrustString(trust, "P,P,P");
if (secStatus != SECSuccess)
goto done;
secStatus = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), serverCert, trust);
if (secStatus != SECSuccess)
goto done;
done:
if (trust)
PORT_Free(trust);
return secStatus;
}示例7: find_certificate
int
find_certificate(cms_context *ctx)
{
if (!ctx->certname || !*ctx->certname)
return -1;
typedef struct {
enum {
PW_NONE = 0,
PW_FROMFILE = 1,
PW_PLAINTEXT = 2,
PW_EXTERNAL = 3
} source;
char *data;
} secuPWData;
secuPWData pwdata = { 0, 0 };
CERTCertificate *cert = NULL;
cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), ctx->certname,
certUsageObjectSigner, PR_FALSE, &pwdata);
if (cert == NULL) {
fprintf(stderr, "Could not find certificate\n");
exit(1);
}
ctx->cert = cert;
return 0;
}示例8: nss_cache_crl
/* add given CRL to cache if it is not already there */
static SECStatus nss_cache_crl(SECItem *crlDER)
{
CERTCertDBHandle *db = CERT_GetDefaultCertDB();
CERTSignedCrl *crl = SEC_FindCrlByDERCert(db, crlDER, 0);
if(crl) {
/* CRL already cached */
SEC_DestroyCrl(crl);
SECITEM_FreeItem(crlDER, PR_FALSE);
return SECSuccess;
}
/* acquire lock before call of CERT_CacheCRL() */
PR_Lock(nss_crllock);
if(SECSuccess != CERT_CacheCRL(db, crlDER)) {
/* unable to cache CRL */
PR_Unlock(nss_crllock);
SECITEM_FreeItem(crlDER, PR_FALSE);
return SECFailure;
}
/* we need to clear session cache, so that the CRL could take effect */
SSL_ClearSessionCache();
PR_Unlock(nss_crllock);
return SECSuccess;
}示例9: crypto_init
int crypto_init(cert_policy *policy) {
SECStatus rv;
DBG("Initializing NSS ...");
if (NSS_IsInitialized()) {
app_has_NSS = 1;
/* we should save the app's password function */
PK11_SetPasswordFunc(password_passthrough);
DBG("... NSS is initialized");
return 0;
}
if (policy->nss_dir) {
/* initialize with read only databases */
DBG1("Initializing NSS ... database=%s", policy->nss_dir);
rv = NSS_Init(policy->nss_dir);
} else {
/* not database secified */
DBG("Initializing NSS ... with no db");
rv = NSS_NoDB_Init(NULL);
}
if (rv != SECSuccess) {
DBG1("NSS_Initialize failed: %s", SECU_Strerror(PR_GetError()));
return -1;
}
/* register a callback */
PK11_SetPasswordFunc(password_passthrough);
if (policy->ocsp_policy == OCSP_ON) {
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
}
DBG("... NSS Complete");
return 0;
}示例10: CERT_GetDefaultCertDB
nsUsageArrayHelper::nsUsageArrayHelper(CERTCertificate *aCert)
:mCert(aCert)
{
nsNSSShutDownPreventionLock locker;
defaultcertdb = CERT_GetDefaultCertDB();
nssComponent = do_GetService(kNSSComponentCID, &m_rv);
}示例11: MOZ_ASSERT
SECStatus
AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
const CertPolicyId& policy,
const SECItem& candidateCertDER,
/*out*/ TrustLevel* trustLevel)
{
MOZ_ASSERT(policy.IsAnyPolicy());
MOZ_ASSERT(trustLevel);
MOZ_ASSERT(mTrustedRoot);
if (!trustLevel || !policy.IsAnyPolicy()) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
}
if (!mTrustedRoot) {
PR_SetError(PR_INVALID_STATE_ERROR, 0);
return SECFailure;
}
// Handle active distrust of the certificate.
// XXX: This would be cleaner and more efficient if we could get the trust
// information without constructing a CERTCertificate here, but NSS doesn't
// expose it in any other easy-to-use fashion.
ScopedCERTCertificate candidateCert(
CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
const_cast<SECItem*>(&candidateCertDER), nullptr,
false, true));
if (!candidateCert) {
return SECFailure;
}
CERTCertTrust trust;
if (CERT_GetCertTrust(candidateCert.get(), &trust) == SECSuccess) {
PRUint32 flags = SEC_GET_TRUST_FLAGS(&trust, trustObjectSigning);
// For DISTRUST, we use the CERTDB_TRUSTED or CERTDB_TRUSTED_CA bit,
// because we can have active distrust for either type of cert. Note that
// CERTDB_TERMINAL_RECORD means "stop trying to inherit trust" so if the
// relevant trust bit isn't set then that means the cert must be considered
// distrusted.
PRUint32 relevantTrustBit = endEntityOrCA == EndEntityOrCA::MustBeCA
? CERTDB_TRUSTED_CA
: CERTDB_TRUSTED;
if (((flags & (relevantTrustBit | CERTDB_TERMINAL_RECORD)))
== CERTDB_TERMINAL_RECORD) {
*trustLevel = TrustLevel::ActivelyDistrusted;
return SECSuccess;
}
}
// mTrustedRoot is the only trust anchor for this validation.
if (CERT_CompareCerts(mTrustedRoot.get(), candidateCert.get())) {
*trustLevel = TrustLevel::TrustAnchor;
return SECSuccess;
}
*trustLevel = TrustLevel::InheritsTrust;
return SECSuccess;
}示例12: CheckNameConstraints
// TODO: Remove #include "pkix/pkixnss.h", #include "cert.h",
// #include "ScopedPtr.h", etc. when this is rewritten to be independent of
// NSS.
Result
CheckNameConstraints(Input encodedNameConstraints,
const BackCert& firstChild,
KeyPurposeId requiredEKUIfPresent)
{
ScopedPtr<PLArenaPool, PORT_FreeArena_false>
arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
if (!arena) {
return Result::FATAL_ERROR_NO_MEMORY;
}
SECItem encodedNameConstraintsSECItem =
UnsafeMapInputToSECItem(encodedNameConstraints);
// Owned by arena
const CERTNameConstraints* constraints =
CERT_DecodeNameConstraintsExtension(arena.get(),
&encodedNameConstraintsSECItem);
if (!constraints) {
return MapPRErrorCodeToResult(PR_GetError());
}
for (const BackCert* child = &firstChild; child; child = child->childCert) {
SECItem childCertDER = UnsafeMapInputToSECItem(child->GetDER());
ScopedPtr<CERTCertificate, CERT_DestroyCertificate>
nssCert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &childCertDER,
nullptr, false, true));
if (!nssCert) {
return MapPRErrorCodeToResult(PR_GetError());
}
bool includeCN = child->endEntityOrCA == EndEntityOrCA::MustBeEndEntity &&
requiredEKUIfPresent == KeyPurposeId::id_kp_serverAuth;
// owned by arena
const CERTGeneralName*
names(CERT_GetConstrainedCertificateNames(nssCert.get(), arena.get(),
includeCN));
if (!names) {
return MapPRErrorCodeToResult(PR_GetError());
}
CERTGeneralName* currentName = const_cast<CERTGeneralName*>(names);
do {
if (CERT_CheckNameSpace(arena.get(), constraints, currentName)
!= SECSuccess) {
// XXX: It seems like CERT_CheckNameSpace doesn't always call
// PR_SetError when it fails, so we ignore what PR_GetError would
// return. NSS's cert_VerifyCertChainOld does something similar.
return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
}
currentName = CERT_GetNextGeneralName(currentName);
} while (currentName != names);
}
return Success;
}示例13: NS_ENSURE_ARG_POINTER
NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const char *aTrust, const char *aName)
{
NS_ENSURE_ARG_POINTER(aBase64);
nsCOMPtr <nsIX509Cert> newCert;
nsNSSCertTrust trust;
// need to calculate the trust bits from the aTrust string.
nsresult rv = CERT_DecodeTrustString(trust.GetTrust(), /* this is const, but not declared that way */(char *) aTrust);
NS_ENSURE_SUCCESS(rv, rv); // if bad trust passed in, return error.
rv = ConstructX509FromBase64(aBase64, getter_AddRefs(newCert));
NS_ENSURE_SUCCESS(rv, rv);
SECItem der;
rv = newCert->GetRawDER(&der.len, (PRUint8 **)&der.data);
NS_ENSURE_SUCCESS(rv, rv);
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
CERTCertificate *tmpCert;
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
tmpCert = CERT_FindCertByDERCert(certdb, &der);
if (!tmpCert)
tmpCert = CERT_NewTempCertificate(certdb, &der,
nsnull, PR_FALSE, PR_TRUE);
nsMemory::Free(der.data);
der.data = nsnull;
der.len = 0;
if (!tmpCert) {
NS_ASSERTION(0,"Couldn't create cert from DER blob\n");
return NS_ERROR_FAILURE;
}
if (tmpCert->isperm) {
CERT_DestroyCertificate(tmpCert);
return NS_OK;
}
CERTCertificateCleaner tmpCertCleaner(tmpCert);
nsXPIDLCString nickname;
nickname.Adopt(CERT_MakeCANickname(tmpCert));
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Created nick \"%s\"\n", nickname.get()));
SECStatus srv = CERT_AddTempCertToPerm(tmpCert,
const_cast<char*>(nickname.get()),
trust.GetTrust());
return (srv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;
}示例14: nss_auth_cert_hook
/* bypass the default SSL_AuthCertificate() hook in case we do not want to
* verify peer */
static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig,
PRBool isServer)
{
struct connectdata *conn = (struct connectdata *)arg;
if(!conn->data->set.ssl.verifypeer) {
infof(conn->data, "skipping SSL peer certificate verification\n");
return SECSuccess;
}
return SSL_AuthCertificate(CERT_GetDefaultCertDB(), fd, checksig, isServer);
}示例15: CERT_CreateSubjectCertList
SECStatus
NSSCertDBTrustDomain::FindPotentialIssuers(
const SECItem* encodedIssuerName, PRTime time,
/*out*/ mozilla::pkix::ScopedCERTCertList& results)
{
// TODO: normalize encodedIssuerName
// TODO: NSS seems to be ambiguous between "no potential issuers found" and
// "there was an error trying to retrieve the potential issuers."
results = CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
encodedIssuerName, time, true);
return SECSuccess;
}