OLD | NEW |
1 /* | 1 /* |
2 * NSS utility functions | 2 * NSS utility functions |
3 * | 3 * |
4 * This Source Code Form is subject to the terms of the Mozilla Public | 4 * This Source Code Form is subject to the terms of the Mozilla Public |
5 * License, v. 2.0. If a copy of the MPL was not distributed with this | 5 * License, v. 2.0. If a copy of the MPL was not distributed with this |
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
7 | 7 |
8 #include <stdio.h> | 8 #include <stdio.h> |
9 #include <string.h> | 9 #include <string.h> |
10 #include "prerror.h" | 10 #include "prerror.h" |
11 #include "secitem.h" | 11 #include "secitem.h" |
12 #include "prnetdb.h" | 12 #include "prnetdb.h" |
13 #include "cert.h" | 13 #include "cert.h" |
14 #include "nspr.h" | 14 #include "nspr.h" |
15 #include "secder.h" | 15 #include "secder.h" |
16 #include "key.h" | 16 #include "key.h" |
17 #include "nss.h" | 17 #include "nss.h" |
18 | 18 |
19 /* | 19 /* |
20 * Look to see if any of the signers in the cert chain for "cert" are found | 20 * Look to see if any of the signers in the cert chain for "cert" are found |
21 * in the list of caNames. | 21 * in the list of caNames. |
22 * Returns SECSuccess if so, SECFailure if not. | 22 * Returns SECSuccess if so, SECFailure if not. |
23 */ | 23 */ |
24 SECStatus | 24 SECStatus |
25 NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames) | 25 NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames) |
26 { | 26 { |
27 SECItem * caname; | 27 SECItem *caname; |
28 CERTCertificate * curcert; | 28 CERTCertificate *curcert; |
29 CERTCertificate * oldcert; | 29 CERTCertificate *oldcert; |
30 PRInt32 contentlen; | 30 PRInt32 contentlen; |
31 int j; | 31 int j; |
32 int headerlen; | 32 int headerlen; |
33 int depth; | 33 int depth; |
34 SECStatus rv; | 34 SECStatus rv; |
35 SECItem issuerName; | 35 SECItem issuerName; |
36 SECItem compatIssuerName; | 36 SECItem compatIssuerName; |
37 | 37 |
38 if (!cert || !caNames || !caNames->nnames || !caNames->names || | 38 if (!cert || !caNames || !caNames->nnames || !caNames->names || |
39 !caNames->names->data) | 39 !caNames->names->data) |
40 return SECFailure; | 40 return SECFailure; |
41 depth=0; | 41 depth = 0; |
42 curcert = CERT_DupCertificate(cert); | 42 curcert = CERT_DupCertificate(cert); |
43 | 43 |
44 while( curcert ) { | 44 while (curcert) { |
45 issuerName = curcert->derIssuer; | 45 issuerName = curcert->derIssuer; |
46 | 46 |
47 /* compute an alternate issuer name for compatibility with 2.0 | 47 /* compute an alternate issuer name for compatibility with 2.0 |
48 * enterprise server, which send the CA names without | 48 * enterprise server, which send the CA names without |
49 * the outer layer of DER header | 49 * the outer layer of DER header |
50 */ | 50 */ |
51 rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen); | 51 rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen); |
52 if ( rv == SECSuccess ) { | 52 if (rv == SECSuccess) { |
53 compatIssuerName.data = &issuerName.data[headerlen]; | 53 compatIssuerName.data = &issuerName.data[headerlen]; |
54 compatIssuerName.len = issuerName.len - headerlen; | 54 compatIssuerName.len = issuerName.len - headerlen; |
55 } else { | 55 } else { |
56 compatIssuerName.data = NULL; | 56 compatIssuerName.data = NULL; |
57 compatIssuerName.len = 0; | 57 compatIssuerName.len = 0; |
| 58 } |
| 59 |
| 60 for (j = 0; j < caNames->nnames; j++) { |
| 61 caname = &caNames->names[j]; |
| 62 if (SECITEM_CompareItem(&issuerName, caname) == SECEqual) { |
| 63 rv = SECSuccess; |
| 64 CERT_DestroyCertificate(curcert); |
| 65 goto done; |
| 66 } else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqua
l) { |
| 67 rv = SECSuccess; |
| 68 CERT_DestroyCertificate(curcert); |
| 69 goto done; |
| 70 } |
| 71 } |
| 72 if ((depth <= 20) && |
| 73 (SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject) != |
| 74 SECEqual)) { |
| 75 oldcert = curcert; |
| 76 curcert = CERT_FindCertByName(curcert->dbhandle, |
| 77 &curcert->derIssuer); |
| 78 CERT_DestroyCertificate(oldcert); |
| 79 depth++; |
| 80 } else { |
| 81 CERT_DestroyCertificate(curcert); |
| 82 curcert = NULL; |
| 83 } |
58 } | 84 } |
59 | 85 rv = SECFailure; |
60 for (j = 0; j < caNames->nnames; j++) { | 86 |
61 caname = &caNames->names[j]; | |
62 if (SECITEM_CompareItem(&issuerName, caname) == SECEqual) { | |
63 » rv = SECSuccess; | |
64 » CERT_DestroyCertificate(curcert); | |
65 » goto done; | |
66 } else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) { | |
67 » rv = SECSuccess; | |
68 » CERT_DestroyCertificate(curcert); | |
69 » goto done; | |
70 } | |
71 } | |
72 if ( ( depth <= 20 ) && | |
73 » ( SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject) | |
74 » != SECEqual ) ) { | |
75 oldcert = curcert; | |
76 curcert = CERT_FindCertByName(curcert->dbhandle, | |
77 » » » » &curcert->derIssuer); | |
78 CERT_DestroyCertificate(oldcert); | |
79 depth++; | |
80 } else { | |
81 CERT_DestroyCertificate(curcert); | |
82 curcert = NULL; | |
83 } | |
84 } | |
85 rv = SECFailure; | |
86 | |
87 done: | 87 done: |
88 return rv; | 88 return rv; |
89 } | 89 } |
90 | |