diff options
| author | relyea%netscape.com <devnull@localhost> | 2002-08-27 23:38:29 +0000 |
|---|---|---|
| committer | relyea%netscape.com <devnull@localhost> | 2002-08-27 23:38:29 +0000 |
| commit | 7aea5036c858194843995413c96d53665aa6cb64 (patch) | |
| tree | 023c139f7fbec6d45dc283e2a5743c87d9dc6598 | |
| parent | de9a7e9f25b990d4d8bbb595ee718167727c4a03 (diff) | |
| download | nss-hg-7aea5036c858194843995413c96d53665aa6cb64.tar.gz | |
close hole in trust lookups.
| -rw-r--r-- | security/nss/lib/dev/ckhelper.c | 4 | ||||
| -rw-r--r-- | security/nss/lib/dev/dev.h | 1 | ||||
| -rw-r--r-- | security/nss/lib/pki/certificate.c | 22 | ||||
| -rw-r--r-- | security/nss/lib/pki/pkim.h | 3 | ||||
| -rw-r--r-- | security/nss/lib/pki/trustdomain.c | 2 |
5 files changed, 28 insertions, 4 deletions
diff --git a/security/nss/lib/dev/ckhelper.c b/security/nss/lib/dev/ckhelper.c index 26c4b58e4..19099df33 100644 --- a/security/nss/lib/dev/ckhelper.c +++ b/security/nss/lib/dev/ckhelper.c @@ -552,6 +552,7 @@ nssCryptokiTrust_GetAttributes ( nssCryptokiObject *trustObject, nssSession *sessionOpt, + NSSItem *sha1_hash, nssTrustLevel *serverAuth, nssTrustLevel *clientAuth, nssTrustLevel *codeSigning, @@ -564,7 +565,7 @@ nssCryptokiTrust_GetAttributes CK_BBOOL isToken; CK_TRUST saTrust, caTrust, epTrust, csTrust; CK_ATTRIBUTE_PTR attr; - CK_ATTRIBUTE trust_template[5]; + CK_ATTRIBUTE trust_template[6]; CK_ULONG trust_size; /* Use the trust object to find the trust settings */ @@ -574,6 +575,7 @@ nssCryptokiTrust_GetAttributes NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CLIENT_AUTH, caTrust); NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_EMAIL_PROTECTION, epTrust); NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING, csTrust); + NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH, sha1_hash); NSS_CK_TEMPLATE_FINISH(trust_template, attr, trust_size); status = nssToken_GetCachedObjectAttributes(trustObject->token, NULL, diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h index ef2853336..fc6e2091d 100644 --- a/security/nss/lib/dev/dev.h +++ b/security/nss/lib/dev/dev.h @@ -741,6 +741,7 @@ nssCryptokiTrust_GetAttributes ( nssCryptokiObject *trustObject, nssSession *sessionOpt, + NSSItem *sha1_hash, nssTrustLevel *serverAuth, nssTrustLevel *clientAuth, nssTrustLevel *codeSigning, diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/certificate.c index c4ef4fb3f..4761948f1 100644 --- a/security/nss/lib/pki/certificate.c +++ b/security/nss/lib/pki/certificate.c @@ -53,6 +53,8 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"; #ifdef NSS_3_4_CODE #include "pki3hack.h" +#include "pk11func.h" +#include "hasht.h" #endif #ifndef BASE_H @@ -950,15 +952,20 @@ nssCertificateList_AddReferences NSS_IMPLEMENT NSSTrust * nssTrust_Create ( - nssPKIObject *object + nssPKIObject *object, + NSSItem *certData ) { PRStatus status; PRUint32 i; PRUint32 lastTrustOrder, myTrustOrder; + unsigned char sha1_hashcmp[SHA1_LENGTH]; + unsigned char sha1_hashin[SHA1_LENGTH]; + NSSItem sha1_hash; NSSTrust *rvt; nssCryptokiObject *instance; nssTrustLevel serverAuth, clientAuth, codeSigning, emailProtection; + SECStatus rv; /* Should be stan flavor */ lastTrustOrder = 1<<16; /* just make it big */ PR_ASSERT(object->instances != NULL && object->numInstances > 0); rvt = nss_ZNEW(object->arena, NSSTrust); @@ -966,12 +973,21 @@ nssTrust_Create return (NSSTrust *)NULL; } rvt->object = *object; + + /* should be stan flavor of Hashbuf */ + rv = PK11_HashBuf(SEC_OID_SHA1,sha1_hashcmp,certData->data,certData->size); + if (rv != SECSuccess) { + return (NSSTrust *)NULL; + } + sha1_hash.data = sha1_hashin; + sha1_hash.size = sizeof (sha1_hashin); /* trust has to peek into the base object members */ PZ_Lock(object->lock); for (i=0; i<object->numInstances; i++) { instance = object->instances[i]; myTrustOrder = nssToken_GetTrustOrder(instance->token); status = nssCryptokiTrust_GetAttributes(instance, NULL, + &sha1_hash, &serverAuth, &clientAuth, &codeSigning, @@ -980,6 +996,10 @@ nssTrust_Create PZ_Unlock(object->lock); return (NSSTrust *)NULL; } + if (PORT_Memcmp(sha1_hashin,sha1_hashcmp,SHA1_LENGTH) != 0) { + PZ_Unlock(object->lock); + return (NSSTrust *)NULL; + } if (rvt->serverAuth == nssTrustLevel_Unknown || myTrustOrder < lastTrustOrder) { diff --git a/security/nss/lib/pki/pkim.h b/security/nss/lib/pki/pkim.h index 170a4d938..c1fe3e146 100644 --- a/security/nss/lib/pki/pkim.h +++ b/security/nss/lib/pki/pkim.h @@ -247,7 +247,8 @@ nssDecodedCert_Destroy NSS_EXTERN NSSTrust * nssTrust_Create ( - nssPKIObject *object + nssPKIObject *object, + NSSCertificate *nssCert ); NSS_EXTERN NSSCRL * diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c index c5e3dc337..15542c568 100644 --- a/security/nss/lib/pki/trustdomain.c +++ b/security/nss/lib/pki/trustdomain.c @@ -1261,7 +1261,7 @@ nssTrustDomain_FindTrustForCertificate } } if (pkio) { - rvt = nssTrust_Create(pkio); + rvt = nssTrust_Create(pkio, &c->encoding); if (!rvt) { goto loser; } |