author | ian.mcgreer%sun.com <devnull@localhost> | 2003-03-14 15:43:51 +0000 |
---|---|---|
committer | ian.mcgreer%sun.com <devnull@localhost> | 2003-03-14 15:43:51 +0000 |
commit | 5d6e65a3bfaccd548ffb7290a3ce8b9361629b00 (patch) | |
tree | 6b4f67fc09d36a557a725bb7adb3189a5612055d | |
parent | 689642e9867fa9f2646f7829b76e8de53dee4cbc (diff) | |
download | nss-hg-5d6e65a3bfaccd548ffb7290a3ce8b9361629b00.tar.gz |
bug fixes
-rw-r--r-- | security/nss/cmd/cmdlib/cmdpp.c | 3 | ||||
-rw-r--r-- | security/nss/cmd/pkiutil/pkiobject.c | 10 | ||||
-rw-r--r-- | security/nss/lib/pki/asymmkey.c | 58 | ||||
-rw-r--r-- | security/nss/lib/pki/cert.c | 16 | ||||
-rw-r--r-- | security/nss/lib/pki/pkibase.c | 36 | ||||
-rw-r--r-- | security/nss/lib/pki/pkidb.c | 3 | ||||
-rw-r--r-- | security/nss/lib/pki/pkim.h | 9 | ||||
-rw-r--r-- | security/nss/lib/pki/trustdomain.c | 12 | ||||
-rw-r--r-- | security/nss/lib/pkix/include/nsspkixt.h | 2 | ||||
-rw-r--r-- | security/nss/lib/pkix/include/pkixtm.h | 7 | ||||
-rw-r--r-- | security/nss/lib/pkix/src/TBSCertificate.c | 27 | ||||
-rw-r--r-- | security/nss/lib/pkix/src/nsspkix.def | 1 | ||||
-rw-r--r-- | security/nss/lib/pkix/src/pkiglue.c | 6 | ||||
-rw-r--r-- | security/nss/tests/ssl/sslauth.txt | 4 | ||||
-rw-r--r-- | security/nss/tests/stan/stan.sh | 4 |
15 files changed, 129 insertions, 69 deletions
diff --git a/security/nss/cmd/cmdlib/cmdpp.c b/security/nss/cmd/cmdlib/cmdpp.c index 21a384131..e9c9741da 100644 --- a/security/nss/cmd/cmdlib/cmdpp.c +++ b/security/nss/cmd/cmdlib/cmdpp.c @@ -388,7 +388,8 @@ CMD_PrintPKIXTBSCertificate(CMDPrinter *printer, serialNum = NSSPKIXTBSCertificate_GetSerialNumber(tbsCert); if (serialNum) { - CMD_PrintInteger(printer, serialNum, "Serial Number"); + NSSItem *sn = NSSPKIXCertificateSerialNumber_GetSerialNumber(serialNum); + CMD_PrintInteger(printer, sn, "Serial Number"); newline_reset(printer); } diff --git a/security/nss/cmd/pkiutil/pkiobject.c b/security/nss/cmd/pkiutil/pkiobject.c index b19d60c3f..348c0dcb0 100644 --- a/security/nss/cmd/pkiutil/pkiobject.c +++ b/security/nss/cmd/pkiutil/pkiobject.c @@ -107,9 +107,11 @@ get_cert_serial_number(NSSCert *c) { NSSPKIXCertificate *pkixCert; NSSPKIXTBSCertificate *tbsCert; + NSSPKIXCertificateSerialNumber *serialNumber; pkixCert = (NSSPKIXCertificate *)NSSCert_GetDecoding(c); tbsCert = NSSPKIXCertificate_GetTBSCertificate(pkixCert); - return NSSPKIXTBSCertificate_GetSerialNumber(tbsCert); + serialNumber = NSSPKIXTBSCertificate_GetSerialNumber(tbsCert); + return NSSPKIXCertificateSerialNumber_GetSerialNumber(serialNumber); } /* XXX should have a filter function */ @@ -149,10 +151,10 @@ print_cert_callback(NSSCert *c, void *arg) CMDRunTimeData *rtData = (CMDRunTimeData *)arg; CMDPrinter printer; NSSUTF8 *nickname = nssCert_GetNickname(c, NULL); - NSSItem *serialNumber; + NSSItem *sn; NSSUsages usages; PRBool isUserCert = NSSCert_IsPrivateKeyAvailable(c, NULL, NULL); - serialNumber = get_cert_serial_number(c); + sn = get_cert_serial_number(c); if (NSSCert_GetTrustedUsages(c, &usages) == NULL) { CMD_PrintError("Failed to obtain trusted usages"); return PR_FAILURE; 
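Review bot: In `get_cert_serial_number` (pkiobject.c hunk at -107) the result of `NSSPKIXTBSCertificate_GetSerialNumber` is passed straight to `NSSPKIXCertificateSerialNumber_GetSerialNumber`, although the cmdpp.c hunk just above treats that same result as nullable (`if (serialNum)`). The accessor added in the TBSCertificate.c hunk at -620 returns `&sn->serialNumber` unconditionally, and `serialNumber` is the last member of the new struct, so a NULL input comes back as a small non-NULL pointer that `print_cert_callback` then hands to `CMD_PrintHex`. Suggest `if (!serialNumber) return NULL;` before the final return here and a matching `if (!sn) return NULL;` guard in the accessor. `NSSCert_GetDecoding` and `NSSPKIXCertificate_GetTBSCertificate` are likewise used unchecked in the context lines of this hunk.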
@@ -161,7 +163,7 @@ print_cert_callback(NSSCert *c, void *arg) CMD_InitPrinter(&printer, rtData->output.file, 0, 80); CMD_PrintCertificateTrust(&printer, &usages, NULL); PR_fprintf(rtData->output.file, " %-40s", nickname); - CMD_PrintHex(&printer, serialNumber, NULL); + CMD_PrintHex(&printer, sn, NULL); PR_fprintf(rtData->output.file, " "); PR_fprintf(rtData->output.file, "\n"); return PR_SUCCESS; diff --git a/security/nss/lib/pki/asymmkey.c b/security/nss/lib/pki/asymmkey.c index 842c5464c..e833900db 100644 --- a/security/nss/lib/pki/asymmkey.c +++ b/security/nss/lib/pki/asymmkey.c @@ -947,8 +947,15 @@ nssPublicKey_CreateFromInstance ( goto loser; } pkio->objectType = pkiObjectType_PublicKey; - pkio->numIDs = 1; - pkio->uid[0] = &rvKey->id; + switch (rvKey->info.kind) { + case NSSKeyPairType_RSA: + pkio->numIDs = 1; + pkio->uid[0] = &rvKey->info.u.rsa.modulus; + break; + default: + PR_ASSERT(0); + goto loser; + } pkio->copyToToken = copy_public_key_to_token; rvKey = (NSSPublicKey *)nssPKIObjectTable_Add(objectTable, pkio); if (!rvKey) { @@ -1031,6 +1038,7 @@ nssPublicKey_CreateFromInfo ( bko = nssToken_ImportPublicKey(token, session, &bki, PR_FALSE); if (bko) { + /* XXX this re-gets the info from the token :( */ rvbk = nssPublicKey_CreateFromInstance(bko, td, vd); if (!rvbk) { nssCryptokiObject_Destroy(bko); 
@@ -1094,50 +1102,6 @@ nssPublicKey_GetID ( } } -NSS_IMPLEMENT PRBool -nssPublicKey_HasInstanceOnToken ( - NSSPublicKey *bk, - NSSToken *token -) -{ - return nssPKIObject_HasInstanceOnToken(&bk->object, token); -} - -NSS_IMPLEMENT nssCryptokiObject * -nssPublicKey_GetInstance ( - NSSPublicKey *bk, - NSSToken *token -) -{ - return nssPKIObject_GetInstance(&bk->object, token); -} - -NSS_IMPLEMENT PRStatus -nssPublicKey_RemoveInstanceForToken ( - NSSPublicKey *bk, - NSSToken *token -) -{ - return nssPKIObject_RemoveInstanceForToken(&bk->object, token); -} - -NSS_IMPLEMENT PRIntn -nssPublicKey_CountInstances ( - NSSPublicKey *bk -) -{ - return nssPKIObject_CountInstances(&bk->object); -} - -NSS_IMPLEMENT void -nssPublicKey_SetVolatileDomain ( - NSSPublicKey *bk, - NSSVolatileDomain *vd -) -{ - nssPKIObject_SetVolatileDomain(&bk->object, vd); -} - NSS_IMPLEMENT PRStatus nssPublicKey_DeleteStoredObject ( NSSPublicKey *bk, @@ -1426,7 +1390,7 @@ nssPublicKey_GetInstanceForAlgorithmAndObject ( for (tp = tokens; *tp; tp++) { if (nssToken_DoesAlgNParam(*tp, ap)) { /* found one for the algorithm */ - instance = nssPublicKey_GetInstance(bk, *tp); + instance = nssPKIObject_GetInstance(PKIOBJECT(bk), *tp); if (instance) { /* and the public key is there as well, done */ break; diff --git a/security/nss/lib/pki/cert.c b/security/nss/lib/pki/cert.c index 6d33e94be..32f323108 100644 --- a/security/nss/lib/pki/cert.c +++ b/security/nss/lib/pki/cert.c 
@@ -190,9 +190,12 @@ nssCert_CreateFromInstance ( goto loser; } } - /* token certs trusted by default */ - rvCert->trust.trustedUsages.ca = rvCert->trust.trustedUsages.peer = ~0; - /* XXX or check trust here by looking at db? */ + status = nssTrustDomain_GetCertTrust(td, rvCert, &rvCert->trust); + if (status == PR_FAILURE) { + /* XXX this should check whether is was not found err */ + /* token certs trusted by default */ + rvCert->trust.trustedUsages.ca = rvCert->trust.trustedUsages.peer = ~0; + } return rvCert; loser: nssCert_Destroy(rvCert); @@ -279,7 +282,14 @@ nssCert_Decode ( rvCert = (NSSCert *)pkio; goto loser; } else if ((nssPKIObject *)rvCert != pkio) { + /* XXX sigh, leak it for now, until fix table removal nssCert_Destroy((NSSCert *)pkio); + */ + } else { + /* XXX */ + /* XXX this hits a lock during traversal + (void)nssTrustDomain_GetCertTrust(td, rvCert, &rvCert->trust); + */ } return rvCert; loser: diff --git a/security/nss/lib/pki/pkibase.c b/security/nss/lib/pki/pkibase.c index 1d068e47a..4b053fc0c 100644 --- a/security/nss/lib/pki/pkibase.c +++ b/security/nss/lib/pki/pkibase.c @@ -99,6 +99,12 @@ loser: return (nssPKIObject *)NULL; } +static PRStatus +nssPKIObjectTable_DestroyAndRemove ( + nssPKIObjectTable *table, + nssPKIObject *object +); + NSS_IMPLEMENT PRStatus nssPKIObject_Destroy ( nssPKIObject *object @@ -106,10 +112,14 @@ nssPKIObject_Destroy ( { PRUint32 i; PRStatus status; + nssPKIObjectTable *table = nssTrustDomain_GetObjectTable(object->td); PR_ASSERT(object->refCount > 0); + /* PR_AtomicDecrement(&object->refCount); status = PR_SUCCESS; + */ + status = nssPKIObjectTable_DestroyAndRemove(table, object); if (object->refCount == 0) { for (i=0; i<object->numInstances; i++) { nssCryptokiObject_Destroy(object->instances[i]); 
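Review bot: The fallback added to `nssCert_CreateFromInstance` (cert.c hunk at -190) fails open: every `PR_FAILURE` from `nssTrustDomain_GetCertTrust`, not only "no trust record stored", sets `trustedUsages.ca` and `trustedUsages.peer` to `~0`, so a database or read error during the lookup leaves the certificate trusted for all usages. The XXX comment acknowledges the gap, but until the not-found case can be distinguished the safer behaviour is to apply the default only for not-found and take `goto loser` on any other error. If that cannot be done yet, a comment such as `/* FAIL-OPEN: lookup errors are indistinguishable from "no record" here; cert is treated as fully trusted */` would make the risk visible to callers. Note also that the second cert.c hunk leaves the equivalent lookup commented out in `nssCert_Decode`, so the two creation paths initialise trust differently.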
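Review bot: `nssPKIObject_Destroy` (pkibase.c hunk at -106) re-reads `object->refCount` after `nssPKIObjectTable_DestroyAndRemove` has released the table lock, so two threads dropping the last two references can both observe 0 and both run the teardown loop, and a thread that dropped a non-final reference may read an object another thread is already freeing. The helper itself (pkibase.c hunk at -1077) has the same pattern, `PR_AtomicDecrement(&object->refCount); if (object->refCount == 0)`, which ignores the value the decrement returns. Suggest testing the returned value, `if (PR_AtomicDecrement(&object->refCount) == 0)`, and having the helper tell `nssPKIObject_Destroy` whether this call released the last reference, so the caller never touches the field again. `table` is also fetched through `object->td` before the `PR_ASSERT` runs, and the rest of the function body lies outside the hunk.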
@@ -995,15 +1005,15 @@ static int nss_compare_pkiobjects(const void *v1, const void *v2) { int i; - int rv = 0; + int rv = 1; nssPKIObject *pkio1 = (nssPKIObject *)v1; nssPKIObject *pkio2 = (nssPKIObject *)v2; if (pkio1->objectType != pkio2->objectType) { - return 1; + return 0; } for (i = 0; i < pkio1->numIDs; i++) { - if (!nssItem_Equal(pkio1->uid[i], pkio1->uid[i], NULL)) { - rv = 1; + if (!nssItem_Equal(pkio1->uid[i], pkio2->uid[i], NULL)) { + rv = 0; break; } } @@ -1062,6 +1072,7 @@ nssPKIObjectTable_Add ( pkio = (nssPKIObject *)PL_HashTableLookup(table->hash, object); if (pkio) { pkio = nssPKIObject_Merge(pkio, object); + nssPKIObject_AddRef(pkio); } else { he = PL_HashTableAdd(table->hash, object, object); if( (PLHashEntry *)NULL == he ) { @@ -1077,13 +1088,28 @@ nssPKIObjectTable_Add ( return pkio; } +static PRStatus +nssPKIObjectTable_DestroyAndRemove ( + nssPKIObjectTable *table, + nssPKIObject *object +) +{ + PRStatus status = PR_SUCCESS; + PZ_Lock(table->lock); + PR_AtomicDecrement(&object->refCount); + if (object->refCount == 0) { + status = PL_HashTableRemove(table->hash, object); + } + PZ_Unlock(table->lock); + return status; +} + NSS_IMPLEMENT PRStatus nssPKIObjectTable_Remove ( nssPKIObjectTable *table, nssPKIObject *object ) { - PRStatus status; PZ_Lock(table->lock); status = PL_HashTableRemove(table->hash, object); diff --git a/security/nss/lib/pki/pkidb.c b/security/nss/lib/pki/pkidb.c index 814c16a22..8a84314a8 100644 --- a/security/nss/lib/pki/pkidb.c +++ b/security/nss/lib/pki/pkidb.c @@ -850,7 +850,7 @@ nssPKIDatabase_FindCertByEncodedCert ( } NSS_IMPLEMENT PRStatus -nssPKIDatabase_FindTrustForCert ( +nssPKIDatabase_GetCertTrust ( nssPKIDatabase *pkidb, NSSCert *cert, nssTrust *rvTrust @@ -912,6 +912,7 @@ nssPKIDatabase_TraverseCerts ( if (status == PR_FAILURE) { break; /* allow for early termination */ } + nssCert_Destroy(cert); } /* else ? */ } /* else ? */ } 
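Review bot: `nss_compare_pkiobjects` (pkibase.c hunk at -995) now compares against `pkio2->uid[i]`, but the loop bound is still `pkio1->numIDs` alone, so if the two objects ever carry different ID counts the loop reads `pkio2->uid` slots that were never set. Matching `objectType` probably implies matching `numIDs` today, but the asymmkey.c hunk makes the ID set depend on key kind, so it is worth pinning down with `if (pkio1->numIDs != pkio2->numIDs) return 0;` before the loop. A one-line comment stating that the function returns non-zero for equal objects (presumably because it serves as the hash table's key comparator) would explain why the return values were inverted.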
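Review bot: In `nssPKIDatabase_TraverseCerts` (pkidb.c hunk at -912) the added `nssCert_Destroy(cert);` sits after the `if (status == PR_FAILURE) { break; }` check, so the early-termination path leaves the loop still holding the reference on the current cert. Moving the release ahead of the status test, i.e. `nssCert_Destroy(cert);` immediately after the callback returns and then the `break`, drops the reference on both paths. The callback invocation and the loop header are outside the hunk, so confirm that nothing after the loop already releases `cert`.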
diff --git a/security/nss/lib/pki/pkim.h b/security/nss/lib/pki/pkim.h index 5d3b8cc1d..c94ff9c64 100644 --- a/security/nss/lib/pki/pkim.h +++ b/security/nss/lib/pki/pkim.h @@ -303,6 +303,13 @@ nssTrustDomain_FindCRLsBySubject ( ); NSS_EXTERN PRStatus +nssTrustDomain_GetCertTrust ( + NSSTrustDomain *td, + NSSCert *c, + nssTrust *rvTrust +); + +NSS_EXTERN PRStatus nssTrustDomain_SetCertTrust ( NSSTrustDomain *td, NSSCert *c, @@ -754,7 +761,7 @@ nssPKIDatabase_FindCertByEncodedCert ( ); NSS_EXTERN PRStatus -nssPKIDatabase_FindTrustForCert ( +nssPKIDatabase_GetCertTrust ( nssPKIDatabase *pkidb, NSSCert *cert, nssTrust *rvTrust diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c index bd90f2b30..2c8f020cf 100644 --- a/security/nss/lib/pki/trustdomain.c +++ b/security/nss/lib/pki/trustdomain.c @@ -141,8 +141,8 @@ nssTrustDomain_Destroy ( nssSlotList_Destroy(td->slots.forCerts); nssSlotList_Destroy(td->slots.forCiphers); nssSlotList_Destroy(td->slots.forTrust); - nssPKIObjectTable_Destroy(td->objectTable); nssTokenStore_Destroy(td->tokenStore); + nssPKIObjectTable_Destroy(td->objectTable); nssPKIDatabase_Close(td->pkidb); /* Destroy the trust domain */ nssArena_Destroy(td->arena); @@ -1318,6 +1318,16 @@ NSSTrustDomain_CreateCryptoContextForAlgorithm ( } NSS_IMPLEMENT PRStatus +nssTrustDomain_GetCertTrust ( + NSSTrustDomain *td, + NSSCert *c, + nssTrust *rvTrust +) +{ + return nssPKIDatabase_GetCertTrust(td->pkidb, c, rvTrust); +} + +NSS_IMPLEMENT PRStatus nssTrustDomain_SetCertTrust ( NSSTrustDomain *td, NSSCert *c, diff --git a/security/nss/lib/pkix/include/nsspkixt.h b/security/nss/lib/pkix/include/nsspkixt.h index cdd20c0bc..77873df3b 100644 --- a/security/nss/lib/pkix/include/nsspkixt.h +++ b/security/nss/lib/pkix/include/nsspkixt.h 
@@ -484,7 +484,7 @@ typedef enum NSSPKIXVersionEnum NSSPKIXVersion; * */ -typedef NSSItem NSSPKIXCertificateSerialNumber; +typedef struct NSSPKIXCertificateSerialNumberStr NSSPKIXCertificateSerialNumber; /* * Validity diff --git a/security/nss/lib/pkix/include/pkixtm.h b/security/nss/lib/pkix/include/pkixtm.h index 2513a7c3a..0cd315a49 100644 --- a/security/nss/lib/pkix/include/pkixtm.h +++ b/security/nss/lib/pkix/include/pkixtm.h @@ -377,6 +377,13 @@ struct NSSPKIXExtensionsStr { NSSPKIXExtension **extensions; }; +struct NSSPKIXCertificateSerialNumberStr { + NSSArena *arena; + PRBool i_allocated_arena; + NSSDER der; + NSSItem serialNumber; +}; + /* * TBSCertificate * diff --git a/security/nss/lib/pkix/src/TBSCertificate.c b/security/nss/lib/pkix/src/TBSCertificate.c index 555591843..0e49d562d 100644 --- a/security/nss/lib/pkix/src/TBSCertificate.c +++ b/security/nss/lib/pkix/src/TBSCertificate.c @@ -56,12 +56,18 @@ static const NSSASN1Template sub_any[] = { { NSSASN1_ANY } }; +static const NSSASN1Template sub_integer[] = { + { NSSASN1_INTEGER } +}; + const NSSASN1Template nssPKIXTBSCertificate_template[] = { { NSSASN1_SEQUENCE, 0, NULL, sizeof(NSSPKIXTBSCertificate) }, { NSSASN1_EXPLICIT | NSSASN1_OPTIONAL | NSSASN1_CONSTRUCTED | NSSASN1_CONTEXT_SPECIFIC | 0, 0, skipper }, - { NSSASN1_INTEGER, offsetof(NSSPKIXTBSCertificate, serialNumber) }, + { NSSASN1_SAVE, offsetof(NSSPKIXTBSCertificate, serialNumber.der) }, + { NSSASN1_INLINE, offsetof(NSSPKIXTBSCertificate, serialNumber.serialNumber), + sub_integer }, { NSSASN1_SKIP }, /* XXX signature */ { NSSASN1_ANY, offsetof(NSSPKIXTBSCertificate, issuer.der) }, { NSSASN1_ANY, offsetof(NSSPKIXTBSCertificate, validity.der) }, @@ -271,7 +277,7 @@ nssPKIXTBSCertificate_GetSerialNumber ( NSSPKIXTBSCertificate *tbsCert ) { - if (NSSITEM_IS_EMPTY(&tbsCert->serialNumber)) { + if (NSSITEM_IS_EMPTY(&tbsCert->serialNumber.der)) { if (NSSITEM_IS_EMPTY(&tbsCert->der) || decode_me(tbsCert) == PR_FAILURE) { 
@@ -620,3 +626,20 @@ NSSPKIXTBSCertificate_GetExtensions ( return nssPKIXTBSCertificate_GetExtensions(tbsCert); } +/* XXX move */ +NSS_IMPLEMENT NSSItem * +nssPKIXCertificateSerialNumber_GetSerialNumber ( + NSSPKIXCertificateSerialNumber *sn +) +{ + return &sn->serialNumber; +} + +NSS_IMPLEMENT NSSItem * +NSSPKIXCertificateSerialNumber_GetSerialNumber ( + NSSPKIXCertificateSerialNumber *sn +) +{ + return nssPKIXCertificateSerialNumber_GetSerialNumber(sn); +} + diff --git a/security/nss/lib/pkix/src/nsspkix.def b/security/nss/lib/pkix/src/nsspkix.def index 33dffb8a2..3a377758e 100644 --- a/security/nss/lib/pkix/src/nsspkix.def +++ b/security/nss/lib/pkix/src/nsspkix.def @@ -55,6 +55,7 @@ NSSPKIXBasicConstraints_GetPathLengthConstraint; NSSPKIXCertificate_Decode; NSSPKIXCertificate_GetSignature; NSSPKIXCertificate_GetTBSCertificate; +NSSPKIXCertificateSerialNumber_GetSerialNumber; NSSPKIXName_Encode; NSSPKIXTBSCertificate_Encode; NSSPKIXTBSCertificate_GetSerialNumber; diff --git a/security/nss/lib/pkix/src/pkiglue.c b/security/nss/lib/pkix/src/pkiglue.c index fd76fbc1f..2b5653f00 100644 --- a/security/nss/lib/pkix/src/pkiglue.c +++ b/security/nss/lib/pkix/src/pkiglue.c @@ -53,6 +53,9 @@ static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$"; #include "nss.h" +/* XXX for sn hack */ +#include "../include/pkixtm.h" + static void * pkix_Decode ( NSSArena *arenaOpt, @@ -163,7 +166,8 @@ pkix_GetSerialNumber ( /* * tbsCert->serialNumber */ - snBER = nssPKIXTBSCertificate_GetSerialNumber(tbsCert); + /* XXX hack for now */ + snBER = &tbsCert->serialNumber.der; finish: nss_ResumeErrorStack(); diff --git a/security/nss/tests/ssl/sslauth.txt b/security/nss/tests/ssl/sslauth.txt index 0051e9dce..230cc5d2e 100644 --- a/security/nss/tests/ssl/sslauth.txt +++ b/security/nss/tests/ssl/sslauth.txt 
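Review bot: `pkix_GetSerialNumber` (pkiglue.c hunk at -163) now takes `&tbsCert->serialNumber.der` directly, which skips the lazy decode that `nssPKIXTBSCertificate_GetSerialNumber` performs when that field is empty (see the TBSCertificate.c hunk at -271). If the TBSCertificate has not been decoded yet, `snBER` points at an empty item and no error is raised, which matters if the serial is later used to identify the certificate. Prefer keeping the getter and reading the saved DER from its result, e.g. `sn = nssPKIXTBSCertificate_GetSerialNumber(tbsCert); snBER = sn ? &sn->der : NULL;` with `sn` a local `NSSPKIXCertificateSerialNumber *`. That still needs the pkixtm.h include but preserves the decode and the failure path. The function starts and ends outside the hunk.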
@@ -17,13 +17,13 @@ 254 -r_-r -T_-w_nss SSL3 Require client auth (client does not provide auth) 254 -r_-r -T_-n_client_-w_bogus SSL3 Require client auth (bad password) 0 -r_-r -T_-n_client_-w_nss SSL3 Require client auth (client auth) - 254 -r_-r_-r -w_nss TLS Request don't require client auth on 2nd hs (client does not provide auth) + 0 -r_-r_-r -w_nss TLS Request don't require client auth on 2nd hs (client does not provide auth) 0 -r_-r_-r -w_bogus_-n_client TLS Request don't require client auth on 2nd hs (bad password) 0 -r_-r_-r -w_nss_-n_client TLS Request don't require client auth on 2nd hs (client auth) 254 -r_-r_-r_-r -w_nss TLS Require client auth on 2nd hs (client does not provide auth) 1 -r_-r_-r_-r -w_bogus_-n_client TLS Require client auth on 2nd hs (bad password) 0 -r_-r_-r_-r -w_nss_-n_client_ TLS Require client auth on 2nd hs (client auth) - 254 -r_-r_-r -T_-w_nss SSL3 Request don't require client auth on 2nd hs (client does not provide auth) + 0 -r_-r_-r -T_-w_nss SSL3 Request don't require client auth on 2nd hs (client does not provide auth) 0 -r_-r_-r -T_-n_client_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password) 0 -r_-r_-r -T_-n_client_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth) 254 -r_-r_-r_-r -T_-w_nss SSL3 Require client auth on 2nd hs (client does not provide auth) diff --git a/security/nss/tests/stan/stan.sh b/security/nss/tests/stan/stan.sh index 7a9b52623..175f69b89 100644 --- a/security/nss/tests/stan/stan.sh +++ b/security/nss/tests/stan/stan.sh @@ -285,4 +285,8 @@ nssu --dump-token -d ${CERTDIR} CIPHER_ACTION="Run Symmetric Key Self-Tests" ciph -T +# set trust (stuck on token for now) +pkiutil -M -d server -n root -u "CV" +pkiutil -M -d client -n root -u "CV" + cert_cleanup |