| OLD | NEW |
|---|
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 | 4 |
| 5 #include "prtime.h" | 5 #include "prtime.h" |
| 6 | 6 |
| 7 #include "cert.h" | 7 #include "cert.h" |
| 8 #include "certi.h" | 8 #include "certi.h" |
| 9 #include "certdb.h" | 9 #include "certdb.h" |
| 10 #include "secitem.h" | 10 #include "secitem.h" |
| (...skipping 15 matching lines...) Expand all Loading... |
| 26 #include "pkim.h" | 26 #include "pkim.h" |
| 27 #include "pki3hack.h" | 27 #include "pki3hack.h" |
| 28 #include "ckhelper.h" | 28 #include "ckhelper.h" |
| 29 #include "base.h" | 29 #include "base.h" |
| 30 #include "pkistore.h" | 30 #include "pkistore.h" |
| 31 #include "dev3hack.h" | 31 #include "dev3hack.h" |
| 32 #include "dev.h" | 32 #include "dev.h" |
| 33 | 33 |
| 34 PRBool | 34 PRBool |
| 35 SEC_CertNicknameConflict(const char *nickname, const SECItem *derSubject, | 35 SEC_CertNicknameConflict(const char *nickname, const SECItem *derSubject, |
| 36 » » » CERTCertDBHandle *handle) | 36 CERTCertDBHandle *handle) |
| 37 { | 37 { |
| 38 CERTCertificate *cert; | 38 CERTCertificate *cert; |
| 39 PRBool conflict = PR_FALSE; | 39 PRBool conflict = PR_FALSE; |
| 40 | 40 |
| 41 cert=CERT_FindCertByNickname(handle, nickname); | 41 cert = CERT_FindCertByNickname(handle, nickname); |
| 42 | 42 |
| 43 if (!cert) { | 43 if (!cert) { |
| 44 » return conflict; | 44 return conflict; |
| 45 } | 45 } |
| 46 | 46 |
| 47 conflict = !SECITEM_ItemsAreEqual(derSubject,&cert->derSubject); | 47 conflict = !SECITEM_ItemsAreEqual(derSubject, &cert->derSubject); |
| 48 CERT_DestroyCertificate(cert); | 48 CERT_DestroyCertificate(cert); |
| 49 return conflict; | 49 return conflict; |
| 50 } | 50 } |
| 51 | 51 |
| 52 SECStatus | 52 SECStatus |
| 53 SEC_DeletePermCertificate(CERTCertificate *cert) | 53 SEC_DeletePermCertificate(CERTCertificate *cert) |
| 54 { | 54 { |
| 55 PRStatus nssrv; | 55 PRStatus nssrv; |
| 56 NSSTrustDomain *td = STAN_GetDefaultTrustDomain(); | 56 NSSTrustDomain *td = STAN_GetDefaultTrustDomain(); |
| 57 NSSCertificate *c = STAN_GetNSSCertificate(cert); | 57 NSSCertificate *c = STAN_GetNSSCertificate(cert); |
| 58 CERTCertTrust *certTrust; | 58 CERTCertTrust *certTrust; |
| 59 | 59 |
| 60 if (c == NULL) { | 60 if (c == NULL) { |
| 61 /* error code is set */ | 61 /* error code is set */ |
| 62 return SECFailure; | 62 return SECFailure; |
| 63 } | 63 } |
| 64 | 64 |
| 65 certTrust = nssTrust_GetCERTCertTrustForCert(c, cert); | 65 certTrust = nssTrust_GetCERTCertTrustForCert(c, cert); |
| 66 if (certTrust) { | 66 if (certTrust) { |
| 67 » NSSTrust *nssTrust = nssTrustDomain_FindTrustForCertificate(td, c); | 67 NSSTrust *nssTrust = nssTrustDomain_FindTrustForCertificate(td, c); |
| 68 » if (nssTrust) { | 68 if (nssTrust) { |
| 69 » nssrv = STAN_DeleteCertTrustMatchingSlot(c); | 69 nssrv = STAN_DeleteCertTrustMatchingSlot(c); |
| 70 » if (nssrv != PR_SUCCESS) { | 70 if (nssrv != PR_SUCCESS) { |
| 71 » » CERT_MapStanError(); | 71 CERT_MapStanError(); |
| 72 » } | 72 } |
| 73 » /* This call always returns PR_SUCCESS! */ | 73 /* This call always returns PR_SUCCESS! */ |
| 74 » (void) nssTrust_Destroy(nssTrust); | 74 (void)nssTrust_Destroy(nssTrust); |
| 75 » } | 75 } |
| 76 } | 76 } |
| 77 | 77 |
| 78 /* get rid of the token instances */ | 78 /* get rid of the token instances */ |
| 79 nssrv = NSSCertificate_DeleteStoredObject(c, NULL); | 79 nssrv = NSSCertificate_DeleteStoredObject(c, NULL); |
| 80 | 80 |
| 81 /* get rid of the cache entry */ | 81 /* get rid of the cache entry */ |
| 82 nssTrustDomain_LockCertCache(td); | 82 nssTrustDomain_LockCertCache(td); |
| 83 nssTrustDomain_RemoveCertFromCacheLOCKED(td, c); | 83 nssTrustDomain_RemoveCertFromCacheLOCKED(td, c); |
| 84 nssTrustDomain_UnlockCertCache(td); | 84 nssTrustDomain_UnlockCertCache(td); |
| 85 | 85 |
| 86 return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure; | 86 return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure; |
| 87 } | 87 } |
| 88 | 88 |
| 89 SECStatus | 89 SECStatus |
| 90 CERT_GetCertTrust(const CERTCertificate *cert, CERTCertTrust *trust) | 90 CERT_GetCertTrust(const CERTCertificate *cert, CERTCertTrust *trust) |
| 91 { | 91 { |
| 92 SECStatus rv; | 92 SECStatus rv; |
| 93 CERT_LockCertTrust(cert); | 93 CERT_LockCertTrust(cert); |
| 94 if ( cert->trust == NULL ) { | 94 if (cert->trust == NULL) { |
| 95 » rv = SECFailure; | 95 rv = SECFailure; |
| 96 } else { | 96 } else { |
| 97 » *trust = *cert->trust; | 97 *trust = *cert->trust; |
| 98 » rv = SECSuccess; | 98 rv = SECSuccess; |
| 99 } | 99 } |
| 100 CERT_UnlockCertTrust(cert); | 100 CERT_UnlockCertTrust(cert); |
| 101 return(rv); | 101 return (rv); |
| 102 } | 102 } |
| 103 | 103 |
| 104 extern const NSSError NSS_ERROR_NO_ERROR; | 104 extern const NSSError NSS_ERROR_NO_ERROR; |
| 105 extern const NSSError NSS_ERROR_INTERNAL_ERROR; | 105 extern const NSSError NSS_ERROR_INTERNAL_ERROR; |
| 106 extern const NSSError NSS_ERROR_NO_MEMORY; | 106 extern const NSSError NSS_ERROR_NO_MEMORY; |
| 107 extern const NSSError NSS_ERROR_INVALID_POINTER; | 107 extern const NSSError NSS_ERROR_INVALID_POINTER; |
| 108 extern const NSSError NSS_ERROR_INVALID_ARENA; | 108 extern const NSSError NSS_ERROR_INVALID_ARENA; |
| 109 extern const NSSError NSS_ERROR_INVALID_ARENA_MARK; | 109 extern const NSSError NSS_ERROR_INVALID_ARENA_MARK; |
| 110 extern const NSSError NSS_ERROR_DUPLICATE_POINTER; | 110 extern const NSSError NSS_ERROR_DUPLICATE_POINTER; |
| 111 extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED; | 111 extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED; |
| (...skipping 22 matching lines...) Expand all Loading... |
| 134 extern const NSSError NSS_ERROR_MAXIMUM_FOUND; | 134 extern const NSSError NSS_ERROR_MAXIMUM_FOUND; |
| 135 extern const NSSError NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND; | 135 extern const NSSError NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND; |
| 136 extern const NSSError NSS_ERROR_CERTIFICATE_IN_CACHE; | 136 extern const NSSError NSS_ERROR_CERTIFICATE_IN_CACHE; |
| 137 extern const NSSError NSS_ERROR_HASH_COLLISION; | 137 extern const NSSError NSS_ERROR_HASH_COLLISION; |
| 138 extern const NSSError NSS_ERROR_DEVICE_ERROR; | 138 extern const NSSError NSS_ERROR_DEVICE_ERROR; |
| 139 extern const NSSError NSS_ERROR_INVALID_CERTIFICATE; | 139 extern const NSSError NSS_ERROR_INVALID_CERTIFICATE; |
| 140 extern const NSSError NSS_ERROR_BUSY; | 140 extern const NSSError NSS_ERROR_BUSY; |
| 141 extern const NSSError NSS_ERROR_ALREADY_INITIALIZED; | 141 extern const NSSError NSS_ERROR_ALREADY_INITIALIZED; |
| 142 extern const NSSError NSS_ERROR_PKCS11; | 142 extern const NSSError NSS_ERROR_PKCS11; |
| 143 | 143 |
| 144 /* Look at the stan error stack and map it to NSS 3 errors */ |
| 145 #define STAN_MAP_ERROR(x, y) \ |
| 146 else if (error == (x)) { secError = y; } |
| 144 | 147 |
| 145 /* Look at the stan error stack and map it to NSS 3 errors */ | 148 /* |
| 146 #define STAN_MAP_ERROR(x,y) \ | |
| 147 else if (error == (x)) { \ | |
| 148 secError = y; \ | |
| 149 } \ | |
| 150 | |
| 151 /* | |
| 152 * map Stan errors into NSS errors | 149 * map Stan errors into NSS errors |
| 153 * This function examines the stan error stack and automatically sets | 150 * This function examines the stan error stack and automatically sets |
| 154 * PORT_SetError(); to the appropriate SEC_ERROR value. | 151 * PORT_SetError(); to the appropriate SEC_ERROR value. |
| 155 */ | 152 */ |
| 156 void | 153 void |
| 157 CERT_MapStanError() | 154 CERT_MapStanError() |
| 158 { | 155 { |
| 159 PRInt32 *errorStack; | 156 PRInt32 *errorStack; |
| 160 NSSError error, prevError; | 157 NSSError error, prevError; |
| 161 int secError; | 158 int secError; |
| 162 int i; | 159 int i; |
| 163 | 160 |
| 164 error = 0; | 161 error = 0; |
| 165 | 162 |
| 166 errorStack = NSS_GetErrorStack(); | 163 errorStack = NSS_GetErrorStack(); |
| 167 if (errorStack == 0) { | 164 if (errorStack == 0) { |
| 168 » PORT_SetError(0); | 165 PORT_SetError(0); |
| 169 » return; | 166 return; |
| 170 } | 167 } |
| 171 error = prevError = CKR_GENERAL_ERROR; | 168 error = prevError = CKR_GENERAL_ERROR; |
| 172 /* get the 'top 2' error codes from the stack */ | 169 /* get the 'top 2' error codes from the stack */ |
| 173 for (i=0; errorStack[i]; i++) { | 170 for (i = 0; errorStack[i]; i++) { |
| 174 » prevError = error; | 171 prevError = error; |
| 175 » error = errorStack[i]; | 172 error = errorStack[i]; |
| 176 } | 173 } |
| 177 if (error == NSS_ERROR_PKCS11) { | 174 if (error == NSS_ERROR_PKCS11) { |
| 178 » /* map it */ | 175 /* map it */ |
| 179 » secError = PK11_MapError(prevError); | 176 secError = PK11_MapError(prevError); |
| 180 } | 177 } |
| 181 » STAN_MAP_ERROR(NSS_ERROR_NO_ERROR, 0) | 178 STAN_MAP_ERROR(NSS_ERROR_NO_ERROR, 0) |
| 182 » STAN_MAP_ERROR(NSS_ERROR_NO_MEMORY, SEC_ERROR_NO_MEMORY) | 179 STAN_MAP_ERROR(NSS_ERROR_NO_MEMORY, SEC_ERROR_NO_MEMORY) |
| 183 » STAN_MAP_ERROR(NSS_ERROR_INVALID_BASE64, SEC_ERROR_BAD_DATA) | 180 STAN_MAP_ERROR(NSS_ERROR_INVALID_BASE64, SEC_ERROR_BAD_DATA) |
| 184 » STAN_MAP_ERROR(NSS_ERROR_INVALID_BER, SEC_ERROR_BAD_DER) | 181 STAN_MAP_ERROR(NSS_ERROR_INVALID_BER, SEC_ERROR_BAD_DER) |
| 185 » STAN_MAP_ERROR(NSS_ERROR_INVALID_ATAV, SEC_ERROR_INVALID_AVA) | 182 STAN_MAP_ERROR(NSS_ERROR_INVALID_ATAV, SEC_ERROR_INVALID_AVA) |
| 186 » STAN_MAP_ERROR(NSS_ERROR_INVALID_PASSWORD,SEC_ERROR_BAD_PASSWORD) | 183 STAN_MAP_ERROR(NSS_ERROR_INVALID_PASSWORD, SEC_ERROR_BAD_PASSWORD) |
| 187 » STAN_MAP_ERROR(NSS_ERROR_BUSY, SEC_ERROR_BUSY) | 184 STAN_MAP_ERROR(NSS_ERROR_BUSY, SEC_ERROR_BUSY) |
| 188 » STAN_MAP_ERROR(NSS_ERROR_DEVICE_ERROR, SEC_ERROR_IO) | 185 STAN_MAP_ERROR(NSS_ERROR_DEVICE_ERROR, SEC_ERROR_IO) |
| 189 » STAN_MAP_ERROR(NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND, | 186 STAN_MAP_ERROR(NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND, |
| 190 » » » SEC_ERROR_UNKNOWN_ISSUER) | 187 SEC_ERROR_UNKNOWN_ISSUER) |
| 191 » STAN_MAP_ERROR(NSS_ERROR_INVALID_CERTIFICATE, SEC_ERROR_CERT_NOT_VALID) | 188 STAN_MAP_ERROR(NSS_ERROR_INVALID_CERTIFICATE, SEC_ERROR_CERT_NOT_VALID) |
| 192 » STAN_MAP_ERROR(NSS_ERROR_INVALID_UTF8, SEC_ERROR_BAD_DATA) | 189 STAN_MAP_ERROR(NSS_ERROR_INVALID_UTF8, SEC_ERROR_BAD_DATA) |
| 193 » STAN_MAP_ERROR(NSS_ERROR_INVALID_NSSOID, SEC_ERROR_BAD_DATA) | 190 STAN_MAP_ERROR(NSS_ERROR_INVALID_NSSOID, SEC_ERROR_BAD_DATA) |
| 194 | 191 |
| 195 » /* these are library failure for lack of a better error code */ | 192 /* these are library failure for lack of a better error code */ |
| 196 » STAN_MAP_ERROR(NSS_ERROR_NOT_FOUND, SEC_ERROR_LIBRARY_FAILURE) | 193 STAN_MAP_ERROR(NSS_ERROR_NOT_FOUND, SEC_ERROR_LIBRARY_FAILURE) |
| 197 » STAN_MAP_ERROR(NSS_ERROR_CERTIFICATE_IN_CACHE, | 194 STAN_MAP_ERROR(NSS_ERROR_CERTIFICATE_IN_CACHE, SEC_ERROR_LIBRARY_FAILURE) |
| 198 » » » » » » SEC_ERROR_LIBRARY_FAILURE) | 195 STAN_MAP_ERROR(NSS_ERROR_MAXIMUM_FOUND, SEC_ERROR_LIBRARY_FAILURE) |
| 199 » STAN_MAP_ERROR(NSS_ERROR_MAXIMUM_FOUND, SEC_ERROR_LIBRARY_FAILURE) | 196 STAN_MAP_ERROR(NSS_ERROR_USER_CANCELED, SEC_ERROR_LIBRARY_FAILURE) |
| 200 » STAN_MAP_ERROR(NSS_ERROR_USER_CANCELED, SEC_ERROR_LIBRARY_FAILURE) | 197 STAN_MAP_ERROR(NSS_ERROR_TRACKER_NOT_INITIALIZED, SEC_ERROR_LIBRARY_FAILURE) |
| 201 » STAN_MAP_ERROR(NSS_ERROR_TRACKER_NOT_INITIALIZED, | 198 STAN_MAP_ERROR(NSS_ERROR_ALREADY_INITIALIZED, SEC_ERROR_LIBRARY_FAILURE) |
| 202 » » » » » » SEC_ERROR_LIBRARY_FAILURE) | 199 STAN_MAP_ERROR(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD, |
| 203 » STAN_MAP_ERROR(NSS_ERROR_ALREADY_INITIALIZED, SEC_ERROR_LIBRARY_FAILURE) | 200 SEC_ERROR_LIBRARY_FAILURE) |
| 204 » STAN_MAP_ERROR(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD, | 201 STAN_MAP_ERROR(NSS_ERROR_HASH_COLLISION, SEC_ERROR_LIBRARY_FAILURE) |
| 205 » » » » » » SEC_ERROR_LIBRARY_FAILURE) | |
| 206 » STAN_MAP_ERROR(NSS_ERROR_HASH_COLLISION, SEC_ERROR_LIBRARY_FAILURE) | |
| 207 | 202 |
| 208 » STAN_MAP_ERROR(NSS_ERROR_INTERNAL_ERROR, SEC_ERROR_LIBRARY_FAILURE) | 203 STAN_MAP_ERROR(NSS_ERROR_INTERNAL_ERROR, SEC_ERROR_LIBRARY_FAILURE) |
| 209 | 204 |
| 210 » /* these are all invalid arguments */ | 205 /* these are all invalid arguments */ |
| 211 » STAN_MAP_ERROR(NSS_ERROR_INVALID_ARGUMENT, SEC_ERROR_INVALID_ARGS) | 206 STAN_MAP_ERROR(NSS_ERROR_INVALID_ARGUMENT, SEC_ERROR_INVALID_ARGS) |
| 212 » STAN_MAP_ERROR(NSS_ERROR_INVALID_POINTER, SEC_ERROR_INVALID_ARGS) | 207 STAN_MAP_ERROR(NSS_ERROR_INVALID_POINTER, SEC_ERROR_INVALID_ARGS) |
| 213 » STAN_MAP_ERROR(NSS_ERROR_INVALID_ARENA, SEC_ERROR_INVALID_ARGS) | 208 STAN_MAP_ERROR(NSS_ERROR_INVALID_ARENA, SEC_ERROR_INVALID_ARGS) |
| 214 » STAN_MAP_ERROR(NSS_ERROR_INVALID_ARENA_MARK, SEC_ERROR_INVALID_ARGS) | 209 STAN_MAP_ERROR(NSS_ERROR_INVALID_ARENA_MARK, SEC_ERROR_INVALID_ARGS) |
| 215 » STAN_MAP_ERROR(NSS_ERROR_DUPLICATE_POINTER, SEC_ERROR_INVALID_ARGS) | 210 STAN_MAP_ERROR(NSS_ERROR_DUPLICATE_POINTER, SEC_ERROR_INVALID_ARGS) |
| 216 » STAN_MAP_ERROR(NSS_ERROR_POINTER_NOT_REGISTERED, SEC_ERROR_INVALID_ARGS) | 211 STAN_MAP_ERROR(NSS_ERROR_POINTER_NOT_REGISTERED, SEC_ERROR_INVALID_ARGS) |
| 217 » STAN_MAP_ERROR(NSS_ERROR_TRACKER_NOT_EMPTY, SEC_ERROR_INVALID_ARGS) | 212 STAN_MAP_ERROR(NSS_ERROR_TRACKER_NOT_EMPTY, SEC_ERROR_INVALID_ARGS) |
| 218 » STAN_MAP_ERROR(NSS_ERROR_VALUE_TOO_LARGE, SEC_ERROR_INVALID_ARGS) | 213 STAN_MAP_ERROR(NSS_ERROR_VALUE_TOO_LARGE, SEC_ERROR_INVALID_ARGS) |
| 219 » STAN_MAP_ERROR(NSS_ERROR_UNSUPPORTED_TYPE, SEC_ERROR_INVALID_ARGS) | 214 STAN_MAP_ERROR(NSS_ERROR_UNSUPPORTED_TYPE, SEC_ERROR_INVALID_ARGS) |
| 220 » STAN_MAP_ERROR(NSS_ERROR_BUFFER_TOO_SHORT, SEC_ERROR_INVALID_ARGS) | 215 STAN_MAP_ERROR(NSS_ERROR_BUFFER_TOO_SHORT, SEC_ERROR_INVALID_ARGS) |
| 221 » STAN_MAP_ERROR(NSS_ERROR_INVALID_ATOB_CONTEXT, SEC_ERROR_INVALID_ARGS) | 216 STAN_MAP_ERROR(NSS_ERROR_INVALID_ATOB_CONTEXT, SEC_ERROR_INVALID_ARGS) |
| 222 » STAN_MAP_ERROR(NSS_ERROR_INVALID_BTOA_CONTEXT, SEC_ERROR_INVALID_ARGS) | 217 STAN_MAP_ERROR(NSS_ERROR_INVALID_BTOA_CONTEXT, SEC_ERROR_INVALID_ARGS) |
| 223 » STAN_MAP_ERROR(NSS_ERROR_INVALID_ITEM, SEC_ERROR_INVALID_ARGS) | 218 STAN_MAP_ERROR(NSS_ERROR_INVALID_ITEM, SEC_ERROR_INVALID_ARGS) |
| 224 » STAN_MAP_ERROR(NSS_ERROR_INVALID_STRING, SEC_ERROR_INVALID_ARGS) | 219 STAN_MAP_ERROR(NSS_ERROR_INVALID_STRING, SEC_ERROR_INVALID_ARGS) |
| 225 » STAN_MAP_ERROR(NSS_ERROR_INVALID_ASN1ENCODER, SEC_ERROR_INVALID_ARGS) | 220 STAN_MAP_ERROR(NSS_ERROR_INVALID_ASN1ENCODER, SEC_ERROR_INVALID_ARGS) |
| 226 » STAN_MAP_ERROR(NSS_ERROR_INVALID_ASN1DECODER, SEC_ERROR_INVALID_ARGS) | 221 STAN_MAP_ERROR(NSS_ERROR_INVALID_ASN1DECODER, SEC_ERROR_INVALID_ARGS) |
| 227 » STAN_MAP_ERROR(NSS_ERROR_UNKNOWN_ATTRIBUTE, SEC_ERROR_INVALID_ARGS) | 222 STAN_MAP_ERROR(NSS_ERROR_UNKNOWN_ATTRIBUTE, SEC_ERROR_INVALID_ARGS) |
| 228 else { | 223 else { secError = SEC_ERROR_LIBRARY_FAILURE; } |
| 229 » secError = SEC_ERROR_LIBRARY_FAILURE; | |
| 230 } | |
| 231 PORT_SetError(secError); | 224 PORT_SetError(secError); |
| 232 } | 225 } |
| 233 | 226 |
| 234 | |
| 235 | |
| 236 SECStatus | 227 SECStatus |
| 237 CERT_ChangeCertTrust(CERTCertDBHandle *handle, CERTCertificate *cert, | 228 CERT_ChangeCertTrust(CERTCertDBHandle *handle, CERTCertificate *cert, |
| 238 » » CERTCertTrust *trust) | 229 CERTCertTrust *trust) |
| 239 { | 230 { |
| 240 SECStatus rv = SECSuccess; | 231 SECStatus rv = SECSuccess; |
| 241 PRStatus ret; | 232 PRStatus ret; |
| 242 | 233 |
| 243 ret = STAN_ChangeCertTrust(cert, trust); | 234 ret = STAN_ChangeCertTrust(cert, trust); |
| 244 if (ret != PR_SUCCESS) { | 235 if (ret != PR_SUCCESS) { |
| 245 » rv = SECFailure; | 236 rv = SECFailure; |
| 246 » CERT_MapStanError(); | 237 CERT_MapStanError(); |
| 247 } | 238 } |
| 248 return rv; | 239 return rv; |
| 249 } | 240 } |
| 250 | 241 |
| 251 extern const NSSError NSS_ERROR_INVALID_CERTIFICATE; | 242 extern const NSSError NSS_ERROR_INVALID_CERTIFICATE; |
| 252 | 243 |
| 253 SECStatus | 244 SECStatus |
| 254 __CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname, | 245 __CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname, |
| 255 » » CERTCertTrust *trust) | 246 CERTCertTrust *trust) |
| 256 { | 247 { |
| 257 NSSUTF8 *stanNick; | 248 NSSUTF8 *stanNick; |
| 258 PK11SlotInfo *slot; | 249 PK11SlotInfo *slot; |
| 259 NSSToken *internal; | 250 NSSToken *internal; |
| 260 NSSCryptoContext *context; | 251 NSSCryptoContext *context; |
| 261 nssCryptokiObject *permInstance; | 252 nssCryptokiObject *permInstance; |
| 262 NSSCertificate *c = STAN_GetNSSCertificate(cert); | 253 NSSCertificate *c = STAN_GetNSSCertificate(cert); |
| 263 nssCertificateStoreTrace lockTrace = {NULL, NULL, PR_FALSE, PR_FALSE}; | 254 nssCertificateStoreTrace lockTrace = { NULL, NULL, PR_FALSE, PR_FALSE }; |
| 264 nssCertificateStoreTrace unlockTrace = {NULL, NULL, PR_FALSE, PR_FALSE}; | 255 nssCertificateStoreTrace unlockTrace = { NULL, NULL, PR_FALSE, PR_FALSE }; |
| 265 SECStatus rv; | 256 SECStatus rv; |
| 266 PRStatus ret; | 257 PRStatus ret; |
| 267 | 258 |
| 268 if (c == NULL) { | 259 if (c == NULL) { |
| 269 » CERT_MapStanError(); | 260 CERT_MapStanError(); |
| 270 return SECFailure; | 261 return SECFailure; |
| 271 } | 262 } |
| 272 | 263 |
| 273 context = c->object.cryptoContext; | 264 context = c->object.cryptoContext; |
| 274 if (!context) { | 265 if (!context) { |
| 275 » PORT_SetError(SEC_ERROR_ADDING_CERT); | 266 PORT_SetError(SEC_ERROR_ADDING_CERT); |
| 276 » return SECFailure; /* wasn't a temp cert */ | 267 return SECFailure; /* wasn't a temp cert */ |
| 277 } | 268 } |
| 278 stanNick = nssCertificate_GetNickname(c, NULL); | 269 stanNick = nssCertificate_GetNickname(c, NULL); |
| 279 if (stanNick && nickname && strcmp(nickname, stanNick) != 0) { | 270 if (stanNick && nickname && strcmp(nickname, stanNick) != 0) { |
| 280 » /* different: take the new nickname */ | 271 /* different: take the new nickname */ |
| 281 » cert->nickname = NULL; | 272 cert->nickname = NULL; |
| 282 nss_ZFreeIf(stanNick); | 273 nss_ZFreeIf(stanNick); |
| 283 » stanNick = NULL; | 274 stanNick = NULL; |
| 284 } | 275 } |
| 285 if (!stanNick && nickname) { | 276 if (!stanNick && nickname) { |
| 286 /* Either there was no nickname yet, or we have a new nickname */ | 277 /* Either there was no nickname yet, or we have a new nickname */ |
| 287 » stanNick = nssUTF8_Duplicate((NSSUTF8 *)nickname, NULL); | 278 stanNick = nssUTF8_Duplicate((NSSUTF8 *)nickname, NULL); |
| 288 } /* else: old stanNick is identical to new nickname */ | 279 } /* else: old stanNick is identical to new nickname */ |
| 289 /* Delete the temp instance */ | 280 /* Delete the temp instance */ |
| 290 nssCertificateStore_Lock(context->certStore, &lockTrace); | 281 nssCertificateStore_Lock(context->certStore, &lockTrace); |
| 291 nssCertificateStore_RemoveCertLOCKED(context->certStore, c); | 282 nssCertificateStore_RemoveCertLOCKED(context->certStore, c); |
| 292 nssCertificateStore_Unlock(context->certStore, &lockTrace, &unlockTrace); | 283 nssCertificateStore_Unlock(context->certStore, &lockTrace, &unlockTrace); |
| 293 c->object.cryptoContext = NULL; | 284 c->object.cryptoContext = NULL; |
| 294 /* Import the perm instance onto the internal token */ | 285 /* Import the perm instance onto the internal token */ |
| 295 slot = PK11_GetInternalKeySlot(); | 286 slot = PK11_GetInternalKeySlot(); |
| 296 internal = PK11Slot_GetNSSToken(slot); | 287 internal = PK11Slot_GetNSSToken(slot); |
| 297 permInstance = nssToken_ImportCertificate(internal, NULL, | 288 permInstance = nssToken_ImportCertificate( |
| 298 NSSCertificateType_PKIX, | 289 internal, NULL, NSSCertificateType_PKIX, &c->id, stanNick, &c->encoding, |
| 299 &c->id, | 290 &c->issuer, &c->subject, &c->serial, cert->emailAddr, PR_TRUE); |
| 300 stanNick, | |
| 301 &c->encoding, | |
| 302 &c->issuer, | |
| 303 &c->subject, | |
| 304 &c->serial, | |
| 305 » » » » » cert->emailAddr, | |
| 306 PR_TRUE); | |
| 307 nss_ZFreeIf(stanNick); | 291 nss_ZFreeIf(stanNick); |
| 308 stanNick = NULL; | 292 stanNick = NULL; |
| 309 PK11_FreeSlot(slot); | 293 PK11_FreeSlot(slot); |
| 310 if (!permInstance) { | 294 if (!permInstance) { |
| 311 » if (NSS_GetError() == NSS_ERROR_INVALID_CERTIFICATE) { | 295 if (NSS_GetError() == NSS_ERROR_INVALID_CERTIFICATE) { |
| 312 » PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL); | 296 PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL); |
| 313 » } | 297 } |
| 314 » return SECFailure; | 298 return SECFailure; |
| 315 } | 299 } |
| 316 nssPKIObject_AddInstance(&c->object, permInstance); | 300 nssPKIObject_AddInstance(&c->object, permInstance); |
| 317 nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1); | 301 nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1); |
| 318 /* reset the CERTCertificate fields */ | 302 /* reset the CERTCertificate fields */ |
| 319 cert->nssCertificate = NULL; | 303 cert->nssCertificate = NULL; |
| 320 cert = STAN_GetCERTCertificateOrRelease(c); /* should return same pointer */ | 304 cert = STAN_GetCERTCertificateOrRelease(c); /* should return same pointer */ |
| 321 if (!cert) { | 305 if (!cert) { |
| 322 » CERT_MapStanError(); | 306 CERT_MapStanError(); |
| 323 return SECFailure; | 307 return SECFailure; |
| 324 } | 308 } |
| 325 cert->istemp = PR_FALSE; | 309 cert->istemp = PR_FALSE; |
| 326 cert->isperm = PR_TRUE; | 310 cert->isperm = PR_TRUE; |
| 327 if (!trust) { | 311 if (!trust) { |
| 328 » return SECSuccess; | 312 return SECSuccess; |
| 329 } | 313 } |
| 330 ret = STAN_ChangeCertTrust(cert, trust); | 314 ret = STAN_ChangeCertTrust(cert, trust); |
| 331 rv = SECSuccess; | 315 rv = SECSuccess; |
| 332 if (ret != PR_SUCCESS) { | 316 if (ret != PR_SUCCESS) { |
| 333 » rv = SECFailure; | 317 rv = SECFailure; |
| 334 » CERT_MapStanError(); | 318 CERT_MapStanError(); |
| 335 } | 319 } |
| 336 return rv; | 320 return rv; |
| 337 } | 321 } |
| 338 | 322 |
| 339 SECStatus | 323 SECStatus |
| 340 CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname, | 324 CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname, |
| 341 » » CERTCertTrust *trust) | 325 CERTCertTrust *trust) |
| 342 { | 326 { |
| 343 return __CERT_AddTempCertToPerm(cert, nickname, trust); | 327 return __CERT_AddTempCertToPerm(cert, nickname, trust); |
| 344 } | 328 } |
| 345 | 329 |
| 346 CERTCertificate * | 330 CERTCertificate * |
| 347 CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert, | 331 CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert, |
| 348 » » » char *nickname, PRBool isperm, PRBool copyDER) | 332 char *nickname, PRBool isperm, PRBool copyDER) |
| 349 { | 333 { |
| 350 NSSCertificate *c; | 334 NSSCertificate *c; |
| 351 CERTCertificate *cc; | 335 CERTCertificate *cc; |
| 352 NSSCertificate *tempCert = NULL; | 336 NSSCertificate *tempCert = NULL; |
| 353 nssPKIObject *pkio; | 337 nssPKIObject *pkio; |
| 354 NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext(); | 338 NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext(); |
| 355 NSSTrustDomain *gTD = STAN_GetDefaultTrustDomain(); | 339 NSSTrustDomain *gTD = STAN_GetDefaultTrustDomain(); |
| 356 if (!isperm) { | 340 if (!isperm) { |
| 357 » NSSDER encoding; | 341 NSSDER encoding; |
| 358 » NSSITEM_FROM_SECITEM(&encoding, derCert); | 342 NSSITEM_FROM_SECITEM(&encoding, derCert); |
| 359 » /* First, see if it is already a temp cert */ | 343 /* First, see if it is already a temp cert */ |
| 360 » c = NSSCryptoContext_FindCertificateByEncodedCertificate(gCC, | 344 c = NSSCryptoContext_FindCertificateByEncodedCertificate(gCC, |
| 361 » &encoding); | 345 &encoding); |
| 362 » if (!c) { | 346 if (!c) { |
| 363 » /* Then, see if it is already a perm cert */ | 347 /* Then, see if it is already a perm cert */ |
| 364 » c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, | 348 c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, |
| 365 » &encoding); | 349 &encoding); |
| 366 » } | 350 } |
| 367 » if (c) { | 351 if (c) { |
| 368 » /* actually, that search ends up going by issuer/serial, | 352 /* actually, that search ends up going by issuer/serial, |
| 369 » * so it is still possible to return a cert with the same | 353 * so it is still possible to return a cert with the same |
| 370 » * issuer/serial but a different encoding, and we're | 354 * issuer/serial but a different encoding, and we're |
| 371 » * going to reject that | 355 * going to reject that |
| 372 » */ | 356 */ |
| 373 » if (!nssItem_Equal(&c->encoding, &encoding, NULL)) { | 357 if (!nssItem_Equal(&c->encoding, &encoding, NULL)) { |
| 374 » » nssCertificate_Destroy(c); | 358 nssCertificate_Destroy(c); |
| 375 » » PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL); | 359 PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL); |
| 376 » » cc = NULL; | 360 cc = NULL; |
| 377 » } else { | 361 } else { |
| 378 » » cc = STAN_GetCERTCertificateOrRelease(c); | 362 cc = STAN_GetCERTCertificateOrRelease(c); |
| 379 » » if (cc == NULL) { | 363 if (cc == NULL) { |
| 380 » » CERT_MapStanError(); | 364 CERT_MapStanError(); |
| 381 » » } | 365 } |
| 382 » } | 366 } |
| 383 » return cc; | 367 return cc; |
| 384 » } | 368 } |
| 385 } | 369 } |
| 386 pkio = nssPKIObject_Create(NULL, NULL, gTD, gCC, nssPKIMonitor); | 370 pkio = nssPKIObject_Create(NULL, NULL, gTD, gCC, nssPKIMonitor); |
| 387 if (!pkio) { | 371 if (!pkio) { |
| 388 » CERT_MapStanError(); | 372 CERT_MapStanError(); |
| 389 » return NULL; | 373 return NULL; |
| 390 } | 374 } |
| 391 c = nss_ZNEW(pkio->arena, NSSCertificate); | 375 c = nss_ZNEW(pkio->arena, NSSCertificate); |
| 392 if (!c) { | 376 if (!c) { |
| 393 » CERT_MapStanError(); | 377 CERT_MapStanError(); |
| 394 » nssPKIObject_Destroy(pkio); | 378 nssPKIObject_Destroy(pkio); |
| 395 » return NULL; | 379 return NULL; |
| 396 } | 380 } |
| 397 c->object = *pkio; | 381 c->object = *pkio; |
| 398 if (copyDER) { | 382 if (copyDER) { |
| 399 » nssItem_Create(c->object.arena, &c->encoding, | 383 nssItem_Create(c->object.arena, &c->encoding, derCert->len, |
| 400 » derCert->len, derCert->data); | 384 derCert->data); |
| 401 } else { | 385 } else { |
| 402 » NSSITEM_FROM_SECITEM(&c->encoding, derCert); | 386 NSSITEM_FROM_SECITEM(&c->encoding, derCert); |
| 403 } | 387 } |
| 404 /* Forces a decoding of the cert in order to obtain the parts used | 388 /* Forces a decoding of the cert in order to obtain the parts used |
| 405 * below | 389 * below |
| 406 */ | 390 */ |
| 407 /* 'c' is not adopted here, if we fail loser frees what has been | 391 /* 'c' is not adopted here, if we fail loser frees what has been |
| 408 * allocated so far for 'c' */ | 392 * allocated so far for 'c' */ |
| 409 cc = STAN_GetCERTCertificate(c); | 393 cc = STAN_GetCERTCertificate(c); |
| 410 if (!cc) { | 394 if (!cc) { |
| 411 » CERT_MapStanError(); | 395 CERT_MapStanError(); |
| 412 goto loser; | 396 goto loser; |
| 413 } | 397 } |
| 414 nssItem_Create(c->object.arena, | 398 nssItem_Create(c->object.arena, &c->issuer, cc->derIssuer.len, |
| 415 &c->issuer, cc->derIssuer.len, cc->derIssuer.data); | 399 cc->derIssuer.data); |
| 416 nssItem_Create(c->object.arena, | 400 nssItem_Create(c->object.arena, &c->subject, cc->derSubject.len, |
| 417 &c->subject, cc->derSubject.len, cc->derSubject.data); | 401 cc->derSubject.data); |
| 418 if (PR_TRUE) { | 402 if (PR_TRUE) { |
| 419 » /* CERTCertificate stores serial numbers decoded. I need the DER | 403 /* CERTCertificate stores serial numbers decoded. I need the DER |
| 420 » * here. sigh. | 404 * here. sigh. |
| 421 » */ | 405 */ |
| 422 » SECItem derSerial = { 0 }; | 406 SECItem derSerial = { 0 }; |
| 423 » CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial); | 407 CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial); |
| 424 » if (!derSerial.data) goto loser; | 408 if (!derSerial.data) |
| 425 » nssItem_Create(c->object.arena, &c->serial, derSerial.len, derSerial.dat
a); | 409 goto loser; |
| 426 » PORT_Free(derSerial.data); | 410 nssItem_Create(c->object.arena, &c->serial, derSerial.len, |
| 411 derSerial.data); |
| 412 PORT_Free(derSerial.data); |
| 427 } | 413 } |
| 428 if (nickname) { | 414 if (nickname) { |
| 429 » c->object.tempName = nssUTF8_Create(c->object.arena, | 415 c->object.tempName = |
| 430 nssStringType_UTF8String, | 416 nssUTF8_Create(c->object.arena, nssStringType_UTF8String, |
| 431 (NSSUTF8 *)nickname, | 417 (NSSUTF8 *)nickname, PORT_Strlen(nickname)); |
| 432 PORT_Strlen(nickname)); | |
| 433 } | 418 } |
| 434 if (cc->emailAddr && cc->emailAddr[0]) { | 419 if (cc->emailAddr && cc->emailAddr[0]) { |
| 435 » c->email = nssUTF8_Create(c->object.arena, | 420 c->email = nssUTF8_Create( |
| 436 » nssStringType_PrintableString, | 421 c->object.arena, nssStringType_PrintableString, |
| 437 » (NSSUTF8 *)cc->emailAddr, | 422 (NSSUTF8 *)cc->emailAddr, PORT_Strlen(cc->emailAddr)); |
| 438 » PORT_Strlen(cc->emailAddr)); | |
| 439 } | 423 } |
| 440 | 424 |
| 441 tempCert = NSSCryptoContext_FindOrImportCertificate(gCC, c); | 425 tempCert = NSSCryptoContext_FindOrImportCertificate(gCC, c); |
| 442 if (!tempCert) { | 426 if (!tempCert) { |
| 443 » CERT_MapStanError(); | 427 CERT_MapStanError(); |
| 444 » goto loser; | 428 goto loser; |
| 445 } | 429 } |
| 446 /* destroy our copy */ | 430 /* destroy our copy */ |
| 447 NSSCertificate_Destroy(c); | 431 NSSCertificate_Destroy(c); |
| 448 /* and use the stored entry */ | 432 /* and use the stored entry */ |
| 449 c = tempCert; | 433 c = tempCert; |
| 450 cc = STAN_GetCERTCertificateOrRelease(c); | 434 cc = STAN_GetCERTCertificateOrRelease(c); |
| 451 if (!cc) { | 435 if (!cc) { |
| 452 » /* STAN_GetCERTCertificateOrRelease destroys c on failure. */ | 436 /* STAN_GetCERTCertificateOrRelease destroys c on failure. */ |
| 453 » CERT_MapStanError(); | 437 CERT_MapStanError(); |
| 454 » return NULL; | 438 return NULL; |
| 455 } | 439 } |
| 456 | 440 |
| 457 cc->istemp = PR_TRUE; | 441 cc->istemp = PR_TRUE; |
| 458 cc->isperm = PR_FALSE; | 442 cc->isperm = PR_FALSE; |
| 459 return cc; | 443 return cc; |
| 460 loser: | 444 loser: |
| 461 /* Perhaps this should be nssCertificate_Destroy(c) */ | 445 /* Perhaps this should be nssCertificate_Destroy(c) */ |
| 462 nssPKIObject_Destroy(&c->object); | 446 nssPKIObject_Destroy(&c->object); |
| 463 return NULL; | 447 return NULL; |
| 464 } | 448 } |
| 465 | 449 |
| 466 /* This symbol is exported for backward compatibility. */ | 450 /* This symbol is exported for backward compatibility. */ |
| 467 CERTCertificate * | 451 CERTCertificate * |
| 468 __CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert, | 452 __CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert, |
| 469 » » » char *nickname, PRBool isperm, PRBool copyDER) | 453 char *nickname, PRBool isperm, PRBool copyDER) |
| 470 { | 454 { |
| 471 return CERT_NewTempCertificate(handle, derCert, nickname, | 455 return CERT_NewTempCertificate(handle, derCert, nickname, isperm, copyDER); |
| 472 isperm, copyDER); | |
| 473 } | 456 } |
| 474 | 457 |
| 475 /* maybe all the wincx's should be some const for internal token login? */ | 458 /* maybe all the wincx's should be some const for internal token login? */ |
| 476 CERTCertificate * | 459 CERTCertificate * |
| 477 CERT_FindCertByIssuerAndSN(CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndS
N) | 460 CERT_FindCertByIssuerAndSN(CERTCertDBHandle *handle, |
| 461 CERTIssuerAndSN *issuerAndSN) |
| 478 { | 462 { |
| 479 PK11SlotInfo *slot; | 463 PK11SlotInfo *slot; |
| 480 CERTCertificate *cert; | 464 CERTCertificate *cert; |
| 481 | 465 |
| 482 cert = PK11_FindCertByIssuerAndSN(&slot,issuerAndSN,NULL); | 466 cert = PK11_FindCertByIssuerAndSN(&slot, issuerAndSN, NULL); |
| 483 if (cert && slot) { | 467 if (cert && slot) { |
| 484 PK11_FreeSlot(slot); | 468 PK11_FreeSlot(slot); |
| 485 } | 469 } |
| 486 | 470 |
| 487 return cert; | 471 return cert; |
| 488 } | 472 } |
| 489 | 473 |
| 490 static NSSCertificate * | 474 static NSSCertificate * |
| 491 get_best_temp_or_perm(NSSCertificate *ct, NSSCertificate *cp) | 475 get_best_temp_or_perm(NSSCertificate *ct, NSSCertificate *cp) |
| 492 { | 476 { |
| 493 NSSUsage usage; | 477 NSSUsage usage; |
| 494 NSSCertificate *arr[3]; | 478 NSSCertificate *arr[3]; |
| 495 if (!ct) { | 479 if (!ct) { |
| 496 » return nssCertificate_AddRef(cp); | 480 return nssCertificate_AddRef(cp); |
| 497 } else if (!cp) { | 481 } else if (!cp) { |
| 498 » return nssCertificate_AddRef(ct); | 482 return nssCertificate_AddRef(ct); |
| 499 } | 483 } |
| 500 arr[0] = ct; | 484 arr[0] = ct; |
| 501 arr[1] = cp; | 485 arr[1] = cp; |
| 502 arr[2] = NULL; | 486 arr[2] = NULL; |
| 503 usage.anyUsage = PR_TRUE; | 487 usage.anyUsage = PR_TRUE; |
| 504 return nssCertificateArray_FindBestCertificate(arr, NULL, &usage, NULL); | 488 return nssCertificateArray_FindBestCertificate(arr, NULL, &usage, NULL); |
| 505 } | 489 } |
| 506 | 490 |
| 507 CERTCertificate * | 491 CERTCertificate * |
| 508 CERT_FindCertByName(CERTCertDBHandle *handle, SECItem *name) | 492 CERT_FindCertByName(CERTCertDBHandle *handle, SECItem *name) |
| 509 { | 493 { |
| 510 NSSCertificate *cp, *ct, *c; | 494 NSSCertificate *cp, *ct, *c; |
| 511 NSSDER subject; | 495 NSSDER subject; |
| 512 NSSUsage usage; | 496 NSSUsage usage; |
| 513 NSSCryptoContext *cc; | 497 NSSCryptoContext *cc; |
| 514 NSSITEM_FROM_SECITEM(&subject, name); | 498 NSSITEM_FROM_SECITEM(&subject, name); |
| 515 usage.anyUsage = PR_TRUE; | 499 usage.anyUsage = PR_TRUE; |
| 516 cc = STAN_GetDefaultCryptoContext(); | 500 cc = STAN_GetDefaultCryptoContext(); |
| 517 ct = NSSCryptoContext_FindBestCertificateBySubject(cc, &subject, | 501 ct = NSSCryptoContext_FindBestCertificateBySubject(cc, &subject, NULL, |
| 518 NULL, &usage, NULL); | 502 &usage, NULL); |
| 519 cp = NSSTrustDomain_FindBestCertificateBySubject(handle, &subject, | 503 cp = NSSTrustDomain_FindBestCertificateBySubject(handle, &subject, NULL, |
| 520 NULL, &usage, NULL); | 504 &usage, NULL); |
| 521 c = get_best_temp_or_perm(ct, cp); | 505 c = get_best_temp_or_perm(ct, cp); |
| 522 if (ct) { | 506 if (ct) { |
| 523 » CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct)); | 507 CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct)); |
| 524 } | 508 } |
| 525 if (cp) { | 509 if (cp) { |
| 526 » CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(cp)); | 510 CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(cp)); |
| 527 } | 511 } |
| 528 return c ? STAN_GetCERTCertificateOrRelease(c) : NULL; | 512 return c ? STAN_GetCERTCertificateOrRelease(c) : NULL; |
| 529 } | 513 } |
| 530 | 514 |
| 531 CERTCertificate * | 515 CERTCertificate * |
| 532 CERT_FindCertByKeyID(CERTCertDBHandle *handle, SECItem *name, SECItem *keyID) | 516 CERT_FindCertByKeyID(CERTCertDBHandle *handle, SECItem *name, SECItem *keyID) |
| 533 { | 517 { |
| 534 CERTCertList *list; | 518 CERTCertList *list; |
| 535 CERTCertificate *cert = NULL; | 519 CERTCertificate *cert = NULL; |
| 536 CERTCertListNode *node, *head; | 520 CERTCertListNode *node, *head; |
| 537 | 521 |
| 538 list = CERT_CreateSubjectCertList(NULL,handle,name,0,PR_FALSE); | 522 list = CERT_CreateSubjectCertList(NULL, handle, name, 0, PR_FALSE); |
| 539 if (list == NULL) return NULL; | 523 if (list == NULL) |
| 524 return NULL; |
| 540 | 525 |
| 541 node = head = CERT_LIST_HEAD(list); | 526 node = head = CERT_LIST_HEAD(list); |
| 542 if (head) { | 527 if (head) { |
| 543 » do { | 528 do { |
| 544 » if (node->cert && | 529 if (node->cert && |
| 545 » » SECITEM_ItemsAreEqual(&node->cert->subjectKeyID, keyID) ) { | 530 SECITEM_ItemsAreEqual(&node->cert->subjectKeyID, keyID)) { |
| 546 » » cert = CERT_DupCertificate(node->cert); | 531 cert = CERT_DupCertificate(node->cert); |
| 547 » » goto done; | 532 goto done; |
| 548 » } | 533 } |
| 549 » node = CERT_LIST_NEXT(node); | 534 node = CERT_LIST_NEXT(node); |
| 550 » } while (node && head != node); | 535 } while (node && head != node); |
| 551 } | 536 } |
| 552 PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); | 537 PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); |
| 553 done: | 538 done: |
| 554 if (list) { | 539 if (list) { |
| 555 CERT_DestroyCertList(list); | 540 CERT_DestroyCertList(list); |
| 556 } | 541 } |
| 557 return cert; | 542 return cert; |
| 558 } | 543 } |
| 559 | 544 |
| 560 CERTCertificate * | 545 CERTCertificate * |
| 561 CERT_FindCertByNickname(CERTCertDBHandle *handle, const char *nickname) | 546 CERT_FindCertByNickname(CERTCertDBHandle *handle, const char *nickname) |
| 562 { | 547 { |
| 563 NSSCryptoContext *cc; | 548 NSSCryptoContext *cc; |
| 564 NSSCertificate *c, *ct; | 549 NSSCertificate *c, *ct; |
| 565 CERTCertificate *cert; | 550 CERTCertificate *cert; |
| 566 NSSUsage usage; | 551 NSSUsage usage; |
| 567 usage.anyUsage = PR_TRUE; | 552 usage.anyUsage = PR_TRUE; |
| 568 cc = STAN_GetDefaultCryptoContext(); | 553 cc = STAN_GetDefaultCryptoContext(); |
| 569 ct = NSSCryptoContext_FindBestCertificateByNickname(cc, nickname, | 554 ct = NSSCryptoContext_FindBestCertificateByNickname(cc, nickname, NULL, |
| 570 NULL, &usage, NULL); | 555 &usage, NULL); |
| 571 cert = PK11_FindCertFromNickname(nickname, NULL); | 556 cert = PK11_FindCertFromNickname(nickname, NULL); |
| 572 c = NULL; | 557 c = NULL; |
| 573 if (cert) { | 558 if (cert) { |
| 574 » c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert)); | 559 c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert)); |
| 575 » CERT_DestroyCertificate(cert); | 560 CERT_DestroyCertificate(cert); |
| 576 » if (ct) { | 561 if (ct) { |
| 577 » CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct)); | 562 CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct)); |
| 578 » } | 563 } |
| 579 } else { | 564 } else { |
| 580 » c = ct; | 565 c = ct; |
| 581 } | 566 } |
| 582 return c ? STAN_GetCERTCertificateOrRelease(c) : NULL; | 567 return c ? STAN_GetCERTCertificateOrRelease(c) : NULL; |
| 583 } | 568 } |
| 584 | 569 |
| 585 CERTCertificate * | 570 CERTCertificate * |
| 586 CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert) | 571 CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert) |
| 587 { | 572 { |
| 588 NSSCryptoContext *cc; | 573 NSSCryptoContext *cc; |
| 589 NSSCertificate *c; | 574 NSSCertificate *c; |
| 590 NSSDER encoding; | 575 NSSDER encoding; |
| 591 NSSITEM_FROM_SECITEM(&encoding, derCert); | 576 NSSITEM_FROM_SECITEM(&encoding, derCert); |
| 592 cc = STAN_GetDefaultCryptoContext(); | 577 cc = STAN_GetDefaultCryptoContext(); |
| 593 c = NSSCryptoContext_FindCertificateByEncodedCertificate(cc, &encoding); | 578 c = NSSCryptoContext_FindCertificateByEncodedCertificate(cc, &encoding); |
| 594 if (!c) { | 579 if (!c) { |
| 595 » c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, | 580 c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, |
| 596 » &encoding); | 581 &encoding); |
| 597 » if (!c) return NULL; | 582 if (!c) |
| 583 return NULL; |
| 598 } | 584 } |
| 599 return STAN_GetCERTCertificateOrRelease(c); | 585 return STAN_GetCERTCertificateOrRelease(c); |
| 600 } | 586 } |
| 601 | 587 |
| 602 static CERTCertificate * | 588 static CERTCertificate * |
| 603 common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle, | 589 common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle, |
| 604 const char *name, | 590 const char *name, PRBool anyUsage, |
| 605 PRBool anyUsage, | |
| 606 SECCertUsage lookingForUsage) | 591 SECCertUsage lookingForUsage) |
| 607 { | 592 { |
| 608 NSSCryptoContext *cc; | 593 NSSCryptoContext *cc; |
| 609 NSSCertificate *c, *ct; | 594 NSSCertificate *c, *ct; |
| 610 CERTCertificate *cert = NULL; | 595 CERTCertificate *cert = NULL; |
| 611 NSSUsage usage; | 596 NSSUsage usage; |
| 612 CERTCertList *certlist; | 597 CERTCertList *certlist; |
| 613 | 598 |
| 614 if (NULL == name) { | 599 if (NULL == name) { |
| 615 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 600 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 616 » return NULL; | 601 return NULL; |
| 617 } | 602 } |
| 618 | 603 |
| 619 usage.anyUsage = anyUsage; | 604 usage.anyUsage = anyUsage; |
| 620 | 605 |
| 621 if (!anyUsage) { | 606 if (!anyUsage) { |
| 622 usage.nss3lookingForCA = PR_FALSE; | 607 usage.nss3lookingForCA = PR_FALSE; |
| 623 usage.nss3usage = lookingForUsage; | 608 usage.nss3usage = lookingForUsage; |
| 624 } | 609 } |
| 625 | 610 |
| 626 cc = STAN_GetDefaultCryptoContext(); | 611 cc = STAN_GetDefaultCryptoContext(); |
| 627 ct = NSSCryptoContext_FindBestCertificateByNickname(cc, name, | 612 ct = NSSCryptoContext_FindBestCertificateByNickname(cc, name, NULL, &usage, |
| 628 NULL, &usage, NULL); | 613 NULL); |
| 629 if (!ct && PORT_Strchr(name, '@') != NULL) { | 614 if (!ct && PORT_Strchr(name, '@') != NULL) { |
| 630 char* lowercaseName = CERT_FixupEmailAddr(name); | 615 char *lowercaseName = CERT_FixupEmailAddr(name); |
| 631 if (lowercaseName) { | 616 if (lowercaseName) { |
| 632 » ct = NSSCryptoContext_FindBestCertificateByEmail(cc, lowercaseName, | 617 ct = NSSCryptoContext_FindBestCertificateByEmail( |
| 633 » » » » » » » NULL, &usage, NULL); | 618 cc, lowercaseName, NULL, &usage, NULL); |
| 634 PORT_Free(lowercaseName); | 619 PORT_Free(lowercaseName); |
| 635 } | 620 } |
| 636 } | 621 } |
| 637 | 622 |
| 638 if (anyUsage) { | 623 if (anyUsage) { |
| 639 cert = PK11_FindCertFromNickname(name, NULL); | 624 cert = PK11_FindCertFromNickname(name, NULL); |
| 640 } | 625 } else { |
| 641 else { | 626 if (ct) { |
| 642 if (ct) { | 627 /* Does ct really have the required usage? */ |
| 643 /* Does ct really have the required usage? */ | 628 nssDecodedCert *dc; |
| 644 nssDecodedCert *dc; | 629 dc = nssCertificate_GetDecoding(ct); |
| 645 dc = nssCertificate_GetDecoding(ct); | 630 if (!dc->matchUsage(dc, &usage)) { |
| 646 if (!dc->matchUsage(dc, &usage)) { | 631 CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct)); |
| 647 CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct)); | 632 ct = NULL; |
| 648 ct = NULL; | 633 } |
| 649 } | 634 } |
| 650 } | |
| 651 | 635 |
| 652 certlist = PK11_FindCertsFromNickname(name, NULL); | 636 certlist = PK11_FindCertsFromNickname(name, NULL); |
| 653 if (certlist) { | 637 if (certlist) { |
| 654 SECStatus rv = CERT_FilterCertListByUsage(certlist, | 638 SECStatus rv = |
| 655 lookingForUsage, | 639 CERT_FilterCertListByUsage(certlist, lookingForUsage, PR_FALSE); |
| 656 PR_FALSE); | 640 if (SECSuccess == rv && |
| 657 if (SECSuccess == rv && | 641 !CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist)) { |
| 658 !CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist)) { | 642 cert = CERT_DupCertificate(CERT_LIST_HEAD(certlist)->cert); |
| 659 cert = CERT_DupCertificate(CERT_LIST_HEAD(certlist)->cert); | 643 } |
| 644 CERT_DestroyCertList(certlist); |
| 660 } | 645 } |
| 661 CERT_DestroyCertList(certlist); | |
| 662 } | |
| 663 } | 646 } |
| 664 | 647 |
| 665 if (cert) { | 648 if (cert) { |
| 666 » c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert)); | 649 c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert)); |
| 667 » CERT_DestroyCertificate(cert); | 650 CERT_DestroyCertificate(cert); |
| 668 » if (ct) { | 651 if (ct) { |
| 669 » CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct)); | 652 CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct)); |
| 670 » } | 653 } |
| 671 } else { | 654 } else { |
| 672 » c = ct; | 655 c = ct; |
| 673 } | 656 } |
| 674 return c ? STAN_GetCERTCertificateOrRelease(c) : NULL; | 657 return c ? STAN_GetCERTCertificateOrRelease(c) : NULL; |
| 675 } | 658 } |
| 676 | 659 |
| 677 CERTCertificate * | 660 CERTCertificate * |
| 678 CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name) | 661 CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name) |
| 679 { | 662 { |
| 680 return common_FindCertByNicknameOrEmailAddrForUsage(handle, name, | 663 return common_FindCertByNicknameOrEmailAddrForUsage(handle, name, PR_TRUE, |
| 681 PR_TRUE, 0); | 664 0); |
| 682 } | 665 } |
| 683 | 666 |
| 684 CERTCertificate * | 667 CERTCertificate * |
| 685 CERT_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle, | 668 CERT_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle, |
| 686 const char *name, | 669 const char *name, |
| 687 SECCertUsage lookingForUsage) | 670 SECCertUsage lookingForUsage) |
| 688 { | 671 { |
| 689 return common_FindCertByNicknameOrEmailAddrForUsage(handle, name, | 672 return common_FindCertByNicknameOrEmailAddrForUsage(handle, name, PR_FALSE, |
| 690 PR_FALSE, | 673 lookingForUsage); |
| 691 lookingForUsage); | |
| 692 } | 674 } |
| 693 | 675 |
| 694 static void | 676 static void |
| 695 add_to_subject_list(CERTCertList *certList, CERTCertificate *cert, | 677 add_to_subject_list(CERTCertList *certList, CERTCertificate *cert, |
| 696 PRBool validOnly, PRTime sorttime) | 678 PRBool validOnly, PRTime sorttime) |
| 697 { | 679 { |
| 698 SECStatus secrv; | 680 SECStatus secrv; |
| 699 if (!validOnly || | 681 if (!validOnly || |
| 700 » CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE) | 682 CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE) == |
| 701 » == secCertTimeValid) { | 683 secCertTimeValid) { |
| 702 » secrv = CERT_AddCertToListSorted(certList, cert, | 684 secrv = CERT_AddCertToListSorted(certList, cert, CERT_SortCBValidity, |
| 703 » CERT_SortCBValidity, | 685 (void *)&sorttime); |
| 704 » (void *)&sorttime); | 686 if (secrv != SECSuccess) { |
| 705 » if (secrv != SECSuccess) { | 687 CERT_DestroyCertificate(cert); |
| 706 » » CERT_DestroyCertificate(cert); | 688 } |
| 707 » } | |
| 708 } else { | 689 } else { |
| 709 » CERT_DestroyCertificate(cert); | 690 CERT_DestroyCertificate(cert); |
| 710 } | 691 } |
| 711 } | 692 } |
| 712 | 693 |
| 713 CERTCertList * | 694 CERTCertList * |
| 714 CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle, | 695 CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle, |
| 715 » » » const SECItem *name, PRTime sorttime, | 696 const SECItem *name, PRTime sorttime, |
| 716 » » » PRBool validOnly) | 697 PRBool validOnly) |
| 717 { | 698 { |
| 718 NSSCryptoContext *cc; | 699 NSSCryptoContext *cc; |
| 719 NSSCertificate **tSubjectCerts, **pSubjectCerts; | 700 NSSCertificate **tSubjectCerts, **pSubjectCerts; |
| 720 NSSCertificate **ci; | 701 NSSCertificate **ci; |
| 721 CERTCertificate *cert; | 702 CERTCertificate *cert; |
| 722 NSSDER subject; | 703 NSSDER subject; |
| 723 PRBool myList = PR_FALSE; | 704 PRBool myList = PR_FALSE; |
| 724 cc = STAN_GetDefaultCryptoContext(); | 705 cc = STAN_GetDefaultCryptoContext(); |
| 725 NSSITEM_FROM_SECITEM(&subject, name); | 706 NSSITEM_FROM_SECITEM(&subject, name); |
| 726 /* Collect both temp and perm certs for the subject */ | 707 /* Collect both temp and perm certs for the subject */ |
| 727 tSubjectCerts = NSSCryptoContext_FindCertificatesBySubject(cc, | 708 tSubjectCerts = |
| 728 &subject, | 709 NSSCryptoContext_FindCertificatesBySubject(cc, &subject, NULL, 0, NULL); |
| 729 NULL, | 710 pSubjectCerts = NSSTrustDomain_FindCertificatesBySubject(handle, &subject, |
| 730 0, | 711 NULL, 0, NULL); |
| 731 NULL); | |
| 732 pSubjectCerts = NSSTrustDomain_FindCertificatesBySubject(handle, | |
| 733 &subject, | |
| 734 NULL, | |
| 735 0, | |
| 736 NULL); | |
| 737 if (!tSubjectCerts && !pSubjectCerts) { | 712 if (!tSubjectCerts && !pSubjectCerts) { |
| 738 » return NULL; | 713 return NULL; |
| 739 } | 714 } |
| 740 if (certList == NULL) { | 715 if (certList == NULL) { |
| 741 » certList = CERT_NewCertList(); | 716 certList = CERT_NewCertList(); |
| 742 » myList = PR_TRUE; | 717 myList = PR_TRUE; |
| 743 » if (!certList) goto loser; | 718 if (!certList) |
| 719 goto loser; |
| 744 } | 720 } |
| 745 /* Iterate over the matching temp certs. Add them to the list */ | 721 /* Iterate over the matching temp certs. Add them to the list */ |
| 746 ci = tSubjectCerts; | 722 ci = tSubjectCerts; |
| 747 while (ci && *ci) { | 723 while (ci && *ci) { |
| 748 » cert = STAN_GetCERTCertificateOrRelease(*ci); | 724 cert = STAN_GetCERTCertificateOrRelease(*ci); |
| 749 » /* *ci may be invalid at this point, don't reference it again */ | 725 /* *ci may be invalid at this point, don't reference it again */ |
| 750 if (cert) { | 726 if (cert) { |
| 751 » /* NOTE: add_to_subject_list adopts the incoming cert. */ | 727 /* NOTE: add_to_subject_list adopts the incoming cert. */ |
| 752 » add_to_subject_list(certList, cert, validOnly, sorttime); | 728 add_to_subject_list(certList, cert, validOnly, sorttime); |
| 753 } | 729 } |
| 754 » ci++; | 730 ci++; |
| 755 } | 731 } |
| 756 /* Iterate over the matching perm certs. Add them to the list */ | 732 /* Iterate over the matching perm certs. Add them to the list */ |
| 757 ci = pSubjectCerts; | 733 ci = pSubjectCerts; |
| 758 while (ci && *ci) { | 734 while (ci && *ci) { |
| 759 » cert = STAN_GetCERTCertificateOrRelease(*ci); | 735 cert = STAN_GetCERTCertificateOrRelease(*ci); |
| 760 » /* *ci may be invalid at this point, don't reference it again */ | 736 /* *ci may be invalid at this point, don't reference it again */ |
| 761 if (cert) { | 737 if (cert) { |
| 762 » /* NOTE: add_to_subject_list adopts the incoming cert. */ | 738 /* NOTE: add_to_subject_list adopts the incoming cert. */ |
| 763 » add_to_subject_list(certList, cert, validOnly, sorttime); | 739 add_to_subject_list(certList, cert, validOnly, sorttime); |
| 764 } | 740 } |
| 765 » ci++; | 741 ci++; |
| 766 } | 742 } |
| 767 /* all the references have been adopted or freed at this point, just | 743 /* all the references have been adopted or freed at this point, just |
| 768 * free the arrays now */ | 744 * free the arrays now */ |
| 769 nss_ZFreeIf(tSubjectCerts); | 745 nss_ZFreeIf(tSubjectCerts); |
| 770 nss_ZFreeIf(pSubjectCerts); | 746 nss_ZFreeIf(pSubjectCerts); |
| 771 return certList; | 747 return certList; |
| 772 loser: | 748 loser: |
| 773 /* need to free the references in tSubjectCerts and pSubjectCerts! */ | 749 /* need to free the references in tSubjectCerts and pSubjectCerts! */ |
| 774 nssCertificateArray_Destroy(tSubjectCerts); | 750 nssCertificateArray_Destroy(tSubjectCerts); |
| 775 nssCertificateArray_Destroy(pSubjectCerts); | 751 nssCertificateArray_Destroy(pSubjectCerts); |
| 776 if (myList && certList != NULL) { | 752 if (myList && certList != NULL) { |
| 777 » CERT_DestroyCertList(certList); | 753 CERT_DestroyCertList(certList); |
| 778 } | 754 } |
| 779 return NULL; | 755 return NULL; |
| 780 } | 756 } |
| 781 | 757 |
| 782 void | 758 void |
| 783 CERT_DestroyCertificate(CERTCertificate *cert) | 759 CERT_DestroyCertificate(CERTCertificate *cert) |
| 784 { | 760 { |
| 785 if ( cert ) { | 761 if (cert) { |
| 786 » /* don't use STAN_GetNSSCertificate because we don't want to | 762 /* don't use STAN_GetNSSCertificate because we don't want to |
| 787 » * go to the trouble of translating the CERTCertificate into | 763 * go to the trouble of translating the CERTCertificate into |
| 788 » * an NSSCertificate just to destroy it. If it hasn't been done | 764 * an NSSCertificate just to destroy it. If it hasn't been done |
| 789 » * yet, don't do it at all. | 765 * yet, don't do it at all. |
| 790 » */ | 766 */ |
| 791 » NSSCertificate *tmp = cert->nssCertificate; | 767 NSSCertificate *tmp = cert->nssCertificate; |
| 792 » if (tmp) { | 768 if (tmp) { |
| 793 » /* delete the NSSCertificate */ | 769 /* delete the NSSCertificate */ |
| 794 » NSSCertificate_Destroy(tmp); | 770 NSSCertificate_Destroy(tmp); |
| 795 » } else if (cert->arena) { | 771 } else if (cert->arena) { |
| 796 » PORT_FreeArena(cert->arena, PR_FALSE); | 772 PORT_FreeArena(cert->arena, PR_FALSE); |
| 797 » } | 773 } |
| 798 } | 774 } |
| 799 return; | 775 return; |
| 800 } | 776 } |
| 801 | 777 |
| 802 int | 778 int |
| 803 CERT_GetDBContentVersion(CERTCertDBHandle *handle) | 779 CERT_GetDBContentVersion(CERTCertDBHandle *handle) |
| 804 { | 780 { |
| 805 /* should read the DB content version from the pkcs #11 device */ | 781 /* should read the DB content version from the pkcs #11 device */ |
| 806 return 0; | 782 return 0; |
| 807 } | 783 } |
| 808 | 784 |
| 809 SECStatus | 785 SECStatus |
| 810 certdb_SaveSingleProfile(CERTCertificate *cert, const char *emailAddr, | 786 certdb_SaveSingleProfile(CERTCertificate *cert, const char *emailAddr, |
| 811 » » » » SECItem *emailProfile, SECItem *profileTime) | 787 SECItem *emailProfile, SECItem *profileTime) |
| 812 { | 788 { |
| 813 PRTime oldtime; | 789 PRTime oldtime; |
| 814 PRTime newtime; | 790 PRTime newtime; |
| 815 SECStatus rv = SECFailure; | 791 SECStatus rv = SECFailure; |
| 816 PRBool saveit; | 792 PRBool saveit; |
| 817 SECItem oldprof, oldproftime; | 793 SECItem oldprof, oldproftime; |
| 818 SECItem *oldProfile = NULL; | 794 SECItem *oldProfile = NULL; |
| 819 SECItem *oldProfileTime = NULL; | 795 SECItem *oldProfileTime = NULL; |
| 820 PK11SlotInfo *slot = NULL; | 796 PK11SlotInfo *slot = NULL; |
| 821 NSSCertificate *c; | 797 NSSCertificate *c; |
| 822 NSSCryptoContext *cc; | 798 NSSCryptoContext *cc; |
| 823 nssSMIMEProfile *stanProfile = NULL; | 799 nssSMIMEProfile *stanProfile = NULL; |
| 824 PRBool freeOldProfile = PR_FALSE; | 800 PRBool freeOldProfile = PR_FALSE; |
| 825 | 801 |
| 826 c = STAN_GetNSSCertificate(cert); | 802 c = STAN_GetNSSCertificate(cert); |
| 827 if (!c) return SECFailure; | 803 if (!c) |
| 804 return SECFailure; |
| 828 cc = c->object.cryptoContext; | 805 cc = c->object.cryptoContext; |
| 829 if (cc != NULL) { | 806 if (cc != NULL) { |
| 830 » stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c); | 807 stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c); |
| 831 » if (stanProfile) { | 808 if (stanProfile) { |
| 832 » PORT_Assert(stanProfile->profileData); | 809 PORT_Assert(stanProfile->profileData); |
| 833 » SECITEM_FROM_NSSITEM(&oldprof, stanProfile->profileData); | 810 SECITEM_FROM_NSSITEM(&oldprof, stanProfile->profileData); |
| 834 » oldProfile = &oldprof; | 811 oldProfile = &oldprof; |
| 835 » SECITEM_FROM_NSSITEM(&oldproftime, stanProfile->profileTime); | 812 SECITEM_FROM_NSSITEM(&oldproftime, stanProfile->profileTime); |
| 836 » oldProfileTime = &oldproftime; | 813 oldProfileTime = &oldproftime; |
| 837 » } | 814 } |
| 838 } else { | 815 } else { |
| 839 » oldProfile = PK11_FindSMimeProfile(&slot, (char *)emailAddr, | 816 oldProfile = PK11_FindSMimeProfile(&slot, (char *)emailAddr, |
| 840 » » » » » &cert->derSubject, &oldProfileTime); | 817 &cert->derSubject, &oldProfileTime); |
| 841 » freeOldProfile = PR_TRUE; | 818 freeOldProfile = PR_TRUE; |
| 842 } | 819 } |
| 843 | 820 |
| 844 saveit = PR_FALSE; | 821 saveit = PR_FALSE; |
| 845 | 822 |
| 846 /* both profileTime and emailProfile have to exist or not exist */ | 823 /* both profileTime and emailProfile have to exist or not exist */ |
| 847 if ( emailProfile == NULL ) { | 824 if (emailProfile == NULL) { |
| 848 » profileTime = NULL; | 825 profileTime = NULL; |
| 849 } else if ( profileTime == NULL ) { | 826 } else if (profileTime == NULL) { |
| 850 » emailProfile = NULL; | 827 emailProfile = NULL; |
| 851 } | |
| 852 | |
| 853 if ( oldProfileTime == NULL ) { | |
| 854 » saveit = PR_TRUE; | |
| 855 } else { | |
| 856 » /* there was already a profile for this email addr */ | |
| 857 » if ( profileTime ) { | |
| 858 » /* we have an old and new profile - save whichever is more recent*/ | |
| 859 » if ( oldProfileTime->len == 0 ) { | |
| 860 » » /* always replace if old entry doesn't have a time */ | |
| 861 » » oldtime = LL_MININT; | |
| 862 » } else { | |
| 863 » » rv = DER_UTCTimeToTime(&oldtime, oldProfileTime); | |
| 864 » » if ( rv != SECSuccess ) { | |
| 865 » » goto loser; | |
| 866 » » } | |
| 867 » } | |
| 868 » | |
| 869 » rv = DER_UTCTimeToTime(&newtime, profileTime); | |
| 870 » if ( rv != SECSuccess ) { | |
| 871 » » goto loser; | |
| 872 » } | |
| 873 » | |
| 874 » if ( LL_CMP(newtime, >, oldtime ) ) { | |
| 875 » » /* this is a newer profile, save it and cert */ | |
| 876 » » saveit = PR_TRUE; | |
| 877 » } | |
| 878 » } else { | |
| 879 » saveit = PR_TRUE; | |
| 880 » } | |
| 881 } | 828 } |
| 882 | 829 |
| 830 if (oldProfileTime == NULL) { |
| 831 saveit = PR_TRUE; |
| 832 } else { |
| 833 /* there was already a profile for this email addr */ |
| 834 if (profileTime) { |
| 835 /* we have an old and new profile - save whichever is more recent*/ |
| 836 if (oldProfileTime->len == 0) { |
| 837 /* always replace if old entry doesn't have a time */ |
| 838 oldtime = LL_MININT; |
| 839 } else { |
| 840 rv = DER_UTCTimeToTime(&oldtime, oldProfileTime); |
| 841 if (rv != SECSuccess) { |
| 842 goto loser; |
| 843 } |
| 844 } |
| 845 |
| 846 rv = DER_UTCTimeToTime(&newtime, profileTime); |
| 847 if (rv != SECSuccess) { |
| 848 goto loser; |
| 849 } |
| 850 |
| 851 if (LL_CMP(newtime, >, oldtime)) { |
| 852 /* this is a newer profile, save it and cert */ |
| 853 saveit = PR_TRUE; |
| 854 } |
| 855 } else { |
| 856 saveit = PR_TRUE; |
| 857 } |
| 858 } |
| 883 | 859 |
| 884 if (saveit) { | 860 if (saveit) { |
| 885 » if (cc) { | 861 if (cc) { |
| 886 » if (stanProfile) { | 862 if (stanProfile) { |
| 887 » » /* stanProfile is already stored in the crypto context, | 863 /* stanProfile is already stored in the crypto context, |
| 888 » » * overwrite the data | 864 * overwrite the data |
| 889 » » */ | 865 */ |
| 890 » » NSSArena *arena = stanProfile->object.arena; | 866 NSSArena *arena = stanProfile->object.arena; |
| 891 » » stanProfile->profileTime = nssItem_Create(arena, | 867 stanProfile->profileTime = nssItem_Create( |
| 892 » » NULL, | 868 arena, NULL, profileTime->len, profileTime->data); |
| 893 » » profileTime->len, | 869 stanProfile->profileData = nssItem_Create( |
| 894 » » profileTime->data); | 870 arena, NULL, emailProfile->len, emailProfile->data); |
| 895 » » stanProfile->profileData = nssItem_Create(arena, | 871 } else if (profileTime && emailProfile) { |
| 896 » » NULL, | 872 PRStatus nssrv; |
| 897 » » emailProfile->len, | 873 NSSItem profTime, profData; |
| 898 » » emailProfile->data); | 874 NSSITEM_FROM_SECITEM(&profTime, profileTime); |
| 899 » } else if (profileTime && emailProfile) { | 875 NSSITEM_FROM_SECITEM(&profData, emailProfile); |
| 900 » » PRStatus nssrv; | 876 stanProfile = nssSMIMEProfile_Create(c, &profTime, &profData); |
| 901 » » NSSItem profTime, profData; | 877 if (!stanProfile) |
| 902 » » NSSITEM_FROM_SECITEM(&profTime, profileTime); | 878 goto loser; |
| 903 » » NSSITEM_FROM_SECITEM(&profData, emailProfile); | 879 nssrv = nssCryptoContext_ImportSMIMEProfile(cc, stanProfile); |
| 904 » » stanProfile = nssSMIMEProfile_Create(c, &profTime, &profData); | 880 rv = (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure; |
| 905 » » if (!stanProfile) goto loser; | 881 } |
| 906 » » nssrv = nssCryptoContext_ImportSMIMEProfile(cc, stanProfile); | 882 } else { |
| 907 » » rv = (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure; | 883 rv = PK11_SaveSMimeProfile(slot, (char *)emailAddr, |
| 908 » } | 884 &cert->derSubject, emailProfile, |
| 909 » } else { | 885 profileTime); |
| 910 » rv = PK11_SaveSMimeProfile(slot, (char *)emailAddr, | 886 } |
| 911 » » » » &cert->derSubject, emailProfile, profileTime); | |
| 912 » } | |
| 913 } else { | 887 } else { |
| 914 » rv = SECSuccess; | 888 rv = SECSuccess; |
| 915 } | 889 } |
| 916 | 890 |
| 917 loser: | 891 loser: |
| 918 if (oldProfile && freeOldProfile) { | 892 if (oldProfile && freeOldProfile) { |
| 919 » SECITEM_FreeItem(oldProfile,PR_TRUE); | 893 SECITEM_FreeItem(oldProfile, PR_TRUE); |
| 920 } | 894 } |
| 921 if (oldProfileTime && freeOldProfile) { | 895 if (oldProfileTime && freeOldProfile) { |
| 922 » SECITEM_FreeItem(oldProfileTime,PR_TRUE); | 896 SECITEM_FreeItem(oldProfileTime, PR_TRUE); |
| 923 } | 897 } |
| 924 if (stanProfile) { | 898 if (stanProfile) { |
| 925 » nssSMIMEProfile_Destroy(stanProfile); | 899 nssSMIMEProfile_Destroy(stanProfile); |
| 926 } | 900 } |
| 927 if (slot) { | 901 if (slot) { |
| 928 » PK11_FreeSlot(slot); | 902 PK11_FreeSlot(slot); |
| 929 } | 903 } |
| 930 | 904 |
| 931 return(rv); | 905 return (rv); |
| 932 } | 906 } |
| 933 | 907 |
| 934 /* | 908 /* |
| 935 * | 909 * |
| 936 * Manage S/MIME profiles | 910 * Manage S/MIME profiles |
| 937 * | 911 * |
| 938 */ | 912 */ |
| 939 | 913 |
| 940 SECStatus | 914 SECStatus |
| 941 CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile, | 915 CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile, |
| 942 » » SECItem *profileTime) | 916 SECItem *profileTime) |
| 943 { | 917 { |
| 944 const char *emailAddr; | 918 const char *emailAddr; |
| 945 SECStatus rv; | 919 SECStatus rv; |
| 946 | 920 |
| 947 if (!cert) { | 921 if (!cert) { |
| 948 return SECFailure; | 922 return SECFailure; |
| 949 } | 923 } |
| 950 | 924 |
| 951 if (cert->slot && !PK11_IsInternal(cert->slot)) { | 925 if (cert->slot && !PK11_IsInternal(cert->slot)) { |
| 952 /* this cert comes from an external source, we need to add it | 926 /* this cert comes from an external source, we need to add it |
| 953 to the cert db before creating an S/MIME profile */ | 927 to the cert db before creating an S/MIME profile */ |
| 954 PK11SlotInfo* internalslot = PK11_GetInternalKeySlot(); | 928 PK11SlotInfo *internalslot = PK11_GetInternalKeySlot(); |
| 955 if (!internalslot) { | 929 if (!internalslot) { |
| 956 return SECFailure; | 930 return SECFailure; |
| 957 } | 931 } |
| 958 rv = PK11_ImportCert(internalslot, cert, | 932 rv = PK11_ImportCert(internalslot, cert, CK_INVALID_HANDLE, NULL, |
| 959 CK_INVALID_HANDLE, NULL, PR_FALSE); | 933 PR_FALSE); |
| 960 | 934 |
| 961 PK11_FreeSlot(internalslot); | 935 PK11_FreeSlot(internalslot); |
| 962 if (rv != SECSuccess ) { | 936 if (rv != SECSuccess) { |
| 963 return SECFailure; | 937 return SECFailure; |
| 964 } | 938 } |
| 965 } | 939 } |
| 966 | 940 |
| 967 if (cert->slot && cert->isperm && CERT_IsUserCert(cert) && | 941 if (cert->slot && cert->isperm && CERT_IsUserCert(cert) && |
| 968 » (!emailProfile || !emailProfile->len)) { | 942 (!emailProfile || !emailProfile->len)) { |
| 969 » /* Don't clobber emailProfile for user certs. */ | 943 /* Don't clobber emailProfile for user certs. */ |
| 970 » return SECSuccess; | 944 return SECSuccess; |
| 971 } | 945 } |
| 972 | 946 |
| 973 for (emailAddr = CERT_GetFirstEmailAddress(cert); emailAddr != NULL; | 947 for (emailAddr = CERT_GetFirstEmailAddress(cert); emailAddr != NULL; |
| 974 » » emailAddr = CERT_GetNextEmailAddress(cert,emailAddr)) { | 948 emailAddr = CERT_GetNextEmailAddress(cert, emailAddr)) { |
| 975 » rv = certdb_SaveSingleProfile(cert,emailAddr,emailProfile,profileTime); | 949 rv = certdb_SaveSingleProfile(cert, emailAddr, emailProfile, |
| 976 » if (rv != SECSuccess) { | 950 profileTime); |
| 977 » return SECFailure; | 951 if (rv != SECSuccess) { |
| 978 » } | 952 return SECFailure; |
| 953 } |
| 979 } | 954 } |
| 980 return SECSuccess; | 955 return SECSuccess; |
| 981 | |
| 982 } | 956 } |
| 983 | 957 |
| 984 | |
| 985 SECItem * | 958 SECItem * |
| 986 CERT_FindSMimeProfile(CERTCertificate *cert) | 959 CERT_FindSMimeProfile(CERTCertificate *cert) |
| 987 { | 960 { |
| 988 PK11SlotInfo *slot = NULL; | 961 PK11SlotInfo *slot = NULL; |
| 989 NSSCertificate *c; | 962 NSSCertificate *c; |
| 990 NSSCryptoContext *cc; | 963 NSSCryptoContext *cc; |
| 991 SECItem *rvItem = NULL; | 964 SECItem *rvItem = NULL; |
| 992 | 965 |
| 993 if (!cert || !cert->emailAddr || !cert->emailAddr[0]) { | 966 if (!cert || !cert->emailAddr || !cert->emailAddr[0]) { |
| 994 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 967 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 995 » return NULL; | 968 return NULL; |
| 996 } | 969 } |
| 997 c = STAN_GetNSSCertificate(cert); | 970 c = STAN_GetNSSCertificate(cert); |
| 998 if (!c) return NULL; | 971 if (!c) |
| 972 return NULL; |
| 999 cc = c->object.cryptoContext; | 973 cc = c->object.cryptoContext; |
| 1000 if (cc != NULL) { | 974 if (cc != NULL) { |
| 1001 » nssSMIMEProfile *stanProfile; | 975 nssSMIMEProfile *stanProfile; |
| 1002 » stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c); | 976 stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c); |
| 1003 » if (stanProfile) { | 977 if (stanProfile) { |
| 1004 » rvItem = SECITEM_AllocItem(NULL, NULL, | 978 rvItem = |
| 1005 » stanProfile->profileData->size); | 979 SECITEM_AllocItem(NULL, NULL, stanProfile->profileData->size); |
| 1006 » if (rvItem) { | 980 if (rvItem) { |
| 1007 » » rvItem->data = stanProfile->profileData->data; | 981 rvItem->data = stanProfile->profileData->data; |
| 1008 » } | 982 } |
| 1009 » nssSMIMEProfile_Destroy(stanProfile); | 983 nssSMIMEProfile_Destroy(stanProfile); |
| 1010 » } | 984 } |
| 1011 » return rvItem; | 985 return rvItem; |
| 1012 } | 986 } |
| 1013 rvItem = | 987 rvItem = |
| 1014 » PK11_FindSMimeProfile(&slot, cert->emailAddr, &cert->derSubject, NULL); | 988 PK11_FindSMimeProfile(&slot, cert->emailAddr, &cert->derSubject, NULL); |
| 1015 if (slot) { | 989 if (slot) { |
| 1016 » PK11_FreeSlot(slot); | 990 PK11_FreeSlot(slot); |
| 1017 } | 991 } |
| 1018 return rvItem; | 992 return rvItem; |
| 1019 } | 993 } |
| 1020 | 994 |
| 1021 /* | 995 /* |
| 1022 * deprecated functions that are now just stubs. | 996 * deprecated functions that are now just stubs. |
| 1023 */ | 997 */ |
| 1024 /* | 998 /* |
| 1025 * Close the database | 999 * Close the database |
| 1026 */ | 1000 */ |
| (...skipping 16 matching lines...) Expand all Loading... |
| 1043 SECItem * | 1017 SECItem * |
| 1044 SECKEY_HashPassword(char *pw, SECItem *salt) | 1018 SECKEY_HashPassword(char *pw, SECItem *salt) |
| 1045 { | 1019 { |
| 1046 PORT_Assert("SECKEY_HashPassword is Deprecated" == NULL); | 1020 PORT_Assert("SECKEY_HashPassword is Deprecated" == NULL); |
| 1047 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | 1021 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| 1048 return NULL; | 1022 return NULL; |
| 1049 } | 1023 } |
| 1050 | 1024 |
| 1051 SECStatus | 1025 SECStatus |
| 1052 __CERT_TraversePermCertsForSubject(CERTCertDBHandle *handle, | 1026 __CERT_TraversePermCertsForSubject(CERTCertDBHandle *handle, |
| 1053 SECItem *derSubject, | 1027 SECItem *derSubject, void *cb, void *cbarg) |
| 1054 void *cb, void *cbarg) | |
| 1055 { | 1028 { |
| 1056 PORT_Assert("CERT_TraversePermCertsForSubject is Deprecated" == NULL); | 1029 PORT_Assert("CERT_TraversePermCertsForSubject is Deprecated" == NULL); |
| 1057 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | 1030 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| 1058 return SECFailure; | 1031 return SECFailure; |
| 1059 } | 1032 } |
| 1060 | 1033 |
| 1061 | |
| 1062 SECStatus | 1034 SECStatus |
| 1063 __CERT_TraversePermCertsForNickname(CERTCertDBHandle *handle, char *nickname, | 1035 __CERT_TraversePermCertsForNickname(CERTCertDBHandle *handle, char *nickname, |
| 1064 void *cb, void *cbarg) | 1036 void *cb, void *cbarg) |
| 1065 { | 1037 { |
| 1066 PORT_Assert("CERT_TraversePermCertsForNickname is Deprecated" == NULL); | 1038 PORT_Assert("CERT_TraversePermCertsForNickname is Deprecated" == NULL); |
| 1067 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | 1039 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| 1068 return SECFailure; | 1040 return SECFailure; |
| 1069 } | 1041 } |
| 1070 | |
| 1071 | |
| 1072 | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1843333003:
Update NSPR to 4.12 and NSS to 3.23 on iOS (Closed)
Base URL: https://chromium.googlesource.com/chromium/deps/nss.git@master