diff options
author | jpierre%netscape.com <devnull@localhost> | 2002-06-27 00:18:41 +0000 |
---|---|---|
committer | jpierre%netscape.com <devnull@localhost> | 2002-06-27 00:18:41 +0000 |
commit | d108d746f52d6b7432800837167b113c6cda4d99 (patch) | |
tree | 444525f8b5a68bfbe96c60f751cb295b0566a060 | |
parent | 279e17db220d6c5f4390f241814d16c7a2f5524a (diff) | |
parent | fb3d3830d4453a20a8a8bcd4e195e4c1cba8d038 (diff) | |
download | nss-hg-d108d746f52d6b7432800837167b113c6cda4d99.tar.gz |
Fix for 154212 - make CERT_SaveSMimeProfile copy the cert to the database if it
comes from an external source
-rw-r--r-- | security/coreconf/Darwin.mk | 2 | ||||
-rw-r--r-- | security/coreconf/rules.mk | 5 | ||||
-rw-r--r-- | security/nss/lib/certdb/cert.h | 22 | ||||
-rw-r--r-- | security/nss/lib/certdb/certt.h | 17 | ||||
-rw-r--r-- | security/nss/lib/certdb/crl.c | 58 | ||||
-rw-r--r-- | security/nss/lib/certdb/stanpcertdb.c | 19 |
6 files changed, 121 insertions, 2 deletions
diff --git a/security/coreconf/Darwin.mk b/security/coreconf/Darwin.mk index 6c2b93c9d..59f5af8fd 100644 --- a/security/coreconf/Darwin.mk +++ b/security/coreconf/Darwin.mk @@ -70,5 +70,7 @@ DSO_LDOPTS = -dynamiclib -compatibility_version 1 -current_version 1 -install_na MKSHLIB = $(CC) -arch $(CPU_ARCH) $(DSO_LDOPTS) DLL_SUFFIX = dylib +PROCESS_MAP_FILE = grep -v ';+' $(LIBRARY_NAME).def | grep -v ';-' | \ + sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,_,' > $@ G++INCLUDES = -I/usr/include/g++ diff --git a/security/coreconf/rules.mk b/security/coreconf/rules.mk index 76043627a..c53c1ffc5 100644 --- a/security/coreconf/rules.mk +++ b/security/coreconf/rules.mk @@ -364,6 +364,11 @@ endif ifeq ($(OS_TARGET),OpenVMS) @echo "`translate $@`" > $(@:$(DLL_SUFFIX)=vms) endif +ifeq ($(OS_TARGET),Darwin) +ifdef MAPFILE + nmedit -s $(MAPFILE) $@ +endif +endif endif endif diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h index ad0f6864e..3b1081bb8 100644 --- a/security/nss/lib/certdb/cert.h +++ b/security/nss/lib/certdb/cert.h @@ -385,6 +385,7 @@ CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nicknam */ #define SEC_CRL_TYPE 1 #define SEC_KRL_TYPE 0 +#define SEC_CRL_TYPE_NO_ENTRIES 2 extern CERTSignedCrl * CERT_DecodeDERCrl (PRArenaPool *arena, SECItem *derSignedCrl,int type); @@ -532,6 +533,27 @@ extern SECStatus CERT_VerifySignedData(CERTSignedData *sd, void *wincx); /* +** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use +** verify a certificate by checking validity times against a certain time, +** that we trust the issuer, and that the signature on the certificate is +** valid. +** "cert" the certificate to verify +** "checkSig" only check signatures if true +*/ +extern SECStatus +CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert, + PRBool checkSig, SECCertificateUsage requiredUsages, + int64 t, void *wincx, CERTVerifyLog *log, + SECCertificateUsage* returnedUsages); + +/* same as above, but uses current time */ +extern SECStatus +CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert, + PRBool checkSig, SECCertificateUsage requiredUsages, + void *wincx, SECCertificateUsage* returnedUsages); + +/* +** OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE ** verify a certificate by checking validity times against a certain time, ** that we trust the issuer, and that the signature on the certificate is ** valid. diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h index 3f70dcc84..d2cabb66d 100644 --- a/security/nss/lib/certdb/certt.h +++ b/security/nss/lib/certdb/certt.h @@ -473,6 +473,23 @@ typedef enum SECCertUsageEnum { certUsageAnyCA = 11 } SECCertUsage; +typedef PRInt32 SECCertificateUsage; + +#define certificateUsageSSLClient (0x0001) +#define certificateUsageSSLServer (0x0002) +#define certificateUsageSSLServerWithStepUp (0x0004) +#define certificateUsageSSLCA (0x0008) +#define certificateUsageEmailSigner (0x0010) +#define certificateUsageEmailRecipient (0x0020) +#define certificateUsageObjectSigner (0x0040) +#define certificateUsageUserCertImport (0x0080) +#define certificateUsageVerifyCA (0x0100) +#define certificateUsageProtectedObjectSigner (0x0200) +#define certificateUsageStatusResponder (0x0400) +#define certificateUsageAnyCA (0x0800) + +#define highestUsage certificateUsageAnyCA + /* * Does the cert belong to the user, a peer, or a CA. */ diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c index 8eb90005a..944a202c6 100644 --- a/security/nss/lib/certdb/crl.c +++ b/security/nss/lib/certdb/crl.c @@ -152,6 +152,11 @@ static const SEC_ASN1Template cert_CrlEntryTemplate[] = { { 0 } }; +static const SEC_ASN1Template cert_CrlSkipEntryTemplate[] = { + { SEC_ASN1_SKIP_REST }, + { 0 } +}; + const SEC_ASN1Template CERT_CrlTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTCrl) }, @@ -178,6 +183,34 @@ const SEC_ASN1Template CERT_CrlTemplate[] = { { 0 } }; +const SEC_ASN1Template CERT_CrlTemplateNoEntries[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(CERTCrl) }, + { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof (CERTCrl, version) }, + { SEC_ASN1_INLINE, + offsetof(CERTCrl,signatureAlg), + SECOID_AlgorithmIDTemplate }, + { SEC_ASN1_SAVE, + offsetof(CERTCrl,derName) }, + { SEC_ASN1_INLINE, + offsetof(CERTCrl,name), + CERT_NameTemplate }, + { SEC_ASN1_UTC_TIME, + offsetof(CERTCrl,lastUpdate) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_UTC_TIME, + offsetof(CERTCrl,nextUpdate) }, +/* { SEC_ASN1_SKIP | SEC_ASN1_SEQUENCE_OF }, */ +/* { SEC_ASN1_SKIP | SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF }, */ + { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF, + offsetof(CERTCrl,entries), + cert_CrlSkipEntryTemplate }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_EXPLICIT | 0, + offsetof(CERTCrl,extensions), + SEC_CERTExtensionsTemplate}, + { 0 } +}; + static const SEC_ASN1Template cert_SignedCrlTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTSignedCrl) }, @@ -194,6 +227,22 @@ static const SEC_ASN1Template cert_SignedCrlTemplate[] = { { 0 } }; +static const SEC_ASN1Template cert_SignedCrlTemplateNoEntries[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(CERTSignedCrl) }, + { SEC_ASN1_SAVE, + offsetof(CERTSignedCrl,signatureWrap.data) }, + { SEC_ASN1_INLINE, + offsetof(CERTSignedCrl,crl), + CERT_CrlTemplateNoEntries }, + { SEC_ASN1_INLINE, + offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm), + SECOID_AlgorithmIDTemplate }, + { SEC_ASN1_BIT_STRING, + offsetof(CERTSignedCrl,signatureWrap.signature) }, + { 0 } +}; + const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[] = { { SEC_ASN1_SET_OF, 0, cert_SignedCrlTemplate }, }; @@ -320,6 +369,8 @@ CERT_DecodeDERCrl(PRArenaPool *narena, SECItem *derSignedCrl, int type) PRArenaPool *arena; CERTSignedCrl *crl; SECStatus rv; + const SEC_ASN1Template* crlTemplate = cert_SignedCrlTemplate; /* use full + template for decoding CRLs */ /* make a new arena */ if (narena == NULL) { @@ -353,9 +404,14 @@ CERT_DecodeDERCrl(PRArenaPool *narena, SECItem *derSignedCrl, int type) /* decode the CRL info */ switch (type) { + case SEC_CRL_TYPE_NO_ENTRIES: + crlTemplate = cert_SignedCrlTemplateNoEntries; /* trimmed template */ + crl->crl.entries = NULL; + /* fall through */ + case SEC_CRL_TYPE: rv = SEC_ASN1DecodeItem - (arena, crl, cert_SignedCrlTemplate, derSignedCrl); + (arena, crl, crlTemplate, derSignedCrl); if (rv != SECSuccess) break; /* check for critical extentions */ diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c index 654da08dd..3f52f438e 100644 --- a/security/nss/lib/certdb/stanpcertdb.c +++ b/security/nss/lib/certdb/stanpcertdb.c @@ -747,7 +747,24 @@ CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile, NSSCryptoContext *cc; nssSMIMEProfile *stanProfile = NULL; PRBool freeOldProfile = PR_FALSE; - + PK11SlotInfo* internalslot = PK11_GetInternalKeySlot(); + + if (cert && cert->slot != internalslot) { + /* this cert comes from an external source, we need to add it + to the cert db before creating an S/MIME profile */ + rv = PK11_ImportCert(internalslot, cert, + CK_INVALID_HANDLE, NULL, PR_FALSE); + + PK11_FreeSlot(internalslot); + + if (rv != SECSuccess ) + { + return SECFailure; + } + } else { + PK11_FreeSlot(internalslot); + } + emailAddr = cert->emailAddr; if ( emailAddr == NULL ) { |