diff --git a/mozilla/security/nss/lib/dev/dev.h b/mozilla/security/nss/lib/dev/dev.h index ce88d08c40e..6018415650c 100644 --- a/mozilla/security/nss/lib/dev/dev.h +++ b/mozilla/security/nss/lib/dev/dev.h @@ -35,7 +35,7 @@ #define DEV_H #ifdef DEBUG -static const char DEV_CVS_ID[] = "@(#) $RCSfile: dev.h,v $ $Revision: 1.20 $ $Date: 2002-03-07 22:07:48 $ $Name: not supported by cvs2svn $"; +static const char DEV_CVS_ID[] = "@(#) $RCSfile: dev.h,v $ $Revision: 1.21 $ $Date: 2002-03-07 23:21:32 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ #ifndef DEVT_H @@ -281,6 +281,30 @@ nssToken_ImportTrust PRBool asTokenObject ); +NSS_EXTERN PRStatus +nssToken_SetTrustCache +( + NSSToken *tok +); + +NSS_EXTERN PRStatus +nssToken_SetCrlCache +( + NSSToken *tok +); + +NSS_EXTERN PRBool +nssToken_HasCrls +( + NSSToken *tok +); + +NSS_EXTERN PRStatus +nssToken_SetHasCrls +( + NSSToken *tok +); + NSS_EXTERN NSSPublicKey * nssToken_GenerateKeyPair ( diff --git a/mozilla/security/nss/lib/dev/devobject.c b/mozilla/security/nss/lib/dev/devobject.c index e0a0fceedef..675a4ccc9c2 100644 --- a/mozilla/security/nss/lib/dev/devobject.c +++ b/mozilla/security/nss/lib/dev/devobject.c @@ -32,7 +32,7 @@ */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: devobject.c,v $ $Revision: 1.20 $ $Date: 2002-03-07 22:07:49 $ $Name: not supported by cvs2svn $"; +static const char CVS_ID[] = "@(#) $RCSfile: devobject.c,v $ $Revision: 1.21 $ $Date: 2002-03-07 23:21:32 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ #ifndef DEV_H 
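Review bot: The four declarations added to dev.h in the `@@ -281,6 +281,30 @@` hunk have no comment, and their names do not say that two of them query the token while the other two only read or write a cached flag. A short header comment would help, for example `/* nssToken_SetTrustCache / nssToken_SetCrlCache: search the token once and record whether any trust / CRL object exists */` and `/* nssToken_HasCrls: PR_FALSE only if a prior search found no CRL objects */`. The prototypes also name the parameter `tok` while the definitions of nssToken_SetTrustCache and nssToken_SetCrlCache in devobject.c use `token`; using one name in both places keeps the header and implementation easy to match.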
@@ -916,11 +916,66 @@ nssToken_ImportTrust /* XXX Fix this! */ nssListIterator_Destroy(trust->object.instances); trust->object.instances = nssList_CreateIterator(trust->object.instanceList); + tok->hasNoTrust = PR_FALSE; return PR_SUCCESS; } return PR_FAILURE; } +NSS_IMPLEMENT PRStatus +nssToken_SetTrustCache +( + NSSToken *token +) +{ + CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST; + CK_ATTRIBUTE_PTR attr; + CK_ATTRIBUTE tobj_template[2]; + CK_ULONG tobj_size; + CK_OBJECT_HANDLE obj; + nssSession *session = token->defaultSession; + + NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size); + NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc); + NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true); + NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size); + + obj = find_object_by_template(token, session, + tobj_template, tobj_size); + token->hasNoTrust = PR_FALSE; + if (obj == CK_INVALID_HANDLE) { + token->hasNoTrust = PR_TRUE; + } + return PR_SUCCESS; +} + +NSS_IMPLEMENT PRStatus +nssToken_SetCrlCache +( + NSSToken *token +) +{ + CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_CRL; + CK_ATTRIBUTE_PTR attr; + CK_ATTRIBUTE tobj_template[2]; + CK_ULONG tobj_size; + CK_OBJECT_HANDLE obj; + nssSession *session = token->defaultSession; + + NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size); + NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc); + NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true); + NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size); + + obj = find_object_by_template(token, session, + tobj_template, tobj_size); + token->hasNoCrls = PR_TRUE; + if (obj == CK_INVALID_HANDLE) { + token->hasNoCrls = PR_TRUE; + } + return PR_SUCCESS; +} + static CK_OBJECT_HANDLE get_cert_trust_handle ( 
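Review bot: In nssToken_SetCrlCache the flag is preset with `token->hasNoCrls = PR_TRUE;` before the handle check, so it ends up PR_TRUE whether or not a CKO_NETSCAPE_CRL object was found; nssToken_SetTrustCache just above starts from PR_FALSE. As written, every token that goes through nssToken_LoadCerts is marked as holding no CRLs. The PK11_FindCrlByName hunk in pk11cert.c then skips it, so a CRL stored on the token is not consulted for revocation until PK11_PutCrl clears the flag. The preset should read `token->hasNoCrls = PR_FALSE;`. Both functions also treat CK_INVALID_HANDLE as "object absent"; find_object_by_template is not shown, so if it returns the same value on a session or token error, that failure would be cached as absence. This is worth confirming, and in that case the flag should stay PR_FALSE.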
@@ -936,6 +991,10 @@ get_cert_trust_handle CK_ULONG tobj_size; PRUint8 sha1[20]; /* this is cheating... */ NSSItem sha1_result; + + if (token->hasNoTrust) { + return CK_INVALID_HANDLE; + } sha1_result.data = sha1; sha1_result.size = sizeof sha1; sha1_hash(&c->encoding, &sha1_result); NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size); diff --git a/mozilla/security/nss/lib/dev/devt.h b/mozilla/security/nss/lib/dev/devt.h index efced27f183..99c5ea10b59 100644 --- a/mozilla/security/nss/lib/dev/devt.h +++ b/mozilla/security/nss/lib/dev/devt.h @@ -35,7 +35,7 @@ #define DEVT_H #ifdef DEBUG -static const char DEVT_CVS_ID[] = "@(#) $RCSfile: devt.h,v $ $Revision: 1.12 $ $Date: 2002-03-07 22:07:50 $ $Name: not supported by cvs2svn $"; +static const char DEVT_CVS_ID[] = "@(#) $RCSfile: devt.h,v $ $Revision: 1.13 $ $Date: 2002-03-07 23:21:33 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ /* @@ -132,6 +132,8 @@ struct NSSTokenStr nssSession *defaultSession; NSSTrustDomain *trustDomain; PRIntervalTime lastTime; + PRBool hasNoTrust; + PRBool hasNoCrls; #ifdef NSS_3_4_CODE PK11SlotInfo *pk11slot; nssList *certList; /* local cache of certs for slow tokens */ diff --git a/mozilla/security/nss/lib/dev/devtoken.c b/mozilla/security/nss/lib/dev/devtoken.c index a99acb25982..c0ce7c3489a 100644 --- a/mozilla/security/nss/lib/dev/devtoken.c +++ b/mozilla/security/nss/lib/dev/devtoken.c @@ -32,7 +32,7 @@ */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.9 $ $Date: 2002-03-06 01:44:47 $ $Name: not supported by cvs2svn $"; +static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.10 $ $Date: 2002-03-07 23:21:33 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ #ifndef DEV_H 
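Review bot: The early `return CK_INVALID_HANDLE;` in get_cert_trust_handle relies on a flag that this commit writes in only two places: nssToken_SetTrustCache, called once from nssToken_LoadCerts, and nssToken_ImportTrust, which clears it. Nothing visible resets it when the token's contents change by another route, such as a different token inserted in the slot or trust objects written by another application. A stale PR_TRUE would then hide trust and distrust records from every later lookup, and hasNoCrls has the same exposure in PK11_FindCrlByName. If token removal and insertion re-run nssToken_LoadCerts through a path outside this diff, a comment saying so would settle it; otherwise both flags should be reset to PR_FALSE wherever token presence changes. The function body continues outside the hunk.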
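Review bot: The two fields added to struct NSSTokenStr in devt.h are negative-sense caches, but nothing at the declaration says so, and the neighbouring `certList` field does carry a comment. I would add one to each, for example `PRBool hasNoTrust; /* PR_TRUE: a search found no trust objects, skip lookups */` and the equivalent for `hasNoCrls`. It is also worth stating there that PR_FALSE means "unknown or present", since nssToken_Create initialises both to PR_FALSE before any search has run.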
@@ -134,6 +134,8 @@ nssToken_Create rvToken->name = tokenName; rvToken->ckFlags = tokenInfo.flags; rvToken->defaultSession = session; + rvToken->hasNoTrust = PR_FALSE; + rvToken->hasNoCrls = PR_FALSE; if (mark) { nssrv = nssArena_Unmark(arena, mark); if (nssrv != PR_SUCCESS) { @@ -279,6 +281,25 @@ nssToken_IsPresent } } +NSS_IMPLEMENT PRBool +nssToken_HasCrls +( + NSSToken *tok +) +{ + return !tok->hasNoCrls; +} + +NSS_IMPLEMENT PRStatus +nssToken_SetHasCrls +( + NSSToken *tok +) +{ + tok->hasNoCrls = PR_FALSE; + return PR_SUCCESS; +} + NSS_IMPLEMENT NSSItem * nssToken_Digest ( diff --git a/mozilla/security/nss/lib/pk11wrap/pk11cert.c b/mozilla/security/nss/lib/pk11wrap/pk11cert.c index 42c7d4c4eff..9611ff06f33 100644 --- a/mozilla/security/nss/lib/pk11wrap/pk11cert.c +++ b/mozilla/security/nss/lib/pk11wrap/pk11cert.c @@ -3710,6 +3710,9 @@ PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *crlHandle, /* loop through all the fortezza tokens */ for (le = list->head; le; le = le->next) { + if (le->slot->nssToken && !nssToken_HasCrls(le->slot->nssToken)) { + continue; + } crlh = pk11_FindObjectByTemplate(le->slot,theTemplate,tsize); if (crlh != CK_INVALID_HANDLE) { *slot = PK11_ReferenceSlot(le->slot); @@ -3806,6 +3809,10 @@ PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name, } PK11_RestoreROSession(slot,rwsession); + + if (slot->nssToken) { + nssToken_SetHasCrls(slot->nssToken); + } return crlh; } diff --git a/mozilla/security/nss/lib/pki/pki3hack.c b/mozilla/security/nss/lib/pki/pki3hack.c index 27eb9e85df0..0a62f9cf55d 100644 --- a/mozilla/security/nss/lib/pki/pki3hack.c +++ b/mozilla/security/nss/lib/pki/pki3hack.c 
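Review bot: nssToken_HasCrls in the `@@ -279,6 +281,25 @@` hunk returns `!tok->hasNoCrls`, so it answers PR_TRUE for a token that has never been searched, because nssToken_Create sets the flag to PR_FALSE. The name reads as positive knowledge, while the value really means "CRLs may be present". Callers such as PK11_FindCrlByName use it to decide whether to search at all, so I would document the contract on the function: `/* Returns PR_FALSE only when a search of the token found no CRL objects; PR_TRUE otherwise, including when no search has run. */`. Both new functions dereference `tok` without a check, and the visible callers in pk11cert.c guard with `slot->nssToken` first, so that precondition belongs in the comment too.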
@@ -32,7 +32,7 @@ */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.42 $ $Date: 2002-03-07 22:53:40 $ $Name: not supported by cvs2svn $"; +static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.43 $ $Date: 2002-03-07 23:21:39 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ /* @@ -264,6 +264,9 @@ nssToken_LoadCerts(NSSToken *token) } /* ignore the rv, just work without the list */ (void)nssToken_TraverseCertificates(token, NULL, &search); + (void)nssToken_SetTrustCache(token); + (void)nssToken_SetCrlCache(token); + /* even if there are no certs, leave a valid list pointer should * any be imported. Having the pointer will also prevent searches, * see below.