authornicolson%netscape.com <devnull@localhost>2001-06-12 20:57:20 +0000
committernicolson%netscape.com <devnull@localhost>2001-06-12 20:57:20 +0000
commitdf4ed6a694c7a10a0a07d38d3ce6ed51b4a08b6c (patch)
tree72d12614963c992350a7c44e7f8fa4b166e7d93c
parent7aa9d098c83a1fe90b888b6f598dc8e44b1a588a (diff)
downloadnss-hg-df4ed6a694c7a10a0a07d38d3ce6ed51b4a08b6c.tar.gz
Changes for NSS/JSS integration.
-rw-r--r--security/nss/lib/certdb/pcertdb.c4
-rw-r--r--security/nss/lib/nss/nss.def12
-rw-r--r--security/nss/lib/nss/nss.h7
-rw-r--r--security/nss/lib/nss/nssinit.c10
-rw-r--r--security/nss/lib/pk11wrap/pk11cert.c63
-rw-r--r--security/nss/lib/pk11wrap/pk11func.h9
-rw-r--r--security/nss/lib/pk11wrap/pk11skey.c75
-rw-r--r--security/nss/lib/pk11wrap/secmodt.h3
-rw-r--r--security/nss/lib/smime/smime.def3
9 files changed, 169 insertions, 17 deletions
diff --git a/security/nss/lib/certdb/pcertdb.c b/security/nss/lib/certdb/pcertdb.c
index f4f6d3483..8dcedb410 100644
--- a/security/nss/lib/certdb/pcertdb.c
+++ b/security/nss/lib/certdb/pcertdb.c
@@ -7196,10 +7196,6 @@ CERT_SaveImportedCert(CERTCertificate *cert, SECCertUsage usage,
break;
}
- if ( (trust.sslFlags | trust.emailFlags | trust.objectSigningFlags) == 0 ){
- saveit = PR_FALSE;
- }
-
if ( saveit ) {
if ( cert->isperm ) {
/* Cert already in the DB. Just adjust flags */
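Review bot: Dropping the zero-trust guard means CERT_SaveImportedCert now persists certificates that carry no trust flags at all, and nothing in the hunk records that this is deliberate. If the intent is to let the integration layer import certificates first and assign trust later, a comment above `if ( saveit ) {` such as `/* certs with no trust flags are still saved; trust may be set afterwards */` would stop a later reader from reinstating the check as an apparent omission. `saveit` is now decided entirely by the switch above, which lies outside the hunk, as does the remainder of CERT_SaveImportedCert.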
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 631391ca2..6ecbc3db9 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -95,6 +95,7 @@ DER_GeneralizedTimeToTime;
NSS_Init;
NSS_Initialize;
NSS_InitReadWrite;
+NSS_IsInitialized;
NSS_NoDB_Init;
NSS_Shutdown;
NSS_VersionCheck;
@@ -113,6 +114,7 @@ PK11_DigestOp;
PK11_DigestFinal;
PK11_DoesMechanism;
PK11_FindCertFromNickname;
+PK11_FindCertsFromNickname;
PK11_FindCertFromDERCert;
PK11_FindCertByIssuerAndSN;
PK11_FindKeyByAnyCert;
@@ -307,6 +309,7 @@ PK11_GetKeyStrength;
PK11_ImportCertForKeyToSlot;
PK11_ImportEncryptedPrivateKeyInfo;
PK11_ImportPrivateKeyInfo;
+PK11_ImportDERPrivateKeyInfo;
PK11_MapPBEMechanismToCryptoMechanism;
PK11_PBEKeyGen;
PK11_ParamFromAlgid;
@@ -477,6 +480,10 @@ PBE_CreateContext;
PBE_DestroyContext;
PBE_GenerateBits;
PK11_CheckSSOPassword;
+PK11_CopySymKeyForSigning;
+PK11_DeleteTokenCertAndKey;
+PK11_DEREncodePublicKey;
+PK11_FindKeyByKeyID;
PK11_GetIVLength;
PK11_GetKeyData;
PK11_GetKeyType;
@@ -486,6 +493,7 @@ PK11_ImportCertForKey;
PK11_ImportDERCertForKey;
PK11_IsLoggedIn;
PK11_KeyForDERCertExists;
+PK11_KeyForCertExists;
PK11_Logout;
PK11_NeedPWInit;
PK11_MakeIDFromPubKey;
@@ -510,6 +518,9 @@ PK11_ReferenceSlot;
PK11_GetSlotPWValues;
PK11_ImportSymKey;
PK11_ExtractKeyValue;
+PK11_TraversePrivateKeysInSlot;
+PK11_TraverseCertsInSlot;
+SEC_CertNicknameConflict;
SECMOD_DeleteInternalModule;
SECMOD_DestroyModule;
SECMOD_GetDefaultModuleList;
@@ -521,6 +532,7 @@ SECMOD_ReleaseReadLock;
SECKEY_GetPrivateKeyType;
SECKEY_EncodeDERSubjectPublicKeyInfo;
SECKEY_ExtractPublicKey;
+SECKEY_HashPassword;
SEC_PKCS5GetIV;
VFY_EndWithSignature;
;+ local:
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
index 51d4ae895..14c68974c 100644
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -131,6 +131,13 @@ SECStatus NSS_NoDB_Init(const char *configdir);
*/
extern void NSS_Shutdown(void);
+/*
+ * Returns PR_TRUE if NSS has already been successfully initialized,
+ * PR_FALSE otherwise.
+ */
+PRBool NSS_IsInitialized();
+
+
SEC_END_PROTOS
#endif /* __nss_h_ */
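Review bot: `PRBool NSS_IsInitialized();` declares a function with an unspecified parameter list rather than a prototype; in C the header should read `PRBool NSS_IsInitialized(void);` so that calls with stray arguments are rejected at compile time, and the definition in nssinit.c (the `NSS_IsInitialized()` hunk) should be written the same way. The comment promises PR_TRUE when NSS "has already been successfully initialized", but this diff only ever sets the flag and does not touch NSS_Shutdown, so the comment should say what the value means after a shutdown, or the shutdown path should clear it. The two blank lines before `SEC_END_PROTOS` are more than the surrounding declarations use.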
diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
index 2a51d7463..2cd4988a0 100644
--- a/security/nss/lib/nss/nssinit.c
+++ b/security/nss/lib/nss/nssinit.c
@@ -180,6 +180,8 @@ nss_OpenSecModDB(const char * configdir,const char *dbname)
static CERTCertDBHandle certhandle = { 0 };
+static PRBool isInitialized = PR_FALSE;
+
static SECStatus
nss_OpenVolatileCertDB() {
SECStatus rv = SECSuccess;
@@ -280,7 +282,7 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
}
}
rv = SECSuccess;
-
+ isInitialized = PR_TRUE;
loser:
if (rv != SECSuccess)
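Review bot: `isInitialized = PR_TRUE;` is set on the success path but nothing in this diff ever clears it: NSS_Shutdown is unchanged, so after an init/shutdown cycle NSS_IsInitialized() keeps answering PR_TRUE and a caller relying on it to decide whether to (re)initialize will skip a needed init. Adding `isInitialized = PR_FALSE;` to NSS_Shutdown (outside this diff) would keep the flag truthful. The flag is a plain static PRBool written with no lock in sight; if nss_Init can be entered from more than one thread that is a data race, which is worth confirming against whatever serialises initialization. nss_Init begins and ends outside the hunk.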
@@ -302,6 +304,12 @@ NSS_InitReadWrite(const char *configdir)
PR_FALSE, PR_FALSE, PR_FALSE);
}
+PRBool
+NSS_IsInitialized()
+{
+ return isInitialized;
+}
+
/*
* OK there are now lots of options here, lets go through them all:
*
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
index e6774cac9..5aa8ed37e 100644
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -842,7 +842,7 @@ typedef struct pk11TraverseSlotStr {
void *callbackArg;
CK_ATTRIBUTE *findTemplate;
int templateCount;
-} pk11TraverseSlotCert;
+} pk11TraverseSlot;
/*
* Extract all the certs on a card from a slot.
@@ -854,7 +854,7 @@ PK11_TraverseSlot(PK11SlotInfo *slot, void *arg)
CK_OBJECT_HANDLE *objID = NULL;
int object_count = 0;
CK_ULONG returned_count = 0;
- pk11TraverseSlotCert *slotcb = (pk11TraverseSlotCert *) arg;
+ pk11TraverseSlot *slotcb = (pk11TraverseSlot*) arg;
objID = pk11_FindObjectsByTemplate(slot,slotcb->findTemplate,
slotcb->templateCount,&object_count);
@@ -982,7 +982,7 @@ pk11_UpdateSlotPQG(PK11SlotInfo *slot)
static SECStatus
pk11_ExtractCertsFromSlot(PK11SlotInfo *slot, void *arg)
{
- pk11TraverseSlotCert *slotcb = (pk11TraverseSlotCert *) arg;
+ pk11TraverseSlot *slotcb = (pk11TraverseSlot*) arg;
int object_count;
SECStatus rv;
@@ -1023,7 +1023,7 @@ PK11_ReadSlotCerts(PK11SlotInfo *slot)
/* build slot list */
pk11CertCallback caller;
pk11DoCertCallback saver;
- pk11TraverseSlotCert creater;
+ pk11TraverseSlot creater;
CK_ATTRIBUTE theTemplate;
CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
@@ -1083,7 +1083,7 @@ PK11_TraverseSlotCerts(SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
void *arg, void *wincx) {
pk11CertCallback caller;
pk11DoCertCallback saver;
- pk11TraverseSlotCert creater;
+ pk11TraverseSlot creater;
CK_ATTRIBUTE theTemplate;
CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
@@ -1103,6 +1103,48 @@ PK11_TraverseSlotCerts(SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
&creater, wincx);
}
+/***********************************************************************
+ * PK11_TraversePrivateKeysInSlot
+ *
+ * Traverses all the private keys on a slot.
+ *
+ * INPUTS
+ * slot
+ * The PKCS #11 slot whose private keys you want to traverse.
+ * callback
+ * A callback function that will be called for each key.
+ * arg
+ * An argument that will be passed to the callback function.
+ */
+SECStatus
+PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot,
+ SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg)
+{
+ pk11KeyCallback perKeyCB;
+ pk11TraverseSlot perObjectCB;
+ CK_OBJECT_CLASS privkClass = CKO_PRIVATE_KEY;
+ CK_ATTRIBUTE theTemplate[1];
+ int templateSize = 1;
+
+ theTemplate[0].type = CKA_CLASS;
+ theTemplate[0].pValue = &privkClass;
+ theTemplate[0].ulValueLen = sizeof(privkClass);
+
+ if(slot==NULL) {
+ return SECSuccess;
+ }
+
+ perObjectCB.callback = pk11_DoKeys;
+ perObjectCB.callbackArg = &perKeyCB;
+ perObjectCB.findTemplate = theTemplate;
+ perObjectCB.templateCount = templateSize;
+ perKeyCB.callback = callback;
+ perKeyCB.callbackArg = arg;
+ perKeyCB.wincx = NULL;
+
+ return PK11_TraverseSlot(slot, &perObjectCB);
+}
+
CK_OBJECT_HANDLE *
PK11_FindObjectsFromNickname(char *nickname,PK11SlotInfo **slotptr,
CK_OBJECT_CLASS objclass, int *returnCount, void *wincx) {
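Review bot: The header comment lists the inputs but not the return value, and the `if(slot==NULL)` guard returns SECSuccess without visiting anything, so a caller that passes a bad slot cannot tell "no keys" from "no slot"; either document that (`RETURNS: SECSuccess when slot is NULL or the traversal completes; otherwise the status PK11_TraverseSlot reports` — hedged, since what PK11_TraverseSlot propagates from the callback is not shown) or return SECFailure with an error set. `perKeyCB.wincx = NULL;` means the traversal carries no password-callback context, so if pk11_DoKeys needs one to authenticate to the token, private keys on a logged-out slot will be skipped or fail without any diagnostic; a `void *wincx` parameter would mirror PK11_TraverseSlotCerts' signature. Minor: the template is filled in before the NULL check, so moving the guard to the top of the body is both cheaper and clearer.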
@@ -2117,7 +2159,7 @@ PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, PK11SlotInfo *slot,
SECStatus(* callback)(CERTCertificate*, void *), void *arg)
{
pk11DoCertCallback caller;
- pk11TraverseSlotCert callarg;
+ pk11TraverseSlot callarg;
CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
CK_ATTRIBUTE theTemplate[] = {
{ CKA_CLASS, NULL, 0 },
@@ -2148,7 +2190,7 @@ PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot,
SECStatus(* callback)(CERTCertificate*, void *), void *arg)
{
pk11DoCertCallback caller;
- pk11TraverseSlotCert callarg;
+ pk11TraverseSlot callarg;
CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
CK_ATTRIBUTE theTemplate[] = {
{ CKA_CLASS, NULL, 0 },
@@ -2184,7 +2226,7 @@ PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
SECStatus(* callback)(CERTCertificate*, void *), void *arg)
{
pk11DoCertCallback caller;
- pk11TraverseSlotCert callarg;
+ pk11TraverseSlot callarg;
CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
CK_ATTRIBUTE theTemplate[] = {
{ CKA_CLASS, NULL, 0 },
@@ -2649,6 +2691,11 @@ pk11ListCertCallback(CERTCertificate *cert, SECItem *derCert, void *arg)
return SECSuccess;
}
+ /* if we want CA certs and it ain't one, skip it */
+ if( type == PK11CertListCA && (!isCACert(newCert)) ) {
+ CERT_DestroyCertificate(newCert);
+ return SECSuccess;
+ }
/* put slot certs at the end */
if (newCert->slot && !PK11_IsInternal(newCert->slot)) {
diff --git a/security/nss/lib/pk11wrap/pk11func.h b/security/nss/lib/pk11wrap/pk11func.h
index 289db9207..e67246252 100644
--- a/security/nss/lib/pk11wrap/pk11func.h
+++ b/security/nss/lib/pk11wrap/pk11func.h
@@ -301,6 +301,10 @@ SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot,
SECKEYPrivateKeyInfo *pki, SECItem *nickname,
SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
unsigned int usage, void *wincx);
+SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot,
+ SECItem *derPKI, SECItem *nickname,
+ SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
+ unsigned int usage, void *wincx);
SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,
@@ -329,6 +333,9 @@ PK11SymKey * pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
SECItem *PK11_GetKeyIDFromCert(CERTCertificate *cert, void *wincx);
SECItem * PK11_GetKeyIDFromPrivateKey(SECKEYPrivateKey *key, void *wincx);
+SECItem* PK11_DEREncodePublicKey(SECKEYPublicKey *pubk);
+PK11SymKey* PK11_CopySymKeyForSigning(PK11SymKey *originalKey,
+ CK_MECHANISM_TYPE mech);
/**********************************************************************
* Certs
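Review bot: Neither new declaration states who owns what it returns: `PK11_DEREncodePublicKey` hands back a freshly allocated SECItem and `PK11_CopySymKeyForSigning` a new PK11SymKey, so the header should carry `/* caller frees with SECITEM_FreeItem(item, PR_TRUE); NULL on failure */` and `/* caller frees with PK11_FreeSymKey; NULL on failure */` respectively. The `SECItem*` and `PK11SymKey*` spacing differs from the neighbouring `SECItem *PK11_GetKeyIDFromCert` style. In the hunk above, the prototype for PK11_ImportDERPrivateKeyInfo names its penultimate parameter `usage` while the definition in pk11skey.c calls it `keyUsage`; the two should agree.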
@@ -338,6 +345,8 @@ CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey);
SECStatus PK11_TraverseSlotCerts(
SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
void *arg, void *wincx);
+SECStatus PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot,
+ SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg);
CERTCertificate * PK11_FindCertFromNickname(char *nickname, void *wincx);
CERTCertList * PK11_FindCertsFromNickname(char *nickname, void *wincx);
SECKEYPrivateKey * PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
index 6c54beeb7..618dce8dd 100644
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -4244,6 +4244,37 @@ done:
return rv;
}
+SECStatus
+PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, SECItem *derPKI,
+ SECItem *nickname, SECItem *publicValue, PRBool isPerm,
+ PRBool isPrivate, unsigned int keyUsage, void *wincx)
+{
+ SECKEYPrivateKeyInfo *pki = NULL;
+ PRArenaPool *temparena = NULL;
+ SECStatus rv = SECFailure;
+
+ temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ pki = PORT_ZNew(SECKEYPrivateKeyInfo);
+
+ rv = SEC_ASN1DecodeItem(temparena, pki, SECKEY_PrivateKeyInfoTemplate,
+ derPKI);
+ if( rv != SECSuccess ) {
+ goto finish;
+ }
+
+ rv = PK11_ImportPrivateKeyInfo(slot, pki, nickname, publicValue,
+ isPerm, isPrivate, keyUsage, wincx);
+
+finish:
+ if( pki != NULL ) {
+ SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/);
+ }
+ if( temparena != NULL ) {
+ PORT_FreeArena(temparena, PR_TRUE);
+ }
+ return rv;
+}
+
/*
* import a private key info into the desired slot
*/
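Review bot: Both allocations feed SEC_ASN1DecodeItem unchecked: if `PORT_NewArena` or `PORT_ZNew` returns NULL the decoder dereferences it. The cleanup also mixes two owners of the same memory — the decoded members are arena-allocated in `temparena`, yet `pki` itself is heap-allocated and destroyed with `SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE)` before the arena is freed; unless that destroy tolerates arena-backed members when `pki->arena` is unset (not shown here), the private-key item is released twice. Allocating `pki` inside the arena and letting the single zeroing `PORT_FreeArena` wipe and release everything gives one owner and also guarantees the decoded key material is scrubbed.
```c
    temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (temparena == NULL) {
        goto finish;
    }
    pki = PORT_ArenaZNew(temparena, SECKEYPrivateKeyInfo);
    if (pki == NULL) {
        goto finish;
    }
    /* … unchanged: SEC_ASN1DecodeItem and PK11_ImportPrivateKeyInfo calls … */
finish:
    /* pki and every decoded member live in temparena; the zeroing free
     * wipes the decoded private key material before releasing it */
    if (temparena != NULL) {
        PORT_FreeArena(temparena, PR_TRUE);
    }
    return rv;
```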
@@ -4293,9 +4324,6 @@ PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, SECKEYPrivateKeyInfo *pki,
keyType = CKK_RSA;
break;
case SEC_OID_ANSIX9_DSA_SIGNATURE:
- if(!publicValue) {
- goto loser;
- }
keyTemplate = SECKEY_DSAPrivateKeyExportTemplate;
paramTemplate = SECKEY_PQGParamsTemplate;
paramDest = &(lpk->u.dsa.params);
@@ -4395,6 +4423,17 @@ PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, SECKEYPrivateKeyInfo *pki,
* our database, we need to pass in the public key value for
* this dsa key. We have a netscape only CKA_ value to do this.
* Only send it to internal slots */
+ if( publicValue == NULL ) {
+ /*
+ * Try to extract the public value out of the private key.
+ * This might not work, since the public value is not
+ * required to be in the private key.
+ */
+ publicValue = &lpk->u.dsa.publicValue;
+ if( publicValue->data == NULL || publicValue->len == 0) {
+ goto loser;
+ }
+ }
if (PK11_IsInternal(slot)) {
PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
publicValue->data, publicValue->len); attrs++;
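Review bot: The fallback `publicValue = &lpk->u.dsa.publicValue;` only takes effect here, whereas the `if(!publicValue) goto loser;` removed in the switch hunk above used to fail before any DSA-specific work ran; any statement between the switch and this point that dereferences `publicValue` on the DSA path now sees NULL, and that stretch of the function is not in the diff, so it needs checking. The `goto loser` for an empty public value sets no error code that the hunk shows; if the loser path does not set one either, a `PORT_SetError(SEC_ERROR_BAD_KEY);` before the jump would let callers report why a DSA import was refused. Reassigning the parameter is also easy to misread; a local such as `SECItem *pubVal = publicValue ? publicValue : &lpk->u.dsa.publicValue;` keeps the caller's argument distinct from the extracted fallback.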
@@ -4900,3 +4939,33 @@ PK11_SetFortezzaHack(PK11SymKey *symKey) {
symKey->origin = PK11_OriginFortezzaHack;
}
+SECItem*
+PK11_DEREncodePublicKey(SECKEYPublicKey *pubk)
+{
+ CERTSubjectPublicKeyInfo *spki=NULL;
+ SECItem *spkiDER = NULL;
+
+ if( pubk == NULL ) {
+ return NULL;
+ }
+
+ /* get the subjectpublickeyinfo */
+ spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);
+ if( spki == NULL ) {
+ goto finish;
+ }
+
+ /* DER-encode the subjectpublickeyinfo */
+ spkiDER = SEC_ASN1EncodeItem(NULL /*arena*/, NULL/*dest*/, spki,
+ CERT_SubjectPublicKeyInfoTemplate);
+
+finish:
+ return spkiDER;
+}
+
+PK11SymKey*
+PK11_CopySymKeyForSigning(PK11SymKey *originalKey, CK_MECHANISM_TYPE mech)
+{
+ return pk11_CopyToSlot(PK11_GetSlotFromKey(originalKey), mech, CKA_SIGN,
+ originalKey);
+}
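Review bot: PK11_DEREncodePublicKey leaks `spki`: SECKEY_CreateSubjectPublicKeyInfo allocates it, the encoder only copies from it, and nothing releases it on either path — `SECKEY_DestroySubjectPublicKeyInfo(spki);` belongs after the encode (it is NULL-safe enough to sit under the `finish:` label guarded by `if( spki != NULL )`). The function should also document that the returned SECItem is owned by the caller and is NULL on failure. In PK11_CopySymKeyForSigning, if PK11_GetSlotFromKey returns a referenced slot (its contract is not shown here), that reference is never dropped; storing it in a local and releasing it after the copy would avoid a slot-reference leak per call.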
diff --git a/security/nss/lib/pk11wrap/secmodt.h b/security/nss/lib/pk11wrap/secmodt.h
index b2d401e24..1996001e8 100644
--- a/security/nss/lib/pk11wrap/secmodt.h
+++ b/security/nss/lib/pk11wrap/secmodt.h
@@ -99,7 +99,8 @@ struct PK11RSAGenParamsStr {
typedef enum {
PK11CertListUnique = 0,
PK11CertListUser = 1,
- PK11CertListRootUnique = 2
+ PK11CertListRootUnique = 2,
+ PK11CertListCA = 3
} PK11CertListType;
/*
diff --git a/security/nss/lib/smime/smime.def b/security/nss/lib/smime/smime.def
index 31bf8d4ae..ddcdc87a2 100644
--- a/security/nss/lib/smime/smime.def
+++ b/security/nss/lib/smime/smime.def
@@ -128,9 +128,11 @@ NSS_CMSSignerInfo_IncludeCerts;
NSS_CMSUtil_VerificationStatusToString;
NSS_SMIMEUtil_FindBulkAlgForRecipients;
CERT_DecodeCertPackage;
+SEC_PKCS7AddCertificate;
SEC_PKCS7AddRecipient;
SEC_PKCS7AddSigningTime;
SEC_PKCS7ContentType;
+SEC_PKCS7CreateCertsOnly;
SEC_PKCS7CreateData;
SEC_PKCS7CreateEncryptedData;
SEC_PKCS7CreateEnvelopedData;
@@ -141,6 +143,7 @@ SEC_PKCS7DecoderStart;
SEC_PKCS7DecoderUpdate;
SEC_PKCS7DecryptContents;
SEC_PKCS7DestroyContentInfo;
+SEC_PKCS7Encode;
SEC_PKCS7EncoderFinish;
SEC_PKCS7EncoderStart;
SEC_PKCS7EncoderUpdate;