Back to index

lightning-sunbird  0.9+nobinonly
Classes | Defines | Typedefs | Functions | Variables
pk11cert.c File Reference
#include "secport.h"
#include "seccomon.h"
#include "secmod.h"
#include "secmodi.h"
#include "secmodti.h"
#include "pkcs11.h"
#include "pk11func.h"
#include "cert.h"
#include "certi.h"
#include "secitem.h"
#include "key.h"
#include "secoid.h"
#include "pkcs7t.h"
#include "cmsreclist.h"
#include "certdb.h"
#include "secerr.h"
#include "sslerr.h"
#include "pki3hack.h"
#include "dev3hack.h"
#include "devm.h"
#include "nsspki.h"
#include "pki.h"
#include "pkim.h"
#include "pkitm.h"
#include "pkistore.h"
#include "devt.h"

Go to the source code of this file.

Classes

struct  nss3_cert_cbstr
struct  pk11DoCertCallbackStr
struct  pk11CertCallbackStr
struct  fake_der_cb_argstr
struct  listCertsStr
struct  ListCertsArg

Defines

#define NSS_3_4_CODE
#define MAX_CERT_ID   4
#define DEFAULT_STRING   "Cert ID "
#define SEC_OID_MISSI_KEA   300 /* until we have v3 stuff merged */

Typedefs

typedef struct
pk11DoCertCallbackStr 
pk11DoCertCallback
typedef struct pk11CertCallbackStr pk11CertCallback

Functions

static PRStatus convert_cert (NSSCertificate *c, void *arg)
static int toHex (int x)
static char * pk11_buildNickname (PK11SlotInfo *slot, CK_ATTRIBUTE *cert_label, CK_ATTRIBUTE *key_label, CK_ATTRIBUTE *cert_id)
PRBool PK11_IsUserCert (PK11SlotInfo *slot, CERTCertificate *cert, CK_OBJECT_HANDLE certID)
PRBool pk11_isID0 (PK11SlotInfo *slot, CK_OBJECT_HANDLE certID)
static CERTCertificate * pk11_fastCert (PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, CK_ATTRIBUTE *privateLabel, char **nickptr)
CERTCertificate * PK11_MakeCertFromHandle (PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, CK_ATTRIBUTE *privateLabel)
CERTCertificate * PK11_GetCertFromPrivateKey (SECKEYPrivateKey *privKey)
SECStatus PK11_DeleteTokenCertAndKey (CERTCertificate *cert, void *wincx)
static SECStatus fake_der_cb (CERTCertificate *c, void *a)
SECStatus PK11_TraverseSlotCerts (SECStatus(*callback)(CERTCertificate *, SECItem *, void *), void *arg, void *wincx)
static void transfer_token_certs_to_collection (nssList *certList, NSSToken *token, nssPKIObjectCollection *collection)
CERTCertificate * PK11_FindCertFromNickname (char *nickname, void *wincx)
CERTCertList * PK11_FindCertsFromNickname (char *nickname, void *wincx)
SECItem * PK11_GetPubIndexKeyID (CERTCertificate *cert)
SECItem * pk11_mkcertKeyID (CERTCertificate *cert)
SECStatus PK11_ImportCert (PK11SlotInfo *slot, CERTCertificate *cert, CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust)
SECStatus PK11_ImportDERCert (PK11SlotInfo *slot, SECItem *derCert, CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust)
CK_OBJECT_HANDLE pk11_getcerthandle (PK11SlotInfo *slot, CERTCertificate *cert, CK_ATTRIBUTE *theTemplate, int tsize)
SECKEYPrivateKey * PK11_FindPrivateKeyFromCert (PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
PK11SlotInfo * PK11_KeyForCertExists (CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr, void *wincx)
PK11SlotInfo * PK11_KeyForDERCertExists (SECItem *derCert, CK_OBJECT_HANDLE *keyPtr, void *wincx)
PK11SlotInfo * PK11_ImportCertForKey (CERTCertificate *cert, char *nickname, void *wincx)
PK11SlotInfo * PK11_ImportDERCertForKey (SECItem *derCert, char *nickname, void *wincx)
static CK_OBJECT_HANDLE pk11_FindCertObjectByTemplate (PK11SlotInfo **slotPtr, CK_ATTRIBUTE *searchTemplate, int count, void *wincx)
CERTCertificate * PK11_FindCertByIssuerAndSNOnToken (PK11SlotInfo *slot, CERTIssuerAndSN *issuerSN, void *wincx)
static CERTCertificate * pk11_FindCertObjectByRecipientNew (PK11SlotInfo *slot, NSSCMSRecipient **recipientlist, int *rlIndex, void *pwarg)
static CERTCertificate * pk11_AllFindCertObjectByRecipientNew (NSSCMSRecipient **recipientlist, void *wincx, int *rlIndex)
static CERTCertificate * pk11_FindCertObjectByRecipient (PK11SlotInfo *slot, SEC_PKCS7RecipientInfo **recipientArray, SEC_PKCS7RecipientInfo **rip, void *pwarg)
static CERTCertificate * pk11_AllFindCertObjectByRecipient (PK11SlotInfo **slotPtr, SEC_PKCS7RecipientInfo **recipientArray, SEC_PKCS7RecipientInfo **rip, void *wincx)
CERTCertificate * PK11_FindCertAndKeyByRecipientList (PK11SlotInfo **slotPtr, SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip, SECKEYPrivateKey **privKey, void *wincx)
static PRStatus PR_CALLBACK pk11_keyIDHash_populate (void *wincx)
int PK11_FindCertAndKeyByRecipientListNew (NSSCMSRecipient **recipientlist, void *wincx)
CERTCertificate * PK11_FindCertByIssuerAndSN (PK11SlotInfo **slotPtr, CERTIssuerAndSN *issuerSN, void *wincx)
CK_OBJECT_HANDLE PK11_FindObjectForCert (CERTCertificate *cert, void *wincx, PK11SlotInfo **pSlot)
SECKEYPrivateKey * PK11_FindKeyByAnyCert (CERTCertificate *cert, void *wincx)
CK_OBJECT_HANDLE pk11_FindPubKeyByAnyCert (CERTCertificate *cert, PK11SlotInfo **slot, void *wincx)
int PK11_NumberCertsForCertSubject (CERTCertificate *cert)
SECStatus PK11_TraverseCertsForSubject (CERTCertificate *cert, SECStatus(*callback)(CERTCertificate *, void *), void *arg)
SECStatus PK11_TraverseCertsForSubjectInSlot (CERTCertificate *cert, PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *), void *arg)
SECStatus PK11_TraverseCertsForNicknameInSlot (SECItem *nickname, PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *), void *arg)
SECStatus PK11_TraverseCertsInSlot (PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *), void *arg)
CERTCertificate * PK11_FindCertFromDERCert (PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
CERTCertificate * PK11_FindCertFromDERCertItem (PK11SlotInfo *slot, SECItem *inDerCert, void *wincx)
CERTCertificate * PK11_FindCertFromDERSubjectAndNickname (PK11SlotInfo *slot, CERTCertificate *cert, char *nickname, void *wincx)
static CK_OBJECT_HANDLE pk11_findKeyObjectByDERCert (PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
SECKEYPrivateKey * PK11_FindKeyByDERCert (PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
SECStatus PK11_ImportCertForKeyToSlot (PK11SlotInfo *slot, CERTCertificate *cert, char *nickname, PRBool addCertUsage, void *wincx)
PRBool KEAPQGCompare (CERTCertificate *server, CERTCertificate *cert)
PRBool PK11_FortezzaHasKEA (CERTCertificate *cert)
static CERTCertificate * pk11_GetKEAMate (PK11SlotInfo *slot, CERTCertificate *peer)
CERTCertificate * PK11_FindBestKEAMatch (CERTCertificate *server, void *wincx)
SECStatus PK11_GetKEAMatchedCerts (PK11SlotInfo *slot1, PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2)
CK_OBJECT_HANDLE PK11_FindCertInSlot (PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
SECItem * PK11_GetKeyIDFromCert (CERTCertificate *cert, void *wincx)
static PRStatus pk11ListCertCallback (NSSCertificate *c, void *arg)
CERTCertList * PK11_ListCerts (PK11CertListType type, void *pwarg)
SECItem * PK11_GetLowLevelKeyIDForCert (PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
static SECStatus listCertsCallback (CERTCertificate *cert, void *arg)
CERTCertList * PK11_ListCertsInSlot (PK11SlotInfo *slot)

Variables

const NSSError NSS_ERROR_NOT_FOUND
const NSSError NSS_ERROR_INVALID_CERTIFICATE
static PRCallOnceType keyIDHashCallOnce

Class Documentation

struct listCertsStr

Definition at line 2262 of file pk11cert.c.

Class Members
CERTCertList * certList
PK11CertListType type
struct ListCertsArg

Definition at line 2414 of file pk11cert.c.

Class Members
CERTCertList * list
PK11SlotInfo * slot

Define Documentation

#define DEFAULT_STRING   "Cert ID "

Definition at line 104 of file pk11cert.c.

Definition at line 103 of file pk11cert.c.

Definition at line 61 of file pk11cert.c.

#define SEC_OID_MISSI_KEA   300 /* until we have v3 stuff merged */

Definition at line 2076 of file pk11cert.c.


Typedef Documentation


Function Documentation

static PRStatus convert_cert ( NSSCertificate *  c,
void arg 
) [static]

Definition at line 86 of file pk11cert.c.

{
    CERTCertificate *nss3cert;
    SECStatus secrv;
    struct nss3_cert_cbstr *nss3cb = (struct nss3_cert_cbstr *)arg;
    /* 'c' is not adopted. caller will free it */
    nss3cert = STAN_GetCERTCertificate(c);
    if (!nss3cert) return PR_FAILURE;
    secrv = (*nss3cb->callback)(nss3cert, nss3cb->arg);
    return (secrv) ? PR_FAILURE : PR_SUCCESS;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static SECStatus fake_der_cb ( CERTCertificate *  c,
void a 
) [static]

Definition at line 466 of file pk11cert.c.

{
    struct fake_der_cb_argstr *fda = (struct fake_der_cb_argstr *)a;
    return (*fda->callback)(c, &c->derCert, fda->arg);
}

Here is the caller graph for this function:

PRBool KEAPQGCompare ( CERTCertificate *  server,
CERTCertificate *  cert 
)

Definition at line 2078 of file pk11cert.c.

                                                             {

    if ( SECKEY_KEAParamCompare(server,cert) == SECEqual ) {
        return PR_TRUE;
    } else {
       return PR_FALSE;
    }
}

Here is the call graph for this function:

static SECStatus listCertsCallback ( CERTCertificate *  cert,
void arg 
) [static]

Definition at line 2404 of file pk11cert.c.

{
    ListCertsArg *cdata = (ListCertsArg*)arg;
    char *nickname = NULL;
    nssCryptokiObject *instance, **ci;
    nssCryptokiObject **instances;
    NSSCertificate *c = STAN_GetNSSCertificate(cert);

    instances = nssPKIObject_GetInstances(&c->object);
    if (!instances) {
        return SECFailure;
    }
    instance = NULL;
    for (ci = instances; *ci; ci++) {
       if ((*ci)->token->pk11slot == cdata->slot) {
           instance = *ci;
           break;
       }
    }
    PORT_Assert(instance != NULL);
    if (!instance) {
       nssCryptokiObjectArray_Destroy(instances);
       PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
       return SECFailure;
    }
    nickname = STAN_GetCERTCertificateNameForInstance(cdata->list->arena,
       c, instance);
    nssCryptokiObjectArray_Destroy(instances);

    return CERT_AddCertToListTailWithData(cdata->list, 
                            CERT_DupCertificate(cert),nickname);
}

Here is the call graph for this function:

Here is the caller graph for this function:

static CERTCertificate* pk11_AllFindCertObjectByRecipient ( PK11SlotInfo **  slotPtr,
SEC_PKCS7RecipientInfo **  recipientArray,
SEC_PKCS7RecipientInfo **  rip,
void wincx 
) [static]

Definition at line 1351 of file pk11cert.c.

                                                              {
    PK11SlotList *list;
    PK11SlotListElement *le;
    CERTCertificate * cert = NULL;
    PK11SlotInfo *slot = NULL;
    SECStatus rv;

    *slotPtr = NULL;

    /* get them all! */
    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
    if (list == NULL) {
       return CK_INVALID_HANDLE;
    }

    *rip = NULL;

    /* Look for the slot that holds the Key */
    for (le = list->head ; le; le = le->next) {
       rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx);
       if (rv != SECSuccess) continue;

       cert = pk11_FindCertObjectByRecipient(le->slot, recipientArray, 
                                                 rip, wincx);
       if (cert) {
           slot = PK11_ReferenceSlot(le->slot);
           break;
       }
    }

    PK11_FreeSlotList(list);

    if (slot == NULL) {
       return NULL;
    }
    *slotPtr = slot;
    PORT_Assert(cert != NULL);
    return cert;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static CERTCertificate* pk11_AllFindCertObjectByRecipientNew ( NSSCMSRecipient **  recipientlist,
void wincx,
int rlIndex 
) [static]

Definition at line 1285 of file pk11cert.c.

{
    PK11SlotList *list;
    PK11SlotListElement *le;
    CERTCertificate *cert = NULL;
    SECStatus rv;

    /* get them all! */
    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
    if (list == NULL) {
       return CK_INVALID_HANDLE;
    }

    /* Look for the slot that holds the Key */
    for (le = list->head ; le; le = le->next) {
       rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx);
       if (rv != SECSuccess) continue;

       cert = pk11_FindCertObjectByRecipientNew(le->slot, 
                                   recipientlist, rlIndex, wincx);
       if (cert)
           break;
    }

    PK11_FreeSlotList(list);

    return cert;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static char* pk11_buildNickname ( PK11SlotInfo *  slot,
CK_ATTRIBUTE cert_label,
CK_ATTRIBUTE key_label,
CK_ATTRIBUTE cert_id 
) [static]

Definition at line 106 of file pk11cert.c.

{
    int prefixLen = PORT_Strlen(slot->token_name);
    int suffixLen = 0;
    char *suffix = NULL;
    char buildNew[sizeof(DEFAULT_STRING)+MAX_CERT_ID*2];
    char *next,*nickname;

    if (cert_label && (cert_label->ulValueLen)) {
       suffixLen = cert_label->ulValueLen;
       suffix = (char*)cert_label->pValue;
    } else if (key_label && (key_label->ulValueLen)) {
       suffixLen = key_label->ulValueLen;
       suffix = (char*)key_label->pValue;
    } else if (cert_id && cert_id->ulValueLen > 0) {
       int i,first = cert_id->ulValueLen - MAX_CERT_ID;
       int offset = sizeof(DEFAULT_STRING);
       char *idValue = (char *)cert_id->pValue;

       PORT_Memcpy(buildNew,DEFAULT_STRING,sizeof(DEFAULT_STRING)-1);
       next = buildNew + offset;
       if (first < 0) first = 0;
       for (i=first; i < (int) cert_id->ulValueLen; i++) {
              *next++ = toHex((idValue[i] >> 4) & 0xf);
              *next++ = toHex(idValue[i] & 0xf);
       }
       *next++ = 0;
       suffix = buildNew;
       suffixLen = PORT_Strlen(buildNew);
    } else {
       PORT_SetError( SEC_ERROR_LIBRARY_FAILURE );
       return NULL;
    }

    /* if is internal key slot, add code to skip the prefix!! */
    next = nickname = (char *)PORT_Alloc(prefixLen+1+suffixLen+1);
    if (nickname == NULL) return NULL;

    PORT_Memcpy(next,slot->token_name,prefixLen);
    next += prefixLen;
    *next++ = ':';
    PORT_Memcpy(next,suffix,suffixLen);
    next += suffixLen;
    *next++ = 0;
    return nickname;
}

Here is the call graph for this function:

Here is the caller graph for this function:

SECStatus PK11_DeleteTokenCertAndKey ( CERTCertificate *  cert,
void wincx 
)

Definition at line 425 of file pk11cert.c.

{
    SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert(cert,wincx);
    CK_OBJECT_HANDLE pubKey;
    PK11SlotInfo *slot = NULL;

    pubKey = pk11_FindPubKeyByAnyCert(cert, &slot, wincx);
    if (privKey) {
       /* For 3.4, utilize the generic cert delete function */
       SEC_DeletePermCertificate(cert);
       PK11_DeleteTokenPrivateKey(privKey, PR_FALSE);
    }
    if ((pubKey != CK_INVALID_HANDLE) && (slot != NULL)) { 
       PK11_DestroyTokenObject(slot,pubKey);
        PK11_FreeSlot(slot);
    }
    return SECSuccess;
}

Here is the call graph for this function:

static CERTCertificate* pk11_fastCert ( PK11SlotInfo *  slot,
CK_OBJECT_HANDLE  certID,
CK_ATTRIBUTE privateLabel,
char **  nickptr 
) [static]

Definition at line 259 of file pk11cert.c.

{
    NSSCertificate *c;
    nssCryptokiObject *co;
    nssPKIObject *pkio;
    NSSToken *token;
    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();

    /* Get the cryptoki object from the handle */
    token = PK11Slot_GetNSSToken(slot);
    co = nssCryptokiObject_Create(token, token->defaultSession, certID);
    if (!co) {
       return NULL;
    }

    /* Create a PKI object from the cryptoki instance */
    pkio = nssPKIObject_Create(NULL, co, td, NULL, nssPKIMonitor);
    if (!pkio) {
       nssCryptokiObject_Destroy(co);
       return NULL;
    }

    /* Create a certificate */
    c = nssCertificate_Create(pkio);
    if (!c) {
       nssPKIObject_Destroy(pkio);
       return NULL;
    }

    nssTrustDomain_AddCertsToCache(td, &c, 1);

    /* Build the old-fashioned nickname */
    if ((nickptr) && (co->label)) {
       CK_ATTRIBUTE label, id;
       label.type = CKA_LABEL;
       label.pValue = co->label;
       label.ulValueLen = PORT_Strlen(co->label);
       id.type = CKA_ID;
       id.pValue = c->id.data;
       id.ulValueLen = c->id.size;
       *nickptr = pk11_buildNickname(slot, &label, privateLabel, &id);
    }
    return STAN_GetCERTCertificateOrRelease(c);
}

Here is the call graph for this function:

Here is the caller graph for this function:

CERTCertificate* PK11_FindBestKEAMatch ( CERTCertificate *  server,
void wincx 
)

Definition at line 2132 of file pk11cert.c.

{
    PK11SlotList *keaList = PK11_GetAllTokens(CKM_KEA_KEY_DERIVE,
                                                 PR_FALSE,PR_TRUE,wincx);
    PK11SlotListElement *le;
    CERTCertificate *returnedCert = NULL;
    SECStatus rv;

    /* loop through all the fortezza tokens */
    for (le = keaList->head; le; le = le->next) {
        rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
        if (rv != SECSuccess) continue;
       if (le->slot->session == CK_INVALID_SESSION) {
           continue;
       }
       returnedCert = pk11_GetKEAMate(le->slot,server);
       if (returnedCert) break;
    }
    PK11_FreeSlotList(keaList);

    return returnedCert;
}

Here is the call graph for this function:

CERTCertificate* PK11_FindCertAndKeyByRecipientList ( PK11SlotInfo **  slotPtr,
SEC_PKCS7RecipientInfo **  array,
SEC_PKCS7RecipientInfo **  rip,
SECKEYPrivateKey **  privKey,
void wincx 
)

Definition at line 1401 of file pk11cert.c.

{
    CERTCertificate *cert = NULL;

    *privKey = NULL;
    *slotPtr = NULL;
    cert = pk11_AllFindCertObjectByRecipient(slotPtr,array,rip,wincx);
    if (!cert) {
       return NULL;
    }

    *privKey = PK11_FindKeyByAnyCert(cert, wincx);
    if (*privKey == NULL) {
       goto loser;
    }

    return cert;
loser:
    if (cert) CERT_DestroyCertificate(cert);
    if (*slotPtr) PK11_FreeSlot(*slotPtr);
    *slotPtr = NULL;
    return NULL;
}

Here is the call graph for this function:

int PK11_FindCertAndKeyByRecipientListNew ( NSSCMSRecipient **  recipientlist,
void wincx 
)

Definition at line 1461 of file pk11cert.c.

{
    CERTCertificate *cert;
    NSSCMSRecipient *rl;
    PRStatus rv;
    int rlIndex;

    rv = PR_CallOnceWithArg(&keyIDHashCallOnce, pk11_keyIDHash_populate, wincx);
    if (rv != PR_SUCCESS)
       return -1;

    cert = pk11_AllFindCertObjectByRecipientNew(recipientlist, wincx, &rlIndex);
    if (!cert) {
       return -1;
    }

    rl = recipientlist[rlIndex];

    /* at this point, rl->slot is set */

    rl->privkey = PK11_FindKeyByAnyCert(cert, wincx);
    if (rl->privkey == NULL) {
       goto loser;
    }

    /* make a cert from the cert handle */
    rl->cert = cert;
    return rlIndex;

loser:
    if (cert) CERT_DestroyCertificate(cert);
    if (rl->slot) PK11_FreeSlot(rl->slot);
    rl->slot = NULL;
    return -1;
}

Here is the call graph for this function:

CERTCertificate* PK11_FindCertByIssuerAndSN ( PK11SlotInfo **  slotPtr,
CERTIssuerAndSN *  issuerSN,
void wincx 
)

Definition at line 1498 of file pk11cert.c.

{
    CERTCertificate *rvCert = NULL;
    NSSCertificate *cert;
    NSSDER issuer, serial;
    NSSCryptoContext *cc;
    SECItem *derSerial;

    if (slotPtr) *slotPtr = NULL;

    /* PKCS#11 needs to use DER-encoded serial numbers.  Create a
     * CERTIssuerAndSN that actually has the encoded value and pass that
     * to PKCS#11 (and the crypto context).
     */
    derSerial = SEC_ASN1EncodeItem(NULL, NULL,
                                   &issuerSN->serialNumber,
                                   SEC_IntegerTemplate);
    if (!derSerial) {
       return NULL;
    }

    NSSITEM_FROM_SECITEM(&issuer, &issuerSN->derIssuer);
    NSSITEM_FROM_SECITEM(&serial, derSerial);

    cc = STAN_GetDefaultCryptoContext();
    cert = NSSCryptoContext_FindCertificateByIssuerAndSerialNumber(cc, 
                                                                &issuer, 
                                                                &serial);
    if (cert) {
       SECITEM_FreeItem(derSerial, PR_TRUE);
       return STAN_GetCERTCertificateOrRelease(cert);
    }

    do {
       /* free the old cert on retry. Associated slot was not present */
       if (rvCert) {
           CERT_DestroyCertificate(rvCert);
           rvCert = NULL;
       }

       cert = NSSTrustDomain_FindCertificateByIssuerAndSerialNumber(
                                                  STAN_GetDefaultTrustDomain(),
                                                  &issuer,
                                                  &serial);
       if (!cert) {
           break;
       }

       rvCert = STAN_GetCERTCertificateOrRelease(cert);
       if (rvCert == NULL) {
          break;
       }

       /* Check to see if the cert's token is still there */
    } while (!PK11_IsPresent(rvCert->slot));

    if (rvCert && slotPtr) *slotPtr = PK11_ReferenceSlot(rvCert->slot);

    SECITEM_FreeItem(derSerial, PR_TRUE);
    return rvCert;
}

Here is the call graph for this function:

CERTCertificate* PK11_FindCertByIssuerAndSNOnToken ( PK11SlotInfo *  slot,
CERTIssuerAndSN *  issuerSN,
void wincx 
)

Definition at line 1158 of file pk11cert.c.

{
    CERTCertificate *rvCert = NULL;
    NSSCertificate *cert = NULL;
    NSSDER issuer, serial;
    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
    NSSToken *token = slot->nssToken;
    nssSession *session;
    nssCryptokiObject *instance = NULL;
    nssPKIObject *object = NULL;
    SECItem *derSerial;
    PRStatus status;

    /* Paranoia */
    if (token == NULL) {
       PORT_SetError(SEC_ERROR_NO_TOKEN);
       return NULL;
    }


    /* PKCS#11 needs to use DER-encoded serial numbers.  Create a
     * CERTIssuerAndSN that actually has the encoded value and pass that
     * to PKCS#11 (and the crypto context).
     */
    derSerial = SEC_ASN1EncodeItem(NULL, NULL,
                                   &issuerSN->serialNumber,
                                   SEC_IntegerTemplate);
    if (!derSerial) {
       return NULL;
    }

    NSSITEM_FROM_SECITEM(&issuer, &issuerSN->derIssuer);
    NSSITEM_FROM_SECITEM(&serial, derSerial);

    session = nssToken_GetDefaultSession(token);
    if (!session) {
       goto loser;
    }

    instance = nssToken_FindCertificateByIssuerAndSerialNumber(token,session,
              &issuer, &serial, nssTokenSearchType_TokenForced, &status);

    SECITEM_FreeItem(derSerial, PR_TRUE);

    if (!instance) {
       goto loser;
    }
    object = nssPKIObject_Create(NULL, instance, td, NULL, nssPKIMonitor);
    if (!object) {
       goto loser;
    }
    instance = NULL; /* adopted by the previous call */
    cert = nssCertificate_Create(object);
    if (!cert) {
       goto loser;
    }
    object = NULL; /* adopted by the previous call */
    nssTrustDomain_AddCertsToCache(td, &cert,1);
    /* on failure, cert is freed below */
    rvCert = STAN_GetCERTCertificate(cert);
    if (!rvCert) {
       goto loser;
    }
    return rvCert;

loser:
    if (instance) {
       nssCryptokiObject_Destroy(instance);
    }
    if (object) {
       nssPKIObject_Destroy(object);
    }
    if (cert) {
       nssCertificate_Destroy(cert);
    }
    return NULL;
}

Here is the call graph for this function:

CERTCertificate* PK11_FindCertFromDERCert ( PK11SlotInfo *  slot,
CERTCertificate *  cert,
void wincx 
)

Definition at line 1905 of file pk11cert.c.

{
    return PK11_FindCertFromDERCertItem(slot, &cert->derCert, wincx);
}

Here is the call graph for this function:

CERTCertificate* PK11_FindCertFromDERCertItem ( PK11SlotInfo *  slot,
SECItem *  inDerCert,
void wincx 
)

Definition at line 1912 of file pk11cert.c.

{
    NSSCertificate *c;
    NSSDER derCert;
    NSSToken *tok;
    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
    SECStatus rv;

    tok = PK11Slot_GetNSSToken(slot);
    NSSITEM_FROM_SECITEM(&derCert, inDerCert);
    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
    if (rv != SECSuccess) {
       PK11_FreeSlot(slot);
       return NULL;
    }
    c = NSSTrustDomain_FindCertificateByEncodedCertificate(td, &derCert);
    if (c) {
       PRBool isToken = PR_FALSE;
       NSSToken **tp;
       NSSToken **tokens = nssPKIObject_GetTokens(&c->object, NULL);
       if (tokens) {
           for (tp = tokens; *tp; tp++) {
              if (*tp == tok) {
                  isToken = PR_TRUE;
                  break;
              }
           }
           if (!isToken) {
              NSSCertificate_Destroy(c);
              c = NULL;
           }
           nssTokenArray_Destroy(tokens);
       }
    }
    return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
} 

Here is the call graph for this function:

CERTCertificate* PK11_FindCertFromDERSubjectAndNickname ( PK11SlotInfo *  slot,
CERTCertificate *  cert,
char *  nickname,
void wincx 
)

Definition at line 1956 of file pk11cert.c.

{
    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
    CK_ATTRIBUTE theTemplate[] = {
       { CKA_SUBJECT, NULL, 0 },
       { CKA_LABEL, NULL, 0 },
       { CKA_CLASS, NULL, 0 }
    };
    /* if you change the array, change the variable below as well */
    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
    CK_OBJECT_HANDLE certh;
    CK_ATTRIBUTE *attrs = theTemplate;
    SECStatus rv;

    PK11_SETATTRS(attrs, CKA_SUBJECT, cert->derSubject.data, 
                                          cert->derSubject.len); attrs++;
    PK11_SETATTRS(attrs, CKA_LABEL, nickname, PORT_Strlen(nickname));
    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));

    /*
     * issue the find
     */
    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
    if (rv != SECSuccess) return NULL;

    certh = pk11_getcerthandle(slot,cert,theTemplate,tsize);
    if (certh == CK_INVALID_HANDLE) {
       return NULL;
    }

    return PK11_MakeCertFromHandle(slot, certh, NULL);
}

Here is the call graph for this function:

CERTCertificate* PK11_FindCertFromNickname ( char *  nickname,
void wincx 
)

Definition at line 527 of file pk11cert.c.

{
    PRStatus status;
    CERTCertificate *rvCert = NULL;
    NSSCertificate *cert = NULL;
    NSSCertificate **certs = NULL;
    static const NSSUsage usage = {PR_TRUE /* ... */ };
    NSSToken *token;
    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
    PK11SlotInfo *slot = NULL;
    SECStatus rv;
    char *nickCopy;
    char *delimit = NULL;
    char *tokenName;

    nickCopy = PORT_Strdup(nickname);
    if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) {
       tokenName = nickCopy;
       nickname = delimit + 1;
       *delimit = '\0';
       /* find token by name */
       token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName);
       if (token) {
              slot = PK11_ReferenceSlot(token->pk11slot);
       }
       *delimit = ':';
    } else {
       slot = PK11_GetInternalKeySlot();
       token = PK11Slot_GetNSSToken(slot);
    }
    if (token) {
       nssList *certList;
       nssCryptokiObject **instances;
       nssPKIObjectCollection *collection;
       nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
       if (!PK11_IsPresent(slot)) {
           goto loser;
       }
       rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
       if (rv != SECSuccess) {
           goto loser;
       }
       collection = nssCertificateCollection_Create(defaultTD, NULL);
       if (!collection) {
           goto loser;
       }
       certList = nssList_Create(NULL, PR_FALSE);
       if (!certList) {
           nssPKIObjectCollection_Destroy(collection);
           goto loser;
       }
       (void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD, 
                                                         nickname, 
                                                         certList);
       transfer_token_certs_to_collection(certList, token, collection);
       instances = nssToken_FindCertificatesByNickname(token,
                                                       NULL,
                                                       nickname,
                                                       tokenOnly,
                                                       0,
                                                       &status);
       nssPKIObjectCollection_AddInstances(collection, instances, 0);
       nss_ZFreeIf(instances);
       /* if it wasn't found, repeat the process for email address */
       if (nssPKIObjectCollection_Count(collection) == 0 &&
           PORT_Strchr(nickname, '@') != NULL) 
       {
           char* lowercaseName = CERT_FixupEmailAddr(nickname);
           if (lowercaseName) {
              (void)nssTrustDomain_GetCertsForEmailAddressFromCache(defaultTD, 
                                                              lowercaseName, 
                                                              certList);
              transfer_token_certs_to_collection(certList, token, collection);
              instances = nssToken_FindCertificatesByEmail(token,
                                                      NULL,
                                                      lowercaseName,
                                                      tokenOnly,
                                                      0,
                                                      &status);
              nssPKIObjectCollection_AddInstances(collection, instances, 0);
              nss_ZFreeIf(instances);
              PORT_Free(lowercaseName);
           }
       }
       certs = nssPKIObjectCollection_GetCertificates(collection, 
                                                      NULL, 0, NULL);
       nssPKIObjectCollection_Destroy(collection);
       if (certs) {
           cert = nssCertificateArray_FindBestCertificate(certs, NULL, 
                                                          &usage, NULL);
           if (cert) {
              rvCert = STAN_GetCERTCertificateOrRelease(cert);
           }
           nssCertificateArray_Destroy(certs);
       }
       nssList_Destroy(certList);
    }
    if (slot) {
       PK11_FreeSlot(slot);
    }
    if (nickCopy) PORT_Free(nickCopy);
    return rvCert;
loser:
    if (slot) {
       PK11_FreeSlot(slot);
    }
    if (nickCopy) PORT_Free(nickCopy);
    return NULL;
}

Here is the call graph for this function:

CK_OBJECT_HANDLE PK11_FindCertInSlot ( PK11SlotInfo *  slot,
CERTCertificate *  cert,
void wincx 
)

Definition at line 2185 of file pk11cert.c.

{
    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
    CK_ATTRIBUTE theTemplate[] = {
       { CKA_VALUE, NULL, 0 },
       { CKA_CLASS, NULL, 0 }
    };
    /* if you change the array, change the variable below as well */
    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
    CK_ATTRIBUTE *attrs = theTemplate;
    SECStatus rv;

    PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
                                          cert->derCert.len); attrs++;
    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));

    /*
     * issue the find
     */
    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
    if (rv != SECSuccess) {
       return CK_INVALID_HANDLE;
    }

    return pk11_getcerthandle(slot,cert,theTemplate,tsize);
}

Here is the call graph for this function:

static CERTCertificate* pk11_FindCertObjectByRecipient ( PK11SlotInfo *  slot,
SEC_PKCS7RecipientInfo **  recipientArray,
SEC_PKCS7RecipientInfo **  rip,
void pwarg 
) [static]

Definition at line 1319 of file pk11cert.c.

{
    SEC_PKCS7RecipientInfo *ri = NULL;
    int i;

    for (i=0; (ri = recipientArray[i]) != NULL; i++) {
       CERTCertificate *cert;

       cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->issuerAndSN, 
                                                        pwarg);
        if (cert) {
           /* this isn't our cert */
           if ((cert->trust == NULL) ||
                     ((cert->trust->emailFlags & CERTDB_USER) != CERTDB_USER)) {
               CERT_DestroyCertificate(cert);
              continue;
           }
           *rip = ri;
           return cert;
       }

    }
    *rip = NULL;
    return NULL;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static CERTCertificate* pk11_FindCertObjectByRecipientNew ( PK11SlotInfo *  slot,
NSSCMSRecipient **  recipientlist,
int rlIndex,
void pwarg 
) [static]

Definition at line 1245 of file pk11cert.c.

{
    NSSCMSRecipient *ri = NULL;
    int i;

    for (i=0; (ri = recipientlist[i]) != NULL; i++) {
       CERTCertificate *cert = NULL;
       if (ri->kind == RLSubjKeyID) {
           SECItem *derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyID);
           if (derCert) {
              cert = PK11_FindCertFromDERCertItem(slot, derCert, pwarg);
              SECITEM_FreeItem(derCert, PR_TRUE);
           }
       } else {
           cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->id.issuerAndSN, 
                                               pwarg);
       }
       if (cert) {
           /* this isn't our cert */
           if ((cert->trust == NULL) ||
                     ((cert->trust->emailFlags & CERTDB_USER) != CERTDB_USER)) {
               CERT_DestroyCertificate(cert);
              continue;
           }
           ri->slot = PK11_ReferenceSlot(slot);
           *rlIndex = i;
           return cert;
       }
    }
    *rlIndex = -1;
    return NULL;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static CK_OBJECT_HANDLE pk11_FindCertObjectByTemplate ( PK11SlotInfo **  slotPtr,
CK_ATTRIBUTE searchTemplate,
int  count,
void wincx 
) [static]

Definition at line 1119 of file pk11cert.c.

                                                                    {
    PK11SlotList *list;
    PK11SlotListElement *le;
    CK_OBJECT_HANDLE certHandle = CK_INVALID_HANDLE;
    PK11SlotInfo *slot = NULL;
    SECStatus rv;

    *slotPtr = NULL;

    /* get them all! */
    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
    if (list == NULL) {
       return CK_INVALID_HANDLE;
    }


    /* Look for the slot that holds the Key */
    for (le = list->head ; le; le = le->next) {
       rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx);
       if (rv != SECSuccess) continue;

       certHandle = pk11_FindObjectByTemplate(le->slot,searchTemplate,count);
       if (certHandle != CK_INVALID_HANDLE) {
           slot = PK11_ReferenceSlot(le->slot);
           break;
       }
    }

    PK11_FreeSlotList(list);

    if (slot == NULL) {
       return CK_INVALID_HANDLE;
    }
    *slotPtr = slot;
    return certHandle;
}

Here is the call graph for this function:

Here is the caller graph for this function:

CERTCertList* PK11_FindCertsFromNickname ( char *  nickname,
void wincx 
)

Definition at line 638 of file pk11cert.c.

{
    char *nickCopy;
    char *delimit = NULL;
    char *tokenName;
    int i;
    CERTCertList *certList = NULL;
    nssPKIObjectCollection *collection = NULL;
    NSSCertificate **foundCerts = NULL;
    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
    NSSCertificate *c;
    NSSToken *token;
    PK11SlotInfo *slot;
    SECStatus rv;

    nickCopy = PORT_Strdup(nickname);
    if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) {
       tokenName = nickCopy;
       nickname = delimit + 1;
       *delimit = '\0';
       /* find token by name */
       token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName);
       if (token) {
           slot = PK11_ReferenceSlot(token->pk11slot);
       } else {
           slot = NULL;
       }
       *delimit = ':';
    } else {
       slot = PK11_GetInternalKeySlot();
       token = PK11Slot_GetNSSToken(slot);
    }
    if (token) {
       PRStatus status;
       nssList *nameList;
       nssCryptokiObject **instances;
       nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
       rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
       if (rv != SECSuccess) {
           PK11_FreeSlot(slot);
           if (nickCopy) PORT_Free(nickCopy);
           return NULL;
       }
       collection = nssCertificateCollection_Create(defaultTD, NULL);
       if (!collection) {
           PK11_FreeSlot(slot);
           if (nickCopy) PORT_Free(nickCopy);
           return NULL;
       }
       nameList = nssList_Create(NULL, PR_FALSE);
       if (!nameList) {
           PK11_FreeSlot(slot);
           if (nickCopy) PORT_Free(nickCopy);
           return NULL;
       }
       (void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD,
                                                         nickname, 
                                                         nameList);
       transfer_token_certs_to_collection(nameList, token, collection);
       instances = nssToken_FindCertificatesByNickname(token,
                                                       NULL,
                                                       nickname,
                                                       tokenOnly,
                                                       0,
                                                       &status);
       nssPKIObjectCollection_AddInstances(collection, instances, 0);
       nss_ZFreeIf(instances);

        /* if it wasn't found, repeat the process for email address */
        if (nssPKIObjectCollection_Count(collection) == 0 &&
            PORT_Strchr(nickname, '@') != NULL) 
        {
            char* lowercaseName = CERT_FixupEmailAddr(nickname);
            if (lowercaseName) {
                (void)nssTrustDomain_GetCertsForEmailAddressFromCache(defaultTD, 
                                                                      lowercaseName, 
                                                                      nameList);
                transfer_token_certs_to_collection(nameList, token, collection);
                instances = nssToken_FindCertificatesByEmail(token,
                                                             NULL,
                                                             lowercaseName,
                                                             tokenOnly,
                                                             0,
                                                             &status);
                nssPKIObjectCollection_AddInstances(collection, instances, 0);
                nss_ZFreeIf(instances);
                PORT_Free(lowercaseName);
            }
        }

        nssList_Destroy(nameList);
       foundCerts = nssPKIObjectCollection_GetCertificates(collection,
                                                           NULL, 0, NULL);
       nssPKIObjectCollection_Destroy(collection);
    }
    if (slot) {
       PK11_FreeSlot(slot);
    }
    if (nickCopy) PORT_Free(nickCopy);
    if (foundCerts) {
       PRTime now = PR_Now();
       certList = CERT_NewCertList();
       for (i=0, c = *foundCerts; c; c = foundCerts[++i]) {
           CERTCertificate *certCert = STAN_GetCERTCertificateOrRelease(c);
           /* c may be invalid after this, don't reference it */
           if (certCert) {
               /* CERT_AddCertToListSorted adopts certCert  */
              CERT_AddCertToListSorted(certList, certCert,
                     CERT_SortCBValidity, &now);
           }
       }
       if (CERT_LIST_HEAD(certList) == NULL) {
           CERT_DestroyCertList(certList);
           certList = NULL;
       }
       /* all the certs have been adopted or freed, free the  raw array */
       nss_ZFreeIf(foundCerts);
    }
    return certList;
}

Here is the call graph for this function:

SECKEYPrivateKey* PK11_FindKeyByAnyCert ( CERTCertificate *  cert,
void wincx 
)

Definition at line 1592 of file pk11cert.c.

{
    CK_OBJECT_HANDLE certHandle;
    CK_OBJECT_HANDLE keyHandle;
    PK11SlotInfo *slot = NULL;
    SECKEYPrivateKey *privKey = NULL;
    PRBool needLogin;
    SECStatus rv;
    int err;

    certHandle = PK11_FindObjectForCert(cert, wincx, &slot);
    if (certHandle == CK_INVALID_HANDLE) {
        return NULL;
    }
    /*
     * prevent a login race condition. If slot is logged in between
     * our call to pk11_LoginStillRequired and the 
     * PK11_MatchItem. The matchItem call will either succeed, or
     * we will call it one more time after calling PK11_Authenticate 
     * (which is a noop on an authenticated token).
     */
    needLogin = pk11_LoginStillRequired(slot,wincx);
    keyHandle = PK11_MatchItem(slot,certHandle,CKO_PRIVATE_KEY);
    if ((keyHandle == CK_INVALID_HANDLE) &&  needLogin &&
                     (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
                      SEC_ERROR_TOKEN_NOT_LOGGED_IN == err ) ) {
       /* authenticate and try again */
       rv = PK11_Authenticate(slot, PR_TRUE, wincx);
       if (rv == SECSuccess) {
            keyHandle = PK11_MatchItem(slot,certHandle,CKO_PRIVATE_KEY);
       }
    }
    if (keyHandle != CK_INVALID_HANDLE) { 
        privKey =  PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx);
    }
    if (slot) {
       PK11_FreeSlot(slot);
    }
    return privKey;
}

Here is the call graph for this function:

SECKEYPrivateKey* PK11_FindKeyByDERCert ( PK11SlotInfo *  slot,
CERTCertificate *  cert,
void wincx 
)

Definition at line 2038 of file pk11cert.c.

{
    CK_OBJECT_HANDLE keyHandle;

    if((slot == NULL) || (cert == NULL)) {
       return NULL;
    }

    keyHandle = pk11_findKeyObjectByDERCert(slot, cert, wincx);
    if (keyHandle == CK_INVALID_HANDLE) {
       return NULL;
    }

    return PK11_MakePrivKey(slot,nullKey,PR_TRUE,keyHandle,wincx);
}

Here is the call graph for this function:

static CK_OBJECT_HANDLE pk11_findKeyObjectByDERCert ( PK11SlotInfo *  slot,
CERTCertificate *  cert,
void wincx 
) [static]

Definition at line 1996 of file pk11cert.c.

{
    SECItem *keyID;
    CK_OBJECT_HANDLE key;
    SECStatus rv;
    PRBool needLogin;
    int err;

    if((slot == NULL) || (cert == NULL)) {
       return CK_INVALID_HANDLE;
    }

    keyID = pk11_mkcertKeyID(cert);
    if(keyID == NULL) {
       return CK_INVALID_HANDLE;
    }

    /*
     * prevent a login race condition. If slot is logged in between
     * our call to pk11_LoginStillRequired and the 
     * pk11_FindPrivateKeyFromCerID. The matchItem call will either succeed, or
     * we will call it one more time after calling PK11_Authenticate 
     * (which is a noop on an authenticated token).
     */
    needLogin = pk11_LoginStillRequired(slot,wincx);
    key = pk11_FindPrivateKeyFromCertID(slot, keyID);
    if ((key == CK_INVALID_HANDLE) && needLogin &&
                     (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
                      SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) {
       /* authenticate and try again */
       rv = PK11_Authenticate(slot, PR_TRUE, wincx);
       if (rv != SECSuccess) goto loser;
       key = pk11_FindPrivateKeyFromCertID(slot, keyID);
   }

loser:
    SECITEM_ZfreeItem(keyID, PR_TRUE);
    return key;
}

Here is the call graph for this function:

Here is the caller graph for this function:

CK_OBJECT_HANDLE PK11_FindObjectForCert ( CERTCertificate *  cert,
void wincx,
PK11SlotInfo **  pSlot 
)

Definition at line 1562 of file pk11cert.c.

{
    CK_OBJECT_HANDLE certHandle;
    CK_ATTRIBUTE searchTemplate    = { CKA_VALUE, NULL, 0 };
    
    PK11_SETATTRS(&searchTemplate, CKA_VALUE, cert->derCert.data,
                cert->derCert.len);

    if (cert->slot) {
       certHandle = pk11_getcerthandle(cert->slot,cert,&searchTemplate,1);
       if (certHandle != CK_INVALID_HANDLE) {
           *pSlot = PK11_ReferenceSlot(cert->slot);
           return certHandle;
       }
    }

    certHandle = pk11_FindCertObjectByTemplate(pSlot,&searchTemplate,1,wincx);
    if (certHandle != CK_INVALID_HANDLE) {
       if (cert->slot == NULL) {
           cert->slot = PK11_ReferenceSlot(*pSlot);
           cert->pkcs11ID = certHandle;
           cert->ownSlot = PR_TRUE;
           cert->series = cert->slot->series;
       }
    }

    return(certHandle);
}

Here is the call graph for this function:

SECKEYPrivateKey* PK11_FindPrivateKeyFromCert ( PK11SlotInfo *  slot,
CERTCertificate *  cert,
void wincx 
)

Definition at line 952 of file pk11cert.c.

                                                                      {
    int err;
    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
    CK_ATTRIBUTE theTemplate[] = {
       { CKA_VALUE, NULL, 0 },
       { CKA_CLASS, NULL, 0 }
    };
    /* if you change the array, change the variable below as well */
    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
    CK_OBJECT_HANDLE certh;
    CK_OBJECT_HANDLE keyh;
    CK_ATTRIBUTE *attrs = theTemplate;
    PRBool needLogin;
    SECStatus rv;

    PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, 
                                          cert->derCert.len); attrs++;
    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));

    /*
     * issue the find
     */
    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
    if (rv != SECSuccess) {
       return NULL;
    }

    certh = pk11_getcerthandle(slot,cert,theTemplate,tsize);
    if (certh == CK_INVALID_HANDLE) {
       return NULL;
    }
    /*
     * prevent a login race condition. If slot is logged in between
     * our call to pk11_LoginStillRequired and the 
     * PK11_MatchItem. The matchItem call will either succeed, or
     * we will call it one more time after calling PK11_Authenticate 
     * (which is a noop on an authenticated token).
     */
    needLogin = pk11_LoginStillRequired(slot,wincx);
    keyh = PK11_MatchItem(slot,certh,CKO_PRIVATE_KEY);
    if ((keyh == CK_INVALID_HANDLE) && needLogin &&
                        (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
                      SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) {
       /* try it again authenticated */
       rv = PK11_Authenticate(slot, PR_TRUE, wincx);
       if (rv != SECSuccess) {
           return NULL;
       }
       keyh = PK11_MatchItem(slot,certh,CKO_PRIVATE_KEY);
    }
    if (keyh == CK_INVALID_HANDLE) { 
       return NULL; 
    }
    return PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyh, wincx);
} 

Here is the call graph for this function:

CK_OBJECT_HANDLE pk11_FindPubKeyByAnyCert ( CERTCertificate *  cert,
PK11SlotInfo **  slot,
void wincx 
)

Definition at line 1634 of file pk11cert.c.

{
    CK_OBJECT_HANDLE certHandle;
    CK_OBJECT_HANDLE keyHandle;

    certHandle = PK11_FindObjectForCert(cert, wincx, slot);
    if (certHandle == CK_INVALID_HANDLE) {
        return CK_INVALID_HANDLE;
    }
    keyHandle = PK11_MatchItem(*slot,certHandle,CKO_PUBLIC_KEY);
    if (keyHandle == CK_INVALID_HANDLE) { 
       PK11_FreeSlot(*slot);
       return CK_INVALID_HANDLE;
    }
    return keyHandle;
}

Here is the call graph for this function:

PRBool PK11_FortezzaHasKEA ( CERTCertificate *  cert)

Definition at line 2088 of file pk11cert.c.

                                           {
   /* look at the subject and see if it is a KEA for MISSI key */
   SECOidData *oid;

   if ((cert->trust == NULL) ||
       ((cert->trust->sslFlags & CERTDB_USER) != CERTDB_USER)) {
       return PR_FALSE;
   }

   oid = SECOID_FindOID(&cert->subjectPublicKeyInfo.algorithm.algorithm);


   return (PRBool)((oid->offset == SEC_OID_MISSI_KEA_DSS_OLD) || 
              (oid->offset == SEC_OID_MISSI_KEA_DSS) ||
                            (oid->offset == SEC_OID_MISSI_KEA)) ;
}

Here is the call graph for this function:

CERTCertificate* PK11_GetCertFromPrivateKey ( SECKEYPrivateKey *  privKey)

Definition at line 403 of file pk11cert.c.

{
    PK11SlotInfo *slot = privKey->pkcs11Slot;
    CK_OBJECT_HANDLE handle = privKey->pkcs11ID;
    CK_OBJECT_HANDLE certID = 
              PK11_MatchItem(slot,handle,CKO_CERTIFICATE);
    CERTCertificate *cert;

    if (certID == CK_INVALID_HANDLE) {
       PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
       return NULL;
    }
    cert = PK11_MakeCertFromHandle(slot,certID,NULL);
    return (cert);

}

Here is the call graph for this function:

CK_OBJECT_HANDLE pk11_getcerthandle ( PK11SlotInfo *  slot,
CERTCertificate *  cert,
CK_ATTRIBUTE theTemplate,
int  tsize 
)

Definition at line 929 of file pk11cert.c.

{
    CK_OBJECT_HANDLE certh;

    if (cert->slot == slot) {
       certh = cert->pkcs11ID;
       if ((certh == CK_INVALID_HANDLE) ||
                     (cert->series != slot->series)) {
            certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
            cert->pkcs11ID = certh;
            cert->series = slot->series;
       }
    } else {
       certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
    }
    return certh;
}

Here is the call graph for this function:

SECStatus PK11_GetKEAMatchedCerts ( PK11SlotInfo *  slot1,
PK11SlotInfo *  slot2,
CERTCertificate **  cert1,
CERTCertificate **  cert2 
)

Definition at line 2160 of file pk11cert.c.

{
    CERTCertificate *returnedCert = NULL;
    int i;

    for (i=0; i < slot1->cert_count; i++) {
       CERTCertificate *cert = slot1->cert_array[i];

       if (PK11_FortezzaHasKEA(cert)) {
           returnedCert = pk11_GetKEAMate(slot2,cert);
           if (returnedCert != NULL) {
              *cert2 = returnedCert;
              *cert1 = CERT_DupCertificate(cert);
              return SECSuccess;
           }
       }
    }
    return SECFailure;
}

Here is the call graph for this function:

static CERTCertificate* pk11_GetKEAMate ( PK11SlotInfo *  slot,
CERTCertificate *  peer 
) [static]

Definition at line 2109 of file pk11cert.c.

{
    int i;
    CERTCertificate *returnedCert = NULL;

    for (i=0; i < slot->cert_count; i++) {
       CERTCertificate *cert = slot->cert_array[i];

       if (PK11_FortezzaHasKEA(cert) && KEAPQGCompare(peer,cert)) {
              returnedCert = CERT_DupCertificate(cert);
              break;
       }
    }
    return returnedCert;
}

Here is the call graph for this function:

Here is the caller graph for this function:

SECItem* PK11_GetKeyIDFromCert ( CERTCertificate *  cert,
void wincx 
)

Definition at line 2213 of file pk11cert.c.

{
    CK_OBJECT_HANDLE handle;
    PK11SlotInfo *slot = NULL;
    CK_ATTRIBUTE theTemplate[] = {
       { CKA_ID, NULL, 0 },
    };
    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
    SECItem *item = NULL;
    CK_RV crv;

    handle = PK11_FindObjectForCert(cert,wincx,&slot);
    if (handle == CK_INVALID_HANDLE) {
       goto loser;
    }

    crv = PK11_GetAttributes(NULL,slot,handle,theTemplate,tsize);
    if (crv != CKR_OK) {
       PORT_SetError( PK11_MapError(crv) );
       goto loser;
    }

    item = PORT_ZNew(SECItem);
    if (item) {
        item->data = (unsigned char*) theTemplate[0].pValue;
        item->len = theTemplate[0].ulValueLen;
    }

loser:
    PK11_FreeSlot(slot);
    return item;
}

Here is the call graph for this function:

SECItem* PK11_GetLowLevelKeyIDForCert ( PK11SlotInfo *  slot,
CERTCertificate *  cert,
void wincx 
)

Definition at line 2356 of file pk11cert.c.

{
    CK_ATTRIBUTE theTemplate[] = {
       { CKA_VALUE, NULL, 0 },
       { CKA_CLASS, NULL, 0 }
    };
    /* if you change the array, change the variable below as well */
    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
    CK_OBJECT_HANDLE certHandle;
    CK_ATTRIBUTE *attrs = theTemplate;
    PK11SlotInfo *slotRef = NULL;
    SECItem *item;
    SECStatus rv;

    if (slot) {
       PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, 
                                          cert->derCert.len); attrs++;
 
       rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
       if (rv != SECSuccess) {
           return NULL;
       }
        certHandle = pk11_getcerthandle(slot,cert,theTemplate,tsize);
    } else {
       certHandle = PK11_FindObjectForCert(cert, wincx, &slotRef);
       if (certHandle == CK_INVALID_HANDLE) {
          return pk11_mkcertKeyID(cert);
       }
       slot = slotRef;
    }

    if (certHandle == CK_INVALID_HANDLE) {
        return NULL;
    }

    item = pk11_GetLowLevelKeyFromHandle(slot,certHandle);
    if (slotRef) PK11_FreeSlot(slotRef);
    return item;
}

Here is the call graph for this function:

SECItem* PK11_GetPubIndexKeyID ( CERTCertificate *  cert)

Definition at line 765 of file pk11cert.c.

                                             {
    SECKEYPublicKey *pubk;
    SECItem *newItem = NULL;

    pubk = CERT_ExtractPublicKey(cert);
    if (pubk == NULL) return NULL;

    switch (pubk->keyType) {
    case rsaKey:
       newItem = SECITEM_DupItem(&pubk->u.rsa.modulus);
       break;
    case dsaKey:
        newItem = SECITEM_DupItem(&pubk->u.dsa.publicValue);
       break;
    case dhKey:
        newItem = SECITEM_DupItem(&pubk->u.dh.publicValue);
       break;
    case ecKey:
        newItem = SECITEM_DupItem(&pubk->u.ec.publicValue);
       break;
    case fortezzaKey:
    default:
       newItem = NULL; /* Fortezza Fix later... */
    }
    SECKEY_DestroyPublicKey(pubk);
    /* make hash of it */
    return newItem;
}

Here is the call graph for this function:

SECStatus PK11_ImportCert ( PK11SlotInfo *  slot,
CERTCertificate *  cert,
CK_OBJECT_HANDLE  key,
char *  nickname,
PRBool  includeTrust 
)

Definition at line 813 of file pk11cert.c.

{
    PRStatus status;
    NSSCertificate *c;
    nssCryptokiObject *keyobj, *certobj;
    NSSToken *token = PK11Slot_GetNSSToken(slot);
    SECItem *keyID = pk11_mkcertKeyID(cert);
    char *emailAddr = NULL;
    nssCertificateStoreTrace lockTrace = {NULL, NULL, PR_FALSE, PR_FALSE};
    nssCertificateStoreTrace unlockTrace = {NULL, NULL, PR_FALSE, PR_FALSE};

    if (keyID == NULL) {
       goto loser;
    }

    if (PK11_IsInternal(slot) && cert->emailAddr && cert->emailAddr[0]) {
       emailAddr = cert->emailAddr;
    }

    /* need to get the cert as a stan cert */
    if (cert->nssCertificate) {
       c = cert->nssCertificate;
    } else {
       c = STAN_GetNSSCertificate(cert);
    }

    if (c->object.cryptoContext) {
       /* Delete the temp instance */
       NSSCryptoContext *cc = c->object.cryptoContext;
       nssCertificateStore_Lock(cc->certStore, &lockTrace);
       nssCertificateStore_RemoveCertLOCKED(cc->certStore, c);
       nssCertificateStore_Unlock(cc->certStore, &lockTrace, &unlockTrace);
        nssCertificateStore_Check(&lockTrace, &unlockTrace);
       c->object.cryptoContext = NULL;
       cert->istemp = PR_FALSE;
       cert->isperm = PR_TRUE;
    }

    /* set the id for the cert */
    nssItem_Create(c->object.arena, &c->id, keyID->len, keyID->data);
    if (!c->id.data) {
       goto loser;
    }

    if (key != CK_INVALID_HANDLE) {
       /* create an object for the key, ... */
       keyobj = nss_ZNEW(NULL, nssCryptokiObject);
       if (!keyobj) {
           goto loser;
       }
       keyobj->token = nssToken_AddRef(token);
       keyobj->handle = key;
       keyobj->isTokenObject = PR_TRUE;

       /* ... in order to set matching attributes for the key */
       status = nssCryptokiPrivateKey_SetCertificate(keyobj, NULL, nickname, 
                                                     &c->id, &c->subject);
       nssCryptokiObject_Destroy(keyobj);
       if (status != PR_SUCCESS) {
           goto loser;
       }
    }

    /* do the token import */
    certobj = nssToken_ImportCertificate(token, NULL,
                                         NSSCertificateType_PKIX,
                                         &c->id,
                                         nickname,
                                         &c->encoding,
                                         &c->issuer,
                                         &c->subject,
                                         &c->serial,
                                    emailAddr,
                                         PR_TRUE);
    if (!certobj) {
       if (NSS_GetError() == NSS_ERROR_INVALID_CERTIFICATE) {
           PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
           SECITEM_FreeItem(keyID,PR_TRUE);
           return SECFailure;
       }
       goto loser;
    }
    /* add the new instance to the cert, force an update of the
     * CERTCertificate, and finish
     */
    nssPKIObject_AddInstance(&c->object, certobj);
    nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
    (void)STAN_ForceCERTCertificateUpdate(c);
    SECITEM_FreeItem(keyID,PR_TRUE);
    return SECSuccess;
loser:
    SECITEM_FreeItem(keyID,PR_TRUE);
    PORT_SetError(SEC_ERROR_ADDING_CERT);
    return SECFailure;
}

Here is the call graph for this function:

PK11SlotInfo* PK11_ImportCertForKey ( CERTCertificate *  cert,
char *  nickname,
void wincx 
)

Definition at line 1086 of file pk11cert.c.

                                                                         {
    PK11SlotInfo *slot = NULL;
    CK_OBJECT_HANDLE key;

    slot = PK11_KeyForCertExists(cert,&key,wincx);

    if (slot) {
       if (PK11_ImportCert(slot,cert,key,nickname,PR_FALSE) != SECSuccess) {
           PK11_FreeSlot(slot);
           slot = NULL;
       }
    } else {
       PORT_SetError(SEC_ERROR_ADDING_CERT);
    }

    return slot;
}

Here is the call graph for this function:

SECStatus PK11_ImportCertForKeyToSlot ( PK11SlotInfo *  slot,
CERTCertificate *  cert,
char *  nickname,
PRBool  addCertUsage,
void wincx 
)

Definition at line 2056 of file pk11cert.c.

{
    CK_OBJECT_HANDLE keyHandle;

    if((slot == NULL) || (cert == NULL) || (nickname == NULL)) {
       return SECFailure;
    }

    keyHandle = pk11_findKeyObjectByDERCert(slot, cert, wincx);
    if (keyHandle == CK_INVALID_HANDLE) {
       return SECFailure;
    }

    return PK11_ImportCert(slot, cert, keyHandle, nickname, addCertUsage);
}   

Here is the call graph for this function:

SECStatus PK11_ImportDERCert ( PK11SlotInfo *  slot,
SECItem *  derCert,
CK_OBJECT_HANDLE  key,
char *  nickname,
PRBool  includeTrust 
)

Definition at line 911 of file pk11cert.c.

                                                                         {
    CERTCertificate *cert;
    SECStatus rv;

    cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                   derCert, NULL, PR_FALSE, PR_TRUE);
    if (cert == NULL) return SECFailure;

    rv = PK11_ImportCert(slot, cert, key, nickname, includeTrust);
    CERT_DestroyCertificate (cert);
    return rv;
}

Here is the call graph for this function:

PK11SlotInfo* PK11_ImportDERCertForKey ( SECItem *  derCert,
char *  nickname,
void wincx 
)

Definition at line 1105 of file pk11cert.c.

                                                                       {
    CERTCertificate *cert;
    PK11SlotInfo *slot = NULL;

    cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                   derCert, NULL, PR_FALSE, PR_TRUE);
    if (cert == NULL) return NULL;

    slot = PK11_ImportCertForKey(cert, nickname, wincx);
    CERT_DestroyCertificate (cert);
    return slot;
}

Here is the call graph for this function:

PRBool pk11_isID0 ( PK11SlotInfo *  slot,
CK_OBJECT_HANDLE  certID 
)

Definition at line 226 of file pk11cert.c.

{
    CK_ATTRIBUTE keyID = {CKA_ID, NULL, 0};
    PRBool isZero = PR_FALSE;
    int i;
    CK_RV crv;


    crv = PK11_GetAttributes(NULL,slot,certID,&keyID,1);
    if (crv != CKR_OK) {
       return isZero;
    }

    if (keyID.ulValueLen != 0) {
       char *value = (char *)keyID.pValue;
       isZero = PR_TRUE; /* ID exists, may be zero */
       for (i=0; i < (int) keyID.ulValueLen; i++) {
           if (value[i] != 0) {
              isZero = PR_FALSE; /* nope */
              break;
           }
       }
    }
    PORT_Free(keyID.pValue);
    return isZero;

}

Here is the call graph for this function:

PRBool PK11_IsUserCert ( PK11SlotInfo *  slot,
CERTCertificate *  cert,
CK_OBJECT_HANDLE  certID 
)

Definition at line 155 of file pk11cert.c.

{
    CK_OBJECT_CLASS theClass;

    if (slot == NULL) return PR_FALSE;
    if (cert == NULL) return PR_FALSE;

    theClass = CKO_PRIVATE_KEY;
    if (pk11_LoginStillRequired(slot,NULL)) {
       theClass = CKO_PUBLIC_KEY;
    }
    if (PK11_MatchItem(slot, certID , theClass) != CK_INVALID_HANDLE) {
       return PR_TRUE;
    }

   if (theClass == CKO_PUBLIC_KEY) {
       SECKEYPublicKey *pubKey= CERT_ExtractPublicKey(cert);
       CK_ATTRIBUTE theTemplate;

       if (pubKey == NULL) {
          return PR_FALSE;
       }

       PK11_SETATTRS(&theTemplate,0,NULL,0);
       switch (pubKey->keyType) {
       case rsaKey:
           PK11_SETATTRS(&theTemplate,CKA_MODULUS, pubKey->u.rsa.modulus.data,
                                          pubKey->u.rsa.modulus.len);
           break;
       case dsaKey:
           PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dsa.publicValue.data,
                                          pubKey->u.dsa.publicValue.len);
           break;
       case dhKey:
           PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dh.publicValue.data,
                                          pubKey->u.dh.publicValue.len);
           break;
       case ecKey:
           PK11_SETATTRS(&theTemplate,CKA_EC_POINT, 
                       pubKey->u.ec.publicValue.data,
                       pubKey->u.ec.publicValue.len);
           break;
       case keaKey:
       case fortezzaKey:
       case nullKey:
           /* fall through and return false */
           break;
       }

       if (theTemplate.ulValueLen == 0) {
           SECKEY_DestroyPublicKey(pubKey);
           return PR_FALSE;
       }
       pk11_SignedToUnsigned(&theTemplate);
       if (pk11_FindObjectByTemplate(slot,&theTemplate,1) != CK_INVALID_HANDLE) {
           SECKEY_DestroyPublicKey(pubKey);
           return PR_TRUE;
       }
       SECKEY_DestroyPublicKey(pubKey);
    }
    return PR_FALSE;
}

Here is the call graph for this function:

PK11SlotInfo* PK11_KeyForCertExists ( CERTCertificate *  cert,
CK_OBJECT_HANDLE keyPtr,
void wincx 
)

Definition at line 1014 of file pk11cert.c.

                                                                     {
    PK11SlotList *list;
    PK11SlotListElement *le;
    SECItem *keyID;
    CK_OBJECT_HANDLE key;
    PK11SlotInfo *slot = NULL;
    SECStatus rv;
    int err;

    keyID = pk11_mkcertKeyID(cert);
    /* get them all! */
    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
    if ((keyID == NULL) || (list == NULL)) {
       if (keyID) SECITEM_FreeItem(keyID,PR_TRUE);
       if (list) PK11_FreeSlotList(list);
       return NULL;
    }

    /* Look for the slot that holds the Key */
    for (le = list->head ; le; le = le->next) {
       /*
        * prevent a login race condition. If le->slot is logged in between
        * our call to pk11_LoginStillRequired and the 
        * pk11_FindPrivateKeyFromCertID, the find will either succeed, or
        * we will call it one more time after calling PK11_Authenticate 
        * (which is a noop on an authenticated token).
        */
       PRBool needLogin = pk11_LoginStillRequired(le->slot,wincx);
       key = pk11_FindPrivateKeyFromCertID(le->slot,keyID);
       if ((key == CK_INVALID_HANDLE) && needLogin &&
                     (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
                      SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) {
           /* authenticate and try again */
           rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
           if (rv != SECSuccess) continue;
           key = pk11_FindPrivateKeyFromCertID(le->slot,keyID);
       }
       if (key != CK_INVALID_HANDLE) {
           slot = PK11_ReferenceSlot(le->slot);
           if (keyPtr) *keyPtr = key;
           break;
       }
    }

    SECITEM_FreeItem(keyID,PR_TRUE);
    PK11_FreeSlotList(list);
    return slot;

}

Here is the call graph for this function:

PK11SlotInfo* PK11_KeyForDERCertExists ( SECItem *  derCert,
CK_OBJECT_HANDLE keyPtr,
void wincx 
)

Definition at line 1069 of file pk11cert.c.

                                                                     {
    CERTCertificate *cert;
    PK11SlotInfo *slot = NULL;

    /* letting this use go -- the only thing that the cert is used for is
     * to get the ID attribute.
     */
    cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
    if (cert == NULL) return NULL;

    slot = PK11_KeyForCertExists(cert, keyPtr, wincx);
    CERT_DestroyCertificate (cert);
    return slot;
}

Here is the call graph for this function:

static PRStatus PR_CALLBACK pk11_keyIDHash_populate ( void wincx) [static]

Definition at line 1430 of file pk11cert.c.

{
    CERTCertList     *certList;
    CERTCertListNode *node = NULL;
    SECItem           subjKeyID = {siBuffer, NULL, 0};

    certList = PK11_ListCerts(PK11CertListUser, wincx);
    if (!certList) {
       return PR_FAILURE;
    }

    for (node = CERT_LIST_HEAD(certList);
         !CERT_LIST_END(node, certList);
         node = CERT_LIST_NEXT(node)) {
       if (CERT_FindSubjectKeyIDExtension(node->cert, 
                                          &subjKeyID) == SECSuccess && 
           subjKeyID.data != NULL) {
           cert_AddSubjectKeyIDMapping(&subjKeyID, node->cert);
           SECITEM_FreeItem(&subjKeyID, PR_FALSE);
       }
    }
    CERT_DestroyCertList(certList);
    return PR_SUCCESS;
}

Here is the call graph for this function:

Here is the caller graph for this function:

CERTCertList* PK11_ListCerts ( PK11CertListType  type,
void pwarg 
)

Definition at line 2339 of file pk11cert.c.

{
    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
    CERTCertList *certList = NULL;
    struct listCertsStr listCerts;
    certList = CERT_NewCertList();
    listCerts.type = type;
    listCerts.certList = certList;

    /* authenticate to the slots */
    (void) pk11_TraverseAllSlots( NULL, NULL, PR_TRUE, pwarg);
    NSSTrustDomain_TraverseCertificates(defaultTD, pk11ListCertCallback,
                                                         &listCerts);
    return certList;
}

Here is the call graph for this function:

CERTCertList* PK11_ListCertsInSlot ( PK11SlotInfo *  slot)

Definition at line 2438 of file pk11cert.c.

{
    SECStatus status;
    CERTCertList *certs;
    ListCertsArg cdata;

    certs = CERT_NewCertList();
    if(certs == NULL) return NULL;
    cdata.list = certs;
    cdata.slot = slot;

    status = PK11_TraverseCertsInSlot(slot, listCertsCallback,
              &cdata);

    if( status != SECSuccess ) {
       CERT_DestroyCertList(certs);
       certs = NULL;
    }

    return certs;
}

Here is the call graph for this function:

CERTCertificate* PK11_MakeCertFromHandle ( PK11SlotInfo *  slot,
CK_OBJECT_HANDLE  certID,
CK_ATTRIBUTE privateLabel 
)

Definition at line 310 of file pk11cert.c.

{
    char * nickname = NULL;
    CERTCertificate *cert = NULL;
    CERTCertTrust *trust;
    PRBool isFortezzaRootCA = PR_FALSE;
    PRBool swapNickname = PR_FALSE;

    cert = pk11_fastCert(slot,certID,privateLabel, &nickname);
    if (cert == NULL) goto loser;
       
    if (nickname) {
       if (cert->nickname != NULL) {
              cert->dbnickname = cert->nickname;
       } 
       cert->nickname = PORT_ArenaStrdup(cert->arena,nickname);
       PORT_Free(nickname);
       nickname = NULL;
       swapNickname = PR_TRUE;
    }

    /* remember where this cert came from.... If we have just looked
     * it up from the database and it already has a slot, don't add a new
     * one. */
    if (cert->slot == NULL) {
       cert->slot = PK11_ReferenceSlot(slot);
       cert->pkcs11ID = certID;
       cert->ownSlot = PR_TRUE;
       cert->series = slot->series;
    }

    trust = (CERTCertTrust*)PORT_ArenaAlloc(cert->arena, sizeof(CERTCertTrust));
    if (trust == NULL) goto loser;
    PORT_Memset(trust,0, sizeof(CERTCertTrust));
    cert->trust = trust;

    

    if(! pk11_HandleTrustObject(slot, cert, trust) ) {
       unsigned int type;

       /* build some cert trust flags */
       if (CERT_IsCACert(cert, &type)) {
           unsigned int trustflags = CERTDB_VALID_CA;
          
           /* Allow PKCS #11 modules to give us trusted CA's. We only accept
            * valid CA's which are self-signed here. They must have an object
            * ID of '0'.  */ 
           if (pk11_isID0(slot,certID) && 
              SECITEM_CompareItem(&cert->derSubject,&cert->derIssuer)
                                                    == SECEqual) {
              trustflags |= CERTDB_TRUSTED_CA;
              /* is the slot a fortezza card? allow the user or
               * admin to turn on objectSigning, but don't turn
               * full trust on explicitly */
              if (PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) {
                  trust->objectSigningFlags |= CERTDB_VALID_CA;
                  isFortezzaRootCA = PR_TRUE;
              }
           }
           if ((type & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
              trust->sslFlags |= trustflags;
           }
           if ((type & NS_CERT_TYPE_EMAIL_CA) == NS_CERT_TYPE_EMAIL_CA) {
              trust->emailFlags |= trustflags;
           }
           if ((type & NS_CERT_TYPE_OBJECT_SIGNING_CA) 
                                   == NS_CERT_TYPE_OBJECT_SIGNING_CA) {
              trust->objectSigningFlags |= trustflags;
           }
       }
    }

    if (PK11_IsUserCert(slot,cert,certID)) {
       trust->sslFlags |= CERTDB_USER;
       trust->emailFlags |= CERTDB_USER;
       /*    trust->objectSigningFlags |= CERTDB_USER; */
    }

    return cert;

loser:
    if (nickname) PORT_Free(nickname);
    if (cert) CERT_DestroyCertificate(cert);
    return NULL;
}

Here is the call graph for this function:

SECItem* pk11_mkcertKeyID ( CERTCertificate *  cert)

Definition at line 798 of file pk11cert.c.

                                        {
    SECItem *pubKeyData = PK11_GetPubIndexKeyID(cert) ;
    SECItem *certCKA_ID;

    if (pubKeyData == NULL) return NULL;
    
    certCKA_ID = PK11_MakeIDFromPubKey(pubKeyData);
    SECITEM_FreeItem(pubKeyData,PR_TRUE);
    return certCKA_ID;
}

Here is the call graph for this function:

int PK11_NumberCertsForCertSubject ( CERTCertificate *  cert)

Definition at line 1655 of file pk11cert.c.

{
    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
    CK_ATTRIBUTE theTemplate[] = {
       { CKA_CLASS, NULL, 0 },
       { CKA_SUBJECT, NULL, 0 },
    };
    CK_ATTRIBUTE *attr = theTemplate;
   int templateSize = sizeof(theTemplate)/sizeof(theTemplate[0]);

    PK11_SETATTRS(attr,CKA_CLASS, &certClass, sizeof(certClass)); attr++;
    PK11_SETATTRS(attr,CKA_SUBJECT,cert->derSubject.data,cert->derSubject.len);

    if (cert->slot == NULL) {
       PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
                                                 PR_FALSE,PR_TRUE,NULL);
       PK11SlotListElement *le;
       int count = 0;

       /* loop through all the fortezza tokens */
       for (le = list->head; le; le = le->next) {
           count += PK11_NumberObjectsFor(le->slot,theTemplate,templateSize);
       }
       PK11_FreeSlotList(list);
       return count;
    }

    return PK11_NumberObjectsFor(cert->slot,theTemplate,templateSize);
}

Here is the call graph for this function:

SECStatus PK11_TraverseCertsForNicknameInSlot ( SECItem *  nickname,
PK11SlotInfo *  slot,
SECStatus(*)(CERTCertificate *, void *)  callback,
void arg 
)

Definition at line 1771 of file pk11cert.c.

{
    struct nss3_cert_cbstr pk11cb;
    PRStatus nssrv = PR_SUCCESS;
    NSSToken *token;
    NSSTrustDomain *td;
    NSSUTF8 *nick;
    PRBool created = PR_FALSE;
    nssCryptokiObject **instances;
    nssPKIObjectCollection *collection = NULL;
    NSSCertificate **certs;
    nssList *nameList = NULL;
    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
    pk11cb.callback = callback;
    pk11cb.arg = arg;
    token = PK11Slot_GetNSSToken(slot);
    if (!nssToken_IsPresent(token)) {
       return SECSuccess;
    }
    if (nickname->data[nickname->len-1] != '\0') {
       nick = nssUTF8_Create(NULL, nssStringType_UTF8String, 
                             nickname->data, nickname->len);
       created = PR_TRUE;
    } else {
       nick = (NSSUTF8 *)nickname->data;
    }
    td = STAN_GetDefaultTrustDomain();
    collection = nssCertificateCollection_Create(td, NULL);
    if (!collection) {
       goto loser;
    }
    nameList = nssList_Create(NULL, PR_FALSE);
    if (!nameList) {
       goto loser;
    }
    (void)nssTrustDomain_GetCertsForNicknameFromCache(td, nick, nameList);
    transfer_token_certs_to_collection(nameList, token, collection);
    instances = nssToken_FindCertificatesByNickname(token, NULL,
                                                   nick,
                                                   tokenOnly, 0, &nssrv);
    nssPKIObjectCollection_AddInstances(collection, instances, 0);
    nss_ZFreeIf(instances);
    nssList_Destroy(nameList);
    certs = nssPKIObjectCollection_GetCertificates(collection,
                                                   NULL, 0, NULL);
    nssPKIObjectCollection_Destroy(collection);
    if (certs) {
       CERTCertificate *oldie;
       NSSCertificate **cp;
       for (cp = certs; *cp; cp++) {
           oldie = STAN_GetCERTCertificate(*cp);
           if (!oldie) {
              continue;
           }
           if ((*callback)(oldie, arg) != SECSuccess) {
              nssrv = PR_FAILURE;
              break;
           }
       }
       nssCertificateArray_Destroy(certs);
    }
    if (created) nss_ZFreeIf(nick);
    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
loser:
    if (created) {
       nss_ZFreeIf(nick);
    }
    if (collection) {
       nssPKIObjectCollection_Destroy(collection);
    }
    if (nameList) {
       nssList_Destroy(nameList);
    }
    return SECFailure;
}

Here is the call graph for this function:

SECStatus PK11_TraverseCertsForSubject ( CERTCertificate *  cert,
SECStatus(*)(CERTCertificate *, void *)  callback,
void arg 
)

Definition at line 1689 of file pk11cert.c.

{
    if(!cert) {
       return SECFailure;
    }
    if (cert->slot == NULL) {
       PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
                                                 PR_FALSE,PR_TRUE,NULL);
       PK11SlotListElement *le;

       /* loop through all the tokens */
       for (le = list->head; le; le = le->next) {
           PK11_TraverseCertsForSubjectInSlot(cert,le->slot,callback,arg);
       }
       PK11_FreeSlotList(list);
       return SECSuccess;

    }

    return PK11_TraverseCertsForSubjectInSlot(cert, cert->slot, callback, arg);
}

Here is the call graph for this function:

SECStatus PK11_TraverseCertsForSubjectInSlot ( CERTCertificate *  cert,
PK11SlotInfo *  slot,
SECStatus(*)(CERTCertificate *, void *)  callback,
void arg 
)

Definition at line 1713 of file pk11cert.c.

{
    PRStatus nssrv = PR_SUCCESS;
    NSSToken *token;
    NSSDER subject;
    NSSTrustDomain *td;
    nssList *subjectList;
    nssPKIObjectCollection *collection;
    nssCryptokiObject **instances;
    NSSCertificate **certs;
    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
    td = STAN_GetDefaultTrustDomain();
    NSSITEM_FROM_SECITEM(&subject, &cert->derSubject);
    token = PK11Slot_GetNSSToken(slot);
    if (!nssToken_IsPresent(token)) {
       return SECSuccess;
    }
    collection = nssCertificateCollection_Create(td, NULL);
    if (!collection) {
       return SECFailure;
    }
    subjectList = nssList_Create(NULL, PR_FALSE);
    if (!subjectList) {
       nssPKIObjectCollection_Destroy(collection);
       return SECFailure;
    }
    (void)nssTrustDomain_GetCertsForSubjectFromCache(td, &subject, 
                                                     subjectList);
    transfer_token_certs_to_collection(subjectList, token, collection);
    instances = nssToken_FindCertificatesBySubject(token, NULL,
                                                  &subject, 
                                                  tokenOnly, 0, &nssrv);
    nssPKIObjectCollection_AddInstances(collection, instances, 0);
    nss_ZFreeIf(instances);
    nssList_Destroy(subjectList);
    certs = nssPKIObjectCollection_GetCertificates(collection,
                                                   NULL, 0, NULL);
    nssPKIObjectCollection_Destroy(collection);
    if (certs) {
       CERTCertificate *oldie;
       NSSCertificate **cp;
       for (cp = certs; *cp; cp++) {
           oldie = STAN_GetCERTCertificate(*cp);
           if (!oldie) {
              continue;
           }
           if ((*callback)(oldie, arg) != SECSuccess) {
              nssrv = PR_FAILURE;
              break;
           }
       }
       nssCertificateArray_Destroy(certs);
    }
    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
}

Here is the call graph for this function:

SECStatus PK11_TraverseCertsInSlot ( PK11SlotInfo *  slot,
SECStatus(*)(CERTCertificate *, void *)  callback,
void arg 
)

Definition at line 1849 of file pk11cert.c.

{
    PRStatus nssrv;
    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
    NSSToken *tok;
    nssList *certList = NULL;
    nssCryptokiObject **instances;
    nssPKIObjectCollection *collection;
    NSSCertificate **certs;
    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
    tok = PK11Slot_GetNSSToken(slot);
    if (!nssToken_IsPresent(tok)) {
       return SECSuccess;
    }
    collection = nssCertificateCollection_Create(td, NULL);
    if (!collection) {
       return SECFailure;
    }
    certList = nssList_Create(NULL, PR_FALSE);
    if (!certList) {
       nssPKIObjectCollection_Destroy(collection);
       return SECFailure;
    }
    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
    transfer_token_certs_to_collection(certList, tok, collection);
    instances = nssToken_FindCertificates(tok, NULL,
                                          tokenOnly, 0, &nssrv);
    nssPKIObjectCollection_AddInstances(collection, instances, 0);
    nss_ZFreeIf(instances);
    nssList_Destroy(certList);
    certs = nssPKIObjectCollection_GetCertificates(collection,
                                                   NULL, 0, NULL);
    nssPKIObjectCollection_Destroy(collection);
    if (certs) {
       CERTCertificate *oldie;
       NSSCertificate **cp;
       for (cp = certs; *cp; cp++) {
           oldie = STAN_GetCERTCertificate(*cp);
           if (!oldie) {
              continue;
           }
           if ((*callback)(oldie, arg) != SECSuccess) {
              nssrv = PR_FAILURE;
              break;
           }
       }
       nssCertificateArray_Destroy(certs);
    }
    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
}

Here is the call graph for this function:

SECStatus PK11_TraverseSlotCerts ( SECStatus(*)(CERTCertificate *, SECItem *, void *)  callback,
void arg,
void wincx 
)

Definition at line 476 of file pk11cert.c.

{
    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
    struct fake_der_cb_argstr fda;
    struct nss3_cert_cbstr pk11cb;

    /* authenticate to the tokens first */
    (void) pk11_TraverseAllSlots( NULL, NULL, PR_TRUE, wincx);

    fda.callback = callback;
    fda.arg = arg;
    pk11cb.callback = fake_der_cb;
    pk11cb.arg = &fda;
    NSSTrustDomain_TraverseCertificates(defaultTD, convert_cert, &pk11cb);
    return SECSuccess;
}

Here is the call graph for this function:

static PRStatus pk11ListCertCallback ( NSSCertificate *  c,
void arg 
) [static]

Definition at line 2252 of file pk11cert.c.

{
    struct listCertsStr *listCertP = (struct listCertsStr *)arg;
    CERTCertificate *newCert = NULL;
    PK11CertListType type = listCertP->type;
    CERTCertList *certList = listCertP->certList;
    PRBool isUnique = PR_FALSE;
    PRBool isCA = PR_FALSE;
    char *nickname = NULL;
    unsigned int certType;

    if ((type == PK11CertListUnique) || (type == PK11CertListRootUnique) ||
        (type == PK11CertListCAUnique) || (type == PK11CertListUserUnique) ) {
        /* only list one instance of each certificate, even if several exist */
       isUnique = PR_TRUE;
    }
    if ((type == PK11CertListCA) || (type == PK11CertListRootUnique) ||
        (type == PK11CertListCAUnique)) {
       isCA = PR_TRUE;
    }

    /* if we want user certs and we don't have one skip this cert */
    if ( ( (type == PK11CertListUser) || (type == PK11CertListUserUnique) ) && 
              !NSSCertificate_IsPrivateKeyAvailable(c, NULL,NULL)) {
       return PR_SUCCESS;
    }

    /* PK11CertListRootUnique means we want CA certs without a private key.
     * This is for legacy app support . PK11CertListCAUnique should be used
     * instead to get all CA certs, regardless of private key
     */
    if ((type == PK11CertListRootUnique) && 
              NSSCertificate_IsPrivateKeyAvailable(c, NULL,NULL)) {
       return PR_SUCCESS;
    }

    /* caller still owns the reference to 'c' */
    newCert = STAN_GetCERTCertificate(c);
    if (!newCert) {
       return PR_SUCCESS;
    }
    /* if we want CA certs and it ain't one, skip it */
    if( isCA  && (!CERT_IsCACert(newCert, &certType)) ) {
       return PR_SUCCESS;
    }
    if (isUnique) {
       CERT_DupCertificate(newCert);

       nickname = STAN_GetCERTCertificateName(certList->arena, c);

       /* put slot certs at the end */
       if (newCert->slot && !PK11_IsInternal(newCert->slot)) {
           CERT_AddCertToListTailWithData(certList,newCert,nickname);
       } else {
           CERT_AddCertToListHeadWithData(certList,newCert,nickname);
       }
    } else {
       /* add multiple instances to the cert list */
       nssCryptokiObject **ip;
       nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
       if (!instances) {
           return PR_SUCCESS;
       }
       for (ip = instances; *ip; ip++) {
           nssCryptokiObject *instance = *ip;
           PK11SlotInfo *slot = instance->token->pk11slot;

           /* put the same CERTCertificate in the list for all instances */
           CERT_DupCertificate(newCert);

           nickname = STAN_GetCERTCertificateNameForInstance(
                     certList->arena, c, instance);

           /* put slot certs at the end */
           if (slot && !PK11_IsInternal(slot)) {
              CERT_AddCertToListTailWithData(certList,newCert,nickname);
           } else {
              CERT_AddCertToListHeadWithData(certList,newCert,nickname);
           }
       }
       nssCryptokiObjectArray_Destroy(instances);
    }
    return PR_SUCCESS;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static int toHex ( int  x) [static]

Definition at line 102 of file pk11cert.c.

{ return (x < 10) ? (x+'0') : (x+'a'-10); }

Here is the caller graph for this function:

static void transfer_token_certs_to_collection ( nssList *  certList,
NSSToken *  token,
nssPKIObjectCollection *  collection 
) [static]

Definition at line 495 of file pk11cert.c.

{
    NSSCertificate **certs;
    PRUint32 i, count;
    NSSToken **tokens, **tp;
    count = nssList_Count(certList);
    if (count == 0) {
       return;
    }
    certs = nss_ZNEWARRAY(NULL, NSSCertificate *, count);
    if (!certs) {
       return;
    }
    nssList_GetArray(certList, (void **)certs, count);
    for (i=0; i<count; i++) {
       tokens = nssPKIObject_GetTokens(&certs[i]->object, NULL);
       if (tokens) {
           for (tp = tokens; *tp; tp++) {
              if (*tp == token) {
                  nssPKIObjectCollection_AddObject(collection, 
                                                   (nssPKIObject *)certs[i]);
              }
           }
           nssTokenArray_Destroy(tokens);
       }
       CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(certs[i]));
    }
    nss_ZFreeIf(certs);
}

Here is the call graph for this function:

Here is the caller graph for this function:


Variable Documentation

Definition at line 1427 of file pk11cert.c.

Definition at line 93 of file errorval.c.

Definition at line 80 of file errorval.c.