OLD | NEW |
| (Empty) |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
4 /* | |
5 * nss_pkix_proxy.h | |
6 * | |
7 * PKIX - NSS proxy functions | |
8 * | |
9 * NOTE: All structures, functions, data types are parts of library private | |
10 * api and are subjects to change in any following releases. | |
11 * | |
12 */ | |
13 #include "prerror.h" | |
14 #include "prprf.h" | |
15 | |
16 #include "nspr.h" | |
17 #include "pk11func.h" | |
18 #include "certdb.h" | |
19 #include "cert.h" | |
20 #include "secerr.h" | |
21 #include "nssb64.h" | |
22 #include "secasn1.h" | |
23 #include "secder.h" | |
24 #include "pkit.h" | |
25 | |
26 #include "pkix_pl_common.h" | |
27 | |
28 extern PRLogModuleInfo *pkixLog; | |
29 | |
30 #ifdef PKIX_OBJECT_LEAK_TEST | |
31 | |
32 extern PKIX_UInt32 | |
33 pkix_pl_lifecycle_ObjectLeakCheck(int *); | |
34 | |
35 extern SECStatus | |
36 pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable); | |
37 | |
38 PRInt32 parallelFnInvocationCount; | |
39 #endif /* PKIX_OBJECT_LEAK_TEST */ | |
40 | |
41 static PRBool usePKIXValidationEngine = PR_FALSE; | |
42 | |
43 /* | |
44 * FUNCTION: CERT_SetUsePKIXForValidation | |
45 * DESCRIPTION: | |
46 * | |
47 * Enables or disables use of libpkix for certificate validation | |
48 * | |
49 * PARAMETERS: | |
50 * "enable" | |
51 * PR_TRUE: enables use of libpkix for cert validation. | |
52 * PR_FALSE: disables. | |
53 * THREAD SAFETY: | |
54 * NOT Thread Safe. | |
55 * RETURNS: | |
56 * Returns SECSuccess if successfully enabled | |
57 */ | |
58 SECStatus | |
59 CERT_SetUsePKIXForValidation(PRBool enable) | |
60 { | |
61 usePKIXValidationEngine = (enable > 0) ? PR_TRUE : PR_FALSE; | |
62 return SECSuccess; | |
63 } | |
64 | |
65 /* | |
66 * FUNCTION: CERT_GetUsePKIXForValidation | |
67 * DESCRIPTION: | |
68 * | |
69 * Checks if libpkix building function should be use for certificate | |
70 * chain building. | |
71 * | |
72 * PARAMETERS: | |
73 * NONE | |
74 * THREAD SAFETY: | |
75 * NOT Thread Safe | |
76 * RETURNS: | |
77 * Returns PR_TRUE if libpkix should be used. PR_FALSE otherwise. | |
78 */ | |
79 PRBool | |
80 CERT_GetUsePKIXForValidation() | |
81 { | |
82 return usePKIXValidationEngine; | |
83 } | |
84 | |
85 #ifdef NOTDEF | |
86 /* | |
87 * FUNCTION: cert_NssKeyUsagesToPkix | |
88 * DESCRIPTION: | |
89 * | |
90 * Converts nss key usage bit field(PRUint32) to pkix key usage | |
91 * bit field. | |
92 * | |
93 * PARAMETERS: | |
94 * "nssKeyUsage" | |
95 * Nss key usage bit field. | |
96 * "pkixKeyUsage" | |
97 * Pkix key usage big field. | |
98 * "plContext" | |
99 * Platform-specific context pointer. | |
100 * THREAD SAFETY: | |
101 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
102 * RETURNS: | |
103 * Returns NULL if the function succeeds. | |
104 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
105 */ | |
106 static PKIX_Error * | |
107 cert_NssKeyUsagesToPkix( | |
108 PRUint32 nssKeyUsage, | |
109 PKIX_UInt32 *pPkixKeyUsage, | |
110 void *plContext) | |
111 { | |
112 PKIX_UInt32 pkixKeyUsage = 0; | |
113 | |
114 PKIX_ENTER(CERTVFYPKIX, "cert_NssKeyUsagesToPkix"); | |
115 PKIX_NULLCHECK_ONE(pPkixKeyUsage); | |
116 | |
117 *pPkixKeyUsage = 0; | |
118 | |
119 if (nssKeyUsage & KU_DIGITAL_SIGNATURE) { | |
120 pkixKeyUsage |= PKIX_DIGITAL_SIGNATURE; | |
121 } | |
122 | |
123 if (nssKeyUsage & KU_NON_REPUDIATION) { | |
124 pkixKeyUsage |= PKIX_NON_REPUDIATION; | |
125 } | |
126 | |
127 if (nssKeyUsage & KU_KEY_ENCIPHERMENT) { | |
128 pkixKeyUsage |= PKIX_KEY_ENCIPHERMENT; | |
129 } | |
130 | |
131 if (nssKeyUsage & KU_DATA_ENCIPHERMENT) { | |
132 pkixKeyUsage |= PKIX_DATA_ENCIPHERMENT; | |
133 } | |
134 | |
135 if (nssKeyUsage & KU_KEY_AGREEMENT) { | |
136 pkixKeyUsage |= PKIX_KEY_AGREEMENT; | |
137 } | |
138 | |
139 if (nssKeyUsage & KU_KEY_CERT_SIGN) { | |
140 pkixKeyUsage |= PKIX_KEY_CERT_SIGN; | |
141 } | |
142 | |
143 if (nssKeyUsage & KU_CRL_SIGN) { | |
144 pkixKeyUsage |= PKIX_CRL_SIGN; | |
145 } | |
146 | |
147 if (nssKeyUsage & KU_ENCIPHER_ONLY) { | |
148 pkixKeyUsage |= PKIX_ENCIPHER_ONLY; | |
149 } | |
150 | |
151 /* Not supported. XXX we should support this once it is | |
152 * fixed in NSS */ | |
153 /* pkixKeyUsage |= PKIX_DECIPHER_ONLY; */ | |
154 | |
155 *pPkixKeyUsage = pkixKeyUsage; | |
156 | |
157 PKIX_RETURN(CERTVFYPKIX); | |
158 } | |
159 | |
160 extern SECOidTag ekuOidStrings[]; | |
161 | |
162 enum { | |
163 ekuIndexSSLServer = 0, | |
164 ekuIndexSSLClient, | |
165 ekuIndexCodeSigner, | |
166 ekuIndexEmail, | |
167 ekuIndexTimeStamp, | |
168 ekuIndexStatusResponder, | |
169 ekuIndexUnknown | |
170 } ekuIndex; | |
171 | |
172 typedef struct { | |
173 SECCertUsage certUsage; | |
174 PRUint32 ekuStringIndex; | |
175 } SECCertUsageToEku; | |
176 | |
177 const SECCertUsageToEku certUsageEkuStringMap[] = { | |
178 { certUsageSSLClient, ekuIndexSSLClient }, | |
179 { certUsageSSLServer, ekuIndexSSLServer }, | |
180 { certUsageSSLCA, ekuIndexSSLServer }, | |
181 { certUsageEmailSigner, ekuIndexEmail }, | |
182 { certUsageEmailRecipient, ekuIndexEmail }, | |
183 { certUsageObjectSigner, ekuIndexCodeSigner }, | |
184 { certUsageUserCertImport, ekuIndexUnknown }, | |
185 { certUsageVerifyCA, ekuIndexUnknown }, | |
186 { certUsageProtectedObjectSigner, ekuIndexUnknown }, | |
187 { certUsageStatusResponder, ekuIndexStatusResponder }, | |
188 { certUsageAnyCA, ekuIndexUnknown }, | |
189 }; | |
190 | |
191 /* | |
192 * FUNCTION: cert_NssCertificateUsageToPkixKUAndEKU | |
193 * DESCRIPTION: | |
194 * | |
195 * Converts nss CERTCertificateUsage bit field to pkix key and | |
196 * extended key usages. | |
197 * | |
198 * PARAMETERS: | |
199 * "cert" | |
200 * Pointer to CERTCertificate structure of validating cert. | |
201 * "requiredCertUsages" | |
202 * Required usage that will be converted to pkix eku and ku. | |
203 * "requiredKeyUsage", | |
204 * Additional key usages impose to cert. | |
205 * "isCA", | |
206 * it true, convert usages for cert that is a CA cert. | |
207 * "ppkixEKUList" | |
208 * Returned address of a list of pkix extended key usages. | |
209 * "ppkixKU" | |
210 * Returned address of pkix required key usages bit field. | |
211 * "plContext" | |
212 * Platform-specific context pointer. | |
213 * THREAD SAFETY: | |
214 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
215 * RETURNS: | |
216 * Returns NULL if the function succeeds. | |
217 * Returns a Cert Verify Error if the function fails in an unrecoverable way. | |
218 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
219 */ | |
220 static PKIX_Error * | |
221 cert_NssCertificateUsageToPkixKUAndEKU( | |
222 CERTCertificate *cert, | |
223 SECCertUsage requiredCertUsage, | |
224 PRUint32 requiredKeyUsages, | |
225 PRBool isCA, | |
226 PKIX_List **ppkixEKUList, | |
227 PKIX_UInt32 *ppkixKU, | |
228 void *plContext) | |
229 { | |
230 PKIX_List *ekuOidsList = NULL; | |
231 PKIX_PL_OID *ekuOid = NULL; | |
232 int i = 0; | |
233 int ekuIndex = ekuIndexUnknown; | |
234 | |
235 PKIX_ENTER(CERTVFYPKIX, "cert_NssCertificateUsageToPkixEku"); | |
236 PKIX_NULLCHECK_TWO(ppkixEKUList, ppkixKU); | |
237 | |
238 PKIX_CHECK( | |
239 PKIX_List_Create(&ekuOidsList, plContext), | |
240 PKIX_LISTCREATEFAILED); | |
241 | |
242 for (; i < PR_ARRAY_SIZE(certUsageEkuStringMap); i++) { | |
243 const SECCertUsageToEku *usageToEkuElem = | |
244 &certUsageEkuStringMap[i]; | |
245 if (usageToEkuElem->certUsage == requiredCertUsage) { | |
246 ekuIndex = usageToEkuElem->ekuStringIndex; | |
247 break; | |
248 } | |
249 } | |
250 if (ekuIndex != ekuIndexUnknown) { | |
251 PRUint32 reqKeyUsage = 0; | |
252 PRUint32 reqCertType = 0; | |
253 | |
254 CERT_KeyUsageAndTypeForCertUsage(requiredCertUsage, isCA, | |
255 &reqKeyUsage, | |
256 &reqCertType); | |
257 | |
258 requiredKeyUsages |= reqKeyUsage; | |
259 | |
260 PKIX_CHECK( | |
261 PKIX_PL_OID_Create(ekuOidStrings[ekuIndex], &ekuOid, | |
262 plContext), | |
263 PKIX_OIDCREATEFAILED); | |
264 | |
265 PKIX_CHECK( | |
266 PKIX_List_AppendItem(ekuOidsList, (PKIX_PL_Object *)ekuOid, | |
267 plContext), | |
268 PKIX_LISTAPPENDITEMFAILED); | |
269 | |
270 PKIX_DECREF(ekuOid); | |
271 } | |
272 | |
273 PKIX_CHECK( | |
274 cert_NssKeyUsagesToPkix(requiredKeyUsages, ppkixKU, plContext), | |
275 PKIX_NSSCERTIFICATEUSAGETOPKIXKUANDEKUFAILED); | |
276 | |
277 *ppkixEKUList = ekuOidsList; | |
278 ekuOidsList = NULL; | |
279 | |
280 cleanup: | |
281 | |
282 PKIX_DECREF(ekuOid); | |
283 PKIX_DECREF(ekuOidsList); | |
284 | |
285 PKIX_RETURN(CERTVFYPKIX); | |
286 } | |
287 | |
288 #endif | |
289 | |
290 /* | |
291 * FUNCTION: cert_ProcessingParamsSetKeyAndCertUsage | |
292 * DESCRIPTION: | |
293 * | |
294 * Converts cert usage to pkix KU type and sets | |
295 * converted data into PKIX_ProcessingParams object. It also sets | |
296 * proper cert usage into nsscontext object. | |
297 * | |
298 * PARAMETERS: | |
299 * "procParams" | |
300 * Pointer to PKIX_ProcessingParams used during validation. | |
301 * "requiredCertUsage" | |
302 * Required certificate usages the certificate and chain is built and | |
303 * validated for. | |
304 * "requiredKeyUsage" | |
305 * Request additional key usages the certificate should be validated for. | |
306 * "plContext" | |
307 * Platform-specific context pointer. | |
308 * THREAD SAFETY: | |
309 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
310 * RETURNS: | |
311 * Returns NULL if the function succeeds. | |
312 * Returns a Cert Verify Error if the function fails in an unrecoverable way. | |
313 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
314 */ | |
315 static PKIX_Error * | |
316 cert_ProcessingParamsSetKeyAndCertUsage( | |
317 PKIX_ProcessingParams *procParams, | |
318 SECCertUsage requiredCertUsage, | |
319 PRUint32 requiredKeyUsages, | |
320 void *plContext) | |
321 { | |
322 PKIX_CertSelector *certSelector = NULL; | |
323 PKIX_ComCertSelParams *certSelParams = NULL; | |
324 PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext; | |
325 | |
326 PKIX_ENTER(CERTVFYPKIX, "cert_ProcessingParamsSetKeyAndCertUsage"); | |
327 PKIX_NULLCHECK_TWO(procParams, nssContext); | |
328 | |
329 PKIX_CHECK( | |
330 pkix_pl_NssContext_SetCertUsage( | |
331 ((SECCertificateUsage)1) << requiredCertUsage, nssContext), | |
332 PKIX_NSSCONTEXTSETCERTUSAGEFAILED); | |
333 | |
334 if (requiredKeyUsages) { | |
335 PKIX_CHECK( | |
336 PKIX_ProcessingParams_GetTargetCertConstraints(procParams, | |
337 &certSelector, plCont
ext), | |
338 PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED); | |
339 | |
340 PKIX_CHECK( | |
341 PKIX_CertSelector_GetCommonCertSelectorParams(certSelector, | |
342 &certSelParams, plCont
ext), | |
343 PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED); | |
344 | |
345 PKIX_CHECK( | |
346 PKIX_ComCertSelParams_SetKeyUsage(certSelParams, requiredKeyUsages, | |
347 plContext), | |
348 PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED); | |
349 } | |
350 cleanup: | |
351 PKIX_DECREF(certSelector); | |
352 PKIX_DECREF(certSelParams); | |
353 | |
354 PKIX_RETURN(CERTVFYPKIX); | |
355 } | |
356 | |
357 /* | |
358 * Unused parameters: | |
359 * | |
360 * CERTCertList *initialChain, | |
361 * CERTCertStores certStores, | |
362 * CERTCertRevCheckers certRevCheckers, | |
363 * CERTCertChainCheckers certChainCheckers, | |
364 * SECItem *initPolicies, | |
365 * PRBool policyQualifierRejected, | |
366 * PRBool anyPolicyInhibited, | |
367 * PRBool reqExplicitPolicy, | |
368 * PRBool policyMappingInhibited, | |
369 * PKIX_CertSelector certConstraints, | |
370 */ | |
371 | |
372 /* | |
373 * FUNCTION: cert_CreatePkixProcessingParams | |
374 * DESCRIPTION: | |
375 * | |
376 * Creates and fills in PKIX_ProcessingParams structure to be used | |
377 * for certificate chain building. | |
378 * | |
379 * PARAMETERS: | |
380 * "cert" | |
381 * Pointer to the CERTCertificate: the leaf certificate of a chain. | |
382 * "time" | |
383 * Validity time. | |
384 * "wincx" | |
385 * Nss db password token. | |
386 * "useArena" | |
387 * Flags to use arena for data allocation during chain building process. | |
388 * "pprocParams" | |
389 * Address to return created processing parameters. | |
390 * "plContext" | |
391 * Platform-specific context pointer. | |
392 * THREAD SAFETY: | |
393 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
394 * RETURNS: | |
395 * Returns NULL if the function succeeds. | |
396 * Returns a Cert Verify Error if the function fails in an unrecoverable way. | |
397 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
398 */ | |
399 static PKIX_Error * | |
400 cert_CreatePkixProcessingParams( | |
401 CERTCertificate *cert, | |
402 PRBool checkSig, /* not used yet. See bug 391476 */ | |
403 PRTime time, | |
404 void *wincx, | |
405 PRBool useArena, | |
406 PRBool disableOCSPRemoteFetching, | |
407 PKIX_ProcessingParams **pprocParams, | |
408 void **pplContext) | |
409 { | |
410 PKIX_List *anchors = NULL; | |
411 PKIX_PL_Cert *targetCert = NULL; | |
412 PKIX_PL_Date *date = NULL; | |
413 PKIX_ProcessingParams *procParams = NULL; | |
414 PKIX_CertSelector *certSelector = NULL; | |
415 PKIX_ComCertSelParams *certSelParams = NULL; | |
416 PKIX_CertStore *certStore = NULL; | |
417 PKIX_List *certStores = NULL; | |
418 PKIX_RevocationChecker *revChecker = NULL; | |
419 PKIX_UInt32 methodFlags = 0; | |
420 void *plContext = NULL; | |
421 CERTStatusConfig *statusConfig = NULL; | |
422 | |
423 PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams"); | |
424 PKIX_NULLCHECK_TWO(cert, pprocParams); | |
425 | |
426 PKIX_CHECK( | |
427 PKIX_PL_NssContext_Create(0, useArena, wincx, &plContext), | |
428 PKIX_NSSCONTEXTCREATEFAILED); | |
429 | |
430 *pplContext = plContext; | |
431 | |
432 #ifdef PKIX_NOTDEF | |
433 /* Functions should be implemented in patch for 390532 */ | |
434 PKIX_CHECK( | |
435 pkix_pl_NssContext_SetCertSignatureCheck(checkSig, | |
436 (PKIX_PL_NssContext *)plContext
), | |
437 PKIX_NSSCONTEXTSETCERTSIGNCHECKFAILED); | |
438 | |
439 #endif /* PKIX_NOTDEF */ | |
440 | |
441 PKIX_CHECK( | |
442 PKIX_ProcessingParams_Create(&procParams, plContext), | |
443 PKIX_PROCESSINGPARAMSCREATEFAILED); | |
444 | |
445 PKIX_CHECK( | |
446 PKIX_ComCertSelParams_Create(&certSelParams, plContext), | |
447 PKIX_COMCERTSELPARAMSCREATEFAILED); | |
448 | |
449 PKIX_CHECK( | |
450 PKIX_PL_Cert_CreateFromCERTCertificate(cert, &targetCert, plContext), | |
451 PKIX_CERTCREATEWITHNSSCERTFAILED); | |
452 | |
453 PKIX_CHECK( | |
454 PKIX_ComCertSelParams_SetCertificate(certSelParams, | |
455 targetCert, plContext), | |
456 PKIX_COMCERTSELPARAMSSETCERTIFICATEFAILED); | |
457 | |
458 PKIX_CHECK( | |
459 PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext), | |
460 PKIX_COULDNOTCREATECERTSELECTOROBJECT); | |
461 | |
462 PKIX_CHECK( | |
463 PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, | |
464 certSelParams, plContext), | |
465 PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED); | |
466 | |
467 PKIX_CHECK( | |
468 PKIX_ProcessingParams_SetTargetCertConstraints(procParams, | |
469 certSelector, plContext), | |
470 PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED); | |
471 | |
472 /* Turn off quialification of target cert since leaf cert is | |
473 * already check for date validity, key usages and extended | |
474 * key usages. */ | |
475 PKIX_CHECK( | |
476 PKIX_ProcessingParams_SetQualifyTargetCert(procParams, PKIX_FALSE, | |
477 plContext), | |
478 PKIX_PROCESSINGPARAMSSETQUALIFYTARGETCERTFLAGFAILED); | |
479 | |
480 PKIX_CHECK( | |
481 PKIX_PL_Pk11CertStore_Create(&certStore, plContext), | |
482 PKIX_PK11CERTSTORECREATEFAILED); | |
483 | |
484 PKIX_CHECK( | |
485 PKIX_List_Create(&certStores, plContext), | |
486 PKIX_UNABLETOCREATELIST); | |
487 | |
488 PKIX_CHECK( | |
489 PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, | |
490 plContext), | |
491 PKIX_LISTAPPENDITEMFAILED); | |
492 | |
493 PKIX_CHECK( | |
494 PKIX_ProcessingParams_SetCertStores(procParams, certStores, | |
495 plContext), | |
496 PKIX_PROCESSINGPARAMSADDCERTSTOREFAILED); | |
497 | |
498 PKIX_CHECK( | |
499 PKIX_PL_Date_CreateFromPRTime(time, &date, plContext), | |
500 PKIX_DATECREATEFROMPRTIMEFAILED); | |
501 | |
502 PKIX_CHECK( | |
503 PKIX_ProcessingParams_SetDate(procParams, date, plContext), | |
504 PKIX_PROCESSINGPARAMSSETDATEFAILED); | |
505 | |
506 PKIX_CHECK( | |
507 PKIX_RevocationChecker_Create( | |
508 PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | | |
509 PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, | |
510 PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | | |
511 PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, | |
512 &revChecker, plContext), | |
513 PKIX_REVOCATIONCHECKERCREATEFAILED); | |
514 | |
515 PKIX_CHECK( | |
516 PKIX_ProcessingParams_SetRevocationChecker(procParams, revChecker, | |
517 plContext), | |
518 PKIX_PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED); | |
519 | |
520 /* CRL method flags */ | |
521 methodFlags = | |
522 PKIX_REV_M_TEST_USING_THIS_METHOD | | |
523 PKIX_REV_M_FORBID_NETWORK_FETCHING | | |
524 PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ | |
525 PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ | |
526 PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO; | |
527 | |
528 /* add CRL revocation method to check the leaf certificate */ | |
529 PKIX_CHECK( | |
530 PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, | |
531 PKIX_RevocationMethod_CRL, met
hodFlags, | |
532 0, NULL, PKIX_TRUE, plContext)
, | |
533 PKIX_REVOCATIONCHECKERADDMETHODFAILED); | |
534 | |
535 /* add CRL revocation method for other certs in the chain. */ | |
536 PKIX_CHECK( | |
537 PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, | |
538 PKIX_RevocationMethod_CRL, met
hodFlags, | |
539 0, NULL, PKIX_FALSE, plContext
), | |
540 PKIX_REVOCATIONCHECKERADDMETHODFAILED); | |
541 | |
542 /* For compatibility with the old code, need to check that | |
543 * statusConfig is set in the db handle and status checker | |
544 * is defined befor allow ocsp status check on the leaf cert.*/ | |
545 statusConfig = CERT_GetStatusConfig(CERT_GetDefaultCertDB()); | |
546 if (statusConfig != NULL && statusConfig->statusChecker != NULL) { | |
547 | |
548 /* Enable OCSP revocation checking for the leaf cert. */ | |
549 /* OCSP method flags */ | |
550 methodFlags = | |
551 PKIX_REV_M_TEST_USING_THIS_METHOD | | |
552 PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */ | |
553 PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */ | |
554 PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ | |
555 PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ | |
556 PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO; | |
557 | |
558 /* Disabling ocsp fetching when checking the status | |
559 * of ocsp response signer. Here and in the next if, | |
560 * adjust flags for ocsp signer cert validation case. */ | |
561 if (disableOCSPRemoteFetching) { | |
562 methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING; | |
563 } | |
564 | |
565 if (ocsp_FetchingFailureIsVerificationFailure() && | |
566 !disableOCSPRemoteFetching) { | |
567 methodFlags |= | |
568 PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO; | |
569 } | |
570 | |
571 /* add OCSP revocation method to check only the leaf certificate.*/ | |
572 PKIX_CHECK( | |
573 PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, | |
574 PKIX_RevocationMethod_OCSP
, methodFlags, | |
575 1, NULL, PKIX_TRUE, plCont
ext), | |
576 PKIX_REVOCATIONCHECKERADDMETHODFAILED); | |
577 } | |
578 | |
579 PKIX_CHECK( | |
580 PKIX_ProcessingParams_SetAnyPolicyInhibited(procParams, PR_FALSE, | |
581 plContext), | |
582 PKIX_PROCESSINGPARAMSSETANYPOLICYINHIBITED); | |
583 | |
584 PKIX_CHECK( | |
585 PKIX_ProcessingParams_SetExplicitPolicyRequired(procParams, PR_FALSE, | |
586 plContext), | |
587 PKIX_PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED); | |
588 | |
589 PKIX_CHECK( | |
590 PKIX_ProcessingParams_SetPolicyMappingInhibited(procParams, PR_FALSE, | |
591 plContext), | |
592 PKIX_PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED); | |
593 | |
594 *pprocParams = procParams; | |
595 procParams = NULL; | |
596 | |
597 cleanup: | |
598 PKIX_DECREF(anchors); | |
599 PKIX_DECREF(targetCert); | |
600 PKIX_DECREF(date); | |
601 PKIX_DECREF(certSelector); | |
602 PKIX_DECREF(certSelParams); | |
603 PKIX_DECREF(certStore); | |
604 PKIX_DECREF(certStores); | |
605 PKIX_DECREF(procParams); | |
606 PKIX_DECREF(revChecker); | |
607 | |
608 PKIX_RETURN(CERTVFYPKIX); | |
609 } | |
610 | |
611 /* | |
612 * FUNCTION: cert_PkixToNssCertsChain | |
613 * DESCRIPTION: | |
614 * | |
615 * Converts pkix cert list into nss cert list. | |
616 * | |
617 * PARAMETERS: | |
618 * "pkixCertChain" | |
619 * Pkix certificate list. | |
620 * "pvalidChain" | |
621 * An address of returned nss certificate list. | |
622 * "plContext" | |
623 * Platform-specific context pointer. | |
624 * THREAD SAFETY: | |
625 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
626 * RETURNS: | |
627 * Returns NULL if the function succeeds. | |
628 * Returns a Cert Verify Error if the function fails in an unrecoverable way. | |
629 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
630 */ | |
631 static PKIX_Error * | |
632 cert_PkixToNssCertsChain( | |
633 PKIX_List *pkixCertChain, | |
634 CERTCertList **pvalidChain, | |
635 void *plContext) | |
636 { | |
637 PLArenaPool *arena = NULL; | |
638 CERTCertificate *nssCert = NULL; | |
639 CERTCertList *validChain = NULL; | |
640 PKIX_PL_Object *certItem = NULL; | |
641 PKIX_UInt32 length = 0; | |
642 PKIX_UInt32 i = 0; | |
643 | |
644 PKIX_ENTER(CERTVFYPKIX, "cert_PkixToNssCertsChain"); | |
645 PKIX_NULLCHECK_ONE(pvalidChain); | |
646 | |
647 if (pkixCertChain == NULL) { | |
648 goto cleanup; | |
649 } | |
650 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
651 if (arena == NULL) { | |
652 PKIX_ERROR(PKIX_OUTOFMEMORY); | |
653 } | |
654 validChain = (CERTCertList *)PORT_ArenaZAlloc(arena, sizeof(CERTCertList)); | |
655 if (validChain == NULL) { | |
656 PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); | |
657 } | |
658 PR_INIT_CLIST(&validChain->list); | |
659 validChain->arena = arena; | |
660 arena = NULL; | |
661 | |
662 PKIX_CHECK( | |
663 PKIX_List_GetLength(pkixCertChain, &length, plContext), | |
664 PKIX_LISTGETLENGTHFAILED); | |
665 | |
666 for (i = 0; i < length; i++) { | |
667 CERTCertListNode *node = NULL; | |
668 | |
669 PKIX_CHECK( | |
670 PKIX_List_GetItem(pkixCertChain, i, &certItem, plContext), | |
671 PKIX_LISTGETITEMFAILED); | |
672 | |
673 PKIX_CHECK( | |
674 PKIX_PL_Cert_GetCERTCertificate((PKIX_PL_Cert *)certItem, &nssCert, | |
675 plContext), | |
676 PKIX_CERTGETCERTCERTIFICATEFAILED); | |
677 | |
678 node = | |
679 (CERTCertListNode *)PORT_ArenaZAlloc(validChain->arena, | |
680 sizeof(CERTCertListNode)); | |
681 if (node == NULL) { | |
682 PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); | |
683 } | |
684 | |
685 PR_INSERT_BEFORE(&node->links, &validChain->list); | |
686 | |
687 node->cert = nssCert; | |
688 nssCert = NULL; | |
689 | |
690 PKIX_DECREF(certItem); | |
691 } | |
692 | |
693 *pvalidChain = validChain; | |
694 | |
695 cleanup: | |
696 if (PKIX_ERROR_RECEIVED) { | |
697 if (validChain) { | |
698 CERT_DestroyCertList(validChain); | |
699 } else if (arena) { | |
700 PORT_FreeArena(arena, PR_FALSE); | |
701 } | |
702 if (nssCert) { | |
703 CERT_DestroyCertificate(nssCert); | |
704 } | |
705 } | |
706 PKIX_DECREF(certItem); | |
707 | |
708 PKIX_RETURN(CERTVFYPKIX); | |
709 } | |
710 | |
711 /* | |
712 * FUNCTION: cert_BuildAndValidateChain | |
713 * DESCRIPTION: | |
714 * | |
715 * The function builds and validates a cert chain based on certificate | |
716 * selection criterias from procParams. This function call PKIX_BuildChain | |
717 * to accomplish chain building. If PKIX_BuildChain returns with incomplete | |
718 * IO, the function waits with PR_Poll until the blocking IO is finished and | |
719 * return control back to PKIX_BuildChain. | |
720 * | |
721 * PARAMETERS: | |
722 * "procParams" | |
723 * Processing parameters to be used during chain building. | |
724 * "pResult" | |
725 * Returned build result. | |
726 * "pVerifyNode" | |
727 * Returned pointed to verify node structure: the tree-like structure | |
728 * that reports points of chain building failures. | |
729 * "plContext" | |
730 * Platform-specific context pointer. | |
731 * THREAD SAFETY: | |
732 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
733 * RETURNS: | |
734 * Returns NULL if the function succeeds. | |
735 * Returns a Cert Verify Error if the function fails in an unrecoverable way. | |
736 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
737 */ | |
738 static PKIX_Error * | |
739 cert_BuildAndValidateChain( | |
740 PKIX_ProcessingParams *procParams, | |
741 PKIX_BuildResult **pResult, | |
742 PKIX_VerifyNode **pVerifyNode, | |
743 void *plContext) | |
744 { | |
745 PKIX_BuildResult *result = NULL; | |
746 PKIX_VerifyNode *verifyNode = NULL; | |
747 void *nbioContext = NULL; | |
748 void *state = NULL; | |
749 | |
750 PKIX_ENTER(CERTVFYPKIX, "cert_BuildAndVerifyChain"); | |
751 PKIX_NULLCHECK_TWO(procParams, pResult); | |
752 | |
753 do { | |
754 if (nbioContext && state) { | |
755 /* PKIX-XXX: need to test functionality of NBIO handling in libPkix. | |
756 * See bug 391180 */ | |
757 PRInt32 filesReady = 0; | |
758 PRPollDesc *pollDesc = (PRPollDesc *)nbioContext; | |
759 filesReady = PR_Poll(pollDesc, 1, PR_INTERVAL_NO_TIMEOUT); | |
760 if (filesReady <= 0) { | |
761 PKIX_ERROR(PKIX_PRPOLLRETBADFILENUM); | |
762 } | |
763 } | |
764 | |
765 PKIX_CHECK( | |
766 PKIX_BuildChain(procParams, &nbioContext, &state, | |
767 &result, &verifyNode, plContext), | |
768 PKIX_UNABLETOBUILDCHAIN); | |
769 | |
770 } while (nbioContext && state); | |
771 | |
772 *pResult = result; | |
773 | |
774 cleanup: | |
775 if (pVerifyNode) { | |
776 *pVerifyNode = verifyNode; | |
777 } | |
778 | |
779 PKIX_RETURN(CERTVFYPKIX); | |
780 } | |
781 | |
782 /* | |
783 * FUNCTION: cert_PkixErrorToNssCode | |
784 * DESCRIPTION: | |
785 * | |
786 * Converts pkix error(PKIX_Error) structure to PR error codes. | |
787 * | |
788 * PKIX-XXX to be implemented. See 391183. | |
789 * | |
790 * PARAMETERS: | |
791 * "error" | |
792 * Pkix error that will be converted. | |
793 * "nssCode" | |
794 * Corresponding nss error code. | |
795 * "plContext" | |
796 * Platform-specific context pointer. | |
797 * THREAD SAFETY: | |
798 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
799 * RETURNS: | |
800 * Returns NULL if the function succeeds. | |
801 * Returns a Cert Verify Error if the function fails in an unrecoverable way. | |
802 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
803 */ | |
804 static PKIX_Error * | |
805 cert_PkixErrorToNssCode( | |
806 PKIX_Error *error, | |
807 SECErrorCodes *pNssErr, | |
808 void *plContext) | |
809 { | |
810 int errLevel = 0; | |
811 PKIX_Int32 nssErr = 0; | |
812 PKIX_Error *errPtr = error; | |
813 | |
814 PKIX_ENTER(CERTVFYPKIX, "cert_PkixErrorToNssCode"); | |
815 PKIX_NULLCHECK_TWO(error, pNssErr); | |
816 | |
817 /* Loop until we find at least one error with non-null | |
818 * plErr code, that is going to be nss error code. */ | |
819 while (errPtr) { | |
820 if (errPtr->plErr && !nssErr) { | |
821 nssErr = errPtr->plErr; | |
822 if (!pkixLog) | |
823 break; | |
824 } | |
825 if (pkixLog) { | |
826 #ifdef PKIX_ERROR_DESCRIPTION | |
827 PR_LOG(pkixLog, 2, ("Error at level %d: %s\n", errLevel, | |
828 PKIX_ErrorText[errPtr->errCode])); | |
829 #else | |
830 PR_LOG(pkixLog, 2, ("Error at level %d: Error code %d\n", errLevel, | |
831 errPtr->errCode)); | |
832 #endif /* PKIX_ERROR_DESCRIPTION */ | |
833 } | |
834 errPtr = errPtr->cause; | |
835 errLevel += 1; | |
836 } | |
837 PORT_Assert(nssErr); | |
838 if (!nssErr) { | |
839 *pNssErr = SEC_ERROR_LIBPKIX_INTERNAL; | |
840 } else { | |
841 *pNssErr = nssErr; | |
842 } | |
843 | |
844 PKIX_RETURN(CERTVFYPKIX); | |
845 } | |
846 | |
847 /* | |
848 * FUNCTION: cert_GetLogFromVerifyNode | |
849 * DESCRIPTION: | |
850 * | |
851 * Recursive function that converts verify node tree-like set of structures | |
852 * to CERTVerifyLog. | |
853 * | |
854 * PARAMETERS: | |
855 * "log" | |
856 * Pointed to already allocated CERTVerifyLog structure. | |
857 * "node" | |
858 * A node of PKIX_VerifyNode tree. | |
859 * "plContext" | |
860 * Platform-specific context pointer. | |
861 * THREAD SAFETY: | |
862 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
863 * RETURNS: | |
864 * Returns NULL if the function succeeds. | |
865 * Returns a Cert Verify Error if the function fails in an unrecoverable way. | |
866 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
867 */ | |
868 static PKIX_Error * | |
869 cert_GetLogFromVerifyNode( | |
870 CERTVerifyLog *log, | |
871 PKIX_VerifyNode *node, | |
872 void *plContext) | |
873 { | |
874 PKIX_List *children = NULL; | |
875 PKIX_VerifyNode *childNode = NULL; | |
876 | |
877 PKIX_ENTER(CERTVFYPKIX, "cert_GetLogFromVerifyNode"); | |
878 | |
879 children = node->children; | |
880 | |
881 if (children == NULL) { | |
882 PKIX_ERRORCODE errCode = PKIX_ANCHORDIDNOTCHAINTOCERT; | |
883 if (node->error && node->error->errCode != errCode) { | |
884 if (log != NULL) { | |
885 SECErrorCodes nssErrorCode = 0; | |
886 CERTCertificate *cert = NULL; | |
887 | |
888 cert = node->verifyCert->nssCert; | |
889 | |
890 PKIX_CHECK( | |
891 cert_PkixErrorToNssCode(node->error, &nssErrorCode, | |
892 plContext), | |
893 PKIX_GETPKIXERRORCODEFAILED); | |
894 | |
895 cert_AddToVerifyLog(log, cert, nssErrorCode, node->depth, NULL); | |
896 } | |
897 } | |
898 PKIX_RETURN(CERTVFYPKIX); | |
899 } else { | |
900 PRUint32 i = 0; | |
901 PKIX_UInt32 length = 0; | |
902 | |
903 PKIX_CHECK( | |
904 PKIX_List_GetLength(children, &length, plContext), | |
905 PKIX_LISTGETLENGTHFAILED); | |
906 | |
907 for (i = 0; i < length; i++) { | |
908 | |
909 PKIX_CHECK( | |
910 PKIX_List_GetItem(children, i, (PKIX_PL_Object **)&childNode, | |
911 plContext), | |
912 PKIX_LISTGETITEMFAILED); | |
913 | |
914 PKIX_CHECK( | |
915 cert_GetLogFromVerifyNode(log, childNode, plContext), | |
916 PKIX_ERRORINRECURSIVEEQUALSCALL); | |
917 | |
918 PKIX_DECREF(childNode); | |
919 } | |
920 } | |
921 | |
922 cleanup: | |
923 PKIX_DECREF(childNode); | |
924 | |
925 PKIX_RETURN(CERTVFYPKIX); | |
926 } | |
927 | |
928 /* | |
929 * FUNCTION: cert_GetBuildResults | |
930 * DESCRIPTION: | |
931 * | |
932 * Converts pkix build results to nss results. This function is called | |
933 * regardless of build result. | |
934 * | |
935 * If it called after chain was successfully constructed, then it will | |
936 * convert: | |
937 * * pkix cert list that represent the chain to nss cert list | |
938 * * trusted root the chain was anchored to nss certificate. | |
939 * | |
940 * In case of failure it will convert: | |
941 * * pkix error to PR error code(will set it with PORT_SetError) | |
942 * * pkix validation log to nss CERTVerifyLog | |
943 * | |
944 * PARAMETERS: | |
945 * "buildResult" | |
946 * Build results returned by PKIX_BuildChain. | |
947 * "verifyNode" | |
948 * Tree-like structure of chain building/validation failures | |
949 * returned by PKIX_BuildChain. Ignored in case of success. | |
950 * "error" | |
951 * Final error returned by PKIX_BuildChain. Should be NULL in | |
952 * case of success. | |
953 * "log" | |
954 * Address of pre-allocated(if not NULL) CERTVerifyLog structure. | |
955 * "ptrustedRoot" | |
956 * Address of returned trusted root the chain was anchored to. | |
957 * "pvalidChain" | |
958 * Address of returned valid chain. | |
959 * "plContext" | |
960 * Platform-specific context pointer. | |
961 * THREAD SAFETY: | |
962 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
963 * RETURNS: | |
964 * Returns NULL if the function succeeds. | |
965 * Returns a Cert Verify Error if the function fails in an unrecoverable way. | |
966 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
967 */ | |
968 static PKIX_Error * | |
969 cert_GetBuildResults( | |
970 PKIX_BuildResult *buildResult, | |
971 PKIX_VerifyNode *verifyNode, | |
972 PKIX_Error *error, | |
973 CERTVerifyLog *log, | |
974 CERTCertificate **ptrustedRoot, | |
975 CERTCertList **pvalidChain, | |
976 void *plContext) | |
977 { | |
978 PKIX_ValidateResult *validResult = NULL; | |
979 CERTCertList *validChain = NULL; | |
980 CERTCertificate *trustedRoot = NULL; | |
981 PKIX_TrustAnchor *trustAnchor = NULL; | |
982 PKIX_PL_Cert *trustedCert = NULL; | |
983 PKIX_List *pkixCertChain = NULL; | |
984 | |
985 PKIX_ENTER(CERTVFYPKIX, "cert_GetBuildResults"); | |
986 if (buildResult == NULL && error == NULL) { | |
987 PKIX_ERROR(PKIX_NULLARGUMENT); | |
988 } | |
989 | |
990 if (error) { | |
991 SECErrorCodes nssErrorCode = 0; | |
992 if (verifyNode) { | |
993 PKIX_Error *tmpError = | |
994 cert_GetLogFromVerifyNode(log, verifyNode, plContext); | |
995 if (tmpError) { | |
996 PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext); | |
997 } | |
998 } | |
999 cert_PkixErrorToNssCode(error, &nssErrorCode, plContext); | |
1000 PORT_SetError(nssErrorCode); | |
1001 goto cleanup; | |
1002 } | |
1003 | |
1004 if (pvalidChain) { | |
1005 PKIX_CHECK( | |
1006 PKIX_BuildResult_GetCertChain(buildResult, &pkixCertChain, | |
1007 plContext), | |
1008 PKIX_BUILDRESULTGETCERTCHAINFAILED); | |
1009 | |
1010 PKIX_CHECK( | |
1011 cert_PkixToNssCertsChain(pkixCertChain, &validChain, plContext), | |
1012 PKIX_CERTCHAINTONSSCHAINFAILED); | |
1013 } | |
1014 | |
1015 if (ptrustedRoot) { | |
1016 PKIX_CHECK( | |
1017 PKIX_BuildResult_GetValidateResult(buildResult, &validResult, | |
1018 plContext), | |
1019 PKIX_BUILDRESULTGETVALIDATERESULTFAILED); | |
1020 | |
1021 PKIX_CHECK( | |
1022 PKIX_ValidateResult_GetTrustAnchor(validResult, &trustAnchor, | |
1023 plContext), | |
1024 PKIX_VALIDATERESULTGETTRUSTANCHORFAILED); | |
1025 | |
1026 PKIX_CHECK( | |
1027 PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustedCert, | |
1028 plContext), | |
1029 PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); | |
1030 | |
1031 PKIX_CHECK( | |
1032 PKIX_PL_Cert_GetCERTCertificate(trustedCert, &trustedRoot, | |
1033 plContext), | |
1034 PKIX_CERTGETCERTCERTIFICATEFAILED); | |
1035 } | |
1036 | |
1037 PORT_Assert(!PKIX_ERROR_RECEIVED); | |
1038 | |
1039 if (trustedRoot) { | |
1040 *ptrustedRoot = trustedRoot; | |
1041 } | |
1042 if (validChain) { | |
1043 *pvalidChain = validChain; | |
1044 } | |
1045 | |
1046 cleanup: | |
1047 if (PKIX_ERROR_RECEIVED) { | |
1048 if (trustedRoot) { | |
1049 CERT_DestroyCertificate(trustedRoot); | |
1050 } | |
1051 if (validChain) { | |
1052 CERT_DestroyCertList(validChain); | |
1053 } | |
1054 } | |
1055 PKIX_DECREF(trustAnchor); | |
1056 PKIX_DECREF(trustedCert); | |
1057 PKIX_DECREF(pkixCertChain); | |
1058 PKIX_DECREF(validResult); | |
1059 PKIX_DECREF(error); | |
1060 PKIX_DECREF(verifyNode); | |
1061 PKIX_DECREF(buildResult); | |
1062 | |
1063 PKIX_RETURN(CERTVFYPKIX); | |
1064 } | |
1065 | |
1066 /* | |
1067 * FUNCTION: cert_VerifyCertChainPkix | |
1068 * DESCRIPTION: | |
1069 * | |
1070 * The main wrapper function that is called from CERT_VerifyCert and | |
1071 * CERT_VerifyCACertForUsage functions to validate cert with libpkix. | |
1072 * | |
1073 * PARAMETERS: | |
1074 * "cert" | |
1075 * Leaf certificate of a chain we want to build. | |
1076 * "checkSig" | |
1077 * Certificate signatures will not be verified if this | |
1078 * flag is set to PR_FALSE. | |
1079 * "requiredUsage" | |
1080 * Required usage for certificate and chain. | |
1081 * "time" | |
1082 * Validity time. | |
1083 * "wincx" | |
1084 * Nss database password token. | |
1085 * "log" | |
1086 * Address of already allocated CERTVerifyLog structure. Not | |
1087 * used if NULL; | |
1088 * "pSigerror" | |
1089 * Address of PRBool. If not NULL, returns true is cert chain | |
1090 * was invalidated because of bad certificate signature. | |
1091 * "pRevoked" | |
1092 * Address of PRBool. If not NULL, returns true is cert chain | |
1093 * was invalidated because a revoked certificate was found in | |
1094 * the chain. | |
1095 * THREAD SAFETY: | |
1096 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
1097 * RETURNS: | |
1098 * SECFailure is chain building process has failed. SECSuccess otherwise. | |
1099 */ | |
1100 SECStatus | |
1101 cert_VerifyCertChainPkix( | |
1102 CERTCertificate *cert, | |
1103 PRBool checkSig, | |
1104 SECCertUsage requiredUsage, | |
1105 PRTime time, | |
1106 void *wincx, | |
1107 CERTVerifyLog *log, | |
1108 PRBool *pSigerror, | |
1109 PRBool *pRevoked) | |
1110 { | |
1111 PKIX_ProcessingParams *procParams = NULL; | |
1112 PKIX_BuildResult *result = NULL; | |
1113 PKIX_VerifyNode *verifyNode = NULL; | |
1114 PKIX_Error *error = NULL; | |
1115 | |
1116 SECStatus rv = SECFailure; | |
1117 void *plContext = NULL; | |
1118 | |
1119 #ifdef PKIX_OBJECT_LEAK_TEST | |
1120 int leakedObjNum = 0; | |
1121 int memLeakLoopCount = 0; | |
1122 int objCountTable[PKIX_NUMTYPES]; | |
1123 int fnInvLocalCount = 0; | |
1124 PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine; | |
1125 | |
1126 if (usePKIXValidationEngine) { | |
1127 /* current memory leak testing implementation does not allow | |
1128 * to run simultaneous tests one the same or a different threads. | |
1129 * Setting the variable to false, to make additional chain | |
1130 * validations be handled by old nss. */ | |
1131 usePKIXValidationEngine = PR_FALSE; | |
1132 } | |
1133 testStartFnStackPosition = 2; | |
1134 fnStackNameArr[0] = "cert_VerifyCertChainPkix"; | |
1135 fnStackInvCountArr[0] = 0; | |
1136 PKIX_Boolean abortOnLeak = | |
1137 (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? PKIX_
FALSE | |
1138 : PKIX_
TRUE; | |
1139 runningLeakTest = PKIX_TRUE; | |
1140 | |
1141 /* Prevent multi-threaded run of object leak test */ | |
1142 fnInvLocalCount = PR_ATOMIC_INCREMENT(¶llelFnInvocationCount); | |
1143 PORT_Assert(fnInvLocalCount == 1); | |
1144 | |
1145 do { | |
1146 rv = SECFailure; | |
1147 plContext = NULL; | |
1148 procParams = NULL; | |
1149 result = NULL; | |
1150 verifyNode = NULL; | |
1151 error = NULL; | |
1152 errorGenerated = PKIX_FALSE; | |
1153 stackPosition = 0; | |
1154 | |
1155 if (leakedObjNum) { | |
1156 pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); | |
1157 } | |
1158 memLeakLoopCount += 1; | |
1159 #endif /* PKIX_OBJECT_LEAK_TEST */ | |
1160 | |
1161 error = | |
1162 cert_CreatePkixProcessingParams(cert, checkSig, time, wincx, | |
1163 PR_FALSE /*use arena*/, | |
1164 requiredUsage == certUsageStatusResp
onder, | |
1165 &procParams, &plContext); | |
1166 if (error) { | |
1167 goto cleanup; | |
1168 } | |
1169 | |
1170 error = | |
1171 cert_ProcessingParamsSetKeyAndCertUsage(procParams, requiredUsage, 0
, | |
1172 plContext); | |
1173 if (error) { | |
1174 goto cleanup; | |
1175 } | |
1176 | |
1177 error = | |
1178 cert_BuildAndValidateChain(procParams, &result, &verifyNode, plConte
xt); | |
1179 if (error) { | |
1180 goto cleanup; | |
1181 } | |
1182 | |
1183 if (pRevoked) { | |
1184 /* Currently always PR_FALSE. Will be fixed as a part of 394077 */ | |
1185 *pRevoked = PR_FALSE; | |
1186 } | |
1187 if (pSigerror) { | |
1188 /* Currently always PR_FALSE. Will be fixed as a part of 394077 */ | |
1189 *pSigerror = PR_FALSE; | |
1190 } | |
1191 rv = SECSuccess; | |
1192 | |
1193 cleanup: | |
1194 error = cert_GetBuildResults(result, verifyNode, error, log, NULL, NULL, | |
1195 plContext); | |
1196 if (error) { | |
1197 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); | |
1198 } | |
1199 if (procParams) { | |
1200 PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext); | |
1201 } | |
1202 if (plContext) { | |
1203 PKIX_PL_NssContext_Destroy(plContext); | |
1204 } | |
1205 | |
1206 #ifdef PKIX_OBJECT_LEAK_TEST | |
1207 leakedObjNum = | |
1208 pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NUL
L); | |
1209 | |
1210 if (pkixLog && leakedObjNum) { | |
1211 PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loo
p %d." | |
1212 "Stack %s\n", | |
1213 memLeakLoopCount, errorFnStackString)); | |
1214 } | |
1215 PR_Free(errorFnStackString); | |
1216 errorFnStackString = NULL; | |
1217 if (abortOnLeak) { | |
1218 PORT_Assert(leakedObjNum == 0); | |
1219 } | |
1220 | |
1221 } while (errorGenerated); | |
1222 | |
1223 runningLeakTest = PKIX_FALSE; | |
1224 PR_ATOMIC_DECREMENT(¶llelFnInvocationCount); | |
1225 usePKIXValidationEngine = savedUsePkixEngFlag; | |
1226 #endif /* PKIX_OBJECT_LEAK_TEST */ | |
1227 | |
1228 return rv; | |
1229 } | |
1230 | |
1231 PKIX_CertSelector * | |
1232 cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext) | |
1233 { | |
1234 PKIX_ComCertSelParams *certSelParams = NULL; | |
1235 PKIX_CertSelector *certSelector = NULL; | |
1236 PKIX_CertSelector *r = NULL; | |
1237 PKIX_PL_Cert *eeCert = NULL; | |
1238 PKIX_Error *error = NULL; | |
1239 | |
1240 error = PKIX_PL_Cert_CreateFromCERTCertificate(target, &eeCert, plContext); | |
1241 if (error != NULL) | |
1242 goto cleanup; | |
1243 | |
1244 error = PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext); | |
1245 if (error != NULL) | |
1246 goto cleanup; | |
1247 | |
1248 error = PKIX_ComCertSelParams_Create(&certSelParams, plContext); | |
1249 if (error != NULL) | |
1250 goto cleanup; | |
1251 | |
1252 error = PKIX_ComCertSelParams_SetCertificate( | |
1253 certSelParams, eeCert, plContext); | |
1254 if (error != NULL) | |
1255 goto cleanup; | |
1256 | |
1257 error = PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, certSelP
arams, plContext); | |
1258 if (error != NULL) | |
1259 goto cleanup; | |
1260 | |
1261 error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certSelector, plContext); | |
1262 if (error == NULL) | |
1263 r = certSelector; | |
1264 | |
1265 cleanup: | |
1266 if (certSelParams != NULL) | |
1267 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelParams, plContext); | |
1268 | |
1269 if (eeCert != NULL) | |
1270 PKIX_PL_Object_DecRef((PKIX_PL_Object *)eeCert, plContext); | |
1271 | |
1272 if (certSelector != NULL) | |
1273 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext); | |
1274 | |
1275 if (error != NULL) { | |
1276 SECErrorCodes nssErr; | |
1277 | |
1278 cert_PkixErrorToNssCode(error, &nssErr, plContext); | |
1279 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); | |
1280 PORT_SetError(nssErr); | |
1281 } | |
1282 | |
1283 return r; | |
1284 } | |
1285 | |
1286 static PKIX_List * | |
1287 cert_GetCertStores(void *plContext) | |
1288 { | |
1289 PKIX_CertStore *certStore = NULL; | |
1290 PKIX_List *certStores = NULL; | |
1291 PKIX_List *r = NULL; | |
1292 PKIX_Error *error = NULL; | |
1293 | |
1294 error = PKIX_PL_Pk11CertStore_Create(&certStore, plContext); | |
1295 if (error != NULL) | |
1296 goto cleanup; | |
1297 | |
1298 error = PKIX_List_Create(&certStores, plContext); | |
1299 if (error != NULL) | |
1300 goto cleanup; | |
1301 | |
1302 error = PKIX_List_AppendItem(certStores, | |
1303 (PKIX_PL_Object *)certStore, plContext); | |
1304 if (error != NULL) | |
1305 goto cleanup; | |
1306 | |
1307 error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certStores, plContext); | |
1308 if (error == NULL) | |
1309 r = certStores; | |
1310 | |
1311 cleanup: | |
1312 if (certStores != NULL) | |
1313 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext); | |
1314 | |
1315 if (certStore != NULL) | |
1316 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStore, plContext); | |
1317 | |
1318 if (error != NULL) { | |
1319 SECErrorCodes nssErr; | |
1320 | |
1321 cert_PkixErrorToNssCode(error, &nssErr, plContext); | |
1322 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); | |
1323 PORT_SetError(nssErr); | |
1324 } | |
1325 | |
1326 return r; | |
1327 } | |
1328 | |
1329 struct fake_PKIX_PL_CertStruct { | |
1330 CERTCertificate *nssCert; | |
1331 }; | |
1332 | |
1333 /* This needs to be part of the PKIX_PL_* */ | |
1334 /* This definitely needs to go away, and be replaced with | |
1335 a real accessor function in PKIX */ | |
1336 static CERTCertificate * | |
1337 cert_NSSCertFromPKIXCert(const PKIX_PL_Cert *pkix_cert) | |
1338 { | |
1339 struct fake_PKIX_PL_CertStruct *fcert = NULL; | |
1340 | |
1341 fcert = (struct fake_PKIX_PL_CertStruct *)pkix_cert; | |
1342 | |
1343 return CERT_DupCertificate(fcert->nssCert); | |
1344 } | |
1345 | |
1346 PKIX_List * | |
1347 cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plContext) | |
1348 { | |
1349 PKIX_List *r = NULL; | |
1350 PKIX_List *policyList = NULL; | |
1351 PKIX_PL_OID *policyOID = NULL; | |
1352 PKIX_Error *error = NULL; | |
1353 int i; | |
1354 | |
1355 error = PKIX_List_Create(&policyList, plContext); | |
1356 if (error != NULL) { | |
1357 goto cleanup; | |
1358 } | |
1359 | |
1360 for (i = 0; i < oidCount; i++) { | |
1361 error = PKIX_PL_OID_Create(oids[i], &policyOID, plContext); | |
1362 if (error) { | |
1363 goto cleanup; | |
1364 } | |
1365 error = PKIX_List_AppendItem(policyList, | |
1366 (PKIX_PL_Object *)policyOID, plContext); | |
1367 if (error != NULL) { | |
1368 goto cleanup; | |
1369 } | |
1370 PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext); | |
1371 policyOID = NULL; | |
1372 } | |
1373 | |
1374 error = PKIX_List_SetImmutable(policyList, plContext); | |
1375 if (error != NULL) | |
1376 goto cleanup; | |
1377 | |
1378 error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)policyList, plContext); | |
1379 if (error == NULL) | |
1380 r = policyList; | |
1381 | |
1382 cleanup: | |
1383 if (policyOID != NULL) { | |
1384 PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext); | |
1385 } | |
1386 if (policyList != NULL) { | |
1387 PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyList, plContext); | |
1388 } | |
1389 if (error != NULL) { | |
1390 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); | |
1391 } | |
1392 | |
1393 return r; | |
1394 } | |
1395 | |
1396 CERTValOutParam * | |
1397 cert_pkix_FindOutputParam(CERTValOutParam *params, const CERTValParamOutType t) | |
1398 { | |
1399 CERTValOutParam *i; | |
1400 if (params == NULL) { | |
1401 return NULL; | |
1402 } | |
1403 for (i = params; i->type != cert_po_end; i++) { | |
1404 if (i->type == t) { | |
1405 return i; | |
1406 } | |
1407 } | |
1408 return NULL; | |
1409 } | |
1410 | |
1411 static PKIX_Error * | |
1412 setRevocationMethod(PKIX_RevocationChecker *revChecker, | |
1413 PKIX_ProcessingParams *procParams, | |
1414 const CERTRevocationTests *revTest, | |
1415 CERTRevocationMethodIndex certRevMethod, | |
1416 PKIX_RevocationMethodType pkixRevMethod, | |
1417 PKIX_Boolean verifyResponderUsages, | |
1418 PKIX_Boolean isLeafTest, | |
1419 void *plContext) | |
1420 { | |
1421 PKIX_UInt32 methodFlags = 0; | |
1422 PKIX_Error *error = NULL; | |
1423 PKIX_UInt32 priority = 0; | |
1424 | |
1425 if (revTest->number_of_defined_methods <= (PRUint32)certRevMethod) { | |
1426 return NULL; | |
1427 } | |
1428 if (revTest->preferred_methods) { | |
1429 unsigned int i = 0; | |
1430 for (; i < revTest->number_of_preferred_methods; i++) { | |
1431 if (revTest->preferred_methods[i] == certRevMethod) | |
1432 break; | |
1433 } | |
1434 priority = i; | |
1435 } | |
1436 methodFlags = revTest->cert_rev_flags_per_method[certRevMethod]; | |
1437 if (verifyResponderUsages && | |
1438 pkixRevMethod == PKIX_RevocationMethod_OCSP) { | |
1439 methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING; | |
1440 } | |
1441 error = | |
1442 PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, | |
1443 pkixRevMethod, methodFlags, | |
1444 priority, NULL, | |
1445 isLeafTest, plContext); | |
1446 return error; | |
1447 } | |
1448 | |
1449 SECStatus | |
1450 cert_pkixSetParam(PKIX_ProcessingParams *procParams, | |
1451 const CERTValInParam *param, void *plContext) | |
1452 { | |
1453 PKIX_Error *error = NULL; | |
1454 SECStatus r = SECSuccess; | |
1455 PKIX_PL_Date *date = NULL; | |
1456 PKIX_List *policyOIDList = NULL; | |
1457 PKIX_List *certListPkix = NULL; | |
1458 const CERTRevocationFlags *flags; | |
1459 SECErrorCodes errCode = SEC_ERROR_INVALID_ARGS; | |
1460 const CERTCertList *certList = NULL; | |
1461 CERTCertListNode *node; | |
1462 PKIX_PL_Cert *certPkix = NULL; | |
1463 PKIX_TrustAnchor *trustAnchor = NULL; | |
1464 PKIX_RevocationChecker *revChecker = NULL; | |
1465 PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext; | |
1466 | |
1467 /* XXX we need a way to map generic PKIX error to generic NSS errors */ | |
1468 | |
1469 switch (param->type) { | |
1470 | |
1471 case cert_pi_policyOID: | |
1472 | |
1473 /* needed? */ | |
1474 error = PKIX_ProcessingParams_SetExplicitPolicyRequired( | |
1475 procParams, PKIX_TRUE, plContext); | |
1476 | |
1477 if (error != NULL) { | |
1478 break; | |
1479 } | |
1480 | |
1481 policyOIDList = cert_PKIXMakeOIDList(param->value.array.oids, | |
1482 param->value.arraySize, plConte
xt); | |
1483 if (policyOIDList == NULL) { | |
1484 r = SECFailure; | |
1485 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
1486 break; | |
1487 } | |
1488 | |
1489 error = PKIX_ProcessingParams_SetInitialPolicies( | |
1490 procParams, policyOIDList, plContext); | |
1491 break; | |
1492 | |
1493 case cert_pi_date: | |
1494 if (param->value.scalar.time == 0) { | |
1495 error = PKIX_PL_Date_Create_UTCTime(NULL, &date, plContext); | |
1496 if (error != NULL) { | |
1497 errCode = SEC_ERROR_INVALID_TIME; | |
1498 break; | |
1499 } | |
1500 } else { | |
1501 error = pkix_pl_Date_CreateFromPRTime(param->value.scalar.time, | |
1502 &date, plContext); | |
1503 if (error != NULL) { | |
1504 errCode = SEC_ERROR_INVALID_TIME; | |
1505 break; | |
1506 } | |
1507 } | |
1508 | |
1509 error = PKIX_ProcessingParams_SetDate(procParams, date, plContext); | |
1510 if (error != NULL) { | |
1511 errCode = SEC_ERROR_INVALID_TIME; | |
1512 } | |
1513 break; | |
1514 | |
1515 case cert_pi_revocationFlags: { | |
1516 PKIX_UInt32 leafIMFlags = 0; | |
1517 PKIX_UInt32 chainIMFlags = 0; | |
1518 PKIX_Boolean validatingResponderCert = PKIX_FALSE; | |
1519 | |
1520 flags = param->value.pointer.revocation; | |
1521 if (!flags) { | |
1522 PORT_SetError(errCode); | |
1523 r = SECFailure; | |
1524 break; | |
1525 } | |
1526 | |
1527 leafIMFlags = | |
1528 flags->leafTests.cert_rev_method_independent_flags; | |
1529 chainIMFlags = | |
1530 flags->chainTests.cert_rev_method_independent_flags; | |
1531 | |
1532 error = | |
1533 PKIX_RevocationChecker_Create(leafIMFlags, chainIMFlags, | |
1534 &revChecker, plContext); | |
1535 if (error) { | |
1536 break; | |
1537 } | |
1538 | |
1539 error = | |
1540 PKIX_ProcessingParams_SetRevocationChecker(procParams, | |
1541 revChecker, plContext
); | |
1542 if (error) { | |
1543 break; | |
1544 } | |
1545 | |
1546 if (((PKIX_PL_NssContext *)plContext)->certificateUsage & | |
1547 certificateUsageStatusResponder) { | |
1548 validatingResponderCert = PKIX_TRUE; | |
1549 } | |
1550 | |
1551 error = setRevocationMethod(revChecker, | |
1552 procParams, &flags->leafTests, | |
1553 cert_revocation_method_crl, | |
1554 PKIX_RevocationMethod_CRL, | |
1555 validatingResponderCert, | |
1556 PKIX_TRUE, plContext); | |
1557 if (error) { | |
1558 break; | |
1559 } | |
1560 | |
1561 error = setRevocationMethod(revChecker, | |
1562 procParams, &flags->leafTests, | |
1563 cert_revocation_method_ocsp, | |
1564 PKIX_RevocationMethod_OCSP, | |
1565 validatingResponderCert, | |
1566 PKIX_TRUE, plContext); | |
1567 if (error) { | |
1568 break; | |
1569 } | |
1570 | |
1571 error = setRevocationMethod(revChecker, | |
1572 procParams, &flags->chainTests, | |
1573 cert_revocation_method_crl, | |
1574 PKIX_RevocationMethod_CRL, | |
1575 validatingResponderCert, | |
1576 PKIX_FALSE, plContext); | |
1577 if (error) { | |
1578 break; | |
1579 } | |
1580 | |
1581 error = setRevocationMethod(revChecker, | |
1582 procParams, &flags->chainTests, | |
1583 cert_revocation_method_ocsp, | |
1584 PKIX_RevocationMethod_OCSP, | |
1585 validatingResponderCert, | |
1586 PKIX_FALSE, plContext); | |
1587 if (error) { | |
1588 break; | |
1589 } | |
1590 | |
1591 } break; | |
1592 | |
1593 case cert_pi_trustAnchors: | |
1594 certList = param->value.pointer.chain; | |
1595 if (!certList) { | |
1596 PORT_SetError(errCode); | |
1597 r = SECFailure; | |
1598 break; | |
1599 } | |
1600 error = PKIX_List_Create(&certListPkix, plContext); | |
1601 if (error != NULL) { | |
1602 break; | |
1603 } | |
1604 for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList)
; | |
1605 node = CERT_LIST_NEXT(node)) { | |
1606 error = PKIX_PL_Cert_CreateFromCERTCertificate(node->cert, | |
1607 &certPkix, plCont
ext); | |
1608 if (error) { | |
1609 break; | |
1610 } | |
1611 error = PKIX_TrustAnchor_CreateWithCert(certPkix, &trustAnchor, | |
1612 plContext); | |
1613 if (error) { | |
1614 break; | |
1615 } | |
1616 error = PKIX_List_AppendItem(certListPkix, | |
1617 (PKIX_PL_Object *)trustAnchor, plCo
ntext); | |
1618 if (error) { | |
1619 break; | |
1620 } | |
1621 PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); | |
1622 trustAnchor = NULL; | |
1623 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext); | |
1624 certPkix = NULL; | |
1625 } | |
1626 error = | |
1627 PKIX_ProcessingParams_SetTrustAnchors(procParams, certListPkix, | |
1628 plContext); | |
1629 break; | |
1630 | |
1631 case cert_pi_useAIACertFetch: | |
1632 error = | |
1633 PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams, | |
1634 (PRBool)(param->v
alue.scalar.b != | |
1635 0), | |
1636 plContext); | |
1637 break; | |
1638 | |
1639 case cert_pi_chainVerifyCallback: { | |
1640 const CERTChainVerifyCallback *chainVerifyCallback = | |
1641 param->value.pointer.chainVerifyCallback; | |
1642 if (!chainVerifyCallback || !chainVerifyCallback->isChainValid) { | |
1643 PORT_SetError(errCode); | |
1644 r = SECFailure; | |
1645 break; | |
1646 } | |
1647 | |
1648 nssContext->chainVerifyCallback = *chainVerifyCallback; | |
1649 } break; | |
1650 | |
1651 case cert_pi_useOnlyTrustAnchors: | |
1652 error = | |
1653 PKIX_ProcessingParams_SetUseOnlyTrustAnchors(procParams, | |
1654 (PRBool)(param->val
ue.scalar.b != | |
1655 0), | |
1656 plContext); | |
1657 break; | |
1658 | |
1659 default: | |
1660 PORT_SetError(errCode); | |
1661 r = SECFailure; | |
1662 break; | |
1663 } | |
1664 | |
1665 if (policyOIDList != NULL) | |
1666 PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOIDList, plContext); | |
1667 | |
1668 if (date != NULL) | |
1669 PKIX_PL_Object_DecRef((PKIX_PL_Object *)date, plContext); | |
1670 | |
1671 if (revChecker != NULL) | |
1672 PKIX_PL_Object_DecRef((PKIX_PL_Object *)revChecker, plContext); | |
1673 | |
1674 if (certListPkix) | |
1675 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certListPkix, plContext); | |
1676 | |
1677 if (trustAnchor) | |
1678 PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); | |
1679 | |
1680 if (certPkix) | |
1681 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext); | |
1682 | |
1683 if (error != NULL) { | |
1684 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); | |
1685 PORT_SetError(errCode); | |
1686 r = SECFailure; | |
1687 } | |
1688 | |
1689 return r; | |
1690 } | |
1691 | |
1692 void | |
1693 cert_pkixDestroyValOutParam(CERTValOutParam *params) | |
1694 { | |
1695 CERTValOutParam *i; | |
1696 | |
1697 if (params == NULL) { | |
1698 return; | |
1699 } | |
1700 for (i = params; i->type != cert_po_end; i++) { | |
1701 switch (i->type) { | |
1702 case cert_po_trustAnchor: | |
1703 if (i->value.pointer.cert) { | |
1704 CERT_DestroyCertificate(i->value.pointer.cert); | |
1705 i->value.pointer.cert = NULL; | |
1706 } | |
1707 break; | |
1708 | |
1709 case cert_po_certList: | |
1710 if (i->value.pointer.chain) { | |
1711 CERT_DestroyCertList(i->value.pointer.chain); | |
1712 i->value.pointer.chain = NULL; | |
1713 } | |
1714 break; | |
1715 | |
1716 default: | |
1717 break; | |
1718 } | |
1719 } | |
1720 } | |
1721 | |
1722 static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags[2] = { | |
1723 /* crl */ | |
1724 CERT_REV_M_TEST_USING_THIS_METHOD | | |
1725 CERT_REV_M_FORBID_NETWORK_FETCHING | | |
1726 CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, | |
1727 /* ocsp */ | |
1728 CERT_REV_M_TEST_USING_THIS_METHOD | |
1729 }; | |
1730 | |
1731 static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags[2] = { | |
1732 /* crl */ | |
1733 CERT_REV_M_TEST_USING_THIS_METHOD | | |
1734 CERT_REV_M_FORBID_NETWORK_FETCHING | | |
1735 CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, | |
1736 /* ocsp */ | |
1737 0 | |
1738 }; | |
1739 | |
1740 static CERTRevocationMethodIndex | |
1741 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference = { | |
1742 cert_revocation_method_crl | |
1743 }; | |
1744 | |
1745 static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy = { | |
1746 { /* leafTests */ | |
1747 2, | |
1748 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags, | |
1749 1, | |
1750 &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference, | |
1751 0 }, | |
1752 { /* chainTests */ | |
1753 2, | |
1754 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags, | |
1755 0, | |
1756 0, | |
1757 0 } | |
1758 }; | |
1759 | |
1760 extern const CERTRevocationFlags * | |
1761 CERT_GetClassicOCSPEnabledSoftFailurePolicy() | |
1762 { | |
1763 return &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy; | |
1764 } | |
1765 | |
1766 static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags[2] = { | |
1767 /* crl */ | |
1768 CERT_REV_M_TEST_USING_THIS_METHOD | | |
1769 CERT_REV_M_FORBID_NETWORK_FETCHING | | |
1770 CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, | |
1771 /* ocsp */ | |
1772 CERT_REV_M_TEST_USING_THIS_METHOD | | |
1773 CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO | |
1774 }; | |
1775 | |
1776 static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags[2] = { | |
1777 /* crl */ | |
1778 CERT_REV_M_TEST_USING_THIS_METHOD | | |
1779 CERT_REV_M_FORBID_NETWORK_FETCHING | | |
1780 CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, | |
1781 /* ocsp */ | |
1782 0 | |
1783 }; | |
1784 | |
1785 static CERTRevocationMethodIndex | |
1786 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference = { | |
1787 cert_revocation_method_crl | |
1788 }; | |
1789 | |
1790 static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy = { | |
1791 { /* leafTests */ | |
1792 2, | |
1793 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags, | |
1794 1, | |
1795 &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference, | |
1796 0 }, | |
1797 { /* chainTests */ | |
1798 2, | |
1799 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags, | |
1800 0, | |
1801 0, | |
1802 0 } | |
1803 }; | |
1804 | |
1805 extern const CERTRevocationFlags * | |
1806 CERT_GetClassicOCSPEnabledHardFailurePolicy() | |
1807 { | |
1808 return &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy; | |
1809 } | |
1810 | |
1811 static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags[2] = { | |
1812 /* crl */ | |
1813 CERT_REV_M_TEST_USING_THIS_METHOD | | |
1814 CERT_REV_M_FORBID_NETWORK_FETCHING | | |
1815 CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, | |
1816 /* ocsp */ | |
1817 0 | |
1818 }; | |
1819 | |
1820 static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags[2] = { | |
1821 /* crl */ | |
1822 CERT_REV_M_TEST_USING_THIS_METHOD | | |
1823 CERT_REV_M_FORBID_NETWORK_FETCHING | | |
1824 CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, | |
1825 /* ocsp */ | |
1826 0 | |
1827 }; | |
1828 | |
1829 static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Disabled_Policy = { | |
1830 { /* leafTests */ | |
1831 2, | |
1832 certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags, | |
1833 0, | |
1834 0, | |
1835 0 }, | |
1836 { /* chainTests */ | |
1837 2, | |
1838 certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags, | |
1839 0, | |
1840 0, | |
1841 0 } | |
1842 }; | |
1843 | |
1844 extern const CERTRevocationFlags * | |
1845 CERT_GetClassicOCSPDisabledPolicy() | |
1846 { | |
1847 return &certRev_NSS_3_11_Ocsp_Disabled_Policy; | |
1848 } | |
1849 | |
1850 static PRUint64 certRev_PKIX_Verify_Nist_Policy_LeafFlags[2] = { | |
1851 /* crl */ | |
1852 CERT_REV_M_TEST_USING_THIS_METHOD | | |
1853 CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO | | |
1854 CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE, | |
1855 /* ocsp */ | |
1856 0 | |
1857 }; | |
1858 | |
1859 static PRUint64 certRev_PKIX_Verify_Nist_Policy_ChainFlags[2] = { | |
1860 /* crl */ | |
1861 CERT_REV_M_TEST_USING_THIS_METHOD | | |
1862 CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO | | |
1863 CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE, | |
1864 /* ocsp */ | |
1865 0 | |
1866 }; | |
1867 | |
1868 static const CERTRevocationFlags certRev_PKIX_Verify_Nist_Policy = { | |
1869 { /* leafTests */ | |
1870 2, | |
1871 certRev_PKIX_Verify_Nist_Policy_LeafFlags, | |
1872 0, | |
1873 0, | |
1874 0 }, | |
1875 { /* chainTests */ | |
1876 2, | |
1877 certRev_PKIX_Verify_Nist_Policy_ChainFlags, | |
1878 0, | |
1879 0, | |
1880 0 } | |
1881 }; | |
1882 | |
1883 extern const CERTRevocationFlags * | |
1884 CERT_GetPKIXVerifyNistRevocationPolicy() | |
1885 { | |
1886 return &certRev_PKIX_Verify_Nist_Policy; | |
1887 } | |
1888 | |
1889 CERTRevocationFlags * | |
1890 CERT_AllocCERTRevocationFlags( | |
1891 PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods, | |
1892 PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods) | |
1893 { | |
1894 CERTRevocationFlags *flags; | |
1895 | |
1896 flags = PORT_New(CERTRevocationFlags); | |
1897 if (!flags) | |
1898 return (NULL); | |
1899 | |
1900 flags->leafTests.number_of_defined_methods = number_leaf_methods; | |
1901 flags->leafTests.cert_rev_flags_per_method = | |
1902 PORT_NewArray(PRUint64, number_leaf_methods); | |
1903 | |
1904 flags->leafTests.number_of_preferred_methods = number_leaf_pref_methods; | |
1905 flags->leafTests.preferred_methods = | |
1906 PORT_NewArray(CERTRevocationMethodIndex, number_leaf_pref_methods); | |
1907 | |
1908 flags->chainTests.number_of_defined_methods = number_chain_methods; | |
1909 flags->chainTests.cert_rev_flags_per_method = | |
1910 PORT_NewArray(PRUint64, number_chain_methods); | |
1911 | |
1912 flags->chainTests.number_of_preferred_methods = number_chain_pref_methods; | |
1913 flags->chainTests.preferred_methods = | |
1914 PORT_NewArray(CERTRevocationMethodIndex, number_chain_pref_methods); | |
1915 | |
1916 if (!flags->leafTests.cert_rev_flags_per_method || | |
1917 !flags->leafTests.preferred_methods || | |
1918 !flags->chainTests.cert_rev_flags_per_method || | |
1919 !flags->chainTests.preferred_methods) { | |
1920 CERT_DestroyCERTRevocationFlags(flags); | |
1921 return (NULL); | |
1922 } | |
1923 | |
1924 return flags; | |
1925 } | |
1926 | |
1927 void | |
1928 CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags) | |
1929 { | |
1930 if (!flags) | |
1931 return; | |
1932 | |
1933 if (flags->leafTests.cert_rev_flags_per_method) | |
1934 PORT_Free(flags->leafTests.cert_rev_flags_per_method); | |
1935 | |
1936 if (flags->leafTests.preferred_methods) | |
1937 PORT_Free(flags->leafTests.preferred_methods); | |
1938 | |
1939 if (flags->chainTests.cert_rev_flags_per_method) | |
1940 PORT_Free(flags->chainTests.cert_rev_flags_per_method); | |
1941 | |
1942 if (flags->chainTests.preferred_methods) | |
1943 PORT_Free(flags->chainTests.preferred_methods); | |
1944 | |
1945 PORT_Free(flags); | |
1946 } | |
1947 | |
1948 /* | |
1949 * CERT_PKIXVerifyCert | |
1950 * | |
1951 * Verify a Certificate using the PKIX library. | |
1952 * | |
1953 * Parameters: | |
1954 * cert - the target certificate to verify. Must be non-null | |
1955 * params - an array of type/value parameters which can be | |
1956 * used to modify the behavior of the validation | |
1957 * algorithm, or supply additional constraints. | |
1958 * | |
1959 * outputTrustAnchor - the trust anchor which the certificate | |
1960 * chains to. The caller is responsible | |
1961 * for freeing this. | |
1962 * | |
1963 * Example Usage: | |
1964 * CERTValParam args[3]; | |
1965 * args[0].type = cvpt_policyOID; | |
1966 * args[0].value.si = oid; | |
1967 * args[1].type = revCheckRequired; | |
1968 * args[1].value.b = PR_TRUE; | |
1969 * args[2].type = cvpt_end; | |
1970 * | |
1971 * CERT_PKIXVerifyCert(cert, &output, args | |
1972 */ | |
1973 SECStatus | |
1974 CERT_PKIXVerifyCert( | |
1975 CERTCertificate *cert, | |
1976 SECCertificateUsage usages, | |
1977 CERTValInParam *paramsIn, | |
1978 CERTValOutParam *paramsOut, | |
1979 void *wincx) | |
1980 { | |
1981 SECStatus r = SECFailure; | |
1982 PKIX_Error *error = NULL; | |
1983 PKIX_ProcessingParams *procParams = NULL; | |
1984 PKIX_BuildResult *buildResult = NULL; | |
1985 void *nbioContext = NULL; /* for non-blocking IO */ | |
1986 void *buildState = NULL; /* for non-blocking IO */ | |
1987 PKIX_CertSelector *certSelector = NULL; | |
1988 PKIX_List *certStores = NULL; | |
1989 PKIX_ValidateResult *valResult = NULL; | |
1990 PKIX_VerifyNode *verifyNode = NULL; | |
1991 PKIX_TrustAnchor *trustAnchor = NULL; | |
1992 PKIX_PL_Cert *trustAnchorCert = NULL; | |
1993 PKIX_List *builtCertList = NULL; | |
1994 CERTValOutParam *oparam = NULL; | |
1995 int i = 0; | |
1996 | |
1997 void *plContext = NULL; | |
1998 | |
1999 #ifdef PKIX_OBJECT_LEAK_TEST | |
2000 int leakedObjNum = 0; | |
2001 int memLeakLoopCount = 0; | |
2002 int objCountTable[PKIX_NUMTYPES]; | |
2003 int fnInvLocalCount = 0; | |
2004 PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine; | |
2005 | |
2006 if (usePKIXValidationEngine) { | |
2007 /* current memory leak testing implementation does not allow | |
2008 * to run simultaneous tests one the same or a different threads. | |
2009 * Setting the variable to false, to make additional chain | |
2010 * validations be handled by old nss. */ | |
2011 usePKIXValidationEngine = PR_FALSE; | |
2012 } | |
2013 testStartFnStackPosition = 1; | |
2014 fnStackNameArr[0] = "CERT_PKIXVerifyCert"; | |
2015 fnStackInvCountArr[0] = 0; | |
2016 PKIX_Boolean abortOnLeak = | |
2017 (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? PKIX_
FALSE | |
2018 : PKIX_
TRUE; | |
2019 runningLeakTest = PKIX_TRUE; | |
2020 | |
2021 /* Prevent multi-threaded run of object leak test */ | |
2022 fnInvLocalCount = PR_ATOMIC_INCREMENT(¶llelFnInvocationCount); | |
2023 PORT_Assert(fnInvLocalCount == 1); | |
2024 | |
2025 do { | |
2026 r = SECFailure; | |
2027 error = NULL; | |
2028 procParams = NULL; | |
2029 buildResult = NULL; | |
2030 nbioContext = NULL; /* for non-blocking IO */ | |
2031 buildState = NULL; /* for non-blocking IO */ | |
2032 certSelector = NULL; | |
2033 certStores = NULL; | |
2034 valResult = NULL; | |
2035 verifyNode = NULL; | |
2036 trustAnchor = NULL; | |
2037 trustAnchorCert = NULL; | |
2038 builtCertList = NULL; | |
2039 oparam = NULL; | |
2040 i = 0; | |
2041 errorGenerated = PKIX_FALSE; | |
2042 stackPosition = 0; | |
2043 | |
2044 if (leakedObjNum) { | |
2045 pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); | |
2046 } | |
2047 memLeakLoopCount += 1; | |
2048 #endif /* PKIX_OBJECT_LEAK_TEST */ | |
2049 | |
2050 error = PKIX_PL_NssContext_Create( | |
2051 0, PR_FALSE /*use arena*/, wincx, &plContext); | |
2052 if (error != NULL) { /* need pkix->nss error map */ | |
2053 PORT_SetError(SEC_ERROR_CERT_NOT_VALID); | |
2054 goto cleanup; | |
2055 } | |
2056 | |
2057 error = pkix_pl_NssContext_SetCertUsage(usages, plContext); | |
2058 if (error != NULL) { | |
2059 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
2060 goto cleanup; | |
2061 } | |
2062 | |
2063 error = PKIX_ProcessingParams_Create(&procParams, plContext); | |
2064 if (error != NULL) { /* need pkix->nss error map */ | |
2065 PORT_SetError(SEC_ERROR_CERT_NOT_VALID); | |
2066 goto cleanup; | |
2067 } | |
2068 | |
2069 /* local cert store should be set into procParams before | |
2070 * filling in revocation settings. */ | |
2071 certStores = cert_GetCertStores(plContext); | |
2072 if (certStores == NULL) { | |
2073 goto cleanup; | |
2074 } | |
2075 error = PKIX_ProcessingParams_SetCertStores(procParams, certStores, plCo
ntext); | |
2076 if (error != NULL) { | |
2077 goto cleanup; | |
2078 } | |
2079 | |
2080 /* now process the extensible input parameters structure */ | |
2081 if (paramsIn != NULL) { | |
2082 i = 0; | |
2083 while (paramsIn[i].type != cert_pi_end) { | |
2084 if (paramsIn[i].type >= cert_pi_max) { | |
2085 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
2086 goto cleanup; | |
2087 } | |
2088 if (cert_pkixSetParam(procParams, | |
2089 ¶msIn[i], plContext) != | |
2090 SECSuccess) { | |
2091 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
2092 goto cleanup; | |
2093 } | |
2094 i++; | |
2095 } | |
2096 } | |
2097 | |
2098 certSelector = cert_GetTargetCertConstraints(cert, plContext); | |
2099 if (certSelector == NULL) { | |
2100 goto cleanup; | |
2101 } | |
2102 error = PKIX_ProcessingParams_SetTargetCertConstraints(procParams, certS
elector, plContext); | |
2103 if (error != NULL) { | |
2104 goto cleanup; | |
2105 } | |
2106 | |
2107 error = PKIX_BuildChain(procParams, &nbioContext, | |
2108 &buildState, &buildResult, &verifyNode, | |
2109 plContext); | |
2110 if (error != NULL) { | |
2111 goto cleanup; | |
2112 } | |
2113 | |
2114 error = PKIX_BuildResult_GetValidateResult(buildResult, &valResult, | |
2115 plContext); | |
2116 if (error != NULL) { | |
2117 goto cleanup; | |
2118 } | |
2119 | |
2120 error = PKIX_ValidateResult_GetTrustAnchor(valResult, &trustAnchor, | |
2121 plContext); | |
2122 if (error != NULL) { | |
2123 goto cleanup; | |
2124 } | |
2125 | |
2126 if (trustAnchor != NULL) { | |
2127 error = PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustAnchorCer
t, | |
2128 plContext); | |
2129 if (error != NULL) { | |
2130 goto cleanup; | |
2131 } | |
2132 } | |
2133 | |
2134 #ifdef PKIX_OBJECT_LEAK_TEST | |
2135 /* Can not continue if error was generated but not returned. | |
2136 * Jumping to cleanup. */ | |
2137 if (errorGenerated) | |
2138 goto cleanup; | |
2139 #endif /* PKIX_OBJECT_LEAK_TEST */ | |
2140 | |
2141 oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor); | |
2142 if (oparam != NULL) { | |
2143 if (trustAnchorCert != NULL) { | |
2144 oparam->value.pointer.cert = | |
2145 cert_NSSCertFromPKIXCert(trustAnchorCert); | |
2146 } else { | |
2147 oparam->value.pointer.cert = NULL; | |
2148 } | |
2149 } | |
2150 | |
2151 error = PKIX_BuildResult_GetCertChain(buildResult, &builtCertList, | |
2152 plContext); | |
2153 if (error != NULL) { | |
2154 goto cleanup; | |
2155 } | |
2156 | |
2157 oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList); | |
2158 if (oparam != NULL) { | |
2159 error = cert_PkixToNssCertsChain(builtCertList, | |
2160 &oparam->value.pointer.chain, | |
2161 plContext); | |
2162 if (error) | |
2163 goto cleanup; | |
2164 } | |
2165 | |
2166 r = SECSuccess; | |
2167 | |
2168 cleanup: | |
2169 if (verifyNode) { | |
2170 /* Return validation log only upon error. */ | |
2171 oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog); | |
2172 #ifdef PKIX_OBJECT_LEAK_TEST | |
2173 if (!errorGenerated) | |
2174 #endif /* PKIX_OBJECT_LEAK_TEST */ | |
2175 if (r && oparam != NULL) { | |
2176 PKIX_Error *tmpError = | |
2177 cert_GetLogFromVerifyNode(oparam->value.pointer.log, | |
2178 verifyNode, plContext); | |
2179 if (tmpError) { | |
2180 PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plCont
ext); | |
2181 } | |
2182 } | |
2183 PKIX_PL_Object_DecRef((PKIX_PL_Object *)verifyNode, plContext); | |
2184 } | |
2185 | |
2186 if (procParams != NULL) | |
2187 PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext); | |
2188 | |
2189 if (trustAnchorCert != NULL) | |
2190 PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchorCert, plContext); | |
2191 | |
2192 if (trustAnchor != NULL) | |
2193 PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); | |
2194 | |
2195 if (valResult != NULL) | |
2196 PKIX_PL_Object_DecRef((PKIX_PL_Object *)valResult, plContext); | |
2197 | |
2198 if (buildResult != NULL) | |
2199 PKIX_PL_Object_DecRef((PKIX_PL_Object *)buildResult, plContext); | |
2200 | |
2201 if (certStores != NULL) | |
2202 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext); | |
2203 | |
2204 if (certSelector != NULL) | |
2205 PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext); | |
2206 | |
2207 if (builtCertList != NULL) | |
2208 PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext); | |
2209 | |
2210 if (error != NULL) { | |
2211 SECErrorCodes nssErrorCode = 0; | |
2212 | |
2213 cert_PkixErrorToNssCode(error, &nssErrorCode, plContext); | |
2214 cert_pkixDestroyValOutParam(paramsOut); | |
2215 PORT_SetError(nssErrorCode); | |
2216 PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); | |
2217 } | |
2218 | |
2219 PKIX_PL_NssContext_Destroy(plContext); | |
2220 | |
2221 #ifdef PKIX_OBJECT_LEAK_TEST | |
2222 leakedObjNum = | |
2223 pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NUL
L); | |
2224 | |
2225 if (pkixLog && leakedObjNum) { | |
2226 PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loo
p %d." | |
2227 "Stack %s\n", | |
2228 memLeakLoopCount, errorFnStackString)); | |
2229 } | |
2230 PR_Free(errorFnStackString); | |
2231 errorFnStackString = NULL; | |
2232 if (abortOnLeak) { | |
2233 PORT_Assert(leakedObjNum == 0); | |
2234 } | |
2235 | |
2236 } while (errorGenerated); | |
2237 | |
2238 runningLeakTest = PKIX_FALSE; | |
2239 PR_ATOMIC_DECREMENT(¶llelFnInvocationCount); | |
2240 usePKIXValidationEngine = savedUsePkixEngFlag; | |
2241 #endif /* PKIX_OBJECT_LEAK_TEST */ | |
2242 | |
2243 return r; | |
2244 } | |