authornelson%bolyard.com <devnull@localhost>2008-12-03 04:53:00 +0000
committernelson%bolyard.com <devnull@localhost>2008-12-03 04:53:00 +0000
commit8c6b5db249c0578c0d8121903b5978cab799b8d8 (patch)
treeaeb9f34e5b0048afce6406d13b12dbeeec99bffd
parent0df396ec8baa811511a6e8ec62a58480ab9fcecc (diff)
downloadnss-hg-8c6b5db249c0578c0d8121903b5978cab799b8d8.tar.gz
Bug 444850: NSS misbehaves badly in the presence of a disabled PKCS#11 slot [NSS_3_11_10_RTM] [NSS_3_11_10_RC3]
r=rrelyea,alexei
-rw-r--r--security/nss/lib/dev/ckhelper.c20
-rw-r--r--security/nss/lib/dev/dev.h27
-rw-r--r--security/nss/lib/dev/devslot.c4
-rw-r--r--security/nss/lib/dev/devtoken.c187
-rw-r--r--security/nss/lib/dev/devutil.c220
-rw-r--r--security/nss/lib/pk11wrap/dev3hack.c9
-rw-r--r--security/nss/lib/pk11wrap/pk11cert.c91
-rw-r--r--security/nss/lib/pki/trustdomain.c253
8 files changed, 306 insertions, 505 deletions
diff --git a/security/nss/lib/dev/ckhelper.c b/security/nss/lib/dev/ckhelper.c
index 61a854ce1..cabd82721 100644
--- a/security/nss/lib/dev/ckhelper.c
+++ b/security/nss/lib/dev/ckhelper.c
@@ -359,6 +359,10 @@ nssCryptokiCertificate_GetAttributes (
session = sessionOpt ?
sessionOpt :
nssToken_GetDefaultSession(certObject->token);
+ if (!session) {
+ nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+ return PR_FAILURE;
+ }
slot = nssToken_GetSlot(certObject->token);
status = nssCKObject_GetAttributes(certObject->handle,
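Review bot: The new guard reports NSS_ERROR_INVALID_ARGUMENT even when the caller passed no session and the token simply has no default session, which is not an argument error on the caller's side. The same guard is added in nssCryptokiTrust_GetAttributes and nssCryptokiCRL_GetAttributes (the latter spelled `session == NULL` rather than `!session`), while the devtoken.c guards in this commit report SEC_ERROR_NO_TOKEN through PORT_SetError for the same condition. If the two error stacks are meant to differ, a one-line comment such as `/* token has no usable default session (slot disabled) */` above each check would record why; otherwise use one spelling and one error for all three. The function bodies continue outside these hunks.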
@@ -457,6 +461,10 @@ nssCryptokiTrust_GetAttributes (
session = sessionOpt ?
sessionOpt :
nssToken_GetDefaultSession(trustObject->token);
+ if (!session) {
+ nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+ return PR_FAILURE;
+ }
slot = nssToken_GetSlot(trustObject->token);
status = nssCKObject_GetAttributes(trustObject->handle,
@@ -522,6 +530,10 @@ nssCryptokiCRL_GetAttributes (
session = sessionOpt ?
sessionOpt :
nssToken_GetDefaultSession(crlObject->token);
+ if (session == NULL) {
+ nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+ return PR_FAILURE;
+ }
slot = nssToken_GetSlot(crlObject->token);
status = nssCKObject_GetAttributes(crlObject->handle,
@@ -580,14 +592,16 @@ nssCryptokiPrivateKey_SetCertificate (
if (sessionOpt) {
if (!nssSession_IsReadWrite(sessionOpt)) {
return PR_FAILURE;
- } else {
- session = sessionOpt;
}
- } else if (nssSession_IsReadWrite(defaultSession)) {
+ session = sessionOpt;
+ } else if (defaultSession && nssSession_IsReadWrite(defaultSession)) {
session = defaultSession;
} else {
NSSSlot *slot = nssToken_GetSlot(token);
session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
+ if (!session) {
+ return PR_FAILURE;
+ }
createdSession = PR_TRUE;
nssSlot_Destroy(slot);
}
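Review bot: The new `return PR_FAILURE;` after nssSlot_CreateSession() leaves the function before `nssSlot_Destroy(slot)` runs, so the slot obtained from nssToken_GetSlot(token) two lines earlier is not released on this path. Releasing it before the check keeps both paths balanced: `session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);` `nssSlot_Destroy(slot);` `if (!session) { return PR_FAILURE; }`. Unlike the other guards added in this file, this path also sets no error code, so a caller cannot tell why the call failed. The function body starts and ends outside the hunk.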
diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h
index 4d12a30ba..b158266e8 100644
--- a/security/nss/lib/dev/dev.h
+++ b/security/nss/lib/dev/dev.h
@@ -389,15 +389,13 @@ nssSlot_CreateSession
* nssToken_GenerateKeyPair
* nssToken_GenerateSymmetricKey
* nssToken_DeleteStoredObject
- * nssToken_FindCertificates
+ * nssToken_FindObjects
* nssToken_FindCertificatesBySubject
* nssToken_FindCertificatesByNickname
* nssToken_FindCertificatesByEmail
* nssToken_FindCertificateByIssuerAndSerialNumber
* nssToken_FindCertificateByEncodedCertificate
- * nssToken_FindTrustObjects
* nssToken_FindTrustForCertificate
- * nssToken_FindCRLs
* nssToken_FindCRLsBySubject
* nssToken_FindPrivateKeys
* nssToken_FindPrivateKeyByID
@@ -495,10 +493,11 @@ nssToken_DeleteStoredObject
);
NSS_EXTERN nssCryptokiObject **
-nssToken_FindCertificates
+nssToken_FindObjects
(
NSSToken *token,
nssSession *sessionOpt,
+ CK_OBJECT_CLASS objclass,
nssTokenSearchType searchType,
PRUint32 maximumOpt,
PRStatus *statusOpt
@@ -569,16 +568,6 @@ nssToken_FindCertificateByEncodedCertificate
PRStatus *statusOpt
);
-NSS_EXTERN nssCryptokiObject **
-nssToken_FindTrustObjects
-(
- NSSToken *token,
- nssSession *sessionOpt,
- nssTokenSearchType searchType,
- PRUint32 maximumOpt,
- PRStatus *statusOpt
-);
-
NSS_EXTERN nssCryptokiObject *
nssToken_FindTrustForCertificate
(
@@ -591,16 +580,6 @@ nssToken_FindTrustForCertificate
);
NSS_EXTERN nssCryptokiObject **
-nssToken_FindCRLs
-(
- NSSToken *token,
- nssSession *sessionOpt,
- nssTokenSearchType searchType,
- PRUint32 maximumOpt,
- PRStatus *statusOpt
-);
-
-NSS_EXTERN nssCryptokiObject **
nssToken_FindCRLsBySubject
(
NSSToken *token,
diff --git a/security/nss/lib/dev/devslot.c b/security/nss/lib/dev/devslot.c
index 4ba45bfc2..3ef843477 100644
--- a/security/nss/lib/dev/devslot.c
+++ b/security/nss/lib/dev/devslot.c
@@ -219,6 +219,7 @@ nssSlot_IsTokenPresent (
*/
session = nssToken_GetDefaultSession(slot->token);
if (session) {
+ PRBool isPresent = PR_FALSE;
nssSession_EnterMonitor(session);
if (session->handle != CK_INVALID_SESSION) {
CK_SESSION_INFO sessionInfo;
@@ -229,9 +230,10 @@ nssSlot_IsTokenPresent (
session->handle = CK_INVALID_SESSION;
}
}
+ isPresent = session->handle != CK_INVALID_SESSION;
nssSession_ExitMonitor(session);
/* token not removed, finished */
- if (session->handle != CK_INVALID_SESSION)
+ if (isPresent)
return PR_TRUE;
}
/* the token has been removed, and reinserted, or the slot contains
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
index 2932b371b..64fe8a787 100644
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -55,6 +55,7 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
#include "secerr.h"
extern const NSSError NSS_ERROR_NOT_FOUND;
+extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
/* The number of object handles to grab during each call to C_FindObjects */
#define OBJECT_STACK_SIZE 16
@@ -68,6 +69,10 @@ nssToken_Destroy (
if (PR_AtomicDecrement(&tok->base.refCount) == 0) {
PZ_DestroyLock(tok->base.lock);
nssTokenObjectCache_Destroy(tok->cache);
+ /* The token holds the first/last reference to the slot.
+ * When the token is actually destroyed, that ref must go too.
+ */
+ (void)nssSlot_Destroy(tok->slot);
return nssArena_Destroy(tok->base.arena);
}
}
@@ -176,7 +181,8 @@ nssToken_DeleteStoredObject (
nssTokenObjectCache_RemoveObject(token->cache, instance);
}
if (instance->isTokenObject) {
- if (nssSession_IsReadWrite(token->defaultSession)) {
+ if (token->defaultSession &&
+ nssSession_IsReadWrite(token->defaultSession)) {
session = token->defaultSession;
} else {
session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
@@ -213,11 +219,12 @@ import_object (
if (nssCKObject_IsTokenObjectTemplate(objectTemplate, otsize)) {
if (sessionOpt) {
if (!nssSession_IsReadWrite(sessionOpt)) {
- return CK_INVALID_HANDLE;
- } else {
- session = sessionOpt;
+ nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+ return NULL;
}
- } else if (nssSession_IsReadWrite(tok->defaultSession)) {
+ session = sessionOpt;
+ } else if (tok->defaultSession &&
+ nssSession_IsReadWrite(tok->defaultSession)) {
session = tok->defaultSession;
} else {
session = nssSlot_CreateSession(tok->slot, NULL, PR_TRUE);
@@ -227,7 +234,8 @@ import_object (
session = (sessionOpt) ? sessionOpt : tok->defaultSession;
}
if (session == NULL) {
- return CK_INVALID_HANDLE;
+ nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+ return NULL;
}
nssSession_EnterMonitor(session);
ckrv = CKAPI(epv)->C_CreateObject(session->handle,
@@ -261,7 +269,9 @@ create_objects_from_handles (
for (--i; i>0; --i) {
nssCryptokiObject_Destroy(objects[i]);
}
- return (nssCryptokiObject **)NULL;
+ nss_ZFreeIf(objects);
+ objects = NULL;
+ break;
}
}
}
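Review bot: The cleanup loop `for (--i; i>0; --i)` stops before index 0, so `objects[0]` is never passed to nssCryptokiObject_Destroy(), and now that the array itself is freed right after, that object can no longer be reached. The loop is context rather than a changed line, but the added `nss_ZFreeIf(objects)` makes the leak permanent. A form that covers every created entry and stays safe if `i` is unsigned (its declaration is outside the hunk) is `while (i > 0) { nssCryptokiObject_Destroy(objects[--i]); }`. The enclosing function starts and ends outside the hunk.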
@@ -288,8 +298,7 @@ find_objects (
nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
/* Don't ask the module to use an invalid session handle. */
- PORT_Assert(session->handle != CK_INVALID_SESSION);
- if (session->handle == CK_INVALID_SESSION) {
+ if (!session || session->handle == CK_INVALID_SESSION) {
ckrv = CKR_SESSION_HANDLE_INVALID;
goto loser;
}
@@ -568,23 +577,24 @@ nssToken_ImportCertificate (
return rvObject;
}
-/* traverse all certificates - this should only happen if the token
- * has been marked as "traversable"
+/* traverse all objects of the given class - this should only happen
+ * if the token has been marked as "traversable"
*/
NSS_IMPLEMENT nssCryptokiObject **
-nssToken_FindCertificates (
+nssToken_FindObjects (
NSSToken *token,
nssSession *sessionOpt,
+ CK_OBJECT_CLASS objclass,
nssTokenSearchType searchType,
PRUint32 maximumOpt,
PRStatus *statusOpt
)
{
CK_ATTRIBUTE_PTR attr;
- CK_ATTRIBUTE cert_template[2];
- CK_ULONG ctsize;
+ CK_ATTRIBUTE obj_template[2];
+ CK_ULONG obj_size;
nssCryptokiObject **objects;
- NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
+ NSS_CK_TEMPLATE_START(obj_template, attr, obj_size);
/* Set the search to token/session only if provided */
if (searchType == nssTokenSearchType_SessionOnly) {
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
@@ -592,16 +602,16 @@ nssToken_FindCertificates (
searchType == nssTokenSearchType_TokenForced) {
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
}
- NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
- NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
+ NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, objclass);
+ NSS_CK_TEMPLATE_FINISH(obj_template, attr, obj_size);
if (searchType == nssTokenSearchType_TokenForced) {
objects = find_objects(token, sessionOpt,
- cert_template, ctsize,
+ obj_template, obj_size,
maximumOpt, statusOpt);
} else {
objects = find_objects_by_template(token, sessionOpt,
- cert_template, ctsize,
+ obj_template, obj_size,
maximumOpt, statusOpt);
}
return objects;
@@ -1110,44 +1120,6 @@ nssToken_ImportTrust (
return object;
}
-NSS_IMPLEMENT nssCryptokiObject **
-nssToken_FindTrustObjects (
- NSSToken *token,
- nssSession *sessionOpt,
- nssTokenSearchType searchType,
- PRUint32 maximumOpt,
- PRStatus *statusOpt
-)
-{
- CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
- CK_ATTRIBUTE_PTR attr;
- CK_ATTRIBUTE tobj_template[2];
- CK_ULONG tobj_size;
- nssCryptokiObject **objects;
- nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;
-
- NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
- if (searchType == nssTokenSearchType_SessionOnly) {
- NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
- } else if (searchType == nssTokenSearchType_TokenOnly ||
- searchType == nssTokenSearchType_TokenForced) {
- NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
- }
- NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc);
- NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
-
- if (searchType == nssTokenSearchType_TokenForced) {
- objects = find_objects(token, session,
- tobj_template, tobj_size,
- maximumOpt, statusOpt);
- } else {
- objects = find_objects_by_template(token, session,
- tobj_template, tobj_size,
- maximumOpt, statusOpt);
- }
- return objects;
-}
-
NSS_IMPLEMENT nssCryptokiObject *
nssToken_FindTrustForCertificate (
NSSToken *token,
@@ -1163,7 +1135,13 @@ nssToken_FindTrustForCertificate (
CK_ATTRIBUTE tobj_template[5];
CK_ULONG tobj_size;
nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;
- nssCryptokiObject *object, **objects;
+ nssCryptokiObject *object = NULL, **objects;
+
+ /* Don't ask the module to use an invalid session handle. */
+ if (!session || session->handle == CK_INVALID_SESSION) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return object;
+ }
NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
if (searchType == nssTokenSearchType_SessionOnly) {
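Review bot: The added guard reads `session->handle` without holding the session monitor, whereas the devslot.c hunk in this same commit moves its read of `session->handle` inside nssSession_EnterMonitor/nssSession_ExitMonitor because the handle can be reset to CK_INVALID_SESSION there. As written the check is best-effort only: the handle may be invalidated between this test and the later use, so it is worth saying so in the comment, e.g. `/* Best-effort: handle is read unlocked and may still be invalidated before use. */`. The same block is pasted into nssToken_FindCRLsBySubject, nssToken_Digest, nssToken_BeginDigest, nssToken_ContinueDigest, nssToken_FinishDigest and nssToken_TraverseCertificates; a single static helper that performs the test and sets SEC_ERROR_NO_TOKEN would keep the seven copies from drifting apart. The function bodies continue outside these hunks.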
@@ -1175,7 +1153,6 @@ nssToken_FindTrustForCertificate (
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER, certIssuer);
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER , certSerial);
NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
- object = NULL;
objects = find_objects_by_template(token, session,
tobj_template, tobj_size,
1, NULL);
@@ -1230,44 +1207,6 @@ nssToken_ImportCRL (
}
NSS_IMPLEMENT nssCryptokiObject **
-nssToken_FindCRLs (
- NSSToken *token,
- nssSession *sessionOpt,
- nssTokenSearchType searchType,
- PRUint32 maximumOpt,
- PRStatus *statusOpt
-)
-{
- CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL;
- CK_ATTRIBUTE_PTR attr;
- CK_ATTRIBUTE crlobj_template[2];
- CK_ULONG crlobj_size;
- nssCryptokiObject **objects;
- nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;
-
- NSS_CK_TEMPLATE_START(crlobj_template, attr, crlobj_size);
- if (searchType == nssTokenSearchType_SessionOnly) {
- NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
- } else if (searchType == nssTokenSearchType_TokenOnly ||
- searchType == nssTokenSearchType_TokenForced) {
- NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
- }
- NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, crlobjc);
- NSS_CK_TEMPLATE_FINISH(crlobj_template, attr, crlobj_size);
-
- if (searchType == nssTokenSearchType_TokenForced) {
- objects = find_objects(token, session,
- crlobj_template, crlobj_size,
- maximumOpt, statusOpt);
- } else {
- objects = find_objects_by_template(token, session,
- crlobj_template, crlobj_size,
- maximumOpt, statusOpt);
- }
- return objects;
-}
-
-NSS_IMPLEMENT nssCryptokiObject **
nssToken_FindCRLsBySubject (
NSSToken *token,
nssSession *sessionOpt,
@@ -1281,9 +1220,15 @@ nssToken_FindCRLsBySubject (
CK_ATTRIBUTE_PTR attr;
CK_ATTRIBUTE crlobj_template[3];
CK_ULONG crlobj_size;
- nssCryptokiObject **objects;
+ nssCryptokiObject **objects = NULL;
nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;
+ /* Don't ask the module to use an invalid session handle. */
+ if (!session || session->handle == CK_INVALID_SESSION) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return objects;
+ }
+
NSS_CK_TEMPLATE_START(crlobj_template, attr, crlobj_size);
if (searchType == nssTokenSearchType_SessionOnly) {
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
@@ -1334,8 +1279,14 @@ nssToken_Digest (
CK_BYTE_PTR digest;
NSSItem *rvItem = NULL;
void *epv = nssToken_GetCryptokiEPV(tok);
- nssSession *session;
- session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+ nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+ /* Don't ask the module to use an invalid session handle. */
+ if (!session || session->handle == CK_INVALID_SESSION) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return rvItem;
+ }
+
nssSession_EnterMonitor(session);
ckrv = CKAPI(epv)->C_DigestInit(session->handle, &ap->mechanism);
if (ckrv != CKR_OK) {
@@ -1394,9 +1345,15 @@ nssToken_BeginDigest (
)
{
CK_RV ckrv;
- nssSession *session;
void *epv = nssToken_GetCryptokiEPV(tok);
- session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+ nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+ /* Don't ask the module to use an invalid session handle. */
+ if (!session || session->handle == CK_INVALID_SESSION) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return PR_FAILURE;
+ }
+
nssSession_EnterMonitor(session);
ckrv = CKAPI(epv)->C_DigestInit(session->handle, &ap->mechanism);
nssSession_ExitMonitor(session);
@@ -1411,9 +1368,15 @@ nssToken_ContinueDigest (
)
{
CK_RV ckrv;
- nssSession *session;
void *epv = nssToken_GetCryptokiEPV(tok);
- session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+ nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+ /* Don't ask the module to use an invalid session handle. */
+ if (!session || session->handle == CK_INVALID_SESSION) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return PR_FAILURE;
+ }
+
nssSession_EnterMonitor(session);
ckrv = CKAPI(epv)->C_DigestUpdate(session->handle,
(CK_BYTE_PTR)item->data,
@@ -1435,8 +1398,14 @@ nssToken_FinishDigest (
CK_BYTE_PTR digest;
NSSItem *rvItem = NULL;
void *epv = nssToken_GetCryptokiEPV(tok);
- nssSession *session;
- session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+ nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+ /* Don't ask the module to use an invalid session handle. */
+ if (!session || session->handle == CK_INVALID_SESSION) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return NULL;
+ }
+
nssSession_EnterMonitor(session);
ckrv = CKAPI(epv)->C_DigestFinal(session->handle, NULL, &digestLen);
if (ckrv != CKR_OK || digestLen == 0) {
@@ -1513,6 +1482,12 @@ nssToken_TraverseCertificates (
void *epv = nssToken_GetCryptokiEPV(token);
nssSession *session = (sessionOpt) ? sessionOpt : token->defaultSession;
+ /* Don't ask the module to use an invalid session handle. */
+ if (!session || session->handle == CK_INVALID_SESSION) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return PR_FAILURE;
+ }
+
/* template for all certs */
NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
if (searchType == nssTokenSearchType_SessionOnly) {
diff --git a/security/nss/lib/dev/devutil.c b/security/nss/lib/dev/devutil.c
index 99bb884bc..5d0f85f5c 100644
--- a/security/nss/lib/dev/devutil.c
+++ b/security/nss/lib/dev/devutil.c
@@ -382,8 +382,15 @@ create_object (
nssCryptokiObjectAndAttributes *rvCachedObject = NULL;
slot = nssToken_GetSlot(object->token);
+ if (!slot) {
+ nss_SetError(NSS_ERROR_INVALID_POINTER);
+ goto loser;
+ }
session = nssToken_GetDefaultSession(object->token);
-
+ if (!session) {
+ nss_SetError(NSS_ERROR_INVALID_POINTER);
+ goto loser;
+ }
arena = nssArena_Create();
if (!arena) {
goto loser;
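Review bot: Both new `goto loser` paths run before `arena = nssArena_Create()`, and the second runs after nssToken_GetSlot() has already returned a slot, so the `loser` block must cope with an arena that was never created and a slot that still needs releasing. The `loser` label and the declarations of `slot` and `arena` are outside this hunk, so this cannot be confirmed from here. If `arena` is not initialised to NULL where it is declared, or `loser` does not call nssSlot_Destroy(slot), these paths would destroy an indeterminate pointer or leak the slot reference. A short comment at the first jump, such as `/* loser tolerates arena == NULL and releases slot */`, would record the assumption once it is verified.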
@@ -513,60 +520,6 @@ create_cert (
return create_object(object, certAttr, numCertAttr, status);
}
-static PRStatus
-get_token_certs_for_cache (
- nssTokenObjectCache *cache
-)
-{
- PRStatus status;
- nssCryptokiObject **objects;
- PRBool *doIt = &cache->doObjectType[cachedCerts];
- PRUint32 i, numObjects;
-
- if (!search_for_objects(cache) ||
- cache->searchedObjectType[cachedCerts] ||
- !cache->doObjectType[cachedCerts])
- {
- /* Either there was a state change that prevents a search
- * (token logged out), or the search was already done,
- * or certs are not being cached.
- */
- return PR_SUCCESS;
- }
- objects = nssToken_FindCertificates(cache->token, NULL,
- nssTokenSearchType_TokenForced,
- MAX_LOCAL_CACHE_OBJECTS, &status);
- if (status != PR_SUCCESS) {
- return status;
- }
- cache->objects[cachedCerts] = create_object_array(objects,
- doIt,
- &numObjects,
- &status);
- if (status != PR_SUCCESS) {
- return status;
- }
- for (i=0; i<numObjects; i++) {
- cache->objects[cachedCerts][i] = create_cert(objects[i], &status);
- if (status != PR_SUCCESS) {
- break;
- }
- }
- if (status == PR_SUCCESS) {
- nss_ZFreeIf(objects);
- } else {
- PRUint32 j;
- for (j=0; j<i; j++) {
- /* sigh */
- nssToken_AddRef(cache->objects[cachedCerts][j]->object->token);
- nssArena_Destroy(cache->objects[cachedCerts][j]->arena);
- }
- nssCryptokiObjectArray_Destroy(objects);
- }
- cache->searchedObjectType[cachedCerts] = PR_TRUE;
- return status;
-}
-
static nssCryptokiObjectAndAttributes *
create_trust (
nssCryptokiObject *object,
@@ -590,60 +543,6 @@ create_trust (
return create_object(object, trustAttr, numTrustAttr, status);
}
-static PRStatus
-get_token_trust_for_cache (
- nssTokenObjectCache *cache
-)
-{
- PRStatus status;
- nssCryptokiObject **objects;
- PRBool *doIt = &cache->doObjectType[cachedTrust];
- PRUint32 i, numObjects;
-
- if (!search_for_objects(cache) ||
- cache->searchedObjectType[cachedTrust] ||
- !cache->doObjectType[cachedTrust])
- {
- /* Either there was a state change that prevents a search
- * (token logged out), or the search was already done,
- * or trust is not being cached.
- */
- return PR_SUCCESS;
- }
- objects = nssToken_FindTrustObjects(cache->token, NULL,
- nssTokenSearchType_TokenForced,
- MAX_LOCAL_CACHE_OBJECTS, &status);
- if (status != PR_SUCCESS) {
- return status;
- }
- cache->objects[cachedTrust] = create_object_array(objects,
- doIt,
- &numObjects,
- &status);
- if (status != PR_SUCCESS) {
- return status;
- }
- for (i=0; i<numObjects; i++) {
- cache->objects[cachedTrust][i] = create_trust(objects[i], &status);
- if (status != PR_SUCCESS) {
- break;
- }
- }
- if (status == PR_SUCCESS) {
- nss_ZFreeIf(objects);
- } else {
- PRUint32 j;
- for (j=0; j<i; j++) {
- /* sigh */
- nssToken_AddRef(cache->objects[cachedTrust][j]->object->token);
- nssArena_Destroy(cache->objects[cachedTrust][j]->arena);
- }
- nssCryptokiObjectArray_Destroy(objects);
- }
- cache->searchedObjectType[cachedTrust] = PR_TRUE;
- return status;
-}
-
static nssCryptokiObjectAndAttributes *
create_crl (
nssCryptokiObject *object,
@@ -663,33 +562,55 @@ create_crl (
return create_object(object, crlAttr, numCRLAttr, status);
}
+/* Dispatch to the create function for the object type */
+static nssCryptokiObjectAndAttributes *
+create_object_of_type (
+ nssCryptokiObject *object,
+ PRUint32 objectType,
+ PRStatus *status
+)
+{
+ if (objectType == cachedCerts) {
+ return create_cert(object, status);
+ }
+ if (objectType == cachedTrust) {
+ return create_trust(object, status);
+ }
+ if (objectType == cachedCRLs) {
+ return create_crl(object, status);
+ }
+ return (nssCryptokiObjectAndAttributes *)NULL;
+}
+
static PRStatus
-get_token_crls_for_cache (
- nssTokenObjectCache *cache
+get_token_objects_for_cache (
+ nssTokenObjectCache *cache,
+ PRUint32 objectType,
+ CK_OBJECT_CLASS objclass
)
{
PRStatus status;
nssCryptokiObject **objects;
- PRBool *doIt = &cache->doObjectType[cachedCRLs];
+ PRBool *doIt = &cache->doObjectType[objectType];
PRUint32 i, numObjects;
if (!search_for_objects(cache) ||
- cache->searchedObjectType[cachedCRLs] ||
- !cache->doObjectType[cachedCRLs])
+ cache->searchedObjectType[objectType] ||
+ !cache->doObjectType[objectType])
{
/* Either there was a state change that prevents a search
* (token logged out), or the search was already done,
- * or CRLs are not being cached.
+ * or objects of this type are not being cached.
*/
return PR_SUCCESS;
}
- objects = nssToken_FindCRLs(cache->token, NULL,
- nssTokenSearchType_TokenForced,
- MAX_LOCAL_CACHE_OBJECTS, &status);
+ objects = nssToken_FindObjects(cache->token, NULL, objclass,
+ nssTokenSearchType_TokenForced,
+ MAX_LOCAL_CACHE_OBJECTS, &status);
if (status != PR_SUCCESS) {
return status;
}
- cache->objects[cachedCRLs] = create_object_array(objects,
+ cache->objects[objectType] = create_object_array(objects,
doIt,
&numObjects,
&status);
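Review bot: The fall-through at the end of create_object_of_type() returns NULL without writing `*status`, so a caller that tests only `status != PR_SUCCESS` sees the previous value. In get_token_objects_for_cache() the status is PR_SUCCESS on entry to the loop, which means an unrecognised `objectType` would store a NULL entry in `cache->objects[objectType][i]` and carry on as if it had succeeded. The three current call sites pass known types, but setting the status makes the helper safe on its own: add `*status = PR_FAILURE;` before the final `return`. The helper's comment could also state that NULL with PR_FAILURE is returned for an unknown type.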
@@ -697,7 +618,9 @@ get_token_crls_for_cache (
return status;
}
for (i=0; i<numObjects; i++) {
- cache->objects[cachedCRLs][i] = create_crl(objects[i], &status);
+ cache->objects[objectType][i] = create_object_of_type(objects[i],
+ objectType,
+ &status);
if (status != PR_SUCCESS) {
break;
}
@@ -708,12 +631,12 @@ get_token_crls_for_cache (
PRUint32 j;
for (j=0; j<i; j++) {
/* sigh */
- nssToken_AddRef(cache->objects[cachedCRLs][j]->object->token);
- nssArena_Destroy(cache->objects[cachedCRLs][j]->arena);
+ nssToken_AddRef(cache->objects[objectType][j]->object->token);
+ nssArena_Destroy(cache->objects[objectType][j]->arena);
}
nssCryptokiObjectArray_Destroy(objects);
}
- cache->searchedObjectType[cachedCRLs] = PR_TRUE;
+ cache->searchedObjectType[objectType] = PR_TRUE;
return status;
}
@@ -835,45 +758,25 @@ nssTokenObjectCache_FindObjectsByTemplate (
{
PRStatus status = PR_FAILURE;
nssCryptokiObject **rvObjects = NULL;
+ PRUint32 objectType;
if (!token_is_present(cache)) {
status = PR_SUCCESS;
goto finish;
}
- PZ_Lock(cache->lock);
switch (objclass) {
- case CKO_CERTIFICATE:
- if (cache->doObjectType[cachedCerts]) {
- status = get_token_certs_for_cache(cache);
- if (status != PR_SUCCESS) {
- goto unlock;
- }
- rvObjects = find_objects_in_array(cache->objects[cachedCerts],
- otemplate, otlen, maximumOpt);
- }
- break;
- case CKO_NETSCAPE_TRUST:
- if (cache->doObjectType[cachedTrust]) {
- status = get_token_trust_for_cache(cache);
- if (status != PR_SUCCESS) {
- goto unlock;
- }
- rvObjects = find_objects_in_array(cache->objects[cachedTrust],
- otemplate, otlen, maximumOpt);
- }
- break;
- case CKO_NETSCAPE_CRL:
- if (cache->doObjectType[cachedCRLs]) {
- status = get_token_crls_for_cache(cache);
- if (status != PR_SUCCESS) {
- goto unlock;
- }
- rvObjects = find_objects_in_array(cache->objects[cachedCRLs],
+ case CKO_CERTIFICATE: objectType = cachedCerts; break;
+ case CKO_NETSCAPE_TRUST: objectType = cachedTrust; break;
+ case CKO_NETSCAPE_CRL: objectType = cachedCRLs; break;
+ default: goto finish;
+ }
+ PZ_Lock(cache->lock);
+ if (cache->doObjectType[objectType]) {
+ status = get_token_objects_for_cache(cache, objectType, objclass);
+ if (status == PR_SUCCESS) {
+ rvObjects = find_objects_in_array(cache->objects[objectType],
otemplate, otlen, maximumOpt);
}
- break;
- default: break;
}
-unlock:
PZ_Unlock(cache->lock);
finish:
if (statusOpt) {
@@ -1052,13 +955,8 @@ nssTokenObjectCache_ImportObject (
}
if (*otype) {
nssCryptokiObject *copyObject = nssCryptokiObject_Clone(object);
- if (objectType == cachedCerts) {
- (*otype)[count] = create_cert(copyObject, &status);
- } else if (objectType == cachedTrust) {
- (*otype)[count] = create_trust(copyObject, &status);
- } else if (objectType == cachedCRLs) {
- (*otype)[count] = create_crl(copyObject, &status);
- }
+ (*otype)[count] = create_object_of_type(copyObject, objectType,
+ &status);
} else {
status = PR_FAILURE;
}
diff --git a/security/nss/lib/pk11wrap/dev3hack.c b/security/nss/lib/pk11wrap/dev3hack.c
index c7a586305..0d643f70c 100644
--- a/security/nss/lib/pk11wrap/dev3hack.c
+++ b/security/nss/lib/pk11wrap/dev3hack.c
@@ -195,7 +195,12 @@ nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot)
nss3slot->session,
nss3slot->sessionLock,
nss3slot->defRWSession);
- /* continue, even if rvToken->defaultSession is NULL */
+#if 0 /* we should do this instead of blindly continuing. */
+ if (!rvToken->defaultSession) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ goto loser;
+ }
+#endif
if (!PK11_IsInternal(nss3slot) && PK11_IsHW(nss3slot)) {
rvToken->cache = nssTokenObjectCache_Create(rvToken,
PR_TRUE, PR_TRUE, PR_TRUE);
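Review bot: The `#if 0` block commits dead code in place of the comment it removes, and it no longer states the behaviour that is actually in effect: the token is still created when `rvToken->defaultSession` is NULL. That fact is what the NULL-session guards added elsewhere in this commit depend on, so it should stay visible to readers. A plain comment carries both the current behaviour and the intended follow-up without a disabled block, for example `/* defaultSession may be NULL here (disabled slot); callers must check. TODO: fail with SEC_ERROR_NO_TOKEN instead of continuing. */`. The function body starts and ends outside the hunk.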
@@ -271,7 +276,7 @@ nssSlot_Refresh
{
PK11SlotInfo *nss3slot = slot->pk11slot;
PRBool doit = PR_FALSE;
- if (slot->token->base.name[0] == 0) {
+ if (slot->token && slot->token->base.name[0] == 0) {
doit = PR_TRUE;
}
if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) {
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
index ae7ae6bc3..1f9edfffc 100644
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -257,14 +257,18 @@ static CERTCertificate
CK_ATTRIBUTE *privateLabel, char **nickptr)
{
NSSCertificate *c;
- nssCryptokiObject *co;
+ nssCryptokiObject *co = NULL;
nssPKIObject *pkio;
NSSToken *token;
NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
/* Get the cryptoki object from the handle */
token = PK11Slot_GetNSSToken(slot);
- co = nssCryptokiObject_Create(token, token->defaultSession, certID);
+ if (token->defaultSession) {
+ co = nssCryptokiObject_Create(token, token->defaultSession, certID);
+ } else {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ }
if (!co) {
return NULL;
}
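Review bot: The new test dereferences `token` (`token->defaultSession`) without checking the result of PK11Slot_GetNSSToken(slot), so the NULL-session case is handled but a NULL token is not. Whether that call can return NULL for a disabled slot is not visible in this hunk; if it can, the guard should be `if (token && token->defaultSession) {`, with the else branch still setting SEC_ERROR_NO_TOKEN. The function body continues outside the hunk.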
@@ -354,8 +358,7 @@ PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID,
* valid CA's which are self-signed here. They must have an object
* ID of '0'. */
if (pk11_isID0(slot,certID) &&
- SECITEM_CompareItem(&cert->derSubject,&cert->derIssuer)
- == SECEqual) {
+ cert->isRoot) {
trustflags |= CERTDB_TRUSTED_CA;
/* is the slot a fortezza card? allow the user or
* admin to turn on objectSigning, but don't turn
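Review bot: The condition that grants CERTDB_TRUSTED_CA now depends on `cert->isRoot` instead of a direct comparison of `derSubject` and `derIssuer`, and nothing in the hunk or the commit message says how `isRoot` is computed or that the two tests agree. Because this decides whether a certificate found on a token is treated as a trusted CA, the equivalence (or the intended tightening) should be documented at the point of use. Something like `/* isRoot is computed when the cert is decoded; it is at least as strict as subject == issuer */` would do, once that has been confirmed against the decoder. The change is also unrelated to the disabled-slot fix named in the commit title, which makes it easy to miss in review. The enclosing function starts and ends outside the hunk.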
@@ -537,6 +540,10 @@ PK11_FindCertFromNickname(char *nickname, void *wincx)
char *tokenName;
nickCopy = PORT_Strdup(nickname);
+ if (!nickCopy) {
+ /* error code is set */
+ return NULL;
+ }
if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) {
tokenName = nickCopy;
nickname = delimit + 1;
@@ -650,6 +657,10 @@ PK11_FindCertsFromNickname(char *nickname, void *wincx)
SECStatus rv;
nickCopy = PORT_Strdup(nickname);
+ if (!nickCopy) {
+ /* error code is set */
+ return NULL;
+ }
if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) {
tokenName = nickCopy;
nickname = delimit + 1;
@@ -738,7 +749,12 @@ PK11_FindCertsFromNickname(char *nickname, void *wincx)
PRTime now = PR_Now();
certList = CERT_NewCertList();
for (i=0, c = *foundCerts; c; c = foundCerts[++i]) {
- CERTCertificate *certCert = STAN_GetCERTCertificateOrRelease(c);
+ CERTCertificate *certCert;
+ if (!certList) {
+ nssCertificate_Destroy(c);
+ continue;
+ }
+ certCert = STAN_GetCERTCertificateOrRelease(c);
/* c may be invalid after this, don't reference it */
if (certCert) {
/* CERT_AddCertToListSorted adopts certCert */
@@ -746,7 +762,7 @@ PK11_FindCertsFromNickname(char *nickname, void *wincx)
CERT_SortCBValidity, &now);
}
}
- if (CERT_LIST_HEAD(certList) == NULL) {
+ if (certList && CERT_LIST_HEAD(certList) == NULL) {
CERT_DestroyCertList(certList);
certList = NULL;
}
@@ -762,7 +778,8 @@ PK11_FindCertsFromNickname(char *nickname, void *wincx)
* pkcs11 to extract the public key (we currently do not), this will break.
*/
SECItem *
-PK11_GetPubIndexKeyID(CERTCertificate *cert) {
+PK11_GetPubIndexKeyID(CERTCertificate *cert)
+{
SECKEYPublicKey *pubk;
SECItem *newItem = NULL;
@@ -795,7 +812,8 @@ PK11_GetPubIndexKeyID(CERTCertificate *cert) {
* generate a CKA_ID from a certificate.
*/
SECItem *
-pk11_mkcertKeyID(CERTCertificate *cert) {
+pk11_mkcertKeyID(CERTCertificate *cert)
+{
SECItem *pubKeyData = PK11_GetPubIndexKeyID(cert) ;
SECItem *certCKA_ID;
@@ -835,6 +853,9 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
c = cert->nssCertificate;
} else {
c = STAN_GetNSSCertificate(cert);
+ if (c == NULL) {
+ goto loser;
+ }
}
if (c->object.cryptoContext) {
@@ -843,7 +864,6 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
nssCertificateStore_Lock(cc->certStore, &lockTrace);
nssCertificateStore_RemoveCertLOCKED(cc->certStore, c);
nssCertificateStore_Unlock(cc->certStore, &lockTrace, &unlockTrace);
- nssCertificateStore_Check(&lockTrace, &unlockTrace);
c->object.cryptoContext = NULL;
cert->istemp = PR_FALSE;
cert->isperm = PR_TRUE;
@@ -909,7 +929,8 @@ loser:
SECStatus
PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert,
- CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust) {
+ CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust)
+{
CERTCertificate *cert;
SECStatus rv;
@@ -950,7 +971,8 @@ pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert,
*/
SECKEYPrivateKey *
PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert,
- void *wincx) {
+ void *wincx)
+{
int err;
CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
CK_ATTRIBUTE theTemplate[] = {
@@ -1012,7 +1034,8 @@ PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert,
*/
PK11SlotInfo *
PK11_KeyForCertExists(CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr,
- void *wincx) {
+ void *wincx)
+{
PK11SlotList *list;
PK11SlotListElement *le;
SECItem *keyID;
@@ -1067,7 +1090,8 @@ PK11_KeyForCertExists(CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr,
*/
PK11SlotInfo *
PK11_KeyForDERCertExists(SECItem *derCert, CK_OBJECT_HANDLE *keyPtr,
- void *wincx) {
+ void *wincx)
+{
CERTCertificate *cert;
PK11SlotInfo *slot = NULL;
@@ -1083,7 +1107,8 @@ PK11_KeyForDERCertExists(SECItem *derCert, CK_OBJECT_HANDLE *keyPtr,
}
PK11SlotInfo *
-PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,void *wincx) {
+PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,void *wincx)
+{
PK11SlotInfo *slot = NULL;
CK_OBJECT_HANDLE key;
@@ -1102,7 +1127,8 @@ PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,void *wincx) {
}
PK11SlotInfo *
-PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,void *wincx) {
+PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,void *wincx)
+{
CERTCertificate *cert;
PK11SlotInfo *slot = NULL;
@@ -1117,7 +1143,8 @@ PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,void *wincx) {
static CK_OBJECT_HANDLE
pk11_FindCertObjectByTemplate(PK11SlotInfo **slotPtr,
- CK_ATTRIBUTE *searchTemplate, int count, void *wincx) {
+ CK_ATTRIBUTE *searchTemplate, int count, void *wincx)
+{
PK11SlotList *list;
PK11SlotListElement *le;
CK_OBJECT_HANDLE certHandle = CK_INVALID_HANDLE;
@@ -1358,7 +1385,8 @@ pk11_FindCertObjectByRecipient(PK11SlotInfo *slot,
static CERTCertificate *
pk11_AllFindCertObjectByRecipient(PK11SlotInfo **slotPtr,
SEC_PKCS7RecipientInfo **recipientArray,SEC_PKCS7RecipientInfo **rip,
- void *wincx) {
+ void *wincx)
+{
PK11SlotList *list;
PK11SlotListElement *le;
CERTCertificate * cert = NULL;
@@ -1687,6 +1715,11 @@ PK11_NumberCertsForCertSubject(CERTCertificate *cert)
PK11SlotListElement *le;
int count = 0;
+ if (!list) {
+ /* error code is set */
+ return 0;
+ }
+
/* loop through all the fortezza tokens */
for (le = list->head; le; le = le->next) {
count += PK11_NumberObjectsFor(le->slot,theTemplate,templateSize);
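Review bot: The new `if (!list)` guard in PK11_NumberCertsForCertSubject returns 0, which a caller cannot tell apart from a successful search that matched no certificates. The `int` count leaves no room for an error value, so the comment should spell out the contract, for example `/* error code is set; a 0 return here means failure, check PORT_GetError() */`. The function starts above this hunk and continues below it, so whether later code overwrites the error code is not visible here.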
@@ -1713,6 +1746,10 @@ PK11_TraverseCertsForSubject(CERTCertificate *cert,
PR_FALSE,PR_TRUE,NULL);
PK11SlotListElement *le;
+ if (!list) {
+ /* error code is set */
+ return SECFailure;
+ }
/* loop through all the tokens */
for (le = list->head; le; le = le->next) {
PK11_TraverseCertsForSubjectInSlot(cert,le->slot,callback,arg);
@@ -1888,8 +1925,8 @@ PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
}
(void *)nssTrustDomain_GetCertsFromCache(td, certList);
transfer_token_certs_to_collection(certList, tok, collection);
- instances = nssToken_FindCertificates(tok, NULL,
- tokenOnly, 0, &nssrv);
+ instances = nssToken_FindObjects(tok, NULL, CKO_CERTIFICATE,
+ tokenOnly, 0, &nssrv);
nssPKIObjectCollection_AddInstances(collection, instances, 0);
nss_ZFreeIf(instances);
nssList_Destroy(certList);
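Review bot: `nssrv` is filled in by the new nssToken_FindObjects call but is not examined before `instances` is handed to nssPKIObjectCollection_AddInstances on the following line. The FindCRLsBySubject hunk in trustdomain.c of this same commit guards the equivalent call with `if (status == PR_SUCCESS)`; the same guard fits here, `if (nssrv == PR_SUCCESS) nssPKIObjectCollection_AddInstances(collection, instances, 0);`, so a failed search on a disabled slot is handled the same way in both places. Whether AddInstances tolerates a NULL array is not visible in this hunk, and PK11_TraverseCertsInSlot begins and ends outside it.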
@@ -2101,7 +2138,8 @@ KEAPQGCompare(CERTCertificate *server,CERTCertificate *cert) {
}
PRBool
-PK11_FortezzaHasKEA(CERTCertificate *cert) {
+PK11_FortezzaHasKEA(CERTCertificate *cert)
+{
/* look at the subject and see if it is a KEA for MISSI key */
SECOidData *oid;
@@ -2111,8 +2149,9 @@ PK11_FortezzaHasKEA(CERTCertificate *cert) {
}
oid = SECOID_FindOID(&cert->subjectPublicKeyInfo.algorithm.algorithm);
-
-
+ if (!oid) {
+ return PR_FALSE;
+ }
return (PRBool)((oid->offset == SEC_OID_MISSI_KEA_DSS_OLD) ||
(oid->offset == SEC_OID_MISSI_KEA_DSS) ||
(oid->offset == SEC_OID_MISSI_KEA)) ;
@@ -2153,6 +2192,11 @@ PK11_FindBestKEAMatch(CERTCertificate *server, void *wincx)
CERTCertificate *returnedCert = NULL;
SECStatus rv;
+ if (!keaList) {
+ /* error code is set */
+ return NULL;
+ }
+
/* loop through all the fortezza tokens */
for (le = keaList->head; le; le = le->next) {
rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
@@ -2396,6 +2440,9 @@ listCertsCallback(CERTCertificate* cert, void*arg)
nssCryptokiObject **instances;
NSSCertificate *c = STAN_GetNSSCertificate(cert);
+ if (c == NULL) {
+ return SECFailure;
+ }
instances = nssPKIObject_GetInstances(&c->object);
if (!instances) {
return SECFailure;
diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c
index 9f74c0033..126977cc0 100644
--- a/security/nss/lib/pki/trustdomain.c
+++ b/security/nss/lib/pki/trustdomain.c
@@ -101,8 +101,10 @@ static void
token_destructor(void *t)
{
NSSToken *tok = (NSSToken *)t;
- /* in 3.4, also destroy the slot (managed separately) */
- (void)nssSlot_Destroy(tok->slot);
+ /* The token holds the first/last reference to the slot.
+ * When the token is actually destroyed (ref count == 0),
+ * the slot will also be destroyed.
+ */
nssToken_Destroy(tok);
}
@@ -771,6 +773,9 @@ NSSTrustDomain_FindCertificatesByNameComponents (
return NULL;
}
+/* This returns at most a single certificate, so it can stop the loop
+ * when one is found.
+ */
NSS_IMPLEMENT NSSCertificate *
nssTrustDomain_FindCertificateByIssuerAndSerialNumber (
NSSTrustDomain *td,
@@ -778,13 +783,12 @@ nssTrustDomain_FindCertificateByIssuerAndSerialNumber (
NSSDER *serial
)
{
- PRStatus status;
- NSSToken *token = NULL;
NSSSlot **slots = NULL;
NSSSlot **slotp;
NSSCertificate *rvCert = NULL;
nssPKIObjectCollection *collection = NULL;
nssUpdateLevel updateLevel;
+
/* see if this search is already cached */
rvCert = nssTrustDomain_GetCertForIssuerAndSNFromCache(td,
issuer,
@@ -793,61 +797,56 @@ nssTrustDomain_FindCertificateByIssuerAndSerialNumber (
return rvCert;
}
slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
- if (!slots) {
- goto loser;
- }
- for (slotp = slots; *slotp; slotp++) {
- token = nssSlot_GetToken(*slotp);
- if (token) {
+ if (slots) {
+ for (slotp = slots; *slotp; slotp++) {
+ NSSToken *token = nssSlot_GetToken(*slotp);
nssSession *session;
nssCryptokiObject *instance;
nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
+ PRStatus status = PR_FAILURE;
+
+ if (!token)
+ continue;
session = nssTrustDomain_GetSessionForToken(td, token);
- if (!session) {
- nssToken_Destroy(token);
- goto loser;
+ if (session) {
+ instance = nssToken_FindCertificateByIssuerAndSerialNumber(
+ token,
+ session,
+ issuer,
+ serial,
+ tokenOnly,
+ &status);
}
- instance = nssToken_FindCertificateByIssuerAndSerialNumber(
- token,
- session,
- issuer,
- serial,
- tokenOnly,
- &status);
nssToken_Destroy(token);
if (status != PR_SUCCESS) {
- goto loser;
+ continue;
}
if (instance) {
if (!collection) {
collection = nssCertificateCollection_Create(td, NULL);
if (!collection) {
- goto loser;
+ break; /* don't keep looping if out if memory */
}
}
- nssPKIObjectCollection_AddInstances(collection,
- &instance, 1);
+ status = nssPKIObjectCollection_AddInstances(collection,
+ &instance, 1);
+ if (status == PR_SUCCESS) {
+ (void)nssPKIObjectCollection_GetCertificates(
+ collection, &rvCert, 1, NULL);
+ }
+ if (rvCert) {
+ break; /* found one cert, all done */
+ }
}
}
}
if (collection) {
- (void)nssPKIObjectCollection_GetCertificates(collection,
- &rvCert, 1, NULL);
- if (!rvCert) {
- goto loser;
- }
- nssPKIObjectCollection_Destroy(collection);
- }
- nssSlotArray_Destroy(slots);
- return rvCert;
-loser:
- if (collection) {
nssPKIObjectCollection_Destroy(collection);
}
if (slots) {
nssSlotArray_Destroy(slots);
}
- return (NSSCertificate *)NULL;
+ return rvCert;
}
NSS_IMPLEMENT NSSCertificate *
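Review bot: `instance` is declared without an initializer in the new loop body and is assigned only when `session` is non-NULL; the later `if (instance)` is safe solely because `status` starts as PR_FAILURE and the `continue` runs first. Initialising it, `nssCryptokiObject *instance = NULL;`, removes that dependency on statement order. Separately, the `break` taken when nssCertificateCollection_Create fails leaves `instance` unreleased; the FindTrustForCertificate hunk further down calls `nssCryptokiObject_Destroy(to)` on its failure path, which suggests `nssCryptokiObject_Destroy(instance);` belongs before that `break` (ownership after a failed AddInstances is not visible here). The comment on that `break` should read "out of memory".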
@@ -1036,7 +1035,7 @@ NSSTrustDomain_TraverseCertificates (
void *arg
)
{
- PRStatus status;
+ PRStatus status = PR_FAILURE;
NSSToken *token = NULL;
NSSSlot **slots = NULL;
NSSSlot **slotp;
@@ -1047,7 +1046,8 @@ NSSTrustDomain_TraverseCertificates (
nssList *certList;
certList = nssList_Create(NULL, PR_FALSE);
- if (!certList) return NULL;
+ if (!certList)
+ return NULL;
(void *)nssTrustDomain_GetCertsFromCache(td, certList);
cached = get_certs_from_list(certList);
collection = nssCertificateCollection_Create(td, cached);
@@ -1070,16 +1070,14 @@ NSSTrustDomain_TraverseCertificates (
nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
/* get a session for the token */
session = nssTrustDomain_GetSessionForToken(td, token);
- if (!session) {
- nssToken_Destroy(token);
- goto loser;
+ if (session) {
+ /* perform the traversal */
+ status = nssToken_TraverseCertificates(token,
+ session,
+ tokenOnly,
+ collector,
+ collection);
}
- /* perform the traversal */
- status = nssToken_TraverseCertificates(token,
- session,
- tokenOnly,
- collector,
- collection);
nssToken_Destroy(token);
}
}
@@ -1088,10 +1086,6 @@ NSSTrustDomain_TraverseCertificates (
pkiCallback.func.cert = callback;
pkiCallback.arg = arg;
status = nssPKIObjectCollection_Traverse(collection, &pkiCallback);
- /* clean up */
- nssPKIObjectCollection_Destroy(collection);
- nssSlotArray_Destroy(slots);
- return NULL;
loser:
if (slots) {
nssSlotArray_Destroy(slots);
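Review bot: With the early `return NULL` removed, the success path of NSSTrustDomain_TraverseCertificates now falls through the `loser:` label, so the label name no longer describes what reaches it. A one-line comment above it, `/* shared cleanup: reached on success and on failure */`, or renaming the label to `done`, would keep the next reader from treating the code below as error-only. The same applies to the `loser:` label kept in nssTrustDomain_FindCRLsBySubject later in this file. The `status` assigned from nssPKIObjectCollection_Traverse just above the label is also never reported, since the only return visible in the next hunk's context is `return NULL`.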
@@ -1102,102 +1096,6 @@ loser:
return NULL;
}
-#ifdef notdef
-/*
- * search for Public and Private keys first
- */
-NSS_IMPLEMENT PRStatus *
-NSSTrustDomain_TraverseUserCertificates (
- NSSTrustDomain *td,
- PRStatus (*callback)(NSSCertificate *c, void *arg),
- void *arg
-)
-{
- PRStatus status;
- NSSToken *token = NULL;
- NSSSlot **slots = NULL;
- NSSSlot **slotp;
- nssPKIObjectCollection *collection = NULL;
- nssPKIObjectCallback pkiCallback;
- nssUpdateLevel updateLevel;
- NSSCertificate **cached = NULL;
- nssList *certList;
- certList = nssList_Create(NULL, PR_FALSE);
- if (!certList) return NULL;
- (void *)nssTrustDomain_GetCertsFromCache(td, certList);
- cached = get_certs_from_list(certList);
- collection = nssCertificateCollection_Create(td, cached);
- nssCertificateArray_Destroy(cached);
- nssList_Destroy(certList);
- if (!collection) {
- return (PRStatus *)NULL;
- }
- /* obtain the current set of active slots in the trust domain */
- slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
- if (!slots) {
- goto loser;
- }
- /* iterate over the slots */
- for (slotp = slots; *slotp; slotp++) {
- /* get the token for the slot, if present */
- token = nssSlot_GetToken(*slotp);
- if (token) {
- nssSession *session;
- nssCryptokiObject **instances;
- nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
- /* get a session for the token */
- session = nssTrustDomain_GetSessionForToken(td, token);
- if (!session) {
- nssToken_Destroy(token);
- goto loser;
- }
- /* perform the traversal */
- if (!isLoggedIn(tok)) {
- instances = nssToken_FindPublicKeys(token,
- session,
- tokenOnly,
- 0, &status);
- } else {
- instances = nssToken_FindPrivateKeys(token,
- session,
- tokenOnly,
- 0, &status);
- }
- nssToken_Destroy(token);
- if (status != PR_SUCCESS) {
- goto loser;
- }
- /* add the found certificates to the collection */
- status = nssPKIObjectCollection_AddInstances(collection,
- instances, 0);
- nss_ZFreeIf(instances);
- if (status != PR_SUCCESS) {
- goto loser;
- }
- }
- }
- status = nssPKIObjectCollection_MatchCerts(collection);
- if (status != PR_SUCCESS) {
- goto loser;
- }
- /* Traverse the collection */
- pkiCallback.func.cert = callback;
- pkiCallback.arg = arg;
- status = nssPKIObjectCollection_Traverse(collection, &pkiCallback);
- /* clean up */
- nssPKIObjectCollection_Destroy(collection);
- nssSlotArray_Destroy(slots);
- return NULL;
-loser:
- if (slots) {
- nssSlotArray_Destroy(slots);
- }
- if (collection) {
- nssPKIObjectCollection_Destroy(collection);
- }
- return NULL;
-}
-#endif
NSS_IMPLEMENT NSSTrust *
nssTrustDomain_FindTrustForCertificate (
@@ -1205,10 +1103,8 @@ nssTrustDomain_FindTrustForCertificate (
NSSCertificate *c
)
{
- PRStatus status;
NSSSlot **slots;
NSSSlot **slotp;
- NSSToken *token;
nssCryptokiObject *to = NULL;
nssPKIObject *pkio = NULL;
NSSTrust *rvt = NULL;
@@ -1218,7 +1114,8 @@ nssTrustDomain_FindTrustForCertificate (
return (NSSTrust *)NULL;
}
for (slotp = slots; *slotp; slotp++) {
- token = nssSlot_GetToken(*slotp);
+ NSSToken *token = nssSlot_GetToken(*slotp);
+
if (token) {
to = nssToken_FindTrustForCertificate(token, NULL,
&c->encoding,
@@ -1226,20 +1123,15 @@ nssTrustDomain_FindTrustForCertificate (
&c->serial,
nssTokenSearchType_TokenOnly);
if (to) {
+ PRStatus status;
if (!pkio) {
pkio = nssPKIObject_Create(NULL, to, td, NULL, nssPKILock);
- if (!pkio) {
- nssToken_Destroy(token);
- nssCryptokiObject_Destroy(to);
- goto loser;
- }
+ status = pkio ? PR_SUCCESS : PR_FAILURE;
} else {
status = nssPKIObject_AddInstance(pkio, to);
- if (status != PR_SUCCESS) {
- nssToken_Destroy(token);
- nssCryptokiObject_Destroy(to);
- goto loser;
- }
+ }
+ if (status != PR_SUCCESS) {
+ nssCryptokiObject_Destroy(to);
}
}
nssToken_Destroy(token);
@@ -1247,18 +1139,15 @@ nssTrustDomain_FindTrustForCertificate (
}
if (pkio) {
rvt = nssTrust_Create(pkio, &c->encoding);
- if (!rvt) {
- goto loser;
+ if (rvt) {
+ pkio = NULL; /* rvt object now owns the pkio reference */
}
}
nssSlotArray_Destroy(slots);
- return rvt;
-loser:
- nssSlotArray_Destroy(slots);
if (pkio) {
nssPKIObject_Destroy(pkio);
}
- return (NSSTrust *)NULL;
+ return rvt;
}
NSS_IMPLEMENT NSSCRL **
@@ -1267,7 +1156,6 @@ nssTrustDomain_FindCRLsBySubject (
NSSDER *subject
)
{
- PRStatus status;
NSSSlot **slots;
NSSSlot **slotp;
NSSToken *token;
@@ -1285,39 +1173,32 @@ nssTrustDomain_FindCRLsBySubject (
for (slotp = slots; *slotp; slotp++) {
token = nssSlot_GetToken(*slotp);
if (token) {
+ PRStatus status = PR_FAILURE;
nssSession *session;
- nssCryptokiObject **instances;
+ nssCryptokiObject **instances = NULL;
nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
+
/* get a session for the token */
session = nssTrustDomain_GetSessionForToken(td, token);
- if (!session) {
- nssToken_Destroy(token);
- goto loser;
+ if (session) {
+ /* perform the traversal */
+ instances = nssToken_FindCRLsBySubject(token, session, subject,
+ tokenOnly, 0, &status);
}
- /* perform the traversal */
- instances = nssToken_FindCRLsBySubject(token, session, subject,
- tokenOnly, 0, &status);
nssToken_Destroy(token);
- if (status != PR_SUCCESS) {
- goto loser;
+ if (status == PR_SUCCESS) {
+ /* add the found CRL's to the collection */
+ status = nssPKIObjectCollection_AddInstances(collection,
+ instances, 0);
}
- /* add the found CRL's to the collection */
- status = nssPKIObjectCollection_AddInstances(collection,
- instances, 0);
nss_ZFreeIf(instances);
- if (status != PR_SUCCESS) {
- goto loser;
- }
}
}
rvCRLs = nssPKIObjectCollection_GetCRLs(collection, NULL, 0, NULL);
- nssPKIObjectCollection_Destroy(collection);
- nssSlotArray_Destroy(slots);
- return rvCRLs;
loser:
nssPKIObjectCollection_Destroy(collection);
nssSlotArray_Destroy(slots);
- return (NSSCRL **)NULL;
+ return rvCRLs;
}
NSS_IMPLEMENT PRStatus
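Review bot: After this change a token whose session lookup or CRL search fails is skipped silently, so nssTrustDomain_FindCRLsBySubject can return a partial CRL set with nothing telling the caller that a token was not consulted. For revocation data that distinction matters: an incomplete set looks the same as "no CRL covers this subject", and how callers treat that case is not visible here. At minimum the loop should carry a comment such as `/* best effort: a token that fails contributes no CRLs, so the result may be incomplete */`. The `status` assigned from nssPKIObjectCollection_AddInstances is also never read afterwards, so an add failure is dropped as well; writing `(void)nssPKIObjectCollection_AddInstances(collection, instances, 0);` would make that intent explicit.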