390888 - CERT_Verify* functions should be able to use libPKIX. r=nelson

security/nss/cmd/platlibs.mk

@@ -183,6 +183,8 @@ EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \
 	$(PKIXLIB) \
+	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
 	$(NULL)
 

security/nss/lib/certdb/certi.h

@@ -276,5 +276,34 @@ SECStatus DPCache_GetCRLEntry(CRLDPCache* cache, PRBool readlocked,
  */
 void CERT_MapStanError();
 
+/* Programatical interface to switch to and from libpkix cert
+ * validation engine. */
+SECStatus cert_SetPKIXValidation(PRBool enable);
+
+/* The function return PR_TRUE if cert validation should go
+ * through libpkix cert validation engine. */
+PRBool cert_UsePKIXValidation();
+
+/* Interface function for libpkix cert validation engine:
+ * cert_verify wrapper. */
+SECStatus
+cert_VerifyCertPkix(CERTCertificate *cert,
+                    PRBool checkSig,
+                    SECCertUsage     requiredUsage,
+                    PRUint64         time,
+                    PRBool           asCA,
+                    void            *wincx,
+                    CERTVerifyLog   *log);
+
+/* Interface function for libpkix cert validation engine:
+ * cert_verify wrapper. */
+SECStatus
+cert_VerifyCertificatePkix(CERTCertificate *cert,
+                           PRBool checkSig,
+                           SECCertificateUsage requiredUsage,
+                           PRUint64 time,
+                           void *wincx,
+                           CERTVerifyLog *log,
+                           SECCertificateUsage *returnedUsages);
 #endif /* _CERTI_H_ */
 

security/nss/lib/certdb/certt.h

@@ -578,13 +578,15 @@ struct CERTIssuerAndSNStr {
 #define KU_KEY_AGREEMENT		(0x08)  /* bit 4 */
 #define KU_KEY_CERT_SIGN		(0x04)  /* bit 5 */
 #define KU_CRL_SIGN			(0x02)  /* bit 6 */
+#define KU_ENCIPHER_ONLY		(0x01)  /* bit 7 */
 #define KU_ALL				(KU_DIGITAL_SIGNATURE | \
 					 KU_NON_REPUDIATION | \
 					 KU_KEY_ENCIPHERMENT | \
 					 KU_DATA_ENCIPHERMENT | \
 					 KU_KEY_AGREEMENT | \
 					 KU_KEY_CERT_SIGN | \
-					 KU_CRL_SIGN)
+					 KU_CRL_SIGN | \
+					 KU_ENCIPHER_ONLY)
 
 /* This value will not occur in certs.  It is used internally for the case
  * when the key type is not know ahead of time and either key agreement or

security/nss/lib/certhigh/certvfy.c

@@ -43,6 +43,7 @@
 #include "keyhi.h"
 #include "cert.h"
 #include "certdb.h"
+#include "certi.h"
 #include "cryptohi.h"
 
 #ifndef NSS_3_4_CODE
@@ -411,8 +412,8 @@ CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
 
 
 
-static void
-AddToVerifyLog(CERTVerifyLog *log, CERTCertificate *cert, unsigned long error,
+void
+cert_AddToVerifyLog(CERTVerifyLog *log, CERTCertificate *cert, unsigned long error,
 	       unsigned int depth, void *arg)
 {
     CERTVerifyLogNode *node, *tnode;
@@ -473,14 +474,14 @@ AddToVerifyLog(CERTVerifyLog *log, CERTCertificate *cert, unsigned long error,
 
 #define LOG_ERROR_OR_EXIT(log,cert,depth,arg) \
     if ( log != NULL ) { \
-	AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
+	cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
     } else { \
 	goto loser; \
     }
 
 #define LOG_ERROR(log,cert,depth,arg) \
     if ( log != NULL ) { \
-	AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
+	cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
     }
 
 
@@ -940,12 +941,8 @@ CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
 			 wincx, log, NULL);
 }
 
-/*
- * verify that a CA can sign a certificate with the requested usage.
- * XXX This function completely ignores cert path length constraints!
- */
 SECStatus
-CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
+cert_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
 		PRBool checkSig, SECCertUsage certUsage, int64 t,
 		void *wincx, CERTVerifyLog *log)
 {
@@ -1117,6 +1114,23 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
     return rv;
 }
 
+/*
+ * verify that a CA can sign a certificate with the requested usage.
+ * XXX This function completely ignores cert path length constraints!
+ */
+SECStatus
+CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
+		PRBool checkSig, SECCertUsage certUsage, int64 t,
+		void *wincx, CERTVerifyLog *log)
+{
+    if (cert_UsePKIXValidation()) {
+        return cert_VerifyCertPkix(cert, checkSig, certUsage,
+                                   t, PR_TRUE, wincx, log);
+    }
+    return cert_VerifyCACertForUsage(handle, cert, checkSig, certUsage, t,
+                                     wincx, log);
+}
+
 #define NEXT_USAGE() { \
     i*=2; \
     certUsage++; \
@@ -1137,20 +1151,8 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
     NEXT_USAGE(); \
 }
 
-/*
- * verify a certificate by checking if it's valid and that we
- * trust the issuer.
- *
- * certificateUsage contains a bitfield of all cert usages that are
- * required for verification to succeed
- *
- * a bitfield of cert usages is returned in *returnedUsages
- * if requiredUsages is non-zero, the returned bitmap is only
- * for those required usages, otherwise it is for all usages
- *
- */
 SECStatus
-CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
+cert_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
 		PRBool checkSig, SECCertificateUsage requiredUsages, int64 t,
 		void *wincx, CERTVerifyLog *log, SECCertificateUsage* returnedUsages)
 {
@@ -1383,10 +1385,41 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
 loser:
     return(valid);
 }
-
-/* obsolete, do not use for new code */
+
+/*
+ * verify a certificate by checking if it's valid and that we
+ * trust the issuer.
+ *
+ * certificateUsage contains a bitfield of all cert usages that are
+ * required for verification to succeed
+ *
+ * a bitfield of cert usages is returned in *returnedUsages
+ * if requiredUsages is non-zero, the returned bitmap is only
+ * for those required usages, otherwise it is for all usages
+ *
+ */
 SECStatus
-CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
+CERT_VerifyCertificate(CERTCertDBHandle *handle,
+                       CERTCertificate *cert,
+                       PRBool checkSig,
+                       SECCertificateUsage requiredUsages,
+                       int64 t,
+                       void *wincx,
+                       CERTVerifyLog *log,
+                       SECCertificateUsage* returnedUsages)
+{
+    if (cert_UsePKIXValidation()) {
+        return cert_VerifyCertificatePkix(cert, checkSig,
+                                          requiredUsages, t,
+                                          wincx, log, returnedUsages);
+    }
+    return cert_VerifyCertificate(handle, cert, checkSig,
+                                  requiredUsages, t,
+                                  wincx, log, returnedUsages);
+}
+
+static SECStatus
+cert_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
 		PRBool checkSig, SECCertUsage certUsage, int64 t,
 		void *wincx, CERTVerifyLog *log)
 {
@@ -1569,6 +1602,19 @@ CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
     return(rv);
 }
 
+SECStatus
+CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
+		PRBool checkSig, SECCertUsage certUsage, int64 t,
+		void *wincx, CERTVerifyLog *log)
+{
+    if (cert_UsePKIXValidation()) {
+        return cert_VerifyCertPkix(cert, checkSig, certUsage,
+                                   t, PR_FALSE, wincx, log);
+    } 
+    return cert_VerifyCert(handle, cert, checkSig,
+                           certUsage, t, wincx, log);
+}
+
 /*
  * verify a certificate by checking if its valid and that we
  * trust the issuer.  Verify time against now.