From 6295c6e20adea22f2c86f0c80f0036584837bb64 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Thu, 1 Aug 2024 15:43:28 -0500
Subject: [PATCH] Add PK11Store.findCertFromDERCertItem()

The PK11Store.findCertFromDERCertItem() has been added to find a cert in NSS database using PK11_FindCertFromDERCertItem(). The findCert() has been modified to use this method.
---
 .../org/mozilla/jss/pkcs11/PK11Store.java | 31 ++-----------
 lib/jss.map | 6 +++
 .../native/org/mozilla/jss/pkcs11/PK11Store.c | 46 +++++++++++++++++++
 3 files changed, 56 insertions(+), 27 deletions(-)

diff --git a/base/src/main/java/org/mozilla/jss/pkcs11/PK11Store.java b/base/src/main/java/org/mozilla/jss/pkcs11/PK11Store.java
index 3ac385ccc..90d4bd4dc 100644
--- a/base/src/main/java/org/mozilla/jss/pkcs11/PK11Store.java
+++ b/base/src/main/java/org/mozilla/jss/pkcs11/PK11Store.java
@@ -4,7 +4,6 @@
 package org.mozilla.jss.pkcs11;
-import java.io.ByteArrayInputStream;
 import java.math.BigInteger;
 import java.security.PublicKey;
 import java.security.interfaces.RSAKey;
@@ -15,8 +14,6 @@
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.NotInitializedException;
-import org.mozilla.jss.asn1.ASN1Util;
-import org.mozilla.jss.asn1.INTEGER;
 import org.mozilla.jss.crypto.Algorithm;
 import org.mozilla.jss.crypto.CryptoStore;
 import org.mozilla.jss.crypto.KeyAlreadyImportedException;
@@ -28,9 +25,6 @@
 import org.mozilla.jss.crypto.SymmetricKey;
 import org.mozilla.jss.crypto.TokenException;
 import org.mozilla.jss.crypto.X509Certificate;
-import org.mozilla.jss.pkix.cert.Certificate;
-import org.mozilla.jss.pkix.cert.CertificateInfo;
-import org.mozilla.jss.pkix.primitive.Name;
 import org.mozilla.jss.util.Password;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -202,29 +196,12 @@ public native void importEncryptedPrivateKeyInfo(
 @Override
 public X509Certificate findCert(byte[] certBytes) throws TokenException {
-
- try (ByteArrayInputStream is = new ByteArrayInputStream(certBytes)) {
-
- Certificate pkixCert = (Certificate) Certificate.getTemplate().decode(is);
- CertificateInfo certInfo = pkixCert.getInfo();
-
- Name issuer = certInfo.getIssuer();
- INTEGER serialNumber = certInfo.getSerialNumber();
-
- // TODO: replace with PK11_FindCertFromDERCert()
- CryptoManager cm = CryptoManager.getInstance();
- return cm.findCertByIssuerAndSerialNumber(
- ASN1Util.encode(issuer),
- serialNumber);
-
- } catch (ObjectNotFoundException e) {
- return null;
-
- } catch (Exception e) {
- throw new TokenException("Unable to find certificate: " + e.getMessage(), e);
- }
+ return findCertFromDERCertItem(certBytes);
 }
+ public native X509Certificate findCertFromDERCertItem(byte[] certBytes)
+ throws TokenException;
+
 @Override
 public native X509Certificate importCert(byte[] certBytes, String nickname) throws TokenException;
diff --git a/lib/jss.map b/lib/jss.map
index 94df9e771..ab5a0b142 100644
--- a/lib/jss.map
+++ b/lib/jss.map
@@ -518,3 +518,9 @@ Java_org_mozilla_jss_pkcs11_PK11Store_importCert;
 local:
 *;
 };
+JSS_5.6.0 {
+ global:
+Java_org_mozilla_jss_pkcs11_PK11Store_findCertFromDERCertItem;
+ local:
+ *;
+};
diff --git a/native/src/main/native/org/mozilla/jss/pkcs11/PK11Store.c b/native/src/main/native/org/mozilla/jss/pkcs11/PK11Store.c
index ea201d9c4..1e3a57c45 100644
--- a/native/src/main/native/org/mozilla/jss/pkcs11/PK11Store.c
+++ b/native/src/main/native/org/mozilla/jss/pkcs11/PK11Store.c
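Review bot: In the `findCert` hunk of PK11Store.java, the new public native `findCertFromDERCertItem(byte[] certBytes)` is added without Javadoc, although its contract differs from the body it replaces. The removed code turned a null or undecodable `certBytes` into a `TokenException` through its `catch (Exception e)` and looked the certificate up by issuer and serial number via `CryptoManager`; the native implementation in this patch returns `null` for a null array and passes this store's slot and the whole DER item to `PK11_FindCertFromDERCertItem`, so the search scope and match criterion have presumably narrowed. Document on the method what is matched, which token is searched, and that `null` means no match, so callers do not read a lookup failure as proof that a certificate is absent. If the old behaviour for bad input is wanted, keep it in `findCert()`, e.g. `if (certBytes == null) throw new TokenException("Unable to find certificate: missing certificate data");`.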
@@ -385,6 +385,52 @@ JSS_PK11_getStoreSlotPtr(JNIEnv *env, jobject store, PK11SlotInfo **slot)
 PK11STORE_PROXY_SIG, (void**)slot);
 }
+/**********************************************************************
+ * PK11Store.findCertFromDERCertItem
+ */
+JNIEXPORT jobject JNICALL
+Java_org_mozilla_jss_pkcs11_PK11Store_findCertFromDERCertItem(
+ JNIEnv *env,
+ jobject this,
+ jbyteArray certBytes)
+{
+ PK11SlotInfo *slot = NULL;
+ SECItem *derCert = NULL;
+ CERTCertificate *nssCert = NULL;
+ jobject cert = NULL;
+
+ if (certBytes == NULL) {
+ goto finish;
+ }
+
+ if (JSS_PK11_getStoreSlotPtr(env, this, &slot) != PR_SUCCESS) {
+ goto finish;
+ }
+
+ derCert = JSS_ByteArrayToSECItem(env, certBytes);
+ if (derCert == NULL) {
+ goto finish;
+ }
+
+ nssCert = PK11_FindCertFromDERCertItem(slot, derCert, NULL);
+ if (nssCert == NULL) {
+ goto finish;
+ }
+
+ cert = JSS_PK11_wrapCertAndSlot(env, &nssCert, &slot);
+
+finish:
+ if (nssCert != NULL) {
+ CERT_DestroyCertificate(nssCert);
+ }
+
+ if (derCert != NULL) {
+ SECITEM_FreeItem(derCert, PR_TRUE);
+ }
+
+ return cert;
+}
+
 /**********************************************************************
 * PK11Store.importCert
 */
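Review bot: Every early exit in Java_org_mozilla_jss_pkcs11_PK11Store_findCertFromDERCertItem reaches `finish` with `cert` still NULL and the function itself raises nothing, so a failed slot lookup, a failed `JSS_ByteArrayToSECItem` conversion, an NSS error and a plain "not on this token" all look the same to Java even though the method is declared `throws TokenException`. Unless those helpers already leave an exception pending, raise one on the paths that are not "not found", e.g. `JSS_throwMsg(env, TOKEN_EXCEPTION, "Unable to get slot for certificate lookup");` before the `goto finish`. Separately, `JSS_PK11_wrapCertAndSlot(env, &nssCert, &slot)` receives the pointer filled in by `JSS_PK11_getStoreSlotPtr`; if the wrapper takes ownership of both by-reference arguments, as the later NULL test on `nssCert` suggests, the store's slot reference would be released along with the certificate object, so confirm whether `slot = PK11_ReferenceSlot(slot);` is needed first. A short comment at `finish:` saying who owns `nssCert` and `slot` after the wrap call would make the cleanup auditable.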