diff options
Diffstat (limited to 'nss/lib/pki/certificate.c')
-rw-r--r-- | nss/lib/pki/certificate.c | 1114 |
1 files changed, 522 insertions, 592 deletions
diff --git a/nss/lib/pki/certificate.c b/nss/lib/pki/certificate.c index fdf147c..4d94bc8 100644 --- a/nss/lib/pki/certificate.c +++ b/nss/lib/pki/certificate.c @@ -32,25 +32,24 @@ extern const NSSError NSS_ERROR_NOT_FOUND; /* Creates a certificate from a base object */ NSS_IMPLEMENT NSSCertificate * -nssCertificate_Create ( - nssPKIObject *object -) +nssCertificate_Create( + nssPKIObject *object) { PRStatus status; NSSCertificate *rvCert; - nssArenaMark * mark; + nssArenaMark *mark; NSSArena *arena = object->arena; PR_ASSERT(object->instances != NULL && object->numInstances > 0); PR_ASSERT(object->lockType == nssPKIMonitor); mark = nssArena_Mark(arena); rvCert = nss_ZNEW(arena, NSSCertificate); if (!rvCert) { - return (NSSCertificate *)NULL; + return (NSSCertificate *)NULL; } rvCert->object = *object; /* XXX should choose instance based on some criteria */ status = nssCryptokiCertificate_GetAttributes(object->instances[0], - NULL, /* XXX sessionOpt */ + NULL, /* XXX sessionOpt */ arena, &rvCert->type, &rvCert->id, @@ -59,236 +58,217 @@ nssCertificate_Create ( &rvCert->serial, &rvCert->subject); if (status != PR_SUCCESS || - !rvCert->encoding.data || - !rvCert->encoding.size || - !rvCert->issuer.data || - !rvCert->issuer.size || - !rvCert->serial.data || - !rvCert->serial.size) { - if (mark) - nssArena_Release(arena, mark); - return (NSSCertificate *)NULL; + !rvCert->encoding.data || + !rvCert->encoding.size || + !rvCert->issuer.data || + !rvCert->issuer.size || + !rvCert->serial.data || + !rvCert->serial.size) { + if (mark) + nssArena_Release(arena, mark); + return (NSSCertificate *)NULL; } if (mark) - nssArena_Unmark(arena, mark); + nssArena_Unmark(arena, mark); return rvCert; } NSS_IMPLEMENT NSSCertificate * -nssCertificate_AddRef ( - NSSCertificate *c -) +nssCertificate_AddRef( + NSSCertificate *c) { if (c) { - nssPKIObject_AddRef(&c->object); + nssPKIObject_AddRef(&c->object); } return c; } NSS_IMPLEMENT PRStatus -nssCertificate_Destroy ( - NSSCertificate *c -) +nssCertificate_Destroy( + NSSCertificate *c) { - nssCertificateStoreTrace lockTrace = {NULL, NULL, PR_FALSE, PR_FALSE}; - nssCertificateStoreTrace unlockTrace = {NULL, NULL, PR_FALSE, PR_FALSE}; + nssCertificateStoreTrace lockTrace = { NULL, NULL, PR_FALSE, PR_FALSE }; + nssCertificateStoreTrace unlockTrace = { NULL, NULL, PR_FALSE, PR_FALSE }; if (c) { - PRUint32 i; - nssDecodedCert *dc = c->decoding; - NSSTrustDomain *td = STAN_GetDefaultTrustDomain(); - NSSCryptoContext *cc = c->object.cryptoContext; - - PR_ASSERT(c->object.refCount > 0); - - /* --- LOCK storage --- */ - if (cc) { - nssCertificateStore_Lock(cc->certStore, &lockTrace); - } else { - nssTrustDomain_LockCertCache(td); - } - if (PR_ATOMIC_DECREMENT(&c->object.refCount) == 0) { - /* --- remove cert and UNLOCK storage --- */ - if (cc) { - nssCertificateStore_RemoveCertLOCKED(cc->certStore, c); - nssCertificateStore_Unlock(cc->certStore, &lockTrace, + PRUint32 i; + nssDecodedCert *dc = c->decoding; + NSSTrustDomain *td = STAN_GetDefaultTrustDomain(); + NSSCryptoContext *cc = c->object.cryptoContext; + + PR_ASSERT(c->object.refCount > 0); + + /* --- LOCK storage --- */ + if (cc) { + nssCertificateStore_Lock(cc->certStore, &lockTrace); + } else { + nssTrustDomain_LockCertCache(td); + } + if (PR_ATOMIC_DECREMENT(&c->object.refCount) == 0) { + /* --- remove cert and UNLOCK storage --- */ + if (cc) { + nssCertificateStore_RemoveCertLOCKED(cc->certStore, c); + nssCertificateStore_Unlock(cc->certStore, &lockTrace, &unlockTrace); - } else { - nssTrustDomain_RemoveCertFromCacheLOCKED(td, c); - nssTrustDomain_UnlockCertCache(td); - } - /* free cert data */ - for (i=0; i<c->object.numInstances; i++) { - nssCryptokiObject_Destroy(c->object.instances[i]); - } - nssPKIObject_DestroyLock(&c->object); - nssArena_Destroy(c->object.arena); - nssDecodedCert_Destroy(dc); - } else { - /* --- UNLOCK storage --- */ - if (cc) { - nssCertificateStore_Unlock(cc->certStore, - &lockTrace, - &unlockTrace); - } else { - nssTrustDomain_UnlockCertCache(td); - } - } + } else { + nssTrustDomain_RemoveCertFromCacheLOCKED(td, c); + nssTrustDomain_UnlockCertCache(td); + } + /* free cert data */ + for (i = 0; i < c->object.numInstances; i++) { + nssCryptokiObject_Destroy(c->object.instances[i]); + } + nssPKIObject_DestroyLock(&c->object); + nssArena_Destroy(c->object.arena); + nssDecodedCert_Destroy(dc); + } else { + /* --- UNLOCK storage --- */ + if (cc) { + nssCertificateStore_Unlock(cc->certStore, + &lockTrace, + &unlockTrace); + } else { + nssTrustDomain_UnlockCertCache(td); + } + } } return PR_SUCCESS; } NSS_IMPLEMENT PRStatus -NSSCertificate_Destroy ( - NSSCertificate *c -) +NSSCertificate_Destroy(NSSCertificate *c) { return nssCertificate_Destroy(c); } NSS_IMPLEMENT NSSDER * -nssCertificate_GetEncoding ( - NSSCertificate *c -) +nssCertificate_GetEncoding(NSSCertificate *c) { if (c->encoding.size > 0 && c->encoding.data) { - return &c->encoding; + return &c->encoding; } else { - return (NSSDER *)NULL; + return (NSSDER *)NULL; } } NSS_IMPLEMENT NSSDER * -nssCertificate_GetIssuer ( - NSSCertificate *c -) +nssCertificate_GetIssuer(NSSCertificate *c) { if (c->issuer.size > 0 && c->issuer.data) { - return &c->issuer; + return &c->issuer; } else { - return (NSSDER *)NULL; + return (NSSDER *)NULL; } } NSS_IMPLEMENT NSSDER * -nssCertificate_GetSerialNumber ( - NSSCertificate *c -) +nssCertificate_GetSerialNumber(NSSCertificate *c) { if (c->serial.size > 0 && c->serial.data) { - return &c->serial; + return &c->serial; } else { - return (NSSDER *)NULL; + return (NSSDER *)NULL; } } NSS_IMPLEMENT NSSDER * -nssCertificate_GetSubject ( - NSSCertificate *c -) +nssCertificate_GetSubject(NSSCertificate *c) { if (c->subject.size > 0 && c->subject.data) { - return &c->subject; + return &c->subject; } else { - return (NSSDER *)NULL; + return (NSSDER *)NULL; } } /* Returns a copy, Caller must free using nss_ZFreeIf */ NSS_IMPLEMENT NSSUTF8 * -nssCertificate_GetNickname ( - NSSCertificate *c, - NSSToken *tokenOpt -) +nssCertificate_GetNickname( + NSSCertificate *c, + NSSToken *tokenOpt) { return nssPKIObject_GetNicknameForToken(&c->object, tokenOpt); } NSS_IMPLEMENT NSSASCII7 * -nssCertificate_GetEmailAddress ( - NSSCertificate *c -) +nssCertificate_GetEmailAddress(NSSCertificate *c) { return c->email; } NSS_IMPLEMENT PRStatus -NSSCertificate_DeleteStoredObject ( - NSSCertificate *c, - NSSCallback *uhh -) +NSSCertificate_DeleteStoredObject( + NSSCertificate *c, + NSSCallback *uhh) { return nssPKIObject_DeleteStoredObject(&c->object, uhh, PR_TRUE); } NSS_IMPLEMENT PRStatus -NSSCertificate_Validate ( - NSSCertificate *c, - NSSTime *timeOpt, /* NULL for "now" */ - NSSUsage *usage, - NSSPolicies *policiesOpt /* NULL for none */ -) +NSSCertificate_Validate( + NSSCertificate *c, + NSSTime *timeOpt, /* NULL for "now" */ + NSSUsage *usage, + NSSPolicies *policiesOpt /* NULL for none */ + ) { nss_SetError(NSS_ERROR_NOT_FOUND); return PR_FAILURE; } NSS_IMPLEMENT void ** /* void *[] */ -NSSCertificate_ValidateCompletely ( - NSSCertificate *c, - NSSTime *timeOpt, /* NULL for "now" */ - NSSUsage *usage, - NSSPolicies *policiesOpt, /* NULL for none */ - void **rvOpt, /* NULL for allocate */ - PRUint32 rvLimit, /* zero for no limit */ - NSSArena *arenaOpt /* NULL for heap */ -) + NSSCertificate_ValidateCompletely( + NSSCertificate *c, + NSSTime *timeOpt, /* NULL for "now" */ + NSSUsage *usage, + NSSPolicies *policiesOpt, /* NULL for none */ + void **rvOpt, /* NULL for allocate */ + PRUint32 rvLimit, /* zero for no limit */ + NSSArena *arenaOpt /* NULL for heap */ + ) { nss_SetError(NSS_ERROR_NOT_FOUND); return NULL; } NSS_IMPLEMENT PRStatus -NSSCertificate_ValidateAndDiscoverUsagesAndPolicies ( - NSSCertificate *c, - NSSTime **notBeforeOutOpt, - NSSTime **notAfterOutOpt, - void *allowedUsages, - void *disallowedUsages, - void *allowedPolicies, - void *disallowedPolicies, - /* more args.. work on this fgmr */ - NSSArena *arenaOpt -) +NSSCertificate_ValidateAndDiscoverUsagesAndPolicies( + NSSCertificate *c, + NSSTime **notBeforeOutOpt, + NSSTime **notAfterOutOpt, + void *allowedUsages, + void *disallowedUsages, + void *allowedPolicies, + void *disallowedPolicies, + /* more args.. work on this fgmr */ + NSSArena *arenaOpt) { nss_SetError(NSS_ERROR_NOT_FOUND); return PR_FAILURE; } NSS_IMPLEMENT NSSDER * -NSSCertificate_Encode ( - NSSCertificate *c, - NSSDER *rvOpt, - NSSArena *arenaOpt -) +NSSCertificate_Encode( + NSSCertificate *c, + NSSDER *rvOpt, + NSSArena *arenaOpt) { /* Item, DER, BER are all typedefs now... */ return nssItem_Duplicate((NSSItem *)&c->encoding, arenaOpt, rvOpt); } NSS_IMPLEMENT nssDecodedCert * -nssCertificate_GetDecoding ( - NSSCertificate *c -) +nssCertificate_GetDecoding( + NSSCertificate *c) { - nssDecodedCert* deco = NULL; + nssDecodedCert *deco = NULL; if (c->type == NSSCertificateType_PKIX) { (void)STAN_GetCERTCertificate(c); } nssPKIObject_Lock(&c->object); if (!c->decoding) { - deco = nssDecodedCert_Create(NULL, &c->encoding, c->type); - PORT_Assert(!c->decoding); + deco = nssDecodedCert_Create(NULL, &c->encoding, c->type); + PORT_Assert(!c->decoding); c->decoding = deco; } else { deco = c->decoding; @@ -298,10 +278,9 @@ nssCertificate_GetDecoding ( } static NSSCertificate ** -filter_subject_certs_for_id ( - NSSCertificate **subjectCerts, - void *id -) +filter_subject_certs_for_id( + NSSCertificate **subjectCerts, + void *id) { NSSCertificate **si; nssDecodedCert *dcp; @@ -312,74 +291,71 @@ filter_subject_certs_for_id ( /* walk the subject certs */ for (si = subjectCerts; *si; si++) { - dcp = nssCertificate_GetDecoding(*si); - if (!dcp) { - NSSCertificate_Destroy(*si); - continue; - } - match = dcp->matchIdentifier(dcp, id); - switch (match) { - case nssCertIDMatch_Yes: - if (matchLevel == nssCertIDMatch_Unknown) { - /* we have non-definitive matches, forget them */ - for (i = 0; i < nextOpenSlot; i++) { - NSSCertificate_Destroy(subjectCerts[i]); - subjectCerts[i] = NULL; - } - nextOpenSlot = 0; - /* only keep definitive matches from now on */ - matchLevel = nssCertIDMatch_Yes; - } - /* keep the cert */ - subjectCerts[nextOpenSlot++] = *si; - break; - case nssCertIDMatch_Unknown: - if (matchLevel == nssCertIDMatch_Unknown) { - /* only have non-definitive matches so far, keep it */ - subjectCerts[nextOpenSlot++] = *si; - break; - } - /* else fall through, we have a definitive match already */ - case nssCertIDMatch_No: - default: - NSSCertificate_Destroy(*si); - *si = NULL; - } + dcp = nssCertificate_GetDecoding(*si); + if (!dcp) { + NSSCertificate_Destroy(*si); + continue; + } + match = dcp->matchIdentifier(dcp, id); + switch (match) { + case nssCertIDMatch_Yes: + if (matchLevel == nssCertIDMatch_Unknown) { + /* we have non-definitive matches, forget them */ + for (i = 0; i < nextOpenSlot; i++) { + NSSCertificate_Destroy(subjectCerts[i]); + subjectCerts[i] = NULL; + } + nextOpenSlot = 0; + /* only keep definitive matches from now on */ + matchLevel = nssCertIDMatch_Yes; + } + /* keep the cert */ + subjectCerts[nextOpenSlot++] = *si; + break; + case nssCertIDMatch_Unknown: + if (matchLevel == nssCertIDMatch_Unknown) { + /* only have non-definitive matches so far, keep it */ + subjectCerts[nextOpenSlot++] = *si; + break; + } + /* else fall through, we have a definitive match already */ + case nssCertIDMatch_No: + default: + NSSCertificate_Destroy(*si); + *si = NULL; + } } subjectCerts[nextOpenSlot] = NULL; return subjectCerts; } static NSSCertificate ** -filter_certs_for_valid_issuers ( - NSSCertificate **certs -) +filter_certs_for_valid_issuers(NSSCertificate **certs) { NSSCertificate **cp; nssDecodedCert *dcp; int nextOpenSlot = 0; for (cp = certs; *cp; cp++) { - dcp = nssCertificate_GetDecoding(*cp); - if (dcp && dcp->isValidIssuer(dcp)) { - certs[nextOpenSlot++] = *cp; - } else { - NSSCertificate_Destroy(*cp); - } + dcp = nssCertificate_GetDecoding(*cp); + if (dcp && dcp->isValidIssuer(dcp)) { + certs[nextOpenSlot++] = *cp; + } else { + NSSCertificate_Destroy(*cp); + } } certs[nextOpenSlot] = NULL; return certs; } static NSSCertificate * -find_cert_issuer ( - NSSCertificate *c, - NSSTime *timeOpt, - NSSUsage *usage, - NSSPolicies *policiesOpt, - NSSTrustDomain *td, - NSSCryptoContext *cc -) +find_cert_issuer( + NSSCertificate *c, + NSSTime *timeOpt, + NSSUsage *usage, + NSSPolicies *policiesOpt, + NSSTrustDomain *td, + NSSCryptoContext *cc) { NSSArena *arena; NSSCertificate **certs = NULL; @@ -388,47 +364,47 @@ find_cert_issuer ( NSSCertificate *issuer = NULL; if (!cc) - cc = c->object.cryptoContext; + cc = c->object.cryptoContext; if (!td) - td = NSSCertificate_GetTrustDomain(c); + td = NSSCertificate_GetTrustDomain(c); arena = nssArena_Create(); if (!arena) { - return (NSSCertificate *)NULL; + return (NSSCertificate *)NULL; } if (cc) { - ccIssuers = nssCryptoContext_FindCertificatesBySubject(cc, - &c->issuer, - NULL, - 0, - arena); + ccIssuers = nssCryptoContext_FindCertificatesBySubject(cc, + &c->issuer, + NULL, + 0, + arena); } if (td) - tdIssuers = nssTrustDomain_FindCertificatesBySubject(td, - &c->issuer, - NULL, - 0, - arena); + tdIssuers = nssTrustDomain_FindCertificatesBySubject(td, + &c->issuer, + NULL, + 0, + arena); certs = nssCertificateArray_Join(ccIssuers, tdIssuers); if (certs) { - nssDecodedCert *dc = NULL; - void *issuerID = NULL; - dc = nssCertificate_GetDecoding(c); - if (dc) { - issuerID = dc->getIssuerIdentifier(dc); - } - /* XXX review based on CERT_FindCertIssuer - * this function is not using the authCertIssuer field as a fallback - * if authority key id does not exist - */ - if (issuerID) { - certs = filter_subject_certs_for_id(certs, issuerID); - } - certs = filter_certs_for_valid_issuers(certs); - issuer = nssCertificateArray_FindBestCertificate(certs, - timeOpt, - usage, - policiesOpt); - nssCertificateArray_Destroy(certs); + nssDecodedCert *dc = NULL; + void *issuerID = NULL; + dc = nssCertificate_GetDecoding(c); + if (dc) { + issuerID = dc->getIssuerIdentifier(dc); + } + /* XXX review based on CERT_FindCertIssuer + * this function is not using the authCertIssuer field as a fallback + * if authority key id does not exist + */ + if (issuerID) { + certs = filter_subject_certs_for_id(certs, issuerID); + } + certs = filter_certs_for_valid_issuers(certs); + issuer = nssCertificateArray_FindBestCertificate(certs, + timeOpt, + usage, + policiesOpt); + nssCertificateArray_Destroy(certs); } nssArena_Destroy(arena); return issuer; @@ -438,260 +414,243 @@ find_cert_issuer ( ** even if/when it fails to find an issuer, and returns PR_FAILURE */ NSS_IMPLEMENT NSSCertificate ** -nssCertificate_BuildChain ( - NSSCertificate *c, - NSSTime *timeOpt, - NSSUsage *usage, - NSSPolicies *policiesOpt, - NSSCertificate **rvOpt, - PRUint32 rvLimit, - NSSArena *arenaOpt, - PRStatus *statusOpt, - NSSTrustDomain *td, - NSSCryptoContext *cc -) +nssCertificate_BuildChain( + NSSCertificate *c, + NSSTime *timeOpt, + NSSUsage *usage, + NSSPolicies *policiesOpt, + NSSCertificate **rvOpt, + PRUint32 rvLimit, + NSSArena *arenaOpt, + PRStatus *statusOpt, + NSSTrustDomain *td, + NSSCryptoContext *cc) { NSSCertificate **rvChain = NULL; NSSUsage issuerUsage = *usage; nssPKIObjectCollection *collection = NULL; - PRUint32 rvCount = 0; - PRStatus st; - PRStatus ret = PR_SUCCESS; + PRUint32 rvCount = 0; + PRStatus st; + PRStatus ret = PR_SUCCESS; if (!c || !cc || (!td && (td = NSSCertificate_GetTrustDomain(c)) == NULL)) { - goto loser; + goto loser; } /* bump the usage up to CA level */ issuerUsage.nss3lookingForCA = PR_TRUE; collection = nssCertificateCollection_Create(td, NULL); if (!collection) - goto loser; + goto loser; st = nssPKIObjectCollection_AddObject(collection, (nssPKIObject *)c); if (st != PR_SUCCESS) - goto loser; + goto loser; for (rvCount = 1; (!rvLimit || rvCount < rvLimit); ++rvCount) { - CERTCertificate *cCert = STAN_GetCERTCertificate(c); - if (cCert->isRoot) { - /* not including the issuer of the self-signed cert, which is, - * of course, itself - */ - break; - } - c = find_cert_issuer(c, timeOpt, &issuerUsage, policiesOpt, td, cc); - if (!c) { - ret = PR_FAILURE; - break; - } - st = nssPKIObjectCollection_AddObject(collection, (nssPKIObject *)c); - nssCertificate_Destroy(c); /* collection has it */ - if (st != PR_SUCCESS) - goto loser; + CERTCertificate *cCert = STAN_GetCERTCertificate(c); + if (cCert->isRoot) { + /* not including the issuer of the self-signed cert, which is, + * of course, itself + */ + break; + } + c = find_cert_issuer(c, timeOpt, &issuerUsage, policiesOpt, td, cc); + if (!c) { + ret = PR_FAILURE; + break; + } + st = nssPKIObjectCollection_AddObject(collection, (nssPKIObject *)c); + nssCertificate_Destroy(c); /* collection has it */ + if (st != PR_SUCCESS) + goto loser; } - rvChain = nssPKIObjectCollection_GetCertificates(collection, - rvOpt, - rvLimit, + rvChain = nssPKIObjectCollection_GetCertificates(collection, + rvOpt, + rvLimit, arenaOpt); if (rvChain) { - nssPKIObjectCollection_Destroy(collection); - if (statusOpt) - *statusOpt = ret; - if (ret != PR_SUCCESS) - nss_SetError(NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND); - return rvChain; + nssPKIObjectCollection_Destroy(collection); + if (statusOpt) + *statusOpt = ret; + if (ret != PR_SUCCESS) + nss_SetError(NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND); + return rvChain; } loser: if (collection) - nssPKIObjectCollection_Destroy(collection); - if (statusOpt) - *statusOpt = PR_FAILURE; + nssPKIObjectCollection_Destroy(collection); + if (statusOpt) + *statusOpt = PR_FAILURE; nss_SetError(NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND); return rvChain; } NSS_IMPLEMENT NSSCertificate ** -NSSCertificate_BuildChain ( - NSSCertificate *c, - NSSTime *timeOpt, - NSSUsage *usage, - NSSPolicies *policiesOpt, - NSSCertificate **rvOpt, - PRUint32 rvLimit, /* zero for no limit */ - NSSArena *arenaOpt, - PRStatus *statusOpt, - NSSTrustDomain *td, - NSSCryptoContext *cc -) +NSSCertificate_BuildChain( + NSSCertificate *c, + NSSTime *timeOpt, + NSSUsage *usage, + NSSPolicies *policiesOpt, + NSSCertificate **rvOpt, + PRUint32 rvLimit, /* zero for no limit */ + NSSArena *arenaOpt, + PRStatus *statusOpt, + NSSTrustDomain *td, + NSSCryptoContext *cc) { return nssCertificate_BuildChain(c, timeOpt, usage, policiesOpt, rvOpt, rvLimit, arenaOpt, statusOpt, - td, cc); + td, cc); } NSS_IMPLEMENT NSSCryptoContext * -nssCertificate_GetCryptoContext ( - NSSCertificate *c -) +nssCertificate_GetCryptoContext(NSSCertificate *c) { return c->object.cryptoContext; } NSS_IMPLEMENT NSSTrustDomain * -nssCertificate_GetTrustDomain ( - NSSCertificate *c -) +nssCertificate_GetTrustDomain(NSSCertificate *c) { return c->object.trustDomain; } NSS_IMPLEMENT NSSTrustDomain * -NSSCertificate_GetTrustDomain ( - NSSCertificate *c -) +NSSCertificate_GetTrustDomain(NSSCertificate *c) { return nssCertificate_GetTrustDomain(c); } NSS_IMPLEMENT NSSToken * -NSSCertificate_GetToken ( - NSSCertificate *c, - PRStatus *statusOpt -) +NSSCertificate_GetToken( + NSSCertificate *c, + PRStatus *statusOpt) { return (NSSToken *)NULL; } NSS_IMPLEMENT NSSSlot * -NSSCertificate_GetSlot ( - NSSCertificate *c, - PRStatus *statusOpt -) +NSSCertificate_GetSlot( + NSSCertificate *c, + PRStatus *statusOpt) { return (NSSSlot *)NULL; } NSS_IMPLEMENT NSSModule * -NSSCertificate_GetModule ( - NSSCertificate *c, - PRStatus *statusOpt -) +NSSCertificate_GetModule( + NSSCertificate *c, + PRStatus *statusOpt) { return (NSSModule *)NULL; } NSS_IMPLEMENT NSSItem * -NSSCertificate_Encrypt ( - NSSCertificate *c, - NSSAlgorithmAndParameters *apOpt, - NSSItem *data, - NSSTime *timeOpt, - NSSUsage *usage, - NSSPolicies *policiesOpt, - NSSCallback *uhh, - NSSItem *rvOpt, - NSSArena *arenaOpt -) +NSSCertificate_Encrypt( + NSSCertificate *c, + NSSAlgorithmAndParameters *apOpt, + NSSItem *data, + NSSTime *timeOpt, + NSSUsage *usage, + NSSPolicies *policiesOpt, + NSSCallback *uhh, + NSSItem *rvOpt, + NSSArena *arenaOpt) { nss_SetError(NSS_ERROR_NOT_FOUND); return NULL; } NSS_IMPLEMENT PRStatus -NSSCertificate_Verify ( - NSSCertificate *c, - NSSAlgorithmAndParameters *apOpt, - NSSItem *data, - NSSItem *signature, - NSSTime *timeOpt, - NSSUsage *usage, - NSSPolicies *policiesOpt, - NSSCallback *uhh -) +NSSCertificate_Verify( + NSSCertificate *c, + NSSAlgorithmAndParameters *apOpt, + NSSItem *data, + NSSItem *signature, + NSSTime *timeOpt, + NSSUsage *usage, + NSSPolicies *policiesOpt, + NSSCallback *uhh) { nss_SetError(NSS_ERROR_NOT_FOUND); return PR_FAILURE; } NSS_IMPLEMENT NSSItem * -NSSCertificate_VerifyRecover ( - NSSCertificate *c, - NSSAlgorithmAndParameters *apOpt, - NSSItem *signature, - NSSTime *timeOpt, - NSSUsage *usage, - NSSPolicies *policiesOpt, - NSSCallback *uhh, - NSSItem *rvOpt, - NSSArena *arenaOpt -) +NSSCertificate_VerifyRecover( + NSSCertificate *c, + NSSAlgorithmAndParameters *apOpt, + NSSItem *signature, + NSSTime *timeOpt, + NSSUsage *usage, + NSSPolicies *policiesOpt, + NSSCallback *uhh, + NSSItem *rvOpt, + NSSArena *arenaOpt) { nss_SetError(NSS_ERROR_NOT_FOUND); return NULL; } NSS_IMPLEMENT NSSItem * -NSSCertificate_WrapSymmetricKey ( - NSSCertificate *c, - NSSAlgorithmAndParameters *apOpt, - NSSSymmetricKey *keyToWrap, - NSSTime *timeOpt, - NSSUsage *usage, - NSSPolicies *policiesOpt, - NSSCallback *uhh, - NSSItem *rvOpt, - NSSArena *arenaOpt -) +NSSCertificate_WrapSymmetricKey( + NSSCertificate *c, + NSSAlgorithmAndParameters *apOpt, + NSSSymmetricKey *keyToWrap, + NSSTime *timeOpt, + NSSUsage *usage, + NSSPolicies *policiesOpt, + NSSCallback *uhh, + NSSItem *rvOpt, + NSSArena *arenaOpt) { nss_SetError(NSS_ERROR_NOT_FOUND); return NULL; } NSS_IMPLEMENT NSSCryptoContext * -NSSCertificate_CreateCryptoContext ( - NSSCertificate *c, - NSSAlgorithmAndParameters *apOpt, - NSSTime *timeOpt, - NSSUsage *usage, - NSSPolicies *policiesOpt, - NSSCallback *uhh -) +NSSCertificate_CreateCryptoContext( + NSSCertificate *c, + NSSAlgorithmAndParameters *apOpt, + NSSTime *timeOpt, + NSSUsage *usage, + NSSPolicies *policiesOpt, + NSSCallback *uhh) { nss_SetError(NSS_ERROR_NOT_FOUND); return NULL; } NSS_IMPLEMENT NSSPublicKey * -NSSCertificate_GetPublicKey ( - NSSCertificate *c -) +NSSCertificate_GetPublicKey( + NSSCertificate *c) { #if 0 CK_ATTRIBUTE pubktemplate[] = { - { CKA_CLASS, NULL, 0 }, - { CKA_ID, NULL, 0 }, - { CKA_SUBJECT, NULL, 0 } + { CKA_CLASS, NULL, 0 }, + { CKA_ID, NULL, 0 }, + { CKA_SUBJECT, NULL, 0 } }; PRStatus nssrv; CK_ULONG count = sizeof(pubktemplate) / sizeof(pubktemplate[0]); NSS_CK_SET_ATTRIBUTE_ITEM(pubktemplate, 0, &g_ck_class_pubkey); if (c->id.size > 0) { - /* CKA_ID */ - NSS_CK_ITEM_TO_ATTRIBUTE(&c->id, &pubktemplate[1]); + /* CKA_ID */ + NSS_CK_ITEM_TO_ATTRIBUTE(&c->id, &pubktemplate[1]); } else { - /* failure, yes? */ - return (NSSPublicKey *)NULL; + /* failure, yes? */ + return (NSSPublicKey *)NULL; } if (c->subject.size > 0) { - /* CKA_SUBJECT */ - NSS_CK_ITEM_TO_ATTRIBUTE(&c->subject, &pubktemplate[2]); + /* CKA_SUBJECT */ + NSS_CK_ITEM_TO_ATTRIBUTE(&c->subject, &pubktemplate[2]); } else { - /* failure, yes? */ - return (NSSPublicKey *)NULL; + /* failure, yes? */ + return (NSSPublicKey *)NULL; } /* Try the cert's token first */ if (c->token) { - nssrv = nssToken_FindObjectByTemplate(c->token, pubktemplate, count); + nssrv = nssToken_FindObjectByTemplate(c->token, pubktemplate, count); } #endif /* Try all other key tokens */ @@ -699,33 +658,31 @@ NSSCertificate_GetPublicKey ( } NSS_IMPLEMENT NSSPrivateKey * -NSSCertificate_FindPrivateKey ( - NSSCertificate *c, - NSSCallback *uhh -) +NSSCertificate_FindPrivateKey( + NSSCertificate *c, + NSSCallback *uhh) { nss_SetError(NSS_ERROR_NOT_FOUND); return NULL; } NSS_IMPLEMENT PRBool -NSSCertificate_IsPrivateKeyAvailable ( - NSSCertificate *c, - NSSCallback *uhh, - PRStatus *statusOpt -) +NSSCertificate_IsPrivateKeyAvailable( + NSSCertificate *c, + NSSCallback *uhh, + PRStatus *statusOpt) { PRBool isUser = PR_FALSE; nssCryptokiObject **ip; nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object); if (!instances) { - return PR_FALSE; + return PR_FALSE; } for (ip = instances; *ip; ip++) { - nssCryptokiObject *instance = *ip; - if (nssToken_IsPrivateKeyAvailable(instance->token, c, instance)) { - isUser = PR_TRUE; - } + nssCryptokiObject *instance = *ip; + if (nssToken_IsPrivateKeyAvailable(instance->token, c, instance)) { + isUser = PR_TRUE; + } } nssCryptokiObjectArray_Destroy(instances); return isUser; @@ -733,123 +690,115 @@ NSSCertificate_IsPrivateKeyAvailable ( /* sort the subject cert list from newest to oldest */ PRIntn -nssCertificate_SubjectListSort ( - void *v1, - void *v2 -) +nssCertificate_SubjectListSort( + void *v1, + void *v2) { NSSCertificate *c1 = (NSSCertificate *)v1; NSSCertificate *c2 = (NSSCertificate *)v2; nssDecodedCert *dc1 = nssCertificate_GetDecoding(c1); nssDecodedCert *dc2 = nssCertificate_GetDecoding(c2); if (!dc1) { - return dc2 ? 1 : 0; + return dc2 ? 1 : 0; } else if (!dc2) { - return -1; + return -1; } else { - return dc1->isNewerThan(dc1, dc2) ? -1 : 1; + return dc1->isNewerThan(dc1, dc2) ? -1 : 1; } } NSS_IMPLEMENT PRBool -NSSUserCertificate_IsStillPresent ( - NSSUserCertificate *uc, - PRStatus *statusOpt -) +NSSUserCertificate_IsStillPresent( + NSSUserCertificate *uc, + PRStatus *statusOpt) { nss_SetError(NSS_ERROR_NOT_FOUND); return PR_FALSE; } NSS_IMPLEMENT NSSItem * -NSSUserCertificate_Decrypt ( - NSSUserCertificate *uc, - NSSAlgorithmAndParameters *apOpt, - NSSItem *data, - NSSTime *timeOpt, - NSSUsage *usage, - NSSPolicies *policiesOpt, - NSSCallback *uhh, - NSSItem *rvOpt, - NSSArena *arenaOpt -) +NSSUserCertificate_Decrypt( + NSSUserCertificate *uc, + NSSAlgorithmAndParameters *apOpt, + NSSItem *data, + NSSTime *timeOpt, + NSSUsage *usage, + NSSPolicies *policiesOpt, + NSSCallback *uhh, + NSSItem *rvOpt, + NSSArena *arenaOpt) { nss_SetError(NSS_ERROR_NOT_FOUND); return NULL; } NSS_IMPLEMENT NSSItem * -NSSUserCertificate_Sign ( - NSSUserCertificate *uc, - NSSAlgorithmAndParameters *apOpt, - NSSItem *data, - NSSTime *timeOpt, - NSSUsage *usage, - NSSPolicies *policiesOpt, - NSSCallback *uhh, - NSSItem *rvOpt, - NSSArena *arenaOpt -) +NSSUserCertificate_Sign( + NSSUserCertificate *uc, + NSSAlgorithmAndParameters *apOpt, + NSSItem *data, + NSSTime *timeOpt, + NSSUsage *usage, + NSSPolicies *policiesOpt, + NSSCallback *uhh, + NSSItem *rvOpt, + NSSArena *arenaOpt) { nss_SetError(NSS_ERROR_NOT_FOUND); return NULL; } NSS_IMPLEMENT NSSItem * -NSSUserCertificate_SignRecover ( - NSSUserCertificate *uc, - NSSAlgorithmAndParameters *apOpt, - NSSItem *data, - NSSTime *timeOpt, - NSSUsage *usage, - NSSPolicies *policiesOpt, - NSSCallback *uhh, - NSSItem *rvOpt, - NSSArena *arenaOpt -) +NSSUserCertificate_SignRecover( + NSSUserCertificate *uc, + NSSAlgorithmAndParameters *apOpt, + NSSItem *data, + NSSTime *timeOpt, + NSSUsage *usage, + NSSPolicies *policiesOpt, + NSSCallback *uhh, + NSSItem *rvOpt, + NSSArena *arenaOpt) { nss_SetError(NSS_ERROR_NOT_FOUND); return NULL; } NSS_IMPLEMENT NSSSymmetricKey * -NSSUserCertificate_UnwrapSymmetricKey ( - NSSUserCertificate *uc, - NSSAlgorithmAndParameters *apOpt, - NSSItem *wrappedKey, - NSSTime *timeOpt, - NSSUsage *usage, - NSSPolicies *policiesOpt, - NSSCallback *uhh, - NSSItem *rvOpt, - NSSArena *arenaOpt -) +NSSUserCertificate_UnwrapSymmetricKey( + NSSUserCertificate *uc, + NSSAlgorithmAndParameters *apOpt, + NSSItem *wrappedKey, + NSSTime *timeOpt, + NSSUsage *usage, + NSSPolicies *policiesOpt, + NSSCallback *uhh, + NSSItem *rvOpt, + NSSArena *arenaOpt) { nss_SetError(NSS_ERROR_NOT_FOUND); return NULL; } NSS_IMPLEMENT NSSSymmetricKey * -NSSUserCertificate_DeriveSymmetricKey ( - NSSUserCertificate *uc, /* provides private key */ - NSSCertificate *c, /* provides public key */ - NSSAlgorithmAndParameters *apOpt, - NSSOID *target, - PRUint32 keySizeOpt, /* zero for best allowed */ - NSSOperations operations, - NSSCallback *uhh -) +NSSUserCertificate_DeriveSymmetricKey( + NSSUserCertificate *uc, /* provides private key */ + NSSCertificate *c, /* provides public key */ + NSSAlgorithmAndParameters *apOpt, + NSSOID *target, + PRUint32 keySizeOpt, /* zero for best allowed */ + NSSOperations operations, + NSSCallback *uhh) { nss_SetError(NSS_ERROR_NOT_FOUND); return NULL; } NSS_IMPLEMENT nssSMIMEProfile * -nssSMIMEProfile_Create ( - NSSCertificate *cert, - NSSItem *profileTime, - NSSItem *profileData -) +nssSMIMEProfile_Create( + NSSCertificate *cert, + NSSItem *profileTime, + NSSItem *profileData) { NSSArena *arena; nssSMIMEProfile *rvProfile; @@ -858,40 +807,41 @@ nssSMIMEProfile_Create ( NSSCryptoContext *cc = nssCertificate_GetCryptoContext(cert); arena = nssArena_Create(); if (!arena) { - return NULL; + return NULL; } object = nssPKIObject_Create(arena, NULL, td, cc, nssPKILock); if (!object) { - goto loser; + goto loser; } rvProfile = nss_ZNEW(arena, nssSMIMEProfile); if (!rvProfile) { - goto loser; + goto loser; } rvProfile->object = *object; rvProfile->certificate = cert; rvProfile->email = nssUTF8_Duplicate(cert->email, arena); rvProfile->subject = nssItem_Duplicate(&cert->subject, arena, NULL); if (profileTime) { - rvProfile->profileTime = nssItem_Duplicate(profileTime, arena, NULL); + rvProfile->profileTime = nssItem_Duplicate(profileTime, arena, NULL); } if (profileData) { - rvProfile->profileData = nssItem_Duplicate(profileData, arena, NULL); + rvProfile->profileData = nssItem_Duplicate(profileData, arena, NULL); } return rvProfile; loser: - if (object) nssPKIObject_Destroy(object); - else if (arena) nssArena_Destroy(arena); + if (object) + nssPKIObject_Destroy(object); + else if (arena) + nssArena_Destroy(arena); return (nssSMIMEProfile *)NULL; } /* execute a callback function on all members of a cert list */ NSS_EXTERN PRStatus -nssCertificateList_DoCallback ( - nssList *certList, - PRStatus (* callback)(NSSCertificate *c, void *arg), - void *arg -) +nssCertificateList_DoCallback( + nssList *certList, + PRStatus (*callback)(NSSCertificate *c, void *arg), + void *arg) { nssListIterator *certs; NSSCertificate *cert; @@ -899,74 +849,71 @@ nssCertificateList_DoCallback ( if (!certs) { return PR_FAILURE; } - for (cert = (NSSCertificate *)nssListIterator_Start(certs); + for (cert = (NSSCertificate *)nssListIterator_Start(certs); cert != (NSSCertificate *)NULL; - cert = (NSSCertificate *)nssListIterator_Next(certs)) - { - (void)(*callback)(cert, arg); + cert = (NSSCertificate *)nssListIterator_Next(certs)) { + (void)(*callback)(cert, arg); } nssListIterator_Finish(certs); nssListIterator_Destroy(certs); return PR_SUCCESS; } -static PRStatus add_ref_callback(NSSCertificate *c, void *a) +static PRStatus +add_ref_callback(NSSCertificate *c, void *a) { nssCertificate_AddRef(c); return PR_SUCCESS; } NSS_IMPLEMENT void -nssCertificateList_AddReferences ( - nssList *certList -) +nssCertificateList_AddReferences( + nssList *certList) { (void)nssCertificateList_DoCallback(certList, add_ref_callback, NULL); } - /* - * Is this trust record safe to apply to all certs of the same issuer/SN - * independent of the cert matching the hash. This is only true is the trust - * is unknown or distrusted. In general this feature is only useful to - * explicitly distrusting certs. It is not safe to use to trust certs, so + * Is this trust record safe to apply to all certs of the same issuer/SN + * independent of the cert matching the hash. This is only true is the trust + * is unknown or distrusted. In general this feature is only useful to + * explicitly distrusting certs. It is not safe to use to trust certs, so * only allow unknown and untrusted trust types. */ PRBool -nssTrust_IsSafeToIgnoreCertHash(nssTrustLevel serverAuth, - nssTrustLevel clientAuth, nssTrustLevel codeSigning, - nssTrustLevel email, PRBool stepup) +nssTrust_IsSafeToIgnoreCertHash(nssTrustLevel serverAuth, + nssTrustLevel clientAuth, nssTrustLevel codeSigning, + nssTrustLevel email, PRBool stepup) { /* step up is a trust type, if it's on, we must have a hash for the cert */ if (stepup) { - return PR_FALSE; + return PR_FALSE; } - if ((serverAuth != nssTrustLevel_Unknown) && - (serverAuth != nssTrustLevel_NotTrusted)) { - return PR_FALSE; + if ((serverAuth != nssTrustLevel_Unknown) && + (serverAuth != nssTrustLevel_NotTrusted)) { + return PR_FALSE; } - if ((clientAuth != nssTrustLevel_Unknown) && - (clientAuth != nssTrustLevel_NotTrusted)) { - return PR_FALSE; + if ((clientAuth != nssTrustLevel_Unknown) && + (clientAuth != nssTrustLevel_NotTrusted)) { + return PR_FALSE; } - if ((codeSigning != nssTrustLevel_Unknown) && - (codeSigning != nssTrustLevel_NotTrusted)) { - return PR_FALSE; + if ((codeSigning != nssTrustLevel_Unknown) && + (codeSigning != nssTrustLevel_NotTrusted)) { + return PR_FALSE; } - if ((email != nssTrustLevel_Unknown) && - (email != nssTrustLevel_NotTrusted)) { - return PR_FALSE; + if ((email != nssTrustLevel_Unknown) && + (email != nssTrustLevel_NotTrusted)) { + return PR_FALSE; } - /* record only has Unknown and Untrusted entries, ok to accept without a + /* record only has Unknown and Untrusted entries, ok to accept without a * hash */ return PR_TRUE; } NSS_IMPLEMENT NSSTrust * -nssTrust_Create ( - nssPKIObject *object, - NSSItem *certData -) +nssTrust_Create( + nssPKIObject *object, + NSSItem *certData) { PRStatus status; PRUint32 i; @@ -980,128 +927,115 @@ nssTrust_Create ( SECStatus rv; /* Should be stan flavor */ PRBool stepUp; - lastTrustOrder = 1<<16; /* just make it big */ + lastTrustOrder = 1 << 16; /* just make it big */ PR_ASSERT(object->instances != NULL && object->numInstances > 0); rvt = nss_ZNEW(object->arena, NSSTrust); if (!rvt) { - return (NSSTrust *)NULL; + return (NSSTrust *)NULL; } rvt->object = *object; /* should be stan flavor of Hashbuf */ - rv = PK11_HashBuf(SEC_OID_SHA1,sha1_hashcmp,certData->data,certData->size); + rv = PK11_HashBuf(SEC_OID_SHA1, sha1_hashcmp, certData->data, certData->size); if (rv != SECSuccess) { - return (NSSTrust *)NULL; + return (NSSTrust *)NULL; } sha1_hash.data = sha1_hashin; - sha1_hash.size = sizeof (sha1_hashin); + sha1_hash.size = sizeof(sha1_hashin); /* trust has to peek into the base object members */ nssPKIObject_Lock(object); - for (i=0; i<object->numInstances; i++) { - instance = object->instances[i]; - myTrustOrder = nssToken_GetTrustOrder(instance->token); - status = nssCryptokiTrust_GetAttributes(instance, NULL, - &sha1_hash, - &serverAuth, - &clientAuth, - &codeSigning, - &emailProtection, - &stepUp); - if (status != PR_SUCCESS) { - nssPKIObject_Unlock(object); - return (NSSTrust *)NULL; - } - /* if no hash is specified, then trust applies to all certs with - * this issuer/SN. NOTE: This is only true for entries that - * have distrust and unknown record */ - if (!( - /* we continue if there is no hash, and the trust type is - * safe to accept without a hash ... or ... */ - ((sha1_hash.size == 0) && - nssTrust_IsSafeToIgnoreCertHash(serverAuth,clientAuth, - codeSigning, emailProtection,stepUp)) - || - /* we have a hash of the correct size, and it matches */ - ((sha1_hash.size == SHA1_LENGTH) && (PORT_Memcmp(sha1_hashin, - sha1_hashcmp,SHA1_LENGTH) == 0)) )) { - nssPKIObject_Unlock(object); - return (NSSTrust *)NULL; - } - if (rvt->serverAuth == nssTrustLevel_Unknown || - myTrustOrder < lastTrustOrder) - { - rvt->serverAuth = serverAuth; - } - if (rvt->clientAuth == nssTrustLevel_Unknown || - myTrustOrder < lastTrustOrder) - { - rvt->clientAuth = clientAuth; - } - if (rvt->emailProtection == nssTrustLevel_Unknown || - myTrustOrder < lastTrustOrder) - { - rvt->emailProtection = emailProtection; - } - if (rvt->codeSigning == nssTrustLevel_Unknown || - myTrustOrder < lastTrustOrder) - { - rvt->codeSigning = codeSigning; - } - rvt->stepUpApproved = stepUp; - lastTrustOrder = myTrustOrder; + for (i = 0; i < object->numInstances; i++) { + instance = object->instances[i]; + myTrustOrder = nssToken_GetTrustOrder(instance->token); + status = nssCryptokiTrust_GetAttributes(instance, NULL, + &sha1_hash, + &serverAuth, + &clientAuth, + &codeSigning, + &emailProtection, + &stepUp); + if (status != PR_SUCCESS) { + nssPKIObject_Unlock(object); + return (NSSTrust *)NULL; + } + /* if no hash is specified, then trust applies to all certs with + * this issuer/SN. NOTE: This is only true for entries that + * have distrust and unknown record */ + if (!( + /* we continue if there is no hash, and the trust type is + * safe to accept without a hash ... or ... */ + ((sha1_hash.size == 0) && + nssTrust_IsSafeToIgnoreCertHash(serverAuth, clientAuth, + codeSigning, emailProtection, + stepUp)) || + /* we have a hash of the correct size, and it matches */ + ((sha1_hash.size == SHA1_LENGTH) && (PORT_Memcmp(sha1_hashin, + sha1_hashcmp, + SHA1_LENGTH) == 0)))) { + nssPKIObject_Unlock(object); + return (NSSTrust *)NULL; + } + if (rvt->serverAuth == nssTrustLevel_Unknown || + myTrustOrder < lastTrustOrder) { + rvt->serverAuth = serverAuth; + } + if (rvt->clientAuth == nssTrustLevel_Unknown || + myTrustOrder < lastTrustOrder) { + rvt->clientAuth = clientAuth; + } + if (rvt->emailProtection == nssTrustLevel_Unknown || + myTrustOrder < lastTrustOrder) { + rvt->emailProtection = emailProtection; + } + if (rvt->codeSigning == nssTrustLevel_Unknown || + myTrustOrder < lastTrustOrder) { + rvt->codeSigning = codeSigning; + } + rvt->stepUpApproved = stepUp; + lastTrustOrder = myTrustOrder; } nssPKIObject_Unlock(object); return rvt; } NSS_IMPLEMENT NSSTrust * -nssTrust_AddRef ( - NSSTrust *trust -) +nssTrust_AddRef(NSSTrust *trust) { if (trust) { - nssPKIObject_AddRef(&trust->object); + nssPKIObject_AddRef(&trust->object); } return trust; } NSS_IMPLEMENT PRStatus -nssTrust_Destroy ( - NSSTrust *trust -) +nssTrust_Destroy(NSSTrust *trust) { if (trust) { - (void)nssPKIObject_Destroy(&trust->object); + (void)nssPKIObject_Destroy(&trust->object); } return PR_SUCCESS; } NSS_IMPLEMENT nssSMIMEProfile * -nssSMIMEProfile_AddRef ( - nssSMIMEProfile *profile -) +nssSMIMEProfile_AddRef(nssSMIMEProfile *profile) { if (profile) { - nssPKIObject_AddRef(&profile->object); + nssPKIObject_AddRef(&profile->object); } return profile; } NSS_IMPLEMENT PRStatus -nssSMIMEProfile_Destroy ( - nssSMIMEProfile *profile -) +nssSMIMEProfile_Destroy(nssSMIMEProfile *profile) { if (profile) { - (void)nssPKIObject_Destroy(&profile->object); + (void)nssPKIObject_Destroy(&profile->object); } return PR_SUCCESS; } NSS_IMPLEMENT NSSCRL * -nssCRL_Create ( - nssPKIObject *object -) +nssCRL_Create(nssPKIObject *object) { PRStatus status; NSSCRL *rvCRL; @@ -1109,12 +1043,12 @@ nssCRL_Create ( PR_ASSERT(object->instances != NULL && object->numInstances > 0); rvCRL = nss_ZNEW(arena, NSSCRL); if (!rvCRL) { - return (NSSCRL *)NULL; + return (NSSCRL *)NULL; } rvCRL->object = *object; /* XXX should choose instance based on some criteria */ status = nssCryptokiCRL_GetAttributes(object->instances[0], - NULL, /* XXX sessionOpt */ + NULL, /* XXX sessionOpt */ arena, &rvCRL->encoding, NULL, /* subject */ @@ -1122,50 +1056,46 @@ nssCRL_Create ( &rvCRL->url, &rvCRL->isKRL); if (status != PR_SUCCESS) { - return (NSSCRL *)NULL; + if (!arena) { + nssPKIObject_Destroy((nssPKIObject *)rvCRL); + } + return (NSSCRL *)NULL; } return rvCRL; } NSS_IMPLEMENT NSSCRL * -nssCRL_AddRef ( - NSSCRL *crl -) +nssCRL_AddRef(NSSCRL *crl) { if (crl) { - nssPKIObject_AddRef(&crl->object); + nssPKIObject_AddRef(&crl->object); } return crl; } NSS_IMPLEMENT PRStatus -nssCRL_Destroy ( - NSSCRL *crl -) +nssCRL_Destroy(NSSCRL *crl) { if (crl) { - (void)nssPKIObject_Destroy(&crl->object); + (void)nssPKIObject_Destroy(&crl->object); } return PR_SUCCESS; } NSS_IMPLEMENT PRStatus -nssCRL_DeleteStoredObject ( - NSSCRL *crl, - NSSCallback *uhh -) +nssCRL_DeleteStoredObject( + NSSCRL *crl, + NSSCallback *uhh) { return nssPKIObject_DeleteStoredObject(&crl->object, uhh, PR_TRUE); } NSS_IMPLEMENT NSSDER * -nssCRL_GetEncoding ( - NSSCRL *crl -) +nssCRL_GetEncoding(NSSCRL *crl) { if (crl && crl->encoding.data != NULL && crl->encoding.size > 0) { - return &crl->encoding; + return &crl->encoding; } else { - return (NSSDER *)NULL; + return (NSSDER *)NULL; } } |