Merge NSS_3_14_2_RTM.

mozilla/security/nss/lib/pk11wrap/pk11cert.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * This file manages PKCS #11 instances of certificates.
  */
 
 #include "secport.h"
 #include "seccomon.h"
 #include "secmod.h"
@@ skipping 306 matching lines @@
         cert->slot = PK11_ReferenceSlot(slot);
         cert->pkcs11ID = certID;
         cert->ownSlot = PR_TRUE;
         cert->series = slot->series;
     }
 
     trust = (CERTCertTrust*)PORT_ArenaAlloc(cert->arena, sizeof(CERTCertTrust));
     if (trust == NULL) 
         goto loser;
     PORT_Memset(trust,0, sizeof(CERTCertTrust));
-    cert->trust = trust;
 
     if(! pk11_HandleTrustObject(slot, cert, trust) ) {
         unsigned int type;
 
         /* build some cert trust flags */
         if (CERT_IsCACert(cert, &type)) {
             unsigned int trustflags = CERTDB_VALID_CA;
            
             /* Allow PKCS #11 modules to give us trusted CA's. We only accept
              * valid CA's which are self-signed here. They must have an object
@@ skipping 20 matching lines @@
                 trust->objectSigningFlags |= trustflags;
             }
         }
     }
 
     if (PK11_IsUserCert(slot,cert,certID)) {
         trust->sslFlags |= CERTDB_USER;
         trust->emailFlags |= CERTDB_USER;
         /*    trust->objectSigningFlags |= CERTDB_USER; */
     }
+    CERT_LockCertTrust(cert);
+    cert->trust = trust;
+    CERT_UnlockCertTrust(cert);
+
     return cert;
 
 loser:
     if (nickname) 
         PORT_Free(nickname);
     if (cert) 
         CERT_DestroyCertificate(cert);
     return NULL;
 }
 
@@ skipping 1025 matching lines @@
  * this is the new version for NSS SMIME code
  * this stuff should REALLY be in the SMIME code, but some things in here are not public
  * (they should be!)
  */
 static CERTCertificate *
 pk11_FindCertObjectByRecipientNew(PK11SlotInfo *slot, NSSCMSRecipient **recipientlist, int *rlIndex, void *pwarg)
 {
     NSSCMSRecipient *ri = NULL;
     int i;
     PRBool tokenRescanDone = PR_FALSE;
+    CERTCertTrust trust;
 
     for (i=0; (ri = recipientlist[i]) != NULL; i++) {
         CERTCertificate *cert = NULL;
         if (ri->kind == RLSubjKeyID) {
             SECItem *derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyID);
             if (!derCert && !tokenRescanDone) {
                 /*
                  * We didn't find the cert by its key ID. If we have slots
                  * with removable tokens, a failure from
                  * cert_FindDERCertBySubjectKeyID doesn't necessarily imply
@@ skipping 60 matching lines @@
             if (derCert) {
                 cert = PK11_FindCertFromDERCertItem(slot, derCert, pwarg);
                 SECITEM_FreeItem(derCert, PR_TRUE);
             }
         } else {
             cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->id.issuerAndSN, 
                                                      pwarg);
         }
         if (cert) {
             /* this isn't our cert */
-            if ((cert->trust == NULL) ||
-                ((cert->trust->emailFlags & CERTDB_USER) != CERTDB_USER)) {
+            if (CERT_GetCertTrust(cert, &trust) != SECSuccess ||
+                ((trust.emailFlags & CERTDB_USER) != CERTDB_USER)) {
                  CERT_DestroyCertificate(cert);
                 continue;
             }
             ri->slot = PK11_ReferenceSlot(slot);
             *rlIndex = i;
             return cert;
         }
     }
     *rlIndex = -1;
     return NULL;
@@ skipping 38 matching lines @@
 /*
  * We're looking for a cert which we have the private key for that's on the
  * list of recipients. This searches one slot.
  */
 static CERTCertificate *
 pk11_FindCertObjectByRecipient(PK11SlotInfo *slot, 
         SEC_PKCS7RecipientInfo **recipientArray,
         SEC_PKCS7RecipientInfo **rip, void *pwarg)
 {
     SEC_PKCS7RecipientInfo *ri = NULL;
+    CERTCertTrust trust;
     int i;
 
     for (i=0; (ri = recipientArray[i]) != NULL; i++) {
         CERTCertificate *cert;
 
         cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->issuerAndSN, 
                                                                 pwarg);
         if (cert) {
             /* this isn't our cert */
-            if ((cert->trust == NULL) ||
-                ((cert->trust->emailFlags & CERTDB_USER) != CERTDB_USER)) {
+            if (CERT_GetCertTrust(cert, &trust) != SECSuccess ||
+                ((trust.emailFlags & CERTDB_USER) != CERTDB_USER)) {
                  CERT_DestroyCertificate(cert);
                 continue;
             }
             *rip = ri;
             return cert;
         }
 
     }
     *rip = NULL;
     return NULL;
@@ skipping 679 matching lines @@
 
     /* not implemented */
     return PR_FALSE;
 }
 
 PRBool
 PK11_FortezzaHasKEA(CERTCertificate *cert) 
 {
    /* look at the subject and see if it is a KEA for MISSI key */
    SECOidData *oid;
+   CERTCertTrust trust;
 
-   if ((cert->trust == NULL) ||
-       ((cert->trust->sslFlags & CERTDB_USER) != CERTDB_USER)) {
+   if (CERT_GetCertTrust(cert, &trust) != SECSuccess ||
+       ((trust.sslFlags & CERTDB_USER) != CERTDB_USER)) {
        return PR_FALSE;
    }
 
    oid = SECOID_FindOID(&cert->subjectPublicKeyInfo.algorithm.algorithm);
    if (!oid) {
        return PR_FALSE;
    }
 
    return (PRBool)((oid->offset == SEC_OID_MISSI_KEA_DSS_OLD) || 
                 (oid->offset == SEC_OID_MISSI_KEA_DSS) ||
@@ skipping 393 matching lines @@
     }
     if (!found) {
         PK11_FreeSlotList(slotList);
         PORT_SetError(SEC_ERROR_NO_TOKEN);
         slotList = NULL;
     }
 
     nssCryptokiObjectArray_Destroy(instances);
     return slotList;
 }