| Index: mozilla/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
|
| ===================================================================
|
| --- mozilla/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c (revision 191424)
|
| +++ mozilla/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c (working copy)
|
| @@ -1,467 +0,0 @@
|
| -/* This Source Code Form is subject to the terms of the Mozilla Public
|
| - * License, v. 2.0. If a copy of the MPL was not distributed with this
|
| - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
| -/*
|
| - * pkix_revocationchecker.c
|
| - *
|
| - * RevocationChecker Object Functions
|
| - *
|
| - */
|
| -
|
| -#include "pkix_revocationchecker.h"
|
| -#include "pkix_tools.h"
|
| -
|
| -/* --Private-Functions-------------------------------------------- */
|
| -
|
| -/*
|
| - * FUNCTION: pkix_RevocationChecker_Destroy
|
| - * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
|
| - */
|
| -static PKIX_Error *
|
| -pkix_RevocationChecker_Destroy(
|
| - PKIX_PL_Object *object,
|
| - void *plContext)
|
| -{
|
| - PKIX_RevocationChecker *checker = NULL;
|
| -
|
| - PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_Destroy");
|
| - PKIX_NULLCHECK_ONE(object);
|
| -
|
| - /* Check that this object is a revocation checker */
|
| - PKIX_CHECK(pkix_CheckType
|
| - (object, PKIX_REVOCATIONCHECKER_TYPE, plContext),
|
| - PKIX_OBJECTNOTREVOCATIONCHECKER);
|
| -
|
| - checker = (PKIX_RevocationChecker *)object;
|
| -
|
| - PKIX_DECREF(checker->leafMethodList);
|
| - PKIX_DECREF(checker->chainMethodList);
|
| -
|
| -cleanup:
|
| -
|
| - PKIX_RETURN(REVOCATIONCHECKER);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_RevocationChecker_Duplicate
|
| - * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
|
| - */
|
| -static PKIX_Error *
|
| -pkix_RevocationChecker_Duplicate(
|
| - PKIX_PL_Object *object,
|
| - PKIX_PL_Object **pNewObject,
|
| - void *plContext)
|
| -{
|
| - PKIX_RevocationChecker *checker = NULL;
|
| - PKIX_RevocationChecker *checkerDuplicate = NULL;
|
| - PKIX_List *dupLeafList = NULL;
|
| - PKIX_List *dupChainList = NULL;
|
| -
|
| - PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_Duplicate");
|
| - PKIX_NULLCHECK_TWO(object, pNewObject);
|
| -
|
| - PKIX_CHECK(pkix_CheckType
|
| - (object, PKIX_REVOCATIONCHECKER_TYPE, plContext),
|
| - PKIX_OBJECTNOTCERTCHAINCHECKER);
|
| -
|
| - checker = (PKIX_RevocationChecker *)object;
|
| -
|
| - if (checker->leafMethodList){
|
| - PKIX_CHECK(PKIX_PL_Object_Duplicate
|
| - ((PKIX_PL_Object *)checker->leafMethodList,
|
| - (PKIX_PL_Object **)&dupLeafList,
|
| - plContext),
|
| - PKIX_OBJECTDUPLICATEFAILED);
|
| - }
|
| - if (checker->chainMethodList){
|
| - PKIX_CHECK(PKIX_PL_Object_Duplicate
|
| - ((PKIX_PL_Object *)checker->chainMethodList,
|
| - (PKIX_PL_Object **)&dupChainList,
|
| - plContext),
|
| - PKIX_OBJECTDUPLICATEFAILED);
|
| - }
|
| -
|
| - PKIX_CHECK(
|
| - PKIX_RevocationChecker_Create(checker->leafMethodListFlags,
|
| - checker->chainMethodListFlags,
|
| - &checkerDuplicate,
|
| - plContext),
|
| - PKIX_REVOCATIONCHECKERCREATEFAILED);
|
| -
|
| - checkerDuplicate->leafMethodList = dupLeafList;
|
| - checkerDuplicate->chainMethodList = dupChainList;
|
| - dupLeafList = NULL;
|
| - dupChainList = NULL;
|
| -
|
| - *pNewObject = (PKIX_PL_Object *)checkerDuplicate;
|
| -
|
| -cleanup:
|
| - PKIX_DECREF(dupLeafList);
|
| - PKIX_DECREF(dupChainList);
|
| -
|
| - PKIX_RETURN(REVOCATIONCHECKER);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_RevocationChecker_RegisterSelf
|
| - * DESCRIPTION:
|
| - * Registers PKIX_REVOCATIONCHECKER_TYPE and its related functions with
|
| - * systemClasses[]
|
| - * THREAD SAFETY:
|
| - * Not Thread Safe - for performance and complexity reasons
|
| - *
|
| - * Since this function is only called by PKIX_PL_Initialize, which should
|
| - * only be called once, it is acceptable that this function is not
|
| - * thread-safe.
|
| - */
|
| -PKIX_Error *
|
| -pkix_RevocationChecker_RegisterSelf(void *plContext)
|
| -{
|
| - extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
|
| - pkix_ClassTable_Entry entry;
|
| -
|
| - PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_RegisterSelf");
|
| -
|
| - entry.description = "RevocationChecker";
|
| - entry.objCounter = 0;
|
| - entry.typeObjectSize = sizeof(PKIX_RevocationChecker);
|
| - entry.destructor = pkix_RevocationChecker_Destroy;
|
| - entry.equalsFunction = NULL;
|
| - entry.hashcodeFunction = NULL;
|
| - entry.toStringFunction = NULL;
|
| - entry.comparator = NULL;
|
| - entry.duplicateFunction = pkix_RevocationChecker_Duplicate;
|
| -
|
| - systemClasses[PKIX_REVOCATIONCHECKER_TYPE] = entry;
|
| -
|
| - PKIX_RETURN(REVOCATIONCHECKER);
|
| -}
|
| -
|
| -/* Sort methods by theirs priorities */
|
| -static PKIX_Error *
|
| -pkix_RevocationChecker_SortComparator(
|
| - PKIX_PL_Object *obj1,
|
| - PKIX_PL_Object *obj2,
|
| - PKIX_Int32 *pResult,
|
| - void *plContext)
|
| -{
|
| - pkix_RevocationMethod *method1 = NULL, *method2 = NULL;
|
| -
|
| - PKIX_ENTER(BUILD, "pkix_RevocationChecker_SortComparator");
|
| -
|
| - method1 = (pkix_RevocationMethod *)obj1;
|
| - method2 = (pkix_RevocationMethod *)obj2;
|
| -
|
| - *pResult = (method1->priority > method2->priority);
|
| -
|
| - PKIX_RETURN(BUILD);
|
| -}
|
| -
|
| -
|
| -/* --Public-Functions--------------------------------------------- */
|
| -
|
| -
|
| -/*
|
| - * FUNCTION: PKIX_RevocationChecker_Create (see comments in pkix_revchecker.h)
|
| - */
|
| -PKIX_Error *
|
| -PKIX_RevocationChecker_Create(
|
| - PKIX_UInt32 leafMethodListFlags,
|
| - PKIX_UInt32 chainMethodListFlags,
|
| - PKIX_RevocationChecker **pChecker,
|
| - void *plContext)
|
| -{
|
| - PKIX_RevocationChecker *checker = NULL;
|
| -
|
| - PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_Create");
|
| - PKIX_NULLCHECK_ONE(pChecker);
|
| -
|
| - PKIX_CHECK(
|
| - PKIX_PL_Object_Alloc(PKIX_REVOCATIONCHECKER_TYPE,
|
| - sizeof (PKIX_RevocationChecker),
|
| - (PKIX_PL_Object **)&checker,
|
| - plContext),
|
| - PKIX_COULDNOTCREATECERTCHAINCHECKEROBJECT);
|
| -
|
| - checker->leafMethodListFlags = leafMethodListFlags;
|
| - checker->chainMethodListFlags = chainMethodListFlags;
|
| - checker->leafMethodList = NULL;
|
| - checker->chainMethodList = NULL;
|
| -
|
| - *pChecker = checker;
|
| - checker = NULL;
|
| -
|
| -cleanup:
|
| - PKIX_DECREF(checker);
|
| -
|
| - PKIX_RETURN(REVOCATIONCHECKER);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: PKIX_RevocationChecker_CreateAndAddMethod
|
| - */
|
| -PKIX_Error *
|
| -PKIX_RevocationChecker_CreateAndAddMethod(
|
| - PKIX_RevocationChecker *revChecker,
|
| - PKIX_ProcessingParams *params,
|
| - PKIX_RevocationMethodType methodType,
|
| - PKIX_UInt32 flags,
|
| - PKIX_UInt32 priority,
|
| - PKIX_PL_VerifyCallback verificationFn,
|
| - PKIX_Boolean isLeafMethod,
|
| - void *plContext)
|
| -{
|
| - PKIX_List **methodList = NULL;
|
| - PKIX_List *unsortedList = NULL;
|
| - PKIX_List *certStores = NULL;
|
| - pkix_RevocationMethod *method = NULL;
|
| - pkix_LocalRevocationCheckFn *localRevChecker = NULL;
|
| - pkix_ExternalRevocationCheckFn *externRevChecker = NULL;
|
| - PKIX_UInt32 miFlags;
|
| -
|
| - PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_CreateAndAddMethod");
|
| - PKIX_NULLCHECK_ONE(revChecker);
|
| -
|
| - /* If the caller has said "Either one is sufficient, then don't let the
|
| - * absence of any one method's info lead to an overall failure.
|
| - */
|
| - miFlags = isLeafMethod ? revChecker->leafMethodListFlags
|
| - : revChecker->chainMethodListFlags;
|
| - if (miFlags & PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE)
|
| - flags &= ~PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;
|
| -
|
| - switch (methodType) {
|
| - case PKIX_RevocationMethod_CRL:
|
| - localRevChecker = pkix_CrlChecker_CheckLocal;
|
| - externRevChecker = pkix_CrlChecker_CheckExternal;
|
| - PKIX_CHECK(
|
| - PKIX_ProcessingParams_GetCertStores(params, &certStores,
|
| - plContext),
|
| - PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);
|
| - PKIX_CHECK(
|
| - pkix_CrlChecker_Create(methodType, flags, priority,
|
| - localRevChecker, externRevChecker,
|
| - certStores, verificationFn,
|
| - &method,
|
| - plContext),
|
| - PKIX_COULDNOTCREATECRLCHECKEROBJECT);
|
| - break;
|
| - case PKIX_RevocationMethod_OCSP:
|
| - localRevChecker = pkix_OcspChecker_CheckLocal;
|
| - externRevChecker = pkix_OcspChecker_CheckExternal;
|
| - PKIX_CHECK(
|
| - pkix_OcspChecker_Create(methodType, flags, priority,
|
| - localRevChecker, externRevChecker,
|
| - verificationFn,
|
| - &method,
|
| - plContext),
|
| - PKIX_COULDNOTCREATEOCSPCHECKEROBJECT);
|
| - break;
|
| - default:
|
| - PKIX_ERROR(PKIX_INVALIDREVOCATIONMETHOD);
|
| - }
|
| -
|
| - if (isLeafMethod) {
|
| - methodList = &revChecker->leafMethodList;
|
| - } else {
|
| - methodList = &revChecker->chainMethodList;
|
| - }
|
| -
|
| - if (*methodList == NULL) {
|
| - PKIX_CHECK(
|
| - PKIX_List_Create(methodList, plContext),
|
| - PKIX_LISTCREATEFAILED);
|
| - }
|
| - unsortedList = *methodList;
|
| - PKIX_CHECK(
|
| - PKIX_List_AppendItem(unsortedList, (PKIX_PL_Object*)method, plContext),
|
| - PKIX_LISTAPPENDITEMFAILED);
|
| - PKIX_CHECK(
|
| - pkix_List_BubbleSort(unsortedList,
|
| - pkix_RevocationChecker_SortComparator,
|
| - methodList, plContext),
|
| - PKIX_LISTBUBBLESORTFAILED);
|
| -
|
| -cleanup:
|
| - PKIX_DECREF(method);
|
| - PKIX_DECREF(unsortedList);
|
| - PKIX_DECREF(certStores);
|
| -
|
| - PKIX_RETURN(REVOCATIONCHECKER);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: PKIX_RevocationChecker_Check
|
| - */
|
| -PKIX_Error *
|
| -PKIX_RevocationChecker_Check(
|
| - PKIX_PL_Cert *cert,
|
| - PKIX_PL_Cert *issuer,
|
| - PKIX_RevocationChecker *revChecker,
|
| - PKIX_ProcessingParams *procParams,
|
| - PKIX_Boolean chainVerificationState,
|
| - PKIX_Boolean testingLeafCert,
|
| - PKIX_RevocationStatus *pRevStatus,
|
| - PKIX_UInt32 *pReasonCode,
|
| - void **pNbioContext,
|
| - void *plContext)
|
| -{
|
| - PKIX_RevocationStatus overallStatus = PKIX_RevStatus_NoInfo;
|
| - PKIX_RevocationStatus methodStatus[PKIX_RevocationMethod_MAX];
|
| - PKIX_Boolean onlyUseRemoteMethods = PKIX_FALSE;
|
| - PKIX_UInt32 revFlags = 0;
|
| - PKIX_List *revList = NULL;
|
| - PKIX_PL_Date *date = NULL;
|
| - pkix_RevocationMethod *method = NULL;
|
| - void *nbioContext;
|
| - int tries;
|
| -
|
| - PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_Check");
|
| - PKIX_NULLCHECK_TWO(revChecker, procParams);
|
| -
|
| - nbioContext = *pNbioContext;
|
| - *pNbioContext = NULL;
|
| -
|
| - if (testingLeafCert) {
|
| - revList = revChecker->leafMethodList;
|
| - revFlags = revChecker->leafMethodListFlags;
|
| - } else {
|
| - revList = revChecker->chainMethodList;
|
| - revFlags = revChecker->chainMethodListFlags;
|
| - }
|
| - if (!revList) {
|
| - /* Return NoInfo status */
|
| - goto cleanup;
|
| - }
|
| -
|
| - PORT_Memset(methodStatus, PKIX_RevStatus_NoInfo,
|
| - sizeof(PKIX_RevocationStatus) * PKIX_RevocationMethod_MAX);
|
| -
|
| - date = procParams->date;
|
| -
|
| - /* Need to have two loops if we testing all local info first:
|
| - * first we are going to test all local(cached) info
|
| - * second, all remote info(fetching) */
|
| - for (tries = 0;tries < 2;tries++) {
|
| - int methodNum = 0;
|
| - for (;methodNum < revList->length;methodNum++) {
|
| - PKIX_UInt32 methodFlags = 0;
|
| -
|
| - PKIX_DECREF(method);
|
| - PKIX_CHECK(
|
| - PKIX_List_GetItem(revList, methodNum,
|
| - (PKIX_PL_Object**)&method, plContext),
|
| - PKIX_LISTGETITEMFAILED);
|
| - methodFlags = method->flags;
|
| - if (!(methodFlags & PKIX_REV_M_TEST_USING_THIS_METHOD)) {
|
| - /* Will not check with this method. Skipping... */
|
| - continue;
|
| - }
|
| - if (!onlyUseRemoteMethods &&
|
| - methodStatus[methodNum] == PKIX_RevStatus_NoInfo) {
|
| - PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
|
| - PKIX_CHECK_NO_GOTO(
|
| - (*method->localRevChecker)(cert, issuer, date,
|
| - method, procParams,
|
| - methodFlags,
|
| - chainVerificationState,
|
| - &revStatus,
|
| - pReasonCode, plContext),
|
| - PKIX_REVCHECKERCHECKFAILED);
|
| - methodStatus[methodNum] = revStatus;
|
| - if (revStatus == PKIX_RevStatus_Revoked) {
|
| - /* if error was generated use it as final error. */
|
| - overallStatus = PKIX_RevStatus_Revoked;
|
| - goto cleanup;
|
| - }
|
| - if (pkixErrorResult) {
|
| - /* Disregard errors. Only returned revStatus matters. */
|
| - PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,
|
| - plContext);
|
| - pkixErrorResult = NULL;
|
| - }
|
| - }
|
| - if ((!(revFlags & PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST) ||
|
| - onlyUseRemoteMethods) &&
|
| - chainVerificationState &&
|
| - methodStatus[methodNum] == PKIX_RevStatus_NoInfo) {
|
| - if (!(methodFlags & PKIX_REV_M_FORBID_NETWORK_FETCHING)) {
|
| - PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
|
| - PKIX_CHECK_NO_GOTO(
|
| - (*method->externalRevChecker)(cert, issuer, date,
|
| - method,
|
| - procParams, methodFlags,
|
| - &revStatus, pReasonCode,
|
| - &nbioContext, plContext),
|
| - PKIX_REVCHECKERCHECKFAILED);
|
| - methodStatus[methodNum] = revStatus;
|
| - if (revStatus == PKIX_RevStatus_Revoked) {
|
| - /* if error was generated use it as final error. */
|
| - overallStatus = PKIX_RevStatus_Revoked;
|
| - goto cleanup;
|
| - }
|
| - if (pkixErrorResult) {
|
| - /* Disregard errors. Only returned revStatus matters. */
|
| - PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,
|
| - plContext);
|
| - pkixErrorResult = NULL;
|
| - }
|
| - } else if (methodFlags &
|
| - PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO) {
|
| - /* Info is not in the local cache. Network fetching is not
|
| - * allowed. If need to fail on missing fresh info for the
|
| - * the method, then we should fail right here.*/
|
| - overallStatus = PKIX_RevStatus_Revoked;
|
| - goto cleanup;
|
| - }
|
| - }
|
| - /* If success and we should not check the next method, then
|
| - * return a success. */
|
| - if (methodStatus[methodNum] == PKIX_RevStatus_Success &&
|
| - !(methodFlags & PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO)) {
|
| - overallStatus = PKIX_RevStatus_Success;
|
| - goto cleanup;
|
| - }
|
| - } /* inner loop */
|
| - if (!onlyUseRemoteMethods &&
|
| - revFlags & PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST &&
|
| - chainVerificationState) {
|
| - onlyUseRemoteMethods = PKIX_TRUE;
|
| - continue;
|
| - }
|
| - break;
|
| - } /* outer loop */
|
| -
|
| - if (overallStatus == PKIX_RevStatus_NoInfo &&
|
| - chainVerificationState) {
|
| - /* The following check makes sence only for chain
|
| - * validation step, sinse we do not fetch info while
|
| - * in the process of finding trusted anchor.
|
| - * For chain building step it is enough to know, that
|
| - * the cert was not directly revoked by any of the
|
| - * methods. */
|
| -
|
| - /* Still have no info. But one of the method could
|
| - * have returned success status(possible if CONTINUE
|
| - * TESTING ON FRESH INFO flag was used).
|
| - * If any of the methods have returned Success status,
|
| - * the overallStatus should be success. */
|
| - int methodNum = 0;
|
| - for (;methodNum < PKIX_RevocationMethod_MAX;methodNum++) {
|
| - if (methodStatus[methodNum] == PKIX_RevStatus_Success) {
|
| - overallStatus = PKIX_RevStatus_Success;
|
| - goto cleanup;
|
| - }
|
| - }
|
| - if (revFlags & PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE) {
|
| - overallStatus = PKIX_RevStatus_Revoked;
|
| - }
|
| - }
|
| -
|
| -cleanup:
|
| - *pRevStatus = overallStatus;
|
| - PKIX_DECREF(method);
|
| -
|
| - PKIX_RETURN(REVOCATIONCHECKER);
|
| -}
|
| -
|
|
|
Chromium Code Reviews
Issue 14249009:
Change the NSS and NSPR source tree to the new directory structure to be (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/