PKIFNSSTrustStore.cpp

00001 
00010 #include "PKIFNSSTrustStore.h"
00011 
00012 #include "PKIFNSSDatabase.h"
00013 #include "ToolkitUtils.h"
00014 #include "components.h"
00015 #include "PKIFCacheErrors.h"
00016 #include "Buffer.h"
00017 #include "Certificate.h"
00018 #include "Name.h"
00019 #include "PKIFTrustRoot.h"
00020 #include "PKIFCacheException.h"
00021 
00022 #include "PKIFNSSConfig.h"
00023 
00024 #include <sstream>
00025 using namespace std;
00026 
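/// Private state of CPKIFNSSTrustStore, kept out of the public header.
struct PKIFNSSTrustStoreImpl
{
    /// Both pointers start out null so that a freshly allocated instance can
    /// never expose an indeterminate handle to the "not initialized" check
    /// that GetTrustRoots performs on m_certDbHandle.
    PKIFNSSTrustStoreImpl() : m_certDbHandle(0), m_db(0) {}

    // NSS certificate database handle; GetTrustRoots treats 0 as "not initialized".
    CERTCertDBHandle * m_certDbHandle;
    // Database wrapper obtained from CPKIFNSSDatabase::GetInstance.
    CPKIFNSSDatabase * m_db;
};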
00034 
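/**
 * Creates a trust store colleague backed by the NSS certificate database.
 *
 * @param dbdir directory of the NSS database to open. When it is empty the
 *              database instance that is already open is used.
 *              NOTE(review): the database is what later supplies trust
 *              anchors, so dbdir should presumably come from trusted
 *              configuration only - confirm against callers.
 *
 * Any exception from CPKIFNSSDatabase::GetInstance is propagated. The
 * existing comment in this file says GetInstance(dbdir) throws when a
 * database has already been opened with a different directory.
 */
CPKIFNSSTrustStore::CPKIFNSSTrustStore(const std::string & dbdir)
:m_impl(new PKIFNSSTrustStoreImpl)
{
    LOG_STRING_DEBUG(__FUNCTION__,TOOLKIT_SR_NSSTRUSTSTORE,0,this);
    m_impl->m_certDbHandle = 0;
    m_impl->m_db = 0;
    try {
        if(dbdir.empty()) {
            // since it doesn't make sense in SR to use NSS without a DB,
            // if no dbdir is specified, we'll use what's open already
            m_impl->m_db = CPKIFNSSDatabase::GetInstance();
        } else {
            // this will throw if the database has already been opened
            // with a different directory, as we can only have one open
            // at a time
            m_impl->m_db = CPKIFNSSDatabase::GetInstance(dbdir);
        }
    } catch(...) {
        // The destructor does not run for an object whose constructor
        // throws, so release the impl here before passing the error on.
        PKIFDelete(m_impl);
        m_impl = 0;
        throw;
    }
}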
/**
 * Releases the private implementation object.
 *
 * Only m_impl itself is deleted here; the NSS database handle and the
 * CPKIFNSSDatabase pointer it holds are not released by this destructor.
 */
CPKIFNSSTrustStore::~CPKIFNSSTrustStore()
{
    LOG_STRING_DEBUG(__FUNCTION__, TOOLKIT_SR_NSSTRUSTSTORE, 0, this);

    PKIFDelete(m_impl);
    // Clear the pointer so no stale address is left in the object.
    m_impl = 0;
}
00076 
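/**
 * Appends to root every certificate in the NSS database whose subject name
 * equals subDN and which NSS marks as a trusted CA.
 *
 * A certificate qualifies when CERTDB_TRUSTED_CA is set for at least one of
 * the e-mail, object-signing or SSL usages. The usages are deliberately not
 * told apart, so a CA trusted for a single usage is returned as a trust
 * anchor to every caller, and missing trust for one usage does not veto
 * trust granted for another. Callers that need per-usage trust must apply
 * that policy themselves.
 *
 * Certificates whose trust record cannot be read, or whose DER encoding
 * cannot be parsed, are logged and skipped; they are never added to root.
 *
 * @param subDN subject name to look up. It is dereferenced without a null
 *              check - NOTE(review): confirm callers never pass an empty
 *              pointer.
 * @param root  list that receives one CPKIFTrustRoot per match; entries
 *              already in the list are left in place.
 * @return true when at least one entry was appended, false otherwise.
 * @throws a cache exception with COMMON_NOT_INITIALIZED (raised through
 *         RAISE_CACHE_EXCEPTION) when no database handle has been stored,
 *         i.e. Initialize() has not been called.
 */
bool CPKIFNSSTrustStore::GetTrustRoots(const CPKIFNamePtr& subDN, IPKIFTrustAnchorList& root)
{
    LOG_STRING_DEBUG(__FUNCTION__,TOOLKIT_SR_NSSTRUSTSTORE,0,this);
    if(0 == m_impl->m_certDbHandle)
    {
        RAISE_CACHE_EXCEPTION("CPKIFNSSTrustStore instance not initialized.", thisComponent, COMMON_NOT_INITIALIZED, this)
    }

    // Owns the NSS result list so that it is destroyed on every exit path,
    // including exceptions thrown by allocation, ToString() or push_back().
    struct CertListGuard
    {
        CERTCertList * m_list;
        explicit CertListGuard(CERTCertList * list) : m_list(list) {}
        ~CertListGuard() { if(m_list) { CERT_DestroyCertList(m_list); } }
    };

    const size_t origSize = root.size();

    // encName must stay alive while nameItem points into its buffer.
    CPKIFBufferPtr encName = subDN->Encoded();
    SECItem nameItem;
    nameItem.type = siBuffer;
    nameItem.data = (unsigned char *)encName->GetBuffer();
    nameItem.len = encName->GetLength();

    // get all certs in the NSS database with the specified subject name.
    // The final PR_FALSE is NSS's validOnly argument, so certificates that
    // are outside their validity period are returned as well.
    CERTCertList *certs = CERT_CreateSubjectCertList(0,m_impl->m_certDbHandle,&nameItem,
        PR_Now(),PR_FALSE);
    if(!certs) {
        return false;
    }
    const CertListGuard certsGuard(certs);

    for(CERTCertListNode *node = CERT_LIST_HEAD(certs);
        !CERT_LIST_END(node,certs);
        node = CERT_LIST_NEXT(node))
    {
        CERTCertificate * foundCert = node->cert;
        CERTCertTrust nssTrust;
        memset(&nssTrust,0x00,sizeof(CERTCertTrust));
        if(SECSuccess != CERT_GetCertTrust(foundCert,&nssTrust)) {
            ostringstream os;
            os << "NSS Trust store colleague: Unable to read NSS trust status for certificate issued to ";
            os << subDN->ToString();
            LOG_STRING_ERROR(os.str().c_str(), thisComponent, CACHE_ENTRY_BAD, this);
            // Fail closed: without a readable trust record the certificate
            // must not be evaluated against the flags below.
            continue;
        }

        // if the cert has been marked trusted, return it.
        // we make no application-based distinction here, so the different classes
        // of trust are irrelevant to us
        const bool trustedCA =
            (nssTrust.emailFlags & CERTDB_TRUSTED_CA) ||
            (nssTrust.objectSigningFlags & CERTDB_TRUSTED_CA) ||
            (nssTrust.sslFlags & CERTDB_TRUSTED_CA);
        if(!trustedCA) {
            continue;
        }

        CPKIFCertificatePtr tmpCert(new CPKIFCertificate());
        try {
            tmpCert->Decode(foundCert->derCert.data, foundCert->derCert.len);
        }catch(CPKIFException &){
            std::ostringstream os;
            os << "Failed to parse certificate from NSS store searching for certificates issued to: " << subDN->ToString();
            LOG_STRING_ERROR(os.str().c_str(), thisComponent, CACHE_PARSE_ERROR, this);
            // Skip the entry: an undecoded certificate object must not be
            // handed out as a trust anchor.
            continue;
        }

        CPKIFTrustRootPtr tmpRoot(new CPKIFTrustRoot());
        tmpRoot->SetCert(tmpCert);
        root.push_back(tmpRoot);
    }

    // return true if we've added to the list
    return (origSize != root.size());
}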
/**
 * Stores NSS's default certificate database handle for later lookups.
 *
 * GetTrustRoots raises a "not initialized" cache exception while the stored
 * handle is 0, so this must run before any lookup. The value returned by
 * CERT_GetDefaultCertDB() is stored as-is and is not checked here.
 */
void CPKIFNSSTrustStore::Initialize()
{
    LOG_STRING_DEBUG(__FUNCTION__, TOOLKIT_SR_NSSTRUSTSTORE, 0, this);

    CERTCertDBHandle * const defaultDb = CERT_GetDefaultCertDB();
    m_impl->m_certDbHandle = defaultDb;
}
