| OLD | NEW |
|---|
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 #include "nspr.h" | 4 #include "nspr.h" |
| 5 #include "secerr.h" | 5 #include "secerr.h" |
| 6 #include "secport.h" | 6 #include "secport.h" |
| 7 #include "seccomon.h" | 7 #include "seccomon.h" |
| 8 #include "secoid.h" | 8 #include "secoid.h" |
| 9 #include "sslerr.h" | 9 #include "sslerr.h" |
| 10 #include "genname.h" | 10 #include "genname.h" |
| (...skipping 531 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 542 LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0); | 542 LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0); |
| 543 } | 543 } |
| 544 pathLengthLimit = basicConstraint.pathLenConstraint; | 544 pathLengthLimit = basicConstraint.pathLenConstraint; |
| 545 isca = PR_TRUE; | 545 isca = PR_TRUE; |
| 546 } | 546 } |
| 547 /* make sure that the path len constraint is properly set.*/ | 547 /* make sure that the path len constraint is properly set.*/ |
| 548 if (pathLengthLimit >= 0 && currentPathLen > pathLengthLimit) { | 548 if (pathLengthLimit >= 0 && currentPathLen > pathLengthLimit) { |
| 549 PORT_SetError (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID); | 549 PORT_SetError (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID); |
| 550 LOG_ERROR_OR_EXIT(log, issuerCert, count+1, pathLengthLimit); | 550 LOG_ERROR_OR_EXIT(log, issuerCert, count+1, pathLengthLimit); |
| 551 } | 551 } |
| 552 » | 552 |
| 553 /* make sure that the entire chain is within the name space of the |
| 554 * current issuer certificate. |
| 555 */ |
| 556 rv = CERT_CompareNameSpace(issuerCert, namesList, certsList, |
| 557 arena, &badCert); |
| 558 if (rv != SECSuccess || badCert != NULL) { |
| 559 PORT_SetError(SEC_ERROR_CERT_NOT_IN_NAME_SPACE); |
| 560 LOG_ERROR_OR_EXIT(log, badCert, count + 1, 0); |
| 561 goto loser; |
| 562 } |
| 563 |
| 553 /* XXX - the error logging may need to go down into CRL stuff at some | 564 /* XXX - the error logging may need to go down into CRL stuff at some |
| 554 * point | 565 * point |
| 555 */ | 566 */ |
| 556 /* check revoked list (issuer) */ | 567 /* check revoked list (issuer) */ |
| 557 rv = SEC_CheckCRL(handle, subjectCert, issuerCert, t, wincx); | 568 rv = SEC_CheckCRL(handle, subjectCert, issuerCert, t, wincx); |
| 558 if (rv == SECFailure) { | 569 if (rv == SECFailure) { |
| 559 if (revoked) { | 570 if (revoked) { |
| 560 *revoked = PR_TRUE; | 571 *revoked = PR_TRUE; |
| 561 } | 572 } |
| 562 LOG_ERROR_OR_EXIT(log,subjectCert,count,0); | 573 LOG_ERROR_OR_EXIT(log,subjectCert,count,0); |
| (...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 664 LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0); | 675 LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0); |
| 665 } | 676 } |
| 666 | 677 |
| 667 /* make sure key usage allows cert signing */ | 678 /* make sure key usage allows cert signing */ |
| 668 if (CERT_CheckKeyUsage(issuerCert, requiredCAKeyUsage) != SECSuccess
) { | 679 if (CERT_CheckKeyUsage(issuerCert, requiredCAKeyUsage) != SECSuccess
) { |
| 669 PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE); | 680 PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE); |
| 670 LOG_ERROR_OR_EXIT(log,issuerCert,count+1,requiredCAKeyUsage); | 681 LOG_ERROR_OR_EXIT(log,issuerCert,count+1,requiredCAKeyUsage); |
| 671 } | 682 } |
| 672 } | 683 } |
| 673 | 684 |
| 674 /* make sure that the entire chain is within the name space of the | |
| 675 ** current issuer certificate. | |
| 676 */ | |
| 677 rv = CERT_CompareNameSpace(issuerCert, namesList, certsList, | |
| 678 arena, &badCert); | |
| 679 if (rv != SECSuccess || badCert != NULL) { | |
| 680 PORT_SetError(SEC_ERROR_CERT_NOT_IN_NAME_SPACE); | |
| 681 LOG_ERROR_OR_EXIT(log, badCert, count + 1, 0); | |
| 682 goto loser; | |
| 683 } | |
| 684 /* make sure that the issuer is not self signed. If it is, then | 685 /* make sure that the issuer is not self signed. If it is, then |
| 685 * stop here to prevent looping. | 686 * stop here to prevent looping. |
| 686 */ | 687 */ |
| 687 if (issuerCert->isRoot) { | 688 if (issuerCert->isRoot) { |
| 688 PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER); | 689 PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER); |
| 689 LOG_ERROR(log, issuerCert, count+1, 0); | 690 LOG_ERROR(log, issuerCert, count+1, 0); |
| 690 goto loser; | 691 goto loser; |
| 691 } | 692 } |
| 692 /* The issuer cert will be the subject cert in the next loop. | 693 /* The issuer cert will be the subject cert in the next loop. |
| 693 * A cert is self-issued if its subject and issuer are equal and | 694 * A cert is self-issued if its subject and issuer are equal and |
| (...skipping 1183 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1877 return chain; | 1878 return chain; |
| 1878 } | 1879 } |
| 1879 | 1880 |
| 1880 cert = CERT_FindCertIssuer(cert, time, usage); | 1881 cert = CERT_FindCertIssuer(cert, time, usage); |
| 1881 } | 1882 } |
| 1882 | 1883 |
| 1883 /* return partial chain */ | 1884 /* return partial chain */ |
| 1884 PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); | 1885 PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); |
| 1885 return chain; | 1886 return chain; |
| 1886 } | 1887 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 195763027:
Update NSS to NSS_3_16_RC0. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/