From 3143ebfdf101afa4b9ca2fa68ed9911dc80c178b Mon Sep 17 00:00:00 2001 From: "ian.mcgreer%sun.com" Date: Fri, 14 Dec 2001 20:50:59 +0000 Subject: [PATCH] the last step - restrict trust domain and PK11_ searches to token objects also, make sure trust is grabbed from crypto context git-svn-id: svn://10.0.0.236/trunk@110480 18797224-902f-48f8-a5cc-f745e15eee43 --- mozilla/security/nss/lib/pk11wrap/pk11cert.c | 12 ++-- mozilla/security/nss/lib/pki/pki3hack.c | 61 ++++++++++++++------ mozilla/security/nss/lib/pki/trustdomain.c | 18 +++--- 3 files changed, 58 insertions(+), 33 deletions(-) diff --git a/mozilla/security/nss/lib/pk11wrap/pk11cert.c b/mozilla/security/nss/lib/pk11wrap/pk11cert.c index 0b58f913442..be50a9ad2c4 100644 --- a/mozilla/security/nss/lib/pk11wrap/pk11cert.c +++ b/mozilla/security/nss/lib/pk11wrap/pk11cert.c @@ -1202,7 +1202,7 @@ PK11_FindCertFromNickname(char *nickname, void *wincx) { search.callback = get_newest_cert; search.cbarg = (void *)&cert; search.cached = certList; - search.searchType = nssTokenSearchType_AllObjects; + search.searchType = nssTokenSearchType_TokenOnly; /* find best cert on token */ nssToken_TraverseCertificatesByNickname(token, NULL, (NSSUTF8 *)nickname, @@ -1293,7 +1293,7 @@ PK11_FindCertsFromNickname(char *nickname, void *wincx) { search.callback = collect_certs; search.cbarg = nameList; search.cached = nameList; - search.searchType = nssTokenSearchType_AllObjects; + search.searchType = nssTokenSearchType_TokenOnly; nssrv = nssToken_TraverseCertificatesByNickname(token, NULL, nickname, &search); count = nssList_Count(nameList); 
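Review bot: The switch to `nssTokenSearchType_TokenOnly` in PK11_FindCertFromNickname and PK11_FindCertsFromNickname changes what these public lookups can return, and nothing at the assignment says why. Session-only objects are presumably no longer visible through these calls, which matters to any caller that makes a trust or identity decision on the result. A one-line comment at each site would record the intent, for example `/* token (persistent) objects only; session objects are deliberately excluded */`. The same applies to the other `searchType` and search-type argument hunks in pk11cert.c, pki3hack.c and trustdomain.c, where the old `/* XXX */` markers are dropped without a replacement.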
@@ -2336,7 +2336,7 @@ PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, PK11SlotInfo *slot, search.callback = convert_cert; search.cbarg = &pk11cb; search.cached = subjectList; - search.searchType = nssTokenSearchType_AllObjects; + search.searchType = nssTokenSearchType_TokenOnly; token = PK11Slot_GetNSSToken(slot); nssrv = nssToken_TraverseCertificatesBySubject(token, NULL, &subject, &search); @@ -2406,7 +2406,7 @@ PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot, search.callback = convert_cert; search.cbarg = &pk11cb; search.cached = nameList; - search.searchType = nssTokenSearchType_AllObjects; + search.searchType = nssTokenSearchType_TokenOnly; token = PK11Slot_GetNSSToken(slot); nssrv = nssToken_TraverseCertificatesByNickname(token, NULL, nick, &search); @@ -2459,7 +2459,7 @@ PK11_TraverseCertsInSlot(PK11SlotInfo *slot, search.callback = convert_cert; search.cbarg = &pk11cb; search.cached = certList; - search.searchType = nssTokenSearchType_AllObjects; + search.searchType = nssTokenSearchType_TokenOnly; tok = PK11Slot_GetNSSToken(slot); if (tok) { nssrv = nssToken_TraverseCertificates(tok, NULL, &search); @@ -2516,7 +2516,7 @@ PK11_FindCertFromDERCert(PK11SlotInfo *slot, CERTCertificate *cert, NSSITEM_FROM_SECITEM(&derCert, &cert->derCert); /* XXX login to slots */ c = nssToken_FindCertificateByEncodedCertificate(tok, NULL, &derCert, - nssTokenSearchType_AllObjects); + nssTokenSearchType_TokenOnly); if (c) { rvCert = STAN_GetCERTCertificate(c); } diff --git a/mozilla/security/nss/lib/pki/pki3hack.c b/mozilla/security/nss/lib/pki/pki3hack.c index d525467334e..2078f57cb6e 100644 --- a/mozilla/security/nss/lib/pki/pki3hack.c +++ b/mozilla/security/nss/lib/pki/pki3hack.c 
@@ -32,7 +32,7 @@ */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.12 $ $Date: 2001-12-14 17:32:19 $ $Name: not supported by cvs2svn $"; +static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.13 $ $Date: 2001-12-14 20:50:58 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ /* @@ -387,11 +387,32 @@ get_nss3trust_from_cktrust(CK_TRUST t) return rt; } +static CERTCertTrust * +cert_trust_from_stan_trust(NSSTrust *t, PRArenaPool *arena) +{ + CERTCertTrust *rvTrust; + unsigned int client; + if (!t) { + return NULL; + } + rvTrust = PORT_ArenaAlloc(arena, sizeof(CERTCertTrust)); + if (!rvTrust) return NULL; + rvTrust->sslFlags = get_nss3trust_from_cktrust(t->serverAuth); + client = get_nss3trust_from_cktrust(t->clientAuth); + if (client & (CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA)) { + client &= ~(CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA); + rvTrust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA; + } + rvTrust->sslFlags |= client; + rvTrust->emailFlags = get_nss3trust_from_cktrust(t->emailProtection); + rvTrust->objectSigningFlags = get_nss3trust_from_cktrust(t->codeSigning); + return rvTrust; +} + static CERTCertTrust * nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc) { - CERTCertTrust *rvTrust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust)); - unsigned int client; + CERTCertTrust *rvTrust; NSSTrustDomain *td = STAN_GetDefaultTrustDomain(); NSSToken *tok; NSSTrust *tokenTrust; @@ -404,7 +425,7 @@ nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc) tok = (NSSToken *)nssListIterator_Next(tokens)) { tokenTrust = nssToken_FindTrustForCert(tok, NULL, c, - nssTokenSearchType_AllObjects); + nssTokenSearchType_TokenOnly); if (tokenTrust) { if (t) { if (t->serverAuth == CKT_NETSCAPE_TRUST_UNKNOWN) { 
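Review bot: The new cert_trust_from_stan_trust has no comment on its clientAuth handling, which is the one non-obvious step in the conversion: CA-trust bits found in `clientAuth` are cleared and replaced by `CERTDB_TRUSTED_CLIENT_CA` before `client` is merged into `sslFlags`. Without a note, a later edit could merge `client` unmasked, which would put the plain CA-trust bits for a client-auth-only CA into `sslFlags`. I would add a header comment saying that the result is allocated from `arena` and is NULL for a NULL trust or a failed allocation, plus `/* client-auth CA trust must not appear as plain CA trust in sslFlags */` above the mask. The unbraced `if (!rvTrust) return NULL;` also differs from the braced `if (!t) {` just above it.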
@@ -431,16 +452,9 @@ nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc) if (!t) { return NULL; } - rvTrust->sslFlags = get_nss3trust_from_cktrust(t->serverAuth); - client = get_nss3trust_from_cktrust(t->clientAuth); - if (client & (CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA)) { - client &= ~(CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA); - rvTrust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA; - } - rvTrust->sslFlags |= client; - rvTrust->emailFlags = get_nss3trust_from_cktrust(t->emailProtection); - rvTrust->objectSigningFlags = get_nss3trust_from_cktrust(t->codeSigning); - if (PK11_IsUserCert(cc->slot, cc, cc->pkcs11ID)) { + rvTrust = cert_trust_from_stan_trust(t, cc->arena); + if (!rvTrust) return NULL; + if (cc->slot && PK11_IsUserCert(cc->slot, cc, cc->pkcs11ID)) { rvTrust->sslFlags |= CERTDB_USER; rvTrust->emailFlags |= CERTDB_USER; rvTrust->objectSigningFlags |= CERTDB_USER; @@ -461,6 +475,8 @@ get_cert_instance(NSSCertificate *c) static void fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc) { + NSSTrust *nssTrust; + NSSCryptoContext *context = c->object.cryptoContext; nssCryptokiInstance *instance = get_cert_instance(c); /* fill other fields needed by NSS3 functions using CERTCertificate */ if (!cc->nickname && c->nickname) { 
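Review bot: The added `if (!rvTrust) return NULL;` in nssTrust_GetCERTCertTrustForCert returns without doing anything about `t`, and no release of `t` is visible in this hunk; the function body continues outside it. If `t` holds a reference here, as the crypto-context trust in fill_CERTCertificateFields does (that one is released with `nssPKIObject_Destroy` after conversion), the allocation-failure path should release it too, e.g. `if (!rvTrust) { nssPKIObject_Destroy(&t->object); return NULL; }`. Whether that applies depends on how `t` is obtained and released in the rest of the function, so it should be confirmed against the full body.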
@@ -470,13 +486,22 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc) memcpy(cc->nickname, c->nickname, len-1); cc->nickname[len-1] = '\0'; } - if (instance) { + if (context) { + /* trust */ + nssTrust = nssCryptoContext_FindTrustForCertificate(context, c); + if (nssTrust) { + cc->trust = cert_trust_from_stan_trust(nssTrust, cc->arena); + nssPKIObject_Destroy(&nssTrust->object); + } else { + cc->trust = nssTrust_GetCERTCertTrustForCert(c, cc); + } + } else if (instance) { + /* trust */ + cc->trust = nssTrust_GetCERTCertTrustForCert(c, cc); /* slot */ cc->slot = instance->token->pk11slot; /* pkcs11ID */ cc->pkcs11ID = instance->handle; - /* trust */ - cc->trust = nssTrust_GetCERTCertTrustForCert(c, cc); } /* database handle is now the trust domain */ cc->dbhandle = c->object.trustDomain; @@ -763,7 +788,7 @@ nssTrustDomain_TraverseCertificates search.callback = callback; search.cbarg = arg; search.cached = certList; - search.searchType = nssTokenSearchType_AllObjects; + search.searchType = nssTokenSearchType_TokenOnly; for (token = (NSSToken *)nssListIterator_Start(td->tokens); token != (NSSToken *)NULL; token = (NSSToken *)nssListIterator_Next(td->tokens)) diff --git a/mozilla/security/nss/lib/pki/trustdomain.c b/mozilla/security/nss/lib/pki/trustdomain.c index 0e4aef71c5d..c711217d572 100644 --- a/mozilla/security/nss/lib/pki/trustdomain.c +++ b/mozilla/security/nss/lib/pki/trustdomain.c @@ -32,7 +32,7 @@ */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.21 $ $Date: 2001-12-14 17:32:23 $ $Name: not supported by cvs2svn $"; +static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.22 $ $Date: 2001-12-14 20:50:59 $ $Name: not supported by cvs2svn $"; #endif /* DEBUG */ #ifndef NSSPKI_H 
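Review bot: In the `else if (instance)` branch of fill_CERTCertificateFields the trust lookup now runs before `cc->slot` and `cc->pkcs11ID` are assigned, so the `cc->slot && PK11_IsUserCert(...)` test in nssTrust_GetCERTCertTrustForCert sees whatever those fields held on entry. If they are still unset on the first fill, the CERTDB_USER flags are silently left off the user's own certificates. Restoring the old order avoids this: `cc->slot = instance->token->pk11slot;` and `cc->pkcs11ID = instance->handle;` first, then `cc->trust = nssTrust_GetCERTCertTrustForCert(c, cc);`. A certificate that has both a crypto context and a token instance now takes only the `context` branch, so its slot and pkcs11ID are no longer filled here; a separate `if (instance)` for those two fields would keep them populated.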
@@ -401,7 +401,7 @@ NSSTrustDomain_FindBestCertificateByNickname search.callback = nssBestCertificate_Callback; search.cbarg = &best; search.cached = nameList; - search.searchType = nssTokenSearchType_AllObjects; /* XXX */ + search.searchType = nssTokenSearchType_TokenOnly; /* traverse the tokens */ for (token = (NSSToken *)nssListIterator_Start(td->tokens); token != (NSSToken *)NULL; @@ -444,7 +444,7 @@ NSSTrustDomain_FindCertificatesByNickname search.callback = collect_certs; search.cbarg = &ca; search.cached = nameList; - search.searchType = nssTokenSearchType_AllObjects; /* XXX */ + search.searchType = nssTokenSearchType_TokenOnly; /* traverse the tokens */ for (token = (NSSToken *)nssListIterator_Start(td->tokens); token != (NSSToken *)NULL; @@ -496,7 +496,7 @@ NSSTrustDomain_FindCertificateByIssuerAndSerialNumber NULL, issuer, serialNumber, - nssTokenSearchType_AllObjects); + nssTokenSearchType_TokenOnly); if (rvCert) { /* cache it */ nssTrustDomain_AddCertsToCache(td, &rvCert, 1); @@ -531,7 +531,7 @@ NSSTrustDomain_FindBestCertificateBySubject search.callback = nssBestCertificate_Callback; search.cbarg = &best; search.cached = subjectList; - search.searchType = nssTokenSearchType_AllObjects; /* XXX */ + search.searchType = nssTokenSearchType_TokenOnly; /* traverse the tokens */ for (token = (NSSToken *)nssListIterator_Start(td->tokens); token != (NSSToken *)NULL; @@ -574,7 +574,7 @@ NSSTrustDomain_FindCertificatesBySubject search.callback = collect_certs; search.cbarg = &ca; search.cached = subjectList; - search.searchType = nssTokenSearchType_AllObjects; /* XXX */ + search.searchType = nssTokenSearchType_TokenOnly; /* traverse the tokens */ for (token = (NSSToken *)nssListIterator_Start(td->tokens); token != (NSSToken *)NULL; 
@@ -649,7 +649,7 @@ NSSTrustDomain_FindCertificateByEncodedCertificate { rvCert = nssToken_FindCertificateByEncodedCertificate(tok, NULL, encodedCertificate, - nssTokenSearchType_AllObjects); + nssTokenSearchType_TokenOnly); if (rvCert) { /* cache it */ nssTrustDomain_AddCertsToCache(td, &rvCert, 1); @@ -684,7 +684,7 @@ NSSTrustDomain_FindCertificateByEmail search.callback = nssBestCertificate_Callback; search.cbarg = &best; search.cached = emailList; - search.searchType = nssTokenSearchType_AllObjects; /* XXX */ + search.searchType = nssTokenSearchType_TokenOnly; /* traverse the tokens */ for (token = (NSSToken *)nssListIterator_Start(td->tokens); token != (NSSToken *)NULL; @@ -839,7 +839,7 @@ NSSTrustDomain_TraverseCertificates search.callback = callback; search.cbarg = arg; search.cached = certList; - search.searchType = nssTokenSearchType_AllObjects; + search.searchType = nssTokenSearchType_TokenOnly; /* traverse the tokens */ for (token = (NSSToken *)nssListIterator_Start(td->tokens); token != (NSSToken *)NULL;