authorkaie%netscape.com <devnull@localhost>2001-09-15 01:18:52 +0000
committerkaie%netscape.com <devnull@localhost>2001-09-15 01:18:52 +0000
commit62edb1aa3a4c115fec257354d5188121ca01d16d (patch)
treef54ebbeb2f7edc8034478ea685d51ca4ab20aa44
parent56d5d290048a6bd60fad2ac8cd54c5e19a566084 (diff)
Merging changes from NSS_CLIENT_TAG into MOZILLA_0_9_4_BRANCH for directory mozilla/security/nss. a=pdt is covered by bug 96018
-rw-r--r--security/nss/cmd/certutil/certutil.c28
-rw-r--r--security/nss/lib/pk11wrap/pk11db.c9
-rw-r--r--security/nss/lib/pk11wrap/pk11kea.c17
-rw-r--r--security/nss/lib/pk11wrap/pk11skey.c2
-rw-r--r--security/nss/lib/pkcs12/p12d.c2
-rw-r--r--security/nss/lib/softoken/keydb.c33
-rw-r--r--security/nss/lib/softoken/pkcs11.c9
-rw-r--r--security/nss/lib/softoken/private.h2
-rw-r--r--security/nss/lib/util/secerr.h2
9 files changed, 76 insertions, 28 deletions
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index 02350a903..286da745e 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -969,6 +969,7 @@ Usage(char *progName)
#define FPS fprintf(stderr,
FPS "Type %s -H for more detailed descriptions\n", progName);
FPS "Usage: %s -N [-d certdir] [-P dbprefix] [-f pwfile]\n", progName);
+ FPS "Usage: %s -T [-d certdir] [-P dbprefix] [-h token-name] [-f pwfile]\n", progName);
FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
progName);
FPS "\t%s -C [-c issuer-name | -x] -i cert-request-file -o cert-file\n"
@@ -1160,6 +1161,16 @@ static void LongUsage(char *progName)
" -P dbprefix");
FPS "\n");
+ FPS "%-15s Reset the Key database or token\n",
+ "-T");
+ FPS "%-20s Cert database directory (default is ~/.netscape)\n",
+ " -d certdir");
+ FPS "%-20s Cert & Key database prefix\n",
+ " -P dbprefix");
+ FPS "%-20s Token to reset (default is internal)\n"
+ " -h token-name");
+ FPS "\n");
+
FPS "%-15s Generate a certificate request (stdout)\n",
"-R");
FPS "%-20s Specify the subject name (using RFC1485)\n",
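Review bot: The added `-h token-name` entry in LongUsage is missing the comma after its format string, so `"%-20s Token to reset (default is internal)\n"` and `" -h token-name"` concatenate into one format that has a `%-20s` conversion and no argument, which is undefined behaviour in `fprintf`. Add the comma: `FPS "%-20s Token to reset (default is internal)\n",`. The help text also does not match the command: the new `-0` option (opt_SSOPass) that the reset reads is described neither here nor in `Usage`, while the `-f pwfile` that `Usage` shows for `-T` has no entry in this block. LongUsage's body continues outside the hunk.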
@@ -2036,6 +2047,7 @@ enum {
cmd_NewDBs,
cmd_CertReq,
cmd_CreateAndAddCert,
+ cmd_TokenReset,
cmd_ListModules,
cmd_CheckCertValidity,
cmd_ChangePassword,
@@ -2044,7 +2056,8 @@ enum {
/* Certutil options */
enum {
- opt_AddKeyUsageExt = 0,
+ opt_SSOPass = 0,
+ opt_AddKeyUsageExt,
opt_AddBasicConstraintExt,
opt_AddAuthorityKeyIDExt,
opt_AddCRLDistPtsExt,
@@ -2094,6 +2107,7 @@ static secuCommandFlag certutil_commands[] =
{ /* cmd_NewDBs */ 'N', PR_FALSE, 0, PR_FALSE },
{ /* cmd_CertReq */ 'R', PR_FALSE, 0, PR_FALSE },
{ /* cmd_CreateAndAddCert */ 'S', PR_FALSE, 0, PR_FALSE },
+ { /* cmd_TokenReset */ 'T', PR_FALSE, 0, PR_FALSE },
{ /* cmd_ListModules */ 'U', PR_FALSE, 0, PR_FALSE },
{ /* cmd_CheckCertValidity */ 'V', PR_FALSE, 0, PR_FALSE },
{ /* cmd_ChangePassword */ 'W', PR_FALSE, 0, PR_FALSE },
@@ -2102,6 +2116,7 @@ static secuCommandFlag certutil_commands[] =
static secuCommandFlag certutil_options[] =
{
+ { /* opt_SSOPass */ '0', PR_TRUE, 0, PR_FALSE },
{ /* opt_AddKeyUsageExt */ '1', PR_FALSE, 0, PR_FALSE },
{ /* opt_AddBasicConstraintExt*/ '2', PR_FALSE, 0, PR_FALSE },
{ /* opt_AddAuthorityKeyIDExt*/ '3', PR_FALSE, 0, PR_FALSE },
@@ -2535,6 +2550,17 @@ main(int argc, char **argv)
rv = SECU_ChangePW(slot, 0, certutil.options[opt_PasswordFile].arg);
return !rv - 1;
}
+ /* Reset the a token */
+ if (certutil.commands[cmd_TokenReset].activated) {
+ char *sso_pass = "";
+
+ if (certutil.options[opt_SSOPass].activated) {
+ sso_pass = certutil.options[opt_SSOPass].arg;
+ }
+ rv = PK11_ResetToken(slot,sso_pass);
+
+ return !rv - 1;
+ }
/* Check cert validity against current time (-V) */
if (certutil.commands[cmd_CheckCertValidity].activated) {
rv = ValidateCert(certHandle, name,
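Review bot: The security-officer password for the reset is read from the `-0` argument in the new `-T` branch, so it sits in argv where process listings and shell history can expose it, and the `-f pwfile` that `Usage` advertises for `-T` is not consulted here. Prefer taking it from `certutil.options[opt_PasswordFile].arg` or an interactive prompt, keeping `-0` only as a documented fallback. The reset is destructive and runs without confirmation, which the comment should state; the comment itself should read `/* Reset a token (-T) */`. `sso_pass` defaults to a string literal, so it should be `const char *` if the prototype of PK11_ResetToken allows it. main() starts and ends outside the hunk.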
diff --git a/security/nss/lib/pk11wrap/pk11db.c b/security/nss/lib/pk11wrap/pk11db.c
index 4e5ab5706..79e704378 100644
--- a/security/nss/lib/pk11wrap/pk11db.c
+++ b/security/nss/lib/pk11wrap/pk11db.c
@@ -109,7 +109,7 @@ SECMODModuleList *SECMOD_NewModuleListElement(void) {
static unsigned long internalFlags = SECMOD_RSA_FLAG|SECMOD_DSA_FLAG|
SECMOD_RC2_FLAG| SECMOD_RC4_FLAG|SECMOD_DES_FLAG|SECMOD_RANDOM_FLAG|
SECMOD_SHA1_FLAG|SECMOD_MD5_FLAG|SECMOD_MD2_FLAG|SECMOD_SSL_FLAG|
- SECMOD_TLS_FLAG|SECMOD_AES_FLAG;
+ SECMOD_TLS_FLAG|SECMOD_AES_FLAG|SECMOD_DH_FLAG;
/* create a Internal module */
SECMODModule *SECMOD_NewInternal(void) {
@@ -118,7 +118,8 @@ SECMODModule *SECMOD_NewInternal(void) {
{ 1, SECMOD_RSA_FLAG|SECMOD_DSA_FLAG|SECMOD_RC2_FLAG|
SECMOD_RC4_FLAG|SECMOD_DES_FLAG|SECMOD_RANDOM_FLAG|
SECMOD_SHA1_FLAG|SECMOD_MD5_FLAG|SECMOD_MD2_FLAG|
- SECMOD_SSL_FLAG|SECMOD_TLS_FLAG|SECMOD_AES_FLAG, -1, 30, 0 };
+ SECMOD_SSL_FLAG|SECMOD_TLS_FLAG|SECMOD_AES_FLAG|SECMOD_DH_FLAG,
+ -1, 30, 0 };
intern = SECMOD_NewModule();
if (intern == NULL) {
@@ -315,9 +316,9 @@ struct secmodSlotDataStr {
};
#define SECMOD_DB_VERSION_MAJOR 0
-#define SECMOD_DB_VERSION_MINOR 4
+#define SECMOD_DB_VERSION_MINOR 5
#define SECMOD_DB_NOUI_VERSION_MAJOR 0
-#define SECMOD_DB_NOUI_VERSION_MINOR 3
+#define SECMOD_DB_NOUI_VERSION_MINOR 4
#define SECMOD_PUTSHORT(dest,src) \
(dest)[1] = (unsigned char) ((src)&0xff); \
diff --git a/security/nss/lib/pk11wrap/pk11kea.c b/security/nss/lib/pk11wrap/pk11kea.c
index 6006f6032..c50b9d8b6 100644
--- a/security/nss/lib/pk11wrap/pk11kea.c
+++ b/security/nss/lib/pk11wrap/pk11kea.c
@@ -99,18 +99,25 @@ pk11_KeyExchange(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
privKeyHandle = PK11_MatchItem(slot,pubKeyHandle,CKO_PRIVATE_KEY);
}
- /* if no key exits, generate a key pair */
+ /* if no key exists, generate a key pair */
if (privKeyHandle == CK_INVALID_KEY) {
- unsigned int keyLength = PK11_GetKeyLength(symKey);
+ unsigned int symKeyLength = PK11_GetKeyLength(symKey);
PK11RSAGenParams rsaParams;
+ if (symKeyLength > 60) /* bytes */ {
+ /* we'd have to generate an RSA key pair > 512 bits long,
+ ** and that's too costly. Don't even try.
+ */
+ PORT_SetError( SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY );
+ goto rsa_failed;
+ }
rsaParams.keySizeInBits =
- ((keyLength == 0) || (keyLength > 16)) ? 512 : 256;
+ (symKeyLength > 28 || symKeyLength == 0) ? 512 : 256;
rsaParams.pe = 0x10001;
privKey = PK11_GenerateKeyPair(slot,CKM_RSA_PKCS_KEY_PAIR_GEN,
- &rsaParams, &pubKey,PR_FALSE,PR_TRUE,symKey->cx);
+ &rsaParams, &pubKey,PR_FALSE,PR_TRUE,symKey->cx);
} else {
- /* if key's exist, build SECKEY data structures for them */
+ /* if keys exist, build SECKEY data structures for them */
privKey = PK11_MakePrivKey(slot,nullKey, PR_TRUE, privKeyHandle,
symKey->cx);
if (privKey != NULL) {
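Review bot: The limits 60 and 28 in the new `symKeyLength` checks leave almost no room for padding in the temporary RSA key, since a 512-bit modulus is 64 bytes and a 256-bit one is 32 bytes. If the wrap later in pk11_KeyExchange uses PKCS #1 v1.5 block formatting (not visible in this hunk), which needs at least 11 bytes of overhead, the tests would have to be `if (symKeyLength > 53) /* bytes */ {` and `(symKeyLength > 21 || symKeyLength == 0) ? 512 : 256;`, otherwise keys of 22-28 or 54-60 bytes get a modulus too small to hold them. Please confirm the wrap mechanism and replace the bare numbers with named constants derived from the modulus size. A comment should also record that a 256- or 512-bit RSA key is far weaker than the symmetric key it transports, so this path is only as strong as that temporary key pair. The function starts and ends outside the hunk.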
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
index 607deeba8..83079c8ff 100644
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -171,7 +171,7 @@ pk11_getKeyFromList(PK11SlotInfo *slot) {
PK11_USE_THREADS(PZ_Unlock(slot->freeListLock);)
if (symKey) {
symKey->next = NULL;
- if (!symKey->sessionOwner)
+ if ((symKey->series != slot->series) || (!symKey->sessionOwner))
symKey->session = pk11_GetNewSession(slot,&symKey->sessionOwner);
return symKey;
}
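Review bot: The new `symKey->series != slot->series` test in pk11_getKeyFromList replaces `symKey->session` with no comment saying why, and nothing in the visible lines says what happens to the old handle. Presumably a series mismatch means the token was reset or re-inserted and the cached session is stale, but when `sessionOwner` was set the previous session is overwritten here without being closed, and the hunk does not bring `symKey->series` up to date. Add a comment such as `/* session from an earlier token series is stale; get a fresh one */` and confirm that the caller refreshes the series. The function starts outside the hunk.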
diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c
index 076e722ec..6b28f816d 100644
--- a/security/nss/lib/pkcs12/p12d.c
+++ b/security/nss/lib/pkcs12/p12d.c
@@ -2142,8 +2142,6 @@ sec_pkcs12_validate_cert(sec_PKCS12SafeBag *cert,
if(testCert) {
if(!testCert->nickname) {
cert->removeExisting = PR_TRUE;
- } else {
- cert->noInstall = PR_TRUE;
}
CERT_DestroyCertificate(testCert);
if(cert->noInstall && !cert->removeExisting) {
diff --git a/security/nss/lib/softoken/keydb.c b/security/nss/lib/softoken/keydb.c
index 90da85ac0..cfb9d3348 100644
--- a/security/nss/lib/softoken/keydb.c
+++ b/security/nss/lib/softoken/keydb.c
@@ -587,6 +587,9 @@ SECKEY_OpenKeyDB(PRBool readOnly, SECKEYDBNameFunc namecb, void *cbarg)
if ( dbname == NULL ) {
goto loser;
}
+
+ handle->dbname = PORT_Strdup(dbname);
+ handle->readOnly = readOnly;
handle->db = dbopen( dbname, openflags, 0600, DB_HASH, 0 );
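Review bot: The result of `PORT_Strdup(dbname)` is stored without a check, so an allocation failure goes unnoticed until SECKEY_ResetKeyDB later finds `handle->dbname == NULL`. Fail at open time instead: `if (handle->dbname == NULL) goto loser;`. The `loser` path is outside the hunk; it should be checked to free `handle->dbname`, because `dbopen` can still fail after the copy has been made. SECKEY_OpenKeyDB starts and ends outside the hunk.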
@@ -720,6 +723,7 @@ SECKEY_CloseKeyDB(SECKEYKeyDBHandle *handle)
if (handle->db != NULL) {
(* handle->db->close)(handle->db);
}
+ if (handle->dbname) PORT_Free(handle->dbname);
PORT_Free(handle);
}
}
@@ -2416,6 +2420,7 @@ done:
return(SECSuccess);
}
+#define MAX_DB_SIZE 0xffff
/*
* Clear out all the keys in the existing database
*/
@@ -2432,20 +2437,24 @@ SECKEY_ResetKeyDB(SECKEYKeyDBHandle *handle)
return(SECSuccess);
}
-
- /* now traverse the database */
- ret = (* handle->db->seq)(handle->db, &key, &data, R_FIRST);
- if ( ret ) {
- goto done;
+ if (handle->readOnly) {
+ /* set an error code */
+ return SECFailure;
+ }
+
+ PORT_Assert(handle->dbname != NULL);
+ if (handle->dbname == NULL) {
+ return SECFailure;
}
-
- do {
- /* delete each entry */
- ret = (* handle->db->del)(handle->db, &key, 0);
- if ( ret ) errors++;
- } while ( (* handle->db->seq)(handle->db, &key, &data,
- R_NEXT) == 0 );
+ (* handle->db->close)(handle->db);
+ handle->db = dbopen( handle->dbname,
+ O_RDWR | O_CREAT | O_TRUNC, 0600, DB_HASH, 0 );
+ if (handle->db == NULL) {
+ /* set an error code */
+ return SECFailure;
+ }
+
rv = makeGlobalVersion(handle);
if ( rv != SECSuccess ) {
errors++;
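Review bot: Both new failure returns in SECKEY_ResetKeyDB carry a `/* set an error code */` placeholder but never call `PORT_SetError`, so callers get `SECFailure` with a stale or missing error. Set one on each path, for example `PORT_SetError(SEC_ERROR_READ_ONLY);` for the read-only case and `PORT_SetError(SEC_ERROR_BAD_DATABASE);` when `dbopen` fails. On that second path the old database has already been closed and `handle->db` is left NULL, so any later user of the handle that dereferences `handle->db` without a check would crash; the state after failure deserves a comment. The return value of `(* handle->db->close)` is also ignored. The function starts and ends outside the hunk.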
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index f336ff38d..1d1c80aa0 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -667,8 +667,12 @@ pk11_handleCertObject(PK11Session *session,PK11Object *object)
!= SECSuccess) {
return CKR_ATTRIBUTE_VALUE_INVALID;
}
- if (CERT_AddTempCertToPerm(cert, label, &trust) != SECSuccess) {
- return CKR_HOST_MEMORY;
+ if (!cert->isperm) {
+ if (CERT_AddTempCertToPerm(cert, label, &trust) != SECSuccess) {
+ return CKR_HOST_MEMORY;
+ }
+ } else {
+ CERT_ChangeCertTrust(cert->dbhandle,cert,&trust);
}
if(certUsage) {
if(CERT_ChangeCertTrustByUsage(CERT_GetDefaultCertDB(),
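Review bot: The new `else` branch in pk11_handleCertObject ignores the result of `CERT_ChangeCertTrust`, while the sibling branch checks `CERT_AddTempCertToPerm`, so a failed trust update on an already-permanent certificate would be reported to the PKCS #11 caller as success. Check it the same way: `if (CERT_ChangeCertTrust(cert->dbhandle, cert, &trust) != SECSuccess) return CKR_HOST_MEMORY;` (or a more fitting CKR code). Because this path overwrites the trust flags of an existing certificate, a short comment stating that this is intended would help the next reader. The function starts and ends outside the hunk.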
@@ -2704,6 +2708,7 @@ CK_RV NSC_InitToken(CK_SLOT_ID slotID,CK_CHAR_PTR pPin,
if (object) pk11_FreeObject(object);
} while (object != NULL);
}
+ slot->DB_loaded = PR_FALSE;
PK11_USE_THREADS(PZ_Unlock(slot->objectLock);)
/* then clear out the key database */
diff --git a/security/nss/lib/softoken/private.h b/security/nss/lib/softoken/private.h
index b90ceaaea..0125c7e7b 100644
--- a/security/nss/lib/softoken/private.h
+++ b/security/nss/lib/softoken/private.h
@@ -50,6 +50,8 @@ struct SECKEYKeyDBHandleStr {
DB *updatedb; /* used when updating an old version */
SECItem *global_salt; /* password hashing salt for this db */
int version; /* version of the database */
+ char *dbname; /* name of the openned DB */
+ PRBool readOnly; /* is the DB read only */
};
/*
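Review bot: The comments on the two new fields of SECKEYKeyDBHandleStr do not say who owns `dbname`. From the keydb.c changes in this commit it is a `PORT_Strdup` copy that SECKEY_CloseKeyDB frees, so write `char *dbname; /* name of the opened DB; heap copy owned by the handle */`, which also corrects the spelling of "openned".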
diff --git a/security/nss/lib/util/secerr.h b/security/nss/lib/util/secerr.h
index 8b152f8e4..ff9c784ee 100644
--- a/security/nss/lib/util/secerr.h
+++ b/security/nss/lib/util/secerr.h
@@ -149,7 +149,7 @@ SEC_ERROR_INVALID_PASSWORD = (SEC_ERROR_BASE + 101),
SEC_ERROR_RETRY_OLD_PASSWORD = (SEC_ERROR_BASE + 102),
SEC_ERROR_BAD_NICKNAME = (SEC_ERROR_BASE + 103),
SEC_ERROR_NOT_FORTEZZA_ISSUER = (SEC_ERROR_BASE + 104),
-/* UNUSED (SEC_ERROR_BASE + 105) */
+SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY = (SEC_ERROR_BASE + 105),
SEC_ERROR_JS_INVALID_MODULE_NAME = (SEC_ERROR_BASE + 106),
SEC_ERROR_JS_INVALID_DLL = (SEC_ERROR_BASE + 107),
SEC_ERROR_JS_ADD_MOD_FAILURE = (SEC_ERROR_BASE + 108),
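Review bot: SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY takes over slot 105 with no comment and, judging by the list of nine changed files, no matching entry in an error-string table, so the code may surface without a message. Add the string where the other SEC_ERROR texts live and a comment here, e.g. `/* key too large to wrap with a temporary RSA key pair */`, since its only use in this commit is the size check in pk11kea.c. Reusing a value marked UNUSED is safe only if no released build ever gave 105 another meaning, which cannot be confirmed from this page.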