The Tor Browser: security/nss/lib/pkcs12/p12d.c@b8a032363ba2 (annotated)

security/nss/lib/pkcs12/p12d.c@b8a032363ba2 (annotated)

security/nss/lib/pkcs12/p12d.c

Thu, 22 Jan 2015 13:21:57 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 22 Jan 2015 13:21:57 +0100
branch: TOR_BUG_9701
changeset 15: b8a032363ba2
permissions: -rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "nssrenam.h"
 #include "p12t.h"
 #include "p12.h"
 #include "plarena.h"
 #include "secitem.h"
 #include "secoid.h"
 #include "seccomon.h"
 #include "secport.h"
 #include "cert.h"
 #include "secpkcs7.h"
 #include "secasn1.h"
 #include "secerr.h"
 #include "pk11func.h"
 #include "p12plcy.h"
 #include "p12local.h"
 #include "secder.h"
 #include "secport.h"
 #include "certdb.h"
 #include "prcpucfg.h"
 /* This belongs in secport.h */
 #define PORT_ArenaGrowArray(poolp, oldptr, type, oldnum, newnum) \
     (type *)PORT_ArenaGrow((poolp), (oldptr), \
 			   (oldnum) * sizeof(type), (newnum) * sizeof(type))
 typedef struct sec_PKCS12SafeContentsContextStr sec_PKCS12SafeContentsContext;
 /* Opaque structure for decoding SafeContents.  These are used
  * for each authenticated safe as well as any nested safe contents.
  */
 struct sec_PKCS12SafeContentsContextStr {
     /* the parent decoder context */
     SEC_PKCS12DecoderContext *p12dcx;
     /* memory arena to allocate space from */
     PLArenaPool *arena;
     /* decoder context and destination for decoding safe contents */
     SEC_ASN1DecoderContext *safeContentsA1Dcx;
     sec_PKCS12SafeContents safeContents;
     /* information for decoding safe bags within the safe contents.
      * these variables are updated for each safe bag decoded.
      */
     SEC_ASN1DecoderContext *currentSafeBagA1Dcx;
     sec_PKCS12SafeBag *currentSafeBag;
     PRBool skipCurrentSafeBag;
     /* if the safe contents is nested, the parent is pointed to here. */
     sec_PKCS12SafeContentsContext *nestedSafeContentsCtx;
 };
 /* opaque decoder context structure.  information for decoding a pkcs 12
  * PDU are stored here as well as decoding pointers for intermediary
  * structures which are part of the PKCS 12 PDU.  Upon a successful
  * decode, the safe bags containing certificates and keys encountered.
  */
 struct SEC_PKCS12DecoderContextStr {
     PLArenaPool *arena;
     PK11SlotInfo *slot;
     void *wincx;
     PRBool error;
     int errorValue;
     /* password */
     SECItem *pwitem;
     /* used for decoding the PFX structure */
     SEC_ASN1DecoderContext 	*pfxA1Dcx;
     sec_PKCS12PFXItem 		pfx;
     /* safe bags found during decoding */
     sec_PKCS12SafeBag 		**safeBags;
     unsigned int 		safeBagCount;
     /* state variables for decoding authenticated safes. */
     SEC_PKCS7DecoderContext 	*currentASafeP7Dcx;
     SEC_ASN1DecoderContext 	*aSafeA1Dcx;
     SEC_PKCS7DecoderContext 	*aSafeP7Dcx;
     SEC_PKCS7ContentInfo 	*aSafeCinfo;
     sec_PKCS12AuthenticatedSafe authSafe;
     sec_PKCS12SafeContents 	safeContents;
     /* safe contents info */
     unsigned int 		safeContentsCnt;
     sec_PKCS12SafeContentsContext **safeContentsList;
     /* HMAC info */
     sec_PKCS12MacData		macData;
     /* routines for reading back the data to be hmac'd */
     /* They are called as follows.
      *
      * Stage 1: decode the aSafes cinfo into a buffer in dArg,
      * which p12d.c sometimes refers to as the "temp file".
      * This occurs during SEC_PKCS12DecoderUpdate calls.
      *
      * dOpen(dArg, PR_FALSE)
      * dWrite(dArg, buf, len)
      * ...
      * dWrite(dArg, buf, len)
      * dClose(dArg, PR_FALSE)
      *
      * Stage 2: verify MAC
      * This occurs SEC_PKCS12DecoderVerify.
      *
      * dOpen(dArg, PR_TRUE)
      * dRead(dArg, buf, IN_BUF_LEN)
      * ...
      * dRead(dArg, buf, IN_BUF_LEN)
      * dClose(dArg, PR_TRUE)
      */
     digestOpenFn 		dOpen;
     digestCloseFn 		dClose;
     digestIOFn 			dRead, dWrite;
     void 			*dArg;
     PRBool			dIsOpen;  /* is the temp file created? */
     /* helper functions */
     SECKEYGetPasswordKey 	pwfn;
     void 			*pwfnarg;
     PRBool 			swapUnicodeBytes;
     /* import information */
     PRBool 			bagsVerified;
     /* buffer management for the default callbacks implementation */
     void        *buffer;      /* storage area */
     PRInt32     filesize;     /* actual data size */
     PRInt32     allocated;    /* total buffer size allocated */
     PRInt32     currentpos;   /* position counter */
     SECPKCS12TargetTokenCAs tokenCAs;
     sec_PKCS12SafeBag **keyList;/* used by ...IterateNext() */
     unsigned int iteration;
     SEC_PKCS12DecoderItem decitem;
 };
 /* forward declarations of functions that are used when decoding
  * safeContents bags which are nested and when decoding the
  * authenticatedSafes.
  */
 static SECStatus
 sec_pkcs12_decoder_begin_nested_safe_contents(sec_PKCS12SafeContentsContext
 							*safeContentsCtx);
 static SECStatus
 sec_pkcs12_decoder_finish_nested_safe_contents(sec_PKCS12SafeContentsContext
 							*safeContentsCtx);
 /* make sure that the PFX version being decoded is a version
  * which we support.
  */
 static PRBool
 sec_pkcs12_proper_version(sec_PKCS12PFXItem *pfx)
 {
     /* if no version, assume it is not supported */
     if(pfx->version.len == 0) {
 	return PR_FALSE;
     }
     if(DER_GetInteger(&pfx->version) > SEC_PKCS12_VERSION) {
 	return PR_FALSE;
     }
     return PR_TRUE;
 }
 /* retrieve the key for decrypting the safe contents */
 static PK11SymKey *
 sec_pkcs12_decoder_get_decrypt_key(void *arg, SECAlgorithmID *algid)
 {
     SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *) arg;
     PK11SlotInfo *slot;
     PK11SymKey *bulkKey;
     if(!p12dcx) {
 	return NULL;
     }
     /* if no slot specified, use the internal key slot */
     if(p12dcx->slot) {
 	slot = PK11_ReferenceSlot(p12dcx->slot);
     } else {
 	slot = PK11_GetInternalKeySlot();
     }
     bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem,
 						PR_FALSE, p12dcx->wincx);
     /* some tokens can't generate PBE keys on their own, generate the
      * key in the internal slot, and let the Import code deal with it,
      * (if the slot can't generate PBEs, then we need to use the internal
      * slot anyway to unwrap). */
     if (!bulkKey && !PK11_IsInternal(slot)) {
 	PK11_FreeSlot(slot);
 	slot = PK11_GetInternalKeySlot();
 	bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem,
 						PR_FALSE, p12dcx->wincx);
     }
     PK11_FreeSlot(slot);
     /* set the password data on the key */
     if (bulkKey) {
         PK11_SetSymKeyUserData(bulkKey,p12dcx->pwitem, NULL);
     }
     return bulkKey;
 }
 /* XXX this needs to be modified to handle enveloped data.  most
  * likely, it should mirror the routines for SMIME in that regard.
  */
 static PRBool
 sec_pkcs12_decoder_decryption_allowed(SECAlgorithmID *algid,
 				      PK11SymKey *bulkkey)
 {
     PRBool decryptionAllowed = SEC_PKCS12DecryptionAllowed(algid);
     if(!decryptionAllowed) {
 	return PR_FALSE;
     }
     return PR_TRUE;
 }
 /* when we encounter a new safe bag during the decoding, we need
  * to allocate space for the bag to be decoded to and set the
  * state variables appropriately.  all of the safe bags are allocated
  * in a buffer in the outer SEC_PKCS12DecoderContext, however,
  * a pointer to the safeBag is also used in the sec_PKCS12SafeContentsContext
  * for the current bag.
  */
 static SECStatus
 sec_pkcs12_decoder_init_new_safe_bag(sec_PKCS12SafeContentsContext
 						*safeContentsCtx)
 {
     void *mark = NULL;
     SEC_PKCS12DecoderContext *p12dcx;
     /* make sure that the structures are defined, and there has
      * not been an error in the decoding
      */
     if(!safeContentsCtx || !safeContentsCtx->p12dcx
 		|| safeContentsCtx->p12dcx->error) {
 	return SECFailure;
     }
     p12dcx = safeContentsCtx->p12dcx;
     mark = PORT_ArenaMark(p12dcx->arena);
     /* allocate a new safe bag, if bags already exist, grow the
      * list of bags, otherwise allocate a new list.  the list is
      * NULL terminated.
      */
     p12dcx->safeBags = (!p12dcx->safeBagCount)
 	? PORT_ArenaZNewArray(p12dcx->arena, sec_PKCS12SafeBag *, 2)
         : PORT_ArenaGrowArray(p12dcx->arena, p12dcx->safeBags,
 				sec_PKCS12SafeBag *, p12dcx->safeBagCount + 1,
 				p12dcx->safeBagCount + 2);
     if(!p12dcx->safeBags) {
 	p12dcx->errorValue = PORT_GetError();
 	goto loser;
     }
     /* append the bag to the end of the list and update the reference
      * in the safeContentsCtx.
      */
     p12dcx->safeBags[p12dcx->safeBagCount] =
     safeContentsCtx->currentSafeBag =
 			    PORT_ArenaZNew(p12dcx->arena, sec_PKCS12SafeBag);
     if(!safeContentsCtx->currentSafeBag) {
 	p12dcx->errorValue = PORT_GetError();
 	goto loser;
     }
     p12dcx->safeBags[++p12dcx->safeBagCount] = NULL;
     safeContentsCtx->currentSafeBag->slot = safeContentsCtx->p12dcx->slot;
     safeContentsCtx->currentSafeBag->pwitem = safeContentsCtx->p12dcx->pwitem;
     safeContentsCtx->currentSafeBag->swapUnicodeBytes =
 				safeContentsCtx->p12dcx->swapUnicodeBytes;
     safeContentsCtx->currentSafeBag->arena = safeContentsCtx->p12dcx->arena;
     safeContentsCtx->currentSafeBag->tokenCAs =
 				safeContentsCtx->p12dcx->tokenCAs;
     PORT_ArenaUnmark(p12dcx->arena, mark);
     return SECSuccess;
 loser:
     /* if an error occurred, release the memory and set the error flag
      * the only possible errors triggered by this function are memory
      * related.
      */
     if(mark) {
 	PORT_ArenaRelease(p12dcx->arena, mark);
     }
     p12dcx->error = PR_TRUE;
     return SECFailure;
 }
 /* A wrapper for updating the ASN1 context in which a safeBag is
  * being decoded.  This function is called as a callback from
  * secasn1d when decoding SafeContents structures.
  */
 static void
 sec_pkcs12_decoder_safe_bag_update(void *arg, const char *data,
 				   unsigned long len, int depth,
 				   SEC_ASN1EncodingPart data_kind)
 {
     sec_PKCS12SafeContentsContext *safeContentsCtx =
         (sec_PKCS12SafeContentsContext *)arg;
     SEC_PKCS12DecoderContext *p12dcx;
     SECStatus rv;
     /* make sure that we are not skipping the current safeBag,
      * and that there are no errors.  If so, just return rather
      * than continuing to process.
      */
     if(!safeContentsCtx || !safeContentsCtx->p12dcx
 		|| safeContentsCtx->p12dcx->error
 		|| safeContentsCtx->skipCurrentSafeBag) {
 	return;
     }
     p12dcx = safeContentsCtx->p12dcx;
     rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len);
     if(rv != SECSuccess) {
 	p12dcx->errorValue = PORT_GetError();
 	goto loser;
     }
     return;
 loser:
     /* set the error, and finish the decoder context.  because there
      * is not a way of returning an error message, it may be worth
      * while to do a check higher up and finish any decoding contexts
      * that are still open.
      */
     p12dcx->error = PR_TRUE;
     SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx);
     safeContentsCtx->currentSafeBagA1Dcx = NULL;
     return;
 }
 /* notify function for decoding safeBags.  This function is
  * used to filter safeBag types which are not supported,
  * initiate the decoding of nested safe contents, and decode
  * safeBags in general.  this function is set when the decoder
  * context for the safeBag is first created.
  */
 static void
 sec_pkcs12_decoder_safe_bag_notify(void *arg, PRBool before,
 				   void *dest, int real_depth)
 {
     sec_PKCS12SafeContentsContext *safeContentsCtx =
         (sec_PKCS12SafeContentsContext *)arg;
     SEC_PKCS12DecoderContext *p12dcx;
     sec_PKCS12SafeBag *bag;
     PRBool after;
     /* if an error is encountered, return */
     if(!safeContentsCtx || !safeContentsCtx->p12dcx ||
 		safeContentsCtx->p12dcx->error) {
 	return;
     }
     p12dcx = safeContentsCtx->p12dcx;
     /* to make things more readable */
     if(before)
 	after = PR_FALSE;
     else
 	after = PR_TRUE;
     /* have we determined the safeBagType yet? */
     bag = safeContentsCtx->currentSafeBag;
     if(bag->bagTypeTag == NULL) {
 	if(after && (dest == &(bag->safeBagType))) {
 	    bag->bagTypeTag = SECOID_FindOID(&(bag->safeBagType));
 	    if(bag->bagTypeTag == NULL) {
 		p12dcx->error = PR_TRUE;
 		p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
 	    }
 	}
 	return;
     }
     /* process the safeBag depending on it's type.  those
      * which we do not support, are ignored.  we start a decoding
      * context for a nested safeContents.
      */
     switch(bag->bagTypeTag->offset) {
 	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
 	case SEC_OID_PKCS12_V1_CERT_BAG_ID:
 	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
 	    break;
 	case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
 	    /* if we are just starting to decode the safeContents, initialize
 	     * a new safeContentsCtx to process it.
 	     */
 	    if(before && (dest == &(bag->safeBagContent))) {
 		sec_pkcs12_decoder_begin_nested_safe_contents(safeContentsCtx);
 	    } else if(after && (dest == &(bag->safeBagContent))) {
 		/* clean up the nested decoding */
 		sec_pkcs12_decoder_finish_nested_safe_contents(safeContentsCtx);
 	    }
 	    break;
 	case SEC_OID_PKCS12_V1_CRL_BAG_ID:
 	case SEC_OID_PKCS12_V1_SECRET_BAG_ID:
 	default:
 	    /* skip any safe bag types we don't understand or handle */
 	    safeContentsCtx->skipCurrentSafeBag = PR_TRUE;
 	    break;
     }
     return;
 }
 /* notify function for decoding safe contents.  each entry in the
  * safe contents is a safeBag which needs to be allocated and
  * the decoding context initialized at the beginning and then
  * the context needs to be closed and finished at the end.
  *
  * this function is set when the safeContents decode context is
  * initialized.
  */
 static void
 sec_pkcs12_decoder_safe_contents_notify(void *arg, PRBool before,
 					void *dest, int real_depth)
 {
     sec_PKCS12SafeContentsContext *safeContentsCtx =
         (sec_PKCS12SafeContentsContext*)arg;
     SEC_PKCS12DecoderContext *p12dcx;
     SECStatus rv;
     /* if there is an error we don't want to continue processing,
      * just return and keep going.
      */
     if(!safeContentsCtx || !safeContentsCtx->p12dcx
 		|| safeContentsCtx->p12dcx->error) {
 	return;
     }
     p12dcx = safeContentsCtx->p12dcx;
     /* if we are done with the current safeBag, then we need to
      * finish the context and set the state variables appropriately.
      */
     if(!before) {
 	SEC_ASN1DecoderClearFilterProc(safeContentsCtx->safeContentsA1Dcx);
 	SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx);
 	safeContentsCtx->currentSafeBagA1Dcx = NULL;
 	safeContentsCtx->skipCurrentSafeBag = PR_FALSE;
     } else {
 	/* we are starting a new safe bag.  we need to allocate space
 	 * for the bag and initialize the decoding context.
 	 */
 	rv = sec_pkcs12_decoder_init_new_safe_bag(safeContentsCtx);
 	if(rv != SECSuccess) {
 	    goto loser;
 	}
 	/* set up the decoder context */
 	safeContentsCtx->currentSafeBagA1Dcx =
 		SEC_ASN1DecoderStart(p12dcx->arena,
 				     safeContentsCtx->currentSafeBag,
 				     sec_PKCS12SafeBagTemplate);
 	if(!safeContentsCtx->currentSafeBagA1Dcx) {
 	    p12dcx->errorValue = PORT_GetError();
 	    goto loser;
 	}
 	/* set the notify and filter procs so that the safe bag
 	 * data gets sent to the proper location when decoding.
 	 */
 	SEC_ASN1DecoderSetNotifyProc(safeContentsCtx->currentSafeBagA1Dcx,
 				 sec_pkcs12_decoder_safe_bag_notify,
 				 safeContentsCtx);
 	SEC_ASN1DecoderSetFilterProc(safeContentsCtx->safeContentsA1Dcx,
 				 sec_pkcs12_decoder_safe_bag_update,
 				 safeContentsCtx, PR_TRUE);
     }
     return;
 loser:
     /* in the event of an error, we want to close the decoding
      * context and clear the filter and notify procedures.
      */
     p12dcx->error = PR_TRUE;
     if(safeContentsCtx->currentSafeBagA1Dcx) {
 	SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx);
 	safeContentsCtx->currentSafeBagA1Dcx = NULL;
     }
     SEC_ASN1DecoderClearNotifyProc(safeContentsCtx->safeContentsA1Dcx);
     SEC_ASN1DecoderClearFilterProc(safeContentsCtx->safeContentsA1Dcx);
     return;
 }
 /* initialize the safeContents for decoding.  this routine
  * is used for authenticatedSafes as well as nested safeContents.
  */
 static sec_PKCS12SafeContentsContext *
 sec_pkcs12_decoder_safe_contents_init_decode(SEC_PKCS12DecoderContext *p12dcx,
 					     PRBool nestedSafe)
 {
     sec_PKCS12SafeContentsContext *safeContentsCtx = NULL;
     const SEC_ASN1Template *theTemplate;
     if(!p12dcx || p12dcx->error) {
 	return NULL;
     }
     /* allocate a new safeContents list or grow the existing list and
      * append the new safeContents onto the end.
      */
     p12dcx->safeContentsList = (!p12dcx->safeContentsCnt)
 	? PORT_ArenaZNewArray(p12dcx->arena, sec_PKCS12SafeContentsContext *, 2)
 	: PORT_ArenaGrowArray(p12dcx->arena, p12dcx->safeContentsList,
 			        sec_PKCS12SafeContentsContext *,
 + p12dcx->safeContentsCnt,
 + p12dcx->safeContentsCnt);
     if(!p12dcx->safeContentsList) {
 	p12dcx->errorValue = PORT_GetError();
 	goto loser;
     }
     p12dcx->safeContentsList[p12dcx->safeContentsCnt] = safeContentsCtx =
         PORT_ArenaZNew(p12dcx->arena, sec_PKCS12SafeContentsContext);
     if(!p12dcx->safeContentsList[p12dcx->safeContentsCnt]) {
 	p12dcx->errorValue = PORT_GetError();
 	goto loser;
     }
     p12dcx->safeContentsList[++p12dcx->safeContentsCnt] = NULL;
     /* set up the state variables */
     safeContentsCtx->p12dcx = p12dcx;
     safeContentsCtx->arena = p12dcx->arena;
     /* begin the decoding -- the template is based on whether we are
      * decoding a nested safeContents or not.
      */
     if(nestedSafe == PR_TRUE) {
 	theTemplate = sec_PKCS12NestedSafeContentsDecodeTemplate;
     } else {
 	theTemplate = sec_PKCS12SafeContentsDecodeTemplate;
     }
     /* start the decoder context */
     safeContentsCtx->safeContentsA1Dcx = SEC_ASN1DecoderStart(p12dcx->arena,
 					&safeContentsCtx->safeContents,
 					theTemplate);
     if(!safeContentsCtx->safeContentsA1Dcx) {
 	p12dcx->errorValue = PORT_GetError();
 	goto loser;
     }
     /* set the safeContents notify procedure to look for
      * and start the decode of safeBags.
      */
     SEC_ASN1DecoderSetNotifyProc(safeContentsCtx->safeContentsA1Dcx,
 				sec_pkcs12_decoder_safe_contents_notify,
 				safeContentsCtx);
     return safeContentsCtx;
 loser:
     /* in the case of an error, we want to finish the decoder
      * context and set the error flag.
      */
     if(safeContentsCtx && safeContentsCtx->safeContentsA1Dcx) {
 	SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsA1Dcx);
 	safeContentsCtx->safeContentsA1Dcx = NULL;
     }
     p12dcx->error = PR_TRUE;
     return NULL;
 }
 /* wrapper for updating safeContents.  this is set as the filter of
  * safeBag when there is a nested safeContents.
  */
 static void
 sec_pkcs12_decoder_nested_safe_contents_update(void *arg, const char *buf,
 					  unsigned long len, int depth,
 					  SEC_ASN1EncodingPart data_kind)
 {
     sec_PKCS12SafeContentsContext *safeContentsCtx =
         (sec_PKCS12SafeContentsContext *)arg;
     SEC_PKCS12DecoderContext *p12dcx;
     SECStatus rv;
     /* check for an error */
     if(!safeContentsCtx || !safeContentsCtx->p12dcx
 			|| safeContentsCtx->p12dcx->error
 			|| !safeContentsCtx->safeContentsA1Dcx) {
 	return;
     }
     /* no need to update if no data sent in */
     if(!len || !buf) {
 	return;
     }
     /* update the decoding context */
     p12dcx = safeContentsCtx->p12dcx;
     rv = SEC_ASN1DecoderUpdate(safeContentsCtx->safeContentsA1Dcx, buf, len);
     if(rv != SECSuccess) {
 	p12dcx->errorValue = PORT_GetError();
 	goto loser;
     }
     return;
 loser:
     /* handle any errors.  If a decoding context is open, close it. */
     p12dcx->error = PR_TRUE;
     if(safeContentsCtx->safeContentsA1Dcx) {
 	SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsA1Dcx);
 	safeContentsCtx->safeContentsA1Dcx = NULL;
     }
 }
 /* whenever a new safeContentsSafeBag is encountered, we need
  * to init a safeContentsContext.
  */
 static SECStatus
 sec_pkcs12_decoder_begin_nested_safe_contents(sec_PKCS12SafeContentsContext
 							*safeContentsCtx)
 {
     /* check for an error */
     if(!safeContentsCtx || !safeContentsCtx->p12dcx ||
 		safeContentsCtx->p12dcx->error) {
 	return SECFailure;
     }
     safeContentsCtx->nestedSafeContentsCtx =
     	sec_pkcs12_decoder_safe_contents_init_decode(safeContentsCtx->p12dcx,
 						     PR_TRUE);
     if(!safeContentsCtx->nestedSafeContentsCtx) {
 	return SECFailure;
     }
     /* set up new filter proc */
     SEC_ASN1DecoderSetNotifyProc(
                      safeContentsCtx->nestedSafeContentsCtx->safeContentsA1Dcx,
 				 sec_pkcs12_decoder_safe_contents_notify,
 				 safeContentsCtx->nestedSafeContentsCtx);
     SEC_ASN1DecoderSetFilterProc(safeContentsCtx->currentSafeBagA1Dcx,
 				 sec_pkcs12_decoder_nested_safe_contents_update,
 				 safeContentsCtx->nestedSafeContentsCtx,
 				 PR_TRUE);
     return SECSuccess;
 }
 /* when the safeContents is done decoding, we need to reset the
  * proper filter and notify procs and close the decoding context
  */
 static SECStatus
 sec_pkcs12_decoder_finish_nested_safe_contents(sec_PKCS12SafeContentsContext
 							*safeContentsCtx)
 {
     /* check for error */
     if(!safeContentsCtx || !safeContentsCtx->p12dcx ||
 		safeContentsCtx->p12dcx->error) {
 	return SECFailure;
     }
     /* clean up */
     SEC_ASN1DecoderClearFilterProc(safeContentsCtx->currentSafeBagA1Dcx);
     SEC_ASN1DecoderClearNotifyProc(
                     safeContentsCtx->nestedSafeContentsCtx->safeContentsA1Dcx);
     SEC_ASN1DecoderFinish(
                     safeContentsCtx->nestedSafeContentsCtx->safeContentsA1Dcx);
     safeContentsCtx->nestedSafeContentsCtx->safeContentsA1Dcx = NULL;
     safeContentsCtx->nestedSafeContentsCtx = NULL;
     return SECSuccess;
 }
 /* wrapper for updating safeContents.  This is used when decoding
  * the nested safeContents and any authenticatedSafes.
  */
 static void
 sec_pkcs12_decoder_safe_contents_callback(void *arg, const char *buf,
 					  unsigned long len)
 {
     SECStatus rv;
     sec_PKCS12SafeContentsContext *safeContentsCtx =
         (sec_PKCS12SafeContentsContext *)arg;
     SEC_PKCS12DecoderContext *p12dcx;
     /* check for error */
     if(!safeContentsCtx || !safeContentsCtx->p12dcx
 		|| safeContentsCtx->p12dcx->error
 		|| !safeContentsCtx->safeContentsA1Dcx) {
 	return;
     }
     p12dcx = safeContentsCtx->p12dcx;
     /* update the decoder */
     rv = SEC_ASN1DecoderUpdate(safeContentsCtx->safeContentsA1Dcx, buf, len);
     if(rv != SECSuccess) {
 	/* if we fail while trying to decode a 'safe', it's probably because
 	 * we didn't have the correct password. */
 	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
 	p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
 	SEC_PKCS7DecoderAbort(p12dcx->currentASafeP7Dcx,SEC_ERROR_BAD_PASSWORD);
 	goto loser;
     }
     return;
 loser:
     /* set the error and finish the context */
     p12dcx->error = PR_TRUE;
     if(safeContentsCtx->safeContentsA1Dcx) {
 	SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsA1Dcx);
 	safeContentsCtx->safeContentsA1Dcx = NULL;
     }
     return;
 }
 /* this is a wrapper for the ASN1 decoder to call SEC_PKCS7DecoderUpdate
  */
 static void
 sec_pkcs12_decoder_wrap_p7_update(void *arg, const char *data,
 				  unsigned long len, int depth,
 				  SEC_ASN1EncodingPart data_kind)
 {
     SEC_PKCS7DecoderContext *p7dcx = (SEC_PKCS7DecoderContext *)arg;
     SEC_PKCS7DecoderUpdate(p7dcx, data, len);
 }
 /* notify function for decoding aSafes.  at the beginning,
  * of an authenticatedSafe, we start a decode of a safeContents.
  * at the end, we clean up the safeContents decoder context and
  * reset state variables
  */
 static void
 sec_pkcs12_decoder_asafes_notify(void *arg, PRBool before, void *dest,
 			       int real_depth)
 {
     SEC_PKCS12DecoderContext *p12dcx;
     sec_PKCS12SafeContentsContext *safeContentsCtx;
     /* make sure no error occurred. */
     p12dcx = (SEC_PKCS12DecoderContext *)arg;
     if(!p12dcx || p12dcx->error) {
 	return;
     }
     if(before) {
 	/* init a new safeContentsContext */
 	safeContentsCtx = sec_pkcs12_decoder_safe_contents_init_decode(p12dcx,
 								PR_FALSE);
 	if(!safeContentsCtx) {
 	    goto loser;
 	}
 	/* initiate the PKCS7ContentInfo decode */
 	p12dcx->currentASafeP7Dcx = SEC_PKCS7DecoderStart(
 				sec_pkcs12_decoder_safe_contents_callback,
 				safeContentsCtx,
 				p12dcx->pwfn, p12dcx->pwfnarg,
 				sec_pkcs12_decoder_get_decrypt_key, p12dcx,
 				sec_pkcs12_decoder_decryption_allowed);
 	if(!p12dcx->currentASafeP7Dcx) {
 	    p12dcx->errorValue = PORT_GetError();
 	    goto loser;
 	}
 	SEC_ASN1DecoderSetFilterProc(p12dcx->aSafeA1Dcx,
 				     sec_pkcs12_decoder_wrap_p7_update,
 				     p12dcx->currentASafeP7Dcx, PR_TRUE);
     }
     if(!before) {
 	/* if one is being decoded, finish the decode */
 	if(p12dcx->currentASafeP7Dcx != NULL) {
 	    SEC_PKCS7ContentInfo * cinfo;
 	    unsigned int cnt = p12dcx->safeContentsCnt - 1;
 	    safeContentsCtx = p12dcx->safeContentsList[cnt];
 	    if (safeContentsCtx->safeContentsA1Dcx) {
 		SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsA1Dcx);
 		safeContentsCtx->safeContentsA1Dcx = NULL;
 	    }
 	    cinfo = SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx);
 	    p12dcx->currentASafeP7Dcx = NULL;
 	    if(!cinfo) {
 		p12dcx->errorValue = PORT_GetError();
 		goto loser;
 	    }
 	    SEC_PKCS7DestroyContentInfo(cinfo); /* don't leak it */
 	}
     }
     return;
 loser:
     /* set the error flag */
     p12dcx->error = PR_TRUE;
     return;
 }
 /* wrapper for updating asafes decoding context.  this function
  * writes data being decoded to disk, so that a mac can be computed
  * later.
  */
 static void
 sec_pkcs12_decoder_asafes_callback(void *arg, const char *buf,
 				  unsigned long len)
 {
     SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg;
     SECStatus rv;
     if(!p12dcx || p12dcx->error) {
 	return;
     }
     /* update the context */
     rv = SEC_ASN1DecoderUpdate(p12dcx->aSafeA1Dcx, buf, len);
     if(rv != SECSuccess) {
 	p12dcx->errorValue = PORT_GetError();
 	p12dcx->error = PR_TRUE;
 	goto loser;
     }
     /* if we are writing to a file, write out the new information */
     if(p12dcx->dWrite) {
 	unsigned long writeLen = (*p12dcx->dWrite)(p12dcx->dArg,
 						   (unsigned char *)buf, len);
 	if(writeLen != len) {
 	    p12dcx->errorValue = PORT_GetError();
 	    goto loser;
 	}
     }
     return;
 loser:
     /* set the error flag */
     p12dcx->error = PR_TRUE;
     SEC_ASN1DecoderFinish(p12dcx->aSafeA1Dcx);
     p12dcx->aSafeA1Dcx = NULL;
     return;
 }
 /* start the decode of an authenticatedSafe contentInfo.
  */
 static SECStatus
 sec_pkcs12_decode_start_asafes_cinfo(SEC_PKCS12DecoderContext *p12dcx)
 {
     if(!p12dcx || p12dcx->error) {
 	return SECFailure;
     }
     /* start the decode context */
     p12dcx->aSafeA1Dcx = SEC_ASN1DecoderStart(p12dcx->arena,
     					&p12dcx->authSafe,
     					sec_PKCS12AuthenticatedSafeTemplate);
     if(!p12dcx->aSafeA1Dcx) {
 	p12dcx->errorValue = PORT_GetError();
    	goto loser;
     }
     /* set the notify function */
     SEC_ASN1DecoderSetNotifyProc(p12dcx->aSafeA1Dcx,
     				 sec_pkcs12_decoder_asafes_notify, p12dcx);
     /* begin the authSafe decoder context */
     p12dcx->aSafeP7Dcx = SEC_PKCS7DecoderStart(
     				sec_pkcs12_decoder_asafes_callback, p12dcx,
     				p12dcx->pwfn, p12dcx->pwfnarg, NULL, NULL, NULL);
     if(!p12dcx->aSafeP7Dcx) {
 	p12dcx->errorValue = PORT_GetError();
 	goto loser;
     }
     /* open the temp file for writing, if the digest functions were set */
     if(p12dcx->dOpen && (*p12dcx->dOpen)(p12dcx->dArg, PR_FALSE)
 				!= SECSuccess) {
 	p12dcx->errorValue = PORT_GetError();
 	goto loser;
     }
     /* dOpen(dArg, PR_FALSE) creates the temp file */
     p12dcx->dIsOpen = PR_TRUE;
     return SECSuccess;
 loser:
     p12dcx->error = PR_TRUE;
     if(p12dcx->aSafeA1Dcx) {
 	SEC_ASN1DecoderFinish(p12dcx->aSafeA1Dcx);
 	p12dcx->aSafeA1Dcx = NULL;
     }
     if(p12dcx->aSafeP7Dcx) {
 	SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
 	p12dcx->aSafeP7Dcx = NULL;
     }
     return SECFailure;
 }
 /* wrapper for updating the safeContents.  this function is used as
  * a filter for the pfx when decoding the authenticated safes
  */
 static void
 sec_pkcs12_decode_asafes_cinfo_update(void *arg, const char *buf,
 				      unsigned long len, int depth,
 				      SEC_ASN1EncodingPart data_kind)
 {
     SEC_PKCS12DecoderContext *p12dcx;
     SECStatus rv;
     p12dcx = (SEC_PKCS12DecoderContext*)arg;
     if(!p12dcx || p12dcx->error) {
 	return;
     }
     /* update the safeContents decoder */
     rv = SEC_PKCS7DecoderUpdate(p12dcx->aSafeP7Dcx, buf, len);
     if(rv != SECSuccess) {
 	p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
 	goto loser;
     }
     return;
 loser:
     /* did we find an error?  if so, close the context and set the
      * error flag.
      */
     SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
     p12dcx->aSafeP7Dcx = NULL;
     p12dcx->error = PR_TRUE;
 }
 /* notify procedure used while decoding the pfx.  When we encounter
  * the authSafes, we want to trigger the decoding of authSafes as well
  * as when we encounter the macData, trigger the decoding of it.  we do
  * this because we we are streaming the decoder and not decoding in place.
  * the pfx which is the destination, only has the version decoded into it.
  */
 static void
 sec_pkcs12_decoder_pfx_notify_proc(void *arg, PRBool before, void *dest,
 				   int real_depth)
 {
     SECStatus rv;
     SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext*)arg;
     /* if an error occurs, clear the notifyProc and the filterProc
      * and continue.
      */
     if(p12dcx->error) {
 	SEC_ASN1DecoderClearNotifyProc(p12dcx->pfxA1Dcx);
 	SEC_ASN1DecoderClearFilterProc(p12dcx->pfxA1Dcx);
 	return;
     }
     if(before && (dest == &p12dcx->pfx.encodedAuthSafe)) {
 	/* we want to make sure this is a version we support */
 	if(!sec_pkcs12_proper_version(&p12dcx->pfx)) {
 	    p12dcx->errorValue = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION;
 	    goto loser;
 	}
 	/* start the decode of the aSafes cinfo... */
 	rv = sec_pkcs12_decode_start_asafes_cinfo(p12dcx);
 	if(rv != SECSuccess) {
 	    goto loser;
 	}
 	/* set the filter proc to update the authenticated safes. */
 	SEC_ASN1DecoderSetFilterProc(p12dcx->pfxA1Dcx,
 				     sec_pkcs12_decode_asafes_cinfo_update,
 				     p12dcx, PR_TRUE);
     }
     if(!before && (dest == &p12dcx->pfx.encodedAuthSafe)) {
 	/* we are done decoding the authenticatedSafes, so we need to
 	 * finish the decoderContext and clear the filter proc
 	 * and close the hmac callback, if present
 	 */
 	p12dcx->aSafeCinfo = SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
 	p12dcx->aSafeP7Dcx = NULL;
 	if(!p12dcx->aSafeCinfo) {
 	    p12dcx->errorValue = PORT_GetError();
 	    goto loser;
 	}
 	SEC_ASN1DecoderClearFilterProc(p12dcx->pfxA1Dcx);
 	if(p12dcx->dClose && ((*p12dcx->dClose)(p12dcx->dArg, PR_FALSE)
 				!= SECSuccess)) {
 	    p12dcx->errorValue = PORT_GetError();
 	    goto loser;
 	}
     }
     return;
 loser:
     p12dcx->error = PR_TRUE;
 }
 /*  default implementations of the open/close/read/write functions for
     SEC_PKCS12DecoderStart
 */
 #define DEFAULT_TEMP_SIZE 4096
 static SECStatus
 p12u_DigestOpen(void *arg, PRBool readData)
 {
     SEC_PKCS12DecoderContext* p12cxt = arg;
     p12cxt->currentpos = 0;
     if (PR_FALSE == readData) {
         /* allocate an initial buffer */
         p12cxt->filesize = 0;
         p12cxt->allocated = DEFAULT_TEMP_SIZE;
         p12cxt->buffer = PORT_Alloc(DEFAULT_TEMP_SIZE);
         PR_ASSERT(p12cxt->buffer);
     }
     else
     {
         PR_ASSERT(p12cxt->buffer);
         if (!p12cxt->buffer) {
             return SECFailure; /* no data to read */
         }
     }
     return SECSuccess;
 }
 static SECStatus
 p12u_DigestClose(void *arg, PRBool removeFile)
 {
     SEC_PKCS12DecoderContext* p12cxt = arg;
     PR_ASSERT(p12cxt);
     if (!p12cxt) {
         return SECFailure;
     }
     p12cxt->currentpos = 0;
     if (PR_TRUE == removeFile) {
         PR_ASSERT(p12cxt->buffer);
         if (!p12cxt->buffer) {
             return SECFailure;
         }
         if (p12cxt->buffer) {
             PORT_Free(p12cxt->buffer);
             p12cxt->buffer = NULL;
             p12cxt->allocated = 0;
             p12cxt->filesize = 0;
         }
     }
     return SECSuccess;
 }
 static int
 p12u_DigestRead(void *arg, unsigned char *buf, unsigned long len)
 {
     int toread = len;
     SEC_PKCS12DecoderContext* p12cxt = arg;
     if(!buf || len == 0 || !p12cxt->buffer) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return -1;
     }
     if ((p12cxt->filesize - p12cxt->currentpos) < (long)len) {
         /* trying to read past the end of the buffer */
         toread = p12cxt->filesize - p12cxt->currentpos;
     }
     memcpy(buf, (char*)p12cxt->buffer + p12cxt->currentpos, toread);
     p12cxt->currentpos += toread;
     return toread;
 }
 static int
 p12u_DigestWrite(void *arg, unsigned char *buf, unsigned long len)
 {
     SEC_PKCS12DecoderContext* p12cxt = arg;
     if(!buf || len == 0) {
         return -1;
     }
     if (p12cxt->currentpos+(long)len > p12cxt->filesize) {
         p12cxt->filesize = p12cxt->currentpos + len;
     }
     else {
         p12cxt->filesize += len;
     }
     if (p12cxt->filesize > p12cxt->allocated) {
         void* newbuffer;
         size_t newsize = p12cxt->filesize + DEFAULT_TEMP_SIZE;
         newbuffer  = PORT_Realloc(p12cxt->buffer, newsize);
         if (NULL == newbuffer) {
             return -1; /* can't extend the buffer */
         }
         p12cxt->buffer = newbuffer;
         p12cxt->allocated = newsize;
     }
     PR_ASSERT(p12cxt->buffer);
     memcpy((char*)p12cxt->buffer + p12cxt->currentpos, buf, len);
     p12cxt->currentpos += len;
     return len;
 }
 /* SEC_PKCS12DecoderStart
  *	Creates a decoder context for decoding a PKCS 12 PDU objct.
  *	This function sets up the initial decoding context for the
  *	PFX and sets the needed state variables.
  *
  *	pwitem - the password for the hMac and any encoded safes.
  *		 this should be changed to take a callback which retrieves
  *		 the password.  it may be possible for different safes to
  *		 have different passwords.  also, the password is already
  *		 in unicode.  it should probably be converted down below via
  *		 a unicode conversion callback.
  *	slot - the slot to import the dataa into should multiple slots
  *		 be supported based on key type and cert type?
  *	dOpen, dClose, dRead, dWrite - digest routines for writing data
  *		 to a file so it could be read back and the hmac recomputed
  *		 and verified.  doesn't seem to be a way for both encoding
  *		 and decoding to be single pass, thus the need for these
  *		 routines.
  *	dArg - the argument for dOpen, etc.
  *
  *      if NULL == dOpen == dClose == dRead == dWrite == dArg, then default
  *      implementations using a memory buffer are used
  *
  *	This function returns the decoder context, if it was successful.
  *	Otherwise, null is returned.
  */
 SEC_PKCS12DecoderContext *
 SEC_PKCS12DecoderStart(SECItem *pwitem, PK11SlotInfo *slot, void *wincx,
 		       digestOpenFn dOpen, digestCloseFn dClose,
 		       digestIOFn dRead, digestIOFn dWrite, void *dArg)
 {
     SEC_PKCS12DecoderContext *p12dcx;
     PLArenaPool *arena;
     arena = PORT_NewArena(2048); /* different size? */
     if(!arena) {
 	return NULL;	/* error is already set */
     }
     /* allocate the decoder context and set the state variables */
     p12dcx = PORT_ArenaZNew(arena, SEC_PKCS12DecoderContext);
     if(!p12dcx) {
 	goto loser;	/* error is already set */
     }
     if (!dOpen && !dClose && !dRead && !dWrite && !dArg) {
         /* use default implementations */
         dOpen = p12u_DigestOpen;
         dClose = p12u_DigestClose;
         dRead = p12u_DigestRead;
         dWrite = p12u_DigestWrite;
         dArg = (void*)p12dcx;
     }
     p12dcx->arena = arena;
     p12dcx->pwitem = pwitem;
     p12dcx->slot = (slot ? PK11_ReferenceSlot(slot)
 						: PK11_GetInternalKeySlot());
     p12dcx->wincx = wincx;
     p12dcx->tokenCAs = SECPKCS12TargetTokenNoCAs;
 #ifdef IS_LITTLE_ENDIAN
     p12dcx->swapUnicodeBytes = PR_TRUE;
 #else
     p12dcx->swapUnicodeBytes = PR_FALSE;
 #endif
     p12dcx->errorValue = 0;
     p12dcx->error = PR_FALSE;
     /* start the decoding of the PFX and set the notify proc
      * for the PFX item.
      */
     p12dcx->pfxA1Dcx = SEC_ASN1DecoderStart(p12dcx->arena, &p12dcx->pfx,
     					  sec_PKCS12PFXItemTemplate);
     if(!p12dcx->pfxA1Dcx) {
 	PK11_FreeSlot(p12dcx->slot);
 	goto loser;
     }
     SEC_ASN1DecoderSetNotifyProc(p12dcx->pfxA1Dcx,
 				 sec_pkcs12_decoder_pfx_notify_proc,
     				 p12dcx);
     /* set up digest functions */
     p12dcx->dOpen = dOpen;
     p12dcx->dWrite = dWrite;
     p12dcx->dClose = dClose;
     p12dcx->dRead = dRead;
     p12dcx->dArg = dArg;
     p12dcx->dIsOpen = PR_FALSE;
     p12dcx->keyList = NULL;
     p12dcx->decitem.type = 0;
     p12dcx->decitem.der = NULL;
     p12dcx->decitem.hasKey = PR_FALSE;
     p12dcx->decitem.friendlyName = NULL;
     p12dcx->iteration = 0;
     return p12dcx;
 loser:
     PORT_FreeArena(arena, PR_TRUE);
     return NULL;
 }
 SECStatus
 SEC_PKCS12DecoderSetTargetTokenCAs(SEC_PKCS12DecoderContext *p12dcx,
 		SECPKCS12TargetTokenCAs tokenCAs)
 {
     if (!p12dcx || p12dcx->error) {
 	return SECFailure;
     }
     p12dcx->tokenCAs = tokenCAs;
     return SECSuccess;
 }
 /* SEC_PKCS12DecoderUpdate
  *	Streaming update sending more data to the decoder.  If
  *	an error occurs, SECFailure is returned.
  *
  *	p12dcx - the decoder context
  *	data, len - the data buffer and length of data to send to
  *		the update functions.
  */
 SECStatus
 SEC_PKCS12DecoderUpdate(SEC_PKCS12DecoderContext *p12dcx,
 			unsigned char *data, unsigned long len)
 {
     SECStatus rv;
     if(!p12dcx || p12dcx->error) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     /* update the PFX decoder context */
     rv = SEC_ASN1DecoderUpdate(p12dcx->pfxA1Dcx, (const char *)data, len);
     if(rv != SECSuccess) {
 	p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
 	goto loser;
     }
     return SECSuccess;
 loser:
     p12dcx->error = PR_TRUE;
     return SECFailure;
 }
 /* This should be a nice sized buffer for reading in data (potentially large
 ** amounts) to be MACed.  It should be MUCH larger than HASH_LENGTH_MAX.
 */
 #define IN_BUF_LEN	1024
 #ifdef DEBUG
 static const char bufferEnd[] = { "BufferEnd" } ;
 #endif
 #define FUDGE 128 /* must be as large as bufferEnd or more. */
 /* verify the hmac by reading the data from the temporary file
  * using the routines specified when the decodingContext was
  * created and return SECSuccess if the hmac matches.
  */
 static SECStatus
 sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx)
 {
     PK11Context *     pk11cx = NULL;
     PK11SymKey *      symKey = NULL;
     SECItem *         params = NULL;
     unsigned char *   buf;
     SECStatus         rv     = SECFailure;
     SECStatus         lrv;
     unsigned int      bufLen;
     int               iteration;
     int               bytesRead;
     SECOidTag         algtag;
     SECItem           hmacRes;
     SECItem           ignore = {0};
     CK_MECHANISM_TYPE integrityMech;
     if(!p12dcx || p12dcx->error) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     buf = (unsigned char *)PORT_Alloc(IN_BUF_LEN + FUDGE);
     if (!buf)
     	return SECFailure;  /* error code has been set. */
 #ifdef DEBUG
     memcpy(buf + IN_BUF_LEN, bufferEnd, sizeof bufferEnd);
 #endif
     /* generate hmac key */
     if(p12dcx->macData.iter.data) {
 	iteration = (int)DER_GetInteger(&p12dcx->macData.iter);
     } else {
 	iteration = 1;
     }
     params = PK11_CreatePBEParams(&p12dcx->macData.macSalt, p12dcx->pwitem,
                                   iteration);
     algtag = SECOID_GetAlgorithmTag(&p12dcx->macData.safeMac.digestAlgorithm);
     switch (algtag) {
     case SEC_OID_SHA1:
 	integrityMech = CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN; break;
     case SEC_OID_MD5:
 	integrityMech = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN;  break;
     case SEC_OID_MD2:
 	integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN;  break;
     default:
 	goto loser;
     }
     symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL);
     PK11_DestroyPBEParams(params);
     params = NULL;
     if (!symKey) goto loser;
     /* init hmac */
     pk11cx = PK11_CreateContextBySymKey(sec_pkcs12_algtag_to_mech(algtag),
                                         CKA_SIGN, symKey, &ignore);
     if(!pk11cx) {
 	goto loser;
     }
     lrv = PK11_DigestBegin(pk11cx);
     if (lrv == SECFailure ) {
 	goto loser;
     }
     /* try to open the data for readback */
     if(p12dcx->dOpen && ((*p12dcx->dOpen)(p12dcx->dArg, PR_TRUE)
 			!= SECSuccess)) {
 	goto loser;
     }
     /* read the data back IN_BUF_LEN bytes at a time and recompute
      * the hmac.  if fewer bytes are read than are requested, it is
      * assumed that the end of file has been reached. if bytesRead
      * is returned as -1, then an error occurred reading from the
      * file.
      */
     do {
 	bytesRead = (*p12dcx->dRead)(p12dcx->dArg, buf, IN_BUF_LEN);
 	if (bytesRead < 0) {
 	    PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_READ);
 	    goto loser;
 	}
 	PORT_Assert(bytesRead <= IN_BUF_LEN);
 	PORT_Assert(!memcmp(buf + IN_BUF_LEN, bufferEnd, sizeof bufferEnd));
 	if (bytesRead > IN_BUF_LEN) {
 	    /* dRead callback overflowed buffer. */
 	    PORT_SetError(SEC_ERROR_INPUT_LEN);
 	    goto loser;
 	}
 	if (bytesRead) {
 	    lrv = PK11_DigestOp(pk11cx, buf, bytesRead);
 	    if (lrv == SECFailure) {
 		goto loser;
 	    }
     	}
     } while (bytesRead == IN_BUF_LEN);
     /* finish the hmac context */
     lrv = PK11_DigestFinal(pk11cx, buf, &bufLen, IN_BUF_LEN);
     if (lrv == SECFailure ) {
 	goto loser;
     }
     hmacRes.data = buf;
     hmacRes.len = bufLen;
     /* is the hmac computed the same as the hmac which was decoded? */
     rv = SECSuccess;
     if(SECITEM_CompareItem(&hmacRes, &p12dcx->macData.safeMac.digest)
 			!= SECEqual) {
 	PORT_SetError(SEC_ERROR_PKCS12_INVALID_MAC);
 	rv = SECFailure;
     }
 loser:
     /* close the file and remove it */
     if(p12dcx->dClose) {
 	(*p12dcx->dClose)(p12dcx->dArg, PR_TRUE);
 	p12dcx->dIsOpen = PR_FALSE;
     }
     if(pk11cx) {
 	PK11_DestroyContext(pk11cx, PR_TRUE);
     }
     if (params) {
 	PK11_DestroyPBEParams(params);
     }
     if (symKey) {
 	PK11_FreeSymKey(symKey);
     }
     PORT_ZFree(buf, IN_BUF_LEN + FUDGE);
     return rv;
 }
 /* SEC_PKCS12DecoderVerify
  * 	Verify the macData or the signature of the decoded PKCS 12 PDU.
  *	If the signature or the macData do not match, SECFailure is
  *	returned.
  *
  * 	p12dcx - the decoder context
  */
 SECStatus
 SEC_PKCS12DecoderVerify(SEC_PKCS12DecoderContext *p12dcx)
 {
     SECStatus rv = SECSuccess;
     /* make sure that no errors have occurred... */
     if(!p12dcx) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     if(p12dcx->error) {
 	/* error code is already set! PORT_SetError(p12dcx->errorValue); */
 	return SECFailure;
     }
     rv = SEC_ASN1DecoderFinish(p12dcx->pfxA1Dcx);
     p12dcx->pfxA1Dcx = NULL;
     if(rv != SECSuccess) {
 	return rv;
     }
     /* check the signature or the mac depending on the type of
      * integrity used.
      */
     if(p12dcx->pfx.encodedMacData.len) {
 	rv = SEC_ASN1DecodeItem(p12dcx->arena, &p12dcx->macData,
 				sec_PKCS12MacDataTemplate,
 				&p12dcx->pfx.encodedMacData);
 	if(rv == SECSuccess) {
 	    return sec_pkcs12_decoder_verify_mac(p12dcx);
 	}
 	return rv;
     }
     if (SEC_PKCS7VerifySignature(p12dcx->aSafeCinfo, certUsageEmailSigner,
                                  PR_FALSE)) {
 	return SECSuccess;
     }
     PORT_SetError(SEC_ERROR_PKCS12_INVALID_MAC);
     return SECFailure;
 }
 /* SEC_PKCS12DecoderFinish
  *	Free any open ASN1 or PKCS7 decoder contexts and then
  *	free the arena pool which everything should be allocated
  *	from.  This function should be called upon completion of
  *	decoding and installing of a pfx pdu.  This should be
  *	called even if an error occurs.
  *
  *	p12dcx - the decoder context
  */
 void
 SEC_PKCS12DecoderFinish(SEC_PKCS12DecoderContext *p12dcx)
 {
     unsigned int i;
     if(!p12dcx) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return;
     }
     if(p12dcx->pfxA1Dcx) {
 	SEC_ASN1DecoderFinish(p12dcx->pfxA1Dcx);
 	p12dcx->pfxA1Dcx = NULL;
     }
     if(p12dcx->aSafeA1Dcx) {
 	SEC_ASN1DecoderFinish(p12dcx->aSafeA1Dcx);
 	p12dcx->aSafeA1Dcx = NULL;
     }
     /* cleanup any old ASN1 decoder contexts */
     for (i = 0; i < p12dcx->safeContentsCnt; ++i) {
 	sec_PKCS12SafeContentsContext *safeContentsCtx, *nested;
 	safeContentsCtx = p12dcx->safeContentsList[i];
 	if (safeContentsCtx) {
 	    nested = safeContentsCtx->nestedSafeContentsCtx;
 	    while (nested) {
 		if (nested->safeContentsA1Dcx) {
 		    SEC_ASN1DecoderFinish(nested->safeContentsA1Dcx);
 		    nested->safeContentsA1Dcx = NULL;
 		}
 		nested = nested->nestedSafeContentsCtx;
 	    }
 	    if (safeContentsCtx->safeContentsA1Dcx) {
 		SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsA1Dcx);
 		safeContentsCtx->safeContentsA1Dcx = NULL;
 	    }
 	}
     }
     if (p12dcx->currentASafeP7Dcx &&
 	p12dcx->currentASafeP7Dcx != p12dcx->aSafeP7Dcx) {
 	SEC_PKCS7ContentInfo * cinfo;
 	cinfo = SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx);
 	if (cinfo) {
 	    SEC_PKCS7DestroyContentInfo(cinfo); /* don't leak it */
 	}
     }
     p12dcx->currentASafeP7Dcx = NULL;
     if(p12dcx->aSafeP7Dcx) {
 	SEC_PKCS7ContentInfo * cinfo;
 	cinfo = SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
 	if (cinfo) {
 	    SEC_PKCS7DestroyContentInfo(cinfo);
 	}
 	p12dcx->aSafeP7Dcx = NULL;
     }
     if(p12dcx->aSafeCinfo) {
 	SEC_PKCS7DestroyContentInfo(p12dcx->aSafeCinfo);
 	p12dcx->aSafeCinfo = NULL;
     }
     if (p12dcx->decitem.type != 0 && p12dcx->decitem.der != NULL) {
         SECITEM_FreeItem(p12dcx->decitem.der, PR_TRUE);
     }
     if (p12dcx->decitem.friendlyName != NULL) {
         SECITEM_FreeItem(p12dcx->decitem.friendlyName, PR_TRUE);
     }
     if(p12dcx->slot) {
 	PK11_FreeSlot(p12dcx->slot);
 	p12dcx->slot = NULL;
     }
     if(p12dcx->dIsOpen && p12dcx->dClose) {
 	(*p12dcx->dClose)(p12dcx->dArg, PR_TRUE);
 	p12dcx->dIsOpen = PR_FALSE;
     }
     if(p12dcx->arena) {
 	PORT_FreeArena(p12dcx->arena, PR_TRUE);
     }
 }
 static SECStatus
 sec_pkcs12_decoder_set_attribute_value(sec_PKCS12SafeBag *bag,
 			       SECOidTag attributeType,
 			       SECItem *attrValue)
 {
     int i = 0;
     SECOidData *oid;
     if(!bag || !attrValue) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     oid = SECOID_FindOIDByTag(attributeType);
     if(!oid) {
 	return SECFailure;
     }
     if(!bag->attribs) {
 	bag->attribs =
 		PORT_ArenaZNewArray(bag->arena, sec_PKCS12Attribute *, 2);
     } else {
 	while(bag->attribs[i])
 	    i++;
 	bag->attribs = PORT_ArenaGrowArray(bag->arena, bag->attribs,
 				           sec_PKCS12Attribute *, i + 1, i + 2);
     }
     if(!bag->attribs) {
 	return SECFailure;
     }
     bag->attribs[i] = PORT_ArenaZNew(bag->arena, sec_PKCS12Attribute);
     if(!bag->attribs) {
 	return SECFailure;
     }
     bag->attribs[i]->attrValue = PORT_ArenaZNewArray(bag->arena, SECItem *, 2);
     if(!bag->attribs[i]->attrValue) {
 	return SECFailure;
     }
     bag->attribs[i+1] = NULL;
     bag->attribs[i]->attrValue[0] = attrValue;
     bag->attribs[i]->attrValue[1] = NULL;
     return SECITEM_CopyItem(bag->arena, &bag->attribs[i]->attrType, &oid->oid);
 }
 static SECItem *
 sec_pkcs12_get_attribute_value(sec_PKCS12SafeBag *bag,
 			       SECOidTag attributeType)
 {
     int i;
     if(!bag->attribs) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     for (i = 0; bag->attribs[i] != NULL; i++) {
 	if (SECOID_FindOIDTag(&bag->attribs[i]->attrType) == attributeType) {
 	    return bag->attribs[i]->attrValue[0];
 	}
     }
     return NULL;
 }
 /* For now, this function will merely remove any ":"
  * in the nickname which the PK11 functions may have
  * placed there.  This will keep dual certs from appearing
  * twice under "Your" certificates when imported onto smart
  * cards.  Once with the name "Slot:Cert" and another with
  * the nickname "Slot:Slot:Cert"
  */
 static void
 sec_pkcs12_sanitize_nickname(PK11SlotInfo *slot, SECItem *nick)
 {
     char *nickname;
     char *delimit;
     int delimitlen;
     nickname = (char*)nick->data;
     if ((delimit = PORT_Strchr(nickname, ':')) != NULL) {
         char *slotName;
 	int slotNameLen;
 	slotNameLen = delimit-nickname;
 	slotName = PORT_NewArray(char, (slotNameLen+1));
 	PORT_Assert(slotName);
 	if (slotName == NULL) {
 	  /* What else can we do?*/
 	  return;
 	}
 	PORT_Memcpy(slotName, nickname, slotNameLen);
 	slotName[slotNameLen] = '\0';
 	if (PORT_Strcmp(PK11_GetTokenName(slot), slotName) == 0) {
 	  delimitlen = PORT_Strlen(delimit+1);
 	  PORT_Memmove(nickname, delimit+1, delimitlen+1);
 	  nick->len = delimitlen;
 	}
 	PORT_Free(slotName);
     }
 }
 static SECItem *
 sec_pkcs12_get_nickname(sec_PKCS12SafeBag *bag)
 {
     SECItem *src, *dest;
     if(!bag) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     src = sec_pkcs12_get_attribute_value(bag, SEC_OID_PKCS9_FRIENDLY_NAME);
     /* The return value src is 16-bit Unicode characters, in big-endian format.
      * Check if it is NULL or empty name.
      */
     if(!src || !src->data || src->len < 2 || (!src->data[0] && !src->data[1])) {
 	return NULL;
     }
     dest = (SECItem*)PORT_ZAlloc(sizeof(SECItem));
     if(!dest) {
 	goto loser;
     }
     if(!sec_pkcs12_convert_item_to_unicode(NULL, dest, src, PR_FALSE,
 				PR_FALSE, PR_FALSE)) {
 	goto loser;
     }
     sec_pkcs12_sanitize_nickname(bag->slot, dest);
     return dest;
 loser:
     if(dest) {
 	SECITEM_ZfreeItem(dest, PR_TRUE);
     }
     bag->problem = PR_TRUE;
     bag->error = PORT_GetError();
     return NULL;
 }
 static SECStatus
 sec_pkcs12_set_nickname(sec_PKCS12SafeBag *bag, SECItem *name)
 {
     sec_PKCS12Attribute *attr = NULL;
     SECOidData *oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_FRIENDLY_NAME);
     if(!bag || !bag->arena || !name) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     if(!bag->attribs) {
 	if(!oid) {
 	    goto loser;
 	}
 	bag->attribs =
 	    PORT_ArenaZNewArray(bag->arena, sec_PKCS12Attribute *, 2);
 	if(!bag->attribs) {
 	    goto loser;
 	}
 	bag->attribs[0] = PORT_ArenaZNew(bag->arena, sec_PKCS12Attribute);
 	if(!bag->attribs[0]) {
 	    goto loser;
 	}
 	bag->attribs[1] = NULL;
 	attr = bag->attribs[0];
 	if(SECITEM_CopyItem(bag->arena, &attr->attrType, &oid->oid)
 			!= SECSuccess) {
 	    goto loser;
 	}
     } else {
 	int i;
 	for (i = 0; bag->attribs[i]; i++) {
 	    if(SECOID_FindOIDTag(&bag->attribs[i]->attrType)
 			== SEC_OID_PKCS9_FRIENDLY_NAME) {
 		attr = bag->attribs[i];
 		break;
 	    }
 	}
 	if(!attr) {
 	    if(!oid) {
 		goto loser;
 	    }
 	    bag->attribs = PORT_ArenaGrowArray(bag->arena, bag->attribs,
 					       sec_PKCS12Attribute *, i+1, i+2);
 	    if(!bag->attribs) {
 		goto loser;
 	    }
 	    bag->attribs[i] = PORT_ArenaZNew(bag->arena, sec_PKCS12Attribute);
 	    if(!bag->attribs[i]) {
 		goto loser;
 	    }
 	    bag->attribs[i+1] = NULL;
 	    attr = bag->attribs[i];
 	    if(SECITEM_CopyItem(bag->arena, &attr->attrType, &oid->oid)
 				!= SECSuccess) {
 		goto loser;
 	    }
 	}
     }
     PORT_Assert(attr);
     if(!attr->attrValue) {
 	attr->attrValue = PORT_ArenaZNewArray(bag->arena, SECItem *, 2);
 	if(!attr->attrValue) {
 	    goto loser;
 	}
 	attr->attrValue[0] = PORT_ArenaZNew(bag->arena, SECItem);
 	if(!attr->attrValue[0]) {
 	    goto loser;
 	}
 	attr->attrValue[1] = NULL;
     }
     name->len = PORT_Strlen((char *)name->data);
     if(!sec_pkcs12_convert_item_to_unicode(bag->arena, attr->attrValue[0],
 				name, PR_FALSE, PR_FALSE, PR_TRUE)) {
 	goto loser;
     }
     return SECSuccess;
 loser:
     bag->problem = PR_TRUE;
     bag->error = PORT_GetError();
     return SECFailure;
 }
 static SECStatus
 sec_pkcs12_get_key_info(sec_PKCS12SafeBag *key)
 {
     int i = 0;
     SECKEYPrivateKeyInfo *pki = NULL;
     if(!key) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     /* if the bag does *not* contain an unencrypted PrivateKeyInfo
      * then we cannot convert the attributes.  We are propagating
      * attributes within the PrivateKeyInfo to the SafeBag level.
      */
     if(SECOID_FindOIDTag(&(key->safeBagType)) !=
 			SEC_OID_PKCS12_V1_KEY_BAG_ID) {
 	return SECSuccess;
     }
     pki = key->safeBagContent.pkcs8KeyBag;
     if(!pki || !pki->attributes) {
 	return SECSuccess;
     }
     while(pki->attributes[i]) {
 	SECOidTag tag = SECOID_FindOIDTag(&pki->attributes[i]->attrType);
 	if (tag == SEC_OID_PKCS9_LOCAL_KEY_ID ||
 	    tag == SEC_OID_PKCS9_FRIENDLY_NAME) {
 	    SECItem *attrValue = sec_pkcs12_get_attribute_value(key, tag);
 	    if(!attrValue) {
 		if(sec_pkcs12_decoder_set_attribute_value(key, tag,
 					pki->attributes[i]->attrValue[0])
 					!= SECSuccess) {
 		    key->problem = PR_TRUE;
 		    key->error = PORT_GetError();
 		    return SECFailure;
 		}
 	    }
 	}
 	i++;
     }
     return SECSuccess;
 }
 /* retrieve the nickname for the certificate bag.  first look
  * in the cert bag, otherwise get it from the key.
  */
 static SECItem *
 sec_pkcs12_get_nickname_for_cert(sec_PKCS12SafeBag *cert,
 				 sec_PKCS12SafeBag *key)
 {
     SECItem *nickname;
     if(!cert) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     nickname = sec_pkcs12_get_nickname(cert);
     if(nickname) {
 	return nickname;
     }
     if(key) {
 	nickname = sec_pkcs12_get_nickname(key);
         if(nickname && sec_pkcs12_set_nickname(cert, nickname)
 			!= SECSuccess) {
 	    SECITEM_ZfreeItem(nickname, PR_TRUE);
 	    return NULL;
 	}
     }
     return nickname;
 }
 /* set the nickname for the certificate */
 static SECStatus
 sec_pkcs12_set_nickname_for_cert(sec_PKCS12SafeBag *cert,
 				 sec_PKCS12SafeBag *key,
 				 SECItem *nickname)
 {
     if(!nickname || !cert) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     if(sec_pkcs12_set_nickname(cert, nickname) != SECSuccess) {
 	return SECFailure;
     }
     if(key) {
 	if(sec_pkcs12_set_nickname(key, nickname) != SECSuccess) {
 	    cert->problem = PR_TRUE;
 	    cert->error   = key->error;
 	    return SECFailure;
 	}
     }
     return SECSuccess;
 }
 /* retrieve the DER cert from the cert bag */
 static SECItem *
 sec_pkcs12_get_der_cert(sec_PKCS12SafeBag *cert)
 {
     if(!cert) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     if(SECOID_FindOIDTag(&cert->safeBagType) != SEC_OID_PKCS12_V1_CERT_BAG_ID) {
 	return NULL;
     }
     /* only support X509 certs not SDSI */
     if(SECOID_FindOIDTag(&cert->safeBagContent.certBag->bagID)
 			!= SEC_OID_PKCS9_X509_CERT) {
 	return NULL;
     }
     return SECITEM_DupItem(&(cert->safeBagContent.certBag->value.x509Cert));
 }
 struct certNickInfo {
     PLArenaPool *arena;
     unsigned int nNicks;
     SECItem **nickList;
     unsigned int error;
 };
 /* callback for traversing certificates to gather the nicknames
  * used in a particular traversal.  for instance, when using
  * CERT_TraversePermCertsForSubject, gather the nicknames and
  * store them in the certNickInfo for a particular DN.
  *
  * this handles the case where multiple nicknames are allowed
  * for the same dn, which is not currently allowed, but may be
  * in the future.
  */
 static SECStatus
 gatherNicknames(CERTCertificate *cert, void *arg)
 {
     struct certNickInfo *nickArg = (struct certNickInfo *)arg;
     SECItem tempNick;
     unsigned int i;
     if(!cert || !nickArg || nickArg->error) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     if(!cert->nickname) {
 	return SECSuccess;
     }
     tempNick.data = (unsigned char *)cert->nickname;
     tempNick.len = PORT_Strlen(cert->nickname) + 1;
     /* do we already have the nickname in the list? */
     if(nickArg->nNicks > 0) {
 	/* nicknames have been encountered, but there is no list -- bad */
 	if(!nickArg->nickList) {
 	    nickArg->error = SEC_ERROR_INVALID_ARGS;
 	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	    return SECFailure;
 	}
 	for(i = 0; i < nickArg->nNicks; i++) {
 	    if(SECITEM_CompareItem(nickArg->nickList[i], &tempNick)
 				== SECEqual) {
 		return SECSuccess;
 	    }
 	}
     }
     /* add the nickname to the list */
     nickArg->nickList = (nickArg->nNicks == 0)
 	? PORT_ArenaZNewArray(nickArg->arena, SECItem *, 2)
 	: PORT_ArenaGrowArray(nickArg->arena, nickArg->nickList, SECItem *,
 	                      nickArg->nNicks + 1, nickArg->nNicks + 2);
     if(!nickArg->nickList) {
 	nickArg->error = SEC_ERROR_NO_MEMORY;
 	return SECFailure;
     }
     nickArg->nickList[nickArg->nNicks] =
 				    PORT_ArenaZNew(nickArg->arena, SECItem);
     if(!nickArg->nickList[nickArg->nNicks]) {
 	nickArg->error = PORT_GetError();
 	return SECFailure;
     }
     if(SECITEM_CopyItem(nickArg->arena, nickArg->nickList[nickArg->nNicks],
 			&tempNick) != SECSuccess) {
 	nickArg->error = PORT_GetError();
 	return SECFailure;
     }
     nickArg->nNicks++;
     return SECSuccess;
 }
 /* traverses the certs in the data base or in the token for the
  * DN to see if any certs currently have a nickname set.
  * If so, return it.
  */
 static SECItem *
 sec_pkcs12_get_existing_nick_for_dn(sec_PKCS12SafeBag *cert)
 {
     struct certNickInfo *nickArg = NULL;
     SECItem *derCert, *returnDn = NULL;
     PLArenaPool *arena = NULL;
     CERTCertificate *tempCert;
     if(!cert) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     derCert = sec_pkcs12_get_der_cert(cert);
     if(!derCert) {
 	return NULL;
     }
     tempCert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
     if(!tempCert) {
 	returnDn = NULL;
 	goto loser;
     }
     arena = PORT_NewArena(1024);
     if(!arena) {
 	returnDn = NULL;
 	goto loser;
     }
     nickArg = PORT_ArenaZNew(arena, struct certNickInfo);
     if(!nickArg) {
 	returnDn = NULL;
 	goto loser;
     }
     nickArg->error = 0;
     nickArg->nNicks = 0;
     nickArg->nickList = NULL;
     nickArg->arena = arena;
     /* if the token is local, first traverse the cert database
      * then traverse the token.
      */
     if(PK11_TraverseCertsForSubjectInSlot(tempCert, cert->slot, gatherNicknames,
 			(void *)nickArg) != SECSuccess) {
 	returnDn = NULL;
 	goto loser;
     }
     if(nickArg->error) {
 	/* XXX do we want to set the error? */
 	returnDn = NULL;
 	goto loser;
     }
     if(nickArg->nNicks == 0) {
 	returnDn = NULL;
 	goto loser;
     }
     /* set it to the first name, for now.  handle multiple names? */
     returnDn = SECITEM_DupItem(nickArg->nickList[0]);
 loser:
     if(arena) {
 	PORT_FreeArena(arena, PR_TRUE);
     }
     if(tempCert) {
 	CERT_DestroyCertificate(tempCert);
     }
     if(derCert) {
 	SECITEM_FreeItem(derCert, PR_TRUE);
     }
     return (returnDn);
 }
 /* counts certificates found for a given traversal function */
 static SECStatus
 countCertificate(CERTCertificate *cert, void *arg)
 {
     unsigned int *nCerts = (unsigned int *)arg;
     if(!cert || !arg) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     (*nCerts)++;
     return SECSuccess;
 }
 static PRBool
 sec_pkcs12_certs_for_nickname_exist(SECItem *nickname, PK11SlotInfo *slot)
 {
     unsigned int nCerts = 0;
     if(!nickname || !slot) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return PR_TRUE;
     }
     /* we want to check the local database first if we are importing to it */
     PK11_TraverseCertsForNicknameInSlot(nickname, slot, countCertificate,
 					(void *)&nCerts);
     return (PRBool)(nCerts != 0);
 }
 /* validate cert nickname such that there is a one-to-one relation
  * between nicknames and dn's.  we want to enforce the case that the
  * nickname is non-NULL and that there is only one nickname per DN.
  *
  * if there is a problem with a nickname or the nickname is not present,
  * the user will be prompted for it.
  */
 static void
 sec_pkcs12_validate_cert_nickname(sec_PKCS12SafeBag *cert,
 				sec_PKCS12SafeBag *key,
 				SEC_PKCS12NicknameCollisionCallback nicknameCb,
 				CERTCertificate *leafCert)
 {
     SECItem *certNickname, *existingDNNick;
     PRBool setNickname = PR_FALSE, cancel = PR_FALSE;
     SECItem *newNickname = NULL;
     if(!cert || !cert->hasKey) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return;
     }
     if(!nicknameCb) {
 	cert->problem = PR_TRUE;
 	cert->error = SEC_ERROR_INVALID_ARGS;
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return;
     }
     if(cert->hasKey && !key) {
 	cert->problem = PR_TRUE;
 	cert->error = SEC_ERROR_INVALID_ARGS;
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return;
     }
     certNickname = sec_pkcs12_get_nickname_for_cert(cert, key);
     existingDNNick = sec_pkcs12_get_existing_nick_for_dn(cert);
     /* nickname is already used w/ this dn, so it is safe to return */
     if(certNickname && existingDNNick &&
 		SECITEM_CompareItem(certNickname, existingDNNick) == SECEqual) {
 	goto loser;
     }
     /* nickname not set in pkcs 12 bags, but a nick is already used for
      * this dn.  set the nicks in the p12 bags and finish.
      */
     if(existingDNNick) {
 	sec_pkcs12_set_nickname_for_cert(cert, key, existingDNNick);
 	goto loser;
     }
     /* at this point, we have a certificate for which the DN is not located
      * on the token.  the nickname specified may or may not be NULL.  if it
      * is not null, we need to make sure that there are no other certificates
      * with this nickname in the token for it to be valid.  this imposes a
      * one to one relationship between DN and nickname.
      *
      * if the nickname is null, we need the user to enter a nickname for
      * the certificate.
      *
      * once we have a nickname, we make sure that the nickname is unique
      * for the DN.  if it is not, the user is reprompted to enter a new
      * nickname.
      *
      * in order to exit this loop, the nickname entered is either unique
      * or the user hits cancel and the certificate is not imported.
      */
     setNickname = PR_FALSE;
     while(1) {
 	/* we will use the nickname so long as no other certs have the
 	 * same nickname.  and the nickname is not NULL.
 	 */
 	if (certNickname && certNickname->data &&
 	    !sec_pkcs12_certs_for_nickname_exist(certNickname, cert->slot)) {
 	    if (setNickname) {
 		sec_pkcs12_set_nickname_for_cert(cert, key, certNickname);
 	    }
 	    break;
 	}
 	setNickname = PR_FALSE;
 	newNickname = (*nicknameCb)(certNickname, &cancel, leafCert);
 	if(cancel) {
 	    cert->problem = PR_TRUE;
 	    cert->error = SEC_ERROR_USER_CANCELLED;
 	    break;
 	}
 	if(!newNickname) {
 	    cert->problem = PR_TRUE;
 	    cert->error = PORT_GetError();
 	    break;
 	}
 	/* at this point we have a new nickname, if we have an existing
 	 * certNickname, we need to free it and assign the new nickname
 	 * to it to avoid a memory leak.  happy?
 	 */
 	if(certNickname) {
 	    SECITEM_ZfreeItem(certNickname, PR_TRUE);
 	    certNickname = NULL;
 	}
 	certNickname = newNickname;
 	setNickname = PR_TRUE;
 	/* go back and recheck the new nickname */
     }
 loser:
     if(certNickname) {
 	SECITEM_ZfreeItem(certNickname, PR_TRUE);
     }
     if(existingDNNick) {
 	SECITEM_ZfreeItem(existingDNNick, PR_TRUE);
     }
 }
 static void
 sec_pkcs12_validate_cert(sec_PKCS12SafeBag *cert,
 			 sec_PKCS12SafeBag *key,
 			 SEC_PKCS12NicknameCollisionCallback nicknameCb)
 {
     CERTCertificate *leafCert;
     if(!cert) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return;
     }
     cert->validated = PR_TRUE;
     if(!nicknameCb) {
 	cert->noInstall = PR_TRUE;
 	cert->problem = PR_TRUE;
 	cert->error   = SEC_ERROR_INVALID_ARGS;
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return;
     }
     if(!cert->safeBagContent.certBag) {
 	cert->noInstall = PR_TRUE;
 	cert->problem = PR_TRUE;
 	cert->error = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
 	return;
     }
     cert->noInstall = PR_FALSE;
     cert->unused = PR_FALSE;
     cert->problem = PR_FALSE;
     cert->error = 0;
     leafCert = CERT_DecodeDERCertificate(
 	 &cert->safeBagContent.certBag->value.x509Cert, PR_FALSE, NULL);
     if(!leafCert) {
 	cert->noInstall = PR_TRUE;
 	cert->problem = PR_TRUE;
 	cert->error = PORT_GetError();
 	return;
     }
     sec_pkcs12_validate_cert_nickname(cert, key, nicknameCb, leafCert);
     CERT_DestroyCertificate(leafCert);
 }
 static void
 sec_pkcs12_validate_key_by_cert(sec_PKCS12SafeBag *cert, sec_PKCS12SafeBag *key,
 				void *wincx)
 {
     CERTCertificate *leafCert;
     SECKEYPrivateKey *privk;
     if(!key) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return;
     }
     key->validated = PR_TRUE;
     if(!cert) {
 	key->problem = PR_TRUE;
 	key->noInstall = PR_TRUE;
 	key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
 	return;
     }
     leafCert = CERT_DecodeDERCertificate(
 	&(cert->safeBagContent.certBag->value.x509Cert), PR_FALSE, NULL);
     if(!leafCert) {
 	key->problem = PR_TRUE;
 	key->noInstall = PR_TRUE;
 	key->error = PORT_GetError();
 	return;
     }
     privk = PK11_FindPrivateKeyFromCert(key->slot, leafCert, wincx);
     if(!privk) {
 	privk = PK11_FindKeyByDERCert(key->slot, leafCert, wincx);
     }
     if(privk) {
 	SECKEY_DestroyPrivateKey(privk);
 	key->noInstall = PR_TRUE;
     }
     CERT_DestroyCertificate(leafCert);
 }
 static SECStatus
 sec_pkcs12_add_cert(sec_PKCS12SafeBag *cert, PRBool keyExists, void *wincx)
 {
     SECItem *derCert, *nickName;
     char *nickData = NULL;
     PRBool isIntermediateCA;
     SECStatus rv;
     if(!cert) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     if(cert->problem || cert->noInstall || cert->installed) {
 	return SECSuccess;
     }
     derCert = &cert->safeBagContent.certBag->value.x509Cert;
     PORT_Assert(!cert->problem && !cert->noInstall);
     nickName = sec_pkcs12_get_nickname(cert);
     if(nickName) {
 	nickData = (char *)nickName->data;
     }
     isIntermediateCA = CERT_IsCADERCert(derCert, NULL) &&
 						!CERT_IsRootDERCert(derCert);
     if(keyExists) {
 	CERTCertificate *newCert;
 	newCert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
 	                                  derCert, NULL, PR_FALSE, PR_FALSE);
 	if(!newCert) {
 	     if(nickName) SECITEM_ZfreeItem(nickName, PR_TRUE);
 	     cert->error = PORT_GetError();
 	     cert->problem = PR_TRUE;
 	     return SECFailure;
 	}
 	rv = PK11_ImportCertForKeyToSlot(cert->slot, newCert, nickData,
 					 PR_TRUE, wincx);
 	CERT_DestroyCertificate(newCert);
     } else if ((cert->tokenCAs == SECPKCS12TargetTokenNoCAs) ||
      ((cert->tokenCAs == SECPKCS12TargetTokenIntermediateCAs) &&
 							!isIntermediateCA)) {
 	SECItem *certList[2];
 	certList[0] = derCert;
 	certList[1] = NULL;
 	rv = CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageUserCertImport,
 , certList, NULL, PR_TRUE, PR_FALSE, nickData);
     } else {
 	rv = PK11_ImportDERCert(cert->slot, derCert, CK_INVALID_HANDLE,
 							nickData, PR_FALSE);
     }
     if (rv) {
 	cert->problem = 1;
 	cert->error = PORT_GetError();
     }
     cert->installed = PR_TRUE;
     if(nickName) SECITEM_ZfreeItem(nickName, PR_TRUE);
     return rv;
 }
 static SECItem *
 sec_pkcs12_get_public_value_and_type(SECKEYPublicKey *pubKey, KeyType *type);
 static SECStatus
 sec_pkcs12_add_key(sec_PKCS12SafeBag *key, SECKEYPublicKey *pubKey,
 		   unsigned int keyUsage,
 		   SECItem *nickName, void *wincx)
 {
     SECStatus rv;
     SECItem *publicValue = NULL;
     KeyType keyType;
     /* We should always have values for "key" and "pubKey"
        so they can be dereferenced later. */
     if(!key || !pubKey) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     if(key->problem || key->noInstall) {
 	return SECSuccess;
     }
     /* get the value and type from the public key */
     publicValue = sec_pkcs12_get_public_value_and_type(pubKey, &keyType);
     if (!publicValue) {
 	key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
 	key->problem = PR_TRUE;
 	return SECFailure;
     }
     switch(SECOID_FindOIDTag(&key->safeBagType))
     {
 	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
 	    rv = PK11_ImportPrivateKeyInfo(key->slot,
 			  key->safeBagContent.pkcs8KeyBag,
 			  nickName, publicValue, PR_TRUE, PR_TRUE,
 			  keyUsage,  wincx);
 	    break;
 	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
 	    rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot,
 					key->safeBagContent.pkcs8ShroudedKeyBag,
 					key->pwitem, nickName, publicValue,
 					PR_TRUE, PR_TRUE, keyType, keyUsage,
 					wincx);
 	    break;
 	default:
 	    key->error = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION;
 	    key->problem = PR_TRUE;
 	    if(nickName) {
 		SECITEM_ZfreeItem(nickName, PR_TRUE);
 	    }
 	    return SECFailure;
     }
     if(rv != SECSuccess) {
 	key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
 	key->problem = PR_TRUE;
     } else {
 	/* try to import the public key. Failure to do so is not fatal,
 	 * not all tokens can store the public key */
 	if (pubKey) {
 	    PK11_ImportPublicKey(key->slot, pubKey, PR_TRUE);
 	}
 	key->installed = PR_TRUE;
     }
     return rv;
 }
 /*
  * The correctness of the code in this file ABSOLUTELY REQUIRES
  * that ALL BAGs share a single common arena.
  *
  * This function allocates the bag list from the arena of whatever bag
  * happens to be passed to it.  Each time a new bag is handed to it,
  * it grows (resizes) the arena of the bag that was handed to it.
  * If the bags have different arenas, it will grow the wrong arena.
  *
  * Worse, if the bags had separate arenas, then while destroying the bags
  * in a bag list, when the bag whose arena contained the bag list was
  * destroyed, the baglist itself would be destroyed, making it difficult
  * or impossible to continue to destroy the bags in the destroyed list.
  */
 static SECStatus
 sec_pkcs12_add_item_to_bag_list(sec_PKCS12SafeBag ***bagList,
 				sec_PKCS12SafeBag *bag)
 {
     sec_PKCS12SafeBag **newBagList = NULL;
     int i = 0;
     if(!bagList || !bag) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     if(!(*bagList)) {
 	newBagList = PORT_ArenaZNewArray(bag->arena, sec_PKCS12SafeBag *, 2);
     } else {
 	while((*bagList)[i])
 	    i++;
 	newBagList = PORT_ArenaGrowArray(bag->arena, *bagList,
 				         sec_PKCS12SafeBag *, i + 1, i + 2);
     }
     if(!newBagList) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	return SECFailure;
     }
     newBagList[i]   = bag;
     newBagList[i+1] = NULL;
     *bagList = newBagList;
     return SECSuccess;
 }
 static sec_PKCS12SafeBag **
 sec_pkcs12_find_certs_for_key(sec_PKCS12SafeBag **safeBags,
                               sec_PKCS12SafeBag *key )
 {
     sec_PKCS12SafeBag **certList = NULL;
     SECItem *keyId;
     int i;
     if(!safeBags || !safeBags[0]) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     keyId = sec_pkcs12_get_attribute_value(key, SEC_OID_PKCS9_LOCAL_KEY_ID);
     if(!keyId) {
 	return NULL;
     }
     for (i = 0; safeBags[i]; i++) {
 	if(SECOID_FindOIDTag(&(safeBags[i]->safeBagType))
 				== SEC_OID_PKCS12_V1_CERT_BAG_ID) {
 	    SECItem *certKeyId = sec_pkcs12_get_attribute_value(safeBags[i],
 						SEC_OID_PKCS9_LOCAL_KEY_ID);
 	    if(certKeyId && (SECITEM_CompareItem(certKeyId, keyId)
 				== SECEqual)) {
 		if(sec_pkcs12_add_item_to_bag_list(&certList, safeBags[i])
 				!= SECSuccess) {
 		    /* This would leak the partial list of safeBags,
 		     * but that list is allocated from the arena of
 		     * one of the safebags, and will be destroyed when
 		     * that arena is destroyed.  So this is not a real leak.
 		     */
 		    return NULL;
 		}
 	    }
 	}
     }
     return certList;
 }
 CERTCertList *
 SEC_PKCS12DecoderGetCerts(SEC_PKCS12DecoderContext *p12dcx)
 {
     CERTCertList *certList = NULL;
     sec_PKCS12SafeBag **safeBags;
     int i;
     if (!p12dcx || !p12dcx->safeBags || !p12dcx->safeBags[0]) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     safeBags = p12dcx->safeBags;
     certList = CERT_NewCertList();
     if (certList == NULL) {
 	 return NULL;
     }
     for (i = 0; safeBags[i]; i++) {
 	if (SECOID_FindOIDTag(&(safeBags[i]->safeBagType))
 				== SEC_OID_PKCS12_V1_CERT_BAG_ID) {
 		SECItem *derCert = sec_pkcs12_get_der_cert(safeBags[i]) ;
 		CERTCertificate *tempCert = NULL;
 		if (derCert == NULL)
 		    continue;
     		tempCert=CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
 		                                 derCert, NULL,
 		                                 PR_FALSE, PR_TRUE);
 		if (tempCert) {
 		    CERT_AddCertToListTail(certList,tempCert);
 		}
 		SECITEM_FreeItem(derCert,PR_TRUE);
 	}
 	/* fixed an infinite loop here, by ensuring that i gets incremented
 	 * if derCert is NULL above.
 	 */
     }
     return certList;
 }
 static sec_PKCS12SafeBag **
 sec_pkcs12_get_key_bags(sec_PKCS12SafeBag **safeBags)
 {
     int i;
     sec_PKCS12SafeBag **keyList = NULL;
     SECOidTag bagType;
     if(!safeBags || !safeBags[0]) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     for (i = 0; safeBags[i]; i++) {
 	bagType = SECOID_FindOIDTag(&(safeBags[i]->safeBagType));
 	switch(bagType) {
 	    case SEC_OID_PKCS12_V1_KEY_BAG_ID:
 	    case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
 		if(sec_pkcs12_add_item_to_bag_list(&keyList, safeBags[i])
 				!= SECSuccess) {
 		    /* This would leak, except that keyList is allocated
 		     * from the arena shared by all the safeBags.
 		     */
 		    return NULL;
 		}
 		break;
 	    default:
 		break;
 	}
     }
     return keyList;
 }
 /* This function takes two passes over the bags, validating them
  * The two passes are intended to mirror exactly the two passes in
  * sec_pkcs12_install_bags.  But they don't. :(
  */
 static SECStatus
 sec_pkcs12_validate_bags(sec_PKCS12SafeBag **safeBags,
 			 SEC_PKCS12NicknameCollisionCallback nicknameCb,
 			 void *wincx)
 {
     sec_PKCS12SafeBag **keyList;
     int i;
     if(!safeBags || !nicknameCb) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     if(!safeBags[0]) {
 	return SECSuccess;
     }
     /* First pass.  Find all the key bags.
      * Find the matching cert(s) for each key.
      */
     keyList = sec_pkcs12_get_key_bags(safeBags);
     if(keyList) {
 	for (i = 0; keyList[i]; ++i) {
 	    sec_PKCS12SafeBag *key = keyList[i];
 	    sec_PKCS12SafeBag **certList =
 			    sec_pkcs12_find_certs_for_key(safeBags, key);
 	    if(certList) {
 		int j;
 		if(SECOID_FindOIDTag(&(key->safeBagType)) ==
 					SEC_OID_PKCS12_V1_KEY_BAG_ID) {
 		    /* if it is an unencrypted private key then make sure
 		     * the attributes are propageted to the appropriate
 		     * level
 		     */
 		    if(sec_pkcs12_get_key_info(key) != SECSuccess) {
 			return SECFailure;
 		    }
 		}
 		sec_pkcs12_validate_key_by_cert(certList[0], key, wincx);
 		for (j = 0; certList[j]; ++j) {
 		    sec_PKCS12SafeBag *cert = certList[j];
 		    cert->hasKey = PR_TRUE;
 		    if(key->problem) {
 			cert->problem = PR_TRUE;
 			cert->error   = key->error;
 			continue;
 		    }
 		    sec_pkcs12_validate_cert(cert, key, nicknameCb);
 		    if(cert->problem) {
 			key->problem = cert->problem;
 			key->error   = cert->error;
 		    }
 		}
 	    }
 	}
     }
     /* Now take a second pass over the safebags and mark for installation any
      * certs that were neither installed nor disqualified by the first pass.
      */
     for (i = 0; safeBags[i]; ++i) {
 	sec_PKCS12SafeBag *bag = safeBags[i];
 	if(!bag->validated) {
 	    SECOidTag bagType = SECOID_FindOIDTag(&bag->safeBagType);
 	    switch(bagType) {
 	    case SEC_OID_PKCS12_V1_CERT_BAG_ID:
 		sec_pkcs12_validate_cert(bag, NULL, nicknameCb);
 		break;
 	    case SEC_OID_PKCS12_V1_KEY_BAG_ID:
 	    case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
 		bag->noInstall = PR_TRUE;
 		bag->problem = PR_TRUE;
 		bag->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
 		break;
 	    default:
 		bag->noInstall = PR_TRUE;
 	    }
 	}
     }
     return SECSuccess;
 }
 SECStatus
 SEC_PKCS12DecoderValidateBags(SEC_PKCS12DecoderContext *p12dcx,
 			      SEC_PKCS12NicknameCollisionCallback nicknameCb)
 {
     SECStatus rv;
     int i, noInstallCnt, probCnt, bagCnt, errorVal = 0;
     if(!p12dcx || p12dcx->error || !p12dcx->safeBags) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     rv = sec_pkcs12_validate_bags(p12dcx->safeBags, nicknameCb, p12dcx->wincx);
     if(rv == SECSuccess) {
 	p12dcx->bagsVerified = PR_TRUE;
     }
     noInstallCnt = probCnt = bagCnt = 0;
     i = 0;
     while(p12dcx->safeBags[i]) {
 	bagCnt++;
 	if(p12dcx->safeBags[i]->noInstall)
 	    noInstallCnt++;
 	if(p12dcx->safeBags[i]->problem) {
 	    probCnt++;
 	    errorVal = p12dcx->safeBags[i]->error;
 	}
 	i++;
     }
     /* formerly was erroneous code here that assumed that if all bags
      * failed to import, then the problem was duplicated data;
      * that is, it assume that the problem must be that the file had
      * previously been successfully imported.  But importing a
      * previously imported file causes NO ERRORS at all, and this
      * false assumption caused real errors to be hidden behind false
      * errors about duplicated data.
      */
     if(probCnt) {
 	PORT_SetError(errorVal);
 	return SECFailure;
     }
     return rv;
 }
 static SECKEYPublicKey *
 sec_pkcs12_get_public_key_and_usage(sec_PKCS12SafeBag *certBag,
 					 unsigned int *usage)
 {
     SECKEYPublicKey *pubKey = NULL;
     CERTCertificate *cert = NULL;
     if(!certBag || !usage) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     *usage = 0;
     cert = CERT_DecodeDERCertificate(
 	 &certBag->safeBagContent.certBag->value.x509Cert, PR_FALSE, NULL);
     if(!cert) {
 	return NULL;
     }
     *usage = cert->keyUsage;
     pubKey = CERT_ExtractPublicKey(cert);
     CERT_DestroyCertificate(cert);
     return pubKey;
 }
 static SECItem *
 sec_pkcs12_get_public_value_and_type(SECKEYPublicKey *pubKey,
 					KeyType *type)
 {
     SECItem *pubValue = NULL;
     if(!type || !pubKey) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     *type = pubKey->keyType;
     switch(pubKey->keyType) {
 	case dsaKey:
 	    pubValue = &pubKey->u.dsa.publicValue;
 	    break;
 	case dhKey:
 	    pubValue = &pubKey->u.dh.publicValue;
 	    break;
 	case rsaKey:
 	    pubValue = &pubKey->u.rsa.modulus;
 	    break;
         case ecKey:
 	    pubValue = &pubKey->u.ec.publicValue;
 	    break;
 	default:
 	    pubValue = NULL;
     }
     return pubValue;
 }
 /* This function takes two passes over the bags, installing them in the
  * desired slot.  The two passes are intended to mirror exactly the
  * two passes in sec_pkcs12_validate_bags.
  */
 static SECStatus
 sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, void *wincx)
 {
     sec_PKCS12SafeBag **keyList;
     int i;
     int failedKeys = 0;
     if(!safeBags) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     if(!safeBags[0]) {
 	return SECSuccess;
     }
     /* First pass.  Find all the key bags.
      * Try to install them, and any certs associated with them.
      */
     keyList = sec_pkcs12_get_key_bags(safeBags);
     if(keyList) {
 	for (i = 0; keyList[i]; i++) {
 	    SECStatus rv;
 	    SECKEYPublicKey *pubKey = NULL;
 	    SECItem *nickName    = NULL;
 	    sec_PKCS12SafeBag *key = keyList[i];
 	    sec_PKCS12SafeBag **certList;
 	    unsigned int keyUsage;
 	    if(key->problem) {
 		++failedKeys;
 		continue;
 	    }
 	    certList = sec_pkcs12_find_certs_for_key(safeBags, key);
 	    if(certList && certList[0]) {
 		pubKey = sec_pkcs12_get_public_key_and_usage(certList[0],
 					&keyUsage);
 		/* use the cert's nickname, if it has one, else use the
 		 * key's nickname, else fail.
 		 */
 		nickName = sec_pkcs12_get_nickname_for_cert(certList[0], key);
 	    } else {
 		nickName = sec_pkcs12_get_nickname(key);
 	    }
 	    if (!nickName) {
 		key->error = SEC_ERROR_BAD_NICKNAME;
 		key->problem = PR_TRUE;
 		rv = SECFailure;
 	    } else if (!pubKey) {
                 key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
 		key->problem = PR_TRUE;
                 rv = SECFailure;
 	    } else {
 		rv = sec_pkcs12_add_key(key, pubKey, keyUsage, nickName, wincx);
             }
 	    if (pubKey) {
 		SECKEY_DestroyPublicKey(pubKey);
 		pubKey = NULL;
 	    }
 	    if (nickName) {
 		SECITEM_FreeItem(nickName, PR_TRUE);
 		nickName = NULL;
 	    }
 	    if(rv != SECSuccess) {
 		PORT_SetError(key->error);
 		++failedKeys;
 	    }
 	    if(certList) {
 		int j;
 		for (j = 0; certList[j]; j++) {
 		    sec_PKCS12SafeBag *cert = certList[j];
 		    SECStatus certRv;
 		    if (!cert)
 		    	continue;
 		    if(rv != SECSuccess) {
 			cert->problem = key->problem;
 			cert->error   = key->error;
 			cert->noInstall = PR_TRUE;
 			continue;
 		    }
 		    certRv = sec_pkcs12_add_cert(cert, cert->hasKey, wincx);
 		    if(certRv != SECSuccess) {
 			key->problem = cert->problem;
 			key->error   = cert->error;
 			PORT_SetError(cert->error);
 			return SECFailure;
 		    }
 		}
 	    }
 	}
     }
     if (failedKeys)
     	return SECFailure;
     /* Now take a second pass over the safebags and install any certs
      * that were neither installed nor disqualified by the first pass.
      */
     for (i = 0; safeBags[i]; i++) {
 	sec_PKCS12SafeBag *bag = safeBags[i];
 	if (!bag->installed && !bag->problem && !bag->noInstall) {
 	    SECStatus rv;
 	    SECOidTag bagType = SECOID_FindOIDTag(&(bag->safeBagType));
 	    switch(bagType) {
 	    case SEC_OID_PKCS12_V1_CERT_BAG_ID:
 		rv = sec_pkcs12_add_cert(bag, bag->hasKey, wincx);
 		if(rv != SECSuccess) {
 		    PORT_SetError(bag->error);
 		    return SECFailure;
 		}
 		break;
 	    case SEC_OID_PKCS12_V1_KEY_BAG_ID:
 	    case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
 	    default:
 		break;
 	    }
 	}
     }
     return SECSuccess;
 }
 SECStatus
 SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx)
 {
     if(!p12dcx || p12dcx->error) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     if(!p12dcx->bagsVerified) {
 	return SECFailure;
     }
     return sec_pkcs12_install_bags(p12dcx->safeBags, p12dcx->wincx);
 }
 PRBool
 sec_pkcs12_bagHasKey(SEC_PKCS12DecoderContext *p12dcx, sec_PKCS12SafeBag *bag)
 {
     int i;
     SECItem *keyId;
     SECItem *certKeyId;
     certKeyId = sec_pkcs12_get_attribute_value(bag, SEC_OID_PKCS9_LOCAL_KEY_ID);
     if (certKeyId == NULL) {
         return PR_FALSE;
     }
     for (i=0; p12dcx->keyList && p12dcx->keyList[i]; i++) {
         keyId = sec_pkcs12_get_attribute_value(p12dcx->keyList[i],
                                                 SEC_OID_PKCS9_LOCAL_KEY_ID);
         if(!keyId) {
             continue;
         }
         if(SECITEM_CompareItem(certKeyId, keyId) == SECEqual) {
             return PR_TRUE;
         }
     }
     return PR_FALSE;
 }
 SECItem *
 sec_pkcs12_get_friendlyName(sec_PKCS12SafeBag *bag)
 {
     SECItem *friendlyName;
     SECItem *tempnm;
     tempnm = sec_pkcs12_get_attribute_value(bag, SEC_OID_PKCS9_FRIENDLY_NAME);
     friendlyName = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
     if (friendlyName) {
         if (!sec_pkcs12_convert_item_to_unicode(NULL, friendlyName,
                                    tempnm, PR_TRUE, PR_FALSE, PR_FALSE)) {
             SECITEM_FreeItem(friendlyName, PR_TRUE);
             friendlyName = NULL;
         }
     }
     return friendlyName;
 }
 /* Following two functions provide access to selected portions of the safe bags.
  * Iteration is implemented per decoder context and may be accessed after
  * SEC_PKCS12DecoderVerify() returns success.
  * When ...DecoderIterateNext() returns SUCCESS a decoder item has been returned
  * where item.type is always set; item.friendlyName is set if it is non-null;
  * item.der, item.hasKey are set only for SEC_OID_PKCS12_V1_CERT_BAG_ID items.
  * ...DecoderIterateNext() returns FAILURE when the list is exhausted or when
  * arguments are invalid; PORT_GetError() is 0 at end-of-list.
  * Caller has read-only access to decoder items. Any SECItems generated are
  * owned by the decoder context and are freed by ...DecoderFinish().
  */
 SECStatus
 SEC_PKCS12DecoderIterateInit(SEC_PKCS12DecoderContext *p12dcx)
 {
     if(!p12dcx || p12dcx->error) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     p12dcx->iteration = 0;
     return SECSuccess;
 }
 SECStatus
 SEC_PKCS12DecoderIterateNext(SEC_PKCS12DecoderContext *p12dcx,
                              const SEC_PKCS12DecoderItem **ipp)
 {
     sec_PKCS12SafeBag *bag;
     if(!p12dcx || p12dcx->error) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     if (p12dcx->decitem.type != 0 && p12dcx->decitem.der != NULL) {
         SECITEM_FreeItem(p12dcx->decitem.der, PR_TRUE);
     }
     if (p12dcx->decitem.shroudAlg != NULL) {
         SECOID_DestroyAlgorithmID(p12dcx->decitem.shroudAlg, PR_TRUE);
     }
     if (p12dcx->decitem.friendlyName != NULL) {
         SECITEM_FreeItem(p12dcx->decitem.friendlyName, PR_TRUE);
     }
     p12dcx->decitem.type = 0;
     p12dcx->decitem.der = NULL;
     p12dcx->decitem.shroudAlg = NULL;
     p12dcx->decitem.friendlyName = NULL;
     p12dcx->decitem.hasKey = PR_FALSE;
     *ipp = NULL;
     if (p12dcx->keyList == NULL) {
         p12dcx->keyList = sec_pkcs12_get_key_bags(p12dcx->safeBags);
     }
     for (; p12dcx->iteration < p12dcx->safeBagCount; p12dcx->iteration++) {
         bag = p12dcx->safeBags[p12dcx->iteration];
  	if(bag == NULL || bag->problem) {
             continue;
         }
         p12dcx->decitem.type = SECOID_FindOIDTag(&(bag->safeBagType));
         switch(p12dcx->decitem.type) {
             case SEC_OID_PKCS12_V1_CERT_BAG_ID:
                 p12dcx->decitem.der = sec_pkcs12_get_der_cert(bag);
                 p12dcx->decitem.friendlyName = sec_pkcs12_get_friendlyName(bag);
                 p12dcx->decitem.hasKey = sec_pkcs12_bagHasKey(p12dcx, bag);
                 break;
             case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
                 p12dcx->decitem.shroudAlg = PORT_ZNew(SECAlgorithmID);
 		if (p12dcx->decitem.shroudAlg) {
 		    SECOID_CopyAlgorithmID(NULL, p12dcx->decitem.shroudAlg,
 			&bag->safeBagContent.pkcs8ShroudedKeyBag->algorithm);
 		}
                 /* fall through */
             case SEC_OID_PKCS12_V1_KEY_BAG_ID:
                 p12dcx->decitem.friendlyName = sec_pkcs12_get_friendlyName(bag);
                 break;
             default:
                 /* return these even though we don't expect them */
                 break;
             case SEC_OID_UNKNOWN:
                 /* ignore these */
                 continue;
         }
         *ipp = &p12dcx->decitem;
         p12dcx->iteration++;
         break;  /* end for() */
     }
     PORT_SetError(0);       /* end-of-list is SECFailure with no PORT error */
     return ((p12dcx->decitem.type == 0) ? SECFailure : SECSuccess);
 }
 static SECStatus
 sec_pkcs12_decoder_append_bag_to_context(SEC_PKCS12DecoderContext *p12dcx,
 					 sec_PKCS12SafeBag *bag)
 {
     if(!p12dcx || p12dcx->error) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     p12dcx->safeBags = !p12dcx->safeBagCount
 	? PORT_ArenaZNewArray(p12dcx->arena, sec_PKCS12SafeBag *, 2)
 	: PORT_ArenaGrowArray(p12dcx->arena, p12dcx->safeBags,
 	                      sec_PKCS12SafeBag *, p12dcx->safeBagCount + 1,
 			      p12dcx->safeBagCount + 2);
     if(!p12dcx->safeBags) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	return SECFailure;
     }
     p12dcx->safeBags[p12dcx->safeBagCount] = bag;
     p12dcx->safeBags[p12dcx->safeBagCount+1] = NULL;
     p12dcx->safeBagCount++;
     return SECSuccess;
 }
 static sec_PKCS12SafeBag *
 sec_pkcs12_decoder_convert_old_key(SEC_PKCS12DecoderContext *p12dcx,
 				   void *key, PRBool isEspvk)
 {
     sec_PKCS12SafeBag *keyBag;
     SECOidData *oid;
     SECOidTag keyTag;
     SECItem *keyID, *nickName, *newNickName;
     if(!p12dcx || p12dcx->error || !key) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     newNickName = PORT_ArenaZNew(p12dcx->arena, SECItem);
     keyBag      = PORT_ArenaZNew(p12dcx->arena, sec_PKCS12SafeBag);
     if(!keyBag || !newNickName) {
 	return NULL;
     }
     keyBag->swapUnicodeBytes = p12dcx->swapUnicodeBytes;
     keyBag->slot = p12dcx->slot;
     keyBag->arena = p12dcx->arena;
     keyBag->pwitem = p12dcx->pwitem;
     keyBag->tokenCAs = p12dcx->tokenCAs;
     keyBag->oldBagType = PR_TRUE;
     keyTag = (isEspvk) ? SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID :
 			 SEC_OID_PKCS12_V1_KEY_BAG_ID;
     oid = SECOID_FindOIDByTag(keyTag);
     if(!oid) {
 	return NULL;
     }
     if(SECITEM_CopyItem(p12dcx->arena, &keyBag->safeBagType, &oid->oid)
 			!= SECSuccess) {
 	return NULL;
     }
     if(isEspvk) {
 	SEC_PKCS12ESPVKItem *espvk = (SEC_PKCS12ESPVKItem *)key;
 	keyBag->safeBagContent.pkcs8ShroudedKeyBag  =
 					espvk->espvkCipherText.pkcs8KeyShroud;
 	nickName = &(espvk->espvkData.uniNickName);
 	if(!espvk->espvkData.assocCerts || !espvk->espvkData.assocCerts[0]) {
 	    PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
 	    return NULL;
 	}
 	keyID = &espvk->espvkData.assocCerts[0]->digest;
     } else {
 	SEC_PKCS12PrivateKey *pk = (SEC_PKCS12PrivateKey *)key;
 	keyBag->safeBagContent.pkcs8KeyBag = &pk->pkcs8data;
 	nickName= &(pk->pvkData.uniNickName);
 	if(!pk->pvkData.assocCerts || !pk->pvkData.assocCerts[0]) {
 	    PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
 	    return NULL;
 	}
 	keyID = &pk->pvkData.assocCerts[0]->digest;
     }
     if(nickName->len) {
 	if(nickName->len >= 2) {
 	    if(nickName->data[0] && nickName->data[1]) {
 		if(!sec_pkcs12_convert_item_to_unicode(p12dcx->arena, newNickName,
 					nickName, PR_FALSE, PR_FALSE, PR_TRUE)) {
 		    return NULL;
 		}
 		nickName = newNickName;
 	    } else if(nickName->data[0] && !nickName->data[1]) {
 		unsigned int j = 0;
 		unsigned char t;
 		for(j = 0; j < nickName->len; j+=2) {
 		    t = nickName->data[j+1];
 		    nickName->data[j+1] = nickName->data[j];
 		    nickName->data[j] = t;
 		}
 	    }
 	} else {
 	    if(!sec_pkcs12_convert_item_to_unicode(p12dcx->arena, newNickName,
 					nickName, PR_FALSE, PR_FALSE, PR_TRUE)) {
 		return NULL;
 	    }
 	    nickName = newNickName;
 	}
     }
     if(sec_pkcs12_decoder_set_attribute_value(keyBag,
 					      SEC_OID_PKCS9_FRIENDLY_NAME,
 					      nickName) != SECSuccess) {
 	return NULL;
     }
     if(sec_pkcs12_decoder_set_attribute_value(keyBag,SEC_OID_PKCS9_LOCAL_KEY_ID,
 					keyID) != SECSuccess) {
 	return NULL;
     }
     return keyBag;
 }
 static sec_PKCS12SafeBag *
 sec_pkcs12_decoder_create_cert(SEC_PKCS12DecoderContext *p12dcx,
 			       SECItem *derCert)
 {
     sec_PKCS12SafeBag *certBag;
     SECOidData *oid;
     SGNDigestInfo *digest;
     SECItem *keyId;
     SECStatus rv;
     if(!p12dcx || p12dcx->error || !derCert) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     keyId = PORT_ArenaZNew(p12dcx->arena, SECItem);
     if(!keyId) {
 	return NULL;
     }
     digest = sec_pkcs12_compute_thumbprint(derCert);
     if(!digest) {
 	return NULL;
     }
     rv = SECITEM_CopyItem(p12dcx->arena, keyId, &digest->digest);
     SGN_DestroyDigestInfo(digest);
     if(rv != SECSuccess) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	return NULL;
     }
     oid = SECOID_FindOIDByTag(SEC_OID_PKCS12_V1_CERT_BAG_ID);
     certBag = PORT_ArenaZNew(p12dcx->arena, sec_PKCS12SafeBag);
     if(!certBag || !oid || (SECITEM_CopyItem(p12dcx->arena,
 			&certBag->safeBagType, &oid->oid) != SECSuccess)) {
 	return NULL;
     }
     certBag->slot = p12dcx->slot;
     certBag->pwitem = p12dcx->pwitem;
     certBag->swapUnicodeBytes = p12dcx->swapUnicodeBytes;
     certBag->arena = p12dcx->arena;
     certBag->tokenCAs = p12dcx->tokenCAs;
     oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_X509_CERT);
     certBag->safeBagContent.certBag =
 			PORT_ArenaZNew(p12dcx->arena, sec_PKCS12CertBag);
     if(!certBag->safeBagContent.certBag || !oid ||
 			(SECITEM_CopyItem(p12dcx->arena,
 				 &certBag->safeBagContent.certBag->bagID,
 				 &oid->oid) != SECSuccess)) {
 	return NULL;
     }
     if(SECITEM_CopyItem(p12dcx->arena,
 			 &(certBag->safeBagContent.certBag->value.x509Cert),
 			 derCert) != SECSuccess) {
 	return NULL;
     }
     if(sec_pkcs12_decoder_set_attribute_value(certBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
 					keyId) != SECSuccess) {
 	return NULL;
     }
     return certBag;
 }
 static sec_PKCS12SafeBag **
 sec_pkcs12_decoder_convert_old_cert(SEC_PKCS12DecoderContext *p12dcx,
 				    SEC_PKCS12CertAndCRL *oldCert)
 {
     sec_PKCS12SafeBag **certList;
     SECItem **derCertList;
     int i, j;
     if(!p12dcx || p12dcx->error || !oldCert) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     derCertList = SEC_PKCS7GetCertificateList(&oldCert->value.x509->certOrCRL);
     if(!derCertList) {
 	return NULL;
     }
     i = 0;
     while(derCertList[i]) i++;
     certList = PORT_ArenaZNewArray(p12dcx->arena, sec_PKCS12SafeBag *, (i + 1));
     if(!certList) {
 	return NULL;
     }
     for(j = 0; j < i; j++) {
 	certList[j] = sec_pkcs12_decoder_create_cert(p12dcx, derCertList[j]);
 	if(!certList[j]) {
 	    return NULL;
 	}
     }
     return certList;
 }
 static SECStatus
 sec_pkcs12_decoder_convert_old_key_and_certs(SEC_PKCS12DecoderContext *p12dcx,
 					     void *oldKey, PRBool isEspvk,
 					     SEC_PKCS12SafeContents *safe,
 					     SEC_PKCS12Baggage *baggage)
 {
     sec_PKCS12SafeBag *key, **certList;
     SEC_PKCS12CertAndCRL *oldCert;
     SEC_PKCS12PVKSupportingData *pvkData;
     int i;
     SECItem *keyName;
     if(!p12dcx || !oldKey) {
 	return SECFailure;
     }
     if(isEspvk) {
 	pvkData = &((SEC_PKCS12ESPVKItem *)(oldKey))->espvkData;
     } else {
 	pvkData = &((SEC_PKCS12PrivateKey *)(oldKey))->pvkData;
     }
     if(!pvkData->assocCerts || !pvkData->assocCerts[0]) {
 	PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
 	return SECFailure;
     }
     oldCert = (SEC_PKCS12CertAndCRL *)sec_pkcs12_find_object(safe, baggage,
 				     SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID, NULL,
 				     pvkData->assocCerts[0]);
     if(!oldCert) {
 	PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
 	return SECFailure;
     }
     key = sec_pkcs12_decoder_convert_old_key(p12dcx,oldKey, isEspvk);
     certList = sec_pkcs12_decoder_convert_old_cert(p12dcx, oldCert);
     if(!key || !certList) {
 	return SECFailure;
     }
     if(sec_pkcs12_decoder_append_bag_to_context(p12dcx, key) != SECSuccess) {
 	return SECFailure;
     }
     keyName = sec_pkcs12_get_nickname(key);
     if(!keyName) {
 	return SECFailure;
     }
     i = 0;
     while(certList[i]) {
 	if(sec_pkcs12_decoder_append_bag_to_context(p12dcx, certList[i])
 				!= SECSuccess) {
 	    return SECFailure;
 	}
 	i++;
     }
     certList = sec_pkcs12_find_certs_for_key(p12dcx->safeBags, key);
     if(!certList) {
 	return SECFailure;
     }
     i = 0;
     while(certList[i] != 0) {
 	if(sec_pkcs12_set_nickname(certList[i], keyName) != SECSuccess) {
 	    return SECFailure;
 	}
 	i++;
     }
     return SECSuccess;
 }
 static SECStatus
 sec_pkcs12_decoder_convert_old_safe_to_bags(SEC_PKCS12DecoderContext *p12dcx,
 					    SEC_PKCS12SafeContents *safe,
 					    SEC_PKCS12Baggage *baggage)
 {
     SECStatus rv;
     if(!p12dcx || p12dcx->error) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     if(safe && safe->contents) {
 	int i = 0;
 	while(safe->contents[i] != NULL) {
 	    if(SECOID_FindOIDTag(&safe->contents[i]->safeBagType)
 				== SEC_OID_PKCS12_KEY_BAG_ID) {
 		int j = 0;
 		SEC_PKCS12PrivateKeyBag *privBag =
 					safe->contents[i]->safeContent.keyBag;
 		while(privBag->privateKeys[j] != NULL) {
 		    SEC_PKCS12PrivateKey *pk = privBag->privateKeys[j];
 		    rv = sec_pkcs12_decoder_convert_old_key_and_certs(p12dcx,pk,
 						PR_FALSE, safe, baggage);
 		    if(rv != SECSuccess) {
 			goto loser;
 		    }
 		    j++;
 		}
 	    }
 	    i++;
 	}
     }
     if(baggage && baggage->bags) {
 	int i = 0;
 	while(baggage->bags[i] != NULL) {
 	    SEC_PKCS12BaggageItem *bag = baggage->bags[i];
 	    int j = 0;
 	    if(!bag->espvks) {
 		i++;
 		continue;
 	    }
 	    while(bag->espvks[j] != NULL) {
 		SEC_PKCS12ESPVKItem *espvk = bag->espvks[j];
 		rv = sec_pkcs12_decoder_convert_old_key_and_certs(p12dcx, espvk,
 							PR_TRUE, safe, baggage);
 		if(rv != SECSuccess) {
 		    goto loser;
 		}
 		j++;
 	    }
 	    i++;
 	}
     }
     return SECSuccess;
 loser:
     return SECFailure;
 }
 SEC_PKCS12DecoderContext *
 sec_PKCS12ConvertOldSafeToNew(PLArenaPool *arena, PK11SlotInfo *slot,
 			      PRBool swapUnicode, SECItem *pwitem,
 			      void *wincx, SEC_PKCS12SafeContents *safe,
 			      SEC_PKCS12Baggage *baggage)
 {
     SEC_PKCS12DecoderContext *p12dcx;
     if(!arena || !slot || !pwitem) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     if(!safe && !baggage) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     p12dcx = PORT_ArenaZNew(arena, SEC_PKCS12DecoderContext);
     if(!p12dcx) {
 	return NULL;
     }
     p12dcx->arena = arena;
     p12dcx->slot = PK11_ReferenceSlot(slot);
     p12dcx->wincx = wincx;
     p12dcx->error = PR_FALSE;
     p12dcx->swapUnicodeBytes = swapUnicode;
     p12dcx->pwitem = pwitem;
     p12dcx->tokenCAs = SECPKCS12TargetTokenNoCAs;
     if(sec_pkcs12_decoder_convert_old_safe_to_bags(p12dcx, safe, baggage)
 				!= SECSuccess) {
 	p12dcx->error = PR_TRUE;
 	return NULL;
     }
     return p12dcx;
 }

The Tor Browser / annotate

security/nss/lib/pkcs12/p12d.c@b8a032363ba2 (annotated)

security/nss/lib/pkcs12/p12d.c