diff options
author | Dana Keeler <dkeeler@mozilla.com> | 2020-07-06 22:58:25 +0000 |
---|---|---|
committer | Dana Keeler <dkeeler@mozilla.com> | 2020-07-06 22:58:25 +0000 |
commit | 6d465a872226c8241942ab5d0be7b71e718398c2 (patch) | |
tree | fab1f5d298197a2397fa44f8e63c328402eaf650 /lib/pk11wrap | |
parent | 05bb49902e5c2d18eb3dcf761ffb759737ef00ed (diff) | |
download | nss-hg-6d465a872226c8241942ab5d0be7b71e718398c2.tar.gz |
Bug 1649633 - add PK11_FindEncodedCertInSlot r=kjacobs,jcj
PK11_FindEncodedCertInSlot can be used to determine the PKCS#11 object handle
of an encoded certificate in a given slot. If the given certificate does not
exist in that slot, CK_INVALID_HANDLE is returned.
Differential Revision: https://phabricator.services.mozilla.com/D81924
Diffstat (limited to 'lib/pk11wrap')
-rw-r--r-- | lib/pk11wrap/pk11cert.c | 110 | ||||
-rw-r--r-- | lib/pk11wrap/pk11pub.h | 1 |
2 files changed, 32 insertions, 79 deletions
diff --git a/lib/pk11wrap/pk11cert.c b/lib/pk11wrap/pk11cert.c index 8375e2bb4..659f3a8f6 100644 --- a/lib/pk11wrap/pk11cert.c +++ b/lib/pk11wrap/pk11cert.c @@ -1255,29 +1255,6 @@ PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert, } /* - * get a certificate handle, look at the cached handle first.. - */ -static CK_OBJECT_HANDLE -pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert, - CK_ATTRIBUTE *theTemplate, size_t tsize) -{ - CK_OBJECT_HANDLE certh; - - if (cert->slot == slot) { - certh = cert->pkcs11ID; - if ((certh == CK_INVALID_HANDLE) || - (cert->series != slot->series)) { - certh = pk11_FindObjectByTemplate(slot, theTemplate, tsize); - cert->pkcs11ID = certh; - cert->series = slot->series; - } - } else { - certh = pk11_FindObjectByTemplate(slot, theTemplate, tsize); - } - return certh; -} - -/* * return the private key From a given Cert */ SECKEYPrivateKey * @@ -1285,33 +1262,12 @@ PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx) { int err; - CK_OBJECT_CLASS certClass = CKO_CERTIFICATE; - CK_ATTRIBUTE theTemplate[] = { - { CKA_VALUE, NULL, 0 }, - { CKA_CLASS, NULL, 0 } - }; - /* if you change the array, change the variable below as well */ - const size_t tsize = sizeof(theTemplate) / sizeof(theTemplate[0]); CK_OBJECT_HANDLE certh; CK_OBJECT_HANDLE keyh; - CK_ATTRIBUTE *attrs = theTemplate; PRBool needLogin; SECStatus rv; - PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, - cert->derCert.len); - attrs++; - PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); - - /* - * issue the find - */ - rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); - if (rv != SECSuccess) { - return NULL; - } - - certh = pk11_getcerthandle(slot, cert, theTemplate, tsize); + certh = PK11_FindCertInSlot(slot, cert, wincx); if (certh == CK_INVALID_HANDLE) { return NULL; } @@ -2051,8 +2007,7 @@ PK11_FindObjectForCert(CERTCertificate *cert, void *wincx, PK11SlotInfo **pSlot) PK11_SETATTRS(attr, CKA_VALUE, cert->derCert.data, cert->derCert.len); if (cert->slot) { - certHandle = pk11_getcerthandle(cert->slot, cert, searchTemplate, - templateSize); + certHandle = PK11_FindCertInSlot(cert->slot, cert, wincx); if (certHandle != CK_INVALID_HANDLE) { *pSlot = PK11_ReferenceSlot(cert->slot); return certHandle; @@ -2630,36 +2585,51 @@ PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, PK11SlotInfo *slot2, return SECFailure; } -/* - * return the private key From a given Cert - */ CK_OBJECT_HANDLE -PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx) +PK11_FindEncodedCertInSlot(PK11SlotInfo *slot, SECItem *derCert, void *wincx) { + if (!slot || !derCert) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + CK_OBJECT_CLASS certClass = CKO_CERTIFICATE; CK_ATTRIBUTE theTemplate[] = { { CKA_VALUE, NULL, 0 }, { CKA_CLASS, NULL, 0 } }; - /* if you change the array, change the variable below as well */ const size_t tsize = sizeof(theTemplate) / sizeof(theTemplate[0]); CK_ATTRIBUTE *attrs = theTemplate; - SECStatus rv; - PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, - cert->derCert.len); + PK11_SETATTRS(attrs, CKA_VALUE, derCert->data, derCert->len); attrs++; PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); - /* - * issue the find - */ - rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); + SECStatus rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); if (rv != SECSuccess) { return CK_INVALID_HANDLE; } - return pk11_getcerthandle(slot, cert, theTemplate, tsize); + return pk11_FindObjectByTemplate(slot, theTemplate, tsize); +} + +CK_OBJECT_HANDLE +PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx) +{ + CK_OBJECT_HANDLE certh; + + if (cert->slot == slot) { + certh = cert->pkcs11ID; + if ((certh == CK_INVALID_HANDLE) || + (cert->series != slot->series)) { + certh = PK11_FindEncodedCertInSlot(slot, &cert->derCert, wincx); + cert->pkcs11ID = certh; + cert->series = slot->series; + } + } else { + certh = PK11_FindEncodedCertInSlot(slot, &cert->derCert, wincx); + } + return certh; } /* Looking for PK11_GetKeyIDFromCert? @@ -2787,30 +2757,12 @@ SECItem * PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx) { - CK_OBJECT_CLASS certClass = CKO_CERTIFICATE; - CK_ATTRIBUTE theTemplate[] = { - { CKA_VALUE, NULL, 0 }, - { CKA_CLASS, NULL, 0 } - }; - /* if you change the array, change the variable below as well */ - const size_t tsize = sizeof(theTemplate) / sizeof(theTemplate[0]); CK_OBJECT_HANDLE certHandle; - CK_ATTRIBUTE *attrs = theTemplate; PK11SlotInfo *slotRef = NULL; SECItem *item; - SECStatus rv; if (slot) { - PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, - cert->derCert.len); - attrs++; - PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); - - rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); - if (rv != SECSuccess) { - return NULL; - } - certHandle = pk11_getcerthandle(slot, cert, theTemplate, tsize); + certHandle = PK11_FindCertInSlot(slot, cert, wincx); } else { certHandle = PK11_FindObjectForCert(cert, wincx, &slotRef); if (certHandle == CK_INVALID_HANDLE) { diff --git a/lib/pk11wrap/pk11pub.h b/lib/pk11wrap/pk11pub.h index 5edcbf969..771a70f59 100644 --- a/lib/pk11wrap/pk11pub.h +++ b/lib/pk11wrap/pk11pub.h @@ -697,6 +697,7 @@ SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx); CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert, void *wincx); PRBool PK11_FortezzaHasKEA(CERTCertificate *cert); +CK_OBJECT_HANDLE PK11_FindEncodedCertInSlot(PK11SlotInfo *slot, SECItem *derCert, void *wincx); CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx); SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, |