@fcelda
Created June 12, 2012 11:50
Patch for Mozilla NSS PEM module adding support for custom certificate nicknames.
diff -uNPrp nss-3.13.4.orig/mozilla/security/nss/lib/ckfw/pem/ckpem.h nss-3.13.4/mozilla/security/nss/lib/ckfw/pem/ckpem.h
--- nss-3.13.4.orig/mozilla/security/nss/lib/ckfw/pem/ckpem.h 2012-04-02 18:27:20.000000000 +0200
+++ nss-3.13.4/mozilla/security/nss/lib/ckfw/pem/ckpem.h 2012-06-12 12:24:28.289901209 +0200
@@ -243,9 +243,11 @@ PRBool pem_ParseString(const char* input
PRInt32* numStrings, char*** returnedstrings);
PRBool pem_FreeParsedStrings(PRInt32 numStrings, char** instrings);
+char * pem_ObjectNickname(char *filename, char *certname);
+
pemInternalObject *
AddObjectIfNeeded(CK_OBJECT_CLASS objClass, pemObjectType type,
- SECItem *certDER, SECItem *keyDER, char *filename, int objid,
+ SECItem *certDER, SECItem *keyDER, const char *nickname, int objid,
CK_SLOT_ID slotID);
void pem_DestroyInternalObject (pemInternalObject *io);
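Review bot: The new prototype `char * pem_ObjectNickname(char *filename, char *certname);` says nothing about ownership, yet every caller in this patch frees `certname` or `filename` after using the result, so a reader needs to know the return value aliases an argument and must not be freed. A comment above it such as `/* Returns certname if set, else the basename of filename (NULL if both are NULL). The result points into the argument; it is not allocated. */` would carry that. Since the function only reads its arguments, `const char *` parameters would also fit the new `const char *nickname` on `AddObjectIfNeeded`. It would also help to state on `AddObjectIfNeeded` that for `CKO_PRIVATE_KEY` the caller is expected to pass the full file path as the nickname, which is what the pinst.c and pobject.c call sites in this patch do and what the removed in-function logic used to guarantee.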
diff -uNPrp nss-3.13.4.orig/mozilla/security/nss/lib/ckfw/pem/pinst.c nss-3.13.4/mozilla/security/nss/lib/ckfw/pem/pinst.c
--- nss-3.13.4.orig/mozilla/security/nss/lib/ckfw/pem/pinst.c 2012-04-02 18:27:20.000000000 +0200
+++ nss-3.13.4/mozilla/security/nss/lib/ckfw/pem/pinst.c 2012-06-12 11:00:38.075787540 +0200
@@ -177,10 +177,28 @@ GetCertFields(unsigned char *cert, int c
return SECSuccess;
}
+char *
+pem_ObjectNickname(char *filename, char *certname)
+{
+ char *nickname = NULL;
+
+ if (certname) {
+ nickname = certname;
+ } else if (filename) {
+ nickname = strrchr(filename, '/');
+ if (nickname)
+ nickname++;
+ else
+ nickname = filename;
+ }
+
+ return nickname;
+}
+
static pemInternalObject *
CreateObject(CK_OBJECT_CLASS objClass,
pemObjectType type, SECItem * certDER,
- SECItem * keyDER, char *filename,
+ SECItem * keyDER, const char *nickname,
int objid, CK_SLOT_ID slotID)
{
pemInternalObject *o;
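Review bot: `pem_ObjectNickname` accepts an empty `certname` as the nickname, so a template that supplies an empty CKA_VALUE string yields an object with an empty nickname instead of falling back to the file name; `if (certname && *certname) {` would give the fallback without changing any other case. When both arguments are NULL the function returns NULL, and `CreateObject` (whose body continues past this hunk) passes that straight into `plog("Creating cert nick %s ...")`; the old `strrchr(filename, '/')` would have crashed on a NULL filename too, so this is not a regression, but an explicit `if (nickname == NULL) return NULL;` at the top of `CreateObject` would make the contract visible instead of relying on the logger. Both parameters are only read, so they could be `const char *`.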
@@ -191,7 +209,6 @@ CreateObject(CK_OBJECT_CLASS objClass,
SECItem valid;
SECItem subjkey;
char id[16];
- char *nickname;
int len;
o = nss_ZNEW(NULL, pemInternalObject);
@@ -199,12 +216,6 @@ CreateObject(CK_OBJECT_CLASS objClass,
return NULL;
}
- nickname = strrchr(filename, '/');
- if (nickname)
- nickname++;
- else
- nickname = filename;
-
switch (objClass) {
case CKO_CERTIFICATE:
plog("Creating cert nick %s id %d in slot %ld\n", nickname, objid, slotID);
@@ -213,7 +224,6 @@ CreateObject(CK_OBJECT_CLASS objClass,
case CKO_PRIVATE_KEY:
plog("Creating key id %d in slot %ld\n", objid, slotID);
memset(&o->u.key, 0, sizeof(o->u.key));
- nickname = filename;
break;
case CKO_NETSCAPE_TRUST:
plog("Creating trust nick %s id %d in slot %ld\n", nickname, objid, slotID);
@@ -312,18 +322,11 @@ fail:
pemInternalObject *
AddObjectIfNeeded(CK_OBJECT_CLASS objClass,
pemObjectType type, SECItem * certDER,
- SECItem * keyDER, char *filename,
+ SECItem * keyDER, const char *nickname,
int objid, CK_SLOT_ID slotID)
{
int i;
- /* FIXME: copy-pasted from CreateObject */
- const char *nickname = strrchr(filename, '/');
- if (nickname && CKO_PRIVATE_KEY != objClass)
- nickname++;
- else
- nickname = filename;
-
/* first look for the object in gobj, it might be already there */
for (i = 0; i < pem_nobjs; i++) {
if (NULL == gobj[i])
@@ -346,7 +349,7 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla
/* object not found, we need to create it */
pemInternalObject *io = CreateObject(objClass, type, certDER, keyDER,
- filename, objid, slotID);
+ nickname, objid, slotID);
if (io == NULL)
return NULL;
@@ -385,6 +388,7 @@ AddCertificate(char *certfile, char *key
int nobjs = 0;
SECItem **objs = NULL;
char *ivstring = NULL;
+ char *nickname;
int cipher;
nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
@@ -393,16 +397,18 @@ AddCertificate(char *certfile, char *key
return CKR_GENERAL_ERROR;
}
+ nickname = pem_ObjectNickname(certfile, NULL);
+
/* For now load as many certs as are in the file for CAs only */
if (cacert) {
for (i = 0; i < nobjs; i++) {
- char nickname[1024];
+ char nicknameCA[1024];
objid = pem_nobjs + 1;
- snprintf(nickname, 1024, "%s - %d", certfile, i);
+ snprintf(nicknameCA, 1024, "%s - %d", nickname, i);
o = AddObjectIfNeeded(CKO_CERTIFICATE, pemCert, objs[i], NULL,
- nickname, 0, slotID);
+ nicknameCA, 0, slotID);
if (o == NULL) {
error = CKR_GENERAL_ERROR;
goto loser;
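Review bot: `nicknameCA` is the only mixed-case local in a function where every other identifier (`certfile`, `ivstring`, `nickname`, `nobjs`, `objid`) is lowercase; `canickname` or `ca_nickname` would read as part of the same code. The same name is introduced in the `@@ -1120,19 +1126,21 @@ pem_CreateObject` hunk of pobject.c. The new `nickname` local is never written through after `nickname = pem_ObjectNickname(certfile, NULL);`, so declaring it `const char *nickname;` would match the `const char *` parameter it is passed to.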
@@ -410,7 +416,7 @@ AddCertificate(char *certfile, char *key
/* Add the CA trust object */
o = AddObjectIfNeeded(CKO_NETSCAPE_TRUST, pemTrust, objs[i], NULL,
- nickname, 0, slotID);
+ nicknameCA, 0, slotID);
if (o == NULL) {
error = CKR_GENERAL_ERROR;
goto loser;
@@ -418,7 +424,7 @@ AddCertificate(char *certfile, char *key
} /* for */
} else {
objid = pem_nobjs + 1;
- o = AddObjectIfNeeded(CKO_CERTIFICATE, pemCert, objs[0], NULL, certfile,
+ o = AddObjectIfNeeded(CKO_CERTIFICATE, pemCert, objs[0], NULL, nickname,
objid, slotID);
if (o == NULL) {
error = CKR_GENERAL_ERROR;
@@ -437,8 +443,9 @@ AddCertificate(char *certfile, char *key
error = CKR_GENERAL_ERROR;
goto loser;
}
+ /* keyfile used as a nickname for private keys */
o = AddObjectIfNeeded(CKO_PRIVATE_KEY, pemBareKey, objs[0],
- keyobjs[0], certfile, objid, slotID);
+ keyobjs[0], keyfile, objid, slotID);
if (o == NULL) {
error = CKR_GENERAL_ERROR;
goto loser;
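Review bot: The private key is now registered under `keyfile` where the old call passed `certfile`, so the key's nickname becomes the key file path rather than the certificate file path; the added comment says what is passed but not that this is a change. If the lookup loop in `AddObjectIfNeeded` (`for (i = 0; i < pem_nobjs; i++)`, outside this hunk) matches existing objects by nickname, a key already loaded under the certificate path in an earlier run of the same process would be created again rather than found. If the change is intended, say so in the comment, e.g. `/* the key file path is the private key's nickname (previously the cert file path) */`, and mention it in the gist description; note the pobject.c path in this same patch still passes `filename` for the key, so the two loaders now name keys differently unless `filename` there is already the key file.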
diff -uNPrp nss-3.13.4.orig/mozilla/security/nss/lib/ckfw/pem/pobject.c nss-3.13.4/mozilla/security/nss/lib/ckfw/pem/pobject.c
--- nss-3.13.4.orig/mozilla/security/nss/lib/ckfw/pem/pobject.c 2012-04-02 18:27:20.000000000 +0200
+++ nss-3.13.4/mozilla/security/nss/lib/ckfw/pem/pobject.c 2012-06-12 11:09:40.238009579 +0200
@@ -1039,6 +1039,7 @@ pem_CreateObject
CK_SLOT_ID slotID;
CK_BBOOL cacert;
char *filename;
+ char *certname;
SECItem **derlist = NULL;
int nobjs = 0;
int i;
@@ -1092,6 +1093,9 @@ pem_CreateObject
return (NSSCKMDObject *) NULL;
}
+ certname = pem_GetStringAttribute(CKA_VALUE, pTemplate,
+ ulAttributeCount, pError);
+
#ifdef notdef
if (objClass == CKO_PUBLIC_KEY) {
return CKR_OK; /* fake public key creation, happens as a side effect of
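Review bot: `certname = pem_GetStringAttribute(CKA_VALUE, pTemplate, ulAttributeCount, pError);` is the same call used for the mandatory filename above, but here the attribute is optional and the result is never examined; if that helper reports a missing attribute through `*pError`, the common no-nickname case leaves an error code set while the function goes on to return a valid object. Reset `*pError` after the call when `certname` is NULL, or use a lookup that does not set an error for an absent attribute. CKA_VALUE is the attribute PKCS#11 uses for an object's value (a certificate's DER), while a nickname is conventionally carried in CKA_LABEL, so a comment explaining why CKA_VALUE was chosen would stop the next reader from treating the string as certificate data. `certname` is freed in the last hunk of this file right after `filename`, so the nickname derived from it has the same lifetime the filename-derived one always had; that is safe only if `CreateObject` copies the nickname into the object, which this patch does not show.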
@@ -1102,6 +1106,7 @@ pem_CreateObject
listObj = nss_ZNEW(NULL, pemInternalObject);
if (NULL == listObj) {
nss_ZFreeIf(filename);
+ nss_ZFreeIf(certname);
return NULL;
}
@@ -1109,6 +1114,7 @@ pem_CreateObject
if (NULL == listItem) {
nss_ZFreeIf(listObj);
nss_ZFreeIf(filename);
+ nss_ZFreeIf(certname);
return NULL;
}
@@ -1120,19 +1126,21 @@ pem_CreateObject
/* We're just adding a cert, we'll assume the key is next */
objid = pem_nobjs + 1;
+ char *nickname = pem_ObjectNickname(filename, certname);
+
if (cacert) {
/* Add the certificate. There may be more than one */
int c;
for (c = 0; c < nobjs; c++) {
- char nickname[1024];
+ char nicknameCA[1024];
objid = pem_nobjs + 1;
- snprintf(nickname, 1024, "%s - %d", filename, c);
+ snprintf(nicknameCA, 1024, "%s - %d", nickname, c);
if (c)
APPEND_LIST_ITEM(listItem);
listItem->io = AddObjectIfNeeded(CKO_CERTIFICATE, pemCert,
- derlist[c], NULL, nickname, 0,
+ derlist[c], NULL, nicknameCA, 0,
slotID);
if (listItem->io == NULL)
goto loser;
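Review bot: `char *nickname = pem_ObjectNickname(filename, certname);` is a declaration after a statement (`objid = pem_nobjs + 1;` precedes it), which the rest of `pem_CreateObject` avoids: `filename`, `certname`, `derlist` and `nobjs` are declared at the top of the function and even the loop's `int c;` sits at the top of its block. Mixed declarations are C99 and NSS of this era is built with compilers that reject them, so move `char *nickname;` up next to `char *certname;` in the first hunk of this file and leave only `nickname = pem_ObjectNickname(filename, certname);` here. The enclosing function starts and ends outside this hunk.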
@@ -1140,14 +1148,14 @@ pem_CreateObject
/* Add the trust object */
APPEND_LIST_ITEM(listItem);
listItem->io = AddObjectIfNeeded(CKO_NETSCAPE_TRUST, pemTrust,
- derlist[c], NULL, nickname, 0,
+ derlist[c], NULL, nicknameCA, 0,
slotID);
if (listItem->io == NULL)
goto loser;
}
} else {
listItem->io = AddObjectIfNeeded(CKO_CERTIFICATE, pemCert,
- derlist[0], NULL, filename, objid,
+ derlist[0], NULL, nickname, objid,
slotID);
if (listItem->io == NULL)
goto loser;
@@ -1184,6 +1192,7 @@ pem_CreateObject
if (objid == -1)
objid = pem_nobjs + 1;
+ /* filename used as a nickname for private key */
listItem->io = AddObjectIfNeeded(CKO_PRIVATE_KEY, pemBareKey, &certDER,
derlist[0], filename, objid, slotID);
if (listItem->io == NULL)
@@ -1223,6 +1232,7 @@ pem_CreateObject
free(derlist[i]);
}
nss_ZFreeIf(filename);
+ nss_ZFreeIf(certname);
nss_ZFreeIf(derlist);
if ((pemInternalObject *) NULL == listItem->io) {
pem_DestroyInternalObject(listObj);