More PSM fixes:

clean up of the escape adding string code.
   Code to keep cert->trust in sync with nscert->trust in various situations.
   Code to allow old version of built-ins to continue to work.
   Implement TrustDomain_TraverseCertificates so that PK11_ListCerts will work.


git-svn-id: svn://10.0.0.236/trunk@108596 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/security/nss/lib/certdb/certdb.c

@@ -34,7 +34,7 @@
 /*
  * Certificate handling code
  *
- * $Id: certdb.c,v 1.17 2001-11-08 00:14:39 relyea%netscape.com Exp $
+ * $Id: certdb.c,v 1.18 2001-11-20 18:28:38 relyea%netscape.com Exp $
  */
 
 #include "nssilock.h"
@@ -1593,20 +1593,24 @@ CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype)
     ret = PR_FALSE;
     type = 0;
     
-    if ( cert->isperm ) {
+    if ( cert->trust ) {
 	trust = cert->trust;
-	if ( ( trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) {
+	if ( ( ( trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
+	   ( ( trust->sslFlags & CERTDB_TRUSTED_CA ) == CERTDB_TRUSTED_CA ) ) {
 	    ret = PR_TRUE;
 	    type |= NS_CERT_TYPE_SSL_CA;
 	}
 	
-	if ( ( trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) {
+	if ( ( ( trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
+	  ( ( trust->emailFlags & CERTDB_TRUSTED_CA ) == CERTDB_TRUSTED_CA ) ) {
 	    ret = PR_TRUE;
 	    type |= NS_CERT_TYPE_EMAIL_CA;
 	}
 	
-	if ( ( trust->objectSigningFlags & CERTDB_VALID_CA ) ==
-	    CERTDB_VALID_CA ) {
+	if ( ( ( trust->objectSigningFlags & CERTDB_VALID_CA ) 
+						== CERTDB_VALID_CA ) ||
+          ( ( trust->objectSigningFlags & CERTDB_TRUSTED_CA ) 
+						== CERTDB_TRUSTED_CA ) ) {
 	    ret = PR_TRUE;
 	    type |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
 	}

mozilla/security/nss/lib/nss/nssinit.c

@@ -32,7 +32,7 @@
  * may use your version of this file under either the MPL or the
  * GPL.
  *
- # $Id: nssinit.c,v 1.28 2001-11-19 19:04:50 relyea%netscape.com Exp $
+ # $Id: nssinit.c,v 1.29 2001-11-20 18:28:41 relyea%netscape.com Exp $
  */
 
 #include <ctype.h>
@@ -195,12 +195,19 @@ PK11_ConfigurePKCS11(char *man, char *libdes, char *tokdes, char *ptokdes,
 }
 
 static char *
-nss_addEscape(char *string, char quote)
+nss_addEscape(const char *string, char quote)
 {
-    int len = PORT_Strlen(string);
-    char *newString = PORT_ZAlloc(2*len+1); /* worst case */
-    char *src,*dest;
+    char *newString = 0;
+    int escapes = 0, size = 0;
+    const char *src;
+    char *dest;
 
+    for (src=string; *src ; src++) {
+	if ((*src == quote) || (*src == '\\')) escapes++;
+	size++;
+    }
+
+    newString = PORT_ZAlloc(escapes+size+1); 
     if (newString == NULL) {
 	return NULL;
     }
@@ -215,6 +222,26 @@ nss_addEscape(char *string, char quote)
     return newString;
 }
 
+static char *
+nss_doubleEscape(const char *string)
+{
+    char *round1 = NULL;
+    char *retValue = NULL;
+    if (string == NULL) {
+	goto done;
+    }
+    round1 = nss_addEscape(string,'\'');
+    if (round1) {
+	retValue = nss_addEscape(round1,'"');
+	PORT_Free(round1);
+    }
+
+done:
+    if (retValue == NULL) {
+	retValue = PORT_Strdup("");
+    }
+    return retValue;
+}
 
 
 /*
@@ -243,6 +270,7 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
     char *moduleSpec = NULL;
     char *flags = NULL;
     SECStatus rv = SECFailure;
+    char *lconfigdir,*lcertPrefix,*lkeyPrefix,*lsecmodName;
 
     flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen,
 						pk11_password_required);
@@ -252,23 +280,20 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
      * configdir is double nested, and Windows uses the same character
      * for file seps as we use for escapes! (sigh).
      */
-    if (configdir) {
-	char *esc_configdir;
-	esc_configdir = nss_addEscape(configdir,'\'');
-	if (esc_configdir) {
-	    configdir = nss_addEscape(esc_configdir,'"');
-	    PORT_Free(esc_configdir);
-	}
-    }
+    lconfigdir = nss_doubleEscape(configdir);
+    lcertPrefix = nss_doubleEscape(certPrefix);
+    lkeyPrefix = nss_doubleEscape(keyPrefix);
+    lsecmodName = nss_doubleEscape(secmodName);
 
-    moduleSpec = PR_smprintf("name=\"%s\" parameters=\"configdir='%s' certPrefix=%s keyPrefix=%s secmod=%s flags=%s %s\" NSS=\"flags=internal,moduleDB,moduleDBOnly,critical\"",
+    moduleSpec = PR_smprintf("name=\"%s\" parameters=\"configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s %s\" NSS=\"flags=internal,moduleDB,moduleDBOnly,critical\"",
 		pk11_config_name ? pk11_config_name : NSS_DEFAULT_MOD_NAME,
-		configdir,certPrefix,keyPrefix,secmodName,flags,
+		lconfigdir,lcertPrefix,lkeyPrefix,lsecmodName,flags,
 		pk11_config_strings ? pk11_config_strings : "");
     PORT_Free(flags);
-    if (configdir) {
-	PORT_Free(configdir);
-    }
+    PORT_Free(lconfigdir);
+    PORT_Free(lcertPrefix);
+    PORT_Free(lkeyPrefix);
+    PORT_Free(lsecmodName);
 
     if (moduleSpec) {
 	SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);

mozilla/security/nss/lib/pk11wrap/pk11cert.c

@@ -2802,7 +2802,6 @@ isOnList(CERTCertList *certList,CERTCertificate *cert)
 	}
 	return PR_FALSE;
 }
-
 static SECStatus
 pk11ListCertCallback(CERTCertificate *cert, SECItem *derCert, void *arg)
 {
@@ -2871,6 +2870,13 @@ pk11ListCertCallback(CERTCertificate *cert, SECItem *derCert, void *arg)
     return SECSuccess;
 }
 
+static SECStatus
+pk11ListCertCallbackStub(CERTCertificate *cert, void *arg)
+{
+    return pk11ListCertCallback(cert, NULL, arg);
+}
+
+
 
 CERTCertList *
 PK11_ListCerts(PK11CertListType type, void *pwarg)
@@ -2899,7 +2905,7 @@ PK11_ListCerts(PK11CertListType type, void *pwarg)
     listCerts.type = type;
     listCerts.certList = certList;
     /* XXX need to fix, this callback is of a different form */
-    pk11cb.callback = pk11ListCertCallback;
+    pk11cb.callback = pk11ListCertCallbackStub;
     pk11cb.arg = &listCerts;
     NSSTrustDomain_TraverseCertificates(defaultTD, convert_cert, &pk11cb);
     return certList;

mozilla/security/nss/lib/pki/certificate.c

@@ -32,7 +32,7 @@
  */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: certificate.c,v $ $Revision: 1.15 $ $Date: 2001-11-15 23:06:10 $ $Name: not supported by cvs2svn $";
+static const char CVS_ID[] = "@(#) $RCSfile: certificate.c,v $ $Revision: 1.16 $ $Date: 2001-11-20 18:28:46 $ $Name: not supported by cvs2svn $";
 #endif /* DEBUG */
 
 #ifndef NSSPKI_H
@@ -189,6 +189,11 @@ get_cert_trust_handle
     tobj_template[1].ulValueLen = (CK_ULONG)SHA1_LENGTH;
     NSS_CK_SET_ATTRIBUTE_ITEM(tobj_template, 2, &c->issuer);
     NSS_CK_SET_ATTRIBUTE_ITEM(tobj_template, 3, &c->serial);
+#ifdef NSS_3_4_CODE
+    if (PK11_HasRootCerts(c->token->pk11slot)) {
+	tobj_size -= 2;
+    }
+#endif
 
     /*
      * we need to arrange for the built-in token to loose the bottom 2 
@@ -533,6 +538,10 @@ nssCertificate_GetDecoding
     if (!c->decoding) {
 	c->decoding = nssDecodedCert_Create(NULL, &c->encoding, c->type);
     }
+#ifdef NSS_3_4_CODE
+    /* cause the trust bits to get updated in the encoded cert */
+    (void) STAN_GetCERTCertificate(c);
+#endif
     return c->decoding;
 }
 
@@ -558,7 +567,7 @@ find_issuer_cert_for_identifier(NSSCertificate *c, NSSItem *id)
 		/* this cert has the correct identifier */
 		rvCert = p;
 		/* now free all the remaining subject certs */
-		while ((p = subjectCerts[++i])) {
+		while ((p = subjectCerts[i++])) {
 		    NSSCertificate_Destroy(p);
 		}
 		/* and exit */

mozilla/security/nss/lib/pki/trustdomain.c

@@ -32,7 +32,7 @@
  */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.15 $ $Date: 2001-11-09 16:39:34 $ $Name: not supported by cvs2svn $";
+static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.16 $ $Date: 2001-11-20 18:28:47 $ $Name: not supported by cvs2svn $";
 #endif /* DEBUG */
 
 #ifndef NSSPKI_H
@@ -418,6 +418,7 @@ find_best_cert_for_template
 	                                                cktemplate, ctsize,
 	                                                get_best_cert, best);
     } else {
+	/* we need to lock the iterator */
 	for (tok  = (NSSToken *)nssListIterator_Start(td->tokens);
 	     tok != (NSSToken *)NULL;
 	     tok  = (NSSToken *)nssListIterator_Next(td->tokens))
@@ -432,6 +433,18 @@ find_best_cert_for_template
     }
     /* Cache the cert before returning */
     /*nssTrustDomain_AddCertsToCache(td, &best->cert, 1);*/
+    /* rjr handle orphanned certs in cache for now. real fix will be Ian's
+     * crypto object */
+    if (best->cert == NULL) {
+	if (nssList_Count(best->cached) >= 1) {
+	    NSSCertificate * candidate;
+
+	    nssList_GetArray(best->cached,&candidate,1); 
+	    if (candidate) {
+		best->cert = nssCertificate_AddRef(candidate);
+	    }
+	}
+    }
     return best->cert;
 }
 
@@ -477,6 +490,7 @@ find_all_certs_for_template
 	                                                cktemplate, ctsize,
                                                         collect_certs, ca);
     } else {
+	/* we need to lock the iterator */
 	for (tok  = (NSSToken *)nssListIterator_Start(td->tokens);
 	     tok != (NSSToken *)NULL;
 	     tok  = (NSSToken *)nssListIterator_Next(td->tokens))
@@ -1057,7 +1071,18 @@ NSSTrustDomain_TraverseCertificates
   void *arg
 )
 {
-    return NULL;
+    PRStatus nssrv;
+    NSSToken *tok;
+
+    /* we need to lock the iterator */
+    for (tok  = (NSSToken *)nssListIterator_Start(td->tokens);
+	     tok != (NSSToken *)NULL;
+	     tok  = (NSSToken *)nssListIterator_Next(td->tokens))
+    {
+	nssrv = nssToken_TraverseCertificates(tok, NULL, callback, arg);
+    }
+    nssListIterator_Finish(td->tokens);
+    return NULL; /* should return array of nssrv's ? */
 }
 
 NSS_IMPLEMENT PRStatus

mozilla/security/nss/lib/softoken/pk11db.c

@@ -581,7 +581,7 @@ secmod_DecodeData(char *defParams, DBT *data, PRBool *retInternal)
 	}
     }
     if (internal) {
-	parameters = pk11_formatValue(arena,defParams,'"');
+	parameters = PORT_ArenaStrdup(arena,defParams);
     }
 
     /* decode SSL cipher enable flags */