Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(84)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: nss/lib/certhigh/certvfypkix.c

Issue 1843333003: Update NSPR to 4.12 and NSS to 3.23 on iOS (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/nss.git@master
Patch Set: Created 4 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « nss/lib/certhigh/certvfy.c ('k') | nss/lib/certhigh/crlv2.c » ('j') | nss/lib/util/secoid.c » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: nss/lib/certhigh/certvfypkix.c
diff --git a/nss/lib/certhigh/certvfypkix.c b/nss/lib/certhigh/certvfypkix.c
index b89fe215fe84162e1efbf29528ec6002d209b3b7..5c11d7f6fff6ae6f58a7f287617c8baef5e6dc14 100644
--- a/nss/lib/certhigh/certvfypkix.c
+++ b/nss/lib/certhigh/certvfypkix.c
@@ -12,7 +12,7 @@
*/
#include "prerror.h"
#include "prprf.h"
-
+
#include "nspr.h"
#include "pk11func.h"
#include "certdb.h"
@@ -38,7 +38,6 @@ pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
PRInt32 parallelFnInvocationCount;
#endif /* PKIX_OBJECT_LEAK_TEST */
-
static PRBool usePKIXValidationEngine = PR_FALSE;
/*
@@ -104,7 +103,7 @@ CERT_GetUsePKIXForValidation()
* Returns NULL if the function succeeds.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
+static PKIX_Error *
cert_NssKeyUsagesToPkix(
PRUint32 nssKeyUsage,
PKIX_UInt32 *pPkixKeyUsage,
@@ -120,7 +119,7 @@ cert_NssKeyUsagesToPkix(
if (nssKeyUsage & KU_DIGITAL_SIGNATURE) {
pkixKeyUsage |= PKIX_DIGITAL_SIGNATURE;
}
-
+
if (nssKeyUsage & KU_NON_REPUDIATION) {
pkixKeyUsage |= PKIX_NON_REPUDIATION;
}
@@ -128,19 +127,19 @@ cert_NssKeyUsagesToPkix(
if (nssKeyUsage & KU_KEY_ENCIPHERMENT) {
pkixKeyUsage |= PKIX_KEY_ENCIPHERMENT;
}
-
+
if (nssKeyUsage & KU_DATA_ENCIPHERMENT) {
pkixKeyUsage |= PKIX_DATA_ENCIPHERMENT;
}
-
+
if (nssKeyUsage & KU_KEY_AGREEMENT) {
pkixKeyUsage |= PKIX_KEY_AGREEMENT;
}
-
+
if (nssKeyUsage & KU_KEY_CERT_SIGN) {
pkixKeyUsage |= PKIX_KEY_CERT_SIGN;
}
-
+
if (nssKeyUsage & KU_CRL_SIGN) {
pkixKeyUsage |= PKIX_CRL_SIGN;
}
@@ -148,7 +147,7 @@ cert_NssKeyUsagesToPkix(
if (nssKeyUsage & KU_ENCIPHER_ONLY) {
pkixKeyUsage |= PKIX_ENCIPHER_ONLY;
}
-
+
/* Not supported. XXX we should support this once it is
* fixed in NSS */
/* pkixKeyUsage |= PKIX_DECIPHER_ONLY; */
@@ -176,17 +175,17 @@ typedef struct {
} SECCertUsageToEku;
const SECCertUsageToEku certUsageEkuStringMap[] = {
- {certUsageSSLClient, ekuIndexSSLClient},
- {certUsageSSLServer, ekuIndexSSLServer},
- {certUsageSSLCA, ekuIndexSSLServer},
- {certUsageEmailSigner, ekuIndexEmail},
- {certUsageEmailRecipient, ekuIndexEmail},
- {certUsageObjectSigner, ekuIndexCodeSigner},
- {certUsageUserCertImport, ekuIndexUnknown},
- {certUsageVerifyCA, ekuIndexUnknown},
- {certUsageProtectedObjectSigner, ekuIndexUnknown},
- {certUsageStatusResponder, ekuIndexStatusResponder},
- {certUsageAnyCA, ekuIndexUnknown},
+ { certUsageSSLClient, ekuIndexSSLClient },
+ { certUsageSSLServer, ekuIndexSSLServer },
+ { certUsageSSLCA, ekuIndexSSLServer },
+ { certUsageEmailSigner, ekuIndexEmail },
+ { certUsageEmailRecipient, ekuIndexEmail },
+ { certUsageObjectSigner, ekuIndexCodeSigner },
+ { certUsageUserCertImport, ekuIndexUnknown },
+ { certUsageVerifyCA, ekuIndexUnknown },
+ { certUsageProtectedObjectSigner, ekuIndexUnknown },
+ { certUsageStatusResponder, ekuIndexStatusResponder },
+ { certUsageAnyCA, ekuIndexUnknown },
};
/*
@@ -200,15 +199,15 @@ const SECCertUsageToEku certUsageEkuStringMap[] = {
* "cert"
* Pointer to CERTCertificate structure of validating cert.
* "requiredCertUsages"
- * Required usage that will be converted to pkix eku and ku.
+ * Required usage that will be converted to pkix eku and ku.
* "requiredKeyUsage",
* Additional key usages impose to cert.
* "isCA",
- * it true, convert usages for cert that is a CA cert.
+ * it true, convert usages for cert that is a CA cert.
* "ppkixEKUList"
* Returned address of a list of pkix extended key usages.
* "ppkixKU"
- * Returned address of pkix required key usages bit field.
+ * Returned address of pkix required key usages bit field.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
@@ -218,29 +217,29 @@ const SECCertUsageToEku certUsageEkuStringMap[] = {
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
+static PKIX_Error *
cert_NssCertificateUsageToPkixKUAndEKU(
CERTCertificate *cert,
- SECCertUsage requiredCertUsage,
- PRUint32 requiredKeyUsages,
- PRBool isCA,
- PKIX_List **ppkixEKUList,
- PKIX_UInt32 *ppkixKU,
- void *plContext)
+ SECCertUsage requiredCertUsage,
+ PRUint32 requiredKeyUsages,
+ PRBool isCA,
+ PKIX_List **ppkixEKUList,
+ PKIX_UInt32 *ppkixKU,
+ void *plContext)
{
- PKIX_List *ekuOidsList = NULL;
- PKIX_PL_OID *ekuOid = NULL;
- int i = 0;
- int ekuIndex = ekuIndexUnknown;
+ PKIX_List *ekuOidsList = NULL;
+ PKIX_PL_OID *ekuOid = NULL;
+ int i = 0;
+ int ekuIndex = ekuIndexUnknown;
PKIX_ENTER(CERTVFYPKIX, "cert_NssCertificateUsageToPkixEku");
PKIX_NULLCHECK_TWO(ppkixEKUList, ppkixKU);
-
+
PKIX_CHECK(
PKIX_List_Create(&ekuOidsList, plContext),
PKIX_LISTCREATEFAILED);
- for (;i < PR_ARRAY_SIZE(certUsageEkuStringMap);i++) {
+ for (; i < PR_ARRAY_SIZE(certUsageEkuStringMap); i++) {
const SECCertUsageToEku *usageToEkuElem =
&certUsageEkuStringMap[i];
if (usageToEkuElem->certUsage == requiredCertUsage) {
@@ -249,25 +248,25 @@ cert_NssCertificateUsageToPkixKUAndEKU(
}
}
if (ekuIndex != ekuIndexUnknown) {
- PRUint32 reqKeyUsage = 0;
- PRUint32 reqCertType = 0;
+ PRUint32 reqKeyUsage = 0;
+ PRUint32 reqCertType = 0;
CERT_KeyUsageAndTypeForCertUsage(requiredCertUsage, isCA,
&reqKeyUsage,
&reqCertType);
-
+
requiredKeyUsages |= reqKeyUsage;
-
+
PKIX_CHECK(
PKIX_PL_OID_Create(ekuOidStrings[ekuIndex], &ekuOid,
plContext),
PKIX_OIDCREATEFAILED);
-
+
PKIX_CHECK(
PKIX_List_AppendItem(ekuOidsList, (PKIX_PL_Object *)ekuOid,
plContext),
PKIX_LISTAPPENDITEMFAILED);
-
+
PKIX_DECREF(ekuOid);
}
@@ -279,7 +278,7 @@ cert_NssCertificateUsageToPkixKUAndEKU(
ekuOidsList = NULL;
cleanup:
-
+
PKIX_DECREF(ekuOid);
PKIX_DECREF(ekuOidsList);
@@ -313,37 +312,36 @@ cleanup:
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
+static PKIX_Error *
cert_ProcessingParamsSetKeyAndCertUsage(
PKIX_ProcessingParams *procParams,
- SECCertUsage requiredCertUsage,
- PRUint32 requiredKeyUsages,
- void *plContext)
+ SECCertUsage requiredCertUsage,
+ PRUint32 requiredKeyUsages,
+ void *plContext)
{
- PKIX_CertSelector *certSelector = NULL;
+ PKIX_CertSelector *certSelector = NULL;
PKIX_ComCertSelParams *certSelParams = NULL;
- PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext*)plContext;
-
+ PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext;
+
PKIX_ENTER(CERTVFYPKIX, "cert_ProcessingParamsSetKeyAndCertUsage");
PKIX_NULLCHECK_TWO(procParams, nssContext);
-
+
PKIX_CHECK(
pkix_pl_NssContext_SetCertUsage(
- ((SECCertificateUsage)1) << requiredCertUsage, nssContext),
- PKIX_NSSCONTEXTSETCERTUSAGEFAILED);
+ ((SECCertificateUsage)1) << requiredCertUsage, nssContext),
+ PKIX_NSSCONTEXTSETCERTUSAGEFAILED);
if (requiredKeyUsages) {
PKIX_CHECK(
PKIX_ProcessingParams_GetTargetCertConstraints(procParams,
&certSelector, plContext),
PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
-
+
PKIX_CHECK(
PKIX_CertSelector_GetCommonCertSelectorParams(certSelector,
&certSelParams, plContext),
PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
-
-
+
PKIX_CHECK(
PKIX_ComCertSelParams_SetKeyUsage(certSelParams, requiredKeyUsages,
plContext),
@@ -357,7 +355,7 @@ cleanup:
}
/*
- * Unused parameters:
+ * Unused parameters:
*
* CERTCertList *initialChain,
* CERTCertStores certStores,
@@ -398,44 +396,44 @@ cleanup:
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
+static PKIX_Error *
cert_CreatePkixProcessingParams(
- CERTCertificate *cert,
- PRBool checkSig, /* not used yet. See bug 391476 */
- PRTime time,
- void *wincx,
- PRBool useArena,
- PRBool disableOCSPRemoteFetching,
+ CERTCertificate *cert,
+ PRBool checkSig, /* not used yet. See bug 391476 */
+ PRTime time,
+ void *wincx,
+ PRBool useArena,
+ PRBool disableOCSPRemoteFetching,
PKIX_ProcessingParams **pprocParams,
- void **pplContext)
+ void **pplContext)
{
- PKIX_List *anchors = NULL;
- PKIX_PL_Cert *targetCert = NULL;
- PKIX_PL_Date *date = NULL;
+ PKIX_List *anchors = NULL;
+ PKIX_PL_Cert *targetCert = NULL;
+ PKIX_PL_Date *date = NULL;
PKIX_ProcessingParams *procParams = NULL;
- PKIX_CertSelector *certSelector = NULL;
+ PKIX_CertSelector *certSelector = NULL;
PKIX_ComCertSelParams *certSelParams = NULL;
- PKIX_CertStore *certStore = NULL;
- PKIX_List *certStores = NULL;
+ PKIX_CertStore *certStore = NULL;
+ PKIX_List *certStores = NULL;
PKIX_RevocationChecker *revChecker = NULL;
- PKIX_UInt32 methodFlags = 0;
- void *plContext = NULL;
- CERTStatusConfig *statusConfig = NULL;
-
+ PKIX_UInt32 methodFlags = 0;
+ void *plContext = NULL;
+ CERTStatusConfig *statusConfig = NULL;
+
PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams");
PKIX_NULLCHECK_TWO(cert, pprocParams);
-
+
PKIX_CHECK(
PKIX_PL_NssContext_Create(0, useArena, wincx, &plContext),
PKIX_NSSCONTEXTCREATEFAILED);
*pplContext = plContext;
-#ifdef PKIX_NOTDEF
+#ifdef PKIX_NOTDEF
/* Functions should be implemented in patch for 390532 */
PKIX_CHECK(
pkix_pl_NssContext_SetCertSignatureCheck(checkSig,
- (PKIX_PL_NssContext*)plContext),
+ (PKIX_PL_NssContext *)plContext),
PKIX_NSSCONTEXTSETCERTSIGNCHECKFAILED);
#endif /* PKIX_NOTDEF */
@@ -443,11 +441,11 @@ cert_CreatePkixProcessingParams(
PKIX_CHECK(
PKIX_ProcessingParams_Create(&procParams, plContext),
PKIX_PROCESSINGPARAMSCREATEFAILED);
-
+
PKIX_CHECK(
PKIX_ComCertSelParams_Create(&certSelParams, plContext),
PKIX_COMCERTSELPARAMSCREATEFAILED);
-
+
PKIX_CHECK(
PKIX_PL_Cert_CreateFromCERTCertificate(cert, &targetCert, plContext),
PKIX_CERTCREATEWITHNSSCERTFAILED);
@@ -456,16 +454,16 @@ cert_CreatePkixProcessingParams(
PKIX_ComCertSelParams_SetCertificate(certSelParams,
targetCert, plContext),
PKIX_COMCERTSELPARAMSSETCERTIFICATEFAILED);
-
+
PKIX_CHECK(
PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext),
PKIX_COULDNOTCREATECERTSELECTOROBJECT);
-
+
PKIX_CHECK(
PKIX_CertSelector_SetCommonCertSelectorParams(certSelector,
certSelParams, plContext),
PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
-
+
PKIX_CHECK(
PKIX_ProcessingParams_SetTargetCertConstraints(procParams,
certSelector, plContext),
@@ -482,11 +480,11 @@ cert_CreatePkixProcessingParams(
PKIX_CHECK(
PKIX_PL_Pk11CertStore_Create(&certStore, plContext),
PKIX_PK11CERTSTORECREATEFAILED);
-
+
PKIX_CHECK(
PKIX_List_Create(&certStores, plContext),
PKIX_UNABLETOCREATELIST);
-
+
PKIX_CHECK(
PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore,
plContext),
@@ -507,11 +505,11 @@ cert_CreatePkixProcessingParams(
PKIX_CHECK(
PKIX_RevocationChecker_Create(
- PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
- PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
- PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
- PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
- &revChecker, plContext),
+ PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
+ PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
+ PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
+ PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
+ &revChecker, plContext),
PKIX_REVOCATIONCHECKERCREATEFAILED);
PKIX_CHECK(
@@ -520,27 +518,27 @@ cert_CreatePkixProcessingParams(
PKIX_PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED);
/* CRL method flags */
- methodFlags =
+ methodFlags =
PKIX_REV_M_TEST_USING_THIS_METHOD |
PKIX_REV_M_FORBID_NETWORK_FETCHING |
- PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
- PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
+ PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
+ PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
/* add CRL revocation method to check the leaf certificate */
PKIX_CHECK(
PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
- PKIX_RevocationMethod_CRL, methodFlags,
- 0, NULL, PKIX_TRUE, plContext),
+ PKIX_RevocationMethod_CRL, methodFlags,
+ 0, NULL, PKIX_TRUE, plContext),
PKIX_REVOCATIONCHECKERADDMETHODFAILED);
/* add CRL revocation method for other certs in the chain. */
PKIX_CHECK(
PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
- PKIX_RevocationMethod_CRL, methodFlags,
- 0, NULL, PKIX_FALSE, plContext),
+ PKIX_RevocationMethod_CRL, methodFlags,
+ 0, NULL, PKIX_FALSE, plContext),
PKIX_REVOCATIONCHECKERADDMETHODFAILED);
-
+
/* For compatibility with the old code, need to check that
* statusConfig is set in the db handle and status checker
* is defined befor allow ocsp status check on the leaf cert.*/
@@ -551,30 +549,30 @@ cert_CreatePkixProcessingParams(
/* OCSP method flags */
methodFlags =
PKIX_REV_M_TEST_USING_THIS_METHOD |
- PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */
- PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */
- PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
- PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
+ PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */
+ PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */
+ PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
+ PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
-
+
/* Disabling ocsp fetching when checking the status
* of ocsp response signer. Here and in the next if,
* adjust flags for ocsp signer cert validation case. */
if (disableOCSPRemoteFetching) {
methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING;
}
-
- if (ocsp_FetchingFailureIsVerificationFailure()
- && !disableOCSPRemoteFetching) {
+
+ if (ocsp_FetchingFailureIsVerificationFailure() &&
+ !disableOCSPRemoteFetching) {
methodFlags |=
PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;
}
-
+
/* add OCSP revocation method to check only the leaf certificate.*/
PKIX_CHECK(
PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
- PKIX_RevocationMethod_OCSP, methodFlags,
- 1, NULL, PKIX_TRUE, plContext),
+ PKIX_RevocationMethod_OCSP, methodFlags,
+ 1, NULL, PKIX_TRUE, plContext),
PKIX_REVOCATIONCHECKERADDMETHODFAILED);
}
@@ -585,14 +583,14 @@ cert_CreatePkixProcessingParams(
PKIX_CHECK(
PKIX_ProcessingParams_SetExplicitPolicyRequired(procParams, PR_FALSE,
- plContext),
+ plContext),
PKIX_PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED);
PKIX_CHECK(
PKIX_ProcessingParams_SetPolicyMappingInhibited(procParams, PR_FALSE,
plContext),
PKIX_PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED);
-
+
*pprocParams = procParams;
procParams = NULL;
@@ -615,10 +613,10 @@ cleanup:
* DESCRIPTION:
*
* Converts pkix cert list into nss cert list.
- *
+ *
* PARAMETERS:
* "pkixCertChain"
- * Pkix certificate list.
+ * Pkix certificate list.
* "pvalidChain"
* An address of returned nss certificate list.
* "plContext"
@@ -630,18 +628,18 @@ cleanup:
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
+static PKIX_Error *
cert_PkixToNssCertsChain(
- PKIX_List *pkixCertChain,
- CERTCertList **pvalidChain,
+ PKIX_List *pkixCertChain,
+ CERTCertList **pvalidChain,
void *plContext)
{
- PLArenaPool *arena = NULL;
+ PLArenaPool *arena = NULL;
CERTCertificate *nssCert = NULL;
- CERTCertList *validChain = NULL;
- PKIX_PL_Object *certItem = NULL;
- PKIX_UInt32 length = 0;
- PKIX_UInt32 i = 0;
+ CERTCertList *validChain = NULL;
+ PKIX_PL_Object *certItem = NULL;
+ PKIX_UInt32 length = 0;
+ PKIX_UInt32 i = 0;
PKIX_ENTER(CERTVFYPKIX, "cert_PkixToNssCertsChain");
PKIX_NULLCHECK_ONE(pvalidChain);
@@ -653,7 +651,7 @@ cert_PkixToNssCertsChain(
if (arena == NULL) {
PKIX_ERROR(PKIX_OUTOFMEMORY);
}
- validChain = (CERTCertList*)PORT_ArenaZAlloc(arena, sizeof(CERTCertList));
+ validChain = (CERTCertList *)PORT_ArenaZAlloc(arena, sizeof(CERTCertList));
if (validChain == NULL) {
PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
}
@@ -665,22 +663,22 @@ cert_PkixToNssCertsChain(
PKIX_List_GetLength(pkixCertChain, &length, plContext),
PKIX_LISTGETLENGTHFAILED);
- for (i = 0; i < length; i++){
+ for (i = 0; i < length; i++) {
CERTCertListNode *node = NULL;
PKIX_CHECK(
PKIX_List_GetItem(pkixCertChain, i, &certItem, plContext),
PKIX_LISTGETITEMFAILED);
-
+
PKIX_CHECK(
- PKIX_PL_Cert_GetCERTCertificate((PKIX_PL_Cert*)certItem, &nssCert,
- plContext),
+ PKIX_PL_Cert_GetCERTCertificate((PKIX_PL_Cert *)certItem, &nssCert,
+ plContext),
PKIX_CERTGETCERTCERTIFICATEFAILED);
-
+
node =
(CERTCertListNode *)PORT_ArenaZAlloc(validChain->arena,
sizeof(CERTCertListNode));
- if ( node == NULL ) {
+ if (node == NULL) {
PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
}
@@ -695,7 +693,7 @@ cert_PkixToNssCertsChain(
*pvalidChain = validChain;
cleanup:
- if (PKIX_ERROR_RECEIVED){
+ if (PKIX_ERROR_RECEIVED) {
if (validChain) {
CERT_DestroyCertList(validChain);
} else if (arena) {
@@ -710,7 +708,6 @@ cleanup:
PKIX_RETURN(CERTVFYPKIX);
}
-
/*
* FUNCTION: cert_BuildAndValidateChain
* DESCRIPTION:
@@ -738,7 +735,7 @@ cleanup:
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
+static PKIX_Error *
cert_BuildAndValidateChain(
PKIX_ProcessingParams *procParams,
PKIX_BuildResult **pResult,
@@ -746,19 +743,19 @@ cert_BuildAndValidateChain(
void *plContext)
{
PKIX_BuildResult *result = NULL;
- PKIX_VerifyNode *verifyNode = NULL;
- void *nbioContext = NULL;
- void *state = NULL;
-
+ PKIX_VerifyNode *verifyNode = NULL;
+ void *nbioContext = NULL;
+ void *state = NULL;
+
PKIX_ENTER(CERTVFYPKIX, "cert_BuildAndVerifyChain");
PKIX_NULLCHECK_TWO(procParams, pResult);
-
+
do {
if (nbioContext && state) {
/* PKIX-XXX: need to test functionality of NBIO handling in libPkix.
* See bug 391180 */
PRInt32 filesReady = 0;
- PRPollDesc *pollDesc = (PRPollDesc*)nbioContext;
+ PRPollDesc *pollDesc = (PRPollDesc *)nbioContext;
filesReady = PR_Poll(pollDesc, 1, PR_INTERVAL_NO_TIMEOUT);
if (filesReady <= 0) {
PKIX_ERROR(PKIX_PRPOLLRETBADFILENUM);
@@ -769,7 +766,7 @@ cert_BuildAndValidateChain(
PKIX_BuildChain(procParams, &nbioContext, &state,
&result, &verifyNode, plContext),
PKIX_UNABLETOBUILDCHAIN);
-
+
} while (nbioContext && state);
*pResult = result;
@@ -782,7 +779,6 @@ cleanup:
PKIX_RETURN(CERTVFYPKIX);
}
-
/*
* FUNCTION: cert_PkixErrorToNssCode
* DESCRIPTION:
@@ -817,16 +813,17 @@ cert_PkixErrorToNssCode(
PKIX_ENTER(CERTVFYPKIX, "cert_PkixErrorToNssCode");
PKIX_NULLCHECK_TWO(error, pNssErr);
-
+
/* Loop until we find at least one error with non-null
* plErr code, that is going to be nss error code. */
while (errPtr) {
if (errPtr->plErr && !nssErr) {
nssErr = errPtr->plErr;
- if (!pkixLog) break;
+ if (!pkixLog)
+ break;
}
if (pkixLog) {
-#ifdef PKIX_ERROR_DESCRIPTION
+#ifdef PKIX_ERROR_DESCRIPTION
PR_LOG(pkixLog, 2, ("Error at level %d: %s\n", errLevel,
PKIX_ErrorText[errPtr->errCode]));
#else
@@ -835,7 +832,7 @@ cert_PkixErrorToNssCode(
#endif /* PKIX_ERROR_DESCRIPTION */
}
errPtr = errPtr->cause;
- errLevel += 1;
+ errLevel += 1;
}
PORT_Assert(nssErr);
if (!nssErr) {
@@ -856,7 +853,7 @@ cert_PkixErrorToNssCode(
*
* PARAMETERS:
* "log"
- * Pointed to already allocated CERTVerifyLog structure.
+ * Pointed to already allocated CERTVerifyLog structure.
* "node"
* A node of PKIX_VerifyNode tree.
* "plContext"
@@ -874,7 +871,7 @@ cert_GetLogFromVerifyNode(
PKIX_VerifyNode *node,
void *plContext)
{
- PKIX_List *children = NULL;
+ PKIX_List *children = NULL;
PKIX_VerifyNode *childNode = NULL;
PKIX_ENTER(CERTVFYPKIX, "cert_GetLogFromVerifyNode");
@@ -894,26 +891,26 @@ cert_GetLogFromVerifyNode(
cert_PkixErrorToNssCode(node->error, &nssErrorCode,
plContext),
PKIX_GETPKIXERRORCODEFAILED);
-
+
cert_AddToVerifyLog(log, cert, nssErrorCode, node->depth, NULL);
}
}
PKIX_RETURN(CERTVFYPKIX);
} else {
- PRUint32 i = 0;
- PKIX_UInt32 length = 0;
+ PRUint32 i = 0;
+ PKIX_UInt32 length = 0;
PKIX_CHECK(
PKIX_List_GetLength(children, &length, plContext),
PKIX_LISTGETLENGTHFAILED);
-
- for (i = 0; i < length; i++){
+
+ for (i = 0; i < length; i++) {
PKIX_CHECK(
- PKIX_List_GetItem(children, i, (PKIX_PL_Object**)&childNode,
+ PKIX_List_GetItem(children, i, (PKIX_PL_Object **)&childNode,
plContext),
PKIX_LISTGETITEMFAILED);
-
+
PKIX_CHECK(
cert_GetLogFromVerifyNode(log, childNode, plContext),
PKIX_ERRORINRECURSIVEEQUALSCALL);
@@ -943,7 +940,7 @@ cleanup:
* In case of failure it will convert:
* * pkix error to PR error code(will set it with PORT_SetError)
* * pkix validation log to nss CERTVerifyLog
- *
+ *
* PARAMETERS:
* "buildResult"
* Build results returned by PKIX_BuildChain.
@@ -968,23 +965,23 @@ cleanup:
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
+static PKIX_Error *
cert_GetBuildResults(
PKIX_BuildResult *buildResult,
- PKIX_VerifyNode *verifyNode,
- PKIX_Error *error,
- CERTVerifyLog *log,
+ PKIX_VerifyNode *verifyNode,
+ PKIX_Error *error,
+ CERTVerifyLog *log,
CERTCertificate **ptrustedRoot,
- CERTCertList **pvalidChain,
- void *plContext)
+ CERTCertList **pvalidChain,
+ void *plContext)
{
PKIX_ValidateResult *validResult = NULL;
- CERTCertList *validChain = NULL;
- CERTCertificate *trustedRoot = NULL;
- PKIX_TrustAnchor *trustAnchor = NULL;
- PKIX_PL_Cert *trustedCert = NULL;
- PKIX_List *pkixCertChain = NULL;
-
+ CERTCertList *validChain = NULL;
+ CERTCertificate *trustedRoot = NULL;
+ PKIX_TrustAnchor *trustAnchor = NULL;
+ PKIX_PL_Cert *trustedCert = NULL;
+ PKIX_List *pkixCertChain = NULL;
+
PKIX_ENTER(CERTVFYPKIX, "cert_GetBuildResults");
if (buildResult == NULL && error == NULL) {
PKIX_ERROR(PKIX_NULLARGUMENT);
@@ -1036,7 +1033,7 @@ cert_GetBuildResults(
plContext),
PKIX_CERTGETCERTCERTIFICATEFAILED);
}
-
+
PORT_Assert(!PKIX_ERROR_RECEIVED);
if (trustedRoot) {
@@ -1062,7 +1059,7 @@ cleanup:
PKIX_DECREF(error);
PKIX_DECREF(verifyNode);
PKIX_DECREF(buildResult);
-
+
PKIX_RETURN(CERTVFYPKIX);
}
@@ -1103,27 +1100,27 @@ cleanup:
SECStatus
cert_VerifyCertChainPkix(
CERTCertificate *cert,
- PRBool checkSig,
- SECCertUsage requiredUsage,
- PRTime time,
- void *wincx,
- CERTVerifyLog *log,
- PRBool *pSigerror,
- PRBool *pRevoked)
+ PRBool checkSig,
+ SECCertUsage requiredUsage,
+ PRTime time,
+ void *wincx,
+ CERTVerifyLog *log,
+ PRBool *pSigerror,
+ PRBool *pRevoked)
{
PKIX_ProcessingParams *procParams = NULL;
- PKIX_BuildResult *result = NULL;
- PKIX_VerifyNode *verifyNode = NULL;
- PKIX_Error *error = NULL;
+ PKIX_BuildResult *result = NULL;
+ PKIX_VerifyNode *verifyNode = NULL;
+ PKIX_Error *error = NULL;
- SECStatus rv = SECFailure;
- void *plContext = NULL;
+ SECStatus rv = SECFailure;
+ void *plContext = NULL;
#ifdef PKIX_OBJECT_LEAK_TEST
- int leakedObjNum = 0;
- int memLeakLoopCount = 0;
- int objCountTable[PKIX_NUMTYPES];
- int fnInvLocalCount = 0;
+ int leakedObjNum = 0;
+ int memLeakLoopCount = 0;
+ int objCountTable[PKIX_NUMTYPES];
+ int fnInvLocalCount = 0;
PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine;
if (usePKIXValidationEngine) {
@@ -1136,93 +1133,94 @@ cert_VerifyCertChainPkix(
testStartFnStackPosition = 2;
fnStackNameArr[0] = "cert_VerifyCertChainPkix";
fnStackInvCountArr[0] = 0;
- PKIX_Boolean abortOnLeak =
- (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
- PKIX_FALSE : PKIX_TRUE;
+ PKIX_Boolean abortOnLeak =
+ (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? PKIX_FALSE
+ : PKIX_TRUE;
runningLeakTest = PKIX_TRUE;
/* Prevent multi-threaded run of object leak test */
fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
PORT_Assert(fnInvLocalCount == 1);
-do {
- rv = SECFailure;
- plContext = NULL;
- procParams = NULL;
- result = NULL;
- verifyNode = NULL;
- error = NULL;
- errorGenerated = PKIX_FALSE;
- stackPosition = 0;
-
- if (leakedObjNum) {
- pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
- }
- memLeakLoopCount += 1;
+ do {
+ rv = SECFailure;
+ plContext = NULL;
+ procParams = NULL;
+ result = NULL;
+ verifyNode = NULL;
+ error = NULL;
+ errorGenerated = PKIX_FALSE;
+ stackPosition = 0;
+
+ if (leakedObjNum) {
+ pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
+ }
+ memLeakLoopCount += 1;
#endif /* PKIX_OBJECT_LEAK_TEST */
- error =
- cert_CreatePkixProcessingParams(cert, checkSig, time, wincx,
- PR_FALSE/*use arena*/,
- requiredUsage == certUsageStatusResponder,
- &procParams, &plContext);
- if (error) {
- goto cleanup;
- }
+ error =
+ cert_CreatePkixProcessingParams(cert, checkSig, time, wincx,
+ PR_FALSE /*use arena*/,
+ requiredUsage == certUsageStatusResponder,
+ &procParams, &plContext);
+ if (error) {
+ goto cleanup;
+ }
- error =
- cert_ProcessingParamsSetKeyAndCertUsage(procParams, requiredUsage, 0,
- plContext);
- if (error) {
- goto cleanup;
- }
+ error =
+ cert_ProcessingParamsSetKeyAndCertUsage(procParams, requiredUsage, 0,
+ plContext);
+ if (error) {
+ goto cleanup;
+ }
- error =
- cert_BuildAndValidateChain(procParams, &result, &verifyNode, plContext);
- if (error) {
- goto cleanup;
- }
-
- if (pRevoked) {
- /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
- *pRevoked = PR_FALSE;
- }
- if (pSigerror) {
- /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
- *pSigerror = PR_FALSE;
- }
- rv = SECSuccess;
+ error =
+ cert_BuildAndValidateChain(procParams, &result, &verifyNode, plContext);
+ if (error) {
+ goto cleanup;
+ }
-cleanup:
- error = cert_GetBuildResults(result, verifyNode, error, log, NULL, NULL,
- plContext);
- if (error) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
- }
- if (procParams) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
- }
- if (plContext) {
- PKIX_PL_NssContext_Destroy(plContext);
- }
+ if (pRevoked) {
+ /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
+ *pRevoked = PR_FALSE;
+ }
+ if (pSigerror) {
+ /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
+ *pSigerror = PR_FALSE;
+ }
+ rv = SECSuccess;
+
+ cleanup:
+ error = cert_GetBuildResults(result, verifyNode, error, log, NULL, NULL,
+ plContext);
+ if (error) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+ }
+ if (procParams) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
+ }
+ if (plContext) {
+ PKIX_PL_NssContext_Destroy(plContext);
+ }
#ifdef PKIX_OBJECT_LEAK_TEST
- leakedObjNum =
- pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL);
-
- if (pkixLog && leakedObjNum) {
- PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d."
- "Stack %s\n", memLeakLoopCount, errorFnStackString));
- }
- PR_Free(errorFnStackString);
- errorFnStackString = NULL;
- if (abortOnLeak) {
- PORT_Assert(leakedObjNum == 0);
- }
+ leakedObjNum =
+ pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL);
-} while (errorGenerated);
+ if (pkixLog && leakedObjNum) {
+ PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d."
+ "Stack %s\n",
+ memLeakLoopCount, errorFnStackString));
+ }
+ PR_Free(errorFnStackString);
+ errorFnStackString = NULL;
+ if (abortOnLeak) {
+ PORT_Assert(leakedObjNum == 0);
+ }
- runningLeakTest = PKIX_FALSE;
+ } while (errorGenerated);
+
+ runningLeakTest = PKIX_FALSE;
PR_ATOMIC_DECREMENT(&parallelFnInvocationCount);
usePKIXValidationEngine = savedUsePkixEngFlag;
#endif /* PKIX_OBJECT_LEAK_TEST */
@@ -1231,50 +1229,55 @@ cleanup:
}
PKIX_CertSelector *
-cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext)
+cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext)
{
PKIX_ComCertSelParams *certSelParams = NULL;
PKIX_CertSelector *certSelector = NULL;
- PKIX_CertSelector *r= NULL;
+ PKIX_CertSelector *r = NULL;
PKIX_PL_Cert *eeCert = NULL;
PKIX_Error *error = NULL;
error = PKIX_PL_Cert_CreateFromCERTCertificate(target, &eeCert, plContext);
- if (error != NULL) goto cleanup;
+ if (error != NULL)
+ goto cleanup;
error = PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext);
- if (error != NULL) goto cleanup;
+ if (error != NULL)
+ goto cleanup;
error = PKIX_ComCertSelParams_Create(&certSelParams, plContext);
- if (error != NULL) goto cleanup;
+ if (error != NULL)
+ goto cleanup;
error = PKIX_ComCertSelParams_SetCertificate(
- certSelParams, eeCert, plContext);
- if (error != NULL) goto cleanup;
+ certSelParams, eeCert, plContext);
+ if (error != NULL)
+ goto cleanup;
- error = PKIX_CertSelector_SetCommonCertSelectorParams
- (certSelector, certSelParams, plContext);
- if (error != NULL) goto cleanup;
+ error = PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelParams, plContext);
+ if (error != NULL)
+ goto cleanup;
error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certSelector, plContext);
- if (error == NULL) r = certSelector;
+ if (error == NULL)
+ r = certSelector;
cleanup:
- if (certSelParams != NULL)
+ if (certSelParams != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelParams, plContext);
- if (eeCert != NULL)
+ if (eeCert != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)eeCert, plContext);
- if (certSelector != NULL)
+ if (certSelector != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
if (error != NULL) {
- SECErrorCodes nssErr;
+ SECErrorCodes nssErr;
- cert_PkixErrorToNssCode(error, &nssErr, plContext);
+ cert_PkixErrorToNssCode(error, &nssErr, plContext);
PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
- PORT_SetError(nssErr);
+ PORT_SetError(nssErr);
}
return r;
@@ -1289,39 +1292,42 @@ cert_GetCertStores(void *plContext)
PKIX_Error *error = NULL;
error = PKIX_PL_Pk11CertStore_Create(&certStore, plContext);
- if (error != NULL) goto cleanup;
+ if (error != NULL)
+ goto cleanup;
error = PKIX_List_Create(&certStores, plContext);
- if (error != NULL) goto cleanup;
+ if (error != NULL)
+ goto cleanup;
- error = PKIX_List_AppendItem( certStores,
- (PKIX_PL_Object *)certStore, plContext);
- if (error != NULL) goto cleanup;
+ error = PKIX_List_AppendItem(certStores,
+ (PKIX_PL_Object *)certStore, plContext);
+ if (error != NULL)
+ goto cleanup;
error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certStores, plContext);
- if (error == NULL) r = certStores;
+ if (error == NULL)
+ r = certStores;
cleanup:
- if (certStores != NULL)
+ if (certStores != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
- if (certStore != NULL)
+ if (certStore != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStore, plContext);
if (error != NULL) {
- SECErrorCodes nssErr;
+ SECErrorCodes nssErr;
- cert_PkixErrorToNssCode(error, &nssErr, plContext);
+ cert_PkixErrorToNssCode(error, &nssErr, plContext);
PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
- PORT_SetError(nssErr);
+ PORT_SetError(nssErr);
}
return r;
}
-
struct fake_PKIX_PL_CertStruct {
- CERTCertificate *nssCert;
+ CERTCertificate *nssCert;
};
/* This needs to be part of the PKIX_PL_* */
@@ -1332,12 +1338,13 @@ cert_NSSCertFromPKIXCert(const PKIX_PL_Cert *pkix_cert)
{
struct fake_PKIX_PL_CertStruct *fcert = NULL;
- fcert = (struct fake_PKIX_PL_CertStruct*)pkix_cert;
+ fcert = (struct fake_PKIX_PL_CertStruct *)pkix_cert;
return CERT_DupCertificate(fcert->nssCert);
}
-PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plContext)
+PKIX_List *
+cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plContext)
{
PKIX_List *r = NULL;
PKIX_List *policyList = NULL;
@@ -1347,16 +1354,16 @@ PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plCon
error = PKIX_List_Create(&policyList, plContext);
if (error != NULL) {
- goto cleanup;
+ goto cleanup;
}
- for (i=0; i<oidCount; i++) {
+ for (i = 0; i < oidCount; i++) {
error = PKIX_PL_OID_Create(oids[i], &policyOID, plContext);
if (error) {
goto cleanup;
}
- error = PKIX_List_AppendItem(policyList,
- (PKIX_PL_Object *)policyOID, plContext);
+ error = PKIX_List_AppendItem(policyList,
+ (PKIX_PL_Object *)policyOID, plContext);
if (error != NULL) {
goto cleanup;
}
@@ -1365,19 +1372,21 @@ PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plCon
}
error = PKIX_List_SetImmutable(policyList, plContext);
- if (error != NULL) goto cleanup;
+ if (error != NULL)
+ goto cleanup;
error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)policyList, plContext);
- if (error == NULL) r = policyList;
+ if (error == NULL)
+ r = policyList;
cleanup:
- if (policyOID != NULL) {
+ if (policyOID != NULL) {
PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext);
}
- if (policyList != NULL) {
+ if (policyList != NULL) {
PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyList, plContext);
}
- if (error != NULL) {
+ if (error != NULL) {
PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
}
@@ -1393,14 +1402,13 @@ cert_pkix_FindOutputParam(CERTValOutParam *params, const CERTValParamOutType t)
}
for (i = params; i->type != cert_po_end; i++) {
if (i->type == t) {
- return i;
+ return i;
}
}
return NULL;
}
-
-static PKIX_Error*
+static PKIX_Error *
setRevocationMethod(PKIX_RevocationChecker *revChecker,
PKIX_ProcessingParams *procParams,
const CERTRevocationTests *revTest,
@@ -1413,14 +1421,14 @@ setRevocationMethod(PKIX_RevocationChecker *revChecker,
PKIX_UInt32 methodFlags = 0;
PKIX_Error *error = NULL;
PKIX_UInt32 priority = 0;
-
+
if (revTest->number_of_defined_methods <= (PRUint32)certRevMethod) {
return NULL;
}
if (revTest->preferred_methods) {
unsigned int i = 0;
- for (;i < revTest->number_of_preferred_methods;i++) {
- if (revTest->preferred_methods[i] == certRevMethod)
+ for (; i < revTest->number_of_preferred_methods; i++) {
+ if (revTest->preferred_methods[i] == certRevMethod)
break;
}
priority = i;
@@ -1432,19 +1440,18 @@ setRevocationMethod(PKIX_RevocationChecker *revChecker,
}
error =
PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
- pkixRevMethod, methodFlags,
- priority, NULL,
- isLeafTest, plContext);
+ pkixRevMethod, methodFlags,
+ priority, NULL,
+ isLeafTest, plContext);
return error;
}
-
SECStatus
-cert_pkixSetParam(PKIX_ProcessingParams *procParams,
- const CERTValInParam *param, void *plContext)
+cert_pkixSetParam(PKIX_ProcessingParams *procParams,
+ const CERTValInParam *param, void *plContext)
{
- PKIX_Error * error = NULL;
- SECStatus r=SECSuccess;
+ PKIX_Error *error = NULL;
+ SECStatus r = SECSuccess;
PKIX_PL_Date *date = NULL;
PKIX_List *policyOIDList = NULL;
PKIX_List *certListPkix = NULL;
@@ -1465,22 +1472,22 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
/* needed? */
error = PKIX_ProcessingParams_SetExplicitPolicyRequired(
- procParams, PKIX_TRUE, plContext);
+ procParams, PKIX_TRUE, plContext);
- if (error != NULL) {
+ if (error != NULL) {
break;
}
policyOIDList = cert_PKIXMakeOIDList(param->value.array.oids,
- param->value.arraySize,plContext);
- if (policyOIDList == NULL) {
- r = SECFailure;
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- break;
- }
+ param->value.arraySize, plContext);
+ if (policyOIDList == NULL) {
+ r = SECFailure;
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ break;
+ }
error = PKIX_ProcessingParams_SetInitialPolicies(
- procParams,policyOIDList,plContext);
+ procParams, policyOIDList, plContext);
break;
case cert_pi_date:
@@ -1492,7 +1499,7 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
}
} else {
error = pkix_pl_Date_CreateFromPRTime(param->value.scalar.time,
- &date, plContext);
+ &date, plContext);
if (error != NULL) {
errCode = SEC_ERROR_INVALID_TIME;
break;
@@ -1505,8 +1512,7 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
}
break;
- case cert_pi_revocationFlags:
- {
+ case cert_pi_revocationFlags: {
PKIX_UInt32 leafIMFlags = 0;
PKIX_UInt32 chainIMFlags = 0;
PKIX_Boolean validatingResponderCert = PKIX_FALSE;
@@ -1518,7 +1524,7 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
break;
}
- leafIMFlags =
+ leafIMFlags =
flags->leafTests.cert_rev_method_independent_flags;
chainIMFlags =
flags->chainTests.cert_rev_method_independent_flags;
@@ -1532,12 +1538,12 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
error =
PKIX_ProcessingParams_SetRevocationChecker(procParams,
- revChecker, plContext);
+ revChecker, plContext);
if (error) {
break;
}
- if (((PKIX_PL_NssContext*)plContext)->certificateUsage &
+ if (((PKIX_PL_NssContext *)plContext)->certificateUsage &
certificateUsageStatusResponder) {
validatingResponderCert = PKIX_TRUE;
}
@@ -1582,8 +1588,7 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
break;
}
- }
- break;
+ } break;
case cert_pi_trustAnchors:
certList = param->value.pointer.chain;
@@ -1596,10 +1601,10 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
if (error != NULL) {
break;
}
- for(node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList);
- node = CERT_LIST_NEXT(node) ) {
+ for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList);
+ node = CERT_LIST_NEXT(node)) {
error = PKIX_PL_Cert_CreateFromCERTCertificate(node->cert,
- &certPkix, plContext);
+ &certPkix, plContext);
if (error) {
break;
}
@@ -1609,8 +1614,8 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
break;
}
error = PKIX_List_AppendItem(certListPkix,
- (PKIX_PL_Object*)trustAnchor, plContext);
- if (error) {
+ (PKIX_PL_Object *)trustAnchor, plContext);
+ if (error) {
break;
}
PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
@@ -1626,12 +1631,12 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
case cert_pi_useAIACertFetch:
error =
PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
- (PRBool)(param->value.scalar.b != 0),
+ (PRBool)(param->value.scalar.b !=
+ 0),
plContext);
break;
- case cert_pi_chainVerifyCallback:
- {
+ case cert_pi_chainVerifyCallback: {
const CERTChainVerifyCallback *chainVerifyCallback =
param->value.pointer.chainVerifyCallback;
if (!chainVerifyCallback || !chainVerifyCallback->isChainValid) {
@@ -1641,13 +1646,13 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
}
nssContext->chainVerifyCallback = *chainVerifyCallback;
- }
- break;
+ } break;
case cert_pi_useOnlyTrustAnchors:
error =
PKIX_ProcessingParams_SetUseOnlyTrustAnchors(procParams,
- (PRBool)(param->value.scalar.b != 0),
+ (PRBool)(param->value.scalar.b !=
+ 0),
plContext);
break;
@@ -1660,19 +1665,19 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
if (policyOIDList != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOIDList, plContext);
- if (date != NULL)
+ if (date != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)date, plContext);
- if (revChecker != NULL)
+ if (revChecker != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)revChecker, plContext);
- if (certListPkix)
+ if (certListPkix)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)certListPkix, plContext);
- if (trustAnchor)
+ if (trustAnchor)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
- if (certPkix)
+ if (certPkix)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext);
if (error != NULL) {
@@ -1681,8 +1686,7 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
r = SECFailure;
}
- return r;
-
+ return r;
}
void
@@ -1695,207 +1699,188 @@ cert_pkixDestroyValOutParam(CERTValOutParam *params)
}
for (i = params; i->type != cert_po_end; i++) {
switch (i->type) {
- case cert_po_trustAnchor:
- if (i->value.pointer.cert) {
- CERT_DestroyCertificate(i->value.pointer.cert);
- i->value.pointer.cert = NULL;
- }
- break;
+ case cert_po_trustAnchor:
+ if (i->value.pointer.cert) {
+ CERT_DestroyCertificate(i->value.pointer.cert);
+ i->value.pointer.cert = NULL;
+ }
+ break;
- case cert_po_certList:
- if (i->value.pointer.chain) {
- CERT_DestroyCertList(i->value.pointer.chain);
- i->value.pointer.chain = NULL;
- }
- break;
+ case cert_po_certList:
+ if (i->value.pointer.chain) {
+ CERT_DestroyCertList(i->value.pointer.chain);
+ i->value.pointer.chain = NULL;
+ }
+ break;
- default:
- break;
+ default:
+ break;
}
}
}
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- CERT_REV_M_TEST_USING_THIS_METHOD
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ CERT_REV_M_TEST_USING_THIS_METHOD
};
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- 0
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ 0
};
-static CERTRevocationMethodIndex
-certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference = {
- cert_revocation_method_crl
-};
+static CERTRevocationMethodIndex
+ certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference = {
+ cert_revocation_method_crl
+ };
static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy = {
- {
- /* leafTests */
- 2,
- certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags,
- 1,
- &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference,
- 0
- },
- {
- /* chainTests */
- 2,
- certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags,
- 0,
- 0,
- 0
- }
+ { /* leafTests */
+ 2,
+ certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags,
+ 1,
+ &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference,
+ 0 },
+ { /* chainTests */
+ 2,
+ certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags,
+ 0,
+ 0,
+ 0 }
};
-extern const CERTRevocationFlags*
+extern const CERTRevocationFlags *
CERT_GetClassicOCSPEnabledSoftFailurePolicy()
{
return &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy;
}
-
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
};
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- 0
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ 0
};
-static CERTRevocationMethodIndex
-certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference = {
- cert_revocation_method_crl
-};
+static CERTRevocationMethodIndex
+ certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference = {
+ cert_revocation_method_crl
+ };
static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy = {
- {
- /* leafTests */
- 2,
- certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags,
- 1,
- &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference,
- 0
- },
- {
- /* chainTests */
- 2,
- certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags,
- 0,
- 0,
- 0
- }
+ { /* leafTests */
+ 2,
+ certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags,
+ 1,
+ &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference,
+ 0 },
+ { /* chainTests */
+ 2,
+ certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags,
+ 0,
+ 0,
+ 0 }
};
-extern const CERTRevocationFlags*
+extern const CERTRevocationFlags *
CERT_GetClassicOCSPEnabledHardFailurePolicy()
{
return &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy;
}
-
static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- 0
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ 0
};
static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- 0
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ 0
};
static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Disabled_Policy = {
- {
- /* leafTests */
- 2,
- certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags,
- 0,
- 0,
- 0
- },
- {
- /* chainTests */
- 2,
- certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags,
- 0,
- 0,
- 0
- }
+ { /* leafTests */
+ 2,
+ certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags,
+ 0,
+ 0,
+ 0 },
+ { /* chainTests */
+ 2,
+ certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags,
+ 0,
+ 0,
+ 0 }
};
-extern const CERTRevocationFlags*
+extern const CERTRevocationFlags *
CERT_GetClassicOCSPDisabledPolicy()
{
return &certRev_NSS_3_11_Ocsp_Disabled_Policy;
}
-
static PRUint64 certRev_PKIX_Verify_Nist_Policy_LeafFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
- | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
- /* ocsp */
- 0
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO |
+ CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
+ /* ocsp */
+ 0
};
static PRUint64 certRev_PKIX_Verify_Nist_Policy_ChainFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
- | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
- /* ocsp */
- 0
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO |
+ CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
+ /* ocsp */
+ 0
};
static const CERTRevocationFlags certRev_PKIX_Verify_Nist_Policy = {
- {
- /* leafTests */
- 2,
- certRev_PKIX_Verify_Nist_Policy_LeafFlags,
- 0,
- 0,
- 0
- },
- {
- /* chainTests */
- 2,
- certRev_PKIX_Verify_Nist_Policy_ChainFlags,
- 0,
- 0,
- 0
- }
+ { /* leafTests */
+ 2,
+ certRev_PKIX_Verify_Nist_Policy_LeafFlags,
+ 0,
+ 0,
+ 0 },
+ { /* chainTests */
+ 2,
+ certRev_PKIX_Verify_Nist_Policy_ChainFlags,
+ 0,
+ 0,
+ 0 }
};
-extern const CERTRevocationFlags*
+extern const CERTRevocationFlags *
CERT_GetPKIXVerifyNistRevocationPolicy()
{
return &certRev_PKIX_Verify_Nist_Policy;
@@ -1907,56 +1892,57 @@ CERT_AllocCERTRevocationFlags(
PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods)
{
CERTRevocationFlags *flags;
-
+
flags = PORT_New(CERTRevocationFlags);
if (!flags)
- return(NULL);
-
+ return (NULL);
+
flags->leafTests.number_of_defined_methods = number_leaf_methods;
- flags->leafTests.cert_rev_flags_per_method =
+ flags->leafTests.cert_rev_flags_per_method =
PORT_NewArray(PRUint64, number_leaf_methods);
flags->leafTests.number_of_preferred_methods = number_leaf_pref_methods;
- flags->leafTests.preferred_methods =
+ flags->leafTests.preferred_methods =
PORT_NewArray(CERTRevocationMethodIndex, number_leaf_pref_methods);
flags->chainTests.number_of_defined_methods = number_chain_methods;
- flags->chainTests.cert_rev_flags_per_method =
+ flags->chainTests.cert_rev_flags_per_method =
PORT_NewArray(PRUint64, number_chain_methods);
flags->chainTests.number_of_preferred_methods = number_chain_pref_methods;
- flags->chainTests.preferred_methods =
+ flags->chainTests.preferred_methods =
PORT_NewArray(CERTRevocationMethodIndex, number_chain_pref_methods);
-
- if (!flags->leafTests.cert_rev_flags_per_method
- || !flags->leafTests.preferred_methods
- || !flags->chainTests.cert_rev_flags_per_method
- || !flags->chainTests.preferred_methods) {
+
+ if (!flags->leafTests.cert_rev_flags_per_method ||
+ !flags->leafTests.preferred_methods ||
+ !flags->chainTests.cert_rev_flags_per_method ||
+ !flags->chainTests.preferred_methods) {
CERT_DestroyCERTRevocationFlags(flags);
return (NULL);
}
-
+
return flags;
}
-void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags)
+void
+CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags)
{
if (!flags)
- return;
-
+ return;
+
if (flags->leafTests.cert_rev_flags_per_method)
PORT_Free(flags->leafTests.cert_rev_flags_per_method);
if (flags->leafTests.preferred_methods)
PORT_Free(flags->leafTests.preferred_methods);
-
+
if (flags->chainTests.cert_rev_flags_per_method)
PORT_Free(flags->chainTests.cert_rev_flags_per_method);
if (flags->chainTests.preferred_methods)
PORT_Free(flags->chainTests.preferred_methods);
- PORT_Free(flags);
+ PORT_Free(flags);
}
/*
@@ -1984,36 +1970,37 @@ void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags)
*
* CERT_PKIXVerifyCert(cert, &output, args
*/
-SECStatus CERT_PKIXVerifyCert(
- CERTCertificate *cert,
- SECCertificateUsage usages,
- CERTValInParam *paramsIn,
- CERTValOutParam *paramsOut,
- void *wincx)
+SECStatus
+CERT_PKIXVerifyCert(
+ CERTCertificate *cert,
+ SECCertificateUsage usages,
+ CERTValInParam *paramsIn,
+ CERTValOutParam *paramsOut,
+ void *wincx)
{
- SECStatus r = SECFailure;
- PKIX_Error * error = NULL;
+ SECStatus r = SECFailure;
+ PKIX_Error *error = NULL;
PKIX_ProcessingParams *procParams = NULL;
- PKIX_BuildResult * buildResult = NULL;
- void * nbioContext = NULL; /* for non-blocking IO */
- void * buildState = NULL; /* for non-blocking IO */
- PKIX_CertSelector * certSelector = NULL;
- PKIX_List * certStores = NULL;
- PKIX_ValidateResult * valResult = NULL;
- PKIX_VerifyNode * verifyNode = NULL;
- PKIX_TrustAnchor * trustAnchor = NULL;
- PKIX_PL_Cert * trustAnchorCert = NULL;
- PKIX_List * builtCertList = NULL;
- CERTValOutParam * oparam = NULL;
- int i=0;
+ PKIX_BuildResult *buildResult = NULL;
+ void *nbioContext = NULL; /* for non-blocking IO */
+ void *buildState = NULL; /* for non-blocking IO */
+ PKIX_CertSelector *certSelector = NULL;
+ PKIX_List *certStores = NULL;
+ PKIX_ValidateResult *valResult = NULL;
+ PKIX_VerifyNode *verifyNode = NULL;
+ PKIX_TrustAnchor *trustAnchor = NULL;
+ PKIX_PL_Cert *trustAnchorCert = NULL;
+ PKIX_List *builtCertList = NULL;
+ CERTValOutParam *oparam = NULL;
+ int i = 0;
void *plContext = NULL;
#ifdef PKIX_OBJECT_LEAK_TEST
- int leakedObjNum = 0;
- int memLeakLoopCount = 0;
- int objCountTable[PKIX_NUMTYPES];
- int fnInvLocalCount = 0;
+ int leakedObjNum = 0;
+ int memLeakLoopCount = 0;
+ int objCountTable[PKIX_NUMTYPES];
+ int fnInvLocalCount = 0;
PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine;
if (usePKIXValidationEngine) {
@@ -2026,227 +2013,229 @@ SECStatus CERT_PKIXVerifyCert(
testStartFnStackPosition = 1;
fnStackNameArr[0] = "CERT_PKIXVerifyCert";
fnStackInvCountArr[0] = 0;
- PKIX_Boolean abortOnLeak =
- (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
- PKIX_FALSE : PKIX_TRUE;
+ PKIX_Boolean abortOnLeak =
+ (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? PKIX_FALSE
+ : PKIX_TRUE;
runningLeakTest = PKIX_TRUE;
/* Prevent multi-threaded run of object leak test */
fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
PORT_Assert(fnInvLocalCount == 1);
-do {
- r = SECFailure;
- error = NULL;
- procParams = NULL;
- buildResult = NULL;
- nbioContext = NULL; /* for non-blocking IO */
- buildState = NULL; /* for non-blocking IO */
- certSelector = NULL;
- certStores = NULL;
- valResult = NULL;
- verifyNode = NULL;
- trustAnchor = NULL;
- trustAnchorCert = NULL;
- builtCertList = NULL;
- oparam = NULL;
- i=0;
- errorGenerated = PKIX_FALSE;
- stackPosition = 0;
-
- if (leakedObjNum) {
- pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
- }
- memLeakLoopCount += 1;
+ do {
+ r = SECFailure;
+ error = NULL;
+ procParams = NULL;
+ buildResult = NULL;
+ nbioContext = NULL; /* for non-blocking IO */
+ buildState = NULL; /* for non-blocking IO */
+ certSelector = NULL;
+ certStores = NULL;
+ valResult = NULL;
+ verifyNode = NULL;
+ trustAnchor = NULL;
+ trustAnchorCert = NULL;
+ builtCertList = NULL;
+ oparam = NULL;
+ i = 0;
+ errorGenerated = PKIX_FALSE;
+ stackPosition = 0;
+
+ if (leakedObjNum) {
+ pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
+ }
+ memLeakLoopCount += 1;
#endif /* PKIX_OBJECT_LEAK_TEST */
- error = PKIX_PL_NssContext_Create(
+ error = PKIX_PL_NssContext_Create(
0, PR_FALSE /*use arena*/, wincx, &plContext);
- if (error != NULL) { /* need pkix->nss error map */
- PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
- goto cleanup;
- }
+ if (error != NULL) { /* need pkix->nss error map */
+ PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
+ goto cleanup;
+ }
- error = pkix_pl_NssContext_SetCertUsage(usages, plContext);
- if (error != NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto cleanup;
- }
+ error = pkix_pl_NssContext_SetCertUsage(usages, plContext);
+ if (error != NULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto cleanup;
+ }
- error = PKIX_ProcessingParams_Create(&procParams, plContext);
- if (error != NULL) { /* need pkix->nss error map */
- PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
- goto cleanup;
- }
+ error = PKIX_ProcessingParams_Create(&procParams, plContext);
+ if (error != NULL) { /* need pkix->nss error map */
+ PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
+ goto cleanup;
+ }
- /* local cert store should be set into procParams before
- * filling in revocation settings. */
- certStores = cert_GetCertStores(plContext);
- if (certStores == NULL) {
- goto cleanup;
- }
- error = PKIX_ProcessingParams_SetCertStores
- (procParams, certStores, plContext);
- if (error != NULL) {
- goto cleanup;
- }
+ /* local cert store should be set into procParams before
+ * filling in revocation settings. */
+ certStores = cert_GetCertStores(plContext);
+ if (certStores == NULL) {
+ goto cleanup;
+ }
+ error = PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
- /* now process the extensible input parameters structure */
- if (paramsIn != NULL) {
- i=0;
- while (paramsIn[i].type != cert_pi_end) {
- if (paramsIn[i].type >= cert_pi_max) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto cleanup;
- }
- if (cert_pkixSetParam(procParams,
- &paramsIn[i],plContext) != SECSuccess) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto cleanup;
+ /* now process the extensible input parameters structure */
+ if (paramsIn != NULL) {
+ i = 0;
+ while (paramsIn[i].type != cert_pi_end) {
+ if (paramsIn[i].type >= cert_pi_max) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto cleanup;
+ }
+ if (cert_pkixSetParam(procParams,
+ &paramsIn[i], plContext) !=
+ SECSuccess) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto cleanup;
+ }
+ i++;
}
- i++;
}
- }
- certSelector = cert_GetTargetCertConstraints(cert, plContext);
- if (certSelector == NULL) {
- goto cleanup;
- }
- error = PKIX_ProcessingParams_SetTargetCertConstraints
- (procParams, certSelector, plContext);
- if (error != NULL) {
- goto cleanup;
- }
-
- error = PKIX_BuildChain( procParams, &nbioContext,
- &buildState, &buildResult, &verifyNode,
- plContext);
- if (error != NULL) {
- goto cleanup;
- }
+ certSelector = cert_GetTargetCertConstraints(cert, plContext);
+ if (certSelector == NULL) {
+ goto cleanup;
+ }
+ error = PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certSelector, plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
- error = PKIX_BuildResult_GetValidateResult( buildResult, &valResult,
- plContext);
- if (error != NULL) {
- goto cleanup;
- }
+ error = PKIX_BuildChain(procParams, &nbioContext,
+ &buildState, &buildResult, &verifyNode,
+ plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
- error = PKIX_ValidateResult_GetTrustAnchor( valResult, &trustAnchor,
- plContext);
- if (error != NULL) {
- goto cleanup;
- }
+ error = PKIX_BuildResult_GetValidateResult(buildResult, &valResult,
+ plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
- if (trustAnchor != NULL) {
- error = PKIX_TrustAnchor_GetTrustedCert( trustAnchor, &trustAnchorCert,
- plContext);
+ error = PKIX_ValidateResult_GetTrustAnchor(valResult, &trustAnchor,
+ plContext);
if (error != NULL) {
goto cleanup;
}
- }
+
+ if (trustAnchor != NULL) {
+ error = PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustAnchorCert,
+ plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
+ }
#ifdef PKIX_OBJECT_LEAK_TEST
- /* Can not continue if error was generated but not returned.
- * Jumping to cleanup. */
- if (errorGenerated) goto cleanup;
+ /* Can not continue if error was generated but not returned.
+ * Jumping to cleanup. */
+ if (errorGenerated)
+ goto cleanup;
#endif /* PKIX_OBJECT_LEAK_TEST */
- oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor);
- if (oparam != NULL) {
- if (trustAnchorCert != NULL) {
- oparam->value.pointer.cert =
+ oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor);
+ if (oparam != NULL) {
+ if (trustAnchorCert != NULL) {
+ oparam->value.pointer.cert =
cert_NSSCertFromPKIXCert(trustAnchorCert);
- } else {
- oparam->value.pointer.cert = NULL;
+ } else {
+ oparam->value.pointer.cert = NULL;
+ }
}
- }
- error = PKIX_BuildResult_GetCertChain( buildResult, &builtCertList,
- plContext);
- if (error != NULL) {
- goto cleanup;
- }
+ error = PKIX_BuildResult_GetCertChain(buildResult, &builtCertList,
+ plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
- oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList);
- if (oparam != NULL) {
- error = cert_PkixToNssCertsChain(builtCertList,
- &oparam->value.pointer.chain,
- plContext);
- if (error) goto cleanup;
- }
+ oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList);
+ if (oparam != NULL) {
+ error = cert_PkixToNssCertsChain(builtCertList,
+ &oparam->value.pointer.chain,
+ plContext);
+ if (error)
+ goto cleanup;
+ }
- r = SECSuccess;
+ r = SECSuccess;
-cleanup:
- if (verifyNode) {
- /* Return validation log only upon error. */
- oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog);
+ cleanup:
+ if (verifyNode) {
+ /* Return validation log only upon error. */
+ oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog);
#ifdef PKIX_OBJECT_LEAK_TEST
- if (!errorGenerated)
+ if (!errorGenerated)
#endif /* PKIX_OBJECT_LEAK_TEST */
- if (r && oparam != NULL) {
- PKIX_Error *tmpError =
- cert_GetLogFromVerifyNode(oparam->value.pointer.log,
- verifyNode, plContext);
- if (tmpError) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext);
- }
+ if (r && oparam != NULL) {
+ PKIX_Error *tmpError =
+ cert_GetLogFromVerifyNode(oparam->value.pointer.log,
+ verifyNode, plContext);
+ if (tmpError) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext);
+ }
+ }
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)verifyNode, plContext);
}
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)verifyNode, plContext);
- }
- if (procParams != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
+ if (procParams != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
- if (trustAnchorCert != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchorCert, plContext);
+ if (trustAnchorCert != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchorCert, plContext);
- if (trustAnchor != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
+ if (trustAnchor != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
- if (valResult != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)valResult, plContext);
+ if (valResult != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)valResult, plContext);
- if (buildResult != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)buildResult, plContext);
+ if (buildResult != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)buildResult, plContext);
- if (certStores != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
+ if (certStores != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
- if (certSelector != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
+ if (certSelector != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
- if (builtCertList != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext);
+ if (builtCertList != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext);
- if (error != NULL) {
- SECErrorCodes nssErrorCode = 0;
+ if (error != NULL) {
+ SECErrorCodes nssErrorCode = 0;
- cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
- cert_pkixDestroyValOutParam(paramsOut);
- PORT_SetError(nssErrorCode);
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
- }
+ cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
+ cert_pkixDestroyValOutParam(paramsOut);
+ PORT_SetError(nssErrorCode);
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+ }
- PKIX_PL_NssContext_Destroy(plContext);
+ PKIX_PL_NssContext_Destroy(plContext);
#ifdef PKIX_OBJECT_LEAK_TEST
- leakedObjNum =
- pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL);
+ leakedObjNum =
+ pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL);
- if (pkixLog && leakedObjNum) {
- PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d."
- "Stack %s\n", memLeakLoopCount, errorFnStackString));
- }
- PR_Free(errorFnStackString);
- errorFnStackString = NULL;
- if (abortOnLeak) {
- PORT_Assert(leakedObjNum == 0);
- }
-
-} while (errorGenerated);
+ if (pkixLog && leakedObjNum) {
+ PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d."
+ "Stack %s\n",
+ memLeakLoopCount, errorFnStackString));
+ }
+ PR_Free(errorFnStackString);
+ errorFnStackString = NULL;
+ if (abortOnLeak) {
+ PORT_Assert(leakedObjNum == 0);
+ }
+
+ } while (errorGenerated);
- runningLeakTest = PKIX_FALSE;
+ runningLeakTest = PKIX_FALSE;
PR_ATOMIC_DECREMENT(&parallelFnInvocationCount);
usePKIXValidationEngine = savedUsePkixEngFlag;
#endif /* PKIX_OBJECT_LEAK_TEST */
« no previous file with comments | « nss/lib/certhigh/certvfy.c ('k') | nss/lib/certhigh/crlv2.c » ('j') | nss/lib/util/secoid.c » ('J')

Powered by Google App Engine
This is Rietveld 408576698