authorrelyea%netscape.com <devnull@localhost>2002-03-07 23:21:39 +0000
committerrelyea%netscape.com <devnull@localhost>2002-03-07 23:21:39 +0000
commit210f05bc8f288604a22abad3d2d861f4d9d39874 (patch)
treee7715b3ed38d798584eadeeab773392632dd5480 /security/nss
parent08be8afaa6ae51ec220dcd922fd114ebc4ba1771 (diff)
downloadnss-hg-210f05bc8f288604a22abad3d2d861f4d9d39874.tar.gz
Cache whether there are no CRL's and Trust objects on removable HW tokens
Diffstat (limited to 'security/nss')
-rw-r--r--security/nss/lib/dev/dev.h24
-rw-r--r--security/nss/lib/dev/devobject.c59
-rw-r--r--security/nss/lib/dev/devt.h2
-rw-r--r--security/nss/lib/dev/devtoken.c21
-rw-r--r--security/nss/lib/pk11wrap/pk11cert.c7
-rw-r--r--security/nss/lib/pki/pki3hack.c3
6 files changed, 116 insertions, 0 deletions
diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h
index 56220718b..65dee8d63 100644
--- a/security/nss/lib/dev/dev.h
+++ b/security/nss/lib/dev/dev.h
@@ -281,6 +281,30 @@ nssToken_ImportTrust
PRBool asTokenObject
);
+NSS_EXTERN PRStatus
+nssToken_SetTrustCache
+(
+ NSSToken *tok
+);
+
+NSS_EXTERN PRStatus
+nssToken_SetCrlCache
+(
+ NSSToken *tok
+);
+
+NSS_EXTERN PRBool
+nssToken_HasCrls
+(
+ NSSToken *tok
+);
+
+NSS_EXTERN PRStatus
+nssToken_SetHasCrls
+(
+ NSSToken *tok
+);
+
NSS_EXTERN NSSPublicKey *
nssToken_GenerateKeyPair
(
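Review bot: The four new prototypes carry no comments, and the names do not say what each one does: nssToken_SetTrustCache and nssToken_SetCrlCache search the token and record the result, while nssToken_SetHasCrls only clears a flag. A one-line comment on each would help, e.g. `/* search the token once and record whether it holds no trust objects */` above nssToken_SetTrustCache and `/* mark the token as possibly holding CRLs; called after a CRL is written */` above nssToken_SetHasCrls. There is also no nssToken_HasTrust accessor to match nssToken_HasCrls; get_cert_trust_handle in devobject.c reads `token->hasNoTrust` directly.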
diff --git a/security/nss/lib/dev/devobject.c b/security/nss/lib/dev/devobject.c
index 51515cd4f..06150df50 100644
--- a/security/nss/lib/dev/devobject.c
+++ b/security/nss/lib/dev/devobject.c
@@ -916,11 +916,66 @@ nssToken_ImportTrust
/* XXX Fix this! */
nssListIterator_Destroy(trust->object.instances);
trust->object.instances = nssList_CreateIterator(trust->object.instanceList);
+ tok->hasNoTrust = PR_FALSE;
return PR_SUCCESS;
}
return PR_FAILURE;
}
+NSS_IMPLEMENT PRStatus
+nssToken_SetTrustCache
+(
+ NSSToken *token
+)
+{
+ CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
+ CK_ATTRIBUTE_PTR attr;
+ CK_ATTRIBUTE tobj_template[2];
+ CK_ULONG tobj_size;
+ CK_OBJECT_HANDLE obj;
+ nssSession *session = token->defaultSession;
+
+ NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
+ NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc);
+ NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+ NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
+
+ obj = find_object_by_template(token, session,
+ tobj_template, tobj_size);
+ token->hasNoTrust = PR_FALSE;
+ if (obj == CK_INVALID_HANDLE) {
+ token->hasNoTrust = PR_TRUE;
+ }
+ return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_SetCrlCache
+(
+ NSSToken *token
+)
+{
+ CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_CRL;
+ CK_ATTRIBUTE_PTR attr;
+ CK_ATTRIBUTE tobj_template[2];
+ CK_ULONG tobj_size;
+ CK_OBJECT_HANDLE obj;
+ nssSession *session = token->defaultSession;
+
+ NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
+ NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc);
+ NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+ NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
+
+ obj = find_object_by_template(token, session,
+ tobj_template, tobj_size);
+ token->hasNoCrls = PR_TRUE;
+ if (obj == CK_INVALID_HANDLE) {
+ token->hasNoCrls = PR_TRUE;
+ }
+ return PR_SUCCESS;
+}
+
static CK_OBJECT_HANDLE
get_cert_trust_handle
(
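Review bot: In nssToken_SetCrlCache the flag is set with `token->hasNoCrls = PR_TRUE;` before the handle check, so both paths leave it PR_TRUE and the search result is discarded. nssToken_SetTrustCache just above uses PR_FALSE at the same point, so that line should read `token->hasNoCrls = PR_FALSE;`. As written, every token that passes through nssToken_LoadCerts is marked as holding no CRLs, and the new skip in PK11_FindCrlByName passes over it until PK11_PutCrl clears the flag, so CRLs already stored on the token would not be consulted for revocation. Both functions also treat any CK_INVALID_HANDLE from find_object_by_template as "no objects". If that helper can return it on a session or token error (not visible here), a failure gets cached as absence, so returning PR_FAILURE and leaving the flag PR_FALSE would be the safer behaviour.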
@@ -936,6 +991,10 @@ get_cert_trust_handle
CK_ULONG tobj_size;
PRUint8 sha1[20]; /* this is cheating... */
NSSItem sha1_result;
+
+ if (token->hasNoTrust) {
+ return CK_INVALID_HANDLE;
+ }
sha1_result.data = sha1; sha1_result.size = sizeof sha1;
sha1_hash(&c->encoding, &sha1_result);
NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
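Review bot: The early return on `token->hasNoTrust` makes every trust lookup depend on a flag that, in this diff, is only recomputed by nssToken_SetTrustCache (called from nssToken_LoadCerts) and cleared by nssToken_ImportTrust. On a removable token a stale PR_TRUE would hide whatever trust records a re-inserted or swapped token carries, presumably including ones that mark a certificate as not trusted, unless the insertion path recomputes the flag, which is not visible here. I would add a comment above the check such as `/* negative cache: must be recomputed whenever the token is (re)inserted */` and confirm that the insertion path re-runs nssToken_SetTrustCache. The body of get_cert_trust_handle starts before and continues after this hunk.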
diff --git a/security/nss/lib/dev/devt.h b/security/nss/lib/dev/devt.h
index 5860e5907..ef031524b 100644
--- a/security/nss/lib/dev/devt.h
+++ b/security/nss/lib/dev/devt.h
@@ -132,6 +132,8 @@ struct NSSTokenStr
nssSession *defaultSession;
NSSTrustDomain *trustDomain;
PRIntervalTime lastTime;
+ PRBool hasNoTrust;
+ PRBool hasNoCrls;
#ifdef NSS_3_4_CODE
PK11SlotInfo *pk11slot;
nssList *certList; /* local cache of certs for slow tokens */
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
index ae26e3fb4..b3b168a5f 100644
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -134,6 +134,8 @@ nssToken_Create
rvToken->name = tokenName;
rvToken->ckFlags = tokenInfo.flags;
rvToken->defaultSession = session;
+ rvToken->hasNoTrust = PR_FALSE;
+ rvToken->hasNoCrls = PR_FALSE;
if (mark) {
nssrv = nssArena_Unmark(arena, mark);
if (nssrv != PR_SUCCESS) {
@@ -279,6 +281,25 @@ nssToken_IsPresent
}
}
+NSS_IMPLEMENT PRBool
+nssToken_HasCrls
+(
+ NSSToken *tok
+)
+{
+ return !tok->hasNoCrls;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_SetHasCrls
+(
+ NSSToken *tok
+)
+{
+ tok->hasNoCrls = PR_FALSE;
+ return PR_SUCCESS;
+}
+
NSS_IMPLEMENT NSSItem *
nssToken_Digest
(
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
index 42c7d4c4e..9611ff06f 100644
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -3710,6 +3710,9 @@ PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *crlHandle,
/* loop through all the fortezza tokens */
for (le = list->head; le; le = le->next) {
+ if (le->slot->nssToken && !nssToken_HasCrls(le->slot->nssToken)) {
+ continue;
+ }
crlh = pk11_FindObjectByTemplate(le->slot,theTemplate,tsize);
if (crlh != CK_INVALID_HANDLE) {
*slot = PK11_ReferenceSlot(le->slot);
@@ -3806,6 +3809,10 @@ PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name,
}
PK11_RestoreROSession(slot,rwsession);
+
+ if (slot->nssToken) {
+ nssToken_SetHasCrls(slot->nssToken);
+ }
return crlh;
}
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
index 00831c386..6752281f8 100644
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -264,6 +264,9 @@ nssToken_LoadCerts(NSSToken *token)
}
/* ignore the rv, just work without the list */
(void)nssToken_TraverseCertificates(token, NULL, &search);
+ (void)nssToken_SetTrustCache(token);
+ (void)nssToken_SetCrlCache(token);
+
/* even if there are no certs, leave a valid list pointer should
* any be imported. Having the pointer will also prevent searches,
* see below.