Bug 1095307 - Clean up nssPKIX509_GetIssuerAndSerialFromDER(). r=relyea. NSS_3_18_BETA3
authorNicholas Nethercote <nnethercote@mozilla.com>
Tue, 18 Nov 2014 15:16:24 -0800
changeset 11309 f9bac028f79a6b2129c561137f1d4312c981cedd
parent 11308 5ed8c0a6f1c192596ad14e534a9e199b51d2b5f1
child 11310 ed68aaa2feaf12814fff1fbb3b688850c3397fd5
push id518
push userkaie@kuix.de
push dateWed, 19 Nov 2014 14:03:20 +0000
reviewersrelyea
bugs1095307
Bug 1095307 - Clean up nssPKIX509_GetIssuerAndSerialFromDER(). r=relyea. This patch: - Removes the two static issuer_and_serial_from_encoding() functions. - Rewrites nssPKIX509_GetIssuerAndSerialFromDER() to be almost identical to the issuer_and_serial_from_encoding() from pkistore.c. This new version avoids unnecessary heap allocations (and so doesn't need an |arena| argument), obtains the issuer and serial in the order suggested by the function name, and is more readable than the old version. - Tweaks nssTrustDomain_FindCertificateByEncodedCertificate() to be more like nssTrustDomain_GetCertByDERFromCache() and nssCertificateStore_FindCertificateByEncodedCertificate(), which are the other two functions that now call nssPKIX509_GetIssuerAndSerialFromDER().
lib/pki/pki3hack.c
lib/pki/pki3hack.h
lib/pki/pkistore.c
lib/pki/tdcache.c
lib/pki/trustdomain.c
--- a/lib/pki/pki3hack.c
+++ b/lib/pki/pki3hack.c
@@ -242,37 +242,38 @@ STAN_GetCertIdentifierFromDER(NSSArena *
 	return NULL;
     }
     rvKey = nssItem_Create(arenaOpt, NULL, secKey.len, (void *)secKey.data);
     PORT_FreeArena(arena,PR_FALSE);
     return rvKey;
 }
 
 NSS_IMPLEMENT PRStatus
-nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der, NSSArena *arena, 
+nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der,
                                      NSSDER *issuer, NSSDER *serial)
 {
-    SECStatus secrv;
-    SECItem derCert;
+    SECItem derCert   = { 0 };
     SECItem derIssuer = { 0 };
     SECItem derSerial = { 0 };
-    SECITEM_FROM_NSSITEM(&derCert, der);
-    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
+    SECStatus secrv;
+    derCert.data = (unsigned char *)der->data;
+    derCert.len = der->size;
+    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
     if (secrv != SECSuccess) {
 	return PR_FAILURE;
     }
-    (void)nssItem_Create(arena, serial, derSerial.len, derSerial.data);
-    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
+    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
     if (secrv != SECSuccess) {
 	PORT_Free(derSerial.data);
 	return PR_FAILURE;
     }
-    (void)nssItem_Create(arena, issuer, derIssuer.len, derIssuer.data);
-    PORT_Free(derSerial.data);
-    PORT_Free(derIssuer.data);
+    issuer->data = derIssuer.data;
+    issuer->size = derIssuer.len;
+    serial->data = derSerial.data;
+    serial->size = derSerial.len;
     return PR_SUCCESS;
 }
 
 static NSSItem *
 nss3certificate_getIdentifier(nssDecodedCert *dc)
 {
     NSSItem *rvID;
     CERTCertificate *c = (CERTCertificate *)dc->data;
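Review bot: In the failure branch after `CERT_SerialNumberFromDERCert`, the retained context line `PORT_Free(derSerial.data);` frees the output of the call that just failed, while `derIssuer.data` from the earlier successful `CERT_IssuerNameFromDERCert` is never released, so that path leaks the issuer buffer. The line is a leftover from the old serial-first ordering; with the issuer now extracted first it should read `PORT_Free(derIssuer.data);`, which is what the removed helper in pkistore.c did. Because `der` is an encoded certificate that may originate from an untrusted source, an encoding whose issuer parses but whose serial does not would leak on every call, so this is worth fixing rather than treating as cosmetic. It would also help to add a comment above the function stating that on success the caller owns `issuer->data` and `serial->data`.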
--- a/lib/pki/pki3hack.h
+++ b/lib/pki/pki3hack.h
@@ -72,17 +72,17 @@ nssTrust_GetCERTCertTrustForCert(NSSCert
 
 NSS_EXTERN PRStatus
 STAN_DeleteCertTrustMatchingSlot(NSSCertificate *c);
 
 NSS_EXTERN PRStatus
 STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust);
 
 NSS_EXTERN PRStatus
-nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der, NSSArena *arena, 
+nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der,
                                      NSSDER *issuer, NSSDER *serial);
 
 NSS_EXTERN char *
 STAN_GetCERTCertificateName(PLArenaPool *arenaOpt, NSSCertificate *c);
 
 NSS_EXTERN char *
 STAN_GetCERTCertificateNameForInstance(PLArenaPool *arenaOpt,
                                        NSSCertificate *c,
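Review bot: The declaration of `nssPKIX509_GetIssuerAndSerialFromDER` has no comment on ownership, and this change alters the contract. The outputs are no longer arena-allocated, and the callers in pkistore.c and trustdomain.c now release `issuer.data` and `serial.data` with `PORT_Free`. I would add above the prototype: `/* On PR_SUCCESS, issuer->data and serial->data are heap buffers the caller must release with PORT_Free(); on PR_FAILURE neither output is written. */`. Without it, a future caller that still thinks in terms of the old arena signature has nothing in the header to indicate that it must free the results.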
--- a/lib/pki/pkistore.c
+++ b/lib/pki/pkistore.c
@@ -18,16 +18,17 @@
 #include "base.h"
 #endif /* BASE_H */
 
 #ifndef PKISTORE_H
 #include "pkistore.h"
 #endif /* PKISTORE_H */
 
 #include "cert.h"
+#include "pki3hack.h"
 
 #include "prbit.h"
 
 /* 
  * Certificate Store
  *
  * This differs from the cache in that it is a true storage facility.  Items
  * stay in until they are explicitly removed.  It is only used by crypto
@@ -549,53 +550,26 @@ nssCertificateStore_FindCertificateByIss
 
     PZ_Lock(store->lock);
     rvCert = nssCertStore_FindCertByIssuerAndSerialNumberLocked (
                            store, issuer, serial);
     PZ_Unlock(store->lock);
     return rvCert;
 }
 
-static PRStatus
-issuer_and_serial_from_encoding (
-  NSSBER *encoding, 
-  NSSDER *issuer, 
-  NSSDER *serial
-)
-{
-    SECItem derCert, derIssuer, derSerial;
-    SECStatus secrv;
-    derCert.data = (unsigned char *)encoding->data;
-    derCert.len = encoding->size;
-    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
-    if (secrv != SECSuccess) {
-	return PR_FAILURE;
-    }
-    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
-    if (secrv != SECSuccess) {
-	PORT_Free(derIssuer.data);
-	return PR_FAILURE;
-    }
-    issuer->data = derIssuer.data;
-    issuer->size = derIssuer.len;
-    serial->data = derSerial.data;
-    serial->size = derSerial.len;
-    return PR_SUCCESS;
-}
-
 NSS_IMPLEMENT NSSCertificate *
 nssCertificateStore_FindCertificateByEncodedCertificate (
   nssCertificateStore *store,
   NSSDER *encoding
 )
 {
     PRStatus nssrv = PR_FAILURE;
     NSSDER issuer, serial;
     NSSCertificate *rvCert = NULL;
-    nssrv = issuer_and_serial_from_encoding(encoding, &issuer, &serial);
+    nssrv = nssPKIX509_GetIssuerAndSerialFromDER(encoding, &issuer, &serial);
     if (nssrv != PR_SUCCESS) {
 	return NULL;
     }
     rvCert = nssCertificateStore_FindCertificateByIssuerAndSerialNumber(store, 
                                                                      &issuer, 
                                                                      &serial);
     PORT_Free(issuer.data);
     PORT_Free(serial.data);
--- a/lib/pki/tdcache.c
+++ b/lib/pki/tdcache.c
@@ -1041,55 +1041,29 @@ nssTrustDomain_GetCertForIssuerAndSNFrom
 #ifdef DEBUG_CACHE
 	PR_LOG(s_log, PR_LOG_DEBUG, ("... found, %d hits", ce->hits));
 #endif
     }
     PZ_Unlock(td->cache->lock);
     return rvCert;
 }
 
-static PRStatus
-issuer_and_serial_from_encoding (
-  NSSBER *encoding, 
-  NSSDER *issuer, 
-  NSSDER *serial
-)
-{
-    SECItem derCert, derIssuer, derSerial;
-    SECStatus secrv;
-    derCert.data = (unsigned char *)encoding->data;
-    derCert.len = encoding->size;
-    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
-    if (secrv != SECSuccess) {
-	return PR_FAILURE;
-    }
-    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
-    if (secrv != SECSuccess) {
-	return PR_FAILURE;
-    }
-    issuer->data = derIssuer.data;
-    issuer->size = derIssuer.len;
-    serial->data = derSerial.data;
-    serial->size = derSerial.len;
-    return PR_SUCCESS;
-}
-
 /*
  * Look for a specific cert in the cache
  */
 NSS_IMPLEMENT NSSCertificate *
 nssTrustDomain_GetCertByDERFromCache (
   NSSTrustDomain *td,
   NSSDER *der
 )
 {
     PRStatus nssrv = PR_FAILURE;
     NSSDER issuer, serial;
     NSSCertificate *rvCert;
-    nssrv = issuer_and_serial_from_encoding(der, &issuer, &serial);
+    nssrv = nssPKIX509_GetIssuerAndSerialFromDER(der, &issuer, &serial);
     if (nssrv != PR_SUCCESS) {
 	return NULL;
     }
 #ifdef DEBUG_CACHE
     log_item_dump("looking for cert by DER", der);
 #endif
     rvCert = nssTrustDomain_GetCertForIssuerAndSNFromCache(td, 
                                                            &issuer, &serial);
--- a/lib/pki/trustdomain.c
+++ b/lib/pki/trustdomain.c
@@ -826,30 +826,26 @@ nssTrustDomain_FindCertificateByEncodedC
   NSSTrustDomain *td,
   NSSBER *ber
 )
 {
     PRStatus status;
     NSSCertificate *rvCert = NULL;
     NSSDER issuer = { 0 };
     NSSDER serial = { 0 };
-    NSSArena *arena = nssArena_Create();
-    if (!arena) {
-	return (NSSCertificate *)NULL;
-    }
     /* XXX this is not generic...  will any cert crack into issuer/serial? */
-    status = nssPKIX509_GetIssuerAndSerialFromDER(ber, arena, &issuer, &serial);
+    status = nssPKIX509_GetIssuerAndSerialFromDER(ber, &issuer, &serial);
     if (status != PR_SUCCESS) {
-	goto finish;
+	return NULL;
     }
     rvCert = nssTrustDomain_FindCertificateByIssuerAndSerialNumber(td,
                                                                    &issuer,
                                                                    &serial);
-finish:
-    nssArena_Destroy(arena);
+    PORT_Free(issuer.data);
+    PORT_Free(serial.data);
     return rvCert;
 }
 
 NSS_IMPLEMENT NSSCertificate *
 NSSTrustDomain_FindCertificateByEncodedCertificate (
   NSSTrustDomain *td,
   NSSBER *ber
 )