OLD | NEW |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
4 /* | 4 /* |
5 * pkix_policychecker.c | 5 * pkix_policychecker.c |
6 * | 6 * |
7 * Functions for Policy Checker | 7 * Functions for Policy Checker |
8 * | 8 * |
9 */ | 9 */ |
10 #include "pkix_policychecker.h" | 10 #include "pkix_policychecker.h" |
11 | 11 |
12 /* --Forward declarations----------------------------------------------- */ | 12 /* --Forward declarations----------------------------------------------- */ |
13 | 13 |
14 static PKIX_Error * | 14 static PKIX_Error *pkix_PolicyChecker_MakeSingleton(PKIX_PL_Object *listItem, |
15 pkix_PolicyChecker_MakeSingleton( | 15 PKIX_Boolean immutability, |
16 PKIX_PL_Object *listItem, | 16 PKIX_List **pList, |
17 PKIX_Boolean immutability, | 17 void *plContext); |
18 PKIX_List **pList, | |
19 void *plContext); | |
20 | 18 |
21 /* --Private-PolicyCheckerState-Functions---------------------------------- */ | 19 /* --Private-PolicyCheckerState-Functions---------------------------------- */ |
22 | 20 |
23 /* | 21 /* |
24 * FUNCTION:pkix_PolicyCheckerState_Destroy | 22 * FUNCTION:pkix_PolicyCheckerState_Destroy |
25 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h) | 23 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h) |
26 */ | 24 */ |
27 static PKIX_Error * | 25 static PKIX_Error *pkix_PolicyCheckerState_Destroy(PKIX_PL_Object *object, |
28 pkix_PolicyCheckerState_Destroy( | 26 void *plContext) { |
29 PKIX_PL_Object *object, | 27 PKIX_PolicyCheckerState *checkerState = NULL; |
30 void *plContext) | 28 |
31 { | 29 PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Destroy"); |
32 PKIX_PolicyCheckerState *checkerState = NULL; | 30 PKIX_NULLCHECK_ONE(object); |
33 | 31 |
34 PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Destroy"); | 32 PKIX_CHECK( |
35 PKIX_NULLCHECK_ONE(object); | 33 pkix_CheckType(object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext), |
36 | 34 PKIX_OBJECTNOTPOLICYCHECKERSTATE); |
37 PKIX_CHECK(pkix_CheckType | 35 |
38 (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext), | 36 checkerState = (PKIX_PolicyCheckerState *)object; |
39 PKIX_OBJECTNOTPOLICYCHECKERSTATE); | 37 |
40 | 38 PKIX_DECREF(checkerState->certPoliciesExtension); |
41 checkerState = (PKIX_PolicyCheckerState *)object; | 39 PKIX_DECREF(checkerState->policyMappingsExtension); |
42 | 40 PKIX_DECREF(checkerState->policyConstraintsExtension); |
43 PKIX_DECREF(checkerState->certPoliciesExtension); | 41 PKIX_DECREF(checkerState->inhibitAnyPolicyExtension); |
44 PKIX_DECREF(checkerState->policyMappingsExtension); | 42 PKIX_DECREF(checkerState->anyPolicyOID); |
45 PKIX_DECREF(checkerState->policyConstraintsExtension); | 43 PKIX_DECREF(checkerState->validPolicyTree); |
46 PKIX_DECREF(checkerState->inhibitAnyPolicyExtension); | 44 PKIX_DECREF(checkerState->userInitialPolicySet); |
47 PKIX_DECREF(checkerState->anyPolicyOID); | 45 PKIX_DECREF(checkerState->mappedUserInitialPolicySet); |
48 PKIX_DECREF(checkerState->validPolicyTree); | 46 |
49 PKIX_DECREF(checkerState->userInitialPolicySet); | 47 checkerState->policyQualifiersRejected = PKIX_FALSE; |
50 PKIX_DECREF(checkerState->mappedUserInitialPolicySet); | 48 checkerState->explicitPolicy = 0; |
51 | 49 checkerState->inhibitAnyPolicy = 0; |
52 checkerState->policyQualifiersRejected = PKIX_FALSE; | 50 checkerState->policyMapping = 0; |
53 checkerState->explicitPolicy = 0; | 51 checkerState->numCerts = 0; |
54 checkerState->inhibitAnyPolicy = 0; | 52 checkerState->certsProcessed = 0; |
55 checkerState->policyMapping = 0; | 53 checkerState->certPoliciesCritical = PKIX_FALSE; |
56 checkerState->numCerts = 0; | 54 |
57 checkerState->certsProcessed = 0; | 55 PKIX_DECREF(checkerState->anyPolicyNodeAtBottom); |
58 checkerState->certPoliciesCritical = PKIX_FALSE; | 56 PKIX_DECREF(checkerState->newAnyPolicyNode); |
59 | 57 PKIX_DECREF(checkerState->mappedPolicyOIDs); |
60 PKIX_DECREF(checkerState->anyPolicyNodeAtBottom); | |
61 PKIX_DECREF(checkerState->newAnyPolicyNode); | |
62 PKIX_DECREF(checkerState->mappedPolicyOIDs); | |
63 | 58 |
64 cleanup: | 59 cleanup: |
65 | 60 |
66 PKIX_RETURN(CERTPOLICYCHECKERSTATE); | 61 PKIX_RETURN(CERTPOLICYCHECKERSTATE); |
67 } | 62 } |
68 | 63 |
69 /* | 64 /* |
70 * FUNCTION: pkix_PolicyCheckerState_ToString | 65 * FUNCTION: pkix_PolicyCheckerState_ToString |
71 * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h) | 66 * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h) |
72 */ | 67 */ |
73 static PKIX_Error * | 68 static PKIX_Error *pkix_PolicyCheckerState_ToString( |
74 pkix_PolicyCheckerState_ToString( | 69 PKIX_PL_Object *object, PKIX_PL_String **pCheckerStateString, |
75 PKIX_PL_Object *object, | 70 void *plContext) { |
76 PKIX_PL_String **pCheckerStateString, | 71 PKIX_PolicyCheckerState *state = NULL; |
77 void *plContext) | 72 PKIX_PL_String *resultString = NULL; |
78 { | 73 PKIX_PL_String *policiesExtOIDString = NULL; |
79 PKIX_PolicyCheckerState *state = NULL; | 74 PKIX_PL_String *policyMapOIDString = NULL; |
80 PKIX_PL_String *resultString = NULL; | 75 PKIX_PL_String *policyConstrOIDString = NULL; |
81 PKIX_PL_String *policiesExtOIDString = NULL; | 76 PKIX_PL_String *inhAnyPolOIDString = NULL; |
82 PKIX_PL_String *policyMapOIDString = NULL; | 77 PKIX_PL_String *anyPolicyOIDString = NULL; |
83 PKIX_PL_String *policyConstrOIDString = NULL; | 78 PKIX_PL_String *validPolicyTreeString = NULL; |
84 PKIX_PL_String *inhAnyPolOIDString = NULL; | 79 PKIX_PL_String *userInitialPolicySetString = NULL; |
85 PKIX_PL_String *anyPolicyOIDString = NULL; | 80 PKIX_PL_String *mappedUserPolicySetString = NULL; |
86 PKIX_PL_String *validPolicyTreeString = NULL; | 81 PKIX_PL_String *mappedPolicyOIDsString = NULL; |
87 PKIX_PL_String *userInitialPolicySetString = NULL; | 82 PKIX_PL_String *anyAtBottomString = NULL; |
88 PKIX_PL_String *mappedUserPolicySetString = NULL; | 83 PKIX_PL_String *newAnyPolicyString = NULL; |
89 PKIX_PL_String *mappedPolicyOIDsString = NULL; | 84 PKIX_PL_String *formatString = NULL; |
90 PKIX_PL_String *anyAtBottomString = NULL; | 85 PKIX_PL_String *trueString = NULL; |
91 PKIX_PL_String *newAnyPolicyString = NULL; | 86 PKIX_PL_String *falseString = NULL; |
92 PKIX_PL_String *formatString = NULL; | 87 PKIX_PL_String *nullString = NULL; |
93 PKIX_PL_String *trueString = NULL; | 88 PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE; |
94 PKIX_PL_String *falseString = NULL; | 89 PKIX_Boolean initialExplicitPolicy = PKIX_FALSE; |
95 PKIX_PL_String *nullString = NULL; | 90 PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE; |
96 PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE; | 91 PKIX_Boolean initialIsAnyPolicy = PKIX_FALSE; |
97 PKIX_Boolean initialExplicitPolicy = PKIX_FALSE; | 92 PKIX_Boolean policyQualifiersRejected = PKIX_FALSE; |
98 PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE; | 93 PKIX_Boolean certPoliciesCritical = PKIX_FALSE; |
99 PKIX_Boolean initialIsAnyPolicy = PKIX_FALSE; | 94 char *asciiFormat = |
100 PKIX_Boolean policyQualifiersRejected = PKIX_FALSE; | 95 "{\n" |
101 PKIX_Boolean certPoliciesCritical = PKIX_FALSE; | 96 "\tcertPoliciesExtension: \t%s\n" |
102 char *asciiFormat = | 97 "\tpolicyMappingsExtension: \t%s\n" |
103 "{\n" | 98 "\tpolicyConstraintsExtension:\t%s\n" |
104 "\tcertPoliciesExtension: \t%s\n" | 99 "\tinhibitAnyPolicyExtension:\t%s\n" |
105 "\tpolicyMappingsExtension: \t%s\n" | 100 "\tanyPolicyOID: \t%s\n" |
106 "\tpolicyConstraintsExtension:\t%s\n" | 101 "\tinitialIsAnyPolicy: \t%s\n" |
107 "\tinhibitAnyPolicyExtension:\t%s\n" | 102 "\tvalidPolicyTree: \t%s\n" |
108 "\tanyPolicyOID: \t%s\n" | 103 "\tuserInitialPolicySet: \t%s\n" |
109 "\tinitialIsAnyPolicy: \t%s\n" | 104 "\tmappedUserPolicySet: \t%s\n" |
110 "\tvalidPolicyTree: \t%s\n" | 105 "\tpolicyQualifiersRejected: \t%s\n" |
111 "\tuserInitialPolicySet: \t%s\n" | 106 "\tinitialPolMappingInhibit: \t%s\n" |
112 "\tmappedUserPolicySet: \t%s\n" | 107 "\tinitialExplicitPolicy: \t%s\n" |
113 "\tpolicyQualifiersRejected: \t%s\n" | 108 "\tinitialAnyPolicyInhibit: \t%s\n" |
114 "\tinitialPolMappingInhibit: \t%s\n" | 109 "\texplicitPolicy: \t%d\n" |
115 "\tinitialExplicitPolicy: \t%s\n" | 110 "\tinhibitAnyPolicy: \t%d\n" |
116 "\tinitialAnyPolicyInhibit: \t%s\n" | 111 "\tpolicyMapping: \t%d\n" |
117 "\texplicitPolicy: \t%d\n" | 112 "\tnumCerts: \t%d\n" |
118 "\tinhibitAnyPolicy: \t%d\n" | 113 "\tcertsProcessed: \t%d\n" |
119 "\tpolicyMapping: \t%d\n" | 114 "\tanyPolicyNodeAtBottom: \t%s\n" |
120 "\tnumCerts: \t%d\n" | 115 "\tnewAnyPolicyNode: \t%s\n" |
121 "\tcertsProcessed: \t%d\n" | 116 "\tcertPoliciesCritical: \t%s\n" |
122 "\tanyPolicyNodeAtBottom: \t%s\n" | 117 "\tmappedPolicyOIDs: \t%s\n" |
123 "\tnewAnyPolicyNode: \t%s\n" | 118 "}"; |
124 "\tcertPoliciesCritical: \t%s\n" | 119 |
125 "\tmappedPolicyOIDs: \t%s\n" | 120 PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_ToString"); |
126 "}"; | 121 |
127 | 122 PKIX_NULLCHECK_TWO(object, pCheckerStateString); |
128 PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_ToString"); | 123 |
129 | 124 PKIX_CHECK( |
130 PKIX_NULLCHECK_TWO(object, pCheckerStateString); | 125 pkix_CheckType(object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext), |
131 | 126 PKIX_OBJECTNOTPOLICYCHECKERSTATE); |
132 PKIX_CHECK(pkix_CheckType | 127 |
133 (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext), | 128 state = (PKIX_PolicyCheckerState *)object; |
134 PKIX_OBJECTNOTPOLICYCHECKERSTATE); | 129 PKIX_NULLCHECK_THREE(state->certPoliciesExtension, |
135 | 130 state->policyMappingsExtension, |
136 state = (PKIX_PolicyCheckerState *)object; | 131 state->policyConstraintsExtension); |
137 PKIX_NULLCHECK_THREE | 132 PKIX_NULLCHECK_THREE(state->inhibitAnyPolicyExtension, state->anyPolicyOID, |
138 (state->certPoliciesExtension, | 133 state->userInitialPolicySet); |
139 state->policyMappingsExtension, | 134 |
140 state->policyConstraintsExtension); | 135 PKIX_CHECK(PKIX_PL_String_Create(PKIX_ESCASCII, asciiFormat, 0, &formatString, |
141 PKIX_NULLCHECK_THREE | 136 plContext), |
142 (state->inhibitAnyPolicyExtension, | 137 PKIX_STRINGCREATEFAILED); |
143 state->anyPolicyOID, | 138 /* |
144 state->userInitialPolicySet); | 139 * Create TRUE, FALSE, and "NULL" PKIX_PL_Strings. But creating a |
145 | 140 * PKIX_PL_String is complicated enough, it's worth checking, for |
146 PKIX_CHECK(PKIX_PL_String_Create | 141 * each, to make sure the string is needed. |
147 (PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext), | 142 */ |
148 PKIX_STRINGCREATEFAILED); | 143 initialPolicyMappingInhibit = state->initialPolicyMappingInhibit; |
149 /* | 144 initialExplicitPolicy = state->initialExplicitPolicy; |
150 * Create TRUE, FALSE, and "NULL" PKIX_PL_Strings. But creating a | 145 initialAnyPolicyInhibit = state->initialAnyPolicyInhibit; |
151 * PKIX_PL_String is complicated enough, it's worth checking, for | 146 initialIsAnyPolicy = state->initialIsAnyPolicy; |
152 * each, to make sure the string is needed. | 147 policyQualifiersRejected = state->policyQualifiersRejected; |
153 */ | 148 certPoliciesCritical = state->certPoliciesCritical; |
154 initialPolicyMappingInhibit = state->initialPolicyMappingInhibit; | 149 |
155 initialExplicitPolicy = state->initialExplicitPolicy; | 150 if (initialPolicyMappingInhibit || initialExplicitPolicy || |
156 initialAnyPolicyInhibit = state->initialAnyPolicyInhibit; | 151 initialAnyPolicyInhibit || initialIsAnyPolicy || |
157 initialIsAnyPolicy = state->initialIsAnyPolicy; | 152 policyQualifiersRejected || certPoliciesCritical) { |
158 policyQualifiersRejected = state->policyQualifiersRejected; | 153 PKIX_CHECK( |
159 certPoliciesCritical = state->certPoliciesCritical; | 154 PKIX_PL_String_Create(PKIX_ESCASCII, "TRUE", 0, &trueString, plContext), |
160 | 155 PKIX_STRINGCREATEFAILED); |
161 if (initialPolicyMappingInhibit || initialExplicitPolicy || | 156 } |
162 initialAnyPolicyInhibit || initialIsAnyPolicy || | 157 if (!initialPolicyMappingInhibit || !initialExplicitPolicy || |
163 policyQualifiersRejected || certPoliciesCritical) { | 158 !initialAnyPolicyInhibit || !initialIsAnyPolicy || |
164 PKIX_CHECK(PKIX_PL_String_Create | 159 !policyQualifiersRejected || !certPoliciesCritical) { |
165 (PKIX_ESCASCII, "TRUE", 0, &trueString, plContext), | 160 PKIX_CHECK(PKIX_PL_String_Create(PKIX_ESCASCII, "FALSE", 0, &falseString, |
166 PKIX_STRINGCREATEFAILED); | 161 plContext), |
167 } | 162 PKIX_STRINGCREATEFAILED); |
168 if (!initialPolicyMappingInhibit || !initialExplicitPolicy || | 163 } |
169 !initialAnyPolicyInhibit || !initialIsAnyPolicy || | 164 if (!(state->anyPolicyNodeAtBottom) || !(state->newAnyPolicyNode)) { |
170 !policyQualifiersRejected || !certPoliciesCritical) { | 165 PKIX_CHECK(PKIX_PL_String_Create(PKIX_ESCASCII, "(null)", 0, &nullString, |
171 PKIX_CHECK(PKIX_PL_String_Create | 166 plContext), |
172 (PKIX_ESCASCII, "FALSE", 0, &falseString, plContext), | 167 PKIX_STRINGCREATEFAILED); |
173 PKIX_STRINGCREATEFAILED); | 168 } |
174 } | 169 |
175 if (!(state->anyPolicyNodeAtBottom) || !(state->newAnyPolicyNode)) { | 170 PKIX_TOSTRING(state->certPoliciesExtension, &policiesExtOIDString, plContext, |
176 PKIX_CHECK(PKIX_PL_String_Create | 171 PKIX_OBJECTTOSTRINGFAILED); |
177 (PKIX_ESCASCII, "(null)", 0, &nullString, plContext), | 172 |
178 PKIX_STRINGCREATEFAILED); | 173 PKIX_TOSTRING(state->policyMappingsExtension, &policyMapOIDString, plContext, |
179 } | 174 PKIX_OBJECTTOSTRINGFAILED); |
180 | 175 |
181 PKIX_TOSTRING | 176 PKIX_TOSTRING(state->policyConstraintsExtension, &policyConstrOIDString, |
182 (state->certPoliciesExtension, &policiesExtOIDString, plContext, | 177 plContext, PKIX_OBJECTTOSTRINGFAILED); |
183 PKIX_OBJECTTOSTRINGFAILED); | 178 |
184 | 179 PKIX_TOSTRING(state->inhibitAnyPolicyExtension, &inhAnyPolOIDString, |
185 PKIX_TOSTRING | 180 plContext, PKIX_OBJECTTOSTRINGFAILED); |
186 (state->policyMappingsExtension, | 181 |
187 &policyMapOIDString, | 182 PKIX_TOSTRING(state->anyPolicyOID, &anyPolicyOIDString, plContext, |
188 plContext, | 183 PKIX_OBJECTTOSTRINGFAILED); |
189 PKIX_OBJECTTOSTRINGFAILED); | 184 |
190 | 185 PKIX_TOSTRING(state->validPolicyTree, &validPolicyTreeString, plContext, |
191 PKIX_TOSTRING | 186 PKIX_OBJECTTOSTRINGFAILED); |
192 (state->policyConstraintsExtension, | 187 |
193 &policyConstrOIDString, | 188 PKIX_TOSTRING(state->userInitialPolicySet, &userInitialPolicySetString, |
194 plContext, | 189 plContext, PKIX_OBJECTTOSTRINGFAILED); |
195 PKIX_OBJECTTOSTRINGFAILED); | 190 |
196 | 191 PKIX_TOSTRING(state->mappedUserInitialPolicySet, &mappedUserPolicySetString, |
197 PKIX_TOSTRING | 192 plContext, PKIX_OBJECTTOSTRINGFAILED); |
198 (state->inhibitAnyPolicyExtension, | 193 |
199 &inhAnyPolOIDString, | 194 if (state->anyPolicyNodeAtBottom) { |
200 plContext, | 195 PKIX_CHECK(pkix_SinglePolicyNode_ToString(state->anyPolicyNodeAtBottom, |
201 PKIX_OBJECTTOSTRINGFAILED); | 196 &anyAtBottomString, plContext), |
202 | 197 PKIX_SINGLEPOLICYNODETOSTRINGFAILED); |
203 PKIX_TOSTRING(state->anyPolicyOID, &anyPolicyOIDString, plContext, | 198 } else { |
204 PKIX_OBJECTTOSTRINGFAILED); | 199 PKIX_INCREF(nullString); |
205 | 200 anyAtBottomString = nullString; |
206 PKIX_TOSTRING(state->validPolicyTree, &validPolicyTreeString, plContext, | 201 } |
207 PKIX_OBJECTTOSTRINGFAILED); | 202 |
208 | 203 if (state->newAnyPolicyNode) { |
209 PKIX_TOSTRING | 204 PKIX_CHECK(pkix_SinglePolicyNode_ToString(state->newAnyPolicyNode, |
210 (state->userInitialPolicySet, | 205 &newAnyPolicyString, plContext), |
211 &userInitialPolicySetString, | 206 PKIX_SINGLEPOLICYNODETOSTRINGFAILED); |
212 plContext, | 207 } else { |
213 PKIX_OBJECTTOSTRINGFAILED); | 208 PKIX_INCREF(nullString); |
214 | 209 newAnyPolicyString = nullString; |
215 PKIX_TOSTRING | 210 } |
216 (state->mappedUserInitialPolicySet, | 211 |
217 &mappedUserPolicySetString, | 212 PKIX_TOSTRING(state->mappedPolicyOIDs, &mappedPolicyOIDsString, plContext, |
218 plContext, | 213 PKIX_OBJECTTOSTRINGFAILED); |
219 PKIX_OBJECTTOSTRINGFAILED); | 214 |
220 | 215 PKIX_CHECK( |
221 if (state->anyPolicyNodeAtBottom) { | 216 PKIX_PL_Sprintf( |
222 PKIX_CHECK(pkix_SinglePolicyNode_ToString | 217 &resultString, plContext, formatString, policiesExtOIDString, |
223 (state->anyPolicyNodeAtBottom, | 218 policyMapOIDString, policyConstrOIDString, inhAnyPolOIDString, |
224 &anyAtBottomString, | 219 anyPolicyOIDString, initialIsAnyPolicy ? trueString : falseString, |
225 plContext), | 220 validPolicyTreeString, userInitialPolicySetString, |
226 PKIX_SINGLEPOLICYNODETOSTRINGFAILED); | 221 mappedUserPolicySetString, |
227 } else { | 222 policyQualifiersRejected ? trueString : falseString, |
228 PKIX_INCREF(nullString); | 223 initialPolicyMappingInhibit ? trueString : falseString, |
229 anyAtBottomString = nullString; | 224 initialExplicitPolicy ? trueString : falseString, |
230 } | 225 initialAnyPolicyInhibit ? trueString : falseString, |
231 | 226 state->explicitPolicy, state->inhibitAnyPolicy, state->policyMapping, |
232 if (state->newAnyPolicyNode) { | 227 state->numCerts, state->certsProcessed, anyAtBottomString, |
233 PKIX_CHECK(pkix_SinglePolicyNode_ToString | 228 newAnyPolicyString, certPoliciesCritical ? trueString : falseString, |
234 (state->newAnyPolicyNode, | 229 mappedPolicyOIDsString), |
235 &newAnyPolicyString, | 230 PKIX_SPRINTFFAILED); |
236 plContext), | 231 |
237 PKIX_SINGLEPOLICYNODETOSTRINGFAILED); | 232 *pCheckerStateString = resultString; |
238 } else { | |
239 PKIX_INCREF(nullString); | |
240 newAnyPolicyString = nullString; | |
241 } | |
242 | |
243 PKIX_TOSTRING | |
244 (state->mappedPolicyOIDs, | |
245 &mappedPolicyOIDsString, | |
246 plContext, | |
247 PKIX_OBJECTTOSTRINGFAILED); | |
248 | |
249 PKIX_CHECK(PKIX_PL_Sprintf | |
250 (&resultString, | |
251 plContext, | |
252 formatString, | |
253 policiesExtOIDString, | |
254 policyMapOIDString, | |
255 policyConstrOIDString, | |
256 inhAnyPolOIDString, | |
257 anyPolicyOIDString, | |
258 initialIsAnyPolicy?trueString:falseString, | |
259 validPolicyTreeString, | |
260 userInitialPolicySetString, | |
261 mappedUserPolicySetString, | |
262 policyQualifiersRejected?trueString:falseString, | |
263 initialPolicyMappingInhibit?trueString:falseString, | |
264 initialExplicitPolicy?trueString:falseString, | |
265 initialAnyPolicyInhibit?trueString:falseString, | |
266 state->explicitPolicy, | |
267 state->inhibitAnyPolicy, | |
268 state->policyMapping, | |
269 state->numCerts, | |
270 state->certsProcessed, | |
271 anyAtBottomString, | |
272 newAnyPolicyString, | |
273 certPoliciesCritical?trueString:falseString, | |
274 mappedPolicyOIDsString), | |
275 PKIX_SPRINTFFAILED); | |
276 | |
277 *pCheckerStateString = resultString; | |
278 | 233 |
279 cleanup: | 234 cleanup: |
280 PKIX_DECREF(policiesExtOIDString); | 235 PKIX_DECREF(policiesExtOIDString); |
281 PKIX_DECREF(policyMapOIDString); | 236 PKIX_DECREF(policyMapOIDString); |
282 PKIX_DECREF(policyConstrOIDString); | 237 PKIX_DECREF(policyConstrOIDString); |
283 PKIX_DECREF(inhAnyPolOIDString); | 238 PKIX_DECREF(inhAnyPolOIDString); |
284 PKIX_DECREF(anyPolicyOIDString); | 239 PKIX_DECREF(anyPolicyOIDString); |
285 PKIX_DECREF(validPolicyTreeString); | 240 PKIX_DECREF(validPolicyTreeString); |
286 PKIX_DECREF(userInitialPolicySetString); | 241 PKIX_DECREF(userInitialPolicySetString); |
287 PKIX_DECREF(mappedUserPolicySetString); | 242 PKIX_DECREF(mappedUserPolicySetString); |
288 PKIX_DECREF(anyAtBottomString); | 243 PKIX_DECREF(anyAtBottomString); |
289 PKIX_DECREF(newAnyPolicyString); | 244 PKIX_DECREF(newAnyPolicyString); |
290 PKIX_DECREF(mappedPolicyOIDsString); | 245 PKIX_DECREF(mappedPolicyOIDsString); |
291 PKIX_DECREF(formatString); | 246 PKIX_DECREF(formatString); |
292 PKIX_DECREF(trueString); | 247 PKIX_DECREF(trueString); |
293 PKIX_DECREF(falseString); | 248 PKIX_DECREF(falseString); |
294 PKIX_DECREF(nullString); | 249 PKIX_DECREF(nullString); |
295 | 250 |
296 PKIX_RETURN(CERTPOLICYCHECKERSTATE); | 251 PKIX_RETURN(CERTPOLICYCHECKERSTATE); |
297 } | 252 } |
298 | 253 |
299 /* | 254 /* |
300 * FUNCTION: pkix_PolicyCheckerState_RegisterSelf | 255 * FUNCTION: pkix_PolicyCheckerState_RegisterSelf |
301 * DESCRIPTION: | 256 * DESCRIPTION: |
302 * | 257 * |
303 * Registers PKIX_POLICYCHECKERSTATE_TYPE and its related functions | 258 * Registers PKIX_POLICYCHECKERSTATE_TYPE and its related functions |
304 * with systemClasses[] | 259 * with systemClasses[] |
305 * | 260 * |
306 * PARAMETERS: | 261 * PARAMETERS: |
307 * "plContext" | 262 * "plContext" |
308 * Platform-specific context pointer. | 263 * Platform-specific context pointer. |
309 * THREAD SAFETY: | 264 * THREAD SAFETY: |
310 * Not Thread Safe - for performance and complexity reasons | 265 * Not Thread Safe - for performance and complexity reasons |
311 * | 266 * |
312 * Since this function is only called by PKIX_PL_Initialize, which should | 267 * Since this function is only called by PKIX_PL_Initialize, which should |
313 * only be called once, it is acceptable that this function is not | 268 * only be called once, it is acceptable that this function is not |
314 * thread-safe. | 269 * thread-safe. |
315 */ | 270 */ |
316 PKIX_Error * | 271 PKIX_Error *pkix_PolicyCheckerState_RegisterSelf(void *plContext) { |
317 pkix_PolicyCheckerState_RegisterSelf(void *plContext) | 272 extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; |
318 { | 273 pkix_ClassTable_Entry entry; |
319 extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; | |
320 pkix_ClassTable_Entry entry; | |
321 | 274 |
322 PKIX_ENTER | 275 PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_RegisterSelf"); |
323 (CERTPOLICYCHECKERSTATE, | |
324 "pkix_PolicyCheckerState_RegisterSelf"); | |
325 | 276 |
326 entry.description = "PolicyCheckerState"; | 277 entry.description = "PolicyCheckerState"; |
327 entry.objCounter = 0; | 278 entry.objCounter = 0; |
328 entry.typeObjectSize = sizeof(PKIX_PolicyCheckerState); | 279 entry.typeObjectSize = sizeof(PKIX_PolicyCheckerState); |
329 entry.destructor = pkix_PolicyCheckerState_Destroy; | 280 entry.destructor = pkix_PolicyCheckerState_Destroy; |
330 entry.equalsFunction = NULL; | 281 entry.equalsFunction = NULL; |
331 entry.hashcodeFunction = NULL; | 282 entry.hashcodeFunction = NULL; |
332 entry.toStringFunction = pkix_PolicyCheckerState_ToString; | 283 entry.toStringFunction = pkix_PolicyCheckerState_ToString; |
333 entry.comparator = NULL; | 284 entry.comparator = NULL; |
334 entry.duplicateFunction = NULL; | 285 entry.duplicateFunction = NULL; |
335 | 286 |
336 systemClasses[PKIX_CERTPOLICYCHECKERSTATE_TYPE] = entry; | 287 systemClasses[PKIX_CERTPOLICYCHECKERSTATE_TYPE] = entry; |
337 | 288 |
338 PKIX_RETURN(CERTPOLICYCHECKERSTATE); | 289 PKIX_RETURN(CERTPOLICYCHECKERSTATE); |
339 } | 290 } |
340 | 291 |
341 /* | 292 /* |
342 * FUNCTION:pkix_PolicyCheckerState_Create | 293 * FUNCTION:pkix_PolicyCheckerState_Create |
343 * DESCRIPTION: | 294 * DESCRIPTION: |
344 * | 295 * |
345 * Creates a PolicyCheckerState Object, using the List pointed to | 296 * Creates a PolicyCheckerState Object, using the List pointed to |
346 * by "initialPolicies" for the user-initial-policy-set, the Boolean value | 297 * by "initialPolicies" for the user-initial-policy-set, the Boolean value |
347 * of "policyQualifiersRejected" for the policyQualifiersRejected parameter, | 298 * of "policyQualifiersRejected" for the policyQualifiersRejected parameter, |
348 * the Boolean value of "initialPolicyMappingInhibit" for the | 299 * the Boolean value of "initialPolicyMappingInhibit" for the |
(...skipping 22 matching lines...) Expand all Loading... |
371 * "plContext" | 322 * "plContext" |
372 * Platform-specific context pointer. | 323 * Platform-specific context pointer. |
373 * THREAD SAFETY: | 324 * THREAD SAFETY: |
374 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 325 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
375 * RETURNS: | 326 * RETURNS: |
376 * Returns NULL if the function succeeds | 327 * Returns NULL if the function succeeds |
377 * Returns a CertPolicyCheckerState Error if the functions fails in a | 328 * Returns a CertPolicyCheckerState Error if the functions fails in a |
378 * non-fatal way | 329 * non-fatal way |
379 * Returns a Fatal Error if the function fails in an unrecoverable way | 330 * Returns a Fatal Error if the function fails in an unrecoverable way |
380 */ | 331 */ |
381 static PKIX_Error * | 332 static PKIX_Error *pkix_PolicyCheckerState_Create( |
382 pkix_PolicyCheckerState_Create( | 333 PKIX_List *initialPolicies, PKIX_Boolean policyQualifiersRejected, |
383 PKIX_List *initialPolicies, | 334 PKIX_Boolean initialPolicyMappingInhibit, |
384 PKIX_Boolean policyQualifiersRejected, | 335 PKIX_Boolean initialExplicitPolicy, PKIX_Boolean initialAnyPolicyInhibit, |
385 PKIX_Boolean initialPolicyMappingInhibit, | 336 PKIX_UInt32 numCerts, PKIX_PolicyCheckerState **pCheckerState, |
386 PKIX_Boolean initialExplicitPolicy, | 337 void *plContext) { |
387 PKIX_Boolean initialAnyPolicyInhibit, | 338 PKIX_PolicyCheckerState *checkerState = NULL; |
388 PKIX_UInt32 numCerts, | 339 PKIX_PolicyNode *policyNode = NULL; |
389 PKIX_PolicyCheckerState **pCheckerState, | 340 PKIX_List *anyPolicyList = NULL; |
390 void *plContext) | 341 PKIX_Boolean initialPoliciesIsEmpty = PKIX_FALSE; |
391 { | |
392 PKIX_PolicyCheckerState *checkerState = NULL; | |
393 PKIX_PolicyNode *policyNode = NULL; | |
394 PKIX_List *anyPolicyList = NULL; | |
395 PKIX_Boolean initialPoliciesIsEmpty = PKIX_FALSE; | |
396 | 342 |
397 PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Create"); | 343 PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Create"); |
398 PKIX_NULLCHECK_TWO(initialPolicies, pCheckerState); | 344 PKIX_NULLCHECK_TWO(initialPolicies, pCheckerState); |
399 | 345 |
400 PKIX_CHECK(PKIX_PL_Object_Alloc | 346 PKIX_CHECK(PKIX_PL_Object_Alloc(PKIX_CERTPOLICYCHECKERSTATE_TYPE, |
401 (PKIX_CERTPOLICYCHECKERSTATE_TYPE, | 347 sizeof(PKIX_PolicyCheckerState), |
402 sizeof (PKIX_PolicyCheckerState), | 348 (PKIX_PL_Object **)&checkerState, plContext), |
403 (PKIX_PL_Object **)&checkerState, | 349 PKIX_COULDNOTCREATEPOLICYCHECKERSTATEOBJECT); |
404 plContext), | |
405 PKIX_COULDNOTCREATEPOLICYCHECKERSTATEOBJECT); | |
406 | 350 |
407 /* Create constant PKIX_PL_OIDs: */ | 351 /* Create constant PKIX_PL_OIDs: */ |
408 | 352 |
409 PKIX_CHECK(PKIX_PL_OID_Create | 353 PKIX_CHECK( |
410 (PKIX_CERTIFICATEPOLICIES_OID, | 354 PKIX_PL_OID_Create(PKIX_CERTIFICATEPOLICIES_OID, |
411 &(checkerState->certPoliciesExtension), | 355 &(checkerState->certPoliciesExtension), plContext), |
412 plContext), | 356 PKIX_OIDCREATEFAILED); |
413 PKIX_OIDCREATEFAILED); | |
414 | 357 |
415 PKIX_CHECK(PKIX_PL_OID_Create | 358 PKIX_CHECK( |
416 (PKIX_POLICYMAPPINGS_OID, | 359 PKIX_PL_OID_Create(PKIX_POLICYMAPPINGS_OID, |
417 &(checkerState->policyMappingsExtension), | 360 &(checkerState->policyMappingsExtension), plContext), |
418 plContext), | 361 PKIX_OIDCREATEFAILED); |
419 PKIX_OIDCREATEFAILED); | |
420 | 362 |
421 PKIX_CHECK(PKIX_PL_OID_Create | 363 PKIX_CHECK(PKIX_PL_OID_Create(PKIX_POLICYCONSTRAINTS_OID, |
422 (PKIX_POLICYCONSTRAINTS_OID, | 364 &(checkerState->policyConstraintsExtension), |
423 &(checkerState->policyConstraintsExtension), | 365 plContext), |
424 plContext), | 366 PKIX_OIDCREATEFAILED); |
425 PKIX_OIDCREATEFAILED); | |
426 | 367 |
427 PKIX_CHECK(PKIX_PL_OID_Create | 368 PKIX_CHECK( |
428 (PKIX_INHIBITANYPOLICY_OID, | 369 PKIX_PL_OID_Create(PKIX_INHIBITANYPOLICY_OID, |
429 &(checkerState->inhibitAnyPolicyExtension), | 370 &(checkerState->inhibitAnyPolicyExtension), plContext), |
430 plContext), | 371 PKIX_OIDCREATEFAILED); |
431 PKIX_OIDCREATEFAILED); | |
432 | 372 |
433 PKIX_CHECK(PKIX_PL_OID_Create | 373 PKIX_CHECK(PKIX_PL_OID_Create(PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID, |
434 (PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID, | 374 &(checkerState->anyPolicyOID), plContext), |
435 &(checkerState->anyPolicyOID), | 375 PKIX_OIDCREATEFAILED); |
436 plContext), | |
437 PKIX_OIDCREATEFAILED); | |
438 | 376 |
439 /* Create an initial policy set from argument supplied */ | 377 /* Create an initial policy set from argument supplied */ |
440 PKIX_INCREF(initialPolicies); | 378 PKIX_INCREF(initialPolicies); |
441 checkerState->userInitialPolicySet = initialPolicies; | 379 checkerState->userInitialPolicySet = initialPolicies; |
442 PKIX_INCREF(initialPolicies); | 380 PKIX_INCREF(initialPolicies); |
443 checkerState->mappedUserInitialPolicySet = initialPolicies; | 381 checkerState->mappedUserInitialPolicySet = initialPolicies; |
444 | 382 |
445 PKIX_CHECK(PKIX_List_IsEmpty | 383 PKIX_CHECK( |
446 (initialPolicies, | 384 PKIX_List_IsEmpty(initialPolicies, &initialPoliciesIsEmpty, plContext), |
447 &initialPoliciesIsEmpty, | 385 PKIX_LISTISEMPTYFAILED); |
448 plContext), | 386 if (initialPoliciesIsEmpty) { |
449 PKIX_LISTISEMPTYFAILED); | 387 checkerState->initialIsAnyPolicy = PKIX_TRUE; |
450 if (initialPoliciesIsEmpty) { | 388 } else { |
451 checkerState->initialIsAnyPolicy = PKIX_TRUE; | 389 PKIX_CHECK( |
452 } else { | 390 pkix_List_Contains(initialPolicies, |
453 PKIX_CHECK(pkix_List_Contains | 391 (PKIX_PL_Object *)(checkerState->anyPolicyOID), |
454 (initialPolicies, | 392 &(checkerState->initialIsAnyPolicy), plContext), |
455 (PKIX_PL_Object *)(checkerState->anyPolicyOID), | 393 PKIX_LISTCONTAINSFAILED); |
456 &(checkerState->initialIsAnyPolicy), | 394 } |
457 plContext), | |
458 PKIX_LISTCONTAINSFAILED); | |
459 } | |
460 | 395 |
461 checkerState->policyQualifiersRejected = | 396 checkerState->policyQualifiersRejected = policyQualifiersRejected; |
462 policyQualifiersRejected; | 397 checkerState->initialExplicitPolicy = initialExplicitPolicy; |
463 checkerState->initialExplicitPolicy = initialExplicitPolicy; | 398 checkerState->explicitPolicy = (initialExplicitPolicy ? 0 : numCerts + 1); |
464 checkerState->explicitPolicy = | 399 checkerState->initialAnyPolicyInhibit = initialAnyPolicyInhibit; |
465 (initialExplicitPolicy? 0: numCerts + 1); | 400 checkerState->inhibitAnyPolicy = (initialAnyPolicyInhibit ? 0 : numCerts + 1); |
466 checkerState->initialAnyPolicyInhibit = initialAnyPolicyInhibit; | 401 checkerState->initialPolicyMappingInhibit = initialPolicyMappingInhibit; |
467 checkerState->inhibitAnyPolicy = | 402 checkerState->policyMapping = |
468 (initialAnyPolicyInhibit? 0: numCerts + 1); | 403 (initialPolicyMappingInhibit ? 0 : numCerts + 1); |
469 checkerState->initialPolicyMappingInhibit = initialPolicyMappingInhibit; | 404 ; |
470 checkerState->policyMapping = | 405 checkerState->numCerts = numCerts; |
471 (initialPolicyMappingInhibit? 0: numCerts + 1); | 406 checkerState->certsProcessed = 0; |
472 ; | 407 checkerState->certPoliciesCritical = PKIX_FALSE; |
473 checkerState->numCerts = numCerts; | |
474 checkerState->certsProcessed = 0; | |
475 checkerState->certPoliciesCritical = PKIX_FALSE; | |
476 | 408 |
477 /* Create a valid_policy_tree as in RFC3280 6.1.2(a) */ | 409 /* Create a valid_policy_tree as in RFC3280 6.1.2(a) */ |
478 PKIX_CHECK(pkix_PolicyChecker_MakeSingleton | 410 PKIX_CHECK(pkix_PolicyChecker_MakeSingleton( |
479 ((PKIX_PL_Object *)(checkerState->anyPolicyOID), | 411 (PKIX_PL_Object *)(checkerState->anyPolicyOID), PKIX_TRUE, |
480 PKIX_TRUE, | 412 &anyPolicyList, plContext), |
481 &anyPolicyList, | 413 PKIX_POLICYCHECKERMAKESINGLETONFAILED); |
482 plContext), | |
483 PKIX_POLICYCHECKERMAKESINGLETONFAILED); | |
484 | 414 |
485 PKIX_CHECK(pkix_PolicyNode_Create | 415 PKIX_CHECK( |
486 (checkerState->anyPolicyOID, /* validPolicy */ | 416 pkix_PolicyNode_Create(checkerState->anyPolicyOID, /* validPolicy */ |
487 NULL, /* qualifier set */ | 417 NULL, /* qualifier set */ |
488 PKIX_FALSE, /* criticality */ | 418 PKIX_FALSE, /* criticality */ |
489 anyPolicyList, /* expectedPolicySet */ | 419 anyPolicyList, /* expectedPolicySet */ |
490 &policyNode, | 420 &policyNode, plContext), |
491 plContext), | 421 PKIX_POLICYNODECREATEFAILED); |
492 PKIX_POLICYNODECREATEFAILED); | 422 checkerState->validPolicyTree = policyNode; |
493 checkerState->validPolicyTree = policyNode; | |
494 | 423 |
495 /* | 424 /* |
496 * Since the initial validPolicyTree specifies | 425 * Since the initial validPolicyTree specifies |
497 * ANY_POLICY, begin with a pointer to the root node. | 426 * ANY_POLICY, begin with a pointer to the root node. |
498 */ | 427 */ |
499 PKIX_INCREF(policyNode); | 428 PKIX_INCREF(policyNode); |
500 checkerState->anyPolicyNodeAtBottom = policyNode; | 429 checkerState->anyPolicyNodeAtBottom = policyNode; |
501 | 430 |
502 checkerState->newAnyPolicyNode = NULL; | 431 checkerState->newAnyPolicyNode = NULL; |
503 | 432 |
504 checkerState->mappedPolicyOIDs = NULL; | 433 checkerState->mappedPolicyOIDs = NULL; |
505 | 434 |
506 *pCheckerState = checkerState; | 435 *pCheckerState = checkerState; |
507 checkerState = NULL; | 436 checkerState = NULL; |
508 | 437 |
509 cleanup: | 438 cleanup: |
510 | 439 |
511 PKIX_DECREF(checkerState); | 440 PKIX_DECREF(checkerState); |
512 | 441 |
513 PKIX_DECREF(anyPolicyList); | 442 PKIX_DECREF(anyPolicyList); |
514 | 443 |
515 PKIX_RETURN(CERTPOLICYCHECKERSTATE); | 444 PKIX_RETURN(CERTPOLICYCHECKERSTATE); |
516 } | 445 } |
517 | 446 |
518 /* --Private-PolicyChecker-Functions--------------------------------------- */ | 447 /* --Private-PolicyChecker-Functions--------------------------------------- */ |
519 | 448 |
520 /* | 449 /* |
521 * FUNCTION: pkix_PolicyChecker_MapContains | 450 * FUNCTION: pkix_PolicyChecker_MapContains |
522 * DESCRIPTION: | 451 * DESCRIPTION: |
523 * | 452 * |
524 * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to | 453 * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to |
525 * determine whether the OID pointed to by "policy" is among the | 454 * determine whether the OID pointed to by "policy" is among the |
(...skipping 14 matching lines...) Expand all Loading... |
540 * Address where the result of the search will be stored. Must be non-NULL. | 469 * Address where the result of the search will be stored. Must be non-NULL. |
541 * "plContext" | 470 * "plContext" |
542 * platform-specific context pointer | 471 * platform-specific context pointer |
543 * THREAD SAFETY: | 472 * THREAD SAFETY: |
544 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 473 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
545 * RETURNS: | 474 * RETURNS: |
546 * Returns NULL if the function succeeds | 475 * Returns NULL if the function succeeds |
547 * Returns a CertChainChecker Error if the function fails in a non-fatal way. | 476 * Returns a CertChainChecker Error if the function fails in a non-fatal way. |
548 * Returns a Fatal Error if the function fails in an unrecoverable way | 477 * Returns a Fatal Error if the function fails in an unrecoverable way |
549 */ | 478 */ |
550 PKIX_Error * | 479 PKIX_Error *pkix_PolicyChecker_MapContains(PKIX_List *certPolicyMaps, |
551 pkix_PolicyChecker_MapContains( | 480 PKIX_PL_OID *policy, |
552 PKIX_List *certPolicyMaps, | 481 PKIX_Boolean *pFound, |
553 PKIX_PL_OID *policy, | 482 void *plContext) { |
554 PKIX_Boolean *pFound, | 483 PKIX_PL_CertPolicyMap *map = NULL; |
555 void *plContext) | 484 PKIX_UInt32 numEntries = 0; |
556 { | 485 PKIX_UInt32 index = 0; |
557 PKIX_PL_CertPolicyMap *map = NULL; | 486 PKIX_Boolean match = PKIX_FALSE; |
558 PKIX_UInt32 numEntries = 0; | 487 PKIX_PL_OID *issuerDomainPolicy = NULL; |
559 PKIX_UInt32 index = 0; | 488 PKIX_PL_OID *subjectDomainPolicy = NULL; |
560 PKIX_Boolean match = PKIX_FALSE; | |
561 PKIX_PL_OID *issuerDomainPolicy = NULL; | |
562 PKIX_PL_OID *subjectDomainPolicy = NULL; | |
563 | 489 |
564 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MapContains"); | 490 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MapContains"); |
565 PKIX_NULLCHECK_THREE(certPolicyMaps, policy, pFound); | 491 PKIX_NULLCHECK_THREE(certPolicyMaps, policy, pFound); |
566 | 492 |
567 PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext), | 493 PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext), |
568 PKIX_LISTGETLENGTHFAILED); | 494 PKIX_LISTGETLENGTHFAILED); |
569 | 495 |
570 for (index = 0; (!match) && (index < numEntries); index++) { | 496 for (index = 0; (!match) && (index < numEntries); index++) { |
571 PKIX_CHECK(PKIX_List_GetItem | 497 PKIX_CHECK(PKIX_List_GetItem(certPolicyMaps, index, (PKIX_PL_Object **)&map, |
572 (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext), | 498 plContext), |
573 PKIX_LISTGETITEMFAILED); | 499 PKIX_LISTGETITEMFAILED); |
574 | 500 |
575 PKIX_NULLCHECK_ONE(map); | 501 PKIX_NULLCHECK_ONE(map); |
576 | 502 |
577 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy | 503 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy( |
578 (map, &issuerDomainPolicy, plContext), | 504 map, &issuerDomainPolicy, plContext), |
579 PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED); | 505 PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED); |
580 | 506 |
581 PKIX_EQUALS | 507 PKIX_EQUALS(policy, issuerDomainPolicy, &match, plContext, |
582 (policy, issuerDomainPolicy, &match, plContext, | 508 PKIX_OBJECTEQUALSFAILED); |
583 PKIX_OBJECTEQUALSFAILED); | |
584 | 509 |
585 if (!match) { | 510 if (!match) { |
586 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy | 511 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy( |
587 (map, &subjectDomainPolicy, plContext), | 512 map, &subjectDomainPolicy, plContext), |
588 PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED); | 513 PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED); |
589 | 514 |
590 PKIX_EQUALS | 515 PKIX_EQUALS(policy, subjectDomainPolicy, &match, plContext, |
591 (policy, subjectDomainPolicy, &match, plContext, | 516 PKIX_OBJECTEQUALSFAILED); |
592 PKIX_OBJECTEQUALSFAILED); | 517 } |
593 } | |
594 | 518 |
595 PKIX_DECREF(map); | 519 PKIX_DECREF(map); |
596 PKIX_DECREF(issuerDomainPolicy); | 520 PKIX_DECREF(issuerDomainPolicy); |
597 PKIX_DECREF(subjectDomainPolicy); | 521 PKIX_DECREF(subjectDomainPolicy); |
598 } | 522 } |
599 | 523 |
600 *pFound = match; | 524 *pFound = match; |
601 | 525 |
602 cleanup: | 526 cleanup: |
603 | 527 |
604 PKIX_DECREF(map); | 528 PKIX_DECREF(map); |
605 PKIX_DECREF(issuerDomainPolicy); | 529 PKIX_DECREF(issuerDomainPolicy); |
606 PKIX_DECREF(subjectDomainPolicy); | 530 PKIX_DECREF(subjectDomainPolicy); |
607 PKIX_RETURN(CERTCHAINCHECKER); | 531 PKIX_RETURN(CERTCHAINCHECKER); |
608 } | 532 } |
609 | 533 |
610 /* | 534 /* |
611 * FUNCTION: pkix_PolicyChecker_MapGetSubjectDomainPolicies | 535 * FUNCTION: pkix_PolicyChecker_MapGetSubjectDomainPolicies |
612 * DESCRIPTION: | 536 * DESCRIPTION: |
613 * | 537 * |
614 * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to create | 538 * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps", to create |
615 * a list of all SubjectDomainPolicies for which the IssuerDomainPolicy is the | 539 * a list of all SubjectDomainPolicies for which the IssuerDomainPolicy is the |
616 * policy pointed to by "policy", and stores the result in | 540 * policy pointed to by "policy", and stores the result in |
617 * "pSubjectDomainPolicies". | 541 * "pSubjectDomainPolicies". |
(...skipping 14 matching lines...) Expand all Loading... |
632 * Address where the result of the search will be stored. Must be non-NULL. | 556 * Address where the result of the search will be stored. Must be non-NULL. |
633 * "plContext" | 557 * "plContext" |
634 * platform-specific context pointer | 558 * platform-specific context pointer |
635 * THREAD SAFETY: | 559 * THREAD SAFETY: |
636 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 560 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
637 * RETURNS: | 561 * RETURNS: |
638 * Returns NULL if the function succeeds | 562 * Returns NULL if the function succeeds |
639 * Returns a CertChainChecker Error if the function fails in a non-fatal way. | 563 * Returns a CertChainChecker Error if the function fails in a non-fatal way. |
640 * Returns a Fatal Error if the function fails in an unrecoverable way | 564 * Returns a Fatal Error if the function fails in an unrecoverable way |
641 */ | 565 */ |
642 PKIX_Error * | 566 PKIX_Error *pkix_PolicyChecker_MapGetSubjectDomainPolicies( |
643 pkix_PolicyChecker_MapGetSubjectDomainPolicies( | 567 PKIX_List *certPolicyMaps, PKIX_PL_OID *policy, |
644 PKIX_List *certPolicyMaps, | 568 PKIX_List **pSubjectDomainPolicies, void *plContext) { |
645 PKIX_PL_OID *policy, | 569 PKIX_PL_CertPolicyMap *map = NULL; |
646 PKIX_List **pSubjectDomainPolicies, | 570 PKIX_List *subjectList = NULL; |
647 void *plContext) | 571 PKIX_UInt32 numEntries = 0; |
648 { | 572 PKIX_UInt32 index = 0; |
649 PKIX_PL_CertPolicyMap *map = NULL; | 573 PKIX_Boolean match = PKIX_FALSE; |
650 PKIX_List *subjectList = NULL; | 574 PKIX_PL_OID *issuerDomainPolicy = NULL; |
651 PKIX_UInt32 numEntries = 0; | 575 PKIX_PL_OID *subjectDomainPolicy = NULL; |
652 PKIX_UInt32 index = 0; | |
653 PKIX_Boolean match = PKIX_FALSE; | |
654 PKIX_PL_OID *issuerDomainPolicy = NULL; | |
655 PKIX_PL_OID *subjectDomainPolicy = NULL; | |
656 | 576 |
657 PKIX_ENTER | 577 PKIX_ENTER(CERTCHAINCHECKER, |
658 (CERTCHAINCHECKER, | 578 "pkix_PolicyChecker_MapGetSubjectDomainPolicies"); |
659 "pkix_PolicyChecker_MapGetSubjectDomainPolicies"); | 579 PKIX_NULLCHECK_TWO(policy, pSubjectDomainPolicies); |
660 PKIX_NULLCHECK_TWO(policy, pSubjectDomainPolicies); | |
661 | 580 |
662 if (certPolicyMaps) { | 581 if (certPolicyMaps) { |
663 PKIX_CHECK(PKIX_List_GetLength | 582 PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext), |
664 (certPolicyMaps, | 583 PKIX_LISTGETLENGTHFAILED); |
665 &numEntries, | 584 } |
666 plContext), | |
667 PKIX_LISTGETLENGTHFAILED); | |
668 } | |
669 | 585 |
670 for (index = 0; index < numEntries; index++) { | 586 for (index = 0; index < numEntries; index++) { |
671 PKIX_CHECK(PKIX_List_GetItem | 587 PKIX_CHECK(PKIX_List_GetItem(certPolicyMaps, index, (PKIX_PL_Object **)&map, |
672 (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext), | 588 plContext), |
673 PKIX_LISTGETITEMFAILED); | 589 PKIX_LISTGETITEMFAILED); |
674 | 590 |
675 PKIX_NULLCHECK_ONE(map); | 591 PKIX_NULLCHECK_ONE(map); |
676 | 592 |
677 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy | 593 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy( |
678 (map, &issuerDomainPolicy, plContext), | 594 map, &issuerDomainPolicy, plContext), |
679 PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED); | 595 PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED); |
680 | 596 |
681 PKIX_EQUALS | 597 PKIX_EQUALS(policy, issuerDomainPolicy, &match, plContext, |
682 (policy, issuerDomainPolicy, &match, plContext, | 598 PKIX_OBJECTEQUALSFAILED); |
683 PKIX_OBJECTEQUALSFAILED); | |
684 | 599 |
685 if (match) { | 600 if (match) { |
686 if (!subjectList) { | 601 if (!subjectList) { |
687 PKIX_CHECK(PKIX_List_Create(&subjectList, plContext), | 602 PKIX_CHECK(PKIX_List_Create(&subjectList, plContext), |
688 PKIX_LISTCREATEFAILED); | 603 PKIX_LISTCREATEFAILED); |
689 } | 604 } |
690 | 605 |
691 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy | 606 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy( |
692 (map, &subjectDomainPolicy, plContext), | 607 map, &subjectDomainPolicy, plContext), |
693 PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED); | 608 PKIX_CERTPOLICYMAPGETSUBJECTDOMAINPOLICYFAILED); |
694 | 609 |
695 PKIX_CHECK(PKIX_List_AppendItem | 610 PKIX_CHECK( |
696 (subjectList, | 611 PKIX_List_AppendItem( |
697 (PKIX_PL_Object *)subjectDomainPolicy, | 612 subjectList, (PKIX_PL_Object *)subjectDomainPolicy, plContext), |
698 plContext), | 613 PKIX_LISTAPPENDITEMFAILED); |
699 PKIX_LISTAPPENDITEMFAILED); | 614 } |
700 } | |
701 | 615 |
702 PKIX_DECREF(map); | 616 PKIX_DECREF(map); |
703 PKIX_DECREF(issuerDomainPolicy); | 617 PKIX_DECREF(issuerDomainPolicy); |
704 PKIX_DECREF(subjectDomainPolicy); | 618 PKIX_DECREF(subjectDomainPolicy); |
705 } | 619 } |
706 | 620 |
707 if (subjectList) { | 621 if (subjectList) { |
708 PKIX_CHECK(PKIX_List_SetImmutable(subjectList, plContext), | 622 PKIX_CHECK(PKIX_List_SetImmutable(subjectList, plContext), |
709 PKIX_LISTSETIMMUTABLEFAILED); | 623 PKIX_LISTSETIMMUTABLEFAILED); |
710 } | 624 } |
711 | 625 |
712 *pSubjectDomainPolicies = subjectList; | 626 *pSubjectDomainPolicies = subjectList; |
713 | 627 |
714 cleanup: | 628 cleanup: |
715 | 629 |
716 if (PKIX_ERROR_RECEIVED) { | 630 if (PKIX_ERROR_RECEIVED) { |
717 PKIX_DECREF(subjectList); | 631 PKIX_DECREF(subjectList); |
718 } | 632 } |
719 | 633 |
720 PKIX_DECREF(map); | 634 PKIX_DECREF(map); |
721 PKIX_DECREF(issuerDomainPolicy); | 635 PKIX_DECREF(issuerDomainPolicy); |
722 PKIX_DECREF(subjectDomainPolicy); | 636 PKIX_DECREF(subjectDomainPolicy); |
723 | 637 |
724 PKIX_RETURN(CERTCHAINCHECKER); | 638 PKIX_RETURN(CERTCHAINCHECKER); |
725 } | 639 } |
726 | 640 |
727 /* | 641 /* |
728 * FUNCTION: pkix_PolicyChecker_MapGetMappedPolicies | 642 * FUNCTION: pkix_PolicyChecker_MapGetMappedPolicies |
729 * DESCRIPTION: | 643 * DESCRIPTION: |
730 * | 644 * |
731 * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps" to create a | 645 * Checks the List of CertPolicyMaps pointed to by "certPolicyMaps" to create a |
732 * List of all IssuerDomainPolicies, and stores the result in | 646 * List of all IssuerDomainPolicies, and stores the result in |
733 * "pMappedPolicies". | 647 * "pMappedPolicies". |
734 * | 648 * |
(...skipping 10 matching lines...) Expand all Loading... |
745 * Address where the result will be stored. Must be non-NULL. | 659 * Address where the result will be stored. Must be non-NULL. |
746 * "plContext" | 660 * "plContext" |
747 * platform-specific context pointer | 661 * platform-specific context pointer |
748 * THREAD SAFETY: | 662 * THREAD SAFETY: |
749 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 663 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
750 * RETURNS: | 664 * RETURNS: |
751 * Returns NULL if the function succeeds | 665 * Returns NULL if the function succeeds |
752 * Returns a CertChainChecker Error if the functions fails in a non-fatal way | 666 * Returns a CertChainChecker Error if the functions fails in a non-fatal way |
753 * Returns a Fatal Error if the function fails in an unrecoverable way | 667 * Returns a Fatal Error if the function fails in an unrecoverable way |
754 */ | 668 */ |
755 PKIX_Error * | 669 PKIX_Error *pkix_PolicyChecker_MapGetMappedPolicies(PKIX_List *certPolicyMaps, |
756 pkix_PolicyChecker_MapGetMappedPolicies( | 670 PKIX_List **pMappedPolicies, |
757 PKIX_List *certPolicyMaps, | 671 void *plContext) { |
758 PKIX_List **pMappedPolicies, | 672 PKIX_PL_CertPolicyMap *map = NULL; |
759 void *plContext) | 673 PKIX_List *mappedList = NULL; |
760 { | 674 PKIX_UInt32 numEntries = 0; |
761 PKIX_PL_CertPolicyMap *map = NULL; | 675 PKIX_UInt32 index = 0; |
762 PKIX_List *mappedList = NULL; | 676 PKIX_Boolean isContained = PKIX_FALSE; |
763 PKIX_UInt32 numEntries = 0; | 677 PKIX_PL_OID *issuerDomainPolicy = NULL; |
764 PKIX_UInt32 index = 0; | |
765 PKIX_Boolean isContained = PKIX_FALSE; | |
766 PKIX_PL_OID *issuerDomainPolicy = NULL; | |
767 | 678 |
768 PKIX_ENTER | 679 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MapGetMappedPolicies"); |
769 (CERTCHAINCHECKER, "pkix_PolicyChecker_MapGetMappedPolicies"); | 680 PKIX_NULLCHECK_TWO(certPolicyMaps, pMappedPolicies); |
770 PKIX_NULLCHECK_TWO(certPolicyMaps, pMappedPolicies); | |
771 | 681 |
772 PKIX_CHECK(PKIX_List_Create(&mappedList, plContext), | 682 PKIX_CHECK(PKIX_List_Create(&mappedList, plContext), PKIX_LISTCREATEFAILED); |
773 PKIX_LISTCREATEFAILED); | |
774 | 683 |
775 PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext), | 684 PKIX_CHECK(PKIX_List_GetLength(certPolicyMaps, &numEntries, plContext), |
776 PKIX_LISTGETLENGTHFAILED); | 685 PKIX_LISTGETLENGTHFAILED); |
777 | 686 |
778 for (index = 0; index < numEntries; index++) { | 687 for (index = 0; index < numEntries; index++) { |
779 PKIX_CHECK(PKIX_List_GetItem | 688 PKIX_CHECK(PKIX_List_GetItem(certPolicyMaps, index, (PKIX_PL_Object **)&map, |
780 (certPolicyMaps, index, (PKIX_PL_Object **)&map, plContext), | 689 plContext), |
781 PKIX_LISTGETITEMFAILED); | 690 PKIX_LISTGETITEMFAILED); |
782 | 691 |
783 PKIX_NULLCHECK_ONE(map); | 692 PKIX_NULLCHECK_ONE(map); |
784 | 693 |
785 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy | 694 PKIX_CHECK(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy( |
786 (map, &issuerDomainPolicy, plContext), | 695 map, &issuerDomainPolicy, plContext), |
787 PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED); | 696 PKIX_CERTPOLICYMAPGETISSUERDOMAINPOLICYFAILED); |
788 | 697 |
789 PKIX_CHECK(pkix_List_Contains | 698 PKIX_CHECK( |
790 (mappedList, | 699 pkix_List_Contains(mappedList, (PKIX_PL_Object *)issuerDomainPolicy, |
791 (PKIX_PL_Object *)issuerDomainPolicy, | 700 &isContained, plContext), |
792 &isContained, | 701 PKIX_LISTCONTAINSFAILED); |
793 plContext), | |
794 PKIX_LISTCONTAINSFAILED); | |
795 | 702 |
796 if (isContained == PKIX_FALSE) { | 703 if (isContained == PKIX_FALSE) { |
797 PKIX_CHECK(PKIX_List_AppendItem | 704 PKIX_CHECK( |
798 (mappedList, | 705 PKIX_List_AppendItem(mappedList, (PKIX_PL_Object *)issuerDomainPolicy, |
799 (PKIX_PL_Object *)issuerDomainPolicy, | 706 plContext), |
800 plContext), | 707 PKIX_LISTAPPENDITEMFAILED); |
801 PKIX_LISTAPPENDITEMFAILED); | 708 } |
802 } | |
803 | 709 |
804 PKIX_DECREF(map); | 710 PKIX_DECREF(map); |
805 PKIX_DECREF(issuerDomainPolicy); | 711 PKIX_DECREF(issuerDomainPolicy); |
806 } | 712 } |
807 | 713 |
808 *pMappedPolicies = mappedList; | 714 *pMappedPolicies = mappedList; |
809 | 715 |
810 cleanup: | 716 cleanup: |
811 | 717 |
812 if (PKIX_ERROR_RECEIVED) { | 718 if (PKIX_ERROR_RECEIVED) { |
813 PKIX_DECREF(mappedList); | 719 PKIX_DECREF(mappedList); |
814 } | 720 } |
815 | 721 |
816 PKIX_DECREF(map); | 722 PKIX_DECREF(map); |
817 PKIX_DECREF(issuerDomainPolicy); | 723 PKIX_DECREF(issuerDomainPolicy); |
818 | 724 |
819 PKIX_RETURN(CERTCHAINCHECKER); | 725 PKIX_RETURN(CERTCHAINCHECKER); |
820 } | 726 } |
821 | 727 |
822 /* | 728 /* |
823 * FUNCTION: pkix_PolicyChecker_MakeMutableCopy | 729 * FUNCTION: pkix_PolicyChecker_MakeMutableCopy |
824 * DESCRIPTION: | 730 * DESCRIPTION: |
825 * | 731 * |
826 * Creates a mutable copy of the List pointed to by "list", which may or may | 732 * Creates a mutable copy of the List pointed to by "list", which may or may |
827 * not be immutable, and stores the address at "pMutableCopy". | 733 * not be immutable, and stores the address at "pMutableCopy". |
828 * | 734 * |
829 * PARAMETERS: | 735 * PARAMETERS: |
830 * "list" | 736 * "list" |
831 * Address of List to be copied. Must be non-NULL. | 737 * Address of List to be copied. Must be non-NULL. |
832 * "pMutableCopy" | 738 * "pMutableCopy" |
833 * Address where mutable copy will be stored. Must be non-NULL. | 739 * Address where mutable copy will be stored. Must be non-NULL. |
834 * "plContext" | 740 * "plContext" |
835 * Platform-specific context pointer. | 741 * Platform-specific context pointer. |
836 * THREAD SAFETY: | 742 * THREAD SAFETY: |
837 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 743 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
838 * RETURNS: | 744 * RETURNS: |
839 * Returns NULL if the function succeeds | 745 * Returns NULL if the function succeeds |
840 * Returns a CertChainChecker Error if the functions fails in a non-fatal way | 746 * Returns a CertChainChecker Error if the functions fails in a non-fatal way |
841 * Returns a Fatal Error if the function fails in an unrecoverable way | 747 * Returns a Fatal Error if the function fails in an unrecoverable way |
842 */ | 748 */ |
843 static PKIX_Error * | 749 static PKIX_Error *pkix_PolicyChecker_MakeMutableCopy(PKIX_List *list, |
844 pkix_PolicyChecker_MakeMutableCopy( | 750 PKIX_List **pMutableCopy, |
845 PKIX_List *list, | 751 void *plContext) { |
846 PKIX_List **pMutableCopy, | 752 PKIX_List *newList = NULL; |
847 void *plContext) | 753 PKIX_UInt32 listLen = 0; |
848 { | 754 PKIX_UInt32 listIx = 0; |
849 PKIX_List *newList = NULL; | 755 PKIX_PL_Object *object = NULL; |
850 PKIX_UInt32 listLen = 0; | |
851 PKIX_UInt32 listIx = 0; | |
852 PKIX_PL_Object *object = NULL; | |
853 | 756 |
854 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeMutableCopy"); | 757 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeMutableCopy"); |
855 PKIX_NULLCHECK_TWO(list, pMutableCopy); | 758 PKIX_NULLCHECK_TWO(list, pMutableCopy); |
856 | 759 |
857 PKIX_CHECK(PKIX_List_Create(&newList, plContext), | 760 PKIX_CHECK(PKIX_List_Create(&newList, plContext), PKIX_LISTCREATEFAILED); |
858 PKIX_LISTCREATEFAILED); | |
859 | 761 |
860 PKIX_CHECK(PKIX_List_GetLength(list, &listLen, plContext), | 762 PKIX_CHECK(PKIX_List_GetLength(list, &listLen, plContext), |
861 PKIX_LISTGETLENGTHFAILED); | 763 PKIX_LISTGETLENGTHFAILED); |
862 | 764 |
863 for (listIx = 0; listIx < listLen; listIx++) { | 765 for (listIx = 0; listIx < listLen; listIx++) { |
864 | 766 |
865 PKIX_CHECK(PKIX_List_GetItem(list, listIx, &object, plContext), | 767 PKIX_CHECK(PKIX_List_GetItem(list, listIx, &object, plContext), |
866 PKIX_LISTGETITEMFAILED); | 768 PKIX_LISTGETITEMFAILED); |
867 | 769 |
868 PKIX_CHECK(PKIX_List_AppendItem(newList, object, plContext), | 770 PKIX_CHECK(PKIX_List_AppendItem(newList, object, plContext), |
869 PKIX_LISTAPPENDITEMFAILED); | 771 PKIX_LISTAPPENDITEMFAILED); |
870 | 772 |
871 PKIX_DECREF(object); | 773 PKIX_DECREF(object); |
872 } | 774 } |
873 | 775 |
874 *pMutableCopy = newList; | 776 *pMutableCopy = newList; |
875 newList = NULL; | 777 newList = NULL; |
876 | 778 |
877 cleanup: | 779 cleanup: |
878 PKIX_DECREF(newList); | 780 PKIX_DECREF(newList); |
879 PKIX_DECREF(object); | 781 PKIX_DECREF(object); |
880 | 782 |
881 PKIX_RETURN(CERTCHAINCHECKER); | 783 PKIX_RETURN(CERTCHAINCHECKER); |
882 } | 784 } |
883 | 785 |
884 /* | 786 /* |
885 * FUNCTION: pkix_PolicyChecker_MakeSingleton | 787 * FUNCTION: pkix_PolicyChecker_MakeSingleton |
886 * DESCRIPTION: | 788 * DESCRIPTION: |
887 * | 789 * |
888 * Creates a new List containing the Object pointed to by "listItem", using | 790 * Creates a new List containing the Object pointed to by "listItem", using |
889 * the Boolean value of "immutability" to determine whether to set the List | 791 * the Boolean value of "immutability" to determine whether to set the List |
890 * immutable, and stores the address at "pList". | 792 * immutable, and stores the address at "pList". |
891 * | 793 * |
892 * PARAMETERS: | 794 * PARAMETERS: |
893 * "listItem" | 795 * "listItem" |
894 * Address of Object to be inserted into the new List. Must be non-NULL. | 796 * Address of Object to be inserted into the new List. Must be non-NULL. |
895 * "immutability" | 797 * "immutability" |
896 * Boolean value indicating whether new List is to be immutable | 798 * Boolean value indicating whether new List is to be immutable |
897 * "pList" | 799 * "pList" |
898 * Address where List will be stored. Must be non-NULL. | 800 * Address where List will be stored. Must be non-NULL. |
899 * "plContext" | 801 * "plContext" |
900 * Platform-specific context pointer. | 802 * Platform-specific context pointer. |
901 * THREAD SAFETY: | 803 * THREAD SAFETY: |
902 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 804 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
903 * RETURNS: | 805 * RETURNS: |
904 * Returns NULL if the function succeeds | 806 * Returns NULL if the function succeeds |
905 * Returns a CertChainChecker Error if the functions fails in a non-fatal way | 807 * Returns a CertChainChecker Error if the functions fails in a non-fatal way |
906 * Returns a Fatal Error if the function fails in an unrecoverable way | 808 * Returns a Fatal Error if the function fails in an unrecoverable way |
907 */ | 809 */ |
908 static PKIX_Error * | 810 static PKIX_Error *pkix_PolicyChecker_MakeSingleton(PKIX_PL_Object *listItem, |
909 pkix_PolicyChecker_MakeSingleton( | 811 PKIX_Boolean immutability, |
910 PKIX_PL_Object *listItem, | 812 PKIX_List **pList, |
911 PKIX_Boolean immutability, | 813 void *plContext) { |
912 PKIX_List **pList, | 814 PKIX_List *newList = NULL; |
913 void *plContext) | |
914 { | |
915 PKIX_List *newList = NULL; | |
916 | 815 |
917 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeSingleton"); | 816 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_MakeSingleton"); |
918 PKIX_NULLCHECK_TWO(listItem, pList); | 817 PKIX_NULLCHECK_TWO(listItem, pList); |
919 | 818 |
920 PKIX_CHECK(PKIX_List_Create(&newList, plContext), | 819 PKIX_CHECK(PKIX_List_Create(&newList, plContext), PKIX_LISTCREATEFAILED); |
921 PKIX_LISTCREATEFAILED); | |
922 | 820 |
923 PKIX_CHECK(PKIX_List_AppendItem | 821 PKIX_CHECK( |
924 (newList, (PKIX_PL_Object *)listItem, plContext), | 822 PKIX_List_AppendItem(newList, (PKIX_PL_Object *)listItem, plContext), |
925 PKIX_LISTAPPENDITEMFAILED); | 823 PKIX_LISTAPPENDITEMFAILED); |
926 | 824 |
927 if (immutability) { | 825 if (immutability) { |
928 PKIX_CHECK(PKIX_List_SetImmutable(newList, plContext), | 826 PKIX_CHECK(PKIX_List_SetImmutable(newList, plContext), |
929 PKIX_LISTSETIMMUTABLEFAILED); | 827 PKIX_LISTSETIMMUTABLEFAILED); |
930 } | 828 } |
931 | 829 |
932 *pList = newList; | 830 *pList = newList; |
933 | 831 |
934 cleanup: | 832 cleanup: |
935 if (PKIX_ERROR_RECEIVED) { | 833 if (PKIX_ERROR_RECEIVED) { |
936 PKIX_DECREF(newList); | 834 PKIX_DECREF(newList); |
937 } | 835 } |
938 | 836 |
939 PKIX_RETURN(CERTCHAINCHECKER); | 837 PKIX_RETURN(CERTCHAINCHECKER); |
940 } | 838 } |
941 | 839 |
942 /* | 840 /* |
943 * FUNCTION: pkix_PolicyChecker_Spawn | 841 * FUNCTION: pkix_PolicyChecker_Spawn |
944 * DESCRIPTION: | 842 * DESCRIPTION: |
945 * | 843 * |
946 * Creates a new childNode for the parent pointed to by "parent", using | 844 * Creates a new childNode for the parent pointed to by "parent", using |
947 * the OID pointed to by "policyOID", the List of CertPolicyQualifiers | 845 * the OID pointed to by "policyOID", the List of CertPolicyQualifiers |
948 * pointed to by "qualifiers", the List of OIDs pointed to by | 846 * pointed to by "qualifiers", the List of OIDs pointed to by |
949 * "subjectDomainPolicies", and the PolicyCheckerState pointed to by | 847 * "subjectDomainPolicies", and the PolicyCheckerState pointed to by |
(...skipping 30 matching lines...) Expand all Loading... |
980 * Address of the current PKIX_PolicyCheckerState. Must be non-NULL.. | 878 * Address of the current PKIX_PolicyCheckerState. Must be non-NULL.. |
981 * "plContext" | 879 * "plContext" |
982 * Platform-specific context pointer. | 880 * Platform-specific context pointer. |
983 * THREAD SAFETY: | 881 * THREAD SAFETY: |
984 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 882 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
985 * RETURNS: | 883 * RETURNS: |
986 * Returns NULL if the function succeeds | 884 * Returns NULL if the function succeeds |
987 * Returns a CertChainChecker Error if the functions fails in a non-fatal way | 885 * Returns a CertChainChecker Error if the functions fails in a non-fatal way |
988 * Returns a Fatal Error if the function fails in an unrecoverable way | 886 * Returns a Fatal Error if the function fails in an unrecoverable way |
989 */ | 887 */ |
990 static PKIX_Error * | 888 static PKIX_Error *pkix_PolicyChecker_Spawn( |
991 pkix_PolicyChecker_Spawn( | 889 PKIX_PolicyNode *parent, PKIX_PL_OID *policyOID, |
992 PKIX_PolicyNode *parent, | 890 PKIX_List *qualifiers, /* CertPolicyQualifiers */ |
993 PKIX_PL_OID *policyOID, | 891 PKIX_List *subjectDomainPolicies, PKIX_PolicyCheckerState *state, |
994 PKIX_List *qualifiers, /* CertPolicyQualifiers */ | 892 void *plContext) { |
995 PKIX_List *subjectDomainPolicies, | 893 PKIX_List *expectedSet = NULL; /* OIDs */ |
996 PKIX_PolicyCheckerState *state, | 894 PKIX_PolicyNode *childNode = NULL; |
997 void *plContext) | 895 PKIX_Boolean match = PKIX_FALSE; |
998 { | |
999 PKIX_List *expectedSet = NULL; /* OIDs */ | |
1000 PKIX_PolicyNode *childNode = NULL; | |
1001 PKIX_Boolean match = PKIX_FALSE; | |
1002 | 896 |
1003 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Spawn"); | 897 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Spawn"); |
1004 PKIX_NULLCHECK_THREE(policyOID, parent, state); | 898 PKIX_NULLCHECK_THREE(policyOID, parent, state); |
1005 | 899 |
1006 if (subjectDomainPolicies) { | 900 if (subjectDomainPolicies) { |
1007 | 901 |
1008 PKIX_INCREF(subjectDomainPolicies); | 902 PKIX_INCREF(subjectDomainPolicies); |
1009 expectedSet = subjectDomainPolicies; | 903 expectedSet = subjectDomainPolicies; |
1010 | 904 |
1011 } else { | 905 } else { |
1012 /* Create the child's ExpectedPolicy Set */ | 906 /* Create the child's ExpectedPolicy Set */ |
1013 PKIX_CHECK(pkix_PolicyChecker_MakeSingleton | 907 PKIX_CHECK(pkix_PolicyChecker_MakeSingleton( |
1014 ((PKIX_PL_Object *)policyOID, | 908 (PKIX_PL_Object *)policyOID, |
1015 PKIX_TRUE, /* make expectedPolicySet immutable */ | 909 PKIX_TRUE, /* make expectedPolicySet immutable */ |
1016 &expectedSet, | 910 &expectedSet, plContext), |
1017 plContext), | 911 PKIX_POLICYCHECKERMAKESINGLETONFAILED); |
1018 PKIX_POLICYCHECKERMAKESINGLETONFAILED); | 912 } |
1019 } | |
1020 | 913 |
1021 PKIX_CHECK(pkix_PolicyNode_Create | 914 PKIX_CHECK( |
1022 (policyOID, | 915 pkix_PolicyNode_Create(policyOID, qualifiers, state->certPoliciesCritical, |
1023 qualifiers, | 916 expectedSet, &childNode, plContext), |
1024 state->certPoliciesCritical, | 917 PKIX_POLICYNODECREATEFAILED); |
1025 expectedSet, | |
1026 &childNode, | |
1027 plContext), | |
1028 PKIX_POLICYNODECREATEFAILED); | |
1029 | 918 |
1030 /* | 919 /* |
1031 * If we had a non-empty mapping, we know the new node could not | 920 * If we had a non-empty mapping, we know the new node could not |
1032 * have been created with a validPolicy of anyPolicy. Otherwise, | 921 * have been created with a validPolicy of anyPolicy. Otherwise, |
1033 * check whether we just created a new node with anyPolicy, because | 922 * check whether we just created a new node with anyPolicy, because |
1034 * in that case we want to save the child pointer in newAnyPolicyNode. | 923 * in that case we want to save the child pointer in newAnyPolicyNode. |
1035 */ | 924 */ |
1036 if (!subjectDomainPolicies) { | 925 if (!subjectDomainPolicies) { |
1037 PKIX_EQUALS(policyOID, state->anyPolicyOID, &match, plContext, | 926 PKIX_EQUALS(policyOID, state->anyPolicyOID, &match, plContext, |
1038 PKIX_OBJECTEQUALSFAILED); | 927 PKIX_OBJECTEQUALSFAILED); |
1039 | 928 |
1040 if (match) { | 929 if (match) { |
1041 PKIX_DECREF(state->newAnyPolicyNode); | 930 PKIX_DECREF(state->newAnyPolicyNode); |
1042 PKIX_INCREF(childNode); | 931 PKIX_INCREF(childNode); |
1043 state->newAnyPolicyNode = childNode; | 932 state->newAnyPolicyNode = childNode; |
1044 } | 933 } |
1045 } | 934 } |
1046 | 935 |
1047 PKIX_CHECK(pkix_PolicyNode_AddToParent(parent, childNode, plContext), | 936 PKIX_CHECK(pkix_PolicyNode_AddToParent(parent, childNode, plContext), |
1048 PKIX_POLICYNODEADDTOPARENTFAILED); | 937 PKIX_POLICYNODEADDTOPARENTFAILED); |
1049 | 938 |
1050 PKIX_CHECK(PKIX_PL_Object_InvalidateCache | 939 PKIX_CHECK(PKIX_PL_Object_InvalidateCache((PKIX_PL_Object *)state, plContext), |
1051 ((PKIX_PL_Object *)state, plContext), | 940 PKIX_OBJECTINVALIDATECACHEFAILED); |
1052 PKIX_OBJECTINVALIDATECACHEFAILED); | |
1053 | 941 |
1054 cleanup: | 942 cleanup: |
1055 PKIX_DECREF(childNode); | 943 PKIX_DECREF(childNode); |
1056 PKIX_DECREF(expectedSet); | 944 PKIX_DECREF(expectedSet); |
1057 PKIX_RETURN(CERTCHAINCHECKER); | 945 PKIX_RETURN(CERTCHAINCHECKER); |
1058 } | 946 } |
1059 | 947 |
1060 /* | 948 /* |
1061 * FUNCTION: pkix_PolicyChecker_CheckPolicyRecursive | 949 * FUNCTION: pkix_PolicyChecker_CheckPolicyRecursive |
1062 * DESCRIPTION: | 950 * DESCRIPTION: |
1063 * | 951 * |
1064 * Performs policy processing for the policy whose OID is pointed to by | 952 * Performs policy processing for the policy whose OID is pointed to by |
1065 * "policyOID" and whose List of CertPolicyQualifiers is pointed to by | 953 * "policyOID" and whose List of CertPolicyQualifiers is pointed to by |
1066 * "policyQualifiers", using the List of policy OIDs pointed to by | 954 * "policyQualifiers", using the List of policy OIDs pointed to by |
1067 * "subjectDomainPolicies" and the PolicyNode pointed to by "currentNode", | 955 * "subjectDomainPolicies" and the PolicyNode pointed to by "currentNode", |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1101 * creates a child node. Must be non-NULL. | 989 * creates a child node. Must be non-NULL. |
1102 * "plContext" | 990 * "plContext" |
1103 * Platform-specific context pointer. | 991 * Platform-specific context pointer. |
1104 * THREAD SAFETY: | 992 * THREAD SAFETY: |
1105 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 993 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
1106 * RETURNS: | 994 * RETURNS: |
1107 * Returns NULL if the function succeeds | 995 * Returns NULL if the function succeeds |
1108 * Returns a CertChainChecker Error if the functions fails in a non-fatal way | 996 * Returns a CertChainChecker Error if the functions fails in a non-fatal way |
1109 * Returns a Fatal Error if the function fails in an unrecoverable way | 997 * Returns a Fatal Error if the function fails in an unrecoverable way |
1110 */ | 998 */ |
1111 static PKIX_Error * | 999 static PKIX_Error *pkix_PolicyChecker_CheckPolicyRecursive( |
1112 pkix_PolicyChecker_CheckPolicyRecursive( | 1000 PKIX_PL_OID *policyOID, PKIX_List *policyQualifiers, |
1113 PKIX_PL_OID *policyOID, | 1001 PKIX_List *subjectDomainPolicies, PKIX_PolicyNode *currentNode, |
1114 PKIX_List *policyQualifiers, | 1002 PKIX_PolicyCheckerState *state, PKIX_Boolean *pChildNodeCreated, |
1115 PKIX_List *subjectDomainPolicies, | 1003 void *plContext) { |
1116 PKIX_PolicyNode *currentNode, | 1004 PKIX_UInt32 depth = 0; |
1117 PKIX_PolicyCheckerState *state, | 1005 PKIX_UInt32 numChildren = 0; |
1118 PKIX_Boolean *pChildNodeCreated, | 1006 PKIX_UInt32 childIx = 0; |
1119 void *plContext) | 1007 PKIX_Boolean isIncluded = PKIX_FALSE; |
1120 { | 1008 PKIX_List *children = NULL; /* PolicyNodes */ |
1121 PKIX_UInt32 depth = 0; | 1009 PKIX_PolicyNode *childNode = NULL; |
1122 PKIX_UInt32 numChildren = 0; | 1010 PKIX_List *expectedPolicies = NULL; /* OIDs */ |
1123 PKIX_UInt32 childIx = 0; | |
1124 PKIX_Boolean isIncluded = PKIX_FALSE; | |
1125 PKIX_List *children = NULL; /* PolicyNodes */ | |
1126 PKIX_PolicyNode *childNode = NULL; | |
1127 PKIX_List *expectedPolicies = NULL; /* OIDs */ | |
1128 | 1011 |
1129 PKIX_ENTER | 1012 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckPolicyRecursive"); |
1130 (CERTCHAINCHECKER, | 1013 PKIX_NULLCHECK_FOUR(policyOID, currentNode, state, pChildNodeCreated); |
1131 "pkix_PolicyChecker_CheckPolicyRecursive"); | |
1132 PKIX_NULLCHECK_FOUR(policyOID, currentNode, state, pChildNodeCreated); | |
1133 | 1014 |
1134 /* if not at the bottom of the tree */ | 1015 /* if not at the bottom of the tree */ |
1135 PKIX_CHECK(PKIX_PolicyNode_GetDepth | 1016 PKIX_CHECK(PKIX_PolicyNode_GetDepth(currentNode, &depth, plContext), |
1136 (currentNode, &depth, plContext), | 1017 PKIX_POLICYNODEGETDEPTHFAILED); |
1137 PKIX_POLICYNODEGETDEPTHFAILED); | |
1138 | 1018 |
1139 if (depth < (state->certsProcessed)) { | 1019 if (depth < (state->certsProcessed)) { |
1140 PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable | 1020 PKIX_CHECK( |
1141 (currentNode, &children, plContext), | 1021 pkix_PolicyNode_GetChildrenMutable(currentNode, &children, plContext), |
1142 PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED); | 1022 PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED); |
1143 | 1023 |
1144 if (children) { | 1024 if (children) { |
1145 PKIX_CHECK(PKIX_List_GetLength | 1025 PKIX_CHECK(PKIX_List_GetLength(children, &numChildren, plContext), |
1146 (children, &numChildren, plContext), | 1026 PKIX_LISTGETLENGTHFAILED); |
1147 PKIX_LISTGETLENGTHFAILED); | 1027 } |
1148 } | |
1149 | 1028 |
1150 for (childIx = 0; childIx < numChildren; childIx++) { | 1029 for (childIx = 0; childIx < numChildren; childIx++) { |
1151 | 1030 |
1152 PKIX_CHECK(PKIX_List_GetItem | 1031 PKIX_CHECK(PKIX_List_GetItem(children, childIx, |
1153 (children, | 1032 (PKIX_PL_Object **)&childNode, plContext), |
1154 childIx, | 1033 PKIX_LISTGETITEMFAILED); |
1155 (PKIX_PL_Object **)&childNode, | |
1156 plContext), | |
1157 PKIX_LISTGETITEMFAILED); | |
1158 | 1034 |
1159 PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive | 1035 PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive( |
1160 (policyOID, | 1036 policyOID, policyQualifiers, subjectDomainPolicies, |
1161 policyQualifiers, | 1037 childNode, state, pChildNodeCreated, plContext), |
1162 subjectDomainPolicies, | 1038 PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED); |
1163 childNode, | |
1164 state, | |
1165 pChildNodeCreated, | |
1166 plContext), | |
1167 PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED); | |
1168 | 1039 |
1169 PKIX_DECREF(childNode); | 1040 PKIX_DECREF(childNode); |
1170 } | 1041 } |
1171 } else { /* if at the bottom of the tree */ | 1042 } else {/* if at the bottom of the tree */ |
1172 | 1043 |
1173 /* Check whether policy is in this node's expectedPolicySet */ | 1044 /* Check whether policy is in this node's expectedPolicySet */ |
1174 PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies | 1045 PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies( |
1175 (currentNode, &expectedPolicies, plContext), | 1046 currentNode, &expectedPolicies, plContext), |
1176 PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED); | 1047 PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED); |
1177 | 1048 |
1178 PKIX_NULLCHECK_ONE(expectedPolicies); | 1049 PKIX_NULLCHECK_ONE(expectedPolicies); |
1179 | 1050 |
1180 PKIX_CHECK(pkix_List_Contains | 1051 PKIX_CHECK(pkix_List_Contains(expectedPolicies, (PKIX_PL_Object *)policyOID, |
1181 (expectedPolicies, | 1052 &isIncluded, plContext), |
1182 (PKIX_PL_Object *)policyOID, | 1053 PKIX_LISTCONTAINSFAILED); |
1183 &isIncluded, | |
1184 plContext), | |
1185 PKIX_LISTCONTAINSFAILED); | |
1186 | 1054 |
1187 if (isIncluded) { | 1055 if (isIncluded) { |
1188 PKIX_CHECK(pkix_PolicyChecker_Spawn | 1056 PKIX_CHECK( |
1189 (currentNode, | 1057 pkix_PolicyChecker_Spawn(currentNode, policyOID, policyQualifiers, |
1190 policyOID, | 1058 subjectDomainPolicies, state, plContext), |
1191 policyQualifiers, | 1059 PKIX_POLICYCHECKERSPAWNFAILED); |
1192 subjectDomainPolicies, | |
1193 state, | |
1194 plContext), | |
1195 PKIX_POLICYCHECKERSPAWNFAILED); | |
1196 | 1060 |
1197 *pChildNodeCreated = PKIX_TRUE; | 1061 *pChildNodeCreated = PKIX_TRUE; |
1198 } | 1062 } |
1199 } | 1063 } |
1200 | 1064 |
1201 cleanup: | 1065 cleanup: |
1202 | 1066 |
1203 PKIX_DECREF(children); | 1067 PKIX_DECREF(children); |
1204 PKIX_DECREF(childNode); | 1068 PKIX_DECREF(childNode); |
1205 PKIX_DECREF(expectedPolicies); | 1069 PKIX_DECREF(expectedPolicies); |
1206 | 1070 |
1207 PKIX_RETURN(CERTCHAINCHECKER); | 1071 PKIX_RETURN(CERTCHAINCHECKER); |
1208 } | 1072 } |
1209 | 1073 |
1210 /* | 1074 /* |
1211 * FUNCTION: pkix_PolicyChecker_CheckPolicy | 1075 * FUNCTION: pkix_PolicyChecker_CheckPolicy |
1212 * DESCRIPTION: | 1076 * DESCRIPTION: |
1213 * | 1077 * |
1214 * Performs the non-recursive portion of the policy processing for the policy | 1078 * Performs the non-recursive portion of the policy processing for the policy |
1215 * whose OID is pointed to by "policyOID" and whose List of | 1079 * whose OID is pointed to by "policyOID" and whose List of |
1216 * CertPolicyQualifiers is pointed to by "policyQualifiers", for the | 1080 * CertPolicyQualifiers is pointed to by "policyQualifiers", for the |
1217 * Certificate pointed to by "cert" with the List of CertPolicyMaps pointed | 1081 * Certificate pointed to by "cert" with the List of CertPolicyMaps pointed |
(...skipping 18 matching lines...) Expand all Loading... |
1236 * non-NULL. | 1100 * non-NULL. |
1237 * "plContext" | 1101 * "plContext" |
1238 * Platform-specific context pointer. | 1102 * Platform-specific context pointer. |
1239 * THREAD SAFETY: | 1103 * THREAD SAFETY: |
1240 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 1104 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
1241 * RETURNS: | 1105 * RETURNS: |
1242 * Returns NULL if the function succeeds | 1106 * Returns NULL if the function succeeds |
1243 * Returns a CertChainChecker Error if the functions fails in a non-fatal way | 1107 * Returns a CertChainChecker Error if the functions fails in a non-fatal way |
1244 * Returns a Fatal Error if the function fails in an unrecoverable way | 1108 * Returns a Fatal Error if the function fails in an unrecoverable way |
1245 */ | 1109 */ |
1246 static PKIX_Error * | 1110 static PKIX_Error *pkix_PolicyChecker_CheckPolicy( |
1247 pkix_PolicyChecker_CheckPolicy( | 1111 PKIX_PL_OID *policyOID, PKIX_List *policyQualifiers, PKIX_PL_Cert *cert, |
1248 PKIX_PL_OID *policyOID, | 1112 PKIX_List *maps, PKIX_PolicyCheckerState *state, void *plContext) { |
1249 PKIX_List *policyQualifiers, | 1113 PKIX_Boolean childNodeCreated = PKIX_FALSE; |
1250 PKIX_PL_Cert *cert, | 1114 PKIX_Boolean okToSpawn = PKIX_FALSE; |
1251 PKIX_List *maps, | 1115 PKIX_Boolean found = PKIX_FALSE; |
1252 PKIX_PolicyCheckerState *state, | 1116 PKIX_List *subjectDomainPolicies = NULL; |
1253 void *plContext) | |
1254 { | |
1255 PKIX_Boolean childNodeCreated = PKIX_FALSE; | |
1256 PKIX_Boolean okToSpawn = PKIX_FALSE; | |
1257 PKIX_Boolean found = PKIX_FALSE; | |
1258 PKIX_List *subjectDomainPolicies = NULL; | |
1259 | 1117 |
1260 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckPolicy"); | 1118 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckPolicy"); |
1261 PKIX_NULLCHECK_THREE(policyOID, cert, state); | 1119 PKIX_NULLCHECK_THREE(policyOID, cert, state); |
1262 | 1120 |
1263 /* | 1121 /* |
1264 * If this is not the last certificate, get the set of | 1122 * If this is not the last certificate, get the set of |
1265 * subjectDomainPolicies that "policy" maps to, according to the | 1123 * subjectDomainPolicies that "policy" maps to, according to the |
1266 * current cert's policy mapping extension. That set will be NULL | 1124 * current cert's policy mapping extension. That set will be NULL |
1267 * if the current cert does not have a policy mapping extension, | 1125 * if the current cert does not have a policy mapping extension, |
1268 * or if the current policy is not mapped. | 1126 * or if the current policy is not mapped. |
1269 */ | 1127 */ |
1270 if (state->certsProcessed != (state->numCerts - 1)) { | 1128 if (state->certsProcessed != (state->numCerts - 1)) { |
1271 PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies | 1129 PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies( |
1272 (maps, policyOID, &subjectDomainPolicies, plContext), | 1130 maps, policyOID, &subjectDomainPolicies, plContext), |
1273 PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED); | 1131 PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED); |
1274 } | 1132 } |
1275 | 1133 |
1276 /* | 1134 /* |
1277 * Section 6.1.4(b)(2) tells us that if policyMapping is zero, we | 1135 * Section 6.1.4(b)(2) tells us that if policyMapping is zero, we |
1278 * will have to delete any nodes created with validPolicies equal to | 1136 * will have to delete any nodes created with validPolicies equal to |
1279 * policies that appear as issuerDomainPolicies in a policy mapping | 1137 * policies that appear as issuerDomainPolicies in a policy mapping |
1280 * extension. Let's avoid creating any such nodes. | 1138 * extension. Let's avoid creating any such nodes. |
1281 */ | 1139 */ |
1282 if ((state->policyMapping) == 0) { | 1140 if ((state->policyMapping) == 0) { |
1283 if (subjectDomainPolicies) { | 1141 if (subjectDomainPolicies) { |
1284 goto cleanup; | 1142 goto cleanup; |
1285 } | 1143 } |
1286 } | 1144 } |
1287 | 1145 |
1288 PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive | 1146 PKIX_CHECK(pkix_PolicyChecker_CheckPolicyRecursive( |
1289 (policyOID, | 1147 policyOID, policyQualifiers, subjectDomainPolicies, |
1290 policyQualifiers, | 1148 state->validPolicyTree, state, &childNodeCreated, plContext), |
1291 subjectDomainPolicies, | 1149 PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED); |
1292 state->validPolicyTree, | |
1293 state, | |
1294 &childNodeCreated, | |
1295 plContext), | |
1296 PKIX_POLICYCHECKERCHECKPOLICYRECURSIVEFAILED); | |
1297 | 1150 |
1298 if (!childNodeCreated) { | 1151 if (!childNodeCreated) { |
1299 /* | 1152 /* |
1300 * Section 6.1.3(d)(1)(ii) | 1153 * Section 6.1.3(d)(1)(ii) |
1301 * There was no match. If there was a node at | 1154 * There was no match. If there was a node at |
1302 * depth i-1 with valid policy anyPolicy, | 1155 * depth i-1 with valid policy anyPolicy, |
1303 * generate a node subordinate to that. | 1156 * generate a node subordinate to that. |
1304 * | 1157 * |
1305 * But that means this created node would be in | 1158 * But that means this created node would be in |
1306 * the valid-policy-node-set, and will be | 1159 * the valid-policy-node-set, and will be |
1307 * pruned in 6.1.5(g)(iii)(2) unless it is in | 1160 * pruned in 6.1.5(g)(iii)(2) unless it is in |
1308 * the user-initial-policy-set or the user- | 1161 * the user-initial-policy-set or the user- |
1309 * initial-policy-set is {anyPolicy}. So check, | 1162 * initial-policy-set is {anyPolicy}. So check, |
1310 * and don't create it if it will be pruned. | 1163 * and don't create it if it will be pruned. |
1311 */ | 1164 */ |
1312 if (state->anyPolicyNodeAtBottom) { | 1165 if (state->anyPolicyNodeAtBottom) { |
1313 if (state->initialIsAnyPolicy) { | 1166 if (state->initialIsAnyPolicy) { |
1314 okToSpawn = PKIX_TRUE; | 1167 okToSpawn = PKIX_TRUE; |
1315 } else { | 1168 } else { |
1316 PKIX_CHECK(pkix_List_Contains | 1169 PKIX_CHECK(pkix_List_Contains(state->mappedUserInitialPolicySet, |
1317 (state->mappedUserInitialPolicySet, | 1170 (PKIX_PL_Object *)policyOID, &okToSpawn, |
1318 (PKIX_PL_Object *)policyOID, | 1171 plContext), |
1319 &okToSpawn, | 1172 PKIX_LISTCONTAINSFAILED); |
1320 plContext), | 1173 } |
1321 PKIX_LISTCONTAINSFAILED); | 1174 if (okToSpawn) { |
1322 } | 1175 PKIX_CHECK( |
1323 if (okToSpawn) { | 1176 pkix_PolicyChecker_Spawn(state->anyPolicyNodeAtBottom, policyOID, |
1324 PKIX_CHECK(pkix_PolicyChecker_Spawn | 1177 policyQualifiers, subjectDomainPolicies, |
1325 (state->anyPolicyNodeAtBottom, | 1178 state, plContext), |
1326 policyOID, | 1179 PKIX_POLICYCHECKERSPAWNFAILED); |
1327 policyQualifiers, | 1180 childNodeCreated = PKIX_TRUE; |
1328 subjectDomainPolicies, | 1181 } |
1329 state, | 1182 } |
1330 plContext), | 1183 } |
1331 PKIX_POLICYCHECKERSPAWNFAILED); | |
1332 childNodeCreated = PKIX_TRUE; | |
1333 } | |
1334 } | |
1335 } | |
1336 | 1184 |
1337 if (childNodeCreated) { | 1185 if (childNodeCreated) { |
1338 /* | 1186 /* |
1339 * If this policy had qualifiers, and the certificate policies | 1187 * If this policy had qualifiers, and the certificate policies |
1340 * extension was marked critical, and the user cannot deal with | 1188 * extension was marked critical, and the user cannot deal with |
1341 * policy qualifiers, throw an error. | 1189 * policy qualifiers, throw an error. |
1342 */ | 1190 */ |
1343 if (policyQualifiers && | 1191 if (policyQualifiers && state->certPoliciesCritical && |
1344 state->certPoliciesCritical && | 1192 state->policyQualifiersRejected) { |
1345 state->policyQualifiersRejected) { | 1193 PKIX_ERROR(PKIX_QUALIFIERSINCRITICALCERTIFICATEPOLICYEXTENSION); |
1346 PKIX_ERROR | 1194 } |
1347 (PKIX_QUALIFIERSINCRITICALCERTIFICATEPOLICYEXTENSION); | 1195 /* |
1348 } | 1196 * If the policy we just propagated was in the list of mapped |
1349 /* | 1197 * policies, remove it from the list. That list is used, at the |
1350 * If the policy we just propagated was in the list of mapped | 1198 * end, to determine policies that have not been propagated. |
1351 * policies, remove it from the list. That list is used, at the | 1199 */ |
1352 * end, to determine policies that have not been propagated. | 1200 if (state->mappedPolicyOIDs) { |
1353 */ | 1201 PKIX_CHECK( |
1354 if (state->mappedPolicyOIDs) { | 1202 pkix_List_Contains(state->mappedPolicyOIDs, |
1355 PKIX_CHECK(pkix_List_Contains | 1203 (PKIX_PL_Object *)policyOID, &found, plContext), |
1356 (state->mappedPolicyOIDs, | 1204 PKIX_LISTCONTAINSFAILED); |
1357 (PKIX_PL_Object *)policyOID, | 1205 if (found) { |
1358 &found, | 1206 PKIX_CHECK(pkix_List_Remove(state->mappedPolicyOIDs, |
1359 plContext), | 1207 (PKIX_PL_Object *)policyOID, plContext), |
1360 PKIX_LISTCONTAINSFAILED); | 1208 PKIX_LISTREMOVEFAILED); |
1361 if (found) { | 1209 } |
1362 PKIX_CHECK(pkix_List_Remove | 1210 } |
1363 (state->mappedPolicyOIDs, | 1211 } |
1364 (PKIX_PL_Object *)policyOID, | |
1365 plContext), | |
1366 PKIX_LISTREMOVEFAILED); | |
1367 } | |
1368 } | |
1369 } | |
1370 | 1212 |
1371 cleanup: | 1213 cleanup: |
1372 | 1214 |
1373 PKIX_DECREF(subjectDomainPolicies); | 1215 PKIX_DECREF(subjectDomainPolicies); |
1374 | 1216 |
1375 PKIX_RETURN(CERTCHAINCHECKER); | 1217 PKIX_RETURN(CERTCHAINCHECKER); |
1376 } | 1218 } |
1377 | 1219 |
1378 /* | 1220 /* |
1379 * FUNCTION: pkix_PolicyChecker_CheckAny | 1221 * FUNCTION: pkix_PolicyChecker_CheckAny |
1380 * DESCRIPTION: | 1222 * DESCRIPTION: |
1381 * Performs the creation of PolicyNodes, for the PolicyNode pointed to by | 1223 * Performs the creation of PolicyNodes, for the PolicyNode pointed to by |
1382 * "currentNode" and PolicyNodes subordinate to it, using the List of | 1224 * "currentNode" and PolicyNodes subordinate to it, using the List of |
1383 * qualifiers pointed to by "qualsOfAny", in accordance with the current | 1225 * qualifiers pointed to by "qualsOfAny", in accordance with the current |
1384 * certificate's PolicyMaps pointed to by "policyMaps" and the current | 1226 * certificate's PolicyMaps pointed to by "policyMaps" and the current |
1385 * PolicyCheckerState pointed to by "state". | 1227 * PolicyCheckerState pointed to by "state". |
(...skipping 29 matching lines...) Expand all Loading... |
1415 * Must be non-NULL. | 1257 * Must be non-NULL. |
1416 * "plContext" | 1258 * "plContext" |
1417 * Platform-specific context pointer. | 1259 * Platform-specific context pointer. |
1418 * THREAD SAFETY: | 1260 * THREAD SAFETY: |
1419 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 1261 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
1420 * RETURNS: | 1262 * RETURNS: |
1421 * Returns NULL if the function succeeds | 1263 * Returns NULL if the function succeeds |
1422 * Returns a CertChainChecker Error if the functions fails in a non-fatal way | 1264 * Returns a CertChainChecker Error if the functions fails in a non-fatal way |
1423 * Returns a Fatal Error if the function fails in an unrecoverable way | 1265 * Returns a Fatal Error if the function fails in an unrecoverable way |
1424 */ | 1266 */ |
1425 static PKIX_Error * | 1267 static PKIX_Error *pkix_PolicyChecker_CheckAny( |
1426 pkix_PolicyChecker_CheckAny( | 1268 PKIX_PolicyNode *currentNode, |
1427 PKIX_PolicyNode *currentNode, | 1269 PKIX_List *qualsOfAny, /* CertPolicyQualifiers */ |
1428 PKIX_List *qualsOfAny, /* CertPolicyQualifiers */ | 1270 PKIX_List *policyMaps, /* CertPolicyMaps */ |
1429 PKIX_List *policyMaps, /* CertPolicyMaps */ | 1271 PKIX_PolicyCheckerState *state, void *plContext) { |
1430 PKIX_PolicyCheckerState *state, | 1272 PKIX_UInt32 depth = 0; |
1431 void *plContext) | 1273 PKIX_UInt32 numChildren = 0; |
1432 { | 1274 PKIX_UInt32 childIx = 0; |
1433 PKIX_UInt32 depth = 0; | 1275 PKIX_UInt32 numPolicies = 0; |
1434 PKIX_UInt32 numChildren = 0; | 1276 PKIX_UInt32 polx = 0; |
1435 PKIX_UInt32 childIx = 0; | 1277 PKIX_Boolean isIncluded = PKIX_FALSE; |
1436 PKIX_UInt32 numPolicies = 0; | 1278 PKIX_List *children = NULL; /* PolicyNodes */ |
1437 PKIX_UInt32 polx = 0; | 1279 PKIX_PolicyNode *childNode = NULL; |
1438 PKIX_Boolean isIncluded = PKIX_FALSE; | 1280 PKIX_List *expectedPolicies = NULL; /* OIDs */ |
1439 PKIX_List *children = NULL; /* PolicyNodes */ | 1281 PKIX_PL_OID *policyOID = NULL; |
1440 PKIX_PolicyNode *childNode = NULL; | 1282 PKIX_PL_OID *childPolicy = NULL; |
1441 PKIX_List *expectedPolicies = NULL; /* OIDs */ | 1283 PKIX_List *subjectDomainPolicies = NULL; /* OIDs */ |
1442 PKIX_PL_OID *policyOID = NULL; | |
1443 PKIX_PL_OID *childPolicy = NULL; | |
1444 PKIX_List *subjectDomainPolicies = NULL; /* OIDs */ | |
1445 | 1284 |
1446 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckAny"); | 1285 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CheckAny"); |
1447 PKIX_NULLCHECK_TWO(currentNode, state); | 1286 PKIX_NULLCHECK_TWO(currentNode, state); |
1448 | 1287 |
1449 PKIX_CHECK(PKIX_PolicyNode_GetDepth | 1288 PKIX_CHECK(PKIX_PolicyNode_GetDepth(currentNode, &depth, plContext), |
1450 (currentNode, &depth, plContext), | 1289 PKIX_POLICYNODEGETDEPTHFAILED); |
1451 PKIX_POLICYNODEGETDEPTHFAILED); | |
1452 | 1290 |
1453 PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable | 1291 PKIX_CHECK( |
1454 (currentNode, &children, plContext), | 1292 pkix_PolicyNode_GetChildrenMutable(currentNode, &children, plContext), |
1455 PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED); | 1293 PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED); |
1456 | 1294 |
1457 if (children) { | 1295 if (children) { |
1458 PKIX_CHECK(PKIX_List_GetLength | 1296 PKIX_CHECK(PKIX_List_GetLength(children, &numChildren, plContext), |
1459 (children, &numChildren, plContext), | 1297 PKIX_LISTGETLENGTHFAILED); |
1460 PKIX_LISTGETLENGTHFAILED); | 1298 } |
| 1299 |
| 1300 if (depth < (state->certsProcessed)) { |
| 1301 for (childIx = 0; childIx < numChildren; childIx++) { |
| 1302 |
| 1303 PKIX_CHECK(PKIX_List_GetItem(children, childIx, |
| 1304 (PKIX_PL_Object **)&childNode, plContext), |
| 1305 PKIX_LISTGETITEMFAILED); |
| 1306 |
| 1307 PKIX_NULLCHECK_ONE(childNode); |
| 1308 PKIX_CHECK(pkix_PolicyChecker_CheckAny(childNode, qualsOfAny, policyMaps, |
| 1309 state, plContext), |
| 1310 PKIX_POLICYCHECKERCHECKANYFAILED); |
| 1311 |
| 1312 PKIX_DECREF(childNode); |
| 1313 } |
| 1314 } else {/* if at the bottom of the tree */ |
| 1315 |
| 1316 PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies( |
| 1317 currentNode, &expectedPolicies, plContext), |
| 1318 PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED); |
| 1319 |
| 1320 /* Expected Policy Set is not allowed to be NULL */ |
| 1321 PKIX_NULLCHECK_ONE(expectedPolicies); |
| 1322 |
| 1323 PKIX_CHECK(PKIX_List_GetLength(expectedPolicies, &numPolicies, plContext), |
| 1324 PKIX_LISTGETLENGTHFAILED); |
| 1325 |
| 1326 for (polx = 0; polx < numPolicies; polx++) { |
| 1327 PKIX_CHECK(PKIX_List_GetItem(expectedPolicies, polx, |
| 1328 (PKIX_PL_Object **)&policyOID, plContext), |
| 1329 PKIX_LISTGETITEMFAILED); |
| 1330 |
| 1331 PKIX_NULLCHECK_ONE(policyOID); |
| 1332 |
| 1333 isIncluded = PKIX_FALSE; |
| 1334 |
| 1335 for (childIx = 0; (!isIncluded && (childIx < numChildren)); childIx++) { |
| 1336 |
| 1337 PKIX_CHECK(PKIX_List_GetItem(children, childIx, |
| 1338 (PKIX_PL_Object **)&childNode, plContext), |
| 1339 PKIX_LISTGETITEMFAILED); |
| 1340 |
| 1341 PKIX_NULLCHECK_ONE(childNode); |
| 1342 |
| 1343 PKIX_CHECK( |
| 1344 PKIX_PolicyNode_GetValidPolicy(childNode, &childPolicy, plContext), |
| 1345 PKIX_POLICYNODEGETVALIDPOLICYFAILED); |
| 1346 |
| 1347 PKIX_NULLCHECK_ONE(childPolicy); |
| 1348 |
| 1349 PKIX_EQUALS(policyOID, childPolicy, &isIncluded, plContext, |
| 1350 PKIX_OBJECTEQUALSFAILED); |
| 1351 |
| 1352 PKIX_DECREF(childNode); |
| 1353 PKIX_DECREF(childPolicy); |
| 1354 } |
| 1355 |
| 1356 if (!isIncluded) { |
| 1357 if (policyMaps) { |
| 1358 PKIX_CHECK( |
| 1359 pkix_PolicyChecker_MapGetSubjectDomainPolicies( |
| 1360 policyMaps, policyOID, &subjectDomainPolicies, plContext), |
| 1361 PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED); |
1461 } | 1362 } |
| 1363 PKIX_CHECK( |
| 1364 pkix_PolicyChecker_Spawn(currentNode, policyOID, qualsOfAny, |
| 1365 subjectDomainPolicies, state, plContext), |
| 1366 PKIX_POLICYCHECKERSPAWNFAILED); |
| 1367 PKIX_DECREF(subjectDomainPolicies); |
| 1368 } |
1462 | 1369 |
1463 if (depth < (state->certsProcessed)) { | 1370 PKIX_DECREF(policyOID); |
1464 for (childIx = 0; childIx < numChildren; childIx++) { | 1371 } |
1465 | 1372 } |
1466 PKIX_CHECK(PKIX_List_GetItem | |
1467 (children, | |
1468 childIx, | |
1469 (PKIX_PL_Object **)&childNode, | |
1470 plContext), | |
1471 PKIX_LISTGETITEMFAILED); | |
1472 | |
1473 PKIX_NULLCHECK_ONE(childNode); | |
1474 PKIX_CHECK(pkix_PolicyChecker_CheckAny | |
1475 (childNode, | |
1476 qualsOfAny, | |
1477 policyMaps, | |
1478 state, | |
1479 plContext), | |
1480 PKIX_POLICYCHECKERCHECKANYFAILED); | |
1481 | |
1482 PKIX_DECREF(childNode); | |
1483 } | |
1484 } else { /* if at the bottom of the tree */ | |
1485 | |
1486 PKIX_CHECK(PKIX_PolicyNode_GetExpectedPolicies | |
1487 (currentNode, &expectedPolicies, plContext), | |
1488 PKIX_POLICYNODEGETEXPECTEDPOLICIESFAILED); | |
1489 | |
1490 /* Expected Policy Set is not allowed to be NULL */ | |
1491 PKIX_NULLCHECK_ONE(expectedPolicies); | |
1492 | |
1493 PKIX_CHECK(PKIX_List_GetLength | |
1494 (expectedPolicies, &numPolicies, plContext), | |
1495 PKIX_LISTGETLENGTHFAILED); | |
1496 | |
1497 for (polx = 0; polx < numPolicies; polx++) { | |
1498 PKIX_CHECK(PKIX_List_GetItem | |
1499 (expectedPolicies, | |
1500 polx, | |
1501 (PKIX_PL_Object **)&policyOID, | |
1502 plContext), | |
1503 PKIX_LISTGETITEMFAILED); | |
1504 | |
1505 PKIX_NULLCHECK_ONE(policyOID); | |
1506 | |
1507 isIncluded = PKIX_FALSE; | |
1508 | |
1509 for (childIx = 0; | |
1510 (!isIncluded && (childIx < numChildren)); | |
1511 childIx++) { | |
1512 | |
1513 PKIX_CHECK(PKIX_List_GetItem | |
1514 (children, | |
1515 childIx, | |
1516 (PKIX_PL_Object **)&childNode, | |
1517 plContext), | |
1518 PKIX_LISTGETITEMFAILED); | |
1519 | |
1520 PKIX_NULLCHECK_ONE(childNode); | |
1521 | |
1522 PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy | |
1523 (childNode, &childPolicy, plContext), | |
1524 PKIX_POLICYNODEGETVALIDPOLICYFAILED); | |
1525 | |
1526 PKIX_NULLCHECK_ONE(childPolicy); | |
1527 | |
1528 PKIX_EQUALS(policyOID, childPolicy, &isIncluded, plContext, | |
1529 PKIX_OBJECTEQUALSFAILED); | |
1530 | |
1531 PKIX_DECREF(childNode); | |
1532 PKIX_DECREF(childPolicy); | |
1533 } | |
1534 | |
1535 if (!isIncluded) { | |
1536 if (policyMaps) { | |
1537 PKIX_CHECK | |
1538 (pkix_PolicyChecker_MapGetSubjectDomainPolicies | |
1539 (policyMaps, | |
1540 policyOID, | |
1541 &subjectDomainPolicies, | |
1542 plContext), | |
1543 PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED); | |
1544 } | |
1545 PKIX_CHECK(pkix_PolicyChecker_Spawn | |
1546 (currentNode, | |
1547 policyOID, | |
1548 qualsOfAny, | |
1549 subjectDomainPolicies, | |
1550 state, | |
1551 plContext), | |
1552 PKIX_POLICYCHECKERSPAWNFAILED); | |
1553 PKIX_DECREF(subjectDomainPolicies); | |
1554 } | |
1555 | |
1556 PKIX_DECREF(policyOID); | |
1557 } | |
1558 } | |
1559 | 1373 |
1560 cleanup: | 1374 cleanup: |
1561 | 1375 |
1562 PKIX_DECREF(children); | 1376 PKIX_DECREF(children); |
1563 PKIX_DECREF(childNode); | 1377 PKIX_DECREF(childNode); |
1564 PKIX_DECREF(expectedPolicies); | 1378 PKIX_DECREF(expectedPolicies); |
1565 PKIX_DECREF(policyOID); | 1379 PKIX_DECREF(policyOID); |
1566 PKIX_DECREF(childPolicy); | 1380 PKIX_DECREF(childPolicy); |
1567 PKIX_DECREF(subjectDomainPolicies); | 1381 PKIX_DECREF(subjectDomainPolicies); |
1568 | 1382 |
1569 PKIX_RETURN(CERTCHAINCHECKER); | 1383 PKIX_RETURN(CERTCHAINCHECKER); |
1570 | |
1571 } | 1384 } |
1572 | 1385 |
1573 /* | 1386 /* |
1574 * FUNCTION: pkix_PolicyChecker_CalculateIntersection | 1387 * FUNCTION: pkix_PolicyChecker_CalculateIntersection |
1575 * DESCRIPTION: | 1388 * DESCRIPTION: |
1576 * | 1389 * |
1577 * Processes the PolicyNode pointed to by "currentNode", and its descendants, | 1390 * Processes the PolicyNode pointed to by "currentNode", and its descendants, |
1578 * using the PolicyCheckerState pointed to by "state", using the List at | 1391 * using the PolicyCheckerState pointed to by "state", using the List at |
1579 * the address pointed to by "nominees" the OIDs of policies that are in the | 1392 * the address pointed to by "nominees" the OIDs of policies that are in the |
1580 * user-initial-policy-set but are not represented among the nodes at the | 1393 * user-initial-policy-set but are not represented among the nodes at the |
(...skipping 25 matching lines...) Expand all Loading... |
1606 * should be deleted, is stored. Must be non-NULL. | 1419 * should be deleted, is stored. Must be non-NULL. |
1607 * "plContext" | 1420 * "plContext" |
1608 * Platform-specific context pointer. | 1421 * Platform-specific context pointer. |
1609 * THREAD SAFETY: | 1422 * THREAD SAFETY: |
1610 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 1423 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
1611 * RETURNS: | 1424 * RETURNS: |
1612 * Returns NULL if the function succeeds | 1425 * Returns NULL if the function succeeds |
1613 * Returns a CertChainChecker Error if the functions fails in a non-fatal way | 1426 * Returns a CertChainChecker Error if the functions fails in a non-fatal way |
1614 * Returns a Fatal Error if the function fails in an unrecoverable way | 1427 * Returns a Fatal Error if the function fails in an unrecoverable way |
1615 */ | 1428 */ |
1616 static PKIX_Error * | 1429 static PKIX_Error *pkix_PolicyChecker_CalculateIntersection( |
1617 pkix_PolicyChecker_CalculateIntersection( | 1430 PKIX_PolicyNode *currentNode, PKIX_PolicyCheckerState *state, |
1618 PKIX_PolicyNode *currentNode, | 1431 PKIX_List *nominees, /* OIDs */ |
1619 PKIX_PolicyCheckerState *state, | 1432 PKIX_Boolean *pShouldBePruned, void *plContext) { |
1620 PKIX_List *nominees, /* OIDs */ | 1433 PKIX_Boolean currentPolicyIsAny = PKIX_FALSE; |
1621 PKIX_Boolean *pShouldBePruned, | 1434 PKIX_Boolean parentPolicyIsAny = PKIX_FALSE; |
1622 void *plContext) | 1435 PKIX_Boolean currentPolicyIsValid = PKIX_FALSE; |
1623 { | 1436 PKIX_Boolean shouldBePruned = PKIX_FALSE; |
1624 PKIX_Boolean currentPolicyIsAny = PKIX_FALSE; | 1437 PKIX_Boolean priorCriticality = PKIX_FALSE; |
1625 PKIX_Boolean parentPolicyIsAny = PKIX_FALSE; | 1438 PKIX_UInt32 depth = 0; |
1626 PKIX_Boolean currentPolicyIsValid = PKIX_FALSE; | 1439 PKIX_UInt32 numChildren = 0; |
1627 PKIX_Boolean shouldBePruned = PKIX_FALSE; | 1440 PKIX_UInt32 childIndex = 0; |
1628 PKIX_Boolean priorCriticality = PKIX_FALSE; | 1441 PKIX_UInt32 numNominees = 0; |
1629 PKIX_UInt32 depth = 0; | 1442 PKIX_UInt32 polIx = 0; |
1630 PKIX_UInt32 numChildren = 0; | 1443 PKIX_PL_OID *currentPolicy = NULL; |
1631 PKIX_UInt32 childIndex = 0; | 1444 PKIX_PL_OID *parentPolicy = NULL; |
1632 PKIX_UInt32 numNominees = 0; | 1445 PKIX_PL_OID *substPolicy = NULL; |
1633 PKIX_UInt32 polIx = 0; | 1446 PKIX_PolicyNode *parent = NULL; |
1634 PKIX_PL_OID *currentPolicy = NULL; | 1447 PKIX_PolicyNode *child = NULL; |
1635 PKIX_PL_OID *parentPolicy = NULL; | 1448 PKIX_List *children = NULL; /* PolicyNodes */ |
1636 PKIX_PL_OID *substPolicy = NULL; | 1449 PKIX_List *policyQualifiers = NULL; |
1637 PKIX_PolicyNode *parent = NULL; | 1450 |
1638 PKIX_PolicyNode *child = NULL; | 1451 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_CalculateIntersection"); |
1639 PKIX_List *children = NULL; /* PolicyNodes */ | 1452 |
1640 PKIX_List *policyQualifiers = NULL; | 1453 /* |
1641 | 1454 * We call this function if the valid_policy_tree is not NULL and |
1642 PKIX_ENTER | 1455 * the user-initial-policy-set is not any-policy. |
1643 (CERTCHAINCHECKER, | 1456 */ |
1644 "pkix_PolicyChecker_CalculateIntersection"); | 1457 if (!state->validPolicyTree || state->initialIsAnyPolicy) { |
1645 | 1458 PKIX_ERROR(PKIX_PRECONDITIONFAILED); |
1646 /* | 1459 } |
1647 * We call this function if the valid_policy_tree is not NULL and | 1460 |
1648 * the user-initial-policy-set is not any-policy. | 1461 PKIX_NULLCHECK_FOUR(currentNode, state, nominees, pShouldBePruned); |
1649 */ | 1462 |
1650 if (!state->validPolicyTree || state->initialIsAnyPolicy) { | 1463 PKIX_CHECK( |
1651 PKIX_ERROR(PKIX_PRECONDITIONFAILED); | 1464 PKIX_PolicyNode_GetValidPolicy(currentNode, ¤tPolicy, plContext), |
1652 } | 1465 PKIX_POLICYNODEGETVALIDPOLICYFAILED); |
1653 | 1466 |
1654 PKIX_NULLCHECK_FOUR(currentNode, state, nominees, pShouldBePruned); | 1467 PKIX_NULLCHECK_TWO(state->anyPolicyOID, currentPolicy); |
1655 | 1468 |
1656 PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy | 1469 PKIX_EQUALS(state->anyPolicyOID, currentPolicy, ¤tPolicyIsAny, |
1657 (currentNode, ¤tPolicy, plContext), | 1470 plContext, PKIX_OBJECTEQUALSFAILED); |
1658 PKIX_POLICYNODEGETVALIDPOLICYFAILED); | 1471 |
1659 | 1472 PKIX_CHECK(PKIX_PolicyNode_GetParent(currentNode, &parent, plContext), |
1660 PKIX_NULLCHECK_TWO(state->anyPolicyOID, currentPolicy); | 1473 PKIX_POLICYNODEGETPARENTFAILED); |
1661 | 1474 |
1662 PKIX_EQUALS | 1475 if (currentPolicyIsAny == PKIX_FALSE) { |
1663 (state->anyPolicyOID, | 1476 |
1664 currentPolicy, | 1477 /* |
1665 ¤tPolicyIsAny, | 1478 * If we are at the top of the tree, or if our |
1666 plContext, | 1479 * parent's validPolicy is anyPolicy, we are in |
1667 PKIX_OBJECTEQUALSFAILED); | 1480 * the valid policy node set. |
1668 | 1481 */ |
1669 PKIX_CHECK(PKIX_PolicyNode_GetParent(currentNode, &parent, plContext), | 1482 if (parent) { |
1670 PKIX_POLICYNODEGETPARENTFAILED); | 1483 PKIX_CHECK( |
1671 | 1484 PKIX_PolicyNode_GetValidPolicy(parent, &parentPolicy, plContext), |
1672 if (currentPolicyIsAny == PKIX_FALSE) { | 1485 PKIX_POLICYNODEGETVALIDPOLICYFAILED); |
1673 | 1486 |
1674 /* | 1487 PKIX_NULLCHECK_ONE(parentPolicy); |
1675 * If we are at the top of the tree, or if our | 1488 |
1676 * parent's validPolicy is anyPolicy, we are in | 1489 PKIX_EQUALS(state->anyPolicyOID, parentPolicy, &parentPolicyIsAny, |
1677 * the valid policy node set. | 1490 plContext, PKIX_OBJECTEQUALSFAILED); |
1678 */ | 1491 } |
1679 if (parent) { | 1492 |
1680 PKIX_CHECK(PKIX_PolicyNode_GetValidPolicy | 1493 /* |
1681 (parent, &parentPolicy, plContext), | 1494 * Section 6.1.5(g)(iii)(2) |
1682 PKIX_POLICYNODEGETVALIDPOLICYFAILED); | 1495 * If this node's policy is not in the user-initial-policy-set, |
1683 | 1496 * it is not in the intersection. Prune it. |
1684 PKIX_NULLCHECK_ONE(parentPolicy); | 1497 */ |
1685 | 1498 if (!parent || parentPolicyIsAny) { |
1686 PKIX_EQUALS | 1499 PKIX_CHECK(pkix_List_Contains(state->userInitialPolicySet, |
1687 (state->anyPolicyOID, | 1500 (PKIX_PL_Object *)currentPolicy, |
1688 parentPolicy, | 1501 ¤tPolicyIsValid, plContext), |
1689 &parentPolicyIsAny, | 1502 PKIX_LISTCONTAINSFAILED); |
1690 plContext, | 1503 if (!currentPolicyIsValid) { |
1691 PKIX_OBJECTEQUALSFAILED); | 1504 *pShouldBePruned = PKIX_TRUE; |
1692 } | 1505 goto cleanup; |
1693 | 1506 } |
1694 /* | 1507 |
1695 * Section 6.1.5(g)(iii)(2) | 1508 /* |
1696 * If this node's policy is not in the user-initial-policy-set, | 1509 * If this node's policy is in the user-initial-policy- |
1697 * it is not in the intersection. Prune it. | 1510 * set, it will propagate that policy into the next |
1698 */ | 1511 * level of the tree. Remove the policy from the list |
1699 if (!parent || parentPolicyIsAny) { | 1512 * of policies that an anyPolicy will spawn. |
1700 PKIX_CHECK(pkix_List_Contains | 1513 */ |
1701 (state->userInitialPolicySet, | 1514 PKIX_CHECK(pkix_List_Remove(nominees, (PKIX_PL_Object *)currentPolicy, |
1702 (PKIX_PL_Object *)currentPolicy, | 1515 plContext), |
1703 ¤tPolicyIsValid, | 1516 PKIX_LISTREMOVEFAILED); |
1704 plContext), | 1517 } |
1705 PKIX_LISTCONTAINSFAILED); | 1518 } |
1706 if (!currentPolicyIsValid) { | 1519 |
1707 *pShouldBePruned = PKIX_TRUE; | 1520 /* Are we at the bottom of the tree? */ |
1708 goto cleanup; | 1521 |
1709 } | 1522 PKIX_CHECK(PKIX_PolicyNode_GetDepth(currentNode, &depth, plContext), |
1710 | 1523 PKIX_POLICYNODEGETDEPTHFAILED); |
1711 /* | 1524 |
1712 * If this node's policy is in the user-initial-policy- | 1525 if (depth == (state->numCerts)) { |
1713 * set, it will propagate that policy into the next | 1526 /* |
1714 * level of the tree. Remove the policy from the list | 1527 * Section 6.1.5(g)(iii)(3) |
1715 * of policies that an anyPolicy will spawn. | 1528 * Replace anyPolicy nodes... |
1716 */ | 1529 */ |
1717 PKIX_CHECK(pkix_List_Remove | 1530 if (currentPolicyIsAny == PKIX_TRUE) { |
1718 (nominees, | 1531 |
1719 (PKIX_PL_Object *)currentPolicy, | 1532 /* replace this node */ |
1720 plContext), | 1533 |
1721 PKIX_LISTREMOVEFAILED); | 1534 PKIX_CHECK(PKIX_List_GetLength(nominees, &numNominees, plContext), |
1722 } | 1535 PKIX_LISTGETLENGTHFAILED); |
1723 } | 1536 |
1724 | 1537 if (numNominees) { |
1725 | 1538 |
1726 /* Are we at the bottom of the tree? */ | 1539 PKIX_CHECK(PKIX_PolicyNode_GetPolicyQualifiers( |
1727 | 1540 currentNode, &policyQualifiers, plContext), |
1728 PKIX_CHECK(PKIX_PolicyNode_GetDepth | 1541 PKIX_POLICYNODEGETPOLICYQUALIFIERSFAILED); |
1729 (currentNode, &depth, plContext), | 1542 |
1730 PKIX_POLICYNODEGETDEPTHFAILED); | 1543 PKIX_CHECK(PKIX_PolicyNode_IsCritical(currentNode, &priorCriticality, |
1731 | 1544 plContext), |
1732 if (depth == (state->numCerts)) { | 1545 PKIX_POLICYNODEISCRITICALFAILED); |
1733 /* | 1546 } |
1734 * Section 6.1.5(g)(iii)(3) | 1547 |
1735 * Replace anyPolicy nodes... | 1548 PKIX_NULLCHECK_ONE(parent); |
1736 */ | 1549 |
1737 if (currentPolicyIsAny == PKIX_TRUE) { | 1550 for (polIx = 0; polIx < numNominees; polIx++) { |
1738 | 1551 |
1739 /* replace this node */ | 1552 PKIX_CHECK( |
1740 | 1553 PKIX_List_GetItem(nominees, polIx, (PKIX_PL_Object **)&substPolicy, |
1741 PKIX_CHECK(PKIX_List_GetLength | 1554 plContext), |
1742 (nominees, &numNominees, plContext), | 1555 PKIX_LISTGETITEMFAILED); |
1743 PKIX_LISTGETLENGTHFAILED); | 1556 |
1744 | 1557 PKIX_CHECK( |
1745 if (numNominees) { | 1558 pkix_PolicyChecker_Spawn(parent, substPolicy, policyQualifiers, |
1746 | 1559 NULL, state, plContext), |
1747 PKIX_CHECK(PKIX_PolicyNode_GetPolicyQualifiers | 1560 PKIX_POLICYCHECKERSPAWNFAILED); |
1748 (currentNode, | 1561 |
1749 &policyQualifiers, | 1562 PKIX_DECREF(substPolicy); |
1750 plContext), | 1563 } |
1751 PKIX_POLICYNODEGETPOLICYQUALIFIERSFAILED); | 1564 /* remove currentNode from parent */ |
1752 | 1565 *pShouldBePruned = PKIX_TRUE; |
1753 PKIX_CHECK(PKIX_PolicyNode_IsCritical | 1566 /* |
1754 (currentNode, &priorCriticality, plContext), | 1567 * We can get away with augmenting the parent's List |
1755 PKIX_POLICYNODEISCRITICALFAILED); | 1568 * of children because we started at the end and went |
1756 } | 1569 * toward the beginning. New nodes are added at the end. |
1757 | 1570 */ |
1758 PKIX_NULLCHECK_ONE(parent); | 1571 } |
1759 | 1572 } else { |
1760 for (polIx = 0; polIx < numNominees; polIx++) { | 1573 /* |
1761 | 1574 * Section 6.1.5(g)(iii)(4) |
1762 PKIX_CHECK(PKIX_List_GetItem | 1575 * Prune any childless nodes above the bottom level |
1763 (nominees, | 1576 */ |
1764 polIx, | 1577 PKIX_CHECK( |
1765 (PKIX_PL_Object **)&substPolicy, | 1578 pkix_PolicyNode_GetChildrenMutable(currentNode, &children, plContext), |
1766 plContext), | 1579 PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED); |
1767 PKIX_LISTGETITEMFAILED); | 1580 |
1768 | 1581 /* CurrentNode should have been pruned if childless. */ |
1769 PKIX_CHECK(pkix_PolicyChecker_Spawn | 1582 PKIX_NULLCHECK_ONE(children); |
1770 (parent, | 1583 |
1771 substPolicy, | 1584 PKIX_CHECK(PKIX_List_GetLength(children, &numChildren, plContext), |
1772 policyQualifiers, | 1585 PKIX_LISTGETLENGTHFAILED); |
1773 NULL, | 1586 |
1774 state, | 1587 for (childIndex = numChildren; childIndex > 0; childIndex--) { |
1775 plContext), | 1588 |
1776 PKIX_POLICYCHECKERSPAWNFAILED); | 1589 PKIX_CHECK(PKIX_List_GetItem(children, childIndex - 1, |
1777 | 1590 (PKIX_PL_Object **)&child, plContext), |
1778 PKIX_DECREF(substPolicy); | 1591 PKIX_LISTGETITEMFAILED); |
1779 | 1592 |
1780 } | 1593 PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection( |
1781 /* remove currentNode from parent */ | 1594 child, state, nominees, &shouldBePruned, plContext), |
1782 *pShouldBePruned = PKIX_TRUE; | 1595 PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED); |
1783 /* | 1596 |
1784 * We can get away with augmenting the parent's List | 1597 if (PKIX_TRUE == shouldBePruned) { |
1785 * of children because we started at the end and went | 1598 |
1786 * toward the beginning. New nodes are added at the end. | 1599 PKIX_CHECK(PKIX_List_DeleteItem(children, childIndex - 1, plContext), |
1787 */ | 1600 PKIX_LISTDELETEITEMFAILED); |
1788 } | 1601 PKIX_CHECK( |
1789 } else { | 1602 PKIX_PL_Object_InvalidateCache((PKIX_PL_Object *)state, plContext), |
1790 /* | 1603 PKIX_OBJECTINVALIDATECACHEFAILED); |
1791 * Section 6.1.5(g)(iii)(4) | 1604 } |
1792 * Prune any childless nodes above the bottom level | 1605 |
1793 */ | 1606 PKIX_DECREF(child); |
1794 PKIX_CHECK(pkix_PolicyNode_GetChildrenMutable | 1607 } |
1795 (currentNode, &children, plContext), | 1608 |
1796 PKIX_POLICYNODEGETCHILDRENMUTABLEFAILED); | 1609 PKIX_CHECK(PKIX_List_GetLength(children, &numChildren, plContext), |
1797 | 1610 PKIX_LISTGETLENGTHFAILED); |
1798 /* CurrentNode should have been pruned if childless. */ | 1611 |
1799 PKIX_NULLCHECK_ONE(children); | 1612 if (numChildren == 0) { |
1800 | 1613 *pShouldBePruned = PKIX_TRUE; |
1801 PKIX_CHECK(PKIX_List_GetLength | 1614 } |
1802 (children, &numChildren, plContext), | 1615 } |
1803 PKIX_LISTGETLENGTHFAILED); | |
1804 | |
1805 for (childIndex = numChildren; childIndex > 0; childIndex--) { | |
1806 | |
1807 PKIX_CHECK(PKIX_List_GetItem | |
1808 (children, | |
1809 childIndex - 1, | |
1810 (PKIX_PL_Object **)&child, | |
1811 plContext), | |
1812 PKIX_LISTGETITEMFAILED); | |
1813 | |
1814 PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection | |
1815 (child, state, nominees, &shouldBePruned, plContext), | |
1816 PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED); | |
1817 | |
1818 if (PKIX_TRUE == shouldBePruned) { | |
1819 | |
1820 PKIX_CHECK(PKIX_List_DeleteItem | |
1821 (children, childIndex - 1, plContext), | |
1822 PKIX_LISTDELETEITEMFAILED); | |
1823 PKIX_CHECK(PKIX_PL_Object_InvalidateCache | |
1824 ((PKIX_PL_Object *)state, plContext), | |
1825 PKIX_OBJECTINVALIDATECACHEFAILED); | |
1826 } | |
1827 | |
1828 PKIX_DECREF(child); | |
1829 } | |
1830 | |
1831 PKIX_CHECK(PKIX_List_GetLength | |
1832 (children, &numChildren, plContext), | |
1833 PKIX_LISTGETLENGTHFAILED); | |
1834 | |
1835 if (numChildren == 0) { | |
1836 *pShouldBePruned = PKIX_TRUE; | |
1837 } | |
1838 } | |
1839 cleanup: | 1616 cleanup: |
1840 PKIX_DECREF(currentPolicy); | 1617 PKIX_DECREF(currentPolicy); |
1841 PKIX_DECREF(parentPolicy); | 1618 PKIX_DECREF(parentPolicy); |
1842 PKIX_DECREF(substPolicy); | 1619 PKIX_DECREF(substPolicy); |
1843 PKIX_DECREF(parent); | 1620 PKIX_DECREF(parent); |
1844 PKIX_DECREF(child); | 1621 PKIX_DECREF(child); |
1845 PKIX_DECREF(children); | 1622 PKIX_DECREF(children); |
1846 PKIX_DECREF(policyQualifiers); | 1623 PKIX_DECREF(policyQualifiers); |
1847 | 1624 |
1848 PKIX_RETURN(CERTCHAINCHECKER); | 1625 PKIX_RETURN(CERTCHAINCHECKER); |
1849 | |
1850 } | 1626 } |
1851 | 1627 |
1852 /* | 1628 /* |
1853 * FUNCTION: pkix_PolicyChecker_PolicyMapProcessing | 1629 * FUNCTION: pkix_PolicyChecker_PolicyMapProcessing |
1854 * DESCRIPTION: | 1630 * DESCRIPTION: |
1855 * | 1631 * |
1856 * Performs the processing of Policies in the List of CertPolicyMaps pointed | 1632 * Performs the processing of Policies in the List of CertPolicyMaps pointed |
1857 * to by "policyMaps", using and updating the PolicyCheckerState pointed to by | 1633 * to by "policyMaps", using and updating the PolicyCheckerState pointed to by |
1858 * "state". | 1634 * "state". |
1859 * | 1635 * |
(...skipping 16 matching lines...) Expand all Loading... |
1876 * Must be non-NULL. | 1652 * Must be non-NULL. |
1877 * "plContext" | 1653 * "plContext" |
1878 * Platform-specific context pointer. | 1654 * Platform-specific context pointer. |
1879 * THREAD SAFETY: | 1655 * THREAD SAFETY: |
1880 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 1656 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
1881 * RETURNS: | 1657 * RETURNS: |
1882 * Returns NULL if the function succeeds | 1658 * Returns NULL if the function succeeds |
1883 * Returns a CertChainChecker Error if the functions fails in a non-fatal way | 1659 * Returns a CertChainChecker Error if the functions fails in a non-fatal way |
1884 * Returns a Fatal Error if the function fails in an unrecoverable way | 1660 * Returns a Fatal Error if the function fails in an unrecoverable way |
1885 */ | 1661 */ |
1886 static PKIX_Error * | 1662 static PKIX_Error *pkix_PolicyChecker_PolicyMapProcessing( |
1887 pkix_PolicyChecker_PolicyMapProcessing( | 1663 PKIX_List *policyMaps, /* CertPolicyMaps */ |
1888 PKIX_List *policyMaps, /* CertPolicyMaps */ | 1664 PKIX_Boolean certPoliciesIncludeAny, PKIX_List *qualsOfAny, |
1889 PKIX_Boolean certPoliciesIncludeAny, | 1665 PKIX_PolicyCheckerState *state, void *plContext) { |
1890 PKIX_List *qualsOfAny, | 1666 PKIX_UInt32 numPolicies = 0; |
1891 PKIX_PolicyCheckerState *state, | 1667 PKIX_UInt32 polX = 0; |
1892 void *plContext) | 1668 PKIX_PL_OID *policyOID = NULL; |
1893 { | 1669 PKIX_List *newMappedPolicies = NULL; /* OIDs */ |
1894 PKIX_UInt32 numPolicies = 0; | 1670 PKIX_List *subjectDomainPolicies = NULL; /* OIDs */ |
1895 PKIX_UInt32 polX = 0; | |
1896 PKIX_PL_OID *policyOID = NULL; | |
1897 PKIX_List *newMappedPolicies = NULL; /* OIDs */ | |
1898 PKIX_List *subjectDomainPolicies = NULL; /* OIDs */ | |
1899 | 1671 |
1900 PKIX_ENTER | 1672 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_PolicyMapProcessing"); |
1901 (CERTCHAINCHECKER, | 1673 PKIX_NULLCHECK_THREE(policyMaps, state, state->mappedUserInitialPolicySet); |
1902 "pkix_PolicyChecker_PolicyMapProcessing"); | |
1903 PKIX_NULLCHECK_THREE | |
1904 (policyMaps, | |
1905 state, | |
1906 state->mappedUserInitialPolicySet); | |
1907 | 1674 |
1908 /* | 1675 /* |
1909 * For each policy in mappedUserInitialPolicySet, if it is not mapped, | 1676 * For each policy in mappedUserInitialPolicySet, if it is not mapped, |
1910 * append it to new policySet; if it is mapped, append its | 1677 * append it to new policySet; if it is mapped, append its |
1911 * subjectDomainPolicies to new policySet. When done, this new | 1678 * subjectDomainPolicies to new policySet. When done, this new |
1912 * policySet will replace mappedUserInitialPolicySet. | 1679 * policySet will replace mappedUserInitialPolicySet. |
1913 */ | 1680 */ |
1914 PKIX_CHECK(PKIX_List_Create | 1681 PKIX_CHECK(PKIX_List_Create(&newMappedPolicies, plContext), |
1915 (&newMappedPolicies, plContext), | 1682 PKIX_LISTCREATEFAILED); |
1916 PKIX_LISTCREATEFAILED); | |
1917 | 1683 |
1918 PKIX_CHECK(PKIX_List_GetLength | 1684 PKIX_CHECK(PKIX_List_GetLength(state->mappedUserInitialPolicySet, |
1919 (state->mappedUserInitialPolicySet, | 1685 &numPolicies, plContext), |
1920 &numPolicies, | 1686 PKIX_LISTGETLENGTHFAILED); |
1921 plContext), | |
1922 PKIX_LISTGETLENGTHFAILED); | |
1923 | 1687 |
1924 for (polX = 0; polX < numPolicies; polX++) { | 1688 for (polX = 0; polX < numPolicies; polX++) { |
1925 | 1689 |
1926 PKIX_CHECK(PKIX_List_GetItem | 1690 PKIX_CHECK(PKIX_List_GetItem(state->mappedUserInitialPolicySet, polX, |
1927 (state->mappedUserInitialPolicySet, | 1691 (PKIX_PL_Object **)&policyOID, plContext), |
1928 polX, | 1692 PKIX_LISTGETITEMFAILED); |
1929 (PKIX_PL_Object **)&policyOID, | |
1930 plContext), | |
1931 PKIX_LISTGETITEMFAILED); | |
1932 | 1693 |
1933 PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies | 1694 PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies( |
1934 (policyMaps, | 1695 policyMaps, policyOID, &subjectDomainPolicies, plContext), |
1935 policyOID, | 1696 PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED); |
1936 &subjectDomainPolicies, | |
1937 plContext), | |
1938 PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED); | |
1939 | 1697 |
1940 if (subjectDomainPolicies) { | 1698 if (subjectDomainPolicies) { |
1941 | 1699 |
1942 PKIX_CHECK(pkix_List_AppendUnique | 1700 PKIX_CHECK(pkix_List_AppendUnique(newMappedPolicies, |
1943 (newMappedPolicies, | 1701 subjectDomainPolicies, plContext), |
1944 subjectDomainPolicies, | 1702 PKIX_LISTAPPENDUNIQUEFAILED); |
1945 plContext), | |
1946 PKIX_LISTAPPENDUNIQUEFAILED); | |
1947 | 1703 |
1948 PKIX_DECREF(subjectDomainPolicies); | 1704 PKIX_DECREF(subjectDomainPolicies); |
1949 | 1705 |
1950 } else { | 1706 } else { |
1951 PKIX_CHECK(PKIX_List_AppendItem | 1707 PKIX_CHECK(PKIX_List_AppendItem(newMappedPolicies, |
1952 (newMappedPolicies, | 1708 (PKIX_PL_Object *)policyOID, plContext), |
1953 (PKIX_PL_Object *)policyOID, | 1709 PKIX_LISTAPPENDITEMFAILED); |
1954 plContext), | 1710 } |
1955 PKIX_LISTAPPENDITEMFAILED); | 1711 PKIX_DECREF(policyOID); |
1956 } | 1712 } |
1957 PKIX_DECREF(policyOID); | |
1958 } | |
1959 | 1713 |
1960 /* | 1714 /* |
1961 * For each policy ID-P remaining in mappedPolicyOIDs, it has not been | 1715 * For each policy ID-P remaining in mappedPolicyOIDs, it has not been |
1962 * propagated to the bottom of the tree (depth i). If policyMapping | 1716 * propagated to the bottom of the tree (depth i). If policyMapping |
1963 * is greater than zero and this cert contains anyPolicy and the tree | 1717 * is greater than zero and this cert contains anyPolicy and the tree |
1964 * contains an anyPolicy node at depth i-1, then we must create a node | 1718 * contains an anyPolicy node at depth i-1, then we must create a node |
1965 * with validPolicy ID-P, the policy qualifiers of anyPolicy in | 1719 * with validPolicy ID-P, the policy qualifiers of anyPolicy in |
1966 * this certificate, and expectedPolicySet the subjectDomainPolicies | 1720 * this certificate, and expectedPolicySet the subjectDomainPolicies |
1967 * that ID-P maps to. We also then add those subjectDomainPolicies to | 1721 * that ID-P maps to. We also then add those subjectDomainPolicies to |
1968 * the list of policies that will be accepted in the next certificate, | 1722 * the list of policies that will be accepted in the next certificate, |
1969 * the mappedUserInitialPolicySet. | 1723 * the mappedUserInitialPolicySet. |
1970 */ | 1724 */ |
1971 | 1725 |
1972 if ((state->policyMapping > 0) && (certPoliciesIncludeAny) && | 1726 if ((state->policyMapping > 0) && (certPoliciesIncludeAny) && |
1973 (state->anyPolicyNodeAtBottom) && (state->mappedPolicyOIDs)) { | 1727 (state->anyPolicyNodeAtBottom) && (state->mappedPolicyOIDs)) { |
1974 | 1728 |
1975 PKIX_CHECK(PKIX_List_GetLength | 1729 PKIX_CHECK( |
1976 (state->mappedPolicyOIDs, | 1730 PKIX_List_GetLength(state->mappedPolicyOIDs, &numPolicies, plContext), |
1977 &numPolicies, | 1731 PKIX_LISTGETLENGTHFAILED); |
1978 plContext), | |
1979 PKIX_LISTGETLENGTHFAILED); | |
1980 | 1732 |
1981 for (polX = 0; polX < numPolicies; polX++) { | 1733 for (polX = 0; polX < numPolicies; polX++) { |
1982 | 1734 |
1983 PKIX_CHECK(PKIX_List_GetItem | 1735 PKIX_CHECK(PKIX_List_GetItem(state->mappedPolicyOIDs, polX, |
1984 (state->mappedPolicyOIDs, | 1736 (PKIX_PL_Object **)&policyOID, plContext), |
1985 polX, | 1737 PKIX_LISTGETITEMFAILED); |
1986 (PKIX_PL_Object **)&policyOID, | |
1987 plContext), | |
1988 PKIX_LISTGETITEMFAILED); | |
1989 | 1738 |
1990 PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies | 1739 PKIX_CHECK(pkix_PolicyChecker_MapGetSubjectDomainPolicies( |
1991 (policyMaps, | 1740 policyMaps, policyOID, &subjectDomainPolicies, plContext), |
1992 policyOID, | 1741 PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED); |
1993 &subjectDomainPolicies, | |
1994 plContext), | |
1995 PKIX_POLICYCHECKERMAPGETSUBJECTDOMAINPOLICIESFAILED); | |
1996 | 1742 |
1997 PKIX_CHECK(pkix_PolicyChecker_Spawn | 1743 PKIX_CHECK(pkix_PolicyChecker_Spawn( |
1998 (state->anyPolicyNodeAtBottom, | 1744 state->anyPolicyNodeAtBottom, policyOID, qualsOfAny, |
1999 policyOID, | 1745 subjectDomainPolicies, state, plContext), |
2000 qualsOfAny, | 1746 PKIX_POLICYCHECKERSPAWNFAILED); |
2001 subjectDomainPolicies, | |
2002 state, | |
2003 plContext), | |
2004 PKIX_POLICYCHECKERSPAWNFAILED); | |
2005 | 1747 |
2006 PKIX_CHECK(pkix_List_AppendUnique | 1748 PKIX_CHECK(pkix_List_AppendUnique(newMappedPolicies, |
2007 (newMappedPolicies, | 1749 subjectDomainPolicies, plContext), |
2008 subjectDomainPolicies, | 1750 PKIX_LISTAPPENDUNIQUEFAILED); |
2009 plContext), | |
2010 PKIX_LISTAPPENDUNIQUEFAILED); | |
2011 | 1751 |
2012 PKIX_DECREF(subjectDomainPolicies); | 1752 PKIX_DECREF(subjectDomainPolicies); |
2013 PKIX_DECREF(policyOID); | 1753 PKIX_DECREF(policyOID); |
2014 } | 1754 } |
2015 } | 1755 } |
2016 | 1756 |
2017 PKIX_CHECK(PKIX_List_SetImmutable(newMappedPolicies, plContext), | 1757 PKIX_CHECK(PKIX_List_SetImmutable(newMappedPolicies, plContext), |
2018 PKIX_LISTSETIMMUTABLEFAILED); | 1758 PKIX_LISTSETIMMUTABLEFAILED); |
2019 | 1759 |
2020 PKIX_DECREF(state->mappedUserInitialPolicySet); | 1760 PKIX_DECREF(state->mappedUserInitialPolicySet); |
2021 PKIX_INCREF(newMappedPolicies); | 1761 PKIX_INCREF(newMappedPolicies); |
2022 | 1762 |
2023 state->mappedUserInitialPolicySet = newMappedPolicies; | 1763 state->mappedUserInitialPolicySet = newMappedPolicies; |
2024 | 1764 |
2025 cleanup: | 1765 cleanup: |
2026 | 1766 |
2027 PKIX_DECREF(policyOID); | 1767 PKIX_DECREF(policyOID); |
2028 PKIX_DECREF(newMappedPolicies); | 1768 PKIX_DECREF(newMappedPolicies); |
2029 PKIX_DECREF(subjectDomainPolicies); | 1769 PKIX_DECREF(subjectDomainPolicies); |
2030 | 1770 |
2031 PKIX_RETURN(CERTCHAINCHECKER); | 1771 PKIX_RETURN(CERTCHAINCHECKER); |
2032 } | 1772 } |
2033 | 1773 |
2034 /* | 1774 /* |
2035 * FUNCTION: pkix_PolicyChecker_WrapUpProcessing | 1775 * FUNCTION: pkix_PolicyChecker_WrapUpProcessing |
2036 * DESCRIPTION: | 1776 * DESCRIPTION: |
2037 * | 1777 * |
2038 * Performs the wrap-up processing for the Cert pointed to by "cert", | 1778 * Performs the wrap-up processing for the Cert pointed to by "cert", |
2039 * using and updating the PolicyCheckerState pointed to by "state". | 1779 * using and updating the PolicyCheckerState pointed to by "state". |
2040 * | 1780 * |
2041 * This function implements the wrap-up processing described in RFC3280 | 1781 * This function implements the wrap-up processing described in RFC3280 |
2042 * Section 6.1.5, after the final certificate has been processed. Section | 1782 * Section 6.1.5, after the final certificate has been processed. Section |
2043 * references in the comments are to that document. | 1783 * references in the comments are to that document. |
2044 * | 1784 * |
2045 * PARAMETERS: | 1785 * PARAMETERS: |
2046 * "cert" | 1786 * "cert" |
2047 * Address of the current (presumably the end entity) certificate. | 1787 * Address of the current (presumably the end entity) certificate. |
2048 * Must be non-NULL. | 1788 * Must be non-NULL. |
2049 * "state" | 1789 * "state" |
2050 * Address of the current state of the PKIX_PolicyChecker. | 1790 * Address of the current state of the PKIX_PolicyChecker. |
2051 * Must be non-NULL. | 1791 * Must be non-NULL. |
2052 * "plContext" | 1792 * "plContext" |
2053 * Platform-specific context pointer. | 1793 * Platform-specific context pointer. |
2054 * THREAD SAFETY: | 1794 * THREAD SAFETY: |
2055 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 1795 * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
2056 * RETURNS: | 1796 * RETURNS: |
2057 * Returns NULL if the function succeeds | 1797 * Returns NULL if the function succeeds |
2058 * Returns a CertChainChecker Error if the functions fails in a non-fatal way | 1798 * Returns a CertChainChecker Error if the functions fails in a non-fatal way |
2059 * Returns a Fatal Error if the function fails in an unrecoverable way | 1799 * Returns a Fatal Error if the function fails in an unrecoverable way |
2060 */ | 1800 */ |
2061 static PKIX_Error * | 1801 static PKIX_Error *pkix_PolicyChecker_WrapUpProcessing( |
2062 pkix_PolicyChecker_WrapUpProcessing( | 1802 PKIX_PL_Cert *cert, PKIX_PolicyCheckerState *state, void *plContext) { |
2063 PKIX_PL_Cert *cert, | 1803 PKIX_Int32 explicitPolicySkipCerts = 0; |
2064 PKIX_PolicyCheckerState *state, | 1804 PKIX_Boolean isSelfIssued = PKIX_FALSE; |
2065 void *plContext) | 1805 PKIX_Boolean shouldBePruned = PKIX_FALSE; |
2066 { | 1806 PKIX_List *nominees = NULL; /* OIDs */ |
2067 PKIX_Int32 explicitPolicySkipCerts = 0; | 1807 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG |
2068 PKIX_Boolean isSelfIssued = PKIX_FALSE; | 1808 PKIX_PL_String *stateString = NULL; |
2069 PKIX_Boolean shouldBePruned = PKIX_FALSE; | 1809 char *stateAscii = NULL; |
2070 PKIX_List *nominees = NULL; /* OIDs */ | 1810 PKIX_UInt32 length; |
2071 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG | 1811 #endif |
2072 PKIX_PL_String *stateString = NULL; | 1812 |
2073 char *stateAscii = NULL; | 1813 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_WrapUpProcessing"); |
2074 PKIX_UInt32 length; | 1814 PKIX_NULLCHECK_THREE(cert, state, state->userInitialPolicySet); |
2075 #endif | 1815 |
2076 | 1816 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG |
2077 PKIX_ENTER | 1817 PKIX_CHECK( |
2078 (CERTCHAINCHECKER, | 1818 PKIX_PL_Object_ToString((PKIX_PL_Object *)state, &stateString, plContext), |
2079 "pkix_PolicyChecker_WrapUpProcessing"); | 1819 PKIX_OBJECTTOSTRINGFAILED); |
2080 PKIX_NULLCHECK_THREE(cert, state, state->userInitialPolicySet); | 1820 |
2081 | 1821 PKIX_CHECK( |
2082 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG | 1822 PKIX_PL_String_GetEncoded(stateString, PKIX_ESCASCII, |
2083 PKIX_CHECK(PKIX_PL_Object_ToString | 1823 (void **)&stateAscii, &length, plContext), |
2084 ((PKIX_PL_Object*)state, &stateString, plContext), | 1824 PKIX_STRINGGETENCODEDFAILED); |
2085 PKIX_OBJECTTOSTRINGFAILED); | 1825 |
2086 | 1826 PKIX_DEBUG_ARG("%s\n", stateAscii); |
2087 PKIX_CHECK(PKIX_PL_String_GetEncoded | 1827 |
2088 (stateString, | 1828 PKIX_FREE(stateAscii); |
2089 PKIX_ESCASCII, | 1829 PKIX_DECREF(stateString); |
2090 (void **)&stateAscii, | 1830 #endif |
2091 &length, | 1831 |
2092 plContext), | 1832 /* Section 6.1.5(a) ... */ |
2093 PKIX_STRINGGETENCODEDFAILED); | 1833 PKIX_CHECK(pkix_IsCertSelfIssued(cert, &isSelfIssued, plContext), |
2094 | 1834 PKIX_ISCERTSELFISSUEDFAILED); |
2095 PKIX_DEBUG_ARG("%s\n", stateAscii); | 1835 |
2096 | 1836 if (!isSelfIssued) { |
2097 PKIX_FREE(stateAscii); | 1837 if (state->explicitPolicy > 0) { |
2098 PKIX_DECREF(stateString); | 1838 |
2099 #endif | 1839 state->explicitPolicy--; |
2100 | 1840 |
2101 /* Section 6.1.5(a) ... */ | 1841 PKIX_CHECK( |
2102 PKIX_CHECK(pkix_IsCertSelfIssued | 1842 PKIX_PL_Object_InvalidateCache((PKIX_PL_Object *)state, plContext), |
2103 (cert, &isSelfIssued, plContext), | 1843 PKIX_OBJECTINVALIDATECACHEFAILED); |
2104 PKIX_ISCERTSELFISSUEDFAILED); | 1844 } |
2105 | 1845 } |
2106 if (!isSelfIssued) { | 1846 |
2107 if (state->explicitPolicy > 0) { | 1847 /* Section 6.1.5(b) ... */ |
2108 | 1848 PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy( |
2109 state->explicitPolicy--; | 1849 cert, &explicitPolicySkipCerts, plContext), |
2110 | 1850 PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED); |
2111 PKIX_CHECK(PKIX_PL_Object_InvalidateCache | 1851 |
2112 ((PKIX_PL_Object *)state, plContext), | 1852 if (explicitPolicySkipCerts == 0) { |
2113 PKIX_OBJECTINVALIDATECACHEFAILED); | 1853 state->explicitPolicy = 0; |
2114 } | 1854 } |
2115 } | 1855 |
2116 | 1856 /* Section 6.1.5(g)(i) ... */ |
2117 /* Section 6.1.5(b) ... */ | 1857 |
2118 PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy | 1858 if (!(state->validPolicyTree)) { |
2119 (cert, &explicitPolicySkipCerts, plContext), | 1859 goto cleanup; |
2120 PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED); | 1860 } |
2121 | 1861 |
2122 if (explicitPolicySkipCerts == 0) { | 1862 /* Section 6.1.5(g)(ii) ... */ |
2123 state->explicitPolicy = 0; | 1863 |
2124 } | 1864 if (state->initialIsAnyPolicy) { |
2125 | 1865 goto cleanup; |
2126 /* Section 6.1.5(g)(i) ... */ | 1866 } |
2127 | 1867 |
2128 if (!(state->validPolicyTree)) { | 1868 /* |
2129 goto cleanup; | 1869 * Section 6.1.5(g)(iii) ... |
2130 } | 1870 * Create a list of policies which could be substituted for anyPolicy. |
2131 | 1871 * Start with a (mutable) copy of user-initial-policy-set. |
2132 /* Section 6.1.5(g)(ii) ... */ | 1872 */ |
2133 | 1873 PKIX_CHECK(pkix_PolicyChecker_MakeMutableCopy(state->userInitialPolicySet, |
2134 if (state->initialIsAnyPolicy) { | 1874 &nominees, plContext), |
2135 goto cleanup; | 1875 PKIX_POLICYCHECKERMAKEMUTABLECOPYFAILED); |
2136 } | 1876 |
2137 | 1877 PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection( |
2138 /* | 1878 state->validPolicyTree, /* node at top of tree */ |
2139 * Section 6.1.5(g)(iii) ... | 1879 state, nominees, &shouldBePruned, plContext), |
2140 * Create a list of policies which could be substituted for anyPolicy. | 1880 PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED); |
2141 * Start with a (mutable) copy of user-initial-policy-set. | 1881 |
2142 */ | 1882 if (PKIX_TRUE == shouldBePruned) { |
2143 PKIX_CHECK(pkix_PolicyChecker_MakeMutableCopy | 1883 PKIX_DECREF(state->validPolicyTree); |
2144 (state->userInitialPolicySet, &nominees, plContext), | 1884 } |
2145 PKIX_POLICYCHECKERMAKEMUTABLECOPYFAILED); | 1885 |
2146 | 1886 if (state->validPolicyTree) { |
2147 PKIX_CHECK(pkix_PolicyChecker_CalculateIntersection | 1887 PKIX_CHECK(PKIX_PL_Object_InvalidateCache( |
2148 (state->validPolicyTree, /* node at top of tree */ | 1888 (PKIX_PL_Object *)state->validPolicyTree, plContext), |
2149 state, | 1889 PKIX_OBJECTINVALIDATECACHEFAILED); |
2150 nominees, | 1890 } |
2151 &shouldBePruned, | 1891 |
2152 plContext), | 1892 PKIX_CHECK(PKIX_PL_Object_InvalidateCache((PKIX_PL_Object *)state, plContext), |
2153 PKIX_POLICYCHECKERCALCULATEINTERSECTIONFAILED); | 1893 PKIX_OBJECTINVALIDATECACHEFAILED); |
2154 | 1894 |
2155 if (PKIX_TRUE == shouldBePruned) { | 1895 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG |
2156 PKIX_DECREF(state->validPolicyTree); | 1896 if (state->validPolicyTree) { |
2157 } | 1897 PKIX_CHECK(PKIX_PL_Object_ToString((PKIX_PL_Object *)state, &stateString, |
2158 | 1898 plContext), |
2159 if (state->validPolicyTree) { | 1899 PKIX_OBJECTTOSTRINGFAILED); |
2160 PKIX_CHECK(PKIX_PL_Object_InvalidateCache | 1900 |
2161 ((PKIX_PL_Object *)state->validPolicyTree, plContext), | 1901 PKIX_CHECK( |
2162 PKIX_OBJECTINVALIDATECACHEFAILED); | 1902 PKIX_PL_String_GetEncoded(stateString, PKIX_ESCASCII, |
2163 } | 1903 (void **)&stateAscii, &length, plContext), |
2164 | 1904 PKIX_STRINGGETENCODEDFAILED); |
2165 PKIX_CHECK(PKIX_PL_Object_InvalidateCache | 1905 |
2166 ((PKIX_PL_Object *)state, plContext), | 1906 PKIX_DEBUG_ARG("After CalculateIntersection:\n%s\n", stateAscii); |
2167 PKIX_OBJECTINVALIDATECACHEFAILED); | 1907 |
2168 | 1908 PKIX_FREE(stateAscii); |
2169 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG | 1909 PKIX_DECREF(stateString); |
2170 if (state->validPolicyTree) { | 1910 } else { |
2171 PKIX_CHECK(PKIX_PL_Object_ToString | 1911 PKIX_DEBUG("validPolicyTree is NULL\n"); |
2172 ((PKIX_PL_Object*)state, &stateString, plContext), | 1912 } |
2173 PKIX_OBJECTTOSTRINGFAILED); | 1913 #endif |
2174 | 1914 |
2175 PKIX_CHECK(PKIX_PL_String_GetEncoded | 1915 /* Section 6.1.5(g)(iii)(4) ... */ |
2176 (stateString, | 1916 |
2177 PKIX_ESCASCII, | 1917 if (state->validPolicyTree) { |
2178 (void **)&stateAscii, | 1918 |
2179 &length, | 1919 PKIX_CHECK(pkix_PolicyNode_Prune(state->validPolicyTree, state->numCerts, |
2180 plContext), | 1920 &shouldBePruned, plContext), |
2181 PKIX_STRINGGETENCODEDFAILED); | 1921 PKIX_POLICYNODEPRUNEFAILED); |
2182 | 1922 |
2183 PKIX_DEBUG_ARG | 1923 if (shouldBePruned) { |
2184 ("After CalculateIntersection:\n%s\n", stateAscii); | 1924 PKIX_DECREF(state->validPolicyTree); |
2185 | 1925 } |
2186 PKIX_FREE(stateAscii); | 1926 } |
2187 PKIX_DECREF(stateString); | 1927 |
2188 } else { | 1928 if (state->validPolicyTree) { |
2189 PKIX_DEBUG("validPolicyTree is NULL\n"); | 1929 PKIX_CHECK(PKIX_PL_Object_InvalidateCache( |
2190 } | 1930 (PKIX_PL_Object *)state->validPolicyTree, plContext), |
2191 #endif | 1931 PKIX_OBJECTINVALIDATECACHEFAILED); |
2192 | 1932 } |
2193 /* Section 6.1.5(g)(iii)(4) ... */ | 1933 |
2194 | 1934 PKIX_CHECK(PKIX_PL_Object_InvalidateCache((PKIX_PL_Object *)state, plContext), |
2195 if (state->validPolicyTree) { | 1935 PKIX_OBJECTINVALIDATECACHEFAILED); |
2196 | 1936 |
2197 PKIX_CHECK(pkix_PolicyNode_Prune | 1937 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG |
2198 (state->validPolicyTree, | 1938 PKIX_CHECK( |
2199 state->numCerts, | 1939 PKIX_PL_Object_ToString((PKIX_PL_Object *)state, &stateString, plContext), |
2200 &shouldBePruned, | 1940 PKIX_OBJECTTOSTRINGFAILED); |
2201 plContext), | 1941 PKIX_CHECK( |
2202 PKIX_POLICYNODEPRUNEFAILED); | 1942 PKIX_PL_String_GetEncoded(stateString, PKIX_ESCASCII, |
2203 | 1943 (void **)&stateAscii, &length, plContext), |
2204 if (shouldBePruned) { | 1944 PKIX_STRINGGETENCODEDFAILED); |
2205 PKIX_DECREF(state->validPolicyTree); | 1945 PKIX_DEBUG_ARG("%s\n", stateAscii); |
2206 } | 1946 |
2207 } | 1947 PKIX_FREE(stateAscii); |
2208 | 1948 PKIX_DECREF(stateString); |
2209 if (state->validPolicyTree) { | |
2210 PKIX_CHECK(PKIX_PL_Object_InvalidateCache | |
2211 ((PKIX_PL_Object *)state->validPolicyTree, plContext), | |
2212 PKIX_OBJECTINVALIDATECACHEFAILED); | |
2213 } | |
2214 | |
2215 PKIX_CHECK(PKIX_PL_Object_InvalidateCache | |
2216 ((PKIX_PL_Object *)state, plContext), | |
2217 PKIX_OBJECTINVALIDATECACHEFAILED); | |
2218 | |
2219 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG | |
2220 PKIX_CHECK(PKIX_PL_Object_ToString | |
2221 ((PKIX_PL_Object*)state, &stateString, plContext), | |
2222 PKIX_OBJECTTOSTRINGFAILED); | |
2223 PKIX_CHECK(PKIX_PL_String_GetEncoded | |
2224 (stateString, | |
2225 PKIX_ESCASCII, | |
2226 (void **)&stateAscii, | |
2227 &length, | |
2228 plContext), | |
2229 PKIX_STRINGGETENCODEDFAILED); | |
2230 PKIX_DEBUG_ARG("%s\n", stateAscii); | |
2231 | |
2232 PKIX_FREE(stateAscii); | |
2233 PKIX_DECREF(stateString); | |
2234 #endif | 1949 #endif |
2235 | 1950 |
2236 cleanup: | 1951 cleanup: |
2237 | 1952 |
2238 PKIX_DECREF(nominees); | 1953 PKIX_DECREF(nominees); |
2239 | 1954 |
2240 PKIX_RETURN(CERTCHAINCHECKER); | 1955 PKIX_RETURN(CERTCHAINCHECKER); |
2241 } | 1956 } |
2242 | 1957 |
2243 | |
2244 /* | 1958 /* |
2245 * FUNCTION: pkix_PolicyChecker_Check | 1959 * FUNCTION: pkix_PolicyChecker_Check |
2246 * (see comments in pkix_checker.h for PKIX_CertChainChecker_CheckCallback) | 1960 * (see comments in pkix_checker.h for PKIX_CertChainChecker_CheckCallback) |
2247 * | 1961 * |
2248 * Labels referring to sections, such as "Section 6.1.3(d)", refer to | 1962 * Labels referring to sections, such as "Section 6.1.3(d)", refer to |
2249 * sections of RFC3280, Section 6.1.3 Basic Certificate Processing. | 1963 * sections of RFC3280, Section 6.1.3 Basic Certificate Processing. |
2250 * | 1964 * |
2251 * If a non-fatal error occurs, it is unlikely that policy processing can | 1965 * If a non-fatal error occurs, it is unlikely that policy processing can |
2252 * continue. But it is still possible that chain validation could succeed if | 1966 * continue. But it is still possible that chain validation could succeed if |
2253 * policy processing is non-critical. So if this function receives a non-fatal | 1967 * policy processing is non-critical. So if this function receives a non-fatal |
2254 * error from a lower level routine, it aborts policy processing by setting | 1968 * error from a lower level routine, it aborts policy processing by setting |
2255 * the validPolicyTree to NULL and tries to continue. | 1969 * the validPolicyTree to NULL and tries to continue. |
2256 * | 1970 * |
2257 */ | 1971 */ |
2258 static PKIX_Error * | 1972 static PKIX_Error *pkix_PolicyChecker_Check( |
2259 pkix_PolicyChecker_Check( | 1973 PKIX_CertChainChecker *checker, PKIX_PL_Cert *cert, |
2260 PKIX_CertChainChecker *checker, | 1974 PKIX_List *unresolvedCriticals, /* OIDs */ |
2261 PKIX_PL_Cert *cert, | 1975 void **pNBIOContext, void *plContext) { |
2262 PKIX_List *unresolvedCriticals, /* OIDs */ | 1976 PKIX_UInt32 numPolicies = 0; |
2263 void **pNBIOContext, | 1977 PKIX_UInt32 polX = 0; |
2264 void *plContext) | 1978 PKIX_Boolean result = PKIX_FALSE; |
2265 { | 1979 PKIX_Int32 inhibitMappingSkipCerts = 0; |
2266 PKIX_UInt32 numPolicies = 0; | 1980 PKIX_Int32 explicitPolicySkipCerts = 0; |
2267 PKIX_UInt32 polX = 0; | 1981 PKIX_Int32 inhibitAnyPolicySkipCerts = 0; |
2268 PKIX_Boolean result = PKIX_FALSE; | 1982 PKIX_Boolean shouldBePruned = PKIX_FALSE; |
2269 PKIX_Int32 inhibitMappingSkipCerts = 0; | 1983 PKIX_Boolean isSelfIssued = PKIX_FALSE; |
2270 PKIX_Int32 explicitPolicySkipCerts = 0; | 1984 PKIX_Boolean certPoliciesIncludeAny = PKIX_FALSE; |
2271 PKIX_Int32 inhibitAnyPolicySkipCerts = 0; | 1985 PKIX_Boolean doAnyPolicyProcessing = PKIX_FALSE; |
2272 PKIX_Boolean shouldBePruned = PKIX_FALSE; | 1986 |
2273 PKIX_Boolean isSelfIssued = PKIX_FALSE; | 1987 PKIX_PolicyCheckerState *state = NULL; |
2274 PKIX_Boolean certPoliciesIncludeAny = PKIX_FALSE; | 1988 PKIX_List *certPolicyInfos = NULL; /* CertPolicyInfos */ |
2275 PKIX_Boolean doAnyPolicyProcessing = PKIX_FALSE; | 1989 PKIX_PL_CertPolicyInfo *policy = NULL; |
2276 | 1990 PKIX_PL_OID *policyOID = NULL; |
2277 PKIX_PolicyCheckerState *state = NULL; | 1991 PKIX_List *qualsOfAny = NULL; /* CertPolicyQualifiers */ |
2278 PKIX_List *certPolicyInfos = NULL; /* CertPolicyInfos */ | 1992 PKIX_List *policyQualifiers = NULL; /* CertPolicyQualifiers */ |
2279 PKIX_PL_CertPolicyInfo *policy = NULL; | 1993 PKIX_List *policyMaps = NULL; /* CertPolicyMaps */ |
2280 PKIX_PL_OID *policyOID = NULL; | 1994 PKIX_List *mappedPolicies = NULL; /* OIDs */ |
2281 PKIX_List *qualsOfAny = NULL; /* CertPolicyQualifiers */ | 1995 PKIX_Error *subroutineErr = NULL; |
2282 PKIX_List *policyQualifiers = NULL; /* CertPolicyQualifiers */ | 1996 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG |
2283 PKIX_List *policyMaps = NULL; /* CertPolicyMaps */ | 1997 PKIX_PL_String *stateString = NULL; |
2284 PKIX_List *mappedPolicies = NULL; /* OIDs */ | 1998 char *stateAscii = NULL; |
2285 PKIX_Error *subroutineErr = NULL; | 1999 PKIX_PL_String *certString = NULL; |
2286 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG | 2000 char *certAscii = NULL; |
2287 PKIX_PL_String *stateString = NULL; | 2001 PKIX_UInt32 length; |
2288 char *stateAscii = NULL; | 2002 #endif |
2289 PKIX_PL_String *certString = NULL; | 2003 |
2290 char *certAscii = NULL; | 2004 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Check"); |
2291 PKIX_UInt32 length; | 2005 PKIX_NULLCHECK_FOUR(checker, cert, unresolvedCriticals, pNBIOContext); |
2292 #endif | 2006 |
2293 | 2007 *pNBIOContext = NULL; /* we never block on pending I/O */ |
2294 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Check"); | 2008 |
2295 PKIX_NULLCHECK_FOUR(checker, cert, unresolvedCriticals, pNBIOContext); | 2009 PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState( |
2296 | 2010 checker, (PKIX_PL_Object **)&state, plContext), |
2297 *pNBIOContext = NULL; /* we never block on pending I/O */ | 2011 PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED); |
2298 | 2012 |
2299 PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState | 2013 PKIX_NULLCHECK_TWO(state, state->certPoliciesExtension); |
2300 (checker, (PKIX_PL_Object **)&state, plContext), | 2014 |
2301 PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED); | 2015 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG |
2302 | 2016 PKIX_CHECK( |
2303 PKIX_NULLCHECK_TWO(state, state->certPoliciesExtension); | 2017 PKIX_PL_Object_ToString((PKIX_PL_Object *)state, &stateString, plContext), |
2304 | 2018 PKIX_OBJECTTOSTRINGFAILED); |
2305 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG | 2019 PKIX_CHECK( |
2306 PKIX_CHECK(PKIX_PL_Object_ToString | 2020 PKIX_PL_String_GetEncoded(stateString, PKIX_ESCASCII, |
2307 ((PKIX_PL_Object*)state, &stateString, plContext), | 2021 (void **)&stateAscii, &length, plContext), |
2308 PKIX_OBJECTTOSTRINGFAILED); | 2022 PKIX_STRINGGETENCODEDFAILED); |
2309 PKIX_CHECK(PKIX_PL_String_GetEncoded | 2023 PKIX_DEBUG_ARG("On entry %s\n", stateAscii); |
2310 (stateString, | 2024 PKIX_FREE(stateAscii); |
2311 PKIX_ESCASCII, | 2025 PKIX_DECREF(stateString); |
2312 (void **)&stateAscii, | 2026 #endif |
2313 &length, | 2027 |
2314 plContext), | 2028 /* |
2315 PKIX_STRINGGETENCODEDFAILED); | 2029 * Section 6.1.4(a) |
2316 PKIX_DEBUG_ARG("On entry %s\n", stateAscii); | 2030 * If this is not the last certificate, and if |
2317 PKIX_FREE(stateAscii); | 2031 * policyMapping extension is present, check that no |
2318 PKIX_DECREF(stateString); | 2032 * issuerDomainPolicy or subjectDomainPolicy is equal to the |
2319 #endif | 2033 * special policy anyPolicy. |
2320 | 2034 */ |
2321 /* | 2035 if (state->certsProcessed != (state->numCerts - 1)) { |
2322 * Section 6.1.4(a) | 2036 PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappings(cert, &policyMaps, plContext), |
2323 * If this is not the last certificate, and if | 2037 PKIX_CERTGETPOLICYMAPPINGSFAILED); |
2324 * policyMapping extension is present, check that no | 2038 } |
2325 * issuerDomainPolicy or subjectDomainPolicy is equal to the | 2039 |
2326 * special policy anyPolicy. | 2040 if (policyMaps) { |
2327 */ | 2041 |
2328 if (state->certsProcessed != (state->numCerts - 1)) { | 2042 PKIX_CHECK(pkix_PolicyChecker_MapContains(policyMaps, state->anyPolicyOID, |
2329 PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappings | 2043 &result, plContext), |
2330 (cert, &policyMaps, plContext), | 2044 PKIX_POLICYCHECKERMAPCONTAINSFAILED); |
2331 PKIX_CERTGETPOLICYMAPPINGSFAILED); | 2045 |
| 2046 if (result) { |
| 2047 PKIX_ERROR(PKIX_INVALIDPOLICYMAPPINGINCLUDESANYPOLICY); |
| 2048 } |
| 2049 |
| 2050 PKIX_CHECK(pkix_PolicyChecker_MapGetMappedPolicies( |
| 2051 policyMaps, &mappedPolicies, plContext), |
| 2052 PKIX_POLICYCHECKERMAPGETMAPPEDPOLICIESFAILED); |
| 2053 |
| 2054 PKIX_DECREF(state->mappedPolicyOIDs); |
| 2055 PKIX_INCREF(mappedPolicies); |
| 2056 state->mappedPolicyOIDs = mappedPolicies; |
| 2057 } |
| 2058 |
| 2059 /* Section 6.1.3(d) */ |
| 2060 if (state->validPolicyTree) { |
| 2061 |
| 2062 PKIX_CHECK( |
| 2063 PKIX_PL_Cert_GetPolicyInformation(cert, &certPolicyInfos, plContext), |
| 2064 PKIX_CERTGETPOLICYINFORMATIONFAILED); |
| 2065 |
| 2066 if (certPolicyInfos) { |
| 2067 PKIX_CHECK(PKIX_List_GetLength(certPolicyInfos, &numPolicies, plContext), |
| 2068 PKIX_LISTGETLENGTHFAILED); |
| 2069 } |
| 2070 |
| 2071 if (numPolicies > 0) { |
| 2072 |
| 2073 PKIX_CHECK(PKIX_PL_Cert_AreCertPoliciesCritical( |
| 2074 cert, &(state->certPoliciesCritical), plContext), |
| 2075 PKIX_CERTARECERTPOLICIESCRITICALFAILED); |
| 2076 |
| 2077 /* Section 6.1.3(d)(1) For each policy not equal to anyPolicy */ |
| 2078 for (polX = 0; polX < numPolicies; polX++) { |
| 2079 |
| 2080 PKIX_CHECK(PKIX_List_GetItem(certPolicyInfos, polX, |
| 2081 (PKIX_PL_Object **)&policy, plContext), |
| 2082 PKIX_LISTGETITEMFAILED); |
| 2083 |
| 2084 PKIX_CHECK( |
| 2085 PKIX_PL_CertPolicyInfo_GetPolicyId(policy, &policyOID, plContext), |
| 2086 PKIX_CERTPOLICYINFOGETPOLICYIDFAILED); |
| 2087 |
| 2088 PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolQualifiers( |
| 2089 policy, &policyQualifiers, plContext), |
| 2090 PKIX_CERTPOLICYINFOGETPOLQUALIFIERSFAILED); |
| 2091 |
| 2092 PKIX_EQUALS(state->anyPolicyOID, policyOID, &result, plContext, |
| 2093 PKIX_OIDEQUALFAILED); |
| 2094 |
| 2095 if (result == PKIX_FALSE) { |
| 2096 |
| 2097 /* Section 6.1.3(d)(1)(i) */ |
| 2098 subroutineErr = pkix_PolicyChecker_CheckPolicy( |
| 2099 policyOID, policyQualifiers, cert, policyMaps, state, plContext); |
| 2100 if (subroutineErr) { |
| 2101 goto subrErrorCleanup; |
| 2102 } |
| 2103 |
| 2104 } else { |
| 2105 /* |
| 2106 * No descent (yet) for anyPolicy, but we will need |
| 2107 * the policyQualifiers for anyPolicy in 6.1.3(d)(2) |
| 2108 */ |
| 2109 PKIX_DECREF(qualsOfAny); |
| 2110 PKIX_INCREF(policyQualifiers); |
| 2111 qualsOfAny = policyQualifiers; |
| 2112 certPoliciesIncludeAny = PKIX_TRUE; |
2332 } | 2113 } |
2333 | 2114 PKIX_DECREF(policy); |
2334 if (policyMaps) { | 2115 PKIX_DECREF(policyOID); |
2335 | 2116 PKIX_DECREF(policyQualifiers); |
2336 PKIX_CHECK(pkix_PolicyChecker_MapContains | 2117 } |
2337 (policyMaps, state->anyPolicyOID, &result, plContext), | 2118 |
2338 PKIX_POLICYCHECKERMAPCONTAINSFAILED); | 2119 /* Section 6.1.3(d)(2) */ |
2339 | 2120 if (certPoliciesIncludeAny == PKIX_TRUE) { |
2340 if (result) { | 2121 if (state->inhibitAnyPolicy > 0) { |
2341 PKIX_ERROR(PKIX_INVALIDPOLICYMAPPINGINCLUDESANYPOLICY); | 2122 doAnyPolicyProcessing = PKIX_TRUE; |
2342 } | 2123 } else { |
2343 | 2124 /* We haven't yet counted the current cert */ |
2344 PKIX_CHECK(pkix_PolicyChecker_MapGetMappedPolicies | 2125 if (((state->certsProcessed) + 1) < (state->numCerts)) { |
2345 (policyMaps, &mappedPolicies, plContext), | 2126 |
2346 PKIX_POLICYCHECKERMAPGETMAPPEDPOLICIESFAILED); | 2127 PKIX_CHECK( |
2347 | 2128 pkix_IsCertSelfIssued(cert, &doAnyPolicyProcessing, plContext), |
2348 PKIX_DECREF(state->mappedPolicyOIDs); | 2129 PKIX_ISCERTSELFISSUEDFAILED); |
2349 PKIX_INCREF(mappedPolicies); | 2130 } |
2350 state->mappedPolicyOIDs = mappedPolicies; | |
2351 } | 2131 } |
2352 | 2132 if (doAnyPolicyProcessing) { |
2353 /* Section 6.1.3(d) */ | 2133 subroutineErr = pkix_PolicyChecker_CheckAny( |
2354 if (state->validPolicyTree) { | 2134 state->validPolicyTree, qualsOfAny, policyMaps, state, plContext); |
2355 | 2135 if (subroutineErr) { |
2356 PKIX_CHECK(PKIX_PL_Cert_GetPolicyInformation | 2136 goto subrErrorCleanup; |
2357 (cert, &certPolicyInfos, plContext), | 2137 } |
2358 PKIX_CERTGETPOLICYINFORMATIONFAILED); | |
2359 | |
2360 if (certPolicyInfos) { | |
2361 PKIX_CHECK(PKIX_List_GetLength | |
2362 (certPolicyInfos, &numPolicies, plContext), | |
2363 PKIX_LISTGETLENGTHFAILED); | |
2364 } | |
2365 | |
2366 if (numPolicies > 0) { | |
2367 | |
2368 PKIX_CHECK(PKIX_PL_Cert_AreCertPoliciesCritical | |
2369 (cert, &(state->certPoliciesCritical), plContext), | |
2370 PKIX_CERTARECERTPOLICIESCRITICALFAILED); | |
2371 | |
2372 /* Section 6.1.3(d)(1) For each policy not equal to anyPolicy */ | |
2373 for (polX = 0; polX < numPolicies; polX++) { | |
2374 | |
2375 PKIX_CHECK(PKIX_List_GetItem | |
2376 (certPolicyInfos, | |
2377 polX, | |
2378 (PKIX_PL_Object **)&policy, | |
2379 plContext), | |
2380 PKIX_LISTGETITEMFAILED); | |
2381 | |
2382 PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolicyId | |
2383 (policy, &policyOID, plContext), | |
2384 PKIX_CERTPOLICYINFOGETPOLICYIDFAILED); | |
2385 | |
2386 PKIX_CHECK(PKIX_PL_CertPolicyInfo_GetPolQualifiers | |
2387 (policy, &policyQualifiers, plContext), | |
2388 PKIX_CERTPOLICYINFOGETPOLQUALIFIERSFAILED); | |
2389 | |
2390 PKIX_EQUALS | |
2391 (state->anyPolicyOID, | |
2392 policyOID, | |
2393 &result, | |
2394 plContext, | |
2395 PKIX_OIDEQUALFAILED); | |
2396 | |
2397 if (result == PKIX_FALSE) { | |
2398 | |
2399 /* Section 6.1.3(d)(1)(i) */ | |
2400 subroutineErr = pkix_PolicyChecker_CheckPolicy | |
2401 (policyOID, | |
2402 policyQualifiers, | |
2403 cert, | |
2404 policyMaps, | |
2405 state, | |
2406 plContext); | |
2407 if (subroutineErr) { | |
2408 goto subrErrorCleanup; | |
2409 } | |
2410 | |
2411 } else { | |
2412 /* | |
2413 * No descent (yet) for anyPolicy, but we will need | |
2414 * the policyQualifiers for anyPolicy in 6.1.3(d)(2) | |
2415 */ | |
2416 PKIX_DECREF(qualsOfAny); | |
2417 PKIX_INCREF(policyQualifiers); | |
2418 qualsOfAny = policyQualifiers; | |
2419 certPoliciesIncludeAny = PKIX_TRUE; | |
2420 } | |
2421 PKIX_DECREF(policy); | |
2422 PKIX_DECREF(policyOID); | |
2423 PKIX_DECREF(policyQualifiers); | |
2424 } | |
2425 | |
2426 /* Section 6.1.3(d)(2) */ | |
2427 if (certPoliciesIncludeAny == PKIX_TRUE) { | |
2428 if (state->inhibitAnyPolicy > 0) { | |
2429 doAnyPolicyProcessing = PKIX_TRUE; | |
2430 } else { | |
2431 /* We haven't yet counted the current cert */ | |
2432 if (((state->certsProcessed) + 1) < | |
2433 (state->numCerts)) { | |
2434 | |
2435 PKIX_CHECK(pkix_IsCertSelfIssued | |
2436 (cert, | |
2437 &doAnyPolicyProcessing, | |
2438 plContext), | |
2439 PKIX_ISCERTSELFISSUEDFAILED); | |
2440 } | |
2441 } | |
2442 if (doAnyPolicyProcessing) { | |
2443 subroutineErr = pkix_PolicyChecker_CheckAny | |
2444 (state->validPolicyTree, | |
2445 qualsOfAny, | |
2446 policyMaps, | |
2447 state, | |
2448 plContext); | |
2449 if (subroutineErr) { | |
2450 goto subrErrorCleanup; | |
2451 } | |
2452 } | |
2453 } | |
2454 | |
2455 /* Section 6.1.3(d)(3) */ | |
2456 if (state->validPolicyTree) { | |
2457 subroutineErr = pkix_PolicyNode_Prune | |
2458 (state->validPolicyTree, | |
2459 state->certsProcessed + 1, | |
2460 &shouldBePruned, | |
2461 plContext); | |
2462 if (subroutineErr) { | |
2463 goto subrErrorCleanup; | |
2464 } | |
2465 if (shouldBePruned) { | |
2466 PKIX_DECREF(state->validPolicyTree); | |
2467 PKIX_DECREF(state->anyPolicyNodeAtBottom); | |
2468 } | |
2469 } | |
2470 | |
2471 PKIX_CHECK(PKIX_PL_Object_InvalidateCache | |
2472 ((PKIX_PL_Object *)state, plContext), | |
2473 PKIX_OBJECTINVALIDATECACHEFAILED); | |
2474 | |
2475 } else { | |
2476 /* Section 6.1.3(e) */ | |
2477 PKIX_DECREF(state->validPolicyTree); | |
2478 PKIX_DECREF(state->anyPolicyNodeAtBottom); | |
2479 PKIX_DECREF(state->newAnyPolicyNode); | |
2480 | |
2481 PKIX_CHECK(PKIX_PL_Object_InvalidateCache | |
2482 ((PKIX_PL_Object *)state, plContext), | |
2483 PKIX_OBJECTINVALIDATECACHEFAILED); | |
2484 } | |
2485 } | 2138 } |
2486 | 2139 } |
2487 /* Section 6.1.3(f) */ | 2140 |
2488 if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) { | 2141 /* Section 6.1.3(d)(3) */ |
2489 PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION); | 2142 if (state->validPolicyTree) { |
| 2143 subroutineErr = pkix_PolicyNode_Prune(state->validPolicyTree, |
| 2144 state->certsProcessed + 1, |
| 2145 &shouldBePruned, plContext); |
| 2146 if (subroutineErr) { |
| 2147 goto subrErrorCleanup; |
2490 } | 2148 } |
2491 | 2149 if (shouldBePruned) { |
2492 /* | 2150 PKIX_DECREF(state->validPolicyTree); |
2493 * Remove Policy OIDs from list of unresolved critical | 2151 PKIX_DECREF(state->anyPolicyNodeAtBottom); |
2494 * extensions, if present. | |
2495 */ | |
2496 PKIX_CHECK(pkix_List_Remove | |
2497 (unresolvedCriticals, | |
2498 (PKIX_PL_Object *)state->certPoliciesExtension, | |
2499 plContext), | |
2500 PKIX_LISTREMOVEFAILED); | |
2501 | |
2502 PKIX_CHECK(pkix_List_Remove | |
2503 (unresolvedCriticals, | |
2504 (PKIX_PL_Object *)state->policyMappingsExtension, | |
2505 plContext), | |
2506 PKIX_LISTREMOVEFAILED); | |
2507 | |
2508 PKIX_CHECK(pkix_List_Remove | |
2509 (unresolvedCriticals, | |
2510 (PKIX_PL_Object *)state->policyConstraintsExtension, | |
2511 plContext), | |
2512 PKIX_LISTREMOVEFAILED); | |
2513 | |
2514 PKIX_CHECK(pkix_List_Remove | |
2515 (unresolvedCriticals, | |
2516 (PKIX_PL_Object *)state->inhibitAnyPolicyExtension, | |
2517 plContext), | |
2518 PKIX_LISTREMOVEFAILED); | |
2519 | |
2520 state->certsProcessed++; | |
2521 | |
2522 /* If this was not the last certificate, do next-cert preparation */ | |
2523 if (state->certsProcessed != state->numCerts) { | |
2524 | |
2525 if (policyMaps) { | |
2526 subroutineErr = pkix_PolicyChecker_PolicyMapProcessing | |
2527 (policyMaps, | |
2528 certPoliciesIncludeAny, | |
2529 qualsOfAny, | |
2530 state, | |
2531 plContext); | |
2532 if (subroutineErr) { | |
2533 goto subrErrorCleanup; | |
2534 } | |
2535 } | |
2536 | |
2537 /* update anyPolicyNodeAtBottom pointer */ | |
2538 PKIX_DECREF(state->anyPolicyNodeAtBottom); | |
2539 state->anyPolicyNodeAtBottom = state->newAnyPolicyNode; | |
2540 state->newAnyPolicyNode = NULL; | |
2541 | |
2542 /* Section 6.1.4(h) */ | |
2543 PKIX_CHECK(pkix_IsCertSelfIssued | |
2544 (cert, &isSelfIssued, plContext), | |
2545 PKIX_ISCERTSELFISSUEDFAILED); | |
2546 | |
2547 if (!isSelfIssued) { | |
2548 if (state->explicitPolicy > 0) { | |
2549 state->explicitPolicy--; | |
2550 } | |
2551 if (state->policyMapping > 0) { | |
2552 state->policyMapping--; | |
2553 } | |
2554 if (state->inhibitAnyPolicy > 0) { | |
2555 state->inhibitAnyPolicy--; | |
2556 } | |
2557 } | |
2558 | |
2559 /* Section 6.1.4(i) */ | |
2560 PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy | |
2561 (cert, &explicitPolicySkipCerts, plContext), | |
2562 PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED); | |
2563 | |
2564 if (explicitPolicySkipCerts != -1) { | |
2565 if (((PKIX_UInt32)explicitPolicySkipCerts) < | |
2566 (state->explicitPolicy)) { | |
2567 state->explicitPolicy = | |
2568 ((PKIX_UInt32) explicitPolicySkipCerts); | |
2569 } | |
2570 } | |
2571 | |
2572 PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappingInhibited | |
2573 (cert, &inhibitMappingSkipCerts, plContext), | |
2574 PKIX_CERTGETPOLICYMAPPINGINHIBITEDFAILED); | |
2575 | |
2576 if (inhibitMappingSkipCerts != -1) { | |
2577 if (((PKIX_UInt32)inhibitMappingSkipCerts) < | |
2578 (state->policyMapping)) { | |
2579 state->policyMapping = | |
2580 ((PKIX_UInt32)inhibitMappingSkipCerts); | |
2581 } | |
2582 } | |
2583 | |
2584 PKIX_CHECK(PKIX_PL_Cert_GetInhibitAnyPolicy | |
2585 (cert, &inhibitAnyPolicySkipCerts, plContext), | |
2586 PKIX_CERTGETINHIBITANYPOLICYFAILED); | |
2587 | |
2588 if (inhibitAnyPolicySkipCerts != -1) { | |
2589 if (((PKIX_UInt32)inhibitAnyPolicySkipCerts) < | |
2590 (state->inhibitAnyPolicy)) { | |
2591 state->inhibitAnyPolicy = | |
2592 ((PKIX_UInt32)inhibitAnyPolicySkipCerts); | |
2593 } | |
2594 } | |
2595 | |
2596 PKIX_CHECK(PKIX_PL_Object_InvalidateCache | |
2597 ((PKIX_PL_Object *)state, plContext), | |
2598 PKIX_OBJECTINVALIDATECACHEFAILED); | |
2599 | |
2600 } else { /* If this was the last certificate, do wrap-up processing */ | |
2601 | |
2602 /* Section 6.1.5 */ | |
2603 subroutineErr = pkix_PolicyChecker_WrapUpProcessing | |
2604 (cert, state, plContext); | |
2605 if (subroutineErr) { | |
2606 goto subrErrorCleanup; | |
2607 } | |
2608 | |
2609 if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) { | |
2610 PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION); | |
2611 } | |
2612 | |
2613 PKIX_DECREF(state->anyPolicyNodeAtBottom); | |
2614 PKIX_DECREF(state->newAnyPolicyNode); | |
2615 } | 2152 } |
2616 | 2153 } |
2617 | 2154 |
2618 if (subroutineErr) { | 2155 PKIX_CHECK( |
2619 | 2156 PKIX_PL_Object_InvalidateCache((PKIX_PL_Object *)state, plContext), |
2620 subrErrorCleanup: | 2157 PKIX_OBJECTINVALIDATECACHEFAILED); |
2621 /* We had an error. Was it a fatal error? */ | 2158 |
2622 pkixErrorClass = subroutineErr->errClass; | 2159 } else { |
2623 if (pkixErrorClass == PKIX_FATAL_ERROR) { | 2160 /* Section 6.1.3(e) */ |
2624 pkixErrorResult = subroutineErr; | 2161 PKIX_DECREF(state->validPolicyTree); |
2625 subroutineErr = NULL; | 2162 PKIX_DECREF(state->anyPolicyNodeAtBottom); |
2626 goto cleanup; | 2163 PKIX_DECREF(state->newAnyPolicyNode); |
2627 } | 2164 |
2628 /* | 2165 PKIX_CHECK( |
2629 * Abort policy processing, and then determine whether | 2166 PKIX_PL_Object_InvalidateCache((PKIX_PL_Object *)state, plContext), |
2630 * we can continue without policy processing. | 2167 PKIX_OBJECTINVALIDATECACHEFAILED); |
2631 */ | 2168 } |
2632 PKIX_DECREF(state->validPolicyTree); | 2169 } |
2633 PKIX_DECREF(state->anyPolicyNodeAtBottom); | 2170 |
2634 PKIX_DECREF(state->newAnyPolicyNode); | 2171 /* Section 6.1.3(f) */ |
2635 if (state->explicitPolicy == 0) { | 2172 if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) { |
2636 PKIX_ERROR | 2173 PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION); |
2637 (PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION); | 2174 } |
2638 } | 2175 |
2639 } | 2176 /* |
2640 | 2177 * Remove Policy OIDs from list of unresolved critical |
2641 /* Checking is complete. Save state for the next certificate. */ | 2178 * extensions, if present. |
2642 PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState | 2179 */ |
2643 (checker, (PKIX_PL_Object *)state, plContext), | 2180 PKIX_CHECK(pkix_List_Remove(unresolvedCriticals, |
2644 PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED); | 2181 (PKIX_PL_Object *)state->certPoliciesExtension, |
| 2182 plContext), |
| 2183 PKIX_LISTREMOVEFAILED); |
| 2184 |
| 2185 PKIX_CHECK(pkix_List_Remove(unresolvedCriticals, |
| 2186 (PKIX_PL_Object *)state->policyMappingsExtension, |
| 2187 plContext), |
| 2188 PKIX_LISTREMOVEFAILED); |
| 2189 |
| 2190 PKIX_CHECK( |
| 2191 pkix_List_Remove(unresolvedCriticals, |
| 2192 (PKIX_PL_Object *)state->policyConstraintsExtension, |
| 2193 plContext), |
| 2194 PKIX_LISTREMOVEFAILED); |
| 2195 |
| 2196 PKIX_CHECK(pkix_List_Remove( |
| 2197 unresolvedCriticals, |
| 2198 (PKIX_PL_Object *)state->inhibitAnyPolicyExtension, plContext), |
| 2199 PKIX_LISTREMOVEFAILED); |
| 2200 |
| 2201 state->certsProcessed++; |
| 2202 |
| 2203 /* If this was not the last certificate, do next-cert preparation */ |
| 2204 if (state->certsProcessed != state->numCerts) { |
| 2205 |
| 2206 if (policyMaps) { |
| 2207 subroutineErr = pkix_PolicyChecker_PolicyMapProcessing( |
| 2208 policyMaps, certPoliciesIncludeAny, qualsOfAny, state, plContext); |
| 2209 if (subroutineErr) { |
| 2210 goto subrErrorCleanup; |
| 2211 } |
| 2212 } |
| 2213 |
| 2214 /* update anyPolicyNodeAtBottom pointer */ |
| 2215 PKIX_DECREF(state->anyPolicyNodeAtBottom); |
| 2216 state->anyPolicyNodeAtBottom = state->newAnyPolicyNode; |
| 2217 state->newAnyPolicyNode = NULL; |
| 2218 |
| 2219 /* Section 6.1.4(h) */ |
| 2220 PKIX_CHECK(pkix_IsCertSelfIssued(cert, &isSelfIssued, plContext), |
| 2221 PKIX_ISCERTSELFISSUEDFAILED); |
| 2222 |
| 2223 if (!isSelfIssued) { |
| 2224 if (state->explicitPolicy > 0) { |
| 2225 state->explicitPolicy--; |
| 2226 } |
| 2227 if (state->policyMapping > 0) { |
| 2228 state->policyMapping--; |
| 2229 } |
| 2230 if (state->inhibitAnyPolicy > 0) { |
| 2231 state->inhibitAnyPolicy--; |
| 2232 } |
| 2233 } |
| 2234 |
| 2235 /* Section 6.1.4(i) */ |
| 2236 PKIX_CHECK(PKIX_PL_Cert_GetRequireExplicitPolicy( |
| 2237 cert, &explicitPolicySkipCerts, plContext), |
| 2238 PKIX_CERTGETREQUIREEXPLICITPOLICYFAILED); |
| 2239 |
| 2240 if (explicitPolicySkipCerts != -1) { |
| 2241 if (((PKIX_UInt32)explicitPolicySkipCerts) < (state->explicitPolicy)) { |
| 2242 state->explicitPolicy = ((PKIX_UInt32)explicitPolicySkipCerts); |
| 2243 } |
| 2244 } |
| 2245 |
| 2246 PKIX_CHECK(PKIX_PL_Cert_GetPolicyMappingInhibited( |
| 2247 cert, &inhibitMappingSkipCerts, plContext), |
| 2248 PKIX_CERTGETPOLICYMAPPINGINHIBITEDFAILED); |
| 2249 |
| 2250 if (inhibitMappingSkipCerts != -1) { |
| 2251 if (((PKIX_UInt32)inhibitMappingSkipCerts) < (state->policyMapping)) { |
| 2252 state->policyMapping = ((PKIX_UInt32)inhibitMappingSkipCerts); |
| 2253 } |
| 2254 } |
| 2255 |
| 2256 PKIX_CHECK(PKIX_PL_Cert_GetInhibitAnyPolicy( |
| 2257 cert, &inhibitAnyPolicySkipCerts, plContext), |
| 2258 PKIX_CERTGETINHIBITANYPOLICYFAILED); |
| 2259 |
| 2260 if (inhibitAnyPolicySkipCerts != -1) { |
| 2261 if (((PKIX_UInt32)inhibitAnyPolicySkipCerts) < |
| 2262 (state->inhibitAnyPolicy)) { |
| 2263 state->inhibitAnyPolicy = ((PKIX_UInt32)inhibitAnyPolicySkipCerts); |
| 2264 } |
| 2265 } |
| 2266 |
| 2267 PKIX_CHECK( |
| 2268 PKIX_PL_Object_InvalidateCache((PKIX_PL_Object *)state, plContext), |
| 2269 PKIX_OBJECTINVALIDATECACHEFAILED); |
| 2270 |
| 2271 } else {/* If this was the last certificate, do wrap-up processing */ |
| 2272 |
| 2273 /* Section 6.1.5 */ |
| 2274 subroutineErr = pkix_PolicyChecker_WrapUpProcessing(cert, state, plContext); |
| 2275 if (subroutineErr) { |
| 2276 goto subrErrorCleanup; |
| 2277 } |
| 2278 |
| 2279 if ((0 == state->explicitPolicy) && (!state->validPolicyTree)) { |
| 2280 PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION); |
| 2281 } |
| 2282 |
| 2283 PKIX_DECREF(state->anyPolicyNodeAtBottom); |
| 2284 PKIX_DECREF(state->newAnyPolicyNode); |
| 2285 } |
| 2286 |
| 2287 if (subroutineErr) { |
| 2288 |
| 2289 subrErrorCleanup: |
| 2290 /* We had an error. Was it a fatal error? */ |
| 2291 pkixErrorClass = subroutineErr->errClass; |
| 2292 if (pkixErrorClass == PKIX_FATAL_ERROR) { |
| 2293 pkixErrorResult = subroutineErr; |
| 2294 subroutineErr = NULL; |
| 2295 goto cleanup; |
| 2296 } |
| 2297 /* |
| 2298 * Abort policy processing, and then determine whether |
| 2299 * we can continue without policy processing. |
| 2300 */ |
| 2301 PKIX_DECREF(state->validPolicyTree); |
| 2302 PKIX_DECREF(state->anyPolicyNodeAtBottom); |
| 2303 PKIX_DECREF(state->newAnyPolicyNode); |
| 2304 if (state->explicitPolicy == 0) { |
| 2305 PKIX_ERROR(PKIX_CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION); |
| 2306 } |
| 2307 } |
| 2308 |
| 2309 /* Checking is complete. Save state for the next certificate. */ |
| 2310 PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState( |
| 2311 checker, (PKIX_PL_Object *)state, plContext), |
| 2312 PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED); |
2645 | 2313 |
2646 cleanup: | 2314 cleanup: |
2647 | 2315 |
2648 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG | 2316 #if PKIX_CERTPOLICYCHECKERSTATEDEBUG |
2649 if (cert) { | 2317 if (cert) { |
2650 PKIX_CHECK(PKIX_PL_Object_ToString | 2318 PKIX_CHECK( |
2651 ((PKIX_PL_Object*)cert, &certString, plContext), | 2319 PKIX_PL_Object_ToString((PKIX_PL_Object *)cert, &certString, plContext), |
2652 PKIX_OBJECTTOSTRINGFAILED); | 2320 PKIX_OBJECTTOSTRINGFAILED); |
2653 PKIX_CHECK(PKIX_PL_String_GetEncoded | 2321 PKIX_CHECK( |
2654 (certString, | 2322 PKIX_PL_String_GetEncoded(certString, PKIX_ESCASCII, |
2655 PKIX_ESCASCII, | 2323 (void **)&certAscii, &length, plContext), |
2656 (void **)&certAscii, | 2324 PKIX_STRINGGETENCODEDFAILED); |
2657 &length, | 2325 PKIX_DEBUG_ARG("Cert was %s\n", certAscii); |
2658 plContext), | 2326 PKIX_FREE(certAscii); |
2659 PKIX_STRINGGETENCODEDFAILED); | 2327 PKIX_DECREF(certString); |
2660 PKIX_DEBUG_ARG("Cert was %s\n", certAscii); | 2328 } |
2661 PKIX_FREE(certAscii); | 2329 if (state) { |
2662 PKIX_DECREF(certString); | 2330 PKIX_CHECK(PKIX_PL_Object_ToString((PKIX_PL_Object *)state, &stateString, |
2663 } | 2331 plContext), |
2664 if (state) { | 2332 PKIX_OBJECTTOSTRINGFAILED); |
2665 PKIX_CHECK(PKIX_PL_Object_ToString | 2333 PKIX_CHECK( |
2666 ((PKIX_PL_Object*)state, &stateString, plContext), | 2334 PKIX_PL_String_GetEncoded(stateString, PKIX_ESCASCII, |
2667 PKIX_OBJECTTOSTRINGFAILED); | 2335 (void **)&stateAscii, &length, plContext), |
2668 PKIX_CHECK(PKIX_PL_String_GetEncoded | 2336 PKIX_STRINGGETENCODEDFAILED); |
2669 (stateString, | 2337 PKIX_DEBUG_ARG("On exit %s\n", stateAscii); |
2670 PKIX_ESCASCII, | 2338 PKIX_FREE(stateAscii); |
2671 (void **)&stateAscii, | 2339 PKIX_DECREF(stateString); |
2672 &length, | 2340 } |
2673 plContext), | 2341 #endif |
2674 PKIX_STRINGGETENCODEDFAILED); | 2342 |
2675 PKIX_DEBUG_ARG("On exit %s\n", stateAscii); | 2343 PKIX_DECREF(state); |
2676 PKIX_FREE(stateAscii); | 2344 PKIX_DECREF(certPolicyInfos); |
2677 PKIX_DECREF(stateString); | 2345 PKIX_DECREF(policy); |
2678 } | 2346 PKIX_DECREF(qualsOfAny); |
2679 #endif | 2347 PKIX_DECREF(policyQualifiers); |
2680 | 2348 PKIX_DECREF(policyOID); |
2681 PKIX_DECREF(state); | 2349 PKIX_DECREF(subroutineErr); |
2682 PKIX_DECREF(certPolicyInfos); | 2350 PKIX_DECREF(policyMaps); |
2683 PKIX_DECREF(policy); | 2351 PKIX_DECREF(mappedPolicies); |
2684 PKIX_DECREF(qualsOfAny); | 2352 |
2685 PKIX_DECREF(policyQualifiers); | 2353 PKIX_RETURN(CERTCHAINCHECKER); |
2686 PKIX_DECREF(policyOID); | |
2687 PKIX_DECREF(subroutineErr); | |
2688 PKIX_DECREF(policyMaps); | |
2689 PKIX_DECREF(mappedPolicies); | |
2690 | |
2691 PKIX_RETURN(CERTCHAINCHECKER); | |
2692 } | 2354 } |
2693 | 2355 |
2694 /* | 2356 /* |
2695 * FUNCTION: pkix_PolicyChecker_Initialize | 2357 * FUNCTION: pkix_PolicyChecker_Initialize |
2696 * DESCRIPTION: | 2358 * DESCRIPTION: |
2697 * | 2359 * |
2698 * Creates and initializes a PolicyChecker, using the List pointed to | 2360 * Creates and initializes a PolicyChecker, using the List pointed to |
2699 * by "initialPolicies" for the user-initial-policy-set, the Boolean value | 2361 * by "initialPolicies" for the user-initial-policy-set, the Boolean value |
2700 * of "policyQualifiersRejected" for the policyQualifiersRejected parameter, | 2362 * of "policyQualifiersRejected" for the policyQualifiersRejected parameter, |
2701 * the Boolean value of "initialPolicyMappingInhibit" for the | 2363 * the Boolean value of "initialPolicyMappingInhibit" for the |
(...skipping 21 matching lines...) Expand all Loading... |
2723 * Address to store the created PolicyChecker. Must be non-NULL. | 2385 * Address to store the created PolicyChecker. Must be non-NULL. |
2724 * "plContext" | 2386 * "plContext" |
2725 * Platform-specific context pointer. | 2387 * Platform-specific context pointer. |
2726 * THREAD SAFETY: | 2388 * THREAD SAFETY: |
2727 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 2389 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
2728 * RETURNS: | 2390 * RETURNS: |
2729 * Returns NULL if the function succeeds | 2391 * Returns NULL if the function succeeds |
2730 * Returns a CertChainChecker Error if the functions fails in a non-fatal way | 2392 * Returns a CertChainChecker Error if the functions fails in a non-fatal way |
2731 * Returns a Fatal Error if the function fails in an unrecoverable way | 2393 * Returns a Fatal Error if the function fails in an unrecoverable way |
2732 */ | 2394 */ |
2733 PKIX_Error * | 2395 PKIX_Error *pkix_PolicyChecker_Initialize( |
2734 pkix_PolicyChecker_Initialize( | 2396 PKIX_List *initialPolicies, PKIX_Boolean policyQualifiersRejected, |
2735 PKIX_List *initialPolicies, | 2397 PKIX_Boolean initialPolicyMappingInhibit, |
2736 PKIX_Boolean policyQualifiersRejected, | 2398 PKIX_Boolean initialExplicitPolicy, PKIX_Boolean initialAnyPolicyInhibit, |
2737 PKIX_Boolean initialPolicyMappingInhibit, | 2399 PKIX_UInt32 numCerts, PKIX_CertChainChecker **pChecker, void *plContext) { |
2738 PKIX_Boolean initialExplicitPolicy, | 2400 PKIX_PolicyCheckerState *polCheckerState = NULL; |
2739 PKIX_Boolean initialAnyPolicyInhibit, | 2401 PKIX_List *policyExtensions = NULL; /* OIDs */ |
2740 PKIX_UInt32 numCerts, | 2402 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Initialize"); |
2741 PKIX_CertChainChecker **pChecker, | 2403 PKIX_NULLCHECK_ONE(pChecker); |
2742 void *plContext) | |
2743 { | |
2744 PKIX_PolicyCheckerState *polCheckerState = NULL; | |
2745 PKIX_List *policyExtensions = NULL; /* OIDs */ | |
2746 PKIX_ENTER(CERTCHAINCHECKER, "pkix_PolicyChecker_Initialize"); | |
2747 PKIX_NULLCHECK_ONE(pChecker); | |
2748 | 2404 |
2749 PKIX_CHECK(pkix_PolicyCheckerState_Create | 2405 PKIX_CHECK( |
2750 (initialPolicies, | 2406 pkix_PolicyCheckerState_Create( |
2751 policyQualifiersRejected, | 2407 initialPolicies, policyQualifiersRejected, |
2752 initialPolicyMappingInhibit, | 2408 initialPolicyMappingInhibit, initialExplicitPolicy, |
2753 initialExplicitPolicy, | 2409 initialAnyPolicyInhibit, numCerts, &polCheckerState, plContext), |
2754 initialAnyPolicyInhibit, | 2410 PKIX_POLICYCHECKERSTATECREATEFAILED); |
2755 numCerts, | |
2756 &polCheckerState, | |
2757 plContext), | |
2758 PKIX_POLICYCHECKERSTATECREATEFAILED); | |
2759 | 2411 |
2760 /* Create the list of extensions that we handle */ | 2412 /* Create the list of extensions that we handle */ |
2761 PKIX_CHECK(pkix_PolicyChecker_MakeSingleton | 2413 PKIX_CHECK(pkix_PolicyChecker_MakeSingleton( |
2762 ((PKIX_PL_Object *)(polCheckerState->certPoliciesExtension), | 2414 (PKIX_PL_Object *)(polCheckerState->certPoliciesExtension), |
2763 PKIX_TRUE, | 2415 PKIX_TRUE, &policyExtensions, plContext), |
2764 &policyExtensions, | 2416 PKIX_POLICYCHECKERMAKESINGLETONFAILED); |
2765 plContext), | |
2766 PKIX_POLICYCHECKERMAKESINGLETONFAILED); | |
2767 | 2417 |
2768 PKIX_CHECK(PKIX_CertChainChecker_Create | 2418 PKIX_CHECK( |
2769 (pkix_PolicyChecker_Check, | 2419 PKIX_CertChainChecker_Create( |
2770 PKIX_FALSE, /* forwardCheckingSupported */ | 2420 pkix_PolicyChecker_Check, PKIX_FALSE, /* forwardCheckingSupported */ |
2771 PKIX_FALSE, | 2421 PKIX_FALSE, policyExtensions, (PKIX_PL_Object *)polCheckerState, |
2772 policyExtensions, | 2422 pChecker, plContext), |
2773 (PKIX_PL_Object *)polCheckerState, | 2423 PKIX_CERTCHAINCHECKERCREATEFAILED); |
2774 pChecker, | |
2775 plContext), | |
2776 PKIX_CERTCHAINCHECKERCREATEFAILED); | |
2777 | 2424 |
2778 cleanup: | 2425 cleanup: |
2779 PKIX_DECREF(polCheckerState); | 2426 PKIX_DECREF(polCheckerState); |
2780 PKIX_DECREF(policyExtensions); | 2427 PKIX_DECREF(policyExtensions); |
2781 PKIX_RETURN(CERTCHAINCHECKER); | 2428 PKIX_RETURN(CERTCHAINCHECKER); |
2782 | |
2783 } | 2429 } |
OLD | NEW |