This commit was manufactured by cvs2svn to create branch

'NSS_CLIENT_3_4_BRANCH'.

git-svn-id: svn://10.0.0.236/branches/NSS_CLIENT_3_4_BRANCH@115844 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/security/nss/lib/Makefile

@@ -0,0 +1,89 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+ifdef MOZILLA_SECURITY_BUILD
+FILES=$(shell ls -d $(CORE_DEPTH)/../../ns/security/lib/crypto/*)
+
+export::
+	if test -d $(CORE_DEPTH)/../../ns/security/lib/crypto; then \
+	    $(NSINSTALL) -D crypto; \
+	    for file in $(FILES) ; do \
+		if test -f $$file; then \
+		    $(INSTALL) -m 444 $$file crypto; \
+		fi; \
+	    done;  \
+	    $(INSTALL) -m 444 freebl/sha_fast.c crypto; \
+	    $(INSTALL) -m 444 freebl/sha_fast.h crypto; \
+	fi
+endif

mozilla/security/nss/lib/asn1/Makefile

@@ -0,0 +1,40 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.3 $ $Date: 2001-10-11 17:41:40 $ $Name: not supported by cvs2svn $"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+export:: private_export

mozilla/security/nss/lib/asn1/asn1.h

@@ -0,0 +1,879 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef ASN1_H
+#define ASN1_H
+
+#ifdef DEBUG
+static const char ASN1_CVS_ID[] = "@(#) $RCSfile: asn1.h,v $ $Revision: 1.1 $ $Date: 2000-03-31 19:54:58 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * asn1.h
+ *
+ * This file contains the ASN.1 encoder/decoder routines available
+ * internally within NSS.  It's not clear right now if this file
+ * will be folded into base.h or something, I just needed to get this
+ * going.  At the moment, most of these routines wrap the old SEC_ASN1
+ * calls.
+ */
+
+#ifndef ASN1T_H
+#include "asn1t.h"
+#endif /* ASN1T_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * nssASN1Decoder
+ *
+ * ... description here ...
+ *
+ *  nssASN1Decoder_Create (Factory/Constructor)
+ *  nssASN1Decoder_Update
+ *  nssASN1Decoder_Finish (Destructor)
+ *  nssASN1Decoder_SetFilter
+ *  nssASN1Decoder_GetFilter
+ *  nssASN1Decoder_SetNotify
+ *  nssASN1Decoder_GetNotify
+ *
+ * Debug builds only:
+ *
+ *  nssASN1Decoder_verify
+ *
+ * Related functions that aren't type methods:
+ *
+ *  nssASN1_Decode
+ *  nssASN1_DecodeBER
+ */
+
+/*
+ * nssASN1Decoder_Create
+ *
+ * This routine creates an ASN.1 Decoder, which will use the specified
+ * template to decode a datastream into the specified destination
+ * structure.  If the optional arena argument is non-NULL, blah blah 
+ * blah.  XXX fgmr Should we include an nssASN1EncodingType argument, 
+ * as a hint?  Or is each encoding distinctive?  This routine may 
+ * return NULL upon error, in which case an error will have been 
+ * placed upon the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  ...
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an ASN.1 Decoder upon success.
+ */
+
+NSS_EXTERN nssASN1Decoder *
+nssASN1Decoder_Create
+(
+  NSSArena *arenaOpt,
+  void *destination,
+  const nssASN1Template template[]
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+/*
+ * nssASN1Decoder_Update
+ *
+ * This routine feeds data to the decoder.  In the event of an error, 
+ * it will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *  NSS_ERROR_INVALID_BER
+ *  ...
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success.
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Decoder_Update
+(
+  nssASN1Decoder *decoder,
+  const void *data,
+  PRUint32 amount
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+extern const NSSError NSS_ERROR_INVALID_BER;
+
+/*
+ * nssASN1Decoder_Finish
+ *
+ * This routine finishes the decoding and destroys the decoder.
+ * In the event of an error, it will place an error on the error
+ * stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Decoder_Finish
+(
+  nssASN1Decoder *decoder
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+
+/*
+ * nssASN1Decoder_SetFilter
+ *
+ * This routine registers a callback filter routine with the decoder,
+ * which will be called blah blah blah.  The specified argument will
+ * be passed as-is to the filter routine.  The routine pointer may
+ * be NULL, in which case no filter callback will be called.  If the
+ * noStore boolean is PR_TRUE, then decoded fields will not be stored
+ * in the destination structure specified when the decoder was 
+ * created.  This routine returns a PRStatus value; in the event of
+ * an error, it will place an error on the error stack and return
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Decoder_SetFilter
+(
+  nssASN1Decoder *decoder,
+  nssASN1DecoderFilterFunction *callback,
+  void *argument,
+  PRBool noStore
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+
+/*
+ * nssASN1Decoder_GetFilter
+ *
+ * If the optional pCallbackOpt argument to this routine is non-null,
+ * then the pointer to any callback function established for this
+ * decoder with nssASN1Decoder_SetFilter will be stored at the 
+ * location indicated by it.  If the optional pArgumentOpt
+ * pointer is non-null, the filter's closure argument will be stored
+ * there.  If the optional pNoStoreOpt pointer is non-null, the
+ * noStore value specified when setting the filter will be stored
+ * there.  This routine returns a PRStatus value; in the event of
+ * an error it will place an error on the error stack and return
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Decoder_GetFilter
+(
+  nssASN1Decoder *decoder,
+  nssASN1DecoderFilterFunction **pCallbackOpt,
+  void **pArgumentOpt,
+  PRBool *pNoStoreOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+
+/*
+ * nssASN1Decoder_SetNotify
+ *
+ * This routine registers a callback notify routine with the decoder,
+ * which will be called whenever.. The specified argument will be
+ * passed as-is to the notify routine.  The routine pointer may be
+ * NULL, in which case no notify routine will be called.  This routine
+ * returns a PRStatus value; in the event of an error it will place
+ * an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Decoder_SetNotify
+(
+  nssASN1Decoder *decoder,
+  nssASN1NotifyFunction *callback,
+  void *argument
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+
+/*
+ * nssASN1Decoder_GetNotify
+ *
+ * If the optional pCallbackOpt argument to this routine is non-null,
+ * then the pointer to any callback function established for this
+ * decoder with nssASN1Decoder_SetNotify will be stored at the 
+ * location indicated by it.  If the optional pArgumentOpt pointer is
+ * non-null, the filter's closure argument will be stored there.
+ * This routine returns a PRStatus value; in the event of an error it
+ * will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Decoder_GetNotify
+(
+  nssASN1Decoder *decoder,
+  nssASN1NotifyFunction **pCallbackOpt,
+  void **pArgumentOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+
+/*
+ * nssASN1Decoder_verify
+ *
+ * This routine is only available in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an nssASN1Decoder
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssASN1Decoder_verify
+(
+  nssASN1Decoder *decoder
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+#endif /* DEBUG */
+
+/*
+ * nssASN1_Decode
+ *
+ * This routine will decode the specified data into the specified
+ * destination structure, as specified by the specified template.
+ * This routine returns a PRStatus value; in the event of an error
+ * it will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_BER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1_Decode
+(
+  NSSArena *arenaOpt,
+  void *destination,
+  const nssASN1Template template[],
+  const void *berData,
+  PRUint32 amount
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_INVALID_BER;
+
+/*
+ * nssASN1_DecodeBER
+ *
+ * This routine will decode the data in the specified NSSBER
+ * into the destination structure, as specified by the template.
+ * This routine returns a PRStatus value; in the event of an error
+ * it will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_NSSBER
+ *  NSS_ERROR_INVALID_BER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1_DecodeBER
+(
+  NSSArena *arenaOpt,
+  void *destination,
+  const nssASN1Template template[],
+  const NSSBER *data
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_INVALID_BER;
+
+/*
+ * nssASN1Encoder
+ *
+ * ... description here ...
+ *
+ *  nssASN1Encoder_Create (Factory/Constructor)
+ *  nssASN1Encoder_Update
+ *  nssASN1Encoder_Finish (Destructor)
+ *  nssASN1Encoder_SetNotify
+ *  nssASN1Encoder_GetNotify
+ *  nssASN1Encoder_SetStreaming
+ *  nssASN1Encoder_GetStreaming
+ *  nssASN1Encoder_SetTakeFromBuffer
+ *  nssASN1Encoder_GetTakeFromBuffer
+ *
+ * Debug builds only:
+ *
+ *  nssASN1Encoder_verify
+ *
+ * Related functions that aren't type methods:
+ *
+ *  nssASN1_Encode
+ *  nssASN1_EncodeItem
+ */
+
+/*
+ * nssASN1Encoder_Create
+ *
+ * This routine creates an ASN.1 Encoder, blah blah blah.  This 
+ * may return NULL upon error, in which case an error will have been
+ * placed on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_ENCODING_NOT_SUPPORTED
+ *  ...
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an ASN.1 Encoder upon success
+ */
+
+NSS_EXTERN nssASN1Encoder *
+nssASN1Encoder_Create
+(
+  const void *source,
+  const nssASN1Template template[],
+  NSSASN1EncodingType encoding,
+  nssASN1EncoderWriteFunction *sink,
+  void *argument
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_ENCODING_NOT_SUPPORTED;
+
+/*
+ * nssASN1Encoder_Update
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_Update
+(
+  nssASN1Encoder *encoder,
+  const void *data,
+  PRUint32 length
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+/*
+ * nssASN1Encoder_Finish
+ *
+ * Destructor.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_Finish
+(
+  nssASN1Encoder *encoder
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+
+/*
+ * nssASN1Encoder_SetNotify
+ *
+ * This routine registers a callback notify routine with the encoder,
+ * which will be called whenever.. The specified argument will be
+ * passed as-is to the notify routine.  The routine pointer may be
+ * NULL, in which case no notify routine will be called.  This routine
+ * returns a PRStatus value; in the event of an error it will place
+ * an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_SetNotify
+(
+  nssASN1Encoder *encoder,
+  nssASN1NotifyFunction *callback,
+  void *argument
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+
+/*
+ * nssASN1Encoder_GetNotify
+ *
+ * If the optional pCallbackOpt argument to this routine is non-null,
+ * then the pointer to any callback function established for this
+ * decoder with nssASN1Encoder_SetNotify will be stored at the 
+ * location indicated by it.  If the optional pArgumentOpt pointer is
+ * non-null, the filter's closure argument will be stored there.
+ * This routine returns a PRStatus value; in the event of an error it
+ * will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_GetNotify
+(
+  nssASN1Encoder *encoder,
+  nssASN1NotifyFunction **pCallbackOpt,
+  void **pArgumentOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+
+/*
+ * nssASN1Encoder_SetStreaming
+ *
+ * 
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_SetStreaming
+(
+  nssASN1Encoder *encoder,
+  PRBool streaming
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+
+/*
+ * nssASN1Encoder_GetStreaming
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_GetStreaming
+(
+  nssASN1Encoder *encoder,
+  PRBool *pStreaming
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+/*
+ * nssASN1Encoder_SetTakeFromBuffer
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_SetTakeFromBuffer
+(
+  nssASN1Encoder *encoder,
+  PRBool takeFromBuffer
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+
+/*
+ * nssASN1Encoder_GetTakeFromBuffer
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_GetTakeFromBuffer
+(
+  nssASN1Encoder *encoder,
+  PRBool *pTakeFromBuffer
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+/*
+ * nssASN1Encoder_verify
+ *
+ * This routine is only available in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an nssASN1Encoder
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssASN1Encoder_verify
+(
+  nssASN1Encoder *encoder
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+#endif /* DEBUG */
+
+/*
+ * nssASN1_Encode
+ *
+ * 
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_ENCODING_NOT_SUPPORTED
+ *  ...
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1_Encode
+(
+  const void *source,
+  const nssASN1Template template[],
+  NSSASN1EncodingType encoding,
+  nssASN1EncoderWriteFunction *sink,
+  void *argument
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_ENCODING_NOT_SUPPORTED;
+
+/*
+ * nssASN1_EncodeItem
+ *
+ * There must be a better name.  If the optional arena argument is
+ * non-null, it'll be used for the space.  If the optional rvOpt is
+ * non-null, it'll be the return value-- if it is null, a new one
+ * will be allocated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_ENCODING_NOT_SUPPORTED
+ *
+ * Return value:
+ *  NULL upon error
+ *  A valid pointer to an NSSDER upon success
+ */
+
+NSS_EXTERN NSSDER *
+nssASN1_EncodeItem
+(
+  NSSArena *arenaOpt,
+  NSSDER *rvOpt,
+  const void *source,
+  const nssASN1Template template[],
+  NSSASN1EncodingType encoding
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_ENCODING_NOT_SUPPORTED;
+
+/*
+ * Other basic types' encoding and decoding helper functions:
+ *
+ *  nssASN1_CreatePRUint32FromBER
+ *  nssASN1_GetDERFromPRUint32
+ *  nssASN1_CreatePRInt32FromBER
+ *  nssASN1_GetDERFromPRInt32
+ * ..etc..
+ */
+
+/*
+ * nssASN1_CreatePRUint32FromBER
+ *
+ */
+
+NSS_EXTERN PRStatus
+nssASN1_CreatePRUint32FromBER
+(
+  NSSBER *encoded,
+  PRUint32 *pResult
+);
+
+/*
+ * nssASN1_GetDERFromPRUint32
+ *
+ */
+
+NSS_EXTERN NSSDER *
+nssASN1_GetDERFromPRUint32
+(
+  NSSArena *arenaOpt,
+  NSSDER *rvOpt,
+  PRUint32 value
+);
+
+/*
+ * nssASN1_CreatePRInt32FromBER
+ *
+ */
+
+NSS_EXTERN PRStatus
+nssASN1_CreatePRInt32FromBER
+(
+  NSSBER *encoded,
+  PRInt32 *pResult
+);
+
+/*
+ * nssASN1_GetDERFromPRInt32
+ *
+ */
+
+NSS_EXTERN NSSDER *
+nssASN1_GetDERFromPRInt32
+(
+  NSSArena *arenaOpt,
+  NSSDER *rvOpt,
+  PRInt32 value
+);
+
+/*
+ * Builtin templates
+ */
+
+/*
+ * Generic Templates
+ * One for each of the simple types, plus a special one for ANY, plus:
+ *	- a pointer to each one of those
+ *	- a set of each one of those
+ *
+ * Note that these are alphabetical (case insensitive); please add new
+ * ones in the appropriate place.
+ */
+
+extern const nssASN1Template *nssASN1Template_Any;
+extern const nssASN1Template *nssASN1Template_BitString;
+extern const nssASN1Template *nssASN1Template_BMPString;
+extern const nssASN1Template *nssASN1Template_Boolean;
+extern const nssASN1Template *nssASN1Template_Enumerated;
+extern const nssASN1Template *nssASN1Template_GeneralizedTime;
+extern const nssASN1Template *nssASN1Template_IA5String;
+extern const nssASN1Template *nssASN1Template_Integer;
+extern const nssASN1Template *nssASN1Template_Null;
+extern const nssASN1Template *nssASN1Template_ObjectID;
+extern const nssASN1Template *nssASN1Template_OctetString;
+extern const nssASN1Template *nssASN1Template_PrintableString;
+extern const nssASN1Template *nssASN1Template_T61String;
+extern const nssASN1Template *nssASN1Template_UniversalString;
+extern const nssASN1Template *nssASN1Template_UTCTime;
+extern const nssASN1Template *nssASN1Template_UTF8String;
+extern const nssASN1Template *nssASN1Template_VisibleString;
+
+extern const nssASN1Template *nssASN1Template_PointerToAny;
+extern const nssASN1Template *nssASN1Template_PointerToBitString;
+extern const nssASN1Template *nssASN1Template_PointerToBMPString;
+extern const nssASN1Template *nssASN1Template_PointerToBoolean;
+extern const nssASN1Template *nssASN1Template_PointerToEnumerated;
+extern const nssASN1Template *nssASN1Template_PointerToGeneralizedTime;
+extern const nssASN1Template *nssASN1Template_PointerToIA5String;
+extern const nssASN1Template *nssASN1Template_PointerToInteger;
+extern const nssASN1Template *nssASN1Template_PointerToNull;
+extern const nssASN1Template *nssASN1Template_PointerToObjectID;
+extern const nssASN1Template *nssASN1Template_PointerToOctetString;
+extern const nssASN1Template *nssASN1Template_PointerToPrintableString;
+extern const nssASN1Template *nssASN1Template_PointerToT61String;
+extern const nssASN1Template *nssASN1Template_PointerToUniversalString;
+extern const nssASN1Template *nssASN1Template_PointerToUTCTime;
+extern const nssASN1Template *nssASN1Template_PointerToUTF8String;
+extern const nssASN1Template *nssASN1Template_PointerToVisibleString;
+
+extern const nssASN1Template *nssASN1Template_SetOfAny;
+extern const nssASN1Template *nssASN1Template_SetOfBitString;
+extern const nssASN1Template *nssASN1Template_SetOfBMPString;
+extern const nssASN1Template *nssASN1Template_SetOfBoolean;
+extern const nssASN1Template *nssASN1Template_SetOfEnumerated;
+extern const nssASN1Template *nssASN1Template_SetOfGeneralizedTime;
+extern const nssASN1Template *nssASN1Template_SetOfIA5String;
+extern const nssASN1Template *nssASN1Template_SetOfInteger;
+extern const nssASN1Template *nssASN1Template_SetOfNull;
+extern const nssASN1Template *nssASN1Template_SetOfObjectID;
+extern const nssASN1Template *nssASN1Template_SetOfOctetString;
+extern const nssASN1Template *nssASN1Template_SetOfPrintableString;
+extern const nssASN1Template *nssASN1Template_SetOfT61String;
+extern const nssASN1Template *nssASN1Template_SetOfUniversalString;
+extern const nssASN1Template *nssASN1Template_SetOfUTCTime;
+extern const nssASN1Template *nssASN1Template_SetOfUTF8String;
+extern const nssASN1Template *nssASN1Template_SetOfVisibleString;
+
+/*
+ *
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssUTF8_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  nssStringType type,
+  NSSBER *berData
+);
+
+NSS_EXTERN NSSDER *
+nssUTF8_GetDEREncoding
+(
+  NSSArena *arenaOpt,
+  /* Should have an NSSDER *rvOpt */
+  nssStringType type,
+  const NSSUTF8 *string
+);
+
+PR_END_EXTERN_C
+
+#endif /* ASN1_H */

mozilla/security/nss/lib/asn1/asn1m.h

@@ -0,0 +1,80 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef ASN1M_H
+#define ASN1M_H
+
+#ifdef DEBUG
+static const char ASN1M_CVS_ID[] = "@(#) $RCSfile: asn1m.h,v $ $Revision: 1.1 $ $Date: 2000-03-31 19:55:23 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * asn1m.h
+ *
+ * This file contains the ASN.1 encoder/decoder routines available
+ * only within the ASN.1 module itself.
+ */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * nssasn1_number_length
+ *
+ */
+
+NSS_EXTERN PRUint32
+nssasn1_length_length
+(
+  PRUint32 number
+);
+
+/*
+ * nssasn1_get_subtemplate
+ *
+ */
+
+NSS_EXTERN const nssASN1Template *
+nssasn1_get_subtemplate
+(
+  const nssASN1Template template[],
+  void *thing,
+  PRBool encoding
+);
+
+PR_END_EXTERN_C
+
+#endif /* ASN1M_H */

mozilla/security/nss/lib/asn1/asn1t.h

@@ -0,0 +1,166 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef ASN1T_H
+#define ASN1T_H
+
+#ifdef DEBUG
+static const char ASN1T_CVS_ID[] = "@(#) $RCSfile: asn1t.h,v $ $Revision: 1.2 $ $Date: 2001-01-07 08:12:46 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * asn1t.h
+ *
+ * This file contains the ASN.1 encoder/decoder types available 
+ * internally within NSS.  It's not clear right now if this file
+ * will be folded into baset.h or something, I just needed to
+ * get this going.  At the moment, these types are wrappers for
+ * the old types.
+ */
+
+#ifndef BASET_H
+#include "baset.h"
+#endif /* BASET_H */
+
+#ifndef NSSASN1T_H
+#include "nssasn1t.h"
+#endif /* NSSASN1T_H */
+
+#include "seccomon.h"
+#include "secasn1t.h"
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * XXX fgmr
+ *
+ * This sort of bites.  Let's keep an eye on this, to make sure
+ * we aren't stuck with it forever.
+ */
+
+struct nssASN1ItemStr {
+  PRUint32 reserved;
+  PRUint8 *data;
+  PRUint32 size;
+};
+
+typedef struct nssASN1ItemStr nssASN1Item;
+
+/*
+ * I'm not documenting these here, since this'll require another
+ * pass anyway.
+ */
+
+typedef SEC_ASN1Template nssASN1Template;
+
+#define nssASN1_TAG_MASK               SEC_ASN1_TAG_MASK
+
+#define nssASN1_TAGNUM_MASK            SEC_ASN1_TAGNUM_MASK
+#define nssASN1_BOOLEAN                SEC_ASN1_BOOLEAN
+#define nssASN1_INTEGER                SEC_ASN1_INTEGER
+#define nssASN1_BIT_STRING             SEC_ASN1_BIT_STRING
+#define nssASN1_OCTET_STRING           SEC_ASN1_OCTET_STRING
+#define nssASN1_NULL                   SEC_ASN1_NULL
+#define nssASN1_OBJECT_ID              SEC_ASN1_OBJECT_ID
+#define nssASN1_OBJECT_DESCRIPTOR      SEC_ASN1_OBJECT_DESCRIPTOR
+/* External type and instance-of type   0x08 */
+#define nssASN1_REAL                   SEC_ASN1_REAL
+#define nssASN1_ENUMERATED             SEC_ASN1_ENUMERATED
+#define nssASN1_EMBEDDED_PDV           SEC_ASN1_EMBEDDED_PDV
+#define nssASN1_UTF8_STRING            SEC_ASN1_UTF8_STRING
+#define nssASN1_SEQUENCE               SEC_ASN1_SEQUENCE
+#define nssASN1_SET                    SEC_ASN1_SET
+#define nssASN1_NUMERIC_STRING         SEC_ASN1_NUMERIC_STRING
+#define nssASN1_PRINTABLE_STRING       SEC_ASN1_PRINTABLE_STRING
+#define nssASN1_T61_STRING             SEC_ASN1_T61_STRING
+#define nssASN1_TELETEX_STRING         nssASN1_T61_STRING
+#define nssASN1_VIDEOTEX_STRING        SEC_ASN1_VIDEOTEX_STRING
+#define nssASN1_IA5_STRING             SEC_ASN1_IA5_STRING
+#define nssASN1_UTC_TIME               SEC_ASN1_UTC_TIME
+#define nssASN1_GENERALIZED_TIME       SEC_ASN1_GENERALIZED_TIME
+#define nssASN1_GRAPHIC_STRING         SEC_ASN1_GRAPHIC_STRING
+#define nssASN1_VISIBLE_STRING         SEC_ASN1_VISIBLE_STRING
+#define nssASN1_GENERAL_STRING         SEC_ASN1_GENERAL_STRING
+#define nssASN1_UNIVERSAL_STRING       SEC_ASN1_UNIVERSAL_STRING
+/*                                      0x1d */
+#define nssASN1_BMP_STRING             SEC_ASN1_BMP_STRING
+#define nssASN1_HIGH_TAG_NUMBER        SEC_ASN1_HIGH_TAG_NUMBER
+
+#define nssASN1_METHOD_MASK            SEC_ASN1_METHOD_MASK
+#define nssASN1_PRIMITIVE              SEC_ASN1_PRIMITIVE
+#define nssASN1_CONSTRUCTED            SEC_ASN1_CONSTRUCTED
+                                                                
+#define nssASN1_CLASS_MASK             SEC_ASN1_CLASS_MASK
+#define nssASN1_UNIVERSAL              SEC_ASN1_UNIVERSAL
+#define nssASN1_APPLICATION            SEC_ASN1_APPLICATION
+#define nssASN1_CONTEXT_SPECIFIC       SEC_ASN1_CONTEXT_SPECIFIC
+#define nssASN1_PRIVATE                SEC_ASN1_PRIVATE
+
+#define nssASN1_OPTIONAL               SEC_ASN1_OPTIONAL 
+#define nssASN1_EXPLICIT               SEC_ASN1_EXPLICIT 
+#define nssASN1_ANY                    SEC_ASN1_ANY      
+#define nssASN1_INLINE                 SEC_ASN1_INLINE   
+#define nssASN1_POINTER                SEC_ASN1_POINTER  
+#define nssASN1_GROUP                  SEC_ASN1_GROUP    
+#define nssASN1_DYNAMIC                SEC_ASN1_DYNAMIC  
+#define nssASN1_SKIP                   SEC_ASN1_SKIP     
+#define nssASN1_INNER                  SEC_ASN1_INNER    
+#define nssASN1_SAVE                   SEC_ASN1_SAVE     
+#define nssASN1_MAY_STREAM             SEC_ASN1_MAY_STREAM
+#define nssASN1_SKIP_REST              SEC_ASN1_SKIP_REST
+#define nssASN1_CHOICE                 SEC_ASN1_CHOICE
+
+#define nssASN1_SEQUENCE_OF            SEC_ASN1_SEQUENCE_OF 
+#define nssASN1_SET_OF                 SEC_ASN1_SET_OF      
+#define nssASN1_ANY_CONTENTS           SEC_ASN1_ANY_CONTENTS
+
+typedef SEC_ASN1TemplateChooserPtr nssASN1ChooseTemplateFunction;
+
+typedef SEC_ASN1DecoderContext nssASN1Decoder;
+typedef SEC_ASN1EncoderContext nssASN1Encoder;
+
+typedef enum {
+  nssASN1EncodingPartIdentifier    = SEC_ASN1_Identifier,
+  nssASN1EncodingPartLength        = SEC_ASN1_Length,
+  nssASN1EncodingPartContents      = SEC_ASN1_Contents,
+  nssASN1EncodingPartEndOfContents = SEC_ASN1_EndOfContents
+} nssASN1EncodingPart;
+
+typedef SEC_ASN1NotifyProc nssASN1NotifyFunction;
+
+typedef SEC_ASN1WriteProc nssASN1EncoderWriteFunction;
+typedef SEC_ASN1WriteProc nssASN1DecoderFilterFunction;
+
+PR_END_EXTERN_C
+
+#endif /* ASN1T_H */

mozilla/security/nss/lib/asn1/config.mk

@@ -0,0 +1,48 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.2 $ $Date: 2001-10-11 17:41:40 $ $Name: not supported by cvs2svn $"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+

mozilla/security/nss/lib/asn1/manifest.mn

@@ -0,0 +1,55 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MANIFEST_CVS_ID = "@(#) $RCSfile: manifest.mn,v $ $Revision: 1.1 $ $Date: 2000-03-31 19:56:37 $ $Name: not supported by cvs2svn $"
+
+CORE_DEPTH = ../../..
+
+PRIVATE_EXPORTS = \
+	asn1t.h		  \
+	asn1m.h		  \
+	asn1.h		  \
+	$(NULL)
+
+EXPORTS =	   \
+	nssasn1t.h \
+	$(NULL)
+
+MODULE = security
+
+CSRCS =		   \
+	asn1.c	   \
+	$(NULL)
+
+REQUIRES = security nspr
+
+LIBRARY_NAME = asn1

mozilla/security/nss/lib/asn1/nssasn1t.h

@@ -0,0 +1,67 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSASN1T_H
+#define NSSASN1T_H
+
+#ifdef DEBUG
+static const char NSSASN1T_CVS_ID[] = "@(#) $RCSfile: nssasn1t.h,v $ $Revision: 1.1 $ $Date: 2000-03-31 19:57:16 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * nssasn1t.h
+ *
+ * This file contains the public types related to our ASN.1 encoder 
+ * and decoder.
+ */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSASN1EncodingType
+ *
+ * This type enumerates specific types of ASN.1 encodings.
+ */
+
+typedef enum {
+  NSSASN1BER,               /* Basic Encoding Rules */
+  NSSASN1CER,               /* Canonical Encoding Rules */
+  NSSASN1DER,               /* Distinguished Encoding Rules */
+  NSSASN1LWER,              /* LightWeight Encoding Rules */
+  NSSASN1PER,               /* Packed Encoding Rules */
+  NSSASN1UnknownEncoding = -1
+} NSSASN1EncodingType;
+
+PR_END_EXTERN_C
+
+#endif /* NSSASN1T_H */

mozilla/security/nss/lib/base/Makefile

@@ -0,0 +1,40 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.2 $ $Date: 2000-09-06 22:11:57 $ $Name: not supported by cvs2svn $"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+export:: private_export

mozilla/security/nss/lib/base/baset.h

@@ -0,0 +1,158 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef BASET_H
+#define BASET_H
+
+#ifdef DEBUG
+static const char BASET_CVS_ID[] = "@(#) $RCSfile: baset.h,v $ $Revision: 1.6 $ $Date: 2001-10-15 16:50:01 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * baset.h
+ *
+ * This file contains definitions for the basic types used throughout
+ * nss but not available publicly.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#include "plhash.h"
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * nssArenaMark
+ *
+ * This type is used to mark the current state of an NSSArena.
+ */
+
+struct nssArenaMarkStr;
+typedef struct nssArenaMarkStr nssArenaMark;
+
+#ifdef DEBUG
+/*
+ * ARENA_THREADMARK
+ * 
+ * Optionally, this arena implementation can be compiled with some
+ * runtime checking enabled, which will catch the situation where
+ * one thread "marks" the arena, another thread allocates memory,
+ * and then the mark is released.  Usually this is a surprise to
+ * the second thread, and this leads to weird runtime errors.
+ * Define ARENA_THREADMARK to catch these cases; we define it for all
+ * (internal and external) debug builds.
+ */
+#define ARENA_THREADMARK
+
+/*
+ * ARENA_DESTRUCTOR_LIST
+ *
+ * Unfortunately, our pointer-tracker facility, used in debug
+ * builds to agressively fight invalid pointers, requries that
+ * pointers be deregistered when objects are destroyed.  This
+ * conflicts with the standard arena usage where "memory-only"
+ * objects (that don't hold onto resources outside the arena)
+ * can be allocated in an arena, and never destroyed other than
+ * when the arena is destroyed.  Therefore we have added a
+ * destructor-registratio facility to our arenas.  This was not
+ * a simple decision, since we're getting ever-further away from
+ * the original arena philosophy.  However, it was felt that
+ * adding this in debug builds wouldn't be so bad; as it would
+ * discourage them from being used for "serious" purposes.
+ * This facility requires ARENA_THREADMARK to be defined.
+ */
+#ifdef ARENA_THREADMARK
+#define ARENA_DESTRUCTOR_LIST
+#endif /* ARENA_THREADMARK */
+
+#endif /* DEBUG */
+
+typedef struct nssListStr nssList;
+typedef struct nssListIteratorStr nssListIterator;
+typedef PRBool (* nssListCompareFunc)(void *a, void *b);
+typedef PRIntn (* nssListSortFunc)(void *a, void *b);
+typedef void (* nssListElementDestructorFunc)(void *el);
+
+typedef struct nssHashStr nssHash;
+typedef void (PR_CALLBACK *nssHashIterator)(const void *key, 
+                                            void *value, 
+                                            void *arg);
+
+/*
+ * nssPointerTracker
+ *
+ * This type is used in debug builds (both external and internal) to
+ * track our object pointers.  Objects of this type must be statically
+ * allocated, which means the structure size must be available to the
+ * compiler.  Therefore we must expose the contents of this structure.
+ * But please don't access elements directly; use the accessors.
+ */
+
+#ifdef DEBUG
+struct nssPointerTrackerStr {
+  PRCallOnceType once;
+  PZLock *lock;
+  PLHashTable *table;
+};
+typedef struct nssPointerTrackerStr nssPointerTracker;
+#endif /* DEBUG */
+
+/*
+ * nssStringType
+ *
+ * There are several types of strings in the real world.  We try to
+ * use only UTF8 and avoid the rest, but that's not always possible.
+ * So we have a couple converter routines to go to and from the other
+ * string types.  We have to be able to specify those string types,
+ * so we have this enumeration.
+ */
+
+enum nssStringTypeEnum {
+  nssStringType_DirectoryString,
+  nssStringType_TeletexString, /* Not "teletext" with trailing 't' */
+  nssStringType_PrintableString,
+  nssStringType_UniversalString,
+  nssStringType_BMPString,
+  nssStringType_UTF8String,
+  nssStringType_PHGString,
+  nssStringType_GeneralString,
+
+  nssStringType_Unknown = -1
+};
+typedef enum nssStringTypeEnum nssStringType;
+
+PR_END_EXTERN_C
+
+#endif /* BASET_H */

mozilla/security/nss/lib/base/config.mk

@@ -0,0 +1,48 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.3 $ $Date: 2001-02-02 01:49:22 $ $Name: not supported by cvs2svn $"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+

mozilla/security/nss/lib/base/error.c

@@ -0,0 +1,297 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: error.c,v $ $Revision: 1.3 $ $Date: 2002-01-31 19:18:55 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * error.c
+ *
+ * This file contains the code implementing the per-thread error 
+ * stacks upon which most NSS routines report their errors.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * The stack itself has a header, and a sequence of integers.
+ * The header records the amount of space (as measured in stack
+ * slots) already allocated for the stack, and the count of the
+ * number of records currently being used.
+ */
+
+struct stack_header_str {
+  PRUint16 space;
+  PRUint16 count;
+};
+
+struct error_stack_str {
+  struct stack_header_str header;
+  PRInt32 stack[1];
+};
+typedef struct error_stack_str error_stack;
+
+/*
+ * error_stack_index
+ *
+ * Thread-private data must be indexed.  This is that index.
+ * See PR_NewThreadPrivateIndex for more information.
+ */
+
+static PRUintn error_stack_index;
+
+/*
+ * call_once
+ *
+ * The thread-private index must be obtained (once!) at runtime.
+ * This block is used for that one-time call.
+ */
+
+static PRCallOnceType error_call_once;
+
+/*
+ * error_once_function
+ *
+ * This is the once-called callback.
+ */
+
+static PRStatus
+error_once_function
+(
+  void
+)
+{
+  return nss_NewThreadPrivateIndex(&error_stack_index,PR_Free);
+  /* return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free); */
+}
+
+/*
+ * error_get_my_stack
+ *
+ * This routine returns the calling thread's error stack, creating
+ * it if necessary.  It may return NULL upon error, which implicitly
+ * means that it ran out of memory.
+ */
+
+static error_stack *
+error_get_my_stack
+(
+  void
+)
+{
+  PRStatus st;
+  error_stack *rv;
+  PRUintn new_size;
+  PRUint32 new_bytes;
+  error_stack *new_stack;
+
+  if( 0 == error_stack_index ) {
+    st = PR_CallOnce(&error_call_once, error_once_function);
+    if( PR_SUCCESS != st ) {
+      return (error_stack *)NULL;
+    }
+  }
+
+  rv = (error_stack *)nss_GetThreadPrivate(error_stack_index);
+  if( (error_stack *)NULL == rv ) {
+    /* Doesn't exist; create one */
+    new_size = 16;
+  } else {
+    if( rv->header.count == rv->header.space ) {
+      /* Too small, expand it */
+      new_size = rv->header.space + 16;
+    } else {
+      /* Okay, return it */
+      return rv;
+    }
+  }
+
+  new_bytes = (new_size * sizeof(PRInt32)) + 
+    sizeof(struct stack_header_str);
+  /* Use NSPR's calloc/realloc, not NSS's, to avoid loops! */
+  new_stack = PR_Calloc(1, new_bytes);
+  
+  if( (error_stack *)NULL != new_stack ) {
+    if( (error_stack *)NULL != rv ) {
+	(void)nsslibc_memcpy(new_stack,rv,rv->header.space);
+    }
+    new_stack->header.space = new_size;
+  }
+
+  /* Set the value, whether or not the allocation worked */
+  nss_SetThreadPrivate(error_stack_index, new_stack);
+  return new_stack;
+}
+
+/*
+ * The error stack
+ *
+ * The public methods relating to the error stack are:
+ *
+ *  NSS_GetError
+ *  NSS_GetErrorStack
+ *
+ * The nonpublic methods relating to the error stack are:
+ *
+ *  nss_SetError
+ *  nss_ClearErrorStack
+ *
+ */
+
+/*
+ * NSS_GetError
+ *
+ * This routine returns the highest-level (most general) error set
+ * by the most recent NSS library routine called by the same thread
+ * calling this routine.
+ *
+ * This routine cannot fail.  However, it may return zero, which
+ * indicates that the previous NSS library call did not set an error.
+ *
+ * Return value:
+ *  0 if no error has been set
+ *  A nonzero error number
+ */
+
+NSS_IMPLEMENT PRInt32
+NSS_GetError
+(
+  void
+)
+{
+  error_stack *es = error_get_my_stack();
+
+  if( (error_stack *)NULL == es ) {
+    return NSS_ERROR_NO_MEMORY; /* Good guess! */
+  }
+
+  if( 0 == es->header.count ) {
+    return 0;
+  }
+
+  return es->stack[ es->header.count-1 ];
+}
+
+/*
+ * NSS_GetErrorStack
+ *
+ * This routine returns a pointer to an array of integers, containing
+ * the entire sequence or "stack" of errors set by the most recent NSS
+ * library routine called by the same thread calling this routine.
+ * NOTE: the caller DOES NOT OWN the memory pointed to by the return
+ * value.  The pointer will remain valid until the calling thread
+ * calls another NSS routine.  The lowest-level (most specific) error 
+ * is first in the array, and the highest-level is last.  The array is
+ * zero-terminated.  This routine may return NULL upon error; this
+ * indicates a low-memory situation.
+ *
+ * Return value:
+ *  NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
+ *  A NON-caller-owned pointer to an array of integers
+ */
+
+NSS_IMPLEMENT PRInt32 *
+NSS_GetErrorStack
+(
+  void
+)
+{
+  error_stack *es = error_get_my_stack();
+
+  if( (error_stack *)NULL == es ) {
+    return (PRInt32 *)NULL;
+  }
+
+  /* Make sure it's terminated */
+  es->stack[ es->header.count ] = 0;
+
+  return es->stack;
+}
+
+/*
+ * nss_SetError
+ *
+ * This routine places a new error code on the top of the calling 
+ * thread's error stack.  Calling this routine wiht an error code
+ * of zero will clear the error stack.
+ */
+
+NSS_IMPLEMENT void
+nss_SetError
+(
+  PRUint32 error
+)
+{
+  error_stack *es;
+
+  if( 0 == error ) {
+    nss_ClearErrorStack();
+    return;
+  }
+
+  es = error_get_my_stack();
+  if( (error_stack *)NULL == es ) {
+    /* Oh, well. */
+    return;
+  }
+
+  es->stack[ es->header.count ] = error;
+  es->header.count++;
+  return;
+}
+
+/*
+ * nss_ClearErrorStack
+ *
+ * This routine clears the calling thread's error stack.
+ */
+
+NSS_IMPLEMENT void
+nss_ClearErrorStack
+(
+  void
+)
+{
+  error_stack *es = error_get_my_stack();
+  if( (error_stack *)NULL == es ) {
+    /* Oh, well. */
+    return;
+  }
+
+  es->header.count = 0;
+  es->stack[0] = 0;
+  return;
+}

mozilla/security/nss/lib/base/errorval.c

@@ -0,0 +1,89 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: errorval.c,v $ $Revision: 1.6 $ $Date: 2001-12-12 20:23:06 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * errorval.c
+ *
+ * This file contains the actual error constants used in NSS.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+const NSSError NSS_ERROR_NO_ERROR                       =  0;
+const NSSError NSS_ERROR_INTERNAL_ERROR                 =  1;
+const NSSError NSS_ERROR_NO_MEMORY                      =  2;
+const NSSError NSS_ERROR_INVALID_POINTER                =  3;
+const NSSError NSS_ERROR_INVALID_ARENA                  =  4;
+const NSSError NSS_ERROR_INVALID_ARENA_MARK             =  5;
+const NSSError NSS_ERROR_DUPLICATE_POINTER              =  6;
+const NSSError NSS_ERROR_POINTER_NOT_REGISTERED         =  7;
+const NSSError NSS_ERROR_TRACKER_NOT_EMPTY              =  8;
+const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED        =  9;
+const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD = 10;
+const NSSError NSS_ERROR_VALUE_TOO_LARGE                = 11;
+const NSSError NSS_ERROR_UNSUPPORTED_TYPE               = 12;
+const NSSError NSS_ERROR_BUFFER_TOO_SHORT               = 13;
+const NSSError NSS_ERROR_INVALID_ATOB_CONTEXT           = 14;
+const NSSError NSS_ERROR_INVALID_BASE64                 = 15;
+const NSSError NSS_ERROR_INVALID_BTOA_CONTEXT           = 16;
+const NSSError NSS_ERROR_INVALID_ITEM                   = 17;
+const NSSError NSS_ERROR_INVALID_STRING                 = 18;
+const NSSError NSS_ERROR_INVALID_ASN1ENCODER            = 19;
+const NSSError NSS_ERROR_INVALID_ASN1DECODER            = 20;
+
+const NSSError NSS_ERROR_INVALID_BER                    = 21;
+const NSSError NSS_ERROR_INVALID_ATAV                   = 22;
+const NSSError NSS_ERROR_INVALID_ARGUMENT               = 23;
+const NSSError NSS_ERROR_INVALID_UTF8                   = 24;
+const NSSError NSS_ERROR_INVALID_NSSOID                 = 25;
+const NSSError NSS_ERROR_UNKNOWN_ATTRIBUTE              = 26;
+
+const NSSError NSS_ERROR_NOT_FOUND                      = 27;
+
+const NSSError NSS_ERROR_INVALID_PASSWORD               = 28;
+const NSSError NSS_ERROR_USER_CANCELED                  = 29;
+
+const NSSError NSS_ERROR_MAXIMUM_FOUND                  = 30;
+
+const NSSError NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND   = 31;
+
+const NSSError NSS_ERROR_CERTIFICATE_IN_CACHE           = 32;
+
+const NSSError NSS_ERROR_HASH_COLLISION                 = 33;
+

mozilla/security/nss/lib/base/hash.c

@@ -0,0 +1,404 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.6 $ $Date: 2001-12-12 20:23:07 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * hash.c
+ *
+ * This is merely a couple wrappers around NSPR's PLHashTable, using
+ * the identity hash and arena-aware allocators.
+ * This is a copy of ckfw/hash.c, with modifications to use NSS types
+ * (not Cryptoki types).  Would like for this to be a single implementation,
+ * but doesn't seem like it will work.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * nssHash
+ *
+ *  nssHash_Create
+ *  nssHash_Destroy
+ *  nssHash_Add
+ *  nssHash_Remove
+ *  nssHash_Count
+ *  nssHash_Exists
+ *  nssHash_Lookup
+ *  nssHash_Iterate
+ */
+
+struct nssHashStr {
+  NSSArena *arena;
+  PRBool i_alloced_arena;
+  PRLock *mutex;
+
+  /*
+   * The invariant that mutex protects is:
+   *   The count accurately reflects the hashtable state.
+   */
+
+  PLHashTable *plHashTable;
+  PRUint32 count;
+};
+
+static PLHashNumber
+nss_identity_hash
+(
+  const void *key
+)
+{
+  PRUint32 i = (PRUint32)key;
+  PR_ASSERT(sizeof(PLHashNumber) == sizeof(PRUint32));
+  return (PLHashNumber)i;
+}
+
+static PLHashNumber
+nss_item_hash
+(
+  const void *key
+)
+{
+  int i;
+  PLHashNumber h;
+  NSSItem *it = (NSSItem *)key;
+  h = 0;
+  for (i=0; i<it->size; i++)
+    h = (h >> 28) ^ (h << 4) ^ ((unsigned char *)it->data)[i];
+  return h;
+}
+
+static int
+nss_compare_items(const void *v1, const void *v2)
+{
+  PRStatus ignore;
+  return (int)nssItem_Equal((NSSItem *)v1, (NSSItem *)v2, &ignore);
+}
+
+/*
+ * nssHash_create
+ *
+ */
+NSS_IMPLEMENT nssHash *
+nssHash_Create
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets,
+  PLHashFunction keyHash,
+  PLHashComparator keyCompare,
+  PLHashComparator valueCompare
+)
+{
+  nssHash *rv;
+  NSSArena *arena;
+  PRBool i_alloced;
+
+#ifdef NSSDEBUG
+  if( arenaOpt && PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (nssHash *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if (arenaOpt) {
+    arena = arenaOpt;
+    i_alloced = PR_FALSE;
+  } else {
+    arena = nssArena_Create();
+    i_alloced = PR_TRUE;
+  }
+
+  rv = nss_ZNEW(arena, nssHash);
+  if( (nssHash *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->mutex = PZ_NewLock(nssILockOther);
+  if( (PZLock *)NULL == rv->mutex ) {
+    goto loser;
+  }
+
+  rv->plHashTable = PL_NewHashTable(numBuckets, 
+                                    keyHash, keyCompare, valueCompare,
+                                    &nssArenaHashAllocOps, arena);
+  if( (PLHashTable *)NULL == rv->plHashTable ) {
+    (void)PZ_DestroyLock(rv->mutex);
+    goto loser;
+  }
+
+  rv->count = 0;
+  rv->arena = arena;
+  rv->i_alloced_arena = i_alloced;
+
+  return rv;
+loser:
+  (void)nss_ZFreeIf(rv);
+  return (nssHash *)NULL;
+}
+
+/*
+ * nssHash_CreatePointer
+ *
+ */
+NSS_IMPLEMENT nssHash *
+nssHash_CreatePointer
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+)
+{
+  return nssHash_Create(arenaOpt, numBuckets, 
+                        nss_identity_hash, PL_CompareValues, PL_CompareValues);
+}
+
+/*
+ * nssHash_CreateString
+ *
+ */
+NSS_IMPLEMENT nssHash *
+nssHash_CreateString
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+)
+{
+  return nssHash_Create(arenaOpt, numBuckets, 
+                        PL_HashString, PL_CompareStrings, PL_CompareStrings);
+}
+
+/*
+ * nssHash_CreateItem
+ *
+ */
+NSS_IMPLEMENT nssHash *
+nssHash_CreateItem
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+)
+{
+  return nssHash_Create(arenaOpt, numBuckets, 
+                        nss_item_hash, nss_compare_items, PL_CompareValues);
+}
+
+/*
+ * nssHash_Destroy
+ *
+ */
+NSS_IMPLEMENT void
+nssHash_Destroy
+(
+  nssHash *hash
+)
+{
+  (void)PZ_DestroyLock(hash->mutex);
+  PL_HashTableDestroy(hash->plHashTable);
+  if (hash->i_alloced_arena) {
+    nssArena_Destroy(hash->arena);
+  } else {
+    nss_ZFreeIf(hash);
+  }
+}
+
+/*
+ * nssHash_Add
+ *
+ */
+NSS_IMPLEMENT PRStatus
+nssHash_Add
+(
+  nssHash *hash,
+  const void *key,
+  const void *value
+)
+{
+  PRStatus error = PR_FAILURE;
+  PLHashEntry *he;
+
+  PZ_Lock(hash->mutex);
+  
+  he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
+  if( (PLHashEntry *)NULL == he ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+  } else if (he->value != value) {
+    nss_SetError(NSS_ERROR_HASH_COLLISION);
+  } else {
+    hash->count++;
+    error = PR_SUCCESS;
+  }
+
+  (void)PZ_Unlock(hash->mutex);
+
+  return error;
+}
+
+/*
+ * nssHash_Remove
+ *
+ */
+NSS_IMPLEMENT void
+nssHash_Remove
+(
+  nssHash *hash,
+  const void *it
+)
+{
+  PRBool found;
+
+  PZ_Lock(hash->mutex);
+
+  found = PL_HashTableRemove(hash->plHashTable, it);
+  if( found ) {
+    hash->count--;
+  }
+
+  (void)PZ_Unlock(hash->mutex);
+  return;
+}
+
+/*
+ * nssHash_Count
+ *
+ */
+NSS_IMPLEMENT PRUint32
+nssHash_Count
+(
+  nssHash *hash
+)
+{
+  PRUint32 count;
+
+  PZ_Lock(hash->mutex);
+
+  count = hash->count;
+
+  (void)PZ_Unlock(hash->mutex);
+
+  return count;
+}
+
+/*
+ * nssHash_Exists
+ *
+ */
+NSS_IMPLEMENT PRBool
+nssHash_Exists
+(
+  nssHash *hash,
+  const void *it
+)
+{
+  void *value;
+
+  PZ_Lock(hash->mutex);
+
+  value = PL_HashTableLookup(hash->plHashTable, it);
+
+  (void)PZ_Unlock(hash->mutex);
+
+  if( (void *)NULL == value ) {
+    return PR_FALSE;
+  } else {
+    return PR_TRUE;
+  }
+}
+
+/*
+ * nssHash_Lookup
+ *
+ */
+NSS_IMPLEMENT void *
+nssHash_Lookup
+(
+  nssHash *hash,
+  const void *it
+)
+{
+  void *rv;
+
+  PZ_Lock(hash->mutex);
+
+  rv = PL_HashTableLookup(hash->plHashTable, it);
+
+  (void)PZ_Unlock(hash->mutex);
+
+  return rv;
+}
+
+struct arg_str {
+  nssHashIterator fcn;
+  void *closure;
+};
+
+static PRIntn
+nss_hash_enumerator
+(
+  PLHashEntry *he,
+  PRIntn index,
+  void *arg
+)
+{
+  struct arg_str *as = (struct arg_str *)arg;
+  as->fcn(he->key, he->value, as->closure);
+  return HT_ENUMERATE_NEXT;
+}
+
+/*
+ * nssHash_Iterate
+ *
+ * NOTE that the iteration function will be called with the hashtable locked.
+ */
+NSS_IMPLEMENT void
+nssHash_Iterate
+(
+  nssHash *hash,
+  nssHashIterator fcn,
+  void *closure
+)
+{
+  struct arg_str as;
+  as.fcn = fcn;
+  as.closure = closure;
+
+  PZ_Lock(hash->mutex);
+
+  PL_HashTableEnumerateEntries(hash->plHashTable, nss_hash_enumerator, &as);
+
+  (void)PZ_Unlock(hash->mutex);
+
+  return;
+}

mozilla/security/nss/lib/base/hashops.c

@@ -0,0 +1,117 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: hashops.c,v $ $Revision: 1.4 $ $Date: 2002-02-13 02:26:43 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * hashops.c
+ *
+ * This file includes a set of PLHashAllocOps that use NSSArenas.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+static void * PR_CALLBACK
+nss_arena_hash_alloc_table
+(
+  void *pool,
+  PRSize size
+)
+{
+  NSSArena *arena = (NSSArena *)NULL;
+
+#ifdef NSSDEBUG
+  if( (void *)NULL != arena ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+      return (void *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  return nss_ZAlloc(arena, size);
+}
+
+static void PR_CALLBACK
+nss_arena_hash_free_table
+(
+  void *pool, 
+  void *item
+)
+{
+  (void)nss_ZFreeIf(item);
+}
+
+static PLHashEntry * PR_CALLBACK
+nss_arena_hash_alloc_entry
+(
+  void *pool,
+  const void *key
+)
+{
+  NSSArena *arena = NULL;
+
+#ifdef NSSDEBUG
+  if( (void *)NULL != arena ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+      return (void *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  return nss_ZNEW(arena, PLHashEntry);
+}
+
+static void PR_CALLBACK
+nss_arena_hash_free_entry
+(
+  void *pool,
+  PLHashEntry *he,
+  PRUintn flag
+)
+{
+  if( HT_FREE_ENTRY == flag ) {
+    (void)nss_ZFreeIf(he);
+  }
+}
+
+NSS_IMPLEMENT_DATA PLHashAllocOps 
+nssArenaHashAllocOps = {
+  nss_arena_hash_alloc_table,
+  nss_arena_hash_free_table,
+  nss_arena_hash_alloc_entry,
+  nss_arena_hash_free_entry
+};

mozilla/security/nss/lib/base/item.c

@@ -0,0 +1,241 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: item.c,v $ $Revision: 1.2 $ $Date: 2001-11-28 16:23:35 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * item.c
+ *
+ * This contains some item-manipulation code.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * nssItem_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *  NSS_ERROR_INVALID_POINTER
+ *  
+ * Return value:
+ *  A pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSItem *
+nssItem_Create
+(
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt,
+  PRUint32 length,
+  const void *data
+)
+{
+  NSSItem *rv = (NSSItem *)NULL;
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSItem *)NULL;
+    }
+  }
+
+  if( (const void *)NULL == data ) {
+    if( length > 0 ) {
+      nss_SetError(NSS_ERROR_INVALID_POINTER);
+      return (NSSItem *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  if( (NSSItem *)NULL == rvOpt ) {
+    rv = (NSSItem *)nss_ZNEW(arenaOpt, NSSItem);
+    if( (NSSItem *)NULL == rv ) {
+      goto loser;
+    }
+  } else {
+    rv = rvOpt;
+  }
+
+  rv->size = length;
+  rv->data = nss_ZAlloc(arenaOpt, length);
+  if( (void *)NULL == rv->data ) {
+    goto loser;
+  }
+
+  if( length > 0 ) {
+    (void)nsslibc_memcpy(rv->data, data, length);
+  }
+
+  return rv;
+
+ loser:
+  if( rv != rvOpt ) {
+    nss_ZFreeIf(rv);
+  }
+
+  return (NSSItem *)NULL;
+}
+
+NSS_IMPLEMENT void
+nssItem_Destroy
+(
+  NSSItem *item
+)
+{
+  nss_ClearErrorStack();
+
+  nss_ZFreeIf(item->data);
+  nss_ZFreeIf(item);
+
+}
+
+/*
+ * nssItem_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *  NSS_ERROR_INVALID_ITEM
+ *  
+ * Return value:
+ *  A pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSItem *
+nssItem_Duplicate
+(
+  NSSItem *obj,
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt
+)
+{
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSItem *)NULL;
+    }
+  }
+
+  if( (NSSItem *)NULL == obj ) {
+    nss_SetError(NSS_ERROR_INVALID_ITEM);
+    return (NSSItem *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssItem_Create(arenaOpt, rvOpt, obj->size, obj->data);
+}
+
+#ifdef DEBUG
+/*
+ * nssItem_verifyPointer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssItem_verifyPointer
+(
+  const NSSItem *item
+)
+{
+  if( ((const NSSItem *)NULL == item) ||
+      (((void *)NULL == item->data) && (item->size > 0)) ) {
+    nss_SetError(NSS_ERROR_INVALID_ITEM);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+#endif /* DEBUG */
+
+/*
+ * nssItem_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  PR_TRUE if the items are identical
+ *  PR_FALSE if they aren't
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssItem_Equal
+(
+  const NSSItem *one,
+  const NSSItem *two,
+  PRStatus *statusOpt
+)
+{
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  if( ((const NSSItem *)NULL == one) && ((const NSSItem *)NULL == two) ) {
+    return PR_TRUE;
+  }
+
+  if( ((const NSSItem *)NULL == one) || ((const NSSItem *)NULL == two) ) {
+    return PR_FALSE;
+  }
+
+  if( one->size != two->size ) {
+    return PR_FALSE;
+  }
+
+  return nsslibc_memequal(one->data, two->data, one->size, statusOpt);
+}

mozilla/security/nss/lib/base/libc.c

@@ -0,0 +1,197 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: libc.c,v $ $Revision: 1.1 $ $Date: 2000-03-31 19:50:16 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * libc.c
+ *
+ * This file contains our wrappers/reimplementations for "standard" 
+ * libc functions.  Things like "memcpy."  We add to this as we need 
+ * it.  Oh, and let's keep it in alphabetical order, should it ever 
+ * get large.  Most string/character stuff should be in utf8.c, not 
+ * here.  This file (and maybe utf8.c) should be the only ones in
+ * NSS to include files with angle brackets.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#include <string.h> /* memcpy, memset */
+
+/*
+ * nsslibc_memcpy
+ * nsslibc_memset
+ * nsslibc_offsetof
+ * nsslibc_memequal
+ */
+
+/*
+ * nsslibc_memcpy
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  NULL on error
+ *  The destination pointer on success
+ */
+
+NSS_IMPLEMENT void *
+nsslibc_memcpy
+(
+  void *dest,
+  const void *source,
+  PRUint32 n
+)
+{
+#ifdef NSSDEBUG
+  if( ((void *)NULL == dest) || ((const void *)NULL == source) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (void *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return memcpy(dest, source, (size_t)n);
+}
+
+/*
+ * nsslibc_memset
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  NULL on error
+ *  The destination pointer on success
+ */
+
+NSS_IMPLEMENT void *
+nsslibc_memset
+(
+  void *dest,
+  PRUint8 byte,
+  PRUint32 n
+)
+{
+#ifdef NSSDEBUG
+  if( ((void *)NULL == dest) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (void *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return memset(dest, (int)byte, (size_t)n);
+}
+
+/*
+ * nsslibc_memequal
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if they match
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nsslibc_memequal
+(
+  const void *a,
+  const void *b,
+  PRUint32 len,
+  PRStatus *statusOpt
+)
+{
+#ifdef NSSDEBUG
+  if( (((void *)NULL == a) || ((void *)NULL == b)) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  if( 0 == memcmp(a, b, len) ) {
+    return PR_TRUE;
+  } else {
+    return PR_FALSE;
+  }
+}
+
+/*
+ * nsslibc_memcmp
+ */
+
+NSS_IMPLEMENT PRInt32
+nsslibc_memcmp
+(
+  const void *a,
+  const void *b,
+  PRUint32 len,
+  PRStatus *statusOpt
+)
+{
+  int v;
+
+#ifdef NSSDEBUG
+  if( (((void *)NULL == a) || ((void *)NULL == b)) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return -2;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  v = memcmp(a, b, len);
+  return (PRInt32)v;
+}
+
+/*
+ * offsetof is a preprocessor definition
+ */

mozilla/security/nss/lib/base/list.c

@@ -0,0 +1,426 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: list.c,v $ $Revision: 1.15 $ $Date: 2002-03-01 02:13:42 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * list.c
+ *
+ * This contains the implementation of NSS's thread-safe linked list.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+struct nssListElementStr {
+    PRCList  link;
+    void    *data;
+};
+
+typedef struct nssListElementStr nssListElement;
+
+struct nssListStr {
+    NSSArena       *arena;
+    PZLock         *lock;
+    nssListElement *head;
+    PRUint32        count;
+    nssListCompareFunc compareFunc;
+    nssListSortFunc    sortFunc;
+    PRBool i_alloced_arena;
+};
+
+struct nssListIteratorStr {
+    PZLock *lock;
+    nssList *list;
+    nssListElement *current;
+};
+
+#define NSSLIST_LOCK_IF(list) \
+    if ((list)->lock) PZ_Lock((list)->lock)
+
+#define NSSLIST_UNLOCK_IF(list) \
+    if ((list)->lock) PZ_Unlock((list)->lock)
+
+static PRBool
+pointer_compare(void *a, void *b)
+{
+    return (PRBool)(a == b);
+}
+
+static nssListElement *
+nsslist_get_matching_element(nssList *list, void *data)
+{
+    PRCList *link;
+    nssListElement *node;
+    node = list->head;
+    if (!node) {
+	return NULL;
+    }
+    link = &node->link;
+    while (node) {
+	/* using a callback slows things down when it's just compare ... */
+	if (list->compareFunc(node->data, data)) {
+	    break;
+	}
+	link = &node->link;
+	if (link == PR_LIST_TAIL(&list->head->link)) {
+	    node = NULL;
+	    break;
+	}
+	node = (nssListElement *)PR_NEXT_LINK(&node->link);
+    }
+    return node;
+}
+
+NSS_IMPLEMENT nssList *
+nssList_Create
+(
+  NSSArena *arenaOpt,
+  PRBool threadSafe
+)
+{
+    NSSArena *arena;
+    nssList *list;
+    PRBool i_alloced;
+    if (arenaOpt) {
+	arena = arenaOpt;
+	i_alloced = PR_FALSE;
+    } else {
+	arena = nssArena_Create();
+	i_alloced = PR_TRUE;
+    }
+    if (!arena) {
+	return (nssList *)NULL;
+    }
+    list = nss_ZNEW(arena, nssList);
+    if (!list) {
+	return (nssList *)NULL;
+    }
+    if (threadSafe) {
+	list->lock = PZ_NewLock(nssILockOther);
+	if (!list->lock) {
+	    if (arenaOpt) {
+		nss_ZFreeIf(list);
+	    } else {
+		NSSArena_Destroy(arena);
+	    }
+	    return (nssList *)NULL;
+	}
+    }
+    list->arena = arena;
+    list->i_alloced_arena = i_alloced;
+    list->compareFunc = pointer_compare;
+    return list;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_Destroy(nssList *list)
+{
+    if (!list->i_alloced_arena) {
+	nssList_Clear(list, NULL);
+    }
+    if (list->lock) {
+	(void)PZ_DestroyLock(list->lock);
+    }
+    if (list->i_alloced_arena) {
+	NSSArena_Destroy(list->arena);
+	list = NULL;
+    }
+    nss_ZFreeIf(list);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT void
+nssList_SetCompareFunction(nssList *list, nssListCompareFunc compareFunc)
+{
+    list->compareFunc = compareFunc;
+}
+
+NSS_IMPLEMENT void
+nssList_SetSortFunction(nssList *list, nssListSortFunc sortFunc)
+{
+    /* XXX if list already has elements, sort them */
+    list->sortFunc = sortFunc;
+}
+
+NSS_IMPLEMENT nssListCompareFunc
+nssList_GetCompareFunction(nssList *list)
+{
+    return list->compareFunc;
+}
+
+NSS_IMPLEMENT void
+nssList_Clear(nssList *list, nssListElementDestructorFunc destructor)
+{
+    PRCList *link;
+    nssListElement *node, *tmp;
+    NSSLIST_LOCK_IF(list);
+    node = list->head;
+    list->head = NULL;
+    while (node && list->count > 0) {
+	if (destructor) (*destructor)(node->data);
+	link = &node->link;
+	tmp = (nssListElement *)PR_NEXT_LINK(link);
+	PR_REMOVE_LINK(link);
+	nss_ZFreeIf(node);
+	node = tmp;
+	--list->count;
+    }
+    NSSLIST_UNLOCK_IF(list);
+}
+
+static PRStatus
+nsslist_add_element(nssList *list, void *data)
+{
+    nssListElement *node = nss_ZNEW(list->arena, nssListElement);
+    if (!node) {
+	return PR_FAILURE;
+    }
+    PR_INIT_CLIST(&node->link);
+    node->data = data;
+    if (list->head) {
+	if (list->sortFunc) {
+	    PRCList *link;
+	    nssListElement *currNode;
+	    currNode = list->head;
+	    /* insert in ordered list */
+	    while (currNode) {
+		link = &currNode->link;
+		if (list->sortFunc(data, currNode->data) <= 0) {
+		    /* new element goes before current node */
+		    PR_INSERT_BEFORE(&node->link, link);
+		    /* reset head if this is first */
+		    if (currNode == list->head) list->head = node;
+		    break;
+		}
+		if (link == PR_LIST_TAIL(&list->head->link)) {
+		    /* reached end of list, append */
+		    PR_INSERT_AFTER(&node->link, link);
+		    break;
+		}
+		currNode = (nssListElement *)PR_NEXT_LINK(&currNode->link);
+	    }
+	} else {
+	    /* not sorting */
+	    PR_APPEND_LINK(&node->link, &list->head->link);
+	}
+    } else {
+	list->head = node;
+    }
+    ++list->count;
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_Add(nssList *list, void *data)
+{
+    PRStatus nssrv;
+    NSSLIST_LOCK_IF(list);
+    nssrv = nsslist_add_element(list, data);
+    NSSLIST_UNLOCK_IF(list);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_AddUnique(nssList *list, void *data)
+{
+    PRStatus nssrv;
+    nssListElement *node;
+    NSSLIST_LOCK_IF(list);
+    node = nsslist_get_matching_element(list, data);
+    if (node) {
+	/* already in, finish */
+	NSSLIST_UNLOCK_IF(list);
+	return PR_SUCCESS;
+    }
+    nssrv = nsslist_add_element(list, data);
+    NSSLIST_UNLOCK_IF(list);
+    return nssrv;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_Remove(nssList *list, void *data)
+{
+    nssListElement *node;
+    NSSLIST_LOCK_IF(list);
+    node = nsslist_get_matching_element(list, data);
+    if (node) {
+	if (node == list->head) {
+	    list->head = (nssListElement *)PR_NEXT_LINK(&node->link);
+	}
+	PR_REMOVE_LINK(&node->link);
+	nss_ZFreeIf(node);
+	if (--list->count == 0) {
+	    list->head = NULL;
+	}
+    }
+    NSSLIST_UNLOCK_IF(list);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT void *
+nssList_Get(nssList *list, void *data)
+{
+    nssListElement *node;
+    NSSLIST_LOCK_IF(list);
+    node = nsslist_get_matching_element(list, data);
+    NSSLIST_UNLOCK_IF(list);
+    return (node) ? node->data : NULL;
+}
+
+NSS_IMPLEMENT PRUint32
+nssList_Count(nssList *list)
+{
+    return list->count;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_GetArray(nssList *list, void **rvArray, PRUint32 maxElements)
+{
+    nssListIterator *iter;
+    void *el;
+    PRUint32 i = 0;
+    PR_ASSERT(maxElements > 0);
+    iter = nssList_CreateIterator(list);
+    for (el = nssListIterator_Start(iter); el != NULL;
+         el = nssListIterator_Next(iter)) 
+    {
+	rvArray[i++] = el;
+	if (i == maxElements) break;
+    }
+    nssListIterator_Finish(iter);
+    nssListIterator_Destroy(iter);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT nssList *
+nssList_Clone(nssList *list)
+{
+    nssList *rvList;
+    nssListElement *node;
+    rvList = nssList_Create(NULL, (list->lock != NULL));
+    if (!rvList) {
+	return NULL;
+    }
+    NSSLIST_LOCK_IF(list);
+    if (list->count > 0) {
+	node = list->head;
+	while (PR_TRUE) {
+	    nssList_Add(rvList, node->data);
+	    node = (nssListElement *)PR_NEXT_LINK(&node->link);
+	    if (node == list->head) {
+		break;
+	    }
+	}
+    }
+    NSSLIST_UNLOCK_IF(list);
+    return rvList;
+}
+
+NSS_IMPLEMENT nssListIterator *
+nssList_CreateIterator(nssList *list)
+{
+    nssListIterator *rvIterator;
+    rvIterator = nss_ZNEW(NULL, nssListIterator);
+    if (!rvIterator) {
+	return NULL;
+    }
+    rvIterator->list = nssList_Clone(list);
+    if (!rvIterator->list) {
+	nss_ZFreeIf(rvIterator);
+	return NULL;
+    }
+    rvIterator->current = rvIterator->list->head;
+    if (list->lock) {
+	rvIterator->lock = PZ_NewLock(nssILockOther);
+	if (!rvIterator->lock) {
+	    nssList_Destroy(rvIterator->list);
+	    nss_ZFreeIf(rvIterator);
+	}
+    }
+    return rvIterator;
+}
+
+NSS_IMPLEMENT void
+nssListIterator_Destroy(nssListIterator *iter)
+{
+    if (iter->lock) {
+	(void)PZ_DestroyLock(iter->lock);
+    }
+    nssList_Destroy(iter->list);
+    nss_ZFreeIf(iter);
+}
+
+NSS_IMPLEMENT void *
+nssListIterator_Start(nssListIterator *iter)
+{
+    NSSLIST_LOCK_IF(iter);
+    if (iter->list->count == 0) {
+	return NULL;
+    }
+    iter->current = iter->list->head;
+    return iter->current->data;
+}
+
+NSS_IMPLEMENT void *
+nssListIterator_Next(nssListIterator *iter)
+{
+    nssListElement *node;
+    PRCList *link;
+    if (iter->list->count == 1 || iter->current == NULL) {
+	/* Reached the end of the list.  Don't change the state, force to
+	 * user to call nssList_Finish to clean up.
+	 */
+	return NULL;
+    }
+    node = (nssListElement *)PR_NEXT_LINK(&iter->current->link);
+    link = &node->link;
+    if (link == PR_LIST_TAIL(&iter->list->head->link)) {
+	/* Signal the end of the list. */
+	iter->current = NULL;
+	return node->data;
+    }
+    iter->current = node;
+    return node->data;
+}
+
+NSS_IMPLEMENT PRStatus
+nssListIterator_Finish(nssListIterator *iter)
+{
+    iter->current = iter->list->head;
+    return (iter->lock) ? PZ_Unlock(iter->lock) : PR_SUCCESS;
+}
+

mozilla/security/nss/lib/base/manifest.mn

@@ -0,0 +1,65 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MANIFEST_CVS_ID = "@(#) $RCSfile: manifest.mn,v $ $Revision: 1.5 $ $Date: 2001-09-25 20:48:51 $ $Name: not supported by cvs2svn $"
+
+CORE_DEPTH = ../../..
+
+PRIVATE_EXPORTS = \
+	baset.h		  \
+	base.h		  \
+	$(NULL)
+
+EXPORTS =	   \
+	nssbaset.h \
+	nssbase.h  \
+	$(NULL)
+
+MODULE = security
+
+CSRCS =		   \
+	arena.c	   \
+	error.c	   \
+	errorval.c \
+	hashops.c  \
+	libc.c	   \
+	tracker.c  \
+	item.c     \
+	utf8.c	   \
+	list.c     \
+	hash.c     \
+	whatnspr.c \
+	$(NULL)
+
+REQUIRES = security nspr
+
+LIBRARY_NAME = nssb

mozilla/security/nss/lib/base/nssbase.h

@@ -0,0 +1,167 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSBASE_H
+#define NSSBASE_H
+
+#ifdef DEBUG
+static const char NSSBASE_CVS_ID[] = "@(#) $RCSfile: nssbase.h,v $ $Revision: 1.1 $ $Date: 2000-03-31 19:50:22 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * nssbase.h
+ *
+ * This header file contains the prototypes of the basic public
+ * NSS routines.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSArena
+ *
+ * The public methods relating to this type are:
+ *
+ *  NSSArena_Create  -- constructor
+ *  NSSArena_Destroy
+ */
+
+/*
+ * NSSArena_Create
+ *
+ * This routine creates a new memory arena.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The top-level error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSArena upon success
+ */
+
+NSS_EXTERN NSSArena *
+NSSArena_Create
+(
+  void
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSArena_Destroy
+ *
+ * This routine will destroy the specified arena, freeing all memory
+ * allocated from it.  This routine returns a PRStatus value; if 
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The top-level error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSArena_Destroy
+(
+  NSSArena *arena
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+
+/*
+ * The error stack
+ *
+ * The public methods relating to the error stack are:
+ *
+ *  NSS_GetError
+ *  NSS_GetErrorStack
+ */
+
+/*
+ * NSS_GetError
+ *
+ * This routine returns the highest-level (most general) error set
+ * by the most recent NSS library routine called by the same thread
+ * calling this routine.
+ *
+ * This routine cannot fail.  It may return NSS_ERROR_NO_ERROR, which
+ * indicates that the previous NSS library call did not set an error.
+ *
+ * Return value:
+ *  0 if no error has been set
+ *  A nonzero error number
+ */
+
+NSS_EXTERN NSSError
+NSS_GetError
+(
+  void
+);
+
+extern const NSSError NSS_ERROR_NO_ERROR;
+
+/*
+ * NSS_GetErrorStack
+ *
+ * This routine returns a pointer to an array of NSSError values, 
+ * containingthe entire sequence or "stack" of errors set by the most 
+ * recent NSS library routine called by the same thread calling this 
+ * routine.  NOTE: the caller DOES NOT OWN the memory pointed to by 
+ * the return value.  The pointer will remain valid until the calling 
+ * thread calls another NSS routine.  The lowest-level (most specific) 
+ * error is first in the array, and the highest-level is last.  The 
+ * array is zero-terminated.  This routine may return NULL upon error; 
+ * this indicates a low-memory situation.
+ *
+ * Return value:
+ *  NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
+ *  A NON-caller-owned pointer to an array of NSSError values
+ */
+
+NSS_EXTERN NSSError *
+NSS_GetErrorStack
+(
+  void
+);
+
+PR_END_EXTERN_C
+
+#endif /* NSSBASE_H */

mozilla/security/nss/lib/base/nssbaset.h

@@ -0,0 +1,153 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSBASET_H
+#define NSSBASET_H
+
+#ifdef DEBUG
+static const char NSSBASET_CVS_ID[] = "@(#) $RCSfile: nssbaset.h,v $ $Revision: 1.4 $ $Date: 2001-11-08 00:14:37 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * nssbaset.h
+ *
+ * This file contains the most low-level, fundamental public types.
+ */
+
+#include "nspr.h"
+#include "nssilock.h"
+
+/*
+ * NSS_EXTERN, NSS_IMPLEMENT, NSS_EXTERN_DATA, NSS_IMPLEMENT_DATA
+ *
+ * NSS has its own versions of these NSPR macros, in a form which
+ * does not confuse ctags and other related utilities.  NSPR 
+ * defines these macros to take the type as an argument, because
+ * of a requirement to support win16 dlls.  We do not have that
+ * requirement, so we can drop that restriction.
+ */
+
+#define DUMMY	/* dummy */
+#define NSS_EXTERN         PR_EXTERN(DUMMY)
+#define NSS_IMPLEMENT      PR_IMPLEMENT(DUMMY)
+#define NSS_EXTERN_DATA    PR_EXTERN_DATA(DUMMY)
+#define NSS_IMPLEMENT_DATA PR_IMPLEMENT_DATA(DUMMY)
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSError
+ *
+ * Calls to NSS routines may result in one or more errors being placed
+ * on the calling thread's "error stack."  Every possible error that
+ * may be returned from a function is declared where the function is 
+ * prototyped.  All errors are of the following type.
+ */
+
+typedef PRInt32 NSSError;
+
+/*
+ * NSSArena
+ *
+ * Arenas are logical sets of heap memory, from which memory may be
+ * allocated.  When an arena is destroyed, all memory allocated within
+ * that arena is implicitly freed.  These arenas are thread-safe: 
+ * an arena pointer may be used by multiple threads simultaneously.
+ * However, as they are not backed by shared memory, they may only be
+ * used within one process.
+ */
+
+struct NSSArenaStr;
+typedef struct NSSArenaStr NSSArena;
+
+/*
+ * NSSItem
+ *
+ * This is the basic type used to refer to an unconstrained datum of
+ * arbitrary size.
+ */
+
+struct NSSItemStr {
+  void *data;
+  PRUint32 size;
+};
+typedef struct NSSItemStr NSSItem;
+
+
+/*
+ * NSSBER
+ *
+ * Data packed according to the Basic Encoding Rules of ASN.1.
+ */
+
+typedef NSSItem NSSBER;
+
+/*
+ * NSSDER
+ *
+ * Data packed according to the Distinguished Encoding Rules of ASN.1;
+ * this form is also known as the Canonical Encoding Rules form (CER).
+ */
+
+typedef NSSBER NSSDER;
+
+/*
+ * NSSBitString
+ *
+ * Some ASN.1 types use "bit strings," which are passed around as
+ * octet strings but whose length is counted in bits.  We use this
+ * typedef of NSSItem to point out the occasions when the length
+ * is counted in bits, not octets.
+ */
+
+typedef NSSItem NSSBitString;
+
+/*
+ * NSSUTF8
+ *
+ * Character strings encoded in UTF-8, as defined by RFC 2279.
+ */
+
+typedef char NSSUTF8;
+
+/*
+ * NSSASCII7
+ *
+ * Character strings guaranteed to be 7-bit ASCII.
+ */
+
+typedef char NSSASCII7;
+
+PR_END_EXTERN_C
+
+#endif /* NSSBASET_H */

mozilla/security/nss/lib/base/tracker.c

@@ -0,0 +1,543 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: tracker.c,v $ $Revision: 1.4 $ $Date: 2001-12-06 21:25:32 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * tracker.c
+ * 
+ * This file contains the code used by the pointer-tracking calls used
+ * in the debug builds to catch bad pointers.  The entire contents are
+ * only available in debug builds (both internal and external builds).
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#ifdef DEBUG
+
+/*
+ * call_once
+ *
+ * Unfortunately, NSPR's PR_CallOnce function doesn't accept a closure
+ * variable.  So I have a static version here which does.  This code 
+ * is based on NSPR's, and uses the NSPR function to initialize the
+ * required lock.
+ */
+
+/*
+ * The is the "once block" that's passed to the "real" PR_CallOnce
+ * function, to call the local initializer myOnceFunction once.
+ */
+static PRCallOnceType myCallOnce;
+
+/*
+ * This structure is used by the call_once function to make sure that
+ * any "other" threads calling the call_once don't return too quickly,
+ * before the initializer has finished.
+ */
+static struct {
+  PZLock *ml;
+  PZCondVar *cv;
+} mod_init;
+
+/*
+ * This is the initializer for the above mod_init structure.
+ */
+static PRStatus
+myOnceFunction
+(
+  void
+)
+{
+  mod_init.ml = PZ_NewLock(nssILockOther);
+  if( (PZLock *)NULL == mod_init.ml ) {
+    return PR_FAILURE;
+  }
+
+  mod_init.cv = PZ_NewCondVar(mod_init.ml);
+  if( (PZCondVar *)NULL == mod_init.cv ) {
+    PZ_DestroyLock(mod_init.ml);
+    mod_init.ml = (PZLock *)NULL;
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * The nss call_once callback takes a closure argument.
+ */
+typedef PRStatus (PR_CALLBACK *nssCallOnceFN)(void *arg);
+
+/*
+ * NSS's call_once function.
+ */
+static PRStatus
+call_once
+(
+  PRCallOnceType *once,
+  nssCallOnceFN func,
+  void *arg
+)
+{
+  PRStatus rv;
+
+  if( !myCallOnce.initialized ) {
+    rv = PR_CallOnce(&myCallOnce, myOnceFunction);
+    if( PR_SUCCESS != rv ) {
+      return rv;
+    }
+  }
+
+  if( !once->initialized ) {
+    if( 0 == PR_AtomicSet(&once->inProgress, 1) ) {
+      once->status = (*func)(arg);
+      PZ_Lock(mod_init.ml);
+      once->initialized = 1;
+      PZ_NotifyAllCondVar(mod_init.cv);
+      PZ_Unlock(mod_init.ml);
+    } else {
+      PZ_Lock(mod_init.ml);
+      while( !once->initialized ) {
+        PZ_WaitCondVar(mod_init.cv, PR_INTERVAL_NO_TIMEOUT);
+      }
+      PZ_Unlock(mod_init.ml);
+    }
+  }
+
+  return once->status;
+}
+
+/*
+ * Now we actually get to my own "call once" payload function.
+ * But wait, to create the hash, I need a hash function!
+ */
+
+/*
+ * identity_hash
+ *
+ * This static callback is a PLHashFunction as defined in plhash.h
+ * It merely returns the value of the object pointer as its hash.
+ * There are no possible errors.
+ */
+
+static PLHashNumber PR_CALLBACK
+identity_hash
+(
+  const void *key
+)
+{
+  return (PLHashNumber)key;
+}
+
+/*
+ * trackerOnceFunc
+ *
+ * This function is called once, using the nssCallOnce function above.
+ * It creates a new pointer tracker object; initialising its hash
+ * table and protective lock.
+ */
+
+static PRStatus
+trackerOnceFunc
+(
+  void *arg
+)
+{
+  nssPointerTracker *tracker = (nssPointerTracker *)arg;
+
+  tracker->lock = PZ_NewLock(nssILockOther);
+  if( (PZLock *)NULL == tracker->lock ) {
+    return PR_FAILURE;
+  }
+
+  tracker->table = PL_NewHashTable(0, 
+                                   identity_hash, 
+                                   PL_CompareValues,
+                                   PL_CompareValues,
+                                   (PLHashAllocOps *)NULL, 
+                                   (void *)NULL);
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_DestroyLock(tracker->lock);
+    tracker->lock = (PZLock *)NULL;
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssPointerTracker_initialize
+ *
+ * This method is only present in debug builds.
+ * 
+ * This routine initializes an nssPointerTracker object.  Note that
+ * the object must have been declared *static* to guarantee that it
+ * is in a zeroed state initially.  This routine is idempotent, and
+ * may even be safely called by multiple threads simultaneously with 
+ * the same argument.  This routine returns a PRStatus value; if 
+ * successful, it will return PR_SUCCESS.  On failure it will set an 
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_initialize
+(
+  nssPointerTracker *tracker
+)
+{
+  PRStatus rv = call_once(&tracker->once, trackerOnceFunc, tracker);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+  }
+
+  return rv;
+}
+
+#ifdef DONT_DESTROY_EMPTY_TABLES
+/* See same #ifdef below */
+/*
+ * count_entries
+ *
+ * This static routine is a PLHashEnumerator, as defined in plhash.h.
+ * It merely causes the enumeration function to count the number of
+ * entries.
+ */
+
+static PRIntn PR_CALLBACK
+count_entries
+(
+  PLHashEntry *he,
+  PRIntn index,
+  void *arg
+)
+{
+  return HT_ENUMERATE_NEXT;
+}
+#endif /* DONT_DESTROY_EMPTY_TABLES */
+
+/*
+ * zero_once
+ *
+ * This is a guaranteed zeroed once block.  It's used to help clear
+ * the tracker.
+ */
+
+static const PRCallOnceType zero_once;
+
+/*
+ * nssPointerTracker_finalize
+ *
+ * This method is only present in debug builds.
+ * 
+ * This routine returns the nssPointerTracker object to the pre-
+ * initialized state, releasing all resources used by the object.
+ * It will *NOT* destroy the objects being tracked by the pointer
+ * (should any remain), and therefore cannot be used to "sweep up"
+ * remaining objects.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCES.  On failure it will set an
+ * error on the error stack and return PR_FAILURE.  If any objects
+ * remain in the tracker when it is finalized, that will be treated
+ * as an error.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_TRACKER_NOT_EMPTY
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_finalize
+(
+  nssPointerTracker *tracker
+)
+{
+  PZLock *lock;
+
+  if( (nssPointerTracker *)NULL == tracker ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  if( (PZLock *)NULL == tracker->lock ) {
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  lock = tracker->lock;
+  PZ_Lock(lock);
+
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_Unlock(lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+#ifdef DONT_DESTROY_EMPTY_TABLES
+  /*
+   * I changed my mind; I think we don't want this after all.
+   * Comments?
+   */
+  count = PL_HashTableEnumerateEntries(tracker->table, 
+                                       count_entries,
+                                       (void *)NULL);
+
+  if( 0 != count ) {
+    PZ_Unlock(lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_EMPTY);
+    return PR_FAILURE;
+  }
+#endif /* DONT_DESTROY_EMPTY_TABLES */
+
+  PL_HashTableDestroy(tracker->table);
+  /* memset(tracker, 0, sizeof(nssPointerTracker)); */
+  tracker->once = zero_once;
+  tracker->lock = (PZLock *)NULL;
+  tracker->table = (PLHashTable *)NULL;
+
+  PZ_Unlock(lock);
+  PZ_DestroyLock(lock);
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssPointerTracker_add
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine adds the specified pointer to the nssPointerTracker
+ * object.  It should be called in constructor objects to register
+ * new valid objects.  The nssPointerTracker is threadsafe, but this
+ * call is not idempotent.  This routine returns a PRStatus value;
+ * if successful it will return PR_SUCCESS.  On failure it will set
+ * an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_DUPLICATE_POINTER
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_add
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+)
+{
+  void *check;
+  PLHashEntry *entry;
+
+  if( (nssPointerTracker *)NULL == tracker ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  if( (PZLock *)NULL == tracker->lock ) {
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  PZ_Lock(tracker->lock);
+
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_Unlock(tracker->lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  check = PL_HashTableLookup(tracker->table, pointer);
+  if( (void *)NULL != check ) {
+    PZ_Unlock(tracker->lock);
+    nss_SetError(NSS_ERROR_DUPLICATE_POINTER);
+    return PR_FAILURE;
+  }
+
+  entry = PL_HashTableAdd(tracker->table, pointer, (void *)pointer);
+
+  PZ_Unlock(tracker->lock);
+
+  if( (PLHashEntry *)NULL == entry ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+  
+/*
+ * nssPointerTracker_remove
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine removes the specified pointer from the 
+ * nssPointerTracker object.  It does not call any destructor for the
+ * object; rather, this should be called from the object's destructor.
+ * The nssPointerTracker is threadsafe, but this call is not 
+ * idempotent.  This routine returns a PRStatus value; if successful 
+ * it will return PR_SUCCESS.  On failure it will set an error on the 
+ * error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_POINTER_NOT_REGISTERED
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_remove
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+)
+{
+  PRBool registered;
+
+  if( (nssPointerTracker *)NULL == tracker ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  if( (PZLock *)NULL == tracker->lock ) {
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  PZ_Lock(tracker->lock);
+
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_Unlock(tracker->lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  registered = PL_HashTableRemove(tracker->table, pointer);
+  PZ_Unlock(tracker->lock);
+
+  if( !registered ) {
+    nss_SetError(NSS_ERROR_POINTER_NOT_REGISTERED);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssPointerTracker_verify
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine verifies that the specified pointer has been registered
+ * with the nssPointerTracker object.  The nssPointerTracker object is
+ * threadsafe, and this call may be safely called from multiple threads
+ * simultaneously with the same arguments.  This routine returns a
+ * PRStatus value; if the pointer is registered this will return 
+ * PR_SUCCESS.  Otherwise it will set an error on the error stack and 
+ * return PR_FAILURE.  Although the error is suitable for leaving on 
+ * the stack, callers may wish to augment the information available by 
+ * placing a more type-specific error on the stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_POINTER_NOT_REGISTERED
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILRUE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_verify
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+)
+{
+  void *check;
+
+  if( (nssPointerTracker *)NULL == tracker ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  if( (PZLock *)NULL == tracker->lock ) {
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  PZ_Lock(tracker->lock);
+
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_Unlock(tracker->lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  check = PL_HashTableLookup(tracker->table, pointer);
+  PZ_Unlock(tracker->lock);
+
+  if( (void *)NULL == check ) {
+    nss_SetError(NSS_ERROR_POINTER_NOT_REGISTERED);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+#endif /* DEBUG */

mozilla/security/nss/lib/base/utf8.c

@@ -0,0 +1,759 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: utf8.c,v $ $Revision: 1.5 $ $Date: 2001-11-08 00:14:37 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * utf8.c
+ *
+ * This file contains some additional utility routines required for
+ * handling UTF8 strings.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#include "plstr.h"
+
+/*
+ * NOTES:
+ *
+ * There's an "is hex string" function in pki1/atav.c.  If we need
+ * it in more places, pull that one out.
+ */
+
+/*
+ * nssUTF8_CaseIgnoreMatch
+ * 
+ * Returns true if the two UTF8-encoded strings pointed to by the 
+ * two specified NSSUTF8 pointers differ only in typcase.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if the strings match, ignoring case
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssUTF8_CaseIgnoreMatch
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+)
+{
+#ifdef NSSDEBUG
+  if( ((const NSSUTF8 *)NULL == a) ||
+      ((const NSSUTF8 *)NULL == b) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  /*
+   * XXX fgmr
+   *
+   * This is, like, so wrong!
+   */
+  if( 0 == PL_strcasecmp((const char *)a, (const char *)b) ) {
+    return PR_TRUE;
+  } else {
+    return PR_FALSE;
+  }
+}
+
+/*
+ * nssUTF8_PrintableMatch
+ *
+ * Returns true if the two Printable strings pointed to by the 
+ * two specified NSSUTF8 pointers match when compared with the 
+ * rules for Printable String (leading and trailing spaces are 
+ * disregarded, extents of whitespace match irregardless of length, 
+ * and case is not significant), then PR_TRUE will be returned.
+ * Otherwise, PR_FALSE will be returned.  Upon failure, PR_FALSE
+ * will be returned.  If the optional statusOpt argument is not
+ * NULL, then PR_SUCCESS or PR_FAILURE will be stored in that
+ * location.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if the strings match, ignoring case
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssUTF8_PrintableMatch
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+)
+{
+  PRUint8 *c;
+  PRUint8 *d;
+
+#ifdef NSSDEBUG
+  if( ((const NSSUTF8 *)NULL == a) ||
+      ((const NSSUTF8 *)NULL == b) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  c = (PRUint8 *)a;
+  d = (PRUint8 *)b;
+
+  while( ' ' == *c ) {
+    c++;
+  }
+
+  while( ' ' == *d ) {
+    d++;
+  }
+
+  while( ('\0' != *c) && ('\0' != *d) ) {
+    PRUint8 e, f;
+
+    e = *c;
+    f = *d;
+    
+    if( ('a' <= e) && (e <= 'z') ) {
+      e -= ('a' - 'A');
+    }
+
+    if( ('a' <= f) && (f <= 'z') ) {
+      f -= ('a' - 'A');
+    }
+
+    if( e != f ) {
+      return PR_FALSE;
+    }
+
+    c++;
+    d++;
+
+    if( ' ' == *c ) {
+      while( ' ' == *c ) {
+        c++;
+      }
+      c--;
+    }
+
+    if( ' ' == *d ) {
+      while( ' ' == *d ) {
+        d++;
+      }
+      d--;
+    }
+  }
+
+  while( ' ' == *c ) {
+    c++;
+  }
+
+  while( ' ' == *d ) {
+    d++;
+  }
+
+  if( *c == *d ) {
+    /* And both '\0', btw */
+    return PR_TRUE;
+  } else {
+    return PR_FALSE;
+  }
+}
+
+/*
+ * nssUTF8_Duplicate
+ *
+ * This routine duplicates the UTF8-encoded string pointed to by the
+ * specified NSSUTF8 pointer.  If the optional arenaOpt argument is
+ * not null, the memory required will be obtained from that arena;
+ * otherwise, the memory required will be obtained from the heap.
+ * A pointer to the new string will be returned.  In case of error,
+ * an error will be placed on the error stack and NULL will be 
+ * returned.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssUTF8_Duplicate
+(
+  const NSSUTF8 *s,
+  NSSArena *arenaOpt
+)
+{
+  NSSUTF8 *rv;
+  PRUint32 len;
+
+#ifdef NSSDEBUG
+  if( (const NSSUTF8 *)NULL == s ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  len = PL_strlen((const char *)s);
+#ifdef PEDANTIC
+  if( '\0' != ((const char *)s)[ len ] ) {
+    /* must have wrapped, e.g., too big for PRUint32 */
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* PEDANTIC */
+  len++; /* zero termination */
+
+  rv = nss_ZAlloc(arenaOpt, len);
+  if( (void *)NULL == rv ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  (void)nsslibc_memcpy(rv, s, len);
+  return rv;
+}
+
+/*
+ * nssUTF8_Size
+ *
+ * This routine returns the length in bytes (including the terminating
+ * null) of the UTF8-encoded string pointed to by the specified
+ * NSSUTF8 pointer.  Zero is returned on error.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_VALUE_TOO_LARGE
+ *
+ * Return value:
+ *  0 on error
+ *  nonzero length of the string.
+ */
+
+NSS_IMPLEMENT PRUint32
+nssUTF8_Size
+(
+  const NSSUTF8 *s,
+  PRStatus *statusOpt
+)
+{
+  PRUint32 sv;
+
+#ifdef NSSDEBUG
+  if( (const NSSUTF8 *)NULL == s ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return 0;
+  }
+#endif /* NSSDEBUG */
+
+  sv = PL_strlen((const char *)s) + 1;
+#ifdef PEDANTIC
+  if( '\0' != ((const char *)s)[ sv-1 ] ) {
+    /* wrapped */
+    nss_SetError(NSS_ERROR_VALUE_TOO_LARGE);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return 0;
+  }
+#endif /* PEDANTIC */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  return sv;
+}
+
+/*
+ * nssUTF8_Length
+ *
+ * This routine returns the length in characters (not including the
+ * terminating null) of the UTF8-encoded string pointed to by the
+ * specified NSSUTF8 pointer.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_VALUE_TOO_LARGE
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  length of the string (which may be zero)
+ *  0 on error
+ */
+
+NSS_IMPLEMENT PRUint32
+nssUTF8_Length
+(
+  const NSSUTF8 *s,
+  PRStatus *statusOpt
+)
+{
+  PRUint32 l = 0;
+  const PRUint8 *c = (const PRUint8 *)s;
+
+#ifdef NSSDEBUG
+  if( (const NSSUTF8 *)NULL == s ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    goto loser;
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * From RFC 2044:
+   *
+   * UCS-4 range (hex.)           UTF-8 octet sequence (binary)
+   * 0000 0000-0000 007F   0xxxxxxx
+   * 0000 0080-0000 07FF   110xxxxx 10xxxxxx
+   * 0000 0800-0000 FFFF   1110xxxx 10xxxxxx 10xxxxxx
+   * 0001 0000-001F FFFF   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
+   * 0020 0000-03FF FFFF   111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
+   * 0400 0000-7FFF FFFF   1111110x 10xxxxxx ... 10xxxxxx
+   */  
+
+  while( 0 != *c ) {
+    PRUint32 incr;
+    if( (*c & 0x80) == 0 ) {
+      incr = 1;
+    } else if( (*c & 0xE0) == 0xC0 ) {
+      incr = 2;
+    } else if( (*c & 0xF0) == 0xE0 ) {
+      incr = 3;
+    } else if( (*c & 0xF8) == 0xF0 ) {
+      incr = 4;
+    } else if( (*c & 0xFC) == 0xF8 ) {
+      incr = 5;
+    } else if( (*c & 0xFE) == 0xFC ) {
+      incr = 6;
+    } else {
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      goto loser;
+    }
+
+    l += incr;
+
+#ifdef PEDANTIC
+    if( l < incr ) {
+      /* Wrapped-- too big */
+      nss_SetError(NSS_ERROR_VALUE_TOO_LARGE);
+      goto loser;
+    }
+
+    {
+      PRUint8 *d;
+      for( d = &c[1]; d < &c[incr]; d++ ) {
+        if( (*d & 0xC0) != 0xF0 ) {
+          nss_SetError(NSS_ERROR_INVALID_STRING);
+          goto loser;
+        }
+      }
+    }
+#endif /* PEDANTIC */
+
+    c += incr;
+  }
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  return l;
+
+ loser:
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_FAILURE;
+  }
+
+  return 0;
+}
+
+
+/*
+ * nssUTF8_Create
+ *
+ * This routine creates a UTF8 string from a string in some other
+ * format.  Some types of string may include embedded null characters,
+ * so for them the length parameter must be used.  For string types
+ * that are null-terminated, the length parameter is optional; if it
+ * is zero, it will be ignored.  If the optional arena argument is
+ * non-null, the memory used for the new string will be obtained from
+ * that arena, otherwise it will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_UNSUPPORTED_TYPE
+ *
+ * Return value:
+ *  NULL upon error
+ *  A non-null pointer to a new UTF8 string otherwise
+ */
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR; /* XXX fgmr */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssUTF8_Create
+(
+  NSSArena *arenaOpt,
+  nssStringType type,
+  const void *inputString,
+  PRUint32 size /* in bytes, not characters */
+)
+{
+  NSSUTF8 *rv = NULL;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+
+  if( (const void *)NULL == inputString ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  switch( type ) {
+  case nssStringType_DirectoryString:
+    /* This is a composite type requiring BER */
+    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
+    break;
+  case nssStringType_TeletexString:
+    /*
+     * draft-ietf-pkix-ipki-part1-11 says in part:
+     *
+     * In addition, many legacy implementations support names encoded 
+     * in the ISO 8859-1 character set (Latin1String) but tag them as 
+     * TeletexString.  The Latin1String includes characters used in 
+     * Western European countries which are not part of the 
+     * TeletexString charcter set.  Implementations that process 
+     * TeletexString SHOULD be prepared to handle the entire ISO 
+     * 8859-1 character set.[ISO 8859-1].
+     */
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_PrintableString:
+    /*
+     * PrintableString consists of A-Za-z0-9 ,()+,-./:=?
+     * This is a subset of ASCII, which is a subset of UTF8.
+     * So we can just duplicate the string over.
+     */
+
+    if( 0 == size ) {
+      rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
+    } else {
+      rv = nss_ZAlloc(arenaOpt, size+1);
+      if( (NSSUTF8 *)NULL == rv ) {
+        return (NSSUTF8 *)NULL;
+      }
+
+      (void)nsslibc_memcpy(rv, inputString, size);
+    }
+
+    break;
+  case nssStringType_UniversalString:
+    /* 4-byte unicode */
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_BMPString:
+    /* Base Multilingual Plane of Unicode */
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_UTF8String:
+    if( 0 == size ) {
+      rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
+    } else {
+      rv = nss_ZAlloc(arenaOpt, size+1);
+      if( (NSSUTF8 *)NULL == rv ) {
+        return (NSSUTF8 *)NULL;
+      }
+
+      (void)nsslibc_memcpy(rv, inputString, size);
+    }
+
+    break;
+  case nssStringType_PHGString:
+    /* 
+     * PHGString is an IA5String (with case-insensitive comparisons).
+     * IA5 is ~almost~ ascii; ascii has dollar-sign where IA5 has
+     * currency symbol.
+     */
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_GeneralString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  default:
+    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
+    break;
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT NSSItem *
+nssUTF8_GetEncoding
+(
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt,
+  nssStringType type,
+  NSSUTF8 *string
+)
+{
+  NSSItem *rv = (NSSItem *)NULL;
+  PRStatus status = PR_SUCCESS;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSItem *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == string ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSItem *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  switch( type ) {
+  case nssStringType_DirectoryString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_TeletexString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_PrintableString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_UniversalString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_BMPString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_UTF8String:
+    {
+      NSSUTF8 *dup = nssUTF8_Duplicate(string, arenaOpt);
+      if( (NSSUTF8 *)NULL == dup ) {
+        return (NSSItem *)NULL;
+      }
+
+      if( (NSSItem *)NULL == rvOpt ) {
+        rv = nss_ZNEW(arenaOpt, NSSItem);
+        if( (NSSItem *)NULL == rv ) {
+          (void)nss_ZFreeIf(dup);
+          return (NSSItem *)NULL;
+        }
+      } else {
+        rv = rvOpt;
+      }
+
+      rv->data = dup;
+      dup = (NSSUTF8 *)NULL;
+      rv->size = nssUTF8_Size(rv->data, &status);
+      if( (0 == rv->size) && (PR_SUCCESS != status) ) {
+        if( (NSSItem *)NULL == rvOpt ) {
+          (void)nss_ZFreeIf(rv);
+        }
+        return (NSSItem *)NULL;
+      }
+    }
+    break;
+  case nssStringType_PHGString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  default:
+    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
+    break;
+  }
+
+  return rv;
+}
+
+/*
+ * nssUTF8_CopyIntoFixedBuffer
+ *
+ * This will copy a UTF8 string into a fixed-length buffer, making 
+ * sure that the all characters are valid.  Any remaining space will
+ * be padded with the specified ASCII character, typically either 
+ * null or space.
+ *
+ * Blah, blah, blah.
+ */
+
+NSS_IMPLEMENT PRStatus
+nssUTF8_CopyIntoFixedBuffer
+(
+  NSSUTF8 *string,
+  char *buffer,
+  PRUint32 bufferSize,
+  char pad
+)
+{
+  PRUint32 stringSize = 0;
+
+#ifdef NSSDEBUG
+  if( (char *)NULL == buffer ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FALSE;
+  }
+
+  if( 0 == bufferSize ) {
+    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+    return PR_FALSE;
+  }
+
+  if( (pad & 0x80) != 0x00 ) {
+    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSUTF8 *)NULL == string ) {
+    string = (NSSUTF8 *) "";
+  }
+
+  stringSize = nssUTF8_Size(string, (PRStatus *)NULL);
+  stringSize--; /* don't count the trailing null */
+  if( stringSize > bufferSize ) {
+    PRUint32 bs = bufferSize;
+    (void)nsslibc_memcpy(buffer, string, bufferSize);
+    
+    if( (            ((buffer[ bs-1 ] & 0x80) == 0x00)) ||
+        ((bs > 1) && ((buffer[ bs-2 ] & 0xE0) == 0xC0)) ||
+        ((bs > 2) && ((buffer[ bs-3 ] & 0xF0) == 0xE0)) ||
+        ((bs > 3) && ((buffer[ bs-4 ] & 0xF8) == 0xF0)) ||
+        ((bs > 4) && ((buffer[ bs-5 ] & 0xFC) == 0xF8)) ||
+        ((bs > 5) && ((buffer[ bs-6 ] & 0xFE) == 0xFC)) ) {
+      /* It fit exactly */
+      return PR_SUCCESS;
+    }
+
+    /* Too long.  We have to trim the last character */
+    for( /*bs*/; bs != 0; bs-- ) {
+      if( (buffer[bs-1] & 0xC0) != 0x80 ) {
+        buffer[bs-1] = pad;
+        break;
+      } else {
+        buffer[bs-1] = pad;
+      }
+    }      
+  } else {
+    (void)nsslibc_memset(buffer, pad, bufferSize);
+    (void)nsslibc_memcpy(buffer, string, stringSize);
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssUTF8_Equal
+ *
+ */
+
+NSS_IMPLEMENT PRBool
+nssUTF8_Equal
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+)
+{
+  PRUint32 la, lb;
+
+#ifdef NSSDEBUG
+  if( ((const NSSUTF8 *)NULL == a) ||
+      ((const NSSUTF8 *)NULL == b) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  la = nssUTF8_Size(a, statusOpt);
+  if( 0 == la ) {
+    return PR_FALSE;
+  }
+
+  lb = nssUTF8_Size(b, statusOpt);
+  if( 0 == lb ) {
+    return PR_FALSE;
+  }
+
+  if( la != lb ) {
+    return PR_FALSE;
+  }
+
+  return nsslibc_memequal(a, b, la, statusOpt);
+}

mozilla/security/nss/lib/base/whatnspr.c

@@ -0,0 +1,171 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: whatnspr.c,v $ $Revision: 1.2 $ $Date: 2002-01-31 19:18:55 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * This file isolates us from differences in NSPR versions.
+ * We have to detect the library with which we're running at
+ * runtime, and switch behaviours there.  This lets us do
+ * stuff like load cryptoki modules in Communicator.
+ *
+ * Hey, it's the PORT layer all over again!
+ */
+
+static int whatnspr = 0;
+
+static int
+set_whatnspr
+(
+  void
+)
+{
+  /*
+   * The only runtime difference I could find was the
+   * return value of PR_dtoa.  We can't just look for
+   * a symbol in NSPR >=2, because it'll always be
+   * found (because we compile against NSPR >=2).
+   * Maybe we could look for a symbol merely in NSPR 1?
+   *
+   */
+
+  char buffer[64];
+  int decpt = 0, sign = 0;
+  char *rve = (char *)0;
+  /* extern int PR_dtoa(double, int, int, int *, int *, char **, char *, int); */
+  int r = (int)PR_dtoa((double)1.0, 0, 5, &decpt, &sign, &rve, 
+                       buffer, sizeof(buffer));
+
+  switch( r ) {
+  case 0:
+  case -1:
+    whatnspr = 2;
+    /*
+     * If we needed to, *now* we could look up "libVersionPoint"
+     * and get more data there.. except all current NSPR's (up
+     * to NSPR 4.x at time of writing) still say 2 in their
+     * version structure.
+     */
+    break;
+  default:
+    whatnspr = 1;
+    break;
+  }
+
+  return whatnspr;
+}
+
+#define WHATNSPR (whatnspr ? whatnspr : set_whatnspr())
+
+NSS_IMPLEMENT PRStatus
+nss_NewThreadPrivateIndex
+(
+  PRUintn *ip,
+  PRThreadPrivateDTOR dtor
+)
+{
+  switch( WHATNSPR ) {
+  case 1:
+    {
+      PRLibrary *l = (PRLibrary *)0;
+      void *f = PR_FindSymbolAndLibrary("PR_NewThreadPrivateID", &l);
+      typedef PRInt32 (*ntpt)(void);
+      ntpt ntp = (ntpt) f;
+
+      PR_ASSERT((void *)0 != f);
+
+      *ip = ntp();
+      return PR_SUCCESS;
+    }
+  case 2:
+  default:
+    return PR_NewThreadPrivateIndex(ip, dtor);
+  }
+}
+
+NSS_IMPLEMENT void *
+nss_GetThreadPrivate
+(
+  PRUintn i
+)
+{
+  switch( WHATNSPR ) {
+  case 1:
+    {
+      PRLibrary *l = (PRLibrary *)0;
+      void *f = PR_FindSymbolAndLibrary("PR_GetThreadPrivate", &l);
+      typedef void *(*gtpt)(PRThread *, PRInt32);
+      gtpt gtp = (gtpt) f;
+
+      PR_ASSERT((void *)0 != f);
+
+      return gtp(PR_CurrentThread(), i);
+    }
+  case 2:
+  default:
+    return PR_GetThreadPrivate(i);
+  }
+}
+
+NSS_IMPLEMENT void
+nss_SetThreadPrivate
+(
+  PRUintn i,
+  void *v
+)
+{
+  switch( WHATNSPR ) {
+  case 1:
+    {
+      PRLibrary *l = (PRLibrary *)0;
+      void *f = PR_FindSymbolAndLibrary("PR_SetThreadPrivate", &l);
+      typedef PRStatus (*stpt)(PRThread *, PRInt32, void *);
+      stpt stp = (stpt) f;
+
+      PR_ASSERT((void *)0 != f);
+
+      (void)stp(PR_CurrentThread(), i, v);
+      return;
+    }
+  case 2:
+  default:
+    (void)PR_SetThreadPrivate(i, v);
+    return;
+  }
+}

mozilla/security/nss/lib/certdb/Makefile

@@ -0,0 +1,76 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+

mozilla/security/nss/lib/certdb/alg1485.c

@@ -0,0 +1,969 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "cert.h"
+#include "xconst.h"
+#include "genname.h"
+#include "secitem.h"
+#include "secerr.h"
+
+struct NameToKind {
+    char *name;
+    SECOidTag kind;
+};
+
+static struct NameToKind name2kinds[] = {
+    { "CN",   		SEC_OID_AVA_COMMON_NAME, 		},
+    { "ST",   		SEC_OID_AVA_STATE_OR_PROVINCE, 		},
+    { "OU",   		SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,	},
+    { "DC",   		SEC_OID_AVA_DC,	},
+    { "C",    		SEC_OID_AVA_COUNTRY_NAME, 		},
+    { "O",    		SEC_OID_AVA_ORGANIZATION_NAME, 		},
+    { "L",    		SEC_OID_AVA_LOCALITY, 			},
+    { "dnQualifier",	SEC_OID_AVA_DN_QUALIFIER, 		},
+    { "E",    		SEC_OID_PKCS9_EMAIL_ADDRESS, 		},
+    { "UID",  		SEC_OID_RFC1274_UID, 			},
+    { "MAIL", 		SEC_OID_RFC1274_MAIL, 			},
+    { 0,      		SEC_OID_UNKNOWN 			},
+};
+
+#define C_DOUBLE_QUOTE '\042'
+
+#define C_BACKSLASH '\134'
+
+#define C_EQUAL '='
+
+#define OPTIONAL_SPACE(c) \
+    (((c) == ' ') || ((c) == '\r') || ((c) == '\n'))
+
+#define SPECIAL_CHAR(c)						\
+    (((c) == ',') || ((c) == '=') || ((c) == C_DOUBLE_QUOTE) ||	\
+     ((c) == '\r') || ((c) == '\n') || ((c) == '+') ||		\
+     ((c) == '<') || ((c) == '>') || ((c) == '#') ||		\
+     ((c) == ';') || ((c) == C_BACKSLASH))
+
+
+
+
+
+
+
+#if 0
+/*
+** Find the start and end of a <string>. Strings can be wrapped in double
+** quotes to protect special characters.
+*/
+static int BracketThing(char **startp, char *end, char *result)
+{
+    char *start = *startp;
+    char c;
+
+    /* Skip leading white space */
+    while (start < end) {
+	c = *start++;
+	if (!OPTIONAL_SPACE(c)) {
+	    start--;
+	    break;
+	}
+    }
+    if (start == end) return 0;
+
+    switch (*start) {
+      case '#':
+	/* Process hex thing */
+	start++;
+	*startp = start;
+	while (start < end) {
+	    c = *start++;
+	    if (((c >= '0') && (c <= '9')) ||
+		((c >= 'a') && (c <= 'f')) ||
+		((c >= 'A') && (c <= 'F'))) {
+		continue;
+	    }
+	    break;
+	}
+	rv = IS_HEX;
+	break;
+
+      case C_DOUBLE_QUOTE:
+	start++;
+	*startp = start;
+	while (start < end) {
+	    c = *start++;
+	    if (c == C_DOUBLE_QUOTE) {
+		break;
+	    }
+	    *result++ = c;
+	}
+	rv = IS_STRING;
+	break;
+
+      default:
+	while (start < end) {
+	    c = *start++;
+	    if (SPECIAL_CHAR(c)) {
+		start--;
+		break;
+	    }
+	    *result++ = c;
+	}
+	rv = IS_STRING;
+	break;
+    }
+
+    /* Terminate result string */
+    *result = 0;
+    return start;
+}
+
+static char *BracketSomething(char **startp, char* end, int spacesOK)
+{
+    char *start = *startp;
+    char c;
+    int stopAtDQ;
+
+    /* Skip leading white space */
+    while (start < end) {
+	c = *start;
+	if (!OPTIONAL_SPACE(c)) {
+	    break;
+	}
+	start++;
+    }
+    if (start == end) return 0;
+    stopAtDQ = 0;
+    if (*start == C_DOUBLE_QUOTE) {
+	stopAtDQ = 1;
+    }
+
+    /*
+    ** Find the end of the something. The something is terminated most of
+    ** the time by a space. However, if spacesOK is true then it is
+    ** terminated by a special character only.
+    */
+    *startp = start;
+    while (start < end) {
+	c = *start;
+	if (stopAtDQ) {
+	    if (c == C_DOUBLE_QUOTE) {
+		*start = ' ';
+		break;
+	    }
+	} else {
+	if (SPECIAL_CHAR(c)) {
+	    break;
+	}
+	if (!spacesOK && OPTIONAL_SPACE(c)) {
+	    break;
+	}
+	}
+	start++;
+    }
+    return start;
+}
+#endif
+
+#define IS_PRINTABLE(c)						\
+    ((((c) >= 'a') && ((c) <= 'z')) ||				\
+     (((c) >= 'A') && ((c) <= 'Z')) ||				\
+     (((c) >= '0') && ((c) <= '9')) ||				\
+     ((c) == ' ') ||						\
+     ((c) == '\'') ||						\
+     ((c) == '\050') ||				/* ( */		\
+     ((c) == '\051') ||				/* ) */		\
+     (((c) >= '+') && ((c) <= '/')) ||		/* + , - . / */	\
+     ((c) == ':') ||						\
+     ((c) == '=') ||						\
+     ((c) == '?'))
+
+static PRBool
+IsPrintable(unsigned char *data, unsigned len)
+{
+    unsigned char ch, *end;
+
+    end = data + len;
+    while (data < end) {
+	ch = *data++;
+	if (!IS_PRINTABLE(ch)) {
+	    return PR_FALSE;
+	}
+    }
+    return PR_TRUE;
+}
+
+static PRBool
+Is7Bit(unsigned char *data, unsigned len)
+{
+    unsigned char ch, *end;
+
+    end = data + len;
+    while (data < end) {
+        ch = *data++;
+        if ((ch & 0x80)) {
+            return PR_FALSE;
+        }
+    }
+    return PR_TRUE;
+}
+
+static void
+skipSpace(char **pbp, char *endptr)
+{
+    char *bp = *pbp;
+    while (bp < endptr && OPTIONAL_SPACE(*bp)) {
+	bp++;
+    }
+    *pbp = bp;
+}
+
+static SECStatus
+scanTag(char **pbp, char *endptr, char *tagBuf, int tagBufSize)
+{
+    char *bp, *tagBufp;
+    int taglen;
+
+    PORT_Assert(tagBufSize > 0);
+    
+    /* skip optional leading space */
+    skipSpace(pbp, endptr);
+    if (*pbp == endptr) {
+	/* nothing left */
+	return SECFailure;
+    }
+    
+    /* fill tagBuf */
+    taglen = 0;
+    bp = *pbp;
+    tagBufp = tagBuf;
+    while (bp < endptr && !OPTIONAL_SPACE(*bp) && (*bp != C_EQUAL)) {
+	if (++taglen >= tagBufSize) {
+	    *pbp = bp;
+	    return SECFailure;
+	}
+	*tagBufp++ = *bp++;
+    }
+    /* null-terminate tagBuf -- guaranteed at least one space left */
+    *tagBufp++ = 0;
+    *pbp = bp;
+    
+    /* skip trailing spaces till we hit something - should be an equal sign */
+    skipSpace(pbp, endptr);
+    if (*pbp == endptr) {
+	/* nothing left */
+	return SECFailure;
+    }
+    if (**pbp != C_EQUAL) {
+	/* should be an equal sign */
+	return SECFailure;
+    }
+    /* skip over the equal sign */
+    (*pbp)++;
+    
+    return SECSuccess;
+}
+
+static SECStatus
+scanVal(char **pbp, char *endptr, char *valBuf, int valBufSize)  
+{
+    char *bp, *valBufp;
+    int vallen;
+    PRBool isQuoted;
+    
+    PORT_Assert(valBufSize > 0);
+    
+    /* skip optional leading space */
+    skipSpace(pbp, endptr);
+    if(*pbp == endptr) {
+	/* nothing left */
+	return SECFailure;
+    }
+    
+    bp = *pbp;
+    
+    /* quoted? */
+    if (*bp == C_DOUBLE_QUOTE) {
+	isQuoted = PR_TRUE;
+	/* skip over it */
+	bp++;
+    } else {
+	isQuoted = PR_FALSE;
+    }
+    
+    valBufp = valBuf;
+    vallen = 0;
+    while (bp < endptr) {
+	char c = *bp;
+	if (c == C_BACKSLASH) {
+	    /* escape character */
+	    bp++;
+	    if (bp >= endptr) {
+		/* escape charater must appear with paired char */
+		*pbp = bp;
+		return SECFailure;
+	    }
+	} else if (!isQuoted && SPECIAL_CHAR(c)) {
+	    /* unescaped special and not within quoted value */
+	    break;
+	} else if (c == C_DOUBLE_QUOTE) {
+	    /* reached unescaped double quote */
+	    break;
+	}
+	/* append character */
+        vallen++;
+	if (vallen >= valBufSize) {
+	    *pbp = bp;
+	    return SECFailure;
+	}
+	*valBufp++ = *bp++;
+    }
+    
+    /* stip trailing spaces from unquoted values */
+    if (!isQuoted) {
+	if (valBufp > valBuf) {
+	    valBufp--;
+	    while ((valBufp > valBuf) && OPTIONAL_SPACE(*valBufp)) {
+		valBufp--;
+	    }
+	    valBufp++;
+	}
+    }
+    
+    if (isQuoted) {
+	/* insist that we stopped on a double quote */
+	if (*bp != C_DOUBLE_QUOTE) {
+	    *pbp = bp;
+	    return SECFailure;
+	}
+	/* skip over the quote and skip optional space */
+	bp++;
+	skipSpace(&bp, endptr);
+    }
+    
+    *pbp = bp;
+    
+    if (valBufp == valBuf) {
+	/* empty value -- not allowed */
+	return SECFailure;
+    }
+    
+    /* null-terminate valBuf -- guaranteed at least one space left */
+    *valBufp++ = 0;
+    
+    return SECSuccess;
+}
+
+CERTAVA *
+CERT_ParseRFC1485AVA(PRArenaPool *arena, char **pbp, char *endptr,
+		    PRBool singleAVA) 
+{
+    CERTAVA *a;
+    struct NameToKind *n2k;
+    int vt;
+    int valLen;
+    char *bp;
+
+    char tagBuf[32];
+    char valBuf[384];
+
+    if (scanTag(pbp, endptr, tagBuf, sizeof(tagBuf)) == SECFailure ||
+	scanVal(pbp, endptr, valBuf, sizeof(valBuf)) == SECFailure) {
+	PORT_SetError(SEC_ERROR_INVALID_AVA);
+	return 0;
+    }
+
+    /* insist that if we haven't finished we've stopped on a separator */
+    bp = *pbp;
+    if (bp < endptr) {
+	if (singleAVA || (*bp != ',' && *bp != ';')) {
+	    PORT_SetError(SEC_ERROR_INVALID_AVA);
+	    *pbp = bp;
+	    return 0;
+	}
+	/* ok, skip over separator */
+	bp++;
+    }
+    *pbp = bp;
+
+    for (n2k = name2kinds; n2k->name; n2k++) {
+	if (PORT_Strcasecmp(n2k->name, tagBuf) == 0) {
+	    valLen = PORT_Strlen(valBuf);
+	    if (n2k->kind == SEC_OID_AVA_COUNTRY_NAME) {
+		vt = SEC_ASN1_PRINTABLE_STRING;
+		if (valLen != 2) {
+		    PORT_SetError(SEC_ERROR_INVALID_AVA);
+		    return 0;
+		}
+		if (!IsPrintable((unsigned char*) valBuf, 2)) {
+		    PORT_SetError(SEC_ERROR_INVALID_AVA);
+		    return 0;
+		}
+	    } else if ((n2k->kind == SEC_OID_PKCS9_EMAIL_ADDRESS) ||
+		       (n2k->kind == SEC_OID_RFC1274_MAIL)) {
+		vt = SEC_ASN1_IA5_STRING;
+	    } else {
+		/* Hack -- for rationale see X.520 DirectoryString defn */
+		if (IsPrintable((unsigned char*)valBuf, valLen)) {
+		    vt = SEC_ASN1_PRINTABLE_STRING;
+                } else if (Is7Bit((unsigned char *)valBuf, valLen)) {
+                    vt = SEC_ASN1_T61_STRING;
+		} else {
+		    vt = SEC_ASN1_UNIVERSAL_STRING;
+		}
+	    }
+	    a = CERT_CreateAVA(arena, n2k->kind, vt, (char *) valBuf);
+	    return a;
+	}
+    }
+    /* matched no kind -- invalid tag */
+    PORT_SetError(SEC_ERROR_INVALID_AVA);
+    return 0;
+}
+
+static CERTName *
+ParseRFC1485Name(char *buf, int len)
+{
+    SECStatus rv;
+    CERTName *name;
+    char *bp, *e;
+    CERTAVA *ava;
+    CERTRDN *rdn;
+
+    name = CERT_CreateName(NULL);
+    if (name == NULL) {
+	return NULL;
+    }
+    
+    e = buf + len;
+    bp = buf;
+    while (bp < e) {
+	ava = CERT_ParseRFC1485AVA(name->arena, &bp, e, PR_FALSE);
+	if (ava == 0) goto loser;
+	rdn = CERT_CreateRDN(name->arena, ava, 0);
+	if (rdn == 0) goto loser;
+	rv = CERT_AddRDN(name, rdn);
+	if (rv) goto loser;
+	skipSpace(&bp, e);
+    }
+
+    if (name->rdns[0] == 0) {
+	/* empty name -- illegal */
+	goto loser;
+    }
+
+    /* Reverse order of RDNS to comply with RFC */
+    {
+	CERTRDN **firstRdn;
+	CERTRDN **lastRdn;
+	CERTRDN *tmp;
+	
+	/* get first one */
+	firstRdn = name->rdns;
+	
+	/* find last one */
+	lastRdn = name->rdns;
+	while (*lastRdn) lastRdn++;
+	lastRdn--;
+	
+	/* reverse list */
+	for ( ; firstRdn < lastRdn; firstRdn++, lastRdn--) {
+	    tmp = *firstRdn;
+	    *firstRdn = *lastRdn;
+	    *lastRdn = tmp;
+	}
+    }
+    
+    /* return result */
+    return name;
+    
+  loser:
+    CERT_DestroyName(name);
+    return NULL;
+}
+
+CERTName *
+CERT_AsciiToName(char *string)
+{
+    CERTName *name;
+    name = ParseRFC1485Name(string, PORT_Strlen(string));
+    return name;
+}
+
+/************************************************************************/
+
+static SECStatus
+AppendStr(char **bufp, unsigned *buflenp, char *str)
+{
+    char *buf;
+    unsigned bufLen, bufSize, len;
+
+    /* Figure out how much to grow buf by (add in the '\0') */
+    buf = *bufp;
+    bufLen = *buflenp;
+    len = PORT_Strlen(str);
+    bufSize = bufLen + len;
+    if (buf) {
+	buf = (char*) PORT_Realloc(buf, bufSize);
+    } else {
+	bufSize++;
+	buf = (char*) PORT_Alloc(bufSize);
+    }
+    if (!buf) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    *bufp = buf;
+    *buflenp = bufSize;
+
+    /* Concatenate str onto buf */
+    buf = buf + bufLen;
+    if (bufLen) buf--;			/* stomp on old '\0' */
+    PORT_Memcpy(buf, str, len+1);		/* put in new null */
+    return SECSuccess;
+}
+
+SECStatus
+CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src, int srclen)
+{
+    int i, reqLen=0;
+    char *d = dst;
+    PRBool needsQuoting = PR_FALSE;
+    
+    /* need to make an initial pass to determine if quoting is needed */
+    for (i = 0; i < srclen; i++) {
+	char c = src[i];
+	reqLen++;
+	if (SPECIAL_CHAR(c)) {
+	    /* entirety will need quoting */
+	    needsQuoting = PR_TRUE;
+	}
+	if (c == C_DOUBLE_QUOTE || c == C_BACKSLASH) {
+	    /* this char will need escaping */
+	    reqLen++;
+	}
+    }
+    /* if it begins or ends in optional space it needs quoting */
+    if (srclen > 0 &&
+	(OPTIONAL_SPACE(src[srclen-1]) || OPTIONAL_SPACE(src[0]))) {
+	needsQuoting = PR_TRUE;
+    }
+    
+    if (needsQuoting) reqLen += 2;
+
+    /* space for terminal null */
+    reqLen++;
+    
+    if (reqLen > dstlen) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return SECFailure;
+    }
+    
+    d = dst;
+    if (needsQuoting) *d++ = C_DOUBLE_QUOTE;
+    for (i = 0; i < srclen; i++) {
+	char c = src[i];
+	if (c == C_DOUBLE_QUOTE || c == C_BACKSLASH) {
+	    /* escape it */
+	    *d++ = C_BACKSLASH;
+	}
+	*d++ = c;
+    }
+    if (needsQuoting) *d++ = C_DOUBLE_QUOTE;
+    *d++ = 0;
+    return SECSuccess;
+}
+
+static SECStatus
+AppendAVA(char **bufp, unsigned *buflenp, CERTAVA *ava)
+{
+    char *tagName;
+    char tmpBuf[384];
+    unsigned len, maxLen;
+    int tag;
+    SECStatus rv;
+    SECItem *avaValue = NULL;
+
+    tag = CERT_GetAVATag(ava);
+    switch (tag) {
+      case SEC_OID_AVA_COUNTRY_NAME:
+	tagName = "C";
+	maxLen = 2;
+	break;
+      case SEC_OID_AVA_ORGANIZATION_NAME:
+	tagName = "O";
+	maxLen = 64;
+	break;
+      case SEC_OID_AVA_COMMON_NAME:
+	tagName = "CN";
+	maxLen = 64;
+	break;
+      case SEC_OID_AVA_LOCALITY:
+	tagName = "L";
+	maxLen = 128;
+	break;
+      case SEC_OID_AVA_STATE_OR_PROVINCE:
+	tagName = "ST";
+	maxLen = 128;
+	break;
+      case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
+	tagName = "OU";
+	maxLen = 64;
+	break;
+      case SEC_OID_AVA_DC:
+	tagName = "DC";
+	maxLen = 128;
+	break;
+      case SEC_OID_AVA_DN_QUALIFIER:
+	tagName = "dnQualifier";
+	maxLen = 0x7fff;
+	break;
+      case SEC_OID_PKCS9_EMAIL_ADDRESS:
+	tagName = "E";
+	maxLen = 128;
+	break;
+      case SEC_OID_RFC1274_UID:
+	tagName = "UID";
+	maxLen = 256;
+	break;
+      case SEC_OID_RFC1274_MAIL:
+	tagName = "MAIL";
+	maxLen = 256;
+	break;
+      default:
+#if 0
+	PORT_SetError(SEC_ERROR_INVALID_AVA);
+	return SECFailure;
+#else
+	rv = AppendStr(bufp, buflenp, "ERR=Unknown AVA");
+	return rv;
+#endif
+    }
+
+    avaValue = CERT_DecodeAVAValue(&ava->value);
+    if(!avaValue) {
+	return SECFailure;
+    }
+
+    /* Check value length */
+    if (avaValue->len > maxLen) {
+	PORT_SetError(SEC_ERROR_INVALID_AVA);
+	return SECFailure;
+    }
+
+    len = PORT_Strlen(tagName);
+    PORT_Memcpy(tmpBuf, tagName, len);
+    tmpBuf[len++] = '=';
+    
+    /* escape and quote as necessary */
+    rv = CERT_RFC1485_EscapeAndQuote(tmpBuf+len, sizeof(tmpBuf)-len, 
+		    		     (char *)avaValue->data, avaValue->len);
+    SECITEM_FreeItem(avaValue, PR_TRUE);
+    if (rv) return SECFailure;
+    
+    rv = AppendStr(bufp, buflenp, tmpBuf);
+    return rv;
+}
+
+char *
+CERT_NameToAscii(CERTName *name)
+{
+    SECStatus rv;
+    CERTRDN** rdns;
+    CERTRDN** lastRdn;
+    CERTRDN** rdn;
+    CERTAVA** avas;
+    CERTAVA* ava;
+    PRBool first = PR_TRUE;
+    char *buf = NULL;
+    unsigned buflen = 0;
+    
+    rdns = name->rdns;
+    if (rdns == NULL) {
+	return NULL;
+    }
+    
+    /* find last RDN */
+    lastRdn = rdns;
+    while (*lastRdn) lastRdn++;
+    lastRdn--;
+    
+    /*
+     * Loop over name contents in _reverse_ RDN order appending to string
+     */
+    for (rdn = lastRdn; rdn >= rdns; rdn--) {
+	avas = (*rdn)->avas;
+	while ((ava = *avas++) != NULL) {
+	    /* Put in comma separator */
+	    if (!first) {
+		rv = AppendStr(&buf, &buflen, ", ");
+		if (rv) goto loser;
+	    } else {
+		first = PR_FALSE;
+	    }
+	    
+	    /* Add in tag type plus value into buf */
+	    rv = AppendAVA(&buf, &buflen, ava);
+	    if (rv) goto loser;
+	}
+    }
+    return buf;
+  loser:
+    PORT_Free(buf);
+    return NULL;
+}
+
+/*
+ * Return the string representation of a DER encoded distinguished name
+ * "dername" - The DER encoded name to convert
+ */
+char *
+CERT_DerNameToAscii(SECItem *dername)
+{
+    int rv;
+    PRArenaPool *arena = NULL;
+    CERTName name;
+    char *retstr = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( arena == NULL) {
+	goto loser;
+    }
+    
+    rv = SEC_ASN1DecodeItem(arena, &name, CERT_NameTemplate, dername);
+    
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    retstr = CERT_NameToAscii(&name);
+
+loser:
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(retstr);
+}
+
+static char *
+CERT_GetNameElement(CERTName *name, int wantedTag)
+{
+    CERTRDN** rdns;
+    CERTRDN *rdn;
+    CERTAVA** avas;
+    CERTAVA* ava;
+    char *buf = 0;
+    int tag;
+    SECItem *decodeItem = NULL;
+    
+    rdns = name->rdns;
+    while ((rdn = *rdns++) != 0) {
+	avas = rdn->avas;
+	while ((ava = *avas++) != 0) {
+	    tag = CERT_GetAVATag(ava);
+	    if ( tag == wantedTag ) {
+		decodeItem = CERT_DecodeAVAValue(&ava->value);
+		if(!decodeItem) {
+		    return NULL;
+		}
+		buf = (char *)PORT_ZAlloc(decodeItem->len + 1);
+		if ( buf ) {
+		    PORT_Memcpy(buf, decodeItem->data, decodeItem->len);
+		    buf[decodeItem->len] = 0;
+		}
+		SECITEM_FreeItem(decodeItem, PR_TRUE);
+		goto done;
+	    }
+	}
+    }
+    
+  done:
+    return buf;
+}
+
+char *
+CERT_GetCertificateEmailAddress(CERTCertificate *cert)
+{
+    char *rawEmailAddr = NULL;
+    char *emailAddr = NULL;
+    SECItem subAltName;
+    SECStatus rv;
+    CERTGeneralName *nameList = NULL;
+    CERTGeneralName *current;
+    PRArenaPool *arena = NULL;
+    int i;
+    
+    subAltName.data = NULL;
+
+    rawEmailAddr = CERT_GetNameElement(&(cert->subject), SEC_OID_PKCS9_EMAIL_ADDRESS);
+    if ( rawEmailAddr == NULL ) {
+	rawEmailAddr = CERT_GetNameElement(&(cert->subject), SEC_OID_RFC1274_MAIL);
+    }
+    if ( rawEmailAddr == NULL) {
+
+	rv = CERT_FindCertExtension(cert,  SEC_OID_X509_SUBJECT_ALT_NAME, &subAltName);
+	if (rv != SECSuccess) {
+	    goto finish;
+	}
+	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if (!arena) {
+	    goto finish;
+	}
+	nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName);
+	if (!nameList ) {
+	    goto finish;
+	}
+	if (nameList != NULL) {
+	    do {
+		if (current->type == certDirectoryName) {
+		    rawEmailAddr = CERT_GetNameElement(&(current->name.directoryName), 
+						       SEC_OID_PKCS9_EMAIL_ADDRESS);
+		    if ( rawEmailAddr == NULL ) {
+			rawEmailAddr = CERT_GetNameElement(&(current->name.directoryName), 
+							   SEC_OID_RFC1274_MAIL);
+		    }
+		} else if (current->type == certRFC822Name) {
+		    rawEmailAddr = (char*)PORT_ZAlloc(current->name.other.len + 1);
+		    if (!rawEmailAddr) {
+			goto finish;
+		    }
+		    PORT_Memcpy(rawEmailAddr, current->name.other.data, 
+				current->name.other.len);
+		    rawEmailAddr[current->name.other.len] = '\0';
+		}
+		if (rawEmailAddr) {
+		    break;
+		}
+		current = cert_get_next_general_name(current);
+	    } while (current != nameList);
+	}
+    }
+    if (rawEmailAddr) {
+	emailAddr = (char*)PORT_ArenaZAlloc(cert->arena, PORT_Strlen(rawEmailAddr) + 1);
+	for (i = 0; i <= PORT_Strlen(rawEmailAddr); i++) {
+	    emailAddr[i] = tolower(rawEmailAddr[i]);
+	}
+    } else {
+	emailAddr = NULL;
+    }
+
+finish:
+    if ( rawEmailAddr ) {
+	PORT_Free(rawEmailAddr);
+    }
+
+    /* Don't free nameList, it's part of the arena. */
+
+    if (arena) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+
+    if ( subAltName.data ) {
+	SECITEM_FreeItem(&subAltName, PR_FALSE);
+    }
+
+    return(emailAddr);
+}
+
+char *
+CERT_GetCertEmailAddress(CERTName *name)
+{
+    char *rawEmailAddr;
+    char *emailAddr;
+
+    
+    rawEmailAddr = CERT_GetNameElement(name, SEC_OID_PKCS9_EMAIL_ADDRESS);
+    if ( rawEmailAddr == NULL ) {
+	rawEmailAddr = CERT_GetNameElement(name, SEC_OID_RFC1274_MAIL);
+    }
+    emailAddr = CERT_FixupEmailAddr(rawEmailAddr);
+    if ( rawEmailAddr ) {
+	PORT_Free(rawEmailAddr);
+    }
+    return(emailAddr);
+}
+
+char *
+CERT_GetCommonName(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_COMMON_NAME));
+}
+
+char *
+CERT_GetCountryName(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_COUNTRY_NAME));
+}
+
+char *
+CERT_GetLocalityName(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_LOCALITY));
+}
+
+char *
+CERT_GetStateName(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_STATE_OR_PROVINCE));
+}
+
+char *
+CERT_GetOrgName(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_ORGANIZATION_NAME));
+}
+
+char *
+CERT_GetDomainComponentName(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_DC));
+}
+
+char *
+CERT_GetOrgUnitName(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME));
+}
+
+char *
+CERT_GetDnQualifier(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_DN_QUALIFIER));
+}
+
+char *
+CERT_GetCertUid(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_RFC1274_UID));
+}
+

mozilla/security/nss/lib/certdb/certdb.h

@@ -0,0 +1,159 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _CERTDB_H_
+#define _CERTDB_H_
+
+
+/* common flags for all types of certificates */
+#define CERTDB_VALID_PEER	(1<<0)
+#define CERTDB_TRUSTED		(1<<1)
+#define CERTDB_SEND_WARN	(1<<2)
+#define CERTDB_VALID_CA		(1<<3)
+#define CERTDB_TRUSTED_CA	(1<<4) /* trusted for issuing server certs */
+#define CERTDB_NS_TRUSTED_CA	(1<<5)
+#define CERTDB_USER		(1<<6)
+#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
+#define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
+#define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
+
+
+SEC_BEGIN_PROTOS
+
+CERTSignedCrl *
+SEC_FindCrlByKey(CERTCertDBHandle *handle, SECItem *crlKey, int type);
+
+CERTSignedCrl *
+SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type);
+
+CERTSignedCrl *
+SEC_FindCrlByDERCert(CERTCertDBHandle *handle, SECItem *derCrl, int type);
+
+PRBool
+SEC_CertNicknameConflict(char *nickname, SECItem *derSubject,
+			 CERTCertDBHandle *handle);
+CERTSignedCrl *
+SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl, int type);
+
+SECStatus
+SEC_DeletePermCRL(CERTSignedCrl *crl);
+
+
+SECStatus
+SEC_LookupCrls(CERTCertDBHandle *handle, CERTCrlHeadNode **nodes, int type);
+
+SECStatus 
+SEC_DestroyCrl(CERTSignedCrl *crl);
+
+SECStatus
+CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
+		       CERTCertTrust *trust);
+
+SECStatus SEC_DeletePermCertificate(CERTCertificate *cert);
+
+PRBool
+SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old);
+
+SECCertTimeValidity
+SEC_CheckCrlTimes(CERTCrl *crl, PRTime t);
+
+#ifdef notdef
+/*
+** Add a DER encoded certificate to the permanent database.
+**	"derCert" is the DER encoded certificate.
+**	"nickname" is the nickname to use for the cert
+**	"trust" is the trust parameters for the cert
+*/
+SECStatus SEC_AddPermCertificate(PCERTCertDBHandle *handle, SECItem *derCert,
+				char *nickname, PCERTCertTrust *trust);
+
+certDBEntryCert *
+SEC_FindPermCertByKey(PCERTCertDBHandle *handle, SECItem *certKey);
+
+certDBEntryCert
+*SEC_FindPermCertByName(PCERTCertDBHandle *handle, SECItem *name);
+
+SECStatus SEC_OpenPermCertDB(PCERTCertDBHandle *handle,
+			     PRBool readOnly,
+			     PCERTDBNameFunc namecb,
+			     void *cbarg);
+
+
+typedef SECStatus (PR_CALLBACK * PermCertCallback)(PCERTCertificate *cert,
+                                                   SECItem *k, void *pdata);
+/*
+** Traverse the entire permanent database, and pass the certs off to a
+** user supplied function.
+**	"certfunc" is the user function to call for each certificate
+**	"udata" is the user's data, which is passed through to "certfunc"
+*/
+SECStatus
+PCERT_TraversePermCerts(PCERTCertDBHandle *handle,
+		      PermCertCallback certfunc,
+		      void *udata );
+
+SECStatus
+SEC_AddTempNickname(PCERTCertDBHandle *handle, char *nickname, SECItem *certKey);
+
+SECStatus
+SEC_DeleteTempNickname(PCERTCertDBHandle *handle, char *nickname);
+
+
+PRBool
+SEC_CertDBKeyConflict(SECItem *derCert, PCERTCertDBHandle *handle);
+
+SECStatus
+SEC_GetCrlTimes(PCERTCrl *dates, PRTime *notBefore, PRTime *notAfter);
+
+PCERTSignedCrl *
+SEC_AddPermCrlToTemp(PCERTCertDBHandle *handle, certDBEntryRevocation *entry);
+
+SECStatus
+SEC_DeleteTempCrl(PCERTSignedCrl *crl);
+
+
+SECStatus
+SEC_CheckKRL(PCERTCertDBHandle *handle,SECKEYLowPublicKey *key,
+	     PCERTCertificate *rootCert, int64 t, void *wincx);
+
+SECStatus
+SEC_CheckCRL(PCERTCertDBHandle *handle,PCERTCertificate *cert,
+	     PCERTCertificate *caCert, int64 t, void *wincx);
+
+SECStatus
+SEC_CrlReplaceUrl(PCERTSignedCrl *crl,char *url);
+#endif
+
+SEC_END_PROTOS
+
+#endif /* _CERTDB_H_ */

mozilla/security/nss/lib/certdb/certt.h

@@ -0,0 +1,833 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * certt.h - public data structures for the certificate library
+ *
+ * $Id: certt.h,v 1.14 2002-01-11 17:31:09 relyea%netscape.com Exp $
+ */
+#ifndef _CERTT_H_
+#define _CERTT_H_
+
+#include "prclist.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include "secmodt.h"
+#include "secoidt.h"
+#include "plarena.h"
+#include "prcvar.h"
+#include "nssilock.h"
+#include "prio.h"
+#include "prmon.h"
+
+#ifndef NSS_3_4_CODE
+#define NSS_3_4_CODE
+#endif /* NSS_3_4_CODE */
+#include "nsspkit.h"
+
+/* Non-opaque objects */
+typedef struct CERTAVAStr                        CERTAVA;
+typedef struct CERTAttributeStr                  CERTAttribute;
+typedef struct CERTAuthInfoAccessStr             CERTAuthInfoAccess;
+typedef struct CERTAuthKeyIDStr                  CERTAuthKeyID;
+typedef struct CERTBasicConstraintsStr           CERTBasicConstraints;
+#ifdef NSS_CLASSIC
+typedef struct CERTCertDBHandleStr               CERTCertDBHandle;
+#else
+typedef NSSTrustDomain                           CERTCertDBHandle;
+#endif
+typedef struct CERTCertExtensionStr              CERTCertExtension;
+typedef struct CERTCertKeyStr                    CERTCertKey;
+typedef struct CERTCertListStr                   CERTCertList;
+typedef struct CERTCertListNodeStr               CERTCertListNode;
+typedef struct CERTCertNicknamesStr              CERTCertNicknames;
+typedef struct CERTCertTrustStr                  CERTCertTrust;
+typedef struct CERTCertificateStr                CERTCertificate;
+typedef struct CERTCertificateListStr            CERTCertificateList;
+typedef struct CERTCertificateRequestStr         CERTCertificateRequest;
+typedef struct CERTCrlStr                        CERTCrl;
+typedef struct CERTCrlDistributionPointsStr      CERTCrlDistributionPoints; 
+typedef struct CERTCrlEntryStr                   CERTCrlEntry;
+typedef struct CERTCrlHeadNodeStr                CERTCrlHeadNode;
+typedef struct CERTCrlKeyStr                     CERTCrlKey;
+typedef struct CERTCrlNodeStr                    CERTCrlNode;
+typedef struct CERTDERCertsStr                   CERTDERCerts;
+typedef struct CERTDistNamesStr                  CERTDistNames;
+typedef struct CERTGeneralNameStr                CERTGeneralName;
+typedef struct CERTGeneralNameListStr            CERTGeneralNameList;
+typedef struct CERTIssuerAndSNStr                CERTIssuerAndSN;
+typedef struct CERTNameStr                       CERTName;
+typedef struct CERTNameConstraintStr             CERTNameConstraint;
+typedef struct CERTNameConstraintsStr            CERTNameConstraints;
+typedef struct CERTOKDomainNameStr               CERTOKDomainName;
+typedef struct CERTPublicKeyAndChallengeStr      CERTPublicKeyAndChallenge;
+typedef struct CERTRDNStr                        CERTRDN;
+typedef struct CERTSignedCrlStr                  CERTSignedCrl;
+typedef struct CERTSignedDataStr                 CERTSignedData;
+typedef struct CERTStatusConfigStr               CERTStatusConfig;
+typedef struct CERTSubjectListStr                CERTSubjectList;
+typedef struct CERTSubjectNodeStr                CERTSubjectNode;
+typedef struct CERTSubjectPublicKeyInfoStr       CERTSubjectPublicKeyInfo;
+typedef struct CERTValidityStr                   CERTValidity;
+typedef struct CERTVerifyLogStr                  CERTVerifyLog;
+typedef struct CERTVerifyLogNodeStr              CERTVerifyLogNode;
+typedef struct CRLDistributionPointStr           CRLDistributionPoint;
+
+/* CRL extensions type */
+typedef unsigned long CERTCrlNumber;
+
+/*
+** An X.500 AVA object
+*/
+struct CERTAVAStr {
+    SECItem type;
+    SECItem value;
+};
+
+/*
+** An X.500 RDN object
+*/
+struct CERTRDNStr {
+    CERTAVA **avas;
+};
+
+/*
+** An X.500 name object
+*/
+struct CERTNameStr {
+    PRArenaPool *arena;
+    CERTRDN **rdns;
+};
+
+/*
+** An X.509 validity object
+*/
+struct CERTValidityStr {
+    PRArenaPool *arena;
+    SECItem notBefore;
+    SECItem notAfter;
+};
+
+/*
+ * A serial number and issuer name, which is used as a database key
+ */
+struct CERTCertKeyStr {
+    SECItem serialNumber;
+    SECItem derIssuer;
+};
+
+/*
+** A signed data object. Used to implement the "signed" macro used
+** in the X.500 specs.
+*/
+struct CERTSignedDataStr {
+    SECItem data;
+    SECAlgorithmID signatureAlgorithm;
+    SECItem signature;
+};
+
+/*
+** An X.509 subject-public-key-info object
+*/
+struct CERTSubjectPublicKeyInfoStr {
+    PRArenaPool *arena;
+    SECAlgorithmID algorithm;
+    SECItem subjectPublicKey;
+};
+
+struct CERTPublicKeyAndChallengeStr {
+    SECItem spki;
+    SECItem challenge;
+};
+
+struct CERTCertTrustStr {
+    unsigned int sslFlags;
+    unsigned int emailFlags;
+    unsigned int objectSigningFlags;
+};
+
+/*
+ * defined the types of trust that exist
+ */
+typedef enum {
+    trustSSL = 0,
+    trustEmail = 1,
+    trustObjectSigning = 2,
+    trustTypeNone = 3
+} SECTrustType;
+
+#define SEC_GET_TRUST_FLAGS(trust,type) \
+        (((type)==trustSSL)?((trust)->sslFlags): \
+	 (((type)==trustEmail)?((trust)->emailFlags): \
+	  (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
+
+/*
+** An X.509.3 certificate extension
+*/
+struct CERTCertExtensionStr {
+    SECItem id;
+    SECItem critical;
+    SECItem value;
+};
+
+struct CERTSubjectNodeStr {
+    struct CERTSubjectNodeStr *next;
+    struct CERTSubjectNodeStr *prev;
+    SECItem certKey;
+    SECItem keyID;
+};
+
+struct CERTSubjectListStr {
+    PRArenaPool *arena;
+    int ncerts;
+    char *emailAddr;
+    CERTSubjectNode *head;
+    CERTSubjectNode *tail; /* do we need tail? */
+    void *entry;
+};
+
+/*
+** An X.509 certificate object (the unsigned form)
+*/
+struct CERTCertificateStr {
+    /* the arena is used to allocate any data structures that have the same
+     * lifetime as the cert.  This is all stuff that hangs off of the cert
+     * structure, and is all freed at the same time.  I is used when the
+     * cert is decoded, destroyed, and at some times when it changes
+     * state
+     */
+    PRArenaPool *arena;
+
+    /* The following fields are static after the cert has been decoded */
+    char *subjectName;
+    char *issuerName;
+    CERTSignedData signatureWrap;	/* XXX */
+    SECItem derCert;			/* original DER for the cert */
+    SECItem derIssuer;			/* DER for issuer name */
+    SECItem derSubject;			/* DER for subject name */
+    SECItem derPublicKey;		/* DER for the public key */
+    SECItem certKey;			/* database key for this cert */
+    SECItem version;
+    SECItem serialNumber;
+    SECAlgorithmID signature;
+    CERTName issuer;
+    CERTValidity validity;
+    CERTName subject;
+    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
+    SECItem issuerID;
+    SECItem subjectID;
+    CERTCertExtension **extensions;
+    char *emailAddr;
+    CERTCertDBHandle *dbhandle;
+    SECItem subjectKeyID;	/* x509v3 subject key identifier */
+    PRBool keyIDGenerated;	/* was the keyid generated? */
+    unsigned int keyUsage;	/* what uses are allowed for this cert */
+    unsigned int rawKeyUsage;	/* value of the key usage extension */
+    PRBool keyUsagePresent;	/* was the key usage extension present */
+    unsigned int nsCertType;	/* value of the ns cert type extension */
+
+    /* these values can be set by the application to bypass certain checks
+     * or to keep the cert in memory for an entire session.
+     * XXX - need an api to set these
+     */
+    PRBool keepSession;			/* keep this cert for entire session*/
+    PRBool timeOK;			/* is the bad validity time ok? */
+    CERTOKDomainName *domainOK;		/* these domain names are ok */
+
+    /*
+     * these values can change when the cert changes state.  These state
+     * changes include transitions from temp to perm or vice-versa, and
+     * changes of trust flags
+     */
+    PRBool isperm;
+    PRBool istemp;
+    char *nickname;
+    char *dbnickname;
+    void *dbEntry;		 /* database entry struct */
+    CERTCertTrust *trust;
+
+    /* the reference count is modified whenever someone looks up, dups
+     * or destroys a certificate
+     */
+    int referenceCount;
+
+    /* The subject list is a list of all certs with the same subject name.
+     * It can be modified any time a cert is added or deleted from either
+     * the in-memory(temporary) or on-disk(permanent) database.
+     */
+    CERTSubjectList *subjectList;
+
+    /* these fields are used by client GUI code to keep track of ssl sockets
+     * that are blocked waiting on GUI feedback related to this cert.
+     * XXX - these should be moved into some sort of application specific
+     *       data structure.  They are only used by the browser right now.
+     */
+    struct SECSocketNode *socketlist;
+    int socketcount;
+    struct SECSocketNode *authsocketlist;
+    int authsocketcount;
+
+    /* This is PKCS #11 stuff. */
+    PK11SlotInfo *slot;		/*if this cert came of a token, which is it*/
+    CK_OBJECT_HANDLE pkcs11ID;	/*and which object on that token is it */
+    PRBool ownSlot;		/*true if the cert owns the slot reference */
+
+    /* This is Stan stuff. */
+    NSSCertificate *nssCertificate;
+};
+#define SEC_CERTIFICATE_VERSION_1		0	/* default created */
+#define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
+#define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
+
+#define SEC_CRL_VERSION_1		0	/* default */
+#define SEC_CRL_VERSION_2		1	/* v2 extensions */
+
+/*
+ * used to identify class of cert in mime stream code
+ */
+#define SEC_CERT_CLASS_CA	1
+#define SEC_CERT_CLASS_SERVER	2
+#define SEC_CERT_CLASS_USER	3
+#define SEC_CERT_CLASS_EMAIL	4
+
+struct CERTDERCertsStr {
+    PRArenaPool *arena;
+    int numcerts;
+    SECItem *rawCerts;
+};
+
+/*
+** A PKCS ? Attribute
+** XXX this is duplicated through out the code, it *should* be moved
+** to a central location.  Where would be appropriate?
+*/
+struct CERTAttributeStr {
+    SECItem attrType;
+    SECItem **attrValue;
+};
+
+/*
+** A PKCS#10 certificate-request object (the unsigned form)
+*/
+struct CERTCertificateRequestStr {
+    PRArenaPool *arena;
+    SECItem version;
+    CERTName subject;
+    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
+    SECItem **attributes;
+};
+#define SEC_CERTIFICATE_REQUEST_VERSION		0	/* what we *create* */
+
+
+/*
+** A certificate list object.
+*/
+struct CERTCertificateListStr {
+    SECItem *certs;
+    int len;					/* number of certs */
+    PRArenaPool *arena;
+};
+
+struct CERTCertListNodeStr {
+    PRCList links;
+    CERTCertificate *cert;
+    void *appData;
+};
+
+struct CERTCertListStr {
+    PRCList list;
+    PRArenaPool *arena;
+};
+
+#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
+#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
+#define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
+
+struct CERTCrlEntryStr {
+    SECItem serialNumber;
+    SECItem revocationDate;
+    CERTCertExtension **extensions;    
+};
+
+struct CERTCrlStr {
+    PRArenaPool *arena;
+    SECItem version;
+    SECAlgorithmID signatureAlg;
+    SECItem derName;
+    CERTName name;
+    SECItem lastUpdate;
+    SECItem nextUpdate;				/* optional for x.509 CRL  */
+    CERTCrlEntry **entries;
+    CERTCertExtension **extensions;    
+};
+
+struct CERTCrlKeyStr {
+    SECItem derName;
+    SECItem dummy;			/* The decoder can not skip a primitive,
+					   this serves as a place holder for the
+					   decoder to finish its task only
+					*/
+};
+
+struct CERTSignedCrlStr {
+    PRArenaPool *arena;
+    CERTCrl crl;
+    /*certDBEntryRevocation *dbEntry;	 database entry struct */
+    SECItem *derCrl;
+    PK11SlotInfo *slot;
+    /* PRBool keep;		 keep this crl in the cache for the  session*/
+    CK_OBJECT_HANDLE pkcs11ID;
+    PRBool isperm;
+    PRBool istemp;
+    int referenceCount;
+    CERTCertDBHandle *dbhandle;
+    CERTSignedData signatureWrap;	/* XXX */
+    char *url;
+};
+
+
+struct CERTCrlHeadNodeStr {
+    PRArenaPool *arena;
+    CERTCertDBHandle *dbhandle;
+    CERTCrlNode *first;
+    CERTCrlNode *last;
+};
+
+
+struct CERTCrlNodeStr {
+    CERTCrlNode *next;
+    int 	type;
+    CERTSignedCrl *crl;
+};
+
+
+/*
+ * Array of X.500 Distinguished Names
+ */
+struct CERTDistNamesStr {
+    PRArenaPool *arena;
+    int nnames;
+    SECItem  *names;
+    void *head; /* private */
+};
+
+
+#define NS_CERT_TYPE_SSL_CLIENT		(0x80)	/* bit 0 */
+#define NS_CERT_TYPE_SSL_SERVER		(0x40)  /* bit 1 */
+#define NS_CERT_TYPE_EMAIL		(0x20)  /* bit 2 */
+#define NS_CERT_TYPE_OBJECT_SIGNING	(0x10)  /* bit 3 */
+#define NS_CERT_TYPE_RESERVED		(0x08)  /* bit 4 */
+#define NS_CERT_TYPE_SSL_CA		(0x04)  /* bit 5 */
+#define NS_CERT_TYPE_EMAIL_CA		(0x02)  /* bit 6 */
+#define NS_CERT_TYPE_OBJECT_SIGNING_CA	(0x01)  /* bit 7 */
+
+#define EXT_KEY_USAGE_TIME_STAMP        (0x8000)
+#define EXT_KEY_USAGE_STATUS_RESPONDER	(0x4000)
+
+#define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
+			  NS_CERT_TYPE_SSL_SERVER | \
+			  NS_CERT_TYPE_EMAIL | \
+			  NS_CERT_TYPE_OBJECT_SIGNING )
+
+#define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
+			 NS_CERT_TYPE_EMAIL_CA | \
+			 NS_CERT_TYPE_OBJECT_SIGNING_CA | \
+			 EXT_KEY_USAGE_STATUS_RESPONDER )
+typedef enum {
+    certUsageSSLClient = 0,
+    certUsageSSLServer = 1,
+    certUsageSSLServerWithStepUp = 2,
+    certUsageSSLCA = 3,
+    certUsageEmailSigner = 4,
+    certUsageEmailRecipient = 5,
+    certUsageObjectSigner = 6,
+    certUsageUserCertImport = 7,
+    certUsageVerifyCA = 8,
+    certUsageProtectedObjectSigner = 9,
+    certUsageStatusResponder = 10,
+    certUsageAnyCA = 11
+} SECCertUsage;
+
+/*
+ * Does the cert belong to the user, a peer, or a CA.
+ */
+typedef enum {
+    certOwnerUser = 0,
+    certOwnerPeer = 1,
+    certOwnerCA = 2
+} CERTCertOwner;
+
+/*
+ * This enum represents the state of validity times of a certificate
+ */
+typedef enum {
+    secCertTimeValid = 0,
+    secCertTimeExpired = 1,
+    secCertTimeNotValidYet = 2
+} SECCertTimeValidity;
+
+/*
+ * Interface for getting certificate nickname strings out of the database
+ */
+
+/* these are values for the what argument below */
+#define SEC_CERT_NICKNAMES_ALL		1
+#define SEC_CERT_NICKNAMES_USER		2
+#define SEC_CERT_NICKNAMES_SERVER	3
+#define SEC_CERT_NICKNAMES_CA		4
+
+struct CERTCertNicknamesStr {
+    PRArenaPool *arena;
+    void *head;
+    int numnicknames;
+    char **nicknames;
+    int what;
+    int totallen;
+};
+
+struct CERTIssuerAndSNStr {
+    SECItem derIssuer;
+    CERTName issuer;
+    SECItem serialNumber;
+};
+
+
+/* X.509 v3 Key Usage Extension flags */
+#define KU_DIGITAL_SIGNATURE		(0x80)	/* bit 0 */
+#define KU_NON_REPUDIATION		(0x40)  /* bit 1 */
+#define KU_KEY_ENCIPHERMENT		(0x20)  /* bit 2 */
+#define KU_DATA_ENCIPHERMENT		(0x10)  /* bit 3 */
+#define KU_KEY_AGREEMENT		(0x08)  /* bit 4 */
+#define KU_KEY_CERT_SIGN		(0x04)  /* bit 5 */
+#define KU_CRL_SIGN			(0x02)  /* bit 6 */
+#define KU_ALL				(KU_DIGITAL_SIGNATURE | \
+					 KU_NON_REPUDIATION | \
+					 KU_KEY_ENCIPHERMENT | \
+					 KU_DATA_ENCIPHERMENT | \
+					 KU_KEY_AGREEMENT | \
+					 KU_KEY_CERT_SIGN | \
+					 KU_CRL_SIGN)
+
+/* This value will not occur in certs.  It is used internally for the case
+ * when the key type is not know ahead of time and either key agreement or
+ * key encipherment are the correct value based on key type
+ */
+#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
+
+/* internal bits that do not match bits in the x509v3 spec, but are used
+ * for similar purposes
+ */
+#define KU_NS_GOVT_APPROVED		(0x8000) /*don't make part of KU_ALL!*/
+/*
+ * x.509 v3 Basic Constraints Extension
+ * If isCA is false, the pathLenConstraint is ignored.
+ * Otherwise, the following pathLenConstraint values will apply:
+ *	< 0 - there is no limit to the certificate path
+ *	0   - CA can issues end-entity certificates only
+ *	> 0 - the number of certificates in the certificate path is
+ *	      limited to this number
+ */
+#define CERT_UNLIMITED_PATH_CONSTRAINT -2
+
+struct CERTBasicConstraintsStr {
+    PRBool isCA;			/* on if is CA */
+    int pathLenConstraint;		/* maximum number of certificates that can be
+					   in the cert path.  Only applies to a CA
+					   certificate; otherwise, it's ignored.
+					 */
+};
+
+/* Maximum length of a certificate chain */
+#define CERT_MAX_CERT_CHAIN 20
+
+/* x.509 v3 Reason Falgs, used in CRLDistributionPoint Extension */
+#define RF_UNUSED			(0x80)	/* bit 0 */
+#define RF_KEY_COMPROMISE		(0x40)  /* bit 1 */
+#define RF_CA_COMPROMISE		(0x20)  /* bit 2 */
+#define RF_AFFILIATION_CHANGED		(0x10)  /* bit 3 */
+#define RF_SUPERSEDED			(0x08)  /* bit 4 */
+#define RF_CESSATION_OF_OPERATION	(0x04)  /* bit 5 */
+#define RF_CERTIFICATE_HOLD		(0x02)  /* bit 6 */
+
+/* If we needed to extract the general name field, use this */
+/* General Name types */
+typedef enum {
+    certOtherName = 1,
+    certRFC822Name = 2,
+    certDNSName = 3,
+    certX400Address = 4,
+    certDirectoryName = 5,
+    certEDIPartyName = 6,
+    certURI = 7,
+    certIPAddress = 8,
+    certRegisterID = 9
+} CERTGeneralNameType;
+
+
+typedef struct OtherNameStr {
+    SECItem          name;
+    SECItem          oid;
+}OtherName;
+
+
+
+struct CERTGeneralNameStr {
+    CERTGeneralNameType type;		/* name type */
+    union {
+	CERTName directoryName;         /* distinguish name */
+	OtherName  OthName;		/* Other Name */
+	SECItem other;                  /* the rest of the name forms */
+    }name;
+    SECItem derDirectoryName;		/* this is saved to simplify directory name
+					   comparison */
+    PRCList l;
+};
+
+struct CERTGeneralNameListStr {
+    PRArenaPool *arena;
+    CERTGeneralName *name;
+    int refCount;
+    int len;
+    PZLock *lock;
+};
+
+struct CERTNameConstraintStr {
+    CERTGeneralName  name;
+    SECItem          DERName;
+    SECItem          min;
+    SECItem          max;
+    PRCList          l;
+};
+
+
+struct CERTNameConstraintsStr {
+    CERTNameConstraint  *permited;
+    CERTNameConstraint  *excluded;
+    SECItem             **DERPermited;
+    SECItem             **DERExcluded;
+};
+
+
+/* X.509 v3 Authority Key Identifier extension.  For the authority certificate
+   issuer field, we only support URI now.
+ */
+struct CERTAuthKeyIDStr {
+    SECItem keyID;			/* unique key identifier */
+    CERTGeneralName *authCertIssuer;	/* CA's issuer name.  End with a NULL */
+    SECItem authCertSerialNumber;	/* CA's certificate serial number */
+    SECItem **DERAuthCertIssuer;	/* This holds the DER encoded format of
+					   the authCertIssuer field. It is used
+					   by the encoding engine. It should be
+					   used as a read only field by the caller.
+					*/
+};
+
+/* x.509 v3 CRL Distributeion Point */
+
+/*
+ * defined the types of CRL Distribution points
+ */
+typedef enum {
+    generalName = 1,			/* only support this for now */
+    relativeDistinguishedName = 2
+} DistributionPointTypes;
+
+struct CRLDistributionPointStr {
+    DistributionPointTypes distPointType;
+    union {
+	CERTGeneralName *fullName;
+	CERTRDN relativeName;
+    } distPoint;
+    SECItem reasons;
+    CERTGeneralName *crlIssuer;
+    
+    /* Reserved for internal use only*/
+    SECItem derDistPoint;
+    SECItem derRelativeName;
+    SECItem **derCrlIssuer;
+    SECItem **derFullName;
+    SECItem bitsmap;
+};
+
+struct CERTCrlDistributionPointsStr {
+    CRLDistributionPoint **distPoints;
+};
+
+/*
+ * This structure is used to keep a log of errors when verifying
+ * a cert chain.  This allows multiple errors to be reported all at
+ * once.
+ */
+struct CERTVerifyLogNodeStr {
+    CERTCertificate *cert;	/* what cert had the error */
+    long error;			/* what error was it? */
+    unsigned int depth;		/* how far up the chain are we */
+    void *arg;			/* error specific argument */
+    struct CERTVerifyLogNodeStr *next; /* next in the list */
+    struct CERTVerifyLogNodeStr *prev; /* next in the list */
+};
+
+
+struct CERTVerifyLogStr {
+    PRArenaPool *arena;
+    unsigned int count;
+    struct CERTVerifyLogNodeStr *head;
+    struct CERTVerifyLogNodeStr *tail;
+};
+
+
+struct CERTOKDomainNameStr {
+    CERTOKDomainName *next;
+    char              name[1]; /* actual length may be longer. */
+};
+
+
+typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
+						    CERTCertificate *cert,
+						    int64 time,
+						    void *pwArg);
+
+typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
+
+struct CERTStatusConfigStr {
+    CERTStatusChecker statusChecker;	/* NULL means no checking enabled */
+    CERTStatusDestroy statusDestroy;	/* enabled or no, will clean up */
+    void *statusContext;		/* cx specific to checking protocol */
+};
+
+struct CERTAuthInfoAccessStr {
+    SECItem method;
+    SECItem derLocation;
+    CERTGeneralName *location;		/* decoded location */
+};
+
+
+/* This is the typedef for the callback passed to CERT_OpenCertDB() */
+/* callback to return database name based on version number */
+typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
+
+/*
+ * types of cert packages that we can decode
+ */
+typedef enum {
+    certPackageNone = 0,
+    certPackageCert = 1,
+    certPackagePKCS7 = 2,
+    certPackageNSCertSeq = 3,
+    certPackageNSCertWrap = 4
+} CERTPackageType;
+
+/*
+ * these types are for the PKIX Certificate Policies extension
+ */
+typedef struct {
+    SECOidTag oid;
+    SECItem qualifierID;
+    SECItem qualifierValue;
+} CERTPolicyQualifier;
+
+typedef struct {
+    SECOidTag oid;
+    SECItem policyID;
+    CERTPolicyQualifier **policyQualifiers;
+} CERTPolicyInfo;
+
+typedef struct {
+    PRArenaPool *arena;
+    CERTPolicyInfo **policyInfos;
+} CERTCertificatePolicies;
+
+typedef struct {
+    SECItem organization;
+    SECItem **noticeNumbers;
+} CERTNoticeReference;
+
+typedef struct {
+    PRArenaPool *arena;
+    CERTNoticeReference noticeReference;
+    SECItem derNoticeReference;
+    SECItem displayText;
+} CERTUserNotice;
+
+typedef struct {
+    PRArenaPool *arena;
+    SECItem **oids;
+} CERTOidSequence;
+
+
+/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
+
+#include "secasn1t.h"	/* way down here because I expect template stuff to
+			 * move out of here anyway */
+
+SEC_BEGIN_PROTOS
+
+extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
+extern const SEC_ASN1Template CERT_CertificateTemplate[];
+extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
+extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
+extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
+extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
+extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
+extern const SEC_ASN1Template CERT_ValidityTemplate[];
+extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
+extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
+
+extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
+extern const SEC_ASN1Template CERT_NameTemplate[];
+extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
+extern const SEC_ASN1Template CERT_RDNTemplate[];
+extern const SEC_ASN1Template CERT_SignedDataTemplate[];
+extern const SEC_ASN1Template CERT_CrlTemplate[];
+
+/*
+** XXX should the attribute stuff be centralized for all of ns/security?
+*/
+extern const SEC_ASN1Template CERT_AttributeTemplate[];
+extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
+
+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
+
+SEC_END_PROTOS
+
+#endif /* _CERTT_H_ */

mozilla/security/nss/lib/certdb/certv3.c

@@ -0,0 +1,406 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Code for dealing with X509.V3 extensions.
+ *
+ * $Id: certv3.c,v 1.1 2000-03-31 19:42:36 relyea%netscape.com Exp $
+ */
+
+#include "cert.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "certxutl.h"
+#include "secerr.h"
+
+SECStatus
+CERT_FindCertExtensionByOID(CERTCertificate *cert, SECItem *oid,
+			    SECItem *value)
+{
+    return (cert_FindExtensionByOID (cert->extensions, oid, value));
+}
+    
+
+SECStatus
+CERT_FindCertExtension(CERTCertificate *cert, int tag, SECItem *value)
+{
+    return (cert_FindExtension (cert->extensions, tag, value));
+}
+
+static void
+SetExts(void *object, CERTCertExtension **exts)
+{
+    CERTCertificate *cert = (CERTCertificate *)object;
+
+    cert->extensions = exts;
+    DER_SetUInteger (cert->arena, &(cert->version), SEC_CERTIFICATE_VERSION_3);
+}
+
+void *
+CERT_StartCertExtensions(CERTCertificate *cert)
+{
+    return (cert_StartExtensions ((void *)cert, cert->arena, SetExts));
+}
+
+/* find the given extension in the certificate of the Issuer of 'cert' */
+SECStatus
+CERT_FindIssuerCertExtension(CERTCertificate *cert, int tag, SECItem *value)
+{
+    CERTCertificate *issuercert;
+    SECStatus rv;
+
+    issuercert = CERT_FindCertByName(cert->dbhandle, &cert->derIssuer);
+    if ( issuercert ) {
+	rv = cert_FindExtension(issuercert->extensions, tag, value);
+	CERT_DestroyCertificate(issuercert);
+    } else {
+	rv = SECFailure;
+    }
+    
+    return(rv);
+}
+
+/* find a URL extension in the cert or its CA
+ * apply the base URL string if it exists
+ */
+char *
+CERT_FindCertURLExtension(CERTCertificate *cert, int tag, int catag)
+{
+    SECStatus rv;
+    SECItem urlitem;
+    SECItem baseitem;
+    SECItem urlstringitem = {siBuffer,0};
+    SECItem basestringitem = {siBuffer,0};
+    PRArenaPool *arena = NULL;
+    PRBool hasbase;
+    char *urlstring;
+    char *str;
+    int len;
+    int i;
+    
+    urlstring = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( ! arena ) {
+	goto loser;
+    }
+    
+    hasbase = PR_FALSE;
+    urlitem.data = NULL;
+    baseitem.data = NULL;
+    
+    rv = cert_FindExtension(cert->extensions, tag, &urlitem);
+    if ( rv == SECSuccess ) {
+	rv = cert_FindExtension(cert->extensions, SEC_OID_NS_CERT_EXT_BASE_URL,
+				   &baseitem);
+	if ( rv == SECSuccess ) {
+	    hasbase = PR_TRUE;
+	}
+	
+    } else if ( catag ) {
+	/* if the cert doesn't have the extensions, see if the issuer does */
+	rv = CERT_FindIssuerCertExtension(cert, catag, &urlitem);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}	    
+	rv = CERT_FindIssuerCertExtension(cert, SEC_OID_NS_CERT_EXT_BASE_URL,
+					 &baseitem);
+	if ( rv == SECSuccess ) {
+	    hasbase = PR_TRUE;
+	}
+    } else {
+	goto loser;
+    }
+
+    rv = SEC_ASN1DecodeItem(arena, &urlstringitem, SEC_IA5StringTemplate, 
+			    &urlitem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    if ( hasbase ) {
+	rv = SEC_ASN1DecodeItem(arena, &basestringitem, SEC_IA5StringTemplate,
+				&baseitem);
+
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    }
+    
+    len = urlstringitem.len + ( hasbase ? basestringitem.len : 0 ) + 1;
+    
+    str = urlstring = (char *)PORT_Alloc(len);
+    if ( urlstring == NULL ) {
+	goto loser;
+    }
+    
+    /* copy the URL base first */
+    if ( hasbase ) {
+
+	/* if the urlstring has a : in it, then we assume it is an absolute
+	 * URL, and will not get the base string pre-pended
+	 */
+	for ( i = 0; i < urlstringitem.len; i++ ) {
+	    if ( urlstringitem.data[i] == ':' ) {
+		goto nobase;
+	    }
+	}
+	
+	PORT_Memcpy(str, basestringitem.data, basestringitem.len);
+	str += basestringitem.len;
+	
+    }
+
+nobase:
+    /* copy the rest (or all) of the URL */
+    PORT_Memcpy(str, urlstringitem.data, urlstringitem.len);
+    str += urlstringitem.len;
+    
+    *str = '\0';
+    goto done;
+    
+loser:
+    if ( urlstring ) {
+	PORT_Free(urlstring);
+    }
+    
+    urlstring = NULL;
+done:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    if ( baseitem.data ) {
+	PORT_Free(baseitem.data);
+    }
+    if ( urlitem.data ) {
+	PORT_Free(urlitem.data);
+    }
+
+    return(urlstring);
+}
+
+/*
+ * get the value of the Netscape Certificate Type Extension
+ */
+SECStatus
+CERT_FindNSCertTypeExtension(CERTCertificate *cert, SECItem *retItem)
+{
+
+    return (CERT_FindBitStringExtension
+	    (cert->extensions, SEC_OID_NS_CERT_EXT_CERT_TYPE, retItem));    
+}
+
+
+/*
+ * get the value of a string type extension
+ */
+char *
+CERT_FindNSStringExtension(CERTCertificate *cert, int oidtag)
+{
+    SECItem wrapperItem, tmpItem = {siBuffer,0};
+    SECStatus rv;
+    PRArenaPool *arena = NULL;
+    char *retstring = NULL;
+    
+    wrapperItem.data = NULL;
+    tmpItem.data = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( ! arena ) {
+	goto loser;
+    }
+    
+    rv = cert_FindExtension(cert->extensions, oidtag,
+			       &wrapperItem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = SEC_ASN1DecodeItem(arena, &tmpItem, SEC_IA5StringTemplate, 
+			    &wrapperItem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    retstring = (char *)PORT_Alloc(tmpItem.len + 1 );
+    if ( retstring == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(retstring, tmpItem.data, tmpItem.len);
+    retstring[tmpItem.len] = '\0';
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    if ( wrapperItem.data ) {
+	PORT_Free(wrapperItem.data);
+    }
+
+    return(retstring);
+}
+
+/*
+ * get the value of the X.509 v3 Key Usage Extension
+ */
+SECStatus
+CERT_FindKeyUsageExtension(CERTCertificate *cert, SECItem *retItem)
+{
+
+    return (CERT_FindBitStringExtension(cert->extensions,
+					SEC_OID_X509_KEY_USAGE, retItem));    
+}
+
+/*
+ * get the value of the X.509 v3 Key Usage Extension
+ */
+SECStatus
+CERT_FindSubjectKeyIDExten(CERTCertificate *cert, SECItem *retItem)
+{
+
+    SECItem encodedValue;
+    SECStatus rv;
+
+    encodedValue.data = NULL;
+    rv = cert_FindExtension
+	 (cert->extensions, SEC_OID_X509_SUBJECT_KEY_ID, &encodedValue);
+    if (rv != SECSuccess)
+	return (rv);
+    rv = SEC_ASN1DecodeItem (NULL, retItem, SEC_OctetStringTemplate,
+			     &encodedValue);
+    PORT_Free (encodedValue.data);
+
+    return (rv);
+}
+
+SECStatus
+CERT_FindBasicConstraintExten(CERTCertificate *cert,
+			      CERTBasicConstraints *value)
+{
+    SECItem encodedExtenValue;
+    SECStatus rv;
+
+    encodedExtenValue.data = NULL;
+    encodedExtenValue.len = 0;
+
+    rv = cert_FindExtension(cert->extensions, SEC_OID_X509_BASIC_CONSTRAINTS,
+			    &encodedExtenValue);
+    if ( rv != SECSuccess ) {
+	return (rv);
+    }
+
+    rv = CERT_DecodeBasicConstraintValue (value, &encodedExtenValue);
+    
+    /* free the raw extension data */
+    PORT_Free(encodedExtenValue.data);
+    encodedExtenValue.data = NULL;
+    
+    return(rv);
+}
+
+CERTAuthKeyID *
+CERT_FindAuthKeyIDExten (PRArenaPool *arena, CERTCertificate *cert)
+{
+    SECItem encodedExtenValue;
+    SECStatus rv;
+    CERTAuthKeyID *ret;
+    
+    encodedExtenValue.data = NULL;
+    encodedExtenValue.len = 0;
+
+    rv = cert_FindExtension(cert->extensions, SEC_OID_X509_AUTH_KEY_ID,
+			    &encodedExtenValue);
+    if ( rv != SECSuccess ) {
+	return (NULL);
+    }
+
+    ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue);
+
+    PORT_Free(encodedExtenValue.data);
+    encodedExtenValue.data = NULL;
+    
+    return(ret);
+}
+
+SECStatus
+CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage)
+{
+    PRBool critical;    
+    SECItem keyUsage;
+    SECStatus rv;
+
+    /* There is no extension, v1 or v2 certificate */
+    if (cert->extensions == NULL) {
+	return (SECSuccess);
+    }
+    
+    keyUsage.data = NULL;
+
+    do {
+	/* if the keyUsage extension exists and is critical, make sure that the
+	   CA certificate is used for certificate signing purpose only. If the
+	   extension does not exist, we will assum that it can be used for
+	   certificate signing purpose.
+	*/
+	rv = CERT_GetExtenCriticality(cert->extensions,
+				      SEC_OID_X509_KEY_USAGE,
+				      &critical);
+	if (rv == SECFailure) {
+	    rv = (PORT_GetError () == SEC_ERROR_EXTENSION_NOT_FOUND) ?
+		SECSuccess : SECFailure;
+	    break;
+	}
+
+	if (critical == PR_FALSE) {
+	    rv = SECSuccess;
+	    break;
+	}
+
+	rv = CERT_FindKeyUsageExtension(cert, &keyUsage);
+	if (rv != SECSuccess) {
+	    break;
+	}	
+	if (!(keyUsage.data[0] & usage)) {
+	    PORT_SetError (SEC_ERROR_CERT_USAGES_INVALID);
+	    rv = SECFailure;
+	}
+    }while (0);
+    PORT_Free (keyUsage.data);
+    return (rv);
+}

mozilla/security/nss/lib/certdb/certxutl.c

@@ -0,0 +1,482 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Certificate Extensions handling code
+ *
+ */
+
+#include "cert.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "certxutl.h"
+#include "secerr.h"
+
+#ifdef OLD
+#include "ocspti.h"	/* XXX a better extensions interface would not
+			 * require knowledge of data structures of callers */
+#endif
+
+static CERTCertExtension *
+GetExtension (CERTCertExtension **extensions, SECItem *oid)
+{
+    CERTCertExtension **exts;
+    CERTCertExtension *ext = NULL;
+    SECComparison comp;
+
+    exts = extensions;
+    
+    if (exts) {
+	while ( *exts ) {
+	    ext = *exts;
+	    comp = SECITEM_CompareItem(oid, &ext->id);
+	    if ( comp == SECEqual ) 
+		break;
+
+	    exts++;
+	}
+	return (*exts ? ext : NULL);
+    }
+    return (NULL);
+}
+
+SECStatus
+cert_FindExtensionByOID (CERTCertExtension **extensions, SECItem *oid, SECItem *value)
+{
+    CERTCertExtension *ext;
+    SECStatus rv = SECSuccess;
+    
+    ext = GetExtension (extensions, oid);
+    if (ext == NULL) {
+	PORT_SetError (SEC_ERROR_EXTENSION_NOT_FOUND);
+	return (SECFailure);
+    }
+    if (value)
+	rv = SECITEM_CopyItem(NULL, value, &ext->value);
+    return (rv);
+}
+    
+
+SECStatus
+CERT_GetExtenCriticality (CERTCertExtension **extensions, int tag, PRBool *isCritical)
+{
+    CERTCertExtension *ext;
+    SECOidData *oid;
+
+    if (!isCritical)
+	return (SECSuccess);
+    
+    /* find the extension in the extensions list */
+    oid = SECOID_FindOIDByTag((SECOidTag)tag);
+    if ( !oid ) {
+	return(SECFailure);
+    }
+    ext = GetExtension (extensions, &oid->oid);
+    if (ext == NULL) {
+	PORT_SetError (SEC_ERROR_EXTENSION_NOT_FOUND);
+	return (SECFailure);
+    }
+
+    /* If the criticality is omitted, then it is false by default.
+       ex->critical.data is NULL */
+    if (ext->critical.data == NULL)
+	*isCritical = PR_FALSE;
+    else
+	*isCritical = (ext->critical.data[0] == 0xff) ? PR_TRUE : PR_FALSE;
+    return (SECSuccess);    
+}
+
+SECStatus
+cert_FindExtension(CERTCertExtension **extensions, int tag, SECItem *value)
+{
+    SECOidData *oid;
+    
+    oid = SECOID_FindOIDByTag((SECOidTag)tag);
+    if ( !oid ) {
+	return(SECFailure);
+    }
+
+    return(cert_FindExtensionByOID(extensions, &oid->oid, value));
+}
+
+
+typedef struct _extNode {
+    struct _extNode *next;
+    CERTCertExtension *ext;
+} extNode;
+
+typedef struct {
+    void (*setExts)(void *object, CERTCertExtension **exts);
+    void *object;
+    PRArenaPool *ownerArena;
+    PRArenaPool *arena;
+    extNode *head;
+    int count;
+}extRec;
+
+/*
+ * cert_StartExtensions
+ *
+ * NOTE: This interface changed significantly to remove knowledge
+ *   about callers data structures (owner objects)
+ */
+void *
+cert_StartExtensions(void *owner, PRArenaPool *ownerArena,
+   void (*setExts)(void *object, CERTCertExtension **exts))
+{
+    PRArenaPool *arena;
+    extRec *handle;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+	return(0);
+    }
+
+    handle = (extRec *)PORT_ArenaAlloc(arena, sizeof(extRec));
+    if ( !handle ) {
+	PORT_FreeArena(arena, PR_FALSE);
+	return(0);
+    }
+
+    handle->object = owner;
+    handle->ownerArena = ownerArena;
+    handle->setExts = setExts;
+
+    handle->arena = arena;
+    handle->head = 0;
+    handle->count = 0;
+    
+    return(handle);
+}
+
+static unsigned char hextrue = 0xff;
+
+/*
+ * Note - assumes that data pointed to by oid->data will not move
+ */
+SECStatus
+CERT_AddExtensionByOID (void *exthandle, SECItem *oid, SECItem *value,
+			PRBool critical, PRBool copyData)
+{
+    CERTCertExtension *ext;
+    SECStatus rv;
+    extNode *node;
+    extRec *handle;
+    
+    handle = (extRec *)exthandle;
+
+    /* allocate space for extension and list node */
+    ext = (CERTCertExtension*)PORT_ArenaZAlloc(handle->ownerArena,
+                                               sizeof(CERTCertExtension));
+    if ( !ext ) {
+	return(SECFailure);
+    }
+
+    node = (extNode*)PORT_ArenaAlloc(handle->arena, sizeof(extNode));
+    if ( !node ) {
+	return(SECFailure);
+    }
+
+    /* add to list */
+    node->next = handle->head;
+    handle->head = node;
+   
+    /* point to ext struct */
+    node->ext = ext;
+    
+    /* the object ID of the extension */
+    ext->id = *oid;
+    
+    /* set critical field */
+    if ( critical ) {
+	ext->critical.data = (unsigned char*)&hextrue;
+	ext->critical.len = 1;
+    }
+
+    /* set the value */
+    if ( copyData ) {
+	rv = SECITEM_CopyItem(handle->ownerArena, &ext->value, value);
+	if ( rv ) {
+	    return(SECFailure);
+	}
+    } else {
+	ext->value = *value;
+    }
+    
+    handle->count++;
+    
+    return(SECSuccess);
+
+}
+
+SECStatus
+CERT_AddExtension(void *exthandle, int idtag, SECItem *value,
+		     PRBool critical, PRBool copyData)
+{
+    SECOidData *oid;
+    
+    oid = SECOID_FindOIDByTag((SECOidTag)idtag);
+    if ( !oid ) {
+	return(SECFailure);
+    }
+
+    return(CERT_AddExtensionByOID(exthandle, &oid->oid, value, critical, copyData));
+}
+
+SECStatus
+CERT_EncodeAndAddExtension(void *exthandle, int idtag, void *value,
+			   PRBool critical, const SEC_ASN1Template *atemplate)
+{
+    extRec *handle;
+    SECItem *encitem;
+
+    handle = (extRec *)exthandle;
+
+    encitem = SEC_ASN1EncodeItem(handle->ownerArena, NULL, value, atemplate);
+    if ( encitem == NULL ) {
+	return(SECFailure);
+    }
+
+    return CERT_AddExtension(exthandle, idtag, encitem, critical, PR_FALSE);
+}
+
+void
+PrepareBitStringForEncoding (SECItem *bitsmap, SECItem *value)
+{
+  unsigned char onebyte;
+  unsigned int i, len = 0;
+
+  /* to prevent warning on some platform at compile time */ 
+  onebyte = '\0';   
+  /* Get the position of the right-most turn-on bit */ 
+  for (i = 0; i < (value->len ) * 8; ++i) {
+      if (i % 8 == 0)
+	  onebyte = value->data[i/8];
+      if (onebyte & 0x80)
+	  len = i;            
+      onebyte <<= 1;
+      
+  }
+  bitsmap->data = value->data;
+  /* Add one here since we work with base 1 */ 
+  bitsmap->len = len + 1;
+}
+
+SECStatus
+CERT_EncodeAndAddBitStrExtension (void *exthandle, int idtag,
+				  SECItem *value, PRBool critical)
+{
+  SECItem bitsmap;
+  
+  PrepareBitStringForEncoding (&bitsmap, value);
+  return (CERT_EncodeAndAddExtension
+	  (exthandle, idtag, &bitsmap, critical, SEC_BitStringTemplate));
+}
+
+SECStatus
+CERT_FinishExtensions(void *exthandle)
+{
+    extRec *handle;
+    extNode *node;
+    CERTCertExtension **exts;
+    SECStatus rv = SECFailure;
+    
+    handle = (extRec *)exthandle;
+
+    /* allocate space for extensions array */
+    exts = PORT_ArenaNewArray(handle->ownerArena, CERTCertExtension *,
+			      handle->count + 1);
+    if (exts == NULL) {
+	goto loser;
+    }
+
+    /* put extensions in owner object and update its version number */
+
+#ifdef OLD
+    switch (handle->type) {
+      case CertificateExtensions:
+	handle->owner.cert->extensions = exts;
+	DER_SetUInteger (ownerArena, &(handle->owner.cert->version),
+			 SEC_CERTIFICATE_VERSION_3);
+	break;
+      case CrlExtensions:
+	handle->owner.crl->extensions = exts;
+	DER_SetUInteger (ownerArena, &(handle->owner.crl->version),
+			 SEC_CRL_VERSION_2);
+	break;
+      case OCSPRequestExtensions:
+	handle->owner.request->tbsRequest->requestExtensions = exts;
+	break;
+      case OCSPSingleRequestExtensions:
+	handle->owner.singleRequest->singleRequestExtensions = exts;	
+	break;
+      case OCSPResponseSingleExtensions:
+	handle->owner.singleResponse->singleExtensions = exts;	
+	break;
+    }
+#endif
+
+    handle->setExts(handle->object, exts);
+	
+    /* update the version number */
+
+    /* copy each extension pointer */
+    node = handle->head;
+    while ( node ) {
+	*exts = node->ext;
+	
+	node = node->next;
+	exts++;
+    }
+
+    /* terminate the array of extensions */
+    *exts = 0;
+
+    rv = SECSuccess;
+
+loser:
+    /* free working arena */
+    PORT_FreeArena(handle->arena, PR_FALSE);
+    return rv;
+}
+
+/*
+ * get the value of the Netscape Certificate Type Extension
+ */
+SECStatus
+CERT_FindBitStringExtension (CERTCertExtension **extensions, int tag,
+			     SECItem *retItem)
+{
+    SECItem wrapperItem, tmpItem = {siBuffer,0};
+    SECStatus rv;
+    PRArenaPool *arena = NULL;
+    
+    wrapperItem.data = NULL;
+    tmpItem.data = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( ! arena ) {
+	return(SECFailure);
+    }
+    
+    rv = cert_FindExtension(extensions, tag, &wrapperItem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = SEC_ASN1DecodeItem(arena, &tmpItem, SEC_BitStringTemplate, 
+			    &wrapperItem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    retItem->data = (unsigned char *)PORT_Alloc( ( tmpItem.len + 7 ) >> 3 );
+    if ( retItem->data == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(retItem->data, tmpItem.data, ( tmpItem.len + 7 ) >> 3);
+    retItem->len = tmpItem.len;
+    
+    rv = SECSuccess;
+    goto done;
+    
+loser:
+    rv = SECFailure;
+
+done:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    if ( wrapperItem.data ) {
+	PORT_Free(wrapperItem.data);
+    }
+
+    return(rv);
+}
+
+PRBool
+cert_HasCriticalExtension (CERTCertExtension **extensions)
+{
+    CERTCertExtension **exts;
+    CERTCertExtension *ext = NULL;
+    PRBool hasCriticalExten = PR_FALSE;
+    
+    exts = extensions;
+    
+    if (exts) {
+	while ( *exts ) {
+	    ext = *exts;
+	    /* If the criticality is omitted, it's non-critical */
+	    if (ext->critical.data && ext->critical.data[0] == 0xff) {
+		hasCriticalExten = PR_TRUE;
+		break;
+	    }
+	    exts++;
+	}
+    }
+    return (hasCriticalExten);
+}
+
+PRBool
+cert_HasUnknownCriticalExten (CERTCertExtension **extensions)
+{
+    CERTCertExtension **exts;
+    CERTCertExtension *ext = NULL;
+    PRBool hasUnknownCriticalExten = PR_FALSE;
+    
+    exts = extensions;
+    
+    if (exts) {
+	while ( *exts ) {
+	    ext = *exts;
+	    /* If the criticality is omitted, it's non-critical.
+	       If an extension is critical, make sure that we know
+	       how to process the extension.
+             */
+	    if (ext->critical.data && ext->critical.data[0] == 0xff) {
+		if (SECOID_KnownCertExtenOID (&ext->id) == PR_FALSE) {
+		    hasUnknownCriticalExten = PR_TRUE;
+		    break;
+		}
+	    }
+	    exts++;
+	}
+    }
+    return (hasUnknownCriticalExten);
+}

mozilla/security/nss/lib/certdb/certxutl.h

@@ -0,0 +1,79 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * x.509 v3 certificate extension helper routines
+ *
+ */
+
+
+#ifndef _CERTXUTL_H_
+#define _CERTXUTL_H_
+
+#include "nspr.h"
+
+#ifdef OLD
+typedef enum {
+    CertificateExtensions,
+    CrlExtensions,
+    OCSPRequestExtensions,
+    OCSPSingleRequestExtensions,
+    OCSPResponseSingleExtensions
+} ExtensionsType;
+#endif
+
+extern PRBool
+cert_HasCriticalExtension (CERTCertExtension **extensions);
+
+extern SECStatus
+CERT_FindBitStringExtension (CERTCertExtension **extensions,
+			     int tag, SECItem *retItem);
+extern void *
+cert_StartExtensions (void *owner, PLArenaPool *arena,
+                      void (*setExts)(void *object, CERTCertExtension **exts));
+
+extern SECStatus
+cert_FindExtension (CERTCertExtension **extensions, int tag, SECItem *value);
+
+extern SECStatus
+cert_FindExtensionByOID (CERTCertExtension **extensions,
+			 SECItem *oid, SECItem *value);
+
+extern SECStatus
+cert_GetExtenCriticality (CERTCertExtension **extensions,
+			  int tag, PRBool *isCritical);
+
+extern PRBool
+cert_HasUnknownCriticalExten (CERTCertExtension **extensions);
+
+#endif

mozilla/security/nss/lib/certdb/config.mk

@@ -0,0 +1,43 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+

mozilla/security/nss/lib/certdb/crl.c

@@ -0,0 +1,635 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Moved from secpkcs7.c
+ *
+ * $Id: crl.c,v 1.8 2002-02-26 02:02:47 relyea%netscape.com Exp $
+ */
+
+#include "cert.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "certxutl.h"
+#include "prtime.h"
+#include "secerr.h"
+#include "pk11func.h"
+
+const SEC_ASN1Template SEC_CERTExtensionTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCertExtension) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTCertExtension,id) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,		/* XXX DER_DEFAULT */
+	  offsetof(CERTCertExtension,critical), },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(CERTCertExtension,value) },
+    { 0, }
+};
+
+static const SEC_ASN1Template SEC_CERTExtensionsTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0,  SEC_CERTExtensionTemplate}
+};
+
+/*
+ * XXX Also, these templates, especially the Krl/FORTEZZA ones, need to
+ * be tested; Lisa did the obvious translation but they still should be
+ * verified.
+ */
+
+const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTIssuerAndSN) },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTIssuerAndSN,derIssuer) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTIssuerAndSN,issuer),
+	  CERT_NameTemplate },
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTIssuerAndSN,serialNumber) },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_KrlEntryTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrlEntry) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(CERTCrlEntry,serialNumber) },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrlEntry,revocationDate) },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_KrlTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrl) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCrl,signatureAlg),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTCrl,derName) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCrl,name),
+	  CERT_NameTemplate },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrl,lastUpdate) },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrl,nextUpdate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCrl,entries),
+	  cert_KrlEntryTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_SignedKrlTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTSignedCrl) },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTSignedCrl,signatureWrap.data) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSignedCrl,crl),
+	  cert_KrlTemplate },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_BIT_STRING,
+	  offsetof(CERTSignedCrl,signatureWrap.signature) },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_CrlKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrlKey) },
+    { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof(CERTCrlKey,dummy) },
+    { SEC_ASN1_SKIP },
+    { SEC_ASN1_ANY, offsetof(CERTCrlKey,derName) },
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_CrlEntryTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrlEntry) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTCrlEntry,serialNumber) },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrlEntry,revocationDate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCrlEntry, extensions),
+	  SEC_CERTExtensionTemplate},
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_CrlTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrl) },
+    { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof (CERTCrl, version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCrl,signatureAlg),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTCrl,derName) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCrl,name),
+	  CERT_NameTemplate },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrl,lastUpdate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrl,nextUpdate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCrl,entries),
+	  cert_CrlEntryTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+	  SEC_ASN1_EXPLICIT | 0,
+	  offsetof(CERTCrl,extensions),
+	  SEC_CERTExtensionsTemplate},
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_SignedCrlTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTSignedCrl) },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTSignedCrl,signatureWrap.data) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSignedCrl,crl),
+	  CERT_CrlTemplate },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_BIT_STRING,
+	  offsetof(CERTSignedCrl,signatureWrap.signature) },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, cert_SignedCrlTemplate },
+};
+
+/* Check the version of the CRL.  If there is a critical extension in the crl
+   or crl entry, then the version must be v2. Otherwise, it should be v1.  If
+   the crl contains critical extension(s), then we must recognized the extension's
+   OID.
+   */
+SECStatus cert_check_crl_version (CERTCrl *crl)
+{
+    CERTCrlEntry **entries;
+    CERTCrlEntry *entry;
+    PRBool hasCriticalExten = PR_FALSE;
+    SECStatus rv = SECSuccess;
+    int version;
+
+    /* CRL version is defaulted to v1 */
+    version = SEC_CRL_VERSION_1;
+    if (crl->version.data != 0) 
+	version = (int)DER_GetUInteger (&crl->version);
+	
+    if (version > SEC_CRL_VERSION_2) {
+	PORT_SetError (SEC_ERROR_BAD_DER);
+	return (SECFailure);
+    }
+
+    /* Check the crl extensions for a critial extension.  If one is found,
+       and the version is not v2, then we are done.
+     */
+    if (crl->extensions) {
+	hasCriticalExten = cert_HasCriticalExtension (crl->extensions);
+	if (hasCriticalExten) {
+	    if (version != SEC_CRL_VERSION_2)
+		return (SECFailure);
+	    /* make sure that there is no unknown critical extension */
+	    if (cert_HasUnknownCriticalExten (crl->extensions) == PR_TRUE) {
+		PORT_SetError (SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
+		return (SECFailure);
+	    }
+	}
+    }
+
+	
+    if (crl->entries == NULL) {
+	if (hasCriticalExten == PR_FALSE && version == SEC_CRL_VERSION_2) {
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    return (SECFailure);
+	}
+        return (SECSuccess);
+    }
+    /* Look in the crl entry extensions.  If there is a critical extension,
+       then the crl version must be v2; otherwise, it should be v1.
+     */
+    entries = crl->entries;
+    while (*entries) {
+	entry = *entries;
+	if (entry->extensions) {
+	    /* If there is a critical extension in the entries, then the
+	       CRL must be of version 2.  If we already saw a critical extension,
+	       there is no need to check the version again.
+	    */
+	    if (hasCriticalExten == PR_FALSE) {
+		hasCriticalExten = cert_HasCriticalExtension (entry->extensions);
+		if (hasCriticalExten && version != SEC_CRL_VERSION_2) { 
+		    rv = SECFailure;
+		    break;
+		}
+	    }
+
+	    /* For each entry, make sure that it does not contain an unknown
+	       critical extension.  If it does, we must reject the CRL since
+	       we don't know how to process the extension.
+	    */
+	    if (cert_HasUnknownCriticalExten (entry->extensions) == PR_TRUE) {
+		PORT_SetError (SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
+		rv = SECFailure;
+		break;
+	    }
+	}
+	++entries;
+    }
+    if (rv == SECFailure)
+	return (rv);
+
+    return (SECSuccess);
+}
+
+/*
+ * Generate a database key, based on the issuer name from a
+ * DER crl.
+ */
+SECStatus
+CERT_KeyFromDERCrl(PRArenaPool *arena, SECItem *derCrl, SECItem *key)
+{
+    SECStatus rv;
+    CERTSignedData sd;
+    CERTCrlKey crlkey;
+
+    PORT_Memset (&sd, 0, sizeof (sd));
+    rv = SEC_ASN1DecodeItem (arena, &sd, CERT_SignedDataTemplate, derCrl);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
+    PORT_Memset (&crlkey, 0, sizeof (crlkey));
+    rv = SEC_ASN1DecodeItem(arena, &crlkey, cert_CrlKeyTemplate, &sd.data);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
+    key->len =  crlkey.derName.len;
+    key->data = crlkey.derName.data;
+
+    return(SECSuccess);
+}
+
+/*
+ * take a DER CRL or KRL  and decode it into a CRL structure
+ */
+CERTSignedCrl *
+CERT_DecodeDERCrl(PRArenaPool *narena, SECItem *derSignedCrl, int type)
+{
+    PRArenaPool *arena;
+    CERTSignedCrl *crl;
+    SECStatus rv;
+
+    /* make a new arena */
+    if (narena == NULL) {
+    	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if ( !arena ) {
+	    return NULL;
+	}
+    } else {
+	arena = narena;
+    }
+
+    /* allocate the CRL structure */
+    crl = (CERTSignedCrl *)PORT_ArenaZAlloc(arena, sizeof(CERTSignedCrl));
+    if ( !crl ) {
+	goto loser;
+    }
+    
+    crl->arena = arena;
+
+    crl->derCrl = (SECItem *)PORT_ArenaZAlloc(arena,sizeof(SECItem));
+    if (crl->derCrl == NULL) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(arena, crl->derCrl, derSignedCrl);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* Save the arena in the inner crl for CRL extensions support */
+    crl->crl.arena = arena;
+
+    /* decode the CRL info */
+    switch (type) {
+    case SEC_CRL_TYPE: 
+	rv = SEC_ASN1DecodeItem
+	     (arena, crl, cert_SignedCrlTemplate, derSignedCrl);
+	if (rv != SECSuccess)
+	    break;
+        /* check for critical extentions */
+	rv =  cert_check_crl_version (&crl->crl);
+	break;
+
+    case SEC_KRL_TYPE:
+	rv = SEC_ASN1DecodeItem
+	     (arena, crl, cert_SignedKrlTemplate, derSignedCrl);
+	break;
+    default:
+	rv = SECFailure;
+	break;
+    }
+
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    crl->referenceCount = 1;
+    
+    return(crl);
+    
+loser:
+
+    if ((narena == NULL) && arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(0);
+}
+
+/*
+ * Lookup a CRL in the databases. We mirror the same fast caching data base
+ *  caching stuff used by certificates....?
+ */
+CERTSignedCrl *
+SEC_FindCrlByKeyOnSlot(PK11SlotInfo *slot, SECItem *crlKey, int type)
+{
+    CERTSignedCrl *crl = NULL;
+    SECItem *derCrl;
+    CK_OBJECT_HANDLE crlHandle;
+    char *url = NULL;
+
+    if (slot) {
+	PK11_ReferenceSlot(slot);
+    }
+     
+    derCrl = PK11_FindCrlByName(&slot, &crlHandle, crlKey, type, &url);
+    if (derCrl == NULL) {
+	goto loser;
+    }
+    
+    crl = CERT_DecodeDERCrl(NULL, derCrl, type);
+    if (crl) {
+	crl->slot = slot;
+	slot = NULL; /* adopt it */
+    }
+    if (url) {
+	crl->url = PORT_ArenaStrdup(crl->arena,url);
+	PORT_Free(url);
+    }
+
+loser:
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    if (derCrl) {
+	SECITEM_FreeItem(derCrl,PR_TRUE);
+    }
+    return(crl);
+}
+
+SECStatus SEC_DestroyCrl(CERTSignedCrl *crl);
+
+CERTSignedCrl *
+crl_storeCRL (PK11SlotInfo *slot,char *url,
+                  CERTSignedCrl *newCrl, SECItem *derCrl, int type)
+{
+    CERTSignedCrl *oldCrl = NULL, *crl = NULL;
+    CK_OBJECT_HANDLE crlHandle;
+
+    oldCrl = SEC_FindCrlByKeyOnSlot(slot, &newCrl->crl.derName, type);
+
+
+
+    /* if there is an old crl, make sure the one we are installing
+     * is newer. If not, exit out, otherwise delete the old crl.
+     */
+    if (oldCrl != NULL) {
+	/* if it's already there, quietly continue */
+	if (SECITEM_CompareItem(newCrl->derCrl, oldCrl->derCrl) 
+						== SECEqual) {
+	    crl = newCrl;
+	    crl->slot = PK11_ReferenceSlot(slot);
+	    crl->pkcs11ID = oldCrl->pkcs11ID;
+	    goto done;
+	}
+        if (!SEC_CrlIsNewer(&newCrl->crl,&oldCrl->crl)) {
+
+            if (type == SEC_CRL_TYPE) {
+                PORT_SetError(SEC_ERROR_OLD_CRL);
+            } else {
+                PORT_SetError(SEC_ERROR_OLD_KRL);
+            }
+
+            goto done;
+        }
+
+        if ((SECITEM_CompareItem(&newCrl->crl.derName,
+                &oldCrl->crl.derName) != SECEqual) &&
+            (type == SEC_KRL_TYPE) ) {
+
+            PORT_SetError(SEC_ERROR_CKL_CONFLICT);
+            goto done;
+        }
+
+        /* if we have a url in the database, use that one */
+        if (oldCrl->url) {
+	    url = oldCrl->url;
+        }
+
+
+        /* really destroy this crl */
+        /* first drum it out of the permanment Data base */
+        SEC_DeletePermCRL(oldCrl);
+    }
+
+    /* Write the new entry into the data base */
+    crlHandle = PK11_PutCrl(slot, derCrl, &newCrl->crl.derName, url, type);
+    if (crlHandle != CK_INVALID_HANDLE) {
+	crl = newCrl;
+	crl->slot = PK11_ReferenceSlot(slot);
+	crl->pkcs11ID = crlHandle;
+	if (url) {
+	    crl->url = PORT_ArenaStrdup(crl->arena,url);
+	}
+    }
+
+done:
+    if (oldCrl) SEC_DestroyCrl(oldCrl);
+
+    return crl;
+}
+
+CERTSignedCrl *
+SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type)
+{
+	return SEC_FindCrlByKeyOnSlot(NULL,crlKey,type);
+}
+
+/*
+ *
+ * create a new CRL from DER material.
+ *
+ * The signature on this CRL must be checked before you
+ * load it. ???
+ */
+CERTSignedCrl *
+SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl, int type)
+{
+    CERTSignedCrl *newCrl = NULL, *crl = NULL;
+    PK11SlotInfo *slot;
+
+    /* make this decode dates! */
+    newCrl = CERT_DecodeDERCrl(NULL, derCrl, type);
+    if (newCrl == NULL) {
+        if (type == SEC_CRL_TYPE) {
+            PORT_SetError(SEC_ERROR_CRL_INVALID);
+        } else {
+            PORT_SetError(SEC_ERROR_KRL_INVALID);
+        }
+        goto done;
+    }
+
+    slot = PK11_GetInternalKeySlot();
+    crl = crl_storeCRL(slot, url, newCrl, derCrl, type);
+    PK11_FreeSlot(slot);
+
+
+done:
+    if (crl == NULL) {
+	if (newCrl) {
+	    PORT_FreeArena(newCrl->arena, PR_FALSE);
+	}
+    }
+
+    return crl;
+}
+
+
+CERTSignedCrl *
+SEC_FindCrlByDERCert(CERTCertDBHandle *handle, SECItem *derCrl, int type)
+{
+    PRArenaPool *arena;
+    SECItem crlKey;
+    SECStatus rv;
+    CERTSignedCrl *crl = NULL;
+    
+    /* create a scratch arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	return(NULL);
+    }
+    
+    /* extract the database key from the cert */
+    rv = CERT_KeyFromDERCrl(arena, derCrl, &crlKey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* find the crl */
+    crl = SEC_FindCrlByName(handle, &crlKey, type);
+    
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(crl);
+}
+
+
+SECStatus
+SEC_DestroyCrl(CERTSignedCrl *crl)
+{
+    if (crl) {
+	if (crl->referenceCount-- <= 1) {
+	    if (crl->slot) {
+		PK11_FreeSlot(crl->slot);
+	    }
+	    PORT_FreeArena(crl->arena, PR_FALSE);
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+SEC_LookupCrls(CERTCertDBHandle *handle, CERTCrlHeadNode **nodes, int type)
+{
+    CERTCrlHeadNode *head;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+
+    *nodes = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	return SECFailure;
+    }
+
+    /* build a head structure */
+    head = (CERTCrlHeadNode *)PORT_ArenaAlloc(arena, sizeof(CERTCrlHeadNode));
+    head->arena = arena;
+    head->first = NULL;
+    head->last = NULL;
+    head->dbhandle = handle;
+
+    /* Look up the proper crl types */
+    *nodes = head;
+
+    rv = PK11_LookupCrls(head, type, NULL);
+    
+    if (rv != SECSuccess) {
+	if ( arena ) {
+	    PORT_FreeArena(arena, PR_FALSE);
+	    *nodes = NULL;
+	}
+    }
+
+    return rv;
+}
+
+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_IssuerAndSNTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CrlTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SetOfSignedCrlTemplate)
+

mozilla/security/nss/lib/certdb/genname.h

@@ -0,0 +1,125 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _GENAME_H_
+#define _GENAME_H_
+
+#include "plarena.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "certt.h"
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+extern const SEC_ASN1Template CERT_GeneralNamesTemplate[];
+
+extern CERTGeneralName *
+cert_get_next_general_name(CERTGeneralName *current);
+
+extern CERTGeneralName *
+cert_get_prev_general_name(CERTGeneralName *current);
+
+extern SECItem *
+CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
+		       PRArenaPool *arena);
+
+extern SECItem **
+cert_EncodeGeneralNames(PRArenaPool *arena, CERTGeneralName *names);
+
+extern CERTGeneralName *
+CERT_DecodeGeneralName(PRArenaPool *arena, SECItem *encodedName,
+		       CERTGeneralName  *genName);
+
+extern CERTGeneralName *
+cert_DecodeGeneralNames(PRArenaPool *arena, SECItem **encodedGenName);
+
+extern SECStatus
+cert_DestroyGeneralNames(CERTGeneralName *name);
+
+extern SECStatus 
+cert_EncodeNameConstraints(CERTNameConstraints *constraints, PRArenaPool *arena,
+			   SECItem *dest);
+
+extern CERTNameConstraints *
+cert_DecodeNameConstraints(PRArenaPool *arena, SECItem *encodedConstraints);
+
+extern CERTGeneralName *
+cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2);
+
+extern CERTNameConstraint *
+cert_CombineConstraintsLists(CERTNameConstraint *list1, CERTNameConstraint *list2);
+
+SECStatus
+CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b);
+
+SECStatus
+CERT_CopyGeneralName(PRArenaPool      *arena, 
+		     CERTGeneralName  *dest, 
+		     CERTGeneralName  *src);
+
+/* General Name Lists are a thread safe, reference counting layer to 
+ * general names */
+
+void
+CERT_DestroyGeneralNameList(CERTGeneralNameList *list);
+
+CERTGeneralNameList *
+CERT_CreateGeneralNameList(CERTGeneralName *name);
+
+SECStatus
+CERT_CompareGeneralNameLists(CERTGeneralNameList *a, CERTGeneralNameList *b);
+
+void *
+CERT_GetGeneralNameFromListByType(CERTGeneralNameList *list,
+				  CERTGeneralNameType type,
+				  PRArenaPool *arena);
+
+void
+CERT_AddGeneralNameToList(CERTGeneralNameList *list, 
+			  CERTGeneralNameType type,
+			  void *data, SECItem *oid);
+
+
+CERTGeneralNameList *
+CERT_DupGeneralNameList(CERTGeneralNameList *list);
+
+
+int
+CERT_GetNamesLength(CERTGeneralName *names);
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif

mozilla/security/nss/lib/certdb/manifest.mn

@@ -0,0 +1,67 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	cert.h \
+	certt.h \
+	certdb.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	genname.h \
+	xconst.h \
+	certxutl.h \
+	$(NULL)
+
+MODULE = security
+
+CSRCS = \
+	alg1485.c \
+	certdb.c \
+	certv3.c \
+	certxutl.c \
+	crl.c \
+	genname.c \
+	stanpcertdb.c \
+	polcyxtn.c \
+	secname.c \
+	xauthkid.c \
+	xbsconst.c \
+	xconst.c \
+	$(NULL)
+
+REQUIRES = security dbm
+
+LIBRARY_NAME = certdb
+

mozilla/security/nss/lib/certdb/polcyxtn.c

@@ -0,0 +1,541 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Support for various policy related extensions
+ *
+ * $Id: polcyxtn.c,v 1.1 2000-03-31 19:42:44 relyea%netscape.com Exp $
+ */
+
+#include "seccomon.h"
+#include "secport.h"
+#include "secder.h"
+#include "cert.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "nspr.h"
+
+const SEC_ASN1Template CERT_NoticeReferenceTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTNoticeReference) },
+/* NOTE: this should be a choice */
+    { SEC_ASN1_IA5_STRING,
+	  offsetof(CERTNoticeReference, organization) },
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTNoticeReference, noticeNumbers),
+	  SEC_IntegerTemplate }, 
+    { 0 }
+};
+
+/* this template can not be encoded because of the option inline */
+const SEC_ASN1Template CERT_UserNoticeTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTUserNotice) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED,
+	  offsetof(CERTUserNotice, derNoticeReference) }, 
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
+	  offsetof(CERTUserNotice, displayText) }, 
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_PolicyQualifierTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTPolicyQualifier) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTPolicyQualifier, qualifierID) },
+    { SEC_ASN1_ANY,
+	  offsetof(CERTPolicyQualifier, qualifierValue) },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_PolicyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTPolicyInfo) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTPolicyInfo, policyID) },
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTPolicyInfo, policyQualifiers),
+	  CERT_PolicyQualifierTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_CertificatePoliciesTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCertificatePolicies, policyInfos),
+	  CERT_PolicyInfoTemplate, sizeof(CERTCertificatePolicies)  }
+};
+
+static void
+breakLines(char *string)
+{
+    char *tmpstr;
+    char *lastspace = NULL;
+    int curlen = 0;
+    int c;
+    
+    tmpstr = string;
+
+    while ( ( c = *tmpstr ) != '\0' ) {
+	switch ( c ) {
+	  case ' ':
+	    lastspace = tmpstr;
+	    break;
+	  case '\n':
+	    lastspace = NULL;
+	    curlen = 0;
+	    break;
+	}
+	
+	if ( ( curlen >= 55 ) && ( lastspace != NULL ) ) {
+	    *lastspace = '\n';
+	    curlen = ( tmpstr - lastspace );
+	    lastspace = NULL;
+	}
+	
+	curlen++;
+	tmpstr++;
+    }
+    
+    return;
+}
+
+CERTCertificatePolicies *
+CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    CERTCertificatePolicies *policies;
+    CERTPolicyInfo **policyInfos, *policyInfo;
+    CERTPolicyQualifier **policyQualifiers, *policyQualifier;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	goto loser;
+    }
+
+    /* allocate the certifiate policies structure */
+    policies = (CERTCertificatePolicies *)
+	PORT_ArenaZAlloc(arena, sizeof(CERTCertificatePolicies));
+    
+    if ( policies == NULL ) {
+	goto loser;
+    }
+    
+    policies->arena = arena;
+
+    /* decode the policy info */
+    rv = SEC_ASN1DecodeItem(arena, policies, CERT_CertificatePoliciesTemplate,
+			    extnValue);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* initialize the oid tags */
+    policyInfos = policies->policyInfos;
+    while (*policyInfos != NULL ) {
+	policyInfo = *policyInfos;
+	policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID);
+	policyQualifiers = policyInfo->policyQualifiers;
+	while ( *policyQualifiers != NULL ) {
+	    policyQualifier = *policyQualifiers;
+	    policyQualifier->oid =
+		SECOID_FindOIDTag(&policyQualifier->qualifierID);
+	    policyQualifiers++;
+	}
+	policyInfos++;
+    }
+
+    return(policies);
+    
+loser:
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+void
+CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies)
+{
+    if ( policies != NULL ) {
+	PORT_FreeArena(policies->arena, PR_FALSE);
+    }
+    return;
+}
+
+
+CERTUserNotice *
+CERT_DecodeUserNotice(SECItem *noticeItem)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    CERTUserNotice *userNotice;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	goto loser;
+    }
+
+    /* allocate the userNotice structure */
+    userNotice = (CERTUserNotice *)PORT_ArenaZAlloc(arena,
+						    sizeof(CERTUserNotice));
+    
+    if ( userNotice == NULL ) {
+	goto loser;
+    }
+    
+    userNotice->arena = arena;
+
+    /* decode the user notice */
+    rv = SEC_ASN1DecodeItem(arena, userNotice, CERT_UserNoticeTemplate, 
+			    noticeItem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    if (userNotice->derNoticeReference.data != NULL) {
+	/* sigh, the asn1 parser stripped the sequence encoding, re add it
+	 * before we decode.
+	 */
+	SECItem tmpbuf;
+	int	newBytes;
+
+	newBytes = SEC_ASN1LengthLength(userNotice->derNoticeReference.len)+1;
+	tmpbuf.len = newBytes + userNotice->derNoticeReference.len;
+	tmpbuf.data = PORT_ZAlloc(tmpbuf.len);
+	if (tmpbuf.data == NULL) {
+	    goto loser;
+	}
+	tmpbuf.data[0] = SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED;
+	SEC_ASN1EncodeLength(&tmpbuf.data[1],userNotice->derNoticeReference.len);
+	PORT_Memcpy(&tmpbuf.data[newBytes],userNotice->derNoticeReference.data,
+				userNotice->derNoticeReference.len);
+
+	/* OK, no decode it */
+    	rv = SEC_ASN1DecodeItem(arena, &userNotice->noticeReference, 
+	    CERT_NoticeReferenceTemplate, &tmpbuf);
+
+	PORT_Free(tmpbuf.data); tmpbuf.data = NULL;
+    	if ( rv != SECSuccess ) {
+	    goto loser;
+    	}
+    }
+
+    return(userNotice);
+    
+loser:
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+void
+CERT_DestroyUserNotice(CERTUserNotice *userNotice)
+{
+    if ( userNotice != NULL ) {
+	PORT_FreeArena(userNotice->arena, PR_FALSE);
+    }
+    return;
+}
+
+static CERTPolicyStringCallback policyStringCB = NULL;
+static void *policyStringCBArg = NULL;
+
+void
+CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg)
+{
+    policyStringCB = cb;
+    policyStringCBArg = cbarg;
+    return;
+}
+
+char *
+stringFromUserNotice(SECItem *noticeItem)
+{
+    SECItem *org;
+    unsigned int len, headerlen;
+    char *stringbuf;
+    CERTUserNotice *userNotice;
+    char *policystr;
+    char *retstr = NULL;
+    SECItem *displayText;
+    SECItem **noticeNumbers;
+    unsigned int strnum;
+    
+    /* decode the user notice */
+    userNotice = CERT_DecodeUserNotice(noticeItem);
+    if ( userNotice == NULL ) {
+	return(NULL);
+    }
+    
+    org = &userNotice->noticeReference.organization;
+    if ( (org->len != 0 ) && ( policyStringCB != NULL ) ) {
+	/* has a noticeReference */
+
+	/* extract the org string */
+	len = org->len;
+	stringbuf = (char*)PORT_Alloc(len + 1);
+	if ( stringbuf != NULL ) {
+	    PORT_Memcpy(stringbuf, org->data, len);
+	    stringbuf[len] = '\0';
+
+	    noticeNumbers = userNotice->noticeReference.noticeNumbers;
+	    while ( *noticeNumbers != NULL ) {
+		/* XXX - only one byte integers right now*/
+		strnum = (*noticeNumbers)->data[0];
+		policystr = (* policyStringCB)(stringbuf,
+					       strnum,
+					       policyStringCBArg);
+		if ( policystr != NULL ) {
+		    if ( retstr != NULL ) {
+			retstr = PR_sprintf_append(retstr, "\n%s", policystr);
+		    } else {
+			retstr = PR_sprintf_append(retstr, "%s", policystr);
+		    }
+
+		    PORT_Free(policystr);
+		}
+		
+		noticeNumbers++;
+	    }
+
+	    PORT_Free(stringbuf);
+	}
+    }
+
+    if ( retstr == NULL ) {
+	if ( userNotice->displayText.len != 0 ) {
+	    displayText = &userNotice->displayText;
+
+	    if ( displayText->len > 2 ) {
+		if ( displayText->data[0] == SEC_ASN1_VISIBLE_STRING ) {
+		    headerlen = 2;
+		    if ( displayText->data[1] & 0x80 ) {
+			/* multibyte length */
+			headerlen += ( displayText->data[1] & 0x7f );
+		    }
+
+		    len = displayText->len - headerlen;
+		    retstr = (char*)PORT_Alloc(len + 1);
+		    if ( retstr != NULL ) {
+			PORT_Memcpy(retstr, &displayText->data[headerlen],len);
+			retstr[len] = '\0';
+		    }
+		}
+	    }
+	}
+    }
+    
+    CERT_DestroyUserNotice(userNotice);
+    
+    return(retstr);
+}
+
+char *
+CERT_GetCertCommentString(CERTCertificate *cert)
+{
+    char *retstring = NULL;
+    SECStatus rv;
+    SECItem policyItem;
+    CERTCertificatePolicies *policies = NULL;
+    CERTPolicyInfo **policyInfos;
+    CERTPolicyQualifier **policyQualifiers, *qualifier;
+
+    policyItem.data = NULL;
+    
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_CERTIFICATE_POLICIES,
+				&policyItem);
+    if ( rv != SECSuccess ) {
+	goto nopolicy;
+    }
+
+    policies = CERT_DecodeCertificatePoliciesExtension(&policyItem);
+    if ( policies == NULL ) {
+	goto nopolicy;
+    }
+
+    policyInfos = policies->policyInfos;
+    /* search through policyInfos looking for the verisign policy */
+    while (*policyInfos != NULL ) {
+	if ( (*policyInfos)->oid == SEC_OID_VERISIGN_USER_NOTICES ) {
+	    policyQualifiers = (*policyInfos)->policyQualifiers;
+	    /* search through the policy qualifiers looking for user notice */
+	    while ( *policyQualifiers != NULL ) {
+		qualifier = *policyQualifiers;
+		if ( qualifier->oid == SEC_OID_PKIX_USER_NOTICE_QUALIFIER ) {
+		    retstring =
+			stringFromUserNotice(&qualifier->qualifierValue);
+		    break;
+		}
+
+		policyQualifiers++;
+	    }
+	    break;
+	}
+	policyInfos++;
+    }
+
+nopolicy:
+    if ( policyItem.data != NULL ) {
+	PORT_Free(policyItem.data);
+    }
+
+    if ( policies != NULL ) {
+	CERT_DestroyCertificatePoliciesExtension(policies);
+    }
+    
+    if ( retstring == NULL ) {
+	retstring = CERT_FindNSStringExtension(cert,
+					       SEC_OID_NS_CERT_EXT_COMMENT);
+    }
+    
+    if ( retstring != NULL ) {
+	breakLines(retstring);
+    }
+    
+    return(retstring);
+}
+
+
+const SEC_ASN1Template CERT_OidSeqTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTOidSequence, oids),
+	  SEC_ObjectIDTemplate }
+};
+
+CERTOidSequence *
+CERT_DecodeOidSequence(SECItem *seqItem)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    CERTOidSequence *oidSeq;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	goto loser;
+    }
+
+    /* allocate the userNotice structure */
+    oidSeq = (CERTOidSequence *)PORT_ArenaZAlloc(arena,
+						 sizeof(CERTOidSequence));
+    
+    if ( oidSeq == NULL ) {
+	goto loser;
+    }
+    
+    oidSeq->arena = arena;
+
+    /* decode the user notice */
+    rv = SEC_ASN1DecodeItem(arena, oidSeq, CERT_OidSeqTemplate, seqItem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    return(oidSeq);
+    
+loser:
+    return(NULL);
+}
+
+
+void
+CERT_DestroyOidSequence(CERTOidSequence *oidSeq)
+{
+    if ( oidSeq != NULL ) {
+	PORT_FreeArena(oidSeq->arena, PR_FALSE);
+    }
+    return;
+}
+
+PRBool
+CERT_GovtApprovedBitSet(CERTCertificate *cert)
+{
+    SECStatus rv;
+    SECItem extItem;
+    CERTOidSequence *oidSeq = NULL;
+    PRBool ret;
+    SECItem **oids;
+    SECItem *oid;
+    SECOidTag oidTag;
+    
+    extItem.data = NULL;
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    oidSeq = CERT_DecodeOidSequence(&extItem);
+    if ( oidSeq == NULL ) {
+	goto loser;
+    }
+
+    oids = oidSeq->oids;
+    while ( oids != NULL && *oids != NULL ) {
+	oid = *oids;
+	
+	oidTag = SECOID_FindOIDTag(oid);
+	
+	if ( oidTag == SEC_OID_NS_KEY_USAGE_GOVT_APPROVED ) {
+	    goto success;
+	}
+	
+	oids++;
+    }
+
+loser:
+    ret = PR_FALSE;
+    goto done;
+success:
+    ret = PR_TRUE;
+done:
+    if ( oidSeq != NULL ) {
+	CERT_DestroyOidSequence(oidSeq);
+    }
+    if (extItem.data != NULL) {
+	PORT_Free(extItem.data);
+    }
+    return(ret);
+}

mozilla/security/nss/lib/certdb/secname.c

@@ -0,0 +1,641 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "cert.h"
+#include "secoid.h"
+#include "secder.h"	/* XXX remove this when remove the DERTemplates */
+#include "secasn1.h"
+#include "secitem.h"
+#include <stdarg.h>
+#include "secerr.h"
+
+static const SEC_ASN1Template cert_AVATemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTAVA) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTAVA,type), },
+    { SEC_ASN1_ANY,
+	  offsetof(CERTAVA,value), },
+    { 0, }
+};
+
+const SEC_ASN1Template CERT_RDNTemplate[] = {
+    { SEC_ASN1_SET_OF,
+	  offsetof(CERTRDN,avas), cert_AVATemplate, sizeof(CERTRDN) }
+};
+
+
+static int
+CountArray(void **array)
+{
+    int count = 0;
+    if (array) {
+	while (*array++) {
+	    count++;
+	}
+    }
+    return count;
+}
+
+static void
+**AddToArray(PRArenaPool *arena, void **array, void *element)
+{
+    unsigned count;
+    void **ap;
+
+    /* Count up number of slots already in use in the array */
+    count = 0;
+    ap = array;
+    if (ap) {
+	while (*ap++) {
+	    count++;
+	}
+    }
+
+    if (array) {
+	array = (void**) PORT_ArenaGrow(arena, array,
+					(count + 1) * sizeof(void *),
+					(count + 2) * sizeof(void *));
+    } else {
+	array = (void**) PORT_ArenaAlloc(arena, (count + 2) * sizeof(void *));
+    }
+    if (array) {
+	array[count] = element;
+	array[count+1] = 0;
+    }
+    return array;
+}
+
+#if 0
+static void
+**RemoveFromArray(void **array, void *element)
+{
+    unsigned count;
+    void **ap;
+    int slot;
+
+    /* Look for element */
+    ap = array;
+    if (ap) {
+	count = 1;			/* count the null at the end */
+	slot = -1;
+	for (; *ap; ap++, count++) {
+	    if (*ap == element) {
+		/* Found it */
+		slot = ap - array;
+	    }
+	}
+	if (slot >= 0) {
+	    /* Found it. Squish array down */
+	    PORT_Memmove((void*) (array + slot), (void*) (array + slot + 1),
+		       (count - slot - 1) * sizeof(void*));
+	    /* Don't bother reallocing the memory */
+	}
+    }
+    return array;
+}
+#endif /* 0 */
+
+SECOidTag
+CERT_GetAVATag(CERTAVA *ava)
+{
+    SECOidData *oid;
+    if (!ava->type.data) return (SECOidTag)-1;
+
+    oid = SECOID_FindOID(&ava->type);
+    
+    if ( oid ) {
+	return(oid->offset);
+    }
+    return (SECOidTag)-1;
+}
+
+static SECStatus
+SetupAVAType(PRArenaPool *arena, SECOidTag type, SECItem *it, unsigned *maxLenp)
+{
+    unsigned char *oid;
+    unsigned oidLen;
+    unsigned char *cp;
+    unsigned maxLen;
+    SECOidData *oidrec;
+
+    oidrec = SECOID_FindOIDByTag(type);
+    if (oidrec == NULL)
+	return SECFailure;
+
+    oid = oidrec->oid.data;
+    oidLen = oidrec->oid.len;
+
+    switch (type) {
+      case SEC_OID_AVA_COUNTRY_NAME:
+	maxLen = 2;
+	break;
+      case SEC_OID_AVA_ORGANIZATION_NAME:
+	maxLen = 64;
+	break;
+      case SEC_OID_AVA_COMMON_NAME:
+	maxLen = 64;
+	break;
+      case SEC_OID_AVA_LOCALITY:
+	maxLen = 128;
+	break;
+      case SEC_OID_AVA_STATE_OR_PROVINCE:
+	maxLen = 128;
+	break;
+      case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
+	maxLen = 64;
+	break;
+      case SEC_OID_AVA_DC:
+	maxLen = 128;
+	break;
+      case SEC_OID_AVA_DN_QUALIFIER:
+	maxLen = 0x7fff;
+	break;
+      case SEC_OID_PKCS9_EMAIL_ADDRESS:
+	maxLen = 128;
+	break;
+      case SEC_OID_RFC1274_UID:
+	maxLen = 256;  /* RFC 1274 specifies 256 */
+	break;
+      case SEC_OID_RFC1274_MAIL:
+	maxLen = 256;  /* RFC 1274 specifies 256 */
+	break; 
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    it->data = cp = (unsigned char*) PORT_ArenaAlloc(arena, oidLen);
+    if (cp == NULL) {
+	return SECFailure;
+    }
+    it->len = oidLen;
+    PORT_Memcpy(cp, oid, oidLen);
+    *maxLenp = maxLen;
+    return SECSuccess;
+}
+
+static SECStatus
+SetupAVAValue(PRArenaPool *arena, int valueType, char *value, SECItem *it,
+	      unsigned maxLen)
+{
+    unsigned valueLen, valueLenLen, total;
+    unsigned ucs4Len = 0, ucs4MaxLen;
+    unsigned char *cp, *ucs4Val;
+
+    switch (valueType) {
+      case SEC_ASN1_PRINTABLE_STRING:
+      case SEC_ASN1_IA5_STRING:
+      case SEC_ASN1_T61_STRING:
+	valueLen = PORT_Strlen(value);
+	break;
+      case SEC_ASN1_UNIVERSAL_STRING:
+	valueLen = PORT_Strlen(value);
+	ucs4Val = (unsigned char *)PORT_ArenaZAlloc(arena, 
+						    PORT_Strlen(value) * 6);
+	ucs4MaxLen = PORT_Strlen(value) * 6;
+	if(!ucs4Val || !PORT_UCS4_UTF8Conversion(PR_TRUE, (unsigned char *)value, valueLen,
+					ucs4Val, ucs4MaxLen, &ucs4Len)) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+	value = (char *)ucs4Val;
+	valueLen = ucs4Len;
+	break;
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if (((valueType != SEC_ASN1_UNIVERSAL_STRING) && (valueLen > maxLen)) ||
+      ((valueType == SEC_ASN1_UNIVERSAL_STRING) && (valueLen > (maxLen * 4)))) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    } 
+
+    valueLenLen = DER_LengthLength(valueLen);
+    total = 1 + valueLenLen + valueLen;
+    it->data = cp = (unsigned char*) PORT_ArenaAlloc(arena, total);
+    if (!cp) {
+	return SECFailure;
+    }
+    it->len = total;
+    cp = (unsigned char*) DER_StoreHeader(cp, valueType, valueLen);
+    PORT_Memcpy(cp, value, valueLen);
+    return SECSuccess;
+}
+
+CERTAVA *
+CERT_CreateAVA(PRArenaPool *arena, SECOidTag kind, int valueType, char *value)
+{
+    CERTAVA *ava;
+    int rv;
+    unsigned maxLen;
+
+    ava = (CERTAVA*) PORT_ArenaZAlloc(arena, sizeof(CERTAVA));
+    if (ava) {
+	rv = SetupAVAType(arena, kind, &ava->type, &maxLen);
+	if (rv) {
+	    /* Illegal AVA type */
+	    return 0;
+	}
+	rv = SetupAVAValue(arena, valueType, value, &ava->value, maxLen);
+	if (rv) {
+	    /* Illegal value type */
+	    return 0;
+	}
+    }
+    return ava;
+}
+
+CERTAVA *
+CERT_CopyAVA(PRArenaPool *arena, CERTAVA *from)
+{
+    CERTAVA *ava;
+    int rv;
+
+    ava = (CERTAVA*) PORT_ArenaZAlloc(arena, sizeof(CERTAVA));
+    if (ava) {
+	rv = SECITEM_CopyItem(arena, &ava->type, &from->type);
+	if (rv) goto loser;
+	rv = SECITEM_CopyItem(arena, &ava->value, &from->value);
+	if (rv) goto loser;
+    }
+    return ava;
+
+  loser:
+    return 0;
+}
+
+/************************************************************************/
+/* XXX This template needs to go away in favor of the new SEC_ASN1 version. */
+static const SEC_ASN1Template cert_RDNTemplate[] = {
+    { SEC_ASN1_SET_OF,
+	  offsetof(CERTRDN,avas), cert_AVATemplate, sizeof(CERTRDN) }
+};
+
+
+CERTRDN *
+CERT_CreateRDN(PRArenaPool *arena, CERTAVA *ava0, ...)
+{
+    CERTAVA *ava;
+    CERTRDN *rdn;
+    va_list ap;
+    unsigned count;
+    CERTAVA **avap;
+
+    rdn = (CERTRDN*) PORT_ArenaAlloc(arena, sizeof(CERTRDN));
+    if (rdn) {
+	/* Count number of avas going into the rdn */
+	count = 1;
+	va_start(ap, ava0);
+	while ((ava = va_arg(ap, CERTAVA*)) != 0) {
+	    count++;
+	}
+	va_end(ap);
+
+	/* Now fill in the pointers */
+	rdn->avas = avap =
+	    (CERTAVA**) PORT_ArenaAlloc( arena, (count + 1)*sizeof(CERTAVA*));
+	if (!avap) {
+	    return 0;
+	}
+	*avap++ = ava0;
+	va_start(ap, ava0);
+	while ((ava = va_arg(ap, CERTAVA*)) != 0) {
+	    *avap++ = ava;
+	}
+	va_end(ap);
+	*avap++ = 0;
+    }
+    return rdn;
+}
+
+SECStatus
+CERT_AddAVA(PRArenaPool *arena, CERTRDN *rdn, CERTAVA *ava)
+{
+    rdn->avas = (CERTAVA**) AddToArray(arena, (void**) rdn->avas, ava);
+    return rdn->avas ? SECSuccess : SECFailure;
+}
+
+SECStatus
+CERT_CopyRDN(PRArenaPool *arena, CERTRDN *to, CERTRDN *from)
+{
+    CERTAVA **avas, *fava, *tava;
+    SECStatus rv;
+
+    /* Copy each ava from from */
+    avas = from->avas;
+    while ((fava = *avas++) != 0) {
+	tava = CERT_CopyAVA(arena, fava);
+	if (!tava) return SECFailure;
+	rv = CERT_AddAVA(arena, to, tava);
+	if (rv) return rv;
+    }
+    return SECSuccess;
+}
+
+/************************************************************************/
+
+const SEC_ASN1Template CERT_NameTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTName,rdns), CERT_RDNTemplate, sizeof(CERTName) }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_NameTemplate)
+
+CERTName *
+CERT_CreateName(CERTRDN *rdn0, ...)
+{
+    CERTRDN *rdn;
+    CERTName *name;
+    va_list ap;
+    unsigned count;
+    CERTRDN **rdnp;
+    PRArenaPool *arena;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+	return(0);
+    }
+    
+    name = (CERTName*) PORT_ArenaAlloc(arena, sizeof(CERTName));
+    if (name) {
+	name->arena = arena;
+	
+	/* Count number of RDNs going into the Name */
+	if (!rdn0) {
+	    count = 0;
+	} else {
+	    count = 1;
+	    va_start(ap, rdn0);
+	    while ((rdn = va_arg(ap, CERTRDN*)) != 0) {
+		count++;
+	    }
+	    va_end(ap);
+	}
+
+	/* Allocate space (including space for terminal null ptr) */
+	name->rdns = rdnp =
+	    (CERTRDN**) PORT_ArenaAlloc(arena, (count + 1) * sizeof(CERTRDN*));
+	if (!name->rdns) {
+	    goto loser;
+	}
+
+	/* Now fill in the pointers */
+	if (count > 0) {
+	    *rdnp++ = rdn0;
+	    va_start(ap, rdn0);
+	    while ((rdn = va_arg(ap, CERTRDN*)) != 0) {
+		*rdnp++ = rdn;
+	    }
+	    va_end(ap);
+	}
+
+	/* null terminate the list */
+	*rdnp++ = 0;
+    }
+    return name;
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(0);
+}
+
+void
+CERT_DestroyName(CERTName *name)
+{
+    if (name)
+    {
+        PRArenaPool *arena = name->arena;
+        name->rdns = NULL;
+	name->arena = NULL;
+	if (arena) PORT_FreeArena(arena, PR_FALSE);
+    }
+}
+
+SECStatus
+CERT_AddRDN(CERTName *name, CERTRDN *rdn)
+{
+    name->rdns = (CERTRDN**) AddToArray(name->arena, (void**) name->rdns, rdn);
+    return name->rdns ? SECSuccess : SECFailure;
+}
+
+SECStatus
+CERT_CopyName(PRArenaPool *arena, CERTName *to, CERTName *from)
+{
+    CERTRDN **rdns, *frdn, *trdn;
+    SECStatus rv;
+
+    CERT_DestroyName(to);
+    to->arena = arena;
+
+    /* Copy each rdn from from */
+    rdns = from->rdns;
+    while ((frdn = *rdns++) != 0) {
+	trdn = CERT_CreateRDN(arena, 0);
+	if ( trdn == NULL ) {
+	    return(SECFailure);
+	}
+	rv = CERT_CopyRDN(arena, trdn, frdn);
+	if (rv) return rv;
+	rv = CERT_AddRDN(to, trdn);
+	if (rv) return rv;
+    }
+    return SECSuccess;
+}
+
+/************************************************************************/
+
+SECComparison
+CERT_CompareAVA(CERTAVA *a, CERTAVA *b)
+{
+    SECComparison rv;
+
+    rv = SECITEM_CompareItem(&a->type, &b->type);
+    if (rv) {
+	/*
+	** XXX for now we are going to just assume that a bitwise
+	** comparison of the value codes will do the trick.
+	*/
+    }
+    rv = SECITEM_CompareItem(&a->value, &b->value);
+    return rv;
+}
+
+SECComparison
+CERT_CompareRDN(CERTRDN *a, CERTRDN *b)
+{
+    CERTAVA **aavas, *aava;
+    CERTAVA **bavas, *bava;
+    int ac, bc;
+    SECComparison rv = SECEqual;
+
+    aavas = a->avas;
+    bavas = b->avas;
+
+    /*
+    ** Make sure array of ava's are the same length. If not, then we are
+    ** not equal
+    */
+    ac = CountArray((void**) aavas);
+    bc = CountArray((void**) bavas);
+    if (ac < bc) return SECLessThan;
+    if (ac > bc) return SECGreaterThan;
+
+    for (;;) {
+	aava = *aavas++;
+	bava = *bavas++;
+	if (!aava) {
+	    break;
+	}
+	rv = CERT_CompareAVA(aava, bava);
+	if (rv) return rv;
+    }
+    return rv;
+}
+
+SECComparison
+CERT_CompareName(CERTName *a, CERTName *b)
+{
+    CERTRDN **ardns, *ardn;
+    CERTRDN **brdns, *brdn;
+    int ac, bc;
+    SECComparison rv = SECEqual;
+
+    ardns = a->rdns;
+    brdns = b->rdns;
+
+    /*
+    ** Make sure array of rdn's are the same length. If not, then we are
+    ** not equal
+    */
+    ac = CountArray((void**) ardns);
+    bc = CountArray((void**) brdns);
+    if (ac < bc) return SECLessThan;
+    if (ac > bc) return SECGreaterThan;
+
+    for (;;) {
+	ardn = *ardns++;
+	brdn = *brdns++;
+	if (!ardn) {
+	    break;
+	}
+	rv = CERT_CompareRDN(ardn, brdn);
+	if (rv) return rv;
+    }
+    return rv;
+}
+
+/* Moved from certhtml.c */
+SECItem *
+CERT_DecodeAVAValue(SECItem *derAVAValue)
+{
+          SECItem          *retItem; 
+    const SEC_ASN1Template *theTemplate       = NULL;
+          PRBool            convertUCS4toUTF8 = PR_FALSE;
+          PRBool            convertUCS2toUTF8 = PR_FALSE;
+          SECItem           avaValue          = {siBuffer, 0}; 
+
+    if(!derAVAValue) {
+	return NULL;
+    }
+
+    switch(derAVAValue->data[0]) {
+	case SEC_ASN1_UNIVERSAL_STRING:
+	    convertUCS4toUTF8 = PR_TRUE;
+	    theTemplate = SEC_UniversalStringTemplate;
+	    break;
+	case SEC_ASN1_IA5_STRING:
+	    theTemplate = SEC_IA5StringTemplate;
+	    break;
+	case SEC_ASN1_PRINTABLE_STRING:
+	    theTemplate = SEC_PrintableStringTemplate;
+	    break;
+	case SEC_ASN1_T61_STRING:
+	    theTemplate = SEC_T61StringTemplate;
+	    break;
+	case SEC_ASN1_BMP_STRING:
+	    convertUCS2toUTF8 = PR_TRUE;
+	    theTemplate = SEC_BMPStringTemplate;
+	    break;
+	case SEC_ASN1_UTF8_STRING:
+	    /* No conversion needed ! */
+	    theTemplate = SEC_UTF8StringTemplate;
+	    break;
+	default:
+	    return NULL;
+    }
+
+    PORT_Memset(&avaValue, 0, sizeof(SECItem));
+    if(SEC_ASN1DecodeItem(NULL, &avaValue, theTemplate, derAVAValue) 
+				!= SECSuccess) {
+	return NULL;
+    }
+
+    if (convertUCS4toUTF8) {
+	unsigned int   utf8ValLen = avaValue.len * 3;
+	unsigned char *utf8Val    = (unsigned char*)PORT_ZAlloc(utf8ValLen);
+
+	if(!PORT_UCS4_UTF8Conversion(PR_FALSE, avaValue.data, avaValue.len,
+				     utf8Val, utf8ValLen, &utf8ValLen)) {
+	    PORT_Free(utf8Val);
+	    PORT_Free(avaValue.data);
+	    return NULL;
+	}
+
+	PORT_Free(avaValue.data);
+	avaValue.data = utf8Val;
+	avaValue.len = utf8ValLen;
+
+    } else if (convertUCS2toUTF8) {
+
+	unsigned int   utf8ValLen = avaValue.len * 3;
+	unsigned char *utf8Val    = (unsigned char*)PORT_ZAlloc(utf8ValLen);
+
+	if(!PORT_UCS2_UTF8Conversion(PR_FALSE, avaValue.data, avaValue.len,
+				     utf8Val, utf8ValLen, &utf8ValLen)) {
+	    PORT_Free(utf8Val);
+	    PORT_Free(avaValue.data);
+	    return NULL;
+	}
+
+	PORT_Free(avaValue.data);
+	avaValue.data = utf8Val;
+	avaValue.len = utf8ValLen;
+    }
+
+    retItem = SECITEM_DupItem(&avaValue);
+    PORT_Free(avaValue.data);
+    return retItem;
+}

mozilla/security/nss/lib/certdb/stanpcertdb.c

@@ -0,0 +1,891 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "prtime.h"
+
+#include "cert.h"
+#include "mcom_db.h"
+#include "certdb.h"
+#include "secitem.h"
+#include "secder.h"
+
+/* Call to PK11_FreeSlot below */
+
+#include "secasn1.h"
+#include "secerr.h"
+#include "nssilock.h"
+#include "prmon.h"
+#include "nsslocks.h"
+#include "base64.h"
+#include "sechash.h"
+#include "plhash.h"
+#include "pk11func.h" /* sigh */
+
+#ifndef NSS_3_4_CODE
+#define NSS_3_4_CODE
+#endif /* NSS_3_4_CODE */
+#include "nsspki.h"
+#include "pki.h"
+#include "pkim.h"
+#include "pki3hack.h"
+#include "ckhelper.h"
+#include "base.h"
+#include "pkistore.h"
+#include "dev3hack.h"
+#include "dev.h"
+
+PRBool
+SEC_CertNicknameConflict(char *nickname, SECItem *derSubject,
+			 CERTCertDBHandle *handle)
+{
+    CERTCertificate *cert;
+    PRBool conflict = PR_FALSE;
+
+    cert=CERT_FindCertByNickname(handle, nickname);
+
+    if (!cert) {
+	return conflict;
+    }
+
+    conflict = !SECITEM_ItemsAreEqual(derSubject,&cert->derSubject);
+    CERT_DestroyCertificate(cert);
+    return conflict;
+}
+
+SECStatus
+SEC_DeletePermCertificate(CERTCertificate *cert)
+{
+    PRStatus nssrv;
+    NSSCertificate *c = STAN_GetNSSCertificate(cert);
+    nssrv = NSSCertificate_DeleteStoredObject(c, NULL);
+    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
+}
+
+SECStatus
+CERT_GetCertTrust(CERTCertificate *cert, CERTCertTrust *trust)
+{
+    SECStatus rv;
+    CERT_LockCertTrust(cert);
+    if ( cert->trust == NULL ) {
+	rv = SECFailure;
+    } else {
+	*trust = *cert->trust;
+	rv = SECSuccess;
+    }
+    CERT_UnlockCertTrust(cert);
+    return(rv);
+}
+
+#ifdef notdef
+static char *
+cert_parseNickname(char *nickname)
+{
+    char *cp;
+    for (cp=nickname; *cp && *cp != ':'; cp++);
+    if (*cp == ':') return cp+1;
+    return nickname;
+}
+#endif
+
+SECStatus
+CERT_ChangeCertTrust(CERTCertDBHandle *handle, CERTCertificate *cert,
+		    CERTCertTrust *trust)
+{
+    SECStatus rv = SECFailure;
+    PRStatus ret;
+
+    CERT_LockCertTrust(cert);
+    ret = STAN_ChangeCertTrust(cert, trust);
+    rv = (ret == PR_SUCCESS) ? SECSuccess : SECFailure;
+    CERT_UnlockCertTrust(cert);
+    return rv;
+}
+
+SECStatus
+__CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
+		       CERTCertTrust *trust)
+{
+    PRStatus nssrv;
+    PK11SlotInfo *slot;
+    NSSToken *internal;
+    NSSCryptoContext *context;
+    NSSCertificate *c = STAN_GetNSSCertificate(cert);
+    context = c->object.cryptoContext;
+    if (!context) {
+	return PR_FAILURE; /* wasn't a temp cert */
+    }
+    if (c->nickname && strcmp(nickname, c->nickname) != 0) {
+	nss_ZFreeIf(c->nickname);
+	PORT_Free(cert->nickname);
+	c->nickname = NULL;
+    }
+    if (!c->nickname) {
+	c->nickname = nssUTF8_Duplicate((NSSUTF8 *)nickname, c->object.arena);
+	cert->nickname = PORT_Strdup(nickname);
+    }
+    /* Delete the temp instance */
+    nssCertificateStore_Remove(context->certStore, c);
+    c->object.cryptoContext = NULL;
+    /* the perm instance will assume the reference */
+    nssList_Clear(c->object.instanceList, NULL);
+    /* Import the perm instance onto the internal token */
+    slot = PK11_GetInternalKeySlot();
+    internal = PK11Slot_GetNSSToken(slot);
+    nssrv = nssToken_ImportCertificate(internal, NULL, c, PR_TRUE);
+    if (nssrv != PR_SUCCESS) {
+	return SECFailure;
+    }
+    /* reset the CERTCertificate fields */
+    cert->nssCertificate = NULL;
+    cert = STAN_GetCERTCertificate(c); /* will return same pointer */
+    cert->istemp = PR_FALSE;
+    cert->isperm = PR_TRUE;
+    return (STAN_ChangeCertTrust(cert, trust) == PR_SUCCESS) ? 
+							SECSuccess: SECFailure;
+}
+
+SECStatus
+CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
+		       CERTCertTrust *trust)
+{
+    return __CERT_AddTempCertToPerm(cert, nickname, trust);
+}
+
+CERTCertificate *
+__CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
+			  char *nickname, PRBool isperm, PRBool copyDER)
+{
+    PRStatus nssrv;
+    NSSCertificate *c;
+    NSSCryptoContext *context;
+    NSSArena *arena;
+    CERTCertificate *cc;
+    NSSCertificate *tempCert;
+    NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext();
+    if (!isperm) {
+	NSSDER encoding;
+	NSSITEM_FROM_SECITEM(&encoding, derCert);
+	/* First, see if it is already a temp cert */
+	c = NSSCryptoContext_FindCertificateByEncodedCertificate(gCC, 
+	                                                       &encoding);
+	if (!c) {
+	    /* Then, see if it is already a perm cert */
+	    c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, 
+	                                                           &encoding);
+	}
+	if (c) {
+	    return STAN_GetCERTCertificate(c);
+	}
+    }
+    arena = NSSArena_Create();
+    if (!arena) {
+	return NULL;
+    }
+    c = nss_ZNEW(arena, NSSCertificate);
+    if (!c) {
+	nssArena_Destroy(arena);
+	return NULL;
+    }
+    NSSITEM_FROM_SECITEM(&c->encoding, derCert);
+    nssrv = nssPKIObject_Initialize(&c->object, arena, NULL, NULL);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    /* Forces a decoding of the cert in order to obtain the parts used
+     * below
+     */
+    cc = STAN_GetCERTCertificate(c);
+    nssItem_Create(arena, 
+                   &c->issuer, cc->derIssuer.len, cc->derIssuer.data);
+    nssItem_Create(arena, 
+                   &c->subject, cc->derSubject.len, cc->derSubject.data);
+    if (PR_TRUE) {
+	/* CERTCertificate stores serial numbers decoded.  I need the DER
+	* here.  sigh.
+	*/
+	SECItem derSerial = { 0 };
+	CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
+	if (!derSerial.data) goto loser;
+	nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data);
+	PORT_Free(derSerial.data);
+    }
+    if (nickname) {
+	c->nickname = nssUTF8_Create(arena, 
+                                     nssStringType_UTF8String, 
+                                     (NSSUTF8 *)nickname, 
+                                     PORT_Strlen(nickname));
+    }
+    if (cc->emailAddr) {
+	c->email = nssUTF8_Create(arena, 
+	                          nssStringType_PrintableString, 
+	                          (NSSUTF8 *)cc->emailAddr, 
+	                          PORT_Strlen(cc->emailAddr));
+    }
+    context = STAN_GetDefaultCryptoContext();
+    /* this function cannot detect if the cert exists as a temp cert now, but
+     * didn't when CERT_NewTemp was first called.
+     */
+    nssrv = NSSCryptoContext_ImportCertificate(context, c);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    /* so find the entry in the temp store */
+    tempCert = NSSCryptoContext_FindCertificateByIssuerAndSerialNumber(context,
+                                                                   &c->issuer,
+                                                                   &c->serial);
+    /* destroy the copy */
+    NSSCertificate_Destroy(c);
+    if (tempCert) {
+	/* and use the "official" entry */
+	c = tempCert;
+	cc = STAN_GetCERTCertificate(c);
+    } else {
+	return NULL;
+    }
+    c->object.trustDomain = STAN_GetDefaultTrustDomain();
+    cc->istemp = PR_TRUE;
+    cc->isperm = PR_FALSE;
+    return cc;
+loser:
+    nssPKIObject_Destroy(&c->object);
+    return NULL;
+}
+
+CERTCertificate *
+CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
+			char *nickname, PRBool isperm, PRBool copyDER)
+{
+    return( __CERT_NewTempCertificate(handle, derCert, nickname,
+                                      isperm, copyDER) );
+}
+
+/* maybe all the wincx's should be some const for internal token login? */
+CERTCertificate *
+CERT_FindCertByIssuerAndSN(CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN)
+{
+    PK11SlotInfo *slot;
+    CERTCertificate *cert;
+
+    cert = PK11_FindCertByIssuerAndSN(&slot,issuerAndSN,NULL);
+    if (cert && slot) {
+        PK11_FreeSlot(slot);
+    }
+
+    return cert;
+}
+
+static NSSCertificate *
+get_best_temp_or_perm(NSSCertificate *ct, NSSCertificate *cp)
+{
+    nssBestCertificateCB best;
+    NSSUsage usage;
+    usage.anyUsage = PR_TRUE;
+    nssBestCertificate_SetArgs(&best, NULL, &usage, NULL);
+    if (ct) {
+	nssBestCertificate_Callback(ct, (void *)&best);
+    }
+    if (cp) {
+	nssBestCertificate_Callback(cp, (void *)&best);
+    }
+    return best.cert;
+}
+
+CERTCertificate *
+CERT_FindCertByName(CERTCertDBHandle *handle, SECItem *name)
+{
+    NSSCertificate *cp, *ct, *c;
+    NSSDER subject;
+    NSSUsage usage;
+    NSSCryptoContext *cc;
+    NSSITEM_FROM_SECITEM(&subject, name);
+    usage.anyUsage = PR_TRUE;
+    cc = STAN_GetDefaultCryptoContext();
+    ct = NSSCryptoContext_FindBestCertificateBySubject(cc, &subject, 
+                                                       NULL, &usage, NULL);
+    cp = NSSTrustDomain_FindBestCertificateBySubject(handle, &subject, 
+                                                     NULL, &usage, NULL);
+    c = get_best_temp_or_perm(ct, cp);
+    if (ct) {
+	CERTCertificate *cert = STAN_GetCERTCertificate(ct);
+	CERT_DestroyCertificate(cert);
+    }
+    if (cp) {
+	CERTCertificate *cert = STAN_GetCERTCertificate(cp);
+	CERT_DestroyCertificate(cert);
+    }
+    if (c) {
+	return STAN_GetCERTCertificate(c);
+    } else {
+	return NULL;
+    }
+}
+
+CERTCertificate *
+CERT_FindCertByKeyID(CERTCertDBHandle *handle, SECItem *name, SECItem *keyID)
+{
+   CERTCertList *list =
+                        CERT_CreateSubjectCertList(NULL,handle,name,0,PR_FALSE);
+    CERTCertificate *cert = NULL;
+    CERTCertListNode *node = CERT_LIST_HEAD(list);
+
+    if (list == NULL) return NULL;
+
+    for (node = CERT_LIST_HEAD(list); node ; node = CERT_LIST_NEXT(node)) {
+        if (SECITEM_ItemsAreEqual(&cert->subjectKeyID, keyID) ) {
+            cert = CERT_DupCertificate(node->cert);
+            break;
+        }
+    }
+    return cert;
+}
+
+CERTCertificate *
+CERT_FindCertByNickname(CERTCertDBHandle *handle, char *nickname)
+{
+    NSSCryptoContext *cc;
+    NSSCertificate *c, *ct;
+    CERTCertificate *cert;
+    NSSUsage usage;
+    usage.anyUsage = PR_TRUE;
+    cc = STAN_GetDefaultCryptoContext();
+    ct = NSSCryptoContext_FindBestCertificateByNickname(cc, nickname, 
+                                                       NULL, &usage, NULL);
+    cert = PK11_FindCertFromNickname(nickname, NULL);
+    c = NULL;
+    if (cert) {
+	c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
+	CERT_DestroyCertificate(cert);
+	if (ct) {
+	    CERTCertificate *cert2 = STAN_GetCERTCertificate(ct);
+	    CERT_DestroyCertificate(cert2);
+	}
+    } else {
+	c = ct;
+    }
+    if (c) {
+	return STAN_GetCERTCertificate(c);
+    } else {
+	return NULL;
+    }
+}
+
+CERTCertificate *
+CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
+{
+    NSSCryptoContext *cc;
+    NSSCertificate *c;
+    NSSDER encoding;
+    NSSITEM_FROM_SECITEM(&encoding, derCert);
+    cc = STAN_GetDefaultCryptoContext();
+    c = NSSCryptoContext_FindCertificateByEncodedCertificate(cc, &encoding);
+    if (!c) {
+	c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, 
+	                                                       &encoding);
+	if (!c) return NULL;
+    }
+    return STAN_GetCERTCertificate(c);
+}
+
+CERTCertificate *
+CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, char *name)
+{
+    NSSCryptoContext *cc;
+    NSSCertificate *c, *ct;
+    CERTCertificate *cert;
+    NSSUsage usage;
+    usage.anyUsage = PR_TRUE;
+    cc = STAN_GetDefaultCryptoContext();
+    ct = NSSCryptoContext_FindBestCertificateByNickname(cc, name, 
+                                                       NULL, &usage, NULL);
+    if (!ct) {
+	ct = NSSCryptoContext_FindBestCertificateByEmail(cc, name, 
+	                                                NULL, &usage, NULL);
+    }
+    cert = PK11_FindCertFromNickname(name, NULL);
+    if (cert) {
+	c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
+	CERT_DestroyCertificate(cert);
+	if (ct) {
+	    CERTCertificate *cert2 = STAN_GetCERTCertificate(ct);
+	    CERT_DestroyCertificate(cert2);
+	}
+    } else {
+	c = ct;
+    }
+    if (c) {
+	return STAN_GetCERTCertificate(c);
+    }
+    return NULL;
+}
+
+static void 
+add_to_subject_list(CERTCertList *certList, CERTCertificate *cert,
+                    PRBool validOnly, int64 sorttime)
+{
+    SECStatus secrv;
+    if (!validOnly ||
+	CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE) 
+	 == secCertTimeValid) {
+	    secrv = CERT_AddCertToListSorted(certList, cert, 
+	                                     CERT_SortCBValidity, 
+	                                     (void *)&sorttime);
+	    if (secrv != SECSuccess) {
+		CERT_DestroyCertificate(cert);
+	    }
+    } else {
+	CERT_DestroyCertificate(cert);
+    }
+}
+
+CERTCertList *
+CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
+			   SECItem *name, int64 sorttime, PRBool validOnly)
+{
+    NSSCryptoContext *cc;
+    NSSCertificate **tSubjectCerts, **pSubjectCerts;
+    NSSCertificate **ci;
+    CERTCertificate *cert;
+    NSSDER subject;
+    PRBool myList = PR_FALSE;
+    cc = STAN_GetDefaultCryptoContext();
+    NSSITEM_FROM_SECITEM(&subject, name);
+    /* Collect both temp and perm certs for the subject */
+    tSubjectCerts = NSSCryptoContext_FindCertificatesBySubject(cc,
+                                                               &subject,
+                                                               NULL,
+                                                               0,
+                                                               NULL);
+    pSubjectCerts = NSSTrustDomain_FindCertificatesBySubject(handle,
+                                                             &subject,
+                                                             NULL,
+                                                             0,
+                                                             NULL);
+    if (!tSubjectCerts && !pSubjectCerts) {
+	return NULL;
+    }
+    if (certList == NULL) {
+	certList = CERT_NewCertList();
+	myList = PR_TRUE;
+	if (!certList) goto loser;
+    }
+    /* Iterate over the matching temp certs.  Add them to the list */
+    ci = tSubjectCerts;
+    while (ci && *ci) {
+	cert = STAN_GetCERTCertificate(*ci);
+	add_to_subject_list(certList, cert, validOnly, sorttime);
+	ci++;
+    }
+    /* Iterate over the matching perm certs.  Add them to the list */
+    ci = pSubjectCerts;
+    while (ci && *ci) {
+	cert = STAN_GetCERTCertificate(*ci);
+	add_to_subject_list(certList, cert, validOnly, sorttime);
+	ci++;
+    }
+    nss_ZFreeIf(tSubjectCerts);
+    nss_ZFreeIf(pSubjectCerts);
+    return certList;
+loser:
+    nss_ZFreeIf(tSubjectCerts);
+    nss_ZFreeIf(pSubjectCerts);
+    if (myList && certList != NULL) {
+	CERT_DestroyCertList(certList);
+    }
+    return NULL;
+}
+
+void
+CERT_DestroyCertificate(CERTCertificate *cert)
+{
+    int refCount;
+    CERTCertDBHandle *handle;
+    if ( cert ) {
+	NSSCertificate *tmp = STAN_GetNSSCertificate(cert);
+	handle = cert->dbhandle;
+#ifdef NSS_CLASSIC
+        CERT_LockCertRefCount(cert);
+	PORT_Assert(cert->referenceCount > 0);
+	refCount = --cert->referenceCount;
+        CERT_UnlockCertRefCount(cert);
+	if ( ( refCount == 0 ) && !cert->keepSession ) {
+	    PRArenaPool *arena  = cert->arena;
+	    /* zero cert before freeing. Any stale references to this cert
+	     * after this point will probably cause an exception.  */
+	    PORT_Memset(cert, 0, sizeof *cert);
+	    cert = NULL;
+	    /* free the arena that contains the cert. */
+	    PORT_FreeArena(arena, PR_FALSE);
+        }
+#else
+	if (tmp) {
+	    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+	    refCount = (int)tmp->object.refCount;
+	    /* This is a hack.  For 3.4, there are persistent references
+	     * to 4.0 certificates during the lifetime of a cert.  In the
+	     * case of a temp cert, the persistent reference is in the
+	     * cert store of the global crypto context.  For a perm cert,
+	     * the persistent reference is in the cache.  Thus, the last
+	     * external reference is really the penultimate NSS reference.
+	     * When the count drops to two, it is really one, but the
+	     * persistent reference must be explicitly deleted.  In 4.0,
+	     * this ugliness will not appear.  Crypto contexts will remove
+	     * their own cert references, and the cache will have its
+	     * own management code also.
+	     */
+	    if (refCount == 2) {
+		NSSCryptoContext *cc = tmp->object.cryptoContext;
+		if (cc != NULL) {
+		    nssCertificateStore_Remove(cc->certStore, tmp);
+		} else {
+		    nssTrustDomain_RemoveCertFromCache(td, tmp);
+		}
+	    }
+	    /* delete the NSSCertificate */
+	    NSSCertificate_Destroy(tmp);
+	} 
+#endif
+    }
+    return;
+}
+
+#ifdef notdef
+SECStatus
+CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb,
+			    CERTCertificate *cert, SECCertUsage usage)
+{
+    SECStatus rv;
+    CERTCertTrust trust;
+    CERTCertTrust tmptrust;
+    unsigned int certtype;
+    PRBool saveit;
+    
+    saveit = PR_TRUE;
+    
+    PORT_Memset((void *)&trust, 0, sizeof(trust));
+
+    certtype = cert->nsCertType;
+
+    /* if no app bits in cert type, then set all app bits */
+    if ( ! ( certtype & NS_CERT_TYPE_APP ) ) {
+	certtype |= NS_CERT_TYPE_APP;
+    }
+
+    switch ( usage ) {
+      case certUsageEmailSigner:
+      case certUsageEmailRecipient:
+	if ( certtype & NS_CERT_TYPE_EMAIL ) {
+	     trust.emailFlags = CERTDB_VALID_PEER;
+	     if ( ! ( cert->rawKeyUsage & KU_KEY_ENCIPHERMENT ) ) {
+		/* don't save it if KeyEncipherment is not allowed */
+		saveit = PR_FALSE;
+	    }
+	}
+	break;
+      case certUsageUserCertImport:
+	if ( certtype & NS_CERT_TYPE_EMAIL ) {
+	    trust.emailFlags = CERTDB_VALID_PEER;
+	}
+	/* VALID_USER is already set if the cert was imported, 
+	 * in the case that the cert was already in the database
+	 * through SMIME or other means, we should set the USER
+	 * flags, if they are not already set.
+	 */
+	if( cert->isperm ) {
+	    if ( certtype & NS_CERT_TYPE_SSL_CLIENT ) {
+		if( !(cert->trust->sslFlags & CERTDB_USER) ) {
+		    trust.sslFlags |= CERTDB_USER;
+		}
+	    }
+	    
+	    if ( certtype & NS_CERT_TYPE_EMAIL ) {
+		if( !(cert->trust->emailFlags & CERTDB_USER) ) {
+		    trust.emailFlags |= CERTDB_USER;
+		}
+	    }
+	    
+	    if ( certtype & NS_CERT_TYPE_OBJECT_SIGNING ) {
+		if( !(cert->trust->objectSigningFlags & CERTDB_USER) ) {
+		    trust.objectSigningFlags |= CERTDB_USER;
+		}
+	    }
+	}
+	break;
+      default:	/* XXX added to quiet warnings; no other cases needed? */
+	break;
+    }
+
+    if ( (trust.sslFlags | trust.emailFlags | trust.objectSigningFlags) == 0 ){
+	saveit = PR_FALSE;
+    }
+
+    if ( saveit && cert->isperm ) {
+	/* Cert already in the DB.  Just adjust flags */
+	tmptrust = *cert->trust;
+	tmptrust.sslFlags |= trust.sslFlags;
+	tmptrust.emailFlags |= trust.emailFlags;
+	tmptrust.objectSigningFlags |= trust.objectSigningFlags;
+	    
+	rv = CERT_ChangeCertTrust(cert->dbhandle, cert,
+				  &tmptrust);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    }
+
+    rv = SECSuccess;
+    goto done;
+
+loser:
+    rv = SECFailure;
+done:
+
+    return(rv);
+}
+#endif
+
+int
+CERT_GetDBContentVersion(CERTCertDBHandle *handle)
+{
+    /* should read the DB content version from the pkcs #11 device */
+    return 0;
+}
+
+/*
+ *
+ * Manage S/MIME profiles
+ *
+ */
+
+SECStatus
+CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
+		      SECItem *profileTime)
+{
+    int64 oldtime;
+    int64 newtime;
+    SECStatus rv = SECFailure;
+    PRBool saveit;
+    char *emailAddr;
+    SECItem oldprof;
+    SECItem *oldProfile = NULL;
+    SECItem *oldProfileTime = NULL;
+    PK11SlotInfo *slot = NULL;
+    NSSCertificate *c;
+    NSSCryptoContext *cc;
+    nssSMIMEProfile *stanProfile = NULL;
+    
+    emailAddr = cert->emailAddr;
+    
+    if ( emailAddr == NULL ) {
+	goto loser;
+    }
+
+    c = STAN_GetNSSCertificate(cert);
+    if (!c) return SECFailure;
+    cc = c->object.cryptoContext;
+    if (cc != NULL) {
+	stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
+	if (stanProfile) {
+	    PORT_Assert(stanProfile->profileData);
+	    SECITEM_FROM_NSSITEM(&oldprof, stanProfile->profileData);
+	    oldProfile = &oldprof;
+	}
+    } else {
+	oldProfile = PK11_FindSMimeProfile(&slot, emailAddr, &cert->derSubject, 
+							&oldProfileTime); 
+    }
+
+    saveit = PR_FALSE;
+    
+    /* both profileTime and emailProfile have to exist or not exist */
+    if ( emailProfile == NULL ) {
+	profileTime = NULL;
+    } else if ( profileTime == NULL ) {
+	emailProfile = NULL;
+    }
+   
+    if ( oldProfileTime == NULL ) {
+	saveit = PR_TRUE;
+    } else {
+	/* there was already a profile for this email addr */
+	if ( profileTime ) {
+	    /* we have an old and new profile - save whichever is more recent*/
+	    if ( oldProfileTime->len == 0 ) {
+		/* always replace if old entry doesn't have a time */
+		oldtime = LL_MININT;
+	    } else {
+		rv = DER_UTCTimeToTime(&oldtime, oldProfileTime);
+		if ( rv != SECSuccess ) {
+		    goto loser;
+		}
+	    }
+	    
+	    rv = DER_UTCTimeToTime(&newtime, profileTime);
+	    if ( rv != SECSuccess ) {
+		goto loser;
+	    }
+	
+	    if ( LL_CMP(newtime, >, oldtime ) ) {
+		/* this is a newer profile, save it and cert */
+		saveit = PR_TRUE;
+	    }
+	} else {
+	    saveit = PR_TRUE;
+	}
+    }
+
+
+    if (saveit) {
+	if (cc) {
+	    if (stanProfile) {
+		/* well, it's hashed and in an arena, might as well just
+		 * overwrite the buffer
+		 */
+		NSSITEM_FROM_SECITEM(stanProfile->profileTime, profileTime);
+		NSSITEM_FROM_SECITEM(stanProfile->profileData, emailProfile);
+	    } else if (profileTime && emailProfile) {
+		PRStatus nssrv;
+		NSSDER subject;
+		NSSItem profTime, profData;
+		NSSItem *pprofTime, *pprofData;
+		NSSITEM_FROM_SECITEM(&subject, &cert->derSubject);
+		if (profileTime) {
+		    NSSITEM_FROM_SECITEM(&profTime, profileTime);
+		    pprofTime = &profTime;
+		} else {
+		    pprofTime = NULL;
+		}
+		if (emailProfile) {
+		    NSSITEM_FROM_SECITEM(&profData, emailProfile);
+		    pprofData = &profData;
+		} else {
+		    pprofData = NULL;
+		}
+		stanProfile = nssSMIMEProfile_Create(c, pprofTime, pprofData);
+		if (!stanProfile) goto loser;
+		nssrv = nssCryptoContext_ImportSMIMEProfile(cc, stanProfile);
+		rv = (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
+	    }
+	} else {
+	    rv = PK11_SaveSMimeProfile(slot, emailAddr, &cert->derSubject, 
+						emailProfile, profileTime);
+	}
+    } else {
+	rv = SECSuccess;
+    }
+
+loser:
+    if (oldProfile) {
+    	SECITEM_FreeItem(oldProfile,PR_TRUE);
+    }
+    if (oldProfileTime) {
+    	SECITEM_FreeItem(oldProfileTime,PR_TRUE);
+    }
+    
+    return(rv);
+}
+
+SECItem *
+CERT_FindSMimeProfile(CERTCertificate *cert)
+{
+    PK11SlotInfo *slot = NULL;
+    NSSCertificate *c;
+    NSSCryptoContext *cc;
+    c = STAN_GetNSSCertificate(cert);
+    if (!c) return NULL;
+    cc = c->object.cryptoContext;
+    if (cc != NULL) {
+	SECItem *rvItem = NULL;
+	nssSMIMEProfile *stanProfile;
+	stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
+	if (stanProfile) {
+	    rvItem = SECITEM_AllocItem(NULL, NULL, 
+	                               stanProfile->profileData->size);
+	    if (rvItem) {
+		rvItem->data = stanProfile->profileData->data;
+	    }
+	    nssPKIObject_Destroy(&stanProfile->object);
+	}
+	return rvItem;
+    }
+    return 
+	PK11_FindSMimeProfile(&slot, cert->emailAddr, &cert->derSubject, NULL);
+}
+
+/*
+ * depricated functions that are now just stubs.
+ */
+/*
+ * Close the database
+ */
+void
+__CERT_ClosePermCertDB(CERTCertDBHandle *handle)
+{
+    PORT_Assert("CERT_ClosePermCertDB is Depricated" == NULL);
+    return;
+}
+
+SECStatus
+CERT_OpenCertDBFilename(CERTCertDBHandle *handle, char *certdbname,
+                        PRBool readOnly)
+{
+    PORT_Assert("CERT_OpenCertDBFilename is Depricated" == NULL);
+    return SECFailure;
+}
+
+SECItem *
+SECKEY_HashPassword(char *pw, SECItem *salt)
+{
+    PORT_Assert("SECKEY_HashPassword is Depricated" == NULL);
+    return NULL;
+}
+
+SECStatus
+__CERT_TraversePermCertsForSubject(CERTCertDBHandle *handle,
+                                 SECItem *derSubject,
+                                 void *cb, void *cbarg)
+{
+    PORT_Assert("CERT_TraversePermCertsForSubject is Depricated" == NULL);
+    return SECFailure;
+}
+
+
+SECStatus
+__CERT_TraversePermCertsForNickname(CERTCertDBHandle *handle, char *nickname,
+                                  void *cb, void *cbarg)
+{
+    PORT_Assert("CERT_TraversePermCertsForNickname is Depricated" == NULL);
+    return SECFailure;
+}
+
+
+

mozilla/security/nss/lib/certdb/xauthkid.c

@@ -0,0 +1,147 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * X.509 v3 Subject Key Usage Extension 
+ *
+ */
+
+#include "prtypes.h"
+#include "mcom_db.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secoidt.h"
+#include "secasn1t.h"
+#include "secasn1.h"
+#include "secport.h"
+#include "certt.h"  
+#include "genname.h"
+#include "secerr.h"
+
+   
+const SEC_ASN1Template CERTAuthKeyIDTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTAuthKeyID) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(CERTAuthKeyID,keyID), SEC_OctetStringTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC  | 1,
+          offsetof(CERTAuthKeyID, DERAuthCertIssuer), CERT_GeneralNamesTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+	  offsetof(CERTAuthKeyID,authCertSerialNumber), SEC_IntegerTemplate},
+    { 0 }
+};
+
+
+
+SECStatus CERT_EncodeAuthKeyID (PRArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue)
+{
+    SECStatus rv = SECFailure;
+ 
+    PORT_Assert (value);
+    PORT_Assert (arena);
+    PORT_Assert (value->DERAuthCertIssuer == NULL);
+    PORT_Assert (encodedValue);
+
+    do {
+	
+	/* If both of the authCertIssuer and the serial number exist, encode
+	   the name first.  Otherwise, it is an error if one exist and the other
+	   is not.
+	 */
+	if (value->authCertIssuer) {
+	    if (!value->authCertSerialNumber.data) {
+		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		break;
+	    }
+
+	    value->DERAuthCertIssuer = cert_EncodeGeneralNames
+		(arena, value->authCertIssuer);
+	    if (!value->DERAuthCertIssuer) {
+		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		break;
+	    }
+	}
+	else if (value->authCertSerialNumber.data) {
+		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		break;
+	}
+
+	if (SEC_ASN1EncodeItem (arena, encodedValue, value,
+				CERTAuthKeyIDTemplate) == NULL)
+	    break;
+	rv = SECSuccess;
+
+    } while (0);
+     return(rv);
+}
+
+CERTAuthKeyID *
+CERT_DecodeAuthKeyID (PRArenaPool *arena, SECItem *encodedValue)
+{
+    CERTAuthKeyID * value = NULL;
+    SECStatus       rv    = SECFailure;
+    void *          mark;
+
+    PORT_Assert (arena);
+   
+    do {
+	mark = PORT_ArenaMark (arena);
+        value = (CERTAuthKeyID*)PORT_ArenaZAlloc (arena, sizeof (*value));
+	value->DERAuthCertIssuer = NULL;
+	if (value == NULL)
+	    break;
+	rv = SEC_ASN1DecodeItem
+	     (arena, value, CERTAuthKeyIDTemplate, encodedValue);
+	if (rv != SECSuccess)
+	    break;
+
+        value->authCertIssuer = cert_DecodeGeneralNames (arena, value->DERAuthCertIssuer);
+	if (value->authCertIssuer == NULL)
+	    break;
+	
+	/* what if the general name contains other format but not URI ?
+	   hl
+	 */
+	if ((value->authCertSerialNumber.data && !value->authCertIssuer) ||
+	    (!value->authCertSerialNumber.data && value->authCertIssuer)){
+	    PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+	    break;
+	}
+    } while (0);
+
+    if (rv != SECSuccess) {
+	PORT_ArenaRelease (arena, mark);
+	return ((CERTAuthKeyID *)NULL);	    
+    } 
+    PORT_ArenaUnmark(arena, mark);
+    return (value);
+}

mozilla/security/nss/lib/certdb/xbsconst.c

@@ -0,0 +1,168 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * X.509 v3 Basic Constraints Extension 
+ */
+
+#include "prtypes.h"
+#include "mcom_db.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secoidt.h"
+#include "secasn1t.h"
+#include "secasn1.h"
+#include "certt.h"
+#include "secder.h"
+#include "prprf.h"
+#include "secerr.h"
+
+typedef struct EncodedContext{
+    SECItem isCA;
+    SECItem pathLenConstraint;
+    SECItem encodedValue;
+    PRArenaPool *arena;
+}EncodedContext;
+
+static const SEC_ASN1Template CERTBasicConstraintsTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(EncodedContext) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,		/* XXX DER_DEFAULT */
+	  offsetof(EncodedContext,isCA)},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
+	  offsetof(EncodedContext,pathLenConstraint) },
+    { 0, }
+};
+
+static unsigned char hexTrue = 0xff;
+static unsigned char hexFalse = 0x00;
+
+#define GEN_BREAK(status) rv = status; break;
+
+SECStatus CERT_EncodeBasicConstraintValue
+   (PRArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue)
+{
+    EncodedContext encodeContext;
+    PRArenaPool *our_pool = NULL;   
+    SECStatus rv = SECSuccess;
+
+    do {
+	PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
+	if (!value->isCA && value->pathLenConstraint >= 0) {
+	    PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+	    GEN_BREAK (SECFailure);
+	}
+
+        encodeContext.arena = arena;
+	if (value->isCA == PR_TRUE) {
+	    encodeContext.isCA.data =  &hexTrue ;
+	    encodeContext.isCA.len = 1;
+	}
+
+	/* If the pathLenConstraint is less than 0, then it should be
+	 * omitted from the encoding.
+	 */
+	if (value->isCA && value->pathLenConstraint >= 0) {
+	    our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+	    if (our_pool == NULL) {
+		PORT_SetError (SEC_ERROR_NO_MEMORY);
+		GEN_BREAK (SECFailure);
+	    }
+	    if (SEC_ASN1EncodeUnsignedInteger
+		(our_pool, &encodeContext.pathLenConstraint,
+		 (unsigned long)value->pathLenConstraint) == NULL) {
+		PORT_SetError (SEC_ERROR_NO_MEMORY);
+		GEN_BREAK (SECFailure);
+	    }
+	}
+	if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
+				CERTBasicConstraintsTemplate) == NULL) {
+	    GEN_BREAK (SECFailure);
+	}
+    } while (0);
+    if (our_pool)
+	PORT_FreeArena (our_pool, PR_FALSE);
+    return(rv);
+
+}
+
+SECStatus CERT_DecodeBasicConstraintValue
+   (CERTBasicConstraints *value, SECItem *encodedValue)
+{
+    EncodedContext decodeContext;
+    PRArenaPool *our_pool;
+    SECStatus rv = SECSuccess;
+
+    do {
+	PORT_Memset (&decodeContext, 0, sizeof (decodeContext));
+	/* initialize the value just in case we got "0x30 00", or when the
+	   pathLenConstraint is omitted.
+         */
+	decodeContext.isCA.data =&hexFalse;
+	decodeContext.isCA.len = 1;
+	
+	our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+	if (our_pool == NULL) {
+	    PORT_SetError (SEC_ERROR_NO_MEMORY);
+	    GEN_BREAK (SECFailure);
+	}
+
+	rv = SEC_ASN1DecodeItem
+	     (our_pool, &decodeContext, CERTBasicConstraintsTemplate, encodedValue);
+	if (rv == SECFailure)
+	    break;
+	
+	value->isCA = (PRBool)(*decodeContext.isCA.data);
+	if (decodeContext.pathLenConstraint.data == NULL) {
+	    /* if the pathLenConstraint is not encoded, and the current setting
+	      is CA, then the pathLenConstraint should be set to a negative number
+	      for unlimited certificate path.
+	     */
+	    if (value->isCA)
+		value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
+	}
+	else if (value->isCA)
+	    value->pathLenConstraint = DER_GetUInteger (&decodeContext.pathLenConstraint);
+	else {
+	    /* here we get an error where the subject is not a CA, but
+	       the pathLenConstraint is set */
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    GEN_BREAK (SECFailure);
+	    break;
+	}
+	 
+    } while (0);
+    PORT_FreeArena (our_pool, PR_FALSE);
+    return (rv);
+
+}

mozilla/security/nss/lib/certdb/xconst.c

@@ -0,0 +1,253 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * X.509 Extension Encoding  
+ */
+
+#include "prtypes.h"
+#include "mcom_db.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secoidt.h"
+#include "secasn1t.h"
+#include "secasn1.h"
+#include "certt.h"
+#include "secder.h"
+#include "prprf.h"
+#include "xconst.h"
+#include "genname.h"
+#include "secasn1.h"
+
+
+
+static const SEC_ASN1Template CERTSubjectKeyIDTemplate[] = {
+{ SEC_ASN1_OCTET_STRING }
+};
+
+
+static const SEC_ASN1Template CERTIA5TypeTemplate[] = {
+{ SEC_ASN1_IA5_STRING }
+};
+
+
+static const SEC_ASN1Template CERTPrivateKeyUsagePeriodTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+      0, NULL, sizeof(PKUPEncodedContext) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC  | 0,	
+	  offsetof(PKUPEncodedContext, notBefore), SEC_GeneralizedTimeTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC  | 1,
+	  offsetof(PKUPEncodedContext, notAfter), SEC_GeneralizedTimeTemplate},
+    { 0, } 
+};
+
+
+const SEC_ASN1Template CERTAltNameTemplate[] = {
+    { SEC_ASN1_CONSTRUCTED, offsetof(AltNameEncodedContext, encodedGenName), 
+      CERT_GeneralNamesTemplate}
+};
+
+const SEC_ASN1Template CERTAuthInfoAccessItemTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+      0, NULL, sizeof(CERTAuthInfoAccess) },
+    { SEC_ASN1_OBJECT_ID,
+      offsetof(CERTAuthInfoAccess, method) },
+    { SEC_ASN1_ANY,
+      offsetof(CERTAuthInfoAccess, derLocation) },
+    { 0, }
+};
+
+const SEC_ASN1Template CERTAuthInfoAccessTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, CERTAuthInfoAccessItemTemplate }
+};
+
+
+SECStatus 
+CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue)
+{
+    SECItem encodeContext;
+    SECStatus rv = SECSuccess;
+
+
+    PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
+    
+    if (value != NULL) {
+	encodeContext.data = (unsigned char *)value;
+	encodeContext.len = len;
+    }
+    if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
+			    CERTSubjectKeyIDTemplate) == NULL) {
+	rv = SECFailure;
+    }
+    
+    return(rv);
+}
+
+
+SECStatus
+CERT_EncodePublicKeyUsagePeriod(PRArenaPool *arena, PKUPEncodedContext *pkup, SECItem *encodedValue)
+{
+    SECStatus rv = SECSuccess;
+
+    if (SEC_ASN1EncodeItem (arena, encodedValue, pkup,
+			    CERTPrivateKeyUsagePeriodTemplate) == NULL) {
+	rv = SECFailure;
+    }
+    return(rv);
+}
+
+
+SECStatus 
+CERT_EncodeIA5TypeExtension(PRArenaPool *arena, char *value, SECItem *encodedValue)
+{
+    SECItem encodeContext;
+    SECStatus rv = SECSuccess;
+
+
+    PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
+    
+    if (value != NULL) {
+	encodeContext.data = (unsigned char *)value;
+	encodeContext.len = strlen(value);
+    }
+    if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
+			    CERTIA5TypeTemplate) == NULL) {
+	rv = SECFailure;
+    }
+    
+    return(rv);
+}
+
+SECStatus
+CERT_EncodeAltNameExtension(PRArenaPool *arena,  CERTGeneralName  *value, SECItem *encodedValue)
+{
+    SECItem                **encodedGenName;
+    SECStatus              rv = SECSuccess;
+
+    encodedGenName = cert_EncodeGeneralNames(arena, value);
+    if (SEC_ASN1EncodeItem (arena, encodedValue, &encodedGenName,
+			    CERT_GeneralNamesTemplate) == NULL) {
+	rv = SECFailure;
+    }
+
+    return rv;
+}
+
+CERTGeneralName *
+CERT_DecodeAltNameExtension(PRArenaPool *arena, SECItem *EncodedAltName)
+{
+    SECStatus              rv = SECSuccess;
+    AltNameEncodedContext  encodedContext;
+
+    encodedContext.encodedGenName = NULL;
+    PORT_Memset(&encodedContext, 0, sizeof(AltNameEncodedContext));
+    rv = SEC_ASN1DecodeItem (arena, &encodedContext, CERT_GeneralNamesTemplate,
+			     EncodedAltName);
+    if (rv == SECFailure) {
+	goto loser;
+    }
+    return cert_DecodeGeneralNames(arena, encodedContext.encodedGenName);
+loser:
+    return NULL;
+}
+
+
+SECStatus
+CERT_EncodeNameConstraintsExtension(PRArenaPool          *arena, 
+				    CERTNameConstraints  *value,
+				    SECItem              *encodedValue)
+{
+    SECStatus     rv = SECSuccess;
+    
+    rv = cert_EncodeNameConstraints(value, arena, encodedValue);
+    return rv;
+}
+
+
+CERTNameConstraints *
+CERT_DecodeNameConstraintsExtension(PRArenaPool          *arena,
+				    SECItem              *encodedConstraints)
+{
+    return  cert_DecodeNameConstraints(arena, encodedConstraints);
+}
+
+
+CERTAuthInfoAccess **
+cert_DecodeAuthInfoAccessExtension(PRArenaPool *arena,
+				   SECItem     *encodedExtension)
+{
+    CERTAuthInfoAccess **info = NULL;
+    SECStatus rv;
+    int i;
+
+    rv = SEC_ASN1DecodeItem(arena, &info, CERTAuthInfoAccessTemplate, 
+			    encodedExtension);
+    if (rv != SECSuccess || info == NULL) {
+	return NULL;
+    }
+
+    for (i = 0; info[i] != NULL; i++) {
+	info[i]->location = CERT_DecodeGeneralName(arena,
+						   &(info[i]->derLocation),
+						   NULL);
+    }
+    return info;
+}
+
+SECStatus
+cert_EncodeAuthInfoAccessExtension(PRArenaPool *arena,
+				   CERTAuthInfoAccess **info,
+				   SECItem *dest)
+{
+    SECItem *dummy;
+    int i;
+
+    PORT_Assert(info != NULL);
+    PORT_Assert(dest != NULL);
+    if (info == NULL || dest == NULL) {
+	return SECFailure;
+    }
+
+    for (i = 0; info[i] != NULL; i++) {
+	if (CERT_EncodeGeneralName(info[i]->location, &(info[i]->derLocation),
+				   arena) == NULL)
+	    /* Note that this may leave some of the locations filled in. */
+	    return SECFailure;
+    }
+    dummy = SEC_ASN1EncodeItem(arena, dest, &info,
+			       CERTAuthInfoAccessTemplate);
+    if (dummy == NULL) {
+	return SECFailure;
+    }
+    return SECSuccess;
+}

mozilla/security/nss/lib/certdb/xconst.h

@@ -0,0 +1,85 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "certt.h"
+
+typedef struct PKUPEncodedContext{
+    SECItem notBefore;
+    SECItem notAfter;
+    /*    SECItem encodedValue; */
+    PRArenaPool *arena;
+}PKUPEncodedContext;
+
+typedef struct AltNameEncodedContext{
+    SECItem **encodedGenName;
+}AltNameEncodedContext;
+
+
+typedef struct NameConstraint{
+    CERTGeneralName  generalName;
+    int              min;
+    int              max;
+}NameConstraint;
+
+
+
+extern SECStatus
+CERT_EncodePublicKeyUsagePeriod(PRArenaPool *arena, PKUPEncodedContext *pkup,
+				SECItem *encodedValue);
+
+extern SECStatus
+CERT_EncodeAltNameExtension(PRArenaPool *arena,  CERTGeneralName  *value, SECItem *encodedValue);
+
+extern SECStatus
+CERT_EncodeNameConstraintsExtension(PRArenaPool *arena, CERTNameConstraints  *value,
+			    SECItem *encodedValue);
+extern CERTGeneralName *
+CERT_DecodeAltNameExtension(PRArenaPool *arena, SECItem *EncodedAltName);
+
+extern CERTNameConstraints *
+CERT_DecodeNameConstraintsExtension(PRArenaPool *arena, SECItem *encodedConstraints);
+
+extern SECStatus 
+CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue);
+
+extern SECStatus 
+CERT_EncodeIA5TypeExtension(PRArenaPool *arena, char *value, SECItem *encodedValue);
+
+CERTAuthInfoAccess **
+cert_DecodeAuthInfoAccessExtension(PRArenaPool *arena,
+				   SECItem     *encodedExtension);
+
+SECStatus
+cert_EncodeAuthInfoAccessExtension(PRArenaPool *arena,
+				   CERTAuthInfoAccess **info,
+				   SECItem *dest);

mozilla/security/nss/lib/certhigh/Makefile

@@ -0,0 +1,76 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+-include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+

mozilla/security/nss/lib/certhigh/certhtml.c

@@ -0,0 +1,605 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * certhtml.c --- convert a cert to html
+ *
+ * $Id: certhtml.c,v 1.3 2001-10-26 21:30:58 wtc%netscape.com Exp $
+ */
+
+#include "seccomon.h"
+#include "secitem.h"
+#include "sechash.h"
+#include "cert.h"
+#include "keyhi.h"
+#include "secder.h"
+#include "prprf.h"
+#include "secport.h"
+#include "secasn1.h"
+#include "pk11func.h"
+
+static char *hex = "0123456789ABCDEF";
+
+/*
+** Convert a der-encoded integer to a hex printable string form
+*/
+char *CERT_Hexify (SECItem *i, int do_colon)
+{
+    unsigned char *cp, *end;
+    char *rv, *o;
+
+    if (!i->len) {
+	return PORT_Strdup("00");
+    }
+
+    rv = o = (char*) PORT_Alloc(i->len * 3);
+    if (!rv) return rv;
+
+    cp = i->data;
+    end = cp + i->len;
+    while (cp < end) {
+	unsigned char ch = *cp++;
+	*o++ = hex[(ch >> 4) & 0xf];
+	*o++ = hex[ch & 0xf];
+	if (cp != end) {
+	    if (do_colon) {
+		*o++ = ':';
+	    }
+	} 
+    }
+    *o = 0;           /* Null terminate the string */
+    return rv;
+}
+
+static char *
+gatherStrings(char **strings)
+{
+    char **strs;
+    int len;
+    char *ret;
+    char *s;
+
+    /* find total length of all strings */
+    strs = strings;
+    len = 0;
+    while ( *strs ) {
+	len += PORT_Strlen(*strs);
+	strs++;
+    }
+    
+    /* alloc enough memory for it */
+    ret = (char*)PORT_Alloc(len + 1);
+    if ( !ret ) {
+	return(ret);
+    }
+
+    s = ret;
+    
+    /* copy the strings */
+    strs = strings;
+    while ( *strs ) {
+	PORT_Strcpy(s, *strs);
+	s += PORT_Strlen(*strs);
+	strs++;
+    }
+
+    return( ret );
+}
+
+#define BREAK "<br>"
+#define BREAKLEN 4
+#define COMMA ", "
+#define COMMALEN 2
+
+#define MAX_OUS 20
+#define MAX_DC MAX_OUS
+
+
+char *CERT_FormatName (CERTName *name)
+{
+    CERTRDN** rdns;
+    CERTRDN * rdn;
+    CERTAVA** avas;
+    CERTAVA*  ava;
+    char *    buf	= 0;
+    char *    tmpbuf	= 0;
+    SECItem * cn	= 0;
+    SECItem * email	= 0;
+    SECItem * org	= 0;
+    SECItem * loc	= 0;
+    SECItem * state	= 0;
+    SECItem * country	= 0;
+    SECItem * dq     	= 0;
+
+    unsigned  len 	= 0;
+    int       tag;
+    int       i;
+    int       ou_count = 0;
+    int       dc_count = 0;
+    PRBool    first;
+    SECItem * orgunit[MAX_OUS];
+    SECItem * dc[MAX_DC];
+
+    /* Loop over name components and gather the interesting ones */
+    rdns = name->rdns;
+    while ((rdn = *rdns++) != 0) {
+	avas = rdn->avas;
+	while ((ava = *avas++) != 0) {
+	    tag = CERT_GetAVATag(ava);
+	    switch(tag) {
+	      case SEC_OID_AVA_COMMON_NAME:
+		cn = CERT_DecodeAVAValue(&ava->value);
+		len += cn->len;
+		break;
+	      case SEC_OID_AVA_COUNTRY_NAME:
+		country = CERT_DecodeAVAValue(&ava->value);
+		len += country->len;
+		break;
+	      case SEC_OID_AVA_LOCALITY:
+		loc = CERT_DecodeAVAValue(&ava->value);
+		len += loc->len;
+		break;
+	      case SEC_OID_AVA_STATE_OR_PROVINCE:
+		state = CERT_DecodeAVAValue(&ava->value);
+		len += state->len;
+		break;
+	      case SEC_OID_AVA_ORGANIZATION_NAME:
+		org = CERT_DecodeAVAValue(&ava->value);
+		len += org->len;
+		break;
+	      case SEC_OID_AVA_DN_QUALIFIER:
+		dq = CERT_DecodeAVAValue(&ava->value);
+		len += dq->len;
+		break;
+	      case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
+		if (ou_count < MAX_OUS) {
+			orgunit[ou_count] = CERT_DecodeAVAValue(&ava->value);
+			len += orgunit[ou_count++]->len;
+		}
+		break;
+	      case SEC_OID_AVA_DC:
+		if (dc_count < MAX_DC) {
+			dc[dc_count] = CERT_DecodeAVAValue(&ava->value);
+			len += dc[dc_count++]->len;
+		}
+		break;
+	      case SEC_OID_PKCS9_EMAIL_ADDRESS:
+	      case SEC_OID_RFC1274_MAIL:
+		email = CERT_DecodeAVAValue(&ava->value);
+		len += email->len;
+		break;
+	      default:
+		break;
+	    }
+	}
+    }
+
+    /* XXX - add some for formatting */
+    len += 128;
+
+    /* allocate buffer */
+    buf = (char *)PORT_Alloc(len);
+    if ( !buf ) {
+	return(0);
+    }
+
+    tmpbuf = buf;
+    
+    if ( cn ) {
+	PORT_Memcpy(tmpbuf, cn->data, cn->len);
+	tmpbuf += cn->len;
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+	SECITEM_FreeItem(cn, PR_TRUE);
+    }
+    if ( email ) {
+	PORT_Memcpy(tmpbuf, email->data, email->len);
+	tmpbuf += ( email->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+	SECITEM_FreeItem(email, PR_TRUE);
+    }
+    for (i=ou_count-1; i >= 0; i--) {
+	PORT_Memcpy(tmpbuf, orgunit[i]->data, orgunit[i]->len);
+	tmpbuf += ( orgunit[i]->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+	SECITEM_FreeItem(orgunit[i], PR_TRUE);
+    }
+    if ( dq ) {
+	PORT_Memcpy(tmpbuf, dq->data, dq->len);
+	tmpbuf += ( dq->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+	SECITEM_FreeItem(dq, PR_TRUE);
+    }
+    if ( org ) {
+	PORT_Memcpy(tmpbuf, org->data, org->len);
+	tmpbuf += ( org->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+	SECITEM_FreeItem(org, PR_TRUE);
+    }
+    for (i=dc_count-1; i >= 0; i--) {
+	PORT_Memcpy(tmpbuf, dc[i]->data, dc[i]->len);
+	tmpbuf += ( dc[i]->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+	SECITEM_FreeItem(dc[i], PR_TRUE);
+    }
+    first = PR_TRUE;
+    if ( loc ) {
+	PORT_Memcpy(tmpbuf, loc->data,  loc->len);
+	tmpbuf += ( loc->len );
+	first = PR_FALSE;
+	SECITEM_FreeItem(loc, PR_TRUE);
+    }
+    if ( state ) {
+	if ( !first ) {
+	    PORT_Memcpy(tmpbuf, COMMA, COMMALEN);
+	    tmpbuf += COMMALEN;
+	}
+	PORT_Memcpy(tmpbuf, state->data, state->len);
+	tmpbuf += ( state->len );
+	first = PR_FALSE;
+	SECITEM_FreeItem(state, PR_TRUE);
+    }
+    if ( country ) {
+	if ( !first ) {
+	    PORT_Memcpy(tmpbuf, COMMA, COMMALEN);
+	    tmpbuf += COMMALEN;
+	}
+	PORT_Memcpy(tmpbuf, country->data, country->len);
+	tmpbuf += ( country->len );
+	first = PR_FALSE;
+	SECITEM_FreeItem(country, PR_TRUE);
+    }
+    if ( !first ) {
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+    }
+
+    *tmpbuf = 0;
+
+    return(buf);
+}
+
+static char *sec_FortezzaClearance(SECItem *clearance) {
+    unsigned char clr = 0;
+
+    if (clearance->len > 0) { clr = clearance->data[0]; }
+
+    if (clr & 0x4) return "Top Secret";
+    if (clr & 0x8) return "Secret";
+    if (clr & 0x10) return "Confidential";
+    if (clr & 0x20) return "Sensitive";
+    if (clr & 0x40) return "Unclassified";
+    return "None";
+}
+
+static char *sec_FortezzaMessagePrivilege(SECItem *priv) {
+    unsigned char clr = 0;
+
+    if (priv->len > 0) { clr = (priv->data[0]) & 0x78; }
+
+    if (clr == 0x00) {
+	return "None";
+    } else {
+
+	return PR_smprintf("%s%s%s%s%s%s%s",
+
+	    clr&0x40?"Critical/Flash":"",
+	    (clr&0x40) && (clr&0x38) ? ", " : "" ,
+
+	    clr&0x20?"Immediate/Priority":"",
+	    (clr&0x20) && (clr&0x18) ? ", " : "" ,
+
+	    clr&0x10?"Routine/Deferred":"",
+	    (clr&0x10) && (clr&0x08) ? ", " : "" ,
+
+	    clr&0x08?"Rekey Agent":"");
+    }
+
+}
+					
+static char *sec_FortezzaCertPrivilege(SECItem *priv) {
+    unsigned char clr = 0;
+
+    if (priv->len > 0) { clr = priv->data[0]; }
+
+    return PR_smprintf("%s%s%s%s%s%s%s%s%s%s%s%s",
+	clr&0x40?"Organizational Releaser":"",
+	(clr&0x40) && (clr&0x3e) ? "," : "" ,
+	clr&0x20?"Policy Creation Authority":"",
+	(clr&0x20) && (clr&0x1e) ? "," : "" ,
+	clr&0x10?"Certificate Authority":"",
+	(clr&0x10) && (clr&0x0e) ? "," : "" ,
+	clr&0x08?"Local Managment Authority":"",
+	(clr&0x08) && (clr&0x06) ? "," : "" ,
+	clr&0x04?"Configuration Vector Authority":"",
+	(clr&0x04) && (clr&0x02) ? "," : "" ,
+	clr&0x02?"No Signature Capability":"",
+	clr&0x7e?"":"Signing Only"
+    );
+}
+
+static char *htmlcertstrings[] = {
+    "<table border=0 cellspacing=0 cellpadding=0><tr><td valign=top>"
+    "<font size=2><b>This Certificate belongs to:</b><br>"
+    "<table border=0 cellspacing=0 cellpadding=0><tr><td>",
+    0, /* image goes here */
+    0,
+    0,
+    "</td><td width=10> </td><td><font size=2>",
+    0, /* subject name goes here */
+    "</td></tr></table></font></td><td width=20> </td><td valign=top>"
+    "<font size=2><b>This Certificate was issued by:</b><br>"
+    "<table border=0 cellspacing=0 cellpadding=0><tr><td>",
+    0, /* image goes here */
+    0,
+    0,
+    "</td><td width=10> </td><td><font size=2>",
+    0, /* issuer name goes here */
+    "</td></tr></table></font></td></tr></table>"
+    "<b>Serial Number:</b> ",
+    0,
+    "<br><b>This Certificate is valid from ",
+    0, /* notBefore goes here */
+    " to ",
+    0, /* notAfter does here */
+    "</b><br><b>Clearance:</b>",
+    0,
+    "<br><b>DSS Privileges:</b>",
+    0,
+    "<br><b>KEA Privileges:</b>",
+    0,
+    "<br><b>KMID:</b>",
+    0,
+    "<br><b>Certificate Fingerprint:</b>"
+    "<table border=0 cellspacing=0 cellpadding=0><tr>"
+    "<td width=10> </td><td><font size=2>",
+    0, /* fingerprint goes here */
+    "</td></tr></table>",
+    0, /* comment header goes here */
+    0, /* comment goes here */
+    0, /* comment trailer goes here */
+    0
+};
+
+char *
+CERT_HTMLCertInfo(CERTCertificate *cert, PRBool showImages, PRBool showIssuer)
+{
+    SECStatus rv;
+    char *issuer, *subject, *serialNumber, *version;
+    char *notBefore, *notAfter;
+    char *ret;
+    char *nickname;
+    SECItem dummyitem;
+    unsigned char fingerprint[16];   /* result of MD5, always 16 bytes */
+    char *fpstr;
+    SECItem fpitem;
+    char *commentstring = NULL;
+    SECKEYPublicKey *pubk;
+    char *DSSPriv;
+    char *KMID = NULL;
+    char *servername;
+    
+    if (!cert) {
+	return(0);
+    }
+
+    issuer = CERT_FormatName (&cert->issuer);
+    subject = CERT_FormatName (&cert->subject);
+    version = CERT_Hexify (&cert->version,1);
+    serialNumber = CERT_Hexify (&cert->serialNumber,1);
+    notBefore = DER_UTCDayToAscii(&cert->validity.notBefore);
+    notAfter = DER_UTCDayToAscii(&cert->validity.notAfter);
+    servername = CERT_FindNSStringExtension(cert,
+				   SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
+
+    nickname = cert->nickname;
+    if ( nickname == NULL ) {
+	showImages = PR_FALSE;
+    }
+
+    dummyitem.data = NULL;
+    rv = CERT_FindCertExtension(cert, SEC_OID_NS_CERT_EXT_SUBJECT_LOGO,
+			       &dummyitem);
+    if ( dummyitem.data ) {
+	PORT_Free(dummyitem.data);
+    }
+    
+    if ( rv || !showImages ) {
+	htmlcertstrings[1] = "";
+	htmlcertstrings[2] = "";
+	htmlcertstrings[3] = "";
+    } else {
+	htmlcertstrings[1] = "<img src=\"about:security?subject-logo=";
+	htmlcertstrings[2] = nickname;
+	htmlcertstrings[3] = "\">";
+    }
+
+    if ( servername ) {
+	char *tmpstr;
+	tmpstr = (char *)PORT_Alloc(PORT_Strlen(subject) +
+				    PORT_Strlen(servername) +
+				    sizeof("<br>") + 1);
+	if ( tmpstr ) {
+	    PORT_Strcpy(tmpstr, servername);
+	    PORT_Strcat(tmpstr, "<br>");
+	    PORT_Strcat(tmpstr, subject);
+	    PORT_Free(subject);
+	    subject = tmpstr;
+	}
+    }
+    
+    htmlcertstrings[5] = subject;
+
+    dummyitem.data = NULL;
+    
+    rv = CERT_FindCertExtension(cert, SEC_OID_NS_CERT_EXT_ISSUER_LOGO,
+			       &dummyitem);
+    if ( dummyitem.data ) {
+	PORT_Free(dummyitem.data);
+    }
+    
+    if ( rv || !showImages ) {
+	htmlcertstrings[7] = "";
+	htmlcertstrings[8] = "";
+	htmlcertstrings[9] = "";
+    } else {
+	htmlcertstrings[7] = "<img src=\"about:security?issuer-logo=";
+	htmlcertstrings[8] = nickname;
+	htmlcertstrings[9] = "\">";
+    }
+
+    
+    if (showIssuer == PR_TRUE) {
+        htmlcertstrings[11] = issuer;
+    } else {
+	htmlcertstrings[11] = "";
+    }
+
+    htmlcertstrings[13] = serialNumber;
+    htmlcertstrings[15] = notBefore;
+    htmlcertstrings[17] = notAfter;
+
+    pubk = CERT_ExtractPublicKey(cert);
+    DSSPriv = NULL;
+    if (pubk && (pubk->keyType == fortezzaKey)) {
+	htmlcertstrings[18] = "</b><br><b>Clearance:</b>";
+	htmlcertstrings[19] = sec_FortezzaClearance(
+					&pubk->u.fortezza.clearance);
+	htmlcertstrings[20] = "<br><b>DSS Privileges:</b>";
+	DSSPriv = sec_FortezzaCertPrivilege(
+					&pubk->u.fortezza.DSSpriviledge);
+	htmlcertstrings[21] = DSSPriv;
+	htmlcertstrings[22] = "<br><b>KEA Privileges:</b>";
+	htmlcertstrings[23] = sec_FortezzaMessagePrivilege(
+					&pubk->u.fortezza.KEApriviledge);
+	htmlcertstrings[24] = "<br><b>KMID:</b>";
+	dummyitem.data = &pubk->u.fortezza.KMID[0];
+	dummyitem.len = sizeof(pubk->u.fortezza.KMID);
+	KMID = CERT_Hexify (&dummyitem,0);
+	htmlcertstrings[25] = KMID;
+    } else {
+	/* clear out the headers in the non-fortezza cases */
+	htmlcertstrings[18] = "";
+	htmlcertstrings[19] = "";
+	htmlcertstrings[20] = "";
+	htmlcertstrings[21] = "";
+	htmlcertstrings[22] = "";
+	htmlcertstrings[23] = "";
+	htmlcertstrings[24] = "";
+	htmlcertstrings[25] = "</b>";
+    }
+
+    if (pubk) {
+      SECKEY_DestroyPublicKey(pubk);
+    }
+
+#define HTML_OFF 27
+    rv = PK11_HashBuf(SEC_OID_MD5, fingerprint, 
+    	              cert->derCert.data, cert->derCert.len);
+    
+    fpitem.data = fingerprint;
+    fpitem.len = sizeof(fingerprint);
+
+    fpstr = CERT_Hexify (&fpitem,1);
+    
+    htmlcertstrings[HTML_OFF] = fpstr;
+
+    commentstring = CERT_GetCertCommentString(cert);
+
+    if (commentstring == NULL) {
+	htmlcertstrings[HTML_OFF+2] = "";
+	htmlcertstrings[HTML_OFF+3] = "";
+	htmlcertstrings[HTML_OFF+4] = "";
+    } else {
+	htmlcertstrings[HTML_OFF+2] =
+	    "<b>Comment:</b>"
+	    "<table border=0 cellspacing=0 cellpadding=0><tr>"
+	    "<td width=10> </td><td><font size=3>"
+	    "<textarea name=foobar rows=4 cols=55 onfocus=\"this.blur()\">";
+	htmlcertstrings[HTML_OFF+3] = commentstring;
+	htmlcertstrings[HTML_OFF+4] = "</textarea></font></td></tr></table>";
+    }
+    
+    ret = gatherStrings(htmlcertstrings);
+    
+    if ( issuer ) {
+	PORT_Free(issuer);
+    }
+    
+    if ( subject ) {
+	PORT_Free(subject);
+    }
+    
+    if ( version ) {
+	PORT_Free(version);
+    }
+    
+    if ( serialNumber ) {
+	PORT_Free(serialNumber);
+    }
+    
+    if ( notBefore ) {
+	PORT_Free(notBefore);
+    }
+    
+    if ( notAfter ) {
+	PORT_Free(notAfter);
+    }
+    
+    if ( fpstr ) {
+	PORT_Free(fpstr);
+    }
+    if (DSSPriv) {
+	PORT_Free(DSSPriv);
+    }
+
+    if (KMID) {
+	PORT_Free(KMID);
+    }
+
+    if ( commentstring ) {
+	PORT_Free(commentstring);
+    }
+    
+    if ( servername ) {
+	PORT_Free(servername);
+    }
+    
+    return(ret);
+}
+

mozilla/security/nss/lib/certhigh/certreq.c

@@ -0,0 +1,230 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "cert.h"
+#include "secder.h"
+#include "key.h"
+#include "secitem.h"
+#include "secasn1.h"
+
+const SEC_ASN1Template CERT_AttributeTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(CERTAttribute) },
+    { SEC_ASN1_OBJECT_ID, offsetof(CERTAttribute, attrType) },
+    { SEC_ASN1_SET_OF, offsetof(CERTAttribute, attrValue),
+	SEC_AnyTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_SetOfAttributeTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, CERT_AttributeTemplate },
+};
+
+const SEC_ASN1Template CERT_CertificateRequestTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCertificateRequest) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTCertificateRequest,version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificateRequest,subject),
+	  CERT_NameTemplate },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificateRequest,subjectPublicKeyInfo),
+	  CERT_SubjectPublicKeyInfoTemplate },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(CERTCertificateRequest,attributes), 
+	  CERT_SetOfAttributeTemplate },
+    { 0 }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateRequestTemplate)
+
+CERTCertificate *
+CERT_CreateCertificate(unsigned long serialNumber,
+		      CERTName *issuer,
+		      CERTValidity *validity,
+		      CERTCertificateRequest *req)
+{
+    CERTCertificate *c;
+    int rv;
+    PRArenaPool *arena;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	return(0);
+    }
+
+    c = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
+    
+    if (c) {
+	c->referenceCount = 1;
+	c->arena = arena;
+
+	/*
+	 * Default is a plain version 1.
+	 * If extensions are added, it will get changed as appropriate.
+	 */
+	rv = DER_SetUInteger(arena, &c->version, SEC_CERTIFICATE_VERSION_1);
+	if (rv) goto loser;
+
+	rv = DER_SetUInteger(arena, &c->serialNumber, serialNumber);
+	if (rv) goto loser;
+
+	rv = CERT_CopyName(arena, &c->issuer, issuer);
+	if (rv) goto loser;
+
+	rv = CERT_CopyValidity(arena, &c->validity, validity);
+	if (rv) goto loser;
+
+	rv = CERT_CopyName(arena, &c->subject, &req->subject);
+	if (rv) goto loser;
+	rv = SECKEY_CopySubjectPublicKeyInfo(arena, &c->subjectPublicKeyInfo,
+					  &req->subjectPublicKeyInfo);
+	if (rv) goto loser;
+    }
+    return c;
+
+  loser:
+    CERT_DestroyCertificate(c);
+    return 0;
+}
+
+/************************************************************************/
+
+CERTCertificateRequest *
+CERT_CreateCertificateRequest(CERTName *subject,
+			     CERTSubjectPublicKeyInfo *spki,
+			     SECItem **attributes)
+{
+    CERTCertificateRequest *certreq;
+    PRArenaPool *arena;
+    SECStatus rv;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	return NULL;
+    }
+    
+    certreq = (CERTCertificateRequest *)
+			PORT_ArenaZAlloc(arena, sizeof(CERTCertificateRequest));
+
+    if (certreq != NULL) {
+	certreq->arena = arena;
+	
+	rv = DER_SetUInteger(arena, &certreq->version,
+			     SEC_CERTIFICATE_REQUEST_VERSION);
+	if (rv != SECSuccess)
+	    goto loser;
+
+	rv = CERT_CopyName(arena, &certreq->subject, subject);
+	if (rv != SECSuccess)
+	    goto loser;
+
+	rv = SECKEY_CopySubjectPublicKeyInfo(arena,
+					  &certreq->subjectPublicKeyInfo,
+					  spki);
+	if (rv != SECSuccess)
+	    goto loser;
+
+	/* Copy over attribute information */
+	if (attributes) {
+	    int i = 0;
+
+	    /* allocate space for attributes */
+	    while(attributes[i] != NULL) i++;
+	    certreq->attributes = (SECItem**)PORT_ArenaZAlloc(arena, 
+						   	      sizeof(SECItem *) * (i + 1));
+	    if(!certreq->attributes) {
+		goto loser;
+	    }
+
+	    /* copy attributes */
+	    i = 0;
+	    while(attributes[i]) {
+		/*
+		** Attributes are a SetOf Attribute which implies
+		** lexigraphical ordering.  It is assumes that the
+		** attributes are passed in sorted.  If we need to
+		** add functionality to sort them, there is an
+		** example in the PKCS 7 code.
+		*/
+		certreq->attributes[i] = (SECItem*)PORT_ArenaZAlloc(arena, 
+							  	    sizeof(SECItem));
+		if(!certreq->attributes[i]) {
+		    goto loser;
+		};
+		rv = SECITEM_CopyItem(arena, certreq->attributes[i], 
+				      attributes[i]);
+		if (rv != SECSuccess) {
+		    goto loser;
+		}
+		i++;
+	    }
+	    certreq->attributes[i] = NULL;
+	} else {
+	    /*
+	     ** Invent empty attribute information. According to the
+	     ** pkcs#10 spec, attributes has this ASN.1 type:
+	     **
+	     ** attributes [0] IMPLICIT Attributes
+	     ** 
+	     ** Which means, we should create a NULL terminated list
+	     ** with the first entry being NULL;
+	     */
+	    certreq->attributes = (SECItem**)PORT_ArenaZAlloc(arena, sizeof(SECItem *));
+	    if(!certreq->attributes) {
+		goto loser;
+	    }
+	    certreq->attributes[0] = NULL;
+	} 
+    } else {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+
+    return certreq;
+
+loser:
+    CERT_DestroyCertificateRequest(certreq);
+    return NULL;
+}
+
+void
+CERT_DestroyCertificateRequest(CERTCertificateRequest *req)
+{
+    if (req && req->arena) {
+	PORT_FreeArena(req->arena, PR_FALSE);
+    }
+    return;
+}
+

mozilla/security/nss/lib/certhigh/config.mk

@@ -0,0 +1,43 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+

mozilla/security/nss/lib/certhigh/crlv2.c

@@ -0,0 +1,126 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Code for dealing with x.509 v3 crl and crl entries extensions.
+ *
+ * $Id: crlv2.c,v 1.1 2000-03-31 19:43:00 relyea%netscape.com Exp $
+ */
+
+#include "cert.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "secoidt.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "certxutl.h"
+
+SECStatus
+CERT_FindCRLExtensionByOID(CERTCrl *crl, SECItem *oid, SECItem *value)
+{
+    return (cert_FindExtensionByOID (crl->extensions, oid, value));
+}
+    
+
+SECStatus
+CERT_FindCRLExtension(CERTCrl *crl, int tag, SECItem *value)
+{
+    return (cert_FindExtension (crl->extensions, tag, value));
+}
+
+
+/* Callback to set extensions and adjust verison */
+static void
+SetCrlExts(void *object, CERTCertExtension **exts)
+{
+    CERTCrl *crl = (CERTCrl *)object;
+
+    crl->extensions = exts;
+    DER_SetUInteger (crl->arena, &crl->version, SEC_CRL_VERSION_2);
+}
+
+void *
+CERT_StartCRLExtensions(CERTCrl *crl)
+{
+    return (cert_StartExtensions ((void *)crl, crl->arena, SetCrlExts));
+}
+
+
+SECStatus CERT_FindCRLNumberExten (CERTCrl *crl, CERTCrlNumber *value)
+{
+    SECItem encodedExtenValue;
+    SECStatus rv;
+
+    encodedExtenValue.data = NULL;
+    encodedExtenValue.len = 0;
+
+    rv = cert_FindExtension
+	 (crl->extensions, SEC_OID_X509_CRL_NUMBER, &encodedExtenValue);
+    if ( rv != SECSuccess )
+	return (rv);
+
+    rv = SEC_ASN1DecodeItem (NULL, value, SEC_IntegerTemplate,
+			     &encodedExtenValue);
+    PORT_Free (encodedExtenValue.data);
+    return (rv);
+}
+
+SECStatus CERT_FindCRLReasonExten (CERTCrl *crl, SECItem *value)
+{
+    return (CERT_FindBitStringExtension
+	    (crl->extensions, SEC_OID_X509_REASON_CODE, value));    
+}
+
+SECStatus CERT_FindInvalidDateExten (CERTCrl *crl, int64 *value)
+{
+    SECItem encodedExtenValue;
+    SECItem decodedExtenValue = {siBuffer,0};
+    SECStatus rv;
+
+    encodedExtenValue.data = decodedExtenValue.data = NULL;
+    encodedExtenValue.len = decodedExtenValue.len = 0;
+
+    rv = cert_FindExtension
+	 (crl->extensions, SEC_OID_X509_INVALID_DATE, &encodedExtenValue);
+    if ( rv != SECSuccess )
+	return (rv);
+
+    rv = SEC_ASN1DecodeItem (NULL, &decodedExtenValue,
+			     SEC_GeneralizedTimeTemplate, &encodedExtenValue);
+    if (rv != SECSuccess)
+	return (rv);
+    rv = DER_GeneralizedTimeToTime(value, &encodedExtenValue);
+    PORT_Free (decodedExtenValue.data);
+    PORT_Free (encodedExtenValue.data);
+    return (rv);
+}

mozilla/security/nss/lib/certhigh/manifest.mn

@@ -0,0 +1,59 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	ocsp.h \
+	ocspt.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	ocspti.h \
+	$(NULL)
+
+MODULE = security
+
+CSRCS = \
+	certhtml.c \
+	certreq.c \
+	crlv2.c \
+	ocsp.c \
+	certhigh.c \
+    certvfy.c \
+    xcrldist.c \
+	$(NULL)
+
+REQUIRES = security dbm
+
+LIBRARY_NAME = certhi
+

mozilla/security/nss/lib/certhigh/ocsp.h

@@ -0,0 +1,455 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Interface to the OCSP implementation.
+ *
+ * $Id: ocsp.h,v 1.2 2001-11-08 00:14:45 relyea%netscape.com Exp $
+ */
+
+#ifndef _OCSP_H_
+#define _OCSP_H_
+
+
+#include "plarena.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "keyt.h"
+#include "certt.h"
+#include "ocspt.h"
+
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/*
+ * FUNCTION: CERT_EnableOCSPChecking
+ *   Turns on OCSP checking for the given certificate database.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Certificate database for which OCSP checking will be enabled.
+ * RETURN:
+ *   Returns SECFailure if an error occurred (likely only problem
+ *   allocating memory); SECSuccess otherwise.
+ */
+extern SECStatus
+CERT_EnableOCSPChecking(CERTCertDBHandle *handle);
+
+/*
+ * FUNCTION: CERT_DisableOCSPChecking
+ *   Turns off OCSP checking for the given certificate database.
+ *   This routine disables OCSP checking.  Though it will return
+ *   SECFailure if OCSP checking is not enabled, it is "safe" to
+ *   call it that way and just ignore the return value, if it is
+ *   easier to just call it than to "remember" whether it is enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Certificate database for which OCSP checking will be disabled.
+ * RETURN:
+ *   Returns SECFailure if an error occurred (usually means that OCSP
+ *   checking was not enabled or status contexts were not initialized --
+ *   error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise.
+ */
+extern SECStatus
+CERT_DisableOCSPChecking(CERTCertDBHandle *handle);
+
+/*
+ * FUNCTION: CERT_SetOCSPDefaultResponder
+ *   Specify the location and cert of the default responder.
+ *   If OCSP checking is already enabled *and* use of a default responder
+ *   is also already enabled, all OCSP checking from now on will go directly
+ *   to the specified responder.  If OCSP checking is not enabled, or if
+ *   it is but use of a default responder is not enabled, the information
+ *   will be recorded and take effect whenever both are enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should use the default responder.
+ *   char *url
+ *     The location of the default responder (e.g. "http://foo.com:80/ocsp")
+ *     Note that the location will not be tested until the first attempt
+ *     to send a request there.
+ *   char *name
+ *     The nickname of the cert to trust (expected) to sign the OCSP responses.
+ *     If the corresponding cert cannot be found, SECFailure is returned.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   The most likely error is that the cert for "name" could not be found
+ *   (probably SEC_ERROR_UNKNOWN_CERT).  Other errors are low-level (no memory,
+ *   bad database, etc.).
+ */
+extern SECStatus
+CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
+			     const char *url, const char *name);
+
+/*
+ * FUNCTION: CERT_EnableOCSPDefaultResponder
+ *   Turns on use of a default responder when OCSP checking.
+ *   If OCSP checking is already enabled, this will make subsequent checks
+ *   go directly to the default responder.  (The location of the responder
+ *   and the nickname of the responder cert must already be specified.)
+ *   If OCSP checking is not enabled, this will be recorded and take effect
+ *   whenever it is enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should use the default responder.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   No errors are especially likely unless the caller did not previously
+ *   perform a successful call to SetOCSPDefaultResponder (in which case
+ *   the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER).
+ */
+extern SECStatus
+CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle);
+
+/*
+ * FUNCTION: CERT_DisableOCSPDefaultResponder
+ *   Turns off use of a default responder when OCSP checking.
+ *   (Does nothing if use of a default responder is not enabled.)
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should stop using a default
+ *     responder.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   Errors very unlikely (like random memory corruption...).
+ */
+extern SECStatus
+CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle);
+
+/*
+ * -------------------------------------------------------
+ * The Functions above are those expected to be used by a client
+ * providing OCSP status checking along with every cert verification.
+ * The functions below are for OCSP testing, debugging, or clients
+ * or servers performing more specialized OCSP tasks.
+ * -------------------------------------------------------
+ */
+
+/*
+ * FUNCTION: CERT_CreateOCSPRequest
+ *   Creates a CERTOCSPRequest, requesting the status of the certs in 
+ *   the given list.
+ * INPUTS:
+ *   CERTCertList *certList
+ *     A list of certs for which status will be requested.
+ *     Note that all of these certificates should have the same issuer,
+ *     or it's expected the response will be signed by a trusted responder.
+ *     If the certs need to be broken up into multiple requests, that
+ *     must be handled by the caller (and thus by having multiple calls
+ *     to this routine), who knows about where the request(s) are being
+ *     sent and whether there are any trusted responders in place.
+ *   int64 time
+ *     Indicates the time for which the certificate status is to be 
+ *     determined -- this may be used in the search for the cert's issuer
+ *     but has no effect on the request itself.
+ *   PRBool addServiceLocator
+ *     If true, the Service Locator extension should be added to the
+ *     single request(s) for each cert.
+ *   CERTCertificate *signerCert
+ *     If non-NULL, means sign the request using this cert.  Otherwise,
+ *     do not sign.
+ *     XXX note that request signing is not yet supported; see comment in code
+ * RETURN:
+ *   A pointer to a CERTOCSPRequest structure containing an OCSP request
+ *   for the cert list.  On error, null is returned, with an error set
+ *   indicating the reason.  This is likely SEC_ERROR_UNKNOWN_ISSUER.
+ *   (The issuer is needed to create a request for the certificate.)
+ *   Other errors are low-level problems (no memory, bad database, etc.).
+ */
+extern CERTOCSPRequest *
+CERT_CreateOCSPRequest(CERTCertList *certList, int64 time, 
+		       PRBool addServiceLocator,
+		       CERTCertificate *signerCert);
+
+/*
+ * FUNCTION: CERT_AddOCSPAcceptableResponses
+ *   Add the AcceptableResponses extension to an OCSP Request.
+ * INPUTS:
+ *   CERTOCSPRequest *request
+ *     The request to which the extension should be added.
+ *   ...
+ *     A list (of one or more) of SECOidTag -- each of the response types
+ *     to be added.  The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE.
+ *     (This marks the end of the list, and it must be specified because a
+ *     client conforming to the OCSP standard is required to handle the basic
+ *     response type.)  The OIDs are not checked in any way.
+ * RETURN:
+ *   SECSuccess if the extension is added; SECFailure if anything goes wrong.
+ *   All errors are internal or low-level problems (e.g. no memory).
+ */
+extern SECStatus
+CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, ...);
+
+/* 
+ * FUNCTION: CERT_EncodeOCSPRequest
+ *   DER encodes an OCSP Request, possibly adding a signature as well.
+ *   XXX Signing is not yet supported, however; see comments in code.
+ * INPUTS: 
+ *   PRArenaPool *arena
+ *     The return value is allocated from here.
+ *     If a NULL is passed in, allocation is done from the heap instead.
+ *   CERTOCSPRequest *request
+ *     The request to be encoded.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.  (Definitely
+ *     not needed if not signing.)
+ * RETURN:
+ *   Returns a NULL on error and a pointer to the SECItem with the
+ *   encoded value otherwise.  Any error is likely to be low-level
+ *   (e.g. no memory).
+ */
+extern SECItem *
+CERT_EncodeOCSPRequest(PRArenaPool *arena, CERTOCSPRequest *request, 
+		       void *pwArg);
+
+/*
+ * FUNCTION: CERT_DecodeOCSPRequest
+ *   Decode a DER encoded OCSP Request.
+ * INPUTS:
+ *   SECItem *src
+ *     Pointer to a SECItem holding DER encoded OCSP Request.
+ * RETURN:
+ *   Returns a pointer to a CERTOCSPRequest containing the decoded request.
+ *   On error, returns NULL.  Most likely error is trouble decoding
+ *   (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory).
+ */
+extern CERTOCSPRequest *
+CERT_DecodeOCSPRequest(SECItem *src);
+
+/*
+ * FUNCTION: CERT_DestroyOCSPRequest
+ *   Frees an OCSP Request structure.
+ * INPUTS:
+ *   CERTOCSPRequest *request
+ *     Pointer to CERTOCSPRequest to be freed.
+ * RETURN:
+ *   No return value; no errors.
+ */
+extern void
+CERT_DestroyOCSPRequest(CERTOCSPRequest *request);
+
+/*
+ * FUNCTION: CERT_DecodeOCSPResponse
+ *   Decode a DER encoded OCSP Response.
+ * INPUTS:
+ *   SECItem *src
+ *     Pointer to a SECItem holding DER encoded OCSP Response.
+ * RETURN:
+ *   Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response);
+ *   the caller is responsible for destroying it.  Or NULL if error (either
+ *   response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE),
+ *   it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE),
+ *   or a low-level or internal error occurred).
+ */
+extern CERTOCSPResponse *
+CERT_DecodeOCSPResponse(SECItem *src);
+
+/*
+ * FUNCTION: CERT_DestroyOCSPResponse
+ *   Frees an OCSP Response structure.
+ * INPUTS:
+ *   CERTOCSPResponse *request
+ *     Pointer to CERTOCSPResponse to be freed.
+ * RETURN:
+ *   No return value; no errors.
+ */
+extern void
+CERT_DestroyOCSPResponse(CERTOCSPResponse *response);
+
+/*
+ * FUNCTION: CERT_GetEncodedOCSPResponse
+ *   Creates and sends a request to an OCSP responder, then reads and
+ *   returns the (encoded) response.
+ * INPUTS:
+ *   PRArenaPool *arena
+ *     Pointer to arena from which return value will be allocated.
+ *     If NULL, result will be allocated from the heap (and thus should
+ *     be freed via SECITEM_FreeItem).
+ *   CERTCertList *certList
+ *     A list of certs for which status will be requested.
+ *     Note that all of these certificates should have the same issuer,
+ *     or it's expected the response will be signed by a trusted responder.
+ *     If the certs need to be broken up into multiple requests, that
+ *     must be handled by the caller (and thus by having multiple calls
+ *     to this routine), who knows about where the request(s) are being
+ *     sent and whether there are any trusted responders in place.
+ *   char *location
+ *     The location of the OCSP responder (a URL).
+ *   int64 time
+ *     Indicates the time for which the certificate status is to be 
+ *     determined -- this may be used in the search for the cert's issuer
+ *     but has no other bearing on the operation.
+ *   PRBool addServiceLocator
+ *     If true, the Service Locator extension should be added to the
+ *     single request(s) for each cert.
+ *   CERTCertificate *signerCert
+ *     If non-NULL, means sign the request using this cert.  Otherwise,
+ *     do not sign.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.  (Definitely
+ *     not needed if not signing.)
+ * OUTPUTS:
+ *   CERTOCSPRequest **pRequest
+ *     Pointer in which to store the OCSP request created for the given
+ *     list of certificates.  It is only filled in if the entire operation
+ *     is successful and the pointer is not null -- and in that case the
+ *     caller is then reponsible for destroying it.
+ * RETURN:
+ *   Returns a pointer to the SECItem holding the response.
+ *   On error, returns null with error set describing the reason:
+ *	SEC_ERROR_UNKNOWN_ISSUER
+ *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+ *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
+ *   Other errors are low-level problems (no memory, bad database, etc.).
+ */
+extern SECItem *
+CERT_GetEncodedOCSPResponse(PRArenaPool *arena, CERTCertList *certList,
+			    char *location, int64 time,
+			    PRBool addServiceLocator,
+			    CERTCertificate *signerCert, void *pwArg,
+			    CERTOCSPRequest **pRequest);
+
+/*
+ * FUNCTION: CERT_VerifyOCSPResponseSignature
+ *   Check the signature on an OCSP Response.  Will also perform a
+ *   verification of the signer's certificate.  Note, however, that a
+ *   successful verification does not make any statement about the
+ *   signer's *authority* to provide status for the certificate(s),
+ *   that must be checked individually for each certificate.
+ * INPUTS:
+ *   CERTOCSPResponse *response
+ *     Pointer to response structure with signature to be checked.
+ *   CERTCertDBHandle *handle
+ *     Pointer to CERTCertDBHandle for certificate DB to use for verification.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.
+ *   CERTCertificate *issuerCert
+ *     Issuer of the certificate that generated the OCSP request.
+ * OUTPUTS:
+ *   CERTCertificate **pSignerCert
+ *     Pointer in which to store signer's certificate; only filled-in if
+ *     non-null.
+ * RETURN:
+ *   Returns SECSuccess when signature is valid, anything else means invalid.
+ *   Possible errors set:
+ *	SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID
+ *	SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time
+ *	SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
+ *	SEC_ERROR_BAD_SIGNATURE - the signature did not verify
+ *   Other errors are any of the many possible failures in cert verification
+ *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
+ *   verifying the signer's cert, or low-level problems (no memory, etc.)
+ */
+extern SECStatus
+CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,	
+				 CERTCertDBHandle *handle, void *pwArg,
+				 CERTCertificate **pSignerCert,
+				 CERTCertificate *issuerCert);
+
+/*
+ * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
+ *   Get the value of the URI of the OCSP responder for the given cert.
+ *   This is found in the (optional) Authority Information Access extension
+ *   in the cert.
+ * INPUTS:
+ *   CERTCertificate *cert
+ *     The certificate being examined.
+ * RETURN:
+ *   char *
+ *     A copy of the URI for the OCSP method, if found.  If either the
+ *     extension is not present or it does not contain an entry for OCSP,
+ *     SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
+ *     Any other error will also result in a NULL being returned.
+ *     
+ *     This result should be freed (via PORT_Free) when no longer in use.
+ */
+extern char *
+CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert);
+
+/*
+ * FUNCTION: CERT_CheckOCSPStatus
+ *   Checks the status of a certificate via OCSP.  Will only check status for
+ *   a certificate that has an AIA (Authority Information Access) extension
+ *   for OCSP *or* when a "default responder" is specified and enabled.
+ *   (If no AIA extension for OCSP and no default responder in place, the
+ *   cert is considered to have a good status and SECSuccess is returned.)
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     certificate DB of the cert that is being checked
+ *   CERTCertificate *cert
+ *     the certificate being checked
+ *   XXX in the long term also need a boolean parameter that specifies
+ *	whether to check the cert chain, as well; for now we check only
+ *	the leaf (the specified certificate)
+ *   int64 time
+ *     time for which status is to be determined
+ *   void *pwArg
+ *     argument for password prompting, if needed
+ * RETURN:
+ *   Returns SECSuccess if an approved OCSP responder "knows" the cert
+ *   *and* returns a non-revoked status for it; SECFailure otherwise,
+ *   with an error set describing the reason:
+ *
+ *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
+ *	SEC_ERROR_OCSP_FUTURE_RESPONSE
+ *	SEC_ERROR_OCSP_MALFORMED_REQUEST
+ *	SEC_ERROR_OCSP_MALFORMED_RESPONSE
+ *	SEC_ERROR_OCSP_OLD_RESPONSE
+ *	SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
+ *	SEC_ERROR_OCSP_SERVER_ERROR
+ *	SEC_ERROR_OCSP_TRY_SERVER_LATER
+ *	SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
+ *	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
+ *	SEC_ERROR_OCSP_UNKNOWN_CERT
+ *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
+ *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
+ *
+ *	SEC_ERROR_BAD_SIGNATURE
+ *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+ *	SEC_ERROR_INVALID_TIME
+ *	SEC_ERROR_REVOKED_CERTIFICATE
+ *	SEC_ERROR_UNKNOWN_ISSUER
+ *	SEC_ERROR_UNKNOWN_SIGNER
+ *
+ *   Other errors are any of the many possible failures in cert verification
+ *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
+ *   verifying the signer's cert, or low-level problems (error allocating
+ *   memory, error performing ASN.1 decoding, etc.).
+ */    
+extern SECStatus 
+CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
+		     int64 time, void *pwArg);
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _OCSP_H_ */

mozilla/security/nss/lib/certhigh/ocspt.h

@@ -0,0 +1,59 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Public header for exported OCSP types.
+ *
+ * $Id: ocspt.h,v 1.1 2000-03-31 19:43:03 relyea%netscape.com Exp $
+ */
+
+#ifndef _OCSPT_H_
+#define _OCSPT_H_
+
+/*
+ * The following are all opaque types.  If someone needs to get at
+ * a field within, then we need to fix the API.  Try very hard not
+ * make the type available to them.
+ */
+typedef struct CERTOCSPRequestStr CERTOCSPRequest;
+typedef struct CERTOCSPResponseStr CERTOCSPResponse;
+
+/*
+ * XXX I think only those first two above should need to be exported,
+ * but until I know for certain I am leaving the rest of these here, too.
+ */
+typedef struct CERTOCSPCertIDStr CERTOCSPCertID;
+typedef struct CERTOCSPCertStatusStr CERTOCSPCertStatus;
+typedef struct CERTOCSPSingleResponseStr CERTOCSPSingleResponse;
+
+#endif /* _OCSPT_H_ */

mozilla/security/nss/lib/certhigh/ocspti.h

@@ -0,0 +1,404 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Private header defining OCSP types.
+ *
+ * $Id: ocspti.h,v 1.2 2001-11-08 00:14:45 relyea%netscape.com Exp $
+ */
+
+#ifndef _OCSPTI_H_
+#define _OCSPTI_H_
+
+#include "ocspt.h"
+
+#include "certt.h"
+#include "plarena.h"
+#include "seccomon.h"
+#include "secoidt.h"
+
+
+/*
+ * Some notes about naming conventions...
+ *
+ * The public data types all start with "CERTOCSP" (e.g. CERTOCSPRequest).
+ * (Even the public types are opaque, however.  Only their names are
+ * "exported".)
+ *
+ * Internal-only data types drop the "CERT" prefix and use only the
+ * lower-case "ocsp" (e.g. ocspTBSRequest), for brevity sake.
+ *
+ * In either case, the base/suffix of the type name usually matches the
+ * name as defined in the OCSP specification.  The exceptions to this are:
+ *  - When there is overlap between the "OCSP" or "ocsp" prefix and
+ *    the name used in the standard.  That is, you cannot strip off the
+ *    "CERTOCSP" or "ocsp" prefix and necessarily get the name of the
+ *    type as it is defined in the standard; the "real" name will be
+ *    *either* "OCSPSuffix" or just "Suffix".
+ *  - When the name in the standard was a little too generic.  (e.g. The
+ *    standard defines "Request" but we call it a "SingleRequest".)
+ *    In this case a comment above the type definition calls attention
+ *    to the difference.
+ *
+ * The definitions laid out in this header file are intended to follow
+ * the same order as the definitions in the OCSP specification itself.
+ * With the OCSP standard in hand, you should be able to move through
+ * this file and follow along.  To future modifiers of this file: please
+ * try to keep it that way.  The only exceptions are the few cases where
+ * we need to define a type before it is referenced (e.g. enumerations),
+ * whereas in the OCSP specification these are usually defined the other
+ * way around (reference before definition).
+ */
+
+
+/*
+ * Forward-declarations of internal-only data structures.
+ *
+ * These are in alphabetical order (case-insensitive); please keep it that way!
+ */
+typedef struct ocspBasicOCSPResponseStr ocspBasicOCSPResponse;
+typedef struct ocspCertStatusStr ocspCertStatus;
+typedef struct ocspResponderIDStr ocspResponderID;
+typedef struct ocspResponseBytesStr ocspResponseBytes;
+typedef struct ocspResponseDataStr ocspResponseData;
+typedef struct ocspRevokedInfoStr ocspRevokedInfo;
+typedef struct ocspServiceLocatorStr ocspServiceLocator;
+typedef struct ocspSignatureStr ocspSignature;
+typedef struct ocspSingleRequestStr ocspSingleRequest;
+typedef struct ocspSingleResponseStr ocspSingleResponse;
+typedef struct ocspTBSRequestStr ocspTBSRequest;
+
+
+/*
+ * An OCSPRequest; this is what is sent (encoded) to an OCSP responder.
+ */
+struct CERTOCSPRequestStr {
+    PRArenaPool *arena;			/* local; not part of encoding */
+    ocspTBSRequest *tbsRequest;
+    ocspSignature *optionalSignature;
+};
+
+/*
+ * A TBSRequest; when an OCSPRequest is signed, the encoding of this
+ * is what the signature is actually applied to.  ("TBS" == To Be Signed)
+ * Whether signed or not, however, this structure will be present, and
+ * is the "meat" of the OCSPRequest.
+ *
+ * Note that the "requestorName" field cannot be encoded/decoded in the
+ * same pass as the entire request -- it needs to be handled with a special
+ * call to convert to/from our internal form of a GeneralName.  Thus the
+ * "derRequestorName" field, which is the actual DER-encoded bytes.
+ *
+ * The "extensionHandle" field is used on creation only; it holds
+ * in-progress extensions as they are optionally added to the request.
+ */
+struct ocspTBSRequestStr {
+    SECItem version;			/* an INTEGER */
+    SECItem *derRequestorName;		/* encoded GeneralName; see above */
+    CERTGeneralNameList *requestorName;	/* local; not part of encoding */
+    ocspSingleRequest **requestList;
+    CERTCertExtension **requestExtensions;
+    void *extensionHandle;		/* local; not part of encoding */
+};
+
+/*
+ * This is the actual signature information for an OCSPRequest (applied to
+ * the TBSRequest structure) or for a BasicOCSPResponse (applied to a
+ * ResponseData structure).
+ *
+ * Note that the "signature" field itself is a BIT STRING; operations on
+ * it need to keep that in mind, converting the length to bytes as needed
+ * and back again afterward (so that the length is usually expressing bits).
+ *
+ * The "cert" field is the signer's certificate.  In the case of a received
+ * signature, it will be filled in when the signature is verified.  In the
+ * case of a created signature, it is filled in on creation and will be the
+ * cert used to create the signature when the signing-and-encoding occurs,
+ * as well as the cert (and its chain) to fill in derCerts if requested.
+ *
+ * The extra fields cache information about the signature after we have
+ * attempted a verification.  "wasChecked", if true, means the signature
+ * has been checked against the appropriate data and thus that "status"
+ * contains the result of that verification.  If "status" is not SECSuccess,
+ * "failureReason" is a copy of the error code that was set at the time;
+ * presumably it tells why the signature verification failed.
+ */
+struct ocspSignatureStr {
+    SECAlgorithmID signatureAlgorithm;
+    SECItem signature;			/* a BIT STRING */
+    SECItem **derCerts;			/* a SEQUENCE OF Certificate */
+    CERTCertificate *cert;		/* local; not part of encoding */
+    PRBool wasChecked;			/* local; not part of encoding */
+    SECStatus status;			/* local; not part of encoding */
+    int failureReason;			/* local; not part of encoding */
+};
+
+/*
+ * An OCSPRequest contains a SEQUENCE OF these, one for each certificate
+ * whose status is being checked.
+ *
+ * Note that in the OCSP specification this is just called "Request",
+ * but since that seemed confusing (vs. an OCSPRequest) and to be more
+ * consistent with the parallel type "SingleResponse", I called it a
+ * "SingleRequest".
+ * 
+ * XXX figure out how to get rid of that arena -- there must be a way
+ */
+struct ocspSingleRequestStr {
+    PRArenaPool *arena;			/* just a copy of the response arena,
+					 * needed here for extension handling
+					 * routines, on creation only */
+    CERTOCSPCertID *reqCert;
+    CERTCertExtension **singleRequestExtensions;
+};
+
+/*
+ * A CertID is the means of identifying a certificate, used both in requests
+ * and in responses.
+ *
+ * When in a SingleRequest it specifies the certificate to be checked.
+ * When in a SingleResponse it is the cert whose status is being given.
+ */
+struct CERTOCSPCertIDStr {
+    SECAlgorithmID hashAlgorithm;
+    SECItem issuerNameHash;		/* an OCTET STRING */
+    SECItem issuerKeyHash;		/* an OCTET STRING */
+    SECItem serialNumber;		/* an INTEGER */
+    SECItem issuerSHA1NameHash;		/* keep other hashes around when */
+    SECItem issuerMD5NameHash;              /* we have them */
+    SECItem issuerMD2NameHash;
+    SECItem issuerSHA1KeyHash;		/* keep other hashes around when */
+    SECItem issuerMD5KeyHash;              /* we have them */
+    SECItem issuerMD2KeyHash;
+};
+
+/*
+ * This describes the value of the responseStatus field in an OCSPResponse.
+ * The corresponding ASN.1 definition is:
+ *
+ * OCSPResponseStatus	::=	ENUMERATED {
+ *	successful		(0),	--Response has valid confirmations
+ *	malformedRequest	(1),	--Illegal confirmation request
+ *	internalError		(2),	--Internal error in issuer
+ *	tryLater		(3),	--Try again later
+ *					--(4) is not used
+ *	sigRequired		(5),	--Must sign the request
+ *	unauthorized		(6),	--Request unauthorized
+ * }
+ */
+typedef enum {
+    ocspResponse_successful = 0,
+    ocspResponse_malformedRequest = 1,
+    ocspResponse_internalError = 2,
+    ocspResponse_tryLater = 3,
+    ocspResponse_unused = 4,
+    ocspResponse_sigRequired = 5,
+    ocspResponse_unauthorized = 6,
+    ocspResponse_other			/* unknown/unrecognized value */
+} ocspResponseStatus;
+
+/*
+ * An OCSPResponse is what is sent (encoded) by an OCSP responder.
+ *
+ * The field "responseStatus" is the ASN.1 encoded value; the field
+ * "statusValue" is simply that same value translated into our local
+ * type ocspResponseStatus.
+ */
+struct CERTOCSPResponseStr {
+    PRArenaPool *arena;			/* local; not part of encoding */
+    SECItem responseStatus;		/* an ENUMERATED, see above */
+    ocspResponseStatus statusValue;	/* local; not part of encoding */
+    ocspResponseBytes *responseBytes;	/* only when status is successful */
+};
+
+/*
+ * A ResponseBytes (despite appearances) is what contains the meat
+ * of a successful response -- but still in encoded form.  The type
+ * given as "responseType" tells you how to decode the string.
+ *
+ * We look at the OID and translate it into our local OID representation
+ * "responseTypeTag", and use that value to tell us how to decode the
+ * actual response itself.  For now the only kind of OCSP response we
+ * know about is a BasicOCSPResponse.  However, the intention in the
+ * OCSP specification is to allow for other response types, so we are
+ * building in that flexibility from the start and thus put a pointer
+ * to that data structure inside of a union.  Whenever OCSP adds more
+ * response types, just add them to the union.
+ */
+struct ocspResponseBytesStr {
+    SECItem responseType;		/* an OBJECT IDENTIFIER */
+    SECOidTag responseTypeTag;		/* local; not part of encoding */
+    SECItem response;			/* an OCTET STRING */
+    union {
+	ocspBasicOCSPResponse *basic;	/* when type is id-pkix-ocsp-basic */
+    } decodedResponse;			/* local; not part of encoding */
+};
+
+/*
+ * A BasicOCSPResponse -- when the responseType in a ResponseBytes is
+ * id-pkix-ocsp-basic, the "response" OCTET STRING above is the DER
+ * encoding of one of these.
+ *
+ * Note that in the OCSP specification, the signature fields are not
+ * part of a separate sub-structure.  But since they are the same fields
+ * as we define for the signature in a request, it made sense to share
+ * the C data structure here and in some shared code to operate on them.
+ */
+struct ocspBasicOCSPResponseStr {
+    ocspResponseData *tbsResponseData;	/* "tbs" == To Be Signed */
+    ocspSignature responseSignature;
+};
+
+/*
+ * A ResponseData is the part of a BasicOCSPResponse that is signed
+ * (after it is DER encoded).  It contains the real details of the response
+ * (a per-certificate status).
+ */
+struct ocspResponseDataStr {
+    SECItem version;			/* an INTEGER */
+    SECItem derResponderID;
+    ocspResponderID *responderID;	/* local; not part of encoding */
+    SECItem producedAt;			/* a GeneralizedTime */
+    CERTOCSPSingleResponse **responses;
+    CERTCertExtension **responseExtensions;
+};
+
+/*
+ * A ResponderID identifies the responder -- or more correctly, the
+ * signer of the response.  The ASN.1 definition of a ResponderID is:
+ *
+ * ResponderID	::=	CHOICE {
+ *	byName			[1] EXPLICIT Name,
+ *	byKey			[2] EXPLICIT KeyHash }
+ *
+ * Because it is CHOICE, the type of identification used and the
+ * identification itself are actually encoded together.  To represent
+ * this same information internally, we explicitly define a type and
+ * save it, along with the value, into a data structure.
+ */
+
+typedef enum {
+    ocspResponderID_byName,
+    ocspResponderID_byKey,
+    ocspResponderID_other		/* unknown kind of responderID */
+} ocspResponderIDType;
+
+struct ocspResponderIDStr {
+    ocspResponderIDType responderIDType;/* local; not part of encoding */
+    union {
+	CERTName name;			/* when ocspResponderID_byName */
+	SECItem keyHash;		/* when ocspResponderID_byKey */
+	SECItem other;			/* when ocspResponderID_other */
+    } responderIDValue;
+};
+
+/*
+ * The ResponseData in a BasicOCSPResponse contains a SEQUENCE OF
+ * SingleResponse -- one for each certificate whose status is being supplied.
+ * 
+ * XXX figure out how to get rid of that arena -- there must be a way
+ */
+struct CERTOCSPSingleResponseStr {
+    PRArenaPool *arena;			/* just a copy of the response arena,
+					 * needed here for extension handling
+					 * routines, on creation only */
+    CERTOCSPCertID *certID;
+    SECItem derCertStatus;
+    ocspCertStatus *certStatus;		/* local; not part of encoding */
+    SECItem thisUpdate;			/* a GeneralizedTime */
+    SECItem *nextUpdate;		/* a GeneralizedTime */
+    CERTCertExtension **singleExtensions;
+};
+
+/*
+ * A CertStatus is the actual per-certificate status.  Its ASN.1 definition:
+ *
+ * CertStatus	::=	CHOICE {
+ *	good			[0] IMPLICIT NULL,
+ *	revoked			[1] IMPLICIT RevokedInfo,
+ *	unknown			[2] IMPLICIT UnknownInfo }
+ *
+ * (where for now UnknownInfo is defined to be NULL but in the
+ * future may be replaced with an enumeration).
+ *
+ * Because it is CHOICE, the status value and its associated information
+ * (if any) are actually encoded together.  To represent this same
+ * information internally, we explicitly define a type and save it,
+ * along with the value, into a data structure.
+ */
+
+typedef enum {
+    ocspCertStatus_good,		/* cert is not revoked */
+    ocspCertStatus_revoked,		/* cert is revoked */
+    ocspCertStatus_unknown,		/* cert was unknown to the responder */
+    ocspCertStatus_other		/* status was not an expected value */
+} ocspCertStatusType;
+
+/*
+ * This is the actual per-certificate status.
+ *
+ * The "goodInfo" and "unknownInfo" items are only place-holders for a NULL.
+ * (Though someday OCSP may replace UnknownInfo with an enumeration that
+ * gives more detailed information.)
+ */
+struct ocspCertStatusStr {
+    ocspCertStatusType certStatusType;	/* local; not part of encoding */
+    union {
+	SECItem *goodInfo;		/* when ocspCertStatus_good */
+	ocspRevokedInfo *revokedInfo;	/* when ocspCertStatus_revoked */
+	SECItem *unknownInfo;		/* when ocspCertStatus_unknown */
+	SECItem *otherInfo;		/* when ocspCertStatus_other */
+    } certStatusInfo; 
+};
+
+/*
+ * A RevokedInfo gives information about a revoked certificate -- when it
+ * was revoked and why.
+ */
+struct ocspRevokedInfoStr {
+    SECItem revocationTime;		/* a GeneralizedTime */
+    SECItem *revocationReason;		/* a CRLReason; ignored for now */
+};
+
+/*
+ * ServiceLocator can be included as one of the singleRequestExtensions.
+ * When added, it specifies the (name of the) issuer of the cert being
+ * checked, and optionally the value of the AuthorityInfoAccess extension
+ * if the cert has one.
+ */
+struct ocspServiceLocatorStr {
+    CERTName *issuer;
+    SECItem locator;	/* DER encoded authInfoAccess extension from cert */
+};
+
+#endif /* _OCSPTI_H_ */

mozilla/security/nss/lib/certhigh/xcrldist.c

@@ -0,0 +1,222 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Code for dealing with x.509 v3 CRL Distribution Point extension.
+ */
+#include "genname.h"
+#include "certt.h"
+#include "secerr.h"
+
+extern void PrepareBitStringForEncoding (SECItem *bitMap, SECItem *value);
+
+static const SEC_ASN1Template FullNameTemplate[] = {
+    {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0,
+	offsetof (CRLDistributionPoint,derFullName), CERT_GeneralNamesTemplate}
+};
+
+static const SEC_ASN1Template RelativeNameTemplate[] = {
+    {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1, 
+	offsetof (CRLDistributionPoint,distPoint.relativeName), CERT_RDNTemplate}
+};
+	 
+static const SEC_ASN1Template CRLDistributionPointTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRLDistributionPoint) },
+	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
+	    SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
+	    offsetof(CRLDistributionPoint,derDistPoint), SEC_AnyTemplate},
+	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	    offsetof(CRLDistributionPoint,bitsmap), SEC_BitStringTemplate},
+	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
+	    SEC_ASN1_CONSTRUCTED | 2,
+	    offsetof(CRLDistributionPoint, derCrlIssuer), CERT_GeneralNamesTemplate},
+    { 0 }
+};
+
+const SEC_ASN1Template CERTCRLDistributionPointsTemplate[] = {
+    {SEC_ASN1_SEQUENCE_OF, 0, CRLDistributionPointTemplate}
+};
+
+SECStatus
+CERT_EncodeCRLDistributionPoints (PRArenaPool *arena, CERTCrlDistributionPoints *value,
+				  SECItem *derValue)
+{
+    CRLDistributionPoint **pointList, *point;
+    PRArenaPool *ourPool = NULL;
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert (derValue);
+    PORT_Assert (value && value->distPoints);
+
+    do {
+	ourPool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+	if (ourPool == NULL) {
+	    rv = SECFailure;
+	    break;
+	}    
+	
+	pointList = value->distPoints;
+	while (*pointList) {
+	    point = *pointList;
+	    point->derFullName = NULL;
+	    point->derDistPoint.data = NULL;
+
+	    if (point->distPointType == generalName) {
+		point->derFullName = cert_EncodeGeneralNames
+		    (ourPool, point->distPoint.fullName);
+		
+		if (point->derFullName) {
+		    rv = (SEC_ASN1EncodeItem (ourPool, &point->derDistPoint,
+			  point, FullNameTemplate) == NULL) ? SECFailure : SECSuccess;
+		} else {
+		    rv = SECFailure;
+		}
+	    }
+	    else if (point->distPointType == relativeDistinguishedName) {
+		if (SEC_ASN1EncodeItem
+		     (ourPool, &point->derDistPoint, 
+		      point, RelativeNameTemplate) == NULL) 
+		    rv = SECFailure;
+	    }
+	    /* distributionPointName is omitted */
+	    else if (point->distPointType != 0) {
+		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		rv = SECFailure;
+	    }
+	    if (rv != SECSuccess)
+		break;
+
+	    if (point->reasons.data)
+		PrepareBitStringForEncoding (&point->bitsmap, &point->reasons);
+
+	    if (point->crlIssuer) {
+		point->derCrlIssuer = cert_EncodeGeneralNames
+		    (ourPool, point->crlIssuer);
+		if (!point->crlIssuer)
+		    break;
+	    }
+	    
+	    ++pointList;
+	}
+	if (rv != SECSuccess)
+	    break;
+	if (SEC_ASN1EncodeItem
+	     (arena, derValue, value, CERTCRLDistributionPointsTemplate) == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+    } while (0);
+    PORT_FreeArena (ourPool, PR_FALSE);
+    return (rv);
+}
+
+CERTCrlDistributionPoints *
+CERT_DecodeCRLDistributionPoints (PRArenaPool *arena, SECItem *encodedValue)
+{
+   CERTCrlDistributionPoints *value = NULL;    
+   CRLDistributionPoint **pointList, *point;    
+   SECStatus rv;
+
+   PORT_Assert (arena);
+   do {
+	value = (CERTCrlDistributionPoints*)PORT_ArenaZAlloc (arena, sizeof (*value));
+	if (value == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+	    
+	rv = SEC_ASN1DecodeItem
+	     (arena, &value->distPoints, CERTCRLDistributionPointsTemplate,
+	      encodedValue);
+	if (rv != SECSuccess)
+	    break;
+
+	pointList = value->distPoints;
+	while (*pointList) {
+	    point = *pointList;
+
+	    /* get the data if the distributionPointName is not omitted */
+	    if (point->derDistPoint.data != NULL) {
+		point->distPointType = (DistributionPointTypes)
+					((point->derDistPoint.data[0] & 0x1f) +1);
+		if (point->distPointType == generalName) {
+		    SECItem innerDER;
+		
+		    innerDER.data = NULL;
+		    rv = SEC_ASN1DecodeItem
+			 (arena, point, FullNameTemplate, &(point->derDistPoint));
+		    if (rv != SECSuccess)
+			break;
+		    point->distPoint.fullName = cert_DecodeGeneralNames
+			(arena, point->derFullName);
+
+		    if (!point->distPoint.fullName)
+			break;
+		}
+		else if ( relativeDistinguishedName) {
+		    rv = SEC_ASN1DecodeItem
+			 (arena, point, RelativeNameTemplate, &(point->derDistPoint));
+		    if (rv != SECSuccess)
+			break;
+		}
+		else {
+		    PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		    break;
+		}
+	    }
+
+	    /* Get the reason code if it's not omitted in the encoding */
+	    if (point->bitsmap.data != NULL) {
+		point->reasons.data = (unsigned char*) PORT_ArenaAlloc
+				      (arena, (point->bitsmap.len + 7) >> 3);
+		if (!point->reasons.data) {
+		    rv = SECFailure;
+		    break;
+		}
+		PORT_Memcpy (point->reasons.data, point->bitsmap.data,
+			     point->reasons.len = ((point->bitsmap.len + 7) >> 3));
+	    }
+
+	    /* Get the crl issuer name if it's not omitted in the encoding */
+	    if (point->derCrlIssuer != NULL) {
+		point->crlIssuer = cert_DecodeGeneralNames
+		    (arena, point->derCrlIssuer);
+
+		if (!point->crlIssuer)
+		    break;
+	    }
+	    ++pointList;
+	}
+   } while (0);
+   return (rv == SECSuccess ? value : NULL);
+}

mozilla/security/nss/lib/ckfw/Makefile

@@ -0,0 +1,49 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.4 $ $Date: 2000-09-11 22:37:01 $ $Name: not supported by cvs2svn $"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+# This'll need some help from a build person.
+
+nssckepv.h: ck.api ckapi.perl
+nssckft.h: ck.api ckapi.perl
+nssckg.h: ck.api ckapi.perl
+nssck.api: ck.api ckapi.perl
+	perl ckapi.perl ck.api
+
+export:: private_export
+

mozilla/security/nss/lib/ckfw/builtins/Makefile

@@ -0,0 +1,91 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.10 $ $Date: 2002-02-15 22:53:42 $ $Name: not supported by cvs2svn $"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+
+EXTRA_LIBS = \
+	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(NULL)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+EXTRA_LIBS += \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4_s.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4_s.lib \
+	wsock32.lib \
+	winmm.lib \
+	$(NULL)
+
+else
+
+EXTRA_LIBS += \
+	$(DIST)/lib/$(LIB_PREFIX)plc4.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)plds4.$(LIB_SUFFIX) \
+	$(NULL)
+
+endif
+
+
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+# Generate certdata.c.
+generate:
+	perl certdata.perl < certdata.txt
+
+# This'll need some help from a build person.
+
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
+DSO_LDOPTS              = -bM:SRE -bh:4 -bnoentry
+EXTRA_DSO_LDOPTS        = -lc
+MKSHLIB                 = xlC $(DSO_LDOPTS)
+
+$(SHARED_LIBRARY): $(OBJS)
+	@$(MAKE_OBJDIR)
+	rm -f $@
+	$(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
+	chmod +x $@
+
+endif
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
+LD      += -G
+endif 
+
+

mozilla/security/nss/lib/ckfw/builtins/anchor.c

@@ -0,0 +1,50 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: anchor.c,v $ $Revision: 1.1 $ $Date: 2000-03-31 19:43:46 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * builtins/anchor.c
+ *
+ * This file "anchors" the actual cryptoki entry points in this module's
+ * shared library, which is required for dynamic loading.  See the 
+ * comments in nssck.api for more information.
+ */
+
+#include "builtins.h"
+
+#define MODULE_NAME builtins
+#define INSTANCE_NAME (NSSCKMDInstance *)&nss_builtins_mdInstance
+#include "nssck.api"

mozilla/security/nss/lib/ckfw/builtins/bfind.c

@@ -0,0 +1,245 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: bfind.c,v $ $Revision: 1.2 $ $Date: 2002-02-13 02:26:47 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#ifndef BUILTINS_H
+#include "builtins.h"
+#endif /* BUILTINS_H */
+
+/*
+ * builtins/find.c
+ *
+ * This file implements the NSSCKMDFindObjects object for the
+ * "builtin objects" cryptoki module.
+ */
+
+struct builtinsFOStr {
+  NSSArena *arena;
+  CK_ULONG n;
+  CK_ULONG i;
+  builtinsInternalObject **objs;
+};
+
+static void
+builtins_mdFindObjects_Final
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  struct builtinsFOStr *fo = (struct builtinsFOStr *)mdFindObjects->etc;
+  NSSArena *arena = fo->arena;
+
+  nss_ZFreeIf(fo->objs);
+  nss_ZFreeIf(fo);
+  nss_ZFreeIf(mdFindObjects);
+  if ((NSSArena *)NULL != arena) {
+    NSSArena_Destroy(arena);
+  }
+
+  return;
+}
+
+static NSSCKMDObject *
+builtins_mdFindObjects_Next
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  struct builtinsFOStr *fo = (struct builtinsFOStr *)mdFindObjects->etc;
+  builtinsInternalObject *io;
+
+  if( fo->i == fo->n ) {
+    *pError = CKR_OK;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  io = fo->objs[ fo->i ];
+  fo->i++;
+
+  return nss_builtins_CreateMDObject(arena, io, pError);
+}
+
+static CK_BBOOL
+builtins_attrmatch
+(
+  CK_ATTRIBUTE_PTR a,
+  const NSSItem *b
+)
+{
+  PRBool prb;
+
+  if( a->ulValueLen != b->size ) {
+    return CK_FALSE;
+  }
+
+  prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
+
+  if( PR_TRUE == prb ) {
+    return CK_TRUE;
+  } else {
+    return CK_FALSE;
+  }
+}
+
+
+static CK_BBOOL
+builtins_match
+(
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  builtinsInternalObject *o
+)
+{
+  CK_ULONG i;
+
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    CK_ULONG j;
+
+    for( j = 0; j < o->n; j++ ) {
+      if( o->types[j] == pTemplate[i].type ) {
+        if( CK_FALSE == builtins_attrmatch(&pTemplate[i], &o->items[j]) ) {
+          return CK_FALSE;
+        } else {
+          break;
+        }
+      }
+    }
+
+    if( j == o->n ) {
+      /* Loop ran to the end: no matching attribute */
+      return CK_FALSE;
+    }
+  }
+
+  /* Every attribute passed */
+  return CK_TRUE;
+}
+
+NSS_IMPLEMENT NSSCKMDFindObjects *
+nss_builtins_FindObjectsInit
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  /* This could be made more efficient.  I'm rather rushed. */
+  NSSArena *arena;
+  NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
+  struct builtinsFOStr *fo = (struct builtinsFOStr *)NULL;
+  builtinsInternalObject **temp = (builtinsInternalObject **)NULL;
+  PRUint32 i;
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    goto loser;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDFindObjects);
+  if( (NSSCKMDFindObjects *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fo = nss_ZNEW(arena, struct builtinsFOStr);
+  if( (struct builtinsFOStr *)NULL == fo ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fo->arena = arena;
+  /* fo->n and fo->i are already zero */
+
+  rv->etc = (void *)fo;
+  rv->Final = builtins_mdFindObjects_Final;
+  rv->Next = builtins_mdFindObjects_Next;
+  rv->null = (void *)NULL;
+
+  temp = nss_ZNEWARRAY((NSSArena *)NULL, builtinsInternalObject *, 
+                       nss_builtins_nObjects);
+  if( (builtinsInternalObject **)NULL == temp ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  for( i = 0; i < nss_builtins_nObjects; i++ ) {
+    builtinsInternalObject *o = (builtinsInternalObject *)&nss_builtins_data[i];
+
+    if( CK_TRUE == builtins_match(pTemplate, ulAttributeCount, o) ) {
+      temp[ fo->n ] = o;
+      fo->n++;
+    }
+  }
+
+  fo->objs = nss_ZNEWARRAY(arena, builtinsInternalObject *, fo->n);
+  if( (builtinsInternalObject **)NULL == fo->objs ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  (void)nsslibc_memcpy(fo->objs, temp, sizeof(builtinsInternalObject *) * fo->n);
+  nss_ZFreeIf(temp);
+  temp = (builtinsInternalObject **)NULL;
+
+  return rv;
+
+ loser:
+  nss_ZFreeIf(temp);
+  nss_ZFreeIf(fo);
+  nss_ZFreeIf(rv);
+  if ((NSSArena *)NULL != arena) {
+     NSSArena_Destroy(arena);
+  }
+  return (NSSCKMDFindObjects *)NULL;
+}
+

mozilla/security/nss/lib/ckfw/builtins/binst.c

@@ -0,0 +1,130 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: binst.c,v $ $Revision: 1.1 $ $Date: 2002-02-08 00:10:02 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#include "builtins.h"
+
+/*
+ * builtins/instance.c
+ *
+ * This file implements the NSSCKMDInstance object for the 
+ * "builtin objects" cryptoki module.
+ */
+
+/*
+ * NSSCKMDInstance methods
+ */
+
+static CK_ULONG
+builtins_mdInstance_GetNSlots
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (CK_ULONG)1;
+}
+
+static CK_VERSION
+builtins_mdInstance_GetCryptokiVersion
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_builtins_CryptokiVersion;
+}
+
+static NSSUTF8 *
+builtins_mdInstance_GetManufacturerID
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_ManufacturerID;
+}
+
+static NSSUTF8 *
+builtins_mdInstance_GetLibraryDescription
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_LibraryDescription;
+}
+
+static CK_VERSION
+builtins_mdInstance_GetLibraryVersion
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_builtins_LibraryVersion;
+}
+
+static CK_RV
+builtins_mdInstance_GetSlots
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDSlot *slots[]
+)
+{
+  slots[0] = (NSSCKMDSlot *)&nss_builtins_mdSlot;
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDInstance
+nss_builtins_mdInstance = {
+  (void *)NULL, /* etc */
+  NULL, /* Initialize */
+  NULL, /* Finalize */
+  builtins_mdInstance_GetNSlots,
+  builtins_mdInstance_GetCryptokiVersion,
+  builtins_mdInstance_GetManufacturerID,
+  builtins_mdInstance_GetLibraryDescription,
+  builtins_mdInstance_GetLibraryVersion,
+  NULL, /* ModuleHandlesSessionObjects -- defaults to false */
+  builtins_mdInstance_GetSlots,
+  NULL, /* WaitForSlotEvent */
+  (void *)NULL /* null terminator */
+};

mozilla/security/nss/lib/ckfw/builtins/bobject.c

@@ -0,0 +1,249 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: bobject.c,v $ $Revision: 1.1 $ $Date: 2002-02-08 00:10:03 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#include "builtins.h"
+
+/*
+ * builtins/object.c
+ *
+ * This file implements the NSSCKMDObject object for the
+ * "builtin objects" cryptoki module.
+ */
+
+/*
+ * Finalize - unneeded
+ * Destroy - CKR_SESSION_READ_ONLY
+ * IsTokenObject - CK_TRUE
+ * GetAttributeCount
+ * GetAttributeTypes
+ * GetAttributeSize
+ * GetAttribute
+ * SetAttribute - unneeded
+ * GetObjectSize
+ */
+
+static CK_RV
+builtins_mdObject_Destroy
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CKR_SESSION_READ_ONLY;
+}
+
+static CK_BBOOL
+builtins_mdObject_IsTokenObject
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_TRUE;
+}
+
+static CK_ULONG
+builtins_mdObject_GetAttributeCount
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
+  return io->n;
+}
+
+static CK_RV
+builtins_mdObject_GetAttributeTypes
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+)
+{
+  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
+  CK_ULONG i;
+
+  if( io->n != ulCount ) {
+    return CKR_BUFFER_TOO_SMALL;
+  }
+
+  for( i = 0; i < io->n; i++ ) {
+    typeArray[i] = io->types[i];
+  }
+
+  return CKR_OK;
+}
+
+static CK_ULONG
+builtins_mdObject_GetAttributeSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
+  CK_ULONG i;
+
+  for( i = 0; i < io->n; i++ ) {
+    if( attribute == io->types[i] ) {
+      return (CK_ULONG)(io->items[i].size);
+    }
+  }
+
+  *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+  return 0;
+}
+
+static const NSSItem *
+builtins_mdObject_GetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
+  CK_ULONG i;
+
+  for( i = 0; i < io->n; i++ ) {
+    if( attribute == io->types[i] ) {
+      return &io->items[i];
+    }
+  }
+
+  *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+  return (NSSItem *)NULL;
+}
+
+static CK_ULONG
+builtins_mdObject_GetObjectSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
+  CK_ULONG i;
+  CK_ULONG rv = sizeof(CK_ULONG);
+
+  for( i = 0; i < io->n; i++ ) {
+    rv += sizeof(CK_ATTRIBUTE_TYPE) + sizeof(NSSItem) + io->items[i].size;
+  }
+
+  return rv;
+}
+
+static const NSSCKMDObject
+builtins_prototype_mdObject = {
+  (void *)NULL, /* etc */
+  NULL, /* Finalize */
+  builtins_mdObject_Destroy,
+  builtins_mdObject_IsTokenObject,
+  builtins_mdObject_GetAttributeCount,
+  builtins_mdObject_GetAttributeTypes,
+  builtins_mdObject_GetAttributeSize,
+  builtins_mdObject_GetAttribute,
+  NULL, /* SetAttribute */
+  builtins_mdObject_GetObjectSize,
+  (void *)NULL /* null terminator */
+};
+
+NSS_IMPLEMENT NSSCKMDObject *
+nss_builtins_CreateMDObject
+(
+  NSSArena *arena,
+  builtinsInternalObject *io,
+  CK_RV *pError
+)
+{
+  if ( (void*)NULL == io->mdObject.etc) {
+    (void) nsslibc_memcpy(&io->mdObject,&builtins_prototype_mdObject,
+					sizeof(builtins_prototype_mdObject));
+    io->mdObject.etc = (void *)io;
+  }
+
+  return &io->mdObject;
+}

mozilla/security/nss/lib/ckfw/builtins/bsession.c

@@ -0,0 +1,108 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: bsession.c,v $ $Revision: 1.1 $ $Date: 2002-02-08 00:10:03 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#include "builtins.h"
+
+/*
+ * builtins/session.c
+ *
+ * This file implements the NSSCKMDSession object for the 
+ * "builtin objects" cryptoki module.
+ */
+
+static NSSCKMDFindObjects *
+builtins_mdSession_FindObjectsInit
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  return nss_builtins_FindObjectsInit(fwSession, pTemplate, ulAttributeCount, pError);
+}
+
+NSS_IMPLEMENT NSSCKMDSession *
+nss_builtins_CreateSession
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+  NSSArena *arena;
+  NSSCKMDSession *rv;
+
+  arena = NSSCKFWSession_GetArena(fwSession, pError);
+  if( (NSSArena *)NULL == arena ) {
+    return (NSSCKMDSession *)NULL;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDSession);
+  if( (NSSCKMDSession *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSession *)NULL;
+  }
+
+  /* 
+   * rv was zeroed when allocated, so we only 
+   * need to set the non-zero members.
+   */
+
+  rv->etc = (void *)fwSession;
+  /* rv->Close */
+  /* rv->GetDeviceError */
+  /* rv->Login */
+  /* rv->Logout */
+  /* rv->InitPIN */
+  /* rv->SetPIN */
+  /* rv->GetOperationStateLen */
+  /* rv->GetOperationState */
+  /* rv->SetOperationState */
+  /* rv->CreateObject */
+  /* rv->CopyObject */
+  rv->FindObjectsInit = builtins_mdSession_FindObjectsInit;
+  /* rv->SeedRandom */
+  /* rv->GetRandom */
+  /* rv->null */
+
+  return rv;
+}

mozilla/security/nss/lib/ckfw/builtins/bslot.c

@@ -0,0 +1,124 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: bslot.c,v $ $Revision: 1.1 $ $Date: 2002-02-08 00:10:03 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#include "builtins.h"
+
+/*
+ * builtins/slot.c
+ *
+ * This file implements the NSSCKMDSlot object for the
+ * "builtin objects" cryptoki module.
+ */
+
+static NSSUTF8 *
+builtins_mdSlot_GetSlotDescription
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_SlotDescription;
+}
+
+static NSSUTF8 *
+builtins_mdSlot_GetManufacturerID
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_ManufacturerID;
+}
+
+static CK_VERSION
+builtins_mdSlot_GetHardwareVersion
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_builtins_HardwareVersion;
+}
+
+static CK_VERSION
+builtins_mdSlot_GetFirmwareVersion
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_builtins_FirmwareVersion;
+}
+
+static NSSCKMDToken *
+builtins_mdSlot_GetToken
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSCKMDToken *)&nss_builtins_mdToken;
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDSlot
+nss_builtins_mdSlot = {
+  (void *)NULL, /* etc */
+  NULL, /* Initialize */
+  NULL, /* Destroy */
+  builtins_mdSlot_GetSlotDescription,
+  builtins_mdSlot_GetManufacturerID,
+  NULL, /* GetTokenPresent -- defaults to true */
+  NULL, /* GetRemovableDevice -- defaults to false */
+  NULL, /* GetHardwareSlot -- defaults to false */
+  builtins_mdSlot_GetHardwareVersion,
+  builtins_mdSlot_GetFirmwareVersion,
+  builtins_mdSlot_GetToken,
+  (void *)NULL /* null terminator */
+};

mozilla/security/nss/lib/ckfw/builtins/btoken.c

@@ -0,0 +1,184 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: btoken.c,v $ $Revision: 1.1 $ $Date: 2002-02-08 00:10:05 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#include "builtins.h"
+
+/*
+ * builtins/token.c
+ *
+ * This file implements the NSSCKMDToken object for the
+ * "builtin objects" cryptoki module.
+ */
+
+static NSSUTF8 *
+builtins_mdToken_GetLabel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_TokenLabel;
+}
+
+static NSSUTF8 *
+builtins_mdToken_GetManufacturerID
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_ManufacturerID;
+}
+
+static NSSUTF8 *
+builtins_mdToken_GetModel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_TokenModel;
+}
+
+static NSSUTF8 *
+builtins_mdToken_GetSerialNumber
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_TokenSerialNumber;
+}
+
+static CK_BBOOL
+builtins_mdToken_GetIsWriteProtected
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_TRUE;
+}
+
+static CK_VERSION
+builtins_mdToken_GetHardwareVersion
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_builtins_HardwareVersion;
+}
+
+static CK_VERSION
+builtins_mdToken_GetFirmwareVersion
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_builtins_FirmwareVersion;
+}
+
+static NSSCKMDSession *
+builtins_mdToken_OpenSession
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession,
+  CK_BBOOL rw,
+  CK_RV *pError
+)
+{
+  return nss_builtins_CreateSession(fwSession, pError);
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDToken
+nss_builtins_mdToken = {
+  (void *)NULL, /* etc */
+  NULL, /* Setup */
+  NULL, /* Invalidate */
+  NULL, /* InitToken -- default errs */
+  builtins_mdToken_GetLabel,
+  builtins_mdToken_GetManufacturerID,
+  builtins_mdToken_GetModel,
+  builtins_mdToken_GetSerialNumber,
+  NULL, /* GetHasRNG -- default is false */
+  builtins_mdToken_GetIsWriteProtected,
+  NULL, /* GetLoginRequired -- default is false */
+  NULL, /* GetUserPinInitialized -- default is false */
+  NULL, /* GetRestoreKeyNotNeeded -- irrelevant */
+  NULL, /* GetHasClockOnToken -- default is false */
+  NULL, /* GetHasProtectedAuthenticationPath -- default is false */
+  NULL, /* GetSupportsDualCryptoOperations -- default is false */
+  NULL, /* GetMaxSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetMaxRwSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetMaxPinLen -- irrelevant */
+  NULL, /* GetMinPinLen -- irrelevant */
+  NULL, /* GetTotalPublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetFreePublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetTotalPrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetFreePrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  builtins_mdToken_GetHardwareVersion,
+  builtins_mdToken_GetFirmwareVersion,
+  NULL, /* GetUTCTime -- no clock */
+  builtins_mdToken_OpenSession,
+  NULL, /* GetMechanismCount -- default is zero */
+  NULL, /* GetMechanismTypes -- irrelevant */
+  NULL, /* GetMechanism -- irrelevant */
+  (void *)NULL /* null terminator */
+};

mozilla/security/nss/lib/ckfw/builtins/builtins.h

@@ -0,0 +1,104 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char BUILTINS_CVS_ID[] = "@(#) $RCSfile: builtins.h,v $ $Revision: 1.3 $ $Date: 2002-02-08 00:10:05 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#include "nssckmdt.h"
+#include "nssckfw.h"
+
+/*
+ * I'm including this for access to the arena functions.
+ * Looks like we should publish that API.
+ */
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * This is where the Netscape extensions live, at least for now.
+ */
+#ifndef CKT_H
+#include "ckt.h"
+#endif /* CKT_H */
+
+struct builtinsInternalObjectStr {
+  CK_ULONG n;
+  const CK_ATTRIBUTE_TYPE *types;
+  const NSSItem *items;
+  NSSCKMDObject mdObject;
+};
+typedef struct builtinsInternalObjectStr builtinsInternalObject;
+
+NSS_EXTERN_DATA builtinsInternalObject nss_builtins_data[];
+NSS_EXTERN_DATA const PRUint32               nss_builtins_nObjects;
+
+NSS_EXTERN_DATA const CK_VERSION   nss_builtins_CryptokiVersion;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_ManufacturerID;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_LibraryDescription;
+NSS_EXTERN_DATA const CK_VERSION   nss_builtins_LibraryVersion;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_SlotDescription;
+NSS_EXTERN_DATA const CK_VERSION   nss_builtins_HardwareVersion;
+NSS_EXTERN_DATA const CK_VERSION   nss_builtins_FirmwareVersion;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_TokenLabel;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_TokenModel;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_TokenSerialNumber;
+
+NSS_EXTERN_DATA const NSSCKMDInstance nss_builtins_mdInstance;
+NSS_EXTERN_DATA const NSSCKMDSlot     nss_builtins_mdSlot;
+NSS_EXTERN_DATA const NSSCKMDToken    nss_builtins_mdToken;
+
+NSS_EXTERN NSSCKMDSession *
+nss_builtins_CreateSession
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDFindObjects *
+nss_builtins_FindObjectsInit
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDObject *
+nss_builtins_CreateMDObject
+(
+  NSSArena *arena,
+  builtinsInternalObject *io,
+  CK_RV *pError
+);

mozilla/security/nss/lib/ckfw/builtins/certdata.perl

@@ -0,0 +1,292 @@
+#!perl -w
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+my $cvs_id = '@(#) $RCSfile: certdata.perl,v $ $Revision: 1.7 $ $Date: 2002-02-08 00:10:06 $ $Name: not supported by cvs2svn $';
+use strict;
+
+my %constants;
+my $count = 0;
+my $o;
+my @objects = ();
+my @objsize;
+my $cvsid;
+
+$constants{CKO_DATA} = "static const CK_OBJECT_CLASS cko_data = CKO_DATA;\n";
+$constants{CK_TRUE} = "static const CK_BBOOL ck_true = CK_TRUE;\n";
+$constants{CK_FALSE} = "static const CK_BBOOL ck_false = CK_FALSE;\n";
+
+while(<>) {
+  my @fields = ();
+  my $size;
+
+  s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
+  next if (/^\s*$/);
+
+  if( /(^CVS_ID\s+)(.*)/ ) {
+#    print "The CVS ID is $2\n";
+    $cvsid = $2 . "\"; $cvs_id\"";
+    my $scratch = $cvsid;
+    $size = 1 + $scratch =~ s/[^"\n]//g;
+    @{$objects[0][0]} = ( "CKA_CLASS", "&cko_data", "sizeof(CK_OBJECT_CLASS)" );
+    @{$objects[0][1]} = ( "CKA_TOKEN", "&ck_true", "sizeof(CK_BBOOL)" );
+    @{$objects[0][2]} = ( "CKA_PRIVATE", "&ck_false", "sizeof(CK_BBOOL)" );
+    @{$objects[0][3]} = ( "CKA_MODIFIABLE", "&ck_false", "sizeof(CK_BBOOL)" );
+    @{$objects[0][4]} = ( "CKA_LABEL", "\"CVS ID\"", "7" );
+    @{$objects[0][5]} = ( "CKA_APPLICATION", "\"NSS\"", "4" );
+    @{$objects[0][6]} = ( "CKA_VALUE", $cvsid, "$size" );
+    $objsize[0] = 7;
+    next;
+  }
+
+  # This was taken from the perl faq #4.
+  my $text = $_;
+  push(@fields, $+) while $text =~ m{
+      "([^\"\\]*(?:\\.[^\"\\]*)*)"\s?  # groups the phrase inside the quotes
+    | ([^\s]+)\s?
+    | \s
+  }gx;
+  push(@fields, undef) if substr($text,-1,1) eq '\s';
+
+  if( $fields[0] =~ /BEGINDATA/ ) {
+    next;
+  }
+
+  if( $fields[1] =~ /MULTILINE/ ) {
+    $fields[2] = "";
+    while(<>) {
+      last if /END/;
+      chomp;
+      $fields[2] .= "\"$_\"\n";
+    }
+  }
+
+  if( $fields[1] =~ /UTF8/ ) {
+    if( $fields[2] =~ /^"/ ) {
+      ;
+    } else {
+      $fields[2] = "\"" . $fields[2] . "\"";
+    }
+
+    my $scratch = $fields[2];
+    $size = $scratch =~ s/[^"\n]//g; # should supposedly handle multilines, too..
+    $size += 1; # null terminate
+  }
+
+  if( $fields[1] =~ /OCTAL/ ) {
+    if( $fields[2] =~ /^"/ ) {
+      ;
+    } else {
+      $fields[2] = "\"" . $fields[2] . "\"";
+    }
+
+    my $scratch = $fields[2];
+    $size = $scratch =~ tr/\\//;
+    # no null termination
+  }
+
+  if( $fields[1] =~ /^CK_/ ) {
+    my $lcv = $fields[2];
+    $lcv =~ tr/A-Z/a-z/;
+    if( !defined($constants{$fields[2]}) ) {
+      $constants{$fields[2]} = "static const $fields[1] $lcv = $fields[2];\n";
+    }
+    
+    $size = "sizeof($fields[1])";
+    $fields[2] = "&$lcv";
+  }
+
+  if( $fields[0] =~ /CKA_CLASS/ ) {
+    $count++;
+    $objsize[$count] = 0;
+  }
+
+  @{$objects[$count][$objsize[$count]++]} = ( "$fields[0]", $fields[2], "$size" );
+
+ # print "$fields[0] | $fields[1] | $size | $fields[2]\n";
+}
+
+doprint();
+
+sub dudump {
+my $i;
+for( $i = 0; $i <= $count; $i++ ) {
+  print "\n";
+  $o = $objects[$i];
+  my @ob = @{$o};
+  my $l;
+  my $j;
+  for( $j = 0; $j < @ob; $j++ ) {
+    $l = $ob[$j];
+    my @a = @{$l};
+    print "$a[0] ! $a[1] ! $a[2]\n";
+  }
+}
+
+}
+
+sub doprint {
+my $i;
+
+open(CFILE, ">certdata.c") || die "Can't open certdata.c: $!";
+
+print CFILE <<EOD
+/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifdef DEBUG
+static const char CVS_ID[] = $cvsid;
+#endif /* DEBUG */
+
+#ifndef BUILTINS_H
+#include "builtins.h"
+#endif /* BUILTINS_H */
+
+EOD
+    ;
+
+while(($a,$b) = each(%constants)) {
+  print CFILE $b;
+}
+
+for( $i = 0; $i <= $count; $i++ ) {
+  if( 0 == $i ) {
+    print CFILE "#ifdef DEBUG\n";
+  }
+
+  print CFILE "static const CK_ATTRIBUTE_TYPE nss_builtins_types_$i [] = {\n";
+  $o = $objects[$i];
+ # print STDOUT "type $i object $o \n";
+  my @ob = @{$o};
+  my $j;
+  for( $j = 0; $j < @ob; $j++ ) {
+    my $l = $ob[$j];
+    my @a = @{$l};
+    print CFILE " $a[0]";
+    if( $j+1 != @ob ) {
+      print CFILE ", ";
+    }
+  }
+  print CFILE "\n};\n";
+
+  if( 0 == $i ) {
+    print CFILE "#endif /* DEBUG */\n";
+  }
+}
+
+for( $i = 0; $i <= $count; $i++ ) {
+  if( 0 == $i ) {
+    print CFILE "#ifdef DEBUG\n";
+  }
+
+  print CFILE "static const NSSItem nss_builtins_items_$i [] = {\n";
+  $o = $objects[$i];
+  my @ob = @{$o};
+  my $j;
+  for( $j = 0; $j < @ob; $j++ ) {
+    my $l = $ob[$j];
+    my @a = @{$l};
+    print CFILE "  { (void *)$a[1], (PRUint32)$a[2] }";
+    if( $j+1 != @ob ) {
+      print CFILE ",\n";
+    } else {
+      print CFILE "\n";
+    }
+  }
+  print CFILE "};\n";
+
+  if( 0 == $i ) {
+    print CFILE "#endif /* DEBUG */\n";
+  }
+}
+
+print CFILE "\nPR_IMPLEMENT_DATA(builtinsInternalObject)\n";
+print CFILE "nss_builtins_data[] = {\n";
+
+for( $i = 0; $i <= $count; $i++ ) {
+
+  if( 0 == $i ) {
+    print CFILE "#ifdef DEBUG\n";
+  }
+
+  print CFILE "  { $objsize[$i], nss_builtins_types_$i, nss_builtins_items_$i, {NULL} }";
+
+  if( $i == $count ) {
+    print CFILE "\n";
+  } else {
+    print CFILE ",\n";
+  }
+
+  if( 0 == $i ) {
+    print CFILE "#endif /* DEBUG */\n";
+  }
+}
+
+print CFILE "};\n";
+
+print CFILE "PR_IMPLEMENT_DATA(const PRUint32)\n";
+print CFILE "#ifdef DEBUG\n";
+print CFILE "  nss_builtins_nObjects = $count+1;\n";
+print CFILE "#else\n";
+print CFILE "  nss_builtins_nObjects = $count;\n";
+print CFILE "#endif /* DEBUG */\n";
+}

mozilla/security/nss/lib/ckfw/builtins/config.mk

@@ -0,0 +1,58 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.5 $ $Date: 2002-02-15 22:53:42 $ $Name: not supported by cvs2svn $"
+
+#
+#  Override TARGETS variable so that only shared libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(SHARED_LIBRARY)
+LIBRARY        =
+IMPORT_LIBRARY =
+PROGRAM        =
+
+ifeq (,$(filter-out OS2 WIN%,$(OS_TARGET)))
+    SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).dll
+endif
+
+ifdef BUILD_IDG
+    DEFINES += -DNSSDEBUG
+endif
+
+#
+# To create a loadable module on Darwin, we must use -bundle.
+#
+ifeq ($(OS_TARGET),Darwin)
+DSO_LDOPTS := $(subst -dynamiclib,-bundle,$(DSO_LDOPTS))
+endif

mozilla/security/nss/lib/ckfw/builtins/constants.c

@@ -0,0 +1,82 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: constants.c,v $ $Revision: 1.4 $ $Date: 2001-09-20 22:09:49 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * builtins/constants.c
+ *
+ * Identification and other constants, all collected here in one place.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_builtins_CryptokiVersion = { 2, 1 };
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_builtins_ManufacturerID = (NSSUTF8 *) "Netscape Communications Corp.";
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_builtins_LibraryDescription = (NSSUTF8 *) "NSS Builtin Object Cryptoki Module";
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_builtins_LibraryVersion = { 1, 0 };
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_builtins_SlotDescription = (NSSUTF8 *) "";
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_builtins_HardwareVersion = { 1, 0 };
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_builtins_FirmwareVersion = { 1, 0 };
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_builtins_TokenLabel = (NSSUTF8 *) "Builtin Object Token";
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_builtins_TokenModel = (NSSUTF8 *) "1";
+
+/* should this be e.g. the certdata.txt RCS revision number? */
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_builtins_TokenSerialNumber = (NSSUTF8 *) "1";
+

mozilla/security/nss/lib/ckfw/builtins/manifest.mn

@@ -0,0 +1,55 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MANIFEST_CVS_ID = "@(#) $RCSfile: manifest.mn,v $ $Revision: 1.4 $ $Date: 2002-02-08 00:10:07 $ $Name: not supported by cvs2svn $"
+
+CORE_DEPTH = ../../../..
+
+MODULE = security
+
+CSRCS =			\
+	anchor.c	\
+	constants.c	\
+	bfind.c		\
+	binst.c	\
+	bobject.c	\
+	bsession.c	\
+	bslot.c		\
+	btoken.c	\
+	certdata.c	\
+	$(NULL)
+
+REQUIRES = security nspr
+
+LIBRARY_NAME = nssckbi
+
+#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4

mozilla/security/nss/lib/ckfw/ck.api

@@ -0,0 +1,571 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+# This file is in part derived from a file "pkcs11f.h" made available
+# by RSA Security at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/pkcs11f.h
+
+CVS_ID "@(#) $RCSfile: ck.api,v $ $Revision: 1.1 $ $Date: 2000-03-31 19:43:09 $ $Name: not supported by cvs2svn $"
+
+# Fields
+#  FUNCTION introduces a Cryptoki function
+#  CK_type specifies and introduces an argument
+#
+
+# General-purpose
+
+# C_Initialize initializes the Cryptoki library.
+FUNCTION C_Initialize
+CK_VOID_PTR pInitArgs   # if this is not NULL_PTR, it gets
+                        # cast to CK_C_INITIALIZE_ARGS_PTR
+                        # and dereferenced
+
+# C_Finalize indicates that an application is done with the
+# Cryptoki library.
+FUNCTION C_Finalize
+CK_VOID_PTR pReserved   # reserved.  Should be NULL_PTR
+
+# C_GetInfo returns general information about Cryptoki. 
+FUNCTION C_GetInfo
+CK_INFO_PTR pInfo       # location that receives information
+
+# C_GetFunctionList returns the function list. 
+FUNCTION C_GetFunctionList
+CK_FUNCTION_LIST_PTR_PTR ppFunctionList # receives pointer to function 
+                                        # list
+
+
+# Slot and token management 
+
+# C_GetSlotList obtains a list of slots in the system. 
+FUNCTION C_GetSlotList
+CK_BBOOL       tokenPresent # only slots with tokens? 
+CK_SLOT_ID_PTR pSlotList    # receives array of slot IDs 
+CK_ULONG_PTR   pulCount     # receives number of slots 
+
+# C_GetSlotInfo obtains information about a particular slot in the 
+# system.
+FUNCTION C_GetSlotInfo
+CK_SLOT_ID       slotID     # the ID of the slot 
+CK_SLOT_INFO_PTR pInfo      # receives the slot information 
+
+# C_GetTokenInfo obtains information about a particular token in the 
+# system. 
+FUNCTION C_GetTokenInfo
+CK_SLOT_ID        slotID    # ID of the token's slot 
+CK_TOKEN_INFO_PTR pInfo     # receives the token information 
+
+# C_GetMechanismList obtains a list of mechanism types supported by a 
+# token. 
+FUNCTION C_GetMechanismList
+CK_SLOT_ID            slotID            # ID of token's slot 
+CK_MECHANISM_TYPE_PTR pMechanismList    # gets mech. array 
+CK_ULONG_PTR          pulCount          # gets # of mechs. 
+
+# C_GetMechanismInfo obtains information about a particular mechanism 
+# possibly supported by a token. 
+FUNCTION C_GetMechanismInfo
+CK_SLOT_ID            slotID    # ID of the token's slot 
+CK_MECHANISM_TYPE     type      # type of mechanism 
+CK_MECHANISM_INFO_PTR pInfo     # receives mechanism info 
+
+# C_InitToken initializes a token. 
+FUNCTION C_InitToken
+CK_SLOT_ID  slotID      # ID of the token's slot 
+CK_CHAR_PTR pPin        # the SO's initial PIN 
+CK_ULONG    ulPinLen    # length in bytes of the PIN 
+CK_CHAR_PTR pLabel      # 32-byte token label (blank padded) 
+
+# C_InitPIN initializes the normal user's PIN. 
+FUNCTION C_InitPIN
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_CHAR_PTR       pPin      # the normal user's PIN 
+CK_ULONG          ulPinLen  # length in bytes of the PIN 
+
+# C_SetPIN modifies the PIN of the user who is logged in. 
+FUNCTION C_SetPIN
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_CHAR_PTR       pOldPin   # the old PIN 
+CK_ULONG          ulOldLen  # length of the old PIN 
+CK_CHAR_PTR       pNewPin   # the new PIN 
+CK_ULONG          ulNewLen  # length of the new PIN 
+
+
+# Session management 
+
+# C_OpenSession opens a session between an application and a token. 
+FUNCTION C_OpenSession
+CK_SLOT_ID            slotID        # the slot's ID 
+CK_FLAGS              flags         # from CK_SESSION_INFO 
+CK_VOID_PTR           pApplication  # passed to callback 
+CK_NOTIFY             Notify        # callback function 
+CK_SESSION_HANDLE_PTR phSession     # gets session handle 
+
+# C_CloseSession closes a session between an application and a token. 
+FUNCTION C_CloseSession
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+# C_CloseAllSessions closes all sessions with a token. 
+FUNCTION C_CloseAllSessions
+CK_SLOT_ID slotID   # the token's slot 
+
+# C_GetSessionInfo obtains information about the session. 
+FUNCTION C_GetSessionInfo
+CK_SESSION_HANDLE   hSession    # the session's handle 
+CK_SESSION_INFO_PTR pInfo       # receives session info 
+
+# C_GetOperationState obtains the state of the cryptographic 
+# operation in a session. 
+FUNCTION C_GetOperationState
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pOperationState       # gets state 
+CK_ULONG_PTR      pulOperationStateLen  # gets state length 
+
+# C_SetOperationState restores the state of the cryptographic 
+# operation in a session. 
+FUNCTION C_SetOperationState
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR      pOperationState        # holds state 
+CK_ULONG         ulOperationStateLen    # holds state length 
+CK_OBJECT_HANDLE hEncryptionKey         # en/decryption key 
+CK_OBJECT_HANDLE hAuthenticationKey     # sign/verify key 
+
+# C_Login logs a user into a token. 
+FUNCTION C_Login
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_USER_TYPE      userType  # the user type 
+CK_CHAR_PTR       pPin      # the user's PIN 
+CK_ULONG          ulPinLen  # the length of the PIN 
+
+# C_Logout logs a user out from a token. 
+FUNCTION C_Logout
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+
+# Object management 
+
+# C_CreateObject creates a new object. 
+FUNCTION C_CreateObject
+CK_SESSION_HANDLE    hSession   # the session's handle 
+CK_ATTRIBUTE_PTR     pTemplate  # the object's template 
+CK_ULONG             ulCount    # attributes in template 
+CK_OBJECT_HANDLE_PTR phObject   # gets new object's handle. 
+
+# C_CopyObject copies an object, creating a new object for the copy.
+FUNCTION C_CopyObject
+CK_SESSION_HANDLE    hSession       # the session's handle 
+CK_OBJECT_HANDLE     hObject        # the object's handle 
+CK_ATTRIBUTE_PTR     pTemplate      # template for new object 
+CK_ULONG             ulCount        # attributes in template 
+CK_OBJECT_HANDLE_PTR phNewObject    # receives handle of copy 
+
+# C_DestroyObject destroys an object. 
+FUNCTION C_DestroyObject
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_OBJECT_HANDLE  hObject   # the object's handle 
+
+# C_GetObjectSize gets the size of an object in bytes. 
+FUNCTION C_GetObjectSize
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_OBJECT_HANDLE  hObject   # the object's handle 
+CK_ULONG_PTR      pulSize   # receives size of object 
+
+# C_GetAttributeValue obtains the value of one or more object 
+# attributes. 
+FUNCTION C_GetAttributeValue
+CK_SESSION_HANDLE hSession    # the session's handle 
+CK_OBJECT_HANDLE  hObject     # the object's handle 
+CK_ATTRIBUTE_PTR  pTemplate   # specifies attrs; gets vals 
+CK_ULONG          ulCount     # attributes in template 
+
+# C_SetAttributeValue modifies the value of one or more object 
+# attributes 
+FUNCTION C_SetAttributeValue
+CK_SESSION_HANDLE hSession    # the session's handle 
+CK_OBJECT_HANDLE  hObject     # the object's handle 
+CK_ATTRIBUTE_PTR  pTemplate   # specifies attrs and values 
+CK_ULONG          ulCount     # attributes in template 
+
+# C_FindObjectsInit initializes a search for token and session 
+# objects that match a template. 
+FUNCTION C_FindObjectsInit
+CK_SESSION_HANDLE hSession    # the session's handle 
+CK_ATTRIBUTE_PTR  pTemplate   # attribute values to match 
+CK_ULONG          ulCount     # attrs in search template 
+
+# C_FindObjects continues a search for token and session objects that 
+# match a template, obtaining additional object handles. 
+FUNCTION C_FindObjects
+CK_SESSION_HANDLE    hSession           # session's handle 
+CK_OBJECT_HANDLE_PTR phObject           # gets obj. handles 
+CK_ULONG             ulMaxObjectCount   # max handles to get 
+CK_ULONG_PTR         pulObjectCount     # actual # returned 
+
+# C_FindObjectsFinal finishes a search for token and session objects. 
+FUNCTION C_FindObjectsFinal
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+
+# Encryption and decryption 
+
+# C_EncryptInit initializes an encryption operation. 
+FUNCTION C_EncryptInit
+CK_SESSION_HANDLE hSession    # the session's handle 
+CK_MECHANISM_PTR  pMechanism  # the encryption mechanism 
+CK_OBJECT_HANDLE  hKey        # handle of encryption key 
+
+# C_Encrypt encrypts single-part data. 
+FUNCTION C_Encrypt
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pData                 # the plaintext data 
+CK_ULONG          ulDataLen             # bytes of plaintext 
+CK_BYTE_PTR       pEncryptedData        # gets ciphertext 
+CK_ULONG_PTR      pulEncryptedDataLen   # gets c-text size 
+
+# C_EncryptUpdate continues a multiple-part encryption operation. 
+FUNCTION C_EncryptUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pPart                 # the plaintext data 
+CK_ULONG          ulPartLen             # plaintext data len 
+CK_BYTE_PTR       pEncryptedPart        # gets ciphertext 
+CK_ULONG_PTR      pulEncryptedPartLen   # gets c-text size 
+
+# C_EncryptFinal finishes a multiple-part encryption operation. 
+FUNCTION C_EncryptFinal
+CK_SESSION_HANDLE hSession                  # session handle 
+CK_BYTE_PTR       pLastEncryptedPart        # last c-text 
+CK_ULONG_PTR      pulLastEncryptedPartLen   # gets last size 
+
+# C_DecryptInit initializes a decryption operation. 
+FUNCTION C_DecryptInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the decryption mechanism 
+CK_OBJECT_HANDLE  hKey          # handle of decryption key 
+
+# C_Decrypt decrypts encrypted data in a single part. 
+FUNCTION C_Decrypt
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pEncryptedData        # ciphertext 
+CK_ULONG          ulEncryptedDataLen    # ciphertext length 
+CK_BYTE_PTR       pData                 # gets plaintext 
+CK_ULONG_PTR      pulDataLen            # gets p-text size 
+
+# C_DecryptUpdate continues a multiple-part decryption operation. 
+FUNCTION C_DecryptUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pEncryptedPart        # encrypted data 
+CK_ULONG          ulEncryptedPartLen    # input length 
+CK_BYTE_PTR       pPart                 # gets plaintext 
+CK_ULONG_PTR      pulPartLen            # p-text size 
+
+# C_DecryptFinal finishes a multiple-part decryption operation. 
+FUNCTION C_DecryptFinal
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pLastPart         # gets plaintext 
+CK_ULONG_PTR      pulLastPartLen    # p-text size 
+
+
+# Message digesting 
+
+# C_DigestInit initializes a message-digesting operation. 
+FUNCTION C_DigestInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the digesting mechanism 
+
+# C_Digest digests data in a single part. 
+FUNCTION C_Digest
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_BYTE_PTR       pData         # data to be digested 
+CK_ULONG          ulDataLen     # bytes of data to digest 
+CK_BYTE_PTR       pDigest       # gets the message digest 
+CK_ULONG_PTR      pulDigestLen  # gets digest length 
+
+# C_DigestUpdate continues a multiple-part message-digesting operation.
+FUNCTION C_DigestUpdate
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_BYTE_PTR       pPart     # data to be digested 
+CK_ULONG          ulPartLen # bytes of data to be digested 
+
+# C_DigestKey continues a multi-part message-digesting operation, by 
+# digesting the value of a secret key as part of the data already 
+# digested. 
+FUNCTION C_DigestKey
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_OBJECT_HANDLE  hKey      # secret key to digest 
+
+# C_DigestFinal finishes a multiple-part message-digesting operation. 
+FUNCTION C_DigestFinal
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_BYTE_PTR       pDigest       # gets the message digest 
+CK_ULONG_PTR      pulDigestLen  # gets byte count of digest 
+
+
+# Signing and MACing 
+
+# C_SignInit initializes a signature (private key encryption) 
+# operation, where the signature is (will be) an appendix to the 
+# data, and plaintext cannot be recovered from the signature. 
+FUNCTION C_SignInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the signature mechanism 
+CK_OBJECT_HANDLE  hKey          # handle of signature key 
+
+# C_Sign signs (encrypts with private key) data in a single part, 
+# where the signature is (will be) an appendix to the data, and 
+# plaintext cannot be recovered from the signature. 
+FUNCTION C_Sign
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pData             # the data to sign 
+CK_ULONG          ulDataLen         # count of bytes to sign 
+CK_BYTE_PTR       pSignature        # gets the signature 
+CK_ULONG_PTR      pulSignatureLen   # gets signature length 
+
+# C_SignUpdate continues a multiple-part signature operation, where 
+# the signature is (will be) an appendix to the data, and plaintext 
+# cannot be recovered from the signature. 
+FUNCTION C_SignUpdate
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_BYTE_PTR       pPart     # the data to sign 
+CK_ULONG          ulPartLen # count of bytes to sign 
+
+# C_SignFinal finishes a multiple-part signature operation, returning 
+# the signature. 
+FUNCTION C_SignFinal
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pSignature        # gets the signature 
+CK_ULONG_PTR      pulSignatureLen   # gets signature length 
+
+# C_SignRecoverInit initializes a signature operation, where the data 
+# can be recovered from the signature. 
+FUNCTION C_SignRecoverInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the signature mechanism 
+CK_OBJECT_HANDLE  hKey          # handle of the signature key 
+
+# C_SignRecover signs data in a single operation, where the data can 
+# be recovered from the signature. 
+FUNCTION C_SignRecover
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pData             # the data to sign 
+CK_ULONG          ulDataLen         # count of bytes to sign 
+CK_BYTE_PTR       pSignature        # gets the signature 
+CK_ULONG_PTR      pulSignatureLen   # gets signature length 
+
+
+# Verifying signatures and MACs 
+
+# C_VerifyInit initializes a verification operation, where the 
+# signature is an appendix to the data, and plaintext cannot cannot 
+# be recovered from the signature (e.g. DSA). 
+FUNCTION C_VerifyInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the verification mechanism 
+CK_OBJECT_HANDLE  hKey          # verification key  
+
+# C_Verify verifies a signature in a single-part operation, where the 
+# signature is an appendix to the data, and plaintext cannot be 
+# recovered from the signature. 
+FUNCTION C_Verify
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pData             # signed data 
+CK_ULONG          ulDataLen         # length of signed data 
+CK_BYTE_PTR       pSignature        # signature 
+CK_ULONG          ulSignatureLen    # signature length
+
+# C_VerifyUpdate continues a multiple-part verification operation, 
+# where the signature is an appendix to the data, and plaintext cannot be 
+# recovered from the signature. 
+FUNCTION C_VerifyUpdate
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_BYTE_PTR       pPart     # signed data 
+CK_ULONG          ulPartLen # length of signed data 
+
+# C_VerifyFinal finishes a multiple-part verification operation, 
+# checking the signature. 
+FUNCTION C_VerifyFinal
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pSignature        # signature to verify 
+CK_ULONG          ulSignatureLen    # signature length 
+
+# C_VerifyRecoverInit initializes a signature verification operation, 
+# where the data is recovered from the signature. 
+FUNCTION C_VerifyRecoverInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the verification mechanism 
+CK_OBJECT_HANDLE  hKey          # verification key 
+
+# C_VerifyRecover verifies a signature in a single-part operation, 
+# where the data is recovered from the signature. 
+FUNCTION C_VerifyRecover
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pSignature        # signature to verify 
+CK_ULONG          ulSignatureLen    # signature length 
+CK_BYTE_PTR       pData             # gets signed data 
+CK_ULONG_PTR      pulDataLen        # gets signed data len 
+
+
+# Dual-function cryptographic operations 
+
+# C_DigestEncryptUpdate continues a multiple-part digesting and 
+# encryption operation. 
+FUNCTION C_DigestEncryptUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pPart                 # the plaintext data 
+CK_ULONG          ulPartLen             # plaintext length 
+CK_BYTE_PTR       pEncryptedPart        # gets ciphertext 
+CK_ULONG_PTR      pulEncryptedPartLen   # gets c-text length 
+
+# C_DecryptDigestUpdate continues a multiple-part decryption and 
+# digesting operation. 
+FUNCTION C_DecryptDigestUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pEncryptedPart        # ciphertext 
+CK_ULONG          ulEncryptedPartLen    # ciphertext length 
+CK_BYTE_PTR       pPart                 # gets plaintext 
+CK_ULONG_PTR      pulPartLen            # gets plaintext len 
+
+# C_SignEncryptUpdate continues a multiple-part signing and 
+# encryption operation. 
+FUNCTION C_SignEncryptUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pPart                 # the plaintext data 
+CK_ULONG          ulPartLen             # plaintext length 
+CK_BYTE_PTR       pEncryptedPart        # gets ciphertext 
+CK_ULONG_PTR      pulEncryptedPartLen   # gets c-text length 
+
+# C_DecryptVerifyUpdate continues a multiple-part decryption and 
+# verify operation. 
+FUNCTION C_DecryptVerifyUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pEncryptedPart        # ciphertext 
+CK_ULONG          ulEncryptedPartLen    # ciphertext length 
+CK_BYTE_PTR       pPart                 # gets plaintext 
+CK_ULONG_PTR      pulPartLen            # gets p-text length 
+
+
+# Key management 
+
+# C_GenerateKey generates a secret key, creating a new key object. 
+FUNCTION C_GenerateKey
+CK_SESSION_HANDLE    hSession   # the session's handle 
+CK_MECHANISM_PTR     pMechanism # key generation mech. 
+CK_ATTRIBUTE_PTR     pTemplate  # template for new key 
+CK_ULONG             ulCount    # # of attrs in template 
+CK_OBJECT_HANDLE_PTR phKey      # gets handle of new key 
+
+# C_GenerateKeyPair generates a public-key/private-key pair, creating 
+# new key objects. 
+FUNCTION C_GenerateKeyPair
+CK_SESSION_HANDLE    hSession                   # session handle
+CK_MECHANISM_PTR     pMechanism                 # key-gen mech.
+CK_ATTRIBUTE_PTR     pPublicKeyTemplate         # template for pub. key
+CK_ULONG             ulPublicKeyAttributeCount  # # pub. attrs.
+CK_ATTRIBUTE_PTR     pPrivateKeyTemplate        # template for priv. key
+CK_ULONG             ulPrivateKeyAttributeCount # # priv. attrs.
+CK_OBJECT_HANDLE_PTR phPublicKey                # gets pub. key handle
+CK_OBJECT_HANDLE_PTR phPrivateKey               # gets priv. key handle
+
+# C_WrapKey wraps (i.e., encrypts) a key. 
+FUNCTION C_WrapKey
+CK_SESSION_HANDLE hSession         # the session's handle 
+CK_MECHANISM_PTR  pMechanism       # the wrapping mechanism 
+CK_OBJECT_HANDLE  hWrappingKey     # wrapping key 
+CK_OBJECT_HANDLE  hKey             # key to be wrapped 
+CK_BYTE_PTR       pWrappedKey      # gets wrapped key 
+CK_ULONG_PTR      pulWrappedKeyLen # gets wrapped key size 
+
+# C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key 
+# object. 
+FUNCTION C_UnwrapKey
+CK_SESSION_HANDLE    hSession           # session's handle 
+CK_MECHANISM_PTR     pMechanism         # unwrapping mech. 
+CK_OBJECT_HANDLE     hUnwrappingKey     # unwrapping key 
+CK_BYTE_PTR          pWrappedKey        # the wrapped key 
+CK_ULONG             ulWrappedKeyLen    # wrapped key len 
+CK_ATTRIBUTE_PTR     pTemplate          # new key template 
+CK_ULONG             ulAttributeCount   # template length 
+CK_OBJECT_HANDLE_PTR phKey              # gets new handle 
+
+# C_DeriveKey derives a key from a base key, creating a new key object.
+FUNCTION C_DeriveKey
+CK_SESSION_HANDLE    hSession           # session's handle 
+CK_MECHANISM_PTR     pMechanism         # key deriv. mech. 
+CK_OBJECT_HANDLE     hBaseKey           # base key 
+CK_ATTRIBUTE_PTR     pTemplate          # new key template 
+CK_ULONG             ulAttributeCount   # template length 
+CK_OBJECT_HANDLE_PTR phKey              # gets new handle 
+
+
+# Random number generation 
+
+# C_SeedRandom mixes additional seed material into the token's random 
+# number generator. 
+FUNCTION C_SeedRandom
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_BYTE_PTR       pSeed     # the seed material 
+CK_ULONG          ulSeedLen # length of seed material 
+
+# C_GenerateRandom generates random data. 
+FUNCTION C_GenerateRandom
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_BYTE_PTR       RandomData    # receives the random data 
+CK_ULONG          ulRandomLen   # # of bytes to generate 
+
+
+# Parallel function management 
+
+# C_GetFunctionStatus is a legacy function; it obtains an updated 
+# status of a function running in parallel with an application.
+FUNCTION C_GetFunctionStatus
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+# C_CancelFunction is a legacy function; it cancels a function running 
+# in parallel. 
+FUNCTION C_CancelFunction
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+
+# Functions added in for Cryptoki Version 2.01 or later 
+
+# C_WaitForSlotEvent waits for a slot event (token insertion, removal, 
+# etc.) to occur. 
+FUNCTION C_WaitForSlotEvent
+CK_FLAGS       flags    # blocking/nonblocking flag 
+CK_SLOT_ID_PTR pSlot    # location that receives the slot ID 
+CK_VOID_PTR    pRserved # reserved.  Should be NULL_PTR 
+
+## C_ConfigureSlot passes an installation-specified bytestring to a 
+## slot. 
+#FUNCTION C_ConfigureSlot
+#CK_SLOT_ID slotID      # the slot to configure 
+#CK_BYTE_PTR pConfig    # the configuration string 
+#CK_ULONG ulConfigLen   # length of the config string 

mozilla/security/nss/lib/ckfw/ck.h

@@ -0,0 +1,121 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef CK_H
+#define CK_H
+
+#ifdef DEBUG
+static const char CK_CVS_ID[] = "@(#) $RCSfile: ck.h,v $ $Revision: 1.1 $ $Date: 2000-03-31 19:43:09 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * ck.h
+ *
+ * This header file consolidates all header files needed by the source
+ * files implementing the NSS Cryptoki Framework.  This makes managing
+ * the source files a bit easier.
+ */
+
+/* Types */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFT_H
+#include "nssckft.h"
+#endif /* NSSCKFT_H */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+#ifndef NSSCKMDT_H
+#include "nssckmdt.h"
+#endif /* NSSCKMDT_H */
+
+#ifndef CKT_H
+#include "ckt.h"
+#endif /* CKT_H */
+
+#ifndef CKFWTM_H
+#include "ckfwtm.h"
+#endif /* CKFWTM_H */
+
+/* Prototypes */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef NSSCKG_H
+#include "nssckg.h"
+#endif /* NSSCKG_H */
+
+#ifndef NSSCKFW_H
+#include "nssckfw.h"
+#endif /* NSSCKFW_H */
+
+#ifndef NSSCKFWC_H
+#include "nssckfwc.h"
+#endif /* NSSCKFWC_H */
+
+#ifndef CKFW_H
+#include "ckfw.h"
+#endif /* CKFW_H */
+
+#ifndef CKFWM_H
+#include "ckfwm.h"
+#endif /* CKFWM_H */
+
+#ifndef CKMD_H
+#include "ckmd.h"
+#endif /* CKMD_H */
+
+/* NSS-private */
+
+/* nss_ZNEW and the like.  We might want to publish the memory APIs.. */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#endif /* CK_H */

mozilla/security/nss/lib/ckfw/ckapi.perl

@@ -0,0 +1,510 @@
+#!perl
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+$cvs_id = '@(#) $RCSfile: ckapi.perl,v $ $Revision: 1.4 $ $Date: 2000-10-13 22:41:36 $ $Name: not supported by cvs2svn $';
+
+$copyright = '/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+';
+
+$count = -1;
+$i = 0;
+
+open(INPUT, "<$ARGV[0]") || die "Can't open $ARGV[0]: $!";
+
+while(<INPUT>) {
+  s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
+  next if (/^\s*$/);
+
+#  print;
+
+  /^([\S]+)\s+([^"][\S]*|"[^"]*")/;
+  $name = $1;
+  $value = $2;
+
+  if( ($name =~ "FUNCTION") && !($name =~ "CK_FUNCTION") ) {
+    $count++;
+    $x[$count]{name} = $value;
+    $i = 0;
+  } else {
+    if( $count < 0 ) {
+      $value =~ s/"//g;
+      $g{$name} = $value;
+    } else {
+      $x[$count]{args}[$i]{type} = $name;
+      $x[$count]{args}[$i]{name} = $value;
+      $i++;
+      $x[$count]{nargs} = $i; # rewritten each time, oh well
+    }
+  }
+}
+
+close INPUT;
+
+# dodump();
+doprint();
+
+sub dodump {
+  for( $j = 0; $j <= $count; $j++ ) {
+    print "CK_RV CK_ENTRY $x[$j]{name}\n";
+    for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+      print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+      if( $i == ($x[$j]{nargs} - 1) ) {
+        print "\n";
+      } else {
+        print ",\n";
+      }
+    }
+  }
+}
+
+sub doprint {
+open(PROTOTYPE, ">nssckg.h") || die "Can't open nssckg.h: $!";
+open(TYPEDEF, ">nssckft.h") || die "Can't open nssckft.h: $!";
+open(EPV, ">nssckepv.h") || die "Can't open nssckepv.h: $!";
+open(API, ">nssck.api") || die "Can't open nssck.api: $!";
+
+select PROTOTYPE;
+
+print $copyright;
+print <<EOD
+#ifndef NSSCKG_H
+#define NSSCKG_H
+
+#ifdef DEBUG
+static const char NSSCKG_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+/*
+ * nssckg.h
+ *
+ * This automatically-generated header file prototypes the Cryptoki
+ * functions specified by PKCS#11.
+ */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+EOD
+    ;
+
+for( $j = 0; $j <= $count; $j++ ) {
+  print "CK_RV CK_ENTRY $x[$j]{name}\n";
+  print "(\n";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print "\n";
+    } else {
+      print ",\n";
+    }
+  }
+  print ");\n\n";
+}
+
+print <<EOD
+#endif /* NSSCKG_H */
+EOD
+    ;
+
+select TYPEDEF;
+
+print $copyright;
+print <<EOD
+#ifndef NSSCKFT_H
+#define NSSCKFT_H
+
+#ifdef DEBUG
+static const char NSSCKFT_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+/*
+ * nssckft.h
+ *
+ * The automatically-generated header file declares a typedef
+ * each of the Cryptoki functions specified by PKCS#11.
+ */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+EOD
+    ;
+
+for( $j = 0; $j <= $count; $j++ ) {
+#  print "typedef CK_RV (CK_ENTRY *CK_$x[$j]{name})(\n";
+  print "typedef CK_CALLBACK_FUNCTION(CK_RV, CK_$x[$j]{name})(\n";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print "\n";
+    } else {
+      print ",\n";
+    }
+  }
+  print ");\n\n";
+}
+
+print <<EOD
+#endif /* NSSCKFT_H */
+EOD
+    ;
+
+select EPV;
+
+print $copyright;
+print <<EOD
+#ifndef NSSCKEPV_H
+#define NSSCKEPV_H
+
+#ifdef DEBUG
+static const char NSSCKEPV_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+/*
+ * nssckepv.h
+ *
+ * This automatically-generated header file defines the type
+ * CK_FUNCTION_LIST specified by PKCS#11.
+ */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFT_H
+#include "nssckft.h"
+#endif /* NSSCKFT_H */
+
+#include "nssckp.h"
+
+struct CK_FUNCTION_LIST {
+  CK_VERSION version;
+EOD
+    ;
+
+for( $j = 0; $j <= $count; $j++ ) {
+  print "  CK_$x[$j]{name} $x[$j]{name};\n";
+}
+
+print <<EOD
+};
+
+#include "nsscku.h"
+
+#endif /* NSSCKEPV_H */
+EOD
+    ;
+
+select API;
+
+print $copyright;
+print <<EOD
+
+#ifdef DEBUG
+static const char NSSCKAPI_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+/*
+ * nssck.api
+ *
+ * This automatically-generated file is used to generate a set of
+ * Cryptoki entry points within the object space of a Module using
+ * the NSS Cryptoki Framework.
+ *
+ * The Module should have a .c file with the following:
+ *
+ *  #define MODULE_NAME name
+ *  #define INSTANCE_NAME instance
+ *  #include "nssck.api"
+ *
+ * where "name" is some module-specific name that can be used to
+ * disambiguate various modules.  This included file will then
+ * define the actual Cryptoki routines which pass through to the
+ * Framework calls.  All routines, except C_GetFunctionList, will
+ * be prefixed with the name; C_GetFunctionList will be generated
+ * to return an entry-point vector with these routines.  The
+ * instance specified should be the basic instance of NSSCKMDInstance.
+ *
+ * If, prior to including nssck.api, the .c file also specifies
+ *
+ *  #define DECLARE_STRICT_CRYTPOKI_NAMES
+ *
+ * Then a set of "stub" routines not prefixed with the name will
+ * be included.  This would allow the combined module and framework
+ * to be used in applications which are hard-coded to use the
+ * PKCS#11 names (instead of going through the EPV).  Please note
+ * that such applications should be careful resolving symbols when
+ * more than one PKCS#11 module is loaded.
+ */
+
+#ifndef MODULE_NAME
+#error "Error: MODULE_NAME must be defined."
+#endif /* MODULE_NAME */
+
+#ifndef INSTANCE_NAME
+#error "Error: INSTANCE_NAME must be defined."
+#endif /* INSTANCE_NAME */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+#ifndef NSSCKFWC_H
+#include "nssckfwc.h"
+#endif /* NSSCKFWC_H */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#define __ADJOIN(x,y) x##y
+
+/*
+ * The anchor.  This object is used to store an "anchor" pointer in
+ * the Module's object space, so the wrapper functions can relate
+ * back to this instance.
+ */
+
+static NSSCKFWInstance *fwInstance = (NSSCKFWInstance *)0;
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Initialize)
+(
+  CK_VOID_PTR pInitArgs
+)
+{
+  return NSSCKFWC_Initialize(&fwInstance, INSTANCE_NAME, pInitArgs);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY 
+C_Initialize
+(
+  CK_VOID_PTR pInitArgs
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Initialize)(pInitArgs);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Finalize)
+(
+  CK_VOID_PTR pReserved
+)
+{
+  return NSSCKFWC_Finalize(&fwInstance);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Finalize
+(
+  CK_VOID_PTR pReserved
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Finalize)(pReserved);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetInfo)
+(
+  CK_INFO_PTR pInfo
+)
+{
+  return NSSCKFWC_GetInfo(fwInstance, pInfo);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetInfo
+(
+  CK_INFO_PTR pInfo
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetInfo)(pInfo);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+/*
+ * C_GetFunctionList is defined at the end.
+ */
+
+EOD
+    ;
+
+for( $j = 4; $j <= $count; $j++ ) {
+  print "CK_RV CK_ENTRY\n";
+  print "__ADJOIN(MODULE_NAME,$x[$j]{name})\n";
+  print "(\n";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print "\n";
+    } else {
+      print ",\n";
+    }
+  }
+  print ")\n";
+  print "{\n";
+  print "  return NSSCKFW$x[$j]{name}(fwInstance, ";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "$x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print ");\n";
+    } else {
+      print ", ";
+    }
+  }
+  print "}\n\n";
+
+  print "#ifdef DECLARE_STRICT_CRYPTOKI_NAMES\n";
+  print "CK_RV CK_ENTRY\n";
+  print "$x[$j]{name}\n";
+  print "(\n";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print "\n";
+    } else {
+      print ",\n";
+    }
+  }
+  print ")\n";
+  print "{\n";
+  print "  return __ADJOIN(MODULE_NAME,$x[$j]{name})(";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "$x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print ");\n";
+    } else {
+      print ", ";
+    }
+  }
+  print "}\n";
+  print "#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */\n\n";
+}
+
+print <<EOD
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetFunctionList)
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+);
+
+static CK_FUNCTION_LIST FunctionList = {
+  { 2, 1 },
+EOD
+    ;
+
+for( $j = 0; $j <= $count; $j++ ) {
+  print "__ADJOIN(MODULE_NAME,$x[$j]{name})";
+  if( $j < $count ) {
+    print ",\n";
+  } else {
+    print "\n};\n\n";
+  }
+}
+
+print <<EOD
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetFunctionList)
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+)
+{
+  *ppFunctionList = &FunctionList;
+  return CKR_OK;
+}
+
+/* This one is always present */
+#ifdef WIN32
+CK_RV _declspec(dllexport)
+#else
+CK_RV CK_ENTRY
+#endif
+C_GetFunctionList
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
+}
+
+#undef __ADJOIN
+
+EOD
+    ;
+
+select STDOUT;
+
+}

mozilla/security/nss/lib/ckfw/ckfwm.h

@@ -0,0 +1,167 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef CKFWM_H
+#define CKFWM_H
+
+#ifdef DEBUG
+static const char CKFWM_CVS_ID[] = "@(#) $RCSfile: ckfwm.h,v $ $Revision: 1.2 $ $Date: 2001-12-07 01:35:51 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * ckfwm.h
+ *
+ * This file prototypes the module-private calls of the NSS Cryptoki Framework.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+/*
+ * nssCKFWHash
+ *
+ *  nssCKFWHash_Create
+ *  nssCKFWHash_Destroy
+ *  nssCKFWHash_Add
+ *  nssCKFWHash_Remove
+ *  nssCKFWHash_Count
+ *  nssCKFWHash_Exists
+ *  nssCKFWHash_Lookup
+ *  nssCKFWHash_Iterate
+ */
+
+/*
+ * nssCKFWHash_Create
+ *
+ */
+NSS_EXTERN nssCKFWHash *
+nssCKFWHash_Create
+(
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWHash_Destroy
+ *
+ */
+NSS_EXTERN void
+nssCKFWHash_Destroy
+(
+  nssCKFWHash *hash
+);
+
+/*
+ * nssCKFWHash_Add
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWHash_Add
+(
+  nssCKFWHash *hash,
+  const void *key,
+  const void *value
+);
+
+/*
+ * nssCKFWHash_Remove
+ *
+ */
+NSS_EXTERN void
+nssCKFWHash_Remove
+(
+  nssCKFWHash *hash,
+  const void *it
+);
+
+/*
+ * nssCKFWHash_Count
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWHash_Count
+(
+  nssCKFWHash *hash
+);
+
+/*
+ * nssCKFWHash_Exists
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWHash_Exists
+(
+  nssCKFWHash *hash,
+  const void *it
+);
+
+/*
+ * nssCKFWHash_Lookup
+ *
+ */
+NSS_EXTERN void *
+nssCKFWHash_Lookup
+(
+  nssCKFWHash *hash,
+  const void *it
+);
+
+/*
+ * nssCKFWHash_Iterate
+ *
+ */
+NSS_EXTERN void
+nssCKFWHash_Iterate
+(
+  nssCKFWHash *hash,
+  nssCKFWHashIterator fcn,
+  void *closure
+);
+
+NSS_EXTERN void
+nssSetLockArgs(
+   CK_C_INITIALIZE_ARGS_PTR pInitArgs
+);
+
+
+#endif /* CKFWM_H */

mozilla/security/nss/lib/ckfw/ckfwtm.h

@@ -0,0 +1,56 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef CKFWTM_H
+#define CKFWTM_H
+
+#ifdef DEBUG
+static const char CKFWTM_CVS_ID[] = "@(#) $RCSfile: ckfwtm.h,v $ $Revision: 1.1 $ $Date: 2000-03-31 19:43:13 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * ckfwtm.h
+ *
+ * This file declares the module-private types of the NSS Cryptoki Framework.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+struct nssCKFWHashStr;
+typedef struct nssCKFWHashStr nssCKFWHash;
+
+typedef void (PR_CALLBACK *nssCKFWHashIterator)(const void *key, void *value, void *closure);
+
+#endif /* CKFWTM_H */

mozilla/security/nss/lib/ckfw/ckmd.h

@@ -0,0 +1,65 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef CKMD_H
+#define CKMD_H
+
+#ifdef DEBUG
+static const char CKMD_CVS_ID[] = "@(#) $RCSfile: ckmd.h,v $ $Revision: 1.1 $ $Date: 2000-03-31 19:43:13 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * ckmd.h
+ *
+ */
+
+NSS_EXTERN NSSCKMDObject *
+nssCKMDSessionObject_Create
+(
+  NSSCKFWToken *fwToken,
+  NSSArena *arena,
+  CK_ATTRIBUTE_PTR attributes,
+  CK_ULONG ulCount,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDFindObjects *
+nssCKMDFindSessionObjects_Create
+(
+  NSSCKFWToken *fwToken,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_RV *pError
+);
+
+#endif /* CKMD_H */

mozilla/security/nss/lib/ckfw/ckt.h

@@ -0,0 +1,37 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/* get back to just one set of PKCS #11 headers. Use the onese that
+ * are easiest to maintain from the RSA website */
+/* this one is the one that defines NSS specific data */
+#include "pkcs11n.h"

mozilla/security/nss/lib/ckfw/config.mk

@@ -0,0 +1,54 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.3 $ $Date: 2001-02-02 01:49:29 $ $Name: not supported by cvs2svn $"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+#
+# Hack to see if everything still builds
+#
+
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
+

mozilla/security/nss/lib/ckfw/dbm/Makefile

@@ -0,0 +1,38 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.1 $ $Date: 2000-05-15 20:39:53 $ $Name: not supported by cvs2svn $"
+
+include manifest.mn
+include config.mk
+include $(CORE_DEPTH)/coreconf/config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk

mozilla/security/nss/lib/ckfw/dbm/anchor.c

@@ -0,0 +1,50 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: anchor.c,v $ $Revision: 1.1 $ $Date: 2000-05-15 20:39:54 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * dbm/anchor.c
+ *
+ * This file "anchors" the actual cryptoki entry points in this module's
+ * shared library, which is required for dynamic loading.  See the 
+ * comments in nssck.api for more information.
+ */
+
+#include "ckdbm.h"
+
+#define MODULE_NAME dbm
+#define INSTANCE_NAME (NSSCKMDInstance *)&nss_dbm_mdInstance
+#include "nssck.api"

mozilla/security/nss/lib/ckfw/dbm/ckdbm.h

@@ -0,0 +1,281 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CKDBM_CVS_ID[] = "@(#) $RCSfile: ckdbm.h,v $ $Revision: 1.1 $ $Date: 2000-05-15 20:39:54 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#ifndef CKDBM_H
+#define CKDBM_H
+
+#include "nssckmdt.h"
+#include "nssckfw.h"
+
+/*
+ * I'm including this for access to the arena functions.
+ * Looks like we should publish that API.
+ */
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * This is where the Netscape extensions live, at least for now.
+ */
+#ifndef CKT_H
+#include "ckt.h"
+#endif /* CKT_H */
+
+#include "mcom_db.h"
+
+NSS_EXTERN_DATA NSSCKMDInstance nss_dbm_mdInstance;
+
+typedef struct nss_dbm_db_struct nss_dbm_db_t;
+struct nss_dbm_db_struct {
+  DB *db;
+  NSSCKFWMutex *crustylock;
+};
+
+typedef struct nss_dbm_dbt_struct nss_dbm_dbt_t;
+struct nss_dbm_dbt_struct {
+  DBT dbt;
+  nss_dbm_db_t *my_db;
+};
+
+typedef struct nss_dbm_instance_struct nss_dbm_instance_t;
+struct nss_dbm_instance_struct {
+  NSSArena *arena;
+  CK_ULONG nSlots;
+  char **filenames;
+  int *flags; /* e.g. O_RDONLY, O_RDWR */
+};
+
+typedef struct nss_dbm_slot_struct nss_dbm_slot_t;
+struct nss_dbm_slot_struct {
+  nss_dbm_instance_t *instance;
+  char *filename;
+  int flags;
+  nss_dbm_db_t *token_db;
+};
+
+typedef struct nss_dbm_token_struct nss_dbm_token_t;
+struct nss_dbm_token_struct {
+  NSSArena *arena;
+  nss_dbm_slot_t *slot;
+  nss_dbm_db_t *session_db;
+  NSSUTF8 *label;
+};
+
+struct nss_dbm_dbt_node {
+  struct nss_dbm_dbt_node *next;
+  nss_dbm_dbt_t *dbt;
+};
+
+typedef struct nss_dbm_session_struct nss_dbm_session_t;
+struct nss_dbm_session_struct {
+  NSSArena *arena;
+  nss_dbm_token_t *token;
+  CK_ULONG deviceError;
+  struct nss_dbm_dbt_node *session_objects;
+  NSSCKFWMutex *list_lock;
+};
+
+typedef struct nss_dbm_object_struct nss_dbm_object_t;
+struct nss_dbm_object_struct {
+  NSSArena *arena; /* token or session */
+  nss_dbm_dbt_t *handle;
+};
+
+typedef struct nss_dbm_find_struct nss_dbm_find_t;
+struct nss_dbm_find_struct {
+  NSSArena *arena;
+  struct nss_dbm_dbt_node *found;
+  NSSCKFWMutex *list_lock;
+};
+
+NSS_EXTERN NSSCKMDSlot *
+nss_dbm_mdSlot_factory
+(
+  nss_dbm_instance_t *instance,
+  char *filename,
+  int flags,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDToken *
+nss_dbm_mdToken_factory
+(
+  nss_dbm_slot_t *slot,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDSession *
+nss_dbm_mdSession_factory
+(
+  nss_dbm_token_t *token,
+  NSSCKFWSession *fwSession,
+  NSSCKFWInstance *fwInstance,
+  CK_BBOOL rw,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDObject *
+nss_dbm_mdObject_factory
+(
+  nss_dbm_object_t *object,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDFindObjects *
+nss_dbm_mdFindObjects_factory
+(
+  nss_dbm_find_t *find,
+  CK_RV *pError
+);
+
+NSS_EXTERN nss_dbm_db_t *
+nss_dbm_db_open
+(
+  NSSArena *arena,
+  NSSCKFWInstance *fwInstance,
+  char *filename,
+  int flags,
+  CK_RV *pError
+);
+
+NSS_EXTERN void
+nss_dbm_db_close
+(
+  nss_dbm_db_t *db
+);
+
+NSS_EXTERN CK_VERSION
+nss_dbm_db_get_format_version
+(
+  nss_dbm_db_t *db
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_set_label
+(
+  nss_dbm_db_t *db,
+  NSSUTF8 *label
+);
+
+NSS_EXTERN NSSUTF8 *
+nss_dbm_db_get_label
+(
+  nss_dbm_db_t *db,
+  NSSArena *arena,
+  CK_RV *pError
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_delete_object
+(
+  nss_dbm_dbt_t *dbt
+);
+
+NSS_EXTERN nss_dbm_dbt_t *
+nss_dbm_db_create_object
+(
+  NSSArena *arena,
+  nss_dbm_db_t *db,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_find_objects
+(
+  nss_dbm_find_t *find,
+  nss_dbm_db_t *db,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_BBOOL
+nss_dbm_db_object_still_exists
+(
+  nss_dbm_dbt_t *dbt
+);
+
+NSS_EXTERN CK_ULONG
+nss_dbm_db_get_object_attribute_count
+(
+  nss_dbm_dbt_t *dbt,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_get_object_attribute_types
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_ULONG
+nss_dbm_db_get_object_attribute_size
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN NSSItem *
+nss_dbm_db_get_object_attribute
+(
+  nss_dbm_dbt_t *dbt,
+  NSSArena *arena,
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_set_object_attribute
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE type,
+  NSSItem *value,
+  CK_ULONG *pdbrv
+);
+
+#endif /* CKDBM_H */

mozilla/security/nss/lib/ckfw/dbm/config.mk

@@ -0,0 +1,37 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.1 $ $Date: 2000-05-15 20:39:54 $ $Name: not supported by cvs2svn $"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif

mozilla/security/nss/lib/ckfw/dbm/find.c

@@ -0,0 +1,166 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: find.c,v $ $Revision: 1.2 $ $Date: 2000-05-15 20:58:19 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static void
+nss_dbm_mdFindObjects_Final
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_find_t *find = (nss_dbm_find_t *)mdFindObjects->etc;
+
+  /* Locks might have system resources associated */
+  (void)NSSCKFWMutex_Destroy(find->list_lock);
+  (void)NSSArena_Destroy(find->arena);
+}
+
+
+static NSSCKMDObject *
+nss_dbm_mdFindObjects_Next
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  nss_dbm_find_t *find = (nss_dbm_find_t *)mdFindObjects->etc;
+  struct nss_dbm_dbt_node *node;
+  nss_dbm_object_t *object;
+  NSSCKMDObject *rv;
+
+  while(1) {
+    /* Lock */
+    {
+      *pError = NSSCKFWMutex_Lock(find->list_lock);
+      if( CKR_OK != *pError ) {
+        return (NSSCKMDObject *)NULL;
+      }
+      
+      node = find->found;
+      if( (struct nss_dbm_dbt_node *)NULL != node ) {
+        find->found = node->next;
+      }
+      
+      *pError = NSSCKFWMutex_Unlock(find->list_lock);
+      if( CKR_OK != *pError ) {
+        /* screwed now */
+        return (NSSCKMDObject *)NULL;
+      }
+    }
+
+    if( (struct nss_dbm_dbt_node *)NULL == node ) {
+      break;
+    }
+
+    if( nss_dbm_db_object_still_exists(node->dbt) ) {
+      break;
+    }
+  }
+
+  if( (struct nss_dbm_dbt_node *)NULL == node ) {
+    *pError = CKR_OK;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  object = nss_ZNEW(arena, nss_dbm_object_t);
+  if( (nss_dbm_object_t *)NULL == object ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  object->arena = arena;
+  object->handle = nss_ZNEW(arena, nss_dbm_dbt_t);
+  if( (nss_dbm_dbt_t *)NULL == object->handle ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  object->handle->my_db = node->dbt->my_db;
+  object->handle->dbt.size = node->dbt->dbt.size;
+  object->handle->dbt.data = nss_ZAlloc(arena, node->dbt->dbt.size);
+  if( (void *)NULL == object->handle->dbt.data ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  (void)memcpy(object->handle->dbt.data, node->dbt->dbt.data, node->dbt->dbt.size);
+
+  rv = nss_dbm_mdObject_factory(object, pError);
+  if( (NSSCKMDObject *)NULL == rv ) {
+    return (NSSCKMDObject *)NULL;
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT NSSCKMDFindObjects *
+nss_dbm_mdFindObjects_factory
+(
+  nss_dbm_find_t *find,
+  CK_RV *pError
+)
+{
+  NSSCKMDFindObjects *rv;
+
+  rv = nss_ZNEW(find->arena, NSSCKMDFindObjects);
+  if( (NSSCKMDFindObjects *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDFindObjects *)NULL;
+  }
+
+  rv->etc = (void *)find;
+  rv->Final = nss_dbm_mdFindObjects_Final;
+  rv->Next = nss_dbm_mdFindObjects_Next;
+
+  return rv;
+}

mozilla/security/nss/lib/ckfw/dbm/instance.c

@@ -0,0 +1,196 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: instance.c,v $ $Revision: 1.1 $ $Date: 2000-05-15 20:39:56 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static CK_RV
+nss_dbm_mdInstance_Initialize
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  NSSUTF8 *configurationData
+)
+{
+  CK_RV rv = CKR_OK;
+  NSSArena *arena;
+  nss_dbm_instance_t *instance;
+
+  arena = NSSCKFWInstance_GetArena(fwInstance, &rv);
+  if( ((NSSArena *)NULL == arena) && (CKR_OK != rv) ) {
+    return rv;
+  }
+
+  instance = nss_ZNEW(arena, nss_dbm_instance_t);
+  if( (nss_dbm_instance_t *)NULL == instance ) {
+    return CKR_HOST_MEMORY;
+  }
+
+  instance->arena = arena;
+
+  /*
+   * This should parse the configuration data for information on
+   * number and locations of databases, modes (e.g. readonly), etc.
+   * But for now, we'll have one slot with a creatable read-write
+   * database called "cert8.db."
+   */
+
+  instance->nSlots = 1;
+  instance->filenames = nss_ZNEWARRAY(arena, char *, instance->nSlots);
+  if( (char **)NULL == instance->filenames ) {
+    return CKR_HOST_MEMORY;
+  }
+
+  instance->flags = nss_ZNEWARRAY(arena, int, instance->nSlots);
+  if( (int *)NULL == instance->flags ) {
+    return CKR_HOST_MEMORY;
+  }
+
+  instance->filenames[0] = "cert8.db";
+  instance->flags[0] = O_RDWR|O_CREAT;
+
+  mdInstance->etc = (void *)instance;
+  return CKR_OK;
+}
+
+/* nss_dbm_mdInstance_Finalize is not required */
+
+static CK_ULONG
+nss_dbm_mdInstance_GetNSlots
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
+  return instance->nSlots;
+}
+
+static CK_VERSION
+nss_dbm_mdInstance_GetCryptokiVersion
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  static CK_VERSION rv = { 2, 1 };
+  return rv;
+}
+
+static NSSUTF8 *
+nss_dbm_mdInstance_GetManufacturerID
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "Netscape Communications Corp.";
+}
+
+static NSSUTF8 *
+nss_dbm_mdInstance_GetLibraryDescription
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "Berkeley Database Module";
+}
+
+static CK_VERSION
+nss_dbm_mdInstance_GetLibraryVersion
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  static CK_VERSION rv = { 1, 0 }; /* My own version number */
+  return rv;
+}
+
+static CK_BBOOL
+nss_dbm_mdInstance_ModuleHandlesSessionObjects
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_TRUE;
+}
+
+static CK_RV
+nss_dbm_mdInstance_GetSlots
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDSlot *slots[]
+)
+{
+  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
+  CK_ULONG i;
+  CK_RV rv = CKR_OK;
+
+  for( i = 0; i < instance->nSlots; i++ ) {
+    slots[i] = nss_dbm_mdSlot_factory(instance, instance->filenames[i], 
+                                      instance->flags[i], &rv);
+    if( (NSSCKMDSlot *)NULL == slots[i] ) {
+      return rv;
+    }
+  }
+
+  return rv;
+}
+
+/* nss_dbm_mdInstance_WaitForSlotEvent is not relevant */
+
+NSS_IMPLEMENT_DATA NSSCKMDInstance 
+nss_dbm_mdInstance = {
+  NULL, /* etc; filled in later */
+  nss_dbm_mdInstance_Initialize,
+  NULL, /* nss_dbm_mdInstance_Finalize */
+  nss_dbm_mdInstance_GetNSlots,
+  nss_dbm_mdInstance_GetCryptokiVersion,
+  nss_dbm_mdInstance_GetManufacturerID,
+  nss_dbm_mdInstance_GetLibraryDescription,
+  nss_dbm_mdInstance_GetLibraryVersion,
+  nss_dbm_mdInstance_ModuleHandlesSessionObjects,
+  nss_dbm_mdInstance_GetSlots,
+  NULL, /* nss_dbm_mdInstance_WaitForSlotEvent */
+  NULL /* terminator */
+};

mozilla/security/nss/lib/ckfw/dbm/manifest.mn

@@ -0,0 +1,54 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MANIFEST_CVS_ID = "@(#) $RCSfile: manifest.mn,v $ $Revision: 1.1 $ $Date: 2000-05-15 20:39:56 $ $Name: not supported by cvs2svn $"
+
+CORE_DEPTH = ../../../..
+
+MODULE = security
+
+CSRCS =		   \
+	anchor.c   \
+	instance.c \
+	slot.c	   \
+	token.c	   \
+	session.c  \
+	object.c   \
+	find.c	   \
+	db.c	   \
+	$(NULL)
+
+REQUIRES = security dbm nspr
+
+LIBRARY_NAME = nssckdbm
+
+EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -ldbm -lnspr4 -lplc4 -lplds4

mozilla/security/nss/lib/ckfw/dbm/object.c

@@ -0,0 +1,204 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: object.c,v $ $Revision: 1.1 $ $Date: 2000-05-15 20:39:56 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static void
+nss_dbm_mdObject_Finalize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  ;
+}
+
+static CK_RV
+nss_dbm_mdObject_Destroy
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  return nss_dbm_db_delete_object(object->handle);
+}
+
+static CK_ULONG
+nss_dbm_mdObject_GetAttributeCount
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_get_object_attribute_count(object->handle, pError, 
+                                               &session->deviceError);
+}
+
+static CK_RV
+nss_dbm_mdObject_GetAttributeTypes
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_get_object_attribute_types(object->handle, typeArray,
+                                               ulCount, &session->deviceError);
+}
+
+static CK_ULONG
+nss_dbm_mdObject_GetAttributeSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_get_object_attribute_size(object->handle, attribute, pError, 
+                                              &session->deviceError);
+}
+
+static NSSItem *
+nss_dbm_mdObject_GetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_get_object_attribute(object->handle, object->arena, attribute,
+                                         pError, &session->deviceError);
+}
+
+static CK_RV
+nss_dbm_mdObject_SetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *value
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_set_object_attribute(object->handle, attribute, value,
+                                         &session->deviceError);
+}
+
+NSS_IMPLEMENT NSSCKMDObject *
+nss_dbm_mdObject_factory
+(
+  nss_dbm_object_t *object,
+  CK_RV *pError
+)
+{
+  NSSCKMDObject *rv;
+
+  rv = nss_ZNEW(object->arena, NSSCKMDObject);
+  if( (NSSCKMDObject *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  rv->etc = (void *)object;
+  rv->Finalize = nss_dbm_mdObject_Finalize;
+  rv->Destroy = nss_dbm_mdObject_Destroy;
+  /*  IsTokenObject can be deferred */
+  rv->GetAttributeCount = nss_dbm_mdObject_GetAttributeCount;
+  rv->GetAttributeTypes = nss_dbm_mdObject_GetAttributeTypes;
+  rv->GetAttributeSize = nss_dbm_mdObject_GetAttributeSize;
+  rv->GetAttribute = nss_dbm_mdObject_GetAttribute;
+  rv->SetAttribute = nss_dbm_mdObject_SetAttribute;
+  /*  GetObjectSize can be deferred */
+
+  return rv;
+}

mozilla/security/nss/lib/ckfw/dbm/session.c

@@ -0,0 +1,298 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: session.c,v $ $Revision: 1.1 $ $Date: 2000-05-15 20:39:57 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static void
+nss_dbm_mdSession_Close
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+
+  struct nss_dbm_dbt_node *w;
+
+  /* Lock */
+  {
+    if( CKR_OK != NSSCKFWMutex_Lock(session->list_lock) ) {
+      return;
+    }
+
+    w = session->session_objects;
+    session->session_objects = (struct nss_dbm_dbt_node *)NULL; /* sanity */
+    
+    (void)NSSCKFWMutex_Unlock(session->list_lock);
+  }
+
+  for( ; (struct nss_dbm_dbt_node *)NULL != w; w = w->next ) {
+    (void)nss_dbm_db_delete_object(w->dbt);
+  }
+}
+
+static CK_ULONG
+nss_dbm_mdSession_GetDeviceError
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return session->deviceError;
+}
+
+/* Login isn't needed */
+/* Logout isn't needed */
+/* InitPIN is irrelevant */
+/* SetPIN is irrelevant */
+/* GetOperationStateLen is irrelevant */
+/* GetOperationState is irrelevant */
+/* SetOperationState is irrelevant */
+
+static NSSCKMDObject *
+nss_dbm_mdSession_CreateObject
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *handyArenaPointer,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  CK_ULONG i;
+  CK_BBOOL isToken = CK_FALSE; /* defaults to false */
+  NSSCKMDObject *rv;
+  struct nss_dbm_dbt_node *node = (struct nss_dbm_dbt_node *)NULL;
+  nss_dbm_object_t *object;
+  nss_dbm_db_t *which_db;
+
+  /* This framework should really pass this to me */
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    if( CKA_TOKEN == pTemplate[i].type ) {
+      isToken = *(CK_BBOOL *)pTemplate[i].pValue;
+      break;
+    }
+  }
+
+  object = nss_ZNEW(handyArenaPointer, nss_dbm_object_t);
+  if( (nss_dbm_object_t *)NULL == object ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  object->arena = handyArenaPointer;
+  which_db = isToken ? token->slot->token_db : token->session_db;
+
+  /* Do this before the actual database call; it's easier to recover from */
+  rv = nss_dbm_mdObject_factory(object, pError);
+  if( (NSSCKMDObject *)NULL == rv ) {
+    return (NSSCKMDObject *)NULL;
+  }
+
+  if( CK_FALSE == isToken ) {
+    node = nss_ZNEW(session->arena, struct nss_dbm_dbt_node);
+    if( (struct nss_dbm_dbt_node *)NULL == node ) {
+      *pError = CKR_HOST_MEMORY;
+      return (NSSCKMDObject *)NULL;
+    }
+  }
+
+  object->handle = nss_dbm_db_create_object(handyArenaPointer, which_db, 
+                                            pTemplate, ulAttributeCount,
+                                            pError, &session->deviceError);
+  if( (nss_dbm_dbt_t *)NULL == object->handle ) {
+    return (NSSCKMDObject *)NULL;
+  }
+
+  if( CK_FALSE == isToken ) {
+    node->dbt = object->handle;
+    /* Lock */
+    {
+      *pError = NSSCKFWMutex_Lock(session->list_lock);
+      if( CKR_OK != *pError ) {
+        (void)nss_dbm_db_delete_object(object->handle);
+        return (NSSCKMDObject *)NULL;
+      }
+      
+      node->next = session->session_objects;
+      session->session_objects = node;
+      
+      *pError = NSSCKFWMutex_Unlock(session->list_lock);
+    }
+  }
+
+  return rv;
+}
+
+/* CopyObject isn't needed; the framework will use CreateObject */
+
+static NSSCKMDFindObjects *
+nss_dbm_mdSession_FindObjectsInit
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  NSSArena *arena;
+  nss_dbm_find_t *find;
+  NSSCKMDFindObjects *rv;
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  find = nss_ZNEW(arena, nss_dbm_find_t);
+  if( (nss_dbm_find_t *)NULL == find ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  find->arena = arena;
+  find->list_lock = NSSCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == find->list_lock ) {
+    goto loser;
+  }
+
+  *pError = nss_dbm_db_find_objects(find, token->slot->token_db, pTemplate, 
+                                    ulAttributeCount, &session->deviceError);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+
+  *pError = nss_dbm_db_find_objects(find, token->session_db, pTemplate, 
+                                    ulAttributeCount, &session->deviceError);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+
+  rv = nss_dbm_mdFindObjects_factory(find, pError);
+  if( (NSSCKMDFindObjects *)NULL == rv ) {
+    goto loser;
+  }
+
+  return rv;
+
+ loser:
+  if( (NSSArena *)NULL != arena ) {
+    (void)NSSArena_Destroy(arena);
+  }
+
+  return (NSSCKMDFindObjects *)NULL;
+}
+
+/* SeedRandom is irrelevant */
+/* GetRandom is irrelevant */
+
+NSS_IMPLEMENT NSSCKMDSession *
+nss_dbm_mdSession_factory
+(
+  nss_dbm_token_t *token,
+  NSSCKFWSession *fwSession,
+  NSSCKFWInstance *fwInstance,
+  CK_BBOOL rw,
+  CK_RV *pError
+)
+{
+  NSSArena *arena;
+  nss_dbm_session_t *session;
+  NSSCKMDSession *rv;
+
+  arena = NSSCKFWSession_GetArena(fwSession, pError);
+
+  session = nss_ZNEW(arena, nss_dbm_session_t);
+  if( (nss_dbm_session_t *)NULL == session ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSession *)NULL;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDSession);
+  if( (NSSCKMDSession *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSession *)NULL;
+  }
+
+  session->arena = arena;
+  session->token = token;
+  session->list_lock = NSSCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == session->list_lock ) {
+    return (NSSCKMDSession *)NULL;
+  }
+
+  rv->etc = (void *)session;
+  rv->Close = nss_dbm_mdSession_Close;
+  rv->GetDeviceError = nss_dbm_mdSession_GetDeviceError;
+  /*  Login isn't needed */
+  /*  Logout isn't needed */
+  /*  InitPIN is irrelevant */
+  /*  SetPIN is irrelevant */
+  /*  GetOperationStateLen is irrelevant */
+  /*  GetOperationState is irrelevant */
+  /*  SetOperationState is irrelevant */
+  rv->CreateObject = nss_dbm_mdSession_CreateObject;
+  /*  CopyObject isn't needed; the framework will use CreateObject */
+  rv->FindObjectsInit = nss_dbm_mdSession_FindObjectsInit;
+  rv->null = NULL;
+
+  return rv;
+}

mozilla/security/nss/lib/ckfw/dbm/slot.c

@@ -0,0 +1,214 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: slot.c,v $ $Revision: 1.1 $ $Date: 2000-05-15 20:39:57 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static CK_RV
+nss_dbm_mdSlot_Initialize
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
+  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
+  CK_RV rv = CKR_OK;
+
+  slot->token_db = nss_dbm_db_open(instance->arena, fwInstance, slot->filename, 
+                                   slot->flags, &rv);
+  if( (nss_dbm_db_t *)NULL == slot->token_db ) {
+    if( CKR_TOKEN_NOT_PRESENT == rv ) {
+      /* This is not an error-- just means "the token isn't there" */
+      rv = CKR_OK;
+    }
+  }
+
+  return rv;
+}
+
+static void
+nss_dbm_mdSlot_Destroy
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
+
+  if( (nss_dbm_db_t *)NULL != slot->token_db ) {
+    nss_dbm_db_close(slot->token_db);
+    slot->token_db = (nss_dbm_db_t *)NULL;
+  }
+}
+
+static NSSUTF8 *
+nss_dbm_mdSlot_GetSlotDescription
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "Database";
+}
+
+static NSSUTF8 *
+nss_dbm_mdSlot_GetManufacturerID
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "Berkeley";
+}
+
+static CK_BBOOL
+nss_dbm_mdSlot_GetTokenPresent
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
+
+  if( (nss_dbm_db_t *)NULL == slot->token_db ) {
+    return CK_FALSE;
+  } else {
+    return CK_TRUE;
+  }
+}
+
+static CK_BBOOL
+nss_dbm_mdSlot_GetRemovableDevice
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  /*
+   * Well, this supports "tokens" (databases) that aren't there, so in
+   * that sense they're removable.  It'd be nice to handle databases
+   * that suddenly disappear (NFS-mounted home directories and network
+   * errors, for instance) but that's a harder problem.  We'll say
+   * we support removable devices, badly.
+   */
+
+  return CK_TRUE;
+}
+
+/* nss_dbm_mdSlot_GetHardwareSlot defaults to CK_FALSE */
+/* 
+ * nss_dbm_mdSlot_GetHardwareVersion
+ * nss_dbm_mdSlot_GetFirmwareVersion
+ *
+ * These are kinda fuzzy concepts here.  I suppose we could return the
+ * Berkeley DB version for one of them, if we had an actual number we
+ * were confident in.  But mcom's "dbm" has been hacked enough that I
+ * don't really know from what "real" version it stems..
+ */
+
+static NSSCKMDToken *
+nss_dbm_mdSlot_GetToken
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
+  return nss_dbm_mdToken_factory(slot, pError);
+}
+
+NSS_IMPLEMENT NSSCKMDSlot *
+nss_dbm_mdSlot_factory
+(
+  nss_dbm_instance_t *instance,
+  char *filename,
+  int flags,
+  CK_RV *pError
+)
+{
+  nss_dbm_slot_t *slot;
+  NSSCKMDSlot *rv;
+
+  slot = nss_ZNEW(instance->arena, nss_dbm_slot_t);
+  if( (nss_dbm_slot_t *)NULL == slot ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSlot *)NULL;
+  }
+
+  slot->instance = instance;
+  slot->filename = filename;
+  slot->flags = flags;
+  slot->token_db = (nss_dbm_db_t *)NULL;
+
+  rv = nss_ZNEW(instance->arena, NSSCKMDSlot);
+  if( (NSSCKMDSlot *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSlot *)NULL;
+  }
+
+  rv->etc = (void *)slot;
+  rv->Initialize = nss_dbm_mdSlot_Initialize;
+  rv->Destroy = nss_dbm_mdSlot_Destroy;
+  rv->GetSlotDescription = nss_dbm_mdSlot_GetSlotDescription;
+  rv->GetManufacturerID = nss_dbm_mdSlot_GetManufacturerID;
+  rv->GetTokenPresent = nss_dbm_mdSlot_GetTokenPresent;
+  rv->GetRemovableDevice = nss_dbm_mdSlot_GetRemovableDevice;
+  /*  GetHardwareSlot */
+  /*  GetHardwareVersion */
+  /*  GetFirmwareVersion */
+  rv->GetToken = nss_dbm_mdSlot_GetToken;
+  rv->null = (void *)NULL;
+
+  return rv;
+}

mozilla/security/nss/lib/ckfw/dbm/token.c

@@ -0,0 +1,315 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: token.c,v $ $Revision: 1.2 $ $Date: 2000-05-17 18:28:13 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static CK_RV
+nss_dbm_mdToken_Setup
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  CK_RV rv = CKR_OK;
+
+  token->arena = NSSCKFWToken_GetArena(fwToken, &rv);
+  token->session_db = nss_dbm_db_open(token->arena, fwInstance, (char *)NULL, 
+                                      O_RDWR|O_CREAT, &rv);
+  if( (nss_dbm_db_t *)NULL == token->session_db ) {
+    return rv;
+  }
+
+  /* Add a label record if there isn't one? */
+
+  return CKR_OK;
+}
+
+static void
+nss_dbm_mdToken_Invalidate
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+
+  if( (nss_dbm_db_t *)NULL != token->session_db ) {
+    nss_dbm_db_close(token->session_db);
+    token->session_db = (nss_dbm_db_t *)NULL;
+  }
+}
+
+static CK_RV
+nss_dbm_mdToken_InitToken
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSItem *pin,
+  NSSUTF8 *label
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
+  CK_RV rv;
+
+  /* Wipe the session object data */
+  
+  if( (nss_dbm_db_t *)NULL != token->session_db ) {
+    nss_dbm_db_close(token->session_db);
+  }
+
+  token->session_db = nss_dbm_db_open(token->arena, fwInstance, (char *)NULL, 
+                                      O_RDWR|O_CREAT, &rv);
+  if( (nss_dbm_db_t *)NULL == token->session_db ) {
+    return rv;
+  }
+
+  /* Wipe the token object data */
+
+  if( token->slot->flags & O_RDWR ) {
+    if( (nss_dbm_db_t *)NULL != token->slot->token_db ) {
+      nss_dbm_db_close(token->slot->token_db);
+    }
+
+    token->slot->token_db = nss_dbm_db_open(instance->arena, fwInstance, 
+                                            token->slot->filename,
+                                            token->slot->flags | O_CREAT | O_TRUNC, 
+                                            &rv);
+    if( (nss_dbm_db_t *)NULL == token->slot->token_db ) {
+      return rv;
+    }
+
+    /* PIN is irrelevant */
+
+    rv = nss_dbm_db_set_label(token->slot->token_db, label);
+    if( CKR_OK != rv ) {
+      return rv;
+    }
+  }
+
+  return CKR_OK;
+}
+
+static NSSUTF8 *
+nss_dbm_mdToken_GetLabel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+
+  if( (NSSUTF8 *)NULL == token->label ) {
+    token->label = nss_dbm_db_get_label(token->slot->token_db, token->arena, pError);
+  }
+
+  /* If no label has been set, return *something* */
+  if( (NSSUTF8 *)NULL == token->label ) {
+    return token->slot->filename;
+  }
+
+  return token->label;
+}
+
+static NSSUTF8 *
+nss_dbm_mdToken_GetManufacturerID
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "mozilla.org NSS";
+}
+
+static NSSUTF8 *
+nss_dbm_mdToken_GetModel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "dbm";
+}
+
+/* GetSerialNumber is irrelevant */
+/* GetHasRNG defaults to CK_FALSE */
+
+static CK_BBOOL
+nss_dbm_mdToken_GetIsWriteProtected
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+
+  if( token->slot->flags & O_RDWR ) {
+    return CK_FALSE;
+  } else {
+    return CK_TRUE;
+  }
+}
+
+/* GetLoginRequired defaults to CK_FALSE */
+/* GetUserPinInitialized defaults to CK_FALSE */
+/* GetRestoreKeyNotNeeded is irrelevant */
+/* GetHasClockOnToken defaults to CK_FALSE */
+/* GetHasProtectedAuthenticationPath defaults to CK_FALSE */
+/* GetSupportsDualCryptoOperations is irrelevant */
+
+static CK_ULONG
+nss_dbm_mdToken_effectively_infinite
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_EFFECTIVELY_INFINITE;
+}
+
+static CK_VERSION
+nss_dbm_mdToken_GetHardwareVersion
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  return nss_dbm_db_get_format_version(token->slot->token_db);
+}
+
+/* GetFirmwareVersion is irrelevant */
+/* GetUTCTime is irrelevant */
+
+static NSSCKMDSession *
+nss_dbm_mdToken_OpenSession
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession,
+  CK_BBOOL rw,
+  CK_RV *pError
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  return nss_dbm_mdSession_factory(token, fwSession, fwInstance, rw, pError);
+}
+
+/* GetMechanismCount defaults to zero */
+/* GetMechanismTypes is irrelevant */
+/* GetMechanism is irrelevant */
+
+NSS_IMPLEMENT NSSCKMDToken *
+nss_dbm_mdToken_factory
+(
+  nss_dbm_slot_t *slot,
+  CK_RV *pError
+)
+{
+  nss_dbm_token_t *token;
+  NSSCKMDToken *rv;
+
+  token = nss_ZNEW(slot->instance->arena, nss_dbm_token_t);
+  if( (nss_dbm_token_t *)NULL == token ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDToken *)NULL;
+  }
+
+  rv = nss_ZNEW(slot->instance->arena, NSSCKMDToken);
+  if( (NSSCKMDToken *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDToken *)NULL;
+  }
+
+  token->slot = slot;
+
+  rv->etc = (void *)token;
+  rv->Setup = nss_dbm_mdToken_Setup;
+  rv->Invalidate = nss_dbm_mdToken_Invalidate;
+  rv->InitToken = nss_dbm_mdToken_InitToken;
+  rv->GetLabel = nss_dbm_mdToken_GetLabel;
+  rv->GetManufacturerID = nss_dbm_mdToken_GetManufacturerID;
+  rv->GetModel = nss_dbm_mdToken_GetModel;
+  /*  GetSerialNumber is irrelevant */
+  /*  GetHasRNG defaults to CK_FALSE */
+  rv->GetIsWriteProtected = nss_dbm_mdToken_GetIsWriteProtected;
+  /*  GetLoginRequired defaults to CK_FALSE */
+  /*  GetUserPinInitialized defaults to CK_FALSE */
+  /*  GetRestoreKeyNotNeeded is irrelevant */
+  /*  GetHasClockOnToken defaults to CK_FALSE */
+  /*  GetHasProtectedAuthenticationPath defaults to CK_FALSE */
+  /*  GetSupportsDualCryptoOperations is irrelevant */
+  rv->GetMaxSessionCount = nss_dbm_mdToken_effectively_infinite;
+  rv->GetMaxRwSessionCount = nss_dbm_mdToken_effectively_infinite;
+  /*  GetMaxPinLen is irrelevant */
+  /*  GetMinPinLen is irrelevant */
+  /*  GetTotalPublicMemory defaults to CK_UNAVAILABLE_INFORMATION */
+  /*  GetFreePublicMemory defaults to CK_UNAVAILABLE_INFORMATION */
+  /*  GetTotalPrivateMemory defaults to CK_UNAVAILABLE_INFORMATION */
+  /*  GetFreePrivateMemory defaults to CK_UNAVAILABLE_INFORMATION */
+  rv->GetHardwareVersion = nss_dbm_mdToken_GetHardwareVersion;
+  /*  GetFirmwareVersion is irrelevant */
+  /*  GetUTCTime is irrelevant */
+  rv->OpenSession = nss_dbm_mdToken_OpenSession;
+  rv->null = NULL;
+
+  return rv;
+}

mozilla/security/nss/lib/ckfw/find.c

@@ -0,0 +1,410 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: find.c,v $ $Revision: 1.3 $ $Date: 2002-02-08 00:10:00 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * find.c
+ *
+ * This file implements the nssCKFWFindObjects type and methods.
+ */
+
+#ifndef CK_H
+#include "ck.h"
+#endif /* CK_H */
+
+/*
+ * NSSCKFWFindObjects
+ *
+ *  -- create/destroy --
+ *  nssCKFWFindObjects_Create
+ *  nssCKFWFindObjects_Destroy
+ *
+ *  -- public accessors --
+ *  NSSCKFWFindObjects_GetMDFindObjects
+ * 
+ *  -- implement public accessors --
+ *  nssCKFWFindObjects_GetMDFindObjects
+ *
+ *  -- private accessors --
+ *
+ *  -- module fronts --
+ *  nssCKFWFindObjects_Next
+ */
+
+struct NSSCKFWFindObjectsStr {
+  NSSCKFWMutex *mutex; /* merely to serialise the MDObject calls */
+  NSSCKMDFindObjects *mdfo1;
+  NSSCKMDFindObjects *mdfo2;
+  NSSCKFWSession *fwSession;
+  NSSCKMDSession *mdSession;
+  NSSCKFWToken *fwToken;
+  NSSCKMDToken *mdToken;
+  NSSCKFWInstance *fwInstance;
+  NSSCKMDInstance *mdInstance;
+
+  NSSCKMDFindObjects *mdFindObjects; /* varies */
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do these routines as no-ops.
+ */
+
+static CK_RV
+findObjects_add_pointer
+(
+  const NSSCKFWFindObjects *fwFindObjects
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+findObjects_remove_pointer
+(
+  const NSSCKFWFindObjects *fwFindObjects
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWFindObjects_verifyPointer
+(
+  const NSSCKFWFindObjects *fwFindObjects
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+/*
+ * nssCKFWFindObjects_Create
+ *
+ */
+NSS_EXTERN NSSCKFWFindObjects *
+nssCKFWFindObjects_Create
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWToken *fwToken,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDFindObjects *mdFindObjects1,
+  NSSCKMDFindObjects *mdFindObjects2,
+  CK_RV *pError
+)
+{
+  NSSCKFWFindObjects *fwFindObjects = NULL;
+  NSSArena *arena;
+  NSSCKMDSession *mdSession;
+  NSSCKMDToken *mdToken;
+  NSSCKMDInstance *mdInstance;
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdToken = nssCKFWToken_GetMDToken(fwToken);
+  mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
+
+#ifdef notdef
+  arena = nssCKFWSession_GetArena(fwSession, pError);
+  if( (NSSArena *)NULL == arena ) {
+    goto loser;
+  }
+#endif
+
+  fwFindObjects = nss_ZNEW(NULL, NSSCKFWFindObjects);
+  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fwFindObjects->mdfo1 = mdFindObjects1;
+  fwFindObjects->mdfo2 = mdFindObjects2;
+  fwFindObjects->fwSession = fwSession;
+  fwFindObjects->mdSession = mdSession;
+  fwFindObjects->fwToken = fwToken;
+  fwFindObjects->mdToken = mdToken;
+  fwFindObjects->fwInstance = fwInstance;
+  fwFindObjects->mdInstance = mdInstance;
+
+  fwFindObjects->mutex = nssCKFWInstance_CreateMutex(fwInstance, NULL, pError);
+  if( (NSSCKFWMutex *)NULL == fwFindObjects->mutex ) {
+    goto loser;
+  }
+
+#ifdef DEBUG
+  *pError = findObjects_add_pointer(fwFindObjects);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return fwFindObjects;
+
+ loser:
+  nss_ZFreeIf(fwFindObjects);
+
+  if( (NSSCKMDFindObjects *)NULL != mdFindObjects1 ) {
+    if( (void *)NULL != (void *)mdFindObjects1->Final ) {
+      fwFindObjects->mdFindObjects = mdFindObjects1;
+      mdFindObjects1->Final(mdFindObjects1, fwFindObjects, mdSession, 
+        fwSession, mdToken, fwToken, mdInstance, fwInstance);
+    }
+  }
+
+  if( (NSSCKMDFindObjects *)NULL != mdFindObjects2 ) {
+    if( (void *)NULL != (void *)mdFindObjects2->Final ) {
+      fwFindObjects->mdFindObjects = mdFindObjects2;
+      mdFindObjects2->Final(mdFindObjects2, fwFindObjects, mdSession, 
+        fwSession, mdToken, fwToken, mdInstance, fwInstance);
+    }
+  }
+
+  if( CKR_OK == *pError ) {
+    *pError = CKR_GENERAL_ERROR;
+  }
+
+  return (NSSCKFWFindObjects *)NULL;
+}
+
+
+/*
+ * nssCKFWFindObjects_Destroy
+ *
+ */
+NSS_EXTERN void
+nssCKFWFindObjects_Destroy
+(
+  NSSCKFWFindObjects *fwFindObjects
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  (void)nssCKFWMutex_Destroy(fwFindObjects->mutex);
+
+  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo1 ) {
+    if( (void *)NULL != (void *)fwFindObjects->mdfo1->Final ) {
+      fwFindObjects->mdFindObjects = fwFindObjects->mdfo1;
+      fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects,
+        fwFindObjects->mdSession, fwFindObjects->fwSession, 
+        fwFindObjects->mdToken, fwFindObjects->fwToken,
+        fwFindObjects->mdInstance, fwFindObjects->fwInstance);
+    }
+  }
+
+  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo2 ) {
+    if( (void *)NULL != (void *)fwFindObjects->mdfo2->Final ) {
+      fwFindObjects->mdFindObjects = fwFindObjects->mdfo2;
+      fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects,
+        fwFindObjects->mdSession, fwFindObjects->fwSession, 
+        fwFindObjects->mdToken, fwFindObjects->fwToken,
+        fwFindObjects->mdInstance, fwFindObjects->fwInstance);
+    }
+  }
+
+  nss_ZFreeIf(fwFindObjects);
+
+#ifdef DEBUG
+  (void)findObjects_remove_pointer(fwFindObjects);
+#endif /* DEBUG */
+
+  return;
+}
+
+/*
+ * nssCKFWFindObjects_GetMDFindObjects
+ *
+ */
+NSS_EXTERN NSSCKMDFindObjects *
+nssCKFWFindObjects_GetMDFindObjects
+(
+  NSSCKFWFindObjects *fwFindObjects
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
+    return (NSSCKMDFindObjects *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwFindObjects->mdFindObjects;
+}
+
+/*
+ * nssCKFWFindObjects_Next
+ *
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWFindObjects_Next
+(
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSArena *arenaOpt,
+  CK_RV *pError
+)
+{
+  NSSCKMDObject *mdObject;
+  NSSCKFWObject *fwObject = (NSSCKFWObject *)NULL;
+  NSSArena *objArena;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  *pError = nssCKFWFindObjects_verifyPointer(fwFindObjects);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = nssCKFWMutex_Lock(fwFindObjects->mutex);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo1 ) {
+    if( (void *)NULL != (void *)fwFindObjects->mdfo1->Next ) {
+      fwFindObjects->mdFindObjects = fwFindObjects->mdfo1;
+      mdObject = fwFindObjects->mdfo1->Next(fwFindObjects->mdfo1,
+        fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession,
+        fwFindObjects->mdToken, fwFindObjects->fwToken, 
+        fwFindObjects->mdInstance, fwFindObjects->fwInstance,
+        arenaOpt, pError);
+      if( (NSSCKMDObject *)NULL == mdObject ) {
+        if( CKR_OK != *pError ) {
+          goto done;
+        }
+
+        /* All done. */
+        fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects,
+          fwFindObjects->mdSession, fwFindObjects->fwSession,
+          fwFindObjects->mdToken, fwFindObjects->fwToken, 
+          fwFindObjects->mdInstance, fwFindObjects->fwInstance);
+        fwFindObjects->mdfo1 = (NSSCKMDFindObjects *)NULL;
+      } else {
+        goto wrap;
+      }
+    }
+  }
+
+  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo2 ) {
+    if( (void *)NULL != (void *)fwFindObjects->mdfo2->Next ) {
+      fwFindObjects->mdFindObjects = fwFindObjects->mdfo2;
+      mdObject = fwFindObjects->mdfo2->Next(fwFindObjects->mdfo2,
+        fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession,
+        fwFindObjects->mdToken, fwFindObjects->fwToken, 
+        fwFindObjects->mdInstance, fwFindObjects->fwInstance,
+        arenaOpt, pError);
+      if( (NSSCKMDObject *)NULL == mdObject ) {
+        if( CKR_OK != *pError ) {
+          goto done;
+        }
+
+        /* All done. */
+        fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects,
+          fwFindObjects->mdSession, fwFindObjects->fwSession,
+          fwFindObjects->mdToken, fwFindObjects->fwToken, 
+          fwFindObjects->mdInstance, fwFindObjects->fwInstance);
+        fwFindObjects->mdfo2 = (NSSCKMDFindObjects *)NULL;
+      } else {
+        goto wrap;
+      }
+    }
+  }
+  
+  /* No more objects */
+  *pError = CKR_OK;
+  goto done;
+
+ wrap:
+  /*
+   * This is less than ideal-- we should determine if it's a token
+   * object or a session object, and use the appropriate arena.
+   * But that duplicates logic in nssCKFWObject_IsTokenObject.
+   * Worry about that later.  For now, be conservative, and use
+   * the token arena.
+   */
+  objArena = nssCKFWToken_GetArena(fwFindObjects->fwToken, pError);
+  if( (NSSArena *)NULL == objArena ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_HOST_MEMORY;
+    }
+    goto done;
+  }
+
+  fwObject = nssCKFWObject_Create(objArena, mdObject,
+               fwFindObjects->fwSession, fwFindObjects->fwToken, 
+               fwFindObjects->fwInstance, pError);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+  }
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwFindObjects->mutex);
+  return fwObject;
+}
+
+/*
+ * NSSCKFWFindObjects_GetMDFindObjects
+ *
+ */
+
+NSS_EXTERN NSSCKMDFindObjects *
+NSSCKFWFindObjects_GetMDFindObjects
+(
+  NSSCKFWFindObjects *fwFindObjects
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
+    return (NSSCKMDFindObjects *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWFindObjects_GetMDFindObjects(fwFindObjects);
+}

mozilla/security/nss/lib/ckfw/hash.c

@@ -0,0 +1,334 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.1 $ $Date: 2000-03-31 19:43:15 $ $Name: not supported by cvs2svn $";
+#endif /* DEBUG */
+
+/*
+ * hash.c
+ *
+ * This is merely a couple wrappers around NSPR's PLHashTable, using
+ * the identity hash and arena-aware allocators.  The reason I did
+ * this is that hash tables are used in a few places throughout the
+ * NSS Cryptoki Framework in a fairly stereotyped way, and this allows
+ * me to pull the commonalities into one place.  Should we ever want
+ * to change the implementation, it's all right here.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * nssCKFWHash
+ *
+ *  nssCKFWHash_Create
+ *  nssCKFWHash_Destroy
+ *  nssCKFWHash_Add
+ *  nssCKFWHash_Remove
+ *  nssCKFWHash_Count
+ *  nssCKFWHash_Exists
+ *  nssCKFWHash_Lookup
+ *  nssCKFWHash_Iterate
+ */
+
+struct nssCKFWHashStr {
+  NSSCKFWMutex *mutex;
+
+  /*
+   * The invariant that mutex protects is:
+   *   The count accurately reflects the hashtable state.
+   */
+
+  PLHashTable *plHashTable;
+  CK_ULONG count;
+};
+
+static PLHashNumber
+nss_ckfw_identity_hash
+(
+  const void *key
+)
+{
+  PRUint32 i = (PRUint32)key;
+  PR_ASSERT(sizeof(PLHashNumber) == sizeof(PRUint32));
+  return (PLHashNumber)i;
+}
+
+/*
+ * nssCKFWHash_Create
+ *
+ */
+NSS_IMPLEMENT nssCKFWHash *
+nssCKFWHash_Create
+(
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  nssCKFWHash *rv;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (nssCKFWHash *)NULL;
+  }
+
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (nssCKFWHash *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  rv = nss_ZNEW(arena, nssCKFWHash);
+  if( (nssCKFWHash *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (nssCKFWHash *)NULL;
+  }
+
+  rv->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == rv->mutex ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    return (nssCKFWHash *)NULL;
+  }
+
+  rv->plHashTable = PL_NewHashTable(0, nss_ckfw_identity_hash, 
+    PL_CompareValues, PL_CompareValues, &nssArenaHashAllocOps, arena);
+  if( (PLHashTable *)NULL == rv->plHashTable ) {
+    (void)nssCKFWMutex_Destroy(rv->mutex);
+    (void)nss_ZFreeIf(rv);
+    *pError = CKR_HOST_MEMORY;
+    return (nssCKFWHash *)NULL;
+  }
+
+  rv->count = 0;
+
+  return rv;
+}
+
+/*
+ * nssCKFWHash_Destroy
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWHash_Destroy
+(
+  nssCKFWHash *hash
+)
+{
+  (void)nssCKFWMutex_Destroy(hash->mutex);
+  PL_HashTableDestroy(hash->plHashTable);
+  (void)nss_ZFreeIf(hash);
+}
+
+/*
+ * nssCKFWHash_Add
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWHash_Add
+(
+  nssCKFWHash *hash,
+  const void *key,
+  const void *value
+)
+{
+  CK_RV error = CKR_OK;
+  PLHashEntry *he;
+
+  error = nssCKFWMutex_Lock(hash->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+  
+  he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
+  if( (PLHashEntry *)NULL == he ) {
+    error = CKR_HOST_MEMORY;
+  } else {
+    hash->count++;
+  }
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  return error;
+}
+
+/*
+ * nssCKFWHash_Remove
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWHash_Remove
+(
+  nssCKFWHash *hash,
+  const void *it
+)
+{
+  PRBool found;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return;
+  }
+
+  found = PL_HashTableRemove(hash->plHashTable, it);
+  if( found ) {
+    hash->count--;
+  }
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+  return;
+}
+
+/*
+ * nssCKFWHash_Count
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWHash_Count
+(
+  nssCKFWHash *hash
+)
+{
+  CK_ULONG count;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return (CK_ULONG)0;
+  }
+
+  count = hash->count;
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  return count;
+}
+
+/*
+ * nssCKFWHash_Exists
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWHash_Exists
+(
+  nssCKFWHash *hash,
+  const void *it
+)
+{
+  void *value;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return CK_FALSE;
+  }
+
+  value = PL_HashTableLookup(hash->plHashTable, it);
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  if( (void *)NULL == value ) {
+    return CK_FALSE;
+  } else {
+    return CK_TRUE;
+  }
+}
+
+/*
+ * nssCKFWHash_Lookup
+ *
+ */
+NSS_IMPLEMENT void *
+nssCKFWHash_Lookup
+(
+  nssCKFWHash *hash,
+  const void *it
+)
+{
+  void *rv;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return (void *)NULL;
+  }
+
+  rv = PL_HashTableLookup(hash->plHashTable, it);
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  return rv;
+}
+
+struct arg_str {
+  nssCKFWHashIterator fcn;
+  void *closure;
+};
+
+static PRIntn
+nss_ckfwhash_enumerator
+(
+  PLHashEntry *he,
+  PRIntn index,
+  void *arg
+)
+{
+  struct arg_str *as = (struct arg_str *)arg;
+  as->fcn(he->key, he->value, as->closure);
+  return HT_ENUMERATE_NEXT;
+}
+
+/*
+ * nssCKFWHash_Iterate
+ *
+ * NOTE that the iteration function will be called with the hashtable locked.
+ */
+NSS_IMPLEMENT void
+nssCKFWHash_Iterate
+(
+  nssCKFWHash *hash,
+  nssCKFWHashIterator fcn,
+  void *closure
+)
+{
+  struct arg_str as;
+  as.fcn = fcn;
+  as.closure = closure;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return;
+  }
+
+  PL_HashTableEnumerateEntries(hash->plHashTable, nss_ckfwhash_enumerator, &as);
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  return;
+}