Diffstat (limited to 'security/nss/lib/pki/certificate.c')
-rw-r--r--security/nss/lib/pki/certificate.c22
1 files changed, 21 insertions, 1 deletions
diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/certificate.c
index c4ef4fb3f..4761948f1 100644
--- a/security/nss/lib/pki/certificate.c
+++ b/security/nss/lib/pki/certificate.c
@@ -53,6 +53,8 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
#ifdef NSS_3_4_CODE
#include "pki3hack.h"
+#include "pk11func.h"
+#include "hasht.h"
#endif
#ifndef BASE_H
@@ -950,15 +952,20 @@ nssCertificateList_AddReferences
NSS_IMPLEMENT NSSTrust *
nssTrust_Create
(
- nssPKIObject *object
+ nssPKIObject *object,
+ NSSItem *certData
)
{
PRStatus status;
PRUint32 i;
PRUint32 lastTrustOrder, myTrustOrder;
+ unsigned char sha1_hashcmp[SHA1_LENGTH];
+ unsigned char sha1_hashin[SHA1_LENGTH];
+ NSSItem sha1_hash;
NSSTrust *rvt;
nssCryptokiObject *instance;
nssTrustLevel serverAuth, clientAuth, codeSigning, emailProtection;
+ SECStatus rv; /* Should be stan flavor */
lastTrustOrder = 1<<16; /* just make it big */
PR_ASSERT(object->instances != NULL && object->numInstances > 0);
rvt = nss_ZNEW(object->arena, NSSTrust);
@@ -966,12 +973,21 @@ nssTrust_Create
return (NSSTrust *)NULL;
}
rvt->object = *object;
+
+ /* should be stan flavor of Hashbuf */
+ rv = PK11_HashBuf(SEC_OID_SHA1,sha1_hashcmp,certData->data,certData->size);
+ if (rv != SECSuccess) {
+ return (NSSTrust *)NULL;
+ }
+ sha1_hash.data = sha1_hashin;
+ sha1_hash.size = sizeof (sha1_hashin);
/* trust has to peek into the base object members */
PZ_Lock(object->lock);
for (i=0; i<object->numInstances; i++) {
instance = object->instances[i];
myTrustOrder = nssToken_GetTrustOrder(instance->token);
status = nssCryptokiTrust_GetAttributes(instance, NULL,
+ &sha1_hash,
&serverAuth,
&clientAuth,
&codeSigning,
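Review bot: The new `certData` parameter is dereferenced at the `PK11_HashBuf` call (`certData->data`, `certData->size`) with no check, whereas `object` at least gets a `PR_ASSERT` earlier in the function. Because the signature changed, any caller that cannot supply the certificate encoding will now fault here, so a guard such as `if (certData == NULL || certData->data == NULL) return (NSSTrust *)NULL;` ahead of the hash would be safer. The hash is also computed after `rvt` has been allocated from `object->arena`, so the new failure return leaves that allocation behind in the arena; hashing before `nss_ZNEW` avoids this. The function body starts and ends outside this hunk.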
@@ -980,6 +996,10 @@ nssTrust_Create
PZ_Unlock(object->lock);
return (NSSTrust *)NULL;
}
+ if (PORT_Memcmp(sha1_hashin,sha1_hashcmp,SHA1_LENGTH) != 0) {
+ PZ_Unlock(object->lock);
+ return (NSSTrust *)NULL;
+ }
if (rvt->serverAuth == nssTrustLevel_Unknown ||
myTrustOrder < lastTrustOrder)
{
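Review bot: The `PORT_Memcmp` check always reads `SHA1_LENGTH` bytes of `sha1_hashin`, but nothing on this page shows that `nssCryptokiTrust_GetAttributes` filled all of them. The buffer is never initialized, and `sha1_hash.size` is set once before the loop and never inspected afterwards. If a token's trust object carries no hash or a shorter one (an assumption, since the helper is not visible here), the comparison runs over stack residue and the trust decision becomes unpredictable. I would reset `sha1_hash.size = sizeof(sha1_hashin);` at the top of each iteration and reject with `if (sha1_hash.size != SHA1_LENGTH || PORT_Memcmp(sha1_hashin, sha1_hashcmp, SHA1_LENGTH) != 0)`, with an explicit, documented decision for the missing-hash case. A mismatch on any one instance also abandons trust from every token rather than skipping that instance, which deserves a comment saying it is intended; the loop continues outside this hunk.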