authorLorry Tar Creator <lorry-tar-importer@lorry>2017-01-04 14:24:24 +0000
committerLorry Tar Creator <lorry-tar-importer@lorry>2017-01-04 14:24:24 +0000
commitdc1565216a5d20ae0d75872151523252309a1292 (patch)
treed57454ba9a40386552179eddf60d28bd1e8f3d54 /nss/lib/pki/pki3hack.c
parent26c046fbc57d53136b4fb3b5e0d18298318125d4 (diff)
nss-3.28.1nss-3.28.1
Diffstat (limited to 'nss/lib/pki/pki3hack.c')
-rw-r--r--nss/lib/pki/pki3hack.c1197
1 files changed, 599 insertions, 598 deletions
diff --git a/nss/lib/pki/pki3hack.c b/nss/lib/pki/pki3hack.c
index b145092..0826b7f 100644
--- a/nss/lib/pki/pki3hack.c
+++ b/nss/lib/pki/pki3hack.c
@@ -64,20 +64,20 @@ STAN_InitTokenForSlotInfo(NSSTrustDomain *td, PK11SlotInfo *slot)
{
NSSToken *token;
if (!td) {
- td = g_default_trust_domain;
- if (!td) {
- /* we're called while still initting. slot will get added
- * appropriately through normal init processes */
- return PR_SUCCESS;
- }
+ td = g_default_trust_domain;
+ if (!td) {
+ /* we're called while still initting. slot will get added
+ * appropriately through normal init processes */
+ return PR_SUCCESS;
+ }
}
token = nssToken_CreateFromPK11SlotInfo(td, slot);
PK11Slot_SetNSSToken(slot, token);
/* Don't add nonexistent token to TD's token list */
if (token) {
- NSSRWLock_LockWrite(td->tokensLock);
- nssList_Add(td->tokenList, token);
- NSSRWLock_UnlockWrite(td->tokensLock);
+ NSSRWLock_LockWrite(td->tokensLock);
+ nssList_Add(td->tokenList, token);
+ NSSRWLock_UnlockWrite(td->tokensLock);
}
return PR_SUCCESS;
}
@@ -86,12 +86,12 @@ NSS_IMPLEMENT PRStatus
STAN_ResetTokenInterator(NSSTrustDomain *td)
{
if (!td) {
- td = g_default_trust_domain;
- if (!td) {
- /* we're called while still initting. slot will get added
- * appropriately through normal init processes */
- return PR_SUCCESS;
- }
+ td = g_default_trust_domain;
+ if (!td) {
+ /* we're called while still initting. slot will get added
+ * appropriately through normal init processes */
+ return PR_SUCCESS;
+ }
}
NSSRWLock_LockWrite(td->tokensLock);
nssListIterator_Destroy(td->tokens);
@@ -101,9 +101,8 @@ STAN_ResetTokenInterator(NSSTrustDomain *td)
}
NSS_IMPLEMENT PRStatus
-STAN_LoadDefaultNSS3TrustDomain (
- void
-)
+STAN_LoadDefaultNSS3TrustDomain(
+ void)
{
NSSTrustDomain *td;
SECMODModuleList *mlp;
@@ -111,13 +110,13 @@ STAN_LoadDefaultNSS3TrustDomain (
int i;
if (g_default_trust_domain || g_default_crypto_context) {
- /* Stan is already initialized or a previous shutdown failed. */
- nss_SetError(NSS_ERROR_ALREADY_INITIALIZED);
- return PR_FAILURE;
+ /* Stan is already initialized or a previous shutdown failed. */
+ nss_SetError(NSS_ERROR_ALREADY_INITIALIZED);
+ return PR_FAILURE;
}
td = NSSTrustDomain_Create(NULL, NULL, NULL, NULL);
if (!td) {
- return PR_FAILURE;
+ return PR_FAILURE;
}
/*
* Deadlock warning: we should never acquire the moduleLock while
@@ -126,29 +125,29 @@ STAN_LoadDefaultNSS3TrustDomain (
*/
td->tokenList = nssList_Create(td->arena, PR_TRUE);
if (!td->tokenList) {
- goto loser;
+ goto loser;
}
SECMOD_GetReadLock(moduleLock);
NSSRWLock_LockWrite(td->tokensLock);
- for (mlp = SECMOD_GetDefaultModuleList(); mlp != NULL; mlp=mlp->next) {
- for (i=0; i < mlp->module->slotCount; i++) {
- STAN_InitTokenForSlotInfo(td, mlp->module->slots[i]);
- }
+ for (mlp = SECMOD_GetDefaultModuleList(); mlp != NULL; mlp = mlp->next) {
+ for (i = 0; i < mlp->module->slotCount; i++) {
+ STAN_InitTokenForSlotInfo(td, mlp->module->slots[i]);
+ }
}
td->tokens = nssList_CreateIterator(td->tokenList);
NSSRWLock_UnlockWrite(td->tokensLock);
SECMOD_ReleaseReadLock(moduleLock);
if (!td->tokens) {
- goto loser;
+ goto loser;
}
g_default_crypto_context = NSSTrustDomain_CreateCryptoContext(td, NULL);
if (!g_default_crypto_context) {
- goto loser;
+ goto loser;
}
g_default_trust_domain = td;
return PR_SUCCESS;
- loser:
+loser:
NSSTrustDomain_Destroy(td);
return PR_FAILURE;
}
@@ -157,15 +156,14 @@ STAN_LoadDefaultNSS3TrustDomain (
* must be called holding the ModuleListLock (either read or write).
*/
NSS_IMPLEMENT SECStatus
-STAN_AddModuleToDefaultTrustDomain (
- SECMODModule *module
-)
+STAN_AddModuleToDefaultTrustDomain(
+ SECMODModule *module)
{
NSSTrustDomain *td;
int i;
td = STAN_GetDefaultTrustDomain();
- for (i=0; i<module->slotCount; i++) {
- STAN_InitTokenForSlotInfo(td, module->slots[i]);
+ for (i = 0; i < module->slotCount; i++) {
+ STAN_InitTokenForSlotInfo(td, module->slots[i]);
}
STAN_ResetTokenInterator(td);
return SECSuccess;
@@ -175,23 +173,22 @@ STAN_AddModuleToDefaultTrustDomain (
* must be called holding the ModuleListLock (either read or write).
*/
NSS_IMPLEMENT SECStatus
-STAN_RemoveModuleFromDefaultTrustDomain (
- SECMODModule *module
-)
+STAN_RemoveModuleFromDefaultTrustDomain(
+ SECMODModule *module)
{
NSSToken *token;
NSSTrustDomain *td;
int i;
td = STAN_GetDefaultTrustDomain();
NSSRWLock_LockWrite(td->tokensLock);
- for (i=0; i<module->slotCount; i++) {
- token = PK11Slot_GetNSSToken(module->slots[i]);
- if (token) {
- nssToken_NotifyCertsNotVisible(token);
- nssList_Remove(td->tokenList, token);
- PK11Slot_SetNSSToken(module->slots[i], NULL);
- nssToken_Destroy(token);
- }
+ for (i = 0; i < module->slotCount; i++) {
+ token = PK11Slot_GetNSSToken(module->slots[i]);
+ if (token) {
+ nssToken_NotifyCertsNotVisible(token);
+ nssList_Remove(td->tokenList, token);
+ PK11Slot_SetNSSToken(module->slots[i], NULL);
+ nssToken_Destroy(token);
+ }
}
nssListIterator_Destroy(td->tokens);
td->tokens = nssList_CreateIterator(td->tokenList);
@@ -204,18 +201,18 @@ STAN_Shutdown()
{
PRStatus status = PR_SUCCESS;
if (g_default_trust_domain) {
- if (NSSTrustDomain_Destroy(g_default_trust_domain) == PR_SUCCESS) {
- g_default_trust_domain = NULL;
- } else {
- status = PR_FAILURE;
- }
+ if (NSSTrustDomain_Destroy(g_default_trust_domain) == PR_SUCCESS) {
+ g_default_trust_domain = NULL;
+ } else {
+ status = PR_FAILURE;
+ }
}
if (g_default_crypto_context) {
- if (NSSCryptoContext_Destroy(g_default_crypto_context) == PR_SUCCESS) {
- g_default_crypto_context = NULL;
- } else {
- status = PR_FAILURE;
- }
+ if (NSSCryptoContext_Destroy(g_default_crypto_context) == PR_SUCCESS) {
+ g_default_crypto_context = NULL;
+ } else {
+ status = PR_FAILURE;
+ }
}
return status;
}
@@ -235,15 +232,15 @@ STAN_GetCertIdentifierFromDER(NSSArena *arenaOpt, NSSDER *der)
/* nss3 call uses nss3 arena's */
arena = PORT_NewArena(256);
if (!arena) {
- return NULL;
+ return NULL;
}
secrv = CERT_KeyFromDERCert(arena, &secDER, &secKey);
if (secrv != SECSuccess) {
- PORT_FreeArena(arena, PR_FALSE);
- return NULL;
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
}
rvKey = nssItem_Create(arenaOpt, NULL, secKey.len, (void *)secKey.data);
- PORT_FreeArena(arena,PR_FALSE);
+ PORT_FreeArena(arena, PR_FALSE);
return rvKey;
}
@@ -251,7 +248,7 @@ NSS_IMPLEMENT PRStatus
nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der,
NSSDER *issuer, NSSDER *serial)
{
- SECItem derCert = { 0 };
+ SECItem derCert = { 0 };
SECItem derIssuer = { 0 };
SECItem derSerial = { 0 };
SECStatus secrv;
@@ -259,12 +256,12 @@ nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der,
derCert.len = der->size;
secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
if (secrv != SECSuccess) {
- return PR_FAILURE;
+ return PR_FAILURE;
}
secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
if (secrv != SECSuccess) {
- PORT_Free(derSerial.data);
- return PR_FAILURE;
+ PORT_Free(derSerial.data);
+ return PR_FAILURE;
}
issuer->data = derIssuer.data;
issuer->size = derIssuer.len;
@@ -299,35 +296,34 @@ nss3certificate_matchIdentifier(nssDecodedCert *dc, void *id)
/* keyIdentifier */
if (authKeyID->keyID.len > 0 &&
- CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
- PRBool skiEqual;
- skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
- PORT_Free(skid.data);
- if (skiEqual) {
- /* change the state to positive match, but keep going */
- match = nssCertIDMatch_Yes;
- } else {
- /* exit immediately on failure */
- return nssCertIDMatch_No;
- }
+ CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
+ PRBool skiEqual;
+ skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
+ PORT_Free(skid.data);
+ if (skiEqual) {
+ /* change the state to positive match, but keep going */
+ match = nssCertIDMatch_Yes;
+ } else {
+ /* exit immediately on failure */
+ return nssCertIDMatch_No;
+ }
}
/* issuer/serial (treated as pair) */
if (authKeyID->authCertIssuer) {
- SECItem *caName = NULL;
- SECItem *caSN = &authKeyID->authCertSerialNumber;
-
- caName = (SECItem *)CERT_GetGeneralNameByType(
- authKeyID->authCertIssuer,
- certDirectoryName, PR_TRUE);
- if (caName != NULL &&
- SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
- SECITEM_ItemsAreEqual(&c->serialNumber, caSN))
- {
- match = nssCertIDMatch_Yes;
- } else {
- match = nssCertIDMatch_Unknown;
- }
+ SECItem *caName = NULL;
+ SECItem *caSN = &authKeyID->authCertSerialNumber;
+
+ caName = (SECItem *)CERT_GetGeneralNameByType(
+ authKeyID->authCertIssuer,
+ certDirectoryName, PR_TRUE);
+ if (caName != NULL &&
+ SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
+ SECITEM_ItemsAreEqual(&c->serialNumber, caSN)) {
+ match = nssCertIDMatch_Yes;
+ } else {
+ match = nssCertIDMatch_Unknown;
+ }
}
return match;
}
@@ -347,26 +343,26 @@ nss3certificate_getUsage(nssDecodedCert *dc)
return NULL;
}
-static PRBool
+static PRBool
nss3certificate_isValidAtTime(nssDecodedCert *dc, NSSTime *time)
{
SECCertTimeValidity validity;
CERTCertificate *c = (CERTCertificate *)dc->data;
validity = CERT_CheckCertValidTimes(c, NSSTime_GetPRTime(time), PR_TRUE);
if (validity == secCertTimeValid) {
- return PR_TRUE;
+ return PR_TRUE;
}
return PR_FALSE;
}
-static PRBool
+static PRBool
nss3certificate_isNewerThan(nssDecodedCert *dc, nssDecodedCert *cmpdc)
{
/* I know this isn't right, but this is glue code anyway */
if (cmpdc->type == dc->type) {
- CERTCertificate *certa = (CERTCertificate *)dc->data;
- CERTCertificate *certb = (CERTCertificate *)cmpdc->data;
- return CERT_IsNewer(certa, certb);
+ CERTCertificate *certa = (CERTCertificate *)dc->data;
+ CERTCertificate *certb = (CERTCertificate *)cmpdc->data;
+ return CERT_IsNewer(certa, certb);
}
return PR_FALSE;
}
@@ -384,28 +380,28 @@ nss3certificate_matchUsage(nssDecodedCert *dc, const NSSUsage *usage)
/* This is for NSS 3.3 functions that do not specify a usage */
if (usage->anyUsage) {
- return PR_TRUE;
+ return PR_TRUE;
}
ca = usage->nss3lookingForCA;
secrv = CERT_KeyUsageAndTypeForCertUsage(usage->nss3usage, ca,
&requiredKeyUsage,
&requiredCertType);
if (secrv != SECSuccess) {
- return PR_FALSE;
+ return PR_FALSE;
}
cc = (CERTCertificate *)dc->data;
secrv = CERT_CheckKeyUsage(cc, requiredKeyUsage);
match = (PRBool)(secrv == SECSuccess);
if (match) {
- unsigned int certType = 0;
- if (ca) {
- (void)CERT_IsCACert(cc, &certType);
- } else {
- certType = cc->nsCertType;
- }
- if (!(certType & requiredCertType)) {
- match = PR_FALSE;
- }
+ unsigned int certType = 0;
+ if (ca) {
+ (void)CERT_IsCACert(cc, &certType);
+ } else {
+ certType = cc->nsCertType;
+ }
+ if (!(certType & requiredCertType)) {
+ match = PR_FALSE;
+ }
}
return match;
}
@@ -423,33 +419,33 @@ nss3certificate_isTrustedForUsage(nssDecodedCert *dc, const NSSUsage *usage)
/* This is for NSS 3.3 functions that do not specify a usage */
if (usage->anyUsage) {
- return PR_FALSE; /* XXX is this right? */
+ return PR_FALSE; /* XXX is this right? */
}
cc = (CERTCertificate *)dc->data;
ca = usage->nss3lookingForCA;
if (!ca) {
- PRBool trusted;
- unsigned int failedFlags;
- secrv = cert_CheckLeafTrust(cc, usage->nss3usage,
- &failedFlags, &trusted);
- return secrv == SECSuccess && trusted;
+ PRBool trusted;
+ unsigned int failedFlags;
+ secrv = cert_CheckLeafTrust(cc, usage->nss3usage,
+ &failedFlags, &trusted);
+ return secrv == SECSuccess && trusted;
}
secrv = CERT_TrustFlagsForCACertUsage(usage->nss3usage, &requiredFlags,
- &trustType);
+ &trustType);
if (secrv != SECSuccess) {
- return PR_FALSE;
+ return PR_FALSE;
}
secrv = CERT_GetCertTrust(cc, &trust);
if (secrv != SECSuccess) {
- return PR_FALSE;
+ return PR_FALSE;
}
if (trustType == trustTypeNone) {
- /* normally trustTypeNone usages accept any of the given trust bits
- * being on as acceptable. */
- trustFlags = trust.sslFlags | trust.emailFlags |
- trust.objectSigningFlags;
+ /* normally trustTypeNone usages accept any of the given trust bits
+ * being on as acceptable. */
+ trustFlags = trust.sslFlags | trust.emailFlags |
+ trust.objectSigningFlags;
} else {
- trustFlags = SEC_GET_TRUST_FLAGS(&trust, trustType);
+ trustFlags = SEC_GET_TRUST_FLAGS(&trust, trustType);
}
return (trustFlags & requiredFlags) == requiredFlags;
}
@@ -459,11 +455,12 @@ nss3certificate_getEmailAddress(nssDecodedCert *dc)
{
CERTCertificate *cc = (CERTCertificate *)dc->data;
return (cc && cc->emailAddr && cc->emailAddr[0])
- ? (NSSASCII7 *)cc->emailAddr : NULL;
+ ? (NSSASCII7 *)cc->emailAddr
+ : NULL;
}
static PRStatus
-nss3certificate_getDERSerialNumber(nssDecodedCert *dc,
+nss3certificate_getDERSerialNumber(nssDecodedCert *dc,
NSSDER *serial, NSSArena *arena)
{
CERTCertificate *cc = (CERTCertificate *)dc->data;
@@ -471,96 +468,92 @@ nss3certificate_getDERSerialNumber(nssDecodedCert *dc,
SECStatus secrv;
secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
if (secrv == SECSuccess) {
- (void)nssItem_Create(arena, serial, derSerial.len, derSerial.data);
- PORT_Free(derSerial.data);
- return PR_SUCCESS;
+ (void)nssItem_Create(arena, serial, derSerial.len, derSerial.data);
+ PORT_Free(derSerial.data);
+ return PR_SUCCESS;
}
return PR_FAILURE;
}
/* Returns NULL if "encoding" cannot be decoded. */
NSS_IMPLEMENT nssDecodedCert *
-nssDecodedPKIXCertificate_Create (
- NSSArena *arenaOpt,
- NSSDER *encoding
-)
+nssDecodedPKIXCertificate_Create(
+ NSSArena *arenaOpt,
+ NSSDER *encoding)
{
- nssDecodedCert *rvDC = NULL;
+ nssDecodedCert *rvDC = NULL;
CERTCertificate *cert;
- SECItem secDER;
+ SECItem secDER;
SECITEM_FROM_NSSITEM(&secDER, encoding);
cert = CERT_DecodeDERCertificate(&secDER, PR_TRUE, NULL);
if (cert) {
- rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
- if (rvDC) {
- rvDC->type = NSSCertificateType_PKIX;
- rvDC->data = (void *)cert;
- rvDC->getIdentifier = nss3certificate_getIdentifier;
- rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
- rvDC->matchIdentifier = nss3certificate_matchIdentifier;
- rvDC->isValidIssuer = nss3certificate_isValidIssuer;
- rvDC->getUsage = nss3certificate_getUsage;
- rvDC->isValidAtTime = nss3certificate_isValidAtTime;
- rvDC->isNewerThan = nss3certificate_isNewerThan;
- rvDC->matchUsage = nss3certificate_matchUsage;
- rvDC->isTrustedForUsage = nss3certificate_isTrustedForUsage;
- rvDC->getEmailAddress = nss3certificate_getEmailAddress;
- rvDC->getDERSerialNumber = nss3certificate_getDERSerialNumber;
- } else {
- CERT_DestroyCertificate(cert);
- }
+ rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
+ if (rvDC) {
+ rvDC->type = NSSCertificateType_PKIX;
+ rvDC->data = (void *)cert;
+ rvDC->getIdentifier = nss3certificate_getIdentifier;
+ rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
+ rvDC->matchIdentifier = nss3certificate_matchIdentifier;
+ rvDC->isValidIssuer = nss3certificate_isValidIssuer;
+ rvDC->getUsage = nss3certificate_getUsage;
+ rvDC->isValidAtTime = nss3certificate_isValidAtTime;
+ rvDC->isNewerThan = nss3certificate_isNewerThan;
+ rvDC->matchUsage = nss3certificate_matchUsage;
+ rvDC->isTrustedForUsage = nss3certificate_isTrustedForUsage;
+ rvDC->getEmailAddress = nss3certificate_getEmailAddress;
+ rvDC->getDERSerialNumber = nss3certificate_getDERSerialNumber;
+ } else {
+ CERT_DestroyCertificate(cert);
+ }
}
return rvDC;
}
static nssDecodedCert *
-create_decoded_pkix_cert_from_nss3cert (
- NSSArena *arenaOpt,
- CERTCertificate *cc
-)
+create_decoded_pkix_cert_from_nss3cert(
+ NSSArena *arenaOpt,
+ CERTCertificate *cc)
{
nssDecodedCert *rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
if (rvDC) {
- rvDC->type = NSSCertificateType_PKIX;
- rvDC->data = (void *)cc;
- rvDC->getIdentifier = nss3certificate_getIdentifier;
- rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
- rvDC->matchIdentifier = nss3certificate_matchIdentifier;
- rvDC->isValidIssuer = nss3certificate_isValidIssuer;
- rvDC->getUsage = nss3certificate_getUsage;
- rvDC->isValidAtTime = nss3certificate_isValidAtTime;
- rvDC->isNewerThan = nss3certificate_isNewerThan;
- rvDC->matchUsage = nss3certificate_matchUsage;
- rvDC->isTrustedForUsage = nss3certificate_isTrustedForUsage;
- rvDC->getEmailAddress = nss3certificate_getEmailAddress;
- rvDC->getDERSerialNumber = nss3certificate_getDERSerialNumber;
+ rvDC->type = NSSCertificateType_PKIX;
+ rvDC->data = (void *)cc;
+ rvDC->getIdentifier = nss3certificate_getIdentifier;
+ rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
+ rvDC->matchIdentifier = nss3certificate_matchIdentifier;
+ rvDC->isValidIssuer = nss3certificate_isValidIssuer;
+ rvDC->getUsage = nss3certificate_getUsage;
+ rvDC->isValidAtTime = nss3certificate_isValidAtTime;
+ rvDC->isNewerThan = nss3certificate_isNewerThan;
+ rvDC->matchUsage = nss3certificate_matchUsage;
+ rvDC->isTrustedForUsage = nss3certificate_isTrustedForUsage;
+ rvDC->getEmailAddress = nss3certificate_getEmailAddress;
+ rvDC->getDERSerialNumber = nss3certificate_getDERSerialNumber;
}
return rvDC;
}
NSS_IMPLEMENT PRStatus
-nssDecodedPKIXCertificate_Destroy (
- nssDecodedCert *dc
-)
+nssDecodedPKIXCertificate_Destroy(nssDecodedCert *dc)
{
CERTCertificate *cert = (CERTCertificate *)dc->data;
- /* The decoder may only be half initialized (the case where we find we
+ /* The decoder may only be half initialized (the case where we find we
* could not decode the certificate). In this case, there is not cert to
* free, just free the dc structure. */
if (cert) {
- PRBool freeSlot = cert->ownSlot;
- PK11SlotInfo *slot = cert->slot;
- PLArenaPool *arena = cert->arena;
- /* zero cert before freeing. Any stale references to this cert
- * after this point will probably cause an exception. */
- PORT_Memset(cert, 0, sizeof *cert);
- /* free the arena that contains the cert. */
- PORT_FreeArena(arena, PR_FALSE);
- if (slot && freeSlot) {
- PK11_FreeSlot(slot);
- }
+ PRBool freeSlot = cert->ownSlot;
+ PK11SlotInfo *slot = cert->slot;
+ PLArenaPool *arena = cert->arena;
+ /* zero cert before freeing. Any stale references to this cert
+ * after this point will probably cause an exception. */
+ PORT_Memset(cert, 0, sizeof *cert);
+ /* free the arena that contains the cert. */
+ PORT_FreeArena(arena, PR_FALSE);
+ if (slot && freeSlot) {
+ PK11_FreeSlot(slot);
+ }
}
nss_ZFreeIf(dc);
return PR_SUCCESS;
@@ -572,16 +565,16 @@ get_nss3trust_from_nss4trust(nssTrustLevel t)
{
unsigned int rt = 0;
if (t == nssTrustLevel_Trusted) {
- rt |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED;
+ rt |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED;
}
if (t == nssTrustLevel_TrustedDelegator) {
- rt |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA;
+ rt |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA;
}
if (t == nssTrustLevel_NotTrusted) {
- rt |= CERTDB_TERMINAL_RECORD;
+ rt |= CERTDB_TERMINAL_RECORD;
}
if (t == nssTrustLevel_ValidDelegator) {
- rt |= CERTDB_VALID_CA;
+ rt |= CERTDB_VALID_CA;
}
return rt;
}
@@ -592,15 +585,16 @@ cert_trust_from_stan_trust(NSSTrust *t, PLArenaPool *arena)
CERTCertTrust *rvTrust;
unsigned int client;
if (!t) {
- return NULL;
+ return NULL;
}
rvTrust = PORT_ArenaAlloc(arena, sizeof(CERTCertTrust));
- if (!rvTrust) return NULL;
+ if (!rvTrust)
+ return NULL;
rvTrust->sslFlags = get_nss3trust_from_nss4trust(t->serverAuth);
client = get_nss3trust_from_nss4trust(t->clientAuth);
- if (client & (CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA)) {
- client &= ~(CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA);
- rvTrust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA;
+ if (client & (CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA)) {
+ client &= ~(CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA);
+ rvTrust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA;
}
rvTrust->sslFlags |= client;
rvTrust->emailFlags = get_nss3trust_from_nss4trust(t->emailProtection);
@@ -608,7 +602,7 @@ cert_trust_from_stan_trust(NSSTrust *t, PLArenaPool *arena)
return rvTrust;
}
-CERTCertTrust *
+CERTCertTrust *
nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc)
{
CERTCertTrust *rvTrust = NULL;
@@ -616,23 +610,23 @@ nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc)
NSSTrust *t;
t = nssTrustDomain_FindTrustForCertificate(td, c);
if (t) {
- rvTrust = cert_trust_from_stan_trust(t, cc->arena);
- if (!rvTrust) {
- nssTrust_Destroy(t);
- return NULL;
- }
- nssTrust_Destroy(t);
+ rvTrust = cert_trust_from_stan_trust(t, cc->arena);
+ if (!rvTrust) {
+ nssTrust_Destroy(t);
+ return NULL;
+ }
+ nssTrust_Destroy(t);
} else {
- rvTrust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
- if (!rvTrust) {
- return NULL;
- }
- memset(rvTrust, 0, sizeof(*rvTrust));
+ rvTrust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
+ if (!rvTrust) {
+ return NULL;
+ }
+ memset(rvTrust, 0, sizeof(*rvTrust));
}
if (NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL)) {
- rvTrust->sslFlags |= CERTDB_USER;
- rvTrust->emailFlags |= CERTDB_USER;
- rvTrust->objectSigningFlags |= CERTDB_USER;
+ rvTrust->sslFlags |= CERTDB_USER;
+ rvTrust->emailFlags |= CERTDB_USER;
+ rvTrust->objectSigningFlags |= CERTDB_USER;
}
return rvTrust;
}
@@ -643,34 +637,33 @@ get_cert_instance(NSSCertificate *c)
nssCryptokiObject *instance, **ci;
nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
if (!instances) {
- return NULL;
+ return NULL;
}
instance = NULL;
for (ci = instances; *ci; ci++) {
- if (!instance) {
- instance = nssCryptokiObject_Clone(*ci);
- } else {
- /* This only really works for two instances... But 3.4 can't
- * handle more anyway. The logic is, if there are multiple
- * instances, prefer the one that is not internal (e.g., on
- * a hardware device.
- */
- if (PK11_IsInternal(instance->token->pk11slot)) {
- nssCryptokiObject_Destroy(instance);
- instance = nssCryptokiObject_Clone(*ci);
- }
- }
+ if (!instance) {
+ instance = nssCryptokiObject_Clone(*ci);
+ } else {
+ /* This only really works for two instances... But 3.4 can't
+ * handle more anyway. The logic is, if there are multiple
+ * instances, prefer the one that is not internal (e.g., on
+ * a hardware device.
+ */
+ if (PK11_IsInternal(instance->token->pk11slot)) {
+ nssCryptokiObject_Destroy(instance);
+ instance = nssCryptokiObject_Clone(*ci);
+ }
+ }
}
nssCryptokiObjectArray_Destroy(instances);
return instance;
}
-char *
-STAN_GetCERTCertificateNameForInstance (
- PLArenaPool *arenaOpt,
- NSSCertificate *c,
- nssCryptokiInstance *instance
-)
+char *
+STAN_GetCERTCertificateNameForInstance(
+ PLArenaPool *arenaOpt,
+ NSSCertificate *c,
+ nssCryptokiInstance *instance)
{
NSSCryptoContext *context = c->object.cryptoContext;
PRStatus nssrv;
@@ -681,55 +674,55 @@ STAN_GetCERTCertificateNameForInstance (
char *nick;
if (instance) {
- stanNick = instance->label;
+ stanNick = instance->label;
} else if (context) {
- stanNick = c->object.tempName;
+ stanNick = c->object.tempName;
}
if (stanNick) {
- /* fill other fields needed by NSS3 functions using CERTCertificate */
- if (instance && (!PK11_IsInternalKeySlot(instance->token->pk11slot) ||
- PORT_Strchr(stanNick, ':') != NULL) ) {
- tokenName = nssToken_GetName(instance->token);
- tokenlen = nssUTF8_Size(tokenName, &nssrv);
- } else {
- /* don't use token name for internal slot; 3.3 didn't */
- tokenlen = 0;
- }
- nicklen = nssUTF8_Size(stanNick, &nssrv);
- len = tokenlen + nicklen;
- if (arenaOpt) {
- nickname = PORT_ArenaAlloc(arenaOpt, len);
- } else {
- nickname = PORT_Alloc(len);
- }
- nick = nickname;
- if (tokenName) {
- memcpy(nick, tokenName, tokenlen-1);
- nick += tokenlen-1;
- *nick++ = ':';
- }
- memcpy(nick, stanNick, nicklen-1);
- nickname[len-1] = '\0';
+ /* fill other fields needed by NSS3 functions using CERTCertificate */
+ if (instance && (!PK11_IsInternalKeySlot(instance->token->pk11slot) ||
+ PORT_Strchr(stanNick, ':') != NULL)) {
+ tokenName = nssToken_GetName(instance->token);
+ tokenlen = nssUTF8_Size(tokenName, &nssrv);
+ } else {
+ /* don't use token name for internal slot; 3.3 didn't */
+ tokenlen = 0;
+ }
+ nicklen = nssUTF8_Size(stanNick, &nssrv);
+ len = tokenlen + nicklen;
+ if (arenaOpt) {
+ nickname = PORT_ArenaAlloc(arenaOpt, len);
+ } else {
+ nickname = PORT_Alloc(len);
+ }
+ nick = nickname;
+ if (tokenName) {
+ memcpy(nick, tokenName, tokenlen - 1);
+ nick += tokenlen - 1;
+ *nick++ = ':';
+ }
+ memcpy(nick, stanNick, nicklen - 1);
+ nickname[len - 1] = '\0';
}
return nickname;
}
-char *
+char *
STAN_GetCERTCertificateName(PLArenaPool *arenaOpt, NSSCertificate *c)
{
- char * result;
+ char *result;
nssCryptokiInstance *instance = get_cert_instance(c);
/* It's OK to call this function, even if instance is NULL */
result = STAN_GetCERTCertificateNameForInstance(arenaOpt, c, instance);
if (instance)
- nssCryptokiObject_Destroy(instance);
+ nssCryptokiObject_Destroy(instance);
return result;
}
static void
fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced)
{
- CERTCertTrust* trust = NULL;
+ CERTCertTrust *trust = NULL;
NSSTrust *nssTrust;
NSSCryptoContext *context = c->object.cryptoContext;
nssCryptokiInstance *instance;
@@ -742,62 +735,62 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
instance = get_cert_instance(c);
if (instance) {
- stanNick = instance->label;
+ stanNick = instance->label;
} else if (context) {
- stanNick = c->object.tempName;
+ stanNick = c->object.tempName;
}
/* fill other fields needed by NSS3 functions using CERTCertificate */
if ((!cc->nickname && stanNick) || forced) {
- PRStatus nssrv;
- int nicklen, tokenlen, len;
- NSSUTF8 *tokenName = NULL;
- char *nick;
- if (instance &&
- (!PK11_IsInternalKeySlot(instance->token->pk11slot) ||
- (stanNick && PORT_Strchr(stanNick, ':') != NULL))) {
- tokenName = nssToken_GetName(instance->token);
- tokenlen = nssUTF8_Size(tokenName, &nssrv);
- } else {
- /* don't use token name for internal slot; 3.3 didn't */
- tokenlen = 0;
- }
- if (stanNick) {
- nicklen = nssUTF8_Size(stanNick, &nssrv);
- len = tokenlen + nicklen;
- nick = PORT_ArenaAlloc(cc->arena, len);
- if (tokenName) {
- memcpy(nick, tokenName, tokenlen-1);
- nick[tokenlen-1] = ':';
- memcpy(nick+tokenlen, stanNick, nicklen-1);
- } else {
- memcpy(nick, stanNick, nicklen-1);
- }
- nick[len-1] = '\0';
+ PRStatus nssrv;
+ int nicklen, tokenlen, len;
+ NSSUTF8 *tokenName = NULL;
+ char *nick;
+ if (instance &&
+ (!PK11_IsInternalKeySlot(instance->token->pk11slot) ||
+ (stanNick && PORT_Strchr(stanNick, ':') != NULL))) {
+ tokenName = nssToken_GetName(instance->token);
+ tokenlen = nssUTF8_Size(tokenName, &nssrv);
+ } else {
+ /* don't use token name for internal slot; 3.3 didn't */
+ tokenlen = 0;
+ }
+ if (stanNick) {
+ nicklen = nssUTF8_Size(stanNick, &nssrv);
+ len = tokenlen + nicklen;
+ nick = PORT_ArenaAlloc(cc->arena, len);
+ if (tokenName) {
+ memcpy(nick, tokenName, tokenlen - 1);
+ nick[tokenlen - 1] = ':';
+ memcpy(nick + tokenlen, stanNick, nicklen - 1);
+ } else {
+ memcpy(nick, stanNick, nicklen - 1);
+ }
+ nick[len - 1] = '\0';
cc->nickname = nick;
- } else {
- cc->nickname = NULL;
- }
+ } else {
+ cc->nickname = NULL;
+ }
}
if (context) {
- /* trust */
- nssTrust = nssCryptoContext_FindTrustForCertificate(context, c);
- if (!nssTrust) {
- /* chicken and egg issue:
- *
- * c->issuer and c->serial are empty at this point, but
- * nssTrustDomain_FindTrustForCertificate use them to look up
- * up the trust object, so we point them to cc->derIssuer and
- * cc->serialNumber.
- *
- * Our caller will fill these in with proper arena copies when we
- * return. */
- c->issuer.data = cc->derIssuer.data;
- c->issuer.size = cc->derIssuer.len;
- c->serial.data = cc->serialNumber.data;
- c->serial.size = cc->serialNumber.len;
- nssTrust = nssTrustDomain_FindTrustForCertificate(context->td, c);
- }
- if (nssTrust) {
+ /* trust */
+ nssTrust = nssCryptoContext_FindTrustForCertificate(context, c);
+ if (!nssTrust) {
+ /* chicken and egg issue:
+ *
+ * c->issuer and c->serial are empty at this point, but
+ * nssTrustDomain_FindTrustForCertificate use them to look up
+ * up the trust object, so we point them to cc->derIssuer and
+ * cc->serialNumber.
+ *
+ * Our caller will fill these in with proper arena copies when we
+ * return. */
+ c->issuer.data = cc->derIssuer.data;
+ c->issuer.size = cc->derIssuer.len;
+ c->serial.data = cc->serialNumber.data;
+ c->serial.size = cc->serialNumber.len;
+ nssTrust = nssTrustDomain_FindTrustForCertificate(context->td, c);
+ }
+ if (nssTrust) {
trust = cert_trust_from_stan_trust(nssTrust, cc->arena);
if (trust) {
/* we should destroy cc->trust before replacing it, but it's
@@ -807,21 +800,21 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
cc->trust = trust;
CERT_UnlockCertTrust(cc);
}
- nssTrust_Destroy(nssTrust);
- }
+ nssTrust_Destroy(nssTrust);
+ }
} else if (instance) {
- /* slot */
- if (cc->slot != instance->token->pk11slot) {
- if (cc->slot) {
- PK11_FreeSlot(cc->slot);
- }
- cc->slot = PK11_ReferenceSlot(instance->token->pk11slot);
- }
- cc->ownSlot = PR_TRUE;
- /* pkcs11ID */
- cc->pkcs11ID = instance->handle;
- /* trust */
- trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+ /* slot */
+ if (cc->slot != instance->token->pk11slot) {
+ if (cc->slot) {
+ PK11_FreeSlot(cc->slot);
+ }
+ cc->slot = PK11_ReferenceSlot(instance->token->pk11slot);
+ }
+ cc->ownSlot = PR_TRUE;
+ /* pkcs11ID */
+ cc->pkcs11ID = instance->handle;
+ /* trust */
+ trust = nssTrust_GetCERTCertTrustForCert(c, cc);
if (trust) {
/* we should destroy cc->trust before replacing it, but it's
allocated in cc->arena, so memory growth will occur on each
@@ -830,8 +823,10 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
cc->trust = trust;
CERT_UnlockCertTrust(cc);
}
- nssCryptokiObject_Destroy(instance);
- }
+ }
+ if (instance) {
+ nssCryptokiObject_Destroy(instance);
+ }
/* database handle is now the trust domain */
cc->dbhandle = c->object.trustDomain;
/* subjectList ? */
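Review bot: The hoisted `if (instance) { nssCryptokiObject_Destroy(instance); }` should carry a comment stating the ownership rule it enforces, because nothing here explains why the release moved out of the `else if (instance)` branch. Earlier in this function `instance` comes from get_cert_instance(), which returns a clone, and with the old placement that clone was apparently never released when `context` was non-NULL. I would add `/* instance is a cloned reference from get_cert_instance(); release it on every path, not only the non-context branch */` above the new `if`. Since `stanNick` may alias `instance->label`, the comment should also say that `stanNick` must not be read after this point. The rest of the function lies outside the hunk, so confirm that no later use exists.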
@@ -841,12 +836,12 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
/* pointer back */
cc->nssCertificate = c;
if (trust) {
- /* force the cert type to be recomputed to include trust info */
- PRUint32 nsCertType = cert_ComputeCertType(cc);
+ /* force the cert type to be recomputed to include trust info */
+ PRUint32 nsCertType = cert_ComputeCertType(cc);
- /* Assert that it is safe to cast &cc->nsCertType to "PRInt32 *" */
- PORT_Assert(sizeof(cc->nsCertType) == sizeof(PRInt32));
- PR_ATOMIC_SET((PRInt32 *)&cc->nsCertType, nsCertType);
+ /* Assert that it is safe to cast &cc->nsCertType to "PRInt32 *" */
+ PORT_Assert(sizeof(cc->nsCertType) == sizeof(PRInt32));
+ PR_ATOMIC_SET((PRInt32 *)&cc->nsCertType, nsCertType);
}
}
@@ -863,26 +858,26 @@ stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
dc = c->decoding;
if (!dc) {
- dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding);
- if (!dc) {
+ dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding);
+ if (!dc) {
goto loser;
}
- cc = (CERTCertificate *)dc->data;
- PORT_Assert(cc); /* software error */
- if (!cc) {
- nssDecodedPKIXCertificate_Destroy(dc);
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
- goto loser;
- }
- PORT_Assert(!c->decoding);
- if (!c->decoding) {
- c->decoding = dc;
- } else {
+ cc = (CERTCertificate *)dc->data;
+ PORT_Assert(cc); /* software error */
+ if (!cc) {
+ nssDecodedPKIXCertificate_Destroy(dc);
+ nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+ goto loser;
+ }
+ PORT_Assert(!c->decoding);
+ if (!c->decoding) {
+ c->decoding = dc;
+ } else {
/* this should never happen. Fail. */
- nssDecodedPKIXCertificate_Destroy(dc);
- nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+ nssDecodedPKIXCertificate_Destroy(dc);
+ nss_SetError(NSS_ERROR_INTERNAL_ERROR);
goto loser;
- }
+ }
}
cc = (CERTCertificate *)dc->data;
PORT_Assert(cc);
@@ -898,7 +893,7 @@ stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
* trust, so look for the trust again. But a temp cert can be
* ignored.
*/
- CERTCertTrust* trust = NULL;
+ CERTCertTrust *trust = NULL;
trust = nssTrust_GetCERTCertTrustForCert(c, cc);
CERT_LockCertTrust(cc);
@@ -906,7 +901,7 @@ stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
CERT_UnlockCertTrust(cc);
}
- loser:
+loser:
nssPKIObject_Unlock(&c->object);
nssPKIObject_Destroy(&c->object);
return cc;
@@ -916,7 +911,7 @@ NSS_IMPLEMENT CERTCertificate *
STAN_ForceCERTCertificateUpdate(NSSCertificate *c)
{
if (c->decoding) {
- return stan_GetCERTCertificate(c, PR_TRUE);
+ return stan_GetCERTCertificate(c, PR_TRUE);
}
return NULL;
}
@@ -928,10 +923,10 @@ STAN_GetCERTCertificate(NSSCertificate *c)
}
/*
* many callers of STAN_GetCERTCertificate() intend that
- * the CERTCertificate returned inherits the reference to the
- * NSSCertificate. For these callers it's convenient to have
- * this function 'own' the reference and either return a valid
- * CERTCertificate structure which inherits the reference or
+ * the CERTCertificate returned inherits the reference to the
+ * NSSCertificate. For these callers it's convenient to have
+ * this function 'own' the reference and either return a valid
+ * CERTCertificate structure which inherits the reference or
* destroy the reference to NSSCertificate and returns NULL.
*/
NSS_IMPLEMENT CERTCertificate *
@@ -939,31 +934,31 @@ STAN_GetCERTCertificateOrRelease(NSSCertificate *c)
{
CERTCertificate *nss3cert = stan_GetCERTCertificate(c, PR_FALSE);
if (!nss3cert) {
- nssCertificate_Destroy(c);
+ nssCertificate_Destroy(c);
}
return nss3cert;
}
static nssTrustLevel
-get_stan_trust(unsigned int t, PRBool isClientAuth)
+get_stan_trust(unsigned int t, PRBool isClientAuth)
{
if (isClientAuth) {
- if (t & CERTDB_TRUSTED_CLIENT_CA) {
- return nssTrustLevel_TrustedDelegator;
- }
+ if (t & CERTDB_TRUSTED_CLIENT_CA) {
+ return nssTrustLevel_TrustedDelegator;
+ }
} else {
- if (t & CERTDB_TRUSTED_CA || t & CERTDB_NS_TRUSTED_CA) {
- return nssTrustLevel_TrustedDelegator;
- }
+ if (t & CERTDB_TRUSTED_CA || t & CERTDB_NS_TRUSTED_CA) {
+ return nssTrustLevel_TrustedDelegator;
+ }
}
if (t & CERTDB_TRUSTED) {
- return nssTrustLevel_Trusted;
+ return nssTrustLevel_Trusted;
}
if (t & CERTDB_TERMINAL_RECORD) {
- return nssTrustLevel_NotTrusted;
+ return nssTrustLevel_NotTrusted;
}
if (t & CERTDB_VALID_CA) {
- return nssTrustLevel_ValidDelegator;
+ return nssTrustLevel_ValidDelegator;
}
return nssTrustLevel_MustVerify;
}
@@ -977,26 +972,26 @@ STAN_GetNSSCertificate(CERTCertificate *cc)
NSSArena *arena;
c = cc->nssCertificate;
if (c) {
- return c;
+ return c;
}
/* i don't think this should happen. but if it can, need to create
* NSSCertificate from CERTCertificate values here. */
/* Yup, it can happen. */
arena = NSSArena_Create();
if (!arena) {
- return NULL;
+ return NULL;
}
c = nss_ZNEW(arena, NSSCertificate);
if (!c) {
- nssArena_Destroy(arena);
- return NULL;
+ nssArena_Destroy(arena);
+ return NULL;
}
NSSITEM_FROM_SECITEM(&c->encoding, &cc->derCert);
c->type = NSSCertificateType_PKIX;
pkiob = nssPKIObject_Create(arena, NULL, cc->dbhandle, NULL, nssPKIMonitor);
if (!pkiob) {
- nssArena_Destroy(arena);
- return NULL;
+ nssArena_Destroy(arena);
+ return NULL;
}
c->object = *pkiob;
nssItem_Create(arena,
@@ -1004,18 +999,18 @@ STAN_GetNSSCertificate(CERTCertificate *cc)
nssItem_Create(arena,
&c->subject, cc->derSubject.len, cc->derSubject.data);
if (PR_TRUE) {
- /* CERTCertificate stores serial numbers decoded. I need the DER
- * here. sigh.
- */
- SECItem derSerial;
- SECStatus secrv;
- secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
- if (secrv == SECFailure) {
- nssArena_Destroy(arena);
- return NULL;
- }
- nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data);
- PORT_Free(derSerial.data);
+ /* CERTCertificate stores serial numbers decoded. I need the DER
+ * here. sigh.
+ */
+ SECItem derSerial;
+ SECStatus secrv;
+ secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
+ if (secrv == SECFailure) {
+ nssArena_Destroy(arena);
+ return NULL;
+ }
+ nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data);
+ PORT_Free(derSerial.data);
}
if (cc->emailAddr && cc->emailAddr[0]) {
c->email = nssUTF8_Create(arena,
@@ -1024,31 +1019,30 @@ STAN_GetNSSCertificate(CERTCertificate *cc)
PORT_Strlen(cc->emailAddr));
}
if (cc->slot) {
- instance = nss_ZNEW(arena, nssCryptokiInstance);
- if (!instance) {
- nssArena_Destroy(arena);
- return NULL;
- }
- instance->token = nssToken_AddRef(PK11Slot_GetNSSToken(cc->slot));
- instance->handle = cc->pkcs11ID;
- instance->isTokenObject = PR_TRUE;
- if (cc->nickname) {
- instance->label = nssUTF8_Create(arena,
- nssStringType_UTF8String,
- (NSSUTF8 *)cc->nickname,
- PORT_Strlen(cc->nickname));
- }
- nssPKIObject_AddInstance(&c->object, instance);
+ instance = nss_ZNEW(arena, nssCryptokiInstance);
+ if (!instance) {
+ nssArena_Destroy(arena);
+ return NULL;
+ }
+ instance->token = nssToken_AddRef(PK11Slot_GetNSSToken(cc->slot));
+ instance->handle = cc->pkcs11ID;
+ instance->isTokenObject = PR_TRUE;
+ if (cc->nickname) {
+ instance->label = nssUTF8_Create(arena,
+ nssStringType_UTF8String,
+ (NSSUTF8 *)cc->nickname,
+ PORT_Strlen(cc->nickname));
+ }
+ nssPKIObject_AddInstance(&c->object, instance);
}
c->decoding = create_decoded_pkix_cert_from_nss3cert(NULL, cc);
cc->nssCertificate = c;
return c;
}
-static NSSToken*
-stan_GetTrustToken (
- NSSCertificate *c
-)
+static NSSToken *
+stan_GetTrustToken(
+ NSSCertificate *c)
{
NSSToken *ttok = NULL;
NSSToken *rtok = NULL;
@@ -1056,31 +1050,31 @@ stan_GetTrustToken (
nssCryptokiObject **ip;
nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
if (!instances) {
- return PR_FALSE;
+ return PR_FALSE;
}
for (ip = instances; *ip; ip++) {
- nssCryptokiObject *instance = *ip;
- nssCryptokiObject *to =
- nssToken_FindTrustForCertificate(instance->token, NULL,
- &c->encoding, &c->issuer, &c->serial,
- nssTokenSearchType_TokenOnly);
- NSSToken *ctok = instance->token;
- PRBool ro = PK11_IsReadOnly(ctok->pk11slot);
-
- if (to) {
- nssCryptokiObject_Destroy(to);
- ttok = ctok;
- if (!ro) {
- break;
- }
- } else {
- if (!rtok && ro) {
- rtok = ctok;
- }
- if (!tok && !ro) {
- tok = ctok;
- }
- }
+ nssCryptokiObject *instance = *ip;
+ nssCryptokiObject *to =
+ nssToken_FindTrustForCertificate(instance->token, NULL,
+ &c->encoding, &c->issuer, &c->serial,
+ nssTokenSearchType_TokenOnly);
+ NSSToken *ctok = instance->token;
+ PRBool ro = PK11_IsReadOnly(ctok->pk11slot);
+
+ if (to) {
+ nssCryptokiObject_Destroy(to);
+ ttok = ctok;
+ if (!ro) {
+ break;
+ }
+ } else {
+ if (!rtok && ro) {
+ rtok = ctok;
+ }
+ if (!tok && !ro) {
+ tok = ctok;
+ }
+ }
}
nssCryptokiObjectArray_Destroy(instances);
return ttok ? ttok : (tok ? tok : rtok);
@@ -1107,15 +1101,15 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
}
oldTrust = nssTrust_GetCERTCertTrustForCert(c, cc);
if (oldTrust) {
- if (memcmp(oldTrust, trust, sizeof (CERTCertTrust)) == 0) {
- /* ... and the new trust is no different, done) */
- return PR_SUCCESS;
- } else {
- /* take over memory already allocated in cc's arena */
- newTrust = oldTrust;
- }
+ if (memcmp(oldTrust, trust, sizeof(CERTCertTrust)) == 0) {
+ /* ... and the new trust is no different, done) */
+ return PR_SUCCESS;
+ } else {
+ /* take over memory already allocated in cc's arena */
+ newTrust = oldTrust;
+ }
} else {
- newTrust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
+ newTrust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
}
memcpy(newTrust, trust, sizeof(CERTCertTrust));
CERT_LockCertTrust(cc);
@@ -1123,16 +1117,17 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
CERT_UnlockCertTrust(cc);
/* Set the NSSCerticate's trust */
arena = nssArena_Create();
- if (!arena) return PR_FAILURE;
+ if (!arena)
+ return PR_FAILURE;
nssTrust = nss_ZNEW(arena, NSSTrust);
if (!nssTrust) {
- nssArena_Destroy(arena);
- return PR_FAILURE;
+ nssArena_Destroy(arena);
+ return PR_FAILURE;
}
pkiob = nssPKIObject_Create(arena, NULL, cc->dbhandle, NULL, nssPKILock);
if (!pkiob) {
- nssArena_Destroy(arena);
- return PR_FAILURE;
+ nssArena_Destroy(arena);
+ return PR_FAILURE;
}
nssTrust->object = *pkiob;
nssTrust->certificate = c;
@@ -1140,120 +1135,120 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
nssTrust->clientAuth = get_stan_trust(trust->sslFlags, PR_TRUE);
nssTrust->emailProtection = get_stan_trust(trust->emailFlags, PR_FALSE);
nssTrust->codeSigning = get_stan_trust(trust->objectSigningFlags, PR_FALSE);
- nssTrust->stepUpApproved =
- (PRBool)(trust->sslFlags & CERTDB_GOVT_APPROVED_CA);
+ nssTrust->stepUpApproved =
+ (PRBool)(trust->sslFlags & CERTDB_GOVT_APPROVED_CA);
if (c->object.cryptoContext != NULL) {
- /* The cert is in a context, set the trust there */
- NSSCryptoContext *cc = c->object.cryptoContext;
- nssrv = nssCryptoContext_ImportTrust(cc, nssTrust);
- if (nssrv != PR_SUCCESS) {
- goto done;
- }
- if (c->object.numInstances == 0) {
- /* The context is the only instance, finished */
- goto done;
- }
+ /* The cert is in a context, set the trust there */
+ NSSCryptoContext *cc = c->object.cryptoContext;
+ nssrv = nssCryptoContext_ImportTrust(cc, nssTrust);
+ if (nssrv != PR_SUCCESS) {
+ goto done;
+ }
+ if (c->object.numInstances == 0) {
+ /* The context is the only instance, finished */
+ goto done;
+ }
}
td = STAN_GetDefaultTrustDomain();
tok = stan_GetTrustToken(c);
moving_object = PR_FALSE;
- if (tok && PK11_IsReadOnly(tok->pk11slot)) {
- NSSRWLock_LockRead(td->tokensLock);
- tokens = nssList_CreateIterator(td->tokenList);
- if (!tokens) {
- nssrv = PR_FAILURE;
- NSSRWLock_UnlockRead(td->tokensLock);
- goto done;
- }
- for (tok = (NSSToken *)nssListIterator_Start(tokens);
- tok != (NSSToken *)NULL;
- tok = (NSSToken *)nssListIterator_Next(tokens))
- {
- if (!PK11_IsReadOnly(tok->pk11slot)) break;
- }
- nssListIterator_Finish(tokens);
- nssListIterator_Destroy(tokens);
- NSSRWLock_UnlockRead(td->tokensLock);
- moving_object = PR_TRUE;
- }
+ if (tok && PK11_IsReadOnly(tok->pk11slot)) {
+ NSSRWLock_LockRead(td->tokensLock);
+ tokens = nssList_CreateIterator(td->tokenList);
+ if (!tokens) {
+ nssrv = PR_FAILURE;
+ NSSRWLock_UnlockRead(td->tokensLock);
+ goto done;
+ }
+ for (tok = (NSSToken *)nssListIterator_Start(tokens);
+ tok != (NSSToken *)NULL;
+ tok = (NSSToken *)nssListIterator_Next(tokens)) {
+ if (!PK11_IsReadOnly(tok->pk11slot))
+ break;
+ }
+ nssListIterator_Finish(tokens);
+ nssListIterator_Destroy(tokens);
+ NSSRWLock_UnlockRead(td->tokensLock);
+ moving_object = PR_TRUE;
+ }
if (tok) {
- if (moving_object) {
- /* this is kind of hacky. the softoken needs the cert
- * object in order to store trust. forcing it to be perm
- */
- NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
- NSSASCII7 *email = NULL;
-
- if (PK11_IsInternal(tok->pk11slot)) {
- email = c->email;
- }
- newInstance = nssToken_ImportCertificate(tok, NULL,
- NSSCertificateType_PKIX,
- &c->id,
- nickname,
- &c->encoding,
- &c->issuer,
- &c->subject,
- &c->serial,
- email,
- PR_TRUE);
+ if (moving_object) {
+ /* this is kind of hacky. the softoken needs the cert
+ * object in order to store trust. forcing it to be perm
+ */
+ NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
+ NSSASCII7 *email = NULL;
+
+ if (PK11_IsInternal(tok->pk11slot)) {
+ email = c->email;
+ }
+ newInstance = nssToken_ImportCertificate(tok, NULL,
+ NSSCertificateType_PKIX,
+ &c->id,
+ nickname,
+ &c->encoding,
+ &c->issuer,
+ &c->subject,
+ &c->serial,
+ email,
+ PR_TRUE);
nss_ZFreeIf(nickname);
nickname = NULL;
- if (!newInstance) {
- nssrv = PR_FAILURE;
- goto done;
- }
- nssPKIObject_AddInstance(&c->object, newInstance);
- }
- newInstance = nssToken_ImportTrust(tok, NULL, &c->encoding,
- &c->issuer, &c->serial,
- nssTrust->serverAuth,
- nssTrust->clientAuth,
- nssTrust->codeSigning,
- nssTrust->emailProtection,
- nssTrust->stepUpApproved, PR_TRUE);
- /* If the selected token can't handle trust, dump the trust on
- * the internal token */
- if (!newInstance && !PK11_IsInternalKeySlot(tok->pk11slot)) {
- PK11SlotInfo *slot = PK11_GetInternalKeySlot();
- NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
- NSSASCII7 *email = c->email;
- tok = PK11Slot_GetNSSToken(slot);
- PK11_FreeSlot(slot);
-
- newInstance = nssToken_ImportCertificate(tok, NULL,
- NSSCertificateType_PKIX,
- &c->id,
- nickname,
- &c->encoding,
- &c->issuer,
- &c->subject,
- &c->serial,
- email,
- PR_TRUE);
+ if (!newInstance) {
+ nssrv = PR_FAILURE;
+ goto done;
+ }
+ nssPKIObject_AddInstance(&c->object, newInstance);
+ }
+ newInstance = nssToken_ImportTrust(tok, NULL, &c->encoding,
+ &c->issuer, &c->serial,
+ nssTrust->serverAuth,
+ nssTrust->clientAuth,
+ nssTrust->codeSigning,
+ nssTrust->emailProtection,
+ nssTrust->stepUpApproved, PR_TRUE);
+ /* If the selected token can't handle trust, dump the trust on
+ * the internal token */
+ if (!newInstance && !PK11_IsInternalKeySlot(tok->pk11slot)) {
+ PK11SlotInfo *slot = PK11_GetInternalKeySlot();
+ NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
+ NSSASCII7 *email = c->email;
+ tok = PK11Slot_GetNSSToken(slot);
+ PK11_FreeSlot(slot);
+
+ newInstance = nssToken_ImportCertificate(tok, NULL,
+ NSSCertificateType_PKIX,
+ &c->id,
+ nickname,
+ &c->encoding,
+ &c->issuer,
+ &c->subject,
+ &c->serial,
+ email,
+ PR_TRUE);
nss_ZFreeIf(nickname);
nickname = NULL;
- if (!newInstance) {
- nssrv = PR_FAILURE;
- goto done;
- }
- nssPKIObject_AddInstance(&c->object, newInstance);
- newInstance = nssToken_ImportTrust(tok, NULL, &c->encoding,
- &c->issuer, &c->serial,
- nssTrust->serverAuth,
- nssTrust->clientAuth,
- nssTrust->codeSigning,
- nssTrust->emailProtection,
- nssTrust->stepUpApproved, PR_TRUE);
- }
- if (newInstance) {
- nssCryptokiObject_Destroy(newInstance);
- nssrv = PR_SUCCESS;
- } else {
- nssrv = PR_FAILURE;
- }
+ if (!newInstance) {
+ nssrv = PR_FAILURE;
+ goto done;
+ }
+ nssPKIObject_AddInstance(&c->object, newInstance);
+ newInstance = nssToken_ImportTrust(tok, NULL, &c->encoding,
+ &c->issuer, &c->serial,
+ nssTrust->serverAuth,
+ nssTrust->clientAuth,
+ nssTrust->codeSigning,
+ nssTrust->emailProtection,
+ nssTrust->stepUpApproved, PR_TRUE);
+ }
+ if (newInstance) {
+ nssCryptokiObject_Destroy(newInstance);
+ nssrv = PR_SUCCESS;
+ } else {
+ nssrv = PR_FAILURE;
+ }
} else {
- nssrv = PR_FAILURE;
+ nssrv = PR_FAILURE;
}
done:
(void)nssTrust_Destroy(nssTrust);
@@ -1271,41 +1266,40 @@ done:
static PRStatus
DeleteCertTrustMatchingSlot(PK11SlotInfo *pk11slot, nssPKIObject *tObject)
{
- int numNotDestroyed = 0; /* the ones skipped plus the failures */
- int failureCount = 0; /* actual deletion failures by devices */
+ int numNotDestroyed = 0; /* the ones skipped plus the failures */
+ int failureCount = 0; /* actual deletion failures by devices */
unsigned int index;
nssPKIObject_AddRef(tObject);
nssPKIObject_Lock(tObject);
/* Keep going even if a module fails to delete. */
for (index = 0; index < tObject->numInstances; index++) {
- nssCryptokiObject *instance = tObject->instances[index];
- if (!instance) {
- continue;
- }
-
- /* ReadOnly and not matched treated the same */
- if (PK11_IsReadOnly(instance->token->pk11slot) ||
- pk11slot != instance->token->pk11slot) {
- tObject->instances[numNotDestroyed++] = instance;
- continue;
- }
-
- /* Here we have found a matching one */
- tObject->instances[index] = NULL;
- if (nssToken_DeleteStoredObject(instance) == PR_SUCCESS) {
- nssCryptokiObject_Destroy(instance);
- } else {
- tObject->instances[numNotDestroyed++] = instance;
- failureCount++;
- }
+ nssCryptokiObject *instance = tObject->instances[index];
+ if (!instance) {
+ continue;
+ }
+ /* ReadOnly and not matched treated the same */
+ if (PK11_IsReadOnly(instance->token->pk11slot) ||
+ pk11slot != instance->token->pk11slot) {
+ tObject->instances[numNotDestroyed++] = instance;
+ continue;
+ }
+
+ /* Here we have found a matching one */
+ tObject->instances[index] = NULL;
+ if (nssToken_DeleteStoredObject(instance) == PR_SUCCESS) {
+ nssCryptokiObject_Destroy(instance);
+ } else {
+ tObject->instances[numNotDestroyed++] = instance;
+ failureCount++;
+ }
}
if (numNotDestroyed == 0) {
- nss_ZFreeIf(tObject->instances);
- tObject->numInstances = 0;
+ nss_ZFreeIf(tObject->instances);
+ tObject->numInstances = 0;
} else {
- tObject->numInstances = numNotDestroyed;
+ tObject->numInstances = numNotDestroyed;
}
nssPKIObject_Unlock(tObject);
@@ -1316,19 +1310,24 @@ DeleteCertTrustMatchingSlot(PK11SlotInfo *pk11slot, nssPKIObject *tObject)
/*
** Delete trust objects matching the slot of the given certificate.
-** Returns an error if any device fails to delete.
+** Returns an error if any device fails to delete.
*/
NSS_EXTERN PRStatus
STAN_DeleteCertTrustMatchingSlot(NSSCertificate *c)
{
PRStatus nssrv = PR_SUCCESS;
+ unsigned int i;
+ nssPKIObject *tobject = NULL;
+ nssPKIObject *cobject = &c->object;
+
NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
NSSTrust *nssTrust = nssTrustDomain_FindTrustForCertificate(td, c);
- /* caller made sure nssTrust isn't NULL */
- nssPKIObject *tobject = &nssTrust->object;
- nssPKIObject *cobject = &c->object;
- unsigned int i;
+ if (!nssTrust) {
+ return PR_FAILURE;
+ }
+
+ tobject = &nssTrust->object;
/* Iterate through the cert and trust object instances looking for
* those with matching pk11 slots to delete. Even if some device
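Review bot: The header comment on STAN_DeleteCertTrustMatchingSlot still documents only the "device fails to delete" error, but the new `if (!nssTrust)` guard makes PR_FAILURE also mean that no trust object was found for the certificate. I would add a line such as `** Also returns PR_FAILURE when no trust object exists for the certificate.` so callers do not read that result as a failed deletion. The guard returns without setting an error code, so the two outcomes look identical to a caller as far as this hunk shows; whether any caller needs to tell them apart is not visible here. The function body continues outside the hunk.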
@@ -1339,17 +1338,19 @@ STAN_DeleteCertTrustMatchingSlot(NSSCertificate *c)
nssPKIObject_AddRef(cobject);
nssPKIObject_Lock(cobject);
for (i = 0; i < cobject->numInstances; i++) {
- nssCryptokiObject *cInstance = cobject->instances[i];
- if (cInstance && !PK11_IsReadOnly(cInstance->token->pk11slot)) {
- PRStatus status;
- if (!tobject->numInstances || !tobject->instances) continue;
- status = DeleteCertTrustMatchingSlot(cInstance->token->pk11slot, tobject);
- if (status == PR_FAILURE) {
- /* set the outer one but keep going */
- nssrv = PR_FAILURE;
- }
- }
+ nssCryptokiObject *cInstance = cobject->instances[i];
+ if (cInstance && !PK11_IsReadOnly(cInstance->token->pk11slot)) {
+ PRStatus status;
+ if (!tobject->numInstances || !tobject->instances)
+ continue;
+ status = DeleteCertTrustMatchingSlot(cInstance->token->pk11slot, tobject);
+ if (status == PR_FAILURE) {
+ /* set the outer one but keep going */
+ nssrv = PR_FAILURE;
+ }
+ }
}
+ nssTrust_Destroy(nssTrust);
nssPKIObject_Unlock(cobject);
nssPKIObject_Destroy(cobject);
NSSRWLock_UnlockRead(td->tokensLock);
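Review bot: The added `nssTrust_Destroy(nssTrust);` drops its return value silently, while the same call after `done:` in STAN_ChangeCertTrust is written `(void)nssTrust_Destroy(nssTrust);`; I would use the cast here too so the ignored status is visibly deliberate. The call also sits before `nssPKIObject_Unlock(cobject)`, so the trust object is released while the certificate object lock and the tokens read lock are still held. `tobject` is not used after the loop in the visible lines, so moving the call below the unlocks looks safe, though the function starts and ends outside this hunk. A short comment such as `/* release the reference obtained from nssTrustDomain_FindTrustForCertificate */` would record why the call is needed.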
@@ -1358,12 +1359,11 @@ STAN_DeleteCertTrustMatchingSlot(NSSCertificate *c)
/* CERT_TraversePermCertsForSubject */
NSS_IMPLEMENT PRStatus
-nssTrustDomain_TraverseCertificatesBySubject (
- NSSTrustDomain *td,
- NSSDER *subject,
- PRStatus (*callback)(NSSCertificate *c, void *arg),
- void *arg
-)
+nssTrustDomain_TraverseCertificatesBySubject(
+ NSSTrustDomain *td,
+ NSSDER *subject,
+ PRStatus (*callback)(NSSCertificate *c, void *arg),
+ void *arg)
{
PRStatus nssrv = PR_SUCCESS;
NSSArena *tmpArena;
@@ -1377,10 +1377,11 @@ nssTrustDomain_TraverseCertificatesBySubject (
subjectCerts = NSSTrustDomain_FindCertificatesBySubject(td, subject, NULL,
0, tmpArena);
if (subjectCerts) {
- for (i=0, c = subjectCerts[i]; c; i++) {
- nssrv = callback(c, arg);
- if (nssrv != PR_SUCCESS) break;
- }
+ for (i = 0, c = subjectCerts[i]; c; i++) {
+ nssrv = callback(c, arg);
+ if (nssrv != PR_SUCCESS)
+ break;
+ }
}
nssArena_Destroy(tmpArena);
return nssrv;
@@ -1388,12 +1389,11 @@ nssTrustDomain_TraverseCertificatesBySubject (
/* CERT_TraversePermCertsForNickname */
NSS_IMPLEMENT PRStatus
-nssTrustDomain_TraverseCertificatesByNickname (
- NSSTrustDomain *td,
- NSSUTF8 *nickname,
- PRStatus (*callback)(NSSCertificate *c, void *arg),
- void *arg
-)
+nssTrustDomain_TraverseCertificatesByNickname(
+ NSSTrustDomain *td,
+ NSSUTF8 *nickname,
+ PRStatus (*callback)(NSSCertificate *c, void *arg),
+ void *arg)
{
PRStatus nssrv = PR_SUCCESS;
NSSArena *tmpArena;
@@ -1407,16 +1407,18 @@ nssTrustDomain_TraverseCertificatesByNickname (
nickCerts = NSSTrustDomain_FindCertificatesByNickname(td, nickname, NULL,
0, tmpArena);
if (nickCerts) {
- for (i=0, c = nickCerts[i]; c; i++) {
- nssrv = callback(c, arg);
- if (nssrv != PR_SUCCESS) break;
- }
+ for (i = 0, c = nickCerts[i]; c; i++) {
+ nssrv = callback(c, arg);
+ if (nssrv != PR_SUCCESS)
+ break;
+ }
}
nssArena_Destroy(tmpArena);
return nssrv;
}
-static void cert_dump_iter(const void *k, void *v, void *a)
+static void
+cert_dump_iter(const void *k, void *v, void *a)
{
NSSCertificate *c = (NSSCertificate *)k;
CERTCertificate *cert = STAN_GetCERTCertificate(c);
@@ -1434,7 +1436,6 @@ nss_DumpCertificateCacheInfo()
nssTrustDomain_DumpCacheInfo(td, cert_dump_iter, NULL);
printf("\n\nCertificates in the temporary store:\n");
if (cc->certStore) {
- nssCertificateStore_DumpStoreInfo(cc->certStore, cert_dump_iter, NULL);
+ nssCertificateStore_DumpStoreInfo(cc->certStore, cert_dump_iter, NULL);
}
}
-