lib/dev/devutil.c
author Wan-Teh Chang <wtc@google.com>
Mon, 20 May 2013 18:41:57 -0700
changeset 10782 d197ed6c2d5a214eeef44d0de18770ceca9958fd
parent 10743 9483ef9455fe7b4ede49c938d17415edad36a4f3
child 11653 04625985b8ba79f0d182bbccebfe2d4f9d66c825
permissions -rw-r--r--
Bug 868678: SECITEM_DupArray should allow |from| to be an empty SECItemArray. Fix coding style nits. r=kaie.

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef DEVM_H
#include "devm.h"
#endif /* DEVM_H */

#ifndef CKHELPER_H
#include "ckhelper.h"
#endif /* CKHELPER_H */

NSS_IMPLEMENT nssCryptokiObject *
nssCryptokiObject_Create (
  NSSToken *t, 
  nssSession *session,
  CK_OBJECT_HANDLE h
)
{
    PRStatus status;
    NSSSlot *slot;
    nssCryptokiObject *object;
    CK_BBOOL *isTokenObject;
    CK_ATTRIBUTE cert_template[] = {
	{ CKA_TOKEN, NULL, 0 },
	{ CKA_LABEL, NULL, 0 }
    };
    slot = nssToken_GetSlot(t);
    status = nssCKObject_GetAttributes(h, cert_template, 2,
                                       NULL, session, slot);
    nssSlot_Destroy(slot);
    if (status != PR_SUCCESS) {
	/* a failure here indicates a device error */
	return (nssCryptokiObject *)NULL;
    }
    object = nss_ZNEW(NULL, nssCryptokiObject);
    if (!object) {
	return (nssCryptokiObject *)NULL;
    }
    object->handle = h;
    object->token = nssToken_AddRef(t);
    isTokenObject = (CK_BBOOL *)cert_template[0].pValue;
    object->isTokenObject = *isTokenObject;
    nss_ZFreeIf(isTokenObject);
    NSS_CK_ATTRIBUTE_TO_UTF8(&cert_template[1], object->label);
    return object;
}

NSS_IMPLEMENT void
nssCryptokiObject_Destroy (
  nssCryptokiObject *object
)
{
    if (object) {
	nssToken_Destroy(object->token);
	nss_ZFreeIf(object->label);
	nss_ZFreeIf(object);
    }
}

NSS_IMPLEMENT nssCryptokiObject *
nssCryptokiObject_Clone (
  nssCryptokiObject *object
)
{
    nssCryptokiObject *rvObject;
    rvObject = nss_ZNEW(NULL, nssCryptokiObject);
    if (rvObject) {
	rvObject->handle = object->handle;
	rvObject->token = nssToken_AddRef(object->token);
	rvObject->isTokenObject = object->isTokenObject;
	if (object->label) {
	    rvObject->label = nssUTF8_Duplicate(object->label, NULL);
	}
    }
    return rvObject;
}

NSS_EXTERN PRBool
nssCryptokiObject_Equal (
  nssCryptokiObject *o1,
  nssCryptokiObject *o2
)
{
    return (o1->token == o2->token && o1->handle == o2->handle);
}

NSS_IMPLEMENT PRUint32
nssPKCS11String_Length(CK_CHAR *pkcs11Str, PRUint32 bufLen)
{
    PRInt32 i;
    for (i = bufLen - 1; i>=0; ) {
	if (pkcs11Str[i] != ' ' && pkcs11Str[i] != '\0') break;
	--i;
    }
    return (PRUint32)(i + 1);
}

/*
 * Slot arrays
 */

NSS_IMPLEMENT NSSSlot **
nssSlotArray_Clone (
  NSSSlot **slots
)
{
    NSSSlot **rvSlots = NULL;
    NSSSlot **sp = slots;
    PRUint32 count = 0;
    while (sp && *sp) count++;
    if (count > 0) {
	rvSlots = nss_ZNEWARRAY(NULL, NSSSlot *, count + 1);
	if (rvSlots) {
	    for (sp = slots, count = 0; *sp; sp++) {
		rvSlots[count++] = nssSlot_AddRef(*sp);
	    }
	}
    }
    return rvSlots;
}

NSS_IMPLEMENT void
nssSlotArray_Destroy (
  NSSSlot **slots
)
{
    if (slots) {
	NSSSlot **slotp;
	for (slotp = slots; *slotp; slotp++) {
	    nssSlot_Destroy(*slotp);
	}
	nss_ZFreeIf(slots);
    }
}

NSS_IMPLEMENT void
NSSSlotArray_Destroy (
  NSSSlot **slots
)
{
    nssSlotArray_Destroy(slots);
}

NSS_IMPLEMENT void
nssTokenArray_Destroy (
  NSSToken **tokens
)
{
    if (tokens) {
	NSSToken **tokenp;
	for (tokenp = tokens; *tokenp; tokenp++) {
	    nssToken_Destroy(*tokenp);
	}
	nss_ZFreeIf(tokens);
    }
}

NSS_IMPLEMENT void
NSSTokenArray_Destroy (
  NSSToken **tokens
)
{
    nssTokenArray_Destroy(tokens);
}

NSS_IMPLEMENT void
nssCryptokiObjectArray_Destroy (
  nssCryptokiObject **objects
)
{
    if (objects) {
	nssCryptokiObject **op;
	for (op = objects; *op; op++) {
	    nssCryptokiObject_Destroy(*op);
	}
	nss_ZFreeIf(objects);
    }
}

/* object cache for token */

typedef struct
{
  NSSArena *arena;
  nssCryptokiObject *object;
  CK_ATTRIBUTE_PTR attributes;
  CK_ULONG numAttributes;
}
nssCryptokiObjectAndAttributes;

enum {
  cachedCerts = 0,
  cachedTrust = 1,
  cachedCRLs = 2
} cachedObjectType;

struct nssTokenObjectCacheStr
{
  NSSToken *token;
  PZLock *lock;
  PRBool loggedIn;
  PRBool doObjectType[3];
  PRBool searchedObjectType[3];
  nssCryptokiObjectAndAttributes **objects[3];
};

NSS_IMPLEMENT nssTokenObjectCache *
nssTokenObjectCache_Create (
  NSSToken *token,
  PRBool cacheCerts,
  PRBool cacheTrust,
  PRBool cacheCRLs
)
{
    nssTokenObjectCache *rvCache;
    rvCache = nss_ZNEW(NULL, nssTokenObjectCache);
    if (!rvCache) {
	goto loser;
    }
    rvCache->lock = PZ_NewLock(nssILockOther); /* XXX */
    if (!rvCache->lock) {
	goto loser;
    }
    rvCache->doObjectType[cachedCerts] = cacheCerts;
    rvCache->doObjectType[cachedTrust] = cacheTrust;
    rvCache->doObjectType[cachedCRLs] = cacheCRLs;
    rvCache->token = token; /* cache goes away with token */
    return rvCache;
loser:
    nssTokenObjectCache_Destroy(rvCache);
    return (nssTokenObjectCache *)NULL;
}

static void
clear_cache (
  nssTokenObjectCache *cache
)
{
    nssCryptokiObjectAndAttributes **oa;
    PRUint32 objectType;
    for (objectType = cachedCerts; objectType <= cachedCRLs; objectType++) {
	cache->searchedObjectType[objectType] = PR_FALSE;
	if (!cache->objects[objectType]) {
	    continue;
	}
	for (oa = cache->objects[objectType]; *oa; oa++) {
	    /* prevent the token from being destroyed */
	    (*oa)->object->token = NULL;
	    nssCryptokiObject_Destroy((*oa)->object);
	    nssArena_Destroy((*oa)->arena);
	}
	nss_ZFreeIf(cache->objects[objectType]);
	cache->objects[objectType] = NULL;
    }
}

NSS_IMPLEMENT void
nssTokenObjectCache_Clear (
  nssTokenObjectCache *cache
)
{
    if (cache) {
	PZ_Lock(cache->lock);
	clear_cache(cache);
	PZ_Unlock(cache->lock);
    }
}

NSS_IMPLEMENT void
nssTokenObjectCache_Destroy (
  nssTokenObjectCache *cache
)
{
    if (cache) {
	clear_cache(cache);
	if (cache->lock) {
	    PZ_DestroyLock(cache->lock);
	}
	nss_ZFreeIf(cache);
    }
}

NSS_IMPLEMENT PRBool
nssTokenObjectCache_HaveObjectClass (
  nssTokenObjectCache *cache,
  CK_OBJECT_CLASS objclass
)
{
    PRBool haveIt;
    PZ_Lock(cache->lock);
    switch (objclass) {
    case CKO_CERTIFICATE:    haveIt = cache->doObjectType[cachedCerts]; break;
    case CKO_NETSCAPE_TRUST: haveIt = cache->doObjectType[cachedTrust]; break;
    case CKO_NETSCAPE_CRL:   haveIt = cache->doObjectType[cachedCRLs];  break;
    default:                 haveIt = PR_FALSE;
    }
    PZ_Unlock(cache->lock);
    return haveIt;
}

static nssCryptokiObjectAndAttributes **
create_object_array (
  nssCryptokiObject **objects,
  PRBool *doObjects,
  PRUint32 *numObjects,
  PRStatus *status
)
{
    nssCryptokiObjectAndAttributes **rvOandA = NULL;
    *numObjects = 0;
    /* There are no objects for this type */
    if (!objects || !*objects) {
	*status = PR_SUCCESS;
	return rvOandA;
    }
    while (*objects++) (*numObjects)++;
    if (*numObjects >= MAX_LOCAL_CACHE_OBJECTS) {
	/* Hit the maximum allowed, so don't use a cache (there are
	 * too many objects to make caching worthwhile, presumably, if
	 * the token can handle that many objects, it can handle searching.
	 */
	*doObjects = PR_FALSE;
	*status = PR_FAILURE;
	*numObjects = 0;
    } else {
	rvOandA = nss_ZNEWARRAY(NULL, 
	                        nssCryptokiObjectAndAttributes *, 
	                        *numObjects + 1);
	*status = rvOandA ? PR_SUCCESS : PR_FAILURE;
    }
    return rvOandA;
}

static nssCryptokiObjectAndAttributes *
create_object (
  nssCryptokiObject *object,
  const CK_ATTRIBUTE_TYPE *types,
  PRUint32 numTypes,
  PRStatus *status
)
{
    PRUint32 j;
    NSSArena *arena = NULL;
    NSSSlot *slot = NULL;
    nssSession *session = NULL;
    nssCryptokiObjectAndAttributes *rvCachedObject = NULL;

    slot = nssToken_GetSlot(object->token);
    if (!slot) {
        nss_SetError(NSS_ERROR_INVALID_POINTER);
        goto loser;
    }
    session = nssToken_GetDefaultSession(object->token);
    if (!session) {
        nss_SetError(NSS_ERROR_INVALID_POINTER);
        goto loser;
    }
    arena = nssArena_Create();
    if (!arena) {
	goto loser;
    }
    rvCachedObject = nss_ZNEW(arena, nssCryptokiObjectAndAttributes);
    if (!rvCachedObject) {
	goto loser;
    }
    rvCachedObject->arena = arena;
    /* The cache is tied to the token, and therefore the objects
     * in it should not hold references to the token.
     */
    nssToken_Destroy(object->token);
    rvCachedObject->object = object;
    rvCachedObject->attributes = nss_ZNEWARRAY(arena, CK_ATTRIBUTE, numTypes);
    if (!rvCachedObject->attributes) {
	goto loser;
    }
    for (j=0; j<numTypes; j++) {
	rvCachedObject->attributes[j].type = types[j];
    }
    *status = nssCKObject_GetAttributes(object->handle,
                                        rvCachedObject->attributes,
                                        numTypes,
                                        arena,
                                        session,
                                        slot);
    if (*status != PR_SUCCESS) {
	goto loser;
    }
    rvCachedObject->numAttributes = numTypes;
    *status = PR_SUCCESS;
    nssSlot_Destroy(slot);

    return rvCachedObject;
loser:
    *status = PR_FAILURE;
    if (slot) {
	nssSlot_Destroy(slot);
    }
    if (arena)
	nssArena_Destroy(arena);
    return (nssCryptokiObjectAndAttributes *)NULL;
}

/*
 *
 * State diagram for cache:
 *
 *            token !present            token removed
 *        +-------------------------+<----------------------+
 *        |                         ^                       |
 *        v                         |                       |
 *  +----------+   slot friendly    |  token present   +----------+ 
 *  |   cache  | -----------------> % ---------------> |   cache  |
 *  | unloaded |                                       |  loaded  |
 *  +----------+                                       +----------+
 *    ^   |                                                 ^   |
 *    |   |   slot !friendly           slot logged in       |   |
 *    |   +-----------------------> % ----------------------+   |
 *    |                             |                           |
 *    | slot logged out             v  slot !friendly           |
 *    +-----------------------------+<--------------------------+
 *
 */

/* This function must not be called with cache->lock locked. */
static PRBool
token_is_present (
  nssTokenObjectCache *cache
)
{
    NSSSlot *slot = nssToken_GetSlot(cache->token);
    PRBool tokenPresent = nssSlot_IsTokenPresent(slot);
    nssSlot_Destroy(slot);
    return tokenPresent;
}

static PRBool
search_for_objects (
  nssTokenObjectCache *cache
)
{
    PRBool doSearch = PR_FALSE;
    NSSSlot *slot = nssToken_GetSlot(cache->token);
    /* Handle non-friendly slots (slots which require login for objects) */
    if (!nssSlot_IsFriendly(slot)) {
	if (nssSlot_IsLoggedIn(slot)) {
	    /* Either no state change, or went from !logged in -> logged in */
	    cache->loggedIn = PR_TRUE;
	    doSearch = PR_TRUE;
	} else {
	    if (cache->loggedIn) {
		/* went from logged in -> !logged in, destroy cached objects */
		clear_cache(cache);
		cache->loggedIn = PR_FALSE;
	    } /* else no state change, still not logged in, so exit */
	}
    } else {
	/* slot is friendly, thus always available for search */
	doSearch = PR_TRUE;
    }
    nssSlot_Destroy(slot);
    return doSearch;
}

static nssCryptokiObjectAndAttributes *
create_cert (
  nssCryptokiObject *object,
  PRStatus *status
)
{
    static const CK_ATTRIBUTE_TYPE certAttr[] = {
	CKA_CLASS,
	CKA_TOKEN,
	CKA_LABEL,
	CKA_CERTIFICATE_TYPE,
	CKA_ID,
	CKA_VALUE,
	CKA_ISSUER,
	CKA_SERIAL_NUMBER,
	CKA_SUBJECT,
	CKA_NETSCAPE_EMAIL
    };
    static const PRUint32 numCertAttr = sizeof(certAttr) / sizeof(certAttr[0]);
    return create_object(object, certAttr, numCertAttr, status);
}

static nssCryptokiObjectAndAttributes *
create_trust (
  nssCryptokiObject *object,
  PRStatus *status
)
{
    static const CK_ATTRIBUTE_TYPE trustAttr[] = {
	CKA_CLASS,
	CKA_TOKEN,
	CKA_LABEL,
	CKA_CERT_SHA1_HASH,
	CKA_CERT_MD5_HASH,
	CKA_ISSUER,
	CKA_SUBJECT,
	CKA_TRUST_SERVER_AUTH,
	CKA_TRUST_CLIENT_AUTH,
	CKA_TRUST_EMAIL_PROTECTION,
	CKA_TRUST_CODE_SIGNING
    };
    static const PRUint32 numTrustAttr = sizeof(trustAttr) / sizeof(trustAttr[0]);
    return create_object(object, trustAttr, numTrustAttr, status);
}

static nssCryptokiObjectAndAttributes *
create_crl (
  nssCryptokiObject *object,
  PRStatus *status
)
{
    static const CK_ATTRIBUTE_TYPE crlAttr[] = {
	CKA_CLASS,
	CKA_TOKEN,
	CKA_LABEL,
	CKA_VALUE,
	CKA_SUBJECT,
	CKA_NETSCAPE_KRL,
	CKA_NETSCAPE_URL
    };
    static const PRUint32 numCRLAttr = sizeof(crlAttr) / sizeof(crlAttr[0]);
    return create_object(object, crlAttr, numCRLAttr, status);
}

/* Dispatch to the create function for the object type */
static nssCryptokiObjectAndAttributes *
create_object_of_type (
  nssCryptokiObject *object,
  PRUint32 objectType,
  PRStatus *status
)
{
    if (objectType == cachedCerts) {
	return create_cert(object, status);
    }
    if (objectType == cachedTrust) {
	return create_trust(object, status);
    }
    if (objectType == cachedCRLs) {
	return create_crl(object, status);
    }
    return (nssCryptokiObjectAndAttributes *)NULL;
}

static PRStatus
get_token_objects_for_cache (
  nssTokenObjectCache *cache,
  PRUint32 objectType,
  CK_OBJECT_CLASS objclass
)
{
    PRStatus status;
    nssCryptokiObject **objects;
    PRBool *doIt = &cache->doObjectType[objectType];
    PRUint32 i, numObjects;

    if (!search_for_objects(cache) || 
         cache->searchedObjectType[objectType] || 
        !cache->doObjectType[objectType]) 
    {
	/* Either there was a state change that prevents a search
	 * (token logged out), or the search was already done,
	 * or objects of this type are not being cached.
	 */
	return PR_SUCCESS;
    }
    objects = nssToken_FindObjects(cache->token, NULL, objclass,
                                   nssTokenSearchType_TokenForced,
                                   MAX_LOCAL_CACHE_OBJECTS, &status);
    if (status != PR_SUCCESS) {
	return status;
    }
    cache->objects[objectType] = create_object_array(objects,
                                                     doIt,
                                                     &numObjects,
                                                     &status);
    if (status != PR_SUCCESS) {
	return status;
    }
    for (i=0; i<numObjects; i++) {
	cache->objects[objectType][i] = create_object_of_type(objects[i],
	                                                      objectType,
	                                                      &status);
	if (status != PR_SUCCESS) {
	    break;
	}
    }
    if (status == PR_SUCCESS) {
	nss_ZFreeIf(objects);
    } else {
	PRUint32 j;
	for (j=0; j<i; j++) {
	    /* sigh */
	    nssToken_AddRef(cache->objects[objectType][j]->object->token);
	    nssArena_Destroy(cache->objects[objectType][j]->arena);
	}
	nss_ZFreeIf(cache->objects[objectType]);
	cache->objects[objectType] = NULL;
	nssCryptokiObjectArray_Destroy(objects);
    }
    cache->searchedObjectType[objectType] = PR_TRUE;
    return status;
}

static CK_ATTRIBUTE_PTR
find_attribute_in_object (
  nssCryptokiObjectAndAttributes *obj,
  CK_ATTRIBUTE_TYPE attrType
)
{
    PRUint32 j;
    for (j=0; j<obj->numAttributes; j++) {
	if (attrType == obj->attributes[j].type) {
	    return &obj->attributes[j];
	}
    }
    return (CK_ATTRIBUTE_PTR)NULL;
}

/* Find all objects in the array that match the supplied template */
static nssCryptokiObject **
find_objects_in_array (
  nssCryptokiObjectAndAttributes **objArray,
  CK_ATTRIBUTE_PTR ot,
  CK_ULONG otlen,
  PRUint32 maximumOpt
)
{
    PRIntn oi = 0;
    PRUint32 i;
    NSSArena *arena;
    PRUint32 size = 8;
    PRUint32 numMatches = 0;
    nssCryptokiObject **objects = NULL;
    nssCryptokiObjectAndAttributes **matches = NULL;
    CK_ATTRIBUTE_PTR attr;

    if (!objArray) {
	return (nssCryptokiObject **)NULL;
    }
    arena = nssArena_Create();
    if (!arena) {
	return (nssCryptokiObject **)NULL;
    }
    matches = nss_ZNEWARRAY(arena, nssCryptokiObjectAndAttributes *, size);
    if (!matches) {
	goto loser;
    }
    if (maximumOpt == 0) maximumOpt = ~0;
    /* loop over the cached objects */
    for (; *objArray && numMatches < maximumOpt; objArray++) {
	nssCryptokiObjectAndAttributes *obj = *objArray;
	/* loop over the test template */
	for (i=0; i<otlen; i++) {
	    /* see if the object has the attribute */
	    attr = find_attribute_in_object(obj, ot[i].type);
	    if (!attr) {
		/* nope, match failed */
		break;
	    }
	    /* compare the attribute against the test value */
	    if (ot[i].ulValueLen != attr->ulValueLen ||
	        !nsslibc_memequal(ot[i].pValue, 
	                          attr->pValue,
	                          attr->ulValueLen, NULL))
	    {
		/* nope, match failed */
		break;
	    }
	}
	if (i == otlen) {
	    /* all of the attributes in the test template were found
	     * in the object's template, and they all matched
	     */
	    matches[numMatches++] = obj;
	    if (numMatches == size) {
		size *= 2;
		matches = nss_ZREALLOCARRAY(matches, 
		                            nssCryptokiObjectAndAttributes *, 
		                            size);
		if (!matches) {
		    goto loser;
		}
	    }
	}
    }
    if (numMatches > 0) {
	objects = nss_ZNEWARRAY(NULL, nssCryptokiObject *, numMatches + 1);
	if (!objects) {
	    goto loser;
	}
	for (oi=0; oi<(PRIntn)numMatches; oi++) {
	    objects[oi] = nssCryptokiObject_Clone(matches[oi]->object);
	    if (!objects[oi]) {
		goto loser;
	    }
	}
    }
    nssArena_Destroy(arena);
    return objects;
loser:
    nssCryptokiObjectArray_Destroy(objects);
    nssArena_Destroy(arena);
    return (nssCryptokiObject **)NULL;
}

NSS_IMPLEMENT nssCryptokiObject **
nssTokenObjectCache_FindObjectsByTemplate (
  nssTokenObjectCache *cache,
  CK_OBJECT_CLASS objclass,
  CK_ATTRIBUTE_PTR otemplate,
  CK_ULONG otlen,
  PRUint32 maximumOpt,
  PRStatus *statusOpt
)
{
    PRStatus status = PR_FAILURE;
    nssCryptokiObject **rvObjects = NULL;
    PRUint32 objectType;
    if (!token_is_present(cache)) {
	status = PR_SUCCESS;
	goto finish;
    }
    switch (objclass) {
    case CKO_CERTIFICATE:    objectType = cachedCerts; break;
    case CKO_NETSCAPE_TRUST: objectType = cachedTrust; break;
    case CKO_NETSCAPE_CRL:   objectType = cachedCRLs;  break;
    default: goto finish;
    }
    PZ_Lock(cache->lock);
    if (cache->doObjectType[objectType]) {
	status = get_token_objects_for_cache(cache, objectType, objclass);
	if (status == PR_SUCCESS) {
	    rvObjects = find_objects_in_array(cache->objects[objectType], 
	                                      otemplate, otlen, maximumOpt);
	}
    }
    PZ_Unlock(cache->lock);
finish:
    if (statusOpt) {
	*statusOpt = status;
    }
    return rvObjects;
}

static PRBool
cache_available_for_object_type (
  nssTokenObjectCache *cache,
  PRUint32 objectType
)
{
    if (!cache->doObjectType[objectType]) {
	/* not caching this object kind */
	return PR_FALSE;
    }
    if (!cache->searchedObjectType[objectType]) {
	/* objects are not cached yet */
	return PR_FALSE;
    }
    if (!search_for_objects(cache)) {
	/* not logged in */
	return PR_FALSE;
    }
    return PR_TRUE;
}

NSS_IMPLEMENT PRStatus
nssTokenObjectCache_GetObjectAttributes (
  nssTokenObjectCache *cache,
  NSSArena *arenaOpt,
  nssCryptokiObject *object,
  CK_OBJECT_CLASS objclass,
  CK_ATTRIBUTE_PTR atemplate,
  CK_ULONG atlen
)
{
    PRUint32 i, j;
    NSSArena *arena = NULL;
    nssArenaMark *mark = NULL;
    nssCryptokiObjectAndAttributes *cachedOA = NULL;
    nssCryptokiObjectAndAttributes **oa = NULL;
    PRUint32 objectType;
    if (!token_is_present(cache)) {
	return PR_FAILURE;
    }
    PZ_Lock(cache->lock);
    switch (objclass) {
    case CKO_CERTIFICATE:    objectType = cachedCerts; break;
    case CKO_NETSCAPE_TRUST: objectType = cachedTrust; break;
    case CKO_NETSCAPE_CRL:   objectType = cachedCRLs;  break;
    default: goto loser;
    }
    if (!cache_available_for_object_type(cache, objectType)) {
	goto loser;
    }
    oa = cache->objects[objectType];
    if (!oa) {
	goto loser;
    }
    for (; *oa; oa++) {
	if (nssCryptokiObject_Equal((*oa)->object, object)) {
	    cachedOA = *oa;
	    break;
	}
    }
    if (!cachedOA) {
	goto loser; /* don't have this object */
    }
    if (arenaOpt) {
	arena = arenaOpt;
	mark = nssArena_Mark(arena);
    }
    for (i=0; i<atlen; i++) {
	for (j=0; j<cachedOA->numAttributes; j++) {
	    if (atemplate[i].type == cachedOA->attributes[j].type) {
		CK_ATTRIBUTE_PTR attr = &cachedOA->attributes[j];
		if (cachedOA->attributes[j].ulValueLen == 0 ||
		    cachedOA->attributes[j].ulValueLen == (CK_ULONG)-1) 
		{
		    break; /* invalid attribute */
		}
		if (atemplate[i].ulValueLen > 0) {
		    if (atemplate[i].pValue == NULL ||
		        atemplate[i].ulValueLen < attr->ulValueLen) 
		    {
			goto loser;
		    }
		} else {
		    atemplate[i].pValue = nss_ZAlloc(arena, attr->ulValueLen);
		    if (!atemplate[i].pValue) {
			goto loser;
		    }
		}
		nsslibc_memcpy(atemplate[i].pValue,
		               attr->pValue, attr->ulValueLen);
		atemplate[i].ulValueLen = attr->ulValueLen;
		break;
	    }
	}
	if (j == cachedOA->numAttributes) {
	    atemplate[i].ulValueLen = (CK_ULONG)-1;
	}
    }
    PZ_Unlock(cache->lock);
    if (mark) {
	nssArena_Unmark(arena, mark);
    }
    return PR_SUCCESS;
loser:
    PZ_Unlock(cache->lock);
    if (mark) {
	nssArena_Release(arena, mark);
    }
    return PR_FAILURE;
}

NSS_IMPLEMENT PRStatus
nssTokenObjectCache_ImportObject (
  nssTokenObjectCache *cache,
  nssCryptokiObject *object,
  CK_OBJECT_CLASS objclass,
  CK_ATTRIBUTE_PTR ot,
  CK_ULONG otlen
)
{
    PRStatus status = PR_SUCCESS;
    PRUint32 count;
    nssCryptokiObjectAndAttributes **oa, ***otype;
    PRUint32 objectType;
    PRBool haveIt = PR_FALSE;

    if (!token_is_present(cache)) {
	return PR_SUCCESS; /* cache not active, ignored */
    }
    PZ_Lock(cache->lock);
    switch (objclass) {
    case CKO_CERTIFICATE:    objectType = cachedCerts; break;
    case CKO_NETSCAPE_TRUST: objectType = cachedTrust; break;
    case CKO_NETSCAPE_CRL:   objectType = cachedCRLs;  break;
    default:
	PZ_Unlock(cache->lock);
	return PR_SUCCESS; /* don't need to import it here */
    }
    if (!cache_available_for_object_type(cache, objectType)) {
	PZ_Unlock(cache->lock);
	return PR_SUCCESS; /* cache not active, ignored */
    }
    count = 0;
    otype = &cache->objects[objectType]; /* index into array of types */
    oa = *otype; /* the array of objects for this type */
    while (oa && *oa) {
	if (nssCryptokiObject_Equal((*oa)->object, object)) {
	    haveIt = PR_TRUE;
	    break;
	}
	count++;
	oa++;
    }
    if (haveIt) {
	/* Destroy the old entry */
	(*oa)->object->token = NULL;
	nssCryptokiObject_Destroy((*oa)->object);
	nssArena_Destroy((*oa)->arena);
    } else {
	/* Create space for a new entry */
	if (count > 0) {
	    *otype = nss_ZREALLOCARRAY(*otype,
	                               nssCryptokiObjectAndAttributes *, 
	                               count + 2);
	} else {
	    *otype = nss_ZNEWARRAY(NULL, nssCryptokiObjectAndAttributes *, 2);
	}
    }
    if (*otype) {
	nssCryptokiObject *copyObject = nssCryptokiObject_Clone(object);
	(*otype)[count] = create_object_of_type(copyObject, objectType,
	                                        &status);
    } else {
	status = PR_FAILURE;
    }
    PZ_Unlock(cache->lock);
    return status;
}

NSS_IMPLEMENT void
nssTokenObjectCache_RemoveObject (
  nssTokenObjectCache *cache,
  nssCryptokiObject *object
)
{
    PRUint32 oType;
    nssCryptokiObjectAndAttributes **oa, **swp = NULL;
    if (!token_is_present(cache)) {
	return;
    }
    PZ_Lock(cache->lock);
    for (oType=0; oType<3; oType++) {
	if (!cache_available_for_object_type(cache, oType) ||
	    !cache->objects[oType])
	{
	    continue;
	}
	for (oa = cache->objects[oType]; *oa; oa++) {
	    if (nssCryptokiObject_Equal((*oa)->object, object)) {
		swp = oa; /* the entry to remove */
		while (oa[1]) oa++; /* go to the tail */
		(*swp)->object->token = NULL;
		nssCryptokiObject_Destroy((*swp)->object);
		nssArena_Destroy((*swp)->arena); /* destroy it */
		*swp = *oa; /* swap the last with the removed */
		*oa = NULL; /* null-terminate the array */
		break;
	    }
	}
	if (swp) {
	    break;
	}
    }
    if ((oType <3) &&
		cache->objects[oType] && cache->objects[oType][0] == NULL) {
	nss_ZFreeIf(cache->objects[oType]); /* no entries remaining */
	cache->objects[oType] = NULL;
    }
    PZ_Unlock(cache->lock);
}

/* These two hash algorithms are presently sufficient.
** They are used for fingerprints of certs which are stored as the 
** CKA_CERT_SHA1_HASH and CKA_CERT_MD5_HASH attributes.
** We don't need to add SHAxxx to these now.
*/
/* XXX of course this doesn't belong here */
NSS_IMPLEMENT NSSAlgorithmAndParameters *
NSSAlgorithmAndParameters_CreateSHA1Digest (
  NSSArena *arenaOpt
)
{
    NSSAlgorithmAndParameters *rvAP = NULL;
    rvAP = nss_ZNEW(arenaOpt, NSSAlgorithmAndParameters);
    if (rvAP) {
	rvAP->mechanism.mechanism = CKM_SHA_1;
	rvAP->mechanism.pParameter = NULL;
	rvAP->mechanism.ulParameterLen = 0;
    }
    return rvAP;
}

NSS_IMPLEMENT NSSAlgorithmAndParameters *
NSSAlgorithmAndParameters_CreateMD5Digest (
  NSSArena *arenaOpt
)
{
    NSSAlgorithmAndParameters *rvAP = NULL;
    rvAP = nss_ZNEW(arenaOpt, NSSAlgorithmAndParameters);
    if (rvAP) {
	rvAP->mechanism.mechanism = CKM_MD5;
	rvAP->mechanism.pParameter = NULL;
	rvAP->mechanism.ulParameterLen = 0;
    }
    return rvAP;
}