Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(393)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: mozilla/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c

Issue 14249009: Change the NSS and NSPR source tree to the new directory structure to be (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/
Patch Set: Created 7 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « mozilla/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.h ('k') | mozilla/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 /*
5 * pkix_certselector.c
6 *
7 * CertSelector Object Functions
8 *
9 */
10
11 #include "pkix_certselector.h"
12
13 /* --Private-Functions-------------------------------------------- */
14
15 /*
16 * FUNCTION: pkix_CertSelector_Destroy
17 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
18 */
19 static PKIX_Error *
20 pkix_CertSelector_Destroy(
21 PKIX_PL_Object *object,
22 void *plContext)
23 {
24 PKIX_CertSelector *selector = NULL;
25
26 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Destroy");
27 PKIX_NULLCHECK_ONE(object);
28
29 /* Check that this object is a cert selector */
30 PKIX_CHECK(pkix_CheckType(object, PKIX_CERTSELECTOR_TYPE, plContext),
31 PKIX_OBJECTNOTCERTSELECTOR);
32
33 selector = (PKIX_CertSelector *)object;
34 PKIX_DECREF(selector->params);
35 PKIX_DECREF(selector->context);
36
37 cleanup:
38
39 PKIX_RETURN(CERTSELECTOR);
40 }
41
42 /*
43 * FUNCTION: pkix_CertSelector_Duplicate
44 * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
45 */
46 static PKIX_Error *
47 pkix_CertSelector_Duplicate(
48 PKIX_PL_Object *object,
49 PKIX_PL_Object **pNewObject,
50 void *plContext)
51 {
52 PKIX_CertSelector *certSelector = NULL;
53 PKIX_CertSelector *certSelectorDuplicate = NULL;
54
55 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Duplicate");
56 PKIX_NULLCHECK_TWO(object, pNewObject);
57
58 PKIX_CHECK(pkix_CheckType(object, PKIX_CERTSELECTOR_TYPE, plContext),
59 PKIX_OBJECTNOTCERTSELECTOR);
60
61 certSelector = (PKIX_CertSelector *)object;
62
63 PKIX_CHECK(PKIX_CertSelector_Create
64 (certSelector->matchCallback,
65 certSelector->context,
66 &certSelectorDuplicate,
67 plContext),
68 PKIX_CERTSELECTORCREATEFAILED);
69
70 PKIX_CHECK(PKIX_PL_Object_Duplicate
71 ((PKIX_PL_Object *)certSelector->params,
72 (PKIX_PL_Object **)&certSelectorDuplicate->params,
73 plContext),
74 PKIX_OBJECTDUPLICATEFAILED);
75
76 *pNewObject = (PKIX_PL_Object *)certSelectorDuplicate;
77
78 cleanup:
79
80 if (PKIX_ERROR_RECEIVED){
81 PKIX_DECREF(certSelectorDuplicate);
82 }
83
84 PKIX_RETURN(CERTSELECTOR);
85 }
86
87 /*
88 * FUNCTION: pkix_CertSelector_Match_BasicConstraint
89 * DESCRIPTION:
90 *
91 * Determines whether the Cert pointed to by "cert" matches the basic
92 * constraints criterion using the basic constraints field of the
93 * ComCertSelParams pointed to by "params". If the basic constraints field is
94 * -1, no basic constraints check is done and the Cert is considered to match
95 * the basic constraints criterion. If the Cert does not match the basic
96 * constraints criterion, an Error pointer is returned.
97 *
98 * In order to match against this criterion, there are several possibilities.
99 *
100 * 1) If the criterion's minimum path length is greater than or equal to zero,
101 * a certificate must include a BasicConstraints extension with a pathLen of
102 * at least this value.
103 *
104 * 2) If the criterion's minimum path length is -2, a certificate must be an
105 * end-entity certificate.
106 *
107 * 3) If the criterion's minimum path length is -1, no basic constraints check
108 * is done and all certificates are considered to match this criterion.
109 *
110 * PARAMETERS:
111 * "params"
112 * Address of ComCertSelParams whose basic constraints field is used.
113 * Must be non-NULL.
114 * "cert"
115 * Address of Cert that is to be matched. Must be non-NULL.
116 * "pResult"
117 * Address of PKIX_Boolean that returns the match result.
118 * "plContext"
119 * Platform-specific context pointer.
120 * OUTPUT PARAMETERS ON FAILURE:
121 * If the function returns a failure,
122 * the output parameters of this function are undefined.
123 * THREAD SAFETY:
124 * Conditionally Thread Safe
125 * (see Thread Safety Definitions in Programmer's Guide)
126 * RETURNS:
127 * Returns NULL if the function succeeds.
128 * Returns a CertSelector Error if the function fails in a non-fatal way.
129 * Returns a Fatal Error if the function fails in an unrecoverable way.
130 */
131 static PKIX_Error *
132 pkix_CertSelector_Match_BasicConstraint(
133 PKIX_ComCertSelParams *params,
134 PKIX_PL_Cert *cert,
135 PKIX_Boolean *pResult,
136 void *plContext)
137 {
138 PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
139 PKIX_Boolean caFlag = PKIX_FALSE; /* EE Cert by default */
140 PKIX_Int32 pathLength = 0;
141 PKIX_Int32 minPathLength = 0;
142
143 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_BasicConstraint");
144 PKIX_NULLCHECK_THREE(params, cert, pResult);
145 *pResult = PKIX_TRUE;
146
147 PKIX_CHECK(PKIX_ComCertSelParams_GetBasicConstraints
148 (params, &minPathLength, plContext),
149 PKIX_COMCERTSELPARAMSGETBASICCONSTRAINTSFAILED);
150
151 /* If the minPathLength is unlimited (-1), no checking */
152 if (minPathLength == PKIX_CERTSEL_ALL_MATCH_MIN_PATHLENGTH) {
153 goto cleanup;
154 }
155
156 PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
157 (cert, &basicConstraints, plContext),
158 PKIX_CERTGETBASICCONSTRAINTSFAILED);
159
160 if (basicConstraints != NULL) {
161 PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag
162 (basicConstraints, &caFlag, plContext),
163 PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);
164
165 PKIX_CHECK(PKIX_PL_BasicConstraints_GetPathLenConstraint
166 (basicConstraints, &pathLength, plContext),
167 PKIX_BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED);
168 }
169
170 /*
171 * if minPathLength >= 0, the cert must have a BasicConstraints ext and
172 * the pathLength in this cert
173 * BasicConstraints needs to be >= minPathLength.
174 */
175 if (minPathLength >= 0){
176 if ((!basicConstraints) || (caFlag == PKIX_FALSE)){
177 PKIX_ERROR(PKIX_CERTNOTALLOWEDTOSIGNCERTIFICATES);
178 } else if ((pathLength != PKIX_UNLIMITED_PATH_CONSTRAINT) &&
179 (pathLength < minPathLength)){
180 PKIX_CERTSELECTOR_DEBUG
181 ("Basic Constraints path length match failed\n");
182 *pResult = PKIX_FALSE;
183 PKIX_ERROR(PKIX_PATHLENCONSTRAINTINVALID);
184 }
185 }
186
187 /* if the minPathLength is -2, this cert must be an end-entity cert. */
188 if (minPathLength == PKIX_CERTSEL_ENDENTITY_MIN_PATHLENGTH) {
189 if (caFlag == PKIX_TRUE) {
190 PKIX_CERTSELECTOR_DEBUG
191 ("Basic Constraints end-entity match failed\n");
192 *pResult = PKIX_FALSE;
193 PKIX_ERROR(PKIX_PATHLENCONSTRAINTINVALID);
194 }
195 }
196
197 cleanup:
198
199 PKIX_DECREF(basicConstraints);
200 PKIX_RETURN(CERTSELECTOR);
201 }
202
203 /*
204 * FUNCTION: pkix_CertSelector_Match_Policies
205 * DESCRIPTION:
206 *
207 * Determines whether the Cert pointed to by "cert" matches the policy
208 * constraints specified in the ComCertsSelParams given by "params".
209 * If "params" specifies a policy constraint of NULL, all certificates
210 * match. If "params" specifies an empty list, "cert" must have at least
211 * some policy. Otherwise "cert" must include at least one of the
212 * policies in the list. See the description of PKIX_CertSelector in
213 * pkix_certsel.h for more.
214 *
215 * PARAMETERS:
216 * "params"
217 * Address of ComCertSelParams whose policy criterion (if any) is used.
218 * Must be non-NULL.
219 * "cert"
220 * Address of Cert that is to be matched. Must be non-NULL.
221 * "pResult"
222 * Address of PKIX_Boolean that returns the match result.
223 * "plContext"
224 * Platform-specific context pointer.
225 * THREAD SAFETY:
226 * Conditionally Thread Safe
227 * (see Thread Safety Definitions in Programmer's Guide)
228 * RETURNS:
229 * Returns NULL if the function succeeds.
230 * Returns a CertSelector Error if the function fails in a non-fatal way.
231 * Returns a Fatal Error if the function fails in an unrecoverable way.
232 */
233 static PKIX_Error *
234 pkix_CertSelector_Match_Policies(
235 PKIX_ComCertSelParams *params,
236 PKIX_PL_Cert *cert,
237 PKIX_Boolean *pResult,
238 void *plContext)
239 {
240 PKIX_UInt32 numConstraintPolicies = 0;
241 PKIX_UInt32 numCertPolicies = 0;
242 PKIX_UInt32 certPolicyIndex = 0;
243 PKIX_Boolean result = PKIX_FALSE;
244 PKIX_List *constraintPolicies = NULL; /* List of PKIX_PL_OID */
245 PKIX_List *certPolicyInfos = NULL; /* List of PKIX_PL_CertPolicyInfo */
246 PKIX_PL_CertPolicyInfo *policyInfo = NULL;
247 PKIX_PL_OID *polOID = NULL;
248
249 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_Policies");
250 PKIX_NULLCHECK_THREE(params, cert, pResult);
251
252 PKIX_CHECK(PKIX_ComCertSelParams_GetPolicy
253 (params, &constraintPolicies, plContext),
254 PKIX_COMCERTSELPARAMSGETPOLICYFAILED);
255
256 /* If constraintPolicies is NULL, all certificates "match" */
257 if (constraintPolicies) {
258 PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation
259 (cert, &certPolicyInfos, plContext),
260 PKIX_CERTGETPOLICYINFORMATIONFAILED);
261
262 /* No hope of a match if cert has no policies */
263 if (!certPolicyInfos) {
264 PKIX_CERTSELECTOR_DEBUG("Certificate has no policies\n");
265 *pResult = PKIX_FALSE;
266 PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED);
267 }
268
269 PKIX_CHECK(PKIX_List_GetLength
270 (constraintPolicies, &numConstraintPolicies, plContext),
271 PKIX_LISTGETLENGTHFAILED);
272
273 if (numConstraintPolicies > 0) {
274
275 PKIX_CHECK(PKIX_List_GetLength
276 (certPolicyInfos, &numCertPolicies, plContext),
277 PKIX_LISTGETLENGTHFAILED);
278
279 for (certPolicyIndex = 0;
280 ((!result) && (certPolicyIndex < numCertPolicies));
281 certPolicyIndex++) {
282
283 PKIX_CHECK(PKIX_List_GetItem
284 (certPolicyInfos,
285 certPolicyIndex,
286 (PKIX_PL_Object **)&policyInfo,
287 plContext),
288 PKIX_LISTGETELEMENTFAILED);
289 PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolicyId
290 (policyInfo, &polOID, plContext),
291 PKIX_CERTPOLICYINFOGETPOLICYIDFAILED);
292
293 PKIX_CHECK(pkix_List_Contains
294 (constraintPolicies,
295 (PKIX_PL_Object *)polOID,
296 &result,
297 plContext),
298 PKIX_LISTCONTAINSFAILED);
299 PKIX_DECREF(policyInfo);
300 PKIX_DECREF(polOID);
301 }
302 if (!result) {
303 *pResult = PKIX_FALSE;
304 PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED);
305 }
306 }
307 }
308
309 cleanup:
310
311 PKIX_DECREF(constraintPolicies);
312 PKIX_DECREF(certPolicyInfos);
313 PKIX_DECREF(policyInfo);
314 PKIX_DECREF(polOID);
315
316 PKIX_RETURN(CERTSELECTOR);
317
318 }
319
320 /*
321 * FUNCTION: pkix_CertSelector_Match_CertificateValid
322 * DESCRIPTION:
323 *
324 * Determines whether the Cert pointed to by "cert" matches the certificate
325 * validity criterion using the CertificateValid field of the
326 * ComCertSelParams pointed to by "params". If the CertificateValid field is
327 * NULL, no validity check is done and the Cert is considered to match
328 * the CertificateValid criterion. If the CertificateValid field specifies a
329 * Date prior to the notBefore field in the Cert, or greater than the notAfter
330 * field in the Cert, an Error is returned.
331 *
332 * PARAMETERS:
333 * "params"
334 * Address of ComCertSelParams whose certValid field is used.
335 * Must be non-NULL.
336 * "cert"
337 * Address of Cert that is to be matched. Must be non-NULL.
338 * "pResult"
339 * Address of PKIX_Boolean that returns the match result.
340 * "plContext"
341 * Platform-specific context pointer.
342 * THREAD SAFETY:
343 * Conditionally Thread Safe
344 * (see Thread Safety Definitions in Programmer's Guide)
345 * RETURNS:
346 * Returns NULL if the function succeeds.
347 * Returns a CertSelector Error if the function fails in a non-fatal way.
348 * Returns a Fatal Error if the function fails in an unrecoverable way.
349 */
350 static PKIX_Error *
351 pkix_CertSelector_Match_CertificateValid(
352 PKIX_ComCertSelParams *params,
353 PKIX_PL_Cert *cert,
354 PKIX_Boolean *pResult,
355 void *plContext)
356 {
357 PKIX_PL_Date *validityTime = NULL;
358
359 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_CertificateValid");
360 PKIX_NULLCHECK_THREE(params, cert, pResult);
361
362 PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid
363 (params, &validityTime, plContext),
364 PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED);
365
366 /* If the validityTime is not set, all certificates are acceptable */
367 if (validityTime) {
368 PKIX_CHECK(PKIX_PL_Cert_CheckValidity
369 (cert, validityTime, plContext),
370 PKIX_CERTCHECKVALIDITYFAILED);
371 }
372
373 cleanup:
374 if (PKIX_ERROR_RECEIVED) {
375 *pResult = PKIX_FALSE;
376 }
377 PKIX_DECREF(validityTime);
378
379 PKIX_RETURN(CERTSELECTOR);
380 }
381
382 /*
383 * FUNCTION: pkix_CertSelector_Match_NameConstraints
384 * DESCRIPTION:
385 *
386 * Determines whether the Cert pointed to by "cert" matches the name
387 * constraints criterion specified in the ComCertSelParams pointed to by
388 * "params". If the name constraints field is NULL, no name constraints check
389 * is done and the Cert is considered to match the name constraints criterion.
390 * If the Cert does not match the name constraints criterion, an Error pointer
391 * is returned.
392 *
393 * PARAMETERS:
394 * "params"
395 * Address of ComCertSelParams whose name constraints field is used.
396 * Must be non-NULL.
397 * "cert"
398 * Address of Cert that is to be matched. Must be non-NULL.
399 * "pResult"
400 * Address of PKIX_Boolean that returns the match result.
401 * "plContext"
402 * Platform-specific context pointer.
403 * THREAD SAFETY:
404 * Conditionally Thread Safe
405 * (see Thread Safety Definitions in Programmer's Guide)
406 * RETURNS:
407 * Returns NULL if the function succeeds.
408 * Returns a CertSelector Error if the function fails in a non-fatal way.
409 * Returns a Fatal Error if the function fails in an unrecoverable way.
410 */
411 static PKIX_Error *
412 pkix_CertSelector_Match_NameConstraints(
413 PKIX_ComCertSelParams *params,
414 PKIX_PL_Cert *cert,
415 PKIX_Boolean *pResult,
416 void *plContext)
417 {
418 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
419
420 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_NameConstraints");
421 PKIX_NULLCHECK_THREE(params, cert, pResult);
422
423 PKIX_CHECK(PKIX_ComCertSelParams_GetNameConstraints
424 (params, &nameConstraints, plContext),
425 PKIX_COMCERTSELPARAMSGETNAMECONSTRAINTSFAILED);
426
427 if (nameConstraints != NULL) {
428
429 PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
430 (cert, nameConstraints, plContext),
431 PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
432 }
433
434 cleanup:
435 if (PKIX_ERROR_RECEIVED) {
436 *pResult = PKIX_FALSE;
437 }
438
439 PKIX_DECREF(nameConstraints);
440 PKIX_RETURN(CERTSELECTOR);
441 }
442
443 /*
444 * FUNCTION: pkix_CertSelector_Match_PathToNames
445 * DESCRIPTION:
446 *
447 * Determines whether the names at pathToNames in "params" complies with the
448 * NameConstraints pointed to by "cert". If the pathToNames field is NULL
449 * or there is no name constraints for this "cert", no checking is done
450 * and the Cert is considered to match the name constraints criterion.
451 * If the Cert does not match the name constraints criterion, an Error
452 * pointer is returned.
453 *
454 * PARAMETERS:
455 * "params"
456 * Address of ComCertSelParams whose PathToNames field is used.
457 * Must be non-NULL.
458 * "cert"
459 * Address of Cert that is to be matched. Must be non-NULL.
460 * "pResult"
461 * Address of PKIX_Boolean that returns the match result.
462 * "plContext"
463 * Platform-specific context pointer.
464 * THREAD SAFETY:
465 * Conditionally Thread Safe
466 * (see Thread Safety Definitions in Programmer's Guide)
467 * RETURNS:
468 * Returns NULL if the function succeeds.
469 * Returns a CertSelector Error if the function fails in a non-fatal way.
470 * Returns a Fatal Error if the function fails in an unrecoverable way.
471 */
472 static PKIX_Error *
473 pkix_CertSelector_Match_PathToNames(
474 PKIX_ComCertSelParams *params,
475 PKIX_PL_Cert *cert,
476 PKIX_Boolean *pResult,
477 void *plContext)
478 {
479 PKIX_List *pathToNamesList = NULL;
480 PKIX_Boolean passed = PKIX_FALSE;
481 PKIX_PL_CertNameConstraints *nameConstraints = NULL;
482
483 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_PathToNames");
484 PKIX_NULLCHECK_THREE(params, cert, pResult);
485
486 PKIX_CHECK(PKIX_ComCertSelParams_GetPathToNames
487 (params, &pathToNamesList, plContext),
488 PKIX_COMCERTSELPARAMSGETPATHTONAMESFAILED);
489
490 if (pathToNamesList != NULL) {
491
492 PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
493 (cert, &nameConstraints, plContext),
494 PKIX_CERTGETNAMECONSTRAINTSFAILED);
495
496 if (nameConstraints != NULL) {
497
498 PKIX_CHECK(PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
499 (pathToNamesList, nameConstraints, &passed, plContext),
500 PKIX_CERTNAMECONSTRAINTSCHECKNAMESINNAMESPACEFAILED);
501
502 if (passed != PKIX_TRUE) {
503 *pResult = PKIX_FALSE;
504 PKIX_ERROR(PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
505 }
506 }
507
508 }
509
510 cleanup:
511
512 PKIX_DECREF(nameConstraints);
513 PKIX_DECREF(pathToNamesList);
514
515 PKIX_RETURN(CERTSELECTOR);
516 }
517
518 /*
519 * FUNCTION: pkix_CertSelector_Match_SubjAltNames
520 * DESCRIPTION:
521 *
522 * Determines whether the names at subjAltNames in "params" match with the
523 * SubjAltNames pointed to by "cert". If the subjAltNames field is NULL,
524 * no name checking is done and the Cert is considered to match the
525 * criterion. If the Cert does not match the criterion, an Error pointer
526 * is returned.
527 *
528 * PARAMETERS:
529 * "params"
530 * Address of ComCertSelParams whose SubjAltNames field is used.
531 * Must be non-NULL.
532 * "cert"
533 * Address of Cert that is to be matched. Must be non-NULL.
534 * "pResult"
535 * Address of PKIX_Boolean that returns the match result.
536 * "plContext"
537 * Platform-specific context pointer.
538 * THREAD SAFETY:
539 * Conditionally Thread Safe
540 * (see Thread Safety Definitions in Programmer's Guide)
541 * RETURNS:
542 * Returns NULL if the function succeeds.
543 * Returns a CertSelector Error if the function fails in a non-fatal way.
544 * Returns a Fatal Error if the function fails in an unrecoverable way.
545 */
546 static PKIX_Error *
547 pkix_CertSelector_Match_SubjAltNames(
548 PKIX_ComCertSelParams *params,
549 PKIX_PL_Cert *cert,
550 PKIX_Boolean *pResult,
551 void *plContext)
552 {
553 PKIX_List *subjAltNamesList = NULL;
554 PKIX_List *certSubjAltNames = NULL;
555 PKIX_PL_GeneralName *name = NULL;
556 PKIX_Boolean checkPassed = PKIX_FALSE;
557 PKIX_Boolean matchAll = PKIX_TRUE;
558 PKIX_UInt32 i, numItems;
559 PKIX_UInt32 matchCount = 0;
560
561 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjAltNames");
562 PKIX_NULLCHECK_THREE(params, cert, pResult);
563
564 PKIX_CHECK(PKIX_ComCertSelParams_GetMatchAllSubjAltNames
565 (params, &matchAll, plContext),
566 PKIX_COMCERTSELPARAMSGETMATCHALLSUBJALTNAMESFAILED);
567
568 PKIX_CHECK(PKIX_ComCertSelParams_GetSubjAltNames
569 (params, &subjAltNamesList, plContext),
570 PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED);
571
572 if (subjAltNamesList != NULL) {
573
574 PKIX_CHECK(PKIX_PL_Cert_GetSubjectAltNames
575 (cert, &certSubjAltNames, plContext),
576 PKIX_CERTGETSUBJALTNAMESFAILED);
577
578 if (certSubjAltNames == NULL) {
579 *pResult = PKIX_FALSE;
580 PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
581 }
582
583 PKIX_CHECK(PKIX_List_GetLength
584 (subjAltNamesList, &numItems, plContext),
585 PKIX_LISTGETLENGTHFAILED);
586
587 for (i = 0; i < numItems; i++) {
588
589 PKIX_CHECK(PKIX_List_GetItem
590 (subjAltNamesList,
591 i,
592 (PKIX_PL_Object **) &name,
593 plContext),
594 PKIX_LISTGETITEMFAILED);
595
596 PKIX_CHECK(pkix_List_Contains
597 (certSubjAltNames,
598 (PKIX_PL_Object *) name,
599 &checkPassed,
600 plContext),
601 PKIX_LISTCONTAINSFAILED);
602
603 PKIX_DECREF(name);
604
605 if (checkPassed == PKIX_TRUE) {
606
607 if (matchAll == PKIX_FALSE) {
608 /* one match is good enough */
609 matchCount = numItems;
610 break;
611 } else {
612 /* else continue checking next */
613 matchCount++;
614 }
615
616 }
617
618 }
619
620 if (matchCount != numItems) {
621 *pResult = PKIX_FALSE;
622 PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
623 }
624 }
625
626 cleanup:
627
628 PKIX_DECREF(name);
629 PKIX_DECREF(certSubjAltNames);
630 PKIX_DECREF(subjAltNamesList);
631
632 PKIX_RETURN(CERTSELECTOR);
633 }
634
635 /*
636 * FUNCTION: pkix_CertSelector_Match_ExtendedKeyUsage
637 * DESCRIPTION:
638 *
639 * Determines whether the names at ExtKeyUsage in "params" matches with the
640 * ExtKeyUsage pointed to by "cert". If the ExtKeyUsage criterion or
641 * ExtKeyUsage in "cert" is NULL, no checking is done and the Cert is
642 * considered a match. If the Cert does not match, an Error pointer is
643 * returned.
644 *
645 * PARAMETERS:
646 * "params"
647 * Address of ComCertSelParams whose ExtKeyUsage field is used.
648 * Must be non-NULL.
649 * "cert"
650 * Address of Cert that is to be matched. Must be non-NULL.
651 * "pResult"
652 * Address of PKIX_Boolean that returns the match result.
653 * "plContext"
654 * Platform-specific context pointer.
655 * THREAD SAFETY:
656 * Conditionally Thread Safe
657 * (see Thread Safety Definitions in Programmer's Guide)
658 * RETURNS:
659 * Returns NULL if the function succeeds.
660 * Returns a CertSelector Error if the function fails in a non-fatal way.
661 * Returns a Fatal Error if the function fails in an unrecoverable way.
662 */
663 static PKIX_Error *
664 pkix_CertSelector_Match_ExtendedKeyUsage(
665 PKIX_ComCertSelParams *params,
666 PKIX_PL_Cert *cert,
667 PKIX_Boolean *pResult,
668 void *plContext)
669 {
670 PKIX_List *extKeyUsageList = NULL;
671 PKIX_List *certExtKeyUsageList = NULL;
672 PKIX_PL_OID *ekuOid = NULL;
673 PKIX_Boolean isContained = PKIX_FALSE;
674 PKIX_UInt32 numItems = 0;
675 PKIX_UInt32 i;
676
677 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_ExtendedKeyUsage");
678 PKIX_NULLCHECK_THREE(params, cert, pResult);
679
680 PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage
681 (params, &extKeyUsageList, plContext),
682 PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
683
684 if (extKeyUsageList == NULL) {
685 goto cleanup;
686 }
687
688 PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
689 (cert, &certExtKeyUsageList, plContext),
690 PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
691
692 if (certExtKeyUsageList != NULL) {
693
694 PKIX_CHECK(PKIX_List_GetLength
695 (extKeyUsageList, &numItems, plContext),
696 PKIX_LISTGETLENGTHFAILED);
697
698 for (i = 0; i < numItems; i++) {
699
700 PKIX_CHECK(PKIX_List_GetItem
701 (extKeyUsageList, i, (PKIX_PL_Object **)&ekuOid, plContext),
702 PKIX_LISTGETITEMFAILED);
703
704 PKIX_CHECK(pkix_List_Contains
705 (certExtKeyUsageList,
706 (PKIX_PL_Object *)ekuOid,
707 &isContained,
708 plContext),
709 PKIX_LISTCONTAINSFAILED);
710
711 PKIX_DECREF(ekuOid);
712
713 if (isContained != PKIX_TRUE) {
714 *pResult = PKIX_FALSE;
715 PKIX_ERROR(PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
716 }
717 }
718 }
719
720 cleanup:
721
722 PKIX_DECREF(ekuOid);
723 PKIX_DECREF(extKeyUsageList);
724 PKIX_DECREF(certExtKeyUsageList);
725
726 PKIX_RETURN(CERTSELECTOR);
727 }
728
729 /*
730 * FUNCTION: pkix_CertSelector_Match_KeyUsage
731 * DESCRIPTION:
732 *
733 * Determines whether the bits at KeyUsage in "params" matches with the
734 * KeyUsage pointed to by "cert". If the KeyUsage in params is 0
735 * no checking is done and the Cert is considered a match. If the Cert does
736 * not match, an Error pointer is returned.
737 *
738 * PARAMETERS:
739 * "params"
740 * Address of ComCertSelParams whose ExtKeyUsage field is used.
741 * Must be non-NULL.
742 * "cert"
743 * Address of Cert that is to be matched. Must be non-NULL.
744 * "pResult"
745 * Address of PKIX_Boolean that returns the match result.
746 * "plContext"
747 * Platform-specific context pointer.
748 * THREAD SAFETY:
749 * Conditionally Thread Safe
750 * (see Thread Safety Definitions in Programmer's Guide)
751 * RETURNS:
752 * Returns NULL if the function succeeds.
753 * Returns a CertSelector Error if the function fails in a non-fatal way.
754 * Returns a Fatal Error if the function fails in an unrecoverable way.
755 */
756 static PKIX_Error *
757 pkix_CertSelector_Match_KeyUsage(
758 PKIX_ComCertSelParams *params,
759 PKIX_PL_Cert *cert,
760 PKIX_Boolean *pResult,
761 void *plContext)
762 {
763 PKIX_UInt32 keyUsage = 0;
764
765 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_KeyUsage");
766 PKIX_NULLCHECK_THREE(params, cert, pResult);
767
768 PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage
769 (params, &keyUsage, plContext),
770 PKIX_COMCERTSELPARAMSGETKEYUSAGEFAILED);
771
772 if (keyUsage != 0) {
773
774 PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage
775 (cert, keyUsage, plContext),
776 PKIX_CERTVERIFYKEYUSAGEFAILED);
777
778 }
779
780 cleanup:
781 if (PKIX_ERROR_RECEIVED) {
782 *pResult = PKIX_FALSE;
783 }
784
785 PKIX_RETURN(CERTSELECTOR);
786 }
787
788 /*
789 * FUNCTION: pkix_CertSelector_Match_SubjKeyId
790 * DESCRIPTION:
791 *
792 * Determines whether the bytes at subjKeyId in "params" matches with the
793 * Subject Key Identifier pointed to by "cert". If the subjKeyId in params is
794 * set to NULL or the Cert doesn't have a Subject Key Identifier, no checking
795 * is done and the Cert is considered a match. If the Cert does not match, an
796 * Error pointer is returned.
797 *
798 * PARAMETERS:
799 * "params"
800 * Address of ComCertSelParams whose subjKeyId field is used.
801 * Must be non-NULL.
802 * "cert"
803 * Address of Cert that is to be matched. Must be non-NULL.
804 * "pResult"
805 * Address of PKIX_Boolean that returns the match result.
806 * "plContext"
807 * Platform-specific context pointer.
808 * THREAD SAFETY:
809 * Conditionally Thread Safe
810 * (see Thread Safety Definitions in Programmer's Guide)
811 * RETURNS:
812 * Returns NULL if the function succeeds.
813 * Returns a CertSelector Error if the function fails in a non-fatal way.
814 * Returns a Fatal Error if the function fails in an unrecoverable way.
815 */
816 static PKIX_Error *
817 pkix_CertSelector_Match_SubjKeyId(
818 PKIX_ComCertSelParams *params,
819 PKIX_PL_Cert *cert,
820 PKIX_Boolean *pResult,
821 void *plContext)
822 {
823 PKIX_PL_ByteArray *selSubjKeyId = NULL;
824 PKIX_PL_ByteArray *certSubjKeyId = NULL;
825 PKIX_Boolean equals = PKIX_FALSE;
826
827 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjKeyId");
828 PKIX_NULLCHECK_THREE(params, cert, pResult);
829
830 PKIX_CHECK(PKIX_ComCertSelParams_GetSubjKeyIdentifier
831 (params, &selSubjKeyId, plContext),
832 PKIX_COMCERTSELPARAMSGETSUBJKEYIDENTIFIERFAILED);
833
834 if (selSubjKeyId != NULL) {
835
836 PKIX_CHECK(PKIX_PL_Cert_GetSubjectKeyIdentifier
837 (cert, &certSubjKeyId, plContext),
838 PKIX_CERTGETSUBJECTKEYIDENTIFIERFAILED);
839
840 if (certSubjKeyId == NULL) {
841 goto cleanup;
842 }
843
844 PKIX_CHECK(PKIX_PL_Object_Equals
845 ((PKIX_PL_Object *)selSubjKeyId,
846 (PKIX_PL_Object *)certSubjKeyId,
847 &equals,
848 plContext),
849 PKIX_OBJECTEQUALSFAILED);
850
851 if (equals == PKIX_FALSE) {
852 *pResult = PKIX_FALSE;
853 PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
854 }
855 }
856
857 cleanup:
858
859 PKIX_DECREF(selSubjKeyId);
860 PKIX_DECREF(certSubjKeyId);
861
862 PKIX_RETURN(CERTSELECTOR);
863 }
864
865 /*
866 * FUNCTION: pkix_CertSelector_Match_AuthKeyId
867 * DESCRIPTION:
868 *
869 * Determines whether the bytes at authKeyId in "params" matches with the
870 * Authority Key Identifier pointed to by "cert". If the authKeyId in params
871 * is set to NULL, no checking is done and the Cert is considered a match. If
872 * the Cert does not match, an Error pointer is returned.
873 *
874 * PARAMETERS:
875 * "params"
876 * Address of ComCertSelParams whose authKeyId field is used.
877 * Must be non-NULL.
878 * "cert"
879 * Address of Cert that is to be matched. Must be non-NULL.
880 * "pResult"
881 * Address of PKIX_Boolean that returns the match result.
882 * "plContext"
883 * Platform-specific context pointer.
884 * THREAD SAFETY:
885 * Conditionally Thread Safe
886 * (see Thread Safety Definitions in Programmer's Guide)
887 * RETURNS:
888 * Returns NULL if the function succeeds.
889 * Returns a CertSelector Error if the function fails in a non-fatal way.
890 * Returns a Fatal Error if the function fails in an unrecoverable way.
891 */
892 static PKIX_Error *
893 pkix_CertSelector_Match_AuthKeyId(
894 PKIX_ComCertSelParams *params,
895 PKIX_PL_Cert *cert,
896 PKIX_Boolean *pResult,
897 void *plContext)
898 {
899 PKIX_PL_ByteArray *selAuthKeyId = NULL;
900 PKIX_PL_ByteArray *certAuthKeyId = NULL;
901 PKIX_Boolean equals = PKIX_FALSE;
902
903 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_AuthKeyId");
904 PKIX_NULLCHECK_THREE(params, cert, pResult);
905
906 PKIX_CHECK(PKIX_ComCertSelParams_GetAuthorityKeyIdentifier
907 (params, &selAuthKeyId, plContext),
908 PKIX_COMCERTSELPARAMSGETAUTHORITYKEYIDENTIFIERFAILED);
909
910 if (selAuthKeyId != NULL) {
911
912 PKIX_CHECK(PKIX_PL_Cert_GetAuthorityKeyIdentifier
913 (cert, &certAuthKeyId, plContext),
914 PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED);
915
916 if (certAuthKeyId == NULL) {
917 *pResult = PKIX_FALSE;
918 PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
919 }
920 PKIX_CHECK(PKIX_PL_Object_Equals
921 ((PKIX_PL_Object *)selAuthKeyId,
922 (PKIX_PL_Object *)certAuthKeyId,
923 &equals,
924 plContext),
925 PKIX_OBJECTEQUALSFAILED);
926
927 if (equals != PKIX_TRUE) {
928 *pResult = PKIX_FALSE;
929 PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
930 }
931 }
932
933 cleanup:
934
935 PKIX_DECREF(selAuthKeyId);
936 PKIX_DECREF(certAuthKeyId);
937
938 PKIX_RETURN(CERTSELECTOR);
939 }
940
941 /*
942 * FUNCTION: pkix_CertSelector_Match_SubjPKAlgId
943 * DESCRIPTION:
944 *
945 * Determines whether the OID at subjPKAlgId in "params" matches with the
946 * Subject Public Key Alg Id pointed to by "cert". If the subjPKAlgId in params
947 * is set to NULL, no checking is done and the Cert is considered a match. If
948 * the Cert does not match, an Error pointer is returned.
949 *
950 * PARAMETERS:
951 * "params"
952 * Address of ComCertSelParams whose subjPKAlgId field is used.
953 * Must be non-NULL.
954 * "cert"
955 * Address of Cert that is to be matched. Must be non-NULL.
956 * "pResult"
957 * Address of PKIX_Boolean that returns the match result.
958 * "plContext"
959 * Platform-specific context pointer.
960 * THREAD SAFETY:
961 * Conditionally Thread Safe
962 * (see Thread Safety Definitions in Programmer's Guide)
963 * RETURNS:
964 * Returns NULL if the function succeeds.
965 * Returns a CertSelector Error if the function fails in a non-fatal way.
966 * Returns a Fatal Error if the function fails in an unrecoverable way.
967 */
968 static PKIX_Error *
969 pkix_CertSelector_Match_SubjPKAlgId(
970 PKIX_ComCertSelParams *params,
971 PKIX_PL_Cert *cert,
972 PKIX_Boolean *pResult,
973 void *plContext)
974 {
975 PKIX_PL_OID *selPKAlgId = NULL;
976 PKIX_PL_OID *certPKAlgId = NULL;
977 PKIX_Boolean equals = PKIX_FALSE;
978
979 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjPKAlgId");
980 PKIX_NULLCHECK_THREE(params, cert, pResult);
981
982 PKIX_CHECK(PKIX_ComCertSelParams_GetSubjPKAlgId
983 (params, &selPKAlgId, plContext),
984 PKIX_COMCERTSELPARAMSGETSUBJPKALGIDFAILED);
985
986 if (selPKAlgId != NULL) {
987
988 PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKeyAlgId
989 (cert, &certPKAlgId, plContext),
990 PKIX_CERTGETSUBJECTPUBLICKEYALGIDFAILED);
991
992 if (certPKAlgId != NULL) {
993 *pResult = PKIX_FALSE;
994 PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
995 }
996 PKIX_CHECK(PKIX_PL_Object_Equals
997 ((PKIX_PL_Object *)selPKAlgId,
998 (PKIX_PL_Object *)certPKAlgId,
999 &equals,
1000 plContext),
1001 PKIX_OBJECTEQUALSFAILED);
1002
1003 if (equals != PKIX_TRUE) {
1004 *pResult = PKIX_FALSE;
1005 PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
1006 }
1007 }
1008
1009 cleanup:
1010
1011 PKIX_DECREF(selPKAlgId);
1012 PKIX_DECREF(certPKAlgId);
1013
1014 PKIX_RETURN(CERTSELECTOR);
1015 }
1016
1017 /*
1018 * FUNCTION: pkix_CertSelector_Match_SubjPubKey
1019 * DESCRIPTION:
1020 *
1021 * Determines whether the key at subjPubKey in "params" matches with the
1022 * Subject Public Key pointed to by "cert". If the subjPubKey in params
1023 * is set to NULL, no checking is done and the Cert is considered a match. If
1024 * the Cert does not match, an Error pointer is returned.
1025 *
1026 * PARAMETERS:
1027 * "params"
1028 * Address of ComCertSelParams whose subPubKey field is used.
1029 * Must be non-NULL.
1030 * "cert"
1031 * Address of Cert that is to be matched. Must be non-NULL.
1032 * "pResult"
1033 * Address of PKIX_Boolean that returns the match result.
1034 * "plContext"
1035 * Platform-specific context pointer.
1036 * THREAD SAFETY:
1037 * Conditionally Thread Safe
1038 * (see Thread Safety Definitions in Programmer's Guide)
1039 * RETURNS:
1040 * Returns NULL if the function succeeds.
1041 * Returns a CertSelector Error if the function fails in a non-fatal way.
1042 * Returns a Fatal Error if the function fails in an unrecoverable way.
1043 */
1044 static PKIX_Error *
1045 pkix_CertSelector_Match_SubjPubKey(
1046 PKIX_ComCertSelParams *params,
1047 PKIX_PL_Cert *cert,
1048 PKIX_Boolean *pResult,
1049 void *plContext)
1050 {
1051 PKIX_PL_PublicKey *selPK = NULL;
1052 PKIX_PL_PublicKey *certPK = NULL;
1053 PKIX_Boolean equals = PKIX_FALSE;
1054
1055 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_SubjPubKey");
1056 PKIX_NULLCHECK_THREE(params, cert, pResult);
1057
1058 PKIX_CHECK(PKIX_ComCertSelParams_GetSubjPubKey
1059 (params, &selPK, plContext),
1060 PKIX_COMCERTSELPARAMSGETSUBJPUBKEYFAILED);
1061
1062 if (selPK != NULL) {
1063
1064 PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
1065 (cert, &certPK, plContext),
1066 PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
1067
1068 if (certPK == NULL) {
1069 *pResult = PKIX_FALSE;
1070 PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
1071 }
1072 PKIX_CHECK(PKIX_PL_Object_Equals
1073 ((PKIX_PL_Object *)selPK,
1074 (PKIX_PL_Object *)certPK,
1075 &equals,
1076 plContext),
1077 PKIX_OBJECTEQUALSFAILED);
1078
1079 if (equals != PKIX_TRUE) {
1080 *pResult = PKIX_FALSE;
1081 PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
1082 }
1083 }
1084
1085 cleanup:
1086
1087 PKIX_DECREF(selPK);
1088 PKIX_DECREF(certPK);
1089
1090 PKIX_RETURN(CERTSELECTOR);
1091 }
1092
1093 /*
1094 * FUNCTION: pkix_CertSelector_DefaultMatch
1095 * DESCRIPTION:
1096 *
1097 * This default match function determines whether the specified Cert pointed
1098 * to by "cert" matches the criteria of the CertSelector pointed to by
1099 * "selector". If the Cert does not match the CertSelector's
1100 * criteria, an error will be thrown.
1101 *
1102 * This default match function understands how to process the most common
1103 * parameters. Any common parameter that is not set is assumed to be disabled,
1104 * which means this function will select all certificates without regard to
1105 * that particular disabled parameter. For example, if the SerialNumber
1106 * parameter is not set, this function will not filter out any certificate
1107 * based on its serial number. As such, if no parameters are set, all are
1108 * disabled and any certificate will match. If a parameter is disabled, its
1109 * associated PKIX_ComCertSelParams_Get* function returns a default value.
1110 * That value is -1 for PKIX_ComCertSelParams_GetBasicConstraints and
1111 * PKIX_ComCertSelParams_GetVersion, 0 for PKIX_ComCertSelParams_GetKeyUsage,
1112 * and NULL for all other Get functions.
1113 *
1114 * PARAMETERS:
1115 * "selector"
1116 * Address of CertSelector whose MatchCallback logic and parameters are
1117 * to be used. Must be non-NULL.
1118 * "cert"
1119 * Address of Cert that is to be matched using "selector".
1120 * Must be non-NULL.
1121 * "plContext"
1122 * Platform-specific context pointer.
1123 * THREAD SAFETY:
1124 * Conditionally Thread Safe
1125 * (see Thread Safety Definitions in Programmer's Guide)
1126 * RETURNS:
1127 * Returns NULL if the function succeeds.
1128 * Returns a CertSelector Error if the function fails in a non-fatal way.
1129 * Returns a Fatal Error if the function fails in an unrecoverable way.
1130 */
1131 static PKIX_Error *
1132 pkix_CertSelector_DefaultMatch(
1133 PKIX_CertSelector *selector,
1134 PKIX_PL_Cert *cert,
1135 void *plContext)
1136 {
1137 PKIX_ComCertSelParams *params = NULL;
1138 PKIX_PL_X500Name *certSubject = NULL;
1139 PKIX_PL_X500Name *selSubject = NULL;
1140 PKIX_PL_X500Name *certIssuer = NULL;
1141 PKIX_PL_X500Name *selIssuer = NULL;
1142 PKIX_PL_BigInt *certSerialNumber = NULL;
1143 PKIX_PL_BigInt *selSerialNumber = NULL;
1144 PKIX_PL_Cert *selCert = NULL;
1145 PKIX_PL_Date *selDate = NULL;
1146 PKIX_UInt32 selVersion = 0xFFFFFFFF;
1147 PKIX_UInt32 certVersion = 0;
1148 PKIX_Boolean result = PKIX_TRUE;
1149 PKIX_Boolean isLeafCert = PKIX_TRUE;
1150
1151 #ifdef PKIX_BUILDDEBUG
1152 PKIX_PL_String *certString = NULL;
1153 void *certAscii = NULL;
1154 PKIX_UInt32 certAsciiLen;
1155 #endif
1156
1157 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_DefaultMatch");
1158 PKIX_NULLCHECK_TWO(selector, cert);
1159
1160 PKIX_INCREF(selector->params);
1161 params = selector->params;
1162
1163 /* Are we looking for CAs? */
1164 PKIX_CHECK(PKIX_ComCertSelParams_GetLeafCertFlag
1165 (params, &isLeafCert, plContext),
1166 PKIX_COMCERTSELPARAMSGETLEAFCERTFLAGFAILED);
1167
1168 if (params == NULL){
1169 goto cleanup;
1170 }
1171
1172 PKIX_CHECK(PKIX_ComCertSelParams_GetVersion
1173 (params, &selVersion, plContext),
1174 PKIX_COMCERTSELPARAMSGETVERSIONFAILED);
1175
1176 if (selVersion != 0xFFFFFFFF){
1177 PKIX_CHECK(PKIX_PL_Cert_GetVersion
1178 (cert, &certVersion, plContext),
1179 PKIX_CERTGETVERSIONFAILED);
1180
1181 if (selVersion != certVersion) {
1182 PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTVERSIONFAILED);
1183 }
1184 }
1185
1186 PKIX_CHECK(PKIX_ComCertSelParams_GetSubject
1187 (params, &selSubject, plContext),
1188 PKIX_COMCERTSELPARAMSGETSUBJECTFAILED);
1189
1190 if (selSubject){
1191 PKIX_CHECK(PKIX_PL_Cert_GetSubject
1192 (cert, &certSubject, plContext),
1193 PKIX_CERTGETSUBJECTFAILED);
1194
1195 if (certSubject){
1196 PKIX_CHECK(PKIX_PL_X500Name_Match
1197 (selSubject, certSubject, &result, plContext),
1198 PKIX_X500NAMEMATCHFAILED);
1199
1200 if (result == PKIX_FALSE){
1201 PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED);
1202 }
1203 } else { /* cert has no subject */
1204 PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED);
1205 }
1206 }
1207
1208 PKIX_CHECK(PKIX_ComCertSelParams_GetIssuer
1209 (params, &selIssuer, plContext),
1210 PKIX_COMCERTSELPARAMSGETISSUERFAILED);
1211
1212 if (selIssuer){
1213 PKIX_CHECK(PKIX_PL_Cert_GetIssuer
1214 (cert, &certIssuer, plContext),
1215 PKIX_CERTGETISSUERFAILED);
1216
1217 PKIX_CHECK(PKIX_PL_X500Name_Match
1218 (selIssuer, certIssuer, &result, plContext),
1219 PKIX_X500NAMEMATCHFAILED);
1220
1221 if (result == PKIX_FALSE){
1222 PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTISSUERFAILED);
1223 }
1224 }
1225
1226 PKIX_CHECK(PKIX_ComCertSelParams_GetSerialNumber
1227 (params, &selSerialNumber, plContext),
1228 PKIX_COMCERTSELPARAMSGETSERIALNUMBERFAILED);
1229
1230 if (selSerialNumber){
1231 PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
1232 (cert, &certSerialNumber, plContext),
1233 PKIX_CERTGETSERIALNUMBERFAILED);
1234
1235 PKIX_CHECK(PKIX_PL_Object_Equals
1236 ((PKIX_PL_Object *)selSerialNumber,
1237 (PKIX_PL_Object *)certSerialNumber,
1238 &result,
1239 plContext),
1240 PKIX_OBJECTEQUALSFAILED);
1241
1242 if (result == PKIX_FALSE){
1243 PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSERIALNUMFAILED);
1244 }
1245 }
1246
1247 PKIX_CHECK(PKIX_ComCertSelParams_GetCertificate
1248 (params, &selCert, plContext),
1249 PKIX_COMCERTSELPARAMSGETCERTIFICATEFAILED);
1250
1251 if (selCert){
1252 PKIX_CHECK(PKIX_PL_Object_Equals
1253 ((PKIX_PL_Object *) selCert,
1254 (PKIX_PL_Object *) cert,
1255 &result,
1256 plContext),
1257 PKIX_OBJECTEQUALSFAILED);
1258
1259 if (result == PKIX_FALSE){
1260 PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTOBJECTFAILED);
1261 }
1262 }
1263
1264 PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid
1265 (params, &selDate, plContext),
1266 PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED);
1267
1268 if (selDate){
1269 PKIX_CHECK(PKIX_PL_Cert_CheckValidity
1270 (cert, selDate, plContext),
1271 PKIX_CERTCHECKVALIDITYFAILED);
1272 }
1273
1274 PKIX_CHECK(pkix_CertSelector_Match_BasicConstraint
1275 (params, cert, &result, plContext),
1276 PKIX_CERTSELECTORMATCHBASICCONSTRAINTFAILED);
1277
1278 PKIX_CHECK(pkix_CertSelector_Match_Policies
1279 (params, cert, &result, plContext),
1280 PKIX_CERTSELECTORMATCHPOLICIESFAILED);
1281
1282 PKIX_CHECK(pkix_CertSelector_Match_CertificateValid
1283 (params, cert, &result, plContext),
1284 PKIX_CERTSELECTORMATCHCERTIFICATEVALIDFAILED);
1285
1286 PKIX_CHECK(pkix_CertSelector_Match_NameConstraints
1287 (params, cert, &result, plContext),
1288 PKIX_CERTSELECTORMATCHNAMECONSTRAINTSFAILED);
1289
1290 PKIX_CHECK(pkix_CertSelector_Match_PathToNames
1291 (params, cert, &result, plContext),
1292 PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
1293
1294 PKIX_CHECK(pkix_CertSelector_Match_SubjAltNames
1295 (params, cert, &result, plContext),
1296 PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
1297
1298 /* Check key usage and cert type based on certificate usage. */
1299 PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert, !isLeafCert,
1300 plContext),
1301 PKIX_CERTVERIFYCERTTYPEFAILED);
1302
1303 /* Next two check are for user supplied additional KU and EKU. */
1304 PKIX_CHECK(pkix_CertSelector_Match_ExtendedKeyUsage
1305 (params, cert, &result, plContext),
1306 PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
1307
1308 PKIX_CHECK(pkix_CertSelector_Match_KeyUsage
1309 (params, cert, &result, plContext),
1310 PKIX_CERTSELECTORMATCHKEYUSAGEFAILED);
1311
1312 PKIX_CHECK(pkix_CertSelector_Match_SubjKeyId
1313 (params, cert, &result, plContext),
1314 PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
1315
1316 PKIX_CHECK(pkix_CertSelector_Match_AuthKeyId
1317 (params, cert, &result, plContext),
1318 PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
1319
1320 PKIX_CHECK(pkix_CertSelector_Match_SubjPKAlgId
1321 (params, cert, &result, plContext),
1322 PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
1323
1324 PKIX_CHECK(pkix_CertSelector_Match_SubjPubKey
1325 (params, cert, &result, plContext),
1326 PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
1327
1328 /* if we reach here, the cert has successfully matched criteria */
1329
1330
1331 #ifdef PKIX_BUILDDEBUG
1332
1333 PKIX_CHECK(pkix_pl_Cert_ToString_Helper
1334 (cert, PKIX_TRUE, &certString, plContext),
1335 PKIX_CERTTOSTRINGHELPERFAILED);
1336
1337 PKIX_CHECK(PKIX_PL_String_GetEncoded
1338 (certString,
1339 PKIX_ESCASCII,
1340 &certAscii,
1341 &certAsciiLen,
1342 plContext),
1343 PKIX_STRINGGETENCODEDFAILED);
1344
1345 PKIX_CERTSELECTOR_DEBUG_ARG("Cert Selected:\n%s\n", certAscii);
1346
1347 #endif
1348
1349 cleanup:
1350
1351 #ifdef PKIX_BUILDDEBUG
1352 PKIX_DECREF(certString);
1353 PKIX_FREE(certAscii);
1354 #endif
1355
1356 PKIX_DECREF(certSubject);
1357 PKIX_DECREF(selSubject);
1358 PKIX_DECREF(certIssuer);
1359 PKIX_DECREF(selIssuer);
1360 PKIX_DECREF(certSerialNumber);
1361 PKIX_DECREF(selSerialNumber);
1362 PKIX_DECREF(selCert);
1363 PKIX_DECREF(selDate);
1364 PKIX_DECREF(params);
1365 PKIX_RETURN(CERTSELECTOR);
1366 }
1367
1368 /*
1369 * FUNCTION: pkix_CertSelector_RegisterSelf
1370 * DESCRIPTION:
1371 * Registers PKIX_CERTSELECTOR_TYPE and its related functions with
1372 * systemClasses[]
1373 * THREAD SAFETY:
1374 * Not Thread Safe - for performance and complexity reasons
1375 *
1376 * Since this function is only called by PKIX_PL_Initialize, which should
1377 * only be called once, it is acceptable that this function is not
1378 * thread-safe.
1379 */
1380 PKIX_Error *
1381 pkix_CertSelector_RegisterSelf(void *plContext)
1382 {
1383 extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
1384 pkix_ClassTable_Entry entry;
1385
1386 PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_RegisterSelf");
1387
1388 entry.description = "CertSelector";
1389 entry.objCounter = 0;
1390 entry.typeObjectSize = sizeof(PKIX_CertSelector);
1391 entry.destructor = pkix_CertSelector_Destroy;
1392 entry.equalsFunction = NULL;
1393 entry.hashcodeFunction = NULL;
1394 entry.toStringFunction = NULL;
1395 entry.comparator = NULL;
1396 entry.duplicateFunction = pkix_CertSelector_Duplicate;
1397
1398 systemClasses[PKIX_CERTSELECTOR_TYPE] = entry;
1399
1400 PKIX_RETURN(CERTSELECTOR);
1401 }
1402
1403 /* --Public-Functions--------------------------------------------- */
1404
1405
1406 /*
1407 * FUNCTION: PKIX_CertSelector_Create (see comments in pkix_certsel.h)
1408 */
1409 PKIX_Error *
1410 PKIX_CertSelector_Create(
1411 PKIX_CertSelector_MatchCallback callback,
1412 PKIX_PL_Object *certSelectorContext,
1413 PKIX_CertSelector **pSelector,
1414 void *plContext)
1415 {
1416 PKIX_CertSelector *selector = NULL;
1417
1418 PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_Create");
1419 PKIX_NULLCHECK_ONE(pSelector);
1420
1421 PKIX_CHECK(PKIX_PL_Object_Alloc
1422 (PKIX_CERTSELECTOR_TYPE,
1423 sizeof (PKIX_CertSelector),
1424 (PKIX_PL_Object **)&selector,
1425 plContext),
1426 PKIX_COULDNOTCREATECERTSELECTOROBJECT);
1427
1428 /*
1429 * if user specified a particular match callback, we use that one.
1430 * otherwise, we use the default match implementation which
1431 * understands how to process PKIX_ComCertSelParams
1432 */
1433
1434 if (callback){
1435 selector->matchCallback = callback;
1436 } else {
1437 selector->matchCallback = pkix_CertSelector_DefaultMatch;
1438 }
1439
1440 /* initialize other fields */
1441 selector->params = NULL;
1442
1443 PKIX_INCREF(certSelectorContext);
1444 selector->context = certSelectorContext;
1445
1446 *pSelector = selector;
1447
1448 cleanup:
1449
1450 PKIX_RETURN(CERTSELECTOR);
1451
1452 }
1453
1454 /*
1455 * FUNCTION: PKIX_CertSelector_GetMatchCallback
1456 * (see comments in pkix_certsel.h)
1457 */
1458 PKIX_Error *
1459 PKIX_CertSelector_GetMatchCallback(
1460 PKIX_CertSelector *selector,
1461 PKIX_CertSelector_MatchCallback *pCallback,
1462 void *plContext)
1463 {
1464 PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_GetMatchCallback");
1465 PKIX_NULLCHECK_TWO(selector, pCallback);
1466
1467 *pCallback = selector->matchCallback;
1468
1469 PKIX_RETURN(CERTSELECTOR);
1470 }
1471
1472 /*
1473 * FUNCTION: PKIX_CertSelector_GetCertSelectorContext
1474 * (see comments in pkix_certsel.h)
1475 */
1476 PKIX_Error *
1477 PKIX_CertSelector_GetCertSelectorContext(
1478 PKIX_CertSelector *selector,
1479 PKIX_PL_Object **pCertSelectorContext,
1480 void *plContext)
1481 {
1482 PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_GetCertSelectorContext");
1483 PKIX_NULLCHECK_TWO(selector, pCertSelectorContext);
1484
1485 PKIX_INCREF(selector->context);
1486
1487 *pCertSelectorContext = selector->context;
1488
1489 cleanup:
1490 PKIX_RETURN(CERTSELECTOR);
1491 }
1492
1493 /*
1494 * FUNCTION: PKIX_CertSelector_GetCommonCertSelectorParams
1495 * (see comments in pkix_certsel.h)
1496 */
1497 PKIX_Error *
1498 PKIX_CertSelector_GetCommonCertSelectorParams(
1499 PKIX_CertSelector *selector,
1500 PKIX_ComCertSelParams **pParams,
1501 void *plContext)
1502 {
1503 PKIX_ENTER(CERTSELECTOR,
1504 "PKIX_CertSelector_GetCommonCertSelectorParams");
1505
1506 PKIX_NULLCHECK_TWO(selector, pParams);
1507
1508 PKIX_INCREF(selector->params);
1509 *pParams = selector->params;
1510
1511 cleanup:
1512 PKIX_RETURN(CERTSELECTOR);
1513
1514 }
1515
1516 /*
1517 * FUNCTION: PKIX_CertSelector_SetCommonCertSelectorParams
1518 * (see comments in pkix_certsel.h)
1519 */
1520 PKIX_Error *
1521 PKIX_CertSelector_SetCommonCertSelectorParams(
1522 PKIX_CertSelector *selector,
1523 PKIX_ComCertSelParams *params,
1524 void *plContext)
1525 {
1526 PKIX_ENTER(CERTSELECTOR,
1527 "PKIX_CertSelector_SetCommonCertSelectorParams");
1528
1529 PKIX_NULLCHECK_ONE(selector);
1530
1531 PKIX_DECREF(selector->params);
1532 PKIX_INCREF(params);
1533 selector->params = params;
1534
1535 PKIX_CHECK(PKIX_PL_Object_InvalidateCache
1536 ((PKIX_PL_Object *)selector, plContext),
1537 PKIX_OBJECTINVALIDATECACHEFAILED);
1538
1539 cleanup:
1540
1541 PKIX_RETURN(CERTSELECTOR);
1542
1543 }
1544
1545 /*
1546 * FUNCTION: pkix_CertSelector_Select
1547 * DESCRIPTION:
1548 *
1549 * This function applies the selector pointed to by "selector" to each Cert,
1550 * in turn, in the List pointed to by "before", and creates a List containing
1551 * all the Certs that matched, or passed the selection process, storing that
1552 * List at "pAfter". If no Certs match, an empty List is stored at "pAfter".
1553 *
1554 * The List returned in "pAfter" is immutable.
1555 *
1556 * PARAMETERS:
1557 * "selector"
1558 * Address of CertSelelector to be applied to the List. Must be non-NULL.
1559 * "before"
1560 * Address of List that is to be filtered. Must be non-NULL.
1561 * "pAfter"
1562 * Address at which resulting List, possibly empty, is stored. Must be
1563 * non-NULL.
1564 * "plContext"
1565 * Platform-specific context pointer.
1566 * THREAD SAFETY:
1567 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1568 * RETURNS:
1569 * Returns NULL if the function succeeds.
1570 * Returns a CertSelector Error if the function fails in a non-fatal way.
1571 * Returns a Fatal Error if the function fails in an unrecoverable way.
1572 */
1573 PKIX_Error *
1574 pkix_CertSelector_Select(
1575 PKIX_CertSelector *selector,
1576 PKIX_List *before,
1577 PKIX_List **pAfter,
1578 void *plContext)
1579 {
1580 PKIX_UInt32 numBefore = 0;
1581 PKIX_UInt32 i = 0;
1582 PKIX_List *filtered = NULL;
1583 PKIX_PL_Cert *candidate = NULL;
1584
1585 PKIX_ENTER(CERTSELECTOR, "PKIX_CertSelector_Select");
1586 PKIX_NULLCHECK_THREE(selector, before, pAfter);
1587
1588 PKIX_CHECK(PKIX_List_Create(&filtered, plContext),
1589 PKIX_LISTCREATEFAILED);
1590
1591 PKIX_CHECK(PKIX_List_GetLength(before, &numBefore, plContext),
1592 PKIX_LISTGETLENGTHFAILED);
1593
1594 for (i = 0; i < numBefore; i++) {
1595
1596 PKIX_CHECK(PKIX_List_GetItem
1597 (before, i, (PKIX_PL_Object **)&candidate, plContext),
1598 PKIX_LISTGETITEMFAILED);
1599
1600 PKIX_CHECK_ONLY_FATAL(selector->matchCallback
1601 (selector, candidate, plContext),
1602 PKIX_CERTSELECTORMATCHCALLBACKFAILED);
1603
1604 if (!(PKIX_ERROR_RECEIVED)) {
1605
1606 PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
1607 (filtered,
1608 (PKIX_PL_Object *)candidate,
1609 plContext),
1610 PKIX_LISTAPPENDITEMFAILED);
1611 }
1612
1613 pkixTempErrorReceived = PKIX_FALSE;
1614 PKIX_DECREF(candidate);
1615 }
1616
1617 PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext),
1618 PKIX_LISTSETIMMUTABLEFAILED);
1619
1620 /* Don't throw away the list if one Cert was bad! */
1621 pkixTempErrorReceived = PKIX_FALSE;
1622
1623 *pAfter = filtered;
1624 filtered = NULL;
1625
1626 cleanup:
1627
1628 PKIX_DECREF(filtered);
1629 PKIX_DECREF(candidate);
1630
1631 PKIX_RETURN(CERTSELECTOR);
1632
1633 }
OLDNEW
« no previous file with comments | « mozilla/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.h ('k') | mozilla/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698