summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/certdb
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/certdb')
-rw-r--r--security/nss/lib/certdb/alg1485.c22
-rw-r--r--security/nss/lib/certdb/cert.h8
-rw-r--r--security/nss/lib/certdb/certdb.c1
-rw-r--r--security/nss/lib/certdb/crl.c3
-rw-r--r--security/nss/lib/certdb/stanpcertdb.c56
5 files changed, 71 insertions, 19 deletions
diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c
index 38b2fe4b5..9a69c5bc5 100644
--- a/security/nss/lib/certdb/alg1485.c
+++ b/security/nss/lib/certdb/alg1485.c
@@ -703,14 +703,19 @@ CERT_GetOidString(const SECItem* oid)
return NULL;
}
+ /* If the OID has length 1, we bail. */
+ if (oid->len < 2) {
+ return NULL;
+ }
+
/* first will point to the next sequence of bytes to decode */
first = (PRUint8*)oid->data;
/* stop points to one past the legitimate data */
stop = &first[oid->len];
/*
- * Check for our pseudo-encoded single-digit OIDs
- */
+ * Check for our pseudo-encoded single-digit OIDs
+ */
if ((*first == 0x80) && (2 == oid->len)) {
/* Funky encoding. The second byte is the number */
rvString = PR_smprintf("%lu", (PRUint32)first[1]);
@@ -728,6 +733,10 @@ CERT_GetOidString(const SECItem* oid)
break;
}
}
+ /* There's no first bit set, so this isn't valid. Bail.*/
+ if (last == stop) {
+ goto unsupported;
+ }
bytesBeforeLast = (unsigned int)(last - first);
if (bytesBeforeLast <= 3U) { /* 0-28 bit number */
PRUint32 n = 0;
@@ -748,12 +757,12 @@ CERT_GetOidString(const SECItem* oid)
CASE(2, 0x7f);
CASE(1, 0x7f);
case 0:
- n |=
- last[0] & 0x7f;
+ n |= last[0] & 0x7f;
break;
}
- if (last[0] & 0x80)
+ if (last[0] & 0x80) {
goto unsupported;
+ }
if (!rvString) {
/* This is the first number.. decompose it */
@@ -1305,8 +1314,7 @@ CERT_GetCertificateEmailAddress(CERTCertificate* cert)
}
} else if (current->type == certRFC822Name) {
rawEmailAddr =
- (char*)PORT_ArenaZAlloc(cert->arena, current->name.other.len +
- 1);
+ (char*)PORT_ArenaZAlloc(cert->arena, current->name.other.len + 1);
if (!rawEmailAddr) {
goto finish;
}
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
index 4224da108..c76a5a9b0 100644
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -504,6 +504,8 @@ extern CERTCertificate *CERT_FindCertByKeyID(CERTCertDBHandle *handle,
*/
extern CERTCertificate *CERT_FindCertByIssuerAndSN(
CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN);
+extern CERTCertificate *CERT_FindCertByIssuerAndSNCX(
+ CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN, void *wincx);
/*
** Find a certificate in the database by a subject key ID
@@ -547,6 +549,9 @@ CERTCertificate *CERT_FindCertByEmailAddr(CERTCertDBHandle *handle,
*/
CERTCertificate *CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle,
const char *name);
+CERTCertificate *CERT_FindCertByNicknameOrEmailAddrCX(CERTCertDBHandle *handle,
+ const char *name,
+ void *wincx);
/*
** Find a certificate in the database by a email address or nickname
@@ -555,6 +560,9 @@ CERTCertificate *CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle,
*/
CERTCertificate *CERT_FindCertByNicknameOrEmailAddrForUsage(
CERTCertDBHandle *handle, const char *name, SECCertUsage lookingForUsage);
+CERTCertificate *CERT_FindCertByNicknameOrEmailAddrForUsageCX(
+ CERTCertDBHandle *handle, const char *name, SECCertUsage lookingForUsage,
+ void *wincx);
/*
** Find a certificate in the database by a digest of a subject public key
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 7864edc08..1a676a720 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1192,6 +1192,7 @@ CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage)
case rsaKey:
requiredUsage |= KU_KEY_ENCIPHERMENT;
break;
+ case rsaPssKey:
case dsaKey:
requiredUsage |= KU_DIGITAL_SIGNATURE;
break;
diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c
index 87469085e..d1c48dfba 100644
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -1294,8 +1294,7 @@ DPCache_AddCRL(CRLDPCache* cache, CachedCrl* newcrl, PRBool* added)
}
}
- newcrls = (CachedCrl**)PORT_Realloc(cache->crls, (cache->ncrls + 1) *
- sizeof(CachedCrl*));
+ newcrls = (CachedCrl**)PORT_Realloc(cache->crls, (cache->ncrls + 1) * sizeof(CachedCrl*));
if (!newcrls) {
return SECFailure;
}
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
index 4d42bd50d..beaa66040 100644
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -457,15 +457,15 @@ __CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
return CERT_NewTempCertificate(handle, derCert, nickname, isperm, copyDER);
}
-/* maybe all the wincx's should be some const for internal token login? */
-CERTCertificate *
-CERT_FindCertByIssuerAndSN(CERTCertDBHandle *handle,
- CERTIssuerAndSN *issuerAndSN)
+static CERTCertificate *
+common_FindCertByIssuerAndSN(CERTCertDBHandle *handle,
+ CERTIssuerAndSN *issuerAndSN,
+ void *wincx)
{
PK11SlotInfo *slot;
CERTCertificate *cert;
- cert = PK11_FindCertByIssuerAndSN(&slot, issuerAndSN, NULL);
+ cert = PK11_FindCertByIssuerAndSN(&slot, issuerAndSN, wincx);
if (cert && slot) {
PK11_FreeSlot(slot);
}
@@ -473,6 +473,23 @@ CERT_FindCertByIssuerAndSN(CERTCertDBHandle *handle,
return cert;
}
+/* maybe all the wincx's should be some const for internal token login? */
+CERTCertificate *
+CERT_FindCertByIssuerAndSN(CERTCertDBHandle *handle,
+ CERTIssuerAndSN *issuerAndSN)
+{
+ return common_FindCertByIssuerAndSN(handle, issuerAndSN, NULL);
+}
+
+/* maybe all the wincx's should be some const for internal token login? */
+CERTCertificate *
+CERT_FindCertByIssuerAndSNCX(CERTCertDBHandle *handle,
+ CERTIssuerAndSN *issuerAndSN,
+ void *wincx)
+{
+ return common_FindCertByIssuerAndSN(handle, issuerAndSN, wincx);
+}
+
static NSSCertificate *
get_best_temp_or_perm(NSSCertificate *ct, NSSCertificate *cp)
{
@@ -587,7 +604,8 @@ CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
static CERTCertificate *
common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
const char *name, PRBool anyUsage,
- SECCertUsage lookingForUsage)
+ SECCertUsage lookingForUsage,
+ void *wincx)
{
NSSCryptoContext *cc;
NSSCertificate *c, *ct;
@@ -620,7 +638,7 @@ common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
}
if (anyUsage) {
- cert = PK11_FindCertFromNickname(name, NULL);
+ cert = PK11_FindCertFromNickname(name, wincx);
} else {
if (ct) {
/* Does ct really have the required usage? */
@@ -632,7 +650,7 @@ common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
}
}
- certlist = PK11_FindCertsFromNickname(name, NULL);
+ certlist = PK11_FindCertsFromNickname(name, wincx);
if (certlist) {
SECStatus rv =
CERT_FilterCertListByUsage(certlist, lookingForUsage, PR_FALSE);
@@ -659,7 +677,15 @@ CERTCertificate *
CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name)
{
return common_FindCertByNicknameOrEmailAddrForUsage(handle, name, PR_TRUE,
- 0);
+ 0, NULL);
+}
+
+CERTCertificate *
+CERT_FindCertByNicknameOrEmailAddrCX(CERTCertDBHandle *handle, const char *name,
+ void *wincx)
+{
+ return common_FindCertByNicknameOrEmailAddrForUsage(handle, name, PR_TRUE,
+ 0, wincx);
}
CERTCertificate *
@@ -668,7 +694,17 @@ CERT_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
SECCertUsage lookingForUsage)
{
return common_FindCertByNicknameOrEmailAddrForUsage(handle, name, PR_FALSE,
- lookingForUsage);
+ lookingForUsage, NULL);
+}
+
+CERTCertificate *
+CERT_FindCertByNicknameOrEmailAddrForUsageCX(CERTCertDBHandle *handle,
+ const char *name,
+ SECCertUsage lookingForUsage,
+ void *wincx)
+{
+ return common_FindCertByNicknameOrEmailAddrForUsage(handle, name, PR_FALSE,
+ lookingForUsage, wincx);
}
static void