Back to index

lightning-sunbird  0.9+nobinonly
Functions | Variables
pki3hack.c File Reference
#include "nsspki.h"
#include "pki.h"
#include "pkim.h"
#include "dev.h"
#include "dev3hack.h"
#include "pki3hack.h"
#include "secitem.h"
#include "certdb.h"
#include "certt.h"
#include "cert.h"
#include "pk11func.h"
#include "pkistore.h"
#include "secmod.h"
#include "nssrwlk.h"

Go to the source code of this file.

Functions

NSSTrustDomain * STAN_GetDefaultTrustDomain ()
NSSCryptoContext * STAN_GetDefaultCryptoContext ()
NSS_IMPLEMENT PRStatus STAN_InitTokenForSlotInfo (NSSTrustDomain *td, PK11SlotInfo *slot)
NSS_IMPLEMENT PRStatus STAN_ResetTokenInterator (NSSTrustDomain *td)
NSS_IMPLEMENT PRStatus STAN_LoadDefaultNSS3TrustDomain (void)
NSS_IMPLEMENT SECStatus STAN_AddModuleToDefaultTrustDomain (SECMODModule *module)
NSS_IMPLEMENT SECStatus STAN_RemoveModuleFromDefaultTrustDomain (SECMODModule *module)
NSS_IMPLEMENT PRStatus STAN_Shutdown ()
NSS_IMPLEMENT NSSItem * STAN_GetCertIdentifierFromDER (NSSArena *arenaOpt, NSSDER *der)
NSS_IMPLEMENT PRStatus nssPKIX509_GetIssuerAndSerialFromDER (NSSDER *der, NSSArena *arena, NSSDER *issuer, NSSDER *serial)
static NSSItem * nss3certificate_getIdentifier (nssDecodedCert *dc)
static voidnss3certificate_getIssuerIdentifier (nssDecodedCert *dc)
static nssCertIDMatch nss3certificate_matchIdentifier (nssDecodedCert *dc, void *id)
static PRBool nss3certificate_isValidIssuer (nssDecodedCert *dc)
static NSSUsage * nss3certificate_getUsage (nssDecodedCert *dc)
static PRBool nss3certificate_isValidAtTime (nssDecodedCert *dc, NSSTime *time)
static PRBool nss3certificate_isNewerThan (nssDecodedCert *dc, nssDecodedCert *cmpdc)
static PRBool nss3certificate_matchUsage (nssDecodedCert *dc, const NSSUsage *usage)
static NSSASCII7nss3certificate_getEmailAddress (nssDecodedCert *dc)
static PRStatus nss3certificate_getDERSerialNumber (nssDecodedCert *dc, NSSDER *serial, NSSArena *arena)
NSS_IMPLEMENT nssDecodedCert * nssDecodedPKIXCertificate_Create (NSSArena *arenaOpt, NSSDER *encoding)
static nssDecodedCert * create_decoded_pkix_cert_from_nss3cert (NSSArena *arenaOpt, CERTCertificate *cc)
NSS_IMPLEMENT PRStatus nssDecodedPKIXCertificate_Destroy (nssDecodedCert *dc)
static unsigned int get_nss3trust_from_nss4trust (CK_TRUST t)
static CERTCertTrust * cert_trust_from_stan_trust (NSSTrust *t, PRArenaPool *arena)
CERTCertTrust * nssTrust_GetCERTCertTrustForCert (NSSCertificate *c, CERTCertificate *cc)
static nssCryptokiInstance * get_cert_instance (NSSCertificate *c)
char * STAN_GetCERTCertificateNameForInstance (PLArenaPool *arenaOpt, NSSCertificate *c, nssCryptokiInstance *instance)
char * STAN_GetCERTCertificateName (PLArenaPool *arenaOpt, NSSCertificate *c)
static void fill_CERTCertificateFields (NSSCertificate *c, CERTCertificate *cc, PRBool forced)
static CERTCertificate * stan_GetCERTCertificate (NSSCertificate *c, PRBool forceUpdate)
NSS_IMPLEMENT CERTCertificate * STAN_ForceCERTCertificateUpdate (NSSCertificate *c)
NSS_IMPLEMENT CERTCertificate * STAN_GetCERTCertificate (NSSCertificate *c)
NSS_IMPLEMENT CERTCertificate * STAN_GetCERTCertificateOrRelease (NSSCertificate *c)
static nssTrustLevel get_stan_trust (unsigned int t, PRBool isClientAuth)
NSS_EXTERN NSSCertificate * STAN_GetNSSCertificate (CERTCertificate *cc)
static NSSToken * stan_GetTrustToken (NSSCertificate *c)
NSS_EXTERN PRStatus STAN_ChangeCertTrust (CERTCertificate *cc, CERTCertTrust *trust)
NSS_IMPLEMENT PRStatus nssTrustDomain_TraverseCertificatesBySubject (NSSTrustDomain *td, NSSDER *subject, PRStatus(*callback)(NSSCertificate *c, void *arg), void *arg)
NSS_IMPLEMENT PRStatus nssTrustDomain_TraverseCertificatesByNickname (NSSTrustDomain *td, NSSUTF8 *nickname, PRStatus(*callback)(NSSCertificate *c, void *arg), void *arg)
static void cert_dump_iter (const void *k, void *v, void *a)
void nss_DumpCertificateCacheInfo ()

Variables

NSSTrustDomain * g_default_trust_domain = NULL
NSSCryptoContext * g_default_crypto_context = NULL
const NSSError NSS_ERROR_ALREADY_INITIALIZED
const NSSError NSS_ERROR_INTERNAL_ERROR

Function Documentation

static void cert_dump_iter ( const void k,
void v,
void a 
) [static]

Definition at line 1254 of file pki3hack.c.

{
    NSSCertificate *c = (NSSCertificate *)k;
    CERTCertificate *cert = STAN_GetCERTCertificate(c);
    printf("[%2d] \"%s\"\n", c->object.refCount, cert->subjectName);
}

Here is the call graph for this function:

Here is the caller graph for this function:

static CERTCertTrust* cert_trust_from_stan_trust ( NSSTrust *  t,
PRArenaPool arena 
) [static]

Definition at line 576 of file pki3hack.c.

{
    CERTCertTrust *rvTrust;
    unsigned int client;
    if (!t) {
       return NULL;
    }
    rvTrust = PORT_ArenaAlloc(arena, sizeof(CERTCertTrust));
    if (!rvTrust) return NULL;
    rvTrust->sslFlags = get_nss3trust_from_nss4trust(t->serverAuth);
    client = get_nss3trust_from_nss4trust(t->clientAuth);
    if (client & (CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA)) {
       client &= ~(CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA);
       rvTrust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA;
    }
    rvTrust->sslFlags |= client;
    rvTrust->emailFlags = get_nss3trust_from_nss4trust(t->emailProtection);
    rvTrust->objectSigningFlags = get_nss3trust_from_nss4trust(t->codeSigning);
    /* The cert is a valid step-up cert (in addition to/lieu of trust above */
    if (t->stepUpApproved) {
       rvTrust->sslFlags |= CERTDB_GOVT_APPROVED_CA;
    }
    return rvTrust;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static nssDecodedCert* create_decoded_pkix_cert_from_nss3cert ( NSSArena *  arenaOpt,
CERTCertificate *  cc 
) [static]

Definition at line 506 of file pki3hack.c.

{
    nssDecodedCert *rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
    if (rvDC) {
       rvDC->type                = NSSCertificateType_PKIX;
       rvDC->data                = (void *)cc;
       rvDC->getIdentifier       = nss3certificate_getIdentifier;
       rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
       rvDC->matchIdentifier     = nss3certificate_matchIdentifier;
       rvDC->isValidIssuer       = nss3certificate_isValidIssuer;
       rvDC->getUsage            = nss3certificate_getUsage;
       rvDC->isValidAtTime       = nss3certificate_isValidAtTime;
       rvDC->isNewerThan         = nss3certificate_isNewerThan;
       rvDC->matchUsage          = nss3certificate_matchUsage;
       rvDC->getEmailAddress     = nss3certificate_getEmailAddress;
    }
    return rvDC;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static void fill_CERTCertificateFields ( NSSCertificate *  c,
CERTCertificate *  cc,
PRBool  forced 
) [static]

Definition at line 719 of file pki3hack.c.

{
    CERTCertTrust* trust = NULL;
    NSSTrust *nssTrust;
    NSSCryptoContext *context = c->object.cryptoContext;
    nssCryptokiInstance *instance;
    NSSUTF8 *stanNick = NULL;

    /* We are holding the base class object's lock on entry of this function
     * This lock protects writes to fields of the CERTCertificate .
     * It is also needed by some functions to compute values such as trust.
     */
    instance = get_cert_instance(c);

    if (instance) {
       stanNick = instance->label;
    } else if (context) {
       stanNick = c->object.tempName;
    }
    /* fill other fields needed by NSS3 functions using CERTCertificate */
    if ((!cc->nickname && stanNick) || forced) {
       PRStatus nssrv;
       int nicklen, tokenlen, len;
       NSSUTF8 *tokenName = NULL;
       char *nick;
       if (instance && !PK11_IsInternal(instance->token->pk11slot)) {
           tokenName = nssToken_GetName(instance->token);
           tokenlen = nssUTF8_Size(tokenName, &nssrv);
       } else {
           /* don't use token name for internal slot; 3.3 didn't */
           tokenlen = 0;
       }
       if (stanNick) {
           nicklen = nssUTF8_Size(stanNick, &nssrv);
           len = tokenlen + nicklen;
           nick = PORT_ArenaAlloc(cc->arena, len);
           if (tokenName) {
              memcpy(nick, tokenName, tokenlen-1);
              nick[tokenlen-1] = ':';
              memcpy(nick+tokenlen, stanNick, nicklen-1);
           } else {
              memcpy(nick, stanNick, nicklen-1);
           }
           nick[len-1] = '\0';
            cc->nickname = nick;
       } else {
           cc->nickname = NULL;
       }
    }
    if (context) {
       /* trust */
       nssTrust = nssCryptoContext_FindTrustForCertificate(context, c);
       if (nssTrust) {
            trust = cert_trust_from_stan_trust(nssTrust, cc->arena);
            if (trust) {
                /* we should destroy cc->trust before replacing it, but it's
                   allocated in cc->arena, so memory growth will occur on each
                   refresh */
                cc->trust = trust;
            }
           nssTrust_Destroy(nssTrust);
       }
    } else if (instance) {
       /* slot */
       if (cc->slot != instance->token->pk11slot) {
           if (cc->slot) {
              PK11_FreeSlot(cc->slot);
           }
           cc->slot = PK11_ReferenceSlot(instance->token->pk11slot);
       }
       cc->ownSlot = PR_TRUE;
       /* pkcs11ID */
       cc->pkcs11ID = instance->handle;
       /* trust */
       trust = nssTrust_GetCERTCertTrustForCert(c, cc);
        if (trust) {
            /* we should destroy cc->trust before replacing it, but it's
               allocated in cc->arena, so memory growth will occur on each
               refresh */
            cc->trust = trust;
        }
       nssCryptokiObject_Destroy(instance);
    } 
    /* database handle is now the trust domain */
    cc->dbhandle = c->object.trustDomain;
    /* subjectList ? */
    /* istemp and isperm are supported in NSS 3.4 */
    cc->istemp = PR_FALSE; /* CERT_NewTemp will override this */
    cc->isperm = PR_TRUE;  /* by default */
    /* pointer back */
    cc->nssCertificate = c;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static nssCryptokiInstance* get_cert_instance ( NSSCertificate *  c) [static]

Definition at line 631 of file pki3hack.c.

{
    nssCryptokiObject *instance, **ci;
    nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
    if (!instances) {
       return NULL;
    }
    instance = NULL;
    for (ci = instances; *ci; ci++) {
       if (!instance) {
           instance = nssCryptokiObject_Clone(*ci);
       } else {
           /* This only really works for two instances...  But 3.4 can't
            * handle more anyway.  The logic is, if there are multiple
            * instances, prefer the one that is not internal (e.g., on
            * a hardware device.
            */
           if (PK11_IsInternal(instance->token->pk11slot)) {
              nssCryptokiObject_Destroy(instance);
              instance = nssCryptokiObject_Clone(*ci);
           }
       }
    }
    nssCryptokiObjectArray_Destroy(instances);
    return instance;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static unsigned int get_nss3trust_from_nss4trust ( CK_TRUST  t) [static]

Definition at line 557 of file pki3hack.c.

{
    unsigned int rt = 0;
    if (t == nssTrustLevel_Trusted) {
       rt |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
    }
    if (t == nssTrustLevel_TrustedDelegator) {
       rt |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA /*| CERTDB_NS_TRUSTED_CA*/;
    }
    if (t == nssTrustLevel_Valid) {
       rt |= CERTDB_VALID_PEER;
    }
    if (t == nssTrustLevel_ValidDelegator) {
       rt |= CERTDB_VALID_CA;
    }
    return rt;
}

Here is the caller graph for this function:

static nssTrustLevel get_stan_trust ( unsigned int  t,
PRBool  isClientAuth 
) [static]

Definition at line 899 of file pki3hack.c.

Here is the caller graph for this function:

static PRStatus nss3certificate_getDERSerialNumber ( nssDecodedCert *  dc,
NSSDER serial,
NSSArena *  arena 
) [static]

Definition at line 455 of file pki3hack.c.

{
    CERTCertificate *cc = (CERTCertificate *)dc->data;
    SECItem derSerial = { 0 };
    SECStatus secrv;
    secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
    if (secrv == SECSuccess) {
       (void)nssItem_Create(arena, serial, derSerial.len, derSerial.data);
       PORT_Free(derSerial.data);
       return PR_SUCCESS;
    }
    return PR_FAILURE;
}

Here is the caller graph for this function:

static NSSASCII7* nss3certificate_getEmailAddress ( nssDecodedCert *  dc) [static]

Definition at line 447 of file pki3hack.c.

{
    CERTCertificate *cc = (CERTCertificate *)dc->data;
    return (cc && cc->emailAddr && cc->emailAddr[0])
           ? (NSSASCII7 *)cc->emailAddr : NULL;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static NSSItem* nss3certificate_getIdentifier ( nssDecodedCert *  dc) [static]

Definition at line 297 of file pki3hack.c.

{
    NSSItem *rvID;
    CERTCertificate *c = (CERTCertificate *)dc->data;
    rvID = nssItem_Create(NULL, NULL, c->certKey.len, c->certKey.data);
    return rvID;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static void* nss3certificate_getIssuerIdentifier ( nssDecodedCert *  dc) [static]

Definition at line 306 of file pki3hack.c.

{
    CERTCertificate *c = (CERTCertificate *)dc->data;
    return (void *)c->authKeyID;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static NSSUsage* nss3certificate_getUsage ( nssDecodedCert *  dc) [static]

Definition at line 377 of file pki3hack.c.

{
    /* CERTCertificate *c = (CERTCertificate *)dc->data; */
    return NULL;
}

Here is the caller graph for this function:

static PRBool nss3certificate_isNewerThan ( nssDecodedCert *  dc,
nssDecodedCert *  cmpdc 
) [static]

Definition at line 396 of file pki3hack.c.

{
    /* I know this isn't right, but this is glue code anyway */
    if (cmpdc->type == dc->type) {
       CERTCertificate *certa = (CERTCertificate *)dc->data;
       CERTCertificate *certb = (CERTCertificate *)cmpdc->data;
       return CERT_IsNewer(certa, certb);
    }
    return PR_FALSE;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static PRBool nss3certificate_isValidAtTime ( nssDecodedCert *  dc,
NSSTime *  time 
) [static]

Definition at line 384 of file pki3hack.c.

{
    SECCertTimeValidity validity;
    CERTCertificate *c = (CERTCertificate *)dc->data;
    validity = CERT_CheckCertValidTimes(c, NSSTime_GetPRTime(time), PR_TRUE);
    if (validity == secCertTimeValid) {
       return PR_TRUE;
    }
    return PR_FALSE;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static PRBool nss3certificate_isValidIssuer ( nssDecodedCert *  dc) [static]

Definition at line 369 of file pki3hack.c.

{
    CERTCertificate *c = (CERTCertificate *)dc->data;
    unsigned int ignore;
    return CERT_IsCACert(c, &ignore);
}

Here is the call graph for this function:

Here is the caller graph for this function:

static nssCertIDMatch nss3certificate_matchIdentifier ( nssDecodedCert *  dc,
void id 
) [static]

Definition at line 313 of file pki3hack.c.

{
    CERTCertificate *c = (CERTCertificate *)dc->data;
    CERTAuthKeyID *authKeyID = (CERTAuthKeyID *)id;
    SECItem skid;
    nssCertIDMatch match = nssCertIDMatch_Unknown;

    /* keyIdentifier */
    if (authKeyID->keyID.len > 0) {
       if (CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
           PRBool skiEqual;
           skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
           PORT_Free(skid.data);
           if (skiEqual) {
              /* change the state to positive match, but keep going */
              match = nssCertIDMatch_Yes;
           } else {
              /* exit immediately on failure */
              return nssCertIDMatch_No;
           }
       } /* else fall through */
    }

    /* issuer/serial (treated as pair) */
    if (authKeyID->authCertIssuer) {
       SECItem *caName = NULL;
       SECItem *caSN = &authKeyID->authCertSerialNumber;

       caName = (SECItem *)CERT_GetGeneralNameByType(
                                               authKeyID->authCertIssuer,
                                          certDirectoryName, PR_TRUE);
       if (caName == NULL) {
           /* this is some kind of error, so treat it as unknown */
           return nssCertIDMatch_Unknown;
       }
       if (SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
           SECITEM_ItemsAreEqual(&c->serialNumber, caSN)) 
       {
           /* change the state to positive match, but keep going */
           match = nssCertIDMatch_Yes;
       } else {
           /* exit immediately on failure */
           return nssCertIDMatch_No;
       }
    }

    /* If the issued cert has a keyIdentifier field with a value, but
     * this issuer cert does not have a subjectKeyID extension, and
     * the issuer/serial number fields of the authKeyID extension
     * are empty, the state will be Unknown.  Otherwise it should have
     * been set to Yes.
     */
    return match;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static PRBool nss3certificate_matchUsage ( nssDecodedCert *  dc,
const NSSUsage *  usage 
) [static]

Definition at line 409 of file pki3hack.c.

{
    CERTCertificate *cc;
    unsigned int requiredKeyUsage = 0;
    unsigned int requiredCertType = 0;
    SECStatus secrv;
    PRBool match;
    PRBool ca;

    /* This is for NSS 3.3 functions that do not specify a usage */
    if (usage->anyUsage) {
       return PR_TRUE;
    }
    ca = usage->nss3lookingForCA;
    secrv = CERT_KeyUsageAndTypeForCertUsage(usage->nss3usage, ca,
                                             &requiredKeyUsage,
                                             &requiredCertType);
    if (secrv != SECSuccess) {
       return PR_FALSE;
    }
    cc = (CERTCertificate *)dc->data;
    secrv = CERT_CheckKeyUsage(cc, requiredKeyUsage);
    match = (PRBool)(secrv == SECSuccess);
    if (match) {
       unsigned int certType = 0;
       if (ca) {
           (void)CERT_IsCACert(cc, &certType);
       } else {
           certType = cc->nsCertType;
       }
       if (!(certType & requiredCertType)) {
           match = PR_FALSE;
       }
    }
    return match;
}

Here is the call graph for this function:

Here is the caller graph for this function:

Definition at line 1262 of file pki3hack.c.

{
    NSSTrustDomain *td;
    NSSCryptoContext *cc;
    td = STAN_GetDefaultTrustDomain();
    cc = STAN_GetDefaultCryptoContext();
    printf("\n\nCertificates in the cache:\n");
    nssTrustDomain_DumpCacheInfo(td, cert_dump_iter, NULL);
    printf("\n\nCertificates in the temporary store:\n");
    if (cc->certStore) {
       nssCertificateStore_DumpStoreInfo(cc->certStore, cert_dump_iter, NULL);
    }
}

Here is the call graph for this function:

Here is the caller graph for this function:

NSS_IMPLEMENT nssDecodedCert* nssDecodedPKIXCertificate_Create ( NSSArena *  arenaOpt,
NSSDER encoding 
)

Definition at line 472 of file pki3hack.c.

{
    nssDecodedCert  *rvDC = NULL;
    CERTCertificate *cert;
    SECItem          secDER;

    SECITEM_FROM_NSSITEM(&secDER, encoding);
    cert = CERT_DecodeDERCertificate(&secDER, PR_TRUE, NULL);
    if (cert) {
       rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
       if (rvDC) {
           rvDC->type                = NSSCertificateType_PKIX;
           rvDC->data                = (void *)cert;
           rvDC->getIdentifier       = nss3certificate_getIdentifier;
           rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
           rvDC->matchIdentifier     = nss3certificate_matchIdentifier;
           rvDC->isValidIssuer       = nss3certificate_isValidIssuer;
           rvDC->getUsage            = nss3certificate_getUsage;
           rvDC->isValidAtTime       = nss3certificate_isValidAtTime;
           rvDC->isNewerThan         = nss3certificate_isNewerThan;
           rvDC->matchUsage          = nss3certificate_matchUsage;
           rvDC->getEmailAddress     = nss3certificate_getEmailAddress;
           rvDC->getDERSerialNumber  = nss3certificate_getDERSerialNumber;
       } else {
           CERT_DestroyCertificate(cert);
       }
    }
    return rvDC;
}

Here is the call graph for this function:

Here is the caller graph for this function:

Definition at line 529 of file pki3hack.c.

{
    CERTCertificate *cert = (CERTCertificate *)dc->data;

    /* The decoder may only be half initialized (the case where we find we 
     * could not decode the certificate). In this case, there is not cert to
     * free, just free the dc structure. */
    if (cert) {
       PRBool freeSlot = cert->ownSlot;
       PK11SlotInfo *slot = cert->slot;
       PRArenaPool *arena  = cert->arena;
       /* zero cert before freeing. Any stale references to this cert
        * after this point will probably cause an exception.  */
       PORT_Memset(cert, 0, sizeof *cert);
       /* free the arena that contains the cert. */
       PORT_FreeArena(arena, PR_FALSE);
       if (slot && freeSlot) {
           PK11_FreeSlot(slot);
       }
    }
    nss_ZFreeIf(dc);
    return PR_SUCCESS;
}

Here is the call graph for this function:

Here is the caller graph for this function:

NSS_IMPLEMENT PRStatus nssPKIX509_GetIssuerAndSerialFromDER ( NSSDER der,
NSSArena *  arena,
NSSDER issuer,
NSSDER serial 
)

Definition at line 272 of file pki3hack.c.

{
    SECStatus secrv;
    SECItem derCert;
    SECItem derIssuer = { 0 };
    SECItem derSerial = { 0 };
    SECITEM_FROM_NSSITEM(&derCert, der);
    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
    if (secrv != SECSuccess) {
       return PR_FAILURE;
    }
    (void)nssItem_Create(arena, serial, derSerial.len, derSerial.data);
    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
    if (secrv != SECSuccess) {
       PORT_Free(derSerial.data);
       return PR_FAILURE;
    }
    (void)nssItem_Create(arena, issuer, derIssuer.len, derIssuer.data);
    PORT_Free(derSerial.data);
    PORT_Free(derIssuer.data);
    return PR_SUCCESS;
}

Here is the call graph for this function:

CERTCertTrust* nssTrust_GetCERTCertTrustForCert ( NSSCertificate *  c,
CERTCertificate *  cc 
)

Definition at line 602 of file pki3hack.c.

{
    CERTCertTrust *rvTrust = NULL;
    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
    NSSTrust *t;
    t = nssTrustDomain_FindTrustForCertificate(td, c);
    if (t) {
       rvTrust = cert_trust_from_stan_trust(t, cc->arena);
       if (!rvTrust) {
           nssTrust_Destroy(t);
           return NULL;
       }
       nssTrust_Destroy(t);
    } else {
       rvTrust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
       if (!rvTrust) {
           return NULL;
       }
       memset(rvTrust, 0, sizeof(*rvTrust));
    }
    if (NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL)) {
       rvTrust->sslFlags |= CERTDB_USER;
       rvTrust->emailFlags |= CERTDB_USER;
       rvTrust->objectSigningFlags |= CERTDB_USER;
    }
    return rvTrust;
}

Here is the call graph for this function:

NSS_IMPLEMENT PRStatus nssTrustDomain_TraverseCertificatesByNickname ( NSSTrustDomain *  td,
NSSUTF8 nickname,
PRStatus(*)(NSSCertificate *c, void *arg callback,
void arg 
)

Definition at line 1226 of file pki3hack.c.

{
    PRStatus nssrv = PR_SUCCESS;
    NSSArena *tmpArena;
    NSSCertificate **nickCerts;
    NSSCertificate *c;
    PRIntn i;
    tmpArena = NSSArena_Create();
    if (!tmpArena) {
        return PR_FAILURE;
    }
    nickCerts = NSSTrustDomain_FindCertificatesByNickname(td, nickname, NULL,
                                                          0, tmpArena);
    if (nickCerts) {
       for (i=0, c = nickCerts[i]; c; i++) {
           nssrv = callback(c, arg);
           if (nssrv != PR_SUCCESS) break;
       }
    }
    nssArena_Destroy(tmpArena);
    return nssrv;
}

Here is the call graph for this function:

NSS_IMPLEMENT PRStatus nssTrustDomain_TraverseCertificatesBySubject ( NSSTrustDomain *  td,
NSSDER subject,
PRStatus(*)(NSSCertificate *c, void *arg callback,
void arg 
)

Definition at line 1196 of file pki3hack.c.

{
    PRStatus nssrv = PR_SUCCESS;
    NSSArena *tmpArena;
    NSSCertificate **subjectCerts;
    NSSCertificate *c;
    PRIntn i;
    tmpArena = NSSArena_Create();
    if (!tmpArena) {
        return PR_FAILURE;
    }
    subjectCerts = NSSTrustDomain_FindCertificatesBySubject(td, subject, NULL,
                                                            0, tmpArena);
    if (subjectCerts) {
       for (i=0, c = subjectCerts[i]; c; i++) {
           nssrv = callback(c, arg);
           if (nssrv != PR_SUCCESS) break;
       }
    }
    nssArena_Destroy(tmpArena);
    return nssrv;
}

Here is the call graph for this function:

Definition at line 182 of file pki3hack.c.

{
    NSSTrustDomain *td;
    int i;
    td = STAN_GetDefaultTrustDomain();
    for (i=0; i<module->slotCount; i++) {
       STAN_InitTokenForSlotInfo(td, module->slots[i]);
    }
    STAN_ResetTokenInterator(td);
    return SECSuccess;
}

Here is the call graph for this function:

NSS_EXTERN PRStatus STAN_ChangeCertTrust ( CERTCertificate *  cc,
CERTCertTrust *  trust 
)

Definition at line 1037 of file pki3hack.c.

{
    PRStatus nssrv;
    NSSCertificate *c = STAN_GetNSSCertificate(cc);
    NSSToken *tok;
    NSSTrustDomain *td;
    NSSTrust *nssTrust;
    NSSArena *arena;
    CERTCertTrust *oldTrust;
    nssListIterator *tokens;
    PRBool moving_object;
    nssCryptokiObject *newInstance;
    nssPKIObject *pkiob;
    oldTrust = nssTrust_GetCERTCertTrustForCert(c, cc);
    if (oldTrust) {
       if (memcmp(oldTrust, trust, sizeof (CERTCertTrust)) == 0) {
           /* ... and the new trust is no different, done) */
           return PR_SUCCESS;
       } else {
           /* take over memory already allocated in cc's arena */
           cc->trust = oldTrust;
       }
    } else {
       cc->trust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
    }
    memcpy(cc->trust, trust, sizeof(CERTCertTrust));
    /* Set the NSSCerticate's trust */
    arena = nssArena_Create();
    if (!arena) return PR_FAILURE;
    nssTrust = nss_ZNEW(arena, NSSTrust);
    pkiob = nssPKIObject_Create(arena, NULL, cc->dbhandle, NULL, nssPKILock);
    if (!pkiob) {
       nssArena_Destroy(arena);
       return PR_FAILURE;
    }
    nssTrust->object = *pkiob;
    nssTrust->certificate = c;
    nssTrust->serverAuth = get_stan_trust(trust->sslFlags, PR_FALSE);
    nssTrust->clientAuth = get_stan_trust(trust->sslFlags, PR_TRUE);
    nssTrust->emailProtection = get_stan_trust(trust->emailFlags, PR_FALSE);
    nssTrust->codeSigning = get_stan_trust(trust->objectSigningFlags, PR_FALSE);
    nssTrust->stepUpApproved = 
                    (PRBool)(trust->sslFlags & CERTDB_GOVT_APPROVED_CA);
    if (c->object.cryptoContext != NULL) {
       /* The cert is in a context, set the trust there */
       NSSCryptoContext *cc = c->object.cryptoContext;
       nssrv = nssCryptoContext_ImportTrust(cc, nssTrust);
       if (nssrv != PR_SUCCESS) {
           goto done;
       }
       if (c->object.numInstances == 0) {
           /* The context is the only instance, finished */
           goto done;
       }
    }
    td = STAN_GetDefaultTrustDomain();
    tok = stan_GetTrustToken(c);
    moving_object = PR_FALSE;
    if (tok && PK11_IsReadOnly(tok->pk11slot))  {
       NSSRWLock_LockRead(td->tokensLock);
       tokens = nssList_CreateIterator(td->tokenList);
       if (!tokens) {
           nssrv = PR_FAILURE;
           NSSRWLock_UnlockRead(td->tokensLock);
           goto done;
       }
       for (tok  = (NSSToken *)nssListIterator_Start(tokens);
            tok != (NSSToken *)NULL;
            tok  = (NSSToken *)nssListIterator_Next(tokens))
       {
           if (!PK11_IsReadOnly(tok->pk11slot)) break;
       }
       nssListIterator_Finish(tokens);
       nssListIterator_Destroy(tokens);
       NSSRWLock_UnlockRead(td->tokensLock);
       moving_object = PR_TRUE;
    } 
    if (tok) {
       if (moving_object) {
           /* this is kind of hacky.  the softoken needs the cert
            * object in order to store trust.  forcing it to be perm
            */
           NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
           NSSASCII7 *email = NULL;

           if (PK11_IsInternal(tok->pk11slot)) {
              email = c->email;
           }
           newInstance = nssToken_ImportCertificate(tok, NULL,
                                                    NSSCertificateType_PKIX,
                                                    &c->id,
                                                    nickname,
                                                    &c->encoding,
                                                    &c->issuer,
                                                    &c->subject,
                                                    &c->serial,
                                               email,
                                                    PR_TRUE);
           if (!newInstance) {
              nssrv = PR_FAILURE;
              goto done;
           }
           nssPKIObject_AddInstance(&c->object, newInstance);
       }
       newInstance = nssToken_ImportTrust(tok, NULL, &c->encoding,
                                          &c->issuer, &c->serial,
                                          nssTrust->serverAuth,
                                          nssTrust->clientAuth,
                                          nssTrust->codeSigning,
                                          nssTrust->emailProtection,
                                          nssTrust->stepUpApproved, PR_TRUE);
       /* If the selected token can't handle trust, dump the trust on 
        * the internal token */
       if (!newInstance && !PK11_IsInternal(tok->pk11slot)) {
           PK11SlotInfo *slot = PK11_GetInternalKeySlot();
           NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
           NSSASCII7 *email = c->email;
           tok = PK11Slot_GetNSSToken(slot);
           PK11_FreeSlot(slot);
       
           newInstance = nssToken_ImportCertificate(tok, NULL,
                                                    NSSCertificateType_PKIX,
                                                    &c->id,
                                                    nickname,
                                                    &c->encoding,
                                                    &c->issuer,
                                                    &c->subject,
                                                    &c->serial,
                                               email,
                                                    PR_TRUE);
           if (!newInstance) {
              nssrv = PR_FAILURE;
              goto done;
           }
           nssPKIObject_AddInstance(&c->object, newInstance);
           newInstance = nssToken_ImportTrust(tok, NULL, &c->encoding,
                                          &c->issuer, &c->serial,
                                          nssTrust->serverAuth,
                                          nssTrust->clientAuth,
                                          nssTrust->codeSigning,
                                          nssTrust->emailProtection,
                                          nssTrust->stepUpApproved, PR_TRUE);
       }
       if (newInstance) {
           nssCryptokiObject_Destroy(newInstance);
           nssrv = PR_SUCCESS;
       } else {
           nssrv = PR_FAILURE;
       }
    } else {
       nssrv = PR_FAILURE;
    }
done:
    (void)nssTrust_Destroy(nssTrust);
    return nssrv;
}

Here is the call graph for this function:

NSS_IMPLEMENT CERTCertificate* STAN_ForceCERTCertificateUpdate ( NSSCertificate *  c)

Definition at line 867 of file pki3hack.c.

{
    if (c->decoding) {
       return stan_GetCERTCertificate(c, PR_TRUE);
    }
    return NULL;
}

Here is the call graph for this function:

static CERTCertificate* stan_GetCERTCertificate ( NSSCertificate *  c,
PRBool  forceUpdate 
) [static]

Definition at line 813 of file pki3hack.c.

{
    nssDecodedCert *dc = NULL;
    CERTCertificate *cc = NULL;

    nssPKIObject_Lock(&c->object);

    dc = c->decoding;
    if (!dc) {
       dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding);
       if (!dc) {
            goto loser;
        }
       cc = (CERTCertificate *)dc->data;
       PORT_Assert(cc); /* software error */
       if (!cc) {
           nssDecodedPKIXCertificate_Destroy(dc);
           nss_SetError(NSS_ERROR_INTERNAL_ERROR);
           goto loser;
       }
       PORT_Assert(!c->decoding); 
       if (!c->decoding) {
           c->decoding = dc;
       } else { 
            /* this should never happen. Fail. */
           nssDecodedPKIXCertificate_Destroy(dc);
           nss_SetError(NSS_ERROR_INTERNAL_ERROR);
            goto loser;
       }
    }
    cc = (CERTCertificate *)dc->data;
    PORT_Assert(cc);
    if (!cc) {
        nss_SetError(NSS_ERROR_INTERNAL_ERROR);
        goto loser;
    }
    if (!cc->nssCertificate || forceUpdate) {
        fill_CERTCertificateFields(c, cc, forceUpdate);
    } else if (!cc->trust && !c->object.cryptoContext) {
        /* if it's a perm cert, it might have been stored before the
         * trust, so look for the trust again.  But a temp cert can be
         * ignored.
         */
        CERTCertTrust* trust = NULL;
        trust = nssTrust_GetCERTCertTrustForCert(c, cc);
        cc->trust = trust;
    }

  loser:
    nssPKIObject_Unlock(&c->object);
    return cc;
}

Here is the call graph for this function:

Here is the caller graph for this function:

NSS_IMPLEMENT CERTCertificate* STAN_GetCERTCertificate ( NSSCertificate *  c)

Definition at line 876 of file pki3hack.c.

Here is the call graph for this function:

char* STAN_GetCERTCertificateName ( PLArenaPool arenaOpt,
NSSCertificate *  c 
)

Definition at line 707 of file pki3hack.c.

{
    char * result;
    nssCryptokiInstance *instance = get_cert_instance(c);
    /* It's OK to call this function, even if instance is NULL */
    result = STAN_GetCERTCertificateNameForInstance(arenaOpt, c, instance);
    if (instance)
       nssCryptokiObject_Destroy(instance);
    return result;
}

Here is the call graph for this function:

char* STAN_GetCERTCertificateNameForInstance ( PLArenaPool arenaOpt,
NSSCertificate *  c,
nssCryptokiInstance *  instance 
)

Definition at line 659 of file pki3hack.c.

{
    NSSCryptoContext *context = c->object.cryptoContext;
    PRStatus nssrv;
    int nicklen, tokenlen, len;
    NSSUTF8 *tokenName = NULL;
    NSSUTF8 *stanNick = NULL;
    char *nickname = NULL;
    char *nick;

    if (instance) {
       stanNick = instance->label;
    } else if (context) {
       stanNick = c->object.tempName;
    }
    if (stanNick) {
       /* fill other fields needed by NSS3 functions using CERTCertificate */
       if (instance && !PK11_IsInternal(instance->token->pk11slot)) {
           tokenName = nssToken_GetName(instance->token);
           tokenlen = nssUTF8_Size(tokenName, &nssrv);
       } else {
       /* don't use token name for internal slot; 3.3 didn't */
           tokenlen = 0;
       }
       nicklen = nssUTF8_Size(stanNick, &nssrv);
       len = tokenlen + nicklen;
       if (arenaOpt) {
           nickname = PORT_ArenaAlloc(arenaOpt, len);
       } else {
           nickname = PORT_Alloc(len);
       }
       nick = nickname;
       if (tokenName) {
           memcpy(nick, tokenName, tokenlen-1);
           nick += tokenlen-1;
           *nick++ = ':';
       }
       memcpy(nick, stanNick, nicklen-1);
       nickname[len-1] = '\0';
    }
    return nickname;
}

Here is the call graph for this function:

NSS_IMPLEMENT CERTCertificate* STAN_GetCERTCertificateOrRelease ( NSSCertificate *  c)

Definition at line 889 of file pki3hack.c.

{
    CERTCertificate *nss3cert = stan_GetCERTCertificate(c, PR_FALSE);
    if (!nss3cert) {
       nssCertificate_Destroy(c);
    }
    return nss3cert;
}

Here is the call graph for this function:

NSS_IMPLEMENT NSSItem* STAN_GetCertIdentifierFromDER ( NSSArena *  arenaOpt,
NSSDER der 
)

Definition at line 247 of file pki3hack.c.

{
    NSSItem *rvKey;
    SECItem secDER;
    SECItem secKey = { 0 };
    SECStatus secrv;
    PRArenaPool *arena;

    SECITEM_FROM_NSSITEM(&secDER, der);

    /* nss3 call uses nss3 arena's */
    arena = PORT_NewArena(256);
    if (!arena) {
       return NULL;
    }
    secrv = CERT_KeyFromDERCert(arena, &secDER, &secKey);
    if (secrv != SECSuccess) {
       return NULL;
    }
    rvKey = nssItem_Create(arenaOpt, NULL, secKey.len, (void *)secKey.data);
    PORT_FreeArena(arena,PR_FALSE);
    return rvKey;
}

Here is the call graph for this function:

NSSCryptoContext* STAN_GetDefaultCryptoContext ( )

Definition at line 89 of file pki3hack.c.

NSSTrustDomain* STAN_GetDefaultTrustDomain ( )

Definition at line 83 of file pki3hack.c.

NSS_EXTERN NSSCertificate* STAN_GetNSSCertificate ( CERTCertificate *  cc)

Definition at line 923 of file pki3hack.c.

{
    NSSCertificate *c;
    nssCryptokiInstance *instance;
    nssPKIObject *pkiob;
    NSSArena *arena;
    c = cc->nssCertificate;
    if (c) {
       return c;
    }
    /* i don't think this should happen.  but if it can, need to create
     * NSSCertificate from CERTCertificate values here.  */
    /* Yup, it can happen. */
    arena = NSSArena_Create();
    if (!arena) {
       return NULL;
    }
    c = nss_ZNEW(arena, NSSCertificate);
    if (!c) {
       nssArena_Destroy(arena);
       return NULL;
    }
    NSSITEM_FROM_SECITEM(&c->encoding, &cc->derCert);
    c->type = NSSCertificateType_PKIX;
    pkiob = nssPKIObject_Create(arena, NULL, cc->dbhandle, NULL, nssPKIMonitor);
    if (!pkiob) {
       nssArena_Destroy(arena);
       return NULL;
    }
    c->object = *pkiob;
    nssItem_Create(arena,
                   &c->issuer, cc->derIssuer.len, cc->derIssuer.data);
    nssItem_Create(arena,
                   &c->subject, cc->derSubject.len, cc->derSubject.data);
    if (PR_TRUE) {
       /* CERTCertificate stores serial numbers decoded.  I need the DER
       * here.  sigh.
       */
       SECItem derSerial;
       SECStatus secrv;
       secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
       if (secrv == SECFailure) {
           nssArena_Destroy(arena);
           return NULL;
       }
       nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data);
       PORT_Free(derSerial.data);
    }
    if (cc->emailAddr && cc->emailAddr[0]) {
        c->email = nssUTF8_Create(arena,
                                  nssStringType_PrintableString,
                                  (NSSUTF8 *)cc->emailAddr,
                                  PORT_Strlen(cc->emailAddr));
    }
    if (cc->slot) {
       instance = nss_ZNEW(arena, nssCryptokiInstance);
       instance->token = nssToken_AddRef(PK11Slot_GetNSSToken(cc->slot));
       instance->handle = cc->pkcs11ID;
       instance->isTokenObject = PR_TRUE;
       if (cc->nickname) {
           instance->label = nssUTF8_Create(arena,
                                            nssStringType_UTF8String,
                                            (NSSUTF8 *)cc->nickname,
                                            PORT_Strlen(cc->nickname));
       }
       nssPKIObject_AddInstance(&c->object, instance);
    }
    c->decoding = create_decoded_pkix_cert_from_nss3cert(NULL, cc);
    cc->nssCertificate = c;
    return c;
}

Here is the call graph for this function:

static NSSToken* stan_GetTrustToken ( NSSCertificate *  c) [static]

Definition at line 996 of file pki3hack.c.

{
    NSSToken *ttok = NULL;
    NSSToken *rtok = NULL;
    NSSToken *tok = NULL;
    nssCryptokiObject **ip;
    nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
    if (!instances) {
       return PR_FALSE;
    }
    for (ip = instances; *ip; ip++) {
       nssCryptokiObject *instance = *ip;
        nssCryptokiObject *to = 
              nssToken_FindTrustForCertificate(instance->token, NULL,
              &c->encoding, &c->issuer, &c->serial, 
              nssTokenSearchType_TokenOnly);
       NSSToken *ctok = instance->token;
       PRBool ro = PK11_IsReadOnly(ctok->pk11slot);

       if (to) {
           nssCryptokiObject_Destroy(to);
           ttok = ctok;
           if (!ro) {
              break;
           }
       } else {
           if (!rtok && ro) {
              rtok = ctok;
           } 
           if (!tok && !ro) {
              tok = ctok;
           }
       }
    }
    nssCryptokiObjectArray_Destroy(instances);
    return ttok ? ttok : (tok ? tok : rtok);
}

Here is the call graph for this function:

Here is the caller graph for this function:

NSS_IMPLEMENT PRStatus STAN_InitTokenForSlotInfo ( NSSTrustDomain *  td,
PK11SlotInfo *  slot 
)

Definition at line 98 of file pki3hack.c.

{
    NSSToken *token;
    if (!td) {
       td = g_default_trust_domain;
    }
    token = nssToken_CreateFromPK11SlotInfo(td, slot);
    PK11Slot_SetNSSToken(slot, token);
    NSSRWLock_LockWrite(td->tokensLock);
    nssList_Add(td->tokenList, token);
    NSSRWLock_UnlockWrite(td->tokensLock);
    return PR_SUCCESS;
}

Here is the call graph for this function:

Definition at line 126 of file pki3hack.c.

{
    NSSTrustDomain *td;
    SECMODModuleList *mlp;
    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
    int i;

    if (g_default_trust_domain || g_default_crypto_context) {
       /* Stan is already initialized or a previous shutdown failed. */
       nss_SetError(NSS_ERROR_ALREADY_INITIALIZED);
       return PR_FAILURE;
    }
    td = NSSTrustDomain_Create(NULL, NULL, NULL, NULL);
    if (!td) {
       return PR_FAILURE;
    }
    /*
     * Deadlock warning: we should never acquire the moduleLock while
     * we hold the tokensLock. We can use the NSSRWLock Rank feature to
     * guarrentee this. tokensLock have a higher rank than module lock.
     */
    td->tokenList = nssList_Create(td->arena, PR_TRUE);
    if (!td->tokenList) {
       goto loser;
    }
    SECMOD_GetReadLock(moduleLock);
    NSSRWLock_LockWrite(td->tokensLock);
    for (mlp = SECMOD_GetDefaultModuleList(); mlp != NULL; mlp=mlp->next) {
       for (i=0; i < mlp->module->slotCount; i++) {
           STAN_InitTokenForSlotInfo(td, mlp->module->slots[i]);
       }
    }
    td->tokens = nssList_CreateIterator(td->tokenList);
    NSSRWLock_UnlockWrite(td->tokensLock);
    SECMOD_ReleaseReadLock(moduleLock);
    if (!td->tokens) {
       goto loser;
    }
    g_default_crypto_context = NSSTrustDomain_CreateCryptoContext(td, NULL);
    if (!g_default_crypto_context) {
       goto loser;
    }
    g_default_trust_domain = td;
    return PR_SUCCESS;

  loser:
    NSSTrustDomain_Destroy(td);
    return PR_FAILURE;
}

Here is the call graph for this function:

Definition at line 200 of file pki3hack.c.

{
    NSSToken *token;
    NSSTrustDomain *td;
    int i;
    td = STAN_GetDefaultTrustDomain();
    NSSRWLock_LockWrite(td->tokensLock);
    for (i=0; i<module->slotCount; i++) {
       token = PK11Slot_GetNSSToken(module->slots[i]);
       if (token) {
           nssToken_NotifyCertsNotVisible(token);
           nssList_Remove(td->tokenList, token);
           PK11Slot_SetNSSToken(module->slots[i], NULL);
           nssToken_Destroy(token);
       }
    }
    nssListIterator_Destroy(td->tokens);
    td->tokens = nssList_CreateIterator(td->tokenList);
    NSSRWLock_UnlockWrite(td->tokensLock);
    return SECSuccess;
}

Here is the call graph for this function:

Definition at line 113 of file pki3hack.c.

{
    if (!td) {
       td = g_default_trust_domain;
    }
    NSSRWLock_LockWrite(td->tokensLock);
    nssListIterator_Destroy(td->tokens);
    td->tokens = nssList_CreateIterator(td->tokenList);
    NSSRWLock_UnlockWrite(td->tokensLock);
    return PR_SUCCESS;
}

Here is the call graph for this function:

Definition at line 225 of file pki3hack.c.

Here is the call graph for this function:


Variable Documentation

NSSCryptoContext* g_default_crypto_context = NULL

Definition at line 80 of file pki3hack.c.

NSSTrustDomain* g_default_trust_domain = NULL

Definition at line 78 of file pki3hack.c.

Definition at line 95 of file errorval.c.

Definition at line 52 of file errorval.c.