diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def --- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-10-20 09:53:10.288935000 -0700 +++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-10-29 10:29:48.664212000 -0700 @@ -331,6 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags; Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative; Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative; +Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; ;+ local: ;+ *; ;+}; diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java --- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-10-28 16:44:46.366082000 -0700 +++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-10-31 17:30:25.502670000 -0700 @@ -61,6 +61,7 @@ import org.mozilla.jss.provider.java.sec public final class CryptoManager implements TokenSupplier { /** + * note: this is obsolete in NSS * CertUsage options for validation */ public final static class CertUsage { @@ -86,8 +87,6 @@ public final class CryptoManager impleme return name; } - - // certUsage, these must be kept in sync with nss/lib/certdb/certt.h public static final CertUsage SSLClient = new CertUsage(0, "SSLClient"); public static final CertUsage SSLServer = new CertUsage(1, "SSLServer"); @@ -103,6 +102,63 @@ public final class CryptoManager impleme public static final CertUsage AnyCA = new CertUsage(11, "AnyCA"); } + /** + * CertificateUsage options for validation + */ + public final static class CertificateUsage { + private int usage; + private String name; + + // certificateUsage, these must be kept in sync with nss/lib/certdb/certt.h + private static final int certificateUsageCheckAllUsages = 0x0000; + private static final int certificateUsageSSLClient = 0x0001; + private static final int certificateUsageSSLServer = 0x0002; + private static final int certificateUsageSSLServerWithStepUp = 0x0004; + private static final int certificateUsageSSLCA = 0x0008; + private static final int certificateUsageEmailSigner = 0x0010; + private static final int certificateUsageEmailRecipient = 0x0020; + private static final int certificateUsageObjectSigner = 0x0040; + private static final int certificateUsageUserCertImport = 0x0080; + private static final int certificateUsageVerifyCA = 0x0100; + private static final int certificateUsageProtectedObjectSigner = 0x0200; + private static final int certificateUsageStatusResponder = 0x0400; + private static final int certificateUsageAnyCA = 0x0800; + + static private ArrayList list = new ArrayList(); + private CertificateUsage() {}; + private CertificateUsage(int usage, String name) { + this.usage = usage; + this.name = name; + this.list.add(this); + + } + public int getUsage() { + return usage; + } + + static public Iterator getCertificateUsages() { + return list.iterator(); + + } + public String toString() { + return name; + } + + public static final CertificateUsage CheckAllUsages = new CertificateUsage(certificateUsageCheckAllUsages, "CheckAllUsages"); + public static final CertificateUsage SSLClient = new CertificateUsage(certificateUsageSSLClient, "SSLClient"); + public static final CertificateUsage SSLServer = new CertificateUsage(certificateUsageSSLServer, "SSLServer"); + public static final CertificateUsage SSLServerWithStepUp = new CertificateUsage(certificateUsageSSLServerWithStepUp, "SSLServerWithStepUp"); + public static final CertificateUsage SSLCA = new CertificateUsage(certificateUsageSSLCA, "SSLCA"); + public static final CertificateUsage EmailSigner = new CertificateUsage(certificateUsageEmailSigner, "EmailSigner"); + public static final CertificateUsage EmailRecipient = new CertificateUsage(certificateUsageEmailRecipient, "EmailRecipient"); + public static final CertificateUsage ObjectSigner = new CertificateUsage(certificateUsageObjectSigner, "ObjectSigner"); + public static final CertificateUsage UserCertImport = new CertificateUsage(certificateUsageUserCertImport, "UserCertImport"); + public static final CertificateUsage VerifyCA = new CertificateUsage(certificateUsageVerifyCA, "VerifyCA"); + public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner"); + public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder"); + public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA"); + } + public final static class NotInitializedException extends Exception {} public final static class NicknameConflictException extends Exception {} public final static class UserCertConflictException extends Exception {} @@ -1386,6 +1442,7 @@ public final class CryptoManager impleme } return tok; } + ///////////////////////////////////////////////////////////// // isCertValid ///////////////////////////////////////////////////////////// @@ -1395,6 +1452,39 @@ public final class CryptoManager impleme * against Now. * @param nickname The nickname of the certificate to verify. * @param checkSig verify the signature of the certificate + * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check + * @return true for success; false otherwise + * + * @exception InvalidNicknameException If the nickname is null + * @exception ObjectNotFoundException If no certificate could be found + * with the given nickname. + */ + + public boolean isCertValid(String nickname, boolean checkSig, + CertificateUsage certificateUsage) + throws ObjectNotFoundException, InvalidNicknameException + { + if (nickname==null) { + throw new InvalidNicknameException("Nickname must be non-null"); + } + // 0 certificate usage was supposed to get current usage, however, + // it is not exposed at this point + return verifyCertificateNowNative(nickname, + checkSig, + (certificateUsage == null) ? 0:certificateUsage.getUsage()); + } + + private native boolean verifyCertificateNowNative(String nickname, + boolean checkSig, int certificateUsage) throws ObjectNotFoundException; + + /** + * note: this method calls obsolete function in NSS + * + * Verify a certificate that exists in the given cert database, + * check if is valid and that we trust the issuer. Verify time + * against Now. + * @param nickname The nickname of the certificate to verify. + * @param checkSig verify the signature of the certificate * @param certUsage see exposed certUsage defines to verify Certificate * @return true for success; false otherwise * @@ -1413,6 +1503,9 @@ public final class CryptoManager impleme return verifyCertNowNative(nickname, checkSig, certUsage.getUsage()); } + /* + * Obsolete in NSS + */ private native boolean verifyCertNowNative(String nickname, boolean checkSig, int cUsage) throws ObjectNotFoundException; diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c --- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-10-28 16:45:46.501899000 -0700 +++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-10-31 17:25:53.575482000 -0700 @@ -1575,11 +1575,62 @@ finish: } /*********************************************************************** - * CryptoManager.verifyCertNowNative + * CryptoManager.verifyCertificateNowNative * * Returns JNI_TRUE if success, JNI_FALSE otherwise */ JNIEXPORT jboolean JNICALL +Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env, + jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage) +{ + SECStatus rv = SECFailure; + SECCertificateUsage certificateUsage; + SECCertificateUsage currUsage; /* unexposed for now */ + CERTCertificate *cert=NULL; + char *nickname=NULL; + + nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL); + if( nickname == NULL ) { + goto finish; + } + + certificateUsage = required_certificateUsage; + + cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname); + + if (cert == NULL) { + JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION); + goto finish; + } else { + /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to + * just get the current usage (which we are not passing back for now + * but will bypass the certificate usage check + */ + rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, + checkSig, certificateUsage, NULL, &currUsage ); + } + +finish: + if(nickname != NULL) { + (*env)->ReleaseStringUTFChars(env, nickString, nickname); + } + if(cert != NULL) { + CERT_DestroyCertificate(cert); + } + if( rv == SECSuccess) { + return JNI_TRUE; + } else { + return JNI_FALSE; + } +} + + +/*********************************************************************** + * CryptoManager.verifyCertNowNative + * note: this calls obsolete NSS function + * Returns JNI_TRUE if success, JNI_FALSE otherwise + */ +JNIEXPORT jboolean JNICALL Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env, jobject self, jstring nickString, jboolean checkSig, jint cUsage) {