From ce09346d8cf1d12060d6197e27afea16d30b5837 Mon Sep 17 00:00:00 2001 From: "relyea%netscape.com" Date: Mon, 22 Apr 2002 19:09:01 +0000 Subject: [PATCH] Token and cert processing fixes: 1) use NewTempCert rather than DERDecode cert in all import cert cases. When DERDecode cert is used, we may wind up with a cert that gets cleared when we try to import it because it already in the cache. NewTempCert will return the version that is in the cache. 2) If we are returning the CAList, only return certs that are CA's (not usercerts). 3) Authenticate to all the tokens if necessary before we try to list certs. (Stan code should eventually get automatic authentication calls in the code itself). 4) When looking up user certs, don't return those certs with the same subject, but do not have any key material associated with them (that is don't crash if we have old certs in our database without nicknames, but match user certs on our smart cards). 5) Save the nickname associated with our subject list in the temp cache so we can correctly remove the entry even if the cert's nickname changes (because of smart card insertions and removals, or because of creation and deletions of our user cert). --- security/nss/lib/certdb/certdb.c | 10 +-- security/nss/lib/certhigh/certhigh.c | 27 +++++++ security/nss/lib/dev/devm.h | 14 +++- security/nss/lib/dev/devslot.c | 4 +- security/nss/lib/dev/devtoken.c | 11 ++- security/nss/lib/dev/devutil.c | 15 +++- security/nss/lib/pk11wrap/pk11cert.c | 23 +++++- security/nss/lib/pki/trustdomain.c | 101 ++++++++++++++++++++++++++- 8 files changed, 188 insertions(+), 17 deletions(-) diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index 3cd6bdd5abfb..464c9bd3c60f 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -34,7 +34,7 @@ /* * Certificate handling code * - * $Id: certdb.c,v 1.27 2002/04/12 19:05:04 relyea%netscape.com Exp $ + * $Id: certdb.c,v 1.28 2002/04/22 19:08:44 relyea%netscape.com Exp $ */ #include "nssilock.h" @@ -2028,17 +2028,11 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage, /* decode all of the certs into the temporary DB */ for ( i = 0, fcerts= 0; i < ncerts; i++) { - if ( keepCerts ) { - certs[fcerts] = CERT_DecodeDERCertificate(derCerts[i], - PR_FALSE, - NULL); - } else { - certs[fcerts] = CERT_NewTempCertificate(certdb, + certs[fcerts] = CERT_NewTempCertificate(certdb, derCerts[i], NULL, PR_FALSE, PR_TRUE); - } if (certs[fcerts]) fcerts++; } diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c index 06cccb43b8a4..59b597b3bff0 100644 --- a/security/nss/lib/certhigh/certhigh.c +++ b/security/nss/lib/certhigh/certhigh.c @@ -91,6 +91,31 @@ CERT_MatchNickname(char *name1, char *name2) { return PR_TRUE; } +static SECStatus +cert_UserCertsOnly(CERTCertList *certList) +{ + CERTCertListNode *node, *freenode; + CERTCertificate *cert; + + node = CERT_LIST_HEAD(certList); + + while ( ! CERT_LIST_END(node, certList) ) { + cert = node->cert; + if ( !( cert->trust->sslFlags & CERTDB_USER ) && + !( cert->trust->emailFlags & CERTDB_USER ) && + !( cert->trust->objectSigningFlags & CERTDB_USER ) ) { + /* Not a User Cert, so remove this cert from the list */ + freenode = node; + node = CERT_LIST_NEXT(node); + CERT_RemoveCertListNode(freenode); + } else { + /* Is a User cert, so leave it in the list */ + node = CERT_LIST_NEXT(node); + } + } + + return(SECSuccess); +} /* * Find all user certificates that match the given criteria. @@ -157,6 +182,8 @@ CERT_FindUserCertsByUsage(CERTCertDBHandle *handle, /* collect certs for this nickname, sorting them into the list */ certList = CERT_CreateSubjectCertList(certList, handle, &cert->derSubject, time, validOnly); + + cert_UserCertsOnly(certList); /* drop the extra reference */ CERT_DestroyCertificate(cert); diff --git a/security/nss/lib/dev/devm.h b/security/nss/lib/dev/devm.h index ec6a14fe74c0..365a2f0cb458 100644 --- a/security/nss/lib/dev/devm.h +++ b/security/nss/lib/dev/devm.h @@ -35,7 +35,7 @@ #define DEVM_H #ifdef DEBUG -static const char DEVM_CVS_ID[] = "@(#) $RCSfile: devm.h,v $ $Revision: 1.7 $ $Date: 2002/04/19 16:14:06 $ $Name: $"; +static const char DEVM_CVS_ID[] = "@(#) $RCSfile: devm.h,v $ $Revision: 1.8 $ $Date: 2002/04/22 19:08:54 $ $Name: $"; #endif /* DEBUG */ #ifndef BASE_H @@ -134,6 +134,12 @@ nssToken_IsLoginRequired NSSToken *token ); +NSS_EXTERN void +nssToken_Remove +( + NSSToken *token +); + NSS_EXTERN nssCryptokiObject * nssCryptokiObject_Create ( @@ -157,6 +163,12 @@ nssTokenObjectCache_Destroy nssTokenObjectCache *cache ); +NSS_EXTERN void +nssTokenObjectCache_Clear +( + nssTokenObjectCache *cache +); + NSS_EXTERN PRBool nssTokenObjectCache_HaveObjectClass ( diff --git a/security/nss/lib/dev/devslot.c b/security/nss/lib/dev/devslot.c index 8de6276afa63..fa34203c4ee0 100644 --- a/security/nss/lib/dev/devslot.c +++ b/security/nss/lib/dev/devslot.c @@ -32,7 +32,7 @@ */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: devslot.c,v $ $Revision: 1.5 $ $Date: 2002/04/19 23:06:39 $ $Name: $"; +static const char CVS_ID[] = "@(#) $RCSfile: devslot.c,v $ $Revision: 1.6 $ $Date: 2002/04/22 19:08:54 $ $Name: $"; #endif /* DEBUG */ #ifndef NSSCKEPV_H @@ -301,6 +301,8 @@ nssSlot_IsTokenPresent } #endif slot->token->base.name[0] = 0; /* XXX */ + /* clear the token cache */ + nssToken_Remove(slot->token); return PR_FALSE; #ifdef PURE_STAN_CODE } else if (!slot->token) { diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c index 35f485ff63ac..6cba3d2808ad 100644 --- a/security/nss/lib/dev/devtoken.c +++ b/security/nss/lib/dev/devtoken.c @@ -32,7 +32,7 @@ */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.16 $ $Date: 2002/04/22 14:14:39 $ $Name: $"; +static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.17 $ $Date: 2002/04/22 19:08:55 $ $Name: $"; #endif /* DEBUG */ #ifndef NSSCKEPV_H @@ -160,6 +160,15 @@ nssToken_Destroy return PR_SUCCESS; } +NSS_IMPLEMENT void +nssToken_Remove +( + NSSToken *tok +) +{ + nssTokenObjectCache_Clear(tok->cache); +} + NSS_IMPLEMENT void NSSToken_Destroy ( diff --git a/security/nss/lib/dev/devutil.c b/security/nss/lib/dev/devutil.c index 5afc4d28db70..569738fe50c2 100644 --- a/security/nss/lib/dev/devutil.c +++ b/security/nss/lib/dev/devutil.c @@ -32,7 +32,7 @@ */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: devutil.c,v $ $Revision: 1.10 $ $Date: 2002/04/22 15:21:06 $ $Name: $"; +static const char CVS_ID[] = "@(#) $RCSfile: devutil.c,v $ $Revision: 1.11 $ $Date: 2002/04/22 19:08:55 $ $Name: $"; #endif /* DEBUG */ #ifndef DEVM_H @@ -619,6 +619,17 @@ clear_cache } } +NSS_IMPLEMENT void +nssTokenObjectCache_Clear +( + nssTokenObjectCache *cache +) +{ + if (cache) { + clear_cache(cache); + } +} + NSS_IMPLEMENT void nssTokenObjectCache_Destroy ( @@ -777,7 +788,7 @@ search_for_objects NSSSlot *slot = nssToken_GetSlot(cache->token); if (!nssSlot_IsTokenPresent(slot)) { /* The token is no longer present, destroy any cached objects */ - clear_cache(cache); + /* clear_cache(cache); */ nssSlot_Destroy(slot); return PR_FALSE; } diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c index bf1e74450bdd..8097611892e7 100644 --- a/security/nss/lib/pk11wrap/pk11cert.c +++ b/security/nss/lib/pk11wrap/pk11cert.c @@ -971,7 +971,9 @@ pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *), rv = PK11_Authenticate(le->slot, PR_FALSE, wincx); if (rv != SECSuccess) continue; } - (*callback)(le->slot,arg); + if (callback) { + (*callback)(le->slot,arg); + } } PK11_FreeSlotList(list); @@ -3206,12 +3208,16 @@ pk11ListCertCallback(CERTCertificate *cert, void *arg) CERTCertList *certList = listCertP->certList; CERTCertTrust *trust; PRBool isUnique = PR_FALSE; + PRBool isCA = PR_FALSE; char *nickname = NULL; unsigned int certType; if ((type == PK11CertListUnique) || (type == PK11CertListRootUnique)) { isUnique = PR_TRUE; } + if ((type == PK11CertListCA) || (type == PK11CertListRootUnique)) { + isCA = PR_TRUE; + } /* at this point the nickname is correct for the cert. save it for later */ if (!isUnique && cert->nickname) { nickname = PORT_ArenaStrdup(listCertP->certList->arena,cert->nickname); @@ -3255,7 +3261,7 @@ pk11ListCertCallback(CERTCertificate *cert, void *arg) } /* if we want CA certs and it ain't one, skip it */ - if( type == PK11CertListCA && (!CERT_IsCACert(newCert, &certType)) ) { + if( isCA && (!CERT_IsCACert(newCert, &certType)) ) { CERT_DestroyCertificate(newCert); return SECSuccess; } @@ -3298,7 +3304,18 @@ PK11_ListCerts(PK11CertListType type, void *pwarg) listCerts.certList = certList; pk11cb.callback = pk11ListCertCallback; pk11cb.arg = &listCerts; - NSSTrustDomain_TraverseCertificates(defaultTD, convert_cert, &pk11cb); + + /* authenticate to the slots */ + (void) pk11_TraverseAllSlots( NULL, NULL, pwarg); +#ifdef notdef + if (type == PK11CertListUser) { + NSSTrustDomain_TraverseUserCertificates(defaultTD, convert_cert &pk11cb); + } else { + NSSTrustDomain_TraverseCertificates(defaultTD, convert_cert, &pk11cb); + } +#else + NSSTrustDomain_TraverseCertificates(defaultTD, convert_cert, &pk11cb); +#endif return certList; #endif } diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c index ff5a6f0598be..853673a1bc22 100644 --- a/security/nss/lib/pki/trustdomain.c +++ b/security/nss/lib/pki/trustdomain.c @@ -32,7 +32,7 @@ */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.40 $ $Date: 2002/04/18 19:37:12 $ $Name: $"; +static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.41 $ $Date: 2002/04/22 19:09:01 $ $Name: $"; #endif /* DEBUG */ #ifndef DEV_H @@ -1099,6 +1099,7 @@ NSSTrustDomain_TraverseCertificates } } } + /* Traverse the collection */ pkiCallback.func.cert = callback; pkiCallback.arg = arg; @@ -1117,6 +1118,104 @@ loser: return NULL; } +#ifdef notdef +/* + * search for Public and Private keys first + */ +NSS_IMPLEMENT PRStatus * +NSSTrustDomain_TraverseUserCertificates +( + NSSTrustDomain *td, + PRStatus (*callback)(NSSCertificate *c, void *arg), + void *arg +) +{ + PRStatus status; + NSSToken *token = NULL; + NSSSlot **slots = NULL; + NSSSlot **slotp; + nssPKIObjectCollection *collection = NULL; + nssPKIObjectCallback pkiCallback; + nssUpdateLevel updateLevel; + NSSCertificate **cached = NULL; + nssList *certList; + certList = nssList_Create(NULL, PR_FALSE); + if (!certList) return NULL; + (void *)nssTrustDomain_GetCertsFromCache(td, certList); + cached = get_certs_from_list(certList); + collection = nssCertificateCollection_Create(td, cached); + nssCertificateArray_Destroy(cached); + nssList_Destroy(certList); + if (!collection) { + return (PRStatus *)NULL; + } + /* obtain the current set of active slots in the trust domain */ + slots = nssTrustDomain_GetActiveSlots(td, &updateLevel); + if (!slots) { + goto loser; + } + /* iterate over the slots */ + for (slotp = slots; *slotp; slotp++) { + /* get the token for the slot, if present */ + token = nssSlot_GetToken(*slotp); + if (token) { + nssSession *session; + nssCryptokiObject **instances; + nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; + /* get a session for the token */ + session = nssTrustDomain_GetSessionForToken(td, token); + if (!session) { + nssToken_Destroy(token); + goto loser; + } + /* perform the traversal */ + if (!isLoggedIn(tok)) { + instances = nssToken_FindPublicKeys(token, + session, + tokenOnly, + 0, &status); + } else { + instances = nssToken_FindPrivateKeys(token, + session, + tokenOnly, + 0, &status); + } + nssToken_Destroy(token); + if (status != PR_SUCCESS) { + goto loser; + } + /* add the found certificates to the collection */ + status = nssPKIObjectCollection_AddInstances(collection, + instances, 0); + nss_ZFreeIf(instances); + if (status != PR_SUCCESS) { + goto loser; + } + } + } + status = nssPKIObjectCollection_MatchCerts(collection); + if (status != PR_SUCCESS) { + goto loser; + } + /* Traverse the collection */ + pkiCallback.func.cert = callback; + pkiCallback.arg = arg; + status = nssPKIObjectCollection_Traverse(collection, &pkiCallback); + /* clean up */ + nssPKIObjectCollection_Destroy(collection); + nssSlotArray_Destroy(slots); + return NULL; +loser: + if (slots) { + nssSlotArray_Destroy(slots); + } + if (collection) { + nssPKIObjectCollection_Destroy(collection); + } + return NULL; +} +#endif + NSS_IMPLEMENT NSSTrust * nssTrustDomain_FindTrustForCertificate (