Bug 1649633 - add PK11_FindEncodedCertInSlot r=kjacobs,jcj

PK11_FindEncodedCertInSlot can be used to determine the PKCS#11 object handle of an encoded certificate in a given slot. If the given certificate does not exist in that slot, CK_INVALID_HANDLE is returned. Differential Revision: https://phabricator.services.mozilla.com/D81924
author: Dana Keeler <dkeeler@mozilla.com> 2020-07-06 22:58:25 +0000
committer: Dana Keeler <dkeeler@mozilla.com> 2020-07-06 22:58:25 +0000
commit: 6d465a872226c8241942ab5d0be7b71e718398c2 (patch)
tree: fab1f5d298197a2397fa44f8e63c328402eaf650 /lib/pk11wrap
parent: 05bb49902e5c2d18eb3dcf761ffb759737ef00ed (diff)
download: nss-hg-6d465a872226c8241942ab5d0be7b71e718398c2.tar.gz
2 files changed, 32 insertions, 79 deletions
diff --git a/lib/pk11wrap/pk11cert.c b/lib/pk11wrap/pk11cert.c
index 8375e2bb4..659f3a8f6 100644
--- a/lib/pk11wrap/pk11cert.c
+++ b/lib/pk11wrap/pk11cert.c
@@ -1255,29 +1255,6 @@ PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert,
 }
 
 /*
- * get a certificate handle, look at the cached handle first..
- */
-static CK_OBJECT_HANDLE
-pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert,
-                   CK_ATTRIBUTE *theTemplate, size_t tsize)
-{
-    CK_OBJECT_HANDLE certh;
-
-    if (cert->slot == slot) {
-        certh = cert->pkcs11ID;
-        if ((certh == CK_INVALID_HANDLE) ||
-            (cert->series != slot->series)) {
-            certh = pk11_FindObjectByTemplate(slot, theTemplate, tsize);
-            cert->pkcs11ID = certh;
-            cert->series = slot->series;
-        }
-    } else {
-        certh = pk11_FindObjectByTemplate(slot, theTemplate, tsize);
-    }
-    return certh;
-}
-
-/*
  * return the private key From a given Cert
  */
 SECKEYPrivateKey *
@@ -1285,33 +1262,12 @@ PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert,
                             void *wincx)
 {
     int err;
-    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
-    CK_ATTRIBUTE theTemplate[] = {
-        { CKA_VALUE, NULL, 0 },
-        { CKA_CLASS, NULL, 0 }
-    };
-    /* if you change the array, change the variable below as well */
-    const size_t tsize = sizeof(theTemplate) / sizeof(theTemplate[0]);
     CK_OBJECT_HANDLE certh;
     CK_OBJECT_HANDLE keyh;
-    CK_ATTRIBUTE *attrs = theTemplate;
     PRBool needLogin;
     SECStatus rv;
 
-    PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
-                  cert->derCert.len);
-    attrs++;
-    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
-
-    /*
-     * issue the find
-     */
-    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
-    if (rv != SECSuccess) {
-        return NULL;
-    }
-
-    certh = pk11_getcerthandle(slot, cert, theTemplate, tsize);
+    certh = PK11_FindCertInSlot(slot, cert, wincx);
     if (certh == CK_INVALID_HANDLE) {
         return NULL;
     }
@@ -2051,8 +2007,7 @@ PK11_FindObjectForCert(CERTCertificate *cert, void *wincx, PK11SlotInfo **pSlot)
     PK11_SETATTRS(attr, CKA_VALUE, cert->derCert.data, cert->derCert.len);
 
     if (cert->slot) {
-        certHandle = pk11_getcerthandle(cert->slot, cert, searchTemplate,
-                                        templateSize);
+        certHandle = PK11_FindCertInSlot(cert->slot, cert, wincx);
         if (certHandle != CK_INVALID_HANDLE) {
             *pSlot = PK11_ReferenceSlot(cert->slot);
             return certHandle;
@@ -2630,36 +2585,51 @@ PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, PK11SlotInfo *slot2,
     return SECFailure;
 }
 
-/*
- * return the private key From a given Cert
- */
 CK_OBJECT_HANDLE
-PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
+PK11_FindEncodedCertInSlot(PK11SlotInfo *slot, SECItem *derCert, void *wincx)
 {
+    if (!slot || !derCert) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
     CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
     CK_ATTRIBUTE theTemplate[] = {
         { CKA_VALUE, NULL, 0 },
         { CKA_CLASS, NULL, 0 }
     };
-    /* if you change the array, change the variable below as well */
     const size_t tsize = sizeof(theTemplate) / sizeof(theTemplate[0]);
     CK_ATTRIBUTE *attrs = theTemplate;
-    SECStatus rv;
 
-    PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
-                  cert->derCert.len);
+    PK11_SETATTRS(attrs, CKA_VALUE, derCert->data, derCert->len);
     attrs++;
     PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
 
-    /*
-     * issue the find
-     */
-    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
+    SECStatus rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
     if (rv != SECSuccess) {
         return CK_INVALID_HANDLE;
     }
 
-    return pk11_getcerthandle(slot, cert, theTemplate, tsize);
+    return pk11_FindObjectByTemplate(slot, theTemplate, tsize);
+}
+
+CK_OBJECT_HANDLE
+PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
+{
+    CK_OBJECT_HANDLE certh;
+
+    if (cert->slot == slot) {
+        certh = cert->pkcs11ID;
+        if ((certh == CK_INVALID_HANDLE) ||
+            (cert->series != slot->series)) {
+            certh = PK11_FindEncodedCertInSlot(slot, &cert->derCert, wincx);
+            cert->pkcs11ID = certh;
+            cert->series = slot->series;
+        }
+    } else {
+        certh = PK11_FindEncodedCertInSlot(slot, &cert->derCert, wincx);
+    }
+    return certh;
 }
 
 /* Looking for PK11_GetKeyIDFromCert?
@@ -2787,30 +2757,12 @@ SECItem *
 PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
                              CERTCertificate *cert, void *wincx)
 {
-    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
-    CK_ATTRIBUTE theTemplate[] = {
-        { CKA_VALUE, NULL, 0 },
-        { CKA_CLASS, NULL, 0 }
-    };
-    /* if you change the array, change the variable below as well */
-    const size_t tsize = sizeof(theTemplate) / sizeof(theTemplate[0]);
     CK_OBJECT_HANDLE certHandle;
-    CK_ATTRIBUTE *attrs = theTemplate;
     PK11SlotInfo *slotRef = NULL;
     SECItem *item;
-    SECStatus rv;
 
     if (slot) {
-        PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
-                      cert->derCert.len);
-        attrs++;
-        PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
-
-        rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
-        if (rv != SECSuccess) {
-            return NULL;
-        }
-        certHandle = pk11_getcerthandle(slot, cert, theTemplate, tsize);
+        certHandle = PK11_FindCertInSlot(slot, cert, wincx);
     } else {
         certHandle = PK11_FindObjectForCert(cert, wincx, &slotRef);
         if (certHandle == CK_INVALID_HANDLE) {
diff --git a/lib/pk11wrap/pk11pub.h b/lib/pk11wrap/pk11pub.h
index 5edcbf969..771a70f59 100644
--- a/lib/pk11wrap/pk11pub.h
+++ b/lib/pk11wrap/pk11pub.h
@@ -697,6 +697,7 @@ SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
                                       void *wincx);
 CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert, void *wincx);
 PRBool PK11_FortezzaHasKEA(CERTCertificate *cert);
+CK_OBJECT_HANDLE PK11_FindEncodedCertInSlot(PK11SlotInfo *slot, SECItem *derCert, void *wincx);
 CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert,
                                      void *wincx);
 SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
author	Dana Keeler <dkeeler@mozilla.com>	2020-07-06 22:58:25 +0000
committer	Dana Keeler <dkeeler@mozilla.com>	2020-07-06 22:58:25 +0000
commit	6d465a872226c8241942ab5d0be7b71e718398c2 (patch)
tree	fab1f5d298197a2397fa44f8e63c328402eaf650 /lib/pk11wrap
parent	05bb49902e5c2d18eb3dcf761ffb759737ef00ed (diff)
download	nss-hg-6d465a872226c8241942ab5d0be7b71e718398c2.tar.gz