OLD | NEW |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
4 /* | 4 /* |
5 * pkix_validate.c | 5 * pkix_validate.c |
6 * | 6 * |
7 * Top level validateChain function | 7 * Top level validateChain function |
8 * | 8 * |
9 */ | 9 */ |
10 | 10 |
(...skipping 29 matching lines...) Expand all Loading... |
40 * is to be inserted. The node is not created if VerifyTree is NULL. | 40 * is to be inserted. The node is not created if VerifyTree is NULL. |
41 * "plContext" | 41 * "plContext" |
42 * Platform-specific context pointer. | 42 * Platform-specific context pointer. |
43 * THREAD SAFETY: | 43 * THREAD SAFETY: |
44 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 44 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
45 * RETURNS: | 45 * RETURNS: |
46 * Returns NULL if the function succeeds. | 46 * Returns NULL if the function succeeds. |
47 * Returns a Validate Error if the function fails in a non-fatal way. | 47 * Returns a Validate Error if the function fails in a non-fatal way. |
48 * Returns a Fatal Error if the function fails in an unrecoverable way. | 48 * Returns a Fatal Error if the function fails in an unrecoverable way. |
49 */ | 49 */ |
50 static PKIX_Error * | 50 static PKIX_Error *pkix_AddToVerifyLog(PKIX_PL_Cert *cert, PKIX_UInt32 depth, |
51 pkix_AddToVerifyLog( | 51 PKIX_Error *error, |
52 PKIX_PL_Cert *cert, | 52 PKIX_VerifyNode **pVerifyTree, |
53 PKIX_UInt32 depth, | 53 void *plContext) { |
54 PKIX_Error *error, | |
55 PKIX_VerifyNode **pVerifyTree, | |
56 void *plContext) | |
57 { | |
58 | 54 |
59 PKIX_VerifyNode *verifyNode = NULL; | 55 PKIX_VerifyNode *verifyNode = NULL; |
60 | 56 |
61 PKIX_ENTER(VALIDATE, "pkix_AddToVerifyLog"); | 57 PKIX_ENTER(VALIDATE, "pkix_AddToVerifyLog"); |
62 PKIX_NULLCHECK_ONE(cert); | 58 PKIX_NULLCHECK_ONE(cert); |
63 | 59 |
64 if (pVerifyTree) { /* nothing to do if no address given for log */ | 60 if (pVerifyTree) {/* nothing to do if no address given for log */ |
65 | 61 |
66 PKIX_CHECK(pkix_VerifyNode_Create | 62 PKIX_CHECK( |
67 (cert, depth, error, &verifyNode, plContext), | 63 pkix_VerifyNode_Create(cert, depth, error, &verifyNode, plContext), |
68 PKIX_VERIFYNODECREATEFAILED); | 64 PKIX_VERIFYNODECREATEFAILED); |
69 | 65 |
70 if (depth == 0) { | 66 if (depth == 0) { |
71 /* We just created the root node */ | 67 /* We just created the root node */ |
72 *pVerifyTree = verifyNode; | 68 *pVerifyTree = verifyNode; |
73 } else { | 69 } else { |
74 PKIX_CHECK(pkix_VerifyNode_AddToChain | 70 PKIX_CHECK( |
75 (*pVerifyTree, verifyNode, plContext), | 71 pkix_VerifyNode_AddToChain(*pVerifyTree, verifyNode, plContext), |
76 PKIX_VERIFYNODEADDTOCHAINFAILED); | 72 PKIX_VERIFYNODEADDTOCHAINFAILED); |
77 } | 73 } |
78 } | 74 } |
79 | 75 |
80 cleanup: | 76 cleanup: |
81 | 77 |
82 PKIX_RETURN(VALIDATE); | 78 PKIX_RETURN(VALIDATE); |
83 | |
84 } | 79 } |
85 | 80 |
86 /* | 81 /* |
87 * FUNCTION: pkix_CheckCert | 82 * FUNCTION: pkix_CheckCert |
88 * DESCRIPTION: | 83 * DESCRIPTION: |
89 * | 84 * |
90 * Checks whether the Cert pointed to by "cert" successfully validates | 85 * Checks whether the Cert pointed to by "cert" successfully validates |
91 * using the List of CertChainCheckers pointed to by "checkers". If the | 86 * using the List of CertChainCheckers pointed to by "checkers". If the |
92 * certificate does not validate, an Error pointer is returned. | 87 * certificate does not validate, an Error pointer is returned. |
93 * | 88 * |
(...skipping 25 matching lines...) Expand all Loading... |
119 * Must be non-NULL. | 114 * Must be non-NULL. |
120 * "plContext" | 115 * "plContext" |
121 * Platform-specific context pointer. | 116 * Platform-specific context pointer. |
122 * THREAD SAFETY: | 117 * THREAD SAFETY: |
123 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 118 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
124 * RETURNS: | 119 * RETURNS: |
125 * Returns NULL if the function succeeds. | 120 * Returns NULL if the function succeeds. |
126 * Returns a Validate Error if the function fails in a non-fatal way. | 121 * Returns a Validate Error if the function fails in a non-fatal way. |
127 * Returns a Fatal Error if the function fails in an unrecoverable way. | 122 * Returns a Fatal Error if the function fails in an unrecoverable way. |
128 */ | 123 */ |
129 static PKIX_Error * | 124 static PKIX_Error *pkix_CheckCert(PKIX_PL_Cert *cert, PKIX_List *checkers, |
130 pkix_CheckCert( | 125 PKIX_List *checkedExtOIDsList, |
131 PKIX_PL_Cert *cert, | 126 PKIX_UInt32 *pCheckerIndex, |
132 PKIX_List *checkers, | 127 void **pNBIOContext, void *plContext) { |
133 PKIX_List *checkedExtOIDsList, | 128 PKIX_CertChainChecker_CheckCallback checkerCheck = NULL; |
134 PKIX_UInt32 *pCheckerIndex, | 129 PKIX_CertChainChecker *checker = NULL; |
135 void **pNBIOContext, | 130 PKIX_List *unresCritExtOIDs = NULL; |
136 void *plContext) | 131 PKIX_UInt32 numCheckers; |
137 { | 132 PKIX_UInt32 numUnresCritExtOIDs = 0; |
138 PKIX_CertChainChecker_CheckCallback checkerCheck = NULL; | 133 PKIX_UInt32 checkerIndex = 0; |
139 PKIX_CertChainChecker *checker = NULL; | 134 void *nbioContext = NULL; |
140 PKIX_List *unresCritExtOIDs = NULL; | |
141 PKIX_UInt32 numCheckers; | |
142 PKIX_UInt32 numUnresCritExtOIDs = 0; | |
143 PKIX_UInt32 checkerIndex = 0; | |
144 void *nbioContext = NULL; | |
145 | 135 |
146 PKIX_ENTER(VALIDATE, "pkix_CheckCert"); | 136 PKIX_ENTER(VALIDATE, "pkix_CheckCert"); |
147 PKIX_NULLCHECK_FOUR(cert, checkers, pCheckerIndex, pNBIOContext); | 137 PKIX_NULLCHECK_FOUR(cert, checkers, pCheckerIndex, pNBIOContext); |
148 | 138 |
149 nbioContext = *pNBIOContext; | 139 nbioContext = *pNBIOContext; |
150 *pNBIOContext = NULL; /* prepare for case of error exit */ | 140 *pNBIOContext = NULL; /* prepare for case of error exit */ |
151 | 141 |
152 PKIX_CHECK(PKIX_PL_Cert_GetCriticalExtensionOIDs | 142 PKIX_CHECK( |
153 (cert, &unresCritExtOIDs, plContext), | 143 PKIX_PL_Cert_GetCriticalExtensionOIDs(cert, &unresCritExtOIDs, plContext), |
154 PKIX_CERTGETCRITICALEXTENSIONOIDSFAILED); | 144 PKIX_CERTGETCRITICALEXTENSIONOIDSFAILED); |
155 | 145 |
156 PKIX_CHECK(PKIX_List_GetLength(checkers, &numCheckers, plContext), | 146 PKIX_CHECK(PKIX_List_GetLength(checkers, &numCheckers, plContext), |
157 PKIX_LISTGETLENGTHFAILED); | 147 PKIX_LISTGETLENGTHFAILED); |
158 | 148 |
159 for (checkerIndex = *pCheckerIndex; | 149 for (checkerIndex = *pCheckerIndex; checkerIndex < numCheckers; |
160 checkerIndex < numCheckers; | 150 checkerIndex++) { |
161 checkerIndex++) { | |
162 | 151 |
163 PKIX_CHECK(PKIX_List_GetItem | 152 PKIX_CHECK(PKIX_List_GetItem(checkers, checkerIndex, |
164 (checkers, | 153 (PKIX_PL_Object **)&checker, plContext), |
165 checkerIndex, | 154 PKIX_LISTGETITEMFAILED); |
166 (PKIX_PL_Object **)&checker, | |
167 plContext), | |
168 PKIX_LISTGETITEMFAILED); | |
169 | 155 |
170 PKIX_CHECK(PKIX_CertChainChecker_GetCheckCallback | 156 PKIX_CHECK(PKIX_CertChainChecker_GetCheckCallback(checker, &checkerCheck, |
171 (checker, &checkerCheck, plContext), | 157 plContext), |
172 PKIX_CERTCHAINCHECKERGETCHECKCALLBACKFAILED); | 158 PKIX_CERTCHAINCHECKERGETCHECKCALLBACKFAILED); |
173 | 159 |
174 PKIX_CHECK(checkerCheck(checker, cert, unresCritExtOIDs, | 160 PKIX_CHECK( |
175 &nbioContext, plContext), | 161 checkerCheck(checker, cert, unresCritExtOIDs, &nbioContext, plContext), |
176 PKIX_CERTCHAINCHECKERCHECKFAILED); | 162 PKIX_CERTCHAINCHECKERCHECKFAILED); |
177 | 163 |
178 if (nbioContext != NULL) { | 164 if (nbioContext != NULL) { |
179 *pCheckerIndex = checkerIndex; | 165 *pCheckerIndex = checkerIndex; |
180 *pNBIOContext = nbioContext; | 166 *pNBIOContext = nbioContext; |
181 goto cleanup; | 167 goto cleanup; |
182 } | 168 } |
183 | 169 |
184 PKIX_DECREF(checker); | 170 PKIX_DECREF(checker); |
185 } | 171 } |
186 | 172 |
187 if (unresCritExtOIDs){ | 173 if (unresCritExtOIDs) { |
188 | 174 |
189 #ifdef PKIX_VALIDATEDEBUG | 175 #ifdef PKIX_VALIDATEDEBUG |
190 { | 176 { |
191 PKIX_PL_String *oidString = NULL; | 177 PKIX_PL_String *oidString = NULL; |
192 PKIX_UInt32 length; | 178 PKIX_UInt32 length; |
193 char *oidAscii = NULL; | 179 char *oidAscii = NULL; |
194 PKIX_TOSTRING(unresCritExtOIDs, &oidString, plContext, | 180 PKIX_TOSTRING(unresCritExtOIDs, &oidString, plContext, |
195 PKIX_LISTTOSTRINGFAILED); | 181 PKIX_LISTTOSTRINGFAILED); |
196 PKIX_CHECK(PKIX_PL_String_GetEncoded | 182 PKIX_CHECK( |
197 (oidString, | 183 PKIX_PL_String_GetEncoded(oidString, PKIX_ESCASCII, |
198 PKIX_ESCASCII, | 184 (void **)&oidAscii, &length, plContext), |
199 (void **) &oidAscii, | 185 PKIX_STRINGGETENCODEDFAILED); |
200 &length, | 186 PKIX_VALIDATE_DEBUG_ARG( |
201 plContext), | 187 "unrecognized critical extension OIDs:" |
202 PKIX_STRINGGETENCODEDFAILED); | 188 " %s\n", |
203 PKIX_VALIDATE_DEBUG_ARG | 189 oidAscii); |
204 ("unrecognized critical extension OIDs:" | 190 PKIX_DECREF(oidString); |
205 " %s\n", oidAscii); | 191 PKIX_PL_Free(oidAscii, plContext); |
206 PKIX_DECREF(oidString); | 192 } |
207 PKIX_PL_Free(oidAscii, plContext); | |
208 } | |
209 #endif | 193 #endif |
210 | 194 |
211 if (checkedExtOIDsList != NULL) { | 195 if (checkedExtOIDsList != NULL) { |
212 /* Take out OID's that had been processed, if any */ | 196 /* Take out OID's that had been processed, if any */ |
213 PKIX_CHECK(pkix_List_RemoveItems | 197 PKIX_CHECK(pkix_List_RemoveItems(unresCritExtOIDs, checkedExtOIDsList, |
214 (unresCritExtOIDs, | 198 plContext), |
215 checkedExtOIDsList, | 199 PKIX_LISTREMOVEITEMSFAILED); |
216 plContext), | 200 } |
217 PKIX_LISTREMOVEITEMSFAILED); | |
218 } | |
219 | 201 |
220 PKIX_CHECK(PKIX_List_GetLength | 202 PKIX_CHECK( |
221 (unresCritExtOIDs, &numUnresCritExtOIDs, plContext), | 203 PKIX_List_GetLength(unresCritExtOIDs, &numUnresCritExtOIDs, plContext), |
222 PKIX_LISTGETLENGTHFAILED); | 204 PKIX_LISTGETLENGTHFAILED); |
223 | 205 |
224 if (numUnresCritExtOIDs != 0){ | 206 if (numUnresCritExtOIDs != 0) { |
225 PKIX_ERROR(PKIX_UNRECOGNIZEDCRITICALEXTENSION); | 207 PKIX_ERROR(PKIX_UNRECOGNIZEDCRITICALEXTENSION); |
226 } | 208 } |
227 | 209 } |
228 } | |
229 | 210 |
230 cleanup: | 211 cleanup: |
231 | 212 |
232 PKIX_DECREF(checker); | 213 PKIX_DECREF(checker); |
233 PKIX_DECREF(unresCritExtOIDs); | 214 PKIX_DECREF(unresCritExtOIDs); |
234 | 215 |
235 PKIX_RETURN(VALIDATE); | 216 PKIX_RETURN(VALIDATE); |
236 | |
237 } | 217 } |
238 | 218 |
239 /* | 219 /* |
240 * FUNCTION: pkix_InitializeCheckers | 220 * FUNCTION: pkix_InitializeCheckers |
241 * DESCRIPTION: | 221 * DESCRIPTION: |
242 * | 222 * |
243 * Creates several checkers and initializes them with values derived from the | 223 * Creates several checkers and initializes them with values derived from the |
244 * TrustAnchor pointed to by "anchor", the ProcessingParams pointed to by | 224 * TrustAnchor pointed to by "anchor", the ProcessingParams pointed to by |
245 * "procParams", and the number of Certs in the Chain, represented by | 225 * "procParams", and the number of Certs in the Chain, represented by |
246 * "numCerts". The List of checkers is stored at "pCheckers". | 226 * "numCerts". The List of checkers is stored at "pCheckers". |
(...skipping 11 matching lines...) Expand all Loading... |
258 * Address where object pointer will be stored. Must be non-NULL. | 238 * Address where object pointer will be stored. Must be non-NULL. |
259 * "plContext" | 239 * "plContext" |
260 * Platform-specific context pointer. | 240 * Platform-specific context pointer. |
261 * THREAD SAFETY: | 241 * THREAD SAFETY: |
262 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 242 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
263 * RETURNS: | 243 * RETURNS: |
264 * Returns NULL if the function succeeds. | 244 * Returns NULL if the function succeeds. |
265 * Returns a Validate Error if the function fails in a non-fatal way. | 245 * Returns a Validate Error if the function fails in a non-fatal way. |
266 * Returns a Fatal Error if the function fails in an unrecoverable way. | 246 * Returns a Fatal Error if the function fails in an unrecoverable way. |
267 */ | 247 */ |
268 static PKIX_Error * | 248 static PKIX_Error *pkix_InitializeCheckers(PKIX_TrustAnchor *anchor, |
269 pkix_InitializeCheckers( | 249 PKIX_ProcessingParams *procParams, |
270 PKIX_TrustAnchor *anchor, | 250 PKIX_UInt32 numCerts, |
271 PKIX_ProcessingParams *procParams, | 251 PKIX_List **pCheckers, |
272 PKIX_UInt32 numCerts, | 252 void *plContext) { |
273 PKIX_List **pCheckers, | 253 PKIX_CertChainChecker *targetCertChecker = NULL; |
274 void *plContext) | 254 PKIX_CertChainChecker *expirationChecker = NULL; |
275 { | 255 PKIX_CertChainChecker *nameChainingChecker = NULL; |
276 PKIX_CertChainChecker *targetCertChecker = NULL; | 256 PKIX_CertChainChecker *nameConstraintsChecker = NULL; |
277 PKIX_CertChainChecker *expirationChecker = NULL; | 257 PKIX_CertChainChecker *basicConstraintsChecker = NULL; |
278 PKIX_CertChainChecker *nameChainingChecker = NULL; | 258 PKIX_CertChainChecker *policyChecker = NULL; |
279 PKIX_CertChainChecker *nameConstraintsChecker = NULL; | 259 PKIX_CertChainChecker *sigChecker = NULL; |
280 PKIX_CertChainChecker *basicConstraintsChecker = NULL; | 260 PKIX_CertChainChecker *defaultCrlChecker = NULL; |
281 PKIX_CertChainChecker *policyChecker = NULL; | 261 PKIX_CertChainChecker *userChecker = NULL; |
282 PKIX_CertChainChecker *sigChecker = NULL; | 262 PKIX_PL_X500Name *trustedCAName = NULL; |
283 PKIX_CertChainChecker *defaultCrlChecker = NULL; | 263 PKIX_PL_PublicKey *trustedPubKey = NULL; |
284 PKIX_CertChainChecker *userChecker = NULL; | 264 PKIX_List *checkers = NULL; |
285 PKIX_PL_X500Name *trustedCAName = NULL; | 265 PKIX_PL_Date *testDate = NULL; |
286 PKIX_PL_PublicKey *trustedPubKey = NULL; | 266 PKIX_CertSelector *certSelector = NULL; |
287 PKIX_List *checkers = NULL; | 267 PKIX_PL_Cert *trustedCert = NULL; |
288 PKIX_PL_Date *testDate = NULL; | 268 PKIX_PL_CertNameConstraints *trustedNC = NULL; |
289 PKIX_CertSelector *certSelector = NULL; | 269 PKIX_List *initialPolicies = NULL; |
290 PKIX_PL_Cert *trustedCert = NULL; | 270 PKIX_Boolean policyQualifiersRejected = PKIX_FALSE; |
291 PKIX_PL_CertNameConstraints *trustedNC = NULL; | 271 PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE; |
292 PKIX_List *initialPolicies = NULL; | 272 PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE; |
293 PKIX_Boolean policyQualifiersRejected = PKIX_FALSE; | 273 PKIX_Boolean initialExplicitPolicy = PKIX_FALSE; |
294 PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE; | 274 PKIX_List *userCheckersList = NULL; |
295 PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE; | 275 PKIX_List *certStores = NULL; |
296 PKIX_Boolean initialExplicitPolicy = PKIX_FALSE; | 276 PKIX_UInt32 numCertCheckers = 0; |
297 PKIX_List *userCheckersList = NULL; | 277 PKIX_UInt32 i; |
298 PKIX_List *certStores = NULL; | 278 |
299 PKIX_UInt32 numCertCheckers = 0; | 279 PKIX_ENTER(VALIDATE, "pkix_InitializeCheckers"); |
300 PKIX_UInt32 i; | 280 PKIX_NULLCHECK_THREE(anchor, procParams, pCheckers); |
301 | 281 PKIX_CHECK(PKIX_List_Create(&checkers, plContext), PKIX_LISTCREATEFAILED); |
302 PKIX_ENTER(VALIDATE, "pkix_InitializeCheckers"); | 282 |
303 PKIX_NULLCHECK_THREE(anchor, procParams, pCheckers); | 283 /* |
304 PKIX_CHECK(PKIX_List_Create(&checkers, plContext), | 284 * The TrustAnchor may have been created using CreateWithCert |
305 PKIX_LISTCREATEFAILED); | 285 * (in which case GetCAPublicKey and GetCAName will return NULL) |
306 | 286 * or may have been created using CreateWithNameKeyPair (in which |
307 /* | 287 * case GetTrustedCert will return NULL. So we call GetTrustedCert |
308 * The TrustAnchor may have been created using CreateWithCert | 288 * and populate trustedPubKey and trustedCAName accordingly. |
309 * (in which case GetCAPublicKey and GetCAName will return NULL) | 289 */ |
310 * or may have been created using CreateWithNameKeyPair (in which | 290 |
311 * case GetTrustedCert will return NULL. So we call GetTrustedCert | 291 PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert(anchor, &trustedCert, plContext), |
312 * and populate trustedPubKey and trustedCAName accordingly. | 292 PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); |
313 */ | 293 |
314 | 294 if (trustedCert) { |
315 PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert | 295 PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey(trustedCert, &trustedPubKey, |
316 (anchor, &trustedCert, plContext), | 296 plContext), |
317 PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); | 297 PKIX_CERTGETSUBJECTPUBLICKEYFAILED); |
318 | 298 |
319 if (trustedCert){ | 299 PKIX_CHECK(PKIX_PL_Cert_GetSubject(trustedCert, &trustedCAName, plContext), |
320 PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey | 300 PKIX_CERTGETSUBJECTFAILED); |
321 (trustedCert, &trustedPubKey, plContext), | 301 } else { |
322 PKIX_CERTGETSUBJECTPUBLICKEYFAILED); | 302 PKIX_CHECK( |
323 | 303 PKIX_TrustAnchor_GetCAPublicKey(anchor, &trustedPubKey, plContext), |
324 PKIX_CHECK(PKIX_PL_Cert_GetSubject | 304 PKIX_TRUSTANCHORGETCAPUBLICKEYFAILED); |
325 (trustedCert, &trustedCAName, plContext), | 305 |
326 PKIX_CERTGETSUBJECTFAILED); | 306 PKIX_CHECK(PKIX_TrustAnchor_GetCAName(anchor, &trustedCAName, plContext), |
327 } else { | 307 PKIX_TRUSTANCHORGETCANAMEFAILED); |
328 PKIX_CHECK(PKIX_TrustAnchor_GetCAPublicKey | 308 } |
329 (anchor, &trustedPubKey, plContext), | 309 |
330 PKIX_TRUSTANCHORGETCAPUBLICKEYFAILED); | 310 PKIX_NULLCHECK_TWO(trustedPubKey, trustedCAName); |
331 | 311 |
332 PKIX_CHECK(PKIX_TrustAnchor_GetCAName | 312 PKIX_CHECK(PKIX_TrustAnchor_GetNameConstraints(anchor, &trustedNC, plContext), |
333 (anchor, &trustedCAName, plContext), | 313 PKIX_TRUSTANCHORGETNAMECONSTRAINTSFAILED); |
334 PKIX_TRUSTANCHORGETCANAMEFAILED); | 314 |
335 } | 315 PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints( |
336 | 316 procParams, &certSelector, plContext), |
337 PKIX_NULLCHECK_TWO(trustedPubKey, trustedCAName); | 317 PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED); |
338 | 318 |
339 PKIX_CHECK(PKIX_TrustAnchor_GetNameConstraints | 319 PKIX_CHECK(PKIX_ProcessingParams_GetDate(procParams, &testDate, plContext), |
340 (anchor, &trustedNC, plContext), | 320 PKIX_PROCESSINGPARAMSGETDATEFAILED); |
341 PKIX_TRUSTANCHORGETNAMECONSTRAINTSFAILED); | 321 |
342 | 322 PKIX_CHECK(PKIX_ProcessingParams_GetInitialPolicies( |
343 PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints | 323 procParams, &initialPolicies, plContext), |
344 (procParams, &certSelector, plContext), | 324 PKIX_PROCESSINGPARAMSGETINITIALPOLICIESFAILED); |
345 PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED); | 325 |
346 | 326 PKIX_CHECK(PKIX_ProcessingParams_GetPolicyQualifiersRejected( |
347 PKIX_CHECK(PKIX_ProcessingParams_GetDate | 327 procParams, &policyQualifiersRejected, plContext), |
348 (procParams, &testDate, plContext), | 328 PKIX_PROCESSINGPARAMSGETPOLICYQUALIFIERSREJECTEDFAILED); |
349 PKIX_PROCESSINGPARAMSGETDATEFAILED); | 329 |
350 | 330 PKIX_CHECK(PKIX_ProcessingParams_IsPolicyMappingInhibited( |
351 PKIX_CHECK(PKIX_ProcessingParams_GetInitialPolicies | 331 procParams, &initialPolicyMappingInhibit, plContext), |
352 (procParams, &initialPolicies, plContext), | 332 PKIX_PROCESSINGPARAMSISPOLICYMAPPINGINHIBITEDFAILED); |
353 PKIX_PROCESSINGPARAMSGETINITIALPOLICIESFAILED); | 333 |
354 | 334 PKIX_CHECK(PKIX_ProcessingParams_IsAnyPolicyInhibited( |
355 PKIX_CHECK(PKIX_ProcessingParams_GetPolicyQualifiersRejected | 335 procParams, &initialAnyPolicyInhibit, plContext), |
356 (procParams, &policyQualifiersRejected, plContext), | 336 PKIX_PROCESSINGPARAMSISANYPOLICYINHIBITEDFAILED); |
357 PKIX_PROCESSINGPARAMSGETPOLICYQUALIFIERSREJECTEDFAILED); | 337 |
358 | 338 PKIX_CHECK(PKIX_ProcessingParams_IsExplicitPolicyRequired( |
359 PKIX_CHECK(PKIX_ProcessingParams_IsPolicyMappingInhibited | 339 procParams, &initialExplicitPolicy, plContext), |
360 (procParams, &initialPolicyMappingInhibit, plContext), | 340 PKIX_PROCESSINGPARAMSISEXPLICITPOLICYREQUIREDFAILED); |
361 PKIX_PROCESSINGPARAMSISPOLICYMAPPINGINHIBITEDFAILED); | 341 |
362 | 342 PKIX_CHECK( |
363 PKIX_CHECK(PKIX_ProcessingParams_IsAnyPolicyInhibited | 343 PKIX_ProcessingParams_GetCertStores(procParams, &certStores, plContext), |
364 (procParams, &initialAnyPolicyInhibit, plContext), | 344 PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED); |
365 PKIX_PROCESSINGPARAMSISANYPOLICYINHIBITEDFAILED); | 345 |
366 | 346 PKIX_CHECK(PKIX_ProcessingParams_GetCertChainCheckers( |
367 PKIX_CHECK(PKIX_ProcessingParams_IsExplicitPolicyRequired | 347 procParams, &userCheckersList, plContext), |
368 (procParams, &initialExplicitPolicy, plContext), | 348 PKIX_PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED); |
369 PKIX_PROCESSINGPARAMSISEXPLICITPOLICYREQUIREDFAILED); | 349 |
370 | 350 /* now, initialize all the checkers */ |
371 PKIX_CHECK(PKIX_ProcessingParams_GetCertStores | 351 PKIX_CHECK(pkix_TargetCertChecker_Initialize(certSelector, numCerts, |
372 (procParams, &certStores, plContext), | 352 &targetCertChecker, plContext), |
373 PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED); | 353 PKIX_TARGETCERTCHECKERINITIALIZEFAILED); |
374 | 354 |
375 PKIX_CHECK(PKIX_ProcessingParams_GetCertChainCheckers | 355 PKIX_CHECK(pkix_ExpirationChecker_Initialize(testDate, &expirationChecker, |
376 (procParams, &userCheckersList, plContext), | 356 plContext), |
377 PKIX_PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED); | 357 PKIX_EXPIRATIONCHECKERINITIALIZEFAILED); |
378 | 358 |
379 /* now, initialize all the checkers */ | 359 PKIX_CHECK(pkix_NameChainingChecker_Initialize( |
380 PKIX_CHECK(pkix_TargetCertChecker_Initialize | 360 trustedCAName, &nameChainingChecker, plContext), |
381 (certSelector, numCerts, &targetCertChecker, plContext), | 361 PKIX_NAMECHAININGCHECKERINITIALIZEFAILED); |
382 PKIX_TARGETCERTCHECKERINITIALIZEFAILED); | 362 |
383 | 363 PKIX_CHECK(pkix_NameConstraintsChecker_Initialize( |
384 PKIX_CHECK(pkix_ExpirationChecker_Initialize | 364 trustedNC, numCerts, &nameConstraintsChecker, plContext), |
385 (testDate, &expirationChecker, plContext), | 365 PKIX_NAMECONSTRAINTSCHECKERINITIALIZEFAILED); |
386 PKIX_EXPIRATIONCHECKERINITIALIZEFAILED); | 366 |
387 | 367 PKIX_CHECK(pkix_BasicConstraintsChecker_Initialize( |
388 PKIX_CHECK(pkix_NameChainingChecker_Initialize | 368 numCerts, &basicConstraintsChecker, plContext), |
389 (trustedCAName, &nameChainingChecker, plContext), | 369 PKIX_BASICCONSTRAINTSCHECKERINITIALIZEFAILED); |
390 PKIX_NAMECHAININGCHECKERINITIALIZEFAILED); | 370 |
391 | 371 PKIX_CHECK(pkix_PolicyChecker_Initialize( |
392 PKIX_CHECK(pkix_NameConstraintsChecker_Initialize | 372 initialPolicies, policyQualifiersRejected, |
393 (trustedNC, numCerts, &nameConstraintsChecker, plContext), | 373 initialPolicyMappingInhibit, initialExplicitPolicy, |
394 PKIX_NAMECONSTRAINTSCHECKERINITIALIZEFAILED); | 374 initialAnyPolicyInhibit, numCerts, &policyChecker, plContext), |
395 | 375 PKIX_POLICYCHECKERINITIALIZEFAILED); |
396 PKIX_CHECK(pkix_BasicConstraintsChecker_Initialize | 376 |
397 (numCerts, &basicConstraintsChecker, plContext), | 377 PKIX_CHECK(pkix_SignatureChecker_Initialize(trustedPubKey, numCerts, |
398 PKIX_BASICCONSTRAINTSCHECKERINITIALIZEFAILED); | 378 &sigChecker, plContext), |
399 | 379 PKIX_SIGNATURECHECKERINITIALIZEFAILED); |
400 PKIX_CHECK(pkix_PolicyChecker_Initialize | 380 |
401 (initialPolicies, | 381 if (userCheckersList != NULL) { |
402 policyQualifiersRejected, | 382 |
403 initialPolicyMappingInhibit, | 383 PKIX_CHECK( |
404 initialExplicitPolicy, | 384 PKIX_List_GetLength(userCheckersList, &numCertCheckers, plContext), |
405 initialAnyPolicyInhibit, | 385 PKIX_LISTGETLENGTHFAILED); |
406 numCerts, | 386 |
407 &policyChecker, | 387 for (i = 0; i < numCertCheckers; i++) { |
408 plContext), | 388 |
409 PKIX_POLICYCHECKERINITIALIZEFAILED); | 389 PKIX_CHECK(PKIX_List_GetItem(userCheckersList, i, |
410 | 390 (PKIX_PL_Object **)&userChecker, plContext), |
411 PKIX_CHECK(pkix_SignatureChecker_Initialize | 391 PKIX_LISTGETITEMFAILED); |
412 (trustedPubKey, numCerts, &sigChecker, plContext), | 392 |
413 PKIX_SIGNATURECHECKERINITIALIZEFAILED); | 393 PKIX_CHECK(PKIX_List_AppendItem(checkers, (PKIX_PL_Object *)userChecker, |
414 | 394 plContext), |
415 if (userCheckersList != NULL) { | 395 PKIX_LISTAPPENDITEMFAILED); |
416 | 396 |
417 PKIX_CHECK(PKIX_List_GetLength | 397 PKIX_DECREF(userChecker); |
418 (userCheckersList, &numCertCheckers, plContext), | 398 } |
419 PKIX_LISTGETLENGTHFAILED); | 399 } |
420 | 400 |
421 for (i = 0; i < numCertCheckers; i++) { | 401 PKIX_CHECK(PKIX_List_AppendItem(checkers, (PKIX_PL_Object *)targetCertChecker, |
422 | 402 plContext), |
423 PKIX_CHECK(PKIX_List_GetItem | 403 PKIX_LISTAPPENDITEMFAILED); |
424 (userCheckersList, | 404 |
425 i, | 405 PKIX_CHECK(PKIX_List_AppendItem(checkers, (PKIX_PL_Object *)expirationChecker, |
426 (PKIX_PL_Object **) &userChecker, | 406 plContext), |
427 plContext), | 407 PKIX_LISTAPPENDITEMFAILED); |
428 PKIX_LISTGETITEMFAILED); | 408 |
429 | 409 PKIX_CHECK(PKIX_List_AppendItem( |
430 PKIX_CHECK(PKIX_List_AppendItem | 410 checkers, (PKIX_PL_Object *)nameChainingChecker, plContext), |
431 (checkers, | 411 PKIX_LISTAPPENDITEMFAILED); |
432 (PKIX_PL_Object *)userChecker, | 412 |
433 plContext), | 413 PKIX_CHECK(PKIX_List_AppendItem( |
434 PKIX_LISTAPPENDITEMFAILED); | 414 checkers, (PKIX_PL_Object *)nameConstraintsChecker, plContext), |
435 | 415 PKIX_LISTAPPENDITEMFAILED); |
436 PKIX_DECREF(userChecker); | 416 |
437 } | 417 PKIX_CHECK( |
438 } | 418 PKIX_List_AppendItem(checkers, (PKIX_PL_Object *)basicConstraintsChecker, |
439 | 419 plContext), |
440 PKIX_CHECK(PKIX_List_AppendItem | 420 PKIX_LISTAPPENDITEMFAILED); |
441 (checkers, (PKIX_PL_Object *)targetCertChecker, plContext), | 421 |
442 PKIX_LISTAPPENDITEMFAILED); | 422 PKIX_CHECK(PKIX_List_AppendItem(checkers, (PKIX_PL_Object *)policyChecker, |
443 | 423 plContext), |
444 PKIX_CHECK(PKIX_List_AppendItem | 424 PKIX_LISTAPPENDITEMFAILED); |
445 (checkers, (PKIX_PL_Object *)expirationChecker, plContext), | 425 |
446 PKIX_LISTAPPENDITEMFAILED); | 426 PKIX_CHECK( |
447 | 427 PKIX_List_AppendItem(checkers, (PKIX_PL_Object *)sigChecker, plContext), |
448 PKIX_CHECK(PKIX_List_AppendItem | 428 PKIX_LISTAPPENDITEMFAILED); |
449 (checkers, (PKIX_PL_Object *)nameChainingChecker, plContext), | 429 |
450 PKIX_LISTAPPENDITEMFAILED); | 430 *pCheckers = checkers; |
451 | |
452 PKIX_CHECK(PKIX_List_AppendItem | |
453 (checkers, (PKIX_PL_Object *)nameConstraintsChecker, plContext), | |
454 PKIX_LISTAPPENDITEMFAILED); | |
455 | |
456 PKIX_CHECK(PKIX_List_AppendItem | |
457 (checkers, (PKIX_PL_Object *)basicConstraintsChecker, plContext), | |
458 PKIX_LISTAPPENDITEMFAILED); | |
459 | |
460 PKIX_CHECK(PKIX_List_AppendItem | |
461 (checkers, (PKIX_PL_Object *)policyChecker, plContext), | |
462 PKIX_LISTAPPENDITEMFAILED); | |
463 | |
464 PKIX_CHECK(PKIX_List_AppendItem | |
465 (checkers, (PKIX_PL_Object *)sigChecker, plContext), | |
466 PKIX_LISTAPPENDITEMFAILED); | |
467 | |
468 *pCheckers = checkers; | |
469 | 431 |
470 cleanup: | 432 cleanup: |
471 | 433 |
472 if (PKIX_ERROR_RECEIVED){ | 434 if (PKIX_ERROR_RECEIVED) { |
473 PKIX_DECREF(checkers); | 435 PKIX_DECREF(checkers); |
474 } | 436 } |
475 | 437 |
476 PKIX_DECREF(certSelector); | 438 PKIX_DECREF(certSelector); |
477 PKIX_DECREF(testDate); | 439 PKIX_DECREF(testDate); |
478 PKIX_DECREF(initialPolicies); | 440 PKIX_DECREF(initialPolicies); |
479 PKIX_DECREF(targetCertChecker); | 441 PKIX_DECREF(targetCertChecker); |
480 PKIX_DECREF(expirationChecker); | 442 PKIX_DECREF(expirationChecker); |
481 PKIX_DECREF(nameChainingChecker); | 443 PKIX_DECREF(nameChainingChecker); |
482 PKIX_DECREF(nameConstraintsChecker); | 444 PKIX_DECREF(nameConstraintsChecker); |
483 PKIX_DECREF(basicConstraintsChecker); | 445 PKIX_DECREF(basicConstraintsChecker); |
484 PKIX_DECREF(policyChecker); | 446 PKIX_DECREF(policyChecker); |
485 PKIX_DECREF(sigChecker); | 447 PKIX_DECREF(sigChecker); |
486 PKIX_DECREF(trustedCAName); | 448 PKIX_DECREF(trustedCAName); |
487 PKIX_DECREF(trustedPubKey); | 449 PKIX_DECREF(trustedPubKey); |
488 PKIX_DECREF(trustedNC); | 450 PKIX_DECREF(trustedNC); |
489 PKIX_DECREF(trustedCert); | 451 PKIX_DECREF(trustedCert); |
490 PKIX_DECREF(defaultCrlChecker); | 452 PKIX_DECREF(defaultCrlChecker); |
491 PKIX_DECREF(userCheckersList); | 453 PKIX_DECREF(userCheckersList); |
492 PKIX_DECREF(certStores); | 454 PKIX_DECREF(certStores); |
493 PKIX_DECREF(userChecker); | 455 PKIX_DECREF(userChecker); |
494 | 456 |
495 PKIX_RETURN(VALIDATE); | 457 PKIX_RETURN(VALIDATE); |
496 } | 458 } |
497 | 459 |
498 /* | 460 /* |
499 * FUNCTION: pkix_RetrieveOutputs | 461 * FUNCTION: pkix_RetrieveOutputs |
500 * DESCRIPTION: | 462 * DESCRIPTION: |
501 * | 463 * |
502 * This function queries the respective states of the List of checkers in | 464 * This function queries the respective states of the List of checkers in |
503 * "checkers" to to obtain the final public key from the SignatureChecker | 465 * "checkers" to to obtain the final public key from the SignatureChecker |
504 * and the policy tree from the PolicyChecker, storing those values at | 466 * and the policy tree from the PolicyChecker, storing those values at |
505 * "pFinalSubjPubKey" and "pPolicyTree", respectively. | 467 * "pFinalSubjPubKey" and "pPolicyTree", respectively. |
506 * | 468 * |
507 * PARAMETERS: | 469 * PARAMETERS: |
508 * "checkers" | 470 * "checkers" |
509 * Address of List of checkers to be queried. Must be non-NULL. | 471 * Address of List of checkers to be queried. Must be non-NULL. |
510 * "pFinalSubjPubKey" | 472 * "pFinalSubjPubKey" |
511 * Address where final public key will be stored. Must be non-NULL. | 473 * Address where final public key will be stored. Must be non-NULL. |
512 * "pPolicyTree" | 474 * "pPolicyTree" |
513 * Address where policy tree will be stored. Must be non-NULL. | 475 * Address where policy tree will be stored. Must be non-NULL. |
514 * "plContext" | 476 * "plContext" |
515 * Platform-specific context pointer. | 477 * Platform-specific context pointer. |
516 * THREAD SAFETY: | 478 * THREAD SAFETY: |
517 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 479 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
518 * RETURNS: | 480 * RETURNS: |
519 * Returns NULL if the function succeeds. | 481 * Returns NULL if the function succeeds. |
520 * Returns a Validate Error if the function fails in a non-fatal way. | 482 * Returns a Validate Error if the function fails in a non-fatal way. |
521 * Returns a Fatal Error if the function fails in an unrecoverable way. | 483 * Returns a Fatal Error if the function fails in an unrecoverable way. |
522 */ | 484 */ |
523 static PKIX_Error * | 485 static PKIX_Error *pkix_RetrieveOutputs(PKIX_List *checkers, |
524 pkix_RetrieveOutputs( | 486 PKIX_PL_PublicKey **pFinalSubjPubKey, |
525 PKIX_List *checkers, | 487 PKIX_PolicyNode **pPolicyTree, |
526 PKIX_PL_PublicKey **pFinalSubjPubKey, | 488 void *plContext) { |
527 PKIX_PolicyNode **pPolicyTree, | 489 PKIX_PL_PublicKey *finalSubjPubKey = NULL; |
528 void *plContext) | 490 PKIX_PolicyNode *validPolicyTree = NULL; |
529 { | 491 PKIX_CertChainChecker *checker = NULL; |
530 PKIX_PL_PublicKey *finalSubjPubKey = NULL; | 492 PKIX_PL_Object *state = NULL; |
531 PKIX_PolicyNode *validPolicyTree = NULL; | 493 PKIX_UInt32 numCheckers = 0; |
532 PKIX_CertChainChecker *checker = NULL; | 494 PKIX_UInt32 type; |
533 PKIX_PL_Object *state = NULL; | 495 PKIX_Int32 j; |
534 PKIX_UInt32 numCheckers = 0; | |
535 PKIX_UInt32 type; | |
536 PKIX_Int32 j; | |
537 | 496 |
538 PKIX_ENTER(VALIDATE, "pkix_RetrieveOutputs"); | 497 PKIX_ENTER(VALIDATE, "pkix_RetrieveOutputs"); |
539 | 498 |
540 PKIX_NULLCHECK_TWO(checkers, pPolicyTree); | 499 PKIX_NULLCHECK_TWO(checkers, pPolicyTree); |
541 | 500 |
542 /* | 501 /* |
543 * To optimize the search, we guess that the sigChecker is | 502 * To optimize the search, we guess that the sigChecker is |
544 * last in the tree and is preceded by the policyChecker. We | 503 * last in the tree and is preceded by the policyChecker. We |
545 * search toward the front of the chain. Remember that List | 504 * search toward the front of the chain. Remember that List |
546 * items are indexed 0..(numItems - 1). | 505 * items are indexed 0..(numItems - 1). |
547 */ | 506 */ |
548 | 507 |
549 PKIX_CHECK(PKIX_List_GetLength(checkers, &numCheckers, plContext), | 508 PKIX_CHECK(PKIX_List_GetLength(checkers, &numCheckers, plContext), |
550 PKIX_LISTGETLENGTHFAILED); | 509 PKIX_LISTGETLENGTHFAILED); |
551 | 510 |
552 for (j = numCheckers - 1; j >= 0; j--){ | 511 for (j = numCheckers - 1; j >= 0; j--) { |
553 PKIX_CHECK(PKIX_List_GetItem | 512 PKIX_CHECK( |
554 (checkers, j, (PKIX_PL_Object **)&checker, plContext), | 513 PKIX_List_GetItem(checkers, j, (PKIX_PL_Object **)&checker, plContext), |
555 PKIX_LISTGETITEMFAILED); | 514 PKIX_LISTGETITEMFAILED); |
556 | 515 |
557 PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState | 516 PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState(checker, &state, |
558 (checker, &state, plContext), | 517 plContext), |
559 PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED); | 518 PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED); |
560 | 519 |
561 /* user defined checker may have no state */ | 520 /* user defined checker may have no state */ |
562 if (state != NULL) { | 521 if (state != NULL) { |
563 | 522 |
564 PKIX_CHECK(PKIX_PL_Object_GetType(state, &type, plContext), | 523 PKIX_CHECK(PKIX_PL_Object_GetType(state, &type, plContext), |
565 PKIX_OBJECTGETTYPEFAILED); | 524 PKIX_OBJECTGETTYPEFAILED); |
566 | 525 |
567 if (type == PKIX_SIGNATURECHECKERSTATE_TYPE){ | 526 if (type == PKIX_SIGNATURECHECKERSTATE_TYPE) { |
568 /* final pubKey will include any inherited DSA params */ | 527 /* final pubKey will include any inherited DSA params */ |
569 finalSubjPubKey = | 528 finalSubjPubKey = ((pkix_SignatureCheckerState *)state)->prevPublicKey; |
570 ((pkix_SignatureCheckerState *)state)-> | 529 PKIX_INCREF(finalSubjPubKey); |
571 prevPublicKey; | 530 *pFinalSubjPubKey = finalSubjPubKey; |
572 PKIX_INCREF(finalSubjPubKey); | 531 } |
573 *pFinalSubjPubKey = finalSubjPubKey; | |
574 } | |
575 | 532 |
576 if (type == PKIX_CERTPOLICYCHECKERSTATE_TYPE) { | 533 if (type == PKIX_CERTPOLICYCHECKERSTATE_TYPE) { |
577 validPolicyTree = | 534 validPolicyTree = ((PKIX_PolicyCheckerState *)state)->validPolicyTree; |
578 ((PKIX_PolicyCheckerState *)state)->validPolicyTree; | 535 break; |
579 break; | 536 } |
580 } | 537 } |
581 } | |
582 | 538 |
583 PKIX_DECREF(checker); | 539 PKIX_DECREF(checker); |
584 PKIX_DECREF(state); | 540 PKIX_DECREF(state); |
585 } | 541 } |
586 | 542 |
587 PKIX_INCREF(validPolicyTree); | 543 PKIX_INCREF(validPolicyTree); |
588 *pPolicyTree = validPolicyTree; | 544 *pPolicyTree = validPolicyTree; |
589 | 545 |
590 cleanup: | 546 cleanup: |
591 | 547 |
592 PKIX_DECREF(checker); | 548 PKIX_DECREF(checker); |
593 PKIX_DECREF(state); | 549 PKIX_DECREF(state); |
594 | 550 |
595 PKIX_RETURN(VALIDATE); | 551 PKIX_RETURN(VALIDATE); |
596 | |
597 } | 552 } |
598 | 553 |
599 /* | 554 /* |
600 * FUNCTION: pkix_CheckChain | 555 * FUNCTION: pkix_CheckChain |
601 * DESCRIPTION: | 556 * DESCRIPTION: |
602 * | 557 * |
603 * Checks whether the List of Certs pointed to by "certs", containing | 558 * Checks whether the List of Certs pointed to by "certs", containing |
604 * "numCerts" entries, successfully validates using each CertChainChecker in | 559 * "numCerts" entries, successfully validates using each CertChainChecker in |
605 * the List pointed to by "checkers" and has not been revoked, according to any | 560 * the List pointed to by "checkers" and has not been revoked, according to any |
606 * of the Revocation Checkers in the List pointed to by "revChecker". Checkers | 561 * of the Revocation Checkers in the List pointed to by "revChecker". Checkers |
(...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
669 * Address where a VerifyTree is stored, if non-NULL. | 624 * Address where a VerifyTree is stored, if non-NULL. |
670 * "plContext" | 625 * "plContext" |
671 * Platform-specific context pointer. | 626 * Platform-specific context pointer. |
672 * THREAD SAFETY: | 627 * THREAD SAFETY: |
673 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 628 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
674 * RETURNS: | 629 * RETURNS: |
675 * Returns NULL if the function succeeds. | 630 * Returns NULL if the function succeeds. |
676 * Returns a Validate Error if the function fails in a non-fatal way. | 631 * Returns a Validate Error if the function fails in a non-fatal way. |
677 * Returns a Fatal Error if the function fails in an unrecoverable way. | 632 * Returns a Fatal Error if the function fails in an unrecoverable way. |
678 */ | 633 */ |
679 PKIX_Error * | 634 PKIX_Error *pkix_CheckChain( |
680 pkix_CheckChain( | 635 PKIX_List *certs, PKIX_UInt32 numCerts, PKIX_TrustAnchor *anchor, |
681 PKIX_List *certs, | 636 PKIX_List *checkers, PKIX_RevocationChecker *revChecker, |
682 PKIX_UInt32 numCerts, | 637 PKIX_List *removeCheckedExtOIDs, PKIX_ProcessingParams *procParams, |
683 PKIX_TrustAnchor *anchor, | 638 PKIX_UInt32 *pCertCheckedIndex, PKIX_UInt32 *pCheckerIndex, |
684 PKIX_List *checkers, | 639 PKIX_Boolean *pRevChecking, PKIX_UInt32 *pReasonCode, void **pNBIOContext, |
685 PKIX_RevocationChecker *revChecker, | 640 PKIX_PL_PublicKey **pFinalSubjPubKey, PKIX_PolicyNode **pPolicyTree, |
686 PKIX_List *removeCheckedExtOIDs, | 641 PKIX_VerifyNode **pVerifyTree, void *plContext) { |
687 PKIX_ProcessingParams *procParams, | 642 PKIX_UInt32 j = 0; |
688 PKIX_UInt32 *pCertCheckedIndex, | 643 PKIX_Boolean revChecking = PKIX_FALSE; |
689 PKIX_UInt32 *pCheckerIndex, | 644 PKIX_Error *checkCertError = NULL; |
690 PKIX_Boolean *pRevChecking, | 645 void *nbioContext = NULL; |
691 PKIX_UInt32 *pReasonCode, | 646 PKIX_PL_Cert *cert = NULL; |
692 void **pNBIOContext, | 647 PKIX_PL_Cert *issuer = NULL; |
693 PKIX_PL_PublicKey **pFinalSubjPubKey, | 648 PKIX_PL_NssContext *nssContext = NULL; |
694 PKIX_PolicyNode **pPolicyTree, | 649 CERTCertList *certList = NULL; |
695 PKIX_VerifyNode **pVerifyTree, | 650 const CERTChainVerifyCallback *chainVerifyCallback = NULL; |
696 void *plContext) | 651 CERTCertificate *nssCert = NULL; |
697 { | |
698 PKIX_UInt32 j = 0; | |
699 PKIX_Boolean revChecking = PKIX_FALSE; | |
700 PKIX_Error *checkCertError = NULL; | |
701 void *nbioContext = NULL; | |
702 PKIX_PL_Cert *cert = NULL; | |
703 PKIX_PL_Cert *issuer = NULL; | |
704 PKIX_PL_NssContext *nssContext = NULL; | |
705 CERTCertList *certList = NULL; | |
706 const CERTChainVerifyCallback *chainVerifyCallback = NULL; | |
707 CERTCertificate *nssCert = NULL; | |
708 | 652 |
709 PKIX_ENTER(VALIDATE, "pkix_CheckChain"); | 653 PKIX_ENTER(VALIDATE, "pkix_CheckChain"); |
710 PKIX_NULLCHECK_FOUR(certs, checkers, revChecker, pCertCheckedIndex); | 654 PKIX_NULLCHECK_FOUR(certs, checkers, revChecker, pCertCheckedIndex); |
711 PKIX_NULLCHECK_FOUR(pCheckerIndex, pRevChecking, pReasonCode, anchor); | 655 PKIX_NULLCHECK_FOUR(pCheckerIndex, pRevChecking, pReasonCode, anchor); |
712 PKIX_NULLCHECK_THREE(pNBIOContext, pFinalSubjPubKey, pPolicyTree); | 656 PKIX_NULLCHECK_THREE(pNBIOContext, pFinalSubjPubKey, pPolicyTree); |
713 | 657 |
714 nbioContext = *pNBIOContext; | 658 nbioContext = *pNBIOContext; |
715 *pNBIOContext = NULL; | 659 *pNBIOContext = NULL; |
716 revChecking = *pRevChecking; | 660 revChecking = *pRevChecking; |
717 nssContext = (PKIX_PL_NssContext *)plContext; | 661 nssContext = (PKIX_PL_NssContext *)plContext; |
718 chainVerifyCallback = &nssContext->chainVerifyCallback; | 662 chainVerifyCallback = &nssContext->chainVerifyCallback; |
719 | 663 |
720 if (chainVerifyCallback->isChainValid != NULL) { | 664 if (chainVerifyCallback->isChainValid != NULL) { |
721 PRBool chainOK = PR_FALSE; /*assume failure*/ | 665 PRBool chainOK = PR_FALSE; /*assume failure*/ |
722 SECStatus rv; | 666 SECStatus rv; |
723 | 667 |
724 certList = CERT_NewCertList(); | 668 certList = CERT_NewCertList(); |
725 if (certList == NULL) { | 669 if (certList == NULL) { |
726 PKIX_ERROR_ALLOC_ERROR(); | 670 PKIX_ERROR_ALLOC_ERROR(); |
727 } | 671 } |
728 | 672 |
729 /* Add the trust anchor to the list */ | 673 /* Add the trust anchor to the list */ |
730 PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert | 674 PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert(anchor, &cert, plContext), |
731 (anchor, &cert, plContext), | 675 PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); |
732 PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); | |
733 | 676 |
734 PKIX_CHECK( | 677 PKIX_CHECK(PKIX_PL_Cert_GetCERTCertificate(cert, &nssCert, plContext), |
735 PKIX_PL_Cert_GetCERTCertificate(cert, &nssCert, plContex
t), | 678 PKIX_CERTGETCERTCERTIFICATEFAILED); |
736 PKIX_CERTGETCERTCERTIFICATEFAILED); | |
737 | 679 |
738 rv = CERT_AddCertToListHead(certList, nssCert); | 680 rv = CERT_AddCertToListHead(certList, nssCert); |
739 if (rv != SECSuccess) { | 681 if (rv != SECSuccess) { |
740 PKIX_ERROR_ALLOC_ERROR(); | 682 PKIX_ERROR_ALLOC_ERROR(); |
741 } | 683 } |
742 /* the certList takes ownership of nssCert on success */ | 684 /* the certList takes ownership of nssCert on success */ |
743 nssCert = NULL; | 685 nssCert = NULL; |
744 PKIX_DECREF(cert); | 686 PKIX_DECREF(cert); |
745 | 687 |
746 /* Add the rest of the chain to the list */ | 688 /* Add the rest of the chain to the list */ |
747 for (j = *pCertCheckedIndex; j < numCerts; j++) { | 689 for (j = *pCertCheckedIndex; j < numCerts; j++) { |
748 PKIX_CHECK(PKIX_List_GetItem( | 690 PKIX_CHECK( |
749 certs, j, (PKIX_PL_Object **)&cert, plContext), | 691 PKIX_List_GetItem(certs, j, (PKIX_PL_Object **)&cert, plContext), |
750 PKIX_LISTGETITEMFAILED); | 692 PKIX_LISTGETITEMFAILED); |
751 | 693 |
752 PKIX_CHECK( | 694 PKIX_CHECK(PKIX_PL_Cert_GetCERTCertificate(cert, &nssCert, plContext), |
753 PKIX_PL_Cert_GetCERTCertificate(cert, &nssCert,
plContext), | 695 PKIX_CERTGETCERTCERTIFICATEFAILED); |
754 PKIX_CERTGETCERTCERTIFICATEFAILED); | |
755 | 696 |
756 rv = CERT_AddCertToListHead(certList, nssCert); | 697 rv = CERT_AddCertToListHead(certList, nssCert); |
757 if (rv != SECSuccess) { | 698 if (rv != SECSuccess) { |
758 PKIX_ERROR_ALLOC_ERROR(); | 699 PKIX_ERROR_ALLOC_ERROR(); |
759 } | 700 } |
760 /* the certList takes ownership of nssCert on success */ | 701 /* the certList takes ownership of nssCert on success */ |
761 nssCert = NULL; | 702 nssCert = NULL; |
762 PKIX_DECREF(cert); | 703 PKIX_DECREF(cert); |
763 } | 704 } |
764 | 705 |
765 rv = (*chainVerifyCallback->isChainValid) | 706 rv = (*chainVerifyCallback->isChainValid)( |
766 (chainVerifyCallback->isChainValidArg, certList, &chainOK); | 707 chainVerifyCallback->isChainValidArg, certList, &chainOK); |
767 if (rv != SECSuccess) { | 708 if (rv != SECSuccess) { |
768 PKIX_ERROR_FATAL(PKIX_CHAINVERIFYCALLBACKFAILED); | 709 PKIX_ERROR_FATAL(PKIX_CHAINVERIFYCALLBACKFAILED); |
769 } | 710 } |
770 | 711 |
771 if (!chainOK) { | 712 if (!chainOK) { |
772 PKIX_ERROR(PKIX_CHAINVERIFYCALLBACKFAILED); | 713 PKIX_ERROR(PKIX_CHAINVERIFYCALLBACKFAILED); |
773 } | 714 } |
| 715 } |
774 | 716 |
| 717 PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert(anchor, &cert, plContext), |
| 718 PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); |
| 719 |
| 720 for (j = *pCertCheckedIndex; j < numCerts; j++) { |
| 721 |
| 722 PORT_Assert(cert); |
| 723 PKIX_DECREF(issuer); |
| 724 issuer = cert; |
| 725 cert = NULL; |
| 726 |
| 727 PKIX_CHECK(PKIX_List_GetItem(certs, j, (PKIX_PL_Object **)&cert, plContext), |
| 728 PKIX_LISTGETITEMFAILED); |
| 729 |
| 730 /* check if cert pointer is valid */ |
| 731 PORT_Assert(cert); |
| 732 if (cert == NULL) { |
| 733 continue; |
| 734 } |
| 735 |
| 736 if (revChecking == PKIX_FALSE) { |
| 737 |
| 738 PKIX_CHECK(pkix_CheckCert(cert, checkers, removeCheckedExtOIDs, |
| 739 pCheckerIndex, &nbioContext, plContext), |
| 740 PKIX_CHECKCERTFAILED); |
| 741 |
| 742 if (nbioContext != NULL) { |
| 743 *pCertCheckedIndex = j; |
| 744 *pRevChecking = revChecking; |
| 745 *pNBIOContext = nbioContext; |
| 746 goto cleanup; |
| 747 } |
| 748 |
| 749 revChecking = PKIX_TRUE; |
| 750 *pCheckerIndex = 0; |
| 751 } |
| 752 |
| 753 if (revChecking == PKIX_TRUE) { |
| 754 PKIX_RevocationStatus revStatus; |
| 755 pkixErrorResult = PKIX_RevocationChecker_Check( |
| 756 cert, issuer, revChecker, procParams, PKIX_TRUE, |
| 757 (j == numCerts - 1) ? PKIX_TRUE : PKIX_FALSE, &revStatus, pReasonCode, |
| 758 &nbioContext, plContext); |
| 759 if (nbioContext != NULL) { |
| 760 *pCertCheckedIndex = j; |
| 761 *pRevChecking = revChecking; |
| 762 *pNBIOContext = nbioContext; |
| 763 goto cleanup; |
| 764 } |
| 765 if (revStatus == PKIX_RevStatus_Revoked || pkixErrorResult) { |
| 766 if (!pkixErrorResult) { |
| 767 /* if pkixErrorResult is returned then |
| 768 * use it as it has a detailed revocation |
| 769 * error code. Otherwise create a new error */ |
| 770 PKIX_ERROR_CREATE(VALIDATE, PKIX_CERTIFICATEREVOKED, pkixErrorResult); |
775 } | 771 } |
| 772 goto cleanup; |
| 773 } |
| 774 revChecking = PKIX_FALSE; |
| 775 *pCheckerIndex = 0; |
| 776 } |
776 | 777 |
777 PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert | 778 PKIX_CHECK(pkix_AddToVerifyLog(cert, j, NULL, pVerifyTree, plContext), |
778 (anchor, &cert, plContext), | 779 PKIX_ADDTOVERIFYLOGFAILED); |
779 PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); | 780 } |
780 | 781 |
781 for (j = *pCertCheckedIndex; j < numCerts; j++) { | 782 PKIX_CHECK( |
| 783 pkix_RetrieveOutputs(checkers, pFinalSubjPubKey, pPolicyTree, plContext), |
| 784 PKIX_RETRIEVEOUTPUTSFAILED); |
782 | 785 |
783 PORT_Assert(cert); | 786 *pNBIOContext = NULL; |
784 PKIX_DECREF(issuer); | |
785 issuer = cert; | |
786 cert = NULL; | |
787 | |
788 PKIX_CHECK(PKIX_List_GetItem( | |
789 certs, j, (PKIX_PL_Object **)&cert, plContext), | |
790 PKIX_LISTGETITEMFAILED); | |
791 ················ | |
792 /* check if cert pointer is valid */ | |
793 PORT_Assert(cert); | |
794 if (cert == NULL) { | |
795 continue; | |
796 } | |
797 | |
798 if (revChecking == PKIX_FALSE) { | |
799 | |
800 PKIX_CHECK(pkix_CheckCert | |
801 (cert, | |
802 checkers, | |
803 removeCheckedExtOIDs, | |
804 pCheckerIndex, | |
805 &nbioContext, | |
806 plContext), | |
807 PKIX_CHECKCERTFAILED); | |
808 | |
809 if (nbioContext != NULL) { | |
810 *pCertCheckedIndex = j; | |
811 *pRevChecking = revChecking; | |
812 *pNBIOContext = nbioContext; | |
813 goto cleanup; | |
814 } | |
815 | |
816 revChecking = PKIX_TRUE; | |
817 *pCheckerIndex = 0; | |
818 } | |
819 | |
820 if (revChecking == PKIX_TRUE) { | |
821 PKIX_RevocationStatus revStatus; | |
822 pkixErrorResult = | |
823 PKIX_RevocationChecker_Check( | |
824 cert, issuer, revChecker, | |
825 procParams, PKIX_TRUE, | |
826 (j == numCerts - 1) ? PKIX_TRUE : PKIX_FAL
SE, | |
827 &revStatus, pReasonCode, | |
828 &nbioContext, plContext); | |
829 if (nbioContext != NULL) { | |
830 *pCertCheckedIndex = j; | |
831 *pRevChecking = revChecking; | |
832 *pNBIOContext = nbioContext; | |
833 goto cleanup; | |
834 } | |
835 if (revStatus == PKIX_RevStatus_Revoked || | |
836 pkixErrorResult) { | |
837 if (!pkixErrorResult) { | |
838 /* if pkixErrorResult is returned then | |
839 * use it as it has a detailed revocation | |
840 * error code. Otherwise create a new error */ | |
841 PKIX_ERROR_CREATE(VALIDATE, | |
842 PKIX_CERTIFICATEREVOKED, | |
843 pkixErrorResult); | |
844 } | |
845 goto cleanup; | |
846 } | |
847 revChecking = PKIX_FALSE; | |
848 *pCheckerIndex = 0; | |
849 } | |
850 | |
851 PKIX_CHECK(pkix_AddToVerifyLog | |
852 (cert, j, NULL, pVerifyTree, plContext), | |
853 PKIX_ADDTOVERIFYLOGFAILED); | |
854 } | |
855 | |
856 PKIX_CHECK(pkix_RetrieveOutputs | |
857 (checkers, pFinalSubjPubKey, pPolicyTree, plContext), | |
858 PKIX_RETRIEVEOUTPUTSFAILED); | |
859 | |
860 *pNBIOContext = NULL; | |
861 | 787 |
862 cleanup: | 788 cleanup: |
863 if (PKIX_ERROR_RECEIVED && cert) { | 789 if (PKIX_ERROR_RECEIVED && cert) { |
864 checkCertError = pkixErrorResult; | 790 checkCertError = pkixErrorResult; |
865 | 791 |
866 PKIX_CHECK_FATAL( | 792 PKIX_CHECK_FATAL( |
867 pkix_AddToVerifyLog(cert, j, checkCertError, pVerifyTree, | 793 pkix_AddToVerifyLog(cert, j, checkCertError, pVerifyTree, plContext), |
868 plContext), | 794 PKIX_ADDTOVERIFYLOGFAILED); |
869 PKIX_ADDTOVERIFYLOGFAILED); | 795 pkixErrorResult = checkCertError; |
870 pkixErrorResult = checkCertError; | 796 pkixErrorCode = pkixErrorResult->errCode; |
871 pkixErrorCode = pkixErrorResult->errCode; | 797 checkCertError = NULL; |
872 checkCertError = NULL; | 798 } |
873 } | |
874 | 799 |
875 fatal: | 800 fatal: |
876 if (nssCert) { | 801 if (nssCert) { |
877 CERT_DestroyCertificate(nssCert); | 802 CERT_DestroyCertificate(nssCert); |
878 } | 803 } |
879 | 804 |
880 if (certList) { | 805 if (certList) { |
881 CERT_DestroyCertList(certList); | 806 CERT_DestroyCertList(certList); |
882 } | 807 } |
883 | 808 |
884 PKIX_DECREF(checkCertError); | 809 PKIX_DECREF(checkCertError); |
885 PKIX_DECREF(cert); | 810 PKIX_DECREF(cert); |
886 PKIX_DECREF(issuer); | 811 PKIX_DECREF(issuer); |
887 | 812 |
888 PKIX_RETURN(VALIDATE); | 813 PKIX_RETURN(VALIDATE); |
889 } | 814 } |
890 | 815 |
891 /* | 816 /* |
892 * FUNCTION: pkix_ExtractParameters | 817 * FUNCTION: pkix_ExtractParameters |
893 * DESCRIPTION: | 818 * DESCRIPTION: |
894 * | 819 * |
895 * Extracts several parameters from the ValidateParams object pointed to by | 820 * Extracts several parameters from the ValidateParams object pointed to by |
896 * "valParams" and stores the CertChain at "pChain", the List of Certs at | 821 * "valParams" and stores the CertChain at "pChain", the List of Certs at |
897 * "pCerts", the number of Certs in the chain at "pNumCerts", the | 822 * "pCerts", the number of Certs in the chain at "pNumCerts", the |
898 * ProcessingParams object at "pProcParams", the List of TrustAnchors at | 823 * ProcessingParams object at "pProcParams", the List of TrustAnchors at |
(...skipping 18 matching lines...) Expand all Loading... |
917 * Address where number of Anchors will be stored. Must be non-NULL. | 842 * Address where number of Anchors will be stored. Must be non-NULL. |
918 * "plContext" | 843 * "plContext" |
919 * Platform-specific context pointer. | 844 * Platform-specific context pointer. |
920 * THREAD SAFETY: | 845 * THREAD SAFETY: |
921 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 846 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
922 * RETURNS: | 847 * RETURNS: |
923 * Returns NULL if the function succeeds. | 848 * Returns NULL if the function succeeds. |
924 * Returns a Validate Error if the function fails in a non-fatal way. | 849 * Returns a Validate Error if the function fails in a non-fatal way. |
925 * Returns a Fatal Error if the function fails in an unrecoverable way. | 850 * Returns a Fatal Error if the function fails in an unrecoverable way. |
926 */ | 851 */ |
927 static PKIX_Error * | 852 static PKIX_Error *pkix_ExtractParameters( |
928 pkix_ExtractParameters( | 853 PKIX_ValidateParams *valParams, PKIX_List **pCerts, PKIX_UInt32 *pNumCerts, |
929 PKIX_ValidateParams *valParams, | 854 PKIX_ProcessingParams **pProcParams, PKIX_List **pAnchors, |
930 PKIX_List **pCerts, | 855 PKIX_UInt32 *pNumAnchors, void *plContext) { |
931 PKIX_UInt32 *pNumCerts, | 856 PKIX_ENTER(VALIDATE, "pkix_ExtractParameters"); |
932 PKIX_ProcessingParams **pProcParams, | 857 PKIX_NULLCHECK_THREE(valParams, pCerts, pNumCerts); |
933 PKIX_List **pAnchors, | 858 PKIX_NULLCHECK_THREE(pProcParams, pAnchors, pNumAnchors); |
934 PKIX_UInt32 *pNumAnchors, | 859 |
935 void *plContext) | 860 /* extract relevant parameters from chain */ |
936 { | 861 PKIX_CHECK(PKIX_ValidateParams_GetCertChain(valParams, pCerts, plContext), |
937 PKIX_ENTER(VALIDATE, "pkix_ExtractParameters"); | 862 PKIX_VALIDATEPARAMSGETCERTCHAINFAILED); |
938 PKIX_NULLCHECK_THREE(valParams, pCerts, pNumCerts); | 863 |
939 PKIX_NULLCHECK_THREE(pProcParams, pAnchors, pNumAnchors); | 864 PKIX_CHECK(PKIX_List_GetLength(*pCerts, pNumCerts, plContext), |
940 | 865 PKIX_LISTGETLENGTHFAILED); |
941 /* extract relevant parameters from chain */ | 866 |
942 PKIX_CHECK(PKIX_ValidateParams_GetCertChain | 867 /* extract relevant parameters from procParams */ |
943 (valParams, pCerts, plContext), | 868 PKIX_CHECK(PKIX_ValidateParams_GetProcessingParams(valParams, pProcParams, |
944 PKIX_VALIDATEPARAMSGETCERTCHAINFAILED); | 869 plContext), |
945 | 870 PKIX_VALIDATEPARAMSGETPROCESSINGPARAMSFAILED); |
946 PKIX_CHECK(PKIX_List_GetLength(*pCerts, pNumCerts, plContext), | 871 |
947 PKIX_LISTGETLENGTHFAILED); | 872 PKIX_CHECK( |
948 | 873 PKIX_ProcessingParams_GetTrustAnchors(*pProcParams, pAnchors, plContext), |
949 /* extract relevant parameters from procParams */ | 874 PKIX_PROCESSINGPARAMSGETTRUSTANCHORSFAILED); |
950 PKIX_CHECK(PKIX_ValidateParams_GetProcessingParams | 875 |
951 (valParams, pProcParams, plContext), | 876 PKIX_CHECK(PKIX_List_GetLength(*pAnchors, pNumAnchors, plContext), |
952 PKIX_VALIDATEPARAMSGETPROCESSINGPARAMSFAILED); | 877 PKIX_LISTGETLENGTHFAILED); |
953 | |
954 PKIX_CHECK(PKIX_ProcessingParams_GetTrustAnchors | |
955 (*pProcParams, pAnchors, plContext), | |
956 PKIX_PROCESSINGPARAMSGETTRUSTANCHORSFAILED); | |
957 | |
958 PKIX_CHECK(PKIX_List_GetLength(*pAnchors, pNumAnchors, plContext), | |
959 PKIX_LISTGETLENGTHFAILED); | |
960 | 878 |
961 cleanup: | 879 cleanup: |
962 | 880 |
963 PKIX_RETURN(VALIDATE); | 881 PKIX_RETURN(VALIDATE); |
964 } | 882 } |
965 | 883 |
966 /* --Public-Functions--------------------------------------------- */ | 884 /* --Public-Functions--------------------------------------------- */ |
967 | 885 |
968 /* | 886 /* |
969 * FUNCTION: PKIX_ValidateChain (see comments in pkix.h) | 887 * FUNCTION: PKIX_ValidateChain (see comments in pkix.h) |
970 */ | 888 */ |
971 PKIX_Error * | 889 PKIX_Error *PKIX_ValidateChain(PKIX_ValidateParams *valParams, |
972 PKIX_ValidateChain( | 890 PKIX_ValidateResult **pResult, |
973 PKIX_ValidateParams *valParams, | 891 PKIX_VerifyNode **pVerifyTree, void *plContext) { |
974 PKIX_ValidateResult **pResult, | 892 PKIX_Error *chainFailed = NULL; |
975 PKIX_VerifyNode **pVerifyTree, | 893 |
976 void *plContext) | 894 PKIX_ProcessingParams *procParams = NULL; |
977 { | 895 PKIX_CertChainChecker *userChecker = NULL; |
978 PKIX_Error *chainFailed = NULL; | 896 PKIX_RevocationChecker *revChecker = NULL; |
979 | 897 PKIX_List *certs = NULL; |
980 PKIX_ProcessingParams *procParams = NULL; | 898 PKIX_List *checkers = NULL; |
981 PKIX_CertChainChecker *userChecker = NULL; | 899 PKIX_List *anchors = NULL; |
982 PKIX_RevocationChecker *revChecker = NULL; | 900 PKIX_List *userCheckers = NULL; |
983 PKIX_List *certs = NULL; | 901 PKIX_List *userCheckerExtOIDs = NULL; |
984 PKIX_List *checkers = NULL; | 902 PKIX_List *validateCheckedCritExtOIDsList = NULL; |
985 PKIX_List *anchors = NULL; | 903 PKIX_TrustAnchor *anchor = NULL; |
986 PKIX_List *userCheckers = NULL; | 904 PKIX_ValidateResult *valResult = NULL; |
987 PKIX_List *userCheckerExtOIDs = NULL; | 905 PKIX_PL_PublicKey *finalPubKey = NULL; |
988 PKIX_List *validateCheckedCritExtOIDsList = NULL; | 906 PKIX_PolicyNode *validPolicyTree = NULL; |
989 PKIX_TrustAnchor *anchor = NULL; | 907 PKIX_Boolean supportForwarding = PKIX_FALSE; |
990 PKIX_ValidateResult *valResult = NULL; | 908 PKIX_Boolean revChecking = PKIX_FALSE; |
991 PKIX_PL_PublicKey *finalPubKey = NULL; | 909 PKIX_UInt32 i, numCerts, numAnchors; |
992 PKIX_PolicyNode *validPolicyTree = NULL; | 910 PKIX_UInt32 numUserCheckers = 0; |
993 PKIX_Boolean supportForwarding = PKIX_FALSE; | 911 PKIX_UInt32 certCheckedIndex = 0; |
994 PKIX_Boolean revChecking = PKIX_FALSE; | 912 PKIX_UInt32 checkerIndex = 0; |
995 PKIX_UInt32 i, numCerts, numAnchors; | 913 PKIX_UInt32 reasonCode = 0; |
996 PKIX_UInt32 numUserCheckers = 0; | 914 void *nbioContext = NULL; |
997 PKIX_UInt32 certCheckedIndex = 0; | 915 |
998 PKIX_UInt32 checkerIndex = 0; | 916 PKIX_ENTER(VALIDATE, "PKIX_ValidateChain"); |
999 PKIX_UInt32 reasonCode = 0; | 917 PKIX_NULLCHECK_TWO(valParams, pResult); |
1000 void *nbioContext = NULL; | 918 |
1001 | 919 /* extract various parameters from valParams */ |
1002 PKIX_ENTER(VALIDATE, "PKIX_ValidateChain"); | 920 PKIX_CHECK(pkix_ExtractParameters(valParams, &certs, &numCerts, &procParams, |
1003 PKIX_NULLCHECK_TWO(valParams, pResult); | 921 &anchors, &numAnchors, plContext), |
1004 | 922 PKIX_EXTRACTPARAMETERSFAILED); |
1005 /* extract various parameters from valParams */ | 923 |
1006 PKIX_CHECK(pkix_ExtractParameters | 924 /* |
1007 (valParams, | 925 * setup an extension OID list that user had defined for his checker |
1008 &certs, | 926 * processing. User checker is not responsible for taking out OIDs |
1009 &numCerts, | 927 * from unresolved critical extension list as the libpkix checker |
1010 &procParams, | 928 * is doing. Here we add those user checkers' OIDs to the removal |
1011 &anchors, | 929 * list to be taken out by CheckChain |
1012 &numAnchors, | 930 */ |
1013 plContext), | 931 PKIX_CHECK(PKIX_ProcessingParams_GetCertChainCheckers( |
1014 PKIX_EXTRACTPARAMETERSFAILED); | 932 procParams, &userCheckers, plContext), |
1015 | 933 PKIX_PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED); |
1016 /* | 934 |
1017 * setup an extension OID list that user had defined for his checker | 935 if (userCheckers != NULL) { |
1018 * processing. User checker is not responsible for taking out OIDs | 936 |
1019 * from unresolved critical extension list as the libpkix checker | 937 PKIX_CHECK(PKIX_List_Create(&validateCheckedCritExtOIDsList, plContext), |
1020 * is doing. Here we add those user checkers' OIDs to the removal | 938 PKIX_LISTCREATEFAILED); |
1021 * list to be taken out by CheckChain | 939 |
1022 */ | 940 PKIX_CHECK(PKIX_List_GetLength(userCheckers, &numUserCheckers, plContext), |
1023 PKIX_CHECK(PKIX_ProcessingParams_GetCertChainCheckers | 941 PKIX_LISTGETLENGTHFAILED); |
1024 (procParams, &userCheckers, plContext), | 942 |
1025 PKIX_PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED); | 943 for (i = 0; i < numUserCheckers; i++) { |
1026 | 944 |
1027 if (userCheckers != NULL) { | 945 PKIX_CHECK(PKIX_List_GetItem(userCheckers, i, |
1028 | 946 (PKIX_PL_Object **)&userChecker, plContext), |
1029 PKIX_CHECK(PKIX_List_Create | 947 PKIX_LISTGETITEMFAILED); |
1030 (&validateCheckedCritExtOIDsList, | 948 |
1031 plContext), | 949 PKIX_CHECK(PKIX_CertChainChecker_IsForwardCheckingSupported( |
1032 PKIX_LISTCREATEFAILED); | 950 userChecker, &supportForwarding, plContext), |
1033 | 951 PKIX_CERTCHAINCHECKERISFORWARDCHECKINGSUPPORTEDFAILED); |
1034 PKIX_CHECK(PKIX_List_GetLength | 952 |
1035 (userCheckers, &numUserCheckers, plContext), | 953 if (supportForwarding == PKIX_FALSE) { |
1036 PKIX_LISTGETLENGTHFAILED); | 954 |
1037 | 955 PKIX_CHECK(PKIX_CertChainChecker_GetSupportedExtensions( |
1038 for (i = 0; i < numUserCheckers; i++) { | 956 userChecker, &userCheckerExtOIDs, plContext), |
1039 | 957 PKIX_CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED); |
1040 PKIX_CHECK(PKIX_List_GetItem | 958 |
1041 (userCheckers, | 959 if (userCheckerExtOIDs != NULL) { |
1042 i, | 960 PKIX_CHECK(pkix_List_AppendList(validateCheckedCritExtOIDsList, |
1043 (PKIX_PL_Object **) &userChecker, | 961 userCheckerExtOIDs, plContext), |
1044 plContext), | 962 PKIX_LISTAPPENDLISTFAILED); |
1045 PKIX_LISTGETITEMFAILED); | |
1046 | |
1047 PKIX_CHECK | |
1048 (PKIX_CertChainChecker_IsForwardCheckingSupported | |
1049 (userChecker, &supportForwarding, plContext), | |
1050 PKIX_CERTCHAINCHECKERISFORWARDCHECKINGSUPPORTEDFAILED); | |
1051 | |
1052 if (supportForwarding == PKIX_FALSE) { | |
1053 | |
1054 PKIX_CHECK | |
1055 (PKIX_CertChainChecker_GetSupportedExtensions | |
1056 (userChecker, &userCheckerExtOIDs, plContext), | |
1057 PKIX_CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED); | |
1058 | |
1059 if (userCheckerExtOIDs != NULL) { | |
1060 PKIX_CHECK(pkix_List_AppendList | |
1061 (validateCheckedCritExtOIDsList, | |
1062 userCheckerExtOIDs, | |
1063 plContext), | |
1064 PKIX_LISTAPPENDLISTFAILED); | |
1065 } | |
1066 } | |
1067 | |
1068 PKIX_DECREF(userCheckerExtOIDs); | |
1069 PKIX_DECREF(userChecker); | |
1070 } | |
1071 } | 963 } |
1072 | 964 } |
1073 PKIX_CHECK(PKIX_ProcessingParams_GetRevocationChecker | 965 |
1074 (procParams, &revChecker, plContext), | 966 PKIX_DECREF(userCheckerExtOIDs); |
1075 PKIX_PROCESSINGPARAMSGETREVOCATIONCHECKERFAILED); | 967 PKIX_DECREF(userChecker); |
1076 | 968 } |
1077 /* try to validate the chain with each anchor */ | 969 } |
1078 for (i = 0; i < numAnchors; i++){ | 970 |
1079 | 971 PKIX_CHECK(PKIX_ProcessingParams_GetRevocationChecker(procParams, &revChecker, |
1080 /* get trust anchor */ | 972 plContext), |
1081 PKIX_CHECK(PKIX_List_GetItem | 973 PKIX_PROCESSINGPARAMSGETREVOCATIONCHECKERFAILED); |
1082 (anchors, i, (PKIX_PL_Object **)&anchor, plContext), | 974 |
1083 PKIX_LISTGETITEMFAILED); | 975 /* try to validate the chain with each anchor */ |
1084 | 976 for (i = 0; i < numAnchors; i++) { |
1085 /* initialize checkers using information from trust anchor */ | 977 |
1086 PKIX_CHECK(pkix_InitializeCheckers | 978 /* get trust anchor */ |
1087 (anchor, procParams, numCerts, &checkers, plContext), | 979 PKIX_CHECK( |
1088 PKIX_INITIALIZECHECKERSFAILED); | 980 PKIX_List_GetItem(anchors, i, (PKIX_PL_Object **)&anchor, plContext), |
1089 | 981 PKIX_LISTGETITEMFAILED); |
1090 /* | 982 |
1091 * Validate the chain using this trust anchor and these | 983 /* initialize checkers using information from trust anchor */ |
1092 * checkers. (WARNING: checkers that use non-blocking I/O | 984 PKIX_CHECK(pkix_InitializeCheckers(anchor, procParams, numCerts, &checkers, |
1093 * are not currently supported.) | 985 plContext), |
1094 */ | 986 PKIX_INITIALIZECHECKERSFAILED); |
1095 certCheckedIndex = 0; | 987 |
1096 checkerIndex = 0; | 988 /* |
1097 revChecking = PKIX_FALSE; | 989 * Validate the chain using this trust anchor and these |
1098 chainFailed = pkix_CheckChain | 990 * checkers. (WARNING: checkers that use non-blocking I/O |
1099 (certs, | 991 * are not currently supported.) |
1100 numCerts, | 992 */ |
1101 anchor, | 993 certCheckedIndex = 0; |
1102 checkers, | 994 checkerIndex = 0; |
1103 revChecker, | 995 revChecking = PKIX_FALSE; |
1104 validateCheckedCritExtOIDsList, | 996 chainFailed = pkix_CheckChain( |
1105 procParams, | 997 certs, numCerts, anchor, checkers, revChecker, |
1106 &certCheckedIndex, | 998 validateCheckedCritExtOIDsList, procParams, &certCheckedIndex, |
1107 &checkerIndex, | 999 &checkerIndex, &revChecking, &reasonCode, &nbioContext, &finalPubKey, |
1108 &revChecking, | 1000 &validPolicyTree, pVerifyTree, plContext); |
1109 &reasonCode, | 1001 |
1110 &nbioContext, | 1002 if (chainFailed) { |
1111 &finalPubKey, | 1003 |
1112 &validPolicyTree, | 1004 /* cert chain failed to validate */ |
1113 pVerifyTree, | 1005 |
1114 plContext); | 1006 PKIX_DECREF(chainFailed); |
1115 | 1007 PKIX_DECREF(anchor); |
1116 if (chainFailed) { | 1008 PKIX_DECREF(checkers); |
1117 | 1009 PKIX_DECREF(validPolicyTree); |
1118 /* cert chain failed to validate */ | 1010 |
1119 | 1011 /* if last anchor, we fail; else, we try next anchor */ |
1120 PKIX_DECREF(chainFailed); | 1012 if (i == (numAnchors - 1)) {/* last anchor */ |
1121 PKIX_DECREF(anchor); | 1013 PKIX_ERROR(PKIX_VALIDATECHAINFAILED); |
1122 PKIX_DECREF(checkers); | 1014 } |
1123 PKIX_DECREF(validPolicyTree); | 1015 |
1124 | 1016 } else { |
1125 /* if last anchor, we fail; else, we try next anchor */ | 1017 |
1126 if (i == (numAnchors - 1)) { /* last anchor */ | 1018 /* XXX Remove this assertion after 2014-12-31. |
1127 PKIX_ERROR(PKIX_VALIDATECHAINFAILED); | 1019 * See bug 946984. */ |
1128 } | 1020 PORT_Assert(reasonCode == 0); |
1129 | 1021 |
1130 } else { | 1022 /* cert chain successfully validated! */ |
1131 | 1023 PKIX_CHECK( |
1132 /* XXX Remove this assertion after 2014-12-31. | 1024 pkix_ValidateResult_Create(finalPubKey, anchor, validPolicyTree, |
1133 * See bug 946984. */ | 1025 &valResult, plContext), |
1134 PORT_Assert(reasonCode == 0); | 1026 PKIX_VALIDATERESULTCREATEFAILED); |
1135 | 1027 |
1136 /* cert chain successfully validated! */ | 1028 *pResult = valResult; |
1137 PKIX_CHECK(pkix_ValidateResult_Create | 1029 |
1138 (finalPubKey, | 1030 /* no need to try any more anchors in the loop */ |
1139 anchor, | 1031 goto cleanup; |
1140 validPolicyTree, | 1032 } |
1141 &valResult, | 1033 } |
1142 plContext), | |
1143 PKIX_VALIDATERESULTCREATEFAILED); | |
1144 | |
1145 *pResult = valResult; | |
1146 | |
1147 /* no need to try any more anchors in the loop */ | |
1148 goto cleanup; | |
1149 } | |
1150 } | |
1151 | 1034 |
1152 cleanup: | 1035 cleanup: |
1153 | 1036 |
1154 PKIX_DECREF(finalPubKey); | 1037 PKIX_DECREF(finalPubKey); |
1155 PKIX_DECREF(certs); | 1038 PKIX_DECREF(certs); |
1156 PKIX_DECREF(anchors); | 1039 PKIX_DECREF(anchors); |
1157 PKIX_DECREF(anchor); | 1040 PKIX_DECREF(anchor); |
1158 PKIX_DECREF(checkers); | 1041 PKIX_DECREF(checkers); |
1159 PKIX_DECREF(revChecker); | 1042 PKIX_DECREF(revChecker); |
1160 PKIX_DECREF(validPolicyTree); | 1043 PKIX_DECREF(validPolicyTree); |
1161 PKIX_DECREF(chainFailed); | 1044 PKIX_DECREF(chainFailed); |
1162 PKIX_DECREF(procParams); | 1045 PKIX_DECREF(procParams); |
1163 PKIX_DECREF(userCheckers); | 1046 PKIX_DECREF(userCheckers); |
1164 PKIX_DECREF(validateCheckedCritExtOIDsList); | 1047 PKIX_DECREF(validateCheckedCritExtOIDsList); |
1165 | 1048 |
1166 PKIX_RETURN(VALIDATE); | 1049 PKIX_RETURN(VALIDATE); |
1167 } | 1050 } |
1168 | 1051 |
1169 /* | 1052 /* |
1170 * FUNCTION: pkix_Validate_BuildUserOIDs | 1053 * FUNCTION: pkix_Validate_BuildUserOIDs |
1171 * DESCRIPTION: | 1054 * DESCRIPTION: |
1172 * | 1055 * |
1173 * This function creates a List of the OIDs that are processed by the user | 1056 * This function creates a List of the OIDs that are processed by the user |
1174 * checkers in the List pointed to by "userCheckers", storing the resulting | 1057 * checkers in the List pointed to by "userCheckers", storing the resulting |
1175 * List at "pUserCritOIDs". If the List of userCheckers is NULL, the output | 1058 * List at "pUserCritOIDs". If the List of userCheckers is NULL, the output |
1176 * List will be NULL. Otherwise the output List will be non-NULL, but may be | 1059 * List will be NULL. Otherwise the output List will be non-NULL, but may be |
1177 * empty. | 1060 * empty. |
1178 * | 1061 * |
1179 * PARAMETERS: | 1062 * PARAMETERS: |
1180 * "userCheckers" | 1063 * "userCheckers" |
1181 * The address of the List of userCheckers. | 1064 * The address of the List of userCheckers. |
1182 * "pUserCritOIDs" | 1065 * "pUserCritOIDs" |
1183 * The address at which the List is stored. Must be non-NULL. | 1066 * The address at which the List is stored. Must be non-NULL. |
1184 * "plContext" | 1067 * "plContext" |
1185 * Platform-specific context pointer. | 1068 * Platform-specific context pointer. |
1186 * THREAD SAFETY: | 1069 * THREAD SAFETY: |
1187 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) | 1070 * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
1188 * RETURNS: | 1071 * RETURNS: |
1189 * Returns NULL if the function succeeds. | 1072 * Returns NULL if the function succeeds. |
1190 * Returns a VALIDATE Error if the function fails in a non-fatal way. | 1073 * Returns a VALIDATE Error if the function fails in a non-fatal way. |
1191 * Returns a Fatal Error if the function fails in an unrecoverable way. | 1074 * Returns a Fatal Error if the function fails in an unrecoverable way. |
1192 */ | 1075 */ |
1193 static PKIX_Error * | 1076 static PKIX_Error *pkix_Validate_BuildUserOIDs(PKIX_List *userCheckers, |
1194 pkix_Validate_BuildUserOIDs( | 1077 PKIX_List **pUserCritOIDs, |
1195 PKIX_List *userCheckers, | 1078 void *plContext) { |
1196 PKIX_List **pUserCritOIDs, | 1079 PKIX_UInt32 numUserCheckers = 0; |
1197 void *plContext) | 1080 PKIX_UInt32 i = 0; |
1198 { | 1081 PKIX_List *userCritOIDs = NULL; |
1199 PKIX_UInt32 numUserCheckers = 0; | 1082 PKIX_List *userCheckerExtOIDs = NULL; |
1200 PKIX_UInt32 i = 0; | 1083 PKIX_Boolean supportForwarding = PKIX_FALSE; |
1201 PKIX_List *userCritOIDs = NULL; | 1084 PKIX_CertChainChecker *userChecker = NULL; |
1202 PKIX_List *userCheckerExtOIDs = NULL; | 1085 |
1203 PKIX_Boolean supportForwarding = PKIX_FALSE; | 1086 PKIX_ENTER(VALIDATE, "pkix_Validate_BuildUserOIDs"); |
1204 PKIX_CertChainChecker *userChecker = NULL; | 1087 PKIX_NULLCHECK_ONE(pUserCritOIDs); |
1205 | 1088 |
1206 PKIX_ENTER(VALIDATE, "pkix_Validate_BuildUserOIDs"); | 1089 if (userCheckers != NULL) { |
1207 PKIX_NULLCHECK_ONE(pUserCritOIDs); | 1090 PKIX_CHECK(PKIX_List_Create(&userCritOIDs, plContext), |
1208 | 1091 PKIX_LISTCREATEFAILED); |
1209 if (userCheckers != NULL) { | 1092 |
1210 PKIX_CHECK(PKIX_List_Create(&userCritOIDs, plContext), | 1093 PKIX_CHECK(PKIX_List_GetLength(userCheckers, &numUserCheckers, plContext), |
1211 PKIX_LISTCREATEFAILED); | 1094 PKIX_LISTGETLENGTHFAILED); |
1212 | 1095 |
1213 PKIX_CHECK(PKIX_List_GetLength | 1096 for (i = 0; i < numUserCheckers; i++) { |
1214 (userCheckers, &numUserCheckers, plContext), | 1097 PKIX_CHECK(PKIX_List_GetItem(userCheckers, i, |
1215 PKIX_LISTGETLENGTHFAILED); | 1098 (PKIX_PL_Object **)&userChecker, plContext), |
1216 | 1099 PKIX_LISTGETITEMFAILED); |
1217 for (i = 0; i < numUserCheckers; i++) { | 1100 |
1218 PKIX_CHECK(PKIX_List_GetItem | 1101 PKIX_CHECK(PKIX_CertChainChecker_IsForwardCheckingSupported( |
1219 (userCheckers, | 1102 userChecker, &supportForwarding, plContext), |
1220 i, | 1103 PKIX_CERTCHAINCHECKERISFORWARDCHECKINGSUPPORTEDFAILED); |
1221 (PKIX_PL_Object **) &userChecker, | 1104 |
1222 plContext), | 1105 if (supportForwarding == PKIX_FALSE) { |
1223 PKIX_LISTGETITEMFAILED); | 1106 |
1224 | 1107 PKIX_CHECK(PKIX_CertChainChecker_GetSupportedExtensions( |
1225 PKIX_CHECK(PKIX_CertChainChecker_IsForwardCheckingSupported | 1108 userChecker, &userCheckerExtOIDs, plContext), |
1226 (userChecker, &supportForwarding, plContext), | 1109 PKIX_CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED); |
1227 PKIX_CERTCHAINCHECKERISFORWARDCHECKINGSUPPORTEDFAILED); | 1110 |
1228 | 1111 if (userCheckerExtOIDs != NULL) { |
1229 if (supportForwarding == PKIX_FALSE) { | 1112 PKIX_CHECK( |
1230 | 1113 pkix_List_AppendList(userCritOIDs, userCheckerExtOIDs, plContext), |
1231 PKIX_CHECK(PKIX_CertChainChecker_GetSupportedExtensions | 1114 PKIX_LISTAPPENDLISTFAILED); |
1232 (userChecker, &userCheckerExtOIDs, plContext), | |
1233 PKIX_CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED); | |
1234 | |
1235 if (userCheckerExtOIDs != NULL) { | |
1236 PKIX_CHECK(pkix_List_AppendList | |
1237 (userCritOIDs, userCheckerExtOIDs, plContext), | |
1238 PKIX_LISTAPPENDLISTFAILED); | |
1239 } | |
1240 } | |
1241 | |
1242 PKIX_DECREF(userCheckerExtOIDs); | |
1243 PKIX_DECREF(userChecker); | |
1244 } | |
1245 } | 1115 } |
1246 | 1116 } |
1247 *pUserCritOIDs = userCritOIDs; | 1117 |
| 1118 PKIX_DECREF(userCheckerExtOIDs); |
| 1119 PKIX_DECREF(userChecker); |
| 1120 } |
| 1121 } |
| 1122 |
| 1123 *pUserCritOIDs = userCritOIDs; |
1248 | 1124 |
1249 cleanup: | 1125 cleanup: |
1250 | 1126 |
1251 if (PKIX_ERROR_RECEIVED){ | 1127 if (PKIX_ERROR_RECEIVED) { |
1252 PKIX_DECREF(userCritOIDs); | 1128 PKIX_DECREF(userCritOIDs); |
1253 } | 1129 } |
1254 | 1130 |
1255 PKIX_DECREF(userCheckerExtOIDs); | 1131 PKIX_DECREF(userCheckerExtOIDs); |
1256 PKIX_DECREF(userChecker); | 1132 PKIX_DECREF(userChecker); |
1257 | 1133 |
1258 PKIX_RETURN(VALIDATE); | 1134 PKIX_RETURN(VALIDATE); |
1259 } | 1135 } |
1260 | 1136 |
1261 /* | 1137 /* |
1262 * FUNCTION: PKIX_ValidateChain_nb (see comments in pkix.h) | 1138 * FUNCTION: PKIX_ValidateChain_nb (see comments in pkix.h) |
1263 */ | 1139 */ |
1264 PKIX_Error * | 1140 PKIX_Error *PKIX_ValidateChain_NB( |
1265 PKIX_ValidateChain_NB( | 1141 PKIX_ValidateParams *valParams, PKIX_UInt32 *pCertIndex, |
1266 PKIX_ValidateParams *valParams, | 1142 PKIX_UInt32 *pAnchorIndex, PKIX_UInt32 *pCheckerIndex, |
1267 PKIX_UInt32 *pCertIndex, | 1143 PKIX_Boolean *pRevChecking, PKIX_List **pCheckers, void **pNBIOContext, |
1268 PKIX_UInt32 *pAnchorIndex, | 1144 PKIX_ValidateResult **pResult, PKIX_VerifyNode **pVerifyTree, |
1269 PKIX_UInt32 *pCheckerIndex, | 1145 void *plContext) { |
1270 PKIX_Boolean *pRevChecking, | 1146 PKIX_UInt32 numCerts = 0; |
1271 PKIX_List **pCheckers, | 1147 PKIX_UInt32 numAnchors = 0; |
1272 void **pNBIOContext, | 1148 PKIX_UInt32 i = 0; |
1273 PKIX_ValidateResult **pResult, | 1149 PKIX_UInt32 certIndex = 0; |
1274 PKIX_VerifyNode **pVerifyTree, | 1150 PKIX_UInt32 anchorIndex = 0; |
1275 void *plContext) | 1151 PKIX_UInt32 checkerIndex = 0; |
1276 { | 1152 PKIX_UInt32 reasonCode = 0; |
1277 PKIX_UInt32 numCerts = 0; | 1153 PKIX_Boolean revChecking = PKIX_FALSE; |
1278 PKIX_UInt32 numAnchors = 0; | 1154 PKIX_List *certs = NULL; |
1279 PKIX_UInt32 i = 0; | 1155 PKIX_List *anchors = NULL; |
1280 PKIX_UInt32 certIndex = 0; | 1156 PKIX_List *checkers = NULL; |
1281 PKIX_UInt32 anchorIndex = 0; | 1157 PKIX_List *userCheckers = NULL; |
1282 PKIX_UInt32 checkerIndex = 0; | 1158 PKIX_List *validateCheckedCritExtOIDsList = NULL; |
1283 PKIX_UInt32 reasonCode = 0; | 1159 PKIX_TrustAnchor *anchor = NULL; |
1284 PKIX_Boolean revChecking = PKIX_FALSE; | 1160 PKIX_ValidateResult *valResult = NULL; |
1285 PKIX_List *certs = NULL; | 1161 PKIX_PL_PublicKey *finalPubKey = NULL; |
1286 PKIX_List *anchors = NULL; | 1162 PKIX_PolicyNode *validPolicyTree = NULL; |
1287 PKIX_List *checkers = NULL; | 1163 PKIX_ProcessingParams *procParams = NULL; |
1288 PKIX_List *userCheckers = NULL; | 1164 PKIX_RevocationChecker *revChecker = NULL; |
1289 PKIX_List *validateCheckedCritExtOIDsList = NULL; | 1165 PKIX_Error *chainFailed = NULL; |
1290 PKIX_TrustAnchor *anchor = NULL; | 1166 void *nbioContext = NULL; |
1291 PKIX_ValidateResult *valResult = NULL; | 1167 |
1292 PKIX_PL_PublicKey *finalPubKey = NULL; | 1168 PKIX_ENTER(VALIDATE, "PKIX_ValidateChain_NB"); |
1293 PKIX_PolicyNode *validPolicyTree = NULL; | 1169 PKIX_NULLCHECK_FOUR(valParams, pCertIndex, pAnchorIndex, pCheckerIndex); |
1294 PKIX_ProcessingParams *procParams = NULL; | 1170 PKIX_NULLCHECK_FOUR(pRevChecking, pCheckers, pNBIOContext, pResult); |
1295 PKIX_RevocationChecker *revChecker = NULL; | 1171 |
1296 PKIX_Error *chainFailed = NULL; | 1172 nbioContext = *pNBIOContext; |
1297 void *nbioContext = NULL; | 1173 *pNBIOContext = NULL; |
1298 | 1174 |
1299 PKIX_ENTER(VALIDATE, "PKIX_ValidateChain_NB"); | 1175 /* extract various parameters from valParams */ |
1300 PKIX_NULLCHECK_FOUR | 1176 PKIX_CHECK(pkix_ExtractParameters(valParams, &certs, &numCerts, &procParams, |
1301 (valParams, pCertIndex, pAnchorIndex, pCheckerIndex); | 1177 &anchors, &numAnchors, plContext), |
1302 PKIX_NULLCHECK_FOUR(pRevChecking, pCheckers, pNBIOContext, pResult); | 1178 PKIX_EXTRACTPARAMETERSFAILED); |
1303 | 1179 |
1304 nbioContext = *pNBIOContext; | 1180 /* |
1305 *pNBIOContext = NULL; | 1181 * Create a List of the OIDs that will be processed by the user |
1306 | 1182 * checkers. User checkers are not responsible for removing OIDs from |
1307 /* extract various parameters from valParams */ | 1183 * the List of unresolved critical extensions, as libpkix checkers are. |
1308 PKIX_CHECK(pkix_ExtractParameters | 1184 * So we add those user checkers' OIDs to the removal list to be taken |
1309 (valParams, | 1185 * out by CheckChain. |
1310 &certs, | 1186 */ |
1311 &numCerts, | 1187 PKIX_CHECK(PKIX_ProcessingParams_GetCertChainCheckers( |
1312 &procParams, | 1188 procParams, &userCheckers, plContext), |
1313 &anchors, | 1189 PKIX_PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED); |
1314 &numAnchors, | 1190 |
1315 plContext), | 1191 PKIX_CHECK(pkix_Validate_BuildUserOIDs( |
1316 PKIX_EXTRACTPARAMETERSFAILED); | 1192 userCheckers, &validateCheckedCritExtOIDsList, plContext), |
1317 | 1193 PKIX_VALIDATEBUILDUSEROIDSFAILED); |
1318 /* | 1194 |
1319 * Create a List of the OIDs that will be processed by the user | 1195 PKIX_CHECK(PKIX_ProcessingParams_GetRevocationChecker(procParams, &revChecker, |
1320 * checkers. User checkers are not responsible for removing OIDs from | 1196 plContext), |
1321 * the List of unresolved critical extensions, as libpkix checkers are. | 1197 PKIX_PROCESSINGPARAMSGETREVOCATIONCHECKERFAILED); |
1322 * So we add those user checkers' OIDs to the removal list to be taken | 1198 |
1323 * out by CheckChain. | 1199 /* Are we resuming after a WOULDBLOCK return, or starting anew ? */ |
1324 */ | 1200 if (nbioContext != NULL) { |
1325 PKIX_CHECK(PKIX_ProcessingParams_GetCertChainCheckers | 1201 /* Resuming */ |
1326 (procParams, &userCheckers, plContext), | 1202 certIndex = *pCertIndex; |
1327 PKIX_PROCESSINGPARAMSGETCERTCHAINCHECKERSFAILED); | 1203 anchorIndex = *pAnchorIndex; |
1328 | 1204 checkerIndex = *pCheckerIndex; |
1329 PKIX_CHECK(pkix_Validate_BuildUserOIDs | 1205 revChecking = *pRevChecking; |
1330 (userCheckers, &validateCheckedCritExtOIDsList, plContext), | 1206 checkers = *pCheckers; |
1331 PKIX_VALIDATEBUILDUSEROIDSFAILED); | 1207 *pCheckers = NULL; |
1332 | 1208 } |
1333 PKIX_CHECK(PKIX_ProcessingParams_GetRevocationChecker | 1209 |
1334 (procParams, &revChecker, plContext), | 1210 /* try to validate the chain with each anchor */ |
1335 PKIX_PROCESSINGPARAMSGETREVOCATIONCHECKERFAILED); | 1211 for (i = anchorIndex; i < numAnchors; i++) { |
1336 | 1212 |
1337 /* Are we resuming after a WOULDBLOCK return, or starting anew ? */ | 1213 /* get trust anchor */ |
1338 if (nbioContext != NULL) { | 1214 PKIX_CHECK( |
1339 /* Resuming */ | 1215 PKIX_List_GetItem(anchors, i, (PKIX_PL_Object **)&anchor, plContext), |
1340 certIndex = *pCertIndex; | 1216 PKIX_LISTGETITEMFAILED); |
1341 anchorIndex = *pAnchorIndex; | 1217 |
1342 checkerIndex = *pCheckerIndex; | 1218 /* initialize checkers using information from trust anchor */ |
1343 revChecking = *pRevChecking; | 1219 if (nbioContext == NULL) { |
1344 checkers = *pCheckers; | 1220 PKIX_CHECK(pkix_InitializeCheckers(anchor, procParams, numCerts, |
1345 *pCheckers = NULL; | 1221 &checkers, plContext), |
1346 } | 1222 PKIX_INITIALIZECHECKERSFAILED); |
1347 | 1223 } |
1348 /* try to validate the chain with each anchor */ | 1224 |
1349 for (i = anchorIndex; i < numAnchors; i++) { | 1225 /* |
1350 | 1226 * Validate the chain using this trust anchor and these |
1351 /* get trust anchor */ | 1227 * checkers. |
1352 PKIX_CHECK(PKIX_List_GetItem | 1228 */ |
1353 (anchors, i, (PKIX_PL_Object **)&anchor, plContext), | 1229 chainFailed = |
1354 PKIX_LISTGETITEMFAILED); | 1230 pkix_CheckChain(certs, numCerts, anchor, checkers, revChecker, |
1355 | 1231 validateCheckedCritExtOIDsList, procParams, &certIndex, |
1356 /* initialize checkers using information from trust anchor */ | 1232 &checkerIndex, &revChecking, &reasonCode, &nbioContext, |
1357 if (nbioContext == NULL) { | 1233 &finalPubKey, &validPolicyTree, pVerifyTree, plContext); |
1358 PKIX_CHECK(pkix_InitializeCheckers | 1234 |
1359 (anchor, | 1235 if (nbioContext != NULL) { |
1360 procParams, | 1236 *pCertIndex = certIndex; |
1361 numCerts, | 1237 *pAnchorIndex = anchorIndex; |
1362 &checkers, | 1238 *pCheckerIndex = checkerIndex; |
1363 plContext), | 1239 *pRevChecking = revChecking; |
1364 PKIX_INITIALIZECHECKERSFAILED); | 1240 PKIX_INCREF(checkers); |
1365 } | 1241 *pCheckers = checkers; |
1366 | 1242 *pNBIOContext = nbioContext; |
1367 /* | 1243 goto cleanup; |
1368 * Validate the chain using this trust anchor and these | 1244 } |
1369 * checkers. | 1245 |
1370 */ | 1246 if (chainFailed) { |
1371 chainFailed = pkix_CheckChain | 1247 |
1372 (certs, | 1248 /* cert chain failed to validate */ |
1373 numCerts, | 1249 |
1374 anchor, | 1250 PKIX_DECREF(chainFailed); |
1375 checkers, | 1251 PKIX_DECREF(anchor); |
1376 revChecker, | 1252 PKIX_DECREF(checkers); |
1377 validateCheckedCritExtOIDsList, | 1253 PKIX_DECREF(validPolicyTree); |
1378 procParams, | 1254 |
1379 &certIndex, | 1255 /* if last anchor, we fail; else, we try next anchor */ |
1380 &checkerIndex, | 1256 if (i == (numAnchors - 1)) {/* last anchor */ |
1381 &revChecking, | 1257 PKIX_ERROR(PKIX_VALIDATECHAINFAILED); |
1382 &reasonCode, | 1258 } |
1383 &nbioContext, | 1259 |
1384 &finalPubKey, | 1260 } else { |
1385 &validPolicyTree, | 1261 |
1386 pVerifyTree, | 1262 /* XXX Remove this assertion after 2014-12-31. |
1387 plContext); | 1263 * See bug 946984. */ |
1388 | 1264 PORT_Assert(reasonCode == 0); |
1389 if (nbioContext != NULL) { | 1265 |
1390 *pCertIndex = certIndex; | 1266 /* cert chain successfully validated! */ |
1391 *pAnchorIndex = anchorIndex; | 1267 PKIX_CHECK( |
1392 *pCheckerIndex = checkerIndex; | 1268 pkix_ValidateResult_Create(finalPubKey, anchor, validPolicyTree, |
1393 *pRevChecking = revChecking; | 1269 &valResult, plContext), |
1394 PKIX_INCREF(checkers); | 1270 PKIX_VALIDATERESULTCREATEFAILED); |
1395 *pCheckers = checkers; | 1271 |
1396 *pNBIOContext = nbioContext; | 1272 *pResult = valResult; |
1397 goto cleanup; | 1273 |
1398 } | 1274 /* no need to try any more anchors in the loop */ |
1399 | 1275 goto cleanup; |
1400 if (chainFailed) { | 1276 } |
1401 | 1277 } |
1402 /* cert chain failed to validate */ | |
1403 | |
1404 PKIX_DECREF(chainFailed); | |
1405 PKIX_DECREF(anchor); | |
1406 PKIX_DECREF(checkers); | |
1407 PKIX_DECREF(validPolicyTree); | |
1408 | |
1409 /* if last anchor, we fail; else, we try next anchor */ | |
1410 if (i == (numAnchors - 1)) { /* last anchor */ | |
1411 PKIX_ERROR(PKIX_VALIDATECHAINFAILED); | |
1412 } | |
1413 | |
1414 } else { | |
1415 | |
1416 /* XXX Remove this assertion after 2014-12-31. | |
1417 * See bug 946984. */ | |
1418 PORT_Assert(reasonCode == 0); | |
1419 | |
1420 /* cert chain successfully validated! */ | |
1421 PKIX_CHECK(pkix_ValidateResult_Create | |
1422 (finalPubKey, | |
1423 anchor, | |
1424 validPolicyTree, | |
1425 &valResult, | |
1426 plContext), | |
1427 PKIX_VALIDATERESULTCREATEFAILED); | |
1428 | |
1429 *pResult = valResult; | |
1430 | |
1431 /* no need to try any more anchors in the loop */ | |
1432 goto cleanup; | |
1433 } | |
1434 } | |
1435 | 1278 |
1436 cleanup: | 1279 cleanup: |
1437 | 1280 |
1438 PKIX_DECREF(finalPubKey); | 1281 PKIX_DECREF(finalPubKey); |
1439 PKIX_DECREF(certs); | 1282 PKIX_DECREF(certs); |
1440 PKIX_DECREF(anchors); | 1283 PKIX_DECREF(anchors); |
1441 PKIX_DECREF(anchor); | 1284 PKIX_DECREF(anchor); |
1442 PKIX_DECREF(checkers); | 1285 PKIX_DECREF(checkers); |
1443 PKIX_DECREF(revChecker); | 1286 PKIX_DECREF(revChecker); |
1444 PKIX_DECREF(validPolicyTree); | 1287 PKIX_DECREF(validPolicyTree); |
1445 PKIX_DECREF(chainFailed); | 1288 PKIX_DECREF(chainFailed); |
1446 PKIX_DECREF(procParams); | 1289 PKIX_DECREF(procParams); |
1447 PKIX_DECREF(userCheckers); | 1290 PKIX_DECREF(userCheckers); |
1448 PKIX_DECREF(validateCheckedCritExtOIDsList); | 1291 PKIX_DECREF(validateCheckedCritExtOIDsList); |
1449 | 1292 |
1450 PKIX_RETURN(VALIDATE); | 1293 PKIX_RETURN(VALIDATE); |
1451 } | 1294 } |
OLD | NEW |