Index: lib/certhigh/certvfypkix.c |
=================================================================== |
--- a/lib/certhigh/certvfypkix.c |
+++ b/lib/certhigh/certvfypkix.c |
@@ -7,43 +7,40 @@ |
* PKIX - NSS proxy functions |
* |
* NOTE: All structures, functions, data types are parts of library private |
* api and are subjects to change in any following releases. |
* |
*/ |
#include "prerror.h" |
#include "prprf.h" |
- |
+ |
#include "nspr.h" |
#include "pk11func.h" |
#include "certdb.h" |
#include "cert.h" |
#include "secerr.h" |
#include "nssb64.h" |
#include "secasn1.h" |
#include "secder.h" |
#include "pkit.h" |
#include "pkix_pl_common.h" |
extern PRLogModuleInfo *pkixLog; |
#ifdef PKIX_OBJECT_LEAK_TEST |
-extern PKIX_UInt32 |
-pkix_pl_lifecycle_ObjectLeakCheck(int *); |
+extern PKIX_UInt32 pkix_pl_lifecycle_ObjectLeakCheck(int *); |
-extern SECStatus |
-pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable); |
+extern SECStatus pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable); |
PRInt32 parallelFnInvocationCount; |
#endif /* PKIX_OBJECT_LEAK_TEST */ |
- |
static PRBool usePKIXValidationEngine = PR_FALSE; |
/* |
* FUNCTION: CERT_SetUsePKIXForValidation |
* DESCRIPTION: |
* |
* Enables or disables use of libpkix for certificate validation |
* |
@@ -51,42 +48,36 @@ static PRBool usePKIXValidationEngine = |
* "enable" |
* PR_TRUE: enables use of libpkix for cert validation. |
* PR_FALSE: disables. |
* THREAD SAFETY: |
* NOT Thread Safe. |
* RETURNS: |
* Returns SECSuccess if successfully enabled |
*/ |
-SECStatus |
-CERT_SetUsePKIXForValidation(PRBool enable) |
-{ |
- usePKIXValidationEngine = (enable > 0) ? PR_TRUE : PR_FALSE; |
- return SECSuccess; |
+SECStatus CERT_SetUsePKIXForValidation(PRBool enable) { |
+ usePKIXValidationEngine = (enable > 0) ? PR_TRUE : PR_FALSE; |
+ return SECSuccess; |
} |
/* |
* FUNCTION: CERT_GetUsePKIXForValidation |
* DESCRIPTION: |
* |
* Checks if libpkix building function should be use for certificate |
* chain building. |
* |
* PARAMETERS: |
* NONE |
* THREAD SAFETY: |
* NOT Thread Safe |
* RETURNS: |
* Returns PR_TRUE if libpkix should be used. PR_FALSE otherwise. |
*/ |
-PRBool |
-CERT_GetUsePKIXForValidation() |
-{ |
- return usePKIXValidationEngine; |
-} |
+PRBool CERT_GetUsePKIXForValidation() { return usePKIXValidationEngine; } |
#ifdef NOTDEF |
/* |
* FUNCTION: cert_NssKeyUsagesToPkix |
* DESCRIPTION: |
* |
* Converts nss key usage bit field(PRUint32) to pkix key usage |
* bit field. |
@@ -99,196 +90,178 @@ CERT_GetUsePKIXForValidation() |
* "plContext" |
* Platform-specific context pointer. |
* THREAD SAFETY: |
* Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
* RETURNS: |
* Returns NULL if the function succeeds. |
* Returns a Fatal Error if the function fails in an unrecoverable way. |
*/ |
-static PKIX_Error* |
-cert_NssKeyUsagesToPkix( |
- PRUint32 nssKeyUsage, |
- PKIX_UInt32 *pPkixKeyUsage, |
- void *plContext) |
-{ |
- PKIX_UInt32 pkixKeyUsage = 0; |
+static PKIX_Error *cert_NssKeyUsagesToPkix(PRUint32 nssKeyUsage, |
+ PKIX_UInt32 *pPkixKeyUsage, |
+ void *plContext) { |
+ PKIX_UInt32 pkixKeyUsage = 0; |
- PKIX_ENTER(CERTVFYPKIX, "cert_NssKeyUsagesToPkix"); |
- PKIX_NULLCHECK_ONE(pPkixKeyUsage); |
+ PKIX_ENTER(CERTVFYPKIX, "cert_NssKeyUsagesToPkix"); |
+ PKIX_NULLCHECK_ONE(pPkixKeyUsage); |
- *pPkixKeyUsage = 0; |
+ *pPkixKeyUsage = 0; |
- if (nssKeyUsage & KU_DIGITAL_SIGNATURE) { |
- pkixKeyUsage |= PKIX_DIGITAL_SIGNATURE; |
- } |
- |
- if (nssKeyUsage & KU_NON_REPUDIATION) { |
- pkixKeyUsage |= PKIX_NON_REPUDIATION; |
- } |
+ if (nssKeyUsage & KU_DIGITAL_SIGNATURE) { |
+ pkixKeyUsage |= PKIX_DIGITAL_SIGNATURE; |
+ } |
- if (nssKeyUsage & KU_KEY_ENCIPHERMENT) { |
- pkixKeyUsage |= PKIX_KEY_ENCIPHERMENT; |
- } |
- |
- if (nssKeyUsage & KU_DATA_ENCIPHERMENT) { |
- pkixKeyUsage |= PKIX_DATA_ENCIPHERMENT; |
- } |
- |
- if (nssKeyUsage & KU_KEY_AGREEMENT) { |
- pkixKeyUsage |= PKIX_KEY_AGREEMENT; |
- } |
- |
- if (nssKeyUsage & KU_KEY_CERT_SIGN) { |
- pkixKeyUsage |= PKIX_KEY_CERT_SIGN; |
- } |
- |
- if (nssKeyUsage & KU_CRL_SIGN) { |
- pkixKeyUsage |= PKIX_CRL_SIGN; |
- } |
+ if (nssKeyUsage & KU_NON_REPUDIATION) { |
+ pkixKeyUsage |= PKIX_NON_REPUDIATION; |
+ } |
- if (nssKeyUsage & KU_ENCIPHER_ONLY) { |
- pkixKeyUsage |= PKIX_ENCIPHER_ONLY; |
- } |
- |
- /* Not supported. XXX we should support this once it is |
- * fixed in NSS */ |
- /* pkixKeyUsage |= PKIX_DECIPHER_ONLY; */ |
+ if (nssKeyUsage & KU_KEY_ENCIPHERMENT) { |
+ pkixKeyUsage |= PKIX_KEY_ENCIPHERMENT; |
+ } |
- *pPkixKeyUsage = pkixKeyUsage; |
+ if (nssKeyUsage & KU_DATA_ENCIPHERMENT) { |
+ pkixKeyUsage |= PKIX_DATA_ENCIPHERMENT; |
+ } |
- PKIX_RETURN(CERTVFYPKIX); |
+ if (nssKeyUsage & KU_KEY_AGREEMENT) { |
+ pkixKeyUsage |= PKIX_KEY_AGREEMENT; |
+ } |
+ |
+ if (nssKeyUsage & KU_KEY_CERT_SIGN) { |
+ pkixKeyUsage |= PKIX_KEY_CERT_SIGN; |
+ } |
+ |
+ if (nssKeyUsage & KU_CRL_SIGN) { |
+ pkixKeyUsage |= PKIX_CRL_SIGN; |
+ } |
+ |
+ if (nssKeyUsage & KU_ENCIPHER_ONLY) { |
+ pkixKeyUsage |= PKIX_ENCIPHER_ONLY; |
+ } |
+ |
+ /* Not supported. XXX we should support this once it is |
+ * fixed in NSS */ |
+ /* pkixKeyUsage |= PKIX_DECIPHER_ONLY; */ |
+ |
+ *pPkixKeyUsage = pkixKeyUsage; |
+ |
+ PKIX_RETURN(CERTVFYPKIX); |
} |
extern SECOidTag ekuOidStrings[]; |
enum { |
- ekuIndexSSLServer = 0, |
- ekuIndexSSLClient, |
- ekuIndexCodeSigner, |
- ekuIndexEmail, |
- ekuIndexTimeStamp, |
- ekuIndexStatusResponder, |
- ekuIndexUnknown |
+ ekuIndexSSLServer = 0, |
+ ekuIndexSSLClient, |
+ ekuIndexCodeSigner, |
+ ekuIndexEmail, |
+ ekuIndexTimeStamp, |
+ ekuIndexStatusResponder, |
+ ekuIndexUnknown |
} ekuIndex; |
typedef struct { |
- SECCertUsage certUsage; |
- PRUint32 ekuStringIndex; |
+ SECCertUsage certUsage; |
+ PRUint32 ekuStringIndex; |
} SECCertUsageToEku; |
const SECCertUsageToEku certUsageEkuStringMap[] = { |
- {certUsageSSLClient, ekuIndexSSLClient}, |
- {certUsageSSLServer, ekuIndexSSLServer}, |
- {certUsageSSLCA, ekuIndexSSLServer}, |
- {certUsageEmailSigner, ekuIndexEmail}, |
- {certUsageEmailRecipient, ekuIndexEmail}, |
- {certUsageObjectSigner, ekuIndexCodeSigner}, |
- {certUsageUserCertImport, ekuIndexUnknown}, |
- {certUsageVerifyCA, ekuIndexUnknown}, |
+ {certUsageSSLClient, ekuIndexSSLClient}, |
+ {certUsageSSLServer, ekuIndexSSLServer}, |
+ {certUsageSSLCA, ekuIndexSSLServer}, |
+ {certUsageEmailSigner, ekuIndexEmail}, |
+ {certUsageEmailRecipient, ekuIndexEmail}, |
+ {certUsageObjectSigner, ekuIndexCodeSigner}, |
+ {certUsageUserCertImport, ekuIndexUnknown}, |
+ {certUsageVerifyCA, ekuIndexUnknown}, |
{certUsageProtectedObjectSigner, ekuIndexUnknown}, |
- {certUsageStatusResponder, ekuIndexStatusResponder}, |
- {certUsageAnyCA, ekuIndexUnknown}, |
-}; |
+ {certUsageStatusResponder, ekuIndexStatusResponder}, |
+ {certUsageAnyCA, ekuIndexUnknown}, }; |
/* |
* FUNCTION: cert_NssCertificateUsageToPkixKUAndEKU |
* DESCRIPTION: |
* |
* Converts nss CERTCertificateUsage bit field to pkix key and |
* extended key usages. |
* |
* PARAMETERS: |
* "cert" |
* Pointer to CERTCertificate structure of validating cert. |
* "requiredCertUsages" |
- * Required usage that will be converted to pkix eku and ku. |
+ * Required usage that will be converted to pkix eku and ku. |
* "requiredKeyUsage", |
* Additional key usages impose to cert. |
* "isCA", |
- * it true, convert usages for cert that is a CA cert. |
+ * it true, convert usages for cert that is a CA cert. |
* "ppkixEKUList" |
* Returned address of a list of pkix extended key usages. |
* "ppkixKU" |
- * Returned address of pkix required key usages bit field. |
+ * Returned address of pkix required key usages bit field. |
* "plContext" |
* Platform-specific context pointer. |
* THREAD SAFETY: |
* Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
* RETURNS: |
* Returns NULL if the function succeeds. |
* Returns a Cert Verify Error if the function fails in an unrecoverable way. |
* Returns a Fatal Error if the function fails in an unrecoverable way. |
*/ |
-static PKIX_Error* |
-cert_NssCertificateUsageToPkixKUAndEKU( |
- CERTCertificate *cert, |
- SECCertUsage requiredCertUsage, |
- PRUint32 requiredKeyUsages, |
- PRBool isCA, |
- PKIX_List **ppkixEKUList, |
- PKIX_UInt32 *ppkixKU, |
- void *plContext) |
-{ |
- PKIX_List *ekuOidsList = NULL; |
- PKIX_PL_OID *ekuOid = NULL; |
- int i = 0; |
- int ekuIndex = ekuIndexUnknown; |
+static PKIX_Error *cert_NssCertificateUsageToPkixKUAndEKU( |
+ CERTCertificate *cert, SECCertUsage requiredCertUsage, |
+ PRUint32 requiredKeyUsages, PRBool isCA, PKIX_List **ppkixEKUList, |
+ PKIX_UInt32 *ppkixKU, void *plContext) { |
+ PKIX_List *ekuOidsList = NULL; |
+ PKIX_PL_OID *ekuOid = NULL; |
+ int i = 0; |
+ int ekuIndex = ekuIndexUnknown; |
- PKIX_ENTER(CERTVFYPKIX, "cert_NssCertificateUsageToPkixEku"); |
- PKIX_NULLCHECK_TWO(ppkixEKUList, ppkixKU); |
- |
- PKIX_CHECK( |
- PKIX_List_Create(&ekuOidsList, plContext), |
- PKIX_LISTCREATEFAILED); |
+ PKIX_ENTER(CERTVFYPKIX, "cert_NssCertificateUsageToPkixEku"); |
+ PKIX_NULLCHECK_TWO(ppkixEKUList, ppkixKU); |
- for (;i < PR_ARRAY_SIZE(certUsageEkuStringMap);i++) { |
- const SECCertUsageToEku *usageToEkuElem = |
- &certUsageEkuStringMap[i]; |
- if (usageToEkuElem->certUsage == requiredCertUsage) { |
- ekuIndex = usageToEkuElem->ekuStringIndex; |
- break; |
- } |
+ PKIX_CHECK(PKIX_List_Create(&ekuOidsList, plContext), PKIX_LISTCREATEFAILED); |
+ |
+ for (; i < PR_ARRAY_SIZE(certUsageEkuStringMap); i++) { |
+ const SECCertUsageToEku *usageToEkuElem = &certUsageEkuStringMap[i]; |
+ if (usageToEkuElem->certUsage == requiredCertUsage) { |
+ ekuIndex = usageToEkuElem->ekuStringIndex; |
+ break; |
} |
- if (ekuIndex != ekuIndexUnknown) { |
- PRUint32 reqKeyUsage = 0; |
- PRUint32 reqCertType = 0; |
+ } |
+ if (ekuIndex != ekuIndexUnknown) { |
+ PRUint32 reqKeyUsage = 0; |
+ PRUint32 reqCertType = 0; |
- CERT_KeyUsageAndTypeForCertUsage(requiredCertUsage, isCA, |
- &reqKeyUsage, |
- &reqCertType); |
- |
- requiredKeyUsages |= reqKeyUsage; |
- |
- PKIX_CHECK( |
- PKIX_PL_OID_Create(ekuOidStrings[ekuIndex], &ekuOid, |
- plContext), |
- PKIX_OIDCREATEFAILED); |
- |
- PKIX_CHECK( |
- PKIX_List_AppendItem(ekuOidsList, (PKIX_PL_Object *)ekuOid, |
- plContext), |
- PKIX_LISTAPPENDITEMFAILED); |
- |
- PKIX_DECREF(ekuOid); |
- } |
+ CERT_KeyUsageAndTypeForCertUsage(requiredCertUsage, isCA, &reqKeyUsage, |
+ &reqCertType); |
+ |
+ requiredKeyUsages |= reqKeyUsage; |
+ |
+ PKIX_CHECK(PKIX_PL_OID_Create(ekuOidStrings[ekuIndex], &ekuOid, plContext), |
+ PKIX_OIDCREATEFAILED); |
PKIX_CHECK( |
- cert_NssKeyUsagesToPkix(requiredKeyUsages, ppkixKU, plContext), |
- PKIX_NSSCERTIFICATEUSAGETOPKIXKUANDEKUFAILED); |
+ PKIX_List_AppendItem(ekuOidsList, (PKIX_PL_Object *)ekuOid, plContext), |
+ PKIX_LISTAPPENDITEMFAILED); |
- *ppkixEKUList = ekuOidsList; |
- ekuOidsList = NULL; |
+ PKIX_DECREF(ekuOid); |
+ } |
+ |
+ PKIX_CHECK(cert_NssKeyUsagesToPkix(requiredKeyUsages, ppkixKU, plContext), |
+ PKIX_NSSCERTIFICATEUSAGETOPKIXKUANDEKUFAILED); |
+ |
+ *ppkixEKUList = ekuOidsList; |
+ ekuOidsList = NULL; |
cleanup: |
- |
- PKIX_DECREF(ekuOid); |
- PKIX_DECREF(ekuOidsList); |
- PKIX_RETURN(CERTVFYPKIX); |
+ PKIX_DECREF(ekuOid); |
+ PKIX_DECREF(ekuOidsList); |
+ |
+ PKIX_RETURN(CERTVFYPKIX); |
} |
#endif |
/* |
* FUNCTION: cert_ProcessingParamsSetKeyAndCertUsage |
* DESCRIPTION: |
* |
@@ -308,61 +281,52 @@ cleanup: |
* Platform-specific context pointer. |
* THREAD SAFETY: |
* Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
* RETURNS: |
* Returns NULL if the function succeeds. |
* Returns a Cert Verify Error if the function fails in an unrecoverable way. |
* Returns a Fatal Error if the function fails in an unrecoverable way. |
*/ |
-static PKIX_Error* |
-cert_ProcessingParamsSetKeyAndCertUsage( |
- PKIX_ProcessingParams *procParams, |
- SECCertUsage requiredCertUsage, |
- PRUint32 requiredKeyUsages, |
- void *plContext) |
-{ |
- PKIX_CertSelector *certSelector = NULL; |
- PKIX_ComCertSelParams *certSelParams = NULL; |
- PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext*)plContext; |
- |
- PKIX_ENTER(CERTVFYPKIX, "cert_ProcessingParamsSetKeyAndCertUsage"); |
- PKIX_NULLCHECK_TWO(procParams, nssContext); |
- |
- PKIX_CHECK( |
- pkix_pl_NssContext_SetCertUsage( |
- ((SECCertificateUsage)1) << requiredCertUsage, nssContext), |
- PKIX_NSSCONTEXTSETCERTUSAGEFAILED); |
+static PKIX_Error *cert_ProcessingParamsSetKeyAndCertUsage( |
+ PKIX_ProcessingParams *procParams, SECCertUsage requiredCertUsage, |
+ PRUint32 requiredKeyUsages, void *plContext) { |
+ PKIX_CertSelector *certSelector = NULL; |
+ PKIX_ComCertSelParams *certSelParams = NULL; |
+ PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext; |
- if (requiredKeyUsages) { |
- PKIX_CHECK( |
- PKIX_ProcessingParams_GetTargetCertConstraints(procParams, |
- &certSelector, plContext), |
- PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED); |
- |
- PKIX_CHECK( |
- PKIX_CertSelector_GetCommonCertSelectorParams(certSelector, |
- &certSelParams, plContext), |
- PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED); |
- |
- |
- PKIX_CHECK( |
- PKIX_ComCertSelParams_SetKeyUsage(certSelParams, requiredKeyUsages, |
- plContext), |
- PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED); |
- } |
+ PKIX_ENTER(CERTVFYPKIX, "cert_ProcessingParamsSetKeyAndCertUsage"); |
+ PKIX_NULLCHECK_TWO(procParams, nssContext); |
+ |
+ PKIX_CHECK(pkix_pl_NssContext_SetCertUsage( |
+ ((SECCertificateUsage)1) << requiredCertUsage, nssContext), |
+ PKIX_NSSCONTEXTSETCERTUSAGEFAILED); |
+ |
+ if (requiredKeyUsages) { |
+ PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints( |
+ procParams, &certSelector, plContext), |
+ PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED); |
+ |
+ PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams( |
+ certSelector, &certSelParams, plContext), |
+ PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED); |
+ |
+ PKIX_CHECK(PKIX_ComCertSelParams_SetKeyUsage(certSelParams, |
+ requiredKeyUsages, plContext), |
+ PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED); |
+ } |
cleanup: |
- PKIX_DECREF(certSelector); |
- PKIX_DECREF(certSelParams); |
+ PKIX_DECREF(certSelector); |
+ PKIX_DECREF(certSelParams); |
- PKIX_RETURN(CERTVFYPKIX); |
+ PKIX_RETURN(CERTVFYPKIX); |
} |
/* |
- * Unused parameters: |
+ * Unused parameters: |
* |
* CERTCertList *initialChain, |
* CERTCertStores certStores, |
* CERTCertRevCheckers certRevCheckers, |
* CERTCertChainCheckers certChainCheckers, |
* SECItem *initPolicies, |
* PRBool policyQualifierRejected, |
* PRBool anyPolicyInhibited, |
@@ -393,329 +357,287 @@ cleanup: |
* Platform-specific context pointer. |
* THREAD SAFETY: |
* Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
* RETURNS: |
* Returns NULL if the function succeeds. |
* Returns a Cert Verify Error if the function fails in an unrecoverable way. |
* Returns a Fatal Error if the function fails in an unrecoverable way. |
*/ |
-static PKIX_Error* |
-cert_CreatePkixProcessingParams( |
- CERTCertificate *cert, |
- PRBool checkSig, /* not used yet. See bug 391476 */ |
- PRTime time, |
- void *wincx, |
- PRBool useArena, |
- PRBool disableOCSPRemoteFetching, |
- PKIX_ProcessingParams **pprocParams, |
- void **pplContext) |
-{ |
- PKIX_List *anchors = NULL; |
- PKIX_PL_Cert *targetCert = NULL; |
- PKIX_PL_Date *date = NULL; |
- PKIX_ProcessingParams *procParams = NULL; |
- PKIX_CertSelector *certSelector = NULL; |
- PKIX_ComCertSelParams *certSelParams = NULL; |
- PKIX_CertStore *certStore = NULL; |
- PKIX_List *certStores = NULL; |
- PKIX_RevocationChecker *revChecker = NULL; |
- PKIX_UInt32 methodFlags = 0; |
- void *plContext = NULL; |
- CERTStatusConfig *statusConfig = NULL; |
- |
- PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams"); |
- PKIX_NULLCHECK_TWO(cert, pprocParams); |
- |
- PKIX_CHECK( |
- PKIX_PL_NssContext_Create(0, useArena, wincx, &plContext), |
- PKIX_NSSCONTEXTCREATEFAILED); |
+static PKIX_Error *cert_CreatePkixProcessingParams( |
+ CERTCertificate *cert, PRBool checkSig, /* not used yet. See bug 391476 */ |
+ PRTime time, void *wincx, PRBool useArena, PRBool disableOCSPRemoteFetching, |
+ PKIX_ProcessingParams **pprocParams, void **pplContext) { |
+ PKIX_List *anchors = NULL; |
+ PKIX_PL_Cert *targetCert = NULL; |
+ PKIX_PL_Date *date = NULL; |
+ PKIX_ProcessingParams *procParams = NULL; |
+ PKIX_CertSelector *certSelector = NULL; |
+ PKIX_ComCertSelParams *certSelParams = NULL; |
+ PKIX_CertStore *certStore = NULL; |
+ PKIX_List *certStores = NULL; |
+ PKIX_RevocationChecker *revChecker = NULL; |
+ PKIX_UInt32 methodFlags = 0; |
+ void *plContext = NULL; |
+ CERTStatusConfig *statusConfig = NULL; |
- *pplContext = plContext; |
+ PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams"); |
+ PKIX_NULLCHECK_TWO(cert, pprocParams); |
-#ifdef PKIX_NOTDEF |
- /* Functions should be implemented in patch for 390532 */ |
- PKIX_CHECK( |
- pkix_pl_NssContext_SetCertSignatureCheck(checkSig, |
- (PKIX_PL_NssContext*)plContext), |
- PKIX_NSSCONTEXTSETCERTSIGNCHECKFAILED); |
+ PKIX_CHECK(PKIX_PL_NssContext_Create(0, useArena, wincx, &plContext), |
+ PKIX_NSSCONTEXTCREATEFAILED); |
+ |
+ *pplContext = plContext; |
+ |
+#ifdef PKIX_NOTDEF |
+ /* Functions should be implemented in patch for 390532 */ |
+ PKIX_CHECK(pkix_pl_NssContext_SetCertSignatureCheck( |
+ checkSig, (PKIX_PL_NssContext *)plContext), |
+ PKIX_NSSCONTEXTSETCERTSIGNCHECKFAILED); |
#endif /* PKIX_NOTDEF */ |
- PKIX_CHECK( |
- PKIX_ProcessingParams_Create(&procParams, plContext), |
- PKIX_PROCESSINGPARAMSCREATEFAILED); |
- |
- PKIX_CHECK( |
- PKIX_ComCertSelParams_Create(&certSelParams, plContext), |
- PKIX_COMCERTSELPARAMSCREATEFAILED); |
- |
- PKIX_CHECK( |
- PKIX_PL_Cert_CreateFromCERTCertificate(cert, &targetCert, plContext), |
- PKIX_CERTCREATEWITHNSSCERTFAILED); |
+ PKIX_CHECK(PKIX_ProcessingParams_Create(&procParams, plContext), |
+ PKIX_PROCESSINGPARAMSCREATEFAILED); |
- PKIX_CHECK( |
- PKIX_ComCertSelParams_SetCertificate(certSelParams, |
- targetCert, plContext), |
- PKIX_COMCERTSELPARAMSSETCERTIFICATEFAILED); |
- |
- PKIX_CHECK( |
- PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext), |
- PKIX_COULDNOTCREATECERTSELECTOROBJECT); |
- |
- PKIX_CHECK( |
- PKIX_CertSelector_SetCommonCertSelectorParams(certSelector, |
- certSelParams, plContext), |
- PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED); |
- |
- PKIX_CHECK( |
- PKIX_ProcessingParams_SetTargetCertConstraints(procParams, |
- certSelector, plContext), |
- PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED); |
+ PKIX_CHECK(PKIX_ComCertSelParams_Create(&certSelParams, plContext), |
+ PKIX_COMCERTSELPARAMSCREATEFAILED); |
- /* Turn off quialification of target cert since leaf cert is |
- * already check for date validity, key usages and extended |
- * key usages. */ |
- PKIX_CHECK( |
- PKIX_ProcessingParams_SetQualifyTargetCert(procParams, PKIX_FALSE, |
- plContext), |
- PKIX_PROCESSINGPARAMSSETQUALIFYTARGETCERTFLAGFAILED); |
+ PKIX_CHECK( |
+ PKIX_PL_Cert_CreateFromCERTCertificate(cert, &targetCert, plContext), |
+ PKIX_CERTCREATEWITHNSSCERTFAILED); |
- PKIX_CHECK( |
- PKIX_PL_Pk11CertStore_Create(&certStore, plContext), |
- PKIX_PK11CERTSTORECREATEFAILED); |
- |
- PKIX_CHECK( |
- PKIX_List_Create(&certStores, plContext), |
- PKIX_UNABLETOCREATELIST); |
- |
- PKIX_CHECK( |
- PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, |
- plContext), |
- PKIX_LISTAPPENDITEMFAILED); |
+ PKIX_CHECK(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert, |
+ plContext), |
+ PKIX_COMCERTSELPARAMSSETCERTIFICATEFAILED); |
- PKIX_CHECK( |
- PKIX_ProcessingParams_SetCertStores(procParams, certStores, |
- plContext), |
- PKIX_PROCESSINGPARAMSADDCERTSTOREFAILED); |
+ PKIX_CHECK(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext), |
+ PKIX_COULDNOTCREATECERTSELECTOROBJECT); |
- PKIX_CHECK( |
- PKIX_PL_Date_CreateFromPRTime(time, &date, plContext), |
- PKIX_DATECREATEFROMPRTIMEFAILED); |
+ PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams( |
+ certSelector, certSelParams, plContext), |
+ PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED); |
- PKIX_CHECK( |
- PKIX_ProcessingParams_SetDate(procParams, date, plContext), |
- PKIX_PROCESSINGPARAMSSETDATEFAILED); |
+ PKIX_CHECK(PKIX_ProcessingParams_SetTargetCertConstraints( |
+ procParams, certSelector, plContext), |
+ PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED); |
- PKIX_CHECK( |
- PKIX_RevocationChecker_Create( |
- PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | |
- PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, |
- PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | |
- PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, |
- &revChecker, plContext), |
- PKIX_REVOCATIONCHECKERCREATEFAILED); |
+ /* Turn off quialification of target cert since leaf cert is |
+ * already check for date validity, key usages and extended |
+ * key usages. */ |
+ PKIX_CHECK(PKIX_ProcessingParams_SetQualifyTargetCert(procParams, PKIX_FALSE, |
+ plContext), |
+ PKIX_PROCESSINGPARAMSSETQUALIFYTARGETCERTFLAGFAILED); |
- PKIX_CHECK( |
- PKIX_ProcessingParams_SetRevocationChecker(procParams, revChecker, |
- plContext), |
- PKIX_PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED); |
+ PKIX_CHECK(PKIX_PL_Pk11CertStore_Create(&certStore, plContext), |
+ PKIX_PK11CERTSTORECREATEFAILED); |
- /* CRL method flags */ |
- methodFlags = |
- PKIX_REV_M_TEST_USING_THIS_METHOD | |
- PKIX_REV_M_FORBID_NETWORK_FETCHING | |
- PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ |
- PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ |
- PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO; |
+ PKIX_CHECK(PKIX_List_Create(&certStores, plContext), PKIX_UNABLETOCREATELIST); |
- /* add CRL revocation method to check the leaf certificate */ |
- PKIX_CHECK( |
- PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, |
- PKIX_RevocationMethod_CRL, methodFlags, |
- 0, NULL, PKIX_TRUE, plContext), |
- PKIX_REVOCATIONCHECKERADDMETHODFAILED); |
+ PKIX_CHECK( |
+ PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext), |
+ PKIX_LISTAPPENDITEMFAILED); |
- /* add CRL revocation method for other certs in the chain. */ |
- PKIX_CHECK( |
- PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, |
- PKIX_RevocationMethod_CRL, methodFlags, |
- 0, NULL, PKIX_FALSE, plContext), |
- PKIX_REVOCATIONCHECKERADDMETHODFAILED); |
- |
- /* For compatibility with the old code, need to check that |
- * statusConfig is set in the db handle and status checker |
- * is defined befor allow ocsp status check on the leaf cert.*/ |
- statusConfig = CERT_GetStatusConfig(CERT_GetDefaultCertDB()); |
- if (statusConfig != NULL && statusConfig->statusChecker != NULL) { |
+ PKIX_CHECK( |
+ PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext), |
+ PKIX_PROCESSINGPARAMSADDCERTSTOREFAILED); |
- /* Enable OCSP revocation checking for the leaf cert. */ |
- /* OCSP method flags */ |
- methodFlags = |
- PKIX_REV_M_TEST_USING_THIS_METHOD | |
- PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */ |
- PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */ |
- PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ |
- PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ |
- PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO; |
- |
- /* Disabling ocsp fetching when checking the status |
- * of ocsp response signer. Here and in the next if, |
- * adjust flags for ocsp signer cert validation case. */ |
- if (disableOCSPRemoteFetching) { |
- methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING; |
- } |
- |
- if (ocsp_FetchingFailureIsVerificationFailure() |
- && !disableOCSPRemoteFetching) { |
- methodFlags |= |
- PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO; |
- } |
- |
- /* add OCSP revocation method to check only the leaf certificate.*/ |
- PKIX_CHECK( |
- PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, |
- PKIX_RevocationMethod_OCSP, methodFlags, |
- 1, NULL, PKIX_TRUE, plContext), |
- PKIX_REVOCATIONCHECKERADDMETHODFAILED); |
+ PKIX_CHECK(PKIX_PL_Date_CreateFromPRTime(time, &date, plContext), |
+ PKIX_DATECREATEFROMPRTIMEFAILED); |
+ |
+ PKIX_CHECK(PKIX_ProcessingParams_SetDate(procParams, date, plContext), |
+ PKIX_PROCESSINGPARAMSSETDATEFAILED); |
+ |
+ PKIX_CHECK(PKIX_RevocationChecker_Create( |
+ PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | |
+ PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, |
+ PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | |
+ PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, |
+ &revChecker, plContext), |
+ PKIX_REVOCATIONCHECKERCREATEFAILED); |
+ |
+ PKIX_CHECK(PKIX_ProcessingParams_SetRevocationChecker(procParams, revChecker, |
+ plContext), |
+ PKIX_PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED); |
+ |
+ /* CRL method flags */ |
+ methodFlags = PKIX_REV_M_TEST_USING_THIS_METHOD | |
+ PKIX_REV_M_FORBID_NETWORK_FETCHING | |
+ PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ |
+ PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ |
+ PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO; |
+ |
+ /* add CRL revocation method to check the leaf certificate */ |
+ PKIX_CHECK(PKIX_RevocationChecker_CreateAndAddMethod( |
+ revChecker, procParams, PKIX_RevocationMethod_CRL, methodFlags, |
+ 0, NULL, PKIX_TRUE, plContext), |
+ PKIX_REVOCATIONCHECKERADDMETHODFAILED); |
+ |
+ /* add CRL revocation method for other certs in the chain. */ |
+ PKIX_CHECK(PKIX_RevocationChecker_CreateAndAddMethod( |
+ revChecker, procParams, PKIX_RevocationMethod_CRL, methodFlags, |
+ 0, NULL, PKIX_FALSE, plContext), |
+ PKIX_REVOCATIONCHECKERADDMETHODFAILED); |
+ |
+ /* For compatibility with the old code, need to check that |
+ * statusConfig is set in the db handle and status checker |
+ * is defined befor allow ocsp status check on the leaf cert.*/ |
+ statusConfig = CERT_GetStatusConfig(CERT_GetDefaultCertDB()); |
+ if (statusConfig != NULL && statusConfig->statusChecker != NULL) { |
+ |
+ /* Enable OCSP revocation checking for the leaf cert. */ |
+ /* OCSP method flags */ |
+ methodFlags = PKIX_REV_M_TEST_USING_THIS_METHOD | |
+ PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */ |
+ PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */ |
+ PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ |
+ PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ |
+ PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO; |
+ |
+ /* Disabling ocsp fetching when checking the status |
+ * of ocsp response signer. Here and in the next if, |
+ * adjust flags for ocsp signer cert validation case. */ |
+ if (disableOCSPRemoteFetching) { |
+ methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING; |
} |
- PKIX_CHECK( |
- PKIX_ProcessingParams_SetAnyPolicyInhibited(procParams, PR_FALSE, |
- plContext), |
- PKIX_PROCESSINGPARAMSSETANYPOLICYINHIBITED); |
+ if (ocsp_FetchingFailureIsVerificationFailure() && |
+ !disableOCSPRemoteFetching) { |
+ methodFlags |= PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO; |
+ } |
- PKIX_CHECK( |
- PKIX_ProcessingParams_SetExplicitPolicyRequired(procParams, PR_FALSE, |
- plContext), |
- PKIX_PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED); |
+ /* add OCSP revocation method to check only the leaf certificate.*/ |
+ PKIX_CHECK(PKIX_RevocationChecker_CreateAndAddMethod( |
+ revChecker, procParams, PKIX_RevocationMethod_OCSP, |
+ methodFlags, 1, NULL, PKIX_TRUE, plContext), |
+ PKIX_REVOCATIONCHECKERADDMETHODFAILED); |
+ } |
- PKIX_CHECK( |
- PKIX_ProcessingParams_SetPolicyMappingInhibited(procParams, PR_FALSE, |
- plContext), |
- PKIX_PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED); |
- |
- *pprocParams = procParams; |
- procParams = NULL; |
+ PKIX_CHECK(PKIX_ProcessingParams_SetAnyPolicyInhibited(procParams, PR_FALSE, |
+ plContext), |
+ PKIX_PROCESSINGPARAMSSETANYPOLICYINHIBITED); |
+ |
+ PKIX_CHECK(PKIX_ProcessingParams_SetExplicitPolicyRequired( |
+ procParams, PR_FALSE, plContext), |
+ PKIX_PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED); |
+ |
+ PKIX_CHECK(PKIX_ProcessingParams_SetPolicyMappingInhibited( |
+ procParams, PR_FALSE, plContext), |
+ PKIX_PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED); |
+ |
+ *pprocParams = procParams; |
+ procParams = NULL; |
cleanup: |
- PKIX_DECREF(anchors); |
- PKIX_DECREF(targetCert); |
- PKIX_DECREF(date); |
- PKIX_DECREF(certSelector); |
- PKIX_DECREF(certSelParams); |
- PKIX_DECREF(certStore); |
- PKIX_DECREF(certStores); |
- PKIX_DECREF(procParams); |
- PKIX_DECREF(revChecker); |
+ PKIX_DECREF(anchors); |
+ PKIX_DECREF(targetCert); |
+ PKIX_DECREF(date); |
+ PKIX_DECREF(certSelector); |
+ PKIX_DECREF(certSelParams); |
+ PKIX_DECREF(certStore); |
+ PKIX_DECREF(certStores); |
+ PKIX_DECREF(procParams); |
+ PKIX_DECREF(revChecker); |
- PKIX_RETURN(CERTVFYPKIX); |
+ PKIX_RETURN(CERTVFYPKIX); |
} |
/* |
* FUNCTION: cert_PkixToNssCertsChain |
* DESCRIPTION: |
* |
* Converts pkix cert list into nss cert list. |
- * |
+ * |
* PARAMETERS: |
* "pkixCertChain" |
- * Pkix certificate list. |
+ * Pkix certificate list. |
* "pvalidChain" |
* An address of returned nss certificate list. |
* "plContext" |
* Platform-specific context pointer. |
* THREAD SAFETY: |
* Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
* RETURNS: |
* Returns NULL if the function succeeds. |
* Returns a Cert Verify Error if the function fails in an unrecoverable way. |
* Returns a Fatal Error if the function fails in an unrecoverable way. |
*/ |
-static PKIX_Error* |
-cert_PkixToNssCertsChain( |
- PKIX_List *pkixCertChain, |
- CERTCertList **pvalidChain, |
- void *plContext) |
-{ |
- PLArenaPool *arena = NULL; |
- CERTCertificate *nssCert = NULL; |
- CERTCertList *validChain = NULL; |
- PKIX_PL_Object *certItem = NULL; |
- PKIX_UInt32 length = 0; |
- PKIX_UInt32 i = 0; |
+static PKIX_Error *cert_PkixToNssCertsChain(PKIX_List *pkixCertChain, |
+ CERTCertList **pvalidChain, |
+ void *plContext) { |
+ PLArenaPool *arena = NULL; |
+ CERTCertificate *nssCert = NULL; |
+ CERTCertList *validChain = NULL; |
+ PKIX_PL_Object *certItem = NULL; |
+ PKIX_UInt32 length = 0; |
+ PKIX_UInt32 i = 0; |
- PKIX_ENTER(CERTVFYPKIX, "cert_PkixToNssCertsChain"); |
- PKIX_NULLCHECK_ONE(pvalidChain); |
+ PKIX_ENTER(CERTVFYPKIX, "cert_PkixToNssCertsChain"); |
+ PKIX_NULLCHECK_ONE(pvalidChain); |
- if (pkixCertChain == NULL) { |
- goto cleanup; |
- } |
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
- if (arena == NULL) { |
- PKIX_ERROR(PKIX_OUTOFMEMORY); |
- } |
- validChain = (CERTCertList*)PORT_ArenaZAlloc(arena, sizeof(CERTCertList)); |
- if (validChain == NULL) { |
- PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); |
- } |
- PR_INIT_CLIST(&validChain->list); |
- validChain->arena = arena; |
- arena = NULL; |
+ if (pkixCertChain == NULL) { |
+ goto cleanup; |
+ } |
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
+ if (arena == NULL) { |
+ PKIX_ERROR(PKIX_OUTOFMEMORY); |
+ } |
+ validChain = (CERTCertList *)PORT_ArenaZAlloc(arena, sizeof(CERTCertList)); |
+ if (validChain == NULL) { |
+ PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); |
+ } |
+ PR_INIT_CLIST(&validChain->list); |
+ validChain->arena = arena; |
+ arena = NULL; |
- PKIX_CHECK( |
- PKIX_List_GetLength(pkixCertChain, &length, plContext), |
- PKIX_LISTGETLENGTHFAILED); |
+ PKIX_CHECK(PKIX_List_GetLength(pkixCertChain, &length, plContext), |
+ PKIX_LISTGETLENGTHFAILED); |
- for (i = 0; i < length; i++){ |
- CERTCertListNode *node = NULL; |
+ for (i = 0; i < length; i++) { |
+ CERTCertListNode *node = NULL; |
- PKIX_CHECK( |
- PKIX_List_GetItem(pkixCertChain, i, &certItem, plContext), |
- PKIX_LISTGETITEMFAILED); |
- |
- PKIX_CHECK( |
- PKIX_PL_Cert_GetCERTCertificate((PKIX_PL_Cert*)certItem, &nssCert, |
- plContext), |
- PKIX_CERTGETCERTCERTIFICATEFAILED); |
- |
- node = |
- (CERTCertListNode *)PORT_ArenaZAlloc(validChain->arena, |
- sizeof(CERTCertListNode)); |
- if ( node == NULL ) { |
- PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); |
- } |
+ PKIX_CHECK(PKIX_List_GetItem(pkixCertChain, i, &certItem, plContext), |
+ PKIX_LISTGETITEMFAILED); |
- PR_INSERT_BEFORE(&node->links, &validChain->list); |
+ PKIX_CHECK(PKIX_PL_Cert_GetCERTCertificate((PKIX_PL_Cert *)certItem, |
+ &nssCert, plContext), |
+ PKIX_CERTGETCERTCERTIFICATEFAILED); |
- node->cert = nssCert; |
- nssCert = NULL; |
- |
- PKIX_DECREF(certItem); |
+ node = (CERTCertListNode *)PORT_ArenaZAlloc(validChain->arena, |
+ sizeof(CERTCertListNode)); |
+ if (node == NULL) { |
+ PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); |
} |
- *pvalidChain = validChain; |
+ PR_INSERT_BEFORE(&node->links, &validChain->list); |
+ |
+ node->cert = nssCert; |
+ nssCert = NULL; |
+ |
+ PKIX_DECREF(certItem); |
+ } |
+ |
+ *pvalidChain = validChain; |
cleanup: |
- if (PKIX_ERROR_RECEIVED){ |
- if (validChain) { |
- CERT_DestroyCertList(validChain); |
- } else if (arena) { |
- PORT_FreeArena(arena, PR_FALSE); |
- } |
- if (nssCert) { |
- CERT_DestroyCertificate(nssCert); |
- } |
+ if (PKIX_ERROR_RECEIVED) { |
+ if (validChain) { |
+ CERT_DestroyCertList(validChain); |
+ } else if (arena) { |
+ PORT_FreeArena(arena, PR_FALSE); |
} |
- PKIX_DECREF(certItem); |
+ if (nssCert) { |
+ CERT_DestroyCertificate(nssCert); |
+ } |
+ } |
+ PKIX_DECREF(certItem); |
- PKIX_RETURN(CERTVFYPKIX); |
+ PKIX_RETURN(CERTVFYPKIX); |
} |
- |
/* |
* FUNCTION: cert_BuildAndValidateChain |
* DESCRIPTION: |
* |
* The function builds and validates a cert chain based on certificate |
* selection criterias from procParams. This function call PKIX_BuildChain |
* to accomplish chain building. If PKIX_BuildChain returns with incomplete |
* IO, the function waits with PR_Poll until the blocking IO is finished and |
@@ -733,61 +655,56 @@ cleanup: |
* Platform-specific context pointer. |
* THREAD SAFETY: |
* Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
* RETURNS: |
* Returns NULL if the function succeeds. |
* Returns a Cert Verify Error if the function fails in an unrecoverable way. |
* Returns a Fatal Error if the function fails in an unrecoverable way. |
*/ |
-static PKIX_Error* |
-cert_BuildAndValidateChain( |
- PKIX_ProcessingParams *procParams, |
- PKIX_BuildResult **pResult, |
- PKIX_VerifyNode **pVerifyNode, |
- void *plContext) |
-{ |
- PKIX_BuildResult *result = NULL; |
- PKIX_VerifyNode *verifyNode = NULL; |
- void *nbioContext = NULL; |
- void *state = NULL; |
- |
- PKIX_ENTER(CERTVFYPKIX, "cert_BuildAndVerifyChain"); |
- PKIX_NULLCHECK_TWO(procParams, pResult); |
- |
- do { |
- if (nbioContext && state) { |
- /* PKIX-XXX: need to test functionality of NBIO handling in libPkix. |
- * See bug 391180 */ |
- PRInt32 filesReady = 0; |
- PRPollDesc *pollDesc = (PRPollDesc*)nbioContext; |
- filesReady = PR_Poll(pollDesc, 1, PR_INTERVAL_NO_TIMEOUT); |
- if (filesReady <= 0) { |
- PKIX_ERROR(PKIX_PRPOLLRETBADFILENUM); |
- } |
- } |
+static PKIX_Error *cert_BuildAndValidateChain(PKIX_ProcessingParams *procParams, |
+ PKIX_BuildResult **pResult, |
+ PKIX_VerifyNode **pVerifyNode, |
+ void *plContext) { |
+ PKIX_BuildResult *result = NULL; |
+ PKIX_VerifyNode *verifyNode = NULL; |
+ void *nbioContext = NULL; |
+ void *state = NULL; |
- PKIX_CHECK( |
- PKIX_BuildChain(procParams, &nbioContext, &state, |
- &result, &verifyNode, plContext), |
- PKIX_UNABLETOBUILDCHAIN); |
- |
- } while (nbioContext && state); |
+ PKIX_ENTER(CERTVFYPKIX, "cert_BuildAndVerifyChain"); |
+ PKIX_NULLCHECK_TWO(procParams, pResult); |
- *pResult = result; |
+ do { |
+ if (nbioContext && state) { |
+ /* PKIX-XXX: need to test functionality of NBIO handling in libPkix. |
+ * See bug 391180 */ |
+ PRInt32 filesReady = 0; |
+ PRPollDesc *pollDesc = (PRPollDesc *)nbioContext; |
+ filesReady = PR_Poll(pollDesc, 1, PR_INTERVAL_NO_TIMEOUT); |
+ if (filesReady <= 0) { |
+ PKIX_ERROR(PKIX_PRPOLLRETBADFILENUM); |
+ } |
+ } |
+ |
+ PKIX_CHECK(PKIX_BuildChain(procParams, &nbioContext, &state, &result, |
+ &verifyNode, plContext), |
+ PKIX_UNABLETOBUILDCHAIN); |
+ |
+ } while (nbioContext && state); |
+ |
+ *pResult = result; |
cleanup: |
- if (pVerifyNode) { |
- *pVerifyNode = verifyNode; |
- } |
+ if (pVerifyNode) { |
+ *pVerifyNode = verifyNode; |
+ } |
- PKIX_RETURN(CERTVFYPKIX); |
+ PKIX_RETURN(CERTVFYPKIX); |
} |
- |
/* |
* FUNCTION: cert_PkixErrorToNssCode |
* DESCRIPTION: |
* |
* Converts pkix error(PKIX_Error) structure to PR error codes. |
* |
* PKIX-XXX to be implemented. See 391183. |
* |
@@ -800,137 +717,127 @@ cleanup: |
* Platform-specific context pointer. |
* THREAD SAFETY: |
* Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
* RETURNS: |
* Returns NULL if the function succeeds. |
* Returns a Cert Verify Error if the function fails in an unrecoverable way. |
* Returns a Fatal Error if the function fails in an unrecoverable way. |
*/ |
-static PKIX_Error * |
-cert_PkixErrorToNssCode( |
- PKIX_Error *error, |
- SECErrorCodes *pNssErr, |
- void *plContext) |
-{ |
- int errLevel = 0; |
- PKIX_Int32 nssErr = 0; |
- PKIX_Error *errPtr = error; |
+static PKIX_Error *cert_PkixErrorToNssCode(PKIX_Error *error, |
+ SECErrorCodes *pNssErr, |
+ void *plContext) { |
+ int errLevel = 0; |
+ PKIX_Int32 nssErr = 0; |
+ PKIX_Error *errPtr = error; |
- PKIX_ENTER(CERTVFYPKIX, "cert_PkixErrorToNssCode"); |
- PKIX_NULLCHECK_TWO(error, pNssErr); |
- |
- /* Loop until we find at least one error with non-null |
- * plErr code, that is going to be nss error code. */ |
- while (errPtr) { |
- if (errPtr->plErr && !nssErr) { |
- nssErr = errPtr->plErr; |
- if (!pkixLog) break; |
- } |
- if (pkixLog) { |
-#ifdef PKIX_ERROR_DESCRIPTION |
- PR_LOG(pkixLog, 2, ("Error at level %d: %s\n", errLevel, |
- PKIX_ErrorText[errPtr->errCode])); |
+ PKIX_ENTER(CERTVFYPKIX, "cert_PkixErrorToNssCode"); |
+ PKIX_NULLCHECK_TWO(error, pNssErr); |
+ |
+ /* Loop until we find at least one error with non-null |
+ * plErr code, that is going to be nss error code. */ |
+ while (errPtr) { |
+ if (errPtr->plErr && !nssErr) { |
+ nssErr = errPtr->plErr; |
+ if (!pkixLog) break; |
+ } |
+ if (pkixLog) { |
+#ifdef PKIX_ERROR_DESCRIPTION |
+ PR_LOG(pkixLog, 2, ("Error at level %d: %s\n", errLevel, |
+ PKIX_ErrorText[errPtr->errCode])); |
#else |
- PR_LOG(pkixLog, 2, ("Error at level %d: Error code %d\n", errLevel, |
- errPtr->errCode)); |
+ PR_LOG(pkixLog, 2, |
+ ("Error at level %d: Error code %d\n", errLevel, errPtr->errCode)); |
#endif /* PKIX_ERROR_DESCRIPTION */ |
- } |
- errPtr = errPtr->cause; |
- errLevel += 1; |
} |
- PORT_Assert(nssErr); |
- if (!nssErr) { |
- *pNssErr = SEC_ERROR_LIBPKIX_INTERNAL; |
- } else { |
- *pNssErr = nssErr; |
- } |
+ errPtr = errPtr->cause; |
+ errLevel += 1; |
+ } |
+ PORT_Assert(nssErr); |
+ if (!nssErr) { |
+ *pNssErr = SEC_ERROR_LIBPKIX_INTERNAL; |
+ } else { |
+ *pNssErr = nssErr; |
+ } |
- PKIX_RETURN(CERTVFYPKIX); |
+ PKIX_RETURN(CERTVFYPKIX); |
} |
/* |
* FUNCTION: cert_GetLogFromVerifyNode |
* DESCRIPTION: |
* |
* Recursive function that converts verify node tree-like set of structures |
* to CERTVerifyLog. |
* |
* PARAMETERS: |
* "log" |
- * Pointed to already allocated CERTVerifyLog structure. |
+ * Pointed to already allocated CERTVerifyLog structure. |
* "node" |
* A node of PKIX_VerifyNode tree. |
* "plContext" |
* Platform-specific context pointer. |
* THREAD SAFETY: |
* Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
* RETURNS: |
* Returns NULL if the function succeeds. |
* Returns a Cert Verify Error if the function fails in an unrecoverable way. |
* Returns a Fatal Error if the function fails in an unrecoverable way. |
*/ |
-static PKIX_Error * |
-cert_GetLogFromVerifyNode( |
- CERTVerifyLog *log, |
- PKIX_VerifyNode *node, |
- void *plContext) |
-{ |
- PKIX_List *children = NULL; |
- PKIX_VerifyNode *childNode = NULL; |
+static PKIX_Error *cert_GetLogFromVerifyNode(CERTVerifyLog *log, |
+ PKIX_VerifyNode *node, |
+ void *plContext) { |
+ PKIX_List *children = NULL; |
+ PKIX_VerifyNode *childNode = NULL; |
- PKIX_ENTER(CERTVFYPKIX, "cert_GetLogFromVerifyNode"); |
+ PKIX_ENTER(CERTVFYPKIX, "cert_GetLogFromVerifyNode"); |
- children = node->children; |
+ children = node->children; |
- if (children == NULL) { |
- PKIX_ERRORCODE errCode = PKIX_ANCHORDIDNOTCHAINTOCERT; |
- if (node->error && node->error->errCode != errCode) { |
- if (log != NULL) { |
- SECErrorCodes nssErrorCode = 0; |
- CERTCertificate *cert = NULL; |
+ if (children == NULL) { |
+ PKIX_ERRORCODE errCode = PKIX_ANCHORDIDNOTCHAINTOCERT; |
+ if (node->error && node->error->errCode != errCode) { |
+ if (log != NULL) { |
+ SECErrorCodes nssErrorCode = 0; |
+ CERTCertificate *cert = NULL; |
- cert = node->verifyCert->nssCert; |
- |
- PKIX_CHECK( |
- cert_PkixErrorToNssCode(node->error, &nssErrorCode, |
- plContext), |
- PKIX_GETPKIXERRORCODEFAILED); |
- |
- cert_AddToVerifyLog(log, cert, nssErrorCode, node->depth, NULL); |
- } |
- } |
- PKIX_RETURN(CERTVFYPKIX); |
- } else { |
- PRUint32 i = 0; |
- PKIX_UInt32 length = 0; |
+ cert = node->verifyCert->nssCert; |
PKIX_CHECK( |
- PKIX_List_GetLength(children, &length, plContext), |
- PKIX_LISTGETLENGTHFAILED); |
- |
- for (i = 0; i < length; i++){ |
+ cert_PkixErrorToNssCode(node->error, &nssErrorCode, plContext), |
+ PKIX_GETPKIXERRORCODEFAILED); |
- PKIX_CHECK( |
- PKIX_List_GetItem(children, i, (PKIX_PL_Object**)&childNode, |
- plContext), |
- PKIX_LISTGETITEMFAILED); |
- |
- PKIX_CHECK( |
- cert_GetLogFromVerifyNode(log, childNode, plContext), |
- PKIX_ERRORINRECURSIVEEQUALSCALL); |
+ cert_AddToVerifyLog(log, cert, nssErrorCode, node->depth, NULL); |
+ } |
+ } |
+ PKIX_RETURN(CERTVFYPKIX); |
+ } else { |
+ PRUint32 i = 0; |
+ PKIX_UInt32 length = 0; |
- PKIX_DECREF(childNode); |
- } |
+ PKIX_CHECK(PKIX_List_GetLength(children, &length, plContext), |
+ PKIX_LISTGETLENGTHFAILED); |
+ |
+ for (i = 0; i < length; i++) { |
+ |
+ PKIX_CHECK(PKIX_List_GetItem(children, i, (PKIX_PL_Object **)&childNode, |
+ plContext), |
+ PKIX_LISTGETITEMFAILED); |
+ |
+ PKIX_CHECK(cert_GetLogFromVerifyNode(log, childNode, plContext), |
+ PKIX_ERRORINRECURSIVEEQUALSCALL); |
+ |
+ PKIX_DECREF(childNode); |
} |
+ } |
cleanup: |
- PKIX_DECREF(childNode); |
+ PKIX_DECREF(childNode); |
- PKIX_RETURN(CERTVFYPKIX); |
+ PKIX_RETURN(CERTVFYPKIX); |
} |
/* |
* FUNCTION: cert_GetBuildResults |
* DESCRIPTION: |
* |
* Converts pkix build results to nss results. This function is called |
* regardless of build result. |
@@ -938,17 +845,17 @@ cleanup: |
* If it called after chain was successfully constructed, then it will |
* convert: |
* * pkix cert list that represent the chain to nss cert list |
* * trusted root the chain was anchored to nss certificate. |
* |
* In case of failure it will convert: |
* * pkix error to PR error code(will set it with PORT_SetError) |
* * pkix validation log to nss CERTVerifyLog |
- * |
+ * |
* PARAMETERS: |
* "buildResult" |
* Build results returned by PKIX_BuildChain. |
* "verifyNode" |
* Tree-like structure of chain building/validation failures |
* returned by PKIX_BuildChain. Ignored in case of success. |
* "error" |
* Final error returned by PKIX_BuildChain. Should be NULL in |
@@ -963,112 +870,102 @@ cleanup: |
* Platform-specific context pointer. |
* THREAD SAFETY: |
* Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
* RETURNS: |
* Returns NULL if the function succeeds. |
* Returns a Cert Verify Error if the function fails in an unrecoverable way. |
* Returns a Fatal Error if the function fails in an unrecoverable way. |
*/ |
-static PKIX_Error* |
-cert_GetBuildResults( |
- PKIX_BuildResult *buildResult, |
- PKIX_VerifyNode *verifyNode, |
- PKIX_Error *error, |
- CERTVerifyLog *log, |
- CERTCertificate **ptrustedRoot, |
- CERTCertList **pvalidChain, |
- void *plContext) |
-{ |
- PKIX_ValidateResult *validResult = NULL; |
- CERTCertList *validChain = NULL; |
- CERTCertificate *trustedRoot = NULL; |
- PKIX_TrustAnchor *trustAnchor = NULL; |
- PKIX_PL_Cert *trustedCert = NULL; |
- PKIX_List *pkixCertChain = NULL; |
- |
- PKIX_ENTER(CERTVFYPKIX, "cert_GetBuildResults"); |
- if (buildResult == NULL && error == NULL) { |
- PKIX_ERROR(PKIX_NULLARGUMENT); |
+static PKIX_Error *cert_GetBuildResults(PKIX_BuildResult *buildResult, |
+ PKIX_VerifyNode *verifyNode, |
+ PKIX_Error *error, CERTVerifyLog *log, |
+ CERTCertificate **ptrustedRoot, |
+ CERTCertList **pvalidChain, |
+ void *plContext) { |
+ PKIX_ValidateResult *validResult = NULL; |
+ CERTCertList *validChain = NULL; |
+ CERTCertificate *trustedRoot = NULL; |
+ PKIX_TrustAnchor *trustAnchor = NULL; |
+ PKIX_PL_Cert *trustedCert = NULL; |
+ PKIX_List *pkixCertChain = NULL; |
+ |
+ PKIX_ENTER(CERTVFYPKIX, "cert_GetBuildResults"); |
+ if (buildResult == NULL && error == NULL) { |
+ PKIX_ERROR(PKIX_NULLARGUMENT); |
+ } |
+ |
+ if (error) { |
+ SECErrorCodes nssErrorCode = 0; |
+ if (verifyNode) { |
+ PKIX_Error *tmpError = |
+ cert_GetLogFromVerifyNode(log, verifyNode, plContext); |
+ if (tmpError) { |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext); |
+ } |
} |
+ cert_PkixErrorToNssCode(error, &nssErrorCode, plContext); |
+ PORT_SetError(nssErrorCode); |
+ goto cleanup; |
+ } |
- if (error) { |
- SECErrorCodes nssErrorCode = 0; |
- if (verifyNode) { |
- PKIX_Error *tmpError = |
- cert_GetLogFromVerifyNode(log, verifyNode, plContext); |
- if (tmpError) { |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext); |
- } |
- } |
- cert_PkixErrorToNssCode(error, &nssErrorCode, plContext); |
- PORT_SetError(nssErrorCode); |
- goto cleanup; |
- } |
+ if (pvalidChain) { |
+ PKIX_CHECK( |
+ PKIX_BuildResult_GetCertChain(buildResult, &pkixCertChain, plContext), |
+ PKIX_BUILDRESULTGETCERTCHAINFAILED); |
- if (pvalidChain) { |
- PKIX_CHECK( |
- PKIX_BuildResult_GetCertChain(buildResult, &pkixCertChain, |
- plContext), |
- PKIX_BUILDRESULTGETCERTCHAINFAILED); |
+ PKIX_CHECK(cert_PkixToNssCertsChain(pkixCertChain, &validChain, plContext), |
+ PKIX_CERTCHAINTONSSCHAINFAILED); |
+ } |
- PKIX_CHECK( |
- cert_PkixToNssCertsChain(pkixCertChain, &validChain, plContext), |
- PKIX_CERTCHAINTONSSCHAINFAILED); |
- } |
+ if (ptrustedRoot) { |
+ PKIX_CHECK(PKIX_BuildResult_GetValidateResult(buildResult, &validResult, |
+ plContext), |
+ PKIX_BUILDRESULTGETVALIDATERESULTFAILED); |
- if (ptrustedRoot) { |
- PKIX_CHECK( |
- PKIX_BuildResult_GetValidateResult(buildResult, &validResult, |
- plContext), |
- PKIX_BUILDRESULTGETVALIDATERESULTFAILED); |
+ PKIX_CHECK(PKIX_ValidateResult_GetTrustAnchor(validResult, &trustAnchor, |
+ plContext), |
+ PKIX_VALIDATERESULTGETTRUSTANCHORFAILED); |
- PKIX_CHECK( |
- PKIX_ValidateResult_GetTrustAnchor(validResult, &trustAnchor, |
- plContext), |
- PKIX_VALIDATERESULTGETTRUSTANCHORFAILED); |
+ PKIX_CHECK( |
+ PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustedCert, plContext), |
+ PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); |
- PKIX_CHECK( |
- PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustedCert, |
- plContext), |
- PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); |
+ PKIX_CHECK( |
+ PKIX_PL_Cert_GetCERTCertificate(trustedCert, &trustedRoot, plContext), |
+ PKIX_CERTGETCERTCERTIFICATEFAILED); |
+ } |
- PKIX_CHECK( |
- PKIX_PL_Cert_GetCERTCertificate(trustedCert, &trustedRoot, |
- plContext), |
- PKIX_CERTGETCERTCERTIFICATEFAILED); |
- } |
- |
- PORT_Assert(!PKIX_ERROR_RECEIVED); |
+ PORT_Assert(!PKIX_ERROR_RECEIVED); |
+ if (trustedRoot) { |
+ *ptrustedRoot = trustedRoot; |
+ } |
+ if (validChain) { |
+ *pvalidChain = validChain; |
+ } |
+ |
+cleanup: |
+ if (PKIX_ERROR_RECEIVED) { |
if (trustedRoot) { |
- *ptrustedRoot = trustedRoot; |
+ CERT_DestroyCertificate(trustedRoot); |
} |
if (validChain) { |
- *pvalidChain = validChain; |
+ CERT_DestroyCertList(validChain); |
} |
+ } |
+ PKIX_DECREF(trustAnchor); |
+ PKIX_DECREF(trustedCert); |
+ PKIX_DECREF(pkixCertChain); |
+ PKIX_DECREF(validResult); |
+ PKIX_DECREF(error); |
+ PKIX_DECREF(verifyNode); |
+ PKIX_DECREF(buildResult); |
-cleanup: |
- if (PKIX_ERROR_RECEIVED) { |
- if (trustedRoot) { |
- CERT_DestroyCertificate(trustedRoot); |
- } |
- if (validChain) { |
- CERT_DestroyCertList(validChain); |
- } |
- } |
- PKIX_DECREF(trustAnchor); |
- PKIX_DECREF(trustedCert); |
- PKIX_DECREF(pkixCertChain); |
- PKIX_DECREF(validResult); |
- PKIX_DECREF(error); |
- PKIX_DECREF(verifyNode); |
- PKIX_DECREF(buildResult); |
- |
- PKIX_RETURN(CERTVFYPKIX); |
+ PKIX_RETURN(CERTVFYPKIX); |
} |
/* |
* FUNCTION: cert_VerifyCertChainPkix |
* DESCRIPTION: |
* |
* The main wrapper function that is called from CERT_VerifyCert and |
* CERT_VerifyCACertForUsage functions to validate cert with libpkix. |
@@ -1095,877 +992,750 @@ cleanup: |
* Address of PRBool. If not NULL, returns true is cert chain |
* was invalidated because a revoked certificate was found in |
* the chain. |
* THREAD SAFETY: |
* Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
* RETURNS: |
* SECFailure is chain building process has failed. SECSuccess otherwise. |
*/ |
-SECStatus |
-cert_VerifyCertChainPkix( |
- CERTCertificate *cert, |
- PRBool checkSig, |
- SECCertUsage requiredUsage, |
- PRTime time, |
- void *wincx, |
- CERTVerifyLog *log, |
- PRBool *pSigerror, |
- PRBool *pRevoked) |
-{ |
- PKIX_ProcessingParams *procParams = NULL; |
- PKIX_BuildResult *result = NULL; |
- PKIX_VerifyNode *verifyNode = NULL; |
- PKIX_Error *error = NULL; |
+SECStatus cert_VerifyCertChainPkix(CERTCertificate *cert, PRBool checkSig, |
+ SECCertUsage requiredUsage, PRTime time, |
+ void *wincx, CERTVerifyLog *log, |
+ PRBool *pSigerror, PRBool *pRevoked) { |
+ PKIX_ProcessingParams *procParams = NULL; |
+ PKIX_BuildResult *result = NULL; |
+ PKIX_VerifyNode *verifyNode = NULL; |
+ PKIX_Error *error = NULL; |
- SECStatus rv = SECFailure; |
- void *plContext = NULL; |
+ SECStatus rv = SECFailure; |
+ void *plContext = NULL; |
#ifdef PKIX_OBJECT_LEAK_TEST |
- int leakedObjNum = 0; |
- int memLeakLoopCount = 0; |
- int objCountTable[PKIX_NUMTYPES]; |
- int fnInvLocalCount = 0; |
- PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine; |
+ int leakedObjNum = 0; |
+ int memLeakLoopCount = 0; |
+ int objCountTable[PKIX_NUMTYPES]; |
+ int fnInvLocalCount = 0; |
+ PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine; |
- if (usePKIXValidationEngine) { |
- /* current memory leak testing implementation does not allow |
- * to run simultaneous tests one the same or a different threads. |
- * Setting the variable to false, to make additional chain |
- * validations be handled by old nss. */ |
- usePKIXValidationEngine = PR_FALSE; |
- } |
- testStartFnStackPosition = 2; |
- fnStackNameArr[0] = "cert_VerifyCertChainPkix"; |
- fnStackInvCountArr[0] = 0; |
- PKIX_Boolean abortOnLeak = |
- (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? |
- PKIX_FALSE : PKIX_TRUE; |
- runningLeakTest = PKIX_TRUE; |
+ if (usePKIXValidationEngine) { |
+ /* current memory leak testing implementation does not allow |
+ * to run simultaneous tests one the same or a different threads. |
+ * Setting the variable to false, to make additional chain |
+ * validations be handled by old nss. */ |
+ usePKIXValidationEngine = PR_FALSE; |
+ } |
+ testStartFnStackPosition = 2; |
+ fnStackNameArr[0] = "cert_VerifyCertChainPkix"; |
+ fnStackInvCountArr[0] = 0; |
+ PKIX_Boolean abortOnLeak = |
+ (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? PKIX_FALSE |
+ : PKIX_TRUE; |
+ runningLeakTest = PKIX_TRUE; |
- /* Prevent multi-threaded run of object leak test */ |
- fnInvLocalCount = PR_ATOMIC_INCREMENT(¶llelFnInvocationCount); |
- PORT_Assert(fnInvLocalCount == 1); |
+ /* Prevent multi-threaded run of object leak test */ |
+ fnInvLocalCount = PR_ATOMIC_INCREMENT(¶llelFnInvocationCount); |
+ PORT_Assert(fnInvLocalCount == 1); |
-do { |
+ do { |
rv = SECFailure; |
plContext = NULL; |
procParams = NULL; |
result = NULL; |
verifyNode = NULL; |
error = NULL; |
errorGenerated = PKIX_FALSE; |
stackPosition = 0; |
if (leakedObjNum) { |
- pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); |
+ pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); |
} |
memLeakLoopCount += 1; |
#endif /* PKIX_OBJECT_LEAK_TEST */ |
- error = |
- cert_CreatePkixProcessingParams(cert, checkSig, time, wincx, |
- PR_FALSE/*use arena*/, |
- requiredUsage == certUsageStatusResponder, |
- &procParams, &plContext); |
+ error = cert_CreatePkixProcessingParams( |
+ cert, checkSig, time, wincx, PR_FALSE /*use arena*/, |
+ requiredUsage == certUsageStatusResponder, &procParams, &plContext); |
if (error) { |
- goto cleanup; |
+ goto cleanup; |
+ } |
+ |
+ error = cert_ProcessingParamsSetKeyAndCertUsage(procParams, requiredUsage, |
+ 0, plContext); |
+ if (error) { |
+ goto cleanup; |
} |
error = |
- cert_ProcessingParamsSetKeyAndCertUsage(procParams, requiredUsage, 0, |
- plContext); |
+ cert_BuildAndValidateChain(procParams, &result, &verifyNode, plContext); |
if (error) { |
- goto cleanup; |
+ goto cleanup; |
} |
- error = |
- cert_BuildAndValidateChain(procParams, &result, &verifyNode, plContext); |
- if (error) { |
- goto cleanup; |
- } |
- |
if (pRevoked) { |
- /* Currently always PR_FALSE. Will be fixed as a part of 394077 */ |
- *pRevoked = PR_FALSE; |
+ /* Currently always PR_FALSE. Will be fixed as a part of 394077 */ |
+ *pRevoked = PR_FALSE; |
} |
if (pSigerror) { |
- /* Currently always PR_FALSE. Will be fixed as a part of 394077 */ |
- *pSigerror = PR_FALSE; |
+ /* Currently always PR_FALSE. Will be fixed as a part of 394077 */ |
+ *pSigerror = PR_FALSE; |
} |
rv = SECSuccess; |
-cleanup: |
+ cleanup: |
error = cert_GetBuildResults(result, verifyNode, error, log, NULL, NULL, |
plContext); |
if (error) { |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); |
} |
if (procParams) { |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext); |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext); |
} |
if (plContext) { |
- PKIX_PL_NssContext_Destroy(plContext); |
+ PKIX_PL_NssContext_Destroy(plContext); |
} |
#ifdef PKIX_OBJECT_LEAK_TEST |
leakedObjNum = |
pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL); |
- |
+ |
if (pkixLog && leakedObjNum) { |
- PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d." |
- "Stack %s\n", memLeakLoopCount, errorFnStackString)); |
+ PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d." |
+ "Stack %s\n", |
+ memLeakLoopCount, errorFnStackString)); |
} |
PR_Free(errorFnStackString); |
errorFnStackString = NULL; |
if (abortOnLeak) { |
- PORT_Assert(leakedObjNum == 0); |
+ PORT_Assert(leakedObjNum == 0); |
} |
-} while (errorGenerated); |
+ } while (errorGenerated); |
- runningLeakTest = PKIX_FALSE; |
- PR_ATOMIC_DECREMENT(¶llelFnInvocationCount); |
- usePKIXValidationEngine = savedUsePkixEngFlag; |
+ runningLeakTest = PKIX_FALSE; |
+ PR_ATOMIC_DECREMENT(¶llelFnInvocationCount); |
+ usePKIXValidationEngine = savedUsePkixEngFlag; |
#endif /* PKIX_OBJECT_LEAK_TEST */ |
- return rv; |
+ return rv; |
} |
-PKIX_CertSelector * |
-cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext) |
-{ |
- PKIX_ComCertSelParams *certSelParams = NULL; |
- PKIX_CertSelector *certSelector = NULL; |
- PKIX_CertSelector *r= NULL; |
- PKIX_PL_Cert *eeCert = NULL; |
- PKIX_Error *error = NULL; |
+PKIX_CertSelector *cert_GetTargetCertConstraints(CERTCertificate *target, |
+ void *plContext) { |
+ PKIX_ComCertSelParams *certSelParams = NULL; |
+ PKIX_CertSelector *certSelector = NULL; |
+ PKIX_CertSelector *r = NULL; |
+ PKIX_PL_Cert *eeCert = NULL; |
+ PKIX_Error *error = NULL; |
- error = PKIX_PL_Cert_CreateFromCERTCertificate(target, &eeCert, plContext); |
- if (error != NULL) goto cleanup; |
+ error = PKIX_PL_Cert_CreateFromCERTCertificate(target, &eeCert, plContext); |
+ if (error != NULL) goto cleanup; |
- error = PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext); |
- if (error != NULL) goto cleanup; |
+ error = PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext); |
+ if (error != NULL) goto cleanup; |
- error = PKIX_ComCertSelParams_Create(&certSelParams, plContext); |
- if (error != NULL) goto cleanup; |
+ error = PKIX_ComCertSelParams_Create(&certSelParams, plContext); |
+ if (error != NULL) goto cleanup; |
- error = PKIX_ComCertSelParams_SetCertificate( |
- certSelParams, eeCert, plContext); |
- if (error != NULL) goto cleanup; |
+ error = |
+ PKIX_ComCertSelParams_SetCertificate(certSelParams, eeCert, plContext); |
+ if (error != NULL) goto cleanup; |
- error = PKIX_CertSelector_SetCommonCertSelectorParams |
- (certSelector, certSelParams, plContext); |
- if (error != NULL) goto cleanup; |
+ error = PKIX_CertSelector_SetCommonCertSelectorParams( |
+ certSelector, certSelParams, plContext); |
+ if (error != NULL) goto cleanup; |
- error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certSelector, plContext); |
- if (error == NULL) r = certSelector; |
+ error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certSelector, plContext); |
+ if (error == NULL) r = certSelector; |
cleanup: |
- if (certSelParams != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelParams, plContext); |
+ if (certSelParams != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelParams, plContext); |
- if (eeCert != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)eeCert, plContext); |
+ if (eeCert != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)eeCert, plContext); |
- if (certSelector != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext); |
+ if (certSelector != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext); |
- if (error != NULL) { |
- SECErrorCodes nssErr; |
+ if (error != NULL) { |
+ SECErrorCodes nssErr; |
- cert_PkixErrorToNssCode(error, &nssErr, plContext); |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); |
- PORT_SetError(nssErr); |
- } |
+ cert_PkixErrorToNssCode(error, &nssErr, plContext); |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); |
+ PORT_SetError(nssErr); |
+ } |
- return r; |
+ return r; |
} |
-static PKIX_List * |
-cert_GetCertStores(void *plContext) |
-{ |
- PKIX_CertStore *certStore = NULL; |
- PKIX_List *certStores = NULL; |
- PKIX_List *r = NULL; |
- PKIX_Error *error = NULL; |
+static PKIX_List *cert_GetCertStores(void *plContext) { |
+ PKIX_CertStore *certStore = NULL; |
+ PKIX_List *certStores = NULL; |
+ PKIX_List *r = NULL; |
+ PKIX_Error *error = NULL; |
- error = PKIX_PL_Pk11CertStore_Create(&certStore, plContext); |
- if (error != NULL) goto cleanup; |
+ error = PKIX_PL_Pk11CertStore_Create(&certStore, plContext); |
+ if (error != NULL) goto cleanup; |
- error = PKIX_List_Create(&certStores, plContext); |
- if (error != NULL) goto cleanup; |
+ error = PKIX_List_Create(&certStores, plContext); |
+ if (error != NULL) goto cleanup; |
- error = PKIX_List_AppendItem( certStores, |
- (PKIX_PL_Object *)certStore, plContext); |
- if (error != NULL) goto cleanup; |
+ error = |
+ PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext); |
+ if (error != NULL) goto cleanup; |
- error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certStores, plContext); |
- if (error == NULL) r = certStores; |
+ error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certStores, plContext); |
+ if (error == NULL) r = certStores; |
cleanup: |
- if (certStores != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext); |
+ if (certStores != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext); |
- if (certStore != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStore, plContext); |
+ if (certStore != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStore, plContext); |
- if (error != NULL) { |
- SECErrorCodes nssErr; |
+ if (error != NULL) { |
+ SECErrorCodes nssErr; |
- cert_PkixErrorToNssCode(error, &nssErr, plContext); |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); |
- PORT_SetError(nssErr); |
- } |
+ cert_PkixErrorToNssCode(error, &nssErr, plContext); |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); |
+ PORT_SetError(nssErr); |
+ } |
- return r; |
+ return r; |
} |
- |
struct fake_PKIX_PL_CertStruct { |
- CERTCertificate *nssCert; |
+ CERTCertificate *nssCert; |
}; |
/* This needs to be part of the PKIX_PL_* */ |
/* This definitely needs to go away, and be replaced with |
a real accessor function in PKIX */ |
-static CERTCertificate * |
-cert_NSSCertFromPKIXCert(const PKIX_PL_Cert *pkix_cert) |
-{ |
- struct fake_PKIX_PL_CertStruct *fcert = NULL; |
+static CERTCertificate *cert_NSSCertFromPKIXCert( |
+ const PKIX_PL_Cert *pkix_cert) { |
+ struct fake_PKIX_PL_CertStruct *fcert = NULL; |
- fcert = (struct fake_PKIX_PL_CertStruct*)pkix_cert; |
+ fcert = (struct fake_PKIX_PL_CertStruct *)pkix_cert; |
- return CERT_DupCertificate(fcert->nssCert); |
+ return CERT_DupCertificate(fcert->nssCert); |
} |
-PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plContext) |
-{ |
- PKIX_List *r = NULL; |
- PKIX_List *policyList = NULL; |
- PKIX_PL_OID *policyOID = NULL; |
- PKIX_Error *error = NULL; |
- int i; |
+PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, |
+ void *plContext) { |
+ PKIX_List *r = NULL; |
+ PKIX_List *policyList = NULL; |
+ PKIX_PL_OID *policyOID = NULL; |
+ PKIX_Error *error = NULL; |
+ int i; |
- error = PKIX_List_Create(&policyList, plContext); |
+ error = PKIX_List_Create(&policyList, plContext); |
+ if (error != NULL) { |
+ goto cleanup; |
+ } |
+ |
+ for (i = 0; i < oidCount; i++) { |
+ error = PKIX_PL_OID_Create(oids[i], &policyOID, plContext); |
+ if (error) { |
+ goto cleanup; |
+ } |
+ error = PKIX_List_AppendItem(policyList, (PKIX_PL_Object *)policyOID, |
+ plContext); |
if (error != NULL) { |
- goto cleanup; |
+ goto cleanup; |
} |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext); |
+ policyOID = NULL; |
+ } |
- for (i=0; i<oidCount; i++) { |
- error = PKIX_PL_OID_Create(oids[i], &policyOID, plContext); |
- if (error) { |
- goto cleanup; |
- } |
- error = PKIX_List_AppendItem(policyList, |
- (PKIX_PL_Object *)policyOID, plContext); |
- if (error != NULL) { |
- goto cleanup; |
- } |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext); |
- policyOID = NULL; |
- } |
+ error = PKIX_List_SetImmutable(policyList, plContext); |
+ if (error != NULL) goto cleanup; |
- error = PKIX_List_SetImmutable(policyList, plContext); |
- if (error != NULL) goto cleanup; |
- |
- error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)policyList, plContext); |
- if (error == NULL) r = policyList; |
+ error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)policyList, plContext); |
+ if (error == NULL) r = policyList; |
cleanup: |
- if (policyOID != NULL) { |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext); |
- } |
- if (policyList != NULL) { |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyList, plContext); |
- } |
- if (error != NULL) { |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); |
- } |
+ if (policyOID != NULL) { |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext); |
+ } |
+ if (policyList != NULL) { |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyList, plContext); |
+ } |
+ if (error != NULL) { |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); |
+ } |
- return r; |
+ return r; |
} |
-CERTValOutParam * |
-cert_pkix_FindOutputParam(CERTValOutParam *params, const CERTValParamOutType t) |
-{ |
- CERTValOutParam *i; |
- if (params == NULL) { |
- return NULL; |
+CERTValOutParam *cert_pkix_FindOutputParam(CERTValOutParam *params, |
+ const CERTValParamOutType t) { |
+ CERTValOutParam *i; |
+ if (params == NULL) { |
+ return NULL; |
+ } |
+ for (i = params; i->type != cert_po_end; i++) { |
+ if (i->type == t) { |
+ return i; |
} |
- for (i = params; i->type != cert_po_end; i++) { |
- if (i->type == t) { |
- return i; |
- } |
- } |
- return NULL; |
+ } |
+ return NULL; |
} |
+static PKIX_Error *setRevocationMethod( |
+ PKIX_RevocationChecker *revChecker, PKIX_ProcessingParams *procParams, |
+ const CERTRevocationTests *revTest, CERTRevocationMethodIndex certRevMethod, |
+ PKIX_RevocationMethodType pkixRevMethod, PKIX_Boolean verifyResponderUsages, |
+ PKIX_Boolean isLeafTest, void *plContext) { |
+ PKIX_UInt32 methodFlags = 0; |
+ PKIX_Error *error = NULL; |
+ int priority = 0; |
-static PKIX_Error* |
-setRevocationMethod(PKIX_RevocationChecker *revChecker, |
- PKIX_ProcessingParams *procParams, |
- const CERTRevocationTests *revTest, |
- CERTRevocationMethodIndex certRevMethod, |
- PKIX_RevocationMethodType pkixRevMethod, |
- PKIX_Boolean verifyResponderUsages, |
- PKIX_Boolean isLeafTest, |
- void *plContext) |
-{ |
- PKIX_UInt32 methodFlags = 0; |
- PKIX_Error *error = NULL; |
- int priority = 0; |
- |
- if (revTest->number_of_defined_methods <= certRevMethod) { |
- return NULL; |
+ if (revTest->number_of_defined_methods <= certRevMethod) { |
+ return NULL; |
+ } |
+ if (revTest->preferred_methods) { |
+ int i = 0; |
+ for (; i < revTest->number_of_preferred_methods; i++) { |
+ if (revTest->preferred_methods[i] == certRevMethod) break; |
} |
- if (revTest->preferred_methods) { |
- int i = 0; |
- for (;i < revTest->number_of_preferred_methods;i++) { |
- if (revTest->preferred_methods[i] == certRevMethod) |
- break; |
- } |
- priority = i; |
- } |
- methodFlags = revTest->cert_rev_flags_per_method[certRevMethod]; |
- if (verifyResponderUsages && |
- pkixRevMethod == PKIX_RevocationMethod_OCSP) { |
- methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING; |
- } |
- error = |
- PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, |
- pkixRevMethod, methodFlags, |
- priority, NULL, |
- isLeafTest, plContext); |
- return error; |
+ priority = i; |
+ } |
+ methodFlags = revTest->cert_rev_flags_per_method[certRevMethod]; |
+ if (verifyResponderUsages && pkixRevMethod == PKIX_RevocationMethod_OCSP) { |
+ methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING; |
+ } |
+ error = PKIX_RevocationChecker_CreateAndAddMethod( |
+ revChecker, procParams, pkixRevMethod, methodFlags, priority, NULL, |
+ isLeafTest, plContext); |
+ return error; |
} |
+SECStatus cert_pkixSetParam(PKIX_ProcessingParams *procParams, |
+ const CERTValInParam *param, void *plContext) { |
+ PKIX_Error *error = NULL; |
+ SECStatus r = SECSuccess; |
+ PKIX_PL_Date *date = NULL; |
+ PKIX_List *policyOIDList = NULL; |
+ PKIX_List *certListPkix = NULL; |
+ const CERTRevocationFlags *flags; |
+ SECErrorCodes errCode = SEC_ERROR_INVALID_ARGS; |
+ const CERTCertList *certList = NULL; |
+ CERTCertListNode *node; |
+ PKIX_PL_Cert *certPkix = NULL; |
+ PKIX_TrustAnchor *trustAnchor = NULL; |
+ PKIX_PL_Date *revDate = NULL; |
+ PKIX_RevocationChecker *revChecker = NULL; |
+ PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext; |
-SECStatus |
-cert_pkixSetParam(PKIX_ProcessingParams *procParams, |
- const CERTValInParam *param, void *plContext) |
-{ |
- PKIX_Error * error = NULL; |
- SECStatus r=SECSuccess; |
- PKIX_PL_Date *date = NULL; |
- PKIX_List *policyOIDList = NULL; |
- PKIX_List *certListPkix = NULL; |
- const CERTRevocationFlags *flags; |
- SECErrorCodes errCode = SEC_ERROR_INVALID_ARGS; |
- const CERTCertList *certList = NULL; |
- CERTCertListNode *node; |
- PKIX_PL_Cert *certPkix = NULL; |
- PKIX_TrustAnchor *trustAnchor = NULL; |
- PKIX_PL_Date *revDate = NULL; |
- PKIX_RevocationChecker *revChecker = NULL; |
- PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext; |
+ /* XXX we need a way to map generic PKIX error to generic NSS errors */ |
- /* XXX we need a way to map generic PKIX error to generic NSS errors */ |
+ switch (param->type) { |
- switch (param->type) { |
+ case cert_pi_policyOID: |
- case cert_pi_policyOID: |
+ /* needed? */ |
+ error = PKIX_ProcessingParams_SetExplicitPolicyRequired( |
+ procParams, PKIX_TRUE, plContext); |
- /* needed? */ |
- error = PKIX_ProcessingParams_SetExplicitPolicyRequired( |
- procParams, PKIX_TRUE, plContext); |
+ if (error != NULL) { |
+ break; |
+ } |
- if (error != NULL) { |
- break; |
- } |
+ policyOIDList = cert_PKIXMakeOIDList(param->value.array.oids, |
+ param->value.arraySize, plContext); |
+ if (policyOIDList == NULL) { |
+ r = SECFailure; |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ break; |
+ } |
- policyOIDList = cert_PKIXMakeOIDList(param->value.array.oids, |
- param->value.arraySize,plContext); |
- if (policyOIDList == NULL) { |
- r = SECFailure; |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- break; |
- } |
+ error = PKIX_ProcessingParams_SetInitialPolicies( |
+ procParams, policyOIDList, plContext); |
+ break; |
- error = PKIX_ProcessingParams_SetInitialPolicies( |
- procParams,policyOIDList,plContext); |
- break; |
+ case cert_pi_date: |
+ if (param->value.scalar.time == 0) { |
+ error = PKIX_PL_Date_Create_UTCTime(NULL, &date, plContext); |
+ if (error != NULL) { |
+ errCode = SEC_ERROR_INVALID_TIME; |
+ break; |
+ } |
+ } else { |
+ error = pkix_pl_Date_CreateFromPRTime(param->value.scalar.time, &date, |
+ plContext); |
+ if (error != NULL) { |
+ errCode = SEC_ERROR_INVALID_TIME; |
+ break; |
+ } |
+ } |
- case cert_pi_date: |
- if (param->value.scalar.time == 0) { |
- error = PKIX_PL_Date_Create_UTCTime(NULL, &date, plContext); |
- if (error != NULL) { |
- errCode = SEC_ERROR_INVALID_TIME; |
- break; |
- } |
- } else { |
- error = pkix_pl_Date_CreateFromPRTime(param->value.scalar.time, |
- &date, plContext); |
- if (error != NULL) { |
- errCode = SEC_ERROR_INVALID_TIME; |
- break; |
- } |
- } |
+ error = PKIX_ProcessingParams_SetDate(procParams, date, plContext); |
+ if (error != NULL) { |
+ errCode = SEC_ERROR_INVALID_TIME; |
+ } |
+ break; |
- error = PKIX_ProcessingParams_SetDate(procParams, date, plContext); |
- if (error != NULL) { |
- errCode = SEC_ERROR_INVALID_TIME; |
- } |
- break; |
+ case cert_pi_revocationFlags: { |
+ PKIX_UInt32 leafIMFlags = 0; |
+ PKIX_UInt32 chainIMFlags = 0; |
+ PKIX_Boolean validatingResponderCert = PKIX_FALSE; |
- case cert_pi_revocationFlags: |
- { |
- PKIX_UInt32 leafIMFlags = 0; |
- PKIX_UInt32 chainIMFlags = 0; |
- PKIX_Boolean validatingResponderCert = PKIX_FALSE; |
+ flags = param->value.pointer.revocation; |
+ if (!flags) { |
+ PORT_SetError(errCode); |
+ r = SECFailure; |
+ break; |
+ } |
- flags = param->value.pointer.revocation; |
- if (!flags) { |
- PORT_SetError(errCode); |
- r = SECFailure; |
- break; |
- } |
+ leafIMFlags = flags->leafTests.cert_rev_method_independent_flags; |
+ chainIMFlags = flags->chainTests.cert_rev_method_independent_flags; |
- leafIMFlags = |
- flags->leafTests.cert_rev_method_independent_flags; |
- chainIMFlags = |
- flags->chainTests.cert_rev_method_independent_flags; |
+ error = PKIX_RevocationChecker_Create(leafIMFlags, chainIMFlags, |
+ &revChecker, plContext); |
+ if (error) { |
+ break; |
+ } |
- error = |
- PKIX_RevocationChecker_Create(leafIMFlags, chainIMFlags, |
- &revChecker, plContext); |
- if (error) { |
- break; |
- } |
+ error = PKIX_ProcessingParams_SetRevocationChecker(procParams, revChecker, |
+ plContext); |
+ if (error) { |
+ break; |
+ } |
- error = |
- PKIX_ProcessingParams_SetRevocationChecker(procParams, |
- revChecker, plContext); |
- if (error) { |
- break; |
- } |
+ if (((PKIX_PL_NssContext *)plContext)->certificateUsage & |
+ certificateUsageStatusResponder) { |
+ validatingResponderCert = PKIX_TRUE; |
+ } |
- if (((PKIX_PL_NssContext*)plContext)->certificateUsage & |
- certificateUsageStatusResponder) { |
- validatingResponderCert = PKIX_TRUE; |
- } |
+ error = setRevocationMethod( |
+ revChecker, procParams, &flags->leafTests, cert_revocation_method_crl, |
+ PKIX_RevocationMethod_CRL, validatingResponderCert, PKIX_TRUE, |
+ plContext); |
+ if (error) { |
+ break; |
+ } |
- error = setRevocationMethod(revChecker, |
- procParams, &flags->leafTests, |
- cert_revocation_method_crl, |
- PKIX_RevocationMethod_CRL, |
- validatingResponderCert, |
- PKIX_TRUE, plContext); |
- if (error) { |
- break; |
- } |
+ error = setRevocationMethod( |
+ revChecker, procParams, &flags->leafTests, |
+ cert_revocation_method_ocsp, PKIX_RevocationMethod_OCSP, |
+ validatingResponderCert, PKIX_TRUE, plContext); |
+ if (error) { |
+ break; |
+ } |
- error = setRevocationMethod(revChecker, |
- procParams, &flags->leafTests, |
- cert_revocation_method_ocsp, |
- PKIX_RevocationMethod_OCSP, |
- validatingResponderCert, |
- PKIX_TRUE, plContext); |
- if (error) { |
- break; |
- } |
+ error = setRevocationMethod( |
+ revChecker, procParams, &flags->chainTests, |
+ cert_revocation_method_crl, PKIX_RevocationMethod_CRL, |
+ validatingResponderCert, PKIX_FALSE, plContext); |
+ if (error) { |
+ break; |
+ } |
- error = setRevocationMethod(revChecker, |
- procParams, &flags->chainTests, |
- cert_revocation_method_crl, |
- PKIX_RevocationMethod_CRL, |
- validatingResponderCert, |
- PKIX_FALSE, plContext); |
- if (error) { |
- break; |
- } |
+ error = setRevocationMethod( |
+ revChecker, procParams, &flags->chainTests, |
+ cert_revocation_method_ocsp, PKIX_RevocationMethod_OCSP, |
+ validatingResponderCert, PKIX_FALSE, plContext); |
+ if (error) { |
+ break; |
+ } |
- error = setRevocationMethod(revChecker, |
- procParams, &flags->chainTests, |
- cert_revocation_method_ocsp, |
- PKIX_RevocationMethod_OCSP, |
- validatingResponderCert, |
- PKIX_FALSE, plContext); |
- if (error) { |
- break; |
- } |
+ } break; |
+ case cert_pi_trustAnchors: |
+ certList = param->value.pointer.chain; |
+ if (!certList) { |
+ PORT_SetError(errCode); |
+ r = SECFailure; |
+ break; |
+ } |
+ error = PKIX_List_Create(&certListPkix, plContext); |
+ if (error != NULL) { |
+ break; |
+ } |
+ for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList); |
+ node = CERT_LIST_NEXT(node)) { |
+ error = PKIX_PL_Cert_CreateFromCERTCertificate(node->cert, &certPkix, |
+ plContext); |
+ if (error) { |
+ break; |
+ } |
+ error = |
+ PKIX_TrustAnchor_CreateWithCert(certPkix, &trustAnchor, plContext); |
+ if (error) { |
+ break; |
+ } |
+ error = PKIX_List_AppendItem(certListPkix, |
+ (PKIX_PL_Object *)trustAnchor, plContext); |
+ if (error) { |
+ break; |
+ } |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); |
+ trustAnchor = NULL; |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext); |
+ certPkix = NULL; |
+ } |
+ error = PKIX_ProcessingParams_SetTrustAnchors(procParams, certListPkix, |
+ plContext); |
+ break; |
+ |
+ case cert_pi_useAIACertFetch: |
+ error = PKIX_ProcessingParams_SetUseAIAForCertFetching( |
+ procParams, (PRBool)(param->value.scalar.b != 0), plContext); |
+ break; |
+ |
+ case cert_pi_chainVerifyCallback: { |
+ const CERTChainVerifyCallback *chainVerifyCallback = |
+ param->value.pointer.chainVerifyCallback; |
+ if (!chainVerifyCallback || !chainVerifyCallback->isChainValid) { |
+ PORT_SetError(errCode); |
+ r = SECFailure; |
+ break; |
+ } |
+ |
+ nssContext->chainVerifyCallback = *chainVerifyCallback; |
+ } break; |
+ |
+ case cert_pi_useOnlyTrustAnchors: |
+ error = PKIX_ProcessingParams_SetUseOnlyTrustAnchors( |
+ procParams, (PRBool)(param->value.scalar.b != 0), plContext); |
+ break; |
+ |
+ default: |
+ PORT_SetError(errCode); |
+ r = SECFailure; |
+ break; |
+ } |
+ |
+ if (policyOIDList != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOIDList, plContext); |
+ |
+ if (date != NULL) PKIX_PL_Object_DecRef((PKIX_PL_Object *)date, plContext); |
+ |
+ if (revDate != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)revDate, plContext); |
+ |
+ if (revChecker != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)revChecker, plContext); |
+ |
+ if (certListPkix) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certListPkix, plContext); |
+ |
+ if (trustAnchor) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); |
+ |
+ if (certPkix) PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext); |
+ |
+ if (error != NULL) { |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); |
+ PORT_SetError(errCode); |
+ r = SECFailure; |
+ } |
+ |
+ return r; |
+} |
+ |
+void cert_pkixDestroyValOutParam(CERTValOutParam *params) { |
+ CERTValOutParam *i; |
+ |
+ if (params == NULL) { |
+ return; |
+ } |
+ for (i = params; i->type != cert_po_end; i++) { |
+ switch (i->type) { |
+ case cert_po_trustAnchor: |
+ if (i->value.pointer.cert) { |
+ CERT_DestroyCertificate(i->value.pointer.cert); |
+ i->value.pointer.cert = NULL; |
} |
break; |
- case cert_pi_trustAnchors: |
- certList = param->value.pointer.chain; |
- if (!certList) { |
- PORT_SetError(errCode); |
- r = SECFailure; |
- break; |
- } |
- error = PKIX_List_Create(&certListPkix, plContext); |
- if (error != NULL) { |
- break; |
- } |
- for(node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList); |
- node = CERT_LIST_NEXT(node) ) { |
- error = PKIX_PL_Cert_CreateFromCERTCertificate(node->cert, |
- &certPkix, plContext); |
- if (error) { |
- break; |
- } |
- error = PKIX_TrustAnchor_CreateWithCert(certPkix, &trustAnchor, |
- plContext); |
- if (error) { |
- break; |
- } |
- error = PKIX_List_AppendItem(certListPkix, |
- (PKIX_PL_Object*)trustAnchor, plContext); |
- if (error) { |
- break; |
- } |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); |
- trustAnchor = NULL; |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext); |
- certPkix = NULL; |
- } |
- error = |
- PKIX_ProcessingParams_SetTrustAnchors(procParams, certListPkix, |
- plContext); |
- break; |
- |
- case cert_pi_useAIACertFetch: |
- error = |
- PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams, |
- (PRBool)(param->value.scalar.b != 0), |
- plContext); |
- break; |
- |
- case cert_pi_chainVerifyCallback: |
- { |
- const CERTChainVerifyCallback *chainVerifyCallback = |
- param->value.pointer.chainVerifyCallback; |
- if (!chainVerifyCallback || !chainVerifyCallback->isChainValid) { |
- PORT_SetError(errCode); |
- r = SECFailure; |
- break; |
- } |
- |
- nssContext->chainVerifyCallback = *chainVerifyCallback; |
+ case cert_po_certList: |
+ if (i->value.pointer.chain) { |
+ CERT_DestroyCertList(i->value.pointer.chain); |
+ i->value.pointer.chain = NULL; |
} |
break; |
- case cert_pi_useOnlyTrustAnchors: |
- error = |
- PKIX_ProcessingParams_SetUseOnlyTrustAnchors(procParams, |
- (PRBool)(param->value.scalar.b != 0), |
- plContext); |
- break; |
- |
- default: |
- PORT_SetError(errCode); |
- r = SECFailure; |
- break; |
+ default: |
+ break; |
} |
- |
- if (policyOIDList != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOIDList, plContext); |
- |
- if (date != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)date, plContext); |
- |
- if (revDate != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)revDate, plContext); |
- |
- if (revChecker != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)revChecker, plContext); |
- |
- if (certListPkix) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certListPkix, plContext); |
- |
- if (trustAnchor) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); |
- |
- if (certPkix) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext); |
- |
- if (error != NULL) { |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); |
- PORT_SetError(errCode); |
- r = SECFailure; |
- } |
- |
- return r; |
- |
-} |
- |
-void |
-cert_pkixDestroyValOutParam(CERTValOutParam *params) |
-{ |
- CERTValOutParam *i; |
- |
- if (params == NULL) { |
- return; |
- } |
- for (i = params; i->type != cert_po_end; i++) { |
- switch (i->type) { |
- case cert_po_trustAnchor: |
- if (i->value.pointer.cert) { |
- CERT_DestroyCertificate(i->value.pointer.cert); |
- i->value.pointer.cert = NULL; |
- } |
- break; |
- |
- case cert_po_certList: |
- if (i->value.pointer.chain) { |
- CERT_DestroyCertList(i->value.pointer.chain); |
- i->value.pointer.chain = NULL; |
- } |
- break; |
- |
- default: |
- break; |
- } |
- } |
+ } |
} |
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags[2] = { |
- /* crl */ |
- CERT_REV_M_TEST_USING_THIS_METHOD |
- | CERT_REV_M_FORBID_NETWORK_FETCHING |
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, |
- /* ocsp */ |
- CERT_REV_M_TEST_USING_THIS_METHOD |
-}; |
+ /* crl */ |
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FORBID_NETWORK_FETCHING | |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, |
+ /* ocsp */ |
+ CERT_REV_M_TEST_USING_THIS_METHOD}; |
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags[2] = { |
- /* crl */ |
- CERT_REV_M_TEST_USING_THIS_METHOD |
- | CERT_REV_M_FORBID_NETWORK_FETCHING |
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, |
- /* ocsp */ |
- 0 |
-}; |
+ /* crl */ |
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FORBID_NETWORK_FETCHING | |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, |
+ /* ocsp */ |
+ 0}; |
-static CERTRevocationMethodIndex |
-certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference = { |
- cert_revocation_method_crl |
-}; |
+static CERTRevocationMethodIndex |
+ certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference = { |
+ cert_revocation_method_crl}; |
static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy = { |
- { |
- /* leafTests */ |
- 2, |
- certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags, |
- 1, |
- &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference, |
- 0 |
- }, |
- { |
- /* chainTests */ |
- 2, |
- certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags, |
- 0, |
- 0, |
- 0 |
- } |
-}; |
+ { |
+ /* leafTests */ |
+ 2, certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags, |
+ 1, &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference, |
+ 0}, |
+ { |
+ /* chainTests */ |
+ 2, certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags, 0, 0, 0}}; |
-extern const CERTRevocationFlags* |
-CERT_GetClassicOCSPEnabledSoftFailurePolicy() |
-{ |
- return &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy; |
+extern const CERTRevocationFlags * |
+CERT_GetClassicOCSPEnabledSoftFailurePolicy() { |
+ return &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy; |
} |
- |
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags[2] = { |
- /* crl */ |
- CERT_REV_M_TEST_USING_THIS_METHOD |
- | CERT_REV_M_FORBID_NETWORK_FETCHING |
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, |
- /* ocsp */ |
- CERT_REV_M_TEST_USING_THIS_METHOD |
- | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO |
-}; |
+ /* crl */ |
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FORBID_NETWORK_FETCHING | |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, |
+ /* ocsp */ |
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO}; |
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags[2] = { |
- /* crl */ |
- CERT_REV_M_TEST_USING_THIS_METHOD |
- | CERT_REV_M_FORBID_NETWORK_FETCHING |
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, |
- /* ocsp */ |
- 0 |
-}; |
+ /* crl */ |
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FORBID_NETWORK_FETCHING | |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, |
+ /* ocsp */ |
+ 0}; |
-static CERTRevocationMethodIndex |
-certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference = { |
- cert_revocation_method_crl |
-}; |
+static CERTRevocationMethodIndex |
+ certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference = { |
+ cert_revocation_method_crl}; |
static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy = { |
- { |
- /* leafTests */ |
- 2, |
- certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags, |
- 1, |
- &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference, |
- 0 |
- }, |
- { |
- /* chainTests */ |
- 2, |
- certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags, |
- 0, |
- 0, |
- 0 |
- } |
-}; |
+ { |
+ /* leafTests */ |
+ 2, certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags, |
+ 1, &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference, |
+ 0}, |
+ { |
+ /* chainTests */ |
+ 2, certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags, 0, 0, 0}}; |
-extern const CERTRevocationFlags* |
-CERT_GetClassicOCSPEnabledHardFailurePolicy() |
-{ |
- return &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy; |
+extern const CERTRevocationFlags * |
+CERT_GetClassicOCSPEnabledHardFailurePolicy() { |
+ return &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy; |
} |
- |
static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags[2] = { |
- /* crl */ |
- CERT_REV_M_TEST_USING_THIS_METHOD |
- | CERT_REV_M_FORBID_NETWORK_FETCHING |
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, |
- /* ocsp */ |
- 0 |
-}; |
+ /* crl */ |
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FORBID_NETWORK_FETCHING | |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, |
+ /* ocsp */ |
+ 0}; |
static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags[2] = { |
- /* crl */ |
- CERT_REV_M_TEST_USING_THIS_METHOD |
- | CERT_REV_M_FORBID_NETWORK_FETCHING |
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, |
- /* ocsp */ |
- 0 |
-}; |
+ /* crl */ |
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FORBID_NETWORK_FETCHING | |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO, |
+ /* ocsp */ |
+ 0}; |
static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Disabled_Policy = { |
- { |
- /* leafTests */ |
- 2, |
- certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags, |
- 0, |
- 0, |
- 0 |
- }, |
- { |
- /* chainTests */ |
- 2, |
- certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags, |
- 0, |
- 0, |
- 0 |
- } |
-}; |
+ { |
+ /* leafTests */ |
+ 2, certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags, 0, 0, 0}, |
+ { |
+ /* chainTests */ |
+ 2, certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags, 0, 0, 0}}; |
-extern const CERTRevocationFlags* |
-CERT_GetClassicOCSPDisabledPolicy() |
-{ |
- return &certRev_NSS_3_11_Ocsp_Disabled_Policy; |
+extern const CERTRevocationFlags *CERT_GetClassicOCSPDisabledPolicy() { |
+ return &certRev_NSS_3_11_Ocsp_Disabled_Policy; |
} |
- |
static PRUint64 certRev_PKIX_Verify_Nist_Policy_LeafFlags[2] = { |
- /* crl */ |
- CERT_REV_M_TEST_USING_THIS_METHOD |
- | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO |
- | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE, |
- /* ocsp */ |
- 0 |
-}; |
+ /* crl */ |
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO | |
+ CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE, |
+ /* ocsp */ |
+ 0}; |
static PRUint64 certRev_PKIX_Verify_Nist_Policy_ChainFlags[2] = { |
- /* crl */ |
- CERT_REV_M_TEST_USING_THIS_METHOD |
- | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO |
- | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE, |
- /* ocsp */ |
- 0 |
-}; |
+ /* crl */ |
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO | |
+ CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE, |
+ /* ocsp */ |
+ 0}; |
static const CERTRevocationFlags certRev_PKIX_Verify_Nist_Policy = { |
- { |
- /* leafTests */ |
- 2, |
- certRev_PKIX_Verify_Nist_Policy_LeafFlags, |
- 0, |
- 0, |
- 0 |
- }, |
- { |
- /* chainTests */ |
- 2, |
- certRev_PKIX_Verify_Nist_Policy_ChainFlags, |
- 0, |
- 0, |
- 0 |
- } |
-}; |
+ { |
+ /* leafTests */ |
+ 2, certRev_PKIX_Verify_Nist_Policy_LeafFlags, 0, 0, 0}, |
+ { |
+ /* chainTests */ |
+ 2, certRev_PKIX_Verify_Nist_Policy_ChainFlags, 0, 0, 0}}; |
-extern const CERTRevocationFlags* |
-CERT_GetPKIXVerifyNistRevocationPolicy() |
-{ |
- return &certRev_PKIX_Verify_Nist_Policy; |
+extern const CERTRevocationFlags *CERT_GetPKIXVerifyNistRevocationPolicy() { |
+ return &certRev_PKIX_Verify_Nist_Policy; |
} |
-CERTRevocationFlags * |
-CERT_AllocCERTRevocationFlags( |
+CERTRevocationFlags *CERT_AllocCERTRevocationFlags( |
PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods, |
- PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods) |
-{ |
- CERTRevocationFlags *flags; |
- |
- flags = PORT_New(CERTRevocationFlags); |
- if (!flags) |
- return(NULL); |
- |
- flags->leafTests.number_of_defined_methods = number_leaf_methods; |
- flags->leafTests.cert_rev_flags_per_method = |
- PORT_NewArray(PRUint64, number_leaf_methods); |
+ PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods) { |
+ CERTRevocationFlags *flags; |
- flags->leafTests.number_of_preferred_methods = number_leaf_pref_methods; |
- flags->leafTests.preferred_methods = |
- PORT_NewArray(CERTRevocationMethodIndex, number_leaf_pref_methods); |
+ flags = PORT_New(CERTRevocationFlags); |
+ if (!flags) return (NULL); |
- flags->chainTests.number_of_defined_methods = number_chain_methods; |
- flags->chainTests.cert_rev_flags_per_method = |
- PORT_NewArray(PRUint64, number_chain_methods); |
+ flags->leafTests.number_of_defined_methods = number_leaf_methods; |
+ flags->leafTests.cert_rev_flags_per_method = |
+ PORT_NewArray(PRUint64, number_leaf_methods); |
- flags->chainTests.number_of_preferred_methods = number_chain_pref_methods; |
- flags->chainTests.preferred_methods = |
- PORT_NewArray(CERTRevocationMethodIndex, number_chain_pref_methods); |
- |
- if (!flags->leafTests.cert_rev_flags_per_method |
- || !flags->leafTests.preferred_methods |
- || !flags->chainTests.cert_rev_flags_per_method |
- || !flags->chainTests.preferred_methods) { |
- CERT_DestroyCERTRevocationFlags(flags); |
- return (NULL); |
- } |
- |
- return flags; |
+ flags->leafTests.number_of_preferred_methods = number_leaf_pref_methods; |
+ flags->leafTests.preferred_methods = |
+ PORT_NewArray(CERTRevocationMethodIndex, number_leaf_pref_methods); |
+ |
+ flags->chainTests.number_of_defined_methods = number_chain_methods; |
+ flags->chainTests.cert_rev_flags_per_method = |
+ PORT_NewArray(PRUint64, number_chain_methods); |
+ |
+ flags->chainTests.number_of_preferred_methods = number_chain_pref_methods; |
+ flags->chainTests.preferred_methods = |
+ PORT_NewArray(CERTRevocationMethodIndex, number_chain_pref_methods); |
+ |
+ if (!flags->leafTests.cert_rev_flags_per_method || |
+ !flags->leafTests.preferred_methods || |
+ !flags->chainTests.cert_rev_flags_per_method || |
+ !flags->chainTests.preferred_methods) { |
+ CERT_DestroyCERTRevocationFlags(flags); |
+ return (NULL); |
+ } |
+ |
+ return flags; |
} |
-void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags) |
-{ |
- if (!flags) |
- return; |
- |
- if (flags->leafTests.cert_rev_flags_per_method) |
- PORT_Free(flags->leafTests.cert_rev_flags_per_method); |
+void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags) { |
+ if (!flags) return; |
- if (flags->leafTests.preferred_methods) |
- PORT_Free(flags->leafTests.preferred_methods); |
- |
- if (flags->chainTests.cert_rev_flags_per_method) |
- PORT_Free(flags->chainTests.cert_rev_flags_per_method); |
+ if (flags->leafTests.cert_rev_flags_per_method) |
+ PORT_Free(flags->leafTests.cert_rev_flags_per_method); |
- if (flags->chainTests.preferred_methods) |
- PORT_Free(flags->chainTests.preferred_methods); |
+ if (flags->leafTests.preferred_methods) |
+ PORT_Free(flags->leafTests.preferred_methods); |
- PORT_Free(flags); |
+ if (flags->chainTests.cert_rev_flags_per_method) |
+ PORT_Free(flags->chainTests.cert_rev_flags_per_method); |
+ |
+ if (flags->chainTests.preferred_methods) |
+ PORT_Free(flags->chainTests.preferred_methods); |
+ |
+ PORT_Free(flags); |
} |
/* |
* CERT_PKIXVerifyCert |
* |
* Verify a Certificate using the PKIX library. |
* |
* Parameters: |
@@ -1983,277 +1753,270 @@ void CERT_DestroyCERTRevocationFlags(CER |
* args[0].type = cvpt_policyOID; |
* args[0].value.si = oid; |
* args[1].type = revCheckRequired; |
* args[1].value.b = PR_TRUE; |
* args[2].type = cvpt_end; |
* |
* CERT_PKIXVerifyCert(cert, &output, args |
*/ |
-SECStatus CERT_PKIXVerifyCert( |
- CERTCertificate *cert, |
- SECCertificateUsage usages, |
- CERTValInParam *paramsIn, |
- CERTValOutParam *paramsOut, |
- void *wincx) |
-{ |
- SECStatus r = SECFailure; |
- PKIX_Error * error = NULL; |
- PKIX_ProcessingParams *procParams = NULL; |
- PKIX_BuildResult * buildResult = NULL; |
- void * nbioContext = NULL; /* for non-blocking IO */ |
- void * buildState = NULL; /* for non-blocking IO */ |
- PKIX_CertSelector * certSelector = NULL; |
- PKIX_List * certStores = NULL; |
- PKIX_ValidateResult * valResult = NULL; |
- PKIX_VerifyNode * verifyNode = NULL; |
- PKIX_TrustAnchor * trustAnchor = NULL; |
- PKIX_PL_Cert * trustAnchorCert = NULL; |
- PKIX_List * builtCertList = NULL; |
- CERTValOutParam * oparam = NULL; |
- int i=0; |
+SECStatus CERT_PKIXVerifyCert(CERTCertificate *cert, SECCertificateUsage usages, |
+ CERTValInParam *paramsIn, |
+ CERTValOutParam *paramsOut, void *wincx) { |
+ SECStatus r = SECFailure; |
+ PKIX_Error *error = NULL; |
+ PKIX_ProcessingParams *procParams = NULL; |
+ PKIX_BuildResult *buildResult = NULL; |
+ void *nbioContext = NULL; /* for non-blocking IO */ |
+ void *buildState = NULL; /* for non-blocking IO */ |
+ PKIX_CertSelector *certSelector = NULL; |
+ PKIX_List *certStores = NULL; |
+ PKIX_ValidateResult *valResult = NULL; |
+ PKIX_VerifyNode *verifyNode = NULL; |
+ PKIX_TrustAnchor *trustAnchor = NULL; |
+ PKIX_PL_Cert *trustAnchorCert = NULL; |
+ PKIX_List *builtCertList = NULL; |
+ CERTValOutParam *oparam = NULL; |
+ int i = 0; |
- void *plContext = NULL; |
+ void *plContext = NULL; |
#ifdef PKIX_OBJECT_LEAK_TEST |
- int leakedObjNum = 0; |
- int memLeakLoopCount = 0; |
- int objCountTable[PKIX_NUMTYPES]; |
- int fnInvLocalCount = 0; |
- PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine; |
+ int leakedObjNum = 0; |
+ int memLeakLoopCount = 0; |
+ int objCountTable[PKIX_NUMTYPES]; |
+ int fnInvLocalCount = 0; |
+ PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine; |
- if (usePKIXValidationEngine) { |
- /* current memory leak testing implementation does not allow |
- * to run simultaneous tests one the same or a different threads. |
- * Setting the variable to false, to make additional chain |
- * validations be handled by old nss. */ |
- usePKIXValidationEngine = PR_FALSE; |
- } |
- testStartFnStackPosition = 1; |
- fnStackNameArr[0] = "CERT_PKIXVerifyCert"; |
- fnStackInvCountArr[0] = 0; |
- PKIX_Boolean abortOnLeak = |
- (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? |
- PKIX_FALSE : PKIX_TRUE; |
- runningLeakTest = PKIX_TRUE; |
+ if (usePKIXValidationEngine) { |
+ /* current memory leak testing implementation does not allow |
+ * to run simultaneous tests one the same or a different threads. |
+ * Setting the variable to false, to make additional chain |
+ * validations be handled by old nss. */ |
+ usePKIXValidationEngine = PR_FALSE; |
+ } |
+ testStartFnStackPosition = 1; |
+ fnStackNameArr[0] = "CERT_PKIXVerifyCert"; |
+ fnStackInvCountArr[0] = 0; |
+ PKIX_Boolean abortOnLeak = |
+ (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? PKIX_FALSE |
+ : PKIX_TRUE; |
+ runningLeakTest = PKIX_TRUE; |
- /* Prevent multi-threaded run of object leak test */ |
- fnInvLocalCount = PR_ATOMIC_INCREMENT(¶llelFnInvocationCount); |
- PORT_Assert(fnInvLocalCount == 1); |
+ /* Prevent multi-threaded run of object leak test */ |
+ fnInvLocalCount = PR_ATOMIC_INCREMENT(¶llelFnInvocationCount); |
+ PORT_Assert(fnInvLocalCount == 1); |
-do { |
+ do { |
r = SECFailure; |
error = NULL; |
procParams = NULL; |
buildResult = NULL; |
- nbioContext = NULL; /* for non-blocking IO */ |
- buildState = NULL; /* for non-blocking IO */ |
+ nbioContext = NULL; /* for non-blocking IO */ |
+ buildState = NULL; /* for non-blocking IO */ |
certSelector = NULL; |
certStores = NULL; |
valResult = NULL; |
verifyNode = NULL; |
trustAnchor = NULL; |
trustAnchorCert = NULL; |
builtCertList = NULL; |
oparam = NULL; |
- i=0; |
+ i = 0; |
errorGenerated = PKIX_FALSE; |
stackPosition = 0; |
if (leakedObjNum) { |
- pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); |
+ pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); |
} |
memLeakLoopCount += 1; |
#endif /* PKIX_OBJECT_LEAK_TEST */ |
- error = PKIX_PL_NssContext_Create( |
- 0, PR_FALSE /*use arena*/, wincx, &plContext); |
- if (error != NULL) { /* need pkix->nss error map */ |
- PORT_SetError(SEC_ERROR_CERT_NOT_VALID); |
- goto cleanup; |
+ error = |
+ PKIX_PL_NssContext_Create(0, PR_FALSE /*use arena*/, wincx, &plContext); |
+ if (error != NULL) {/* need pkix->nss error map */ |
+ PORT_SetError(SEC_ERROR_CERT_NOT_VALID); |
+ goto cleanup; |
} |
error = pkix_pl_NssContext_SetCertUsage(usages, plContext); |
if (error != NULL) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- goto cleanup; |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ goto cleanup; |
} |
error = PKIX_ProcessingParams_Create(&procParams, plContext); |
- if (error != NULL) { /* need pkix->nss error map */ |
- PORT_SetError(SEC_ERROR_CERT_NOT_VALID); |
- goto cleanup; |
+ if (error != NULL) {/* need pkix->nss error map */ |
+ PORT_SetError(SEC_ERROR_CERT_NOT_VALID); |
+ goto cleanup; |
} |
/* local cert store should be set into procParams before |
* filling in revocation settings. */ |
certStores = cert_GetCertStores(plContext); |
if (certStores == NULL) { |
- goto cleanup; |
+ goto cleanup; |
} |
- error = PKIX_ProcessingParams_SetCertStores |
- (procParams, certStores, plContext); |
+ error = |
+ PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext); |
if (error != NULL) { |
- goto cleanup; |
+ goto cleanup; |
} |
/* now process the extensible input parameters structure */ |
if (paramsIn != NULL) { |
- i=0; |
- while (paramsIn[i].type != cert_pi_end) { |
- if (paramsIn[i].type >= cert_pi_max) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- goto cleanup; |
- } |
- if (cert_pkixSetParam(procParams, |
- ¶msIn[i],plContext) != SECSuccess) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- goto cleanup; |
- } |
- i++; |
+ i = 0; |
+ while (paramsIn[i].type != cert_pi_end) { |
+ if (paramsIn[i].type >= cert_pi_max) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ goto cleanup; |
} |
+ if (cert_pkixSetParam(procParams, ¶msIn[i], plContext) != |
+ SECSuccess) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ goto cleanup; |
+ } |
+ i++; |
+ } |
} |
certSelector = cert_GetTargetCertConstraints(cert, plContext); |
if (certSelector == NULL) { |
- goto cleanup; |
+ goto cleanup; |
} |
- error = PKIX_ProcessingParams_SetTargetCertConstraints |
- (procParams, certSelector, plContext); |
+ error = PKIX_ProcessingParams_SetTargetCertConstraints( |
+ procParams, certSelector, plContext); |
if (error != NULL) { |
- goto cleanup; |
+ goto cleanup; |
} |
- error = PKIX_BuildChain( procParams, &nbioContext, |
- &buildState, &buildResult, &verifyNode, |
- plContext); |
+ error = PKIX_BuildChain(procParams, &nbioContext, &buildState, &buildResult, |
+ &verifyNode, plContext); |
if (error != NULL) { |
- goto cleanup; |
+ goto cleanup; |
} |
- error = PKIX_BuildResult_GetValidateResult( buildResult, &valResult, |
- plContext); |
+ error = |
+ PKIX_BuildResult_GetValidateResult(buildResult, &valResult, plContext); |
if (error != NULL) { |
- goto cleanup; |
+ goto cleanup; |
} |
- error = PKIX_ValidateResult_GetTrustAnchor( valResult, &trustAnchor, |
- plContext); |
+ error = |
+ PKIX_ValidateResult_GetTrustAnchor(valResult, &trustAnchor, plContext); |
if (error != NULL) { |
- goto cleanup; |
+ goto cleanup; |
} |
if (trustAnchor != NULL) { |
- error = PKIX_TrustAnchor_GetTrustedCert( trustAnchor, &trustAnchorCert, |
- plContext); |
- if (error != NULL) { |
- goto cleanup; |
- } |
+ error = PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustAnchorCert, |
+ plContext); |
+ if (error != NULL) { |
+ goto cleanup; |
+ } |
} |
#ifdef PKIX_OBJECT_LEAK_TEST |
/* Can not continue if error was generated but not returned. |
* Jumping to cleanup. */ |
if (errorGenerated) goto cleanup; |
#endif /* PKIX_OBJECT_LEAK_TEST */ |
oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor); |
if (oparam != NULL) { |
- if (trustAnchorCert != NULL) { |
- oparam->value.pointer.cert = |
- cert_NSSCertFromPKIXCert(trustAnchorCert); |
- } else { |
- oparam->value.pointer.cert = NULL; |
- } |
+ if (trustAnchorCert != NULL) { |
+ oparam->value.pointer.cert = cert_NSSCertFromPKIXCert(trustAnchorCert); |
+ } else { |
+ oparam->value.pointer.cert = NULL; |
+ } |
} |
- error = PKIX_BuildResult_GetCertChain( buildResult, &builtCertList, |
- plContext); |
+ error = |
+ PKIX_BuildResult_GetCertChain(buildResult, &builtCertList, plContext); |
if (error != NULL) { |
- goto cleanup; |
+ goto cleanup; |
} |
oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList); |
if (oparam != NULL) { |
- error = cert_PkixToNssCertsChain(builtCertList, |
- &oparam->value.pointer.chain, |
- plContext); |
- if (error) goto cleanup; |
+ error = cert_PkixToNssCertsChain(builtCertList, |
+ &oparam->value.pointer.chain, plContext); |
+ if (error) goto cleanup; |
} |
r = SECSuccess; |
-cleanup: |
+ cleanup: |
if (verifyNode) { |
- /* Return validation log only upon error. */ |
- oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog); |
+ /* Return validation log only upon error. */ |
+ oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog); |
#ifdef PKIX_OBJECT_LEAK_TEST |
- if (!errorGenerated) |
+ if (!errorGenerated) |
#endif /* PKIX_OBJECT_LEAK_TEST */ |
if (r && oparam != NULL) { |
- PKIX_Error *tmpError = |
- cert_GetLogFromVerifyNode(oparam->value.pointer.log, |
- verifyNode, plContext); |
- if (tmpError) { |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext); |
- } |
+ PKIX_Error *tmpError = cert_GetLogFromVerifyNode( |
+ oparam->value.pointer.log, verifyNode, plContext); |
+ if (tmpError) { |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext); |
+ } |
} |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)verifyNode, plContext); |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)verifyNode, plContext); |
} |
- if (procParams != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext); |
+ if (procParams != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext); |
- if (trustAnchorCert != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchorCert, plContext); |
+ if (trustAnchorCert != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchorCert, plContext); |
- if (trustAnchor != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); |
+ if (trustAnchor != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); |
- if (valResult != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)valResult, plContext); |
+ if (valResult != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)valResult, plContext); |
- if (buildResult != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)buildResult, plContext); |
+ if (buildResult != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)buildResult, plContext); |
- if (certStores != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext); |
+ if (certStores != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext); |
- if (certSelector != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext); |
+ if (certSelector != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext); |
- if (builtCertList != NULL) |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext); |
+ if (builtCertList != NULL) |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext); |
if (error != NULL) { |
- SECErrorCodes nssErrorCode = 0; |
+ SECErrorCodes nssErrorCode = 0; |
- cert_PkixErrorToNssCode(error, &nssErrorCode, plContext); |
- cert_pkixDestroyValOutParam(paramsOut); |
- PORT_SetError(nssErrorCode); |
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); |
+ cert_PkixErrorToNssCode(error, &nssErrorCode, plContext); |
+ cert_pkixDestroyValOutParam(paramsOut); |
+ PORT_SetError(nssErrorCode); |
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); |
} |
PKIX_PL_NssContext_Destroy(plContext); |
#ifdef PKIX_OBJECT_LEAK_TEST |
leakedObjNum = |
pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL); |
if (pkixLog && leakedObjNum) { |
- PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d." |
- "Stack %s\n", memLeakLoopCount, errorFnStackString)); |
+ PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d." |
+ "Stack %s\n", |
+ memLeakLoopCount, errorFnStackString)); |
} |
PR_Free(errorFnStackString); |
errorFnStackString = NULL; |
if (abortOnLeak) { |
- PORT_Assert(leakedObjNum == 0); |
+ PORT_Assert(leakedObjNum == 0); |
} |
- |
-} while (errorGenerated); |
- runningLeakTest = PKIX_FALSE; |
- PR_ATOMIC_DECREMENT(¶llelFnInvocationCount); |
- usePKIXValidationEngine = savedUsePkixEngFlag; |
+ } while (errorGenerated); |
+ |
+ runningLeakTest = PKIX_FALSE; |
+ PR_ATOMIC_DECREMENT(¶llelFnInvocationCount); |
+ usePKIXValidationEngine = savedUsePkixEngFlag; |
#endif /* PKIX_OBJECT_LEAK_TEST */ |
- return r; |
+ return r; |
} |