summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorian.mcgreer%sun.com <devnull@localhost>2003-03-07 20:18:10 +0000
committerian.mcgreer%sun.com <devnull@localhost>2003-03-07 20:18:10 +0000
commit689642e9867fa9f2646f7829b76e8de53dee4cbc (patch)
tree546a235edd04fd4fb4d3cd32ab539ea580b2dcfd
parente5f6b12be8cf09fb80617f548eb9a183f0118e71 (diff)
downloadnss-hg-689642e9867fa9f2646f7829b76e8de53dee4cbc.tar.gz
reorganize pkiobject inheritance
Diffstat
-rw-r--r--security/nss/lib/pki/asymmkey.c171
-rw-r--r--security/nss/lib/pki/cert.c151
-rw-r--r--security/nss/lib/pki/cryptocontext.c172
-rw-r--r--security/nss/lib/pki/manifest.mn1
-rw-r--r--security/nss/lib/pki/nsspki.h9
-rw-r--r--security/nss/lib/pki/pki.h30
-rw-r--r--security/nss/lib/pki/pkibase.c83
-rw-r--r--security/nss/lib/pki/pkietc.c195
-rw-r--r--security/nss/lib/pki/pkim.h187
-rw-r--r--security/nss/lib/pki/pkistore.c20
-rw-r--r--security/nss/lib/pki/pkit.h3
-rw-r--r--security/nss/lib/pki/pkitm.h6
-rw-r--r--security/nss/lib/pki/symkey.c134
-rw-r--r--security/nss/lib/pki/trustdomain.c2
-rw-r--r--security/nss/lib/pki/volatiledomain.c13
15 files changed, 527 insertions, 650 deletions
diff --git a/security/nss/lib/pki/asymmkey.c b/security/nss/lib/pki/asymmkey.c
index 515bcf368..842c5464c 100644
--- a/security/nss/lib/pki/asymmkey.c
+++ b/security/nss/lib/pki/asymmkey.c
@@ -142,15 +142,7 @@ nssPrivateKey_Destroy (
NSSPrivateKey *vk
)
{
- PRBool destroyed;
- if (vk) {
- destroyed = nssPKIObject_Destroy(&vk->object);
- /*
- if (destroyed) {
- }
- */
- }
- return PR_SUCCESS;
+ return nssPKIObject_Destroy(&vk->object);
}
NSS_IMPLEMENT PRStatus
@@ -200,15 +192,6 @@ nssPrivateKey_GetInstance (
return nssPKIObject_GetInstance(&vk->object, token);
}
-NSS_IMPLEMENT nssCryptokiObject *
-nssPrivateKey_FindInstanceForAlgorithm (
- NSSPrivateKey *vk,
- const NSSAlgNParam *ap
-)
-{
- return nssPKIObject_FindInstanceForAlgorithm(&vk->object, ap);
-}
-
NSS_IMPLEMENT PRStatus
nssPrivateKey_RemoveInstanceForToken (
NSSPrivateKey *vk,
@@ -260,17 +243,6 @@ NSSPrivateKey_GetKeyType (
return nssPrivateKey_GetKeyType(vk);
}
-NSS_IMPLEMENT nssCryptokiObject *
-nssPrivateKey_CopyToToken (
- NSSPrivateKey *vk,
- NSSToken *destination
-)
-{
- /* XXX this could get complicated... might have to wrap the key, etc. */
- PR_ASSERT(0);
- return NULL;
-}
-
NSS_IMPLEMENT PRUint32
nssPrivateKey_GetPrivateModulusLength (
NSSPrivateKey *vk
@@ -378,7 +350,7 @@ nssPrivateKey_Encode (
}
(void)nssAlgNParam_SetPBEPassword(ap, password);
- vkey = nssPrivateKey_FindInstanceForAlgorithm(vk, ap);
+ vkey = nssPKIObject_FindInstanceForAlgorithm(PKIOBJECT(vk), ap, PR_TRUE);
if (!vkey) {
/* XXX defer to trust domain? */
nss_ZFreeIf(password);
@@ -388,8 +360,8 @@ nssPrivateKey_Encode (
/* XXX use GenByPassword!!! */
/* use the supplied PBE alg/param to create a wrapping key */
pbeKey = nssToken_GenerateSymKey(vkey->token, vkey->session, ap,
- 0, NULL, PR_FALSE,
- NSSOperations_WRAP, 0);
+ 0, NULL, PR_FALSE,
+ NSSOperations_WRAP, 0);
nss_ZFreeIf(password);
if (!pbeKey) {
return (NSSItem *)NULL;
@@ -403,8 +375,7 @@ nssPrivateKey_Encode (
/* wrap the private key with the PBE key */
wrap = nssToken_WrapKey(vkey->token, vkey->session, wrapAP,
- pbeKey, vkey,
- rvOpt, arenaOpt);
+ pbeKey, vkey, rvOpt, arenaOpt);
nssAlgNParam_Destroy(wrapAP);
nssCryptokiObject_Destroy(pbeKey);
nssCryptokiObject_Destroy(vkey);
@@ -587,21 +558,11 @@ nssPrivateKey_GetVolatileDomain (
}
NSS_IMPLEMENT NSSTrustDomain *
-nssPrivateKey_GetTrustDomain (
- NSSPrivateKey *vk,
- PRStatus *statusOpt
-)
-{
- return vk->object.td;
-}
-
-NSS_IMPLEMENT NSSTrustDomain *
NSSPrivateKey_GetTrustDomain (
- NSSPrivateKey *vk,
- PRStatus *statusOpt
+ NSSPrivateKey *vk
)
{
- return nssPrivateKey_GetTrustDomain(vk, statusOpt);
+ return nssPKIObject_GetTrustDomain(PKIOBJECT(vk));
}
NSS_IMPLEMENT NSSToken **
@@ -676,7 +637,7 @@ nssPrivateKey_Decrypt (
}
}
- vko = nssPrivateKey_FindInstanceForAlgorithm(vk, ap);
+ vko = nssPKIObject_FindInstanceForAlgorithm(PKIOBJECT(vk), ap, PR_TRUE);
if (!vko) {
if (!apOpt) nssAlgNParam_Destroy(ap);
return (NSSItem *)NULL;
@@ -738,7 +699,7 @@ nssPrivateKey_Sign (
}
}
- vko = nssPrivateKey_FindInstanceForAlgorithm(vk, ap);
+ vko = nssPKIObject_FindInstanceForAlgorithm(PKIOBJECT(vk), ap, PR_TRUE);
if (!vko) {
if (!apOpt) nssAlgNParam_Destroy(ap);
return NULL;
@@ -841,7 +802,7 @@ nssPrivateKey_FindPublicKey (
NSSPrivateKey *vk
)
{
- NSSTrustDomain *td = nssPrivateKey_GetTrustDomain(vk, NULL);
+ NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(vk));
return nssTrustDomain_FindPublicKeyByID(td, &vk->id);
}
@@ -861,7 +822,7 @@ nssPrivateKey_FindCerts (
NSSArena *arenaOpt
)
{
- NSSTrustDomain *td = nssPrivateKey_GetTrustDomain(vk, NULL);
+ NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(vk));
return nssTrustDomain_FindCertsByID(td, &vk->id,
rvOpt, maximumOpt, arenaOpt);
}
@@ -924,6 +885,44 @@ struct NSSPublicKeyStr
NSSPublicKeyInfo info;
};
+static PRStatus
+copy_public_key_to_token (
+ nssPKIObject *o,
+ NSSToken *token,
+ nssSession *sessionOpt,
+ PRBool asPersistentObject,
+ NSSUTF8 *nicknameOpt,
+ nssCryptokiObject **rvInstanceOpt
+)
+{
+ nssCryptokiObject *bko;
+ nssSession *session;
+ NSSPublicKey *bk = (NSSPublicKey *)o;
+
+ if (sessionOpt) {
+ session = sessionOpt;
+ } else {
+ session = nssToken_CreateSession(token, asPersistentObject);
+ if (!session)
+ return PR_FAILURE;
+ }
+ bko = nssToken_ImportPublicKey(token, session,
+ &bk->info, asPersistentObject);
+ if (!sessionOpt) {
+ nssSession_Destroy(session);
+ }
+ if (!bko) {
+ return PR_FAILURE;
+ }
+ if (nssPKIObject_AddInstance(&bk->object, bko) == PR_FAILURE) {
+ nssCryptokiObject_Destroy(bko);
+ return PR_FAILURE;
+ } else if (rvInstanceOpt) {
+ *rvInstanceOpt = nssCryptokiObject_Clone(bko);
+ }
+ return PR_SUCCESS;
+}
+
NSS_IMPLEMENT NSSPublicKey *
nssPublicKey_CreateFromInstance (
nssCryptokiObject *instance,
@@ -950,6 +949,7 @@ nssPublicKey_CreateFromInstance (
pkio->objectType = pkiObjectType_PublicKey;
pkio->numIDs = 1;
pkio->uid[0] = &rvKey->id;
+ pkio->copyToToken = copy_public_key_to_token;
rvKey = (NSSPublicKey *)nssPKIObjectTable_Add(objectTable, pkio);
if (!rvKey) {
rvKey = (NSSPublicKey *)pkio;
@@ -1071,15 +1071,7 @@ nssPublicKey_Destroy (
NSSPublicKey *bk
)
{
- PRBool destroyed;
- if (bk) {
- destroyed = nssPKIObject_Destroy(&bk->object);
- /*
- if (destroyed) {
- }
- */
- }
- return PR_SUCCESS;
+ return nssPKIObject_Destroy(&bk->object);
}
NSS_IMPLEMENT PRStatus
@@ -1120,15 +1112,6 @@ nssPublicKey_GetInstance (
return nssPKIObject_GetInstance(&bk->object, token);
}
-NSS_IMPLEMENT nssCryptokiObject *
-nssPublicKey_FindInstanceForAlgorithm (
- NSSPublicKey *bk,
- const NSSAlgNParam *ap
-)
-{
- return nssPKIObject_FindInstanceForAlgorithm(&bk->object, ap);
-}
-
NSS_IMPLEMENT PRStatus
nssPublicKey_RemoveInstanceForToken (
NSSPublicKey *bk,
@@ -1173,35 +1156,6 @@ NSSPublicKey_DeleteStoredObject (
return nssPublicKey_DeleteStoredObject(bk, uhh);
}
-NSS_IMPLEMENT nssCryptokiObject *
-nssPublicKey_CopyToToken (
- NSSPublicKey *bk,
- NSSToken *destination,
- PRBool asPersistentObject
-)
-{
- nssSession *session;
- nssCryptokiObject *bko;
-
- session = nssToken_CreateSession(destination, asPersistentObject);
- if (!session) {
- return (nssCryptokiObject *)NULL;
- }
- bko = nssToken_ImportPublicKey(destination, session,
- &bk->info, asPersistentObject);
- nssSession_Destroy(session);
- if (bko) {
- if (nssPKIObject_AddInstance(&bk->object, bko) == PR_FAILURE) {
- nssCryptokiObject_Destroy(bko);
- bko = NULL;
- } else {
- /* XXX maybe AddInstance should rethink not cloning */
- bko = nssCryptokiObject_Clone(bko);
- }
- }
- return bko;
-}
-
NSS_IMPLEMENT NSSItem *
NSSPublicKey_Encode (
NSSPublicKey *bk,
@@ -1216,21 +1170,11 @@ NSSPublicKey_Encode (
}
NSS_IMPLEMENT NSSTrustDomain *
-nssPublicKey_GetTrustDomain (
- NSSPublicKey *bk,
- PRStatus *statusOpt
-)
-{
- return bk->object.td;
-}
-
-NSS_IMPLEMENT NSSTrustDomain *
NSSPublicKey_GetTrustDomain (
- NSSPublicKey *bk,
- PRStatus *statusOpt
+ NSSPublicKey *bk
)
{
- return nssPublicKey_GetTrustDomain(bk, statusOpt);
+ return nssPKIObject_GetTrustDomain(PKIOBJECT(bk));
}
NSS_IMPLEMENT NSSToken *
@@ -1355,7 +1299,7 @@ nssPublicKey_Encrypt (
}
}
- bko = nssPublicKey_FindInstanceForAlgorithm(bk, ap);
+ bko = nssPKIObject_FindInstanceForAlgorithm(PKIOBJECT(bk), ap, PR_TRUE);
if (!bko) {
if (!apOpt) nssAlgNParam_Destroy(ap);
return (NSSItem *)NULL;
@@ -1496,7 +1440,10 @@ nssPublicKey_GetInstanceForAlgorithmAndObject (
/* didn't find a token with both objects, but did find
* one that can do the operation
*/
- instance = nssPublicKey_CopyToToken(bk, candidate, PR_FALSE);
+ /* XXX session? */
+ status = nssPKIObject_CopyToToken(PKIOBJECT(bk), candidate,
+ NULL, PR_FALSE,
+ NULL, &instance);
}
nssTokenArray_Destroy(tokens);
}
@@ -1566,7 +1513,7 @@ nssPublicKey_FindCerts (
NSSArena *arenaOpt
)
{
- NSSTrustDomain *td = nssPublicKey_GetTrustDomain(bk, NULL);
+ NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(bk));
return nssTrustDomain_FindCertsByID(td, &bk->id,
rvOpt, maximumOpt, arenaOpt);
}
diff --git a/security/nss/lib/pki/cert.c b/security/nss/lib/pki/cert.c
index fd49184cb..6d33e94be 100644
--- a/security/nss/lib/pki/cert.c
+++ b/security/nss/lib/pki/cert.c
@@ -83,6 +83,63 @@ nss_GetMethodsForType (
NSSCertType certType
);
+static PRStatus
+cert_destructor(nssPKIObject *o)
+{
+ NSSCert *c = (NSSCert *)o;
+ void *dc = c->decoding.data;
+ NSSCertMethods *methods = c->decoding.methods;
+ if (dc && methods) {
+ methods->destroy(dc);
+ }
+ return PR_SUCCESS;
+}
+
+static PRStatus
+copy_cert_to_token (
+ nssPKIObject *o,
+ NSSToken *token,
+ nssSession *sessionOpt,
+ PRBool asPersistentObject,
+ NSSUTF8 *nicknameOpt,
+ nssCryptokiObject **rvInstanceOpt
+)
+{
+ PRStatus status;
+ NSSCert *c = (NSSCert *)o;
+ nssCryptokiObject *instance;
+ nssSession *session;
+
+ if (sessionOpt) {
+ session = sessionOpt;
+ } else {
+ session = nssToken_CreateSession(token, asPersistentObject);
+ if (!session)
+ return PR_FAILURE;
+ }
+ /* XXX why not id? */
+ instance = nssToken_ImportCert(token, session,
+ c->kind, NULL, nicknameOpt,
+ &c->encoding, &c->issuer,
+ &c->subject, &c->serial,
+ c->email, asPersistentObject);
+ if (!sessionOpt) {
+ nssSession_Destroy(session);
+ }
+ if (!instance) {
+ return PR_FAILURE;
+ }
+ status = nssPKIObject_AddInstance(&c->object, instance);
+ if (status == PR_FAILURE) {
+ nssCryptokiObject_Destroy(instance);
+ return PR_FAILURE;
+ }
+ if (rvInstanceOpt) {
+ *rvInstanceOpt = nssCryptokiObject_Clone(instance);
+ }
+ return PR_SUCCESS;
+}
+
NSS_IMPLEMENT NSSCert *
nssCert_CreateFromInstance (
nssCryptokiObject *instance,
@@ -125,6 +182,8 @@ nssCert_CreateFromInstance (
if (!rvCert->decoding.methods) {
goto loser;
}
+ rvCert->object.copyToToken = copy_cert_to_token;
+ rvCert->object.destructor = cert_destructor;
if (rvCert && vdOpt) {
status = nssVolatileDomain_ImportCert(vdOpt, rvCert);
if (status == PR_FAILURE) {
@@ -176,6 +235,8 @@ nssCert_Decode (
} else {
goto loser;
}
+ pkio->destructor = cert_destructor;
+ pkio->copyToToken = copy_cert_to_token;
/* copy the BER encoding */
it = nssItem_Duplicate(ber, pkio->arena, &rvCert->encoding);
if (!it) {
@@ -257,18 +318,7 @@ nssCert_Destroy (
NSSCert *c
)
{
- PRBool destroyed;
- if (c) {
- void *dc = c->decoding.data;
- NSSCertMethods *methods = c->decoding.methods;
- destroyed = nssPKIObject_Destroy(&c->object);
- if (destroyed) {
- if (dc) {
- methods->destroy(dc);
- }
- }
- }
- return PR_SUCCESS;
+ return nssPKIObject_Destroy(&c->object);;
}
NSS_IMPLEMENT PRStatus
@@ -681,33 +731,12 @@ nssCert_SetVolatileDomain (
nssPKIObject_SetVolatileDomain(&c->object, vd);
}
-NSS_IMPLEMENT NSSVolatileDomain **
-nssCert_GetVolatileDomains(
- NSSCert *c,
- NSSVolatileDomain **vdsOpt,
- PRUint32 maximumOpt,
- NSSArena *arenaOpt,
- PRStatus *statusOpt
-)
-{
- return nssPKIObject_GetVolatileDomains(&c->object, vdsOpt,
- maximumOpt, arenaOpt, statusOpt);
-}
-
-NSS_IMPLEMENT NSSTrustDomain *
-nssCert_GetTrustDomain (
- NSSCert *c
-)
-{
- return c->object.td;
-}
-
NSS_IMPLEMENT NSSTrustDomain *
NSSCert_GetTrustDomain (
NSSCert *c
)
{
- return nssCert_GetTrustDomain(c);
+ return nssPKIObject_GetTrustDomain(PKIOBJECT(c));
}
NSS_IMPLEMENT NSSToken **
@@ -750,15 +779,6 @@ NSSCert_GetModule (
return (NSSModule *)NULL;
}
-NSS_IMPLEMENT nssCryptokiObject *
-nssCert_FindInstanceForAlgorithm (
- NSSCert *c,
- NSSAlgNParam *ap
-)
-{
- return nssPKIObject_FindInstanceForAlgorithm(&c->object, ap);
-}
-
NSS_IMPLEMENT PRStatus
nssCert_DeleteStoredObject (
NSSCert *c,
@@ -777,37 +797,6 @@ NSSCert_DeleteStoredObject (
return nssCert_DeleteStoredObject(c, uhh);
}
-NSS_IMPLEMENT PRStatus
-nssCert_CopyToToken (
- NSSCert *c,
- NSSToken *token,
- NSSUTF8 *nicknameOpt
-)
-{
- PRStatus status;
- nssCryptokiObject *instance;
- nssSession *rwSession;
-
- rwSession = nssToken_CreateSession(token, PR_TRUE);
- if (!rwSession) {
- return PR_FAILURE;
- }
- instance = nssToken_ImportCert(token, rwSession,
- c->kind, NULL, nicknameOpt,
- &c->encoding, &c->issuer,
- &c->subject, &c->serial,
- c->email, PR_TRUE);
- nssSession_Destroy(rwSession);
- if (!instance) {
- return PR_FAILURE;
- }
- status = nssPKIObject_AddInstance(&c->object, instance);
- if (status == PR_FAILURE) {
- return PR_FAILURE;
- }
- return PR_SUCCESS;
-}
-
static PRStatus
validate_and_discover_trust (
NSSCert *c,
@@ -1123,7 +1112,7 @@ nssCert_SetTrustedUsages (
c->trust.notTrustedUsages.ca &= usages->ca;
c->trust.notTrustedUsages.peer &= usages->peer;
/* reflect the change in the db */
- td = nssCert_GetTrustDomain(c);
+ td = nssPKIObject_GetTrustDomain(PKIOBJECT(c));
return nssTrustDomain_SetCertTrust(td, c, &c->trust);
}
@@ -1189,8 +1178,8 @@ find_cert_issuer (
NSSTrustDomain *td;
NSSVolatileDomain *vd;
/* XXX what to do with multiple vds? */
- nssCert_GetVolatileDomains(c, &vd, 1, NULL, NULL);
- td = nssCert_GetTrustDomain(c);
+ nssPKIObject_GetVolatileDomains(PKIOBJECT(c), &vd, 1, NULL, NULL);
+ td = nssPKIObject_GetTrustDomain(PKIOBJECT(c));
if (vd) {
issuers = nssVolatileDomain_FindCertsBySubject(vd, &c->issuer,
NULL, 0, NULL);
@@ -1240,7 +1229,7 @@ nssCert_BuildChain (
NSSTrustDomain *td;
NSSUsages usages = { 0 };
- td = NSSCert_GetTrustDomain(c);
+ td = nssPKIObject_GetTrustDomain(PKIOBJECT(c));
if (statusOpt) *statusOpt = PR_SUCCESS;
if (rvLimit) {
@@ -1423,10 +1412,10 @@ nssCert_GetPublicKey (
)
{
PRStatus status;
- NSSTrustDomain *td = nssCert_GetTrustDomain(c);
+ NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(c));
NSSVolatileDomain *vd;
/* XXX multiple vds? */
- nssCert_GetVolatileDomains(c, &vd, 1, NULL, NULL);
+ nssPKIObject_GetVolatileDomains(PKIOBJECT(c), &vd, 1, NULL, NULL);
if (!c->bk && c->id.size > 0) {
/* first try looking for a persistent object */
@@ -1466,7 +1455,7 @@ nssCert_FindPrivateKey (
NSSCallback *uhh
)
{
- NSSTrustDomain *td = nssCert_GetTrustDomain(c);
+ NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(c));
if (c->id.size > 0) {
return nssTrustDomain_FindPrivateKeyByID(td, &c->id);
} else {
diff --git a/security/nss/lib/pki/cryptocontext.c b/security/nss/lib/pki/cryptocontext.c
index 659a469fe..024480148 100644
--- a/security/nss/lib/pki/cryptocontext.c
+++ b/security/nss/lib/pki/cryptocontext.c
@@ -121,10 +121,10 @@ nssCryptoContext_CreateForSymKey (
)
{
NSSCryptoContext *rvCC;
- NSSTrustDomain *td = nssSymKey_GetTrustDomain(mkey, NULL);
+ NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(mkey));
/* XXX multiple vds? */
NSSVolatileDomain *vd;
- nssSymKey_GetVolatileDomains(mkey, &vd, 1, NULL, NULL);
+ nssPKIObject_GetVolatileDomains(PKIOBJECT(mkey), &vd, 1, NULL, NULL);
rvCC = nssCryptoContext_Create(td, vd, apOpt, uhhOpt);
if (rvCC) {
@@ -143,10 +143,10 @@ nssCryptoContext_CreateForPrivateKey (
)
{
NSSCryptoContext *rvCC;
- NSSTrustDomain *td = nssPrivateKey_GetTrustDomain(vkey, NULL);
+ NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(vkey));
/* XXX multiple vds? */
NSSVolatileDomain *vd;
- nssPrivateKey_GetVolatileDomains(vkey, &vd, 1, NULL, NULL);
+ nssPKIObject_GetVolatileDomains(PKIOBJECT(vkey), &vd, 1, NULL, NULL);
rvCC = nssCryptoContext_Create(td, vd, apOpt, uhhOpt);
if (rvCC) {
@@ -294,19 +294,21 @@ loser:
}
static PRStatus
-prepare_context_symmetric_key (
+prepare_context_key (
NSSCryptoContext *cc,
+ nssPKIObject *key,
+ nssCryptokiObject **keyo,
const NSSAlgNParam *ap
)
{
+ PRStatus status;
if (cc->token) {
/* context already has a token set */
- if (nssToken_DoesAlgNParam(cc->token, ap))
- {
+ if (nssToken_DoesAlgNParam(cc->token, ap)) {
/* and the token can do the operation */
- if (!cc->key) {
+ if (!*keyo) {
/* get a key instance from it */
- cc->key = nssSymKey_GetInstance(cc->u.mkey, cc->token);
+ *keyo = nssPKIObject_GetInstance(key, cc->token);
} /* else we already have a key instance */
} else {
/* the token can't do the math, so this context won't work */
@@ -314,8 +316,8 @@ prepare_context_symmetric_key (
}
} else {
/* find an instance of the key that will do the operation */
- cc->key = nssSymKey_FindInstanceForAlgorithm(cc->u.mkey, cc->ap);
- if (cc->key) {
+ *keyo = nssPKIObject_FindInstanceForAlgorithm(key, cc->ap, PR_TRUE);
+ if (*keyo) {
/* okay, now we know what token to use */
cc->token = nssToken_AddRef(cc->key->token);
} else {
@@ -330,10 +332,11 @@ prepare_context_symmetric_key (
/* the token has been set, so if we didn't find a key instance on
* the token, copy it there as a temp (session) object
*/
- if (!cc->key) {
- cc->key = nssSymKey_CopyToToken(cc->u.mkey, cc->token,
- PR_FALSE);
- if (!cc->key) {
+ if (!*keyo) {
+ /* XXX uh, get the session first */
+ status = nssPKIObject_CopyToToken(key, cc->token, NULL, PR_FALSE,
+ NULL, keyo);
+ if (status == PR_FAILURE) {
goto loser;
}
}
@@ -351,75 +354,34 @@ loser:
}
static PRStatus
+prepare_context_symmetric_key (
+ NSSCryptoContext *cc,
+ const NSSAlgNParam *ap
+)
+{
+ return prepare_context_key(cc, PKIOBJECT(cc->u.mkey), &cc->key, ap);
+}
+
+static PRStatus
prepare_context_private_key (
NSSCryptoContext *cc,
const NSSAlgNParam *ap
)
{
+ PRStatus status;
NSSPrivateKey *vkey = NULL;
if (cc->which == a_cert) {
/* try to get the key from the cert */
vkey = nssCert_FindPrivateKey(cc->u.cert, cc->callback);
if (!vkey) {
- goto loser;
+ return PR_FAILURE;
}
} else {
vkey = nssPrivateKey_AddRef(cc->u.vkey);
}
- if (cc->token) {
- /* context already has a token set */
- if (nssToken_DoesAlgNParam(cc->token, ap))
- {
- /* and the token can do the operation */
- if (!cc->key) {
- /* get a key instance from it */
- cc->key = nssPrivateKey_GetInstance(vkey, cc->token);
- } /* else we already have a key instance for the token */
- } else {
- /* the token can't do the math, so this context won't work */
- goto loser;
- }
- } else {
- /* find an instance of the key that will do the operation */
- cc->key = nssPrivateKey_FindInstanceForAlgorithm(vkey, cc->ap);
- if (cc->key) {
- /* okay, now we know what token to use */
- cc->token = nssToken_AddRef(cc->key->token);
- } else {
- /* find any token in the trust domain that can */
- cc->token = nssTrustDomain_FindTokenForAlgNParam(cc->td, ap);
- if (!cc->token) {
- /*nss_SetError(NSS_ERROR_NO_TOKEN_FOR_OPERATION);*/
- goto loser;
- }
- }
- }
- /* the token has been set, so if we didn't find a key instance on
- * the token, copy it there
- */
- if (!cc->key) {
- cc->key = nssPrivateKey_CopyToToken(vkey, cc->token);
- if (!cc->key) {
- goto loser;
- }
- }
- /* Obtain a session for the operation */
- if (!cc->session) {
- cc->session = nssToken_CreateSession(cc->token, PR_FALSE);
- if (!cc->session) {
- goto loser;
- }
- }
- if (vkey) {
- nssPrivateKey_Destroy(vkey);
- }
- return PR_SUCCESS;
-loser:
- if (vkey) {
- nssPrivateKey_Destroy(vkey);
- }
- nss_SetError(NSS_ERROR_INVALID_CRYPTO_CONTEXT);
- return PR_FAILURE;
+ status = prepare_context_key(cc, PKIOBJECT(vkey), &cc->key, ap);
+ nssPrivateKey_Destroy(vkey);
+ return status;
}
static PRStatus
@@ -428,74 +390,24 @@ prepare_context_public_key (
const NSSAlgNParam *ap
)
{
+ PRStatus status;
+ NSSPublicKey *bkey = NULL;
/* when the dist. object is a cert, both keys may be available,
* so public key is stored separately
*/
nssCryptokiObject **bkp = (cc->which == a_cert) ? &cc->bkey : &cc->key;
- NSSPublicKey *bkey = NULL;
if (cc->which == a_cert) {
/* try to get the key from the cert */
bkey = nssCert_GetPublicKey(cc->u.cert);
if (!bkey) {
- goto loser;
+ return PR_FAILURE;
}
} else {
bkey = nssPublicKey_AddRef(cc->u.bkey);
}
- if (cc->token) {
- /* context already has a token set */
- if (nssToken_DoesAlgNParam(cc->token, ap))
- {
- /* and the token can do the operation */
- if (!*bkp) {
- /* get a key instance from it */
- *bkp = nssPublicKey_GetInstance(bkey, cc->token);
- } /* else we already have a key instance for the token */
- } else {
- /* the token can't do the math, so this context won't work */
- goto loser;
- }
- } else {
- /* find an instance of the key that will do the operation */
- *bkp = nssPublicKey_FindInstanceForAlgorithm(bkey, cc->ap);
- if (*bkp) {
- /* okay, now we know what token to use */
- cc->token = nssToken_AddRef(cc->key->token);
- } else {
- /* find any token in the trust domain that can */
- cc->token = nssTrustDomain_FindTokenForAlgNParam(cc->td, ap);
- if (!cc->token) {
- /*nss_SetError(NSS_ERROR_NO_TOKEN_FOR_OPERATION);*/
- goto loser;
- }
- }
- }
- /* the token has been set, so if we didn't find a key instance on
- * the token, copy it there
- */
- if (!*bkp) {
- *bkp = nssPublicKey_CopyToToken(bkey, cc->token, PR_FALSE);
- if (!*bkp) {
- goto loser;
- }
- }
- /* Obtain a session for the operation */
- if (!cc->session) {
- cc->session = nssToken_CreateSession(cc->token, PR_FALSE);
- if (!cc->session) {
- goto loser;
- }
- }
- if (bkey) {
- nssPublicKey_Destroy(bkey);
- }
- return PR_SUCCESS;
-loser:
- if (bkey) {
- nssPublicKey_Destroy(bkey);
- }
- nss_SetError(NSS_ERROR_INVALID_CRYPTO_CONTEXT);
- return PR_FAILURE;
+ status = prepare_context_key(cc, PKIOBJECT(bkey), bkp, ap);
+ nssPublicKey_Destroy(bkey);
+ return status;
}
NSS_IMPLEMENT NSSItem *
@@ -1338,10 +1250,12 @@ nssCryptoContext_DigestKey (
/* The context is being asked to digest a key that may not be
* within its scope. Copy the key if needed.
*/
- mko = nssSymKey_GetInstance(mkOpt, cc->token);
+ mko = nssPKIObject_GetInstance(PKIOBJECT(mkOpt), cc->token);
if (!mko) {
- mko = nssSymKey_CopyToToken(mkOpt, cc->token, PR_FALSE);
- if (!mko) {
+ status = nssPKIObject_CopyToToken(PKIOBJECT(mkOpt), cc->token,
+ cc->session, PR_FALSE,
+ NULL, &mko);
+ if (status == PR_FAILURE) {
return PR_FAILURE;
}
}
diff --git a/security/nss/lib/pki/manifest.mn b/security/nss/lib/pki/manifest.mn
index a8b62aa56..348b6d2f5 100644
--- a/security/nss/lib/pki/manifest.mn
+++ b/security/nss/lib/pki/manifest.mn
@@ -54,6 +54,7 @@ CSRCS = \
cert.c \
cryptocontext.c \
symkey.c \
+ pkietc.c \
time.c \
trustdomain.c \
volatiledomain.c \
diff --git a/security/nss/lib/pki/nsspki.h b/security/nss/lib/pki/nsspki.h
index d2cab22e5..8f0b2835d 100644
--- a/security/nss/lib/pki/nsspki.h
+++ b/security/nss/lib/pki/nsspki.h
@@ -692,8 +692,7 @@ NSSPrivateKey_Encode (
NSS_EXTERN NSSTrustDomain *
NSSPrivateKey_GetTrustDomain (
- NSSPrivateKey *vk,
- PRStatus *statusOpt
+ NSSPrivateKey *vk
);
/*
@@ -920,8 +919,7 @@ NSSPublicKey_Encode (
NSS_EXTERN NSSTrustDomain *
NSSPublicKey_GetTrustDomain (
- NSSPublicKey *bk,
- PRStatus *statusOpt
+ NSSPublicKey *bk
);
/*
@@ -1164,8 +1162,7 @@ NSSSymKey_IsStillPresent (
NSS_EXTERN NSSTrustDomain *
NSSSymKey_GetTrustDomain (
- NSSSymKey *mk,
- PRStatus *statusOpt
+ NSSSymKey *mk
);
/*
diff --git a/security/nss/lib/pki/pki.h b/security/nss/lib/pki/pki.h
index 22c459aa1..5a8044c44 100644
--- a/security/nss/lib/pki/pki.h
+++ b/security/nss/lib/pki/pki.h
@@ -269,27 +269,6 @@ nssPrivateKey_GetID (
NSSPrivateKey *vk
);
-NSS_EXTERN NSSUTF8 *
-nssPrivateKey_GetNickname (
- NSSPrivateKey *vk,
- NSSToken *tokenOpt
-);
-
-NSS_EXTERN NSSTrustDomain *
-nssPrivateKey_GetTrustDomain (
- NSSPrivateKey *vk,
- PRStatus *statusOpt
-);
-
-NSS_EXTERN NSSVolatileDomain **
-nssPrivateKey_GetVolatileDomains (
- NSSPrivateKey *vk,
- NSSVolatileDomain **vdsOpt,
- PRUint32 maximumOpt,
- NSSArena *arenaOpt,
- PRStatus *statusOpt
-);
-
NSS_EXTERN NSSPublicKey *
nssPublicKey_AddRef (
NSSPublicKey *bk
@@ -325,15 +304,6 @@ nssSymKey_AddRef (
NSSSymKey *mk
);
-NSS_EXTERN NSSVolatileDomain **
-nssSymKey_GetVolatileDomains (
- NSSSymKey *mk,
- NSSVolatileDomain **vdsOpt,
- PRUint32 maximumOpt,
- NSSArena *arenaOpt,
- PRStatus *statusOpt
-);
-
NSS_EXTERN NSSVolatileDomain *
nssVolatileDomain_Create (
NSSTrustDomain *td,
diff --git a/security/nss/lib/pki/pkibase.c b/security/nss/lib/pki/pkibase.c
index 7c13cb600..1d068e47a 100644
--- a/security/nss/lib/pki/pkibase.c
+++ b/security/nss/lib/pki/pkibase.c
@@ -48,6 +48,17 @@ struct volatile_domain_instance_str {
NSSVolatileDomain *vd;
};
+static PRStatus
+virtual_copy_to_token(nssPKIObject *object, NSSToken *destination,
+ nssSession *sessionOpt, PRBool asPersistentObject,
+ NSSUTF8 *labelOpt, nssCryptokiObject **rvInstanceOpt)
+{
+ PR_ASSERT(0);
+ nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+ return PR_FAILURE;
+}
+
+
NSS_IMPLEMENT nssPKIObject *
nssPKIObject_Create (
NSSTrustDomain *td,
@@ -69,6 +80,7 @@ nssPKIObject_Create (
object->arena = arena;
object->td = td; /* XXX */
object->lock = PZ_NewLock(nssILockOther);
+ object->copyToToken = virtual_copy_to_token;
if (!object->lock) {
goto loser;
}
@@ -87,25 +99,30 @@ loser:
return (nssPKIObject *)NULL;
}
-NSS_IMPLEMENT PRBool
+NSS_IMPLEMENT PRStatus
nssPKIObject_Destroy (
nssPKIObject *object
)
{
PRUint32 i;
+ PRStatus status;
+
PR_ASSERT(object->refCount > 0);
PR_AtomicDecrement(&object->refCount);
+ status = PR_SUCCESS;
if (object->refCount == 0) {
for (i=0; i<object->numInstances; i++) {
nssCryptokiObject_Destroy(object->instances[i]);
}
+ if (object->destructor) {
+ status = object->destructor(object);
+ }
/*nssVolatileDomain_Destroy(object->vd);*/
PZ_DestroyLock(object->lock);
nssUTF8_Destroy(object->nickname);
nssArena_Destroy(object->arena);
- return PR_TRUE;
}
- return PR_FALSE;
+ return status;
}
NSS_IMPLEMENT nssPKIObject *
@@ -465,10 +482,15 @@ nssPKIObject_GetInstance (
return instance;
}
+/* XXX currently, all callers of this function are using allowMove=true,
+ * but this is in need of a scheme to determine when/how to wrap
+ * sensitive objects before moving
+ */
NSS_IMPLEMENT nssCryptokiObject *
nssPKIObject_FindInstanceForAlgorithm (
nssPKIObject *object,
- const NSSAlgNParam *ap
+ const NSSAlgNParam *ap,
+ PRBool allowMove
)
{
nssCryptokiObject *instance = NULL;
@@ -481,18 +503,23 @@ nssPKIObject_FindInstanceForAlgorithm (
}
}
PZ_Unlock(object->lock);
+ if (!instance && allowMove) {
+ NSSToken *token;
+ token = nssTrustDomain_FindTokenForAlgNParam(object->td, ap);
+ if (token) {
+ (void)nssPKIObject_CopyToToken(object, token, NULL,
+ PR_FALSE, NULL, &instance);
+ nssToken_Destroy(token);
+ }
+ }
return instance;
}
NSS_IMPLEMENT NSSTrustDomain *
nssPKIObject_GetTrustDomain (
- nssPKIObject *object,
- PRStatus *statusOpt
+ nssPKIObject *object
)
{
- if (statusOpt) {
- *statusOpt = PR_SUCCESS;
- }
return object->td;
}
@@ -504,7 +531,7 @@ object_is_in_vd(nssPKIObject *object, NSSVolatileDomain *vd)
struct volatile_domain_instance_str *vdInstance;
link = PR_NEXT_LINK(&object->vds);
- while (link != &object->vds) {
+ while (link && link != &object->vds) {
vdInstance = (struct volatile_domain_instance_str *)link;
if (vdInstance->vd == vd) {
inVD = PR_TRUE;
@@ -563,9 +590,13 @@ nssPKIObject_GetVolatileDomains (
{
PRCList *link;
PRUint32 i;
+ NSSVolatileDomain **vds;
struct volatile_domain_instance_str *vdInstance;
+
if (statusOpt) *statusOpt = PR_SUCCESS;
- if (!vdsOpt) {
+ if (vdsOpt) {
+ vds = vdsOpt;
+ } else {
if (maximumOpt > 0) {
i = maximumOpt;
} else {
@@ -575,30 +606,30 @@ nssPKIObject_GetVolatileDomains (
link != &object->vds;
link = PR_NEXT_LINK(link), i++);
PZ_Unlock(object->lock);
- maximumOpt = i;
}
if (i == 0) {
return (NSSVolatileDomain **)NULL;
}
- vdsOpt = nss_ZNEWARRAY(arenaOpt, NSSVolatileDomain *, i + 1);
- if (!vdsOpt) {
+ vds = nss_ZNEWARRAY(arenaOpt, NSSVolatileDomain *, i + 1);
+ if (!vds) {
if (statusOpt) *statusOpt = PR_FAILURE;
return (NSSVolatileDomain **)NULL;
}
}
i = 0;
+ vds[0] = NULL;
PZ_Lock(object->lock);
link = PR_NEXT_LINK(&object->vds);
- while (link != &object->vds) {
+ while (link && link != &object->vds) {
vdInstance = (struct volatile_domain_instance_str *)link;
- vdsOpt[i++] = nssVolatileDomain_AddRef(vdInstance->vd);
- if (i == maximumOpt)
+ vds[i++] = nssVolatileDomain_AddRef(vdInstance->vd);
+ if (maximumOpt > 0 && i == maximumOpt)
break;
link = PR_NEXT_LINK(link);
}
PZ_Unlock(object->lock);
- vdsOpt[i] = NULL;
- return vdsOpt;
+ if (!vdsOpt || maximumOpt == 0) vds[i] = NULL;
+ return vds;
}
NSS_IMPLEMENT NSSCert **
@@ -628,6 +659,20 @@ nssCertArray_CreateFromInstances (
return rvCerts;
}
+NSS_IMPLEMENT PRStatus
+nssPKIObject_CopyToToken (
+ nssPKIObject *object,
+ NSSToken *destination,
+ nssSession *sessionOpt,
+ PRBool asPersistentObject,
+ NSSUTF8 *labelOpt,
+ nssCryptokiObject **rvInstanceOpt
+)
+{
+ return object->copyToToken(object, destination, sessionOpt,
+ asPersistentObject, labelOpt, rvInstanceOpt);
+}
+
NSS_IMPLEMENT void
nssCertArray_Destroy (
NSSCert **certs
diff --git a/security/nss/lib/pki/pkietc.c b/security/nss/lib/pki/pkietc.c
new file mode 100644
index 000000000..07a2e497b
--- /dev/null
+++ b/security/nss/lib/pki/pkietc.c
@@ -0,0 +1,195 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation. Portions created by Netscape are
+ * Copyright (C) 1994-2000 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above. If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL. If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+struct nssSMIMEProfileStr
+{
+ nssPKIObject object;
+ NSSCert *certificate;
+ NSSASCII7 *email;
+ NSSDER *subject;
+ NSSItem *profileTime;
+ NSSItem *profileData;
+};
+
+NSS_IMPLEMENT nssSMIMEProfile *
+nssSMIMEProfile_Create (
+ NSSCert *cert,
+ NSSItem *profileTime,
+ NSSItem *profileData
+)
+{
+#if 0
+ NSSArena *arena;
+ nssSMIMEProfile *rvProfile;
+ nssPKIObject *object;
+ NSSTrustDomain *td = nssCert_GetTrustDomain(cert);
+ NSSCryptoContext *cc = nssCert_GetCryptoContext(cert);
+ arena = nssArena_Create();
+ if (!arena) {
+ return NULL;
+ }
+ object = nssPKIObject_Create(arena, NULL, td, cc);
+ if (!object) {
+ goto loser;
+ }
+ rvProfile = nss_ZNEW(arena, nssSMIMEProfile);
+ if (!rvProfile) {
+ goto loser;
+ }
+ rvProfile->object = *object;
+ rvProfile->certificate = cert;
+ rvProfile->email = nssUTF8_Duplicate(cert->email, arena);
+ rvProfile->subject = nssItem_Duplicate(&cert->subject, arena, NULL);
+ if (profileTime) {
+ rvProfile->profileTime = nssItem_Duplicate(profileTime, arena, NULL);
+ }
+ if (profileData) {
+ rvProfile->profileData = nssItem_Duplicate(profileData, arena, NULL);
+ }
+ return rvProfile;
+loser:
+ nssPKIObject_Destroy(object);
+#endif
+ return (nssSMIMEProfile *)NULL;
+}
+
+NSS_IMPLEMENT nssSMIMEProfile *
+nssSMIMEProfile_AddRef (
+ nssSMIMEProfile *profile
+)
+{
+ if (profile) {
+ nssPKIObject_AddRef(&profile->object);
+ }
+ return profile;
+}
+
+NSS_IMPLEMENT PRStatus
+nssSMIMEProfile_Destroy (
+ nssSMIMEProfile *profile
+)
+{
+ if (profile) {
+ (void)nssPKIObject_Destroy(&profile->object);
+ }
+ return PR_SUCCESS;
+}
+
+struct NSSCRLStr {
+ nssPKIObject object;
+ NSSDER encoding;
+ NSSUTF8 *url;
+ PRBool isKRL;
+};
+
+NSS_IMPLEMENT NSSCRL *
+nssCRL_Create (
+ nssPKIObject *object
+)
+{
+ PRStatus status;
+ NSSCRL *rvCRL;
+ NSSArena *arena = object->arena;
+ PR_ASSERT(object->instances != NULL && object->numInstances > 0);
+ rvCRL = nss_ZNEW(arena, NSSCRL);
+ if (!rvCRL) {
+ return (NSSCRL *)NULL;
+ }
+ rvCRL->object = *object;
+ /* XXX should choose instance based on some criteria */
+ status = nssCryptokiCRL_GetAttributes(object->instances[0],
+ arena,
+ &rvCRL->encoding,
+ &rvCRL->url,
+ &rvCRL->isKRL);
+ if (status != PR_SUCCESS) {
+ return (NSSCRL *)NULL;
+ }
+ return rvCRL;
+}
+
+NSS_IMPLEMENT NSSCRL *
+nssCRL_AddRef (
+ NSSCRL *crl
+)
+{
+ if (crl) {
+ nssPKIObject_AddRef(&crl->object);
+ }
+ return crl;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCRL_Destroy (
+ NSSCRL *crl
+)
+{
+ if (crl) {
+ (void)nssPKIObject_Destroy(&crl->object);
+ }
+ return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCRL_DeleteStoredObject (
+ NSSCRL *crl,
+ NSSCallback *uhh
+)
+{
+ return nssPKIObject_DeleteStoredObject(&crl->object, uhh, PR_TRUE);
+}
+
+NSS_IMPLEMENT NSSDER *
+nssCRL_GetEncoding (
+ NSSCRL *crl
+)
+{
+ if (crl->encoding.data != NULL && crl->encoding.size > 0) {
+ return &crl->encoding;
+ } else {
+ return (NSSDER *)NULL;
+ }
+}
+
diff --git a/security/nss/lib/pki/pkim.h b/security/nss/lib/pki/pkim.h
index 1dd1dc1b1..5d3b8cc1d 100644
--- a/security/nss/lib/pki/pkim.h
+++ b/security/nss/lib/pki/pkim.h
@@ -71,6 +71,9 @@ PR_BEGIN_EXTERN_C
* nssPKIObject_DeleteStoredObject
*/
+/* Cast to base class */
+#define PKIOBJECT(o) ((nssPKIObject *)o)
+
/* nssPKIObject_Create
*
* A generic PKI object. It must live in a trust domain. It may be
@@ -98,7 +101,7 @@ nssPKIObject_AddRef (
* Returns true if object was destroyed. This notifies the subclass that
* all references are gone and it should delete any members it owns.
*/
-NSS_EXTERN PRBool
+NSS_EXTERN PRStatus
nssPKIObject_Destroy (
nssPKIObject *object
);
@@ -205,8 +208,7 @@ nssPKIObject_DeleteStoredObject (
NSS_EXTERN NSSTrustDomain *
nssPKIObject_GetTrustDomain (
- nssPKIObject *object,
- PRStatus *statusOpt
+ nssPKIObject *object
);
NSS_EXTERN void
@@ -238,7 +240,18 @@ nssPKIObject_GetInstances (
NSS_EXTERN nssCryptokiObject *
nssPKIObject_FindInstanceForAlgorithm (
nssPKIObject *object,
- const NSSAlgNParam *ap
+ const NSSAlgNParam *ap,
+ PRBool allowMove
+);
+
+NSS_EXTERN PRStatus
+nssPKIObject_CopyToToken (
+ nssPKIObject *object,
+ NSSToken *destination,
+ nssSession *sessionOpt,
+ PRBool asPersistentObject,
+ NSSUTF8 *labelOpt,
+ nssCryptokiObject **rvInstanceOpt
);
NSS_EXTERN NSSToken *
@@ -327,44 +340,6 @@ nssCert_CreateFromInstance (
NSSVolatileDomain *vdOpt
);
-/* XXX XXX most of these belong in pki.h */
-
-NSS_EXTERN nssCryptokiObject *
-nssCert_FindInstanceForAlgorithm (
- NSSCert *c,
- NSSAlgNParam *ap
-);
-
-NSS_EXTERN void
-nssCert_SetVolatileDomain (
- NSSCert *c,
- NSSVolatileDomain *vd
-);
-
-NSS_EXTERN PRStatus
-nssCert_RemoveInstanceForToken (
- NSSCert *c,
- NSSToken *token
-);
-
-NSS_EXTERN PRBool
-nssCert_HasInstanceOnToken (
- NSSCert *c,
- NSSToken *token
-);
-
-NSS_EXTERN PRIntn
-nssCert_CountInstances (
- NSSCert *c
-);
-
-NSS_EXTERN PRStatus
-nssCert_CopyToToken (
- NSSCert *c,
- NSSToken *token,
- NSSUTF8 *nicknameOpt
-);
-
NSS_EXTERN PRBool
nssCert_HasCANameInChain (
NSSCert *c,
@@ -403,51 +378,6 @@ nssSymKey_Destroy (
NSSSymKey *mk
);
-NSS_EXTERN void
-nssSymKey_SetVolatileDomain (
- NSSSymKey *mk,
- NSSVolatileDomain *vd
-);
-
-NSS_IMPLEMENT nssCryptokiObject *
-nssSymKey_CopyToToken (
- NSSSymKey *mk,
- NSSToken *destination,
- PRBool asPersistentObject
-);
-
-NSS_EXTERN NSSToken **
-nssSymKey_GetTokens (
- NSSSymKey *mk,
- NSSToken **rvOpt,
- PRUint32 rvMaxOpt,
- PRStatus *statusOpt
-);
-
-NSS_EXTERN NSSTrustDomain *
-nssSymKey_GetTrustDomain (
- NSSSymKey *mk,
- PRStatus *statusOpt
-);
-
-NSS_EXTERN PRBool
-nssSymKey_HasInstanceOnToken (
- NSSSymKey *mk,
- NSSToken *token
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssSymKey_GetInstance (
- NSSSymKey *mk,
- NSSToken *token
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssSymKey_FindInstanceForAlgorithm (
- NSSSymKey *mk,
- const NSSAlgNParam *ap
-);
-
NSS_EXTERN NSSDER *
nssCRL_GetEncoding (
NSSCRL *crl
@@ -468,48 +398,6 @@ nssPublicKey_CreateFromInstance (
NSSVolatileDomain *vdOpt
);
-NSS_EXTERN void
-nssPublicKey_SetVolatileDomain (
- NSSPublicKey *bk,
- NSSVolatileDomain *vd
-);
-
-NSS_EXTERN PRBool
-nssPublicKey_HasInstanceOnToken (
- NSSPublicKey *bk,
- NSSToken *token
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssPublicKey_GetInstance (
- NSSPublicKey *bk,
- NSSToken *token
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssPublicKey_FindInstanceForAlgorithm (
- NSSPublicKey *bk,
- const NSSAlgNParam *ap
-);
-
-NSS_EXTERN PRStatus
-nssPublicKey_RemoveInstanceForToken (
- NSSPublicKey *bk,
- NSSToken *token
-);
-
-NSS_EXTERN PRIntn
-nssPublicKey_CountInstances (
- NSSPublicKey *bk
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssPublicKey_CopyToToken (
- NSSPublicKey *bk,
- NSSToken *destination,
- PRBool asPersistentObject
-);
-
NSS_EXTERN NSSPrivateKey *
nssPrivateKey_CreateFromInstance (
nssCryptokiObject *instance,
@@ -517,47 +405,6 @@ nssPrivateKey_CreateFromInstance (
NSSVolatileDomain *vdOpt
);
-NSS_EXTERN void
-nssPrivateKey_SetVolatileDomain (
- NSSPrivateKey *vk,
- NSSVolatileDomain *vd
-);
-
-NSS_EXTERN PRBool
-nssPrivateKey_HasInstanceOnToken (
- NSSPrivateKey *vk,
- NSSToken *token
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssPrivateKey_GetInstance (
- NSSPrivateKey *vk,
- NSSToken *token
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssPrivateKey_FindInstanceForAlgorithm (
- NSSPrivateKey *vk,
- const NSSAlgNParam *ap
-);
-
-NSS_EXTERN PRStatus
-nssPrivateKey_RemoveInstanceForToken (
- NSSPrivateKey *vk,
- NSSToken *token
-);
-
-NSS_EXTERN PRIntn
-nssPrivateKey_CountInstances (
- NSSPrivateKey *vk
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssPrivateKey_CopyToToken (
- NSSPrivateKey *vk,
- NSSToken *destination
-);
-
NSS_EXTERN PRIntn
nssObjectArray_Count (
void **objects
diff --git a/security/nss/lib/pki/pkistore.c b/security/nss/lib/pki/pkistore.c
index 1550fedc5..aa4d125b4 100644
--- a/security/nss/lib/pki/pkistore.c
+++ b/security/nss/lib/pki/pkistore.c
@@ -827,8 +827,9 @@ unload_token_certs(nssTokenObjectStore *objectStore, nssTokenStore *store)
if (objectStore->certs) {
/* notify the cert objects that the token is removed */
for (cp = objectStore->certs; *cp; cp++) {
- nssCert_RemoveInstanceForToken(*cp, objectStore->token);
- if (nssCert_CountInstances(*cp) == 0) {
+ nssPKIObject_RemoveInstanceForToken(PKIOBJECT(*cp),
+ objectStore->token);
+ if (nssPKIObject_CountInstances(PKIOBJECT(*cp)) == 0) {
/* the cert now has no token instances, remove it from
* the token store
*/
@@ -887,8 +888,9 @@ unload_token_bkeys(nssTokenObjectStore *objectStore, nssTokenStore *store)
if (objectStore->bkeys) {
/* notify the objects that the token is removed */
for (bkp = objectStore->bkeys; *bkp; bkp++) {
- nssPublicKey_RemoveInstanceForToken(*bkp, objectStore->token);
- if (nssPublicKey_CountInstances(*bkp) == 0) {
+ nssPKIObject_RemoveInstanceForToken(PKIOBJECT(*bkp),
+ objectStore->token);
+ if (nssPKIObject_CountInstances(PKIOBJECT(*bkp)) == 0) {
/* the key now has no token instances, remove it from
* the token store
*/
@@ -947,8 +949,9 @@ unload_token_vkeys(nssTokenObjectStore *objectStore, nssTokenStore *store)
if (objectStore->vkeys) {
/* notify the objects that the token is removed */
for (vkp = objectStore->vkeys; *vkp; vkp++) {
- nssPrivateKey_RemoveInstanceForToken(*vkp, objectStore->token);
- if (nssPrivateKey_CountInstances(*vkp) == 0) {
+ nssPKIObject_RemoveInstanceForToken(PKIOBJECT(*vkp),
+ objectStore->token);
+ if (nssPKIObject_CountInstances(PKIOBJECT(*vkp)) == 0) {
/* the key now has no token instances, remove it from
* the token store
*/
@@ -1329,12 +1332,13 @@ nssTokenStore_ImportCert (
/* refresh the token */
refresh_token_object_store(objectStore, store);
/* see if it's already there */
- if (nssCert_HasInstanceOnToken(cert, destination)) {
+ if (nssPKIObject_HasInstanceOnToken(PKIOBJECT(cert), destination)) {
return PR_SUCCESS;
}
/* copy it onto the token and add it to the store */
/* XXX use session */
- status = nssCert_CopyToToken(cert, destination, nicknameOpt);
+ status = nssPKIObject_CopyToToken(PKIOBJECT(cert), destination, NULL,
+ PR_TRUE, nicknameOpt, NULL);
if (status == PR_SUCCESS) {
status = nssCertStore_AddCert(store->certs, cert);
if (status == PR_FAILURE) {
diff --git a/security/nss/lib/pki/pkit.h b/security/nss/lib/pki/pkit.h
index 182f16087..cdfdb018d 100644
--- a/security/nss/lib/pki/pkit.h
+++ b/security/nss/lib/pki/pkit.h
@@ -54,8 +54,7 @@ static const char PKIT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
PR_BEGIN_EXTERN_C
-/* XXX */
-typedef struct nssCertCacheStr nssCertCache;
+typedef struct nssPKIObjectStr nssPKIObject;
typedef PRUint32 nssUpdateLevel;
diff --git a/security/nss/lib/pki/pkitm.h b/security/nss/lib/pki/pkitm.h
index 6606be06f..5e185dd22 100644
--- a/security/nss/lib/pki/pkitm.h
+++ b/security/nss/lib/pki/pkitm.h
@@ -98,10 +98,12 @@ struct nssPKIObjectStr
pkiObjectType objectType;
NSSItem *uid[MAX_ITEMS_FOR_UID];
PRUint32 numIDs;
+ /* these are implemented on per-object basis */
+ PRStatus (* destructor)(nssPKIObject *);
+ PRStatus (* copyToToken)(nssPKIObject *, NSSToken *, nssSession *,
+ PRBool, NSSUTF8 *, nssCryptokiObject **);
};
-typedef struct nssPKIObjectStr nssPKIObject;
-
typedef struct nssPKIObjectTableStr nssPKIObjectTable;
typedef struct nssPKIObjectCreatorStr
diff --git a/security/nss/lib/pki/symkey.c b/security/nss/lib/pki/symkey.c
index 9974876fa..93929d637 100644
--- a/security/nss/lib/pki/symkey.c
+++ b/security/nss/lib/pki/symkey.c
@@ -52,6 +52,48 @@ struct NSSSymKeyStr
NSSOperations operations;
};
+static PRStatus
+copy_symkey_to_token (
+ nssPKIObject *o,
+ NSSToken *token,
+ nssSession *sessionOpt,
+ PRBool asPersistentObject,
+ NSSUTF8 *nicknameOpt,
+ nssCryptokiObject **rvInstanceOpt
+)
+{
+ /* XXX this could get complicated... might have to wrap the key, etc. */
+ nssCryptokiObject *mko;
+ nssSession *session;
+ NSSSymKey *mk = (NSSSymKey *)o;
+
+ if (sessionOpt) {
+ session = sessionOpt;
+ } else {
+ session = nssToken_CreateSession(token, asPersistentObject);
+ if (!session)
+ return PR_FAILURE;
+ }
+ /* XXX kind of a hack to peek into first instance like this */
+ mko = nssCryptokiSymKey_Copy(o->instances[0],
+ o->instances[0]->session,
+ token, session,
+ asPersistentObject);
+ if (!sessionOpt) {
+ nssSession_Destroy(session);
+ }
+ if (!mko) {
+ return PR_FAILURE;
+ }
+ if (nssPKIObject_AddInstance(&mk->object, mko) == PR_FAILURE) {
+ nssCryptokiObject_Destroy(mko);
+ return PR_FAILURE;
+ } else if (rvInstanceOpt) {
+ *rvInstanceOpt = nssCryptokiObject_Clone(mko);
+ }
+ return PR_SUCCESS;
+}
+
NSS_IMPLEMENT NSSSymKey *
nssSymKey_CreateFromInstance (
nssCryptokiObject *instance,
@@ -77,6 +119,7 @@ nssSymKey_CreateFromInstance (
}
pkio->objectType = pkiObjectType_SymKey;
pkio->numIDs = 0; /* XXX */
+ pkio->copyToToken = copy_symkey_to_token;
/* XXX not adding to table w/o uid... */
if (rvKey && vdOpt) {
status = nssVolatileDomain_ImportSymKey(vdOpt, rvKey);
@@ -149,26 +192,6 @@ nssSymKey_GetInstance (
return nssPKIObject_GetInstance(&mk->object, token);
}
-NSS_IMPLEMENT nssCryptokiObject *
-nssSymKey_FindInstanceForAlgorithm (
- NSSSymKey *mk,
- const NSSAlgNParam *ap
-)
-{
- nssCryptokiObject *instance;
- instance = nssPKIObject_FindInstanceForAlgorithm(&mk->object, ap);
- /* XXX here for now... make it apply for all searches... */
- if (!instance) {
- NSSToken *token;
- token = nssTrustDomain_FindTokenForAlgNParam(mk->object.td, ap);
- if (token) {
- instance = nssSymKey_CopyToToken(mk, token, PR_FALSE);
- nssToken_Destroy(token);
- }
- }
- return instance;
-}
-
NSS_IMPLEMENT PRBool
nssSymKey_HasInstanceOnToken (
NSSSymKey *mk,
@@ -196,42 +219,6 @@ NSSSymKey_DeleteStoredObject (
return nssSymKey_DeleteStoredObject(mk, uhh);
}
-/* XXX should take session as arg? crypto contexts copy instances in
- * their own session?
- */
-NSS_IMPLEMENT nssCryptokiObject *
-nssSymKey_CopyToToken (
- NSSSymKey *mk,
- NSSToken *destination,
- PRBool asPersistentObject
-)
-{
- /* XXX this could get complicated... might have to wrap the key, etc. */
- nssSession *session;
- nssCryptokiObject *mko;
-
- session = nssToken_CreateSession(destination, asPersistentObject);
- if (!session) {
- return (nssCryptokiObject *)NULL;
- }
- /* XXX kind of a hack to peek into first instance like this */
- mko = nssCryptokiSymKey_Copy(mk->object.instances[0],
- mk->object.instances[0]->session,
- destination, session,
- asPersistentObject);
- nssSession_Destroy(session);
- if (mko) {
- if (nssPKIObject_AddInstance(&mk->object, mko) == PR_FAILURE) {
- nssCryptokiObject_Destroy(mko);
- mko = NULL;
- } else {
- /* XXX */
- mko = nssCryptokiObject_Clone(mko);
- }
- }
- return mko;
-}
-
NSS_IMPLEMENT PRUint32
nssSymKey_GetKeyLength (
NSSSymKey *mk
@@ -287,34 +274,11 @@ nssSymKey_SetVolatileDomain (
}
NSS_IMPLEMENT NSSTrustDomain *
-nssSymKey_GetTrustDomain (
- NSSSymKey *mk,
- PRStatus *statusOpt
-)
-{
- return nssPKIObject_GetTrustDomain(&mk->object, statusOpt);
-}
-
-NSS_IMPLEMENT NSSTrustDomain *
NSSSymKey_GetTrustDomain (
- NSSSymKey *mk,
- PRStatus *statusOpt
-)
-{
- return nssSymKey_GetTrustDomain(mk, statusOpt);
-}
-
-NSS_IMPLEMENT NSSVolatileDomain **
-nssSymKey_GetVolatileDomains (
- NSSSymKey *mk,
- NSSVolatileDomain **vdsOpt,
- PRUint32 maximumOpt,
- NSSArena *arenaOpt,
- PRStatus *statusOpt
+ NSSSymKey *mk
)
{
- return nssPKIObject_GetVolatileDomains(&mk->object, vdsOpt,
- maximumOpt, arenaOpt, statusOpt);
+ return nssPKIObject_GetTrustDomain(PKIOBJECT(mk));
}
NSS_IMPLEMENT NSSToken *
@@ -609,9 +573,10 @@ nssSymKey_DeriveSymKey (
{
nssCryptokiObject *mko, *rvo;
NSSSymKey *rvKey = NULL;
- NSSTrustDomain *td = nssSymKey_GetTrustDomain(originalKey, NULL);
+ NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(originalKey));
- mko = nssSymKey_FindInstanceForAlgorithm(originalKey, ap);
+ mko = nssPKIObject_FindInstanceForAlgorithm(PKIOBJECT(originalKey),
+ ap, PR_TRUE);
if (!mko) {
return (NSSSymKey *)NULL;
}
@@ -686,7 +651,8 @@ nssSymKey_DeriveSSLSessionKeys (
PRStatus status;
PRIntn i;
- nssSymKey_GetVolatileDomains(masterSecret, &vd, 1, NULL, &status);
+ nssPKIObject_GetVolatileDomains(PKIOBJECT(masterSecret),
+ &vd, 1, NULL, &status);
if (status == PR_FAILURE) {
return PR_FAILURE;
}
diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c
index 036b1eff7..bd90f2b30 100644
--- a/security/nss/lib/pki/trustdomain.c
+++ b/security/nss/lib/pki/trustdomain.c
@@ -1053,7 +1053,7 @@ static PRStatus
filter_out_token_certs(NSSCert *c, void *arg)
{
struct token_cert_filter_str *cbarg = (struct token_cert_filter_str *)arg;
- if (nssCert_CountInstances(c) == 0) {
+ if (nssPKIObject_CountInstances(PKIOBJECT(c)) == 0) {
return cbarg->callback(c, cbarg->arg);
}
return PR_SUCCESS;
diff --git a/security/nss/lib/pki/volatiledomain.c b/security/nss/lib/pki/volatiledomain.c
index a58aebc8f..4e667b4b3 100644
--- a/security/nss/lib/pki/volatiledomain.c
+++ b/security/nss/lib/pki/volatiledomain.c
@@ -225,7 +225,7 @@ nssVolatileDomain_ImportCert (
)
{
PZ_Lock(vd->objectLock);
- if (nssPKIObject_IsInVolatileDomain(c, vd)) {
+ if (nssPKIObject_IsInVolatileDomain(PKIOBJECT(c), vd)) {
PZ_Unlock(vd->objectLock);
return PR_SUCCESS;
}
@@ -249,7 +249,7 @@ nssVolatileDomain_ImportCert (
}
vd->certs.array[vd->certs.count++] = (void *)nssCert_AddRef(c);
PZ_Unlock(vd->objectLock);
- nssCert_SetVolatileDomain(c, vd);
+ nssPKIObject_SetVolatileDomain(PKIOBJECT(c), vd);
return PR_SUCCESS;
}
@@ -341,7 +341,7 @@ nssVolatileDomain_ImportPublicKey (
}
vd->bkeys.array[vd->bkeys.count++] = (void *)nssPublicKey_AddRef(bk);
PZ_Unlock(vd->objectLock);
- nssPublicKey_SetVolatileDomain(bk, vd);
+ nssPKIObject_SetVolatileDomain(PKIOBJECT(bk), vd);
return PR_SUCCESS;
}
@@ -428,7 +428,7 @@ nssVolatileDomain_ImportPrivateKey (
}
vd->vkeys.array[vd->vkeys.count++] = (void *)nssPrivateKey_AddRef(vk);
PZ_Unlock(vd->objectLock);
- nssPrivateKey_SetVolatileDomain(vk, vd);
+ nssPKIObject_SetVolatileDomain(PKIOBJECT(vk), vd);
return PR_SUCCESS;
}
@@ -496,7 +496,7 @@ nssVolatileDomain_ImportSymKey (
}
vd->mkeys.array[vd->mkeys.count++] = (void *)nssSymKey_AddRef(mk);
PZ_Unlock(vd->objectLock);
- nssSymKey_SetVolatileDomain(mk, vd);
+ nssPKIObject_SetVolatileDomain(PKIOBJECT(mk), vd);
return PR_SUCCESS;
}
@@ -1260,7 +1260,8 @@ nssVolatileDomain_UnwrapSymKey (
NSSSymKey *mkey = NULL;
/* find a token to do it on */
- vko = nssPrivateKey_FindInstanceForAlgorithm(wrapKey, ap);
+ vko = nssPKIObject_FindInstanceForAlgorithm(PKIOBJECT(wrapKey), ap,
+ PR_TRUE);
if (!vko) {
return (NSSSymKey *)NULL;
}
View Lorry Controller Status