Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(661)

Unified Diff: nss/lib/pk11wrap/pk11nobj.c

Issue 2078763002: Delete bundled copy of NSS and replace with README. (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/nss@master
Patch Set: Delete bundled copy of NSS and replace with README. Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « nss/lib/pk11wrap/pk11merge.c ('k') | nss/lib/pk11wrap/pk11obj.c » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: nss/lib/pk11wrap/pk11nobj.c
diff --git a/nss/lib/pk11wrap/pk11nobj.c b/nss/lib/pk11wrap/pk11nobj.c
deleted file mode 100644
index dcca4342601a24d3706eb37681619e71ac11740b..0000000000000000000000000000000000000000
--- a/nss/lib/pk11wrap/pk11nobj.c
+++ /dev/null
@@ -1,784 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/*
- * This file manages Netscape specific PKCS #11 objects (CRLs, Trust objects,
- * etc).
- */
-
-#include "secport.h"
-#include "seccomon.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "pkcs11.h"
-#include "pk11func.h"
-#include "cert.h"
-#include "certi.h"
-#include "secitem.h"
-#include "sechash.h"
-#include "secoid.h"
-
-#include "certdb.h"
-#include "secerr.h"
-
-#include "pki3hack.h"
-#include "dev3hack.h"
-
-#include "devm.h"
-#include "pki.h"
-#include "pkim.h"
-
-extern const NSSError NSS_ERROR_NOT_FOUND;
-
-CK_TRUST
-pk11_GetTrustField(PK11SlotInfo *slot, PLArenaPool *arena,
- CK_OBJECT_HANDLE id, CK_ATTRIBUTE_TYPE type)
-{
- CK_TRUST rv = 0;
- SECItem item;
-
- item.data = NULL;
- item.len = 0;
-
- if( SECSuccess == PK11_ReadAttribute(slot, id, type, arena, &item) ) {
- PORT_Assert(item.len == sizeof(CK_TRUST));
- PORT_Memcpy(&rv, item.data, sizeof(CK_TRUST));
- /* Damn, is there an endian problem here? */
- return rv;
- }
-
- return 0;
-}
-
-PRBool
-pk11_HandleTrustObject(PK11SlotInfo *slot, CERTCertificate *cert, CERTCertTrust *trust)
-{
- PLArenaPool *arena;
-
- CK_ATTRIBUTE tobjTemplate[] = {
- { CKA_CLASS, NULL, 0 },
- { CKA_CERT_SHA1_HASH, NULL, 0 },
- };
-
- CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
- CK_OBJECT_HANDLE tobjID;
- unsigned char sha1_hash[SHA1_LENGTH];
-
- CK_TRUST serverAuth, codeSigning, emailProtection, clientAuth;
-
- PK11_HashBuf(SEC_OID_SHA1, sha1_hash, cert->derCert.data, cert->derCert.len);
-
- PK11_SETATTRS(&tobjTemplate[0], CKA_CLASS, &tobjc, sizeof(tobjc));
- PK11_SETATTRS(&tobjTemplate[1], CKA_CERT_SHA1_HASH, sha1_hash,
- SHA1_LENGTH);
-
- tobjID = pk11_FindObjectByTemplate(slot, tobjTemplate,
- sizeof(tobjTemplate)/sizeof(tobjTemplate[0]));
- if( CK_INVALID_HANDLE == tobjID ) {
- return PR_FALSE;
- }
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if( NULL == arena ) return PR_FALSE;
-
- /* Unfortunately, it seems that PK11_GetAttributes doesn't deal
- * well with nonexistent attributes. I guess we have to check
- * the trust info fields one at a time.
- */
-
- /* We could verify CKA_CERT_HASH here */
-
- /* We could verify CKA_EXPIRES here */
-
-
- /* "Purpose" trust information */
- serverAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_SERVER_AUTH);
- clientAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CLIENT_AUTH);
- codeSigning = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CODE_SIGNING);
- emailProtection = pk11_GetTrustField(slot, arena, tobjID,
- CKA_TRUST_EMAIL_PROTECTION);
- /* Here's where the fun logic happens. We have to map back from the
- * key usage, extended key usage, purpose, and possibly other trust values
- * into the old trust-flags bits. */
-
- /* First implementation: keep it simple for testing. We can study what other
- * mappings would be appropriate and add them later.. fgmr 20000724 */
-
- if ( serverAuth == CKT_NSS_TRUSTED ) {
- trust->sslFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED;
- }
-
- if ( serverAuth == CKT_NSS_TRUSTED_DELEGATOR ) {
- trust->sslFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
- CERTDB_NS_TRUSTED_CA;
- }
- if ( clientAuth == CKT_NSS_TRUSTED_DELEGATOR ) {
- trust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA ;
- }
-
- if ( emailProtection == CKT_NSS_TRUSTED ) {
- trust->emailFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED;
- }
-
- if ( emailProtection == CKT_NSS_TRUSTED_DELEGATOR ) {
- trust->emailFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA;
- }
-
- if( codeSigning == CKT_NSS_TRUSTED ) {
- trust->objectSigningFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED;
- }
-
- if( codeSigning == CKT_NSS_TRUSTED_DELEGATOR ) {
- trust->objectSigningFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA;
- }
-
- /* There's certainly a lot more logic that can go here.. */
-
- PORT_FreeArena(arena, PR_FALSE);
-
- return PR_TRUE;
-}
-
-static SECStatus
-pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg)
-{
- SECItem derCrl;
- CERTCrlHeadNode *head = (CERTCrlHeadNode *) arg;
- CERTCrlNode *new_node = NULL;
- CK_ATTRIBUTE fetchCrl[3] = {
- { CKA_VALUE, NULL, 0},
- { CKA_NETSCAPE_KRL, NULL, 0},
- { CKA_NETSCAPE_URL, NULL, 0},
- };
- const int fetchCrlSize = sizeof(fetchCrl)/sizeof(fetchCrl[2]);
- CK_RV crv;
- SECStatus rv = SECFailure;
-
- crv = PK11_GetAttributes(head->arena,slot,crlID,fetchCrl,fetchCrlSize);
- if (CKR_OK != crv) {
- PORT_SetError(PK11_MapError(crv));
- goto loser;
- }
-
- if (!fetchCrl[1].pValue) {
- PORT_SetError(SEC_ERROR_CRL_INVALID);
- goto loser;
- }
-
- new_node = (CERTCrlNode *)PORT_ArenaAlloc(head->arena, sizeof(CERTCrlNode));
- if (new_node == NULL) {
- goto loser;
- }
-
- if (*((CK_BBOOL *)fetchCrl[1].pValue))
- new_node->type = SEC_KRL_TYPE;
- else
- new_node->type = SEC_CRL_TYPE;
-
- derCrl.type = siBuffer;
- derCrl.data = (unsigned char *)fetchCrl[0].pValue;
- derCrl.len = fetchCrl[0].ulValueLen;
- new_node->crl=CERT_DecodeDERCrl(head->arena,&derCrl,new_node->type);
- if (new_node->crl == NULL) {
- goto loser;
- }
-
- if (fetchCrl[2].pValue) {
- int nnlen = fetchCrl[2].ulValueLen;
- new_node->crl->url = (char *)PORT_ArenaAlloc(head->arena, nnlen+1);
- if ( !new_node->crl->url ) {
- goto loser;
- }
- PORT_Memcpy(new_node->crl->url, fetchCrl[2].pValue, nnlen);
- new_node->crl->url[nnlen] = 0;
- } else {
- new_node->crl->url = NULL;
- }
-
-
- new_node->next = NULL;
- if (head->last) {
- head->last->next = new_node;
- head->last = new_node;
- } else {
- head->first = head->last = new_node;
- }
- rv = SECSuccess;
-
-loser:
- return(rv);
-}
-
-/*
- * Return a list of all the CRLs .
- * CRLs are allocated in the list's arena.
- */
-SECStatus
-PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx) {
- pk11TraverseSlot creater;
- CK_ATTRIBUTE theTemplate[2];
- CK_ATTRIBUTE *attrs;
- CK_OBJECT_CLASS certClass = CKO_NETSCAPE_CRL;
- CK_BBOOL isKrl = CK_FALSE;
-
- attrs = theTemplate;
- PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); attrs++;
- if (type != -1) {
- isKrl = (CK_BBOOL) (type == SEC_KRL_TYPE);
- PK11_SETATTRS(attrs, CKA_NETSCAPE_KRL, &isKrl, sizeof(isKrl)); attrs++;
- }
-
- creater.callback = pk11_CollectCrls;
- creater.callbackArg = (void *) nodes;
- creater.findTemplate = theTemplate;
- creater.templateCount = (attrs - theTemplate);
-
- return pk11_TraverseAllSlots(PK11_TraverseSlot, &creater, PR_FALSE, wincx);
-}
-
-struct crlOptionsStr {
- CERTCrlHeadNode* head;
- PRInt32 decodeOptions;
-};
-
-typedef struct crlOptionsStr crlOptions;
-
-static SECStatus
-pk11_RetrieveCrlsCallback(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID,
- void *arg)
-{
- SECItem* derCrl = NULL;
- crlOptions* options = (crlOptions*) arg;
- CERTCrlHeadNode *head = options->head;
- CERTCrlNode *new_node = NULL;
- CK_ATTRIBUTE fetchCrl[3] = {
- { CKA_VALUE, NULL, 0},
- { CKA_NETSCAPE_KRL, NULL, 0},
- { CKA_NETSCAPE_URL, NULL, 0},
- };
- const int fetchCrlSize = sizeof(fetchCrl)/sizeof(fetchCrl[2]);
- CK_RV crv;
- SECStatus rv = SECFailure;
- PRBool adopted = PR_FALSE; /* whether the CRL adopted the DER memory
- successfully */
- int i;
-
- crv = PK11_GetAttributes(NULL,slot,crlID,fetchCrl,fetchCrlSize);
- if (CKR_OK != crv) {
- PORT_SetError(PK11_MapError(crv));
- goto loser;
- }
-
- if (!fetchCrl[1].pValue) {
- /* reject KRLs */
- PORT_SetError(SEC_ERROR_CRL_INVALID);
- goto loser;
- }
-
- new_node = (CERTCrlNode *)PORT_ArenaAlloc(head->arena,
- sizeof(CERTCrlNode));
- if (new_node == NULL) {
- goto loser;
- }
-
- new_node->type = SEC_CRL_TYPE;
-
- derCrl = SECITEM_AllocItem(NULL, NULL, 0);
- if (!derCrl) {
- goto loser;
- }
- derCrl->type = siBuffer;
- derCrl->data = (unsigned char *)fetchCrl[0].pValue;
- derCrl->len = fetchCrl[0].ulValueLen;
- new_node->crl = CERT_DecodeDERCrlWithFlags(NULL, derCrl,new_node->type,
- options->decodeOptions);
- if (new_node->crl == NULL) {
- goto loser;
- }
- adopted = PR_TRUE; /* now that the CRL has adopted the DER memory,
- we won't need to free it upon exit */
-
- if (fetchCrl[2].pValue && fetchCrl[2].ulValueLen) {
- /* copy the URL if there is one */
- int nnlen = fetchCrl[2].ulValueLen;
- new_node->crl->url = (char *)PORT_ArenaAlloc(new_node->crl->arena,
- nnlen+1);
- if ( !new_node->crl->url ) {
- goto loser;
- }
- PORT_Memcpy(new_node->crl->url, fetchCrl[2].pValue, nnlen);
- new_node->crl->url[nnlen] = 0;
- } else {
- new_node->crl->url = NULL;
- }
-
- new_node->next = NULL;
- if (head->last) {
- head->last->next = new_node;
- head->last = new_node;
- } else {
- head->first = head->last = new_node;
- }
- rv = SECSuccess;
- new_node->crl->slot = PK11_ReferenceSlot(slot);
- new_node->crl->pkcs11ID = crlID;
-
-loser:
- /* free attributes that weren't adopted by the CRL */
- for (i=1;i<fetchCrlSize;i++) {
- if (fetchCrl[i].pValue) {
- PORT_Free(fetchCrl[i].pValue);
- }
- }
- /* free the DER if the CRL object didn't adopt it */
- if (fetchCrl[0].pValue && PR_FALSE == adopted) {
- PORT_Free(fetchCrl[0].pValue);
- }
- if (derCrl && !adopted) {
- /* clear the data fields, which we already took care of above */
- derCrl->data = NULL;
- derCrl->len = 0;
- /* free the memory for the SECItem structure itself */
- SECITEM_FreeItem(derCrl, PR_TRUE);
- }
- return(rv);
-}
-
-/*
- * Return a list of CRLs matching specified issuer and type
- * CRLs are not allocated in the list's arena, but rather in their own,
- * arena, so that they can be used individually in the CRL cache .
- * CRLs are always partially decoded for efficiency.
- */
-SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem* issuer,
- void *wincx)
-{
- pk11TraverseSlot creater;
- CK_ATTRIBUTE theTemplate[2];
- CK_ATTRIBUTE *attrs;
- CK_OBJECT_CLASS crlClass = CKO_NETSCAPE_CRL;
- crlOptions options;
-
- attrs = theTemplate;
- PK11_SETATTRS(attrs, CKA_CLASS, &crlClass, sizeof(crlClass)); attrs++;
-
- options.head = nodes;
-
- /* - do a partial decoding - we don't need to decode the entries while
- fetching
- - don't copy the DER for optimal performance - CRL can be very large
- - have the CRL objects adopt the DER, so SEC_DestroyCrl will free it
- - keep bad CRL objects. The CRL cache is interested in them, for
- security purposes. Bad CRL objects are a sign of something amiss.
- */
-
- options.decodeOptions = CRL_DECODE_SKIP_ENTRIES | CRL_DECODE_DONT_COPY_DER |
- CRL_DECODE_ADOPT_HEAP_DER | CRL_DECODE_KEEP_BAD_CRL;
- if (issuer)
- {
- PK11_SETATTRS(attrs, CKA_SUBJECT, issuer->data, issuer->len); attrs++;
- }
-
- creater.callback = pk11_RetrieveCrlsCallback;
- creater.callbackArg = (void *) &options;
- creater.findTemplate = theTemplate;
- creater.templateCount = (attrs - theTemplate);
-
- return pk11_TraverseAllSlots(PK11_TraverseSlot, &creater, PR_FALSE, wincx);
-}
-
-/*
- * return the crl associated with a derSubjectName
- */
-SECItem *
-PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *crlHandle,
- SECItem *name, int type, char **pUrl)
-{
- NSSCRL **crls, **crlp, *crl = NULL;
- NSSDER subject;
- SECItem *rvItem;
- NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
- char * url = NULL;
-
- PORT_SetError(0);
- NSSITEM_FROM_SECITEM(&subject, name);
- if (*slot) {
- nssCryptokiObject **instances;
- nssPKIObjectCollection *collection;
- nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
- NSSToken *token = PK11Slot_GetNSSToken(*slot);
- collection = nssCRLCollection_Create(td, NULL);
- if (!collection) {
- goto loser;
- }
- instances = nssToken_FindCRLsBySubject(token, NULL, &subject,
- tokenOnly, 0, NULL);
- nssPKIObjectCollection_AddInstances(collection, instances, 0);
- nss_ZFreeIf(instances);
- crls = nssPKIObjectCollection_GetCRLs(collection, NULL, 0, NULL);
- nssPKIObjectCollection_Destroy(collection);
- } else {
- crls = nssTrustDomain_FindCRLsBySubject(td, &subject);
- }
- if ((!crls) || (*crls == NULL)) {
- if (crls) {
- nssCRLArray_Destroy(crls);
- }
- if (NSS_GetError() == NSS_ERROR_NOT_FOUND) {
- PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
- }
- goto loser;
- }
- for (crlp = crls; *crlp; crlp++) {
- if ((!(*crlp)->isKRL && type == SEC_CRL_TYPE) ||
- ((*crlp)->isKRL && type != SEC_CRL_TYPE))
- {
- crl = nssCRL_AddRef(*crlp);
- break;
- }
- }
- nssCRLArray_Destroy(crls);
- if (!crl) {
- /* CRL collection was found, but no interesting CRL's were on it.
- * Not an error */
- PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
- goto loser;
- }
- if (crl->url) {
- url = PORT_Strdup(crl->url);
- if (!url) {
- goto loser;
- }
- }
- rvItem = SECITEM_AllocItem(NULL, NULL, crl->encoding.size);
- if (!rvItem) {
- goto loser;
- }
- memcpy(rvItem->data, crl->encoding.data, crl->encoding.size);
- *slot = PK11_ReferenceSlot(crl->object.instances[0]->token->pk11slot);
- *crlHandle = crl->object.instances[0]->handle;
- *pUrl = url;
- nssCRL_Destroy(crl);
- return rvItem;
-
-loser:
- if (url)
- PORT_Free(url);
- if (crl)
- nssCRL_Destroy(crl);
- if (PORT_GetError() == 0) {
- PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
- }
- return NULL;
-}
-
-CK_OBJECT_HANDLE
-PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name,
- char *url, int type)
-{
- NSSItem derCRL, derSubject;
- NSSToken *token = PK11Slot_GetNSSToken(slot);
- nssCryptokiObject *object;
- PRBool isKRL = (type == SEC_CRL_TYPE) ? PR_FALSE : PR_TRUE;
- CK_OBJECT_HANDLE rvH;
-
- NSSITEM_FROM_SECITEM(&derSubject, name);
- NSSITEM_FROM_SECITEM(&derCRL, crl);
-
- object = nssToken_ImportCRL(token, NULL,
- &derSubject, &derCRL, isKRL, url, PR_TRUE);
-
- if (object) {
- rvH = object->handle;
- nssCryptokiObject_Destroy(object);
- } else {
- rvH = CK_INVALID_HANDLE;
- PORT_SetError(SEC_ERROR_CRL_IMPORT_FAILED);
- }
- return rvH;
-}
-
-
-/*
- * delete a crl.
- */
-SECStatus
-SEC_DeletePermCRL(CERTSignedCrl *crl)
-{
- PRStatus status;
- NSSToken *token;
- nssCryptokiObject *object;
- PK11SlotInfo *slot = crl->slot;
-
- if (slot == NULL) {
- PORT_Assert(slot);
- /* shouldn't happen */
- PORT_SetError( SEC_ERROR_CRL_INVALID);
- return SECFailure;
- }
- token = PK11Slot_GetNSSToken(slot);
-
- object = nss_ZNEW(NULL, nssCryptokiObject);
- if (!object) {
- return SECFailure;
- }
- object->token = nssToken_AddRef(token);
- object->handle = crl->pkcs11ID;
- object->isTokenObject = PR_TRUE;
-
- status = nssToken_DeleteStoredObject(object);
-
- nssCryptokiObject_Destroy(object);
- return (status == PR_SUCCESS) ? SECSuccess : SECFailure;
-}
-
-/*
- * return the certificate associated with a derCert
- */
-SECItem *
-PK11_FindSMimeProfile(PK11SlotInfo **slot, char *emailAddr,
- SECItem *name, SECItem **profileTime)
-{
- CK_OBJECT_CLASS smimeClass = CKO_NETSCAPE_SMIME;
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_SUBJECT, NULL, 0 },
- { CKA_CLASS, NULL, 0 },
- { CKA_NETSCAPE_EMAIL, NULL, 0 },
- };
- CK_ATTRIBUTE smimeData[] = {
- { CKA_SUBJECT, NULL, 0 },
- { CKA_VALUE, NULL, 0 },
- };
- /* if you change the array, change the variable below as well */
- int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
- CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE;
- CK_ATTRIBUTE *attrs = theTemplate;
- CK_RV crv;
- SECItem *emailProfile = NULL;
-
- if (!emailAddr || !emailAddr[0]) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return NULL;
- }
-
- PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); attrs++;
- PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++;
- PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, emailAddr, strlen(emailAddr));
- attrs++;
-
- if (*slot) {
- smimeh = pk11_FindObjectByTemplate(*slot,theTemplate,tsize);
- } else {
- PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
- PR_FALSE,PR_TRUE,NULL);
- PK11SlotListElement *le;
-
- if (!list) {
- return NULL;
- }
- /* loop through all the slots */
- for (le = list->head; le; le = le->next) {
- smimeh = pk11_FindObjectByTemplate(le->slot,theTemplate,tsize);
- if (smimeh != CK_INVALID_HANDLE) {
- *slot = PK11_ReferenceSlot(le->slot);
- break;
- }
- }
- PK11_FreeSlotList(list);
- }
-
- if (smimeh == CK_INVALID_HANDLE) {
- PORT_SetError(SEC_ERROR_NO_KRL);
- return NULL;
- }
-
- if (profileTime) {
- PK11_SETATTRS(smimeData, CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0);
- }
-
- crv = PK11_GetAttributes(NULL,*slot,smimeh,smimeData,2);
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError (crv));
- goto loser;
- }
-
- if (!profileTime) {
- SECItem profileSubject;
-
- profileSubject.data = (unsigned char*) smimeData[0].pValue;
- profileSubject.len = smimeData[0].ulValueLen;
- if (!SECITEM_ItemsAreEqual(&profileSubject,name)) {
- goto loser;
- }
- }
-
- emailProfile = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if (emailProfile == NULL) {
- goto loser;
- }
-
- emailProfile->data = (unsigned char*) smimeData[1].pValue;
- emailProfile->len = smimeData[1].ulValueLen;
-
- if (profileTime) {
- *profileTime = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if (*profileTime) {
- (*profileTime)->data = (unsigned char*) smimeData[0].pValue;
- (*profileTime)->len = smimeData[0].ulValueLen;
- }
- }
-
-loser:
- if (emailProfile == NULL) {
- if (smimeData[1].pValue) {
- PORT_Free(smimeData[1].pValue);
- }
- }
- if (profileTime == NULL || *profileTime == NULL) {
- if (smimeData[0].pValue) {
- PORT_Free(smimeData[0].pValue);
- }
- }
- return emailProfile;
-}
-
-
-SECStatus
-PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
- SECItem *emailProfile, SECItem *profileTime)
-{
- CK_OBJECT_CLASS smimeClass = CKO_NETSCAPE_SMIME;
- CK_BBOOL ck_true = CK_TRUE;
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_CLASS, NULL, 0 },
- { CKA_TOKEN, NULL, 0 },
- { CKA_SUBJECT, NULL, 0 },
- { CKA_NETSCAPE_EMAIL, NULL, 0 },
- { CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0 },
- { CKA_VALUE, NULL, 0 }
- };
- /* if you change the array, change the variable below as well */
- int realSize = 0;
- CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE;
- CK_ATTRIBUTE *attrs = theTemplate;
- CK_SESSION_HANDLE rwsession;
- PK11SlotInfo *free_slot = NULL;
- CK_RV crv;
-#ifdef DEBUG
- int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-#endif
-
- PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++;
- PK11_SETATTRS(attrs, CKA_TOKEN, &ck_true, sizeof(ck_true)); attrs++;
- PK11_SETATTRS(attrs, CKA_SUBJECT, derSubj->data, derSubj->len); attrs++;
- PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL,
- emailAddr, PORT_Strlen(emailAddr)+1); attrs++;
- if (profileTime) {
- PK11_SETATTRS(attrs, CKA_NETSCAPE_SMIME_TIMESTAMP, profileTime->data,
- profileTime->len); attrs++;
- PK11_SETATTRS(attrs, CKA_VALUE,emailProfile->data,
- emailProfile->len); attrs++;
- }
- realSize = attrs - theTemplate;
- PORT_Assert (realSize <= tsize);
-
- if (slot == NULL) {
- free_slot = slot = PK11_GetInternalKeySlot();
- /* we need to free the key slot in the end!!! */
- }
-
- rwsession = PK11_GetRWSession(slot);
- if (rwsession == CK_INVALID_SESSION) {
- PORT_SetError(SEC_ERROR_READ_ONLY);
- if (free_slot) {
- PK11_FreeSlot(free_slot);
- }
- return SECFailure;
- }
-
- crv = PK11_GETTAB(slot)->
- C_CreateObject(rwsession,theTemplate,realSize,&smimeh);
- if (crv != CKR_OK) {
- PORT_SetError( PK11_MapError(crv) );
- }
-
- PK11_RestoreROSession(slot,rwsession);
-
- if (free_slot) {
- PK11_FreeSlot(free_slot);
- }
- return SECSuccess;
-}
-
-
-CERTSignedCrl * crl_storeCRL (PK11SlotInfo *slot,char *url,
- CERTSignedCrl *newCrl, SECItem *derCrl, int type);
-
-/* import the CRL into the token */
-
-CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url,
- int type, void *wincx, PRInt32 importOptions, PLArenaPool* arena,
- PRInt32 decodeoptions)
-{
- CERTSignedCrl *newCrl, *crl;
- SECStatus rv;
- CERTCertificate *caCert = NULL;
-
- newCrl = crl = NULL;
-
- do {
- newCrl = CERT_DecodeDERCrlWithFlags(arena, derCRL, type,
- decodeoptions);
- if (newCrl == NULL) {
- if (type == SEC_CRL_TYPE) {
- /* only promote error when the error code is too generic */
- if (PORT_GetError () == SEC_ERROR_BAD_DER)
- PORT_SetError(SEC_ERROR_CRL_INVALID);
- } else {
- PORT_SetError(SEC_ERROR_KRL_INVALID);
- }
- break;
- }
-
- if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)){
- CERTCertDBHandle* handle = CERT_GetDefaultCertDB();
- PR_ASSERT(handle != NULL);
- caCert = CERT_FindCertByName (handle,
- &newCrl->crl.derName);
- if (caCert == NULL) {
- PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
- break;
- }
-
- /* If caCert is a v3 certificate, make sure that it can be used for
- crl signing purpose */
- rv = CERT_CheckCertUsage (caCert, KU_CRL_SIGN);
- if (rv != SECSuccess) {
- break;
- }
-
- rv = CERT_VerifySignedData(&newCrl->signatureWrap, caCert,
- PR_Now(), wincx);
- if (rv != SECSuccess) {
- if (type == SEC_CRL_TYPE) {
- PORT_SetError(SEC_ERROR_CRL_BAD_SIGNATURE);
- } else {
- PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
- }
- break;
- }
- }
-
- crl = crl_storeCRL(slot, url, newCrl, derCRL, type);
-
- } while (0);
-
- if (crl == NULL) {
- SEC_DestroyCrl (newCrl);
- }
- if (caCert) {
- CERT_DestroyCertificate(caCert);
- }
- return (crl);
-}
« no previous file with comments | « nss/lib/pk11wrap/pk11merge.c ('k') | nss/lib/pk11wrap/pk11obj.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698