Don't decode or extract trust for certs if we are just getting the nicknames -- particularly for user certs.

2002-06-24 22:36:59 +00:00 · 2002-06-24 22:36:59 +00:00 · acca079eec
--- a/security/nss/lib/certhigh/certhigh.c
+++ b/security/nss/lib/certhigh/certhigh.c
@ -44,6 +44,7 @@
 #define NSS_3_4_CODE
 #endif
 #include "nsspki.h"
+#include "pki.h"
 #include "pkit.h"
 #include "pkitm.h"
 #include "pki3hack.h"
@ -384,50 +385,59 @@ typedef struct stringNode {
 } stringNode;
    
 static SECStatus
-CollectNicknames( CERTCertificate *cert, SECItem *k, void *data)
+CollectNicknames( NSSCertificate *c, void *data)
 {
    CERTCertNicknames *names;
    PRBool saveit = PR_FALSE;
-    CERTCertTrust *trust;
    stringNode *node;
    int len;
+    NSSTrustDomain *td;
+    NSSTrust *trust;
+    char *nickname;
    
    names = (CERTCertNicknames *)data;
+
+    nickname = nssCertificate_GetNickname(c,NULL);
    
-    if ( cert->nickname ) {
-	trust = cert->trust;
-	
-	switch(names->what) {
-	  case SEC_CERT_NICKNAMES_ALL:
-	    if ( ( trust->sslFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
-	      ( trust->emailFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
-	      ( trust->objectSigningFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ) {
-		saveit = PR_TRUE;
-	    }
-	    
-	    break;
-	  case SEC_CERT_NICKNAMES_USER:
-	    if ( ( trust->sslFlags & CERTDB_USER ) ||
-		( trust->emailFlags & CERTDB_USER ) ||
-		( trust->objectSigningFlags & CERTDB_USER ) ) {
-		saveit = PR_TRUE;
-	    }
-	    
-	    break;
-	  case SEC_CERT_NICKNAMES_SERVER:
-	    if ( trust->sslFlags & CERTDB_VALID_PEER ) {
-		saveit = PR_TRUE;
-	    }
-	    
-	    break;
-	  case SEC_CERT_NICKNAMES_CA:
-	    if ( ( ( trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
-		( ( trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
-		( ( trust->objectSigningFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ) {
-		saveit = PR_TRUE;
-	    }
-	    break;
+    if ( nickname ) {
+	if (names->what == SEC_CERT_NICKNAMES_USER) {
+	    saveit = NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL);
 	}
+#ifdef notdef
+	  else {
+	    td = NSSCertificate_GetTrustDomain(c);
+	    if (!td) {
+		return SECSuccess;
+	    }
+	    trust = nssTrustDomain_FindTrustForCertificate(td,c);
+	
+	    switch(names->what) {
+	     case SEC_CERT_NICKNAMES_ALL:
+		if ((trust->sslFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
+		 (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
+		 (trust->objectSigningFlags & 
+					(CERTDB_VALID_CA|CERTDB_VALID_PEER))) {
+		    saveit = PR_TRUE;
+		}
+	    
+		break;
+	     case SEC_CERT_NICKNAMES_SERVER:
+		if ( trust->sslFlags & CERTDB_VALID_PEER ) {
+		    saveit = PR_TRUE;
+		}
+	    
+		break;
+	     case SEC_CERT_NICKNAMES_CA:
+		if (((trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA)||
+		 ((trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA) ||
+		 ((trust->objectSigningFlags & CERTDB_VALID_CA ) 
+							== CERTDB_VALID_CA)) {
+		    saveit = PR_TRUE;
+		}
+		break;
+	    }
+	}
+#endif
    }

    /* traverse the list of collected nicknames and make sure we don't make
@ -436,7 +446,7 @@ CollectNicknames( CERTCertificate *cert, SECItem *k, void *data)
    if ( saveit ) {
 	node = (stringNode *)names->head;
 	while ( node != NULL ) {
-	    if ( PORT_Strcmp(cert->nickname, node->string) == 0 ) { 
+	    if ( PORT_Strcmp(nickname, node->string) == 0 ) { 
 		/* if the string matches, then don't save this one */
 		saveit = PR_FALSE;
 		break;
@ -454,12 +464,12 @@ CollectNicknames( CERTCertificate *cert, SECItem *k, void *data)
 	}

 	/* copy the string */
-	len = PORT_Strlen(cert->nickname) + 1;
+	len = PORT_Strlen(nickname) + 1;
 	node->string = (char*)PORT_ArenaAlloc(names->arena, len);
 	if ( node->string == NULL ) {
 	    return(SECFailure);
 	}
-	PORT_Memcpy(node->string, cert->nickname, len);
+	PORT_Memcpy(node->string, nickname, len);

 	/* link it into the list */
 	node->next = (stringNode *)names->head;
@ -498,12 +508,12 @@ CERT_GetCertNicknames(CERTCertDBHandle *handle, int what, void *wincx)
    names->nicknames = NULL;
    names->what = what;
    names->totallen = 0;
-    
-    rv = PK11_TraverseSlotCerts(CollectNicknames, (void *)names, wincx);
-    if ( rv ) {
-	goto loser;
-    }

+    /* make sure we are logged in */
+    (void) pk11_TraverseAllSlots(NULL, NULL, wincx);
+   
+    NSSTrustDomain_TraverseCertificates(handle,
+					    CollectNicknames, (void *)names);
    if ( names->numnicknames ) {
 	names->nicknames = (char**)PORT_ArenaAlloc(arena,
 					 names->numnicknames * sizeof(char *));
--- a/security/nss/lib/dev/dev.h
+++ b/security/nss/lib/dev/dev.h
@ -41,7 +41,7 @@
 */

 #ifdef DEBUG
-static const char DEV_CVS_ID[] = "@(#) $RCSfile: dev.h,v $ $Revision: 1.28 $ $Date: 2002-05-21 21:23:33 $ $Name:  $";
+static const char DEV_CVS_ID[] = "@(#) $RCSfile: dev.h,v $ $Revision: 1.29 $ $Date: 2002-06-24 22:36:53 $ $Name:  $";
 #endif /* DEBUG */

 #ifndef NSSCKT_H
@ -963,6 +963,15 @@ nssToken_TraverseCertificates
  void *arg
 );

+NSS_EXTERN PRBool
+nssToken_IsPrivateKeyAvailable
+(
+  NSSToken *token,
+  NSSCertificate *c,
+  nssCryptokiObject *instance
+);
+
+
 #endif

 PR_END_EXTERN_C
--- a/security/nss/lib/dev/devslot.c
+++ b/security/nss/lib/dev/devslot.c
@ -32,7 +32,7 @@
 */

 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: devslot.c,v $ $Revision: 1.9 $ $Date: 2002-06-13 21:40:43 $ $Name:  $";
+static const char CVS_ID[] = "@(#) $RCSfile: devslot.c,v $ $Revision: 1.10 $ $Date: 2002-06-24 22:36:53 $ $Name:  $";
 #endif /* DEBUG */

 #ifndef NSSCKEPV_H
@ -48,7 +48,7 @@ static const char CVS_ID[] = "@(#) $RCSfile: devslot.c,v $ $Revision: 1.9 $ $Dat
 #endif /* CKHELPER_H */

 /* measured in seconds */
-#define NSSSLOT_TOKEN_DELAY_TIME 10
+#define NSSSLOT_TOKEN_DELAY_TIME 1

 /* this should track global and per-transaction login information */

--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@ -32,7 +32,7 @@
 */

 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.23 $ $Date: 2002-05-20 23:21:34 $ $Name:  $";
+static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.24 $ $Date: 2002-06-24 22:36:53 $ $Name:  $";
 #endif /* DEBUG */

 #ifndef NSSCKEPV_H
@ -1662,3 +1662,26 @@ loser:
    return PR_FAILURE;
 }

+NSS_IMPLEMENT PRStatus
+nssToken_IsPrivateKeyAvailable
+(
+  NSSToken *token,
+  NSSCertificate *c,
+  nssCryptokiObject *instance
+)
+{
+    CK_OBJECT_CLASS theClass;
+
+    if (token == NULL) return PR_FALSE;
+    if (c == NULL) return PR_FALSE;
+
+    theClass = CKO_PRIVATE_KEY;
+    if (!nssSlot_IsLoggedIn(token->slot)) {
+	theClass = CKO_PUBLIC_KEY;
+    }
+    if (PK11_MatchItem(token->pk11slot, instance->handle, theClass) 
+						!= CK_INVALID_HANDLE) {
+	return PR_TRUE;
+    }
+    return PR_FALSE;
+}
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@ -951,7 +951,7 @@ typedef struct pk11CertCallbackStr {
 /*
 * Extract all the certs on a card from a slot.
 */
-static SECStatus
+SECStatus
 pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *),
 						void *arg,void *wincx) {
    PK11SlotList *list;
--- a/security/nss/lib/pk11wrap/pk11func.h
+++ b/security/nss/lib/pk11wrap/pk11func.h
@ -560,6 +560,11 @@ char * PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) ;
 SECStatus PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, 
 						const char *nickname) ;

+
+/* private */
+SECStatus pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *),
+	void *cbArg, void *pwArg);
+
 SEC_END_PROTOS

 #endif
--- a/security/nss/lib/pki/certificate.c
+++ b/security/nss/lib/pki/certificate.c
@ -32,7 +32,7 @@
 */

 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: certificate.c,v $ $Revision: 1.36 $ $Date: 2002-05-20 18:05:10 $ $Name:  $";
+static const char CVS_ID[] = "@(#) $RCSfile: certificate.c,v $ $Revision: 1.37 $ $Date: 2002-06-24 22:36:59 $ $Name:  $";
 #endif /* DEBUG */

 #ifndef NSSPKI_H
@ -669,8 +669,20 @@ NSSCertificate_IsPrivateKeyAvailable
  PRStatus *statusOpt
 )
 {
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FALSE;
+    PRBool isUser = PR_FALSE;
+    nssCryptokiObject **ip;
+    nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
+    if (!instances) {
+	return PR_FALSE;
+    }
+    for (ip = instances; *ip; ip++) {
+	nssCryptokiObject *instance = *ip;
+	if (nssToken_IsPrivateKeyAvailable(instance->token, c, instance)) {
+	    isUser = PR_TRUE;
+	}
+    }
+    nssCryptokiObjectArray_Destroy(instances);
+    return isUser;
 }

 NSS_IMPLEMENT PRBool
@ -1112,4 +1124,3 @@ nssCRL_GetEncoding
 	return (NSSDER *)NULL;
    }
 }
-
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@ -32,7 +32,7 @@
 */

 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.55 $ $Date: 2002-05-21 21:22:55 $ $Name:  $";
+static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.56 $ $Date: 2002-06-24 22:36:59 $ $Name:  $";
 #endif /* DEBUG */

 /*
@ -446,10 +446,6 @@ nssDecodedPKIXCertificate_Destroy
    return PR_SUCCESS;
 }

-/* From pk11cert.c */
-extern PRBool
-PK11_IsUserCert(PK11SlotInfo *, CERTCertificate *, CK_OBJECT_HANDLE);
-
 /* see pk11cert.c:pk11_HandleTrustObject */
 static unsigned int
 get_nss3trust_from_nss4trust(CK_TRUST t)
@ -492,25 +488,6 @@ cert_trust_from_stan_trust(NSSTrust *t, PRArenaPool *arena)
    return rvTrust;
 }

-/* check all cert instances for private key */
-static PRBool is_user_cert(NSSCertificate *c, CERTCertificate *cc)
-{
-    PRBool isUser = PR_FALSE;
-    nssCryptokiObject **ip;
-    nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
-    if (!instances) {
-	return PR_FALSE;
-    }
-    for (ip = instances; *ip; ip++) {
-	nssCryptokiObject *instance = *ip;
-	if (PK11_IsUserCert(instance->token->pk11slot, cc, instance->handle)) {
-	    isUser = PR_TRUE;
-	}
-    }
-    nssCryptokiObjectArray_Destroy(instances);
-    return isUser;
-}
-
 CERTCertTrust * 
 nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc)
 {
@ -532,7 +509,7 @@ nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc)
 	}
 	memset(rvTrust, 0, sizeof(*rvTrust));
    }
-    if (is_user_cert(c, cc)) {
+    if (NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL)) {
 	if (!rvTrust) {
 	}
 	rvTrust->sslFlags |= CERTDB_USER;
--- a/security/nss/lib/pki/pkibase.c
+++ b/security/nss/lib/pki/pkibase.c
@ -32,7 +32,7 @@
 */

 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: pkibase.c,v $ $Revision: 1.8 $ $Date: 2002-05-20 23:21:39 $ $Name:  $";
+static const char CVS_ID[] = "@(#) $RCSfile: pkibase.c,v $ $Revision: 1.9 $ $Date: 2002-06-24 22:36:59 $ $Name:  $";
 #endif /* DEBUG */

 #ifndef DEV_H
@ -1026,10 +1026,10 @@ cert_createObject(nssPKIObject *o)
    NSSCertificate *cert;
    cert = nssCertificate_Create(o);
 #ifdef NSS_3_4_CODE
-    if (STAN_GetCERTCertificate(cert) == NULL) {
+/*    if (STAN_GetCERTCertificate(cert) == NULL) {
 	nssCertificate_Destroy(cert);
 	return (nssPKIObject *)NULL;
-    }
+    } */
    /* In 3.4, have to maintain uniqueness of cert pointers by caching all
     * certs.  Cache the cert here, before returning.  If it is already
     * cached, take the cached entry.