Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(3)

Unified Diff: nss/lib/libpkix/pkix/checker/pkix_policychecker.c

Issue 2078763002: Delete bundled copy of NSS and replace with README. (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/nss@master
Patch Set: Delete bundled copy of NSS and replace with README. Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: nss/lib/libpkix/pkix/checker/pkix_policychecker.c
diff --git a/nss/lib/libpkix/pkix/checker/pkix_policychecker.c b/nss/lib/libpkix/pkix/checker/pkix_policychecker.c
deleted file mode 100755
index 8e40596541a8431162d1cd589860db9ae0e97eb0..0000000000000000000000000000000000000000
--- a/nss/lib/libpkix/pkix/checker/pkix_policychecker.c
+++ /dev/null
@@ -1,2783 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/*
- * pkix_policychecker.c
- *
- * Functions for Policy Checker
- *
- */
-#include "pkix_policychecker.h"
-
-/* --Forward declarations----------------------------------------------- */
-
-static PKIX_Error *
-pkix_PolicyChecker_MakeSingleton(
- PKIX_PL_Object *listItem,
- PKIX_Boolean immutability,
- PKIX_List **pList,
- void *plContext);
-
-/* --Private-PolicyCheckerState-Functions---------------------------------- */
-
-/*
- * FUNCTION:pkix_PolicyCheckerState_Destroy
- * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
- */
-static PKIX_Error *
-pkix_PolicyCheckerState_Destroy(
- PKIX_PL_Object *object,
- void *plContext)
-{
- PKIX_PolicyCheckerState *checkerState = NULL;
-
- PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Destroy");
- PKIX_NULLCHECK_ONE(object);
-
- PKIX_CHECK(pkix_CheckType
- (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
- PKIX_OBJECTNOTPOLICYCHECKERSTATE);
-
- checkerState = (PKIX_PolicyCheckerState *)object;
-
- PKIX_DECREF(checkerState->certPoliciesExtension);
- PKIX_DECREF(checkerState->policyMappingsExtension);
- PKIX_DECREF(checkerState->policyConstraintsExtension);
- PKIX_DECREF(checkerState->inhibitAnyPolicyExtension);
- PKIX_DECREF(checkerState->anyPolicyOID);
- PKIX_DECREF(checkerState->validPolicyTree);
- PKIX_DECREF(checkerState->userInitialPolicySet);
- PKIX_DECREF(checkerState->mappedUserInitialPolicySet);
-
- checkerState->policyQualifiersRejected = PKIX_FALSE;
- checkerState->explicitPolicy = 0;
- checkerState->inhibitAnyPolicy = 0;
- checkerState->policyMapping = 0;
- checkerState->numCerts = 0;
- checkerState->certsProcessed = 0;
- checkerState->certPoliciesCritical = PKIX_FALSE;
-
- PKIX_DECREF(checkerState->anyPolicyNodeAtBottom);
- PKIX_DECREF(checkerState->newAnyPolicyNode);
- PKIX_DECREF(checkerState->mappedPolicyOIDs);
-
-cleanup:
-
- PKIX_RETURN(CERTPOLICYCHECKERSTATE);
-}
-
-/*
- * FUNCTION: pkix_PolicyCheckerState_ToString
- * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
- */
-static PKIX_Error *
-pkix_PolicyCheckerState_ToString(
- PKIX_PL_Object *object,
- PKIX_PL_String **pCheckerStateString,
- void *plContext)
-{
- PKIX_PolicyCheckerState *state = NULL;
- PKIX_PL_String *resultString = NULL;
- PKIX_PL_String *policiesExtOIDString = NULL;
- PKIX_PL_String *policyMapOIDString = NULL;
- PKIX_PL_String *policyConstrOIDString = NULL;
- PKIX_PL_String *inhAnyPolOIDString = NULL;
- PKIX_PL_String *anyPolicyOIDString = NULL;
- PKIX_PL_String *validPolicyTreeString = NULL;
- PKIX_PL_String *userInitialPolicySetString = NULL;
- PKIX_PL_String *mappedUserPolicySetString = NULL;
- PKIX_PL_String *mappedPolicyOIDsString = NULL;
- PKIX_PL_String *anyAtBottomString = NULL;
- PKIX_PL_String *newAnyPolicyString = NULL;
- PKIX_PL_String *formatString = NULL;
- PKIX_PL_String *trueString = NULL;
- PKIX_PL_String *falseString = NULL;
- PKIX_PL_String *nullString = NULL;
- PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
- PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
- PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
- PKIX_Boolean initialIsAnyPolicy = PKIX_FALSE;
- PKIX_Boolean policyQualifiersRejected = PKIX_FALSE;
- PKIX_Boolean certPoliciesCritical = PKIX_FALSE;
- char *asciiFormat =
- "{\n"
- "\tcertPoliciesExtension: \t%s\n"
- "\tpolicyMappingsExtension: \t%s\n"
- "\tpolicyConstraintsExtension:\t%s\n"
- "\tinhibitAnyPolicyExtension:\t%s\n"
- "\tanyPolicyOID: \t%s\n"
- "\tinitialIsAnyPolicy: \t%s\n"
- "\tvalidPolicyTree: \t%s\n"
- "\tuserInitialPolicySet: \t%s\n"
- "\tmappedUserPolicySet: \t%s\n"
- "\tpolicyQualifiersRejected: \t%s\n"
- "\tinitialPolMappingInhibit: \t%s\n"
- "\tinitialExplicitPolicy: \t%s\n"
- "\tinitialAnyPolicyInhibit: \t%s\n"
- "\texplicitPolicy: \t%d\n"
- "\tinhibitAnyPolicy: \t%d\n"
- "\tpolicyMapping: \t%d\n"
- "\tnumCerts: \t%d\n"
- "\tcertsProcessed: \t%d\n"
- "\tanyPolicyNodeAtBottom: \t%s\n"
- "\tnewAnyPolicyNode: \t%s\n"
- "\tcertPoliciesCritical: \t%s\n"
- "\tmappedPolicyOIDs: \t%s\n"
- "}";
-
- PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_ToString");
-
- PKIX_NULLCHECK_TWO(object, pCheckerStateString);
-
- PKIX_CHECK(pkix_CheckType
- (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
- PKIX_OBJECTNOTPOLICYCHECKERSTATE);
-
- state = (PKIX_PolicyCheckerState *)object;
- PKIX_NULLCHECK_THREE
- (state->certPoliciesExtension,
- state->policyMappingsExtension,
- state->policyConstraintsExtension);
- PKIX_NULLCHECK_THREE
- (state->inhibitAnyPolicyExtension,
- state->anyPolicyOID,
- state->userInitialPolicySet);
-
- PKIX_CHECK(PKIX_PL_String_Create
- (PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
- PKIX_STRINGCREATEFAILED);
- /*
- * Create TRUE, FALSE, and "NULL" PKIX_PL_Strings. But creating a
- * PKIX_PL_String is complicated enough, it's worth checking, for
- * each, to make sure the string is needed.
- */
- initialPolicyMappingInhibit = state->initialPolicyMappingInhibit;
- initialExplicitPolicy = state->initialExplicitPolicy;
- initialAnyPolicyInhibit = state->initialAnyPolicyInhibit;
- initialIsAnyPolicy = state->initialIsAnyPolicy;
- policyQualifiersRejected = state->policyQualifiersRejected;
- certPoliciesCritical = state->certPoliciesCritical;
-
- if (initialPolicyMappingInhibit || initialExplicitPolicy ||
- initialAnyPolicyInhibit || initialIsAnyPolicy ||
- policyQualifiersRejected || certPoliciesCritical) {
- PKIX_CHECK(PKIX_PL_String_Create
- (PKIX_ESCASCII, "TRUE", 0, &trueString, plContext),
- PKIX_STRINGCREATEFAILED);
- }
- if (!initialPolicyMappingInhibit || !initialExplicitPolicy ||
- !initialAnyPolicyInhibit || !initialIsAnyPolicy ||
- !policyQualifiersRejected || !certPoliciesCritical) {
- PKIX_CHECK(PKIX_PL_String_Create
- (PKIX_ESCASCII, "FALSE", 0, &falseString, plContext),
- PKIX_STRINGCREATEFAILED);
- }
- if (!(state->anyPolicyNodeAtBottom) || !(state->newAnyPolicyNode)) {
- PKIX_CHECK(PKIX_PL_String_Create
- (PKIX_ESCASCII, "(null)", 0, &nullString, plContext),
- PKIX_STRINGCREATEFAILED);
- }
-
- PKIX_TOSTRING
- (state->certPoliciesExtension, &policiesExtOIDString, plContext,
- PKIX_OBJECTTOSTRINGFAILED);
-
- PKIX_TOSTRING
- (state->policyMappingsExtension,
- &policyMapOIDString,
- plContext,
- PKIX_OBJECTTOSTRINGFAILED);
-
- PKIX_TOSTRING
- (state->policyConstraintsExtension,
- &policyConstrOIDString,
- plContext,
- PKIX_OBJECTTOSTRINGFAILED);
-
- PKIX_TOSTRING
- (state->inhibitAnyPolicyExtension,
- &inhAnyPolOIDString,
- plContext,
- PKIX_OBJECTTOSTRINGFAILED);
-
- PKIX_TOSTRING(state->anyPolicyOID, &anyPolicyOIDString, plContext,
- PKIX_OBJECTTOSTRINGFAILED);
-
- PKIX_TOSTRING(state->validPolicyTree, &validPolicyTreeString, plContext,
- PKIX_OBJECTTOSTRINGFAILED);
-
- PKIX_TOSTRING
- (state->userInitialPolicySet,
- &userInitialPolicySetString,
- plContext,
- PKIX_OBJECTTOSTRINGFAILED);
-
- PKIX_TOSTRING
- (state->mappedUserInitialPolicySet,
- &mappedUserPolicySetString,
- plContext,
- PKIX_OBJECTTOSTRINGFAILED);
-
- if (state->anyPolicyNodeAtBottom) {
- PKIX_CHECK(pkix_SinglePolicyNode_ToString
- (state->anyPolicyNodeAtBottom,
- &anyAtBottomString,
- plContext),
- PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
- } else {
- PKIX_INCREF(nullString);
- anyAtBottomString = nullString;
- }
-
- if (state->newAnyPolicyNode) {
- PKIX_CHECK(pkix_SinglePolicyNode_ToString
- (state->newAnyPolicyNode,
- &newAnyPolicyString,
- plContext),
- PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
- } else {
- PKIX_INCREF(nullString);
- newAnyPolicyString = nullString;
- }
-
- PKIX_TOSTRING
- (state->mappedPolicyOIDs,
- &mappedPolicyOIDsString,
- plContext,
- PKIX_OBJECTTOSTRINGFAILED);
-
- PKIX_CHECK(PKIX_PL_Sprintf
- (&resultString,
- plContext,
- formatString,
- policiesExtOIDString,
- policyMapOIDString,
- policyConstrOIDString,
- inhAnyPolOIDString,
- anyPolicyOIDString,
- initialIsAnyPolicy?trueString:falseString,
- validPolicyTreeString,
- userInitialPolicySetString,
- mappedUserPolicySetString,
- policyQualifiersRejected?trueString:falseString,
- initialPolicyMappingInhibit?trueString:falseString,
- initialExplicitPolicy?trueString:falseString,
- initialAnyPolicyInhibit?trueString:falseString,
- state->explicitPolicy,
- state->inhibitAnyPolicy,
- state->policyMapping,
- state->numCerts,
- state->certsProcessed,
- anyAtBottomString,
- newAnyPolicyString,
- certPoliciesCritical?trueString:falseString,
- mappedPolicyOIDsString),
- PKIX_SPRINTFFAILED);
-
- *pCheckerStateString = resultString;
-
-cleanup:
- PKIX_DECREF(policiesExtOIDString);
- PKIX_DECREF(policyMapOIDString);
- PKIX_DECREF(policyConstrOIDString);
- PKIX_DECREF(inhAnyPolOIDString);
- PKIX_DECREF(anyPolicyOIDString);
- PKIX_DECREF(validPolicyTreeString);
- PKIX_DECREF(userInitialPolicySetString);
- PKIX_DECREF(mappedUserPolicySetString);
- PKIX_DECREF(anyAtBottomString);
- PKIX_DECREF(newAnyPolicyString);
- PKIX_DECREF(mappedPolicyOIDsString);
- PKIX_DECREF(formatString);
- PKIX_DECREF(trueString);
- PKIX_DECREF(falseString);
- PKIX_DECREF(nullString);
-
- PKIX_RETURN(CERTPOLICYCHECKERSTATE);
-}
-
-/*
- * FUNCTION: pkix_PolicyCheckerState_RegisterSelf
- * DESCRIPTION:
- *
- * Registers PKIX_POLICYCHECKERSTATE_TYPE and its related functions
- * with systemClasses[]
- *
- * PARAMETERS:
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Not Thread Safe - for performance and complexity reasons
- *
- * Since this function is only called by PKIX_PL_Initialize, which should
- * only be called once, it is acceptable that this function is not
- * thread-safe.
- */
-PKIX_Error *
-pkix_PolicyCheckerState_RegisterSelf(void *plContext)
-{
- extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
- pkix_ClassTable_Entry entry;
-
- PKIX_ENTER
- (CERTPOLICYCHECKERSTATE,
- "pkix_PolicyCheckerState_RegisterSelf");
-
- entry.description = "PolicyCheckerState";
- entry.objCounter = 0;
- entry.typeObjectSize = sizeof(PKIX_PolicyCheckerState);
- entry.destructor = pkix_PolicyCheckerState_Destroy;
- entry.equalsFunction = NULL;
- entry.hashcodeFunction = NULL;
- entry.toStringFunction = pkix_PolicyCheckerState_ToString;
- entry.comparator = NULL;
- entry.duplicateFunction = NULL;
-
- systemClasses[PKIX_CERTPOLICYCHECKERSTATE_TYPE] = entry;
-
- PKIX_RETURN(CERTPOLICYCHECKERSTATE);
-}
-
-/*
- * FUNCTION:pkix_PolicyCheckerState_Create
- * DESCRIPTION:
- *
- * Creates a PolicyCheckerState Object, using the List pointed to
- * by "initialPolicies" for the user-initial-policy-set, the Boolean value
- * of "policyQualifiersRejected" for the policyQualifiersRejected parameter,
- * the Boolean value of "initialPolicyMappingInhibit" for the
- * inhibitPolicyMappings parameter, the Boolean value of
- * "initialExplicitPolicy" for the initialExplicitPolicy parameter, the
- * Boolean value of "initialAnyPolicyInhibit" for the inhibitAnyPolicy
- * parameter, and the UInt32 value of "numCerts" as the number of
- * certificates in the chain; and stores the Object at "pCheckerState".
- *
- * PARAMETERS:
- * "initialPolicies"
- * Address of List of OIDs comprising the user-initial-policy-set; the List
- * may be empty, but must be non-NULL
- * "policyQualifiersRejected"
- * Boolean value of the policyQualifiersRejected parameter
- * "initialPolicyMappingInhibit"
- * Boolean value of the inhibitPolicyMappings parameter
- * "initialExplicitPolicy"
- * Boolean value of the initialExplicitPolicy parameter
- * "initialAnyPolicyInhibit"
- * Boolean value of the inhibitAnyPolicy parameter
- * "numCerts"
- * Number of certificates in the chain to be validated
- * "pCheckerState"
- * Address where PolicyCheckerState will be stored. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds
- * Returns a CertPolicyCheckerState Error if the functions fails in a
- * non-fatal way
- * Returns a Fatal Error if the function fails in an unrecoverable way
- */
-static PKIX_Error *
-pkix_PolicyCheckerState_Create(
- PKIX_List *initialPolicies,
- PKIX_Boolean policyQualifiersRejected,
- PKIX_Boolean initialPolicyMappingInhibit,
- PKIX_Boolean initialExplicitPolicy,
- PKIX_Boolean initialAnyPolicyInhibit,
- PKIX_UInt32 numCerts,
- PKIX_PolicyCheckerState **pCheckerState,
- void *plContext)
-{
- PKIX_PolicyCheckerState *checkerState = NULL;
- PKIX_PolicyNode *policyNode = NULL;
- PKIX_List *anyPolicyList = NULL;
- PKIX_Boolean initialPoliciesIsEmpty = PKIX_FALSE;
-
- PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Create");
- PKIX_NULLCHECK_TWO(initialPolicies, pCheckerState);
-
- PKIX_CHECK(PKIX_PL_Object_Alloc
- (PKIX_CERTPOLICYCHECKERSTATE_TYPE,
- sizeof (PKIX_PolicyCheckerState),
- (PKIX_PL_Object **)&checkerState,
- plContext),
- PKIX_COULDNOTCREATEPOLICYCHECKERSTATEOBJECT);
-
- /* Create constant PKIX_PL_OIDs: */
-
- PKIX_CHECK(PKIX_PL_OID_Create
- (PKIX_CERTIFICATEPOLICIES_OID,
- &(checkerState->certPoliciesExtension),
- plContext),
- PKIX_OIDCREATEFAILED);
-
- PKIX_CHECK(PKIX_PL_OID_Create
- (PKIX_POLICYMAPPINGS_OID,
- &(checkerState->policyMappingsExtension),
- plContext),
- PKIX_OIDCREATEFAILED);
-
- PKIX_CHECK(PKIX_PL_OID_Create
- (PKIX_POLICYCONSTRAINTS_OID,
- &(checkerState->policyConstraintsExtension),
- plContext),
- PKIX_OIDCREATEFAILED);
-
- PKIX_CHECK(PKIX_PL_OID_Create
- (PKIX_INHIBITANYPOLICY_OID,
- &(checkerState->inhibitAnyPolicyExtension),
- plContext),
- PKIX_OIDCREATEFAILED);
-
- PKIX_CHECK(PKIX_PL_OID_Create
- (PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID,
- &(checkerState->anyPolicyOID),
- plContext),
- PKIX_OIDCREATEFAILED);
-
- /* Create an initial policy set from argument supplied */
- PKIX_INCREF(initialPolicies);
- checkerState->userInitialPolicySet = initialPolicies;
- PKIX_INCREF(initialPolicies);
- checkerState->mappedUserInitialPolicySet = initialPolicies;
-
- PKIX_CHECK(PKIX_List_IsEmpty
- (initialPolicies,
- &initialPoliciesIsEmpty,
- plContext),
- PKIX_LISTISEMPTYFAILED);
- if (initialPoliciesIsEmpty) {
- checkerState->initialIsAnyPolicy = PKIX_TRUE;
- } else {
- PKIX_CHECK(pkix_List_Contains
- (initialPolicies,
- (PKIX_PL_Object *)(checkerState->anyPolicyOID),
- &(checkerState->initialIsAnyPolicy),
- plContext),
- PKIX_LISTCONTAINSFAILED);
- }
-
- checkerState->policyQualifiersRejected =
- policyQualifiersRejected;
- checkerState->initialExplicitPolicy = initialExplicitPolicy;
- checkerState->explicitPolicy =
- (initialExplicitPolicy? 0: numCerts + 1);
- checkerState->initialAnyPolicyInhibit = initialAnyPolicyInhibit;
- checkerState->inhibitAnyPolicy =
- (initialAnyPolicyInhibit? 0: numCerts + 1);
- checkerState->initialPolicyMappingInhibit = initialPolicyMappingInhibit;
- checkerState->policyMapping =
- (initialPolicyMappingInhibit? 0: numCerts + 1);
- ;
- checkerState->numCerts = numCerts;
- checkerState->certsProcessed = 0;
- checkerState->certPoliciesCritical = PKIX_FALSE;
-
- /* Create a valid_policy_tree as in RFC3280 6.1.2(a) */
- PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
- ((PKIX_PL_Object *)(checkerState->anyPolicyOID),
- PKIX_TRUE,
- &anyPolicyList,
- plContext),
- PKIX_POLICYCHECKERMAKESINGLETONFAILED);
-
- PKIX_CHECK(pkix_PolicyNode_Create
- (checkerState->anyPolicyOID, /* validPolicy */
- NULL, /* qualifier set */
- PKIX_FALSE, /* criticality */
- anyPolicyList, /* expectedPolicySet */
- &policyNode,
- plContext),
- PKIX_POLICYNODECREATEFAILED);
- checkerState->validPolicyTree = policyNode;
-
- /*
- * Since the initial validPolicyTree specifies
- * ANY_POLICY, begin with a pointer to the root node.
- */
- PKIX_INCREF(policyNode);
- checkerState->anyPolicyNodeAtBottom = policyNode;
-
- checkerState->newAnyPolicyNode = NULL;
-
- checkerState->mappedPolicyOIDs = NULL;
-
- *pCheckerState = checkerState;
- checkerState = NULL;
-
-cleanup:
-
- PKIX_DECREF(checkerState);
-
- PKIX_DECREF(anyPolicyList);
-
- PKIX_RETURN(CERTPOLICYCHECKERSTATE);
-}
-
-/* --Private-PolicyChecker-Functions--------------------------------------- */
-
-/*
- * FUNCTION: pkix_PolicyChecker_MapContains
- * DESCRIPTION:
- *
- * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to
- * determine whether the OID pointed to by "policy" is among the
- * issuerDomainPolicies or subjectDomainPolicies of "certPolicyMaps", and
- * stores the result in "pFound".
- *
- * This function is intended to allow an efficient check that the proscription
- * against anyPolicy being mapped, described in RFC3280 Section 6.1.4(a), is
- * not violated.
- *
- * PARAMETERS:
- * "certPolicyMaps"
- * Address of List of CertPolicyMaps to be searched. May be empty, but
- * must be non-NULL
- * "policy"
- * Address of OID to be checked for. Must be non-NULL
- * "pFound"
- * Address where the result of the search will be stored. Must be non-NULL.
- * "plContext"
- * platform-specific context pointer
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds
- * Returns a CertChainChecker Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way
- */
-PKIX_Error *
-pkix_PolicyChecker_MapContains(
- PKIX_List *certPolicyMaps,
- PKIX_PL_OID *policy,
- PKIX_Boolean *pFound,
- void *plContext)
-{
- PKIX_PL_CertPolicyMap *map = NULL;
- PKIX_UInt32 numEntries = 0;
- PKIX_UInt32 index = 0;
- PKIX_Boolean match = PKIX_FALSE;
- PKIX_PL_OID *issuerDomainPolicy = NULL;
- PKIX_PL_OID *subjectDomainPolicy = NULL;
-
- PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MapContains");
- PKIX_NULLCHECK_THREE(certPolicyMaps, policy, pFound);
-
- PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext),
- PKIX_LISTGETLENGTHFAILED);
-
- for (index = 0; (!match) && (index < numEntries); index++) {
- PKIX_CHECK(PKIX_List_GetItem
- (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_NULLCHECK_ONE(map);
-
- PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
- (map, &issuerDomainPolicy, plContext),
- PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
-
- PKIX_EQUALS
- (policy, issuerDomainPolicy, &match, plContext,
- PKIX_OBJECTEQUALSFAILED);
-
- if (!match) {
- PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
- (map, &subjectDomainPolicy, plContext),
- PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED);
-
- PKIX_EQUALS
- (policy, subjectDomainPolicy, &match, plContext,
- PKIX_OBJECTEQUALSFAILED);
- }
-
- PKIX_DECREF(map);
- PKIX_DECREF(issuerDomainPolicy);
- PKIX_DECREF(subjectDomainPolicy);
- }
-
- *pFound = match;
-
-cleanup:
-
- PKIX_DECREF(map);
- PKIX_DECREF(issuerDomainPolicy);
- PKIX_DECREF(subjectDomainPolicy);
- PKIX_RETURN(CERTCHAINCHECKER);
-}
-
-/*
- * FUNCTION: pkix_PolicyChecker_MapGetSubjectDomainPolicies
- * DESCRIPTION:
- *
- * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to create
- * a list of all SubjectDomainPolicies for which the IssuerDomainPolicy is the
- * policy pointed to by "policy", and stores the result in
- * "pSubjectDomainPolicies".
- *
- * If the List of CertPolicyMaps provided in "certPolicyMaps" is NULL, the
- * resulting List will be NULL. If there are CertPolicyMaps, but none that
- * include "policy" as an IssuerDomainPolicy, the returned List pointer will
- * be NULL. Otherwise, the returned List will contain the SubjectDomainPolicies
- * of all CertPolicyMaps for which "policy" is the IssuerDomainPolicy. If a
- * List is returned it will be immutable.
- *
- * PARAMETERS:
- * "certPolicyMaps"
- * Address of List of CertPolicyMaps to be searched. May be empty or NULL.
- * "policy"
- * Address of OID to be checked for. Must be non-NULL
- * "pSubjectDomainPolicies"
- * Address where the result of the search will be stored. Must be non-NULL.
- * "plContext"
- * platform-specific context pointer
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds
- * Returns a CertChainChecker Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way
- */
-PKIX_Error *
-pkix_PolicyChecker_MapGetSubjectDomainPolicies(
- PKIX_List *certPolicyMaps,
- PKIX_PL_OID *policy,
- PKIX_List **pSubjectDomainPolicies,
- void *plContext)
-{
- PKIX_PL_CertPolicyMap *map = NULL;
- PKIX_List *subjectList = NULL;
- PKIX_UInt32 numEntries = 0;
- PKIX_UInt32 index = 0;
- PKIX_Boolean match = PKIX_FALSE;
- PKIX_PL_OID *issuerDomainPolicy = NULL;
- PKIX_PL_OID *subjectDomainPolicy = NULL;
-
- PKIX_ENTER
- (CERTCHAINCHECKER,
- "pkix_PolicyChecker_MapGetSubjectDomainPolicies");
- PKIX_NULLCHECK_TWO(policy, pSubjectDomainPolicies);
-
- if (certPolicyMaps) {
- PKIX_CHECK(PKIX_List_GetLength
- (certPolicyMaps,
- &numEntries,
- plContext),
- PKIX_LISTGETLENGTHFAILED);
- }
-
- for (index = 0; index < numEntries; index++) {
- PKIX_CHECK(PKIX_List_GetItem
- (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_NULLCHECK_ONE(map);
-
- PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
- (map, &issuerDomainPolicy, plContext),
- PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
-
- PKIX_EQUALS
- (policy, issuerDomainPolicy, &match, plContext,
- PKIX_OBJECTEQUALSFAILED);
-
- if (match) {
- if (!subjectList) {
- PKIX_CHECK(PKIX_List_Create(&subjectList, plContext),
- PKIX_LISTCREATEFAILED);
- }
-
- PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
- (map, &subjectDomainPolicy, plContext),
- PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED);
-
- PKIX_CHECK(PKIX_List_AppendItem
- (subjectList,
- (PKIX_PL_Object *)subjectDomainPolicy,
- plContext),
- PKIX_LISTAPPENDITEMFAILED);
- }
-
- PKIX_DECREF(map);
- PKIX_DECREF(issuerDomainPolicy);
- PKIX_DECREF(subjectDomainPolicy);
- }
-
- if (subjectList) {
- PKIX_CHECK(PKIX_List_SetImmutable(subjectList, plContext),
- PKIX_LISTSETIMMUTABLEFAILED);
- }
-
- *pSubjectDomainPolicies = subjectList;
-
-cleanup:
-
- if (PKIX_ERROR_RECEIVED) {
- PKIX_DECREF(subjectList);
- }
-
- PKIX_DECREF(map);
- PKIX_DECREF(issuerDomainPolicy);
- PKIX_DECREF(subjectDomainPolicy);
-
- PKIX_RETURN(CERTCHAINCHECKER);
-}
-
-/*
- * FUNCTION: pkix_PolicyChecker_MapGetMappedPolicies
- * DESCRIPTION:
- *
- * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps" to create a
- * List of all IssuerDomainPolicies, and stores the result in
- * "pMappedPolicies".
- *
- * The caller may not rely on the IssuerDomainPolicies to be in any particular
- * order. IssuerDomainPolicies that appear in more than one CertPolicyMap will
- * only appear once in "pMappedPolicies". If "certPolicyMaps" is empty the
- * result will be an empty List. The created List is mutable.
- *
- * PARAMETERS:
- * "certPolicyMaps"
- * Address of List of CertPolicyMaps to be searched. May be empty, but
- * must be non-NULL.
- * "pMappedPolicies"
- * Address where the result will be stored. Must be non-NULL.
- * "plContext"
- * platform-specific context pointer
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds
- * Returns a CertChainChecker Error if the functions fails in a non-fatal way
- * Returns a Fatal Error if the function fails in an unrecoverable way
- */
-PKIX_Error *
-pkix_PolicyChecker_MapGetMappedPolicies(
- PKIX_List *certPolicyMaps,
- PKIX_List **pMappedPolicies,
- void *plContext)
-{
- PKIX_PL_CertPolicyMap *map = NULL;
- PKIX_List *mappedList = NULL;
- PKIX_UInt32 numEntries = 0;
- PKIX_UInt32 index = 0;
- PKIX_Boolean isContained = PKIX_FALSE;
- PKIX_PL_OID *issuerDomainPolicy = NULL;
-
- PKIX_ENTER
- (CERTCHAINCHECKER, "pkix_PolicyChecker_MapGetMappedPolicies");
- PKIX_NULLCHECK_TWO(certPolicyMaps, pMappedPolicies);
-
- PKIX_CHECK(PKIX_List_Create(&mappedList, plContext),
- PKIX_LISTCREATEFAILED);
-
- PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext),
- PKIX_LISTGETLENGTHFAILED);
-
- for (index = 0; index < numEntries; index++) {
- PKIX_CHECK(PKIX_List_GetItem
- (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_NULLCHECK_ONE(map);
-
- PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
- (map, &issuerDomainPolicy, plContext),
- PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED);
-
- PKIX_CHECK(pkix_List_Contains
- (mappedList,
- (PKIX_PL_Object *)issuerDomainPolicy,
- &isContained,
- plContext),
- PKIX_LISTCONTAINSFAILED);
-
- if (isContained == PKIX_FALSE) {
- PKIX_CHECK(PKIX_List_AppendItem
- (mappedList,
- (PKIX_PL_Object *)issuerDomainPolicy,
- plContext),
- PKIX_LISTAPPENDITEMFAILED);
- }
-
- PKIX_DECREF(map);
- PKIX_DECREF(issuerDomainPolicy);
- }
-
- *pMappedPolicies = mappedList;
-
-cleanup:
-
- if (PKIX_ERROR_RECEIVED) {
- PKIX_DECREF(mappedList);
- }
-
- PKIX_DECREF(map);
- PKIX_DECREF(issuerDomainPolicy);
-
- PKIX_RETURN(CERTCHAINCHECKER);
-}
-
-/*
- * FUNCTION: pkix_PolicyChecker_MakeMutableCopy
- * DESCRIPTION:
- *
- * Creates a mutable copy of the List pointed to by "list", which may or may
- * not be immutable, and stores the address at "pMutableCopy".
- *
- * PARAMETERS:
- * "list"
- * Address of List to be copied. Must be non-NULL.
- * "pMutableCopy"
- * Address where mutable copy will be stored. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds
- * Returns a CertChainChecker Error if the functions fails in a non-fatal way
- * Returns a Fatal Error if the function fails in an unrecoverable way
- */
-static PKIX_Error *
-pkix_PolicyChecker_MakeMutableCopy(
- PKIX_List *list,
- PKIX_List **pMutableCopy,
- void *plContext)
-{
- PKIX_List *newList = NULL;
- PKIX_UInt32 listLen = 0;
- PKIX_UInt32 listIx = 0;
- PKIX_PL_Object *object = NULL;
-
- PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeMutableCopy");
- PKIX_NULLCHECK_TWO(list, pMutableCopy);
-
- PKIX_CHECK(PKIX_List_Create(&newList, plContext),
- PKIX_LISTCREATEFAILED);
-
- PKIX_CHECK(PKIX_List_GetLength(list, &listLen, plContext),
- PKIX_LISTGETLENGTHFAILED);
-
- for (listIx = 0; listIx < listLen; listIx++) {
-
- PKIX_CHECK(PKIX_List_GetItem(list, listIx, &object, plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_CHECK(PKIX_List_AppendItem(newList, object, plContext),
- PKIX_LISTAPPENDITEMFAILED);
-
- PKIX_DECREF(object);
- }
-
- *pMutableCopy = newList;
- newList = NULL;
-
-cleanup:
- PKIX_DECREF(newList);
- PKIX_DECREF(object);
-
- PKIX_RETURN(CERTCHAINCHECKER);
-}
-
-/*
- * FUNCTION: pkix_PolicyChecker_MakeSingleton
- * DESCRIPTION:
- *
- * Creates a new List containing the Object pointed to by "listItem", using
- * the Boolean value of "immutability" to determine whether to set the List
- * immutable, and stores the address at "pList".
- *
- * PARAMETERS:
- * "listItem"
- * Address of Object to be inserted into the new List. Must be non-NULL.
- * "immutability"
- * Boolean value indicating whether new List is to be immutable
- * "pList"
- * Address where List will be stored. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds
- * Returns a CertChainChecker Error if the functions fails in a non-fatal way
- * Returns a Fatal Error if the function fails in an unrecoverable way
- */
-static PKIX_Error *
-pkix_PolicyChecker_MakeSingleton(
- PKIX_PL_Object *listItem,
- PKIX_Boolean immutability,
- PKIX_List **pList,
- void *plContext)
-{
- PKIX_List *newList = NULL;
-
- PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeSingleton");
- PKIX_NULLCHECK_TWO(listItem, pList);
-
- PKIX_CHECK(PKIX_List_Create(&newList, plContext),
- PKIX_LISTCREATEFAILED);
-
- PKIX_CHECK(PKIX_List_AppendItem
- (newList, (PKIX_PL_Object *)listItem, plContext),
- PKIX_LISTAPPENDITEMFAILED);
-
- if (immutability) {
- PKIX_CHECK(PKIX_List_SetImmutable(newList, plContext),
- PKIX_LISTSETIMMUTABLEFAILED);
- }
-
- *pList = newList;
-
-cleanup:
- if (PKIX_ERROR_RECEIVED) {
- PKIX_DECREF(newList);
- }
-
- PKIX_RETURN(CERTCHAINCHECKER);
-}
-
-/*
- * FUNCTION: pkix_PolicyChecker_Spawn
- * DESCRIPTION:
- *
- * Creates a new childNode for the parent pointed to by "parent", using
- * the OID pointed to by "policyOID", the List of CertPolicyQualifiers
- * pointed to by "qualifiers", the List of OIDs pointed to by
- * "subjectDomainPolicies", and the PolicyCheckerState pointed to by
- * "state". The new node will be added to "parent".
- *
- * The validPolicy of the new node is set from the OID pointed to by
- * "policyOID". The policy qualifiers for the new node is set from the
- * List of qualifiers pointed to by "qualifiers", and may be NULL or
- * empty if the argument provided was NULL or empty. The criticality is
- * set according to the criticality obtained from the PolicyCheckerState.
- * If "subjectDomainPolicies" is NULL, the expectedPolicySet of the
- * child is set to contain the same policy as the validPolicy. If
- * "subjectDomainPolicies" is not NULL, it is used as the value for
- * the expectedPolicySet.
- *
- * The PolicyCheckerState also contains a constant, anyPolicy, which is
- * compared to "policyOID". If they match, the address of the childNode
- * is saved in the state's newAnyPolicyNode.
- *
- * PARAMETERS:
- * "parent"
- * Address of PolicyNode to which the child will be linked. Must be
- * non-NULL.
- * "policyOID"
- * Address of OID of the new child's validPolicy and also, if
- * subjectDomainPolicies is NULL, of the new child's expectedPolicySet.
- * Must be non-NULL.
- * "qualifiers"
- * Address of List of CertPolicyQualifiers. May be NULL or empty.
- * "subjectDomainPolicies"
- * Address of List of OIDs indicating the policies to which "policy" is
- * mapped. May be empty or NULL.
- * "state"
- * Address of the current PKIX_PolicyCheckerState. Must be non-NULL..
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds
- * Returns a CertChainChecker Error if the functions fails in a non-fatal way
- * Returns a Fatal Error if the function fails in an unrecoverable way
- */
-static PKIX_Error *
-pkix_PolicyChecker_Spawn(
- PKIX_PolicyNode *parent,
- PKIX_PL_OID *policyOID,
- PKIX_List *qualifiers, /* CertPolicyQualifiers */
- PKIX_List *subjectDomainPolicies,
- PKIX_PolicyCheckerState *state,
- void *plContext)
-{
- PKIX_List *expectedSet = NULL; /* OIDs */
- PKIX_PolicyNode *childNode = NULL;
- PKIX_Boolean match = PKIX_FALSE;
-
- PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Spawn");
- PKIX_NULLCHECK_THREE(policyOID, parent, state);
-
- if (subjectDomainPolicies) {
-
- PKIX_INCREF(subjectDomainPolicies);
- expectedSet = subjectDomainPolicies;
-
- } else {
- /* Create the child's ExpectedPolicy Set */
- PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
- ((PKIX_PL_Object *)policyOID,
- PKIX_TRUE, /* make expectedPolicySet immutable */
- &expectedSet,
- plContext),
- PKIX_POLICYCHECKERMAKESINGLETONFAILED);
- }
-
- PKIX_CHECK(pkix_PolicyNode_Create
- (policyOID,
- qualifiers,
- state->certPoliciesCritical,
- expectedSet,
- &childNode,
- plContext),
- PKIX_POLICYNODECREATEFAILED);
-
- /*
- * If we had a non-empty mapping, we know the new node could not
- * have been created with a validPolicy of anyPolicy. Otherwise,
- * check whether we just created a new node with anyPolicy, because
- * in that case we want to save the child pointer in newAnyPolicyNode.
- */
- if (!subjectDomainPolicies) {
- PKIX_EQUALS(policyOID, state->anyPolicyOID, &match, plContext,
- PKIX_OBJECTEQUALSFAILED);
-
- if (match) {
- PKIX_DECREF(state->newAnyPolicyNode);
- PKIX_INCREF(childNode);
- state->newAnyPolicyNode = childNode;
- }
- }
-
- PKIX_CHECK(pkix_PolicyNode_AddToParent(parent, childNode, plContext),
- PKIX_POLICYNODEADDTOPARENTFAILED);
-
- PKIX_CHECK(PKIX_PL_Object_InvalidateCache
- ((PKIX_PL_Object *)state, plContext),
- PKIX_OBJECTINVALIDATECACHEFAILED);
-
-cleanup:
- PKIX_DECREF(childNode);
- PKIX_DECREF(expectedSet);
- PKIX_RETURN(CERTCHAINCHECKER);
-}
-
-/*
- * FUNCTION: pkix_PolicyChecker_CheckPolicyRecursive
- * DESCRIPTION:
- *
- * Performs policy processing for the policy whose OID is pointed to by
- * "policyOID" and whose List of CertPolicyQualifiers is pointed to by
- * "policyQualifiers", using the List of policy OIDs pointed to by
- * "subjectDomainPolicies" and the PolicyNode pointed to by "currentNode",
- * in accordance with the current PolicyCheckerState pointed to by "state",
- * and setting "pChildNodeCreated" to TRUE if a new childNode is created.
- * Note: "pChildNodeCreated" is not set to FALSE if no childNode is created.
- * The intent of the design is that the caller can set a variable to FALSE
- * initially, prior to a recursive set of calls. At the end, the variable
- * can be tested to see whether *any* of the calls created a child node.
- *
- * If the currentNode is not at the bottom of the tree, this function
- * calls itself recursively for each child of currentNode. At the bottom of
- * the tree, it creates new child nodes as appropriate. This function will
- * never be called with policy = anyPolicy.
- *
- * This function implements the processing described in RFC3280
- * Section 6.1.3(d)(1)(i).
- *
- * PARAMETERS:
- * "policyOID"
- * Address of OID of the policy to be checked for. Must be non-NULL.
- * "policyQualifiers"
- * Address of List of CertPolicyQualifiers of the policy to be checked for.
- * May be empty or NULL.
- * "subjectDomainPolicies"
- * Address of List of OIDs indicating the policies to which "policy" is
- * mapped. May be empty or NULL.
- * "currentNode"
- * Address of PolicyNode whose descendants will be checked, if not at the
- * bottom of the tree; or whose expectedPolicySet will be compared to
- * "policy", if at the bottom. Must be non-NULL.
- * "state"
- * Address of PolicyCheckerState of the current PolicyChecker. Must be
- * non-NULL.
- * "pChildNodeCreated"
- * Address of the Boolean that will be set TRUE if this function
- * creates a child node. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds
- * Returns a CertChainChecker Error if the functions fails in a non-fatal way
- * Returns a Fatal Error if the function fails in an unrecoverable way
- */
-static PKIX_Error *
-pkix_PolicyChecker_CheckPolicyRecursive(
- PKIX_PL_OID *policyOID,
- PKIX_List *policyQualifiers,
- PKIX_List *subjectDomainPolicies,
- PKIX_PolicyNode *currentNode,
- PKIX_PolicyCheckerState *state,
- PKIX_Boolean *pChildNodeCreated,
- void *plContext)
-{
- PKIX_UInt32 depth = 0;
- PKIX_UInt32 numChildren = 0;
- PKIX_UInt32 childIx = 0;
- PKIX_Boolean isIncluded = PKIX_FALSE;
- PKIX_List *children = NULL; /* PolicyNodes */
- PKIX_PolicyNode *childNode = NULL;
- PKIX_List *expectedPolicies = NULL; /* OIDs */
-
- PKIX_ENTER
- (CERTCHAINCHECKER,
- "pkix_PolicyChecker_CheckPolicyRecursive");
- PKIX_NULLCHECK_FOUR(policyOID, currentNode, state, pChildNodeCreated);
-
- /* if not at the bottom of the tree */
- PKIX_CHECK(PKIX_PolicyNode_GetDepth
- (currentNode, &depth, plContext),
- PKIX_POLICYNODEGETDEPTHFAILED);
-
- if (depth < (state->certsProcessed)) {
- PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
- (currentNode, &children, plContext),
- PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
-
- if (children) {
- PKIX_CHECK(PKIX_List_GetLength
- (children, &numChildren, plContext),
- PKIX_LISTGETLENGTHFAILED);
- }
-
- for (childIx = 0; childIx < numChildren; childIx++) {
-
- PKIX_CHECK(PKIX_List_GetItem
- (children,
- childIx,
- (PKIX_PL_Object **)&childNode,
- plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive
- (policyOID,
- policyQualifiers,
- subjectDomainPolicies,
- childNode,
- state,
- pChildNodeCreated,
- plContext),
- PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED);
-
- PKIX_DECREF(childNode);
- }
- } else { /* if at the bottom of the tree */
-
- /* Check whether policy is in this node's expectedPolicySet */
- PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies
- (currentNode, &expectedPolicies, plContext),
- PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED);
-
- PKIX_NULLCHECK_ONE(expectedPolicies);
-
- PKIX_CHECK(pkix_List_Contains
- (expectedPolicies,
- (PKIX_PL_Object *)policyOID,
- &isIncluded,
- plContext),
- PKIX_LISTCONTAINSFAILED);
-
- if (isIncluded) {
- PKIX_CHECK(pkix_PolicyChecker_Spawn
- (currentNode,
- policyOID,
- policyQualifiers,
- subjectDomainPolicies,
- state,
- plContext),
- PKIX_POLICYCHECKERSPAWNFAILED);
-
- *pChildNodeCreated = PKIX_TRUE;
- }
- }
-
-cleanup:
-
- PKIX_DECREF(children);
- PKIX_DECREF(childNode);
- PKIX_DECREF(expectedPolicies);
-
- PKIX_RETURN(CERTCHAINCHECKER);
-}
-
-/*
- * FUNCTION: pkix_PolicyChecker_CheckPolicy
- * DESCRIPTION:
- *
- * Performs the non-recursive portion of the policy processing for the policy
- * whose OID is pointed to by "policyOID" and whose List of
- * CertPolicyQualifiers is pointed to by "policyQualifiers", for the
- * Certificate pointed to by "cert" with the List of CertPolicyMaps pointed
- * to by "maps", in accordance with the current PolicyCheckerState pointed
- * to by "state".
- *
- * This function implements the processing described in RFC3280
- * Section 6.1.3(d)(1)(i).
- *
- * PARAMETERS:
- * "policyOID"
- * Address of OID of the policy to be checked for. Must be non-NULL.
- * "policyQualifiers"
- * Address of List of CertPolicyQualifiers of the policy to be checked for.
- * May be empty or NULL.
- * "cert"
- * Address of the current certificate. Must be non-NULL.
- * "maps"
- * Address of List of CertPolicyMaps for the current certificate
- * "state"
- * Address of PolicyCheckerState of the current PolicyChecker. Must be
- * non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds
- * Returns a CertChainChecker Error if the functions fails in a non-fatal way
- * Returns a Fatal Error if the function fails in an unrecoverable way
- */
-static PKIX_Error *
-pkix_PolicyChecker_CheckPolicy(
- PKIX_PL_OID *policyOID,
- PKIX_List *policyQualifiers,
- PKIX_PL_Cert *cert,
- PKIX_List *maps,
- PKIX_PolicyCheckerState *state,
- void *plContext)
-{
- PKIX_Boolean childNodeCreated = PKIX_FALSE;
- PKIX_Boolean okToSpawn = PKIX_FALSE;
- PKIX_Boolean found = PKIX_FALSE;
- PKIX_List *subjectDomainPolicies = NULL;
-
- PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckPolicy");
- PKIX_NULLCHECK_THREE(policyOID, cert, state);
-
- /*
- * If this is not the last certificate, get the set of
- * subjectDomainPolicies that "policy" maps to, according to the
- * current cert's policy mapping extension. That set will be NULL
- * if the current cert does not have a policy mapping extension,
- * or if the current policy is not mapped.
- */
- if (state->certsProcessed != (state->numCerts - 1)) {
- PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
- (maps, policyOID, &subjectDomainPolicies, plContext),
- PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
- }
-
- /*
- * Section 6.1.4(b)(2) tells us that if policyMapping is zero, we
- * will have to delete any nodes created with validPolicies equal to
- * policies that appear as issuerDomainPolicies in a policy mapping
- * extension. Let's avoid creating any such nodes.
- */
- if ((state->policyMapping) == 0) {
- if (subjectDomainPolicies) {
- goto cleanup;
- }
- }
-
- PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive
- (policyOID,
- policyQualifiers,
- subjectDomainPolicies,
- state->validPolicyTree,
- state,
- &childNodeCreated,
- plContext),
- PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED);
-
- if (!childNodeCreated) {
- /*
- * Section 6.1.3(d)(1)(ii)
- * There was no match. If there was a node at
- * depth i-1 with valid policy anyPolicy,
- * generate a node subordinate to that.
- *
- * But that means this created node would be in
- * the valid-policy-node-set, and will be
- * pruned in 6.1.5(g)(iii)(2) unless it is in
- * the user-initial-policy-set or the user-
- * initial-policy-set is {anyPolicy}. So check,
- * and don't create it if it will be pruned.
- */
- if (state->anyPolicyNodeAtBottom) {
- if (state->initialIsAnyPolicy) {
- okToSpawn = PKIX_TRUE;
- } else {
- PKIX_CHECK(pkix_List_Contains
- (state->mappedUserInitialPolicySet,
- (PKIX_PL_Object *)policyOID,
- &okToSpawn,
- plContext),
- PKIX_LISTCONTAINSFAILED);
- }
- if (okToSpawn) {
- PKIX_CHECK(pkix_PolicyChecker_Spawn
- (state->anyPolicyNodeAtBottom,
- policyOID,
- policyQualifiers,
- subjectDomainPolicies,
- state,
- plContext),
- PKIX_POLICYCHECKERSPAWNFAILED);
- childNodeCreated = PKIX_TRUE;
- }
- }
- }
-
- if (childNodeCreated) {
- /*
- * If this policy had qualifiers, and the certificate policies
- * extension was marked critical, and the user cannot deal with
- * policy qualifiers, throw an error.
- */
- if (policyQualifiers &&
- state->certPoliciesCritical &&
- state->policyQualifiersRejected) {
- PKIX_ERROR
- (PKIX_QUALIFIERSINCRITICALCERTIFICATEPOLICYEXTENSION);
- }
- /*
- * If the policy we just propagated was in the list of mapped
- * policies, remove it from the list. That list is used, at the
- * end, to determine policies that have not been propagated.
- */
- if (state->mappedPolicyOIDs) {
- PKIX_CHECK(pkix_List_Contains
- (state->mappedPolicyOIDs,
- (PKIX_PL_Object *)policyOID,
- &found,
- plContext),
- PKIX_LISTCONTAINSFAILED);
- if (found) {
- PKIX_CHECK(pkix_List_Remove
- (state->mappedPolicyOIDs,
- (PKIX_PL_Object *)policyOID,
- plContext),
- PKIX_LISTREMOVEFAILED);
- }
- }
- }
-
-cleanup:
-
- PKIX_DECREF(subjectDomainPolicies);
-
- PKIX_RETURN(CERTCHAINCHECKER);
-}
-
-/*
- * FUNCTION: pkix_PolicyChecker_CheckAny
- * DESCRIPTION:
- * Performs the creation of PolicyNodes, for the PolicyNode pointed to by
- * "currentNode" and PolicyNodes subordinate to it, using the List of
- * qualifiers pointed to by "qualsOfAny", in accordance with the current
- * certificate's PolicyMaps pointed to by "policyMaps" and the current
- * PolicyCheckerState pointed to by "state".
- *
- * If the currentNode is not just above the bottom of the validPolicyTree, this
- * function calls itself recursively for each child of currentNode. At the
- * level just above the bottom, for each policy in the currentNode's
- * expectedPolicySet not already present in a child node, it creates a new
- * child node. The validPolicy of the child created, and its expectedPolicySet,
- * will be the policy from the currentNode's expectedPolicySet. The policy
- * qualifiers will be the qualifiers from the current certificate's anyPolicy,
- * the "qualsOfAny" parameter. If the currentNode's expectedSet includes
- * anyPolicy, a childNode will be created with a policy of anyPolicy. This is
- * the only way such a node can be created.
- *
- * This function is called only when anyPolicy is one of the current
- * certificate's policies. This function implements the processing described
- * in RFC3280 Section 6.1.3(d)(2).
- *
- * PARAMETERS:
- * "currentNode"
- * Address of PolicyNode whose descendants will be checked, if not at the
- * bottom of the tree; or whose expectedPolicySet will be compared to those
- * in "alreadyPresent", if at the bottom. Must be non-NULL.
- * "qualsOfAny"
- * Address of List of qualifiers of the anyPolicy in the current
- * certificate. May be empty or NULL.
- * "policyMaps"
- * Address of the List of PolicyMaps of the current certificate. May be
- * empty or NULL.
- * "state"
- * Address of the current state of the PKIX_PolicyChecker.
- * Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds
- * Returns a CertChainChecker Error if the functions fails in a non-fatal way
- * Returns a Fatal Error if the function fails in an unrecoverable way
- */
-static PKIX_Error *
-pkix_PolicyChecker_CheckAny(
- PKIX_PolicyNode *currentNode,
- PKIX_List *qualsOfAny, /* CertPolicyQualifiers */
- PKIX_List *policyMaps, /* CertPolicyMaps */
- PKIX_PolicyCheckerState *state,
- void *plContext)
-{
- PKIX_UInt32 depth = 0;
- PKIX_UInt32 numChildren = 0;
- PKIX_UInt32 childIx = 0;
- PKIX_UInt32 numPolicies = 0;
- PKIX_UInt32 polx = 0;
- PKIX_Boolean isIncluded = PKIX_FALSE;
- PKIX_List *children = NULL; /* PolicyNodes */
- PKIX_PolicyNode *childNode = NULL;
- PKIX_List *expectedPolicies = NULL; /* OIDs */
- PKIX_PL_OID *policyOID = NULL;
- PKIX_PL_OID *childPolicy = NULL;
- PKIX_List *subjectDomainPolicies = NULL; /* OIDs */
-
- PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckAny");
- PKIX_NULLCHECK_TWO(currentNode, state);
-
- PKIX_CHECK(PKIX_PolicyNode_GetDepth
- (currentNode, &depth, plContext),
- PKIX_POLICYNODEGETDEPTHFAILED);
-
- PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
- (currentNode, &children, plContext),
- PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
-
- if (children) {
- PKIX_CHECK(PKIX_List_GetLength
- (children, &numChildren, plContext),
- PKIX_LISTGETLENGTHFAILED);
- }
-
- if (depth < (state->certsProcessed)) {
- for (childIx = 0; childIx < numChildren; childIx++) {
-
- PKIX_CHECK(PKIX_List_GetItem
- (children,
- childIx,
- (PKIX_PL_Object **)&childNode,
- plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_NULLCHECK_ONE(childNode);
- PKIX_CHECK(pkix_PolicyChecker_CheckAny
- (childNode,
- qualsOfAny,
- policyMaps,
- state,
- plContext),
- PKIX_POLICYCHECKERCHECKANYFAILED);
-
- PKIX_DECREF(childNode);
- }
- } else { /* if at the bottom of the tree */
-
- PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies
- (currentNode, &expectedPolicies, plContext),
- PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED);
-
- /* Expected Policy Set is not allowed to be NULL */
- PKIX_NULLCHECK_ONE(expectedPolicies);
-
- PKIX_CHECK(PKIX_List_GetLength
- (expectedPolicies, &numPolicies, plContext),
- PKIX_LISTGETLENGTHFAILED);
-
- for (polx = 0; polx < numPolicies; polx++) {
- PKIX_CHECK(PKIX_List_GetItem
- (expectedPolicies,
- polx,
- (PKIX_PL_Object **)&policyOID,
- plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_NULLCHECK_ONE(policyOID);
-
- isIncluded = PKIX_FALSE;
-
- for (childIx = 0;
- (!isIncluded && (childIx < numChildren));
- childIx++) {
-
- PKIX_CHECK(PKIX_List_GetItem
- (children,
- childIx,
- (PKIX_PL_Object **)&childNode,
- plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_NULLCHECK_ONE(childNode);
-
- PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
- (childNode, &childPolicy, plContext),
- PKIX_POLICYNODEGETVALIDPOLICYFAILED);
-
- PKIX_NULLCHECK_ONE(childPolicy);
-
- PKIX_EQUALS(policyOID, childPolicy, &isIncluded, plContext,
- PKIX_OBJECTEQUALSFAILED);
-
- PKIX_DECREF(childNode);
- PKIX_DECREF(childPolicy);
- }
-
- if (!isIncluded) {
- if (policyMaps) {
- PKIX_CHECK
- (pkix_PolicyChecker_MapGetSubjectDomainPolicies
- (policyMaps,
- policyOID,
- &subjectDomainPolicies,
- plContext),
- PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
- }
- PKIX_CHECK(pkix_PolicyChecker_Spawn
- (currentNode,
- policyOID,
- qualsOfAny,
- subjectDomainPolicies,
- state,
- plContext),
- PKIX_POLICYCHECKERSPAWNFAILED);
- PKIX_DECREF(subjectDomainPolicies);
- }
-
- PKIX_DECREF(policyOID);
- }
- }
-
-cleanup:
-
- PKIX_DECREF(children);
- PKIX_DECREF(childNode);
- PKIX_DECREF(expectedPolicies);
- PKIX_DECREF(policyOID);
- PKIX_DECREF(childPolicy);
- PKIX_DECREF(subjectDomainPolicies);
-
- PKIX_RETURN(CERTCHAINCHECKER);
-
-}
-
-/*
- * FUNCTION: pkix_PolicyChecker_CalculateIntersection
- * DESCRIPTION:
- *
- * Processes the PolicyNode pointed to by "currentNode", and its descendants,
- * using the PolicyCheckerState pointed to by "state", using the List at
- * the address pointed to by "nominees" the OIDs of policies that are in the
- * user-initial-policy-set but are not represented among the nodes at the
- * bottom of the tree, and storing at "pShouldBePruned" the value TRUE if
- * currentNode is childless at the end of this processing, FALSE if it has
- * children or is at the bottom of the tree.
- *
- * When this function is called at the top level, "nominees" should be the List
- * of all policies in the user-initial-policy-set. Policies that are
- * represented in the valid-policy-node-set are removed from this List. As a
- * result when nodes are created according to 6.1.5.(g)(iii)(3)(b), a node will
- * be created for each policy remaining in this List.
- *
- * This function implements the calculation of the intersection of the
- * validPolicyTree with the user-initial-policy-set, as described in
- * RFC 3280 6.1.5(g)(iii).
- *
- * PARAMETERS:
- * "currentNode"
- * Address of PolicyNode whose descendants will be processed as described.
- * Must be non-NULL.
- * "state"
- * Address of the current state of the PKIX_PolicyChecker. Must be non-NULL
- * "nominees"
- * Address of List of the OIDs for which nodes should be created to replace
- * anyPolicy nodes. Must be non-NULL but may be empty.
- * "pShouldBePruned"
- * Address where Boolean return value, set to TRUE if this PolicyNode
- * should be deleted, is stored. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds
- * Returns a CertChainChecker Error if the functions fails in a non-fatal way
- * Returns a Fatal Error if the function fails in an unrecoverable way
- */
-static PKIX_Error *
-pkix_PolicyChecker_CalculateIntersection(
- PKIX_PolicyNode *currentNode,
- PKIX_PolicyCheckerState *state,
- PKIX_List *nominees, /* OIDs */
- PKIX_Boolean *pShouldBePruned,
- void *plContext)
-{
- PKIX_Boolean currentPolicyIsAny = PKIX_FALSE;
- PKIX_Boolean parentPolicyIsAny = PKIX_FALSE;
- PKIX_Boolean currentPolicyIsValid = PKIX_FALSE;
- PKIX_Boolean shouldBePruned = PKIX_FALSE;
- PKIX_Boolean priorCriticality = PKIX_FALSE;
- PKIX_UInt32 depth = 0;
- PKIX_UInt32 numChildren = 0;
- PKIX_UInt32 childIndex = 0;
- PKIX_UInt32 numNominees = 0;
- PKIX_UInt32 polIx = 0;
- PKIX_PL_OID *currentPolicy = NULL;
- PKIX_PL_OID *parentPolicy = NULL;
- PKIX_PL_OID *substPolicy = NULL;
- PKIX_PolicyNode *parent = NULL;
- PKIX_PolicyNode *child = NULL;
- PKIX_List *children = NULL; /* PolicyNodes */
- PKIX_List *policyQualifiers = NULL;
-
- PKIX_ENTER
- (CERTCHAINCHECKER,
- "pkix_PolicyChecker_CalculateIntersection");
-
- /*
- * We call this function if the valid_policy_tree is not NULL and
- * the user-initial-policy-set is not any-policy.
- */
- if (!state->validPolicyTree || state->initialIsAnyPolicy) {
- PKIX_ERROR(PKIX_PRECONDITIONFAILED);
- }
-
- PKIX_NULLCHECK_FOUR(currentNode, state, nominees, pShouldBePruned);
-
- PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
- (currentNode, &currentPolicy, plContext),
- PKIX_POLICYNODEGETVALIDPOLICYFAILED);
-
- PKIX_NULLCHECK_TWO(state->anyPolicyOID, currentPolicy);
-
- PKIX_EQUALS
- (state->anyPolicyOID,
- currentPolicy,
- &currentPolicyIsAny,
- plContext,
- PKIX_OBJECTEQUALSFAILED);
-
- PKIX_CHECK(PKIX_PolicyNode_GetParent(currentNode, &parent, plContext),
- PKIX_POLICYNODEGETPARENTFAILED);
-
- if (currentPolicyIsAny == PKIX_FALSE) {
-
- /*
- * If we are at the top of the tree, or if our
- * parent's validPolicy is anyPolicy, we are in
- * the valid policy node set.
- */
- if (parent) {
- PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy
- (parent, &parentPolicy, plContext),
- PKIX_POLICYNODEGETVALIDPOLICYFAILED);
-
- PKIX_NULLCHECK_ONE(parentPolicy);
-
- PKIX_EQUALS
- (state->anyPolicyOID,
- parentPolicy,
- &parentPolicyIsAny,
- plContext,
- PKIX_OBJECTEQUALSFAILED);
- }
-
- /*
- * Section 6.1.5(g)(iii)(2)
- * If this node's policy is not in the user-initial-policy-set,
- * it is not in the intersection. Prune it.
- */
- if (!parent || parentPolicyIsAny) {
- PKIX_CHECK(pkix_List_Contains
- (state->userInitialPolicySet,
- (PKIX_PL_Object *)currentPolicy,
- &currentPolicyIsValid,
- plContext),
- PKIX_LISTCONTAINSFAILED);
- if (!currentPolicyIsValid) {
- *pShouldBePruned = PKIX_TRUE;
- goto cleanup;
- }
-
- /*
- * If this node's policy is in the user-initial-policy-
- * set, it will propagate that policy into the next
- * level of the tree. Remove the policy from the list
- * of policies that an anyPolicy will spawn.
- */
- PKIX_CHECK(pkix_List_Remove
- (nominees,
- (PKIX_PL_Object *)currentPolicy,
- plContext),
- PKIX_LISTREMOVEFAILED);
- }
- }
-
-
- /* Are we at the bottom of the tree? */
-
- PKIX_CHECK(PKIX_PolicyNode_GetDepth
- (currentNode, &depth, plContext),
- PKIX_POLICYNODEGETDEPTHFAILED);
-
- if (depth == (state->numCerts)) {
- /*
- * Section 6.1.5(g)(iii)(3)
- * Replace anyPolicy nodes...
- */
- if (currentPolicyIsAny == PKIX_TRUE) {
-
- /* replace this node */
-
- PKIX_CHECK(PKIX_List_GetLength
- (nominees, &numNominees, plContext),
- PKIX_LISTGETLENGTHFAILED);
-
- if (numNominees) {
-
- PKIX_CHECK(PKIX_PolicyNode_GetPolicyQualifiers
- (currentNode,
- &policyQualifiers,
- plContext),
- PKIX_POLICYNODEGETPOLICYQUALIFIERSFAILED);
-
- PKIX_CHECK(PKIX_PolicyNode_IsCritical
- (currentNode, &priorCriticality, plContext),
- PKIX_POLICYNODEISCRITICALFAILED);
- }
-
- PKIX_NULLCHECK_ONE(parent);
-
- for (polIx = 0; polIx < numNominees; polIx++) {
-
- PKIX_CHECK(PKIX_List_GetItem
- (nominees,
- polIx,
- (PKIX_PL_Object **)&substPolicy,
- plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_CHECK(pkix_PolicyChecker_Spawn
- (parent,
- substPolicy,
- policyQualifiers,
- NULL,
- state,
- plContext),
- PKIX_POLICYCHECKERSPAWNFAILED);
-
- PKIX_DECREF(substPolicy);
-
- }
- /* remove currentNode from parent */
- *pShouldBePruned = PKIX_TRUE;
- /*
- * We can get away with augmenting the parent's List
- * of children because we started at the end and went
- * toward the beginning. New nodes are added at the end.
- */
- }
- } else {
- /*
- * Section 6.1.5(g)(iii)(4)
- * Prune any childless nodes above the bottom level
- */
- PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable
- (currentNode, &children, plContext),
- PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED);
-
- /* CurrentNode should have been pruned if childless. */
- PKIX_NULLCHECK_ONE(children);
-
- PKIX_CHECK(PKIX_List_GetLength
- (children, &numChildren, plContext),
- PKIX_LISTGETLENGTHFAILED);
-
- for (childIndex = numChildren; childIndex > 0; childIndex--) {
-
- PKIX_CHECK(PKIX_List_GetItem
- (children,
- childIndex - 1,
- (PKIX_PL_Object **)&child,
- plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection
- (child, state, nominees, &shouldBePruned, plContext),
- PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED);
-
- if (PKIX_TRUE == shouldBePruned) {
-
- PKIX_CHECK(PKIX_List_DeleteItem
- (children, childIndex - 1, plContext),
- PKIX_LISTDELETEITEMFAILED);
- PKIX_CHECK(PKIX_PL_Object_InvalidateCache
- ((PKIX_PL_Object *)state, plContext),
- PKIX_OBJECTINVALIDATECACHEFAILED);
- }
-
- PKIX_DECREF(child);
- }
-
- PKIX_CHECK(PKIX_List_GetLength
- (children, &numChildren, plContext),
- PKIX_LISTGETLENGTHFAILED);
-
- if (numChildren == 0) {
- *pShouldBePruned = PKIX_TRUE;
- }
- }
-cleanup:
- PKIX_DECREF(currentPolicy);
- PKIX_DECREF(parentPolicy);
- PKIX_DECREF(substPolicy);
- PKIX_DECREF(parent);
- PKIX_DECREF(child);
- PKIX_DECREF(children);
- PKIX_DECREF(policyQualifiers);
-
- PKIX_RETURN(CERTCHAINCHECKER);
-
-}
-
-/*
- * FUNCTION: pkix_PolicyChecker_PolicyMapProcessing
- * DESCRIPTION:
- *
- * Performs the processing of Policies in the List of CertPolicyMaps pointed
- * to by "policyMaps", using and updating the PolicyCheckerState pointed to by
- * "state".
- *
- * This function implements the policyMap processing described in RFC3280
- * Section 6.1.4(b)(1), after certificate i has been processed, in preparation
- * for certificate i+1. Section references are to that document.
- *
- * PARAMETERS:
- * "policyMaps"
- * Address of the List of CertPolicyMaps presented by certificate i.
- * Must be non-NULL.
- * "certPoliciesIncludeAny"
- * Boolean value which is PKIX_TRUE if the current certificate asserts
- * anyPolicy, PKIX_FALSE otherwise.
- * "qualsOfAny"
- * Address of List of qualifiers of the anyPolicy in the current
- * certificate. May be empty or NULL.
- * "state"
- * Address of the current state of the PKIX_PolicyChecker.
- * Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds
- * Returns a CertChainChecker Error if the functions fails in a non-fatal way
- * Returns a Fatal Error if the function fails in an unrecoverable way
- */
-static PKIX_Error *
-pkix_PolicyChecker_PolicyMapProcessing(
- PKIX_List *policyMaps, /* CertPolicyMaps */
- PKIX_Boolean certPoliciesIncludeAny,
- PKIX_List *qualsOfAny,
- PKIX_PolicyCheckerState *state,
- void *plContext)
-{
- PKIX_UInt32 numPolicies = 0;
- PKIX_UInt32 polX = 0;
- PKIX_PL_OID *policyOID = NULL;
- PKIX_List *newMappedPolicies = NULL; /* OIDs */
- PKIX_List *subjectDomainPolicies = NULL; /* OIDs */
-
- PKIX_ENTER
- (CERTCHAINCHECKER,
- "pkix_PolicyChecker_PolicyMapProcessing");
- PKIX_NULLCHECK_THREE
- (policyMaps,
- state,
- state->mappedUserInitialPolicySet);
-
- /*
- * For each policy in mappedUserInitialPolicySet, if it is not mapped,
- * append it to new policySet; if it is mapped, append its
- * subjectDomainPolicies to new policySet. When done, this new
- * policySet will replace mappedUserInitialPolicySet.
- */
- PKIX_CHECK(PKIX_List_Create
- (&newMappedPolicies, plContext),
- PKIX_LISTCREATEFAILED);
-
- PKIX_CHECK(PKIX_List_GetLength
- (state->mappedUserInitialPolicySet,
- &numPolicies,
- plContext),
- PKIX_LISTGETLENGTHFAILED);
-
- for (polX = 0; polX < numPolicies; polX++) {
-
- PKIX_CHECK(PKIX_List_GetItem
- (state->mappedUserInitialPolicySet,
- polX,
- (PKIX_PL_Object **)&policyOID,
- plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
- (policyMaps,
- policyOID,
- &subjectDomainPolicies,
- plContext),
- PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
-
- if (subjectDomainPolicies) {
-
- PKIX_CHECK(pkix_List_AppendUnique
- (newMappedPolicies,
- subjectDomainPolicies,
- plContext),
- PKIX_LISTAPPENDUNIQUEFAILED);
-
- PKIX_DECREF(subjectDomainPolicies);
-
- } else {
- PKIX_CHECK(PKIX_List_AppendItem
- (newMappedPolicies,
- (PKIX_PL_Object *)policyOID,
- plContext),
- PKIX_LISTAPPENDITEMFAILED);
- }
- PKIX_DECREF(policyOID);
- }
-
- /*
- * For each policy ID-P remaining in mappedPolicyOIDs, it has not been
- * propagated to the bottom of the tree (depth i). If policyMapping
- * is greater than zero and this cert contains anyPolicy and the tree
- * contains an anyPolicy node at depth i-1, then we must create a node
- * with validPolicy ID-P, the policy qualifiers of anyPolicy in
- * this certificate, and expectedPolicySet the subjectDomainPolicies
- * that ID-P maps to. We also then add those subjectDomainPolicies to
- * the list of policies that will be accepted in the next certificate,
- * the mappedUserInitialPolicySet.
- */
-
- if ((state->policyMapping > 0) && (certPoliciesIncludeAny) &&
- (state->anyPolicyNodeAtBottom) && (state->mappedPolicyOIDs)) {
-
- PKIX_CHECK(PKIX_List_GetLength
- (state->mappedPolicyOIDs,
- &numPolicies,
- plContext),
- PKIX_LISTGETLENGTHFAILED);
-
- for (polX = 0; polX < numPolicies; polX++) {
-
- PKIX_CHECK(PKIX_List_GetItem
- (state->mappedPolicyOIDs,
- polX,
- (PKIX_PL_Object **)&policyOID,
- plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies
- (policyMaps,
- policyOID,
- &subjectDomainPolicies,
- plContext),
- PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED);
-
- PKIX_CHECK(pkix_PolicyChecker_Spawn
- (state->anyPolicyNodeAtBottom,
- policyOID,
- qualsOfAny,
- subjectDomainPolicies,
- state,
- plContext),
- PKIX_POLICYCHECKERSPAWNFAILED);
-
- PKIX_CHECK(pkix_List_AppendUnique
- (newMappedPolicies,
- subjectDomainPolicies,
- plContext),
- PKIX_LISTAPPENDUNIQUEFAILED);
-
- PKIX_DECREF(subjectDomainPolicies);
- PKIX_DECREF(policyOID);
- }
- }
-
- PKIX_CHECK(PKIX_List_SetImmutable(newMappedPolicies, plContext),
- PKIX_LISTSETIMMUTABLEFAILED);
-
- PKIX_DECREF(state->mappedUserInitialPolicySet);
- PKIX_INCREF(newMappedPolicies);
-
- state->mappedUserInitialPolicySet = newMappedPolicies;
-
-cleanup:
-
- PKIX_DECREF(policyOID);
- PKIX_DECREF(newMappedPolicies);
- PKIX_DECREF(subjectDomainPolicies);
-
- PKIX_RETURN(CERTCHAINCHECKER);
-}
-
-/*
- * FUNCTION: pkix_PolicyChecker_WrapUpProcessing
- * DESCRIPTION:
- *
- * Performs the wrap-up processing for the Cert pointed to by "cert",
- * using and updating the PolicyCheckerState pointed to by "state".
- *
- * This function implements the wrap-up processing described in RFC3280
- * Section 6.1.5, after the final certificate has been processed. Section
- * references in the comments are to that document.
- *
- * PARAMETERS:
- * "cert"
- * Address of the current (presumably the end entity) certificate.
- * Must be non-NULL.
- * "state"
- * Address of the current state of the PKIX_PolicyChecker.
- * Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds
- * Returns a CertChainChecker Error if the functions fails in a non-fatal way
- * Returns a Fatal Error if the function fails in an unrecoverable way
- */
-static PKIX_Error *
-pkix_PolicyChecker_WrapUpProcessing(
- PKIX_PL_Cert *cert,
- PKIX_PolicyCheckerState *state,
- void *plContext)
-{
- PKIX_Int32 explicitPolicySkipCerts = 0;
- PKIX_Boolean isSelfIssued = PKIX_FALSE;
- PKIX_Boolean shouldBePruned = PKIX_FALSE;
- PKIX_List *nominees = NULL; /* OIDs */
-#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
- PKIX_PL_String *stateString = NULL;
- char *stateAscii = NULL;
- PKIX_UInt32 length;
-#endif
-
- PKIX_ENTER
- (CERTCHAINCHECKER,
- "pkix_PolicyChecker_WrapUpProcessing");
- PKIX_NULLCHECK_THREE(cert, state, state->userInitialPolicySet);
-
-#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
- PKIX_CHECK(PKIX_PL_Object_ToString
- ((PKIX_PL_Object*)state, &stateString, plContext),
- PKIX_OBJECTTOSTRINGFAILED);
-
- PKIX_CHECK(PKIX_PL_String_GetEncoded
- (stateString,
- PKIX_ESCASCII,
- (void **)&stateAscii,
- &length,
- plContext),
- PKIX_STRINGGETENCODEDFAILED);
-
- PKIX_DEBUG_ARG("%s\n", stateAscii);
-
- PKIX_FREE(stateAscii);
- PKIX_DECREF(stateString);
-#endif
-
- /* Section 6.1.5(a) ... */
- PKIX_CHECK(pkix_IsCertSelfIssued
- (cert, &isSelfIssued, plContext),
- PKIX_ISCERTSELFISSUEDFAILED);
-
- if (!isSelfIssued) {
- if (state->explicitPolicy > 0) {
-
- state->explicitPolicy--;
-
- PKIX_CHECK(PKIX_PL_Object_InvalidateCache
- ((PKIX_PL_Object *)state, plContext),
- PKIX_OBJECTINVALIDATECACHEFAILED);
- }
- }
-
- /* Section 6.1.5(b) ... */
- PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy
- (cert, &explicitPolicySkipCerts, plContext),
- PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED);
-
- if (explicitPolicySkipCerts == 0) {
- state->explicitPolicy = 0;
- }
-
- /* Section 6.1.5(g)(i) ... */
-
- if (!(state->validPolicyTree)) {
- goto cleanup;
- }
-
- /* Section 6.1.5(g)(ii) ... */
-
- if (state->initialIsAnyPolicy) {
- goto cleanup;
- }
-
- /*
- * Section 6.1.5(g)(iii) ...
- * Create a list of policies which could be substituted for anyPolicy.
- * Start with a (mutable) copy of user-initial-policy-set.
- */
- PKIX_CHECK(pkix_PolicyChecker_MakeMutableCopy
- (state->userInitialPolicySet, &nominees, plContext),
- PKIX_POLICYCHECKERMAKEMUTABLECOPYFAILED);
-
- PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection
- (state->validPolicyTree, /* node at top of tree */
- state,
- nominees,
- &shouldBePruned,
- plContext),
- PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED);
-
- if (PKIX_TRUE == shouldBePruned) {
- PKIX_DECREF(state->validPolicyTree);
- }
-
- if (state->validPolicyTree) {
- PKIX_CHECK(PKIX_PL_Object_InvalidateCache
- ((PKIX_PL_Object *)state->validPolicyTree, plContext),
- PKIX_OBJECTINVALIDATECACHEFAILED);
- }
-
- PKIX_CHECK(PKIX_PL_Object_InvalidateCache
- ((PKIX_PL_Object *)state, plContext),
- PKIX_OBJECTINVALIDATECACHEFAILED);
-
-#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
- if (state->validPolicyTree) {
- PKIX_CHECK(PKIX_PL_Object_ToString
- ((PKIX_PL_Object*)state, &stateString, plContext),
- PKIX_OBJECTTOSTRINGFAILED);
-
- PKIX_CHECK(PKIX_PL_String_GetEncoded
- (stateString,
- PKIX_ESCASCII,
- (void **)&stateAscii,
- &length,
- plContext),
- PKIX_STRINGGETENCODEDFAILED);
-
- PKIX_DEBUG_ARG
- ("After CalculateIntersection:\n%s\n", stateAscii);
-
- PKIX_FREE(stateAscii);
- PKIX_DECREF(stateString);
- } else {
- PKIX_DEBUG("validPolicyTree is NULL\n");
- }
-#endif
-
- /* Section 6.1.5(g)(iii)(4) ... */
-
- if (state->validPolicyTree) {
-
- PKIX_CHECK(pkix_PolicyNode_Prune
- (state->validPolicyTree,
- state->numCerts,
- &shouldBePruned,
- plContext),
- PKIX_POLICYNODEPRUNEFAILED);
-
- if (shouldBePruned) {
- PKIX_DECREF(state->validPolicyTree);
- }
- }
-
- if (state->validPolicyTree) {
- PKIX_CHECK(PKIX_PL_Object_InvalidateCache
- ((PKIX_PL_Object *)state->validPolicyTree, plContext),
- PKIX_OBJECTINVALIDATECACHEFAILED);
- }
-
- PKIX_CHECK(PKIX_PL_Object_InvalidateCache
- ((PKIX_PL_Object *)state, plContext),
- PKIX_OBJECTINVALIDATECACHEFAILED);
-
-#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
- PKIX_CHECK(PKIX_PL_Object_ToString
- ((PKIX_PL_Object*)state, &stateString, plContext),
- PKIX_OBJECTTOSTRINGFAILED);
- PKIX_CHECK(PKIX_PL_String_GetEncoded
- (stateString,
- PKIX_ESCASCII,
- (void **)&stateAscii,
- &length,
- plContext),
- PKIX_STRINGGETENCODEDFAILED);
- PKIX_DEBUG_ARG("%s\n", stateAscii);
-
- PKIX_FREE(stateAscii);
- PKIX_DECREF(stateString);
-#endif
-
-cleanup:
-
- PKIX_DECREF(nominees);
-
- PKIX_RETURN(CERTCHAINCHECKER);
-}
-
-
-/*
- * FUNCTION: pkix_PolicyChecker_Check
- * (see comments in pkix_checker.h for PKIX_CertChainChecker_CheckCallback)
- *
- * Labels referring to sections, such as "Section 6.1.3(d)", refer to
- * sections of RFC3280, Section 6.1.3 Basic Certificate Processing.
- *
- * If a non-fatal error occurs, it is unlikely that policy processing can
- * continue. But it is still possible that chain validation could succeed if
- * policy processing is non-critical. So if this function receives a non-fatal
- * error from a lower level routine, it aborts policy processing by setting
- * the validPolicyTree to NULL and tries to continue.
- *
- */
-static PKIX_Error *
-pkix_PolicyChecker_Check(
- PKIX_CertChainChecker *checker,
- PKIX_PL_Cert *cert,
- PKIX_List *unresolvedCriticals, /* OIDs */
- void **pNBIOContext,
- void *plContext)
-{
- PKIX_UInt32 numPolicies = 0;
- PKIX_UInt32 polX = 0;
- PKIX_Boolean result = PKIX_FALSE;
- PKIX_Int32 inhibitMappingSkipCerts = 0;
- PKIX_Int32 explicitPolicySkipCerts = 0;
- PKIX_Int32 inhibitAnyPolicySkipCerts = 0;
- PKIX_Boolean shouldBePruned = PKIX_FALSE;
- PKIX_Boolean isSelfIssued = PKIX_FALSE;
- PKIX_Boolean certPoliciesIncludeAny = PKIX_FALSE;
- PKIX_Boolean doAnyPolicyProcessing = PKIX_FALSE;
-
- PKIX_PolicyCheckerState *state = NULL;
- PKIX_List *certPolicyInfos = NULL; /* CertPolicyInfos */
- PKIX_PL_CertPolicyInfo *policy = NULL;
- PKIX_PL_OID *policyOID = NULL;
- PKIX_List *qualsOfAny = NULL; /* CertPolicyQualifiers */
- PKIX_List *policyQualifiers = NULL; /* CertPolicyQualifiers */
- PKIX_List *policyMaps = NULL; /* CertPolicyMaps */
- PKIX_List *mappedPolicies = NULL; /* OIDs */
- PKIX_Error *subroutineErr = NULL;
-#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
- PKIX_PL_String *stateString = NULL;
- char *stateAscii = NULL;
- PKIX_PL_String *certString = NULL;
- char *certAscii = NULL;
- PKIX_UInt32 length;
-#endif
-
- PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Check");
- PKIX_NULLCHECK_FOUR(checker, cert, unresolvedCriticals, pNBIOContext);
-
- *pNBIOContext = NULL; /* we never block on pending I/O */
-
- PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
- (checker, (PKIX_PL_Object **)&state, plContext),
- PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
-
- PKIX_NULLCHECK_TWO(state, state->certPoliciesExtension);
-
-#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
- PKIX_CHECK(PKIX_PL_Object_ToString
- ((PKIX_PL_Object*)state, &stateString, plContext),
- PKIX_OBJECTTOSTRINGFAILED);
- PKIX_CHECK(PKIX_PL_String_GetEncoded
- (stateString,
- PKIX_ESCASCII,
- (void **)&stateAscii,
- &length,
- plContext),
- PKIX_STRINGGETENCODEDFAILED);
- PKIX_DEBUG_ARG("On entry %s\n", stateAscii);
- PKIX_FREE(stateAscii);
- PKIX_DECREF(stateString);
-#endif
-
- /*
- * Section 6.1.4(a)
- * If this is not the last certificate, and if
- * policyMapping extension is present, check that no
- * issuerDomainPolicy or subjectDomainPolicy is equal to the
- * special policy anyPolicy.
- */
- if (state->certsProcessed != (state->numCerts - 1)) {
- PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappings
- (cert, &policyMaps, plContext),
- PKIX_CERTGETPOLICYMAPPINGSFAILED);
- }
-
- if (policyMaps) {
-
- PKIX_CHECK(pkix_PolicyChecker_MapContains
- (policyMaps, state->anyPolicyOID, &result, plContext),
- PKIX_POLICYCHECKERMAPCONTAINSFAILED);
-
- if (result) {
- PKIX_ERROR(PKIX_INVALIDPOLICYMAPPINGINCLUDESANYPOLICY);
- }
-
- PKIX_CHECK(pkix_PolicyChecker_MapGetMappedPolicies
- (policyMaps, &mappedPolicies, plContext),
- PKIX_POLICYCHECKERMAPGETMAPPEDPOLICIESFAILED);
-
- PKIX_DECREF(state->mappedPolicyOIDs);
- PKIX_INCREF(mappedPolicies);
- state->mappedPolicyOIDs = mappedPolicies;
- }
-
- /* Section 6.1.3(d) */
- if (state->validPolicyTree) {
-
- PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation
- (cert, &certPolicyInfos, plContext),
- PKIX_CERTGETPOLICYINFORMATIONFAILED);
-
- if (certPolicyInfos) {
- PKIX_CHECK(PKIX_List_GetLength
- (certPolicyInfos, &numPolicies, plContext),
- PKIX_LISTGETLENGTHFAILED);
- }
-
- if (numPolicies > 0) {
-
- PKIX_CHECK(PKIX_PL_Cert_AreCertPoliciesCritical
- (cert, &(state->certPoliciesCritical), plContext),
- PKIX_CERTARECERTPOLICIESCRITICALFAILED);
-
- /* Section 6.1.3(d)(1) For each policy not equal to anyPolicy */
- for (polX = 0; polX < numPolicies; polX++) {
-
- PKIX_CHECK(PKIX_List_GetItem
- (certPolicyInfos,
- polX,
- (PKIX_PL_Object **)&policy,
- plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolicyId
- (policy, &policyOID, plContext),
- PKIX_CERTPOLICYINFOGETPOLICYIDFAILED);
-
- PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolQualifiers
- (policy, &policyQualifiers, plContext),
- PKIX_CERTPOLICYINFOGETPOLQUALIFIERSFAILED);
-
- PKIX_EQUALS
- (state->anyPolicyOID,
- policyOID,
- &result,
- plContext,
- PKIX_OIDEQUALFAILED);
-
- if (result == PKIX_FALSE) {
-
- /* Section 6.1.3(d)(1)(i) */
- subroutineErr = pkix_PolicyChecker_CheckPolicy
- (policyOID,
- policyQualifiers,
- cert,
- policyMaps,
- state,
- plContext);
- if (subroutineErr) {
- goto subrErrorCleanup;
- }
-
- } else {
- /*
- * No descent (yet) for anyPolicy, but we will need
- * the policyQualifiers for anyPolicy in 6.1.3(d)(2)
- */
- PKIX_DECREF(qualsOfAny);
- PKIX_INCREF(policyQualifiers);
- qualsOfAny = policyQualifiers;
- certPoliciesIncludeAny = PKIX_TRUE;
- }
- PKIX_DECREF(policy);
- PKIX_DECREF(policyOID);
- PKIX_DECREF(policyQualifiers);
- }
-
- /* Section 6.1.3(d)(2) */
- if (certPoliciesIncludeAny == PKIX_TRUE) {
- if (state->inhibitAnyPolicy > 0) {
- doAnyPolicyProcessing = PKIX_TRUE;
- } else {
- /* We haven't yet counted the current cert */
- if (((state->certsProcessed) + 1) <
- (state->numCerts)) {
-
- PKIX_CHECK(pkix_IsCertSelfIssued
- (cert,
- &doAnyPolicyProcessing,
- plContext),
- PKIX_ISCERTSELFISSUEDFAILED);
- }
- }
- if (doAnyPolicyProcessing) {
- subroutineErr = pkix_PolicyChecker_CheckAny
- (state->validPolicyTree,
- qualsOfAny,
- policyMaps,
- state,
- plContext);
- if (subroutineErr) {
- goto subrErrorCleanup;
- }
- }
- }
-
- /* Section 6.1.3(d)(3) */
- if (state->validPolicyTree) {
- subroutineErr = pkix_PolicyNode_Prune
- (state->validPolicyTree,
- state->certsProcessed + 1,
- &shouldBePruned,
- plContext);
- if (subroutineErr) {
- goto subrErrorCleanup;
- }
- if (shouldBePruned) {
- PKIX_DECREF(state->validPolicyTree);
- PKIX_DECREF(state->anyPolicyNodeAtBottom);
- }
- }
-
- PKIX_CHECK(PKIX_PL_Object_InvalidateCache
- ((PKIX_PL_Object *)state, plContext),
- PKIX_OBJECTINVALIDATECACHEFAILED);
-
- } else {
- /* Section 6.1.3(e) */
- PKIX_DECREF(state->validPolicyTree);
- PKIX_DECREF(state->anyPolicyNodeAtBottom);
- PKIX_DECREF(state->newAnyPolicyNode);
-
- PKIX_CHECK(PKIX_PL_Object_InvalidateCache
- ((PKIX_PL_Object *)state, plContext),
- PKIX_OBJECTINVALIDATECACHEFAILED);
- }
- }
-
- /* Section 6.1.3(f) */
- if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) {
- PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
- }
-
- /*
- * Remove Policy OIDs from list of unresolved critical
- * extensions, if present.
- */
- PKIX_CHECK(pkix_List_Remove
- (unresolvedCriticals,
- (PKIX_PL_Object *)state->certPoliciesExtension,
- plContext),
- PKIX_LISTREMOVEFAILED);
-
- PKIX_CHECK(pkix_List_Remove
- (unresolvedCriticals,
- (PKIX_PL_Object *)state->policyMappingsExtension,
- plContext),
- PKIX_LISTREMOVEFAILED);
-
- PKIX_CHECK(pkix_List_Remove
- (unresolvedCriticals,
- (PKIX_PL_Object *)state->policyConstraintsExtension,
- plContext),
- PKIX_LISTREMOVEFAILED);
-
- PKIX_CHECK(pkix_List_Remove
- (unresolvedCriticals,
- (PKIX_PL_Object *)state->inhibitAnyPolicyExtension,
- plContext),
- PKIX_LISTREMOVEFAILED);
-
- state->certsProcessed++;
-
- /* If this was not the last certificate, do next-cert preparation */
- if (state->certsProcessed != state->numCerts) {
-
- if (policyMaps) {
- subroutineErr = pkix_PolicyChecker_PolicyMapProcessing
- (policyMaps,
- certPoliciesIncludeAny,
- qualsOfAny,
- state,
- plContext);
- if (subroutineErr) {
- goto subrErrorCleanup;
- }
- }
-
- /* update anyPolicyNodeAtBottom pointer */
- PKIX_DECREF(state->anyPolicyNodeAtBottom);
- state->anyPolicyNodeAtBottom = state->newAnyPolicyNode;
- state->newAnyPolicyNode = NULL;
-
- /* Section 6.1.4(h) */
- PKIX_CHECK(pkix_IsCertSelfIssued
- (cert, &isSelfIssued, plContext),
- PKIX_ISCERTSELFISSUEDFAILED);
-
- if (!isSelfIssued) {
- if (state->explicitPolicy > 0) {
- state->explicitPolicy--;
- }
- if (state->policyMapping > 0) {
- state->policyMapping--;
- }
- if (state->inhibitAnyPolicy > 0) {
- state->inhibitAnyPolicy--;
- }
- }
-
- /* Section 6.1.4(i) */
- PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy
- (cert, &explicitPolicySkipCerts, plContext),
- PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED);
-
- if (explicitPolicySkipCerts != -1) {
- if (((PKIX_UInt32)explicitPolicySkipCerts) <
- (state->explicitPolicy)) {
- state->explicitPolicy =
- ((PKIX_UInt32) explicitPolicySkipCerts);
- }
- }
-
- PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappingInhibited
- (cert, &inhibitMappingSkipCerts, plContext),
- PKIX_CERTGETPOLICYMAPPINGINHIBITEDFAILED);
-
- if (inhibitMappingSkipCerts != -1) {
- if (((PKIX_UInt32)inhibitMappingSkipCerts) <
- (state->policyMapping)) {
- state->policyMapping =
- ((PKIX_UInt32)inhibitMappingSkipCerts);
- }
- }
-
- PKIX_CHECK(PKIX_PL_Cert_GetInhibitAnyPolicy
- (cert, &inhibitAnyPolicySkipCerts, plContext),
- PKIX_CERTGETINHIBITANYPOLICYFAILED);
-
- if (inhibitAnyPolicySkipCerts != -1) {
- if (((PKIX_UInt32)inhibitAnyPolicySkipCerts) <
- (state->inhibitAnyPolicy)) {
- state->inhibitAnyPolicy =
- ((PKIX_UInt32)inhibitAnyPolicySkipCerts);
- }
- }
-
- PKIX_CHECK(PKIX_PL_Object_InvalidateCache
- ((PKIX_PL_Object *)state, plContext),
- PKIX_OBJECTINVALIDATECACHEFAILED);
-
- } else { /* If this was the last certificate, do wrap-up processing */
-
- /* Section 6.1.5 */
- subroutineErr = pkix_PolicyChecker_WrapUpProcessing
- (cert, state, plContext);
- if (subroutineErr) {
- goto subrErrorCleanup;
- }
-
- if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) {
- PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
- }
-
- PKIX_DECREF(state->anyPolicyNodeAtBottom);
- PKIX_DECREF(state->newAnyPolicyNode);
- }
-
-
- if (subroutineErr) {
-
-subrErrorCleanup:
- /* We had an error. Was it a fatal error? */
- pkixErrorClass = subroutineErr->errClass;
- if (pkixErrorClass == PKIX_FATAL_ERROR) {
- pkixErrorResult = subroutineErr;
- subroutineErr = NULL;
- goto cleanup;
- }
- /*
- * Abort policy processing, and then determine whether
- * we can continue without policy processing.
- */
- PKIX_DECREF(state->validPolicyTree);
- PKIX_DECREF(state->anyPolicyNodeAtBottom);
- PKIX_DECREF(state->newAnyPolicyNode);
- if (state->explicitPolicy == 0) {
- PKIX_ERROR
- (PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION);
- }
- }
-
- /* Checking is complete. Save state for the next certificate. */
- PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
- (checker, (PKIX_PL_Object *)state, plContext),
- PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
-
-cleanup:
-
-#if PKIX_CERTPOLICYCHECKERSTATEDEBUG
- if (cert) {
- PKIX_CHECK(PKIX_PL_Object_ToString
- ((PKIX_PL_Object*)cert, &certString, plContext),
- PKIX_OBJECTTOSTRINGFAILED);
- PKIX_CHECK(PKIX_PL_String_GetEncoded
- (certString,
- PKIX_ESCASCII,
- (void **)&certAscii,
- &length,
- plContext),
- PKIX_STRINGGETENCODEDFAILED);
- PKIX_DEBUG_ARG("Cert was %s\n", certAscii);
- PKIX_FREE(certAscii);
- PKIX_DECREF(certString);
- }
- if (state) {
- PKIX_CHECK(PKIX_PL_Object_ToString
- ((PKIX_PL_Object*)state, &stateString, plContext),
- PKIX_OBJECTTOSTRINGFAILED);
- PKIX_CHECK(PKIX_PL_String_GetEncoded
- (stateString,
- PKIX_ESCASCII,
- (void **)&stateAscii,
- &length,
- plContext),
- PKIX_STRINGGETENCODEDFAILED);
- PKIX_DEBUG_ARG("On exit %s\n", stateAscii);
- PKIX_FREE(stateAscii);
- PKIX_DECREF(stateString);
- }
-#endif
-
- PKIX_DECREF(state);
- PKIX_DECREF(certPolicyInfos);
- PKIX_DECREF(policy);
- PKIX_DECREF(qualsOfAny);
- PKIX_DECREF(policyQualifiers);
- PKIX_DECREF(policyOID);
- PKIX_DECREF(subroutineErr);
- PKIX_DECREF(policyMaps);
- PKIX_DECREF(mappedPolicies);
-
- PKIX_RETURN(CERTCHAINCHECKER);
-}
-
-/*
- * FUNCTION: pkix_PolicyChecker_Initialize
- * DESCRIPTION:
- *
- * Creates and initializes a PolicyChecker, using the List pointed to
- * by "initialPolicies" for the user-initial-policy-set, the Boolean value
- * of "policyQualifiersRejected" for the policyQualifiersRejected parameter,
- * the Boolean value of "initialPolicyMappingInhibit" for the
- * inhibitPolicyMappings parameter, the Boolean value of
- * "initialExplicitPolicy" for the initialExplicitPolicy parameter, the
- * Boolean value of "initialAnyPolicyInhibit" for the inhibitAnyPolicy
- * parameter, and the UInt32 value of "numCerts" as the number of
- * certificates in the chain; and stores the Checker at "pChecker".
- *
- * PARAMETERS:
- * "initialPolicies"
- * Address of List of OIDs comprising the user-initial-policy-set; the List
- * may be empty or NULL
- * "policyQualifiersRejected"
- * Boolean value of the policyQualifiersRejected parameter
- * "initialPolicyMappingInhibit"
- * Boolean value of the inhibitPolicyMappings parameter
- * "initialExplicitPolicy"
- * Boolean value of the initialExplicitPolicy parameter
- * "initialAnyPolicyInhibit"
- * Boolean value of the inhibitAnyPolicy parameter
- * "numCerts"
- * Number of certificates in the chain to be validated
- * "pChecker"
- * Address to store the created PolicyChecker. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds
- * Returns a CertChainChecker Error if the functions fails in a non-fatal way
- * Returns a Fatal Error if the function fails in an unrecoverable way
- */
-PKIX_Error *
-pkix_PolicyChecker_Initialize(
- PKIX_List *initialPolicies,
- PKIX_Boolean policyQualifiersRejected,
- PKIX_Boolean initialPolicyMappingInhibit,
- PKIX_Boolean initialExplicitPolicy,
- PKIX_Boolean initialAnyPolicyInhibit,
- PKIX_UInt32 numCerts,
- PKIX_CertChainChecker **pChecker,
- void *plContext)
-{
- PKIX_PolicyCheckerState *polCheckerState = NULL;
- PKIX_List *policyExtensions = NULL; /* OIDs */
- PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Initialize");
- PKIX_NULLCHECK_ONE(pChecker);
-
- PKIX_CHECK(pkix_PolicyCheckerState_Create
- (initialPolicies,
- policyQualifiersRejected,
- initialPolicyMappingInhibit,
- initialExplicitPolicy,
- initialAnyPolicyInhibit,
- numCerts,
- &polCheckerState,
- plContext),
- PKIX_POLICYCHECKERSTATECREATEFAILED);
-
- /* Create the list of extensions that we handle */
- PKIX_CHECK(pkix_PolicyChecker_MakeSingleton
- ((PKIX_PL_Object *)(polCheckerState->certPoliciesExtension),
- PKIX_TRUE,
- &policyExtensions,
- plContext),
- PKIX_POLICYCHECKERMAKESINGLETONFAILED);
-
- PKIX_CHECK(PKIX_CertChainChecker_Create
- (pkix_PolicyChecker_Check,
- PKIX_FALSE, /* forwardCheckingSupported */
- PKIX_FALSE,
- policyExtensions,
- (PKIX_PL_Object *)polCheckerState,
- pChecker,
- plContext),
- PKIX_CERTCHAINCHECKERCREATEFAILED);
-
-cleanup:
- PKIX_DECREF(polCheckerState);
- PKIX_DECREF(policyExtensions);
- PKIX_RETURN(CERTCHAINCHECKER);
-
-}
« no previous file with comments | « nss/lib/libpkix/pkix/checker/pkix_policychecker.h ('k') | nss/lib/libpkix/pkix/checker/pkix_revocationchecker.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698