support objects having multiple VD instances

9 files changed, 166 insertions, 217 deletions

diff --git a/security/nss/lib/pki/asymmkey.c b/security/nss/lib/pki/asymmkey.c
index 04a8c67c0..515bcf368 100644
--- a/security/nss/lib/pki/asymmkey.c
+++ b/security/nss/lib/pki/asymmkey.c
@@ -232,7 +232,7 @@ nssPrivateKey_SetVolatileDomain (
   NSSVolatileDomain *vd
 )
 {
-    vk->object.vd = vd; /* volatile domain holds ref */
+    nssPKIObject_SetVolatileDomain(&vk->object, vd);
 }
 
 NSS_IMPLEMENT PRStatus
@@ -573,13 +573,17 @@ cleanup:
     return rvKey;
 }
 
-NSS_IMPLEMENT NSSVolatileDomain *
+NSS_IMPLEMENT NSSVolatileDomain **
 nssPrivateKey_GetVolatileDomain (
   NSSPrivateKey *vk,
+  NSSVolatileDomain **vdsOpt,
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt,
   PRStatus *statusOpt
 )
 {
-    return nssPKIObject_GetVolatileDomain(&vk->object, statusOpt);
+    return nssPKIObject_GetVolatileDomains(&vk->object, vdsOpt,
+                                           maximumOpt, arenaOpt, statusOpt);
 }
 
 NSS_IMPLEMENT NSSTrustDomain *
@@ -1148,7 +1152,7 @@ nssPublicKey_SetVolatileDomain (
   NSSVolatileDomain *vd
 )
 {
-    bk->object.vd = vd; /* volatile domain holds ref */
+    nssPKIObject_SetVolatileDomain(&bk->object, vd);
 }
 
 NSS_IMPLEMENT PRStatus
diff --git a/security/nss/lib/pki/cert.c b/security/nss/lib/pki/cert.c
index f965b2f9b..fd49184cb 100644
--- a/security/nss/lib/pki/cert.c
+++ b/security/nss/lib/pki/cert.c
@@ -414,15 +414,6 @@ nssCert_GetNickname (
     return nssPKIObject_GetNickname(&c->object, tokenOpt);
 }
 
-NSS_IMPLEMENT NSSToken *
-nssCert_GetWriteToken (
-  NSSCert *c,
-  nssSession **rvSessionOpt
-)
-{
-    return nssPKIObject_GetWriteToken(&c->object, rvSessionOpt);
-}
-
 NSS_IMPLEMENT NSSUTF8 *
 NSSCert_GetNickname (
   NSSCert *c,
@@ -687,17 +678,20 @@ nssCert_SetVolatileDomain (
   NSSVolatileDomain *vd
 )
 {
-    c->object.vd = vd; /* volatile domain holds ref to cert */
-    c->object.td = nssVolatileDomain_GetTrustDomain(vd);
+    nssPKIObject_SetVolatileDomain(&c->object, vd);
 }
 
-NSS_IMPLEMENT NSSVolatileDomain *
-nssCert_GetVolatileDomain (
+NSS_IMPLEMENT NSSVolatileDomain **
+nssCert_GetVolatileDomains(
   NSSCert *c,
+  NSSVolatileDomain **vdsOpt,
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt,
   PRStatus *statusOpt
 )
 {
-    return nssPKIObject_GetVolatileDomain(&c->object, statusOpt);
+    return nssPKIObject_GetVolatileDomains(&c->object, vdsOpt,
+                                           maximumOpt, arenaOpt, statusOpt);
 }
 
 NSS_IMPLEMENT NSSTrustDomain *
@@ -1194,7 +1188,8 @@ find_cert_issuer (
     NSSCert *issuer = NULL;
     NSSTrustDomain *td;
     NSSVolatileDomain *vd;
-    vd = nssCert_GetVolatileDomain(c, NULL);
+    /* XXX what to do with multiple vds? */
+    nssCert_GetVolatileDomains(c, &vd, 1, NULL, NULL);
     td = nssCert_GetTrustDomain(c);
     if (vd) {
 	issuers = nssVolatileDomain_FindCertsBySubject(vd, &c->issuer,
@@ -1429,7 +1424,9 @@ nssCert_GetPublicKey (
 {
     PRStatus status;
     NSSTrustDomain *td = nssCert_GetTrustDomain(c);
-    NSSVolatileDomain *vd = nssCert_GetVolatileDomain(c, NULL);
+    NSSVolatileDomain *vd;
+    /* XXX multiple vds? */
+    nssCert_GetVolatileDomains(c, &vd, 1, NULL, NULL);
 
     if (!c->bk && c->id.size > 0) {
 	/* first try looking for a persistent object */
@@ -1607,152 +1604,3 @@ NSSUserCert_DeriveSymKey (
     return NULL;
 }
 
-struct nssSMIMEProfileStr
-{
-    nssPKIObject object;
-    NSSCert *certificate;
-    NSSASCII7 *email;
-    NSSDER *subject;
-    NSSItem *profileTime;
-    NSSItem *profileData;
-};
-
-NSS_IMPLEMENT nssSMIMEProfile *
-nssSMIMEProfile_Create (
-  NSSCert *cert,
-  NSSItem *profileTime,
-  NSSItem *profileData
-)
-{
-#if 0
-    NSSArena *arena;
-    nssSMIMEProfile *rvProfile;
-    nssPKIObject *object;
-    NSSTrustDomain *td = nssCert_GetTrustDomain(cert);
-    NSSCryptoContext *cc = nssCert_GetCryptoContext(cert);
-    arena = nssArena_Create();
-    if (!arena) {
-	return NULL;
-    }
-    object = nssPKIObject_Create(arena, NULL, td, cc);
-    if (!object) {
-	goto loser;
-    }
-    rvProfile = nss_ZNEW(arena, nssSMIMEProfile);
-    if (!rvProfile) {
-	goto loser;
-    }
-    rvProfile->object = *object;
-    rvProfile->certificate = cert;
-    rvProfile->email = nssUTF8_Duplicate(cert->email, arena);
-    rvProfile->subject = nssItem_Duplicate(&cert->subject, arena, NULL);
-    if (profileTime) {
-	rvProfile->profileTime = nssItem_Duplicate(profileTime, arena, NULL);
-    }
-    if (profileData) {
-	rvProfile->profileData = nssItem_Duplicate(profileData, arena, NULL);
-    }
-    return rvProfile;
-loser:
-    nssPKIObject_Destroy(object);
-#endif
-    return (nssSMIMEProfile *)NULL;
-}
-
-NSS_IMPLEMENT nssSMIMEProfile *
-nssSMIMEProfile_AddRef (
-  nssSMIMEProfile *profile
-)
-{
-    if (profile) {
-	nssPKIObject_AddRef(&profile->object);
-    }
-    return profile;
-}
-
-NSS_IMPLEMENT PRStatus
-nssSMIMEProfile_Destroy (
-  nssSMIMEProfile *profile
-)
-{
-    if (profile) {
-	(void)nssPKIObject_Destroy(&profile->object);
-    }
-    return PR_SUCCESS;
-}
-
-struct NSSCRLStr {
-  nssPKIObject object;
-  NSSDER encoding;
-  NSSUTF8 *url;
-  PRBool isKRL;
-};
-
-NSS_IMPLEMENT NSSCRL *
-nssCRL_Create (
-  nssPKIObject *object
-)
-{
-    PRStatus status;
-    NSSCRL *rvCRL;
-    NSSArena *arena = object->arena;
-    PR_ASSERT(object->instances != NULL && object->numInstances > 0);
-    rvCRL = nss_ZNEW(arena, NSSCRL);
-    if (!rvCRL) {
-	return (NSSCRL *)NULL;
-    }
-    rvCRL->object = *object;
-    /* XXX should choose instance based on some criteria */
-    status = nssCryptokiCRL_GetAttributes(object->instances[0],
-                                          arena,
-                                          &rvCRL->encoding,
-                                          &rvCRL->url,
-                                          &rvCRL->isKRL);
-    if (status != PR_SUCCESS) {
-	return (NSSCRL *)NULL;
-    }
-    return rvCRL;
-}
-
-NSS_IMPLEMENT NSSCRL *
-nssCRL_AddRef (
-  NSSCRL *crl
-)
-{
-    if (crl) {
-	nssPKIObject_AddRef(&crl->object);
-    }
-    return crl;
-}
-
-NSS_IMPLEMENT PRStatus
-nssCRL_Destroy (
-  NSSCRL *crl
-)
-{
-    if (crl) {
-	(void)nssPKIObject_Destroy(&crl->object);
-    }
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssCRL_DeleteStoredObject (
-  NSSCRL *crl,
-  NSSCallback *uhh
-)
-{
-    return nssPKIObject_DeleteStoredObject(&crl->object, uhh, PR_TRUE);
-}
-
-NSS_IMPLEMENT NSSDER *
-nssCRL_GetEncoding (
-  NSSCRL *crl
-)
-{
-    if (crl->encoding.data != NULL && crl->encoding.size > 0) {
-	return &crl->encoding;
-    } else {
-	return (NSSDER *)NULL;
-    }
-}
diff --git a/security/nss/lib/pki/cryptocontext.c b/security/nss/lib/pki/cryptocontext.c
index 7888b8957..659a469fe 100644
--- a/security/nss/lib/pki/cryptocontext.c
+++ b/security/nss/lib/pki/cryptocontext.c
@@ -122,7 +122,9 @@ nssCryptoContext_CreateForSymKey (
 {
     NSSCryptoContext *rvCC;
     NSSTrustDomain *td = nssSymKey_GetTrustDomain(mkey, NULL);
-    NSSVolatileDomain *vd = nssSymKey_GetVolatileDomain(mkey, NULL);
+    /* XXX multiple vds? */
+    NSSVolatileDomain *vd;
+    nssSymKey_GetVolatileDomains(mkey, &vd, 1, NULL, NULL);
 
     rvCC = nssCryptoContext_Create(td, vd, apOpt, uhhOpt);
     if (rvCC) {
@@ -142,7 +144,9 @@ nssCryptoContext_CreateForPrivateKey (
 {
     NSSCryptoContext *rvCC;
     NSSTrustDomain *td = nssPrivateKey_GetTrustDomain(vkey, NULL);
-    NSSVolatileDomain *vd = nssPrivateKey_GetVolatileDomain(vkey, NULL);
+    /* XXX multiple vds? */
+    NSSVolatileDomain *vd;
+    nssPrivateKey_GetVolatileDomains(vkey, &vd, 1, NULL, NULL);
 
     rvCC = nssCryptoContext_Create(td, vd, apOpt, uhhOpt);
     if (rvCC) {
diff --git a/security/nss/lib/pki/pki.h b/security/nss/lib/pki/pki.h
index 54e35d6b8..22c459aa1 100644
--- a/security/nss/lib/pki/pki.h
+++ b/security/nss/lib/pki/pki.h
@@ -281,9 +281,12 @@ nssPrivateKey_GetTrustDomain (
   PRStatus *statusOpt
 );
 
-NSS_EXTERN NSSVolatileDomain *
-nssPrivateKey_GetVolatileDomain (
+NSS_EXTERN NSSVolatileDomain **
+nssPrivateKey_GetVolatileDomains (
   NSSPrivateKey *vk,
+  NSSVolatileDomain **vdsOpt,
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt,
   PRStatus *statusOpt
 );
 
@@ -322,9 +325,12 @@ nssSymKey_AddRef (
   NSSSymKey *mk
 );
 
-NSS_EXTERN NSSVolatileDomain *
-nssSymKey_GetVolatileDomain (
+NSS_EXTERN NSSVolatileDomain **
+nssSymKey_GetVolatileDomains (
   NSSSymKey *mk,
+  NSSVolatileDomain **vdsOpt,
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt,
   PRStatus *statusOpt
 );
 
diff --git a/security/nss/lib/pki/pkibase.c b/security/nss/lib/pki/pkibase.c
index e3e240547..7c13cb600 100644
--- a/security/nss/lib/pki/pkibase.c
+++ b/security/nss/lib/pki/pkibase.c
@@ -43,6 +43,11 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
 #include "pkim.h"
 #endif /* PKIM_H */
 
+struct volatile_domain_instance_str {
+    PRCList link;
+    NSSVolatileDomain *vd;
+};
+
 NSS_IMPLEMENT nssPKIObject *
 nssPKIObject_Create (
   NSSTrustDomain *td,
@@ -491,49 +496,109 @@ nssPKIObject_GetTrustDomain (
     return object->td;
 }
 
-NSS_IMPLEMENT NSSVolatileDomain *
-nssPKIObject_GetVolatileDomain (
+static PRBool 
+object_is_in_vd(nssPKIObject *object, NSSVolatileDomain *vd)
+{
+    PRCList *link;
+    PRBool inVD = PR_FALSE;
+    struct volatile_domain_instance_str *vdInstance;
+
+    link = PR_NEXT_LINK(&object->vds);
+    while (link != &object->vds) {
+	vdInstance = (struct volatile_domain_instance_str *)link;
+	if (vdInstance->vd == vd) {
+	    inVD = PR_TRUE;
+	    break;
+	}
+	link = PR_NEXT_LINK(link);
+    }
+    return inVD;
+}
+
+NSS_IMPLEMENT void
+nssPKIObject_SetVolatileDomain (
   nssPKIObject *object,
-  PRStatus *statusOpt
+  NSSVolatileDomain *vd
 )
 {
-    if (statusOpt) {
-	*statusOpt = PR_SUCCESS;
+    struct volatile_domain_instance_str *vdInstance;
+
+    PZ_Lock(object->lock);
+    if (!object_is_in_vd(object, vd)) {
+	/* XXX in arena? */
+	vdInstance = nss_ZNEW(object->arena, 
+	                      struct volatile_domain_instance_str);
+	if (vdInstance) {
+	    PR_INIT_CLIST(&vdInstance->link);
+	    vdInstance->vd = vd; /* no addref */
+	    PR_INSERT_BEFORE(&object->vds, &vdInstance->link);
+	}
     }
-    return nssVolatileDomain_AddRef(object->vd);
+    PZ_Unlock(object->lock);
+    /* XXX probably should return error */
+}
+
+NSS_IMPLEMENT PRBool
+nssPKIObject_IsInVolatileDomain (
+  nssPKIObject *object,
+  NSSVolatileDomain *vd
+)
+{
+    PRBool inVD;
+    PZ_Lock(object->lock);
+    inVD = object_is_in_vd(object, vd);
+    PZ_Unlock(object->lock);
+    return inVD;
 }
 
-NSS_IMPLEMENT NSSToken *
-nssPKIObject_GetWriteToken (
+
+NSS_IMPLEMENT NSSVolatileDomain **
+nssPKIObject_GetVolatileDomains (
   nssPKIObject *object,
-  nssSession **rvSessionOpt
+  NSSVolatileDomain **vdsOpt,
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt,
+  PRStatus *statusOpt
 )
 {
+    PRCList *link;
     PRUint32 i;
-    NSSToken *token = NULL;
-    nssCryptokiObject *instance;
-    *rvSessionOpt = NULL;
+    struct volatile_domain_instance_str *vdInstance;
+    if (statusOpt) *statusOpt = PR_SUCCESS;
+    if (!vdsOpt) {
+	if (maximumOpt > 0) {
+	    i = maximumOpt;
+	} else {
+	    PZ_Lock(object->lock);
+	    /* count the number of VD instances */
+	    for (link = PR_NEXT_LINK(&object->vds), i=0;
+	         link != &object->vds; 
+	         link = PR_NEXT_LINK(link), i++);
+	    PZ_Unlock(object->lock);
+	    maximumOpt = i;
+	}
+	if (i == 0) {
+	    return (NSSVolatileDomain **)NULL;
+	}
+	vdsOpt = nss_ZNEWARRAY(arenaOpt, NSSVolatileDomain *, i + 1);
+	if (!vdsOpt) {
+	    if (statusOpt) *statusOpt = PR_FAILURE;
+	    return (NSSVolatileDomain **)NULL;
+	}
+    }
+    i = 0;
     PZ_Lock(object->lock);
-    for (i=0; i<object->numInstances; i++) {
-	instance = object->instances[i];
-	if (!nssToken_IsReadOnly(instance->token)) {
-	    token = nssToken_AddRef(instance->token);
-	    if (rvSessionOpt && nssSession_IsReadWrite(instance->session)) 
-	    {
-		*rvSessionOpt = nssSession_AddRef(instance->session);
-	    }
+    link = PR_NEXT_LINK(&object->vds);
+    while (link != &object->vds) {
+	vdInstance = (struct volatile_domain_instance_str *)link;
+	vdsOpt[i++] = nssVolatileDomain_AddRef(vdInstance->vd);
+	if (i == maximumOpt)
 	    break;
-	}
+	link = PR_NEXT_LINK(link);
     }
     PZ_Unlock(object->lock);
-    if (token && rvSessionOpt && !*rvSessionOpt) {
-	*rvSessionOpt = nssToken_CreateSession(token, PR_TRUE);
-	if (!*rvSessionOpt) {
-	    nssToken_Destroy(token);
-	    token = NULL;
-	}
-    }
-    return token;
+    vdsOpt[i] = NULL;
+    return vdsOpt;
 }
 
 NSS_IMPLEMENT NSSCert **
diff --git a/security/nss/lib/pki/pkim.h b/security/nss/lib/pki/pkim.h
index f3047db8d..1dd1dc1b1 100644
--- a/security/nss/lib/pki/pkim.h
+++ b/security/nss/lib/pki/pkim.h
@@ -209,16 +209,25 @@ nssPKIObject_GetTrustDomain (
   PRStatus *statusOpt
 );
 
-NSS_EXTERN NSSVolatileDomain *
-nssPKIObject_GetVolatileDomain (
+NSS_EXTERN void
+nssPKIObject_SetVolatileDomain (
   nssPKIObject *object,
-  PRStatus *statusOpt
+  NSSVolatileDomain *vd
 );
 
-NSS_EXTERN NSSToken *
-nssPKIObject_GetWriteToken (
+NSS_EXTERN PRBool
+nssPKIObject_IsInVolatileDomain (
+  nssPKIObject *object,
+  NSSVolatileDomain *vd
+);
+
+NSS_EXTERN NSSVolatileDomain **
+nssPKIObject_GetVolatileDomains (
   nssPKIObject *object,
-  nssSession **rvSessionOpt
+  NSSVolatileDomain **vdsOpt,
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt,
+  PRStatus *statusOpt
 );
 
 NSS_EXTERN nssCryptokiObject **
diff --git a/security/nss/lib/pki/pkitm.h b/security/nss/lib/pki/pkitm.h
index 4c44c5f84..6606be06f 100644
--- a/security/nss/lib/pki/pkitm.h
+++ b/security/nss/lib/pki/pkitm.h
@@ -87,8 +87,8 @@ struct nssPKIObjectStr
     PRUint32 numInstances;
     /* The object must live in a trust domain */
     NSSTrustDomain *td;
-    /* The object may live in a volatile domain */
-    NSSVolatileDomain *vd;
+    /* The object may live in multiple volatile domains (or none at all) */
+    PRCList vds;
     /* The "meta"-name of the object (token instance labels may differ) */
     NSSUTF8 *nickname;
     /* The following data index the UID for the object.  The UID is used
diff --git a/security/nss/lib/pki/symkey.c b/security/nss/lib/pki/symkey.c
index cb67a6c2e..9974876fa 100644
--- a/security/nss/lib/pki/symkey.c
+++ b/security/nss/lib/pki/symkey.c
@@ -283,7 +283,7 @@ nssSymKey_SetVolatileDomain (
   NSSVolatileDomain *vd
 )
 {
-    mk->object.vd = vd; /* volatile domain holds ref */
+    nssPKIObject_SetVolatileDomain(&mk->object, vd);
 }
 
 NSS_IMPLEMENT NSSTrustDomain *
@@ -304,13 +304,17 @@ NSSSymKey_GetTrustDomain (
     return nssSymKey_GetTrustDomain(mk, statusOpt);
 }
 
-NSS_IMPLEMENT NSSVolatileDomain *
-nssSymKey_GetVolatileDomain (
+NSS_IMPLEMENT NSSVolatileDomain **
+nssSymKey_GetVolatileDomains (
   NSSSymKey *mk,
+  NSSVolatileDomain **vdsOpt,
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt,
   PRStatus *statusOpt
 )
 {
-    return nssPKIObject_GetVolatileDomain(&mk->object, statusOpt);
+    return nssPKIObject_GetVolatileDomains(&mk->object, vdsOpt,
+                                           maximumOpt, arenaOpt, statusOpt);
 }
 
 NSS_IMPLEMENT NSSToken *
@@ -678,10 +682,15 @@ nssSymKey_DeriveSSLSessionKeys (
     nssCryptokiObject *mso; /* only one instance of master secret */
     nssCryptokiObject *skeys[4];
     NSSTrustDomain *td = masterSecret->object.td;
-    NSSVolatileDomain *vd = masterSecret->object.vd;
+    NSSVolatileDomain *vd;
     PRStatus status;
     PRIntn i;
 
+    nssSymKey_GetVolatileDomains(masterSecret, &vd, 1, NULL, &status);
+    if (status == PR_FAILURE) {
+	return PR_FAILURE;
+    }
+
     mso = masterSecret->object.instances[0];
     status = nssToken_DeriveSSLSessionKeys(mso->token, mso->session, 
                                            ap, mso, keySize, keyType,
diff --git a/security/nss/lib/pki/volatiledomain.c b/security/nss/lib/pki/volatiledomain.c
index f07a52688..a58aebc8f 100644
--- a/security/nss/lib/pki/volatiledomain.c
+++ b/security/nss/lib/pki/volatiledomain.c
@@ -225,6 +225,10 @@ nssVolatileDomain_ImportCert (
 )
 {
     PZ_Lock(vd->objectLock);
+    if (nssPKIObject_IsInVolatileDomain(c, vd)) {
+	PZ_Unlock(vd->objectLock);
+	return PR_SUCCESS;
+    }
     if (vd->certs.count == vd->certs.size) {
 	if (vd->certs.size == 0) {
 	    /* need to alloc new array */