summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorrelyea%netscape.com <devnull@localhost>2001-10-24 00:58:11 +0000
committerrelyea%netscape.com <devnull@localhost>2001-10-24 00:58:11 +0000
commit3cc767ca1b0716c445b67a36824c77c47b10d7d1 (patch)
tree44817c42667ec86eae2524c4a985768eafbdf967
parent9427e48f230b10672add4fbd88ccccc2c51eecff (diff)
downloadnss-hg-3cc767ca1b0716c445b67a36824c77c47b10d7d1.tar.gz
Get trust flags working
Diffstat
-rw-r--r--security/nss/lib/softoken/pkcs11.c8
-rw-r--r--security/nss/lib/softoken/pkcs11u.c67
2 files changed, 63 insertions, 12 deletions
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 4105b552f..76960cfce 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -608,6 +608,9 @@ pk11_handleCertObject(PK11Session *session,PK11Object *object)
NSSLOWCERTCertTrust *trust = NULL;
NSSLOWCERTCertTrust userTrust =
{ CERTDB_USER, CERTDB_USER, CERTDB_USER };
+ NSSLOWCERTCertTrust defTrust =
+ { CERTDB_TRUSTED_UNKNOWN,
+ CERTDB_TRUSTED_UNKNOWN, CERTDB_TRUSTED_UNKNOWN };
SECStatus rv;
if (slot->certDB == NULL) {
@@ -629,6 +632,7 @@ pk11_handleCertObject(PK11Session *session,PK11Object *object)
trust = &userTrust;
}
if (!nsslowcert_CertDBKeyConflict(&derCert,slot->certDB)) {
+ if (!trust) trust = &defTrust;
rv = nsslowcert_AddPermCert(cert,label, trust);
} else {
rv = trust ? nsslowcert_ChangeCertTrust(slot->certDB,cert,trust) :
@@ -3244,10 +3248,10 @@ pk11_searchTokenList(PK11Slot *slot, PK11SearchResults *search,
classFlags &= NSC_CERT;
break;
case CKO_NETSCAPE_TRUST:
- classFlags &= NSC_CERT;
+ classFlags &= NSC_TRUST;
break;
case CKO_NETSCAPE_CRL:
- classFlags &= NSC_CERT;
+ classFlags &= NSC_CRL;
break;
case CKO_PRIVATE_KEY:
classFlags &= NSC_PRIVATE;
diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c
index 693bd29f8..1abdbe131 100644
--- a/security/nss/lib/softoken/pkcs11u.c
+++ b/security/nss/lib/softoken/pkcs11u.c
@@ -239,13 +239,14 @@ pk11_DestroyAttribute(PK11Attribute *attribute)
PORT_Assert(attribute->refCount == 0);
PK11_USE_THREADS(PZ_DestroyLock(attribute->refLock);)
#endif
- if (attribute->attrib.pValue) {
- /* clear out the data in the attribute value... it may have been
- * sensitive data */
- PORT_Memset(attribute->attrib.pValue,0,attribute->attrib.ulValueLen);
- }
if (attribute->freeData) {
- PORT_Free(attribute->attrib.pValue);
+ if (attribute->attrib.pValue) {
+ /* clear out the data in the attribute value... it may have been
+ * sensitive data */
+ PORT_Memset(attribute->attrib.pValue, 0,
+ attribute->attrib.ulValueLen);
+ }
+ PORT_Free(attribute->attrib.pValue);
}
PORT_Free(attribute);
}
@@ -290,6 +291,28 @@ static const PK11Attribute pk11_StaticFalseAttr =
PK11_DEF_ATTRIBUTE(&pk11_staticFalseValue,sizeof(pk11_staticFalseValue));
static const PK11Attribute pk11_StaticNullAttr = PK11_DEF_ATTRIBUTE(NULL,0);
+
+CK_TRUST pk11_staticTrustedValue = CKT_NETSCAPE_TRUSTED;
+CK_TRUST pk11_staticTrustedDelegatorValue = CKT_NETSCAPE_TRUSTED_DELEGATOR;
+CK_TRUST pk11_staticUnTrustedValue = CKT_NETSCAPE_UNTRUSTED;
+CK_TRUST pk11_staticTrustUnknownValue = CKT_NETSCAPE_TRUST_UNKNOWN;
+CK_TRUST pk11_staticMustVerifyValue = CKT_NETSCAPE_MUST_VERIFY;
+static const PK11Attribute pk11_StaticTrustedAttr =
+ PK11_DEF_ATTRIBUTE(&pk11_staticTrustedValue,
+ sizeof(pk11_staticTrustedValue));
+static const PK11Attribute pk11_StaticTrustedDelegatorAttr =
+ PK11_DEF_ATTRIBUTE(&pk11_staticTrustedDelegatorValue,
+ sizeof(pk11_staticTrustedDelegatorValue));
+static const PK11Attribute pk11_StaticUnTrustedAttr =
+ PK11_DEF_ATTRIBUTE(&pk11_staticUnTrustedValue,
+ sizeof(pk11_staticUnTrustedValue));
+static const PK11Attribute pk11_StaticTrustUnknownAttr =
+ PK11_DEF_ATTRIBUTE(&pk11_staticTrustUnknownValue,
+ sizeof(pk11_staticTrustUnknownValue));
+static const PK11Attribute pk11_StaticMustVerifyAttr =
+ PK11_DEF_ATTRIBUTE(&pk11_staticMustVerifyValue,
+ sizeof(pk11_staticMustVerifyValue));
+
SECItem *
pk11_getCrl(PK11TokenObject *object)
{
@@ -734,6 +757,7 @@ pk11_FindTrustAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type)
unsigned char hash[SHA1_LENGTH];
SECItem *item;
PK11Attribute *attr;
+ unsigned int trustFlags;
switch (type) {
case CKA_PRIVATE:
@@ -763,11 +787,32 @@ pk11_FindTrustAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type)
attr = pk11_NewTokenAttribute(type, item->data, item->len, PR_TRUE);
SECITEM_FreeItem(item,PR_TRUE);
return attr;
- case CKA_TRUST_SERVER_AUTH:
case CKA_TRUST_CLIENT_AUTH:
+ trustFlags = cert->trust->sslFlags & CERTDB_TRUSTED_CLIENT_CA ?
+ cert->trust->sslFlags | CERTDB_TRUSTED_CA : 0 ;
+ goto trust;
+ case CKA_TRUST_SERVER_AUTH:
+ trustFlags = cert->trust->sslFlags;
+ goto trust;
case CKA_TRUST_EMAIL_PROTECTION:
+ trustFlags = cert->trust->emailFlags;
+ goto trust;
case CKA_TRUST_CODE_SIGNING:
- /* XXXXXX */
+ trustFlags = cert->trust->objectSigningFlags;
+trust:
+ if (trustFlags & CERTDB_TRUSTED_CA ) {
+ return (PK11Attribute *)&pk11_StaticTrustedDelegatorAttr;
+ }
+ if (trustFlags & CERTDB_TRUSTED) {
+ return (PK11Attribute *)&pk11_StaticTrustedAttr;
+ }
+ if (trustFlags & CERTDB_NOT_TRUSTED) {
+ return (PK11Attribute *)&pk11_StaticUnTrustedAttr;
+ }
+ if (trustFlags & CERTDB_TRUSTED_UNKNOWN) {
+ return (PK11Attribute *)&pk11_StaticTrustUnknownAttr;
+ }
+ return (PK11Attribute *)&pk11_StaticMustVerifyAttr;
default:
break;
}
@@ -2148,8 +2193,9 @@ pk11_mkHandle(PK11Slot *slot, SECItem *dbKey, CK_OBJECT_HANDLE class)
SECItem *key;
SHA1_HashBuf(hashBuf,dbKey->data,dbKey->len);
- handle = PK11_TOKEN_MASK | class | (hashBuf[0] << 24) | hashBuf[1] << 16
- | hashBuf[2] << 8 ;
+ handle = (hashBuf[0] << 24) | (hashBuf[1] << 16) |
+ (hashBuf[2] << 8) | hashBuf[3];
+ handle = PK11_TOKEN_MASK | class | (handle & ~PK11_TOKEN_TYPE_MASK);
pk11_tokenKeyLock(slot);
while (key = pk11_lookupTokenKeyByHandle(slot,handle)) {
@@ -2161,6 +2207,7 @@ pk11_mkHandle(PK11Slot *slot, SECItem *dbKey, CK_OBJECT_HANDLE class)
}
pk11_addTokenKeyByHandle(slot,handle,dbKey);
pk11_tokenKeyUnlock(slot);
+ return handle;
}
void
View Lorry Controller Status