| Index: nss/lib/libpkix/pkix/top/pkix_build.c
|
| ===================================================================
|
| --- nss/lib/libpkix/pkix/top/pkix_build.c (revision 251855)
|
| +++ nss/lib/libpkix/pkix/top/pkix_build.c (working copy)
|
| @@ -65,7 +65,6 @@
|
| state->numFanout = 0;
|
| state->numDepth = 0;
|
| state->reasonCode = 0;
|
| - state->revCheckDelayed = PKIX_FALSE;
|
| state->canBeCached = PKIX_FALSE;
|
| state->useOnlyLocal = PKIX_FALSE;
|
| state->revChecking = PKIX_FALSE;
|
| @@ -126,9 +125,6 @@
|
| * Number of Certs that can be considered at this level (0 = no limit)
|
| * "numDepth"
|
| * Number of additional levels that can be searched (0 = no limit)
|
| - * "revCheckDelayed"
|
| - * Boolean value indicating whether rev check is delayed until after
|
| - * entire chain is built.
|
| * "canBeCached"
|
| * Boolean value indicating whether all certs on the chain can be cached.
|
| * "validityDate"
|
| @@ -159,7 +155,6 @@
|
| PKIX_Int32 traversedCACerts,
|
| PKIX_UInt32 numFanout,
|
| PKIX_UInt32 numDepth,
|
| - PKIX_Boolean revCheckDelayed,
|
| PKIX_Boolean canBeCached,
|
| PKIX_PL_Date *validityDate,
|
| PKIX_PL_Cert *prevCert,
|
| @@ -195,7 +190,6 @@
|
| state->numDepth = numDepth;
|
| state->reasonCode = 0;
|
| state->revChecking = numDepth;
|
| - state->revCheckDelayed = revCheckDelayed;
|
| state->canBeCached = canBeCached;
|
| state->useOnlyLocal = PKIX_TRUE;
|
| state->revChecking = PKIX_FALSE;
|
| @@ -371,7 +365,6 @@
|
| "\tnumFanout: \t%d\n"
|
| "\tnumDepth: \t%d\n"
|
| "\treasonCode: \t%d\n"
|
| - "\trevCheckDelayed: \t%d\n"
|
| "\tcanBeCached: \t%d\n"
|
| "\tuseOnlyLocal: \t%d\n"
|
| "\trevChecking: \t%d\n"
|
| @@ -416,10 +409,6 @@
|
| break;
|
| case BUILD_ABANDONNODE: asciiStatus = "BUILD_ABANDONNODE";
|
| break;
|
| - case BUILD_CRLPREP: asciiStatus = "BUILD_CRLPREP";
|
| - break;
|
| - case BUILD_CRL1: asciiStatus = "BUILD_CRL1";
|
| - break;
|
| case BUILD_DATEPREP: asciiStatus = "BUILD_DATEPREP";
|
| break;
|
| case BUILD_CHECKTRUSTED: asciiStatus = "BUILD_CHECKTRUSTED";
|
| @@ -428,8 +417,6 @@
|
| break;
|
| case BUILD_ADDTOCHAIN: asciiStatus = "BUILD_ADDTOCHAIN";
|
| break;
|
| - case BUILD_CRL2: asciiStatus = "BUILD_CRL2";
|
| - break;
|
| case BUILD_VALCHAIN: asciiStatus = "BUILD_VALCHAIN";
|
| break;
|
| case BUILD_VALCHAIN2: asciiStatus = "BUILD_VALCHAIN2";
|
| @@ -498,7 +485,6 @@
|
| (PKIX_UInt32)state->numFanout,
|
| (PKIX_UInt32)state->numDepth,
|
| (PKIX_UInt32)state->reasonCode,
|
| - state->revCheckDelayed,
|
| state->canBeCached,
|
| state->useOnlyLocal,
|
| state->revChecking,
|
| @@ -656,8 +642,6 @@
|
| PKIX_NULLCHECK_TWO(state, pPending);
|
|
|
| if ((state->status == BUILD_GATHERPENDING) ||
|
| - (state->status == BUILD_CRL1) ||
|
| - (state->status == BUILD_CRL2) ||
|
| (state->status == BUILD_CHECKTRUSTED2) ||
|
| (state->status == BUILD_VALCHAIN2) ||
|
| (state->status == BUILD_AIAPENDING)) {
|
| @@ -780,16 +764,12 @@
|
| * Checks whether the previous Cert stored in the ForwardBuilderState pointed
|
| * to by "state" successfully chains, including signature verification, to the
|
| * candidate Cert also stored in "state", using the Boolean value in "trusted"
|
| - * to determine whether "candidateCert" is trusted. Using the Boolean value in
|
| - * "revocationChecking" for the existence of revocation checking, it sets
|
| - * "pNeedsCRLChecking" to PKIX_TRUE if the candidate Cert needs to be checked
|
| - * against Certificate Revocation Lists.
|
| + * to determine whether "candidateCert" is trusted.
|
| *
|
| * First it checks whether "candidateCert" has already been traversed by
|
| - * determining whether it is contained in the List of traversed Certs. It
|
| + * determining whether it is contained in the List of traversed Certs. It then
|
| * checks the candidate Cert with user checkers, if any, in the List pointed to
|
| - * by "userCheckers". It then runs the signature validation. Finally, it
|
| - * determines the appropriate value for "pNeedsCRLChecking".
|
| + * by "userCheckers". Finally, it runs the signature validation.
|
| *
|
| * If this Certificate fails verification, and state->verifyNode is non-NULL,
|
| * this function sets the Error code into the verifyNode.
|
| @@ -800,14 +780,8 @@
|
| * "userCheckers"
|
| * Address of a List of CertChainCheckers to be used, if present, to
|
| * validate the candidateCert.
|
| - * "revocationChecking"
|
| - * Boolean indication of whether revocation checking is available, either
|
| - * as a CertChainChecker or a List of RevocationCheckers.
|
| * "trusted"
|
| * Boolean value of trust for the candidate Cert
|
| - * "pNeedsCRLChecking"
|
| - * Address where Boolean CRL-checking-needed value is stored.
|
| - * Must be non-NULL.
|
| * "plContext"
|
| * Platform-specific context pointer.
|
| * THREAD SAFETY:
|
| @@ -821,9 +795,7 @@
|
| pkix_Build_VerifyCertificate(
|
| PKIX_ForwardBuilderState *state,
|
| PKIX_List *userCheckers,
|
| - PKIX_Boolean revocationChecking,
|
| PKIX_Boolean *pTrusted,
|
| - PKIX_Boolean *pNeedsCRLChecking,
|
| PKIX_VerifyNode *verifyNode,
|
| void *plContext)
|
| {
|
| @@ -841,12 +813,10 @@
|
| void *nbioContext = NULL;
|
|
|
| PKIX_ENTER(BUILD, "pkix_Build_VerifyCertificate");
|
| - PKIX_NULLCHECK_THREE(state, pTrusted, pNeedsCRLChecking);
|
| + PKIX_NULLCHECK_TWO(state, pTrusted);
|
| PKIX_NULLCHECK_THREE
|
| (state->candidateCerts, state->prevCert, state->trustChain);
|
|
|
| - *pNeedsCRLChecking = PKIX_FALSE;
|
| -
|
| PKIX_INCREF(state->candidateCert);
|
| candidateCert = state->candidateCert;
|
|
|
| @@ -944,26 +914,6 @@
|
| PKIX_ERROR(PKIX_MISSINGDSAPARAMETERS);
|
| }
|
| }
|
| -
|
| -
|
| - if (revocationChecking) {
|
| - if (!trusted) {
|
| - if (state->revCheckDelayed) {
|
| - goto cleanup;
|
| - } else {
|
| - PKIX_Boolean isSelfIssued = PKIX_FALSE;
|
| - PKIX_CHECK(
|
| - pkix_IsCertSelfIssued(candidateCert, &isSelfIssued,
|
| - plContext),
|
| - PKIX_ISCERTSELFISSUEDFAILED);
|
| - if (isSelfIssued) {
|
| - state->revCheckDelayed = PKIX_TRUE;
|
| - goto cleanup;
|
| - }
|
| - }
|
| - }
|
| - *pNeedsCRLChecking = PKIX_TRUE;
|
| - }
|
|
|
| cleanup:
|
| PKIX_DECREF(candidateCert);
|
| @@ -2079,8 +2029,6 @@
|
| PKIX_Boolean trusted = PKIX_FALSE;
|
| PKIX_Boolean isSelfIssued = PKIX_FALSE;
|
| PKIX_Boolean canBeCached = PKIX_FALSE;
|
| - PKIX_Boolean revocationCheckingExists = PKIX_FALSE;
|
| - PKIX_Boolean needsCRLChecking = PKIX_FALSE;
|
| PKIX_Boolean ioPending = PKIX_FALSE;
|
| PKIX_PL_Date *validityDate = NULL;
|
| PKIX_PL_Date *currTime = NULL;
|
| @@ -2391,9 +2339,6 @@
|
| #endif
|
|
|
| if (state->status == BUILD_CERTVALIDATING) {
|
| - revocationCheckingExists =
|
| - (state->buildConstants.revChecker != NULL);
|
| -
|
| PKIX_DECREF(state->candidateCert);
|
| PKIX_CHECK(PKIX_List_GetItem
|
| (state->candidateCerts,
|
| @@ -2416,9 +2361,7 @@
|
| verifyError = pkix_Build_VerifyCertificate
|
| (state,
|
| state->buildConstants.userCheckers,
|
| - revocationCheckingExists,
|
| &trusted,
|
| - &needsCRLChecking,
|
| verifyNode,
|
| plContext);
|
|
|
| @@ -2453,63 +2396,11 @@
|
| (PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED);
|
| }
|
| state->status = BUILD_GETNEXTCERT;
|
| - } else if (needsCRLChecking) {
|
| - state->status = BUILD_CRLPREP;
|
| } else {
|
| state->status = BUILD_DATEPREP;
|
| }
|
| }
|
|
|
| - if (state->status == BUILD_CRLPREP) {
|
| - PKIX_RevocationStatus revStatus;
|
| - PKIX_UInt32 reasonCode;
|
| -
|
| - verifyError =
|
| - PKIX_RevocationChecker_Check(
|
| - state->prevCert, state->candidateCert,
|
| - state->buildConstants.revChecker,
|
| - state->buildConstants.procParams,
|
| - PKIX_FALSE,
|
| - (state->parentState == NULL) ?
|
| - PKIX_TRUE : PKIX_FALSE,
|
| - &revStatus, &reasonCode,
|
| - &nbio, plContext);
|
| - if (nbio != NULL) {
|
| - *pNBIOContext = nbio;
|
| - goto cleanup;
|
| - }
|
| - if (revStatus == PKIX_RevStatus_Revoked || verifyError) {
|
| - if (!verifyError) {
|
| - /* if verifyError is returned then use it as
|
| - * it has a detailed revocation error code.
|
| - * Otherwise create a new error */
|
| - PKIX_ERROR_CREATE(VALIDATE, PKIX_CERTIFICATEREVOKED,
|
| - verifyError);
|
| - }
|
| - if (state->verifyNode != NULL) {
|
| - PKIX_CHECK_FATAL(pkix_VerifyNode_SetError
|
| - (verifyNode, verifyError, plContext),
|
| - PKIX_VERIFYNODESETERRORFAILED);
|
| - PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree
|
| - (state->verifyNode,
|
| - verifyNode,
|
| - plContext),
|
| - PKIX_VERIFYNODEADDTOTREEFAILED);
|
| - PKIX_DECREF(verifyNode);
|
| - }
|
| - PKIX_DECREF(finalError);
|
| - finalError = verifyError;
|
| - verifyError = NULL;
|
| - if (state->certLoopingDetected) {
|
| - PKIX_ERROR
|
| - (PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED);
|
| - }
|
| - state->status = BUILD_GETNEXTCERT;
|
| - } else {
|
| - state->status = BUILD_DATEPREP;
|
| - }
|
| - }
|
| -
|
| if (state->status == BUILD_DATEPREP) {
|
| /* Keep track of whether this chain can be cached */
|
| PKIX_CHECK(pkix_Build_UpdateDate(state, plContext),
|
| @@ -2711,7 +2602,6 @@
|
| (childTraversedCACerts,
|
| state->buildConstants.maxFanout,
|
| state->numDepth - 1,
|
| - state->revCheckDelayed,
|
| canBeCached,
|
| validityDate,
|
| state->candidateCert,
|
| @@ -3521,7 +3411,6 @@
|
| (0, /* PKIX_UInt32 traversedCACerts */
|
| buildConstants.maxFanout,
|
| buildConstants.maxDepth,
|
| - PKIX_FALSE, /* PKIX_Boolean revCheckDelayed */
|
| PKIX_TRUE, /* PKIX_Boolean canBeCached */
|
| NULL, /* PKIX_Date *validityDate */
|
| targetCert, /* PKIX_PL_Cert *prevCert */
|
|
|
Chromium Code Reviews
Issue 170823003:
Update to NSS 3.15.5 and NSPR 4.10.3. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/