diff options
Diffstat (limited to 'nss/lib/pk11wrap/pk11nobj.c')
-rw-r--r-- | nss/lib/pk11wrap/pk11nobj.c | 597 |
1 files changed, 302 insertions, 295 deletions
diff --git a/nss/lib/pk11wrap/pk11nobj.c b/nss/lib/pk11wrap/pk11nobj.c index dcca434..41d1d96 100644 --- a/nss/lib/pk11wrap/pk11nobj.c +++ b/nss/lib/pk11wrap/pk11nobj.c @@ -14,20 +14,20 @@ #include "pkcs11.h" #include "pk11func.h" #include "cert.h" -#include "certi.h" +#include "certi.h" #include "secitem.h" -#include "sechash.h" +#include "sechash.h" #include "secoid.h" -#include "certdb.h" +#include "certdb.h" #include "secerr.h" #include "pki3hack.h" -#include "dev3hack.h" +#include "dev3hack.h" -#include "devm.h" +#include "devm.h" #include "pki.h" -#include "pkim.h" +#include "pkim.h" extern const NSSError NSS_ERROR_NOT_FOUND; @@ -35,135 +35,135 @@ CK_TRUST pk11_GetTrustField(PK11SlotInfo *slot, PLArenaPool *arena, CK_OBJECT_HANDLE id, CK_ATTRIBUTE_TYPE type) { - CK_TRUST rv = 0; - SECItem item; + CK_TRUST rv = 0; + SECItem item; - item.data = NULL; - item.len = 0; + item.data = NULL; + item.len = 0; - if( SECSuccess == PK11_ReadAttribute(slot, id, type, arena, &item) ) { - PORT_Assert(item.len == sizeof(CK_TRUST)); - PORT_Memcpy(&rv, item.data, sizeof(CK_TRUST)); - /* Damn, is there an endian problem here? */ - return rv; - } + if (SECSuccess == PK11_ReadAttribute(slot, id, type, arena, &item)) { + PORT_Assert(item.len == sizeof(CK_TRUST)); + PORT_Memcpy(&rv, item.data, sizeof(CK_TRUST)); + /* Damn, is there an endian problem here? */ + return rv; + } - return 0; + return 0; } PRBool pk11_HandleTrustObject(PK11SlotInfo *slot, CERTCertificate *cert, CERTCertTrust *trust) { - PLArenaPool *arena; - - CK_ATTRIBUTE tobjTemplate[] = { - { CKA_CLASS, NULL, 0 }, - { CKA_CERT_SHA1_HASH, NULL, 0 }, - }; + PLArenaPool *arena; - CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST; - CK_OBJECT_HANDLE tobjID; - unsigned char sha1_hash[SHA1_LENGTH]; + CK_ATTRIBUTE tobjTemplate[] = { + { CKA_CLASS, NULL, 0 }, + { CKA_CERT_SHA1_HASH, NULL, 0 }, + }; - CK_TRUST serverAuth, codeSigning, emailProtection, clientAuth; + CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST; + CK_OBJECT_HANDLE tobjID; + unsigned char sha1_hash[SHA1_LENGTH]; - PK11_HashBuf(SEC_OID_SHA1, sha1_hash, cert->derCert.data, cert->derCert.len); + CK_TRUST serverAuth, codeSigning, emailProtection, clientAuth; - PK11_SETATTRS(&tobjTemplate[0], CKA_CLASS, &tobjc, sizeof(tobjc)); - PK11_SETATTRS(&tobjTemplate[1], CKA_CERT_SHA1_HASH, sha1_hash, - SHA1_LENGTH); + PK11_HashBuf(SEC_OID_SHA1, sha1_hash, cert->derCert.data, cert->derCert.len); - tobjID = pk11_FindObjectByTemplate(slot, tobjTemplate, - sizeof(tobjTemplate)/sizeof(tobjTemplate[0])); - if( CK_INVALID_HANDLE == tobjID ) { - return PR_FALSE; - } + PK11_SETATTRS(&tobjTemplate[0], CKA_CLASS, &tobjc, sizeof(tobjc)); + PK11_SETATTRS(&tobjTemplate[1], CKA_CERT_SHA1_HASH, sha1_hash, + SHA1_LENGTH); - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if( NULL == arena ) return PR_FALSE; + tobjID = pk11_FindObjectByTemplate(slot, tobjTemplate, + sizeof(tobjTemplate) / sizeof(tobjTemplate[0])); + if (CK_INVALID_HANDLE == tobjID) { + return PR_FALSE; + } - /* Unfortunately, it seems that PK11_GetAttributes doesn't deal - * well with nonexistent attributes. I guess we have to check - * the trust info fields one at a time. - */ + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (NULL == arena) + return PR_FALSE; - /* We could verify CKA_CERT_HASH here */ + /* Unfortunately, it seems that PK11_GetAttributes doesn't deal + * well with nonexistent attributes. I guess we have to check + * the trust info fields one at a time. + */ - /* We could verify CKA_EXPIRES here */ + /* We could verify CKA_CERT_HASH here */ + /* We could verify CKA_EXPIRES here */ - /* "Purpose" trust information */ - serverAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_SERVER_AUTH); - clientAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CLIENT_AUTH); - codeSigning = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CODE_SIGNING); - emailProtection = pk11_GetTrustField(slot, arena, tobjID, - CKA_TRUST_EMAIL_PROTECTION); - /* Here's where the fun logic happens. We have to map back from the - * key usage, extended key usage, purpose, and possibly other trust values - * into the old trust-flags bits. */ + /* "Purpose" trust information */ + serverAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_SERVER_AUTH); + clientAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CLIENT_AUTH); + codeSigning = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CODE_SIGNING); + emailProtection = pk11_GetTrustField(slot, arena, tobjID, + CKA_TRUST_EMAIL_PROTECTION); + /* Here's where the fun logic happens. We have to map back from the + * key usage, extended key usage, purpose, and possibly other trust values + * into the old trust-flags bits. */ - /* First implementation: keep it simple for testing. We can study what other - * mappings would be appropriate and add them later.. fgmr 20000724 */ + /* First implementation: keep it simple for testing. We can study what other + * mappings would be appropriate and add them later.. fgmr 20000724 */ - if ( serverAuth == CKT_NSS_TRUSTED ) { - trust->sslFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; - } + if (serverAuth == CKT_NSS_TRUSTED) { + trust->sslFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; + } - if ( serverAuth == CKT_NSS_TRUSTED_DELEGATOR ) { - trust->sslFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | - CERTDB_NS_TRUSTED_CA; - } - if ( clientAuth == CKT_NSS_TRUSTED_DELEGATOR ) { - trust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA ; - } + if (serverAuth == CKT_NSS_TRUSTED_DELEGATOR) { + trust->sslFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | + CERTDB_NS_TRUSTED_CA; + } + if (clientAuth == CKT_NSS_TRUSTED_DELEGATOR) { + trust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA; + } - if ( emailProtection == CKT_NSS_TRUSTED ) { - trust->emailFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; - } + if (emailProtection == CKT_NSS_TRUSTED) { + trust->emailFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; + } - if ( emailProtection == CKT_NSS_TRUSTED_DELEGATOR ) { - trust->emailFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA; - } + if (emailProtection == CKT_NSS_TRUSTED_DELEGATOR) { + trust->emailFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA; + } - if( codeSigning == CKT_NSS_TRUSTED ) { - trust->objectSigningFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; - } + if (codeSigning == CKT_NSS_TRUSTED) { + trust->objectSigningFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; + } - if( codeSigning == CKT_NSS_TRUSTED_DELEGATOR ) { - trust->objectSigningFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA; - } + if (codeSigning == CKT_NSS_TRUSTED_DELEGATOR) { + trust->objectSigningFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA; + } - /* There's certainly a lot more logic that can go here.. */ + /* There's certainly a lot more logic that can go here.. */ - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); - return PR_TRUE; + return PR_TRUE; } static SECStatus pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg) { SECItem derCrl; - CERTCrlHeadNode *head = (CERTCrlHeadNode *) arg; + CERTCrlHeadNode *head = (CERTCrlHeadNode *)arg; CERTCrlNode *new_node = NULL; CK_ATTRIBUTE fetchCrl[3] = { - { CKA_VALUE, NULL, 0}, - { CKA_NETSCAPE_KRL, NULL, 0}, - { CKA_NETSCAPE_URL, NULL, 0}, + { CKA_VALUE, NULL, 0 }, + { CKA_NETSCAPE_KRL, NULL, 0 }, + { CKA_NETSCAPE_URL, NULL, 0 }, }; - const int fetchCrlSize = sizeof(fetchCrl)/sizeof(fetchCrl[2]); + const int fetchCrlSize = sizeof(fetchCrl) / sizeof(fetchCrl[2]); CK_RV crv; SECStatus rv = SECFailure; - crv = PK11_GetAttributes(head->arena,slot,crlID,fetchCrl,fetchCrlSize); + crv = PK11_GetAttributes(head->arena, slot, crlID, fetchCrl, fetchCrlSize); if (CKR_OK != crv) { - PORT_SetError(PK11_MapError(crv)); - goto loser; + PORT_SetError(PK11_MapError(crv)); + goto loser; } if (!fetchCrl[1].pValue) { - PORT_SetError(SEC_ERROR_CRL_INVALID); - goto loser; + PORT_SetError(SEC_ERROR_CRL_INVALID); + goto loser; } new_node = (CERTCrlNode *)PORT_ArenaAlloc(head->arena, sizeof(CERTCrlNode)); @@ -179,15 +179,15 @@ pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg) derCrl.type = siBuffer; derCrl.data = (unsigned char *)fetchCrl[0].pValue; derCrl.len = fetchCrl[0].ulValueLen; - new_node->crl=CERT_DecodeDERCrl(head->arena,&derCrl,new_node->type); + new_node->crl = CERT_DecodeDERCrl(head->arena, &derCrl, new_node->type); if (new_node->crl == NULL) { - goto loser; + goto loser; } if (fetchCrl[2].pValue) { int nnlen = fetchCrl[2].ulValueLen; - new_node->crl->url = (char *)PORT_ArenaAlloc(head->arena, nnlen+1); - if ( !new_node->crl->url ) { + new_node->crl->url = (char *)PORT_ArenaAlloc(head->arena, nnlen + 1); + if (!new_node->crl->url) { goto loser; } PORT_Memcpy(new_node->crl->url, fetchCrl[2].pValue, nnlen); @@ -196,7 +196,6 @@ pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg) new_node->crl->url = NULL; } - new_node->next = NULL; if (head->last) { head->last->next = new_node; @@ -207,7 +206,7 @@ pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg) rv = SECSuccess; loser: - return(rv); + return (rv); } /* @@ -215,7 +214,8 @@ loser: * CRLs are allocated in the list's arena. */ SECStatus -PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx) { +PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx) +{ pk11TraverseSlot creater; CK_ATTRIBUTE theTemplate[2]; CK_ATTRIBUTE *attrs; @@ -223,14 +223,16 @@ PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx) { CK_BBOOL isKrl = CK_FALSE; attrs = theTemplate; - PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); + attrs++; if (type != -1) { - isKrl = (CK_BBOOL) (type == SEC_KRL_TYPE); - PK11_SETATTRS(attrs, CKA_NETSCAPE_KRL, &isKrl, sizeof(isKrl)); attrs++; + isKrl = (CK_BBOOL)(type == SEC_KRL_TYPE); + PK11_SETATTRS(attrs, CKA_NETSCAPE_KRL, &isKrl, sizeof(isKrl)); + attrs++; } creater.callback = pk11_CollectCrls; - creater.callbackArg = (void *) nodes; + creater.callbackArg = (void *)nodes; creater.findTemplate = theTemplate; creater.templateCount = (attrs - theTemplate); @@ -238,7 +240,7 @@ PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx) { } struct crlOptionsStr { - CERTCrlHeadNode* head; + CERTCrlHeadNode *head; PRInt32 decodeOptions; }; @@ -248,32 +250,32 @@ static SECStatus pk11_RetrieveCrlsCallback(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg) { - SECItem* derCrl = NULL; - crlOptions* options = (crlOptions*) arg; + SECItem *derCrl = NULL; + crlOptions *options = (crlOptions *)arg; CERTCrlHeadNode *head = options->head; CERTCrlNode *new_node = NULL; CK_ATTRIBUTE fetchCrl[3] = { - { CKA_VALUE, NULL, 0}, - { CKA_NETSCAPE_KRL, NULL, 0}, - { CKA_NETSCAPE_URL, NULL, 0}, + { CKA_VALUE, NULL, 0 }, + { CKA_NETSCAPE_KRL, NULL, 0 }, + { CKA_NETSCAPE_URL, NULL, 0 }, }; - const int fetchCrlSize = sizeof(fetchCrl)/sizeof(fetchCrl[2]); + const int fetchCrlSize = sizeof(fetchCrl) / sizeof(fetchCrl[2]); CK_RV crv; SECStatus rv = SECFailure; PRBool adopted = PR_FALSE; /* whether the CRL adopted the DER memory successfully */ int i; - crv = PK11_GetAttributes(NULL,slot,crlID,fetchCrl,fetchCrlSize); + crv = PK11_GetAttributes(NULL, slot, crlID, fetchCrl, fetchCrlSize); if (CKR_OK != crv) { - PORT_SetError(PK11_MapError(crv)); - goto loser; + PORT_SetError(PK11_MapError(crv)); + goto loser; } if (!fetchCrl[1].pValue) { /* reject KRLs */ - PORT_SetError(SEC_ERROR_CRL_INVALID); - goto loser; + PORT_SetError(SEC_ERROR_CRL_INVALID); + goto loser; } new_node = (CERTCrlNode *)PORT_ArenaAlloc(head->arena, @@ -291,20 +293,20 @@ pk11_RetrieveCrlsCallback(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, derCrl->type = siBuffer; derCrl->data = (unsigned char *)fetchCrl[0].pValue; derCrl->len = fetchCrl[0].ulValueLen; - new_node->crl = CERT_DecodeDERCrlWithFlags(NULL, derCrl,new_node->type, + new_node->crl = CERT_DecodeDERCrlWithFlags(NULL, derCrl, new_node->type, options->decodeOptions); if (new_node->crl == NULL) { - goto loser; - } + goto loser; + } adopted = PR_TRUE; /* now that the CRL has adopted the DER memory, we won't need to free it upon exit */ if (fetchCrl[2].pValue && fetchCrl[2].ulValueLen) { /* copy the URL if there is one */ int nnlen = fetchCrl[2].ulValueLen; - new_node->crl->url = (char *)PORT_ArenaAlloc(new_node->crl->arena, - nnlen+1); - if ( !new_node->crl->url ) { + new_node->crl->url = (char *)PORT_ArenaAlloc(new_node->crl->arena, + nnlen + 1); + if (!new_node->crl->url) { goto loser; } PORT_Memcpy(new_node->crl->url, fetchCrl[2].pValue, nnlen); @@ -326,7 +328,7 @@ pk11_RetrieveCrlsCallback(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, loser: /* free attributes that weren't adopted by the CRL */ - for (i=1;i<fetchCrlSize;i++) { + for (i = 1; i < fetchCrlSize; i++) { if (fetchCrl[i].pValue) { PORT_Free(fetchCrl[i].pValue); } @@ -342,7 +344,7 @@ loser: /* free the memory for the SECItem structure itself */ SECITEM_FreeItem(derCrl, PR_TRUE); } - return(rv); + return (rv); } /* @@ -351,8 +353,9 @@ loser: * arena, so that they can be used individually in the CRL cache . * CRLs are always partially decoded for efficiency. */ -SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem* issuer, - void *wincx) +SECStatus +pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem *issuer, + void *wincx) { pk11TraverseSlot creater; CK_ATTRIBUTE theTemplate[2]; @@ -361,27 +364,27 @@ SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem* issuer, crlOptions options; attrs = theTemplate; - PK11_SETATTRS(attrs, CKA_CLASS, &crlClass, sizeof(crlClass)); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &crlClass, sizeof(crlClass)); + attrs++; options.head = nodes; - /* - do a partial decoding - we don't need to decode the entries while - fetching + /* - do a partial decoding - we don't need to decode the entries while fetching - don't copy the DER for optimal performance - CRL can be very large - have the CRL objects adopt the DER, so SEC_DestroyCrl will free it - keep bad CRL objects. The CRL cache is interested in them, for security purposes. Bad CRL objects are a sign of something amiss. - */ + */ options.decodeOptions = CRL_DECODE_SKIP_ENTRIES | CRL_DECODE_DONT_COPY_DER | CRL_DECODE_ADOPT_HEAP_DER | CRL_DECODE_KEEP_BAD_CRL; - if (issuer) - { - PK11_SETATTRS(attrs, CKA_SUBJECT, issuer->data, issuer->len); attrs++; + if (issuer) { + PK11_SETATTRS(attrs, CKA_SUBJECT, issuer->data, issuer->len); + attrs++; } creater.callback = pk11_RetrieveCrlsCallback; - creater.callbackArg = (void *) &options; + creater.callbackArg = (void *)&options; creater.findTemplate = theTemplate; creater.templateCount = (attrs - theTemplate); @@ -389,71 +392,70 @@ SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem* issuer, } /* - * return the crl associated with a derSubjectName + * return the crl associated with a derSubjectName */ SECItem * PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *crlHandle, - SECItem *name, int type, char **pUrl) + SECItem *name, int type, char **pUrl) { NSSCRL **crls, **crlp, *crl = NULL; NSSDER subject; SECItem *rvItem; NSSTrustDomain *td = STAN_GetDefaultTrustDomain(); - char * url = NULL; + char *url = NULL; PORT_SetError(0); NSSITEM_FROM_SECITEM(&subject, name); if (*slot) { - nssCryptokiObject **instances; - nssPKIObjectCollection *collection; - nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; - NSSToken *token = PK11Slot_GetNSSToken(*slot); - collection = nssCRLCollection_Create(td, NULL); - if (!collection) { - goto loser; - } - instances = nssToken_FindCRLsBySubject(token, NULL, &subject, - tokenOnly, 0, NULL); - nssPKIObjectCollection_AddInstances(collection, instances, 0); - nss_ZFreeIf(instances); - crls = nssPKIObjectCollection_GetCRLs(collection, NULL, 0, NULL); - nssPKIObjectCollection_Destroy(collection); + nssCryptokiObject **instances; + nssPKIObjectCollection *collection; + nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; + NSSToken *token = PK11Slot_GetNSSToken(*slot); + collection = nssCRLCollection_Create(td, NULL); + if (!collection) { + goto loser; + } + instances = nssToken_FindCRLsBySubject(token, NULL, &subject, + tokenOnly, 0, NULL); + nssPKIObjectCollection_AddInstances(collection, instances, 0); + nss_ZFreeIf(instances); + crls = nssPKIObjectCollection_GetCRLs(collection, NULL, 0, NULL); + nssPKIObjectCollection_Destroy(collection); } else { - crls = nssTrustDomain_FindCRLsBySubject(td, &subject); + crls = nssTrustDomain_FindCRLsBySubject(td, &subject); } if ((!crls) || (*crls == NULL)) { - if (crls) { - nssCRLArray_Destroy(crls); - } - if (NSS_GetError() == NSS_ERROR_NOT_FOUND) { - PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); - } - goto loser; + if (crls) { + nssCRLArray_Destroy(crls); + } + if (NSS_GetError() == NSS_ERROR_NOT_FOUND) { + PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); + } + goto loser; } for (crlp = crls; *crlp; crlp++) { - if ((!(*crlp)->isKRL && type == SEC_CRL_TYPE) || - ((*crlp)->isKRL && type != SEC_CRL_TYPE)) - { - crl = nssCRL_AddRef(*crlp); - break; - } + if ((!(*crlp)->isKRL && type == SEC_CRL_TYPE) || + ((*crlp)->isKRL && type != SEC_CRL_TYPE)) { + crl = nssCRL_AddRef(*crlp); + break; + } } nssCRLArray_Destroy(crls); - if (!crl) { - /* CRL collection was found, but no interesting CRL's were on it. - * Not an error */ - PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); - goto loser; + if (!crl) { + /* CRL collection was found, but no interesting CRL's were on it. + * Not an error */ + PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); + goto loser; } if (crl->url) { - url = PORT_Strdup(crl->url); - if (!url) { - goto loser; - } + url = PORT_Strdup(crl->url); + if (!url) { + goto loser; + } } rvItem = SECITEM_AllocItem(NULL, NULL, crl->encoding.size); if (!rvItem) { - goto loser; + goto loser; } memcpy(rvItem->data, crl->encoding.data, crl->encoding.size); *slot = PK11_ReferenceSlot(crl->object.instances[0]->token->pk11slot); @@ -464,18 +466,18 @@ PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *crlHandle, loser: if (url) - PORT_Free(url); + PORT_Free(url); if (crl) - nssCRL_Destroy(crl); + nssCRL_Destroy(crl); if (PORT_GetError() == 0) { - PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); + PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); } return NULL; } CK_OBJECT_HANDLE -PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name, - char *url, int type) +PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name, + char *url, int type) { NSSItem derCRL, derSubject; NSSToken *token = PK11Slot_GetNSSToken(slot); @@ -486,20 +488,19 @@ PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name, NSSITEM_FROM_SECITEM(&derSubject, name); NSSITEM_FROM_SECITEM(&derCRL, crl); - object = nssToken_ImportCRL(token, NULL, + object = nssToken_ImportCRL(token, NULL, &derSubject, &derCRL, isKRL, url, PR_TRUE); if (object) { - rvH = object->handle; - nssCryptokiObject_Destroy(object); + rvH = object->handle; + nssCryptokiObject_Destroy(object); } else { - rvH = CK_INVALID_HANDLE; + rvH = CK_INVALID_HANDLE; PORT_SetError(SEC_ERROR_CRL_IMPORT_FAILED); } return rvH; } - /* * delete a crl. */ @@ -513,9 +514,9 @@ SEC_DeletePermCRL(CERTSignedCrl *crl) if (slot == NULL) { PORT_Assert(slot); - /* shouldn't happen */ - PORT_SetError( SEC_ERROR_CRL_INVALID); - return SECFailure; + /* shouldn't happen */ + PORT_SetError(SEC_ERROR_CRL_INVALID); + return SECFailure; } token = PK11Slot_GetNSSToken(slot); @@ -534,129 +535,130 @@ SEC_DeletePermCRL(CERTSignedCrl *crl) } /* - * return the certificate associated with a derCert + * return the certificate associated with a derCert */ SECItem * PK11_FindSMimeProfile(PK11SlotInfo **slot, char *emailAddr, - SECItem *name, SECItem **profileTime) + SECItem *name, SECItem **profileTime) { CK_OBJECT_CLASS smimeClass = CKO_NETSCAPE_SMIME; CK_ATTRIBUTE theTemplate[] = { - { CKA_SUBJECT, NULL, 0 }, - { CKA_CLASS, NULL, 0 }, - { CKA_NETSCAPE_EMAIL, NULL, 0 }, + { CKA_SUBJECT, NULL, 0 }, + { CKA_CLASS, NULL, 0 }, + { CKA_NETSCAPE_EMAIL, NULL, 0 }, }; - CK_ATTRIBUTE smimeData[] = { - { CKA_SUBJECT, NULL, 0 }, - { CKA_VALUE, NULL, 0 }, + CK_ATTRIBUTE smimeData[] = { + { CKA_SUBJECT, NULL, 0 }, + { CKA_VALUE, NULL, 0 }, }; /* if you change the array, change the variable below as well */ - int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); + int tsize = sizeof(theTemplate) / sizeof(theTemplate[0]); CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE; CK_ATTRIBUTE *attrs = theTemplate; CK_RV crv; SECItem *emailProfile = NULL; if (!emailAddr || !emailAddr[0]) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } - PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); attrs++; - PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++; - PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, emailAddr, strlen(emailAddr)); - attrs++; + PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); + attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, emailAddr, strlen(emailAddr)); + attrs++; if (*slot) { - smimeh = pk11_FindObjectByTemplate(*slot,theTemplate,tsize); + smimeh = pk11_FindObjectByTemplate(*slot, theTemplate, tsize); } else { - PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, - PR_FALSE,PR_TRUE,NULL); - PK11SlotListElement *le; - - if (!list) { - return NULL; - } - /* loop through all the slots */ - for (le = list->head; le; le = le->next) { - smimeh = pk11_FindObjectByTemplate(le->slot,theTemplate,tsize); - if (smimeh != CK_INVALID_HANDLE) { - *slot = PK11_ReferenceSlot(le->slot); - break; - } - } - PK11_FreeSlotList(list); - } - + PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, + PR_FALSE, PR_TRUE, NULL); + PK11SlotListElement *le; + + if (!list) { + return NULL; + } + /* loop through all the slots */ + for (le = list->head; le; le = le->next) { + smimeh = pk11_FindObjectByTemplate(le->slot, theTemplate, tsize); + if (smimeh != CK_INVALID_HANDLE) { + *slot = PK11_ReferenceSlot(le->slot); + break; + } + } + PK11_FreeSlotList(list); + } + if (smimeh == CK_INVALID_HANDLE) { - PORT_SetError(SEC_ERROR_NO_KRL); - return NULL; + PORT_SetError(SEC_ERROR_NO_KRL); + return NULL; } if (profileTime) { - PK11_SETATTRS(smimeData, CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0); - } - - crv = PK11_GetAttributes(NULL,*slot,smimeh,smimeData,2); + PK11_SETATTRS(smimeData, CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0); + } + + crv = PK11_GetAttributes(NULL, *slot, smimeh, smimeData, 2); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError (crv)); - goto loser; + PORT_SetError(PK11_MapError(crv)); + goto loser; } if (!profileTime) { - SECItem profileSubject; + SECItem profileSubject; - profileSubject.data = (unsigned char*) smimeData[0].pValue; - profileSubject.len = smimeData[0].ulValueLen; - if (!SECITEM_ItemsAreEqual(&profileSubject,name)) { - goto loser; - } + profileSubject.data = (unsigned char *)smimeData[0].pValue; + profileSubject.len = smimeData[0].ulValueLen; + if (!SECITEM_ItemsAreEqual(&profileSubject, name)) { + goto loser; + } } - emailProfile = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); + emailProfile = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); if (emailProfile == NULL) { - goto loser; + goto loser; } - emailProfile->data = (unsigned char*) smimeData[1].pValue; + emailProfile->data = (unsigned char *)smimeData[1].pValue; emailProfile->len = smimeData[1].ulValueLen; if (profileTime) { - *profileTime = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); - if (*profileTime) { - (*profileTime)->data = (unsigned char*) smimeData[0].pValue; - (*profileTime)->len = smimeData[0].ulValueLen; - } + *profileTime = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); + if (*profileTime) { + (*profileTime)->data = (unsigned char *)smimeData[0].pValue; + (*profileTime)->len = smimeData[0].ulValueLen; + } } loser: if (emailProfile == NULL) { - if (smimeData[1].pValue) { - PORT_Free(smimeData[1].pValue); - } + if (smimeData[1].pValue) { + PORT_Free(smimeData[1].pValue); + } } if (profileTime == NULL || *profileTime == NULL) { - if (smimeData[0].pValue) { - PORT_Free(smimeData[0].pValue); - } + if (smimeData[0].pValue) { + PORT_Free(smimeData[0].pValue); + } } return emailProfile; } - SECStatus PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj, - SECItem *emailProfile, SECItem *profileTime) + SECItem *emailProfile, SECItem *profileTime) { CK_OBJECT_CLASS smimeClass = CKO_NETSCAPE_SMIME; CK_BBOOL ck_true = CK_TRUE; CK_ATTRIBUTE theTemplate[] = { - { CKA_CLASS, NULL, 0 }, - { CKA_TOKEN, NULL, 0 }, - { CKA_SUBJECT, NULL, 0 }, - { CKA_NETSCAPE_EMAIL, NULL, 0 }, - { CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0 }, - { CKA_VALUE, NULL, 0 } + { CKA_CLASS, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_SUBJECT, NULL, 0 }, + { CKA_NETSCAPE_EMAIL, NULL, 0 }, + { CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0 }, + { CKA_VALUE, NULL, 0 } }; /* if you change the array, change the variable below as well */ int realSize = 0; @@ -666,60 +668,65 @@ PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj, PK11SlotInfo *free_slot = NULL; CK_RV crv; #ifdef DEBUG - int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); + int tsize = sizeof(theTemplate) / sizeof(theTemplate[0]); #endif - PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++; - PK11_SETATTRS(attrs, CKA_TOKEN, &ck_true, sizeof(ck_true)); attrs++; - PK11_SETATTRS(attrs, CKA_SUBJECT, derSubj->data, derSubj->len); attrs++; - PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, - emailAddr, PORT_Strlen(emailAddr)+1); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &ck_true, sizeof(ck_true)); + attrs++; + PK11_SETATTRS(attrs, CKA_SUBJECT, derSubj->data, derSubj->len); + attrs++; + PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, + emailAddr, PORT_Strlen(emailAddr) + 1); + attrs++; if (profileTime) { - PK11_SETATTRS(attrs, CKA_NETSCAPE_SMIME_TIMESTAMP, profileTime->data, - profileTime->len); attrs++; - PK11_SETATTRS(attrs, CKA_VALUE,emailProfile->data, - emailProfile->len); attrs++; + PK11_SETATTRS(attrs, CKA_NETSCAPE_SMIME_TIMESTAMP, profileTime->data, + profileTime->len); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE, emailProfile->data, + emailProfile->len); + attrs++; } realSize = attrs - theTemplate; - PORT_Assert (realSize <= tsize); + PORT_Assert(realSize <= tsize); if (slot == NULL) { - free_slot = slot = PK11_GetInternalKeySlot(); - /* we need to free the key slot in the end!!! */ + free_slot = slot = PK11_GetInternalKeySlot(); + /* we need to free the key slot in the end!!! */ } rwsession = PK11_GetRWSession(slot); if (rwsession == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_READ_ONLY); - if (free_slot) { - PK11_FreeSlot(free_slot); - } - return SECFailure; + PORT_SetError(SEC_ERROR_READ_ONLY); + if (free_slot) { + PK11_FreeSlot(free_slot); + } + return SECFailure; } - crv = PK11_GETTAB(slot)-> - C_CreateObject(rwsession,theTemplate,realSize,&smimeh); + crv = PK11_GETTAB(slot)->C_CreateObject(rwsession, theTemplate, realSize, &smimeh); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); + PORT_SetError(PK11_MapError(crv)); } - PK11_RestoreROSession(slot,rwsession); + PK11_RestoreROSession(slot, rwsession); if (free_slot) { - PK11_FreeSlot(free_slot); + PK11_FreeSlot(free_slot); } return SECSuccess; } - -CERTSignedCrl * crl_storeCRL (PK11SlotInfo *slot,char *url, - CERTSignedCrl *newCrl, SECItem *derCrl, int type); +CERTSignedCrl *crl_storeCRL(PK11SlotInfo *slot, char *url, + CERTSignedCrl *newCrl, SECItem *derCrl, int type); /* import the CRL into the token */ -CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url, - int type, void *wincx, PRInt32 importOptions, PLArenaPool* arena, - PRInt32 decodeoptions) +CERTSignedCrl * +PK11_ImportCRL(PK11SlotInfo *slot, SECItem *derCRL, char *url, + int type, void *wincx, PRInt32 importOptions, PLArenaPool *arena, + PRInt32 decodeoptions) { CERTSignedCrl *newCrl, *crl; SECStatus rv; @@ -733,27 +740,27 @@ CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url, if (newCrl == NULL) { if (type == SEC_CRL_TYPE) { /* only promote error when the error code is too generic */ - if (PORT_GetError () == SEC_ERROR_BAD_DER) + if (PORT_GetError() == SEC_ERROR_BAD_DER) PORT_SetError(SEC_ERROR_CRL_INVALID); - } else { + } else { PORT_SetError(SEC_ERROR_KRL_INVALID); } - break; + break; } - if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)){ - CERTCertDBHandle* handle = CERT_GetDefaultCertDB(); + if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)) { + CERTCertDBHandle *handle = CERT_GetDefaultCertDB(); PR_ASSERT(handle != NULL); - caCert = CERT_FindCertByName (handle, - &newCrl->crl.derName); + caCert = CERT_FindCertByName(handle, + &newCrl->crl.derName); if (caCert == NULL) { - PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); + PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); break; } /* If caCert is a v3 certificate, make sure that it can be used for crl signing purpose */ - rv = CERT_CheckCertUsage (caCert, KU_CRL_SIGN); + rv = CERT_CheckCertUsage(caCert, KU_CRL_SIGN); if (rv != SECSuccess) { break; } @@ -770,12 +777,12 @@ CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url, } } - crl = crl_storeCRL(slot, url, newCrl, derCRL, type); + crl = crl_storeCRL(slot, url, newCrl, derCRL, type); } while (0); if (crl == NULL) { - SEC_DestroyCrl (newCrl); + SEC_DestroyCrl(newCrl); } if (caCert) { CERT_DestroyCertificate(caCert); |