Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(220)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: nss/lib/certhigh/certvfypkix.c

Issue 1843333003: Update NSPR to 4.12 and NSS to 3.23 on iOS (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/nss.git@master
Patch Set: Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « nss/lib/certhigh/certvfy.c ('k') | nss/lib/certhigh/crlv2.c » ('j') | nss/lib/util/secoid.c » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* This Source Code Form is subject to the terms of the Mozilla Public 1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 /* 4 /*
5 * nss_pkix_proxy.h 5 * nss_pkix_proxy.h
6 * 6 *
7 * PKIX - NSS proxy functions 7 * PKIX - NSS proxy functions
8 * 8 *
9 * NOTE: All structures, functions, data types are parts of library private 9 * NOTE: All structures, functions, data types are parts of library private
10 * api and are subjects to change in any following releases. 10 * api and are subjects to change in any following releases.
11 * 11 *
12 */ 12 */
13 #include "prerror.h" 13 #include "prerror.h"
14 #include "prprf.h" 14 #include "prprf.h"
15 15
16 #include "nspr.h" 16 #include "nspr.h"
17 #include "pk11func.h" 17 #include "pk11func.h"
18 #include "certdb.h" 18 #include "certdb.h"
19 #include "cert.h" 19 #include "cert.h"
20 #include "secerr.h" 20 #include "secerr.h"
21 #include "nssb64.h" 21 #include "nssb64.h"
22 #include "secasn1.h" 22 #include "secasn1.h"
23 #include "secder.h" 23 #include "secder.h"
24 #include "pkit.h" 24 #include "pkit.h"
25 25
26 #include "pkix_pl_common.h" 26 #include "pkix_pl_common.h"
27 27
28 extern PRLogModuleInfo *pkixLog; 28 extern PRLogModuleInfo *pkixLog;
29 29
30 #ifdef PKIX_OBJECT_LEAK_TEST 30 #ifdef PKIX_OBJECT_LEAK_TEST
31 31
32 extern PKIX_UInt32 32 extern PKIX_UInt32
33 pkix_pl_lifecycle_ObjectLeakCheck(int *); 33 pkix_pl_lifecycle_ObjectLeakCheck(int *);
34 34
35 extern SECStatus 35 extern SECStatus
36 pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable); 36 pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
37 37
38 PRInt32 parallelFnInvocationCount; 38 PRInt32 parallelFnInvocationCount;
39 #endif /* PKIX_OBJECT_LEAK_TEST */ 39 #endif /* PKIX_OBJECT_LEAK_TEST */
40 40
41
42 static PRBool usePKIXValidationEngine = PR_FALSE; 41 static PRBool usePKIXValidationEngine = PR_FALSE;
43 42
44 /* 43 /*
45 * FUNCTION: CERT_SetUsePKIXForValidation 44 * FUNCTION: CERT_SetUsePKIXForValidation
46 * DESCRIPTION: 45 * DESCRIPTION:
47 * 46 *
48 * Enables or disables use of libpkix for certificate validation 47 * Enables or disables use of libpkix for certificate validation
49 * 48 *
50 * PARAMETERS: 49 * PARAMETERS:
51 * "enable" 50 * "enable"
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after
97 * "pkixKeyUsage" 96 * "pkixKeyUsage"
98 * Pkix key usage big field. 97 * Pkix key usage big field.
99 * "plContext" 98 * "plContext"
100 * Platform-specific context pointer. 99 * Platform-specific context pointer.
101 * THREAD SAFETY: 100 * THREAD SAFETY:
102 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) 101 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
103 * RETURNS: 102 * RETURNS:
104 * Returns NULL if the function succeeds. 103 * Returns NULL if the function succeeds.
105 * Returns a Fatal Error if the function fails in an unrecoverable way. 104 * Returns a Fatal Error if the function fails in an unrecoverable way.
106 */ 105 */
107 static PKIX_Error* 106 static PKIX_Error *
108 cert_NssKeyUsagesToPkix( 107 cert_NssKeyUsagesToPkix(
109 PRUint32 nssKeyUsage, 108 PRUint32 nssKeyUsage,
110 PKIX_UInt32 *pPkixKeyUsage, 109 PKIX_UInt32 *pPkixKeyUsage,
111 void *plContext) 110 void *plContext)
112 { 111 {
113 PKIX_UInt32 pkixKeyUsage = 0; 112 PKIX_UInt32 pkixKeyUsage = 0;
114 113
115 PKIX_ENTER(CERTVFYPKIX, "cert_NssKeyUsagesToPkix"); 114 PKIX_ENTER(CERTVFYPKIX, "cert_NssKeyUsagesToPkix");
116 PKIX_NULLCHECK_ONE(pPkixKeyUsage); 115 PKIX_NULLCHECK_ONE(pPkixKeyUsage);
117 116
118 *pPkixKeyUsage = 0; 117 *pPkixKeyUsage = 0;
119 118
120 if (nssKeyUsage & KU_DIGITAL_SIGNATURE) { 119 if (nssKeyUsage & KU_DIGITAL_SIGNATURE) {
121 pkixKeyUsage |= PKIX_DIGITAL_SIGNATURE; 120 pkixKeyUsage |= PKIX_DIGITAL_SIGNATURE;
122 } 121 }
123 122
124 if (nssKeyUsage & KU_NON_REPUDIATION) { 123 if (nssKeyUsage & KU_NON_REPUDIATION) {
125 pkixKeyUsage |= PKIX_NON_REPUDIATION; 124 pkixKeyUsage |= PKIX_NON_REPUDIATION;
126 } 125 }
127 126
128 if (nssKeyUsage & KU_KEY_ENCIPHERMENT) { 127 if (nssKeyUsage & KU_KEY_ENCIPHERMENT) {
129 pkixKeyUsage |= PKIX_KEY_ENCIPHERMENT; 128 pkixKeyUsage |= PKIX_KEY_ENCIPHERMENT;
130 } 129 }
131 130
132 if (nssKeyUsage & KU_DATA_ENCIPHERMENT) { 131 if (nssKeyUsage & KU_DATA_ENCIPHERMENT) {
133 pkixKeyUsage |= PKIX_DATA_ENCIPHERMENT; 132 pkixKeyUsage |= PKIX_DATA_ENCIPHERMENT;
134 } 133 }
135 134
136 if (nssKeyUsage & KU_KEY_AGREEMENT) { 135 if (nssKeyUsage & KU_KEY_AGREEMENT) {
137 pkixKeyUsage |= PKIX_KEY_AGREEMENT; 136 pkixKeyUsage |= PKIX_KEY_AGREEMENT;
138 } 137 }
139 138
140 if (nssKeyUsage & KU_KEY_CERT_SIGN) { 139 if (nssKeyUsage & KU_KEY_CERT_SIGN) {
141 pkixKeyUsage |= PKIX_KEY_CERT_SIGN; 140 pkixKeyUsage |= PKIX_KEY_CERT_SIGN;
142 } 141 }
143 142
144 if (nssKeyUsage & KU_CRL_SIGN) { 143 if (nssKeyUsage & KU_CRL_SIGN) {
145 pkixKeyUsage |= PKIX_CRL_SIGN; 144 pkixKeyUsage |= PKIX_CRL_SIGN;
146 } 145 }
147 146
148 if (nssKeyUsage & KU_ENCIPHER_ONLY) { 147 if (nssKeyUsage & KU_ENCIPHER_ONLY) {
149 pkixKeyUsage |= PKIX_ENCIPHER_ONLY; 148 pkixKeyUsage |= PKIX_ENCIPHER_ONLY;
150 } 149 }
151 150
152 /* Not supported. XXX we should support this once it is 151 /* Not supported. XXX we should support this once it is
153 * fixed in NSS */ 152 * fixed in NSS */
154 /* pkixKeyUsage |= PKIX_DECIPHER_ONLY; */ 153 /* pkixKeyUsage |= PKIX_DECIPHER_ONLY; */
155 154
156 *pPkixKeyUsage = pkixKeyUsage; 155 *pPkixKeyUsage = pkixKeyUsage;
157 156
158 PKIX_RETURN(CERTVFYPKIX); 157 PKIX_RETURN(CERTVFYPKIX);
159 } 158 }
160 159
161 extern SECOidTag ekuOidStrings[]; 160 extern SECOidTag ekuOidStrings[];
162 161
163 enum { 162 enum {
164 ekuIndexSSLServer = 0, 163 ekuIndexSSLServer = 0,
165 ekuIndexSSLClient, 164 ekuIndexSSLClient,
166 ekuIndexCodeSigner, 165 ekuIndexCodeSigner,
167 ekuIndexEmail, 166 ekuIndexEmail,
168 ekuIndexTimeStamp, 167 ekuIndexTimeStamp,
169 ekuIndexStatusResponder, 168 ekuIndexStatusResponder,
170 ekuIndexUnknown 169 ekuIndexUnknown
171 } ekuIndex; 170 } ekuIndex;
172 171
173 typedef struct { 172 typedef struct {
174 SECCertUsage certUsage; 173 SECCertUsage certUsage;
175 PRUint32 ekuStringIndex; 174 PRUint32 ekuStringIndex;
176 } SECCertUsageToEku; 175 } SECCertUsageToEku;
177 176
178 const SECCertUsageToEku certUsageEkuStringMap[] = { 177 const SECCertUsageToEku certUsageEkuStringMap[] = {
179 {certUsageSSLClient, ekuIndexSSLClient}, 178 { certUsageSSLClient, ekuIndexSSLClient },
180 {certUsageSSLServer, ekuIndexSSLServer}, 179 { certUsageSSLServer, ekuIndexSSLServer },
181 {certUsageSSLCA, ekuIndexSSLServer}, 180 { certUsageSSLCA, ekuIndexSSLServer },
182 {certUsageEmailSigner, ekuIndexEmail}, 181 { certUsageEmailSigner, ekuIndexEmail },
183 {certUsageEmailRecipient, ekuIndexEmail}, 182 { certUsageEmailRecipient, ekuIndexEmail },
184 {certUsageObjectSigner, ekuIndexCodeSigner}, 183 { certUsageObjectSigner, ekuIndexCodeSigner },
185 {certUsageUserCertImport, ekuIndexUnknown}, 184 { certUsageUserCertImport, ekuIndexUnknown },
186 {certUsageVerifyCA, ekuIndexUnknown}, 185 { certUsageVerifyCA, ekuIndexUnknown },
187 {certUsageProtectedObjectSigner, ekuIndexUnknown}, 186 { certUsageProtectedObjectSigner, ekuIndexUnknown },
188 {certUsageStatusResponder, ekuIndexStatusResponder}, 187 { certUsageStatusResponder, ekuIndexStatusResponder },
189 {certUsageAnyCA, ekuIndexUnknown}, 188 { certUsageAnyCA, ekuIndexUnknown },
190 }; 189 };
191 190
192 /* 191 /*
193 * FUNCTION: cert_NssCertificateUsageToPkixKUAndEKU 192 * FUNCTION: cert_NssCertificateUsageToPkixKUAndEKU
194 * DESCRIPTION: 193 * DESCRIPTION:
195 * 194 *
196 * Converts nss CERTCertificateUsage bit field to pkix key and 195 * Converts nss CERTCertificateUsage bit field to pkix key and
197 * extended key usages. 196 * extended key usages.
198 * 197 *
199 * PARAMETERS: 198 * PARAMETERS:
200 * "cert" 199 * "cert"
201 * Pointer to CERTCertificate structure of validating cert. 200 * Pointer to CERTCertificate structure of validating cert.
202 * "requiredCertUsages" 201 * "requiredCertUsages"
203 * Required usage that will be converted to pkix eku and ku. 202 * Required usage that will be converted to pkix eku and ku.
204 * "requiredKeyUsage", 203 * "requiredKeyUsage",
205 * Additional key usages impose to cert. 204 * Additional key usages impose to cert.
206 * "isCA", 205 * "isCA",
207 * it true, convert usages for cert that is a CA cert. 206 * it true, convert usages for cert that is a CA cert.
208 * "ppkixEKUList" 207 * "ppkixEKUList"
209 * Returned address of a list of pkix extended key usages. 208 * Returned address of a list of pkix extended key usages.
210 * "ppkixKU" 209 * "ppkixKU"
211 * Returned address of pkix required key usages bit field. 210 * Returned address of pkix required key usages bit field.
212 * "plContext" 211 * "plContext"
213 * Platform-specific context pointer. 212 * Platform-specific context pointer.
214 * THREAD SAFETY: 213 * THREAD SAFETY:
215 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) 214 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
216 * RETURNS: 215 * RETURNS:
217 * Returns NULL if the function succeeds. 216 * Returns NULL if the function succeeds.
218 * Returns a Cert Verify Error if the function fails in an unrecoverable way. 217 * Returns a Cert Verify Error if the function fails in an unrecoverable way.
219 * Returns a Fatal Error if the function fails in an unrecoverable way. 218 * Returns a Fatal Error if the function fails in an unrecoverable way.
220 */ 219 */
221 static PKIX_Error* 220 static PKIX_Error *
222 cert_NssCertificateUsageToPkixKUAndEKU( 221 cert_NssCertificateUsageToPkixKUAndEKU(
223 CERTCertificate *cert, 222 CERTCertificate *cert,
224 SECCertUsage requiredCertUsage, 223 SECCertUsage requiredCertUsage,
225 PRUint32 requiredKeyUsages, 224 PRUint32 requiredKeyUsages,
226 PRBool isCA, 225 PRBool isCA,
227 PKIX_List **ppkixEKUList, 226 PKIX_List **ppkixEKUList,
228 PKIX_UInt32 *ppkixKU, 227 PKIX_UInt32 *ppkixKU,
229 void *plContext) 228 void *plContext)
230 { 229 {
231 PKIX_List *ekuOidsList = NULL; 230 PKIX_List *ekuOidsList = NULL;
232 PKIX_PL_OID *ekuOid = NULL; 231 PKIX_PL_OID *ekuOid = NULL;
233 int i = 0; 232 int i = 0;
234 int ekuIndex = ekuIndexUnknown; 233 int ekuIndex = ekuIndexUnknown;
235 234
236 PKIX_ENTER(CERTVFYPKIX, "cert_NssCertificateUsageToPkixEku"); 235 PKIX_ENTER(CERTVFYPKIX, "cert_NssCertificateUsageToPkixEku");
237 PKIX_NULLCHECK_TWO(ppkixEKUList, ppkixKU); 236 PKIX_NULLCHECK_TWO(ppkixEKUList, ppkixKU);
238 237
239 PKIX_CHECK( 238 PKIX_CHECK(
240 PKIX_List_Create(&ekuOidsList, plContext), 239 PKIX_List_Create(&ekuOidsList, plContext),
241 PKIX_LISTCREATEFAILED); 240 PKIX_LISTCREATEFAILED);
242 241
243 for (;i < PR_ARRAY_SIZE(certUsageEkuStringMap);i++) { 242 for (; i < PR_ARRAY_SIZE(certUsageEkuStringMap); i++) {
244 const SECCertUsageToEku *usageToEkuElem = 243 const SECCertUsageToEku *usageToEkuElem =
245 &certUsageEkuStringMap[i]; 244 &certUsageEkuStringMap[i];
246 if (usageToEkuElem->certUsage == requiredCertUsage) { 245 if (usageToEkuElem->certUsage == requiredCertUsage) {
247 ekuIndex = usageToEkuElem->ekuStringIndex; 246 ekuIndex = usageToEkuElem->ekuStringIndex;
248 break; 247 break;
249 } 248 }
250 } 249 }
251 if (ekuIndex != ekuIndexUnknown) { 250 if (ekuIndex != ekuIndexUnknown) {
252 PRUint32 reqKeyUsage = 0; 251 PRUint32 reqKeyUsage = 0;
253 PRUint32 reqCertType = 0; 252 PRUint32 reqCertType = 0;
254 253
255 CERT_KeyUsageAndTypeForCertUsage(requiredCertUsage, isCA, 254 CERT_KeyUsageAndTypeForCertUsage(requiredCertUsage, isCA,
256 &reqKeyUsage, 255 &reqKeyUsage,
257 &reqCertType); 256 &reqCertType);
258 257
259 requiredKeyUsages |= reqKeyUsage; 258 requiredKeyUsages |= reqKeyUsage;
260 259
261 PKIX_CHECK( 260 PKIX_CHECK(
262 PKIX_PL_OID_Create(ekuOidStrings[ekuIndex], &ekuOid, 261 PKIX_PL_OID_Create(ekuOidStrings[ekuIndex], &ekuOid,
263 plContext), 262 plContext),
264 PKIX_OIDCREATEFAILED); 263 PKIX_OIDCREATEFAILED);
265 264
266 PKIX_CHECK( 265 PKIX_CHECK(
267 PKIX_List_AppendItem(ekuOidsList, (PKIX_PL_Object *)ekuOid, 266 PKIX_List_AppendItem(ekuOidsList, (PKIX_PL_Object *)ekuOid,
268 plContext), 267 plContext),
269 PKIX_LISTAPPENDITEMFAILED); 268 PKIX_LISTAPPENDITEMFAILED);
270 269
271 PKIX_DECREF(ekuOid); 270 PKIX_DECREF(ekuOid);
272 } 271 }
273 272
274 PKIX_CHECK( 273 PKIX_CHECK(
275 cert_NssKeyUsagesToPkix(requiredKeyUsages, ppkixKU, plContext), 274 cert_NssKeyUsagesToPkix(requiredKeyUsages, ppkixKU, plContext),
276 PKIX_NSSCERTIFICATEUSAGETOPKIXKUANDEKUFAILED); 275 PKIX_NSSCERTIFICATEUSAGETOPKIXKUANDEKUFAILED);
277 276
278 *ppkixEKUList = ekuOidsList; 277 *ppkixEKUList = ekuOidsList;
279 ekuOidsList = NULL; 278 ekuOidsList = NULL;
280 279
281 cleanup: 280 cleanup:
282 281
283 PKIX_DECREF(ekuOid); 282 PKIX_DECREF(ekuOid);
284 PKIX_DECREF(ekuOidsList); 283 PKIX_DECREF(ekuOidsList);
285 284
286 PKIX_RETURN(CERTVFYPKIX); 285 PKIX_RETURN(CERTVFYPKIX);
287 } 286 }
288 287
289 #endif 288 #endif
290 289
291 /* 290 /*
292 * FUNCTION: cert_ProcessingParamsSetKeyAndCertUsage 291 * FUNCTION: cert_ProcessingParamsSetKeyAndCertUsage
(...skipping 13 matching lines...) Expand all
306 * Request additional key usages the certificate should be validated for. 305 * Request additional key usages the certificate should be validated for.
307 * "plContext" 306 * "plContext"
308 * Platform-specific context pointer. 307 * Platform-specific context pointer.
309 * THREAD SAFETY: 308 * THREAD SAFETY:
310 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) 309 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
311 * RETURNS: 310 * RETURNS:
312 * Returns NULL if the function succeeds. 311 * Returns NULL if the function succeeds.
313 * Returns a Cert Verify Error if the function fails in an unrecoverable way. 312 * Returns a Cert Verify Error if the function fails in an unrecoverable way.
314 * Returns a Fatal Error if the function fails in an unrecoverable way. 313 * Returns a Fatal Error if the function fails in an unrecoverable way.
315 */ 314 */
316 static PKIX_Error* 315 static PKIX_Error *
317 cert_ProcessingParamsSetKeyAndCertUsage( 316 cert_ProcessingParamsSetKeyAndCertUsage(
318 PKIX_ProcessingParams *procParams, 317 PKIX_ProcessingParams *procParams,
319 SECCertUsage requiredCertUsage, 318 SECCertUsage requiredCertUsage,
320 PRUint32 requiredKeyUsages, 319 PRUint32 requiredKeyUsages,
321 void *plContext) 320 void *plContext)
322 { 321 {
323 PKIX_CertSelector *certSelector = NULL; 322 PKIX_CertSelector *certSelector = NULL;
324 PKIX_ComCertSelParams *certSelParams = NULL; 323 PKIX_ComCertSelParams *certSelParams = NULL;
325 PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext*)plContext; 324 PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext;
326 325
327 PKIX_ENTER(CERTVFYPKIX, "cert_ProcessingParamsSetKeyAndCertUsage"); 326 PKIX_ENTER(CERTVFYPKIX, "cert_ProcessingParamsSetKeyAndCertUsage");
328 PKIX_NULLCHECK_TWO(procParams, nssContext); 327 PKIX_NULLCHECK_TWO(procParams, nssContext);
329 328
330 PKIX_CHECK( 329 PKIX_CHECK(
331 pkix_pl_NssContext_SetCertUsage( 330 pkix_pl_NssContext_SetCertUsage(
332 » ((SECCertificateUsage)1) << requiredCertUsage, nssContext), 331 ((SECCertificateUsage)1) << requiredCertUsage, nssContext),
333 » PKIX_NSSCONTEXTSETCERTUSAGEFAILED); 332 PKIX_NSSCONTEXTSETCERTUSAGEFAILED);
334 333
335 if (requiredKeyUsages) { 334 if (requiredKeyUsages) {
336 PKIX_CHECK( 335 PKIX_CHECK(
337 PKIX_ProcessingParams_GetTargetCertConstraints(procParams, 336 PKIX_ProcessingParams_GetTargetCertConstraints(procParams,
338 &certSelector, plCont ext), 337 &certSelector, plCont ext),
339 PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED); 338 PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
340 339
341 PKIX_CHECK( 340 PKIX_CHECK(
342 PKIX_CertSelector_GetCommonCertSelectorParams(certSelector, 341 PKIX_CertSelector_GetCommonCertSelectorParams(certSelector,
343 &certSelParams, plCont ext), 342 &certSelParams, plCont ext),
344 PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED); 343 PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
345 344
346
347 PKIX_CHECK( 345 PKIX_CHECK(
348 PKIX_ComCertSelParams_SetKeyUsage(certSelParams, requiredKeyUsages, 346 PKIX_ComCertSelParams_SetKeyUsage(certSelParams, requiredKeyUsages,
349 plContext), 347 plContext),
350 PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED); 348 PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED);
351 } 349 }
352 cleanup: 350 cleanup:
353 PKIX_DECREF(certSelector); 351 PKIX_DECREF(certSelector);
354 PKIX_DECREF(certSelParams); 352 PKIX_DECREF(certSelParams);
355 353
356 PKIX_RETURN(CERTVFYPKIX); 354 PKIX_RETURN(CERTVFYPKIX);
357 } 355 }
358 356
359 /* 357 /*
360 * Unused parameters: 358 * Unused parameters:
361 * 359 *
362 * CERTCertList *initialChain, 360 * CERTCertList *initialChain,
363 * CERTCertStores certStores, 361 * CERTCertStores certStores,
364 * CERTCertRevCheckers certRevCheckers, 362 * CERTCertRevCheckers certRevCheckers,
365 * CERTCertChainCheckers certChainCheckers, 363 * CERTCertChainCheckers certChainCheckers,
366 * SECItem *initPolicies, 364 * SECItem *initPolicies,
367 * PRBool policyQualifierRejected, 365 * PRBool policyQualifierRejected,
368 * PRBool anyPolicyInhibited, 366 * PRBool anyPolicyInhibited,
369 * PRBool reqExplicitPolicy, 367 * PRBool reqExplicitPolicy,
370 * PRBool policyMappingInhibited, 368 * PRBool policyMappingInhibited,
(...skipping 20 matching lines...) Expand all
391 * Address to return created processing parameters. 389 * Address to return created processing parameters.
392 * "plContext" 390 * "plContext"
393 * Platform-specific context pointer. 391 * Platform-specific context pointer.
394 * THREAD SAFETY: 392 * THREAD SAFETY:
395 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) 393 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
396 * RETURNS: 394 * RETURNS:
397 * Returns NULL if the function succeeds. 395 * Returns NULL if the function succeeds.
398 * Returns a Cert Verify Error if the function fails in an unrecoverable way. 396 * Returns a Cert Verify Error if the function fails in an unrecoverable way.
399 * Returns a Fatal Error if the function fails in an unrecoverable way. 397 * Returns a Fatal Error if the function fails in an unrecoverable way.
400 */ 398 */
401 static PKIX_Error* 399 static PKIX_Error *
402 cert_CreatePkixProcessingParams( 400 cert_CreatePkixProcessingParams(
403 CERTCertificate *cert, 401 CERTCertificate *cert,
404 PRBool checkSig, /* not used yet. See bug 391476 */ 402 PRBool checkSig, /* not used yet. See bug 391476 */
405 PRTime time, 403 PRTime time,
406 void *wincx, 404 void *wincx,
407 PRBool useArena, 405 PRBool useArena,
408 PRBool disableOCSPRemoteFetching, 406 PRBool disableOCSPRemoteFetching,
409 PKIX_ProcessingParams **pprocParams, 407 PKIX_ProcessingParams **pprocParams,
410 void **pplContext) 408 void **pplContext)
411 { 409 {
412 PKIX_List *anchors = NULL; 410 PKIX_List *anchors = NULL;
413 PKIX_PL_Cert *targetCert = NULL; 411 PKIX_PL_Cert *targetCert = NULL;
414 PKIX_PL_Date *date = NULL; 412 PKIX_PL_Date *date = NULL;
415 PKIX_ProcessingParams *procParams = NULL; 413 PKIX_ProcessingParams *procParams = NULL;
416 PKIX_CertSelector *certSelector = NULL; 414 PKIX_CertSelector *certSelector = NULL;
417 PKIX_ComCertSelParams *certSelParams = NULL; 415 PKIX_ComCertSelParams *certSelParams = NULL;
418 PKIX_CertStore *certStore = NULL; 416 PKIX_CertStore *certStore = NULL;
419 PKIX_List *certStores = NULL; 417 PKIX_List *certStores = NULL;
420 PKIX_RevocationChecker *revChecker = NULL; 418 PKIX_RevocationChecker *revChecker = NULL;
421 PKIX_UInt32 methodFlags = 0; 419 PKIX_UInt32 methodFlags = 0;
422 void *plContext = NULL; 420 void *plContext = NULL;
423 CERTStatusConfig *statusConfig = NULL; 421 CERTStatusConfig *statusConfig = NULL;
424 422
425 PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams"); 423 PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams");
426 PKIX_NULLCHECK_TWO(cert, pprocParams); 424 PKIX_NULLCHECK_TWO(cert, pprocParams);
427 425
428 PKIX_CHECK( 426 PKIX_CHECK(
429 PKIX_PL_NssContext_Create(0, useArena, wincx, &plContext), 427 PKIX_PL_NssContext_Create(0, useArena, wincx, &plContext),
430 PKIX_NSSCONTEXTCREATEFAILED); 428 PKIX_NSSCONTEXTCREATEFAILED);
431 429
432 *pplContext = plContext; 430 *pplContext = plContext;
433 431
434 #ifdef PKIX_NOTDEF 432 #ifdef PKIX_NOTDEF
435 /* Functions should be implemented in patch for 390532 */ 433 /* Functions should be implemented in patch for 390532 */
436 PKIX_CHECK( 434 PKIX_CHECK(
437 pkix_pl_NssContext_SetCertSignatureCheck(checkSig, 435 pkix_pl_NssContext_SetCertSignatureCheck(checkSig,
438 (PKIX_PL_NssContext*)plContext) , 436 (PKIX_PL_NssContext *)plContext ),
439 PKIX_NSSCONTEXTSETCERTSIGNCHECKFAILED); 437 PKIX_NSSCONTEXTSETCERTSIGNCHECKFAILED);
440 438
441 #endif /* PKIX_NOTDEF */ 439 #endif /* PKIX_NOTDEF */
442 440
443 PKIX_CHECK( 441 PKIX_CHECK(
444 PKIX_ProcessingParams_Create(&procParams, plContext), 442 PKIX_ProcessingParams_Create(&procParams, plContext),
445 PKIX_PROCESSINGPARAMSCREATEFAILED); 443 PKIX_PROCESSINGPARAMSCREATEFAILED);
446 444
447 PKIX_CHECK( 445 PKIX_CHECK(
448 PKIX_ComCertSelParams_Create(&certSelParams, plContext), 446 PKIX_ComCertSelParams_Create(&certSelParams, plContext),
449 PKIX_COMCERTSELPARAMSCREATEFAILED); 447 PKIX_COMCERTSELPARAMSCREATEFAILED);
450 448
451 PKIX_CHECK( 449 PKIX_CHECK(
452 PKIX_PL_Cert_CreateFromCERTCertificate(cert, &targetCert, plContext), 450 PKIX_PL_Cert_CreateFromCERTCertificate(cert, &targetCert, plContext),
453 PKIX_CERTCREATEWITHNSSCERTFAILED); 451 PKIX_CERTCREATEWITHNSSCERTFAILED);
454 452
455 PKIX_CHECK( 453 PKIX_CHECK(
456 PKIX_ComCertSelParams_SetCertificate(certSelParams, 454 PKIX_ComCertSelParams_SetCertificate(certSelParams,
457 targetCert, plContext), 455 targetCert, plContext),
458 PKIX_COMCERTSELPARAMSSETCERTIFICATEFAILED); 456 PKIX_COMCERTSELPARAMSSETCERTIFICATEFAILED);
459 457
460 PKIX_CHECK( 458 PKIX_CHECK(
461 PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext), 459 PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext),
462 PKIX_COULDNOTCREATECERTSELECTOROBJECT); 460 PKIX_COULDNOTCREATECERTSELECTOROBJECT);
463 461
464 PKIX_CHECK( 462 PKIX_CHECK(
465 PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, 463 PKIX_CertSelector_SetCommonCertSelectorParams(certSelector,
466 certSelParams, plContext), 464 certSelParams, plContext),
467 PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED); 465 PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
468 466
469 PKIX_CHECK( 467 PKIX_CHECK(
470 PKIX_ProcessingParams_SetTargetCertConstraints(procParams, 468 PKIX_ProcessingParams_SetTargetCertConstraints(procParams,
471 certSelector, plContext), 469 certSelector, plContext),
472 PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED); 470 PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED);
473 471
474 /* Turn off quialification of target cert since leaf cert is 472 /* Turn off quialification of target cert since leaf cert is
475 * already check for date validity, key usages and extended 473 * already check for date validity, key usages and extended
476 * key usages. */ 474 * key usages. */
477 PKIX_CHECK( 475 PKIX_CHECK(
478 PKIX_ProcessingParams_SetQualifyTargetCert(procParams, PKIX_FALSE, 476 PKIX_ProcessingParams_SetQualifyTargetCert(procParams, PKIX_FALSE,
479 plContext), 477 plContext),
480 PKIX_PROCESSINGPARAMSSETQUALIFYTARGETCERTFLAGFAILED); 478 PKIX_PROCESSINGPARAMSSETQUALIFYTARGETCERTFLAGFAILED);
481 479
482 PKIX_CHECK( 480 PKIX_CHECK(
483 PKIX_PL_Pk11CertStore_Create(&certStore, plContext), 481 PKIX_PL_Pk11CertStore_Create(&certStore, plContext),
484 PKIX_PK11CERTSTORECREATEFAILED); 482 PKIX_PK11CERTSTORECREATEFAILED);
485 483
486 PKIX_CHECK( 484 PKIX_CHECK(
487 PKIX_List_Create(&certStores, plContext), 485 PKIX_List_Create(&certStores, plContext),
488 PKIX_UNABLETOCREATELIST); 486 PKIX_UNABLETOCREATELIST);
489 487
490 PKIX_CHECK( 488 PKIX_CHECK(
491 PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, 489 PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore,
492 plContext), 490 plContext),
493 PKIX_LISTAPPENDITEMFAILED); 491 PKIX_LISTAPPENDITEMFAILED);
494 492
495 PKIX_CHECK( 493 PKIX_CHECK(
496 PKIX_ProcessingParams_SetCertStores(procParams, certStores, 494 PKIX_ProcessingParams_SetCertStores(procParams, certStores,
497 plContext), 495 plContext),
498 PKIX_PROCESSINGPARAMSADDCERTSTOREFAILED); 496 PKIX_PROCESSINGPARAMSADDCERTSTOREFAILED);
499 497
500 PKIX_CHECK( 498 PKIX_CHECK(
501 PKIX_PL_Date_CreateFromPRTime(time, &date, plContext), 499 PKIX_PL_Date_CreateFromPRTime(time, &date, plContext),
502 PKIX_DATECREATEFROMPRTIMEFAILED); 500 PKIX_DATECREATEFROMPRTIMEFAILED);
503 501
504 PKIX_CHECK( 502 PKIX_CHECK(
505 PKIX_ProcessingParams_SetDate(procParams, date, plContext), 503 PKIX_ProcessingParams_SetDate(procParams, date, plContext),
506 PKIX_PROCESSINGPARAMSSETDATEFAILED); 504 PKIX_PROCESSINGPARAMSSETDATEFAILED);
507 505
508 PKIX_CHECK( 506 PKIX_CHECK(
509 PKIX_RevocationChecker_Create( 507 PKIX_RevocationChecker_Create(
510 PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | 508 PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
511 PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, 509 PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
512 PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | 510 PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
513 PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, 511 PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
514 &revChecker, plContext), 512 &revChecker, plContext),
515 PKIX_REVOCATIONCHECKERCREATEFAILED); 513 PKIX_REVOCATIONCHECKERCREATEFAILED);
516 514
517 PKIX_CHECK( 515 PKIX_CHECK(
518 PKIX_ProcessingParams_SetRevocationChecker(procParams, revChecker, 516 PKIX_ProcessingParams_SetRevocationChecker(procParams, revChecker,
519 plContext), 517 plContext),
520 PKIX_PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED); 518 PKIX_PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED);
521 519
522 /* CRL method flags */ 520 /* CRL method flags */
523 methodFlags = 521 methodFlags =
524 PKIX_REV_M_TEST_USING_THIS_METHOD | 522 PKIX_REV_M_TEST_USING_THIS_METHOD |
525 PKIX_REV_M_FORBID_NETWORK_FETCHING | 523 PKIX_REV_M_FORBID_NETWORK_FETCHING |
526 PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ 524 PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
527 PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ 525 PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
528 PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO; 526 PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
529 527
530 /* add CRL revocation method to check the leaf certificate */ 528 /* add CRL revocation method to check the leaf certificate */
531 PKIX_CHECK( 529 PKIX_CHECK(
532 PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, 530 PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
533 PKIX_RevocationMethod_CRL, methodFlags, 531 PKIX_RevocationMethod_CRL, met hodFlags,
534 0, NULL, PKIX_TRUE, plContext), 532 0, NULL, PKIX_TRUE, plContext) ,
535 PKIX_REVOCATIONCHECKERADDMETHODFAILED); 533 PKIX_REVOCATIONCHECKERADDMETHODFAILED);
536 534
537 /* add CRL revocation method for other certs in the chain. */ 535 /* add CRL revocation method for other certs in the chain. */
538 PKIX_CHECK( 536 PKIX_CHECK(
539 PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, 537 PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
540 PKIX_RevocationMethod_CRL, methodFlags, 538 PKIX_RevocationMethod_CRL, met hodFlags,
541 0, NULL, PKIX_FALSE, plContext), 539 0, NULL, PKIX_FALSE, plContext ),
542 PKIX_REVOCATIONCHECKERADDMETHODFAILED); 540 PKIX_REVOCATIONCHECKERADDMETHODFAILED);
543 541
544 /* For compatibility with the old code, need to check that 542 /* For compatibility with the old code, need to check that
545 * statusConfig is set in the db handle and status checker 543 * statusConfig is set in the db handle and status checker
546 * is defined befor allow ocsp status check on the leaf cert.*/ 544 * is defined befor allow ocsp status check on the leaf cert.*/
547 statusConfig = CERT_GetStatusConfig(CERT_GetDefaultCertDB()); 545 statusConfig = CERT_GetStatusConfig(CERT_GetDefaultCertDB());
548 if (statusConfig != NULL && statusConfig->statusChecker != NULL) { 546 if (statusConfig != NULL && statusConfig->statusChecker != NULL) {
549 547
550 /* Enable OCSP revocation checking for the leaf cert. */ 548 /* Enable OCSP revocation checking for the leaf cert. */
551 /* OCSP method flags */ 549 /* OCSP method flags */
552 methodFlags = 550 methodFlags =
553 PKIX_REV_M_TEST_USING_THIS_METHOD | 551 PKIX_REV_M_TEST_USING_THIS_METHOD |
554 PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */ 552 PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */
555 PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */ 553 PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */
556 PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ 554 PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
557 PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ 555 PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
558 PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO; 556 PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
559 557
560 /* Disabling ocsp fetching when checking the status 558 /* Disabling ocsp fetching when checking the status
561 * of ocsp response signer. Here and in the next if, 559 * of ocsp response signer. Here and in the next if,
562 * adjust flags for ocsp signer cert validation case. */ 560 * adjust flags for ocsp signer cert validation case. */
563 if (disableOCSPRemoteFetching) { 561 if (disableOCSPRemoteFetching) {
564 methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING; 562 methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING;
565 } 563 }
566 564
567 if (ocsp_FetchingFailureIsVerificationFailure() 565 if (ocsp_FetchingFailureIsVerificationFailure() &&
568 && !disableOCSPRemoteFetching) { 566 !disableOCSPRemoteFetching) {
569 methodFlags |= 567 methodFlags |=
570 PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO; 568 PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;
571 } 569 }
572 570
573 /* add OCSP revocation method to check only the leaf certificate.*/ 571 /* add OCSP revocation method to check only the leaf certificate.*/
574 PKIX_CHECK( 572 PKIX_CHECK(
575 PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, 573 PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
576 PKIX_RevocationMethod_OCSP, methodFlags, 574 PKIX_RevocationMethod_OCSP , methodFlags,
577 1, NULL, PKIX_TRUE, plContext), 575 1, NULL, PKIX_TRUE, plCont ext),
578 PKIX_REVOCATIONCHECKERADDMETHODFAILED); 576 PKIX_REVOCATIONCHECKERADDMETHODFAILED);
579 } 577 }
580 578
581 PKIX_CHECK( 579 PKIX_CHECK(
582 PKIX_ProcessingParams_SetAnyPolicyInhibited(procParams, PR_FALSE, 580 PKIX_ProcessingParams_SetAnyPolicyInhibited(procParams, PR_FALSE,
583 plContext), 581 plContext),
584 PKIX_PROCESSINGPARAMSSETANYPOLICYINHIBITED); 582 PKIX_PROCESSINGPARAMSSETANYPOLICYINHIBITED);
585 583
586 PKIX_CHECK( 584 PKIX_CHECK(
587 PKIX_ProcessingParams_SetExplicitPolicyRequired(procParams, PR_FALSE, 585 PKIX_ProcessingParams_SetExplicitPolicyRequired(procParams, PR_FALSE,
588 plContext), 586 plContext),
589 PKIX_PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED); 587 PKIX_PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED);
590 588
591 PKIX_CHECK( 589 PKIX_CHECK(
592 PKIX_ProcessingParams_SetPolicyMappingInhibited(procParams, PR_FALSE, 590 PKIX_ProcessingParams_SetPolicyMappingInhibited(procParams, PR_FALSE,
593 plContext), 591 plContext),
594 PKIX_PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED); 592 PKIX_PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED);
595 593
596 *pprocParams = procParams; 594 *pprocParams = procParams;
597 procParams = NULL; 595 procParams = NULL;
598 596
599 cleanup: 597 cleanup:
600 PKIX_DECREF(anchors); 598 PKIX_DECREF(anchors);
601 PKIX_DECREF(targetCert); 599 PKIX_DECREF(targetCert);
602 PKIX_DECREF(date); 600 PKIX_DECREF(date);
603 PKIX_DECREF(certSelector); 601 PKIX_DECREF(certSelector);
604 PKIX_DECREF(certSelParams); 602 PKIX_DECREF(certSelParams);
605 PKIX_DECREF(certStore); 603 PKIX_DECREF(certStore);
606 PKIX_DECREF(certStores); 604 PKIX_DECREF(certStores);
607 PKIX_DECREF(procParams); 605 PKIX_DECREF(procParams);
608 PKIX_DECREF(revChecker); 606 PKIX_DECREF(revChecker);
609 607
610 PKIX_RETURN(CERTVFYPKIX); 608 PKIX_RETURN(CERTVFYPKIX);
611 } 609 }
612 610
613 /* 611 /*
614 * FUNCTION: cert_PkixToNssCertsChain 612 * FUNCTION: cert_PkixToNssCertsChain
615 * DESCRIPTION: 613 * DESCRIPTION:
616 * 614 *
617 * Converts pkix cert list into nss cert list. 615 * Converts pkix cert list into nss cert list.
618 * 616 *
619 * PARAMETERS: 617 * PARAMETERS:
620 * "pkixCertChain" 618 * "pkixCertChain"
621 * Pkix certificate list. 619 * Pkix certificate list.
622 * "pvalidChain" 620 * "pvalidChain"
623 * An address of returned nss certificate list. 621 * An address of returned nss certificate list.
624 * "plContext" 622 * "plContext"
625 * Platform-specific context pointer. 623 * Platform-specific context pointer.
626 * THREAD SAFETY: 624 * THREAD SAFETY:
627 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) 625 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
628 * RETURNS: 626 * RETURNS:
629 * Returns NULL if the function succeeds. 627 * Returns NULL if the function succeeds.
630 * Returns a Cert Verify Error if the function fails in an unrecoverable way. 628 * Returns a Cert Verify Error if the function fails in an unrecoverable way.
631 * Returns a Fatal Error if the function fails in an unrecoverable way. 629 * Returns a Fatal Error if the function fails in an unrecoverable way.
632 */ 630 */
633 static PKIX_Error* 631 static PKIX_Error *
634 cert_PkixToNssCertsChain( 632 cert_PkixToNssCertsChain(
635 PKIX_List *pkixCertChain, 633 PKIX_List *pkixCertChain,
636 CERTCertList **pvalidChain, 634 CERTCertList **pvalidChain,
637 void *plContext) 635 void *plContext)
638 { 636 {
639 PLArenaPool *arena = NULL; 637 PLArenaPool *arena = NULL;
640 CERTCertificate *nssCert = NULL; 638 CERTCertificate *nssCert = NULL;
641 CERTCertList *validChain = NULL; 639 CERTCertList *validChain = NULL;
642 PKIX_PL_Object *certItem = NULL; 640 PKIX_PL_Object *certItem = NULL;
643 PKIX_UInt32 length = 0; 641 PKIX_UInt32 length = 0;
644 PKIX_UInt32 i = 0; 642 PKIX_UInt32 i = 0;
645 643
646 PKIX_ENTER(CERTVFYPKIX, "cert_PkixToNssCertsChain"); 644 PKIX_ENTER(CERTVFYPKIX, "cert_PkixToNssCertsChain");
647 PKIX_NULLCHECK_ONE(pvalidChain); 645 PKIX_NULLCHECK_ONE(pvalidChain);
648 646
649 if (pkixCertChain == NULL) { 647 if (pkixCertChain == NULL) {
650 goto cleanup; 648 goto cleanup;
651 } 649 }
652 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 650 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
653 if (arena == NULL) { 651 if (arena == NULL) {
654 PKIX_ERROR(PKIX_OUTOFMEMORY); 652 PKIX_ERROR(PKIX_OUTOFMEMORY);
655 } 653 }
656 validChain = (CERTCertList*)PORT_ArenaZAlloc(arena, sizeof(CERTCertList)); 654 validChain = (CERTCertList *)PORT_ArenaZAlloc(arena, sizeof(CERTCertList));
657 if (validChain == NULL) { 655 if (validChain == NULL) {
658 PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); 656 PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
659 } 657 }
660 PR_INIT_CLIST(&validChain->list); 658 PR_INIT_CLIST(&validChain->list);
661 validChain->arena = arena; 659 validChain->arena = arena;
662 arena = NULL; 660 arena = NULL;
663 661
664 PKIX_CHECK( 662 PKIX_CHECK(
665 PKIX_List_GetLength(pkixCertChain, &length, plContext), 663 PKIX_List_GetLength(pkixCertChain, &length, plContext),
666 PKIX_LISTGETLENGTHFAILED); 664 PKIX_LISTGETLENGTHFAILED);
667 665
668 for (i = 0; i < length; i++){ 666 for (i = 0; i < length; i++) {
669 CERTCertListNode *node = NULL; 667 CERTCertListNode *node = NULL;
670 668
671 PKIX_CHECK( 669 PKIX_CHECK(
672 PKIX_List_GetItem(pkixCertChain, i, &certItem, plContext), 670 PKIX_List_GetItem(pkixCertChain, i, &certItem, plContext),
673 PKIX_LISTGETITEMFAILED); 671 PKIX_LISTGETITEMFAILED);
674 672
675 PKIX_CHECK( 673 PKIX_CHECK(
676 PKIX_PL_Cert_GetCERTCertificate((PKIX_PL_Cert*)certItem, &nssCert, 674 PKIX_PL_Cert_GetCERTCertificate((PKIX_PL_Cert *)certItem, &nssCert,
677 plContext), 675 plContext),
678 PKIX_CERTGETCERTCERTIFICATEFAILED); 676 PKIX_CERTGETCERTCERTIFICATEFAILED);
679 677
680 node = 678 node =
681 (CERTCertListNode *)PORT_ArenaZAlloc(validChain->arena, 679 (CERTCertListNode *)PORT_ArenaZAlloc(validChain->arena,
682 sizeof(CERTCertListNode)); 680 sizeof(CERTCertListNode));
683 if ( node == NULL ) { 681 if (node == NULL) {
684 PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); 682 PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
685 } 683 }
686 684
687 PR_INSERT_BEFORE(&node->links, &validChain->list); 685 PR_INSERT_BEFORE(&node->links, &validChain->list);
688 686
689 node->cert = nssCert; 687 node->cert = nssCert;
690 nssCert = NULL; 688 nssCert = NULL;
691 689
692 PKIX_DECREF(certItem); 690 PKIX_DECREF(certItem);
693 } 691 }
694 692
695 *pvalidChain = validChain; 693 *pvalidChain = validChain;
696 694
697 cleanup: 695 cleanup:
698 if (PKIX_ERROR_RECEIVED){ 696 if (PKIX_ERROR_RECEIVED) {
699 if (validChain) { 697 if (validChain) {
700 CERT_DestroyCertList(validChain); 698 CERT_DestroyCertList(validChain);
701 } else if (arena) { 699 } else if (arena) {
702 PORT_FreeArena(arena, PR_FALSE); 700 PORT_FreeArena(arena, PR_FALSE);
703 } 701 }
704 if (nssCert) { 702 if (nssCert) {
705 CERT_DestroyCertificate(nssCert); 703 CERT_DestroyCertificate(nssCert);
706 } 704 }
707 } 705 }
708 PKIX_DECREF(certItem); 706 PKIX_DECREF(certItem);
709 707
710 PKIX_RETURN(CERTVFYPKIX); 708 PKIX_RETURN(CERTVFYPKIX);
711 } 709 }
712 710
713
714 /* 711 /*
715 * FUNCTION: cert_BuildAndValidateChain 712 * FUNCTION: cert_BuildAndValidateChain
716 * DESCRIPTION: 713 * DESCRIPTION:
717 * 714 *
718 * The function builds and validates a cert chain based on certificate 715 * The function builds and validates a cert chain based on certificate
719 * selection criterias from procParams. This function call PKIX_BuildChain 716 * selection criterias from procParams. This function call PKIX_BuildChain
720 * to accomplish chain building. If PKIX_BuildChain returns with incomplete 717 * to accomplish chain building. If PKIX_BuildChain returns with incomplete
721 * IO, the function waits with PR_Poll until the blocking IO is finished and 718 * IO, the function waits with PR_Poll until the blocking IO is finished and
722 * return control back to PKIX_BuildChain. 719 * return control back to PKIX_BuildChain.
723 * 720 *
724 * PARAMETERS: 721 * PARAMETERS:
725 * "procParams" 722 * "procParams"
726 * Processing parameters to be used during chain building. 723 * Processing parameters to be used during chain building.
727 * "pResult" 724 * "pResult"
728 * Returned build result. 725 * Returned build result.
729 * "pVerifyNode" 726 * "pVerifyNode"
730 * Returned pointed to verify node structure: the tree-like structure 727 * Returned pointed to verify node structure: the tree-like structure
731 * that reports points of chain building failures. 728 * that reports points of chain building failures.
732 * "plContext" 729 * "plContext"
733 * Platform-specific context pointer. 730 * Platform-specific context pointer.
734 * THREAD SAFETY: 731 * THREAD SAFETY:
735 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) 732 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
736 * RETURNS: 733 * RETURNS:
737 * Returns NULL if the function succeeds. 734 * Returns NULL if the function succeeds.
738 * Returns a Cert Verify Error if the function fails in an unrecoverable way. 735 * Returns a Cert Verify Error if the function fails in an unrecoverable way.
739 * Returns a Fatal Error if the function fails in an unrecoverable way. 736 * Returns a Fatal Error if the function fails in an unrecoverable way.
740 */ 737 */
741 static PKIX_Error* 738 static PKIX_Error *
742 cert_BuildAndValidateChain( 739 cert_BuildAndValidateChain(
743 PKIX_ProcessingParams *procParams, 740 PKIX_ProcessingParams *procParams,
744 PKIX_BuildResult **pResult, 741 PKIX_BuildResult **pResult,
745 PKIX_VerifyNode **pVerifyNode, 742 PKIX_VerifyNode **pVerifyNode,
746 void *plContext) 743 void *plContext)
747 { 744 {
748 PKIX_BuildResult *result = NULL; 745 PKIX_BuildResult *result = NULL;
749 PKIX_VerifyNode *verifyNode = NULL; 746 PKIX_VerifyNode *verifyNode = NULL;
750 void *nbioContext = NULL; 747 void *nbioContext = NULL;
751 void *state = NULL; 748 void *state = NULL;
752 749
753 PKIX_ENTER(CERTVFYPKIX, "cert_BuildAndVerifyChain"); 750 PKIX_ENTER(CERTVFYPKIX, "cert_BuildAndVerifyChain");
754 PKIX_NULLCHECK_TWO(procParams, pResult); 751 PKIX_NULLCHECK_TWO(procParams, pResult);
755 752
756 do { 753 do {
757 if (nbioContext && state) { 754 if (nbioContext && state) {
758 /* PKIX-XXX: need to test functionality of NBIO handling in libPkix. 755 /* PKIX-XXX: need to test functionality of NBIO handling in libPkix.
759 * See bug 391180 */ 756 * See bug 391180 */
760 PRInt32 filesReady = 0; 757 PRInt32 filesReady = 0;
761 PRPollDesc *pollDesc = (PRPollDesc*)nbioContext; 758 PRPollDesc *pollDesc = (PRPollDesc *)nbioContext;
762 filesReady = PR_Poll(pollDesc, 1, PR_INTERVAL_NO_TIMEOUT); 759 filesReady = PR_Poll(pollDesc, 1, PR_INTERVAL_NO_TIMEOUT);
763 if (filesReady <= 0) { 760 if (filesReady <= 0) {
764 PKIX_ERROR(PKIX_PRPOLLRETBADFILENUM); 761 PKIX_ERROR(PKIX_PRPOLLRETBADFILENUM);
765 } 762 }
766 } 763 }
767 764
768 PKIX_CHECK( 765 PKIX_CHECK(
769 PKIX_BuildChain(procParams, &nbioContext, &state, 766 PKIX_BuildChain(procParams, &nbioContext, &state,
770 &result, &verifyNode, plContext), 767 &result, &verifyNode, plContext),
771 PKIX_UNABLETOBUILDCHAIN); 768 PKIX_UNABLETOBUILDCHAIN);
772 769
773 } while (nbioContext && state); 770 } while (nbioContext && state);
774 771
775 *pResult = result; 772 *pResult = result;
776 773
777 cleanup: 774 cleanup:
778 if (pVerifyNode) { 775 if (pVerifyNode) {
779 *pVerifyNode = verifyNode; 776 *pVerifyNode = verifyNode;
780 } 777 }
781 778
782 PKIX_RETURN(CERTVFYPKIX); 779 PKIX_RETURN(CERTVFYPKIX);
783 } 780 }
784 781
785
786 /* 782 /*
787 * FUNCTION: cert_PkixErrorToNssCode 783 * FUNCTION: cert_PkixErrorToNssCode
788 * DESCRIPTION: 784 * DESCRIPTION:
789 * 785 *
790 * Converts pkix error(PKIX_Error) structure to PR error codes. 786 * Converts pkix error(PKIX_Error) structure to PR error codes.
791 * 787 *
792 * PKIX-XXX to be implemented. See 391183. 788 * PKIX-XXX to be implemented. See 391183.
793 * 789 *
794 * PARAMETERS: 790 * PARAMETERS:
795 * "error" 791 * "error"
(...skipping 14 matching lines...) Expand all
810 PKIX_Error *error, 806 PKIX_Error *error,
811 SECErrorCodes *pNssErr, 807 SECErrorCodes *pNssErr,
812 void *plContext) 808 void *plContext)
813 { 809 {
814 int errLevel = 0; 810 int errLevel = 0;
815 PKIX_Int32 nssErr = 0; 811 PKIX_Int32 nssErr = 0;
816 PKIX_Error *errPtr = error; 812 PKIX_Error *errPtr = error;
817 813
818 PKIX_ENTER(CERTVFYPKIX, "cert_PkixErrorToNssCode"); 814 PKIX_ENTER(CERTVFYPKIX, "cert_PkixErrorToNssCode");
819 PKIX_NULLCHECK_TWO(error, pNssErr); 815 PKIX_NULLCHECK_TWO(error, pNssErr);
820 816
821 /* Loop until we find at least one error with non-null 817 /* Loop until we find at least one error with non-null
822 * plErr code, that is going to be nss error code. */ 818 * plErr code, that is going to be nss error code. */
823 while (errPtr) { 819 while (errPtr) {
824 if (errPtr->plErr && !nssErr) { 820 if (errPtr->plErr && !nssErr) {
825 nssErr = errPtr->plErr; 821 nssErr = errPtr->plErr;
826 if (!pkixLog) break; 822 if (!pkixLog)
823 break;
827 } 824 }
828 if (pkixLog) { 825 if (pkixLog) {
829 #ifdef PKIX_ERROR_DESCRIPTION 826 #ifdef PKIX_ERROR_DESCRIPTION
830 PR_LOG(pkixLog, 2, ("Error at level %d: %s\n", errLevel, 827 PR_LOG(pkixLog, 2, ("Error at level %d: %s\n", errLevel,
831 PKIX_ErrorText[errPtr->errCode])); 828 PKIX_ErrorText[errPtr->errCode]));
832 #else 829 #else
833 PR_LOG(pkixLog, 2, ("Error at level %d: Error code %d\n", errLevel, 830 PR_LOG(pkixLog, 2, ("Error at level %d: Error code %d\n", errLevel,
834 errPtr->errCode)); 831 errPtr->errCode));
835 #endif /* PKIX_ERROR_DESCRIPTION */ 832 #endif /* PKIX_ERROR_DESCRIPTION */
836 } 833 }
837 errPtr = errPtr->cause; 834 errPtr = errPtr->cause;
838 errLevel += 1; 835 errLevel += 1;
839 } 836 }
840 PORT_Assert(nssErr); 837 PORT_Assert(nssErr);
841 if (!nssErr) { 838 if (!nssErr) {
842 *pNssErr = SEC_ERROR_LIBPKIX_INTERNAL; 839 *pNssErr = SEC_ERROR_LIBPKIX_INTERNAL;
843 } else { 840 } else {
844 *pNssErr = nssErr; 841 *pNssErr = nssErr;
845 } 842 }
846 843
847 PKIX_RETURN(CERTVFYPKIX); 844 PKIX_RETURN(CERTVFYPKIX);
848 } 845 }
849 846
850 /* 847 /*
851 * FUNCTION: cert_GetLogFromVerifyNode 848 * FUNCTION: cert_GetLogFromVerifyNode
852 * DESCRIPTION: 849 * DESCRIPTION:
853 * 850 *
854 * Recursive function that converts verify node tree-like set of structures 851 * Recursive function that converts verify node tree-like set of structures
855 * to CERTVerifyLog. 852 * to CERTVerifyLog.
856 * 853 *
857 * PARAMETERS: 854 * PARAMETERS:
858 * "log" 855 * "log"
859 * Pointed to already allocated CERTVerifyLog structure. 856 * Pointed to already allocated CERTVerifyLog structure.
860 * "node" 857 * "node"
861 * A node of PKIX_VerifyNode tree. 858 * A node of PKIX_VerifyNode tree.
862 * "plContext" 859 * "plContext"
863 * Platform-specific context pointer. 860 * Platform-specific context pointer.
864 * THREAD SAFETY: 861 * THREAD SAFETY:
865 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) 862 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
866 * RETURNS: 863 * RETURNS:
867 * Returns NULL if the function succeeds. 864 * Returns NULL if the function succeeds.
868 * Returns a Cert Verify Error if the function fails in an unrecoverable way. 865 * Returns a Cert Verify Error if the function fails in an unrecoverable way.
869 * Returns a Fatal Error if the function fails in an unrecoverable way. 866 * Returns a Fatal Error if the function fails in an unrecoverable way.
870 */ 867 */
871 static PKIX_Error * 868 static PKIX_Error *
872 cert_GetLogFromVerifyNode( 869 cert_GetLogFromVerifyNode(
873 CERTVerifyLog *log, 870 CERTVerifyLog *log,
874 PKIX_VerifyNode *node, 871 PKIX_VerifyNode *node,
875 void *plContext) 872 void *plContext)
876 { 873 {
877 PKIX_List *children = NULL; 874 PKIX_List *children = NULL;
878 PKIX_VerifyNode *childNode = NULL; 875 PKIX_VerifyNode *childNode = NULL;
879 876
880 PKIX_ENTER(CERTVFYPKIX, "cert_GetLogFromVerifyNode"); 877 PKIX_ENTER(CERTVFYPKIX, "cert_GetLogFromVerifyNode");
881 878
882 children = node->children; 879 children = node->children;
883 880
884 if (children == NULL) { 881 if (children == NULL) {
885 PKIX_ERRORCODE errCode = PKIX_ANCHORDIDNOTCHAINTOCERT; 882 PKIX_ERRORCODE errCode = PKIX_ANCHORDIDNOTCHAINTOCERT;
886 if (node->error && node->error->errCode != errCode) { 883 if (node->error && node->error->errCode != errCode) {
887 if (log != NULL) { 884 if (log != NULL) {
888 SECErrorCodes nssErrorCode = 0; 885 SECErrorCodes nssErrorCode = 0;
889 CERTCertificate *cert = NULL; 886 CERTCertificate *cert = NULL;
890 887
891 cert = node->verifyCert->nssCert; 888 cert = node->verifyCert->nssCert;
892 889
893 PKIX_CHECK( 890 PKIX_CHECK(
894 cert_PkixErrorToNssCode(node->error, &nssErrorCode, 891 cert_PkixErrorToNssCode(node->error, &nssErrorCode,
895 plContext), 892 plContext),
896 PKIX_GETPKIXERRORCODEFAILED); 893 PKIX_GETPKIXERRORCODEFAILED);
897 894
898 cert_AddToVerifyLog(log, cert, nssErrorCode, node->depth, NULL); 895 cert_AddToVerifyLog(log, cert, nssErrorCode, node->depth, NULL);
899 } 896 }
900 } 897 }
901 PKIX_RETURN(CERTVFYPKIX); 898 PKIX_RETURN(CERTVFYPKIX);
902 } else { 899 } else {
903 PRUint32 i = 0; 900 PRUint32 i = 0;
904 PKIX_UInt32 length = 0; 901 PKIX_UInt32 length = 0;
905 902
906 PKIX_CHECK( 903 PKIX_CHECK(
907 PKIX_List_GetLength(children, &length, plContext), 904 PKIX_List_GetLength(children, &length, plContext),
908 PKIX_LISTGETLENGTHFAILED); 905 PKIX_LISTGETLENGTHFAILED);
909 906
910 for (i = 0; i < length; i++){ 907 for (i = 0; i < length; i++) {
911 908
912 PKIX_CHECK( 909 PKIX_CHECK(
913 PKIX_List_GetItem(children, i, (PKIX_PL_Object**)&childNode, 910 PKIX_List_GetItem(children, i, (PKIX_PL_Object **)&childNode,
914 plContext), 911 plContext),
915 PKIX_LISTGETITEMFAILED); 912 PKIX_LISTGETITEMFAILED);
916 913
917 PKIX_CHECK( 914 PKIX_CHECK(
918 cert_GetLogFromVerifyNode(log, childNode, plContext), 915 cert_GetLogFromVerifyNode(log, childNode, plContext),
919 PKIX_ERRORINRECURSIVEEQUALSCALL); 916 PKIX_ERRORINRECURSIVEEQUALSCALL);
920 917
921 PKIX_DECREF(childNode); 918 PKIX_DECREF(childNode);
922 } 919 }
923 } 920 }
924 921
925 cleanup: 922 cleanup:
926 PKIX_DECREF(childNode); 923 PKIX_DECREF(childNode);
927 924
928 PKIX_RETURN(CERTVFYPKIX); 925 PKIX_RETURN(CERTVFYPKIX);
929 } 926 }
930 927
931 /* 928 /*
932 * FUNCTION: cert_GetBuildResults 929 * FUNCTION: cert_GetBuildResults
933 * DESCRIPTION: 930 * DESCRIPTION:
934 * 931 *
935 * Converts pkix build results to nss results. This function is called 932 * Converts pkix build results to nss results. This function is called
936 * regardless of build result. 933 * regardless of build result.
937 * 934 *
938 * If it called after chain was successfully constructed, then it will 935 * If it called after chain was successfully constructed, then it will
939 * convert: 936 * convert:
940 * * pkix cert list that represent the chain to nss cert list 937 * * pkix cert list that represent the chain to nss cert list
941 * * trusted root the chain was anchored to nss certificate. 938 * * trusted root the chain was anchored to nss certificate.
942 * 939 *
943 * In case of failure it will convert: 940 * In case of failure it will convert:
944 * * pkix error to PR error code(will set it with PORT_SetError) 941 * * pkix error to PR error code(will set it with PORT_SetError)
945 * * pkix validation log to nss CERTVerifyLog 942 * * pkix validation log to nss CERTVerifyLog
946 * 943 *
947 * PARAMETERS: 944 * PARAMETERS:
948 * "buildResult" 945 * "buildResult"
949 * Build results returned by PKIX_BuildChain. 946 * Build results returned by PKIX_BuildChain.
950 * "verifyNode" 947 * "verifyNode"
951 * Tree-like structure of chain building/validation failures 948 * Tree-like structure of chain building/validation failures
952 * returned by PKIX_BuildChain. Ignored in case of success. 949 * returned by PKIX_BuildChain. Ignored in case of success.
953 * "error" 950 * "error"
954 * Final error returned by PKIX_BuildChain. Should be NULL in 951 * Final error returned by PKIX_BuildChain. Should be NULL in
955 * case of success. 952 * case of success.
956 * "log" 953 * "log"
957 * Address of pre-allocated(if not NULL) CERTVerifyLog structure. 954 * Address of pre-allocated(if not NULL) CERTVerifyLog structure.
958 * "ptrustedRoot" 955 * "ptrustedRoot"
959 * Address of returned trusted root the chain was anchored to. 956 * Address of returned trusted root the chain was anchored to.
960 * "pvalidChain" 957 * "pvalidChain"
961 * Address of returned valid chain. 958 * Address of returned valid chain.
962 * "plContext" 959 * "plContext"
963 * Platform-specific context pointer. 960 * Platform-specific context pointer.
964 * THREAD SAFETY: 961 * THREAD SAFETY:
965 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) 962 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
966 * RETURNS: 963 * RETURNS:
967 * Returns NULL if the function succeeds. 964 * Returns NULL if the function succeeds.
968 * Returns a Cert Verify Error if the function fails in an unrecoverable way. 965 * Returns a Cert Verify Error if the function fails in an unrecoverable way.
969 * Returns a Fatal Error if the function fails in an unrecoverable way. 966 * Returns a Fatal Error if the function fails in an unrecoverable way.
970 */ 967 */
971 static PKIX_Error* 968 static PKIX_Error *
972 cert_GetBuildResults( 969 cert_GetBuildResults(
973 PKIX_BuildResult *buildResult, 970 PKIX_BuildResult *buildResult,
974 PKIX_VerifyNode *verifyNode, 971 PKIX_VerifyNode *verifyNode,
975 PKIX_Error *error, 972 PKIX_Error *error,
976 CERTVerifyLog *log, 973 CERTVerifyLog *log,
977 CERTCertificate **ptrustedRoot, 974 CERTCertificate **ptrustedRoot,
978 CERTCertList **pvalidChain, 975 CERTCertList **pvalidChain,
979 void *plContext) 976 void *plContext)
980 { 977 {
981 PKIX_ValidateResult *validResult = NULL; 978 PKIX_ValidateResult *validResult = NULL;
982 CERTCertList *validChain = NULL; 979 CERTCertList *validChain = NULL;
983 CERTCertificate *trustedRoot = NULL; 980 CERTCertificate *trustedRoot = NULL;
984 PKIX_TrustAnchor *trustAnchor = NULL; 981 PKIX_TrustAnchor *trustAnchor = NULL;
985 PKIX_PL_Cert *trustedCert = NULL; 982 PKIX_PL_Cert *trustedCert = NULL;
986 PKIX_List *pkixCertChain = NULL; 983 PKIX_List *pkixCertChain = NULL;
987 984
988 PKIX_ENTER(CERTVFYPKIX, "cert_GetBuildResults"); 985 PKIX_ENTER(CERTVFYPKIX, "cert_GetBuildResults");
989 if (buildResult == NULL && error == NULL) { 986 if (buildResult == NULL && error == NULL) {
990 PKIX_ERROR(PKIX_NULLARGUMENT); 987 PKIX_ERROR(PKIX_NULLARGUMENT);
991 } 988 }
992 989
993 if (error) { 990 if (error) {
994 SECErrorCodes nssErrorCode = 0; 991 SECErrorCodes nssErrorCode = 0;
995 if (verifyNode) { 992 if (verifyNode) {
996 PKIX_Error *tmpError = 993 PKIX_Error *tmpError =
997 cert_GetLogFromVerifyNode(log, verifyNode, plContext); 994 cert_GetLogFromVerifyNode(log, verifyNode, plContext);
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after
1029 PKIX_CHECK( 1026 PKIX_CHECK(
1030 PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustedCert, 1027 PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustedCert,
1031 plContext), 1028 plContext),
1032 PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); 1029 PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
1033 1030
1034 PKIX_CHECK( 1031 PKIX_CHECK(
1035 PKIX_PL_Cert_GetCERTCertificate(trustedCert, &trustedRoot, 1032 PKIX_PL_Cert_GetCERTCertificate(trustedCert, &trustedRoot,
1036 plContext), 1033 plContext),
1037 PKIX_CERTGETCERTCERTIFICATEFAILED); 1034 PKIX_CERTGETCERTCERTIFICATEFAILED);
1038 } 1035 }
1039 1036
1040 PORT_Assert(!PKIX_ERROR_RECEIVED); 1037 PORT_Assert(!PKIX_ERROR_RECEIVED);
1041 1038
1042 if (trustedRoot) { 1039 if (trustedRoot) {
1043 *ptrustedRoot = trustedRoot; 1040 *ptrustedRoot = trustedRoot;
1044 } 1041 }
1045 if (validChain) { 1042 if (validChain) {
1046 *pvalidChain = validChain; 1043 *pvalidChain = validChain;
1047 } 1044 }
1048 1045
1049 cleanup: 1046 cleanup:
1050 if (PKIX_ERROR_RECEIVED) { 1047 if (PKIX_ERROR_RECEIVED) {
1051 if (trustedRoot) { 1048 if (trustedRoot) {
1052 CERT_DestroyCertificate(trustedRoot); 1049 CERT_DestroyCertificate(trustedRoot);
1053 } 1050 }
1054 if (validChain) { 1051 if (validChain) {
1055 CERT_DestroyCertList(validChain); 1052 CERT_DestroyCertList(validChain);
1056 } 1053 }
1057 } 1054 }
1058 PKIX_DECREF(trustAnchor); 1055 PKIX_DECREF(trustAnchor);
1059 PKIX_DECREF(trustedCert); 1056 PKIX_DECREF(trustedCert);
1060 PKIX_DECREF(pkixCertChain); 1057 PKIX_DECREF(pkixCertChain);
1061 PKIX_DECREF(validResult); 1058 PKIX_DECREF(validResult);
1062 PKIX_DECREF(error); 1059 PKIX_DECREF(error);
1063 PKIX_DECREF(verifyNode); 1060 PKIX_DECREF(verifyNode);
1064 PKIX_DECREF(buildResult); 1061 PKIX_DECREF(buildResult);
1065 1062
1066 PKIX_RETURN(CERTVFYPKIX); 1063 PKIX_RETURN(CERTVFYPKIX);
1067 } 1064 }
1068 1065
1069 /* 1066 /*
1070 * FUNCTION: cert_VerifyCertChainPkix 1067 * FUNCTION: cert_VerifyCertChainPkix
1071 * DESCRIPTION: 1068 * DESCRIPTION:
1072 * 1069 *
1073 * The main wrapper function that is called from CERT_VerifyCert and 1070 * The main wrapper function that is called from CERT_VerifyCert and
1074 * CERT_VerifyCACertForUsage functions to validate cert with libpkix. 1071 * CERT_VerifyCACertForUsage functions to validate cert with libpkix.
1075 * 1072 *
(...skipping 20 matching lines...) Expand all
1096 * was invalidated because a revoked certificate was found in 1093 * was invalidated because a revoked certificate was found in
1097 * the chain. 1094 * the chain.
1098 * THREAD SAFETY: 1095 * THREAD SAFETY:
1099 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) 1096 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1100 * RETURNS: 1097 * RETURNS:
1101 * SECFailure is chain building process has failed. SECSuccess otherwise. 1098 * SECFailure is chain building process has failed. SECSuccess otherwise.
1102 */ 1099 */
1103 SECStatus 1100 SECStatus
1104 cert_VerifyCertChainPkix( 1101 cert_VerifyCertChainPkix(
1105 CERTCertificate *cert, 1102 CERTCertificate *cert,
1106 PRBool checkSig, 1103 PRBool checkSig,
1107 SECCertUsage requiredUsage, 1104 SECCertUsage requiredUsage,
1108 PRTime time, 1105 PRTime time,
1109 void *wincx, 1106 void *wincx,
1110 CERTVerifyLog *log, 1107 CERTVerifyLog *log,
1111 PRBool *pSigerror, 1108 PRBool *pSigerror,
1112 PRBool *pRevoked) 1109 PRBool *pRevoked)
1113 { 1110 {
1114 PKIX_ProcessingParams *procParams = NULL; 1111 PKIX_ProcessingParams *procParams = NULL;
1115 PKIX_BuildResult *result = NULL; 1112 PKIX_BuildResult *result = NULL;
1116 PKIX_VerifyNode *verifyNode = NULL; 1113 PKIX_VerifyNode *verifyNode = NULL;
1117 PKIX_Error *error = NULL; 1114 PKIX_Error *error = NULL;
1118 1115
1119 SECStatus rv = SECFailure; 1116 SECStatus rv = SECFailure;
1120 void *plContext = NULL; 1117 void *plContext = NULL;
1121 1118
1122 #ifdef PKIX_OBJECT_LEAK_TEST 1119 #ifdef PKIX_OBJECT_LEAK_TEST
1123 int leakedObjNum = 0; 1120 int leakedObjNum = 0;
1124 int memLeakLoopCount = 0; 1121 int memLeakLoopCount = 0;
1125 int objCountTable[PKIX_NUMTYPES]; 1122 int objCountTable[PKIX_NUMTYPES];
1126 int fnInvLocalCount = 0; 1123 int fnInvLocalCount = 0;
1127 PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine; 1124 PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine;
1128 1125
1129 if (usePKIXValidationEngine) { 1126 if (usePKIXValidationEngine) {
1130 /* current memory leak testing implementation does not allow 1127 /* current memory leak testing implementation does not allow
1131 * to run simultaneous tests one the same or a different threads. 1128 * to run simultaneous tests one the same or a different threads.
1132 * Setting the variable to false, to make additional chain 1129 * Setting the variable to false, to make additional chain
1133 * validations be handled by old nss. */ 1130 * validations be handled by old nss. */
1134 usePKIXValidationEngine = PR_FALSE; 1131 usePKIXValidationEngine = PR_FALSE;
1135 } 1132 }
1136 testStartFnStackPosition = 2; 1133 testStartFnStackPosition = 2;
1137 fnStackNameArr[0] = "cert_VerifyCertChainPkix"; 1134 fnStackNameArr[0] = "cert_VerifyCertChainPkix";
1138 fnStackInvCountArr[0] = 0; 1135 fnStackInvCountArr[0] = 0;
1139 PKIX_Boolean abortOnLeak = 1136 PKIX_Boolean abortOnLeak =
1140 (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? 1137 (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? PKIX_ FALSE
1141 PKIX_FALSE : PKIX_TRUE; 1138 : PKIX_ TRUE;
1142 runningLeakTest = PKIX_TRUE; 1139 runningLeakTest = PKIX_TRUE;
1143 1140
1144 /* Prevent multi-threaded run of object leak test */ 1141 /* Prevent multi-threaded run of object leak test */
1145 fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount); 1142 fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
1146 PORT_Assert(fnInvLocalCount == 1); 1143 PORT_Assert(fnInvLocalCount == 1);
1147 1144
1148 do { 1145 do {
1149 rv = SECFailure; 1146 rv = SECFailure;
1150 plContext = NULL; 1147 plContext = NULL;
1151 procParams = NULL; 1148 procParams = NULL;
1152 result = NULL; 1149 result = NULL;
1153 verifyNode = NULL; 1150 verifyNode = NULL;
1154 error = NULL; 1151 error = NULL;
1155 errorGenerated = PKIX_FALSE; 1152 errorGenerated = PKIX_FALSE;
1156 stackPosition = 0; 1153 stackPosition = 0;
1157 1154
1158 if (leakedObjNum) { 1155 if (leakedObjNum) {
1159 pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); 1156 pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
1160 } 1157 }
1161 memLeakLoopCount += 1; 1158 memLeakLoopCount += 1;
1162 #endif /* PKIX_OBJECT_LEAK_TEST */ 1159 #endif /* PKIX_OBJECT_LEAK_TEST */
1163 1160
1164 error = 1161 error =
1165 cert_CreatePkixProcessingParams(cert, checkSig, time, wincx, 1162 cert_CreatePkixProcessingParams(cert, checkSig, time, wincx,
1166 PR_FALSE/*use arena*/, 1163 PR_FALSE /*use arena*/,
1167 requiredUsage == certUsageStatusResponder, 1164 requiredUsage == certUsageStatusResp onder,
1168 &procParams, &plContext); 1165 &procParams, &plContext);
1169 if (error) { 1166 if (error) {
1170 goto cleanup; 1167 goto cleanup;
1171 } 1168 }
1172 1169
1173 error = 1170 error =
1174 cert_ProcessingParamsSetKeyAndCertUsage(procParams, requiredUsage, 0, 1171 cert_ProcessingParamsSetKeyAndCertUsage(procParams, requiredUsage, 0 ,
1175 plContext); 1172 plContext);
1176 if (error) { 1173 if (error) {
1177 goto cleanup; 1174 goto cleanup;
1178 } 1175 }
1179 1176
1180 error = 1177 error =
1181 cert_BuildAndValidateChain(procParams, &result, &verifyNode, plContext); 1178 cert_BuildAndValidateChain(procParams, &result, &verifyNode, plConte xt);
1182 if (error) { 1179 if (error) {
1183 goto cleanup; 1180 goto cleanup;
1184 } 1181 }
1185
1186 if (pRevoked) {
1187 /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
1188 *pRevoked = PR_FALSE;
1189 }
1190 if (pSigerror) {
1191 /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
1192 *pSigerror = PR_FALSE;
1193 }
1194 rv = SECSuccess;
1195 1182
1196 cleanup: 1183 if (pRevoked) {
1197 error = cert_GetBuildResults(result, verifyNode, error, log, NULL, NULL, 1184 /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
1198 plContext); 1185 *pRevoked = PR_FALSE;
1199 if (error) { 1186 }
1200 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); 1187 if (pSigerror) {
1201 } 1188 /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
1202 if (procParams) { 1189 *pSigerror = PR_FALSE;
1203 PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext); 1190 }
1204 } 1191 rv = SECSuccess;
1205 if (plContext) { 1192
1206 PKIX_PL_NssContext_Destroy(plContext); 1193 cleanup:
1207 } 1194 error = cert_GetBuildResults(result, verifyNode, error, log, NULL, NULL,
1195 plContext);
1196 if (error) {
1197 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
1198 }
1199 if (procParams) {
1200 PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
1201 }
1202 if (plContext) {
1203 PKIX_PL_NssContext_Destroy(plContext);
1204 }
1208 1205
1209 #ifdef PKIX_OBJECT_LEAK_TEST 1206 #ifdef PKIX_OBJECT_LEAK_TEST
1210 leakedObjNum = 1207 leakedObjNum =
1211 pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL); 1208 pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NUL L);
1212
1213 if (pkixLog && leakedObjNum) {
1214 PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d ."
1215 "Stack %s\n", memLeakLoopCount, errorFnStackString)) ;
1216 }
1217 PR_Free(errorFnStackString);
1218 errorFnStackString = NULL;
1219 if (abortOnLeak) {
1220 PORT_Assert(leakedObjNum == 0);
1221 }
1222 1209
1223 } while (errorGenerated); 1210 if (pkixLog && leakedObjNum) {
1211 PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loo p %d."
1212 "Stack %s\n",
1213 memLeakLoopCount, errorFnStackString));
1214 }
1215 PR_Free(errorFnStackString);
1216 errorFnStackString = NULL;
1217 if (abortOnLeak) {
1218 PORT_Assert(leakedObjNum == 0);
1219 }
1224 1220
1225 runningLeakTest = PKIX_FALSE; 1221 } while (errorGenerated);
1222
1223 runningLeakTest = PKIX_FALSE;
1226 PR_ATOMIC_DECREMENT(&parallelFnInvocationCount); 1224 PR_ATOMIC_DECREMENT(&parallelFnInvocationCount);
1227 usePKIXValidationEngine = savedUsePkixEngFlag; 1225 usePKIXValidationEngine = savedUsePkixEngFlag;
1228 #endif /* PKIX_OBJECT_LEAK_TEST */ 1226 #endif /* PKIX_OBJECT_LEAK_TEST */
1229 1227
1230 return rv; 1228 return rv;
1231 } 1229 }
1232 1230
1233 PKIX_CertSelector * 1231 PKIX_CertSelector *
1234 cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext) 1232 cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext)
1235 { 1233 {
1236 PKIX_ComCertSelParams *certSelParams = NULL; 1234 PKIX_ComCertSelParams *certSelParams = NULL;
1237 PKIX_CertSelector *certSelector = NULL; 1235 PKIX_CertSelector *certSelector = NULL;
1238 PKIX_CertSelector *r= NULL; 1236 PKIX_CertSelector *r = NULL;
1239 PKIX_PL_Cert *eeCert = NULL; 1237 PKIX_PL_Cert *eeCert = NULL;
1240 PKIX_Error *error = NULL; 1238 PKIX_Error *error = NULL;
1241 1239
1242 error = PKIX_PL_Cert_CreateFromCERTCertificate(target, &eeCert, plContext); 1240 error = PKIX_PL_Cert_CreateFromCERTCertificate(target, &eeCert, plContext);
1243 if (error != NULL) goto cleanup; 1241 if (error != NULL)
1242 goto cleanup;
1244 1243
1245 error = PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext); 1244 error = PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext);
1246 if (error != NULL) goto cleanup; 1245 if (error != NULL)
1246 goto cleanup;
1247 1247
1248 error = PKIX_ComCertSelParams_Create(&certSelParams, plContext); 1248 error = PKIX_ComCertSelParams_Create(&certSelParams, plContext);
1249 if (error != NULL) goto cleanup; 1249 if (error != NULL)
1250 goto cleanup;
1250 1251
1251 error = PKIX_ComCertSelParams_SetCertificate( 1252 error = PKIX_ComCertSelParams_SetCertificate(
1252 certSelParams, eeCert, plContext); 1253 certSelParams, eeCert, plContext);
1253 if (error != NULL) goto cleanup; 1254 if (error != NULL)
1255 goto cleanup;
1254 1256
1255 error = PKIX_CertSelector_SetCommonCertSelectorParams 1257 error = PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelP arams, plContext);
1256 (certSelector, certSelParams, plContext); 1258 if (error != NULL)
1257 if (error != NULL) goto cleanup; 1259 goto cleanup;
1258 1260
1259 error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certSelector, plContext); 1261 error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certSelector, plContext);
1260 if (error == NULL) r = certSelector; 1262 if (error == NULL)
1263 r = certSelector;
1261 1264
1262 cleanup: 1265 cleanup:
1263 if (certSelParams != NULL) 1266 if (certSelParams != NULL)
1264 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelParams, plContext); 1267 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelParams, plContext);
1265 1268
1266 if (eeCert != NULL) 1269 if (eeCert != NULL)
1267 PKIX_PL_Object_DecRef((PKIX_PL_Object *)eeCert, plContext); 1270 PKIX_PL_Object_DecRef((PKIX_PL_Object *)eeCert, plContext);
1268 1271
1269 if (certSelector != NULL) 1272 if (certSelector != NULL)
1270 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext); 1273 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
1271 1274
1272 if (error != NULL) { 1275 if (error != NULL) {
1273 » SECErrorCodes nssErr; 1276 SECErrorCodes nssErr;
1274 1277
1275 » cert_PkixErrorToNssCode(error, &nssErr, plContext); 1278 cert_PkixErrorToNssCode(error, &nssErr, plContext);
1276 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); 1279 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
1277 » PORT_SetError(nssErr); 1280 PORT_SetError(nssErr);
1278 } 1281 }
1279 1282
1280 return r; 1283 return r;
1281 } 1284 }
1282 1285
1283 static PKIX_List * 1286 static PKIX_List *
1284 cert_GetCertStores(void *plContext) 1287 cert_GetCertStores(void *plContext)
1285 { 1288 {
1286 PKIX_CertStore *certStore = NULL; 1289 PKIX_CertStore *certStore = NULL;
1287 PKIX_List *certStores = NULL; 1290 PKIX_List *certStores = NULL;
1288 PKIX_List *r = NULL; 1291 PKIX_List *r = NULL;
1289 PKIX_Error *error = NULL; 1292 PKIX_Error *error = NULL;
1290 1293
1291 error = PKIX_PL_Pk11CertStore_Create(&certStore, plContext); 1294 error = PKIX_PL_Pk11CertStore_Create(&certStore, plContext);
1292 if (error != NULL) goto cleanup; 1295 if (error != NULL)
1296 goto cleanup;
1293 1297
1294 error = PKIX_List_Create(&certStores, plContext); 1298 error = PKIX_List_Create(&certStores, plContext);
1295 if (error != NULL) goto cleanup; 1299 if (error != NULL)
1300 goto cleanup;
1296 1301
1297 error = PKIX_List_AppendItem( certStores, 1302 error = PKIX_List_AppendItem(certStores,
1298 (PKIX_PL_Object *)certStore, plContext); 1303 (PKIX_PL_Object *)certStore, plContext);
1299 if (error != NULL) goto cleanup; 1304 if (error != NULL)
1305 goto cleanup;
1300 1306
1301 error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certStores, plContext); 1307 error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certStores, plContext);
1302 if (error == NULL) r = certStores; 1308 if (error == NULL)
1309 r = certStores;
1303 1310
1304 cleanup: 1311 cleanup:
1305 if (certStores != NULL) 1312 if (certStores != NULL)
1306 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext); 1313 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
1307 1314
1308 if (certStore != NULL) 1315 if (certStore != NULL)
1309 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStore, plContext); 1316 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStore, plContext);
1310 1317
1311 if (error != NULL) { 1318 if (error != NULL) {
1312 » SECErrorCodes nssErr; 1319 SECErrorCodes nssErr;
1313 1320
1314 » cert_PkixErrorToNssCode(error, &nssErr, plContext); 1321 cert_PkixErrorToNssCode(error, &nssErr, plContext);
1315 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); 1322 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
1316 » PORT_SetError(nssErr); 1323 PORT_SetError(nssErr);
1317 } 1324 }
1318 1325
1319 return r; 1326 return r;
1320 } 1327 }
1321 1328
1322
1323 struct fake_PKIX_PL_CertStruct { 1329 struct fake_PKIX_PL_CertStruct {
1324 CERTCertificate *nssCert; 1330 CERTCertificate *nssCert;
1325 }; 1331 };
1326 1332
1327 /* This needs to be part of the PKIX_PL_* */ 1333 /* This needs to be part of the PKIX_PL_* */
1328 /* This definitely needs to go away, and be replaced with 1334 /* This definitely needs to go away, and be replaced with
1329 a real accessor function in PKIX */ 1335 a real accessor function in PKIX */
1330 static CERTCertificate * 1336 static CERTCertificate *
1331 cert_NSSCertFromPKIXCert(const PKIX_PL_Cert *pkix_cert) 1337 cert_NSSCertFromPKIXCert(const PKIX_PL_Cert *pkix_cert)
1332 { 1338 {
1333 struct fake_PKIX_PL_CertStruct *fcert = NULL; 1339 struct fake_PKIX_PL_CertStruct *fcert = NULL;
1334 1340
1335 fcert = (struct fake_PKIX_PL_CertStruct*)pkix_cert; 1341 fcert = (struct fake_PKIX_PL_CertStruct *)pkix_cert;
1336 1342
1337 return CERT_DupCertificate(fcert->nssCert); 1343 return CERT_DupCertificate(fcert->nssCert);
1338 } 1344 }
1339 1345
1340 PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plCon text) 1346 PKIX_List *
1347 cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plContext)
1341 { 1348 {
1342 PKIX_List *r = NULL; 1349 PKIX_List *r = NULL;
1343 PKIX_List *policyList = NULL; 1350 PKIX_List *policyList = NULL;
1344 PKIX_PL_OID *policyOID = NULL; 1351 PKIX_PL_OID *policyOID = NULL;
1345 PKIX_Error *error = NULL; 1352 PKIX_Error *error = NULL;
1346 int i; 1353 int i;
1347 1354
1348 error = PKIX_List_Create(&policyList, plContext); 1355 error = PKIX_List_Create(&policyList, plContext);
1349 if (error != NULL) { 1356 if (error != NULL) {
1350 » goto cleanup; 1357 goto cleanup;
1351 } 1358 }
1352 1359
1353 for (i=0; i<oidCount; i++) { 1360 for (i = 0; i < oidCount; i++) {
1354 error = PKIX_PL_OID_Create(oids[i], &policyOID, plContext); 1361 error = PKIX_PL_OID_Create(oids[i], &policyOID, plContext);
1355 if (error) { 1362 if (error) {
1356 goto cleanup; 1363 goto cleanup;
1357 } 1364 }
1358 error = PKIX_List_AppendItem(policyList, 1365 error = PKIX_List_AppendItem(policyList,
1359 (PKIX_PL_Object *)policyOID, plContext); 1366 (PKIX_PL_Object *)policyOID, plContext);
1360 if (error != NULL) { 1367 if (error != NULL) {
1361 goto cleanup; 1368 goto cleanup;
1362 } 1369 }
1363 PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext); 1370 PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext);
1364 policyOID = NULL; 1371 policyOID = NULL;
1365 } 1372 }
1366 1373
1367 error = PKIX_List_SetImmutable(policyList, plContext); 1374 error = PKIX_List_SetImmutable(policyList, plContext);
1368 if (error != NULL) goto cleanup; 1375 if (error != NULL)
1376 goto cleanup;
1369 1377
1370 error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)policyList, plContext); 1378 error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)policyList, plContext);
1371 if (error == NULL) r = policyList; 1379 if (error == NULL)
1380 r = policyList;
1372 1381
1373 cleanup: 1382 cleanup:
1374 if (policyOID != NULL) { 1383 if (policyOID != NULL) {
1375 PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext); 1384 PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext);
1376 } 1385 }
1377 if (policyList != NULL) { 1386 if (policyList != NULL) {
1378 PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyList, plContext); 1387 PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyList, plContext);
1379 } 1388 }
1380 if (error != NULL) { 1389 if (error != NULL) {
1381 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); 1390 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
1382 } 1391 }
1383 1392
1384 return r; 1393 return r;
1385 } 1394 }
1386 1395
1387 CERTValOutParam * 1396 CERTValOutParam *
1388 cert_pkix_FindOutputParam(CERTValOutParam *params, const CERTValParamOutType t) 1397 cert_pkix_FindOutputParam(CERTValOutParam *params, const CERTValParamOutType t)
1389 { 1398 {
1390 CERTValOutParam *i; 1399 CERTValOutParam *i;
1391 if (params == NULL) { 1400 if (params == NULL) {
1392 return NULL; 1401 return NULL;
1393 } 1402 }
1394 for (i = params; i->type != cert_po_end; i++) { 1403 for (i = params; i->type != cert_po_end; i++) {
1395 if (i->type == t) { 1404 if (i->type == t) {
1396 return i; 1405 return i;
1397 } 1406 }
1398 } 1407 }
1399 return NULL; 1408 return NULL;
1400 } 1409 }
1401 1410
1402 1411 static PKIX_Error *
1403 static PKIX_Error*
1404 setRevocationMethod(PKIX_RevocationChecker *revChecker, 1412 setRevocationMethod(PKIX_RevocationChecker *revChecker,
1405 PKIX_ProcessingParams *procParams, 1413 PKIX_ProcessingParams *procParams,
1406 const CERTRevocationTests *revTest, 1414 const CERTRevocationTests *revTest,
1407 CERTRevocationMethodIndex certRevMethod, 1415 CERTRevocationMethodIndex certRevMethod,
1408 PKIX_RevocationMethodType pkixRevMethod, 1416 PKIX_RevocationMethodType pkixRevMethod,
1409 PKIX_Boolean verifyResponderUsages, 1417 PKIX_Boolean verifyResponderUsages,
1410 PKIX_Boolean isLeafTest, 1418 PKIX_Boolean isLeafTest,
1411 void *plContext) 1419 void *plContext)
1412 { 1420 {
1413 PKIX_UInt32 methodFlags = 0; 1421 PKIX_UInt32 methodFlags = 0;
1414 PKIX_Error *error = NULL; 1422 PKIX_Error *error = NULL;
1415 PKIX_UInt32 priority = 0; 1423 PKIX_UInt32 priority = 0;
1416 1424
1417 if (revTest->number_of_defined_methods <= (PRUint32)certRevMethod) { 1425 if (revTest->number_of_defined_methods <= (PRUint32)certRevMethod) {
1418 return NULL; 1426 return NULL;
1419 } 1427 }
1420 if (revTest->preferred_methods) { 1428 if (revTest->preferred_methods) {
1421 unsigned int i = 0; 1429 unsigned int i = 0;
1422 for (;i < revTest->number_of_preferred_methods;i++) { 1430 for (; i < revTest->number_of_preferred_methods; i++) {
1423 if (revTest->preferred_methods[i] == certRevMethod) 1431 if (revTest->preferred_methods[i] == certRevMethod)
1424 break; 1432 break;
1425 } 1433 }
1426 priority = i; 1434 priority = i;
1427 } 1435 }
1428 methodFlags = revTest->cert_rev_flags_per_method[certRevMethod]; 1436 methodFlags = revTest->cert_rev_flags_per_method[certRevMethod];
1429 if (verifyResponderUsages && 1437 if (verifyResponderUsages &&
1430 pkixRevMethod == PKIX_RevocationMethod_OCSP) { 1438 pkixRevMethod == PKIX_RevocationMethod_OCSP) {
1431 methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING; 1439 methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING;
1432 } 1440 }
1433 error = 1441 error =
1434 PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, 1442 PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
1435 pkixRevMethod, methodFlags, 1443 pkixRevMethod, methodFlags,
1436 priority, NULL, 1444 priority, NULL,
1437 isLeafTest, plContext); 1445 isLeafTest, plContext);
1438 return error; 1446 return error;
1439 } 1447 }
1440 1448
1441
1442 SECStatus 1449 SECStatus
1443 cert_pkixSetParam(PKIX_ProcessingParams *procParams, 1450 cert_pkixSetParam(PKIX_ProcessingParams *procParams,
1444 const CERTValInParam *param, void *plContext) 1451 const CERTValInParam *param, void *plContext)
1445 { 1452 {
1446 PKIX_Error * error = NULL; 1453 PKIX_Error *error = NULL;
1447 SECStatus r=SECSuccess; 1454 SECStatus r = SECSuccess;
1448 PKIX_PL_Date *date = NULL; 1455 PKIX_PL_Date *date = NULL;
1449 PKIX_List *policyOIDList = NULL; 1456 PKIX_List *policyOIDList = NULL;
1450 PKIX_List *certListPkix = NULL; 1457 PKIX_List *certListPkix = NULL;
1451 const CERTRevocationFlags *flags; 1458 const CERTRevocationFlags *flags;
1452 SECErrorCodes errCode = SEC_ERROR_INVALID_ARGS; 1459 SECErrorCodes errCode = SEC_ERROR_INVALID_ARGS;
1453 const CERTCertList *certList = NULL; 1460 const CERTCertList *certList = NULL;
1454 CERTCertListNode *node; 1461 CERTCertListNode *node;
1455 PKIX_PL_Cert *certPkix = NULL; 1462 PKIX_PL_Cert *certPkix = NULL;
1456 PKIX_TrustAnchor *trustAnchor = NULL; 1463 PKIX_TrustAnchor *trustAnchor = NULL;
1457 PKIX_RevocationChecker *revChecker = NULL; 1464 PKIX_RevocationChecker *revChecker = NULL;
1458 PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext; 1465 PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext;
1459 1466
1460 /* XXX we need a way to map generic PKIX error to generic NSS errors */ 1467 /* XXX we need a way to map generic PKIX error to generic NSS errors */
1461 1468
1462 switch (param->type) { 1469 switch (param->type) {
1463 1470
1464 case cert_pi_policyOID: 1471 case cert_pi_policyOID:
1465 1472
1466 /* needed? */ 1473 /* needed? */
1467 error = PKIX_ProcessingParams_SetExplicitPolicyRequired( 1474 error = PKIX_ProcessingParams_SetExplicitPolicyRequired(
1468 procParams, PKIX_TRUE, plContext); 1475 procParams, PKIX_TRUE, plContext);
1469 1476
1470 if (error != NULL) { 1477 if (error != NULL) {
1471 break; 1478 break;
1472 } 1479 }
1473 1480
1474 policyOIDList = cert_PKIXMakeOIDList(param->value.array.oids, 1481 policyOIDList = cert_PKIXMakeOIDList(param->value.array.oids,
1475 param->value.arraySize,plContext); 1482 param->value.arraySize, plConte xt);
1476 » if (policyOIDList == NULL) { 1483 if (policyOIDList == NULL) {
1477 » » r = SECFailure; 1484 r = SECFailure;
1478 » » PORT_SetError(SEC_ERROR_INVALID_ARGS); 1485 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1479 » » break; 1486 break;
1480 » } 1487 }
1481 1488
1482 error = PKIX_ProcessingParams_SetInitialPolicies( 1489 error = PKIX_ProcessingParams_SetInitialPolicies(
1483 procParams,policyOIDList,plContext); 1490 procParams, policyOIDList, plContext);
1484 break; 1491 break;
1485 1492
1486 case cert_pi_date: 1493 case cert_pi_date:
1487 if (param->value.scalar.time == 0) { 1494 if (param->value.scalar.time == 0) {
1488 error = PKIX_PL_Date_Create_UTCTime(NULL, &date, plContext); 1495 error = PKIX_PL_Date_Create_UTCTime(NULL, &date, plContext);
1489 if (error != NULL) { 1496 if (error != NULL) {
1490 errCode = SEC_ERROR_INVALID_TIME; 1497 errCode = SEC_ERROR_INVALID_TIME;
1491 break; 1498 break;
1492 } 1499 }
1493 } else { 1500 } else {
1494 error = pkix_pl_Date_CreateFromPRTime(param->value.scalar.time, 1501 error = pkix_pl_Date_CreateFromPRTime(param->value.scalar.time,
1495 &date, plContext); 1502 &date, plContext);
1496 if (error != NULL) { 1503 if (error != NULL) {
1497 errCode = SEC_ERROR_INVALID_TIME; 1504 errCode = SEC_ERROR_INVALID_TIME;
1498 break; 1505 break;
1499 } 1506 }
1500 } 1507 }
1501 1508
1502 error = PKIX_ProcessingParams_SetDate(procParams, date, plContext); 1509 error = PKIX_ProcessingParams_SetDate(procParams, date, plContext);
1503 if (error != NULL) { 1510 if (error != NULL) {
1504 errCode = SEC_ERROR_INVALID_TIME; 1511 errCode = SEC_ERROR_INVALID_TIME;
1505 } 1512 }
1506 break; 1513 break;
1507 1514
1508 case cert_pi_revocationFlags: 1515 case cert_pi_revocationFlags: {
1509 {
1510 PKIX_UInt32 leafIMFlags = 0; 1516 PKIX_UInt32 leafIMFlags = 0;
1511 PKIX_UInt32 chainIMFlags = 0; 1517 PKIX_UInt32 chainIMFlags = 0;
1512 PKIX_Boolean validatingResponderCert = PKIX_FALSE; 1518 PKIX_Boolean validatingResponderCert = PKIX_FALSE;
1513 1519
1514 flags = param->value.pointer.revocation; 1520 flags = param->value.pointer.revocation;
1515 if (!flags) { 1521 if (!flags) {
1516 PORT_SetError(errCode); 1522 PORT_SetError(errCode);
1517 r = SECFailure; 1523 r = SECFailure;
1518 break; 1524 break;
1519 } 1525 }
1520 1526
1521 leafIMFlags = 1527 leafIMFlags =
1522 flags->leafTests.cert_rev_method_independent_flags; 1528 flags->leafTests.cert_rev_method_independent_flags;
1523 chainIMFlags = 1529 chainIMFlags =
1524 flags->chainTests.cert_rev_method_independent_flags; 1530 flags->chainTests.cert_rev_method_independent_flags;
1525 1531
1526 error = 1532 error =
1527 PKIX_RevocationChecker_Create(leafIMFlags, chainIMFlags, 1533 PKIX_RevocationChecker_Create(leafIMFlags, chainIMFlags,
1528 &revChecker, plContext); 1534 &revChecker, plContext);
1529 if (error) { 1535 if (error) {
1530 break; 1536 break;
1531 } 1537 }
1532 1538
1533 error = 1539 error =
1534 PKIX_ProcessingParams_SetRevocationChecker(procParams, 1540 PKIX_ProcessingParams_SetRevocationChecker(procParams,
1535 revChecker, plContext); 1541 revChecker, plContext );
1536 if (error) { 1542 if (error) {
1537 break; 1543 break;
1538 } 1544 }
1539 1545
1540 if (((PKIX_PL_NssContext*)plContext)->certificateUsage & 1546 if (((PKIX_PL_NssContext *)plContext)->certificateUsage &
1541 certificateUsageStatusResponder) { 1547 certificateUsageStatusResponder) {
1542 validatingResponderCert = PKIX_TRUE; 1548 validatingResponderCert = PKIX_TRUE;
1543 } 1549 }
1544 1550
1545 error = setRevocationMethod(revChecker, 1551 error = setRevocationMethod(revChecker,
1546 procParams, &flags->leafTests, 1552 procParams, &flags->leafTests,
1547 cert_revocation_method_crl, 1553 cert_revocation_method_crl,
1548 PKIX_RevocationMethod_CRL, 1554 PKIX_RevocationMethod_CRL,
1549 validatingResponderCert, 1555 validatingResponderCert,
1550 PKIX_TRUE, plContext); 1556 PKIX_TRUE, plContext);
(...skipping 24 matching lines...) Expand all
1575 error = setRevocationMethod(revChecker, 1581 error = setRevocationMethod(revChecker,
1576 procParams, &flags->chainTests, 1582 procParams, &flags->chainTests,
1577 cert_revocation_method_ocsp, 1583 cert_revocation_method_ocsp,
1578 PKIX_RevocationMethod_OCSP, 1584 PKIX_RevocationMethod_OCSP,
1579 validatingResponderCert, 1585 validatingResponderCert,
1580 PKIX_FALSE, plContext); 1586 PKIX_FALSE, plContext);
1581 if (error) { 1587 if (error) {
1582 break; 1588 break;
1583 } 1589 }
1584 1590
1585 } 1591 } break;
1586 break;
1587 1592
1588 case cert_pi_trustAnchors: 1593 case cert_pi_trustAnchors:
1589 certList = param->value.pointer.chain; 1594 certList = param->value.pointer.chain;
1590 if (!certList) { 1595 if (!certList) {
1591 PORT_SetError(errCode); 1596 PORT_SetError(errCode);
1592 r = SECFailure; 1597 r = SECFailure;
1593 break; 1598 break;
1594 } 1599 }
1595 error = PKIX_List_Create(&certListPkix, plContext); 1600 error = PKIX_List_Create(&certListPkix, plContext);
1596 if (error != NULL) { 1601 if (error != NULL) {
1597 break; 1602 break;
1598 } 1603 }
1599 for(node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList); 1604 for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList) ;
1600 node = CERT_LIST_NEXT(node) ) { 1605 node = CERT_LIST_NEXT(node)) {
1601 error = PKIX_PL_Cert_CreateFromCERTCertificate(node->cert, 1606 error = PKIX_PL_Cert_CreateFromCERTCertificate(node->cert,
1602 &certPkix, plContext); 1607 &certPkix, plCont ext);
1603 if (error) { 1608 if (error) {
1604 break; 1609 break;
1605 } 1610 }
1606 error = PKIX_TrustAnchor_CreateWithCert(certPkix, &trustAnchor, 1611 error = PKIX_TrustAnchor_CreateWithCert(certPkix, &trustAnchor,
1607 plContext); 1612 plContext);
1608 if (error) { 1613 if (error) {
1609 break; 1614 break;
1610 } 1615 }
1611 error = PKIX_List_AppendItem(certListPkix, 1616 error = PKIX_List_AppendItem(certListPkix,
1612 (PKIX_PL_Object*)trustAnchor, plContext); 1617 (PKIX_PL_Object *)trustAnchor, plCo ntext);
1613 if (error) { 1618 if (error) {
1614 break; 1619 break;
1615 } 1620 }
1616 PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); 1621 PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
1617 trustAnchor = NULL; 1622 trustAnchor = NULL;
1618 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext); 1623 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext);
1619 certPkix = NULL; 1624 certPkix = NULL;
1620 } 1625 }
1621 error = 1626 error =
1622 PKIX_ProcessingParams_SetTrustAnchors(procParams, certListPkix, 1627 PKIX_ProcessingParams_SetTrustAnchors(procParams, certListPkix,
1623 plContext); 1628 plContext);
1624 break; 1629 break;
1625 1630
1626 case cert_pi_useAIACertFetch: 1631 case cert_pi_useAIACertFetch:
1627 error = 1632 error =
1628 PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams, 1633 PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
1629 (PRBool)(param->value.scalar.b != 0), 1634 (PRBool)(param->v alue.scalar.b !=
1635 0),
1630 plContext); 1636 plContext);
1631 break; 1637 break;
1632 1638
1633 case cert_pi_chainVerifyCallback: 1639 case cert_pi_chainVerifyCallback: {
1634 {
1635 const CERTChainVerifyCallback *chainVerifyCallback = 1640 const CERTChainVerifyCallback *chainVerifyCallback =
1636 param->value.pointer.chainVerifyCallback; 1641 param->value.pointer.chainVerifyCallback;
1637 if (!chainVerifyCallback || !chainVerifyCallback->isChainValid) { 1642 if (!chainVerifyCallback || !chainVerifyCallback->isChainValid) {
1638 PORT_SetError(errCode); 1643 PORT_SetError(errCode);
1639 r = SECFailure; 1644 r = SECFailure;
1640 break; 1645 break;
1641 } 1646 }
1642 1647
1643 nssContext->chainVerifyCallback = *chainVerifyCallback; 1648 nssContext->chainVerifyCallback = *chainVerifyCallback;
1644 } 1649 } break;
1645 break;
1646 1650
1647 case cert_pi_useOnlyTrustAnchors: 1651 case cert_pi_useOnlyTrustAnchors:
1648 error = 1652 error =
1649 PKIX_ProcessingParams_SetUseOnlyTrustAnchors(procParams, 1653 PKIX_ProcessingParams_SetUseOnlyTrustAnchors(procParams,
1650 (PRBool)(param->value.scalar.b != 0), 1654 (PRBool)(param->val ue.scalar.b !=
1655 0),
1651 plContext); 1656 plContext);
1652 break; 1657 break;
1653 1658
1654 default: 1659 default:
1655 PORT_SetError(errCode); 1660 PORT_SetError(errCode);
1656 r = SECFailure; 1661 r = SECFailure;
1657 break; 1662 break;
1658 } 1663 }
1659 1664
1660 if (policyOIDList != NULL) 1665 if (policyOIDList != NULL)
1661 PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOIDList, plContext); 1666 PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOIDList, plContext);
1662 1667
1663 if (date != NULL) 1668 if (date != NULL)
1664 PKIX_PL_Object_DecRef((PKIX_PL_Object *)date, plContext); 1669 PKIX_PL_Object_DecRef((PKIX_PL_Object *)date, plContext);
1665 1670
1666 if (revChecker != NULL) 1671 if (revChecker != NULL)
1667 PKIX_PL_Object_DecRef((PKIX_PL_Object *)revChecker, plContext); 1672 PKIX_PL_Object_DecRef((PKIX_PL_Object *)revChecker, plContext);
1668 1673
1669 if (certListPkix) 1674 if (certListPkix)
1670 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certListPkix, plContext); 1675 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certListPkix, plContext);
1671 1676
1672 if (trustAnchor) 1677 if (trustAnchor)
1673 PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); 1678 PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
1674 1679
1675 if (certPkix) 1680 if (certPkix)
1676 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext); 1681 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext);
1677 1682
1678 if (error != NULL) { 1683 if (error != NULL) {
1679 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); 1684 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
1680 PORT_SetError(errCode); 1685 PORT_SetError(errCode);
1681 r = SECFailure; 1686 r = SECFailure;
1682 } 1687 }
1683 1688
1684 return r; 1689 return r;
1685
1686 } 1690 }
1687 1691
1688 void 1692 void
1689 cert_pkixDestroyValOutParam(CERTValOutParam *params) 1693 cert_pkixDestroyValOutParam(CERTValOutParam *params)
1690 { 1694 {
1691 CERTValOutParam *i; 1695 CERTValOutParam *i;
1692 1696
1693 if (params == NULL) { 1697 if (params == NULL) {
1694 return; 1698 return;
1695 } 1699 }
1696 for (i = params; i->type != cert_po_end; i++) { 1700 for (i = params; i->type != cert_po_end; i++) {
1697 switch (i->type) { 1701 switch (i->type) {
1698 case cert_po_trustAnchor: 1702 case cert_po_trustAnchor:
1699 if (i->value.pointer.cert) { 1703 if (i->value.pointer.cert) {
1700 CERT_DestroyCertificate(i->value.pointer.cert); 1704 CERT_DestroyCertificate(i->value.pointer.cert);
1701 i->value.pointer.cert = NULL; 1705 i->value.pointer.cert = NULL;
1702 } 1706 }
1703 break; 1707 break;
1704 1708
1705 case cert_po_certList: 1709 case cert_po_certList:
1706 if (i->value.pointer.chain) { 1710 if (i->value.pointer.chain) {
1707 CERT_DestroyCertList(i->value.pointer.chain); 1711 CERT_DestroyCertList(i->value.pointer.chain);
1708 i->value.pointer.chain = NULL; 1712 i->value.pointer.chain = NULL;
1709 } 1713 }
1710 break; 1714 break;
1711 1715
1712 default: 1716 default:
1713 break; 1717 break;
1714 } 1718 }
1715 } 1719 }
1716 } 1720 }
1717 1721
1718 static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags[2] = { 1722 static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags[2] = {
1719 /* crl */ 1723 /* crl */
1720 CERT_REV_M_TEST_USING_THIS_METHOD 1724 CERT_REV_M_TEST_USING_THIS_METHOD |
1721 | CERT_REV_M_FORBID_NETWORK_FETCHING 1725 CERT_REV_M_FORBID_NETWORK_FETCHING |
1722 | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, 1726 CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
1723 /* ocsp */ 1727 /* ocsp */
1724 CERT_REV_M_TEST_USING_THIS_METHOD 1728 CERT_REV_M_TEST_USING_THIS_METHOD
1725 }; 1729 };
1726 1730
1727 static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags[2] = { 1731 static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags[2] = {
1728 /* crl */ 1732 /* crl */
1729 CERT_REV_M_TEST_USING_THIS_METHOD 1733 CERT_REV_M_TEST_USING_THIS_METHOD |
1730 | CERT_REV_M_FORBID_NETWORK_FETCHING 1734 CERT_REV_M_FORBID_NETWORK_FETCHING |
1731 | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, 1735 CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
1732 /* ocsp */ 1736 /* ocsp */
1733 0 1737 0
1734 }; 1738 };
1735 1739
1736 static CERTRevocationMethodIndex 1740 static CERTRevocationMethodIndex
1737 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference = { 1741 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference = {
1738 cert_revocation_method_crl 1742 cert_revocation_method_crl
1743 };
1744
1745 static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy = {
1746 { /* leafTests */
1747 2,
1748 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags,
1749 1,
1750 &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference,
1751 0 },
1752 { /* chainTests */
1753 2,
1754 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags,
1755 0,
1756 0,
1757 0 }
1739 }; 1758 };
1740 1759
1741 static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy = { 1760 extern const CERTRevocationFlags *
1742 {
1743 /* leafTests */
1744 2,
1745 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags,
1746 1,
1747 &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference,
1748 0
1749 },
1750 {
1751 /* chainTests */
1752 2,
1753 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags,
1754 0,
1755 0,
1756 0
1757 }
1758 };
1759
1760 extern const CERTRevocationFlags*
1761 CERT_GetClassicOCSPEnabledSoftFailurePolicy() 1761 CERT_GetClassicOCSPEnabledSoftFailurePolicy()
1762 { 1762 {
1763 return &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy; 1763 return &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy;
1764 } 1764 }
1765 1765
1766
1767 static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags[2] = { 1766 static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
1768 /* crl */ 1767 /* crl */
1769 CERT_REV_M_TEST_USING_THIS_METHOD 1768 CERT_REV_M_TEST_USING_THIS_METHOD |
1770 | CERT_REV_M_FORBID_NETWORK_FETCHING 1769 CERT_REV_M_FORBID_NETWORK_FETCHING |
1771 | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, 1770 CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
1772 /* ocsp */ 1771 /* ocsp */
1773 CERT_REV_M_TEST_USING_THIS_METHOD 1772 CERT_REV_M_TEST_USING_THIS_METHOD |
1774 | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 1773 CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
1775 }; 1774 };
1776 1775
1777 static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags[2] = { 1776 static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags[2] = {
1778 /* crl */ 1777 /* crl */
1779 CERT_REV_M_TEST_USING_THIS_METHOD 1778 CERT_REV_M_TEST_USING_THIS_METHOD |
1780 | CERT_REV_M_FORBID_NETWORK_FETCHING 1779 CERT_REV_M_FORBID_NETWORK_FETCHING |
1781 | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, 1780 CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
1782 /* ocsp */ 1781 /* ocsp */
1783 0 1782 0
1784 }; 1783 };
1785 1784
1786 static CERTRevocationMethodIndex 1785 static CERTRevocationMethodIndex
1787 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference = { 1786 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference = {
1788 cert_revocation_method_crl 1787 cert_revocation_method_crl
1788 };
1789
1790 static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy = {
1791 { /* leafTests */
1792 2,
1793 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags,
1794 1,
1795 &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference,
1796 0 },
1797 { /* chainTests */
1798 2,
1799 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags,
1800 0,
1801 0,
1802 0 }
1789 }; 1803 };
1790 1804
1791 static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy = { 1805 extern const CERTRevocationFlags *
1792 {
1793 /* leafTests */
1794 2,
1795 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags,
1796 1,
1797 &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference,
1798 0
1799 },
1800 {
1801 /* chainTests */
1802 2,
1803 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags,
1804 0,
1805 0,
1806 0
1807 }
1808 };
1809
1810 extern const CERTRevocationFlags*
1811 CERT_GetClassicOCSPEnabledHardFailurePolicy() 1806 CERT_GetClassicOCSPEnabledHardFailurePolicy()
1812 { 1807 {
1813 return &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy; 1808 return &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy;
1814 } 1809 }
1815 1810
1816
1817 static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags[2] = { 1811 static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags[2] = {
1818 /* crl */ 1812 /* crl */
1819 CERT_REV_M_TEST_USING_THIS_METHOD 1813 CERT_REV_M_TEST_USING_THIS_METHOD |
1820 | CERT_REV_M_FORBID_NETWORK_FETCHING 1814 CERT_REV_M_FORBID_NETWORK_FETCHING |
1821 | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, 1815 CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
1822 /* ocsp */ 1816 /* ocsp */
1823 0 1817 0
1824 }; 1818 };
1825 1819
1826 static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags[2] = { 1820 static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags[2] = {
1827 /* crl */ 1821 /* crl */
1828 CERT_REV_M_TEST_USING_THIS_METHOD 1822 CERT_REV_M_TEST_USING_THIS_METHOD |
1829 | CERT_REV_M_FORBID_NETWORK_FETCHING 1823 CERT_REV_M_FORBID_NETWORK_FETCHING |
1830 | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, 1824 CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
1831 /* ocsp */ 1825 /* ocsp */
1832 0 1826 0
1833 }; 1827 };
1834 1828
1835 static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Disabled_Policy = { 1829 static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Disabled_Policy = {
1836 { 1830 { /* leafTests */
1837 /* leafTests */ 1831 2,
1838 2, 1832 certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags,
1839 certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags, 1833 0,
1840 0, 1834 0,
1841 0, 1835 0 },
1842 0 1836 { /* chainTests */
1843 }, 1837 2,
1844 { 1838 certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags,
1845 /* chainTests */ 1839 0,
1846 2, 1840 0,
1847 certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags, 1841 0 }
1848 0,
1849 0,
1850 0
1851 }
1852 }; 1842 };
1853 1843
1854 extern const CERTRevocationFlags* 1844 extern const CERTRevocationFlags *
1855 CERT_GetClassicOCSPDisabledPolicy() 1845 CERT_GetClassicOCSPDisabledPolicy()
1856 { 1846 {
1857 return &certRev_NSS_3_11_Ocsp_Disabled_Policy; 1847 return &certRev_NSS_3_11_Ocsp_Disabled_Policy;
1858 } 1848 }
1859 1849
1860
1861 static PRUint64 certRev_PKIX_Verify_Nist_Policy_LeafFlags[2] = { 1850 static PRUint64 certRev_PKIX_Verify_Nist_Policy_LeafFlags[2] = {
1862 /* crl */ 1851 /* crl */
1863 CERT_REV_M_TEST_USING_THIS_METHOD 1852 CERT_REV_M_TEST_USING_THIS_METHOD |
1864 | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 1853 CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO |
1865 | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE, 1854 CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
1866 /* ocsp */ 1855 /* ocsp */
1867 0 1856 0
1868 }; 1857 };
1869 1858
1870 static PRUint64 certRev_PKIX_Verify_Nist_Policy_ChainFlags[2] = { 1859 static PRUint64 certRev_PKIX_Verify_Nist_Policy_ChainFlags[2] = {
1871 /* crl */ 1860 /* crl */
1872 CERT_REV_M_TEST_USING_THIS_METHOD 1861 CERT_REV_M_TEST_USING_THIS_METHOD |
1873 | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 1862 CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO |
1874 | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE, 1863 CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
1875 /* ocsp */ 1864 /* ocsp */
1876 0 1865 0
1877 }; 1866 };
1878 1867
1879 static const CERTRevocationFlags certRev_PKIX_Verify_Nist_Policy = { 1868 static const CERTRevocationFlags certRev_PKIX_Verify_Nist_Policy = {
1880 { 1869 { /* leafTests */
1881 /* leafTests */ 1870 2,
1882 2, 1871 certRev_PKIX_Verify_Nist_Policy_LeafFlags,
1883 certRev_PKIX_Verify_Nist_Policy_LeafFlags, 1872 0,
1884 0, 1873 0,
1885 0, 1874 0 },
1886 0 1875 { /* chainTests */
1887 }, 1876 2,
1888 { 1877 certRev_PKIX_Verify_Nist_Policy_ChainFlags,
1889 /* chainTests */ 1878 0,
1890 2, 1879 0,
1891 certRev_PKIX_Verify_Nist_Policy_ChainFlags, 1880 0 }
1892 0,
1893 0,
1894 0
1895 }
1896 }; 1881 };
1897 1882
1898 extern const CERTRevocationFlags* 1883 extern const CERTRevocationFlags *
1899 CERT_GetPKIXVerifyNistRevocationPolicy() 1884 CERT_GetPKIXVerifyNistRevocationPolicy()
1900 { 1885 {
1901 return &certRev_PKIX_Verify_Nist_Policy; 1886 return &certRev_PKIX_Verify_Nist_Policy;
1902 } 1887 }
1903 1888
1904 CERTRevocationFlags * 1889 CERTRevocationFlags *
1905 CERT_AllocCERTRevocationFlags( 1890 CERT_AllocCERTRevocationFlags(
1906 PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods, 1891 PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods,
1907 PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods) 1892 PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods)
1908 { 1893 {
1909 CERTRevocationFlags *flags; 1894 CERTRevocationFlags *flags;
1910 1895
1911 flags = PORT_New(CERTRevocationFlags); 1896 flags = PORT_New(CERTRevocationFlags);
1912 if (!flags) 1897 if (!flags)
1913 return(NULL); 1898 return (NULL);
1914 1899
1915 flags->leafTests.number_of_defined_methods = number_leaf_methods; 1900 flags->leafTests.number_of_defined_methods = number_leaf_methods;
1916 flags->leafTests.cert_rev_flags_per_method = 1901 flags->leafTests.cert_rev_flags_per_method =
1917 PORT_NewArray(PRUint64, number_leaf_methods); 1902 PORT_NewArray(PRUint64, number_leaf_methods);
1918 1903
1919 flags->leafTests.number_of_preferred_methods = number_leaf_pref_methods; 1904 flags->leafTests.number_of_preferred_methods = number_leaf_pref_methods;
1920 flags->leafTests.preferred_methods = 1905 flags->leafTests.preferred_methods =
1921 PORT_NewArray(CERTRevocationMethodIndex, number_leaf_pref_methods); 1906 PORT_NewArray(CERTRevocationMethodIndex, number_leaf_pref_methods);
1922 1907
1923 flags->chainTests.number_of_defined_methods = number_chain_methods; 1908 flags->chainTests.number_of_defined_methods = number_chain_methods;
1924 flags->chainTests.cert_rev_flags_per_method = 1909 flags->chainTests.cert_rev_flags_per_method =
1925 PORT_NewArray(PRUint64, number_chain_methods); 1910 PORT_NewArray(PRUint64, number_chain_methods);
1926 1911
1927 flags->chainTests.number_of_preferred_methods = number_chain_pref_methods; 1912 flags->chainTests.number_of_preferred_methods = number_chain_pref_methods;
1928 flags->chainTests.preferred_methods = 1913 flags->chainTests.preferred_methods =
1929 PORT_NewArray(CERTRevocationMethodIndex, number_chain_pref_methods); 1914 PORT_NewArray(CERTRevocationMethodIndex, number_chain_pref_methods);
1930 1915
1931 if (!flags->leafTests.cert_rev_flags_per_method 1916 if (!flags->leafTests.cert_rev_flags_per_method ||
1932 || !flags->leafTests.preferred_methods 1917 !flags->leafTests.preferred_methods ||
1933 || !flags->chainTests.cert_rev_flags_per_method 1918 !flags->chainTests.cert_rev_flags_per_method ||
1934 || !flags->chainTests.preferred_methods) { 1919 !flags->chainTests.preferred_methods) {
1935 CERT_DestroyCERTRevocationFlags(flags); 1920 CERT_DestroyCERTRevocationFlags(flags);
1936 return (NULL); 1921 return (NULL);
1937 } 1922 }
1938 1923
1939 return flags; 1924 return flags;
1940 } 1925 }
1941 1926
1942 void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags) 1927 void
1928 CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags)
1943 { 1929 {
1944 if (!flags) 1930 if (!flags)
1945 » return; 1931 return;
1946 1932
1947 if (flags->leafTests.cert_rev_flags_per_method) 1933 if (flags->leafTests.cert_rev_flags_per_method)
1948 PORT_Free(flags->leafTests.cert_rev_flags_per_method); 1934 PORT_Free(flags->leafTests.cert_rev_flags_per_method);
1949 1935
1950 if (flags->leafTests.preferred_methods) 1936 if (flags->leafTests.preferred_methods)
1951 PORT_Free(flags->leafTests.preferred_methods); 1937 PORT_Free(flags->leafTests.preferred_methods);
1952 1938
1953 if (flags->chainTests.cert_rev_flags_per_method) 1939 if (flags->chainTests.cert_rev_flags_per_method)
1954 PORT_Free(flags->chainTests.cert_rev_flags_per_method); 1940 PORT_Free(flags->chainTests.cert_rev_flags_per_method);
1955 1941
1956 if (flags->chainTests.preferred_methods) 1942 if (flags->chainTests.preferred_methods)
1957 PORT_Free(flags->chainTests.preferred_methods); 1943 PORT_Free(flags->chainTests.preferred_methods);
1958 1944
1959 PORT_Free(flags); 1945 PORT_Free(flags);
1960 } 1946 }
1961 1947
1962 /* 1948 /*
1963 * CERT_PKIXVerifyCert 1949 * CERT_PKIXVerifyCert
1964 * 1950 *
1965 * Verify a Certificate using the PKIX library. 1951 * Verify a Certificate using the PKIX library.
1966 * 1952 *
1967 * Parameters: 1953 * Parameters:
1968 * cert - the target certificate to verify. Must be non-null 1954 * cert - the target certificate to verify. Must be non-null
1969 * params - an array of type/value parameters which can be 1955 * params - an array of type/value parameters which can be
1970 * used to modify the behavior of the validation 1956 * used to modify the behavior of the validation
1971 * algorithm, or supply additional constraints. 1957 * algorithm, or supply additional constraints.
1972 * 1958 *
1973 * outputTrustAnchor - the trust anchor which the certificate 1959 * outputTrustAnchor - the trust anchor which the certificate
1974 * chains to. The caller is responsible 1960 * chains to. The caller is responsible
1975 * for freeing this. 1961 * for freeing this.
1976 * 1962 *
1977 * Example Usage: 1963 * Example Usage:
1978 * CERTValParam args[3]; 1964 * CERTValParam args[3];
1979 * args[0].type = cvpt_policyOID; 1965 * args[0].type = cvpt_policyOID;
1980 * args[0].value.si = oid; 1966 * args[0].value.si = oid;
1981 * args[1].type = revCheckRequired; 1967 * args[1].type = revCheckRequired;
1982 * args[1].value.b = PR_TRUE; 1968 * args[1].value.b = PR_TRUE;
1983 * args[2].type = cvpt_end; 1969 * args[2].type = cvpt_end;
1984 * 1970 *
1985 * CERT_PKIXVerifyCert(cert, &output, args 1971 * CERT_PKIXVerifyCert(cert, &output, args
1986 */ 1972 */
1987 SECStatus CERT_PKIXVerifyCert( 1973 SECStatus
1988 CERTCertificate *cert, 1974 CERT_PKIXVerifyCert(
1989 SECCertificateUsage usages, 1975 CERTCertificate *cert,
1990 CERTValInParam *paramsIn, 1976 SECCertificateUsage usages,
1991 CERTValOutParam *paramsOut, 1977 CERTValInParam *paramsIn,
1992 void *wincx) 1978 CERTValOutParam *paramsOut,
1979 void *wincx)
1993 { 1980 {
1994 SECStatus r = SECFailure; 1981 SECStatus r = SECFailure;
1995 PKIX_Error * error = NULL; 1982 PKIX_Error *error = NULL;
1996 PKIX_ProcessingParams *procParams = NULL; 1983 PKIX_ProcessingParams *procParams = NULL;
1997 PKIX_BuildResult * buildResult = NULL; 1984 PKIX_BuildResult *buildResult = NULL;
1998 void * nbioContext = NULL; /* for non-blocking IO */ 1985 void *nbioContext = NULL; /* for non-blocking IO */
1999 void * buildState = NULL; /* for non-blocking IO */ 1986 void *buildState = NULL; /* for non-blocking IO */
2000 PKIX_CertSelector * certSelector = NULL; 1987 PKIX_CertSelector *certSelector = NULL;
2001 PKIX_List * certStores = NULL; 1988 PKIX_List *certStores = NULL;
2002 PKIX_ValidateResult * valResult = NULL; 1989 PKIX_ValidateResult *valResult = NULL;
2003 PKIX_VerifyNode * verifyNode = NULL; 1990 PKIX_VerifyNode *verifyNode = NULL;
2004 PKIX_TrustAnchor * trustAnchor = NULL; 1991 PKIX_TrustAnchor *trustAnchor = NULL;
2005 PKIX_PL_Cert * trustAnchorCert = NULL; 1992 PKIX_PL_Cert *trustAnchorCert = NULL;
2006 PKIX_List * builtCertList = NULL; 1993 PKIX_List *builtCertList = NULL;
2007 CERTValOutParam * oparam = NULL; 1994 CERTValOutParam *oparam = NULL;
2008 int i=0; 1995 int i = 0;
2009 1996
2010 void *plContext = NULL; 1997 void *plContext = NULL;
2011 1998
2012 #ifdef PKIX_OBJECT_LEAK_TEST 1999 #ifdef PKIX_OBJECT_LEAK_TEST
2013 int leakedObjNum = 0; 2000 int leakedObjNum = 0;
2014 int memLeakLoopCount = 0; 2001 int memLeakLoopCount = 0;
2015 int objCountTable[PKIX_NUMTYPES]; 2002 int objCountTable[PKIX_NUMTYPES];
2016 int fnInvLocalCount = 0; 2003 int fnInvLocalCount = 0;
2017 PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine; 2004 PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine;
2018 2005
2019 if (usePKIXValidationEngine) { 2006 if (usePKIXValidationEngine) {
2020 /* current memory leak testing implementation does not allow 2007 /* current memory leak testing implementation does not allow
2021 * to run simultaneous tests one the same or a different threads. 2008 * to run simultaneous tests one the same or a different threads.
2022 * Setting the variable to false, to make additional chain 2009 * Setting the variable to false, to make additional chain
2023 * validations be handled by old nss. */ 2010 * validations be handled by old nss. */
2024 usePKIXValidationEngine = PR_FALSE; 2011 usePKIXValidationEngine = PR_FALSE;
2025 } 2012 }
2026 testStartFnStackPosition = 1; 2013 testStartFnStackPosition = 1;
2027 fnStackNameArr[0] = "CERT_PKIXVerifyCert"; 2014 fnStackNameArr[0] = "CERT_PKIXVerifyCert";
2028 fnStackInvCountArr[0] = 0; 2015 fnStackInvCountArr[0] = 0;
2029 PKIX_Boolean abortOnLeak = 2016 PKIX_Boolean abortOnLeak =
2030 (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? 2017 (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? PKIX_ FALSE
2031 PKIX_FALSE : PKIX_TRUE; 2018 : PKIX_ TRUE;
2032 runningLeakTest = PKIX_TRUE; 2019 runningLeakTest = PKIX_TRUE;
2033 2020
2034 /* Prevent multi-threaded run of object leak test */ 2021 /* Prevent multi-threaded run of object leak test */
2035 fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount); 2022 fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
2036 PORT_Assert(fnInvLocalCount == 1); 2023 PORT_Assert(fnInvLocalCount == 1);
2037 2024
2038 do { 2025 do {
2039 r = SECFailure; 2026 r = SECFailure;
2040 error = NULL; 2027 error = NULL;
2041 procParams = NULL; 2028 procParams = NULL;
2042 buildResult = NULL; 2029 buildResult = NULL;
2043 nbioContext = NULL; /* for non-blocking IO */ 2030 nbioContext = NULL; /* for non-blocking IO */
2044 buildState = NULL; /* for non-blocking IO */ 2031 buildState = NULL; /* for non-blocking IO */
2045 certSelector = NULL; 2032 certSelector = NULL;
2046 certStores = NULL; 2033 certStores = NULL;
2047 valResult = NULL; 2034 valResult = NULL;
2048 verifyNode = NULL; 2035 verifyNode = NULL;
2049 trustAnchor = NULL; 2036 trustAnchor = NULL;
2050 trustAnchorCert = NULL; 2037 trustAnchorCert = NULL;
2051 builtCertList = NULL; 2038 builtCertList = NULL;
2052 oparam = NULL; 2039 oparam = NULL;
2053 i=0; 2040 i = 0;
2054 errorGenerated = PKIX_FALSE; 2041 errorGenerated = PKIX_FALSE;
2055 stackPosition = 0; 2042 stackPosition = 0;
2056 2043
2057 if (leakedObjNum) { 2044 if (leakedObjNum) {
2058 pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); 2045 pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
2059 } 2046 }
2060 memLeakLoopCount += 1; 2047 memLeakLoopCount += 1;
2061 #endif /* PKIX_OBJECT_LEAK_TEST */ 2048 #endif /* PKIX_OBJECT_LEAK_TEST */
2062 2049
2063 error = PKIX_PL_NssContext_Create( 2050 error = PKIX_PL_NssContext_Create(
2064 0, PR_FALSE /*use arena*/, wincx, &plContext); 2051 0, PR_FALSE /*use arena*/, wincx, &plContext);
2065 if (error != NULL) { /* need pkix->nss error map */ 2052 if (error != NULL) { /* need pkix->nss error map */
2066 PORT_SetError(SEC_ERROR_CERT_NOT_VALID); 2053 PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
2067 goto cleanup; 2054 goto cleanup;
2068 } 2055 }
2069 2056
2070 error = pkix_pl_NssContext_SetCertUsage(usages, plContext); 2057 error = pkix_pl_NssContext_SetCertUsage(usages, plContext);
2071 if (error != NULL) { 2058 if (error != NULL) {
2072 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2059 PORT_SetError(SEC_ERROR_INVALID_ARGS);
2073 goto cleanup; 2060 goto cleanup;
2074 } 2061 }
2075 2062
2076 error = PKIX_ProcessingParams_Create(&procParams, plContext); 2063 error = PKIX_ProcessingParams_Create(&procParams, plContext);
2077 if (error != NULL) { /* need pkix->nss error map */ 2064 if (error != NULL) { /* need pkix->nss error map */
2078 PORT_SetError(SEC_ERROR_CERT_NOT_VALID); 2065 PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
2079 goto cleanup; 2066 goto cleanup;
2080 } 2067 }
2081 2068
2082 /* local cert store should be set into procParams before 2069 /* local cert store should be set into procParams before
2083 * filling in revocation settings. */ 2070 * filling in revocation settings. */
2084 certStores = cert_GetCertStores(plContext); 2071 certStores = cert_GetCertStores(plContext);
2085 if (certStores == NULL) { 2072 if (certStores == NULL) {
2086 goto cleanup; 2073 goto cleanup;
2087 } 2074 }
2088 error = PKIX_ProcessingParams_SetCertStores 2075 error = PKIX_ProcessingParams_SetCertStores(procParams, certStores, plCo ntext);
2089 (procParams, certStores, plContext); 2076 if (error != NULL) {
2090 if (error != NULL) { 2077 goto cleanup;
2091 goto cleanup; 2078 }
2092 } 2079
2093 2080 /* now process the extensible input parameters structure */
2094 /* now process the extensible input parameters structure */ 2081 if (paramsIn != NULL) {
2095 if (paramsIn != NULL) { 2082 i = 0;
2096 i=0; 2083 while (paramsIn[i].type != cert_pi_end) {
2097 while (paramsIn[i].type != cert_pi_end) { 2084 if (paramsIn[i].type >= cert_pi_max) {
2098 if (paramsIn[i].type >= cert_pi_max) { 2085 PORT_SetError(SEC_ERROR_INVALID_ARGS);
2099 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2086 goto cleanup;
2087 }
2088 if (cert_pkixSetParam(procParams,
2089 &paramsIn[i], plContext) !=
2090 SECSuccess) {
2091 PORT_SetError(SEC_ERROR_INVALID_ARGS);
2092 goto cleanup;
2093 }
2094 i++;
2095 }
2096 }
2097
2098 certSelector = cert_GetTargetCertConstraints(cert, plContext);
2099 if (certSelector == NULL) {
2100 goto cleanup;
2101 }
2102 error = PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certS elector, plContext);
2103 if (error != NULL) {
2104 goto cleanup;
2105 }
2106
2107 error = PKIX_BuildChain(procParams, &nbioContext,
2108 &buildState, &buildResult, &verifyNode,
2109 plContext);
2110 if (error != NULL) {
2111 goto cleanup;
2112 }
2113
2114 error = PKIX_BuildResult_GetValidateResult(buildResult, &valResult,
2115 plContext);
2116 if (error != NULL) {
2117 goto cleanup;
2118 }
2119
2120 error = PKIX_ValidateResult_GetTrustAnchor(valResult, &trustAnchor,
2121 plContext);
2122 if (error != NULL) {
2123 goto cleanup;
2124 }
2125
2126 if (trustAnchor != NULL) {
2127 error = PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustAnchorCer t,
2128 plContext);
2129 if (error != NULL) {
2100 goto cleanup; 2130 goto cleanup;
2101 } 2131 }
2102 if (cert_pkixSetParam(procParams, 2132 }
2103 &paramsIn[i],plContext) != SECSuccess) { 2133
2104 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2134 #ifdef PKIX_OBJECT_LEAK_TEST
2135 /* Can not continue if error was generated but not returned.
2136 * Jumping to cleanup. */
2137 if (errorGenerated)
2138 goto cleanup;
2139 #endif /* PKIX_OBJECT_LEAK_TEST */
2140
2141 oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor);
2142 if (oparam != NULL) {
2143 if (trustAnchorCert != NULL) {
2144 oparam->value.pointer.cert =
2145 cert_NSSCertFromPKIXCert(trustAnchorCert);
2146 } else {
2147 oparam->value.pointer.cert = NULL;
2148 }
2149 }
2150
2151 error = PKIX_BuildResult_GetCertChain(buildResult, &builtCertList,
2152 plContext);
2153 if (error != NULL) {
2154 goto cleanup;
2155 }
2156
2157 oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList);
2158 if (oparam != NULL) {
2159 error = cert_PkixToNssCertsChain(builtCertList,
2160 &oparam->value.pointer.chain,
2161 plContext);
2162 if (error)
2105 goto cleanup; 2163 goto cleanup;
2106 } 2164 }
2107 i++; 2165
2108 } 2166 r = SECSuccess;
2109 } 2167
2110 2168 cleanup:
2111 certSelector = cert_GetTargetCertConstraints(cert, plContext); 2169 if (verifyNode) {
2112 if (certSelector == NULL) { 2170 /* Return validation log only upon error. */
2113 goto cleanup; 2171 oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog);
2114 }
2115 error = PKIX_ProcessingParams_SetTargetCertConstraints
2116 (procParams, certSelector, plContext);
2117 if (error != NULL) {
2118 goto cleanup;
2119 }
2120
2121 error = PKIX_BuildChain( procParams, &nbioContext,
2122 &buildState, &buildResult, &verifyNode,
2123 plContext);
2124 if (error != NULL) {
2125 goto cleanup;
2126 }
2127
2128 error = PKIX_BuildResult_GetValidateResult( buildResult, &valResult,
2129 plContext);
2130 if (error != NULL) {
2131 goto cleanup;
2132 }
2133
2134 error = PKIX_ValidateResult_GetTrustAnchor( valResult, &trustAnchor,
2135 plContext);
2136 if (error != NULL) {
2137 goto cleanup;
2138 }
2139
2140 if (trustAnchor != NULL) {
2141 error = PKIX_TrustAnchor_GetTrustedCert( trustAnchor, &trustAnchorCert,
2142 plContext);
2143 if (error != NULL) {
2144 goto cleanup;
2145 }
2146 }
2147
2148 #ifdef PKIX_OBJECT_LEAK_TEST 2172 #ifdef PKIX_OBJECT_LEAK_TEST
2149 /* Can not continue if error was generated but not returned. 2173 if (!errorGenerated)
2150 * Jumping to cleanup. */ 2174 #endif /* PKIX_OBJECT_LEAK_TEST */
2151 if (errorGenerated) goto cleanup; 2175 if (r && oparam != NULL) {
2152 #endif /* PKIX_OBJECT_LEAK_TEST */ 2176 PKIX_Error *tmpError =
2153 2177 cert_GetLogFromVerifyNode(oparam->value.pointer.log,
2154 oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor); 2178 verifyNode, plContext);
2155 if (oparam != NULL) { 2179 if (tmpError) {
2156 if (trustAnchorCert != NULL) { 2180 PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plCont ext);
2157 oparam->value.pointer.cert = 2181 }
2158 cert_NSSCertFromPKIXCert(trustAnchorCert); 2182 }
2159 } else { 2183 PKIX_PL_Object_DecRef((PKIX_PL_Object *)verifyNode, plContext);
2160 oparam->value.pointer.cert = NULL; 2184 }
2161 } 2185
2162 } 2186 if (procParams != NULL)
2163 2187 PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
2164 error = PKIX_BuildResult_GetCertChain( buildResult, &builtCertList, 2188
2165 plContext); 2189 if (trustAnchorCert != NULL)
2166 if (error != NULL) { 2190 PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchorCert, plContext);
2167 goto cleanup; 2191
2168 } 2192 if (trustAnchor != NULL)
2169 2193 PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
2170 oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList); 2194
2171 if (oparam != NULL) { 2195 if (valResult != NULL)
2172 error = cert_PkixToNssCertsChain(builtCertList, 2196 PKIX_PL_Object_DecRef((PKIX_PL_Object *)valResult, plContext);
2173 &oparam->value.pointer.chain, 2197
2174 plContext); 2198 if (buildResult != NULL)
2175 if (error) goto cleanup; 2199 PKIX_PL_Object_DecRef((PKIX_PL_Object *)buildResult, plContext);
2176 } 2200
2177 2201 if (certStores != NULL)
2178 r = SECSuccess; 2202 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
2179 2203
2180 cleanup: 2204 if (certSelector != NULL)
2181 if (verifyNode) { 2205 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
2182 /* Return validation log only upon error. */ 2206
2183 oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog); 2207 if (builtCertList != NULL)
2208 PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext);
2209
2210 if (error != NULL) {
2211 SECErrorCodes nssErrorCode = 0;
2212
2213 cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
2214 cert_pkixDestroyValOutParam(paramsOut);
2215 PORT_SetError(nssErrorCode);
2216 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
2217 }
2218
2219 PKIX_PL_NssContext_Destroy(plContext);
2220
2184 #ifdef PKIX_OBJECT_LEAK_TEST 2221 #ifdef PKIX_OBJECT_LEAK_TEST
2185 if (!errorGenerated) 2222 leakedObjNum =
2186 #endif /* PKIX_OBJECT_LEAK_TEST */ 2223 pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NUL L);
2187 if (r && oparam != NULL) { 2224
2188 PKIX_Error *tmpError = 2225 if (pkixLog && leakedObjNum) {
2189 cert_GetLogFromVerifyNode(oparam->value.pointer.log, 2226 PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loo p %d."
2190 verifyNode, plContext); 2227 "Stack %s\n",
2191 if (tmpError) { 2228 memLeakLoopCount, errorFnStackString));
2192 PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext); 2229 }
2193 } 2230 PR_Free(errorFnStackString);
2194 } 2231 errorFnStackString = NULL;
2195 PKIX_PL_Object_DecRef((PKIX_PL_Object *)verifyNode, plContext); 2232 if (abortOnLeak) {
2196 } 2233 PORT_Assert(leakedObjNum == 0);
2197 2234 }
2198 if (procParams != NULL) 2235
2199 PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext); 2236 } while (errorGenerated);
2200 2237
2201 if (trustAnchorCert != NULL) 2238 runningLeakTest = PKIX_FALSE;
2202 PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchorCert, plContext);
2203
2204 if (trustAnchor != NULL)
2205 PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
2206
2207 if (valResult != NULL)
2208 PKIX_PL_Object_DecRef((PKIX_PL_Object *)valResult, plContext);
2209
2210 if (buildResult != NULL)
2211 PKIX_PL_Object_DecRef((PKIX_PL_Object *)buildResult, plContext);
2212
2213 if (certStores != NULL)
2214 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
2215
2216 if (certSelector != NULL)
2217 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
2218
2219 if (builtCertList != NULL)
2220 PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext);
2221
2222 if (error != NULL) {
2223 SECErrorCodes nssErrorCode = 0;
2224
2225 cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
2226 cert_pkixDestroyValOutParam(paramsOut);
2227 PORT_SetError(nssErrorCode);
2228 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
2229 }
2230
2231 PKIX_PL_NssContext_Destroy(plContext);
2232
2233 #ifdef PKIX_OBJECT_LEAK_TEST
2234 leakedObjNum =
2235 pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL);
2236
2237 if (pkixLog && leakedObjNum) {
2238 PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d ."
2239 "Stack %s\n", memLeakLoopCount, errorFnStackString)) ;
2240 }
2241 PR_Free(errorFnStackString);
2242 errorFnStackString = NULL;
2243 if (abortOnLeak) {
2244 PORT_Assert(leakedObjNum == 0);
2245 }
2246
2247 } while (errorGenerated);
2248
2249 runningLeakTest = PKIX_FALSE;
2250 PR_ATOMIC_DECREMENT(&parallelFnInvocationCount); 2239 PR_ATOMIC_DECREMENT(&parallelFnInvocationCount);
2251 usePKIXValidationEngine = savedUsePkixEngFlag; 2240 usePKIXValidationEngine = savedUsePkixEngFlag;
2252 #endif /* PKIX_OBJECT_LEAK_TEST */ 2241 #endif /* PKIX_OBJECT_LEAK_TEST */
2253 2242
2254 return r; 2243 return r;
2255 } 2244 }
OLDNEW
« no previous file with comments | « nss/lib/certhigh/certvfy.c ('k') | nss/lib/certhigh/crlv2.c » ('j') | nss/lib/util/secoid.c » ('J')

Powered by Google App Engine
This is Rietveld 408576698