Login
Log in using an SSO provider:
Fedora Account System
Red Hat Associate
Red Hat Customer
Login using a Red Hat Bugzilla account
Forgot Password
Create an Account
Red Hat Bugzilla – Attachment 1103739 Details for
Bug 1074208
JSS certificate validation does not pass up exact error from NSS
Home
New
Search
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh90 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
[?]
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
jss-Added-verifyCertificate-method.patch
jss-Added-verifyCertificate-method.patch (text/plain), 14.26 KB, created by
Endi Sukma Dewata
on 2015-12-08 23:02:16 UTC
(
hide
)
Description:
jss-Added-verifyCertificate-method.patch
Filename:
MIME Type:
Creator:
Endi Sukma Dewata
Created:
2015-12-08 23:02:16 UTC
Size:
14.26 KB
patch
obsolete
>From 085c357c0e7043c6168107d30f91748fe1e2f44c Mon Sep 17 00:00:00 2001 >From: "Endi S. Dewata" <edewata@redhat.com> >Date: Wed, 2 Dec 2015 14:16:27 +0100 >Subject: [PATCH] Added verifyCertificate() method. > >The private verifyCertificateNowNative() has been converted into >a public verifyCertificate() method to provide an alternative >for isCertValid(). If there is a certificate validation problem, >the method will throw an exception that includes the NSS error >message and also the exception will provide a stack trace to help >troubleshoot validation issues. > >https://fedorahosted.org/pki/ticket/850 >--- > mozilla/security/jss/lib/jss.def | 2 +- > .../jss/org/mozilla/jss/CryptoManager.java | 46 +++++---- > .../security/jss/org/mozilla/jss/JSSException.java | 49 +++++++++ > mozilla/security/jss/org/mozilla/jss/PK11Finder.c | 109 +++++++++++++-------- > .../jss/org/mozilla/jss/util/jss_exceptions.h | 4 + > 5 files changed, 147 insertions(+), 63 deletions(-) > create mode 100644 mozilla/security/jss/org/mozilla/jss/JSSException.java > >diff --git a/mozilla/security/jss/lib/jss.def b/mozilla/security/jss/lib/jss.def >index 2bfc18df1b6a301328e229a43b2e743f9342e9ca..71d93184fcc6fa0aab23c0c22632d39cb7bff8d1 100644 >--- a/mozilla/security/jss/lib/jss.def >+++ b/mozilla/security/jss/lib/jss.def >@@ -331,7 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags; > Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags; > Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative; > Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative; >-Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; >+Java_org_mozilla_jss_CryptoManager_verifyCertificate; > Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative; > Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid; > Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange; >diff --git a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java >index 1fd749c5ed86d7d7f768970709a27964a4e7bee8..08aad8fe3c3a62ae8e233fc1035723690adf4581 100644 >--- a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java >+++ b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java >@@ -1515,30 +1515,36 @@ public final class CryptoManager implements TokenSupplier > CertificateUsage certificateUsage) > throws ObjectNotFoundException, InvalidNicknameException > { >- if (nickname==null) { >- throw new InvalidNicknameException("Nickname must be non-null"); >- } >- // 0 certificate usage will get current usage >- // should call isCertValid() call above that returns certificate usage >- if ((certificateUsage == null) || >- (certificateUsage == CertificateUsage.CheckAllUsages)){ >- int currCertificateUsage = 0x0000; >- currCertificateUsage = verifyCertificateNowCUNative(nickname, >- checkSig); >+ try { >+ verifyCertificate(nickname, checkSig, certificateUsage); >+ return true; > >- if (currCertificateUsage == CertificateUsage.basicCertificateUsages){ >- // cert is good for nothing >- return false; >- } else >- return true; >- } else { >- return verifyCertificateNowNative(nickname, checkSig, >- certificateUsage.getUsage()); >+ } catch (ObjectNotFoundException | InvalidNicknameException e) { >+ throw e; >+ >+ } catch (JSSException e) { >+ return false; > } > } > >- private native boolean verifyCertificateNowNative(String nickname, >- boolean checkSig, int certificateUsage) throws ObjectNotFoundException; >+ /** >+ * Verify a certificate that exists in the given cert database, >+ * check if it's valid and that we trust the issuer. Verify time >+ * against now. >+ * @param nickname nickname of the certificate to verify. >+ * @param checkSignature verify the signature of the certificate >+ * @param requiredUsage see certificate usage defined to verify certificate >+ * >+ * @exception InvalidNicknameException If the nickname is null. >+ * @exception ObjectNotFoundException If no certificate could be found >+ * with the given nickname. >+ * @exception JSSException If certificate is invalid. >+ */ >+ public native void verifyCertificate( >+ String nickname, >+ boolean checkSignature, >+ CertificateUsage requiredUsage) >+ throws ObjectNotFoundException, InvalidNicknameException, JSSException; > > /** > * note: this method calls obsolete function in NSS >diff --git a/mozilla/security/jss/org/mozilla/jss/JSSException.java b/mozilla/security/jss/org/mozilla/jss/JSSException.java >new file mode 100644 >index 0000000000000000000000000000000000000000..780bc01a94268d8bcb38d0f04afaba8753c85b20 >--- /dev/null >+++ b/mozilla/security/jss/org/mozilla/jss/JSSException.java >@@ -0,0 +1,49 @@ >+/* ***** BEGIN LICENSE BLOCK ***** >+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 >+ * >+ * The contents of this file are subject to the Mozilla Public License Version >+ * 1.1 (the "License"); you may not use this file except in compliance with >+ * the License. You may obtain a copy of the License at >+ * http://www.mozilla.org/MPL/ >+ * >+ * Software distributed under the License is distributed on an "AS IS" basis, >+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License >+ * for the specific language governing rights and limitations under the >+ * License. >+ * >+ * The Original Code is the Netscape Security Services for Java. >+ * >+ * The Initial Developer of the Original Code is >+ * Netscape Communications Corporation. >+ * Portions created by the Initial Developer are Copyright (C) 1998-2000 >+ * the Initial Developer. All Rights Reserved. >+ * >+ * Contributor(s): >+ * >+ * Alternatively, the contents of this file may be used under the terms of >+ * either the GNU General Public License Version 2 or later (the "GPL"), or >+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), >+ * in which case the provisions of the GPL or the LGPL are applicable instead >+ * of those above. If you wish to allow use of your version of this file only >+ * under the terms of either the GPL or the LGPL, and not to allow others to >+ * use your version of this file under the terms of the MPL, indicate your >+ * decision by deleting the provisions above and replace them with the notice >+ * and other provisions required by the GPL or the LGPL. If you do not delete >+ * the provisions above, a recipient may use your version of this file under >+ * the terms of any one of the MPL, the GPL or the LGPL. >+ * >+ * ***** END LICENSE BLOCK ***** */ >+package org.mozilla.jss; >+ >+public class JSSException extends Exception { >+ >+ private static final long serialVersionUID = 1L; >+ >+ public JSSException(String message) { >+ super(message); >+ } >+ >+ public JSSException(String message, Throwable source) { >+ super(message, source); >+ } >+} >diff --git a/mozilla/security/jss/org/mozilla/jss/PK11Finder.c b/mozilla/security/jss/org/mozilla/jss/PK11Finder.c >index 8c7f0b4c05b58527a41cac140dbb5dc30578570f..0020c1468bdd95a7ff90c6d20c01040888ed38f4 100644 >--- a/mozilla/security/jss/org/mozilla/jss/PK11Finder.c >+++ b/mozilla/security/jss/org/mozilla/jss/PK11Finder.c >@@ -1582,7 +1582,7 @@ finish: > /*********************************************************************** > * CryptoManager.verifyCertificateNow > */ >-SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString, >+void verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString, > jboolean checkSig, jint required_certificateUsage, > SECCertificateUsage *currUsage) > { >@@ -1591,9 +1591,15 @@ SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString, > CERTCertificate *cert=NULL; > char *nickname=NULL; > >+ if (nickString == NULL) { >+ JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname"); >+ goto finish; >+ } >+ > nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL); >- if( nickname == NULL ) { >- goto finish; >+ if (nickname == NULL) { >+ JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname"); >+ goto finish; > } > > certificateUsage = required_certificateUsage; >@@ -1601,42 +1607,52 @@ SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString, > cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname); > > if (cert == NULL) { >- JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION); >+ char *msgBuf; >+ msgBuf = PR_smprintf("Certificate not found: %s", nickname); >+ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, msgBuf); >+ PR_Free(msgBuf); > goto finish; >- } else { >+ } >+ > /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will > * retrieve the current valid usage into currUsage > */ >- rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, >- checkSig, certificateUsage, NULL, currUsage ); >- if ((rv == SECSuccess) && certificateUsage == 0x0000) { >- if (*currUsage == >- ( certUsageUserCertImport | >- certUsageVerifyCA | >- certUsageProtectedObjectSigner | >- certUsageAnyCA )) { >+ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, >+ checkSig, certificateUsage, NULL, currUsage ); > >- /* the cert is good for nothing >- The folllowing usages cannot be verified: >- certUsageAnyCA >- certUsageProtectedObjectSigner >- certUsageUserCertImport >- certUsageVerifyCA >- (0x0b80) */ >- rv =SECFailure; >- } >- } >+ if (rv != SECSuccess) { >+ JSS_throwMsgPrErr(env, JSS_EXCEPTION, "Invalid certificate"); >+ goto finish; >+ } >+ >+ if ((rv == SECSuccess) && >+ (certificateUsage == 0x0000) && >+ (*currUsage == >+ ( certUsageUserCertImport | >+ certUsageVerifyCA | >+ certUsageProtectedObjectSigner | >+ certUsageAnyCA ))) { >+ >+ /* The certificate is good for nothing. >+ * The following usages cannot be verified: >+ * certUsageAnyCA >+ * certUsageProtectedObjectSigner >+ * certUsageUserCertImport >+ * certUsageVerifyCA >+ * (0x0b80) >+ */ >+ >+ JSS_throwMsgPrErr(env, JSS_EXCEPTION, "Unusable certificate"); >+ goto finish; > } > > finish: >- if(nickname != NULL) { >+ if (nickname != NULL) { > (*env)->ReleaseStringUTFChars(env, nickString, nickname); > } >- if(cert != NULL) { >+ if (cert != NULL) { > CERT_DestroyCertificate(cert); > } >- >- return rv; > } > > /*********************************************************************** >@@ -1655,34 +1671,43 @@ JNIEXPORT jint JNICALL > Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env, > jobject self, jstring nickString, jboolean checkSig) > { >- SECStatus VARIABLE_MAY_NOT_BE_USED rv = SECFailure; > SECCertificateUsage currUsage = 0x0000; > >- rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage); >- /* rv is ignored */ >+ verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage); > > return currUsage; > } > > /*********************************************************************** >- * CryptoManager.verifyCertificateNowNative >+ * CryptoManager.verifyCertificate > * >- * Returns JNI_TRUE if success, JNI_FALSE otherwise >+ * Verify a certificate that exists in the given cert database, >+ * check if it's valid and that we trust the issuer. Verify time >+ * against now. >+ * @param nickname nickname of the certificate to verify. >+ * @param checkSignature verify the signature of the certificate >+ * @param requiredUsage see certificate usage defined to verify certificate >+ * >+ * @exception InvalidNicknameException If the nickname is null. >+ * @exception ObjectNotFoundException If no certificate could be found >+ * with the given nickname. >+ * @exception JSSException If certificate is invalid. > */ >-JNIEXPORT jboolean JNICALL >-Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env, >- jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage) >+JNIEXPORT void JNICALL >+Java_org_mozilla_jss_CryptoManager_verifyCertificate(JNIEnv *env, >+ jobject self, jstring nickname, jboolean checkSignature, jobject requiredUsage) > { >- SECStatus rv = SECFailure; >+ jclass clazz; >+ jmethodID methodID; >+ jint usage; > SECCertificateUsage currUsage = 0x0000; > >- rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage); >+ /* int usage = requiredUsage.getUsage() */ >+ clazz = (*env)->FindClass(env, "org/mozilla/jss/CryptoManager$CertificateUsage"); >+ methodID = (*env)->GetMethodID(env, clazz, "getUsage", "()I"); >+ usage = (*env)->CallIntMethod(env, requiredUsage, methodID); > >- if( rv == SECSuccess) { >- return JNI_TRUE; >- } else { >- return JNI_FALSE; >- } >+ verifyCertificateNow(env, self, nickname, checkSignature, usage, &currUsage); > } > > /*********************************************************************** >diff --git a/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h b/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h >index 4884928306223ff0699a22e7da33e3d13a904d39..5034bfe353011a0ccfc63a5f308154e91c59755e 100644 >--- a/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h >+++ b/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h >@@ -79,12 +79,16 @@ PR_BEGIN_EXTERN_C > > #define INTERRUPTED_IO_EXCEPTION "java/io/InterruptedIOException" > >+#define INVALID_NICKNAME_EXCEPTION "org/mozilla/jss/util/InvalidNicknameException" >+ > #define INVALID_KEY_FORMAT_EXCEPTION "org/mozilla/jss/crypto/InvalidKeyFormatException" > > #define INVALID_PARAMETER_EXCEPTION "java/security/InvalidParameterException" > > #define IO_EXCEPTION "java/io/IOException" > >+#define JSS_EXCEPTION "org/mozilla/jss/JSSException" >+ > #define KEY_DATABASE_EXCEPTION "org/mozilla/jss/KeyDatabaseException" > > #define KEY_EXISTS_EXCEPTION "org/mozilla/jss/crypto/KeyAlreadyImportedException" >-- >2.4.3 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=1103739">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1074208
:
1103739
|
1103974
|
1104028