diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/nss/lib/softoken/cdbhdl.h | 2 | ||||
-rw-r--r-- | security/nss/lib/softoken/dbinit.c | 36 | ||||
-rw-r--r-- | security/nss/lib/softoken/keydb.c | 12 | ||||
-rw-r--r-- | security/nss/lib/softoken/pcert.h | 23 | ||||
-rw-r--r-- | security/nss/lib/softoken/pcertdb.c | 237 | ||||
-rw-r--r-- | security/nss/lib/softoken/pcertt.h | 12 | ||||
-rw-r--r-- | security/nss/lib/softoken/pkcs11.c | 18 | ||||
-rw-r--r-- | security/nss/lib/softoken/pkcs11u.c | 87 |
8 files changed, 387 insertions, 40 deletions
diff --git a/security/nss/lib/softoken/cdbhdl.h b/security/nss/lib/softoken/cdbhdl.h index f52712422..ba2f9fa7c 100644 --- a/security/nss/lib/softoken/cdbhdl.h +++ b/security/nss/lib/softoken/cdbhdl.h @@ -68,4 +68,6 @@ DB * rdbopen(const char *appName, const char *prefix, const char *type, int flags); SECStatus db_Copy(DB *dest,DB *src); +int db_BeginTransaction(DB *db); +int db_FinishTransaction(DB *db, PRBool abort); #endif diff --git a/security/nss/lib/softoken/dbinit.c b/security/nss/lib/softoken/dbinit.c index 87098dc0a..115a581ad 100644 --- a/security/nss/lib/softoken/dbinit.c +++ b/security/nss/lib/softoken/dbinit.c @@ -256,6 +256,7 @@ pk11_DBShutdown(NSSLOWCERTCertDBHandle *certHandle, } static rdbfunc pk11_rdbfunc; +static void *pk11_tnx; /* NOTE: SHLIB_SUFFIX is defined on the command line */ #define RDBLIB "rdb."SHLIB_SUFFIX @@ -283,7 +284,8 @@ DB * rdbopen(const char *appName, const char *prefix, /* get the entry point */ pk11_rdbfunc = (rdbfunc) PR_FindSymbol(lib,"rdbopen"); if (pk11_rdbfunc) { - return (*pk11_rdbfunc)(appName,prefix,type,flags); + db = (*pk11_rdbfunc)(appName,prefix,type,flags); + return db; } /* couldn't find the entry point, unload the library and fail */ @@ -291,6 +293,38 @@ DB * rdbopen(const char *appName, const char *prefix, return NULL; } +struct RDBStr { + DB db; + int (*xactstart)(DB *db); + int (*xactdone)(DB *db, PRBool abort); +}; + +#define DB_RDB ((DBTYPE) 0xff) + +int +db_BeginTransaction(DB *db) +{ + RDB *rdb = (RDB *)db; + if (db->type != DB_RDB) { + return 0; + } + + return rdb->xactstart(db); +} + +int +db_FinishTransaction(DB *db, PRBool abort) +{ + RDB *rdb = (RDB *)db; + if (db->type != DB_RDB) { + return 0; + } + + return rdb->xactdone(db, abort); +} + + + SECStatus db_Copy(DB *dest,DB *src) { diff --git a/security/nss/lib/softoken/keydb.c b/security/nss/lib/softoken/keydb.c index dc58a402d..17d76acb7 100644 --- a/security/nss/lib/softoken/keydb.c +++ b/security/nss/lib/softoken/keydb.c @@ -2255,6 +2255,11 @@ ChangeKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle, return(SECFailure); } keylist.head = NULL; + + rv = db_BeginTransaction(handle->db); + if (rv != SECSuccess) { + goto loser; + } /* TNH - TraverseKeys should not be public, since it exposes the underlying DBT data type. */ @@ -2299,7 +2304,10 @@ ChangeKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle, newkey.size = privkey->u.dh.publicValue.len; break; default: - return SECFailure; + /* should we continue here and loose the key? */ + PORT_SetError(SEC_ERROR_BAD_DATABASE); + rv = SECFailure; + goto loser; } rv = seckey_put_private_key(handle, &newkey, newpwitem, privkey, @@ -2320,6 +2328,8 @@ ChangeKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle, loser: + db_FinishTransaction(handle->db,rv == SECSuccess); + /* free the arena */ if ( keylist.arena ) { PORT_FreeArena(keylist.arena, PR_FALSE); diff --git a/security/nss/lib/softoken/pcert.h b/security/nss/lib/softoken/pcert.h index c1d9b3128..aa2c6ea3b 100644 --- a/security/nss/lib/softoken/pcert.h +++ b/security/nss/lib/softoken/pcert.h @@ -49,6 +49,8 @@ SEC_BEGIN_PROTOS SECStatus nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTCertificate *cert, char *nickname, NSSLOWCERTCertTrust *trust); +SECStatus nsslowcert_AddPermNickname(NSSLOWCERTCertDBHandle *dbhandle, + NSSLOWCERTCertificate *cert, char *nickname); SECStatus nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert); @@ -88,6 +90,7 @@ nsslowcert_NewTempCertificate(NSSLOWCERTCertDBHandle *handle, SECItem *derCert, NSSLOWCERTCertificate * nsslowcert_DupCertificate(NSSLOWCERTCertificate *cert); void nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert); +void nsslowcert_DestroyTrust(NSSLOWCERTTrust *Trust); /* * Lookup a certificate in the databases without locking @@ -100,6 +103,16 @@ NSSLOWCERTCertificate * nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey); /* + * Lookup trust for a certificate in the databases without locking + * "certKey" is the database key to look for + * + * XXX - this should be internal, but pkcs 11 needs to call it during a + * traversal. + */ +NSSLOWCERTTrust * +nsslowcert_FindTrustByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey); + +/* ** Generate a certificate key from the issuer and serialnumber, then look it ** up in the database. Return the cert if found. ** "issuerAndSN" is the issuer and serial number to look for @@ -108,6 +121,14 @@ extern NSSLOWCERTCertificate * nsslowcert_FindCertByIssuerAndSN (NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN); /* +** Generate a certificate key from the issuer and serialnumber, then look it +** up in the database. Return the cert if found. +** "issuerAndSN" is the issuer and serial number to look for +*/ +extern NSSLOWCERTTrust * +nsslowcert_FindTrustByIssuerAndSN (NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN); + +/* ** Find a certificate in the database by a DER encoded certificate ** "derCert" is the DER encoded certificate */ @@ -189,7 +210,7 @@ nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust); PRBool -nsslowcert_hasTrust(NSSLOWCERTCertificate *cert); +nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust); void nsslowcert_DestroyGlobalLocks(void); diff --git a/security/nss/lib/softoken/pcertdb.c b/security/nss/lib/softoken/pcertdb.c index bd50e00e1..4e0d6b46a 100644 --- a/security/nss/lib/softoken/pcertdb.c +++ b/security/nss/lib/softoken/pcertdb.c @@ -3749,6 +3749,7 @@ DeletePermCert(NSSLOWCERTCertificate *cert) rv = RemovePermSubjectNode(cert); + return(ret); } @@ -3761,6 +3762,11 @@ nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert) SECStatus rv; nsslowcert_LockDB(cert->dbhandle); + + rv = db_BeginTransaction(cert->dbhandle->permCertDB); + if ( rv != SECSuccess ) { + goto loser; + } /* delete the records from the permanent database */ rv = DeletePermCert(cert); @@ -3769,6 +3775,9 @@ nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert) cert->dbEntry = NULL; cert->trust = NULL; + db_FinishTransaction(cert->dbhandle->permCertDB,rv != SECSuccess); +loser: + nsslowcert_UnlockDB(cert->dbhandle); return(rv); } @@ -3848,6 +3857,22 @@ loser: return(0); } +static NSSLOWCERTTrust * +DecodeTrustEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry, SECItem *dbKey) +{ + NSSLOWCERTTrust *trust = PORT_Alloc(sizeof(NSSLOWCERTTrust)); + if (trust == NULL) { + return trust; + } + trust->dbhandle = handle; + trust->dbEntry = entry; + SECITEM_CopyItem(NULL, &trust->dbKey , dbKey); + trust->trust = &entry->trust; + trust->derCert = &entry->derCert; + + return(trust); +} + typedef struct { PermCertCallback certfunc; NSSLOWCERTCertDBHandle *handle; @@ -4043,6 +4068,11 @@ nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *dbhandle, SECStatus ret; nsslowcert_LockDB(dbhandle); + rv = db_BeginTransaction(dbhandle->permCertDB); + if (rv != SECSuccess) { + nsslowcert_UnlockDB(dbhandle); + return SECFailure; + } PORT_Assert(!cert->dbEntry); @@ -4070,6 +4100,7 @@ nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *dbhandle, ret = SECSuccess; done: + db_FinishTransaction(dbhandle->permCertDB, ret != SECSuccess); nsslowcert_UnlockDB(dbhandle); return(ret); } @@ -4148,6 +4179,12 @@ FindCertByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey, PRBool lockdb) cert = DecodeACert(handle, entry); loser: + if (cert == NULL) { + if (entry) { + DestroyDBEntry((certDBEntry *)entry); + } + } + if ( locked ) { nsslowcert_UnlockDB(handle); } @@ -4160,6 +4197,70 @@ loser: } /* + * Lookup a certificate in the databases. + */ +static NSSLOWCERTTrust * +FindTrustByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey, PRBool lockdb) +{ + SECItem keyitem; + DBT key; + SECStatus rv; + NSSLOWCERTTrust *trust = NULL; + PRArenaPool *arena = NULL; + certDBEntryCert *entry; + PRBool locked = PR_FALSE; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if ( arena == NULL ) { + goto loser; + } + + rv = EncodeDBCertKey(certKey, arena, &keyitem); + if ( rv != SECSuccess ) { + goto loser; + } + + key.data = keyitem.data; + key.size = keyitem.len; + + if ( lockdb ) { + locked = PR_TRUE; + nsslowcert_LockDB(handle); + } + + /* find in perm database */ + entry = ReadDBCertEntry(handle, certKey); + + if ( entry == NULL ) { + goto loser; + } + + if (!nsslowcert_hasTrust(&entry->trust)) { + goto loser; + } + + /* inherit entry */ + trust = DecodeTrustEntry(handle, entry, certKey); + +loser: + if (trust == NULL) { + if (entry) { + DestroyDBEntry((certDBEntry *)entry); + } + } + + if ( locked ) { + nsslowcert_UnlockDB(handle); + } + + if ( arena ) { + PORT_FreeArena(arena, PR_FALSE); + } + + return(trust); +} + +/* * Lookup a certificate in the databases without locking */ NSSLOWCERTCertificate * @@ -4169,6 +4270,15 @@ nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey) } /* + * Lookup a trust object in the databases without locking + */ +NSSLOWCERTTrust * +nsslowcert_FindTrustByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey) +{ + return(FindTrustByKey(handle, certKey, PR_FALSE)); +} + +/* * Generate a key from an issuerAndSerialNumber, and find the * associated cert in the database. */ @@ -4251,6 +4361,94 @@ nsslowcert_FindCertByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssue } /* + * Generate a key from an issuerAndSerialNumber, and find the + * associated cert in the database. + */ +NSSLOWCERTTrust * +nsslowcert_FindTrustByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, + NSSLOWCERTIssuerAndSN *issuerAndSN) +{ + SECItem certKey; + SECItem *sn = &issuerAndSN->serialNumber; + SECItem *issuer = &issuerAndSN->derIssuer; + NSSLOWCERTTrust *trust; + int data_left = sn->len-1; + int data_len = sn->len; + int index = 0; + + /* automatically detect DER encoded serial numbers and remove the der + * encoding since the database expects unencoded data. + * if it's DER encoded, there must be at least 3 bytes, tag, len, data */ + if ((sn->len >= 3) && (sn->data[0] == 0x2)) { + /* remove the der encoding of the serial number before generating the + * key.. */ + data_left = sn->len-2; + data_len = sn->data[1]; + index = 2; + + /* extended length ? (not very likely for a serial number) */ + if (data_len & 0x80) { + int len_count = data_len & 0x7f; + + data_len = 0; + data_left -= len_count; + if (data_left > 0) { + while (len_count --) { + data_len = (data_len << 8) | sn->data[index++]; + } + } + } + /* XXX leaving any leading zeros on the serial number for backwards + * compatibility + */ + /* not a valid der, must be just an unlucky serial number value */ + if (data_len != data_left) { + data_len = sn->len; + index = 0; + } + } + + certKey.data = (unsigned char*)PORT_Alloc(sn->len + issuer->len); + certKey.len = data_len + issuer->len; + + if ( certKey.data == NULL ) { + return(0); + } + + /* first try the serial number as hand-decoded above*/ + /* copy the serialNumber */ + PORT_Memcpy(certKey.data, &sn->data[index], data_len); + + /* copy the issuer */ + PORT_Memcpy( &certKey.data[data_len],issuer->data,issuer->len); + + trust = nsslowcert_FindTrustByKey(handle, &certKey); + if (trust) { + PORT_Free(certKey.data); + return (trust); + } + + if (index == 0) { + PORT_Free(certKey.data); + return NULL; + } + + /* didn't find it, try by der encoded serial number */ + /* copy the serialNumber */ + PORT_Memcpy(certKey.data, sn->data, sn->len); + + /* copy the issuer */ + PORT_Memcpy( &certKey.data[sn->len], issuer->data, issuer->len); + certKey.len = sn->len + issuer->len; + + trust = nsslowcert_FindTrustByKey(handle, &certKey); + + PORT_Free(certKey.data); + + return(trust); +} + +/* * look for the given DER certificate in the database */ NSSLOWCERTCertificate * @@ -4330,6 +4528,22 @@ DestroyCertificate(NSSLOWCERTCertificate *cert, PRBool lockdb) } void +nsslowcert_DestroyTrust(NSSLOWCERTTrust *trust) +{ + certDBEntryCert *entry = trust->dbEntry; + + if ( entry ) { + DestroyDBEntry((certDBEntry *)entry); + } + if (trust->dbKey.data) { + PORT_Free(trust->dbKey.data); + } + PORT_Free(trust); + + return; +} + +void nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert) { DestroyCertificate(cert, PR_TRUE); @@ -4407,6 +4621,10 @@ nsslowcert_AddCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl, certDBEntryRevocation *entry = NULL; certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation : certDBEntryTypeRevocation; + rv = db_BeginTransaction(handle->permCertDB); + if (rv != SECSuccess) { + return SECFailure; + } DeleteDBCrlEntry(handle, crlKey, crlType); /* Write the new entry into the data base */ @@ -4420,6 +4638,7 @@ done: if (entry) { DestroyDBEntry((certDBEntry *)entry); } + db_FinishTransaction(handle->permCertDB, rv != SECSuccess); return rv; } @@ -4430,24 +4649,26 @@ nsslowcert_DeletePermCRL(NSSLOWCERTCertDBHandle *handle, SECItem *derName, SECStatus rv; certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation : certDBEntryTypeRevocation; + rv = db_BeginTransaction(handle->permCertDB); + if (rv != SECSuccess) { + return SECFailure; + } rv = DeleteDBCrlEntry(handle, derName, crlType); if (rv != SECSuccess) goto done; done: + db_FinishTransaction(handle->permCertDB, rv != SECSuccess); return rv; } PRBool -nsslowcert_hasTrust(NSSLOWCERTCertificate *cert) +nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust) { - NSSLOWCERTCertTrust *trust; - - if (cert->trust == NULL) { + if (trust == NULL) { return PR_FALSE; } - trust = cert->trust; return !((trust->sslFlags & CERTDB_TRUSTED_UNKNOWN) && (trust->emailFlags & CERTDB_TRUSTED_UNKNOWN) && (trust->objectSigningFlags & CERTDB_TRUSTED_UNKNOWN)); @@ -4465,6 +4686,11 @@ nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr, certDBEntrySMime *entry = NULL; SECStatus rv = SECFailure;; + rv = db_BeginTransaction(dbhandle->permCertDB); + if (rv != SECSuccess) { + return SECFailure; + } + /* find our existing entry */ entry = nsslowcert_ReadDBSMimeEntry(dbhandle, emailAddr); @@ -4511,6 +4737,7 @@ loser: if ( entry ) { DestroyDBEntry((certDBEntry *)entry); } + db_FinishTransaction(dbhandle->permCertDB, rv != SECSuccess); return(rv); } diff --git a/security/nss/lib/softoken/pcertt.h b/security/nss/lib/softoken/pcertt.h index 0170de389..a3c50b25c 100644 --- a/security/nss/lib/softoken/pcertt.h +++ b/security/nss/lib/softoken/pcertt.h @@ -53,6 +53,7 @@ typedef struct NSSLOWCERTCertDBHandleStr NSSLOWCERTCertDBHandle; typedef struct NSSLOWCERTCertKeyStr NSSLOWCERTCertKey; +typedef struct NSSLOWCERTTrustStr NSSLOWCERTTrust; typedef struct NSSLOWCERTCertTrustStr NSSLOWCERTCertTrust; typedef struct NSSLOWCERTCertificateStr NSSLOWCERTCertificate; typedef struct NSSLOWCERTCertificateListStr NSSLOWCERTCertificateList; @@ -107,6 +108,17 @@ struct NSSLOWCERTCertTrustStr { }; /* +** PKCS11 Trust representation +*/ +struct NSSLOWCERTTrustStr { + NSSLOWCERTCertDBHandle *dbhandle; + SECItem dbKey; /* database key for this cert */ + certDBEntryCert *dbEntry; /* database entry struct */ + NSSLOWCERTCertTrust *trust; + SECItem *derCert; /* original DER for the cert */ +}; + +/* ** An X.509 certificate object (the unsigned form) */ struct NSSLOWCERTCertificateStr { diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index 639b651ae..6ab8fa7ad 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -3861,10 +3861,22 @@ pk11_searchCertsAndTrust(PK11Slot *slot, SECItem *derCert, SECItem *name, pk11_cert_collect, &certData); } else if ((issuerSN->derIssuer.data != NULL) && (issuerSN->serialNumber.data != NULL)) { - NSSLOWCERTCertificate *cert = + if (classFlags & NSC_CERT) { + NSSLOWCERTCertificate *cert = nsslowcert_FindCertByIssuerAndSN(certHandle,issuerSN); - pk11_searchSingleCert(&certData,cert); + pk11_searchSingleCert(&certData,cert); + } + if (classFlags & NSC_TRUST) { + NSSLOWCERTTrust *trust = + nsslowcert_FindTrustByIssuerAndSN(certHandle, issuerSN); + + if (trust) { + pk11_addHandle(handles, + pk11_mkHandle(slot,&trust->dbKey,PK11_TOKEN_TYPE_TRUST)); + nsslowcert_DestroyTrust(trust); + } + } } else if (email->data != NULL) { char *tmp_name = (char*)PORT_Alloc(email->len+1); certDBEntrySMime *entry = NULL; @@ -3907,7 +3919,7 @@ pk11_searchCertsAndTrust(PK11Slot *slot, SECItem *derCert, SECItem *name, pk11_addHandle(handles, pk11_mkHandle(slot,&cert->certKey,PK11_TOKEN_TYPE_CERT)); } - if ((classFlags & NSC_TRUST) && nsslowcert_hasTrust(cert)) { + if ((classFlags & NSC_TRUST) && nsslowcert_hasTrust(cert->trust)) { pk11_addHandle(handles, pk11_mkHandle(slot,&cert->certKey,PK11_TOKEN_TYPE_TRUST)); } diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c index 5e42975e0..f700f0a2a 100644 --- a/security/nss/lib/softoken/pkcs11u.c +++ b/security/nss/lib/softoken/pkcs11u.c @@ -389,20 +389,39 @@ static NSSLOWCERTCertificate * pk11_getCert(PK11TokenObject *object) { NSSLOWCERTCertificate *cert; + CK_OBJECT_CLASS objClass = object->obj.objclass; - if ((object->obj.objclass != CKO_CERTIFICATE) && - (object->obj.objclass != CKO_NETSCAPE_TRUST)) { + if ((objClass != CKO_CERTIFICATE) && (objClass != CKO_NETSCAPE_TRUST)) { return NULL; } - if (object->obj.objectInfo) { + if (objClass == CKO_CERTIFICATE && object->obj.objectInfo) { return (NSSLOWCERTCertificate *)object->obj.objectInfo; } cert = nsslowcert_FindCertByKey(object->obj.slot->certDB,&object->dbKey); - object->obj.objectInfo = (void *)cert; - object->obj.infoFree = (PK11Free) nsslowcert_DestroyCertificate ; + if (objClass == CKO_CERTIFICATE) { + object->obj.objectInfo = (void *)cert; + object->obj.infoFree = (PK11Free) nsslowcert_DestroyCertificate ; + } return cert; } +static NSSLOWCERTTrust * +pk11_getTrust(PK11TokenObject *object) +{ + NSSLOWCERTTrust *trust; + + if (object->obj.objclass != CKO_NETSCAPE_TRUST) { + return NULL; + } + if (object->obj.objectInfo) { + return (NSSLOWCERTTrust *)object->obj.objectInfo; + } + trust = nsslowcert_FindTrustByKey(object->obj.slot->certDB,&object->dbKey); + object->obj.objectInfo = (void *)trust; + object->obj.infoFree = (PK11Free) nsslowcert_DestroyTrust ; + return trust; +} + static NSSLOWKEYPublicKey * pk11_GetPublicKey(PK11TokenObject *object) { @@ -881,10 +900,8 @@ pk11_FindSMIMEAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type) static PK11Attribute * pk11_FindTrustAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type) { - NSSLOWCERTCertificate *cert; + NSSLOWCERTTrust *trust; unsigned char hash[SHA1_LENGTH]; - SECItem *item; - PK11Attribute *attr; unsigned int trustFlags; switch (type) { @@ -897,38 +914,29 @@ pk11_FindTrustAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type) default: break; } - cert = pk11_getCert(object); - if (cert == NULL) { + trust = pk11_getTrust(object); + if (trust == NULL) { return NULL; } switch (type) { case CKA_CERT_SHA1_HASH: - SHA1_HashBuf(hash,cert->derCert.data,cert->derCert.len); - return pk11_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE); + SHA1_HashBuf(hash,trust->derCert->data,trust->derCert->len); + return pk11_NewTokenAttribute(type, hash, SHA1_LENGTH, PR_TRUE); case CKA_CERT_MD5_HASH: - MD5_HashBuf(hash,cert->derCert.data,cert->derCert.len); - return pk11_NewTokenAttribute(type,hash,MD5_LENGTH, PR_TRUE); - case CKA_ISSUER: - return pk11_NewTokenAttribute(type,cert->derIssuer.data, - cert->derIssuer.len, PR_FALSE); - case CKA_SERIAL_NUMBER: - item = SEC_ASN1EncodeItem(NULL,NULL,cert,pk11_SerialTemplate); - if (item == NULL) break; - attr = pk11_NewTokenAttribute(type, item->data, item->len, PR_TRUE); - SECITEM_FreeItem(item,PR_TRUE); - return attr; + MD5_HashBuf(hash,trust->derCert->data,trust->derCert->len); + return pk11_NewTokenAttribute(type, hash, MD5_LENGTH, PR_TRUE); case CKA_TRUST_CLIENT_AUTH: - trustFlags = cert->trust->sslFlags & CERTDB_TRUSTED_CLIENT_CA ? - cert->trust->sslFlags | CERTDB_TRUSTED_CA : 0 ; + trustFlags = trust->trust->sslFlags & CERTDB_TRUSTED_CLIENT_CA ? + trust->trust->sslFlags | CERTDB_TRUSTED_CA : 0 ; goto trust; case CKA_TRUST_SERVER_AUTH: - trustFlags = cert->trust->sslFlags; + trustFlags = trust->trust->sslFlags; goto trust; case CKA_TRUST_EMAIL_PROTECTION: - trustFlags = cert->trust->emailFlags; + trustFlags = trust->trust->emailFlags; goto trust; case CKA_TRUST_CODE_SIGNING: - trustFlags = cert->trust->objectSigningFlags; + trustFlags = trust->trust->objectSigningFlags; trust: if (trustFlags & CERTDB_TRUSTED_CA ) { return (PK11Attribute *)&pk11_StaticTrustedDelegatorAttr; @@ -952,6 +960,28 @@ trust: default: break; } + +#ifdef notdef + switch (type) { + case CKA_ISSUER: + cert = pk11_getCertObject(object); + if (cert == NULL) break; + attr = pk11_NewTokenAttribute(type,cert->derIssuer.data, + cert->derIssuer.len, PR_FALSE); + + case CKA_SERIAL_NUMBER: + cert = pk11_getCertObject(object); + if (cert == NULL) break; + item = SEC_ASN1EncodeItem(NULL,NULL,cert,pk11_SerialTemplate); + if (item == NULL) break; + attr = pk11_NewTokenAttribute(type, item->data, item->len, PR_TRUE); + SECITEM_FreeItem(item,PR_TRUE); + } + if (cert) { + NSSLOWCERTDestroyCertificate(cert); + return attr; + } +#endif return NULL; } @@ -1180,7 +1210,6 @@ pk11_Attribute2SSecItem(PLArenaPool *arena,SECItem *item,PK11Object *object, CK_ATTRIBUTE_TYPE type) { PK11Attribute *attribute; - unsigned char *start; item->data = NULL; |