| OLD | NEW |
|---|
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 #include "nspr.h" | 4 #include "nspr.h" |
| 5 #include "secerr.h" | 5 #include "secerr.h" |
| 6 #include "secport.h" | 6 #include "secport.h" |
| 7 #include "seccomon.h" | 7 #include "seccomon.h" |
| 8 #include "secoid.h" | 8 #include "secoid.h" |
| 9 #include "sslerr.h" | |
| 10 #include "genname.h" | 9 #include "genname.h" |
| 11 #include "keyhi.h" | 10 #include "keyhi.h" |
| 12 #include "cert.h" | 11 #include "cert.h" |
| 13 #include "certdb.h" | 12 #include "certdb.h" |
| 14 #include "certi.h" | 13 #include "certi.h" |
| 15 #include "cryptohi.h" | 14 #include "cryptohi.h" |
| 16 #ifndef NSS_DISABLE_LIBPKIX | 15 #ifndef NSS_DISABLE_LIBPKIX |
| 17 #include "pkix.h" | 16 #include "pkix.h" |
| 18 /*#include "pkix_sample_modules.h" */ | 17 /*#include "pkix_sample_modules.h" */ |
| 19 #include "pkix_pl_cert.h" | 18 #include "pkix_pl_cert.h" |
| 20 #endif /* NSS_DISABLE_LIBPKIX */ | 19 #endif /* NSS_DISABLE_LIBPKIX */ |
| 21 | 20 |
| 22 | 21 |
| 23 #include "nsspki.h" | 22 #include "nsspki.h" |
| 24 #include "pkitm.h" | 23 #include "pkitm.h" |
| 25 #include "pkim.h" | 24 #include "pkim.h" |
| 26 #include "pki3hack.h" | 25 #include "pki3hack.h" |
| 27 #include "base.h" | 26 #include "base.h" |
| 27 #include "keyhi.h" |
| 28 | 28 |
| 29 #ifdef NSS_DISABLE_LIBPKIX | 29 #ifdef NSS_DISABLE_LIBPKIX |
| 30 SECStatus | 30 SECStatus |
| 31 cert_VerifyCertChainPkix( | 31 cert_VerifyCertChainPkix( |
| 32 CERTCertificate *cert, | 32 CERTCertificate *cert, |
| 33 PRBool checkSig, | 33 PRBool checkSig, |
| 34 SECCertUsage requiredUsage, | 34 SECCertUsage requiredUsage, |
| 35 PRTime time, | 35 PRTime time, |
| 36 void *wincx, | 36 void *wincx, |
| 37 CERTVerifyLog *log, | 37 CERTVerifyLog *log, |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 70 /* | 70 /* |
| 71 * Check the validity times of a certificate | 71 * Check the validity times of a certificate |
| 72 */ | 72 */ |
| 73 SECStatus | 73 SECStatus |
| 74 CERT_CertTimesValid(CERTCertificate *c) | 74 CERT_CertTimesValid(CERTCertificate *c) |
| 75 { | 75 { |
| 76 SECCertTimeValidity valid = CERT_CheckCertValidTimes(c, PR_Now(), PR_TRUE); | 76 SECCertTimeValidity valid = CERT_CheckCertValidTimes(c, PR_Now(), PR_TRUE); |
| 77 return (valid == secCertTimeValid) ? SECSuccess : SECFailure; | 77 return (valid == secCertTimeValid) ? SECSuccess : SECFailure; |
| 78 } | 78 } |
| 79 | 79 |
| 80 SECStatus checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicK
ey *key) |
| 81 { |
| 82 SECStatus rv; |
| 83 SECOidTag sigAlg; |
| 84 SECOidTag curve; |
| 85 PRUint32 policyFlags = 0; |
| 86 PRInt32 minLen, len; |
| 87 |
| 88 sigAlg = SECOID_GetAlgorithmTag(sigAlgorithm); |
| 89 |
| 90 switch(sigAlg) { |
| 91 case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: |
| 92 case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: |
| 93 case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: |
| 94 case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: |
| 95 case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: |
| 96 if (key->keyType != ecKey) { |
| 97 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); |
| 98 return SECFailure; |
| 99 } |
| 100 |
| 101 curve = SECKEY_GetECCOid(&key->u.ec.DEREncodedParams); |
| 102 if (curve != 0) { |
| 103 if (NSS_GetAlgorithmPolicy(curve, &policyFlags) == SECFailure || |
| 104 !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) { |
| 105 PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); |
| 106 return SECFailure; |
| 107 } else { |
| 108 return SECSuccess; |
| 109 } |
| 110 } else { |
| 111 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); |
| 112 return SECFailure; |
| 113 } |
| 114 return SECSuccess; |
| 115 case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: |
| 116 case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: |
| 117 case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: |
| 118 case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: |
| 119 case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: |
| 120 case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: |
| 121 case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: |
| 122 case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: |
| 123 if (key->keyType != rsaKey && key->keyType != rsaPssKey) { |
| 124 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); |
| 125 return SECFailure; |
| 126 } |
| 127 |
| 128 len = 8 * key->u.rsa.modulus.len; |
| 129 |
| 130 rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minLen); |
| 131 if (rv != SECSuccess) { |
| 132 return SECFailure; |
| 133 } |
| 134 |
| 135 if (len < minLen) { |
| 136 return SECFailure; |
| 137 } |
| 138 |
| 139 return SECSuccess; |
| 140 case SEC_OID_ANSIX9_DSA_SIGNATURE: |
| 141 case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: |
| 142 case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: |
| 143 case SEC_OID_SDN702_DSA_SIGNATURE: |
| 144 case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST: |
| 145 case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST: |
| 146 if (key->keyType != dsaKey) { |
| 147 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); |
| 148 return SECFailure; |
| 149 } |
| 150 |
| 151 len = 8 * key->u.dsa.params.prime.len; |
| 152 |
| 153 rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &minLen); |
| 154 if (rv != SECSuccess) { |
| 155 return SECFailure; |
| 156 } |
| 157 |
| 158 if (len < minLen) { |
| 159 return SECFailure; |
| 160 } |
| 161 |
| 162 return SECSuccess; |
| 163 default: |
| 164 return SECSuccess; |
| 165 } |
| 166 } |
| 167 |
| 80 /* | 168 /* |
| 81 * verify the signature of a signed data object with the given DER publickey | 169 * verify the signature of a signed data object with the given DER publickey |
| 82 */ | 170 */ |
| 83 SECStatus | 171 SECStatus |
| 84 CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd, | 172 CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd, |
| 85 SECKEYPublicKey *pubKey, | 173 SECKEYPublicKey *pubKey, |
| 86 void *wincx) | 174 void *wincx) |
| 87 { | 175 { |
| 88 SECStatus rv; | 176 SECStatus rv; |
| 89 SECItem sig; | 177 SECItem sig; |
| 90 SECOidTag hashAlg = SEC_OID_UNKNOWN; | 178 SECOidTag hashAlg = SEC_OID_UNKNOWN; |
| 91 | 179 |
| 92 if ( !pubKey || !sd ) { | 180 if ( !pubKey || !sd ) { |
| 93 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); | 181 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
| 94 return SECFailure; | 182 return SECFailure; |
| 95 } | 183 } |
| 96 | |
| 97 /* check the signature */ | 184 /* check the signature */ |
| 98 sig = sd->signature; | 185 sig = sd->signature; |
| 99 /* convert sig->len from bit counts to byte count. */ | 186 /* convert sig->len from bit counts to byte count. */ |
| 100 DER_ConvertBitString(&sig); | 187 DER_ConvertBitString(&sig); |
| 101 | 188 |
| 102 rv = VFY_VerifyDataWithAlgorithmID(sd->data.data, sd->data.len, pubKey, | 189 rv = VFY_VerifyDataWithAlgorithmID(sd->data.data, sd->data.len, pubKey, |
| 103 &sig, &sd->signatureAlgorithm, &hashAlg, wincx); | 190 &sig, &sd->signatureAlgorithm, &hashAlg, wincx); |
| 104 if (rv == SECSuccess) { | 191 if (rv == SECSuccess) { |
| 105 /* Are we honoring signatures for this algorithm? */ | 192 /* Are we honoring signatures for this algorithm? */ |
| 106 PRUint32 policyFlags = 0; | 193 PRUint32 policyFlags = 0; |
| 194 rv = checkKeyParams(&sd->signatureAlgorithm, pubKey); |
| 195 if (rv != SECSuccess) { |
| 196 PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); |
| 197 return SECFailure; |
| 198 } |
| 199 |
| 107 rv = NSS_GetAlgorithmPolicy(hashAlg, &policyFlags); | 200 rv = NSS_GetAlgorithmPolicy(hashAlg, &policyFlags); |
| 108 if (rv == SECSuccess && | 201 if (rv == SECSuccess && |
| 109 !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) { | 202 !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) { |
| 110 PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); | 203 PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); |
| 111 » rv = SECFailure; | 204 » return SECFailure; |
| 112 } | 205 } |
| 113 } | 206 } |
| 114 return rv; | 207 return rv; |
| 115 } | 208 } |
| 116 | 209 |
| 117 /* | 210 /* |
| 118 * verify the signature of a signed data object with the given DER publickey | 211 * verify the signature of a signed data object with the given DER publickey |
| 119 */ | 212 */ |
| 120 SECStatus | 213 SECStatus |
| 121 CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd, | 214 CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd, |
| (...skipping 1756 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1878 return chain; | 1971 return chain; |
| 1879 } | 1972 } |
| 1880 | 1973 |
| 1881 cert = CERT_FindCertIssuer(cert, time, usage); | 1974 cert = CERT_FindCertIssuer(cert, time, usage); |
| 1882 } | 1975 } |
| 1883 | 1976 |
| 1884 /* return partial chain */ | 1977 /* return partial chain */ |
| 1885 PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); | 1978 PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); |
| 1886 return chain; | 1979 return chain; |
| 1887 } | 1980 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1504923011:
Update NSS to 3.21 RTM and NSPR to 4.11 RTM (Closed)
Base URL: http://src.chromium.org/svn/trunk/deps/third_party/nss