diff options
author | ian.mcgreer%sun.com <devnull@localhost> | 2003-03-07 20:18:10 +0000 |
---|---|---|
committer | ian.mcgreer%sun.com <devnull@localhost> | 2003-03-07 20:18:10 +0000 |
commit | 689642e9867fa9f2646f7829b76e8de53dee4cbc (patch) | |
tree | 546a235edd04fd4fb4d3cd32ab539ea580b2dcfd | |
parent | e5f6b12be8cf09fb80617f548eb9a183f0118e71 (diff) | |
download | nss-hg-689642e9867fa9f2646f7829b76e8de53dee4cbc.tar.gz |
reorganize pkiobject inheritance
-rw-r--r-- | security/nss/lib/pki/asymmkey.c | 171 | ||||
-rw-r--r-- | security/nss/lib/pki/cert.c | 151 | ||||
-rw-r--r-- | security/nss/lib/pki/cryptocontext.c | 172 | ||||
-rw-r--r-- | security/nss/lib/pki/manifest.mn | 1 | ||||
-rw-r--r-- | security/nss/lib/pki/nsspki.h | 9 | ||||
-rw-r--r-- | security/nss/lib/pki/pki.h | 30 | ||||
-rw-r--r-- | security/nss/lib/pki/pkibase.c | 83 | ||||
-rw-r--r-- | security/nss/lib/pki/pkietc.c | 195 | ||||
-rw-r--r-- | security/nss/lib/pki/pkim.h | 187 | ||||
-rw-r--r-- | security/nss/lib/pki/pkistore.c | 20 | ||||
-rw-r--r-- | security/nss/lib/pki/pkit.h | 3 | ||||
-rw-r--r-- | security/nss/lib/pki/pkitm.h | 6 | ||||
-rw-r--r-- | security/nss/lib/pki/symkey.c | 134 | ||||
-rw-r--r-- | security/nss/lib/pki/trustdomain.c | 2 | ||||
-rw-r--r-- | security/nss/lib/pki/volatiledomain.c | 13 |
15 files changed, 527 insertions, 650 deletions
diff --git a/security/nss/lib/pki/asymmkey.c b/security/nss/lib/pki/asymmkey.c index 515bcf368..842c5464c 100644 --- a/security/nss/lib/pki/asymmkey.c +++ b/security/nss/lib/pki/asymmkey.c @@ -142,15 +142,7 @@ nssPrivateKey_Destroy ( NSSPrivateKey *vk ) { - PRBool destroyed; - if (vk) { - destroyed = nssPKIObject_Destroy(&vk->object); - /* - if (destroyed) { - } - */ - } - return PR_SUCCESS; + return nssPKIObject_Destroy(&vk->object); } NSS_IMPLEMENT PRStatus @@ -200,15 +192,6 @@ nssPrivateKey_GetInstance ( return nssPKIObject_GetInstance(&vk->object, token); } -NSS_IMPLEMENT nssCryptokiObject * -nssPrivateKey_FindInstanceForAlgorithm ( - NSSPrivateKey *vk, - const NSSAlgNParam *ap -) -{ - return nssPKIObject_FindInstanceForAlgorithm(&vk->object, ap); -} - NSS_IMPLEMENT PRStatus nssPrivateKey_RemoveInstanceForToken ( NSSPrivateKey *vk, @@ -260,17 +243,6 @@ NSSPrivateKey_GetKeyType ( return nssPrivateKey_GetKeyType(vk); } -NSS_IMPLEMENT nssCryptokiObject * -nssPrivateKey_CopyToToken ( - NSSPrivateKey *vk, - NSSToken *destination -) -{ - /* XXX this could get complicated... might have to wrap the key, etc. */ - PR_ASSERT(0); - return NULL; -} - NSS_IMPLEMENT PRUint32 nssPrivateKey_GetPrivateModulusLength ( NSSPrivateKey *vk @@ -378,7 +350,7 @@ nssPrivateKey_Encode ( } (void)nssAlgNParam_SetPBEPassword(ap, password); - vkey = nssPrivateKey_FindInstanceForAlgorithm(vk, ap); + vkey = nssPKIObject_FindInstanceForAlgorithm(PKIOBJECT(vk), ap, PR_TRUE); if (!vkey) { /* XXX defer to trust domain? */ nss_ZFreeIf(password); @@ -388,8 +360,8 @@ nssPrivateKey_Encode ( /* XXX use GenByPassword!!! */ /* use the supplied PBE alg/param to create a wrapping key */ pbeKey = nssToken_GenerateSymKey(vkey->token, vkey->session, ap, - 0, NULL, PR_FALSE, - NSSOperations_WRAP, 0); + 0, NULL, PR_FALSE, + NSSOperations_WRAP, 0); nss_ZFreeIf(password); if (!pbeKey) { return (NSSItem *)NULL; @@ -403,8 +375,7 @@ nssPrivateKey_Encode ( /* wrap the private key with the PBE key */ wrap = nssToken_WrapKey(vkey->token, vkey->session, wrapAP, - pbeKey, vkey, - rvOpt, arenaOpt); + pbeKey, vkey, rvOpt, arenaOpt); nssAlgNParam_Destroy(wrapAP); nssCryptokiObject_Destroy(pbeKey); nssCryptokiObject_Destroy(vkey); @@ -587,21 +558,11 @@ nssPrivateKey_GetVolatileDomain ( } NSS_IMPLEMENT NSSTrustDomain * -nssPrivateKey_GetTrustDomain ( - NSSPrivateKey *vk, - PRStatus *statusOpt -) -{ - return vk->object.td; -} - -NSS_IMPLEMENT NSSTrustDomain * NSSPrivateKey_GetTrustDomain ( - NSSPrivateKey *vk, - PRStatus *statusOpt + NSSPrivateKey *vk ) { - return nssPrivateKey_GetTrustDomain(vk, statusOpt); + return nssPKIObject_GetTrustDomain(PKIOBJECT(vk)); } NSS_IMPLEMENT NSSToken ** @@ -676,7 +637,7 @@ nssPrivateKey_Decrypt ( } } - vko = nssPrivateKey_FindInstanceForAlgorithm(vk, ap); + vko = nssPKIObject_FindInstanceForAlgorithm(PKIOBJECT(vk), ap, PR_TRUE); if (!vko) { if (!apOpt) nssAlgNParam_Destroy(ap); return (NSSItem *)NULL; @@ -738,7 +699,7 @@ nssPrivateKey_Sign ( } } - vko = nssPrivateKey_FindInstanceForAlgorithm(vk, ap); + vko = nssPKIObject_FindInstanceForAlgorithm(PKIOBJECT(vk), ap, PR_TRUE); if (!vko) { if (!apOpt) nssAlgNParam_Destroy(ap); return NULL; @@ -841,7 +802,7 @@ nssPrivateKey_FindPublicKey ( NSSPrivateKey *vk ) { - NSSTrustDomain *td = nssPrivateKey_GetTrustDomain(vk, NULL); + NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(vk)); return nssTrustDomain_FindPublicKeyByID(td, &vk->id); } @@ -861,7 +822,7 @@ nssPrivateKey_FindCerts ( NSSArena *arenaOpt ) { - NSSTrustDomain *td = nssPrivateKey_GetTrustDomain(vk, NULL); + NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(vk)); return nssTrustDomain_FindCertsByID(td, &vk->id, rvOpt, maximumOpt, arenaOpt); } @@ -924,6 +885,44 @@ struct NSSPublicKeyStr NSSPublicKeyInfo info; }; +static PRStatus +copy_public_key_to_token ( + nssPKIObject *o, + NSSToken *token, + nssSession *sessionOpt, + PRBool asPersistentObject, + NSSUTF8 *nicknameOpt, + nssCryptokiObject **rvInstanceOpt +) +{ + nssCryptokiObject *bko; + nssSession *session; + NSSPublicKey *bk = (NSSPublicKey *)o; + + if (sessionOpt) { + session = sessionOpt; + } else { + session = nssToken_CreateSession(token, asPersistentObject); + if (!session) + return PR_FAILURE; + } + bko = nssToken_ImportPublicKey(token, session, + &bk->info, asPersistentObject); + if (!sessionOpt) { + nssSession_Destroy(session); + } + if (!bko) { + return PR_FAILURE; + } + if (nssPKIObject_AddInstance(&bk->object, bko) == PR_FAILURE) { + nssCryptokiObject_Destroy(bko); + return PR_FAILURE; + } else if (rvInstanceOpt) { + *rvInstanceOpt = nssCryptokiObject_Clone(bko); + } + return PR_SUCCESS; +} + NSS_IMPLEMENT NSSPublicKey * nssPublicKey_CreateFromInstance ( nssCryptokiObject *instance, @@ -950,6 +949,7 @@ nssPublicKey_CreateFromInstance ( pkio->objectType = pkiObjectType_PublicKey; pkio->numIDs = 1; pkio->uid[0] = &rvKey->id; + pkio->copyToToken = copy_public_key_to_token; rvKey = (NSSPublicKey *)nssPKIObjectTable_Add(objectTable, pkio); if (!rvKey) { rvKey = (NSSPublicKey *)pkio; @@ -1071,15 +1071,7 @@ nssPublicKey_Destroy ( NSSPublicKey *bk ) { - PRBool destroyed; - if (bk) { - destroyed = nssPKIObject_Destroy(&bk->object); - /* - if (destroyed) { - } - */ - } - return PR_SUCCESS; + return nssPKIObject_Destroy(&bk->object); } NSS_IMPLEMENT PRStatus @@ -1120,15 +1112,6 @@ nssPublicKey_GetInstance ( return nssPKIObject_GetInstance(&bk->object, token); } -NSS_IMPLEMENT nssCryptokiObject * -nssPublicKey_FindInstanceForAlgorithm ( - NSSPublicKey *bk, - const NSSAlgNParam *ap -) -{ - return nssPKIObject_FindInstanceForAlgorithm(&bk->object, ap); -} - NSS_IMPLEMENT PRStatus nssPublicKey_RemoveInstanceForToken ( NSSPublicKey *bk, @@ -1173,35 +1156,6 @@ NSSPublicKey_DeleteStoredObject ( return nssPublicKey_DeleteStoredObject(bk, uhh); } -NSS_IMPLEMENT nssCryptokiObject * -nssPublicKey_CopyToToken ( - NSSPublicKey *bk, - NSSToken *destination, - PRBool asPersistentObject -) -{ - nssSession *session; - nssCryptokiObject *bko; - - session = nssToken_CreateSession(destination, asPersistentObject); - if (!session) { - return (nssCryptokiObject *)NULL; - } - bko = nssToken_ImportPublicKey(destination, session, - &bk->info, asPersistentObject); - nssSession_Destroy(session); - if (bko) { - if (nssPKIObject_AddInstance(&bk->object, bko) == PR_FAILURE) { - nssCryptokiObject_Destroy(bko); - bko = NULL; - } else { - /* XXX maybe AddInstance should rethink not cloning */ - bko = nssCryptokiObject_Clone(bko); - } - } - return bko; -} - NSS_IMPLEMENT NSSItem * NSSPublicKey_Encode ( NSSPublicKey *bk, @@ -1216,21 +1170,11 @@ NSSPublicKey_Encode ( } NSS_IMPLEMENT NSSTrustDomain * -nssPublicKey_GetTrustDomain ( - NSSPublicKey *bk, - PRStatus *statusOpt -) -{ - return bk->object.td; -} - -NSS_IMPLEMENT NSSTrustDomain * NSSPublicKey_GetTrustDomain ( - NSSPublicKey *bk, - PRStatus *statusOpt + NSSPublicKey *bk ) { - return nssPublicKey_GetTrustDomain(bk, statusOpt); + return nssPKIObject_GetTrustDomain(PKIOBJECT(bk)); } NSS_IMPLEMENT NSSToken * @@ -1355,7 +1299,7 @@ nssPublicKey_Encrypt ( } } - bko = nssPublicKey_FindInstanceForAlgorithm(bk, ap); + bko = nssPKIObject_FindInstanceForAlgorithm(PKIOBJECT(bk), ap, PR_TRUE); if (!bko) { if (!apOpt) nssAlgNParam_Destroy(ap); return (NSSItem *)NULL; @@ -1496,7 +1440,10 @@ nssPublicKey_GetInstanceForAlgorithmAndObject ( /* didn't find a token with both objects, but did find * one that can do the operation */ - instance = nssPublicKey_CopyToToken(bk, candidate, PR_FALSE); + /* XXX session? */ + status = nssPKIObject_CopyToToken(PKIOBJECT(bk), candidate, + NULL, PR_FALSE, + NULL, &instance); } nssTokenArray_Destroy(tokens); } @@ -1566,7 +1513,7 @@ nssPublicKey_FindCerts ( NSSArena *arenaOpt ) { - NSSTrustDomain *td = nssPublicKey_GetTrustDomain(bk, NULL); + NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(bk)); return nssTrustDomain_FindCertsByID(td, &bk->id, rvOpt, maximumOpt, arenaOpt); } diff --git a/security/nss/lib/pki/cert.c b/security/nss/lib/pki/cert.c index fd49184cb..6d33e94be 100644 --- a/security/nss/lib/pki/cert.c +++ b/security/nss/lib/pki/cert.c @@ -83,6 +83,63 @@ nss_GetMethodsForType ( NSSCertType certType ); +static PRStatus +cert_destructor(nssPKIObject *o) +{ + NSSCert *c = (NSSCert *)o; + void *dc = c->decoding.data; + NSSCertMethods *methods = c->decoding.methods; + if (dc && methods) { + methods->destroy(dc); + } + return PR_SUCCESS; +} + +static PRStatus +copy_cert_to_token ( + nssPKIObject *o, + NSSToken *token, + nssSession *sessionOpt, + PRBool asPersistentObject, + NSSUTF8 *nicknameOpt, + nssCryptokiObject **rvInstanceOpt +) +{ + PRStatus status; + NSSCert *c = (NSSCert *)o; + nssCryptokiObject *instance; + nssSession *session; + + if (sessionOpt) { + session = sessionOpt; + } else { + session = nssToken_CreateSession(token, asPersistentObject); + if (!session) + return PR_FAILURE; + } + /* XXX why not id? */ + instance = nssToken_ImportCert(token, session, + c->kind, NULL, nicknameOpt, + &c->encoding, &c->issuer, + &c->subject, &c->serial, + c->email, asPersistentObject); + if (!sessionOpt) { + nssSession_Destroy(session); + } + if (!instance) { + return PR_FAILURE; + } + status = nssPKIObject_AddInstance(&c->object, instance); + if (status == PR_FAILURE) { + nssCryptokiObject_Destroy(instance); + return PR_FAILURE; + } + if (rvInstanceOpt) { + *rvInstanceOpt = nssCryptokiObject_Clone(instance); + } + return PR_SUCCESS; +} + NSS_IMPLEMENT NSSCert * nssCert_CreateFromInstance ( nssCryptokiObject *instance, @@ -125,6 +182,8 @@ nssCert_CreateFromInstance ( if (!rvCert->decoding.methods) { goto loser; } + rvCert->object.copyToToken = copy_cert_to_token; + rvCert->object.destructor = cert_destructor; if (rvCert && vdOpt) { status = nssVolatileDomain_ImportCert(vdOpt, rvCert); if (status == PR_FAILURE) { @@ -176,6 +235,8 @@ nssCert_Decode ( } else { goto loser; } + pkio->destructor = cert_destructor; + pkio->copyToToken = copy_cert_to_token; /* copy the BER encoding */ it = nssItem_Duplicate(ber, pkio->arena, &rvCert->encoding); if (!it) { @@ -257,18 +318,7 @@ nssCert_Destroy ( NSSCert *c ) { - PRBool destroyed; - if (c) { - void *dc = c->decoding.data; - NSSCertMethods *methods = c->decoding.methods; - destroyed = nssPKIObject_Destroy(&c->object); - if (destroyed) { - if (dc) { - methods->destroy(dc); - } - } - } - return PR_SUCCESS; + return nssPKIObject_Destroy(&c->object);; } NSS_IMPLEMENT PRStatus @@ -681,33 +731,12 @@ nssCert_SetVolatileDomain ( nssPKIObject_SetVolatileDomain(&c->object, vd); } -NSS_IMPLEMENT NSSVolatileDomain ** -nssCert_GetVolatileDomains( - NSSCert *c, - NSSVolatileDomain **vdsOpt, - PRUint32 maximumOpt, - NSSArena *arenaOpt, - PRStatus *statusOpt -) -{ - return nssPKIObject_GetVolatileDomains(&c->object, vdsOpt, - maximumOpt, arenaOpt, statusOpt); -} - -NSS_IMPLEMENT NSSTrustDomain * -nssCert_GetTrustDomain ( - NSSCert *c -) -{ - return c->object.td; -} - NSS_IMPLEMENT NSSTrustDomain * NSSCert_GetTrustDomain ( NSSCert *c ) { - return nssCert_GetTrustDomain(c); + return nssPKIObject_GetTrustDomain(PKIOBJECT(c)); } NSS_IMPLEMENT NSSToken ** @@ -750,15 +779,6 @@ NSSCert_GetModule ( return (NSSModule *)NULL; } -NSS_IMPLEMENT nssCryptokiObject * -nssCert_FindInstanceForAlgorithm ( - NSSCert *c, - NSSAlgNParam *ap -) -{ - return nssPKIObject_FindInstanceForAlgorithm(&c->object, ap); -} - NSS_IMPLEMENT PRStatus nssCert_DeleteStoredObject ( NSSCert *c, @@ -777,37 +797,6 @@ NSSCert_DeleteStoredObject ( return nssCert_DeleteStoredObject(c, uhh); } -NSS_IMPLEMENT PRStatus -nssCert_CopyToToken ( - NSSCert *c, - NSSToken *token, - NSSUTF8 *nicknameOpt -) -{ - PRStatus status; - nssCryptokiObject *instance; - nssSession *rwSession; - - rwSession = nssToken_CreateSession(token, PR_TRUE); - if (!rwSession) { - return PR_FAILURE; - } - instance = nssToken_ImportCert(token, rwSession, - c->kind, NULL, nicknameOpt, - &c->encoding, &c->issuer, - &c->subject, &c->serial, - c->email, PR_TRUE); - nssSession_Destroy(rwSession); - if (!instance) { - return PR_FAILURE; - } - status = nssPKIObject_AddInstance(&c->object, instance); - if (status == PR_FAILURE) { - return PR_FAILURE; - } - return PR_SUCCESS; -} - static PRStatus validate_and_discover_trust ( NSSCert *c, @@ -1123,7 +1112,7 @@ nssCert_SetTrustedUsages ( c->trust.notTrustedUsages.ca &= usages->ca; c->trust.notTrustedUsages.peer &= usages->peer; /* reflect the change in the db */ - td = nssCert_GetTrustDomain(c); + td = nssPKIObject_GetTrustDomain(PKIOBJECT(c)); return nssTrustDomain_SetCertTrust(td, c, &c->trust); } @@ -1189,8 +1178,8 @@ find_cert_issuer ( NSSTrustDomain *td; NSSVolatileDomain *vd; /* XXX what to do with multiple vds? */ - nssCert_GetVolatileDomains(c, &vd, 1, NULL, NULL); - td = nssCert_GetTrustDomain(c); + nssPKIObject_GetVolatileDomains(PKIOBJECT(c), &vd, 1, NULL, NULL); + td = nssPKIObject_GetTrustDomain(PKIOBJECT(c)); if (vd) { issuers = nssVolatileDomain_FindCertsBySubject(vd, &c->issuer, NULL, 0, NULL); @@ -1240,7 +1229,7 @@ nssCert_BuildChain ( NSSTrustDomain *td; NSSUsages usages = { 0 }; - td = NSSCert_GetTrustDomain(c); + td = nssPKIObject_GetTrustDomain(PKIOBJECT(c)); if (statusOpt) *statusOpt = PR_SUCCESS; if (rvLimit) { @@ -1423,10 +1412,10 @@ nssCert_GetPublicKey ( ) { PRStatus status; - NSSTrustDomain *td = nssCert_GetTrustDomain(c); + NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(c)); NSSVolatileDomain *vd; /* XXX multiple vds? */ - nssCert_GetVolatileDomains(c, &vd, 1, NULL, NULL); + nssPKIObject_GetVolatileDomains(PKIOBJECT(c), &vd, 1, NULL, NULL); if (!c->bk && c->id.size > 0) { /* first try looking for a persistent object */ @@ -1466,7 +1455,7 @@ nssCert_FindPrivateKey ( NSSCallback *uhh ) { - NSSTrustDomain *td = nssCert_GetTrustDomain(c); + NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(c)); if (c->id.size > 0) { return nssTrustDomain_FindPrivateKeyByID(td, &c->id); } else { diff --git a/security/nss/lib/pki/cryptocontext.c b/security/nss/lib/pki/cryptocontext.c index 659a469fe..024480148 100644 --- a/security/nss/lib/pki/cryptocontext.c +++ b/security/nss/lib/pki/cryptocontext.c @@ -121,10 +121,10 @@ nssCryptoContext_CreateForSymKey ( ) { NSSCryptoContext *rvCC; - NSSTrustDomain *td = nssSymKey_GetTrustDomain(mkey, NULL); + NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(mkey)); /* XXX multiple vds? */ NSSVolatileDomain *vd; - nssSymKey_GetVolatileDomains(mkey, &vd, 1, NULL, NULL); + nssPKIObject_GetVolatileDomains(PKIOBJECT(mkey), &vd, 1, NULL, NULL); rvCC = nssCryptoContext_Create(td, vd, apOpt, uhhOpt); if (rvCC) { @@ -143,10 +143,10 @@ nssCryptoContext_CreateForPrivateKey ( ) { NSSCryptoContext *rvCC; - NSSTrustDomain *td = nssPrivateKey_GetTrustDomain(vkey, NULL); + NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(vkey)); /* XXX multiple vds? */ NSSVolatileDomain *vd; - nssPrivateKey_GetVolatileDomains(vkey, &vd, 1, NULL, NULL); + nssPKIObject_GetVolatileDomains(PKIOBJECT(vkey), &vd, 1, NULL, NULL); rvCC = nssCryptoContext_Create(td, vd, apOpt, uhhOpt); if (rvCC) { @@ -294,19 +294,21 @@ loser: } static PRStatus -prepare_context_symmetric_key ( +prepare_context_key ( NSSCryptoContext *cc, + nssPKIObject *key, + nssCryptokiObject **keyo, const NSSAlgNParam *ap ) { + PRStatus status; if (cc->token) { /* context already has a token set */ - if (nssToken_DoesAlgNParam(cc->token, ap)) - { + if (nssToken_DoesAlgNParam(cc->token, ap)) { /* and the token can do the operation */ - if (!cc->key) { + if (!*keyo) { /* get a key instance from it */ - cc->key = nssSymKey_GetInstance(cc->u.mkey, cc->token); + *keyo = nssPKIObject_GetInstance(key, cc->token); } /* else we already have a key instance */ } else { /* the token can't do the math, so this context won't work */ @@ -314,8 +316,8 @@ prepare_context_symmetric_key ( } } else { /* find an instance of the key that will do the operation */ - cc->key = nssSymKey_FindInstanceForAlgorithm(cc->u.mkey, cc->ap); - if (cc->key) { + *keyo = nssPKIObject_FindInstanceForAlgorithm(key, cc->ap, PR_TRUE); + if (*keyo) { /* okay, now we know what token to use */ cc->token = nssToken_AddRef(cc->key->token); } else { @@ -330,10 +332,11 @@ prepare_context_symmetric_key ( /* the token has been set, so if we didn't find a key instance on * the token, copy it there as a temp (session) object */ - if (!cc->key) { - cc->key = nssSymKey_CopyToToken(cc->u.mkey, cc->token, - PR_FALSE); - if (!cc->key) { + if (!*keyo) { + /* XXX uh, get the session first */ + status = nssPKIObject_CopyToToken(key, cc->token, NULL, PR_FALSE, + NULL, keyo); + if (status == PR_FAILURE) { goto loser; } } @@ -351,75 +354,34 @@ loser: } static PRStatus +prepare_context_symmetric_key ( + NSSCryptoContext *cc, + const NSSAlgNParam *ap +) +{ + return prepare_context_key(cc, PKIOBJECT(cc->u.mkey), &cc->key, ap); +} + +static PRStatus prepare_context_private_key ( NSSCryptoContext *cc, const NSSAlgNParam *ap ) { + PRStatus status; NSSPrivateKey *vkey = NULL; if (cc->which == a_cert) { /* try to get the key from the cert */ vkey = nssCert_FindPrivateKey(cc->u.cert, cc->callback); if (!vkey) { - goto loser; + return PR_FAILURE; } } else { vkey = nssPrivateKey_AddRef(cc->u.vkey); } - if (cc->token) { - /* context already has a token set */ - if (nssToken_DoesAlgNParam(cc->token, ap)) - { - /* and the token can do the operation */ - if (!cc->key) { - /* get a key instance from it */ - cc->key = nssPrivateKey_GetInstance(vkey, cc->token); - } /* else we already have a key instance for the token */ - } else { - /* the token can't do the math, so this context won't work */ - goto loser; - } - } else { - /* find an instance of the key that will do the operation */ - cc->key = nssPrivateKey_FindInstanceForAlgorithm(vkey, cc->ap); - if (cc->key) { - /* okay, now we know what token to use */ - cc->token = nssToken_AddRef(cc->key->token); - } else { - /* find any token in the trust domain that can */ - cc->token = nssTrustDomain_FindTokenForAlgNParam(cc->td, ap); - if (!cc->token) { - /*nss_SetError(NSS_ERROR_NO_TOKEN_FOR_OPERATION);*/ - goto loser; - } - } - } - /* the token has been set, so if we didn't find a key instance on - * the token, copy it there - */ - if (!cc->key) { - cc->key = nssPrivateKey_CopyToToken(vkey, cc->token); - if (!cc->key) { - goto loser; - } - } - /* Obtain a session for the operation */ - if (!cc->session) { - cc->session = nssToken_CreateSession(cc->token, PR_FALSE); - if (!cc->session) { - goto loser; - } - } - if (vkey) { - nssPrivateKey_Destroy(vkey); - } - return PR_SUCCESS; -loser: - if (vkey) { - nssPrivateKey_Destroy(vkey); - } - nss_SetError(NSS_ERROR_INVALID_CRYPTO_CONTEXT); - return PR_FAILURE; + status = prepare_context_key(cc, PKIOBJECT(vkey), &cc->key, ap); + nssPrivateKey_Destroy(vkey); + return status; } static PRStatus @@ -428,74 +390,24 @@ prepare_context_public_key ( const NSSAlgNParam *ap ) { + PRStatus status; + NSSPublicKey *bkey = NULL; /* when the dist. object is a cert, both keys may be available, * so public key is stored separately */ nssCryptokiObject **bkp = (cc->which == a_cert) ? &cc->bkey : &cc->key; - NSSPublicKey *bkey = NULL; if (cc->which == a_cert) { /* try to get the key from the cert */ bkey = nssCert_GetPublicKey(cc->u.cert); if (!bkey) { - goto loser; + return PR_FAILURE; } } else { bkey = nssPublicKey_AddRef(cc->u.bkey); } - if (cc->token) { - /* context already has a token set */ - if (nssToken_DoesAlgNParam(cc->token, ap)) - { - /* and the token can do the operation */ - if (!*bkp) { - /* get a key instance from it */ - *bkp = nssPublicKey_GetInstance(bkey, cc->token); - } /* else we already have a key instance for the token */ - } else { - /* the token can't do the math, so this context won't work */ - goto loser; - } - } else { - /* find an instance of the key that will do the operation */ - *bkp = nssPublicKey_FindInstanceForAlgorithm(bkey, cc->ap); - if (*bkp) { - /* okay, now we know what token to use */ - cc->token = nssToken_AddRef(cc->key->token); - } else { - /* find any token in the trust domain that can */ - cc->token = nssTrustDomain_FindTokenForAlgNParam(cc->td, ap); - if (!cc->token) { - /*nss_SetError(NSS_ERROR_NO_TOKEN_FOR_OPERATION);*/ - goto loser; - } - } - } - /* the token has been set, so if we didn't find a key instance on - * the token, copy it there - */ - if (!*bkp) { - *bkp = nssPublicKey_CopyToToken(bkey, cc->token, PR_FALSE); - if (!*bkp) { - goto loser; - } - } - /* Obtain a session for the operation */ - if (!cc->session) { - cc->session = nssToken_CreateSession(cc->token, PR_FALSE); - if (!cc->session) { - goto loser; - } - } - if (bkey) { - nssPublicKey_Destroy(bkey); - } - return PR_SUCCESS; -loser: - if (bkey) { - nssPublicKey_Destroy(bkey); - } - nss_SetError(NSS_ERROR_INVALID_CRYPTO_CONTEXT); - return PR_FAILURE; + status = prepare_context_key(cc, PKIOBJECT(bkey), bkp, ap); + nssPublicKey_Destroy(bkey); + return status; } NSS_IMPLEMENT NSSItem * @@ -1338,10 +1250,12 @@ nssCryptoContext_DigestKey ( /* The context is being asked to digest a key that may not be * within its scope. Copy the key if needed. */ - mko = nssSymKey_GetInstance(mkOpt, cc->token); + mko = nssPKIObject_GetInstance(PKIOBJECT(mkOpt), cc->token); if (!mko) { - mko = nssSymKey_CopyToToken(mkOpt, cc->token, PR_FALSE); - if (!mko) { + status = nssPKIObject_CopyToToken(PKIOBJECT(mkOpt), cc->token, + cc->session, PR_FALSE, + NULL, &mko); + if (status == PR_FAILURE) { return PR_FAILURE; } } diff --git a/security/nss/lib/pki/manifest.mn b/security/nss/lib/pki/manifest.mn index a8b62aa56..348b6d2f5 100644 --- a/security/nss/lib/pki/manifest.mn +++ b/security/nss/lib/pki/manifest.mn @@ -54,6 +54,7 @@ CSRCS = \ cert.c \ cryptocontext.c \ symkey.c \ + pkietc.c \ time.c \ trustdomain.c \ volatiledomain.c \ diff --git a/security/nss/lib/pki/nsspki.h b/security/nss/lib/pki/nsspki.h index d2cab22e5..8f0b2835d 100644 --- a/security/nss/lib/pki/nsspki.h +++ b/security/nss/lib/pki/nsspki.h @@ -692,8 +692,7 @@ NSSPrivateKey_Encode ( NSS_EXTERN NSSTrustDomain * NSSPrivateKey_GetTrustDomain ( - NSSPrivateKey *vk, - PRStatus *statusOpt + NSSPrivateKey *vk ); /* @@ -920,8 +919,7 @@ NSSPublicKey_Encode ( NSS_EXTERN NSSTrustDomain * NSSPublicKey_GetTrustDomain ( - NSSPublicKey *bk, - PRStatus *statusOpt + NSSPublicKey *bk ); /* @@ -1164,8 +1162,7 @@ NSSSymKey_IsStillPresent ( NSS_EXTERN NSSTrustDomain * NSSSymKey_GetTrustDomain ( - NSSSymKey *mk, - PRStatus *statusOpt + NSSSymKey *mk ); /* diff --git a/security/nss/lib/pki/pki.h b/security/nss/lib/pki/pki.h index 22c459aa1..5a8044c44 100644 --- a/security/nss/lib/pki/pki.h +++ b/security/nss/lib/pki/pki.h @@ -269,27 +269,6 @@ nssPrivateKey_GetID ( NSSPrivateKey *vk ); -NSS_EXTERN NSSUTF8 * -nssPrivateKey_GetNickname ( - NSSPrivateKey *vk, - NSSToken *tokenOpt -); - -NSS_EXTERN NSSTrustDomain * -nssPrivateKey_GetTrustDomain ( - NSSPrivateKey *vk, - PRStatus *statusOpt -); - -NSS_EXTERN NSSVolatileDomain ** -nssPrivateKey_GetVolatileDomains ( - NSSPrivateKey *vk, - NSSVolatileDomain **vdsOpt, - PRUint32 maximumOpt, - NSSArena *arenaOpt, - PRStatus *statusOpt -); - NSS_EXTERN NSSPublicKey * nssPublicKey_AddRef ( NSSPublicKey *bk @@ -325,15 +304,6 @@ nssSymKey_AddRef ( NSSSymKey *mk ); -NSS_EXTERN NSSVolatileDomain ** -nssSymKey_GetVolatileDomains ( - NSSSymKey *mk, - NSSVolatileDomain **vdsOpt, - PRUint32 maximumOpt, - NSSArena *arenaOpt, - PRStatus *statusOpt -); - NSS_EXTERN NSSVolatileDomain * nssVolatileDomain_Create ( NSSTrustDomain *td, diff --git a/security/nss/lib/pki/pkibase.c b/security/nss/lib/pki/pkibase.c index 7c13cb600..1d068e47a 100644 --- a/security/nss/lib/pki/pkibase.c +++ b/security/nss/lib/pki/pkibase.c @@ -48,6 +48,17 @@ struct volatile_domain_instance_str { NSSVolatileDomain *vd; }; +static PRStatus +virtual_copy_to_token(nssPKIObject *object, NSSToken *destination, + nssSession *sessionOpt, PRBool asPersistentObject, + NSSUTF8 *labelOpt, nssCryptokiObject **rvInstanceOpt) +{ + PR_ASSERT(0); + nss_SetError(NSS_ERROR_INTERNAL_ERROR); + return PR_FAILURE; +} + + NSS_IMPLEMENT nssPKIObject * nssPKIObject_Create ( NSSTrustDomain *td, @@ -69,6 +80,7 @@ nssPKIObject_Create ( object->arena = arena; object->td = td; /* XXX */ object->lock = PZ_NewLock(nssILockOther); + object->copyToToken = virtual_copy_to_token; if (!object->lock) { goto loser; } @@ -87,25 +99,30 @@ loser: return (nssPKIObject *)NULL; } -NSS_IMPLEMENT PRBool +NSS_IMPLEMENT PRStatus nssPKIObject_Destroy ( nssPKIObject *object ) { PRUint32 i; + PRStatus status; + PR_ASSERT(object->refCount > 0); PR_AtomicDecrement(&object->refCount); + status = PR_SUCCESS; if (object->refCount == 0) { for (i=0; i<object->numInstances; i++) { nssCryptokiObject_Destroy(object->instances[i]); } + if (object->destructor) { + status = object->destructor(object); + } /*nssVolatileDomain_Destroy(object->vd);*/ PZ_DestroyLock(object->lock); nssUTF8_Destroy(object->nickname); nssArena_Destroy(object->arena); - return PR_TRUE; } - return PR_FALSE; + return status; } NSS_IMPLEMENT nssPKIObject * @@ -465,10 +482,15 @@ nssPKIObject_GetInstance ( return instance; } +/* XXX currently, all callers of this function are using allowMove=true, + * but this is in need of a scheme to determine when/how to wrap + * sensitive objects before moving + */ NSS_IMPLEMENT nssCryptokiObject * nssPKIObject_FindInstanceForAlgorithm ( nssPKIObject *object, - const NSSAlgNParam *ap + const NSSAlgNParam *ap, + PRBool allowMove ) { nssCryptokiObject *instance = NULL; @@ -481,18 +503,23 @@ nssPKIObject_FindInstanceForAlgorithm ( } } PZ_Unlock(object->lock); + if (!instance && allowMove) { + NSSToken *token; + token = nssTrustDomain_FindTokenForAlgNParam(object->td, ap); + if (token) { + (void)nssPKIObject_CopyToToken(object, token, NULL, + PR_FALSE, NULL, &instance); + nssToken_Destroy(token); + } + } return instance; } NSS_IMPLEMENT NSSTrustDomain * nssPKIObject_GetTrustDomain ( - nssPKIObject *object, - PRStatus *statusOpt + nssPKIObject *object ) { - if (statusOpt) { - *statusOpt = PR_SUCCESS; - } return object->td; } @@ -504,7 +531,7 @@ object_is_in_vd(nssPKIObject *object, NSSVolatileDomain *vd) struct volatile_domain_instance_str *vdInstance; link = PR_NEXT_LINK(&object->vds); - while (link != &object->vds) { + while (link && link != &object->vds) { vdInstance = (struct volatile_domain_instance_str *)link; if (vdInstance->vd == vd) { inVD = PR_TRUE; @@ -563,9 +590,13 @@ nssPKIObject_GetVolatileDomains ( { PRCList *link; PRUint32 i; + NSSVolatileDomain **vds; struct volatile_domain_instance_str *vdInstance; + if (statusOpt) *statusOpt = PR_SUCCESS; - if (!vdsOpt) { + if (vdsOpt) { + vds = vdsOpt; + } else { if (maximumOpt > 0) { i = maximumOpt; } else { @@ -575,30 +606,30 @@ nssPKIObject_GetVolatileDomains ( link != &object->vds; link = PR_NEXT_LINK(link), i++); PZ_Unlock(object->lock); - maximumOpt = i; } if (i == 0) { return (NSSVolatileDomain **)NULL; } - vdsOpt = nss_ZNEWARRAY(arenaOpt, NSSVolatileDomain *, i + 1); - if (!vdsOpt) { + vds = nss_ZNEWARRAY(arenaOpt, NSSVolatileDomain *, i + 1); + if (!vds) { if (statusOpt) *statusOpt = PR_FAILURE; return (NSSVolatileDomain **)NULL; } } i = 0; + vds[0] = NULL; PZ_Lock(object->lock); link = PR_NEXT_LINK(&object->vds); - while (link != &object->vds) { + while (link && link != &object->vds) { vdInstance = (struct volatile_domain_instance_str *)link; - vdsOpt[i++] = nssVolatileDomain_AddRef(vdInstance->vd); - if (i == maximumOpt) + vds[i++] = nssVolatileDomain_AddRef(vdInstance->vd); + if (maximumOpt > 0 && i == maximumOpt) break; link = PR_NEXT_LINK(link); } PZ_Unlock(object->lock); - vdsOpt[i] = NULL; - return vdsOpt; + if (!vdsOpt || maximumOpt == 0) vds[i] = NULL; + return vds; } NSS_IMPLEMENT NSSCert ** @@ -628,6 +659,20 @@ nssCertArray_CreateFromInstances ( return rvCerts; } +NSS_IMPLEMENT PRStatus +nssPKIObject_CopyToToken ( + nssPKIObject *object, + NSSToken *destination, + nssSession *sessionOpt, + PRBool asPersistentObject, + NSSUTF8 *labelOpt, + nssCryptokiObject **rvInstanceOpt +) +{ + return object->copyToToken(object, destination, sessionOpt, + asPersistentObject, labelOpt, rvInstanceOpt); +} + NSS_IMPLEMENT void nssCertArray_Destroy ( NSSCert **certs diff --git a/security/nss/lib/pki/pkietc.c b/security/nss/lib/pki/pkietc.c new file mode 100644 index 000000000..07a2e497b --- /dev/null +++ b/security/nss/lib/pki/pkietc.c @@ -0,0 +1,195 @@ +/* + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. + */ + +#ifdef DEBUG +static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"; +#endif /* DEBUG */ + +#ifndef DEV_H +#include "dev.h" +#endif /* DEV_H */ + +#ifndef PKIM_H +#include "pkim.h" +#endif /* PKIM_H */ + +struct nssSMIMEProfileStr +{ + nssPKIObject object; + NSSCert *certificate; + NSSASCII7 *email; + NSSDER *subject; + NSSItem *profileTime; + NSSItem *profileData; +}; + +NSS_IMPLEMENT nssSMIMEProfile * +nssSMIMEProfile_Create ( + NSSCert *cert, + NSSItem *profileTime, + NSSItem *profileData +) +{ +#if 0 + NSSArena *arena; + nssSMIMEProfile *rvProfile; + nssPKIObject *object; + NSSTrustDomain *td = nssCert_GetTrustDomain(cert); + NSSCryptoContext *cc = nssCert_GetCryptoContext(cert); + arena = nssArena_Create(); + if (!arena) { + return NULL; + } + object = nssPKIObject_Create(arena, NULL, td, cc); + if (!object) { + goto loser; + } + rvProfile = nss_ZNEW(arena, nssSMIMEProfile); + if (!rvProfile) { + goto loser; + } + rvProfile->object = *object; + rvProfile->certificate = cert; + rvProfile->email = nssUTF8_Duplicate(cert->email, arena); + rvProfile->subject = nssItem_Duplicate(&cert->subject, arena, NULL); + if (profileTime) { + rvProfile->profileTime = nssItem_Duplicate(profileTime, arena, NULL); + } + if (profileData) { + rvProfile->profileData = nssItem_Duplicate(profileData, arena, NULL); + } + return rvProfile; +loser: + nssPKIObject_Destroy(object); +#endif + return (nssSMIMEProfile *)NULL; +} + +NSS_IMPLEMENT nssSMIMEProfile * +nssSMIMEProfile_AddRef ( + nssSMIMEProfile *profile +) +{ + if (profile) { + nssPKIObject_AddRef(&profile->object); + } + return profile; +} + +NSS_IMPLEMENT PRStatus +nssSMIMEProfile_Destroy ( + nssSMIMEProfile *profile +) +{ + if (profile) { + (void)nssPKIObject_Destroy(&profile->object); + } + return PR_SUCCESS; +} + +struct NSSCRLStr { + nssPKIObject object; + NSSDER encoding; + NSSUTF8 *url; + PRBool isKRL; +}; + +NSS_IMPLEMENT NSSCRL * +nssCRL_Create ( + nssPKIObject *object +) +{ + PRStatus status; + NSSCRL *rvCRL; + NSSArena *arena = object->arena; + PR_ASSERT(object->instances != NULL && object->numInstances > 0); + rvCRL = nss_ZNEW(arena, NSSCRL); + if (!rvCRL) { + return (NSSCRL *)NULL; + } + rvCRL->object = *object; + /* XXX should choose instance based on some criteria */ + status = nssCryptokiCRL_GetAttributes(object->instances[0], + arena, + &rvCRL->encoding, + &rvCRL->url, + &rvCRL->isKRL); + if (status != PR_SUCCESS) { + return (NSSCRL *)NULL; + } + return rvCRL; +} + +NSS_IMPLEMENT NSSCRL * +nssCRL_AddRef ( + NSSCRL *crl +) +{ + if (crl) { + nssPKIObject_AddRef(&crl->object); + } + return crl; +} + +NSS_IMPLEMENT PRStatus +nssCRL_Destroy ( + NSSCRL *crl +) +{ + if (crl) { + (void)nssPKIObject_Destroy(&crl->object); + } + return PR_SUCCESS; +} + +NSS_IMPLEMENT PRStatus +nssCRL_DeleteStoredObject ( + NSSCRL *crl, + NSSCallback *uhh +) +{ + return nssPKIObject_DeleteStoredObject(&crl->object, uhh, PR_TRUE); +} + +NSS_IMPLEMENT NSSDER * +nssCRL_GetEncoding ( + NSSCRL *crl +) +{ + if (crl->encoding.data != NULL && crl->encoding.size > 0) { + return &crl->encoding; + } else { + return (NSSDER *)NULL; + } +} + diff --git a/security/nss/lib/pki/pkim.h b/security/nss/lib/pki/pkim.h index 1dd1dc1b1..5d3b8cc1d 100644 --- a/security/nss/lib/pki/pkim.h +++ b/security/nss/lib/pki/pkim.h @@ -71,6 +71,9 @@ PR_BEGIN_EXTERN_C * nssPKIObject_DeleteStoredObject */ +/* Cast to base class */ +#define PKIOBJECT(o) ((nssPKIObject *)o) + /* nssPKIObject_Create * * A generic PKI object. It must live in a trust domain. It may be @@ -98,7 +101,7 @@ nssPKIObject_AddRef ( * Returns true if object was destroyed. This notifies the subclass that * all references are gone and it should delete any members it owns. */ -NSS_EXTERN PRBool +NSS_EXTERN PRStatus nssPKIObject_Destroy ( nssPKIObject *object ); @@ -205,8 +208,7 @@ nssPKIObject_DeleteStoredObject ( NSS_EXTERN NSSTrustDomain * nssPKIObject_GetTrustDomain ( - nssPKIObject *object, - PRStatus *statusOpt + nssPKIObject *object ); NSS_EXTERN void @@ -238,7 +240,18 @@ nssPKIObject_GetInstances ( NSS_EXTERN nssCryptokiObject * nssPKIObject_FindInstanceForAlgorithm ( nssPKIObject *object, - const NSSAlgNParam *ap + const NSSAlgNParam *ap, + PRBool allowMove +); + +NSS_EXTERN PRStatus +nssPKIObject_CopyToToken ( + nssPKIObject *object, + NSSToken *destination, + nssSession *sessionOpt, + PRBool asPersistentObject, + NSSUTF8 *labelOpt, + nssCryptokiObject **rvInstanceOpt ); NSS_EXTERN NSSToken * @@ -327,44 +340,6 @@ nssCert_CreateFromInstance ( NSSVolatileDomain *vdOpt ); -/* XXX XXX most of these belong in pki.h */ - -NSS_EXTERN nssCryptokiObject * -nssCert_FindInstanceForAlgorithm ( - NSSCert *c, - NSSAlgNParam *ap -); - -NSS_EXTERN void -nssCert_SetVolatileDomain ( - NSSCert *c, - NSSVolatileDomain *vd -); - -NSS_EXTERN PRStatus -nssCert_RemoveInstanceForToken ( - NSSCert *c, - NSSToken *token -); - -NSS_EXTERN PRBool -nssCert_HasInstanceOnToken ( - NSSCert *c, - NSSToken *token -); - -NSS_EXTERN PRIntn -nssCert_CountInstances ( - NSSCert *c -); - -NSS_EXTERN PRStatus -nssCert_CopyToToken ( - NSSCert *c, - NSSToken *token, - NSSUTF8 *nicknameOpt -); - NSS_EXTERN PRBool nssCert_HasCANameInChain ( NSSCert *c, @@ -403,51 +378,6 @@ nssSymKey_Destroy ( NSSSymKey *mk ); -NSS_EXTERN void -nssSymKey_SetVolatileDomain ( - NSSSymKey *mk, - NSSVolatileDomain *vd -); - -NSS_IMPLEMENT nssCryptokiObject * -nssSymKey_CopyToToken ( - NSSSymKey *mk, - NSSToken *destination, - PRBool asPersistentObject -); - -NSS_EXTERN NSSToken ** -nssSymKey_GetTokens ( - NSSSymKey *mk, - NSSToken **rvOpt, - PRUint32 rvMaxOpt, - PRStatus *statusOpt -); - -NSS_EXTERN NSSTrustDomain * -nssSymKey_GetTrustDomain ( - NSSSymKey *mk, - PRStatus *statusOpt -); - -NSS_EXTERN PRBool -nssSymKey_HasInstanceOnToken ( - NSSSymKey *mk, - NSSToken *token -); - -NSS_EXTERN nssCryptokiObject * -nssSymKey_GetInstance ( - NSSSymKey *mk, - NSSToken *token -); - -NSS_EXTERN nssCryptokiObject * -nssSymKey_FindInstanceForAlgorithm ( - NSSSymKey *mk, - const NSSAlgNParam *ap -); - NSS_EXTERN NSSDER * nssCRL_GetEncoding ( NSSCRL *crl @@ -468,48 +398,6 @@ nssPublicKey_CreateFromInstance ( NSSVolatileDomain *vdOpt ); -NSS_EXTERN void -nssPublicKey_SetVolatileDomain ( - NSSPublicKey *bk, - NSSVolatileDomain *vd -); - -NSS_EXTERN PRBool -nssPublicKey_HasInstanceOnToken ( - NSSPublicKey *bk, - NSSToken *token -); - -NSS_EXTERN nssCryptokiObject * -nssPublicKey_GetInstance ( - NSSPublicKey *bk, - NSSToken *token -); - -NSS_EXTERN nssCryptokiObject * -nssPublicKey_FindInstanceForAlgorithm ( - NSSPublicKey *bk, - const NSSAlgNParam *ap -); - -NSS_EXTERN PRStatus -nssPublicKey_RemoveInstanceForToken ( - NSSPublicKey *bk, - NSSToken *token -); - -NSS_EXTERN PRIntn -nssPublicKey_CountInstances ( - NSSPublicKey *bk -); - -NSS_EXTERN nssCryptokiObject * -nssPublicKey_CopyToToken ( - NSSPublicKey *bk, - NSSToken *destination, - PRBool asPersistentObject -); - NSS_EXTERN NSSPrivateKey * nssPrivateKey_CreateFromInstance ( nssCryptokiObject *instance, @@ -517,47 +405,6 @@ nssPrivateKey_CreateFromInstance ( NSSVolatileDomain *vdOpt ); -NSS_EXTERN void -nssPrivateKey_SetVolatileDomain ( - NSSPrivateKey *vk, - NSSVolatileDomain *vd -); - -NSS_EXTERN PRBool -nssPrivateKey_HasInstanceOnToken ( - NSSPrivateKey *vk, - NSSToken *token -); - -NSS_EXTERN nssCryptokiObject * -nssPrivateKey_GetInstance ( - NSSPrivateKey *vk, - NSSToken *token -); - -NSS_EXTERN nssCryptokiObject * -nssPrivateKey_FindInstanceForAlgorithm ( - NSSPrivateKey *vk, - const NSSAlgNParam *ap -); - -NSS_EXTERN PRStatus -nssPrivateKey_RemoveInstanceForToken ( - NSSPrivateKey *vk, - NSSToken *token -); - -NSS_EXTERN PRIntn -nssPrivateKey_CountInstances ( - NSSPrivateKey *vk -); - -NSS_EXTERN nssCryptokiObject * -nssPrivateKey_CopyToToken ( - NSSPrivateKey *vk, - NSSToken *destination -); - NSS_EXTERN PRIntn nssObjectArray_Count ( void **objects diff --git a/security/nss/lib/pki/pkistore.c b/security/nss/lib/pki/pkistore.c index 1550fedc5..aa4d125b4 100644 --- a/security/nss/lib/pki/pkistore.c +++ b/security/nss/lib/pki/pkistore.c @@ -827,8 +827,9 @@ unload_token_certs(nssTokenObjectStore *objectStore, nssTokenStore *store) if (objectStore->certs) { /* notify the cert objects that the token is removed */ for (cp = objectStore->certs; *cp; cp++) { - nssCert_RemoveInstanceForToken(*cp, objectStore->token); - if (nssCert_CountInstances(*cp) == 0) { + nssPKIObject_RemoveInstanceForToken(PKIOBJECT(*cp), + objectStore->token); + if (nssPKIObject_CountInstances(PKIOBJECT(*cp)) == 0) { /* the cert now has no token instances, remove it from * the token store */ @@ -887,8 +888,9 @@ unload_token_bkeys(nssTokenObjectStore *objectStore, nssTokenStore *store) if (objectStore->bkeys) { /* notify the objects that the token is removed */ for (bkp = objectStore->bkeys; *bkp; bkp++) { - nssPublicKey_RemoveInstanceForToken(*bkp, objectStore->token); - if (nssPublicKey_CountInstances(*bkp) == 0) { + nssPKIObject_RemoveInstanceForToken(PKIOBJECT(*bkp), + objectStore->token); + if (nssPKIObject_CountInstances(PKIOBJECT(*bkp)) == 0) { /* the key now has no token instances, remove it from * the token store */ @@ -947,8 +949,9 @@ unload_token_vkeys(nssTokenObjectStore *objectStore, nssTokenStore *store) if (objectStore->vkeys) { /* notify the objects that the token is removed */ for (vkp = objectStore->vkeys; *vkp; vkp++) { - nssPrivateKey_RemoveInstanceForToken(*vkp, objectStore->token); - if (nssPrivateKey_CountInstances(*vkp) == 0) { + nssPKIObject_RemoveInstanceForToken(PKIOBJECT(*vkp), + objectStore->token); + if (nssPKIObject_CountInstances(PKIOBJECT(*vkp)) == 0) { /* the key now has no token instances, remove it from * the token store */ @@ -1329,12 +1332,13 @@ nssTokenStore_ImportCert ( /* refresh the token */ refresh_token_object_store(objectStore, store); /* see if it's already there */ - if (nssCert_HasInstanceOnToken(cert, destination)) { + if (nssPKIObject_HasInstanceOnToken(PKIOBJECT(cert), destination)) { return PR_SUCCESS; } /* copy it onto the token and add it to the store */ /* XXX use session */ - status = nssCert_CopyToToken(cert, destination, nicknameOpt); + status = nssPKIObject_CopyToToken(PKIOBJECT(cert), destination, NULL, + PR_TRUE, nicknameOpt, NULL); if (status == PR_SUCCESS) { status = nssCertStore_AddCert(store->certs, cert); if (status == PR_FAILURE) { diff --git a/security/nss/lib/pki/pkit.h b/security/nss/lib/pki/pkit.h index 182f16087..cdfdb018d 100644 --- a/security/nss/lib/pki/pkit.h +++ b/security/nss/lib/pki/pkit.h @@ -54,8 +54,7 @@ static const char PKIT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"; PR_BEGIN_EXTERN_C -/* XXX */ -typedef struct nssCertCacheStr nssCertCache; +typedef struct nssPKIObjectStr nssPKIObject; typedef PRUint32 nssUpdateLevel; diff --git a/security/nss/lib/pki/pkitm.h b/security/nss/lib/pki/pkitm.h index 6606be06f..5e185dd22 100644 --- a/security/nss/lib/pki/pkitm.h +++ b/security/nss/lib/pki/pkitm.h @@ -98,10 +98,12 @@ struct nssPKIObjectStr pkiObjectType objectType; NSSItem *uid[MAX_ITEMS_FOR_UID]; PRUint32 numIDs; + /* these are implemented on per-object basis */ + PRStatus (* destructor)(nssPKIObject *); + PRStatus (* copyToToken)(nssPKIObject *, NSSToken *, nssSession *, + PRBool, NSSUTF8 *, nssCryptokiObject **); }; -typedef struct nssPKIObjectStr nssPKIObject; - typedef struct nssPKIObjectTableStr nssPKIObjectTable; typedef struct nssPKIObjectCreatorStr diff --git a/security/nss/lib/pki/symkey.c b/security/nss/lib/pki/symkey.c index 9974876fa..93929d637 100644 --- a/security/nss/lib/pki/symkey.c +++ b/security/nss/lib/pki/symkey.c @@ -52,6 +52,48 @@ struct NSSSymKeyStr NSSOperations operations; }; +static PRStatus +copy_symkey_to_token ( + nssPKIObject *o, + NSSToken *token, + nssSession *sessionOpt, + PRBool asPersistentObject, + NSSUTF8 *nicknameOpt, + nssCryptokiObject **rvInstanceOpt +) +{ + /* XXX this could get complicated... might have to wrap the key, etc. */ + nssCryptokiObject *mko; + nssSession *session; + NSSSymKey *mk = (NSSSymKey *)o; + + if (sessionOpt) { + session = sessionOpt; + } else { + session = nssToken_CreateSession(token, asPersistentObject); + if (!session) + return PR_FAILURE; + } + /* XXX kind of a hack to peek into first instance like this */ + mko = nssCryptokiSymKey_Copy(o->instances[0], + o->instances[0]->session, + token, session, + asPersistentObject); + if (!sessionOpt) { + nssSession_Destroy(session); + } + if (!mko) { + return PR_FAILURE; + } + if (nssPKIObject_AddInstance(&mk->object, mko) == PR_FAILURE) { + nssCryptokiObject_Destroy(mko); + return PR_FAILURE; + } else if (rvInstanceOpt) { + *rvInstanceOpt = nssCryptokiObject_Clone(mko); + } + return PR_SUCCESS; +} + NSS_IMPLEMENT NSSSymKey * nssSymKey_CreateFromInstance ( nssCryptokiObject *instance, @@ -77,6 +119,7 @@ nssSymKey_CreateFromInstance ( } pkio->objectType = pkiObjectType_SymKey; pkio->numIDs = 0; /* XXX */ + pkio->copyToToken = copy_symkey_to_token; /* XXX not adding to table w/o uid... */ if (rvKey && vdOpt) { status = nssVolatileDomain_ImportSymKey(vdOpt, rvKey); @@ -149,26 +192,6 @@ nssSymKey_GetInstance ( return nssPKIObject_GetInstance(&mk->object, token); } -NSS_IMPLEMENT nssCryptokiObject * -nssSymKey_FindInstanceForAlgorithm ( - NSSSymKey *mk, - const NSSAlgNParam *ap -) -{ - nssCryptokiObject *instance; - instance = nssPKIObject_FindInstanceForAlgorithm(&mk->object, ap); - /* XXX here for now... make it apply for all searches... */ - if (!instance) { - NSSToken *token; - token = nssTrustDomain_FindTokenForAlgNParam(mk->object.td, ap); - if (token) { - instance = nssSymKey_CopyToToken(mk, token, PR_FALSE); - nssToken_Destroy(token); - } - } - return instance; -} - NSS_IMPLEMENT PRBool nssSymKey_HasInstanceOnToken ( NSSSymKey *mk, @@ -196,42 +219,6 @@ NSSSymKey_DeleteStoredObject ( return nssSymKey_DeleteStoredObject(mk, uhh); } -/* XXX should take session as arg? crypto contexts copy instances in - * their own session? - */ -NSS_IMPLEMENT nssCryptokiObject * -nssSymKey_CopyToToken ( - NSSSymKey *mk, - NSSToken *destination, - PRBool asPersistentObject -) -{ - /* XXX this could get complicated... might have to wrap the key, etc. */ - nssSession *session; - nssCryptokiObject *mko; - - session = nssToken_CreateSession(destination, asPersistentObject); - if (!session) { - return (nssCryptokiObject *)NULL; - } - /* XXX kind of a hack to peek into first instance like this */ - mko = nssCryptokiSymKey_Copy(mk->object.instances[0], - mk->object.instances[0]->session, - destination, session, - asPersistentObject); - nssSession_Destroy(session); - if (mko) { - if (nssPKIObject_AddInstance(&mk->object, mko) == PR_FAILURE) { - nssCryptokiObject_Destroy(mko); - mko = NULL; - } else { - /* XXX */ - mko = nssCryptokiObject_Clone(mko); - } - } - return mko; -} - NSS_IMPLEMENT PRUint32 nssSymKey_GetKeyLength ( NSSSymKey *mk @@ -287,34 +274,11 @@ nssSymKey_SetVolatileDomain ( } NSS_IMPLEMENT NSSTrustDomain * -nssSymKey_GetTrustDomain ( - NSSSymKey *mk, - PRStatus *statusOpt -) -{ - return nssPKIObject_GetTrustDomain(&mk->object, statusOpt); -} - -NSS_IMPLEMENT NSSTrustDomain * NSSSymKey_GetTrustDomain ( - NSSSymKey *mk, - PRStatus *statusOpt -) -{ - return nssSymKey_GetTrustDomain(mk, statusOpt); -} - -NSS_IMPLEMENT NSSVolatileDomain ** -nssSymKey_GetVolatileDomains ( - NSSSymKey *mk, - NSSVolatileDomain **vdsOpt, - PRUint32 maximumOpt, - NSSArena *arenaOpt, - PRStatus *statusOpt + NSSSymKey *mk ) { - return nssPKIObject_GetVolatileDomains(&mk->object, vdsOpt, - maximumOpt, arenaOpt, statusOpt); + return nssPKIObject_GetTrustDomain(PKIOBJECT(mk)); } NSS_IMPLEMENT NSSToken * @@ -609,9 +573,10 @@ nssSymKey_DeriveSymKey ( { nssCryptokiObject *mko, *rvo; NSSSymKey *rvKey = NULL; - NSSTrustDomain *td = nssSymKey_GetTrustDomain(originalKey, NULL); + NSSTrustDomain *td = nssPKIObject_GetTrustDomain(PKIOBJECT(originalKey)); - mko = nssSymKey_FindInstanceForAlgorithm(originalKey, ap); + mko = nssPKIObject_FindInstanceForAlgorithm(PKIOBJECT(originalKey), + ap, PR_TRUE); if (!mko) { return (NSSSymKey *)NULL; } @@ -686,7 +651,8 @@ nssSymKey_DeriveSSLSessionKeys ( PRStatus status; PRIntn i; - nssSymKey_GetVolatileDomains(masterSecret, &vd, 1, NULL, &status); + nssPKIObject_GetVolatileDomains(PKIOBJECT(masterSecret), + &vd, 1, NULL, &status); if (status == PR_FAILURE) { return PR_FAILURE; } diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c index 036b1eff7..bd90f2b30 100644 --- a/security/nss/lib/pki/trustdomain.c +++ b/security/nss/lib/pki/trustdomain.c @@ -1053,7 +1053,7 @@ static PRStatus filter_out_token_certs(NSSCert *c, void *arg) { struct token_cert_filter_str *cbarg = (struct token_cert_filter_str *)arg; - if (nssCert_CountInstances(c) == 0) { + if (nssPKIObject_CountInstances(PKIOBJECT(c)) == 0) { return cbarg->callback(c, cbarg->arg); } return PR_SUCCESS; diff --git a/security/nss/lib/pki/volatiledomain.c b/security/nss/lib/pki/volatiledomain.c index a58aebc8f..4e667b4b3 100644 --- a/security/nss/lib/pki/volatiledomain.c +++ b/security/nss/lib/pki/volatiledomain.c @@ -225,7 +225,7 @@ nssVolatileDomain_ImportCert ( ) { PZ_Lock(vd->objectLock); - if (nssPKIObject_IsInVolatileDomain(c, vd)) { + if (nssPKIObject_IsInVolatileDomain(PKIOBJECT(c), vd)) { PZ_Unlock(vd->objectLock); return PR_SUCCESS; } @@ -249,7 +249,7 @@ nssVolatileDomain_ImportCert ( } vd->certs.array[vd->certs.count++] = (void *)nssCert_AddRef(c); PZ_Unlock(vd->objectLock); - nssCert_SetVolatileDomain(c, vd); + nssPKIObject_SetVolatileDomain(PKIOBJECT(c), vd); return PR_SUCCESS; } @@ -341,7 +341,7 @@ nssVolatileDomain_ImportPublicKey ( } vd->bkeys.array[vd->bkeys.count++] = (void *)nssPublicKey_AddRef(bk); PZ_Unlock(vd->objectLock); - nssPublicKey_SetVolatileDomain(bk, vd); + nssPKIObject_SetVolatileDomain(PKIOBJECT(bk), vd); return PR_SUCCESS; } @@ -428,7 +428,7 @@ nssVolatileDomain_ImportPrivateKey ( } vd->vkeys.array[vd->vkeys.count++] = (void *)nssPrivateKey_AddRef(vk); PZ_Unlock(vd->objectLock); - nssPrivateKey_SetVolatileDomain(vk, vd); + nssPKIObject_SetVolatileDomain(PKIOBJECT(vk), vd); return PR_SUCCESS; } @@ -496,7 +496,7 @@ nssVolatileDomain_ImportSymKey ( } vd->mkeys.array[vd->mkeys.count++] = (void *)nssSymKey_AddRef(mk); PZ_Unlock(vd->objectLock); - nssSymKey_SetVolatileDomain(mk, vd); + nssPKIObject_SetVolatileDomain(PKIOBJECT(mk), vd); return PR_SUCCESS; } @@ -1260,7 +1260,8 @@ nssVolatileDomain_UnwrapSymKey ( NSSSymKey *mkey = NULL; /* find a token to do it on */ - vko = nssPrivateKey_FindInstanceForAlgorithm(wrapKey, ap); + vko = nssPKIObject_FindInstanceForAlgorithm(PKIOBJECT(wrapKey), ap, + PR_TRUE); if (!vko) { return (NSSSymKey *)NULL; } |