1) use NewTempCert rather than DERDecode cert in all import cert cases.
When DERDecode cert is used, we may wind up with a cert that gets cleared
when we try to import it because it already in the cache. NewTempCert will
return the version that is in the cache.
2) If we are returning the CAList, only return certs that are CA's
(not usercerts).
3) Authenticate to all the tokens if necessary before we try to list
certs. (Stan code should eventually get automatic authentication calls in
the code itself).
4) When looking up user certs, don't return those certs with the same
subject, but do not have any key material associated with them (that is
don't crash if we have old certs in our database without nicknames, but
match user certs on our smart cards).
5) Save the nickname associated with our subject list in the temp
cache so we can correctly remove the entry even if the cert's nickname
changes (because of smart card insertions and removals, or because of
creation and deletions of our user cert).
1) Implicit declaration of function.
2) Possibly unitialized variables.
These warnings have indicated some real problems in the code, so many changes
are not just to silence the warnings, but to fix the problems. Others were
inocuous, but the warnings were silenced to reduce the noise.
* separate trust object from cert object
* move handling of cryptoki objects into libdev
* implement digest in libdev (for trust object indexing)
* fixes in cache implementation; connect cache to 3.4 certs
* implement CERT_NewTempCertificate via crypto context
remove lots of depricated files.
move some files to appropriate directories (pcertdb *_rand
associated headers to soft token, for instance)
rename several stan files which had the same name as other nss files.
remove depricated functions.
address of an external variable that comes from another DLL.
This is a fundamental difference between WIN32 DLLs and Unix DSOs.
So, for every SEC_ASN1Template inside of libnss3 that is referenced by
other templates outside of libnss3, a new "chooser" function was created
that returns the address of that template. For WIN32, the templates
outside of libnss3 access libnss3's templates by the chooser function
rather than by direct reference. Some simple macros allow Unix to
continue to use direct references, avoiding the extra function calls.
With these changes, all.sh (qa script) passes all tests on NT with DLLs.
Modified Files:
cmd/checkcert/checkcert.c cmd/lib/secutil.c lib/asn1/asn1t.h
lib/certdb/certdb.c lib/certdb/certt.h lib/certdb/crl.c
lib/certhigh/certreq.c lib/crmf/asn1cmn.c lib/crmf/crmfcont.c
lib/crmf/crmftmpl.c lib/cryptohi/secsign.c lib/nss/nss.def
lib/pkcs12/p12local.c lib/pkcs12/p12tmpl.c
lib/pkcs7/certread.c lib/pkcs7/p7decode.c lib/pkcs7/p7local.c
lib/smime/cmsasn1.c lib/smime/cmsattr.c lib/smime/cmspubkey.c
lib/smime/cmssigdata.c lib/smime/smimeutil.c
lib/softoken/keydb.c lib/softoken/keydbt.h lib/util/secalgid.c
lib/util/secasn1.h lib/util/secasn1d.c lib/util/secasn1t.h
lib/util/secasn1u.c lib/util/secdig.c lib/util/secdig.h
lib/util/secoid.h
As a result of this move I have to export one more data symbol
(SECAnyTemplate) from libnss3.so. :( Removed the temporary workaround
in coreconf/rules.mk.
Modified Files:
coreconf/rules.mk nss/lib/certhigh/manifest.mn
nss/lib/nss/mapfile nss/lib/nss/nss.def
nss/lib/pkcs7/manifest.mn
Added Files:
nss/lib/pkcs7/certread.c
Removed Files:
nss/lib/certhigh/certread.c
CERT_CertChainFromCert in ssl_DupSocket(). This is MUCH faster. This is
the first approximation of the right fix. The next step is to consider
doing ref counting instead of actual duplication. Fixes bug 51425 .