author | nelson%bolyard.com <devnull@localhost> | 2008-12-03 04:53:00 +0000 |
---|---|---|
committer | nelson%bolyard.com <devnull@localhost> | 2008-12-03 04:53:00 +0000 |
commit | 8c6b5db249c0578c0d8121903b5978cab799b8d8 (patch) | |
tree | aeb9f34e5b0048afce6406d13b12dbeeec99bffd | |
parent | 0df396ec8baa811511a6e8ec62a58480ab9fcecc (diff) | |
download | nss-hg-8c6b5db249c0578c0d8121903b5978cab799b8d8.tar.gz |
Bug 444850: NSS misbehaves badly in the presence of a disabled PKCS#11 slot NSS_3_11_10_RTM NSS_3_11_10_RC3
r=rrelyea,alexei
-rw-r--r-- | security/nss/lib/dev/ckhelper.c | 20 | ||||
-rw-r--r-- | security/nss/lib/dev/dev.h | 27 | ||||
-rw-r--r-- | security/nss/lib/dev/devslot.c | 4 | ||||
-rw-r--r-- | security/nss/lib/dev/devtoken.c | 187 | ||||
-rw-r--r-- | security/nss/lib/dev/devutil.c | 220 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/dev3hack.c | 9 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11cert.c | 91 | ||||
-rw-r--r-- | security/nss/lib/pki/trustdomain.c | 253 |
8 files changed, 306 insertions, 505 deletions
diff --git a/security/nss/lib/dev/ckhelper.c b/security/nss/lib/dev/ckhelper.c index 61a854ce1..cabd82721 100644 --- a/security/nss/lib/dev/ckhelper.c +++ b/security/nss/lib/dev/ckhelper.c @@ -359,6 +359,10 @@ nssCryptokiCertificate_GetAttributes ( session = sessionOpt ? sessionOpt : nssToken_GetDefaultSession(certObject->token); + if (!session) { + nss_SetError(NSS_ERROR_INVALID_ARGUMENT); + return PR_FAILURE; + } slot = nssToken_GetSlot(certObject->token); status = nssCKObject_GetAttributes(certObject->handle, @@ -457,6 +461,10 @@ nssCryptokiTrust_GetAttributes ( session = sessionOpt ? sessionOpt : nssToken_GetDefaultSession(trustObject->token); + if (!session) { + nss_SetError(NSS_ERROR_INVALID_ARGUMENT); + return PR_FAILURE; + } slot = nssToken_GetSlot(trustObject->token); status = nssCKObject_GetAttributes(trustObject->handle, @@ -522,6 +530,10 @@ nssCryptokiCRL_GetAttributes ( session = sessionOpt ? sessionOpt : nssToken_GetDefaultSession(crlObject->token); + if (session == NULL) { + nss_SetError(NSS_ERROR_INVALID_ARGUMENT); + return PR_FAILURE; + } slot = nssToken_GetSlot(crlObject->token); status = nssCKObject_GetAttributes(crlObject->handle, @@ -580,14 +592,16 @@ nssCryptokiPrivateKey_SetCertificate ( if (sessionOpt) { if (!nssSession_IsReadWrite(sessionOpt)) { return PR_FAILURE; - } else { - session = sessionOpt; } - } else if (nssSession_IsReadWrite(defaultSession)) { + session = sessionOpt; + } else if (defaultSession && nssSession_IsReadWrite(defaultSession)) { session = defaultSession; } else { NSSSlot *slot = nssToken_GetSlot(token); session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE); + if (!session) { + return PR_FAILURE; + } createdSession = PR_TRUE; nssSlot_Destroy(slot); } diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h index 4d12a30ba..b158266e8 100644 --- a/security/nss/lib/dev/dev.h +++ b/security/nss/lib/dev/dev.h 
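Review bot: In the last ckhelper.c hunk (nssCryptokiPrivateKey_SetCertificate), the new `if (!session) { return PR_FAILURE; }` returns before `nssSlot_Destroy(slot)`, so the slot obtained from `nssToken_GetSlot(token)` two lines earlier is never released on this path, which presumably leaks a slot reference each time session creation fails. Release it first: `if (!session) { nssSlot_Destroy(slot); return PR_FAILURE; }`. This branch also sets no error code, unlike the three GetAttributes hunks above it, which call `nss_SetError` before failing. The function body continues outside the hunk.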
@@ -389,15 +389,13 @@ nssSlot_CreateSession * nssToken_GenerateKeyPair * nssToken_GenerateSymmetricKey * nssToken_DeleteStoredObject - * nssToken_FindCertificates + * nssToken_FindObjects * nssToken_FindCertificatesBySubject * nssToken_FindCertificatesByNickname * nssToken_FindCertificatesByEmail * nssToken_FindCertificateByIssuerAndSerialNumber * nssToken_FindCertificateByEncodedCertificate - * nssToken_FindTrustObjects * nssToken_FindTrustForCertificate - * nssToken_FindCRLs * nssToken_FindCRLsBySubject * nssToken_FindPrivateKeys * nssToken_FindPrivateKeyByID @@ -495,10 +493,11 @@ nssToken_DeleteStoredObject ); NSS_EXTERN nssCryptokiObject ** -nssToken_FindCertificates +nssToken_FindObjects ( NSSToken *token, nssSession *sessionOpt, + CK_OBJECT_CLASS objclass, nssTokenSearchType searchType, PRUint32 maximumOpt, PRStatus *statusOpt @@ -569,16 +568,6 @@ nssToken_FindCertificateByEncodedCertificate PRStatus *statusOpt ); -NSS_EXTERN nssCryptokiObject ** -nssToken_FindTrustObjects -( - NSSToken *token, - nssSession *sessionOpt, - nssTokenSearchType searchType, - PRUint32 maximumOpt, - PRStatus *statusOpt -); - NSS_EXTERN nssCryptokiObject * nssToken_FindTrustForCertificate ( @@ -591,16 +580,6 @@ nssToken_FindTrustForCertificate ); NSS_EXTERN nssCryptokiObject ** -nssToken_FindCRLs -( - NSSToken *token, - nssSession *sessionOpt, - nssTokenSearchType searchType, - PRUint32 maximumOpt, - PRStatus *statusOpt -); - -NSS_EXTERN nssCryptokiObject ** nssToken_FindCRLsBySubject ( NSSToken *token, diff --git a/security/nss/lib/dev/devslot.c b/security/nss/lib/dev/devslot.c index 4ba45bfc2..3ef843477 100644 --- a/security/nss/lib/dev/devslot.c +++ b/security/nss/lib/dev/devslot.c @@ -219,6 +219,7 @@ nssSlot_IsTokenPresent ( */ session = nssToken_GetDefaultSession(slot->token); if (session) { + PRBool isPresent = PR_FALSE; nssSession_EnterMonitor(session); if (session->handle != CK_INVALID_SESSION) { CK_SESSION_INFO sessionInfo; 
@@ -229,9 +230,10 @@ nssSlot_IsTokenPresent ( session->handle = CK_INVALID_SESSION; } } + isPresent = session->handle != CK_INVALID_SESSION; nssSession_ExitMonitor(session); /* token not removed, finished */ - if (session->handle != CK_INVALID_SESSION) + if (isPresent) return PR_TRUE; } /* the token has been removed, and reinserted, or the slot contains diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c index 2932b371b..64fe8a787 100644 --- a/security/nss/lib/dev/devtoken.c +++ b/security/nss/lib/dev/devtoken.c @@ -55,6 +55,7 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$"; #include "secerr.h" extern const NSSError NSS_ERROR_NOT_FOUND; +extern const NSSError NSS_ERROR_INVALID_ARGUMENT; /* The number of object handles to grab during each call to C_FindObjects */ #define OBJECT_STACK_SIZE 16 @@ -68,6 +69,10 @@ nssToken_Destroy ( if (PR_AtomicDecrement(&tok->base.refCount) == 0) { PZ_DestroyLock(tok->base.lock); nssTokenObjectCache_Destroy(tok->cache); + /* The token holds the first/last reference to the slot. + * When the token is actually destroyed, that ref must go too. + */ + (void)nssSlot_Destroy(tok->slot); return nssArena_Destroy(tok->base.arena); } } @@ -176,7 +181,8 @@ nssToken_DeleteStoredObject ( nssTokenObjectCache_RemoveObject(token->cache, instance); } if (instance->isTokenObject) { - if (nssSession_IsReadWrite(token->defaultSession)) { + if (token->defaultSession && + nssSession_IsReadWrite(token->defaultSession)) { session = token->defaultSession; } else { session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE); 
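Review bot: The added `(void)nssSlot_Destroy(tok->slot);` in nssToken_Destroy moves release of the slot reference from the caller into the token destructor, which changes the ownership contract for every caller of nssToken_Destroy. The matching removal is visible only for token_destructor in trustdomain.c; any other call site that still pairs nssToken_Destroy with its own `nssSlot_Destroy(tok->slot)` would now release the slot twice. It is worth confirming that no such site remains and stating the rule where nssToken_Destroy is declared, e.g. `/* Drops the token's slot reference when the last token reference goes away; callers must not release tok->slot themselves. */`. Whether nssSlot_Destroy tolerates a NULL `tok->slot` is not visible here, and the `slot->token &&` guard this commit adds in nssSlot_Refresh suggests partially built token/slot pairs do occur.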
@@ -213,11 +219,12 @@ import_object ( if (nssCKObject_IsTokenObjectTemplate(objectTemplate, otsize)) { if (sessionOpt) { if (!nssSession_IsReadWrite(sessionOpt)) { - return CK_INVALID_HANDLE; - } else { - session = sessionOpt; + nss_SetError(NSS_ERROR_INVALID_ARGUMENT); + return NULL; } - } else if (nssSession_IsReadWrite(tok->defaultSession)) { + session = sessionOpt; + } else if (tok->defaultSession && + nssSession_IsReadWrite(tok->defaultSession)) { session = tok->defaultSession; } else { session = nssSlot_CreateSession(tok->slot, NULL, PR_TRUE); @@ -227,7 +234,8 @@ import_object ( session = (sessionOpt) ? sessionOpt : tok->defaultSession; } if (session == NULL) { - return CK_INVALID_HANDLE; + nss_SetError(NSS_ERROR_INVALID_ARGUMENT); + return NULL; } nssSession_EnterMonitor(session); ckrv = CKAPI(epv)->C_CreateObject(session->handle, @@ -261,7 +269,9 @@ create_objects_from_handles ( for (--i; i>0; --i) { nssCryptokiObject_Destroy(objects[i]); } - return (nssCryptokiObject **)NULL; + nss_ZFreeIf(objects); + objects = NULL; + break; } } } @@ -288,8 +298,7 @@ find_objects ( nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession; /* Don't ask the module to use an invalid session handle. */ - PORT_Assert(session->handle != CK_INVALID_SESSION); - if (session->handle == CK_INVALID_SESSION) { + if (!session || session->handle == CK_INVALID_SESSION) { ckrv = CKR_SESSION_HANDLE_INVALID; goto loser; } 
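Review bot: The cleanup loop kept as context in the create_objects_from_handles hunk, `for (--i; i>0; --i)`, stops before index 0, so `objects[0]` is never passed to nssCryptokiObject_Destroy before the new `nss_ZFreeIf(objects)` frees the array that held it. Since the commit already rewrites this failure path, the loop should cover the first element as well: `while (i-- > 0) { nssCryptokiObject_Destroy(objects[i]); }`, which is correct whether `i` is signed or unsigned. The declaration of `i` is outside the hunk; if it is unsigned, a failure at `i == 0` would also make `--i` wrap and send the existing loop out of bounds.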
@@ -568,23 +577,24 @@ nssToken_ImportCertificate ( return rvObject; } -/* traverse all certificates - this should only happen if the token - * has been marked as "traversable" +/* traverse all objects of the given class - this should only happen + * if the token has been marked as "traversable" */ NSS_IMPLEMENT nssCryptokiObject ** -nssToken_FindCertificates ( +nssToken_FindObjects ( NSSToken *token, nssSession *sessionOpt, + CK_OBJECT_CLASS objclass, nssTokenSearchType searchType, PRUint32 maximumOpt, PRStatus *statusOpt ) { CK_ATTRIBUTE_PTR attr; - CK_ATTRIBUTE cert_template[2]; - CK_ULONG ctsize; + CK_ATTRIBUTE obj_template[2]; + CK_ULONG obj_size; nssCryptokiObject **objects; - NSS_CK_TEMPLATE_START(cert_template, attr, ctsize); + NSS_CK_TEMPLATE_START(obj_template, attr, obj_size); /* Set the search to token/session only if provided */ if (searchType == nssTokenSearchType_SessionOnly) { NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false); @@ -592,16 +602,16 @@ nssToken_FindCertificates ( searchType == nssTokenSearchType_TokenForced) { NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true); } - NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert); - NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize); + NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, objclass); + NSS_CK_TEMPLATE_FINISH(obj_template, attr, obj_size); if (searchType == nssTokenSearchType_TokenForced) { objects = find_objects(token, sessionOpt, - cert_template, ctsize, + obj_template, obj_size, maximumOpt, statusOpt); } else { objects = find_objects_by_template(token, sessionOpt, - cert_template, ctsize, + obj_template, obj_size, maximumOpt, statusOpt); } return objects; 
@@ -1110,44 +1120,6 @@ nssToken_ImportTrust ( return object; } -NSS_IMPLEMENT nssCryptokiObject ** -nssToken_FindTrustObjects ( - NSSToken *token, - nssSession *sessionOpt, - nssTokenSearchType searchType, - PRUint32 maximumOpt, - PRStatus *statusOpt -) -{ - CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST; - CK_ATTRIBUTE_PTR attr; - CK_ATTRIBUTE tobj_template[2]; - CK_ULONG tobj_size; - nssCryptokiObject **objects; - nssSession *session = sessionOpt ? sessionOpt : token->defaultSession; - - NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size); - if (searchType == nssTokenSearchType_SessionOnly) { - NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false); - } else if (searchType == nssTokenSearchType_TokenOnly || - searchType == nssTokenSearchType_TokenForced) { - NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true); - } - NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc); - NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size); - - if (searchType == nssTokenSearchType_TokenForced) { - objects = find_objects(token, session, - tobj_template, tobj_size, - maximumOpt, statusOpt); - } else { - objects = find_objects_by_template(token, session, - tobj_template, tobj_size, - maximumOpt, statusOpt); - } - return objects; -} - NSS_IMPLEMENT nssCryptokiObject * nssToken_FindTrustForCertificate ( NSSToken *token, @@ -1163,7 +1135,13 @@ nssToken_FindTrustForCertificate ( CK_ATTRIBUTE tobj_template[5]; CK_ULONG tobj_size; nssSession *session = sessionOpt ? sessionOpt : token->defaultSession; - nssCryptokiObject *object, **objects; + nssCryptokiObject *object = NULL, **objects; + + /* Don't ask the module to use an invalid session handle. */ + if (!session || session->handle == CK_INVALID_SESSION) { + PORT_SetError(SEC_ERROR_NO_TOKEN); + return object; + } NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size); if (searchType == nssTokenSearchType_SessionOnly) { 
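Review bot: The new guard in nssToken_FindTrustForCertificate reports a missing session with `PORT_SetError(SEC_ERROR_NO_TOKEN)`, while the same condition is reported with `nss_SetError(NSS_ERROR_INVALID_ARGUMENT)` in import_object (same file) and the ckhelper.c GetAttributes functions, and with `nss_SetError(NSS_ERROR_INVALID_POINTER)` in devutil.c create_object. One condition, a token with no usable session, now yields three codes through two different error-setting calls, so a caller that inspects only one of them may see a failure with no matching error. Picking one code and one call for this case across the dev layer would make failures caused by a disabled slot diagnosable. The later hunks for nssToken_FindCRLsBySubject, the nssToken_*Digest functions and nssToken_TraverseCertificates repeat the PORT_SetError form.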
@@ -1175,7 +1153,6 @@ nssToken_FindTrustForCertificate ( NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER, certIssuer); NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER , certSerial); NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size); - object = NULL; objects = find_objects_by_template(token, session, tobj_template, tobj_size, 1, NULL); @@ -1230,44 +1207,6 @@ nssToken_ImportCRL ( } NSS_IMPLEMENT nssCryptokiObject ** -nssToken_FindCRLs ( - NSSToken *token, - nssSession *sessionOpt, - nssTokenSearchType searchType, - PRUint32 maximumOpt, - PRStatus *statusOpt -) -{ - CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL; - CK_ATTRIBUTE_PTR attr; - CK_ATTRIBUTE crlobj_template[2]; - CK_ULONG crlobj_size; - nssCryptokiObject **objects; - nssSession *session = sessionOpt ? sessionOpt : token->defaultSession; - - NSS_CK_TEMPLATE_START(crlobj_template, attr, crlobj_size); - if (searchType == nssTokenSearchType_SessionOnly) { - NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false); - } else if (searchType == nssTokenSearchType_TokenOnly || - searchType == nssTokenSearchType_TokenForced) { - NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true); - } - NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, crlobjc); - NSS_CK_TEMPLATE_FINISH(crlobj_template, attr, crlobj_size); - - if (searchType == nssTokenSearchType_TokenForced) { - objects = find_objects(token, session, - crlobj_template, crlobj_size, - maximumOpt, statusOpt); - } else { - objects = find_objects_by_template(token, session, - crlobj_template, crlobj_size, - maximumOpt, statusOpt); - } - return objects; -} - -NSS_IMPLEMENT nssCryptokiObject ** nssToken_FindCRLsBySubject ( NSSToken *token, nssSession *sessionOpt, 
@@ -1281,9 +1220,15 @@ nssToken_FindCRLsBySubject ( CK_ATTRIBUTE_PTR attr; CK_ATTRIBUTE crlobj_template[3]; CK_ULONG crlobj_size; - nssCryptokiObject **objects; + nssCryptokiObject **objects = NULL; nssSession *session = sessionOpt ? sessionOpt : token->defaultSession; + /* Don't ask the module to use an invalid session handle. */ + if (!session || session->handle == CK_INVALID_SESSION) { + PORT_SetError(SEC_ERROR_NO_TOKEN); + return objects; + } + NSS_CK_TEMPLATE_START(crlobj_template, attr, crlobj_size); if (searchType == nssTokenSearchType_SessionOnly) { NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false); @@ -1334,8 +1279,14 @@ nssToken_Digest ( CK_BYTE_PTR digest; NSSItem *rvItem = NULL; void *epv = nssToken_GetCryptokiEPV(tok); - nssSession *session; - session = (sessionOpt) ? sessionOpt : tok->defaultSession; + nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession; + + /* Don't ask the module to use an invalid session handle. */ + if (!session || session->handle == CK_INVALID_SESSION) { + PORT_SetError(SEC_ERROR_NO_TOKEN); + return rvItem; + } + nssSession_EnterMonitor(session); ckrv = CKAPI(epv)->C_DigestInit(session->handle, &ap->mechanism); if (ckrv != CKR_OK) { @@ -1394,9 +1345,15 @@ nssToken_BeginDigest ( ) { CK_RV ckrv; - nssSession *session; void *epv = nssToken_GetCryptokiEPV(tok); - session = (sessionOpt) ? sessionOpt : tok->defaultSession; + nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession; + + /* Don't ask the module to use an invalid session handle. */ + if (!session || session->handle == CK_INVALID_SESSION) { + PORT_SetError(SEC_ERROR_NO_TOKEN); + return PR_FAILURE; + } + nssSession_EnterMonitor(session); ckrv = CKAPI(epv)->C_DigestInit(session->handle, &ap->mechanism); nssSession_ExitMonitor(session); 
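Review bot: In nssToken_Digest the new check reads `session->handle` before `nssSession_EnterMonitor(session)`, so the handle can presumably be invalidated by another thread between the test and the `C_DigestInit(session->handle, ...)` call that follows. The devslot.c hunk in this same commit moves exactly this kind of read inside the monitor for nssSlot_IsTokenPresent, which sets `session->handle = CK_INVALID_SESSION` while holding it. Testing the handle after entering the monitor, and exiting the monitor on the failure path, would make the guard reliable; only the NULL test on `session` itself has to stay ahead of the monitor call. The same ordering appears in the nssToken_BeginDigest, nssToken_ContinueDigest, nssToken_FinishDigest and nssToken_TraverseCertificates hunks.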
@@ -1411,9 +1368,15 @@ nssToken_ContinueDigest ( ) { CK_RV ckrv; - nssSession *session; void *epv = nssToken_GetCryptokiEPV(tok); - session = (sessionOpt) ? sessionOpt : tok->defaultSession; + nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession; + + /* Don't ask the module to use an invalid session handle. */ + if (!session || session->handle == CK_INVALID_SESSION) { + PORT_SetError(SEC_ERROR_NO_TOKEN); + return PR_FAILURE; + } + nssSession_EnterMonitor(session); ckrv = CKAPI(epv)->C_DigestUpdate(session->handle, (CK_BYTE_PTR)item->data, @@ -1435,8 +1398,14 @@ nssToken_FinishDigest ( CK_BYTE_PTR digest; NSSItem *rvItem = NULL; void *epv = nssToken_GetCryptokiEPV(tok); - nssSession *session; - session = (sessionOpt) ? sessionOpt : tok->defaultSession; + nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession; + + /* Don't ask the module to use an invalid session handle. */ + if (!session || session->handle == CK_INVALID_SESSION) { + PORT_SetError(SEC_ERROR_NO_TOKEN); + return NULL; + } + nssSession_EnterMonitor(session); ckrv = CKAPI(epv)->C_DigestFinal(session->handle, NULL, &digestLen); if (ckrv != CKR_OK || digestLen == 0) { @@ -1513,6 +1482,12 @@ nssToken_TraverseCertificates ( void *epv = nssToken_GetCryptokiEPV(token); nssSession *session = (sessionOpt) ? sessionOpt : token->defaultSession; + /* Don't ask the module to use an invalid session handle. */ + if (!session || session->handle == CK_INVALID_SESSION) { + PORT_SetError(SEC_ERROR_NO_TOKEN); + return PR_FAILURE; + } + /* template for all certs */ NSS_CK_TEMPLATE_START(cert_template, attr, ctsize); if (searchType == nssTokenSearchType_SessionOnly) { diff --git a/security/nss/lib/dev/devutil.c b/security/nss/lib/dev/devutil.c index 99bb884bc..5d0f85f5c 100644 --- a/security/nss/lib/dev/devutil.c +++ b/security/nss/lib/dev/devutil.c 
@@ -382,8 +382,15 @@ create_object ( nssCryptokiObjectAndAttributes *rvCachedObject = NULL; slot = nssToken_GetSlot(object->token); + if (!slot) { + nss_SetError(NSS_ERROR_INVALID_POINTER); + goto loser; + } session = nssToken_GetDefaultSession(object->token); - + if (!session) { + nss_SetError(NSS_ERROR_INVALID_POINTER); + goto loser; + } arena = nssArena_Create(); if (!arena) { goto loser; @@ -513,60 +520,6 @@ create_cert ( return create_object(object, certAttr, numCertAttr, status); } -static PRStatus -get_token_certs_for_cache ( - nssTokenObjectCache *cache -) -{ - PRStatus status; - nssCryptokiObject **objects; - PRBool *doIt = &cache->doObjectType[cachedCerts]; - PRUint32 i, numObjects; - - if (!search_for_objects(cache) || - cache->searchedObjectType[cachedCerts] || - !cache->doObjectType[cachedCerts]) - { - /* Either there was a state change that prevents a search - * (token logged out), or the search was already done, - * or certs are not being cached. - */ - return PR_SUCCESS; - } - objects = nssToken_FindCertificates(cache->token, NULL, - nssTokenSearchType_TokenForced, - MAX_LOCAL_CACHE_OBJECTS, &status); - if (status != PR_SUCCESS) { - return status; - } - cache->objects[cachedCerts] = create_object_array(objects, - doIt, - &numObjects, - &status); - if (status != PR_SUCCESS) { - return status; - } - for (i=0; i<numObjects; i++) { - cache->objects[cachedCerts][i] = create_cert(objects[i], &status); - if (status != PR_SUCCESS) { - break; - } - } - if (status == PR_SUCCESS) { - nss_ZFreeIf(objects); - } else { - PRUint32 j; - for (j=0; j<i; j++) { - /* sigh */ - nssToken_AddRef(cache->objects[cachedCerts][j]->object->token); - nssArena_Destroy(cache->objects[cachedCerts][j]->arena); - } - nssCryptokiObjectArray_Destroy(objects); - } - cache->searchedObjectType[cachedCerts] = PR_TRUE; - return status; -} - static nssCryptokiObjectAndAttributes * create_trust ( nssCryptokiObject *object, 
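Review bot: The two new `goto loser` exits in create_object run before `arena = nssArena_Create()`, and both the loser label and the declaration of `arena` are outside the hunk. If the label destroys `arena` and the variable is not initialised to NULL where it is declared, these paths would hand an indeterminate pointer to the cleanup code; the first exit also reaches the label with `slot == NULL`. Please confirm both cases are handled, or initialise at the declaration (`NSSArena *arena = NULL;`) and guard the cleanup calls.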
@@ -590,60 +543,6 @@ create_trust ( return create_object(object, trustAttr, numTrustAttr, status); } -static PRStatus -get_token_trust_for_cache ( - nssTokenObjectCache *cache -) -{ - PRStatus status; - nssCryptokiObject **objects; - PRBool *doIt = &cache->doObjectType[cachedTrust]; - PRUint32 i, numObjects; - - if (!search_for_objects(cache) || - cache->searchedObjectType[cachedTrust] || - !cache->doObjectType[cachedTrust]) - { - /* Either there was a state change that prevents a search - * (token logged out), or the search was already done, - * or trust is not being cached. - */ - return PR_SUCCESS; - } - objects = nssToken_FindTrustObjects(cache->token, NULL, - nssTokenSearchType_TokenForced, - MAX_LOCAL_CACHE_OBJECTS, &status); - if (status != PR_SUCCESS) { - return status; - } - cache->objects[cachedTrust] = create_object_array(objects, - doIt, - &numObjects, - &status); - if (status != PR_SUCCESS) { - return status; - } - for (i=0; i<numObjects; i++) { - cache->objects[cachedTrust][i] = create_trust(objects[i], &status); - if (status != PR_SUCCESS) { - break; - } - } - if (status == PR_SUCCESS) { - nss_ZFreeIf(objects); - } else { - PRUint32 j; - for (j=0; j<i; j++) { - /* sigh */ - nssToken_AddRef(cache->objects[cachedTrust][j]->object->token); - nssArena_Destroy(cache->objects[cachedTrust][j]->arena); - } - nssCryptokiObjectArray_Destroy(objects); - } - cache->searchedObjectType[cachedTrust] = PR_TRUE; - return status; -} - static nssCryptokiObjectAndAttributes * create_crl ( nssCryptokiObject *object, 
@@ -663,33 +562,55 @@ create_crl ( return create_object(object, crlAttr, numCRLAttr, status); } +/* Dispatch to the create function for the object type */ +static nssCryptokiObjectAndAttributes * +create_object_of_type ( + nssCryptokiObject *object, + PRUint32 objectType, + PRStatus *status +) +{ + if (objectType == cachedCerts) { + return create_cert(object, status); + } + if (objectType == cachedTrust) { + return create_trust(object, status); + } + if (objectType == cachedCRLs) { + return create_crl(object, status); + } + return (nssCryptokiObjectAndAttributes *)NULL; +} + static PRStatus -get_token_crls_for_cache ( - nssTokenObjectCache *cache +get_token_objects_for_cache ( + nssTokenObjectCache *cache, + PRUint32 objectType, + CK_OBJECT_CLASS objclass ) { PRStatus status; nssCryptokiObject **objects; - PRBool *doIt = &cache->doObjectType[cachedCRLs]; + PRBool *doIt = &cache->doObjectType[objectType]; PRUint32 i, numObjects; if (!search_for_objects(cache) || - cache->searchedObjectType[cachedCRLs] || - !cache->doObjectType[cachedCRLs]) + cache->searchedObjectType[objectType] || + !cache->doObjectType[objectType]) { /* Either there was a state change that prevents a search * (token logged out), or the search was already done, - * or CRLs are not being cached. + * or objects of this type are not being cached. */ return PR_SUCCESS; } - objects = nssToken_FindCRLs(cache->token, NULL, - nssTokenSearchType_TokenForced, - MAX_LOCAL_CACHE_OBJECTS, &status); + objects = nssToken_FindObjects(cache->token, NULL, objclass, + nssTokenSearchType_TokenForced, + MAX_LOCAL_CACHE_OBJECTS, &status); if (status != PR_SUCCESS) { return status; } - cache->objects[cachedCRLs] = create_object_array(objects, + cache->objects[objectType] = create_object_array(objects, doIt, &numObjects, &status); 
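Review bot: create_object_of_type returns NULL for an unrecognised `objectType` without touching `*status`, but get_token_objects_for_cache stores the result and then tests only `status != PR_SUCCESS`, and nssTokenObjectCache_ImportObject likewise stores the return value directly. A NULL entry could therefore be placed in the cache with a success status left over from an earlier call. Setting `*status = PR_FAILURE;` before the final `return (nssCryptokiObjectAndAttributes *)NULL;` closes that gap. The header comment could also say that `objectType` must be one of cachedCerts, cachedTrust or cachedCRLs.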
@@ -697,7 +618,9 @@ get_token_crls_for_cache ( return status; } for (i=0; i<numObjects; i++) { - cache->objects[cachedCRLs][i] = create_crl(objects[i], &status); + cache->objects[objectType][i] = create_object_of_type(objects[i], + objectType, + &status); if (status != PR_SUCCESS) { break; } @@ -708,12 +631,12 @@ get_token_crls_for_cache ( PRUint32 j; for (j=0; j<i; j++) { /* sigh */ - nssToken_AddRef(cache->objects[cachedCRLs][j]->object->token); - nssArena_Destroy(cache->objects[cachedCRLs][j]->arena); + nssToken_AddRef(cache->objects[objectType][j]->object->token); + nssArena_Destroy(cache->objects[objectType][j]->arena); } nssCryptokiObjectArray_Destroy(objects); } - cache->searchedObjectType[cachedCRLs] = PR_TRUE; + cache->searchedObjectType[objectType] = PR_TRUE; return status; } 
@@ -835,45 +758,25 @@ nssTokenObjectCache_FindObjectsByTemplate ( { PRStatus status = PR_FAILURE; nssCryptokiObject **rvObjects = NULL; + PRUint32 objectType; if (!token_is_present(cache)) { status = PR_SUCCESS; goto finish; } - PZ_Lock(cache->lock); switch (objclass) { - case CKO_CERTIFICATE: - if (cache->doObjectType[cachedCerts]) { - status = get_token_certs_for_cache(cache); - if (status != PR_SUCCESS) { - goto unlock; - } - rvObjects = find_objects_in_array(cache->objects[cachedCerts], - otemplate, otlen, maximumOpt); - } - break; - case CKO_NETSCAPE_TRUST: - if (cache->doObjectType[cachedTrust]) { - status = get_token_trust_for_cache(cache); - if (status != PR_SUCCESS) { - goto unlock; - } - rvObjects = find_objects_in_array(cache->objects[cachedTrust], - otemplate, otlen, maximumOpt); - } - break; - case CKO_NETSCAPE_CRL: - if (cache->doObjectType[cachedCRLs]) { - status = get_token_crls_for_cache(cache); - if (status != PR_SUCCESS) { - goto unlock; - } - rvObjects = find_objects_in_array(cache->objects[cachedCRLs], + case CKO_CERTIFICATE: objectType = cachedCerts; break; + case CKO_NETSCAPE_TRUST: objectType = cachedTrust; break; + case CKO_NETSCAPE_CRL: objectType = cachedCRLs; break; + default: goto finish; + } + PZ_Lock(cache->lock); + if (cache->doObjectType[objectType]) { + status = get_token_objects_for_cache(cache, objectType, objclass); + if (status == PR_SUCCESS) { + rvObjects = find_objects_in_array(cache->objects[objectType], otemplate, otlen, maximumOpt); } - break; - default: break; } -unlock: PZ_Unlock(cache->lock); finish: if (statusOpt) { 
@@ -1052,13 +955,8 @@ nssTokenObjectCache_ImportObject ( } if (*otype) { nssCryptokiObject *copyObject = nssCryptokiObject_Clone(object); - if (objectType == cachedCerts) { - (*otype)[count] = create_cert(copyObject, &status); - } else if (objectType == cachedTrust) { - (*otype)[count] = create_trust(copyObject, &status); - } else if (objectType == cachedCRLs) { - (*otype)[count] = create_crl(copyObject, &status); - } + (*otype)[count] = create_object_of_type(copyObject, objectType, + &status); } else { status = PR_FAILURE; } diff --git a/security/nss/lib/pk11wrap/dev3hack.c b/security/nss/lib/pk11wrap/dev3hack.c index c7a586305..0d643f70c 100644 --- a/security/nss/lib/pk11wrap/dev3hack.c +++ b/security/nss/lib/pk11wrap/dev3hack.c @@ -195,7 +195,12 @@ nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot) nss3slot->session, nss3slot->sessionLock, nss3slot->defRWSession); - /* continue, even if rvToken->defaultSession is NULL */ +#if 0 /* we should do this instead of blindly continuing. */ + if (!rvToken->defaultSession) { + PORT_SetError(SEC_ERROR_NO_TOKEN); + goto loser; + } +#endif if (!PK11_IsInternal(nss3slot) && PK11_IsHW(nss3slot)) { rvToken->cache = nssTokenObjectCache_Create(rvToken, PR_TRUE, PR_TRUE, PR_TRUE); @@ -271,7 +276,7 @@ nssSlot_Refresh { PK11SlotInfo *nss3slot = slot->pk11slot; PRBool doit = PR_FALSE; - if (slot->token->base.name[0] == 0) { + if (slot->token && slot->token->base.name[0] == 0) { doit = PR_TRUE; } if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) { diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c index ae7ae6bc3..1f9edfffc 100644 --- a/security/nss/lib/pk11wrap/pk11cert.c +++ b/security/nss/lib/pk11wrap/pk11cert.c 
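Review bot: In the nssTokenObjectCache_ImportObject hunk, the result of `nssCryptokiObject_Clone(object)` is passed straight to create_object_of_type without a NULL test, and create_object dereferences it at once (`nssToken_GetSlot(object->token)` in the earlier devutil.c hunk). If the clone can fail, which seems likely for an allocating call, this is a NULL dereference of the kind the commit is otherwise removing. A guard such as `if (!copyObject) { status = PR_FAILURE; } else { ... }` around the call would cover it. The enclosing function starts and ends outside the hunk.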
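Review bot: The `#if 0` block in nssToken_CreateFromPK11SlotInfo swaps a comment for disabled code, so the token is still created with a NULL `defaultSession`; that is why every consumer in this commit needs its own NULL test, and any consumer that was missed will still dereference it. The comment says the block is what the code should do but not why it is switched off. I would record the reason and the condition for enabling it next to the `#if 0`, for example `/* disabled: <reason>; enable once callers tolerate token creation failing for a disabled slot */`, so the dead code does not outlive its purpose.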
@@ -257,14 +257,18 @@ static CERTCertificate CK_ATTRIBUTE *privateLabel, char **nickptr) { NSSCertificate *c; - nssCryptokiObject *co; + nssCryptokiObject *co = NULL; nssPKIObject *pkio; NSSToken *token; NSSTrustDomain *td = STAN_GetDefaultTrustDomain(); /* Get the cryptoki object from the handle */ token = PK11Slot_GetNSSToken(slot); - co = nssCryptokiObject_Create(token, token->defaultSession, certID); + if (token->defaultSession) { + co = nssCryptokiObject_Create(token, token->defaultSession, certID); + } else { + PORT_SetError(SEC_ERROR_NO_TOKEN); + } if (!co) { return NULL; } @@ -354,8 +358,7 @@ PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID, * valid CA's which are self-signed here. They must have an object * ID of '0'. */ if (pk11_isID0(slot,certID) && - SECITEM_CompareItem(&cert->derSubject,&cert->derIssuer) - == SECEqual) { + cert->isRoot) { trustflags |= CERTDB_TRUSTED_CA; /* is the slot a fortezza card? allow the user or * admin to turn on objectSigning, but don't turn @@ -537,6 +540,10 @@ PK11_FindCertFromNickname(char *nickname, void *wincx) char *tokenName; nickCopy = PORT_Strdup(nickname); + if (!nickCopy) { + /* error code is set */ + return NULL; + } if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) { tokenName = nickCopy; nickname = delimit + 1; @@ -650,6 +657,10 @@ PK11_FindCertsFromNickname(char *nickname, void *wincx) SECStatus rv; nickCopy = PORT_Strdup(nickname); + if (!nickCopy) { + /* error code is set */ + return NULL; + } if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) { tokenName = nickCopy; nickname = delimit + 1; 
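Review bot: The new test `if (token->defaultSession)` in the first pk11cert.c hunk still dereferences `token` unchecked, so a NULL return from `PK11Slot_GetNSSToken(slot)` would crash before the guard can help. Whether that call can return NULL is not visible here, but the `slot->token &&` test this commit adds in nssSlot_Refresh suggests a slot without a token is possible. Writing `if (token && token->defaultSession)` would route that case to the existing `SEC_ERROR_NO_TOKEN` branch.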
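Review bot: In PK11_MakeCertFromHandle the condition that adds `CERTDB_TRUSTED_CA` changes from an explicit subject/issuer comparison to `cert->isRoot`, which alters a trust decision inside a commit described as handling disabled slots. How `isRoot` is computed is not visible in this diff, so it is unclear whether the set of certificates that receive the flag stays the same. The reason for the switch, and the requirement that `isRoot` be at least as strict as the old `SECITEM_CompareItem(&cert->derSubject,&cert->derIssuer) == SECEqual` test, should be stated in the comment above the `if` or in the commit message.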
@@ -738,7 +749,12 @@ PK11_FindCertsFromNickname(char *nickname, void *wincx) PRTime now = PR_Now(); certList = CERT_NewCertList(); for (i=0, c = *foundCerts; c; c = foundCerts[++i]) { - CERTCertificate *certCert = STAN_GetCERTCertificateOrRelease(c); + CERTCertificate *certCert; + if (!certList) { + nssCertificate_Destroy(c); + continue; + } + certCert = STAN_GetCERTCertificateOrRelease(c); /* c may be invalid after this, don't reference it */ if (certCert) { /* CERT_AddCertToListSorted adopts certCert */ @@ -746,7 +762,7 @@ PK11_FindCertsFromNickname(char *nickname, void *wincx) CERT_SortCBValidity, &now); } } - if (CERT_LIST_HEAD(certList) == NULL) { + if (certList && CERT_LIST_HEAD(certList) == NULL) { CERT_DestroyCertList(certList); certList = NULL; } @@ -762,7 +778,8 @@ PK11_FindCertsFromNickname(char *nickname, void *wincx) * pkcs11 to extract the public key (we currently do not), this will break. */ SECItem * -PK11_GetPubIndexKeyID(CERTCertificate *cert) { +PK11_GetPubIndexKeyID(CERTCertificate *cert) +{ SECKEYPublicKey *pubk; SECItem *newItem = NULL; @@ -795,7 +812,8 @@ PK11_GetPubIndexKeyID(CERTCertificate *cert) { * generate a CKA_ID from a certificate. */ SECItem * -pk11_mkcertKeyID(CERTCertificate *cert) { +pk11_mkcertKeyID(CERTCertificate *cert) +{ SECItem *pubKeyData = PK11_GetPubIndexKeyID(cert) ; SECItem *certCKA_ID; @@ -835,6 +853,9 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, c = cert->nssCertificate; } else { c = STAN_GetNSSCertificate(cert); + if (c == NULL) { + goto loser; + } } if (c->object.cryptoContext) { @@ -843,7 +864,6 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, nssCertificateStore_Lock(cc->certStore, &lockTrace); nssCertificateStore_RemoveCertLOCKED(cc->certStore, c); nssCertificateStore_Unlock(cc->certStore, &lockTrace, &unlockTrace); - nssCertificateStore_Check(&lockTrace, &unlockTrace); c->object.cryptoContext = NULL; cert->istemp = PR_FALSE; cert->isperm = PR_TRUE; 
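Review bot: The amended test `if (certList && CERT_LIST_HEAD(certList) == NULL)` in PK11_FindCertsFromNickname probably never fires. If CERT_LIST_HEAD follows the NSPR circular-list convention, the head of an empty list is the list's own sentinel node rather than NULL, so an empty list is returned to the caller instead of being destroyed and replaced by NULL. Comparing against the end marker, `if (certList && CERT_LIST_END(CERT_LIST_HEAD(certList), certList))`, expresses the emptiness check directly; please verify against the macro definitions, which are outside this diff.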
@@ -909,7 +929,8 @@ loser: SECStatus PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert, - CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust) { + CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust) +{ CERTCertificate *cert; SECStatus rv; @@ -950,7 +971,8 @@ pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert, */ SECKEYPrivateKey * PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert, - void *wincx) { + void *wincx) +{ int err; CK_OBJECT_CLASS certClass = CKO_CERTIFICATE; CK_ATTRIBUTE theTemplate[] = { @@ -1012,7 +1034,8 @@ PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert, */ PK11SlotInfo * PK11_KeyForCertExists(CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr, - void *wincx) { + void *wincx) +{ PK11SlotList *list; PK11SlotListElement *le; SECItem *keyID; @@ -1067,7 +1090,8 @@ PK11_KeyForCertExists(CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr, */ PK11SlotInfo * PK11_KeyForDERCertExists(SECItem *derCert, CK_OBJECT_HANDLE *keyPtr, - void *wincx) { + void *wincx) +{ CERTCertificate *cert; PK11SlotInfo *slot = NULL; @@ -1083,7 +1107,8 @@ PK11_KeyForDERCertExists(SECItem *derCert, CK_OBJECT_HANDLE *keyPtr, } PK11SlotInfo * -PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,void *wincx) { +PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,void *wincx) +{ PK11SlotInfo *slot = NULL; CK_OBJECT_HANDLE key; @@ -1102,7 +1127,8 @@ PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,void *wincx) { } PK11SlotInfo * -PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,void *wincx) { +PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,void *wincx) +{ CERTCertificate *cert; PK11SlotInfo *slot = NULL; 
@@ -1117,7 +1143,8 @@ PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,void *wincx) { static CK_OBJECT_HANDLE pk11_FindCertObjectByTemplate(PK11SlotInfo **slotPtr, - CK_ATTRIBUTE *searchTemplate, int count, void *wincx) { + CK_ATTRIBUTE *searchTemplate, int count, void *wincx) +{ PK11SlotList *list; PK11SlotListElement *le; CK_OBJECT_HANDLE certHandle = CK_INVALID_HANDLE; @@ -1358,7 +1385,8 @@ pk11_FindCertObjectByRecipient(PK11SlotInfo *slot, static CERTCertificate * pk11_AllFindCertObjectByRecipient(PK11SlotInfo **slotPtr, SEC_PKCS7RecipientInfo **recipientArray,SEC_PKCS7RecipientInfo **rip, - void *wincx) { + void *wincx) +{ PK11SlotList *list; PK11SlotListElement *le; CERTCertificate * cert = NULL; @@ -1687,6 +1715,11 @@ PK11_NumberCertsForCertSubject(CERTCertificate *cert) PK11SlotListElement *le; int count = 0; + if (!list) { + /* error code is set */ + return 0; + } + /* loop through all the fortezza tokens */ for (le = list->head; le; le = le->next) { count += PK11_NumberObjectsFor(le->slot,theTemplate,templateSize); @@ -1713,6 +1746,10 @@ PK11_TraverseCertsForSubject(CERTCertificate *cert, PR_FALSE,PR_TRUE,NULL); PK11SlotListElement *le; + if (!list) { + /* error code is set */ + return SECFailure; + } /* loop through all the tokens */ for (le = list->head; le; le = le->next) { PK11_TraverseCertsForSubjectInSlot(cert,le->slot,callback,arg); @@ -1888,8 +1925,8 @@ PK11_TraverseCertsInSlot(PK11SlotInfo *slot, } (void *)nssTrustDomain_GetCertsFromCache(td, certList); transfer_token_certs_to_collection(certList, tok, collection); - instances = nssToken_FindCertificates(tok, NULL, - tokenOnly, 0, &nssrv); + instances = nssToken_FindObjects(tok, NULL, CKO_CERTIFICATE, + tokenOnly, 0, &nssrv); nssPKIObjectCollection_AddInstances(collection, instances, 0); nss_ZFreeIf(instances); nssList_Destroy(certList); 
@@ -2101,7 +2138,8 @@ KEAPQGCompare(CERTCertificate *server,CERTCertificate *cert) { } PRBool -PK11_FortezzaHasKEA(CERTCertificate *cert) { +PK11_FortezzaHasKEA(CERTCertificate *cert) +{ /* look at the subject and see if it is a KEA for MISSI key */ SECOidData *oid; @@ -2111,8 +2149,9 @@ PK11_FortezzaHasKEA(CERTCertificate *cert) { } oid = SECOID_FindOID(&cert->subjectPublicKeyInfo.algorithm.algorithm); - - + if (!oid) { + return PR_FALSE; + } return (PRBool)((oid->offset == SEC_OID_MISSI_KEA_DSS_OLD) || (oid->offset == SEC_OID_MISSI_KEA_DSS) || (oid->offset == SEC_OID_MISSI_KEA)) ; @@ -2153,6 +2192,11 @@ PK11_FindBestKEAMatch(CERTCertificate *server, void *wincx) CERTCertificate *returnedCert = NULL; SECStatus rv; + if (!keaList) { + /* error code is set */ + return NULL; + } + /* loop through all the fortezza tokens */ for (le = keaList->head; le; le = le->next) { rv = PK11_Authenticate(le->slot, PR_TRUE, wincx); @@ -2396,6 +2440,9 @@ listCertsCallback(CERTCertificate* cert, void*arg) nssCryptokiObject **instances; NSSCertificate *c = STAN_GetNSSCertificate(cert); + if (c == NULL) { + return SECFailure; + } instances = nssPKIObject_GetInstances(&c->object); if (!instances) { return SECFailure; diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c index 9f74c0033..126977cc0 100644 --- a/security/nss/lib/pki/trustdomain.c +++ b/security/nss/lib/pki/trustdomain.c @@ -101,8 +101,10 @@ static void token_destructor(void *t) { NSSToken *tok = (NSSToken *)t; - /* in 3.4, also destroy the slot (managed separately) */ - (void)nssSlot_Destroy(tok->slot); + /* The token holds the first/last reference to the slot. + * When the token is actually destroyed (ref count == 0), + * the slot will also be destroyed. + */ nssToken_Destroy(tok); } 
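Review bot: The replacement comment in token_destructor says the token holds "the first/last reference" to the slot, which is hard to read as an ownership rule. The removed `nssSlot_Destroy(tok->slot)` appears to have been an extra release of that reference, so this comment is the main guard against someone re-adding the call. A wording such as `/* Do not destroy tok->slot here: the token owns the slot reference and releases it when its own ref count reaches 0. */` states the rule directly.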
@@ -771,6 +773,9 @@ NSSTrustDomain_FindCertificatesByNameComponents ( return NULL; } +/* This returns at most a single certificate, so it can stop the loop + * when one is found. + */ NSS_IMPLEMENT NSSCertificate * nssTrustDomain_FindCertificateByIssuerAndSerialNumber ( NSSTrustDomain *td, @@ -778,13 +783,12 @@ nssTrustDomain_FindCertificateByIssuerAndSerialNumber ( NSSDER *serial ) { - PRStatus status; - NSSToken *token = NULL; NSSSlot **slots = NULL; NSSSlot **slotp; NSSCertificate *rvCert = NULL; nssPKIObjectCollection *collection = NULL; nssUpdateLevel updateLevel; + /* see if this search is already cached */ rvCert = nssTrustDomain_GetCertForIssuerAndSNFromCache(td, issuer, 
@@ -793,61 +797,56 @@ nssTrustDomain_FindCertificateByIssuerAndSerialNumber ( return rvCert; } slots = nssTrustDomain_GetActiveSlots(td, &updateLevel); - if (!slots) { - goto loser; - } - for (slotp = slots; *slotp; slotp++) { - token = nssSlot_GetToken(*slotp); - if (token) { + if (slots) { + for (slotp = slots; *slotp; slotp++) { + NSSToken *token = nssSlot_GetToken(*slotp); nssSession *session; nssCryptokiObject *instance; nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; + PRStatus status = PR_FAILURE; + + if (!token) + continue; session = nssTrustDomain_GetSessionForToken(td, token); - if (!session) { - nssToken_Destroy(token); - goto loser; + if (session) { + instance = nssToken_FindCertificateByIssuerAndSerialNumber( + token, + session, + issuer, + serial, + tokenOnly, + &status); } - instance = nssToken_FindCertificateByIssuerAndSerialNumber( - token, - session, - issuer, - serial, - tokenOnly, - &status); nssToken_Destroy(token); if (status != PR_SUCCESS) { - goto loser; + continue; } if (instance) { if (!collection) { collection = nssCertificateCollection_Create(td, NULL); if (!collection) { - goto loser; + break; /* don't keep looping if out if memory */ } } - nssPKIObjectCollection_AddInstances(collection, - &instance, 1); + status = nssPKIObjectCollection_AddInstances(collection, + &instance, 1); + if (status == PR_SUCCESS) { + (void)nssPKIObjectCollection_GetCertificates( + collection, &rvCert, 1, NULL); + } + if (rvCert) { + break; /* found one cert, all done */ + } } } } if (collection) { - (void)nssPKIObjectCollection_GetCertificates(collection, - &rvCert, 1, NULL); - if (!rvCert) { - goto loser; - } - nssPKIObjectCollection_Destroy(collection); - } - nssSlotArray_Destroy(slots); - return rvCert; -loser: - if (collection) { nssPKIObjectCollection_Destroy(collection); } if (slots) { nssSlotArray_Destroy(slots); } - return (NSSCertificate *)NULL; + return rvCert; } NSS_IMPLEMENT NSSCertificate * 
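Review bot: When `nssCertificateCollection_Create` fails, the new `break; /* don't keep looping if out if memory */` leaves the loop while `instance` is still held, and nothing visible releases it. The trust lookup rewritten later in this commit calls `nssCryptokiObject_Destroy(to)` on its failure path, so the same call looks appropriate here: `nssCryptokiObject_Destroy(instance);` before the `break`. Whether `nssPKIObjectCollection_AddInstances` keeps ownership of `instance` when it fails is not visible in this hunk and is worth confirming as well. Declaring `nssCryptokiObject *instance = NULL;` would also stop the no-session path from depending on the `status` guard to avoid reading an unset pointer. The function's signature and opening lines are in the preceding hunk.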
@@ -1036,7 +1035,7 @@ NSSTrustDomain_TraverseCertificates ( void *arg ) { - PRStatus status; + PRStatus status = PR_FAILURE; NSSToken *token = NULL; NSSSlot **slots = NULL; NSSSlot **slotp; @@ -1047,7 +1046,8 @@ NSSTrustDomain_TraverseCertificates ( nssList *certList; certList = nssList_Create(NULL, PR_FALSE); - if (!certList) return NULL; + if (!certList) + return NULL; (void *)nssTrustDomain_GetCertsFromCache(td, certList); cached = get_certs_from_list(certList); collection = nssCertificateCollection_Create(td, cached); @@ -1070,16 +1070,14 @@ NSSTrustDomain_TraverseCertificates ( nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; /* get a session for the token */ session = nssTrustDomain_GetSessionForToken(td, token); - if (!session) { - nssToken_Destroy(token); - goto loser; + if (session) { + /* perform the traversal */ + status = nssToken_TraverseCertificates(token, + session, + tokenOnly, + collector, + collection); } - /* perform the traversal */ - status = nssToken_TraverseCertificates(token, - session, - tokenOnly, - collector, - collection); nssToken_Destroy(token); } } @@ -1088,10 +1086,6 @@ NSSTrustDomain_TraverseCertificates ( pkiCallback.func.cert = callback; pkiCallback.arg = arg; status = nssPKIObjectCollection_Traverse(collection, &pkiCallback); - /* clean up */ - nssPKIObjectCollection_Destroy(collection); - nssSlotArray_Destroy(slots); - return NULL; loser: if (slots) { nssSlotArray_Destroy(slots); 
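Review bot: In the slot loop of NSSTrustDomain_TraverseCertificates the value returned by `nssToken_TraverseCertificates` is stored in `status` but never tested in the visible lines. It is overwritten by the next token and then by `nssPKIObjectCollection_Traverse`, and the function returns NULL on every visible path. If skipping a failing token is intended, the loop should say so, e.g. `/* best effort: a token without a session or with a failed traversal is skipped */`. The function starts before this hunk and its `loser:` tail continues into the next one.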
@@ -1102,102 +1096,6 @@ loser: return NULL; } -#ifdef notdef -/* - * search for Public and Private keys first - */ -NSS_IMPLEMENT PRStatus * -NSSTrustDomain_TraverseUserCertificates ( - NSSTrustDomain *td, - PRStatus (*callback)(NSSCertificate *c, void *arg), - void *arg -) -{ - PRStatus status; - NSSToken *token = NULL; - NSSSlot **slots = NULL; - NSSSlot **slotp; - nssPKIObjectCollection *collection = NULL; - nssPKIObjectCallback pkiCallback; - nssUpdateLevel updateLevel; - NSSCertificate **cached = NULL; - nssList *certList; - certList = nssList_Create(NULL, PR_FALSE); - if (!certList) return NULL; - (void *)nssTrustDomain_GetCertsFromCache(td, certList); - cached = get_certs_from_list(certList); - collection = nssCertificateCollection_Create(td, cached); - nssCertificateArray_Destroy(cached); - nssList_Destroy(certList); - if (!collection) { - return (PRStatus *)NULL; - } - /* obtain the current set of active slots in the trust domain */ - slots = nssTrustDomain_GetActiveSlots(td, &updateLevel); - if (!slots) { - goto loser; - } - /* iterate over the slots */ - for (slotp = slots; *slotp; slotp++) { - /* get the token for the slot, if present */ - token = nssSlot_GetToken(*slotp); - if (token) { - nssSession *session; - nssCryptokiObject **instances; - nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; - /* get a session for the token */ - session = nssTrustDomain_GetSessionForToken(td, token); - if (!session) { - nssToken_Destroy(token); - goto loser; - } - /* perform the traversal */ - if (!isLoggedIn(tok)) { - instances = nssToken_FindPublicKeys(token, - session, - tokenOnly, - 0, &status); - } else { - instances = nssToken_FindPrivateKeys(token, - session, - tokenOnly, - 0, &status); - } - nssToken_Destroy(token); - if (status != PR_SUCCESS) { - goto loser; - } - /* add the found certificates to the collection */ - status = nssPKIObjectCollection_AddInstances(collection, - instances, 0); - nss_ZFreeIf(instances); - if (status != PR_SUCCESS) { - 
goto loser; - } - } - } - status = nssPKIObjectCollection_MatchCerts(collection); - if (status != PR_SUCCESS) { - goto loser; - } - /* Traverse the collection */ - pkiCallback.func.cert = callback; - pkiCallback.arg = arg; - status = nssPKIObjectCollection_Traverse(collection, &pkiCallback); - /* clean up */ - nssPKIObjectCollection_Destroy(collection); - nssSlotArray_Destroy(slots); - return NULL; -loser: - if (slots) { - nssSlotArray_Destroy(slots); - } - if (collection) { - nssPKIObjectCollection_Destroy(collection); - } - return NULL; -} -#endif NSS_IMPLEMENT NSSTrust * nssTrustDomain_FindTrustForCertificate ( @@ -1205,10 +1103,8 @@ nssTrustDomain_FindTrustForCertificate ( NSSCertificate *c ) { - PRStatus status; NSSSlot **slots; NSSSlot **slotp; - NSSToken *token; nssCryptokiObject *to = NULL; nssPKIObject *pkio = NULL; NSSTrust *rvt = NULL; @@ -1218,7 +1114,8 @@ nssTrustDomain_FindTrustForCertificate ( return (NSSTrust *)NULL; } for (slotp = slots; *slotp; slotp++) { - token = nssSlot_GetToken(*slotp); + NSSToken *token = nssSlot_GetToken(*slotp); + if (token) { to = nssToken_FindTrustForCertificate(token, NULL, &c->encoding, @@ -1226,20 +1123,15 @@ nssTrustDomain_FindTrustForCertificate ( &c->serial, nssTokenSearchType_TokenOnly); if (to) { + PRStatus status; if (!pkio) { pkio = nssPKIObject_Create(NULL, to, td, NULL, nssPKILock); - if (!pkio) { - nssToken_Destroy(token); - nssCryptokiObject_Destroy(to); - goto loser; - } + status = pkio ? PR_SUCCESS : PR_FAILURE; } else { status = nssPKIObject_AddInstance(pkio, to); - if (status != PR_SUCCESS) { - nssToken_Destroy(token); - nssCryptokiObject_Destroy(to); - goto loser; - } + } + if (status != PR_SUCCESS) { + nssCryptokiObject_Destroy(to); } } nssToken_Destroy(token); 
@@ -1247,18 +1139,15 @@ nssTrustDomain_FindTrustForCertificate ( } if (pkio) { rvt = nssTrust_Create(pkio, &c->encoding); - if (!rvt) { - goto loser; + if (rvt) { + pkio = NULL; /* rvt object now owns the pkio reference */ } } nssSlotArray_Destroy(slots); - return rvt; -loser: - nssSlotArray_Destroy(slots); if (pkio) { nssPKIObject_Destroy(pkio); } - return (NSSTrust *)NULL; + return rvt; } NSS_IMPLEMENT NSSCRL ** @@ -1267,7 +1156,6 @@ nssTrustDomain_FindCRLsBySubject ( NSSDER *subject ) { - PRStatus status; NSSSlot **slots; NSSSlot **slotp; NSSToken *token; 
@@ -1285,39 +1173,32 @@ nssTrustDomain_FindCRLsBySubject ( for (slotp = slots; *slotp; slotp++) { token = nssSlot_GetToken(*slotp); if (token) { + PRStatus status = PR_FAILURE; nssSession *session; - nssCryptokiObject **instances; + nssCryptokiObject **instances = NULL; nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; + /* get a session for the token */ session = nssTrustDomain_GetSessionForToken(td, token); - if (!session) { - nssToken_Destroy(token); - goto loser; + if (session) { + /* perform the traversal */ + instances = nssToken_FindCRLsBySubject(token, session, subject, + tokenOnly, 0, &status); } - /* perform the traversal */ - instances = nssToken_FindCRLsBySubject(token, session, subject, - tokenOnly, 0, &status); nssToken_Destroy(token); - if (status != PR_SUCCESS) { - goto loser; + if (status == PR_SUCCESS) { + /* add the found CRL's to the collection */ + status = nssPKIObjectCollection_AddInstances(collection, + instances, 0); } - /* add the found CRL's to the collection */ - status = nssPKIObjectCollection_AddInstances(collection, - instances, 0); nss_ZFreeIf(instances); - if (status != PR_SUCCESS) { - goto loser; - } } } rvCRLs = nssPKIObjectCollection_GetCRLs(collection, NULL, 0, NULL); - nssPKIObjectCollection_Destroy(collection); - nssSlotArray_Destroy(slots); - return rvCRLs; loser: nssPKIObjectCollection_Destroy(collection); nssSlotArray_Destroy(slots); - return (NSSCRL **)NULL; + return rvCRLs; } NSS_IMPLEMENT PRStatus |
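Review bot: With the `goto loser` exits removed from the loop, a token whose session cannot be obtained or whose `nssToken_FindCRLsBySubject` call fails is skipped silently, and the function returns whatever CRLs the remaining tokens supplied. A caller then cannot tell "no CRL exists for this subject" from "a token holding one was unreachable", which matters if the result feeds a revocation decision (the callers are not visible here). The `status` returned by `nssPKIObjectCollection_AddInstances` is also assigned and never read. I would at least document this above the loop, e.g. `/* best effort: a token that fails is skipped, so the result may be incomplete */`, and consider recording an error for the skipped token. The function's opening lines, including the initial value of `rvCRLs` that any remaining jump to `loser:` relies on, are outside the hunk.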