diff options
author | ian.mcgreer%sun.com <devnull@localhost> | 2002-04-19 23:06:44 +0000 |
---|---|---|
committer | ian.mcgreer%sun.com <devnull@localhost> | 2002-04-19 23:06:44 +0000 |
commit | 182a7dbba04d34efa398ceea337be7914471bf7c (patch) | |
tree | 34c66f0ce390ff613811108278003a5b61e84af9 | |
parent | 144b72ff47abd7e305b0c13b3ff4592a4c701f64 (diff) | |
download | nss-hg-182a7dbba04d34efa398ceea337be7914471bf7c.tar.gz |
re-sync the trust domain cache with token insertion/removal
-rw-r--r-- | security/nss/lib/dev/dev.h | 6 | ||||
-rw-r--r-- | security/nss/lib/dev/devslot.c | 7 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/dev3hack.c | 33 | ||||
-rw-r--r-- | security/nss/lib/pki/pkim.h | 7 | ||||
-rw-r--r-- | security/nss/lib/pki/tdcache.c | 106 |
5 files changed, 130 insertions, 29 deletions
diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h index 612c0c018..d9b898cf2 100644 --- a/security/nss/lib/dev/dev.h +++ b/security/nss/lib/dev/dev.h @@ -946,6 +946,12 @@ nssToken_GetTrustOrder NSSToken *tok ); +NSS_EXTERN PRStatus +nssToken_NofifyCertsNotVisible +( + NSSToken *tok +); + #endif PR_END_EXTERN_C diff --git a/security/nss/lib/dev/devslot.c b/security/nss/lib/dev/devslot.c index 6950256ad..437fbfdb3 100644 --- a/security/nss/lib/dev/devslot.c +++ b/security/nss/lib/dev/devslot.c @@ -293,6 +293,13 @@ nssSlot_IsTokenPresent session->handle = CK_INVALID_SESSION; } nssSession_ExitMonitor(session); +#ifdef NSS_3_4_CODE + if (slot->token->base.name[0] != 0) { + /* notify the high-level cache that the token is removed */ + slot->token->base.name[0] = 0; /* XXX */ + nssToken_NofifyCertsNotVisible(slot->token); + } +#endif slot->token->base.name[0] = 0; /* XXX */ return PR_FALSE; #ifdef PURE_STAN_CODE diff --git a/security/nss/lib/pk11wrap/dev3hack.c b/security/nss/lib/pk11wrap/dev3hack.c index 57fbb37c0..3f481ce9d 100644 --- a/security/nss/lib/pk11wrap/dev3hack.c +++ b/security/nss/lib/pk11wrap/dev3hack.c @@ -49,6 +49,7 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"; #include "pki3hack.h" #include "dev3hack.h" +#include "pkim.h" #ifndef BASE_H #include "base.h" @@ -230,9 +231,17 @@ nssSlot_Refresh ) { PK11SlotInfo *nss3slot = slot->pk11slot; + PRBool doit = PR_FALSE; + if (slot->token->base.name[0] == 0) { + doit = PR_TRUE; + } if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) { return PR_FAILURE; } + if (doit) { + nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain, + slot->token); + } return nssToken_Refresh(slot->token); } @@ -268,25 +277,19 @@ nssToken_GetTrustDomain(NSSToken *token) return token->trustDomain; } -typedef enum { - nssPK11Event_DefaultSessionRO = 0, - nssPK11Event_DefaultSessionRW = 1 -} nssPK11Event; +NSS_EXTERN PRStatus +nssTrustDomain_RemoveTokenCertsFromCache +( + NSSTrustDomain *td, + NSSToken *token +); NSS_IMPLEMENT PRStatus -nssToken_Nofify +nssToken_NofifyCertsNotVisible ( - NSSToken *tok, - nssPK11Event event + NSSToken *tok ) - { -#ifdef notdef - switch (event) { - default: - return PR_FAILURE; - } -#endif - return PR_FAILURE; + return nssTrustDomain_RemoveTokenCertsFromCache(tok->trustDomain, tok); } diff --git a/security/nss/lib/pki/pkim.h b/security/nss/lib/pki/pkim.h index 16ac87f3c..55708cddf 100644 --- a/security/nss/lib/pki/pkim.h +++ b/security/nss/lib/pki/pkim.h @@ -610,6 +610,13 @@ nssTrustDomain_RemoveTokenCertsFromCache NSSToken *token ); +NSS_EXTERN PRStatus +nssTrustDomain_UpdateCachedTokenCerts +( + NSSTrustDomain *td, + NSSToken *token +); + /* * Find all cached certs with this nickname (label). */ diff --git a/security/nss/lib/pki/tdcache.c b/security/nss/lib/pki/tdcache.c index 4af45ac5f..8e575dc08 100644 --- a/security/nss/lib/pki/tdcache.c +++ b/security/nss/lib/pki/tdcache.c @@ -61,6 +61,8 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"; #ifdef NSS_3_4_CODE #include "cert.h" +#include "dev.h" +#include "pki3hack.h" #endif #ifdef DEBUG_CACHE @@ -447,23 +449,39 @@ nssTrustDomain_FlushCache { } -struct token_cert_destructor { - nssTDCertificateCache *cache; +struct token_cert_dtor { NSSToken *token; + nssTDCertificateCache *cache; + NSSCertificate **certs; + PRUint32 numCerts, arrSize; }; static void remove_token_certs(const void *k, void *v, void *a) { -#if 0 - struct NSSItem *identifier = (struct NSSItem *)k; - NSSCertificate *c = (NSSCertificate *)v; - struct token_cert_destructor *tcd = (struct token_cert_destructor *)a; - if (c->token == tcd->token) { - nssHash_Remove(tcd->cache->issuerAndSN, identifier); - /* remove from the other hashes */ + NSSCertificate *c = (NSSCertificate *)k; + nssPKIObject *object = &c->object; + struct token_cert_dtor *dtor = a; + PRUint32 i; + PZ_Lock(object->lock); + for (i=0; i<object->numInstances; i++) { + if (object->instances[i]->token == dtor->token) { + nssCryptokiObject_Destroy(object->instances[i]); + object->instances[i] = object->instances[object->numInstances-1]; + object->instances[object->numInstances-1] = NULL; + object->numInstances--; + dtor->certs[dtor->numCerts++] = nssCertificate_AddRef(c); + if (dtor->numCerts == dtor->arrSize) { + dtor->arrSize *= 2; + dtor->certs = nss_ZREALLOCARRAY(dtor->certs, + NSSCertificate *, + dtor->arrSize); + } + break; + } } -#endif + PZ_Unlock(object->lock); + return; } /* @@ -477,12 +495,72 @@ nssTrustDomain_RemoveTokenCertsFromCache NSSToken *token ) { - struct token_cert_destructor tcd; - tcd.cache = td->cache; - tcd.token = token; + NSSCertificate **certs; + PRUint32 i, arrSize = 10; + struct token_cert_dtor dtor; + certs = nss_ZNEWARRAY(NULL, NSSCertificate *, arrSize); + if (!certs) { + return PR_FAILURE; + } + dtor.cache = td->cache; + dtor.token = token; + dtor.certs = certs; + dtor.numCerts = 0; + dtor.arrSize = arrSize; PZ_Lock(td->cache->lock); - nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, (void *)&tcd); + nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, (void *)&dtor); PZ_Unlock(td->cache->lock); + for (i=0; i<dtor.numCerts; i++) { + if (dtor.certs[i]->object.numInstances == 0) { + nssTrustDomain_RemoveCertFromCache(td, dtor.certs[i]); + } else { + STAN_ForceCERTCertificateUpdate(dtor.certs[i]); + } + nssCertificate_Destroy(dtor.certs[i]); + } + nss_ZFreeIf(dtor.certs); + return PR_SUCCESS; +} + +NSS_IMPLEMENT PRStatus +nssTrustDomain_UpdateCachedTokenCerts +( + NSSTrustDomain *td, + NSSToken *token +) +{ + NSSCertificate **cp, **cached = NULL; + nssList *certList; + PRUint32 count; + certList = nssList_Create(NULL, PR_FALSE); + if (!certList) return PR_FAILURE; + (void *)nssTrustDomain_GetCertsFromCache(td, certList); + count = nssList_Count(certList); + if (count > 0) { + cached = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1); + if (!cached) { + return PR_FAILURE; + } + nssList_GetArray(certList, (void **)cached, count); + nssList_Destroy(certList); + for (cp = cached; *cp; cp++) { + nssCryptokiObject *instance; + NSSCertificate *c = *cp; + nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; + instance = nssToken_FindCertificateByIssuerAndSerialNumber( + token, + NULL, + &c->issuer, + &c->serial, + tokenOnly, + NULL); + if (instance) { + nssPKIObject_AddInstance(&c->object, instance); + STAN_ForceCERTCertificateUpdate(c); + } + } + nssCertificateArray_Destroy(cached); + } return PR_SUCCESS; } |