security/nss/lib/ssl/authcert.c

   1 /*
   2  * NSS utility functions
   3  *
   4  * ***** BEGIN LICENSE BLOCK *****
   5  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
   6  *
   7  * The contents of this file are subject to the Mozilla Public License Version
   8  * 1.1 (the "License"); you may not use this file except in compliance with
   9  * the License. You may obtain a copy of the License at
  10  * http://www.mozilla.org/MPL/
  11  *
  12  * Software distributed under the License is distributed on an "AS IS" basis,
  13  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  14  * for the specific language governing rights and limitations under the
  15  * License.
  16  *
  17  * The Original Code is the Netscape security libraries.
  18  *
  19  * The Initial Developer of the Original Code is
  20  * Netscape Communications Corporation.
  21  * Portions created by the Initial Developer are Copyright (C) 1994-2000
  22  * the Initial Developer. All Rights Reserved.
  23  *
  24  * Contributor(s):
  25  *
  26  * Alternatively, the contents of this file may be used under the terms of
  27  * either the GNU General Public License Version 2 or later (the "GPL"), or
  28  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  29  * in which case the provisions of the GPL or the LGPL are applicable instead
  30  * of those above. If you wish to allow use of your version of this file only
  31  * under the terms of either the GPL or the LGPL, and not to allow others to
  32  * use your version of this file under the terms of the MPL, indicate your
  33  * decision by deleting the provisions above and replace them with the notice
  34  * and other provisions required by the GPL or the LGPL. If you do not delete
  35  * the provisions above, a recipient may use your version of this file under
  36  * the terms of any one of the MPL, the GPL or the LGPL.
  37  *
  38  * ***** END LICENSE BLOCK ***** */
  39 /* $Id: authcert.c,v 1.5 2004/04/27 23:04:39 gerv%gerv.net Exp $ */
  40
  41 #include <stdio.h>
  42 #include <string.h>
  43 #include "prerror.h"
  44 #include "secitem.h"
  45 #include "prnetdb.h"
  46 #include "cert.h"
  47 #include "nspr.h"
  48 #include "secder.h"
  49 #include "key.h"
  50 #include "nss.h"
  51 #include "ssl.h"
  52 #include "pk11func.h"   /* for PK11_ function calls */
  53
  54 /*
  55  * This callback used by SSL to pull client sertificate upon
  56  * server request
  57  */
  58 SECStatus
  59 NSS_GetClientAuthData(void *                       arg,
  60                       PRFileDesc *                 socket,
  61                       struct CERTDistNamesStr *    caNames,
  62                       struct CERTCertificateStr ** pRetCert,
  63                       struct SECKEYPrivateKeyStr **pRetKey)
  64 {
  65   CERTCertificate *  cert = NULL;
  66   SECKEYPrivateKey * privkey = NULL;
  67   char *             chosenNickName = (char *)arg;    /* CONST */
  68   void *             proto_win  = NULL;
  69   SECStatus          rv         = SECFailure;
  70
  71   proto_win = SSL_RevealPinArg(socket);
  72
  73   if (chosenNickName) {
  74     cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
  75                                     chosenNickName, certUsageSSLClient,
  76                                     PR_FALSE, proto_win);
  77     if ( cert ) {
  78       privkey = PK11_FindKeyByAnyCert(cert, proto_win);
  79       if ( privkey ) {
  80         rv = SECSuccess;
  81       } else {
  82         CERT_DestroyCertificate(cert);
  83       }
  84     }
  85   } else { /* no name given, automatically find the right cert. */
  86     CERTCertNicknames * names;
  87     int                 i;
  88
  89     names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
  90                                   SEC_CERT_NICKNAMES_USER, proto_win);
  91     if (names != NULL) {
  92       for (i = 0; i < names->numnicknames; i++) {
  93         cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
  94                             names->nicknames[i], certUsageSSLClient,
  95                             PR_FALSE, proto_win);
  96         if ( !cert )
  97           continue;
  98         /* Only check unexpired certs */
  99         if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) !=
 100             secCertTimeValid ) {
 101           CERT_DestroyCertificate(cert);
 102           continue;
 103         }
 104         rv = NSS_CmpCertChainWCANames(cert, caNames);
 105         if ( rv == SECSuccess ) {
 106           privkey = PK11_FindKeyByAnyCert(cert, proto_win);
 107           if ( privkey )
 108             break;
 109         }
 110         rv = SECFailure;
 111         CERT_DestroyCertificate(cert);
 112       }
 113       CERT_FreeNicknames(names);
 114     }
 115   }
 116   if (rv == SECSuccess) {
 117     *pRetCert = cert;
 118     *pRetKey  = privkey;
 119   }
 120   return rv;
 121 }
 122