authorStef Walter <stefw@gnome.org>2013-03-08 22:50:06 +0100
committerStef Walter <stefw@gnome.org>2013-03-08 22:50:06 +0100
commit6ecf586a1e31f2874c7b185f4f2061aa9e83c08a (patch)
tree560ac07862231310b165f51de84880de12cd1480
parent66fbcf7b6aac7fb808d3146335625cc15d4d2959 (diff)
trust: Use the new NSS PKCS#11 extension codes
NSS had subtly changed the values of the distrust CK_TRUST codes, so update them to stay in sync.
-rw-r--r--common/attrs.c76
-rw-r--r--common/pkcs11x.h59
-rw-r--r--trust/adapter.c22
-rw-r--r--trust/tests/test-module.c4
-rw-r--r--trust/tests/test-parser.c22
-rw-r--r--trust/token.c6
6 files changed, 95 insertions, 94 deletions
diff --git a/common/attrs.c b/common/attrs.c
index b123b07..759bb75 100644
--- a/common/attrs.c
+++ b/common/attrs.c
@@ -581,19 +581,19 @@ attribute_is_sensitive (const CK_ATTRIBUTE *attr)
X (CKA_X_PEER)
X (CKA_X_DISTRUSTED)
X (CKA_X_CRITICAL)
- X (CKA_NETSCAPE_URL)
- X (CKA_NETSCAPE_EMAIL)
- X (CKA_NETSCAPE_SMIME_INFO)
- X (CKA_NETSCAPE_SMIME_TIMESTAMP)
- X (CKA_NETSCAPE_PKCS8_SALT)
- X (CKA_NETSCAPE_PASSWORD_CHECK)
- X (CKA_NETSCAPE_EXPIRES)
- X (CKA_NETSCAPE_KRL)
- X (CKA_NETSCAPE_PQG_COUNTER)
- X (CKA_NETSCAPE_PQG_SEED)
- X (CKA_NETSCAPE_PQG_H)
- X (CKA_NETSCAPE_PQG_SEED_BITS)
- X (CKA_NETSCAPE_MODULE_SPEC)
+ X (CKA_NSS_URL)
+ X (CKA_NSS_EMAIL)
+ X (CKA_NSS_SMIME_INFO)
+ X (CKA_NSS_SMIME_TIMESTAMP)
+ X (CKA_NSS_PKCS8_SALT)
+ X (CKA_NSS_PASSWORD_CHECK)
+ X (CKA_NSS_EXPIRES)
+ X (CKA_NSS_KRL)
+ X (CKA_NSS_PQG_COUNTER)
+ X (CKA_NSS_PQG_SEED)
+ X (CKA_NSS_PQG_H)
+ X (CKA_NSS_PQG_SEED_BITS)
+ X (CKA_NSS_MODULE_SPEC)
X (CKA_TRUST_DIGITAL_SIGNATURE)
X (CKA_TRUST_NON_REPUDIATION)
X (CKA_TRUST_KEY_ENCIPHERMENT)
@@ -636,12 +636,12 @@ format_class (p11_buffer *buffer,
X (CKO_MECHANISM)
X (CKO_X_TRUST_ASSERTION)
X (CKO_X_CERTIFICATE_EXTENSION)
- X (CKO_NETSCAPE_CRL)
- X (CKO_NETSCAPE_SMIME)
- X (CKO_NETSCAPE_TRUST)
- X (CKO_NETSCAPE_BUILTIN_ROOT_LIST)
- X (CKO_NETSCAPE_NEWSLOT)
- X (CKO_NETSCAPE_DELSLOT)
+ X (CKO_NSS_CRL)
+ X (CKO_NSS_SMIME)
+ X (CKO_NSS_TRUST)
+ X (CKO_NSS_BUILTIN_ROOT_LIST)
+ X (CKO_NSS_NEWSLOT)
+ X (CKO_NSS_DELSLOT)
#undef X
}
@@ -704,7 +704,7 @@ format_key_type (p11_buffer *buffer,
X (CKK_AES)
X (CKK_BLOWFISH)
X (CKK_TWOFISH)
- X (CKK_NETSCAPE_PKCS8)
+ X (CKK_NSS_PKCS8)
#undef X
}
@@ -741,11 +741,11 @@ format_trust_value (p11_buffer *buffer,
switch (trust) {
#define X(x) case x: string = #x; break;
- X (CKT_NETSCAPE_TRUSTED)
- X (CKT_NETSCAPE_TRUSTED_DELEGATOR)
- X (CKT_NETSCAPE_UNTRUSTED)
- X (CKT_NETSCAPE_MUST_VERIFY)
- X (CKT_NETSCAPE_TRUST_UNKNOWN)
+ X (CKT_NSS_TRUSTED)
+ X (CKT_NSS_TRUSTED_DELEGATOR)
+ X (CKT_NSS_NOT_TRUSTED)
+ X (CKT_NSS_MUST_VERIFY_TRUST)
+ X (CKT_NSS_TRUST_UNKNOWN)
}
if (string != NULL)
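Review bot: The switch in format_trust_value names five trust codes, but the pkcs11x.h part of this commit defines a sixth, CKT_NSS_VALID_DELEGATOR (0xce53435BUL), which has no case here. A trust attribute carrying that value would miss the symbolic branch and fall to whatever the `string == NULL` path does, which is outside this hunk. Adding `X (CKT_NSS_VALID_DELEGATOR)` after `X (CKT_NSS_TRUST_UNKNOWN)` keeps the formatted output of trust objects readable for every code the header knows. The function starts and ends outside the hunk.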
@@ -880,19 +880,19 @@ format_attribute_type (p11_buffer *buffer,
X (CKA_X_PEER)
X (CKA_X_DISTRUSTED)
X (CKA_X_CRITICAL)
- X (CKA_NETSCAPE_URL)
- X (CKA_NETSCAPE_EMAIL)
- X (CKA_NETSCAPE_SMIME_INFO)
- X (CKA_NETSCAPE_SMIME_TIMESTAMP)
- X (CKA_NETSCAPE_PKCS8_SALT)
- X (CKA_NETSCAPE_PASSWORD_CHECK)
- X (CKA_NETSCAPE_EXPIRES)
- X (CKA_NETSCAPE_KRL)
- X (CKA_NETSCAPE_PQG_COUNTER)
- X (CKA_NETSCAPE_PQG_SEED)
- X (CKA_NETSCAPE_PQG_H)
- X (CKA_NETSCAPE_PQG_SEED_BITS)
- X (CKA_NETSCAPE_MODULE_SPEC)
+ X (CKA_NSS_URL)
+ X (CKA_NSS_EMAIL)
+ X (CKA_NSS_SMIME_INFO)
+ X (CKA_NSS_SMIME_TIMESTAMP)
+ X (CKA_NSS_PKCS8_SALT)
+ X (CKA_NSS_PASSWORD_CHECK)
+ X (CKA_NSS_EXPIRES)
+ X (CKA_NSS_KRL)
+ X (CKA_NSS_PQG_COUNTER)
+ X (CKA_NSS_PQG_SEED)
+ X (CKA_NSS_PQG_H)
+ X (CKA_NSS_PQG_SEED_BITS)
+ X (CKA_NSS_MODULE_SPEC)
X (CKA_TRUST_DIGITAL_SIGNATURE)
X (CKA_TRUST_NON_REPUDIATION)
X (CKA_TRUST_KEY_ENCIPHERMENT)
diff --git a/common/pkcs11x.h b/common/pkcs11x.h
index a1e5971..58be460 100644
--- a/common/pkcs11x.h
+++ b/common/pkcs11x.h
@@ -50,30 +50,30 @@ extern "C" {
#ifdef CRYPTOKI_NSS_VENDOR_DEFINED
/* Various NSS objects */
-#define CKO_NETSCAPE_CRL 0xce534351UL
-#define CKO_NETSCAPE_SMIME 0xce534352UL
-#define CKO_NETSCAPE_TRUST 0xce534353UL
-#define CKO_NETSCAPE_BUILTIN_ROOT_LIST 0xce534354UL
-#define CKO_NETSCAPE_NEWSLOT 0xce534355UL
-#define CKO_NETSCAPE_DELSLOT 0xce534356UL
+#define CKO_NSS_CRL 0xce534351UL
+#define CKO_NSS_SMIME 0xce534352UL
+#define CKO_NSS_TRUST 0xce534353UL
+#define CKO_NSS_BUILTIN_ROOT_LIST 0xce534354UL
+#define CKO_NSS_NEWSLOT 0xce534355UL
+#define CKO_NSS_DELSLOT 0xce534356UL
/* Various NSS key types */
-#define CKK_NETSCAPE_PKCS8 0xce534351UL
+#define CKK_NSS_PKCS8 0xce534351UL
/* Various NSS attributes */
-#define CKA_NETSCAPE_URL 0xce534351UL
-#define CKA_NETSCAPE_EMAIL 0xce534352UL
-#define CKA_NETSCAPE_SMIME_INFO 0xce534353UL
-#define CKA_NETSCAPE_SMIME_TIMESTAMP 0xce534354UL
-#define CKA_NETSCAPE_PKCS8_SALT 0xce534355UL
-#define CKA_NETSCAPE_PASSWORD_CHECK 0xce534356UL
-#define CKA_NETSCAPE_EXPIRES 0xce534357UL
-#define CKA_NETSCAPE_KRL 0xce534358UL
-#define CKA_NETSCAPE_PQG_COUNTER 0xce534364UL
-#define CKA_NETSCAPE_PQG_SEED 0xce534365UL
-#define CKA_NETSCAPE_PQG_H 0xce534366UL
-#define CKA_NETSCAPE_PQG_SEED_BITS 0xce534367UL
-#define CKA_NETSCAPE_MODULE_SPEC 0xce534368UL
+#define CKA_NSS_URL 0xce534351UL
+#define CKA_NSS_EMAIL 0xce534352UL
+#define CKA_NSS_SMIME_INFO 0xce534353UL
+#define CKA_NSS_SMIME_TIMESTAMP 0xce534354UL
+#define CKA_NSS_PKCS8_SALT 0xce534355UL
+#define CKA_NSS_PASSWORD_CHECK 0xce534356UL
+#define CKA_NSS_EXPIRES 0xce534357UL
+#define CKA_NSS_KRL 0xce534358UL
+#define CKA_NSS_PQG_COUNTER 0xce534364UL
+#define CKA_NSS_PQG_SEED 0xce534365UL
+#define CKA_NSS_PQG_H 0xce534366UL
+#define CKA_NSS_PQG_SEED_BITS 0xce534367UL
+#define CKA_NSS_MODULE_SPEC 0xce534368UL
/* NSS trust attributes */
#define CKA_TRUST_DIGITAL_SIGNATURE 0xce536351UL
@@ -97,19 +97,20 @@ extern "C" {
/* NSS trust values */
typedef CK_ULONG CK_TRUST;
-#define CKT_NETSCAPE_TRUSTED 0xce534351UL
-#define CKT_NETSCAPE_TRUSTED_DELEGATOR 0xce534352UL
-#define CKT_NETSCAPE_UNTRUSTED 0xce534353UL
-#define CKT_NETSCAPE_MUST_VERIFY 0xce534354UL
-#define CKT_NETSCAPE_TRUST_UNKNOWN 0xce534355UL
+#define CKT_NSS_TRUSTED 0xce534351UL
+#define CKT_NSS_TRUSTED_DELEGATOR 0xce534352UL
+#define CKT_NSS_MUST_VERIFY_TRUST 0xce534353UL
+#define CKT_NSS_NOT_TRUSTED 0xce53435AUL
+#define CKT_NSS_TRUST_UNKNOWN 0xce534355UL
+#define CKT_NSS_VALID_DELEGATOR 0xce53435BUL
/* NSS specific mechanisms */
-#define CKM_NETSCAPE_AES_KEY_WRAP 0xce534351UL
-#define CKM_NETSCAPE_AES_KEY_WRAP_PAD 0xce534352UL
+#define CKM_NSS_AES_KEY_WRAP 0xce534351UL
+#define CKM_NSS_AES_KEY_WRAP_PAD 0xce534352UL
/* NSS specific return values */
-#define CKR_NETSCAPE_CERTDB_FAILED 0xce534351UL
-#define CKR_NETSCAPE_KEYDB_FAILED 0xce534352UL
+#define CKR_NSS_CERTDB_FAILED 0xce534351UL
+#define CKR_NSS_KEYDB_FAILED 0xce534352UL
#endif /* CRYPTOKI_NSS_VENDOR_DEFINED */
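Review bot: 0xce534353UL changes meaning in this block without any marker: it was CKT_NETSCAPE_UNTRUSTED and is now CKT_NSS_MUST_VERIFY_TRUST, distrust moves to 0xce53435AUL, and 0xce534354UL (the old CKT_NETSCAPE_MUST_VERIFY) loses its name. A consumer built against the old header, or a stored trust object still carrying the old number, would have its distrust read as the weaker must-verify state instead of a rejection. A comment above the trust values would record this, for example `/* 0xce534353UL was the distrust code before NSS renumbered; distrust is now CKT_NSS_NOT_TRUSTED */`. Whether anything outside this tree persists these values is not visible from the diff.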
diff --git a/trust/adapter.c b/trust/adapter.c
index d17cb70..08e4c78 100644
--- a/trust/adapter.c
+++ b/trust/adapter.c
@@ -82,7 +82,7 @@ build_trust_object_ku (p11_parser *parser,
defawlt = present;
/* If blacklisted, don't even bother looking at extensions */
- if (present != CKT_NETSCAPE_UNTRUSTED)
+ if (present != CKT_NSS_NOT_TRUSTED)
data = p11_parsing_get_extension (parser, parsing, P11_OID_KEY_USAGE, &length);
if (data) {
@@ -91,7 +91,7 @@ build_trust_object_ku (p11_parser *parser,
* usages are to be set. If the extension was invalid, then
* fail safe to none of the key usages.
*/
- defawlt = CKT_NETSCAPE_TRUST_UNKNOWN;
+ defawlt = CKT_NSS_TRUST_UNKNOWN;
defs = p11_parser_get_asn1_defs (parser);
if (!p11_x509_parse_key_usage (defs, data, length, &ku))
@@ -171,19 +171,19 @@ build_trust_object_eku (p11_parser *parser,
return_val_if_reached (NULL);
/* The neutral value is set if an purpose is not present */
- if (allow == CKT_NETSCAPE_UNTRUSTED)
- neutral = CKT_NETSCAPE_UNTRUSTED;
+ if (allow == CKT_NSS_NOT_TRUSTED)
+ neutral = CKT_NSS_NOT_TRUSTED;
/* If anything explicitly set, then neutral is unknown */
else if (purposes || rejects)
- neutral = CKT_NETSCAPE_TRUST_UNKNOWN;
+ neutral = CKT_NSS_TRUST_UNKNOWN;
/* Otherwise neutral will allow any purpose */
else
neutral = allow;
/* The value set if a purpose is explictly rejected */
- disallow = CKT_NETSCAPE_UNTRUSTED;
+ disallow = CKT_NSS_NOT_TRUSTED;
for (i = 0; eku_attribute_map[i].type != CKA_INVALID; i++) {
attrs[i].type = eku_attribute_map[i].type;
@@ -218,7 +218,7 @@ build_nss_trust_object (p11_parser *parser,
CK_ATTRIBUTE *object = NULL;
CK_TRUST allow;
- CK_OBJECT_CLASS vclass = CKO_NETSCAPE_TRUST;
+ CK_OBJECT_CLASS vclass = CKO_NSS_TRUST;
CK_BYTE vsha1_hash[P11_CHECKSUM_SHA1_LENGTH];
CK_BYTE vmd5_hash[P11_CHECKSUM_MD5_LENGTH];
CK_BBOOL vfalse = CK_FALSE;
@@ -270,13 +270,13 @@ build_nss_trust_object (p11_parser *parser,
/* Calculate the default allow trust */
if (distrust)
- allow = CKT_NETSCAPE_UNTRUSTED;
+ allow = CKT_NSS_NOT_TRUSTED;
else if (trust && authority)
- allow = CKT_NETSCAPE_TRUSTED_DELEGATOR;
+ allow = CKT_NSS_TRUSTED_DELEGATOR;
else if (trust)
- allow = CKT_NETSCAPE_TRUSTED;
+ allow = CKT_NSS_TRUSTED;
else
- allow = CKT_NETSCAPE_TRUST_UNKNOWN;
+ allow = CKT_NSS_TRUST_UNKNOWN;
object = build_trust_object_ku (parser, parsing, object, allow);
return_if_fail (object != NULL);
diff --git a/trust/tests/test-module.c b/trust/tests/test-module.c
index 2e085ba..2d0e488 100644
--- a/trust/tests/test-module.c
+++ b/trust/tests/test-module.c
@@ -192,7 +192,7 @@ static void
check_has_trust_object (CuTest *cu,
CK_ATTRIBUTE *cert)
{
- CK_OBJECT_CLASS trust_object = CKO_NETSCAPE_TRUST;
+ CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST;
CK_ATTRIBUTE klass = { CKA_CLASS, &trust_object, sizeof (trust_object) };
CK_OBJECT_HANDLE objects[2];
CK_ATTRIBUTE *match;
@@ -314,7 +314,7 @@ test_find_certificates (CuTest *cu)
static void
test_find_builtin (CuTest *cu)
{
- CK_OBJECT_CLASS klass = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
+ CK_OBJECT_CLASS klass = CKO_NSS_BUILTIN_ROOT_LIST;
CK_BBOOL vtrue = CK_TRUE;
CK_BBOOL vfalse = CK_FALSE;
diff --git a/trust/tests/test-parser.c b/trust/tests/test-parser.c
index 581ff5e..0f40748 100644
--- a/trust/tests/test-parser.c
+++ b/trust/tests/test-parser.c
@@ -154,11 +154,11 @@ test_parse_pem_certificate (CuTest *cu)
static void
test_parse_openssl_trusted (CuTest *cu)
{
- CK_TRUST trusted = CKT_NETSCAPE_TRUSTED_DELEGATOR;
- CK_TRUST distrusted = CKT_NETSCAPE_UNTRUSTED;
- CK_TRUST unknown = CKT_NETSCAPE_TRUST_UNKNOWN;
+ CK_TRUST trusted = CKT_NSS_TRUSTED_DELEGATOR;
+ CK_TRUST distrusted = CKT_NSS_NOT_TRUSTED;
+ CK_TRUST unknown = CKT_NSS_TRUST_UNKNOWN;
CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION;
- CK_OBJECT_CLASS trust_object = CKO_NETSCAPE_TRUST;
+ CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST;
CK_OBJECT_CLASS trust_assertion = CKO_X_TRUST_ASSERTION;
CK_X_ASSERTION_TYPE anchored_certificate = CKT_X_ANCHORED_CERTIFICATE;
CK_X_ASSERTION_TYPE distrusted_certificate = CKT_X_DISTRUSTED_CERTIFICATE;
@@ -294,9 +294,9 @@ test_parse_openssl_trusted (CuTest *cu)
static void
test_parse_openssl_distrusted (CuTest *cu)
{
- CK_TRUST distrusted = CKT_NETSCAPE_UNTRUSTED;
+ CK_TRUST distrusted = CKT_NSS_NOT_TRUSTED;
CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION;
- CK_OBJECT_CLASS trust_object = CKO_NETSCAPE_TRUST;
+ CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST;
CK_OBJECT_CLASS klass = CKO_CERTIFICATE;
CK_OBJECT_CLASS trust_assertion = CKO_X_TRUST_ASSERTION;
CK_X_ASSERTION_TYPE distrusted_certificate = CKT_X_DISTRUSTED_CERTIFICATE;
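Review bot: `distrusted` is initialised from the same CKT_NSS_NOT_TRUSTED macro the parser uses, so this test passes for any number the header assigns and cannot catch drift from the NSS value. Since the commit exists to keep the numbers in sync, a one-line pin such as `CuAssertTrue (cu, CKT_NSS_NOT_TRUSTED == 0xce53435AUL);` in this test would make a future mismatch fail. The same applies to the other test hunks in this file. The body of test_parse_openssl_distrusted continues outside the hunk.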
@@ -515,10 +515,10 @@ test_parse_openssl_distrusted (CuTest *cu)
static void
test_parse_with_key_usage (CuTest *cu)
{
- CK_TRUST trusted = CKT_NETSCAPE_TRUSTED;
- CK_TRUST unknown = CKT_NETSCAPE_TRUST_UNKNOWN;
+ CK_TRUST trusted = CKT_NSS_TRUSTED;
+ CK_TRUST unknown = CKT_NSS_TRUST_UNKNOWN;
CK_OBJECT_CLASS klass = CKO_CERTIFICATE;
- CK_OBJECT_CLASS trust_object = CKO_NETSCAPE_TRUST;
+ CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST;
CK_BBOOL vtrue = CK_TRUE;
CK_BBOOL vfalse = CK_FALSE;
CK_CERTIFICATE_TYPE x509 = CKC_X_509;
@@ -606,9 +606,9 @@ static void
test_parse_anchor (CuTest *cu)
{
CK_BBOOL vtrue = CK_TRUE;
- CK_OBJECT_CLASS trust_object = CKO_NETSCAPE_TRUST;
+ CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST;
CK_ATTRIBUTE trusted = { CKA_TRUSTED, &vtrue, sizeof (vtrue) };
- CK_TRUST delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
+ CK_TRUST delegator = CKT_NSS_TRUSTED_DELEGATOR;
CK_OBJECT_CLASS trust_assertion = CKO_X_TRUST_ASSERTION;
CK_X_ASSERTION_TYPE anchored_certificate = CKT_X_ANCHORED_CERTIFICATE;
diff --git a/trust/token.c b/trust/token.c
index 46eea20..3c0de4c 100644
--- a/trust/token.c
+++ b/trust/token.c
@@ -214,9 +214,9 @@ loader_load_paths (p11_token *token,
static int
load_builtin_objects (p11_token *token)
{
- CK_OBJECT_CLASS builtin = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
- CK_OBJECT_CLASS nss_trust = CKO_NETSCAPE_TRUST;
- CK_TRUST nss_not_trusted = CKT_NETSCAPE_UNTRUSTED;
+ CK_OBJECT_CLASS builtin = CKO_NSS_BUILTIN_ROOT_LIST;
+ CK_OBJECT_CLASS nss_trust = CKO_NSS_TRUST;
+ CK_TRUST nss_not_trusted = CKT_NSS_NOT_TRUSTED;
CK_BBOOL vtrue = CK_TRUE;
CK_BBOOL vfalse = CK_FALSE;