OLD | NEW |
1 /* ***** BEGIN LICENSE BLOCK ***** | 1 /* ***** BEGIN LICENSE BLOCK ***** |
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
3 * | 3 * |
4 * The contents of this file are subject to the Mozilla Public License Version | 4 * The contents of this file are subject to the Mozilla Public License Version |
5 * 1.1 (the "License"); you may not use this file except in compliance with | 5 * 1.1 (the "License"); you may not use this file except in compliance with |
6 * the License. You may obtain a copy of the License at | 6 * the License. You may obtain a copy of the License at |
7 * http://www.mozilla.org/MPL/ | 7 * http://www.mozilla.org/MPL/ |
8 * | 8 * |
9 * Software distributed under the License is distributed on an "AS IS" basis, | 9 * Software distributed under the License is distributed on an "AS IS" basis, |
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License | 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License |
(...skipping 19 matching lines...) Expand all Loading... |
30 * decision by deleting the provisions above and replace them with the notice | 30 * decision by deleting the provisions above and replace them with the notice |
31 * and other provisions required by the GPL or the LGPL. If you do not delete | 31 * and other provisions required by the GPL or the LGPL. If you do not delete |
32 * the provisions above, a recipient may use your version of this file under | 32 * the provisions above, a recipient may use your version of this file under |
33 * the terms of any one of the MPL, the GPL or the LGPL. | 33 * the terms of any one of the MPL, the GPL or the LGPL. |
34 * | 34 * |
35 * ***** END LICENSE BLOCK ***** */ | 35 * ***** END LICENSE BLOCK ***** */ |
36 | 36 |
37 /* | 37 /* |
38 * Moved from secpkcs7.c | 38 * Moved from secpkcs7.c |
39 * | 39 * |
40 * $Id: crl.c,v 1.68 2009/08/10 22:25:44 julien.pierre.boogz%sun.com Exp $ | 40 * $Id: crl.c,v 1.71 2010/05/21 00:43:51 wtc%google.com Exp $ |
41 */ | 41 */ |
42 | 42 |
43 #include "cert.h" | 43 #include "cert.h" |
44 #include "certi.h" | 44 #include "certi.h" |
45 #include "secder.h" | 45 #include "secder.h" |
46 #include "secasn1.h" | 46 #include "secasn1.h" |
47 #include "secoid.h" | 47 #include "secoid.h" |
48 #include "certdb.h" | 48 #include "certdb.h" |
49 #include "certxutl.h" | 49 #include "certxutl.h" |
50 #include "prtime.h" | 50 #include "prtime.h" |
(...skipping 784 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
835 | 835 |
836 loser: | 836 loser: |
837 PORT_FreeArena(arena, PR_FALSE); | 837 PORT_FreeArena(arena, PR_FALSE); |
838 return(crl); | 838 return(crl); |
839 } | 839 } |
840 | 840 |
841 CERTSignedCrl* SEC_DupCrl(CERTSignedCrl* acrl) | 841 CERTSignedCrl* SEC_DupCrl(CERTSignedCrl* acrl) |
842 { | 842 { |
843 if (acrl) | 843 if (acrl) |
844 { | 844 { |
845 PR_AtomicIncrement(&acrl->referenceCount); | 845 PR_ATOMIC_INCREMENT(&acrl->referenceCount); |
846 return acrl; | 846 return acrl; |
847 } | 847 } |
848 return NULL; | 848 return NULL; |
849 } | 849 } |
850 | 850 |
851 SECStatus | 851 SECStatus |
852 SEC_DestroyCrl(CERTSignedCrl *crl) | 852 SEC_DestroyCrl(CERTSignedCrl *crl) |
853 { | 853 { |
854 if (crl) { | 854 if (crl) { |
855 » if (PR_AtomicDecrement(&crl->referenceCount) < 1) { | 855 » if (PR_ATOMIC_DECREMENT(&crl->referenceCount) < 1) { |
856 if (crl->slot) { | 856 if (crl->slot) { |
857 PK11_FreeSlot(crl->slot); | 857 PK11_FreeSlot(crl->slot); |
858 } | 858 } |
859 if (GetOpaqueCRLFields(crl) && | 859 if (GetOpaqueCRLFields(crl) && |
860 PR_TRUE == GetOpaqueCRLFields(crl)->heapDER) { | 860 PR_TRUE == GetOpaqueCRLFields(crl)->heapDER) { |
861 SECITEM_FreeItem(crl->derCrl, PR_TRUE); | 861 SECITEM_FreeItem(crl->derCrl, PR_TRUE); |
862 } | 862 } |
863 if (crl->arena) { | 863 if (crl->arena) { |
864 PORT_FreeArena(crl->arena, PR_FALSE); | 864 PORT_FreeArena(crl->arena, PR_FALSE); |
865 } | 865 } |
(...skipping 766 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1632 issuer, vfdate, wincx); | 1632 issuer, vfdate, wincx); |
1633 } | 1633 } |
1634 | 1634 |
1635 /* verify a CRL and update cache state */ | 1635 /* verify a CRL and update cache state */ |
1636 static SECStatus CachedCrl_Verify(CRLDPCache* cache, CachedCrl* crlobject, | 1636 static SECStatus CachedCrl_Verify(CRLDPCache* cache, CachedCrl* crlobject, |
1637 PRTime vfdate, void* wincx) | 1637 PRTime vfdate, void* wincx) |
1638 { | 1638 { |
1639 /* Check if it is an invalid CRL | 1639 /* Check if it is an invalid CRL |
1640 if we got a bad CRL, we want to cache it in order to avoid | 1640 if we got a bad CRL, we want to cache it in order to avoid |
1641 subsequent fetches of this same identical bad CRL. We set | 1641 subsequent fetches of this same identical bad CRL. We set |
1642 the cache to the invalid state to ensure that all certs | 1642 the cache to the invalid state to ensure that all certs on this |
1643 on this DP are considered revoked from now on. The cache | 1643 DP are considered to have unknown status from now on. The cache |
1644 object will remain in this state until the bad CRL object | 1644 object will remain in this state until the bad CRL object |
1645 is removed from the token it was fetched from. If the cause | 1645 is removed from the token it was fetched from. If the cause |
1646 of the failure is that we didn't have the issuer cert to | 1646 of the failure is that we didn't have the issuer cert to |
1647 verify the signature, this state can be cleared when | 1647 verify the signature, this state can be cleared when |
1648 the issuer certificate becomes available if that causes the | 1648 the issuer certificate becomes available if that causes the |
1649 signature to verify */ | 1649 signature to verify */ |
1650 | 1650 |
1651 if (!cache || !crlobject) | 1651 if (!cache || !crlobject) |
1652 { | 1652 { |
1653 PORT_Assert(0); | 1653 PORT_Assert(0); |
(...skipping 165 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1819 SECStatus rv; | 1819 SECStatus rv; |
1820 if (!cache || !sn || !returned) | 1820 if (!cache || !sn || !returned) |
1821 { | 1821 { |
1822 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1822 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1823 /* no cache or SN to look up, or no way to return entry */ | 1823 /* no cache or SN to look up, or no way to return entry */ |
1824 return dpcacheCallerError; | 1824 return dpcacheCallerError; |
1825 } | 1825 } |
1826 *returned = NULL; | 1826 *returned = NULL; |
1827 if (0 != cache->invalid) | 1827 if (0 != cache->invalid) |
1828 { | 1828 { |
1829 /* the cache contains a bad CRL, or there was a CRL fetching error. | 1829 /* the cache contains a bad CRL, or there was a CRL fetching error. */ |
1830 consider all certs revoked as a security measure */ | |
1831 PORT_SetError(SEC_ERROR_CRL_INVALID); | 1830 PORT_SetError(SEC_ERROR_CRL_INVALID); |
1832 return dpcacheInvalidCacheError; | 1831 return dpcacheInvalidCacheError; |
1833 } | 1832 } |
1834 if (!cache->selected) | 1833 if (!cache->selected) |
1835 { | 1834 { |
1836 /* no CRL means no entry to return. This is OK, except for | 1835 /* no CRL means no entry to return. This is OK, except for |
1837 * NIST policy */ | 1836 * NIST policy */ |
1838 return dpcacheEmpty; | 1837 return dpcacheEmpty; |
1839 } | 1838 } |
1840 rv = CachedCrl_GetEntry(cache->selected, sn, returned); | 1839 rv = CachedCrl_GetEntry(cache->selected, sn, returned); |
(...skipping 946 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2787 case dpcacheEmpty: | 2786 case dpcacheEmpty: |
2788 /* useful for NIST policy */ | 2787 /* useful for NIST policy */ |
2789 status = certRevocationStatusUnknown; | 2788 status = certRevocationStatusUnknown; |
2790 break; | 2789 break; |
2791 | 2790 |
2792 case dpcacheNoEntry: | 2791 case dpcacheNoEntry: |
2793 status = certRevocationStatusValid; | 2792 status = certRevocationStatusValid; |
2794 break; | 2793 break; |
2795 | 2794 |
2796 case dpcacheInvalidCacheError: | 2795 case dpcacheInvalidCacheError: |
2797 /* t of zero may have caused the CRL cache to fail to verify | 2796 /* treat it as unknown and let the caller decide based on |
2798 * a CRL. treat it as unknown */ | 2797 the policy */ |
2799 if (!t) | 2798 status = certRevocationStatusUnknown; |
2800 { | |
2801 status = certRevocationStatusUnknown; | |
2802 } | |
2803 break; | 2799 break; |
2804 | 2800 |
2805 default: | 2801 default: |
2806 /* leave status as revoked */ | 2802 /* leave status as revoked */ |
2807 break; | 2803 break; |
2808 } | 2804 } |
2809 | 2805 |
2810 ReleaseDPCache(dpcache, lockedwrite); | 2806 ReleaseDPCache(dpcache, lockedwrite); |
2811 if (revStatus) | 2807 if (revStatus) |
2812 { | 2808 { |
(...skipping 646 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3459 to CERT_CacheCRL previously. That API takes a SECItem*, thus, we | 3455 to CERT_CacheCRL previously. That API takes a SECItem*, thus, we |
3460 just do a pointer comparison here. | 3456 just do a pointer comparison here. |
3461 */ | 3457 */ |
3462 if (b->crl->derCrl == a->crl->derCrl) | 3458 if (b->crl->derCrl == a->crl->derCrl) |
3463 { | 3459 { |
3464 *isDupe = PR_TRUE; | 3460 *isDupe = PR_TRUE; |
3465 } | 3461 } |
3466 } | 3462 } |
3467 return SECSuccess; | 3463 return SECSuccess; |
3468 } | 3464 } |
3469 | |
3470 /* this function assumes the caller holds a read lock on the DPCache */ | |
3471 SECStatus DPCache_GetAllCRLs(CRLDPCache* dpc, PRArenaPool* arena, | |
3472 CERTSignedCrl*** crls, PRUint16* status) | |
3473 { | |
3474 CERTSignedCrl** allcrls; | |
3475 PRUint32 index; | |
3476 if (!dpc || !crls || !status) | |
3477 { | |
3478 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
3479 return SECFailure; | |
3480 } | |
3481 | |
3482 *status = dpc->invalid; | |
3483 *crls = NULL; | |
3484 if (!dpc->ncrls) | |
3485 { | |
3486 /* no CRLs to return */ | |
3487 return SECSuccess; | |
3488 } | |
3489 allcrls = PORT_ArenaZNewArray(arena, CERTSignedCrl*, dpc->ncrls +1); | |
3490 if (!allcrls) | |
3491 { | |
3492 return SECFailure; | |
3493 } | |
3494 for (index=0; index < dpc->ncrls ; index ++) { | |
3495 CachedCrl* cachedcrl = dpc->crls[index]; | |
3496 if (!cachedcrl || !cachedcrl->crl) | |
3497 { | |
3498 PORT_Assert(0); /* this should never happen */ | |
3499 continue; | |
3500 } | |
3501 allcrls[index] = SEC_DupCrl(cachedcrl->crl); | |
3502 } | |
3503 *crls = allcrls; | |
3504 return SECSuccess; | |
3505 } | |
3506 | |
3507 static CachedCrl* DPCache_FindCRL(CRLDPCache* cache, CERTSignedCrl* crl) | |
3508 { | |
3509 PRUint32 index; | |
3510 CachedCrl* cachedcrl = NULL; | |
3511 for (index=0; index < cache->ncrls ; index ++) { | |
3512 cachedcrl = cache->crls[index]; | |
3513 if (!cachedcrl || !cachedcrl->crl) | |
3514 { | |
3515 PORT_Assert(0); /* this should never happen */ | |
3516 continue; | |
3517 } | |
3518 if (cachedcrl->crl == crl) { | |
3519 break; | |
3520 } | |
3521 } | |
3522 return cachedcrl; | |
3523 } | |
3524 | |
3525 /* this function assumes the caller holds a lock on the DPCache */ | |
3526 SECStatus DPCache_GetCRLEntry(CRLDPCache* cache, PRBool readlocked, | |
3527 CERTSignedCrl* crl, SECItem* sn, | |
3528 CERTCrlEntry** returned) | |
3529 { | |
3530 CachedCrl* cachedcrl = NULL; | |
3531 if (!cache || !crl || !sn || !returned) | |
3532 { | |
3533 PORT_Assert(0); | |
3534 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
3535 return SECFailure; | |
3536 } | |
3537 *returned = NULL; | |
3538 /* first, we need to find the CachedCrl* that matches this CERTSignedCRL */ | |
3539 cachedcrl = DPCache_FindCRL(cache, crl); | |
3540 if (!cachedcrl) { | |
3541 PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); | |
3542 return SECFailure; | |
3543 } | |
3544 | |
3545 if (cachedcrl->unbuildable) { | |
3546 /* this CRL could not be fully decoded */ | |
3547 PORT_SetError(SEC_ERROR_BAD_DER); | |
3548 return SECFailure; | |
3549 } | |
3550 /* now, make sure it has a hash table. Otherwise, we'll need to build one */ | |
3551 if (!cachedcrl->entries || !cachedcrl->prebuffer) { | |
3552 DPCache_LockWrite(); | |
3553 CachedCrl_Populate(cachedcrl); | |
3554 DPCache_UnlockWrite(); | |
3555 } | |
3556 | |
3557 /* finally, get the CRL entry */ | |
3558 return CachedCrl_GetEntry(cachedcrl, sn, returned); | |
3559 } | |
3560 | |
OLD | NEW |