Make building and using a local sqlite3 default.

git-svn-id: svn://10.0.0.236/branches/NSS_BOB_SHARED@227924 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/security/nss/lib/softoken/Makefile

@@ -0,0 +1,95 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
+# On AIX 4.3, IBM xlC_r compiler (version 3.6.6) cannot compile
+# pkcs11c.c in 64-bit mode for unknown reasons.  A workaround is
+# to compile it with optimizations turned on.  (Bugzilla bug #63815)
+ifeq ($(OS_TARGET)$(OS_RELEASE),AIX4.3)
+ifeq ($(USE_64),1)
+ifndef BUILD_OPT
+$(OBJDIR)/pkcs11.o: pkcs11.c
+	@$(MAKE_OBJDIR)
+	$(CC) -o $@ -c -O2 $(CFLAGS) $<
+$(OBJDIR)/pkcs11c.o: pkcs11c.c
+	@$(MAKE_OBJDIR)
+	$(CC) -o $@ -c -O2 $(CFLAGS) $<
+endif
+endif
+endif

mozilla/security/nss/lib/softoken/config.mk

@@ -0,0 +1,107 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+CRYPTODIR=../freebl
+ifdef MOZILLA_SECURITY_BUILD
+	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
+	CRYPTODIR=../crypto
+endif
+
+SQLITE_LIB = $(DIST)/lib/$(LIB_PREFIX)sqlite3.$(LIB_SUFFIX) 
+ifdef NSS_USE_SYTEM_SQLITE
+	SQLITE_LIB = -lsqlite3
+endif
+
+EXTRA_LIBS += \
+	$(CRYPTOLIB) \
+	$(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
+	$(SQLITE_LIB) \
+	$(NULL)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
+
+RES = $(OBJDIR)/$(LIBRARY_NAME).res
+RESNAME = $(LIBRARY_NAME).rc
+
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+else # ! NS_USE_GCC
+
+EXTRA_SHARED_LIBS += \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(NULL)
+endif # NS_USE_GCC
+
+else
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+endif
+
+ifeq ($(OS_TARGET),SunOS)
+# The -R '$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+MKSHLIB += -R '$$ORIGIN'
+OS_LIBS += -lbsm 
+endif
+
+ifeq ($(OS_TARGET),WINCE)
+DEFINES += -DDBM_USING_NSPR
+endif
+
+# indicates dependency on freebl static lib
+$(SHARED_LIBRARY): $(CRYPTOLIB)

mozilla/security/nss/lib/softoken/ecdecode.c

@@ -0,0 +1,641 @@
+/*
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Elliptic Curve Cryptography library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com> and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef NSS_ENABLE_ECC
+
+#include "blapi.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "secerr.h"
+#include "ec.h"
+#include "ecl-curve.h"
+
+#define CHECK_OK(func) if (func == NULL) goto cleanup
+#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
+
+/*
+ * Initializes a SECItem from a hexadecimal string
+ *
+ * Warning: This function ignores leading 00's, so any leading 00's
+ * in the hexadecimal string must be optional.
+ */
+static SECItem *
+hexString2SECItem(PRArenaPool *arena, SECItem *item, const char *str)
+{
+    int i = 0;
+    int byteval = 0;
+    int tmp = PORT_Strlen(str);
+
+    if ((tmp % 2) != 0) return NULL;
+    
+    /* skip leading 00's unless the hex string is "00" */
+    while ((tmp > 2) && (str[0] == '0') && (str[1] == '0')) {
+        str += 2;
+        tmp -= 2;
+    }
+
+    item->data = (unsigned char *) PORT_ArenaAlloc(arena, tmp/2);
+    if (item->data == NULL) return NULL;
+    item->len = tmp/2;
+
+    while (str[i]) {
+        if ((str[i] >= '0') && (str[i] <= '9'))
+	    tmp = str[i] - '0';
+	else if ((str[i] >= 'a') && (str[i] <= 'f'))
+	    tmp = str[i] - 'a' + 10;
+	else if ((str[i] >= 'A') && (str[i] <= 'F'))
+	    tmp = str[i] - 'A' + 10;
+	else
+	    return NULL;
+
+	byteval = byteval * 16 + tmp;
+	if ((i % 2) != 0) {
+	    item->data[i/2] = byteval;
+	    byteval = 0;
+	}
+	i++;
+    }
+
+    return item;
+}
+
+/* Copy all of the fields from srcParams into dstParams
+ */
+SECStatus
+EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
+	      const ECParams *srcParams)
+{
+    SECStatus rv = SECFailure;
+
+    dstParams->arena = arena;
+    dstParams->type = srcParams->type;
+    dstParams->fieldID.size = srcParams->fieldID.size;
+    dstParams->fieldID.type = srcParams->fieldID.type;
+    if (srcParams->fieldID.type == ec_field_GFp) {
+	CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->fieldID.u.prime,
+	    &srcParams->fieldID.u.prime));
+    } else {
+	CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->fieldID.u.poly,
+	    &srcParams->fieldID.u.poly));
+    }
+    dstParams->fieldID.k1 = srcParams->fieldID.k1;
+    dstParams->fieldID.k2 = srcParams->fieldID.k2;
+    dstParams->fieldID.k3 = srcParams->fieldID.k3;
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->curve.a,
+	&srcParams->curve.a));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->curve.b,
+	&srcParams->curve.b));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->curve.seed,
+	&srcParams->curve.seed));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->base,
+	&srcParams->base));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->order,
+	&srcParams->order));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->DEREncoding,
+	&srcParams->DEREncoding));
+	dstParams->name = srcParams->name;
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->curveOID,
+ 	&srcParams->curveOID));
+    dstParams->cofactor = srcParams->cofactor;
+
+    return SECSuccess;
+
+cleanup:
+    return SECFailure;
+}
+
+static SECStatus
+gf_populate_params(ECCurveName name, ECFieldType field_type, ECParams *params)
+{
+    SECStatus rv = SECFailure;
+    const ECCurveParams *curveParams;
+    /* 2 ['0'+'4'] + MAX_ECKEY_LEN * 2 [x,y] * 2 [hex string] + 1 ['\0'] */
+    char genenc[3 + 2 * 2 * MAX_ECKEY_LEN];
+
+    if ((name < ECCurve_noName) || (name > ECCurve_pastLastCurve)) goto cleanup;
+    params->name = name;
+    curveParams = ecCurve_map[params->name];
+    CHECK_OK(curveParams);
+    params->fieldID.size = curveParams->size;
+    params->fieldID.type = field_type;
+    if (field_type == ec_field_GFp) {
+	CHECK_OK(hexString2SECItem(params->arena, &params->fieldID.u.prime, 
+	    curveParams->irr));
+    } else {
+	CHECK_OK(hexString2SECItem(params->arena, &params->fieldID.u.poly, 
+	    curveParams->irr));
+    }
+    CHECK_OK(hexString2SECItem(params->arena, &params->curve.a, 
+	curveParams->curvea));
+    CHECK_OK(hexString2SECItem(params->arena, &params->curve.b, 
+	curveParams->curveb));
+    genenc[0] = '0';
+    genenc[1] = '4';
+    genenc[2] = '\0';
+    strcat(genenc, curveParams->genx);
+    strcat(genenc, curveParams->geny);
+    CHECK_OK(hexString2SECItem(params->arena, &params->base, genenc));
+    CHECK_OK(hexString2SECItem(params->arena, &params->order, 
+    	curveParams->order));
+    params->cofactor = curveParams->cofactor;
+
+    rv = SECSuccess;
+
+cleanup:
+    return rv;
+}
+
+SECStatus
+EC_FillParams(PRArenaPool *arena, const SECItem *encodedParams, 
+    ECParams *params)
+{
+    SECStatus rv = SECFailure;
+    SECOidTag tag;
+    SECItem oid = { siBuffer, NULL, 0};
+
+#if EC_DEBUG
+    int i;
+
+    printf("Encoded params in EC_DecodeParams: ");
+    for (i = 0; i < encodedParams->len; i++) {
+	    printf("%02x:", encodedParams->data[i]);
+    }
+    printf("\n");
+#endif
+
+    if ((encodedParams->len != ANSI_X962_CURVE_OID_TOTAL_LEN) &&
+	(encodedParams->len != SECG_CURVE_OID_TOTAL_LEN)) {
+	    PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+	    return SECFailure;
+    };
+
+    oid.len = encodedParams->len - 2;
+    oid.data = encodedParams->data + 2;
+    if ((encodedParams->data[0] != SEC_ASN1_OBJECT_ID) ||
+	((tag = SECOID_FindOIDTag(&oid)) == SEC_OID_UNKNOWN)) { 
+	    PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+	    return SECFailure;
+    }
+
+    params->arena = arena;
+    params->cofactor = 0;
+    params->type = ec_params_named;
+    params->name = ECCurve_noName;
+
+    /* For named curves, fill out curveOID */
+    params->curveOID.len = oid.len;
+    params->curveOID.data = (unsigned char *) PORT_ArenaAlloc(arena, oid.len);
+    if (params->curveOID.data == NULL) goto cleanup;
+    memcpy(params->curveOID.data, oid.data, oid.len);
+
+#if EC_DEBUG
+    printf("Curve: %s\n", SECOID_FindOIDTagDescription(tag));
+#endif
+
+    switch (tag) {
+
+    /* Binary curves */
+
+    case SEC_OID_ANSIX962_EC_C2PNB163V1:
+	/* Populate params for c2pnb163v1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB163V1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2PNB163V2:
+	/* Populate params for c2pnb163v2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB163V2, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2PNB163V3:
+	/* Populate params for c2pnb163v3 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB163V3, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2PNB176V1:
+	/* Populate params for c2pnb176v1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB176V1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB191V1:
+	/* Populate params for c2tnb191v1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB191V1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB191V2:
+	/* Populate params for c2tnb191v2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB191V2, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB191V3:
+	/* Populate params for c2tnb191v3 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB191V3, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2PNB208W1:
+	/* Populate params for c2pnb208w1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB208W1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB239V1:
+	/* Populate params for c2tnb239v1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB239V1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB239V2:
+	/* Populate params for c2tnb239v2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB239V2, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB239V3:
+	/* Populate params for c2tnb239v3 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB239V3, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2PNB272W1:
+	/* Populate params for c2pnb272w1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB272W1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2PNB304W1:
+	/* Populate params for c2pnb304w1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB304W1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB359V1:
+	/* Populate params for c2tnb359v1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB359V1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2PNB368W1:
+	/* Populate params for c2pnb368w1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB368W1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_C2TNB431R1:
+	/* Populate params for c2tnb431r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB431R1, ec_field_GF2m,
+	    params) );
+	break;
+	
+    case SEC_OID_SECG_EC_SECT113R1:
+	/* Populate params for sect113r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_113R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT113R2:
+	/* Populate params for sect113r2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_113R2, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT131R1:
+	/* Populate params for sect131r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_131R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT131R2:
+	/* Populate params for sect131r2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_131R2, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT163K1:
+	/* Populate params for sect163k1
+	 * (the NIST K-163 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_163K1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT163R1:
+	/* Populate params for sect163r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_163R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT163R2:
+	/* Populate params for sect163r2
+	 * (the NIST B-163 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_163R2, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT193R1:
+	/* Populate params for sect193r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_193R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT193R2:
+	/* Populate params for sect193r2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_193R2, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT233K1:
+	/* Populate params for sect233k1
+	 * (the NIST K-233 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_233K1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT233R1:
+	/* Populate params for sect233r1
+	 * (the NIST B-233 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_233R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT239K1:
+	/* Populate params for sect239k1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_239K1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT283K1:
+        /* Populate params for sect283k1
+	 * (the NIST K-283 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_283K1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT283R1:
+	/* Populate params for sect283r1
+	 * (the NIST B-283 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_283R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT409K1:
+	/* Populate params for sect409k1
+	 * (the NIST K-409 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_409K1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT409R1:
+	/* Populate params for sect409r1
+	 * (the NIST B-409 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_409R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT571K1:
+	/* Populate params for sect571k1
+	 * (the NIST K-571 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_571K1, ec_field_GF2m,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECT571R1:
+	/* Populate params for sect571r1
+	 * (the NIST B-571 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_571R1, ec_field_GF2m,
+	    params) );
+	break;
+
+    /* Prime curves */
+
+    case SEC_OID_ANSIX962_EC_PRIME192V1:
+	/* Populate params for prime192v1 aka secp192r1 
+	 * (the NIST P-192 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_192V1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_PRIME192V2:
+	/* Populate params for prime192v2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_192V2, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_PRIME192V3:
+	/* Populate params for prime192v3 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_192V3, ec_field_GFp,
+	    params) );
+	break;
+	
+    case SEC_OID_ANSIX962_EC_PRIME239V1:
+	/* Populate params for prime239v1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_239V1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_PRIME239V2:
+	/* Populate params for prime239v2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_239V2, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_PRIME239V3:
+	/* Populate params for prime239v3 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_239V3, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_ANSIX962_EC_PRIME256V1:
+	/* Populate params for prime256v1 aka secp256r1
+	 * (the NIST P-256 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_256V1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP112R1:
+        /* Populate params for secp112r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_112R1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP112R2:
+        /* Populate params for secp112r2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_112R2, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP128R1:
+        /* Populate params for secp128r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_128R1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP128R2:
+        /* Populate params for secp128r2 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_128R2, ec_field_GFp,
+	    params) );
+	break;
+	
+    case SEC_OID_SECG_EC_SECP160K1:
+        /* Populate params for secp160k1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_160K1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP160R1:
+        /* Populate params for secp160r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_160R1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP160R2:
+	/* Populate params for secp160r1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_160R2, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP192K1:
+	/* Populate params for secp192k1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_192K1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP224K1:
+	/* Populate params for secp224k1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_224K1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP224R1:
+	/* Populate params for secp224r1 
+	 * (the NIST P-224 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_224R1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP256K1:
+	/* Populate params for secp256k1 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_256K1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP384R1:
+	/* Populate params for secp384r1
+	 * (the NIST P-384 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_384R1, ec_field_GFp,
+	    params) );
+	break;
+
+    case SEC_OID_SECG_EC_SECP521R1:
+	/* Populate params for secp521r1 
+	 * (the NIST P-521 curve)
+	 */
+	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_521R1, ec_field_GFp,
+	    params) );
+	break;
+
+    default:
+	break;
+    };
+
+cleanup:
+    if (!params->cofactor) {
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+#if EC_DEBUG
+	printf("Unrecognized curve, returning NULL params\n");
+#endif
+    }
+
+    return rv;
+}
+
+SECStatus
+EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams)
+{
+    PRArenaPool *arena;
+    ECParams *params;
+    SECStatus rv = SECFailure;
+
+    /* Initialize an arena for the ECParams structure */
+    if (!(arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE)))
+	return SECFailure;
+
+    params = (ECParams *)PORT_ArenaZAlloc(arena, sizeof(ECParams));
+    if (!params) {
+	PORT_FreeArena(arena, PR_TRUE);
+	return SECFailure;
+    }
+
+    /* Copy the encoded params */
+    SECITEM_AllocItem(arena, &(params->DEREncoding),
+	encodedParams->len);
+    memcpy(params->DEREncoding.data, encodedParams->data, encodedParams->len);
+
+    /* Fill out the rest of the ECParams structure based on 
+     * the encoded params 
+     */
+    rv = EC_FillParams(arena, encodedParams, params);
+    if (rv == SECFailure) {
+	PORT_FreeArena(arena, PR_TRUE);	
+	return SECFailure;
+    } else {
+	*ecparams = params;;
+	return SECSuccess;
+    }
+}
+
+#endif /* NSS_ENABLE_ECC */

mozilla/security/nss/lib/softoken/fipsaudt.c

@@ -0,0 +1,351 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Network Security Services (NSS).
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2006
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * This file implements audit logging required by FIPS 140-2 Security
+ * Level 2.
+ */
+
+#include "prprf.h"
+#include "softoken.h"
+
+/*
+ * Print the value of the returned object handle in the output buffer
+ * on a successful return of the PKCS #11 function.  If the PKCS #11
+ * function failed or the pointer to object handle is NULL (which is
+ * the case for C_DeriveKey with CKM_TLS_KEY_AND_MAC_DERIVE), an empty
+ * string is stored in the output buffer.
+ *
+ * out: the output buffer
+ * outlen: the length of the output buffer
+ * argName: the name of the "pointer to object handle" argument
+ * phObject: the pointer to object handle
+ * rv: the return value of the PKCS #11 function
+ */
+static void sftk_PrintReturnedObjectHandle(char *out, PRUint32 outlen,
+    const char *argName, CK_OBJECT_HANDLE_PTR phObject, CK_RV rv)
+{
+    if ((rv == CKR_OK) && phObject) {
+	PR_snprintf(out, outlen,
+	    " *%s=0x%08lX", argName, (PRUint32)*phObject);
+    } else {
+	PORT_Assert(outlen != 0);
+	out[0] = '\0';
+    }
+}
+
+/*
+ * MECHANISM_BUFSIZE needs to be large enough for sftk_PrintMechanism,
+ * which uses <= 49 bytes.
+ */
+#define MECHANISM_BUFSIZE 64
+
+static void sftk_PrintMechanism(char *out, PRUint32 outlen,
+    CK_MECHANISM_PTR pMechanism)
+{
+    if (pMechanism) {
+	/*
+	 * If we change the format string, we need to make sure
+	 * MECHANISM_BUFSIZE is still large enough.  We allow
+	 * 20 bytes for %p on a 64-bit platform.
+	 */
+	PR_snprintf(out, outlen, "%p {mechanism=0x%08lX, ...}",
+	    pMechanism, (PRUint32)pMechanism->mechanism);
+    } else {
+	PR_snprintf(out, outlen, "%p", pMechanism);
+    }
+}
+
+void sftk_AuditCreateObject(CK_SESSION_HANDLE hSession,
+    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+    CK_OBJECT_HANDLE_PTR phObject, CK_RV rv)
+{
+    char msg[256];
+    char shObject[32];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintReturnedObjectHandle(shObject, sizeof shObject,
+	"phObject", phObject, rv);
+    PR_snprintf(msg, sizeof msg,
+	"C_CreateObject(hSession=0x%08lX, pTemplate=%p, ulCount=%lu, "
+	"phObject=%p)=0x%08lX%s",
+	(PRUint32)hSession, pTemplate, (PRUint32)ulCount,
+	phObject, (PRUint32)rv, shObject);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditCopyObject(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+    CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv)
+{
+    char msg[256];
+    char shNewObject[32];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintReturnedObjectHandle(shNewObject, sizeof shNewObject,
+	"phNewObject", phNewObject, rv);
+    PR_snprintf(msg, sizeof msg,
+	"C_CopyObject(hSession=0x%08lX, hObject=0x%08lX, "
+	"pTemplate=%p, ulCount=%lu, phNewObject=%p)=0x%08lX%s",
+	(PRUint32)hSession, (PRUint32)hObject,
+	pTemplate, (PRUint32)ulCount, phNewObject, (PRUint32)rv, shNewObject);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+/* WARNING: hObject has been destroyed and can only be printed. */
+void sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hObject, CK_RV rv)
+{
+    char msg[256];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    PR_snprintf(msg, sizeof msg,
+	"C_DestroyObject(hSession=0x%08lX, hObject=0x%08lX)=0x%08lX",
+	(PRUint32)hSession, (PRUint32)hObject, (PRUint32)rv);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize, CK_RV rv)
+{
+    char msg[256];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    PR_snprintf(msg, sizeof msg,
+	"C_GetObjectSize(hSession=0x%08lX, hObject=0x%08lX, "
+	"pulSize=%p)=0x%08lX",
+	(PRUint32)hSession, (PRUint32)hObject,
+	pulSize, (PRUint32)rv);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulCount, CK_RV rv)
+{
+    char msg[256];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    PR_snprintf(msg, sizeof msg,
+	"C_GetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, "
+	"pTemplate=%p, ulCount=%lu)=0x%08lX",
+	(PRUint32)hSession, (PRUint32)hObject,
+	pTemplate, (PRUint32)ulCount, (PRUint32)rv);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulCount, CK_RV rv)
+{
+    char msg[256];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    PR_snprintf(msg, sizeof msg,
+	"C_SetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, "
+	"pTemplate=%p, ulCount=%lu)=0x%08lX",
+	(PRUint32)hSession, (PRUint32)hObject,
+	pTemplate, (PRUint32)ulCount, (PRUint32)rv);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditCryptInit(const char *opName, CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey, CK_RV rv)
+{
+    char msg[256];
+    char mech[MECHANISM_BUFSIZE];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+    PR_snprintf(msg, sizeof msg,
+	"C_%sInit(hSession=0x%08lX, pMechanism=%s, "
+	"hKey=0x%08lX)=0x%08lX",
+	opName, (PRUint32)hSession, mech,
+	(PRUint32)hKey, (PRUint32)rv);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
+{
+    char msg[256];
+    char mech[MECHANISM_BUFSIZE];
+    char shKey[32];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+    sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
+    PR_snprintf(msg, sizeof msg,
+	"C_GenerateKey(hSession=0x%08lX, pMechanism=%s, "
+	"pTemplate=%p, ulCount=%lu, phKey=%p)=0x%08lX%s",
+	(PRUint32)hSession, mech,
+	pTemplate, (PRUint32)ulCount, phKey, (PRUint32)rv, shKey);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+    CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+    CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
+    CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv)
+{
+    char msg[512];
+    char mech[MECHANISM_BUFSIZE];
+    char shPublicKey[32];
+    char shPrivateKey[32];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+    sftk_PrintReturnedObjectHandle(shPublicKey, sizeof shPublicKey,
+	"phPublicKey", phPublicKey, rv);
+    sftk_PrintReturnedObjectHandle(shPrivateKey, sizeof shPrivateKey,
+	"phPrivateKey", phPrivateKey, rv);
+    PR_snprintf(msg, sizeof msg,
+	"C_GenerateKeyPair(hSession=0x%08lX, pMechanism=%s, "
+	"pPublicKeyTemplate=%p, ulPublicKeyAttributeCount=%lu, "
+	"pPrivateKeyTemplate=%p, ulPrivateKeyAttributeCount=%lu, "
+	"phPublicKey=%p, phPrivateKey=%p)=0x%08lX%s%s",
+	(PRUint32)hSession, mech,
+	pPublicKeyTemplate, (PRUint32)ulPublicKeyAttributeCount,
+	pPrivateKeyTemplate, (PRUint32)ulPrivateKeyAttributeCount,
+	phPublicKey, phPrivateKey, (PRUint32)rv, shPublicKey, shPrivateKey);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditWrapKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
+    CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
+    CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv)
+{
+    char msg[256];
+    char mech[MECHANISM_BUFSIZE];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+    PR_snprintf(msg, sizeof msg,
+	"C_WrapKey(hSession=0x%08lX, pMechanism=%s, hWrappingKey=0x%08lX, "
+	"hKey=0x%08lX, pWrappedKey=%p, pulWrappedKeyLen=%p)=0x%08lX",
+	(PRUint32)hSession, mech, (PRUint32)hWrappingKey,
+	(PRUint32)hKey, pWrappedKey, pulWrappedKeyLen, (PRUint32)rv);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
+    CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
+    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+    CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
+{
+    char msg[256];
+    char mech[MECHANISM_BUFSIZE];
+    char shKey[32];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+    sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
+    PR_snprintf(msg, sizeof msg,
+	"C_UnwrapKey(hSession=0x%08lX, pMechanism=%s, "
+	"hUnwrappingKey=0x%08lX, pWrappedKey=%p, ulWrappedKeyLen=%lu, "
+	"pTemplate=%p, ulAttributeCount=%lu, phKey=%p)=0x%08lX%s",
+	(PRUint32)hSession, mech,
+	(PRUint32)hUnwrappingKey, pWrappedKey, (PRUint32)ulWrappedKeyLen,
+	pTemplate, (PRUint32)ulAttributeCount, phKey, (PRUint32)rv, shKey);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
+    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+    CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
+{
+    char msg[512];
+    char mech[MECHANISM_BUFSIZE];
+    char shKey[32];
+    char sTlsKeys[128];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+    sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
+    if ((rv == CKR_OK) &&
+	(pMechanism->mechanism == CKM_TLS_KEY_AND_MAC_DERIVE)) {
+	CK_SSL3_KEY_MAT_PARAMS *param =
+	    (CK_SSL3_KEY_MAT_PARAMS *)pMechanism->pParameter;
+	CK_SSL3_KEY_MAT_OUT *keymat = param->pReturnedKeyMaterial;
+	PR_snprintf(sTlsKeys, sizeof sTlsKeys,
+	    " hClientMacSecret=0x%08lX hServerMacSecret=0x%08lX"
+	    " hClientKey=0x%08lX hServerKey=0x%08lX",
+	    (PRUint32)keymat->hClientMacSecret,
+	    (PRUint32)keymat->hServerMacSecret,
+	    (PRUint32)keymat->hClientKey,
+	    (PRUint32)keymat->hServerKey);
+    } else {
+	sTlsKeys[0] = '\0';
+    }
+    PR_snprintf(msg, sizeof msg,
+	"C_DeriveKey(hSession=0x%08lX, pMechanism=%s, "
+	"hBaseKey=0x%08lX, pTemplate=%p, ulAttributeCount=%lu, "
+	"phKey=%p)=0x%08lX%s%s",
+	(PRUint32)hSession, mech,
+	(PRUint32)hBaseKey, pTemplate,(PRUint32)ulAttributeCount,
+	phKey, (PRUint32)rv, shKey, sTlsKeys);
+    sftk_LogAuditMessage(severity, msg);
+}
+
+void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hKey, CK_RV rv)
+{
+    char msg[256];
+    NSSAuditSeverity severity = (rv == CKR_OK) ?
+	NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+    PR_snprintf(msg, sizeof msg,
+	"C_DigestKey(hSession=0x%08lX, hKey=0x%08lX)=0x%08lX",
+	(PRUint32)hSession, (PRUint32)hKey, (PRUint32)rv);
+    sftk_LogAuditMessage(severity, msg);
+}

mozilla/security/nss/lib/softoken/legacydb/Makefile

@@ -0,0 +1,80 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+

mozilla/security/nss/lib/softoken/legacydb/cdbhdl.h

@@ -0,0 +1,85 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * cdbhdl.h - certificate database handle
+ *   private to the certdb module
+ *
+ * $Id: cdbhdl.h,v 1.1.2.1 2007-04-03 22:50:02 rrelyea%redhat.com Exp $
+ */
+#ifndef _CDBHDL_H_
+#define _CDBHDL_H_
+
+#include "nspr.h"
+#include "mcom_db.h"
+#include "pcertt.h"
+#include "prtypes.h"
+
+/*
+ * Handle structure for open certificate databases
+ */
+struct NSSLOWCERTCertDBHandleStr {
+    DB *permCertDB;
+    PZMonitor *dbMon;
+    PRBool dbVerify;
+    PRInt32  ref; /* reference count */
+};
+
+#ifdef DBM_USING_NSPR
+#define NO_RDONLY	PR_RDONLY
+#define NO_RDWR		PR_RDWR
+#define NO_CREATE	(PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE)
+#else
+#define NO_RDONLY	O_RDONLY
+#define NO_RDWR		O_RDWR
+#define NO_CREATE	(O_RDWR | O_CREAT | O_TRUNC)
+#endif
+
+typedef DB * (*rdbfunc)(const char *appName, const char *prefix, 
+				const char *type, int flags);
+typedef int (*rdbstatusfunc)(void);
+
+#define RDB_FAIL 1
+#define RDB_RETRY 2
+
+DB * rdbopen(const char *appName, const char *prefix, 
+				const char *type, int flags, int *status);
+
+DB *dbsopen (const char *dbname , int flags, int mode, DBTYPE type, 
+						const void * appData);
+SECStatus db_Copy(DB *dest,DB *src);
+int db_InitComplete(DB *db);
+
+#endif

mozilla/security/nss/lib/softoken/legacydb/config.mk

@@ -0,0 +1,102 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+CRYPTODIR=../freebl
+ifdef MOZILLA_SECURITY_BUILD
+	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
+	CRYPTODIR=../crypto
+endif
+
+EXTRA_LIBS += \
+	$(CRYPTOLIB) \
+	$(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \
+	$(NULL)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
+
+RES = $(OBJDIR)/$(LIBRARY_NAME).res
+RESNAME = $(LIBRARY_NAME).rc
+
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+else # ! NS_USE_GCC
+
+EXTRA_SHARED_LIBS += \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(NULL)
+endif # NS_USE_GCC
+
+else
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+endif
+
+ifeq ($(OS_TARGET),SunOS)
+# The -R '$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+MKSHLIB += -R '$$ORIGIN'
+OS_LIBS += -lbsm 
+endif
+
+ifeq ($(OS_TARGET),WINCE)
+DEFINES += -DDBM_USING_NSPR
+endif
+
+# indicates dependency on freebl static lib
+$(SHARED_LIBRARY): $(CRYPTOLIB)

mozilla/security/nss/lib/softoken/legacydb/dbmshim.c

@@ -0,0 +1,647 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Berkeley DB 1.85 Shim code to handle blobs.
+ *
+ * $Id: dbmshim.c,v 1.1.2.1 2007-04-03 22:50:02 rrelyea%redhat.com Exp $
+ */
+#include "mcom_db.h"
+#include "secitem.h"
+#include "nssb64.h"
+#include "blapi.h"
+#include "secerr.h"
+
+#include "lgdb.h"
+
+/*
+ *   Blob block:
+ *   Byte 0   CERTDB Version           -+                       -+
+ *   Byte 1   certDBEntryTypeBlob       |  BLOB_HEAD_LEN         |
+ *   Byte 2   flags (always '0');       |                        |
+ *   Byte 3   reserved (always '0');   -+                        |
+ *   Byte 4   LSB length                | <--BLOB_LENGTH_START   | BLOB_BUF_LEN
+ *   Byte 5       .                     |                        |
+ *   Byte 6       .                     | BLOB_LENGTH_LEN        |
+ *   Byte 7   MSB length                |                        |
+ *   Byte 8   blob_filename   -+       -+  <-- BLOB_NAME_START   |
+ *   Byte 9       .            | BLOB_NAME_LEN                   |
+ *     .          .            |                                 |
+ *   Byte 37      .           -+                                -+
+ */
+#define DBS_BLOCK_SIZE (16*1024) /* 16 k */
+#define DBS_MAX_ENTRY_SIZE (DBS_BLOCK_SIZE - (2048)) /* 14 k */
+#define DBS_CACHE_SIZE	DBS_BLOCK_SIZE*8
+#define ROUNDDIV(x,y) (x+(y-1))/y
+#define BLOB_HEAD_LEN 4
+#define BLOB_LENGTH_START BLOB_HEAD_LEN
+#define BLOB_LENGTH_LEN 4
+#define BLOB_NAME_START BLOB_LENGTH_START+BLOB_LENGTH_LEN
+#define BLOB_NAME_LEN 1+ROUNDDIV(SHA1_LENGTH,3)*4+1
+#define BLOB_BUF_LEN BLOB_HEAD_LEN+BLOB_LENGTH_LEN+BLOB_NAME_LEN
+
+/* a Shim data structure. This data structure has a db built into it. */
+typedef struct DBSStr DBS;
+
+struct DBSStr {
+    DB db;
+    char *blobdir;
+    int mode;
+    PRBool readOnly;
+    PRFileMap *dbs_mapfile;
+    unsigned char *dbs_addr;
+    PRUint32 dbs_len;
+    char staticBlobArea[BLOB_BUF_LEN];
+};
+    
+    
+
+/*
+ * return true if the Datablock contains a blobtype
+ */
+static PRBool
+dbs_IsBlob(DBT *blobData)
+{
+    unsigned char *addr = (unsigned char *)blobData->data;
+    if (blobData->size < BLOB_BUF_LEN) {
+	return PR_FALSE;
+    }
+    return addr && ((certDBEntryType) addr[1] == certDBEntryTypeBlob);
+}
+
+/*
+ * extract the filename in the blob of the real data set.
+ * This value is not malloced (does not need to be freed by the caller.
+ */
+static const char *
+dbs_getBlobFileName(DBT *blobData)
+{
+    char *addr = (char *)blobData->data;
+
+    return &addr[BLOB_NAME_START];
+}
+
+/*
+ * extract the size of the actual blob from the blob record
+ */
+static PRUint32
+dbs_getBlobSize(DBT *blobData)
+{
+    unsigned char *addr = (unsigned char *)blobData->data;
+
+    return (PRUint32)(addr[BLOB_LENGTH_START+3] << 24) | 
+			(addr[BLOB_LENGTH_START+2] << 16) | 
+			(addr[BLOB_LENGTH_START+1] << 8) | 
+			addr[BLOB_LENGTH_START];
+}
+
+
+/* We are using base64 data for the filename, but base64 data can include a
+ * '/' which is interpreted as a path separator on  many platforms. Replace it
+ * with an inocuous '-'. We don't need to convert back because we never actual
+ * decode the filename.
+ */
+
+static void
+dbs_replaceSlash(char *cp, int len)
+{
+   while (len--) {
+	if (*cp == '/') *cp = '-';
+	cp++;
+   }
+}
+
+/*
+ * create a blob record from a key, data and return it in blobData.
+ * NOTE: The data element is static data (keeping with the dbm model).
+ */
+static void
+dbs_mkBlob(DBS *dbsp,const DBT *key, const DBT *data, DBT *blobData)
+{
+   unsigned char sha1_data[SHA1_LENGTH];
+   char *b = dbsp->staticBlobArea;
+   PRUint32 length = data->size;
+   SECItem sha1Item;
+
+   b[0] = CERT_DB_FILE_VERSION; /* certdb version number */
+   b[1] = (char) certDBEntryTypeBlob; /* type */
+   b[2] = 0; /* flags */
+   b[3] = 0; /* reserved */
+   b[BLOB_LENGTH_START] = length & 0xff;
+   b[BLOB_LENGTH_START+1] = (length >> 8) & 0xff;
+   b[BLOB_LENGTH_START+2] = (length >> 16) & 0xff;
+   b[BLOB_LENGTH_START+3] = (length >> 24) & 0xff;
+   sha1Item.data = sha1_data;
+   sha1Item.len = SHA1_LENGTH;
+   SHA1_HashBuf(sha1_data,key->data,key->size);
+   b[BLOB_NAME_START]='b'; /* Make sure we start with a alpha */
+   NSSBase64_EncodeItem(NULL,&b[BLOB_NAME_START+1],BLOB_NAME_LEN-1,&sha1Item);
+   b[BLOB_BUF_LEN-1] = 0;
+   dbs_replaceSlash(&b[BLOB_NAME_START+1],BLOB_NAME_LEN-1);
+   blobData->data = b;
+   blobData->size = BLOB_BUF_LEN;
+   return;
+}
+   
+
+/*
+ * construct a path to the actual blob. The string returned must be
+ * freed by the caller with PR_smprintf_free.
+ *
+ * Note: this file does lots of consistancy checks on the DBT. The
+ * routines that call this depend on these checks, so they don't worry
+ * about them (success of this routine implies a good blobdata record).
+ */ 
+static char *
+dbs_getBlobFilePath(char *blobdir,DBT *blobData)
+{
+    const char *name;
+
+    if (blobdir == NULL) {
+	PR_SetError(SEC_ERROR_BAD_DATABASE,0);
+	return NULL;
+    }
+    if (!dbs_IsBlob(blobData)) {
+	PR_SetError(SEC_ERROR_BAD_DATABASE,0);
+	return NULL;
+    }
+    name = dbs_getBlobFileName(blobData);
+    if (!name || *name == 0) {
+	PR_SetError(SEC_ERROR_BAD_DATABASE,0);
+	return NULL;
+    }
+    return  PR_smprintf("%s" PATH_SEPARATOR "%s", blobdir, name);
+}
+
+/*
+ * Delete a blob file pointed to by the blob record.
+ */
+static void
+dbs_removeBlob(DBS *dbsp, DBT *blobData)
+{
+    char *file;
+
+    file = dbs_getBlobFilePath(dbsp->blobdir, blobData);
+    if (!file) {
+	return;
+    }
+    PR_Delete(file);
+    PR_smprintf_free(file);
+}
+
+/*
+ * Directory modes are slightly different, the 'x' bit needs to be on to
+ * access them. Copy all the read bits to 'x' bits
+ */
+static int
+dbs_DirMode(int mode)
+{
+  int x_bits = (mode >> 2) &  0111;
+  return mode | x_bits;
+}
+
+/*
+ * write a data blob to it's file. blobdData is the blob record that will be
+ * stored in the database. data is the actual data to go out on disk.
+ */
+static int
+dbs_writeBlob(DBS *dbsp, int mode, DBT *blobData, const DBT *data)
+{
+    char *file = NULL;
+    PRFileDesc *filed;
+    PRStatus status;
+    int len;
+    int error = 0;
+
+    file = dbs_getBlobFilePath(dbsp->blobdir, blobData);
+    if (!file) {
+	goto loser;
+    }
+    if (PR_Access(dbsp->blobdir, PR_ACCESS_EXISTS) != PR_SUCCESS) {
+	status = PR_MkDir(dbsp->blobdir,dbs_DirMode(mode));
+	if (status != PR_SUCCESS) {
+	    goto loser;
+	}
+    }
+    filed = PR_OpenFile(file,PR_CREATE_FILE|PR_TRUNCATE|PR_WRONLY, mode);
+    if (filed == NULL) {
+	error = PR_GetError();
+	goto loser;
+    }
+    len = PR_Write(filed,data->data,data->size);
+    error = PR_GetError();
+    PR_Close(filed);
+    if (len < (int)data->size) {
+	goto loser;
+    }
+    PR_smprintf_free(file);
+    return 0;
+
+loser:
+    if (file) {
+	PR_Delete(file);
+	PR_smprintf_free(file);
+    }
+    /* don't let close or delete reset the error */
+    PR_SetError(error,0);
+    return -1;
+}
+
+
+/*
+ * we need to keep a address map in memory between calls to DBM.
+ * remember what we have mapped can close it when we get another dbm
+ * call. 
+ *
+ * NOTE: Not all platforms support mapped files. This code is designed to
+ * detect this at runtime. If map files aren't supported the OS will indicate
+ * this by failing the PR_Memmap call. In this case we emulate mapped files
+ * by just reading in the file into regular memory. We signal this state by
+ * making dbs_mapfile NULL and dbs_addr non-NULL.
+ */
+
+static void
+dbs_freemap(DBS *dbsp)
+{
+    if (dbsp->dbs_mapfile) {
+	PR_MemUnmap(dbsp->dbs_addr,dbsp->dbs_len);
+	PR_CloseFileMap(dbsp->dbs_mapfile);
+	dbsp->dbs_mapfile = NULL;
+	dbsp->dbs_addr = NULL;
+	dbsp->dbs_len = 0;
+    } else if (dbsp->dbs_addr) {
+	PORT_Free(dbsp->dbs_addr);
+	dbsp->dbs_addr = NULL;
+	dbsp->dbs_len = 0;
+    }
+    return;
+}
+
+static void
+dbs_setmap(DBS *dbsp, PRFileMap *mapfile, unsigned char *addr, PRUint32 len)
+{
+    dbsp->dbs_mapfile = mapfile;
+    dbsp->dbs_addr = addr;
+    dbsp->dbs_len = len;
+}
+
+/*
+ * platforms that cannot map the file need to read it into a temp buffer.
+ */
+static unsigned char *
+dbs_EmulateMap(PRFileDesc *filed, int len)
+{
+    unsigned char *addr;
+    PRInt32 dataRead;
+
+    addr = PORT_Alloc(len);
+    if (addr == NULL) {
+	return NULL;
+    }
+
+    dataRead = PR_Read(filed,addr,len);
+    if (dataRead != len) {
+	PORT_Free(addr);
+	if (dataRead > 0) {
+	    /* PR_Read didn't set an error, we need to */
+	    PR_SetError(SEC_ERROR_BAD_DATABASE,0);
+	}
+	return NULL;
+    }
+
+    return addr;
+}
+
+
+/*
+ * pull a database record off the disk
+ * data points to the blob record on input and the real record (if we could
+ * read it) on output. if there is an error data is not modified.
+ */
+static int
+dbs_readBlob(DBS *dbsp, DBT *data)
+{
+    char *file = NULL;
+    PRFileDesc *filed = NULL;
+    PRFileMap *mapfile = NULL;
+    unsigned char *addr = NULL;
+    int error;
+    int len = -1;
+
+    file = dbs_getBlobFilePath(dbsp->blobdir, data);
+    if (!file) {
+	goto loser;
+    }
+    filed = PR_OpenFile(file,PR_RDONLY,0);
+    PR_smprintf_free(file); file = NULL;
+    if (filed == NULL) {
+	goto loser;
+    }
+
+    len = dbs_getBlobSize(data);
+    mapfile = PR_CreateFileMap(filed, len, PR_PROT_READONLY);
+    if (mapfile == NULL) {
+	 /* USE PR_GetError instead of PORT_GetError here
+	  * because we are getting the error from PR_xxx
+	  * function */
+	if (PR_GetError() != PR_NOT_IMPLEMENTED_ERROR) {
+	    goto loser;
+	}
+	addr = dbs_EmulateMap(filed, len);
+    } else {
+	addr = PR_MemMap(mapfile, 0, len);
+    }
+    if (addr == NULL) {
+	goto loser;
+    }
+    PR_Close(filed);
+    dbs_setmap(dbsp,mapfile,addr,len);
+
+    data->data = addr;
+    data->size = len;
+    return 0;
+
+loser:
+    /* preserve the error code */
+    error = PR_GetError();
+    if (mapfile) {
+	PR_CloseFileMap(mapfile);
+    }
+    if (filed) {
+	PR_Close(filed);
+    }
+    PR_SetError(error,0);
+    return -1;
+}
+
+/*
+ * actual DBM shims
+ */
+static int
+dbs_get(const DB *dbs, const DBT *key, DBT *data, unsigned int flags)
+{
+    int ret;
+    DBS *dbsp = (DBS *)dbs;
+    DB *db = (DB *)dbs->internal;
+    
+
+    dbs_freemap(dbsp);
+    
+    ret = (* db->get)(db, key, data, flags);
+    if ((ret == 0) && dbs_IsBlob(data)) {
+	ret = dbs_readBlob(dbsp,data);
+    }
+
+    return(ret);
+}
+
+static int
+dbs_put(const DB *dbs, DBT *key, const DBT *data, unsigned int flags)
+{
+    DBT blob;
+    int ret = 0;
+    DBS *dbsp = (DBS *)dbs;
+    DB *db = (DB *)dbs->internal;
+
+    dbs_freemap(dbsp);
+
+    /* If the db is readonly, just pass the data down to rdb and let it fail */
+    if (!dbsp->readOnly) {
+	DBT oldData;
+	int ret1;
+
+	/* make sure the current record is deleted if it's a blob */
+	ret1 = (*db->get)(db,key,&oldData,0);
+        if ((ret1 == 0) && flags == R_NOOVERWRITE) {
+	    /* let DBM return the error to maintain consistancy */
+	    return (* db->put)(db, key, data, flags);
+	}
+	if ((ret1 == 0) && dbs_IsBlob(&oldData)) {
+	    dbs_removeBlob(dbsp, &oldData);
+	}
+
+	if (data->size > DBS_MAX_ENTRY_SIZE) {
+	    dbs_mkBlob(dbsp,key,data,&blob);
+	    ret = dbs_writeBlob(dbsp, dbsp->mode, &blob, data);
+	    data = &blob;
+	}
+    }
+
+    if (ret == 0) {
+	ret = (* db->put)(db, key, data, flags);
+    }
+    return(ret);
+}
+
+static int
+dbs_sync(const DB *dbs, unsigned int flags)
+{
+    DB *db = (DB *)dbs->internal;
+    DBS *dbsp = (DBS *)dbs;
+
+    dbs_freemap(dbsp);
+
+    return (* db->sync)(db, flags);
+}
+
+static int
+dbs_del(const DB *dbs, const DBT *key, unsigned int flags)
+{
+    int ret;
+    DBS *dbsp = (DBS *)dbs;
+    DB *db = (DB *)dbs->internal;
+
+    dbs_freemap(dbsp);
+
+    if (!dbsp->readOnly) {
+	DBT oldData;
+	ret = (*db->get)(db,key,&oldData,0);
+	if ((ret == 0) && dbs_IsBlob(&oldData)) {
+	    dbs_removeBlob(dbsp,&oldData);
+	}
+    }
+
+    return (* db->del)(db, key, flags);
+}
+
+static int
+dbs_seq(const DB *dbs, DBT *key, DBT *data, unsigned int flags)
+{
+    int ret;
+    DBS *dbsp = (DBS *)dbs;
+    DB *db = (DB *)dbs->internal;
+    
+    dbs_freemap(dbsp);
+    
+    ret = (* db->seq)(db, key, data, flags);
+    if ((ret == 0) && dbs_IsBlob(data)) {
+	/* don't return a blob read as an error so traversals keep going */
+	(void) dbs_readBlob(dbsp,data);
+    }
+
+    return(ret);
+}
+
+static int
+dbs_close(DB *dbs)
+{
+    DBS *dbsp = (DBS *)dbs;
+    DB *db = (DB *)dbs->internal;
+    int ret;
+
+    dbs_freemap(dbsp);
+    ret = (* db->close)(db);
+    PORT_Free(dbsp->blobdir);
+    PORT_Free(dbsp);
+    return ret;
+}
+
+static int
+dbs_fd(const DB *dbs)
+{
+    DB *db = (DB *)dbs->internal;
+
+    return (* db->fd)(db);
+}
+
+/*
+ * the naming convention we use is
+ * change the .xxx into .dir. (for nss it's always .db);
+ * if no .extension exists or is equal to .dir, add a .dir 
+ * the returned data must be freed.
+ */
+#define DIRSUFFIX ".dir"
+static char *
+dbs_mkBlobDirName(const char *dbname)
+{
+    int dbname_len = PORT_Strlen(dbname);
+    int dbname_end = dbname_len;
+    const char *cp;
+    char *blobDir = NULL;
+
+    /* scan back from the end looking for either a directory separator, a '.',
+     * or the end of the string. NOTE: Windows should check for both separators
+     * here. For now this is safe because we know NSS always uses a '.'
+     */
+    for (cp = &dbname[dbname_len]; 
+		(cp > dbname) && (*cp != '.') && (*cp != *PATH_SEPARATOR) ;
+			cp--)
+	/* Empty */ ;
+    if (*cp == '.') {
+	dbname_end = cp - dbname;
+	if (PORT_Strcmp(cp,DIRSUFFIX) == 0) {
+	    dbname_end = dbname_len;
+	}
+    }
+    blobDir = PORT_ZAlloc(dbname_end+sizeof(DIRSUFFIX));
+    if (blobDir == NULL) {
+	return NULL;
+    }
+    PORT_Memcpy(blobDir,dbname,dbname_end);
+    PORT_Memcpy(&blobDir[dbname_end],DIRSUFFIX,sizeof(DIRSUFFIX));
+    return blobDir;
+}
+
+#define DBM_DEFAULT 0
+static const HASHINFO dbs_hashInfo = {
+	DBS_BLOCK_SIZE,		/* bucket size, must be greater than = to
+				 * or maximum entry size (+ header)
+				 * we allow before blobing */
+	DBM_DEFAULT,		/* Fill Factor */
+	DBM_DEFAULT,		/* number of elements */
+	DBS_CACHE_SIZE,		/* cache size */
+	DBM_DEFAULT,		/* hash function */
+	DBM_DEFAULT,		/* byte order */
+};
+
+/*
+ * the open function. NOTE: this is the only exposed function in this file.
+ * everything else is called through the function table pointer.
+ */
+DB *
+dbsopen(const char *dbname, int flags, int mode, DBTYPE type,
+							 const void *userData)
+{
+    DB *db = NULL,*dbs = NULL;
+    DBS *dbsp = NULL;
+
+    /* NOTE: we are overriding userData with dbs_hashInfo. since all known
+     * callers pass 0, this is ok, otherwise we should merge the two */
+
+    dbsp = (DBS *)PORT_ZAlloc(sizeof(DBS));
+    if (!dbsp) {
+	return NULL;
+    }
+    dbs = &dbsp->db;
+
+    dbsp->blobdir=dbs_mkBlobDirName(dbname);
+    if (dbsp->blobdir == NULL) {
+	goto loser;
+    }
+    dbsp->mode = mode;
+    dbsp->readOnly = (PRBool)(flags == NO_RDONLY);
+    dbsp->dbs_mapfile = NULL;
+    dbsp->dbs_addr = NULL;
+    dbsp->dbs_len = 0;
+
+    /* the real dbm call */
+    db = dbopen(dbname, flags, mode, type, &dbs_hashInfo);
+    if (db == NULL) {
+	goto loser;
+    }
+    dbs->internal = (void *) db;
+    dbs->type = type;
+    dbs->close = dbs_close;
+    dbs->get = dbs_get;
+    dbs->del = dbs_del;
+    dbs->put = dbs_put;
+    dbs->seq = dbs_seq;
+    dbs->sync = dbs_sync;
+    dbs->fd = dbs_fd;
+
+    return dbs;
+loser:
+    if (db) {
+	(*db->close)(db);
+    }
+    if (dbsp) {
+	if (dbsp->blobdir) {
+	    PORT_Free(dbsp->blobdir);
+	}
+	PORT_Free(dbsp);
+    }
+    return NULL;
+}

mozilla/security/nss/lib/softoken/legacydb/keydbi.h

@@ -0,0 +1,86 @@
+/*
+ * private.h - Private data structures for the software token library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id: keydbi.h,v 1.1.2.1 2007-04-03 22:50:02 rrelyea%redhat.com Exp $ */
+
+#ifndef _KEYDBI_H_
+#define _KEYDBI_H_
+
+#include "nspr.h"
+#include "seccomon.h"
+#include "mcom_db.h"
+
+/*
+ * Handle structure for open key databases
+ */
+struct NSSLOWKEYDBHandleStr {
+    DB *db;
+    DB *updatedb;		/* used when updating an old version */
+    SECItem *global_salt;	/* password hashing salt for this db */
+    int version;		/* version of the database */
+    char *appname;		/* multiaccess app name */
+    char *dbname;		/* name of the openned DB */
+    PRBool readOnly;		/* is the DB read only */
+    PRLock *lock;
+    PRInt32 ref;		/* reference count */
+};
+
+/*
+** Typedef for callback for traversing key database.
+**      "key" is the key used to index the data in the database (nickname)
+**      "data" is the key data
+**      "pdata" is the user's data 
+*/
+typedef SECStatus (* NSSLOWKEYTraverseKeysFunc)(DBT *key, DBT *data, void *pdata);
+
+
+SEC_BEGIN_PROTOS
+
+/*
+** Traverse the entire key database, and pass the nicknames and keys to a 
+** user supplied function.
+**      "f" is the user function to call for each key
+**      "udata" is the user's data, which is passed through to "f"
+*/
+extern SECStatus nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle, 
+				NSSLOWKEYTraverseKeysFunc f,
+				void *udata);
+
+SEC_END_PROTOS
+
+#endif /* _KEYDBI_H_ */

mozilla/security/nss/lib/softoken/legacydb/lgcreate.c

@@ -0,0 +1,955 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "secitem.h"
+#include "pkcs11.h"
+#include "lgdb.h" 
+#include "pcert.h"
+#include "lowkeyi.h"
+#include "blapi.h"
+#include "secder.h"
+
+#include "keydbi.h" 
+
+/*
+ * ******************** Object Creation Utilities ***************************
+ */
+
+/*
+ * check the consistancy and initialize a Certificate Object 
+ */
+static CK_RV
+lg_createCertObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+			const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    SECItem derCert;
+    NSSLOWCERTCertificate *cert;
+    NSSLOWCERTCertTrust *trust = NULL;
+    NSSLOWCERTCertTrust userTrust = 
+		{ CERTDB_USER, CERTDB_USER, CERTDB_USER };
+    NSSLOWCERTCertTrust defTrust = 
+		{ CERTDB_TRUSTED_UNKNOWN, 
+			CERTDB_TRUSTED_UNKNOWN, CERTDB_TRUSTED_UNKNOWN };
+    char *label = NULL;
+    char *email = NULL;
+    SECStatus rv;
+    PRBool inDB = PR_TRUE;
+    NSSLOWCERTCertDBHandle *certHandle = lg_getCertDB(sdb);
+    NSSLOWKEYDBHandle *keyHandle = NULL;
+    CK_CERTIFICATE_TYPE type;
+    const CK_ATTRIBUTE *attribute;
+
+    /* we can't store any certs private */
+    if (lg_isTrue(CKA_PRIVATE, templ, count)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+	
+    /* We only support X.509 Certs for now */
+    attribute = lg_FindAttribute(CKA_CERTIFICATE_TYPE, templ, count);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+    type = *(CK_CERTIFICATE_TYPE *)attribute->pValue;
+
+    if (type != CKC_X_509) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    /* X.509 Certificate */
+    
+
+    if (certHandle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    /* get the der cert */ 
+    attribute = lg_FindAttribute(CKA_VALUE, templ, count);
+    if (!attribute) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    derCert.type = 0;
+    derCert.data = (unsigned char *)attribute->pValue;
+    derCert.len = attribute->ulValueLen ;
+
+    label = lg_getString(CKA_LABEL, templ, count);
+
+    cert =  nsslowcert_FindCertByDERCert(certHandle, &derCert);
+    if (cert == NULL) {
+	cert = nsslowcert_DecodeDERCertificate(&derCert, label);
+	inDB = PR_FALSE;
+    }
+    if (cert == NULL) {
+	if (label) PORT_Free(label);
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    keyHandle = lg_getKeyDB(sdb);
+    if (keyHandle) {
+	if (nsslowkey_KeyForCertExists(keyHandle,cert)) {
+	    trust = &userTrust;
+	}
+    }
+
+    if (!inDB) {
+	if (!trust) trust = &defTrust;
+	rv = nsslowcert_AddPermCert(certHandle, cert, label, trust);
+    } else {
+	rv = trust ? nsslowcert_ChangeCertTrust(certHandle,cert,trust) :
+				SECSuccess;
+    }
+
+    if (label) PORT_Free(label);
+
+    if (rv != SECSuccess) {
+	nsslowcert_DestroyCertificate(cert);
+	return CKR_DEVICE_ERROR;
+    }
+
+    /*
+     * Add a NULL S/MIME profile if necessary.
+     */
+    email = lg_getString(CKA_NETSCAPE_EMAIL, templ, count);
+    if (email) {
+	certDBEntrySMime *entry;
+
+	entry = nsslowcert_ReadDBSMimeEntry(certHandle,email);
+	if (!entry) {
+	    nsslowcert_SaveSMimeProfile(certHandle, email, 
+						&cert->derSubject, NULL, NULL);
+	} else {
+	    nsslowcert_DestroyDBEntry((certDBEntry *)entry);
+	}
+	PORT_Free(email);
+    }
+    *handle=lg_mkHandle(sdb,&cert->certKey,LG_TOKEN_TYPE_CERT);
+    nsslowcert_DestroyCertificate(cert);
+
+    return CKR_OK;
+}
+
+unsigned int
+lg_MapTrust(CK_TRUST trust, PRBool clientAuth)
+{
+    unsigned int trustCA = clientAuth ? CERTDB_TRUSTED_CLIENT_CA :
+							CERTDB_TRUSTED_CA;
+    switch (trust) {
+    case CKT_NETSCAPE_TRUSTED:
+	return CERTDB_VALID_PEER|CERTDB_TRUSTED;
+    case CKT_NETSCAPE_TRUSTED_DELEGATOR:
+	return CERTDB_VALID_CA|trustCA;
+    case CKT_NETSCAPE_UNTRUSTED:
+	return CERTDB_NOT_TRUSTED;
+    case CKT_NETSCAPE_MUST_VERIFY:
+	return 0;
+    case CKT_NETSCAPE_VALID: /* implies must verify */
+	return CERTDB_VALID_PEER;
+    case CKT_NETSCAPE_VALID_DELEGATOR: /* implies must verify */
+	return CERTDB_VALID_CA;
+    default:
+	break;
+    }
+    return CERTDB_TRUSTED_UNKNOWN;
+}
+    
+	
+/*
+ * check the consistancy and initialize a Trust Object 
+ */
+static CK_RV
+lg_createTrustObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+			const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    const CK_ATTRIBUTE *issuer = NULL;
+    const CK_ATTRIBUTE *serial = NULL;
+    NSSLOWCERTCertificate *cert = NULL;
+    const CK_ATTRIBUTE *trust;
+    CK_TRUST sslTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+    CK_TRUST clientTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+    CK_TRUST emailTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+    CK_TRUST signTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+    CK_BBOOL stepUp;
+    NSSLOWCERTCertTrust dbTrust = { 0 };
+    SECStatus rv;
+    NSSLOWCERTCertDBHandle *certHandle = lg_getCertDB(sdb);
+    NSSLOWCERTIssuerAndSN issuerSN;
+
+    /* we can't store any certs private */
+    if (lg_isTrue(CKA_PRIVATE, templ, count)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    if (certHandle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    issuer = lg_FindAttribute(CKA_ISSUER, templ, count);
+    serial = lg_FindAttribute(CKA_SERIAL_NUMBER, templ, count);
+
+    if (issuer && serial) {
+	issuerSN.derIssuer.data = (unsigned char *)issuer->pValue;
+	issuerSN.derIssuer.len = issuer->ulValueLen ;
+
+	issuerSN.serialNumber.data = (unsigned char *)serial->pValue;
+	issuerSN.serialNumber.len = serial->ulValueLen ;
+
+	cert = nsslowcert_FindCertByIssuerAndSN(certHandle,&issuerSN);
+    }
+
+    if (cert == NULL) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+	
+    lg_GetULongAttribute(CKA_TRUST_SERVER_AUTH, templ, count, &sslTrust);
+    lg_GetULongAttribute(CKA_TRUST_CLIENT_AUTH, templ, count, &clientTrust);
+    lg_GetULongAttribute(CKA_TRUST_EMAIL_PROTECTION, templ, count, &emailTrust);
+    lg_GetULongAttribute(CKA_TRUST_CODE_SIGNING, templ, count, &signTrust);
+    stepUp = CK_FALSE;
+    trust = lg_FindAttribute(CKA_TRUST_STEP_UP_APPROVED, templ, count);
+    if (trust) {
+	if (trust->ulValueLen == sizeof(CK_BBOOL)) {
+	    stepUp = *(CK_BBOOL*)trust->pValue;
+	}
+    }
+
+    /* preserve certain old fields */
+    if (cert->trust) {
+	dbTrust.sslFlags = cert->trust->sslFlags & CERTDB_PRESERVE_TRUST_BITS;
+	dbTrust.emailFlags=
+			cert->trust->emailFlags & CERTDB_PRESERVE_TRUST_BITS;
+	dbTrust.objectSigningFlags = 
+		cert->trust->objectSigningFlags & CERTDB_PRESERVE_TRUST_BITS;
+    }
+
+    dbTrust.sslFlags |= lg_MapTrust(sslTrust,PR_FALSE);
+    dbTrust.sslFlags |= lg_MapTrust(clientTrust,PR_TRUE);
+    dbTrust.emailFlags |= lg_MapTrust(emailTrust,PR_FALSE);
+    dbTrust.objectSigningFlags |= lg_MapTrust(signTrust,PR_FALSE);
+    if (stepUp) {
+	dbTrust.sslFlags |= CERTDB_GOVT_APPROVED_CA;
+    }
+
+    rv = nsslowcert_ChangeCertTrust(certHandle,cert,&dbTrust);
+    *handle=lg_mkHandle(sdb,&cert->certKey,LG_TOKEN_TYPE_TRUST);
+    nsslowcert_DestroyCertificate(cert);
+    if (rv != SECSuccess) {
+	return CKR_DEVICE_ERROR;
+    }
+
+    return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object 
+ */
+static CK_RV
+lg_createSMimeObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+			const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    SECItem derSubj,rawProfile,rawTime,emailKey;
+    SECItem *pRawProfile = NULL;
+    SECItem *pRawTime = NULL;
+    char *email = NULL;
+    const CK_ATTRIBUTE *subject = NULL,
+		 *profile = NULL,
+		 *time    = NULL;
+    SECStatus rv;
+    NSSLOWCERTCertDBHandle *certHandle;
+    CK_RV ck_rv = CKR_OK;
+
+    /* we can't store any certs private */
+    if (lg_isTrue(CKA_PRIVATE,templ,count)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    certHandle = lg_getCertDB(sdb);
+    if (certHandle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    /* lookup SUBJECT */
+    subject = lg_FindAttribute(CKA_SUBJECT,templ,count);
+    PORT_Assert(subject);
+    if (!subject) {
+	ck_rv = CKR_ATTRIBUTE_VALUE_INVALID;
+	goto loser;
+    }
+
+    derSubj.data = (unsigned char *)subject->pValue;
+    derSubj.len = subject->ulValueLen ;
+    derSubj.type = 0;
+
+    /* lookup VALUE */
+    profile = lg_FindAttribute(CKA_VALUE,templ,count);
+    if (profile) {
+	rawProfile.data = (unsigned char *)profile->pValue;
+	rawProfile.len = profile->ulValueLen ;
+	rawProfile.type = siBuffer;
+	pRawProfile = &rawProfile;
+    }
+
+    /* lookup Time */
+    time = lg_FindAttribute(CKA_NETSCAPE_SMIME_TIMESTAMP,templ,count);
+    if (time) {
+	rawTime.data = (unsigned char *)time->pValue;
+	rawTime.len = time->ulValueLen ;
+	rawTime.type = siBuffer;
+	pRawTime = &rawTime;
+    }
+
+
+    email = lg_getString(CKA_NETSCAPE_EMAIL,templ,count);
+    if (!email) {
+	ck_rv = CKR_ATTRIBUTE_VALUE_INVALID;
+	goto loser;
+    }
+
+    /* Store S/MIME Profile by SUBJECT */
+    rv = nsslowcert_SaveSMimeProfile(certHandle, email, &derSubj, 
+				pRawProfile,pRawTime);
+    if (rv != SECSuccess) {
+	ck_rv = CKR_DEVICE_ERROR;
+	goto loser;
+    }
+    emailKey.data = (unsigned char *)email;
+    emailKey.len = PORT_Strlen(email)+1;
+
+    *handle = lg_mkHandle(sdb, &emailKey, LG_TOKEN_TYPE_SMIME);
+
+loser:
+    if (email)   PORT_Free(email);
+
+    return ck_rv;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object 
+ */
+static CK_RV
+lg_createCrlObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+			const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    PRBool isKRL = PR_FALSE;
+    SECItem derSubj,derCrl;
+    char *url = NULL;
+    const CK_ATTRIBUTE *subject,*crl;
+    SECStatus rv;
+    NSSLOWCERTCertDBHandle *certHandle;
+
+    certHandle = lg_getCertDB(sdb);
+
+    /* we can't store any private crls */
+    if (lg_isTrue(CKA_PRIVATE,templ,count)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    if (certHandle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    /* lookup SUBJECT */
+    subject = lg_FindAttribute(CKA_SUBJECT,templ,count);
+    if (!subject) {
+	 return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    derSubj.data = (unsigned char *)subject->pValue;
+    derSubj.len = subject->ulValueLen ;
+
+    /* lookup VALUE */
+    crl = lg_FindAttribute(CKA_VALUE,templ,count);
+    PORT_Assert(crl);
+    if (!crl) {
+	 return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    derCrl.data = (unsigned char *)crl->pValue;
+    derCrl.len = crl->ulValueLen ;
+
+    url = lg_getString(CKA_NETSCAPE_URL,templ,count);
+    isKRL = lg_isTrue(CKA_NETSCAPE_KRL,templ,count);
+
+    /* Store CRL by SUBJECT */
+    rv = nsslowcert_AddCrl(certHandle, &derCrl, &derSubj, url, isKRL);
+
+    if (url) {
+	PORT_Free(url);
+    }
+    if (rv != SECSuccess) {
+	return CKR_DEVICE_ERROR;
+    }
+
+    /* if we overwrote the existing CRL, poison the handle entry so we get
+     * a new object handle */
+    (void) lg_poisonHandle(sdb, &derSubj,
+			isKRL ? LG_TOKEN_KRL_HANDLE : LG_TOKEN_TYPE_CRL);
+    *handle = lg_mkHandle(sdb, &derSubj,
+			isKRL ? LG_TOKEN_KRL_HANDLE : LG_TOKEN_TYPE_CRL);
+
+    return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Public Key Object 
+ */
+static CK_RV
+lg_createPublicKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
+     CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    CK_ATTRIBUTE_TYPE pubKeyAttr = CKA_VALUE;
+    CK_RV crv;
+    NSSLOWKEYPrivateKey *priv;
+    SECItem pubKey;
+    NSSLOWKEYDBHandle *keyHandle = NULL;
+
+    switch (key_type) {
+    case CKK_RSA:
+	pubKeyAttr = CKA_MODULUS;
+	break;
+#ifdef NSS_ENABLE_ECC
+    case CKK_EC:
+	pubKeyAttr = CKA_EC_POINT;
+	break;
+#endif /* NSS_ENABLE_ECC */
+    case CKK_DSA:
+    case CKK_DH:
+	break;
+    default:
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+
+    crv = lg_Attribute2SSecItem(NULL,pubKeyAttr,templ,count,&pubKey);
+    if (crv != CKR_OK) return crv;
+
+    PORT_Assert(pubKey.data);
+    keyHandle = lg_getKeyDB(sdb);
+    if (keyHandle == NULL) {
+	PORT_Free(pubKey.data);
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+    if (keyHandle->version != 3) {
+	unsigned char buf[SHA1_LENGTH];
+	SHA1_HashBuf(buf,pubKey.data,pubKey.len);
+	PORT_Memcpy(pubKey.data,buf,sizeof(buf));
+	pubKey.len = sizeof(buf);
+    }
+    /* make sure the associated private key already exists */
+    /* only works if we are logged in */
+    priv = nsslowkey_FindKeyByPublicKey(keyHandle, &pubKey, sdb /*password*/);
+    if (priv == NULL) {
+	PORT_Free(pubKey.data);
+	return crv;
+    }
+    nsslowkey_DestroyPrivateKey(priv);
+
+    *handle = lg_mkHandle(sdb, &pubKey, LG_TOKEN_TYPE_PUB);
+    PORT_Free(pubKey.data);
+
+    return CKR_OK;
+}
+
+/* make a private key from a verified object */
+static NSSLOWKEYPrivateKey *
+lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUTE *templ, CK_ULONG count,
+	     CK_KEY_TYPE key_type, CK_RV *crvp)
+{
+    NSSLOWKEYPrivateKey *privKey;
+    PLArenaPool *arena;
+    CK_RV crv = CKR_OK;
+    SECStatus rv;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	*crvp = CKR_HOST_MEMORY;
+	return NULL;
+    }
+
+    privKey = (NSSLOWKEYPrivateKey *)
+			PORT_ArenaZAlloc(arena,sizeof(NSSLOWKEYPrivateKey));
+    if (privKey == NULL)  {
+	PORT_FreeArena(arena,PR_FALSE);
+	*crvp = CKR_HOST_MEMORY;
+	return NULL;
+    }
+
+    /* in future this would be a switch on key_type */
+    privKey->arena = arena;
+    switch (key_type) {
+    case CKK_RSA:
+	privKey->keyType = NSSLOWKEYRSAKey;
+	crv=lg_Attribute2SSecItem(arena,CKA_MODULUS,templ,count,
+					&privKey->u.rsa.modulus);
+	if (crv != CKR_OK) break;
+	crv=lg_Attribute2SSecItem(arena,CKA_PUBLIC_EXPONENT,templ,count,
+					&privKey->u.rsa.publicExponent);
+	if (crv != CKR_OK) break;
+	crv=lg_PrivAttr2SSecItem(arena,CKA_PRIVATE_EXPONENT,templ,count,
+				&privKey->u.rsa.privateExponent, sdb);
+	if (crv != CKR_OK) break;
+	crv=lg_PrivAttr2SSecItem(arena,CKA_PRIME_1,templ,count,
+					&privKey->u.rsa.prime1, sdb);
+	if (crv != CKR_OK) break;
+	crv=lg_PrivAttr2SSecItem(arena,CKA_PRIME_2,templ,count,
+					&privKey->u.rsa.prime2, sdb);
+	if (crv != CKR_OK) break;
+	crv=lg_PrivAttr2SSecItem(arena,CKA_EXPONENT_1,templ,count,
+					&privKey->u.rsa.exponent1, sdb);
+	if (crv != CKR_OK) break;
+	crv=lg_PrivAttr2SSecItem(arena,CKA_EXPONENT_2,templ,count,
+					&privKey->u.rsa.exponent2, sdb);
+	if (crv != CKR_OK) break;
+	crv=lg_PrivAttr2SSecItem(arena,CKA_COEFFICIENT,templ,count,
+					&privKey->u.rsa.coefficient, sdb);
+	if (crv != CKR_OK) break;
+        rv = DER_SetUInteger(privKey->arena, &privKey->u.rsa.version,
+                          NSSLOWKEY_VERSION);
+	if (rv != SECSuccess) crv = CKR_HOST_MEMORY;
+	break;
+
+    case CKK_DSA:
+	privKey->keyType = NSSLOWKEYDSAKey;
+	crv = lg_Attribute2SSecItem(arena,CKA_PRIME,templ,count,
+					&privKey->u.dsa.params.prime);
+    	if (crv != CKR_OK) break;
+	crv = lg_Attribute2SSecItem(arena,CKA_SUBPRIME,templ,count,
+					&privKey->u.dsa.params.subPrime);
+    	if (crv != CKR_OK) break;
+	crv = lg_Attribute2SSecItem(arena,CKA_BASE,templ,count,
+					&privKey->u.dsa.params.base);
+    	if (crv != CKR_OK) break;
+    	crv = lg_PrivAttr2SSecItem(arena,CKA_VALUE,templ,count,
+					&privKey->u.dsa.privateValue, sdb);
+    	if (crv != CKR_OK) break;
+	if (lg_hasAttribute(CKA_NETSCAPE_DB, templ,count)) {
+	    crv = lg_Attribute2SSecItem(arena, CKA_NETSCAPE_DB,templ,count,
+						&privKey->u.dsa.publicValue);
+	    /* privKey was zero'd so public value is already set to NULL, 0
+	     * if we don't set it explicitly */
+	}
+	break;
+
+    case CKK_DH:
+	privKey->keyType = NSSLOWKEYDHKey;
+	crv = lg_Attribute2SSecItem(arena,CKA_PRIME,templ,count,
+					&privKey->u.dh.prime);
+    	if (crv != CKR_OK) break;
+	crv = lg_Attribute2SSecItem(arena,CKA_BASE,templ,count,
+					&privKey->u.dh.base);
+    	if (crv != CKR_OK) break;
+    	crv = lg_PrivAttr2SSecItem(arena,CKA_VALUE,templ,count,
+					&privKey->u.dh.privateValue, sdb);
+    	if (crv != CKR_OK) break;
+	if (lg_hasAttribute(CKA_NETSCAPE_DB, templ, count)) {
+	    crv = lg_Attribute2SSecItem(arena, CKA_NETSCAPE_DB,templ,count,
+					&privKey->u.dh.publicValue);
+	    /* privKey was zero'd so public value is already set to NULL, 0
+	     * if we don't set it explicitly */
+	}
+	break;
+
+#ifdef NSS_ENABLE_ECC
+    case CKK_EC:
+	privKey->keyType = NSSLOWKEYECKey;
+	crv = lg_Attribute2SSecItem(arena, CKA_EC_PARAMS,templ,count,
+	                              &privKey->u.ec.ecParams.DEREncoding);
+    	if (crv != CKR_OK) break;
+
+	/* Fill out the rest of the ecParams structure
+	 * based on the encoded params
+	 */
+	if (LGEC_FillParams(arena, &privKey->u.ec.ecParams.DEREncoding,
+		    &privKey->u.ec.ecParams) != SECSuccess) {
+	    crv = CKR_DOMAIN_PARAMS_INVALID;
+	    break;
+	}
+	crv = lg_PrivAttr2SSecItem(arena,CKA_VALUE,templ,count,
+					&privKey->u.ec.privateValue, sdb);
+	if (crv != CKR_OK) break;
+	if (lg_hasAttribute(CKA_NETSCAPE_DB,templ,count)) {
+	    crv = lg_Attribute2SSecItem(arena, CKA_NETSCAPE_DB,templ,count,
+					&privKey->u.ec.publicValue);
+	    if (crv != CKR_OK) break;
+	    /* privKey was zero'd so public value is already set to NULL, 0
+	     * if we don't set it explicitly */
+	}
+        rv = DER_SetUInteger(privKey->arena, &privKey->u.ec.version,
+                          NSSLOWKEY_EC_PRIVATE_KEY_VERSION);
+	if (rv != SECSuccess) crv = CKR_HOST_MEMORY;
+	break;
+#endif /* NSS_ENABLE_ECC */
+
+    default:
+	crv = CKR_KEY_TYPE_INCONSISTENT;
+	break;
+    }
+    *crvp = crv;
+    if (crv != CKR_OK) {
+	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+    return privKey;
+}
+
+/*
+ * check the consistancy and initialize a Private Key Object 
+ */
+static CK_RV
+lg_createPrivateKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
+     CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    NSSLOWKEYPrivateKey *privKey;
+    char *label;
+    SECStatus rv = SECSuccess;
+    CK_RV crv = CKR_DEVICE_ERROR;
+    SECItem pubKey;
+    NSSLOWKEYDBHandle *keyHandle = lg_getKeyDB(sdb);
+
+    if (keyHandle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    privKey=lg_mkPrivKey(sdb, templ,count,key_type,&crv);
+    if (privKey == NULL) return crv;
+    label = lg_getString(CKA_LABEL,templ,count);
+
+    crv = lg_Attribute2SSecItem(NULL,CKA_NETSCAPE_DB,templ,count,&pubKey);
+    if (crv != CKR_OK) {
+	crv = CKR_TEMPLATE_INCOMPLETE;
+	rv = SECFailure;
+	goto fail;
+    }
+#ifdef notdef
+    if (keyHandle->version != 3) {
+	unsigned char buf[SHA1_LENGTH];
+	SHA1_HashBuf(buf,pubKey.data,pubKey.len);
+	PORT_Memcpy(pubKey.data,buf,sizeof(buf));
+	pubKey.len = sizeof(buf);
+    }
+#endif
+    /* get the key type */
+    if (key_type == CKK_RSA) {
+	rv = RSA_PrivateKeyCheck(&privKey->u.rsa);
+	if (rv == SECFailure) {
+	    goto fail;
+	}
+    }
+    rv = nsslowkey_StoreKeyByPublicKey(keyHandle, privKey, &pubKey, 
+					   label, sdb /*->password*/);
+
+fail:
+    if (label) PORT_Free(label);
+    *handle = lg_mkHandle(sdb,&pubKey,LG_TOKEN_TYPE_PRIV);
+    if (pubKey.data) PORT_Free(pubKey.data);
+    nsslowkey_DestroyPrivateKey(privKey);
+    if (rv != SECSuccess) return crv;
+
+    return CKR_OK;
+}
+
+
+#define LG_KEY_MAX_RETRIES 10 /* don't hang if we are having problems with the rng */
+#define LG_KEY_ID_SIZE 18 /* don't use either SHA1 or MD5 sizes */
+/*
+ * Secret keys must have a CKA_ID value to be stored in the database. This code
+ * will generate one if there wasn't one already. 
+ */
+static CK_RV
+lg_GenerateSecretCKA_ID(NSSLOWKEYDBHandle *handle, SECItem *id, char *label)
+{
+    unsigned int retries;
+    SECStatus rv = SECSuccess;
+    CK_RV crv = CKR_OK;
+
+    id->data = NULL;
+    if (label) {
+	id->data = (unsigned char *)PORT_Strdup(label);
+	if (id->data == NULL) {
+	    return CKR_HOST_MEMORY;
+	}
+	id->len = PORT_Strlen(label)+1;
+	if (!nsslowkey_KeyForIDExists(handle,id)) { 
+	    return CKR_OK;
+	}
+	PORT_Free(id->data);
+	id->data = NULL;
+	id->len = 0;
+    }
+    id->data = (unsigned char *)PORT_Alloc(LG_KEY_ID_SIZE);
+    if (id->data == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    id->len = LG_KEY_ID_SIZE;
+
+    retries = 0;
+    do {
+	rv = RNG_GenerateGlobalRandomBytes(id->data,id->len);
+    } while (rv == SECSuccess && nsslowkey_KeyForIDExists(handle,id) && 
+				(++retries <= LG_KEY_MAX_RETRIES));
+
+    if ((rv != SECSuccess) || (retries > LG_KEY_MAX_RETRIES)) {
+	crv = CKR_DEVICE_ERROR; /* random number generator is bad */
+	PORT_Free(id->data);
+	id->data = NULL;
+	id->len = 0;
+    }
+    return crv;
+}
+
+
+static NSSLOWKEYPrivateKey *lg_mkSecretKeyRep(const CK_ATTRIBUTE *templ,
+		 CK_ULONG count, CK_KEY_TYPE key_type, 
+		 SECItem *pubkey, SDB *sdbpw)
+{
+    NSSLOWKEYPrivateKey *privKey = 0;
+    PLArenaPool *arena = 0;
+    CK_KEY_TYPE keyType;
+    PRUint32 keyTypeStorage;
+    SECItem keyTypeItem;
+    CK_RV crv;
+    SECStatus rv;
+    static unsigned char derZero[1] = { 0 };
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) { crv = CKR_HOST_MEMORY; goto loser; }
+
+    privKey = (NSSLOWKEYPrivateKey *)
+			PORT_ArenaZAlloc(arena,sizeof(NSSLOWKEYPrivateKey));
+    if (privKey == NULL) { crv = CKR_HOST_MEMORY; goto loser; }
+
+    privKey->arena = arena;
+
+    /* Secret keys are represented in the database as "fake" RSA keys.  
+     * The RSA key is marked as a secret key representation by setting the 
+     * public exponent field to 0, which is an invalid RSA exponent.  
+     * The other fields are set as follows:
+     *   modulus - CKA_ID value for the secret key
+     *   private exponent - CKA_VALUE (the key itself)
+     *   coefficient - CKA_KEY_TYPE, which indicates what encryption algorithm
+     *      is used for the key.
+     *   all others - set to integer 0
+     */
+    privKey->keyType = NSSLOWKEYRSAKey;
+
+    /* The modulus is set to the key id of the symmetric key */
+    crv = lg_Attribute2SecItem(arena, CKA_ID, templ, count, 
+				&privKey->u.rsa.modulus);
+    if (crv != CKR_OK) goto loser;
+
+    /* The public exponent is set to 0 length to indicate a special key */
+    privKey->u.rsa.publicExponent.len = sizeof derZero;
+    privKey->u.rsa.publicExponent.data = derZero;
+
+    /* The private exponent is the actual key value */
+    crv = lg_PrivAttr2SecItem(arena, CKA_VALUE, templ, count,
+				&privKey->u.rsa.privateExponent, sdbpw);
+    if (crv != CKR_OK) goto loser;
+
+    /* All other fields empty - needs testing */
+    privKey->u.rsa.prime1.len = sizeof derZero;
+    privKey->u.rsa.prime1.data = derZero;
+
+    privKey->u.rsa.prime2.len = sizeof derZero;
+    privKey->u.rsa.prime2.data = derZero;
+
+    privKey->u.rsa.exponent1.len = sizeof derZero;
+    privKey->u.rsa.exponent1.data = derZero;
+
+    privKey->u.rsa.exponent2.len = sizeof derZero;
+    privKey->u.rsa.exponent2.data = derZero;
+
+    /* Coeficient set to KEY_TYPE */
+    crv = lg_GetULongAttribute(CKA_KEY_TYPE, templ, count, &keyType);
+    if (crv != CKR_OK) goto loser; 
+    /* on 64 bit platforms, we still want to store 32 bits of keyType (This is
+     * safe since the PKCS #11 defines for all types are 32 bits or less). */
+    keyTypeStorage = (PRUint32) keyType;
+    keyTypeStorage = PR_htonl(keyTypeStorage);
+    keyTypeItem.data = (unsigned char *)&keyTypeStorage;
+    keyTypeItem.len = sizeof (keyTypeStorage);
+    rv = SECITEM_CopyItem(arena, &privKey->u.rsa.coefficient, &keyTypeItem);
+    if (rv != SECSuccess) {
+	crv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    
+    /* Private key version field set normally for compatibility */
+    rv = DER_SetUInteger(privKey->arena, 
+			&privKey->u.rsa.version, NSSLOWKEY_VERSION);
+    if (rv != SECSuccess) { crv = CKR_HOST_MEMORY; goto loser; }
+
+loser:
+    if (crv != CKR_OK) {
+	PORT_FreeArena(arena,PR_FALSE);
+	privKey = 0;
+    }
+
+    return privKey;
+}
+
+/*
+ * check the consistancy and initialize a Secret Key Object 
+ */
+static CK_RV
+lg_createSecretKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
+     CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    CK_RV crv;
+    NSSLOWKEYPrivateKey *privKey   = NULL;
+    NSSLOWKEYDBHandle   *keyHandle = NULL;
+    SECItem pubKey;
+    char *label = NULL;
+    SECStatus rv = SECSuccess;
+
+    pubKey.data = 0;
+
+    /* If the object is a TOKEN object, store in the database */
+    keyHandle = lg_getKeyDB(sdb);
+
+    if (keyHandle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    label = lg_getString(CKA_LABEL,templ,count);
+
+    crv = lg_Attribute2SecItem(NULL,CKA_ID,templ,count,&pubKey);
+						/* Should this be ID? */
+    if (crv != CKR_OK) goto loser;
+
+    /* if we don't have an ID, generate one */
+    if (pubKey.len == 0) {
+	if (pubKey.data) { 
+	    PORT_Free(pubKey.data);
+	    pubKey.data = NULL;
+	}
+	crv = lg_GenerateSecretCKA_ID(keyHandle, &pubKey, label);
+	if (crv != CKR_OK) goto loser;
+    }
+
+    privKey = lg_mkSecretKeyRep(templ, count, key_type, &pubKey, sdb);
+    if (privKey == NULL) {
+	crv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+
+    rv = nsslowkey_StoreKeyByPublicKey(keyHandle,
+			privKey, &pubKey, label, sdb /*->password*/);
+    if (rv != SECSuccess) {
+	crv = CKR_DEVICE_ERROR;
+	goto loser;
+    }
+
+    *handle = lg_mkHandle(sdb, &pubKey, LG_TOKEN_TYPE_KEY);
+
+loser:
+    if (label) PORT_Free(label);
+    if (privKey) nsslowkey_DestroyPrivateKey(privKey);
+    if (pubKey.data) PORT_Free(pubKey.data);
+
+    return crv;
+}
+
+/*
+ * check the consistancy and initialize a Key Object 
+ */
+static CK_RV
+lg_createKeyObject(SDB *sdb, CK_OBJECT_CLASS objclass, 
+	CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    CK_RV crv;
+    CK_KEY_TYPE key_type;
+
+    /* get the key type */
+    crv = lg_GetULongAttribute(CKA_KEY_TYPE, templ, count, &key_type);
+    if (crv != CKR_OK) {
+	return crv;
+    }
+
+    switch (objclass) {
+    case CKO_PUBLIC_KEY:
+	return lg_createPublicKeyObject(sdb,key_type,handle,templ,count);
+    case CKO_PRIVATE_KEY:
+	return lg_createPrivateKeyObject(sdb,key_type,handle,templ,count);
+    case CKO_SECRET_KEY:
+	return lg_createSecretKeyObject(sdb,key_type,handle,templ,count);
+    default:
+	break;
+    }
+    return CKR_ATTRIBUTE_VALUE_INVALID;
+}
+
+/* 
+ * Parse the template and create an object stored in the DB that reflects.
+ * the object specified in the database.
+ */
+CK_RV
+lg_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+			const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    CK_RV crv;
+    CK_OBJECT_CLASS objclass;
+
+    /* get the object class */
+    crv = lg_GetULongAttribute(CKA_CLASS, templ, count, &objclass);
+    if (crv != CKR_OK) {
+	return crv;
+    }
+
+    /* Now handle the specific object class. 
+     */
+    switch (objclass) {
+    case CKO_CERTIFICATE:
+	crv = lg_createCertObject(sdb,handle,templ,count);
+	break;
+    case CKO_NETSCAPE_TRUST:
+	crv = lg_createTrustObject(sdb,handle,templ,count);
+	break;
+    case CKO_NETSCAPE_CRL:
+	crv = lg_createCrlObject(sdb,handle,templ,count);
+	break;
+    case CKO_NETSCAPE_SMIME:
+	crv = lg_createSMimeObject(sdb,handle,templ,count);
+	break;
+    case CKO_PRIVATE_KEY:
+    case CKO_PUBLIC_KEY:
+    case CKO_SECRET_KEY:
+	crv = lg_createKeyObject(sdb,objclass,handle,templ,count);
+	break;
+    default:
+	crv = CKR_ATTRIBUTE_VALUE_INVALID;
+	break;
+    }
+
+    return crv;
+}
+

mozilla/security/nss/lib/softoken/legacydb/lgdb.h

@@ -0,0 +1,197 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Internal data structures and functions used by pkcs11.c
+ */
+#ifndef _LGDB_H_
+#define _LGDB_H_ 1
+
+#include "nssilock.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "lowkeyti.h"
+#include "pkcs11t.h"
+#include "sdb.h"
+#include "cdbhdl.h" 
+
+
+#define MULTIACCESS "multiaccess:"
+
+
+/* machine dependent path stuff used by dbinit.c and pk11db.c */
+#ifdef macintosh
+#define PATH_SEPARATOR ":"
+#define SECMOD_DB "Security Modules"
+#define CERT_DB_FMT "%sCertificates%s"
+#define KEY_DB_FMT "%sKey Database%s"
+#else
+#define PATH_SEPARATOR "/"
+#define SECMOD_DB "secmod.db"
+#define CERT_DB_FMT "%scert%s.db"
+#define KEY_DB_FMT "%skey%s.db"
+#endif
+
+SEC_BEGIN_PROTOS
+
+
+/* internal utility functions used by pkcs11.c */
+extern const CK_ATTRIBUTE *lg_FindAttribute(CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern CK_RV lg_Attribute2SecItem(PLArenaPool *,CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item);
+extern CK_RV lg_Attribute2SSecItem(PLArenaPool *,CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item);
+extern CK_RV lg_PrivAttr2SecItem(PLArenaPool *,CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item, SDB *sdbpw);
+extern CK_RV lg_PrivAttr2SSecItem(PLArenaPool *,CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item, SDB *sdbpw);
+extern CK_RV lg_GetULongAttribute(CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count, 
+			CK_ULONG *out);
+extern PRBool lg_hasAttribute(CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern PRBool lg_isTrue(CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern PRBool lg_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass);
+extern char *lg_getString(CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern unsigned int lg_MapTrust(CK_TRUST trust, PRBool clientAuth);
+
+/* clear out all the existing object ID to database key mappings.
+ * used to reinit a token */
+extern CK_RV SFTK_ClearTokenKeyHashTable(SDB *sdb);
+
+
+extern void lg_FreeSearch(SDBFind *search);
+
+NSSLOWCERTCertDBHandle *lg_getCertDB(SDB *sdb);
+NSSLOWKEYDBHandle *lg_getKeyDB(SDB *sdb);
+
+const char *lg_EvaluateConfigDir(const char *configdir, char **domain);
+
+
+/*
+ * object handle modifiers
+ */
+#define LG_TOKEN_MASK		0xc0000000L
+#define LG_TOKEN_TYPE_MASK	0x38000000L
+#define LG_TOKEN_TYPE_SHIFT	27
+/* keydb (high bit == 0) */
+#define LG_TOKEN_TYPE_PRIV	0x08000000L
+#define LG_TOKEN_TYPE_PUB	0x10000000L
+#define LG_TOKEN_TYPE_KEY	0x18000000L
+/* certdb (high bit == 1) */
+#define LG_TOKEN_TYPE_TRUST	0x20000000L
+#define LG_TOKEN_TYPE_CRL	0x28000000L
+#define LG_TOKEN_TYPE_SMIME	0x30000000L
+#define LG_TOKEN_TYPE_CERT	0x38000000L
+
+#define LG_TOKEN_KRL_HANDLE	(LG_TOKEN_TYPE_CRL|1)
+
+#define LG_SEARCH_BLOCK_SIZE   10
+#define LG_BUF_SPACE	  50
+#define LG_STRICT   PR_FALSE
+
+/*
+ * token object utilities
+ */
+void lg_addHandle(SDBFind *search, CK_OBJECT_HANDLE handle);
+PRBool lg_poisonHandle(SDB *sdb, SECItem *dbkey, CK_OBJECT_HANDLE handle);
+PRBool lg_tokenMatch(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE class,
+				const CK_ATTRIBUTE *templ, CK_ULONG count);
+const SECItem *lg_lookupTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle);
+CK_OBJECT_HANDLE lg_mkHandle(SDB *sdb, SECItem *dbKey, CK_OBJECT_HANDLE class);
+SECStatus lg_deleteTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle);
+
+SECStatus lg_util_encrypt(PLArenaPool *arena, SDB *sdbpw, 
+			  SECItem *plainText, SECItem **cipherText);
+SECStatus lg_util_decrypt(SDB *sdbpw, 
+			  SECItem *cipherText, SECItem **plainText);
+PLHashTable *lg_GetHashTable(SDB *sdb);
+void lg_DBLock(SDB *sdb);
+void lg_DBUnlock(SDB *sdb);
+
+typedef void (*LGFreeFunc)(void *);
+
+
+/*
+ * database functions
+ */
+
+/* lg_FindObjectsInit initializes a search for token and session objects 
+ * that match a template. */
+CK_RV lg_FindObjectsInit(SDB *sdb, const CK_ATTRIBUTE *pTemplate, 
+			 CK_ULONG ulCount, SDBFind **search);
+/* lg_FindObjects continues a search for token and session objects 
+ * that match a template, obtaining additional object handles. */
+CK_RV lg_FindObjects(SDB *sdb, SDBFind *search, 
+    CK_OBJECT_HANDLE *phObject,CK_ULONG ulMaxObjectCount,
+    CK_ULONG *pulObjectCount);
+
+/* lg_FindObjectsFinal finishes a search for token and session objects. */
+CK_RV lg_FindObjectsFinal(SDB* lgdb, SDBFind *search);
+
+/* lg_CreateObject parses the template and create an object stored in the 
+ * DB that reflects the object specified in the template.  */
+CK_RV lg_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+			const CK_ATTRIBUTE *templ, CK_ULONG count);
+
+CK_RV lg_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id, 
+				CK_ATTRIBUTE *template, CK_ULONG count);
+CK_RV lg_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id, 
+			const CK_ATTRIBUTE *template, CK_ULONG count);
+CK_RV lg_DestroyObject(SDB *sdb, CK_OBJECT_HANDLE object_id);
+
+CK_RV lg_Close(SDB *sdb);
+CK_RV lg_Reset(SDB *sdb);
+
+/*
+ * The old database doesn't share and doesn't support
+ * transactions.
+ */
+CK_RV lg_Begin(SDB *sdb);
+CK_RV lg_Commit(SDB *sdb);
+CK_RV lg_Abort(SDB *sdb);
+CK_RV lg_GetPWEntry(SDB *sdb, SDBPasswordEntry *entry);
+CK_RV lg_PutPWEntry(SDB *sdb, SDBPasswordEntry *entry);
+
+SEC_END_PROTOS
+
+#endif /* _LGDB_H_ */

mozilla/security/nss/lib/softoken/legacydb/lgdbm.def

@@ -0,0 +1,64 @@
+;+#
+;+# ***** BEGIN LICENSE BLOCK *****
+;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+;+#
+;+# The contents of this file are subject to the Mozilla Public License Version
+;+# 1.1 (the "License"); you may not use this file except in compliance with
+;+# the License. You may obtain a copy of the License at
+;+# http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS IS" basis,
+;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+;+# for the specific language governing rights and limitations under the
+;+# License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is
+;+# Netscape Communications Corporation.
+;+# Portions created by the Initial Developer are Copyright (C) 2000
+;+# the Initial Developer. All Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#   Dr Stephen Henson <stephen.henson@gemplus.com>
+;+#
+;+# Alternatively, the contents of this file may be used under the terms of
+;+# either the GNU General Public License Version 2 or later (the "GPL"), or
+;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+;+# in which case the provisions of the GPL or the LGPL are applicable instead
+;+# of those above. If you wish to allow use of your version of this file only
+;+# under the terms of either the GPL or the LGPL, and not to allow others to
+;+# use your version of this file under the terms of the MPL, indicate your
+;+# decision by deleting the provisions above and replace them with the notice
+;+# and other provisions required by the GPL or the LGPL. If you do not delete
+;+# the provisions above, a recipient may use your version of this file under
+;+# the terms of any one of the MPL, the GPL or the LGPL.
+;+#
+;+# ***** END LICENSE BLOCK *****
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+LGDBM_3.12 {       # NSS 3.12 release
+;+    global:
+LIBRARY lgdbm3 ;-
+EXPORTS ;-
+legacy_Open;
+legacy_Shutdown;
+legacy_ReadSecmodDB;
+legacy_ReleaseSecmodDBData;
+legacy_AddSecmodDB;
+legacy_DeleteSecmodDB;
+legacy_SetCryptFunctions;
+;+    local:
+;+       *;
+;+};

mozilla/security/nss/lib/softoken/legacydb/lgdestroy.c

@@ -0,0 +1,144 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Internal PKCS #11 functions. Should only be called by pkcs11.c
+ */
+#include "pkcs11.h"
+#include "lgdb.h"
+#include "pcert.h"
+#include "lowkeyi.h"
+
+/*
+ * remove an object.
+ */
+CK_RV
+lg_DestroyObject(SDB *sdb, CK_OBJECT_HANDLE object_id)
+{
+    CK_RV crv = CKR_OK;
+    SECStatus rv;
+    NSSLOWCERTCertificate *cert;
+    NSSLOWCERTCertTrust tmptrust;
+    PRBool isKrl;
+    NSSLOWKEYDBHandle *keyHandle;
+    NSSLOWCERTCertDBHandle *certHandle;
+    const SECItem *dbKey;
+
+    object_id &= ~LG_TOKEN_MASK;
+    dbKey = lg_lookupTokenKeyByHandle(sdb,object_id);
+    if (dbKey == NULL) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+    /* remove the objects from the real data base */
+    switch (object_id & LG_TOKEN_TYPE_MASK) {
+    case LG_TOKEN_TYPE_PRIV:
+    case LG_TOKEN_TYPE_KEY:
+	/* KEYID is the public KEY for DSA and DH, and the MODULUS for
+	 *  RSA */
+	keyHandle = lg_getKeyDB(sdb);
+	if (!keyHandle) {
+	    crv = CKR_TOKEN_WRITE_PROTECTED;
+	    break;
+	}
+	rv = nsslowkey_DeleteKey(keyHandle, dbKey);
+	if (rv != SECSuccess) {
+	    crv = CKR_DEVICE_ERROR;
+	}
+	break;
+    case LG_TOKEN_TYPE_PUB:
+	break; /* public keys only exist at the behest of the priv key */
+    case LG_TOKEN_TYPE_CERT:
+	certHandle = lg_getCertDB(sdb);
+	if (!certHandle) {
+	    crv = CKR_TOKEN_WRITE_PROTECTED;
+	    break;
+	}
+	cert = nsslowcert_FindCertByKey(certHandle,dbKey);
+	if (cert == NULL) {
+	    crv = CKR_DEVICE_ERROR;
+	    break;
+	}
+	rv = nsslowcert_DeletePermCertificate(cert);
+	if (rv != SECSuccess) {
+	    crv = CKR_DEVICE_ERROR;
+	}
+	nsslowcert_DestroyCertificate(cert);
+	break;
+    case LG_TOKEN_TYPE_CRL:
+	certHandle = lg_getCertDB(sdb);
+	if (!certHandle) {
+	    crv = CKR_TOKEN_WRITE_PROTECTED;
+	    break;
+	}
+	isKrl = (PRBool) (object_id == LG_TOKEN_KRL_HANDLE);
+	rv = nsslowcert_DeletePermCRL(certHandle, dbKey, isKrl);
+	if (rv == SECFailure) crv = CKR_DEVICE_ERROR;
+	break;
+    case LG_TOKEN_TYPE_TRUST:
+	certHandle = lg_getCertDB(sdb);
+	if (!certHandle) {
+	    crv = CKR_TOKEN_WRITE_PROTECTED;
+	    break;
+	}
+	cert = nsslowcert_FindCertByKey(certHandle, dbKey);
+	if (cert == NULL) {
+	    crv = CKR_DEVICE_ERROR;
+	    break;
+	}
+	tmptrust = *cert->trust;
+	tmptrust.sslFlags &= CERTDB_PRESERVE_TRUST_BITS;
+	tmptrust.emailFlags &= CERTDB_PRESERVE_TRUST_BITS;
+	tmptrust.objectSigningFlags &= CERTDB_PRESERVE_TRUST_BITS;
+	tmptrust.sslFlags |= CERTDB_TRUSTED_UNKNOWN;
+	tmptrust.emailFlags |= CERTDB_TRUSTED_UNKNOWN;
+	tmptrust.objectSigningFlags |= CERTDB_TRUSTED_UNKNOWN;
+	rv = nsslowcert_ChangeCertTrust(certHandle, cert, &tmptrust);
+	if (rv != SECSuccess) crv = CKR_DEVICE_ERROR;
+	nsslowcert_DestroyCertificate(cert);
+	break;
+    default:
+	break;
+    }
+    lg_DBLock(sdb);
+    lg_deleteTokenKeyByHandle(sdb,object_id);
+    lg_DBUnlock(sdb);
+
+    return crv;
+}
+
+
+

mozilla/security/nss/lib/softoken/legacydb/lgfind.c

@@ -0,0 +1,941 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "secitem.h"
+#include "pkcs11.h"
+#include "lgdb.h"
+#include "lowkeyi.h"
+#include "pcert.h"
+#include "blapi.h"
+
+#include "keydbi.h" 
+
+/*
+ * This code maps PKCS #11 Finds to legacy database searches. This code
+ * was orginally in pkcs11.c in previous versions of NSS.
+ */
+
+struct SDBFindStr {
+    CK_OBJECT_HANDLE    *handles;
+    int                 size;
+    int                 index;
+    int                 array_size;
+};
+
+
+/*
+ * free a search structure
+ */
+void
+lg_FreeSearch(SDBFind *search)
+{
+    if (search->handles) {
+	PORT_Free(search->handles);
+    }
+    PORT_Free(search);
+}
+
+void
+lg_addHandle(SDBFind *search, CK_OBJECT_HANDLE handle)
+{
+    if (search->handles == NULL) {
+	return;
+    }
+    if (search->size >= search->array_size) {
+	search->array_size += LG_SEARCH_BLOCK_SIZE;
+	search->handles = (CK_OBJECT_HANDLE *) PORT_Realloc(search->handles,
+				 sizeof(CK_OBJECT_HANDLE)* search->array_size);
+	if (search->handles == NULL) {
+	   return;
+	}
+    }
+    search->handles[search->size] = handle;
+    search->size++;
+}
+
+/*
+ * find any certs that may match the template and load them.
+ */
+#define LG_CERT 	0x00000001
+#define LG_TRUST	0x00000002
+#define LG_CRL		0x00000004
+#define LG_SMIME	0x00000008
+#define LG_PRIVATE	0x00000010
+#define LG_PUBLIC	0x00000020
+#define LG_KEY		0x00000040
+
+/*
+ * structure to collect key handles.
+ */
+typedef struct lgEntryDataStr {
+    SDB *sdb;
+    SDBFind *searchHandles;
+    const CK_ATTRIBUTE *template;
+    CK_ULONG templ_count;
+} lgEntryData;
+
+
+static SECStatus
+lg_crl_collect(SECItem *data, SECItem *key, certDBEntryType type, void *arg)
+{
+    lgEntryData *crlData;
+    CK_OBJECT_HANDLE class_handle;
+    SDB *sdb;
+    
+    crlData = (lgEntryData *)arg;
+    sdb = crlData->sdb;
+
+    class_handle = (type == certDBEntryTypeRevocation) ? LG_TOKEN_TYPE_CRL :
+							LG_TOKEN_KRL_HANDLE;
+    if (lg_tokenMatch(sdb, key, class_handle,
+			crlData->template, crlData->templ_count)) {
+	lg_addHandle(crlData->searchHandles,
+				 lg_mkHandle(sdb,key,class_handle));
+    }
+    return(SECSuccess);
+}
+
+static void
+lg_searchCrls(SDB *sdb, SECItem *derSubject, PRBool isKrl, 
+		unsigned long classFlags, SDBFind *search,
+		const CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount)
+{
+    NSSLOWCERTCertDBHandle *certHandle = NULL;
+
+    certHandle = lg_getCertDB(sdb);
+    if (certHandle == NULL) {
+	return;
+    }
+    if (derSubject->data != NULL)  {
+	certDBEntryRevocation *crl = 
+	    nsslowcert_FindCrlByKey(certHandle, derSubject, isKrl);
+
+	if (crl != NULL) {
+	    lg_addHandle(search, lg_mkHandle(sdb, derSubject,
+		isKrl ? LG_TOKEN_KRL_HANDLE : LG_TOKEN_TYPE_CRL));
+	    nsslowcert_DestroyDBEntry((certDBEntry *)crl);
+	}
+    } else {
+	lgEntryData crlData;
+
+	/* traverse */
+	crlData.sdb = sdb;
+	crlData.searchHandles = search;
+	crlData.template = pTemplate;
+	crlData.templ_count = ulCount;
+	nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeRevocation,
+		lg_crl_collect, (void *)&crlData);
+	nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeKeyRevocation,
+		lg_crl_collect, (void *)&crlData);
+    } 
+}
+
+/*
+ * structure to collect key handles.
+ */
+typedef struct lgKeyDataStr {
+    SDB *sdb;
+    NSSLOWKEYDBHandle *keyHandle;
+    SDBFind *searchHandles;
+    SECItem *id;
+    const CK_ATTRIBUTE *template;
+    CK_ULONG templ_count;
+    unsigned long classFlags;
+    PRBool strict;
+} lgKeyData;
+
+static PRBool
+isSecretKey(NSSLOWKEYPrivateKey *privKey)
+{
+  if (privKey->keyType == NSSLOWKEYRSAKey &&
+                privKey->u.rsa.publicExponent.len == 1 &&
+                                privKey->u.rsa.publicExponent.data[0] == 0)
+    return PR_TRUE;
+
+  return PR_FALSE;
+}
+
+
+
+static SECStatus
+lg_key_collect(DBT *key, DBT *data, void *arg)
+{
+    lgKeyData *keyData;
+    NSSLOWKEYPrivateKey *privKey = NULL;
+    SECItem tmpDBKey;
+    SDB *sdb;
+    unsigned long classFlags;
+    
+    keyData = (lgKeyData *)arg;
+    sdb = keyData->sdb;
+    classFlags = keyData->classFlags;
+
+    tmpDBKey.data = key->data;
+    tmpDBKey.len = key->size;
+    tmpDBKey.type = siBuffer;
+
+    PORT_Assert(keyData->keyHandle);
+    if (!keyData->strict && keyData->id) {
+	SECItem result;
+	PRBool haveMatch= PR_FALSE;
+	unsigned char hashKey[SHA1_LENGTH];
+	result.data = hashKey;
+	result.len = sizeof(hashKey);
+
+	if (keyData->id->len == 0) {
+	    /* Make sure this isn't a LG_KEY */
+	    privKey = nsslowkey_FindKeyByPublicKey(keyData->keyHandle, 
+					&tmpDBKey, keyData->sdb/*->password*/);
+	    if (privKey) {
+		/* turn off the unneeded class flags */
+		classFlags &= isSecretKey(privKey) ?  ~(LG_PRIVATE|LG_PUBLIC) :
+							~LG_KEY;
+		haveMatch = (PRBool)
+			((classFlags & (LG_KEY|LG_PRIVATE|LG_PUBLIC)) != 0);
+		nsslowkey_DestroyPrivateKey(privKey);
+	    }
+	} else {
+	    SHA1_HashBuf( hashKey, key->data, key->size ); /* match id */
+	    haveMatch = SECITEM_ItemsAreEqual(keyData->id,&result);
+	    if (!haveMatch && ((unsigned char *)key->data)[0] == 0) {
+		/* This is a fix for backwards compatibility.  The key
+		 * database indexes private keys by the public key, and
+		 * versions of NSS prior to 3.4 stored the public key as
+		 * a signed integer.  The public key is now treated as an
+		 * unsigned integer, with no leading zero.  In order to
+		 * correctly compute the hash of an old key, it is necessary
+		 * to fallback and detect the leading zero.
+		 */
+		SHA1_HashBuf(hashKey, 
+		             (unsigned char *)key->data + 1, key->size - 1);
+		haveMatch = SECITEM_ItemsAreEqual(keyData->id,&result);
+	    }
+	}
+	if (haveMatch) {
+	    if (classFlags & LG_PRIVATE)  {
+		lg_addHandle(keyData->searchHandles,
+			lg_mkHandle(sdb,&tmpDBKey,LG_TOKEN_TYPE_PRIV));
+	    }
+	    if (classFlags & LG_PUBLIC) {
+		lg_addHandle(keyData->searchHandles,
+			lg_mkHandle(sdb,&tmpDBKey,LG_TOKEN_TYPE_PUB));
+	    }
+	    if (classFlags & LG_KEY) {
+		lg_addHandle(keyData->searchHandles,
+			lg_mkHandle(sdb,&tmpDBKey,LG_TOKEN_TYPE_KEY));
+	    }
+	}
+	return SECSuccess;
+    }
+
+    privKey = nsslowkey_FindKeyByPublicKey(keyData->keyHandle, &tmpDBKey, 
+						 keyData->sdb/*->password*/);
+    if ( privKey == NULL ) {
+	goto loser;
+    }
+
+    if (isSecretKey(privKey)) {
+	if ((classFlags & LG_KEY) && 
+		lg_tokenMatch(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_KEY,
+			keyData->template, keyData->templ_count)) {
+	    lg_addHandle(keyData->searchHandles,
+		lg_mkHandle(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_KEY));
+	}
+    } else {
+	if ((classFlags & LG_PRIVATE) && 
+		lg_tokenMatch(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_PRIV,
+			keyData->template, keyData->templ_count)) {
+	    lg_addHandle(keyData->searchHandles,
+		lg_mkHandle(keyData->sdb,&tmpDBKey,LG_TOKEN_TYPE_PRIV));
+	}
+	if ((classFlags & LG_PUBLIC) && 
+		lg_tokenMatch(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_PUB,
+			keyData->template, keyData->templ_count)) {
+	    lg_addHandle(keyData->searchHandles,
+		lg_mkHandle(keyData->sdb, &tmpDBKey,LG_TOKEN_TYPE_PUB));
+	}
+    }
+
+loser:
+    if ( privKey ) {
+	nsslowkey_DestroyPrivateKey(privKey);
+    }
+    return(SECSuccess);
+}
+
+static void
+lg_searchKeys(SDB *sdb, SECItem *key_id,
+	unsigned long classFlags, SDBFind *search, PRBool mustStrict,
+	const CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount)
+{
+    NSSLOWKEYDBHandle *keyHandle = NULL;
+    NSSLOWKEYPrivateKey *privKey;
+    lgKeyData keyData;
+    PRBool found = PR_FALSE;
+
+    keyHandle = lg_getKeyDB(sdb);
+    if (keyHandle == NULL) {
+	return;
+    }
+
+    if (key_id->data) {
+	privKey = nsslowkey_FindKeyByPublicKey(keyHandle, key_id, sdb);
+	if (privKey) {
+	    if ((classFlags & LG_KEY) && isSecretKey(privKey)) {
+    	        lg_addHandle(search,
+			lg_mkHandle(sdb,key_id,LG_TOKEN_TYPE_KEY));
+		found = PR_TRUE;
+	    }
+	    if ((classFlags & LG_PRIVATE) && !isSecretKey(privKey)) {
+    	        lg_addHandle(search,
+			lg_mkHandle(sdb,key_id,LG_TOKEN_TYPE_PRIV));
+		found = PR_TRUE;
+	    }
+	    if ((classFlags & LG_PUBLIC) && !isSecretKey(privKey)) {
+    	        lg_addHandle(search,
+			lg_mkHandle(sdb,key_id,LG_TOKEN_TYPE_PUB));
+		found = PR_TRUE;
+	    }
+    	    nsslowkey_DestroyPrivateKey(privKey);
+	}
+	/* don't do the traversal if we have an up to date db */
+	if (keyHandle->version != 3) {
+	    goto loser;
+	}
+	/* don't do the traversal if it can't possibly be the correct id */
+	/* all soft token id's are SHA1_HASH_LEN's */
+	if (key_id->len != SHA1_LENGTH) {
+	    goto loser;
+	}
+	if (found) {
+	   /* if we already found some keys, don't do the traversal */
+	   goto loser;
+	}
+    }
+    keyData.sdb = sdb;
+    keyData.keyHandle = keyHandle;
+    keyData.searchHandles = search;
+    keyData.id = key_id;
+    keyData.template = pTemplate;
+    keyData.templ_count = ulCount;
+    keyData.classFlags = classFlags;
+    keyData.strict = mustStrict ? mustStrict : LG_STRICT;
+
+    nsslowkey_TraverseKeys(keyHandle, lg_key_collect, &keyData);
+
+loser:
+    return;
+}
+
+/*
+ * structure to collect certs into
+ */
+typedef struct lgCertDataStr {
+    SDB *sdb;
+    int cert_count;
+    int max_cert_count;
+    NSSLOWCERTCertificate **certs;
+    const CK_ATTRIBUTE *template;
+    CK_ULONG	templ_count;
+    unsigned long classFlags;
+    PRBool	strict;
+} lgCertData;
+
+/*
+ * collect all the certs from the traverse call.
+ */	
+static SECStatus
+lg_cert_collect(NSSLOWCERTCertificate *cert,void *arg)
+{
+    lgCertData *cd = (lgCertData *)arg;
+
+    if (cert == NULL) {
+	return SECSuccess;
+    }
+
+    if (cd->certs == NULL) {
+	return SECFailure;
+    }
+
+    if (cd->strict) {
+	if ((cd->classFlags & LG_CERT) && !lg_tokenMatch(cd->sdb,
+	  &cert->certKey, LG_TOKEN_TYPE_CERT, cd->template,cd->templ_count)) {
+	    return SECSuccess;
+	}
+	if ((cd->classFlags & LG_TRUST) && !lg_tokenMatch(cd->sdb,
+	  &cert->certKey, LG_TOKEN_TYPE_TRUST, 
+					     cd->template, cd->templ_count)) {
+	    return SECSuccess;
+	}
+    }
+
+    /* allocate more space if we need it. This should only happen in
+     * the general traversal case */
+    if (cd->cert_count >= cd->max_cert_count) {
+	int size;
+	cd->max_cert_count += LG_SEARCH_BLOCK_SIZE;
+	size = cd->max_cert_count * sizeof (NSSLOWCERTCertificate *);
+	cd->certs = (NSSLOWCERTCertificate **)PORT_Realloc(cd->certs,size);
+	if (cd->certs == NULL) {
+	    return SECFailure;
+	}
+    }
+
+    cd->certs[cd->cert_count++] = nsslowcert_DupCertificate(cert);
+    return SECSuccess;
+}
+
+/* provide impedence matching ... */
+static SECStatus
+lg_cert_collect2(NSSLOWCERTCertificate *cert, SECItem *dymmy, void *arg)
+{
+    return lg_cert_collect(cert, arg);
+}
+
+static void
+lg_searchSingleCert(lgCertData *certData,NSSLOWCERTCertificate *cert)
+{
+    if (cert == NULL) {
+	    return;
+    }
+    if (certData->strict && 
+	!lg_tokenMatch(certData->sdb, &cert->certKey, LG_TOKEN_TYPE_CERT, 
+				certData->template,certData->templ_count)) {
+	nsslowcert_DestroyCertificate(cert);
+	return;
+    }
+    certData->certs = (NSSLOWCERTCertificate **) 
+				PORT_Alloc(sizeof (NSSLOWCERTCertificate *));
+    if (certData->certs == NULL) {
+	nsslowcert_DestroyCertificate(cert);
+	return;
+    }
+    certData->certs[0] = cert;
+    certData->cert_count = 1;
+}
+
+static void
+lg_CertSetupData(lgCertData *certData,int count)
+{
+    certData->max_cert_count = count;
+
+    if (certData->max_cert_count <= 0) {
+	return;
+    }
+    certData->certs = (NSSLOWCERTCertificate **)
+			 PORT_Alloc( count * sizeof(NSSLOWCERTCertificate *));
+    return;
+}
+
+static void
+lg_searchCertsAndTrust(SDB *sdb, SECItem *derCert, SECItem *name, 
+			SECItem *derSubject, NSSLOWCERTIssuerAndSN *issuerSN, 
+			SECItem *email,
+			unsigned long classFlags, SDBFind *handles, 
+			const CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
+{
+    NSSLOWCERTCertDBHandle *certHandle = NULL;
+    lgCertData certData;
+    int i;
+
+    certHandle = lg_getCertDB(sdb);
+    if (certHandle == NULL) return;
+
+    certData.sdb = sdb;
+    certData.max_cert_count = 0;
+    certData.certs = NULL;
+    certData.cert_count = 0;
+    certData.template = pTemplate;
+    certData.templ_count = ulCount;
+    certData.classFlags = classFlags; 
+    certData.strict = LG_STRICT; 
+
+
+    /*
+     * Find the Cert.
+     */
+    if (derCert->data != NULL) {
+	NSSLOWCERTCertificate *cert = 
+			nsslowcert_FindCertByDERCert(certHandle,derCert);
+	lg_searchSingleCert(&certData,cert);
+    } else if (name->data != NULL) {
+	char *tmp_name = (char*)PORT_Alloc(name->len+1);
+	int count;
+
+	if (tmp_name == NULL) {
+	    return;
+	}
+	PORT_Memcpy(tmp_name,name->data,name->len);
+	tmp_name[name->len] = 0;
+
+	count= nsslowcert_NumPermCertsForNickname(certHandle,tmp_name);
+	lg_CertSetupData(&certData,count);
+	nsslowcert_TraversePermCertsForNickname(certHandle,tmp_name,
+				lg_cert_collect, &certData);
+	PORT_Free(tmp_name);
+    } else if (derSubject->data != NULL) {
+	int count;
+
+	count = nsslowcert_NumPermCertsForSubject(certHandle,derSubject);
+	lg_CertSetupData(&certData,count);
+	nsslowcert_TraversePermCertsForSubject(certHandle,derSubject,
+				lg_cert_collect, &certData);
+    } else if ((issuerSN->derIssuer.data != NULL) && 
+			(issuerSN->serialNumber.data != NULL)) {
+        if (classFlags & LG_CERT) {
+	    NSSLOWCERTCertificate *cert = 
+		nsslowcert_FindCertByIssuerAndSN(certHandle,issuerSN);
+
+	    lg_searchSingleCert(&certData,cert);
+	}
+	if (classFlags & LG_TRUST) {
+	    NSSLOWCERTTrust *trust = 
+		nsslowcert_FindTrustByIssuerAndSN(certHandle, issuerSN);
+
+	    if (trust) {
+		lg_addHandle(handles,
+		    lg_mkHandle(sdb,&trust->dbKey,LG_TOKEN_TYPE_TRUST));
+		nsslowcert_DestroyTrust(trust);
+	    }
+	}
+    } else if (email->data != NULL) {
+	char *tmp_name = (char*)PORT_Alloc(email->len+1);
+	certDBEntrySMime *entry = NULL;
+
+	if (tmp_name == NULL) {
+	    return;
+	}
+	PORT_Memcpy(tmp_name,email->data,email->len);
+	tmp_name[email->len] = 0;
+
+	entry = nsslowcert_ReadDBSMimeEntry(certHandle,tmp_name);
+	if (entry) {
+	    int count;
+	    SECItem *subjectName = &entry->subjectName;
+
+	    count = nsslowcert_NumPermCertsForSubject(certHandle, subjectName);
+	    lg_CertSetupData(&certData,count);
+	    nsslowcert_TraversePermCertsForSubject(certHandle, subjectName, 
+						lg_cert_collect, &certData);
+
+	    nsslowcert_DestroyDBEntry((certDBEntry *)entry);
+	}
+	PORT_Free(tmp_name);
+    } else {
+	/* we aren't filtering the certs, we are working on all, so turn
+	 * on the strict filters. */
+	certData.strict = PR_TRUE;
+	lg_CertSetupData(&certData,LG_SEARCH_BLOCK_SIZE);
+	nsslowcert_TraversePermCerts(certHandle, lg_cert_collect2, &certData);
+    }
+
+    /*
+     * build the handles
+     */	
+    for (i=0 ; i < certData.cert_count ; i++) {
+	NSSLOWCERTCertificate *cert = certData.certs[i];
+
+	/* if we filtered it would have been on the stuff above */
+	if (classFlags & LG_CERT) {
+	    lg_addHandle(handles,
+		lg_mkHandle(sdb,&cert->certKey,LG_TOKEN_TYPE_CERT));
+	}
+	if ((classFlags & LG_TRUST) && nsslowcert_hasTrust(cert->trust)) {
+	    lg_addHandle(handles,
+		lg_mkHandle(sdb,&cert->certKey,LG_TOKEN_TYPE_TRUST));
+	}
+	nsslowcert_DestroyCertificate(cert);
+    }
+
+    if (certData.certs) PORT_Free(certData.certs);
+    return;
+}
+
+static SECStatus
+lg_smime_collect(SECItem *data, SECItem *key, certDBEntryType type, void *arg)
+{
+    lgEntryData *smimeData;
+    SDB *sdb;
+    
+    smimeData = (lgEntryData *)arg;
+    sdb = smimeData->sdb;
+
+    if (lg_tokenMatch(sdb, key, LG_TOKEN_TYPE_SMIME,
+			smimeData->template, smimeData->templ_count)) {
+	lg_addHandle(smimeData->searchHandles,
+				 lg_mkHandle(sdb,key,LG_TOKEN_TYPE_SMIME));
+    }
+    return(SECSuccess);
+}
+
+static void
+lg_searchSMime(SDB *sdb, SECItem *email, SDBFind *handles, 
+			const CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
+{
+    NSSLOWCERTCertDBHandle *certHandle = NULL;
+    certDBEntrySMime *entry;
+
+    certHandle = lg_getCertDB(sdb);
+    if (certHandle == NULL) return;
+
+    if (email->data != NULL) {
+	char *tmp_name = (char*)PORT_Alloc(email->len+1);
+
+	if (tmp_name == NULL) {
+	    return;
+	}
+	PORT_Memcpy(tmp_name,email->data,email->len);
+	tmp_name[email->len] = 0;
+
+	entry = nsslowcert_ReadDBSMimeEntry(certHandle,tmp_name);
+	if (entry) {
+	    SECItem emailKey;
+
+	    emailKey.data = (unsigned char *)tmp_name;
+	    emailKey.len = PORT_Strlen(tmp_name)+1;
+	    emailKey.type = 0;
+	    lg_addHandle(handles,
+		lg_mkHandle(sdb,&emailKey,LG_TOKEN_TYPE_SMIME));
+	    nsslowcert_DestroyDBEntry((certDBEntry *)entry);
+	}
+	PORT_Free(tmp_name);
+    } else {
+	/* traverse */
+	lgEntryData smimeData;
+
+	/* traverse */
+	smimeData.sdb = sdb;
+	smimeData.searchHandles = handles;
+	smimeData.template = pTemplate;
+	smimeData.templ_count = ulCount;
+	nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeSMimeProfile,
+		lg_smime_collect, (void *)&smimeData);
+    }
+    return;
+}
+
+static CK_RV
+lg_searchTokenList(SDB *sdb, SDBFind *search,
+	 		const CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
+{
+    int i;
+    PRBool isKrl = PR_FALSE;
+    SECItem derCert = { siBuffer, NULL, 0 };
+    SECItem derSubject = { siBuffer, NULL, 0 };
+    SECItem name = { siBuffer, NULL, 0 };
+    SECItem email = { siBuffer, NULL, 0 };
+    SECItem key_id = { siBuffer, NULL, 0 };
+    SECItem cert_sha1_hash = { siBuffer, NULL, 0 };
+    SECItem cert_md5_hash  = { siBuffer, NULL, 0 };
+    NSSLOWCERTIssuerAndSN issuerSN = {
+	{ siBuffer, NULL, 0 },
+	{ siBuffer, NULL, 0 }
+    };
+    SECItem *copy = NULL;
+    CK_CERTIFICATE_TYPE certType;
+    CK_OBJECT_CLASS objectClass;
+    CK_RV crv;
+    unsigned long classFlags = 
+	LG_CERT|LG_TRUST|LG_PRIVATE|LG_PUBLIC|LG_KEY|LG_SMIME|LG_CRL;
+
+    if (lg_getCertDB(sdb) == NULL) {
+	classFlags = LG_PRIVATE|LG_KEY;
+    } else {
+	classFlags = LG_CERT|LG_TRUST|LG_PUBLIC|LG_SMIME|LG_CRL;
+    }
+
+    /*
+     * look for things to search on token objects for. If the right options
+     * are specified, we can use them as direct indeces into the database
+     * (rather than using linear searches. We can also use the attributes to
+     * limit the kinds of objects we are searching for. Later we can use this
+     * array to filter the remaining objects more finely.
+     */
+    for (i=0 ;classFlags && i < (int)ulCount; i++) {
+
+	switch (pTemplate[i].type) {
+	case CKA_SUBJECT:
+	    copy = &derSubject;
+	    classFlags &= (LG_CERT|LG_PRIVATE|LG_PUBLIC|LG_SMIME|LG_CRL);
+	    break;
+	case CKA_ISSUER: 
+	    copy = &issuerSN.derIssuer;
+	    classFlags &= (LG_CERT|LG_TRUST);
+	    break;
+	case CKA_SERIAL_NUMBER: 
+	    copy = &issuerSN.serialNumber;
+	    classFlags &= (LG_CERT|LG_TRUST);
+	    break;
+	case CKA_VALUE:
+	    copy = &derCert;
+	    classFlags &= (LG_CERT|LG_CRL|LG_SMIME);
+	    break;
+	case CKA_LABEL:
+	    copy = &name;
+	    break;
+	case CKA_NETSCAPE_EMAIL:
+	    copy = &email;
+	    classFlags &= LG_SMIME|LG_CERT;
+	    break;
+	case CKA_NETSCAPE_SMIME_TIMESTAMP:
+	    classFlags &= LG_SMIME;
+	    break;
+	case CKA_CLASS:
+	    crv = lg_GetULongAttribute(CKA_CLASS,&pTemplate[i],1, &objectClass);
+	    if (crv != CKR_OK) {
+		classFlags = 0;
+		break;;
+	    }
+	    switch (objectClass) {
+	    case CKO_CERTIFICATE:
+		classFlags &= LG_CERT;
+		break;
+	    case CKO_NETSCAPE_TRUST:
+		classFlags &= LG_TRUST;
+		break;
+	    case CKO_NETSCAPE_CRL:
+		classFlags &= LG_CRL;
+		break;
+	    case CKO_NETSCAPE_SMIME:
+		classFlags &= LG_SMIME;
+		break;
+	    case CKO_PRIVATE_KEY:
+		classFlags &= LG_PRIVATE;
+		break;
+	    case CKO_PUBLIC_KEY:
+		classFlags &= LG_PUBLIC;
+		break;
+	    case CKO_SECRET_KEY:
+		classFlags &= LG_KEY;
+		break;
+	    default:
+		classFlags = 0;
+		break;
+	    }
+	    break;
+	case CKA_PRIVATE:
+	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+		classFlags = 0;
+	    }
+	    if (*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE) {
+		classFlags &= (LG_PRIVATE|LG_KEY);
+	    } else {
+		classFlags &= ~(LG_PRIVATE|LG_KEY);
+	    }
+	    break;
+	case CKA_SENSITIVE:
+	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+		classFlags = 0;
+	    }
+	    if (*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE) {
+		classFlags &= (LG_PRIVATE|LG_KEY);
+	    } else {
+		classFlags = 0;
+	    }
+	    break;
+	case CKA_TOKEN:
+	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+		classFlags = 0;
+	    }
+	    if (*((CK_BBOOL *)pTemplate[i].pValue) != CK_TRUE) {
+		classFlags = 0;
+	    }
+	    break;
+	case CKA_CERT_SHA1_HASH:
+	    classFlags &= LG_TRUST;
+	    copy = &cert_sha1_hash; break;
+	case CKA_CERT_MD5_HASH:
+	    classFlags &= LG_TRUST;
+	    copy = &cert_md5_hash; break;
+	case CKA_CERTIFICATE_TYPE:
+	    crv = lg_GetULongAttribute(CKA_CLASS,&pTemplate[i],1,&certType);
+	    if (crv != CKR_OK) {
+		classFlags = 0;
+	    }
+	    classFlags &= LG_CERT;
+	    if (certType != CKC_X_509) {
+		classFlags = 0;
+	    }
+	    break;
+	case CKA_ID:
+	    copy = &key_id;
+	    classFlags &= (LG_CERT|LG_PRIVATE|LG_KEY|LG_PUBLIC);
+	    break;
+	case CKA_NETSCAPE_KRL:
+	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+		classFlags = 0;
+	    }
+	    classFlags &= LG_CRL;
+	    isKrl = (PRBool)(*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE);
+	    break;
+	case CKA_MODIFIABLE:
+	     break;
+	case CKA_KEY_TYPE:
+	case CKA_DERIVE:
+	    classFlags &= LG_PUBLIC|LG_PRIVATE|LG_KEY;
+	    break;
+	case CKA_VERIFY_RECOVER:
+	    classFlags &= LG_PUBLIC;
+	    break;
+	case CKA_SIGN_RECOVER:
+	    classFlags &= LG_PRIVATE;
+	    break;
+	case CKA_ENCRYPT:
+	case CKA_VERIFY:
+	case CKA_WRAP:
+	    classFlags &= LG_PUBLIC|LG_KEY;
+	    break;
+	case CKA_DECRYPT:
+	case CKA_SIGN:
+	case CKA_UNWRAP:
+	case CKA_ALWAYS_SENSITIVE:
+	case CKA_EXTRACTABLE:
+	case CKA_NEVER_EXTRACTABLE:
+	    classFlags &= LG_PRIVATE|LG_KEY;
+	    break;
+	/* can't be a certificate if it doesn't match one of the above 
+	 * attributes */
+	default: 
+	     classFlags  = 0;
+	     break;
+	}
+ 	if (copy) {
+	    copy->data = (unsigned char*)pTemplate[i].pValue;
+	    copy->len = pTemplate[i].ulValueLen;
+	}
+	copy = NULL;
+    }
+
+    /* certs */
+    if (classFlags & (LG_CERT|LG_TRUST)) {
+	lg_searchCertsAndTrust(sdb,&derCert,&name,&derSubject,
+				 &issuerSN, &email,classFlags,search, 
+				pTemplate, ulCount);
+    }
+
+    /* keys */
+    if (classFlags & (LG_PRIVATE|LG_PUBLIC|LG_KEY)) {
+	PRBool mustStrict = ((classFlags & LG_KEY) != 0) && (name.len != 0);
+	lg_searchKeys(sdb, &key_id, classFlags, search,
+			 mustStrict, pTemplate, ulCount);
+    }
+
+    /* crl's */
+    if (classFlags & LG_CRL) {
+	lg_searchCrls(sdb, &derSubject, isKrl, classFlags, search,
+			pTemplate, ulCount);
+    }
+    /* Add S/MIME entry stuff */
+    if (classFlags & LG_SMIME) {
+	lg_searchSMime(sdb, &email, search, pTemplate, ulCount);
+    }
+    return CKR_OK;
+}
+	
+
+/* lg_FindObjectsInit initializes a search for token and session objects 
+ * that match a template. */
+CK_RV lg_FindObjectsInit(SDB *sdb, const CK_ATTRIBUTE *pTemplate,
+			 CK_ULONG ulCount, SDBFind **retSearch)
+{
+    SDBFind *search;
+    CK_RV crv = CKR_OK;
+  
+    *retSearch = NULL; 
+
+    search = (SDBFind *)PORT_Alloc(sizeof(SDBFind));
+    if (search == NULL) {
+	crv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    search->handles = (CK_OBJECT_HANDLE *)
+		PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * LG_SEARCH_BLOCK_SIZE);
+    if (search->handles == NULL) {
+	crv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    search->index = 0;
+    search->size = 0;
+    search->array_size = LG_SEARCH_BLOCK_SIZE;
+    /* FIXME - do we still need to get Login state? */
+
+    crv = lg_searchTokenList(sdb, search, pTemplate, ulCount);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+
+    *retSearch = search;
+    return CKR_OK;
+
+loser:
+    if (search) {
+	lg_FreeSearch(search);
+    }
+    return crv;
+}
+
+
+/* lg_FindObjects continues a search for token and session objects 
+ * that match a template, obtaining additional object handles. */
+CK_RV lg_FindObjects(SDB *sdb, SDBFind *search, 
+    CK_OBJECT_HANDLE *phObject,CK_ULONG ulMaxObjectCount,
+    					CK_ULONG *pulObjectCount)
+{
+    int	transfer;
+    int left;
+
+    *pulObjectCount = 0;
+    left = search->size - search->index;
+    transfer = ((int)ulMaxObjectCount > left) ? left : ulMaxObjectCount;
+    if (transfer > 0) {
+	PORT_Memcpy(phObject,&search->handles[search->index],
+                                        transfer*sizeof(CK_OBJECT_HANDLE_PTR));
+    } else {
+       *phObject = CK_INVALID_HANDLE;
+    }
+
+    search->index += transfer;
+    *pulObjectCount = transfer;
+    return CKR_OK;
+}
+
+/* lg_FindObjectsFinal finishes a search for token and session objects. */
+CK_RV lg_FindObjectsFinal(SDB* lgdb, SDBFind *search)
+{
+
+    if (search != NULL) {
+	lg_FreeSearch(search);
+    }
+    return CKR_OK;
+}

mozilla/security/nss/lib/softoken/legacydb/lginit.c

@@ -0,0 +1,644 @@
+/*
+ * NSS utility functions
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id: lginit.c,v 1.1.2.1 2007-04-03 22:50:02 rrelyea%redhat.com Exp $ */
+
+#include "lowkeyi.h"
+#include "pcert.h"
+#include "keydbi.h"
+#include "lgdb.h"
+
+typedef struct LGPrivateStr {
+    NSSLOWCERTCertDBHandle *certDB;
+    NSSLOWKEYDBHandle *keyDB;
+    PRLock *dbLock;
+    PLHashTable *hashTable;
+} LGPrivate;
+
+static char *
+lg_certdb_name_cb(void *arg, int dbVersion)
+{
+    const char *configdir = (const char *)arg;
+    const char *dbver;
+    char *smpname = NULL;
+    char *dbname = NULL;
+
+    switch (dbVersion) {
+      case 8:
+	dbver = "8";
+	break;
+      case 7:
+	dbver = "7";
+	break;
+      case 6:
+	dbver = "6";
+	break;
+      case 5:
+	dbver = "5";
+	break;
+      case 4:
+      default:
+	dbver = "";
+	break;
+    }
+
+    /* make sure we return something allocated with PORT_ so we have properly
+     * matched frees at the end */
+    smpname = PR_smprintf(CERT_DB_FMT, configdir, dbver);
+    if (smpname) {
+	dbname = PORT_Strdup(smpname);
+	PR_smprintf_free(smpname);
+    }
+    return dbname;
+}
+    
+static char *
+lg_keydb_name_cb(void *arg, int dbVersion)
+{
+    const char *configdir = (const char *)arg;
+    const char *dbver;
+    char *smpname = NULL;
+    char *dbname = NULL;
+    
+    switch (dbVersion) {
+      case 4:
+	dbver = "4";
+	break;
+      case 3:
+	dbver = "3";
+	break;
+      case 1:
+	dbver = "1";
+	break;
+      case 2:
+      default:
+	dbver = "";
+	break;
+    }
+
+    smpname = PR_smprintf(KEY_DB_FMT, configdir, dbver);
+    if (smpname) {
+	dbname = PORT_Strdup(smpname);
+	PR_smprintf_free(smpname);
+    }
+    return dbname;
+}
+
+const char *
+lg_EvaluateConfigDir(const char *configdir,char **appName)
+{
+    if (PORT_Strncmp(configdir, MULTIACCESS, sizeof(MULTIACCESS)-1) == 0) {
+	char *cdir;
+
+	*appName = PORT_Strdup(configdir+sizeof(MULTIACCESS)-1);
+	if (*appName == NULL) {
+	    return configdir;
+	}
+	cdir = *appName;
+	while (*cdir && *cdir != ':') {
+	    cdir++;
+	}
+	if (*cdir == ':') {
+	   *cdir = 0;
+	   cdir++;
+	}
+	configdir = cdir;
+    }
+    return configdir;
+}
+
+static int rdbmapflags(int flags);
+static rdbfunc lg_rdbfunc = NULL;
+static rdbstatusfunc lg_rdbstatusfunc = NULL;
+
+/* NOTE: SHLIB_SUFFIX is defined on the command line */
+#define RDBLIB SHLIB_PREFIX"rdb."SHLIB_SUFFIX
+
+DB * rdbopen(const char *appName, const char *prefix, 
+			const char *type, int flags, int *status)
+{
+    PRLibrary *lib;
+    DB *db;
+
+    if (lg_rdbfunc) {
+	db = (*lg_rdbfunc)(appName,prefix,type,rdbmapflags(flags));
+	if (!db && status && lg_rdbstatusfunc) {
+	    *status = (*lg_rdbstatusfunc)();
+	}
+	return db;
+    }
+
+    /*
+     * try to open the library.
+     */
+    lib = PR_LoadLibrary(RDBLIB);
+
+    if (!lib) {
+	return NULL;
+    }
+
+    /* get the entry points */
+    lg_rdbstatusfunc = (rdbstatusfunc) PR_FindSymbol(lib,"rdbstatus");
+    lg_rdbfunc = (rdbfunc) PR_FindSymbol(lib,"rdbopen");
+    if (lg_rdbfunc) {
+	db = (*lg_rdbfunc)(appName,prefix,type,rdbmapflags(flags));
+	if (!db && status && lg_rdbstatusfunc) {
+	    *status = (*lg_rdbstatusfunc)();
+	}
+	return db;
+    }
+
+    /* couldn't find the entry point, unload the library and fail */
+    PR_UnloadLibrary(lib);
+    return NULL;
+}
+
+/*
+ * the following data structures are from rdb.h.
+ */
+struct RDBStr {
+    DB	db;
+    int (*xactstart)(DB *db);
+    int (*xactdone)(DB *db, PRBool abort);
+    int version;
+    int (*dbinitcomplete)(DB *db);
+};
+
+#define DB_RDB ((DBTYPE) 0xff)
+#define RDB_RDONLY	1
+#define RDB_RDWR 	2
+#define RDB_CREATE      4
+
+static int
+rdbmapflags(int flags) {
+   switch (flags) {
+   case NO_RDONLY:
+	return RDB_RDONLY;
+   case NO_RDWR:
+	return RDB_RDWR;
+   case NO_CREATE:
+	return RDB_CREATE;
+   default:
+	break;
+   }
+   return 0;
+}
+
+PRBool
+db_IsRDB(DB *db)
+{
+    return (PRBool) db->type == DB_RDB;
+}
+
+int
+db_BeginTransaction(DB *db)
+{
+    struct RDBStr *rdb = (struct RDBStr *)db;
+    if (db->type != DB_RDB) {
+	return 0;
+    }
+
+    return rdb->xactstart(db);
+}
+
+int
+db_FinishTransaction(DB *db, PRBool abort)
+{
+    struct RDBStr *rdb = (struct RDBStr *)db;
+    if (db->type != DB_RDB) {
+	return 0;
+    }
+
+    return rdb->xactdone(db, abort);
+}
+
+static DB *
+lg_getRawDB(SDB *sdb)
+{
+    NSSLOWCERTCertDBHandle *certDB;
+    NSSLOWKEYDBHandle *keyDB;
+
+    certDB = lg_getCertDB(sdb);
+    if (certDB) {
+	return certDB->permCertDB;
+    }
+    keyDB = lg_getKeyDB(sdb);
+    if (keyDB) {
+	return keyDB->db;
+    }
+    return NULL;
+}
+
+CK_RV
+lg_Begin(SDB *sdb)
+{
+    DB *db = lg_getRawDB(sdb);
+    int ret;
+
+    if (db == NULL) {
+	return CKR_GENERAL_ERROR; /* shouldn't happen */
+    }
+    ret = db_BeginTransaction(db);
+    if (ret != 0) {
+	return CKR_GENERAL_ERROR; /* could happen */
+    }
+    return CKR_OK;
+}
+
+CK_RV
+lg_Commit(SDB *sdb)
+{
+    DB *db = lg_getRawDB(sdb);
+    int ret;
+
+    if (db == NULL) {
+	return CKR_GENERAL_ERROR; /* shouldn't happen */
+    }
+    ret = db_FinishTransaction(db, PR_FALSE);
+    if (ret != 0) {
+	return CKR_GENERAL_ERROR; /* could happen */
+    }
+    return CKR_OK;
+}
+
+CK_RV
+lg_Abort(SDB *sdb)
+{
+    DB *db = lg_getRawDB(sdb);
+    int ret;
+
+    if (db == NULL) {
+	return CKR_GENERAL_ERROR; /* shouldn't happen */
+    }
+    ret = db_FinishTransaction(db, PR_TRUE);
+    if (ret != 0) {
+	return CKR_GENERAL_ERROR; /* could happen */
+    }
+    return CKR_OK;
+}
+
+int
+db_InitComplete(DB *db)
+{
+    struct RDBStr *rdb = (struct RDBStr *)db;
+    if (db->type != DB_RDB) {
+	return 0;
+    }
+    /* we should have added a version number to the RDBS structure. Since we
+     * didn't, we detect that we have and 'extended' structure if the rdbstatus
+     * func exists */
+    if (!lg_rdbstatusfunc) {
+	return 0;
+    }
+
+    return rdb->dbinitcomplete(db);
+}
+
+
+
+SECStatus
+db_Copy(DB *dest,DB *src)
+{
+    int ret;
+    DBT key,data;
+    ret = (*src->seq)(src, &key, &data, R_FIRST);
+    if (ret)  {
+	return SECSuccess;
+    }
+
+    do {
+	(void)(*dest->put)(dest,&key,&data, R_NOOVERWRITE);
+    } while ( (*src->seq)(src, &key, &data, R_NEXT) == 0);
+    (void)(*dest->sync)(dest,0);
+
+    return SECSuccess;
+}
+
+
+static CK_RV
+lg_OpenCertDB(const char * configdir, const char *prefix, PRBool readOnly,
+    					    NSSLOWCERTCertDBHandle **certdbPtr)
+{
+    NSSLOWCERTCertDBHandle *certdb = NULL;
+    CK_RV        crv = CKR_NETSCAPE_CERTDB_FAILED;
+    SECStatus    rv;
+    char * name = NULL;
+    char * appName = NULL;
+
+    if (prefix == NULL) {
+	prefix = "";
+    }
+
+    configdir = lg_EvaluateConfigDir(configdir, &appName);
+
+    name = PR_smprintf("%s" PATH_SEPARATOR "%s",configdir,prefix);
+    if (name == NULL) goto loser;
+
+    certdb = (NSSLOWCERTCertDBHandle*)PORT_ZAlloc(sizeof(NSSLOWCERTCertDBHandle));
+    if (certdb == NULL) 
+    	goto loser;
+
+    certdb->ref = 1;
+/* fix when we get the DB in */
+    rv = nsslowcert_OpenCertDB(certdb, readOnly, appName, prefix,
+				lg_certdb_name_cb, (void *)name, PR_FALSE);
+    if (rv == SECSuccess) {
+	crv = CKR_OK;
+	*certdbPtr = certdb;
+	certdb = NULL;
+    }
+loser: 
+    if (certdb) PR_Free(certdb);
+    if (name) PR_smprintf_free(name);
+    if (appName) PORT_Free(appName);
+    return crv;
+}
+
+static CK_RV
+lg_OpenKeyDB(const char * configdir, const char *prefix, PRBool readOnly,
+    						NSSLOWKEYDBHandle **keydbPtr)
+{
+    NSSLOWKEYDBHandle *keydb;
+    char * name = NULL;
+    char * appName = NULL;
+
+    if (prefix == NULL) {
+	prefix = "";
+    }
+    configdir = lg_EvaluateConfigDir(configdir, &appName);
+
+    name = PR_smprintf("%s" PATH_SEPARATOR "%s",configdir,prefix);	
+    if (name == NULL) 
+	return CKR_HOST_MEMORY;
+    keydb = nsslowkey_OpenKeyDB(readOnly, appName, prefix, 
+					lg_keydb_name_cb, (void *)name);
+    PR_smprintf_free(name);
+    if (appName) PORT_Free(appName);
+    if (keydb == NULL)
+	return CKR_NETSCAPE_KEYDB_FAILED;
+    *keydbPtr = keydb;
+
+    return CKR_OK;
+}
+
+/*
+ * Accessors for the private parts of the sdb structure.
+ */
+void
+lg_DBLock(SDB *sdb) 
+{
+    LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+    PR_Lock(lgdb_p->dbLock);
+}
+
+void
+lg_DBUnlock(SDB *sdb) 
+{
+    LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+    PR_Unlock(lgdb_p->dbLock);
+}
+
+PLHashTable *
+lg_GetHashTable(SDB *sdb) 
+{
+    LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+    return lgdb_p->hashTable;
+}
+
+NSSLOWCERTCertDBHandle *
+lg_getCertDB(SDB *sdb)
+{
+    LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+
+    return lgdb_p->certDB;
+}
+
+NSSLOWKEYDBHandle *
+lg_getKeyDB(SDB *sdb)
+{
+    LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+
+    return lgdb_p->keyDB;
+}
+
+CK_RV
+lg_Close(SDB *sdb)
+{
+    LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+    if (lgdb_p) {
+    	if (lgdb_p->certDB) {
+	    nsslowcert_ClosePermCertDB(lgdb_p->certDB);
+	} else if (lgdb_p->keyDB) {
+	    nsslowkey_CloseKeyDB(lgdb_p->keyDB);
+	}
+	if (lgdb_p->dbLock) {
+	    PR_DestroyLock(lgdb_p->dbLock);
+	}
+	if (lgdb_p->hashTable) {
+	    PL_HashTableDestroy(lgdb_p->hashTable);
+	}
+	PORT_Free(lgdb_p);
+    }
+    PORT_Free(sdb);
+    return CKR_OK;
+}
+
+static PLHashNumber
+lg_HashNumber(const void *key)
+{
+    return (PLHashNumber) key;
+}
+
+
+/*
+ * helper function to wrap a NSSLOWCERTCertDBHandle or a NSSLOWKEYDBHandle
+ * with and sdb structure.
+ */
+CK_RV 
+lg_init(SDB **pSdb, int flags, NSSLOWCERTCertDBHandle *certdbPtr,
+	 NSSLOWKEYDBHandle *keydbPtr)
+{
+    SDB *sdb = NULL;
+    LGPrivate *lgdb_p = NULL;
+    CK_RV error = CKR_HOST_MEMORY;
+
+    *pSdb = NULL;
+    sdb = (SDB *) PORT_Alloc(sizeof(SDB));
+    if (sdb == NULL) {
+	goto loser;
+    }
+    lgdb_p = (LGPrivate *) PORT_Alloc(sizeof(LGPrivate));
+    if (lgdb_p == NULL) {
+	goto loser;
+    }
+    /* invariant fields */
+    lgdb_p->certDB = certdbPtr;
+    lgdb_p->keyDB = keydbPtr;
+    lgdb_p->dbLock = PR_NewLock();
+    if (lgdb_p->dbLock == NULL) {
+	goto loser;
+    }
+    lgdb_p->hashTable = PL_NewHashTable(64, lg_HashNumber, PL_CompareValues,
+			SECITEM_HashCompare, NULL, 0);
+    if (lgdb_p->hashTable == NULL) {
+	goto loser;
+    }
+
+    sdb->sdb_type = SDB_LEGACY;
+    sdb->sdb_flags = flags;
+    sdb->private = lgdb_p;
+    sdb->sdb_FindObjectsInit = lg_FindObjectsInit;
+    sdb->sdb_FindObjects = lg_FindObjects;
+    sdb->sdb_FindObjectsFinal = lg_FindObjectsFinal;
+    sdb->sdb_GetAttributeValue = lg_GetAttributeValue;
+    sdb->sdb_SetAttributeValue = lg_SetAttributeValue;
+    sdb->sdb_CreateObject = lg_CreateObject;
+    sdb->sdb_DestroyObject = lg_DestroyObject;
+    sdb->sdb_GetPWEntry = lg_GetPWEntry;
+    sdb->sdb_PutPWEntry = lg_PutPWEntry;
+    sdb->sdb_Begin = lg_Begin;
+    sdb->sdb_Commit = lg_Commit;
+    sdb->sdb_Abort = lg_Abort;
+    sdb->sdb_Close = lg_Reset;
+    sdb->sdb_Close = lg_Close;
+
+
+    *pSdb = sdb;
+    return CKR_OK;
+
+loser:
+    if (sdb) {
+	PORT_Free(sdb);
+    }
+    if (lgdb_p) {
+	if (lgdb_p->dbLock) {
+	    PR_DestroyLock(lgdb_p->dbLock);
+	}
+	if (lgdb_p->hashTable) {
+	    PL_HashTableDestroy(lgdb_p->hashTable);
+	}
+	PORT_Free(lgdb_p);
+    }
+    return error;
+
+}
+
+extern SECStatus secoid_Init(void); /* util *REALLY* needs 
+				     * to be a shared library */
+/*
+ * OK there are now lots of options here, lets go through them all:
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ * 			"https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: "
+ * 			"https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * readOnly - Boolean: true if the databases are to be openned read only.
+ * nocertdb - Don't open the cert DB and key DB's, just initialize the 
+ *			Volatile certdb.
+ * nomoddb - Don't open the security module DB, just initialize the 
+ *			PKCS #11 module.
+ * forceOpen - Continue to force initializations even if the databases cannot
+ * 			be opened.
+ */
+CK_RV
+legacy_Open(const char *configdir, const char *certPrefix, 
+	    const char *keyPrefix, int certVersion, int keyVersion,
+	    int flags, SDB **certDB, SDB **keyDB)
+{
+    CK_RV crv = CKR_OK;
+    PRBool readOnly = (flags == SDB_RDONLY)? PR_TRUE: PR_FALSE;
+
+    secoid_Init();
+    nsslowcert_InitLocks();
+
+    if (keyDB) *keyDB = NULL;
+    if (certDB) *certDB = NULL;
+
+    if (certDB) {
+	NSSLOWCERTCertDBHandle *certdbPtr;
+
+	crv = lg_OpenCertDB(configdir, certPrefix, readOnly, &certdbPtr);
+	if (crv != CKR_OK) {
+	    goto loser;
+	}
+	crv = lg_init(certDB, flags, certdbPtr, NULL);
+	if (crv != CKR_OK) {
+	    nsslowcert_ClosePermCertDB(certdbPtr);
+	    goto loser;
+	}
+    }
+    if (keyDB) {
+	NSSLOWKEYDBHandle *keydbPtr;
+
+	crv = lg_OpenKeyDB(configdir, keyPrefix, readOnly, &keydbPtr);
+	if (crv != CKR_OK) {
+	    goto loser;
+	}
+	crv = lg_init(keyDB, flags, NULL, keydbPtr);
+	if (crv != CKR_OK) {
+	    nsslowkey_CloseKeyDB(keydbPtr);
+	    goto loser;
+	}
+	if (certDB && *certDB) {
+	    LGPrivate *lgdb_p = (LGPrivate *)(*certDB)->private;
+	    lgdb_p->keyDB = keydbPtr;
+	}
+    }
+
+loser:
+    if (crv != CKR_OK) {
+	if (keyDB && *keyDB) {
+	    lg_Close(*keyDB);
+	    *keyDB = NULL;
+	}
+	if (certDB && *certDB) {
+	    lg_Close(*certDB);
+	    *certDB = NULL;
+	}
+    }
+    return crv;
+}
+
+CK_RV
+legacy_Shutdown(void)
+{
+    nsslowcert_DestroyFreeLists();
+    nsslowcert_DestroyGlobalLocks();
+}

mozilla/security/nss/lib/softoken/legacydb/lgutil.c

@@ -0,0 +1,424 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "lgdb.h"
+#include "secerr.h"
+#include "lgglue.h"
+
+/*
+ * ******************** Attribute Utilities *******************************
+ */
+
+/*
+ * look up and attribute structure from a type and Object structure.
+ * The returned attribute is referenced and needs to be freed when 
+ * it is no longer needed.
+ */
+const CK_ATTRIBUTE *
+lg_FindAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ,
+		 CK_ULONG count )
+{
+    int i;
+
+    for (i=0; i < count; i++) {
+	if (templ[i].type == type) {
+	    return &templ[i];
+	}
+    }
+    return NULL;
+}
+
+
+/*
+ * return true if object has attribute
+ */
+PRBool
+lg_hasAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ,
+		 CK_ULONG count )
+{
+   if (lg_FindAttribute(type, templ, count) == NULL) {
+	return PR_FALSE;
+   }
+   return PR_TRUE;
+}
+
+/* 
+ * copy an attribute into a SECItem. Secitem is allocated in the specified
+ * arena.
+ */
+CK_RV
+lg_Attribute2SecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item)
+{
+    int len;
+    const CK_ATTRIBUTE *attribute;
+
+    attribute = lg_FindAttribute(type, templ, count);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+    len = attribute->ulValueLen;
+
+    if (arena) {
+    	item->data = (unsigned char *) PORT_ArenaAlloc(arena,len);
+    } else {
+    	item->data = (unsigned char *) PORT_Alloc(len);
+    }
+    if (item->data == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    item->len = len;
+    PORT_Memcpy(item->data, attribute->pValue, len);
+    return CKR_OK;
+}
+
+
+/* 
+ * copy an unsigned attribute into a SECItem. Secitem is allocated in
+ * the specified arena.
+ */
+CK_RV
+lg_Attribute2SSecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item)
+{
+    const CK_ATTRIBUTE *attribute;
+    item->data = NULL;
+
+    attribute = lg_FindAttribute(type, templ, count);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+
+    (void)SECITEM_AllocItem(arena, item, attribute->ulValueLen);
+    if (item->data == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    PORT_Memcpy(item->data, attribute->pValue, item->len);
+    return CKR_OK;
+}
+
+/* 
+ * copy an unsigned attribute into a SECItem. Secitem is allocated in
+ * the specified arena.
+ */
+CK_RV
+lg_PrivAttr2SSecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item, SDB *sdbpw)
+{
+    const CK_ATTRIBUTE *attribute;
+    SECItem epki, *dest = NULL;
+    SECStatus rv;
+
+    item->data = NULL;
+
+    attribute = lg_FindAttribute(type, templ, count);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+
+    epki.data = attribute->pValue;
+    epki.len = attribute->ulValueLen;
+
+    rv = lg_util_decrypt(sdbpw, &epki, &dest);
+    if (rv != SECSuccess) {
+	return CKR_USER_NOT_LOGGED_IN;
+    }
+    (void)SECITEM_AllocItem(arena, item, dest->len);
+    if (item->data == NULL) {
+	SECITEM_FreeItem(dest, PR_TRUE);
+	return CKR_HOST_MEMORY;
+    }
+    
+    PORT_Memcpy(item->data, dest->data, item->len);
+    SECITEM_FreeItem(dest, PR_TRUE);
+    return CKR_OK;
+}
+
+CK_RV
+lg_PrivAttr2SecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type,
+			const CK_ATTRIBUTE *templ, CK_ULONG count,
+			SECItem *item, SDB *sdbpw)
+{
+    return lg_PrivAttr2SSecItem(arena, type, templ, count, item, sdbpw);
+}
+
+/*
+ * this is only valid for CK_BBOOL type attributes. Return the state
+ * of that attribute.
+ */
+PRBool
+lg_isTrue(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    const CK_ATTRIBUTE *attribute;
+    PRBool tok = PR_FALSE;
+
+    attribute=lg_FindAttribute(type, templ, count);
+    if (attribute == NULL) { return PR_FALSE; }
+    tok = (PRBool)(*(CK_BBOOL *)attribute->pValue);
+
+    return tok;
+}
+
+/*
+ * return a null terminated string from attribute 'type'. This string
+ * is allocated and needs to be freed with PORT_Free() When complete.
+ */
+char *
+lg_getString(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+    const CK_ATTRIBUTE *attribute;
+    char *label = NULL;
+
+    attribute = lg_FindAttribute(type, templ, count);
+    if (attribute == NULL) return NULL;
+
+    if (attribute->pValue != NULL) {
+	label = (char *) PORT_Alloc(attribute->ulValueLen+1);
+	if (label == NULL) {
+	    return NULL;
+	}
+
+	PORT_Memcpy(label,attribute->pValue, attribute->ulValueLen);
+	label[attribute->ulValueLen] = 0;
+    }
+    return label;
+}
+
+CK_RV
+lg_GetULongAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ,
+				 CK_ULONG count, CK_ULONG *longData)
+{
+    const CK_ATTRIBUTE *attribute;
+    CK_ULONG value = 0;
+    const unsigned char *data;
+    int i;
+
+    attribute = lg_FindAttribute(type, templ, count);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+
+    if (attribute->ulValueLen != sizeof(CK_ULONG)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    data = (const unsigned char *)attribute->pValue;
+    for (i=0; i < 4; i++) {
+	value |= (CK_ULONG)(data[i]) << ((3-i)*8);
+    }
+
+    *longData = value;
+    return CKR_OK;
+}
+
+/*
+ * ******************** Object Utilities *******************************
+ */
+
+SECStatus
+lg_deleteTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle)
+{
+    SECItem *item;
+    PRBool rem;
+    PLHashTable *hashTable= lg_GetHashTable(sdb);
+
+    item = (SECItem *)PL_HashTableLookup(hashTable, (void *)handle);
+    rem = PL_HashTableRemove(hashTable,(void *)handle) ;
+    if (rem && item) {
+	SECITEM_FreeItem(item,PR_TRUE);
+    }
+    return rem ? SECSuccess : SECFailure;
+}
+
+/* must be called holding lg_DBLock(sdb) */
+static SECStatus
+lg_addTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle, SECItem *key)
+{
+    PLHashEntry *entry;
+    SECItem *item;
+    PLHashTable *hashTable= lg_GetHashTable(sdb);
+
+    item = SECITEM_DupItem(key);
+    if (item == NULL) {
+	return SECFailure;
+    }
+    entry = PL_HashTableAdd(hashTable,(void *)handle,item);
+    if (entry == NULL) {
+	SECITEM_FreeItem(item,PR_TRUE);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* must be called holding lg_DBLock(sdb) */
+const SECItem *
+lg_lookupTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle)
+{
+    PLHashTable *hashTable= lg_GetHashTable(sdb);
+    return (const SECItem *)PL_HashTableLookup(hashTable, (void *)handle);
+}
+
+
+static PRIntn
+lg_freeHashItem(PLHashEntry* entry, PRIntn index, void *arg)
+{
+    SECItem *item = (SECItem *)entry->value;
+
+    SECITEM_FreeItem(item, PR_TRUE);
+    return HT_ENUMERATE_NEXT;
+}
+
+CK_RV
+LG_ClearTokenKeyHashTable(SDB *sdb)
+{
+    PLHashTable *hashTable;
+    lg_DBLock(sdb);
+    hashTable= lg_GetHashTable(sdb);
+    PL_HashTableEnumerateEntries(hashTable, lg_freeHashItem, NULL);
+    lg_DBLock(sdb);
+    return CKR_OK;
+}
+
+/*
+ * handle Token Object stuff
+ */
+static void
+lg_XORHash(unsigned char *key, unsigned char *dbkey, int len)
+{
+   int i;
+
+   PORT_Memset(key, 0, 4);
+
+   for (i=0; i < len-4; i += 4) {
+	key[0] ^= dbkey[i];
+	key[1] ^= dbkey[i+1];
+	key[2] ^= dbkey[i+2];
+	key[3] ^= dbkey[i+3];
+   }
+}
+
+/* Make a token handle for an object and record it so we can find it again */
+CK_OBJECT_HANDLE
+lg_mkHandle(SDB *sdb, SECItem *dbKey, CK_OBJECT_HANDLE class)
+{
+    unsigned char hashBuf[4];
+    CK_OBJECT_HANDLE handle;
+    const SECItem *key;
+
+    handle = class;
+    /* there is only one KRL, use a fixed handle for it */
+    if (handle != LG_TOKEN_KRL_HANDLE) {
+	lg_XORHash(hashBuf,dbKey->data,dbKey->len);
+	handle = (hashBuf[0] << 24) | (hashBuf[1] << 16) | 
+					(hashBuf[2] << 8)  | hashBuf[3];
+	handle =  class | (handle & ~(LG_TOKEN_TYPE_MASK|LG_TOKEN_MASK));
+	/* we have a CRL who's handle has randomly matched the reserved KRL
+	 * handle, increment it */
+	if (handle == LG_TOKEN_KRL_HANDLE) {
+	    handle++;
+	}
+    }
+
+    lg_DBLock(sdb);
+    while ((key = lg_lookupTokenKeyByHandle(sdb,handle)) != NULL) {
+	if (SECITEM_ItemsAreEqual(key,dbKey)) {
+    	   lg_DBUnlock(sdb);
+	   return handle;
+	}
+	handle++;
+    }
+    lg_addTokenKeyByHandle(sdb,handle,dbKey);
+    lg_DBUnlock(sdb);
+    return handle;
+}
+
+PRBool
+lg_poisonHandle(SDB *sdb, SECItem *dbKey, CK_OBJECT_HANDLE class)
+{
+    unsigned char hashBuf[4];
+    CK_OBJECT_HANDLE handle;
+    const SECItem *key;
+
+    handle = class;
+    /* there is only one KRL, use a fixed handle for it */
+    if (handle != LG_TOKEN_KRL_HANDLE) {
+	lg_XORHash(hashBuf,dbKey->data,dbKey->len);
+	handle = (hashBuf[0] << 24) | (hashBuf[1] << 16) | 
+					(hashBuf[2] << 8)  | hashBuf[3];
+	handle = class | (handle & ~(LG_TOKEN_TYPE_MASK|LG_TOKEN_MASK));
+	/* we have a CRL who's handle has randomly matched the reserved KRL
+	 * handle, increment it */
+	if (handle == LG_TOKEN_KRL_HANDLE) {
+	    handle++;
+	}
+    }
+    lg_DBLock(sdb);
+    while ((key = lg_lookupTokenKeyByHandle(sdb,handle)) != NULL) {
+	if (SECITEM_ItemsAreEqual(key,dbKey)) {
+	   key->data[0] ^= 0x80;
+    	   lg_DBUnlock(sdb);
+	   return PR_TRUE;
+	}
+	handle++;
+    }
+    lg_DBUnlock(sdb);
+    return PR_FALSE;
+}
+
+static LGEncryptFunc lg_encrypt_stub = NULL;
+static LGDecryptFunc lg_decrypt_stub = NULL;
+
+void
+legacy_SetCryptFunctions(LGEncryptFunc enc, LGDecryptFunc dec)
+{
+   lg_encrypt_stub = enc;
+   lg_decrypt_stub = dec;
+}
+
+SECStatus lg_util_encrypt(PLArenaPool *arena, SDB *sdb, 
+			  SECItem *plainText, SECItem **cipherText)
+{
+    if (lg_encrypt_stub == NULL) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    return (*lg_encrypt_stub)(arena, sdb, plainText, cipherText);
+}
+
+SECStatus lg_util_decrypt(SDB *sdb, SECItem *cipherText, SECItem **plainText)
+{
+    if (lg_decrypt_stub == NULL) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    return (*lg_decrypt_stub)(sdb, cipherText, plainText);
+}
+
+

mozilla/security/nss/lib/softoken/legacydb/lowcert.c

@@ -0,0 +1,824 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Certificate handling code
+ *
+ * $Id: lowcert.c,v 1.1.2.2 2007-05-15 21:59:52 rrelyea%redhat.com Exp $
+ */
+
+#include "seccomon.h"
+#include "secder.h"
+#include "nssilock.h"
+#include "lowkeyi.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "secerr.h"
+#include "pcert.h"
+
+static const SEC_ASN1Template nsslowcert_SubjectPublicKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWCERTSubjectPublicKeyInfo) },
+    { SEC_ASN1_INLINE, offsetof(NSSLOWCERTSubjectPublicKeyInfo,algorithm),
+          SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_BIT_STRING,
+          offsetof(NSSLOWCERTSubjectPublicKeyInfo,subjectPublicKey), },
+    { 0, }
+};
+
+static const SEC_ASN1Template nsslowcert_RSAPublicKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPublicKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.rsa.modulus), },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.rsa.publicExponent), },
+    { 0, }
+};
+static const SEC_ASN1Template nsslowcert_DSAPublicKeyTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.dsa.publicValue), },
+    { 0, }
+};
+static const SEC_ASN1Template nsslowcert_DHPublicKeyTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.dh.publicValue), },
+    { 0, }
+};
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+
+static void
+prepare_low_rsa_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
+{
+    pubk->u.rsa.modulus.type = siUnsignedInteger;
+    pubk->u.rsa.publicExponent.type = siUnsignedInteger;
+}
+
+static void
+prepare_low_dsa_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
+{
+    pubk->u.dsa.publicValue.type = siUnsignedInteger;
+    pubk->u.dsa.params.prime.type = siUnsignedInteger;
+    pubk->u.dsa.params.subPrime.type = siUnsignedInteger;
+    pubk->u.dsa.params.base.type = siUnsignedInteger;
+}
+
+static void
+prepare_low_dh_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
+{
+    pubk->u.dh.prime.type = siUnsignedInteger;
+    pubk->u.dh.base.type = siUnsignedInteger;
+    pubk->u.dh.publicValue.type = siUnsignedInteger;
+}
+
+/*
+ * simple cert decoder to avoid the cost of asn1 engine
+ */ 
+static unsigned char *
+nsslowcert_dataStart(unsigned char *buf, unsigned int length, 
+			unsigned int *data_length, PRBool includeTag,
+                        unsigned char* rettag) {
+    unsigned char tag;
+    unsigned int used_length= 0;
+
+    tag = buf[used_length++];
+
+    if (rettag) {
+        *rettag = tag;
+    }
+
+    /* blow out when we come to the end */
+    if (tag == 0) {
+	return NULL;
+    }
+
+    *data_length = buf[used_length++];
+
+    if (*data_length&0x80) {
+	int  len_count = *data_length & 0x7f;
+
+	*data_length = 0;
+
+	while (len_count-- > 0) {
+	    *data_length = (*data_length << 8) | buf[used_length++];
+	} 
+    }
+
+    if (*data_length > (length-used_length) ) {
+	*data_length = length-used_length;
+	return NULL;
+    }
+    if (includeTag) *data_length += used_length;
+
+    return (buf + (includeTag ? 0 : used_length));	
+}
+
+static void SetTimeType(SECItem* item, unsigned char tagtype)
+{
+    switch (tagtype) {
+        case SEC_ASN1_UTC_TIME:
+            item->type = siUTCTime;
+            break;
+
+        case SEC_ASN1_GENERALIZED_TIME:
+            item->type = siGeneralizedTime;
+            break;
+
+        default:
+            PORT_Assert(0);
+            break;
+    }
+}
+
+static int
+nsslowcert_GetValidityFields(unsigned char *buf,int buf_length,
+	SECItem *notBefore, SECItem *notAfter)
+{
+    unsigned char tagtype;
+    notBefore->data = nsslowcert_dataStart(buf,buf_length,
+						&notBefore->len,PR_FALSE, &tagtype);
+    if (notBefore->data == NULL) return SECFailure;
+    SetTimeType(notBefore, tagtype);
+    buf_length -= (notBefore->data-buf) + notBefore->len;
+    buf = notBefore->data + notBefore->len;
+    notAfter->data = nsslowcert_dataStart(buf,buf_length,
+						&notAfter->len,PR_FALSE, &tagtype);
+    if (notAfter->data == NULL) return SECFailure;
+    SetTimeType(notAfter, tagtype);
+    return SECSuccess;
+}
+
+static int
+nsslowcert_GetCertFields(unsigned char *cert,int cert_length,
+	SECItem *issuer, SECItem *serial, SECItem *derSN, SECItem *subject,
+	SECItem *valid, SECItem *subjkey, SECItem *extensions)
+{
+    unsigned char *buf;
+    unsigned int buf_length;
+    unsigned char *dummy;
+    unsigned int dummylen;
+
+    /* get past the signature wrap */
+    buf = nsslowcert_dataStart(cert,cert_length,&buf_length,PR_FALSE, NULL);
+    if (buf == NULL) return SECFailure;
+    /* get into the raw cert data */
+    buf = nsslowcert_dataStart(buf,buf_length,&buf_length,PR_FALSE, NULL);
+    if (buf == NULL) return SECFailure;
+    /* skip past any optional version number */
+    if ((buf[0] & 0xa0) == 0xa0) {
+	dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE, NULL);
+	if (dummy == NULL) return SECFailure;
+	buf_length -= (dummy-buf) + dummylen;
+	buf = dummy + dummylen;
+    }
+    /* serial number */
+    if (derSN) {
+	derSN->data=nsslowcert_dataStart(buf,buf_length,&derSN->len,PR_TRUE, NULL);
+    }
+    serial->data = nsslowcert_dataStart(buf,buf_length,&serial->len,PR_FALSE, NULL);
+    if (serial->data == NULL) return SECFailure;
+    buf_length -= (serial->data-buf) + serial->len;
+    buf = serial->data + serial->len;
+    /* skip the OID */
+    dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE, NULL);
+    if (dummy == NULL) return SECFailure;
+    buf_length -= (dummy-buf) + dummylen;
+    buf = dummy + dummylen;
+    /* issuer */
+    issuer->data = nsslowcert_dataStart(buf,buf_length,&issuer->len,PR_TRUE, NULL);
+    if (issuer->data == NULL) return SECFailure;
+    buf_length -= (issuer->data-buf) + issuer->len;
+    buf = issuer->data + issuer->len;
+
+    /* only wanted issuer/SN */
+    if (valid == NULL) {
+	return SECSuccess;
+    }
+    /* validity */
+    valid->data = nsslowcert_dataStart(buf,buf_length,&valid->len,PR_FALSE, NULL);
+    if (valid->data == NULL) return SECFailure;
+    buf_length -= (valid->data-buf) + valid->len;
+    buf = valid->data + valid->len;
+    /*subject */
+    subject->data=nsslowcert_dataStart(buf,buf_length,&subject->len,PR_TRUE, NULL);
+    if (subject->data == NULL) return SECFailure;
+    buf_length -= (subject->data-buf) + subject->len;
+    buf = subject->data + subject->len;
+    /* subject  key info */
+    subjkey->data=nsslowcert_dataStart(buf,buf_length,&subjkey->len,PR_TRUE, NULL);
+    if (subjkey->data == NULL) return SECFailure;
+    buf_length -= (subjkey->data-buf) + subjkey->len;
+    buf = subjkey->data + subjkey->len;
+
+    extensions->data = NULL;
+    extensions->len = 0;
+    while (buf_length > 0) {
+	/* EXTENSIONS */
+	if (buf[0] == 0xa3) {
+	    extensions->data = nsslowcert_dataStart(buf,buf_length, 
+					&extensions->len, PR_FALSE, NULL);
+	    break;
+	}
+	dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE,NULL);
+	if (dummy == NULL) return SECFailure;
+	buf_length -= (dummy - buf) + dummylen;
+	buf = dummy + dummylen;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+nsslowcert_GetCertTimes(NSSLOWCERTCertificate *c, PRTime *notBefore, PRTime *notAfter)
+{
+    int rv;
+    NSSLOWCERTValidity validity;
+
+    rv = nsslowcert_GetValidityFields(c->validity.data,c->validity.len,
+				&validity.notBefore,&validity.notAfter);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+    
+    /* convert DER not-before time */
+    rv = DER_DecodeTimeChoice(notBefore, &validity.notBefore);
+    if (rv) {
+        return(SECFailure);
+    }
+    
+    /* convert DER not-after time */
+    rv = DER_DecodeTimeChoice(notAfter, &validity.notAfter);
+    if (rv) {
+        return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+/*
+ * is certa newer than certb?  If one is expired, pick the other one.
+ */
+PRBool
+nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb)
+{
+    PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now;
+    SECStatus rv;
+    PRBool newerbefore, newerafter;
+    
+    rv = nsslowcert_GetCertTimes(certa, &notBeforeA, &notAfterA);
+    if ( rv != SECSuccess ) {
+	return(PR_FALSE);
+    }
+    
+    rv = nsslowcert_GetCertTimes(certb, &notBeforeB, &notAfterB);
+    if ( rv != SECSuccess ) {
+	return(PR_TRUE);
+    }
+
+    newerbefore = PR_FALSE;
+    if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
+	newerbefore = PR_TRUE;
+    }
+
+    newerafter = PR_FALSE;
+    if ( LL_CMP(notAfterA, >, notAfterB) ) {
+	newerafter = PR_TRUE;
+    }
+    
+    if ( newerbefore && newerafter ) {
+	return(PR_TRUE);
+    }
+    
+    if ( ( !newerbefore ) && ( !newerafter ) ) {
+	return(PR_FALSE);
+    }
+
+    /* get current time */
+    now = PR_Now();
+
+    if ( newerbefore ) {
+	/* cert A was issued after cert B, but expires sooner */
+	/* if A is expired, then pick B */
+	if ( LL_CMP(notAfterA, <, now ) ) {
+	    return(PR_FALSE);
+	}
+	return(PR_TRUE);
+    } else {
+	/* cert B was issued after cert A, but expires sooner */
+	/* if B is expired, then pick A */
+	if ( LL_CMP(notAfterB, <, now ) ) {
+	    return(PR_TRUE);
+	}
+	return(PR_FALSE);
+    }
+}
+
+#define SOFT_DEFAULT_CHUNKSIZE 2048
+
+static SECStatus
+nsslowcert_KeyFromIssuerAndSN(PRArenaPool *arena, 
+			      SECItem *issuer, SECItem *sn, SECItem *key)
+{
+    unsigned int len = sn->len + issuer->len;
+
+    if (!arena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	goto loser;
+    }
+    key->data = (unsigned char*)PORT_ArenaAlloc(arena, len);
+    if ( !key->data ) {
+	goto loser;
+    }
+
+    key->len = len;
+    /* copy the serialNumber */
+    PORT_Memcpy(key->data, sn->data, sn->len);
+
+    /* copy the issuer */
+    PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+static SECStatus
+nsslowcert_KeyFromIssuerAndSNStatic(unsigned char *space,
+	int spaceLen, SECItem *issuer, SECItem *sn, SECItem *key)
+{
+    unsigned int len = sn->len + issuer->len;
+
+    key->data = pkcs11_allocStaticData(len, space, spaceLen);
+    if ( !key->data ) {
+	goto loser;
+    }
+
+    key->len = len;
+    /* copy the serialNumber */
+    PORT_Memcpy(key->data, sn->data, sn->len);
+
+    /* copy the issuer */
+    PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+
+static char *
+nsslowcert_EmailName(SECItem *derDN, char *space, unsigned int len)
+{
+    unsigned char *buf;
+    unsigned int buf_length;
+
+    /* unwrap outer sequence */
+    buf=nsslowcert_dataStart(derDN->data,derDN->len,&buf_length,PR_FALSE,NULL);
+    if (buf == NULL) return NULL;
+
+    /* Walk each RDN */
+    while (buf_length > 0) {
+	unsigned char *rdn;
+	unsigned int rdn_length;
+
+	/* grab next rdn */
+	rdn=nsslowcert_dataStart(buf, buf_length, &rdn_length, PR_FALSE, NULL);
+	if (rdn == NULL) { return NULL; }
+	buf_length -= (rdn - buf) + rdn_length;
+	buf = rdn+rdn_length;
+
+	while (rdn_length > 0) {
+	    unsigned char *ava;
+	    unsigned int ava_length;
+	    unsigned char *oid;
+	    unsigned int oid_length;
+	    unsigned char *name;
+	    unsigned int name_length;
+	    SECItem oidItem;
+	    SECOidTag type;
+
+	    /* unwrap the ava */
+	    ava=nsslowcert_dataStart(rdn, rdn_length, &ava_length, PR_FALSE, 
+					NULL);
+	    if (ava == NULL) return NULL;
+	    rdn_length -= (ava-rdn)+ava_length;
+	    rdn = ava + ava_length;
+
+	    oid=nsslowcert_dataStart(ava, ava_length, &oid_length, PR_FALSE, 
+					NULL);
+	    if (oid == NULL) { return NULL; }
+	    ava_length -= (oid-ava)+oid_length;
+	    ava = oid+oid_length;
+
+	    name=nsslowcert_dataStart(ava, ava_length, &name_length, PR_FALSE, 
+					NULL);
+	    if (oid == NULL) { return NULL; }
+	    ava_length -= (name-ava)+name_length;
+	    ava = name+name_length;
+
+	    oidItem.data = oid;
+	    oidItem.len = oid_length;
+	    type = SECOID_FindOIDTag(&oidItem);
+	    if ((type == SEC_OID_PKCS9_EMAIL_ADDRESS) || 
+					(type == SEC_OID_RFC1274_MAIL)) {
+		/* Email is supposed to be IA5String, so no 
+		 * translation necessary */
+		char *emailAddr;
+		emailAddr = (char *)pkcs11_copyStaticData(name,name_length+1,
+					(unsigned char *)space,len);
+		if (emailAddr) {
+		    emailAddr[name_length] = 0;
+		}
+		return emailAddr;
+	    }
+	}
+    }
+    return NULL;
+}
+
+static char *
+nsslowcert_EmailAltName(NSSLOWCERTCertificate *cert, char *space, 
+			unsigned int len)
+{
+    unsigned char *exts;
+    unsigned int exts_length;
+
+    /* unwrap the sequence */
+    exts = nsslowcert_dataStart(cert->extensions.data, cert->extensions.len,
+				 &exts_length, PR_FALSE, NULL);
+    /* loop through extension */
+    while (exts && exts_length > 0) {
+	unsigned char * ext;
+	unsigned int ext_length;
+	unsigned char *oid;	
+	unsigned int oid_length;
+	unsigned char *nameList;
+	unsigned int nameList_length;
+	SECItem oidItem;
+	SECOidTag type;
+
+	ext = nsslowcert_dataStart(exts, exts_length, &ext_length, 
+					PR_FALSE, NULL);
+	if (ext == NULL) { break; }
+	exts_length -= (ext - exts) + ext_length;
+	exts = ext+ext_length;
+
+	oid=nsslowcert_dataStart(ext, ext_length, &oid_length, PR_FALSE, NULL);
+	if (oid == NULL) { break; }
+	ext_length -= (oid - ext) + oid_length;
+	ext = oid+oid_length;
+	oidItem.data = oid;
+	oidItem.len = oid_length;
+	type = SECOID_FindOIDTag(&oidItem);
+
+	/* get Alt Extension */
+	if (type != SEC_OID_X509_SUBJECT_ALT_NAME) {
+		continue;
+	}
+
+	/* skip passed the critical flag */
+	if (ext[0] == 0x01) { /* BOOLEAN */
+	    unsigned char *dummy;
+	    unsigned int dummy_length;
+	    dummy = nsslowcert_dataStart(ext, ext_length, &dummy_length, 
+					PR_FALSE, NULL);
+	    if (dummy == NULL) { break; } 
+	    ext_length -= (dummy - ext) + dummy_length;
+	    ext = dummy+dummy_length;
+	}
+
+	   
+	/* unwrap the name list */ 
+	nameList = nsslowcert_dataStart(ext, ext_length, &nameList_length, 
+					PR_FALSE, NULL);
+	if (nameList == NULL) { break; }
+	ext_length -= (nameList - ext) + nameList_length;
+	ext = nameList+nameList_length;
+	nameList = nsslowcert_dataStart(nameList, nameList_length,
+					&nameList_length, PR_FALSE, NULL);
+	/* loop through the name list */
+	while (nameList && nameList_length > 0) {
+	    unsigned char *thisName;
+	    unsigned int thisName_length;
+
+	    thisName = nsslowcert_dataStart(nameList, nameList_length,
+					&thisName_length, PR_FALSE, NULL);
+	    if (thisName == NULL) { break; }
+	    if (nameList[0] == 0xa2) { /* DNS Name */
+		SECItem dn;
+	        char *emailAddr;
+
+		dn.data = thisName;
+		dn.len = thisName_length;
+		emailAddr = nsslowcert_EmailName(&dn, space, len);
+		if (emailAddr) {
+		    return emailAddr;
+		}
+	    }
+	    if (nameList[0] == 0x81) { /* RFC 822name */
+		char *emailAddr;
+		emailAddr = (char *)pkcs11_copyStaticData(thisName,
+			thisName_length+1, (unsigned char *)space,len);
+		if (emailAddr) {
+		    emailAddr[thisName_length] = 0;
+		}
+		return emailAddr;
+	    }
+	    nameList_length -= (thisName-nameList) + thisName_length;
+	    nameList = thisName + thisName_length;
+	}
+	break;
+    }
+    return NULL;
+}
+
+static char *
+nsslowcert_GetCertificateEmailAddress(NSSLOWCERTCertificate *cert)
+{
+    char *emailAddr = NULL;
+    char *str;
+
+    emailAddr = nsslowcert_EmailName(&cert->derSubject,cert->emailAddrSpace,
+					sizeof(cert->emailAddrSpace));
+    /* couldn't find the email address in the DN, check the subject Alt name */
+    if (!emailAddr && cert->extensions.data) {
+	emailAddr = nsslowcert_EmailAltName(cert, cert->emailAddrSpace,
+					sizeof(cert->emailAddrSpace));
+    }
+
+
+    /* make it lower case */
+    str = emailAddr;
+    while ( str && *str ) {
+	*str = tolower( *str );
+	str++;
+    }
+    return emailAddr;
+
+}
+
+/*
+ * take a DER certificate and decode it into a certificate structure
+ */
+NSSLOWCERTCertificate *
+nsslowcert_DecodeDERCertificate(SECItem *derSignedCert, char *nickname)
+{
+    NSSLOWCERTCertificate *cert;
+    int rv;
+
+    /* allocate the certificate structure */
+    cert = nsslowcert_CreateCert();
+    
+    if ( !cert ) {
+	goto loser;
+    }
+    
+	/* point to passed in DER data */
+    cert->derCert = *derSignedCert;
+    cert->nickname = NULL;
+    cert->certKey.data = NULL;
+    cert->referenceCount = 1;
+
+    /* decode the certificate info */
+    rv = nsslowcert_GetCertFields(cert->derCert.data, cert->derCert.len,
+	&cert->derIssuer, &cert->serialNumber, &cert->derSN, &cert->derSubject,
+	&cert->validity, &cert->derSubjKeyInfo, &cert->extensions);
+
+    /* cert->subjectKeyID;	 x509v3 subject key identifier */
+    cert->subjectKeyID.data = NULL;
+    cert->subjectKeyID.len = 0;
+    cert->dbEntry = NULL;
+    cert ->trust = NULL;
+    cert ->dbhandle = NULL;
+
+    /* generate and save the database key for the cert */
+    rv = nsslowcert_KeyFromIssuerAndSNStatic(cert->certKeySpace,
+		sizeof(cert->certKeySpace), &cert->derIssuer, 
+		&cert->serialNumber, &cert->certKey);
+    if ( rv ) {
+	goto loser;
+    }
+
+    /* set the nickname */
+    if ( nickname == NULL ) {
+	cert->nickname = NULL;
+    } else {
+	/* copy and install the nickname */
+	cert->nickname = pkcs11_copyNickname(nickname,cert->nicknameSpace,
+				sizeof(cert->nicknameSpace));
+    }
+
+#ifdef FIXME
+    /* initialize the subjectKeyID */
+    rv = cert_GetKeyID(cert);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+#endif
+
+    /* set the email address */
+    cert->emailAddr = nsslowcert_GetCertificateEmailAddress(cert);
+    
+    
+    cert->referenceCount = 1;
+    
+    return(cert);
+    
+loser:
+    if (cert) {
+	nsslowcert_DestroyCertificate(cert);
+    }
+    
+    return(0);
+}
+
+char *
+nsslowcert_FixupEmailAddr(char *emailAddr)
+{
+    char *retaddr;
+    char *str;
+
+    if ( emailAddr == NULL ) {
+	return(NULL);
+    }
+    
+    /* copy the string */
+    str = retaddr = PORT_Strdup(emailAddr);
+    if ( str == NULL ) {
+	return(NULL);
+    }
+    
+    /* make it lower case */
+    while ( *str ) {
+	*str = tolower( *str );
+	str++;
+    }
+    
+    return(retaddr);
+}
+
+
+/*
+ * Generate a database key, based on serial number and issuer, from a
+ * DER certificate.
+ */
+SECStatus
+nsslowcert_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key)
+{
+    int rv;
+    NSSLOWCERTCertKey certkey;
+
+    PORT_Memset(&certkey, 0, sizeof(NSSLOWCERTCertKey));    
+
+    rv = nsslowcert_GetCertFields(derCert->data, derCert->len,
+	&certkey.derIssuer, &certkey.serialNumber, NULL, NULL, 
+	NULL, NULL, NULL);
+
+    if ( rv ) {
+	goto loser;
+    }
+
+    return(nsslowcert_KeyFromIssuerAndSN(arena, &certkey.derIssuer,
+				   &certkey.serialNumber, key));
+loser:
+    return(SECFailure);
+}
+
+NSSLOWKEYPublicKey *
+nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *cert)
+{
+    NSSLOWCERTSubjectPublicKeyInfo spki;
+    NSSLOWKEYPublicKey *pubk;
+    SECItem os;
+    SECStatus rv;
+    PRArenaPool *arena;
+    SECOidTag tag;
+    SECItem newDerSubjKeyInfo;
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+        return NULL;
+
+    pubk = (NSSLOWKEYPublicKey *) 
+		PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYPublicKey));
+    if (pubk == NULL) {
+        PORT_FreeArena (arena, PR_FALSE);
+        return NULL;
+    }
+
+    pubk->arena = arena;
+    PORT_Memset(&spki,0,sizeof(spki));
+
+    /* copy the DER into the arena, since Quick DER returns data that points
+       into the DER input, which may get freed by the caller */
+    rv = SECITEM_CopyItem(arena, &newDerSubjKeyInfo, &cert->derSubjKeyInfo);
+    if ( rv != SECSuccess ) {
+        PORT_FreeArena (arena, PR_FALSE);
+        return NULL;
+    }
+
+    /* we haven't bothered decoding the spki struct yet, do it now */
+    rv = SEC_QuickDERDecodeItem(arena, &spki, 
+		nsslowcert_SubjectPublicKeyInfoTemplate, &newDerSubjKeyInfo);
+    if (rv != SECSuccess) {
+ 	PORT_FreeArena (arena, PR_FALSE);
+ 	return NULL;
+    }
+
+    /* Convert bit string length from bits to bytes */
+    os = spki.subjectPublicKey;
+    DER_ConvertBitString (&os);
+
+    tag = SECOID_GetAlgorithmTag(&spki.algorithm);
+    switch ( tag ) {
+      case SEC_OID_X500_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+        pubk->keyType = NSSLOWKEYRSAKey;
+        prepare_low_rsa_pub_key_for_asn1(pubk);
+        rv = SEC_QuickDERDecodeItem(arena, pubk, 
+				nsslowcert_RSAPublicKeyTemplate, &os);
+        if (rv == SECSuccess)
+            return pubk;
+        break;
+      case SEC_OID_ANSIX9_DSA_SIGNATURE:
+        pubk->keyType = NSSLOWKEYDSAKey;
+        prepare_low_dsa_pub_key_for_asn1(pubk);
+        rv = SEC_QuickDERDecodeItem(arena, pubk,
+				 nsslowcert_DSAPublicKeyTemplate, &os);
+        if (rv == SECSuccess) return pubk;
+        break;
+      case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+        pubk->keyType = NSSLOWKEYDHKey;
+        prepare_low_dh_pub_key_for_asn1(pubk);
+        rv = SEC_QuickDERDecodeItem(arena, pubk,
+				 nsslowcert_DHPublicKeyTemplate, &os);
+        if (rv == SECSuccess) return pubk;
+        break;
+#ifdef NSS_ENABLE_ECC
+      case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+        pubk->keyType = NSSLOWKEYECKey;
+	/* Since PKCS#11 directly takes the DER encoding of EC params
+	 * and public value, we don't need any decoding here.
+	 */
+        rv = SECITEM_CopyItem(arena, &pubk->u.ec.ecParams.DEREncoding, 
+	    &spki.algorithm.parameters);
+        if ( rv != SECSuccess )
+            break;	
+
+	/* Fill out the rest of the ecParams structure 
+	 * based on the encoded params
+	 */
+	if (LGEC_FillParams(arena, &pubk->u.ec.ecParams.DEREncoding,
+	    &pubk->u.ec.ecParams) != SECSuccess) 
+	    break;
+
+        rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &os);
+	if (rv == SECSuccess) return pubk;
+        break;
+#endif /* NSS_ENABLE_ECC */
+      default:
+        rv = SECFailure;
+        break;
+    }
+
+    nsslowkey_DestroyPublicKey (pubk);
+    return NULL;
+}
+

mozilla/security/nss/lib/softoken/legacydb/lowkey.c

@@ -0,0 +1,462 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "lowkeyi.h" 
+#include "secoid.h" 
+#include "secitem.h"
+#include "secder.h" 
+#include "secasn1.h"
+#include "secerr.h" 
+
+static const SEC_ASN1Template nsslowkey_AttributeTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 
+	0, NULL, sizeof(NSSLOWKEYAttribute) },
+    { SEC_ASN1_OBJECT_ID, offsetof(NSSLOWKEYAttribute, attrType) },
+    { SEC_ASN1_SET_OF, offsetof(NSSLOWKEYAttribute, attrValue), 
+	SEC_AnyTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template nsslowkey_SetOfAttributeTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, nsslowkey_AttributeTemplate },
+};
+/* ASN1 Templates for new decoder/encoder */
+const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) },
+    { SEC_ASN1_INTEGER,
+	offsetof(NSSLOWKEYPrivateKeyInfo,version) },
+    { SEC_ASN1_INLINE,
+	offsetof(NSSLOWKEYPrivateKeyInfo,algorithm),
+	SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_OCTET_STRING,
+	offsetof(NSSLOWKEYPrivateKeyInfo,privateKey) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(NSSLOWKEYPrivateKeyInfo, attributes),
+	nsslowkey_SetOfAttributeTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_PQGParamsTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,prime) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,subPrime) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,base) },
+    { 0, }
+};
+
+const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.version) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.modulus) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.publicExponent) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.privateExponent) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime1) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime2) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent1) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent2) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.coefficient) },
+    { 0 }                                                                     
+};                                                                            
+
+
+const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.publicValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) },
+    { 0, }
+};
+
+const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) },
+};
+
+const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.publicValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.privateValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.base) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.prime) },
+    { 0, }
+};
+
+#ifdef NSS_ENABLE_ECC
+
+/* XXX This is just a placeholder for later when we support
+ * generic curves and need full-blown support for parsing EC
+ * parameters. For now, we only support named curves in which
+ * EC params are simply encoded as an object ID and we don't
+ * use nsslowkey_ECParamsTemplate.
+ */
+const SEC_ASN1Template nsslowkey_ECParamsTemplate[] = {
+    { SEC_ASN1_CHOICE, offsetof(ECParams,type), NULL, sizeof(ECParams) },
+    { SEC_ASN1_OBJECT_ID, offsetof(ECParams,curveOID), NULL, ec_params_named },
+    { 0, }
+};
+
+
+/* NOTE: The SECG specification allows the private key structure
+ * to contain curve parameters but recommends that they be stored
+ * in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
+ * instead.
+ */
+const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.ec.version) },
+    { SEC_ASN1_OCTET_STRING, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.privateValue) },
+    /* XXX The following template works for now since we only
+     * support named curves for which the parameters are
+     * encoded as an object ID. When we support generic curves,
+     * we'll need to define nsslowkey_ECParamsTemplate
+     */
+#if 1
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.ecParams.curveOID), 
+      SEC_ObjectIDTemplate }, 
+#else
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.ecParams), 
+      nsslowkey_ECParamsTemplate }, 
+#endif
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.publicValue),
+      SEC_BitStringTemplate }, 
+    { 0, }
+};
+
+
+/*
+ * smaller version of EC_FillParams. In this code, we only need
+ * oid and DER data.
+ */
+SECStatus
+LGEC_FillParams(PRArenaPool *arena, const SECItem *encodedParams, 
+    ECParams *params)
+{
+    SECOidTag tag;
+    SECItem oid = { siBuffer, NULL, 0};
+
+#if EC_DEBUG
+    int i;
+
+    printf("Encoded params in EC_DecodeParams: ");
+    for (i = 0; i < encodedParams->len; i++) {
+	    printf("%02x:", encodedParams->data[i]);
+    }
+    printf("\n");
+#endif
+
+    oid.len = encodedParams->len - 2;
+    oid.data = encodedParams->data + 2;
+    if ((encodedParams->data[0] != SEC_ASN1_OBJECT_ID) ||
+	((tag = SECOID_FindOIDTag(&oid)) == SEC_OID_UNKNOWN)) { 
+	    PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+	    return SECFailure;
+    }
+
+    params->arena = arena;
+
+    /* For named curves, fill out curveOID */
+    params->curveOID.len = oid.len;
+    params->curveOID.data = (unsigned char *) PORT_ArenaAlloc(arena, oid.len);
+    if (params->curveOID.data == NULL)  {
+	return SECFailure;
+    }
+    memcpy(params->curveOID.data, oid.data, oid.len);
+
+    return SECSuccess;
+}
+
+/* Copy all of the fields from srcParams into dstParams
+ */
+SECStatus
+LGEC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
+	      const ECParams *srcParams)
+{
+    SECStatus rv = SECFailure;
+
+    dstParams->arena = arena;
+    rv = SECITEM_CopyItem(arena, &dstParams->DEREncoding,
+				 &srcParams->DEREncoding);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv =SECITEM_CopyItem(arena, &dstParams->curveOID,
+				&srcParams->curveOID);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    return SECSuccess;
+
+loser:
+    return SECFailure;
+}
+#endif /* NSS_ENABLE_ECC */
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+
+void
+prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.rsa.modulus.type = siUnsignedInteger;
+    key->u.rsa.publicExponent.type = siUnsignedInteger;
+    key->u.rsa.privateExponent.type = siUnsignedInteger;
+    key->u.rsa.prime1.type = siUnsignedInteger;
+    key->u.rsa.prime2.type = siUnsignedInteger;
+    key->u.rsa.exponent1.type = siUnsignedInteger;
+    key->u.rsa.exponent2.type = siUnsignedInteger;
+    key->u.rsa.coefficient.type = siUnsignedInteger;
+}
+
+void
+prepare_low_pqg_params_for_asn1(PQGParams *params)
+{
+    params->prime.type = siUnsignedInteger;
+    params->subPrime.type = siUnsignedInteger;
+    params->base.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dsa.publicValue.type = siUnsignedInteger;
+    key->u.dsa.privateValue.type = siUnsignedInteger;
+    key->u.dsa.params.prime.type = siUnsignedInteger;
+    key->u.dsa.params.subPrime.type = siUnsignedInteger;
+    key->u.dsa.params.base.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dsa.privateValue.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dh.prime.type = siUnsignedInteger;
+    key->u.dh.base.type = siUnsignedInteger;
+    key->u.dh.publicValue.type = siUnsignedInteger;
+    key->u.dh.privateValue.type = siUnsignedInteger;
+}
+
+#ifdef NSS_ENABLE_ECC
+void
+prepare_low_ecparams_for_asn1(ECParams *params)
+{
+    params->DEREncoding.type = siUnsignedInteger;
+    params->curveOID.type = siUnsignedInteger;
+}
+
+void
+prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.ec.version.type = siUnsignedInteger;
+    key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
+    key->u.ec.ecParams.curveOID.type = siUnsignedInteger;
+    key->u.ec.privateValue.type = siUnsignedInteger;
+    key->u.ec.publicValue.type = siUnsignedInteger;
+}
+#endif /* NSS_ENABLE_ECC */
+
+void
+nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
+{
+    if (privk && privk->arena) {
+	PORT_FreeArena(privk->arena, PR_TRUE);
+    }
+}
+
+void
+nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk)
+{
+    if (pubk && pubk->arena) {
+	PORT_FreeArena(pubk->arena, PR_FALSE);
+    }
+}
+unsigned
+nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
+{
+    unsigned char b0;
+
+    /* interpret modulus length as key strength... in
+     * fortezza that's the public key length */
+
+    switch (pubk->keyType) {
+    case NSSLOWKEYRSAKey:
+    	b0 = pubk->u.rsa.modulus.data[0];
+    	return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
+    default:
+	break;
+    }
+    return 0;
+}
+
+unsigned
+nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privk)
+{
+
+    unsigned char b0;
+
+    switch (privk->keyType) {
+    case NSSLOWKEYRSAKey:
+	b0 = privk->u.rsa.modulus.data[0];
+	return b0 ? privk->u.rsa.modulus.len : privk->u.rsa.modulus.len - 1;
+    default:
+	break;
+    }
+    return 0;
+}
+
+NSSLOWKEYPublicKey *
+nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
+{
+    NSSLOWKEYPublicKey *pubk;
+    PLArenaPool *arena;
+
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+        PORT_SetError (SEC_ERROR_NO_MEMORY);
+        return NULL;
+    }
+
+    switch(privk->keyType) {
+      case NSSLOWKEYRSAKey:
+      case NSSLOWKEYNullKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						sizeof (NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    if (privk->keyType == NSSLOWKEYNullKey) return pubk;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.rsa.modulus,
+				  &privk->u.rsa.modulus);
+	    if (rv == SECSuccess) {
+		rv = SECITEM_CopyItem (arena, &pubk->u.rsa.publicExponent,
+				       &privk->u.rsa.publicExponent);
+		if (rv == SECSuccess)
+		    return pubk;
+	    }
+	} else {
+	    PORT_SetError (SEC_ERROR_NO_MEMORY);
+	}
+	break;
+      case NSSLOWKEYDSAKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						    sizeof(NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue,
+				  &privk->u.dsa.publicValue);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
+				  &privk->u.dsa.params.prime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
+				  &privk->u.dsa.params.subPrime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
+				  &privk->u.dsa.params.base);
+	    if (rv == SECSuccess) return pubk;
+	}
+	break;
+      case NSSLOWKEYDHKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						    sizeof(NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue,
+				  &privk->u.dh.publicValue);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.prime,
+				  &privk->u.dh.prime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
+				  &privk->u.dh.base);
+	    if (rv == SECSuccess) return pubk;
+	}
+	break;
+#ifdef NSS_ENABLE_ECC
+      case NSSLOWKEYECKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						    sizeof(NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue,
+				  &privk->u.ec.publicValue);
+	    if (rv != SECSuccess) break;
+	    pubk->u.ec.ecParams.arena = arena;
+	    /* Copy the rest of the params */
+	    rv = LGEC_CopyParams(arena, &(pubk->u.ec.ecParams),
+			       &(privk->u.ec.ecParams));
+	    if (rv == SECSuccess) return pubk;
+	}
+	break;
+#endif /* NSS_ENABLE_ECC */
+	/* No Fortezza in Low Key implementations (Fortezza keys aren't
+	 * stored in our data base */
+    default:
+	break;
+    }
+
+    PORT_FreeArena (arena, PR_FALSE);
+    return NULL;
+}
+

mozilla/security/nss/lib/softoken/legacydb/lowkeyi.h

@@ -0,0 +1,198 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id: lowkeyi.h,v 1.1.2.1 2007-04-03 22:50:02 rrelyea%redhat.com Exp $ */
+
+#ifndef _LOWKEYI_H_
+#define _LOWKEYI_H_
+
+#include "prtypes.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "pcertt.h"
+#include "lowkeyti.h"
+#include "sdb.h" 
+
+SEC_BEGIN_PROTOS
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+extern void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_pqg_params_for_asn1(PQGParams *params);
+extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+#ifdef NSS_ENABLE_ECC
+extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_ecparams_for_asn1(ECParams *params);
+#endif /* NSS_ENABLE_ECC */
+
+typedef char * (* NSSLOWKEYDBNameFunc)(void *arg, int dbVersion);
+    
+/*
+** Open a key database.
+*/
+extern NSSLOWKEYDBHandle *nsslowkey_OpenKeyDB(PRBool readOnly,
+					   const char *domain,
+					   const char *prefix,
+					   NSSLOWKEYDBNameFunc namecb,
+					   void *cbarg);
+
+/*
+** Close the specified key database.
+*/
+extern void nsslowkey_CloseKeyDB(NSSLOWKEYDBHandle *handle);
+
+/*
+ * Get the version number of the database
+ */
+extern int nsslowkey_GetKeyDBVersion(NSSLOWKEYDBHandle *handle);
+
+/*
+** Delete a key from the database
+*/
+extern SECStatus nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle, 
+				  const SECItem *pubkey);
+
+/*
+** Store a key in the database, indexed by its public key modulus.
+**	"pk" is the private key to store
+**	"f" is a the callback function for getting the password
+**	"arg" is the argument for the callback
+*/
+extern SECStatus nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle, 
+					    NSSLOWKEYPrivateKey *pk,
+					    SECItem *pubKeyData,
+					    char *nickname,
+					    SDB *sdb);
+
+/* does the key for this cert exist in the database filed by modulus */
+extern PRBool nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle,
+					 NSSLOWCERTCertificate *cert);
+/* does a key with this ID already exist? */
+extern PRBool nsslowkey_KeyForIDExists(NSSLOWKEYDBHandle *handle, SECItem *id);
+
+/*
+** Destroy a private key object.
+**	"key" the object
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
+
+/*
+** Destroy a public key object.
+**	"key" the object
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key);
+
+/*
+** Return the modulus length of "pubKey".
+*/
+extern unsigned int nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubKey);
+
+
+/*
+** Return the modulus length of "privKey".
+*/
+extern unsigned int nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privKey);
+
+
+/*
+** Convert a low private key "privateKey" into a public low key
+*/
+extern NSSLOWKEYPublicKey 
+		*nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey);
+
+
+SECStatus
+nsslowkey_UpdateNickname(NSSLOWKEYDBHandle *handle,
+                           NSSLOWKEYPrivateKey *privkey,
+                           SECItem *pubKeyData,
+                           char *nickname,
+                           SDB *sdb);
+
+/* Store key by modulus and specify an encryption algorithm to use.
+ *   handle is the pointer to the key database,
+ *   privkey is the private key to be stored,
+ *   f and arg are the function and arguments to the callback
+ *       to get a password,
+ *   algorithm is the algorithm which the privKey is to be stored.
+ * A return of anything but SECSuccess indicates failure.
+ */
+extern SECStatus 
+nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWKEYDBHandle *handle, 
+			      NSSLOWKEYPrivateKey *privkey, 
+			      SECItem *pubKeyData,
+			      char *nickname,
+			      SDB *sdb,
+                              PRBool update); 
+
+/* Find key by modulus.  This function is the inverse of store key
+ * by modulus.  An attempt to locate the key with "modulus" is 
+ * performed.  If the key is found, the private key is returned,
+ * else NULL is returned.
+ *   modulus is the modulus to locate
+ */
+extern NSSLOWKEYPrivateKey *
+nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus, 
+			  SDB *sdb);
+
+extern char *
+nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle,
+                                        SECItem *modulus, SDB *sdb);
+
+#ifdef NSS_ENABLE_ECC
+/*
+ * smaller version of EC_FillParams. In this code, we only need
+ * oid and DER data.
+ */
+SECStatus LGEC_FillParams(PRArenaPool *arena, const SECItem *encodedParams, 
+    ECParams *params);
+
+/* Copy all of the fields from srcParams into dstParams */
+SECStatus LGEC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
+	      const ECParams *srcParams);
+#endif
+SEC_END_PROTOS
+
+#endif /* _LOWKEYI_H_ */

mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h

@@ -0,0 +1,161 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _LOWKEYTI_H_
+#define _LOWKEYTI_H_ 1
+
+#include "blapit.h"
+#include "prtypes.h"
+#include "plarena.h"
+#include "secitem.h"
+#include "secasn1t.h"
+#include "secoidt.h"
+
+
+/*
+ * a key in/for the data base
+ */
+struct NSSLOWKEYDBKeyStr {
+    PLArenaPool *arena;
+    int version;
+    char *nickname;
+    SECItem salt;
+    SECItem derPK;
+};
+typedef struct NSSLOWKEYDBKeyStr NSSLOWKEYDBKey;
+
+typedef struct NSSLOWKEYDBHandleStr NSSLOWKEYDBHandle;
+
+#ifdef NSS_USE_KEY4_DB
+#define NSSLOWKEY_DB_FILE_VERSION 4
+#else
+#define NSSLOWKEY_DB_FILE_VERSION 3
+#endif
+
+#define NSSLOWKEY_VERSION	    0	/* what we *create* */
+
+/*
+** Typedef for callback to get a password "key".
+*/
+extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[];
+extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
+extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[];
+#ifdef NSS_ENABLE_ECC
+#define NSSLOWKEY_EC_PRIVATE_KEY_VERSION   1  /* as per SECG 1 C.4 */
+extern const SEC_ASN1Template nsslowkey_ECParamsTemplate[];
+extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[];
+#endif /* NSS_ENABLE_ECC */
+
+extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
+
+/*
+ * PKCS #8 attributes
+ */
+struct NSSLOWKEYAttributeStr {
+    SECItem attrType;
+    SECItem *attrValue;
+};
+typedef struct NSSLOWKEYAttributeStr NSSLOWKEYAttribute;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct NSSLOWKEYPrivateKeyInfoStr {
+    PLArenaPool *arena;
+    SECItem version;
+    SECAlgorithmID algorithm;
+    SECItem privateKey;
+    NSSLOWKEYAttribute **attributes;
+};
+typedef struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo;
+#define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION	0	/* what we *create* */
+
+/*
+** A PKCS#8 private key info object
+*/
+struct NSSLOWKEYEncryptedPrivateKeyInfoStr {
+    PLArenaPool *arena;
+    SECAlgorithmID algorithm;
+    SECItem encryptedData;
+};
+typedef struct NSSLOWKEYEncryptedPrivateKeyInfoStr NSSLOWKEYEncryptedPrivateKeyInfo;
+
+
+typedef enum { 
+    NSSLOWKEYNullKey = 0, 
+    NSSLOWKEYRSAKey = 1, 
+    NSSLOWKEYDSAKey = 2, 
+    NSSLOWKEYDHKey = 4,
+    NSSLOWKEYECKey = 5
+} NSSLOWKEYType;
+
+/*
+** An RSA public key object.
+*/
+struct NSSLOWKEYPublicKeyStr {
+    PLArenaPool *arena;
+    NSSLOWKEYType keyType ;
+    union {
+        RSAPublicKey rsa;
+	DSAPublicKey dsa;
+	DHPublicKey  dh;
+	ECPublicKey  ec;
+    } u;
+};
+typedef struct NSSLOWKEYPublicKeyStr NSSLOWKEYPublicKey;
+
+/*
+** Low Level private key object
+** This is only used by the raw Crypto engines (crypto), keydb (keydb),
+** and PKCS #11. Everyone else uses the high level key structure.
+*/
+struct NSSLOWKEYPrivateKeyStr {
+    PLArenaPool *arena;
+    NSSLOWKEYType keyType;
+    union {
+        RSAPrivateKey rsa;
+	DSAPrivateKey dsa;
+	DHPrivateKey  dh;
+	ECPrivateKey  ec;
+    } u;
+};
+typedef struct NSSLOWKEYPrivateKeyStr NSSLOWKEYPrivateKey;
+
+#endif	/* _LOWKEYTI_H_ */

mozilla/security/nss/lib/softoken/legacydb/manifest.mn

@@ -0,0 +1,68 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../../..
+
+MODULE = nss
+
+REQUIRES = dbm 
+
+LIBRARY_NAME = lgdbm
+LIBRARY_VERSION = 3
+MAPFILE = $(OBJDIR)/lgdbm.def
+
+DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\"
+
+
+CSRCS = \
+	dbmshim.c \
+	keydb.c \
+	lgattr.c \
+	lgcreate.c \
+	lgdestroy.c \
+	lgfind.c \
+	lginit.c \
+	lgutil.c \
+	lowcert.c \
+	lowkey.c \
+	pcertdb.c \
+	pk11db.c \
+	$(NULL)
+
+ifdef NSS_ENABLE_ECC
+DEFINES += -DNSS_ENABLE_ECC
+endif
+

mozilla/security/nss/lib/softoken/legacydb/pcert.h

@@ -0,0 +1,261 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _PCERTDB_H_
+#define _PCERTDB_H_
+
+#include "plarena.h"
+#include "prlong.h"
+#include "pcertt.h"
+
+#include "lowkeyti.h" 	/* for struct NSSLOWKEYPublicKeyStr */
+
+SEC_BEGIN_PROTOS
+
+/*
+ * initialize any global certificate locks
+ */
+SECStatus nsslowcert_InitLocks(void);
+
+/*
+** Add a DER encoded certificate to the permanent database.
+**	"derCert" is the DER encoded certificate.
+**	"nickname" is the nickname to use for the cert
+**	"trust" is the trust parameters for the cert
+*/
+SECStatus nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *handle, 
+			NSSLOWCERTCertificate *cert,
+				char *nickname, NSSLOWCERTCertTrust *trust);
+SECStatus nsslowcert_AddPermNickname(NSSLOWCERTCertDBHandle *dbhandle,
+				NSSLOWCERTCertificate *cert, char *nickname);
+
+SECStatus nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert);
+
+typedef SECStatus (PR_CALLBACK * PermCertCallback)(NSSLOWCERTCertificate *cert,
+                                                   SECItem *k, void *pdata);
+/*
+** Traverse the entire permanent database, and pass the certs off to a
+** user supplied function.
+**	"certfunc" is the user function to call for each certificate
+**	"udata" is the user's data, which is passed through to "certfunc"
+*/
+SECStatus
+nsslowcert_TraversePermCerts(NSSLOWCERTCertDBHandle *handle,
+		      PermCertCallback certfunc,
+		      void *udata );
+
+PRBool
+nsslowcert_CertDBKeyConflict(SECItem *derCert, NSSLOWCERTCertDBHandle *handle);
+
+certDBEntryRevocation *
+nsslowcert_FindCrlByKey(NSSLOWCERTCertDBHandle *handle,
+					 SECItem *crlKey, PRBool isKRL);
+
+SECStatus
+nsslowcert_DeletePermCRL(NSSLOWCERTCertDBHandle *handle,const SECItem *derName,
+								PRBool isKRL);
+SECStatus
+nsslowcert_AddCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl ,
+				SECItem *derKey, char *url, PRBool isKRL);
+
+NSSLOWCERTCertDBHandle *nsslowcert_GetDefaultCertDB();
+NSSLOWKEYPublicKey *nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *);
+
+NSSLOWCERTCertificate *
+nsslowcert_NewTempCertificate(NSSLOWCERTCertDBHandle *handle, SECItem *derCert,
+                        char *nickname, PRBool isperm, PRBool copyDER);
+NSSLOWCERTCertificate *
+nsslowcert_DupCertificate(NSSLOWCERTCertificate *cert);
+void nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert);
+void nsslowcert_DestroyTrust(NSSLOWCERTTrust *Trust);
+
+/*
+ * Lookup a certificate in the databases without locking
+ *	"certKey" is the database key to look for
+ *
+ * XXX - this should be internal, but pkcs 11 needs to call it during a
+ * traversal.
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey);
+
+/*
+ * Lookup trust for a certificate in the databases without locking
+ *	"certKey" is the database key to look for
+ *
+ * XXX - this should be internal, but pkcs 11 needs to call it during a
+ * traversal.
+ */
+NSSLOWCERTTrust *
+nsslowcert_FindTrustByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey);
+
+/*
+** Generate a certificate key from the issuer and serialnumber, then look it
+** up in the database.  Return the cert if found.
+**	"issuerAndSN" is the issuer and serial number to look for
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_FindCertByIssuerAndSN (NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN);
+
+/*
+** Generate a certificate key from the issuer and serialnumber, then look it
+** up in the database.  Return the cert if found.
+**	"issuerAndSN" is the issuer and serial number to look for
+*/
+extern NSSLOWCERTTrust *
+nsslowcert_FindTrustByIssuerAndSN (NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN);
+
+/*
+** Find a certificate in the database by a DER encoded certificate
+**	"derCert" is the DER encoded certificate
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_FindCertByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCert);
+
+/* convert an email address to lower case */
+char *nsslowcert_FixupEmailAddr(char *emailAddr);
+
+/*
+** Decode a DER encoded certificate into an NSSLOWCERTCertificate structure
+**      "derSignedCert" is the DER encoded signed certificate
+**      "copyDER" is true if the DER should be copied, false if the
+**              existing copy should be referenced
+**      "nickname" is the nickname to use in the database.  If it is NULL
+**              then a temporary nickname is generated.
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_DecodeDERCertificate (SECItem *derSignedCert, char *nickname);
+
+SECStatus
+nsslowcert_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key);
+
+certDBEntrySMime *
+nsslowcert_ReadDBSMimeEntry(NSSLOWCERTCertDBHandle *certHandle,
+							 char *emailAddr);
+void
+nsslowcert_DestroyDBEntry(certDBEntry *entry);
+
+SECStatus
+nsslowcert_OpenCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
+		const char *domain, const char *prefix,
+                NSSLOWCERTDBNameFunc namecb, void *cbarg, PRBool openVolatile);
+
+void
+nsslowcert_ClosePermCertDB(NSSLOWCERTCertDBHandle *handle);
+
+/*
+ * is certa newer than certb?  If one is expired, pick the other one.
+ */
+PRBool
+nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb);
+
+
+SECStatus
+nsslowcert_TraverseDBEntries(NSSLOWCERTCertDBHandle *handle,
+		      certDBEntryType type,
+		      SECStatus (* callback)(SECItem *data, SECItem *key,
+					    certDBEntryType type, void *pdata),
+		      void *udata );
+SECStatus
+nsslowcert_TraversePermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+				 SECItem *derSubject,
+				 NSSLOWCERTCertCallback cb, void *cbarg);
+int
+nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+							 SECItem *derSubject);
+SECStatus
+nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
+	 	char *nickname, NSSLOWCERTCertCallback cb, void *cbarg);
+
+int
+nsslowcert_NumPermCertsForNickname(NSSLOWCERTCertDBHandle *handle, 
+							char *nickname);
+SECStatus
+nsslowcert_GetCertTrust(NSSLOWCERTCertificate *cert,
+					 NSSLOWCERTCertTrust *trust);
+
+SECStatus
+nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr, 
+	SECItem *derSubject, SECItem *emailProfile, SECItem *profileTime);
+
+/*
+ * Change the trust attributes of a certificate and make them permanent
+ * in the database.
+ */
+SECStatus
+nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle, 
+	  	NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust);
+
+PRBool
+nsslowcert_needDBVerify(NSSLOWCERTCertDBHandle *handle);
+
+void
+nsslowcert_setDBVerify(NSSLOWCERTCertDBHandle *handle, PRBool value);
+
+PRBool
+nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust);
+
+void
+nsslowcert_DestroyFreeLists(void);
+
+void
+nsslowcert_DestroyGlobalLocks(void);
+
+void
+pkcs11_freeNickname(char *nickname, char *space);
+
+char *
+pkcs11_copyNickname(char *nickname, char *space, int spaceLen);
+
+void
+pkcs11_freeStaticData(unsigned char *data, unsigned char *space);
+
+unsigned char *
+pkcs11_allocStaticData(int datalen, unsigned char *space, int spaceLen);
+
+unsigned char *
+pkcs11_copyStaticData(unsigned char *data, int datalen, unsigned char *space,
+						int spaceLen);
+NSSLOWCERTCertificate *
+nsslowcert_CreateCert(void);
+
+certDBEntry *
+nsslowcert_DecodeAnyDBEntry(SECItem *dbData, const SECItem *dbKey, 
+                            certDBEntryType entryType, void *pdata);
+
+SEC_END_PROTOS
+
+ #endif /* _PCERTDB_H_ */

mozilla/security/nss/lib/softoken/legacydb/pcertt.h

@@ -0,0 +1,450 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * certt.h - public data structures for the certificate library
+ *
+ * $Id: pcertt.h,v 1.1.2.2 2007-05-15 21:59:52 rrelyea%redhat.com Exp $
+ */
+#ifndef _PCERTT_H_
+#define _PCERTT_H_
+
+#include "prclist.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "plarena.h"
+#include "prcvar.h"
+#include "nssilock.h"
+#include "prio.h"
+#include "prmon.h"
+
+/* Non-opaque objects */
+typedef struct NSSLOWCERTCertDBHandleStr               NSSLOWCERTCertDBHandle;
+typedef struct NSSLOWCERTCertKeyStr                    NSSLOWCERTCertKey;
+
+typedef struct NSSLOWCERTTrustStr                      NSSLOWCERTTrust;
+typedef struct NSSLOWCERTCertTrustStr                  NSSLOWCERTCertTrust;
+typedef struct NSSLOWCERTCertificateStr                NSSLOWCERTCertificate;
+typedef struct NSSLOWCERTCertificateListStr            NSSLOWCERTCertificateList;
+typedef struct NSSLOWCERTIssuerAndSNStr                NSSLOWCERTIssuerAndSN;
+typedef struct NSSLOWCERTSignedDataStr                 NSSLOWCERTSignedData;
+typedef struct NSSLOWCERTSubjectPublicKeyInfoStr       NSSLOWCERTSubjectPublicKeyInfo;
+typedef struct NSSLOWCERTValidityStr                   NSSLOWCERTValidity;
+
+/*
+** An X.509 validity object
+*/
+struct NSSLOWCERTValidityStr {
+    PRArenaPool *arena;
+    SECItem notBefore;
+    SECItem notAfter;
+};
+
+/*
+ * A serial number and issuer name, which is used as a database key
+ */
+struct NSSLOWCERTCertKeyStr {
+    SECItem serialNumber;
+    SECItem derIssuer;
+};
+
+/*
+** A signed data object. Used to implement the "signed" macro used
+** in the X.500 specs.
+*/
+struct NSSLOWCERTSignedDataStr {
+    SECItem data;
+    SECAlgorithmID signatureAlgorithm;
+    SECItem signature;
+};
+
+/*
+** An X.509 subject-public-key-info object
+*/
+struct NSSLOWCERTSubjectPublicKeyInfoStr {
+    PRArenaPool *arena;
+    SECAlgorithmID algorithm;
+    SECItem subjectPublicKey;
+};
+
+typedef struct _certDBEntryCert certDBEntryCert;
+typedef struct _certDBEntryRevocation certDBEntryRevocation;
+
+struct NSSLOWCERTCertTrustStr {
+    unsigned int sslFlags;
+    unsigned int emailFlags;
+    unsigned int objectSigningFlags;
+};
+
+/*
+** PKCS11 Trust representation
+*/
+struct NSSLOWCERTTrustStr {
+    NSSLOWCERTTrust *next;
+    NSSLOWCERTCertDBHandle *dbhandle;
+    SECItem dbKey;			/* database key for this cert */
+    certDBEntryCert *dbEntry;		/* database entry struct */
+    NSSLOWCERTCertTrust *trust;
+    SECItem *derCert;			/* original DER for the cert */
+    unsigned char dbKeySpace[512];
+};
+
+/*
+** An X.509 certificate object (the unsigned form)
+*/
+struct NSSLOWCERTCertificateStr {
+    /* the arena is used to allocate any data structures that have the same
+     * lifetime as the cert.  This is all stuff that hangs off of the cert
+     * structure, and is all freed at the same time.  I is used when the
+     * cert is decoded, destroyed, and at some times when it changes
+     * state
+     */
+    NSSLOWCERTCertificate *next;
+    NSSLOWCERTCertDBHandle *dbhandle;
+
+    SECItem derCert;			/* original DER for the cert */
+    SECItem derIssuer;			/* DER for issuer name */
+    SECItem derSN;
+    SECItem serialNumber;
+    SECItem derSubject;			/* DER for subject name */
+    SECItem derSubjKeyInfo;
+    NSSLOWCERTSubjectPublicKeyInfo *subjectPublicKeyInfo;
+    SECItem certKey;			/* database key for this cert */
+    SECItem validity;
+    certDBEntryCert *dbEntry;		/* database entry struct */
+    SECItem subjectKeyID;	/* x509v3 subject key identifier */
+    SECItem extensions;
+    char *nickname;
+    char *emailAddr;
+    NSSLOWCERTCertTrust *trust;
+
+    /* the reference count is modified whenever someone looks up, dups
+     * or destroys a certificate
+     */
+    int referenceCount;
+
+    char nicknameSpace[200];
+    char emailAddrSpace[200];
+    unsigned char certKeySpace[512];
+};
+
+#define SEC_CERTIFICATE_VERSION_1		0	/* default created */
+#define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
+#define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
+
+#define SEC_CRL_VERSION_1		0	/* default */
+#define SEC_CRL_VERSION_2		1	/* v2 extensions */
+
+struct NSSLOWCERTIssuerAndSNStr {
+    SECItem derIssuer;
+    SECItem serialNumber;
+};
+
+typedef SECStatus (* NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);
+
+/* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */
+/* callback to return database name based on version number */
+typedef char * (*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion);
+
+/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
+
+#include "secasn1t.h"	/* way down here because I expect template stuff to
+			 * move out of here anyway */
+
+/*
+ * Certificate Database related definitions and data structures
+ */
+
+/* version number of certificate database */
+#define CERT_DB_FILE_VERSION		8
+#define CERT_DB_V7_FILE_VERSION		7
+#define CERT_DB_CONTENT_VERSION		2
+
+#define SEC_DB_ENTRY_HEADER_LEN		3
+#define SEC_DB_KEY_HEADER_LEN		1
+
+/* All database entries have this form:
+ * 	
+ *	byte offset	field
+ *	-----------	-----
+ *	0		version
+ *	1		type
+ *	2		flags
+ */
+
+/* database entry types */
+typedef enum {
+    certDBEntryTypeVersion = 0,
+    certDBEntryTypeCert = 1,
+    certDBEntryTypeNickname = 2,
+    certDBEntryTypeSubject = 3,
+    certDBEntryTypeRevocation = 4,
+    certDBEntryTypeKeyRevocation = 5,
+    certDBEntryTypeSMimeProfile = 6,
+    certDBEntryTypeContentVersion = 7,
+    certDBEntryTypeBlob = 8
+} certDBEntryType;
+
+typedef struct {
+    certDBEntryType type;
+    unsigned int version;
+    unsigned int flags;
+    PRArenaPool *arena;
+} certDBEntryCommon;
+
+/*
+ * Certificate entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		sslFlags-msb
+ *	1		sslFlags-lsb
+ *	2		emailFlags-msb
+ *	3		emailFlags-lsb
+ *	4		objectSigningFlags-msb
+ *	5		objectSigningFlags-lsb
+ *	6		derCert-len-msb
+ *	7		derCert-len-lsb
+ *	8		nickname-len-msb
+ *	9		nickname-len-lsb
+ *	...		derCert
+ *	...		nickname
+ *
+ * NOTE: the nickname string as stored in the database is null terminated,
+ *		in other words, the last byte of the db entry is always 0
+ *		if a nickname is present.
+ * NOTE: if nickname is not present, then nickname-len-msb and
+ *		nickname-len-lsb will both be zero.
+ */
+struct _certDBEntryCert {
+    certDBEntryCommon common;
+    certDBEntryCert *next;
+    NSSLOWCERTCertTrust trust;
+    SECItem derCert;
+    char *nickname;
+    char nicknameSpace[200];
+    unsigned char derCertSpace[2048];
+};
+
+/*
+ * Certificate Nickname entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		subjectname-len-msb
+ *	1	        subjectname-len-lsb
+ *	2...		subjectname
+ *
+ * The database key for this type of entry is a nickname string
+ * The "subjectname" value is the DER encoded DN of the identity
+ *   that matches this nickname.
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char *nickname;
+    SECItem subjectName;
+} certDBEntryNickname;
+
+#define DB_NICKNAME_ENTRY_HEADER_LEN 2
+
+/*
+ * Certificate Subject entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		ncerts-msb
+ *	1		ncerts-lsb
+ *	2		nickname-msb
+ *	3		nickname-lsb
+ *	4		emailAddr-msb
+ *	5		emailAddr-lsb
+ *	...		nickname
+ *	...		emailAddr
+ *	...+2*i		certkey-len-msb
+ *	...+1+2*i       certkey-len-lsb
+ *	...+2*ncerts+2*i keyid-len-msb
+ *	...+1+2*ncerts+2*i keyid-len-lsb
+ *	...		certkeys
+ *	...		keyids
+ *
+ * The database key for this type of entry is the DER encoded subject name
+ * The "certkey" value is an array of  certificate database lookup keys that
+ *   points to the database entries for the certificates that matche
+ *   this subject.
+ *
+ */
+typedef struct _certDBEntrySubject {
+    certDBEntryCommon common;
+    SECItem derSubject;
+    unsigned int ncerts;
+    char *nickname;
+    SECItem *certKeys;
+    SECItem *keyIDs;
+    char **emailAddrs;
+    unsigned int nemailAddrs;
+} certDBEntrySubject;
+
+#define DB_SUBJECT_ENTRY_HEADER_LEN 6
+
+/*
+ * Certificate SMIME profile entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		subjectname-len-msb
+ *	1	        subjectname-len-lsb
+ *	2		smimeoptions-len-msb
+ *	3		smimeoptions-len-lsb
+ *	4		options-date-len-msb
+ *	5		options-date-len-lsb
+ *	6...		subjectname
+ *	...		smimeoptions
+ *	...		options-date
+ *
+ * The database key for this type of entry is the email address string
+ * The "subjectname" value is the DER encoded DN of the identity
+ *   that matches this nickname.
+ * The "smimeoptions" value is a string that represents the algorithm
+ *   capabilities on the remote user.
+ * The "options-date" is the date that the smime options value was created.
+ *   This is generally the signing time of the signed message that contained
+ *   the options.  It is a UTCTime value.
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char *emailAddr;
+    SECItem subjectName;
+    SECItem smimeOptions;
+    SECItem optionsDate;
+} certDBEntrySMime;
+
+#define DB_SMIME_ENTRY_HEADER_LEN 6
+
+/*
+ * Crl/krl entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		derCert-len-msb
+ *	1		derCert-len-lsb
+ *	2		url-len-msb
+ *	3		url-len-lsb
+ *	...		derCert
+ *	...		url
+ *
+ * NOTE: the url string as stored in the database is null terminated,
+ *		in other words, the last byte of the db entry is always 0
+ *		if a nickname is present. 
+ * NOTE: if url is not present, then url-len-msb and
+ *		url-len-lsb will both be zero.
+ */
+#define DB_CRL_ENTRY_HEADER_LEN	4
+struct _certDBEntryRevocation {
+    certDBEntryCommon common;
+    SECItem	derCrl;
+    char	*url;	/* where to load the crl from */
+};
+
+/*
+ * Database Version Entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	only the low level header...
+ *
+ * The database key for this type of entry is the string "Version"
+ */
+typedef struct {
+    certDBEntryCommon common;
+} certDBEntryVersion;
+
+#define SEC_DB_VERSION_KEY "Version"
+#define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY)
+
+/*
+ * Database Content Version Entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		contentVersion
+ *
+ * The database key for this type of entry is the string "ContentVersion"
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char contentVersion;
+} certDBEntryContentVersion;
+
+#define SEC_DB_CONTENT_VERSION_KEY "ContentVersion"
+#define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY)
+
+typedef union {
+    certDBEntryCommon         common;
+    certDBEntryCert           cert;
+    certDBEntryContentVersion content;
+    certDBEntryNickname       nickname;
+    certDBEntryRevocation     revocation;
+    certDBEntrySMime          smime;
+    certDBEntrySubject        subject;
+    certDBEntryVersion        version;
+} certDBEntry;
+
+/* length of the fixed part of a database entry */
+#define DBCERT_V4_HEADER_LEN	7
+#define DB_CERT_V5_ENTRY_HEADER_LEN	7
+#define DB_CERT_V6_ENTRY_HEADER_LEN	7
+#define DB_CERT_ENTRY_HEADER_LEN	10
+
+/* common flags for all types of certificates */
+#define CERTDB_VALID_PEER	(1<<0)
+#define CERTDB_TRUSTED		(1<<1)
+#define CERTDB_SEND_WARN	(1<<2)
+#define CERTDB_VALID_CA		(1<<3)
+#define CERTDB_TRUSTED_CA	(1<<4) /* trusted for issuing server certs */
+#define CERTDB_NS_TRUSTED_CA	(1<<5)
+#define CERTDB_USER		(1<<6)
+#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
+#define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
+#define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
+#define CERTDB_NOT_TRUSTED	(1<<10) /* explicitly don't trust this cert */
+#define CERTDB_TRUSTED_UNKNOWN	(1<<11) /* accept trust from another source */
+
+/* bits not affected by the CKO_NETSCAPE_TRUST object */
+#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | CERTDB_VALID_PEER | \
+        CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \
+                                        CERTDB_GOVT_APPROVED_CA)
+
+#endif /* _PCERTT_H_ */

mozilla/security/nss/lib/softoken/legacydb/pk11db.c

@@ -0,0 +1,773 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* 
+ *  The following code handles the storage of PKCS 11 modules used by the
+ * NSS. This file is written to abstract away how the modules are
+ * stored so we can deside that later.
+ */
+
+#include "pk11pars.h"
+#include "lgdb.h"
+#include "mcom_db.h"
+#include "secerr.h"
+
+#define FREE_CLEAR(p) if (p) { PORT_Free(p); p = NULL; }
+
+/* Construct a database key for a given module */
+static SECStatus secmod_MakeKey(DBT *key, char * module) {
+    int len = 0;
+    char *commonName;
+
+    commonName = secmod_argGetParamValue("name",module);
+    if (commonName == NULL) {
+	commonName = secmod_argGetParamValue("library",module);
+    }
+    if (commonName == NULL) return SECFailure;
+    len = PORT_Strlen(commonName);
+    key->data = commonName;
+    key->size = len;
+    return SECSuccess;
+}
+
+/* free out constructed database key */
+static void 
+secmod_FreeKey(DBT *key) 
+{
+    if (key->data) {
+	PORT_Free(key->data);
+    }
+    key->data = NULL;
+    key->size = 0;
+}
+
+typedef struct secmodDataStr secmodData;
+typedef struct secmodSlotDataStr secmodSlotData;
+struct secmodDataStr {
+    unsigned char major;
+    unsigned char minor;
+    unsigned char nameStart[2];
+    unsigned char slotOffset[2];
+    unsigned char internal;
+    unsigned char fips;
+    unsigned char ssl[8];
+    unsigned char trustOrder[4];
+    unsigned char cipherOrder[4];
+    unsigned char reserved1;
+    unsigned char isModuleDB;
+    unsigned char isModuleDBOnly;
+    unsigned char isCritical;
+    unsigned char reserved[4];
+    unsigned char names[6];	/* enough space for the length fields */
+};
+
+struct secmodSlotDataStr {
+    unsigned char slotID[4];
+    unsigned char defaultFlags[4];
+    unsigned char timeout[4];
+    unsigned char askpw;
+    unsigned char hasRootCerts;
+    unsigned char reserved[18]; /* this makes it a round 32 bytes */
+};
+
+#define SECMOD_DB_VERSION_MAJOR 0
+#define SECMOD_DB_VERSION_MINOR 6
+#define SECMOD_DB_EXT1_VERSION_MAJOR 0
+#define SECMOD_DB_EXT1_VERSION_MINOR 6
+#define SECMOD_DB_NOUI_VERSION_MAJOR 0
+#define SECMOD_DB_NOUI_VERSION_MINOR 4
+
+#define SECMOD_PUTSHORT(dest,src) \
+	(dest)[1] = (unsigned char) ((src)&0xff); \
+	(dest)[0] = (unsigned char) (((src) >> 8) & 0xff);
+#define SECMOD_PUTLONG(dest,src) \
+	(dest)[3] = (unsigned char) ((src)&0xff); \
+	(dest)[2] = (unsigned char) (((src) >> 8) & 0xff); \
+	(dest)[1] = (unsigned char) (((src) >> 16) & 0xff); \
+	(dest)[0] = (unsigned char) (((src) >> 24) & 0xff);
+#define SECMOD_GETSHORT(src) \
+	((unsigned short) (((src)[0] << 8) | (src)[1]))
+#define SECMOD_GETLONG(src) \
+	((unsigned long) (( (unsigned long) (src)[0] << 24) | \
+			( (unsigned long) (src)[1] << 16)  | \
+			( (unsigned long) (src)[2] << 8) | \
+			(unsigned long) (src)[3]))
+
+/*
+ * build a data base entry from a module 
+ */
+static SECStatus 
+secmod_EncodeData(DBT *data, char * module) 
+{
+    secmodData *encoded = NULL;
+    secmodSlotData *slot;
+    unsigned char *dataPtr;
+    unsigned short len, len2 = 0, len3 = 0;
+    int count = 0;
+    unsigned short offset;
+    int dataLen, i;
+    unsigned long order;
+    unsigned long  ssl[2];
+    char *commonName = NULL , *dllName = NULL, *param = NULL, *nss = NULL;
+    char *slotParams, *ciphers;
+    PK11PreSlotInfo *slotInfo = NULL;
+    SECStatus rv = SECFailure;
+
+    rv = secmod_argParseModuleSpec(module,&dllName,&commonName,&param,&nss);
+    if (rv != SECSuccess) return rv;
+    rv = SECFailure;
+
+    if (commonName == NULL) {
+	/* set error */
+	goto loser;
+    }
+
+    len = PORT_Strlen(commonName);
+    if (dllName) {
+    	len2 = PORT_Strlen(dllName);
+    }
+    if (param) {
+	len3 = PORT_Strlen(param);
+    }
+
+    slotParams = secmod_argGetParamValue("slotParams",nss); 
+    slotInfo = secmod_argParseSlotInfo(NULL,slotParams,&count);
+    if (slotParams) PORT_Free(slotParams);
+
+    if (count && slotInfo == NULL) {
+	/* set error */
+	goto loser;
+    }
+
+    dataLen = sizeof(secmodData) + len + len2 + len3 + sizeof(unsigned short) +
+				 count*sizeof(secmodSlotData);
+
+    data->data = (unsigned char *) PORT_ZAlloc(dataLen);
+    encoded = (secmodData *)data->data;
+    dataPtr = (unsigned char *) data->data;
+    data->size = dataLen;
+
+    if (encoded == NULL) {
+	/* set error */
+	goto loser;
+    }
+
+    encoded->major = SECMOD_DB_VERSION_MAJOR;
+    encoded->minor = SECMOD_DB_VERSION_MINOR;
+    encoded->internal = (unsigned char) 
+			(secmod_argHasFlag("flags","internal",nss) ? 1 : 0);
+    encoded->fips = (unsigned char) 
+			(secmod_argHasFlag("flags","FIPS",nss) ? 1 : 0);
+    encoded->isModuleDB = (unsigned char) 
+			(secmod_argHasFlag("flags","isModuleDB",nss) ? 1 : 0);
+    encoded->isModuleDBOnly = (unsigned char) 
+		    (secmod_argHasFlag("flags","isModuleDBOnly",nss) ? 1 : 0);
+    encoded->isCritical = (unsigned char) 
+			(secmod_argHasFlag("flags","critical",nss) ? 1 : 0);
+
+    order = secmod_argReadLong("trustOrder", nss, SECMOD_DEFAULT_TRUST_ORDER, 
+                               NULL);
+    SECMOD_PUTLONG(encoded->trustOrder,order);
+    order = secmod_argReadLong("cipherOrder", nss, SECMOD_DEFAULT_CIPHER_ORDER, 
+                               NULL);
+    SECMOD_PUTLONG(encoded->cipherOrder,order);
+
+   
+    ciphers = secmod_argGetParamValue("ciphers",nss); 
+    secmod_argSetNewCipherFlags(&ssl[0], ciphers);
+    SECMOD_PUTLONG(encoded->ssl,ssl[0]);
+    SECMOD_PUTLONG(&encoded->ssl[4],ssl[1]);
+    if (ciphers) PORT_Free(ciphers);
+
+    offset = (unsigned short) &(((secmodData *)0)->names[0]);
+    SECMOD_PUTSHORT(encoded->nameStart,offset);
+    offset = offset + len + len2 + len3 + 3*sizeof(unsigned short);
+    SECMOD_PUTSHORT(encoded->slotOffset,offset);
+
+
+    SECMOD_PUTSHORT(&dataPtr[offset],((unsigned short)count));
+    slot = (secmodSlotData *)(dataPtr+offset+sizeof(unsigned short));
+
+    offset = 0;
+    SECMOD_PUTSHORT(encoded->names,len);
+    offset += sizeof(unsigned short);
+    PORT_Memcpy(&encoded->names[offset],commonName,len);
+    offset += len;
+
+
+    SECMOD_PUTSHORT(&encoded->names[offset],len2);
+    offset += sizeof(unsigned short);
+    if (len2) PORT_Memcpy(&encoded->names[offset],dllName,len2);
+    offset += len2;
+
+    SECMOD_PUTSHORT(&encoded->names[offset],len3);
+    offset += sizeof(unsigned short);
+    if (len3) PORT_Memcpy(&encoded->names[offset],param,len3);
+    offset += len3;
+
+    if (count) {
+	for (i=0; i < count; i++) {
+	    SECMOD_PUTLONG(slot[i].slotID, slotInfo[i].slotID);
+	    SECMOD_PUTLONG(slot[i].defaultFlags,
+					slotInfo[i].defaultFlags);
+	    SECMOD_PUTLONG(slot[i].timeout,slotInfo[i].timeout);
+	    slot[i].askpw = slotInfo[i].askpw;
+	    slot[i].hasRootCerts = slotInfo[i].hasRootCerts;
+	    PORT_Memset(slot[i].reserved, 0, sizeof(slot[i].reserved));
+	}
+    }
+    rv = SECSuccess;
+
+loser:
+    if (commonName) PORT_Free(commonName);
+    if (dllName) PORT_Free(dllName);
+    if (param) PORT_Free(param);
+    if (slotInfo) PORT_Free(slotInfo);
+    if (nss) PORT_Free(nss);
+    return rv;
+
+}
+
+static void 
+secmod_FreeData(DBT *data)
+{
+    if (data->data) {
+	PORT_Free(data->data);
+    }
+}
+
+static void
+secmod_FreeSlotStrings(char **slotStrings, int count)
+{
+    int i;
+
+    for (i=0; i < count; i++) {
+	if (slotStrings[i]) {
+	    PR_smprintf_free(slotStrings[i]);
+	    slotStrings[i] = NULL;
+	}
+    }
+}
+
+/*
+ * build a module from the data base entry.
+ */
+static char *
+secmod_DecodeData(char *defParams, DBT *data, PRBool *retInternal)
+{
+    secmodData *encoded;
+    secmodSlotData *slots;
+    PLArenaPool *arena;
+    char *commonName 		= NULL;
+    char *dllName    		= NULL;
+    char *parameters 		= NULL;
+    char *nss;
+    char *moduleSpec;
+    char **slotStrings 		= NULL;
+    unsigned char *names;
+    unsigned long slotCount;
+    unsigned long ssl0		=0;
+    unsigned long ssl1		=0;
+    unsigned long slotID;
+    unsigned long defaultFlags;
+    unsigned long timeout;
+    unsigned long trustOrder	=SECMOD_DEFAULT_TRUST_ORDER;
+    unsigned long cipherOrder	=SECMOD_DEFAULT_CIPHER_ORDER;
+    unsigned short len;
+    unsigned short namesOffset  = 0;	/* start of the names block */
+    unsigned long namesRunningOffset;	/* offset to name we are 
+					 * currently processing */
+    unsigned short slotOffset;
+    PRBool isOldVersion  	= PR_FALSE;
+    PRBool internal;
+    PRBool isFIPS;
+    PRBool isModuleDB    	=PR_FALSE;
+    PRBool isModuleDBOnly	=PR_FALSE;
+    PRBool extended      	=PR_FALSE;
+    int i;
+
+
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (arena == NULL) 
+    	return NULL;
+
+#define CHECK_SIZE(x) \
+    if ((unsigned int) data->size < (unsigned int)(x)) goto db_loser
+
+    /* -------------------------------------------------------------
+    ** Process the buffer header, which is the secmodData struct. 
+    ** It may be an old or new version.  Check the length for each. 
+    */
+
+    CHECK_SIZE( offsetof(secmodData, trustOrder[0]) );
+
+    encoded = (secmodData *)data->data;
+
+    internal = (encoded->internal != 0) ? PR_TRUE: PR_FALSE;
+    isFIPS   = (encoded->fips     != 0) ? PR_TRUE: PR_FALSE;
+
+    if (retInternal)
+	*retInternal = internal;
+    if (internal) {
+	parameters = PORT_ArenaStrdup(arena,defParams);
+	if (parameters == NULL) 
+	    goto loser;
+    }
+    if (internal && (encoded->major == SECMOD_DB_NOUI_VERSION_MAJOR) &&
+ 	(encoded->minor <= SECMOD_DB_NOUI_VERSION_MINOR)) {
+	isOldVersion = PR_TRUE;
+    }
+    if ((encoded->major == SECMOD_DB_EXT1_VERSION_MAJOR) &&
+	(encoded->minor >= SECMOD_DB_EXT1_VERSION_MINOR)) {
+	CHECK_SIZE( sizeof(secmodData));
+	trustOrder     = SECMOD_GETLONG(encoded->trustOrder);
+	cipherOrder    = SECMOD_GETLONG(encoded->cipherOrder);
+	isModuleDB     = (encoded->isModuleDB != 0) ? PR_TRUE: PR_FALSE;
+	isModuleDBOnly = (encoded->isModuleDBOnly != 0) ? PR_TRUE: PR_FALSE;
+	extended       = PR_TRUE;
+    } 
+    if (internal && !extended) {
+	trustOrder = 0;
+	cipherOrder = 100;
+    }
+    /* decode SSL cipher enable flags */
+    ssl0 = SECMOD_GETLONG(encoded->ssl);
+    ssl1 = SECMOD_GETLONG(encoded->ssl + 4);
+
+    slotOffset  = SECMOD_GETSHORT(encoded->slotOffset);
+    namesOffset = SECMOD_GETSHORT(encoded->nameStart);
+
+
+    /*--------------------------------------------------------------
+    ** Now process the variable length set of names.                
+    ** The names have this structure:
+    ** struct {
+    **     BYTE  commonNameLen[ 2 ];
+    **     BYTE  commonName   [ commonNameLen ];
+    **     BTTE  libNameLen   [ 2 ];
+    **     BYTE  libName      [ libNameLen ];
+    ** If it is "extended" it also has these members:
+    **     BYTE  initStringLen[ 2 ];
+    **     BYTE  initString   [ initStringLen ];
+    ** }
+    */
+
+    namesRunningOffset = namesOffset;
+    /* copy the module's common name */
+    CHECK_SIZE( namesRunningOffset + 2);
+    names = (unsigned char *)data->data;
+    len   = SECMOD_GETSHORT(names+namesRunningOffset);
+
+    CHECK_SIZE( namesRunningOffset + 2 + len);
+    commonName = (char*)PORT_ArenaAlloc(arena,len+1);
+    if (commonName == NULL) 
+	goto loser;
+    PORT_Memcpy(commonName, names + namesRunningOffset + 2, len);
+    commonName[len] = 0;
+    namesRunningOffset += len + 2;
+
+    /* copy the module's shared library file name. */
+    CHECK_SIZE( namesRunningOffset + 2);
+    len = SECMOD_GETSHORT(names + namesRunningOffset);
+    if (len) {
+	CHECK_SIZE( namesRunningOffset + 2 + len);
+	dllName = (char*)PORT_ArenaAlloc(arena,len + 1);
+	if (dllName == NULL) 
+	    goto loser;
+	PORT_Memcpy(dllName, names + namesRunningOffset + 2, len);
+	dllName[len] = 0;
+    }
+    namesRunningOffset += len + 2;
+
+    /* copy the module's initialization string, if present. */
+    if (!internal && extended) {
+	CHECK_SIZE( namesRunningOffset + 2);
+	len = SECMOD_GETSHORT(names+namesRunningOffset);
+	if (len) {
+	    CHECK_SIZE( namesRunningOffset + 2 + len );
+	    parameters = (char*)PORT_ArenaAlloc(arena,len + 1);
+	    if (parameters == NULL) 
+		goto loser;
+	    PORT_Memcpy(parameters,names + namesRunningOffset + 2, len);
+	    parameters[len] = 0;
+	}
+	namesRunningOffset += len + 2;
+    }
+
+    /* 
+     * Consistency check: Make sure the slot and names blocks don't
+     * overlap. These blocks can occur in any order, so this check is made 
+     * in 2 parts. First we check the case where the slot block starts 
+     * after the name block. Later, when we have the slot block length,
+     * we check the case where slot block starts before the name block.
+     * NOTE: in most cases any overlap will likely be detected by invalid 
+     * data read from the blocks, but it's better to find out sooner 
+     * than later.
+     */
+    if (slotOffset >= namesOffset) { /* slot block starts after name block */
+	if (slotOffset < namesRunningOffset) {
+	    goto db_loser;
+	}
+    }
+
+    /* ------------------------------------------------------------------
+    ** Part 3, process the slot table.
+    ** This part has this structure:
+    ** struct {
+    **     BYTE slotCount [ 2 ];
+    **     secmodSlotData [ slotCount ];
+    ** {
+    */
+
+    CHECK_SIZE( slotOffset + 2 );
+    slotCount = SECMOD_GETSHORT((unsigned char *)data->data + slotOffset);
+
+    /* 
+     * Consistency check: Part 2. We now have the slot block length, we can 
+     * check the case where the slotblock procedes the name block.
+     */
+    if (slotOffset < namesOffset) { /* slot block starts before name block */
+	if (namesOffset < slotOffset + 2 + slotCount*sizeof(secmodSlotData)) {
+	    goto db_loser;
+	}
+    }
+
+    CHECK_SIZE( (slotOffset + 2 + slotCount * sizeof(secmodSlotData)));
+    slots = (secmodSlotData *) ((unsigned char *)data->data + slotOffset + 2);
+
+    /*  slotCount; */
+    slotStrings = (char **)PORT_ArenaZAlloc(arena, slotCount * sizeof(char *));
+    if (slotStrings == NULL)
+	goto loser;
+    for (i=0; i < (int) slotCount; i++, slots++) {
+	PRBool hasRootCerts	=PR_FALSE;
+	PRBool hasRootTrust	=PR_FALSE;
+	slotID       = SECMOD_GETLONG(slots->slotID);
+	defaultFlags = SECMOD_GETLONG(slots->defaultFlags);
+	timeout      = SECMOD_GETLONG(slots->timeout);
+	hasRootCerts = slots->hasRootCerts;
+	if (isOldVersion && internal && (slotID != 2)) {
+		unsigned long internalFlags=
+			secmod_argSlotFlags("slotFlags",SECMOD_SLOT_FLAGS);
+		defaultFlags |= internalFlags;
+	}
+	if (hasRootCerts && !extended) {
+	    trustOrder = 100;
+	}
+
+	slotStrings[i] = secmod_mkSlotString(slotID, defaultFlags, timeout, 
+	                                   (unsigned char)slots->askpw, 
+	                                   hasRootCerts, hasRootTrust);
+	if (slotStrings[i] == NULL) {
+	    secmod_FreeSlotStrings(slotStrings,i);
+	    goto loser;
+	}
+    }
+
+    nss = secmod_mkNSS(slotStrings, slotCount, internal, isFIPS, isModuleDB, 
+		     isModuleDBOnly, internal, trustOrder, cipherOrder, 
+		     ssl0, ssl1);
+    secmod_FreeSlotStrings(slotStrings,slotCount);
+    /* it's permissible (and normal) for nss to be NULL. it simply means
+     * there are no NSS specific parameters in the database */
+    moduleSpec = secmod_mkNewModuleSpec(dllName,commonName,parameters,nss);
+    PR_smprintf_free(nss);
+    PORT_FreeArena(arena,PR_TRUE);
+    return moduleSpec;
+
+db_loser:
+    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+loser:
+    PORT_FreeArena(arena,PR_TRUE);
+    return NULL;
+}
+
+static DB *
+secmod_OpenDB(const char *appName, const char *filename, const char *dbName, 
+				PRBool readOnly, PRBool update)
+{
+    DB *pkcs11db = NULL;
+
+
+    if (appName) {
+	char *secname = PORT_Strdup(filename);
+	int len = strlen(secname);
+	int status = RDB_FAIL;
+
+	if (len >= 3 && PORT_Strcmp(&secname[len-3],".db") == 0) {
+	   secname[len-3] = 0;
+	}
+    	pkcs11db=
+	   rdbopen(appName, "", secname, readOnly ? NO_RDONLY:NO_RDWR, NULL);
+	if (update && !pkcs11db) {
+	    DB *updatedb;
+
+    	    pkcs11db = rdbopen(appName, "", secname, NO_CREATE, &status);
+	    if (!pkcs11db) {
+		if (status == RDB_RETRY) {
+ 		    pkcs11db= rdbopen(appName, "", secname, 
+					readOnly ? NO_RDONLY:NO_RDWR, NULL);
+		}
+		PORT_Free(secname);
+		return pkcs11db;
+	    }
+	    updatedb = dbopen(dbName, NO_RDONLY, 0600, DB_HASH, 0);
+	    if (updatedb) {
+		db_Copy(pkcs11db,updatedb);
+		(*updatedb->close)(updatedb);
+	    } else {
+		(*pkcs11db->close)(pkcs11db);
+		PORT_Free(secname);
+		return NULL;
+	   }
+	}
+	PORT_Free(secname);
+	return pkcs11db;
+    }
+  
+    /* I'm sure we should do more checks here sometime... */
+    pkcs11db = dbopen(dbName, readOnly ? NO_RDONLY : NO_RDWR, 0600, DB_HASH, 0);
+
+    /* didn't exist? create it */
+    if (pkcs11db == NULL) {
+	 if (readOnly) 
+	     return NULL;
+
+	 pkcs11db = dbopen( dbName, NO_CREATE, 0600, DB_HASH, 0 );
+	 if (pkcs11db) 
+	     (* pkcs11db->sync)(pkcs11db, 0);
+    }
+    return pkcs11db;
+}
+
+static void 
+secmod_CloseDB(DB *pkcs11db) 
+{
+     (*pkcs11db->close)(pkcs11db);
+}
+
+static char *
+secmod_addEscape(const char *string, char quote)
+{
+    char *newString = 0;
+    int escapes = 0, size = 0;
+    const char *src;
+    char *dest;
+
+    for (src=string; *src ; src++) {
+	if ((*src == quote) || (*src == '\\')) escapes++;
+	size++;
+    }
+
+    newString = PORT_ZAlloc(escapes+size+1); 
+    if (newString == NULL) {
+	return NULL;
+    }
+
+    for (src=string, dest=newString; *src; src++,dest++) {
+	if ((*src == '\\') || (*src == quote)) {
+	    *dest++ = '\\';
+	}
+	*dest = *src;
+    }
+
+    return newString;
+}
+
+SECStatus legacy_AddSecmodDB(const char *appName, const char *filename, 
+			const char *dbname, char *module, PRBool rw);
+
+#define SECMOD_STEP 10
+#define SFTK_DEFAULT_INTERNAL_INIT "library= name=\"NSS Internal PKCS #11 Module\" parameters=\"%s\" NSS=\"Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={%s askpw=any timeout=30})\""
+/*
+ * Read all the existing modules in
+ */
+char **
+legacy_ReadSecmodDB(const char *appName, const char *filename,
+				const char *dbname, char *params, PRBool rw)
+{
+    DBT key,data;
+    int ret;
+    DB *pkcs11db = NULL;
+    char **moduleList = NULL, **newModuleList = NULL;
+    int moduleCount = 1;
+    int useCount = SECMOD_STEP;
+
+    moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
+    if (moduleList == NULL) return NULL;
+
+    pkcs11db = secmod_OpenDB(appName,filename,dbname,PR_TRUE,rw);
+    if (pkcs11db == NULL) goto done;
+
+    /* read and parse the file or data base */
+    ret = (*pkcs11db->seq)(pkcs11db, &key, &data, R_FIRST);
+    if (ret)  goto done;
+
+
+    do {
+	char *moduleString;
+	PRBool internal = PR_FALSE;
+	if ((moduleCount+1) >= useCount) {
+	    useCount += SECMOD_STEP;
+	    newModuleList =
+		(char **)PORT_Realloc(moduleList,useCount*sizeof(char *));
+	    if (newModuleList == NULL) goto done;
+	    moduleList = newModuleList;
+	    PORT_Memset(&moduleList[moduleCount+1],0,
+						sizeof(char *)*SECMOD_STEP);
+	}
+	moduleString = secmod_DecodeData(params,&data,&internal);
+	if (internal) {
+	    moduleList[0] = moduleString;
+	} else {
+	    moduleList[moduleCount] = moduleString;
+	    moduleCount++;
+	}
+    } while ( (*pkcs11db->seq)(pkcs11db, &key, &data, R_NEXT) == 0);
+
+done:
+    if (!moduleList[0]) {
+	char * newparams = secmod_addEscape(params,'"');
+	if (newparams) {
+	    moduleList[0] = PR_smprintf(SFTK_DEFAULT_INTERNAL_INIT,newparams,
+						SECMOD_SLOT_FLAGS);
+	    PORT_Free(newparams);
+	}
+    }
+    /* deal with trust cert db here */
+
+    if (pkcs11db) {
+	secmod_CloseDB(pkcs11db);
+    } else if (moduleList[0] && rw) {
+	legacy_AddSecmodDB(appName,filename,dbname,moduleList[0], rw) ;
+    }
+    if (!moduleList[0]) {
+	PORT_Free(moduleList);
+	moduleList = NULL;
+    }
+    return moduleList;
+}
+
+SECStatus
+legacy_ReleaseSecmodDBData(const char *appName, const char *filename, 
+			const char *dbname, char **moduleSpecList, PRBool rw)
+{
+    if (moduleSpecList) {
+	char **index;
+	for(index = moduleSpecList; *index; index++) {
+	    PR_smprintf_free(*index);
+	}
+	PORT_Free(moduleSpecList);
+    }
+    return SECSuccess;
+}
+
+/*
+ * Delete a module from the Data Base
+ */
+SECStatus
+legacy_DeleteSecmodDB(const char *appName, const char *filename, 
+			const char *dbname, char *args, PRBool rw)
+{
+    DBT key;
+    SECStatus rv = SECFailure;
+    DB *pkcs11db = NULL;
+    int ret;
+
+    if (!rw) return SECFailure;
+
+    /* make sure we have a db handle */
+    pkcs11db = secmod_OpenDB(appName,filename,dbname,PR_FALSE,PR_FALSE);
+    if (pkcs11db == NULL) {
+	return SECFailure;
+    }
+
+    rv = secmod_MakeKey(&key,args);
+    if (rv != SECSuccess) goto done;
+    rv = SECFailure;
+    ret = (*pkcs11db->del)(pkcs11db, &key, 0);
+    secmod_FreeKey(&key);
+    if (ret != 0) goto done;
+
+
+    ret = (*pkcs11db->sync)(pkcs11db, 0);
+    if (ret == 0) rv = SECSuccess;
+
+done:
+    secmod_CloseDB(pkcs11db);
+    return rv;
+}
+
+/*
+ * Add a module to the Data base 
+ */
+SECStatus
+legacy_AddSecmodDB(const char *appName, const char *filename, 
+			const char *dbname, char *module, PRBool rw)
+{
+    DBT key,data;
+    SECStatus rv = SECFailure;
+    DB *pkcs11db = NULL;
+    int ret;
+
+
+    if (!rw) return SECFailure;
+
+    /* make sure we have a db handle */
+    pkcs11db = secmod_OpenDB(appName,filename,dbname,PR_FALSE,PR_FALSE);
+    if (pkcs11db == NULL) {
+	return SECFailure;
+    }
+
+    rv = secmod_MakeKey(&key,module);
+    if (rv != SECSuccess) goto done;
+    rv = secmod_EncodeData(&data,module);
+    if (rv != SECSuccess) {
+	secmod_FreeKey(&key);
+	goto done;
+    }
+    rv = SECFailure;
+    ret = (*pkcs11db->put)(pkcs11db, &key, &data, 0);
+    secmod_FreeKey(&key);
+    secmod_FreeData(&data);
+    if (ret != 0) goto done;
+
+    ret = (*pkcs11db->sync)(pkcs11db, 0);
+    if (ret == 0) rv = SECSuccess;
+
+done:
+    secmod_CloseDB(pkcs11db);
+    return rv;
+}

mozilla/security/nss/lib/softoken/lgglue.c

@@ -0,0 +1,341 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* 
+ *  The following code handles the storage of PKCS 11 modules used by the
+ * NSS. This file is written to abstract away how the modules are
+ * stored so we can deside that later.
+ */
+#include "sftkdb.h"
+#include "sdb.h"
+#include "prsystem.h"
+#include "prprf.h" 
+#include "lgglue.h"
+#include "secerr.h"
+
+static LGOpenFunc legacy_glue_open = NULL;
+static LGReadSecmodFunc legacy_glue_readSecmod = NULL;
+static LGReleaseSecmodFunc legacy_glue_releaseSecmod = NULL;
+static LGDeleteSecmodFunc legacy_glue_deleteSecmod = NULL;
+static LGAddSecmodFunc legacy_glue_addSecmod = NULL;
+static LGShutdownFunc legacy_glue_shutdown = NULL;
+
+/*
+ * The following 3 functions duplicate the work done by bl_LoadLibrary.
+ * We should make bl_LoadLibrary a global and replace the call to
+ * sftkdb_LoadLibrary(const char *libname) with it.
+ */
+#ifdef XP_UNIX
+#include <unistd.h>
+#define LG_MAX_LINKS 20
+static char *
+sftkdb_resolvePath(const char *orig)
+{
+    int count = 0;
+    int len =0;
+    int ret = -1;
+    char *resolved = NULL;
+    char *source = NULL;
+
+    len = 1025; /* MAX PATH +1*/
+    if (strlen(orig)+1 > len) {
+	/* PATH TOO LONG */
+	return NULL;
+    }
+    resolved = PORT_Alloc(len);
+    if (!resolved) {
+	return NULL;
+    }
+    source = PORT_Alloc(len);
+    if (!source) {
+	goto loser;
+    }
+    PORT_Strcpy(source, orig);
+    /* Walk down all the links */
+    while ( count++ < LG_MAX_LINKS) {
+	char *tmp;
+	/* swap our previous sorce out with resolved */
+	/* read it */
+	ret = readlink(source, resolved, len-1);
+	if (ret  < 0) {
+	    break;
+ 	}
+	resolved[ret] = 0;
+	tmp = source; source = resolved; resolved = tmp;
+    }
+    if (count > 1) {
+	ret = 0;
+    }
+loser:
+    if (resolved) {
+	PORT_Free(resolved);
+    }
+    if (ret < 0) {
+	if (source) {
+	    PORT_Free(source);
+	    source = NULL;
+	}
+    }
+    return source;
+}
+
+#endif
+
+static PRLibrary *
+sftkdb_LoadFromPath(const char *path, const char *libname)
+{
+    char *c;
+    int pathLen, nameLen, fullPathLen;
+    char *fullPathName = NULL;
+    PRLibSpec libSpec;
+    PRLibrary *lib = NULL;
+
+
+    /* strip of our parent's library name */ 
+    c = strrchr(path, PR_GetDirectorySeparator());
+    if (!c) {
+	return NULL; /* invalid path */
+    }
+    pathLen = (c-path)+1;
+    nameLen = strlen(libname);
+    fullPathLen = pathLen + nameLen +1;
+    fullPathName = (char *)PORT_Alloc(fullPathLen);
+    if (fullPathName == NULL) {
+	return NULL; /* memory allocation error */
+    }
+    PORT_Memcpy(fullPathName, path, pathLen);
+    PORT_Memcpy(fullPathName+pathLen, libname, nameLen);
+    fullPathName[fullPathLen-1] = 0;
+
+    libSpec.type = PR_LibSpec_Pathname;
+    libSpec.value.pathname = fullPathName;
+    lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
+    PORT_Free(fullPathName);
+    return lib;
+}
+
+static PRLibrary *
+sftkdb_LoadLibrary(const char *libname)
+{
+    PRLibrary *lib = NULL;
+    PRFuncPtr fn_addr;
+    char *parentLibPath = NULL;
+
+    fn_addr  = (PRFuncPtr) &sftkdb_LoadLibrary;
+    parentLibPath = PR_GetLibraryFilePathname(SOFTOKEN_LIB_NAME, fn_addr);
+
+    if (!parentLibPath) {
+	goto done;
+    }
+
+    lib = sftkdb_LoadFromPath(parentLibPath, libname);
+#ifdef XP_UNIX
+    /* handle symbolic link case */
+    if (!lib) {
+	char *trueParentLibPath = sftkdb_resolvePath(parentLibPath);
+	if (!trueParentLibPath) {
+	    goto done;
+	}
+    	lib = sftkdb_LoadFromPath(trueParentLibPath, libname);
+	PORT_Free(trueParentLibPath);
+    }
+#endif
+    PORT_Free(parentLibPath);
+
+done:
+    /* still couldn't load it, try the generic path */
+    if (!lib) {
+	PRLibSpec libSpec;
+	libSpec.type = PR_LibSpec_Pathname;
+	libSpec.value.pathname = libname;
+	lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
+    }
+    return lib;
+}
+
+static PRLibrary *legacy_glue_lib = NULL;
+static SECStatus 
+sftkdbLoad_Legacy()
+{
+    PRLibrary *lib = NULL;
+    LGSetCryptFunc setCryptFunction = NULL;
+
+    if (legacy_glue_lib) {
+	return SECSuccess;
+    }
+
+    lib = sftkdb_LoadLibrary(SHLIB_PREFIX"lgdbm"SHLIB_VERSION"."SHLIB_SUFFIX);
+    if (lib == NULL) {
+	return SECFailure;
+    }
+    
+    legacy_glue_open = (LGOpenFunc)PR_FindFunctionSymbol(lib, "legacy_Open");
+    legacy_glue_readSecmod = (LGReadSecmodFunc) PR_FindFunctionSymbol(lib,
+						 "legacy_ReadSecmodDB");
+    legacy_glue_releaseSecmod = (LGReleaseSecmodFunc) PR_FindFunctionSymbol(lib,
+					 	 "legacy_ReleaseSecmodDBData");
+    legacy_glue_deleteSecmod = (LGDeleteSecmodFunc) PR_FindFunctionSymbol(lib,
+						 "legacy_DeleteSecmodDB");
+    legacy_glue_addSecmod = (LGAddSecmodFunc)PR_FindFunctionSymbol(lib, 
+						 "legacy_AddSecmodDB");
+    legacy_glue_shutdown = (LGShutdownFunc) PR_FindFunctionSymbol(lib, 
+						"legacy_Shutdown");
+    setCryptFunction = (LGSetCryptFunc) PR_FindFunctionSymbol(lib, 
+						"legacy_SetCryptFunctions");
+
+    if (!legacy_glue_open || !legacy_glue_readSecmod || 
+	    !legacy_glue_releaseSecmod || !legacy_glue_deleteSecmod || 
+	    !legacy_glue_addSecmod || !setCryptFunction) {
+	PR_UnloadLibrary(lib);
+	return SECFailure;
+    }
+    setCryptFunction(sftkdb_encrypt_stub,sftkdb_decrypt_stub);
+    legacy_glue_lib = lib;
+    return SECSuccess;
+}
+
+CK_RV
+sftkdbCall_open(const char *dir, const char *certPrefix, const char *keyPrefix, 
+		int certVersion, int keyVersion, int flags, 
+		SDB **certDB, SDB **keyDB)
+{
+    SECStatus rv;
+
+    rv = sftkdbLoad_Legacy();
+    if (rv != SECSuccess) {
+	return CKR_GENERAL_ERROR;
+    }
+    if (!legacy_glue_open) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    return (*legacy_glue_open)(dir, certPrefix, keyPrefix, 
+				certVersion, keyVersion,
+				flags, certDB, keyDB);
+}
+
+char **
+sftkdbCall_ReadSecmodDB(const char *appName, const char *filename, 
+			const char *dbname, char *params, PRBool rw)
+{
+    SECStatus rv;
+
+    rv = sftkdbLoad_Legacy();
+    if (rv != SECSuccess) {
+	return NULL;
+    }
+    if (!legacy_glue_readSecmod) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return NULL;
+    }
+    return (*legacy_glue_readSecmod)(appName, filename, dbname, params, rw);
+}
+
+SECStatus
+sftkdbCall_ReleaseSecmodDBData(const char *appName, 
+			const char *filename, const char *dbname, 
+			char **moduleSpecList, PRBool rw)
+{
+    SECStatus rv;
+
+    rv = sftkdbLoad_Legacy();
+    if (rv != SECSuccess) {
+	return rv;
+    }
+    if (!legacy_glue_releaseSecmod) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    return (*legacy_glue_releaseSecmod)(appName, filename, dbname, 
+					  moduleSpecList, rw);
+}
+
+SECStatus
+sftkdbCall_DeleteSecmodDB(const char *appName, 
+		      const char *filename, const char *dbname, 
+		      char *args, PRBool rw)
+{
+    SECStatus rv;
+
+    rv = sftkdbLoad_Legacy();
+    if (rv != SECSuccess) {
+	return rv;
+    }
+    if (!legacy_glue_deleteSecmod) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    return (*legacy_glue_deleteSecmod)(appName, filename, dbname, args, rw);
+}
+
+SECStatus
+sftkdbCall_AddSecmodDB(const char *appName, 
+		   const char *filename, const char *dbname, 
+		   char *module, PRBool rw)
+{
+    SECStatus rv;
+
+    rv = sftkdbLoad_Legacy();
+    if (rv != SECSuccess) {
+	return rv;
+    }
+    if (!legacy_glue_addSecmod) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    return (*legacy_glue_addSecmod)(appName, filename, dbname, module, rw);
+}
+
+CK_RV
+sftkdbCall_Shutdown(void)
+{
+    CK_RV crv = CKR_OK;
+    if (legacy_glue_lib) {
+	return CKR_OK;
+    }
+    if (legacy_glue_shutdown) {
+	crv = (*legacy_glue_shutdown)();
+    }
+    PR_UnloadLibrary(legacy_glue_lib);
+    legacy_glue_lib = NULL;
+    legacy_glue_open = NULL;
+    legacy_glue_readSecmod = NULL;
+    legacy_glue_releaseSecmod = NULL;
+    legacy_glue_deleteSecmod = NULL;
+    legacy_glue_addSecmod = NULL;
+    return crv;
+}
+    
+

mozilla/security/nss/lib/softoken/lgglue.h

@@ -0,0 +1,92 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* 
+ * This code defines the glue layer between softoken and the legacy DB library
+ */
+#include "sdb.h"
+
+/*
+ * function prototypes for the callbacks into softoken from the legacyDB
+ */
+
+typedef SECStatus (*LGEncryptFunc)(PRArenaPool *arena, SDB *sdb, 
+				  SECItem *plainText, SECItem **cipherText);
+typedef SECStatus (*LGDecryptFunc)(SDB *sdb, SECItem *cipherText, 
+				   SECItem **plainText);
+
+/*
+ * function prototypes for the exported functions.
+ */
+typedef CK_RV (*LGOpenFunc) (const char *dir, const char *certPrefix, 
+		const char *keyPrefix, 
+		int certVersion, int keyVersion, int flags, 
+		SDB **certDB, SDB **keyDB);
+typedef char ** (*LGReadSecmodFunc)(const char *appName, 
+			const char *filename, 
+			const char *dbname, char *params, PRBool rw);
+typedef SECStatus (*LGReleaseSecmodFunc)(const char *appName,
+			const char *filename, 
+			const char *dbname, char **params, PRBool rw);
+typedef SECStatus (*LGDeleteSecmodFunc)(const char *appName,
+			const char *filename, 
+			const char *dbname, char *params, PRBool rw);
+typedef SECStatus (*LGAddSecmodFunc)(const char *appName, 
+			const char *filename, 
+			const char *dbname, char *params, PRBool rw);
+typedef SECStatus (*LGShutdownFunc)(void);
+typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
+
+
+/*
+ * Softoken Glue Functions
+ */
+CK_RV sftkdbCall_open(const char *dir, const char *certPrefix, 
+		const char *keyPrefix, 
+		int certVersion, int keyVersion, int flags, 
+		SDB **certDB, SDB **keyDB);
+char ** sftkdbCall_ReadSecmodDB(const char *appName, const char *filename, 
+			const char *dbname, char *params, PRBool rw);
+SECStatus sftkdbCall_ReleaseSecmodDBData(const char *appName, 
+			const char *filename, const char *dbname, 
+			char **moduleSpecList, PRBool rw);
+SECStatus sftkdbCall_DeleteSecmodDB(const char *appName, 
+		      const char *filename, const char *dbname, 
+		      char *args, PRBool rw);
+SECStatus sftkdbCall_AddSecmodDB(const char *appName, 
+		   const char *filename, const char *dbname, 
+		   char *module, PRBool rw);
+CK_RV sftkdbCall_Shutdown(void);
+

mozilla/security/nss/lib/softoken/lowkey.c

@@ -0,0 +1,517 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "lowkeyi.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "secder.h"
+#include "base64.h"
+#include "secasn1.h"
+#include "secerr.h"
+
+#ifdef NSS_ENABLE_ECC
+#include "softoken.h"
+#endif
+
+const SEC_ASN1Template nsslowkey_AttributeTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 
+	0, NULL, sizeof(NSSLOWKEYAttribute) },
+    { SEC_ASN1_OBJECT_ID, offsetof(NSSLOWKEYAttribute, attrType) },
+    { SEC_ASN1_SET_OF, offsetof(NSSLOWKEYAttribute, attrValue), 
+	SEC_AnyTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_SetOfAttributeTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, nsslowkey_AttributeTemplate },
+};
+/* ASN1 Templates for new decoder/encoder */
+const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) },
+    { SEC_ASN1_INTEGER,
+	offsetof(NSSLOWKEYPrivateKeyInfo,version) },
+    { SEC_ASN1_INLINE,
+	offsetof(NSSLOWKEYPrivateKeyInfo,algorithm),
+	SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_OCTET_STRING,
+	offsetof(NSSLOWKEYPrivateKeyInfo,privateKey) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(NSSLOWKEYPrivateKeyInfo, attributes),
+	nsslowkey_SetOfAttributeTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_PQGParamsTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,prime) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,subPrime) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,base) },
+    { 0, }
+};
+
+const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.version) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.modulus) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.publicExponent) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.privateExponent) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime1) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime2) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent1) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent2) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.coefficient) },
+    { 0 }                                                                     
+};                                                                            
+
+
+const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.publicValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) },
+    { 0, }
+};
+
+const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) },
+};
+
+const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.publicValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.privateValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.base) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.prime) },
+    { 0, }
+};
+
+#ifdef NSS_ENABLE_ECC
+
+/* XXX This is just a placeholder for later when we support
+ * generic curves and need full-blown support for parsing EC
+ * parameters. For now, we only support named curves in which
+ * EC params are simply encoded as an object ID and we don't
+ * use nsslowkey_ECParamsTemplate.
+ */
+const SEC_ASN1Template nsslowkey_ECParamsTemplate[] = {
+    { SEC_ASN1_CHOICE, offsetof(ECParams,type), NULL, sizeof(ECParams) },
+    { SEC_ASN1_OBJECT_ID, offsetof(ECParams,curveOID), NULL, ec_params_named },
+    { 0, }
+};
+
+
+/* NOTE: The SECG specification allows the private key structure
+ * to contain curve parameters but recommends that they be stored
+ * in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
+ * instead.
+ */
+const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.ec.version) },
+    { SEC_ASN1_OCTET_STRING, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.privateValue) },
+    /* XXX The following template works for now since we only
+     * support named curves for which the parameters are
+     * encoded as an object ID. When we support generic curves,
+     * we'll need to define nsslowkey_ECParamsTemplate
+     */
+#if 1
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.ecParams.curveOID), 
+      SEC_ObjectIDTemplate }, 
+#else
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.ecParams), 
+      nsslowkey_ECParamsTemplate }, 
+#endif
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
+      offsetof(NSSLOWKEYPrivateKey,u.ec.publicValue),
+      SEC_BitStringTemplate }, 
+    { 0, }
+};
+#endif /* NSS_ENABLE_ECC */
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+
+void
+prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.rsa.modulus.type = siUnsignedInteger;
+    key->u.rsa.publicExponent.type = siUnsignedInteger;
+    key->u.rsa.privateExponent.type = siUnsignedInteger;
+    key->u.rsa.prime1.type = siUnsignedInteger;
+    key->u.rsa.prime2.type = siUnsignedInteger;
+    key->u.rsa.exponent1.type = siUnsignedInteger;
+    key->u.rsa.exponent2.type = siUnsignedInteger;
+    key->u.rsa.coefficient.type = siUnsignedInteger;
+}
+
+void
+prepare_low_pqg_params_for_asn1(PQGParams *params)
+{
+    params->prime.type = siUnsignedInteger;
+    params->subPrime.type = siUnsignedInteger;
+    params->base.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dsa.publicValue.type = siUnsignedInteger;
+    key->u.dsa.privateValue.type = siUnsignedInteger;
+    key->u.dsa.params.prime.type = siUnsignedInteger;
+    key->u.dsa.params.subPrime.type = siUnsignedInteger;
+    key->u.dsa.params.base.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dsa.privateValue.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dh.prime.type = siUnsignedInteger;
+    key->u.dh.base.type = siUnsignedInteger;
+    key->u.dh.publicValue.type = siUnsignedInteger;
+    key->u.dh.privateValue.type = siUnsignedInteger;
+}
+
+#ifdef NSS_ENABLE_ECC
+void
+prepare_low_ecparams_for_asn1(ECParams *params)
+{
+    params->DEREncoding.type = siUnsignedInteger;
+    params->curveOID.type = siUnsignedInteger;
+}
+
+void
+prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.ec.version.type = siUnsignedInteger;
+    key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
+    key->u.ec.ecParams.curveOID.type = siUnsignedInteger;
+    key->u.ec.privateValue.type = siUnsignedInteger;
+    key->u.ec.publicValue.type = siUnsignedInteger;
+}
+#endif /* NSS_ENABLE_ECC */
+
+void
+nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
+{
+    if (privk && privk->arena) {
+	PORT_FreeArena(privk->arena, PR_TRUE);
+    }
+}
+
+void
+nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk)
+{
+    if (pubk && pubk->arena) {
+	PORT_FreeArena(pubk->arena, PR_FALSE);
+    }
+}
+unsigned
+nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
+{
+    unsigned char b0;
+
+    /* interpret modulus length as key strength... in
+     * fortezza that's the public key length */
+
+    switch (pubk->keyType) {
+    case NSSLOWKEYRSAKey:
+    	b0 = pubk->u.rsa.modulus.data[0];
+    	return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
+    default:
+	break;
+    }
+    return 0;
+}
+
+unsigned
+nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privk)
+{
+
+    unsigned char b0;
+
+    switch (privk->keyType) {
+    case NSSLOWKEYRSAKey:
+	b0 = privk->u.rsa.modulus.data[0];
+	return b0 ? privk->u.rsa.modulus.len : privk->u.rsa.modulus.len - 1;
+    default:
+	break;
+    }
+    return 0;
+}
+
+NSSLOWKEYPublicKey *
+nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
+{
+    NSSLOWKEYPublicKey *pubk;
+    PLArenaPool *arena;
+
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+        PORT_SetError (SEC_ERROR_NO_MEMORY);
+        return NULL;
+    }
+
+    switch(privk->keyType) {
+      case NSSLOWKEYRSAKey:
+      case NSSLOWKEYNullKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						sizeof (NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    if (privk->keyType == NSSLOWKEYNullKey) return pubk;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.rsa.modulus,
+				  &privk->u.rsa.modulus);
+	    if (rv == SECSuccess) {
+		rv = SECITEM_CopyItem (arena, &pubk->u.rsa.publicExponent,
+				       &privk->u.rsa.publicExponent);
+		if (rv == SECSuccess)
+		    return pubk;
+	    }
+	} else {
+	    PORT_SetError (SEC_ERROR_NO_MEMORY);
+	}
+	break;
+      case NSSLOWKEYDSAKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						    sizeof(NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue,
+				  &privk->u.dsa.publicValue);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
+				  &privk->u.dsa.params.prime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
+				  &privk->u.dsa.params.subPrime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
+				  &privk->u.dsa.params.base);
+	    if (rv == SECSuccess) return pubk;
+	}
+	break;
+      case NSSLOWKEYDHKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						    sizeof(NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue,
+				  &privk->u.dh.publicValue);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.prime,
+				  &privk->u.dh.prime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
+				  &privk->u.dh.base);
+	    if (rv == SECSuccess) return pubk;
+	}
+	break;
+#ifdef NSS_ENABLE_ECC
+      case NSSLOWKEYECKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						    sizeof(NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue,
+				  &privk->u.ec.publicValue);
+	    if (rv != SECSuccess) break;
+	    pubk->u.ec.ecParams.arena = arena;
+	    /* Copy the rest of the params */
+	    rv = EC_CopyParams(arena, &(pubk->u.ec.ecParams),
+			       &(privk->u.ec.ecParams));
+	    if (rv == SECSuccess) return pubk;
+	}
+	break;
+#endif /* NSS_ENABLE_ECC */
+	/* No Fortezza in Low Key implementations (Fortezza keys aren't
+	 * stored in our data base */
+    default:
+	break;
+    }
+
+    PORT_FreeArena (arena, PR_FALSE);
+    return NULL;
+}
+
+NSSLOWKEYPrivateKey *
+nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey)
+{
+    NSSLOWKEYPrivateKey *returnKey = NULL;
+    SECStatus rv = SECFailure;
+    PLArenaPool *poolp;
+
+    if(!privKey) {
+	return NULL;
+    }
+
+    poolp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if(!poolp) {
+	return NULL;
+    }
+
+    returnKey = (NSSLOWKEYPrivateKey*)PORT_ArenaZAlloc(poolp, sizeof(NSSLOWKEYPrivateKey));
+    if(!returnKey) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    returnKey->keyType = privKey->keyType;
+    returnKey->arena = poolp;
+
+    switch(privKey->keyType) {
+	case NSSLOWKEYRSAKey:
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.modulus), 
+	    				&(privKey->u.rsa.modulus));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.version), 
+	    				&(privKey->u.rsa.version));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.publicExponent), 
+	    				&(privKey->u.rsa.publicExponent));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.privateExponent), 
+	    				&(privKey->u.rsa.privateExponent));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.prime1), 
+	    				&(privKey->u.rsa.prime1));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.prime2), 
+	    				&(privKey->u.rsa.prime2));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.exponent1), 
+	    				&(privKey->u.rsa.exponent1));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.exponent2), 
+	    				&(privKey->u.rsa.exponent2));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.coefficient), 
+	    				&(privKey->u.rsa.coefficient));
+	    if(rv != SECSuccess) break;
+	    break;
+	case NSSLOWKEYDSAKey:
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.publicValue),
+	    				&(privKey->u.dsa.publicValue));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.privateValue),
+	    				&(privKey->u.dsa.privateValue));
+	    if(rv != SECSuccess) break;
+	    returnKey->u.dsa.params.arena = poolp;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.prime),
+					&(privKey->u.dsa.params.prime));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.subPrime),
+					&(privKey->u.dsa.params.subPrime));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.base),
+					&(privKey->u.dsa.params.base));
+	    if(rv != SECSuccess) break;
+	    break;
+	case NSSLOWKEYDHKey:
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.publicValue),
+	    				&(privKey->u.dh.publicValue));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.privateValue),
+	    				&(privKey->u.dh.privateValue));
+	    if(rv != SECSuccess) break;
+	    returnKey->u.dsa.params.arena = poolp;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.prime),
+					&(privKey->u.dh.prime));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.base),
+					&(privKey->u.dh.base));
+	    if(rv != SECSuccess) break;
+	    break;
+#ifdef NSS_ENABLE_ECC
+	case NSSLOWKEYECKey:
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.version),
+	    				&(privKey->u.ec.version));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.publicValue),
+	    				&(privKey->u.ec.publicValue));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.privateValue),
+	    				&(privKey->u.ec.privateValue));
+	    if(rv != SECSuccess) break;
+	    returnKey->u.ec.ecParams.arena = poolp;
+	    /* Copy the rest of the params */
+	    rv = EC_CopyParams(poolp, &(returnKey->u.ec.ecParams),
+			       &(privKey->u.ec.ecParams));
+	    if (rv != SECSuccess) break;
+	    break;
+#endif /* NSS_ENABLE_ECC */
+	default:
+	    rv = SECFailure;
+    }
+
+loser:
+
+    if(rv != SECSuccess) {
+	PORT_FreeArena(poolp, PR_TRUE);
+	returnKey = NULL;
+    }
+
+    return returnKey;
+}

mozilla/security/nss/lib/softoken/lowkeyi.h

@@ -0,0 +1,108 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id: lowkeyi.h,v 1.10.70.3 2007-02-28 20:44:54 rrelyea%redhat.com Exp $ */
+
+#ifndef _LOWKEYI_H_
+#define _LOWKEYI_H_
+
+#include "prtypes.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "lowkeyti.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+extern void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_pqg_params_for_asn1(PQGParams *params);
+extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+#ifdef NSS_ENABLE_ECC
+extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_ecparams_for_asn1(ECParams *params);
+#endif /* NSS_ENABLE_ECC */
+
+/*
+** Destroy a private key object.
+**	"key" the object
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
+
+/*
+** Destroy a public key object.
+**	"key" the object
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key);
+
+/*
+** Return the modulus length of "pubKey".
+*/
+extern unsigned int nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubKey);
+
+
+/*
+** Return the modulus length of "privKey".
+*/
+extern unsigned int nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privKey);
+
+
+/*
+** Convert a low private key "privateKey" into a public low key
+*/
+extern NSSLOWKEYPublicKey 
+		*nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey);
+
+/* Make a copy of a low private key in it's own arena.
+ * a return of NULL indicates an error.
+ */
+extern NSSLOWKEYPrivateKey *
+nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey);
+
+
+SEC_END_PROTOS
+
+#endif /* _LOWKEYI_H_ */

mozilla/security/nss/lib/softoken/lowkeyti.h

@@ -0,0 +1,127 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifndef _LOWKEYTI_H_
+#define _LOWKEYTI_H_ 1
+
+#include "blapit.h"
+#include "prtypes.h"
+#include "plarena.h"
+#include "secitem.h"
+#include "secasn1t.h"
+#include "secoidt.h"
+
+/*
+** Typedef for callback to get a password "key".
+*/
+extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[];
+extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
+extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[];
+#ifdef NSS_ENABLE_ECC
+#define NSSLOWKEY_EC_PRIVATE_KEY_VERSION   1  /* as per SECG 1 C.4 */
+extern const SEC_ASN1Template nsslowkey_ECParamsTemplate[];
+extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[];
+#endif /* NSS_ENABLE_ECC */
+
+extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
+
+/*
+ * PKCS #8 attributes
+ */
+struct NSSLOWKEYAttributeStr {
+    SECItem attrType;
+    SECItem *attrValue;
+};
+typedef struct NSSLOWKEYAttributeStr NSSLOWKEYAttribute;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct NSSLOWKEYPrivateKeyInfoStr {
+    PLArenaPool *arena;
+    SECItem version;
+    SECAlgorithmID algorithm;
+    SECItem privateKey;
+    NSSLOWKEYAttribute **attributes;
+};
+typedef struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo;
+#define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION	0	/* what we *create* */
+
+typedef enum { 
+    NSSLOWKEYNullKey = 0, 
+    NSSLOWKEYRSAKey = 1, 
+    NSSLOWKEYDSAKey = 2, 
+    NSSLOWKEYDHKey = 4,
+    NSSLOWKEYECKey = 5
+} NSSLOWKEYType;
+
+/*
+** An RSA public key object.
+*/
+struct NSSLOWKEYPublicKeyStr {
+    PLArenaPool *arena;
+    NSSLOWKEYType keyType ;
+    union {
+        RSAPublicKey rsa;
+	DSAPublicKey dsa;
+	DHPublicKey  dh;
+	ECPublicKey  ec;
+    } u;
+};
+typedef struct NSSLOWKEYPublicKeyStr NSSLOWKEYPublicKey;
+
+/*
+** Low Level private key object
+** This is only used by the raw Crypto engines (crypto), keydb (keydb),
+** and PKCS #11. Everyone else uses the high level key structure.
+*/
+struct NSSLOWKEYPrivateKeyStr {
+    PLArenaPool *arena;
+    NSSLOWKEYType keyType;
+    union {
+        RSAPrivateKey rsa;
+	DSAPrivateKey dsa;
+	DHPrivateKey  dh;
+	ECPrivateKey  ec;
+    } u;
+};
+typedef struct NSSLOWKEYPrivateKeyStr NSSLOWKEYPrivateKey;
+
+#endif	/* _LOWKEYTI_H_ */

mozilla/security/nss/lib/softoken/lowpbe.h

@@ -0,0 +1,135 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _SECPKCS5_H_
+#define _SECPKCS5_H_
+
+#include "plarena.h"
+#include "secitem.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "hasht.h"
+
+typedef SECItem * (* SEC_PKCS5GetPBEPassword)(void *arg);
+
+/* used for V2 PKCS 12 Draft Spec */ 
+typedef enum {
+    pbeBitGenIDNull = 0,
+    pbeBitGenCipherKey = 0x01,
+    pbeBitGenCipherIV = 0x02,
+    pbeBitGenIntegrityKey = 0x03
+} PBEBitGenID;
+
+typedef enum {
+    NSSPKCS5_PBKDF1 = 0,
+    NSSPKCS5_PBKDF2 = 1,
+    NSSPKCS5_PKCS12_V2 = 2
+} NSSPKCS5PBEType;
+
+typedef struct NSSPKCS5PBEParameterStr NSSPKCS5PBEParameter;
+
+struct NSSPKCS5PBEParameterStr {
+    PRArenaPool *poolp;
+    SECItem	salt;		/* octet string */
+    SECItem	iteration;	/* integer */
+
+    /* used locally */
+    int		iter;
+    int 	keyLen;
+    int		ivLen;
+    HASH_HashType hashType;
+    NSSPKCS5PBEType pbeType;
+    PBEBitGenID	keyID;
+    SECOidTag	encAlg;
+    PRBool	is2KeyDES;
+};
+
+
+SEC_BEGIN_PROTOS
+/* Create a PKCS5 Algorithm ID
+ * The algorithm ID is set up using the PKCS #5 parameter structure
+ *  algorithm is the PBE algorithm ID for the desired algorithm
+ *  pbe is a pbe param block with all the info needed to create the 
+ *   algorithm id.
+ * If an error occurs or the algorithm specified is not supported 
+ * or is not a password based encryption algorithm, NULL is returned.
+ * Otherwise, a pointer to the algorithm id is returned.
+ */
+extern SECAlgorithmID *
+nsspkcs5_CreateAlgorithmID(PRArenaPool *arena, SECOidTag algorithm, 
+						NSSPKCS5PBEParameter *pbe);
+
+/*
+ * Convert an Algorithm ID to a PBE Param.
+ * NOTE: this does not suppport PKCS 5 v2 because it's only used for the
+ * keyDB which only support PKCS 5 v1, PFX, and PKCS 12.
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_AlgidToParam(SECAlgorithmID *algid);
+
+/*
+ * Convert an Algorithm ID to a PBE Param.
+ * NOTE: this does not suppport PKCS 5 v2 because it's only used for the
+ * keyDB which only support PKCS 5 v1, PFX, and PKCS 12.
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_NewParam(SECOidTag alg, SECItem *salt, int iterator);
+
+
+/* Encrypt/Decrypt data using password based encryption.  
+ *  algid is the PBE algorithm identifier,
+ *  pwitem is the password,
+ *  src is the source for encryption/decryption,
+ *  encrypt is PR_TRUE for encryption, PR_FALSE for decryption.
+ * The key and iv are generated based upon PKCS #5 then the src
+ * is either encrypted or decrypted.  If an error occurs, NULL
+ * is returned, otherwise the ciphered contents is returned.
+ */
+extern SECItem *
+nsspkcs5_CipherData(NSSPKCS5PBEParameter *, SECItem *pwitem,
+		    SECItem *src, PRBool encrypt, PRBool *update);
+
+extern SECItem *
+nsspkcs5_ComputeKeyAndIV(NSSPKCS5PBEParameter *, SECItem *pwitem,
+		    			SECItem *iv, PRBool faulty3DES);
+
+/* Destroys PBE parameter */
+extern void
+nsspkcs5_DestroyPBEParameter(NSSPKCS5PBEParameter *param);
+
+SEC_END_PROTOS
+
+#endif

mozilla/security/nss/lib/softoken/manifest.mn

@@ -0,0 +1,98 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+MODULE = nss
+DIRS = legacydb
+
+REQUIRES = dbm
+
+LIBRARY_NAME = softokn
+LIBRARY_VERSION = 3
+MAPFILE = $(OBJDIR)/softokn.def
+
+DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\"
+
+
+EXPORTS = \
+	pkcs11.h \
+	pkcs11f.h \
+	pkcs11p.h \
+	pkcs11t.h \
+	pkcs11n.h \
+	pkcs11u.h \
+	sdb.h \
+	sftkdbt.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	lgglue.h  \
+	pk11pars.h \
+	pkcs11ni.h \
+	softoken.h \
+	softoknt.h \
+	softkver.h \
+	$(NULL)
+
+CSRCS = \
+	ecdecode.c \
+	fipsaudt.c \
+	fipstest.c \
+	fipstokn.c \
+	lgglue.c   \
+	lowkey.c   \
+	lowpbe.c   \
+	padbuf.c   \
+	pkcs11.c   \
+	pkcs11c.c  \
+	pkcs11u.c  \
+	rsawrapr.c  \
+	sdb.c  \
+	sftkdb.c  \
+	sftkpars.c  \
+	softkver.c  \
+	tlsprf.c   \
+	$(NULL)
+
+ifdef NSS_ENABLE_ECC
+DEFINES += -DNSS_ENABLE_ECC
+endif
+
+ifdef SQLITE_UNSAFE_THREADS
+DEFINES += -DSQLITE_UNSAFE_THREADS
+endif
+

mozilla/security/nss/lib/softoken/padbuf.c

@@ -0,0 +1,80 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "blapit.h"
+#include "secport.h"
+#include "secerr.h"
+
+/*
+ * Prepare a buffer for DES encryption, growing to the appropriate boundary,
+ * filling with the appropriate padding.
+ *
+ * NOTE: If arena is non-NULL, we re-allocate from there, otherwise
+ * we assume (and use) XP memory (re)allocation.
+ */
+unsigned char *
+DES_PadBuffer(PRArenaPool *arena, unsigned char *inbuf, unsigned int inlen,
+	      unsigned int *outlen)
+{
+    unsigned char *outbuf;
+    unsigned int   des_len;
+    unsigned int   i;
+    unsigned char  des_pad_len;
+
+    /*
+     * We need from 1 to DES_KEY_LENGTH bytes -- we *always* grow.
+     * The extra bytes contain the value of the length of the padding:
+     * if we have 2 bytes of padding, then the padding is "0x02, 0x02".
+     */
+    des_len = (inlen + DES_KEY_LENGTH) & ~(DES_KEY_LENGTH - 1);
+
+    if (arena != NULL) {
+	outbuf = (unsigned char*)PORT_ArenaGrow (arena, inbuf, inlen, des_len);
+    } else {
+	outbuf = (unsigned char*)PORT_Realloc (inbuf, des_len);
+    }
+
+    if (outbuf == NULL) {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    des_pad_len = des_len - inlen;
+    for (i = inlen; i < des_len; i++)
+	outbuf[i] = des_pad_len;
+
+    *outlen = des_len;
+    return outbuf;
+}

mozilla/security/nss/lib/softoken/pk11pars.h

@@ -0,0 +1,871 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * The following handles the loading, unloading and management of
+ * various PCKS #11 modules
+ */
+
+
+/*
+ * this header file contains routines for parsing PKCS #11 module spec
+ * strings. It contains 'C' code and should only be included in one module.
+ * Currently it is included in both softoken and the wrapper.
+ */
+#include <ctype.h>
+#include "pkcs11.h"
+#include "seccomon.h"
+#include "prprf.h"
+#include "secmodt.h"
+#include "pk11init.h"
+
+#define SECMOD_ARG_LIBRARY_PARAMETER "library="
+#define SECMOD_ARG_NAME_PARAMETER "name="
+#define SECMOD_ARG_MODULE_PARAMETER "parameters="
+#define SECMOD_ARG_NSS_PARAMETER "NSS="
+#define SECMOD_ARG_FORTEZZA_FLAG "FORTEZZA"
+#define SECMOD_ARG_ESCAPE '\\'
+
+struct secmodargSlotFlagTable {
+    char *name;
+    int len;
+    unsigned long value;
+};
+
+#define SECMOD_DEFAULT_CIPHER_ORDER 0
+#define SECMOD_DEFAULT_TRUST_ORDER 50
+
+
+#define SECMOD_ARG_ENTRY(arg,flag) \
+{ #arg , sizeof(#arg)-1, flag }
+static struct secmodargSlotFlagTable secmod_argSlotFlagTable[] = {
+	SECMOD_ARG_ENTRY(RSA,SECMOD_RSA_FLAG),
+	SECMOD_ARG_ENTRY(DSA,SECMOD_RSA_FLAG),
+	SECMOD_ARG_ENTRY(RC2,SECMOD_RC4_FLAG),
+	SECMOD_ARG_ENTRY(RC4,SECMOD_RC2_FLAG),
+	SECMOD_ARG_ENTRY(DES,SECMOD_DES_FLAG),
+	SECMOD_ARG_ENTRY(DH,SECMOD_DH_FLAG),
+	SECMOD_ARG_ENTRY(FORTEZZA,SECMOD_FORTEZZA_FLAG),
+	SECMOD_ARG_ENTRY(RC5,SECMOD_RC5_FLAG),
+	SECMOD_ARG_ENTRY(SHA1,SECMOD_SHA1_FLAG),
+	SECMOD_ARG_ENTRY(MD5,SECMOD_MD5_FLAG),
+	SECMOD_ARG_ENTRY(MD2,SECMOD_MD2_FLAG),
+	SECMOD_ARG_ENTRY(SSL,SECMOD_SSL_FLAG),
+	SECMOD_ARG_ENTRY(TLS,SECMOD_TLS_FLAG),
+	SECMOD_ARG_ENTRY(AES,SECMOD_AES_FLAG),
+	SECMOD_ARG_ENTRY(Camellia,SECMOD_CAMELLIA_FLAG),
+	SECMOD_ARG_ENTRY(PublicCerts,SECMOD_FRIENDLY_FLAG),
+	SECMOD_ARG_ENTRY(RANDOM,SECMOD_RANDOM_FLAG),
+};
+
+#define SECMOD_HANDLE_STRING_ARG(param,target,value,command) \
+    if (PORT_Strncasecmp(param,value,sizeof(value)-1) == 0) { \
+	param += sizeof(value)-1; \
+	if (target) PORT_Free(target); \
+	target = secmod_argFetchValue(param,&next); \
+	param += next; \
+	command ;\
+    } else  
+
+#define SECMOD_HANDLE_FINAL_ARG(param) \
+    { param = secmod_argSkipParameter(param); } param = secmod_argStrip(param);
+	
+
+static int secmod_argSlotFlagTableSize = 
+	sizeof(secmod_argSlotFlagTable)/sizeof(secmod_argSlotFlagTable[0]);
+
+
+static PRBool secmod_argGetPair(char c) {
+    switch (c) {
+    case '\'': return c;
+    case '\"': return c;
+    case '<': return '>';
+    case '{': return '}';
+    case '[': return ']';
+    case '(': return ')';
+    default: break;
+    }
+    return ' ';
+}
+
+static PRBool secmod_argIsBlank(char c) {
+   return isspace(c);
+}
+
+static PRBool secmod_argIsEscape(char c) {
+    return c == '\\';
+}
+
+static PRBool secmod_argIsQuote(char c) {
+    switch (c) {
+    case '\'':
+    case '\"':
+    case '<':
+    case '{': /* } end curly to keep vi bracket matching working */
+    case '(': /* ) */
+    case '[': /* ] */ return PR_TRUE;
+    default: break;
+    }
+    return PR_FALSE;
+}
+
+static PRBool secmod_argHasChar(char *v, char c)
+{
+   for ( ;*v; v++) {
+	if (*v == c) return PR_TRUE;
+   }
+   return PR_FALSE;
+}
+
+static PRBool secmod_argHasBlanks(char *v)
+{
+   for ( ;*v; v++) {
+	if (secmod_argIsBlank(*v)) return PR_TRUE;
+   }
+   return PR_FALSE;
+}
+
+static char *secmod_argStrip(char *c) {
+   while (*c && secmod_argIsBlank(*c)) c++;
+   return c;
+}
+
+static char *
+secmod_argFindEnd(char *string) {
+    char endChar = ' ';
+    PRBool lastEscape = PR_FALSE;
+
+    if (secmod_argIsQuote(*string)) {
+	endChar = secmod_argGetPair(*string);
+	string++;
+    }
+
+    for (;*string; string++) {
+	if (lastEscape) {
+	    lastEscape = PR_FALSE;
+	    continue;
+	}
+	if (secmod_argIsEscape(*string) && !lastEscape) {
+	    lastEscape = PR_TRUE;
+	    continue;
+	} 
+	if ((endChar == ' ') && secmod_argIsBlank(*string)) break;
+	if (*string == endChar) {
+	    break;
+	}
+    }
+
+    return string;
+}
+
+static char *
+secmod_argFetchValue(char *string, int *pcount)
+{
+    char *end = secmod_argFindEnd(string);
+    char *retString, *copyString;
+    PRBool lastEscape = PR_FALSE;
+    int len;
+
+    len = end - string;
+    if (len == 0) {
+	*pcount = 0;
+	return NULL;
+    }
+
+    copyString = retString = (char *)PORT_Alloc(len+1);
+
+    if (*end) len++;
+    *pcount = len;
+    if (retString == NULL) return NULL;
+
+
+    if (secmod_argIsQuote(*string)) string++;
+    for (; string < end; string++) {
+	if (secmod_argIsEscape(*string) && !lastEscape) {
+	    lastEscape = PR_TRUE;
+	    continue;
+	}
+	lastEscape = PR_FALSE;
+	*copyString++ = *string;
+    }
+    *copyString = 0;
+    return retString;
+}
+
+static char *
+secmod_argSkipParameter(char *string) 
+{
+     char *end;
+     /* look for the end of the <name>= */
+     for (;*string; string++) {
+	if (*string == '=') { string++; break; }
+	if (secmod_argIsBlank(*string)) return(string); 
+     }
+
+     end = secmod_argFindEnd(string);
+     if (*end) end++;
+     return end;
+}
+
+
+static SECStatus
+secmod_argParseModuleSpec(char *modulespec, char **lib, char **mod, 
+					char **parameters, char **nss)
+{
+    int next;
+    modulespec = secmod_argStrip(modulespec);
+
+    *lib = *mod = *parameters = *nss = 0;
+
+    while (*modulespec) {
+	SECMOD_HANDLE_STRING_ARG(modulespec,*lib,SECMOD_ARG_LIBRARY_PARAMETER,;)
+	SECMOD_HANDLE_STRING_ARG(modulespec,*mod,SECMOD_ARG_NAME_PARAMETER,;)
+	SECMOD_HANDLE_STRING_ARG(modulespec,*parameters,
+						SECMOD_ARG_MODULE_PARAMETER,;)
+	SECMOD_HANDLE_STRING_ARG(modulespec,*nss,SECMOD_ARG_NSS_PARAMETER,;)
+	SECMOD_HANDLE_FINAL_ARG(modulespec)
+   }
+   return SECSuccess;
+}
+
+
+static char *
+secmod_argGetParamValue(char *paramName,char *parameters)
+{
+    char searchValue[256];
+    int paramLen = strlen(paramName);
+    char *returnValue = NULL;
+    int next;
+
+    if ((parameters == NULL) || (*parameters == 0)) return NULL;
+
+    PORT_Assert(paramLen+2 < sizeof(searchValue));
+
+    PORT_Strcpy(searchValue,paramName);
+    PORT_Strcat(searchValue,"=");
+    while (*parameters) {
+	if (PORT_Strncasecmp(parameters,searchValue,paramLen+1) == 0) {
+	    parameters += paramLen+1;
+	    returnValue = secmod_argFetchValue(parameters,&next);
+	    break;
+	} else {
+	    parameters = secmod_argSkipParameter(parameters);
+	}
+	parameters = secmod_argStrip(parameters);
+   }
+   return returnValue;
+}
+    
+
+static char *
+secmod_argNextFlag(char *flags)
+{
+    for (; *flags ; flags++) {
+	if (*flags == ',') {
+	    flags++;
+	    break;
+	}
+    }
+    return flags;
+}
+
+static PRBool
+secmod_argHasFlag(char *label, char *flag, char *parameters)
+{
+    char *flags,*index;
+    int len = strlen(flag);
+    PRBool found = PR_FALSE;
+
+    flags = secmod_argGetParamValue(label,parameters);
+    if (flags == NULL) return PR_FALSE;
+
+    for (index=flags; *index; index=secmod_argNextFlag(index)) {
+	if (PORT_Strncasecmp(index,flag,len) == 0) {
+	    found=PR_TRUE;
+	    break;
+	}
+    }
+    PORT_Free(flags);
+    return found;
+}
+
+static void
+secmod_argSetNewCipherFlags(unsigned long *newCiphers,char *cipherList)
+{
+    newCiphers[0] = newCiphers[1] = 0;
+    if ((cipherList == NULL) || (*cipherList == 0)) return;
+
+    for (;*cipherList; cipherList=secmod_argNextFlag(cipherList)) {
+	if (PORT_Strncasecmp(cipherList,SECMOD_ARG_FORTEZZA_FLAG,
+				sizeof(SECMOD_ARG_FORTEZZA_FLAG)-1) == 0) {
+	    newCiphers[0] |= SECMOD_FORTEZZA_FLAG;
+	} 
+
+	/* add additional flags here as necessary */
+	/* direct bit mapping escape */
+	if (*cipherList == 0) {
+	   if (cipherList[1] == 'l') {
+		newCiphers[1] |= atoi(&cipherList[2]);
+	   } else {
+		newCiphers[0] |= atoi(&cipherList[2]);
+	   }
+	}
+    }
+}
+
+
+/*
+ * decode a number. handle octal (leading '0'), hex (leading '0x') or decimal
+ */
+static long
+secmod_argDecodeNumber(char *num)
+{
+    int	radix = 10;
+    unsigned long value = 0;
+    long retValue = 0;
+    int sign = 1;
+    int digit;
+
+    if (num == NULL) return retValue;
+
+    num = secmod_argStrip(num);
+
+    if (*num == '-') {
+	sign = -1;
+	num++;
+    }
+
+    if (*num == '0') {
+	radix = 8;
+	num++;
+	if ((*num == 'x') || (*num == 'X')) {
+	    radix = 16;
+	    num++;
+	}
+    }
+
+   
+    for ( ;*num; num++ ) {
+	if (isdigit(*num)) {
+	    digit = *num - '0';
+	} else if ((*num >= 'a') && (*num <= 'f'))  {
+	    digit = *num - 'a' + 10;
+	} else if ((*num >= 'A') && (*num <= 'F'))  {
+	    digit = *num - 'A' + 10;
+	} else {
+	    break;
+	}
+	if (digit >= radix) break;
+	value = value*radix + digit;
+    }
+
+    retValue = ((int) value) * sign;
+    return retValue;
+}
+
+static long
+secmod_argReadLong(char *label,char *params, long defValue, PRBool *isdefault)
+{
+    char *value;
+    long retValue;
+    if (isdefault) *isdefault = PR_FALSE; 
+
+    value = secmod_argGetParamValue(label,params);
+    if (value == NULL) {
+	if (isdefault) *isdefault = PR_TRUE;
+	return defValue;
+    }
+    retValue = secmod_argDecodeNumber(value);
+    if (value) PORT_Free(value);
+
+    return retValue;
+}
+
+
+static unsigned long
+secmod_argSlotFlags(char *label,char *params)
+{
+    char *flags,*index;
+    unsigned long retValue = 0;
+    int i;
+    PRBool all = PR_FALSE;
+
+    flags = secmod_argGetParamValue(label,params);
+    if (flags == NULL) return 0;
+
+    if (PORT_Strcasecmp(flags,"all") == 0) all = PR_TRUE;
+
+    for (index=flags; *index; index=secmod_argNextFlag(index)) {
+	for (i=0; i < secmod_argSlotFlagTableSize; i++) {
+	    if (all || (PORT_Strncasecmp(index, secmod_argSlotFlagTable[i].name,
+				secmod_argSlotFlagTable[i].len) == 0)) {
+		retValue |= secmod_argSlotFlagTable[i].value;
+	    }
+	}
+    }
+    PORT_Free(flags);
+    return retValue;
+}
+
+
+static void
+secmod_argDecodeSingleSlotInfo(char *name, char *params, 
+                               PK11PreSlotInfo *slotInfo)
+{
+    char *askpw;
+
+    slotInfo->slotID=secmod_argDecodeNumber(name);
+    slotInfo->defaultFlags=secmod_argSlotFlags("slotFlags",params);
+    slotInfo->timeout=secmod_argReadLong("timeout",params, 0, NULL);
+
+    askpw = secmod_argGetParamValue("askpw",params);
+    slotInfo->askpw = 0;
+
+    if (askpw) {
+	if (PORT_Strcasecmp(askpw,"every") == 0) {
+    	    slotInfo->askpw = -1;
+	} else if (PORT_Strcasecmp(askpw,"timeout") == 0) {
+    	    slotInfo->askpw = 1;
+	} 
+	PORT_Free(askpw);
+	slotInfo->defaultFlags |= PK11_OWN_PW_DEFAULTS;
+    }
+    slotInfo->hasRootCerts = secmod_argHasFlag("rootFlags", "hasRootCerts", 
+                                               params);
+    slotInfo->hasRootTrust = secmod_argHasFlag("rootFlags", "hasRootTrust", 
+                                               params);
+}
+
+static char *
+secmod_argGetName(char *inString, int *next) 
+{
+    char *name=NULL;
+    char *string;
+    int len;
+
+    /* look for the end of the <name>= */
+    for (string = inString;*string; string++) {
+	if (*string == '=') { break; }
+	if (secmod_argIsBlank(*string)) break;
+    }
+
+    len = string - inString;
+
+    *next = len; 
+    if (*string == '=') (*next) += 1;
+    if (len > 0) {
+	name = PORT_Alloc(len+1);
+	PORT_Strncpy(name,inString,len);
+	name[len] = 0;
+    }
+    return name;
+}
+
+static PK11PreSlotInfo *
+secmod_argParseSlotInfo(PRArenaPool *arena, char *slotParams, int *retCount)
+{
+    char *slotIndex;
+    PK11PreSlotInfo *slotInfo = NULL;
+    int i=0,count = 0,next;
+
+    *retCount = 0;
+    if ((slotParams == NULL) || (*slotParams == 0))  return NULL;
+
+    /* first count the number of slots */
+    for (slotIndex = secmod_argStrip(slotParams); *slotIndex; 
+	 slotIndex = secmod_argStrip(secmod_argSkipParameter(slotIndex))) {
+	count++;
+    }
+
+    /* get the data structures */
+    if (arena) {
+	slotInfo = (PK11PreSlotInfo *) 
+			PORT_ArenaAlloc(arena,count*sizeof(PK11PreSlotInfo));
+	PORT_Memset(slotInfo,0,count*sizeof(PK11PreSlotInfo));
+    } else {
+	slotInfo = (PK11PreSlotInfo *) 
+			PORT_ZAlloc(count*sizeof(PK11PreSlotInfo));
+    }
+    if (slotInfo == NULL) return NULL;
+
+    for (slotIndex = secmod_argStrip(slotParams), i = 0; 
+					*slotIndex && i < count ; ) {
+	char *name;
+	name = secmod_argGetName(slotIndex,&next);
+	slotIndex += next;
+
+	if (!secmod_argIsBlank(*slotIndex)) {
+	    char *args = secmod_argFetchValue(slotIndex,&next);
+	    slotIndex += next;
+	    if (args) {
+		secmod_argDecodeSingleSlotInfo(name,args,&slotInfo[i]);
+		i++;
+		PORT_Free(args);
+	    }
+	}
+	if (name) PORT_Free(name);
+	slotIndex = secmod_argStrip(slotIndex);
+    }
+    *retCount = i;
+    return slotInfo;
+}
+
+static char *secmod_nullString = "";
+
+static char *
+secmod_formatValue(PRArenaPool *arena, char *value, char quote)
+{
+    char *vp,*vp2,*retval;
+    int size = 0, escapes = 0;
+
+    for (vp=value; *vp ;vp++) {
+	if ((*vp == quote) || (*vp == SECMOD_ARG_ESCAPE)) escapes++;
+	size++;
+    }
+    if (arena) {
+	retval = PORT_ArenaZAlloc(arena,size+escapes+1);
+    } else {
+	retval = PORT_ZAlloc(size+escapes+1);
+    }
+    if (retval == NULL) return NULL;
+    vp2 = retval;
+    for (vp=value; *vp; vp++) {
+	if ((*vp == quote) || (*vp == SECMOD_ARG_ESCAPE)) 
+				*vp2++ = SECMOD_ARG_ESCAPE;
+	*vp2++ = *vp;
+    }
+    return retval;
+}
+    
+static char *secmod_formatPair(char *name,char *value, char quote)
+{
+    char openQuote = quote;
+    char closeQuote = secmod_argGetPair(quote);
+    char *newValue = NULL;
+    char *returnValue;
+    PRBool need_quote = PR_FALSE;
+
+    if (!value || (*value == 0)) return secmod_nullString;
+
+    if (secmod_argHasBlanks(value) || secmod_argIsQuote(value[0]))
+							 need_quote=PR_TRUE;
+
+    if ((need_quote && secmod_argHasChar(value,closeQuote))
+				 || secmod_argHasChar(value,SECMOD_ARG_ESCAPE)) {
+	value = newValue = secmod_formatValue(NULL, value,quote);
+	if (newValue == NULL) return secmod_nullString;
+    }
+    if (need_quote) {
+    	returnValue = PR_smprintf("%s=%c%s%c",name,openQuote,value,closeQuote);
+    } else {
+    	returnValue = PR_smprintf("%s=%s",name,value);
+    }
+    if (returnValue == NULL) returnValue = secmod_nullString;
+
+    if (newValue) PORT_Free(newValue);
+
+    return returnValue;
+}
+
+static char *secmod_formatIntPair(char *name, unsigned long value, 
+                                  unsigned long def)
+{
+    char *returnValue;
+
+    if (value == def) return secmod_nullString;
+
+    returnValue = PR_smprintf("%s=%d",name,value);
+
+    return returnValue;
+}
+
+static void
+secmod_freePair(char *pair)
+{
+    if (pair && pair != secmod_nullString) {
+	PR_smprintf_free(pair);
+    }
+}
+
+#define MAX_FLAG_SIZE  sizeof("internal")+sizeof("FIPS")+sizeof("moduleDB")+\
+				sizeof("moduleDBOnly")+sizeof("critical")
+static char *
+secmod_mkNSSFlags(PRBool internal, PRBool isFIPS,
+		PRBool isModuleDB, PRBool isModuleDBOnly, PRBool isCritical)
+{
+    char *flags = (char *)PORT_ZAlloc(MAX_FLAG_SIZE);
+    PRBool first = PR_TRUE;
+
+    PORT_Memset(flags,0,MAX_FLAG_SIZE);
+    if (internal) {
+	PORT_Strcat(flags,"internal");
+	first = PR_FALSE;
+    }
+    if (isFIPS) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"FIPS");
+	first = PR_FALSE;
+    }
+    if (isModuleDB) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"moduleDB");
+	first = PR_FALSE;
+    }
+    if (isModuleDBOnly) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"moduleDBOnly");
+	first = PR_FALSE;
+    }
+    if (isCritical) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"critical");
+	first = PR_FALSE;
+    }
+    return flags;
+}
+
+static char *
+secmod_mkCipherFlags(unsigned long ssl0, unsigned long ssl1)
+{
+    char *cipher = NULL;
+    int i;
+
+    for (i=0; i < sizeof(ssl0)*8; i++) {
+	if (ssl0 & (1<<i)) {
+	    char *string;
+	    if ((1<<i) == SECMOD_FORTEZZA_FLAG) {
+		string = PR_smprintf("%s","FORTEZZA");
+	    } else {
+		string = PR_smprintf("0h0x%08x",1<<i);
+	    }
+	    if (cipher) {
+		char *tmp;
+		tmp = PR_smprintf("%s,%s",cipher,string);
+		PR_smprintf_free(cipher);
+		PR_smprintf_free(string);
+		cipher = tmp;
+	    } else {
+		cipher = string;
+	    }
+	}
+    }
+    for (i=0; i < sizeof(ssl0)*8; i++) {
+	if (ssl1 & (1<<i)) {
+	    if (cipher) {
+		char *tmp;
+		tmp = PR_smprintf("%s,0l0x%08x",cipher,1<<i);
+		PR_smprintf_free(cipher);
+		cipher = tmp;
+	    } else {
+		cipher = PR_smprintf("0l0x%08x",1<<i);
+	    }
+	}
+    }
+
+    return cipher;
+}
+
+static char *
+secmod_mkSlotFlags(unsigned long defaultFlags)
+{
+    char *flags=NULL;
+    int i,j;
+
+    for (i=0; i < sizeof(defaultFlags)*8; i++) {
+	if (defaultFlags & (1<<i)) {
+	    char *string = NULL;
+
+	    for (j=0; j < secmod_argSlotFlagTableSize; j++) {
+		if (secmod_argSlotFlagTable[j].value == ( 1UL << i )) {
+		    string = secmod_argSlotFlagTable[j].name;
+		    break;
+		}
+	    }
+	    if (string) {
+		if (flags) {
+		    char *tmp;
+		    tmp = PR_smprintf("%s,%s",flags,string);
+		    PR_smprintf_free(flags);
+		    flags = tmp;
+		} else {
+		    flags = PR_smprintf("%s",string);
+		}
+	    }
+	}
+    }
+
+    return flags;
+}
+
+#define SECMOD_MAX_ROOT_FLAG_SIZE  sizeof("hasRootCerts")+sizeof("hasRootTrust")
+
+static char *
+secmod_mkRootFlags(PRBool hasRootCerts, PRBool hasRootTrust)
+{
+    char *flags= (char *)PORT_ZAlloc(SECMOD_MAX_ROOT_FLAG_SIZE);
+    PRBool first = PR_TRUE;
+
+    PORT_Memset(flags,0,SECMOD_MAX_ROOT_FLAG_SIZE);
+    if (hasRootCerts) {
+	PORT_Strcat(flags,"hasRootCerts");
+	first = PR_FALSE;
+    }
+    if (hasRootTrust) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"hasRootTrust");
+	first = PR_FALSE;
+    }
+    return flags;
+}
+
+static char *
+secmod_mkSlotString(unsigned long slotID, unsigned long defaultFlags,
+		  unsigned long timeout, unsigned char askpw_in,
+		  PRBool hasRootCerts, PRBool hasRootTrust) {
+    char *askpw,*flags,*rootFlags,*slotString;
+    char *flagPair,*rootFlagsPair;
+	
+    switch (askpw_in) {
+    case 0xff:
+	askpw = "every";
+	break;
+    case 1:
+	askpw = "timeout";
+	break;
+    default:
+	askpw = "any";
+	break;
+    }
+    flags = secmod_mkSlotFlags(defaultFlags);
+    rootFlags = secmod_mkRootFlags(hasRootCerts,hasRootTrust);
+    flagPair=secmod_formatPair("slotFlags",flags,'\'');
+    rootFlagsPair=secmod_formatPair("rootFlags",rootFlags,'\'');
+    if (flags) PR_smprintf_free(flags);
+    if (rootFlags) PORT_Free(rootFlags);
+    if (defaultFlags & PK11_OWN_PW_DEFAULTS) {
+    	slotString = PR_smprintf("0x%08lx=[%s askpw=%s timeout=%d %s]",
+				(PRUint32)slotID,flagPair,askpw,timeout,
+				rootFlagsPair);
+    } else {
+    	slotString = PR_smprintf("0x%08lx=[%s %s]",
+				(PRUint32)slotID,flagPair,rootFlagsPair);
+    }
+    secmod_freePair(flagPair);
+    secmod_freePair(rootFlagsPair);
+    return slotString;
+}
+
+static char *
+secmod_mkNSS(char **slotStrings, int slotCount, PRBool internal, PRBool isFIPS,
+	  PRBool isModuleDB,  PRBool isModuleDBOnly, PRBool isCritical, 
+	  unsigned long trustOrder, unsigned long cipherOrder,
+				unsigned long ssl0, unsigned long ssl1) {
+    int slotLen, i;
+    char *slotParams, *ciphers, *nss, *nssFlags, *tmp;
+    char *trustOrderPair,*cipherOrderPair,*slotPair,*cipherPair,*flagPair;
+
+
+    /* now let's build up the string
+     * first the slot infos
+     */
+    slotLen=0;
+    for (i=0; i < (int)slotCount; i++) {
+	slotLen += PORT_Strlen(slotStrings[i])+1;
+    }
+    slotLen += 1; /* space for the final NULL */
+
+    slotParams = (char *)PORT_ZAlloc(slotLen);
+    PORT_Memset(slotParams,0,slotLen);
+    for (i=0; i < (int)slotCount; i++) {
+	PORT_Strcat(slotParams,slotStrings[i]);
+	PORT_Strcat(slotParams," ");
+	PR_smprintf_free(slotStrings[i]);
+	slotStrings[i]=NULL;
+    }
+    
+    /*
+     * now the NSS structure
+     */
+    nssFlags = secmod_mkNSSFlags(internal,isFIPS,isModuleDB,isModuleDBOnly,
+							isCritical); 
+	/* for now only the internal module is critical */
+    ciphers = secmod_mkCipherFlags(ssl0, ssl1);
+
+    trustOrderPair=secmod_formatIntPair("trustOrder",trustOrder,
+					SECMOD_DEFAULT_TRUST_ORDER);
+    cipherOrderPair=secmod_formatIntPair("cipherOrder",cipherOrder,
+					SECMOD_DEFAULT_CIPHER_ORDER);
+    slotPair=secmod_formatPair("slotParams",slotParams,'{'); /* } */
+    if (slotParams) PORT_Free(slotParams);
+    cipherPair=secmod_formatPair("ciphers",ciphers,'\'');
+    if (ciphers) PR_smprintf_free(ciphers);
+    flagPair=secmod_formatPair("Flags",nssFlags,'\'');
+    if (nssFlags) PORT_Free(nssFlags);
+    nss = PR_smprintf("%s %s %s %s %s",trustOrderPair,
+			cipherOrderPair,slotPair,cipherPair,flagPair);
+    secmod_freePair(trustOrderPair);
+    secmod_freePair(cipherOrderPair);
+    secmod_freePair(slotPair);
+    secmod_freePair(cipherPair);
+    secmod_freePair(flagPair);
+    tmp = secmod_argStrip(nss);
+    if (*tmp == '\0') {
+	PR_smprintf_free(nss);
+	nss = NULL;
+    }
+    return nss;
+}
+
+static char *
+secmod_mkNewModuleSpec(char *dllName, char *commonName, char *parameters, 
+								char *NSS) {
+    char *moduleSpec;
+    char *lib,*name,*param,*nss;
+
+    /*
+     * now the final spec
+     */
+    lib = secmod_formatPair("library",dllName,'\"');
+    name = secmod_formatPair("name",commonName,'\"');
+    param = secmod_formatPair("parameters",parameters,'\"');
+    nss = secmod_formatPair("NSS",NSS,'\"');
+    moduleSpec = PR_smprintf("%s %s %s %s", lib,name,param,nss);
+    secmod_freePair(lib);
+    secmod_freePair(name);
+    secmod_freePair(param);
+    secmod_freePair(nss);
+    return (moduleSpec);
+}
+

mozilla/security/nss/lib/softoken/pkcs11.h

@@ -0,0 +1,323 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   RSA Labs
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security In.c Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ *
+ * The latest version of this header can be found at:
+ *    http://www.rsalabs.com/pkcs/pkcs-11/index.html
+ */
+#ifndef _PKCS11_H_
+#define _PKCS11_H_ 1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Before including this file (pkcs11.h) (or pkcs11t.h by
+ * itself), 6 platform-specific macros must be defined.  These
+ * macros are described below, and typical definitions for them
+ * are also given.  Be advised that these definitions can depend
+ * on both the platform and the compiler used (and possibly also
+ * on whether a PKCS #11 library is linked statically or
+ * dynamically).
+ *
+ * In addition to defining these 6 macros, the packing convention
+ * for PKCS #11 structures should be set.  The PKCS #11
+ * convention on packing is that structures should be 1-byte
+ * aligned.
+ *
+ * In a Win32 environment, this might be done by using the
+ * following preprocessor directive before including pkcs11.h
+ * or pkcs11t.h:
+ *
+ * #pragma pack(push, cryptoki, 1)
+ *
+ * and using the following preprocessor directive after including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(pop, cryptoki)
+ *
+ * In a Win16 environment, this might be done by using the
+ * following preprocessor directive before including pkcs11.h
+ * or pkcs11t.h:
+ *
+ * #pragma pack(1)
+ *
+ * In a UNIX environment, you're on your own here.  You might
+ * not need to do anything.
+ *
+ *
+ * Now for the macros:
+ *
+ *
+ * 1. CK_PTR: The indirection string for making a pointer to an
+ * object.  It can be used like this:
+ *
+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+ *
+ * In a Win32 environment, it might be defined by
+ *
+ * #define CK_PTR *
+ *
+ * In a Win16 environment, it might be defined by
+ *
+ * #define CK_PTR far *
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_PTR *
+ *
+ *
+ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
+ * an exportable PKCS #11 library function definition out of a
+ * return type and a function name.  It should be used in the
+ * following fashion to define the exposed PKCS #11 functions in
+ * a PKCS #11 library:
+ *
+ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
+ *   CK_VOID_PTR pReserved
+ * )
+ * {
+ *   ...
+ * }
+ *
+ * For defining a function in a Win32 PKCS #11 .dll, it might be
+ * defined by
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType __declspec(dllexport) name
+ *
+ * For defining a function in a Win16 PKCS #11 .dll, it might be
+ * defined by
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType name
+ *
+ *
+ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
+ * an importable PKCS #11 library function declaration out of a
+ * return type and a function name.  It should be used in the
+ * following fashion:
+ *
+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
+ *   CK_VOID_PTR pReserved
+ * );
+ *
+ * For declaring a function in a Win32 PKCS #11 .dll, it might
+ * be defined by
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __declspec(dllimport) name
+ *
+ * For declaring a function in a Win16 PKCS #11 .dll, it might
+ * be defined by
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType name
+ *
+ *
+ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
+ * which makes a PKCS #11 API function pointer declaration or
+ * function pointer type declaration out of a return type and a
+ * function name.  It should be used in the following fashion:
+ *
+ * // Define funcPtr to be a pointer to a PKCS #11 API function
+ * // taking arguments args and returning CK_RV.
+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
+ *
+ * or
+ *
+ * // Define funcPtrType to be the type of a pointer to a
+ * // PKCS #11 API function taking arguments args and returning
+ * // CK_RV, and then define funcPtr to be a variable of type
+ * // funcPtrType.
+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
+ * funcPtrType funcPtr;
+ *
+ * For accessing functions in a Win32 PKCS #11 .dll, in might be
+ * defined by
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __declspec(dllimport) (* name)
+ *
+ * For accessing functions in a Win16 PKCS #11 .dll, it might be
+ * defined by
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __export _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
+ * a function pointer type for an application callback out of
+ * a return type for the callback and a name for the callback.
+ * It should be used in the following fashion:
+ *
+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
+ *
+ * to declare a function pointer, myCallback, to a callback
+ * which takes arguments args and returns a CK_RV.  It can also
+ * be used like this:
+ *
+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
+ * myCallbackType myCallback;
+ *
+ * In a Win32 environment, it might be defined by
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ * In a Win16 environment, it might be defined by
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 6. NULL_PTR: This macro is the value of a NULL pointer.
+ *
+ * In any ANSI/ISO C environment (and in many others as well),
+ * this should be defined by
+ *
+ * #ifndef NULL_PTR
+ * #define NULL_PTR 0
+ * #endif
+ */
+
+
+/* All the various PKCS #11 types and #define'd values are in the
+ * file pkcs11t.h. */
+#include "pkcs11t.h"
+
+#define __PASTE(x,y)      x##y
+
+
+/* packing defines */
+#include "pkcs11p.h"
+/* ==============================================================
+ * Define the "extern" form of all the entry points.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  CK_DECLARE_FUNCTION(CK_RV, name)
+
+/* pkcs11f.h has all the information about the PKCS #11
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define the typedef form of all the entry points.  That is, for
+ * each PKCS #11 function C_XXX, define a type CK_C_XXX which is
+ * a pointer to that kind of function.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
+
+/* pkcs11f.h has all the information about the PKCS #11
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define structed vector of entry points.  A CK_FUNCTION_LIST
+ * contains a CK_VERSION indicating a library's PKCS #11 version
+ * and then a whole slew of function pointers to the routines in
+ * the library.  This type was declared, but not defined, in
+ * pkcs11t.h.
+ * ==============================================================
+ */
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  __PASTE(CK_,name) name;
+  
+struct CK_FUNCTION_LIST {
+
+  CK_VERSION    version;  /* PKCS #11 version */
+
+/* Pile all the function pointers into the CK_FUNCTION_LIST. */
+/* pkcs11f.h has all the information about the PKCS #11
+ * function prototypes. */
+#include "pkcs11f.h" 
+
+};
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+#undef __PASTE
+
+/* unpack */
+#include "pkcs11u.h"
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

mozilla/security/nss/lib/softoken/pkcs11f.h

@@ -0,0 +1,937 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * RSA Security INC.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security In.c Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ */
+/* This function contains pretty much everything about all the */
+/* PKCS #11  function prototypes.  Because this information is */
+/* used for more than just declaring function prototypes, the */
+/* order of the functions appearing herein is important, and */
+/* should not be altered. */
+
+
+
+/* General-purpose */
+
+/* C_Initialize initializes the PKCS #11 library. */
+CK_PKCS11_FUNCTION_INFO(C_Initialize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
+                            * cast to CK_C_INITIALIZE_ARGS_PTR
+                            * and dereferenced */
+);
+#endif
+
+
+/* C_Finalize indicates that an application is done with the
+ * PKCS #11 library. */
+CK_PKCS11_FUNCTION_INFO(C_Finalize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
+);
+#endif
+
+
+/* C_GetInfo returns general information about PKCS #11. */
+CK_PKCS11_FUNCTION_INFO(C_GetInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_INFO_PTR   pInfo  /* location that receives information */
+);
+#endif
+
+
+/* C_GetFunctionList returns the function list. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
+                                            * function list */
+);
+#endif
+
+
+
+/* Slot and token management */
+
+/* C_GetSlotList obtains a list of slots in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_BBOOL       tokenPresent,  /* only slots with tokens? */
+  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
+  CK_ULONG_PTR   pulCount       /* receives number of slots */
+);
+#endif
+
+
+/* C_GetSlotInfo obtains information about a particular slot in
+ * the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID       slotID,  /* the ID of the slot */
+  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
+);
+#endif
+
+
+/* C_GetTokenInfo obtains information about a particular token
+ * in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID        slotID,  /* ID of the token's slot */
+  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
+);
+#endif
+
+
+/* C_GetMechanismList obtains a list of mechanism types
+ * supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,          /* ID of token's slot */
+  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
+  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
+);
+#endif
+
+
+/* C_GetMechanismInfo obtains information about a particular
+ * mechanism possibly supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,  /* ID of the token's slot */
+  CK_MECHANISM_TYPE     type,    /* type of mechanism */
+  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
+);
+#endif
+
+
+/* C_InitToken initializes a token. */
+CK_PKCS11_FUNCTION_INFO(C_InitToken)
+#ifdef CK_NEED_ARG_LIST
+/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
+(
+  CK_SLOT_ID         slotID,    /* ID of the token's slot */
+  CK_UTF8CHAR_PTR    pPin,      /* the SO's initial PIN */
+  CK_ULONG           ulPinLen,  /* length in bytes of the PIN */
+  CK_UTF8CHAR_PTR    pLabel     /* 32-byte token label (blank padded) */
+);
+#endif
+
+
+/* C_InitPIN initializes the normal user's PIN. */
+CK_PKCS11_FUNCTION_INFO(C_InitPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
+  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
+);
+#endif
+
+
+/* C_SetPIN modifies the PIN of the user who is logged in. */
+CK_PKCS11_FUNCTION_INFO(C_SetPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
+  CK_ULONG          ulOldLen,  /* length of the old PIN */
+  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
+  CK_ULONG          ulNewLen   /* length of the new PIN */
+);
+#endif
+
+
+
+/* Session management */
+
+/* C_OpenSession opens a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_OpenSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,        /* the slot's ID */
+  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
+  CK_VOID_PTR           pApplication,  /* passed to callback */
+  CK_NOTIFY             Notify,        /* callback function */
+  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
+);
+#endif
+
+
+/* C_CloseSession closes a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CloseAllSessions closes all sessions with a token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID     slotID  /* the token's slot */
+);
+#endif
+
+
+/* C_GetSessionInfo obtains information about the session. */
+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE   hSession,  /* the session's handle */
+  CK_SESSION_INFO_PTR pInfo      /* receives session info */
+);
+#endif
+
+
+/* C_GetOperationState obtains the state of the cryptographic operation
+ * in a session. */
+CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,             /* session's handle */
+  CK_BYTE_PTR       pOperationState,      /* gets state */
+  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
+);
+#endif
+
+
+/* C_SetOperationState restores the state of the cryptographic
+ * operation in a session. */
+CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR      pOperationState,      /* holds state */
+  CK_ULONG         ulOperationStateLen,  /* holds state length */
+  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
+  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
+);
+#endif
+
+
+/* C_Login logs a user into a token. */
+CK_PKCS11_FUNCTION_INFO(C_Login)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_USER_TYPE      userType,  /* the user type */
+  CK_UTF8CHAR_PTR   pPin,      /* the user's PIN */
+  CK_ULONG          ulPinLen   /* the length of the PIN */
+);
+#endif
+
+
+/* C_Logout logs a user out from a token. */
+CK_PKCS11_FUNCTION_INFO(C_Logout)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Object management */
+
+/* C_CreateObject creates a new object. */
+CK_PKCS11_FUNCTION_INFO(C_CreateObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
+  CK_ULONG          ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
+);
+#endif
+
+
+/* C_CopyObject copies an object, creating a new object for the
+ * copy. */
+CK_PKCS11_FUNCTION_INFO(C_CopyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
+  CK_ULONG             ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
+);
+#endif
+
+
+/* C_DestroyObject destroys an object. */
+CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject    /* the object's handle */
+);
+#endif
+
+
+/* C_GetObjectSize gets the size of an object in bytes. */
+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
+  CK_ULONG_PTR      pulSize    /* receives size of object */
+);
+#endif
+
+
+/* C_GetAttributeValue obtains the value of one or more object
+ * attributes. */
+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_SetAttributeValue modifies the value of one or more object
+ * attributes */
+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_FindObjectsInit initializes a search for token and session
+ * objects that match a template. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
+  CK_ULONG          ulCount     /* attrs in search template */
+);
+#endif
+
+
+/* C_FindObjects continues a search for token and session
+ * objects that match a template, obtaining additional object
+ * handles. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjects)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE    hSession,          /* session's handle */
+ CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
+ CK_ULONG             ulMaxObjectCount,  /* max handles to get */
+ CK_ULONG_PTR         pulObjectCount     /* actual # returned */
+);
+#endif
+
+
+/* C_FindObjectsFinal finishes a search for token and session
+ * objects. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Encryption and decryption */
+
+/* C_EncryptInit initializes an encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
+);
+#endif
+
+
+/* C_Encrypt encrypts single-part data. */
+CK_PKCS11_FUNCTION_INFO(C_Encrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pData,               /* the plaintext data */
+  CK_ULONG          ulDataLen,           /* bytes of plaintext */
+  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptUpdate continues a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pPart,              /* the plaintext data */
+  CK_ULONG          ulPartLen,          /* plaintext data len */
+  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptFinal finishes a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,                /* session handle */
+  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
+  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
+);
+#endif
+
+
+/* C_DecryptInit initializes a decryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
+);
+#endif
+
+
+/* C_Decrypt decrypts encrypted data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Decrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
+  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
+  CK_BYTE_PTR       pData,              /* gets plaintext */
+  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
+);
+#endif
+
+
+/* C_DecryptUpdate continues a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
+  CK_ULONG          ulEncryptedPartLen,  /* input length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* p-text size */
+);
+#endif
+
+
+/* C_DecryptFinal finishes a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
+  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
+);
+#endif
+
+
+
+/* Message digesting */
+
+/* C_DigestInit initializes a message-digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
+);
+#endif
+
+
+/* C_Digest digests data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Digest)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pData,        /* data to be digested */
+  CK_ULONG          ulDataLen,    /* bytes of data to digest */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
+);
+#endif
+
+
+/* C_DigestUpdate continues a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* data to be digested */
+  CK_ULONG          ulPartLen  /* bytes of data to be digested */
+);
+#endif
+
+
+/* C_DigestKey continues a multi-part message-digesting
+ * operation, by digesting the value of a secret key as part of
+ * the data already digested. */
+CK_PKCS11_FUNCTION_INFO(C_DigestKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
+);
+#endif
+
+
+/* C_DigestFinal finishes a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
+);
+#endif
+
+
+
+/* Signing and MACing */
+
+/* C_SignInit initializes a signature (private key encryption)
+ * operation, where the signature is (will be) an appendix to
+ * the data, and plaintext cannot be recovered from the
+ *signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
+);
+#endif
+
+
+/* C_Sign signs (encrypts with private key) data in a single
+ * part, where the signature is (will be) an appendix to the
+ * data, and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Sign)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* the data to sign */
+  CK_ULONG          ulPartLen  /* count of bytes to sign */
+);
+#endif
+
+
+/* C_SignFinal finishes a multiple-part signature operation, 
+ * returning the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignRecoverInit initializes a signature operation, where
+ * the data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
+);
+#endif
+
+
+/* C_SignRecover signs data in a single operation, where the
+ * data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+
+/* Verifying signatures and MACs */
+
+/* C_VerifyInit initializes a verification operation, where the
+ * signature is an appendix to the data, and plaintext cannot
+ *  cannot be recovered from the signature (e.g. DSA). */
+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */ 
+);
+#endif
+
+
+/* C_Verify verifies a signature in a single-part operation, 
+ * where the signature is an appendix to the data, and plaintext
+ * cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Verify)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pData,          /* signed data */
+  CK_ULONG          ulDataLen,      /* length of signed data */
+  CK_BYTE_PTR       pSignature,     /* signature */
+  CK_ULONG          ulSignatureLen  /* signature length*/
+);
+#endif
+
+
+/* C_VerifyUpdate continues a multiple-part verification
+ * operation, where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* signed data */
+  CK_ULONG          ulPartLen  /* length of signed data */
+);
+#endif
+
+
+/* C_VerifyFinal finishes a multiple-part verification
+ * operation, checking the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pSignature,     /* signature to verify */
+  CK_ULONG          ulSignatureLen  /* signature length */
+);
+#endif
+
+
+/* C_VerifyRecoverInit initializes a signature verification
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */
+);
+#endif
+
+
+/* C_VerifyRecover verifies a signature in a single-part
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* signature to verify */
+  CK_ULONG          ulSignatureLen,  /* signature length */
+  CK_BYTE_PTR       pData,           /* gets signed data */
+  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
+);
+#endif
+
+
+
+/* Dual-function cryptographic operations */
+
+/* C_DigestEncryptUpdate continues a multiple-part digesting
+ * and encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
+);
+#endif
+
+
+/* C_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
+ * verify operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
+);
+#endif
+
+
+
+/* Key management */
+
+/* C_GenerateKey generates a secret key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
+  CK_ULONG             ulCount,     /* # of attrs in template */
+  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
+);
+#endif
+
+
+/* C_GenerateKeyPair generates a public-key/private-key pair, 
+ * creating new key objects. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,                    /* session
+                                                     * handle */
+  CK_MECHANISM_PTR     pMechanism,                  /* key-gen
+                                                     * mech. */
+  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template
+                                                     * for pub.
+                                                     * key */
+  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub.
+                                                     * attrs. */
+  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template
+                                                     * for priv.
+                                                     * key */
+  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.
+                                                     * attrs. */
+  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub.
+                                                     * key
+                                                     * handle */
+  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets
+                                                     * priv. key
+                                                     * handle */
+);
+#endif
+
+
+/* C_WrapKey wraps (i.e., encrypts) a key. */
+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
+  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
+  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
+  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
+  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
+);
+#endif
+
+
+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
+ * key object. */
+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
+  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
+  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
+  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+/* C_DeriveKey derives a key from a base key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
+  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+
+/* Random number generation */
+
+/* C_SeedRandom mixes additional seed material into the token's
+ * random number generator. */
+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pSeed,     /* the seed material */
+  CK_ULONG          ulSeedLen  /* length of seed material */
+);
+#endif
+
+
+/* C_GenerateRandom generates random data. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_BYTE_PTR       RandomData,  /* receives the random data */
+  CK_ULONG          ulRandomLen  /* # of bytes to generate */
+);
+#endif
+
+
+
+/* Parallel function management */
+
+/* C_GetFunctionStatus is a legacy function; it obtains an
+ * updated status of a function running in parallel with an
+ * application. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CancelFunction is a legacy function; it cancels a function
+ * running in parallel. */
+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Functions added in for PKCS #11 Version 2.01 or later */
+
+/* C_WaitForSlotEvent waits for a slot event (token insertion,
+ * removal, etc.) to occur. */
+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FLAGS flags,        /* blocking/nonblocking flag */
+  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
+  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
+);
+#endif

mozilla/security/nss/lib/softoken/pkcs11i.h

@@ -0,0 +1,687 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Internal data structures and functions used by pkcs11.c
+ */
+#ifndef _PKCS11I_H_
+#define _PKCS11I_H_ 1
+
+#include "nssilock.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "lowkeyti.h"
+#include "pkcs11t.h"
+
+#include "sftkdbt.h"
+
+
+/* 
+ * Configuration Defines 
+ *
+ * The following defines affect the space verse speed trade offs of
+ * the PKCS #11 module. For the most part the current settings are optimized
+ * for web servers, where we want faster speed and lower lock contention at
+ * the expense of space.
+ */
+
+/* 
+ * The attribute allocation strategy is static allocation:
+ *   Attributes are pre-allocated as part of the session object and used from
+ *   the object array.
+ */
+#define MAX_OBJS_ATTRS 45	/* number of attributes to preallocate in
+				 * the object (must me the absolute max) */
+#define ATTR_SPACE 50  		/* Maximum size of attribute data before extra
+				 * data needs to be allocated. This is set to
+				 * enough space to hold an SSL MASTER secret */
+
+#define NSC_STRICT      PR_FALSE  /* forces the code to do strict template
+				   * matching when doing C_FindObject on token
+				   * objects. This will slow down search in
+				   * NSS. */
+/* default search block allocations and increments */
+#define NSC_CERT_BLOCK_SIZE     50
+#define NSC_SEARCH_BLOCK_SIZE   5 
+#define NSC_SLOT_LIST_BLOCK_SIZE 10
+
+#define NSC_FIPS_MODULE 1
+#define NSC_NON_FIPS_MODULE 0
+
+/* these are data base storage hashes, not cryptographic hashes.. The define
+ * the effective size of the various object hash tables */
+/* clients care more about memory usage than lookup performance on
+ * cyrptographic objects. Clients also have less objects around to play with 
+ *
+ * we eventually should make this configurable at runtime! Especially now that
+ * NSS is a shared library.
+ */
+#define SPACE_ATTRIBUTE_HASH_SIZE 32 
+#define SPACE_SESSION_OBJECT_HASH_SIZE 32
+#define SPACE_SESSION_HASH_SIZE 32
+#define TIME_ATTRIBUTE_HASH_SIZE 32
+#define TIME_SESSION_OBJECT_HASH_SIZE 1024
+#define TIME_SESSION_HASH_SIZE 1024
+#define MAX_OBJECT_LIST_SIZE 800  
+				  /* how many objects to keep on the free list
+				   * before we start freeing them */
+#define MAX_KEY_LEN 256 	  /* maximum symmetric key length in bytes */
+
+#define MULTIACCESS "multiaccess:"
+
+/*
+ * LOG2_BUCKETS_PER_SESSION_LOCK must be a prime number.
+ * With SESSION_HASH_SIZE=1024, LOG2 can be 9, 5, 1, or 0.
+ * With SESSION_HASH_SIZE=4096, LOG2 can be 11, 9, 5, 1, or 0.
+ *
+ * HASH_SIZE   LOG2_BUCKETS_PER   BUCKETS_PER_LOCK  NUMBER_OF_BUCKETS
+ * 1024        9                  512               2
+ * 1024        5                  32                32
+ * 1024        1                  2                 512
+ * 1024        0                  1                 1024
+ * 4096        11                 2048              2
+ * 4096        9                  512               8
+ * 4096        5                  32                128
+ * 4096        1                  2                 2048
+ * 4096        0                  1                 4096
+ */
+#define LOG2_BUCKETS_PER_SESSION_LOCK 1
+#define BUCKETS_PER_SESSION_LOCK (1 << (LOG2_BUCKETS_PER_SESSION_LOCK))
+/* NOSPREAD sessionID to hash table index macro has been slower. */
+
+/* define typedefs, double as forward declarations as well */
+typedef struct SFTKAttributeStr SFTKAttribute;
+typedef struct SFTKObjectListStr SFTKObjectList;
+typedef struct SFTKObjectFreeListStr SFTKObjectFreeList;
+typedef struct SFTKObjectListElementStr SFTKObjectListElement;
+typedef struct SFTKObjectStr SFTKObject;
+typedef struct SFTKSessionObjectStr SFTKSessionObject;
+typedef struct SFTKTokenObjectStr SFTKTokenObject;
+typedef struct SFTKSessionStr SFTKSession;
+typedef struct SFTKSlotStr SFTKSlot;
+typedef struct SFTKSessionContextStr SFTKSessionContext;
+typedef struct SFTKSearchResultsStr SFTKSearchResults;
+typedef struct SFTKHashVerifyInfoStr SFTKHashVerifyInfo;
+typedef struct SFTKHashSignInfoStr SFTKHashSignInfo;
+typedef struct SFTKSSLMACInfoStr SFTKSSLMACInfo;
+
+/* define function pointer typdefs for pointer tables */
+typedef void (*SFTKDestroy)(void *, PRBool);
+typedef void (*SFTKBegin)(void *);
+typedef SECStatus (*SFTKCipher)(void *,void *,unsigned int *,unsigned int,
+					void *, unsigned int);
+typedef SECStatus (*SFTKVerify)(void *,void *,unsigned int,void *,unsigned int);
+typedef void (*SFTKHash)(void *,void *,unsigned int);
+typedef void (*SFTKEnd)(void *,void *,unsigned int *,unsigned int);
+typedef void (*SFTKFree)(void *);
+
+/* Value to tell if an attribute is modifiable or not.
+ *    NEVER: attribute is only set on creation.
+ *    ONCOPY: attribute is set on creation and can only be changed on copy.
+ *    SENSITIVE: attribute can only be changed to TRUE.
+ *    ALWAYS: attribute can always be changed.
+ */
+typedef enum {
+	SFTK_NEVER = 0,
+	SFTK_ONCOPY = 1,
+	SFTK_SENSITIVE = 2,
+	SFTK_ALWAYS = 3
+} SFTKModifyType;
+
+/*
+ * Free Status Enum... tell us more information when we think we're
+ * deleting an object.
+ */
+typedef enum {
+	SFTK_DestroyFailure,
+	SFTK_Destroyed,
+	SFTK_Busy
+} SFTKFreeStatus;
+
+/*
+ * attribute values of an object.
+ */
+struct SFTKAttributeStr {
+    SFTKAttribute  	*next;
+    SFTKAttribute  	*prev;
+    PRBool		freeAttr;
+    PRBool		freeData;
+    /*must be called handle to make sftkqueue_find work */
+    CK_ATTRIBUTE_TYPE	handle;
+    CK_ATTRIBUTE 	attrib;
+    unsigned char space[ATTR_SPACE];
+};
+
+
+/*
+ * doubly link list of objects
+ */
+struct SFTKObjectListStr {
+    SFTKObjectList *next;
+    SFTKObjectList *prev;
+    SFTKObject	   *parent;
+};
+
+struct SFTKObjectFreeListStr {
+    SFTKObject	*head;
+    PZLock	*lock;
+    int		count;
+};
+
+/*
+ * PKCS 11 crypto object structure
+ */
+struct SFTKObjectStr {
+    SFTKObject *next;
+    SFTKObject	*prev;
+    CK_OBJECT_CLASS 	objclass;
+    CK_OBJECT_HANDLE	handle;
+    int 		refCount;
+    PZLock 		*refLock;
+    SFTKSlot	   	*slot;
+    void 		*objectInfo;
+    SFTKFree 		infoFree;
+};
+
+struct SFTKTokenObjectStr {
+    SFTKObject  obj;
+    SECItem	dbKey;
+};
+
+struct SFTKSessionObjectStr {
+    SFTKObject	   obj;
+    SFTKObjectList sessionList;
+    PZLock		*attributeLock;
+    SFTKSession   	*session;
+    PRBool		wasDerived;
+    int nextAttr;
+    SFTKAttribute	attrList[MAX_OBJS_ATTRS];
+    PRBool		optimizeSpace;
+    unsigned int	hashSize;
+    SFTKAttribute 	*head[1];
+};
+
+/*
+ * struct to deal with a temparary list of objects
+ */
+struct SFTKObjectListElementStr {
+    SFTKObjectListElement	*next;
+    SFTKObject 			*object;
+};
+
+/*
+ * Area to hold Search results
+ */
+struct SFTKSearchResultsStr {
+    CK_OBJECT_HANDLE	*handles;
+    int			size;
+    int			index;
+    int			array_size;
+};
+
+
+/* 
+ * the universal crypto/hash/sign/verify context structure
+ */
+typedef enum {
+    SFTK_ENCRYPT,
+    SFTK_DECRYPT,
+    SFTK_HASH,
+    SFTK_SIGN,
+    SFTK_SIGN_RECOVER,
+    SFTK_VERIFY,
+    SFTK_VERIFY_RECOVER
+} SFTKContextType;
+
+
+#define SFTK_MAX_BLOCK_SIZE 16
+/* currently SHA512 is the biggest hash length */
+#define SFTK_MAX_MAC_LENGTH 64
+#define SFTK_INVALID_MAC_SIZE 0xffffffff
+
+struct SFTKSessionContextStr {
+    SFTKContextType	type;
+    PRBool		multi; 		/* is multipart */
+    PRBool		doPad; 		/* use PKCS padding for block ciphers */
+    unsigned int	blockSize; 	/* blocksize for padding */
+    unsigned int	padDataLength; 	/* length of the valid data in padbuf */
+    unsigned char	padBuf[SFTK_MAX_BLOCK_SIZE];
+    unsigned char	macBuf[SFTK_MAX_BLOCK_SIZE];
+    CK_ULONG		macSize;	/* size of a general block cipher mac*/
+    void		*cipherInfo;
+    void		*hashInfo;
+    unsigned int	cipherInfoLen;
+    CK_MECHANISM_TYPE	currentMech;
+    SFTKCipher		update;
+    SFTKHash		hashUpdate;
+    SFTKEnd		end;
+    SFTKDestroy		destroy;
+    SFTKDestroy		hashdestroy;
+    SFTKVerify		verify;
+    unsigned int	maxLen;
+    SFTKObject		*key;
+};
+
+/*
+ * Sessions (have objects)
+ */
+struct SFTKSessionStr {
+    SFTKSession        *next;
+    SFTKSession        *prev;
+    CK_SESSION_HANDLE	handle;
+    int			refCount;
+    PZLock		*objectLock;
+    int			objectIDCount;
+    CK_SESSION_INFO	info;
+    CK_NOTIFY		notify;
+    CK_VOID_PTR		appData;
+    SFTKSlot		*slot;
+    SFTKSearchResults	*search;
+    SFTKSessionContext	*enc_context;
+    SFTKSessionContext	*hash_context;
+    SFTKSessionContext	*sign_context;
+    SFTKObjectList	*objects[1];
+};
+
+/*
+ * slots (have sessions and objects)
+ *
+ * The array of sessionLock's protect the session hash table (head[])
+ * as well as the reference count of session objects in that bucket
+ * (head[]->refCount),  objectLock protects all elements of the slot's
+ * object hash tables (sessObjHashTable[] and tokObjHashTable), and
+ * sessionObjectHandleCount.
+ * slotLock protects the remaining protected elements:
+ * password, isLoggedIn, ssoLoggedIn, and sessionCount,
+ * and pwCheckLock serializes the key database password checks in
+ * NSC_SetPIN and NSC_Login.
+ *
+ * Each of the fields below has the following lifetime as commented
+ * next to the fields:
+ *   invariant  - This value is set when the slot is first created and
+ * never changed until it is destroyed.
+ *   per load   - This value is set when the slot is first created, or 
+ * when the slot is used to open another directory. Between open and close
+ * this field does not change.
+ *   variable - This value changes through the normal process of slot operation.
+ *      - reset. The value of this variable is cleared during an open/close 
+ *   cycles.
+ *      - preserved. The value of this variable is preserved over open/close
+ *   cycles.
+ */
+struct SFTKSlotStr {
+    CK_SLOT_ID		slotID;			/* invariant */
+    PZLock		*slotLock;		/* invariant */
+    PZLock		**sessionLock;		/* invariant */
+    unsigned int	numSessionLocks;	/* invariant */
+    unsigned long	sessionLockMask;	/* invariant */
+    PZLock		*objectLock;		/* invariant */
+    PRLock		*pwCheckLock;		/* invariant */
+    PRBool		present;		/* variable -set */
+    PRBool		hasTokens;		/* per load */
+    PRBool		isLoggedIn;		/* variable - reset */
+    PRBool		ssoLoggedIn;		/* variable - reset */
+    PRBool		needLogin;		/* per load */
+    PRBool		DB_loaded;		/* per load */
+    PRBool		readOnly;		/* per load */
+    PRBool		optimizeSpace;		/* invariant */
+    SFTKDBHandle	*certDB;		/* per load */
+    SFTKDBHandle	*keyDB;			/* per load */
+    int			minimumPinLen;		/* per load */
+    PRInt32		sessionIDCount;		/* atomically incremented */
+                                        	/* (preserved) */
+    int			sessionIDConflict; 	/* not protected by a lock */
+                                            	/* (preserved) */
+    int			sessionCount;           /* variable - reset */
+    PRInt32             rwSessionCount;    	/* set by atomic operations */
+                                          	/* (reset) */
+    int			sessionObjectHandleCount;/* variable - perserved */
+    int			index;			/* invariant */
+    PLHashTable		*tokObjHashTable;	/* invariant */
+    SFTKObject		**sessObjHashTable;	/* variable - reset */
+    unsigned int	sessObjHashSize;	/* invariant */
+    SFTKSession		**head;			/* variable -reset */
+    unsigned int	sessHashSize;		/* invariant */
+    char		tokDescription[33];	/* per load */
+    char		slotDescription[64];	/* invariant */
+};
+
+/*
+ * special joint operations Contexts
+ */
+struct SFTKHashVerifyInfoStr {
+    SECOidTag   	hashOid;
+    NSSLOWKEYPublicKey	*key;
+};
+
+struct SFTKHashSignInfoStr {
+    SECOidTag   	hashOid;
+    NSSLOWKEYPrivateKey	*key;
+};
+
+/* context for the Final SSLMAC message */
+struct SFTKSSLMACInfoStr {
+    void 		*hashContext;
+    SFTKBegin		begin;
+    SFTKHash		update;
+    SFTKEnd		end;
+    CK_ULONG		macSize;
+    int			padSize;
+    unsigned char	key[MAX_KEY_LEN];
+    unsigned int	keySize;
+};
+
+/*
+ * session handle modifiers
+ */
+#define SFTK_SESSION_SLOT_MASK	0xff000000L
+
+/*
+ * object handle modifiers
+ */
+#define SFTK_TOKEN_MASK		0x80000000L
+#define SFTK_TOKEN_MAGIC	0x80000000L
+#define SFTK_TOKEN_TYPE_MASK	0x70000000L
+/* keydb (high bit == 0) */
+#define SFTK_TOKEN_TYPE_PRIV	0x10000000L
+#define SFTK_TOKEN_TYPE_PUB	0x20000000L
+#define SFTK_TOKEN_TYPE_KEY	0x30000000L
+/* certdb (high bit == 1) */
+#define SFTK_TOKEN_TYPE_TRUST	0x40000000L
+#define SFTK_TOKEN_TYPE_CRL	0x50000000L
+#define SFTK_TOKEN_TYPE_SMIME	0x60000000L
+#define SFTK_TOKEN_TYPE_CERT	0x70000000L
+
+#define SFTK_TOKEN_KRL_HANDLE	(SFTK_TOKEN_MAGIC|SFTK_TOKEN_TYPE_CRL|1)
+/* how big (in bytes) a password/pin we can deal with */
+#define SFTK_MAX_PIN	255
+/* minimum password/pin length (in Unicode characters) in FIPS mode */
+#define FIPS_MIN_PIN	7
+
+/* slot ID's */
+#define NETSCAPE_SLOT_ID 1
+#define PRIVATE_KEY_SLOT_ID 2
+#define FIPS_SLOT_ID 3
+
+/* slot helper macros */
+#define sftk_SlotFromSession(sp) ((sp)->slot)
+#define sftk_isToken(id) (((id) & SFTK_TOKEN_MASK) == SFTK_TOKEN_MAGIC)
+
+/* the session hash multiplier (see bug 201081) */
+#define SHMULTIPLIER 1791398085
+
+/* queueing helper macros */
+#define sftk_hash(value,size) \
+	((PRUint32)((value) * SHMULTIPLIER) & (size-1))
+#define sftkqueue_add(element,id,head,hash_size) \
+	{ int tmp = sftk_hash(id,hash_size); \
+	(element)->next = (head)[tmp]; \
+	(element)->prev = NULL; \
+	if ((head)[tmp]) (head)[tmp]->prev = (element); \
+	(head)[tmp] = (element); }
+#define sftkqueue_find(element,id,head,hash_size) \
+	for( (element) = (head)[sftk_hash(id,hash_size)]; (element) != NULL; \
+					 (element) = (element)->next) { \
+	    if ((element)->handle == (id)) { break; } }
+#define sftkqueue_is_queued(element,id,head,hash_size) \
+	( ((element)->next) || ((element)->prev) || \
+	 ((head)[sftk_hash(id,hash_size)] == (element)) )
+#define sftkqueue_delete(element,id,head,hash_size) \
+	if ((element)->next) (element)->next->prev = (element)->prev; \
+	if ((element)->prev) (element)->prev->next = (element)->next; \
+	   else (head)[sftk_hash(id,hash_size)] = ((element)->next); \
+	(element)->next = NULL; \
+	(element)->prev = NULL; \
+
+#define sftkqueue_init_element(element) \
+    (element)->prev = NULL;
+
+#define sftkqueue_add2(element, id, index, head) \
+    {                                            \
+	(element)->next = (head)[index];         \
+	if ((head)[index])                       \
+	    (head)[index]->prev = (element);     \
+	(head)[index] = (element);               \
+    }
+
+#define sftkqueue_find2(element, id, index, head) \
+    for ( (element) = (head)[index];              \
+          (element) != NULL;                      \
+          (element) = (element)->next) {          \
+	if ((element)->handle == (id)) { break; } \
+    }
+
+#define sftkqueue_delete2(element, id, index, head) \
+	if ((element)->next) (element)->next->prev = (element)->prev; \
+	if ((element)->prev) (element)->prev->next = (element)->next; \
+	   else (head)[index] = ((element)->next);
+
+#define sftkqueue_clear_deleted_element(element) \
+	(element)->next = NULL; \
+	(element)->prev = NULL; \
+
+
+/* sessionID (handle) is used to determine session lock bucket */
+#ifdef NOSPREAD
+/* NOSPREAD:	(ID>>L2LPB) & (perbucket-1) */
+#define SFTK_SESSION_LOCK(slot,handle) \
+    ((slot)->sessionLock[((handle) >> LOG2_BUCKETS_PER_SESSION_LOCK) \
+        & (slot)->sessionLockMask])
+#else
+/* SPREAD:	ID & (perbucket-1) */
+#define SFTK_SESSION_LOCK(slot,handle) \
+    ((slot)->sessionLock[(handle) & (slot)->sessionLockMask])
+#endif
+
+/* expand an attribute & secitem structures out */
+#define sftk_attr_expand(ap) (ap)->type,(ap)->pValue,(ap)->ulValueLen
+#define sftk_item_expand(ip) (ip)->data,(ip)->len
+
+typedef struct sftk_token_parametersStr {
+    CK_SLOT_ID slotID;
+    char *configdir;
+    char *certPrefix;
+    char *keyPrefix;
+    char *tokdes;
+    char *slotdes;
+    int minPW; 
+    PRBool readOnly;
+    PRBool noCertDB;
+    PRBool noKeyDB;
+    PRBool forceOpen;
+    PRBool pwRequired;
+    PRBool optimizeSpace;
+} sftk_token_parameters;
+
+typedef struct sftk_parametersStr {
+    char *configdir;
+    char *secmodName;
+    char *man;
+    char *libdes; 
+    PRBool readOnly;
+    PRBool noModDB;
+    PRBool noCertDB;
+    PRBool forceOpen;
+    PRBool pwRequired;
+    PRBool optimizeSpace;
+    sftk_token_parameters *tokens;
+    int token_count;
+} sftk_parameters;
+
+
+/* machine dependent path stuff used by dbinit.c and pk11db.c */
+#ifdef macintosh
+#define PATH_SEPARATOR ":"
+#define SECMOD_DB "Security Modules"
+#define CERT_DB_FMT "%sCertificates%s"
+#define KEY_DB_FMT "%sKey Database%s"
+#else
+#define PATH_SEPARATOR "/"
+#define SECMOD_DB "secmod.db"
+#define CERT_DB_FMT "%scert%s.db"
+#define KEY_DB_FMT "%skey%s.db"
+#endif
+
+SEC_BEGIN_PROTOS
+
+/* shared functions between pkcs11.c and fipstokn.c */
+extern PRBool nsf_init;
+extern CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS);
+extern CK_RV nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS);
+extern CK_RV nsc_CommonGetSlotList(CK_BBOOL tokPresent, 
+	CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount, int moduleIndex);
+
+/* slot initialization, reinit, shutdown and destruction */
+extern CK_RV SFTK_SlotInit(char *configdir,
+			sftk_token_parameters *params, int moduleIndex);
+extern CK_RV SFTK_SlotReInit(SFTKSlot *slot, char *configdir,
+			sftk_token_parameters *params, int moduleIndex);
+extern CK_RV SFTK_DestroySlotData(SFTKSlot *slot);
+extern CK_RV SFTK_ShutdownSlot(SFTKSlot *slot);
+
+
+/* internal utility functions used by pkcs11.c */
+extern SFTKAttribute *sftk_FindAttribute(SFTKObject *object,
+					 CK_ATTRIBUTE_TYPE type);
+extern void sftk_FreeAttribute(SFTKAttribute *attribute);
+extern CK_RV sftk_AddAttributeType(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+				   void *valPtr,
+				  CK_ULONG length);
+extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
+				    SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern unsigned int sftk_GetLengthInBits(unsigned char *buf,
+							 unsigned int bufLen);
+extern CK_RV sftk_ConstrainAttribute(SFTKObject *object, 
+	CK_ATTRIBUTE_TYPE type, int minLength, int maxLength, int minMultiple);
+extern PRBool sftk_hasAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern PRBool sftk_isTrue(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern void sftk_DeleteAttributeType(SFTKObject *object,
+				     CK_ATTRIBUTE_TYPE type);
+extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
+				    SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern CK_RV sftk_Attribute2SSecItem(PLArenaPool *arena, SECItem *item,
+				     SFTKObject *object,
+				     CK_ATTRIBUTE_TYPE type);
+extern SFTKModifyType sftk_modifyType(CK_ATTRIBUTE_TYPE type,
+				      CK_OBJECT_CLASS inClass);
+extern PRBool sftk_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass);
+extern char *sftk_getString(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern void sftk_nullAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type);
+extern CK_RV sftk_GetULongAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+                                                         CK_ULONG *longData);
+extern CK_RV sftk_forceAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+				 void *value, unsigned int len);
+extern CK_RV sftk_defaultAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+				   void *value, unsigned int len);
+extern unsigned int sftk_MapTrust(CK_TRUST trust, PRBool clientAuth);
+
+extern SFTKObject *sftk_NewObject(SFTKSlot *slot);
+extern CK_RV sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject);
+extern SFTKFreeStatus sftk_FreeObject(SFTKObject *object);
+extern CK_RV sftk_DeleteObject(SFTKSession *session, SFTKObject *object);
+extern void sftk_ReferenceObject(SFTKObject *object);
+extern SFTKObject *sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle,
+					 SFTKSession *session);
+extern void sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object);
+extern void sftk_AddObject(SFTKSession *session, SFTKObject *object);
+/* clear out all the existing object ID to database key mappings.
+ * used to reinit a token */
+extern CK_RV SFTK_ClearTokenKeyHashTable(SFTKSlot *slot);
+
+extern CK_RV sftk_searchObjectList(SFTKSearchResults *search,
+				   SFTKObject **head, unsigned int size,
+				   PZLock *lock, CK_ATTRIBUTE_PTR inTemplate,
+				   int count, PRBool isLoggedIn);
+extern SFTKObjectListElement *sftk_FreeObjectListElement(
+					     SFTKObjectListElement *objectList);
+extern void sftk_FreeObjectList(SFTKObjectListElement *objectList);
+extern void sftk_FreeSearch(SFTKSearchResults *search);
+extern CK_RV sftk_handleObject(SFTKObject *object, SFTKSession *session);
+
+extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all);
+extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
+extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
+extern void sftk_FreeSession(SFTKSession *session);
+extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
+				    CK_VOID_PTR pApplication, CK_FLAGS flags);
+extern void sftk_update_state(SFTKSlot *slot,SFTKSession *session);
+extern void sftk_update_all_states(SFTKSlot *slot);
+extern void sftk_FreeContext(SFTKSessionContext *context);
+extern void sftk_InitFreeLists(void);
+extern void sftk_CleanupFreeLists(void);
+
+extern NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object,
+					  CK_KEY_TYPE key_type, CK_RV *crvp);
+extern NSSLOWKEYPrivateKey *sftk_GetPrivKey(SFTKObject *object,
+					    CK_KEY_TYPE key_type, CK_RV *crvp);
+extern void sftk_FormatDESKey(unsigned char *key, int length);
+extern PRBool sftk_CheckDESKey(unsigned char *key);
+extern PRBool sftk_IsWeakKey(unsigned char *key,CK_KEY_TYPE key_type);
+
+/* mechanism allows this operation */
+extern CK_RV sftk_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op);
+
+/* helper function which calls nsslowkey_FindKeyByPublicKey after safely
+ * acquiring a reference to the keydb from the slot */
+NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey);
+
+/*
+ * narrow objects
+ */
+SFTKSessionObject * sftk_narrowToSessionObject(SFTKObject *);
+SFTKTokenObject * sftk_narrowToTokenObject(SFTKObject *);
+
+/*
+ * token object utilities
+ */
+void sftk_addHandle(SFTKSearchResults *search, CK_OBJECT_HANDLE handle);
+PRBool sftk_poisonHandle(SFTKSlot *slot, SECItem *dbkey, 
+						CK_OBJECT_HANDLE handle);
+SFTKObject * sftk_NewTokenObject(SFTKSlot *slot, SECItem *dbKey, 
+						CK_OBJECT_HANDLE handle);
+SFTKTokenObject *sftk_convertSessionToToken(SFTKObject *so);
+
+/****************************************
+ * implement TLS Pseudo Random Function (PRF)
+ */
+
+extern CK_RV
+sftk_TLSPRFInit(SFTKSessionContext *context, 
+		  SFTKObject *        key, 
+		  CK_KEY_TYPE         key_type);
+
+SEC_END_PROTOS
+
+#endif /* _PKCS11I_H_ */

mozilla/security/nss/lib/softoken/pkcs11n.h

@@ -0,0 +1,281 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Stephen Henson <stephen.henson@gemplus.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _PKCS11N_H_
+#define _PKCS11N_H_
+
+#ifdef DEBUG
+static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.15.22.1 $ $Date: 2007-05-17 01:08:18 $";
+#endif /* DEBUG */
+
+/*
+ * pkcs11n.h
+ *
+ * This file contains the NSS-specific type definitions for Cryptoki
+ * (PKCS#11).
+ */
+
+/*
+ * NSSCK_VENDOR_NSS
+ *
+ * Cryptoki reserves the high half of all the number spaces for
+ * vendor-defined use.  I'd like to keep all of our NSS-
+ * specific values together, but not in the oh-so-obvious
+ * 0x80000001, 0x80000002, etc. area.  So I've picked an offset,
+ * and constructed values for the beginnings of our spaces.
+ *
+ * Note that some "historical" Netscape values don't fall within
+ * this range.
+ */
+#define NSSCK_VENDOR_NSS 0x4E534350 /* NSCP */
+
+/*
+ * NSS-defined object classes
+ * 
+ */
+#define CKO_NSS (CKO_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKO_NSS_CRL                (CKO_NSS + 1)
+#define CKO_NSS_SMIME              (CKO_NSS + 2)
+#define CKO_NSS_TRUST              (CKO_NSS + 3)
+#define CKO_NSS_BUILTIN_ROOT_LIST  (CKO_NSS + 4)
+#define CKO_NSS_NEWSLOT            (CKO_NSS + 5)
+#define CKO_NSS_DELSLOT            (CKO_NSS + 6)
+
+
+/*
+ * NSS-defined key types
+ *
+ */
+#define CKK_NSS (CKK_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKK_NSS_PKCS8              (CKK_NSS + 1)
+/*
+ * NSS-defined certificate types
+ *
+ */
+#define CKC_NSS (CKC_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+/*
+ * NSS-defined object attributes
+ *
+ */
+#define CKA_NSS (CKA_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKA_NSS_URL                (CKA_NSS +  1)
+#define CKA_NSS_EMAIL              (CKA_NSS +  2)
+#define CKA_NSS_SMIME_INFO         (CKA_NSS +  3)
+#define CKA_NSS_SMIME_TIMESTAMP    (CKA_NSS +  4)
+#define CKA_NSS_PKCS8_SALT         (CKA_NSS +  5)
+#define CKA_NSS_PASSWORD_CHECK     (CKA_NSS +  6)
+#define CKA_NSS_EXPIRES            (CKA_NSS +  7)
+#define CKA_NSS_KRL                (CKA_NSS +  8)
+
+#define CKA_NSS_PQG_COUNTER        (CKA_NSS +  20)
+#define CKA_NSS_PQG_SEED           (CKA_NSS +  21)
+#define CKA_NSS_PQG_H              (CKA_NSS +  22)
+#define CKA_NSS_PQG_SEED_BITS      (CKA_NSS +  23)
+#define CKA_NSS_MODULE_SPEC        (CKA_NSS +  24)
+#define CKA_NSS_OVERRIDE_EXTENSIONS (CKA_NSS +  25)
+
+/*
+ * Trust attributes:
+ *
+ * If trust goes standard, these probably will too.  So I'll
+ * put them all in one place.
+ */
+
+#define CKA_TRUST (CKA_NSS + 0x2000)
+
+/* "Usage" key information */
+#define CKA_TRUST_DIGITAL_SIGNATURE     (CKA_TRUST +  1)
+#define CKA_TRUST_NON_REPUDIATION       (CKA_TRUST +  2)
+#define CKA_TRUST_KEY_ENCIPHERMENT      (CKA_TRUST +  3)
+#define CKA_TRUST_DATA_ENCIPHERMENT     (CKA_TRUST +  4)
+#define CKA_TRUST_KEY_AGREEMENT         (CKA_TRUST +  5)
+#define CKA_TRUST_KEY_CERT_SIGN         (CKA_TRUST +  6)
+#define CKA_TRUST_CRL_SIGN              (CKA_TRUST +  7)
+
+/* "Purpose" trust information */
+#define CKA_TRUST_SERVER_AUTH           (CKA_TRUST +  8)
+#define CKA_TRUST_CLIENT_AUTH           (CKA_TRUST +  9)
+#define CKA_TRUST_CODE_SIGNING          (CKA_TRUST + 10)
+#define CKA_TRUST_EMAIL_PROTECTION      (CKA_TRUST + 11)
+#define CKA_TRUST_IPSEC_END_SYSTEM      (CKA_TRUST + 12)
+#define CKA_TRUST_IPSEC_TUNNEL          (CKA_TRUST + 13)
+#define CKA_TRUST_IPSEC_USER            (CKA_TRUST + 14)
+#define CKA_TRUST_TIME_STAMPING         (CKA_TRUST + 15)
+#define CKA_TRUST_STEP_UP_APPROVED      (CKA_TRUST + 16)
+
+#define CKA_CERT_SHA1_HASH	        (CKA_TRUST + 100)
+#define CKA_CERT_MD5_HASH		(CKA_TRUST + 101)
+
+/* NSS trust stuff */
+/* XXX fgmr new ones here-- step-up, etc. */
+
+/* HISTORICAL: define used to pass in the database key for DSA private keys */
+#define CKA_NETSCAPE_DB                 0xD5A0DB00L
+#define CKA_NETSCAPE_TRUST              0x80000001L
+
+/*
+ * NSS-defined crypto mechanisms
+ *
+ */
+#define CKM_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKM_NSS_AES_KEY_WRAP      (CKM_NSS + 1)
+#define CKM_NSS_AES_KEY_WRAP_PAD  (CKM_NSS + 2)
+
+/*
+ * HISTORICAL:
+ * Do not attempt to use these. They are only used by NETSCAPE's internal
+ * PKCS #11 interface. Most of these are place holders for other mechanism
+ * and will change in the future.
+ */
+#define CKM_NETSCAPE_PBE_SHA1_DES_CBC           0x80000002L
+#define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC    0x80000003L
+#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC    0x80000004L
+#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC   0x80000005L
+#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4        0x80000006L
+#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4       0x80000007L
+#define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC   0x80000008L
+#define CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN      0x80000009L
+#define CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN       0x8000000aL
+#define CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN       0x8000000bL
+
+#define CKM_TLS_PRF_GENERAL                     0x80000373L
+
+/*
+ * NSS-defined return values
+ *
+ */
+#define CKR_NSS (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+#define CKR_NSS_CERTDB_FAILED      (CKR_NSS + 1)
+#define CKR_NSS_KEYDB_FAILED       (CKR_NSS + 2)
+
+/*
+ * Trust info
+ *
+ * This isn't part of the Cryptoki standard (yet), so I'm putting
+ * all the definitions here.  Some of this would move to nssckt.h
+ * if trust info were made part of the standard.  In view of this
+ * possibility, I'm putting my (NSS) values in the NSS
+ * vendor space, like everything else.
+ */
+
+typedef CK_ULONG          CK_TRUST;
+
+/* The following trust types are defined: */
+#define CKT_VENDOR_DEFINED     0x80000000
+
+#define CKT_NSS (CKT_VENDOR_DEFINED|NSSCK_VENDOR_NSS)
+
+/* If trust goes standard, these'll probably drop out of vendor space. */
+#define CKT_NSS_TRUSTED            (CKT_NSS + 1)
+#define CKT_NSS_TRUSTED_DELEGATOR  (CKT_NSS + 2)
+#define CKT_NSS_UNTRUSTED          (CKT_NSS + 3)
+#define CKT_NSS_MUST_VERIFY        (CKT_NSS + 4)
+#define CKT_NSS_TRUST_UNKNOWN      (CKT_NSS + 5) /* default */
+
+/* 
+ * These may well remain NSS-specific; I'm only using them
+ * to cache resolution data.
+ */
+#define CKT_NSS_VALID              (CKT_NSS + 10)
+#define CKT_NSS_VALID_DELEGATOR    (CKT_NSS + 11)
+
+/* don't leave old programs in a lurch just yet, give them the old NETSCAPE
+ * synonym */
+#define CKO_NETSCAPE_CRL                CKO_NSS_CRL
+#define CKO_NETSCAPE_SMIME              CKO_NSS_SMIME
+#define CKO_NETSCAPE_TRUST              CKO_NSS_TRUST
+#define CKO_NETSCAPE_BUILTIN_ROOT_LIST  CKO_NSS_BUILTIN_ROOT_LIST
+#define CKO_NETSCAPE_NEWSLOT            CKO_NSS_NEWSLOT
+#define CKO_NETSCAPE_DELSLOT            CKO_NSS_DELSLOT
+#define CKK_NETSCAPE_PKCS8              CKK_NSS_PKCS8
+#define CKA_NETSCAPE_URL                CKA_NSS_URL
+#define CKA_NETSCAPE_EMAIL              CKA_NSS_EMAIL
+#define CKA_NETSCAPE_SMIME_INFO         CKA_NSS_SMIME_INFO
+#define CKA_NETSCAPE_SMIME_TIMESTAMP    CKA_NSS_SMIME_TIMESTAMP
+#define CKA_NETSCAPE_PKCS8_SALT         CKA_NSS_PKCS8_SALT
+#define CKA_NETSCAPE_PASSWORD_CHECK     CKA_NSS_PASSWORD_CHECK
+#define CKA_NETSCAPE_EXPIRES            CKA_NSS_EXPIRES
+#define CKA_NETSCAPE_KRL                CKA_NSS_KRL
+#define CKA_NETSCAPE_PQG_COUNTER        CKA_NSS_PQG_COUNTER
+#define CKA_NETSCAPE_PQG_SEED           CKA_NSS_PQG_SEED
+#define CKA_NETSCAPE_PQG_H              CKA_NSS_PQG_H
+#define CKA_NETSCAPE_PQG_SEED_BITS      CKA_NSS_PQG_SEED_BITS
+#define CKA_NETSCAPE_MODULE_SPEC        CKA_NSS_MODULE_SPEC
+#define CKM_NETSCAPE_AES_KEY_WRAP	CKM_NSS_AES_KEY_WRAP
+#define CKM_NETSCAPE_AES_KEY_WRAP_PAD	CKM_NSS_AES_KEY_WRAP_PAD
+#define CKR_NETSCAPE_CERTDB_FAILED      CKR_NSS_CERTDB_FAILED
+#define CKR_NETSCAPE_KEYDB_FAILED       CKR_NSS_KEYDB_FAILED
+#define CKT_NETSCAPE_TRUSTED            CKT_NSS_TRUSTED
+#define CKT_NETSCAPE_TRUSTED_DELEGATOR  CKT_NSS_TRUSTED_DELEGATOR
+#define CKT_NETSCAPE_UNTRUSTED          CKT_NSS_UNTRUSTED
+#define CKT_NETSCAPE_MUST_VERIFY        CKT_NSS_MUST_VERIFY
+#define CKT_NETSCAPE_TRUST_UNKNOWN      CKT_NSS_TRUST_UNKNOWN
+#define CKT_NETSCAPE_VALID              CKT_NSS_VALID
+#define CKT_NETSCAPE_VALID_DELEGATOR    CKT_NSS_VALID_DELEGATOR
+
+/*
+ * These are not really PKCS #11 values specifically. They are the 'loadable'
+ * module spec NSS uses. The are available for others to use as well, but not
+ * part of the formal PKCS #11 spec.
+ *
+ * The function 'FIND' returns an array of PKCS #11 initialization strings
+ * The function 'ADD' takes a PKCS #11 initialization string and stores it.
+ * The function 'DEL' takes a 'name= library=' value and deletes the associated
+ *  string.
+ * The function 'RELEASE' frees the array returned by 'FIND'
+ */
+#define SECMOD_MODULE_DB_FUNCTION_FIND  0
+#define SECMOD_MODULE_DB_FUNCTION_ADD   1
+#define SECMOD_MODULE_DB_FUNCTION_DEL   2
+#define SECMOD_MODULE_DB_FUNCTION_RELEASE 3 
+typedef char ** (PR_CALLBACK *SECMODModuleDBFunc)(unsigned long function,
+                                        char *parameters, void *moduleSpec);
+
+/* softoken slot ID's */
+#define SFTK_MIN_USER_SLOT_ID 4
+#define SFTK_MAX_USER_SLOT_ID 100
+#define SFTK_MIN_FIPS_USER_SLOT_ID 101
+#define SFTK_MAX_FIPS_USER_SLOT_ID 127
+
+
+#endif /* _PKCS11N_H_ */

mozilla/security/nss/lib/softoken/pkcs11ni.h

@@ -0,0 +1,52 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _PKCS11NI_H_
+#define _PKCS11NI_H_
+
+/*
+ * pkcs11ni.h
+ *
+ * This file contains softoken private exports for NSS
+ */
+
+/* softoken slot ID's */
+#define SFTK_MIN_USER_SLOT_ID 4
+#define SFTK_MAX_USER_SLOT_ID 100
+#define SFTK_MIN_FIPS_USER_SLOT_ID 101
+#define SFTK_MAX_FIPS_USER_SLOT_ID 127
+
+
+#endif /* _PKCS11NI_H_ */

mozilla/security/nss/lib/softoken/pkcs11p.h

@@ -0,0 +1,54 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security Inc. Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ */
+/* these data types are platform/implementation dependent. */
+/*
+ * Packing was removed from the shipped RSA header files, even
+ * though it's still needed. put in a central file to help merging..
+ */
+
+#if defined(_WIN32)
+#ifdef _MSC_VER
+#pragma warning(disable:4103)
+#endif
+#pragma pack(push, cryptoki, 1)
+#endif
+

mozilla/security/nss/lib/softoken/pkcs11u.h

@@ -0,0 +1,52 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security Inc. Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ */
+/*
+ * reset any packing set by pkcs11p.h
+ */
+
+#if defined (_WIN32)
+#ifdef _MSC_VER
+#pragma warning(disable:4103)
+#endif
+#pragma pack(pop, cryptoki)
+#endif
+

mozilla/security/nss/lib/softoken/rsawrapr.c

@@ -0,0 +1,917 @@
+/*
+ * PKCS#1 encoding and decoding functions.
+ * This file is believed to contain no code licensed from other parties.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id: rsawrapr.c,v 1.11 2006-10-23 21:24:38 wtchang%redhat.com Exp $ */
+
+#include "blapi.h"
+#include "softoken.h"
+#include "sechash.h"
+
+#include "lowkeyi.h"
+#include "secerr.h"
+
+#define RSA_BLOCK_MIN_PAD_LEN		8
+#define RSA_BLOCK_FIRST_OCTET		0x00
+#define RSA_BLOCK_PRIVATE0_PAD_OCTET	0x00
+#define RSA_BLOCK_PRIVATE_PAD_OCTET	0xff
+#define RSA_BLOCK_AFTER_PAD_OCTET	0x00
+
+#define OAEP_SALT_LEN		8
+#define OAEP_PAD_LEN		8
+#define OAEP_PAD_OCTET		0x00
+
+#define FLAT_BUFSIZE 512	/* bytes to hold flattened SHA1Context. */
+
+static SHA1Context *
+SHA1_CloneContext(SHA1Context *original)
+{
+    SHA1Context *  clone	= NULL;
+    unsigned char *pBuf;
+    int            sha1ContextSize = SHA1_FlattenSize(original);
+    SECStatus      frv;
+    unsigned char  buf[FLAT_BUFSIZE];
+
+    PORT_Assert(sizeof buf >= sha1ContextSize);
+    if (sizeof buf >= sha1ContextSize) {
+    	pBuf = buf;
+    } else {
+        pBuf = PORT_Alloc(sha1ContextSize);
+	if (!pBuf)
+	    goto done;
+    }
+
+    frv = SHA1_Flatten(original, pBuf);
+    if (frv == SECSuccess) {
+	clone = SHA1_Resurrect(pBuf, NULL);
+	memset(pBuf, 0, sha1ContextSize);
+    }
+done:
+    if (pBuf != buf)
+    	PORT_Free(pBuf);
+    return clone;
+}
+
+/*
+ * Modify data by XORing it with a special hash of salt.
+ */
+static SECStatus
+oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
+		 unsigned char *salt, unsigned int saltlen)
+{
+    SHA1Context *sha1cx;
+    unsigned char *dp, *dataend;
+    unsigned char end_octet;
+
+    sha1cx = SHA1_NewContext();
+    if (sha1cx == NULL) {
+	return SECFailure;
+    }
+
+    /*
+     * Get a hash of salt started; we will use it several times,
+     * adding in a different end octet (x00, x01, x02, ...).
+     */
+    SHA1_Begin (sha1cx);
+    SHA1_Update (sha1cx, salt, saltlen);
+    end_octet = 0;
+
+    dp = data;
+    dataend = data + datalen;
+
+    while (dp < dataend) {
+	SHA1Context *sha1cx_h1;
+	unsigned int sha1len, sha1off;
+	unsigned char sha1[SHA1_LENGTH];
+
+	/*
+	 * Create hash of (salt || end_octet)
+	 */
+	sha1cx_h1 = SHA1_CloneContext (sha1cx);
+	SHA1_Update (sha1cx_h1, &end_octet, 1);
+	SHA1_End (sha1cx_h1, sha1, &sha1len, sizeof(sha1));
+	SHA1_DestroyContext (sha1cx_h1, PR_TRUE);
+	PORT_Assert (sha1len == SHA1_LENGTH);
+
+	/*
+	 * XOR that hash with the data.
+	 * When we have fewer than SHA1_LENGTH octets of data
+	 * left to xor, use just the low-order ones of the hash.
+	 */
+	sha1off = 0;
+	if ((dataend - dp) < SHA1_LENGTH)
+	    sha1off = SHA1_LENGTH - (dataend - dp);
+	while (sha1off < SHA1_LENGTH)
+	    *dp++ ^= sha1[sha1off++];
+
+	/*
+	 * Bump for next hash chunk.
+	 */
+	end_octet++;
+    }
+
+    SHA1_DestroyContext (sha1cx, PR_TRUE);
+    return SECSuccess;
+}
+
+/*
+ * Modify salt by XORing it with a special hash of data.
+ */
+static SECStatus
+oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
+		 unsigned char *data, unsigned int datalen)
+{
+    unsigned char sha1[SHA1_LENGTH];
+    unsigned char *psalt, *psha1, *saltend;
+    SECStatus rv;
+
+    /*
+     * Create a hash of data.
+     */
+    rv = SHA1_HashBuf (sha1, data, datalen);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
+    /*
+     * XOR the low-order octets of that hash with salt.
+     */
+    PORT_Assert (saltlen <= SHA1_LENGTH);
+    saltend = salt + saltlen;
+    psalt = salt;
+    psha1 = sha1 + SHA1_LENGTH - saltlen;
+    while (psalt < saltend) {
+	*psalt++ ^= *psha1++;
+    }
+
+    return SECSuccess;
+}
+
+/*
+ * Format one block of data for public/private key encryption using
+ * the rules defined in PKCS #1.
+ */
+static unsigned char *
+rsa_FormatOneBlock(unsigned modulusLen, RSA_BlockType blockType,
+		   SECItem *data)
+{
+    unsigned char *block;
+    unsigned char *bp;
+    int padLen;
+    int i;
+    SECStatus rv;
+
+    block = (unsigned char *) PORT_Alloc(modulusLen);
+    if (block == NULL)
+	return NULL;
+
+    bp = block;
+
+    /*
+     * All RSA blocks start with two octets:
+     *	0x00 || BlockType
+     */
+    *bp++ = RSA_BLOCK_FIRST_OCTET;
+    *bp++ = (unsigned char) blockType;
+
+    switch (blockType) {
+
+      /*
+       * Blocks intended for private-key operation.
+       */
+      case RSA_BlockPrivate0: /* essentially unused */
+      case RSA_BlockPrivate:	 /* preferred method */
+	/*
+	 * 0x00 || BT || Pad || 0x00 || ActualData
+	 *   1      1   padLen    1      data->len
+	 * Pad is either all 0x00 or all 0xff bytes, depending on blockType.
+	 */
+	padLen = modulusLen - data->len - 3;
+	PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
+	if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+	    PORT_Free (block);
+	    return NULL;
+	}
+	PORT_Memset (bp,
+		   blockType == RSA_BlockPrivate0
+			? RSA_BLOCK_PRIVATE0_PAD_OCTET
+			: RSA_BLOCK_PRIVATE_PAD_OCTET,
+		   padLen);
+	bp += padLen;
+	*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+	PORT_Memcpy (bp, data->data, data->len);
+	break;
+
+      /*
+       * Blocks intended for public-key operation.
+       */
+      case RSA_BlockPublic:
+
+	/*
+	 * 0x00 || BT || Pad || 0x00 || ActualData
+	 *   1      1   padLen    1      data->len
+	 * Pad is all non-zero random bytes.
+	 */
+	padLen = modulusLen - data->len - 3;
+	PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
+	if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+	    PORT_Free (block);
+	    return NULL;
+	}
+	for (i = 0; i < padLen; i++) {
+	    /* Pad with non-zero random data. */
+	    do {
+		rv = RNG_GenerateGlobalRandomBytes(bp + i, 1);
+	    } while (rv == SECSuccess && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
+	    if (rv != SECSuccess) {
+		sftk_fatalError = PR_TRUE;
+		PORT_Free (block);
+		return NULL;
+	    }
+	}
+	bp += padLen;
+	*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+	PORT_Memcpy (bp, data->data, data->len);
+
+	break;
+
+      /*
+       * Blocks intended for public-key operation, using
+       * Optimal Asymmetric Encryption Padding (OAEP).
+       */
+      case RSA_BlockOAEP:
+	/*
+	 * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
+	 *   1      1     OAEP_SALT_LEN     OAEP_PAD_LEN + data->len [+ N]
+	 *
+	 * where:
+	 *   PaddedData is "Pad1 || ActualData [|| Pad2]"
+	 *   Salt is random data.
+	 *   Pad1 is all zeros.
+	 *   Pad2, if present, is random data.
+	 *   (The "modified" fields are all the same length as the original
+	 * unmodified values; they are just xor'd with other values.)
+	 *
+	 *   Modified1 is an XOR of PaddedData with a special octet
+	 * string constructed of iterated hashing of Salt (see below).
+	 *   Modified2 is an XOR of Salt with the low-order octets of
+	 * the hash of Modified1 (see farther below ;-).
+	 *
+	 * Whew!
+	 */
+
+
+	/*
+	 * Salt
+	 */
+	rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
+	if (rv != SECSuccess) {
+	    sftk_fatalError = PR_TRUE;
+	    PORT_Free (block);
+	    return NULL;
+	}
+	bp += OAEP_SALT_LEN;
+
+	/*
+	 * Pad1
+	 */
+	PORT_Memset (bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
+	bp += OAEP_PAD_LEN;
+
+	/*
+	 * Data
+	 */
+	PORT_Memcpy (bp, data->data, data->len);
+	bp += data->len;
+
+	/*
+	 * Pad2
+	 */
+	if (bp < (block + modulusLen)) {
+	    rv = RNG_GenerateGlobalRandomBytes(bp, block - bp + modulusLen);
+	    if (rv != SECSuccess) {
+		sftk_fatalError = PR_TRUE;
+		PORT_Free (block);
+		return NULL;
+	    }
+	}
+
+	/*
+	 * Now we have the following:
+	 * 0x00 || BT || Salt || PaddedData
+	 * (From this point on, "Pad1 || Data [|| Pad2]" is treated
+	 * as the one entity PaddedData.)
+	 *
+	 * We need to turn PaddedData into Modified1.
+	 */
+	if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
+			     modulusLen - 2 - OAEP_SALT_LEN,
+			     block + 2, OAEP_SALT_LEN) != SECSuccess) {
+	    PORT_Free (block);
+	    return NULL;
+	}
+
+	/*
+	 * Now we have:
+	 * 0x00 || BT || Salt || Modified1(PaddedData)
+	 *
+	 * The remaining task is to turn Salt into Modified2.
+	 */
+	if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
+			     block + 2 + OAEP_SALT_LEN,
+			     modulusLen - 2 - OAEP_SALT_LEN) != SECSuccess) {
+	    PORT_Free (block);
+	    return NULL;
+	}
+
+	break;
+
+      default:
+	PORT_Assert (0);
+	PORT_Free (block);
+	return NULL;
+    }
+
+    return block;
+}
+
+static SECStatus
+rsa_FormatBlock(SECItem *result, unsigned modulusLen,
+		RSA_BlockType blockType, SECItem *data)
+{
+    /*
+     * XXX For now assume that the data length fits in a single
+     * XXX encryption block; the ASSERTs below force this.
+     * XXX To fix it, each case will have to loop over chunks whose
+     * XXX lengths satisfy the assertions, until all data is handled.
+     * XXX (Unless RSA has more to say about how to handle data
+     * XXX which does not fit in a single encryption block?)
+     * XXX And I do not know what the result is supposed to be,
+     * XXX so the interface to this function may need to change
+     * XXX to allow for returning multiple blocks, if they are
+     * XXX not wanted simply concatenated one after the other.
+     */
+
+    switch (blockType) {
+      case RSA_BlockPrivate0:
+      case RSA_BlockPrivate:
+      case RSA_BlockPublic:
+	/*
+	 * 0x00 || BT || Pad || 0x00 || ActualData
+	 *
+	 * The "3" below is the first octet + the second octet + the 0x00
+	 * octet that always comes just before the ActualData.
+	 */
+	PORT_Assert (data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)));
+
+	result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
+	if (result->data == NULL) {
+	    result->len = 0;
+	    return SECFailure;
+	}
+	result->len = modulusLen;
+
+	break;
+
+      case RSA_BlockOAEP:
+	/*
+	 * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
+	 *
+	 * The "2" below is the first octet + the second octet.
+	 * (The other fields do not contain the clear values, but are
+	 * the same length as the clear values.)
+	 */
+	PORT_Assert (data->len <= (modulusLen - (2 + OAEP_SALT_LEN
+						 + OAEP_PAD_LEN)));
+
+	result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
+	if (result->data == NULL) {
+	    result->len = 0;
+	    return SECFailure;
+	}
+	result->len = modulusLen;
+
+	break;
+
+      case RSA_BlockRaw:
+	/*
+	 * Pad || ActualData
+	 * Pad is zeros. The application is responsible for recovering
+	 * the actual data.
+	 */
+	if (data->len > modulusLen ) {
+	    return SECFailure;
+	}
+	result->data = (unsigned char*)PORT_ZAlloc(modulusLen);
+	result->len = modulusLen;
+	PORT_Memcpy(result->data+(modulusLen-data->len),data->data,data->len);
+	break;
+
+      default:
+	PORT_Assert (0);
+	result->data = NULL;
+	result->len = 0;
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_Sign(NSSLOWKEYPrivateKey *key, 
+         unsigned char *      output, 
+	 unsigned int *       output_len,
+         unsigned int         maxOutputLen, 
+	 unsigned char *      input, 
+	 unsigned int         input_len)
+{
+    SECStatus     rv          = SECSuccess;
+    unsigned int  modulus_len = nsslowkey_PrivateModulusLen(key);
+    SECItem       formatted;
+    SECItem       unformatted;
+
+    if (maxOutputLen < modulus_len) 
+    	return SECFailure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	return SECFailure;
+
+    unformatted.len  = input_len;
+    unformatted.data = input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPrivate,
+			 &unformatted);
+    if (rv != SECSuccess) 
+    	goto done;
+
+    rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data);
+    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+	sftk_fatalError = PR_TRUE;
+    }
+    *output_len = modulus_len;
+
+    goto done;
+
+done:
+    if (formatted.data != NULL) 
+    	PORT_ZFree(formatted.data, modulus_len);
+    return rv;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSign(NSSLOWKEYPublicKey *key,
+              unsigned char *     sign, 
+	      unsigned int        sign_len, 
+	      unsigned char *     hash, 
+	      unsigned int        hash_len)
+{
+    SECStatus       rv;
+    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
+    unsigned int    i;
+    unsigned char * buffer;
+
+    modulus_len = nsslowkey_PublicModulusLen(key);
+    if (sign_len != modulus_len) 
+    	goto failure;
+    /*
+     * 0x00 || BT || Pad || 0x00 || ActualData
+     *
+     * The "3" below is the first octet + the second octet + the 0x00
+     * octet that always comes just before the ActualData.
+     */
+    if (hash_len > modulus_len - (3 + RSA_BLOCK_MIN_PAD_LEN)) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+    if (!buffer)
+    	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+     * check the padding that was used
+     */
+    if (buffer[0] != 0 || buffer[1] != 1) 
+    	goto loser;
+    for (i = 2; i < modulus_len - hash_len - 1; i++) {
+	if (buffer[i] != 0xff) 
+	    goto loser;
+    }
+    if (buffer[i] != 0) 
+	goto loser;
+
+    /*
+     * make sure we get the same results
+     */
+    if (PORT_Memcmp(buffer + modulus_len - hash_len, hash, hash_len) != 0)
+	goto loser;
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRecover(NSSLOWKEYPublicKey *key,
+                     unsigned char *     data,
+                     unsigned int *      data_len, 
+		     unsigned int        max_output_len, 
+		     unsigned char *     sign,
+		     unsigned int        sign_len)
+{
+    SECStatus       rv;
+    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
+    unsigned int    i;
+    unsigned char * buffer;
+
+    if (sign_len != modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+    if (!buffer)
+    	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
+    if (rv != SECSuccess)
+    	goto loser;
+    *data_len = 0;
+
+    /*
+     * check the padding that was used
+     */
+    if (buffer[0] != 0 || buffer[1] != 1) 
+    	goto loser;
+    for (i = 2; i < modulus_len; i++) {
+	if (buffer[i] == 0) {
+	    *data_len = modulus_len - i - 1;
+	    break;
+	}
+	if (buffer[i] != 0xff) 
+	    goto loser;
+    }
+    if (*data_len == 0) 
+    	goto loser;
+    if (*data_len > max_output_len) 
+    	goto loser;
+
+    /*
+     * make sure we get the same results
+     */
+    PORT_Memcpy(data,buffer + modulus_len - *data_len, *data_len);
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_EncryptBlock(NSSLOWKEYPublicKey *key, 
+                 unsigned char *     output, 
+		 unsigned int *      output_len,
+                 unsigned int        max_output_len, 
+		 unsigned char *     input, 
+		 unsigned int        input_len)
+{
+    SECStatus     rv;
+    unsigned int  modulus_len = nsslowkey_PublicModulusLen(key);
+    SECItem       formatted;
+    SECItem       unformatted;
+
+    formatted.data = NULL;
+    if (max_output_len < modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    unformatted.len  = input_len;
+    unformatted.data = input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPublic,
+			 &unformatted);
+    if (rv != SECSuccess) 
+	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, output, formatted.data);
+    if (rv != SECSuccess) 
+    	goto failure;
+
+    PORT_ZFree(formatted.data, modulus_len);
+    *output_len = modulus_len;
+    return SECSuccess;
+
+failure:
+    if (formatted.data != NULL) 
+	PORT_ZFree(formatted.data, modulus_len);
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_DecryptBlock(NSSLOWKEYPrivateKey *key, 
+                 unsigned char *      output, 
+		 unsigned int *       output_len,
+                 unsigned int         max_output_len, 
+		 unsigned char *      input, 
+		 unsigned int         input_len)
+{
+    SECStatus       rv;
+    unsigned int    modulus_len = nsslowkey_PrivateModulusLen(key);
+    unsigned int    i;
+    unsigned char * buffer;
+
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+    if (input_len != modulus_len)
+    	goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+    if (!buffer)
+    	goto failure;
+
+    rv = RSA_PrivateKeyOp(&key->u.rsa, buffer, input);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+	    sftk_fatalError = PR_TRUE;
+	}
+    	goto loser;
+    }
+
+    if (buffer[0] != 0 || buffer[1] != 2) 
+    	goto loser;
+    *output_len = 0;
+    for (i = 2; i < modulus_len; i++) {
+	if (buffer[i] == 0) {
+	    *output_len = modulus_len - i - 1;
+	    break;
+	}
+    }
+    if (*output_len == 0) 
+    	goto loser;
+    if (*output_len > max_output_len) 
+    	goto loser;
+
+    PORT_Memcpy(output, buffer + modulus_len - *output_len, *output_len);
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+/*
+ * added to make pkcs #11 happy
+ *   RAW is RSA_X_509
+ */
+SECStatus
+RSA_SignRaw(NSSLOWKEYPrivateKey *key, 
+            unsigned char *      output, 
+	    unsigned int *       output_len,
+            unsigned int         maxOutputLen, 
+	    unsigned char *      input, 
+	    unsigned int         input_len)
+{
+    SECStatus    rv          = SECSuccess;
+    unsigned int modulus_len = nsslowkey_PrivateModulusLen(key);
+    SECItem      formatted;
+    SECItem      unformatted;
+
+    if (maxOutputLen < modulus_len) 
+    	return SECFailure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	return SECFailure;
+
+    unformatted.len  = input_len;
+    unformatted.data = input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, &unformatted);
+    if (rv != SECSuccess) 
+    	goto done;
+
+    rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data);
+    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+	sftk_fatalError = PR_TRUE;
+    }
+    *output_len = modulus_len;
+
+done:
+    if (formatted.data != NULL) 
+    	PORT_ZFree(formatted.data, modulus_len);
+    return rv;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRaw(NSSLOWKEYPublicKey *key,
+                 unsigned char *     sign, 
+		 unsigned int        sign_len, 
+		 unsigned char *     hash, 
+		 unsigned int        hash_len)
+{
+    SECStatus       rv;
+    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
+    unsigned char * buffer;
+
+    if (sign_len != modulus_len) 
+    	goto failure;
+    if (hash_len > modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+    if (!buffer)
+    	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+     * make sure we get the same results
+     */
+    /* NOTE: should we verify the leading zeros? */
+    if (PORT_Memcmp(buffer + (modulus_len-hash_len), hash, hash_len) != 0)
+	goto loser;
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRecoverRaw(NSSLOWKEYPublicKey *key,
+                        unsigned char *     data,
+                        unsigned int *      data_len, 
+			unsigned int        max_output_len, 
+			unsigned char *     sign,
+			unsigned int        sign_len)
+{
+    SECStatus      rv;
+    unsigned int   modulus_len = nsslowkey_PublicModulusLen(key);
+
+    if (sign_len != modulus_len) 
+    	goto failure;
+    if (max_output_len < modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, data, sign);
+    if (rv != SECSuccess)
+	goto failure;
+
+    *data_len = modulus_len;
+    return SECSuccess;
+
+failure:
+    return SECFailure;
+}
+
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_EncryptRaw(NSSLOWKEYPublicKey *key, 
+	       unsigned char *     output, 
+	       unsigned int *      output_len,
+               unsigned int        max_output_len, 
+	       unsigned char *     input, 
+	       unsigned int        input_len)
+{
+    SECStatus rv;
+    unsigned int  modulus_len = nsslowkey_PublicModulusLen(key);
+    SECItem       formatted;
+    SECItem       unformatted;
+
+    formatted.data = NULL;
+    if (max_output_len < modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    unformatted.len  = input_len;
+    unformatted.data = input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, &unformatted);
+    if (rv != SECSuccess)
+	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, output, formatted.data);
+    if (rv != SECSuccess) 
+    	goto failure;
+
+    PORT_ZFree(formatted.data, modulus_len);
+    *output_len = modulus_len;
+    return SECSuccess;
+
+failure:
+    if (formatted.data != NULL) 
+	PORT_ZFree(formatted.data, modulus_len);
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_DecryptRaw(NSSLOWKEYPrivateKey *key, 
+               unsigned char *      output, 
+	       unsigned int *       output_len,
+               unsigned int         max_output_len, 
+	       unsigned char *      input, 
+	       unsigned int         input_len)
+{
+    SECStatus     rv;
+    unsigned int  modulus_len = nsslowkey_PrivateModulusLen(key);
+
+    if (modulus_len <= 0) 
+    	goto failure;
+    if (modulus_len > max_output_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+    if (input_len != modulus_len) 
+    	goto failure;
+
+    rv = RSA_PrivateKeyOp(&key->u.rsa, output, input);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+	    sftk_fatalError = PR_TRUE;
+	}
+    	goto failure;
+    }
+
+    *output_len = modulus_len;
+    return SECSuccess;
+
+failure:
+    return SECFailure;
+}

mozilla/security/nss/lib/softoken/sdb.h

@@ -0,0 +1,115 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Red Hat, Inc.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Robert Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ *   This implementation has two slots:
+ *	slot 1 is our generic crypto support. It does not require login.
+ *   It supports Public Key ops, and all they bulk ciphers and hashes. 
+ *   It can also support Private Key ops for imported Private keys. It does 
+ *   not have any token storage.
+ *	slot 2 is our private key support. It requires a login before use. It
+ *   can store Private Keys and Certs as token objects. Currently only private
+ *   keys and their associated Certificates are saved on the token.
+ *
+ *   In this implementation, session objects are only visible to the session
+ *   that created or generated them.
+ */
+
+/*
+ * the following data structures should be moved to a 'rdb.h'.
+ */
+
+#ifndef _SDB_H
+#define _SDB_H 1
+#include "pkcs11t.h"
+#include "secitem.h"
+#include "sftkdbt.h"
+#include <sqlite3.h>
+
+#define STATIC_CMD_SIZE 2048
+
+typedef struct SDBFindStr SDBFind;
+typedef struct SDBStr SDB;
+typedef struct SDBPasswordEntryStr SDBPasswordEntry;
+
+struct SDBStr {
+    void *private;
+    int  version;
+    SDBType sdb_type;
+    int  sdb_flags;
+    void *app_private;
+    CK_RV (*sdb_FindObjectsInit)(SDB *sdb, const CK_ATTRIBUTE *template, 
+				 CK_ULONG count, SDBFind **find);
+    CK_RV (*sdb_FindObjects)(SDB *sdb, SDBFind *find, CK_OBJECT_HANDLE *ids, 
+				CK_ULONG arraySize, CK_ULONG *count);
+    CK_RV (*sdb_FindObjectsFinal)(SDB *sdb, SDBFind *find);
+    CK_RV (*sdb_GetAttributeValue)(SDB *sdb, CK_OBJECT_HANDLE object, 
+				CK_ATTRIBUTE *template, CK_ULONG count);
+    CK_RV (*sdb_SetAttributeValue)(SDB *sdb, CK_OBJECT_HANDLE object, 
+				const CK_ATTRIBUTE *template, CK_ULONG count);
+    CK_RV (*sdb_CreateObject)(SDB *sdb, CK_OBJECT_HANDLE *object, 
+				const CK_ATTRIBUTE *template, CK_ULONG count);
+    CK_RV (*sdb_DestroyObject)(SDB *sdb, CK_OBJECT_HANDLE object);
+    CK_RV (*sdb_GetPWEntry)(SDB *sdb, SDBPasswordEntry *entry);
+    CK_RV (*sdb_PutPWEntry)(SDB *sdb, SDBPasswordEntry *entry);
+    CK_RV (*sdb_Begin)(SDB *sdb);
+    CK_RV (*sdb_Commit)(SDB *sdb);
+    CK_RV (*sdb_Abort)(SDB *sdb);
+    CK_RV (*sdb_Reset)(SDB *sdb);
+    CK_RV (*sdb_Close)(SDB *sdb);
+};
+
+struct SDBPasswordEntryStr {
+    SECItem salt;
+    SECItem value;
+    unsigned char data[128];
+};
+
+CK_RV s_open(const char *directory, const char *certPrefix, 
+	     const char *keyPrefix,
+	     int cert_version, int key_version, 
+	     int flags, SDB **certdb, SDB **keydb, int *newInit);
+CK_RV s_shutdown();
+
+/* flags */
+#define SDB_RDONLY      1
+#define SDB_RDWR        2
+#define SDB_CREATE      4
+
+#endif

mozilla/security/nss/lib/softoken/sftkdb.h

@@ -0,0 +1,89 @@
+/*
+ * license
+ */
+
+#include "sftkdbt.h"
+#include "sdb.h"
+#include "pkcs11i.h"
+#include "pkcs11t.h"
+
+/* raw database stuff */
+CK_RV sftkdb_write(SFTKDBHandle *handle, SFTKObject *,CK_OBJECT_HANDLE *);
+CK_RV sftkdb_FindObjectsInit(SFTKDBHandle *sdb, const CK_ATTRIBUTE *template,
+				 CK_ULONG count, SDBFind **find);
+CK_RV sftkdb_FindObjects(SFTKDBHandle *sdb, SDBFind *find, 
+			CK_OBJECT_HANDLE *ids, int arraySize, CK_ULONG *count);
+CK_RV sftkdb_FindObjectsFinal(SFTKDBHandle *sdb, SDBFind *find);
+CK_RV sftkdb_GetAttributeValue(SFTKDBHandle *handle,
+	 CK_OBJECT_HANDLE object_id, CK_ATTRIBUTE *template, CK_ULONG count);
+CK_RV sftkdb_SetAttributeValue(SFTKDBHandle *handle, 
+	 CK_OBJECT_HANDLE object_id, const CK_ATTRIBUTE *template, 
+	 CK_ULONG count);
+CK_RV sftkdb_DestroyObject(SFTKDBHandle *handle, CK_OBJECT_HANDLE object_id);
+CK_RV sftkdb_closeDB(SFTKDBHandle *handle);
+
+
+/* secmod.db functions */
+char ** sftkdb_ReadSecmodDB(SDBType dbType, const char *appName, 
+			    const char *filename, const char *dbname, 
+			    char *params, PRBool rw);
+SECStatus sftkdb_ReleaseSecmodDBData(SDBType dbType, const char *appName, 
+				     const char *filename, const char *dbname, 
+				     char **moduleSpecList, PRBool rw);
+SECStatus sftkdb_DeleteSecmodDB(SDBType dbType, const char *appName, 
+				const char *filename, const char *dbname, 
+				char *args, PRBool rw);
+SECStatus sftkdb_AddSecmodDB(SDBType dbType, const char *appName, 
+			     const char *filename, const char *dbname, 
+			     char *module, PRBool rw);
+
+/* keydb functions */
+
+SECStatus sftkdb_PWIsInitialized(SFTKDBHandle *keydb);
+SECStatus sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw);
+SECStatus sftkdb_PWCached(SFTKDBHandle *keydb);
+SECStatus sftkdb_HasPasswordSet(SFTKDBHandle *keydb);
+SECStatus sftkdb_ResetKeyDB(SFTKDBHandle *keydb);
+SECStatus sftkdb_ChangePassword(SFTKDBHandle *keydb, char *oldPin, char *newPin);
+SECStatus sftkdb_ClearPassword(SFTKDBHandle *keydb);
+
+/* Utility functions */
+/*
+ * OK there are now lots of options here, lets go through them all:
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ *                      "https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: "
+ *                      "https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * readOnly - Boolean: true if the databases are to be openned read only.
+ * nocertdb - Don't open the cert DB and key DB's, just initialize the
+ *                      Volatile certdb.
+ * nomoddb - Don't open the security module DB, just initialize the
+ *                      PKCS #11 module.
+ * forceOpen - Continue to force initializations even if the databases cannot
+ *                      be opened.
+ */
+CK_RV sftk_DBInit(const char *configdir, const char *certPrefix,
+	 	const char *keyPrefix, PRBool readOnly, PRBool noCertDB, 
+		PRBool noKeyDB, PRBool forceOpen, 
+		SFTKDBHandle **certDB, SFTKDBHandle **keyDB);
+CK_RV sftkdb_Shutdown(void);
+
+SFTKDBHandle *sftk_getCertDB(SFTKSlot *slot);
+SFTKDBHandle *sftk_getKeyDB(SFTKSlot *slot);
+SFTKDBHandle *sftk_getDBForObject(SFTKSlot *slot, CK_OBJECT_HANDLE objectID);
+void sftk_freeDB(SFTKDBHandle *certHandle);
+
+/*
+ * for lgglue, stubs to encrypt and decrypt password entries
+ */
+SECStatus sftkdb_encrypt_stub(PRArenaPool *arena, SDB *sdb, SECItem *plainText,
+                    SECItem **cipherText);
+SECStatus sftkdb_decrypt_stub(SDB *sdb, SECItem *cipherText, 
+		    SECItem **plainText);
+
+
+
+

mozilla/security/nss/lib/softoken/sftkdbt.h

@@ -0,0 +1,17 @@
+/*
+ * license
+ */
+
+
+#ifndef SFTKDBT_H
+#define SFTKDBT_H 1
+typedef struct SFTKDBHandleStr SFTKDBHandle;
+
+typedef enum {
+   SDB_SQL,
+   SDB_EXTERN,
+   SDB_LEGACY,
+   SDB_MULTIACCESS
+} SDBType;
+
+#endif

mozilla/security/nss/lib/softoken/sftkpars.c

@@ -0,0 +1,616 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* 
+ *  The following code handles the storage of PKCS 11 modules used by the
+ * NSS. This file is written to abstract away how the modules are
+ * stored so we can deside that later.
+ */
+#include "sftkpars.h"
+#include "pkcs11i.h"
+#include "sdb.h"
+#include "prprf.h" 
+#include "prenv.h"
+
+/*
+ * this file contains routines for parsing PKCS #11 module spec
+ * strings.
+ */
+
+#define SFTK_HANDLE_STRING_ARG(param,target,value,command) \
+    if (PORT_Strncasecmp(param,value,sizeof(value)-1) == 0) { \
+	param += sizeof(value)-1; \
+	target = sftk_argFetchValue(param,&next); \
+	param += next; \
+	command ;\
+    } else  
+
+#define SFTK_HANDLE_FINAL_ARG(param) \
+    { param = sftk_argSkipParameter(param); } param = sftk_argStrip(param);
+
+static PRBool sftk_argGetPair(char c) {
+    switch (c) {
+    case '\'': return c;
+    case '\"': return c;
+    case '<': return '>';
+    case '{': return '}';
+    case '[': return ']';
+    case '(': return ')';
+    default: break;
+    }
+    return ' ';
+}
+
+static PRBool sftk_argIsBlank(char c) {
+   return isspace(c);
+}
+
+static PRBool sftk_argIsEscape(char c) {
+    return c == '\\';
+}
+
+static PRBool sftk_argIsQuote(char c) {
+    switch (c) {
+    case '\'':
+    case '\"':
+    case '<':
+    case '{': /* } end curly to keep vi bracket matching working */
+    case '(': /* ) */
+    case '[': /* ] */ return PR_TRUE;
+    default: break;
+    }
+    return PR_FALSE;
+}
+
+char *sftk_argStrip(char *c) {
+   while (*c && sftk_argIsBlank(*c)) c++;
+   return c;
+}
+
+static char *
+sftk_argFindEnd(char *string) {
+    char endChar = ' ';
+    PRBool lastEscape = PR_FALSE;
+
+    if (sftk_argIsQuote(*string)) {
+	endChar = sftk_argGetPair(*string);
+	string++;
+    }
+
+    for (;*string; string++) {
+	if (lastEscape) {
+	    lastEscape = PR_FALSE;
+	    continue;
+	}
+	if (sftk_argIsEscape(*string) && !lastEscape) {
+	    lastEscape = PR_TRUE;
+	    continue;
+	} 
+	if ((endChar == ' ') && sftk_argIsBlank(*string)) break;
+	if (*string == endChar) {
+	    break;
+	}
+    }
+
+    return string;
+}
+
+char *
+sftk_argFetchValue(char *string, int *pcount)
+{
+    char *end = sftk_argFindEnd(string);
+    char *retString, *copyString;
+    PRBool lastEscape = PR_FALSE;
+    int len;
+
+    len = end - string;
+    if (len == 0) {
+	*pcount = 0;
+	return NULL;
+    }
+
+    copyString = retString = (char *)PORT_Alloc(len+1);
+
+    if (*end) len++;
+    *pcount = len;
+    if (retString == NULL) return NULL;
+
+
+    if (sftk_argIsQuote(*string)) string++;
+    for (; string < end; string++) {
+	if (sftk_argIsEscape(*string) && !lastEscape) {
+	    lastEscape = PR_TRUE;
+	    continue;
+	}
+	lastEscape = PR_FALSE;
+	*copyString++ = *string;
+    }
+    *copyString = 0;
+    return retString;
+}
+
+static char *
+sftk_argSkipParameter(char *string) 
+{
+     char *end;
+     /* look for the end of the <name>= */
+     for (;*string; string++) {
+	if (*string == '=') { string++; break; }
+	if (sftk_argIsBlank(*string)) return(string); 
+     }
+
+     end = sftk_argFindEnd(string);
+     if (*end) end++;
+     return end;
+}
+
+char *
+sftk_argGetParamValue(char *paramName,char *parameters)
+{
+    char searchValue[256];
+    int paramLen = strlen(paramName);
+    char *returnValue = NULL;
+    int next;
+
+    if ((parameters == NULL) || (*parameters == 0)) return NULL;
+
+    PORT_Assert(paramLen+2 < sizeof(searchValue));
+
+    PORT_Strcpy(searchValue,paramName);
+    PORT_Strcat(searchValue,"=");
+    while (*parameters) {
+	if (PORT_Strncasecmp(parameters,searchValue,paramLen+1) == 0) {
+	    parameters += paramLen+1;
+	    returnValue = sftk_argFetchValue(parameters,&next);
+	    break;
+	} else {
+	    parameters = sftk_argSkipParameter(parameters);
+	}
+	parameters = sftk_argStrip(parameters);
+   }
+   return returnValue;
+}
+    
+static char *
+sftk_argNextFlag(char *flags)
+{
+    for (; *flags ; flags++) {
+	if (*flags == ',') {
+	    flags++;
+	    break;
+	}
+    }
+    return flags;
+}
+
+static PRBool
+sftk_argHasFlag(char *label, char *flag, char *parameters)
+{
+    char *flags,*index;
+    int len = strlen(flag);
+    PRBool found = PR_FALSE;
+
+    flags = sftk_argGetParamValue(label,parameters);
+    if (flags == NULL) return PR_FALSE;
+
+    for (index=flags; *index; index=sftk_argNextFlag(index)) {
+	if (PORT_Strncasecmp(index,flag,len) == 0) {
+	    found=PR_TRUE;
+	    break;
+	}
+    }
+    PORT_Free(flags);
+    return found;
+}
+
+/*
+ * decode a number. handle octal (leading '0'), hex (leading '0x') or decimal
+ */
+static long
+sftk_argDecodeNumber(char *num)
+{
+    int	radix = 10;
+    unsigned long value = 0;
+    long retValue = 0;
+    int sign = 1;
+    int digit;
+
+    if (num == NULL) return retValue;
+
+    num = sftk_argStrip(num);
+
+    if (*num == '-') {
+	sign = -1;
+	num++;
+    }
+
+    if (*num == '0') {
+	radix = 8;
+	num++;
+	if ((*num == 'x') || (*num == 'X')) {
+	    radix = 16;
+	    num++;
+	}
+    }
+
+   
+    for ( ;*num; num++ ) {
+	if (isdigit(*num)) {
+	    digit = *num - '0';
+	} else if ((*num >= 'a') && (*num <= 'f'))  {
+	    digit = *num - 'a' + 10;
+	} else if ((*num >= 'A') && (*num <= 'F'))  {
+	    digit = *num - 'A' + 10;
+	} else {
+	    break;
+	}
+	if (digit >= radix) break;
+	value = value*radix + digit;
+    }
+
+    retValue = ((int) value) * sign;
+    return retValue;
+}
+
+static char *
+sftk_argGetName(char *inString, int *next) 
+{
+    char *name=NULL;
+    char *string;
+    int len;
+
+    /* look for the end of the <name>= */
+    for (string = inString;*string; string++) {
+	if (*string == '=') { break; }
+	if (sftk_argIsBlank(*string)) break;
+    }
+
+    len = string - inString;
+
+    *next = len; 
+    if (*string == '=') (*next) += 1;
+    if (len > 0) {
+	name = PORT_Alloc(len+1);
+	PORT_Strncpy(name,inString,len);
+	name[len] = 0;
+    }
+    return name;
+}
+
+#define FREE_CLEAR(p) if (p) { PORT_Free(p); p = NULL; }
+
+static void
+sftk_parseTokenFlags(char *tmp, sftk_token_parameters *parsed) { 
+    parsed->readOnly = sftk_argHasFlag("flags","readOnly",tmp);
+    parsed->noCertDB = sftk_argHasFlag("flags","noCertDB",tmp);
+    parsed->noKeyDB = sftk_argHasFlag("flags","noKeyDB",tmp);
+    parsed->forceOpen = sftk_argHasFlag("flags","forceOpen",tmp);
+    parsed->pwRequired = sftk_argHasFlag("flags","passwordRequired",tmp);
+    parsed->optimizeSpace = sftk_argHasFlag("flags","optimizeSpace",tmp);
+    return;
+}
+
+static void
+sftk_parseFlags(char *tmp, sftk_parameters *parsed) { 
+    parsed->noModDB = sftk_argHasFlag("flags","noModDB",tmp);
+    parsed->readOnly = sftk_argHasFlag("flags","readOnly",tmp);
+    /* keep legacy interface working */
+    parsed->noCertDB = sftk_argHasFlag("flags","noCertDB",tmp);
+    parsed->forceOpen = sftk_argHasFlag("flags","forceOpen",tmp);
+    parsed->pwRequired = sftk_argHasFlag("flags","passwordRequired",tmp);
+    parsed->optimizeSpace = sftk_argHasFlag("flags","optimizeSpace",tmp);
+    return;
+}
+
+static CK_RV
+sftk_parseTokenParameters(char *param, sftk_token_parameters *parsed) 
+{
+    int next;
+    char *tmp;
+    char *index;
+    index = sftk_argStrip(param);
+
+    while (*index) {
+	SFTK_HANDLE_STRING_ARG(index,parsed->configdir,"configDir=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->certPrefix,"certPrefix=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->keyPrefix,"keyPrefix=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->tokdes,"tokenDescription=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->slotdes,"slotDescription=",;)
+	SFTK_HANDLE_STRING_ARG(index,tmp,"minPWLen=", 
+			if(tmp) { parsed->minPW=atoi(tmp); PORT_Free(tmp); })
+	SFTK_HANDLE_STRING_ARG(index,tmp,"flags=", 
+	   if(tmp) { sftk_parseTokenFlags(param,parsed); PORT_Free(tmp); })
+	SFTK_HANDLE_FINAL_ARG(index)
+   }
+   return CKR_OK;
+}
+
+static void
+sftk_parseTokens(char *tokenParams, sftk_parameters *parsed)
+{
+    char *tokenIndex;
+    sftk_token_parameters *tokens = NULL;
+    int i=0,count = 0,next;
+
+    if ((tokenParams == NULL) || (*tokenParams == 0))  return;
+
+    /* first count the number of slots */
+    for (tokenIndex = sftk_argStrip(tokenParams); *tokenIndex;
+	 tokenIndex = sftk_argStrip(sftk_argSkipParameter(tokenIndex))) {
+	count++;
+    }
+
+    /* get the data structures */
+    tokens = (sftk_token_parameters *) 
+			PORT_ZAlloc(count*sizeof(sftk_token_parameters));
+    if (tokens == NULL) return;
+
+    for (tokenIndex = sftk_argStrip(tokenParams), i = 0;
+					*tokenIndex && i < count ; i++ ) {
+	char *name;
+	name = sftk_argGetName(tokenIndex,&next);
+	tokenIndex += next;
+
+	tokens[i].slotID = sftk_argDecodeNumber(name);
+        tokens[i].readOnly = PR_FALSE;
+	tokens[i].noCertDB = PR_FALSE;
+	tokens[i].noKeyDB = PR_FALSE;
+	if (!sftk_argIsBlank(*tokenIndex)) {
+	    char *args = sftk_argFetchValue(tokenIndex,&next);
+	    tokenIndex += next;
+	    if (args) {
+		sftk_parseTokenParameters(args,&tokens[i]);
+		PORT_Free(args);
+	    }
+	}
+	if (name) PORT_Free(name);
+	tokenIndex = sftk_argStrip(tokenIndex);
+    }
+    parsed->token_count = i;
+    parsed->tokens = tokens;
+    return; 
+}
+
+CK_RV
+sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS) 
+{
+    int next;
+    char *tmp;
+    char *index;
+    char *certPrefix = NULL, *keyPrefix = NULL;
+    char *tokdes = NULL, *ptokdes = NULL;
+    char *slotdes = NULL, *pslotdes = NULL;
+    char *fslotdes = NULL, *fpslotdes = NULL;
+    char *minPW = NULL;
+    index = sftk_argStrip(param);
+
+    PORT_Memset(parsed, 0, sizeof(sftk_parameters));
+
+    while (*index) {
+	SFTK_HANDLE_STRING_ARG(index,parsed->configdir,"configDir=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->secmodName,"secmod=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->man,"manufacturerID=",;)
+	SFTK_HANDLE_STRING_ARG(index,parsed->libdes,"libraryDescription=",;)
+	/* constructed values, used so legacy interfaces still work */
+	SFTK_HANDLE_STRING_ARG(index,certPrefix,"certPrefix=",;)
+        SFTK_HANDLE_STRING_ARG(index,keyPrefix,"keyPrefix=",;)
+        SFTK_HANDLE_STRING_ARG(index,tokdes,"cryptoTokenDescription=",;)
+        SFTK_HANDLE_STRING_ARG(index,ptokdes,"dbTokenDescription=",;)
+        SFTK_HANDLE_STRING_ARG(index,slotdes,"cryptoSlotDescription=",;)
+        SFTK_HANDLE_STRING_ARG(index,pslotdes,"dbSlotDescription=",;)
+        SFTK_HANDLE_STRING_ARG(index,fslotdes,"FIPSSlotDescription=",;)
+        SFTK_HANDLE_STRING_ARG(index,fpslotdes,"FIPSTokenDescription=",;)
+	SFTK_HANDLE_STRING_ARG(index,minPW,"minPWLen=",;)
+
+	SFTK_HANDLE_STRING_ARG(index,tmp,"flags=", 
+		if(tmp) { sftk_parseFlags(param,parsed); PORT_Free(tmp); })
+	SFTK_HANDLE_STRING_ARG(index,tmp,"tokens=", 
+		if(tmp) { sftk_parseTokens(tmp,parsed); PORT_Free(tmp); })
+	SFTK_HANDLE_FINAL_ARG(index)
+    }
+    if (parsed->tokens == NULL) {
+	int  count = isFIPS ? 1 : 2;
+	int  index = count-1;
+	sftk_token_parameters *tokens = NULL;
+
+	tokens = (sftk_token_parameters *) 
+			PORT_ZAlloc(count*sizeof(sftk_token_parameters));
+	if (tokens == NULL) {
+	    goto loser;
+	}
+	parsed->tokens = tokens;
+    	parsed->token_count = count;
+	tokens[index].slotID = isFIPS ? FIPS_SLOT_ID : PRIVATE_KEY_SLOT_ID;
+	tokens[index].certPrefix = certPrefix;
+	tokens[index].keyPrefix = keyPrefix;
+	tokens[index].minPW = minPW ? atoi(minPW) : 0;
+	tokens[index].readOnly = parsed->readOnly;
+	tokens[index].noCertDB = parsed->noCertDB;
+	tokens[index].noKeyDB = parsed->noCertDB;
+	tokens[index].forceOpen = parsed->forceOpen;
+	tokens[index].pwRequired = parsed->pwRequired;
+	tokens[index].optimizeSpace = parsed->optimizeSpace;
+	tokens[0].optimizeSpace = parsed->optimizeSpace;
+	certPrefix = NULL;
+	keyPrefix = NULL;
+	if (isFIPS) {
+	    tokens[index].tokdes = fslotdes;
+	    tokens[index].slotdes = fpslotdes;
+	    fslotdes = NULL;
+	    fpslotdes = NULL;
+	} else {
+	    tokens[index].tokdes = ptokdes;
+	    tokens[index].slotdes = pslotdes;
+	    tokens[0].slotID = NETSCAPE_SLOT_ID;
+	    tokens[0].tokdes = tokdes;
+	    tokens[0].slotdes = slotdes;
+	    tokens[0].noCertDB = PR_TRUE;
+	    tokens[0].noKeyDB = PR_TRUE;
+	    ptokdes = NULL;
+	    pslotdes = NULL;
+	    tokdes = NULL;
+	    slotdes = NULL;
+	}
+    }
+
+loser:
+    FREE_CLEAR(certPrefix);
+    FREE_CLEAR(keyPrefix);
+    FREE_CLEAR(tokdes);
+    FREE_CLEAR(ptokdes);
+    FREE_CLEAR(slotdes);
+    FREE_CLEAR(pslotdes);
+    FREE_CLEAR(fslotdes);
+    FREE_CLEAR(fpslotdes);
+    FREE_CLEAR(minPW);
+    return CKR_OK;
+}
+
+void
+sftk_freeParams(sftk_parameters *params)
+{
+    int i;
+
+    for (i=0; i < params->token_count; i++) {
+	FREE_CLEAR(params->tokens[i].configdir);
+	FREE_CLEAR(params->tokens[i].certPrefix);
+	FREE_CLEAR(params->tokens[i].keyPrefix);
+	FREE_CLEAR(params->tokens[i].tokdes);
+	FREE_CLEAR(params->tokens[i].slotdes);
+    }
+
+    FREE_CLEAR(params->configdir);
+    FREE_CLEAR(params->secmodName);
+    FREE_CLEAR(params->man);
+    FREE_CLEAR(params->libdes); 
+    FREE_CLEAR(params->tokens);
+}
+
+#define SQLDB "sql:"
+#define EXTERNDB "extern:"
+#define LEGACY "dbm:"
+const char *
+sftk_EvaluateConfigDir(const char *configdir, SDBType *dbType, char **appName)
+{
+    *appName = NULL;
+    *dbType = SDB_LEGACY;
+    if (PORT_Strncmp(configdir, MULTIACCESS, sizeof(MULTIACCESS)-1) == 0) {
+	char *cdir;
+	*dbType = SDB_MULTIACCESS;
+
+	*appName = PORT_Strdup(configdir+sizeof(MULTIACCESS)-1);
+	if (*appName == NULL) {
+	    return configdir;
+	}
+	cdir = *appName;
+	while (*cdir && *cdir != ':') {
+	    cdir++;
+	}
+	if (*cdir == ':') {
+	   *cdir = 0;
+	   cdir++;
+	}
+	configdir = cdir;
+    } else if (PORT_Strncmp(configdir, SQLDB, sizeof(SQLDB)-1) == 0) {
+	*dbType = SDB_SQL;
+	configdir = configdir + sizeof(SQLDB) -1;
+    } else if (PORT_Strncmp(configdir, EXTERNDB, sizeof(EXTERNDB)-1) == 0) {
+	*dbType = SDB_EXTERN;
+	configdir = configdir + sizeof(EXTERNDB) -1;
+    } else if (PORT_Strncmp(configdir, LEGACY, sizeof(LEGACY)-1) == 0) {
+	*dbType = SDB_LEGACY;
+	configdir = configdir + sizeof(LEGACY) -1;
+    } else {
+	/* look up the default from the environment */
+	char *defaultType = PR_GetEnv("NSS_DEFAULT_DB_TYPE");
+	if (defaultType == NULL) {
+	    /* none specified, go with the legacy */
+	    return configdir;
+	}
+	if (PORT_Strncmp(defaultType, SQLDB, sizeof(SQLDB)-2) == 0) {
+	    *dbType = SDB_SQL;
+	} else if (PORT_Strncmp(defaultType,EXTERNDB,sizeof(EXTERNDB)-2)==0) {
+	    *dbType = SDB_EXTERN;
+	} else if (PORT_Strncmp(defaultType, LEGACY, sizeof(LEGACY)-2) == 0) {
+	    *dbType = SDB_LEGACY;
+	}
+    }
+    return configdir;
+}
+
+char *
+sftk_getSecmodName(char *param, SDBType *dbType, char **appName,
+		   char **filename, PRBool *rw)
+{
+    int next;
+    char *configdir = NULL;
+    char *secmodName = NULL;
+    char *value = NULL;
+    char *save_params = param;
+    const char *lconfigdir;
+    param = sftk_argStrip(param);
+	
+
+    while (*param) {
+	SFTK_HANDLE_STRING_ARG(param,configdir,"configDir=",;)
+	SFTK_HANDLE_STRING_ARG(param,secmodName,"secmod=",;)
+	SFTK_HANDLE_FINAL_ARG(param)
+   }
+
+   *rw = PR_TRUE;
+   if (sftk_argHasFlag("flags","readOnly",save_params) ||
+	sftk_argHasFlag("flags","noModDB",save_params)) *rw = PR_FALSE;
+
+   if (!secmodName || *secmodName == '\0') {
+	if (secmodName) PORT_Free(secmodName);
+	secmodName = PORT_Strdup(SECMOD_DB);
+   }
+
+   *filename = secmodName;
+   lconfigdir = sftk_EvaluateConfigDir(configdir, dbType, appName);
+
+   /* only use the renamed secmod for legacy databases */
+   if ((*dbType != SDB_LEGACY) && (*dbType != SDB_MULTIACCESS)) {
+	secmodName="pkcs11.txt";
+   }
+
+   if (lconfigdir) {
+	value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName);
+   } else {
+	value = PR_smprintf("%s",secmodName);
+   }
+   if (configdir) PORT_Free(configdir);
+   return value;
+}

mozilla/security/nss/lib/softoken/sftkpars.h

@@ -0,0 +1,17 @@
+/*
+ * license
+ */
+#include "pkcs11i.h"
+#include "sftkdbt.h"
+
+/* parsing functions */
+char * sftk_argFetchValue(char *string, int *pcount);
+char * sftk_getSecmodName(char *param, SDBType *dbType, char **appName, char **filename,PRBool *rw);
+char *sftk_argStrip(char *c);
+CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS);
+void sftk_freeParams(sftk_parameters *params);
+const char *sftk_EvaluateConfigDir(const char *configdir, SDBType *dbType, char **app);
+char * sftk_argGetParamValue(char *paramName,char *parameters);
+
+
+

mozilla/security/nss/lib/softoken/softkver.c

@@ -0,0 +1,56 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2002
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* Library identity and versioning */
+
+#include "softkver.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_softokn_rcsid[] = "$Header: NSS " SOFTOKEN_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_softokn_sccsid[] = "@(#)NSS " SOFTOKEN_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;

mozilla/security/nss/lib/softoken/softkver.h

@@ -0,0 +1,66 @@
+/*
+ * Softoken version numbers
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _SOFTKVER_H_
+#define _SOFTKVER_H_
+
+#ifdef NSS_ENABLE_ECC
+#ifdef NSS_ECC_MORE_THAN_SUITE_B
+#define SOFTOKEN_ECC_STRING " Extended ECC"
+#else
+#define SOFTOKEN_ECC_STRING " Basic ECC"
+#endif
+#else
+#define SOFTOKEN_ECC_STRING ""
+#endif
+
+/*
+ * Softoken's major version, minor version, patch level, and whether
+ * this is a beta release.
+ *
+ * The format of the version string should be
+ *     "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
+ */
+#define SOFTOKEN_VERSION  "3.12" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VMAJOR   3
+#define SOFTOKEN_VMINOR   12
+#define SOFTOKEN_VPATCH   0
+#define SOFTOKEN_BETA     PR_TRUE
+
+#endif /* _SOFTKVER_H_ */

mozilla/security/nss/lib/softoken/softoken.h

@@ -0,0 +1,263 @@
+/*
+ * softoken.h - private data structures and prototypes for the softoken lib
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id: softoken.h,v 1.14.2.1 2007-04-03 22:50:01 rrelyea%redhat.com Exp $ */
+
+#ifndef _SOFTOKEN_H_
+#define _SOFTOKEN_H_
+
+#include "blapi.h"
+#include "lowkeyti.h"
+#include "softoknt.h"
+#include "secoidt.h"
+
+#include "pkcs11t.h"     /* CK_RV Required for sftk_fipsPowerUpSelfTest(). */
+
+SEC_BEGIN_PROTOS
+
+/*
+** RSA encryption/decryption. When encrypting/decrypting the output
+** buffer must be at least the size of the public key modulus.
+*/
+
+/*
+** Format some data into a PKCS#1 encryption block, preparing the
+** data for RSA encryption.
+**	"result" where the formatted block is stored (memory is allocated)
+**	"modulusLen" the size of the formatted block
+**	"blockType" what block type to use (SEC_RSABlock*)
+**	"data" the data to format
+*/
+extern SECStatus RSA_FormatBlock(SECItem *result,
+				 unsigned int modulusLen,
+				 RSA_BlockType blockType,
+				 SECItem *data);
+/*
+** Similar, but just returns a pointer to the allocated memory, *and*
+** will *only* format one block, even if we (in the future) modify
+** RSA_FormatBlock() to loop over multiples of modulusLen.
+*/
+extern unsigned char *RSA_FormatOneBlock(unsigned int modulusLen,
+					 RSA_BlockType blockType,
+					 SECItem *data);
+
+
+
+/*
+ * convenience wrappers for doing single RSA operations. They create the
+ * RSA context internally and take care of the formatting
+ * requirements. Blinding happens automagically within RSA_Sign and
+ * RSA_DecryptBlock.
+ */
+extern
+SECStatus RSA_Sign(NSSLOWKEYPrivateKey *key, unsigned char *output,
+		       unsigned int *outputLen, unsigned int maxOutputLen,
+		       unsigned char *input, unsigned int inputLen);
+extern
+SECStatus RSA_HashSign(SECOidTag hashOid,
+			NSSLOWKEYPrivateKey *key, unsigned char *sig,
+			unsigned int *sigLen, unsigned int maxLen,
+			unsigned char *hash, unsigned int hashLen);
+extern
+SECStatus RSA_CheckSign(NSSLOWKEYPublicKey *key, unsigned char *sign,
+			    unsigned int signLength, unsigned char *hash,
+			    unsigned int hashLength);
+extern
+SECStatus RSA_HashCheckSign(SECOidTag hashOid,
+			    NSSLOWKEYPublicKey *key, unsigned char *sig,
+			    unsigned int sigLen, unsigned char *digest,
+			    unsigned int digestLen);
+extern
+SECStatus RSA_CheckSignRecover(NSSLOWKEYPublicKey *key, unsigned char *data,
+    			    unsigned int *data_len,unsigned int max_output_len, 
+			    unsigned char *sign, unsigned int sign_len);
+extern
+SECStatus RSA_EncryptBlock(NSSLOWKEYPublicKey *key, unsigned char *output,
+			   unsigned int *outputLen, unsigned int maxOutputLen,
+			   unsigned char *input, unsigned int inputLen);
+extern
+SECStatus RSA_DecryptBlock(NSSLOWKEYPrivateKey *key, unsigned char *output,
+			   unsigned int *outputLen, unsigned int maxOutputLen,
+			   unsigned char *input, unsigned int inputLen);
+
+/*
+ * added to make pkcs #11 happy
+ *   RAW is RSA_X_509
+ */
+extern
+SECStatus RSA_SignRaw( NSSLOWKEYPrivateKey *key, unsigned char *output,
+			 unsigned int *output_len, unsigned int maxOutputLen,
+			 unsigned char *input, unsigned int input_len);
+extern
+SECStatus RSA_CheckSignRaw( NSSLOWKEYPublicKey *key, unsigned char *sign, 
+			    unsigned int sign_len, unsigned char *hash, 
+			    unsigned int hash_len);
+extern
+SECStatus RSA_CheckSignRecoverRaw( NSSLOWKEYPublicKey *key, unsigned char *data,
+			    unsigned int *data_len, unsigned int max_output_len,
+			    unsigned char *sign, unsigned int sign_len);
+extern
+SECStatus RSA_EncryptRaw( NSSLOWKEYPublicKey *key, unsigned char *output,
+			    unsigned int *output_len,
+			    unsigned int max_output_len, 
+			    unsigned char *input, unsigned int input_len);
+extern
+SECStatus RSA_DecryptRaw(NSSLOWKEYPrivateKey *key, unsigned char *output,
+			     unsigned int *output_len,
+    			     unsigned int max_output_len,
+			     unsigned char *input, unsigned int input_len);
+#ifdef NSS_ENABLE_ECC
+/*
+** pepare an ECParam structure from DEREncoded params
+ */
+extern SECStatus EC_FillParams(PRArenaPool *arena,
+                               const SECItem *encodedParams, ECParams *params);
+extern SECStatus EC_DecodeParams(const SECItem *encodedParams, 
+				ECParams **ecparams);
+extern SECStatus EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
+              			const ECParams *srcParams);
+#endif
+
+
+/*
+** Prepare a buffer for DES encryption, growing to the appropriate boundary,
+** filling with the appropriate padding.
+** We add from 1 to DES_KEY_LENGTH bytes -- we *always* grow.
+** The extra bytes contain the value of the length of the padding:
+** if we have 2 bytes of padding, then the padding is "0x02, 0x02".
+**
+** NOTE: If arena is non-NULL, we re-allocate from there, otherwise
+** we assume (and use) PR memory (re)allocation.
+** Maybe this belongs in util?
+*/
+extern unsigned char * DES_PadBuffer(PRArenaPool *arena, unsigned char *inbuf, 
+                                     unsigned int inlen, unsigned int *outlen);
+
+
+/****************************************/
+/*
+** Power-Up selftests required for FIPS and invoked only
+** under PKCS #11 FIPS mode.
+*/
+extern CK_RV sftk_fipsPowerUpSelfTest( void ); 
+
+/*
+** make known fixed PKCS #11 key types to their sizes in bytes
+*/	
+unsigned long sftk_MapKeySize(CK_KEY_TYPE keyType);
+
+/*
+** FIPS 140-2 auditing
+*/
+extern PRBool sftk_audit_enabled;
+
+extern void sftk_LogAuditMessage(NSSAuditSeverity severity, const char *msg);
+
+extern void sftk_AuditCreateObject(CK_SESSION_HANDLE hSession,
+			CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+			CK_OBJECT_HANDLE_PTR phObject, CK_RV rv);
+
+extern void sftk_AuditCopyObject(CK_SESSION_HANDLE hSession,
+			CK_OBJECT_HANDLE hObject,
+			CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+			CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv);
+
+extern void sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession,
+			CK_OBJECT_HANDLE hObject, CK_RV rv);
+
+extern void sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession,
+			CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize,
+			CK_RV rv);
+
+extern void sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession,
+			CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+			CK_ULONG ulCount, CK_RV rv);
+
+extern void sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession,
+			CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+			CK_ULONG ulCount, CK_RV rv);
+
+extern void sftk_AuditCryptInit(const char *opName,
+			CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,
+			CK_OBJECT_HANDLE hKey, CK_RV rv);
+
+extern void sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,
+			CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+			CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,
+			CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+			CK_ULONG ulPublicKeyAttributeCount,
+			CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+			CK_ULONG ulPrivateKeyAttributeCount,
+			CK_OBJECT_HANDLE_PTR phPublicKey,
+			CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv);
+
+extern void sftk_AuditWrapKey(CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,
+			CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey,
+			CK_BYTE_PTR pWrappedKey,
+			CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv);
+
+extern void sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,
+			CK_OBJECT_HANDLE hUnwrappingKey,
+			CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
+			CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+			CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,
+			CK_OBJECT_HANDLE hBaseKey,
+			CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+			CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
+			CK_OBJECT_HANDLE hKey, CK_RV rv);
+
+/*
+** FIPS 140-2 Error state
+*/
+extern PRBool sftk_fatalError;
+
+SEC_END_PROTOS
+
+#endif /* _SOFTOKEN_H_ */

mozilla/security/nss/lib/softoken/softokn.def

@@ -0,0 +1,61 @@
+;+#
+;+# ***** BEGIN LICENSE BLOCK *****
+;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+;+#
+;+# The contents of this file are subject to the Mozilla Public License Version
+;+# 1.1 (the "License"); you may not use this file except in compliance with
+;+# the License. You may obtain a copy of the License at
+;+# http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS IS" basis,
+;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+;+# for the specific language governing rights and limitations under the
+;+# License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is
+;+# Netscape Communications Corporation.
+;+# Portions created by the Initial Developer are Copyright (C) 2000
+;+# the Initial Developer. All Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#   Dr Stephen Henson <stephen.henson@gemplus.com>
+;+#
+;+# Alternatively, the contents of this file may be used under the terms of
+;+# either the GNU General Public License Version 2 or later (the "GPL"), or
+;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+;+# in which case the provisions of the GPL or the LGPL are applicable instead
+;+# of those above. If you wish to allow use of your version of this file only
+;+# under the terms of either the GPL or the LGPL, and not to allow others to
+;+# use your version of this file under the terms of the MPL, indicate your
+;+# decision by deleting the provisions above and replace them with the notice
+;+# and other provisions required by the GPL or the LGPL. If you do not delete
+;+# the provisions above, a recipient may use your version of this file under
+;+# the terms of any one of the MPL, the GPL or the LGPL.
+;+#
+;+# ***** END LICENSE BLOCK *****
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+NSS_3.4 {       # NSS 3.4 release
+;+    global:
+LIBRARY softokn3 ;-
+EXPORTS ;-
+C_GetFunctionList; Make this function like a real PKCS #11 module as well
+FC_GetFunctionList;
+NSC_GetFunctionList;
+NSC_ModuleDBFunc;
+;+    local:
+;+       *;
+;+};

mozilla/security/nss/lib/softoken/softokn.rc

@@ -0,0 +1,100 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "softkver.h"
+#include <winver.h>
+
+#define MY_LIBNAME "softokn"
+#define MY_FILEDESCRIPTION "NSS PKCS #11 Library"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define SOFTOKEN_VMAJOR_STR STRINGIZE2(SOFTOKEN_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if SOFTOKEN_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME SOFTOKEN_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,0
+ PRODUCTVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Mozilla Foundation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+            VALUE "FileVersion", SOFTOKEN_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", SOFTOKEN_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END

mozilla/security/nss/lib/softoken/softoknt.h

@@ -0,0 +1,73 @@
+/*
+ * softoknt.h - public data structures for the software token library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id: softoknt.h,v 1.4 2006-05-05 20:02:47 wtchang%redhat.com Exp $ */
+
+#ifndef _SOFTOKNT_H_
+#define _SOFTOKNT_H_
+
+/*
+ * RSA block types
+ *
+ * The actual values are important -- they are fixed, *not* arbitrary.
+ * The explicit value assignments are not needed (because C would give
+ * us those same values anyway) but are included as a reminder...
+ */
+typedef enum {
+    RSA_BlockPrivate0 = 0,	/* unused, really */
+    RSA_BlockPrivate = 1,	/* pad for a private-key operation */
+    RSA_BlockPublic = 2,	/* pad for a public-key operation */
+    RSA_BlockOAEP = 3,		/* use OAEP padding */
+				/* XXX is this only for a public-key
+				   operation? If so, add "Public" */
+    RSA_BlockRaw = 4,		/* simply justify the block appropriately */
+    RSA_BlockTotal
+} RSA_BlockType;
+
+#define NSS_SOFTOKEN_DEFAULT_CHUNKSIZE   2048
+
+/*
+ * FIPS 140-2 auditing
+ */
+typedef enum {
+    NSS_AUDIT_ERROR = 3,    /* errors */
+    NSS_AUDIT_WARNING = 2,  /* warning messages */
+    NSS_AUDIT_INFO = 1      /* informational messages */
+} NSSAuditSeverity;
+
+#endif /* _SOFTOKNT_H_ */

mozilla/security/nss/lib/softoken/tlsprf.c

@@ -0,0 +1,215 @@
+/* tlsprf.c - TLS Pseudo Random Function (PRF) implementation
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id: tlsprf.c,v 1.6 2005-08-06 09:27:28 nelsonb%netscape.com Exp $ */
+
+#include "pkcs11i.h"
+#include "blapi.h"
+
+#define SFTK_OFFSETOF(str, memb) ((PRPtrdiff)(&(((str *)0)->memb)))
+
+static void sftk_TLSPRFNull(void *data, PRBool freeit)
+{
+    return;
+} 
+
+typedef struct {
+    PRUint32	   cxSize;	/* size of allocated block, in bytes.        */
+    PRUint32       cxBufSize;   /* sizeof buffer at cxBufPtr.                */
+    unsigned char *cxBufPtr;	/* points to real buffer, may be cxBuf.      */
+    PRUint32	   cxKeyLen;	/* bytes of cxBufPtr containing key.         */
+    PRUint32	   cxDataLen;	/* bytes of cxBufPtr containing data.        */
+    SECStatus	   cxRv;	/* records failure of void functions.        */
+    PRBool	   cxIsFIPS;	/* true if conforming to FIPS 198.           */
+    unsigned char  cxBuf[512];	/* actual size may be larger than 512.       */
+} TLSPRFContext;
+
+static void
+sftk_TLSPRFHashUpdate(TLSPRFContext *cx, const unsigned char *data, 
+                        unsigned int data_len)
+{
+    PRUint32 bytesUsed = cx->cxKeyLen + cx->cxDataLen;
+
+    if (cx->cxRv != SECSuccess)	/* function has previously failed. */
+    	return;
+    if (bytesUsed + data_len > cx->cxBufSize) {
+	/* We don't use realloc here because 
+	** (a) realloc doesn't zero out the old block, and 
+	** (b) if realloc fails, we lose the old block.
+	*/
+	PRUint32 newBufSize = bytesUsed + data_len + 512;
+    	unsigned char * newBuf = (unsigned char *)PORT_Alloc(newBufSize);
+	if (!newBuf) {
+	   cx->cxRv = SECFailure;
+	   return;
+	}
+	PORT_Memcpy(newBuf, cx->cxBufPtr, bytesUsed);
+	if (cx->cxBufPtr != cx->cxBuf) {
+	    PORT_ZFree(cx->cxBufPtr, bytesUsed);
+	}
+	cx->cxBufPtr  = newBuf;
+	cx->cxBufSize = newBufSize;
+    }
+    PORT_Memcpy(cx->cxBufPtr + bytesUsed, data, data_len);
+    cx->cxDataLen += data_len;
+}
+
+static void 
+sftk_TLSPRFEnd(TLSPRFContext *ctx, unsigned char *hashout,
+	 unsigned int *pDigestLen, unsigned int maxDigestLen)
+{
+    *pDigestLen = 0; /* tells Verify that no data has been input yet. */
+}
+
+/* Compute the PRF values from the data previously input. */
+static SECStatus
+sftk_TLSPRFUpdate(TLSPRFContext *cx, 
+                  unsigned char *sig,		/* output goes here. */
+		  unsigned int * sigLen, 	/* how much output.  */
+		  unsigned int   maxLen, 	/* output buffer size */
+		  unsigned char *hash, 		/* unused. */
+		  unsigned int   hashLen)	/* unused. */
+{
+    SECStatus rv;
+    SECItem sigItem;
+    SECItem seedItem;
+    SECItem secretItem;
+
+    if (cx->cxRv != SECSuccess)
+    	return cx->cxRv;
+
+    secretItem.data = cx->cxBufPtr;
+    secretItem.len  = cx->cxKeyLen;
+
+    seedItem.data = cx->cxBufPtr + cx->cxKeyLen;
+    seedItem.len  = cx->cxDataLen;
+
+    sigItem.data = sig;
+    sigItem.len  = maxLen;
+
+    rv = TLS_PRF(&secretItem, NULL, &seedItem, &sigItem, cx->cxIsFIPS);
+    if (rv == SECSuccess && sigLen != NULL)
+    	*sigLen = sigItem.len;
+    return rv;
+
+}
+
+static SECStatus
+sftk_TLSPRFVerify(TLSPRFContext *cx, 
+                  unsigned char *sig, 		/* input, for comparison. */
+		  unsigned int   sigLen,	/* length of sig.         */
+		  unsigned char *hash, 		/* data to be verified.   */
+		  unsigned int   hashLen)	/* size of hash data.     */
+{
+    unsigned char * tmp    = (unsigned char *)PORT_Alloc(sigLen);
+    unsigned int    tmpLen = sigLen;
+    SECStatus       rv;
+
+    if (!tmp)
+    	return SECFailure;
+    if (hashLen) {
+    	/* hashLen is non-zero when the user does a one-step verify.
+	** In this case, none of the data has been input yet.
+	*/
+    	sftk_TLSPRFHashUpdate(cx, hash, hashLen);
+    }
+    rv = sftk_TLSPRFUpdate(cx, tmp, &tmpLen, sigLen, NULL, 0);
+    if (rv == SECSuccess) {
+    	rv = (SECStatus)(1 - !PORT_Memcmp(tmp, sig, sigLen));
+    }
+    PORT_ZFree(tmp, sigLen);
+    return rv;
+}
+
+static void
+sftk_TLSPRFHashDestroy(TLSPRFContext *cx, PRBool freeit)
+{
+    if (freeit) {
+	if (cx->cxBufPtr != cx->cxBuf) 
+	    PORT_ZFree(cx->cxBufPtr, cx->cxBufSize);
+	PORT_ZFree(cx, cx->cxSize);
+    }
+}
+
+CK_RV
+sftk_TLSPRFInit(SFTKSessionContext *context, 
+		  SFTKObject *        key, 
+		  CK_KEY_TYPE         key_type)
+{
+    SFTKAttribute * keyVal;
+    TLSPRFContext * prf_cx;
+    CK_RV           crv = CKR_HOST_MEMORY;
+    PRUint32        keySize;
+    PRUint32        blockSize;
+
+    if (key_type != CKK_GENERIC_SECRET)
+    	return CKR_KEY_TYPE_INCONSISTENT; /* CKR_KEY_FUNCTION_NOT_PERMITTED */
+
+    context->multi = PR_TRUE;
+
+    keyVal = sftk_FindAttribute(key, CKA_VALUE);
+    keySize = (!keyVal) ? 0 : keyVal->attrib.ulValueLen;
+    blockSize = keySize + sizeof(TLSPRFContext);
+    prf_cx = (TLSPRFContext *)PORT_Alloc(blockSize);
+    if (!prf_cx) 
+    	goto done;
+    prf_cx->cxSize    = blockSize;
+    prf_cx->cxKeyLen  = keySize;
+    prf_cx->cxDataLen = 0;
+    prf_cx->cxBufSize = blockSize - SFTK_OFFSETOF(TLSPRFContext, cxBuf);
+    prf_cx->cxRv      = SECSuccess;
+    prf_cx->cxIsFIPS  = (key->slot->slotID == FIPS_SLOT_ID);
+    prf_cx->cxBufPtr  = prf_cx->cxBuf;
+    if (keySize)
+	PORT_Memcpy(prf_cx->cxBufPtr, keyVal->attrib.pValue, keySize);
+
+    context->hashInfo    = (void *) prf_cx;
+    context->cipherInfo  = (void *) prf_cx;
+    context->hashUpdate  = (SFTKHash)    sftk_TLSPRFHashUpdate;
+    context->end         = (SFTKEnd)     sftk_TLSPRFEnd;
+    context->update      = (SFTKCipher)  sftk_TLSPRFUpdate;
+    context->verify      = (SFTKVerify)  sftk_TLSPRFVerify;
+    context->destroy     = (SFTKDestroy) sftk_TLSPRFNull;
+    context->hashdestroy = (SFTKDestroy) sftk_TLSPRFHashDestroy;
+    crv = CKR_OK;
+
+done:
+    if (keyVal) 
+	sftk_FreeAttribute(keyVal);
+    return crv;
+}
+

mozilla/security/nss/lib/sqlite/Makefile

@@ -0,0 +1,80 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+-include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+

mozilla/security/nss/lib/sqlite/config.mk

@@ -0,0 +1,57 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
+
+#RES = $(OBJDIR)/$(LIBRARY_NAME).res
+#RESNAME = $(LIBRARY_NAME).rc
+endif
+
+
+ifeq ($(OS_TARGET),SunOS)
+# The -R '$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+MKSHLIB += -R '$$ORIGIN'
+OS_LIBS += -lbsm 
+endif
+

mozilla/security/nss/lib/sqlite/manifest.mn

@@ -0,0 +1,63 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+LIBRARY_NAME = sqlite
+LIBRARY_VERSION = 3
+MAPFILE = $(OBJDIR)/sqlite.def
+DEFINES += -DTHREADSAFE=1
+
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	sqlite3.h \
+	$(NULL)
+
+
+CSRCS = \
+	sqlite3.c \
+	$(NULL)
+
+
+
+# only add module debugging in opt builds if DEBUG_PKCS11 is set
+ifdef DEBUG_PKCS11
+  DEFINES += -DDEBUG_MODULE
+endif

mozilla/security/nss/lib/sqlite/sqlite.def

@@ -0,0 +1,141 @@
+;+#
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+SQLITE_3 {       
+;+    global:
+LIBRARY sqlite3 ;-
+EXPORTS ;-
+sqlite3_aggregate_context;
+sqlite3_aggregate_count;
+sqlite3_apis;
+sqlite3_auto_extension;
+sqlite3_bind_blob;
+sqlite3_bind_double;
+sqlite3_bind_int;
+sqlite3_bind_int64;
+sqlite3_bind_null;
+sqlite3_bind_parameter_count;
+sqlite3_bind_parameter_index;
+sqlite3_bind_parameter_name;
+sqlite3_bind_text;
+sqlite3_bind_text16;
+sqlite3_bind_value;
+sqlite3_busy_handler;
+sqlite3_busy_timeout;
+sqlite3_changes;
+sqlite3_clear_bindings;
+sqlite3_close;
+sqlite3_collation_needed;
+sqlite3_collation_needed16;
+sqlite3_column_blob;
+sqlite3_column_bytes;
+sqlite3_column_bytes16;
+sqlite3_column_count;
+sqlite3_column_decltype;
+sqlite3_column_decltype16;
+sqlite3_column_double;
+sqlite3_column_int;
+sqlite3_column_int64;
+sqlite3_column_name;
+sqlite3_column_name16;
+sqlite3_column_text;
+sqlite3_column_text16;
+sqlite3_column_type;
+sqlite3_column_value;
+sqlite3_commit_hook;
+sqlite3_complete;
+sqlite3_complete16;
+sqlite3_create_collation;
+sqlite3_create_collation16;
+sqlite3_create_function;
+sqlite3_create_function16;
+sqlite3_create_module;
+sqlite3_data_count;
+sqlite3_db_handle;
+sqlite3_declare_vtab;
+sqlite3_enable_load_extension;
+sqlite3_enable_shared_cache;
+sqlite3_errcode;
+sqlite3_errmsg;
+sqlite3_errmsg16;
+sqlite3_exec;
+sqlite3_expired;
+sqlite3_extended_result_codes;
+sqlite3_finalize;
+sqlite3_free;
+sqlite3_free_table;
+sqlite3_get_autocommit;
+sqlite3_get_auxdata;
+sqlite3_get_table;
+sqlite3_global_recover;
+sqlite3_interrupt;
+sqlite3_last_insert_rowid;
+sqlite3_libversion;
+sqlite3_libversion_number;
+sqlite3_load_extension;
+sqlite3_malloc;
+sqlite3_mprintf;
+sqlite3_open;
+sqlite3_open16;
+sqlite3_overload_function;
+sqlite3_prepare;
+sqlite3_prepare16;
+sqlite3_prepare16_v2;
+sqlite3_prepare_v2;
+sqlite3_profile;
+sqlite3_progress_handler;
+sqlite3_realloc;
+sqlite3_reset;
+sqlite3_reset_auto_extension;
+sqlite3_result_blob;
+sqlite3_result_double;
+sqlite3_result_error;
+sqlite3_result_error16;
+sqlite3_result_int;
+sqlite3_result_int64;
+sqlite3_result_null;
+sqlite3_result_text;
+sqlite3_result_text16;
+sqlite3_result_text16be;
+sqlite3_result_text16le;
+sqlite3_result_value;
+sqlite3_rollback_hook;
+sqlite3_set_authorizer;
+sqlite3_set_auxdata;
+sqlite3_sleep;
+sqlite3_snprintf;
+sqlite3_step;
+sqlite3_thread_cleanup;
+sqlite3_total_changes;
+sqlite3_trace;
+sqlite3_transfer_bindings;
+sqlite3_update_hook;
+sqlite3_user_data;
+sqlite3_value_blob;
+sqlite3_value_bytes;
+sqlite3_value_bytes16;
+sqlite3_value_double;
+sqlite3_value_int;
+sqlite3_value_int64;
+sqlite3_value_numeric_type;
+sqlite3_value_text;
+sqlite3_value_text16;
+sqlite3_value_text16be;
+sqlite3_value_text16le;
+sqlite3_value_type;
+sqlite3_version;
+sqlite3_vmprintf;
+;+    local:
+;+       *;
+;+};

mozilla/webtools/bugzilla/docs/en/xml/Bugzilla-Guide.xml

@@ -1,135 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
-                      "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
-    <!ENTITY % myents SYSTEM "bugzilla.ent">
-    %myents;
-
-]>
-
-
-<!-- Coding standards for this document 
-
-*  Other than the GFDL, please use the "section" tag instead of "sect1", 
-   "sect2", etc.
-*  Use Entities to include files for new chapters in Bugzilla-Guide.xml.
-*  Try to use Entities for frequently-used passages of text as well.
-*  Ensure all documents compile cleanly to HTML after modification.
-   The warning, "DTDDECL catalog types not supported" is normal.
-*  Try to index important terms wherever possible.
-*  Use "glossterm" whenever you introduce a new term.
-*  Follow coding standards at http://www.tldp.org, and
-   check out the KDE guidelines (they are nice, too)
-   http://i18n.kde.org/doc/markup.html
-*  All tags should be lowercase.
-*  Please use sensible spacing.  The comments at the very end of each
-   file define reasonable defaults for PSGML mode in EMACS.
-*  Double-indent tags, use double spacing whenever possible, and
-   try to avoid clutter and feel free to waste space in the code to make it 
-   more readable.
-
--->
-
-<book id="index">
-
-<!-- Header -->
-
-  <bookinfo>
-    <title>The Bugzilla Guide - &bz-ver; 
-    <!-- BZ-DEVEL -->Development <!-- /BZ-DEVEL -->
-    Release</title>
-
-    <authorgroup>
-      <corpauthor>The Bugzilla Team</corpauthor>
-    </authorgroup>
-
-    <pubdate>&bz-date;</pubdate>
-
-    <abstract>
-      <para>
-	      This is the documentation for Bugzilla, a 
-	      bug-tracking system from mozilla.org.
-	      Bugzilla is an enterprise-class piece of software
-	      that tracks millions of bugs and issues for hundreds of
-	      organizations around the world.
-      </para>
-
-      <para>
-        The most current version of this document can always be found on the
-        <ulink url="http://www.bugzilla.org/docs/">Bugzilla 
-        Documentation Page</ulink>.
-      </para>
-
-    </abstract>
-
-    <keywordset>
-      <keyword>Bugzilla</keyword>
-      <keyword>Guide</keyword>
-      <keyword>installation</keyword>
-      <keyword>FAQ</keyword>
-      <keyword>administration</keyword>
-      <keyword>integration</keyword>
-      <keyword>MySQL</keyword>
-      <keyword>Mozilla</keyword>
-      <keyword>webtools</keyword>
-    </keywordset>
-  </bookinfo>
-
-  <!-- About This Guide -->
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="about.xml" /> 
-  
-  <!-- Installing Bugzilla -->
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="installation.xml" />
-
-  <!-- Administering Bugzilla -->
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="administration.xml" />
-
-  <!-- Securing Bugzilla -->
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="security.xml" />
-  
-  <!-- Customizing Bugzilla -->
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="customization.xml" />
-
-  <!-- Using Bugzilla -->
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="using.xml" />
-
-  <!-- Appendix: Troubleshooting -->
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="troubleshooting.xml" />
-
-  <!-- Appendix: Custom Patches -->
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="patches.xml" />
-
-  <!-- Appendix: Manually Installing Perl Modules -->
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="modules.xml" />
-  
-  <!-- Appendix: GNU Free Documentation License -->
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gfdl.xml" />
- 
-  <!-- Glossary -->
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="glossary.xml" />
-
-  <!-- Index -->
-  <!--xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="index.xml" /-->
-
-</book>
-
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-always-quote-attributes:t
-sgml-auto-insert-required-elements:t
-sgml-balanced-tag-edit:t
-sgml-exposed-tags:nil
-sgml-general-insert-case:lower
-sgml-indent-data:t
-sgml-indent-step:2
-sgml-local-catalogs:nil
-sgml-local-ecat-files:nil
-sgml-minimize-attributes:nil
-sgml-namecase-general:t
-sgml-omittag:t
-sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
-sgml-shorttag:t
-sgml-tag-region-if-active:t
-End:
--->
-

mozilla/webtools/bugzilla/docs/en/xml/about.xml

@@ -1,246 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
-                         "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
-    <!ENTITY % myents SYSTEM "bugzilla.ent">
-    %myents;
-]>
-<!-- $Id: about.xml,v 1.26.4.1 2008-07-13 16:44:28 mozilla%colinogilvie.co.uk Exp $ -->
-
-<chapter id="about">
-<title>About This Guide</title>
-
-  <section id="copyright">
-    <title>Copyright Information</title>
-
-    <para>This document is copyright (c) 2000-&current-year; by the various
-    Bugzilla contributors who wrote it.</para>
-    
-    <blockquote>
-      <para>
-	Permission is granted to copy, distribute and/or modify this
-	document under the terms of the GNU Free Documentation
-	License, Version 1.1 or any later version published by the
-	Free Software Foundation; with no Invariant Sections, no
-	Front-Cover Texts, and with no Back-Cover Texts. A copy of
-	the license is included in <xref linkend="gfdl"/>.
-      </para>
-    </blockquote>
-    <para>
-      If you have any questions regarding this document, its
-      copyright, or publishing this document in non-electronic form,
-      please contact the Bugzilla Team. 
-    </para>
-  </section>
-
-  <section id="disclaimer">
-    <title>Disclaimer</title>
-    <para>
-      No liability for the contents of this document can be accepted.
-      Follow the instructions herein at your own risk.
-      This document may contain errors
-      and inaccuracies that may damage your system, cause your partner 
-      to leave you, your boss to fire you, your cats to
-      pee on your furniture and clothing, and global thermonuclear
-      war. Proceed with caution.
-    </para>
-    <para>
-      Naming of particular products or brands should not be seen as
-      endorsements, with the exception of the term "GNU/Linux". We
-      wholeheartedly endorse the use of GNU/Linux; it is an extremely 
-      versatile, stable,
-      and robust operating system that offers an ideal operating
-      environment for Bugzilla.
-    </para>
-    <para>
-      Although the Bugzilla development team has taken great care to
-      ensure that all exploitable bugs have been fixed, security holes surely 
-      exist in any piece of code. Great care should be taken both in 
-      the installation and usage of this software. The Bugzilla development
-      team members assume no liability for your use of Bugzilla. You have 
-      the source code, and are responsible for auditing it yourself to ensure
-      your security needs are met.
-    </para>
-  </section>
-
-<!-- Section 2: New Versions -->
-
-  <section id="newversions">
-    <title>New Versions</title>
-    <para>
-      This is the &bz-ver; version of The Bugzilla Guide. It is so named 
-      to match the current version of Bugzilla. 
-      <!-- BZ-DEVEL --> This version of the guide, like its associated Bugzilla version, is a
-      development version.<!-- /BZ-DEVEL --> 
-    </para>
-    <para>
-      The latest version of this guide can always be found at <ulink
-      url="http://www.bugzilla.org"/>, or checked out via CVS by
-      following the <ulink url="http://www.mozilla.org/cvs.html">Mozilla 
-      CVS</ulink> instructions and check out the 
-      <filename>mozilla/webtools/bugzilla/docs/</filename>
-      subtree. However, you should read the version
-      which came with the Bugzilla release you are using.
-    </para>
-    <para>
-      The Bugzilla Guide, or a section of it, is also available in
-      the following languages:
-      <ulink url="http://www.traduc.org/docs/guides/lecture/bugzilla/">French</ulink>,
-      <ulink url="http://bugzilla-de.sourceforge.net/docs/html/">German</ulink>,
-      <ulink url="http://www.bugzilla.jp/docs/2.18/">Japanese</ulink>.
-      Note that these may be outdated or not up to date.
-    </para>
-    
-    <para>  
-      In addition, there are Bugzilla template localization projects in
-      the following languages. They may have translated documentation 
-      available: 
-      <ulink url="http://sourceforge.net/projects/bugzilla-ar/">Arabic</ulink>,
-      <ulink url="http://sourceforge.net/projects/bugzilla-be/">Belarusian</ulink>,
-      <ulink url="http://openfmi.net/projects/mozilla-bg/">Bulgarian</ulink>,
-      <ulink url="http://sourceforge.net/projects/bugzilla-br/">Brazilian Portuguese</ulink>,
-      <ulink url="http://sourceforge.net/projects/bugzilla-cn/">Chinese</ulink>,
-      <ulink url="http://sourceforge.net/projects/bugzilla-fr/">French</ulink>,
-      <ulink url="http://germzilla.ganderbay.net/">German</ulink>,
-      <ulink url="http://sourceforge.net/projects/bugzilla-it/">Italian</ulink>,
-      <ulink url="http://www.bugzilla.jp/about/jp.html">Japanese</ulink>,
-      <ulink url="http://sourceforge.net/projects/bugzilla-kr/">Korean</ulink>,
-      <ulink url="http://sourceforge.net/projects/bugzilla-ru/">Russian</ulink> and
-      <ulink url="http://sourceforge.net/projects/bugzilla-es/">Spanish</ulink>.
-    </para>
-    
-    <para>  
-      If you would like to volunteer to translate the Guide into additional
-      languages, please contact
-      <ulink url="mailto:justdave@bugzilla.org">Dave Miller</ulink>.
-    </para>
-  </section>
-
-  <section id="credits">
-    <title>Credits</title>
-    <para>
-      The people listed below have made enormous contributions to the
-      creation of this Guide, through their writing, dedicated hacking efforts,
-      numerous e-mail and IRC support sessions, and overall excellent
-      contribution to the Bugzilla community:
-    </para>
-
-    <!-- TODO: This is evil... there has to be a valid way to get this look -->
-    <variablelist>
-      <varlistentry>
-        <term>Matthew P. Barnson <email>mbarnson@sisna.com</email></term>
-        <listitem>
-          <para>for the Herculean task of pulling together the Bugzilla Guide
-          and shepherding it to 2.14.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Terry Weissman <email>terry@mozilla.org</email></term>
-        <listitem>
-          <para>for initially writing Bugzilla and creating the README upon
-          which the UNIX installation documentation is largely based.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Tara Hernandez <email>tara@tequilarists.org</email></term>
-        <listitem>
-          <para>for keeping Bugzilla development going strong after Terry left
-          mozilla.org and for running landfill.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Dave Lawrence <email>dkl@redhat.com</email></term>
-        <listitem>
-          <para>for providing insight into the key differences between Red
-          Hat's customized Bugzilla.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Dawn Endico <email>endico@mozilla.org</email></term>
-        <listitem>
-          <para>for being a hacker extraordinaire and putting up with Matthew's
-          incessant questions and arguments on irc.mozilla.org in #mozwebtools
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Jacob Steenhagen <email>jake@bugzilla.org</email></term>
-        <listitem>
-          <para>for taking over documentation during the 2.17 development
-          period.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>Dave Miller <email>justdave@bugzilla.org</email></term>
-	<listitem>
-          <para>for taking over as project lead when Tara stepped down and
-	  continually pushing for the documentation to be the best it can be.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-
-
-    <para>
-      Thanks also go to the following people for significant contributions 
-      to this documentation:
-      <simplelist type="inline">
-        <member>Kevin Brannen</member>
-        <member>Vlad Dascalu</member>
-        <member>Ben FrantzDale</member>
-        <member>Eric Hanson</member>
-        <member>Zach Lipton</member>
-        <member>Gervase Markham</member>
-        <member>Andrew Pearson</member>
-        <member>Joe Robins</member>
-        <member>Spencer Smith</member>
-        <member>Ron Teitelbaum</member>
-        <member>Shane Travis</member>
-        <member>Martin Wulffeld</member>
-      </simplelist>.
-    </para>
-    
-    <para>
-      Also, thanks are due to the members of the 
-      <ulink url="news://news.mozilla.org/mozilla.support.bugzilla">
-      mozilla.support.bugzilla</ulink>
-      newsgroup (and its predecessor, netscape.public.mozilla.webtools).
-      Without your discussions, insight, suggestions, and patches,
-      this could never have happened.
-    </para>
-  </section>
-
-  <!-- conventions used here (didn't want to give it a chapter of its own) -->
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="conventions.xml" /> 
-</chapter> 
-
-<!-- Keep this comment at the end of the file 
-Local variables: 
-mode: sgml 
-sgml-always-quote-attributes:t
-sgml-auto-insert-required-elements:t
-sgml-balanced-tag-edit:t
-sgml-exposed-tags:nil
-sgml-general-insert-case:lower
-sgml-indent-data:t 
-sgml-indent-step:2 
-sgml-local-catalogs:nil
-sgml-local-ecat-files:nil 
-sgml-minimize-attributes:nil
-sgml-namecase-general:t 
-sgml-omittag:t
-sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
-sgml-shorttag:t 
-sgml-tag-region-if-active:t 
-End: -->
-

mozilla/webtools/bugzilla/docs/en/xml/conventions.xml

@@ -1,168 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
-                      "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
-    <!ENTITY % myents SYSTEM "bugzilla.ent">
-    %myents;
-]>
-<section id="conventions">
-  <title>Document Conventions</title>
-
-  <indexterm zone="conventions">
-    <primary>conventions</primary>
-  </indexterm>
-
-  <para>This document uses the following conventions:</para>
-
-  <informaltable frame="none">
-    <tgroup cols="2">
-      <thead>
-        <row>
-          <entry>Descriptions</entry>
-
-          <entry>Appearance</entry>
-        </row>
-      </thead>
-
-      <tbody>
-        <row>
-          <entry>Caution</entry>
-
-          <entry>
-            <caution>
-              <para>Don't run with scissors!</para>
-            </caution>
-          </entry>
-        </row>
-
-        <row>
-          <entry>Hint or Tip</entry>
-
-          <entry>
-            <tip>
-              <para>For best results... </para>
-            </tip>
-          </entry>
-        </row>
-
-        <row>
-          <entry>Note</entry>
-
-          <entry>
-            <note>
-              <para>Dear John...</para>
-            </note>
-          </entry>
-        </row>
-
-        <row>
-          <entry>Warning</entry>
-
-          <entry>
-            <warning>
-              <para>Read this or the cat gets it.</para>
-            </warning>
-          </entry>
-        </row>
-
-        <row>
-          <entry>File or directory name</entry>
-
-          <entry>
-            <filename>filename</filename>
-          </entry>
-        </row>
-
-        <row>
-          <entry>Command to be typed</entry>
-
-          <entry>
-            <command>command</command>
-          </entry>
-        </row>
-
-        <row>
-          <entry>Application name</entry>
-
-          <entry>
-            <application>application</application>
-          </entry>
-        </row>
-
-        <row>
-          <entry>
-          Normal user's prompt under bash shell</entry>
-
-          <entry>bash$</entry>
-        </row>
-
-        <row>
-          <entry>
-          Root user's prompt under bash shell</entry>
-
-          <entry>bash#</entry>
-        </row>
-
-        <row>
-          <entry>
-          Normal user's prompt under tcsh shell</entry>
-
-          <entry>tcsh$</entry>
-        </row>
-
-        <row>
-          <entry>Environment variables</entry>
-
-          <entry>
-            <envar>VARIABLE</envar>
-          </entry>
-        </row>
-
-        <row>
-          <entry>Term found in the glossary</entry>
-
-          <entry>
-            <glossterm linkend="gloss-bugzilla">Bugzilla</glossterm>
-          </entry>
-        </row>
-
-        <row>
-          <entry>Code example</entry>
-
-          <entry>
-            <programlisting><sgmltag class="starttag">para</sgmltag>
-Beginning and end of paragraph
-<sgmltag class="endtag">para</sgmltag></programlisting>
-          </entry>
-        </row>
-      </tbody>
-    </tgroup>
-  </informaltable>
-
-  <para>  
-	  This documentation is maintained in DocBook 4.1.2 XML format.
-    Changes are best submitted as plain text or XML diffs, attached
-    to a bug filed in the &bzg-bugs; component.
-  </para>
-  
-</section>
-
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-always-quote-attributes:t
-sgml-auto-insert-required-elements:t
-sgml-balanced-tag-edit:t
-sgml-exposed-tags:nil
-sgml-general-insert-case:lower
-sgml-indent-data:t
-sgml-indent-step:2
-sgml-local-catalogs:nil
-sgml-local-ecat-files:nil
-sgml-minimize-attributes:nil
-sgml-namecase-general:t
-sgml-omittag:t
-sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
-sgml-shorttag:t
-sgml-tag-region-if-active:t
-End:
--->
-

mozilla/webtools/bugzilla/docs/en/xml/customization.xml

@@ -1,821 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
-                      "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
-    <!ENTITY % myents SYSTEM "bugzilla.ent">
-    %myents;
-]>
-<chapter id="customization">
-  <title>Customizing Bugzilla</title>
-
-  <section id="cust-skins">
-    <title>Custom Skins</title>
-    
-    <para>
-      Bugzilla allows you to have multiple skins. These are custom CSS and possibly
-      also custom images for Bugzilla. To create a new custom skin, you have two
-      choices:
-      <itemizedlist>
-        <listitem>
-          <para>
-            Make a single CSS file, and put it in the 
-            <filename>skins/contrib</filename> directory.
-          </para>
-        </listitem>
-        <listitem>
-          <para>
-            Make a directory that contains all the same CSS file
-            names as <filename>skins/standard/</filename>, and put
-            your directory in <filename>skins/contrib/</filename>.
-          </para>
-        </listitem>
-      </itemizedlist>
-    </para>
-      
-    <para>
-      After you put the file or the directory there, make sure to run checksetup.pl
-      so that it can reset the file permissions correctly.
-    </para>
-    <para>
-      After you have installed the new skin, it will show up as an option in the
-      user's General Preferences. If you would like to force a particular skin on all
-      users, just select it in the Default Preferences and then uncheck "Enabled" on
-      the preference.
-    </para>
-  </section>
-  
-  <section id="cust-templates">
-    <title>Template Customization</title>
-    
-    <para>
-      Administrators can configure the look and feel of Bugzilla without
-      having to edit Perl files or face the nightmare of massive merge
-      conflicts when they upgrade to a newer version in the future.
-    </para>
-    
-    <para>
-      Templatization also makes localized versions of Bugzilla possible, 
-      for the first time. It's possible to have Bugzilla's UI language 
-      determined by the user's browser. More information is available in
-      <xref linkend="template-http-accept"/>.
-    </para>
-    
-    <section id="template-directory">
-      <title>Template Directory Structure</title>
-      <para>
-        The template directory structure starts with top level directory 
-        named <filename>template</filename>, which contains a directory
-        for each installed localization. The next level defines the
-        language used in the templates. Bugzilla comes with English
-        templates, so the directory name is <filename>en</filename>,
-        and we will discuss <filename>template/en</filename> throughout
-        the documentation. Below <filename>template/en</filename> is the
-        <filename>default</filename> directory, which contains all the
-        standard templates shipped with Bugzilla.
-      </para>
-
-      <warning>
-        <para>
-          A directory <filename>data/templates</filename> also exists;
-          this is where Template Toolkit puts the compiled versions of
-          the templates from either the default or custom directories.
-          <emphasis>Do not</emphasis> directly edit the files in this
-          directory, or all your changes will be lost the next time
-          Template Toolkit recompiles the templates.
-        </para>
-      </warning>
-    </section>
-
-    <section id="template-method">
-      <title>Choosing a Customization Method</title>
-      <para>
-        If you want to edit Bugzilla's templates, the first decision
-        you must make is how you want to go about doing so. There are two
-        choices, and which you use depends mainly on the scope of your 
-        modifications, and the method you plan to use to upgrade Bugzilla.
-      </para> 
-
-      <para>
-        The first method of making customizations is to directly edit the
-        templates found in <filename>template/en/default</filename>.
-        This is probably the best way to go about it if you are going to
-        be upgrading Bugzilla through CVS, because if you then execute
-        a <command>cvs update</command>, any changes you have made will
-        be merged automagically with the updated versions.
-      </para>
-
-      <note>
-        <para>
-          If you use this method, and CVS conflicts occur during an
-          update, the conflicted templates (and possibly other parts
-          of your installation) will not work until they are resolved.
-        </para>
-      </note>
-
-      <para>
-        The second method is to copy the templates to be modified
-        into a mirrored directory structure under 
-        <filename>template/en/custom</filename>. Templates in this
-        directory structure automatically override any identically-named
-        and identically-located templates in the 
-        <filename>default</filename> directory. 
-      </para>
-
-      <note>
-        <para>
-          The <filename>custom</filename> directory does not exist
-          at first and must be created if you want to use it.
-        </para>
-      </note>
-
-      <para>
-        The second method of customization should be used if you 
-        use the overwriting method of upgrade, because otherwise 
-        your changes will be lost.  This method may also be better if
-        you are using the CVS method of upgrading and are going to make major
-        changes, because it is guaranteed that the contents of this directory
-        will not be touched during an upgrade, and you can then decide whether
-        to continue using your own templates, or make the effort to merge your
-        changes into the new versions by hand.
-      </para>
-
-      <para>
-        Using this method, your installation may break if incompatible
-        changes are made to the template interface.  Such changes should
-        be documented in the release notes, provided you are using a
-        stable release of Bugzilla.  If you use using unstable code, you will
-        need to deal with this one yourself, although if possible the changes
-        will be mentioned before they occur in the deprecations section of the
-        previous stable release's release notes.
-      </para>
-
-      <note>
-        <para>
-          Regardless of which method you choose, it is recommended that
-          you run <command>./checksetup.pl</command> after creating or
-          editing any templates in the <filename>template/en/default</filename>
-          directory, and after editing any templates in the 
-          <filename>custom</filename> directory.
-        </para>
-      </note>
-
-      <warning>
-        <para>
-          It is <emphasis>required</emphasis> that you run 
-          <command>./checksetup.pl</command> after creating a new
-          template in the <filename>custom</filename> directory. Failure
-          to do so will raise an incomprehensible error message.
-        </para>
-      </warning>
-    </section>
-    
-    <section id="template-edit">
-      <title>How To Edit Templates</title>
-      
-      <note>
-        <para>
-          If you are making template changes that you intend on submitting back
-          for inclusion in standard Bugzilla, you should read the relevant
-          sections of the 
-          <ulink url="http://www.bugzilla.org/docs/developer.html">Developers'
-          Guide</ulink>.
-        </para>
-      </note>
-      
-      <para>
-        The syntax of the Template Toolkit language is beyond the scope of
-        this guide. It's reasonably easy to pick up by looking at the current 
-        templates; or, you can read the manual, available on the
-        <ulink url="http://www.template-toolkit.org">Template Toolkit home
-        page</ulink>.
-      </para>
-      
-      <para>
-        One thing you should take particular care about is the need
-        to properly HTML filter data that has been passed into the template.
-        This means that if the data can possibly contain special HTML characters
-        such as &lt;, and the data was not intended to be HTML, they need to be
-        converted to entity form, i.e. &amp;lt;.  You use the 'html' filter in the
-        Template Toolkit to do this.  If you forget, you may open up
-        your installation to cross-site scripting attacks.
-      </para>
-
-      <para>
-        Also note that Bugzilla adds a few filters of its own, that are not
-        in standard Template Toolkit.  In particular, the 'url_quote' filter
-        can convert characters that are illegal or have special meaning in URLs,
-        such as &amp;, to the encoded form, i.e. %26.  This actually encodes most
-        characters (but not the common ones such as letters and numbers and so
-        on), including the HTML-special characters, so there's never a need to
-        HTML filter afterwards.
-      </para>
- 
-      <para>
-        Editing templates is a good way of doing a <quote>poor man's custom
-        fields</quote>.
-        For example, if you don't use the Status Whiteboard, but want to have
-        a free-form text entry box for <quote>Build Identifier</quote>,
-        then you can just
-        edit the templates to change the field labels. It's still be called
-        status_whiteboard internally, but your users don't need to know that.
-      </para>
-      
-    </section>
-            
-    
-    <section id="template-formats">
-      <title>Template Formats and Types</title>
-      
-      <para>
-        Some CGI's have the ability to use more than one template. For example,
-        <filename>buglist.cgi</filename> can output itself as RDF, or as two 
-        formats of HTML (complex and simple). The mechanism that provides this 
-        feature is extensible.
-      </para>
-
-      <para>
-        Bugzilla can support different types of output, which again can have 
-        multiple formats. In order to request a certain type, you can append 
-        the &amp;ctype=&lt;contenttype&gt; (such as rdf or html) to the 
-        <filename>&lt;cginame&gt;.cgi</filename> URL. If you would like to 
-        retrieve a certain format, you can use the &amp;format=&lt;format&gt; 
-        (such as simple or complex) in the URL.
-      </para>
-      
-      <para>
-        To see if a CGI supports multiple output formats and types, grep the
-        CGI for <quote>get_format</quote>. If it's not present, adding
-        multiple format/type support isn't too hard - see how it's done in
-        other CGIs, e.g. config.cgi.
-      </para>
-      
-      <para>
-        To make a new format template for a CGI which supports this, 
-        open a current template for
-        that CGI and take note of the INTERFACE comment (if present.) This 
-        comment defines what variables are passed into this template. If 
-        there isn't one, I'm afraid you'll have to read the template and
-        the code to find out what information you get. 
-      </para>     
-  
-      <para>
-        Write your template in whatever markup or text style is appropriate.
-      </para>
-      
-      <para>
-        You now need to decide what content type you want your template
-        served as. The content types are defined in the
-        <filename>Bugzilla/Constants.pm</filename> file in the 
-        <filename>contenttypes</filename>
-        constant. If your content type is not there, add it. Remember
-        the three- or four-letter tag assigned to your content type. 
-        This tag will be part of the template filename.
-      </para>
-
-      <note>
-        <para>
-          After adding or changing a content type, it's suitable to edit
-          <filename>Bugzilla/Constants.pm</filename> in order to reflect
-          the changes. Also, the file should be kept up to date after an
-          upgrade if content types have been customized in the past. 
-        </para>
-      </note>
-      
-      <para>
-        Save the template as <filename>&lt;stubname&gt;-&lt;formatname&gt;.&lt;contenttypetag&gt;.tmpl</filename>. 
-        Try out the template by calling the CGI as 
-        <filename>&lt;cginame&gt;.cgi?format=&lt;formatname&gt;&amp;ctype=&lt;type&gt;</filename> .
-      </para>       
-    </section>
-    
-    
-    <section id="template-specific">
-      <title>Particular Templates</title>
-      
-      <para>
-        There are a few templates you may be particularly interested in
-        customizing for your installation.
-      </para>
-      
-      <para>
-        <command>index.html.tmpl</command>:
-        This is the Bugzilla front page.
-      </para>      
-
-      <para>
-        <command>global/header.html.tmpl</command>:
-        This defines the header that goes on all Bugzilla pages.
-        The header includes the banner, which is what appears to users
-        and is probably what you want to edit instead.  However the
-        header also includes the HTML HEAD section, so you could for
-        example add a stylesheet or META tag by editing the header.
-      </para>
-
-      <para>
-        <command>global/banner.html.tmpl</command>:
-        This contains the <quote>banner</quote>, the part of the header
-        that appears
-        at the top of all Bugzilla pages.  The default banner is reasonably
-        barren, so you'll probably want to customize this to give your
-        installation a distinctive look and feel.  It is recommended you
-        preserve the Bugzilla version number in some form so the version 
-        you are running can be determined, and users know what docs to read.
-      </para>
-
-      <para>
-        <command>global/footer.html.tmpl</command>:
-        This defines the footer that goes on all Bugzilla pages.  Editing
-        this is another way to quickly get a distinctive look and feel for
-        your Bugzilla installation.
-      </para>
-
-      <para>
-        <command>global/variables.none.tmpl</command>:
-        This defines a list of terms that may be changed in order to
-        <quote>brand</quote> the Bugzilla instance In this way, terms
-        like <quote>bugs</quote> can be replaced with <quote>issues</quote>
-        across the whole Bugzilla installation. The name
-        <quote>Bugzilla</quote> and other words can be customized as well.
-      </para>
-
-      <para>
-        <command>list/table.html.tmpl</command>:
-        This template controls the appearance of the bug lists created
-        by Bugzilla. Editing this template allows per-column control of 
-        the width and title of a column, the maximum display length of
-        each entry, and the wrap behaviour of long entries.
-        For long bug lists, Bugzilla inserts a 'break' every 100 bugs by
-        default; this behaviour is also controlled by this template, and
-        that value can be modified here.
-       </para>
-
-      <para>
-        <command>bug/create/user-message.html.tmpl</command>:
-        This is a message that appears near the top of the bug reporting page.
-        By modifying this, you can tell your users how they should report
-        bugs.
-      </para>
-
-      <para>
-        <command>bug/process/midair.html.tmpl</command>:
-        This is the page used if two people submit simultaneous changes to the
-        same bug.  The second person to submit their changes will get this page
-        to tell them what the first person did, and ask if they wish to
-        overwrite those changes or go back and revisit the bug.  The default
-        title and header on this page read "Mid-air collision detected!"  If
-        you work in the aviation industry, or other environment where this
-        might be found offensive (yes, we have true stories of this happening)
-        you'll want to change this to something more appropriate for your
-        environment.
-      </para>
-
-      <para>
-        <command>bug/create/create.html.tmpl</command> and
-        <command>bug/create/comment.txt.tmpl</command>:
-        You may not wish to go to the effort of creating custom fields in
-        Bugzilla, yet you want to make sure that each bug report contains
-        a number of pieces of important information for which there is not
-        a special field. The bug entry system has been designed in an
-        extensible fashion to enable you to add arbitrary HTML widgets,
-        such as drop-down lists or textboxes, to the bug entry page
-        and have their values appear formatted in the initial comment.
-        A hidden field that indicates the format should be added inside
-        the form in order to make the template functional. Its value should
-        be the suffix of the template filename. For example, if the file
-        is called <filename>create-cust.html.tmpl</filename>, then
-        <programlisting>&lt;input type="hidden" name="format" value="cust"&gt;</programlisting>
-        should be used inside the form.
-      </para>
-
-      <para>  
-        An example of this is the mozilla.org 
-        <ulink url="http://landfill.bugzilla.org/bugzilla-tip/enter_bug.cgi?product=WorldControl&amp;format=guided">guided 
-        bug submission form</ulink>. The code for this comes with the Bugzilla
-        distribution as an example for you to copy. It can be found in the
-        files 
-        <filename>create-guided.html.tmpl</filename> and
-        <filename>comment-guided.html.tmpl</filename>.
-      </para>  
-
-      <para>
-        So to use this feature, create a custom template for 
-        <filename>enter_bug.cgi</filename>. The default template, on which you
-        could base it, is 
-        <filename>custom/bug/create/create.html.tmpl</filename>.
-        Call it <filename>create-&lt;formatname&gt;.html.tmpl</filename>, and
-        in it, add widgets for each piece of information you'd like
-        collected - such as a build number, or set of steps to reproduce.
-      </para>
-
-      <para>
-        Then, create a template like 
-        <filename>custom/bug/create/comment.txt.tmpl</filename>, and call it 
-        <filename>comment-&lt;formatname&gt;.txt.tmpl</filename>. This 
-        template should reference the form fields you have created using
-        the syntax <filename>[% form.&lt;fieldname&gt; %]</filename>. When a 
-        bug report is
-        submitted, the initial comment attached to the bug report will be
-        formatted according to the layout of this template.
-      </para> 
-
-      <para>
-        For example, if your custom enter_bug template had a field
-        <programlisting>&lt;input type="text" name="buildid" size="30"&gt;</programlisting>
-        and then your comment.txt.tmpl had
-        <programlisting>BuildID: [% form.buildid %]</programlisting>
-        then something like
-        <programlisting>BuildID: 20020303</programlisting>
-        would appear in the initial comment.
-      </para>            
-    </section>          
-
-
-    <section id="template-http-accept">
-      <title>Configuring Bugzilla to Detect the User's Language</title>
-
-      <para>Bugzilla honours the user's Accept: HTTP header. You can install
-      templates in other languages, and Bugzilla will pick the most appropriate
-      according to a priority order defined by you. Many
-      language templates can be obtained from <ulink 
-      url="http://www.bugzilla.org/download.html#localizations"/>. Instructions
-      for submitting new languages are also available from that location.
-      </para>
-    </section>
-      
-  </section>
-
-  <section id="cust-hooks">
-    <title>The Bugzilla Extension Mechanism</title>
-    
-    <warning>
-      <para>
-        Note that the below paths are inconsistent and confusing. They will
-        likely be changed in Bugzilla 4.0.
-      </para>
-    </warning>
-       
-    <para>
-      Extensions are a way for extensions to Bugzilla to insert code
-      into the standard Bugzilla templates and source files
-      without modifying these files themselves.  The extension mechanism 
-      defines a consistent API for extending the standard templates and source files 
-      in a way that cleanly separates standard code from extension code.  
-      Hooks reduce merge conflicts and make it easier to write extensions that work 
-      across multiple versions of Bugzilla, making upgrading a Bugzilla installation 
-      with installed extensions easier. Furthermore, they make it easy to install 
-      and remove extensions as each extension is nothing more than a 
-      simple directory structure. 
-    </para>
-    
-    <para>
-      There are two main types of hooks: code hooks and template hooks. Code 
-      hooks allow extensions to invoke code at specific points in various 
-      source files, while template hooks allow extensions to add elements to 
-      the Bugzilla user interface. 
-    </para>
-
-    <para>
-      A hook is just a named place in a standard source or template file
-      where extension source code or template files for that hook get processed. 
-      Each extension has a corresponding directory in the Bugzilla directory 
-      tree (<filename>BUGZILLA_ROOT/extensions/extension_name</filename>).  Hooking 
-      an extension source file or template to a hook is as simple as putting 
-      the extension file into extension's template or code directory. 
-      When Bugzilla processes the source file or template and reaches the hook, 
-      it will process all extension files in the hook's directory. 
-      The hooks themselves can be added into any source file or standard template 
-      upon request by extension authors.
-    </para>
-    
-    <para>
-      To use hooks to extend Bugzilla, first make sure there is
-      a hook at the appropriate place within the source file or template you 
-      want to extend. The exact appearance of a hook depends on if the hook 
-      is a code hook or a template hook. 
-    </para>
-    
-    <para>
-      Code hooks appear in Bugzilla source files as a single method call 
-      in the format <literal role="code">Bugzilla::Hook->process("<varname>name</varname>");</literal>.
-      For instance, <filename>enter_bug.cgi</filename> may invoke the hook 
-      "<varname>enter_bug-entrydefaultvars</varname>". Thus, a source file at 
-      <filename>BUGZILLA_ROOT/extensions/EXTENSION_NAME/code/enter_bug-entrydefaultvars.pl</filename>
-      will be automatically invoked when the code hook is reached. 
-    </para>
-   
-    <para>  
-      Template hooks appear in the standard Bugzilla templates as a 
-      single directive in the format
-      <literal role="code">[% Hook.process("<varname>name</varname>") %]</literal>,
-      where <varname>name</varname> is the unique name of the hook.
-    </para>
-
-    <para>
-      If you aren't sure what you want to extend or just want to browse the 
-      available hooks, either use your favorite multi-file search
-      tool (e.g. <command>grep</command>) to search the standard templates
-      for occurrences of <methodname>Hook.process</methodname> or the source 
-      files for occurrences of <methodname>Bugzilla::Hook::process</methodname>.
-    </para>
-
-    <para>
-      If there is no hook at the appropriate place within the Bugzilla 
-      source file or template you want to extend,
-      <ulink url="http://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla&amp;component=User%20Interface">file
-      a bug requesting one</ulink>, specifying:
-    </para>
-
-    <simplelist>
-      <member>the source or template file for which you are 
-          requesting a hook;</member>
-      <member>
-        where in the file you would like the hook to be placed
-        (line number/position for latest version of the file in CVS
-        or description of location);
-      </member>
-      <member>the purpose of the hook;</member>
-      <member>a link to information about your extension, if any.</member>
-    </simplelist>
-
-    <para>
-      The Bugzilla reviewers will promptly review each hook request,
-      name the hook, add it to the template or source file, and check 
-      the new version of the template into CVS.
-    </para>
-
-    <para>
-      You may optionally attach a patch to the bug which implements the hook
-      and check it in yourself after receiving approval from a Bugzilla
-      reviewer.  The developers may suggest changes to the location of the
-      hook based on their analysis of your needs or so the hook can satisfy
-      the needs of multiple extensions, but the process of getting hooks
-      approved and checked in is not as stringent as the process for general
-      changes to Bugzilla, and any extension, whether released or still in
-      development, can have hooks added to meet their needs.
-    </para>
-
-    <para>
-      After making sure the hook you need exists (or getting it added if not),
-      add your extension to the directory within the Bugzilla
-      extensions tree corresponding to the hook. 
-    </para>
-    
-    <para>
-      That's it!  Now, when the source file or template containing the hook
-      is processed, your extension file will be processed at the point 
-      where the hook appears.
-    </para>
-
-    <para>
-      For example, let's say you have an extension named Projman that adds
-      project management capabilities to Bugzilla.  Projman has an
-      administration interface <filename>edit-projects.cgi</filename>, 
-      and you want to add a link to it into the navigation bar at the bottom
-      of every Bugzilla page for those users who are authorized
-      to administer projects.
-    </para>
-
-    <para>
-      The navigation bar is generated by the template file
-      <filename>useful-links.html.tmpl</filename>, which is located in
-      the <filename>global/</filename> subdirectory on the standard Bugzilla 
-      template path
-      <filename>BUGZILLA_ROOT/template/en/default/</filename>.
-      Looking in <filename>useful-links.html.tmpl</filename>, you find
-      the following hook at the end of the list of standard Bugzilla
-      administration links:
-    </para>
-
-    <programlisting><![CDATA[...
-    [% ', <a href="editkeywords.cgi">keywords</a>' 
-                                              IF user.groups.editkeywords %]
-    [% Hook.process("edit") %]
-...]]></programlisting>
-
-    <para>
-      The corresponding extension file for this hook is
-      <filename>BUGZILLA_ROOT/extensions/projman/template/en/global/useful-links-edit.html.tmpl</filename>.
-      You then create that template file and add the following constant:
-    </para>
-
-    <programlisting><![CDATA[...[% ', <a href="edit-projects.cgi">projects</a>' IF user.groups.projman_admins %]]]></programlisting>
-
-    <para>
-      Voila!  The link now appears after the other administration links in the
-      navigation bar for users in the <literal>projman_admins</literal> group.
-    </para>
-    
-    <para>
-      Now, let us say your extension adds a custom "project_manager" field 
-      to enter_bug.cgi. You want to modify the CGI script to set the default 
-      project manager to be productname@company.com. Looking at 
-      <filename>enter_bug.cgi</filename>, you see the enter_bug-entrydefaultvars 
-      hook near the bottom of the file before the default form values are set. 
-      The corresponding extension source file for this hook is located at 
-      <filename>BUGZILLA_ROOT/extensions/projman/code/enter_bug-entrydefaultvars.pl</filename>.
-      You then create that file and add the following:
-    </para>
-    
-    <programlisting>$default{'project_manager'} = $product.'@company.com';</programlisting>
-    
-    <para>
-      This code will be invoked whenever enter_bug.cgi is executed. 
-      Assuming that the rest of the customization was completed (e.g. the 
-      custom field was added to the enter_bug template and the required hooks 
-      were used in process_bug.cgi), the new field will now have this 
-      default value. 
-    </para>
-      
-    <para>
-      Notes:
-    </para>
-
-    <itemizedlist>
-      <listitem>
-        <para>
-          If your extension includes entirely new templates in addition to
-          extensions of standard templates, it should store those new
-          templates in its
-          <filename>BUGZILLA_ROOT/extensions/template/en/</filename> 
-          directory. Extension template directories, like the 
-          <filename>default/</filename> and <filename>custom/</filename>
-          directories, are part of the template search path, so putting templates
-          there enables them to be found by the template processor.
-        </para>
-
-        <para>
-          The template processor looks for templates first in the
-          <filename>custom/</filename> directory (i.e. templates added by the 
-          specific installation), then in the <filename>extensions/</filename>
-          directory (i.e. templates added by extensions), and finally in the 
-          <filename>default/</filename> directory (i.e. the standard Bugzilla 
-          templates). Thus, installation-specific templates override both 
-          default and extension templates.
-        </para>
-      </listitem>
-
-      <listitem>
-        <para>
-          If you are looking to customize Bugzilla, you can also take advantage 
-          of template hooks. To do so, create a directory in
-          <filename>BUGZILLA_ROOT/template/en/custom/hook/</filename>
-          that corresponds to the hook you wish to use, then place your 
-          customization templates into those directories. For example, 
-          if you wanted to use the hook "end" in 
-          <filename>global/useful-links.html.tmpl</filename>, you would 
-          create the directory <filename>BUGZILLA_ROOT/template/en/custom/hook/
-          global/useful-links.html.tmpl/end/</filename> and add your customization 
-          template to this directory. 
-        </para>
-
-        <para>
-          Obviously this method of customizing Bugzilla only lets you add code
-          to the standard source files and templates; you cannot change the 
-          existing code. Nevertheless, for those customizations that only add 
-          code, this method can reduce conflicts when merging changes, 
-          making upgrading your customized Bugzilla installation easier.
-        </para>
-      </listitem>
-    </itemizedlist>    
-  </section>
-
-  <section id="cust-change-permissions">
-    <title>Customizing Who Can Change What</title>
-    
-    <warning>
-      <para>
-        This feature should be considered experimental; the Bugzilla code you
-        will be changing is not stable, and could change or move between 
-        versions. Be aware that if you make modifications as outlined here, 
-        you may have
-        to re-make them or port them if Bugzilla changes internally between
-        versions, and you upgrade.
-      </para>
-    </warning>
-      
-    <para>
-      Companies often have rules about which employees, or classes of employees,
-      are allowed to change certain things in the bug system. For example, 
-      only the bug's designated QA Contact may be allowed to VERIFY the bug.
-      Bugzilla has been
-      designed to make it easy for you to write your own custom rules to define
-      who is allowed to make what sorts of value transition.
-    </para>
-
-    <para>
-     By default, assignees, QA owners and users
-     with <emphasis>editbugs</emphasis> privileges can edit all fields of bugs, 
-     except group restrictions (unless they are members of the groups they 
-     are trying to change). Bug reporters also have the ability to edit some 
-     fields, but in a more restrictive manner. Other users, without 
-     <emphasis>editbugs</emphasis> privileges, can not edit 
-     bugs, except to comment and add themselves to the CC list.
-    </para> 
-    
-    <para>
-      For maximum flexibility, customizing this means editing Bugzilla's Perl 
-      code. This gives the administrator complete control over exactly who is
-      allowed to do what. The relevant method is called
-      <filename>check_can_change_field()</filename>,
-      and is found in <filename>Bug.pm</filename> in your
-      Bugzilla/ directory. If you open that file and search for
-      <quote>sub check_can_change_field</quote>, you'll find it.
-    </para>
-    
-    <para>
-      This function has been carefully commented to allow you to see exactly
-      how it works, and give you an idea of how to make changes to it.
-      Certain marked sections should not be changed - these are
-      the <quote>plumbing</quote> which makes the rest of the function work.
-      In between those sections, you'll find snippets of code like:
-      <programlisting>    # Allow the assignee to change anything.
-    if ($ownerid eq $whoid) {
-        return 1;
-    }</programlisting>
-      It's fairly obvious what this piece of code does.
-    </para>      
-      
-    <para>
-      So, how does one go about changing this function? Well, simple changes
-      can be made just by removing pieces - for example, if you wanted to 
-      prevent any user adding a comment to a bug, just remove the lines marked
-      <quote>Allow anyone to change comments.</quote> If you don't want the
-      Reporter to have any special rights on bugs they have filed, just
-      remove the entire section that deals with the Reporter.
-    </para>
-    
-    <para>
-      More complex customizations are not much harder. Basically, you add
-      a check in the right place in the function, i.e. after all the variables
-      you are using have been set up. So, don't look at $ownerid before 
-      $ownerid has been obtained from the database. You can either add a
-      positive check, which returns 1 (allow) if certain conditions are true,
-      or a negative check, which returns 0 (deny.) E.g.:
-      <programlisting>    if ($field eq "qacontact") {
-        if (Bugzilla->user->groups("quality_assurance")) {
-            return 1;
-        } 
-        else {
-            return 0;
-        }
-    }</programlisting>
-      This says that only users in the group "quality_assurance" can change
-      the QA Contact field of a bug.
-    </para>
-
-    <para>
-      Getting more weird:
-      <programlisting><![CDATA[    if (($field eq "priority") &&
-        (Bugzilla->user->email =~ /.*\@example\.com$/))
-    {
-        if ($oldvalue eq "P1") {
-            return 1;
-        } 
-        else {
-            return 0;
-        }
-    }]]></programlisting>
-      This says that if the user is trying to change the priority field,
-      and their email address is @example.com, they can only do so if the
-      old value of the field was "P1". Not very useful, but illustrative.
-    </para>
-
-    <warning>
-      <para>
-        If you are modifying <filename>process_bug.cgi</filename> in any
-        way, do not change the code that is bounded by DO_NOT_CHANGE blocks.
-        Doing so could compromise security, or cause your installation to
-        stop working entirely.
-      </para>
-    </warning>
-    
-    <para>
-      For a list of possible field names, look at the bugs table in the 
-      database. If you need help writing custom rules for your organization,
-      ask in the newsgroup.
-    </para>    
-  </section>   
-
-  <!-- Integrating Bugzilla with Third-Party Tools -->
-<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="integration.xml" />
-</chapter>
-
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-always-quote-attributes:t
-sgml-auto-insert-required-elements:t
-sgml-balanced-tag-edit:t
-sgml-exposed-tags:nil
-sgml-general-insert-case:lower
-sgml-indent-data:t
-sgml-indent-step:2
-sgml-local-catalogs:nil
-sgml-local-ecat-files:nil
-sgml-minimize-attributes:nil
-sgml-namecase-general:t
-sgml-omittag:t
-sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
-sgml-shorttag:t
-sgml-tag-region-if-active:t
-End:
--->
-

mozilla/webtools/bugzilla/docs/en/xml/gfdl.xml

@@ -1,449 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
-                      "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
-    <!ENTITY % myents SYSTEM "bugzilla.ent">
-    %myents;
-]>
-<appendix id="gfdl">
-  <title>GNU Free Documentation License</title>
-
-<!-- - GNU Project - Free Software Foundation (FSF) -->
-<!-- LINK REV="made" HREF="mailto:webmasters@gnu.org" -->
-<!-- section>
-    <title>GNU Free Documentation License</title -->
-  <para>Version 1.1, March 2000</para>
-
-  <blockquote>
-    <para>Copyright (C) 2000 Free Software Foundation, Inc. 59 Temple Place,
-    Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and
-    distribute verbatim copies of this license document, but changing it is
-    not allowed.</para>
-  </blockquote>
-
-  <section label="0" id="gfdl-0">
-    <title>Preamble</title>
-
-    <para>The purpose of this License is to make a manual, textbook, or other
-    written document "free" in the sense of freedom: to assure everyone the
-    effective freedom to copy and redistribute it, with or without modifying
-    it, either commercially or noncommercially. Secondarily, this License
-    preserves for the author and publisher a way to get credit for their
-    work, while not being considered responsible for modifications made by
-    others.</para>
-
-    <para>This License is a kind of "copyleft", which means that derivative
-    works of the document must themselves be free in the same sense. It
-    complements the GNU General Public License, which is a copyleft license
-    designed for free software.</para>
-
-    <para>We have designed this License in order to use it for manuals for
-    free software, because free software needs free documentation: a free
-    program should come with manuals providing the same freedoms that the
-    software does. But this License is not limited to software manuals; it
-    can be used for any textual work, regardless of subject matter or whether
-    it is published as a printed book. We recommend this License principally
-    for works whose purpose is instruction or reference.</para>
-  </section>
-
-  <section label="1" id="gfdl-1">
-    <title>Applicability and Definition</title>
-
-    <para>This License applies to any manual or other work that contains a
-    notice placed by the copyright holder saying it can be distributed under
-    the terms of this License. The "Document", below, refers to any such
-    manual or work. Any member of the public is a licensee, and is addressed
-    as "you".</para>
-
-    <para>A "Modified Version" of the Document means any work containing the
-    Document or a portion of it, either copied verbatim, or with
-    modifications and/or translated into another language.</para>
-
-    <para>A "Secondary Section" is a named appendix or a front-matter section
-    of the Document that deals exclusively with the relationship of the
-    publishers or authors of the Document to the Document's overall subject
-    (or to related matters) and contains nothing that could fall directly
-    within that overall subject. (For example, if the Document is in part a
-    textbook of mathematics, a Secondary Section may not explain any
-    mathematics.) The relationship could be a matter of historical connection
-    with the subject or with related matters, or of legal, commercial,
-    philosophical, ethical or political position regarding them.</para>
-
-    <para>The "Invariant Sections" are certain Secondary Sections whose
-    titles are designated, as being those of Invariant Sections, in the
-    notice that says that the Document is released under this License.</para>
-
-    <para>The "Cover Texts" are certain short passages of text that are
-    listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says
-    that the Document is released under this License.</para>
-
-    <para>A "Transparent" copy of the Document means a machine-readable copy,
-    represented in a format whose specification is available to the general
-    public, whose contents can be viewed and edited directly and
-    straightforwardly with generic text editors or (for images composed of
-    pixels) generic paint programs or (for drawings) some widely available
-    drawing editor, and that is suitable for input to text formatters or for
-    automatic translation to a variety of formats suitable for input to text
-    formatters. A copy made in an otherwise Transparent file format whose
-    markup has been designed to thwart or discourage subsequent modification
-    by readers is not Transparent. A copy that is not "Transparent" is called
-    "Opaque".</para>
-
-    <para>Examples of suitable formats for Transparent copies include plain
-    ASCII without markup, Texinfo input format, LaTeX input format, SGML or
-    XML using a publicly available DTD, and standard-conforming simple HTML
-    designed for human modification. Opaque formats include PostScript, PDF,
-    proprietary formats that can be read and edited only by proprietary word
-    processors, SGML or XML for which the DTD and/or processing tools are not
-    generally available, and the machine-generated HTML produced by some word
-    processors for output purposes only.</para>
-
-    <para>The "Title Page" means, for a printed book, the title page itself,
-    plus such following pages as are needed to hold, legibly, the material
-    this License requires to appear in the title page. For works in formats
-    which do not have any title page as such, "Title Page" means the text
-    near the most prominent appearance of the work's title, preceding the
-    beginning of the body of the text.</para>
-  </section>
-
-  <section label="2" id="gfdl-2">
-    <title>Verbatim Copying</title>
-
-    <para>You may copy and distribute the Document in any medium, either
-    commercially or noncommercially, provided that this License, the
-    copyright notices, and the license notice saying this License applies to
-    the Document are reproduced in all copies, and that you add no other
-    conditions whatsoever to those of this License. You may not use technical
-    measures to obstruct or control the reading or further copying of the
-    copies you make or distribute. However, you may accept compensation in
-    exchange for copies. If you distribute a large enough number of copies
-    you must also follow the conditions in section 3.</para>
-
-    <para>You may also lend copies, under the same conditions stated above,
-    and you may publicly display copies.</para>
-  </section>
-
-  <section label="3" id="gfdl-3">
-    <title>Copying in Quantity</title>
-
-    <para>If you publish printed copies of the Document numbering more than
-    100, and the Document's license notice requires Cover Texts, you must
-    enclose the copies in covers that carry, clearly and legibly, all these
-    Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts
-    on the back cover. Both covers must also clearly and legibly identify you
-    as the publisher of these copies. The front cover must present the full
-    title with all words of the title equally prominent and visible. You may
-    add other material on the covers in addition. Copying with changes
-    limited to the covers, as long as they preserve the title of the Document
-    and satisfy these conditions, can be treated as verbatim copying in other
-    respects.</para>
-
-    <para>If the required texts for either cover are too voluminous to fit
-    legibly, you should put the first ones listed (as many as fit reasonably)
-    on the actual cover, and continue the rest onto adjacent pages.</para>
-
-    <para>If you publish or distribute Opaque copies of the Document
-    numbering more than 100, you must either include a machine-readable
-    Transparent copy along with each Opaque copy, or state in or with each
-    Opaque copy a publicly-accessible computer-network location containing a
-    complete Transparent copy of the Document, free of added material, which
-    the general network-using public has access to download anonymously at no
-    charge using public-standard network protocols. If you use the latter
-    option, you must take reasonably prudent steps, when you begin
-    distribution of Opaque copies in quantity, to ensure that this
-    Transparent copy will remain thus accessible at the stated location until
-    at least one year after the last time you distribute an Opaque copy
-    (directly or through your agents or retailers) of that edition to the
-    public.</para>
-
-    <para>It is requested, but not required, that you contact the authors of
-    the Document well before redistributing any large number of copies, to
-    give them a chance to provide you with an updated version of the
-    Document.</para>
-  </section>
-
-  <section label="4" id="gfdl-4">
-    <title>Modifications</title>
-
-    <para>You may copy and distribute a Modified Version of the Document
-    under the conditions of sections 2 and 3 above, provided that you release
-    the Modified Version under precisely this License, with the Modified
-    Version filling the role of the Document, thus licensing distribution and
-    modification of the Modified Version to whoever possesses a copy of it.
-    In addition, you must do these things in the Modified Version:</para>
-
-    <orderedlist numeration="upperalpha">
-      <listitem>
-        <para>Use in the Title Page (and on the covers, if any) a title
-        distinct from that of the Document, and from those of previous
-        versions (which should, if there were any, be listed in the History
-        section of the Document). You may use the same title as a previous
-        version if the original publisher of that version gives
-        permission.</para>
-      </listitem>
-
-      <listitem>
-        <para>List on the Title Page, as authors, one or more persons or
-        entities responsible for authorship of the modifications in the
-        Modified Version, together with at least five of the principal
-        authors of the Document (all of its principal authors, if it has less
-        than five).</para>
-      </listitem>
-
-      <listitem>
-        <para>State on the Title page the name of the publisher of the
-        Modified Version, as the publisher.</para>
-      </listitem>
-
-      <listitem>
-        <para>Preserve all the copyright notices of the Document.</para>
-      </listitem>
-
-      <listitem>
-        <para>Add an appropriate copyright notice for your modifications
-        adjacent to the other copyright notices.</para>
-      </listitem>
-
-      <listitem>
-        <para>Include, immediately after the copyright notices, a license
-        notice giving the public permission to use the Modified Version under
-        the terms of this License, in the form shown in the Addendum
-        below.</para>
-      </listitem>
-
-      <listitem>
-        <para>Preserve in that license notice the full lists of Invariant
-        Sections and required Cover Texts given in the Document's license
-        notice.</para>
-      </listitem>
-
-      <listitem>
-        <para>Include an unaltered copy of this License.</para>
-      </listitem>
-
-      <listitem>
-        <para>Preserve the section entitled "History", and its title, and add
-        to it an item stating at least the title, year, new authors, and
-        publisher of the Modified Version as given on the Title Page. If
-        there is no section entitled "History" in the Document, create one
-        stating the title, year, authors, and publisher of the Document as
-        given on its Title Page, then add an item describing the Modified
-        Version as stated in the previous sentence.</para>
-      </listitem>
-
-      <listitem>
-        <para>Preserve the network location, if any, given in the Document
-        for public access to a Transparent copy of the Document, and likewise
-        the network locations given in the Document for previous versions it
-        was based on. These may be placed in the "History" section. You may
-        omit a network location for a work that was published at least four
-        years before the Document itself, or if the original publisher of the
-        version it refers to gives permission.</para>
-      </listitem>
-
-      <listitem>
-        <para>In any section entitled "Acknowledgements" or "Dedications",
-        preserve the section's title, and preserve in the section all the
-        substance and tone of each of the contributor acknowledgements and/or
-        dedications given therein.</para>
-      </listitem>
-
-      <listitem>
-        <para>Preserve all the Invariant Sections of the Document, unaltered
-        in their text and in their titles. Section numbers or the equivalent
-        are not considered part of the section titles.</para>
-      </listitem>
-
-      <listitem>
-        <para>Delete any section entitled "Endorsements". Such a section may
-        not be included in the Modified Version.</para>
-      </listitem>
-
-      <listitem>
-        <para>Do not retitle any existing section as "Endorsements" or to
-        conflict in title with any Invariant Section.</para>
-      </listitem>
-    </orderedlist>
-
-    <para>If the Modified Version includes new front-matter sections or
-    appendices that qualify as Secondary Sections and contain no material
-    copied from the Document, you may at your option designate some or all of
-    these sections as invariant. To do this, add their titles to the list of
-    Invariant Sections in the Modified Version's license notice. These titles
-    must be distinct from any other section titles.</para>
-
-    <para>You may add a section entitled "Endorsements", provided it contains
-    nothing but endorsements of your Modified Version by various parties--for
-    example, statements of peer review or that the text has been approved by
-    an organization as the authoritative definition of a standard.</para>
-
-    <para>You may add a passage of up to five words as a Front-Cover Text,
-    and a passage of up to 25 words as a Back-Cover Text, to the end of the
-    list of Cover Texts in the Modified Version. Only one passage of
-    Front-Cover Text and one of Back-Cover Text may be added by (or through
-    arrangements made by) any one entity. If the Document already includes a
-    cover text for the same cover, previously added by you or by arrangement
-    made by the same entity you are acting on behalf of, you may not add
-    another; but you may replace the old one, on explicit permission from the
-    previous publisher that added the old one.</para>
-
-    <para>The author(s) and publisher(s) of the Document do not by this
-    License give permission to use their names for publicity for or to assert
-    or imply endorsement of any Modified Version.</para>
-  </section>
-
-  <section label="5" id="gfdl-5">
-    <title>Combining Documents</title>
-
-    <para>You may combine the Document with other documents released under
-    this License, under the terms defined in section 4 above for modified
-    versions, provided that you include in the combination all of the
-    Invariant Sections of all of the original documents, unmodified, and list
-    them all as Invariant Sections of your combined work in its license
-    notice.</para>
-
-    <para>The combined work need only contain one copy of this License, and
-    multiple identical Invariant Sections may be replaced with a single copy.
-    If there are multiple Invariant Sections with the same name but different
-    contents, make the title of each such section unique by adding at the end
-    of it, in parentheses, the name of the original author or publisher of
-    that section if known, or else a unique number. Make the same adjustment
-    to the section titles in the list of Invariant Sections in the license
-    notice of the combined work.</para>
-
-    <para>In the combination, you must combine any sections entitled
-    "History" in the various original documents, forming one section entitled
-    "History"; likewise combine any sections entitled "Acknowledgements", and
-    any sections entitled "Dedications". You must delete all sections
-    entitled "Endorsements."</para>
-  </section>
-
-  <section label="6" id="gfdl-6">
-    <title>Collections of Documents</title>
-
-    <para>You may make a collection consisting of the Document and other
-    documents released under this License, and replace the individual copies
-    of this License in the various documents with a single copy that is
-    included in the collection, provided that you follow the rules of this
-    License for verbatim copying of each of the documents in all other
-    respects.</para>
-
-    <para>You may extract a single document from such a collection, and
-    distribute it individually under this License, provided you insert a copy
-    of this License into the extracted document, and follow this License in
-    all other respects regarding verbatim copying of that document.</para>
-  </section>
-
-  <section label="7" id="gfdl-7">
-    <title>Aggregation with Independent Works</title>
-
-    <para>A compilation of the Document or its derivatives with other
-    separate and independent documents or works, in or on a volume of a
-    storage or distribution medium, does not as a whole count as a Modified
-    Version of the Document, provided no compilation copyright is claimed for
-    the compilation. Such a compilation is called an "aggregate", and this
-    License does not apply to the other self-contained works thus compiled
-    with the Document, on account of their being thus compiled, if they are
-    not themselves derivative works of the Document.</para>
-
-    <para>If the Cover Text requirement of section 3 is applicable to these
-    copies of the Document, then if the Document is less than one quarter of
-    the entire aggregate, the Document's Cover Texts may be placed on covers
-    that surround only the Document within the aggregate. Otherwise they must
-    appear on covers around the whole aggregate.</para>
-  </section>
-
-  <section label="8" id="gfdl-8">
-    <title>Translation</title>
-
-    <para>Translation is considered a kind of modification, so you may
-    distribute translations of the Document under the terms of section 4.
-    Replacing Invariant Sections with translations requires special
-    permission from their copyright holders, but you may include translations
-    of some or all Invariant Sections in addition to the original versions of
-    these Invariant Sections. You may include a translation of this License
-    provided that you also include the original English version of this
-    License. In case of a disagreement between the translation and the
-    original English version of this License, the original English version
-    will prevail.</para>
-  </section>
-
-  <section label="9" id="gfdl-9">
-    <title>Termination</title>
-
-    <para>You may not copy, modify, sublicense, or distribute the Document
-    except as expressly provided for under this License. Any other attempt to
-    copy, modify, sublicense or distribute the Document is void, and will
-    automatically terminate your rights under this License. However, parties
-    who have received copies, or rights, from you under this License will not
-    have their licenses terminated so long as such parties remain in full
-    compliance.</para>
-  </section>
-
-  <section label="10" id="gfdl-10">
-    <title>Future Revisions of this License</title>
-
-    <para>The Free Software Foundation may publish new, revised versions of
-    the GNU Free Documentation License from time to time. Such new versions
-    will be similar in spirit to the present version, but may differ in
-    detail to address new problems or concerns. See 
-    <ulink url="http://www.gnu.org/copyleft/"/>.</para>
-
-    <para>Each version of the License is given a distinguishing version
-    number. If the Document specifies that a particular numbered version of
-    this License "or any later version" applies to it, you have the option of
-    following the terms and conditions either of that specified version or of
-    any later version that has been published (not as a draft) by the Free
-    Software Foundation. If the Document does not specify a version number of
-    this License, you may choose any version ever published (not as a draft)
-    by the Free Software Foundation.</para>
-  </section>
-
-  <section label="" id="gfdl-howto">
-    <title>How to use this License for your documents</title>
-
-    <para>To use this License in a document you have written, include a copy
-    of the License in the document and put the following copyright and
-    license notices just after the title page:</para>
-
-    <blockquote>
-      <para>Copyright (c) YEAR YOUR NAME. Permission is granted to copy,
-      distribute and/or modify this document under the terms of the GNU Free
-      Documentation License, Version 1.1 or any later version published by
-      the Free Software Foundation; with the Invariant Sections being LIST
-      THEIR TITLES, with the Front-Cover Texts being LIST, and with the
-      Back-Cover Texts being LIST. A copy of the license is included in the
-      section entitled "GNU Free Documentation License".</para>
-    </blockquote>
-
-    <para>If you have no Invariant Sections, write "with no Invariant
-    Sections" instead of saying which ones are invariant. If you have no
-    Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover
-    Texts being LIST"; likewise for Back-Cover Texts.</para>
-
-    <para>If your document contains nontrivial examples of program code, we
-    recommend releasing these examples in parallel under your choice of free
-    software license, such as the GNU General Public License, to permit their
-    use in free software.</para>
-  </section>
-</appendix>
-
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-always-quote-attributes:t
-sgml-auto-insert-required-elements:t
-sgml-balanced-tag-edit:t
-sgml-exposed-tags:nil
-sgml-general-insert-case:lower
-sgml-indent-data:t
-sgml-indent-step:2
-sgml-local-catalogs:nil
-sgml-local-ecat-files:nil
-sgml-minimize-attributes:nil
-sgml-namecase-general:t
-sgml-omittag:t
-sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
-sgml-shorttag:t
-sgml-tag-region-if-active:t
-End:
--->
-

mozilla/webtools/bugzilla/docs/en/xml/glossary.xml

@@ -1,555 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
-                      "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
-    <!ENTITY % myents SYSTEM "bugzilla.ent">
-    %myents;
-]>
-<glossary id="glossary">
-  <glossdiv>
-    <title>0-9, high ascii</title>
-
-    <glossentry id="gloss-htaccess">
-      <glossterm>.htaccess</glossterm>
-
-      <glossdef>
-        <para>Apache web server, and other NCSA-compliant web servers,
-        observe the convention of using files in directories called 
-        <filename>.htaccess</filename>
-
-        to restrict access to certain files. In Bugzilla, they are used
-        to keep secret files which would otherwise
-        compromise your installation - e.g. the 
-        <filename>localconfig</filename>
-        file contains the password to your database.
-        curious.</para>
-      </glossdef>
-    </glossentry>
-  </glossdiv>
-
-  <glossdiv id="gloss-a">
-    <title>A</title>
-
-    <glossentry id="gloss-apache">
-      <glossterm>Apache</glossterm>
-
-      <glossdef>
-        <para>In this context, Apache is the web server most commonly used
-        for serving up Bugzilla 
-        pages. Contrary to popular belief, the apache web server has nothing
-        to do with the ancient and noble Native American tribe, but instead
-        derived its name from the fact that it was 
-        <quote>a patchy</quote>
-        version of the original 
-        <acronym>NCSA</acronym>
-        world-wide-web server.</para>
-
-        <variablelist>
-          <title>Useful Directives when configuring Bugzilla</title>
-
-          <varlistentry>
-            <term><computeroutput><ulink url="http://httpd.apache.org/docs-2.0/mod/core.html#addhandler">AddHandler</ulink></computeroutput></term>
-            <listitem>
-              <para>Tell Apache that it's OK to run CGI scripts.</para>
-            </listitem>
-          </varlistentry>
-          <varlistentry>
-            <term><computeroutput><ulink url="http://httpd.apache.org/docs-2.0/mod/core.html#allowoverride">AllowOverride</ulink></computeroutput></term>
-            <term><computeroutput><ulink url="http://httpd.apache.org/docs-2.0/mod/core.html#options">Options</ulink></computeroutput></term>
-            <listitem>
-              <para>These directives are used to tell Apache many things about
-              the directory they apply to. For Bugzilla's purposes, we need
-              them to allow script execution and <filename>.htaccess</filename>
-              overrides.
-              </para>
-            </listitem>
-          </varlistentry>
-          <varlistentry>
-            <term><computeroutput><ulink url="http://httpd.apache.org/docs-2.0/mod/mod_dir.html#directoryindex">DirectoryIndex</ulink></computeroutput></term>
-            <listitem>
-              <para>Used to tell Apache what files are indexes. If you can
-              not add <filename>index.cgi</filename> to the list of valid files,
-              you'll need to set <computeroutput>$index_html</computeroutput> to
-              1 in <filename>localconfig</filename> so
-              <command>./checksetup.pl</command> will create an
-              <filename>index.html</filename> that redirects to
-              <filename>index.cgi</filename>.
-              </para>
-            </listitem>
-          </varlistentry>
-          <varlistentry>
-            <term><computeroutput><ulink url="http://httpd.apache.org/docs-2.0/mod/core.html#scriptinterpretersource">ScriptInterpreterSource</ulink></computeroutput></term>
-            <listitem>
-              <para>Used when running Apache on windows so the shebang line
-              doesn't have to be changed in every Bugzilla script.
-              </para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
-
-        <para>For more information about how to configure Apache for Bugzilla,
-        see <xref linkend="http-apache"/>.
-        </para>
-      </glossdef>
-    </glossentry>
-  </glossdiv>
-
-  <glossdiv id="gloss-b">
-    <title>B</title>
-
-    <glossentry>
-      <glossterm>Bug</glossterm>
-
-      <glossdef>
-        <para>A 
-        <quote>bug</quote>
-
-        in Bugzilla refers to an issue entered into the database which has an
-        associated number, assignments, comments, etc. Some also refer to a 
-        <quote>tickets</quote>
-        or 
-        <quote>issues</quote>; 
-        in the context of Bugzilla, they are synonymous.</para>
-      </glossdef>
-    </glossentry>
-
-    <glossentry>
-      <glossterm>Bug Number</glossterm>
-
-      <glossdef>
-        <para>Each Bugzilla bug is assigned a number that uniquely identifies
-        that bug. The bug associated with a bug number can be pulled up via a
-        query, or easily from the very front page by typing the number in the
-        "Find" box.</para>
-      </glossdef>
-    </glossentry>
-
-    <glossentry id="gloss-bugzilla">
-      <glossterm>Bugzilla</glossterm>
-
-      <glossdef>
-        <para>Bugzilla is the world-leading free software bug tracking system.
-        </para>
-      </glossdef>
-    </glossentry>
-  </glossdiv>
-
-  <glossdiv id="gloss-c">
-    <title>C</title>
-
-    <glossentry id="gloss-cgi">
-      <glossterm>Common Gateway Interface</glossterm>
-      <acronym>CGI</acronym>
-      <glossdef>
-        <para><acronym>CGI</acronym> is an acronym for Common Gateway Interface. This is
-        a standard for interfacing an external application with a web server. Bugzilla
-        is an example of a <acronym>CGI</acronym> application.
-        </para>
-      </glossdef>
-    </glossentry>
-
-    <glossentry id="gloss-component">
-      <glossterm>Component</glossterm>
-
-      <glossdef>
-        <para>A Component is a subsection of a Product. It should be a narrow
-        category, tailored to your organization. All Products must contain at
-        least one Component (and, as a matter of fact, creating a Product
-        with no Components will create an error in Bugzilla).</para>
-      </glossdef>
-    </glossentry>
-
-    <glossentry id="gloss-cpan">
-      <glossterm>Comprehensive Perl Archive Network</glossterm>
-      <acronym>CPAN</acronym>
-
-      <!-- TODO: Rewrite def for CPAN -->
-      <glossdef>
-        <para>
-        <acronym>CPAN</acronym>
-
-        stands for the 
-        <quote>Comprehensive Perl Archive Network</quote>. 
-        CPAN maintains a large number of extremely useful 
-        <glossterm>Perl</glossterm>
-        modules - encapsulated chunks of code for performing a
-        particular task.</para>
-      </glossdef>
-    </glossentry>
-
-    <glossentry id="gloss-contrib">
-      <glossterm><filename class="directory">contrib</filename></glossterm>
-
-      <glossdef>
-        <para>The <filename class="directory">contrib</filename> directory is
-        a location to put scripts that have been contributed to Bugzilla but
-        are not a part of the official distribution. These scripts are written
-        by third parties and may be in languages other than perl. For those
-        that are in perl, there may be additional modules or other requirements
-        than those of the official distribution.
-        <note>
-          <para>Scripts in the <filename class="directory">contrib</filename>
-          directory are not officially supported by the Bugzilla team and may
-          break in between versions.
-          </para>
-        </note>
-        </para>
-      </glossdef>
-    </glossentry>
-  </glossdiv>
-
-  <glossdiv id="gloss-d">
-    <title>D</title>
-
-    <glossentry id="gloss-daemon">
-      <glossterm>daemon</glossterm>
-
-      <glossdef>
-        <para>A daemon is a computer program which runs in the background. In
-        general, most daemons are started at boot time via System V init
-        scripts, or through RC scripts on BSD-based systems. 
-        <glossterm>mysqld</glossterm>, 
-        the MySQL server, and 
-        <glossterm>apache</glossterm>, 
-        a web server, are generally run as daemons.</para>
-      </glossdef>
-    </glossentry>
-    
-    <glossentry id="gloss-dos">
-      <glossterm>DOS Attack</glossterm>
-      
-      <glossdef>
-        <para>A DOS, or Denial of Service attack, is when a user attempts to
-        deny access to a web server by repeatedly accessing a page or sending
-        malformed requests to a webserver. A D-DOS, or
-        Distributed Denial of Service attack, is when these requests come
-        from multiple sources at the same time. Unfortunately, these are much
-        more difficult to defend against.
-        </para>
-      </glossdef>
-    </glossentry>
-    
-  </glossdiv>
-
-  <glossdiv id="gloss-g">
-    <title>G</title>
-
-    <glossentry id="gloss-groups">
-      <glossterm>Groups</glossterm>
-
-      <glossdef>
-        <para>The word 
-        <quote>Groups</quote>
-
-        has a very special meaning to Bugzilla. Bugzilla's main security
-        mechanism comes by placing users in groups, and assigning those
-        groups certain privileges to view bugs in particular
-        <glossterm>Products</glossterm>
-        in the 
-        <glossterm>Bugzilla</glossterm>
-        database.</para>
-      </glossdef>
-    </glossentry>
-  </glossdiv>
-
-  <glossdiv id="gloss-j">
-    <title>J</title>
-
-    <glossentry id="gloss-javascript">
-      <glossterm>JavaScript</glossterm>
-      <glossdef>
-        <para>JavaScript is cool, we should talk about it.
-        </para>
-      </glossdef>
-    </glossentry>
-  </glossdiv>
-
-  <glossdiv id="gloss-m">
-    <title>M</title>
-
-    <glossentry id="gloss-mta">
-      <glossterm>Message Transport Agent</glossterm>
-      <acronym>MTA</acronym>
-
-      <glossdef>
-        <para>A Message Transport Agent is used to control the flow of email on a system.
-        The <ulink url="http://search.cpan.org/dist/Email-Send/lib/Email/Send.pm">Email::Send</ulink>
-        Perl module, which Bugzilla uses to send email, can be configured to
-        use many different underlying implementations for actually sending the
-        mail using the <option>mail_delivery_method</option> parameter.
-        Implementations other than <literal>sendmail</literal> require that the
-        <option>sendmailnow</option> param be set to <literal>on</literal>.
-        </para>
-      </glossdef>
-    </glossentry>
-
-    <glossentry id="gloss-mysql">
-      <glossterm>MySQL</glossterm>
-
-      <glossdef>
-        <para>MySQL is currently the required
-        <glossterm linkend="gloss-rdbms">RDBMS</glossterm> for Bugzilla. MySQL
-        can be downloaded from <ulink url="http://www.mysql.com"/>. While you
-        should familiarize yourself with all of the documentation, some high
-        points are:
-        </para>
-        <variablelist>
-          <varlistentry>
-            <term><ulink url="http://www.mysql.com/doc/en/Backup.html">Backup</ulink></term>
-            <listitem>
-              <para>Methods for backing up your Bugzilla database.
-              </para>
-            </listitem>
-          </varlistentry>
-          <varlistentry>
-            <term><ulink url="http://www.mysql.com/doc/en/Option_files.html">Option Files</ulink></term>
-            <listitem>
-              <para>Information about how to configure MySQL using
-              <filename>my.cnf</filename>.
-              </para>
-            </listitem>
-          </varlistentry>
-          <varlistentry>
-            <term><ulink url="http://www.mysql.com/doc/en/Privilege_system.html">Privilege System</ulink></term>
-            <listitem>
-              <para>Much more detailed information about the suggestions in
-              <xref linkend="security-mysql"/>.
-              </para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
-      </glossdef>
-    </glossentry>
-  </glossdiv>
-
-  <glossdiv id="gloss-p">
-    <title>P</title>
-
-    <glossentry id="gloss-ppm">
-      <glossterm>Perl Package Manager</glossterm>
-      <acronym>PPM</acronym>
-
-      <glossdef>
-        <para><ulink url="http://aspn.activestate.com/ASPN/Downloads/ActivePerl/PPM/"/>
-        </para>
-      </glossdef>
-    </glossentry>
-
-    <glossentry>
-      <glossterm id="gloss-product">Product</glossterm>
-
-      <glossdef>
-        <para>A Product is a broad category of types of bugs, normally
-        representing a single piece of software or entity. In general,
-        there are several Components to a Product. A Product may define a
-        group (used for security) for all bugs entered into
-        its Components.</para>
-      </glossdef>
-    </glossentry>
-
-    <glossentry>
-      <glossterm>Perl</glossterm>
-
-      <glossdef>
-        <para>First written by Larry Wall, Perl is a remarkable program
-        language. It has the benefits of the flexibility of an interpreted
-        scripting language (such as shell script), combined with the speed
-        and power of a compiled language, such as C. 
-        <glossterm>Bugzilla</glossterm>
-
-        is maintained in Perl.</para>
-      </glossdef>
-    </glossentry>
-  </glossdiv>
-
-  <glossdiv id="gloss-q">
-    <title>Q</title>
-
-    <glossentry>
-      <glossterm>QA</glossterm>
-
-      <glossdef>
-        <para>
-        <quote>QA</quote>, 
-        <quote>Q/A</quote>, and 
-        <quote>Q.A.</quote>
-        are short for 
-        <quote>Quality Assurance</quote>. 
-        In most large software development organizations, there is a team
-        devoted to ensuring the product meets minimum standards before
-        shipping. This team will also generally want to track the progress of
-        bugs over their life cycle, thus the need for the 
-        <quote>QA Contact</quote>
-
-        field in a bug.</para>
-      </glossdef>
-    </glossentry>
-  </glossdiv>
-
-  <glossdiv id="gloss-r">
-    <title>R</title>
-
-    <glossentry id="gloss-rdbms">
-      <glossterm>Relational DataBase Management System</glossterm>
-      <acronym>RDBMS</acronym>
-
-      <glossdef>
-        <para>A relational database management system is a database system
-        that stores information in tables that are related to each other.
-        </para>
-      </glossdef>
-    </glossentry>
-
-    <glossentry id="gloss-regexp">
-      <glossterm>Regular Expression</glossterm>
-      <acronym>regexp</acronym>
-
-      <glossdef>
-          <para>A regular expression is an expression used for pattern matching.
-              <ulink url="http://perldoc.com/perl5.6/pod/perlre.html#Regular-Expressions">Documentation</ulink>
-        </para>
-      </glossdef>
-    </glossentry>
-  </glossdiv>
-
-  <glossdiv id="gloss-s">
-    <title>S</title>
-
-    <glossentry id="gloss-service">
-      <glossterm>Service</glossterm>
-      
-      <glossdef>
-        <para>In Windows NT environment, a boot-time background application
-        is referred to as a service. These are generally managed through the
-        control panel while logged in as an account with
-        <quote>Administrator</quote> level capabilities. For more
-        information, consult your Windows manual or the MSKB.
-        </para>
-      </glossdef>
-    </glossentry>
-
-    <glossentry>
-      <glossterm>
-        <acronym>SGML</acronym>
-      </glossterm>
-
-      <glossdef>
-        <para>
-        <acronym>SGML</acronym>
-
-        stands for 
-        <quote>Standard Generalized Markup Language</quote>. 
-        Created in the 1980's to provide an extensible means to maintain
-        documentation based upon content instead of presentation, 
-        <acronym>SGML</acronym>
-
-        has withstood the test of time as a robust, powerful language. 
-        <glossterm>
-          <acronym>XML</acronym>
-        </glossterm>
-
-        is the 
-        <quote>baby brother</quote>
-
-        of SGML; any valid 
-        <acronym>XML</acronym>
-
-        document it, by definition, a valid 
-        <acronym>SGML</acronym>
-
-        document. The document you are reading is written and maintained in 
-        <acronym>SGML</acronym>, 
-        and is also valid 
-        <acronym>XML</acronym>
-
-        if you modify the Document Type Definition.</para>
-      </glossdef>
-    </glossentry>
-  </glossdiv>
-
-  <glossdiv id="gloss-t">
-    <title>T</title>
-
-    <glossentry id="gloss-target-milestone" xreflabel="Target Milestone">
-      <glossterm>Target Milestone</glossterm>
-
-      <glossdef>
-        <para>Target Milestones are Product goals. They are configurable on a
-        per-Product basis. Most software development houses have a concept of
-        
-        <quote>milestones</quote>
-
-        where the people funding a project expect certain functionality on
-        certain dates. Bugzilla facilitates meeting these milestones by
-        giving you the ability to declare by which milestone a bug will be
-        fixed, or an enhancement will be implemented.</para>
-      </glossdef>
-    </glossentry>
-
-    <glossentry id="gloss-tcl">
-      <glossterm>Tool Command Language</glossterm>
-      <acronym>TCL</acronym>
-      <glossdef>
-        <para>TCL is an open source scripting language available for Windows,
-        Macintosh, and Unix based systems. Bugzilla 1.0 was written in TCL but
-        never released. The first release of Bugzilla was 2.0, which was when
-        it was ported to perl.
-        </para>
-      </glossdef>
-    </glossentry>
-  </glossdiv>
-
-  <glossdiv id="gloss-z">
-    <title>Z</title>
-
-    <glossentry id="gloss-zarro">
-      <glossterm>Zarro Boogs Found</glossterm>
-
-      <glossdef>
-        <para>This is just a goofy way of saying that there were no bugs
-        found matching your query. When asked to explain this message,
-        Terry had the following to say:
-        </para>
-
-        <blockquote>
-          <attribution>Terry Weissman</attribution>
-          <para>I've been asked to explain this ... way back when, when
-          Netscape released version 4.0 of its browser, we had a release
-          party.  Naturally, there had been a big push to try and fix every
-          known bug before the release. Naturally, that hadn't actually
-          happened.  (This is not unique to Netscape or to 4.0; the same thing
-          has happened with every software project I've ever seen.)  Anyway,
-          at the release party, T-shirts were handed out that said something
-          like "Netscape 4.0: Zarro Boogs". Just like the software, the
-          T-shirt had no known bugs.  Uh-huh.
-          </para>
-
-          <para>So, when you query for a list of bugs, and it gets no results,
-          you can think of this as a friendly reminder.  Of *course* there are
-          bugs matching your query, they just aren't in the bugsystem yet...
-          </para>
-        </blockquote>
-
-      </glossdef>
-    </glossentry>
-  </glossdiv>
-</glossary>
-
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-always-quote-attributes:t
-sgml-auto-insert-required-elements:t
-sgml-balanced-tag-edit:t
-sgml-exposed-tags:nil
-sgml-general-insert-case:lower
-sgml-indent-data:t
-sgml-indent-step:2
-sgml-local-catalogs:nil
-sgml-local-ecat-files:nil
-sgml-minimize-attributes:nil
-sgml-namecase-general:t
-sgml-omittag:t
-sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
-sgml-shorttag:t
-sgml-tag-region-if-active:t
-End:
--->

mozilla/webtools/bugzilla/docs/en/xml/index.xml

@@ -1,21 +0,0 @@
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-always-quote-attributes:t
-sgml-auto-insert-required-elements:t
-sgml-balanced-tag-edit:t
-sgml-exposed-tags:nil
-sgml-general-insert-case:lower
-sgml-indent-data:t
-sgml-indent-step:2
-sgml-local-catalogs:nil
-sgml-local-ecat-files:nil
-sgml-minimize-attributes:nil
-sgml-namecase-general:t
-sgml-omittag:t
-sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
-sgml-shorttag:t
-sgml-tag-region-if-active:t
-End:
--->
-

mozilla/webtools/bugzilla/docs/en/xml/integration.xml

@@ -1,124 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
-                      "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
-    <!ENTITY % myents SYSTEM "bugzilla.ent">
-    %myents;
-]>
-<!-- Keep these tools listings in alphabetical order please. -MPB -->
-<section id="integration">
-  <title>Integrating Bugzilla with Third-Party Tools</title>
-
-  <section id="bonsai"
-  xreflabel="Bonsai, the Mozilla automated CVS management system">
-    <title>Bonsai</title>
-
-    <para>Bonsai is a web-based tool for managing 
-    <xref linkend="cvs" />
-
-    . Using Bonsai, administrators can control open/closed status of trees,
-    query a fast relational database back-end for change, branch, and comment
-    information, and view changes made since the last time the tree was
-    closed. Bonsai
-    also integrates with  
-    <xref linkend="tinderbox" />.
-    </para>
-  </section>
-
-  <section id="cvs" xreflabel="CVS, the Concurrent Versioning System">
-    <title>CVS</title>
-
-    <para>CVS integration is best accomplished, at this point, using the
-    Bugzilla Email Gateway.</para>
-
-    <para>Follow the instructions in this Guide for enabling Bugzilla e-mail
-    integration. Ensure that your check-in script sends an email to your
-    Bugzilla e-mail gateway with the subject of 
-    <quote>[Bug XXXX]</quote>, 
-    and you can have CVS check-in comments append to your Bugzilla bug. If
-    you  want to have the bug be closed automatically, you'll have to modify
-    the <filename>contrib/bugzilla_email_append.pl</filename> script.
-    </para>
-
-    <para>There is also a CVSZilla project, based upon somewhat dated 
-    Bugzilla code, to integrate CVS and Bugzilla through CVS' ability to 
-    email. Check it out at: <ulink url="http://www.cvszilla.org/"/>.
-    </para>
-
-    <para>Another system capable of CVS integration with Bugzilla is
-    Scmbug. This system provides generic integration of Source code
-    Configuration Management with Bugtracking. Check it out at: <ulink
-    url="http://freshmeat.net/projects/scmbug/"/>.
-    </para>
-
-  </section>
-
-  <section id="scm"
-  xreflabel="Perforce SCM (Fast Software Configuration Management System, a powerful commercial alternative to CVS">
-
-    <title>Perforce SCM</title>
-
-    <para>You can find the project page for Bugzilla and Teamtrack Perforce
-    integration (p4dti) at: 
-    <ulink url="http://www.ravenbrook.com/project/p4dti/"/>
-
-    . 
-    <quote>p4dti</quote>
-
-    is now an officially supported product from Perforce, and you can find
-    the "Perforce Public Depot" p4dti page at 
-    <ulink url="http://public.perforce.com/public/perforce/p4dti/index.html"/>
-
-    .</para>
-
-    <para>Integration of Perforce with Bugzilla, once patches are applied, is
-    seamless. Perforce replication information will appear below the comments
-    of each bug. Be certain you have a matching set of patches for the
-    Bugzilla version you are installing. p4dti is designed to support
-    multiple defect trackers, and maintains its own documentation for it.
-    Please consult the pages linked above for further information.</para>
-  </section>
-
-  <section id="svn"
-  xreflabel="Subversion, a compelling replacement for CVS">
-     <title>Subversion</title>
-     <para>Subversion is a free/open-source version control system,
-     designed to overcome various limitations of CVS. Integration of
-     Subversion with Bugzilla is possible using Scmbug, a system
-     providing generic integration of Source Code Configuration
-     Management with Bugtracking. Scmbug is available at <ulink
-     url="http://freshmeat.net/projects/scmbug/"/>.</para>
-  </section>
-
-  <section id="tinderbox"
-  xreflabel="Tinderbox, the Mozilla automated build management system">
-    <title>Tinderbox/Tinderbox2</title>
-
-    <para>Tinderbox is a continuous-build system which can integrate with
-    Bugzilla - see
-    <ulink url="http://www.mozilla.org/projects/tinderbox"/> for details
-    of Tinderbox, and 
-    <ulink url="http://tinderbox.mozilla.org/showbuilds.cgi"/> to see it
-    in action.</para>
-  </section>
-</section>
-
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-always-quote-attributes:t
-sgml-auto-insert-required-elements:t
-sgml-balanced-tag-edit:t
-sgml-exposed-tags:nil
-sgml-general-insert-case:lower
-sgml-indent-data:t
-sgml-indent-step:2
-sgml-local-catalogs:nil
-sgml-local-ecat-files:nil
-sgml-minimize-attributes:nil
-sgml-namecase-general:t
-sgml-omittag:t
-sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
-sgml-shorttag:t
-sgml-tag-region-if-active:t
-End:
--->
-

mozilla/webtools/bugzilla/docs/en/xml/introduction.xml

@@ -1,121 +0,0 @@
-<chapter id="introduction">
-  <title>Introduction</title>
-
-  <section id="what-is-bugzilla">
-    <title>What is Bugzilla?</title>
-
-    <para>
-    Bugzilla is a bug- or issue-tracking system. Bug-tracking
-    systems allow individual or groups of developers effectively to keep track
-    of outstanding problems with their products. 
-    </para>
-    
-    <para><emphasis>Do we need more here?</emphasis></para>
-    
-  </section>
-
-  <section id="why-tracking">
-    <title>Why use a bug-tracking system?</title>
-    
-    <para>Those who do not use a bug-tracking system tend to rely on
-    shared lists, email, spreadsheets and/or Post-It notes to monitor the 
-    status of defects. This procedure
-    is usually error-prone and tends to cause those bugs judged least 
-    significant by developers to be dropped or ignored.</para>
-
-    <para>Integrated defect-tracking systems make sure that nothing gets
-    swept under the carpet; they provide a method of creating, storing,
-    arranging and processing defect reports and enhancement requests.</para>
-    
-  </section>
-    
-  <section id="why-bugzilla">
-    <title>Why use Bugzilla?</title>
-
-    <para>Bugzilla is the leading open-source/free software bug tracking 
-    system. It boasts many advanced features, including: 
-    <itemizedlist>
-      <listitem>
-        <para>Powerful searching</para>
-      </listitem>
-
-      <listitem>
-        <para>User-configurable email notifications of bug changes</para>
-      </listitem>
-
-      <listitem>
-        <para>Full change history</para>
-      </listitem>
-
-      <listitem>
-        <para>Inter-bug dependency tracking and graphing</para>
-      </listitem>
-
-      <listitem>
-        <para>Excellent attachment management</para>
-      </listitem>
-
-      <listitem>
-        <para>Integrated, product-based, granular security schema</para>
-      </listitem>
-
-      <listitem>
-        <para>Fully security-audited, and runs under Perl's taint mode</para>
-      </listitem>
-
-      <listitem>
-        <para>A robust, stable RDBMS back-end</para>
-      </listitem>
-
-      <listitem>
-        <para>Completely customizable and/or localizable web user
-        interface</para>
-      </listitem>
-
-      <listitem>
-        <para>Additional XML, email and console interfaces</para>
-      </listitem>
-
-      <listitem>
-        <para>Extensive configurability</para>
-      </listitem>
-
-      <listitem>
-        <para>Smooth upgrade pathway between versions</para>
-      </listitem>
-    </itemizedlist>
-    </para>
-    
-    <para>Bugzilla is very adaptable to various situations. Known uses
-    currently include IT support queues, Systems Administration deployment
-    management, chip design and development problem tracking (both
-    pre-and-post fabrication), and software and hardware bug tracking for
-    luminaries such as Redhat, NASA, Linux-Mandrake, and VA Systems.
-    Combined with systems such as 
-    <ulink url="http://www.cvshome.org">CVS</ulink>, 
-    <ulink url="http://www.mozilla.org/bonsai.html">Bonsai</ulink>, or 
-    <ulink url="http://www.perforce.com">Perforce SCM</ulink>, Bugzilla
-    provides a powerful, easy-to-use configuration management solution.</para>
-  </section>
-</chapter>
-
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-always-quote-attributes:t
-sgml-auto-insert-required-elements:t
-sgml-balanced-tag-edit:t
-sgml-exposed-tags:nil
-sgml-general-insert-case:lower
-sgml-indent-data:t
-sgml-indent-step:2
-sgml-local-catalogs:nil
-sgml-local-ecat-files:nil
-sgml-minimize-attributes:nil
-sgml-namecase-general:t
-sgml-omittag:t
-sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
-sgml-shorttag:t
-sgml-tag-region-if-active:t
-End:
--->

mozilla/webtools/bugzilla/docs/en/xml/modules.xml

@@ -1,197 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
-                      "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
-    <!ENTITY % myents SYSTEM "bugzilla.ent">
-    %myents;
-]>
-<appendix id="install-perlmodules-manual">
-  <title>Manual Installation of Perl Modules</title>
-  
-  <section id="modules-manual-instructions">
-    <title>Instructions</title>
-    <para>
-      If you need to install Perl modules manually, here's how it's done.
-      Download the module using the link given in the next section, and then
-      apply this magic incantation, as root:
-    </para>
-
-    <para>  
-      <screen><prompt>bash#</prompt> tar -xzvf &lt;module&gt;.tar.gz
-<prompt>bash#</prompt> cd &lt;module&gt;
-<prompt>bash#</prompt> perl Makefile.PL
-<prompt>bash#</prompt> make
-<prompt>bash#</prompt> make test
-<prompt>bash#</prompt> make install</screen>
-    </para>
-    <note>
-      <para>
-        In order to compile source code under Windows you will need to obtain
-        a 'make' utility.  The <command>nmake</command> utility provided with
-        Microsoft Visual C++ may be used.  As an alternative, there is a
-        utility called <command>dmake</command> available from CPAN which is
-        written entirely in Perl.
-      </para>
-      <para>
-        As described in <xref linkend="modules-manual-download" />, however, most
-        packages already exist and are available from ActiveState or theory58S.
-        We highly recommend that you install them using the ppm GUI available with
-        ActiveState and to add the theory58S repository to your list of repositories.
-      </para>
-    </note>
-  </section>
-    
-  <section id="modules-manual-download">
-    <title>Download Locations</title>
-    
-    <note>
-      <para>
-        Running Bugzilla on Windows requires the use of ActiveState
-        Perl 5.8.1 or higher. Many modules already exist in the core
-        distribution of ActiveState Perl. Additional modules can be downloaded
-        from <ulink url="http://theoryx5.uwinnipeg.ca/ppms/" /> if you use
-        Perl 5.8.x or from <ulink url="http://cpan.uwinnipeg.ca/PPMPackages/10xx/" />
-        if you use Perl 5.10.x.
-      </para>
-    </note>
-
-    <para>
-      CGI:
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/CGI.pm/"/>
-        Documentation: <ulink url="http://perldoc.perl.org/CGI.html"/>
-      </literallayout>
-    </para>
-
-    <para>
-      Data-Dumper:
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/Data-Dumper/"/>
-        Documentation: <ulink url="http://search.cpan.org/dist/Data-Dumper/Dumper.pm"/>
-      </literallayout>
-    </para>
-    
-    <para>
-      Date::Format (part of TimeDate):
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/TimeDate/"/>
-        Documentation: <ulink url="http://search.cpan.org/dist/TimeDate/lib/Date/Format.pm"/>
-      </literallayout>
-    </para>
-
-    <para>
-      DBI:
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/DBI/"/>
-        Documentation: <ulink url="http://dbi.perl.org/docs/"/>
-      </literallayout>
-    </para>
-
-    <para>
-      DBD::mysql:
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/DBD-mysql/"/>
-        Documentation: <ulink url="http://search.cpan.org/dist/DBD-mysql/lib/DBD/mysql.pm"/>
-      </literallayout>
-    </para>
-
-    <para>
-      DBD::Pg:
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/DBD-Pg/"/>
-        Documentation: <ulink url="http://search.cpan.org/dist/DBD-Pg/Pg.pm"/>
-      </literallayout>
-    </para>
-
-    <para>
-      File::Spec:
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/File-Spec/"/>
-        Documentation: <ulink url="http://perldoc.perl.org/File/Spec.html"/>
-      </literallayout>
-    </para>
-
-    <para>
-      Template-Toolkit:
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/Template-Toolkit/"/>
-        Documentation: <ulink url="http://www.template-toolkit.org/docs.html"/>
-      </literallayout>
-    </para>
-
-    <para>
-      GD:
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/GD/"/>
-        Documentation: <ulink url="http://search.cpan.org/dist/GD/GD.pm"/>
-      </literallayout>
-    </para>
-
-    <para>
-      Template::Plugin::GD:
-      <literallayout>
-       CPAN Download Page: <ulink url="http://search.cpan.org/dist/Template-GD/" />
-       Documentation: <ulink url="http://www.template-toolkit.org/docs/aqua/Modules/index.html" />
-      </literallayout>
-    </para>
-
-    <para>
-      MIME::Parser (part of MIME-tools):
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/MIME-tools/"/>
-        Documentation: <ulink url="http://search.cpan.org/dist/MIME-tools/lib/MIME/Parser.pm"/>
-      </literallayout>
-    </para>
-
-  </section>
-
-  <section id="modules-manual-optional">
-    <title>Optional Modules</title>
-
-    <para>
-      Chart::Base:
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/Chart/"/>
-        Documentation: <ulink url="http://search.cpan.org/dist/Chart/Chart.pod"/>
-      </literallayout>
-    </para>
-
-     <para>
-      GD::Graph:
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/GDGraph/"/>
-        Documentation: <ulink url="http://search.cpan.org/dist/GDGraph/Graph.pm"/>
-      </literallayout>
-    </para>
-
-    <para>
-      GD::Text::Align (part of GD::Text::Util):
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/GDTextUtil/"/>
-        Documentation: <ulink url="http://search.cpan.org/dist/GDTextUtil/Text/Align.pm"/>
-      </literallayout>
-    </para>
-
-   <para>
-      XML::Twig:
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/XML-Twig/"/>
-        Documentation: <ulink url="http://standards.ieee.org/resources/spasystem/twig/twig_stable.html"/>
-      </literallayout>
-    </para>
-
-    <para>
-      PatchReader:
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/author/JKEISER/PatchReader/"/>
-        Documentation: <ulink url="http://www.johnkeiser.com/mozilla/Patch_Viewer.html"/>
-      </literallayout>
-    </para>
-
-   <para>
-      Image::Magick:
-      <literallayout>
-        CPAN Download Page: <ulink url="http://search.cpan.org/dist/PerlMagick/"/>
-        Documentation: <ulink url="http://www.imagemagick.org/script/resources.php"/>
-      </literallayout>
-    </para>
-   </section>
-</appendix>

mozilla/webtools/bugzilla/docs/en/xml/patches.xml

@@ -1,135 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
-                      "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
-    <!ENTITY % myents SYSTEM "bugzilla.ent">
-    %myents;
-]>
-<appendix id="patches" xreflabel="Useful Patches and Utilities for Bugzilla">
-  <title>Contrib</title>
-
-  <para>
-    There are a number of unofficial Bugzilla add-ons in the 
-    <filename class="directory">$BUGZILLA_ROOT/contrib/</filename>
-    directory. This section documents them.
-  </para>
-
-  <section id="cmdline">
-    <title>Command-line Search Interface</title>
-
-    <para>
-      There are a suite of Unix utilities for searching Bugzilla from the 
-      command line. They live in the 
-      <filename class="directory">contrib/cmdline</filename> directory.
-      There are three files - <filename>query.conf</filename>,
-      <filename>buglist</filename> and <filename>bugs</filename>.
-    </para>
-
-    <warning>
-      <para>
-        These files pre-date the templatization work done as part of the
-        2.16 release, and have not been updated.
-      </para>
-    </warning>
-    
-    <para>
-      <filename>query.conf</filename> contains the mapping from
-      options to field names and comparison types. Quoted option names
-      are <quote>grepped</quote> for, so it should be easy to edit this
-      file. Comments (#) have no effect; you must make sure these lines
-      do not contain any quoted <quote>option</quote>.
-    </para>
-
-    <para>
-      <filename>buglist</filename> is a shell script that submits a
-      Bugzilla query and writes the resulting HTML page to stdout.
-      It supports both short options, (such as <quote>-Afoo</quote>
-      or <quote>-Rbar</quote>) and long options (such
-      as <quote>--assignedto=foo</quote> or <quote>--reporter=bar</quote>).
-      If the first character of an option is not <quote>-</quote>, it is
-      treated as if it were prefixed with <quote>--default=</quote>.
-    </para>
-
-    <para>
-      The column list is taken from the COLUMNLIST environment variable.
-      This is equivalent to the <quote>Change Columns</quote> option
-      that is available when you list bugs in buglist.cgi. If you have
-      already used Bugzilla, grep for COLUMNLIST in your cookies file
-      to see your current COLUMNLIST setting.
-    </para>
-
-    <para>
-      <filename>bugs</filename> is a simple shell script which calls
-      <filename>buglist</filename> and extracts the
-      bug numbers from the output. Adding the prefix
-      <quote>http://bugzilla.mozilla.org/buglist.cgi?bug_id=</quote>
-      turns the bug list into a working link if any bugs are found.
-      Counting bugs is easy. Pipe the results through 
-      <command>sed -e 's/,/ /g' | wc | awk '{printf $2 "\n"}'</command>
-    </para>
-
-    <para>
-      Akkana Peck says she has good results piping 
-      <filename>buglist</filename> output through 
-      <command>w3m -T text/html -dump</command>
-    </para>
-
-  </section>
-
-  <section id="cmdline-bugmail">
-    <title>Command-line 'Send Unsent Bug-mail' tool</title>
-
-    <para>
-      Within the <filename class="directory">contrib</filename> directory
-      exists a utility with the descriptive (if compact) name
-      of <filename>sendunsentbugmail.pl</filename>. The purpose of this
-      script is, simply, to send out any bug-related mail that should
-      have been sent by now, but for one reason or another has not.
-    </para>
-
-    <para>
-      To accomplish this task, <filename>sendunsentbugmail.pl</filename> uses
-      the same mechanism as the <filename>sanitycheck.cgi</filename> script;
-      it scans through the entire database looking for bugs with changes that
-      were made more than 30 minutes ago, but where there is no record of
-      anyone related to that bug having been sent mail. Having compiled a list,
-      it then uses the standard rules to determine who gets mail, and sends it
-      out.
-    </para>
-
-    <para>
-      As the script runs, it indicates the bug for which it is currently
-      sending mail; when it has finished, it gives a numerical count of how
-      many mails were sent and how many people were excluded. (Individual
-      user names are not recorded or displayed.) If the script produces
-      no output, that means no unsent mail was detected.
-    </para>
-
-    <para>
-      <emphasis>Usage</emphasis>: move the sendunsentbugmail.pl script
-      up into the main directory, ensure it has execute permission, and run it
-      from the command line (or from a cron job) with no parameters.
-    </para>
-  </section>
-
-</appendix>
-
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-always-quote-attributes:t
-sgml-auto-insert-required-elements:t
-sgml-balanced-tag-edit:t
-sgml-exposed-tags:nil
-sgml-general-insert-case:lower
-sgml-indent-data:t
-sgml-indent-step:2
-sgml-local-catalogs:nil
-sgml-local-ecat-files:nil
-sgml-minimize-attributes:nil
-sgml-namecase-general:t
-sgml-omittag:t
-sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
-sgml-shorttag:t
-sgml-tag-region-if-active:t
-End:
--->
-

mozilla/webtools/bugzilla/docs/en/xml/requiredsoftware.xml

@@ -1,77 +0,0 @@
-<!-- <!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> -->
-<appendix id="downloadlinks">
-  <title>Software Download Links</title>
-
-  <para>All of these sites are current as of April, 2001. Hopefully they'll
-  stay current for a while.</para>
-
-  <para>Apache Web Server: 
-  <ulink url="http://www.apache.org/"/>
-
-  Optional web server for Bugzilla, but recommended because of broad user
-  base and support.</para>
-
-  <para>Bugzilla: 
-  <ulink url="http://www.bugzilla.org/"/>
-  </para>
-
-  <para>MySQL: 
-  <ulink url="http://www.mysql.com/"/>
-  </para>
-
-  <para>Perl: 
-  <ulink url="http://www.perl.org/"/>
-  </para>
-
-  <para>CPAN: 
-  <ulink url="http://www.cpan.org/"/>
-  </para>
-
-  <para>DBI Perl module: 
-  <ulink url="http://www.cpan.org/modules/by-module/DBI/"/>
-  </para>
-
-  <para>MySQL related Perl modules: 
-  <ulink url="http://www.cpan.org/modules/by-module/Mysql/"/>
-  </para>
-
-  <para>TimeDate Perl module collection: 
-  <ulink url="http://www.cpan.org/modules/by-module/Date/"/>
-  </para>
-
-  <para>GD Perl module: 
-  <ulink url="http://www.cpan.org/modules/by-module/GD/"/>
-
-  Alternately, you should be able to find the latest version of GD at 
-  <ulink url="http://www.boutell.com/gd/"/>
-  </para>
-
-  <para>Chart::Base module: 
-  <ulink url="http://www.cpan.org/modules/by-module/Chart/"/>
-  </para>
-
-  <para>(But remember, Bundle::Bugzilla will install all the modules for you.)
-  </para>
-</appendix>
-
-<!-- Keep this comment at the end of the file
-Local variables:
-mode: sgml
-sgml-always-quote-attributes:t
-sgml-auto-insert-required-elements:t
-sgml-balanced-tag-edit:t
-sgml-exposed-tags:nil
-sgml-general-insert-case:lower
-sgml-indent-data:t
-sgml-indent-step:2
-sgml-local-catalogs:nil
-sgml-local-ecat-files:nil
-sgml-minimize-attributes:nil
-sgml-namecase-general:t
-sgml-omittag:t
-sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
-sgml-shorttag:t
-sgml-tag-region-if-active:t
-End:
--->
-

mozilla/webtools/bugzilla/docs/en/xml/security.xml

@@ -1,364 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
-                      "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
-    <!ENTITY % myents SYSTEM "bugzilla.ent">
-    %myents;
-]>
-<!-- $Id: security.xml,v 1.19.2.1 2008-07-13 16:44:28 mozilla%colinogilvie.co.uk Exp $ -->
-
-<chapter id="security">
-<title>Bugzilla Security</title>
-
-  <para>While some of the items in this chapter are related to the operating
-  system Bugzilla is running on or some of the support software required to
-  run Bugzilla, it is all related to protecting your data. This is not
-  intended to be a comprehensive guide to securing Linux, Apache, MySQL, or
-  any other piece of software mentioned. There is no substitute for active
-  administration and monitoring of a machine. The key to good security is
-  actually right in the middle of the word: <emphasis>U R It</emphasis>.
-  </para>
-  
-  <para>While programmers in general always strive to write secure code,
-  accidents can and do happen. The best approach to security is to always
-  assume that the program you are working with isn't 100% secure and restrict
-  its access to other parts of your machine as much as possible.
-  </para>
- 
-  <section id="security-os">
-  <title>Operating System</title>
-  
-    <section id="security-os-ports">
-    <title>TCP/IP Ports</title>
-    
-      <!-- TODO: Get exact number of ports -->
-      <para>The TCP/IP standard defines more than 65,000 ports for sending
-      and receiving traffic. Of those, Bugzilla needs exactly one to operate
-      (different configurations and options may require up to 3). You should
-      audit your server and make sure that you aren't listening on any ports
-      you don't need to be. It's also highly recommended that the server
-      Bugzilla resides on, along with any other machines you administer, be
-      placed behind some kind of firewall.
-      </para>
-    
-    </section>
-    
-    <section id="security-os-accounts">
-    <title>System User Accounts</title>
-    
-      <para>Many <glossterm linkend="gloss-daemon">daemons</glossterm>, such
-      as Apache's <filename>httpd</filename> or MySQL's
-      <filename>mysqld</filename>, run as either <quote>root</quote> or
-      <quote>nobody</quote>. This is even worse on Windows machines where the
-      majority of <glossterm linkend="gloss-service">services</glossterm>
-      run as <quote>SYSTEM</quote>. While running as <quote>root</quote> or
-      <quote>SYSTEM</quote> introduces obvious security concerns, the
-      problems introduced by running everything as <quote>nobody</quote> may
-      not be so obvious. Basically, if you run every daemon as
-      <quote>nobody</quote> and one of them gets compromised it can
-      compromise every other daemon running as <quote>nobody</quote> on your
-      machine. For this reason, it is recommended that you create a user
-      account for each daemon.
-      </para>
-    
-      <note>
-        <para>You will need to set the <option>webservergroup</option> option
-        in <filename>localconfig</filename> to the group your web server runs
-        as. This will allow <filename>./checksetup.pl</filename> to set file
-        permissions on Unix systems so that nothing is world-writable.
-        </para>
-      </note>
-    
-    </section>
-    
-    <section id="security-os-chroot">
-    <title>The <filename>chroot</filename> Jail</title>
-    
-      <para>
-        If your system supports it, you may wish to consider running
-        Bugzilla inside of a <filename>chroot</filename> jail. This option
-        provides unprecedented security by restricting anything running
-        inside the jail from accessing any information outside of it. If you
-        wish to use this option, please consult the documentation that came
-        with your system.
-      </para>
-      
-    </section>
-  
-  </section>
-  
-  
-  
-  <section id="security-mysql">
-  <title>MySQL</title>
-  
-    <section id="security-mysql-account">
-    <title>The MySQL System Account</title>
-    
-      <para>As mentioned in <xref linkend="security-os-accounts"/>, the MySQL
-      daemon should run as a non-privileged, unique user. Be sure to consult
-      the MySQL documentation or the documentation that came with your system
-      for instructions.
-      </para>
-    </section>
-    
-    <section id="security-mysql-root">
-    <title>The MySQL <quote>root</quote> and <quote>anonymous</quote> Users</title>
-    
-      <para>By default, MySQL comes with a <quote>root</quote> user with a
-      blank password and an <quote>anonymous</quote> user, also with a blank
-      password. In order to protect your data, the <quote>root</quote> user
-      should be given a password and the anonymous user should be disabled.
-      </para>
-      
-      <example id="security-mysql-account-root">
-      <title>Assigning the MySQL <quote>root</quote> User a Password</title>
-      
-        <screen>
-<prompt>bash$</prompt> mysql mysql
-<prompt>mysql&gt;</prompt> UPDATE user SET password = password('<replaceable>new_password</replaceable>') WHERE user = 'root';
-<prompt>mysql&gt;</prompt> FLUSH PRIVILEGES;
-        </screen>
-      </example>
-      
-      <example id="security-mysql-account-anonymous">
-      <title>Disabling the MySQL <quote>anonymous</quote> User</title>
-        <screen>
-<prompt>bash$</prompt> mysql -u root -p mysql           <co id="security-mysql-account-anonymous-mysql"/>
-<prompt>Enter Password:</prompt> <replaceable>new_password</replaceable>
-<prompt>mysql&gt;</prompt> DELETE FROM user WHERE user = '';
-<prompt>mysql&gt;</prompt> FLUSH PRIVILEGES;
-        </screen>
-        <calloutlist>
-          <callout arearefs="security-mysql-account-anonymous-mysql">
-            <para>This command assumes that you have already completed
-            <xref linkend="security-mysql-account-root"/>.
-            </para>
-          </callout>
-        </calloutlist>
-      </example>
-          
-    </section>
-    
-    <section id="security-mysql-network">
-    <title>Network Access</title>
-    
-      <para>If MySQL and your web server both run on the same machine and you
-      have no other reason to access MySQL remotely, then you should disable
-      the network access. This, along with the suggestion in
-      <xref linkend="security-os-ports"/>, will help protect your system from
-      any remote vulnerabilities in MySQL.
-      </para>
-      
-      <example id="security-mysql-network-ex">
-      <title>Disabling Networking in MySQL</title>
-      
-        <para>Simply enter the following in <filename>/etc/my.cnf</filename>:
-        <screen>
-[mysqld]
-# Prevent network access to MySQL.
-skip-networking
-        </screen>
-        </para>
-      </example>
-      
-    </section>
-
-
-<!-- For possible addition in the future: How to better control the bugs user
-    <section id="security-mysql-bugs">
-    <title>The bugs User</title>
-    
-    </section>
--->
-  
-  </section>
-  
-  
-  
-  <section id="security-webserver">
-  <title>Web server</title>
-
-    <section id="security-webserver-access">
-    <title>Disabling Remote Access to Bugzilla Configuration Files</title>
-    
-      <para>
-        There are many files that are placed in the Bugzilla directory
-        area that should not be accessible from the web server. Because of the way
-        Bugzilla is currently layed out, the list of what should and should not
-        be accessible is rather complicated. A quick way is to run
-        <filename>testserver.pl</filename> to check if your web server serves
-        Bugzilla files as expected. If not, you may want to follow the few
-        steps below.
-      </para>
-      
-      <tip>
-        <para>Bugzilla ships with the ability to create
-        <glossterm linkend="gloss-htaccess"><filename>.htaccess</filename></glossterm>
-        files that enforce these rules. Instructions for enabling these
-        directives in Apache can be found in <xref linkend="http-apache"/>
-        </para>
-      </tip>
-        
-      <itemizedlist spacing="compact">
-        <listitem>
-          <para>In the main Bugzilla directory, you should:</para>
-          <itemizedlist spacing="compact">
-            <listitem>
-              <para>Block:
-              <simplelist type="inline">
-                <member><filename>*.pl</filename></member>
-                <member><filename>*localconfig*</filename></member>
-              </simplelist>
-              </para>
-            </listitem>
-          </itemizedlist>
-        </listitem>
-
-        <listitem>
-          <para>In <filename class="directory">data</filename>:</para>
-          <itemizedlist spacing="compact">
-            <listitem>
-              <para>Block everything</para>
-            </listitem>
-          </itemizedlist>
-        </listitem>
-
-        <listitem>
-          <para>In <filename class="directory">data/webdot</filename>:</para>
-          <itemizedlist spacing="compact">
-            <listitem>
-              <para>If you use a remote webdot server:</para>
-              <itemizedlist spacing="compact">
-                <listitem>
-                  <para>Block everything</para>
-                </listitem>
-                <listitem>
-                  <para>But allow
-                  <simplelist type="inline">
-                    <member><filename>*.dot</filename></member>
-                  </simplelist>
-                  only for the remote webdot server</para>
-                </listitem>
-              </itemizedlist>
-            </listitem>
-            <listitem>
-              <para>Otherwise, if you use a local GraphViz:</para>
-              <itemizedlist spacing="compact">
-                <listitem>
-                  <para>Block everything</para>
-                </listitem>
-                <listitem>
-                  <para>But allow:
-                  <simplelist type="inline">
-                    <member><filename>*.png</filename></member>
-                    <member><filename>*.gif</filename></member>
-                    <member><filename>*.jpg</filename></member>
-                    <member><filename>*.map</filename></member>
-                  </simplelist>
-                  </para>
-                </listitem>
-              </itemizedlist>
-            </listitem>
-            <listitem>
-              <para>And if you don't use any dot:</para>
-              <itemizedlist spacing="compact">
-                <listitem>
-                  <para>Block everything</para>
-                </listitem>
-              </itemizedlist>
-            </listitem>
-          </itemizedlist>
-        </listitem>
-
-        <listitem>
-          <para>In <filename class="directory">Bugzilla</filename>:</para>
-          <itemizedlist spacing="compact">
-            <listitem>
-              <para>Block everything</para>
-            </listitem>
-          </itemizedlist>
-        </listitem>
-
-        <listitem>
-          <para>In <filename class="directory">template</filename>:</para>
-          <itemizedlist spacing="compact">
-            <listitem>
-              <para>Block everything</para>
-            </listitem>
-          </itemizedlist>
-        </listitem>
-      </itemizedlist>
-
-      <para>Be sure to test that data that should not be accessed remotely is
-      properly blocked. Of particular interest is the localconfig file which
-      contains your database password. Also, be aware that many editors
-      create temporary and backup files in the working directory and that
-      those should also not be accessible. For more information, see
-      <ulink url="http://bugzilla.mozilla.org/show_bug.cgi?id=186383">bug 186383</ulink>
-      or
-      <ulink url="http://online.securityfocus.com/bid/6501">Bugtraq ID 6501</ulink>.
-      To test, simply run <filename>testserver.pl</filename>, as said above.
-      </para>
-      
-      <tip>
-        <para>Be sure to check <xref linkend="http"/> for instructions
-        specific to the web server you use.
-        </para>
-      </tip>
-    
-    </section>
-
-      
-  </section>
-  
-  
-  <section id="security-bugzilla">
-  <title>Bugzilla</title>
-
-    <section id="security-bugzilla-charset">
-    <title>Prevent users injecting malicious Javascript</title>
-
-      <para>If you installed Bugzilla version 2.22 or later from scratch,
-      then the <emphasis>utf8</emphasis> parameter is switched on by default.
-      This makes Bugzilla explicitly set the character encoding, following
-      <ulink
-      url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">a
-      CERT advisory</ulink> recommending exactly this.
-      The following therefore does not apply to you; just keep
-      <emphasis>utf8</emphasis> turned on.
-      </para>
-
-      <para>If you've upgraded from an older version, then it may be possible
-      for a Bugzilla user to take advantage of character set encoding
-      ambiguities to inject HTML into Bugzilla comments.
-      This could include malicious scripts. 
-      This is because due to internationalization concerns, we are unable to
-      turn the <emphasis>utf8</emphasis> parameter on by default for upgraded
-      installations.
-      Turning it on manually will prevent this problem.
-      </para>
-    </section>    
-    
-  </section>
-
-</chapter> 
-
-<!-- Keep this comment at the end of the file 
-Local variables: 
-mode: sgml 
-sgml-always-quote-attributes:t
-sgml-auto-insert-required-elements:t
-sgml-balanced-tag-edit:t
-sgml-exposed-tags:nil
-sgml-general-insert-case:lower
-sgml-indent-data:t 
-sgml-indent-step:2 
-sgml-local-catalogs:nil
-sgml-local-ecat-files:nil 
-sgml-minimize-attributes:nil
-sgml-namecase-general:t 
-sgml-omittag:t
-sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
-sgml-shorttag:t 
-sgml-tag-region-if-active:t 
-End: -->
-

mozilla/webtools/bugzilla/docs/en/xml/troubleshooting.xml

@@ -1,311 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
-                      "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
-     <!ENTITY % myents SYSTEM "bugzilla.ent">
-     %myents;
- ]>
-<!-- $Id: troubleshooting.xml,v 1.13.4.1 2008-07-13 16:44:28 mozilla%colinogilvie.co.uk Exp $ -->
-
-<appendix id="troubleshooting">
-<title>Troubleshooting</title>
-
-  <para>This section gives solutions to common Bugzilla installation
-  problems. If none of the section headings seems to match your
-  problem, read the general advice.
-  </para>
-    
-  <section id="general-advice">
-  <title>General Advice</title>
-    <para>If you can't get <filename>checksetup.pl</filename> to run to 
-    completion, it normally explains what's wrong and how to fix it.
-    If you can't work it out, or if it's being uncommunicative, post 
-    the errors in the 
-    <ulink url="news://news.mozilla.org/mozilla.support.bugzilla">mozilla.support.bugzilla</ulink>
-    newsgroup.
-    </para>
-
-    <para>If you have made it all the way through
-    <xref linkend="installation"/> (Installation) and
-    <xref linkend="configuration"/> (Configuration) but accessing the Bugzilla
-    URL doesn't work, the first thing to do is to check your web server error
-    log. For Apache, this is often located at
-    <filename>/etc/logs/httpd/error_log</filename>. The error messages
-    you see may be self-explanatory enough to enable you to diagnose and
-    fix the problem. If not, see below for some commonly-encountered 
-    errors. If that doesn't help, post the errors to the newsgroup.
-    </para>
-
-    <para>
-      Bugzilla can also log all user-based errors (and many code-based errors)
-      that occur, without polluting the web server's error log.  To enable
-      Bugzilla error logging, create a file that Bugzilla can write to, named
-      <filename>errorlog</filename>, in the Bugzilla <filename>data</filename>
-      directory.  Errors will be logged as they occur, and will include the type
-      of the error, the IP address and username (if available) of the user who
-      triggered the error, and the values of all environment variables; if a
-      form was being submitted, the data in the form will also be included.
-      To disable error logging, delete or rename the
-      <filename>errorlog</filename> file.
-    </para>
-  </section>
-        
-  <section id="trbl-testserver">
-  <title>The Apache web server is not serving Bugzilla pages</title>
-    <para>After you have run <command>checksetup.pl</command> twice,
-    run <command>testserver.pl http://yoursite.yourdomain/yoururl</command>
-    to confirm that your web server is configured properly for
-    Bugzilla.
-    </para>
-    <programlisting>
-<prompt>bash$</prompt> ./testserver.pl http://landfill.bugzilla.org/bugzilla-tip
-TEST-OK Webserver is running under group id in $webservergroup.
-TEST-OK Got ant picture.
-TEST-OK Webserver is executing CGIs.
-TEST-OK Webserver is preventing fetch of http://landfill.bugzilla.org/bugzilla-tip/localconfig.
-</programlisting>
-  </section>
-
-  <section id="trbl-perlmodule">
-  <title>I installed a Perl module, but 
-      <filename>checksetup.pl</filename> claims it's not installed!</title>
-      
-    <para>This could be caused by one of two things:</para>
-    <orderedlist>
-      <listitem>
-        <para>You have two versions of Perl on your machine. You are installing
-        modules into one, and Bugzilla is using the other. Rerun the CPAN
-        commands (or manual compile) using the full path to Perl from the 
-        top of <filename>checksetup.pl</filename>. This will make sure you 
-        are installing the modules in the right place.
-        </para>
-      </listitem>
-      <listitem>
-        <para>The permissions on your library directories are set incorrectly.
-        They must, at the very least, be readable by the web server user or
-        group. It is recommended that they be world readable.
-        </para>
-      </listitem>
-    </orderedlist>
-  </section>
-
-  <section id="trbl-dbdSponge">
-  <title>DBD::Sponge::db prepare failed</title>
-      
-    <para>The following error message may appear due to a bug in DBD::mysql
-    (over which the Bugzilla team have no control):
-    </para>
-      
-<programlisting><![CDATA[ DBD::Sponge::db prepare failed: Cannot determine NUM_OF_FIELDS at D:/Perl/site/lib/DBD/mysql.pm line 248.
-  SV = NULL(0x0) at 0x20fc444
-  REFCNT = 1
-  FLAGS = (PADBUSY,PADMY)
-]]></programlisting>
-
-    <para>To fix this, go to 
-    <filename>&lt;path-to-perl&gt;/lib/DBD/sponge.pm</filename> 
-    in your Perl installation and replace
-    </para>
-        
-<programlisting><![CDATA[ my $numFields;
- if ($attribs->{'NUM_OF_FIELDS'}) {
-     $numFields = $attribs->{'NUM_OF_FIELDS'};
- } elsif ($attribs->{'NAME'}) {
-     $numFields = @{$attribs->{NAME}};
-]]></programlisting>
-
-    <para>with</para>
-
-<programlisting><![CDATA[ my $numFields;
- if ($attribs->{'NUM_OF_FIELDS'}) {
-     $numFields = $attribs->{'NUM_OF_FIELDS'};
- } elsif ($attribs->{'NAMES'}) {
-     $numFields = @{$attribs->{NAMES}};
-]]></programlisting>
-
-     <para>(note the S added to NAME.)</para>
-  </section>
-    
-  <section id="paranoid-security">
-  <title>cannot chdir(/var/spool/mqueue)</title>
-
-    <para>If you are installing Bugzilla on SuSE Linux, or some other
-    distributions with <quote>paranoid</quote> security options, it is
-    possible that the checksetup.pl script may fail with the error: 
-<programlisting><![CDATA[cannot chdir(/var/spool/mqueue): Permission denied
-]]></programlisting>
-    </para>
-      
-    <para>This is because your <filename>/var/spool/mqueue</filename>
-    directory has a mode of <computeroutput>drwx------</computeroutput>.
-    Type <command>chmod 755 <filename>/var/spool/mqueue</filename></command>
-    as root to fix this problem. This will allow any process running on your
-    machine the ability to <emphasis>read</emphasis> the
-    <filename>/var/spool/mqueue</filename> directory.
-    </para>
-  </section>    
-
-  <section id="trbl-relogin-everyone">
-  <title>Everybody is constantly being forced to relogin</title>
-  
-  <para>The most-likely cause is that the <quote>cookiepath</quote> parameter
-  is not set correctly in the Bugzilla configuration.  You can change this (if
-  you're a Bugzilla administrator) from the editparams.cgi page via the web interface.
-  </para>
-
-  <para>The value of the cookiepath parameter should be the actual directory
-  containing your Bugzilla installation, <emphasis>as seen by the end-user's
-  web browser</emphasis>. Leading and trailing slashes are mandatory. You can
-  also set the cookiepath to any directory which is a parent of the Bugzilla
-  directory (such as '/', the root directory). But you can't put something
-  that isn't at least a partial match or it won't work. What you're actually
-  doing is restricting the end-user's browser to sending the cookies back only
-  to that directory.
-  </para>
-
-  <para>How do you know if you want your specific Bugzilla directory or the
-  whole site?
-  </para>
-
-  <para>If you have only one Bugzilla running on the server, and you don't
-  mind having other applications on the same server with it being able to see
-  the cookies (you might be doing this on purpose if you have other things on
-  your site that share authentication with Bugzilla), then you'll want to have
-  the cookiepath set to "/", or to a sufficiently-high enough directory that
-  all of the involved apps can see the cookies.
-  </para>
-
-  <example id="trbl-relogin-everyone-share">
-  <title>Examples of urlbase/cookiepath pairs for sharing login cookies</title>
-
-    <blockquote>
-      <literallayout>
-        urlbase is <ulink url="http://bugzilla.mozilla.org/"/>
-        cookiepath is /
-
-        urlbase is <ulink url="http://tools.mysite.tld/bugzilla/"/>
-                but you have http://tools.mysite.tld/someotherapp/ which shares
-                authentication with your Bugzilla
-        cookiepath is /
-      </literallayout>
-    </blockquote>
-  </example>
-          
-   <para>On the other hand, if you have more than one Bugzilla running on the
-   server (some people do - we do on landfill) then you need to have the
-   cookiepath restricted enough so that the different Bugzillas don't
-   confuse their cookies with one another.
-   </para>
-
-
-   <example id="trbl-relogin-everyone-restrict">
-   <title>Examples of urlbase/cookiepath pairs to restrict the login cookie</title>
-      <blockquote>
-        <literallayout>
-        urlbase is <ulink url="http://landfill.bugzilla.org/bugzilla-tip/"/>
-        cookiepath is /bugzilla-tip/
-
-        urlbase is <ulink url="http://landfill.bugzilla.org/bugzilla-2.16-branch/"/>
-        cookiepath is /bugzilla-2.16-branch/
-        </literallayout>
-      </blockquote>
-    </example>
-
-    <para>If you had cookiepath set to <quote>/</quote> at any point in the
-    past and need to set it to something more restrictive
-    (i.e. <quote>/bugzilla/</quote>), you can safely do this without
-    requiring users to delete their Bugzilla-related cookies in their
-    browser (this is true starting with Bugzilla 2.18 and Bugzilla 2.16.5).
-    </para>
-  </section>
-
-  <section id="trbl-relogin-some">
-  <title>Some users are constantly being forced to relogin</title>
-
-    <para>First, make sure cookies are enabled in the user's browser.
-    </para>
-
-    <para>If that doesn't fix the problem, it may be that the user's ISP
-     implements a rotating proxy server. This causes the user's effective IP
-     address (the address which the Bugzilla server perceives him coming from)
-     to change periodically. Since Bugzilla cookies are tied to a specific IP
-     address, each time the effective address changes, the user will have to
-     log in again.
-     </para>
-
-     <para>If you are using 2.18 (or later), there is a
-     parameter called <quote>loginnetmask</quote>, which you can use to set
-     the number of bits of the user's IP address to require to be matched when
-     authenticating the cookies. If you set this to something less than 32,
-     then the user will be given a checkbox for <quote>Restrict this login to
-     my IP address</quote> on the login screen, which defaults to checked. If
-     they leave the box checked, Bugzilla will behave the same as it did
-     before, requiring an exact match on their IP address to remain logged in.
-     If they uncheck the box, then only the left side of their IP address (up
-     to the number of bits you specified in the parameter) has to match to
-     remain logged in.
-     </para>
-
-   </section>
-
-  <section id="trbl-index">
-  <title><filename>index.cgi</filename> doesn't show up unless specified in the URL</title>
-    <para>
-      You probably need to set up your web server in such a way that it
-      will serve the index.cgi page as an index page.
-    </para>
-    <para>
-      If you are using Apache, you can do this by adding 
-      <filename>index.cgi</filename> to the end of the 
-      <computeroutput>DirectoryIndex</computeroutput> line
-      as mentioned in <xref linkend="http-apache"/>.
-    </para>
-
-  </section>
-
-  <section id="trbl-passwd-encryption">
-    <title>
-      checksetup.pl reports "Client does not support authentication protocol
-      requested by server..."
-    </title>
-
-    <para>
-      This error is occurring because you are using the new password
-      encryption that comes with MySQL 4.1, while your
-      <filename>DBD::mysql</filename> module was compiled against an
-      older version of MySQL. If you recompile <filename>DBD::mysql</filename>
-      against the current MySQL libraries (or just obtain a newer version
-      of this module) then the error may go away.
-    </para>
-
-    <para>
-      If that does not fix the problem, or if you cannot recompile the
-      existing module (e.g. you're running Windows) and/or don't want to
-      replace it (e.g. you want to keep using a packaged version), then a
-      workaround is available from the MySQL docs:
-      <ulink url="http://dev.mysql.com/doc/mysql/en/Old_client.html"/>
-    </para>
-
-  </section>
-
-</appendix> 
-
-<!-- Keep this comment at the end of the file 
-Local variables: 
-mode: sgml 
-sgml-always-quote-attributes:t
-sgml-auto-insert-required-elements:t
-sgml-balanced-tag-edit:t
-sgml-exposed-tags:nil
-sgml-general-insert-case:lower
-sgml-indent-data:t 
-sgml-indent-step:2 
-sgml-local-catalogs:nil
-sgml-local-ecat-files:nil 
-sgml-minimize-attributes:nil
-sgml-namecase-general:t 
-sgml-omittag:t
-sgml-parent-document:("Bugzilla-Guide.xml" "book" "chapter")
-sgml-shorttag:t 
-sgml-tag-region-if-active:t 
-End: -->
-
-

mozilla/webtools/bugzilla/docs/makedocs.pl

@@ -1,217 +0,0 @@
-#!/usr/bin/perl -w
-# -*- Mode: perl; indent-tabs-mode: nil -*-
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Bugzilla Bug Tracking System.
-#
-# The Initial Developer of the Original Code is Netscape Communications
-# Corporation. Portions created by Netscape are
-# Copyright (C) 1998 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s): Matthew Tuck <matty@chariot.net.au>
-#                 Jacob Steenhagen <jake@bugzilla.org>
-#                 Colin Ogilvie <colin.ogilvie@gmail.com>
-#                 Max Kanat-Alexander <mkanat@bugzilla.org>
-
-# This script compiles all the documentation.
-
-use strict;
-use Cwd;
-
-# We need to be in this directory to use our libraries.
-BEGIN {
-    require File::Basename;
-    import File::Basename qw(dirname);
-    chdir dirname($0);
-}
-
-use lib qw(.. ../lib lib);
-
-# We only compile our POD if Pod::Simple is installed. We do the checks
-# this way so that if there's a compile error in Pod::Simple::HTML::Bugzilla,
-# makedocs doesn't just silently fail, but instead actually tells us there's
-# a compile error.
-my $pod_simple;
-if (eval { require Pod::Simple }) {
-    require Pod::Simple::HTMLBatch::Bugzilla;
-    require Pod::Simple::HTML::Bugzilla;
-    $pod_simple = 1;
-};
-
-use Bugzilla::Install::Requirements 
-    qw(REQUIRED_MODULES OPTIONAL_MODULES);
-use Bugzilla::Constants qw(DB_MODULE BUGZILLA_VERSION);
-
-###############################################################################
-# Generate minimum version list
-###############################################################################
-
-my $modules = REQUIRED_MODULES;
-my $opt_modules = OPTIONAL_MODULES;
-
-open(ENTITIES, '>', 'bugzilla.ent') or die('Could not open bugzilla.ent: ' . $!);
-print ENTITIES <<END_ENTITIES;
-<?xml version="1.0" encoding="UTF-8" ?>
-
-<!ENTITY bz-ver "3.3">
-<!ENTITY bz-nextver "4.0">
-<!ENTITY bz-date "2008-05-20">
-<!ENTITY current-year "2008">
-
-<!ENTITY landfillbase "http://landfill.bugzilla.org/bugzilla-tip/">
-<!ENTITY bz "http://www.bugzilla.org/">
-<!ENTITY bzg-bugs "<ulink url='https://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla&amp;component=Documentation'>Bugzilla Documentation</ulink>">
-<!ENTITY mysql "http://www.mysql.com/">
-
-<!ENTITY min-perl-ver "5.8.1">
-
-
-<!-- Module Versions -->
-END_ENTITIES
-foreach my $module (@$modules, @$opt_modules)
-{
-    my $name = $module->{'module'};
-    $name =~ s/::/-/g;
-    $name = lc($name);
-    #This needs to be a string comparison, due to the modules having
-    #version numbers like 0.9.4
-    my $version = $module->{'version'} eq 0 ? 'any' : $module->{'version'};
-    print ENTITIES '<!ENTITY min-' . $name . '-ver "'.$version.'">' . "\n";
-}
-
-# CGI is a special case, because for Perl versions below 5.10, it has an
-# optional version *and* a required version.
-# We check @opt_modules first, then @modules, and pick the first we get.
-# We'll get the optional one then, if it is given, otherwise the required one.
-my ($cgi_opt) = grep($_->{module} eq 'CGI', @$opt_modules, @$modules);
-print ENTITIES '<!ENTITY min-mp-cgi-ver "' . $cgi_opt->{version} . '">' . "\n";
-
-print ENTITIES "\n <!-- Database Versions --> \n";
-
-my $db_modules = DB_MODULE;
-foreach my $db (keys %$db_modules) {
-    my $dbd  = $db_modules->{$db}->{dbd};
-    my $name = $dbd->{module};
-    $name =~ s/::/-/g;
-    $name = lc($name);
-    my $version    = $dbd->{version} || 'any';
-    my $db_version = $db_modules->{$db}->{'db_version'};
-    print ENTITIES '<!ENTITY min-' . $name . '-ver "'.$version.'">' . "\n";
-    print ENTITIES '<!ENTITY min-' . lc($db) . '-ver "'.$db_version.'">' . "\n";
-}
-close(ENTITIES);
-
-###############################################################################
-# Subs
-###############################################################################
-
-sub MakeDocs {
-
-    my ($name, $cmdline) = @_;
-
-    print "Creating $name documentation ...\n" if defined $name;
-    print "$cmdline\n\n";
-    system $cmdline;
-    print "\n";
-
-}
-
-sub make_pod {
-
-    print "Creating API documentation...\n";
-
-    my $converter = Pod::Simple::HTMLBatch::Bugzilla->new;
-    # Don't output progress information.
-    $converter->verbose(0);
-    $converter->html_render_class('Pod::Simple::HTML::Bugzilla');
-
-    my $doctype      = Pod::Simple::HTML::Bugzilla->DOCTYPE;
-    my $content_type = Pod::Simple::HTML::Bugzilla->META_CT;
-    my $bz_version   = BUGZILLA_VERSION;
-
-    my $contents_start = <<END_HTML;
-$doctype
-<html>
-  <head>
-    $content_type
-    <title>Bugzilla $bz_version API Documentation</title>
-  </head>
-  <body class="contentspage">
-    <h1>Bugzilla $bz_version API Documentation</h1>
-END_HTML
-
-    $converter->contents_page_start($contents_start);
-    $converter->contents_page_end("</body></html>");
-    $converter->add_css('./../../../style.css');
-    $converter->javascript_flurry(0);
-    $converter->css_flurry(0);
-    $converter->batch_convert(['../../'], 'html/api/');
-
-    print "\n";
-}
-
-###############################################################################
-# Make the docs ...
-###############################################################################
-
-my @langs;
-# search for sub directories which have a 'xml' sub-directory
-opendir(LANGS, './');
-foreach my $dir (readdir(LANGS)) {
-    next if (($dir eq '.') || ($dir eq '..') || (! -d $dir));
-    if (-d "$dir/xml") {
-        push(@langs, $dir);
-    }
-}
-closedir(LANGS);
-
-my $docparent = getcwd();
-foreach my $lang (@langs) {
-    chdir "$docparent/$lang";
-    MakeDocs(undef, 'cp ../bugzilla.ent ./xml/');
-
-    if (!-d 'txt') {
-        unlink 'txt';
-        mkdir 'txt', 0755;
-    }
-    if (!-d 'pdf') {
-        unlink 'pdf';
-        mkdir 'pdf', 0755;
-    }
-    if (!-d 'html') {
-        unlink 'html';
-        mkdir 'html', 0755;
-    }
-    if (!-d 'html/api') {
-        unlink 'html/api';
-        mkdir 'html/api', 0755;
-    }
-
-	MakeDocs(undef, 'cp ../style.css html/api/');
-
-    make_pod() if $pod_simple;
-
-    MakeDocs('separate HTML', 'xmlto -m ../xsl/chunks.xsl -o html html ' .
-             'xml/Bugzilla-Guide.xml');
-    MakeDocs('big HTML', 'xmlto -m ../xsl/nochunks.xsl -o html html-nochunks ' .
-             'xml/Bugzilla-Guide.xml');
-    MakeDocs('big text', "lynx -dump -justify=off -nolist html/Bugzilla-Guide.html " .
-        "> txt/Bugzilla-Guide.txt");
-
-    if (! grep($_ eq "--with-pdf", @ARGV)) {
-        next;
-    }
-	
-    MakeDocs('PDF', 'xmlto -m ../xsl/pdf.xsl -o pdf pdf xml/Bugzilla-Guide.xml');
-}
-

mozilla/webtools/bugzilla/docs/style.css

@@ -1,112 +0,0 @@
-/* The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Bugzilla Bug Tracking System.
- *
- * The Initial Developer of the Original Code is Everything Solved.
- * Portions created by Everything Solved are Copyright (C) 2006 
- * Everything Solved. All Rights Reserved.
- *
- * Contributor(s): Max Kanat-Alexander <mkanat@bugzilla.org>
- */
-
-body {
-  background: white;
-  color: #111;
-  padding: 0 1em;
-  margin: 0;
-  font-family: Verdana, Arial, sans-serif;
-  font-size: small;
-}
-
-td, th {
-  font-family: Verdana, Arial, sans-serif;
-  font-size: small;
-}
-
-a:link, a:active { color: #36415c; }
-a:visited { color: #666; }
-a:hover   { color: #888; }
-
-h1 {
-  font-size: 150%;
-  font-weight: bold;
-  border-bottom: 2px solid #ccc;
-}
-h2 {
-  font-size: 125%;
-  font-weight: bold;
-  border-bottom: 1px solid #ccc;
-  margin-bottom: 8px;
-}
-h3 {
-  font-size: 115%;
-  font-weight: bold;
-  margin-bottom: 0;
-  padding-bottom: 0;
-}
-
-/* This makes Description/Params/Returns look nice. */
-dd   { margin-top: .2em; }
-dd p { margin-top: 0; }
-dl   { margin-bottom: 1em; }
-
-/* This makes the names of functions slightly larger, in Gecko. */
-body > dl > dt code { font-size: 1.35em; }
-
-#pod h1 a, #pod h2 a, #pod h3 a {
-  color: #36415c;
-  text-decoration: none;
-}
-
-pre, code, tt, kbd, samp {
-  /* Unfortunately, the default monospace fonts on most browsers
-     look odd with relative sizing. */
-  font-size: 12px;
-}
-
-.code {
-  background: #eed;
-  border: 1px solid #ccc;
-}
-
-pre.code {
-  margin-left: 10px;
-  width: 90%;
-  padding: 10px;
-}
-
-/* Special styles for the Contents page */
-
-.contentspage dt {
-  font-size: large;
-  font-weight: bold;
-}
-
-.pod_desc_table {
-  border-collapse: collapse;
-  table-layout: auto;
-  border: 1px solid #ccc;
-}
-
-.pod_desc_table th {
-  text-align: left;
-}
-
-.pod_desc_table td, .pod_desc_table th {
-  padding: .25em;
-  border-top: 1px solid #ccc;
-}
-
-.pod_desc_table .odd th, .pod_desc_table .odd td {
-  background-color: #eee;
-}
-
-.pod_desc_table 

mozilla/webtools/bugzilla/docs/xsl/bugzilla-docs.xsl

@@ -1,102 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-
-<!-- Nicer Filenames -->
-<xsl:param name="use.id.as.filename" select="1"/>
-
-<!-- Label sections if they aren't automatically labeled -->
-<xsl:param name="section.autolabel" select="1"/>
-
-<!-- Table of Contents Depth -->
-<xsl:param name="toc.section.depth">1</xsl:param>
-
-<!-- Set chunk parameters -->
-<xsl:param name="chunk.section.depth" select="1"/>
-<xsl:param name="chunk.first.sections" select="1"/>
-<xsl:param name="chunker.output.encoding" select="UTF-8"/>
-
-<!-- Show titles of next/previous page -->
-<xsl:param name="navig.showtitles">1</xsl:param>
-
-<!-- Tidy up the HTML a bit... -->
-<xsl:param name="html.cleanup" select="1"/>
-<xsl:param name="make.valid.html" select="1"/>
-<xsl:param name="html.stylesheet">api/style.css</xsl:param>
-<!-- make links nicer... -->
-<xsl:param name="refentry.generate.title" select="1"/>
-<xsl:param name="refentry.generate.name" select="0"/>
-
-<!-- Use Graphics, specify their Path and Extension -->
-<xsl:param name="admon.graphics" select="1"/>
-<xsl:param name="admon.graphics.path">../images/</xsl:param>
-<xsl:param name="admon.graphics.extension">.gif</xsl:param>
-
-<xsl:param name="qanda.inherit.numeration" select="0" />
-
-<!--
-****
-CODE BELOW HERE IS EXTRACTED AND EDITED FROM THE DOCBOOK XSL SOURCES
-****
--->
-
-<xsl:template match="simplelist[@type='inline']/member">
-    <xsl:apply-templates/>
-</xsl:template>
-
-<!--
-To generate valid HTML, we need to redefine this section... Code extracted from
-http://cvs.sourceforge.net/viewcvs.py/docbook/xsl/html/qandaset.xsl?rev=1.19&view=log
-
-and modified below. Basic change: Remove the colspan attribute of the tr tags - no
-other changes have been made to the document.
--->
-
-<xsl:template match="qandadiv">
-  <xsl:variable name="preamble" select="*[name(.) != 'title'
-                                          and name(.) != 'titleabbrev'
-                                          and name(.) != 'qandadiv'
-                                          and name(.) != 'qandaentry']"/>
-
-  <xsl:if test="blockinfo/title|title">
-    <tr class="qandadiv">
-      <td align="left" valign="top" colspan="2">
-        <xsl:call-template name="anchor">
-          <xsl:with-param name="conditional" select="0"/>
-        </xsl:call-template>
-        <xsl:apply-templates select="(blockinfo/title|title)[1]"/>
-      </td>
-    </tr>
-  </xsl:if>
-
-  <xsl:variable name="toc">
-    <xsl:call-template name="dbhtml-attribute">
-      <xsl:with-param name="pis"
-                      select="processing-instruction('dbhtml')"/>
-      <xsl:with-param name="attribute" select="'toc'"/>
-    </xsl:call-template>
-  </xsl:variable>
-
-  <xsl:variable name="toc.params">
-    <xsl:call-template name="find.path.params">
-      <xsl:with-param name="table" select="normalize-space($generate.toc)"/>
-    </xsl:call-template>
-  </xsl:variable>
-
-  <xsl:if test="(contains($toc.params, 'toc') and $toc != '0') or $toc = '1'">
-    <tr class="toc">
-      <td align="left" valign="top" colspan="2">
-        <xsl:call-template name="process.qanda.toc"/>
-      </td>
-    </tr>
-  </xsl:if>
-  <xsl:if test="$preamble">
-    <tr class="toc"	>
-      <td align="left" valign="top" colspan="2">
-        <xsl:apply-templates select="$preamble"/>
-      </td>
-    </tr>
-  </xsl:if>
-  <xsl:apply-templates select="qandadiv|qandaentry"/>
-</xsl:template>
-</xsl:stylesheet>
-

mozilla/webtools/bugzilla/docs/xsl/chunks.xsl

@@ -1,12 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-	<!-- Include default bugzilla XSL -->
-	<xsl:include href="bugzilla-docs.xsl"/>
-	<!-- Set Chunk Specific XSL Params -->
-	<xsl:param name="chunker.output.doctype-public">-//W3C//DTD HTML 4.01 Transitional//EN</xsl:param>
-	<xsl:param name="chunker.output.doctype-system">http://www.w3.org/TR/html4/loose.dtd</xsl:param>
-	<xsl:param name="chunk.section.depth" select="1"/>
-	<xsl:param name="chunk.first.sections" select="1"/>
-	<!-- Don't output filename list - mimic old behaviour-->
-	<xsl:param name="chunk.quietly" select="0" />
-</xsl:stylesheet>		

mozilla/webtools/bugzilla/docs/xsl/nochunks.xsl

@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-	<!-- Include default bugzilla XSL -->
-	<xsl:include href="bugzilla-docs.xsl"/>
-	<!-- No other params necessary -->
-</xsl:stylesheet>		

mozilla/webtools/bugzilla/docs/xsl/pdf.xsl

@@ -1,19 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-    <!-- Enable passivetex extensions -->
-	<xsl:param name="passivetex.extensions" select="1"/>
-    <xsl:param name="tablecolumns.extensions" select="1"/>
-    
-	<!-- Show <ulink>s as footnotes -->
-    <xsl:param name="ulink.footnotes" select="1" />
-	<xsl:param name="ulink.show" select="1" />
-	
-	<!-- Don't use Graphics -->
-	<xsl:param name="admon.graphics" select="0"/>
-	<xsl:param name="callout.graphics" select="'0'"/>
-	
-	<xsl:template match="simplelist[@type='inline']/member">
-        <xsl:apply-templates/>
-    </xsl:template>
-
-</xsl:stylesheet>