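--- a/pkix_pl_pk11certstore.c
+++ b/pkix_pl_pk11certstore.c
@@ -1,10 +1,10 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
 * pkix_pl_pk11certstore.c
 *
 * PKCS11CertStore Function Definitions
 *
 */
 
@@ -372,28 +372,26 @@
 PRTime time,
 PKIX_Boolean *pHasFetchedCrlInCache,
 void *plContext)
 {
 /* Returning true result in this case will mean, that case info
 * is currect and should used as is. */
 NamedCRLCache* nameCrlCache = NULL;
 PKIX_Boolean hasFetchedCrlInCache = PKIX_TRUE;
 PKIX_List *dpList = NULL;
 pkix_pl_CrlDp *dp = NULL;
-CERTCertificate *cert;
 PKIX_UInt32 dpIndex = 0;
 SECStatus rv = SECSuccess;
 PRTime reloadDelay = 0, badCrlInvalDelay = 0;
 
 PKIX_ENTER(CERTSTORE, "ChechCacheHasFetchedCrl");
 
-cert = pkixCert->nssCert;
 reloadDelay =
 ((PKIX_PL_NssContext*)plContext)->crlReloadDelay *
 PR_USEC_PER_SEC;
 badCrlInvalDelay =
 ((PKIX_PL_NssContext*)plContext)->badDerCrlReloadDelay *
 PR_USEC_PER_SEC;
 if (!time) {
 time = PR_Now();
 }
 /* If we already download the crl and inserted into the cache, then
@@ -473,21 +471,21 @@
 * Returns a CertStore Error if the function fails in a non-fatal way.
 * Returns a Fatal Error if the function fails in an unrecoverable way.
 */
 static PKIX_Error *
 pkix_pl_Pk11CertStore_CheckRevByCrl(
 PKIX_CertStore *store,
 PKIX_PL_Cert *pkixCert,
 PKIX_PL_Cert *pkixIssuer,
 PKIX_PL_Date *date,
 PKIX_Boolean crlDownloadDone,
-PKIX_UInt32 *pReasonCode,
+CERTCRLEntryReasonCode *pReasonCode,
 PKIX_RevocationStatus *pStatus,
 void *plContext)
 {
 PKIX_RevocationStatus pkixRevStatus = PKIX_RevStatus_NoInfo;
 CERTRevocationStatus revStatus = certRevocationStatusUnknown;
 PKIX_Boolean hasFetchedCrlInCache = PKIX_TRUE;
 CERTCertificate *cert = NULL, *issuer = NULL;
 SECStatus rv = SECSuccess;
 void *wincx = NULL;
 PRTime time = 0;
@@ -668,21 +666,21 @@
 
 PKIX_RETURN(CERTSTORE);
 }
 
 static PKIX_Error *
 RemovePartitionedDpsFromList(PKIX_List *dpList, PKIX_PL_Date *date,
 void *plContext)
 {
 NamedCRLCache* nameCrlCache = NULL;
 pkix_pl_CrlDp *dp = NULL;
-int dpIndex = 0;
+unsigned int dpIndex = 0;
 PRTime time;
 PRTime reloadDelay = 0, badCrlInvalDelay = 0;
 SECStatus rv;
 
 PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_ListRemovePrtDp");
 
 if (!dpList || !dpList->length) {
 PKIX_RETURN(CERTSTORE);
 }
 reloadDelay =
@@ -772,105 +770,97 @@
 PRUint16 port;
 SEC_HTTP_SERVER_SESSION pServerSession = NULL;
 SEC_HTTP_REQUEST_SESSION pRequestSession = NULL;
 PRUint16 myHttpResponseCode;
 const char *myHttpResponseData = NULL;
 PRUint32 myHttpResponseDataLen;
 SECItem *uri = NULL;
 SECItem *derCrlCopy = NULL;
 CERTSignedCrl *nssCrl = NULL;
 CERTGeneralName *genName = NULL;
-PKIX_Int32 savedError = -1;
 SECItem **derGenNames = NULL;
 SECItem *derGenName = NULL;
 
 PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_DownloadCrl");
 
 /* Do not support dps others than a one with GeneralName
 * name type. */
 if (dp->distPointType != generalName ||
 !dp->nssdp->derFullName) {
 PKIX_ERROR(PKIX_UNSUPPORTEDCRLDPTYPE);
 }
 genName = dp->name.fullName;
 derGenNames = dp->nssdp->derFullName;
 do {
 derGenName = *derGenNames;
 do {
 if (!derGenName ||
 !genName->name.other.data) {
 /* get to next name if no data. */
-savedError = PKIX_UNSUPPORTEDCRLDPTYPE;
 break;
 }
 uri = &genName->name.other;
 location = (char*)PR_Malloc(1 + uri->len);
 if (!location) {
-savedError = PKIX_ALLOCERROR;
 break;
 }
 PORT_Memcpy(location, uri->data, uri->len);
 location[uri->len] = 0;
 if (CERT_ParseURL(location, &hostname,
 &port, &path) != SECSuccess) {
 PORT_SetError(SEC_ERROR_BAD_CRL_DP_URL);
-savedError = PKIX_URLPARSINGFAILED;
 break;
 }
 
 PORT_Assert(hostname != NULL);
 PORT_Assert(path != NULL);
 
 if ((*hcv1->createSessionFcn)(hostname, port,
 &pServerSession) != SECSuccess) {
 PORT_SetError(SEC_ERROR_BAD_CRL_DP_URL);
-savedError = PKIX_URLPARSINGFAILED;
 break;
 }
 
 if ((*hcv1->createFcn)(pServerSession, "http", path, "GET",
 /* Users with slow connections might not get CRL revocation
 checking for certs that use big CRLs because of the timeout
 We absolutely need code that limits our retry attempts.
 */
 PR_SecondsToInterval(
 ((PKIX_PL_NssContext*)plContext)->timeoutSeconds),
 &pRequestSession) != SECSuccess) {
-savedError = PKIX_HTTPSERVERERROR;
 break;
 }
 
 myHttpResponseDataLen =
 ((PKIX_PL_NssContext*)plContext)->maxResponseLength;
 if (myHttpResponseDataLen < PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH)
 myHttpResponseDataLen = PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH;
 
 /* We use a non-zero timeout, which means:
 - the client will use blocking I/O
 - TryFcn will not return WOULD_BLOCK nor a poll descriptor
 - it's sufficient to call TryFcn once
 */
 /* we don't want result objects larger than this: */
 if ((*hcv1->trySendAndReceiveFcn)(
 pRequestSession,
 NULL,
 &myHttpResponseCode,
 NULL,
 NULL,
 &myHttpResponseData,
 &myHttpResponseDataLen) != SECSuccess) {
-savedError = PKIX_HTTPSERVERERROR;
 break;
 }
 
 if (myHttpResponseCode != 200) {
-savedError = PKIX_HTTPSERVERERROR;
 break;
 }
 } while(0);
 if (!myHttpResponseData) {
 /* Going to the next one. */
 genName = CERT_GetNextGeneralName(genName);
 derGenNames++;
 }
 /* Staing in the loop through all the names until
 * we have a successful download. */
@@ -1040,10 +1030,10 @@
 &certStore,
 plContext),
 PKIX_CERTSTORECREATEFAILED);
 
 *pCertStore = certStore;
 
 cleanup:
 
 PKIX_RETURN(CERTSTORE);
 }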
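Review bot: The `if (myHttpResponseCode != 200) { break; }` check at the end of the inner `do { … } while(0)` in the pkix_pl_Pk11CertStore_DownloadCrl hunk no longer has any effect once the `savedError` assignment is removed: the `break` is the last statement of the block, and the test that follows looks only at `myHttpResponseData`. As far as the shown lines go, an error response that carries a body is handled exactly like a successful download, and presumably ends the search through the remaining distribution-point names. If that is not intended, discard the response on that path, for example `if (myHttpResponseCode != 200) { myHttpResponseData = NULL; break; }`, so the body of an HTTP error page is never handed to the CRL decoder. The outer loop's condition and the code that consumes the response lie outside the displayed lines, so this should be confirmed against the full function.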