the last step - restrict trust domain and PK11_ searches to token objects

also, make sure trust is grabbed from crypto context
ian.mcgreer%sun.com 2001-12-14 20:50:59 +00:00
Родитель d50881b931
Коммит baf889251d
3 изменённых файлов: 58 добавлений и 33 удалений


@ -1202,7 +1202,7 @@ PK11_FindCertFromNickname(char *nickname, void *wincx) {
search.callback = get_newest_cert;
search.cbarg = (void *)&cert;
search.cached = certList;
search.searchType = nssTokenSearchType_AllObjects;
search.searchType = nssTokenSearchType_TokenOnly;
/* find best cert on token */
nssToken_TraverseCertificatesByNickname(token, NULL,
(NSSUTF8 *)nickname,
@ -1293,7 +1293,7 @@ PK11_FindCertsFromNickname(char *nickname, void *wincx) {
search.callback = collect_certs;
search.cbarg = nameList;
search.cached = nameList;
search.searchType = nssTokenSearchType_AllObjects;
search.searchType = nssTokenSearchType_TokenOnly;
nssrv = nssToken_TraverseCertificatesByNickname(token, NULL,
nickname, &search);
count = nssList_Count(nameList);
@ -2336,7 +2336,7 @@ PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, PK11SlotInfo *slot,
search.callback = convert_cert;
search.cbarg = &pk11cb;
search.cached = subjectList;
search.searchType = nssTokenSearchType_AllObjects;
search.searchType = nssTokenSearchType_TokenOnly;
token = PK11Slot_GetNSSToken(slot);
nssrv = nssToken_TraverseCertificatesBySubject(token, NULL,
&subject, &search);
@ -2406,7 +2406,7 @@ PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot,
search.callback = convert_cert;
search.cbarg = &pk11cb;
search.cached = nameList;
search.searchType = nssTokenSearchType_AllObjects;
search.searchType = nssTokenSearchType_TokenOnly;
token = PK11Slot_GetNSSToken(slot);
nssrv = nssToken_TraverseCertificatesByNickname(token, NULL,
nick, &search);
@ -2459,7 +2459,7 @@ PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
search.callback = convert_cert;
search.cbarg = &pk11cb;
search.cached = certList;
search.searchType = nssTokenSearchType_AllObjects;
search.searchType = nssTokenSearchType_TokenOnly;
tok = PK11Slot_GetNSSToken(slot);
if (tok) {
nssrv = nssToken_TraverseCertificates(tok, NULL, &search);
@ -2516,7 +2516,7 @@ PK11_FindCertFromDERCert(PK11SlotInfo *slot, CERTCertificate *cert,
NSSITEM_FROM_SECITEM(&derCert, &cert->derCert);
/* XXX login to slots */
c = nssToken_FindCertificateByEncodedCertificate(tok, NULL, &derCert,
nssTokenSearchType_AllObjects);
nssTokenSearchType_TokenOnly);
if (c) {
rvCert = STAN_GetCERTCertificate(c);
}
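Review bot: In the PK11_TraverseCertsForSubjectInSlot and PK11_TraverseCertsForNicknameInSlot hunks the result of `PK11Slot_GetNSSToken(slot)` is handed straight to the traversal call, while the PK11_TraverseCertsInSlot hunk guards the same lookup with `if (tok) {`. Whether the nssToken_Traverse* functions tolerate a NULL token is not visible here, so the two unguarded sites should get the same guard, e.g. `if (token) {` around the `nssrv = nssToken_TraverseCertificatesBy...` call. All three functions start and end outside their hunks, so the appropriate failure return has to be chosen from the surrounding code.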


@ -32,7 +32,7 @@
*/
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.12 $ $Date: 2001-12-14 17:32:19 $ $Name: $";
static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.13 $ $Date: 2001-12-14 20:50:58 $ $Name: $";
#endif /* DEBUG */
/*
@ -387,11 +387,32 @@ get_nss3trust_from_cktrust(CK_TRUST t)
return rt;
}
static CERTCertTrust *
cert_trust_from_stan_trust(NSSTrust *t, PRArenaPool *arena)
{
CERTCertTrust *rvTrust;
unsigned int client;
if (!t) {
return NULL;
}
rvTrust = PORT_ArenaAlloc(arena, sizeof(CERTCertTrust));
if (!rvTrust) return NULL;
rvTrust->sslFlags = get_nss3trust_from_cktrust(t->serverAuth);
client = get_nss3trust_from_cktrust(t->clientAuth);
if (client & (CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA)) {
client &= ~(CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA);
rvTrust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA;
}
rvTrust->sslFlags |= client;
rvTrust->emailFlags = get_nss3trust_from_cktrust(t->emailProtection);
rvTrust->objectSigningFlags = get_nss3trust_from_cktrust(t->codeSigning);
return rvTrust;
}
static CERTCertTrust *
nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc)
{
CERTCertTrust *rvTrust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
unsigned int client;
CERTCertTrust *rvTrust;
NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
NSSToken *tok;
NSSTrust *tokenTrust;
@ -404,7 +425,7 @@ nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc)
tok = (NSSToken *)nssListIterator_Next(tokens))
{
tokenTrust = nssToken_FindTrustForCert(tok, NULL, c,
nssTokenSearchType_AllObjects);
nssTokenSearchType_TokenOnly);
if (tokenTrust) {
if (t) {
if (t->serverAuth == CKT_NETSCAPE_TRUST_UNKNOWN) {
@ -431,16 +452,9 @@ nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc)
if (!t) {
return NULL;
}
rvTrust->sslFlags = get_nss3trust_from_cktrust(t->serverAuth);
client = get_nss3trust_from_cktrust(t->clientAuth);
if (client & (CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA)) {
client &= ~(CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA);
rvTrust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA;
}
rvTrust->sslFlags |= client;
rvTrust->emailFlags = get_nss3trust_from_cktrust(t->emailProtection);
rvTrust->objectSigningFlags = get_nss3trust_from_cktrust(t->codeSigning);
if (PK11_IsUserCert(cc->slot, cc, cc->pkcs11ID)) {
rvTrust = cert_trust_from_stan_trust(t, cc->arena);
if (!rvTrust) return NULL;
if (cc->slot && PK11_IsUserCert(cc->slot, cc, cc->pkcs11ID)) {
rvTrust->sslFlags |= CERTDB_USER;
rvTrust->emailFlags |= CERTDB_USER;
rvTrust->objectSigningFlags |= CERTDB_USER;
@ -461,6 +475,8 @@ get_cert_instance(NSSCertificate *c)
static void
fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc)
{
NSSTrust *nssTrust;
NSSCryptoContext *context = c->object.cryptoContext;
nssCryptokiInstance *instance = get_cert_instance(c);
/* fill other fields needed by NSS3 functions using CERTCertificate */
if (!cc->nickname && c->nickname) {
@ -470,13 +486,22 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc)
memcpy(cc->nickname, c->nickname, len-1);
cc->nickname[len-1] = '\0';
}
if (instance) {
if (context) {
/* trust */
nssTrust = nssCryptoContext_FindTrustForCertificate(context, c);
if (nssTrust) {
cc->trust = cert_trust_from_stan_trust(nssTrust, cc->arena);
nssPKIObject_Destroy(&nssTrust->object);
} else {
cc->trust = nssTrust_GetCERTCertTrustForCert(c, cc);
}
} else if (instance) {
/* trust */
cc->trust = nssTrust_GetCERTCertTrustForCert(c, cc);
/* slot */
cc->slot = instance->token->pk11slot;
/* pkcs11ID */
cc->pkcs11ID = instance->handle;
/* trust */
cc->trust = nssTrust_GetCERTCertTrustForCert(c, cc);
}
/* database handle is now the trust domain */
cc->dbhandle = c->object.trustDomain;
@ -763,7 +788,7 @@ nssTrustDomain_TraverseCertificates
search.callback = callback;
search.cbarg = arg;
search.cached = certList;
search.searchType = nssTokenSearchType_AllObjects;
search.searchType = nssTokenSearchType_TokenOnly;
for (token = (NSSToken *)nssListIterator_Start(td->tokens);
token != (NSSToken *)NULL;
token = (NSSToken *)nssListIterator_Next(td->tokens))
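Review bot: In the fill_CERTCertificateFields hunk, `cc->slot` and `cc->pkcs11ID` are assigned only in the `else if (instance)` branch, so a certificate that has a crypto context never gets them here even when `get_cert_instance(c)` returned an instance. If a certificate can have both, the `cc->slot && PK11_IsUserCert(...)` test in nssTrust_GetCERTCertTrustForCert will skip the CERTDB_USER flags on the fallback path, and later readers of `cc->slot` will not find it filled in by this function. Filling the slot fields in their own `if (instance) { cc->slot = instance->token->pk11slot; cc->pkcs11ID = instance->handle; }` before the trust lookup would keep the two concerns separate. The same hunk also lets trust found in the crypto context take precedence over whatever the tokens store without saying so; a one-line comment such as `/* trust held in the crypto context overrides token trust */` would record that this is intended. The function body begins and ends outside the hunk.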


@ -32,7 +32,7 @@
*/
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.21 $ $Date: 2001-12-14 17:32:23 $ $Name: $";
static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.22 $ $Date: 2001-12-14 20:50:59 $ $Name: $";
#endif /* DEBUG */
#ifndef NSSPKI_H
@ -401,7 +401,7 @@ NSSTrustDomain_FindBestCertificateByNickname
search.callback = nssBestCertificate_Callback;
search.cbarg = &best;
search.cached = nameList;
search.searchType = nssTokenSearchType_AllObjects; /* XXX */
search.searchType = nssTokenSearchType_TokenOnly;
/* traverse the tokens */
for (token = (NSSToken *)nssListIterator_Start(td->tokens);
token != (NSSToken *)NULL;
@ -444,7 +444,7 @@ NSSTrustDomain_FindCertificatesByNickname
search.callback = collect_certs;
search.cbarg = &ca;
search.cached = nameList;
search.searchType = nssTokenSearchType_AllObjects; /* XXX */
search.searchType = nssTokenSearchType_TokenOnly;
/* traverse the tokens */
for (token = (NSSToken *)nssListIterator_Start(td->tokens);
token != (NSSToken *)NULL;
@ -496,7 +496,7 @@ NSSTrustDomain_FindCertificateByIssuerAndSerialNumber
NULL,
issuer,
serialNumber,
nssTokenSearchType_AllObjects);
nssTokenSearchType_TokenOnly);
if (rvCert) {
/* cache it */
nssTrustDomain_AddCertsToCache(td, &rvCert, 1);
@ -531,7 +531,7 @@ NSSTrustDomain_FindBestCertificateBySubject
search.callback = nssBestCertificate_Callback;
search.cbarg = &best;
search.cached = subjectList;
search.searchType = nssTokenSearchType_AllObjects; /* XXX */
search.searchType = nssTokenSearchType_TokenOnly;
/* traverse the tokens */
for (token = (NSSToken *)nssListIterator_Start(td->tokens);
token != (NSSToken *)NULL;
@ -574,7 +574,7 @@ NSSTrustDomain_FindCertificatesBySubject
search.callback = collect_certs;
search.cbarg = &ca;
search.cached = subjectList;
search.searchType = nssTokenSearchType_AllObjects; /* XXX */
search.searchType = nssTokenSearchType_TokenOnly;
/* traverse the tokens */
for (token = (NSSToken *)nssListIterator_Start(td->tokens);
token != (NSSToken *)NULL;
@ -649,7 +649,7 @@ NSSTrustDomain_FindCertificateByEncodedCertificate
{
rvCert = nssToken_FindCertificateByEncodedCertificate(tok, NULL,
encodedCertificate,
nssTokenSearchType_AllObjects);
nssTokenSearchType_TokenOnly);
if (rvCert) {
/* cache it */
nssTrustDomain_AddCertsToCache(td, &rvCert, 1);
@ -684,7 +684,7 @@ NSSTrustDomain_FindCertificateByEmail
search.callback = nssBestCertificate_Callback;
search.cbarg = &best;
search.cached = emailList;
search.searchType = nssTokenSearchType_AllObjects; /* XXX */
search.searchType = nssTokenSearchType_TokenOnly;
/* traverse the tokens */
for (token = (NSSToken *)nssListIterator_Start(td->tokens);
token != (NSSToken *)NULL;
@ -839,7 +839,7 @@ NSSTrustDomain_TraverseCertificates
search.callback = callback;
search.cbarg = arg;
search.cached = certList;
search.searchType = nssTokenSearchType_AllObjects;
search.searchType = nssTokenSearchType_TokenOnly;
/* traverse the tokens */
for (token = (NSSToken *)nssListIterator_Start(td->tokens);
token != (NSSToken *)NULL;
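Review bot: The `/* XXX */` markers on the five `search.searchType` assignments (FindBestCertificateByNickname, FindCertificatesByNickname, FindBestCertificateBySubject, FindCertificatesBySubject, FindCertificateByEmail) are dropped, but nothing on the new lines records the decision they were waiting on. A reader of trustdomain.c alone cannot tell that session objects are now excluded from trust-domain lookups on purpose; that is only stated in the commit title. I would replace the marker with a short comment at the first site, for example `/* token objects only; session objects are not searched from the trust domain */`, and let the other assignments in this file refer to it. Every function touched here starts and ends outside its hunk.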