Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(5)

Unified Diff: nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c

Issue 2078763002: Delete bundled copy of NSS and replace with README. (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/nss@master
Patch Set: Delete bundled copy of NSS and replace with README. Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
diff --git a/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c b/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
deleted file mode 100644
index fa5d6e9d5fffb744491b6e8e1c27abc099c33e17..0000000000000000000000000000000000000000
--- a/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
+++ /dev/null
@@ -1,1067 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/*
- * pkix_pl_ocspresponse.c
- *
- */
-
-#include "pkix_pl_ocspresponse.h"
-
-/* ----Public functions------------------------------------- */
-/*
- * This is the libpkix replacement for CERT_VerifyOCSPResponseSignature.
- * It is used if it has been set as the verifyFcn member of ocspChecker.
- */
-PKIX_Error *
-PKIX_PL_OcspResponse_UseBuildChain(
- PKIX_PL_Cert *signerCert,
- PKIX_PL_Date *producedAt,
- PKIX_ProcessingParams *procParams,
- void **pNBIOContext,
- void **pState,
- PKIX_BuildResult **pBuildResult,
- PKIX_VerifyNode **pVerifyTree,
- void *plContext)
-{
- PKIX_ProcessingParams *caProcParams = NULL;
- PKIX_PL_Date *date = NULL;
- PKIX_ComCertSelParams *certSelParams = NULL;
- PKIX_CertSelector *certSelector = NULL;
- void *nbioContext = NULL;
- PKIX_Error *buildError = NULL;
-
- PKIX_ENTER(OCSPRESPONSE, "pkix_OcspResponse_UseBuildChain");
- PKIX_NULLCHECK_THREE(signerCert, producedAt, procParams);
- PKIX_NULLCHECK_THREE(pNBIOContext, pState, pBuildResult);
-
- nbioContext = *pNBIOContext;
- *pNBIOContext = NULL;
-
- /* Are we resuming after a WOULDBLOCK return, or starting anew ? */
- if (nbioContext == NULL) {
- /* Starting anew */
- PKIX_CHECK(PKIX_PL_Object_Duplicate
- ((PKIX_PL_Object *)procParams,
- (PKIX_PL_Object **)&caProcParams,
- plContext),
- PKIX_OBJECTDUPLICATEFAILED);
-
- PKIX_CHECK(PKIX_ProcessingParams_SetDate(procParams, date, plContext),
- PKIX_PROCESSINGPARAMSSETDATEFAILED);
-
- /* create CertSelector with target certificate in params */
-
- PKIX_CHECK(PKIX_CertSelector_Create
- (NULL, NULL, &certSelector, plContext),
- PKIX_CERTSELECTORCREATEFAILED);
-
- PKIX_CHECK(PKIX_ComCertSelParams_Create
- (&certSelParams, plContext),
- PKIX_COMCERTSELPARAMSCREATEFAILED);
-
- PKIX_CHECK(PKIX_ComCertSelParams_SetCertificate
- (certSelParams, signerCert, plContext),
- PKIX_COMCERTSELPARAMSSETCERTIFICATEFAILED);
-
- PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams
- (certSelector, certSelParams, plContext),
- PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
-
- PKIX_CHECK(PKIX_ProcessingParams_SetTargetCertConstraints
- (caProcParams, certSelector, plContext),
- PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED);
- }
-
- buildError = PKIX_BuildChain
- (caProcParams,
- &nbioContext,
- pState,
- pBuildResult,
- pVerifyTree,
- plContext);
-
- /* non-null nbioContext means the build would block */
- if (nbioContext != NULL) {
-
- *pNBIOContext = nbioContext;
-
- /* no buildResult means the build has failed */
- } else if (buildError) {
- pkixErrorResult = buildError;
- buildError = NULL;
- } else {
- PKIX_DECREF(*pState);
- }
-
-cleanup:
-
- PKIX_DECREF(caProcParams);
- PKIX_DECREF(date);
- PKIX_DECREF(certSelParams);
- PKIX_DECREF(certSelector);
-
- PKIX_RETURN(OCSPRESPONSE);
-}
-
-/* --Private-OcspResponse-Functions------------------------------------- */
-
-/*
- * FUNCTION: pkix_pl_OcspResponse_Destroy
- * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
- */
-static PKIX_Error *
-pkix_pl_OcspResponse_Destroy(
- PKIX_PL_Object *object,
- void *plContext)
-{
- PKIX_PL_OcspResponse *ocspRsp = NULL;
- const SEC_HttpClientFcn *httpClient = NULL;
- const SEC_HttpClientFcnV1 *hcv1 = NULL;
-
- PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Destroy");
- PKIX_NULLCHECK_ONE(object);
-
- PKIX_CHECK(pkix_CheckType(object, PKIX_OCSPRESPONSE_TYPE, plContext),
- PKIX_OBJECTNOTANOCSPRESPONSE);
-
- ocspRsp = (PKIX_PL_OcspResponse *)object;
-
- if (ocspRsp->nssOCSPResponse != NULL) {
- CERT_DestroyOCSPResponse(ocspRsp->nssOCSPResponse);
- ocspRsp->nssOCSPResponse = NULL;
- }
-
- if (ocspRsp->signerCert != NULL) {
- CERT_DestroyCertificate(ocspRsp->signerCert);
- ocspRsp->signerCert = NULL;
- }
-
- httpClient = (const SEC_HttpClientFcn *)(ocspRsp->httpClient);
-
- if (httpClient && (httpClient->version == 1)) {
-
- hcv1 = &(httpClient->fcnTable.ftable1);
-
- if (ocspRsp->sessionRequest != NULL) {
- (*hcv1->freeFcn)(ocspRsp->sessionRequest);
- ocspRsp->sessionRequest = NULL;
- }
-
- if (ocspRsp->serverSession != NULL) {
- (*hcv1->freeSessionFcn)(ocspRsp->serverSession);
- ocspRsp->serverSession = NULL;
- }
- }
-
- if (ocspRsp->arena != NULL) {
- PORT_FreeArena(ocspRsp->arena, PR_FALSE);
- ocspRsp->arena = NULL;
- }
-
- PKIX_DECREF(ocspRsp->producedAtDate);
- PKIX_DECREF(ocspRsp->pkixSignerCert);
- PKIX_DECREF(ocspRsp->request);
-
-cleanup:
-
- PKIX_RETURN(OCSPRESPONSE);
-}
-
-/*
- * FUNCTION: pkix_pl_OcspResponse_Hashcode
- * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
- */
-static PKIX_Error *
-pkix_pl_OcspResponse_Hashcode(
- PKIX_PL_Object *object,
- PKIX_UInt32 *pHashcode,
- void *plContext)
-{
- PKIX_PL_OcspResponse *ocspRsp = NULL;
-
- PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Hashcode");
- PKIX_NULLCHECK_TWO(object, pHashcode);
-
- PKIX_CHECK(pkix_CheckType(object, PKIX_OCSPRESPONSE_TYPE, plContext),
- PKIX_OBJECTNOTANOCSPRESPONSE);
-
- ocspRsp = (PKIX_PL_OcspResponse *)object;
-
- if (ocspRsp->encodedResponse->data == NULL) {
- *pHashcode = 0;
- } else {
- PKIX_CHECK(pkix_hash
- (ocspRsp->encodedResponse->data,
- ocspRsp->encodedResponse->len,
- pHashcode,
- plContext),
- PKIX_HASHFAILED);
- }
-
-cleanup:
-
- PKIX_RETURN(OCSPRESPONSE);
-}
-
-/*
- * FUNCTION: pkix_pl_OcspResponse_Equals
- * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
- */
-static PKIX_Error *
-pkix_pl_OcspResponse_Equals(
- PKIX_PL_Object *firstObj,
- PKIX_PL_Object *secondObj,
- PKIX_Boolean *pResult,
- void *plContext)
-{
- PKIX_UInt32 secondType = 0;
- PKIX_UInt32 firstLen = 0;
- PKIX_UInt32 i = 0;
- PKIX_PL_OcspResponse *rsp1 = NULL;
- PKIX_PL_OcspResponse *rsp2 = NULL;
- const unsigned char *firstData = NULL;
- const unsigned char *secondData = NULL;
-
- PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Equals");
- PKIX_NULLCHECK_THREE(firstObj, secondObj, pResult);
-
- /* test that firstObj is a OcspResponse */
- PKIX_CHECK(pkix_CheckType(firstObj, PKIX_OCSPRESPONSE_TYPE, plContext),
- PKIX_FIRSTOBJARGUMENTNOTANOCSPRESPONSE);
-
- /*
- * Since we know firstObj is a OcspResponse, if both references are
- * identical, they must be equal
- */
- if (firstObj == secondObj){
- *pResult = PKIX_TRUE;
- goto cleanup;
- }
-
- /*
- * If secondObj isn't a OcspResponse, we don't throw an error.
- * We simply return a Boolean result of FALSE
- */
- *pResult = PKIX_FALSE;
- PKIX_CHECK(PKIX_PL_Object_GetType(secondObj, &secondType, plContext),
- PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);
- if (secondType != PKIX_OCSPRESPONSE_TYPE) {
- goto cleanup;
- }
-
- rsp1 = (PKIX_PL_OcspResponse *)firstObj;
- rsp2 = (PKIX_PL_OcspResponse *)secondObj;
-
- /* If either lacks an encoded string, they cannot be compared */
- firstData = (const unsigned char *)rsp1->encodedResponse->data;
- secondData = (const unsigned char *)rsp2->encodedResponse->data;
- if ((firstData == NULL) || (secondData == NULL)) {
- goto cleanup;
- }
-
- firstLen = rsp1->encodedResponse->len;
-
- if (firstLen != rsp2->encodedResponse->len) {
- goto cleanup;
- }
-
- for (i = 0; i < firstLen; i++) {
- if (*firstData++ != *secondData++) {
- goto cleanup;
- }
- }
-
- *pResult = PKIX_TRUE;
-
-cleanup:
-
- PKIX_RETURN(OCSPRESPONSE);
-}
-
-/*
- * FUNCTION: pkix_pl_OcspResponse_RegisterSelf
- * DESCRIPTION:
- * Registers PKIX_OCSPRESPONSE_TYPE and its related functions with
- * systemClasses[]
- * PARAMETERS:
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Not Thread Safe - for performance and complexity reasons
- *
- * Since this function is only called by PKIX_PL_Initialize, which should
- * only be called once, it is acceptable that this function is not
- * thread-safe.
- */
-PKIX_Error *
-pkix_pl_OcspResponse_RegisterSelf(void *plContext)
-{
- extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
- pkix_ClassTable_Entry *entry = &systemClasses[PKIX_OCSPRESPONSE_TYPE];
-
- PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_RegisterSelf");
-
- entry->description = "OcspResponse";
- entry->typeObjectSize = sizeof(PKIX_PL_OcspResponse);
- entry->destructor = pkix_pl_OcspResponse_Destroy;
- entry->equalsFunction = pkix_pl_OcspResponse_Equals;
- entry->hashcodeFunction = pkix_pl_OcspResponse_Hashcode;
- entry->duplicateFunction = pkix_duplicateImmutable;
-
- PKIX_RETURN(OCSPRESPONSE);
-}
-
-/* --Public-Functions------------------------------------------------------- */
-
-/*
- * FUNCTION: pkix_pl_OcspResponse_Create
- * DESCRIPTION:
- *
- * This function transmits the OcspRequest pointed to by "request" and obtains
- * an OcspResponse, which it stores at "pOcspResponse". If the HTTPClient
- * supports non-blocking I/O this function may store a non-NULL value at
- * "pNBIOContext" (the WOULDBLOCK condition). In that case the caller should
- * make a subsequent call with the same value in "pNBIOContext" and
- * "pOcspResponse" to resume the operation. Additional WOULDBLOCK returns may
- * occur; the caller should persist until a return occurs with NULL stored at
- * "pNBIOContext".
- *
- * If a SEC_HttpClientFcn "responder" is supplied, it is used as the client
- * to which the OCSP query is sent. If none is supplied, the default responder
- * is used.
- *
- * If an OcspResponse_VerifyCallback "verifyFcn" is supplied, it is used to
- * verify the Cert received from the responder as the signer. If none is
- * supplied, the default verification function is used.
- *
- * The contents of "request" are ignored on calls subsequent to a WOULDBLOCK
- * return, and the caller is permitted to supply NULL.
- *
- * PARAMETERS
- * "request"
- * Address of the OcspRequest for which a response is desired.
- * "httpMethod"
- * GET or POST
- * "responder"
- * Address, if non-NULL, of the SEC_HttpClientFcn to be sent the OCSP
- * query.
- * "verifyFcn"
- * Address, if non-NULL, of the OcspResponse_VerifyCallback function to be
- * used to verify the Cert of the OCSP responder.
- * "pNBIOContext"
- * Address at which platform-dependent information is stored for handling
- * of non-blocking I/O. Must be non-NULL.
- * "pOcspResponse"
- * The address where the created OcspResponse is stored. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds.
- * Returns an OcspResponse Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way.
- */
-PKIX_Error *
-pkix_pl_OcspResponse_Create(
- PKIX_PL_OcspRequest *request,
- const char *httpMethod,
- void *responder,
- PKIX_PL_VerifyCallback verifyFcn,
- void **pNBIOContext,
- PKIX_PL_OcspResponse **pResponse,
- void *plContext)
-{
- void *nbioContext = NULL;
- PKIX_PL_OcspResponse *ocspResponse = NULL;
- const SEC_HttpClientFcn *httpClient = NULL;
- const SEC_HttpClientFcnV1 *hcv1 = NULL;
- SECStatus rv = SECFailure;
- char *location = NULL;
- char *hostname = NULL;
- char *path = NULL;
- char *responseContentType = NULL;
- PRUint16 port = 0;
- SEC_HTTP_SERVER_SESSION serverSession = NULL;
- SEC_HTTP_REQUEST_SESSION sessionRequest = NULL;
- SECItem *encodedRequest = NULL;
- PRUint16 responseCode = 0;
- char *responseData = NULL;
-
- PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Create");
- PKIX_NULLCHECK_TWO(pNBIOContext, pResponse);
-
- if (!strcmp(httpMethod, "GET") && !strcmp(httpMethod, "POST")) {
- PKIX_ERROR(PKIX_INVALIDOCSPHTTPMETHOD);
- }
-
- nbioContext = *pNBIOContext;
- *pNBIOContext = NULL;
-
- if (nbioContext != NULL) {
-
- ocspResponse = *pResponse;
- PKIX_NULLCHECK_ONE(ocspResponse);
-
- httpClient = ocspResponse->httpClient;
- serverSession = ocspResponse->serverSession;
- sessionRequest = ocspResponse->sessionRequest;
- PKIX_NULLCHECK_THREE(httpClient, serverSession, sessionRequest);
-
- } else {
- PKIX_UInt32 timeout =
- ((PKIX_PL_NssContext*)plContext)->timeoutSeconds;
-
- PKIX_NULLCHECK_ONE(request);
-
- PKIX_CHECK(pkix_pl_OcspRequest_GetEncoded
- (request, &encodedRequest, plContext),
- PKIX_OCSPREQUESTGETENCODEDFAILED);
-
- /* prepare initial message to HTTPClient */
-
- /* Is there a default responder and is it enabled? */
- if (responder) {
- httpClient = (const SEC_HttpClientFcn *)responder;
- } else {
- httpClient = SEC_GetRegisteredHttpClient();
- }
-
- if (httpClient && (httpClient->version == 1)) {
- char *fullGetPath = NULL;
- const char *sessionPath = NULL;
- PRBool usePOST = !strcmp(httpMethod, "POST");
-
- hcv1 = &(httpClient->fcnTable.ftable1);
-
- PKIX_CHECK(pkix_pl_OcspRequest_GetLocation
- (request, &location, plContext),
- PKIX_OCSPREQUESTGETLOCATIONFAILED);
-
- /* parse location -> hostname, port, path */
- rv = CERT_ParseURL(location, &hostname, &port, &path);
- if (rv == SECFailure || hostname == NULL || path == NULL) {
- PKIX_ERROR(PKIX_URLPARSINGFAILED);
- }
-
- rv = (*hcv1->createSessionFcn)(hostname, port,
- &serverSession);
- if (rv != SECSuccess) {
- PKIX_ERROR(PKIX_OCSPSERVERERROR);
- }
-
- if (usePOST) {
- sessionPath = path;
- } else {
- /* calculate, are we allowed to use GET? */
- enum { max_get_request_size = 255 }; /* defined by RFC2560 */
- char b64ReqBuf[max_get_request_size+1];
- size_t base64size;
- size_t slashLengthIfNeeded = 0;
- size_t pathLength;
- PRInt32 urlEncodedBufLength;
- size_t getURLLength;
- char *walkOutput = NULL;
-
- pathLength = strlen(path);
- if (path[pathLength-1] != '/') {
- slashLengthIfNeeded = 1;
- }
- base64size = (((encodedRequest->len +2)/3) * 4);
- if (base64size > max_get_request_size) {
- PKIX_ERROR(PKIX_OCSPGETREQUESTTOOBIG);
- }
- memset(b64ReqBuf, 0, sizeof(b64ReqBuf));
- PL_Base64Encode((const char *)encodedRequest->data, encodedRequest->len, b64ReqBuf);
- urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL);
- getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded;
- fullGetPath = (char*)PORT_Alloc(getURLLength);
- if (!fullGetPath) {
- PKIX_ERROR(PKIX_OUTOFMEMORY);
- }
- strcpy(fullGetPath, path);
- walkOutput = fullGetPath + pathLength;
- if (walkOutput > fullGetPath && slashLengthIfNeeded) {
- strcpy(walkOutput, "/");
- ++walkOutput;
- }
- ocsp_UrlEncodeBase64Buf(b64ReqBuf, walkOutput);
- sessionPath = fullGetPath;
- }
-
- rv = (*hcv1->createFcn)(serverSession, "http",
- sessionPath, httpMethod,
- PR_SecondsToInterval(timeout),
- &sessionRequest);
- sessionPath = NULL;
- if (fullGetPath) {
- PORT_Free(fullGetPath);
- fullGetPath = NULL;
- }
-
- if (rv != SECSuccess) {
- PKIX_ERROR(PKIX_OCSPSERVERERROR);
- }
-
- if (usePOST) {
- rv = (*hcv1->setPostDataFcn)(sessionRequest,
- (char *)encodedRequest->data,
- encodedRequest->len,
- "application/ocsp-request");
- if (rv != SECSuccess) {
- PKIX_ERROR(PKIX_OCSPSERVERERROR);
- }
- }
-
- /* create a PKIX_PL_OcspResponse object */
- PKIX_CHECK(PKIX_PL_Object_Alloc
- (PKIX_OCSPRESPONSE_TYPE,
- sizeof (PKIX_PL_OcspResponse),
- (PKIX_PL_Object **)&ocspResponse,
- plContext),
- PKIX_COULDNOTCREATEOBJECT);
-
- PKIX_INCREF(request);
- ocspResponse->request = request;
- ocspResponse->httpClient = httpClient;
- ocspResponse->serverSession = serverSession;
- serverSession = NULL;
- ocspResponse->sessionRequest = sessionRequest;
- sessionRequest = NULL;
- ocspResponse->verifyFcn = verifyFcn;
- ocspResponse->handle = CERT_GetDefaultCertDB();
- ocspResponse->encodedResponse = NULL;
- ocspResponse->arena = NULL;
- ocspResponse->producedAt = 0;
- ocspResponse->producedAtDate = NULL;
- ocspResponse->pkixSignerCert = NULL;
- ocspResponse->nssOCSPResponse = NULL;
- ocspResponse->signerCert = NULL;
- }
- }
-
- /* begin or resume IO to HTTPClient */
- if (httpClient && (httpClient->version == 1)) {
- PRUint32 responseDataLen =
- ((PKIX_PL_NssContext*)plContext)->maxResponseLength;
-
- hcv1 = &(httpClient->fcnTable.ftable1);
-
- rv = (*hcv1->trySendAndReceiveFcn)(ocspResponse->sessionRequest,
- (PRPollDesc **)&nbioContext,
- &responseCode,
- (const char **)&responseContentType,
- NULL, /* responseHeaders */
- (const char **)&responseData,
- &responseDataLen);
-
- if (rv != SECSuccess) {
- PKIX_ERROR(PKIX_OCSPSERVERERROR);
- }
- /* responseContentType is a pointer to the null-terminated
- * string returned by httpclient. Memory allocated for context
- * type will be freed with freeing of the HttpClient struct. */
- if (PORT_Strcasecmp(responseContentType,
- "application/ocsp-response")) {
- PKIX_ERROR(PKIX_OCSPSERVERERROR);
- }
- if (nbioContext != NULL) {
- *pNBIOContext = nbioContext;
- goto cleanup;
- }
- if (responseCode != 200) {
- PKIX_ERROR(PKIX_OCSPBADHTTPRESPONSE);
- }
- ocspResponse->arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (ocspResponse->arena == NULL) {
- PKIX_ERROR(PKIX_OUTOFMEMORY);
- }
- ocspResponse->encodedResponse = SECITEM_AllocItem
- (ocspResponse->arena, NULL, responseDataLen);
- if (ocspResponse->encodedResponse == NULL) {
- PKIX_ERROR(PKIX_OUTOFMEMORY);
- }
- PORT_Memcpy(ocspResponse->encodedResponse->data,
- responseData, responseDataLen);
- }
- *pResponse = ocspResponse;
- ocspResponse = NULL;
-
-cleanup:
-
- if (path != NULL) {
- PORT_Free(path);
- }
- if (hostname != NULL) {
- PORT_Free(hostname);
- }
- if (ocspResponse) {
- PKIX_DECREF(ocspResponse);
- }
- if (serverSession) {
- hcv1->freeSessionFcn(serverSession);
- }
- if (sessionRequest) {
- hcv1->freeFcn(sessionRequest);
- }
-
- PKIX_RETURN(OCSPRESPONSE);
-}
-
-/*
- * FUNCTION: pkix_pl_OcspResponse_Decode
- * DESCRIPTION:
- *
- * This function decodes the DER data contained in the OcspResponse pointed to
- * by "response", storing PKIX_TRUE at "pPassed" if the decoding was
- * successful, and PKIX_FALSE otherwise.
- *
- * PARAMETERS
- * "response"
- * The address of the OcspResponse whose DER data is to be decoded. Must
- * be non-NULL.
- * "pPassed"
- * Address at which the Boolean result is stored. Must be non-NULL.
- * "pReturnCode"
- * Address at which the SECErrorCodes result is stored. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds.
- * Returns an OcspResponse Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way.
- */
-
-PKIX_Error *
-pkix_pl_OcspResponse_Decode(
- PKIX_PL_OcspResponse *response,
- PKIX_Boolean *pPassed,
- SECErrorCodes *pReturnCode,
- void *plContext)
-{
-
- PKIX_ENTER(OCSPRESPONSE, "PKIX_PL_OcspResponse_Decode");
- PKIX_NULLCHECK_TWO(response, response->encodedResponse);
-
- response->nssOCSPResponse =
- CERT_DecodeOCSPResponse(response->encodedResponse);
-
- if (response->nssOCSPResponse != NULL) {
- *pPassed = PKIX_TRUE;
- *pReturnCode = 0;
- } else {
- *pPassed = PKIX_FALSE;
- *pReturnCode = PORT_GetError();
- }
-
- PKIX_RETURN(OCSPRESPONSE);
-}
-
-/*
- * FUNCTION: pkix_pl_OcspResponse_GetStatus
- * DESCRIPTION:
- *
- * This function checks the response status of the OcspResponse pointed to
- * by "response", storing PKIX_TRUE at "pPassed" if the responder understood
- * the request and considered it valid, and PKIX_FALSE otherwise.
- *
- * PARAMETERS
- * "response"
- * The address of the OcspResponse whose status is to be retrieved. Must
- * be non-NULL.
- * "pPassed"
- * Address at which the Boolean result is stored. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds.
- * Returns an OcspResponse Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way.
- */
-
-PKIX_Error *
-pkix_pl_OcspResponse_GetStatus(
- PKIX_PL_OcspResponse *response,
- PKIX_Boolean *pPassed,
- SECErrorCodes *pReturnCode,
- void *plContext)
-{
- SECStatus rv = SECFailure;
-
- PKIX_ENTER(OCSPRESPONSE, "PKIX_PL_OcspResponse_GetStatus");
- PKIX_NULLCHECK_FOUR(response, response->nssOCSPResponse, pPassed, pReturnCode);
-
- rv = CERT_GetOCSPResponseStatus(response->nssOCSPResponse);
-
- if (rv == SECSuccess) {
- *pPassed = PKIX_TRUE;
- *pReturnCode = 0;
- } else {
- *pPassed = PKIX_FALSE;
- *pReturnCode = PORT_GetError();
- }
-
- PKIX_RETURN(OCSPRESPONSE);
-}
-
-
-static PKIX_Error*
-pkix_pl_OcspResponse_VerifyResponse(
- PKIX_PL_OcspResponse *response,
- PKIX_ProcessingParams *procParams,
- SECCertUsage certUsage,
- void **state,
- PKIX_BuildResult **buildResult,
- void **pNBIOContext,
- void *plContext)
-{
- SECStatus rv = SECFailure;
-
- PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_VerifyResponse");
-
- if (response->verifyFcn != NULL) {
- void *lplContext = NULL;
-
- PKIX_CHECK(
- PKIX_PL_NssContext_Create(((SECCertificateUsage)1) << certUsage,
- PKIX_FALSE, NULL, &lplContext),
- PKIX_NSSCONTEXTCREATEFAILED);
-
- PKIX_CHECK(
- (response->verifyFcn)((PKIX_PL_Object*)response->pkixSignerCert,
- NULL, response->producedAtDate,
- procParams, pNBIOContext,
- state, buildResult,
- NULL, lplContext),
- PKIX_CERTVERIFYKEYUSAGEFAILED);
- rv = SECSuccess;
- } else {
- rv = CERT_VerifyCert(response->handle, response->signerCert, PKIX_TRUE,
- certUsage, response->producedAt, NULL, NULL);
- if (rv != SECSuccess) {
- PKIX_ERROR(PKIX_CERTVERIFYKEYUSAGEFAILED);
- }
- }
-
-cleanup:
- if (rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
- }
-
- PKIX_RETURN(OCSPRESPONSE);
-}
-
-/*
- * FUNCTION: pkix_pl_OcspResponse_VerifySignature
- * DESCRIPTION:
- *
- * This function verifies the ocspResponse signature field in the OcspResponse
- * pointed to by "response", storing PKIX_TRUE at "pPassed" if verification
- * is successful and PKIX_FALSE otherwise. If verification is unsuccessful an
- * error code (an enumeration of type SECErrorCodes) is stored at *pReturnCode.
- *
- * PARAMETERS
- * "response"
- * The address of the OcspResponse whose signature field is to be
- * retrieved. Must be non-NULL.
- * "cert"
- * The address of the Cert for which the OCSP query was made. Must be
- * non-NULL.
- * "procParams"
- * Address of ProcessingParams used to initialize the ExpirationChecker
- * and TargetCertChecker. Must be non-NULL.
- * "pPassed"
- * Address at which the Boolean result is stored. Must be non-NULL.
- * "pNBIOContext"
- * Address at which the NBIOContext is stored indicating whether the
- * checking is complete. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds.
- * Returns an OcspResponse Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way.
- */
-PKIX_Error *
-pkix_pl_OcspResponse_VerifySignature(
- PKIX_PL_OcspResponse *response,
- PKIX_PL_Cert *cert,
- PKIX_ProcessingParams *procParams,
- PKIX_Boolean *pPassed,
- void **pNBIOContext,
- void *plContext)
-{
- SECStatus rv = SECFailure;
- CERTOCSPResponse *nssOCSPResponse = NULL;
- CERTCertificate *issuerCert = NULL;
- PKIX_BuildResult *buildResult = NULL;
- void *nbio = NULL;
- void *state = NULL;
-
- ocspSignature *signature = NULL;
- ocspResponseData *tbsData = NULL;
- SECItem *tbsResponseDataDER = NULL;
-
-
- PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_VerifySignature");
- PKIX_NULLCHECK_FOUR(response, cert, pPassed, pNBIOContext);
-
- nbio = *pNBIOContext;
- *pNBIOContext = NULL;
-
- nssOCSPResponse = response->nssOCSPResponse;
- if (nssOCSPResponse == NULL) {
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- goto cleanup;
- }
-
- tbsData =
- ocsp_GetResponseData(nssOCSPResponse, &tbsResponseDataDER);
-
- signature = ocsp_GetResponseSignature(nssOCSPResponse);
-
-
- /* Are we resuming after a WOULDBLOCK response? */
- if (nbio == NULL) {
- /* No, this is a new query */
-
- issuerCert = CERT_FindCertIssuer(cert->nssCert, PR_Now(),
- certUsageAnyCA);
-
- /*
- * If this signature has already gone through verification,
- * just return the cached result.
- */
- if (signature->wasChecked) {
- if (signature->status == SECSuccess) {
- response->signerCert =
- CERT_DupCertificate(signature->cert);
- } else {
- PORT_SetError(signature->failureReason);
- goto cleanup;
- }
- }
-
- response->signerCert =
- ocsp_GetSignerCertificate(response->handle, tbsData,
- signature, issuerCert);
-
- if (response->signerCert == NULL) {
- if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) {
- /* Make the error a little more specific. */
- PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
- }
- goto cleanup;
- }
- PKIX_CHECK(
- PKIX_PL_Cert_CreateFromCERTCertificate(response->signerCert,
- &(response->pkixSignerCert),
- plContext),
- PKIX_CERTCREATEWITHNSSCERTFAILED);
-
- /*
- * We could mark this true at the top of this function, or
- * always below at "finish", but if the problem was just that
- * we could not find the signer's cert, leave that as if the
- * signature hasn't been checked. Maybe a subsequent call will
- * have better luck.
- */
- signature->wasChecked = PR_TRUE;
-
- /*
- * We are about to verify the signer certificate; we need to
- * specify *when* that certificate must be valid -- for our
- * purposes we expect it to be valid when the response was
- * signed. The value of "producedAt" is the signing time.
- */
- rv = DER_GeneralizedTimeToTime(&response->producedAt,
- &tbsData->producedAt);
- if (rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
- goto cleanup;
- }
-
- /*
- * We need producedAtDate and pkixSignerCert if we are calling a
- * user-supplied verification function. Let's put their
- * creation before the code that gets repeated when
- * non-blocking I/O is used.
- */
-
- PKIX_CHECK(
- pkix_pl_Date_CreateFromPRTime((PRTime)response->producedAt,
- &(response->producedAtDate),
- plContext),
- PKIX_DATECREATEFROMPRTIMEFAILED);
-
- }
-
- /*
- * Just because we have a cert does not mean it is any good; check
- * it for validity, trust and usage. Use the caller-supplied
- * verification function, if one was supplied.
- */
- if (ocsp_CertIsOCSPDefaultResponder(response->handle,
- response->signerCert)) {
- rv = SECSuccess;
- } else {
- SECCertUsage certUsage;
- if (CERT_IsCACert(response->signerCert, NULL)) {
- certUsage = certUsageAnyCA;
- } else {
- certUsage = certUsageStatusResponder;
- }
- PKIX_CHECK_ONLY_FATAL(
- pkix_pl_OcspResponse_VerifyResponse(response, procParams,
- certUsage, &state,
- &buildResult, &nbio,
- plContext),
- PKIX_CERTVERIFYKEYUSAGEFAILED);
- if (pkixTempErrorReceived) {
- rv = SECFailure;
- goto cleanup;
- }
- if (nbio != NULL) {
- *pNBIOContext = nbio;
- goto cleanup;
- }
- }
-
- rv = ocsp_VerifyResponseSignature(response->signerCert, signature,
- tbsResponseDataDER, NULL);
-
-cleanup:
- if (rv == SECSuccess) {
- *pPassed = PKIX_TRUE;
- } else {
- *pPassed = PKIX_FALSE;
- }
-
- if (signature) {
- if (signature->wasChecked) {
- signature->status = rv;
- }
-
- if (rv != SECSuccess) {
- signature->failureReason = PORT_GetError();
- if (response->signerCert != NULL) {
- CERT_DestroyCertificate(response->signerCert);
- response->signerCert = NULL;
- }
- } else {
- /* Save signer's certificate in signature. */
- signature->cert = CERT_DupCertificate(response->signerCert);
- }
- }
-
- if (issuerCert)
- CERT_DestroyCertificate(issuerCert);
-
- PKIX_RETURN(OCSPRESPONSE);
-}
-
-/*
- * FUNCTION: pkix_pl_OcspResponse_GetStatusForCert
- * DESCRIPTION:
- *
- * This function checks the revocation status of the Cert for which the
- * OcspResponse was obtained, storing PKIX_TRUE at "pPassed" if the Cert has
- * not been revoked and PKIX_FALSE otherwise.
- *
- * PARAMETERS
- * "response"
- * The address of the OcspResponse whose certificate status is to be
- * retrieved. Must be non-NULL.
- * "pPassed"
- * Address at which the Boolean result is stored. Must be non-NULL.
- * "pReturnCode"
- * Address at which the SECErrorCodes result is stored. Must be non-NULL.
- * "plContext"
- * Platform-specific context pointer.
- * THREAD SAFETY:
- * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- * Returns NULL if the function succeeds.
- * Returns an OcspResponse Error if the function fails in a non-fatal way.
- * Returns a Fatal Error if the function fails in an unrecoverable way.
- */
-PKIX_Error *
-pkix_pl_OcspResponse_GetStatusForCert(
- PKIX_PL_OcspCertID *cid,
- PKIX_PL_OcspResponse *response,
- PKIX_Boolean allowCachingOfFailures,
- PKIX_PL_Date *validity,
- PKIX_Boolean *pPassed,
- SECErrorCodes *pReturnCode,
- void *plContext)
-{
- PRTime time = 0;
- SECStatus rv = SECFailure;
- CERTOCSPSingleResponse *single = NULL;
-
- PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_GetStatusForCert");
- PKIX_NULLCHECK_THREE(response, pPassed, pReturnCode);
-
- /*
- * It is an error to call this function except following a successful
- * return from pkix_pl_OcspResponse_VerifySignature, which would have
- * set response->signerCert.
- */
- PKIX_NULLCHECK_TWO(response->signerCert, response->request);
- PKIX_NULLCHECK_TWO(cid, cid->certID);
-
- if (validity != NULL) {
- PKIX_Error *er = pkix_pl_Date_GetPRTime(validity, &time, plContext);
- PKIX_DECREF(er);
- }
- if (!time) {
- time = PR_Now();
- }
-
- rv = ocsp_GetVerifiedSingleResponseForCertID(response->handle,
- response->nssOCSPResponse,
- cid->certID,
- response->signerCert,
- time, &single);
- if (rv == SECSuccess) {
- /*
- * Check whether the status says revoked, and if so
- * how that compares to the time value passed into this routine.
- */
- rv = ocsp_CertHasGoodStatus(single->certStatus, time);
- }
-
- if (rv == SECSuccess || allowCachingOfFailures) {
- /* allowed to update the cache */
- PRBool certIDWasConsumed = PR_FALSE;
-
- if (single) {
- ocsp_CacheSingleResponse(cid->certID,single,
- &certIDWasConsumed);
- } else {
- cert_RememberOCSPProcessingFailure(cid->certID,
- &certIDWasConsumed);
- }
-
- if (certIDWasConsumed) {
- cid->certID = NULL;
- }
- }
-
- if (rv == SECSuccess) {
- *pPassed = PKIX_TRUE;
- *pReturnCode = 0;
- } else {
- *pPassed = PKIX_FALSE;
- *pReturnCode = PORT_GetError();
- }
-
- PKIX_RETURN(OCSPRESPONSE);
-}
« no previous file with comments | « nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h ('k') | nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_publickey.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698