diff --git a/mozilla/security/nss/lib/certdb/certdb.c b/mozilla/security/nss/lib/certdb/certdb.c index e8ae8bfb8c7..c04773d71d0 100644 --- a/mozilla/security/nss/lib/certdb/certdb.c +++ b/mozilla/security/nss/lib/certdb/certdb.c @@ -34,7 +34,7 @@ /* * Certificate handling code * - * $Id: certdb.c,v 1.27 2002-04-12 19:05:04 relyea%netscape.com Exp $ + * $Id: certdb.c,v 1.28 2002-04-22 19:08:44 relyea%netscape.com Exp $ */ #include "nssilock.h" @@ -2028,17 +2028,11 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage, /* decode all of the certs into the temporary DB */ for ( i = 0, fcerts= 0; i < ncerts; i++) { - if ( keepCerts ) { - certs[fcerts] = CERT_DecodeDERCertificate(derCerts[i], - PR_FALSE, - NULL); - } else { - certs[fcerts] = CERT_NewTempCertificate(certdb, + certs[fcerts] = CERT_NewTempCertificate(certdb, derCerts[i], NULL, PR_FALSE, PR_TRUE); - } if (certs[fcerts]) fcerts++; } diff --git a/mozilla/security/nss/lib/certhigh/certhigh.c b/mozilla/security/nss/lib/certhigh/certhigh.c index 06cccb43b8a..59b597b3bff 100644 --- a/mozilla/security/nss/lib/certhigh/certhigh.c +++ b/mozilla/security/nss/lib/certhigh/certhigh.c @@ -91,6 +91,31 @@ CERT_MatchNickname(char *name1, char *name2) { return PR_TRUE; } +static SECStatus +cert_UserCertsOnly(CERTCertList *certList) +{ + CERTCertListNode *node, *freenode; + CERTCertificate *cert; + + node = CERT_LIST_HEAD(certList); + + while ( ! CERT_LIST_END(node, certList) ) { + cert = node->cert; + if ( !( cert->trust->sslFlags & CERTDB_USER ) && + !( cert->trust->emailFlags & CERTDB_USER ) && + !( cert->trust->objectSigningFlags & CERTDB_USER ) ) { + /* Not a User Cert, so remove this cert from the list */ + freenode = node; + node = CERT_LIST_NEXT(node); + CERT_RemoveCertListNode(freenode); + } else { + /* Is a User cert, so leave it in the list */ + node = CERT_LIST_NEXT(node); + } + } + + return(SECSuccess); +} /* * Find all user certificates that match the given criteria. @@ -157,6 +182,8 @@ CERT_FindUserCertsByUsage(CERTCertDBHandle *handle, /* collect certs for this nickname, sorting them into the list */ certList = CERT_CreateSubjectCertList(certList, handle, &cert->derSubject, time, validOnly); + + cert_UserCertsOnly(certList); /* drop the extra reference */ CERT_DestroyCertificate(cert); diff --git a/mozilla/security/nss/lib/dev/devm.h b/mozilla/security/nss/lib/dev/devm.h index 3551dbf6879..364ce82973d 100644 --- a/mozilla/security/nss/lib/dev/devm.h +++ b/mozilla/security/nss/lib/dev/devm.h @@ -35,7 +35,7 @@ #define DEVM_H #ifdef DEBUG -static const char DEVM_CVS_ID[] = "@(#) $RCSfile: devm.h,v $ $Revision: 1.7 $ $Date: 2002-04-19 16:14:06 $ $Name: not supported by cvs2svn $"; +static const char DEVM_CVS_ID[] = "@(#) $RCSfile: devm.h,v $ $Revision: 1.8 $ $Date: 2002-04-22 19:08:54 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ #ifndef BASE_H @@ -134,6 +134,12 @@ nssToken_IsLoginRequired NSSToken *token ); +NSS_EXTERN void +nssToken_Remove +( + NSSToken *token +); + NSS_EXTERN nssCryptokiObject * nssCryptokiObject_Create ( @@ -157,6 +163,12 @@ nssTokenObjectCache_Destroy nssTokenObjectCache *cache ); +NSS_EXTERN void +nssTokenObjectCache_Clear +( + nssTokenObjectCache *cache +); + NSS_EXTERN PRBool nssTokenObjectCache_HaveObjectClass ( diff --git a/mozilla/security/nss/lib/dev/devslot.c b/mozilla/security/nss/lib/dev/devslot.c index 3d110e8b16e..57c58867c23 100644 --- a/mozilla/security/nss/lib/dev/devslot.c +++ b/mozilla/security/nss/lib/dev/devslot.c @@ -32,7 +32,7 @@ */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: devslot.c,v $ $Revision: 1.5 $ $Date: 2002-04-19 23:06:39 $ $Name: not supported by cvs2svn $"; +static const char CVS_ID[] = "@(#) $RCSfile: devslot.c,v $ $Revision: 1.6 $ $Date: 2002-04-22 19:08:54 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ #ifndef NSSCKEPV_H @@ -301,6 +301,8 @@ nssSlot_IsTokenPresent } #endif slot->token->base.name[0] = 0; /* XXX */ + /* clear the token cache */ + nssToken_Remove(slot->token); return PR_FALSE; #ifdef PURE_STAN_CODE } else if (!slot->token) { diff --git a/mozilla/security/nss/lib/dev/devtoken.c b/mozilla/security/nss/lib/dev/devtoken.c index 5d4605ce3fb..29163071ae4 100644 --- a/mozilla/security/nss/lib/dev/devtoken.c +++ b/mozilla/security/nss/lib/dev/devtoken.c @@ -32,7 +32,7 @@ */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.16 $ $Date: 2002-04-22 14:14:39 $ $Name: not supported by cvs2svn $"; +static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.17 $ $Date: 2002-04-22 19:08:55 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ #ifndef NSSCKEPV_H @@ -160,6 +160,15 @@ nssToken_Destroy return PR_SUCCESS; } +NSS_IMPLEMENT void +nssToken_Remove +( + NSSToken *tok +) +{ + nssTokenObjectCache_Clear(tok->cache); +} + NSS_IMPLEMENT void NSSToken_Destroy ( diff --git a/mozilla/security/nss/lib/dev/devutil.c b/mozilla/security/nss/lib/dev/devutil.c index 769c48722b0..a7d767e274d 100644 --- a/mozilla/security/nss/lib/dev/devutil.c +++ b/mozilla/security/nss/lib/dev/devutil.c @@ -32,7 +32,7 @@ */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: devutil.c,v $ $Revision: 1.10 $ $Date: 2002-04-22 15:21:06 $ $Name: not supported by cvs2svn $"; +static const char CVS_ID[] = "@(#) $RCSfile: devutil.c,v $ $Revision: 1.11 $ $Date: 2002-04-22 19:08:55 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ #ifndef DEVM_H @@ -619,6 +619,17 @@ clear_cache } } +NSS_IMPLEMENT void +nssTokenObjectCache_Clear +( + nssTokenObjectCache *cache +) +{ + if (cache) { + clear_cache(cache); + } +} + NSS_IMPLEMENT void nssTokenObjectCache_Destroy ( @@ -777,7 +788,7 @@ search_for_objects NSSSlot *slot = nssToken_GetSlot(cache->token); if (!nssSlot_IsTokenPresent(slot)) { /* The token is no longer present, destroy any cached objects */ - clear_cache(cache); + /* clear_cache(cache); */ nssSlot_Destroy(slot); return PR_FALSE; } diff --git a/mozilla/security/nss/lib/pk11wrap/pk11cert.c b/mozilla/security/nss/lib/pk11wrap/pk11cert.c index bf1e74450bd..8097611892e 100644 --- a/mozilla/security/nss/lib/pk11wrap/pk11cert.c +++ b/mozilla/security/nss/lib/pk11wrap/pk11cert.c @@ -971,7 +971,9 @@ pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *), rv = PK11_Authenticate(le->slot, PR_FALSE, wincx); if (rv != SECSuccess) continue; } - (*callback)(le->slot,arg); + if (callback) { + (*callback)(le->slot,arg); + } } PK11_FreeSlotList(list); @@ -3206,12 +3208,16 @@ pk11ListCertCallback(CERTCertificate *cert, void *arg) CERTCertList *certList = listCertP->certList; CERTCertTrust *trust; PRBool isUnique = PR_FALSE; + PRBool isCA = PR_FALSE; char *nickname = NULL; unsigned int certType; if ((type == PK11CertListUnique) || (type == PK11CertListRootUnique)) { isUnique = PR_TRUE; } + if ((type == PK11CertListCA) || (type == PK11CertListRootUnique)) { + isCA = PR_TRUE; + } /* at this point the nickname is correct for the cert. save it for later */ if (!isUnique && cert->nickname) { nickname = PORT_ArenaStrdup(listCertP->certList->arena,cert->nickname); @@ -3255,7 +3261,7 @@ pk11ListCertCallback(CERTCertificate *cert, void *arg) } /* if we want CA certs and it ain't one, skip it */ - if( type == PK11CertListCA && (!CERT_IsCACert(newCert, &certType)) ) { + if( isCA && (!CERT_IsCACert(newCert, &certType)) ) { CERT_DestroyCertificate(newCert); return SECSuccess; } @@ -3298,7 +3304,18 @@ PK11_ListCerts(PK11CertListType type, void *pwarg) listCerts.certList = certList; pk11cb.callback = pk11ListCertCallback; pk11cb.arg = &listCerts; - NSSTrustDomain_TraverseCertificates(defaultTD, convert_cert, &pk11cb); + + /* authenticate to the slots */ + (void) pk11_TraverseAllSlots( NULL, NULL, pwarg); +#ifdef notdef + if (type == PK11CertListUser) { + NSSTrustDomain_TraverseUserCertificates(defaultTD, convert_cert &pk11cb); + } else { + NSSTrustDomain_TraverseCertificates(defaultTD, convert_cert, &pk11cb); + } +#else + NSSTrustDomain_TraverseCertificates(defaultTD, convert_cert, &pk11cb); +#endif return certList; #endif } diff --git a/mozilla/security/nss/lib/pki/trustdomain.c b/mozilla/security/nss/lib/pki/trustdomain.c index 12dc3233b8b..ba0d369cbd1 100644 --- a/mozilla/security/nss/lib/pki/trustdomain.c +++ b/mozilla/security/nss/lib/pki/trustdomain.c @@ -32,7 +32,7 @@ */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.40 $ $Date: 2002-04-18 19:37:12 $ $Name: not supported by cvs2svn $"; +static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.41 $ $Date: 2002-04-22 19:09:01 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ #ifndef DEV_H @@ -1099,6 +1099,7 @@ NSSTrustDomain_TraverseCertificates } } } + /* Traverse the collection */ pkiCallback.func.cert = callback; pkiCallback.arg = arg; @@ -1117,6 +1118,104 @@ loser: return NULL; } +#ifdef notdef +/* + * search for Public and Private keys first + */ +NSS_IMPLEMENT PRStatus * +NSSTrustDomain_TraverseUserCertificates +( + NSSTrustDomain *td, + PRStatus (*callback)(NSSCertificate *c, void *arg), + void *arg +) +{ + PRStatus status; + NSSToken *token = NULL; + NSSSlot **slots = NULL; + NSSSlot **slotp; + nssPKIObjectCollection *collection = NULL; + nssPKIObjectCallback pkiCallback; + nssUpdateLevel updateLevel; + NSSCertificate **cached = NULL; + nssList *certList; + certList = nssList_Create(NULL, PR_FALSE); + if (!certList) return NULL; + (void *)nssTrustDomain_GetCertsFromCache(td, certList); + cached = get_certs_from_list(certList); + collection = nssCertificateCollection_Create(td, cached); + nssCertificateArray_Destroy(cached); + nssList_Destroy(certList); + if (!collection) { + return (PRStatus *)NULL; + } + /* obtain the current set of active slots in the trust domain */ + slots = nssTrustDomain_GetActiveSlots(td, &updateLevel); + if (!slots) { + goto loser; + } + /* iterate over the slots */ + for (slotp = slots; *slotp; slotp++) { + /* get the token for the slot, if present */ + token = nssSlot_GetToken(*slotp); + if (token) { + nssSession *session; + nssCryptokiObject **instances; + nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; + /* get a session for the token */ + session = nssTrustDomain_GetSessionForToken(td, token); + if (!session) { + nssToken_Destroy(token); + goto loser; + } + /* perform the traversal */ + if (!isLoggedIn(tok)) { + instances = nssToken_FindPublicKeys(token, + session, + tokenOnly, + 0, &status); + } else { + instances = nssToken_FindPrivateKeys(token, + session, + tokenOnly, + 0, &status); + } + nssToken_Destroy(token); + if (status != PR_SUCCESS) { + goto loser; + } + /* add the found certificates to the collection */ + status = nssPKIObjectCollection_AddInstances(collection, + instances, 0); + nss_ZFreeIf(instances); + if (status != PR_SUCCESS) { + goto loser; + } + } + } + status = nssPKIObjectCollection_MatchCerts(collection); + if (status != PR_SUCCESS) { + goto loser; + } + /* Traverse the collection */ + pkiCallback.func.cert = callback; + pkiCallback.arg = arg; + status = nssPKIObjectCollection_Traverse(collection, &pkiCallback); + /* clean up */ + nssPKIObjectCollection_Destroy(collection); + nssSlotArray_Destroy(slots); + return NULL; +loser: + if (slots) { + nssSlotArray_Destroy(slots); + } + if (collection) { + nssPKIObjectCollection_Destroy(collection); + } + return NULL; +} +#endif + NSS_IMPLEMENT NSSTrust * nssTrustDomain_FindTrustForCertificate (