summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/pk11wrap/pk11cert.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/pk11wrap/pk11cert.c')
-rw-r--r--security/nss/lib/pk11wrap/pk11cert.c129
1 files changed, 43 insertions, 86 deletions
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
index 655c5f970..9c745d7b8 100644
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -5,6 +5,8 @@
* This file manages PKCS #11 instances of certificates.
*/
+#include <stddef.h>
+
#include "secport.h"
#include "seccomon.h"
#include "secmod.h"
@@ -445,7 +447,7 @@ PK11_FindCertHandlesForKeyHandle(PK11SlotInfo *slot, CK_OBJECT_HANDLE keyHandle,
idTemplate[0],
{ CKA_CLASS, &searchClass, sizeof(searchClass) }
};
- const int searchAttrCount = sizeof(searchTemplate) / sizeof(searchTemplate[0]);
+ const size_t searchAttrCount = sizeof(searchTemplate) / sizeof(searchTemplate[0]);
CK_OBJECT_HANDLE *ids = pk11_FindObjectsByTemplate(slot, searchTemplate, searchAttrCount, certHandleCountOut);
PORT_DestroyCheapArena(&arena);
@@ -1146,8 +1148,11 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
}
/* need to get the cert as a stan cert */
- if (cert->nssCertificate) {
- c = cert->nssCertificate;
+ CERT_LockCertTempPerm(cert);
+ NSSCertificate *nssCert = cert->nssCertificate;
+ CERT_UnlockCertTempPerm(cert);
+ if (nssCert) {
+ c = nssCert;
} else {
c = STAN_GetNSSCertificate(cert);
if (c == NULL) {
@@ -1253,29 +1258,6 @@ PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert,
}
/*
- * get a certificate handle, look at the cached handle first..
- */
-CK_OBJECT_HANDLE
-pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert,
- CK_ATTRIBUTE *theTemplate, int tsize)
-{
- CK_OBJECT_HANDLE certh;
-
- if (cert->slot == slot) {
- certh = cert->pkcs11ID;
- if ((certh == CK_INVALID_HANDLE) ||
- (cert->series != slot->series)) {
- certh = pk11_FindObjectByTemplate(slot, theTemplate, tsize);
- cert->pkcs11ID = certh;
- cert->series = slot->series;
- }
- } else {
- certh = pk11_FindObjectByTemplate(slot, theTemplate, tsize);
- }
- return certh;
-}
-
-/*
* return the private key From a given Cert
*/
SECKEYPrivateKey *
@@ -1283,33 +1265,12 @@ PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert,
void *wincx)
{
int err;
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_VALUE, NULL, 0 },
- { CKA_CLASS, NULL, 0 }
- };
- /* if you change the array, change the variable below as well */
- int tsize = sizeof(theTemplate) / sizeof(theTemplate[0]);
CK_OBJECT_HANDLE certh;
CK_OBJECT_HANDLE keyh;
- CK_ATTRIBUTE *attrs = theTemplate;
PRBool needLogin;
SECStatus rv;
- PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
- cert->derCert.len);
- attrs++;
- PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
-
- /*
- * issue the find
- */
- rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
- if (rv != SECSuccess) {
- return NULL;
- }
-
- certh = pk11_getcerthandle(slot, cert, theTemplate, tsize);
+ certh = PK11_FindCertInSlot(slot, cert, wincx);
if (certh == CK_INVALID_HANDLE) {
return NULL;
}
@@ -1459,7 +1420,7 @@ PK11_ImportDERCertForKey(SECItem *derCert, char *nickname, void *wincx)
static CK_OBJECT_HANDLE
pk11_FindCertObjectByTemplate(PK11SlotInfo **slotPtr,
- CK_ATTRIBUTE *searchTemplate, int count, void *wincx)
+ CK_ATTRIBUTE *searchTemplate, size_t count, void *wincx)
{
PK11SlotList *list;
PK11SlotListElement *le;
@@ -2041,7 +2002,7 @@ PK11_FindObjectForCert(CERTCertificate *cert, void *wincx, PK11SlotInfo **pSlot)
{ CKA_CLASS, NULL, 0 },
{ CKA_VALUE, NULL, 0 },
};
- int templateSize = sizeof(searchTemplate) / sizeof(searchTemplate[0]);
+ const size_t templateSize = sizeof(searchTemplate) / sizeof(searchTemplate[0]);
attr = searchTemplate;
PK11_SETATTRS(attr, CKA_CLASS, &certClass, sizeof(certClass));
@@ -2049,8 +2010,7 @@ PK11_FindObjectForCert(CERTCertificate *cert, void *wincx, PK11SlotInfo **pSlot)
PK11_SETATTRS(attr, CKA_VALUE, cert->derCert.data, cert->derCert.len);
if (cert->slot) {
- certHandle = pk11_getcerthandle(cert->slot, cert, searchTemplate,
- templateSize);
+ certHandle = PK11_FindCertInSlot(cert->slot, cert, wincx);
if (certHandle != CK_INVALID_HANDLE) {
*pSlot = PK11_ReferenceSlot(cert->slot);
return certHandle;
@@ -2590,7 +2550,7 @@ PK11_FindBestKEAMatch(CERTCertificate *server, void *wincx)
rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
if (rv != SECSuccess)
continue;
- if (le->slot->session == CK_INVALID_SESSION) {
+ if (le->slot->session == CK_INVALID_HANDLE) {
continue;
}
returnedCert = pk11_GetKEAMate(le->slot, server);
@@ -2628,36 +2588,51 @@ PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, PK11SlotInfo *slot2,
return SECFailure;
}
-/*
- * return the private key From a given Cert
- */
CK_OBJECT_HANDLE
-PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
+PK11_FindEncodedCertInSlot(PK11SlotInfo *slot, SECItem *derCert, void *wincx)
{
+ if (!slot || !derCert) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
CK_ATTRIBUTE theTemplate[] = {
{ CKA_VALUE, NULL, 0 },
{ CKA_CLASS, NULL, 0 }
};
- /* if you change the array, change the variable below as well */
- int tsize = sizeof(theTemplate) / sizeof(theTemplate[0]);
+ const size_t tsize = sizeof(theTemplate) / sizeof(theTemplate[0]);
CK_ATTRIBUTE *attrs = theTemplate;
- SECStatus rv;
- PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
- cert->derCert.len);
+ PK11_SETATTRS(attrs, CKA_VALUE, derCert->data, derCert->len);
attrs++;
PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
- /*
- * issue the find
- */
- rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
+ SECStatus rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
if (rv != SECSuccess) {
return CK_INVALID_HANDLE;
}
- return pk11_getcerthandle(slot, cert, theTemplate, tsize);
+ return pk11_FindObjectByTemplate(slot, theTemplate, tsize);
+}
+
+CK_OBJECT_HANDLE
+PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
+{
+ CK_OBJECT_HANDLE certh;
+
+ if (cert->slot == slot) {
+ certh = cert->pkcs11ID;
+ if ((certh == CK_INVALID_HANDLE) ||
+ (cert->series != slot->series)) {
+ certh = PK11_FindEncodedCertInSlot(slot, &cert->derCert, wincx);
+ cert->pkcs11ID = certh;
+ cert->series = slot->series;
+ }
+ } else {
+ certh = PK11_FindEncodedCertInSlot(slot, &cert->derCert, wincx);
+ }
+ return certh;
}
/* Looking for PK11_GetKeyIDFromCert?
@@ -2785,30 +2760,12 @@ SECItem *
PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
CERTCertificate *cert, void *wincx)
{
- CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
- CK_ATTRIBUTE theTemplate[] = {
- { CKA_VALUE, NULL, 0 },
- { CKA_CLASS, NULL, 0 }
- };
- /* if you change the array, change the variable below as well */
- int tsize = sizeof(theTemplate) / sizeof(theTemplate[0]);
CK_OBJECT_HANDLE certHandle;
- CK_ATTRIBUTE *attrs = theTemplate;
PK11SlotInfo *slotRef = NULL;
SECItem *item;
- SECStatus rv;
if (slot) {
- PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
- cert->derCert.len);
- attrs++;
- PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
-
- rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
- if (rv != SECSuccess) {
- return NULL;
- }
- certHandle = pk11_getcerthandle(slot, cert, theTemplate, tsize);
+ certHandle = PK11_FindCertInSlot(slot, cert, wincx);
} else {
certHandle = PK11_FindObjectForCert(cert, wincx, &slotRef);
if (certHandle == CK_INVALID_HANDLE) {
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-04 06:18:10 +0000