| Index: mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c
|
| ===================================================================
|
| --- mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c (revision 191424)
|
| +++ mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c (working copy)
|
| @@ -1,1274 +0,0 @@
|
| -/* This Source Code Form is subject to the terms of the Mozilla Public
|
| - * License, v. 2.0. If a copy of the MPL was not distributed with this
|
| - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
| -/*
|
| - * pkix_pl_nameconstraints.c
|
| - *
|
| - * Name Constraints Object Functions Definitions
|
| - *
|
| - */
|
| -
|
| -#include "pkix_pl_nameconstraints.h"
|
| -
|
| -
|
| -/* --Private-NameConstraints-Functions----------------------------- */
|
| -
|
| -/*
|
| - * FUNCTION: pkix_pl_CertNameConstraints_GetPermitted
|
| - * DESCRIPTION:
|
| - *
|
| - * This function retrieve name constraints permitted list from NSS
|
| - * data in "nameConstraints" and returns a PKIX_PL_GeneralName list
|
| - * in "pPermittedList".
|
| - *
|
| - * PARAMETERS
|
| - * "nameConstraints"
|
| - * Address of CertNameConstraints which has a pointer to
|
| - * CERTNameConstraints data. Must be non-NULL.
|
| - * "pPermittedList"
|
| - * Address where returned permitted name list is stored. Must be non-NULL.
|
| - * "plContext" - Platform-specific context pointer.
|
| - * THREAD SAFETY:
|
| - * Conditionally Thread Safe
|
| - * (see Thread Safety Definitions in Programmer's Guide)
|
| - * RETURNS:
|
| - * Returns NULL if the function succeeds.
|
| - * Returns a NameConstraints Error if the function fails in a
|
| - * non-fatal way.
|
| - * Returns a Fatal Error if the function fails in an unrecoverable way.
|
| - */
|
| -static PKIX_Error *
|
| -pkix_pl_CertNameConstraints_GetPermitted(
|
| - PKIX_PL_CertNameConstraints *nameConstraints,
|
| - PKIX_List **pPermittedList,
|
| - void *plContext)
|
| -{
|
| - CERTNameConstraints *nssNameConstraints = NULL;
|
| - CERTNameConstraints **nssNameConstraintsList = NULL;
|
| - CERTNameConstraint *nssPermitted = NULL;
|
| - CERTNameConstraint *firstPermitted = NULL;
|
| - PKIX_List *permittedList = NULL;
|
| - PKIX_PL_GeneralName *name = NULL;
|
| - PKIX_UInt32 numItems = 0;
|
| - PKIX_UInt32 i;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS,
|
| - "pkix_pl_CertNameConstraints_GetPermitted");
|
| - PKIX_NULLCHECK_TWO(nameConstraints, pPermittedList);
|
| -
|
| - /*
|
| - * nssNameConstraints is an array of CERTNameConstraints
|
| - * pointers where CERTNameConstraints keep its permitted and excluded
|
| - * lists as pointer array of CERTNameConstraint.
|
| - */
|
| -
|
| - if (nameConstraints->permittedList == NULL) {
|
| -
|
| - PKIX_OBJECT_LOCK(nameConstraints);
|
| -
|
| - if (nameConstraints->permittedList == NULL) {
|
| -
|
| - PKIX_CHECK(PKIX_List_Create(&permittedList, plContext),
|
| - PKIX_LISTCREATEFAILED);
|
| -
|
| - numItems = nameConstraints->numNssNameConstraints;
|
| - nssNameConstraintsList =
|
| - nameConstraints->nssNameConstraintsList;
|
| -
|
| - for (i = 0; i < numItems; i++) {
|
| -
|
| - PKIX_NULLCHECK_ONE(nssNameConstraintsList);
|
| - nssNameConstraints = *(nssNameConstraintsList + i);
|
| - PKIX_NULLCHECK_ONE(nssNameConstraints);
|
| -
|
| - if (nssNameConstraints->permited != NULL) {
|
| -
|
| - nssPermitted = nssNameConstraints->permited;
|
| - firstPermitted = nssPermitted;
|
| -
|
| - do {
|
| -
|
| - PKIX_CHECK(pkix_pl_GeneralName_Create
|
| - (&nssPermitted->name, &name, plContext),
|
| - PKIX_GENERALNAMECREATEFAILED);
|
| -
|
| - PKIX_CHECK(PKIX_List_AppendItem
|
| - (permittedList,
|
| - (PKIX_PL_Object *)name,
|
| - plContext),
|
| - PKIX_LISTAPPENDITEMFAILED);
|
| -
|
| - PKIX_DECREF(name);
|
| -
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling CERT_GetNextNameConstraint\n");
|
| - nssPermitted = CERT_GetNextNameConstraint
|
| - (nssPermitted);
|
| -
|
| - } while (nssPermitted != firstPermitted);
|
| -
|
| - }
|
| - }
|
| -
|
| - PKIX_CHECK(PKIX_List_SetImmutable(permittedList, plContext),
|
| - PKIX_LISTSETIMMUTABLEFAILED);
|
| -
|
| - nameConstraints->permittedList = permittedList;
|
| -
|
| - }
|
| -
|
| - PKIX_OBJECT_UNLOCK(nameConstraints);
|
| -
|
| - }
|
| -
|
| - PKIX_INCREF(nameConstraints->permittedList);
|
| -
|
| - *pPermittedList = nameConstraints->permittedList;
|
| -
|
| -cleanup:
|
| -
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_pl_CertNameConstraints_GetExcluded
|
| - * DESCRIPTION:
|
| - *
|
| - * This function retrieve name constraints excluded list from NSS
|
| - * data in "nameConstraints" and returns a PKIX_PL_GeneralName list
|
| - * in "pExcludedList".
|
| - *
|
| - * PARAMETERS
|
| - * "nameConstraints"
|
| - * Address of CertNameConstraints which has a pointer to NSS data.
|
| - * Must be non-NULL.
|
| - * "pPermittedList"
|
| - * Address where returned excluded name list is stored. Must be non-NULL.
|
| - * "plContext" - Platform-specific context pointer.
|
| - * THREAD SAFETY:
|
| - * Conditionally Thread Safe
|
| - * (see Thread Safety Definitions in Programmer's Guide)
|
| - * RETURNS:
|
| - * Returns NULL if the function succeeds.
|
| - * Returns a NameConstraints Error if the function fails in a
|
| - * non-fatal way.
|
| - * Returns a Fatal Error if the function fails in an unrecoverable way.
|
| - */
|
| -static PKIX_Error *
|
| -pkix_pl_CertNameConstraints_GetExcluded(
|
| - PKIX_PL_CertNameConstraints *nameConstraints,
|
| - PKIX_List **pExcludedList,
|
| - void *plContext)
|
| -{
|
| - CERTNameConstraints *nssNameConstraints = NULL;
|
| - CERTNameConstraints **nssNameConstraintsList = NULL;
|
| - CERTNameConstraint *nssExcluded = NULL;
|
| - CERTNameConstraint *firstExcluded = NULL;
|
| - PKIX_List *excludedList = NULL;
|
| - PKIX_PL_GeneralName *name = NULL;
|
| - PKIX_UInt32 numItems = 0;
|
| - PKIX_UInt32 i;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS,
|
| - "pkix_pl_CertNameConstraints_GetExcluded");
|
| - PKIX_NULLCHECK_TWO(nameConstraints, pExcludedList);
|
| -
|
| - if (nameConstraints->excludedList == NULL) {
|
| -
|
| - PKIX_OBJECT_LOCK(nameConstraints);
|
| -
|
| - if (nameConstraints->excludedList == NULL) {
|
| -
|
| - PKIX_CHECK(PKIX_List_Create(&excludedList, plContext),
|
| - PKIX_LISTCREATEFAILED);
|
| -
|
| - numItems = nameConstraints->numNssNameConstraints;
|
| - nssNameConstraintsList =
|
| - nameConstraints->nssNameConstraintsList;
|
| -
|
| - for (i = 0; i < numItems; i++) {
|
| -
|
| - PKIX_NULLCHECK_ONE(nssNameConstraintsList);
|
| - nssNameConstraints = *(nssNameConstraintsList + i);
|
| - PKIX_NULLCHECK_ONE(nssNameConstraints);
|
| -
|
| - if (nssNameConstraints->excluded != NULL) {
|
| -
|
| - nssExcluded = nssNameConstraints->excluded;
|
| - firstExcluded = nssExcluded;
|
| -
|
| - do {
|
| -
|
| - PKIX_CHECK(pkix_pl_GeneralName_Create
|
| - (&nssExcluded->name, &name, plContext),
|
| - PKIX_GENERALNAMECREATEFAILED);
|
| -
|
| - PKIX_CHECK(PKIX_List_AppendItem
|
| - (excludedList,
|
| - (PKIX_PL_Object *)name,
|
| - plContext),
|
| - PKIX_LISTAPPENDITEMFAILED);
|
| -
|
| - PKIX_DECREF(name);
|
| -
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling CERT_GetNextNameConstraint\n");
|
| - nssExcluded = CERT_GetNextNameConstraint
|
| - (nssExcluded);
|
| -
|
| - } while (nssExcluded != firstExcluded);
|
| -
|
| - }
|
| -
|
| - }
|
| - PKIX_CHECK(PKIX_List_SetImmutable(excludedList, plContext),
|
| - PKIX_LISTSETIMMUTABLEFAILED);
|
| -
|
| - nameConstraints->excludedList = excludedList;
|
| -
|
| - }
|
| -
|
| - PKIX_OBJECT_UNLOCK(nameConstraints);
|
| - }
|
| -
|
| - PKIX_INCREF(nameConstraints->excludedList);
|
| -
|
| - *pExcludedList = nameConstraints->excludedList;
|
| -
|
| -cleanup:
|
| -
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_pl_CertNameConstraints_CheckNameSpaceNssNames
|
| - * DESCRIPTION:
|
| - *
|
| - * This function checks if CERTGeneralNames in "nssSubjectNames" comply
|
| - * with the permitted and excluded names in "nameConstraints". It returns
|
| - * PKIX_TRUE in "pCheckPass", if the Names satify the name space of the
|
| - * permitted list and if the Names are not in the excluded list. Otherwise,
|
| - * it returns PKIX_FALSE.
|
| - *
|
| - * PARAMETERS
|
| - * "nssSubjectNames"
|
| - * List of CERTGeneralName that nameConstraints verification is based on.
|
| - * "nameConstraints"
|
| - * Address of CertNameConstraints that provides lists of permitted
|
| - * and excluded names. Must be non-NULL.
|
| - * "pCheckPass"
|
| - * Address where PKIX_TRUE is returned if the all names in "nameList" are
|
| - * valid.
|
| - * "plContext" - Platform-specific context pointer.
|
| - * THREAD SAFETY:
|
| - * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
|
| - * RETURNS:
|
| - * Returns NULL if the function succeeds.
|
| - * Returns a NameConstraints Error if the function fails in a
|
| - * non-fatal way.
|
| - * Returns a Fatal Error if the function fails in an unrecoverable way.
|
| - */
|
| -PKIX_Error *
|
| -pkix_pl_CertNameConstraints_CheckNameSpaceNssNames(
|
| - CERTGeneralName *nssSubjectNames,
|
| - PKIX_PL_CertNameConstraints *nameConstraints,
|
| - PKIX_Boolean *pCheckPass,
|
| - void *plContext)
|
| -{
|
| - CERTNameConstraints **nssNameConstraintsList = NULL;
|
| - CERTNameConstraints *nssNameConstraints = NULL;
|
| - CERTGeneralName *nssMatchName = NULL;
|
| - PRArenaPool *arena = NULL;
|
| - PKIX_UInt32 numItems = 0;
|
| - PKIX_UInt32 i;
|
| - SECStatus status = SECSuccess;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS,
|
| - "pkix_pl_CertNameConstraints_CheckNameSpaceNssNames");
|
| - PKIX_NULLCHECK_THREE(nssSubjectNames, nameConstraints, pCheckPass);
|
| -
|
| - *pCheckPass = PKIX_TRUE;
|
| -
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena\n");
|
| - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
| - if (arena == NULL) {
|
| - PKIX_ERROR(PKIX_OUTOFMEMORY);
|
| - }
|
| -
|
| - nssMatchName = nssSubjectNames;
|
| - nssNameConstraintsList = nameConstraints->nssNameConstraintsList;
|
| -
|
| - /*
|
| - * CERTNameConstraint items in each permitted or excluded list
|
| - * is verified as OR condition. That means, if one item matched,
|
| - * then the checking on the remaining items on the list is skipped.
|
| - * (see NSS cert_CompareNameWithConstraints(...)).
|
| - * Items on PKIX_PL_NameConstraint's nssNameConstraints are verified
|
| - * as AND condition. PKIX_PL_NameConstraint keeps an array of pointers
|
| - * of CERTNameConstraints resulting from merging multiple
|
| - * PKIX_PL_NameConstraints. Since each CERTNameConstraint are created
|
| - * for different entity, a union condition of these entities then is
|
| - * performed.
|
| - */
|
| -
|
| - do {
|
| -
|
| - numItems = nameConstraints->numNssNameConstraints;
|
| -
|
| - for (i = 0; i < numItems; i++) {
|
| -
|
| - PKIX_NULLCHECK_ONE(nssNameConstraintsList);
|
| - nssNameConstraints = *(nssNameConstraintsList + i);
|
| - PKIX_NULLCHECK_ONE(nssNameConstraints);
|
| -
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling CERT_CheckNameSpace\n");
|
| - status = CERT_CheckNameSpace
|
| - (arena, nssNameConstraints, nssMatchName);
|
| - if (status != SECSuccess) {
|
| - break;
|
| - }
|
| -
|
| - }
|
| -
|
| - if (status != SECSuccess) {
|
| - break;
|
| - }
|
| -
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling CERT_GetNextGeneralName\n");
|
| - nssMatchName = CERT_GetNextGeneralName(nssMatchName);
|
| -
|
| - } while (nssMatchName != nssSubjectNames);
|
| -
|
| - if (status == SECFailure) {
|
| -
|
| - *pCheckPass = PKIX_FALSE;
|
| - }
|
| -
|
| -cleanup:
|
| -
|
| - if (arena){
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling PORT_FreeArena).\n");
|
| - PORT_FreeArena(arena, PR_FALSE);
|
| - }
|
| -
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_pl_NameConstraints_Destroy
|
| - * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
|
| - */
|
| -static PKIX_Error *
|
| -pkix_pl_CertNameConstraints_Destroy(
|
| - PKIX_PL_Object *object,
|
| - void *plContext)
|
| -{
|
| - PKIX_PL_CertNameConstraints *nameConstraints = NULL;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Destroy");
|
| - PKIX_NULLCHECK_ONE(object);
|
| -
|
| - PKIX_CHECK(pkix_CheckType
|
| - (object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
|
| - PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
|
| -
|
| - nameConstraints = (PKIX_PL_CertNameConstraints *)object;
|
| -
|
| - PKIX_CHECK(PKIX_PL_Free
|
| - (nameConstraints->nssNameConstraintsList, plContext),
|
| - PKIX_FREEFAILED);
|
| -
|
| - if (nameConstraints->arena){
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling PORT_FreeArena).\n");
|
| - PORT_FreeArena(nameConstraints->arena, PR_FALSE);
|
| - nameConstraints->arena = NULL;
|
| - }
|
| -
|
| - PKIX_DECREF(nameConstraints->permittedList);
|
| - PKIX_DECREF(nameConstraints->excludedList);
|
| -
|
| -cleanup:
|
| -
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_pl_CertNameConstraints_ToString_Helper
|
| - * DESCRIPTION:
|
| - *
|
| - * Helper function that creates a string representation of the object
|
| - * NameConstraints and stores it at "pString".
|
| - *
|
| - * PARAMETERS
|
| - * "nameConstraints"
|
| - * Address of CertNameConstraints whose string representation is
|
| - * desired. Must be non-NULL.
|
| - * "pString"
|
| - * Address where string object pointer will be stored. Must be non-NULL.
|
| - * "plContext" - Platform-specific context pointer.
|
| - * THREAD SAFETY:
|
| - * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
|
| - * RETURNS:
|
| - * Returns NULL if the function succeeds.
|
| - * Returns a NameConstraints Error if the function fails in a
|
| - * non-fatal way.
|
| - * Returns a Fatal Error if the function fails in an unrecoverable way.
|
| - */
|
| -static PKIX_Error *
|
| -pkix_pl_CertNameConstraints_ToString_Helper(
|
| - PKIX_PL_CertNameConstraints *nameConstraints,
|
| - PKIX_PL_String **pString,
|
| - void *plContext)
|
| -{
|
| - char *asciiFormat = NULL;
|
| - PKIX_PL_String *formatString = NULL;
|
| - PKIX_List *permittedList = NULL;
|
| - PKIX_List *excludedList = NULL;
|
| - PKIX_PL_String *permittedListString = NULL;
|
| - PKIX_PL_String *excludedListString = NULL;
|
| - PKIX_PL_String *nameConstraintsString = NULL;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS,
|
| - "pkix_pl_CertNameConstraints_ToString_Helper");
|
| - PKIX_NULLCHECK_TWO(nameConstraints, pString);
|
| -
|
| - asciiFormat =
|
| - "[\n"
|
| - "\t\tPermitted Name: %s\n"
|
| - "\t\tExcluded Name: %s\n"
|
| - "\t]\n";
|
| -
|
| - PKIX_CHECK(PKIX_PL_String_Create
|
| - (PKIX_ESCASCII,
|
| - asciiFormat,
|
| - 0,
|
| - &formatString,
|
| - plContext),
|
| - PKIX_STRINGCREATEFAILED);
|
| -
|
| - PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
|
| - (nameConstraints, &permittedList, plContext),
|
| - PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
|
| -
|
| - PKIX_TOSTRING(permittedList, &permittedListString, plContext,
|
| - PKIX_LISTTOSTRINGFAILED);
|
| -
|
| - PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
|
| - (nameConstraints, &excludedList, plContext),
|
| - PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
|
| -
|
| - PKIX_TOSTRING(excludedList, &excludedListString, plContext,
|
| - PKIX_LISTTOSTRINGFAILED);
|
| -
|
| - PKIX_CHECK(PKIX_PL_Sprintf
|
| - (&nameConstraintsString,
|
| - plContext,
|
| - formatString,
|
| - permittedListString,
|
| - excludedListString),
|
| - PKIX_SPRINTFFAILED);
|
| -
|
| - *pString = nameConstraintsString;
|
| -
|
| -cleanup:
|
| -
|
| - PKIX_DECREF(formatString);
|
| - PKIX_DECREF(permittedList);
|
| - PKIX_DECREF(excludedList);
|
| - PKIX_DECREF(permittedListString);
|
| - PKIX_DECREF(excludedListString);
|
| -
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_pl_CertNameConstraints_ToString
|
| - * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
|
| - */
|
| -static PKIX_Error *
|
| -pkix_pl_CertNameConstraints_ToString(
|
| - PKIX_PL_Object *object,
|
| - PKIX_PL_String **pString,
|
| - void *plContext)
|
| -{
|
| - PKIX_PL_String *nameConstraintsString = NULL;
|
| - PKIX_PL_CertNameConstraints *nameConstraints = NULL;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_ToString");
|
| - PKIX_NULLCHECK_TWO(object, pString);
|
| -
|
| - PKIX_CHECK(pkix_CheckType(
|
| - object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
|
| - PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
|
| -
|
| - nameConstraints = (PKIX_PL_CertNameConstraints *)object;
|
| -
|
| - PKIX_CHECK(pkix_pl_CertNameConstraints_ToString_Helper
|
| - (nameConstraints, &nameConstraintsString, plContext),
|
| - PKIX_CERTNAMECONSTRAINTSTOSTRINGHELPERFAILED);
|
| -
|
| - *pString = nameConstraintsString;
|
| -
|
| -cleanup:
|
| -
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_pl_CertNameConstraints_Hashcode
|
| - * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
|
| - */
|
| -static PKIX_Error *
|
| -pkix_pl_CertNameConstraints_Hashcode(
|
| - PKIX_PL_Object *object,
|
| - PKIX_UInt32 *pHashcode,
|
| - void *plContext)
|
| -{
|
| - PKIX_PL_CertNameConstraints *nameConstraints = NULL;
|
| - PKIX_List *permittedList = NULL;
|
| - PKIX_List *excludedList = NULL;
|
| - PKIX_UInt32 permitHash = 0;
|
| - PKIX_UInt32 excludeHash = 0;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Hashcode");
|
| - PKIX_NULLCHECK_TWO(object, pHashcode);
|
| -
|
| - PKIX_CHECK(pkix_CheckType
|
| - (object, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
|
| - PKIX_OBJECTNOTCERTNAMECONSTRAINTS);
|
| -
|
| - nameConstraints = (PKIX_PL_CertNameConstraints *)object;
|
| -
|
| - PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
|
| - (nameConstraints, &permittedList, plContext),
|
| - PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
|
| -
|
| - PKIX_HASHCODE(permittedList, &permitHash, plContext,
|
| - PKIX_OBJECTHASHCODEFAILED);
|
| -
|
| - PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
|
| - (nameConstraints, &excludedList, plContext),
|
| - PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
|
| -
|
| - PKIX_HASHCODE(excludedList, &excludeHash, plContext,
|
| - PKIX_OBJECTHASHCODEFAILED);
|
| -
|
| - *pHashcode = (((permitHash << 7) + excludeHash) << 7) +
|
| - nameConstraints->numNssNameConstraints;
|
| -
|
| -cleanup:
|
| -
|
| - PKIX_DECREF(permittedList);
|
| - PKIX_DECREF(excludedList);
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_pl_CertNameConstraints_Equals
|
| - * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
|
| - */
|
| -static PKIX_Error *
|
| -pkix_pl_CertNameConstraints_Equals(
|
| - PKIX_PL_Object *firstObject,
|
| - PKIX_PL_Object *secondObject,
|
| - PKIX_Boolean *pResult,
|
| - void *plContext)
|
| -{
|
| - PKIX_PL_CertNameConstraints *firstNC = NULL;
|
| - PKIX_PL_CertNameConstraints *secondNC = NULL;
|
| - PKIX_List *firstPermittedList = NULL;
|
| - PKIX_List *secondPermittedList = NULL;
|
| - PKIX_List *firstExcludedList = NULL;
|
| - PKIX_List *secondExcludedList = NULL;
|
| - PKIX_UInt32 secondType;
|
| - PKIX_Boolean cmpResult = PKIX_FALSE;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Equals");
|
| - PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
|
| -
|
| - /* test that firstObject is a CertNameConstraints */
|
| - PKIX_CHECK(pkix_CheckType
|
| - (firstObject, PKIX_CERTNAMECONSTRAINTS_TYPE, plContext),
|
| - PKIX_FIRSTOBJECTNOTCERTNAMECONSTRAINTS);
|
| -
|
| - firstNC = (PKIX_PL_CertNameConstraints *)firstObject;
|
| - secondNC = (PKIX_PL_CertNameConstraints *)secondObject;
|
| -
|
| - /*
|
| - * Since we know firstObject is a CertNameConstraints, if both
|
| - * references are identical, they must be equal
|
| - */
|
| - if (firstNC == secondNC){
|
| - *pResult = PKIX_TRUE;
|
| - goto cleanup;
|
| - }
|
| -
|
| - /*
|
| - * If secondNC isn't a CertNameConstraints, we don't throw an error.
|
| - * We simply return a Boolean result of FALSE
|
| - */
|
| - *pResult = PKIX_FALSE;
|
| -
|
| - PKIX_CHECK(PKIX_PL_Object_GetType
|
| - ((PKIX_PL_Object *)secondNC, &secondType, plContext),
|
| - PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
|
| -
|
| - if (secondType != PKIX_CERTNAMECONSTRAINTS_TYPE) {
|
| - goto cleanup;
|
| - }
|
| -
|
| - PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
|
| - (firstNC, &firstPermittedList, plContext),
|
| - PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
|
| -
|
| - PKIX_CHECK(pkix_pl_CertNameConstraints_GetPermitted
|
| - (secondNC, &secondPermittedList, plContext),
|
| - PKIX_CERTNAMECONSTRAINTSGETPERMITTEDFAILED);
|
| -
|
| - PKIX_EQUALS
|
| - (firstPermittedList, secondPermittedList, &cmpResult, plContext,
|
| - PKIX_OBJECTEQUALSFAILED);
|
| -
|
| - if (cmpResult != PKIX_TRUE) {
|
| - goto cleanup;
|
| - }
|
| -
|
| - PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
|
| - (firstNC, &firstExcludedList, plContext),
|
| - PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
|
| -
|
| - PKIX_CHECK(pkix_pl_CertNameConstraints_GetExcluded
|
| - (secondNC, &secondExcludedList, plContext),
|
| - PKIX_CERTNAMECONSTRAINTSGETEXCLUDEDFAILED);
|
| -
|
| - PKIX_EQUALS
|
| - (firstExcludedList, secondExcludedList, &cmpResult, plContext,
|
| - PKIX_OBJECTEQUALSFAILED);
|
| -
|
| - if (cmpResult != PKIX_TRUE) {
|
| - goto cleanup;
|
| - }
|
| -
|
| - /*
|
| - * numNssNameConstraints is not checked because it is basically a
|
| - * merge count, it cannot determine the data equality.
|
| - */
|
| -
|
| - *pResult = PKIX_TRUE;
|
| -
|
| -cleanup:
|
| -
|
| - PKIX_DECREF(firstPermittedList);
|
| - PKIX_DECREF(secondPermittedList);
|
| - PKIX_DECREF(firstExcludedList);
|
| - PKIX_DECREF(secondExcludedList);
|
| -
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_pl_CertNameConstraints_RegisterSelf
|
| - * DESCRIPTION:
|
| - * Registers PKIX_CERTNAMECONSTRAINTS_TYPE and its related functions with
|
| - * systemClasses[]
|
| - * THREAD SAFETY:
|
| - * Not Thread Safe - for performance and complexity reasons
|
| - *
|
| - * Since this function is only called by PKIX_PL_Initialize, which should
|
| - * only be called once, it is acceptable that this function is not
|
| - * thread-safe.
|
| - */
|
| -PKIX_Error *
|
| -pkix_pl_CertNameConstraints_RegisterSelf(void *plContext)
|
| -{
|
| - extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
|
| - pkix_ClassTable_Entry entry;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS,
|
| - "pkix_pl_CertNameConstraints_RegisterSelf");
|
| -
|
| - entry.description = "CertNameConstraints";
|
| - entry.objCounter = 0;
|
| - entry.typeObjectSize = sizeof(PKIX_PL_CertNameConstraints);
|
| - entry.destructor = pkix_pl_CertNameConstraints_Destroy;
|
| - entry.equalsFunction = pkix_pl_CertNameConstraints_Equals;
|
| - entry.hashcodeFunction = pkix_pl_CertNameConstraints_Hashcode;
|
| - entry.toStringFunction = pkix_pl_CertNameConstraints_ToString;
|
| - entry.comparator = NULL;
|
| - entry.duplicateFunction = pkix_duplicateImmutable;
|
| -
|
| - systemClasses[PKIX_CERTNAMECONSTRAINTS_TYPE] = entry;
|
| -
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_pl_CertNameConstraints_Create_Helper
|
| - *
|
| - * DESCRIPTION:
|
| - * This function retrieves name constraints in "nssNameConstraints",
|
| - * converts and stores the result in a PKIX_PL_CertNameConstraints object.
|
| - *
|
| - * PARAMETERS
|
| - * "nssNameConstraints"
|
| - * Address of CERTNameConstraints that contains this object's data.
|
| - * Must be non-NULL.
|
| - * "pNameConstraints"
|
| - * Address where object pointer will be stored. Must be non-NULL.
|
| - * A NULL value will be returned if there is no Name Constraints extension.
|
| - * "plContext" - Platform-specific context pointer.
|
| - *
|
| - * THREAD SAFETY:
|
| - * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
|
| - *
|
| - * RETURNS:
|
| - * Returns NULL if the function succeeds.
|
| - * Returns a NameConstraints Error if the function fails in a non-fatal way.
|
| - * Returns a Fatal Error if the function fails in an unrecoverable way.
|
| - */
|
| -static PKIX_Error *
|
| -pkix_pl_CertNameConstraints_Create_Helper(
|
| - CERTNameConstraints *nssNameConstraints,
|
| - PKIX_PL_CertNameConstraints **pNameConstraints,
|
| - void *plContext)
|
| -{
|
| - PKIX_PL_CertNameConstraints *nameConstraints = NULL;
|
| - CERTNameConstraints **nssNameConstraintPtr = NULL;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS,
|
| - "pkix_pl_CertNameConstraints_Create_Helper");
|
| - PKIX_NULLCHECK_TWO(nssNameConstraints, pNameConstraints);
|
| -
|
| - PKIX_CHECK(PKIX_PL_Object_Alloc
|
| - (PKIX_CERTNAMECONSTRAINTS_TYPE,
|
| - sizeof (PKIX_PL_CertNameConstraints),
|
| - (PKIX_PL_Object **)&nameConstraints,
|
| - plContext),
|
| - PKIX_COULDNOTCREATECERTNAMECONSTRAINTSOBJECT);
|
| -
|
| - PKIX_CHECK(PKIX_PL_Malloc
|
| - (sizeof (CERTNameConstraint *),
|
| - (void *)&nssNameConstraintPtr,
|
| - plContext),
|
| - PKIX_MALLOCFAILED);
|
| -
|
| - nameConstraints->numNssNameConstraints = 1;
|
| - nameConstraints->nssNameConstraintsList = nssNameConstraintPtr;
|
| - *nssNameConstraintPtr = nssNameConstraints;
|
| -
|
| - nameConstraints->permittedList = NULL;
|
| - nameConstraints->excludedList = NULL;
|
| - nameConstraints->arena = NULL;
|
| -
|
| - *pNameConstraints = nameConstraints;
|
| -
|
| -cleanup:
|
| -
|
| - if (PKIX_ERROR_RECEIVED){
|
| - PKIX_DECREF(nameConstraints);
|
| - }
|
| -
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_pl_CertNameConstraints_Create
|
| - *
|
| - * DESCRIPTION:
|
| - * function that allocates and initialize the object CertNameConstraints.
|
| - *
|
| - * PARAMETERS
|
| - * "nssCert"
|
| - * Address of CERT that contains this object's data.
|
| - * Must be non-NULL.
|
| - * "pNameConstraints"
|
| - * Address where object pointer will be stored. Must be non-NULL.
|
| - * A NULL value will be returned if there is no Name Constraints extension.
|
| - * "plContext" - Platform-specific context pointer.
|
| - *
|
| - * THREAD SAFETY:
|
| - * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
|
| - *
|
| - * RETURNS:
|
| - * Returns NULL if the function succeeds.
|
| - * Returns a NameConstraints Error if the function fails in a non-fatal way.
|
| - * Returns a Fatal Error if the function fails in an unrecoverable way.
|
| - */
|
| -PKIX_Error *
|
| -pkix_pl_CertNameConstraints_Create(
|
| - CERTCertificate *nssCert,
|
| - PKIX_PL_CertNameConstraints **pNameConstraints,
|
| - void *plContext)
|
| -{
|
| - PKIX_PL_CertNameConstraints *nameConstraints = NULL;
|
| - CERTNameConstraints *nssNameConstraints = NULL;
|
| - PLArenaPool *arena = NULL;
|
| - SECStatus status;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Create");
|
| - PKIX_NULLCHECK_THREE(nssCert, pNameConstraints, nssCert->arena);
|
| -
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena).\n");
|
| - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
| - if (arena == NULL) {
|
| - PKIX_ERROR(PKIX_OUTOFMEMORY);
|
| - }
|
| -
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling CERT_FindNameConstraintsExten\n");
|
| - status = CERT_FindNameConstraintsExten
|
| - (arena, nssCert, &nssNameConstraints);
|
| -
|
| - if (status != SECSuccess) {
|
| - PKIX_ERROR(PKIX_DECODINGCERTNAMECONSTRAINTSFAILED);
|
| - }
|
| -
|
| - if (nssNameConstraints == NULL) {
|
| - *pNameConstraints = NULL;
|
| - if (arena){
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling PORT_FreeArena).\n");
|
| - PORT_FreeArena(arena, PR_FALSE);
|
| - }
|
| - goto cleanup;
|
| - }
|
| -
|
| - PKIX_CHECK(pkix_pl_CertNameConstraints_Create_Helper
|
| - (nssNameConstraints, &nameConstraints, plContext),
|
| - PKIX_CERTNAMECONSTRAINTSCREATEHELPERFAILED);
|
| -
|
| - nameConstraints->arena = arena;
|
| -
|
| - *pNameConstraints = nameConstraints;
|
| -
|
| -cleanup:
|
| -
|
| - if (PKIX_ERROR_RECEIVED){
|
| - if (arena){
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling PORT_FreeArena).\n");
|
| - PORT_FreeArena(arena, PR_FALSE);
|
| - }
|
| - }
|
| -
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_pl_CertNameConstraints_CreateByMerge
|
| - *
|
| - * DESCRIPTION:
|
| - *
|
| - * This function allocates and creates a PKIX_PL_NameConstraint object
|
| - * for merging. It also allocates CERTNameConstraints data space for the
|
| - * merged NSS NameConstraints data.
|
| - *
|
| - * PARAMETERS
|
| - * "pNameConstraints"
|
| - * Address where object pointer will be stored and returned.
|
| - * Must be non-NULL.
|
| - * "plContext" - Platform-specific context pointer.
|
| - *
|
| - * THREAD SAFETY:
|
| - * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
|
| - *
|
| - * RETURNS:
|
| - * Returns NULL if the function succeeds.
|
| - * Returns a NameConstraints Error if the function fails in a non-fatal way.
|
| - * Returns a Fatal Error if the function fails in an unrecoverable way.
|
| - */
|
| -static PKIX_Error *
|
| -pkix_pl_CertNameConstraints_CreateByMerge(
|
| - PKIX_PL_CertNameConstraints **pNameConstraints,
|
| - void *plContext)
|
| -{
|
| - PKIX_PL_CertNameConstraints *nameConstraints = NULL;
|
| - CERTNameConstraints *nssNameConstraints = NULL;
|
| - PLArenaPool *arena = NULL;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS,
|
| - "pkix_pl_CertNameConstraints_CreateByMerge");
|
| - PKIX_NULLCHECK_ONE(pNameConstraints);
|
| -
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena).\n");
|
| - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
| - if (arena == NULL) {
|
| - PKIX_ERROR(PKIX_OUTOFMEMORY);
|
| - }
|
| -
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_ArenaZNew).\n");
|
| - nssNameConstraints = PORT_ArenaZNew(arena, CERTNameConstraints);
|
| - if (nssNameConstraints == NULL) {
|
| - PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
|
| - }
|
| -
|
| - nssNameConstraints->permited = NULL;
|
| - nssNameConstraints->excluded = NULL;
|
| - nssNameConstraints->DERPermited = NULL;
|
| - nssNameConstraints->DERExcluded = NULL;
|
| -
|
| - PKIX_CHECK(pkix_pl_CertNameConstraints_Create_Helper
|
| - (nssNameConstraints, &nameConstraints, plContext),
|
| - PKIX_CERTNAMECONSTRAINTSCREATEHELPERFAILED);
|
| -
|
| - nameConstraints->arena = arena;
|
| -
|
| - *pNameConstraints = nameConstraints;
|
| -
|
| -cleanup:
|
| -
|
| - if (PKIX_ERROR_RECEIVED){
|
| - if (arena){
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling PORT_FreeArena).\n");
|
| - PORT_FreeArena(arena, PR_FALSE);
|
| - }
|
| - }
|
| -
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_pl_CertNameConstraints_CopyNssNameConstraints
|
| - *
|
| - * DESCRIPTION:
|
| - *
|
| - * This function allocates and copies data to a NSS CERTNameConstraints from
|
| - * the NameConstraints given by "srcNC" and stores the result at "pDestNC". It
|
| - * copies items on both the permitted and excluded lists, but not the
|
| - * DERPermited and DERExcluded.
|
| - *
|
| - * PARAMETERS
|
| - * "arena"
|
| - * Memory pool where object data is allocated from. Must be non-NULL.
|
| - * "srcNC"
|
| - * Address of the NameConstraints to copy from. Must be non-NULL.
|
| - * "pDestNC"
|
| - * Address where new copied object is stored and returned.
|
| - * Must be non-NULL.
|
| - * "plContext" - Platform-specific context pointer.
|
| - *
|
| - * THREAD SAFETY:
|
| - * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
|
| - *
|
| - * RETURNS:
|
| - * Returns NULL if the function succeeds.
|
| - * Returns a NameConstraints Error if the function fails in a non-fatal way.
|
| - * Returns a Fatal Error if the function fails in an unrecoverable way.
|
| - */
|
| -static PKIX_Error *
|
| -pkix_pl_CertNameConstraints_CopyNssNameConstraints(
|
| - PLArenaPool *arena,
|
| - CERTNameConstraints *srcNC,
|
| - CERTNameConstraints **pDestNC,
|
| - void *plContext)
|
| -{
|
| - CERTNameConstraints *nssNameConstraints = NULL;
|
| - CERTNameConstraint *nssNameConstraintHead = NULL;
|
| - CERTNameConstraint *nssCurrent = NULL;
|
| - CERTNameConstraint *nssCopyTo = NULL;
|
| - CERTNameConstraint *nssCopyFrom = NULL;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS,
|
| - "pkix_pl_CertNameConstraints_CopyNssNameConstraints");
|
| - PKIX_NULLCHECK_THREE(arena, srcNC, pDestNC);
|
| -
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_ArenaZNew).\n");
|
| - nssNameConstraints = PORT_ArenaZNew(arena, CERTNameConstraints);
|
| - if (nssNameConstraints == NULL) {
|
| - PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
|
| - }
|
| -
|
| - if (srcNC->permited) {
|
| -
|
| - nssCopyFrom = srcNC->permited;
|
| -
|
| - do {
|
| -
|
| - nssCopyTo = NULL;
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling CERT_CopyNameConstraint).\n");
|
| - nssCopyTo = CERT_CopyNameConstraint
|
| - (arena, nssCopyTo, nssCopyFrom);
|
| - if (nssCopyTo == NULL) {
|
| - PKIX_ERROR(PKIX_CERTCOPYNAMECONSTRAINTFAILED);
|
| - }
|
| - if (nssCurrent == NULL) {
|
| - nssCurrent = nssNameConstraintHead = nssCopyTo;
|
| - } else {
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling CERT_AddNameConstraint).\n");
|
| - nssCurrent = CERT_AddNameConstraint
|
| - (nssCurrent, nssCopyTo);
|
| - }
|
| -
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling CERT_GetNextNameConstrain).\n");
|
| - nssCopyFrom = CERT_GetNextNameConstraint(nssCopyFrom);
|
| -
|
| - } while (nssCopyFrom != srcNC->permited);
|
| -
|
| - nssNameConstraints->permited = nssNameConstraintHead;
|
| - }
|
| -
|
| - if (srcNC->excluded) {
|
| -
|
| - nssCurrent = NULL;
|
| - nssCopyFrom = srcNC->excluded;
|
| -
|
| - do {
|
| -
|
| - /*
|
| - * Cannot use CERT_DupGeneralNameList, which just increments
|
| - * refcount. We need our own copy since arena is for each
|
| - * PKIX_PL_NameConstraints. Perhaps contribute this code
|
| - * as CERT_CopyGeneralNameList (in the future).
|
| - */
|
| - nssCopyTo = NULL;
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling CERT_CopyNameConstraint).\n");
|
| - nssCopyTo = CERT_CopyNameConstraint
|
| - (arena, nssCopyTo, nssCopyFrom);
|
| - if (nssCopyTo == NULL) {
|
| - PKIX_ERROR(PKIX_CERTCOPYNAMECONSTRAINTFAILED);
|
| - }
|
| - if (nssCurrent == NULL) {
|
| - nssCurrent = nssNameConstraintHead = nssCopyTo;
|
| - } else {
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling CERT_AddNameConstraint).\n");
|
| - nssCurrent = CERT_AddNameConstraint
|
| - (nssCurrent, nssCopyTo);
|
| - }
|
| -
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling CERT_GetNextNameConstrain).\n");
|
| - nssCopyFrom = CERT_GetNextNameConstraint(nssCopyFrom);
|
| -
|
| - } while (nssCopyFrom != srcNC->excluded);
|
| -
|
| - nssNameConstraints->excluded = nssNameConstraintHead;
|
| - }
|
| -
|
| - *pDestNC = nssNameConstraints;
|
| -
|
| -cleanup:
|
| -
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
| -
|
| -/*
|
| - * FUNCTION: pkix_pl_CertNameConstraints_Merge
|
| - *
|
| - * DESCRIPTION:
|
| - *
|
| - * This function merges two NameConstraints pointed to by "firstNC" and
|
| - * "secondNC" and stores the result in "pMergedNC".
|
| - *
|
| - * PARAMETERS
|
| - * "firstNC"
|
| - * Address of the first NameConstraints to be merged. Must be non-NULL.
|
| - * "secondNC"
|
| - * Address of the second NameConstraints to be merged. Must be non-NULL.
|
| - * "pMergedNC"
|
| - * Address where the merge result is stored and returned. Must be non-NULL.
|
| - * "plContext" - Platform-specific context pointer.
|
| - *
|
| - * THREAD SAFETY:
|
| - * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
|
| - *
|
| - * RETURNS:
|
| - * Returns NULL if the function succeeds.
|
| - * Returns a NameConstraints Error if the function fails in a non-fatal way.
|
| - * Returns a Fatal Error if the function fails in an unrecoverable way.
|
| - */
|
| -PKIX_Error *
|
| -pkix_pl_CertNameConstraints_Merge(
|
| - PKIX_PL_CertNameConstraints *firstNC,
|
| - PKIX_PL_CertNameConstraints *secondNC,
|
| - PKIX_PL_CertNameConstraints **pMergedNC,
|
| - void *plContext)
|
| -{
|
| - PKIX_PL_CertNameConstraints *nameConstraints = NULL;
|
| - CERTNameConstraints **nssNCto = NULL;
|
| - CERTNameConstraints **nssNCfrom = NULL;
|
| - CERTNameConstraints *nssNameConstraints = NULL;
|
| - PKIX_UInt32 numNssItems = 0;
|
| - PKIX_UInt32 i;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS, "pkix_pl_CertNameConstraints_Merge");
|
| - PKIX_NULLCHECK_THREE(firstNC, secondNC, pMergedNC);
|
| -
|
| - PKIX_CHECK(pkix_pl_CertNameConstraints_CreateByMerge
|
| - (&nameConstraints, plContext),
|
| - PKIX_CERTNAMECONSTRAINTSCREATEBYMERGEFAILED);
|
| -
|
| - /* Merge NSSCertConstraint lists */
|
| -
|
| - numNssItems = firstNC->numNssNameConstraints +
|
| - secondNC->numNssNameConstraints;
|
| -
|
| - /* Free the default space (only one entry) allocated by create */
|
| - PKIX_CHECK(PKIX_PL_Free
|
| - (nameConstraints->nssNameConstraintsList, plContext),
|
| - PKIX_FREEFAILED);
|
| -
|
| - /* Reallocate the size we need */
|
| - PKIX_CHECK(PKIX_PL_Malloc
|
| - (numNssItems * sizeof (CERTNameConstraint *),
|
| - (void *)&nssNCto,
|
| - plContext),
|
| - PKIX_MALLOCFAILED);
|
| -
|
| - nameConstraints->nssNameConstraintsList = nssNCto;
|
| -
|
| - nssNCfrom = firstNC->nssNameConstraintsList;
|
| -
|
| - for (i = 0; i < firstNC->numNssNameConstraints; i++) {
|
| -
|
| - PKIX_CHECK(pkix_pl_CertNameConstraints_CopyNssNameConstraints
|
| - (nameConstraints->arena,
|
| - *nssNCfrom,
|
| - &nssNameConstraints,
|
| - plContext),
|
| - PKIX_CERTNAMECONSTRAINTSCOPYNSSNAMECONSTRAINTSFAILED);
|
| -
|
| - *nssNCto = nssNameConstraints;
|
| -
|
| - nssNCto++;
|
| - nssNCfrom++;
|
| - }
|
| -
|
| - nssNCfrom = secondNC->nssNameConstraintsList;
|
| -
|
| - for (i = 0; i < secondNC->numNssNameConstraints; i++) {
|
| -
|
| - PKIX_CHECK(pkix_pl_CertNameConstraints_CopyNssNameConstraints
|
| - (nameConstraints->arena,
|
| - *nssNCfrom,
|
| - &nssNameConstraints,
|
| - plContext),
|
| - PKIX_CERTNAMECONSTRAINTSCOPYNSSNAMECONSTRAINTSFAILED);
|
| -
|
| - *nssNCto = nssNameConstraints;
|
| -
|
| - nssNCto++;
|
| - nssNCfrom++;
|
| - }
|
| -
|
| - nameConstraints->numNssNameConstraints = numNssItems;
|
| - nameConstraints->permittedList = NULL;
|
| - nameConstraints->excludedList = NULL;
|
| -
|
| - *pMergedNC = nameConstraints;
|
| -
|
| -cleanup:
|
| -
|
| - if (PKIX_ERROR_RECEIVED){
|
| - PKIX_DECREF(nameConstraints);
|
| - }
|
| -
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
| -
|
| -/* --Public-NameConstraints-Functions-------------------------------- */
|
| -
|
| -/*
|
| - * FUNCTION: PKIX_PL_CertNameConstraints_CheckNamesInNameSpace
|
| - * (see comments in pkix_pl_system.h)
|
| - */
|
| -PKIX_Error *
|
| -PKIX_PL_CertNameConstraints_CheckNamesInNameSpace(
|
| - PKIX_List *nameList, /* List of PKIX_PL_GeneralName */
|
| - PKIX_PL_CertNameConstraints *nameConstraints,
|
| - PKIX_Boolean *pCheckPass,
|
| - void *plContext)
|
| -{
|
| - CERTNameConstraints **nssNameConstraintsList = NULL;
|
| - CERTNameConstraints *nssNameConstraints = NULL;
|
| - CERTGeneralName *nssMatchName = NULL;
|
| - PRArenaPool *arena = NULL;
|
| - PKIX_PL_GeneralName *name = NULL;
|
| - PKIX_UInt32 numNameItems = 0;
|
| - PKIX_UInt32 numNCItems = 0;
|
| - PKIX_UInt32 i, j;
|
| - SECStatus status = SECSuccess;
|
| -
|
| - PKIX_ENTER(CERTNAMECONSTRAINTS,
|
| - "PKIX_PL_CertNameConstraints_CheckNamesInNameSpace");
|
| - PKIX_NULLCHECK_TWO(nameConstraints, pCheckPass);
|
| -
|
| - *pCheckPass = PKIX_TRUE;
|
| -
|
| - if (nameList != NULL) {
|
| -
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG("\t\tCalling PORT_NewArena\n");
|
| - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
| - if (arena == NULL) {
|
| - PKIX_ERROR(PKIX_OUTOFMEMORY);
|
| - }
|
| -
|
| - nssNameConstraintsList =
|
| - nameConstraints->nssNameConstraintsList;
|
| - PKIX_NULLCHECK_ONE(nssNameConstraintsList);
|
| - numNCItems = nameConstraints->numNssNameConstraints;
|
| -
|
| - PKIX_CHECK(PKIX_List_GetLength
|
| - (nameList, &numNameItems, plContext),
|
| - PKIX_LISTGETLENGTHFAILED);
|
| -
|
| - for (i = 0; i < numNameItems; i++) {
|
| -
|
| - PKIX_CHECK(PKIX_List_GetItem
|
| - (nameList,
|
| - i,
|
| - (PKIX_PL_Object **) &name,
|
| - plContext),
|
| - PKIX_LISTGETITEMFAILED);
|
| -
|
| - PKIX_CHECK(pkix_pl_GeneralName_GetNssGeneralName
|
| - (name, &nssMatchName, plContext),
|
| - PKIX_GENERALNAMEGETNSSGENERALNAMEFAILED);
|
| -
|
| - PKIX_DECREF(name);
|
| -
|
| - for (j = 0; j < numNCItems; j++) {
|
| -
|
| - nssNameConstraints = *(nssNameConstraintsList + j);
|
| - PKIX_NULLCHECK_ONE(nssNameConstraints);
|
| -
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling CERT_CheckNameSpace\n");
|
| - status = CERT_CheckNameSpace
|
| - (arena, nssNameConstraints, nssMatchName);
|
| - if (status != SECSuccess) {
|
| - break;
|
| - }
|
| -
|
| - }
|
| -
|
| - if (status != SECSuccess) {
|
| - break;
|
| - }
|
| -
|
| - }
|
| - }
|
| -
|
| - if (status == SECFailure) {
|
| - *pCheckPass = PKIX_FALSE;
|
| - }
|
| -
|
| -cleanup:
|
| -
|
| - if (arena){
|
| - PKIX_CERTNAMECONSTRAINTS_DEBUG
|
| - ("\t\tCalling PORT_FreeArena).\n");
|
| - PORT_FreeArena(arena, PR_FALSE);
|
| - }
|
| -
|
| - PKIX_RETURN(CERTNAMECONSTRAINTS);
|
| -}
|
|
|
Chromium Code Reviews
Issue 14249009:
Change the NSS and NSPR source tree to the new directory structure to be (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/