bug 135521, change cert lookups on tokens to be actual finds instead …

…of traversals
sailfishos-mirror · Apr 15, 2002 · 75658af · 75658af
1 parent b0b3355
commit 75658af
Show file tree

Hide file tree

Showing 24 changed files with 2,304 additions and 1,888 deletions.
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
@@ -135,17 +135,17 @@ SECStatus
 __CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
 		       CERTCertTrust *trust)
 {
-    PRStatus nssrv;
     NSSUTF8 *stanNick;
     PK11SlotInfo *slot;
     NSSToken *internal;
     NSSCryptoContext *context;
+    nssCryptokiObject *permInstance;
     NSSCertificate *c = STAN_GetNSSCertificate(cert);
     context = c->object.cryptoContext;
     if (!context) {
 	return SECFailure; /* wasn't a temp cert */
     }
-    stanNick = NSSCertificate_GetNickname(c, NULL);
+    stanNick = nssCertificate_GetNickname(c, NULL);
     if (stanNick && nickname && strcmp(nickname, stanNick) != 0) {
 	/* take the new nickname */
 	cert->nickname = NULL;
@@ -157,15 +157,23 @@ __CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
     /* Delete the temp instance */
     nssCertificateStore_Remove(context->certStore, c);
     c->object.cryptoContext = NULL;
-    /* the perm instance will assume the reference */
-    nssList_Clear(c->object.instanceList, NULL);
     /* Import the perm instance onto the internal token */
     slot = PK11_GetInternalKeySlot();
     internal = PK11Slot_GetNSSToken(slot);
-    nssrv = nssToken_ImportCertificate(internal, NULL, c, stanNick, PR_TRUE);
-    if (nssrv != PR_SUCCESS) {
+    permInstance = nssToken_ImportCertificate(internal, NULL,
+                                              NSSCertificateType_PKIX,
+                                              &c->id,
+                                              stanNick,
+                                              &c->encoding,
+                                              &c->issuer,
+                                              &c->subject,
+                                              &c->serial,
+                                              PR_TRUE);
+    PK11_FreeSlot(slot);
+    if (!permInstance) {
 	return SECFailure;
     }
+    nssPKIObject_AddInstance(&c->object, permInstance);
     /* reset the CERTCertificate fields */
     cert->nssCertificate = NULL;
     cert = STAN_GetCERTCertificate(c); /* will return same pointer */
@@ -188,11 +196,11 @@ __CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
 {
     PRStatus nssrv;
     NSSCertificate *c;
-    NSSCryptoContext *context;
-    NSSArena *arena;
     CERTCertificate *cc;
     NSSCertificate *tempCert;
+    nssPKIObject *pkio;
     NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext();
+    NSSTrustDomain *gTD = STAN_GetDefaultTrustDomain();
     if (!isperm) {
 	NSSDER encoding;
 	NSSITEM_FROM_SECITEM(&encoding, derCert);
@@ -208,27 +216,24 @@ __CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
 	    return STAN_GetCERTCertificate(c);
 	}
     }
-    arena = NSSArena_Create();
-    if (!arena) {
+    pkio = nssPKIObject_Create(NULL, NULL, gTD, gCC);
+    if (!pkio) {
 	return NULL;
     }
-    c = nss_ZNEW(arena, NSSCertificate);
+    c = nss_ZNEW(pkio->arena, NSSCertificate);
     if (!c) {
-	nssArena_Destroy(arena);
+	nssPKIObject_Destroy(pkio);
 	return NULL;
     }
+    c->object = *pkio;
     NSSITEM_FROM_SECITEM(&c->encoding, derCert);
-    nssrv = nssPKIObject_Initialize(&c->object, arena, NULL, NULL);
-    if (nssrv != PR_SUCCESS) {
-	goto loser;
-    }
     /* Forces a decoding of the cert in order to obtain the parts used
      * below
      */
     cc = STAN_GetCERTCertificate(c);
-    nssItem_Create(arena, 
+    nssItem_Create(c->object.arena, 
                    &c->issuer, cc->derIssuer.len, cc->derIssuer.data);
-    nssItem_Create(arena, 
+    nssItem_Create(c->object.arena, 
                    &c->subject, cc->derSubject.len, cc->derSubject.data);
     if (PR_TRUE) {
 	/* CERTCertificate stores serial numbers decoded.  I need the DER
@@ -237,31 +242,30 @@ __CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
 	SECItem derSerial = { 0 };
 	CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
 	if (!derSerial.data) goto loser;
-	nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data);
+	nssItem_Create(c->object.arena, &c->serial, derSerial.len, derSerial.data);
 	PORT_Free(derSerial.data);
     }
     if (nickname) {
-	c->object.tempName = nssUTF8_Create(arena, 
+	c->object.tempName = nssUTF8_Create(c->object.arena, 
                                             nssStringType_UTF8String, 
                                             (NSSUTF8 *)nickname, 
                                             PORT_Strlen(nickname));
     }
     if (cc->emailAddr) {
-	c->email = nssUTF8_Create(arena, 
+	c->email = nssUTF8_Create(c->object.arena, 
 	                          nssStringType_PrintableString, 
 	                          (NSSUTF8 *)cc->emailAddr, 
 	                          PORT_Strlen(cc->emailAddr));
     }
-    context = STAN_GetDefaultCryptoContext();
     /* this function cannot detect if the cert exists as a temp cert now, but
      * didn't when CERT_NewTemp was first called.
      */
-    nssrv = NSSCryptoContext_ImportCertificate(context, c);
+    nssrv = NSSCryptoContext_ImportCertificate(gCC, c);
     if (nssrv != PR_SUCCESS) {
 	goto loser;
     }
     /* so find the entry in the temp store */
-    tempCert = NSSCryptoContext_FindCertificateByIssuerAndSerialNumber(context,
+    tempCert = NSSCryptoContext_FindCertificateByIssuerAndSerialNumber(gCC,
                                                                    &c->issuer,
                                                                    &c->serial);
     /* destroy the copy */
@@ -273,7 +277,6 @@ __CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
     } else {
 	return NULL;
     }
-    c->object.trustDomain = STAN_GetDefaultTrustDomain();
     cc->istemp = PR_TRUE;
     cc->isperm = PR_FALSE;
     return cc;
@@ -308,17 +311,18 @@ CERT_FindCertByIssuerAndSN(CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndS
 static NSSCertificate *
 get_best_temp_or_perm(NSSCertificate *ct, NSSCertificate *cp)
 {
-    nssBestCertificateCB best;
     NSSUsage usage;
-    usage.anyUsage = PR_TRUE;
-    nssBestCertificate_SetArgs(&best, NULL, &usage, NULL);
-    if (ct) {
-	nssBestCertificate_Callback(ct, (void *)&best);
-    }
-    if (cp) {
-	nssBestCertificate_Callback(cp, (void *)&best);
+    NSSCertificate *arr[3];
+    if (!ct) {
+	return nssCertificate_AddRef(cp);
+    } else if (!cp) {
+	return nssCertificate_AddRef(ct);
     }
-    return best.cert;
+    arr[0] = ct;
+    arr[1] = cp;
+    arr[2] = NULL;
+    usage.anyUsage = PR_TRUE;
+    return nssCertificateArray_FindBestCertificate(arr, NULL, &usage, NULL);
 }
 
 CERTCertificate *

diff --git a/security/nss/lib/dev/ckhelper.c b/security/nss/lib/dev/ckhelper.c
@@ -287,7 +287,6 @@ nssCKObject_IsTokenObjectTemplate
     return PR_FALSE;
 }
 
-#ifdef PURE_STAN_BUILD
 static NSSCertificateType
 nss_cert_type_from_ck_attrib(CK_ATTRIBUTE_PTR attrib)
 {
@@ -358,10 +357,14 @@ nssCryptokiCertificate_GetAttributes
 	return PR_SUCCESS;
     }
 
+#ifdef PURE_STAN_BUILD
     status = nssToken_GetCachedObjectAttributes(certObject->token, arenaOpt,
                                                 certObject, CKO_CERTIFICATE,
                                                 cert_template, template_size);
     if (status != PR_SUCCESS) {
+#else
+    if (PR_TRUE) {
+#endif
 
 	session = sessionOpt ? 
 	          sessionOpt : 
@@ -402,6 +405,7 @@ nssCryptokiCertificate_GetAttributes
     return PR_SUCCESS;
 }
 
+#ifdef PURE_STAN_BUILD
 static NSSKeyPairType
 nss_key_pair_type_from_ck_attrib(CK_ATTRIBUTE_PTR attrib)
 {
@@ -523,6 +527,7 @@ nssCryptokiPublicKey_GetAttributes
     }
     return PR_SUCCESS;
 }
+#endif /* PURE_STAN_BUILD */
 
 static nssTrustLevel 
 get_nss_trust
@@ -572,11 +577,15 @@ nssCryptokiTrust_GetAttributes
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING,     csTrust);
     NSS_CK_TEMPLATE_FINISH(trust_template, attr, trust_size);
 
+#ifdef PURE_STAN_BUILD
     status = nssToken_GetCachedObjectAttributes(trustObject->token, NULL,
                                                 trustObject, 
                                                 CKO_NETSCAPE_TRUST,
                                                 trust_template, trust_size);
     if (status != PR_SUCCESS) {
+#else
+    if (PR_TRUE) {
+#endif
 	session = sessionOpt ? 
 	          sessionOpt : 
 	          nssToken_GetDefaultSession(trustObject->token);
@@ -598,6 +607,7 @@ nssCryptokiTrust_GetAttributes
     return PR_SUCCESS;
 }
 
+#ifdef PURE_STAN_BUILD
 NSS_IMPLEMENT PRStatus
 nssCryptokiCRL_GetAttributes
 (

diff --git a/security/nss/lib/dev/ckhelper.h b/security/nss/lib/dev/ckhelper.h
@@ -86,6 +86,12 @@ NSS_EXTERN_DATA const NSSItem g_ck_class_privkey;
     (pattr)->ulValueLen = (CK_ULONG)sizeof(var);      \
     (pattr)++;
 
+#define NSS_CK_SET_ATTRIBUTE_NULL(pattr, kind)        \
+    (pattr)->type = kind;                             \
+    (pattr)->pValue = (CK_VOID_PTR)NULL;              \
+    (pattr)->ulValueLen = 0;                          \
+    (pattr)++;
+
 #define NSS_CK_TEMPLATE_FINISH(_template, attr, size) \
     size = (attr) - (_template);                      \
     PR_ASSERT(size <= sizeof(_template)/sizeof(_template[0]));
@@ -127,7 +133,7 @@ nssCKObject_GetAttributes
   CK_ULONG count,
   NSSArena *arenaOpt,
   nssSession *session,
-  NSSSlot  *slot
+  NSSSlot *slot
 );
 
 /* Get a single attribute as an item. */