authorrelyea%netscape.com <devnull@localhost>2002-05-16 20:39:04 +0000
committerrelyea%netscape.com <devnull@localhost>2002-05-16 20:39:04 +0000
commite7af8ef836847217305e46546159b92bfb2110d0 (patch)
tree33d589305bdf1eed3f22478ddcbc07e97eac8bf9 /security/nss/lib/softoken
parentb3329979a8575b209f419ce80dc1cd4ba1c96eb5 (diff)
parent0f24161cf809b4145434649b2b63bdb4c47c499a (diff)
downloadnss-hg-e7af8ef836847217305e46546159b92bfb2110d0.tar.gz
Add Transactions (still need to add transactions on database upgrade).
Make trust objects their own objects to reduce a couple of unnecessary cert decodes.
Diffstat (limited to 'security/nss/lib/softoken')
-rw-r--r--security/nss/lib/softoken/cdbhdl.h2
-rw-r--r--security/nss/lib/softoken/dbinit.c36
-rw-r--r--security/nss/lib/softoken/keydb.c12
-rw-r--r--security/nss/lib/softoken/pcert.h23
-rw-r--r--security/nss/lib/softoken/pcertdb.c237
-rw-r--r--security/nss/lib/softoken/pcertt.h12
-rw-r--r--security/nss/lib/softoken/pkcs11.c18
-rw-r--r--security/nss/lib/softoken/pkcs11u.c87
8 files changed, 387 insertions, 40 deletions
diff --git a/security/nss/lib/softoken/cdbhdl.h b/security/nss/lib/softoken/cdbhdl.h
index f52712422..ba2f9fa7c 100644
--- a/security/nss/lib/softoken/cdbhdl.h
+++ b/security/nss/lib/softoken/cdbhdl.h
@@ -68,4 +68,6 @@ DB * rdbopen(const char *appName, const char *prefix,
const char *type, int flags);
SECStatus db_Copy(DB *dest,DB *src);
+int db_BeginTransaction(DB *db);
+int db_FinishTransaction(DB *db, PRBool abort);
#endif
diff --git a/security/nss/lib/softoken/dbinit.c b/security/nss/lib/softoken/dbinit.c
index 87098dc0a..115a581ad 100644
--- a/security/nss/lib/softoken/dbinit.c
+++ b/security/nss/lib/softoken/dbinit.c
@@ -256,6 +256,7 @@ pk11_DBShutdown(NSSLOWCERTCertDBHandle *certHandle,
}
static rdbfunc pk11_rdbfunc;
+static void *pk11_tnx;
/* NOTE: SHLIB_SUFFIX is defined on the command line */
#define RDBLIB "rdb."SHLIB_SUFFIX
@@ -283,7 +284,8 @@ DB * rdbopen(const char *appName, const char *prefix,
/* get the entry point */
pk11_rdbfunc = (rdbfunc) PR_FindSymbol(lib,"rdbopen");
if (pk11_rdbfunc) {
- return (*pk11_rdbfunc)(appName,prefix,type,flags);
+ db = (*pk11_rdbfunc)(appName,prefix,type,flags);
+ return db;
}
/* couldn't find the entry point, unload the library and fail */
@@ -291,6 +293,38 @@ DB * rdbopen(const char *appName, const char *prefix,
return NULL;
}
+struct RDBStr {
+ DB db;
+ int (*xactstart)(DB *db);
+ int (*xactdone)(DB *db, PRBool abort);
+};
+
+#define DB_RDB ((DBTYPE) 0xff)
+
+int
+db_BeginTransaction(DB *db)
+{
+ RDB *rdb = (RDB *)db;
+ if (db->type != DB_RDB) {
+ return 0;
+ }
+
+ return rdb->xactstart(db);
+}
+
+int
+db_FinishTransaction(DB *db, PRBool abort)
+{
+ RDB *rdb = (RDB *)db;
+ if (db->type != DB_RDB) {
+ return 0;
+ }
+
+ return rdb->xactdone(db, abort);
+}
+
+
+
SECStatus
db_Copy(DB *dest,DB *src)
{
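Review bot: db_BeginTransaction and db_FinishTransaction call `rdb->xactstart(db)` and `rdb->xactdone(db, abort)` without checking either pointer, and the only evidence that `db` really is a `struct RDBStr` is the `DB_RDB` type tag. These hooks are presumably filled in by the library that rdbopen loads at run time, so a library that sets the tag but leaves a hook NULL would crash here. A guard such as `if (db == NULL || db->type != DB_RDB || rdb->xactstart == NULL) return 0;` would cover the begin path, with the matching check on `xactdone`, or a failure return if a missing hook should be an error. Both functions also need a header comment saying that 0 means success (callers compare the `int` result against `SECSuccess`), that non-RDB databases silently get no transaction, and that a true `abort` discards the changes.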
diff --git a/security/nss/lib/softoken/keydb.c b/security/nss/lib/softoken/keydb.c
index dc58a402d..17d76acb7 100644
--- a/security/nss/lib/softoken/keydb.c
+++ b/security/nss/lib/softoken/keydb.c
@@ -2255,6 +2255,11 @@ ChangeKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle,
return(SECFailure);
}
keylist.head = NULL;
+
+ rv = db_BeginTransaction(handle->db);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
/* TNH - TraverseKeys should not be public, since it exposes
the underlying DBT data type. */
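Review bot: When db_BeginTransaction fails, `goto loser` lands on the `db_FinishTransaction(handle->db, ...)` call that this commit adds under `loser:` in the last hunk of this file, so a transaction that never started is finished. The other callers in pcertdb.c avoid this by returning directly or by jumping past the finish call. Either track it with a local flag, `PRBool inTransaction = PR_FALSE;` set after a successful begin and tested before the finish, or add a second label below the finish call for this path. The function body starts and ends outside the hunk, so whether the arena cleanup at `loser:` is still needed on this path has to be checked there.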
@@ -2299,7 +2304,10 @@ ChangeKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle,
newkey.size = privkey->u.dh.publicValue.len;
break;
default:
- return SECFailure;
+ /* should we continue here and loose the key? */
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ rv = SECFailure;
+ goto loser;
}
rv = seckey_put_private_key(handle, &newkey, newpwitem, privkey,
@@ -2320,6 +2328,8 @@ ChangeKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle,
loser:
+ db_FinishTransaction(handle->db,rv == SECSuccess);
+
/* free the arena */
if ( keylist.arena ) {
PORT_FreeArena(keylist.arena, PR_FALSE);
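Review bot: `db_FinishTransaction(handle->db,rv == SECSuccess);` passes a true value for the parameter the prototype names `abort` exactly when the password change succeeded, which is the opposite of every call in pcertdb.c (`rv != SECSuccess`). If `abort` means roll back, as the name suggests, a successful re-encryption of the key database is discarded and a failed, partially rewritten one is committed. The line should read `db_FinishTransaction(handle->db, rv != SECSuccess);`. The function body starts outside the hunk.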
diff --git a/security/nss/lib/softoken/pcert.h b/security/nss/lib/softoken/pcert.h
index c1d9b3128..aa2c6ea3b 100644
--- a/security/nss/lib/softoken/pcert.h
+++ b/security/nss/lib/softoken/pcert.h
@@ -49,6 +49,8 @@ SEC_BEGIN_PROTOS
SECStatus nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *handle,
NSSLOWCERTCertificate *cert,
char *nickname, NSSLOWCERTCertTrust *trust);
+SECStatus nsslowcert_AddPermNickname(NSSLOWCERTCertDBHandle *dbhandle,
+ NSSLOWCERTCertificate *cert, char *nickname);
SECStatus nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert);
@@ -88,6 +90,7 @@ nsslowcert_NewTempCertificate(NSSLOWCERTCertDBHandle *handle, SECItem *derCert,
NSSLOWCERTCertificate *
nsslowcert_DupCertificate(NSSLOWCERTCertificate *cert);
void nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert);
+void nsslowcert_DestroyTrust(NSSLOWCERTTrust *Trust);
/*
* Lookup a certificate in the databases without locking
@@ -100,6 +103,16 @@ NSSLOWCERTCertificate *
nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey);
/*
+ * Lookup trust for a certificate in the databases without locking
+ * "certKey" is the database key to look for
+ *
+ * XXX - this should be internal, but pkcs 11 needs to call it during a
+ * traversal.
+ */
+NSSLOWCERTTrust *
+nsslowcert_FindTrustByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey);
+
+/*
** Generate a certificate key from the issuer and serialnumber, then look it
** up in the database. Return the cert if found.
** "issuerAndSN" is the issuer and serial number to look for
@@ -108,6 +121,14 @@ extern NSSLOWCERTCertificate *
nsslowcert_FindCertByIssuerAndSN (NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN);
/*
+** Generate a certificate key from the issuer and serialnumber, then look it
+** up in the database. Return the cert if found.
+** "issuerAndSN" is the issuer and serial number to look for
+*/
+extern NSSLOWCERTTrust *
+nsslowcert_FindTrustByIssuerAndSN (NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN);
+
+/*
** Find a certificate in the database by a DER encoded certificate
** "derCert" is the DER encoded certificate
*/
@@ -189,7 +210,7 @@ nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle,
NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust);
PRBool
-nsslowcert_hasTrust(NSSLOWCERTCertificate *cert);
+nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust);
void
nsslowcert_DestroyGlobalLocks(void);
diff --git a/security/nss/lib/softoken/pcertdb.c b/security/nss/lib/softoken/pcertdb.c
index bd50e00e1..4e0d6b46a 100644
--- a/security/nss/lib/softoken/pcertdb.c
+++ b/security/nss/lib/softoken/pcertdb.c
@@ -3749,6 +3749,7 @@ DeletePermCert(NSSLOWCERTCertificate *cert)
rv = RemovePermSubjectNode(cert);
+
return(ret);
}
@@ -3761,6 +3762,11 @@ nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert)
SECStatus rv;
nsslowcert_LockDB(cert->dbhandle);
+
+ rv = db_BeginTransaction(cert->dbhandle->permCertDB);
+ if ( rv != SECSuccess ) {
+ goto loser;
+ }
/* delete the records from the permanent database */
rv = DeletePermCert(cert);
@@ -3769,6 +3775,9 @@ nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert)
cert->dbEntry = NULL;
cert->trust = NULL;
+ db_FinishTransaction(cert->dbhandle->permCertDB,rv != SECSuccess);
+loser:
+
nsslowcert_UnlockDB(cert->dbhandle);
return(rv);
}
@@ -3848,6 +3857,22 @@ loser:
return(0);
}
+static NSSLOWCERTTrust *
+DecodeTrustEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry, SECItem *dbKey)
+{
+ NSSLOWCERTTrust *trust = PORT_Alloc(sizeof(NSSLOWCERTTrust));
+ if (trust == NULL) {
+ return trust;
+ }
+ trust->dbhandle = handle;
+ trust->dbEntry = entry;
+ SECITEM_CopyItem(NULL, &trust->dbKey , dbKey);
+ trust->trust = &entry->trust;
+ trust->derCert = &entry->derCert;
+
+ return(trust);
+}
+
typedef struct {
PermCertCallback certfunc;
NSSLOWCERTCertDBHandle *handle;
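Review bot: DecodeTrustEntry ignores the result of `SECITEM_CopyItem(NULL, &trust->dbKey , dbKey);`, and `trust` comes from PORT_Alloc, so it is not zeroed. If the copy fails, the function still returns a trust object whose `dbKey` is not a usable copy, and pk11_searchCertsAndTrust later builds an object handle from `&trust->dbKey`. Check the result and fail cleanly: `if (SECITEM_CopyItem(NULL, &trust->dbKey, dbKey) != SECSuccess) { PORT_Free(trust); return NULL; }`. FindTrustByKey already destroys `entry` when it gets NULL back, so this path would not leak the entry.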
@@ -4043,6 +4068,11 @@ nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *dbhandle,
SECStatus ret;
nsslowcert_LockDB(dbhandle);
+ rv = db_BeginTransaction(dbhandle->permCertDB);
+ if (rv != SECSuccess) {
+ nsslowcert_UnlockDB(dbhandle);
+ return SECFailure;
+ }
PORT_Assert(!cert->dbEntry);
@@ -4070,6 +4100,7 @@ nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *dbhandle,
ret = SECSuccess;
done:
+ db_FinishTransaction(dbhandle->permCertDB, ret != SECSuccess);
nsslowcert_UnlockDB(dbhandle);
return(ret);
}
@@ -4148,6 +4179,12 @@ FindCertByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey, PRBool lockdb)
cert = DecodeACert(handle, entry);
loser:
+ if (cert == NULL) {
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ }
+
if ( locked ) {
nsslowcert_UnlockDB(handle);
}
@@ -4160,6 +4197,70 @@ loser:
}
/*
+ * Lookup a certificate in the databases.
+ */
+static NSSLOWCERTTrust *
+FindTrustByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey, PRBool lockdb)
+{
+ SECItem keyitem;
+ DBT key;
+ SECStatus rv;
+ NSSLOWCERTTrust *trust = NULL;
+ PRArenaPool *arena = NULL;
+ certDBEntryCert *entry;
+ PRBool locked = PR_FALSE;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if ( arena == NULL ) {
+ goto loser;
+ }
+
+ rv = EncodeDBCertKey(certKey, arena, &keyitem);
+ if ( rv != SECSuccess ) {
+ goto loser;
+ }
+
+ key.data = keyitem.data;
+ key.size = keyitem.len;
+
+ if ( lockdb ) {
+ locked = PR_TRUE;
+ nsslowcert_LockDB(handle);
+ }
+
+ /* find in perm database */
+ entry = ReadDBCertEntry(handle, certKey);
+
+ if ( entry == NULL ) {
+ goto loser;
+ }
+
+ if (!nsslowcert_hasTrust(&entry->trust)) {
+ goto loser;
+ }
+
+ /* inherit entry */
+ trust = DecodeTrustEntry(handle, entry, certKey);
+
+loser:
+ if (trust == NULL) {
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ }
+
+ if ( locked ) {
+ nsslowcert_UnlockDB(handle);
+ }
+
+ if ( arena ) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return(trust);
+}
+
+/*
* Lookup a certificate in the databases without locking
*/
NSSLOWCERTCertificate *
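Review bot: In FindTrustByKey, `entry` is declared without an initializer, but both early `goto loser` paths (arena allocation failure and EncodeDBCertKey failure) reach `if (entry)` in the cleanup and can hand an indeterminate pointer to DestroyDBEntry. Declare it as `certDBEntryCert *entry = NULL;`. The same cleanup was added to FindCertByKey in the preceding hunk; its declaration of `entry` is outside that hunk, so confirm it is initialised there too. Separately, `key` is filled in from `keyitem` but never used, since ReadDBCertEntry is passed `certKey`, and the header comment still says "Lookup a certificate" for a function that returns a trust object.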
@@ -4169,6 +4270,15 @@ nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey)
}
/*
+ * Lookup a trust object in the databases without locking
+ */
+NSSLOWCERTTrust *
+nsslowcert_FindTrustByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey)
+{
+ return(FindTrustByKey(handle, certKey, PR_FALSE));
+}
+
+/*
* Generate a key from an issuerAndSerialNumber, and find the
* associated cert in the database.
*/
@@ -4251,6 +4361,94 @@ nsslowcert_FindCertByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssue
}
/*
+ * Generate a key from an issuerAndSerialNumber, and find the
+ * associated cert in the database.
+ */
+NSSLOWCERTTrust *
+nsslowcert_FindTrustByIssuerAndSN(NSSLOWCERTCertDBHandle *handle,
+ NSSLOWCERTIssuerAndSN *issuerAndSN)
+{
+ SECItem certKey;
+ SECItem *sn = &issuerAndSN->serialNumber;
+ SECItem *issuer = &issuerAndSN->derIssuer;
+ NSSLOWCERTTrust *trust;
+ int data_left = sn->len-1;
+ int data_len = sn->len;
+ int index = 0;
+
+ /* automatically detect DER encoded serial numbers and remove the der
+ * encoding since the database expects unencoded data.
+ * if it's DER encoded, there must be at least 3 bytes, tag, len, data */
+ if ((sn->len >= 3) && (sn->data[0] == 0x2)) {
+ /* remove the der encoding of the serial number before generating the
+ * key.. */
+ data_left = sn->len-2;
+ data_len = sn->data[1];
+ index = 2;
+
+ /* extended length ? (not very likely for a serial number) */
+ if (data_len & 0x80) {
+ int len_count = data_len & 0x7f;
+
+ data_len = 0;
+ data_left -= len_count;
+ if (data_left > 0) {
+ while (len_count --) {
+ data_len = (data_len << 8) | sn->data[index++];
+ }
+ }
+ }
+ /* XXX leaving any leading zeros on the serial number for backwards
+ * compatibility
+ */
+ /* not a valid der, must be just an unlucky serial number value */
+ if (data_len != data_left) {
+ data_len = sn->len;
+ index = 0;
+ }
+ }
+
+ certKey.data = (unsigned char*)PORT_Alloc(sn->len + issuer->len);
+ certKey.len = data_len + issuer->len;
+
+ if ( certKey.data == NULL ) {
+ return(0);
+ }
+
+ /* first try the serial number as hand-decoded above*/
+ /* copy the serialNumber */
+ PORT_Memcpy(certKey.data, &sn->data[index], data_len);
+
+ /* copy the issuer */
+ PORT_Memcpy( &certKey.data[data_len],issuer->data,issuer->len);
+
+ trust = nsslowcert_FindTrustByKey(handle, &certKey);
+ if (trust) {
+ PORT_Free(certKey.data);
+ return (trust);
+ }
+
+ if (index == 0) {
+ PORT_Free(certKey.data);
+ return NULL;
+ }
+
+ /* didn't find it, try by der encoded serial number */
+ /* copy the serialNumber */
+ PORT_Memcpy(certKey.data, sn->data, sn->len);
+
+ /* copy the issuer */
+ PORT_Memcpy( &certKey.data[sn->len], issuer->data, issuer->len);
+ certKey.len = sn->len + issuer->len;
+
+ trust = nsslowcert_FindTrustByKey(handle, &certKey);
+
+ PORT_Free(certKey.data);
+
+ return(trust);
+}
+
+/*
* look for the given DER certificate in the database
*/
NSSLOWCERTCertificate *
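Review bot: The long-form length branch in nsslowcert_FindTrustByIssuerAndSN does not bound `len_count`, which can be as large as 127, so `data_len = (data_len << 8) | sn->data[index++];` can overflow the signed `int` on a long enough serial-number item. The `data_len != data_left` sanity check that follows then runs on an undefined value. Limiting the loop, for example `if (data_left > 0 && len_count <= 3) {`, keeps `data_len` in range and lets longer encodings fall through to the existing "not a valid der" fallback. The body looks like a copy of nsslowcert_FindCertByIssuerAndSN (named in the hunk header), so the same check probably applies there, and a shared static helper that builds `certKey` would keep the parsing in one place. The header comment should say "associated trust", not "associated cert".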
@@ -4330,6 +4528,22 @@ DestroyCertificate(NSSLOWCERTCertificate *cert, PRBool lockdb)
}
void
+nsslowcert_DestroyTrust(NSSLOWCERTTrust *trust)
+{
+ certDBEntryCert *entry = trust->dbEntry;
+
+ if ( entry ) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ if (trust->dbKey.data) {
+ PORT_Free(trust->dbKey.data);
+ }
+ PORT_Free(trust);
+
+ return;
+}
+
+void
nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert)
{
DestroyCertificate(cert, PR_TRUE);
@@ -4407,6 +4621,10 @@ nsslowcert_AddCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl,
certDBEntryRevocation *entry = NULL;
certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation
: certDBEntryTypeRevocation;
+ rv = db_BeginTransaction(handle->permCertDB);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
DeleteDBCrlEntry(handle, crlKey, crlType);
/* Write the new entry into the data base */
@@ -4420,6 +4638,7 @@ done:
if (entry) {
DestroyDBEntry((certDBEntry *)entry);
}
+ db_FinishTransaction(handle->permCertDB, rv != SECSuccess);
return rv;
}
@@ -4430,24 +4649,26 @@ nsslowcert_DeletePermCRL(NSSLOWCERTCertDBHandle *handle, SECItem *derName,
SECStatus rv;
certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation
: certDBEntryTypeRevocation;
+ rv = db_BeginTransaction(handle->permCertDB);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
rv = DeleteDBCrlEntry(handle, derName, crlType);
if (rv != SECSuccess) goto done;
done:
+ db_FinishTransaction(handle->permCertDB, rv != SECSuccess);
return rv;
}
PRBool
-nsslowcert_hasTrust(NSSLOWCERTCertificate *cert)
+nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust)
{
- NSSLOWCERTCertTrust *trust;
-
- if (cert->trust == NULL) {
+ if (trust == NULL) {
return PR_FALSE;
}
- trust = cert->trust;
return !((trust->sslFlags & CERTDB_TRUSTED_UNKNOWN) &&
(trust->emailFlags & CERTDB_TRUSTED_UNKNOWN) &&
(trust->objectSigningFlags & CERTDB_TRUSTED_UNKNOWN));
@@ -4465,6 +4686,11 @@ nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr,
certDBEntrySMime *entry = NULL;
SECStatus rv = SECFailure;;
+ rv = db_BeginTransaction(dbhandle->permCertDB);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
/* find our existing entry */
entry = nsslowcert_ReadDBSMimeEntry(dbhandle, emailAddr);
@@ -4511,6 +4737,7 @@ loser:
if ( entry ) {
DestroyDBEntry((certDBEntry *)entry);
}
+ db_FinishTransaction(dbhandle->permCertDB, rv != SECSuccess);
return(rv);
}
diff --git a/security/nss/lib/softoken/pcertt.h b/security/nss/lib/softoken/pcertt.h
index 0170de389..a3c50b25c 100644
--- a/security/nss/lib/softoken/pcertt.h
+++ b/security/nss/lib/softoken/pcertt.h
@@ -53,6 +53,7 @@
typedef struct NSSLOWCERTCertDBHandleStr NSSLOWCERTCertDBHandle;
typedef struct NSSLOWCERTCertKeyStr NSSLOWCERTCertKey;
+typedef struct NSSLOWCERTTrustStr NSSLOWCERTTrust;
typedef struct NSSLOWCERTCertTrustStr NSSLOWCERTCertTrust;
typedef struct NSSLOWCERTCertificateStr NSSLOWCERTCertificate;
typedef struct NSSLOWCERTCertificateListStr NSSLOWCERTCertificateList;
@@ -107,6 +108,17 @@ struct NSSLOWCERTCertTrustStr {
};
/*
+** PKCS11 Trust representation
+*/
+struct NSSLOWCERTTrustStr {
+ NSSLOWCERTCertDBHandle *dbhandle;
+ SECItem dbKey; /* database key for this cert */
+ certDBEntryCert *dbEntry; /* database entry struct */
+ NSSLOWCERTCertTrust *trust;
+ SECItem *derCert; /* original DER for the cert */
+};
+
+/*
** An X.509 certificate object (the unsigned form)
*/
struct NSSLOWCERTCertificateStr {
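Review bot: NSSLOWCERTTrustStr does not document which members the object owns. DecodeTrustEntry in pcertdb.c sets `trust` and `derCert` to `&entry->trust` and `&entry->derCert`, so both point into `dbEntry` and become dangling once nsslowcert_DestroyTrust frees it, while `dbKey` is a separate heap copy. I would add field comments such as `/* points into dbEntry; not separately freed */` on `trust` and `derCert`, and `/* heap copy, freed by nsslowcert_DestroyTrust */` on `dbKey`.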
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 639b651ae..6ab8fa7ad 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -3861,10 +3861,22 @@ pk11_searchCertsAndTrust(PK11Slot *slot, SECItem *derCert, SECItem *name,
pk11_cert_collect, &certData);
} else if ((issuerSN->derIssuer.data != NULL) &&
(issuerSN->serialNumber.data != NULL)) {
- NSSLOWCERTCertificate *cert =
+ if (classFlags & NSC_CERT) {
+ NSSLOWCERTCertificate *cert =
nsslowcert_FindCertByIssuerAndSN(certHandle,issuerSN);
- pk11_searchSingleCert(&certData,cert);
+ pk11_searchSingleCert(&certData,cert);
+ }
+ if (classFlags & NSC_TRUST) {
+ NSSLOWCERTTrust *trust =
+ nsslowcert_FindTrustByIssuerAndSN(certHandle, issuerSN);
+
+ if (trust) {
+ pk11_addHandle(handles,
+ pk11_mkHandle(slot,&trust->dbKey,PK11_TOKEN_TYPE_TRUST));
+ nsslowcert_DestroyTrust(trust);
+ }
+ }
} else if (email->data != NULL) {
char *tmp_name = (char*)PORT_Alloc(email->len+1);
certDBEntrySMime *entry = NULL;
@@ -3907,7 +3919,7 @@ pk11_searchCertsAndTrust(PK11Slot *slot, SECItem *derCert, SECItem *name,
pk11_addHandle(handles,
pk11_mkHandle(slot,&cert->certKey,PK11_TOKEN_TYPE_CERT));
}
- if ((classFlags & NSC_TRUST) && nsslowcert_hasTrust(cert)) {
+ if ((classFlags & NSC_TRUST) && nsslowcert_hasTrust(cert->trust)) {
pk11_addHandle(handles,
pk11_mkHandle(slot,&cert->certKey,PK11_TOKEN_TYPE_TRUST));
}
diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c
index 5e42975e0..f700f0a2a 100644
--- a/security/nss/lib/softoken/pkcs11u.c
+++ b/security/nss/lib/softoken/pkcs11u.c
@@ -389,20 +389,39 @@ static NSSLOWCERTCertificate *
pk11_getCert(PK11TokenObject *object)
{
NSSLOWCERTCertificate *cert;
+ CK_OBJECT_CLASS objClass = object->obj.objclass;
- if ((object->obj.objclass != CKO_CERTIFICATE) &&
- (object->obj.objclass != CKO_NETSCAPE_TRUST)) {
+ if ((objClass != CKO_CERTIFICATE) && (objClass != CKO_NETSCAPE_TRUST)) {
return NULL;
}
- if (object->obj.objectInfo) {
+ if (objClass == CKO_CERTIFICATE && object->obj.objectInfo) {
return (NSSLOWCERTCertificate *)object->obj.objectInfo;
}
cert = nsslowcert_FindCertByKey(object->obj.slot->certDB,&object->dbKey);
- object->obj.objectInfo = (void *)cert;
- object->obj.infoFree = (PK11Free) nsslowcert_DestroyCertificate ;
+ if (objClass == CKO_CERTIFICATE) {
+ object->obj.objectInfo = (void *)cert;
+ object->obj.infoFree = (PK11Free) nsslowcert_DestroyCertificate ;
+ }
return cert;
}
+static NSSLOWCERTTrust *
+pk11_getTrust(PK11TokenObject *object)
+{
+ NSSLOWCERTTrust *trust;
+
+ if (object->obj.objclass != CKO_NETSCAPE_TRUST) {
+ return NULL;
+ }
+ if (object->obj.objectInfo) {
+ return (NSSLOWCERTTrust *)object->obj.objectInfo;
+ }
+ trust = nsslowcert_FindTrustByKey(object->obj.slot->certDB,&object->dbKey);
+ object->obj.objectInfo = (void *)trust;
+ object->obj.infoFree = (PK11Free) nsslowcert_DestroyTrust ;
+ return trust;
+}
+
static NSSLOWKEYPublicKey *
pk11_GetPublicKey(PK11TokenObject *object)
{
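Review bot: For a CKO_NETSCAPE_TRUST object, pk11_getCert no longer stores the certificate it looks up in `object->obj.objectInfo`, so nothing registers `nsslowcert_DestroyCertificate` for it. For CKO_CERTIFICATE the caller still receives a pointer the object owns. The callers are outside this hunk; unless each of them destroys the returned cert in the trust case, every call leaks a decoded certificate, and a caller that destroys it unconditionally would free the cached one. A comment on pk11_getCert should state the contract, e.g. `/* CKO_NETSCAPE_TRUST: result is not cached; caller must call nsslowcert_DestroyCertificate */`, or the function could refuse trust objects now that pk11_getTrust exists.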
@@ -881,10 +900,8 @@ pk11_FindSMIMEAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type)
static PK11Attribute *
pk11_FindTrustAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type)
{
- NSSLOWCERTCertificate *cert;
+ NSSLOWCERTTrust *trust;
unsigned char hash[SHA1_LENGTH];
- SECItem *item;
- PK11Attribute *attr;
unsigned int trustFlags;
switch (type) {
@@ -897,38 +914,29 @@ pk11_FindTrustAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type)
default:
break;
}
- cert = pk11_getCert(object);
- if (cert == NULL) {
+ trust = pk11_getTrust(object);
+ if (trust == NULL) {
return NULL;
}
switch (type) {
case CKA_CERT_SHA1_HASH:
- SHA1_HashBuf(hash,cert->derCert.data,cert->derCert.len);
- return pk11_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
+ SHA1_HashBuf(hash,trust->derCert->data,trust->derCert->len);
+ return pk11_NewTokenAttribute(type, hash, SHA1_LENGTH, PR_TRUE);
case CKA_CERT_MD5_HASH:
- MD5_HashBuf(hash,cert->derCert.data,cert->derCert.len);
- return pk11_NewTokenAttribute(type,hash,MD5_LENGTH, PR_TRUE);
- case CKA_ISSUER:
- return pk11_NewTokenAttribute(type,cert->derIssuer.data,
- cert->derIssuer.len, PR_FALSE);
- case CKA_SERIAL_NUMBER:
- item = SEC_ASN1EncodeItem(NULL,NULL,cert,pk11_SerialTemplate);
- if (item == NULL) break;
- attr = pk11_NewTokenAttribute(type, item->data, item->len, PR_TRUE);
- SECITEM_FreeItem(item,PR_TRUE);
- return attr;
+ MD5_HashBuf(hash,trust->derCert->data,trust->derCert->len);
+ return pk11_NewTokenAttribute(type, hash, MD5_LENGTH, PR_TRUE);
case CKA_TRUST_CLIENT_AUTH:
- trustFlags = cert->trust->sslFlags & CERTDB_TRUSTED_CLIENT_CA ?
- cert->trust->sslFlags | CERTDB_TRUSTED_CA : 0 ;
+ trustFlags = trust->trust->sslFlags & CERTDB_TRUSTED_CLIENT_CA ?
+ trust->trust->sslFlags | CERTDB_TRUSTED_CA : 0 ;
goto trust;
case CKA_TRUST_SERVER_AUTH:
- trustFlags = cert->trust->sslFlags;
+ trustFlags = trust->trust->sslFlags;
goto trust;
case CKA_TRUST_EMAIL_PROTECTION:
- trustFlags = cert->trust->emailFlags;
+ trustFlags = trust->trust->emailFlags;
goto trust;
case CKA_TRUST_CODE_SIGNING:
- trustFlags = cert->trust->objectSigningFlags;
+ trustFlags = trust->trust->objectSigningFlags;
trust:
if (trustFlags & CERTDB_TRUSTED_CA ) {
return (PK11Attribute *)&pk11_StaticTrustedDelegatorAttr;
@@ -952,6 +960,28 @@ trust:
default:
break;
}
+
+#ifdef notdef
+ switch (type) {
+ case CKA_ISSUER:
+ cert = pk11_getCertObject(object);
+ if (cert == NULL) break;
+ attr = pk11_NewTokenAttribute(type,cert->derIssuer.data,
+ cert->derIssuer.len, PR_FALSE);
+
+ case CKA_SERIAL_NUMBER:
+ cert = pk11_getCertObject(object);
+ if (cert == NULL) break;
+ item = SEC_ASN1EncodeItem(NULL,NULL,cert,pk11_SerialTemplate);
+ if (item == NULL) break;
+ attr = pk11_NewTokenAttribute(type, item->data, item->len, PR_TRUE);
+ SECITEM_FreeItem(item,PR_TRUE);
+ }
+ if (cert) {
+ NSSLOWCERTDestroyCertificate(cert);
+ return attr;
+ }
+#endif
return NULL;
}
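Review bot: The `#ifdef notdef` block added to pk11_FindTrustAttribute is dead code that would be wrong if it were enabled. `case CKA_ISSUER` has no `break` before `case CKA_SERIAL_NUMBER`, so the issuer attribute would be overwritten and lost. The block also uses `cert`, `item` and `attr`, whose declarations the previous hunk removes. As far as the visible hunks show, trust objects now return NULL for CKA_ISSUER and CKA_SERIAL_NUMBER, which changes behaviour for anything that matches trust objects by issuer and serial. I would drop the disabled block and leave a comment such as `/* TODO: CKA_ISSUER and CKA_SERIAL_NUMBER are not served for trust objects yet */`, or restore the two attributes from the entry's DER certificate.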
@@ -1180,7 +1210,6 @@ pk11_Attribute2SSecItem(PLArenaPool *arena,SECItem *item,PK11Object *object,
CK_ATTRIBUTE_TYPE type)
{
PK11Attribute *attribute;
- unsigned char *start;
item->data = NULL;