| OLD | NEW |
|---|
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 | 4 |
| 5 /* | 5 /* |
| 6 * X.509 v3 Basic Constraints Extension | 6 * X.509 v3 Basic Constraints Extension |
| 7 */ | 7 */ |
| 8 | 8 |
| 9 #include "prtypes.h" | 9 #include "prtypes.h" |
| 10 #include <limits.h> /* for LONG_MAX */ | 10 #include <limits.h> /* for LONG_MAX */ |
| 11 #include "seccomon.h" | 11 #include "seccomon.h" |
| 12 #include "secdert.h" | 12 #include "secdert.h" |
| 13 #include "secoidt.h" | 13 #include "secoidt.h" |
| 14 #include "secasn1t.h" | 14 #include "secasn1t.h" |
| 15 #include "secasn1.h" | 15 #include "secasn1.h" |
| 16 #include "certt.h" | 16 #include "certt.h" |
| 17 #include "secder.h" | 17 #include "secder.h" |
| 18 #include "prprf.h" | 18 #include "prprf.h" |
| 19 #include "secerr.h" | 19 #include "secerr.h" |
| 20 | 20 |
| 21 typedef struct EncodedContext{ | 21 typedef struct EncodedContext { |
| 22 SECItem isCA; | 22 SECItem isCA; |
| 23 SECItem pathLenConstraint; | 23 SECItem pathLenConstraint; |
| 24 SECItem encodedValue; | 24 SECItem encodedValue; |
| 25 PLArenaPool *arena; | 25 PLArenaPool *arena; |
| 26 }EncodedContext; | 26 } EncodedContext; |
| 27 | 27 |
| 28 static const SEC_ASN1Template CERTBasicConstraintsTemplate[] = { | 28 static const SEC_ASN1Template CERTBasicConstraintsTemplate[] = { |
| 29 { SEC_ASN1_SEQUENCE, | 29 { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(EncodedContext) }, |
| 30 » 0, NULL, sizeof(EncodedContext) }, | 30 { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */ |
| 31 { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,» » /* XXX DER_DEFAULT */ | 31 offsetof(EncodedContext, isCA) }, |
| 32 » offsetof(EncodedContext,isCA)}, | |
| 33 { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, | 32 { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, |
| 34 » offsetof(EncodedContext,pathLenConstraint) }, | 33 offsetof(EncodedContext, pathLenConstraint) }, |
| 35 { 0, } | 34 { 0 } |
| 36 }; | 35 }; |
| 37 | 36 |
| 38 static unsigned char hexTrue = 0xff; | 37 static unsigned char hexTrue = 0xff; |
| 39 static unsigned char hexFalse = 0x00; | 38 static unsigned char hexFalse = 0x00; |
| 40 | 39 |
| 41 #define GEN_BREAK(status) rv = status; break; | 40 #define GEN_BREAK(status) \ |
| 41 rv = status; \ |
| 42 break; |
| 42 | 43 |
| 43 SECStatus CERT_EncodeBasicConstraintValue | 44 SECStatus |
| 44 (PLArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue) | 45 CERT_EncodeBasicConstraintValue(PLArenaPool *arena, CERTBasicConstraints *value, |
| 46 SECItem *encodedValue) |
| 45 { | 47 { |
| 46 EncodedContext encodeContext; | 48 EncodedContext encodeContext; |
| 47 PLArenaPool *our_pool = NULL; | 49 PLArenaPool *our_pool = NULL; |
| 48 SECStatus rv = SECSuccess; | 50 SECStatus rv = SECSuccess; |
| 49 | 51 |
| 50 do { | 52 do { |
| 51 » PORT_Memset (&encodeContext, 0, sizeof (encodeContext)); | 53 PORT_Memset(&encodeContext, 0, sizeof(encodeContext)); |
| 52 » if (!value->isCA && value->pathLenConstraint >= 0) { | 54 if (!value->isCA && value->pathLenConstraint >= 0) { |
| 53 » PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID); | 55 PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID); |
| 54 » GEN_BREAK (SECFailure); | 56 GEN_BREAK(SECFailure); |
| 55 » } | 57 } |
| 56 | 58 |
| 57 encodeContext.arena = arena; | 59 encodeContext.arena = arena; |
| 58 » if (value->isCA == PR_TRUE) { | 60 if (value->isCA == PR_TRUE) { |
| 59 » encodeContext.isCA.data = &hexTrue ; | 61 encodeContext.isCA.data = &hexTrue; |
| 60 » encodeContext.isCA.len = 1; | 62 encodeContext.isCA.len = 1; |
| 61 » } | 63 } |
| 62 | 64 |
| 63 » /* If the pathLenConstraint is less than 0, then it should be | 65 /* If the pathLenConstraint is less than 0, then it should be |
| 64 » * omitted from the encoding. | 66 * omitted from the encoding. |
| 65 » */ | 67 */ |
| 66 » if (value->isCA && value->pathLenConstraint >= 0) { | 68 if (value->isCA && value->pathLenConstraint >= 0) { |
| 67 » our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE); | 69 our_pool = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); |
| 68 » if (our_pool == NULL) { | 70 if (our_pool == NULL) { |
| 69 » » PORT_SetError (SEC_ERROR_NO_MEMORY); | 71 PORT_SetError(SEC_ERROR_NO_MEMORY); |
| 70 » » GEN_BREAK (SECFailure); | 72 GEN_BREAK(SECFailure); |
| 71 » } | 73 } |
| 72 » if (SEC_ASN1EncodeUnsignedInteger | 74 if (SEC_ASN1EncodeUnsignedInteger( |
| 73 » » (our_pool, &encodeContext.pathLenConstraint, | 75 our_pool, &encodeContext.pathLenConstraint, |
| 74 » » (unsigned long)value->pathLenConstraint) == NULL) { | 76 (unsigned long)value->pathLenConstraint) == NULL) { |
| 75 » » PORT_SetError (SEC_ERROR_NO_MEMORY); | 77 PORT_SetError(SEC_ERROR_NO_MEMORY); |
| 76 » » GEN_BREAK (SECFailure); | 78 GEN_BREAK(SECFailure); |
| 77 » } | 79 } |
| 78 » } | 80 } |
| 79 » if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext, | 81 if (SEC_ASN1EncodeItem(arena, encodedValue, &encodeContext, |
| 80 » » » » CERTBasicConstraintsTemplate) == NULL) { | 82 CERTBasicConstraintsTemplate) == NULL) { |
| 81 » GEN_BREAK (SECFailure); | 83 GEN_BREAK(SECFailure); |
| 82 » } | 84 } |
| 83 } while (0); | 85 } while (0); |
| 84 if (our_pool) | 86 if (our_pool) |
| 85 » PORT_FreeArena (our_pool, PR_FALSE); | 87 PORT_FreeArena(our_pool, PR_FALSE); |
| 86 return(rv); | 88 return (rv); |
| 87 | |
| 88 } | 89 } |
| 89 | 90 |
| 90 SECStatus CERT_DecodeBasicConstraintValue | 91 SECStatus |
| 91 (CERTBasicConstraints *value, const SECItem *encodedValue) | 92 CERT_DecodeBasicConstraintValue(CERTBasicConstraints *value, |
| 93 const SECItem *encodedValue) |
| 92 { | 94 { |
| 93 EncodedContext decodeContext; | 95 EncodedContext decodeContext; |
| 94 PLArenaPool *our_pool; | 96 PLArenaPool *our_pool; |
| 95 SECStatus rv = SECSuccess; | 97 SECStatus rv = SECSuccess; |
| 96 | 98 |
| 97 do { | 99 do { |
| 98 » PORT_Memset (&decodeContext, 0, sizeof (decodeContext)); | 100 PORT_Memset(&decodeContext, 0, sizeof(decodeContext)); |
| 99 » /* initialize the value just in case we got "0x30 00", or when the | 101 /* initialize the value just in case we got "0x30 00", or when the |
| 100 » pathLenConstraint is omitted. | 102 pathLenConstraint is omitted. |
| 101 */ | 103 */ |
| 102 » decodeContext.isCA.data =&hexFalse; | 104 decodeContext.isCA.data = &hexFalse; |
| 103 » decodeContext.isCA.len = 1; | 105 decodeContext.isCA.len = 1; |
| 104 » | |
| 105 » our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE); | |
| 106 » if (our_pool == NULL) { | |
| 107 » PORT_SetError (SEC_ERROR_NO_MEMORY); | |
| 108 » GEN_BREAK (SECFailure); | |
| 109 » } | |
| 110 | 106 |
| 111 rv = SEC_QuickDERDecodeItem | 107 our_pool = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); |
| 112 » (our_pool, &decodeContext, CERTBasicConstraintsTemplate, encodedVal
ue); | 108 if (our_pool == NULL) { |
| 113 » if (rv == SECFailure) | 109 PORT_SetError(SEC_ERROR_NO_MEMORY); |
| 114 » break; | 110 GEN_BREAK(SECFailure); |
| 115 » | 111 } |
| 116 » value->isCA = decodeContext.isCA.data | 112 |
| 117 » ? (PRBool)(decodeContext.isCA.data[0] != 0) | 113 rv = SEC_QuickDERDecodeItem(our_pool, &decodeContext, |
| 118 » » : PR_FALSE; | 114 CERTBasicConstraintsTemplate, encodedValue); |
| 119 » if (decodeContext.pathLenConstraint.data == NULL) { | 115 if (rv == SECFailure) |
| 120 » /* if the pathLenConstraint is not encoded, and the current setting | 116 break; |
| 121 » is CA, then the pathLenConstraint should be set to a negative numb
er | 117 |
| 122 » for unlimited certificate path. | 118 value->isCA = decodeContext.isCA.data |
| 123 » */ | 119 ? (PRBool)(decodeContext.isCA.data[0] != 0) |
| 124 » if (value->isCA) | 120 : PR_FALSE; |
| 125 » » value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT; | 121 if (decodeContext.pathLenConstraint.data == NULL) { |
| 126 » } else if (value->isCA) { | 122 /* if the pathLenConstraint is not encoded, and the current setting |
| 127 » long len = DER_GetInteger (&decodeContext.pathLenConstraint); | 123 is CA, then the pathLenConstraint should be set to a negative |
| 128 » if (len < 0 || len == LONG_MAX) { | 124 number |
| 129 » » PORT_SetError (SEC_ERROR_BAD_DER); | 125 for unlimited certificate path. |
| 130 » » GEN_BREAK (SECFailure); | 126 */ |
| 131 » } | 127 if (value->isCA) |
| 132 » value->pathLenConstraint = len; | 128 value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT; |
| 133 » } else { | 129 } else if (value->isCA) { |
| 134 » /* here we get an error where the subject is not a CA, but | 130 long len = DER_GetInteger(&decodeContext.pathLenConstraint); |
| 135 » the pathLenConstraint is set */ | 131 if (len < 0 || len == LONG_MAX) { |
| 136 » PORT_SetError (SEC_ERROR_BAD_DER); | 132 PORT_SetError(SEC_ERROR_BAD_DER); |
| 137 » GEN_BREAK (SECFailure); | 133 GEN_BREAK(SECFailure); |
| 138 » break; | 134 } |
| 139 » } | 135 value->pathLenConstraint = len; |
| 140 » | 136 } else { |
| 137 /* here we get an error where the subject is not a CA, but |
| 138 the pathLenConstraint is set */ |
| 139 PORT_SetError(SEC_ERROR_BAD_DER); |
| 140 GEN_BREAK(SECFailure); |
| 141 break; |
| 142 } |
| 143 |
| 141 } while (0); | 144 } while (0); |
| 142 PORT_FreeArena (our_pool, PR_FALSE); | 145 PORT_FreeArena(our_pool, PR_FALSE); |
| 143 return (rv); | 146 return (rv); |
| 144 | |
| 145 } | 147 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1843333003:
Update NSPR to 4.12 and NSS to 3.23 on iOS (Closed)
Base URL: https://chromium.googlesource.com/chromium/deps/nss.git@master