OLD | NEW |
| (Empty) |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
4 /* | |
5 * pkix_pl_ldapcertstore.c | |
6 * | |
7 * LDAPCertStore Function Definitions | |
8 * | |
9 */ | |
10 | |
11 /* We can't decode the length of a message without at least this many bytes */ | |
12 #define MINIMUM_MSG_LENGTH 5 | |
13 | |
14 #include "pkix_pl_ldapcertstore.h" | |
15 | |
16 /* --Private-Ldap-CertStore-Database-Functions----------------------- */ | |
17 | |
18 /* | |
19 * FUNCTION: pkix_pl_LdapCertStore_DecodeCrossCertPair | |
20 * DESCRIPTION: | |
21 * | |
22 * This function decodes a DER-encoded CrossCertPair pointed to by | |
23 * "responseList" and extracts and decodes the Certificates in that pair, | |
24 * adding the resulting Certs, if the decoding was successful, to the List | |
25 * (possibly empty) pointed to by "certList". If none of the objects | |
26 * can be decoded into a Cert, the List is returned unchanged. | |
27 * | |
28 * PARAMETERS: | |
29 * "derCCPItem" | |
30 * The address of the SECItem containing the DER representation of the | |
31 * CrossCertPair. Must be non-NULL. | |
32 * "certList" | |
33 * The address of the List to which the decoded Certs are added. May be | |
34 * empty, but must be non-NULL. | |
35 * "plContext" | |
36 * Platform-specific context pointer. | |
37 * THREAD SAFETY: | |
38 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
39 * RETURNS: | |
40 * Returns NULL if the function succeeds. | |
41 * Returns a CertStore Error if the function fails in a non-fatal way. | |
42 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
43 */ | |
44 PKIX_Error * | |
45 pkix_pl_LdapCertStore_DecodeCrossCertPair( | |
46 SECItem *derCCPItem, | |
47 PKIX_List *certList, | |
48 void *plContext) | |
49 { | |
50 LDAPCertPair certPair = {{ siBuffer, NULL, 0 }, { siBuffer, NULL, 0 }}; | |
51 SECStatus rv = SECFailure; | |
52 | |
53 PLArenaPool *tempArena = NULL; | |
54 | |
55 PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_DecodeCrossCertPair"); | |
56 PKIX_NULLCHECK_TWO(derCCPItem, certList); | |
57 | |
58 tempArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
59 if (!tempArena) { | |
60 PKIX_ERROR(PKIX_OUTOFMEMORY); | |
61 } | |
62 | |
63 rv = SEC_ASN1DecodeItem(tempArena, &certPair, PKIX_PL_LDAPCrossCertPairT
emplate, | |
64 derCCPItem); | |
65 if (rv != SECSuccess) { | |
66 goto cleanup; | |
67 } | |
68 | |
69 if (certPair.forward.data != NULL) { | |
70 | |
71 PKIX_CHECK( | |
72 pkix_pl_Cert_CreateToList(&certPair.forward, certList, | |
73 plContext), | |
74 PKIX_CERTCREATETOLISTFAILED); | |
75 } | |
76 | |
77 if (certPair.reverse.data != NULL) { | |
78 | |
79 PKIX_CHECK( | |
80 pkix_pl_Cert_CreateToList(&certPair.reverse, certList, | |
81 plContext), | |
82 PKIX_CERTCREATETOLISTFAILED); | |
83 } | |
84 | |
85 cleanup: | |
86 if (tempArena) { | |
87 PORT_FreeArena(tempArena, PR_FALSE); | |
88 } | |
89 | |
90 PKIX_RETURN(CERTSTORE); | |
91 } | |
92 | |
93 /* | |
94 * FUNCTION: pkix_pl_LdapCertStore_BuildCertList | |
95 * DESCRIPTION: | |
96 * | |
97 * This function takes a List of LdapResponse objects pointed to by | |
98 * "responseList" and extracts and decodes the Certificates in those responses, | |
99 * storing the List of those Certificates at "pCerts". If none of the objects | |
100 * can be decoded into a Cert, the returned List is empty. | |
101 * | |
102 * PARAMETERS: | |
103 * "responseList" | |
104 * The address of the List of LdapResponses. Must be non-NULL. | |
105 * "pCerts" | |
106 * The address at which the result is stored. Must be non-NULL. | |
107 * "plContext" | |
108 * Platform-specific context pointer. | |
109 * THREAD SAFETY: | |
110 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
111 * RETURNS: | |
112 * Returns NULL if the function succeeds. | |
113 * Returns a CertStore Error if the function fails in a non-fatal way. | |
114 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
115 */ | |
116 PKIX_Error * | |
117 pkix_pl_LdapCertStore_BuildCertList( | |
118 PKIX_List *responseList, | |
119 PKIX_List **pCerts, | |
120 void *plContext) | |
121 { | |
122 PKIX_UInt32 numResponses = 0; | |
123 PKIX_UInt32 respIx = 0; | |
124 LdapAttrMask attrBits = 0; | |
125 PKIX_PL_LdapResponse *response = NULL; | |
126 PKIX_List *certList = NULL; | |
127 LDAPMessage *message = NULL; | |
128 LDAPSearchResponseEntry *sre = NULL; | |
129 LDAPSearchResponseAttr **sreAttrArray = NULL; | |
130 LDAPSearchResponseAttr *sreAttr = NULL; | |
131 SECItem *attrType = NULL; | |
132 SECItem **attrVal = NULL; | |
133 SECItem *derCertItem = NULL; | |
134 | |
135 | |
136 PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_BuildCertList"); | |
137 PKIX_NULLCHECK_TWO(responseList, pCerts); | |
138 | |
139 PKIX_CHECK(PKIX_List_Create(&certList, plContext), | |
140 PKIX_LISTCREATEFAILED); | |
141 | |
142 /* extract certs from response */ | |
143 PKIX_CHECK(PKIX_List_GetLength | |
144 (responseList, &numResponses, plContext), | |
145 PKIX_LISTGETLENGTHFAILED); | |
146 | |
147 for (respIx = 0; respIx < numResponses; respIx++) { | |
148 PKIX_CHECK(PKIX_List_GetItem | |
149 (responseList, | |
150 respIx, | |
151 (PKIX_PL_Object **)&response, | |
152 plContext), | |
153 PKIX_LISTGETITEMFAILED); | |
154 | |
155 PKIX_CHECK(pkix_pl_LdapResponse_GetMessage | |
156 (response, &message, plContext), | |
157 PKIX_LDAPRESPONSEGETMESSAGEFAILED); | |
158 | |
159 sre = &(message->protocolOp.op.searchResponseEntryMsg); | |
160 sreAttrArray = sre->attributes; | |
161 | |
162 /* Get next element of null-terminated array */ | |
163 sreAttr = *sreAttrArray++; | |
164 while (sreAttr != NULL) { | |
165 attrType = &(sreAttr->attrType); | |
166 PKIX_CHECK(pkix_pl_LdapRequest_AttrTypeToBit | |
167 (attrType, &attrBits, plContext), | |
168 PKIX_LDAPREQUESTATTRTYPETOBITFAILED); | |
169 /* Is this attrVal a Certificate? */ | |
170 if (((LDAPATTR_CACERT | LDAPATTR_USERCERT) & | |
171 attrBits) == attrBits) { | |
172 attrVal = sreAttr->val; | |
173 derCertItem = *attrVal++; | |
174 while (derCertItem != 0) { | |
175 /* create a PKIX_PL_Cert from derCert */ | |
176 PKIX_CHECK(pkix_pl_Cert_CreateToList | |
177 (derCertItem, certList, plContext), | |
178 PKIX_CERTCREATETOLISTFAILED); | |
179 derCertItem = *attrVal++; | |
180 } | |
181 } else if ((LDAPATTR_CROSSPAIRCERT & attrBits) == attrBits){ | |
182 /* Is this attrVal a CrossPairCertificate? */ | |
183 attrVal = sreAttr->val; | |
184 derCertItem = *attrVal++; | |
185 while (derCertItem != 0) { | |
186 /* create PKIX_PL_Certs from derCert */ | |
187 PKIX_CHECK(pkix_pl_LdapCertStore_DecodeCrossCertPair | |
188 (derCertItem, certList, plContext), | |
189 PKIX_LDAPCERTSTOREDECODECROSSCERTPAIRFAILED); | |
190 derCertItem = *attrVal++; | |
191 } | |
192 } | |
193 sreAttr = *sreAttrArray++; | |
194 } | |
195 PKIX_DECREF(response); | |
196 } | |
197 | |
198 *pCerts = certList; | |
199 | |
200 cleanup: | |
201 if (PKIX_ERROR_RECEIVED) { | |
202 PKIX_DECREF(certList); | |
203 } | |
204 | |
205 PKIX_DECREF(response); | |
206 | |
207 PKIX_RETURN(CERTSTORE); | |
208 } | |
209 | |
210 /* | |
211 * FUNCTION: pkix_pl_LdapCertStore_BuildCrlList | |
212 * DESCRIPTION: | |
213 * | |
214 * This function takes a List of LdapResponse objects pointed to by | |
215 * "responseList" and extracts and decodes the CRLs in those responses, storing | |
216 * the List of those CRLs at "pCrls". If none of the objects can be decoded | |
217 * into a CRL, the returned List is empty. | |
218 * | |
219 * PARAMETERS: | |
220 * "responseList" | |
221 * The address of the List of LdapResponses. Must be non-NULL. | |
222 * "pCrls" | |
223 * The address at which the result is stored. Must be non-NULL. | |
224 * "plContext" | |
225 * Platform-specific context pointer. | |
226 * THREAD SAFETY: | |
227 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
228 * RETURNS: | |
229 * Returns NULL if the function succeeds. | |
230 * Returns a CertStore Error if the function fails in a non-fatal way. | |
231 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
232 */ | |
233 PKIX_Error * | |
234 pkix_pl_LdapCertStore_BuildCrlList( | |
235 PKIX_List *responseList, | |
236 PKIX_List **pCrls, | |
237 void *plContext) | |
238 { | |
239 PKIX_UInt32 numResponses = 0; | |
240 PKIX_UInt32 respIx = 0; | |
241 LdapAttrMask attrBits = 0; | |
242 CERTSignedCrl *nssCrl = NULL; | |
243 PKIX_PL_LdapResponse *response = NULL; | |
244 PKIX_List *crlList = NULL; | |
245 PKIX_PL_CRL *crl = NULL; | |
246 LDAPMessage *message = NULL; | |
247 LDAPSearchResponseEntry *sre = NULL; | |
248 LDAPSearchResponseAttr **sreAttrArray = NULL; | |
249 LDAPSearchResponseAttr *sreAttr = NULL; | |
250 SECItem *attrType = NULL; | |
251 SECItem **attrVal = NULL; | |
252 SECItem *derCrlCopy = NULL; | |
253 SECItem *derCrlItem = NULL; | |
254 | |
255 PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_BuildCrlList"); | |
256 PKIX_NULLCHECK_TWO(responseList, pCrls); | |
257 | |
258 PKIX_CHECK(PKIX_List_Create(&crlList, plContext), | |
259 PKIX_LISTCREATEFAILED); | |
260 | |
261 /* extract crls from response */ | |
262 PKIX_CHECK(PKIX_List_GetLength | |
263 (responseList, &numResponses, plContext), | |
264 PKIX_LISTGETLENGTHFAILED); | |
265 | |
266 for (respIx = 0; respIx < numResponses; respIx++) { | |
267 PKIX_CHECK(PKIX_List_GetItem | |
268 (responseList, | |
269 respIx, | |
270 (PKIX_PL_Object **)&response, | |
271 plContext), | |
272 PKIX_LISTGETITEMFAILED); | |
273 | |
274 PKIX_CHECK(pkix_pl_LdapResponse_GetMessage | |
275 (response, &message, plContext), | |
276 PKIX_LDAPRESPONSEGETMESSAGEFAILED); | |
277 | |
278 sre = &(message->protocolOp.op.searchResponseEntryMsg); | |
279 sreAttrArray = sre->attributes; | |
280 | |
281 /* Get next element of null-terminated array */ | |
282 sreAttr = *sreAttrArray++; | |
283 while (sreAttr != NULL) { | |
284 attrType = &(sreAttr->attrType); | |
285 PKIX_CHECK(pkix_pl_LdapRequest_AttrTypeToBit | |
286 (attrType, &attrBits, plContext), | |
287 PKIX_LDAPREQUESTATTRTYPETOBITFAILED); | |
288 /* Is this attrVal a Revocation List? */ | |
289 if (((LDAPATTR_CERTREVLIST | LDAPATTR_AUTHREVLIST) & | |
290 attrBits) == attrBits) { | |
291 attrVal = sreAttr->val; | |
292 derCrlItem = *attrVal++; | |
293 while (derCrlItem != 0) { | |
294 /* create a PKIX_PL_Crl from derCrl */ | |
295 derCrlCopy = SECITEM_DupItem(derCrlItem); | |
296 if (!derCrlCopy) { | |
297 PKIX_ERROR(PKIX_ALLOCERROR); | |
298 } | |
299 /* crl will be based on derCrlCopy, but wont | |
300 * own the der. */ | |
301 nssCrl = | |
302 CERT_DecodeDERCrlWithFlags(NULL, derCrlCopy, | |
303 SEC_CRL_TYPE, | |
304 CRL_DECODE_DONT_COPY_DER
| | |
305 CRL_DECODE_SKIP_ENTRIES); | |
306 if (!nssCrl) { | |
307 SECITEM_FreeItem(derCrlCopy, PKIX_TRUE); | |
308 continue; | |
309 } | |
310 /* pkix crl own the der. */ | |
311 PKIX_CHECK( | |
312 pkix_pl_CRL_CreateWithSignedCRL(nssCrl, | |
313 derCrlCopy, NULL, &crl, plContext), | |
314 PKIX_CRLCREATEWITHSIGNEDCRLFAILED); | |
315 /* Left control over memory pointed by derCrlCopy an
d | |
316 * nssCrl to pkix crl. */ | |
317 derCrlCopy = NULL; | |
318 nssCrl = NULL; | |
319 PKIX_CHECK(PKIX_List_AppendItem | |
320 (crlList, (PKIX_PL_Object *) crl, plConte
xt), | |
321 PKIX_LISTAPPENDITEMFAILED); | |
322 PKIX_DECREF(crl); | |
323 derCrlItem = *attrVal++; | |
324 } | |
325 /* Clean up after PKIX_CHECK_ONLY_FATAL */ | |
326 pkixTempErrorReceived = PKIX_FALSE; | |
327 } | |
328 sreAttr = *sreAttrArray++; | |
329 } | |
330 PKIX_DECREF(response); | |
331 } | |
332 | |
333 *pCrls = crlList; | |
334 crlList = NULL; | |
335 cleanup: | |
336 if (derCrlCopy) { | |
337 SECITEM_FreeItem(derCrlCopy, PKIX_TRUE); | |
338 } | |
339 if (nssCrl) { | |
340 SEC_DestroyCrl(nssCrl); | |
341 } | |
342 PKIX_DECREF(crl); | |
343 PKIX_DECREF(crlList); | |
344 PKIX_DECREF(response); | |
345 | |
346 PKIX_RETURN(CERTSTORE); | |
347 } | |
348 | |
349 /* | |
350 * FUNCTION: pkix_pl_LdapCertStore_DestroyAVAList | |
351 * DESCRIPTION: | |
352 * | |
353 * This function frees the space allocated for the components of the | |
354 * equalFilters that make up the andFilter pointed to by "filter". | |
355 * | |
356 * PARAMETERS: | |
357 * "requestParams" | |
358 * The address of the andFilter whose components are to be freed. Must be | |
359 * non-NULL. | |
360 * "plContext" | |
361 * Platform-specific context pointer | |
362 * THREAD SAFETY: | |
363 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
364 * RETURNS: | |
365 * Returns NULL if the function succeeds. | |
366 * Returns a CertStore Error if the function fails in a non-fatal way. | |
367 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
368 */ | |
369 static PKIX_Error * | |
370 pkix_pl_LdapCertStore_DestroyAVAList( | |
371 LDAPNameComponent **nameComponents, | |
372 void *plContext) | |
373 { | |
374 LDAPNameComponent **currentNC = NULL; | |
375 unsigned char *component = NULL; | |
376 | |
377 PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_DestroyAVAList"); | |
378 PKIX_NULLCHECK_ONE(nameComponents); | |
379 | |
380 /* Set currentNC to point to first AVA pointer */ | |
381 currentNC = nameComponents; | |
382 | |
383 while ((*currentNC) != NULL) { | |
384 component = (*currentNC)->attrValue; | |
385 if (component != NULL) { | |
386 PORT_Free(component); | |
387 } | |
388 currentNC++; | |
389 } | |
390 | |
391 PKIX_RETURN(CERTSTORE); | |
392 } | |
393 | |
394 /* | |
395 * FUNCTION: pkix_pl_LdapCertStore_MakeNameAVAList | |
396 * DESCRIPTION: | |
397 * | |
398 * This function allocates space from the arena pointed to by "arena" to | |
399 * construct a filter that will match components of the X500Name pointed to | |
400 * by "name", and stores the resulting filter at "pFilter". | |
401 * | |
402 * "name" is checked for commonName and organizationName components (cn=, | |
403 * and o=). The component strings are extracted using the family of | |
404 * CERT_Get* functions, and each must be freed with PORT_Free. | |
405 * | |
406 * It is not clear which components should be in a request, so, for now, | |
407 * we stop adding components after we have found one. | |
408 * | |
409 * PARAMETERS: | |
410 * "arena" | |
411 * The address of the PLArenaPool used in creating the filter. Must be | |
412 * non-NULL. | |
413 * "name" | |
414 * The address of the X500Name whose components define the desired | |
415 * matches. Must be non-NULL. | |
416 * "pList" | |
417 * The address at which the result is stored. | |
418 * "plContext" | |
419 * Platform-specific context pointer | |
420 * THREAD SAFETY: | |
421 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
422 * RETURNS: | |
423 * Returns NULL if the function succeeds. | |
424 * Returns a CertStore Error if the function fails in a non-fatal way. | |
425 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
426 */ | |
427 static PKIX_Error * | |
428 pkix_pl_LdapCertStore_MakeNameAVAList( | |
429 PLArenaPool *arena, | |
430 PKIX_PL_X500Name *subjectName, | |
431 LDAPNameComponent ***pList, | |
432 void *plContext) | |
433 { | |
434 LDAPNameComponent **setOfNameComponents; | |
435 LDAPNameComponent *currentNameComponent = NULL; | |
436 PKIX_UInt32 componentsPresent = 0; | |
437 void *v = NULL; | |
438 unsigned char *component = NULL; | |
439 | |
440 PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_MakeNameAVAList"); | |
441 PKIX_NULLCHECK_THREE(arena, subjectName, pList); | |
442 | |
443 /* Increase this if additional components may be extracted */ | |
444 #define MAX_NUM_COMPONENTS 3 | |
445 | |
446 /* Space for (MAX_NUM_COMPONENTS + 1) pointers to LDAPNameComponents */ | |
447 PKIX_PL_NSSCALLRV(CERTSTORE, v, PORT_ArenaZAlloc, | |
448 (arena, (MAX_NUM_COMPONENTS + 1)*sizeof(LDAPNameComponent *))); | |
449 setOfNameComponents = (LDAPNameComponent **)v; | |
450 | |
451 /* Space for MAX_NUM_COMPONENTS LDAPNameComponents */ | |
452 PKIX_PL_NSSCALLRV(CERTSTORE, v, PORT_ArenaZNewArray, | |
453 (arena, LDAPNameComponent, MAX_NUM_COMPONENTS)); | |
454 | |
455 currentNameComponent = (LDAPNameComponent *)v; | |
456 | |
457 /* Try for commonName */ | |
458 PKIX_CHECK(pkix_pl_X500Name_GetCommonName | |
459 (subjectName, &component, plContext), | |
460 PKIX_X500NAMEGETCOMMONNAMEFAILED); | |
461 if (component) { | |
462 setOfNameComponents[componentsPresent] = currentNameComponent; | |
463 currentNameComponent->attrType = (unsigned char *)"cn"; | |
464 currentNameComponent->attrValue = component; | |
465 componentsPresent++; | |
466 currentNameComponent++; | |
467 } | |
468 | |
469 /* | |
470 * The LDAP specification says we can send multiple name components | |
471 * in an "AND" filter, but the LDAP Servers don't seem to be able to | |
472 * handle such requests. So we'll quit after the cn component. | |
473 */ | |
474 #if 0 | |
475 /* Try for orgName */ | |
476 PKIX_CHECK(pkix_pl_X500Name_GetOrgName | |
477 (subjectName, &component, plContext), | |
478 PKIX_X500NAMEGETORGNAMEFAILED); | |
479 if (component) { | |
480 setOfNameComponents[componentsPresent] = currentNameComponent; | |
481 currentNameComponent->attrType = (unsigned char *)"o"; | |
482 currentNameComponent->attrValue = component; | |
483 componentsPresent++; | |
484 currentNameComponent++; | |
485 } | |
486 | |
487 /* Try for countryName */ | |
488 PKIX_CHECK(pkix_pl_X500Name_GetCountryName | |
489 (subjectName, &component, plContext), | |
490 PKIX_X500NAMEGETCOUNTRYNAMEFAILED); | |
491 if (component) { | |
492 setOfNameComponents[componentsPresent] = currentNameComponent; | |
493 currentNameComponent->attrType = (unsigned char *)"c"; | |
494 currentNameComponent->attrValue = component; | |
495 componentsPresent++; | |
496 currentNameComponent++; | |
497 } | |
498 #endif | |
499 | |
500 setOfNameComponents[componentsPresent] = NULL; | |
501 | |
502 *pList = setOfNameComponents; | |
503 | |
504 cleanup: | |
505 | |
506 PKIX_RETURN(CERTSTORE); | |
507 | |
508 } | |
509 | |
510 #if 0 | |
511 /* | |
512 * FUNCTION: pkix_pl_LdapCertstore_ConvertCertResponses | |
513 * DESCRIPTION: | |
514 * | |
515 * This function processes the List of LDAPResponses pointed to by "responses" | |
516 * into a List of resulting Certs, storing the result at "pCerts". If there | |
517 * are no responses converted successfully, a NULL may be stored. | |
518 * | |
519 * PARAMETERS: | |
520 * "responses" | |
521 * The LDAPResponses whose contents are to be converted. Must be non-NULL. | |
522 * "pCerts" | |
523 * Address at which the returned List is stored. Must be non-NULL. | |
524 * "plContext" | |
525 * Platform-specific context pointer. | |
526 * THREAD SAFETY: | |
527 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | |
528 * RETURNS: | |
529 * Returns NULL if the function succeeds. | |
530 * Returns a CertStore Error if the function fails in a non-fatal way | |
531 * Returns a Fatal Error if the function fails in an unrecoverable way. | |
532 */ | |
533 PKIX_Error * | |
534 pkix_pl_LdapCertStore_ConvertCertResponses( | |
535 PKIX_List *responses, | |
536 PKIX_List **pCerts, | |
537 void *plContext) | |
538 { | |
539 PKIX_List *unfiltered = NULL; | |
540 | |
541 PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_ConvertCertResponses"); | |
542 PKIX_NULLCHECK_TWO(responses, pCerts); | |
543 | |
544 /* | |
545 * We have a List of LdapResponse objects that have to be | |
546 * turned into Certs. | |
547 */ | |
548 PKIX_CHECK(pkix_pl_LdapCertStore_BuildCertList | |
549 (responses, &unfiltered, plContext), | |
550 PKIX_LDAPCERTSTOREBUILDCERTLISTFAILED); | |
551 | |
552 *pCerts = unfiltered; | |
553 | |
554 cleanup: | |
555 | |
556 PKIX_RETURN(CERTSTORE); | |
557 } | |
558 #endif | |
559 | |
560 /* | |
561 * FUNCTION: pkix_pl_LdapCertStore_GetCert | |
562 * (see description of PKIX_CertStore_CertCallback in pkix_certstore.h) | |
563 */ | |
564 PKIX_Error * | |
565 pkix_pl_LdapCertStore_GetCert( | |
566 PKIX_CertStore *store, | |
567 PKIX_CertSelector *selector, | |
568 PKIX_VerifyNode *verifyNode, | |
569 void **pNBIOContext, | |
570 PKIX_List **pCertList, | |
571 void *plContext) | |
572 { | |
573 PLArenaPool *requestArena = NULL; | |
574 LDAPRequestParams requestParams; | |
575 void *pollDesc = NULL; | |
576 PKIX_Int32 minPathLen = 0; | |
577 PKIX_Boolean cacheFlag = PKIX_FALSE; | |
578 PKIX_ComCertSelParams *params = NULL; | |
579 PKIX_PL_LdapCertStoreContext *lcs = NULL; | |
580 PKIX_List *responses = NULL; | |
581 PKIX_List *unfilteredCerts = NULL; | |
582 PKIX_List *filteredCerts = NULL; | |
583 PKIX_PL_X500Name *subjectName = 0; | |
584 | |
585 PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_GetCert"); | |
586 PKIX_NULLCHECK_THREE(store, selector, pCertList); | |
587 | |
588 requestParams.baseObject = "c=US"; | |
589 requestParams.scope = WHOLE_SUBTREE; | |
590 requestParams.derefAliases = NEVER_DEREF; | |
591 requestParams.sizeLimit = 0; | |
592 requestParams.timeLimit = 0; | |
593 | |
594 /* Prepare elements for request filter */ | |
595 | |
596 /* | |
597 * Get a short-lived arena. We'll be done with this space once | |
598 * the request is encoded. | |
599 */ | |
600 requestArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
601 if (!requestArena) { | |
602 PKIX_ERROR_FATAL(PKIX_OUTOFMEMORY); | |
603 } | |
604 | |
605 PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams | |
606 (selector, ¶ms, plContext), | |
607 PKIX_CERTSELECTORGETCOMCERTSELPARAMSFAILED); | |
608 | |
609 /* | |
610 * If we have the subject name for the desired subject, | |
611 * ask the server for Certs with that subject. | |
612 */ | |
613 PKIX_CHECK(PKIX_ComCertSelParams_GetSubject | |
614 (params, &subjectName, plContext), | |
615 PKIX_COMCERTSELPARAMSGETSUBJECTFAILED); | |
616 | |
617 PKIX_CHECK(PKIX_ComCertSelParams_GetBasicConstraints | |
618 (params, &minPathLen, plContext), | |
619 PKIX_COMCERTSELPARAMSGETBASICCONSTRAINTSFAILED); | |
620 | |
621 if (subjectName) { | |
622 PKIX_CHECK(pkix_pl_LdapCertStore_MakeNameAVAList | |
623 (requestArena, | |
624 subjectName, | |
625 &(requestParams.nc), | |
626 plContext), | |
627 PKIX_LDAPCERTSTOREMAKENAMEAVALISTFAILED); | |
628 | |
629 if (*requestParams.nc == NULL) { | |
630 /* | |
631 * The subjectName may not include any components | |
632 * that we know how to encode. We do not return | |
633 * an error, because the caller did not necessarily | |
634 * do anything wrong, but we return an empty List. | |
635 */ | |
636 PKIX_PL_NSSCALL(CERTSTORE, PORT_FreeArena, | |
637 (requestArena, PR_FALSE)); | |
638 | |
639 PKIX_CHECK(PKIX_List_Create(&filteredCerts, plContext), | |
640 PKIX_LISTCREATEFAILED); | |
641 | |
642 PKIX_CHECK(PKIX_List_SetImmutable | |
643 (filteredCerts, plContext), | |
644 PKIX_LISTSETIMMUTABLEFAILED); | |
645 | |
646 *pNBIOContext = NULL; | |
647 *pCertList = filteredCerts; | |
648 filteredCerts = NULL; | |
649 goto cleanup; | |
650 } | |
651 } else { | |
652 PKIX_ERROR(PKIX_INSUFFICIENTCRITERIAFORCERTQUERY); | |
653 } | |
654 | |
655 /* Prepare attribute field of request */ | |
656 | |
657 requestParams.attributes = 0; | |
658 | |
659 if (minPathLen < 0) { | |
660 requestParams.attributes |= LDAPATTR_USERCERT; | |
661 } | |
662 | |
663 if (minPathLen > -2) { | |
664 requestParams.attributes |= | |
665 LDAPATTR_CACERT | LDAPATTR_CROSSPAIRCERT; | |
666 } | |
667 | |
668 /* All request fields are done */ | |
669 | |
670 PKIX_CHECK(PKIX_CertStore_GetCertStoreContext | |
671 (store, (PKIX_PL_Object **)&lcs, plContext), | |
672 PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED); | |
673 | |
674 PKIX_CHECK(PKIX_PL_LdapClient_InitiateRequest | |
675 ((PKIX_PL_LdapClient *)lcs, | |
676 &requestParams, | |
677 &pollDesc, | |
678 &responses, | |
679 plContext), | |
680 PKIX_LDAPCLIENTINITIATEREQUESTFAILED); | |
681 | |
682 PKIX_CHECK(pkix_pl_LdapCertStore_DestroyAVAList | |
683 (requestParams.nc, plContext), | |
684 PKIX_LDAPCERTSTOREDESTROYAVALISTFAILED); | |
685 | |
686 if (requestArena) { | |
687 PKIX_PL_NSSCALL(CERTSTORE, PORT_FreeArena, | |
688 (requestArena, PR_FALSE)); | |
689 requestArena = NULL; | |
690 } | |
691 | |
692 if (pollDesc != NULL) { | |
693 /* client is waiting for non-blocking I/O to complete */ | |
694 *pNBIOContext = (void *)pollDesc; | |
695 *pCertList = NULL; | |
696 goto cleanup; | |
697 } | |
698 /* LdapClient has given us a response! */ | |
699 | |
700 if (responses) { | |
701 PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag | |
702 (store, &cacheFlag, plContext), | |
703 PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED); | |
704 | |
705 PKIX_CHECK(pkix_pl_LdapCertStore_BuildCertList | |
706 (responses, &unfilteredCerts, plContext), | |
707 PKIX_LDAPCERTSTOREBUILDCERTLISTFAILED); | |
708 | |
709 PKIX_CHECK(pkix_CertSelector_Select | |
710 (selector, unfilteredCerts, &filteredCerts, plContext), | |
711 PKIX_CERTSELECTORSELECTFAILED); | |
712 } | |
713 | |
714 *pNBIOContext = NULL; | |
715 *pCertList = filteredCerts; | |
716 filteredCerts = NULL; | |
717 | |
718 cleanup: | |
719 | |
720 PKIX_DECREF(params); | |
721 PKIX_DECREF(subjectName); | |
722 PKIX_DECREF(responses); | |
723 PKIX_DECREF(unfilteredCerts); | |
724 PKIX_DECREF(filteredCerts); | |
725 PKIX_DECREF(lcs); | |
726 | |
727 PKIX_RETURN(CERTSTORE); | |
728 } | |
729 | |
730 /* | |
731 * FUNCTION: pkix_pl_LdapCertStore_GetCertContinue | |
732 * (see description of PKIX_CertStore_CertCallback in pkix_certstore.h) | |
733 */ | |
734 PKIX_Error * | |
735 pkix_pl_LdapCertStore_GetCertContinue( | |
736 PKIX_CertStore *store, | |
737 PKIX_CertSelector *selector, | |
738 PKIX_VerifyNode *verifyNode, | |
739 void **pNBIOContext, | |
740 PKIX_List **pCertList, | |
741 void *plContext) | |
742 { | |
743 PKIX_Boolean cacheFlag = PKIX_FALSE; | |
744 PKIX_PL_LdapCertStoreContext *lcs = NULL; | |
745 void *pollDesc = NULL; | |
746 PKIX_List *responses = NULL; | |
747 PKIX_List *unfilteredCerts = NULL; | |
748 PKIX_List *filteredCerts = NULL; | |
749 | |
750 PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_GetCertContinue"); | |
751 PKIX_NULLCHECK_THREE(store, selector, pCertList); | |
752 | |
753 PKIX_CHECK(PKIX_CertStore_GetCertStoreContext | |
754 (store, (PKIX_PL_Object **)&lcs, plContext), | |
755 PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED); | |
756 | |
757 PKIX_CHECK(PKIX_PL_LdapClient_ResumeRequest | |
758 ((PKIX_PL_LdapClient *)lcs, &pollDesc, &responses, plContext), | |
759 PKIX_LDAPCLIENTRESUMEREQUESTFAILED); | |
760 | |
761 if (pollDesc != NULL) { | |
762 /* client is waiting for non-blocking I/O to complete */ | |
763 *pNBIOContext = (void *)pollDesc; | |
764 *pCertList = NULL; | |
765 goto cleanup; | |
766 } | |
767 /* LdapClient has given us a response! */ | |
768 | |
769 if (responses) { | |
770 PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag | |
771 (store, &cacheFlag, plContext), | |
772 PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED); | |
773 | |
774 PKIX_CHECK(pkix_pl_LdapCertStore_BuildCertList | |
775 (responses, &unfilteredCerts, plContext), | |
776 PKIX_LDAPCERTSTOREBUILDCERTLISTFAILED); | |
777 | |
778 PKIX_CHECK(pkix_CertSelector_Select | |
779 (selector, unfilteredCerts, &filteredCerts, plContext), | |
780 PKIX_CERTSELECTORSELECTFAILED); | |
781 } | |
782 | |
783 *pNBIOContext = NULL; | |
784 *pCertList = filteredCerts; | |
785 | |
786 cleanup: | |
787 | |
788 PKIX_DECREF(responses); | |
789 PKIX_DECREF(unfilteredCerts); | |
790 PKIX_DECREF(lcs); | |
791 | |
792 PKIX_RETURN(CERTSTORE); | |
793 } | |
794 | |
795 /* | |
796 * FUNCTION: pkix_pl_LdapCertStore_GetCRL | |
797 * (see description of PKIX_CertStore_CRLCallback in pkix_certstore.h) | |
798 */ | |
799 PKIX_Error * | |
800 pkix_pl_LdapCertStore_GetCRL( | |
801 PKIX_CertStore *store, | |
802 PKIX_CRLSelector *selector, | |
803 void **pNBIOContext, | |
804 PKIX_List **pCrlList, | |
805 void *plContext) | |
806 { | |
807 LDAPRequestParams requestParams; | |
808 void *pollDesc = NULL; | |
809 PLArenaPool *requestArena = NULL; | |
810 PKIX_UInt32 numNames = 0; | |
811 PKIX_UInt32 thisName = 0; | |
812 PKIX_PL_CRL *candidate = NULL; | |
813 PKIX_List *responses = NULL; | |
814 PKIX_List *issuerNames = NULL; | |
815 PKIX_List *filteredCRLs = NULL; | |
816 PKIX_List *unfilteredCRLs = NULL; | |
817 PKIX_PL_X500Name *issuer = NULL; | |
818 PKIX_PL_LdapCertStoreContext *lcs = NULL; | |
819 PKIX_ComCRLSelParams *params = NULL; | |
820 | |
821 PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_GetCRL"); | |
822 PKIX_NULLCHECK_THREE(store, selector, pCrlList); | |
823 | |
824 requestParams.baseObject = "c=US"; | |
825 requestParams.scope = WHOLE_SUBTREE; | |
826 requestParams.derefAliases = NEVER_DEREF; | |
827 requestParams.sizeLimit = 0; | |
828 requestParams.timeLimit = 0; | |
829 requestParams.attributes = LDAPATTR_CERTREVLIST | LDAPATTR_AUTHREVLIST; | |
830 /* Prepare elements for request filter */ | |
831 | |
832 /* XXX Place CRLDP code here. Handle the case when */ | |
833 /* RFC 5280. Paragraph: 4.2.1.13: */ | |
834 /* If the distributionPoint field contains a directoryName, the entry */ | |
835 /* for that directoryName contains the current CRL for the associated */ | |
836 /* reasons and the CRL is issued by the associated cRLIssuer. The CRL *
/ | |
837 /* may be stored in either the certificateRevocationList or */ | |
838 /* authorityRevocationList attribute. The CRL is to be obtained by the
*/ | |
839 /* application from whatever directory server is locally configured. */ | |
840 /* The protocol the application uses to access the directory (e.g., DAP
*/ | |
841 /* or LDAP) is a local matter. */ | |
842 | |
843 | |
844 | |
845 /* | |
846 * Get a short-lived arena. We'll be done with this space once | |
847 * the request is encoded. | |
848 */ | |
849 PKIX_PL_NSSCALLRV | |
850 (CERTSTORE, requestArena, PORT_NewArena, (DER_DEFAULT_CHUNKSIZE)); | |
851 | |
852 if (!requestArena) { | |
853 PKIX_ERROR_FATAL(PKIX_OUTOFMEMORY); | |
854 } | |
855 | |
856 PKIX_CHECK(PKIX_CRLSelector_GetCommonCRLSelectorParams | |
857 (selector, ¶ms, plContext), | |
858 PKIX_CRLSELECTORGETCOMCERTSELPARAMSFAILED); | |
859 | |
860 PKIX_CHECK(PKIX_ComCRLSelParams_GetIssuerNames | |
861 (params, &issuerNames, plContext), | |
862 PKIX_COMCRLSELPARAMSGETISSUERNAMESFAILED); | |
863 | |
864 /* | |
865 * The specification for PKIX_ComCRLSelParams_GetIssuerNames in | |
866 * pkix_crlsel.h says that if the criterion is not set we get a null | |
867 * pointer. If we get an empty List the criterion is impossible to | |
868 * meet ("must match at least one of the names in the List"). | |
869 */ | |
870 if (issuerNames) { | |
871 | |
872 PKIX_CHECK(PKIX_List_GetLength | |
873 (issuerNames, &numNames, plContext), | |
874 PKIX_LISTGETLENGTHFAILED); | |
875 | |
876 if (numNames > 0) { | |
877 for (thisName = 0; thisName < numNames; thisName++) { | |
878 PKIX_CHECK(PKIX_List_GetItem | |
879 (issuerNames, | |
880 thisName, | |
881 (PKIX_PL_Object **)&issuer, | |
882 plContext), | |
883 PKIX_LISTGETITEMFAILED); | |
884 | |
885 PKIX_CHECK | |
886 (pkix_pl_LdapCertStore_MakeNameAVAList | |
887 (requestArena, | |
888 issuer, | |
889 &(requestParams.nc), | |
890 plContext), | |
891 PKIX_LDAPCERTSTOREMAKENAMEAVALISTFAILED)
; | |
892 | |
893 PKIX_DECREF(issuer); | |
894 | |
895 if (*requestParams.nc == NULL) { | |
896 /* | |
897 * The issuer may not include any | |
898 * components that we know how to | |
899 * encode. We do not return an error, | |
900 * because the caller did not | |
901 * necessarily do anything wrong, but | |
902 * we return an empty List. | |
903 */ | |
904 PKIX_PL_NSSCALL | |
905 (CERTSTORE, PORT_FreeArena, | |
906 (requestArena, PR_FALSE)); | |
907 | |
908 PKIX_CHECK(PKIX_List_Create | |
909 (&filteredCRLs, plContext), | |
910 PKIX_LISTCREATEFAILED); | |
911 | |
912 PKIX_CHECK(PKIX_List_SetImmutable | |
913 (filteredCRLs, plContext), | |
914 PKIX_LISTSETIMMUTABLEFAILED); | |
915 | |
916 *pNBIOContext = NULL; | |
917 *pCrlList = filteredCRLs; | |
918 goto cleanup; | |
919 } | |
920 | |
921 /* | |
922 * LDAP Servers don't seem to be able to handle | |
923 * requests with more than more than one name. | |
924 */ | |
925 break; | |
926 } | |
927 } else { | |
928 PKIX_ERROR(PKIX_IMPOSSIBLECRITERIONFORCRLQUERY); | |
929 } | |
930 } else { | |
931 PKIX_ERROR(PKIX_IMPOSSIBLECRITERIONFORCRLQUERY); | |
932 } | |
933 | |
934 /* All request fields are done */ | |
935 | |
936 PKIX_CHECK(PKIX_CertStore_GetCertStoreContext | |
937 (store, (PKIX_PL_Object **)&lcs, plContext), | |
938 PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED); | |
939 | |
940 PKIX_CHECK(PKIX_PL_LdapClient_InitiateRequest | |
941 ((PKIX_PL_LdapClient *)lcs, | |
942 &requestParams, | |
943 &pollDesc, | |
944 &responses, | |
945 plContext), | |
946 PKIX_LDAPCLIENTINITIATEREQUESTFAILED); | |
947 | |
948 PKIX_CHECK(pkix_pl_LdapCertStore_DestroyAVAList | |
949 (requestParams.nc, plContext), | |
950 PKIX_LDAPCERTSTOREDESTROYAVALISTFAILED); | |
951 | |
952 if (requestArena) { | |
953 PKIX_PL_NSSCALL(CERTSTORE, PORT_FreeArena, | |
954 (requestArena, PR_FALSE)); | |
955 } | |
956 | |
957 if (pollDesc != NULL) { | |
958 /* client is waiting for non-blocking I/O to complete */ | |
959 *pNBIOContext = (void *)pollDesc; | |
960 *pCrlList = NULL; | |
961 goto cleanup; | |
962 } | |
963 /* client has finished! */ | |
964 | |
965 if (responses) { | |
966 | |
967 /* | |
968 * We have a List of LdapResponse objects that still have to be | |
969 * turned into Crls. | |
970 */ | |
971 PKIX_CHECK(pkix_pl_LdapCertStore_BuildCrlList | |
972 (responses, &unfilteredCRLs, plContext), | |
973 PKIX_LDAPCERTSTOREBUILDCRLLISTFAILED); | |
974 | |
975 PKIX_CHECK(pkix_CRLSelector_Select | |
976 (selector, unfilteredCRLs, &filteredCRLs, plContext), | |
977 PKIX_CRLSELECTORSELECTFAILED); | |
978 | |
979 } | |
980 | |
981 /* Don't throw away the list if one CRL was bad! */ | |
982 pkixTempErrorReceived = PKIX_FALSE; | |
983 | |
984 *pNBIOContext = NULL; | |
985 *pCrlList = filteredCRLs; | |
986 | |
987 cleanup: | |
988 | |
989 if (PKIX_ERROR_RECEIVED) { | |
990 PKIX_DECREF(filteredCRLs); | |
991 } | |
992 | |
993 PKIX_DECREF(params); | |
994 PKIX_DECREF(issuerNames); | |
995 PKIX_DECREF(issuer); | |
996 PKIX_DECREF(candidate); | |
997 PKIX_DECREF(responses); | |
998 PKIX_DECREF(unfilteredCRLs); | |
999 PKIX_DECREF(lcs); | |
1000 | |
1001 PKIX_RETURN(CERTSTORE); | |
1002 } | |
1003 | |
1004 /* | |
1005 * FUNCTION: pkix_pl_LdapCertStore_GetCRLContinue | |
1006 * (see description of PKIX_CertStore_CRLCallback in pkix_certstore.h) | |
1007 */ | |
1008 PKIX_Error * | |
1009 pkix_pl_LdapCertStore_GetCRLContinue( | |
1010 PKIX_CertStore *store, | |
1011 PKIX_CRLSelector *selector, | |
1012 void **pNBIOContext, | |
1013 PKIX_List **pCrlList, | |
1014 void *plContext) | |
1015 { | |
1016 void *nbio = NULL; | |
1017 PKIX_PL_CRL *candidate = NULL; | |
1018 PKIX_List *responses = NULL; | |
1019 PKIX_PL_LdapCertStoreContext *lcs = NULL; | |
1020 PKIX_List *filteredCRLs = NULL; | |
1021 PKIX_List *unfilteredCRLs = NULL; | |
1022 | |
1023 PKIX_ENTER(CERTSTORE, "pkix_pl_LdapCertStore_GetCRLContinue"); | |
1024 PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCrlList); | |
1025 | |
1026 PKIX_CHECK(PKIX_CertStore_GetCertStoreContext | |
1027 (store, (PKIX_PL_Object **)&lcs, plContext), | |
1028 PKIX_CERTSTOREGETCERTSTORECONTEXTFAILED); | |
1029 | |
1030 PKIX_CHECK(PKIX_PL_LdapClient_ResumeRequest | |
1031 ((PKIX_PL_LdapClient *)lcs, &nbio, &responses, plContext), | |
1032 PKIX_LDAPCLIENTRESUMEREQUESTFAILED); | |
1033 | |
1034 if (nbio != NULL) { | |
1035 /* client is waiting for non-blocking I/O to complete */ | |
1036 *pNBIOContext = (void *)nbio; | |
1037 *pCrlList = NULL; | |
1038 goto cleanup; | |
1039 } | |
1040 /* client has finished! */ | |
1041 | |
1042 if (responses) { | |
1043 | |
1044 /* | |
1045 * We have a List of LdapResponse objects that still have to be | |
1046 * turned into Crls. | |
1047 */ | |
1048 PKIX_CHECK(pkix_pl_LdapCertStore_BuildCrlList | |
1049 (responses, &unfilteredCRLs, plContext), | |
1050 PKIX_LDAPCERTSTOREBUILDCRLLISTFAILED); | |
1051 | |
1052 PKIX_CHECK(pkix_CRLSelector_Select | |
1053 (selector, unfilteredCRLs, &filteredCRLs, plContext), | |
1054 PKIX_CRLSELECTORSELECTFAILED); | |
1055 | |
1056 PKIX_CHECK(PKIX_List_SetImmutable(filteredCRLs, plContext), | |
1057 PKIX_LISTSETIMMUTABLEFAILED); | |
1058 | |
1059 } | |
1060 | |
1061 /* Don't throw away the list if one CRL was bad! */ | |
1062 pkixTempErrorReceived = PKIX_FALSE; | |
1063 | |
1064 *pCrlList = filteredCRLs; | |
1065 | |
1066 cleanup: | |
1067 if (PKIX_ERROR_RECEIVED) { | |
1068 PKIX_DECREF(filteredCRLs); | |
1069 } | |
1070 | |
1071 PKIX_DECREF(candidate); | |
1072 PKIX_DECREF(responses); | |
1073 PKIX_DECREF(unfilteredCRLs); | |
1074 PKIX_DECREF(lcs); | |
1075 | |
1076 PKIX_RETURN(CERTSTORE); | |
1077 } | |
1078 | |
1079 /* --Public-LdapCertStore-Functions----------------------------------- */ | |
1080 | |
1081 /* | |
1082 * FUNCTION: PKIX_PL_LdapCertStore_Create | |
1083 * (see comments in pkix_samples_modules.h) | |
1084 */ | |
1085 PKIX_Error * | |
1086 PKIX_PL_LdapCertStore_Create( | |
1087 PKIX_PL_LdapClient *client, | |
1088 PKIX_CertStore **pCertStore, | |
1089 void *plContext) | |
1090 { | |
1091 PKIX_CertStore *certStore = NULL; | |
1092 | |
1093 PKIX_ENTER(CERTSTORE, "PKIX_PL_LdapCertStore_Create"); | |
1094 PKIX_NULLCHECK_TWO(client, pCertStore); | |
1095 | |
1096 PKIX_CHECK(PKIX_CertStore_Create | |
1097 (pkix_pl_LdapCertStore_GetCert, | |
1098 pkix_pl_LdapCertStore_GetCRL, | |
1099 pkix_pl_LdapCertStore_GetCertContinue, | |
1100 pkix_pl_LdapCertStore_GetCRLContinue, | |
1101 NULL, /* don't support trust */ | |
1102 NULL, /* can not store crls */ | |
1103 NULL, /* can not do revocation check */ | |
1104 (PKIX_PL_Object *)client, | |
1105 PKIX_TRUE, /* cache flag */ | |
1106 PKIX_FALSE, /* not local */ | |
1107 &certStore, | |
1108 plContext), | |
1109 PKIX_CERTSTORECREATEFAILED); | |
1110 | |
1111 *pCertStore = certStore; | |
1112 | |
1113 cleanup: | |
1114 | |
1115 PKIX_RETURN(CERTSTORE); | |
1116 } | |
OLD | NEW |