authorian.mcgreer%sun.com <devnull@localhost>2002-04-15 15:22:11 +0000
committerian.mcgreer%sun.com <devnull@localhost>2002-04-15 15:22:11 +0000
commit46632f2256d6e706f8c3403a5e37a90216266bd9 (patch)
tree424bf6579cec5cd2e22141327851d693f1a20ccb /security/nss/lib/dev
parent2bab8ee7cbd377ea5fcef1da434e8424fe475c6e (diff)
downloadnss-hg-46632f2256d6e706f8c3403a5e37a90216266bd9.tar.gz
bug 135521, change cert lookups on tokens to be actual finds instead of traversals
Diffstat (limited to 'security/nss/lib/dev')
-rw-r--r--security/nss/lib/dev/ckhelper.c12
-rw-r--r--security/nss/lib/dev/ckhelper.h8
-rw-r--r--security/nss/lib/dev/dev.h116
-rw-r--r--security/nss/lib/dev/devt.h5
-rw-r--r--security/nss/lib/dev/devtoken.c136
-rw-r--r--security/nss/lib/dev/devutil.c4
-rw-r--r--security/nss/lib/dev/manifest.mn1
7 files changed, 158 insertions, 124 deletions
diff --git a/security/nss/lib/dev/ckhelper.c b/security/nss/lib/dev/ckhelper.c
index 6092128c6..c07afd649 100644
--- a/security/nss/lib/dev/ckhelper.c
+++ b/security/nss/lib/dev/ckhelper.c
@@ -287,7 +287,6 @@ nssCKObject_IsTokenObjectTemplate
return PR_FALSE;
}
-#ifdef PURE_STAN_BUILD
static NSSCertificateType
nss_cert_type_from_ck_attrib(CK_ATTRIBUTE_PTR attrib)
{
@@ -358,10 +357,14 @@ nssCryptokiCertificate_GetAttributes
return PR_SUCCESS;
}
+#ifdef PURE_STAN_BUILD
status = nssToken_GetCachedObjectAttributes(certObject->token, arenaOpt,
certObject, CKO_CERTIFICATE,
cert_template, template_size);
if (status != PR_SUCCESS) {
+#else
+ if (PR_TRUE) {
+#endif
session = sessionOpt ?
sessionOpt :
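Review bot: The `#else` arm `if (PR_TRUE) {` exists only to balance the brace opened by `if (status != PR_SUCCESS) {` in the PURE_STAN_BUILD arm, and it hides the fact that `status` is no longer assigned at this point in the other build. The same construct is added to nssCryptokiTrust_GetAttributes in a later hunk of this file. A comment on the `#else` arm would make the intent explicit, for example `/* cached attribute lookup is PURE_STAN_BUILD only: always read from the token */`. The function body continues outside the hunk, so whether `status` is read later without being set cannot be checked from here.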
@@ -402,6 +405,7 @@ nssCryptokiCertificate_GetAttributes
return PR_SUCCESS;
}
+#ifdef PURE_STAN_BUILD
static NSSKeyPairType
nss_key_pair_type_from_ck_attrib(CK_ATTRIBUTE_PTR attrib)
{
@@ -523,6 +527,7 @@ nssCryptokiPublicKey_GetAttributes
}
return PR_SUCCESS;
}
+#endif /* PURE_STAN_BUILD */
static nssTrustLevel
get_nss_trust
@@ -572,11 +577,15 @@ nssCryptokiTrust_GetAttributes
NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING, csTrust);
NSS_CK_TEMPLATE_FINISH(trust_template, attr, trust_size);
+#ifdef PURE_STAN_BUILD
status = nssToken_GetCachedObjectAttributes(trustObject->token, NULL,
trustObject,
CKO_NETSCAPE_TRUST,
trust_template, trust_size);
if (status != PR_SUCCESS) {
+#else
+ if (PR_TRUE) {
+#endif
session = sessionOpt ?
sessionOpt :
nssToken_GetDefaultSession(trustObject->token);
@@ -598,6 +607,7 @@ nssCryptokiTrust_GetAttributes
return PR_SUCCESS;
}
+#ifdef PURE_STAN_BUILD
NSS_IMPLEMENT PRStatus
nssCryptokiCRL_GetAttributes
(
diff --git a/security/nss/lib/dev/ckhelper.h b/security/nss/lib/dev/ckhelper.h
index f09088041..fc64ea9b7 100644
--- a/security/nss/lib/dev/ckhelper.h
+++ b/security/nss/lib/dev/ckhelper.h
@@ -86,6 +86,12 @@ NSS_EXTERN_DATA const NSSItem g_ck_class_privkey;
(pattr)->ulValueLen = (CK_ULONG)sizeof(var); \
(pattr)++;
+#define NSS_CK_SET_ATTRIBUTE_NULL(pattr, kind) \
+ (pattr)->type = kind; \
+ (pattr)->pValue = (CK_VOID_PTR)NULL; \
+ (pattr)->ulValueLen = 0; \
+ (pattr)++;
+
#define NSS_CK_TEMPLATE_FINISH(_template, attr, size) \
size = (attr) - (_template); \
PR_ASSERT(size <= sizeof(_template)/sizeof(_template[0]));
@@ -127,7 +133,7 @@ nssCKObject_GetAttributes
CK_ULONG count,
NSSArena *arenaOpt,
nssSession *session,
- NSSSlot *slot
+ NSSSlot *slot
);
/* Get a single attribute as an item. */
diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h
index ccce63c8a..2e7bc4cdd 100644
--- a/security/nss/lib/dev/dev.h
+++ b/security/nss/lib/dev/dev.h
@@ -421,7 +421,6 @@ nssToken_NeedsPINInitialization
NSSToken *token
);
-#ifdef PURE_STAN_BUILD
NSS_EXTERN nssCryptokiObject *
nssToken_ImportCertificate
(
@@ -603,8 +602,6 @@ nssToken_FindPublicKeyByID
NSSItem *keyID
);
-#endif /* PURE_STAN_BUILD */
-
NSS_EXTERN NSSItem *
nssToken_Digest
(
@@ -903,26 +900,18 @@ nssSlotList_GetBestSlotForAlgorithmsAndParameters
NSSAlgorithmAndParameters **ap
);
-#ifndef PURE_STAN_BUILD
-/* XXX the following remain while merging new work */
+#ifdef NSS_3_4_CODE
-NSS_EXTERN PRStatus
-nssToken_ImportCertificate
+NSS_EXTERN PRBool
+nssToken_IsPresent
(
- NSSToken *tok,
- nssSession *sessionOpt,
- NSSCertificate *cert,
- NSSUTF8 *nickname,
- PRBool asTokenObject
+ NSSToken *token
);
-
-NSS_EXTERN PRStatus
-nssToken_ImportTrust
+
+NSS_EXTERN nssSession *
+nssToken_GetDefaultSession
(
- NSSToken *tok,
- nssSession *sessionOpt,
- NSSTrust *trust,
- PRBool asTokenObject
+ NSSToken *token
);
NSS_EXTERN PRStatus
@@ -949,96 +938,13 @@ nssToken_SetHasCrls
NSSToken *tok
);
-/* Permanently remove an object from the token. */
-NSS_EXTERN PRStatus
-nssToken_DeleteStoredObject
-(
- nssCryptokiInstance *instance
-);
-
-NSS_EXTERN NSSTrust *
-nssToken_FindTrustForCert
-(
- NSSToken *token,
- nssSession *sessionOpt,
- NSSCertificate *c,
- nssTokenSearchType searchType
-);
-
-NSS_EXTERN PRStatus
-nssToken_TraverseCertificates
-(
- NSSToken *tok,
- nssSession *sessionOpt,
- nssTokenCertSearch *search
-);
-
-NSS_EXTERN PRStatus
-nssToken_TraverseCertificatesBySubject
-(
- NSSToken *token,
- nssSession *sessionOpt,
- NSSDER *subject,
- nssTokenCertSearch *search
-);
-
-NSS_EXTERN PRStatus
-nssToken_TraverseCertificatesByNickname
-(
- NSSToken *token,
- nssSession *sessionOpt,
- NSSUTF8 *name,
- nssTokenCertSearch *search
-);
-
NSS_EXTERN PRStatus
-nssToken_TraverseCertificatesByEmail
+nssToken_GetTrustOrder
(
- NSSToken *token,
- nssSession *sessionOpt,
- NSSASCII7 *email,
- nssTokenCertSearch *search
-);
-
-NSS_EXTERN NSSCertificate *
-nssToken_FindCertificateByIssuerAndSerialNumber
-(
- NSSToken *token,
- nssSession *sessionOpt,
- NSSDER *issuer,
- NSSDER *serial,
- nssTokenSearchType searchType
-);
-
-NSS_EXTERN NSSCertificate *
-nssToken_FindCertificateByEncodedCertificate
-(
- NSSToken *token,
- nssSession *sessionOpt,
- NSSBER *encodedCertificate,
- nssTokenSearchType searchType
-);
-
-NSS_EXTERN NSSTrust *
-nssToken_FindTrustForCert
-(
- NSSToken *token,
- nssSession *session,
- NSSCertificate *c,
- nssTokenSearchType searchType
-);
-
-/* exposing this for the smart card cache code */
-NSS_EXTERN nssCryptokiInstance *
-nssCryptokiInstance_Create
-(
- NSSArena *arena,
- NSSToken *t,
- CK_OBJECT_HANDLE h,
- PRBool isTokenObject
+ NSSToken *tok
);
-#endif /* !PURE_STAN_BUILD */
+#endif
PR_END_EXTERN_C
diff --git a/security/nss/lib/dev/devt.h b/security/nss/lib/dev/devt.h
index b712f644e..4d7b2feaf 100644
--- a/security/nss/lib/dev/devt.h
+++ b/security/nss/lib/dev/devt.h
@@ -144,7 +144,7 @@ typedef enum {
NSSCertificateType_PKIX = 1
} NSSCertificateType;
-#ifdef NSS_3_4_CODE
+#ifdef nodef
/* the current definition of NSSTrust depends on this value being CK_ULONG */
typedef CK_ULONG nssTrustLevel;
#else
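Review bot: Changing the guard to `#ifdef nodef` turns the `typedef CK_ULONG nssTrustLevel;` branch into dead code, yet the comment saying that NSSTrust depends on the value being CK_ULONG is left in place. If that dependency still holds, NSS_3_4_CODE builds now get the `#else` definition (outside this hunk) underneath NSSTrust, which may differ in size or values. If it no longer holds, the branch and its comment should be deleted rather than parked behind a macro that is never defined. Either way, a short comment stating why the CK_ULONG variant was disabled belongs next to the guard.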
@@ -175,7 +175,8 @@ typedef struct nssTokenCertSearchStr nssTokenCertSearch;
typedef enum {
nssTokenSearchType_AllObjects = 0,
nssTokenSearchType_SessionOnly = 1,
- nssTokenSearchType_TokenOnly = 2
+ nssTokenSearchType_TokenOnly = 2,
+ nssTokenSearchType_TokenForced = 3
} nssTokenSearchType;
struct nssTokenCertSearchStr
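Review bot: `nssTokenSearchType_TokenForced` is added with no comment on how it differs from `nssTokenSearchType_TokenOnly`, and nothing in this hunk shows which callers pass it. Code elsewhere that switches on nssTokenSearchType needs to handle the new value explicitly rather than fall into a default arm. A one-line comment beside the enumerator, such as `/* <when to use TokenForced instead of TokenOnly> */`, would let a reviewer check each search path against the intended meaning.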
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
index 5da32851f..52c3b9c4c 100644
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -48,6 +48,8 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
#endif /* CKHELPER_H */
#ifdef NSS_3_4_CODE
+#include "pk11func.h"
+#include "dev3hack.h"
#endif
/* The number of object handles to grab during each call to C_FindObjects */
@@ -254,7 +256,6 @@ nssToken_NeedsPINInitialization
return (!(token->ckFlags & CKF_USER_PIN_INITIALIZED));
}
-#ifdef PURE_STAN_BUILD
NSS_IMPLEMENT PRStatus
nssToken_DeleteStoredObject
(
@@ -267,9 +268,11 @@ nssToken_DeleteStoredObject
NSSToken *token = instance->token;
nssSession *session = NULL;
void *epv = nssToken_GetCryptokiEPV(instance->token);
+#ifdef PURE_STAN_BUILD
if (token->cache) {
status = nssTokenObjectCache_RemoveObject(token->cache, instance);
}
+#endif
if (instance->isTokenObject) {
if (nssSession_IsReadWrite(token->defaultSession)) {
session = token->defaultSession;
@@ -304,6 +307,7 @@ import_object
{
nssSession *session = NULL;
PRBool createdSession = PR_FALSE;
+ nssCryptokiObject *object = NULL;
CK_OBJECT_HANDLE handle;
CK_RV ckrv;
void *epv = nssToken_GetCryptokiEPV(tok);
@@ -331,13 +335,13 @@ import_object
objectTemplate, otsize,
&handle);
nssSession_ExitMonitor(session);
+ if (ckrv == CKR_OK) {
+ object = nssCryptokiObject_Create(tok, session, handle);
+ }
if (createdSession) {
nssSession_Destroy(session);
}
- if (ckrv != CKR_OK) {
- return CK_INVALID_HANDLE;
- }
- return nssCryptokiObject_Create(tok, session, handle);
+ return object;
}
static nssCryptokiObject **
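Review bot: When `createdSession` is true, `nssCryptokiObject_Create(tok, session, handle)` receives a session that is destroyed two statements later. If the created object keeps that session pointer (its definition is not in this hunk), the returned object refers to a destroyed session. If the template created a session object rather than a token object, the handle itself may not outlive the session either. Creating the object against a session that survives the call would settle it, or else a comment above the create call such as `/* object must not retain session: it may be destroyed below */`. import_object begins outside the hunk, so how the session is chosen is not visible.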
@@ -421,8 +425,11 @@ find_objects
}
/* bump the number of found objects */
numHandles += count;
- if (maximumOpt == 0 || numHandles < arraySize) {
- /* either reached maximum, or no more objects to get */
+ if (maximumOpt > 0 || numHandles < arraySize) {
+ /* When a maximum is provided, the search is done all at once,
+ * so the search is finished. If the number returned was less
+ * than the number sought, the search is finished.
+ */
break;
}
/* the array is filled, double it and continue */
@@ -469,6 +476,7 @@ find_objects_by_template
CK_OBJECT_CLASS objclass;
nssCryptokiObject **objects = NULL;
PRUint32 i;
+#ifdef PURE_STAN_BUILD
for (i=0; i<otsize; i++) {
if (obj_template[i].type == CKA_CLASS) {
objclass = *(CK_OBJECT_CLASS *)obj_template[i].pValue;
@@ -487,6 +495,7 @@ find_objects_by_template
maximumOpt);
if (statusOpt) *statusOpt = PR_SUCCESS;
}
+#endif /* PURE_STAN_BUILD */
/* Either they are not cached, or cache failed; look on token. */
if (!objects) {
objects = find_objects(token, sessionOpt,
@@ -538,11 +547,13 @@ nssToken_ImportCertificate
NSS_CK_TEMPLATE_FINISH(cert_tmpl, attr, ctsize);
/* Import the certificate onto the token */
rvObject = import_object(tok, sessionOpt, cert_tmpl, ctsize);
+#ifdef PURE_STAN_BUILD
if (rvObject && tok->cache) {
nssTokenObjectCache_ImportObject(tok->cache, rvObject,
CKO_CERTIFICATE,
cert_tmpl, ctsize);
}
+#endif
return rvObject;
}
@@ -909,7 +920,12 @@ static void
sha1_hash(NSSItem *input, NSSItem *output)
{
NSSAlgorithmAndParameters *ap;
+#ifdef NSS_3_4_CODE
+ PK11SlotInfo *internal = PK11_GetInternalSlot();
+ NSSToken *token = PK11Slot_GetNSSToken(internal);
+#else
NSSToken *token = nss_GetDefaultCryptoToken();
+#endif
ap = NSSAlgorithmAndParameters_CreateSHA1Digest(NULL);
(void)nssToken_Digest(token, NULL, ap, input, output, NULL);
#ifdef NSS_3_4_CODE
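Review bot: Neither `internal` nor `token` is checked before `nssToken_Digest` is called in sha1_hash, and the same two lines are added to md5_hash in the next hunk. `PK11_GetInternalSlot()` returns a slot reference, so every hash call leaks one unless it is released with `PK11_FreeSlot(internal)`. The only place that could happen is the `#ifdef NSS_3_4_CODE` block starting on the last line of this hunk, whose body lies outside it. The digest result is still discarded with `(void)`, so a NULL token or a failed digest leaves `output` exactly as the caller passed it, with no indication of failure. A guard such as `if (!token) return;` plus a documented convention for a failed hash would make that case detectable.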
@@ -922,7 +938,12 @@ static void
md5_hash(NSSItem *input, NSSItem *output)
{
NSSAlgorithmAndParameters *ap;
+#ifdef NSS_3_4_CODE
+ PK11SlotInfo *internal = PK11_GetInternalSlot();
+ NSSToken *token = PK11Slot_GetNSSToken(internal);
+#else
NSSToken *token = nss_GetDefaultCryptoToken();
+#endif
ap = NSSAlgorithmAndParameters_CreateMD5Digest(NULL);
(void)nssToken_Digest(token, NULL, ap, input, output, NULL);
#ifdef NSS_3_4_CODE
@@ -1001,16 +1022,13 @@ nssToken_ImportTrust
NSS_CK_TEMPLATE_FINISH(trust_tmpl, attr, tsize);
/* import the trust object onto the token */
object = import_object(tok, sessionOpt, trust_tmpl, tsize);
+#ifdef PURE_STAN_BUILD
if (object && tok->cache) {
nssTokenObjectCache_ImportObject(tok->cache, object,
CKO_CERTIFICATE,
trust_tmpl, tsize);
}
- /* XXX
- if (object) {
- tok->hasNoTrust = PR_FALSE;
- }
- */
+#endif
return object;
}
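Review bot: Nothing on this import path clears `tok->hasNoTrust` once a trust object has been created; the deleted XXX block was the only reminder of that. nssToken_SetTrustCache, added at the end of this file, computes the flag from a single search, and CRLs have nssToken_SetHasCrls to reset theirs, but no counterpart for trust is visible on the page. If trust lookups consult hasNoTrust (not shown here), trust settings imported onto a token flagged as having none would be ignored until the flag is recomputed. Consider `if (object) tok->hasNoTrust = PR_FALSE;` after the import in builds where that field exists. The context lines also still pass `CKO_CERTIFICATE` as the class when caching a trust template (and a CRL template in the next hunk), which looks like a copy-paste slip.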
@@ -1144,11 +1162,13 @@ nssToken_ImportCRL
/* import the crl object onto the token */
object = import_object(token, sessionOpt, crl_tmpl, crlsize);
+#ifdef PURE_STAN_BUILD
if (object && token->cache) {
nssTokenObjectCache_ImportObject(token->cache, object,
CKO_CERTIFICATE,
crl_tmpl, crlsize);
}
+#endif
return object;
}
@@ -1191,6 +1211,7 @@ nssToken_FindCRLs
return objects;
}
+#ifdef PURE_STAN_BUILD
NSS_IMPLEMENT PRStatus
nssToken_GetCachedObjectAttributes
(
@@ -1209,7 +1230,7 @@ nssToken_GetCachedObjectAttributes
object, objclass,
atemplate, atlen);
}
-#endif /* PURE_STAN_BUILD */
+#endif
NSS_IMPLEMENT NSSItem *
nssToken_Digest
@@ -1370,3 +1391,92 @@ nssToken_FinishDigest
return rvItem;
}
+#ifdef NSS_3_4_CODE
+
+NSS_IMPLEMENT PRStatus
+nssToken_SetTrustCache
+(
+ NSSToken *token
+)
+{
+ CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
+ CK_ATTRIBUTE_PTR attr;
+ CK_ATTRIBUTE tobj_template[2];
+ CK_ULONG tobj_size;
+ nssCryptokiObject **objects;
+ nssSession *session = token->defaultSession;
+
+ NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
+ NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc);
+ NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+ NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
+
+ objects = find_objects_by_template(token, session,
+ tobj_template, tobj_size, 1, NULL);
+ token->hasNoTrust = PR_FALSE;
+ if (objects) {
+ nssCryptokiObjectArray_Destroy(objects);
+ } else {
+ token->hasNoTrust = PR_TRUE;
+ }
+ return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_SetCrlCache
+(
+ NSSToken *token
+)
+{
+ CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_CRL;
+ CK_ATTRIBUTE_PTR attr;
+ CK_ATTRIBUTE tobj_template[2];
+ CK_ULONG tobj_size;
+ nssCryptokiObject **objects;
+ nssSession *session = token->defaultSession;
+
+ NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
+ NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc);
+ NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+ NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
+
+ objects = find_objects_by_template(token, session,
+ tobj_template, tobj_size, 1, NULL);
+ token->hasNoCrls = PR_TRUE;
+ if (objects) {
+ nssCryptokiObjectArray_Destroy(objects);
+ } else {
+ token->hasNoCrls = PR_TRUE;
+ }
+ return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRBool
+nssToken_HasCrls
+(
+ NSSToken *tok
+)
+{
+ return !tok->hasNoCrls;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_SetHasCrls
+(
+ NSSToken *tok
+)
+{
+ tok->hasNoCrls = PR_FALSE;
+ return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRBool
+nssToken_IsPresent
+(
+ NSSToken *token
+)
+{
+ return nssSlot_IsTokenPresent(token->slot);
+}
+#endif
+
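Review bot: In nssToken_SetCrlCache the flag is initialised with `token->hasNoCrls = PR_TRUE;` and the `else` branch assigns `PR_TRUE` again, so hasNoCrls ends up PR_TRUE whether or not the search found a CRL object. nssToken_SetTrustCache just above starts from `PR_FALSE`, which looks like the intended pattern, so the first assignment should read `token->hasNoCrls = PR_FALSE;`. As written, nssToken_HasCrls returns PR_FALSE for a token that does hold CRLs, and any caller that uses it to decide whether to fetch CRLs from the token would skip that revocation data. Both functions also pass NULL for the status argument of find_objects_by_template and always return PR_SUCCESS, so a failed search is recorded as "no objects".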
diff --git a/security/nss/lib/dev/devutil.c b/security/nss/lib/dev/devutil.c
index 955b79b28..083c898ab 100644
--- a/security/nss/lib/dev/devutil.c
+++ b/security/nss/lib/dev/devutil.c
@@ -43,7 +43,6 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
#include "ckhelper.h"
#endif /* CKHELPER_H */
-#ifdef PURE_STAN_BUILD
NSS_IMPLEMENT nssCryptokiObject *
nssCryptokiObject_Create
(
@@ -161,6 +160,7 @@ nssSlotArray_Clone
return rvSlots;
}
+#ifdef PURE_STAN_BUILD
NSS_IMPLEMENT void
nssModuleArray_Destroy
(
@@ -175,6 +175,7 @@ nssModuleArray_Destroy
nss_ZFreeIf(modules);
}
}
+#endif
NSS_IMPLEMENT void
nssSlotArray_Destroy
@@ -239,6 +240,7 @@ nssCryptokiObjectArray_Destroy
}
}
+#ifdef PURE_STAN_BUILD
/*
* Slot lists
*/
diff --git a/security/nss/lib/dev/manifest.mn b/security/nss/lib/dev/manifest.mn
index 7f7ac0101..df0151ef2 100644
--- a/security/nss/lib/dev/manifest.mn
+++ b/security/nss/lib/dev/manifest.mn
@@ -50,7 +50,6 @@ MODULE = security
CSRCS = \
devmod.c \
devslot.c \
- devobject.c \
devtoken.c \
devutil.c \
ckhelper.c \