Bug 1227795 - Add NSS_DISABLE_LIBPKIX to allow compiling without libpkix, r=franziskus,wtc
--- a/cmd/manifest.mn
+++ b/cmd/manifest.mn
@@ -53,17 +53,16 @@ NSS_SRCDIRS = \
p7content \
p7env \
p7sign \
p7verify \
pk12util \
pk11gcmtest \
pk11mode \
pk1sign \
- pkix-errcodes \
pp \
pwdecrypt \
rsaperf \
sdrtest \
selfserv \
signtool \
signver \
smimetools \
@@ -71,16 +70,23 @@ NSS_SRCDIRS = \
strsclnt \
symkeyutil \
tests \
tstclnt \
vfychain \
vfyserv \
modutil \
$(NULL)
+
+ifndef NSS_DISABLE_LIBPKIX
+NSS_SRCDIRS += \
+ pkix-errcodes \
+ $(NULL)
+endif
+
endif
endif
DIRS = \
$(LIB_SRCDIRS) \
$(SOFTOKEN_SRCDIRS) \
$(NSS_SRCDIRS)
--- a/cmd/platlibs.mk
+++ b/cmd/platlibs.mk
@@ -46,31 +46,33 @@ else
CRYPTOLIB=$(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
SOFTOKENLIB=
EXTRA_SHARED_LIBS += \
-L$(SOFTOKEN_LIB_DIR) \
-lsoftokn3 \
$(NULL)
endif
+ifndef NSS_DISABLE_LIBPKIX
ifndef NSS_BUILD_SOFTOKEN_ONLY
PKIXLIB = \
$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixpki.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX)
endif
+endif
NSS_LIBS_1=
SECTOOL_LIB=
NSS_LIBS_2=
NSS_LIBS_3=
NSS_LIBS_4=
ifneq ($(NSS_BUILD_UTIL_ONLY),1)
--- a/coreconf/config.mk
+++ b/coreconf/config.mk
@@ -157,16 +157,20 @@ endif
ifdef NSS_ALLOW_UNSUPPORTED_CRITICAL
DEFINES += -DNSS_ALLOW_UNSUPPORTED_CRITICAL
endif
ifdef BUILD_LIBPKIX_TESTS
DEFINES += -DBUILD_LIBPKIX_TESTS
endif
+ifdef NSS_DISABLE_LIBPKIX
+DEFINES += -DNSS_DISABLE_LIBPKIX
+endif
+
ifdef NSS_DISABLE_DBM
DEFINES += -DNSS_DISABLE_DBM
endif
ifdef NSS_DISABLE_CHACHAPOLY
DEFINES += -DNSS_DISABLE_CHACHAPOLY
endif
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -45,16 +45,20 @@ endif
ifndef NSS_DISABLE_DBM
DBM_SRCDIR = dbm # Add the dbm directory to DIRS.
endif
ifeq ($(NSS_BUILD_UTIL_ONLY),1)
SYSINIT_SRCDIR=
endif
+ifndef NSS_DISABLE_LIBPKIX
+LIBPKIX_SRCDIR = libpkix # Add the libpkix directory to DIRS.
+endif
+
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
# (6) Execute "component" rules. (OPTIONAL) #
--- a/lib/certhigh/certvfy.c
+++ b/lib/certhigh/certvfy.c
@@ -7,19 +7,23 @@
#include "seccomon.h"
#include "secoid.h"
#include "genname.h"
#include "keyhi.h"
#include "cert.h"
#include "certdb.h"
#include "certi.h"
#include "cryptohi.h"
+
+#ifndef NSS_DISABLE_LIBPKIX
#include "pkix.h"
-/*#include "pkix_sample_modules.h" */
#include "pkix_pl_cert.h"
+#else
+#include "nss.h"
+#endif /* NSS_DISABLE_LIBPKIX */
#include "nsspki.h"
#include "pkitm.h"
#include "pkim.h"
#include "pki3hack.h"
#include "base.h"
#include "keyhi.h"
--- a/lib/certhigh/certvfypkix.c
+++ b/lib/certhigh/certvfypkix.c
@@ -18,32 +18,34 @@
#include "certdb.h"
#include "cert.h"
#include "secerr.h"
#include "nssb64.h"
#include "secasn1.h"
#include "secder.h"
#include "pkit.h"
+#ifndef NSS_DISABLE_LIBPKIX
#include "pkix_pl_common.h"
extern PRLogModuleInfo *pkixLog;
#ifdef PKIX_OBJECT_LEAK_TEST
extern PKIX_UInt32
pkix_pl_lifecycle_ObjectLeakCheck(int *);
extern SECStatus
pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
PRInt32 parallelFnInvocationCount;
#endif /* PKIX_OBJECT_LEAK_TEST */
static PRBool usePKIXValidationEngine = PR_FALSE;
+#endif /* NSS_DISABLE_LIBPKIX */
/*
* FUNCTION: CERT_SetUsePKIXForValidation
* DESCRIPTION:
*
* Enables or disables use of libpkix for certificate validation
*
* PARAMETERS:
@@ -53,18 +55,23 @@ static PRBool usePKIXValidationEngine =
* THREAD SAFETY:
* NOT Thread Safe.
* RETURNS:
* Returns SECSuccess if successfully enabled
*/
SECStatus
CERT_SetUsePKIXForValidation(PRBool enable)
{
+#ifdef NSS_DISABLE_LIBPKIX
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+#else
usePKIXValidationEngine = (enable > 0) ? PR_TRUE : PR_FALSE;
return SECSuccess;
+#endif /* NSS_DISABLE_LIBPKIX */
}
/*
* FUNCTION: CERT_GetUsePKIXForValidation
* DESCRIPTION:
*
* Checks if libpkix building function should be use for certificate
* chain building.
@@ -74,19 +81,24 @@ CERT_SetUsePKIXForValidation(PRBool enab
* THREAD SAFETY:
* NOT Thread Safe
* RETURNS:
* Returns PR_TRUE if libpkix should be used. PR_FALSE otherwise.
*/
PRBool
CERT_GetUsePKIXForValidation()
{
+#ifdef NSS_DISABLE_LIBPKIX
+ return PR_FALSE;
+#else
return usePKIXValidationEngine;
+#endif /* NSS_DISABLE_LIBPKIX */
}
+#ifndef NSS_DISABLE_LIBPKIX
#ifdef NOTDEF
/*
* FUNCTION: cert_NssKeyUsagesToPkix
* DESCRIPTION:
*
* Converts nss key usage bit field(PRUint32) to pkix key usage
* bit field.
*
@@ -1057,16 +1069,17 @@ cleanup:
PKIX_DECREF(pkixCertChain);
PKIX_DECREF(validResult);
PKIX_DECREF(error);
PKIX_DECREF(verifyNode);
PKIX_DECREF(buildResult);
PKIX_RETURN(CERTVFYPKIX);
}
+#endif /* NSS_DISABLE_LIBPKIX */
/*
* FUNCTION: cert_VerifyCertChainPkix
* DESCRIPTION:
*
* The main wrapper function that is called from CERT_VerifyCert and
* CERT_VerifyCACertForUsage functions to validate cert with libpkix.
*
@@ -1103,16 +1116,20 @@ cert_VerifyCertChainPkix(
PRBool checkSig,
SECCertUsage requiredUsage,
PRTime time,
void *wincx,
CERTVerifyLog *log,
PRBool *pSigerror,
PRBool *pRevoked)
{
+#ifdef NSS_DISABLE_LIBPKIX
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+#else
PKIX_ProcessingParams *procParams = NULL;
PKIX_BuildResult *result = NULL;
PKIX_VerifyNode *verifyNode = NULL;
PKIX_Error *error = NULL;
SECStatus rv = SECFailure;
void *plContext = NULL;
@@ -1221,18 +1238,20 @@ cert_VerifyCertChainPkix(
} while (errorGenerated);
runningLeakTest = PKIX_FALSE;
PR_ATOMIC_DECREMENT(¶llelFnInvocationCount);
usePKIXValidationEngine = savedUsePkixEngFlag;
#endif /* PKIX_OBJECT_LEAK_TEST */
return rv;
+#endif /* NSS_DISABLE_LIBPKIX */
}
+#ifndef NSS_DISABLE_LIBPKIX
PKIX_CertSelector *
cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext)
{
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
PKIX_CertSelector *r = NULL;
PKIX_PL_Cert *eeCert = NULL;
PKIX_Error *error = NULL;
@@ -1751,23 +1770,30 @@ static const CERTRevocationFlags certRev
0 },
{ /* chainTests */
2,
certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags,
0,
0,
0 }
};
+#endif /* NSS_DISABLE_LIBPKIX */
extern const CERTRevocationFlags *
CERT_GetClassicOCSPEnabledSoftFailurePolicy()
{
+#ifdef NSS_DISABLE_LIBPKIX
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return NULL;
+#else
return &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy;
+#endif /* NSS_DISABLE_LIBPKIX */
}
+#ifndef NSS_DISABLE_LIBPKIX
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
/* crl */
CERT_REV_M_TEST_USING_THIS_METHOD |
CERT_REV_M_FORBID_NETWORK_FETCHING |
CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
/* ocsp */
CERT_REV_M_TEST_USING_THIS_METHOD |
CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
@@ -1796,23 +1822,30 @@ static const CERTRevocationFlags certRev
0 },
{ /* chainTests */
2,
certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags,
0,
0,
0 }
};
+#endif /* NSS_DISABLE_LIBPKIX */
extern const CERTRevocationFlags *
CERT_GetClassicOCSPEnabledHardFailurePolicy()
{
+#ifdef NSS_DISABLE_LIBPKIX
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return NULL;
+#else
return &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy;
+#endif /* NSS_DISABLE_LIBPKIX */
}
+#ifndef NSS_DISABLE_LIBPKIX
static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags[2] = {
/* crl */
CERT_REV_M_TEST_USING_THIS_METHOD |
CERT_REV_M_FORBID_NETWORK_FETCHING |
CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
/* ocsp */
0
};
@@ -1835,23 +1868,30 @@ static const CERTRevocationFlags certRev
0 },
{ /* chainTests */
2,
certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags,
0,
0,
0 }
};
+#endif /* NSS_DISABLE_LIBPKIX */
extern const CERTRevocationFlags *
CERT_GetClassicOCSPDisabledPolicy()
{
+#ifdef NSS_DISABLE_LIBPKIX
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return NULL;
+#else
return &certRev_NSS_3_11_Ocsp_Disabled_Policy;
+#endif /* NSS_DISABLE_LIBPKIX */
}
+#ifndef NSS_DISABLE_LIBPKIX
static PRUint64 certRev_PKIX_Verify_Nist_Policy_LeafFlags[2] = {
/* crl */
CERT_REV_M_TEST_USING_THIS_METHOD |
CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO |
CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
/* ocsp */
0
};
@@ -1874,28 +1914,38 @@ static const CERTRevocationFlags certRev
0 },
{ /* chainTests */
2,
certRev_PKIX_Verify_Nist_Policy_ChainFlags,
0,
0,
0 }
};
+#endif /* NSS_DISABLE_LIBPKIX */
extern const CERTRevocationFlags *
CERT_GetPKIXVerifyNistRevocationPolicy()
{
+#ifdef NSS_DISABLE_LIBPKIX
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return NULL;
+#else
return &certRev_PKIX_Verify_Nist_Policy;
+#endif /* NSS_DISABLE_LIBPKIX */
}
CERTRevocationFlags *
CERT_AllocCERTRevocationFlags(
PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods,
PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods)
{
+#ifdef NSS_DISABLE_LIBPKIX
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return NULL;
+#else
CERTRevocationFlags *flags;
flags = PORT_New(CERTRevocationFlags);
if (!flags)
return (NULL);
flags->leafTests.number_of_defined_methods = number_leaf_methods;
flags->leafTests.cert_rev_flags_per_method =
@@ -1917,37 +1967,43 @@ CERT_AllocCERTRevocationFlags(
!flags->leafTests.preferred_methods ||
!flags->chainTests.cert_rev_flags_per_method ||
!flags->chainTests.preferred_methods) {
CERT_DestroyCERTRevocationFlags(flags);
return (NULL);
}
return flags;
+#endif /* NSS_DISABLE_LIBPKIX */
}
void
CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags)
{
+#ifdef NSS_DISABLE_LIBPKIX
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return;
+#else
if (!flags)
return;
if (flags->leafTests.cert_rev_flags_per_method)
PORT_Free(flags->leafTests.cert_rev_flags_per_method);
if (flags->leafTests.preferred_methods)
PORT_Free(flags->leafTests.preferred_methods);
if (flags->chainTests.cert_rev_flags_per_method)
PORT_Free(flags->chainTests.cert_rev_flags_per_method);
if (flags->chainTests.preferred_methods)
PORT_Free(flags->chainTests.preferred_methods);
PORT_Free(flags);
+#endif /* NSS_DISABLE_LIBPKIX */
}
/*
* CERT_PKIXVerifyCert
*
* Verify a Certificate using the PKIX library.
*
* Parameters:
@@ -1973,16 +2029,20 @@ CERT_DestroyCERTRevocationFlags(CERTRevo
SECStatus
CERT_PKIXVerifyCert(
CERTCertificate *cert,
SECCertificateUsage usages,
CERTValInParam *paramsIn,
CERTValOutParam *paramsOut,
void *wincx)
{
+#ifdef NSS_DISABLE_LIBPKIX
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+#else
SECStatus r = SECFailure;
PKIX_Error *error = NULL;
PKIX_ProcessingParams *procParams = NULL;
PKIX_BuildResult *buildResult = NULL;
void *nbioContext = NULL; /* for non-blocking IO */
void *buildState = NULL; /* for non-blocking IO */
PKIX_CertSelector *certSelector = NULL;
PKIX_List *certStores = NULL;
@@ -2236,9 +2296,10 @@ CERT_PKIXVerifyCert(
} while (errorGenerated);
runningLeakTest = PKIX_FALSE;
PR_ATOMIC_DECREMENT(¶llelFnInvocationCount);
usePKIXValidationEngine = savedUsePkixEngFlag;
#endif /* PKIX_OBJECT_LEAK_TEST */
return r;
+#endif /* NSS_DISABLE_LIBPKIX */
}
--- a/lib/manifest.mn
+++ b/lib/manifest.mn
@@ -22,17 +22,17 @@ SOFTOKEN_SRCDIRS = \
$(SQLITE_SRCDIR) \
$(DBM_SRCDIR) \
$(SOFTOKEN_SRCDIR) \
$(NULL)
ifndef NSS_BUILD_SOFTOKEN_ONLY
# the rest of nss
NSS_SRCDIRS = \
base dev pki \
- libpkix \
+ $(LIBPKIX_SRCDIR) \
certdb certhigh pk11wrap cryptohi nss \
$(ZLIB_SRCDIR) ssl \
pkcs7 pkcs12 smime \
crmf jar \
ckfw $(SYSINIT_SRCDIR) \
$(NULL)
endif
endif
--- a/lib/nss/config.mk
+++ b/lib/nss/config.mk
@@ -74,28 +74,33 @@ SHARED_LIBRARY_LIBS = \
SHARED_LIBRARY_DIRS = \
../certhigh \
../cryptohi \
../pk11wrap \
../certdb \
../pki \
../dev \
../base \
+ $(NULL)
+
+ifndef NSS_DISABLE_LIBPKIX
+SHARED_LIBRARY_DIRS += \
../libpkix/pkix/certsel \
../libpkix/pkix/checker \
../libpkix/pkix/params \
../libpkix/pkix/results \
../libpkix/pkix/top \
../libpkix/pkix/util \
../libpkix/pkix/crlsel \
../libpkix/pkix/store \
../libpkix/pkix_pl_nss/pki \
../libpkix/pkix_pl_nss/system \
../libpkix/pkix_pl_nss/module \
$(NULL)
+endif
ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
ifndef NS_USE_GCC
# Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
# but do not put it in the import library. See bug 142575.
DEFINES += -DWIN32_NSS3_DLL_COMPAT
DLLFLAGS += -EXPORT:mktemp=nss_mktemp,PRIVATE
endif
--- a/lib/nss/nssinit.c
+++ b/lib/nss/nssinit.c
@@ -15,19 +15,22 @@
#include "key.h"
#include "secmod.h"
#include "secoid.h"
#include "nss.h"
#include "pk11func.h"
#include "secerr.h"
#include "nssbase.h"
#include "nssutil.h"
+
+#ifndef NSS_DISABLE_LIBPKIX
#include "pkixt.h"
#include "pkix.h"
#include "pkix_tools.h"
+#endif /* NSS_DISABLE_LIBPKIX */
#include "pki3hack.h"
#include "certi.h"
#include "secmodi.h"
#include "ocspti.h"
#include "ocspi.h"
#include "utilpars.h"
@@ -476,17 +479,20 @@ loser:
* smart card tokens will not work).
* allowAlreadyInitializedModules - if a module has already been loaded and
* initialize try to use it.
* don'tFinalizeModules - dont shutdown modules we may have loaded.
*/
static PRBool nssIsInitted = PR_FALSE;
static NSSInitContext *nssInitContextList = NULL;
+
+#ifndef NSS_DISABLE_LIBPKIX
static void* plContext = NULL;
+#endif /* NSS_DISABLE_LIBPKIX */
struct NSSInitContextStr {
NSSInitContext *next;
PRUint32 magic;
};
#define NSS_INIT_MAGIC 0x1413A91C
static SECStatus nss_InitShutdownList(void);
@@ -521,18 +527,20 @@ nss_Init(const char *configdir, const ch
NSSInitParameters *initParams,
PRBool readOnly, PRBool noCertDB,
PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
PRBool optimizeSpace, PRBool noSingleThreadedModules,
PRBool allowAlreadyInitializedModules,
PRBool dontFinalizeModules)
{
SECStatus rv = SECFailure;
+#ifndef NSS_DISABLE_LIBPKIX
PKIX_UInt32 actualMinorVersion = 0;
PKIX_Error *pkixError = NULL;
+#endif /* NSS_DISABLE_LIBPKIX */
PRBool isReallyInitted;
char *configStrings = NULL;
char *configName = NULL;
PRBool passwordRequired = PR_FALSE;
/* if we are trying to init with a traditional NSS_Init call, maintain
* the traditional idempotent behavior. */
if (!initContextPtr && nssIsInitted) {
@@ -679,30 +687,30 @@ nss_Init(const char *configdir, const ch
nss_FindExternalRoot(dbpath, secmodName);
}
}
}
pk11sdr_Init();
cert_CreateSubjectKeyIDHashTable();
+#ifndef NSS_DISABLE_LIBPKIX
pkixError = PKIX_Initialize
(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
if (pkixError != NULL) {
goto loser;
} else {
char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
if (ev && ev[0]) {
CERT_SetUsePKIXForValidation(PR_TRUE);
}
}
-
-
+#endif /* NSS_DISABLE_LIBPKIX */
}
/*
* Now mark the appropriate init state. If initContextPtr was passed
* in, then return the new context pointer and add it to the
* nssInitContextList. Otherwise set the global nss_isInitted flag
*/
PZ_Lock(nssInitLock);
@@ -1075,17 +1083,19 @@ nss_Shutdown(void)
rv = nss_ShutdownShutdownList();
if (rv != SECSuccess) {
shutdownRV = SECFailure;
}
cert_DestroyLocks();
ShutdownCRLCache();
OCSP_ShutdownGlobal();
+#ifndef NSS_DISABLE_LIBPKIX
PKIX_Shutdown(plContext);
+#endif /* NSS_DISABLE_LIBPKIX */
SECOID_Shutdown();
status = STAN_Shutdown();
cert_DestroySubjectKeyIDHashTable();
pk11_SetInternalKeySlot(NULL);
rv = SECMOD_Shutdown();
if (rv != SECSuccess) {
shutdownRV = SECFailure;
}