Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(498)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: mozilla/security/nss/lib/pk11wrap/pk11cert.c

Issue 14249009: Change the NSS and NSPR source tree to the new directory structure to be (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/
Patch Set: Created 7 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « mozilla/security/nss/lib/pk11wrap/pk11auth.c ('k') | mozilla/security/nss/lib/pk11wrap/pk11cxt.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 /*
5 * This file manages PKCS #11 instances of certificates.
6 */
7
8 #include "secport.h"
9 #include "seccomon.h"
10 #include "secmod.h"
11 #include "secmodi.h"
12 #include "secmodti.h"
13 #include "pkcs11.h"
14 #include "pk11func.h"
15 #include "cert.h"
16 #include "certi.h"
17 #include "secitem.h"
18 #include "key.h"
19 #include "secoid.h"
20 #include "pkcs7t.h"
21 #include "cmsreclist.h"
22
23 #include "certdb.h"
24 #include "secerr.h"
25 #include "sslerr.h"
26
27 #include "pki3hack.h"
28 #include "dev3hack.h"
29
30 #include "devm.h"
31 #include "nsspki.h"
32 #include "pki.h"
33 #include "pkim.h"
34 #include "pkitm.h"
35 #include "pkistore.h" /* to remove temp cert */
36 #include "devt.h"
37
38 extern const NSSError NSS_ERROR_NOT_FOUND;
39 extern const NSSError NSS_ERROR_INVALID_CERTIFICATE;
40
41 struct nss3_cert_cbstr {
42 SECStatus(* callback)(CERTCertificate*, void *);
43 nssList *cached;
44 void *arg;
45 };
46
47 /* Translate from NSSCertificate to CERTCertificate, then pass the latter
48 * to a callback.
49 */
50 static PRStatus convert_cert(NSSCertificate *c, void *arg)
51 {
52 CERTCertificate *nss3cert;
53 SECStatus secrv;
54 struct nss3_cert_cbstr *nss3cb = (struct nss3_cert_cbstr *)arg;
55 /* 'c' is not adopted. caller will free it */
56 nss3cert = STAN_GetCERTCertificate(c);
57 if (!nss3cert) return PR_FAILURE;
58 secrv = (*nss3cb->callback)(nss3cert, nss3cb->arg);
59 return (secrv) ? PR_FAILURE : PR_SUCCESS;
60 }
61
62 /*
63 * build a cert nickname based on the token name and the label of the
64 * certificate If the label in NULL, build a label based on the ID.
65 */
66 static int toHex(int x) { return (x < 10) ? (x+'0') : (x+'a'-10); }
67 #define MAX_CERT_ID 4
68 #define DEFAULT_STRING "Cert ID "
69 static char *
70 pk11_buildNickname(PK11SlotInfo *slot,CK_ATTRIBUTE *cert_label,
71 CK_ATTRIBUTE *key_label, CK_ATTRIBUTE *cert_id)
72 {
73 int prefixLen = PORT_Strlen(slot->token_name);
74 int suffixLen = 0;
75 char *suffix = NULL;
76 char buildNew[sizeof(DEFAULT_STRING)+MAX_CERT_ID*2];
77 char *next,*nickname;
78
79 if (cert_label && (cert_label->ulValueLen)) {
80 suffixLen = cert_label->ulValueLen;
81 suffix = (char*)cert_label->pValue;
82 } else if (key_label && (key_label->ulValueLen)) {
83 suffixLen = key_label->ulValueLen;
84 suffix = (char*)key_label->pValue;
85 } else if (cert_id && cert_id->ulValueLen > 0) {
86 int i,first = cert_id->ulValueLen - MAX_CERT_ID;
87 int offset = sizeof(DEFAULT_STRING);
88 char *idValue = (char *)cert_id->pValue;
89
90 PORT_Memcpy(buildNew,DEFAULT_STRING,sizeof(DEFAULT_STRING)-1);
91 next = buildNew + offset;
92 if (first < 0) first = 0;
93 for (i=first; i < (int) cert_id->ulValueLen; i++) {
94 *next++ = toHex((idValue[i] >> 4) & 0xf);
95 *next++ = toHex(idValue[i] & 0xf);
96 }
97 *next++ = 0;
98 suffix = buildNew;
99 suffixLen = PORT_Strlen(buildNew);
100 } else {
101 PORT_SetError( SEC_ERROR_LIBRARY_FAILURE );
102 return NULL;
103 }
104
105 /* if is internal key slot, add code to skip the prefix!! */
106 next = nickname = (char *)PORT_Alloc(prefixLen+1+suffixLen+1);
107 if (nickname == NULL) return NULL;
108
109 PORT_Memcpy(next,slot->token_name,prefixLen);
110 next += prefixLen;
111 *next++ = ':';
112 PORT_Memcpy(next,suffix,suffixLen);
113 next += suffixLen;
114 *next++ = 0;
115 return nickname;
116 }
117
118 PRBool
119 PK11_IsUserCert(PK11SlotInfo *slot, CERTCertificate *cert,
120 CK_OBJECT_HANDLE certID)
121 {
122 CK_OBJECT_CLASS theClass;
123
124 if (slot == NULL) return PR_FALSE;
125 if (cert == NULL) return PR_FALSE;
126
127 theClass = CKO_PRIVATE_KEY;
128 if (pk11_LoginStillRequired(slot,NULL)) {
129 theClass = CKO_PUBLIC_KEY;
130 }
131 if (PK11_MatchItem(slot, certID , theClass) != CK_INVALID_HANDLE) {
132 return PR_TRUE;
133 }
134
135 if (theClass == CKO_PUBLIC_KEY) {
136 SECKEYPublicKey *pubKey= CERT_ExtractPublicKey(cert);
137 CK_ATTRIBUTE theTemplate;
138
139 if (pubKey == NULL) {
140 return PR_FALSE;
141 }
142
143 PK11_SETATTRS(&theTemplate,0,NULL,0);
144 switch (pubKey->keyType) {
145 case rsaKey:
146 PK11_SETATTRS(&theTemplate,CKA_MODULUS, pubKey->u.rsa.modulus.data,
147 pubKey->u.rsa.modulus.len);
148 break;
149 case dsaKey:
150 PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dsa.publicValue.data ,
151 pubKey->u.dsa.publicValue.len);
152 break;
153 case dhKey:
154 PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dh.publicValue.data,
155 pubKey->u.dh.publicValue.len);
156 break;
157 case ecKey:
158 PK11_SETATTRS(&theTemplate,CKA_EC_POINT,
159 pubKey->u.ec.publicValue.data,
160 pubKey->u.ec.publicValue.len);
161 break;
162 case keaKey:
163 case fortezzaKey:
164 case nullKey:
165 /* fall through and return false */
166 break;
167 }
168
169 if (theTemplate.ulValueLen == 0) {
170 SECKEY_DestroyPublicKey(pubKey);
171 return PR_FALSE;
172 }
173 pk11_SignedToUnsigned(&theTemplate);
174 if (pk11_FindObjectByTemplate(slot,&theTemplate,1) != CK_INVALID_HANDLE) {
175 SECKEY_DestroyPublicKey(pubKey);
176 return PR_TRUE;
177 }
178 SECKEY_DestroyPublicKey(pubKey);
179 }
180 return PR_FALSE;
181 }
182
183 /*
184 * Check out if a cert has ID of zero. This is a magic ID that tells
185 * NSS that this cert may be an automagically trusted cert.
186 * The Cert has to be self signed as well. That check is done elsewhere.
187 *
188 */
189 PRBool
190 pk11_isID0(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID)
191 {
192 CK_ATTRIBUTE keyID = {CKA_ID, NULL, 0};
193 PRBool isZero = PR_FALSE;
194 int i;
195 CK_RV crv;
196
197
198 crv = PK11_GetAttributes(NULL,slot,certID,&keyID,1);
199 if (crv != CKR_OK) {
200 return isZero;
201 }
202
203 if (keyID.ulValueLen != 0) {
204 char *value = (char *)keyID.pValue;
205 isZero = PR_TRUE; /* ID exists, may be zero */
206 for (i=0; i < (int) keyID.ulValueLen; i++) {
207 if (value[i] != 0) {
208 isZero = PR_FALSE; /* nope */
209 break;
210 }
211 }
212 }
213 PORT_Free(keyID.pValue);
214 return isZero;
215
216 }
217
218 /*
219 * Create an NSSCertificate from a slot/certID pair, return it as a
220 * CERTCertificate. Optionally, output the nickname string.
221 */
222 static CERTCertificate *
223 pk11_fastCert(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID,
224 CK_ATTRIBUTE *privateLabel, char **nickptr)
225 {
226 NSSCertificate *c;
227 nssCryptokiObject *co = NULL;
228 nssPKIObject *pkio;
229 NSSToken *token;
230 NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
231 PRStatus status;
232
233 /* Get the cryptoki object from the handle */
234 token = PK11Slot_GetNSSToken(slot);
235 if (token->defaultSession) {
236 co = nssCryptokiObject_Create(token, token->defaultSession, certID);
237 } else {
238 PORT_SetError(SEC_ERROR_NO_TOKEN);
239 }
240 if (!co) {
241 return NULL;
242 }
243
244 /* Create a PKI object from the cryptoki instance */
245 pkio = nssPKIObject_Create(NULL, co, td, NULL, nssPKIMonitor);
246 if (!pkio) {
247 nssCryptokiObject_Destroy(co);
248 return NULL;
249 }
250
251 /* Create a certificate */
252 c = nssCertificate_Create(pkio);
253 if (!c) {
254 nssPKIObject_Destroy(pkio);
255 return NULL;
256 }
257
258 /* Build and output a nickname, if desired.
259 * This must be done before calling nssTrustDomain_AddCertsToCache
260 * because that function may destroy c, pkio and co!
261 */
262 if ((nickptr) && (co->label)) {
263 CK_ATTRIBUTE label, id;
264
265 label.type = CKA_LABEL;
266 label.pValue = co->label;
267 label.ulValueLen = PORT_Strlen(co->label);
268
269 id.type = CKA_ID;
270 id.pValue = c->id.data;
271 id.ulValueLen = c->id.size;
272
273 *nickptr = pk11_buildNickname(slot, &label, privateLabel, &id);
274 }
275
276 /* This function may destroy the cert in "c" and all its subordinate
277 * structures, and replace the value in "c" with the address of a
278 * different NSSCertificate that it found in the cache.
279 * Presumably, the nickname which we just output above remains valid. :)
280 */
281 status = nssTrustDomain_AddCertsToCache(td, &c, 1);
282 return STAN_GetCERTCertificateOrRelease(c);
283 }
284
285 /*
286 * Build an CERTCertificate structure from a PKCS#11 object ID.... certID
287 * Must be a CertObject. This code does not explicitly checks that.
288 */
289 CERTCertificate *
290 PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID,
291 CK_ATTRIBUTE *privateLabel)
292 {
293 char * nickname = NULL;
294 CERTCertificate *cert = NULL;
295 CERTCertTrust *trust;
296 PRBool isFortezzaRootCA = PR_FALSE;
297 PRBool swapNickname = PR_FALSE;
298
299 cert = pk11_fastCert(slot,certID,privateLabel, &nickname);
300 if (cert == NULL)
301 goto loser;
302
303 if (nickname) {
304 if (cert->nickname != NULL) {
305 cert->dbnickname = cert->nickname;
306 }
307 cert->nickname = PORT_ArenaStrdup(cert->arena,nickname);
308 PORT_Free(nickname);
309 nickname = NULL;
310 swapNickname = PR_TRUE;
311 }
312
313 /* remember where this cert came from.... If we have just looked
314 * it up from the database and it already has a slot, don't add a new
315 * one. */
316 if (cert->slot == NULL) {
317 cert->slot = PK11_ReferenceSlot(slot);
318 cert->pkcs11ID = certID;
319 cert->ownSlot = PR_TRUE;
320 cert->series = slot->series;
321 }
322
323 trust = (CERTCertTrust*)PORT_ArenaAlloc(cert->arena, sizeof(CERTCertTrust));
324 if (trust == NULL)
325 goto loser;
326 PORT_Memset(trust,0, sizeof(CERTCertTrust));
327
328 if(! pk11_HandleTrustObject(slot, cert, trust) ) {
329 unsigned int type;
330
331 /* build some cert trust flags */
332 if (CERT_IsCACert(cert, &type)) {
333 unsigned int trustflags = CERTDB_VALID_CA;
334
335 /* Allow PKCS #11 modules to give us trusted CA's. We only accept
336 * valid CA's which are self-signed here. They must have an object
337 * ID of '0'. */
338 if (pk11_isID0(slot,certID) &&
339 cert->isRoot) {
340 trustflags |= CERTDB_TRUSTED_CA;
341 /* is the slot a fortezza card? allow the user or
342 * admin to turn on objectSigning, but don't turn
343 * full trust on explicitly */
344 if (PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) {
345 trust->objectSigningFlags |= CERTDB_VALID_CA;
346 isFortezzaRootCA = PR_TRUE;
347 }
348 }
349 if ((type & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
350 trust->sslFlags |= trustflags;
351 }
352 if ((type & NS_CERT_TYPE_EMAIL_CA) == NS_CERT_TYPE_EMAIL_CA) {
353 trust->emailFlags |= trustflags;
354 }
355 if ((type & NS_CERT_TYPE_OBJECT_SIGNING_CA)
356 == NS_CERT_TYPE_OBJECT_SIGNING_CA) {
357 trust->objectSigningFlags |= trustflags;
358 }
359 }
360 }
361
362 if (PK11_IsUserCert(slot,cert,certID)) {
363 trust->sslFlags |= CERTDB_USER;
364 trust->emailFlags |= CERTDB_USER;
365 /* trust->objectSigningFlags |= CERTDB_USER; */
366 }
367 CERT_LockCertTrust(cert);
368 cert->trust = trust;
369 CERT_UnlockCertTrust(cert);
370
371 return cert;
372
373 loser:
374 if (nickname)
375 PORT_Free(nickname);
376 if (cert)
377 CERT_DestroyCertificate(cert);
378 return NULL;
379 }
380
381
382 /*
383 * Build get a certificate from a private key
384 */
385 CERTCertificate *
386 PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey)
387 {
388 PK11SlotInfo *slot = privKey->pkcs11Slot;
389 CK_OBJECT_HANDLE handle = privKey->pkcs11ID;
390 CK_OBJECT_HANDLE certID =
391 PK11_MatchItem(slot,handle,CKO_CERTIFICATE);
392 CERTCertificate *cert;
393
394 if (certID == CK_INVALID_HANDLE) {
395 PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
396 return NULL;
397 }
398 cert = PK11_MakeCertFromHandle(slot,certID,NULL);
399 return (cert);
400
401 }
402
403 /*
404 * delete a cert and it's private key (if no other certs are pointing to the
405 * private key.
406 */
407 SECStatus
408 PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx)
409 {
410 SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert(cert,wincx);
411 CK_OBJECT_HANDLE pubKey;
412 PK11SlotInfo *slot = NULL;
413
414 pubKey = pk11_FindPubKeyByAnyCert(cert, &slot, wincx);
415 if (privKey) {
416 /* For 3.4, utilize the generic cert delete function */
417 SEC_DeletePermCertificate(cert);
418 PK11_DeleteTokenPrivateKey(privKey, PR_FALSE);
419 }
420 if ((pubKey != CK_INVALID_HANDLE) && (slot != NULL)) {
421 PK11_DestroyTokenObject(slot,pubKey);
422 PK11_FreeSlot(slot);
423 }
424 return SECSuccess;
425 }
426
427 /*
428 * cert callback structure
429 */
430 typedef struct pk11DoCertCallbackStr {
431 SECStatus(* callback)(PK11SlotInfo *slot, CERTCertificate*, void *);
432 SECStatus(* noslotcallback)(CERTCertificate*, void *);
433 SECStatus(* itemcallback)(CERTCertificate*, SECItem *, void *);
434 void *callbackArg;
435 } pk11DoCertCallback;
436
437
438 typedef struct pk11CertCallbackStr {
439 SECStatus(* callback)(CERTCertificate*,SECItem *,void *);
440 void *callbackArg;
441 } pk11CertCallback;
442
443 struct fake_der_cb_argstr
444 {
445 SECStatus(* callback)(CERTCertificate*, SECItem *, void *);
446 void *arg;
447 };
448
449 static SECStatus fake_der_cb(CERTCertificate *c, void *a)
450 {
451 struct fake_der_cb_argstr *fda = (struct fake_der_cb_argstr *)a;
452 return (*fda->callback)(c, &c->derCert, fda->arg);
453 }
454
455 /*
456 * Extract all the certs on a card from a slot.
457 */
458 SECStatus
459 PK11_TraverseSlotCerts(SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
460 void *arg, void *wincx)
461 {
462 NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
463 struct fake_der_cb_argstr fda;
464 struct nss3_cert_cbstr pk11cb;
465
466 /* authenticate to the tokens first */
467 (void) pk11_TraverseAllSlots( NULL, NULL, PR_TRUE, wincx);
468
469 fda.callback = callback;
470 fda.arg = arg;
471 pk11cb.callback = fake_der_cb;
472 pk11cb.arg = &fda;
473 NSSTrustDomain_TraverseCertificates(defaultTD, convert_cert, &pk11cb);
474 return SECSuccess;
475 }
476
477 static void
478 transfer_token_certs_to_collection(nssList *certList, NSSToken *token,
479 nssPKIObjectCollection *collection)
480 {
481 NSSCertificate **certs;
482 PRUint32 i, count;
483 NSSToken **tokens, **tp;
484 count = nssList_Count(certList);
485 if (count == 0) {
486 return;
487 }
488 certs = nss_ZNEWARRAY(NULL, NSSCertificate *, count);
489 if (!certs) {
490 return;
491 }
492 nssList_GetArray(certList, (void **)certs, count);
493 for (i=0; i<count; i++) {
494 tokens = nssPKIObject_GetTokens(&certs[i]->object, NULL);
495 if (tokens) {
496 for (tp = tokens; *tp; tp++) {
497 if (*tp == token) {
498 nssPKIObjectCollection_AddObject(collection,
499 (nssPKIObject *)certs[i]);
500 }
501 }
502 nssTokenArray_Destroy(tokens);
503 }
504 CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(certs[i]));
505 }
506 nss_ZFreeIf(certs);
507 }
508
509 CERTCertificate *
510 PK11_FindCertFromNickname(const char *nickname, void *wincx)
511 {
512 PRStatus status;
513 CERTCertificate *rvCert = NULL;
514 NSSCertificate *cert = NULL;
515 NSSCertificate **certs = NULL;
516 static const NSSUsage usage = {PR_TRUE /* ... */ };
517 NSSToken *token;
518 NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
519 PK11SlotInfo *slot = NULL;
520 SECStatus rv;
521 char *nickCopy;
522 char *delimit = NULL;
523 char *tokenName;
524
525 nickCopy = PORT_Strdup(nickname);
526 if (!nickCopy) {
527 /* error code is set */
528 return NULL;
529 }
530 if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) {
531 tokenName = nickCopy;
532 nickname = delimit + 1;
533 *delimit = '\0';
534 /* find token by name */
535 token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName);
536 if (token) {
537 slot = PK11_ReferenceSlot(token->pk11slot);
538 } else {
539 PORT_SetError(SEC_ERROR_NO_TOKEN);
540 }
541 *delimit = ':';
542 } else {
543 slot = PK11_GetInternalKeySlot();
544 token = PK11Slot_GetNSSToken(slot);
545 }
546 if (token) {
547 nssList *certList;
548 nssCryptokiObject **instances;
549 nssPKIObjectCollection *collection;
550 nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
551 if (!PK11_IsPresent(slot)) {
552 goto loser;
553 }
554 rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
555 if (rv != SECSuccess) {
556 goto loser;
557 }
558 collection = nssCertificateCollection_Create(defaultTD, NULL);
559 if (!collection) {
560 goto loser;
561 }
562 certList = nssList_Create(NULL, PR_FALSE);
563 if (!certList) {
564 nssPKIObjectCollection_Destroy(collection);
565 goto loser;
566 }
567 (void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD,
568 nickname,
569 certList);
570 transfer_token_certs_to_collection(certList, token, collection);
571 instances = nssToken_FindCertificatesByNickname(token,
572 NULL,
573 nickname,
574 tokenOnly,
575 0,
576 &status);
577 nssPKIObjectCollection_AddInstances(collection, instances, 0);
578 nss_ZFreeIf(instances);
579 /* if it wasn't found, repeat the process for email address */
580 if (nssPKIObjectCollection_Count(collection) == 0 &&
581 PORT_Strchr(nickname, '@') != NULL)
582 {
583 char* lowercaseName = CERT_FixupEmailAddr(nickname);
584 if (lowercaseName) {
585 (void)nssTrustDomain_GetCertsForEmailAddressFromCache(defaultTD,
586 lowercaseN ame,
587 certList);
588 transfer_token_certs_to_collection(certList, token, collection);
589 instances = nssToken_FindCertificatesByEmail(token,
590 NULL,
591 lowercaseName,
592 tokenOnly,
593 0,
594 &status);
595 nssPKIObjectCollection_AddInstances(collection, instances, 0);
596 nss_ZFreeIf(instances);
597 PORT_Free(lowercaseName);
598 }
599 }
600 certs = nssPKIObjectCollection_GetCertificates(collection,
601 NULL, 0, NULL);
602 nssPKIObjectCollection_Destroy(collection);
603 if (certs) {
604 cert = nssCertificateArray_FindBestCertificate(certs, NULL,
605 &usage, NULL);
606 if (cert) {
607 rvCert = STAN_GetCERTCertificateOrRelease(cert);
608 }
609 nssCertificateArray_Destroy(certs);
610 }
611 nssList_Destroy(certList);
612 }
613 if (slot) {
614 PK11_FreeSlot(slot);
615 }
616 if (nickCopy) PORT_Free(nickCopy);
617 return rvCert;
618 loser:
619 if (slot) {
620 PK11_FreeSlot(slot);
621 }
622 if (nickCopy) PORT_Free(nickCopy);
623 return NULL;
624 }
625
626 /* Traverse slots callback */
627 typedef struct FindCertsEmailArgStr {
628 char *email;
629 CERTCertList *certList;
630 } FindCertsEmailArg;
631
632 SECStatus
633 FindCertsEmailCallback(CERTCertificate *cert, SECItem *item, void *arg)
634 {
635 FindCertsEmailArg *cbparam = (FindCertsEmailArg *) arg;
636 const char *cert_email = CERT_GetFirstEmailAddress(cert);
637 PRBool found = PR_FALSE;
638
639 /* Email address present in certificate? */
640 if (cert_email == NULL){
641 return SECSuccess;
642 }
643
644 /* Parameter correctly set? */
645 if (cbparam->email == NULL) {
646 return SECFailure;
647 }
648
649 /* Loop over all email addresses */
650 do {
651 if (!strcmp(cert_email, cbparam->email)) {
652 /* found one matching email address */
653 PRTime now = PR_Now();
654 found = PR_TRUE;
655 CERT_AddCertToListSorted(cbparam->certList,
656 CERT_DupCertificate(cert),
657 CERT_SortCBValidity, &now);
658 }
659 cert_email = CERT_GetNextEmailAddress(cert, cert_email);
660 } while (cert_email && !found);
661
662 return SECSuccess;
663 }
664
665 /* Find all certificates with matching email address */
666 CERTCertList *
667 PK11_FindCertsFromEmailAddress(const char *email, void *wincx)
668 {
669 FindCertsEmailArg cbparam;
670 SECStatus rv;
671
672 cbparam.certList = CERT_NewCertList();
673 if (cbparam.certList == NULL) {
674 return NULL;
675 }
676
677 cbparam.email = CERT_FixupEmailAddr(email);
678 if (cbparam.email == NULL) {
679 CERT_DestroyCertList(cbparam.certList);
680 return NULL;
681 }
682
683 rv = PK11_TraverseSlotCerts(FindCertsEmailCallback, &cbparam, NULL);
684 if (rv != SECSuccess) {
685 CERT_DestroyCertList(cbparam.certList);
686 PORT_Free(cbparam.email);
687 return NULL;
688 }
689
690 /* empty list? */
691 if (CERT_LIST_HEAD(cbparam.certList) == NULL ||
692 CERT_LIST_END(CERT_LIST_HEAD(cbparam.certList), cbparam.certList)) {
693 CERT_DestroyCertList(cbparam.certList);
694 cbparam.certList = NULL;
695 }
696
697 PORT_Free(cbparam.email);
698 return cbparam.certList;
699 }
700
701
702 CERTCertList *
703 PK11_FindCertsFromNickname(const char *nickname, void *wincx)
704 {
705 char *nickCopy;
706 char *delimit = NULL;
707 char *tokenName;
708 int i;
709 CERTCertList *certList = NULL;
710 nssPKIObjectCollection *collection = NULL;
711 NSSCertificate **foundCerts = NULL;
712 NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
713 NSSCertificate *c;
714 NSSToken *token;
715 PK11SlotInfo *slot;
716 SECStatus rv;
717
718 nickCopy = PORT_Strdup(nickname);
719 if (!nickCopy) {
720 /* error code is set */
721 return NULL;
722 }
723 if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) {
724 tokenName = nickCopy;
725 nickname = delimit + 1;
726 *delimit = '\0';
727 /* find token by name */
728 token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName);
729 if (token) {
730 slot = PK11_ReferenceSlot(token->pk11slot);
731 } else {
732 PORT_SetError(SEC_ERROR_NO_TOKEN);
733 slot = NULL;
734 }
735 *delimit = ':';
736 } else {
737 slot = PK11_GetInternalKeySlot();
738 token = PK11Slot_GetNSSToken(slot);
739 }
740 if (token) {
741 PRStatus status;
742 nssList *nameList;
743 nssCryptokiObject **instances;
744 nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
745 rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
746 if (rv != SECSuccess) {
747 PK11_FreeSlot(slot);
748 if (nickCopy) PORT_Free(nickCopy);
749 return NULL;
750 }
751 collection = nssCertificateCollection_Create(defaultTD, NULL);
752 if (!collection) {
753 PK11_FreeSlot(slot);
754 if (nickCopy) PORT_Free(nickCopy);
755 return NULL;
756 }
757 nameList = nssList_Create(NULL, PR_FALSE);
758 if (!nameList) {
759 PK11_FreeSlot(slot);
760 if (nickCopy) PORT_Free(nickCopy);
761 return NULL;
762 }
763 (void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD,
764 nickname,
765 nameList);
766 transfer_token_certs_to_collection(nameList, token, collection);
767 instances = nssToken_FindCertificatesByNickname(token,
768 NULL,
769 nickname,
770 tokenOnly,
771 0,
772 &status);
773 nssPKIObjectCollection_AddInstances(collection, instances, 0);
774 nss_ZFreeIf(instances);
775
776 /* if it wasn't found, repeat the process for email address */
777 if (nssPKIObjectCollection_Count(collection) == 0 &&
778 PORT_Strchr(nickname, '@') != NULL)
779 {
780 char* lowercaseName = CERT_FixupEmailAddr(nickname);
781 if (lowercaseName) {
782 (void)nssTrustDomain_GetCertsForEmailAddressFromCache(defaultTD,
783 lowercaseN ame,
784 nameList);
785 transfer_token_certs_to_collection(nameList, token, collection);
786 instances = nssToken_FindCertificatesByEmail(token,
787 NULL,
788 lowercaseName,
789 tokenOnly,
790 0,
791 &status);
792 nssPKIObjectCollection_AddInstances(collection, instances, 0);
793 nss_ZFreeIf(instances);
794 PORT_Free(lowercaseName);
795 }
796 }
797
798 nssList_Destroy(nameList);
799 foundCerts = nssPKIObjectCollection_GetCertificates(collection,
800 NULL, 0, NULL);
801 nssPKIObjectCollection_Destroy(collection);
802 }
803 if (slot) {
804 PK11_FreeSlot(slot);
805 }
806 if (nickCopy) PORT_Free(nickCopy);
807 if (foundCerts) {
808 PRTime now = PR_Now();
809 certList = CERT_NewCertList();
810 for (i=0, c = *foundCerts; c; c = foundCerts[++i]) {
811 if (certList) {
812 CERTCertificate *certCert = STAN_GetCERTCertificateOrRelease(c);
813 /* c may be invalid after this, don't reference it */
814 if (certCert) {
815 /* CERT_AddCertToListSorted adopts certCert */
816 CERT_AddCertToListSorted(certList, certCert,
817 CERT_SortCBValidity, &now);
818 }
819 } else {
820 nssCertificate_Destroy(c);
821 }
822 }
823 if (certList && CERT_LIST_HEAD(certList) == NULL) {
824 CERT_DestroyCertList(certList);
825 certList = NULL;
826 }
827 /* all the certs have been adopted or freed, free the raw array */
828 nss_ZFreeIf(foundCerts);
829 }
830 return certList;
831 }
832
833 /*
834 * extract a key ID for a certificate...
835 * NOTE: We call this function from PKCS11.c If we ever use
836 * pkcs11 to extract the public key (we currently do not), this will break.
837 */
838 SECItem *
839 PK11_GetPubIndexKeyID(CERTCertificate *cert)
840 {
841 SECKEYPublicKey *pubk;
842 SECItem *newItem = NULL;
843
844 pubk = CERT_ExtractPublicKey(cert);
845 if (pubk == NULL) return NULL;
846
847 switch (pubk->keyType) {
848 case rsaKey:
849 newItem = SECITEM_DupItem(&pubk->u.rsa.modulus);
850 break;
851 case dsaKey:
852 newItem = SECITEM_DupItem(&pubk->u.dsa.publicValue);
853 break;
854 case dhKey:
855 newItem = SECITEM_DupItem(&pubk->u.dh.publicValue);
856 break;
857 case ecKey:
858 newItem = SECITEM_DupItem(&pubk->u.ec.publicValue);
859 break;
860 case fortezzaKey:
861 default:
862 newItem = NULL; /* Fortezza Fix later... */
863 }
864 SECKEY_DestroyPublicKey(pubk);
865 /* make hash of it */
866 return newItem;
867 }
868
869 /*
870 * generate a CKA_ID from a certificate.
871 */
872 SECItem *
873 pk11_mkcertKeyID(CERTCertificate *cert)
874 {
875 SECItem *pubKeyData = PK11_GetPubIndexKeyID(cert) ;
876 SECItem *certCKA_ID;
877
878 if (pubKeyData == NULL) return NULL;
879
880 certCKA_ID = PK11_MakeIDFromPubKey(pubKeyData);
881 SECITEM_FreeItem(pubKeyData,PR_TRUE);
882 return certCKA_ID;
883 }
884
885 /*
886 * Write the cert into the token.
887 */
888 SECStatus
889 PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
890 CK_OBJECT_HANDLE key, const char *nickname,
891 PRBool includeTrust)
892 {
893 PRStatus status;
894 NSSCertificate *c;
895 nssCryptokiObject *keyobj, *certobj;
896 NSSToken *token = PK11Slot_GetNSSToken(slot);
897 SECItem *keyID = pk11_mkcertKeyID(cert);
898 char *emailAddr = NULL;
899 nssCertificateStoreTrace lockTrace = {NULL, NULL, PR_FALSE, PR_FALSE};
900 nssCertificateStoreTrace unlockTrace = {NULL, NULL, PR_FALSE, PR_FALSE};
901
902 if (keyID == NULL) {
903 goto loser; /* error code should be set already */
904 }
905 if (!token) {
906 PORT_SetError(SEC_ERROR_NO_TOKEN);
907 goto loser;
908 }
909
910 if (PK11_IsInternal(slot) && cert->emailAddr && cert->emailAddr[0]) {
911 emailAddr = cert->emailAddr;
912 }
913
914 /* need to get the cert as a stan cert */
915 if (cert->nssCertificate) {
916 c = cert->nssCertificate;
917 } else {
918 c = STAN_GetNSSCertificate(cert);
919 if (c == NULL) {
920 goto loser;
921 }
922 }
923
924 /* set the id for the cert */
925 nssItem_Create(c->object.arena, &c->id, keyID->len, keyID->data);
926 if (!c->id.data) {
927 goto loser;
928 }
929
930 if (key != CK_INVALID_HANDLE) {
931 /* create an object for the key, ... */
932 keyobj = nss_ZNEW(NULL, nssCryptokiObject);
933 if (!keyobj) {
934 goto loser;
935 }
936 keyobj->token = nssToken_AddRef(token);
937 keyobj->handle = key;
938 keyobj->isTokenObject = PR_TRUE;
939
940 /* ... in order to set matching attributes for the key */
941 status = nssCryptokiPrivateKey_SetCertificate(keyobj, NULL, nickname,
942 &c->id, &c->subject);
943 nssCryptokiObject_Destroy(keyobj);
944 if (status != PR_SUCCESS) {
945 goto loser;
946 }
947 }
948
949 /* do the token import */
950 certobj = nssToken_ImportCertificate(token, NULL,
951 NSSCertificateType_PKIX,
952 &c->id,
953 nickname,
954 &c->encoding,
955 &c->issuer,
956 &c->subject,
957 &c->serial,
958 emailAddr,
959 PR_TRUE);
960 if (!certobj) {
961 if (NSS_GetError() == NSS_ERROR_INVALID_CERTIFICATE) {
962 PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
963 SECITEM_FreeItem(keyID,PR_TRUE);
964 return SECFailure;
965 }
966 goto loser;
967 }
968
969 if (c->object.cryptoContext) {
970 /* Delete the temp instance */
971 NSSCryptoContext *cc = c->object.cryptoContext;
972 nssCertificateStore_Lock(cc->certStore, &lockTrace);
973 nssCertificateStore_RemoveCertLOCKED(cc->certStore, c);
974 nssCertificateStore_Unlock(cc->certStore, &lockTrace, &unlockTrace);
975 c->object.cryptoContext = NULL;
976 cert->istemp = PR_FALSE;
977 cert->isperm = PR_TRUE;
978 }
979
980 /* add the new instance to the cert, force an update of the
981 * CERTCertificate, and finish
982 */
983 nssPKIObject_AddInstance(&c->object, certobj);
984 nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
985 (void)STAN_ForceCERTCertificateUpdate(c);
986 SECITEM_FreeItem(keyID,PR_TRUE);
987 return SECSuccess;
988 loser:
989 CERT_MapStanError();
990 SECITEM_FreeItem(keyID,PR_TRUE);
991 if (PORT_GetError() != SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
992 PORT_SetError(SEC_ERROR_ADDING_CERT);
993 }
994 return SECFailure;
995 }
996
997 SECStatus
998 PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert,
999 CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust)
1000 {
1001 CERTCertificate *cert;
1002 SECStatus rv;
1003
1004 cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
1005 derCert, NULL, PR_FALSE, PR_TRUE);
1006 if (cert == NULL) return SECFailure;
1007
1008 rv = PK11_ImportCert(slot, cert, key, nickname, includeTrust);
1009 CERT_DestroyCertificate (cert);
1010 return rv;
1011 }
1012
1013 /*
1014 * get a certificate handle, look at the cached handle first..
1015 */
1016 CK_OBJECT_HANDLE
1017 pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert,
1018 CK_ATTRIBUTE *theTemplate,int tsize)
1019 {
1020 CK_OBJECT_HANDLE certh;
1021
1022 if (cert->slot == slot) {
1023 certh = cert->pkcs11ID;
1024 if ((certh == CK_INVALID_HANDLE) ||
1025 (cert->series != slot->series)) {
1026 certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
1027 cert->pkcs11ID = certh;
1028 cert->series = slot->series;
1029 }
1030 } else {
1031 certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
1032 }
1033 return certh;
1034 }
1035
1036 /*
1037 * return the private key From a given Cert
1038 */
1039 SECKEYPrivateKey *
1040 PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert,
1041 void *wincx)
1042 {
1043 int err;
1044 CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
1045 CK_ATTRIBUTE theTemplate[] = {
1046 { CKA_VALUE, NULL, 0 },
1047 { CKA_CLASS, NULL, 0 }
1048 };
1049 /* if you change the array, change the variable below as well */
1050 int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
1051 CK_OBJECT_HANDLE certh;
1052 CK_OBJECT_HANDLE keyh;
1053 CK_ATTRIBUTE *attrs = theTemplate;
1054 PRBool needLogin;
1055 SECStatus rv;
1056
1057 PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
1058 cert->derCert.len); attrs++;
1059 PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
1060
1061 /*
1062 * issue the find
1063 */
1064 rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
1065 if (rv != SECSuccess) {
1066 return NULL;
1067 }
1068
1069 certh = pk11_getcerthandle(slot,cert,theTemplate,tsize);
1070 if (certh == CK_INVALID_HANDLE) {
1071 return NULL;
1072 }
1073 /*
1074 * prevent a login race condition. If slot is logged in between
1075 * our call to pk11_LoginStillRequired and the
1076 * PK11_MatchItem. The matchItem call will either succeed, or
1077 * we will call it one more time after calling PK11_Authenticate
1078 * (which is a noop on an authenticated token).
1079 */
1080 needLogin = pk11_LoginStillRequired(slot,wincx);
1081 keyh = PK11_MatchItem(slot,certh,CKO_PRIVATE_KEY);
1082 if ((keyh == CK_INVALID_HANDLE) && needLogin &&
1083 (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
1084 SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) {
1085 /* try it again authenticated */
1086 rv = PK11_Authenticate(slot, PR_TRUE, wincx);
1087 if (rv != SECSuccess) {
1088 return NULL;
1089 }
1090 keyh = PK11_MatchItem(slot,certh,CKO_PRIVATE_KEY);
1091 }
1092 if (keyh == CK_INVALID_HANDLE) {
1093 return NULL;
1094 }
1095 return PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyh, wincx);
1096 }
1097
1098 /*
1099 * import a cert for a private key we have already generated. Set the label
1100 * on both to be the nickname. This is for the Key Gen, orphaned key case.
1101 */
1102 PK11SlotInfo *
1103 PK11_KeyForCertExists(CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr,
1104 void *wincx)
1105 {
1106 PK11SlotList *list;
1107 PK11SlotListElement *le;
1108 SECItem *keyID;
1109 CK_OBJECT_HANDLE key;
1110 PK11SlotInfo *slot = NULL;
1111 SECStatus rv;
1112 int err;
1113
1114 keyID = pk11_mkcertKeyID(cert);
1115 /* get them all! */
1116 list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
1117 if ((keyID == NULL) || (list == NULL)) {
1118 if (keyID) SECITEM_FreeItem(keyID,PR_TRUE);
1119 if (list) PK11_FreeSlotList(list);
1120 return NULL;
1121 }
1122
1123 /* Look for the slot that holds the Key */
1124 for (le = list->head ; le; le = le->next) {
1125 /*
1126 * prevent a login race condition. If le->slot is logged in between
1127 * our call to pk11_LoginStillRequired and the
1128 * pk11_FindPrivateKeyFromCertID, the find will either succeed, or
1129 * we will call it one more time after calling PK11_Authenticate
1130 * (which is a noop on an authenticated token).
1131 */
1132 PRBool needLogin = pk11_LoginStillRequired(le->slot,wincx);
1133 key = pk11_FindPrivateKeyFromCertID(le->slot,keyID);
1134 if ((key == CK_INVALID_HANDLE) && needLogin &&
1135 (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
1136 SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) {
1137 /* authenticate and try again */
1138 rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
1139 if (rv != SECSuccess) continue;
1140 key = pk11_FindPrivateKeyFromCertID(le->slot,keyID);
1141 }
1142 if (key != CK_INVALID_HANDLE) {
1143 slot = PK11_ReferenceSlot(le->slot);
1144 if (keyPtr) *keyPtr = key;
1145 break;
1146 }
1147 }
1148
1149 SECITEM_FreeItem(keyID,PR_TRUE);
1150 PK11_FreeSlotList(list);
1151 return slot;
1152
1153 }
1154 /*
1155 * import a cert for a private key we have already generated. Set the label
1156 * on both to be the nickname. This is for the Key Gen, orphaned key case.
1157 */
1158 PK11SlotInfo *
1159 PK11_KeyForDERCertExists(SECItem *derCert, CK_OBJECT_HANDLE *keyPtr,
1160 void *wincx)
1161 {
1162 CERTCertificate *cert;
1163 PK11SlotInfo *slot = NULL;
1164
1165 /* letting this use go -- the only thing that the cert is used for is
1166 * to get the ID attribute.
1167 */
1168 cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
1169 if (cert == NULL) return NULL;
1170
1171 slot = PK11_KeyForCertExists(cert, keyPtr, wincx);
1172 CERT_DestroyCertificate (cert);
1173 return slot;
1174 }
1175
1176 PK11SlotInfo *
1177 PK11_ImportCertForKey(CERTCertificate *cert, const char *nickname,
1178 void *wincx)
1179 {
1180 PK11SlotInfo *slot = NULL;
1181 CK_OBJECT_HANDLE key;
1182
1183 slot = PK11_KeyForCertExists(cert,&key,wincx);
1184
1185 if (slot) {
1186 if (PK11_ImportCert(slot,cert,key,nickname,PR_FALSE) != SECSuccess) {
1187 PK11_FreeSlot(slot);
1188 slot = NULL;
1189 }
1190 } else {
1191 PORT_SetError(SEC_ERROR_ADDING_CERT);
1192 }
1193
1194 return slot;
1195 }
1196
1197 PK11SlotInfo *
1198 PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,void *wincx)
1199 {
1200 CERTCertificate *cert;
1201 PK11SlotInfo *slot = NULL;
1202
1203 cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
1204 derCert, NULL, PR_FALSE, PR_TRUE);
1205 if (cert == NULL) return NULL;
1206
1207 slot = PK11_ImportCertForKey(cert, nickname, wincx);
1208 CERT_DestroyCertificate (cert);
1209 return slot;
1210 }
1211
1212 static CK_OBJECT_HANDLE
1213 pk11_FindCertObjectByTemplate(PK11SlotInfo **slotPtr,
1214 CK_ATTRIBUTE *searchTemplate, int count, void *wincx)
1215 {
1216 PK11SlotList *list;
1217 PK11SlotListElement *le;
1218 CK_OBJECT_HANDLE certHandle = CK_INVALID_HANDLE;
1219 PK11SlotInfo *slot = NULL;
1220 SECStatus rv;
1221
1222 *slotPtr = NULL;
1223
1224 /* get them all! */
1225 list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
1226 if (list == NULL) {
1227 return CK_INVALID_HANDLE;
1228 }
1229
1230
1231 /* Look for the slot that holds the Key */
1232 for (le = list->head ; le; le = le->next) {
1233 rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx);
1234 if (rv != SECSuccess) continue;
1235
1236 certHandle = pk11_FindObjectByTemplate(le->slot,searchTemplate,count);
1237 if (certHandle != CK_INVALID_HANDLE) {
1238 slot = PK11_ReferenceSlot(le->slot);
1239 break;
1240 }
1241 }
1242
1243 PK11_FreeSlotList(list);
1244
1245 if (slot == NULL) {
1246 return CK_INVALID_HANDLE;
1247 }
1248 *slotPtr = slot;
1249 return certHandle;
1250 }
1251
1252 CERTCertificate *
1253 PK11_FindCertByIssuerAndSNOnToken(PK11SlotInfo *slot,
1254 CERTIssuerAndSN *issuerSN, void *wincx)
1255 {
1256 CERTCertificate *rvCert = NULL;
1257 NSSCertificate *cert = NULL;
1258 NSSDER issuer, serial;
1259 NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
1260 NSSToken *token = slot->nssToken;
1261 nssSession *session;
1262 nssCryptokiObject *instance = NULL;
1263 nssPKIObject *object = NULL;
1264 SECItem *derSerial;
1265 PRStatus status;
1266
1267 if (!issuerSN || !issuerSN->derIssuer.data || !issuerSN->derIssuer.len ||
1268 !issuerSN->serialNumber.data || !issuerSN->serialNumber.len ||
1269 issuerSN->derIssuer.len > CERT_MAX_DN_BYTES ||
1270 issuerSN->serialNumber.len > CERT_MAX_SERIAL_NUMBER_BYTES ) {
1271 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1272 return NULL;
1273 }
1274
1275 /* Paranoia */
1276 if (token == NULL) {
1277 PORT_SetError(SEC_ERROR_NO_TOKEN);
1278 return NULL;
1279 }
1280
1281
1282 /* PKCS#11 needs to use DER-encoded serial numbers. Create a
1283 * CERTIssuerAndSN that actually has the encoded value and pass that
1284 * to PKCS#11 (and the crypto context).
1285 */
1286 derSerial = SEC_ASN1EncodeItem(NULL, NULL,
1287 &issuerSN->serialNumber,
1288 SEC_ASN1_GET(SEC_IntegerTemplate));
1289 if (!derSerial) {
1290 return NULL;
1291 }
1292
1293 NSSITEM_FROM_SECITEM(&issuer, &issuerSN->derIssuer);
1294 NSSITEM_FROM_SECITEM(&serial, derSerial);
1295
1296 session = nssToken_GetDefaultSession(token);
1297 if (!session) {
1298 goto loser;
1299 }
1300
1301 instance = nssToken_FindCertificateByIssuerAndSerialNumber(token,session,
1302 &issuer, &serial, nssTokenSearchType_TokenForced, &status);
1303
1304 SECITEM_FreeItem(derSerial, PR_TRUE);
1305
1306 if (!instance) {
1307 goto loser;
1308 }
1309 object = nssPKIObject_Create(NULL, instance, td, NULL, nssPKIMonitor);
1310 if (!object) {
1311 goto loser;
1312 }
1313 instance = NULL; /* adopted by the previous call */
1314 cert = nssCertificate_Create(object);
1315 if (!cert) {
1316 goto loser;
1317 }
1318 object = NULL; /* adopted by the previous call */
1319 nssTrustDomain_AddCertsToCache(td, &cert,1);
1320 /* on failure, cert is freed below */
1321 rvCert = STAN_GetCERTCertificate(cert);
1322 if (!rvCert) {
1323 goto loser;
1324 }
1325 return rvCert;
1326
1327 loser:
1328 if (instance) {
1329 nssCryptokiObject_Destroy(instance);
1330 }
1331 if (object) {
1332 nssPKIObject_Destroy(object);
1333 }
1334 if (cert) {
1335 nssCertificate_Destroy(cert);
1336 }
1337 return NULL;
1338 }
1339
1340 static PRCallOnceType keyIDHashCallOnce;
1341
1342 static PRStatus PR_CALLBACK
1343 pk11_keyIDHash_populate(void *wincx)
1344 {
1345 CERTCertList *certList;
1346 CERTCertListNode *node = NULL;
1347 SECItem subjKeyID = {siBuffer, NULL, 0};
1348 SECItem *slotid = NULL;
1349 SECMODModuleList *modules, *mlp;
1350 SECMODListLock *moduleLock;
1351 int i;
1352
1353 certList = PK11_ListCerts(PK11CertListUser, wincx);
1354 if (!certList) {
1355 return PR_FAILURE;
1356 }
1357
1358 for (node = CERT_LIST_HEAD(certList);
1359 !CERT_LIST_END(node, certList);
1360 node = CERT_LIST_NEXT(node)) {
1361 if (CERT_FindSubjectKeyIDExtension(node->cert,
1362 &subjKeyID) == SECSuccess &&
1363 subjKeyID.data != NULL) {
1364 cert_AddSubjectKeyIDMapping(&subjKeyID, node->cert);
1365 SECITEM_FreeItem(&subjKeyID, PR_FALSE);
1366 }
1367 }
1368 CERT_DestroyCertList(certList);
1369
1370 /*
1371 * Record the state of each slot in a hash. The concatenation of slotID
1372 * and moduleID is used as its key, with the slot series as its value.
1373 */
1374 slotid = SECITEM_AllocItem(NULL, NULL,
1375 sizeof(CK_SLOT_ID) + sizeof(SECMODModuleID));
1376 if (!slotid) {
1377 PORT_SetError(SEC_ERROR_NO_MEMORY);
1378 return PR_FAILURE;
1379 }
1380 moduleLock = SECMOD_GetDefaultModuleListLock();
1381 if (!moduleLock) {
1382 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
1383 return PR_FAILURE;
1384 }
1385 SECMOD_GetReadLock(moduleLock);
1386 modules = SECMOD_GetDefaultModuleList();
1387 for (mlp = modules; mlp; mlp = mlp->next) {
1388 for (i = 0; i < mlp->module->slotCount; i++) {
1389 memcpy(slotid->data, &mlp->module->slots[i]->slotID,
1390 sizeof(CK_SLOT_ID));
1391 memcpy(&slotid->data[sizeof(CK_SLOT_ID)], &mlp->module->moduleID,
1392 sizeof(SECMODModuleID));
1393 cert_UpdateSubjectKeyIDSlotCheck(slotid,
1394 mlp->module->slots[i]->series);
1395 }
1396 }
1397 SECMOD_ReleaseReadLock(moduleLock);
1398 SECITEM_FreeItem(slotid, PR_TRUE);
1399
1400 return PR_SUCCESS;
1401 }
1402
1403 /*
1404 * We're looking for a cert which we have the private key for that's on the
1405 * list of recipients. This searches one slot.
1406 * this is the new version for NSS SMIME code
1407 * this stuff should REALLY be in the SMIME code, but some things in here are no t public
1408 * (they should be!)
1409 */
1410 static CERTCertificate *
1411 pk11_FindCertObjectByRecipientNew(PK11SlotInfo *slot, NSSCMSRecipient **recipien tlist, int *rlIndex, void *pwarg)
1412 {
1413 NSSCMSRecipient *ri = NULL;
1414 int i;
1415 PRBool tokenRescanDone = PR_FALSE;
1416 CERTCertTrust trust;
1417
1418 for (i=0; (ri = recipientlist[i]) != NULL; i++) {
1419 CERTCertificate *cert = NULL;
1420 if (ri->kind == RLSubjKeyID) {
1421 SECItem *derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyI D);
1422 if (!derCert && !tokenRescanDone) {
1423 /*
1424 * We didn't find the cert by its key ID. If we have slots
1425 * with removable tokens, a failure from
1426 * cert_FindDERCertBySubjectKeyID doesn't necessarily imply
1427 * that the cert is unavailable - the token might simply
1428 * have been inserted after the initial run of
1429 * pk11_keyIDHash_populate (wrapped by PR_CallOnceWithArg),
1430 * or a different token might have been present in that
1431 * slot, initially. Let's check for new tokens...
1432 */
1433 PK11SlotList *sl = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
1434 PR_FALSE, PR_FALSE, pwarg);
1435 if (sl) {
1436 PK11SlotListElement *le;
1437 SECItem *slotid = SECITEM_AllocItem(NULL, NULL,
1438 sizeof(CK_SLOT_ID) + sizeof(SECMODModuleID));
1439 if (!slotid) {
1440 PORT_SetError(SEC_ERROR_NO_MEMORY);
1441 return NULL;
1442 }
1443 for (le = sl->head; le; le = le->next) {
1444 memcpy(slotid->data, &le->slot->slotID,
1445 sizeof(CK_SLOT_ID));
1446 memcpy(&slotid->data[sizeof(CK_SLOT_ID)],
1447 &le->slot->module->moduleID,
1448 sizeof(SECMODModuleID));
1449 /*
1450 * Any changes with the slot since our last check?
1451 * If so, re-read the certs in that specific slot.
1452 */
1453 if (cert_SubjectKeyIDSlotCheckSeries(slotid)
1454 != PK11_GetSlotSeries(le->slot)) {
1455 CERTCertListNode *node = NULL;
1456 SECItem subjKeyID = {siBuffer, NULL, 0};
1457 CERTCertList *cl = PK11_ListCertsInSlot(le->slot);
1458 if (!cl) {
1459 continue;
1460 }
1461 for (node = CERT_LIST_HEAD(cl);
1462 !CERT_LIST_END(node, cl);
1463 node = CERT_LIST_NEXT(node)) {
1464 if (CERT_IsUserCert(node->cert) &&
1465 CERT_FindSubjectKeyIDExtension(node->cert,
1466 &subjKeyID) == SECSuccess) {
1467 if (subjKeyID.data) {
1468 cert_AddSubjectKeyIDMapping(&subjKeyID,
1469 node->cert);
1470 cert_UpdateSubjectKeyIDSlotCheck(slotid,
1471 PK11_GetSlotSeries(le->slot));
1472 }
1473 SECITEM_FreeItem(&subjKeyID, PR_FALSE);
1474 }
1475 }
1476 CERT_DestroyCertList(cl);
1477 }
1478 }
1479 PK11_FreeSlotList(sl);
1480 SECITEM_FreeItem(slotid, PR_TRUE);
1481 }
1482 /* only check once per message/recipientlist */
1483 tokenRescanDone = PR_TRUE;
1484 /* do another lookup (hopefully we found that cert...) */
1485 derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyID);
1486 }
1487 if (derCert) {
1488 cert = PK11_FindCertFromDERCertItem(slot, derCert, pwarg);
1489 SECITEM_FreeItem(derCert, PR_TRUE);
1490 }
1491 } else {
1492 cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->id.issuerAndSN,
1493 pwarg);
1494 }
1495 if (cert) {
1496 /* this isn't our cert */
1497 if (CERT_GetCertTrust(cert, &trust) != SECSuccess ||
1498 ((trust.emailFlags & CERTDB_USER) != CERTDB_USER)) {
1499 CERT_DestroyCertificate(cert);
1500 continue;
1501 }
1502 ri->slot = PK11_ReferenceSlot(slot);
1503 *rlIndex = i;
1504 return cert;
1505 }
1506 }
1507 *rlIndex = -1;
1508 return NULL;
1509 }
1510
1511 /*
1512 * This function is the same as above, but it searches all the slots.
1513 * this is the new version for NSS SMIME code
1514 * this stuff should REALLY be in the SMIME code, but some things in here are no t public
1515 * (they should be!)
1516 */
1517 static CERTCertificate *
1518 pk11_AllFindCertObjectByRecipientNew(NSSCMSRecipient **recipientlist, void *winc x, int *rlIndex)
1519 {
1520 PK11SlotList *list;
1521 PK11SlotListElement *le;
1522 CERTCertificate *cert = NULL;
1523 SECStatus rv;
1524
1525 /* get them all! */
1526 list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
1527 if (list == NULL) {
1528 return CK_INVALID_HANDLE;
1529 }
1530
1531 /* Look for the slot that holds the Key */
1532 for (le = list->head ; le; le = le->next) {
1533 rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx);
1534 if (rv != SECSuccess) continue;
1535
1536 cert = pk11_FindCertObjectByRecipientNew(le->slot,
1537 recipientlist, rlIndex, wincx);
1538 if (cert)
1539 break;
1540 }
1541
1542 PK11_FreeSlotList(list);
1543
1544 return cert;
1545 }
1546
1547 /*
1548 * We're looking for a cert which we have the private key for that's on the
1549 * list of recipients. This searches one slot.
1550 */
1551 static CERTCertificate *
1552 pk11_FindCertObjectByRecipient(PK11SlotInfo *slot,
1553 SEC_PKCS7RecipientInfo **recipientArray,
1554 SEC_PKCS7RecipientInfo **rip, void *pwarg)
1555 {
1556 SEC_PKCS7RecipientInfo *ri = NULL;
1557 CERTCertTrust trust;
1558 int i;
1559
1560 for (i=0; (ri = recipientArray[i]) != NULL; i++) {
1561 CERTCertificate *cert;
1562
1563 cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->issuerAndSN,
1564 pwarg);
1565 if (cert) {
1566 /* this isn't our cert */
1567 if (CERT_GetCertTrust(cert, &trust) != SECSuccess ||
1568 ((trust.emailFlags & CERTDB_USER) != CERTDB_USER)) {
1569 CERT_DestroyCertificate(cert);
1570 continue;
1571 }
1572 *rip = ri;
1573 return cert;
1574 }
1575
1576 }
1577 *rip = NULL;
1578 return NULL;
1579 }
1580
1581 /*
1582 * This function is the same as above, but it searches all the slots.
1583 */
1584 static CERTCertificate *
1585 pk11_AllFindCertObjectByRecipient(PK11SlotInfo **slotPtr,
1586 SEC_PKCS7RecipientInfo **recipientArray,SEC_PKCS7RecipientInfo **rip,
1587 void *wincx)
1588 {
1589 PK11SlotList *list;
1590 PK11SlotListElement *le;
1591 CERTCertificate * cert = NULL;
1592 PK11SlotInfo *slot = NULL;
1593 SECStatus rv;
1594
1595 *slotPtr = NULL;
1596
1597 /* get them all! */
1598 list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
1599 if (list == NULL) {
1600 return CK_INVALID_HANDLE;
1601 }
1602
1603 *rip = NULL;
1604
1605 /* Look for the slot that holds the Key */
1606 for (le = list->head ; le; le = le->next) {
1607 rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx);
1608 if (rv != SECSuccess) continue;
1609
1610 cert = pk11_FindCertObjectByRecipient(le->slot, recipientArray,
1611 rip, wincx);
1612 if (cert) {
1613 slot = PK11_ReferenceSlot(le->slot);
1614 break;
1615 }
1616 }
1617
1618 PK11_FreeSlotList(list);
1619
1620 if (slot == NULL) {
1621 return NULL;
1622 }
1623 *slotPtr = slot;
1624 PORT_Assert(cert != NULL);
1625 return cert;
1626 }
1627
1628 /*
1629 * We need to invert the search logic for PKCS 7 because if we search for
1630 * each cert on the list over all the slots, we wind up with lots of spurious
1631 * password prompts. This way we get only one password prompt per slot, at
1632 * the max, and most of the time we can find the cert, and only prompt for
1633 * the key...
1634 */
1635 CERTCertificate *
1636 PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slotPtr,
1637 SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
1638 SECKEYPrivateKey**privKey, void *wincx)
1639 {
1640 CERTCertificate *cert = NULL;
1641
1642 *privKey = NULL;
1643 *slotPtr = NULL;
1644 cert = pk11_AllFindCertObjectByRecipient(slotPtr,array,rip,wincx);
1645 if (!cert) {
1646 return NULL;
1647 }
1648
1649 *privKey = PK11_FindKeyByAnyCert(cert, wincx);
1650 if (*privKey == NULL) {
1651 goto loser;
1652 }
1653
1654 return cert;
1655 loser:
1656 if (cert) CERT_DestroyCertificate(cert);
1657 if (*slotPtr) PK11_FreeSlot(*slotPtr);
1658 *slotPtr = NULL;
1659 return NULL;
1660 }
1661
1662 /*
1663 * This is the new version of the above function for NSS SMIME code
1664 * this stuff should REALLY be in the SMIME code, but some things in here are no t public
1665 * (they should be!)
1666 */
1667 int
1668 PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist, void *win cx)
1669 {
1670 CERTCertificate *cert;
1671 NSSCMSRecipient *rl;
1672 PRStatus rv;
1673 int rlIndex;
1674
1675 rv = PR_CallOnceWithArg(&keyIDHashCallOnce, pk11_keyIDHash_populate, wincx);
1676 if (rv != PR_SUCCESS)
1677 return -1;
1678
1679 cert = pk11_AllFindCertObjectByRecipientNew(recipientlist, wincx, &rlIndex);
1680 if (!cert) {
1681 return -1;
1682 }
1683
1684 rl = recipientlist[rlIndex];
1685
1686 /* at this point, rl->slot is set */
1687
1688 rl->privkey = PK11_FindKeyByAnyCert(cert, wincx);
1689 if (rl->privkey == NULL) {
1690 goto loser;
1691 }
1692
1693 /* make a cert from the cert handle */
1694 rl->cert = cert;
1695 return rlIndex;
1696
1697 loser:
1698 if (cert) CERT_DestroyCertificate(cert);
1699 if (rl->slot) PK11_FreeSlot(rl->slot);
1700 rl->slot = NULL;
1701 return -1;
1702 }
1703
1704 CERTCertificate *
1705 PK11_FindCertByIssuerAndSN(PK11SlotInfo **slotPtr, CERTIssuerAndSN *issuerSN,
1706 void *wincx)
1707 {
1708 CERTCertificate *rvCert = NULL;
1709 NSSCertificate *cert;
1710 NSSDER issuer, serial;
1711 NSSCryptoContext *cc;
1712 SECItem *derSerial;
1713
1714 if (!issuerSN || !issuerSN->derIssuer.data || !issuerSN->derIssuer.len ||
1715 !issuerSN->serialNumber.data || !issuerSN->serialNumber.len ||
1716 issuerSN->derIssuer.len > CERT_MAX_DN_BYTES ||
1717 issuerSN->serialNumber.len > CERT_MAX_SERIAL_NUMBER_BYTES ) {
1718 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1719 return NULL;
1720 }
1721
1722 if (slotPtr) *slotPtr = NULL;
1723
1724 /* PKCS#11 needs to use DER-encoded serial numbers. Create a
1725 * CERTIssuerAndSN that actually has the encoded value and pass that
1726 * to PKCS#11 (and the crypto context).
1727 */
1728 derSerial = SEC_ASN1EncodeItem(NULL, NULL,
1729 &issuerSN->serialNumber,
1730 SEC_ASN1_GET(SEC_IntegerTemplate));
1731 if (!derSerial) {
1732 return NULL;
1733 }
1734
1735 NSSITEM_FROM_SECITEM(&issuer, &issuerSN->derIssuer);
1736 NSSITEM_FROM_SECITEM(&serial, derSerial);
1737
1738 cc = STAN_GetDefaultCryptoContext();
1739 cert = NSSCryptoContext_FindCertificateByIssuerAndSerialNumber(cc,
1740 &issuer,
1741 &serial);
1742 if (cert) {
1743 SECITEM_FreeItem(derSerial, PR_TRUE);
1744 return STAN_GetCERTCertificateOrRelease(cert);
1745 }
1746
1747 do {
1748 /* free the old cert on retry. Associated slot was not present */
1749 if (rvCert) {
1750 CERT_DestroyCertificate(rvCert);
1751 rvCert = NULL;
1752 }
1753
1754 cert = NSSTrustDomain_FindCertificateByIssuerAndSerialNumber(
1755 STAN_GetDefaultTrustDomain(),
1756 &issuer,
1757 &serial);
1758 if (!cert) {
1759 break;
1760 }
1761
1762 rvCert = STAN_GetCERTCertificateOrRelease(cert);
1763 if (rvCert == NULL) {
1764 break;
1765 }
1766
1767 /* Check to see if the cert's token is still there */
1768 } while (!PK11_IsPresent(rvCert->slot));
1769
1770 if (rvCert && slotPtr) *slotPtr = PK11_ReferenceSlot(rvCert->slot);
1771
1772 SECITEM_FreeItem(derSerial, PR_TRUE);
1773 return rvCert;
1774 }
1775
1776 CK_OBJECT_HANDLE
1777 PK11_FindObjectForCert(CERTCertificate *cert, void *wincx, PK11SlotInfo **pSlot)
1778 {
1779 CK_OBJECT_HANDLE certHandle;
1780 CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
1781 CK_ATTRIBUTE *attr;
1782 CK_ATTRIBUTE searchTemplate[]= {
1783 { CKA_CLASS, NULL, 0 },
1784 { CKA_VALUE, NULL, 0 },
1785 };
1786 int templateSize = sizeof(searchTemplate)/sizeof(searchTemplate[0]);
1787
1788 attr = searchTemplate;
1789 PK11_SETATTRS(attr, CKA_CLASS, &certClass, sizeof(certClass)); attr++;
1790 PK11_SETATTRS(attr, CKA_VALUE, cert->derCert.data, cert->derCert.len);
1791
1792 if (cert->slot) {
1793 certHandle = pk11_getcerthandle(cert->slot, cert, searchTemplate,
1794 templateSize);
1795 if (certHandle != CK_INVALID_HANDLE) {
1796 *pSlot = PK11_ReferenceSlot(cert->slot);
1797 return certHandle;
1798 }
1799 }
1800
1801 certHandle = pk11_FindCertObjectByTemplate(pSlot, searchTemplate,
1802 templateSize, wincx);
1803 if (certHandle != CK_INVALID_HANDLE) {
1804 if (cert->slot == NULL) {
1805 cert->slot = PK11_ReferenceSlot(*pSlot);
1806 cert->pkcs11ID = certHandle;
1807 cert->ownSlot = PR_TRUE;
1808 cert->series = cert->slot->series;
1809 }
1810 }
1811
1812 return(certHandle);
1813 }
1814
1815 SECKEYPrivateKey *
1816 PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx)
1817 {
1818 CK_OBJECT_HANDLE certHandle;
1819 CK_OBJECT_HANDLE keyHandle;
1820 PK11SlotInfo *slot = NULL;
1821 SECKEYPrivateKey *privKey = NULL;
1822 PRBool needLogin;
1823 SECStatus rv;
1824 int err;
1825
1826 certHandle = PK11_FindObjectForCert(cert, wincx, &slot);
1827 if (certHandle == CK_INVALID_HANDLE) {
1828 return NULL;
1829 }
1830 /*
1831 * prevent a login race condition. If slot is logged in between
1832 * our call to pk11_LoginStillRequired and the
1833 * PK11_MatchItem. The matchItem call will either succeed, or
1834 * we will call it one more time after calling PK11_Authenticate
1835 * (which is a noop on an authenticated token).
1836 */
1837 needLogin = pk11_LoginStillRequired(slot,wincx);
1838 keyHandle = PK11_MatchItem(slot,certHandle,CKO_PRIVATE_KEY);
1839 if ((keyHandle == CK_INVALID_HANDLE) && needLogin &&
1840 (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
1841 SEC_ERROR_TOKEN_NOT_LOGGED_IN == err ) ) {
1842 /* authenticate and try again */
1843 rv = PK11_Authenticate(slot, PR_TRUE, wincx);
1844 if (rv == SECSuccess) {
1845 keyHandle = PK11_MatchItem(slot,certHandle,CKO_PRIVATE_KEY);
1846 }
1847 }
1848 if (keyHandle != CK_INVALID_HANDLE) {
1849 privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx);
1850 }
1851 if (slot) {
1852 PK11_FreeSlot(slot);
1853 }
1854 return privKey;
1855 }
1856
1857 CK_OBJECT_HANDLE
1858 pk11_FindPubKeyByAnyCert(CERTCertificate *cert, PK11SlotInfo **slot, void *wincx )
1859 {
1860 CK_OBJECT_HANDLE certHandle;
1861 CK_OBJECT_HANDLE keyHandle;
1862
1863 certHandle = PK11_FindObjectForCert(cert, wincx, slot);
1864 if (certHandle == CK_INVALID_HANDLE) {
1865 return CK_INVALID_HANDLE;
1866 }
1867 keyHandle = PK11_MatchItem(*slot,certHandle,CKO_PUBLIC_KEY);
1868 if (keyHandle == CK_INVALID_HANDLE) {
1869 PK11_FreeSlot(*slot);
1870 return CK_INVALID_HANDLE;
1871 }
1872 return keyHandle;
1873 }
1874
1875 /*
1876 * find the number of certs in the slot with the same subject name
1877 */
1878 int
1879 PK11_NumberCertsForCertSubject(CERTCertificate *cert)
1880 {
1881 CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
1882 CK_ATTRIBUTE theTemplate[] = {
1883 { CKA_CLASS, NULL, 0 },
1884 { CKA_SUBJECT, NULL, 0 },
1885 };
1886 CK_ATTRIBUTE *attr = theTemplate;
1887 int templateSize = sizeof(theTemplate)/sizeof(theTemplate[0]);
1888
1889 PK11_SETATTRS(attr,CKA_CLASS, &certClass, sizeof(certClass)); attr++;
1890 PK11_SETATTRS(attr,CKA_SUBJECT,cert->derSubject.data,cert->derSubject.len);
1891
1892 if (cert->slot == NULL) {
1893 PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
1894 PR_FALSE,PR_TRUE,NULL);
1895 PK11SlotListElement *le;
1896 int count = 0;
1897
1898 if (!list) {
1899 /* error code is set */
1900 return 0;
1901 }
1902
1903 /* loop through all the fortezza tokens */
1904 for (le = list->head; le; le = le->next) {
1905 count += PK11_NumberObjectsFor(le->slot,theTemplate,templateSize);
1906 }
1907 PK11_FreeSlotList(list);
1908 return count;
1909 }
1910
1911 return PK11_NumberObjectsFor(cert->slot,theTemplate,templateSize);
1912 }
1913
1914 /*
1915 * Walk all the certs with the same subject
1916 */
1917 SECStatus
1918 PK11_TraverseCertsForSubject(CERTCertificate *cert,
1919 SECStatus(* callback)(CERTCertificate*, void *), void *arg)
1920 {
1921 if(!cert) {
1922 return SECFailure;
1923 }
1924 if (cert->slot == NULL) {
1925 PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
1926 PR_FALSE,PR_TRUE,NULL);
1927 PK11SlotListElement *le;
1928
1929 if (!list) {
1930 /* error code is set */
1931 return SECFailure;
1932 }
1933 /* loop through all the tokens */
1934 for (le = list->head; le; le = le->next) {
1935 PK11_TraverseCertsForSubjectInSlot(cert,le->slot,callback,arg);
1936 }
1937 PK11_FreeSlotList(list);
1938 return SECSuccess;
1939
1940 }
1941
1942 return PK11_TraverseCertsForSubjectInSlot(cert, cert->slot, callback, arg);
1943 }
1944
1945 SECStatus
1946 PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, PK11SlotInfo *slot,
1947 SECStatus(* callback)(CERTCertificate*, void *), void *arg)
1948 {
1949 PRStatus nssrv = PR_SUCCESS;
1950 NSSToken *token;
1951 NSSDER subject;
1952 NSSTrustDomain *td;
1953 nssList *subjectList;
1954 nssPKIObjectCollection *collection;
1955 nssCryptokiObject **instances;
1956 NSSCertificate **certs;
1957 nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
1958 td = STAN_GetDefaultTrustDomain();
1959 NSSITEM_FROM_SECITEM(&subject, &cert->derSubject);
1960 token = PK11Slot_GetNSSToken(slot);
1961 if (!nssToken_IsPresent(token)) {
1962 return SECSuccess;
1963 }
1964 collection = nssCertificateCollection_Create(td, NULL);
1965 if (!collection) {
1966 return SECFailure;
1967 }
1968 subjectList = nssList_Create(NULL, PR_FALSE);
1969 if (!subjectList) {
1970 nssPKIObjectCollection_Destroy(collection);
1971 return SECFailure;
1972 }
1973 (void)nssTrustDomain_GetCertsForSubjectFromCache(td, &subject,
1974 subjectList);
1975 transfer_token_certs_to_collection(subjectList, token, collection);
1976 instances = nssToken_FindCertificatesBySubject(token, NULL,
1977 &subject,
1978 tokenOnly, 0, &nssrv);
1979 nssPKIObjectCollection_AddInstances(collection, instances, 0);
1980 nss_ZFreeIf(instances);
1981 nssList_Destroy(subjectList);
1982 certs = nssPKIObjectCollection_GetCertificates(collection,
1983 NULL, 0, NULL);
1984 nssPKIObjectCollection_Destroy(collection);
1985 if (certs) {
1986 CERTCertificate *oldie;
1987 NSSCertificate **cp;
1988 for (cp = certs; *cp; cp++) {
1989 oldie = STAN_GetCERTCertificate(*cp);
1990 if (!oldie) {
1991 continue;
1992 }
1993 if ((*callback)(oldie, arg) != SECSuccess) {
1994 nssrv = PR_FAILURE;
1995 break;
1996 }
1997 }
1998 nssCertificateArray_Destroy(certs);
1999 }
2000 return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
2001 }
2002
2003 SECStatus
2004 PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot,
2005 SECStatus(* callback)(CERTCertificate*, void *), void *arg)
2006 {
2007 struct nss3_cert_cbstr pk11cb;
2008 PRStatus nssrv = PR_SUCCESS;
2009 NSSToken *token;
2010 NSSTrustDomain *td;
2011 NSSUTF8 *nick;
2012 PRBool created = PR_FALSE;
2013 nssCryptokiObject **instances;
2014 nssPKIObjectCollection *collection = NULL;
2015 NSSCertificate **certs;
2016 nssList *nameList = NULL;
2017 nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
2018 pk11cb.callback = callback;
2019 pk11cb.arg = arg;
2020 token = PK11Slot_GetNSSToken(slot);
2021 if (!nssToken_IsPresent(token)) {
2022 return SECSuccess;
2023 }
2024 if (nickname->data[nickname->len-1] != '\0') {
2025 nick = nssUTF8_Create(NULL, nssStringType_UTF8String,
2026 nickname->data, nickname->len);
2027 created = PR_TRUE;
2028 } else {
2029 nick = (NSSUTF8 *)nickname->data;
2030 }
2031 td = STAN_GetDefaultTrustDomain();
2032 collection = nssCertificateCollection_Create(td, NULL);
2033 if (!collection) {
2034 goto loser;
2035 }
2036 nameList = nssList_Create(NULL, PR_FALSE);
2037 if (!nameList) {
2038 goto loser;
2039 }
2040 (void)nssTrustDomain_GetCertsForNicknameFromCache(td, nick, nameList);
2041 transfer_token_certs_to_collection(nameList, token, collection);
2042 instances = nssToken_FindCertificatesByNickname(token, NULL,
2043 nick,
2044 tokenOnly, 0, &nssrv);
2045 nssPKIObjectCollection_AddInstances(collection, instances, 0);
2046 nss_ZFreeIf(instances);
2047 nssList_Destroy(nameList);
2048 certs = nssPKIObjectCollection_GetCertificates(collection,
2049 NULL, 0, NULL);
2050 nssPKIObjectCollection_Destroy(collection);
2051 if (certs) {
2052 CERTCertificate *oldie;
2053 NSSCertificate **cp;
2054 for (cp = certs; *cp; cp++) {
2055 oldie = STAN_GetCERTCertificate(*cp);
2056 if (!oldie) {
2057 continue;
2058 }
2059 if ((*callback)(oldie, arg) != SECSuccess) {
2060 nssrv = PR_FAILURE;
2061 break;
2062 }
2063 }
2064 nssCertificateArray_Destroy(certs);
2065 }
2066 if (created) nss_ZFreeIf(nick);
2067 return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
2068 loser:
2069 if (created) {
2070 nss_ZFreeIf(nick);
2071 }
2072 if (collection) {
2073 nssPKIObjectCollection_Destroy(collection);
2074 }
2075 if (nameList) {
2076 nssList_Destroy(nameList);
2077 }
2078 return SECFailure;
2079 }
2080
2081 SECStatus
2082 PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
2083 SECStatus(* callback)(CERTCertificate*, void *), void *arg)
2084 {
2085 PRStatus nssrv;
2086 NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
2087 NSSToken *tok;
2088 nssList *certList = NULL;
2089 nssCryptokiObject **instances;
2090 nssPKIObjectCollection *collection;
2091 NSSCertificate **certs;
2092 nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
2093 tok = PK11Slot_GetNSSToken(slot);
2094 if (!nssToken_IsPresent(tok)) {
2095 return SECSuccess;
2096 }
2097 collection = nssCertificateCollection_Create(td, NULL);
2098 if (!collection) {
2099 return SECFailure;
2100 }
2101 certList = nssList_Create(NULL, PR_FALSE);
2102 if (!certList) {
2103 nssPKIObjectCollection_Destroy(collection);
2104 return SECFailure;
2105 }
2106 (void)nssTrustDomain_GetCertsFromCache(td, certList);
2107 transfer_token_certs_to_collection(certList, tok, collection);
2108 instances = nssToken_FindObjects(tok, NULL, CKO_CERTIFICATE,
2109 tokenOnly, 0, &nssrv);
2110 nssPKIObjectCollection_AddInstances(collection, instances, 0);
2111 nss_ZFreeIf(instances);
2112 nssList_Destroy(certList);
2113 certs = nssPKIObjectCollection_GetCertificates(collection,
2114 NULL, 0, NULL);
2115 nssPKIObjectCollection_Destroy(collection);
2116 if (certs) {
2117 CERTCertificate *oldie;
2118 NSSCertificate **cp;
2119 for (cp = certs; *cp; cp++) {
2120 oldie = STAN_GetCERTCertificate(*cp);
2121 if (!oldie) {
2122 continue;
2123 }
2124 if ((*callback)(oldie, arg) != SECSuccess) {
2125 nssrv = PR_FAILURE;
2126 break;
2127 }
2128 }
2129 nssCertificateArray_Destroy(certs);
2130 }
2131 return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
2132 }
2133
2134 /*
2135 * return the certificate associated with a derCert
2136 */
2137 CERTCertificate *
2138 PK11_FindCertFromDERCert(PK11SlotInfo *slot, CERTCertificate *cert,
2139 void *wincx)
2140 {
2141 return PK11_FindCertFromDERCertItem(slot, &cert->derCert, wincx);
2142 }
2143
2144 CERTCertificate *
2145 PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, const SECItem *inDerCert,
2146 void *wincx)
2147
2148 {
2149 NSSDER derCert;
2150 NSSToken *tok;
2151 NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
2152 nssCryptokiObject *co = NULL;
2153 SECStatus rv;
2154
2155 tok = PK11Slot_GetNSSToken(slot);
2156 NSSITEM_FROM_SECITEM(&derCert, inDerCert);
2157 rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
2158 if (rv != SECSuccess) {
2159 PK11_FreeSlot(slot);
2160 return NULL;
2161 }
2162
2163 co = nssToken_FindCertificateByEncodedCertificate(tok, NULL, &derCert,
2164 nssTokenSearchType_TokenOnly, NULL);
2165
2166 return co ? PK11_MakeCertFromHandle(slot, co->handle, NULL) : NULL;
2167
2168 }
2169
2170 /*
2171 * import a cert for a private key we have already generated. Set the label
2172 * on both to be the nickname.
2173 */
2174 static CK_OBJECT_HANDLE
2175 pk11_findKeyObjectByDERCert(PK11SlotInfo *slot, CERTCertificate *cert,
2176 void *wincx)
2177 {
2178 SECItem *keyID;
2179 CK_OBJECT_HANDLE key;
2180 SECStatus rv;
2181 PRBool needLogin;
2182 int err;
2183
2184 if((slot == NULL) || (cert == NULL)) {
2185 return CK_INVALID_HANDLE;
2186 }
2187
2188 keyID = pk11_mkcertKeyID(cert);
2189 if(keyID == NULL) {
2190 return CK_INVALID_HANDLE;
2191 }
2192
2193 /*
2194 * prevent a login race condition. If slot is logged in between
2195 * our call to pk11_LoginStillRequired and the
2196 * pk11_FindPrivateKeyFromCerID. The matchItem call will either succeed, or
2197 * we will call it one more time after calling PK11_Authenticate
2198 * (which is a noop on an authenticated token).
2199 */
2200 needLogin = pk11_LoginStillRequired(slot,wincx);
2201 key = pk11_FindPrivateKeyFromCertID(slot, keyID);
2202 if ((key == CK_INVALID_HANDLE) && needLogin &&
2203 (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
2204 SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) {
2205 /* authenticate and try again */
2206 rv = PK11_Authenticate(slot, PR_TRUE, wincx);
2207 if (rv != SECSuccess) goto loser;
2208 key = pk11_FindPrivateKeyFromCertID(slot, keyID);
2209 }
2210
2211 loser:
2212 SECITEM_ZfreeItem(keyID, PR_TRUE);
2213 return key;
2214 }
2215
2216 SECKEYPrivateKey *
2217 PK11_FindKeyByDERCert(PK11SlotInfo *slot, CERTCertificate *cert,
2218 void *wincx)
2219 {
2220 CK_OBJECT_HANDLE keyHandle;
2221
2222 if((slot == NULL) || (cert == NULL)) {
2223 return NULL;
2224 }
2225
2226 keyHandle = pk11_findKeyObjectByDERCert(slot, cert, wincx);
2227 if (keyHandle == CK_INVALID_HANDLE) {
2228 return NULL;
2229 }
2230
2231 return PK11_MakePrivKey(slot,nullKey,PR_TRUE,keyHandle,wincx);
2232 }
2233
2234 SECStatus
2235 PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
2236 char *nickname,
2237 PRBool addCertUsage,void *wincx)
2238 {
2239 CK_OBJECT_HANDLE keyHandle;
2240
2241 if((slot == NULL) || (cert == NULL) || (nickname == NULL)) {
2242 return SECFailure;
2243 }
2244
2245 keyHandle = pk11_findKeyObjectByDERCert(slot, cert, wincx);
2246 if (keyHandle == CK_INVALID_HANDLE) {
2247 return SECFailure;
2248 }
2249
2250 return PK11_ImportCert(slot, cert, keyHandle, nickname, addCertUsage);
2251 }
2252
2253
2254 /* remove when the real version comes out */
2255 #define SEC_OID_MISSI_KEA 300 /* until we have v3 stuff merged */
2256 PRBool
2257 KEAPQGCompare(CERTCertificate *server,CERTCertificate *cert) {
2258
2259 /* not implemented */
2260 return PR_FALSE;
2261 }
2262
2263 PRBool
2264 PK11_FortezzaHasKEA(CERTCertificate *cert)
2265 {
2266 /* look at the subject and see if it is a KEA for MISSI key */
2267 SECOidData *oid;
2268 CERTCertTrust trust;
2269
2270 if (CERT_GetCertTrust(cert, &trust) != SECSuccess ||
2271 ((trust.sslFlags & CERTDB_USER) != CERTDB_USER)) {
2272 return PR_FALSE;
2273 }
2274
2275 oid = SECOID_FindOID(&cert->subjectPublicKeyInfo.algorithm.algorithm);
2276 if (!oid) {
2277 return PR_FALSE;
2278 }
2279
2280 return (PRBool)((oid->offset == SEC_OID_MISSI_KEA_DSS_OLD) ||
2281 (oid->offset == SEC_OID_MISSI_KEA_DSS) ||
2282 (oid->offset == SEC_OID_MISSI_KEA)) ;
2283 }
2284
2285 /*
2286 * Find a kea cert on this slot that matches the domain of it's peer
2287 */
2288 static CERTCertificate
2289 *pk11_GetKEAMate(PK11SlotInfo *slot,CERTCertificate *peer)
2290 {
2291 int i;
2292 CERTCertificate *returnedCert = NULL;
2293
2294 for (i=0; i < slot->cert_count; i++) {
2295 CERTCertificate *cert = slot->cert_array[i];
2296
2297 if (PK11_FortezzaHasKEA(cert) && KEAPQGCompare(peer,cert)) {
2298 returnedCert = CERT_DupCertificate(cert);
2299 break;
2300 }
2301 }
2302 return returnedCert;
2303 }
2304
2305 /*
2306 * The following is a FORTEZZA only Certificate request. We call this when we
2307 * are doing a non-client auth SSL connection. We are only interested in the
2308 * fortezza slots, and we are only interested in certs that share the same root
2309 * key as the server.
2310 */
2311 CERTCertificate *
2312 PK11_FindBestKEAMatch(CERTCertificate *server, void *wincx)
2313 {
2314 PK11SlotList *keaList = PK11_GetAllTokens(CKM_KEA_KEY_DERIVE,
2315 PR_FALSE,PR_TRUE,wincx);
2316 PK11SlotListElement *le;
2317 CERTCertificate *returnedCert = NULL;
2318 SECStatus rv;
2319
2320 if (!keaList) {
2321 /* error code is set */
2322 return NULL;
2323 }
2324
2325 /* loop through all the fortezza tokens */
2326 for (le = keaList->head; le; le = le->next) {
2327 rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
2328 if (rv != SECSuccess) continue;
2329 if (le->slot->session == CK_INVALID_SESSION) {
2330 continue;
2331 }
2332 returnedCert = pk11_GetKEAMate(le->slot,server);
2333 if (returnedCert) break;
2334 }
2335 PK11_FreeSlotList(keaList);
2336
2337 return returnedCert;
2338 }
2339
2340 /*
2341 * find a matched pair of kea certs to key exchange parameters from one
2342 * fortezza card to another as necessary.
2343 */
2344 SECStatus
2345 PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, PK11SlotInfo *slot2,
2346 CERTCertificate **cert1, CERTCertificate **cert2)
2347 {
2348 CERTCertificate *returnedCert = NULL;
2349 int i;
2350
2351 for (i=0; i < slot1->cert_count; i++) {
2352 CERTCertificate *cert = slot1->cert_array[i];
2353
2354 if (PK11_FortezzaHasKEA(cert)) {
2355 returnedCert = pk11_GetKEAMate(slot2,cert);
2356 if (returnedCert != NULL) {
2357 *cert2 = returnedCert;
2358 *cert1 = CERT_DupCertificate(cert);
2359 return SECSuccess;
2360 }
2361 }
2362 }
2363 return SECFailure;
2364 }
2365
2366 /*
2367 * return the private key From a given Cert
2368 */
2369 CK_OBJECT_HANDLE
2370 PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
2371 {
2372 CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
2373 CK_ATTRIBUTE theTemplate[] = {
2374 { CKA_VALUE, NULL, 0 },
2375 { CKA_CLASS, NULL, 0 }
2376 };
2377 /* if you change the array, change the variable below as well */
2378 int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
2379 CK_ATTRIBUTE *attrs = theTemplate;
2380 SECStatus rv;
2381
2382 PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
2383 cert->derCert.len); attrs++;
2384 PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
2385
2386 /*
2387 * issue the find
2388 */
2389 rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
2390 if (rv != SECSuccess) {
2391 return CK_INVALID_HANDLE;
2392 }
2393
2394 return pk11_getcerthandle(slot,cert,theTemplate,tsize);
2395 }
2396
2397 /* Looking for PK11_GetKeyIDFromCert?
2398 * Use PK11_GetLowLevelKeyIDForCert instead.
2399 */
2400
2401
2402 struct listCertsStr {
2403 PK11CertListType type;
2404 CERTCertList *certList;
2405 };
2406
2407 static PRStatus
2408 pk11ListCertCallback(NSSCertificate *c, void *arg)
2409 {
2410 struct listCertsStr *listCertP = (struct listCertsStr *)arg;
2411 CERTCertificate *newCert = NULL;
2412 PK11CertListType type = listCertP->type;
2413 CERTCertList *certList = listCertP->certList;
2414 PRBool isUnique = PR_FALSE;
2415 PRBool isCA = PR_FALSE;
2416 char *nickname = NULL;
2417 unsigned int certType;
2418 SECStatus rv;
2419
2420 if ((type == PK11CertListUnique) || (type == PK11CertListRootUnique) ||
2421 (type == PK11CertListCAUnique) || (type == PK11CertListUserUnique) ) {
2422 /* only list one instance of each certificate, even if several exist */
2423 isUnique = PR_TRUE;
2424 }
2425 if ((type == PK11CertListCA) || (type == PK11CertListRootUnique) ||
2426 (type == PK11CertListCAUnique)) {
2427 isCA = PR_TRUE;
2428 }
2429
2430 /* if we want user certs and we don't have one skip this cert */
2431 if ( ( (type == PK11CertListUser) || (type == PK11CertListUserUnique) ) &&
2432 !NSSCertificate_IsPrivateKeyAvailable(c, NULL,NULL)) {
2433 return PR_SUCCESS;
2434 }
2435
2436 /* PK11CertListRootUnique means we want CA certs without a private key.
2437 * This is for legacy app support . PK11CertListCAUnique should be used
2438 * instead to get all CA certs, regardless of private key
2439 */
2440 if ((type == PK11CertListRootUnique) &&
2441 NSSCertificate_IsPrivateKeyAvailable(c, NULL,NULL)) {
2442 return PR_SUCCESS;
2443 }
2444
2445 /* caller still owns the reference to 'c' */
2446 newCert = STAN_GetCERTCertificate(c);
2447 if (!newCert) {
2448 return PR_SUCCESS;
2449 }
2450 /* if we want CA certs and it ain't one, skip it */
2451 if( isCA && (!CERT_IsCACert(newCert, &certType)) ) {
2452 return PR_SUCCESS;
2453 }
2454 if (isUnique) {
2455 CERT_DupCertificate(newCert);
2456
2457 nickname = STAN_GetCERTCertificateName(certList->arena, c);
2458
2459 /* put slot certs at the end */
2460 if (newCert->slot && !PK11_IsInternal(newCert->slot)) {
2461 rv = CERT_AddCertToListTailWithData(certList,newCert,nickname);
2462 } else {
2463 rv = CERT_AddCertToListHeadWithData(certList,newCert,nickname);
2464 }
2465 /* if we didn't add the cert to the list, don't leak it */
2466 if (rv != SECSuccess) {
2467 CERT_DestroyCertificate(newCert);
2468 }
2469 } else {
2470 /* add multiple instances to the cert list */
2471 nssCryptokiObject **ip;
2472 nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
2473 if (!instances) {
2474 return PR_SUCCESS;
2475 }
2476 for (ip = instances; *ip; ip++) {
2477 nssCryptokiObject *instance = *ip;
2478 PK11SlotInfo *slot = instance->token->pk11slot;
2479
2480 /* put the same CERTCertificate in the list for all instances */
2481 CERT_DupCertificate(newCert);
2482
2483 nickname = STAN_GetCERTCertificateNameForInstance(
2484 certList->arena, c, instance);
2485
2486 /* put slot certs at the end */
2487 if (slot && !PK11_IsInternal(slot)) {
2488 rv = CERT_AddCertToListTailWithData(certList,newCert,nickname);
2489 } else {
2490 rv = CERT_AddCertToListHeadWithData(certList,newCert,nickname);
2491 }
2492 /* if we didn't add the cert to the list, don't leak it */
2493 if (rv != SECSuccess) {
2494 CERT_DestroyCertificate(newCert);
2495 }
2496 }
2497 nssCryptokiObjectArray_Destroy(instances);
2498 }
2499 return PR_SUCCESS;
2500 }
2501
2502
2503 CERTCertList *
2504 PK11_ListCerts(PK11CertListType type, void *pwarg)
2505 {
2506 NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
2507 CERTCertList *certList = NULL;
2508 struct listCertsStr listCerts;
2509 certList = CERT_NewCertList();
2510 listCerts.type = type;
2511 listCerts.certList = certList;
2512
2513 /* authenticate to the slots */
2514 (void) pk11_TraverseAllSlots( NULL, NULL, PR_TRUE, pwarg);
2515 NSSTrustDomain_TraverseCertificates(defaultTD, pk11ListCertCallback,
2516 &listCerts);
2517 return certList;
2518 }
2519
2520 SECItem *
2521 PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
2522 CERTCertificate *cert, void *wincx)
2523 {
2524 CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
2525 CK_ATTRIBUTE theTemplate[] = {
2526 { CKA_VALUE, NULL, 0 },
2527 { CKA_CLASS, NULL, 0 }
2528 };
2529 /* if you change the array, change the variable below as well */
2530 int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
2531 CK_OBJECT_HANDLE certHandle;
2532 CK_ATTRIBUTE *attrs = theTemplate;
2533 PK11SlotInfo *slotRef = NULL;
2534 SECItem *item;
2535 SECStatus rv;
2536
2537 if (slot) {
2538 PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
2539 cert->derCert.len); attrs++;
2540 PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
2541
2542 rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
2543 if (rv != SECSuccess) {
2544 return NULL;
2545 }
2546 certHandle = pk11_getcerthandle(slot,cert,theTemplate,tsize);
2547 } else {
2548 certHandle = PK11_FindObjectForCert(cert, wincx, &slotRef);
2549 if (certHandle == CK_INVALID_HANDLE) {
2550 return pk11_mkcertKeyID(cert);
2551 }
2552 slot = slotRef;
2553 }
2554
2555 if (certHandle == CK_INVALID_HANDLE) {
2556 return NULL;
2557 }
2558
2559 item = pk11_GetLowLevelKeyFromHandle(slot,certHandle);
2560 if (slotRef) PK11_FreeSlot(slotRef);
2561 return item;
2562 }
2563
2564 /* argument type for listCertsCallback */
2565 typedef struct {
2566 CERTCertList *list;
2567 PK11SlotInfo *slot;
2568 } ListCertsArg;
2569
2570 static SECStatus
2571 listCertsCallback(CERTCertificate* cert, void*arg)
2572 {
2573 ListCertsArg *cdata = (ListCertsArg*)arg;
2574 char *nickname = NULL;
2575 nssCryptokiObject *instance, **ci;
2576 nssCryptokiObject **instances;
2577 NSSCertificate *c = STAN_GetNSSCertificate(cert);
2578 SECStatus rv;
2579
2580 if (c == NULL) {
2581 return SECFailure;
2582 }
2583 instances = nssPKIObject_GetInstances(&c->object);
2584 if (!instances) {
2585 return SECFailure;
2586 }
2587 instance = NULL;
2588 for (ci = instances; *ci; ci++) {
2589 if ((*ci)->token->pk11slot == cdata->slot) {
2590 instance = *ci;
2591 break;
2592 }
2593 }
2594 PORT_Assert(instance != NULL);
2595 if (!instance) {
2596 nssCryptokiObjectArray_Destroy(instances);
2597 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2598 return SECFailure;
2599 }
2600 nickname = STAN_GetCERTCertificateNameForInstance(cdata->list->arena,
2601 c, instance);
2602 nssCryptokiObjectArray_Destroy(instances);
2603
2604 CERT_DupCertificate(cert);
2605 rv = CERT_AddCertToListTailWithData(cdata->list, cert, nickname);
2606 if (rv != SECSuccess) {
2607 CERT_DestroyCertificate(cert);
2608 }
2609 return rv;
2610 }
2611
2612 CERTCertList *
2613 PK11_ListCertsInSlot(PK11SlotInfo *slot)
2614 {
2615 SECStatus status;
2616 CERTCertList *certs;
2617 ListCertsArg cdata;
2618
2619 certs = CERT_NewCertList();
2620 if(certs == NULL) return NULL;
2621 cdata.list = certs;
2622 cdata.slot = slot;
2623
2624 status = PK11_TraverseCertsInSlot(slot, listCertsCallback,
2625 &cdata);
2626
2627 if( status != SECSuccess ) {
2628 CERT_DestroyCertList(certs);
2629 certs = NULL;
2630 }
2631
2632 return certs;
2633 }
2634
2635 PK11SlotList *
2636 PK11_GetAllSlotsForCert(CERTCertificate *cert, void *arg)
2637 {
2638 nssCryptokiObject **ip;
2639 PK11SlotList *slotList;
2640 NSSCertificate *c;
2641 nssCryptokiObject **instances;
2642 PRBool found = PR_FALSE;
2643
2644 if (!cert) {
2645 PORT_SetError(SEC_ERROR_INVALID_ARGS);
2646 return NULL;
2647 }
2648
2649 c = STAN_GetNSSCertificate(cert);
2650 if (!c) {
2651 CERT_MapStanError();
2652 return NULL;
2653 }
2654
2655 /* add multiple instances to the cert list */
2656 instances = nssPKIObject_GetInstances(&c->object);
2657 if (!instances) {
2658 PORT_SetError(SEC_ERROR_NO_TOKEN);
2659 return NULL;
2660 }
2661
2662 slotList = PK11_NewSlotList();
2663 if (!slotList) {
2664 nssCryptokiObjectArray_Destroy(instances);
2665 return NULL;
2666 }
2667
2668 for (ip = instances; *ip; ip++) {
2669 nssCryptokiObject *instance = *ip;
2670 PK11SlotInfo *slot = instance->token->pk11slot;
2671 if (slot) {
2672 PK11_AddSlotToList(slotList, slot, PR_TRUE);
2673 found = PR_TRUE;
2674 }
2675 }
2676 if (!found) {
2677 PK11_FreeSlotList(slotList);
2678 PORT_SetError(SEC_ERROR_NO_TOKEN);
2679 slotList = NULL;
2680 }
2681
2682 nssCryptokiObjectArray_Destroy(instances);
2683 return slotList;
2684 }
OLDNEW
« no previous file with comments | « mozilla/security/nss/lib/pk11wrap/pk11auth.c ('k') | mozilla/security/nss/lib/pk11wrap/pk11cxt.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698