authorKai Engert <kaie@kuix.de>2017-02-09 20:10:55 +0100
committerKai Engert <kaie@kuix.de>2017-02-09 20:10:55 +0100
commitfcb7d51f217c2a57e83c911066e9fe4d173e3ba7 (patch)
tree4c43e8270b614cb33ad947d042007d2795afadf1 /cmd/lib
parentbef9fd9bf3f8a3bf232a54ab7f89e195a67ba2a4 (diff)
Bug 1334976, use a new attribute in the builtins root CA list, to distinguish between Mozilla policy CAs and other CAs, code changes, r=rrelyea
Diffstat (limited to 'cmd/lib')
-rw-r--r--cmd/lib/secutil.c32
1 files changed, 31 insertions, 1 deletions
diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
index c5ed068a7..33603bbae 100644
--- a/cmd/lib/secutil.c
+++ b/cmd/lib/secutil.c
@@ -32,7 +32,7 @@
#include "certt.h"
#include "certdb.h"
-/* #include "secmod.h" */
+#include "secmod.h"
#include "pk11func.h"
#include "secoid.h"
@@ -3229,6 +3229,8 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
SECStatus rv;
SECItem data;
CERTCertTrust certTrust;
+ PK11SlotList *slotList;
+ const char *moz_policy_ca_info = NULL;
data.data = cert->derCert.data;
data.len = cert->derCert.len;
@@ -3238,6 +3240,34 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
if (rv) {
return (SECFailure);
}
+
+ slotList = PK11_GetAllSlotsForCert(cert, NULL);
+ if (slotList) {
+ PK11SlotListElement *se = PK11_GetFirstSafe(slotList);
+ for ( ; se; se = PK11_GetNextSafe(slotList, se, PR_FALSE)) {
+ CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(se->slot, cert, NULL);
+ if (handle != CK_INVALID_HANDLE) {
+ PORT_SetError(0);
+ if (PK11_HasAttributeSet(se->slot, handle,
+ CKA_NSS_MOZILLA_CA_POLICY, PR_FALSE)) {
+ moz_policy_ca_info = "true (attribute present)";
+ } else {
+ if (PORT_GetError() != 0) {
+ moz_policy_ca_info = "false (attribute missing)";
+ } else {
+ moz_policy_ca_info = "false (attribute present)";
+ }
+ }
+ }
+ }
+ PK11_FreeSlotList(slotList);
+ }
+
+ if (moz_policy_ca_info) {
+ SECU_Indent(stdout, 1);
+ printf("Mozilla-CA-Policy: %s\n", moz_policy_ca_info);
+ }
+
if (trust) {
SECU_PrintTrustFlags(stdout, trust,
"Certificate Trust Flags", 1);
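Review bot: The printed Mozilla-CA-Policy value depends on slot order, because every slot that holds the certificate overwrites `moz_policy_ca_info` inside the loop, so a `true (attribute present)` from one token is replaced by `false (attribute missing)` when a later slot holds a copy without the attribute. If the intent is to report true whenever any token marks the certificate, change the `} else {` that follows the `PK11_HasAttributeSet` test to `} else if (!moz_policy_ca_info) {` so a false result never downgrades an earlier answer. The `PORT_GetError() != 0` branch also appears to label any failure of the attribute lookup as "attribute missing", which makes a token error look the same as an absent attribute; a comment such as `/* any lookup error is reported as "missing" */` would keep readers from treating that line as proof of policy status. SEC_PrintCertificateAndTrust starts and ends outside this hunk.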