Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(63)

Side by Side Diff: nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.c

Issue 2078763002: Delete bundled copy of NSS and replace with README. (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/nss@master
Patch Set: Delete bundled copy of NSS and replace with README. Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
(Empty)
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 /*
5 * pkix_basicconstraintschecker.c
6 *
7 * Functions for basic constraints validation
8 *
9 */
10
11 #include "pkix_basicconstraintschecker.h"
12
13 /* --Private-BasicConstraintsCheckerState-Functions------------------------- */
14
15 /*
16 * FUNCTION: pkix_BasicConstraintsCheckerState_Destroy
17 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
18 */
19 static PKIX_Error *
20 pkix_BasicConstraintsCheckerState_Destroy(
21 PKIX_PL_Object *object,
22 void *plContext)
23 {
24 pkix_BasicConstraintsCheckerState *state = NULL;
25
26 PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
27 "pkix_BasicConstraintsCheckerState_Destroy");
28
29 PKIX_NULLCHECK_ONE(object);
30
31 /* Check that this object is a basic constraints checker state */
32 PKIX_CHECK(pkix_CheckType
33 (object, PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE, plContext),
34 PKIX_OBJECTNOTBASICCONSTRAINTSCHECKERSTATE);
35
36 state = (pkix_BasicConstraintsCheckerState *)object;
37
38 PKIX_DECREF(state->basicConstraintsOID);
39
40 cleanup:
41
42 PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
43 }
44
45 /*
46 * FUNCTION: pkix_BasicConstraintsCheckerState_RegisterSelf
47 * DESCRIPTION:
48 * Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
49 * THREAD SAFETY:
50 * Not Thread Safe - for performance and complexity reasons
51 *
52 * Since this function is only called by PKIX_PL_Initialize, which should
53 * only be called once, it is acceptable that this function is not
54 * thread-safe.
55 */
56 PKIX_Error *
57 pkix_BasicConstraintsCheckerState_RegisterSelf(void *plContext)
58 {
59 extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
60 pkix_ClassTable_Entry entry;
61
62 PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
63 "pkix_BasicConstraintsCheckerState_RegisterSelf");
64
65 entry.description = "BasicConstraintsCheckerState";
66 entry.objCounter = 0;
67 entry.typeObjectSize = sizeof(pkix_BasicConstraintsCheckerState);
68 entry.destructor = pkix_BasicConstraintsCheckerState_Destroy;
69 entry.equalsFunction = NULL;
70 entry.hashcodeFunction = NULL;
71 entry.toStringFunction = NULL;
72 entry.comparator = NULL;
73 entry.duplicateFunction = NULL;
74
75 systemClasses[PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE] = entry;
76
77 PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
78 }
79
80 /*
81 * FUNCTION: pkix_BasicConstraintsCheckerState_Create
82 * DESCRIPTION:
83 *
84 * Creates a new BasicConstraintsCheckerState using the number of certs in
85 * the chain represented by "certsRemaining" and stores it at "pState".
86 *
87 * PARAMETERS:
88 * "certsRemaining"
89 * Number of certificates in the chain.
90 * "pState"
91 * Address where object pointer will be stored. Must be non-NULL.
92 * "plContext"
93 * Platform-specific context pointer.
94 * THREAD SAFETY:
95 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
96 * RETURNS:
97 * Returns NULL if the function succeeds.
98 * Returns a BasicConstraintsCheckerState Error if the function fails in a
99 * non-fatal way.
100 * Returns a Fatal Error if the function fails in an unrecoverable way.
101 */
102 static PKIX_Error *
103 pkix_BasicConstraintsCheckerState_Create(
104 PKIX_UInt32 certsRemaining,
105 pkix_BasicConstraintsCheckerState **pState,
106 void *plContext)
107 {
108 pkix_BasicConstraintsCheckerState *state = NULL;
109
110 PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
111 "pkix_BasicConstraintsCheckerState_Create");
112
113 PKIX_NULLCHECK_ONE(pState);
114
115 PKIX_CHECK(PKIX_PL_Object_Alloc
116 (PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE,
117 sizeof (pkix_BasicConstraintsCheckerState),
118 (PKIX_PL_Object **)&state,
119 plContext),
120 PKIX_COULDNOTCREATEBASICCONSTRAINTSSTATEOBJECT);
121
122 /* initialize fields */
123 state->certsRemaining = certsRemaining;
124 state->maxPathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;
125
126 PKIX_CHECK(PKIX_PL_OID_Create
127 (PKIX_BASICCONSTRAINTS_OID,
128 &state->basicConstraintsOID,
129 plContext),
130 PKIX_OIDCREATEFAILED);
131
132 *pState = state;
133 state = NULL;
134
135 cleanup:
136
137 PKIX_DECREF(state);
138
139 PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
140 }
141
142 /* --Private-BasicConstraintsChecker-Functions------------------------------ */
143
144 /*
145 * FUNCTION: pkix_BasicConstraintsChecker_Check
146 * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
147 */
148 PKIX_Error *
149 pkix_BasicConstraintsChecker_Check(
150 PKIX_CertChainChecker *checker,
151 PKIX_PL_Cert *cert,
152 PKIX_List *unresolvedCriticalExtensions, /* list of PKIX_PL_OID */
153 void **pNBIOContext,
154 void *plContext)
155 {
156 PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
157 pkix_BasicConstraintsCheckerState *state = NULL;
158 PKIX_Boolean caFlag = PKIX_FALSE;
159 PKIX_Int32 pathLength = 0;
160 PKIX_Int32 maxPathLength_now;
161 PKIX_Boolean isSelfIssued = PKIX_FALSE;
162
163 PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Check");
164 PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
165
166 *pNBIOContext = NULL; /* we never block on pending I/O */
167
168 PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
169 (checker, (PKIX_PL_Object **)&state, plContext),
170 PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
171
172 state->certsRemaining--;
173
174 if (state->certsRemaining != 0) {
175
176 PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
177 (cert, &basicConstraints, plContext),
178 PKIX_CERTGETBASICCONSTRAINTSFAILED);
179
180 /* get CA Flag and path length */
181 if (basicConstraints != NULL) {
182 PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag
183 (basicConstraints,
184 &caFlag,
185 plContext),
186 PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);
187
188 if (caFlag == PKIX_TRUE) {
189 PKIX_CHECK
190 (PKIX_PL_BasicConstraints_GetPathLenConstraint
191 (basicConstraints,
192 &pathLength,
193 plContext),
194 PKIX_BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED);
195 }
196
197 }else{
198 caFlag = PKIX_FALSE;
199 pathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;
200 }
201
202 PKIX_CHECK(pkix_IsCertSelfIssued
203 (cert,
204 &isSelfIssued,
205 plContext),
206 PKIX_ISCERTSELFISSUEDFAILED);
207
208 maxPathLength_now = state->maxPathLength;
209
210 if (isSelfIssued != PKIX_TRUE) {
211
212 /* Not last CA Cert, but maxPathLength is down to zero */
213 if (maxPathLength_now == 0) {
214 PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDLN);
215 }
216
217 if (caFlag == PKIX_FALSE) {
218 PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDCA);
219 }
220
221 if (maxPathLength_now > 0) { /* can be unlimited (-1) */
222 maxPathLength_now--;
223 }
224
225 }
226
227 if (caFlag == PKIX_TRUE) {
228 if (maxPathLength_now == PKIX_UNLIMITED_PATH_CONSTRAINT){
229 maxPathLength_now = pathLength;
230 } else {
231 /* If pathLength is not specified, don't set */
232 if (pathLength != PKIX_UNLIMITED_PATH_CONSTRAINT) {
233 maxPathLength_now =
234 (maxPathLength_now > pathLength)?
235 pathLength:maxPathLength_now;
236 }
237 }
238 }
239
240 state->maxPathLength = maxPathLength_now;
241 }
242
243 /* Remove Basic Constraints Extension OID from list */
244 if (unresolvedCriticalExtensions != NULL) {
245
246 PKIX_CHECK(pkix_List_Remove
247 (unresolvedCriticalExtensions,
248 (PKIX_PL_Object *) state->basicConstraintsOID,
249 plContext),
250 PKIX_LISTREMOVEFAILED);
251 }
252
253
254 PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
255 (checker, (PKIX_PL_Object *)state, plContext),
256 PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
257
258
259 cleanup:
260 PKIX_DECREF(state);
261 PKIX_DECREF(basicConstraints);
262 PKIX_RETURN(CERTCHAINCHECKER);
263
264 }
265
266 /*
267 * FUNCTION: pkix_BasicConstraintsChecker_Initialize
268 * DESCRIPTION:
269 * Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
270 * THREAD SAFETY:
271 * Not Thread Safe - for performance and complexity reasons
272 *
273 * Since this function is only called by PKIX_PL_Initialize, which should
274 * only be called once, it is acceptable that this function is not
275 * thread-safe.
276 */
277 PKIX_Error *
278 pkix_BasicConstraintsChecker_Initialize(
279 PKIX_UInt32 certsRemaining,
280 PKIX_CertChainChecker **pChecker,
281 void *plContext)
282 {
283 pkix_BasicConstraintsCheckerState *state = NULL;
284
285 PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Initialize");
286 PKIX_NULLCHECK_ONE(pChecker);
287
288 PKIX_CHECK(pkix_BasicConstraintsCheckerState_Create
289 (certsRemaining, &state, plContext),
290 PKIX_BASICCONSTRAINTSCHECKERSTATECREATEFAILED);
291
292 PKIX_CHECK(PKIX_CertChainChecker_Create
293 (pkix_BasicConstraintsChecker_Check,
294 PKIX_FALSE,
295 PKIX_FALSE,
296 NULL,
297 (PKIX_PL_Object *)state,
298 pChecker,
299 plContext),
300 PKIX_CERTCHAINCHECKERCHECKFAILED);
301
302 cleanup:
303 PKIX_DECREF(state);
304
305 PKIX_RETURN(CERTCHAINCHECKER);
306 }
OLDNEW
« no previous file with comments | « nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.h ('k') | nss/lib/libpkix/pkix/checker/pkix_certchainchecker.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698