| OLD | NEW |
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 | 4 |
| 5 /* | 5 /* |
| 6 * Certificate handling code | 6 * Certificate handling code |
| 7 */ | 7 */ |
| 8 | 8 |
| 9 #include "nssilock.h" | 9 #include "nssilock.h" |
| 10 #include "prmon.h" | 10 #include "prmon.h" |
| (...skipping 1033 matching lines...) |
| 1044 } | 1044 } |
| 1045 | 1045 |
| 1046 /* These routines should probably be combined with the cert | 1046 /* These routines should probably be combined with the cert |
| 1047 * routines using an common extraction routine. | 1047 * routines using an common extraction routine. |
| 1048 */ | 1048 */ |
| 1049 SECCertTimeValidity | 1049 SECCertTimeValidity |
| 1050 SEC_CheckCrlTimes(CERTCrl *crl, PRTime t) { | 1050 SEC_CheckCrlTimes(CERTCrl *crl, PRTime t) { |
| 1051 PRTime notBefore, notAfter, llPendingSlop, tmp1; | 1051 PRTime notBefore, notAfter, llPendingSlop, tmp1; |
| 1052 SECStatus rv; | 1052 SECStatus rv; |
| 1053 | 1053 |
| 1054 if (!crl) { |
| 1055 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1056 return(secCertTimeUndetermined); |
| 1057 } |
| 1058 |
| 1054 rv = SEC_GetCrlTimes(crl, ¬Before, ¬After); | 1059 rv = SEC_GetCrlTimes(crl, ¬Before, ¬After); |
| 1055 | 1060 |
| 1056 if (rv) { | 1061 if (rv) { |
| 1057 return(secCertTimeExpired); | 1062 return(secCertTimeExpired); |
| 1058 } | 1063 } |
| 1059 | 1064 |
| 1060 LL_I2L(llPendingSlop, pendingSlop); | 1065 LL_I2L(llPendingSlop, pendingSlop); |
| 1061 /* convert to micro seconds */ | 1066 /* convert to micro seconds */ |
| 1062 LL_I2L(tmp1, PR_USEC_PER_SEC); | 1067 LL_I2L(tmp1, PR_USEC_PER_SEC); |
| 1063 LL_MUL(llPendingSlop, llPendingSlop, tmp1); | 1068 LL_MUL(llPendingSlop, llPendingSlop, tmp1); |
| 1064 LL_SUB(notBefore, notBefore, llPendingSlop); | 1069 LL_SUB(notBefore, notBefore, llPendingSlop); |
| 1065 if ( LL_CMP( t, <, notBefore ) ) { | 1070 if ( LL_CMP( t, <, notBefore ) ) { |
| 1071 PORT_SetError(SEC_ERROR_CRL_EXPIRED); |
| 1066 return(secCertTimeNotValidYet); | 1072 return(secCertTimeNotValidYet); |
| 1067 } | 1073 } |
| 1068 | 1074 |
| 1069 /* If next update is omitted and the test for notBefore passes, then | 1075 /* If next update is omitted and the test for notBefore passes, then |
| 1070 we assume that the crl is up to date. | 1076 we assume that the crl is up to date. |
| 1071 */ | 1077 */ |
| 1072 if ( LL_IS_ZERO(notAfter) ) { | 1078 if ( LL_IS_ZERO(notAfter) ) { |
| 1073 return(secCertTimeValid); | 1079 return(secCertTimeValid); |
| 1074 } | 1080 } |
| 1075 | 1081 |
| 1076 if ( LL_CMP( t, >, notAfter) ) { | 1082 if ( LL_CMP( t, >, notAfter) ) { |
| 1083 PORT_SetError(SEC_ERROR_CRL_EXPIRED); |
| 1077 return(secCertTimeExpired); | 1084 return(secCertTimeExpired); |
| 1078 } | 1085 } |
| 1079 | 1086 |
| 1080 return(secCertTimeValid); | 1087 return(secCertTimeValid); |
| 1081 } | 1088 } |
| 1082 | 1089 |
| 1083 PRBool | 1090 PRBool |
| 1084 SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old) { | 1091 SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old) { |
| 1085 PRTime newNotBefore, newNotAfter; | 1092 PRTime newNotBefore, newNotAfter; |
| 1086 PRTime oldNotBefore, oldNotAfter; | 1093 PRTime oldNotBefore, oldNotAfter; |
| (...skipping 331 matching lines...) |
| 1418 | 1425 |
| 1419 | 1426 |
| 1420 SECStatus | 1427 SECStatus |
| 1421 cert_VerifySubjectAltName(const CERTCertificate *cert, const char *hn) | 1428 cert_VerifySubjectAltName(const CERTCertificate *cert, const char *hn) |
| 1422 { | 1429 { |
| 1423 PLArenaPool * arena = NULL; | 1430 PLArenaPool * arena = NULL; |
| 1424 CERTGeneralName * nameList = NULL; | 1431 CERTGeneralName * nameList = NULL; |
| 1425 CERTGeneralName * current; | 1432 CERTGeneralName * current; |
| 1426 char * cn; | 1433 char * cn; |
| 1427 int cnBufLen; | 1434 int cnBufLen; |
| 1428 unsigned int hnLen; | |
| 1429 int DNSextCount = 0; | 1435 int DNSextCount = 0; |
| 1430 int IPextCount = 0; | 1436 int IPextCount = 0; |
| 1431 PRBool isIPaddr = PR_FALSE; | 1437 PRBool isIPaddr = PR_FALSE; |
| 1432 SECStatus rv = SECFailure; | 1438 SECStatus rv = SECFailure; |
| 1433 SECItem subAltName; | 1439 SECItem subAltName; |
| 1434 PRNetAddr netAddr; | 1440 PRNetAddr netAddr; |
| 1435 char cnbuf[128]; | 1441 char cnbuf[128]; |
| 1436 | 1442 |
| 1437 subAltName.data = NULL; | 1443 subAltName.data = NULL; |
| 1438 hnLen = strlen(hn); | |
| 1439 cn = cnbuf; | 1444 cn = cnbuf; |
| 1440 cnBufLen = sizeof cnbuf; | 1445 cnBufLen = sizeof cnbuf; |
| 1441 | 1446 |
| 1442 rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, | 1447 rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, |
| 1443 &subAltName); | 1448 &subAltName); |
| 1444 if (rv != SECSuccess) { | 1449 if (rv != SECSuccess) { |
| 1445 goto fail; | 1450 goto fail; |
| 1446 } | 1451 } |
| 1447 isIPaddr = (PR_SUCCESS == PR_StringToNetAddr(hn, &netAddr)); | 1452 isIPaddr = (PR_SUCCESS == PR_StringToNetAddr(hn, &netAddr)); |
| 1448 rv = SECFailure; | 1453 rv = SECFailure; |
| (...skipping 855 matching lines...) |
| 2304 } | 2309 } |
| 2305 | 2310 |
| 2306 /* | 2311 /* |
| 2307 * NOTE - don't allow encode of govt-approved or invisible bits | 2312 * NOTE - don't allow encode of govt-approved or invisible bits |
| 2308 */ | 2313 */ |
| 2309 SECStatus | 2314 SECStatus |
| 2310 CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts) | 2315 CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts) |
| 2311 { | 2316 { |
| 2312 unsigned int i; | 2317 unsigned int i; |
| 2313 unsigned int *pflags; | 2318 unsigned int *pflags; |
| 2314 | 2319 |
| 2315 if (!trust) { | 2320 if (!trust) { |
| 2316 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2321 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 2317 return SECFailure; | 2322 return SECFailure; |
| 2318 } | 2323 } |
| 2319 trust->sslFlags = 0; | 2324 trust->sslFlags = 0; |
| 2320 trust->emailFlags = 0; | 2325 trust->emailFlags = 0; |
| 2321 trust->objectSigningFlags = 0; | 2326 trust->objectSigningFlags = 0; |
| 2322 if (!trusts) { | 2327 if (!trusts) { |
| 2323 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2328 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 2324 return SECFailure; | 2329 return SECFailure; |
| 2325 } | 2330 } |
| 2326 | 2331 |
| 2327 pflags = &trust->sslFlags; | 2332 pflags = &trust->sslFlags; |
| 2328 | 2333 |
| 2329 for (i=0; i < PORT_Strlen(trusts); i++) { | 2334 for (i=0; i < PORT_Strlen(trusts); i++) { |
| 2330 switch (trusts[i]) { | 2335 switch (trusts[i]) { |
| 2331 case 'p': | 2336 case 'p': |
| 2332 *pflags = *pflags | CERTDB_TERMINAL_RECORD; | 2337 *pflags = *pflags | CERTDB_TERMINAL_RECORD; |
| 2333 break; | 2338 break; |
| 2334 | 2339 |
| 2335 case 'P': | 2340 case 'P': |
| 2336 *pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD; | 2341 *pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD; |
| 2337 break; | 2342 break; |
| 2338 | 2343 |
| (...skipping 25 matching lines...) |
| 2364 break; | 2369 break; |
| 2365 | 2370 |
| 2366 case ',': | 2371 case ',': |
| 2367 if ( pflags == &trust->sslFlags ) { | 2372 if ( pflags == &trust->sslFlags ) { |
| 2368 pflags = &trust->emailFlags; | 2373 pflags = &trust->emailFlags; |
| 2369 } else { | 2374 } else { |
| 2370 pflags = &trust->objectSigningFlags; | 2375 pflags = &trust->objectSigningFlags; |
| 2371 } | 2376 } |
| 2372 break; | 2377 break; |
| 2373 default: | 2378 default: |
| 2379 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 2374 return SECFailure; | 2380 return SECFailure; |
| 2375 } | 2381 } |
| 2376 } | 2382 } |
| 2377 | 2383 |
| 2378 return SECSuccess; | 2384 return SECSuccess; |
| 2379 } | 2385 } |
| 2380 | 2386 |
| 2381 static void | 2387 static void |
| 2382 EncodeFlags(char *trusts, unsigned int flags) | 2388 EncodeFlags(char *trusts, unsigned int flags) |
| 2383 { | 2389 { |
| (...skipping 882 matching lines...) |
| 3266 CERTCertificate *cert = NULL; | 3272 CERTCertificate *cert = NULL; |
| 3267 SECItem *derCert; | 3273 SECItem *derCert; |
| 3268 | 3274 |
| 3269 derCert = cert_FindDERCertBySubjectKeyID(subjKeyID); | 3275 derCert = cert_FindDERCertBySubjectKeyID(subjKeyID); |
| 3270 if (derCert) { | 3276 if (derCert) { |
| 3271 cert = CERT_FindCertByDERCert(handle, derCert); | 3277 cert = CERT_FindCertByDERCert(handle, derCert); |
| 3272 SECITEM_FreeItem(derCert, PR_TRUE); | 3278 SECITEM_FreeItem(derCert, PR_TRUE); |
| 3273 } | 3279 } |
| 3274 return cert; | 3280 return cert; |
| 3275 } | 3281 } |
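Review bot: In SEC_CheckCrlTimes the `t < notBefore` branch (new line 1071) sets `SEC_ERROR_CRL_EXPIRED` while returning `secCertTimeNotValidYet`, so the error code contradicts the return value and a not-yet-valid CRL (typically clock skew) is reported as an expired one. NSS defines `SEC_ERROR_CRL_NOT_YET_VALID`, which fits that branch: `PORT_SetError(SEC_ERROR_CRL_NOT_YET_VALID);`. The `if (rv)` path after SEC_GetCrlTimes still returns `secCertTimeExpired` without setting an error in this function, presumably relying on the callee to have set one; a one-line comment such as `/* error code already set by SEC_GetCrlTimes */` would make that explicit if it holds. The new NULL check returns `secCertTimeUndetermined`, so callers need to treat every result other than `secCertTimeValid` as a failure; code that tests only for `secCertTimeExpired` would let a missing CRL pass, and the callers are not visible on this page.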
| OLD | NEW |