authorjpierre%netscape.com <devnull@localhost>2002-10-03 03:35:32 +0000
committerjpierre%netscape.com <devnull@localhost>2002-10-03 03:35:32 +0000
commit27fa38aa49ae741e83d496db32b3913484671769 (patch)
tree1853c7996be70af4c72704bcaaf27b9a054ab1ee
parentee63ec0ba81c186c2020a0395d00ad326c903316 (diff)
Fix for 164744 - implement new functions for pk12util. r=wtc
-rw-r--r--security/nss/cmd/pk12util/pk12util.c59
-rw-r--r--security/nss/lib/certdb/cert.h11
-rw-r--r--security/nss/lib/certdb/certdb.c39
-rw-r--r--security/nss/lib/certdb/certt.h1
-rw-r--r--security/nss/lib/certhigh/certhigh.c30
-rw-r--r--security/nss/lib/nss/nss.def2
6 files changed, 66 insertions, 76 deletions
diff --git a/security/nss/cmd/pk12util/pk12util.c b/security/nss/cmd/pk12util/pk12util.c
index ddeaa1a7c..d0ba98ee8 100644
--- a/security/nss/cmd/pk12util/pk12util.c
+++ b/security/nss/cmd/pk12util/pk12util.c
@@ -552,38 +552,6 @@ p12u_WriteToExportFile(void *arg, const char *buf, unsigned long len)
}
}
-static SECStatus
-cert_UserCertsOnly(CERTCertList *certList)
-{
- CERTCertListNode *node, *freenode;
- CERTCertificate *cert;
- PRUint32 numusercerts = 0;
-
- node = CERT_LIST_HEAD(certList);
-
- while ( ! CERT_LIST_END(node, certList) ) {
- cert = node->cert;
- if ( !( cert->trust->sslFlags & CERTDB_USER ) &&
- !( cert->trust->emailFlags & CERTDB_USER ) &&
- !( cert->trust->objectSigningFlags & CERTDB_USER ) ) {
- /* Not a User Cert, so remove this cert from the list */
- freenode = node;
- node = CERT_LIST_NEXT(node);
- CERT_RemoveCertListNode(freenode);
- } else {
- /* Is a User cert, so leave it in the list */
- node = CERT_LIST_NEXT(node);
- numusercerts ++;
- }
- }
-
- if (numusercerts) {
- return(SECSuccess);
- } else {
- return(SECFailure);
- }
-}
-
void
P12U_ExportPKCS12Object(char *nn, char *outfile, PK11SlotInfo *inSlot,
secuPWData *slotPw, secuPWData *p12FilePw)
@@ -609,10 +577,11 @@ P12U_ExportPKCS12Object(char *nn, char *outfile, PK11SlotInfo *inSlot,
return;
}
- if (SECSuccess != cert_UserCertsOnly(certlist)) {
- SECU_PrintError(progName,"find user certs from nickname failed");
+ if ((SECSuccess != CERT_FilterCertListForUserCerts(certlist)) ||
+ CERT_LIST_EMPTY(certlist)) {
+ SECU_PrintError(progName,"no user certs from given nickname");
pk12uErrno = PK12UERR_FINDCERTBYNN;
- return;
+ goto loser;
}
/* Password to use for PKCS12 file. */
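Review bot: The new `goto loser` in the filter check is the first path that reaches the cleanup label before the export context is created, and that label (fourth hunk of this file) calls `SEC_PKCS12DestroyExportContext(p12ecx)` unconditionally; the code it replaces returned directly here, presumably for that reason. This is only safe if p12ecx is initialised to NULL at its declaration and the destroy routine tolerates a NULL context, neither of which is visible here; if either is not the case, guard it with `if (p12ecx) SEC_PKCS12DestroyExportContext(p12ecx);` in the loser block. The enclosing function P12U_ExportPKCS12Object starts before this hunk and its declarations are not in view.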
@@ -689,10 +658,11 @@ P12U_ExportPKCS12Object(char *nn, char *outfile, PK11SlotInfo *inSlot,
pk12uErrno = PK12UERR_ADDCERTKEY;
goto loser;
}
- CERT_DestroyCertificate(cert);
- node->cert = NULL;
}
+ CERT_DestroyCertList(certlist);
+ certlist = NULL;
+
if(SEC_PKCS12Encode(p12ecx, p12u_WriteToExportFile, p12cxt)
!= SECSuccess) {
SECU_PrintError(progName,"PKCS12 encode failed");
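Review bot: Destroying certlist right after the add loop, before SEC_PKCS12Encode, releases every certificate in it, so the encode on the following lines depends on SEC_PKCS12AddCertAndKey (called in the loop above, outside the hunk) having taken its own reference to each cert. The removed per-cert CERT_DestroyCertificate made the same assumption, but now that the whole list is freed in one step the dependency deserves a comment above the destroy: `/* The export context holds its own cert references; the list is no longer needed. */`. Setting certlist to NULL here is what makes the `if (certlist)` guard in the loser block correct when the encode fails.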
@@ -710,17 +680,10 @@ P12U_ExportPKCS12Object(char *nn, char *outfile, PK11SlotInfo *inSlot,
loser:
SEC_PKCS12DestroyExportContext(p12ecx);
- for (node = CERT_LIST_HEAD(certlist);!CERT_LIST_END(node,certlist);node=CERT_LIST_NEXT(node))
- {
- CERTCertificate* cert = node->cert;
- if (!node->cert) {
- continue;
- }
-
- if(cert) {
- CERT_DestroyCertificate(cert);
- }
- }
+ if (certlist) {
+ CERT_DestroyCertList(certlist);
+ certlist = NULL;
+ }
if (slotPw)
PR_Free(slotPw->data);
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
index 46f77b75e..82e6c67e7 100644
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -968,6 +968,11 @@ CERT_DupCertList(CERTCertificateList * oldList);
extern void CERT_DestroyCertificateList(CERTCertificateList *list);
+/* is cert a user cert ? ie. does it have CERTDB_USER trust,
+ ie. a private key
+ */
+PRBool CERT_IsUserCert(CERTCertificate* cert);
+
/* is cert a newer than cert b? */
PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb);
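Review bot: The comment on the new CERT_IsUserCert declaration says CERTDB_USER means "a private key", but the implementation added in certdb.c in this commit only tests the CERTDB_USER bit in the ssl, email and objectSigning trust flags and never looks for a key, so the comment overstates the contract and a reader may rely on it to skip a key lookup. It also dereferences cert->trust, which the comment should say. Suggest `/* Is cert a user cert, i.e. does any of its trust flags carry CERTDB_USER? Requires cert->trust to be non-NULL. */`.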
@@ -1242,6 +1247,12 @@ CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
char **caNames, SECCertUsage usage);
/*
+ * Filter a list of certificates, removing those certs that aren't user certs
+ */
+SECStatus
+CERT_FilterCertListForUserCerts(CERTCertList *certList);
+
+/*
* Collect the nicknames from all certs in a CertList. If the cert is not
* valid, append a string to that nickname.
*
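Review bot: The comment on CERT_FilterCertListForUserCerts should state its return contract, because it differs from the pk12util helper it replaces: per certdb.c in this commit it returns SECFailure only when certList is NULL and SECSuccess even when every cert was removed, so callers have to test CERT_LIST_EMPTY themselves (as pk12util.c now does). Suggest adding a line to the comment: ` * Returns SECFailure only for a NULL list; an empty result is SECSuccess, test it with CERT_LIST_EMPTY.`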
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index f3df9997f..a42b19b4f 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -2603,6 +2603,45 @@ loser:
return(SECFailure);
}
+PRBool CERT_IsUserCert(CERTCertificate* cert)
+{
+ if ( (cert->trust->sslFlags & CERTDB_USER ) ||
+ (cert->trust->emailFlags & CERTDB_USER ) ||
+ (cert->trust->objectSigningFlags & CERTDB_USER ) ) {
+ return PR_TRUE;
+ } else {
+ return PR_FALSE;
+ }
+}
+
+SECStatus
+CERT_FilterCertListForUserCerts(CERTCertList *certList)
+{
+ CERTCertListNode *node, *freenode;
+ CERTCertificate *cert;
+
+ if (!certList) {
+ return SECFailure;
+ }
+
+ node = CERT_LIST_HEAD(certList);
+
+ while ( ! CERT_LIST_END(node, certList) ) {
+ cert = node->cert;
+ if ( PR_TRUE != CERT_IsUserCert(cert) ) {
+ /* Not a User Cert, so remove this cert from the list */
+ freenode = node;
+ node = CERT_LIST_NEXT(node);
+ CERT_RemoveCertListNode(freenode);
+ } else {
+ /* Is a User cert, so leave it in the list */
+ node = CERT_LIST_NEXT(node);
+ }
+ }
+
+ return(SECSuccess);
+}
+
static PZLock *certRefCountLock = NULL;
/*
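Review bot: CERT_IsUserCert dereferences cert->trust in its first condition without a NULL check, and as a newly exported API it will be reachable with certificates that may carry no trust record (cert->trust is presumably NULL for certs not stored in the database); the deleted static helpers had the same gap but were only reached through CERT_CreateSubjectCertList. Add `if (!cert || !cert->trust) { return PR_FALSE; }` before the flag test, which also makes CERT_FilterCertListForUserCerts drop such certs instead of crashing on them. As a point of style, `if (!CERT_IsUserCert(cert))` in the filter loop reads better than `PR_TRUE != CERT_IsUserCert(cert)`.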
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h
index 57f22efa7..3b9e985ee 100644
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -371,6 +371,7 @@ struct CERTCertListStr {
#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
#define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
+#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
struct CERTCrlEntryStr {
SECItem serialNumber;
diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c
index f3ab3a1bf..3b818d370 100644
--- a/security/nss/lib/certhigh/certhigh.c
+++ b/security/nss/lib/certhigh/certhigh.c
@@ -89,32 +89,6 @@ CERT_MatchNickname(char *name1, char *name2) {
return PR_TRUE;
}
-static SECStatus
-cert_UserCertsOnly(CERTCertList *certList)
-{
- CERTCertListNode *node, *freenode;
- CERTCertificate *cert;
-
- node = CERT_LIST_HEAD(certList);
-
- while ( ! CERT_LIST_END(node, certList) ) {
- cert = node->cert;
- if ( !( cert->trust->sslFlags & CERTDB_USER ) &&
- !( cert->trust->emailFlags & CERTDB_USER ) &&
- !( cert->trust->objectSigningFlags & CERTDB_USER ) ) {
- /* Not a User Cert, so remove this cert from the list */
- freenode = node;
- node = CERT_LIST_NEXT(node);
- CERT_RemoveCertListNode(freenode);
- } else {
- /* Is a User cert, so leave it in the list */
- node = CERT_LIST_NEXT(node);
- }
- }
-
- return(SECSuccess);
-}
-
/*
* Find all user certificates that match the given criteria.
*
@@ -181,7 +155,7 @@ CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
certList = CERT_CreateSubjectCertList(certList, handle,
&cert->derSubject, time, validOnly);
- cert_UserCertsOnly(certList);
+ CERT_FilterCertListForUserCerts(certList);
/* drop the extra reference */
CERT_DestroyCertificate(cert);
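Review bot: The return value of CERT_FilterCertListForUserCerts is discarded at the replaced line, and likewise in the next hunk in CERT_FindUserCertByUsage; the new function returns SECFailure exactly when certList is NULL (see certdb.c in this commit), which is presumably what CERT_CreateSubjectCertList yields on failure, so that failure is silently dropped and the code continues with a NULL list. Either check it, e.g. `if (CERT_FilterCertListForUserCerts(certList) != SECSuccess) { /* NULL list: handle as a lookup failure */ }`, or make the intent explicit with `(void) CERT_FilterCertListForUserCerts(certList);` and a comment saying why the result does not matter. The enclosing function starts and ends outside the hunk, so I cannot see which error path it already has.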
@@ -312,7 +286,7 @@ CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
certList = CERT_CreateSubjectCertList(certList, handle,
&cert->derSubject, time, validOnly);
- cert_UserCertsOnly(certList);
+ CERT_FilterCertListForUserCerts(certList);
/* drop the extra reference */
CERT_DestroyCertificate(cert);
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 6d19fcaf9..d4c5d1c91 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -691,8 +691,10 @@ CERT_DecodeOCSPResponse;
CERT_DestroyOCSPCertID;
CERT_DestroyOCSPRequest;
CERT_EncodeOCSPRequest;
+CERT_FilterCertListForUserCerts;
CERT_GetOCSPResponseStatus;
CERT_GetOCSPStatusForCertID;
+CERT_IsUserCert;
CERT_RemoveCertListNode;
CERT_VerifyCACertForUsage;
CERT_VerifyCertificate;