mfind.c - This C code implements a function to find objects…

/security/nss/lib/ckfw/nssmkey/mfind.c

http://github.com/zpao/v8monkey · C · 404 lines · 292 code · 46 blank · 66 comment · 54 complexity · 455191a3fede912ffdae164876b7d919 MD5 · raw file

/* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 * for the specific language governing rights and limitations under the
 * License.
 *
 * The Original Code is the Netscape security libraries.
 *
 * The Initial Developer of the Original Code is
 * Netscape Communications Corporation.
 * Portions created by the Initial Developer are Copyright (C) 1994-2000
 * the Initial Developer. All Rights Reserved.
 * Portions created by Red Hat, Inc, are Copyright (C) 2005
 *
 * Contributor(s):
 *   Bob Relyea (rrelyea@redhat.com)
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either the GNU General Public License Version 2 or later (the "GPL"), or
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 * in which case the provisions of the GPL or the LGPL are applicable instead
 * of those above. If you wish to allow use of your version of this file only
 * under the terms of either the GPL or the LGPL, and not to allow others to
 * use your version of this file under the terms of the MPL, indicate your
 * decision by deleting the provisions above and replace them with the notice
 * and other provisions required by the GPL or the LGPL. If you do not delete
 * the provisions above, a recipient may use your version of this file under
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: mfind.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $";
#endif /* DEBUG */

#ifndef CKMK_H
#include "ckmk.h"
#endif /* CKMK_H */

/*
 * nssmkey/mfind.c
 *
 * This file implements the NSSCKMDFindObjects object for the
 * "nssmkey" cryptoki module.
 */

struct ckmkFOStr {
  NSSArena *arena;
  CK_ULONG n;
  CK_ULONG i;
  ckmkInternalObject **objs;
};

static void
ckmk_mdFindObjects_Final
(
  NSSCKMDFindObjects *mdFindObjects,
  NSSCKFWFindObjects *fwFindObjects,
  NSSCKMDSession *mdSession,
  NSSCKFWSession *fwSession,
  NSSCKMDToken *mdToken,
  NSSCKFWToken *fwToken,
  NSSCKMDInstance *mdInstance,
  NSSCKFWInstance *fwInstance
)
{
  struct ckmkFOStr *fo = (struct ckmkFOStr *)mdFindObjects->etc;
  NSSArena *arena = fo->arena;
  PRUint32 i;

  /* walk down an free the unused 'objs' */
  for (i=fo->i; i < fo->n ; i++) {
    nss_ckmk_DestroyInternalObject(fo->objs[i]);
  }

  nss_ZFreeIf(fo->objs);
  nss_ZFreeIf(fo);
  nss_ZFreeIf(mdFindObjects);
  if ((NSSArena *)NULL != arena) {
    NSSArena_Destroy(arena);
  }

  return;
}

static NSSCKMDObject *
ckmk_mdFindObjects_Next
(
  NSSCKMDFindObjects *mdFindObjects,
  NSSCKFWFindObjects *fwFindObjects,
  NSSCKMDSession *mdSession,
  NSSCKFWSession *fwSession,
  NSSCKMDToken *mdToken,
  NSSCKFWToken *fwToken,
  NSSCKMDInstance *mdInstance,
  NSSCKFWInstance *fwInstance,
  NSSArena *arena,
  CK_RV *pError
)
{
  struct ckmkFOStr *fo = (struct ckmkFOStr *)mdFindObjects->etc;
  ckmkInternalObject *io;

  if( fo->i == fo->n ) {
    *pError = CKR_OK;
    return (NSSCKMDObject *)NULL;
  }

  io = fo->objs[ fo->i ];
  fo->i++;

  return nss_ckmk_CreateMDObject(arena, io, pError);
}

static CK_BBOOL
ckmk_attrmatch
(
  CK_ATTRIBUTE_PTR a,
  ckmkInternalObject *o
)
{
  PRBool prb;
  const NSSItem *b;
  CK_RV error;

  b = nss_ckmk_FetchAttribute(o, a->type,  &error);
  if (b == NULL) {
    return CK_FALSE;
  }

  if( a->ulValueLen != b->size ) {
    /* match a decoded serial number */
    if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
	int len;
	unsigned char *data;

	data = nss_ckmk_DERUnwrap(b->data, b->size, &len, NULL);
	if ((len == a->ulValueLen) && 
		nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) {
	    return CK_TRUE;
	}
    }
    return CK_FALSE;
  }

  prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);

  if( PR_TRUE == prb ) {
    return CK_TRUE;
  } else {
    return CK_FALSE;
  }
}


static CK_BBOOL
ckmk_match
(
  CK_ATTRIBUTE_PTR pTemplate,
  CK_ULONG ulAttributeCount,
  ckmkInternalObject *o
)
{
  CK_ULONG i;

  for( i = 0; i < ulAttributeCount; i++ ) {
    if (CK_FALSE == ckmk_attrmatch(&pTemplate[i], o)) {
      return CK_FALSE;
    }
  }

  /* Every attribute passed */
  return CK_TRUE;
}

#define CKMK_ITEM_CHUNK  20

#define PUT_OBJECT(obj, err, size, count, list) \
  { \
    if (count >= size) { \
    (list) = (list) ? \
		nss_ZREALLOCARRAY(list, ckmkInternalObject *, \
		               ((size)+CKMK_ITEM_CHUNK) ) : \
		nss_ZNEWARRAY(NULL, ckmkInternalObject *, \
		               ((size)+CKMK_ITEM_CHUNK) ) ; \
      if ((ckmkInternalObject **)NULL == list) { \
        err = CKR_HOST_MEMORY; \
        goto loser; \
      } \
      (size) += CKMK_ITEM_CHUNK; \
    } \
    (list)[ count ] = (obj); \
    count++; \
  }


/* find all the certs that represent the appropriate object (cert, priv key, or
 *  pub key) in the cert store.
 */
static PRUint32
collect_class(
  CK_OBJECT_CLASS objClass,
  SecItemClass itemClass,
  CK_ATTRIBUTE_PTR pTemplate, 
  CK_ULONG ulAttributeCount, 
  ckmkInternalObject ***listp,
  PRUint32 *sizep,
  PRUint32 count,
  CK_RV *pError
)
{
  ckmkInternalObject *next = NULL;
  SecKeychainSearchRef searchRef = 0;
  SecKeychainItemRef itemRef = 0;
  OSStatus error;

  /* future, build the attribute list based on the template
   * so we can refine the search */
  error = SecKeychainSearchCreateFromAttributes( 
		NULL, itemClass, NULL, &searchRef);

  while (noErr == SecKeychainSearchCopyNext(searchRef, &itemRef)) {
    /* if we don't have an internal object structure, get one */
    if ((ckmkInternalObject *)NULL == next) {
      next = nss_ZNEW(NULL, ckmkInternalObject);
      if ((ckmkInternalObject *)NULL == next) {
        *pError = CKR_HOST_MEMORY;
        goto loser;
      }
    }
    /* fill in the relevant object data */
    next->type = ckmkItem;
    next->objClass = objClass;
    next->u.item.itemRef = itemRef;
    next->u.item.itemClass = itemClass;

    /* see if this is one of the objects we are looking for */
    if( CK_TRUE == ckmk_match(pTemplate, ulAttributeCount, next) ) {
      /* yes, put it on the list */
      PUT_OBJECT(next, *pError, *sizep, count, *listp);
      next = NULL; /* this one is on the list, need to allocate a new one now */
    } else {
      /* no , release the current item and clear out the structure for reuse */
      CFRelease(itemRef);
      /* don't cache the values we just loaded */
      nsslibc_memset(next, 0, sizeof(*next));
    }
  }
loser:
  if (searchRef) {
    CFRelease(searchRef);
  }
  nss_ZFreeIf(next);
  return count;
}

static PRUint32
collect_objects(
  CK_ATTRIBUTE_PTR pTemplate, 
  CK_ULONG ulAttributeCount, 
  ckmkInternalObject ***listp,
  CK_RV *pError
)
{
  PRUint32 i;
  PRUint32 count = 0;
  PRUint32 size = 0;
  CK_OBJECT_CLASS objClass;

  /*
   * first handle the static build in objects (if any)
   */
  for( i = 0; i < nss_ckmk_nObjects; i++ ) {
    ckmkInternalObject *o = (ckmkInternalObject *)&nss_ckmk_data[i];

    if( CK_TRUE == ckmk_match(pTemplate, ulAttributeCount, o) ) {
      PUT_OBJECT(o, *pError, size, count, *listp);
    }
  }

  /*
   * now handle the various object types
   */
  objClass = nss_ckmk_GetULongAttribute(CKA_CLASS, 
		pTemplate, ulAttributeCount, pError);
  if (CKR_OK != *pError) {
    objClass = CK_INVALID_HANDLE;
  }
  *pError = CKR_OK;
  switch (objClass) {
  case CKO_CERTIFICATE:
    count = collect_class(objClass, kSecCertificateItemClass,
                              pTemplate, ulAttributeCount, listp, 
                              &size, count, pError);
    break;
  case CKO_PUBLIC_KEY:
    count = collect_class(objClass,  CSSM_DL_DB_RECORD_PUBLIC_KEY,
                              pTemplate, ulAttributeCount, listp, 
                              &size, count, pError);
    break;
  case CKO_PRIVATE_KEY:
    count = collect_class(objClass,  CSSM_DL_DB_RECORD_PRIVATE_KEY,
                              pTemplate, ulAttributeCount, listp, 
                              &size, count, pError);
    break;
  /* all of them */
  case CK_INVALID_HANDLE:
    count = collect_class(CKO_CERTIFICATE, kSecCertificateItemClass,
                              pTemplate, ulAttributeCount, listp, 
                              &size, count, pError);
    count = collect_class(CKO_PUBLIC_KEY,  CSSM_DL_DB_RECORD_PUBLIC_KEY,
                              pTemplate, ulAttributeCount, listp, 
                              &size, count, pError);
    count = collect_class(CKO_PUBLIC_KEY,  CSSM_DL_DB_RECORD_PRIVATE_KEY,
                              pTemplate, ulAttributeCount, listp, 
                              &size, count, pError);
    break;
  default:
    break;
  }
  if (CKR_OK != *pError) {
    goto loser;
  }

  return count;
loser:
  nss_ZFreeIf(*listp);
  return 0;
}


NSS_IMPLEMENT NSSCKMDFindObjects *
nss_ckmk_FindObjectsInit
(
  NSSCKFWSession *fwSession,
  CK_ATTRIBUTE_PTR pTemplate,
  CK_ULONG ulAttributeCount,
  CK_RV *pError
)
{
  /* This could be made more efficient.  I'm rather rushed. */
  NSSArena *arena;
  NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
  struct ckmkFOStr *fo = (struct ckmkFOStr *)NULL;
  ckmkInternalObject **temp = (ckmkInternalObject **)NULL;

  arena = NSSArena_Create();
  if( (NSSArena *)NULL == arena ) {
    goto loser;
  }

  rv = nss_ZNEW(arena, NSSCKMDFindObjects);
  if( (NSSCKMDFindObjects *)NULL == rv ) {
    *pError = CKR_HOST_MEMORY;
    goto loser;
  }

  fo = nss_ZNEW(arena, struct ckmkFOStr);
  if( (struct ckmkFOStr *)NULL == fo ) {
    *pError = CKR_HOST_MEMORY;
    goto loser;
  }

  fo->arena = arena;
  /* fo->n and fo->i are already zero */

  rv->etc = (void *)fo;
  rv->Final = ckmk_mdFindObjects_Final;
  rv->Next = ckmk_mdFindObjects_Next;
  rv->null = (void *)NULL;

  fo->n = collect_objects(pTemplate, ulAttributeCount, &temp, pError);
  if (*pError != CKR_OK) {
    goto loser;
  }

  fo->objs = nss_ZNEWARRAY(arena, ckmkInternalObject *, fo->n);
  if( (ckmkInternalObject **)NULL == fo->objs ) {
    *pError = CKR_HOST_MEMORY;
    goto loser;
  }

  (void)nsslibc_memcpy(fo->objs, temp, sizeof(ckmkInternalObject *) * fo->n);
  nss_ZFreeIf(temp);
  temp = (ckmkInternalObject **)NULL;

  return rv;

 loser:
  nss_ZFreeIf(temp);
  nss_ZFreeIf(fo);
  nss_ZFreeIf(rv);
  if ((NSSArena *)NULL != arena) {
     NSSArena_Destroy(arena);
  }
  return (NSSCKMDFindObjects *)NULL;
}
Summary ✨

This C code implements a function to find objects based on a template, similar to the CKMFindObjects API in the Cryptographic Toolkit (PKCS#11). It takes an attribute template and returns a list of matching objects, which can be certificates, public keys, or private keys. The function uses a custom data structure called NSSCKMDFindObjects to manage the search results.
Alerts (4)

Complexity hotspot; line 139 (total complexity: 3)
139
Complexity hotspot; line 144 (total complexity: 3)
144
Complexity hotspot; lines 172 to 173 (total complexity: 3)
172 173