From f2db8950e4bedadbd70f955077c2bd80fcce438f Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Mon, 8 Nov 2010 23:23:11 -0500
Subject: [PATCH 111/150] - first cut at caching CRLs

---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 44 ++++++++++++++++++++++--
 1 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 108150b..b9ca9c2 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -116,6 +116,7 @@ struct _pkinit_identity_crypto_context {
         PK11SlotInfo **id_userdbs; /* used for NSS: */
         PK11SlotInfo *id_p12_slot; /* used for PKCS12: */
         PK11GenericObject **id_objects; /* used with FILE: and DIR: */
+        SECItem **id_crls;
         CERTCertList *id_certs, *ca_certs;
         CERTCertificate *id_cert;
         struct {
@@ -760,6 +761,12 @@ pkinit_fini_identity_crypto(pkinit_identity_crypto_context id_cryptoctx)
                         SECMOD_UnloadUserModule(id_cryptoctx->id_modules[i]);
                 }
         }
+        if (id_cryptoctx->id_crls != NULL) {
+                for (i = 0; id_cryptoctx->id_crls[i] != NULL; i++) {
+                        CERT_UncacheCRL(CERT_GetDefaultCertDB(),
+                                        id_cryptoctx->id_crls[i]);
+                }
+        }
         if (id_cryptoctx->pem_module != NULL) {
                 SECMOD_UnloadUserModule(id_cryptoctx->pem_module);
         }
@@ -2341,9 +2348,9 @@ crypto_load_files(krb5_context context,
         CK_ATTRIBUTE attrs[4];
         CK_BBOOL cktrue = CK_TRUE, cktrust;
         CK_OBJECT_CLASS keyclass = CKO_PRIVATE_KEY, certclass = CKO_CERTIFICATE;
-        SECItem a, b;
+        SECItem a, b, tmp, *crl, **crls;
         SECStatus status;
-        int n_attrs, i, n_objs;
+        int i, j, n_attrs, n_objs, n_crls;
 
         if ((slot = crypto_get_pem_slot(id_cryptoctx)) == NULL) {
                 if (certfile != NULL) {
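Review bot: The new `id_crls` member has no trailing comment, unlike the three fields directly above it, and its contract is only discoverable by reading the other hunks of this patch: crypto_load_files terminates the array with a NULL entry (`crls[j++] = NULL`) and stores only items that CERT_CacheCRL accepted, and pkinit_fini_identity_crypto walks it until NULL to call CERT_UncacheCRL. Document that at the declaration so the next reader does not have to reconstruct it: `SECItem **id_crls; /* NULL-terminated; each entry was cached via CERT_CacheCRL */`. The struct definition starts and ends outside the hunk.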
@@ -2523,7 +2530,38 @@ crypto_load_files(krb5_context context,
         /* If we succeeded to this point, or more likely didn't do anything
          * yet, cache a CRL. */
         if ((status == SECSuccess) && (crlfile != NULL)) {
-                /* FIXME: cache a CRL from the named file */
+                memset(&tmp, 0, sizeof(tmp));
+                if (secitem_from_file(id_cryptoctx->pool, crlfile, &tmp) == 0) {
+                        crl = SECITEM_ArenaDupItem(id_cryptoctx->pool, &tmp);
+                        /* Count the CRLs. */
+                        if (id_cryptoctx->id_crls != NULL) {
+                                for (i = 0;
+                                     id_cryptoctx->id_crls[i] != NULL;
+                                     i++) {
+                                        continue;
+                                }
+                        } else {
+                                i = 0;
+                        }
+                        n_crls = i;
+                        /* Allocate a bigger list. */
+                        crls = PORT_ArenaZAlloc(id_cryptoctx->pool,
+                                                sizeof(crls[0]) * (i + 2));
+                        for (j = 0; j < i; j++) {
+                                crls[j] = id_cryptoctx->id_crls[j];
+                        }
+                        if (crl != NULL) {
+                                status = CERT_CacheCRL(CERT_GetDefaultCertDB(),
+                                                       crl);
+                                if (status == SECSuccess) {
+                                        crls[j++] = crl;
+                                }
+                        }
+                        crls[j++] = NULL;
+                        id_cryptoctx->id_crls = crls;
+                } else {
+                        status = SECFailure;
+                }
         }
         return status;
 }
-- 
1.7.6.4
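Review bot: The result of `crls = PORT_ArenaZAlloc(...)` is written to on the following lines (`crls[j] = id_cryptoctx->id_crls[j]`, `crls[j++] = NULL`) without a NULL check, so an allocation failure becomes a NULL dereference instead of an error. In the same branch a NULL `crl` from SECITEM_ArenaDupItem is merely skipped by the `if (crl != NULL)` guard, and since the enclosing condition guarantees `status == SECSuccess`, the function then reports success although the CRL named in the configuration was never cached — a fail-open for revocation checking that the caller cannot detect. Reject both allocation failures right after the allocation, `if (crl == NULL || crls == NULL) return SECFailure;`, after which the `if (crl != NULL)` guard is redundant. `n_crls` is assigned but never read in the hunk and can be dropped. crypto_load_files begins outside the hunk.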