NSS_IMPLEMENT NSSTrust *
nssTrust_Create (
nssPKIObject *object,
NSSItem *certData
)
{
PRStatus status;
PRUint32 i;
PRUint32 lastTrustOrder, myTrustOrder;
unsigned char sha1_hashcmp[SHA1_LENGTH];
unsigned char sha1_hashin[SHA1_LENGTH];
NSSItem sha1_hash;
NSSTrust *rvt;
nssCryptokiObject *instance;
nssTrustLevel serverAuth, clientAuth, codeSigning, emailProtection;
SECStatus rv; /* Should be stan flavor */
PRBool stepUp;
lastTrustOrder = 1<<16; /* just make it big */
PR_ASSERT(object->instances != NULL && object->numInstances > 0);
rvt = nss_ZNEW(object->arena, NSSTrust);
if (!rvt) {
return (NSSTrust *)NULL;
}
rvt->object = *object;
/* should be stan flavor of Hashbuf */
rv = PK11_HashBuf(SEC_OID_SHA1,sha1_hashcmp,certData->data,certData->size);
if (rv != SECSuccess) {
return (NSSTrust *)NULL;
}
sha1_hash.data = sha1_hashin;
sha1_hash.size = sizeof (sha1_hashin);
/* trust has to peek into the base object members */
nssPKIObject_Lock(object);
for (i=0; i<object->numInstances; i++) {
instance = object->instances[i];
myTrustOrder = nssToken_GetTrustOrder(instance->token);
status = nssCryptokiTrust_GetAttributes(instance, NULL,
&sha1_hash,
&serverAuth,
&clientAuth,
&codeSigning,
&emailProtection,
&stepUp);
if (status != PR_SUCCESS) {
nssPKIObject_Unlock(object);
return (NSSTrust *)NULL;
}
if (PORT_Memcmp(sha1_hashin,sha1_hashcmp,SHA1_LENGTH) != 0) {
nssPKIObject_Unlock(object);
return (NSSTrust *)NULL;
}
if (rvt->serverAuth == nssTrustLevel_Unknown ||
myTrustOrder < lastTrustOrder)
{
rvt->serverAuth = serverAuth;
}
if (rvt->clientAuth == nssTrustLevel_Unknown ||
myTrustOrder < lastTrustOrder)
{
rvt->clientAuth = clientAuth;
}
if (rvt->emailProtection == nssTrustLevel_Unknown ||
myTrustOrder < lastTrustOrder)
{
rvt->emailProtection = emailProtection;
}
if (rvt->codeSigning == nssTrustLevel_Unknown ||
myTrustOrder < lastTrustOrder)
{
rvt->codeSigning = codeSigning;
}
rvt->stepUpApproved = stepUp;
lastTrustOrder = myTrustOrder;
}
nssPKIObject_Unlock(object);
return rvt;
}
NSS_IMPLEMENT NSSTrust *
nssTrust_Create (
nssPKIObject *object,
NSSItem *certData
)
{
PRStatus status;
PRUint32 i;
PRUint32 lastTrustOrder, myTrustOrder;
unsigned char sha1_hashcmp[SHA1_LENGTH];
unsigned char sha1_hashin[SHA1_LENGTH];
NSSItem sha1_hash;
NSSTrust *rvt;
nssCryptokiObject *instance;
nssTrustLevel serverAuth, clientAuth, codeSigning, emailProtection;
SECStatus rv; /* Should be stan flavor */
PRBool stepUp;
lastTrustOrder = 1<<16; /* just make it big */
PR_ASSERT(object->instances != NULL && object->numInstances > 0);
rvt = nss_ZNEW(object->arena, NSSTrust);
if (!rvt) {
return (NSSTrust *)NULL;
}
rvt->object = *object;
/* should be stan flavor of Hashbuf */
rv = PK11_HashBuf(SEC_OID_SHA1,sha1_hashcmp,certData->data,certData->size);
if (rv != SECSuccess) {
return (NSSTrust *)NULL;
}
sha1_hash.data = sha1_hashin;
sha1_hash.size = sizeof (sha1_hashin);
/* trust has to peek into the base object members */
nssPKIObject_Lock(object);
for (i=0; i<object->numInstances; i++) {
instance = object->instances[i];
myTrustOrder = nssToken_GetTrustOrder(instance->token);
status = nssCryptokiTrust_GetAttributes(instance, NULL,
&sha1_hash,
&serverAuth,
&clientAuth,
&codeSigning,
&emailProtection,
&stepUp);
if (status != PR_SUCCESS) {
nssPKIObject_Unlock(object);
return (NSSTrust *)NULL;
}
/* if no hash is specified, then trust applies to all certs with
* this issuer/SN. NOTE: This is only true for entries that
* have distrust and unknown record */
if (!(
/* we continue if there is no hash, and the trust type is
* safe to accept without a hash ... or ... */
((sha1_hash.size == 0) &&
nssTrust_IsSafeToIgnoreCertHash(serverAuth,clientAuth,
codeSigning, emailProtection,stepUp))
||
/* we have a hash of the correct size, and it matches */
((sha1_hash.size == SHA1_LENGTH) && (PORT_Memcmp(sha1_hashin,
sha1_hashcmp,SHA1_LENGTH) == 0)) )) {
nssPKIObject_Unlock(object);
return (NSSTrust *)NULL;
}
if (rvt->serverAuth == nssTrustLevel_Unknown ||
myTrustOrder < lastTrustOrder)
{
rvt->serverAuth = serverAuth;
}
if (rvt->clientAuth == nssTrustLevel_Unknown ||
myTrustOrder < lastTrustOrder)
{
rvt->clientAuth = clientAuth;
}
if (rvt->emailProtection == nssTrustLevel_Unknown ||
myTrustOrder < lastTrustOrder)
{
rvt->emailProtection = emailProtection;
}
if (rvt->codeSigning == nssTrustLevel_Unknown ||
myTrustOrder < lastTrustOrder)
{
rvt->codeSigning = codeSigning;
}
rvt->stepUpApproved = stepUp;
lastTrustOrder = myTrustOrder;
}
nssPKIObject_Unlock(object);
return rvt;
}
