1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/certdb/stanpcertdb.c Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,1072 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +
1.8 +#include "prtime.h"
1.9 +
1.10 +#include "cert.h"
1.11 +#include "certi.h"
1.12 +#include "certdb.h"
1.13 +#include "secitem.h"
1.14 +#include "secder.h"
1.15 +
1.16 +/* Call to PK11_FreeSlot below */
1.17 +
1.18 +#include "secasn1.h"
1.19 +#include "secerr.h"
1.20 +#include "nssilock.h"
1.21 +#include "prmon.h"
1.22 +#include "base64.h"
1.23 +#include "sechash.h"
1.24 +#include "plhash.h"
1.25 +#include "pk11func.h" /* sigh */
1.26 +
1.27 +#include "nsspki.h"
1.28 +#include "pki.h"
1.29 +#include "pkim.h"
1.30 +#include "pki3hack.h"
1.31 +#include "ckhelper.h"
1.32 +#include "base.h"
1.33 +#include "pkistore.h"
1.34 +#include "dev3hack.h"
1.35 +#include "dev.h"
1.36 +
1.37 +PRBool
1.38 +SEC_CertNicknameConflict(const char *nickname, const SECItem *derSubject,
1.39 + CERTCertDBHandle *handle)
1.40 +{
1.41 + CERTCertificate *cert;
1.42 + PRBool conflict = PR_FALSE;
1.43 +
1.44 + cert=CERT_FindCertByNickname(handle, nickname);
1.45 +
1.46 + if (!cert) {
1.47 + return conflict;
1.48 + }
1.49 +
1.50 + conflict = !SECITEM_ItemsAreEqual(derSubject,&cert->derSubject);
1.51 + CERT_DestroyCertificate(cert);
1.52 + return conflict;
1.53 +}
1.54 +
1.55 +SECStatus
1.56 +SEC_DeletePermCertificate(CERTCertificate *cert)
1.57 +{
1.58 + PRStatus nssrv;
1.59 + NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
1.60 + NSSCertificate *c = STAN_GetNSSCertificate(cert);
1.61 + CERTCertTrust *certTrust;
1.62 +
1.63 + if (c == NULL) {
1.64 + /* error code is set */
1.65 + return SECFailure;
1.66 + }
1.67 +
1.68 + certTrust = nssTrust_GetCERTCertTrustForCert(c, cert);
1.69 + if (certTrust) {
1.70 + NSSTrust *nssTrust = nssTrustDomain_FindTrustForCertificate(td, c);
1.71 + if (nssTrust) {
1.72 + nssrv = STAN_DeleteCertTrustMatchingSlot(c);
1.73 + if (nssrv != PR_SUCCESS) {
1.74 + CERT_MapStanError();
1.75 + }
1.76 + /* This call always returns PR_SUCCESS! */
1.77 + (void) nssTrust_Destroy(nssTrust);
1.78 + }
1.79 + }
1.80 +
1.81 + /* get rid of the token instances */
1.82 + nssrv = NSSCertificate_DeleteStoredObject(c, NULL);
1.83 +
1.84 + /* get rid of the cache entry */
1.85 + nssTrustDomain_LockCertCache(td);
1.86 + nssTrustDomain_RemoveCertFromCacheLOCKED(td, c);
1.87 + nssTrustDomain_UnlockCertCache(td);
1.88 +
1.89 + return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
1.90 +}
1.91 +
1.92 +SECStatus
1.93 +CERT_GetCertTrust(const CERTCertificate *cert, CERTCertTrust *trust)
1.94 +{
1.95 + SECStatus rv;
1.96 + CERT_LockCertTrust(cert);
1.97 + if ( cert->trust == NULL ) {
1.98 + rv = SECFailure;
1.99 + } else {
1.100 + *trust = *cert->trust;
1.101 + rv = SECSuccess;
1.102 + }
1.103 + CERT_UnlockCertTrust(cert);
1.104 + return(rv);
1.105 +}
1.106 +
1.107 +extern const NSSError NSS_ERROR_NO_ERROR;
1.108 +extern const NSSError NSS_ERROR_INTERNAL_ERROR;
1.109 +extern const NSSError NSS_ERROR_NO_MEMORY;
1.110 +extern const NSSError NSS_ERROR_INVALID_POINTER;
1.111 +extern const NSSError NSS_ERROR_INVALID_ARENA;
1.112 +extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
1.113 +extern const NSSError NSS_ERROR_DUPLICATE_POINTER;
1.114 +extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
1.115 +extern const NSSError NSS_ERROR_TRACKER_NOT_EMPTY;
1.116 +extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
1.117 +extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
1.118 +extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
1.119 +extern const NSSError NSS_ERROR_UNSUPPORTED_TYPE;
1.120 +extern const NSSError NSS_ERROR_BUFFER_TOO_SHORT;
1.121 +extern const NSSError NSS_ERROR_INVALID_ATOB_CONTEXT;
1.122 +extern const NSSError NSS_ERROR_INVALID_BASE64;
1.123 +extern const NSSError NSS_ERROR_INVALID_BTOA_CONTEXT;
1.124 +extern const NSSError NSS_ERROR_INVALID_ITEM;
1.125 +extern const NSSError NSS_ERROR_INVALID_STRING;
1.126 +extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
1.127 +extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
1.128 +extern const NSSError NSS_ERROR_INVALID_BER;
1.129 +extern const NSSError NSS_ERROR_INVALID_ATAV;
1.130 +extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
1.131 +extern const NSSError NSS_ERROR_INVALID_UTF8;
1.132 +extern const NSSError NSS_ERROR_INVALID_NSSOID;
1.133 +extern const NSSError NSS_ERROR_UNKNOWN_ATTRIBUTE;
1.134 +extern const NSSError NSS_ERROR_NOT_FOUND;
1.135 +extern const NSSError NSS_ERROR_INVALID_PASSWORD;
1.136 +extern const NSSError NSS_ERROR_USER_CANCELED;
1.137 +extern const NSSError NSS_ERROR_MAXIMUM_FOUND;
1.138 +extern const NSSError NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND;
1.139 +extern const NSSError NSS_ERROR_CERTIFICATE_IN_CACHE;
1.140 +extern const NSSError NSS_ERROR_HASH_COLLISION;
1.141 +extern const NSSError NSS_ERROR_DEVICE_ERROR;
1.142 +extern const NSSError NSS_ERROR_INVALID_CERTIFICATE;
1.143 +extern const NSSError NSS_ERROR_BUSY;
1.144 +extern const NSSError NSS_ERROR_ALREADY_INITIALIZED;
1.145 +extern const NSSError NSS_ERROR_PKCS11;
1.146 +
1.147 +
1.148 +/* Look at the stan error stack and map it to NSS 3 errors */
1.149 +#define STAN_MAP_ERROR(x,y) \
1.150 + else if (error == (x)) { \
1.151 + secError = y; \
1.152 + } \
1.153 +
1.154 +/*
1.155 + * map Stan errors into NSS errors
1.156 + * This function examines the stan error stack and automatically sets
1.157 + * PORT_SetError(); to the appropriate SEC_ERROR value.
1.158 + */
1.159 +void
1.160 +CERT_MapStanError()
1.161 +{
1.162 + PRInt32 *errorStack;
1.163 + NSSError error, prevError;
1.164 + int secError;
1.165 + int i;
1.166 +
1.167 + error = 0;
1.168 +
1.169 + errorStack = NSS_GetErrorStack();
1.170 + if (errorStack == 0) {
1.171 + PORT_SetError(0);
1.172 + return;
1.173 + }
1.174 + error = prevError = CKR_GENERAL_ERROR;
1.175 + /* get the 'top 2' error codes from the stack */
1.176 + for (i=0; errorStack[i]; i++) {
1.177 + prevError = error;
1.178 + error = errorStack[i];
1.179 + }
1.180 + if (error == NSS_ERROR_PKCS11) {
1.181 + /* map it */
1.182 + secError = PK11_MapError(prevError);
1.183 + }
1.184 + STAN_MAP_ERROR(NSS_ERROR_NO_ERROR, 0)
1.185 + STAN_MAP_ERROR(NSS_ERROR_NO_MEMORY, SEC_ERROR_NO_MEMORY)
1.186 + STAN_MAP_ERROR(NSS_ERROR_INVALID_BASE64, SEC_ERROR_BAD_DATA)
1.187 + STAN_MAP_ERROR(NSS_ERROR_INVALID_BER, SEC_ERROR_BAD_DER)
1.188 + STAN_MAP_ERROR(NSS_ERROR_INVALID_ATAV, SEC_ERROR_INVALID_AVA)
1.189 + STAN_MAP_ERROR(NSS_ERROR_INVALID_PASSWORD,SEC_ERROR_BAD_PASSWORD)
1.190 + STAN_MAP_ERROR(NSS_ERROR_BUSY, SEC_ERROR_BUSY)
1.191 + STAN_MAP_ERROR(NSS_ERROR_DEVICE_ERROR, SEC_ERROR_IO)
1.192 + STAN_MAP_ERROR(NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND,
1.193 + SEC_ERROR_UNKNOWN_ISSUER)
1.194 + STAN_MAP_ERROR(NSS_ERROR_INVALID_CERTIFICATE, SEC_ERROR_CERT_NOT_VALID)
1.195 + STAN_MAP_ERROR(NSS_ERROR_INVALID_UTF8, SEC_ERROR_BAD_DATA)
1.196 + STAN_MAP_ERROR(NSS_ERROR_INVALID_NSSOID, SEC_ERROR_BAD_DATA)
1.197 +
1.198 + /* these are library failure for lack of a better error code */
1.199 + STAN_MAP_ERROR(NSS_ERROR_NOT_FOUND, SEC_ERROR_LIBRARY_FAILURE)
1.200 + STAN_MAP_ERROR(NSS_ERROR_CERTIFICATE_IN_CACHE,
1.201 + SEC_ERROR_LIBRARY_FAILURE)
1.202 + STAN_MAP_ERROR(NSS_ERROR_MAXIMUM_FOUND, SEC_ERROR_LIBRARY_FAILURE)
1.203 + STAN_MAP_ERROR(NSS_ERROR_USER_CANCELED, SEC_ERROR_LIBRARY_FAILURE)
1.204 + STAN_MAP_ERROR(NSS_ERROR_TRACKER_NOT_INITIALIZED,
1.205 + SEC_ERROR_LIBRARY_FAILURE)
1.206 + STAN_MAP_ERROR(NSS_ERROR_ALREADY_INITIALIZED, SEC_ERROR_LIBRARY_FAILURE)
1.207 + STAN_MAP_ERROR(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD,
1.208 + SEC_ERROR_LIBRARY_FAILURE)
1.209 + STAN_MAP_ERROR(NSS_ERROR_HASH_COLLISION, SEC_ERROR_LIBRARY_FAILURE)
1.210 +
1.211 + STAN_MAP_ERROR(NSS_ERROR_INTERNAL_ERROR, SEC_ERROR_LIBRARY_FAILURE)
1.212 +
1.213 + /* these are all invalid arguments */
1.214 + STAN_MAP_ERROR(NSS_ERROR_INVALID_ARGUMENT, SEC_ERROR_INVALID_ARGS)
1.215 + STAN_MAP_ERROR(NSS_ERROR_INVALID_POINTER, SEC_ERROR_INVALID_ARGS)
1.216 + STAN_MAP_ERROR(NSS_ERROR_INVALID_ARENA, SEC_ERROR_INVALID_ARGS)
1.217 + STAN_MAP_ERROR(NSS_ERROR_INVALID_ARENA_MARK, SEC_ERROR_INVALID_ARGS)
1.218 + STAN_MAP_ERROR(NSS_ERROR_DUPLICATE_POINTER, SEC_ERROR_INVALID_ARGS)
1.219 + STAN_MAP_ERROR(NSS_ERROR_POINTER_NOT_REGISTERED, SEC_ERROR_INVALID_ARGS)
1.220 + STAN_MAP_ERROR(NSS_ERROR_TRACKER_NOT_EMPTY, SEC_ERROR_INVALID_ARGS)
1.221 + STAN_MAP_ERROR(NSS_ERROR_VALUE_TOO_LARGE, SEC_ERROR_INVALID_ARGS)
1.222 + STAN_MAP_ERROR(NSS_ERROR_UNSUPPORTED_TYPE, SEC_ERROR_INVALID_ARGS)
1.223 + STAN_MAP_ERROR(NSS_ERROR_BUFFER_TOO_SHORT, SEC_ERROR_INVALID_ARGS)
1.224 + STAN_MAP_ERROR(NSS_ERROR_INVALID_ATOB_CONTEXT, SEC_ERROR_INVALID_ARGS)
1.225 + STAN_MAP_ERROR(NSS_ERROR_INVALID_BTOA_CONTEXT, SEC_ERROR_INVALID_ARGS)
1.226 + STAN_MAP_ERROR(NSS_ERROR_INVALID_ITEM, SEC_ERROR_INVALID_ARGS)
1.227 + STAN_MAP_ERROR(NSS_ERROR_INVALID_STRING, SEC_ERROR_INVALID_ARGS)
1.228 + STAN_MAP_ERROR(NSS_ERROR_INVALID_ASN1ENCODER, SEC_ERROR_INVALID_ARGS)
1.229 + STAN_MAP_ERROR(NSS_ERROR_INVALID_ASN1DECODER, SEC_ERROR_INVALID_ARGS)
1.230 + STAN_MAP_ERROR(NSS_ERROR_UNKNOWN_ATTRIBUTE, SEC_ERROR_INVALID_ARGS)
1.231 + else {
1.232 + secError = SEC_ERROR_LIBRARY_FAILURE;
1.233 + }
1.234 + PORT_SetError(secError);
1.235 +}
1.236 +
1.237 +
1.238 +
1.239 +SECStatus
1.240 +CERT_ChangeCertTrust(CERTCertDBHandle *handle, CERTCertificate *cert,
1.241 + CERTCertTrust *trust)
1.242 +{
1.243 + SECStatus rv = SECSuccess;
1.244 + PRStatus ret;
1.245 +
1.246 + ret = STAN_ChangeCertTrust(cert, trust);
1.247 + if (ret != PR_SUCCESS) {
1.248 + rv = SECFailure;
1.249 + CERT_MapStanError();
1.250 + }
1.251 + return rv;
1.252 +}
1.253 +
1.254 +extern const NSSError NSS_ERROR_INVALID_CERTIFICATE;
1.255 +
1.256 +SECStatus
1.257 +__CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
1.258 + CERTCertTrust *trust)
1.259 +{
1.260 + NSSUTF8 *stanNick;
1.261 + PK11SlotInfo *slot;
1.262 + NSSToken *internal;
1.263 + NSSCryptoContext *context;
1.264 + nssCryptokiObject *permInstance;
1.265 + NSSCertificate *c = STAN_GetNSSCertificate(cert);
1.266 + nssCertificateStoreTrace lockTrace = {NULL, NULL, PR_FALSE, PR_FALSE};
1.267 + nssCertificateStoreTrace unlockTrace = {NULL, NULL, PR_FALSE, PR_FALSE};
1.268 + SECStatus rv;
1.269 + PRStatus ret;
1.270 +
1.271 + if (c == NULL) {
1.272 + CERT_MapStanError();
1.273 + return SECFailure;
1.274 + }
1.275 +
1.276 + context = c->object.cryptoContext;
1.277 + if (!context) {
1.278 + PORT_SetError(SEC_ERROR_ADDING_CERT);
1.279 + return SECFailure; /* wasn't a temp cert */
1.280 + }
1.281 + stanNick = nssCertificate_GetNickname(c, NULL);
1.282 + if (stanNick && nickname && strcmp(nickname, stanNick) != 0) {
1.283 + /* different: take the new nickname */
1.284 + cert->nickname = NULL;
1.285 + nss_ZFreeIf(stanNick);
1.286 + stanNick = NULL;
1.287 + }
1.288 + if (!stanNick && nickname) {
1.289 + /* Either there was no nickname yet, or we have a new nickname */
1.290 + stanNick = nssUTF8_Duplicate((NSSUTF8 *)nickname, NULL);
1.291 + } /* else: old stanNick is identical to new nickname */
1.292 + /* Delete the temp instance */
1.293 + nssCertificateStore_Lock(context->certStore, &lockTrace);
1.294 + nssCertificateStore_RemoveCertLOCKED(context->certStore, c);
1.295 + nssCertificateStore_Unlock(context->certStore, &lockTrace, &unlockTrace);
1.296 + c->object.cryptoContext = NULL;
1.297 + /* Import the perm instance onto the internal token */
1.298 + slot = PK11_GetInternalKeySlot();
1.299 + internal = PK11Slot_GetNSSToken(slot);
1.300 + permInstance = nssToken_ImportCertificate(internal, NULL,
1.301 + NSSCertificateType_PKIX,
1.302 + &c->id,
1.303 + stanNick,
1.304 + &c->encoding,
1.305 + &c->issuer,
1.306 + &c->subject,
1.307 + &c->serial,
1.308 + cert->emailAddr,
1.309 + PR_TRUE);
1.310 + nss_ZFreeIf(stanNick);
1.311 + stanNick = NULL;
1.312 + PK11_FreeSlot(slot);
1.313 + if (!permInstance) {
1.314 + if (NSS_GetError() == NSS_ERROR_INVALID_CERTIFICATE) {
1.315 + PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
1.316 + }
1.317 + return SECFailure;
1.318 + }
1.319 + nssPKIObject_AddInstance(&c->object, permInstance);
1.320 + nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
1.321 + /* reset the CERTCertificate fields */
1.322 + cert->nssCertificate = NULL;
1.323 + cert = STAN_GetCERTCertificateOrRelease(c); /* should return same pointer */
1.324 + if (!cert) {
1.325 + CERT_MapStanError();
1.326 + return SECFailure;
1.327 + }
1.328 + cert->istemp = PR_FALSE;
1.329 + cert->isperm = PR_TRUE;
1.330 + if (!trust) {
1.331 + return SECSuccess;
1.332 + }
1.333 + ret = STAN_ChangeCertTrust(cert, trust);
1.334 + rv = SECSuccess;
1.335 + if (ret != PR_SUCCESS) {
1.336 + rv = SECFailure;
1.337 + CERT_MapStanError();
1.338 + }
1.339 + return rv;
1.340 +}
1.341 +
1.342 +SECStatus
1.343 +CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
1.344 + CERTCertTrust *trust)
1.345 +{
1.346 + return __CERT_AddTempCertToPerm(cert, nickname, trust);
1.347 +}
1.348 +
1.349 +CERTCertificate *
1.350 +CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
1.351 + char *nickname, PRBool isperm, PRBool copyDER)
1.352 +{
1.353 + NSSCertificate *c;
1.354 + CERTCertificate *cc;
1.355 + NSSCertificate *tempCert = NULL;
1.356 + nssPKIObject *pkio;
1.357 + NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext();
1.358 + NSSTrustDomain *gTD = STAN_GetDefaultTrustDomain();
1.359 + if (!isperm) {
1.360 + NSSDER encoding;
1.361 + NSSITEM_FROM_SECITEM(&encoding, derCert);
1.362 + /* First, see if it is already a temp cert */
1.363 + c = NSSCryptoContext_FindCertificateByEncodedCertificate(gCC,
1.364 + &encoding);
1.365 + if (!c) {
1.366 + /* Then, see if it is already a perm cert */
1.367 + c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
1.368 + &encoding);
1.369 + }
1.370 + if (c) {
1.371 + /* actually, that search ends up going by issuer/serial,
1.372 + * so it is still possible to return a cert with the same
1.373 + * issuer/serial but a different encoding, and we're
1.374 + * going to reject that
1.375 + */
1.376 + if (!nssItem_Equal(&c->encoding, &encoding, NULL)) {
1.377 + nssCertificate_Destroy(c);
1.378 + PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
1.379 + cc = NULL;
1.380 + } else {
1.381 + cc = STAN_GetCERTCertificateOrRelease(c);
1.382 + if (cc == NULL) {
1.383 + CERT_MapStanError();
1.384 + }
1.385 + }
1.386 + return cc;
1.387 + }
1.388 + }
1.389 + pkio = nssPKIObject_Create(NULL, NULL, gTD, gCC, nssPKIMonitor);
1.390 + if (!pkio) {
1.391 + CERT_MapStanError();
1.392 + return NULL;
1.393 + }
1.394 + c = nss_ZNEW(pkio->arena, NSSCertificate);
1.395 + if (!c) {
1.396 + CERT_MapStanError();
1.397 + nssPKIObject_Destroy(pkio);
1.398 + return NULL;
1.399 + }
1.400 + c->object = *pkio;
1.401 + if (copyDER) {
1.402 + nssItem_Create(c->object.arena, &c->encoding,
1.403 + derCert->len, derCert->data);
1.404 + } else {
1.405 + NSSITEM_FROM_SECITEM(&c->encoding, derCert);
1.406 + }
1.407 + /* Forces a decoding of the cert in order to obtain the parts used
1.408 + * below
1.409 + */
1.410 + /* 'c' is not adopted here, if we fail loser frees what has been
1.411 + * allocated so far for 'c' */
1.412 + cc = STAN_GetCERTCertificate(c);
1.413 + if (!cc) {
1.414 + CERT_MapStanError();
1.415 + goto loser;
1.416 + }
1.417 + nssItem_Create(c->object.arena,
1.418 + &c->issuer, cc->derIssuer.len, cc->derIssuer.data);
1.419 + nssItem_Create(c->object.arena,
1.420 + &c->subject, cc->derSubject.len, cc->derSubject.data);
1.421 + if (PR_TRUE) {
1.422 + /* CERTCertificate stores serial numbers decoded. I need the DER
1.423 + * here. sigh.
1.424 + */
1.425 + SECItem derSerial = { 0 };
1.426 + CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
1.427 + if (!derSerial.data) goto loser;
1.428 + nssItem_Create(c->object.arena, &c->serial, derSerial.len, derSerial.data);
1.429 + PORT_Free(derSerial.data);
1.430 + }
1.431 + if (nickname) {
1.432 + c->object.tempName = nssUTF8_Create(c->object.arena,
1.433 + nssStringType_UTF8String,
1.434 + (NSSUTF8 *)nickname,
1.435 + PORT_Strlen(nickname));
1.436 + }
1.437 + if (cc->emailAddr && cc->emailAddr[0]) {
1.438 + c->email = nssUTF8_Create(c->object.arena,
1.439 + nssStringType_PrintableString,
1.440 + (NSSUTF8 *)cc->emailAddr,
1.441 + PORT_Strlen(cc->emailAddr));
1.442 + }
1.443 +
1.444 + tempCert = NSSCryptoContext_FindOrImportCertificate(gCC, c);
1.445 + if (!tempCert) {
1.446 + CERT_MapStanError();
1.447 + goto loser;
1.448 + }
1.449 + /* destroy our copy */
1.450 + NSSCertificate_Destroy(c);
1.451 + /* and use the stored entry */
1.452 + c = tempCert;
1.453 + cc = STAN_GetCERTCertificateOrRelease(c);
1.454 + if (!cc) {
1.455 + /* STAN_GetCERTCertificateOrRelease destroys c on failure. */
1.456 + CERT_MapStanError();
1.457 + return NULL;
1.458 + }
1.459 +
1.460 + cc->istemp = PR_TRUE;
1.461 + cc->isperm = PR_FALSE;
1.462 + return cc;
1.463 +loser:
1.464 + /* Perhaps this should be nssCertificate_Destroy(c) */
1.465 + nssPKIObject_Destroy(&c->object);
1.466 + return NULL;
1.467 +}
1.468 +
1.469 +/* This symbol is exported for backward compatibility. */
1.470 +CERTCertificate *
1.471 +__CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
1.472 + char *nickname, PRBool isperm, PRBool copyDER)
1.473 +{
1.474 + return CERT_NewTempCertificate(handle, derCert, nickname,
1.475 + isperm, copyDER);
1.476 +}
1.477 +
1.478 +/* maybe all the wincx's should be some const for internal token login? */
1.479 +CERTCertificate *
1.480 +CERT_FindCertByIssuerAndSN(CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN)
1.481 +{
1.482 + PK11SlotInfo *slot;
1.483 + CERTCertificate *cert;
1.484 +
1.485 + cert = PK11_FindCertByIssuerAndSN(&slot,issuerAndSN,NULL);
1.486 + if (cert && slot) {
1.487 + PK11_FreeSlot(slot);
1.488 + }
1.489 +
1.490 + return cert;
1.491 +}
1.492 +
1.493 +static NSSCertificate *
1.494 +get_best_temp_or_perm(NSSCertificate *ct, NSSCertificate *cp)
1.495 +{
1.496 + NSSUsage usage;
1.497 + NSSCertificate *arr[3];
1.498 + if (!ct) {
1.499 + return nssCertificate_AddRef(cp);
1.500 + } else if (!cp) {
1.501 + return nssCertificate_AddRef(ct);
1.502 + }
1.503 + arr[0] = ct;
1.504 + arr[1] = cp;
1.505 + arr[2] = NULL;
1.506 + usage.anyUsage = PR_TRUE;
1.507 + return nssCertificateArray_FindBestCertificate(arr, NULL, &usage, NULL);
1.508 +}
1.509 +
1.510 +CERTCertificate *
1.511 +CERT_FindCertByName(CERTCertDBHandle *handle, SECItem *name)
1.512 +{
1.513 + NSSCertificate *cp, *ct, *c;
1.514 + NSSDER subject;
1.515 + NSSUsage usage;
1.516 + NSSCryptoContext *cc;
1.517 + NSSITEM_FROM_SECITEM(&subject, name);
1.518 + usage.anyUsage = PR_TRUE;
1.519 + cc = STAN_GetDefaultCryptoContext();
1.520 + ct = NSSCryptoContext_FindBestCertificateBySubject(cc, &subject,
1.521 + NULL, &usage, NULL);
1.522 + cp = NSSTrustDomain_FindBestCertificateBySubject(handle, &subject,
1.523 + NULL, &usage, NULL);
1.524 + c = get_best_temp_or_perm(ct, cp);
1.525 + if (ct) {
1.526 + CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
1.527 + }
1.528 + if (cp) {
1.529 + CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(cp));
1.530 + }
1.531 + return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
1.532 +}
1.533 +
1.534 +CERTCertificate *
1.535 +CERT_FindCertByKeyID(CERTCertDBHandle *handle, SECItem *name, SECItem *keyID)
1.536 +{
1.537 + CERTCertList *list;
1.538 + CERTCertificate *cert = NULL;
1.539 + CERTCertListNode *node, *head;
1.540 +
1.541 + list = CERT_CreateSubjectCertList(NULL,handle,name,0,PR_FALSE);
1.542 + if (list == NULL) return NULL;
1.543 +
1.544 + node = head = CERT_LIST_HEAD(list);
1.545 + if (head) {
1.546 + do {
1.547 + if (node->cert &&
1.548 + SECITEM_ItemsAreEqual(&node->cert->subjectKeyID, keyID) ) {
1.549 + cert = CERT_DupCertificate(node->cert);
1.550 + goto done;
1.551 + }
1.552 + node = CERT_LIST_NEXT(node);
1.553 + } while (node && head != node);
1.554 + }
1.555 + PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
1.556 +done:
1.557 + if (list) {
1.558 + CERT_DestroyCertList(list);
1.559 + }
1.560 + return cert;
1.561 +}
1.562 +
1.563 +CERTCertificate *
1.564 +CERT_FindCertByNickname(CERTCertDBHandle *handle, const char *nickname)
1.565 +{
1.566 + NSSCryptoContext *cc;
1.567 + NSSCertificate *c, *ct;
1.568 + CERTCertificate *cert;
1.569 + NSSUsage usage;
1.570 + usage.anyUsage = PR_TRUE;
1.571 + cc = STAN_GetDefaultCryptoContext();
1.572 + ct = NSSCryptoContext_FindBestCertificateByNickname(cc, nickname,
1.573 + NULL, &usage, NULL);
1.574 + cert = PK11_FindCertFromNickname(nickname, NULL);
1.575 + c = NULL;
1.576 + if (cert) {
1.577 + c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
1.578 + CERT_DestroyCertificate(cert);
1.579 + if (ct) {
1.580 + CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
1.581 + }
1.582 + } else {
1.583 + c = ct;
1.584 + }
1.585 + return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
1.586 +}
1.587 +
1.588 +CERTCertificate *
1.589 +CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
1.590 +{
1.591 + NSSCryptoContext *cc;
1.592 + NSSCertificate *c;
1.593 + NSSDER encoding;
1.594 + NSSITEM_FROM_SECITEM(&encoding, derCert);
1.595 + cc = STAN_GetDefaultCryptoContext();
1.596 + c = NSSCryptoContext_FindCertificateByEncodedCertificate(cc, &encoding);
1.597 + if (!c) {
1.598 + c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
1.599 + &encoding);
1.600 + if (!c) return NULL;
1.601 + }
1.602 + return STAN_GetCERTCertificateOrRelease(c);
1.603 +}
1.604 +
1.605 +static CERTCertificate *
1.606 +common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
1.607 + const char *name,
1.608 + PRBool anyUsage,
1.609 + SECCertUsage lookingForUsage)
1.610 +{
1.611 + NSSCryptoContext *cc;
1.612 + NSSCertificate *c, *ct;
1.613 + CERTCertificate *cert = NULL;
1.614 + NSSUsage usage;
1.615 + CERTCertList *certlist;
1.616 +
1.617 + if (NULL == name) {
1.618 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.619 + return NULL;
1.620 + }
1.621 +
1.622 + usage.anyUsage = anyUsage;
1.623 +
1.624 + if (!anyUsage) {
1.625 + usage.nss3lookingForCA = PR_FALSE;
1.626 + usage.nss3usage = lookingForUsage;
1.627 + }
1.628 +
1.629 + cc = STAN_GetDefaultCryptoContext();
1.630 + ct = NSSCryptoContext_FindBestCertificateByNickname(cc, name,
1.631 + NULL, &usage, NULL);
1.632 + if (!ct && PORT_Strchr(name, '@') != NULL) {
1.633 + char* lowercaseName = CERT_FixupEmailAddr(name);
1.634 + if (lowercaseName) {
1.635 + ct = NSSCryptoContext_FindBestCertificateByEmail(cc, lowercaseName,
1.636 + NULL, &usage, NULL);
1.637 + PORT_Free(lowercaseName);
1.638 + }
1.639 + }
1.640 +
1.641 + if (anyUsage) {
1.642 + cert = PK11_FindCertFromNickname(name, NULL);
1.643 + }
1.644 + else {
1.645 + if (ct) {
1.646 + /* Does ct really have the required usage? */
1.647 + nssDecodedCert *dc;
1.648 + dc = nssCertificate_GetDecoding(ct);
1.649 + if (!dc->matchUsage(dc, &usage)) {
1.650 + CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
1.651 + ct = NULL;
1.652 + }
1.653 + }
1.654 +
1.655 + certlist = PK11_FindCertsFromNickname(name, NULL);
1.656 + if (certlist) {
1.657 + SECStatus rv = CERT_FilterCertListByUsage(certlist,
1.658 + lookingForUsage,
1.659 + PR_FALSE);
1.660 + if (SECSuccess == rv &&
1.661 + !CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist)) {
1.662 + cert = CERT_DupCertificate(CERT_LIST_HEAD(certlist)->cert);
1.663 + }
1.664 + CERT_DestroyCertList(certlist);
1.665 + }
1.666 + }
1.667 +
1.668 + if (cert) {
1.669 + c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
1.670 + CERT_DestroyCertificate(cert);
1.671 + if (ct) {
1.672 + CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
1.673 + }
1.674 + } else {
1.675 + c = ct;
1.676 + }
1.677 + return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
1.678 +}
1.679 +
1.680 +CERTCertificate *
1.681 +CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name)
1.682 +{
1.683 + return common_FindCertByNicknameOrEmailAddrForUsage(handle, name,
1.684 + PR_TRUE, 0);
1.685 +}
1.686 +
1.687 +CERTCertificate *
1.688 +CERT_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
1.689 + const char *name,
1.690 + SECCertUsage lookingForUsage)
1.691 +{
1.692 + return common_FindCertByNicknameOrEmailAddrForUsage(handle, name,
1.693 + PR_FALSE,
1.694 + lookingForUsage);
1.695 +}
1.696 +
1.697 +static void
1.698 +add_to_subject_list(CERTCertList *certList, CERTCertificate *cert,
1.699 + PRBool validOnly, PRTime sorttime)
1.700 +{
1.701 + SECStatus secrv;
1.702 + if (!validOnly ||
1.703 + CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE)
1.704 + == secCertTimeValid) {
1.705 + secrv = CERT_AddCertToListSorted(certList, cert,
1.706 + CERT_SortCBValidity,
1.707 + (void *)&sorttime);
1.708 + if (secrv != SECSuccess) {
1.709 + CERT_DestroyCertificate(cert);
1.710 + }
1.711 + } else {
1.712 + CERT_DestroyCertificate(cert);
1.713 + }
1.714 +}
1.715 +
1.716 +CERTCertList *
1.717 +CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
1.718 + const SECItem *name, PRTime sorttime,
1.719 + PRBool validOnly)
1.720 +{
1.721 + NSSCryptoContext *cc;
1.722 + NSSCertificate **tSubjectCerts, **pSubjectCerts;
1.723 + NSSCertificate **ci;
1.724 + CERTCertificate *cert;
1.725 + NSSDER subject;
1.726 + PRBool myList = PR_FALSE;
1.727 + cc = STAN_GetDefaultCryptoContext();
1.728 + NSSITEM_FROM_SECITEM(&subject, name);
1.729 + /* Collect both temp and perm certs for the subject */
1.730 + tSubjectCerts = NSSCryptoContext_FindCertificatesBySubject(cc,
1.731 + &subject,
1.732 + NULL,
1.733 + 0,
1.734 + NULL);
1.735 + pSubjectCerts = NSSTrustDomain_FindCertificatesBySubject(handle,
1.736 + &subject,
1.737 + NULL,
1.738 + 0,
1.739 + NULL);
1.740 + if (!tSubjectCerts && !pSubjectCerts) {
1.741 + return NULL;
1.742 + }
1.743 + if (certList == NULL) {
1.744 + certList = CERT_NewCertList();
1.745 + myList = PR_TRUE;
1.746 + if (!certList) goto loser;
1.747 + }
1.748 + /* Iterate over the matching temp certs. Add them to the list */
1.749 + ci = tSubjectCerts;
1.750 + while (ci && *ci) {
1.751 + cert = STAN_GetCERTCertificateOrRelease(*ci);
1.752 + /* *ci may be invalid at this point, don't reference it again */
1.753 + if (cert) {
1.754 + /* NOTE: add_to_subject_list adopts the incoming cert. */
1.755 + add_to_subject_list(certList, cert, validOnly, sorttime);
1.756 + }
1.757 + ci++;
1.758 + }
1.759 + /* Iterate over the matching perm certs. Add them to the list */
1.760 + ci = pSubjectCerts;
1.761 + while (ci && *ci) {
1.762 + cert = STAN_GetCERTCertificateOrRelease(*ci);
1.763 + /* *ci may be invalid at this point, don't reference it again */
1.764 + if (cert) {
1.765 + /* NOTE: add_to_subject_list adopts the incoming cert. */
1.766 + add_to_subject_list(certList, cert, validOnly, sorttime);
1.767 + }
1.768 + ci++;
1.769 + }
1.770 + /* all the references have been adopted or freed at this point, just
1.771 + * free the arrays now */
1.772 + nss_ZFreeIf(tSubjectCerts);
1.773 + nss_ZFreeIf(pSubjectCerts);
1.774 + return certList;
1.775 +loser:
1.776 + /* need to free the references in tSubjectCerts and pSubjectCerts! */
1.777 + nssCertificateArray_Destroy(tSubjectCerts);
1.778 + nssCertificateArray_Destroy(pSubjectCerts);
1.779 + if (myList && certList != NULL) {
1.780 + CERT_DestroyCertList(certList);
1.781 + }
1.782 + return NULL;
1.783 +}
1.784 +
1.785 +void
1.786 +CERT_DestroyCertificate(CERTCertificate *cert)
1.787 +{
1.788 + if ( cert ) {
1.789 + /* don't use STAN_GetNSSCertificate because we don't want to
1.790 + * go to the trouble of translating the CERTCertificate into
1.791 + * an NSSCertificate just to destroy it. If it hasn't been done
1.792 + * yet, don't do it at all.
1.793 + */
1.794 + NSSCertificate *tmp = cert->nssCertificate;
1.795 + if (tmp) {
1.796 + /* delete the NSSCertificate */
1.797 + NSSCertificate_Destroy(tmp);
1.798 + } else if (cert->arena) {
1.799 + PORT_FreeArena(cert->arena, PR_FALSE);
1.800 + }
1.801 + }
1.802 + return;
1.803 +}
1.804 +
1.805 +int
1.806 +CERT_GetDBContentVersion(CERTCertDBHandle *handle)
1.807 +{
1.808 + /* should read the DB content version from the pkcs #11 device */
1.809 + return 0;
1.810 +}
1.811 +
1.812 +SECStatus
1.813 +certdb_SaveSingleProfile(CERTCertificate *cert, const char *emailAddr,
1.814 + SECItem *emailProfile, SECItem *profileTime)
1.815 +{
1.816 + PRTime oldtime;
1.817 + PRTime newtime;
1.818 + SECStatus rv = SECFailure;
1.819 + PRBool saveit;
1.820 + SECItem oldprof, oldproftime;
1.821 + SECItem *oldProfile = NULL;
1.822 + SECItem *oldProfileTime = NULL;
1.823 + PK11SlotInfo *slot = NULL;
1.824 + NSSCertificate *c;
1.825 + NSSCryptoContext *cc;
1.826 + nssSMIMEProfile *stanProfile = NULL;
1.827 + PRBool freeOldProfile = PR_FALSE;
1.828 +
1.829 + c = STAN_GetNSSCertificate(cert);
1.830 + if (!c) return SECFailure;
1.831 + cc = c->object.cryptoContext;
1.832 + if (cc != NULL) {
1.833 + stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
1.834 + if (stanProfile) {
1.835 + PORT_Assert(stanProfile->profileData);
1.836 + SECITEM_FROM_NSSITEM(&oldprof, stanProfile->profileData);
1.837 + oldProfile = &oldprof;
1.838 + SECITEM_FROM_NSSITEM(&oldproftime, stanProfile->profileTime);
1.839 + oldProfileTime = &oldproftime;
1.840 + }
1.841 + } else {
1.842 + oldProfile = PK11_FindSMimeProfile(&slot, (char *)emailAddr,
1.843 + &cert->derSubject, &oldProfileTime);
1.844 + freeOldProfile = PR_TRUE;
1.845 + }
1.846 +
1.847 + saveit = PR_FALSE;
1.848 +
1.849 + /* both profileTime and emailProfile have to exist or not exist */
1.850 + if ( emailProfile == NULL ) {
1.851 + profileTime = NULL;
1.852 + } else if ( profileTime == NULL ) {
1.853 + emailProfile = NULL;
1.854 + }
1.855 +
1.856 + if ( oldProfileTime == NULL ) {
1.857 + saveit = PR_TRUE;
1.858 + } else {
1.859 + /* there was already a profile for this email addr */
1.860 + if ( profileTime ) {
1.861 + /* we have an old and new profile - save whichever is more recent*/
1.862 + if ( oldProfileTime->len == 0 ) {
1.863 + /* always replace if old entry doesn't have a time */
1.864 + oldtime = LL_MININT;
1.865 + } else {
1.866 + rv = DER_UTCTimeToTime(&oldtime, oldProfileTime);
1.867 + if ( rv != SECSuccess ) {
1.868 + goto loser;
1.869 + }
1.870 + }
1.871 +
1.872 + rv = DER_UTCTimeToTime(&newtime, profileTime);
1.873 + if ( rv != SECSuccess ) {
1.874 + goto loser;
1.875 + }
1.876 +
1.877 + if ( LL_CMP(newtime, >, oldtime ) ) {
1.878 + /* this is a newer profile, save it and cert */
1.879 + saveit = PR_TRUE;
1.880 + }
1.881 + } else {
1.882 + saveit = PR_TRUE;
1.883 + }
1.884 + }
1.885 +
1.886 +
1.887 + if (saveit) {
1.888 + if (cc) {
1.889 + if (stanProfile) {
1.890 + /* stanProfile is already stored in the crypto context,
1.891 + * overwrite the data
1.892 + */
1.893 + NSSArena *arena = stanProfile->object.arena;
1.894 + stanProfile->profileTime = nssItem_Create(arena,
1.895 + NULL,
1.896 + profileTime->len,
1.897 + profileTime->data);
1.898 + stanProfile->profileData = nssItem_Create(arena,
1.899 + NULL,
1.900 + emailProfile->len,
1.901 + emailProfile->data);
1.902 + } else if (profileTime && emailProfile) {
1.903 + PRStatus nssrv;
1.904 + NSSItem profTime, profData;
1.905 + NSSITEM_FROM_SECITEM(&profTime, profileTime);
1.906 + NSSITEM_FROM_SECITEM(&profData, emailProfile);
1.907 + stanProfile = nssSMIMEProfile_Create(c, &profTime, &profData);
1.908 + if (!stanProfile) goto loser;
1.909 + nssrv = nssCryptoContext_ImportSMIMEProfile(cc, stanProfile);
1.910 + rv = (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
1.911 + }
1.912 + } else {
1.913 + rv = PK11_SaveSMimeProfile(slot, (char *)emailAddr,
1.914 + &cert->derSubject, emailProfile, profileTime);
1.915 + }
1.916 + } else {
1.917 + rv = SECSuccess;
1.918 + }
1.919 +
1.920 +loser:
1.921 + if (oldProfile && freeOldProfile) {
1.922 + SECITEM_FreeItem(oldProfile,PR_TRUE);
1.923 + }
1.924 + if (oldProfileTime && freeOldProfile) {
1.925 + SECITEM_FreeItem(oldProfileTime,PR_TRUE);
1.926 + }
1.927 + if (stanProfile) {
1.928 + nssSMIMEProfile_Destroy(stanProfile);
1.929 + }
1.930 + if (slot) {
1.931 + PK11_FreeSlot(slot);
1.932 + }
1.933 +
1.934 + return(rv);
1.935 +}
1.936 +
1.937 +/*
1.938 + *
1.939 + * Manage S/MIME profiles
1.940 + *
1.941 + */
1.942 +
1.943 +SECStatus
1.944 +CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
1.945 + SECItem *profileTime)
1.946 +{
1.947 + const char *emailAddr;
1.948 + SECStatus rv;
1.949 +
1.950 + if (!cert) {
1.951 + return SECFailure;
1.952 + }
1.953 +
1.954 + if (cert->slot && !PK11_IsInternal(cert->slot)) {
1.955 + /* this cert comes from an external source, we need to add it
1.956 + to the cert db before creating an S/MIME profile */
1.957 + PK11SlotInfo* internalslot = PK11_GetInternalKeySlot();
1.958 + if (!internalslot) {
1.959 + return SECFailure;
1.960 + }
1.961 + rv = PK11_ImportCert(internalslot, cert,
1.962 + CK_INVALID_HANDLE, NULL, PR_FALSE);
1.963 +
1.964 + PK11_FreeSlot(internalslot);
1.965 + if (rv != SECSuccess ) {
1.966 + return SECFailure;
1.967 + }
1.968 + }
1.969 +
1.970 + if (cert->slot && cert->isperm && CERT_IsUserCert(cert) &&
1.971 + (!emailProfile || !emailProfile->len)) {
1.972 + /* Don't clobber emailProfile for user certs. */
1.973 + return SECSuccess;
1.974 + }
1.975 +
1.976 + for (emailAddr = CERT_GetFirstEmailAddress(cert); emailAddr != NULL;
1.977 + emailAddr = CERT_GetNextEmailAddress(cert,emailAddr)) {
1.978 + rv = certdb_SaveSingleProfile(cert,emailAddr,emailProfile,profileTime);
1.979 + if (rv != SECSuccess) {
1.980 + return SECFailure;
1.981 + }
1.982 + }
1.983 + return SECSuccess;
1.984 +
1.985 +}
1.986 +
1.987 +
1.988 +SECItem *
1.989 +CERT_FindSMimeProfile(CERTCertificate *cert)
1.990 +{
1.991 + PK11SlotInfo *slot = NULL;
1.992 + NSSCertificate *c;
1.993 + NSSCryptoContext *cc;
1.994 + SECItem *rvItem = NULL;
1.995 +
1.996 + if (!cert || !cert->emailAddr || !cert->emailAddr[0]) {
1.997 + PORT_SetError(SEC_ERROR_INVALID_ARGS);
1.998 + return NULL;
1.999 + }
1.1000 + c = STAN_GetNSSCertificate(cert);
1.1001 + if (!c) return NULL;
1.1002 + cc = c->object.cryptoContext;
1.1003 + if (cc != NULL) {
1.1004 + nssSMIMEProfile *stanProfile;
1.1005 + stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
1.1006 + if (stanProfile) {
1.1007 + rvItem = SECITEM_AllocItem(NULL, NULL,
1.1008 + stanProfile->profileData->size);
1.1009 + if (rvItem) {
1.1010 + rvItem->data = stanProfile->profileData->data;
1.1011 + }
1.1012 + nssSMIMEProfile_Destroy(stanProfile);
1.1013 + }
1.1014 + return rvItem;
1.1015 + }
1.1016 + rvItem =
1.1017 + PK11_FindSMimeProfile(&slot, cert->emailAddr, &cert->derSubject, NULL);
1.1018 + if (slot) {
1.1019 + PK11_FreeSlot(slot);
1.1020 + }
1.1021 + return rvItem;
1.1022 +}
1.1023 +
1.1024 +/*
1.1025 + * deprecated functions that are now just stubs.
1.1026 + */
1.1027 +/*
1.1028 + * Close the database
1.1029 + */
1.1030 +void
1.1031 +__CERT_ClosePermCertDB(CERTCertDBHandle *handle)
1.1032 +{
1.1033 + PORT_Assert("CERT_ClosePermCertDB is Deprecated" == NULL);
1.1034 + return;
1.1035 +}
1.1036 +
1.1037 +SECStatus
1.1038 +CERT_OpenCertDBFilename(CERTCertDBHandle *handle, char *certdbname,
1.1039 + PRBool readOnly)
1.1040 +{
1.1041 + PORT_Assert("CERT_OpenCertDBFilename is Deprecated" == NULL);
1.1042 + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
1.1043 + return SECFailure;
1.1044 +}
1.1045 +
1.1046 +SECItem *
1.1047 +SECKEY_HashPassword(char *pw, SECItem *salt)
1.1048 +{
1.1049 + PORT_Assert("SECKEY_HashPassword is Deprecated" == NULL);
1.1050 + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
1.1051 + return NULL;
1.1052 +}
1.1053 +
1.1054 +SECStatus
1.1055 +__CERT_TraversePermCertsForSubject(CERTCertDBHandle *handle,
1.1056 + SECItem *derSubject,
1.1057 + void *cb, void *cbarg)
1.1058 +{
1.1059 + PORT_Assert("CERT_TraversePermCertsForSubject is Deprecated" == NULL);
1.1060 + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
1.1061 + return SECFailure;
1.1062 +}
1.1063 +
1.1064 +
1.1065 +SECStatus
1.1066 +__CERT_TraversePermCertsForNickname(CERTCertDBHandle *handle, char *nickname,
1.1067 + void *cb, void *cbarg)
1.1068 +{
1.1069 + PORT_Assert("CERT_TraversePermCertsForNickname is Deprecated" == NULL);
1.1070 + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
1.1071 + return SECFailure;
1.1072 +}
1.1073 +
1.1074 +
1.1075 +
