Uprev NSS to 3.18 RTM

nss/lib/pk11wrap/pk11cert.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * This file manages PKCS #11 instances of certificates.
  */
 
 #include "secport.h"
 #include "seccomon.h"
 #include "secmod.h"
@@ skipping 275 matching lines @@
  * Build an CERTCertificate structure from a PKCS#11 object ID.... certID
  * Must be a CertObject. This code does not explicitly checks that.
  */
 CERTCertificate *
 PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID,
                                                 CK_ATTRIBUTE *privateLabel)
 {
     char * nickname = NULL;
     CERTCertificate *cert = NULL;
     CERTCertTrust *trust;
-    PRBool isFortezzaRootCA = PR_FALSE;
-    PRBool swapNickname = PR_FALSE;
 
     cert = pk11_fastCert(slot,certID,privateLabel, &nickname);
     if (cert == NULL) 
         goto loser;
-        
+
     if (nickname) {
         if (cert->nickname != NULL) {
             cert->dbnickname = cert->nickname;
         } 
         cert->nickname = PORT_ArenaStrdup(cert->arena,nickname);
         PORT_Free(nickname);
         nickname = NULL;
-        swapNickname = PR_TRUE;
     }
 
     /* remember where this cert came from.... If we have just looked
      * it up from the database and it already has a slot, don't add a new
      * one. */
     if (cert->slot == NULL) {
         cert->slot = PK11_ReferenceSlot(slot);
         cert->pkcs11ID = certID;
         cert->ownSlot = PR_TRUE;
         cert->series = slot->series;
@@ skipping 15 matching lines @@
              * valid CA's which are self-signed here. They must have an object
              * ID of '0'.  */ 
             if (pk11_isID0(slot,certID) && 
                 cert->isRoot) {
                 trustflags |= CERTDB_TRUSTED_CA;
                 /* is the slot a fortezza card? allow the user or
                  * admin to turn on objectSigning, but don't turn
                  * full trust on explicitly */
                 if (PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) {
                     trust->objectSigningFlags |= CERTDB_VALID_CA;
-                    isFortezzaRootCA = PR_TRUE;
                 }
             }
             if ((type & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
                 trust->sslFlags |= trustflags;
             }
             if ((type & NS_CERT_TYPE_EMAIL_CA) == NS_CERT_TYPE_EMAIL_CA) {
                 trust->emailFlags |= trustflags;
             }
             if ((type & NS_CERT_TYPE_OBJECT_SIGNING_CA) 
                                         == NS_CERT_TYPE_OBJECT_SIGNING_CA) {
@@ skipping 618 matching lines @@
         c->object.cryptoContext = NULL;
         cert->istemp = PR_FALSE;
         cert->isperm = PR_TRUE;
     }
 
     /* add the new instance to the cert, force an update of the
      * CERTCertificate, and finish
      */
     nssPKIObject_AddInstance(&c->object, certobj);
     /* nssTrustDomain_AddCertsToCache may release a reference to 'c' and
-     * replace 'c' by a different value. So we add a reference to 'c' to
+     * replace 'c' with a different value. So we add a reference to 'c' to
      * prevent 'c' from being destroyed. */
     nssCertificate_AddRef(c);
     nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
-    /* XXX should we pass the original value of 'c' to
-     * STAN_ForceCERTCertificateUpdate? */
     (void)STAN_ForceCERTCertificateUpdate(c);
     nssCertificate_Destroy(c);
     SECITEM_FreeItem(keyID,PR_TRUE);
     return SECSuccess;
 loser:
     CERT_MapStanError();
     SECITEM_FreeItem(keyID,PR_TRUE);
     if (PORT_GetError() != SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
         PORT_SetError(SEC_ERROR_ADDING_CERT);
     }
@@ skipping 1147 matching lines @@
     return PK11_FindCertFromDERCertItem(slot, &cert->derCert, wincx);
 }
 
 CERTCertificate *
 PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, const SECItem *inDerCert,
                                                                  void *wincx)
 
 {
     NSSDER derCert;
     NSSToken *tok;
-    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
     nssCryptokiObject *co = NULL;
     SECStatus rv;
 
     tok = PK11Slot_GetNSSToken(slot);
     NSSITEM_FROM_SECITEM(&derCert, inDerCert);
     rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
     if (rv != SECSuccess) {
         PK11_FreeSlot(slot);
         return NULL;
     }
@@ skipping 513 matching lines @@
     }
     if (!found) {
         PK11_FreeSlotList(slotList);
         PORT_SetError(SEC_ERROR_NO_TOKEN);
         slotList = NULL;
     }
 
     nssCryptokiObjectArray_Destroy(instances);
     return slotList;
 }
+
+/*
+ * Using __PK11_SetCertificateNickname is *DANGEROUS*.
+ *
+ * The API will update the NSS database, but it *will NOT* update the in-memory data.
+ * As a result, after calling this API, there will be INCONSISTENCY between
+ * in-memory data and the database.
+ *
+ * Use of the API should be limited to short-lived tools, which will exit immediately
+ * after using this API.
+ *
+ * If you ignore this warning, your process is TAINTED and will most likely misbehave.
+ */
+SECStatus
+__PK11_SetCertificateNickname(CERTCertificate *cert, const char *nickname)
+{
+    /* Can't set nickname of temp cert. */
+    if (!cert->slot || cert->pkcs11ID == CK_INVALID_HANDLE) {
+        return SEC_ERROR_INVALID_ARGS;
+    }
+    return PK11_SetObjectNickname(cert->slot, cert->pkcs11ID, nickname);
+}