自学教程：C++ CERT_DestroyCertificate函数代码示例

/* BEWARE: This function gets called for both client and server SIDs !! * If the unreferenced sid is not in the cache, Free sid and its contents. */static voidssl_DestroySID(sslSessionID *sid){    SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));    PORT_Assert((sid->references == 0));    if (sid->cached == in_client_cache)    	return;	/* it will get taken care of next time cache is traversed. */    if (sid->version < SSL_LIBRARY_VERSION_3_0) {	SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);	SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);    }    if (sid->peerID != NULL)	PORT_Free((void *)sid->peerID);		/* CONST */    if (sid->urlSvrName != NULL)	PORT_Free((void *)sid->urlSvrName);	/* CONST */    if ( sid->peerCert ) {	CERT_DestroyCertificate(sid->peerCert);    }    if ( sid->localCert ) {	CERT_DestroyCertificate(sid->localCert);    }    if (sid->u.ssl3.sessionTicket.ticket.data) {	SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);    }        PORT_ZFree(sid, sizeof(sslSessionID));}

SECStatusCMMF_DestroyCertRepContent(CMMFCertRepContent *inCertRepContent){    PORT_Assert(inCertRepContent != NULL);    if (inCertRepContent != NULL) {        CMMFCertResponse **pResponse = inCertRepContent->response;        if (pResponse != NULL) {            for (; *pResponse != NULL; pResponse++) {                CMMFCertifiedKeyPair *certKeyPair = (*pResponse)->certifiedKeyPair;                /* XXX Why not call CMMF_DestroyCertifiedKeyPair or                 ** XXX cmmf_DestroyCertOrEncCert ?                 */                if (certKeyPair != NULL &&                    certKeyPair->certOrEncCert.choice == cmmfCertificate &&                    certKeyPair->certOrEncCert.cert.certificate != NULL) {                    CERT_DestroyCertificate(certKeyPair->certOrEncCert.cert.certificate);                    certKeyPair->certOrEncCert.cert.certificate = NULL;                }            }        }        if (inCertRepContent->caPubs) {            CERTCertificate **caPubs = inCertRepContent->caPubs;            for (; *caPubs; ++caPubs) {                CERT_DestroyCertificate(*caPubs);                *caPubs = NULL;            }        }        if (inCertRepContent->poolp != NULL) {            PORT_FreeArena(inCertRepContent->poolp, PR_TRUE);        }    }    return SECSuccess;}

/** * * Check that the Peer certificate's issuer certificate matches the one found * by issuer_nickname.  This is not exactly the way OpenSSL and GNU TLS do the * issuer check, so we provide comments that mimic the OpenSSL * X509_check_issued function (in x509v3/v3_purp.c) */static SECStatus check_issuer_cert(PRFileDesc *sock,                                   char *issuer_nickname){  CERTCertificate *cert,*cert_issuer,*issuer;  SECStatus res=SECSuccess;  void *proto_win = NULL;  /*    PRArenaPool   *tmpArena = NULL;    CERTAuthKeyID *authorityKeyID = NULL;    SECITEM       *caname = NULL;  */  cert = SSL_PeerCertificate(sock);  cert_issuer = CERT_FindCertIssuer(cert,PR_Now(),certUsageObjectSigner);  proto_win = SSL_RevealPinArg(sock);  issuer = PK11_FindCertFromNickname(issuer_nickname, proto_win);  if((!cert_issuer) || (!issuer))    res = SECFailure;  else if(SECITEM_CompareItem(&cert_issuer->derCert,                              &issuer->derCert)!=SECEqual)    res = SECFailure;  CERT_DestroyCertificate(cert);  CERT_DestroyCertificate(issuer);  CERT_DestroyCertificate(cert_issuer);  return res;}

/* Reset sec back to its initial state.** Caller holds any relevant locks.*/voidssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset){    if (sec->localCert) {        CERT_DestroyCertificate(sec->localCert);        sec->localCert = NULL;    }    if (sec->peerCert) {        CERT_DestroyCertificate(sec->peerCert);        sec->peerCert = NULL;    }    if (sec->peerKey) {        SECKEY_DestroyPublicKey(sec->peerKey);        sec->peerKey = NULL;    }    /* cleanup the ci */    if (sec->ci.sid != NULL) {        ssl_FreeSID(sec->ci.sid);    }    PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space);    if (doMemset) {        memset(&sec->ci, 0, sizeof sec->ci);    }}

/* BEWARE: This function gets called for both client and server SIDs !! * If the unreferenced sid is not in the cache, Free sid and its contents. */static voidssl_DestroySID(sslSessionID *sid){    int i;    SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));    PORT_Assert(sid->references == 0);    PORT_Assert(sid->cached != in_client_cache);    if (sid->version < SSL_LIBRARY_VERSION_3_0) {        SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);        SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);    } else {        if (sid->u.ssl3.locked.sessionTicket.ticket.data) {            SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket,                             PR_FALSE);        }        if (sid->u.ssl3.srvName.data) {            SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);        }        if (sid->u.ssl3.originalHandshakeHash.data) {            SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);        }        if (sid->u.ssl3.signedCertTimestamps.data) {            SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE);        }        if (sid->u.ssl3.lock) {            NSSRWLock_Destroy(sid->u.ssl3.lock);        }    }    if (sid->peerID != NULL)        PORT_Free((void *)sid->peerID);		/* CONST */    if (sid->urlSvrName != NULL)        PORT_Free((void *)sid->urlSvrName);	/* CONST */    if ( sid->peerCert ) {        CERT_DestroyCertificate(sid->peerCert);    }    for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {        CERT_DestroyCertificate(sid->peerCertChain[i]);    }    if (sid->peerCertStatus.items) {        SECITEM_FreeArray(&sid->peerCertStatus, PR_FALSE);    }    if ( sid->localCert ) {        CERT_DestroyCertificate(sid->localCert);    }    PORT_ZFree(sid, sizeof(sslSessionID));}

/* Reset sec back to its initial state.** Caller holds any relevant locks.*/void ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset){    /* Destroy MAC */    if (sec->hash && sec->hashcx) {	(*sec->hash->destroy)(sec->hashcx, PR_TRUE);	sec->hashcx = NULL;	sec->hash = NULL;    }    SECITEM_ZfreeItem(&sec->sendSecret, PR_FALSE);    SECITEM_ZfreeItem(&sec->rcvSecret, PR_FALSE);    /* Destroy ciphers */    if (sec->destroy) {	(*sec->destroy)(sec->readcx, PR_TRUE);	(*sec->destroy)(sec->writecx, PR_TRUE);	sec->readcx = NULL;	sec->writecx = NULL;    } else {	PORT_Assert(sec->readcx == 0);	PORT_Assert(sec->writecx == 0);    }    sec->readcx = 0;    sec->writecx = 0;    if (sec->localCert) {	CERT_DestroyCertificate(sec->localCert);	sec->localCert = NULL;    }    if (sec->peerCert) {	CERT_DestroyCertificate(sec->peerCert);	sec->peerCert = NULL;    }    if (sec->peerKey) {	SECKEY_DestroyPublicKey(sec->peerKey);	sec->peerKey = NULL;    }    /* cleanup the ci */    if (sec->ci.sid != NULL) {	ssl_FreeSID(sec->ci.sid);    }    PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space);    if (doMemset) {        memset(&sec->ci, 0, sizeof sec->ci);    }    }

static CERTCertificate *FindSigningCert(CERTCertDBHandle *certHandle, CERTSignedCrl *signCrl,                char *certNickName){    CERTCertificate *cert = NULL, *certTemp = NULL;    SECStatus rv = SECFailure;    CERTAuthKeyID *authorityKeyID = NULL;    SECItem *subject = NULL;    PORT_Assert(certHandle != NULL);    if (!certHandle || (!signCrl && !certNickName)) {        SECU_PrintError(progName, "invalid args for function "                                  "FindSigningCert /n");        return NULL;    }    if (signCrl) {#if 0        authorityKeyID = SECU_FindCRLAuthKeyIDExten(tmpArena, scrl);#endif        subject = &signCrl->crl.derName;    } else {        certTemp = CERT_FindCertByNickname(certHandle, certNickName);        if (!certTemp) {            SECU_PrintError(progName, "could not find certificate /"%s/" "                                      "in database",                            certNickName);            goto loser;        }        subject = &certTemp->derSubject;    }    cert = SECU_FindCrlIssuer(certHandle, subject, authorityKeyID, PR_Now());    if (!cert) {        SECU_PrintError(progName, "could not find signing certificate "                                  "in database");        goto loser;    } else {        rv = SECSuccess;    }loser:    if (certTemp)        CERT_DestroyCertificate(certTemp);    if (cert && rv != SECSuccess)        CERT_DestroyCertificate(cert);    return cert;}

static SECStatus nss_bad_cert_cb(void *arg, PRFileDesc *fd) {    struct tls_connection *conn = arg;    SECStatus res = SECSuccess;    PRErrorCode err;    CERTCertificate *cert;    char *subject, *issuer;    err = PR_GetError();    if (IS_SEC_ERROR(err))        wpa_printf(MSG_DEBUG, "NSS: Bad Server Certificate (sec err "            "%d)", err - SEC_ERROR_BASE);    else        wpa_printf(MSG_DEBUG, "NSS: Bad Server Certificate (err %d)",            err);    cert = SSL_PeerCertificate(fd);    subject = CERT_NameToAscii(&cert->subject);    issuer = CERT_NameToAscii(&cert->issuer);    wpa_printf(MSG_DEBUG, "NSS: Peer certificate subject='%s' issuer='%s'",            subject, issuer);    CERT_DestroyCertificate(cert);    PR_Free(subject);    PR_Free(issuer);    if (conn->verify_peer)        res = SECFailure;    return res;}

SECStatus TransportLayerDtls::GetClientAuthDataHook(void *arg, PRFileDesc *fd,                                                    CERTDistNames *caNames,                                                    CERTCertificate **pRetCert,                                                    SECKEYPrivateKey **pRetKey) {  MOZ_MTLOG(ML_DEBUG, "Server requested client auth");  TransportLayerDtls *stream = reinterpret_cast<TransportLayerDtls *>(arg);  stream->CheckThread();  if (!stream->identity_) {    MOZ_MTLOG(ML_ERROR, "No identity available");    PR_SetError(SSL_ERROR_NO_CERTIFICATE, 0);    return SECFailure;  }  *pRetCert = CERT_DupCertificate(stream->identity_->cert());  if (!*pRetCert) {    PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);    return SECFailure;  }  *pRetKey = SECKEY_CopyPrivateKey(stream->identity_->privkey());  if (!*pRetKey) {    CERT_DestroyCertificate(*pRetCert);    *pRetCert = nullptr;    PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);    return SECFailure;  }  return SECSuccess;}

/* * Host name checking according to RFC 2595. */static enum okaynss_check_host(const char *server, struct sock *sp){	CERTCertificate	*cert;	char	*cn = NULL;	enum okay	ok = STOP;	PRArenaPool	*arena;	CERTGeneralName	*gn;	SECItem	altname;	CERTAltNameEncodedContext	ec;	int	i;	const SEC_ASN1Template	gntempl[] = {		{ SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }	};	if ((cert = SSL_PeerCertificate(sp->s_prfd)) == NULL) {		fprintf(stderr, "no certificate from /"%s/"/n", server);		return STOP;	}	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);	if (CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,				&altname) == SECSuccess &&			SEC_ASN1DecodeItem(arena, &ec, gntempl,				&altname) == SECSuccess &&			ec.encodedGenName != NULL) {		for (i = 0; ec.encodedGenName[i] != NULL; i++) {			gn = CERT_DecodeGeneralName(arena, ec.encodedGenName[i],					NULL);			if (gn->type == certDNSName) {				char	*dn = ac_alloc(gn->name.other.len + 1);				memcpy(dn, gn->name.other.data,						gn->name.other.len);				dn[gn->name.other.len] = '/0';				if (verbose)					fprintf(stderr,						"Comparing DNS name: /"%s/"/n",						dn);				if (rfc2595_hostname_match(server, dn)						== OKAY) {					ac_free(dn);					goto out;				}				ac_free(dn);			}		}	}	if ((cn = CERT_GetCommonName(&cert->subject)) != NULL) {		if (verbose)			fprintf(stderr, "Comparing common name: /"%s/"/n", cn);		ok = rfc2595_hostname_match(server, cn);	}	if (ok == STOP)		fprintf(stderr, "host certificate does not match /"%s/"/n",				server);out:	if (cn)		PORT_Free(cn);	PORT_FreeArena(arena, PR_FALSE);	CERT_DestroyCertificate(cert);	return ok;}

/** * Loads the public key for the specified cert name from the NSS store. * * @param certData  The DER-encoded X509 certificate to extract the key from. * @param certDataSize The size of certData. * @param publicKey Out parameter for the public key to use. * @return CryptoX_Success on success, CryptoX_Error on error.*/CryptoX_ResultNSS_LoadPublicKey(const unsigned char *certData, unsigned int certDataSize,                  SECKEYPublicKey **publicKey){  CERTCertificate * cert;  SECItem certDataItem = { siBuffer, (unsigned char*) certData, certDataSize };  if (!certData || !publicKey) {    return CryptoX_Error;  }  cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &certDataItem, NULL,                                 PR_FALSE, PR_TRUE);  /* Get the cert and embedded public key out of the database */  if (!cert) {    return CryptoX_Error;  }  *publicKey = CERT_ExtractPublicKey(cert);  CERT_DestroyCertificate(cert);  if (!*publicKey) {    return CryptoX_Error;  }  return CryptoX_Success;}

static X509*nss_get_cert(NSS_CTX *ctx, const char *s) {    X509 *x509 = NULL;    CERTCertificate *cert = NULL;    CALL_TRACE("nss_get_cert.../n");    if (ctx == NULL) {        NSSerr(NSS_F_GET_CERT, NSS_R_INVALID_ARGUMENT);        goto done;    }    if (!NSS_IsInitialized()) {        NSSerr(NSS_F_GET_CERT, NSS_R_DB_IS_NOT_INITIALIZED);        goto done;    }    nss_debug(ctx, "search certificate '%s'", s);    cert = PK11_FindCertFromNickname(s, NULL);    nss_trace(ctx, "found certificate mem='%p'", cert);    if (cert == NULL) goto done;    x509 = X509_from_CERTCertificate(cert);done:    if (cert) CERT_DestroyCertificate(cert);    nss_debug(ctx, "certificate %s", (x509 ? "found": "not found"));    return(x509);}

static SECStatusssl_PopulateServerCert(sslServerCert *sc, CERTCertificate *cert,                       const CERTCertificateList *certChain){    if (sc->serverCert) {        CERT_DestroyCertificate(sc->serverCert);    }    if (sc->serverCertChain) {        CERT_DestroyCertificateList(sc->serverCertChain);    }    if (!cert) {        sc->serverCert = NULL;        sc->serverCertChain = NULL;        return SECSuccess;    }    sc->serverCert = CERT_DupCertificate(cert);    if (certChain) {        sc->serverCertChain = CERT_DupCertList(certChain);    } else {        sc->serverCertChain =            CERT_CertChainFromCert(sc->serverCert, certUsageSSLServer,                                   PR_TRUE);    }    return sc->serverCertChain ? SECSuccess : SECFailure;}

/* * SecCmsSignerInfoDestroy - destroy a SignerInfo data structure */voidSecCmsSignerInfoDestroy(SecCmsSignerInfoRef si){    if (si->cert != NULL) {	dprintfRC("SecCmsSignerInfoDestroy top: certp %p cert.rc %d/n",	    si->cert, (int)CFGetRetainCount(si->cert));	CERT_DestroyCertificate(si->cert);    }    if (si->certList != NULL) {	dprintfRC("SecCmsSignerInfoDestroy top: certList.rc %d/n",	    (int)CFGetRetainCount(si->certList));	CFRelease(si->certList);    }    if (si->timestampCertList != NULL) {	dprintfRC("SecCmsSignerInfoDestroy top: timestampCertList.rc %d/n",	    (int)CFGetRetainCount(si->timestampCertList));	CFRelease(si->timestampCertList);    }    if (si->hashAgilityAttrValue != NULL) {        dprintfRC("SecCmsSignerInfoDestroy top: hashAgilityAttrValue.rc %d/n",                  (int)CFGetRetainCount(si->hashAgilityAttrValue));        CFRelease(si->hashAgilityAttrValue);    }    /* XXX storage ??? */}

/* This invokes the "default" AuthCert handler in libssl.** The only reason to use this one is that it prints out info as it goes. */static SECStatusmySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,		     PRBool isServer){    SECStatus rv;    CERTCertificate *    peerCert;    const SECItemArray *csa;    if (MakeCertOK>=2) {        return SECSuccess;    }    peerCert = SSL_PeerCertificate(fd);    PRINTF("strsclnt: Subject: %s/nstrsclnt: Issuer : %s/n",            peerCert->subjectName, peerCert->issuerName);     csa = SSL_PeerStapledOCSPResponses(fd);    if (csa) {        PRINTF("Received %d Cert Status items (OCSP stapled data)/n",               csa->len);    }    /* invoke the "default" AuthCert handler. */    rv = SSL_AuthCertificate(arg, fd, checkSig, isServer);    PR_ATOMIC_INCREMENT(&certsTested);    if (rv == SECSuccess) {	fputs("strsclnt: -- SSL: Server Certificate Validated./n", stderr);    }    CERT_DestroyCertificate(peerCert);    /* error, if any, will be displayed by the Bad Cert Handler. */    return rv;  }

/* * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message */SECStatusNSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd,                                  CERTCertDBHandle *certdb,                                  SECCertUsage usage){    CERTCertificate *cert;    SECStatus rv = SECSuccess;    int i;    int count;    PRTime now;    if (!sigd || !certdb || !sigd->rawCerts) {        PORT_SetError(SEC_ERROR_INVALID_ARGS);        return SECFailure;    }    count = NSS_CMSArray_Count((void**)sigd->rawCerts);    now = PR_Now();    for (i=0; i < count; i++) {        if (sigd->certs && sigd->certs[i]) {            cert = CERT_DupCertificate(sigd->certs[i]);        } else {            cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]);            if (!cert) {                rv = SECFailure;                break;            }        }        rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, now,                              NULL, NULL);        CERT_DestroyCertificate(cert);    }    return rv;}

int sxi_vcrypt_print_cert_info(sxc_client_t *sx, const char *file, int batch_mode){    struct PK11_ctx ctx;    CERTCertificate *cert = load_cert_file(sx, file, &ctx);    if(!cert) {        free_PK11_ctx(&ctx);        return -1;    }    if (cert && !batch_mode) {        char *subject = CERT_NameToAscii(&cert->subject);        char *issuer = CERT_NameToAscii(&cert->issuer);        char *common_name = CERT_GetCommonName(&cert->subject);        struct sxi_fmt fmt;        char hash[SXI_SHA1_TEXT_LEN+1];        sxi_fmt_start(&fmt);        sxi_fmt_msg(&fmt, "/tSubject: %s/n", subject);        sxi_fmt_msg(&fmt, "/tIssuer: %s/n", issuer);        if (!sxi_conns_hashcalc_core(sx, NULL, 0,                                     cert->derCert.data,                                     cert->derCert.len, hash)) {            sxi_fmt_msg(&fmt, "/tSHA1 Fingerprint: %s/n", hash);        }        sxi_info(sx, "%s", fmt.buf);        PR_Free(subject);        PR_Free(issuer);        PR_Free(common_name);    }    CERT_DestroyCertificate(cert);    free_PK11_ctx(&ctx);    return 0;}

static voidtrust_prompt_free_certificate (gpointer cert){	if (!cert)		return;	CERT_DestroyCertificate (cert);}

static voidadd_to_subject_list(CERTCertList *certList, CERTCertificate *cert,                    PRBool validOnly, PRTime sorttime){    SECStatus secrv;    if (!validOnly ||        CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE) ==            secCertTimeValid) {        secrv = CERT_AddCertToListSorted(certList, cert, CERT_SortCBValidity,                                         (void *)&sorttime);        if (secrv != SECSuccess) {            CERT_DestroyCertificate(cert);        }    } else {        CERT_DestroyCertificate(cert);    }}

staticint__pkcs11h_crypto_nss_certificate_is_issuer (	IN void * const global_data,	IN const unsigned char * const issuer_blob,	IN const size_t issuer_blob_size,	IN const unsigned char * const cert_blob,	IN const size_t cert_blob_size) {	PKCS11H_BOOL is_issuer = FALSE;	CERTCertificate *cert = NULL;	CERTCertificate *issuer = NULL;	(void)global_data;	/*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/	_PKCS11H_ASSERT (issuer_blob!=NULL);	_PKCS11H_ASSERT (cert_blob!=NULL);	if ((issuer = CERT_DecodeCertFromPackage ((char *)issuer_blob, issuer_blob_size)) == NULL) {		goto cleanup;	}	if ((cert = CERT_DecodeCertFromPackage ((char *)cert_blob, cert_blob_size)) == NULL) {		goto cleanup;	}	is_issuer = CERT_VerifySignedDataWithPublicKeyInfo (		&cert->signatureWrap,		&issuer->subjectPublicKeyInfo,		NULL	) == SECSuccess;cleanup:	if (cert != NULL) {		CERT_DestroyCertificate (cert);	}	if (issuer != NULL) {		CERT_DestroyCertificate (issuer);	}	return is_issuer;}

/* * FUNCTION: pkix_pl_OcspResponse_Destroy * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h) */static PKIX_Error *pkix_pl_OcspResponse_Destroy(        PKIX_PL_Object *object,        void *plContext){        PKIX_PL_OcspResponse *ocspRsp = NULL;        const SEC_HttpClientFcn *httpClient = NULL;        const SEC_HttpClientFcnV1 *hcv1 = NULL;        PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Destroy");        PKIX_NULLCHECK_ONE(object);        PKIX_CHECK(pkix_CheckType(object, PKIX_OCSPRESPONSE_TYPE, plContext),                    PKIX_OBJECTNOTANOCSPRESPONSE);        ocspRsp = (PKIX_PL_OcspResponse *)object;        if (ocspRsp->nssOCSPResponse != NULL) {                CERT_DestroyOCSPResponse(ocspRsp->nssOCSPResponse);                ocspRsp->nssOCSPResponse = NULL;        }        if (ocspRsp->signerCert != NULL) {                CERT_DestroyCertificate(ocspRsp->signerCert);                ocspRsp->signerCert = NULL;        }        httpClient = (const SEC_HttpClientFcn *)(ocspRsp->httpClient);        if (httpClient && (httpClient->version == 1)) {                hcv1 = &(httpClient->fcnTable.ftable1);                if (ocspRsp->sessionRequest != NULL) {                    (*hcv1->freeFcn)(ocspRsp->sessionRequest);                    ocspRsp->sessionRequest = NULL;                }                if (ocspRsp->serverSession != NULL) {                    (*hcv1->freeSessionFcn)(ocspRsp->serverSession);                    ocspRsp->serverSession = NULL;                }        }        if (ocspRsp->arena != NULL) {                PORT_FreeArena(ocspRsp->arena, PR_FALSE);                ocspRsp->arena = NULL;        }	PKIX_DECREF(ocspRsp->producedAtDate);	PKIX_DECREF(ocspRsp->pkixSignerCert);	PKIX_DECREF(ocspRsp->request);cleanup:        PKIX_RETURN(OCSPRESPONSE);}

static SECStatus BadCertHandler(void *arg, PRFileDesc *sock){  SECStatus result = SECFailure;  struct connectdata *conn = (struct connectdata *)arg;  PRErrorCode err = PR_GetError();  CERTCertificate *cert = NULL;  char *subject, *subject_cn, *issuer;  conn->data->set.ssl.certverifyresult=err;  cert = SSL_PeerCertificate(sock);  subject = CERT_NameToAscii(&cert->subject);  subject_cn = CERT_GetCommonName(&cert->subject);  issuer = CERT_NameToAscii(&cert->issuer);  CERT_DestroyCertificate(cert);  switch(err) {  case SEC_ERROR_CA_CERT_INVALID:    infof(conn->data, "Issuer certificate is invalid: '%s'/n", issuer);    break;  case SEC_ERROR_UNTRUSTED_ISSUER:    infof(conn->data, "Certificate is signed by an untrusted issuer: '%s'/n",          issuer);    break;  case SSL_ERROR_BAD_CERT_DOMAIN:    if(conn->data->set.ssl.verifyhost) {      failf(conn->data, "SSL: certificate subject name '%s' does not match "            "target host name '%s'", subject_cn, conn->host.dispname);    }    else {      result = SECSuccess;      infof(conn->data, "warning: SSL: certificate subject name '%s' does not "            "match target host name '%s'/n", subject_cn, conn->host.dispname);    }    break;  case SEC_ERROR_EXPIRED_CERTIFICATE:    infof(conn->data, "Remote Certificate has expired./n");    break;  case SEC_ERROR_UNKNOWN_ISSUER:    infof(conn->data, "Peer's certificate issuer is not recognized: '%s'/n",          issuer);    break;  default:    infof(conn->data, "Bad certificate received. Subject = '%s', "          "Issuer = '%s'/n", subject, issuer);    break;  }  if(result == SECSuccess)    infof(conn->data, "SSL certificate verify ok./n");  PR_Free(subject);  PR_Free(subject_cn);  PR_Free(issuer);  return result;}

int main(int argc, char **argv){  if (NSS_NoDB_Init(NULL) != SECSuccess) {    printf(" >>> NSS_NoDB_Init() failed./n");    return 1;  }  if (argc < 3) {    printf(" >>> I need a DER encoded file to read and have to know what to do with it [decode, private]!/n");    return 1;  }  PRFileDesc* file = PR_Open(argv[1], PR_RDONLY, 0);  SECItem data = {0, NULL, 0};  if (SECU_ReadDERFromFile(&data, file, PR_FALSE, PR_FALSE) != SECSuccess) {    printf(" >>> SECU_ReadDERFromFile() failed./n");    return 1;  }  PR_Close(file);  if (strcmp(argv[2], "decode") == 0) {    CERTCertificate *cert = CERT_DecodeCertFromPackage((char*)data.data, data.len);    if (cert){      printf(" >>> read cert!/n");      printf(" >>> SN: %s/n", cert->subjectName);      printf(" >>> IN: %s/n", cert->issuerName);      CERT_DestroyCertificate(cert);    } else {      printf(" >>> CERT_DecodeCertFromPackage failed./n");      SECITEM_FreeItem(&data, PR_FALSE);      return 1;    }  }  if (argv[2] == "private") {    PK11SlotInfo* slot = PK11_GetInternalSlot();    if (!slot) {      printf(" >>> PK11_GetInternalSlot() failed./n");      SECITEM_FreeItem(&data, PR_FALSE);      return 1;    }    SECKEYPrivateKey* privKey;    if (PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, &data, NULL, NULL, PR_FALSE, PR_FALSE, KU_ALL, &privKey, NULL) != SECSuccess) {      printf(" >>> PK11_ImportDERPrivateKeyInfoAndReturnKey() failed./n");      SECITEM_FreeItem(&data, PR_FALSE);      return 1;    }  }  printf(" !!! Done./n");  return 0;}

/* * NSS_CMSSignerInfo_Destroy - destroy a SignerInfo data structure */voidNSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si){    if (si->cert != NULL)	CERT_DestroyCertificate(si->cert);    if (si->certList != NULL) 	CERT_DestroyCertificateList(si->certList);    /* XXX storage ??? */}

static SECStatus BadCertHandler(void *arg, PRFileDesc *sock){  SECStatus success = SECSuccess;  struct connectdata *conn = (struct connectdata *)arg;  PRErrorCode err = PR_GetError();  CERTCertificate *cert = NULL;  char *subject, *issuer;  if(conn->data->set.ssl.certverifyresult!=0)    return success;  conn->data->set.ssl.certverifyresult=err;  cert = SSL_PeerCertificate(sock);  subject = CERT_NameToAscii(&cert->subject);  issuer = CERT_NameToAscii(&cert->issuer);  CERT_DestroyCertificate(cert);  switch(err) {  case SEC_ERROR_CA_CERT_INVALID:    infof(conn->data, "Issuer certificate is invalid: '%s'/n", issuer);    if(conn->data->set.ssl.verifypeer)      success = SECFailure;    break;  case SEC_ERROR_UNTRUSTED_ISSUER:    if(conn->data->set.ssl.verifypeer)      success = SECFailure;    infof(conn->data, "Certificate is signed by an untrusted issuer: '%s'/n",          issuer);    break;  case SSL_ERROR_BAD_CERT_DOMAIN:    if(conn->data->set.ssl.verifypeer)      success = SECFailure;    infof(conn->data, "common name: %s (does not match '%s')/n",          subject, conn->host.dispname);    break;  case SEC_ERROR_EXPIRED_CERTIFICATE:    if(conn->data->set.ssl.verifypeer)      success = SECFailure;    infof(conn->data, "Remote Certificate has expired./n");    break;  default:    if(conn->data->set.ssl.verifypeer)      success = SECFailure;    infof(conn->data, "Bad certificate received. Subject = '%s', "          "Issuer = '%s'/n", subject, issuer);    break;  }  if(success == SECSuccess)    infof(conn->data, "SSL certificate verify ok./n");  PR_Free(subject);  PR_Free(issuer);  return success;}

CERTDistNames *CERT_DistNamesFromNicknames(CERTCertDBHandle *handle, char **nicknames,                            int nnames){    CERTDistNames *dnames = NULL;    PLArenaPool *arena;    int i, rv;    SECItem *names = NULL;    CERTCertificate *cert = NULL;    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);    if (arena == NULL)        goto loser;    dnames = PORT_ArenaZNew(arena, CERTDistNames);    if (dnames == NULL)        goto loser;    dnames->arena = arena;    dnames->nnames = nnames;    dnames->names = names = PORT_ArenaZNewArray(arena, SECItem, nnames);    if (names == NULL)        goto loser;    for (i = 0; i < nnames; i++) {        cert = CERT_FindCertByNicknameOrEmailAddr(handle, nicknames[i]);        if (cert == NULL)            goto loser;        rv = SECITEM_CopyItem(arena, &names[i], &cert->derSubject);        if (rv == SECFailure)            goto loser;        CERT_DestroyCertificate(cert);    }    return dnames;loser:    if (cert != NULL)        CERT_DestroyCertificate(cert);    if (arena != NULL)        PORT_FreeArena(arena, PR_FALSE);    return NULL;}

CERTVerifyLogContentsCleaner::~CERTVerifyLogContentsCleaner(){  if (!m_cvl)    return;  CERTVerifyLogNode *i_node;  for (i_node = m_cvl->head; i_node; i_node = i_node->next)  {    if (i_node->cert)      CERT_DestroyCertificate(i_node->cert);  }}