mirror of
https://github.com/rn10950/RetroZilla.git
synced 2024-11-11 02:10:17 +01:00
1255 lines
31 KiB
C
1255 lines
31 KiB
C
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#ifndef DEV_H
|
|
#include "dev.h"
|
|
#endif /* DEV_H */
|
|
|
|
#ifndef PKIM_H
|
|
#include "pkim.h"
|
|
#endif /* PKIM_H */
|
|
|
|
#include "pki3hack.h"
|
|
|
|
extern const NSSError NSS_ERROR_NOT_FOUND;
|
|
|
|
NSS_IMPLEMENT void
|
|
nssPKIObject_Lock(nssPKIObject * object)
|
|
{
|
|
switch (object->lockType) {
|
|
case nssPKIMonitor:
|
|
PZ_EnterMonitor(object->sync.mlock);
|
|
break;
|
|
case nssPKILock:
|
|
PZ_Lock(object->sync.lock);
|
|
break;
|
|
default:
|
|
PORT_Assert(0);
|
|
}
|
|
}
|
|
|
|
NSS_IMPLEMENT void
|
|
nssPKIObject_Unlock(nssPKIObject * object)
|
|
{
|
|
switch (object->lockType) {
|
|
case nssPKIMonitor:
|
|
PZ_ExitMonitor(object->sync.mlock);
|
|
break;
|
|
case nssPKILock:
|
|
PZ_Unlock(object->sync.lock);
|
|
break;
|
|
default:
|
|
PORT_Assert(0);
|
|
}
|
|
}
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
nssPKIObject_NewLock(nssPKIObject * object, nssPKILockType lockType)
|
|
{
|
|
object->lockType = lockType;
|
|
switch (lockType) {
|
|
case nssPKIMonitor:
|
|
object->sync.mlock = PZ_NewMonitor(nssILockSSL);
|
|
return (object->sync.mlock ? PR_SUCCESS : PR_FAILURE);
|
|
case nssPKILock:
|
|
object->sync.lock = PZ_NewLock(nssILockSSL);
|
|
return (object->sync.lock ? PR_SUCCESS : PR_FAILURE);
|
|
default:
|
|
PORT_Assert(0);
|
|
return PR_FAILURE;
|
|
}
|
|
}
|
|
|
|
NSS_IMPLEMENT void
|
|
nssPKIObject_DestroyLock(nssPKIObject * object)
|
|
{
|
|
switch (object->lockType) {
|
|
case nssPKIMonitor:
|
|
PZ_DestroyMonitor(object->sync.mlock);
|
|
object->sync.mlock = NULL;
|
|
break;
|
|
case nssPKILock:
|
|
PZ_DestroyLock(object->sync.lock);
|
|
object->sync.lock = NULL;
|
|
break;
|
|
default:
|
|
PORT_Assert(0);
|
|
}
|
|
}
|
|
|
|
|
|
|
|
NSS_IMPLEMENT nssPKIObject *
|
|
nssPKIObject_Create (
|
|
NSSArena *arenaOpt,
|
|
nssCryptokiObject *instanceOpt,
|
|
NSSTrustDomain *td,
|
|
NSSCryptoContext *cc,
|
|
nssPKILockType lockType
|
|
)
|
|
{
|
|
NSSArena *arena;
|
|
nssArenaMark *mark = NULL;
|
|
nssPKIObject *object;
|
|
if (arenaOpt) {
|
|
arena = arenaOpt;
|
|
mark = nssArena_Mark(arena);
|
|
} else {
|
|
arena = nssArena_Create();
|
|
if (!arena) {
|
|
return (nssPKIObject *)NULL;
|
|
}
|
|
}
|
|
object = nss_ZNEW(arena, nssPKIObject);
|
|
if (!object) {
|
|
goto loser;
|
|
}
|
|
object->arena = arena;
|
|
object->trustDomain = td; /* XXX */
|
|
object->cryptoContext = cc;
|
|
if (PR_SUCCESS != nssPKIObject_NewLock(object, lockType)) {
|
|
goto loser;
|
|
}
|
|
if (instanceOpt) {
|
|
if (nssPKIObject_AddInstance(object, instanceOpt) != PR_SUCCESS) {
|
|
goto loser;
|
|
}
|
|
}
|
|
PR_ATOMIC_INCREMENT(&object->refCount);
|
|
if (mark) {
|
|
nssArena_Unmark(arena, mark);
|
|
}
|
|
return object;
|
|
loser:
|
|
if (mark) {
|
|
nssArena_Release(arena, mark);
|
|
} else {
|
|
nssArena_Destroy(arena);
|
|
}
|
|
return (nssPKIObject *)NULL;
|
|
}
|
|
|
|
NSS_IMPLEMENT PRBool
|
|
nssPKIObject_Destroy (
|
|
nssPKIObject *object
|
|
)
|
|
{
|
|
PRUint32 i;
|
|
PR_ASSERT(object->refCount > 0);
|
|
if (PR_ATOMIC_DECREMENT(&object->refCount) == 0) {
|
|
for (i=0; i<object->numInstances; i++) {
|
|
nssCryptokiObject_Destroy(object->instances[i]);
|
|
}
|
|
nssPKIObject_DestroyLock(object);
|
|
nssArena_Destroy(object->arena);
|
|
return PR_TRUE;
|
|
}
|
|
return PR_FALSE;
|
|
}
|
|
|
|
NSS_IMPLEMENT nssPKIObject *
|
|
nssPKIObject_AddRef (
|
|
nssPKIObject *object
|
|
)
|
|
{
|
|
PR_ATOMIC_INCREMENT(&object->refCount);
|
|
return object;
|
|
}
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
nssPKIObject_AddInstance (
|
|
nssPKIObject *object,
|
|
nssCryptokiObject *instance
|
|
)
|
|
{
|
|
nssCryptokiObject **newInstances = NULL;
|
|
|
|
nssPKIObject_Lock(object);
|
|
if (object->numInstances == 0) {
|
|
newInstances = nss_ZNEWARRAY(object->arena,
|
|
nssCryptokiObject *,
|
|
object->numInstances + 1);
|
|
} else {
|
|
PRBool found = PR_FALSE;
|
|
PRUint32 i;
|
|
for (i=0; i<object->numInstances; i++) {
|
|
if (nssCryptokiObject_Equal(object->instances[i], instance)) {
|
|
found = PR_TRUE;
|
|
break;
|
|
}
|
|
}
|
|
if (found) {
|
|
/* The new instance is identical to one in the array, except
|
|
* perhaps that the label may be different. So replace
|
|
* the label in the array instance with the label from the
|
|
* new instance, and discard the new instance.
|
|
*/
|
|
nss_ZFreeIf(object->instances[i]->label);
|
|
object->instances[i]->label = instance->label;
|
|
nssPKIObject_Unlock(object);
|
|
instance->label = NULL;
|
|
nssCryptokiObject_Destroy(instance);
|
|
return PR_SUCCESS;
|
|
}
|
|
newInstances = nss_ZREALLOCARRAY(object->instances,
|
|
nssCryptokiObject *,
|
|
object->numInstances + 1);
|
|
}
|
|
if (newInstances) {
|
|
object->instances = newInstances;
|
|
newInstances[object->numInstances++] = instance;
|
|
}
|
|
nssPKIObject_Unlock(object);
|
|
return (newInstances ? PR_SUCCESS : PR_FAILURE);
|
|
}
|
|
|
|
NSS_IMPLEMENT PRBool
|
|
nssPKIObject_HasInstance (
|
|
nssPKIObject *object,
|
|
nssCryptokiObject *instance
|
|
)
|
|
{
|
|
PRUint32 i;
|
|
PRBool hasIt = PR_FALSE;;
|
|
nssPKIObject_Lock(object);
|
|
for (i=0; i<object->numInstances; i++) {
|
|
if (nssCryptokiObject_Equal(object->instances[i], instance)) {
|
|
hasIt = PR_TRUE;
|
|
break;
|
|
}
|
|
}
|
|
nssPKIObject_Unlock(object);
|
|
return hasIt;
|
|
}
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
nssPKIObject_RemoveInstanceForToken (
|
|
nssPKIObject *object,
|
|
NSSToken *token
|
|
)
|
|
{
|
|
PRUint32 i;
|
|
nssCryptokiObject *instanceToRemove = NULL;
|
|
nssPKIObject_Lock(object);
|
|
if (object->numInstances == 0) {
|
|
nssPKIObject_Unlock(object);
|
|
return PR_SUCCESS;
|
|
}
|
|
for (i=0; i<object->numInstances; i++) {
|
|
if (object->instances[i]->token == token) {
|
|
instanceToRemove = object->instances[i];
|
|
object->instances[i] = object->instances[object->numInstances-1];
|
|
object->instances[object->numInstances-1] = NULL;
|
|
break;
|
|
}
|
|
}
|
|
if (--object->numInstances > 0) {
|
|
nssCryptokiObject **instances = nss_ZREALLOCARRAY(object->instances,
|
|
nssCryptokiObject *,
|
|
object->numInstances);
|
|
if (instances) {
|
|
object->instances = instances;
|
|
}
|
|
} else {
|
|
nss_ZFreeIf(object->instances);
|
|
}
|
|
nssCryptokiObject_Destroy(instanceToRemove);
|
|
nssPKIObject_Unlock(object);
|
|
return PR_SUCCESS;
|
|
}
|
|
|
|
/* this needs more thought on what will happen when there are multiple
|
|
* instances
|
|
*/
|
|
NSS_IMPLEMENT PRStatus
|
|
nssPKIObject_DeleteStoredObject (
|
|
nssPKIObject *object,
|
|
NSSCallback *uhh,
|
|
PRBool isFriendly
|
|
)
|
|
{
|
|
PRUint32 i, numNotDestroyed;
|
|
PRStatus status = PR_SUCCESS;
|
|
numNotDestroyed = 0;
|
|
nssPKIObject_Lock(object);
|
|
for (i=0; i<object->numInstances; i++) {
|
|
nssCryptokiObject *instance = object->instances[i];
|
|
status = nssToken_DeleteStoredObject(instance);
|
|
object->instances[i] = NULL;
|
|
if (status == PR_SUCCESS) {
|
|
nssCryptokiObject_Destroy(instance);
|
|
} else {
|
|
object->instances[numNotDestroyed++] = instance;
|
|
}
|
|
}
|
|
if (numNotDestroyed == 0) {
|
|
nss_ZFreeIf(object->instances);
|
|
object->numInstances = 0;
|
|
} else {
|
|
object->numInstances = numNotDestroyed;
|
|
}
|
|
nssPKIObject_Unlock(object);
|
|
return status;
|
|
}
|
|
|
|
NSS_IMPLEMENT NSSToken **
|
|
nssPKIObject_GetTokens (
|
|
nssPKIObject *object,
|
|
PRStatus *statusOpt
|
|
)
|
|
{
|
|
NSSToken **tokens = NULL;
|
|
nssPKIObject_Lock(object);
|
|
if (object->numInstances > 0) {
|
|
tokens = nss_ZNEWARRAY(NULL, NSSToken *, object->numInstances + 1);
|
|
if (tokens) {
|
|
PRUint32 i;
|
|
for (i=0; i<object->numInstances; i++) {
|
|
tokens[i] = nssToken_AddRef(object->instances[i]->token);
|
|
}
|
|
}
|
|
}
|
|
nssPKIObject_Unlock(object);
|
|
if (statusOpt) *statusOpt = PR_SUCCESS; /* until more logic here */
|
|
return tokens;
|
|
}
|
|
|
|
NSS_IMPLEMENT NSSUTF8 *
|
|
nssPKIObject_GetNicknameForToken (
|
|
nssPKIObject *object,
|
|
NSSToken *tokenOpt
|
|
)
|
|
{
|
|
PRUint32 i;
|
|
NSSUTF8 *nickname = NULL;
|
|
nssPKIObject_Lock(object);
|
|
for (i=0; i<object->numInstances; i++) {
|
|
if ((!tokenOpt && object->instances[i]->label) ||
|
|
(object->instances[i]->token == tokenOpt))
|
|
{
|
|
/* Must copy, see bug 745548 */
|
|
nickname = nssUTF8_Duplicate(object->instances[i]->label, NULL);
|
|
break;
|
|
}
|
|
}
|
|
nssPKIObject_Unlock(object);
|
|
return nickname;
|
|
}
|
|
|
|
NSS_IMPLEMENT nssCryptokiObject **
|
|
nssPKIObject_GetInstances (
|
|
nssPKIObject *object
|
|
)
|
|
{
|
|
nssCryptokiObject **instances = NULL;
|
|
PRUint32 i;
|
|
if (object->numInstances == 0) {
|
|
return (nssCryptokiObject **)NULL;
|
|
}
|
|
nssPKIObject_Lock(object);
|
|
instances = nss_ZNEWARRAY(NULL, nssCryptokiObject *,
|
|
object->numInstances + 1);
|
|
if (instances) {
|
|
for (i=0; i<object->numInstances; i++) {
|
|
instances[i] = nssCryptokiObject_Clone(object->instances[i]);
|
|
}
|
|
}
|
|
nssPKIObject_Unlock(object);
|
|
return instances;
|
|
}
|
|
|
|
NSS_IMPLEMENT void
|
|
nssCertificateArray_Destroy (
|
|
NSSCertificate **certs
|
|
)
|
|
{
|
|
if (certs) {
|
|
NSSCertificate **certp;
|
|
for (certp = certs; *certp; certp++) {
|
|
if ((*certp)->decoding) {
|
|
CERTCertificate *cc = STAN_GetCERTCertificate(*certp);
|
|
if (cc) {
|
|
CERT_DestroyCertificate(cc);
|
|
}
|
|
continue;
|
|
}
|
|
nssCertificate_Destroy(*certp);
|
|
}
|
|
nss_ZFreeIf(certs);
|
|
}
|
|
}
|
|
|
|
NSS_IMPLEMENT void
|
|
NSSCertificateArray_Destroy (
|
|
NSSCertificate **certs
|
|
)
|
|
{
|
|
nssCertificateArray_Destroy(certs);
|
|
}
|
|
|
|
NSS_IMPLEMENT NSSCertificate **
|
|
nssCertificateArray_Join (
|
|
NSSCertificate **certs1,
|
|
NSSCertificate **certs2
|
|
)
|
|
{
|
|
if (certs1 && certs2) {
|
|
NSSCertificate **certs, **cp;
|
|
PRUint32 count = 0;
|
|
PRUint32 count1 = 0;
|
|
cp = certs1;
|
|
while (*cp++) count1++;
|
|
count = count1;
|
|
cp = certs2;
|
|
while (*cp++) count++;
|
|
certs = nss_ZREALLOCARRAY(certs1, NSSCertificate *, count + 1);
|
|
if (!certs) {
|
|
nss_ZFreeIf(certs1);
|
|
nss_ZFreeIf(certs2);
|
|
return (NSSCertificate **)NULL;
|
|
}
|
|
for (cp = certs2; *cp; cp++, count1++) {
|
|
certs[count1] = *cp;
|
|
}
|
|
nss_ZFreeIf(certs2);
|
|
return certs;
|
|
} else if (certs1) {
|
|
return certs1;
|
|
} else {
|
|
return certs2;
|
|
}
|
|
}
|
|
|
|
NSS_IMPLEMENT NSSCertificate *
|
|
nssCertificateArray_FindBestCertificate (
|
|
NSSCertificate **certs,
|
|
NSSTime *timeOpt,
|
|
const NSSUsage *usage,
|
|
NSSPolicies *policiesOpt
|
|
)
|
|
{
|
|
NSSCertificate *bestCert = NULL;
|
|
nssDecodedCert *bestdc = NULL;
|
|
NSSTime *time, sTime;
|
|
PRBool bestCertMatches = PR_FALSE;
|
|
PRBool thisCertMatches;
|
|
PRBool bestCertIsValidAtTime = PR_FALSE;
|
|
PRBool bestCertIsTrusted = PR_FALSE;
|
|
|
|
if (timeOpt) {
|
|
time = timeOpt;
|
|
} else {
|
|
NSSTime_Now(&sTime);
|
|
time = &sTime;
|
|
}
|
|
if (!certs) {
|
|
return (NSSCertificate *)NULL;
|
|
}
|
|
for (; *certs; certs++) {
|
|
nssDecodedCert *dc;
|
|
NSSCertificate *c = *certs;
|
|
dc = nssCertificate_GetDecoding(c);
|
|
if (!dc) continue;
|
|
thisCertMatches = dc->matchUsage(dc, usage);
|
|
if (!bestCert) {
|
|
/* always take the first cert, but remember whether or not
|
|
* the usage matched
|
|
*/
|
|
bestCert = nssCertificate_AddRef(c);
|
|
bestCertMatches = thisCertMatches;
|
|
bestdc = dc;
|
|
continue;
|
|
} else {
|
|
if (bestCertMatches && !thisCertMatches) {
|
|
/* if already have a cert for this usage, and if this cert
|
|
* doesn't have the correct usage, continue
|
|
*/
|
|
continue;
|
|
} else if (!bestCertMatches && thisCertMatches) {
|
|
/* this one does match usage, replace the other */
|
|
nssCertificate_Destroy(bestCert);
|
|
bestCert = nssCertificate_AddRef(c);
|
|
bestCertMatches = thisCertMatches;
|
|
bestdc = dc;
|
|
continue;
|
|
}
|
|
/* this cert match as well as any cert we've found so far,
|
|
* defer to time/policies
|
|
* */
|
|
}
|
|
/* time */
|
|
if (bestCertIsValidAtTime || bestdc->isValidAtTime(bestdc, time)) {
|
|
/* The current best cert is valid at time */
|
|
bestCertIsValidAtTime = PR_TRUE;
|
|
if (!dc->isValidAtTime(dc, time)) {
|
|
/* If the new cert isn't valid at time, it's not better */
|
|
continue;
|
|
}
|
|
} else {
|
|
/* The current best cert is not valid at time */
|
|
if (dc->isValidAtTime(dc, time)) {
|
|
/* If the new cert is valid at time, it's better */
|
|
nssCertificate_Destroy(bestCert);
|
|
bestCert = nssCertificate_AddRef(c);
|
|
bestdc = dc;
|
|
bestCertIsValidAtTime = PR_TRUE;
|
|
continue;
|
|
}
|
|
}
|
|
/* Either they are both valid at time, or neither valid.
|
|
* If only one is trusted for this usage, take it.
|
|
*/
|
|
if (bestCertIsTrusted || bestdc->isTrustedForUsage(bestdc, usage)) {
|
|
bestCertIsTrusted = PR_TRUE;
|
|
if (!dc->isTrustedForUsage(dc, usage)) {
|
|
continue;
|
|
}
|
|
} else {
|
|
/* The current best cert is not trusted */
|
|
if (dc->isTrustedForUsage(dc, usage)) {
|
|
/* If the new cert is trusted, it's better */
|
|
nssCertificate_Destroy(bestCert);
|
|
bestCert = nssCertificate_AddRef(c);
|
|
bestdc = dc;
|
|
bestCertIsTrusted = PR_TRUE;
|
|
continue;
|
|
}
|
|
}
|
|
/* Otherwise, take the newer one. */
|
|
if (!bestdc->isNewerThan(bestdc, dc)) {
|
|
nssCertificate_Destroy(bestCert);
|
|
bestCert = nssCertificate_AddRef(c);
|
|
bestdc = dc;
|
|
continue;
|
|
}
|
|
/* policies */
|
|
/* XXX later -- defer to policies */
|
|
}
|
|
return bestCert;
|
|
}
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
nssCertificateArray_Traverse (
|
|
NSSCertificate **certs,
|
|
PRStatus (* callback)(NSSCertificate *c, void *arg),
|
|
void *arg
|
|
)
|
|
{
|
|
PRStatus status = PR_SUCCESS;
|
|
if (certs) {
|
|
NSSCertificate **certp;
|
|
for (certp = certs; *certp; certp++) {
|
|
status = (*callback)(*certp, arg);
|
|
if (status != PR_SUCCESS) {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
return status;
|
|
}
|
|
|
|
|
|
NSS_IMPLEMENT void
|
|
nssCRLArray_Destroy (
|
|
NSSCRL **crls
|
|
)
|
|
{
|
|
if (crls) {
|
|
NSSCRL **crlp;
|
|
for (crlp = crls; *crlp; crlp++) {
|
|
nssCRL_Destroy(*crlp);
|
|
}
|
|
nss_ZFreeIf(crls);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Object collections
|
|
*/
|
|
|
|
typedef enum
|
|
{
|
|
pkiObjectType_Certificate = 0,
|
|
pkiObjectType_CRL = 1,
|
|
pkiObjectType_PrivateKey = 2,
|
|
pkiObjectType_PublicKey = 3
|
|
} pkiObjectType;
|
|
|
|
/* Each object is defined by a set of items that uniquely identify it.
|
|
* Here are the uid sets:
|
|
*
|
|
* NSSCertificate ==> { issuer, serial }
|
|
* NSSPrivateKey
|
|
* (RSA) ==> { modulus, public exponent }
|
|
*
|
|
*/
|
|
#define MAX_ITEMS_FOR_UID 2
|
|
|
|
/* pkiObjectCollectionNode
|
|
*
|
|
* A node in the collection is the set of unique identifiers for a single
|
|
* object, along with either the actual object or a proto-object.
|
|
*/
|
|
typedef struct
|
|
{
|
|
PRCList link;
|
|
PRBool haveObject;
|
|
nssPKIObject *object;
|
|
NSSItem uid[MAX_ITEMS_FOR_UID];
|
|
}
|
|
pkiObjectCollectionNode;
|
|
|
|
/* nssPKIObjectCollection
|
|
*
|
|
* The collection is the set of all objects, plus the interfaces needed
|
|
* to manage the objects.
|
|
*
|
|
*/
|
|
struct nssPKIObjectCollectionStr
|
|
{
|
|
NSSArena *arena;
|
|
NSSTrustDomain *td;
|
|
NSSCryptoContext *cc;
|
|
PRCList head; /* list of pkiObjectCollectionNode's */
|
|
PRUint32 size;
|
|
pkiObjectType objectType;
|
|
void (* destroyObject)(nssPKIObject *o);
|
|
PRStatus (* getUIDFromObject)(nssPKIObject *o, NSSItem *uid);
|
|
PRStatus (* getUIDFromInstance)(nssCryptokiObject *co, NSSItem *uid,
|
|
NSSArena *arena);
|
|
nssPKIObject * (* createObject)(nssPKIObject *o);
|
|
nssPKILockType lockType; /* type of lock to use for new proto-objects */
|
|
};
|
|
|
|
static nssPKIObjectCollection *
|
|
nssPKIObjectCollection_Create (
|
|
NSSTrustDomain *td,
|
|
NSSCryptoContext *ccOpt,
|
|
nssPKILockType lockType
|
|
)
|
|
{
|
|
NSSArena *arena;
|
|
nssPKIObjectCollection *rvCollection = NULL;
|
|
arena = nssArena_Create();
|
|
if (!arena) {
|
|
return (nssPKIObjectCollection *)NULL;
|
|
}
|
|
rvCollection = nss_ZNEW(arena, nssPKIObjectCollection);
|
|
if (!rvCollection) {
|
|
goto loser;
|
|
}
|
|
PR_INIT_CLIST(&rvCollection->head);
|
|
rvCollection->arena = arena;
|
|
rvCollection->td = td; /* XXX */
|
|
rvCollection->cc = ccOpt;
|
|
rvCollection->lockType = lockType;
|
|
return rvCollection;
|
|
loser:
|
|
nssArena_Destroy(arena);
|
|
return (nssPKIObjectCollection *)NULL;
|
|
}
|
|
|
|
NSS_IMPLEMENT void
|
|
nssPKIObjectCollection_Destroy (
|
|
nssPKIObjectCollection *collection
|
|
)
|
|
{
|
|
if (collection) {
|
|
PRCList *link;
|
|
pkiObjectCollectionNode *node;
|
|
/* first destroy any objects in the collection */
|
|
link = PR_NEXT_LINK(&collection->head);
|
|
while (link != &collection->head) {
|
|
node = (pkiObjectCollectionNode *)link;
|
|
if (node->haveObject) {
|
|
(*collection->destroyObject)(node->object);
|
|
} else {
|
|
nssPKIObject_Destroy(node->object);
|
|
}
|
|
link = PR_NEXT_LINK(link);
|
|
}
|
|
/* then destroy it */
|
|
nssArena_Destroy(collection->arena);
|
|
}
|
|
}
|
|
|
|
NSS_IMPLEMENT PRUint32
|
|
nssPKIObjectCollection_Count (
|
|
nssPKIObjectCollection *collection
|
|
)
|
|
{
|
|
return collection->size;
|
|
}
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
nssPKIObjectCollection_AddObject (
|
|
nssPKIObjectCollection *collection,
|
|
nssPKIObject *object
|
|
)
|
|
{
|
|
pkiObjectCollectionNode *node;
|
|
node = nss_ZNEW(collection->arena, pkiObjectCollectionNode);
|
|
if (!node) {
|
|
return PR_FAILURE;
|
|
}
|
|
node->haveObject = PR_TRUE;
|
|
node->object = nssPKIObject_AddRef(object);
|
|
(*collection->getUIDFromObject)(object, node->uid);
|
|
PR_INIT_CLIST(&node->link);
|
|
PR_INSERT_BEFORE(&node->link, &collection->head);
|
|
collection->size++;
|
|
return PR_SUCCESS;
|
|
}
|
|
|
|
static pkiObjectCollectionNode *
|
|
find_instance_in_collection (
|
|
nssPKIObjectCollection *collection,
|
|
nssCryptokiObject *instance
|
|
)
|
|
{
|
|
PRCList *link;
|
|
pkiObjectCollectionNode *node;
|
|
link = PR_NEXT_LINK(&collection->head);
|
|
while (link != &collection->head) {
|
|
node = (pkiObjectCollectionNode *)link;
|
|
if (nssPKIObject_HasInstance(node->object, instance)) {
|
|
return node;
|
|
}
|
|
link = PR_NEXT_LINK(link);
|
|
}
|
|
return (pkiObjectCollectionNode *)NULL;
|
|
}
|
|
|
|
static pkiObjectCollectionNode *
|
|
find_object_in_collection (
|
|
nssPKIObjectCollection *collection,
|
|
NSSItem *uid
|
|
)
|
|
{
|
|
PRUint32 i;
|
|
PRStatus status;
|
|
PRCList *link;
|
|
pkiObjectCollectionNode *node;
|
|
link = PR_NEXT_LINK(&collection->head);
|
|
while (link != &collection->head) {
|
|
node = (pkiObjectCollectionNode *)link;
|
|
for (i=0; i<MAX_ITEMS_FOR_UID; i++) {
|
|
if (!nssItem_Equal(&node->uid[i], &uid[i], &status)) {
|
|
break;
|
|
}
|
|
}
|
|
if (i == MAX_ITEMS_FOR_UID) {
|
|
return node;
|
|
}
|
|
link = PR_NEXT_LINK(link);
|
|
}
|
|
return (pkiObjectCollectionNode *)NULL;
|
|
}
|
|
|
|
static pkiObjectCollectionNode *
|
|
add_object_instance (
|
|
nssPKIObjectCollection *collection,
|
|
nssCryptokiObject *instance,
|
|
PRBool *foundIt
|
|
)
|
|
{
|
|
PRUint32 i;
|
|
PRStatus status;
|
|
pkiObjectCollectionNode *node;
|
|
nssArenaMark *mark = NULL;
|
|
NSSItem uid[MAX_ITEMS_FOR_UID];
|
|
nsslibc_memset(uid, 0, sizeof uid);
|
|
/* The list is traversed twice, first (here) looking to match the
|
|
* { token, handle } tuple, and if that is not found, below a search
|
|
* for unique identifier is done. Here, a match means this exact object
|
|
* instance is already in the collection, and we have nothing to do.
|
|
*/
|
|
*foundIt = PR_FALSE;
|
|
node = find_instance_in_collection(collection, instance);
|
|
if (node) {
|
|
/* The collection is assumed to take over the instance. Since we
|
|
* are not using it, it must be destroyed.
|
|
*/
|
|
nssCryptokiObject_Destroy(instance);
|
|
*foundIt = PR_TRUE;
|
|
return node;
|
|
}
|
|
mark = nssArena_Mark(collection->arena);
|
|
if (!mark) {
|
|
goto loser;
|
|
}
|
|
status = (*collection->getUIDFromInstance)(instance, uid,
|
|
collection->arena);
|
|
if (status != PR_SUCCESS) {
|
|
goto loser;
|
|
}
|
|
/* Search for unique identifier. A match here means the object exists
|
|
* in the collection, but does not have this instance, so the instance
|
|
* needs to be added.
|
|
*/
|
|
node = find_object_in_collection(collection, uid);
|
|
if (node) {
|
|
/* This is an object with multiple instances */
|
|
status = nssPKIObject_AddInstance(node->object, instance);
|
|
} else {
|
|
/* This is a completely new object. Create a node for it. */
|
|
node = nss_ZNEW(collection->arena, pkiObjectCollectionNode);
|
|
if (!node) {
|
|
goto loser;
|
|
}
|
|
node->object = nssPKIObject_Create(NULL, instance,
|
|
collection->td, collection->cc,
|
|
collection->lockType);
|
|
if (!node->object) {
|
|
goto loser;
|
|
}
|
|
for (i=0; i<MAX_ITEMS_FOR_UID; i++) {
|
|
node->uid[i] = uid[i];
|
|
}
|
|
node->haveObject = PR_FALSE;
|
|
PR_INIT_CLIST(&node->link);
|
|
PR_INSERT_BEFORE(&node->link, &collection->head);
|
|
collection->size++;
|
|
status = PR_SUCCESS;
|
|
}
|
|
nssArena_Unmark(collection->arena, mark);
|
|
return node;
|
|
loser:
|
|
if (mark) {
|
|
nssArena_Release(collection->arena, mark);
|
|
}
|
|
nssCryptokiObject_Destroy(instance);
|
|
return (pkiObjectCollectionNode *)NULL;
|
|
}
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
nssPKIObjectCollection_AddInstances (
|
|
nssPKIObjectCollection *collection,
|
|
nssCryptokiObject **instances,
|
|
PRUint32 numInstances
|
|
)
|
|
{
|
|
PRStatus status = PR_SUCCESS;
|
|
PRUint32 i = 0;
|
|
PRBool foundIt;
|
|
pkiObjectCollectionNode *node;
|
|
if (instances) {
|
|
while ((!numInstances || i < numInstances) && *instances) {
|
|
if (status == PR_SUCCESS) {
|
|
node = add_object_instance(collection, *instances, &foundIt);
|
|
if (node == NULL) {
|
|
/* add_object_instance freed the current instance */
|
|
/* free the remaining instances */
|
|
status = PR_FAILURE;
|
|
}
|
|
} else {
|
|
nssCryptokiObject_Destroy(*instances);
|
|
}
|
|
instances++;
|
|
i++;
|
|
}
|
|
}
|
|
return status;
|
|
}
|
|
|
|
static void
|
|
nssPKIObjectCollection_RemoveNode (
|
|
nssPKIObjectCollection *collection,
|
|
pkiObjectCollectionNode *node
|
|
)
|
|
{
|
|
PR_REMOVE_LINK(&node->link);
|
|
collection->size--;
|
|
}
|
|
|
|
static PRStatus
|
|
nssPKIObjectCollection_GetObjects (
|
|
nssPKIObjectCollection *collection,
|
|
nssPKIObject **rvObjects,
|
|
PRUint32 rvSize
|
|
)
|
|
{
|
|
PRUint32 i = 0;
|
|
PRCList *link = PR_NEXT_LINK(&collection->head);
|
|
pkiObjectCollectionNode *node;
|
|
int error=0;
|
|
while ((i < rvSize) && (link != &collection->head)) {
|
|
node = (pkiObjectCollectionNode *)link;
|
|
if (!node->haveObject) {
|
|
/* Convert the proto-object to an object */
|
|
node->object = (*collection->createObject)(node->object);
|
|
if (!node->object) {
|
|
link = PR_NEXT_LINK(link);
|
|
/*remove bogus object from list*/
|
|
nssPKIObjectCollection_RemoveNode(collection,node);
|
|
error++;
|
|
continue;
|
|
}
|
|
node->haveObject = PR_TRUE;
|
|
}
|
|
rvObjects[i++] = nssPKIObject_AddRef(node->object);
|
|
link = PR_NEXT_LINK(link);
|
|
}
|
|
if (!error && *rvObjects == NULL) {
|
|
nss_SetError(NSS_ERROR_NOT_FOUND);
|
|
}
|
|
return PR_SUCCESS;
|
|
}
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
nssPKIObjectCollection_Traverse (
|
|
nssPKIObjectCollection *collection,
|
|
nssPKIObjectCallback *callback
|
|
)
|
|
{
|
|
PRStatus status;
|
|
PRCList *link = PR_NEXT_LINK(&collection->head);
|
|
pkiObjectCollectionNode *node;
|
|
while (link != &collection->head) {
|
|
node = (pkiObjectCollectionNode *)link;
|
|
if (!node->haveObject) {
|
|
node->object = (*collection->createObject)(node->object);
|
|
if (!node->object) {
|
|
link = PR_NEXT_LINK(link);
|
|
/*remove bogus object from list*/
|
|
nssPKIObjectCollection_RemoveNode(collection,node);
|
|
continue;
|
|
}
|
|
node->haveObject = PR_TRUE;
|
|
}
|
|
switch (collection->objectType) {
|
|
case pkiObjectType_Certificate:
|
|
status = (*callback->func.cert)((NSSCertificate *)node->object,
|
|
callback->arg);
|
|
break;
|
|
case pkiObjectType_CRL:
|
|
status = (*callback->func.crl)((NSSCRL *)node->object,
|
|
callback->arg);
|
|
break;
|
|
case pkiObjectType_PrivateKey:
|
|
status = (*callback->func.pvkey)((NSSPrivateKey *)node->object,
|
|
callback->arg);
|
|
break;
|
|
case pkiObjectType_PublicKey:
|
|
status = (*callback->func.pbkey)((NSSPublicKey *)node->object,
|
|
callback->arg);
|
|
break;
|
|
}
|
|
link = PR_NEXT_LINK(link);
|
|
}
|
|
return PR_SUCCESS;
|
|
}
|
|
|
|
NSS_IMPLEMENT PRStatus
|
|
nssPKIObjectCollection_AddInstanceAsObject (
|
|
nssPKIObjectCollection *collection,
|
|
nssCryptokiObject *instance
|
|
)
|
|
{
|
|
pkiObjectCollectionNode *node;
|
|
PRBool foundIt;
|
|
node = add_object_instance(collection, instance, &foundIt);
|
|
if (node == NULL) {
|
|
return PR_FAILURE;
|
|
}
|
|
if (!node->haveObject) {
|
|
node->object = (*collection->createObject)(node->object);
|
|
if (!node->object) {
|
|
/*remove bogus object from list*/
|
|
nssPKIObjectCollection_RemoveNode(collection,node);
|
|
return PR_FAILURE;
|
|
}
|
|
node->haveObject = PR_TRUE;
|
|
} else if (!foundIt) {
|
|
/* The instance was added to a pre-existing node. This
|
|
* function is *only* being used for certificates, and having
|
|
* multiple instances of certs in 3.X requires updating the
|
|
* CERTCertificate.
|
|
* But only do it if it was a new instance!!! If the same instance
|
|
* is encountered, we set *foundIt to true. Detect that here and
|
|
* ignore it.
|
|
*/
|
|
STAN_ForceCERTCertificateUpdate((NSSCertificate *)node->object);
|
|
}
|
|
return PR_SUCCESS;
|
|
}
|
|
|
|
/*
|
|
* Certificate collections
|
|
*/
|
|
|
|
static void
|
|
cert_destroyObject(nssPKIObject *o)
|
|
{
|
|
NSSCertificate *c = (NSSCertificate *)o;
|
|
if (c->decoding) {
|
|
CERTCertificate *cc = STAN_GetCERTCertificate(c);
|
|
if (cc) {
|
|
CERT_DestroyCertificate(cc);
|
|
return;
|
|
} /* else destroy it as NSSCertificate below */
|
|
}
|
|
nssCertificate_Destroy(c);
|
|
}
|
|
|
|
static PRStatus
|
|
cert_getUIDFromObject(nssPKIObject *o, NSSItem *uid)
|
|
{
|
|
NSSCertificate *c = (NSSCertificate *)o;
|
|
/* The builtins are still returning decoded serial numbers. Until
|
|
* this compatibility issue is resolved, use the full DER of the
|
|
* cert to uniquely identify it.
|
|
*/
|
|
NSSDER *derCert;
|
|
derCert = nssCertificate_GetEncoding(c);
|
|
uid[0].data = NULL; uid[0].size = 0;
|
|
uid[1].data = NULL; uid[1].size = 0;
|
|
if (derCert != NULL) {
|
|
uid[0] = *derCert;
|
|
}
|
|
return PR_SUCCESS;
|
|
}
|
|
|
|
static PRStatus
|
|
cert_getUIDFromInstance(nssCryptokiObject *instance, NSSItem *uid,
|
|
NSSArena *arena)
|
|
{
|
|
/* The builtins are still returning decoded serial numbers. Until
|
|
* this compatibility issue is resolved, use the full DER of the
|
|
* cert to uniquely identify it.
|
|
*/
|
|
uid[1].data = NULL; uid[1].size = 0;
|
|
return nssCryptokiCertificate_GetAttributes(instance,
|
|
NULL, /* XXX sessionOpt */
|
|
arena, /* arena */
|
|
NULL, /* type */
|
|
NULL, /* id */
|
|
&uid[0], /* encoding */
|
|
NULL, /* issuer */
|
|
NULL, /* serial */
|
|
NULL); /* subject */
|
|
}
|
|
|
|
static nssPKIObject *
|
|
cert_createObject(nssPKIObject *o)
|
|
{
|
|
NSSCertificate *cert;
|
|
cert = nssCertificate_Create(o);
|
|
/* if (STAN_GetCERTCertificate(cert) == NULL) {
|
|
nssCertificate_Destroy(cert);
|
|
return (nssPKIObject *)NULL;
|
|
} */
|
|
/* In 3.4, have to maintain uniqueness of cert pointers by caching all
|
|
* certs. Cache the cert here, before returning. If it is already
|
|
* cached, take the cached entry.
|
|
*/
|
|
{
|
|
NSSTrustDomain *td = o->trustDomain;
|
|
nssTrustDomain_AddCertsToCache(td, &cert, 1);
|
|
}
|
|
return (nssPKIObject *)cert;
|
|
}
|
|
|
|
NSS_IMPLEMENT nssPKIObjectCollection *
|
|
nssCertificateCollection_Create (
|
|
NSSTrustDomain *td,
|
|
NSSCertificate **certsOpt
|
|
)
|
|
{
|
|
PRStatus status;
|
|
nssPKIObjectCollection *collection;
|
|
collection = nssPKIObjectCollection_Create(td, NULL, nssPKIMonitor);
|
|
collection->objectType = pkiObjectType_Certificate;
|
|
collection->destroyObject = cert_destroyObject;
|
|
collection->getUIDFromObject = cert_getUIDFromObject;
|
|
collection->getUIDFromInstance = cert_getUIDFromInstance;
|
|
collection->createObject = cert_createObject;
|
|
if (certsOpt) {
|
|
for (; *certsOpt; certsOpt++) {
|
|
nssPKIObject *object = (nssPKIObject *)(*certsOpt);
|
|
status = nssPKIObjectCollection_AddObject(collection, object);
|
|
}
|
|
}
|
|
return collection;
|
|
}
|
|
|
|
NSS_IMPLEMENT NSSCertificate **
|
|
nssPKIObjectCollection_GetCertificates (
|
|
nssPKIObjectCollection *collection,
|
|
NSSCertificate **rvOpt,
|
|
PRUint32 maximumOpt,
|
|
NSSArena *arenaOpt
|
|
)
|
|
{
|
|
PRStatus status;
|
|
PRUint32 rvSize;
|
|
PRBool allocated = PR_FALSE;
|
|
if (collection->size == 0) {
|
|
return (NSSCertificate **)NULL;
|
|
}
|
|
if (maximumOpt == 0) {
|
|
rvSize = collection->size;
|
|
} else {
|
|
rvSize = PR_MIN(collection->size, maximumOpt);
|
|
}
|
|
if (!rvOpt) {
|
|
rvOpt = nss_ZNEWARRAY(arenaOpt, NSSCertificate *, rvSize + 1);
|
|
if (!rvOpt) {
|
|
return (NSSCertificate **)NULL;
|
|
}
|
|
allocated = PR_TRUE;
|
|
}
|
|
status = nssPKIObjectCollection_GetObjects(collection,
|
|
(nssPKIObject **)rvOpt,
|
|
rvSize);
|
|
if (status != PR_SUCCESS) {
|
|
if (allocated) {
|
|
nss_ZFreeIf(rvOpt);
|
|
}
|
|
return (NSSCertificate **)NULL;
|
|
}
|
|
return rvOpt;
|
|
}
|
|
|
|
/*
|
|
* CRL/KRL collections
|
|
*/
|
|
|
|
static void
|
|
crl_destroyObject(nssPKIObject *o)
|
|
{
|
|
NSSCRL *crl = (NSSCRL *)o;
|
|
nssCRL_Destroy(crl);
|
|
}
|
|
|
|
static PRStatus
|
|
crl_getUIDFromObject(nssPKIObject *o, NSSItem *uid)
|
|
{
|
|
NSSCRL *crl = (NSSCRL *)o;
|
|
NSSDER *encoding;
|
|
encoding = nssCRL_GetEncoding(crl);
|
|
if (!encoding) {
|
|
nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
|
|
return PR_FALSE;
|
|
}
|
|
uid[0] = *encoding;
|
|
uid[1].data = NULL; uid[1].size = 0;
|
|
return PR_SUCCESS;
|
|
}
|
|
|
|
static PRStatus
|
|
crl_getUIDFromInstance(nssCryptokiObject *instance, NSSItem *uid,
|
|
NSSArena *arena)
|
|
{
|
|
return nssCryptokiCRL_GetAttributes(instance,
|
|
NULL, /* XXX sessionOpt */
|
|
arena, /* arena */
|
|
&uid[0], /* encoding */
|
|
NULL, /* subject */
|
|
NULL, /* class */
|
|
NULL, /* url */
|
|
NULL); /* isKRL */
|
|
}
|
|
|
|
static nssPKIObject *
|
|
crl_createObject(nssPKIObject *o)
|
|
{
|
|
return (nssPKIObject *)nssCRL_Create(o);
|
|
}
|
|
|
|
NSS_IMPLEMENT nssPKIObjectCollection *
|
|
nssCRLCollection_Create (
|
|
NSSTrustDomain *td,
|
|
NSSCRL **crlsOpt
|
|
)
|
|
{
|
|
PRStatus status;
|
|
nssPKIObjectCollection *collection;
|
|
collection = nssPKIObjectCollection_Create(td, NULL, nssPKILock);
|
|
collection->objectType = pkiObjectType_CRL;
|
|
collection->destroyObject = crl_destroyObject;
|
|
collection->getUIDFromObject = crl_getUIDFromObject;
|
|
collection->getUIDFromInstance = crl_getUIDFromInstance;
|
|
collection->createObject = crl_createObject;
|
|
if (crlsOpt) {
|
|
for (; *crlsOpt; crlsOpt++) {
|
|
nssPKIObject *object = (nssPKIObject *)(*crlsOpt);
|
|
status = nssPKIObjectCollection_AddObject(collection, object);
|
|
}
|
|
}
|
|
return collection;
|
|
}
|
|
|
|
NSS_IMPLEMENT NSSCRL **
|
|
nssPKIObjectCollection_GetCRLs (
|
|
nssPKIObjectCollection *collection,
|
|
NSSCRL **rvOpt,
|
|
PRUint32 maximumOpt,
|
|
NSSArena *arenaOpt
|
|
)
|
|
{
|
|
PRStatus status;
|
|
PRUint32 rvSize;
|
|
PRBool allocated = PR_FALSE;
|
|
if (collection->size == 0) {
|
|
return (NSSCRL **)NULL;
|
|
}
|
|
if (maximumOpt == 0) {
|
|
rvSize = collection->size;
|
|
} else {
|
|
rvSize = PR_MIN(collection->size, maximumOpt);
|
|
}
|
|
if (!rvOpt) {
|
|
rvOpt = nss_ZNEWARRAY(arenaOpt, NSSCRL *, rvSize + 1);
|
|
if (!rvOpt) {
|
|
return (NSSCRL **)NULL;
|
|
}
|
|
allocated = PR_TRUE;
|
|
}
|
|
status = nssPKIObjectCollection_GetObjects(collection,
|
|
(nssPKIObject **)rvOpt,
|
|
rvSize);
|
|
if (status != PR_SUCCESS) {
|
|
if (allocated) {
|
|
nss_ZFreeIf(rvOpt);
|
|
}
|
|
return (NSSCRL **)NULL;
|
|
}
|
|
return rvOpt;
|
|
}
|
|
|
|
/* how bad would it be to have a static now sitting around, updated whenever
|
|
* this was called? would avoid repeated allocs...
|
|
*/
|
|
NSS_IMPLEMENT NSSTime *
|
|
NSSTime_Now (
|
|
NSSTime *timeOpt
|
|
)
|
|
{
|
|
return NSSTime_SetPRTime(timeOpt, PR_Now());
|
|
}
|
|
|
|
NSS_IMPLEMENT NSSTime *
|
|
NSSTime_SetPRTime (
|
|
NSSTime *timeOpt,
|
|
PRTime prTime
|
|
)
|
|
{
|
|
NSSTime *rvTime;
|
|
rvTime = (timeOpt) ? timeOpt : nss_ZNEW(NULL, NSSTime);
|
|
if (rvTime) {
|
|
rvTime->prTime = prTime;
|
|
}
|
|
return rvTime;
|
|
}
|
|
|
|
NSS_IMPLEMENT PRTime
|
|
NSSTime_GetPRTime (
|
|
NSSTime *time
|
|
)
|
|
{
|
|
return time->prTime;
|
|
}
|
|
|