Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(925)

Unified Diff: lib/certhigh/certvfypkix.c

Issue 201830043: Bug 1118245 - Apply uniform style across NSS
Patch Set: Created 9 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Please Sign in to add in-line comments.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « lib/certhigh/certvfy.c ('k') | lib/certhigh/crlv2.c » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: lib/certhigh/certvfypkix.c
===================================================================
--- a/lib/certhigh/certvfypkix.c
+++ b/lib/certhigh/certvfypkix.c
@@ -7,43 +7,40 @@
* PKIX - NSS proxy functions
*
* NOTE: All structures, functions, data types are parts of library private
* api and are subjects to change in any following releases.
*
*/
#include "prerror.h"
#include "prprf.h"
-
+
#include "nspr.h"
#include "pk11func.h"
#include "certdb.h"
#include "cert.h"
#include "secerr.h"
#include "nssb64.h"
#include "secasn1.h"
#include "secder.h"
#include "pkit.h"
#include "pkix_pl_common.h"
extern PRLogModuleInfo *pkixLog;
#ifdef PKIX_OBJECT_LEAK_TEST
-extern PKIX_UInt32
-pkix_pl_lifecycle_ObjectLeakCheck(int *);
+extern PKIX_UInt32 pkix_pl_lifecycle_ObjectLeakCheck(int *);
-extern SECStatus
-pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
+extern SECStatus pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
PRInt32 parallelFnInvocationCount;
#endif /* PKIX_OBJECT_LEAK_TEST */
-
static PRBool usePKIXValidationEngine = PR_FALSE;
/*
* FUNCTION: CERT_SetUsePKIXForValidation
* DESCRIPTION:
*
* Enables or disables use of libpkix for certificate validation
*
@@ -51,42 +48,36 @@ static PRBool usePKIXValidationEngine =
* "enable"
* PR_TRUE: enables use of libpkix for cert validation.
* PR_FALSE: disables.
* THREAD SAFETY:
* NOT Thread Safe.
* RETURNS:
* Returns SECSuccess if successfully enabled
*/
-SECStatus
-CERT_SetUsePKIXForValidation(PRBool enable)
-{
- usePKIXValidationEngine = (enable > 0) ? PR_TRUE : PR_FALSE;
- return SECSuccess;
+SECStatus CERT_SetUsePKIXForValidation(PRBool enable) {
+ usePKIXValidationEngine = (enable > 0) ? PR_TRUE : PR_FALSE;
+ return SECSuccess;
}
/*
* FUNCTION: CERT_GetUsePKIXForValidation
* DESCRIPTION:
*
* Checks if libpkix building function should be use for certificate
* chain building.
*
* PARAMETERS:
* NONE
* THREAD SAFETY:
* NOT Thread Safe
* RETURNS:
* Returns PR_TRUE if libpkix should be used. PR_FALSE otherwise.
*/
-PRBool
-CERT_GetUsePKIXForValidation()
-{
- return usePKIXValidationEngine;
-}
+PRBool CERT_GetUsePKIXForValidation() { return usePKIXValidationEngine; }
#ifdef NOTDEF
/*
* FUNCTION: cert_NssKeyUsagesToPkix
* DESCRIPTION:
*
* Converts nss key usage bit field(PRUint32) to pkix key usage
* bit field.
@@ -99,196 +90,178 @@ CERT_GetUsePKIXForValidation()
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
-cert_NssKeyUsagesToPkix(
- PRUint32 nssKeyUsage,
- PKIX_UInt32 *pPkixKeyUsage,
- void *plContext)
-{
- PKIX_UInt32 pkixKeyUsage = 0;
+static PKIX_Error *cert_NssKeyUsagesToPkix(PRUint32 nssKeyUsage,
+ PKIX_UInt32 *pPkixKeyUsage,
+ void *plContext) {
+ PKIX_UInt32 pkixKeyUsage = 0;
- PKIX_ENTER(CERTVFYPKIX, "cert_NssKeyUsagesToPkix");
- PKIX_NULLCHECK_ONE(pPkixKeyUsage);
+ PKIX_ENTER(CERTVFYPKIX, "cert_NssKeyUsagesToPkix");
+ PKIX_NULLCHECK_ONE(pPkixKeyUsage);
- *pPkixKeyUsage = 0;
+ *pPkixKeyUsage = 0;
- if (nssKeyUsage & KU_DIGITAL_SIGNATURE) {
- pkixKeyUsage |= PKIX_DIGITAL_SIGNATURE;
- }
-
- if (nssKeyUsage & KU_NON_REPUDIATION) {
- pkixKeyUsage |= PKIX_NON_REPUDIATION;
- }
+ if (nssKeyUsage & KU_DIGITAL_SIGNATURE) {
+ pkixKeyUsage |= PKIX_DIGITAL_SIGNATURE;
+ }
- if (nssKeyUsage & KU_KEY_ENCIPHERMENT) {
- pkixKeyUsage |= PKIX_KEY_ENCIPHERMENT;
- }
-
- if (nssKeyUsage & KU_DATA_ENCIPHERMENT) {
- pkixKeyUsage |= PKIX_DATA_ENCIPHERMENT;
- }
-
- if (nssKeyUsage & KU_KEY_AGREEMENT) {
- pkixKeyUsage |= PKIX_KEY_AGREEMENT;
- }
-
- if (nssKeyUsage & KU_KEY_CERT_SIGN) {
- pkixKeyUsage |= PKIX_KEY_CERT_SIGN;
- }
-
- if (nssKeyUsage & KU_CRL_SIGN) {
- pkixKeyUsage |= PKIX_CRL_SIGN;
- }
+ if (nssKeyUsage & KU_NON_REPUDIATION) {
+ pkixKeyUsage |= PKIX_NON_REPUDIATION;
+ }
- if (nssKeyUsage & KU_ENCIPHER_ONLY) {
- pkixKeyUsage |= PKIX_ENCIPHER_ONLY;
- }
-
- /* Not supported. XXX we should support this once it is
- * fixed in NSS */
- /* pkixKeyUsage |= PKIX_DECIPHER_ONLY; */
+ if (nssKeyUsage & KU_KEY_ENCIPHERMENT) {
+ pkixKeyUsage |= PKIX_KEY_ENCIPHERMENT;
+ }
- *pPkixKeyUsage = pkixKeyUsage;
+ if (nssKeyUsage & KU_DATA_ENCIPHERMENT) {
+ pkixKeyUsage |= PKIX_DATA_ENCIPHERMENT;
+ }
- PKIX_RETURN(CERTVFYPKIX);
+ if (nssKeyUsage & KU_KEY_AGREEMENT) {
+ pkixKeyUsage |= PKIX_KEY_AGREEMENT;
+ }
+
+ if (nssKeyUsage & KU_KEY_CERT_SIGN) {
+ pkixKeyUsage |= PKIX_KEY_CERT_SIGN;
+ }
+
+ if (nssKeyUsage & KU_CRL_SIGN) {
+ pkixKeyUsage |= PKIX_CRL_SIGN;
+ }
+
+ if (nssKeyUsage & KU_ENCIPHER_ONLY) {
+ pkixKeyUsage |= PKIX_ENCIPHER_ONLY;
+ }
+
+ /* Not supported. XXX we should support this once it is
+ * fixed in NSS */
+ /* pkixKeyUsage |= PKIX_DECIPHER_ONLY; */
+
+ *pPkixKeyUsage = pkixKeyUsage;
+
+ PKIX_RETURN(CERTVFYPKIX);
}
extern SECOidTag ekuOidStrings[];
enum {
- ekuIndexSSLServer = 0,
- ekuIndexSSLClient,
- ekuIndexCodeSigner,
- ekuIndexEmail,
- ekuIndexTimeStamp,
- ekuIndexStatusResponder,
- ekuIndexUnknown
+ ekuIndexSSLServer = 0,
+ ekuIndexSSLClient,
+ ekuIndexCodeSigner,
+ ekuIndexEmail,
+ ekuIndexTimeStamp,
+ ekuIndexStatusResponder,
+ ekuIndexUnknown
} ekuIndex;
typedef struct {
- SECCertUsage certUsage;
- PRUint32 ekuStringIndex;
+ SECCertUsage certUsage;
+ PRUint32 ekuStringIndex;
} SECCertUsageToEku;
const SECCertUsageToEku certUsageEkuStringMap[] = {
- {certUsageSSLClient, ekuIndexSSLClient},
- {certUsageSSLServer, ekuIndexSSLServer},
- {certUsageSSLCA, ekuIndexSSLServer},
- {certUsageEmailSigner, ekuIndexEmail},
- {certUsageEmailRecipient, ekuIndexEmail},
- {certUsageObjectSigner, ekuIndexCodeSigner},
- {certUsageUserCertImport, ekuIndexUnknown},
- {certUsageVerifyCA, ekuIndexUnknown},
+ {certUsageSSLClient, ekuIndexSSLClient},
+ {certUsageSSLServer, ekuIndexSSLServer},
+ {certUsageSSLCA, ekuIndexSSLServer},
+ {certUsageEmailSigner, ekuIndexEmail},
+ {certUsageEmailRecipient, ekuIndexEmail},
+ {certUsageObjectSigner, ekuIndexCodeSigner},
+ {certUsageUserCertImport, ekuIndexUnknown},
+ {certUsageVerifyCA, ekuIndexUnknown},
{certUsageProtectedObjectSigner, ekuIndexUnknown},
- {certUsageStatusResponder, ekuIndexStatusResponder},
- {certUsageAnyCA, ekuIndexUnknown},
-};
+ {certUsageStatusResponder, ekuIndexStatusResponder},
+ {certUsageAnyCA, ekuIndexUnknown}, };
/*
* FUNCTION: cert_NssCertificateUsageToPkixKUAndEKU
* DESCRIPTION:
*
* Converts nss CERTCertificateUsage bit field to pkix key and
* extended key usages.
*
* PARAMETERS:
* "cert"
* Pointer to CERTCertificate structure of validating cert.
* "requiredCertUsages"
- * Required usage that will be converted to pkix eku and ku.
+ * Required usage that will be converted to pkix eku and ku.
* "requiredKeyUsage",
* Additional key usages impose to cert.
* "isCA",
- * it true, convert usages for cert that is a CA cert.
+ * it true, convert usages for cert that is a CA cert.
* "ppkixEKUList"
* Returned address of a list of pkix extended key usages.
* "ppkixKU"
- * Returned address of pkix required key usages bit field.
+ * Returned address of pkix required key usages bit field.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
-cert_NssCertificateUsageToPkixKUAndEKU(
- CERTCertificate *cert,
- SECCertUsage requiredCertUsage,
- PRUint32 requiredKeyUsages,
- PRBool isCA,
- PKIX_List **ppkixEKUList,
- PKIX_UInt32 *ppkixKU,
- void *plContext)
-{
- PKIX_List *ekuOidsList = NULL;
- PKIX_PL_OID *ekuOid = NULL;
- int i = 0;
- int ekuIndex = ekuIndexUnknown;
+static PKIX_Error *cert_NssCertificateUsageToPkixKUAndEKU(
+ CERTCertificate *cert, SECCertUsage requiredCertUsage,
+ PRUint32 requiredKeyUsages, PRBool isCA, PKIX_List **ppkixEKUList,
+ PKIX_UInt32 *ppkixKU, void *plContext) {
+ PKIX_List *ekuOidsList = NULL;
+ PKIX_PL_OID *ekuOid = NULL;
+ int i = 0;
+ int ekuIndex = ekuIndexUnknown;
- PKIX_ENTER(CERTVFYPKIX, "cert_NssCertificateUsageToPkixEku");
- PKIX_NULLCHECK_TWO(ppkixEKUList, ppkixKU);
-
- PKIX_CHECK(
- PKIX_List_Create(&ekuOidsList, plContext),
- PKIX_LISTCREATEFAILED);
+ PKIX_ENTER(CERTVFYPKIX, "cert_NssCertificateUsageToPkixEku");
+ PKIX_NULLCHECK_TWO(ppkixEKUList, ppkixKU);
- for (;i < PR_ARRAY_SIZE(certUsageEkuStringMap);i++) {
- const SECCertUsageToEku *usageToEkuElem =
- &certUsageEkuStringMap[i];
- if (usageToEkuElem->certUsage == requiredCertUsage) {
- ekuIndex = usageToEkuElem->ekuStringIndex;
- break;
- }
+ PKIX_CHECK(PKIX_List_Create(&ekuOidsList, plContext), PKIX_LISTCREATEFAILED);
+
+ for (; i < PR_ARRAY_SIZE(certUsageEkuStringMap); i++) {
+ const SECCertUsageToEku *usageToEkuElem = &certUsageEkuStringMap[i];
+ if (usageToEkuElem->certUsage == requiredCertUsage) {
+ ekuIndex = usageToEkuElem->ekuStringIndex;
+ break;
}
- if (ekuIndex != ekuIndexUnknown) {
- PRUint32 reqKeyUsage = 0;
- PRUint32 reqCertType = 0;
+ }
+ if (ekuIndex != ekuIndexUnknown) {
+ PRUint32 reqKeyUsage = 0;
+ PRUint32 reqCertType = 0;
- CERT_KeyUsageAndTypeForCertUsage(requiredCertUsage, isCA,
- &reqKeyUsage,
- &reqCertType);
-
- requiredKeyUsages |= reqKeyUsage;
-
- PKIX_CHECK(
- PKIX_PL_OID_Create(ekuOidStrings[ekuIndex], &ekuOid,
- plContext),
- PKIX_OIDCREATEFAILED);
-
- PKIX_CHECK(
- PKIX_List_AppendItem(ekuOidsList, (PKIX_PL_Object *)ekuOid,
- plContext),
- PKIX_LISTAPPENDITEMFAILED);
-
- PKIX_DECREF(ekuOid);
- }
+ CERT_KeyUsageAndTypeForCertUsage(requiredCertUsage, isCA, &reqKeyUsage,
+ &reqCertType);
+
+ requiredKeyUsages |= reqKeyUsage;
+
+ PKIX_CHECK(PKIX_PL_OID_Create(ekuOidStrings[ekuIndex], &ekuOid, plContext),
+ PKIX_OIDCREATEFAILED);
PKIX_CHECK(
- cert_NssKeyUsagesToPkix(requiredKeyUsages, ppkixKU, plContext),
- PKIX_NSSCERTIFICATEUSAGETOPKIXKUANDEKUFAILED);
+ PKIX_List_AppendItem(ekuOidsList, (PKIX_PL_Object *)ekuOid, plContext),
+ PKIX_LISTAPPENDITEMFAILED);
- *ppkixEKUList = ekuOidsList;
- ekuOidsList = NULL;
+ PKIX_DECREF(ekuOid);
+ }
+
+ PKIX_CHECK(cert_NssKeyUsagesToPkix(requiredKeyUsages, ppkixKU, plContext),
+ PKIX_NSSCERTIFICATEUSAGETOPKIXKUANDEKUFAILED);
+
+ *ppkixEKUList = ekuOidsList;
+ ekuOidsList = NULL;
cleanup:
-
- PKIX_DECREF(ekuOid);
- PKIX_DECREF(ekuOidsList);
- PKIX_RETURN(CERTVFYPKIX);
+ PKIX_DECREF(ekuOid);
+ PKIX_DECREF(ekuOidsList);
+
+ PKIX_RETURN(CERTVFYPKIX);
}
#endif
/*
* FUNCTION: cert_ProcessingParamsSetKeyAndCertUsage
* DESCRIPTION:
*
@@ -308,61 +281,52 @@ cleanup:
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
-cert_ProcessingParamsSetKeyAndCertUsage(
- PKIX_ProcessingParams *procParams,
- SECCertUsage requiredCertUsage,
- PRUint32 requiredKeyUsages,
- void *plContext)
-{
- PKIX_CertSelector *certSelector = NULL;
- PKIX_ComCertSelParams *certSelParams = NULL;
- PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext*)plContext;
-
- PKIX_ENTER(CERTVFYPKIX, "cert_ProcessingParamsSetKeyAndCertUsage");
- PKIX_NULLCHECK_TWO(procParams, nssContext);
-
- PKIX_CHECK(
- pkix_pl_NssContext_SetCertUsage(
- ((SECCertificateUsage)1) << requiredCertUsage, nssContext),
- PKIX_NSSCONTEXTSETCERTUSAGEFAILED);
+static PKIX_Error *cert_ProcessingParamsSetKeyAndCertUsage(
+ PKIX_ProcessingParams *procParams, SECCertUsage requiredCertUsage,
+ PRUint32 requiredKeyUsages, void *plContext) {
+ PKIX_CertSelector *certSelector = NULL;
+ PKIX_ComCertSelParams *certSelParams = NULL;
+ PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext;
- if (requiredKeyUsages) {
- PKIX_CHECK(
- PKIX_ProcessingParams_GetTargetCertConstraints(procParams,
- &certSelector, plContext),
- PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
-
- PKIX_CHECK(
- PKIX_CertSelector_GetCommonCertSelectorParams(certSelector,
- &certSelParams, plContext),
- PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
-
-
- PKIX_CHECK(
- PKIX_ComCertSelParams_SetKeyUsage(certSelParams, requiredKeyUsages,
- plContext),
- PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED);
- }
+ PKIX_ENTER(CERTVFYPKIX, "cert_ProcessingParamsSetKeyAndCertUsage");
+ PKIX_NULLCHECK_TWO(procParams, nssContext);
+
+ PKIX_CHECK(pkix_pl_NssContext_SetCertUsage(
+ ((SECCertificateUsage)1) << requiredCertUsage, nssContext),
+ PKIX_NSSCONTEXTSETCERTUSAGEFAILED);
+
+ if (requiredKeyUsages) {
+ PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints(
+ procParams, &certSelector, plContext),
+ PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
+
+ PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams(
+ certSelector, &certSelParams, plContext),
+ PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
+
+ PKIX_CHECK(PKIX_ComCertSelParams_SetKeyUsage(certSelParams,
+ requiredKeyUsages, plContext),
+ PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED);
+ }
cleanup:
- PKIX_DECREF(certSelector);
- PKIX_DECREF(certSelParams);
+ PKIX_DECREF(certSelector);
+ PKIX_DECREF(certSelParams);
- PKIX_RETURN(CERTVFYPKIX);
+ PKIX_RETURN(CERTVFYPKIX);
}
/*
- * Unused parameters:
+ * Unused parameters:
*
* CERTCertList *initialChain,
* CERTCertStores certStores,
* CERTCertRevCheckers certRevCheckers,
* CERTCertChainCheckers certChainCheckers,
* SECItem *initPolicies,
* PRBool policyQualifierRejected,
* PRBool anyPolicyInhibited,
@@ -393,329 +357,287 @@ cleanup:
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
-cert_CreatePkixProcessingParams(
- CERTCertificate *cert,
- PRBool checkSig, /* not used yet. See bug 391476 */
- PRTime time,
- void *wincx,
- PRBool useArena,
- PRBool disableOCSPRemoteFetching,
- PKIX_ProcessingParams **pprocParams,
- void **pplContext)
-{
- PKIX_List *anchors = NULL;
- PKIX_PL_Cert *targetCert = NULL;
- PKIX_PL_Date *date = NULL;
- PKIX_ProcessingParams *procParams = NULL;
- PKIX_CertSelector *certSelector = NULL;
- PKIX_ComCertSelParams *certSelParams = NULL;
- PKIX_CertStore *certStore = NULL;
- PKIX_List *certStores = NULL;
- PKIX_RevocationChecker *revChecker = NULL;
- PKIX_UInt32 methodFlags = 0;
- void *plContext = NULL;
- CERTStatusConfig *statusConfig = NULL;
-
- PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams");
- PKIX_NULLCHECK_TWO(cert, pprocParams);
-
- PKIX_CHECK(
- PKIX_PL_NssContext_Create(0, useArena, wincx, &plContext),
- PKIX_NSSCONTEXTCREATEFAILED);
+static PKIX_Error *cert_CreatePkixProcessingParams(
+ CERTCertificate *cert, PRBool checkSig, /* not used yet. See bug 391476 */
+ PRTime time, void *wincx, PRBool useArena, PRBool disableOCSPRemoteFetching,
+ PKIX_ProcessingParams **pprocParams, void **pplContext) {
+ PKIX_List *anchors = NULL;
+ PKIX_PL_Cert *targetCert = NULL;
+ PKIX_PL_Date *date = NULL;
+ PKIX_ProcessingParams *procParams = NULL;
+ PKIX_CertSelector *certSelector = NULL;
+ PKIX_ComCertSelParams *certSelParams = NULL;
+ PKIX_CertStore *certStore = NULL;
+ PKIX_List *certStores = NULL;
+ PKIX_RevocationChecker *revChecker = NULL;
+ PKIX_UInt32 methodFlags = 0;
+ void *plContext = NULL;
+ CERTStatusConfig *statusConfig = NULL;
- *pplContext = plContext;
+ PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams");
+ PKIX_NULLCHECK_TWO(cert, pprocParams);
-#ifdef PKIX_NOTDEF
- /* Functions should be implemented in patch for 390532 */
- PKIX_CHECK(
- pkix_pl_NssContext_SetCertSignatureCheck(checkSig,
- (PKIX_PL_NssContext*)plContext),
- PKIX_NSSCONTEXTSETCERTSIGNCHECKFAILED);
+ PKIX_CHECK(PKIX_PL_NssContext_Create(0, useArena, wincx, &plContext),
+ PKIX_NSSCONTEXTCREATEFAILED);
+
+ *pplContext = plContext;
+
+#ifdef PKIX_NOTDEF
+ /* Functions should be implemented in patch for 390532 */
+ PKIX_CHECK(pkix_pl_NssContext_SetCertSignatureCheck(
+ checkSig, (PKIX_PL_NssContext *)plContext),
+ PKIX_NSSCONTEXTSETCERTSIGNCHECKFAILED);
#endif /* PKIX_NOTDEF */
- PKIX_CHECK(
- PKIX_ProcessingParams_Create(&procParams, plContext),
- PKIX_PROCESSINGPARAMSCREATEFAILED);
-
- PKIX_CHECK(
- PKIX_ComCertSelParams_Create(&certSelParams, plContext),
- PKIX_COMCERTSELPARAMSCREATEFAILED);
-
- PKIX_CHECK(
- PKIX_PL_Cert_CreateFromCERTCertificate(cert, &targetCert, plContext),
- PKIX_CERTCREATEWITHNSSCERTFAILED);
+ PKIX_CHECK(PKIX_ProcessingParams_Create(&procParams, plContext),
+ PKIX_PROCESSINGPARAMSCREATEFAILED);
- PKIX_CHECK(
- PKIX_ComCertSelParams_SetCertificate(certSelParams,
- targetCert, plContext),
- PKIX_COMCERTSELPARAMSSETCERTIFICATEFAILED);
-
- PKIX_CHECK(
- PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext),
- PKIX_COULDNOTCREATECERTSELECTOROBJECT);
-
- PKIX_CHECK(
- PKIX_CertSelector_SetCommonCertSelectorParams(certSelector,
- certSelParams, plContext),
- PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
-
- PKIX_CHECK(
- PKIX_ProcessingParams_SetTargetCertConstraints(procParams,
- certSelector, plContext),
- PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED);
+ PKIX_CHECK(PKIX_ComCertSelParams_Create(&certSelParams, plContext),
+ PKIX_COMCERTSELPARAMSCREATEFAILED);
- /* Turn off quialification of target cert since leaf cert is
- * already check for date validity, key usages and extended
- * key usages. */
- PKIX_CHECK(
- PKIX_ProcessingParams_SetQualifyTargetCert(procParams, PKIX_FALSE,
- plContext),
- PKIX_PROCESSINGPARAMSSETQUALIFYTARGETCERTFLAGFAILED);
+ PKIX_CHECK(
+ PKIX_PL_Cert_CreateFromCERTCertificate(cert, &targetCert, plContext),
+ PKIX_CERTCREATEWITHNSSCERTFAILED);
- PKIX_CHECK(
- PKIX_PL_Pk11CertStore_Create(&certStore, plContext),
- PKIX_PK11CERTSTORECREATEFAILED);
-
- PKIX_CHECK(
- PKIX_List_Create(&certStores, plContext),
- PKIX_UNABLETOCREATELIST);
-
- PKIX_CHECK(
- PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore,
- plContext),
- PKIX_LISTAPPENDITEMFAILED);
+ PKIX_CHECK(PKIX_ComCertSelParams_SetCertificate(certSelParams, targetCert,
+ plContext),
+ PKIX_COMCERTSELPARAMSSETCERTIFICATEFAILED);
- PKIX_CHECK(
- PKIX_ProcessingParams_SetCertStores(procParams, certStores,
- plContext),
- PKIX_PROCESSINGPARAMSADDCERTSTOREFAILED);
+ PKIX_CHECK(PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext),
+ PKIX_COULDNOTCREATECERTSELECTOROBJECT);
- PKIX_CHECK(
- PKIX_PL_Date_CreateFromPRTime(time, &date, plContext),
- PKIX_DATECREATEFROMPRTIMEFAILED);
+ PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams(
+ certSelector, certSelParams, plContext),
+ PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
- PKIX_CHECK(
- PKIX_ProcessingParams_SetDate(procParams, date, plContext),
- PKIX_PROCESSINGPARAMSSETDATEFAILED);
+ PKIX_CHECK(PKIX_ProcessingParams_SetTargetCertConstraints(
+ procParams, certSelector, plContext),
+ PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED);
- PKIX_CHECK(
- PKIX_RevocationChecker_Create(
- PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
- PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
- PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
- PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
- &revChecker, plContext),
- PKIX_REVOCATIONCHECKERCREATEFAILED);
+ /* Turn off quialification of target cert since leaf cert is
+ * already check for date validity, key usages and extended
+ * key usages. */
+ PKIX_CHECK(PKIX_ProcessingParams_SetQualifyTargetCert(procParams, PKIX_FALSE,
+ plContext),
+ PKIX_PROCESSINGPARAMSSETQUALIFYTARGETCERTFLAGFAILED);
- PKIX_CHECK(
- PKIX_ProcessingParams_SetRevocationChecker(procParams, revChecker,
- plContext),
- PKIX_PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED);
+ PKIX_CHECK(PKIX_PL_Pk11CertStore_Create(&certStore, plContext),
+ PKIX_PK11CERTSTORECREATEFAILED);
- /* CRL method flags */
- methodFlags =
- PKIX_REV_M_TEST_USING_THIS_METHOD |
- PKIX_REV_M_FORBID_NETWORK_FETCHING |
- PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
- PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
- PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
+ PKIX_CHECK(PKIX_List_Create(&certStores, plContext), PKIX_UNABLETOCREATELIST);
- /* add CRL revocation method to check the leaf certificate */
- PKIX_CHECK(
- PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
- PKIX_RevocationMethod_CRL, methodFlags,
- 0, NULL, PKIX_TRUE, plContext),
- PKIX_REVOCATIONCHECKERADDMETHODFAILED);
+ PKIX_CHECK(
+ PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext),
+ PKIX_LISTAPPENDITEMFAILED);
- /* add CRL revocation method for other certs in the chain. */
- PKIX_CHECK(
- PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
- PKIX_RevocationMethod_CRL, methodFlags,
- 0, NULL, PKIX_FALSE, plContext),
- PKIX_REVOCATIONCHECKERADDMETHODFAILED);
-
- /* For compatibility with the old code, need to check that
- * statusConfig is set in the db handle and status checker
- * is defined befor allow ocsp status check on the leaf cert.*/
- statusConfig = CERT_GetStatusConfig(CERT_GetDefaultCertDB());
- if (statusConfig != NULL && statusConfig->statusChecker != NULL) {
+ PKIX_CHECK(
+ PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext),
+ PKIX_PROCESSINGPARAMSADDCERTSTOREFAILED);
- /* Enable OCSP revocation checking for the leaf cert. */
- /* OCSP method flags */
- methodFlags =
- PKIX_REV_M_TEST_USING_THIS_METHOD |
- PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */
- PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */
- PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
- PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
- PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
-
- /* Disabling ocsp fetching when checking the status
- * of ocsp response signer. Here and in the next if,
- * adjust flags for ocsp signer cert validation case. */
- if (disableOCSPRemoteFetching) {
- methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING;
- }
-
- if (ocsp_FetchingFailureIsVerificationFailure()
- && !disableOCSPRemoteFetching) {
- methodFlags |=
- PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;
- }
-
- /* add OCSP revocation method to check only the leaf certificate.*/
- PKIX_CHECK(
- PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
- PKIX_RevocationMethod_OCSP, methodFlags,
- 1, NULL, PKIX_TRUE, plContext),
- PKIX_REVOCATIONCHECKERADDMETHODFAILED);
+ PKIX_CHECK(PKIX_PL_Date_CreateFromPRTime(time, &date, plContext),
+ PKIX_DATECREATEFROMPRTIMEFAILED);
+
+ PKIX_CHECK(PKIX_ProcessingParams_SetDate(procParams, date, plContext),
+ PKIX_PROCESSINGPARAMSSETDATEFAILED);
+
+ PKIX_CHECK(PKIX_RevocationChecker_Create(
+ PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
+ PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
+ PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
+ PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
+ &revChecker, plContext),
+ PKIX_REVOCATIONCHECKERCREATEFAILED);
+
+ PKIX_CHECK(PKIX_ProcessingParams_SetRevocationChecker(procParams, revChecker,
+ plContext),
+ PKIX_PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED);
+
+ /* CRL method flags */
+ methodFlags = PKIX_REV_M_TEST_USING_THIS_METHOD |
+ PKIX_REV_M_FORBID_NETWORK_FETCHING |
+ PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
+ PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
+ PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
+
+ /* add CRL revocation method to check the leaf certificate */
+ PKIX_CHECK(PKIX_RevocationChecker_CreateAndAddMethod(
+ revChecker, procParams, PKIX_RevocationMethod_CRL, methodFlags,
+ 0, NULL, PKIX_TRUE, plContext),
+ PKIX_REVOCATIONCHECKERADDMETHODFAILED);
+
+ /* add CRL revocation method for other certs in the chain. */
+ PKIX_CHECK(PKIX_RevocationChecker_CreateAndAddMethod(
+ revChecker, procParams, PKIX_RevocationMethod_CRL, methodFlags,
+ 0, NULL, PKIX_FALSE, plContext),
+ PKIX_REVOCATIONCHECKERADDMETHODFAILED);
+
+ /* For compatibility with the old code, need to check that
+ * statusConfig is set in the db handle and status checker
+ * is defined befor allow ocsp status check on the leaf cert.*/
+ statusConfig = CERT_GetStatusConfig(CERT_GetDefaultCertDB());
+ if (statusConfig != NULL && statusConfig->statusChecker != NULL) {
+
+ /* Enable OCSP revocation checking for the leaf cert. */
+ /* OCSP method flags */
+ methodFlags = PKIX_REV_M_TEST_USING_THIS_METHOD |
+ PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */
+ PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */
+ PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
+ PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
+ PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
+
+ /* Disabling ocsp fetching when checking the status
+ * of ocsp response signer. Here and in the next if,
+ * adjust flags for ocsp signer cert validation case. */
+ if (disableOCSPRemoteFetching) {
+ methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING;
}
- PKIX_CHECK(
- PKIX_ProcessingParams_SetAnyPolicyInhibited(procParams, PR_FALSE,
- plContext),
- PKIX_PROCESSINGPARAMSSETANYPOLICYINHIBITED);
+ if (ocsp_FetchingFailureIsVerificationFailure() &&
+ !disableOCSPRemoteFetching) {
+ methodFlags |= PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;
+ }
- PKIX_CHECK(
- PKIX_ProcessingParams_SetExplicitPolicyRequired(procParams, PR_FALSE,
- plContext),
- PKIX_PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED);
+ /* add OCSP revocation method to check only the leaf certificate.*/
+ PKIX_CHECK(PKIX_RevocationChecker_CreateAndAddMethod(
+ revChecker, procParams, PKIX_RevocationMethod_OCSP,
+ methodFlags, 1, NULL, PKIX_TRUE, plContext),
+ PKIX_REVOCATIONCHECKERADDMETHODFAILED);
+ }
- PKIX_CHECK(
- PKIX_ProcessingParams_SetPolicyMappingInhibited(procParams, PR_FALSE,
- plContext),
- PKIX_PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED);
-
- *pprocParams = procParams;
- procParams = NULL;
+ PKIX_CHECK(PKIX_ProcessingParams_SetAnyPolicyInhibited(procParams, PR_FALSE,
+ plContext),
+ PKIX_PROCESSINGPARAMSSETANYPOLICYINHIBITED);
+
+ PKIX_CHECK(PKIX_ProcessingParams_SetExplicitPolicyRequired(
+ procParams, PR_FALSE, plContext),
+ PKIX_PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED);
+
+ PKIX_CHECK(PKIX_ProcessingParams_SetPolicyMappingInhibited(
+ procParams, PR_FALSE, plContext),
+ PKIX_PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED);
+
+ *pprocParams = procParams;
+ procParams = NULL;
cleanup:
- PKIX_DECREF(anchors);
- PKIX_DECREF(targetCert);
- PKIX_DECREF(date);
- PKIX_DECREF(certSelector);
- PKIX_DECREF(certSelParams);
- PKIX_DECREF(certStore);
- PKIX_DECREF(certStores);
- PKIX_DECREF(procParams);
- PKIX_DECREF(revChecker);
+ PKIX_DECREF(anchors);
+ PKIX_DECREF(targetCert);
+ PKIX_DECREF(date);
+ PKIX_DECREF(certSelector);
+ PKIX_DECREF(certSelParams);
+ PKIX_DECREF(certStore);
+ PKIX_DECREF(certStores);
+ PKIX_DECREF(procParams);
+ PKIX_DECREF(revChecker);
- PKIX_RETURN(CERTVFYPKIX);
+ PKIX_RETURN(CERTVFYPKIX);
}
/*
* FUNCTION: cert_PkixToNssCertsChain
* DESCRIPTION:
*
* Converts pkix cert list into nss cert list.
- *
+ *
* PARAMETERS:
* "pkixCertChain"
- * Pkix certificate list.
+ * Pkix certificate list.
* "pvalidChain"
* An address of returned nss certificate list.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
-cert_PkixToNssCertsChain(
- PKIX_List *pkixCertChain,
- CERTCertList **pvalidChain,
- void *plContext)
-{
- PLArenaPool *arena = NULL;
- CERTCertificate *nssCert = NULL;
- CERTCertList *validChain = NULL;
- PKIX_PL_Object *certItem = NULL;
- PKIX_UInt32 length = 0;
- PKIX_UInt32 i = 0;
+static PKIX_Error *cert_PkixToNssCertsChain(PKIX_List *pkixCertChain,
+ CERTCertList **pvalidChain,
+ void *plContext) {
+ PLArenaPool *arena = NULL;
+ CERTCertificate *nssCert = NULL;
+ CERTCertList *validChain = NULL;
+ PKIX_PL_Object *certItem = NULL;
+ PKIX_UInt32 length = 0;
+ PKIX_UInt32 i = 0;
- PKIX_ENTER(CERTVFYPKIX, "cert_PkixToNssCertsChain");
- PKIX_NULLCHECK_ONE(pvalidChain);
+ PKIX_ENTER(CERTVFYPKIX, "cert_PkixToNssCertsChain");
+ PKIX_NULLCHECK_ONE(pvalidChain);
- if (pkixCertChain == NULL) {
- goto cleanup;
- }
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- PKIX_ERROR(PKIX_OUTOFMEMORY);
- }
- validChain = (CERTCertList*)PORT_ArenaZAlloc(arena, sizeof(CERTCertList));
- if (validChain == NULL) {
- PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
- }
- PR_INIT_CLIST(&validChain->list);
- validChain->arena = arena;
- arena = NULL;
+ if (pkixCertChain == NULL) {
+ goto cleanup;
+ }
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PKIX_ERROR(PKIX_OUTOFMEMORY);
+ }
+ validChain = (CERTCertList *)PORT_ArenaZAlloc(arena, sizeof(CERTCertList));
+ if (validChain == NULL) {
+ PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
+ }
+ PR_INIT_CLIST(&validChain->list);
+ validChain->arena = arena;
+ arena = NULL;
- PKIX_CHECK(
- PKIX_List_GetLength(pkixCertChain, &length, plContext),
- PKIX_LISTGETLENGTHFAILED);
+ PKIX_CHECK(PKIX_List_GetLength(pkixCertChain, &length, plContext),
+ PKIX_LISTGETLENGTHFAILED);
- for (i = 0; i < length; i++){
- CERTCertListNode *node = NULL;
+ for (i = 0; i < length; i++) {
+ CERTCertListNode *node = NULL;
- PKIX_CHECK(
- PKIX_List_GetItem(pkixCertChain, i, &certItem, plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_CHECK(
- PKIX_PL_Cert_GetCERTCertificate((PKIX_PL_Cert*)certItem, &nssCert,
- plContext),
- PKIX_CERTGETCERTCERTIFICATEFAILED);
-
- node =
- (CERTCertListNode *)PORT_ArenaZAlloc(validChain->arena,
- sizeof(CERTCertListNode));
- if ( node == NULL ) {
- PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
- }
+ PKIX_CHECK(PKIX_List_GetItem(pkixCertChain, i, &certItem, plContext),
+ PKIX_LISTGETITEMFAILED);
- PR_INSERT_BEFORE(&node->links, &validChain->list);
+ PKIX_CHECK(PKIX_PL_Cert_GetCERTCertificate((PKIX_PL_Cert *)certItem,
+ &nssCert, plContext),
+ PKIX_CERTGETCERTCERTIFICATEFAILED);
- node->cert = nssCert;
- nssCert = NULL;
-
- PKIX_DECREF(certItem);
+ node = (CERTCertListNode *)PORT_ArenaZAlloc(validChain->arena,
+ sizeof(CERTCertListNode));
+ if (node == NULL) {
+ PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
}
- *pvalidChain = validChain;
+ PR_INSERT_BEFORE(&node->links, &validChain->list);
+
+ node->cert = nssCert;
+ nssCert = NULL;
+
+ PKIX_DECREF(certItem);
+ }
+
+ *pvalidChain = validChain;
cleanup:
- if (PKIX_ERROR_RECEIVED){
- if (validChain) {
- CERT_DestroyCertList(validChain);
- } else if (arena) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- if (nssCert) {
- CERT_DestroyCertificate(nssCert);
- }
+ if (PKIX_ERROR_RECEIVED) {
+ if (validChain) {
+ CERT_DestroyCertList(validChain);
+ } else if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
}
- PKIX_DECREF(certItem);
+ if (nssCert) {
+ CERT_DestroyCertificate(nssCert);
+ }
+ }
+ PKIX_DECREF(certItem);
- PKIX_RETURN(CERTVFYPKIX);
+ PKIX_RETURN(CERTVFYPKIX);
}
-
/*
* FUNCTION: cert_BuildAndValidateChain
* DESCRIPTION:
*
* The function builds and validates a cert chain based on certificate
* selection criterias from procParams. This function call PKIX_BuildChain
* to accomplish chain building. If PKIX_BuildChain returns with incomplete
* IO, the function waits with PR_Poll until the blocking IO is finished and
@@ -733,61 +655,56 @@ cleanup:
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
-cert_BuildAndValidateChain(
- PKIX_ProcessingParams *procParams,
- PKIX_BuildResult **pResult,
- PKIX_VerifyNode **pVerifyNode,
- void *plContext)
-{
- PKIX_BuildResult *result = NULL;
- PKIX_VerifyNode *verifyNode = NULL;
- void *nbioContext = NULL;
- void *state = NULL;
-
- PKIX_ENTER(CERTVFYPKIX, "cert_BuildAndVerifyChain");
- PKIX_NULLCHECK_TWO(procParams, pResult);
-
- do {
- if (nbioContext && state) {
- /* PKIX-XXX: need to test functionality of NBIO handling in libPkix.
- * See bug 391180 */
- PRInt32 filesReady = 0;
- PRPollDesc *pollDesc = (PRPollDesc*)nbioContext;
- filesReady = PR_Poll(pollDesc, 1, PR_INTERVAL_NO_TIMEOUT);
- if (filesReady <= 0) {
- PKIX_ERROR(PKIX_PRPOLLRETBADFILENUM);
- }
- }
+static PKIX_Error *cert_BuildAndValidateChain(PKIX_ProcessingParams *procParams,
+ PKIX_BuildResult **pResult,
+ PKIX_VerifyNode **pVerifyNode,
+ void *plContext) {
+ PKIX_BuildResult *result = NULL;
+ PKIX_VerifyNode *verifyNode = NULL;
+ void *nbioContext = NULL;
+ void *state = NULL;
- PKIX_CHECK(
- PKIX_BuildChain(procParams, &nbioContext, &state,
- &result, &verifyNode, plContext),
- PKIX_UNABLETOBUILDCHAIN);
-
- } while (nbioContext && state);
+ PKIX_ENTER(CERTVFYPKIX, "cert_BuildAndVerifyChain");
+ PKIX_NULLCHECK_TWO(procParams, pResult);
- *pResult = result;
+ do {
+ if (nbioContext && state) {
+ /* PKIX-XXX: need to test functionality of NBIO handling in libPkix.
+ * See bug 391180 */
+ PRInt32 filesReady = 0;
+ PRPollDesc *pollDesc = (PRPollDesc *)nbioContext;
+ filesReady = PR_Poll(pollDesc, 1, PR_INTERVAL_NO_TIMEOUT);
+ if (filesReady <= 0) {
+ PKIX_ERROR(PKIX_PRPOLLRETBADFILENUM);
+ }
+ }
+
+ PKIX_CHECK(PKIX_BuildChain(procParams, &nbioContext, &state, &result,
+ &verifyNode, plContext),
+ PKIX_UNABLETOBUILDCHAIN);
+
+ } while (nbioContext && state);
+
+ *pResult = result;
cleanup:
- if (pVerifyNode) {
- *pVerifyNode = verifyNode;
- }
+ if (pVerifyNode) {
+ *pVerifyNode = verifyNode;
+ }
- PKIX_RETURN(CERTVFYPKIX);
+ PKIX_RETURN(CERTVFYPKIX);
}
-
/*
* FUNCTION: cert_PkixErrorToNssCode
* DESCRIPTION:
*
* Converts pkix error(PKIX_Error) structure to PR error codes.
*
* PKIX-XXX to be implemented. See 391183.
*
@@ -800,137 +717,127 @@ cleanup:
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error *
-cert_PkixErrorToNssCode(
- PKIX_Error *error,
- SECErrorCodes *pNssErr,
- void *plContext)
-{
- int errLevel = 0;
- PKIX_Int32 nssErr = 0;
- PKIX_Error *errPtr = error;
+static PKIX_Error *cert_PkixErrorToNssCode(PKIX_Error *error,
+ SECErrorCodes *pNssErr,
+ void *plContext) {
+ int errLevel = 0;
+ PKIX_Int32 nssErr = 0;
+ PKIX_Error *errPtr = error;
- PKIX_ENTER(CERTVFYPKIX, "cert_PkixErrorToNssCode");
- PKIX_NULLCHECK_TWO(error, pNssErr);
-
- /* Loop until we find at least one error with non-null
- * plErr code, that is going to be nss error code. */
- while (errPtr) {
- if (errPtr->plErr && !nssErr) {
- nssErr = errPtr->plErr;
- if (!pkixLog) break;
- }
- if (pkixLog) {
-#ifdef PKIX_ERROR_DESCRIPTION
- PR_LOG(pkixLog, 2, ("Error at level %d: %s\n", errLevel,
- PKIX_ErrorText[errPtr->errCode]));
+ PKIX_ENTER(CERTVFYPKIX, "cert_PkixErrorToNssCode");
+ PKIX_NULLCHECK_TWO(error, pNssErr);
+
+ /* Loop until we find at least one error with non-null
+ * plErr code, that is going to be nss error code. */
+ while (errPtr) {
+ if (errPtr->plErr && !nssErr) {
+ nssErr = errPtr->plErr;
+ if (!pkixLog) break;
+ }
+ if (pkixLog) {
+#ifdef PKIX_ERROR_DESCRIPTION
+ PR_LOG(pkixLog, 2, ("Error at level %d: %s\n", errLevel,
+ PKIX_ErrorText[errPtr->errCode]));
#else
- PR_LOG(pkixLog, 2, ("Error at level %d: Error code %d\n", errLevel,
- errPtr->errCode));
+ PR_LOG(pkixLog, 2,
+ ("Error at level %d: Error code %d\n", errLevel, errPtr->errCode));
#endif /* PKIX_ERROR_DESCRIPTION */
- }
- errPtr = errPtr->cause;
- errLevel += 1;
}
- PORT_Assert(nssErr);
- if (!nssErr) {
- *pNssErr = SEC_ERROR_LIBPKIX_INTERNAL;
- } else {
- *pNssErr = nssErr;
- }
+ errPtr = errPtr->cause;
+ errLevel += 1;
+ }
+ PORT_Assert(nssErr);
+ if (!nssErr) {
+ *pNssErr = SEC_ERROR_LIBPKIX_INTERNAL;
+ } else {
+ *pNssErr = nssErr;
+ }
- PKIX_RETURN(CERTVFYPKIX);
+ PKIX_RETURN(CERTVFYPKIX);
}
/*
* FUNCTION: cert_GetLogFromVerifyNode
* DESCRIPTION:
*
* Recursive function that converts verify node tree-like set of structures
* to CERTVerifyLog.
*
* PARAMETERS:
* "log"
- * Pointed to already allocated CERTVerifyLog structure.
+ * Pointed to already allocated CERTVerifyLog structure.
* "node"
* A node of PKIX_VerifyNode tree.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error *
-cert_GetLogFromVerifyNode(
- CERTVerifyLog *log,
- PKIX_VerifyNode *node,
- void *plContext)
-{
- PKIX_List *children = NULL;
- PKIX_VerifyNode *childNode = NULL;
+static PKIX_Error *cert_GetLogFromVerifyNode(CERTVerifyLog *log,
+ PKIX_VerifyNode *node,
+ void *plContext) {
+ PKIX_List *children = NULL;
+ PKIX_VerifyNode *childNode = NULL;
- PKIX_ENTER(CERTVFYPKIX, "cert_GetLogFromVerifyNode");
+ PKIX_ENTER(CERTVFYPKIX, "cert_GetLogFromVerifyNode");
- children = node->children;
+ children = node->children;
- if (children == NULL) {
- PKIX_ERRORCODE errCode = PKIX_ANCHORDIDNOTCHAINTOCERT;
- if (node->error && node->error->errCode != errCode) {
- if (log != NULL) {
- SECErrorCodes nssErrorCode = 0;
- CERTCertificate *cert = NULL;
+ if (children == NULL) {
+ PKIX_ERRORCODE errCode = PKIX_ANCHORDIDNOTCHAINTOCERT;
+ if (node->error && node->error->errCode != errCode) {
+ if (log != NULL) {
+ SECErrorCodes nssErrorCode = 0;
+ CERTCertificate *cert = NULL;
- cert = node->verifyCert->nssCert;
-
- PKIX_CHECK(
- cert_PkixErrorToNssCode(node->error, &nssErrorCode,
- plContext),
- PKIX_GETPKIXERRORCODEFAILED);
-
- cert_AddToVerifyLog(log, cert, nssErrorCode, node->depth, NULL);
- }
- }
- PKIX_RETURN(CERTVFYPKIX);
- } else {
- PRUint32 i = 0;
- PKIX_UInt32 length = 0;
+ cert = node->verifyCert->nssCert;
PKIX_CHECK(
- PKIX_List_GetLength(children, &length, plContext),
- PKIX_LISTGETLENGTHFAILED);
-
- for (i = 0; i < length; i++){
+ cert_PkixErrorToNssCode(node->error, &nssErrorCode, plContext),
+ PKIX_GETPKIXERRORCODEFAILED);
- PKIX_CHECK(
- PKIX_List_GetItem(children, i, (PKIX_PL_Object**)&childNode,
- plContext),
- PKIX_LISTGETITEMFAILED);
-
- PKIX_CHECK(
- cert_GetLogFromVerifyNode(log, childNode, plContext),
- PKIX_ERRORINRECURSIVEEQUALSCALL);
+ cert_AddToVerifyLog(log, cert, nssErrorCode, node->depth, NULL);
+ }
+ }
+ PKIX_RETURN(CERTVFYPKIX);
+ } else {
+ PRUint32 i = 0;
+ PKIX_UInt32 length = 0;
- PKIX_DECREF(childNode);
- }
+ PKIX_CHECK(PKIX_List_GetLength(children, &length, plContext),
+ PKIX_LISTGETLENGTHFAILED);
+
+ for (i = 0; i < length; i++) {
+
+ PKIX_CHECK(PKIX_List_GetItem(children, i, (PKIX_PL_Object **)&childNode,
+ plContext),
+ PKIX_LISTGETITEMFAILED);
+
+ PKIX_CHECK(cert_GetLogFromVerifyNode(log, childNode, plContext),
+ PKIX_ERRORINRECURSIVEEQUALSCALL);
+
+ PKIX_DECREF(childNode);
}
+ }
cleanup:
- PKIX_DECREF(childNode);
+ PKIX_DECREF(childNode);
- PKIX_RETURN(CERTVFYPKIX);
+ PKIX_RETURN(CERTVFYPKIX);
}
/*
* FUNCTION: cert_GetBuildResults
* DESCRIPTION:
*
* Converts pkix build results to nss results. This function is called
* regardless of build result.
@@ -938,17 +845,17 @@ cleanup:
* If it called after chain was successfully constructed, then it will
* convert:
* * pkix cert list that represent the chain to nss cert list
* * trusted root the chain was anchored to nss certificate.
*
* In case of failure it will convert:
* * pkix error to PR error code(will set it with PORT_SetError)
* * pkix validation log to nss CERTVerifyLog
- *
+ *
* PARAMETERS:
* "buildResult"
* Build results returned by PKIX_BuildChain.
* "verifyNode"
* Tree-like structure of chain building/validation failures
* returned by PKIX_BuildChain. Ignored in case of success.
* "error"
* Final error returned by PKIX_BuildChain. Should be NULL in
@@ -963,112 +870,102 @@ cleanup:
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Cert Verify Error if the function fails in an unrecoverable way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
-static PKIX_Error*
-cert_GetBuildResults(
- PKIX_BuildResult *buildResult,
- PKIX_VerifyNode *verifyNode,
- PKIX_Error *error,
- CERTVerifyLog *log,
- CERTCertificate **ptrustedRoot,
- CERTCertList **pvalidChain,
- void *plContext)
-{
- PKIX_ValidateResult *validResult = NULL;
- CERTCertList *validChain = NULL;
- CERTCertificate *trustedRoot = NULL;
- PKIX_TrustAnchor *trustAnchor = NULL;
- PKIX_PL_Cert *trustedCert = NULL;
- PKIX_List *pkixCertChain = NULL;
-
- PKIX_ENTER(CERTVFYPKIX, "cert_GetBuildResults");
- if (buildResult == NULL && error == NULL) {
- PKIX_ERROR(PKIX_NULLARGUMENT);
+static PKIX_Error *cert_GetBuildResults(PKIX_BuildResult *buildResult,
+ PKIX_VerifyNode *verifyNode,
+ PKIX_Error *error, CERTVerifyLog *log,
+ CERTCertificate **ptrustedRoot,
+ CERTCertList **pvalidChain,
+ void *plContext) {
+ PKIX_ValidateResult *validResult = NULL;
+ CERTCertList *validChain = NULL;
+ CERTCertificate *trustedRoot = NULL;
+ PKIX_TrustAnchor *trustAnchor = NULL;
+ PKIX_PL_Cert *trustedCert = NULL;
+ PKIX_List *pkixCertChain = NULL;
+
+ PKIX_ENTER(CERTVFYPKIX, "cert_GetBuildResults");
+ if (buildResult == NULL && error == NULL) {
+ PKIX_ERROR(PKIX_NULLARGUMENT);
+ }
+
+ if (error) {
+ SECErrorCodes nssErrorCode = 0;
+ if (verifyNode) {
+ PKIX_Error *tmpError =
+ cert_GetLogFromVerifyNode(log, verifyNode, plContext);
+ if (tmpError) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext);
+ }
}
+ cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
+ PORT_SetError(nssErrorCode);
+ goto cleanup;
+ }
- if (error) {
- SECErrorCodes nssErrorCode = 0;
- if (verifyNode) {
- PKIX_Error *tmpError =
- cert_GetLogFromVerifyNode(log, verifyNode, plContext);
- if (tmpError) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext);
- }
- }
- cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
- PORT_SetError(nssErrorCode);
- goto cleanup;
- }
+ if (pvalidChain) {
+ PKIX_CHECK(
+ PKIX_BuildResult_GetCertChain(buildResult, &pkixCertChain, plContext),
+ PKIX_BUILDRESULTGETCERTCHAINFAILED);
- if (pvalidChain) {
- PKIX_CHECK(
- PKIX_BuildResult_GetCertChain(buildResult, &pkixCertChain,
- plContext),
- PKIX_BUILDRESULTGETCERTCHAINFAILED);
+ PKIX_CHECK(cert_PkixToNssCertsChain(pkixCertChain, &validChain, plContext),
+ PKIX_CERTCHAINTONSSCHAINFAILED);
+ }
- PKIX_CHECK(
- cert_PkixToNssCertsChain(pkixCertChain, &validChain, plContext),
- PKIX_CERTCHAINTONSSCHAINFAILED);
- }
+ if (ptrustedRoot) {
+ PKIX_CHECK(PKIX_BuildResult_GetValidateResult(buildResult, &validResult,
+ plContext),
+ PKIX_BUILDRESULTGETVALIDATERESULTFAILED);
- if (ptrustedRoot) {
- PKIX_CHECK(
- PKIX_BuildResult_GetValidateResult(buildResult, &validResult,
- plContext),
- PKIX_BUILDRESULTGETVALIDATERESULTFAILED);
+ PKIX_CHECK(PKIX_ValidateResult_GetTrustAnchor(validResult, &trustAnchor,
+ plContext),
+ PKIX_VALIDATERESULTGETTRUSTANCHORFAILED);
- PKIX_CHECK(
- PKIX_ValidateResult_GetTrustAnchor(validResult, &trustAnchor,
- plContext),
- PKIX_VALIDATERESULTGETTRUSTANCHORFAILED);
+ PKIX_CHECK(
+ PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustedCert, plContext),
+ PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
- PKIX_CHECK(
- PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustedCert,
- plContext),
- PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
+ PKIX_CHECK(
+ PKIX_PL_Cert_GetCERTCertificate(trustedCert, &trustedRoot, plContext),
+ PKIX_CERTGETCERTCERTIFICATEFAILED);
+ }
- PKIX_CHECK(
- PKIX_PL_Cert_GetCERTCertificate(trustedCert, &trustedRoot,
- plContext),
- PKIX_CERTGETCERTCERTIFICATEFAILED);
- }
-
- PORT_Assert(!PKIX_ERROR_RECEIVED);
+ PORT_Assert(!PKIX_ERROR_RECEIVED);
+ if (trustedRoot) {
+ *ptrustedRoot = trustedRoot;
+ }
+ if (validChain) {
+ *pvalidChain = validChain;
+ }
+
+cleanup:
+ if (PKIX_ERROR_RECEIVED) {
if (trustedRoot) {
- *ptrustedRoot = trustedRoot;
+ CERT_DestroyCertificate(trustedRoot);
}
if (validChain) {
- *pvalidChain = validChain;
+ CERT_DestroyCertList(validChain);
}
+ }
+ PKIX_DECREF(trustAnchor);
+ PKIX_DECREF(trustedCert);
+ PKIX_DECREF(pkixCertChain);
+ PKIX_DECREF(validResult);
+ PKIX_DECREF(error);
+ PKIX_DECREF(verifyNode);
+ PKIX_DECREF(buildResult);
-cleanup:
- if (PKIX_ERROR_RECEIVED) {
- if (trustedRoot) {
- CERT_DestroyCertificate(trustedRoot);
- }
- if (validChain) {
- CERT_DestroyCertList(validChain);
- }
- }
- PKIX_DECREF(trustAnchor);
- PKIX_DECREF(trustedCert);
- PKIX_DECREF(pkixCertChain);
- PKIX_DECREF(validResult);
- PKIX_DECREF(error);
- PKIX_DECREF(verifyNode);
- PKIX_DECREF(buildResult);
-
- PKIX_RETURN(CERTVFYPKIX);
+ PKIX_RETURN(CERTVFYPKIX);
}
/*
* FUNCTION: cert_VerifyCertChainPkix
* DESCRIPTION:
*
* The main wrapper function that is called from CERT_VerifyCert and
* CERT_VerifyCACertForUsage functions to validate cert with libpkix.
@@ -1095,877 +992,750 @@ cleanup:
* Address of PRBool. If not NULL, returns true is cert chain
* was invalidated because a revoked certificate was found in
* the chain.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* SECFailure is chain building process has failed. SECSuccess otherwise.
*/
-SECStatus
-cert_VerifyCertChainPkix(
- CERTCertificate *cert,
- PRBool checkSig,
- SECCertUsage requiredUsage,
- PRTime time,
- void *wincx,
- CERTVerifyLog *log,
- PRBool *pSigerror,
- PRBool *pRevoked)
-{
- PKIX_ProcessingParams *procParams = NULL;
- PKIX_BuildResult *result = NULL;
- PKIX_VerifyNode *verifyNode = NULL;
- PKIX_Error *error = NULL;
+SECStatus cert_VerifyCertChainPkix(CERTCertificate *cert, PRBool checkSig,
+ SECCertUsage requiredUsage, PRTime time,
+ void *wincx, CERTVerifyLog *log,
+ PRBool *pSigerror, PRBool *pRevoked) {
+ PKIX_ProcessingParams *procParams = NULL;
+ PKIX_BuildResult *result = NULL;
+ PKIX_VerifyNode *verifyNode = NULL;
+ PKIX_Error *error = NULL;
- SECStatus rv = SECFailure;
- void *plContext = NULL;
+ SECStatus rv = SECFailure;
+ void *plContext = NULL;
#ifdef PKIX_OBJECT_LEAK_TEST
- int leakedObjNum = 0;
- int memLeakLoopCount = 0;
- int objCountTable[PKIX_NUMTYPES];
- int fnInvLocalCount = 0;
- PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine;
+ int leakedObjNum = 0;
+ int memLeakLoopCount = 0;
+ int objCountTable[PKIX_NUMTYPES];
+ int fnInvLocalCount = 0;
+ PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine;
- if (usePKIXValidationEngine) {
- /* current memory leak testing implementation does not allow
- * to run simultaneous tests one the same or a different threads.
- * Setting the variable to false, to make additional chain
- * validations be handled by old nss. */
- usePKIXValidationEngine = PR_FALSE;
- }
- testStartFnStackPosition = 2;
- fnStackNameArr[0] = "cert_VerifyCertChainPkix";
- fnStackInvCountArr[0] = 0;
- PKIX_Boolean abortOnLeak =
- (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
- PKIX_FALSE : PKIX_TRUE;
- runningLeakTest = PKIX_TRUE;
+ if (usePKIXValidationEngine) {
+ /* current memory leak testing implementation does not allow
+ * to run simultaneous tests one the same or a different threads.
+ * Setting the variable to false, to make additional chain
+ * validations be handled by old nss. */
+ usePKIXValidationEngine = PR_FALSE;
+ }
+ testStartFnStackPosition = 2;
+ fnStackNameArr[0] = "cert_VerifyCertChainPkix";
+ fnStackInvCountArr[0] = 0;
+ PKIX_Boolean abortOnLeak =
+ (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? PKIX_FALSE
+ : PKIX_TRUE;
+ runningLeakTest = PKIX_TRUE;
- /* Prevent multi-threaded run of object leak test */
- fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
- PORT_Assert(fnInvLocalCount == 1);
+ /* Prevent multi-threaded run of object leak test */
+ fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
+ PORT_Assert(fnInvLocalCount == 1);
-do {
+ do {
rv = SECFailure;
plContext = NULL;
procParams = NULL;
result = NULL;
verifyNode = NULL;
error = NULL;
errorGenerated = PKIX_FALSE;
stackPosition = 0;
if (leakedObjNum) {
- pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
+ pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
}
memLeakLoopCount += 1;
#endif /* PKIX_OBJECT_LEAK_TEST */
- error =
- cert_CreatePkixProcessingParams(cert, checkSig, time, wincx,
- PR_FALSE/*use arena*/,
- requiredUsage == certUsageStatusResponder,
- &procParams, &plContext);
+ error = cert_CreatePkixProcessingParams(
+ cert, checkSig, time, wincx, PR_FALSE /*use arena*/,
+ requiredUsage == certUsageStatusResponder, &procParams, &plContext);
if (error) {
- goto cleanup;
+ goto cleanup;
+ }
+
+ error = cert_ProcessingParamsSetKeyAndCertUsage(procParams, requiredUsage,
+ 0, plContext);
+ if (error) {
+ goto cleanup;
}
error =
- cert_ProcessingParamsSetKeyAndCertUsage(procParams, requiredUsage, 0,
- plContext);
+ cert_BuildAndValidateChain(procParams, &result, &verifyNode, plContext);
if (error) {
- goto cleanup;
+ goto cleanup;
}
- error =
- cert_BuildAndValidateChain(procParams, &result, &verifyNode, plContext);
- if (error) {
- goto cleanup;
- }
-
if (pRevoked) {
- /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
- *pRevoked = PR_FALSE;
+ /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
+ *pRevoked = PR_FALSE;
}
if (pSigerror) {
- /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
- *pSigerror = PR_FALSE;
+ /* Currently always PR_FALSE. Will be fixed as a part of 394077 */
+ *pSigerror = PR_FALSE;
}
rv = SECSuccess;
-cleanup:
+ cleanup:
error = cert_GetBuildResults(result, verifyNode, error, log, NULL, NULL,
plContext);
if (error) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
}
if (procParams) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
}
if (plContext) {
- PKIX_PL_NssContext_Destroy(plContext);
+ PKIX_PL_NssContext_Destroy(plContext);
}
#ifdef PKIX_OBJECT_LEAK_TEST
leakedObjNum =
pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL);
-
+
if (pkixLog && leakedObjNum) {
- PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d."
- "Stack %s\n", memLeakLoopCount, errorFnStackString));
+ PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d."
+ "Stack %s\n",
+ memLeakLoopCount, errorFnStackString));
}
PR_Free(errorFnStackString);
errorFnStackString = NULL;
if (abortOnLeak) {
- PORT_Assert(leakedObjNum == 0);
+ PORT_Assert(leakedObjNum == 0);
}
-} while (errorGenerated);
+ } while (errorGenerated);
- runningLeakTest = PKIX_FALSE;
- PR_ATOMIC_DECREMENT(&parallelFnInvocationCount);
- usePKIXValidationEngine = savedUsePkixEngFlag;
+ runningLeakTest = PKIX_FALSE;
+ PR_ATOMIC_DECREMENT(&parallelFnInvocationCount);
+ usePKIXValidationEngine = savedUsePkixEngFlag;
#endif /* PKIX_OBJECT_LEAK_TEST */
- return rv;
+ return rv;
}
-PKIX_CertSelector *
-cert_GetTargetCertConstraints(CERTCertificate *target, void *plContext)
-{
- PKIX_ComCertSelParams *certSelParams = NULL;
- PKIX_CertSelector *certSelector = NULL;
- PKIX_CertSelector *r= NULL;
- PKIX_PL_Cert *eeCert = NULL;
- PKIX_Error *error = NULL;
+PKIX_CertSelector *cert_GetTargetCertConstraints(CERTCertificate *target,
+ void *plContext) {
+ PKIX_ComCertSelParams *certSelParams = NULL;
+ PKIX_CertSelector *certSelector = NULL;
+ PKIX_CertSelector *r = NULL;
+ PKIX_PL_Cert *eeCert = NULL;
+ PKIX_Error *error = NULL;
- error = PKIX_PL_Cert_CreateFromCERTCertificate(target, &eeCert, plContext);
- if (error != NULL) goto cleanup;
+ error = PKIX_PL_Cert_CreateFromCERTCertificate(target, &eeCert, plContext);
+ if (error != NULL) goto cleanup;
- error = PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext);
- if (error != NULL) goto cleanup;
+ error = PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext);
+ if (error != NULL) goto cleanup;
- error = PKIX_ComCertSelParams_Create(&certSelParams, plContext);
- if (error != NULL) goto cleanup;
+ error = PKIX_ComCertSelParams_Create(&certSelParams, plContext);
+ if (error != NULL) goto cleanup;
- error = PKIX_ComCertSelParams_SetCertificate(
- certSelParams, eeCert, plContext);
- if (error != NULL) goto cleanup;
+ error =
+ PKIX_ComCertSelParams_SetCertificate(certSelParams, eeCert, plContext);
+ if (error != NULL) goto cleanup;
- error = PKIX_CertSelector_SetCommonCertSelectorParams
- (certSelector, certSelParams, plContext);
- if (error != NULL) goto cleanup;
+ error = PKIX_CertSelector_SetCommonCertSelectorParams(
+ certSelector, certSelParams, plContext);
+ if (error != NULL) goto cleanup;
- error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certSelector, plContext);
- if (error == NULL) r = certSelector;
+ error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certSelector, plContext);
+ if (error == NULL) r = certSelector;
cleanup:
- if (certSelParams != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelParams, plContext);
+ if (certSelParams != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelParams, plContext);
- if (eeCert != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)eeCert, plContext);
+ if (eeCert != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)eeCert, plContext);
- if (certSelector != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
+ if (certSelector != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
- if (error != NULL) {
- SECErrorCodes nssErr;
+ if (error != NULL) {
+ SECErrorCodes nssErr;
- cert_PkixErrorToNssCode(error, &nssErr, plContext);
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
- PORT_SetError(nssErr);
- }
+ cert_PkixErrorToNssCode(error, &nssErr, plContext);
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+ PORT_SetError(nssErr);
+ }
- return r;
+ return r;
}
-static PKIX_List *
-cert_GetCertStores(void *plContext)
-{
- PKIX_CertStore *certStore = NULL;
- PKIX_List *certStores = NULL;
- PKIX_List *r = NULL;
- PKIX_Error *error = NULL;
+static PKIX_List *cert_GetCertStores(void *plContext) {
+ PKIX_CertStore *certStore = NULL;
+ PKIX_List *certStores = NULL;
+ PKIX_List *r = NULL;
+ PKIX_Error *error = NULL;
- error = PKIX_PL_Pk11CertStore_Create(&certStore, plContext);
- if (error != NULL) goto cleanup;
+ error = PKIX_PL_Pk11CertStore_Create(&certStore, plContext);
+ if (error != NULL) goto cleanup;
- error = PKIX_List_Create(&certStores, plContext);
- if (error != NULL) goto cleanup;
+ error = PKIX_List_Create(&certStores, plContext);
+ if (error != NULL) goto cleanup;
- error = PKIX_List_AppendItem( certStores,
- (PKIX_PL_Object *)certStore, plContext);
- if (error != NULL) goto cleanup;
+ error =
+ PKIX_List_AppendItem(certStores, (PKIX_PL_Object *)certStore, plContext);
+ if (error != NULL) goto cleanup;
- error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certStores, plContext);
- if (error == NULL) r = certStores;
+ error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)certStores, plContext);
+ if (error == NULL) r = certStores;
cleanup:
- if (certStores != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
+ if (certStores != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
- if (certStore != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStore, plContext);
+ if (certStore != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStore, plContext);
- if (error != NULL) {
- SECErrorCodes nssErr;
+ if (error != NULL) {
+ SECErrorCodes nssErr;
- cert_PkixErrorToNssCode(error, &nssErr, plContext);
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
- PORT_SetError(nssErr);
- }
+ cert_PkixErrorToNssCode(error, &nssErr, plContext);
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+ PORT_SetError(nssErr);
+ }
- return r;
+ return r;
}
-
struct fake_PKIX_PL_CertStruct {
- CERTCertificate *nssCert;
+ CERTCertificate *nssCert;
};
/* This needs to be part of the PKIX_PL_* */
/* This definitely needs to go away, and be replaced with
a real accessor function in PKIX */
-static CERTCertificate *
-cert_NSSCertFromPKIXCert(const PKIX_PL_Cert *pkix_cert)
-{
- struct fake_PKIX_PL_CertStruct *fcert = NULL;
+static CERTCertificate *cert_NSSCertFromPKIXCert(
+ const PKIX_PL_Cert *pkix_cert) {
+ struct fake_PKIX_PL_CertStruct *fcert = NULL;
- fcert = (struct fake_PKIX_PL_CertStruct*)pkix_cert;
+ fcert = (struct fake_PKIX_PL_CertStruct *)pkix_cert;
- return CERT_DupCertificate(fcert->nssCert);
+ return CERT_DupCertificate(fcert->nssCert);
}
-PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plContext)
-{
- PKIX_List *r = NULL;
- PKIX_List *policyList = NULL;
- PKIX_PL_OID *policyOID = NULL;
- PKIX_Error *error = NULL;
- int i;
+PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount,
+ void *plContext) {
+ PKIX_List *r = NULL;
+ PKIX_List *policyList = NULL;
+ PKIX_PL_OID *policyOID = NULL;
+ PKIX_Error *error = NULL;
+ int i;
- error = PKIX_List_Create(&policyList, plContext);
+ error = PKIX_List_Create(&policyList, plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
+
+ for (i = 0; i < oidCount; i++) {
+ error = PKIX_PL_OID_Create(oids[i], &policyOID, plContext);
+ if (error) {
+ goto cleanup;
+ }
+ error = PKIX_List_AppendItem(policyList, (PKIX_PL_Object *)policyOID,
+ plContext);
if (error != NULL) {
- goto cleanup;
+ goto cleanup;
}
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext);
+ policyOID = NULL;
+ }
- for (i=0; i<oidCount; i++) {
- error = PKIX_PL_OID_Create(oids[i], &policyOID, plContext);
- if (error) {
- goto cleanup;
- }
- error = PKIX_List_AppendItem(policyList,
- (PKIX_PL_Object *)policyOID, plContext);
- if (error != NULL) {
- goto cleanup;
- }
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext);
- policyOID = NULL;
- }
+ error = PKIX_List_SetImmutable(policyList, plContext);
+ if (error != NULL) goto cleanup;
- error = PKIX_List_SetImmutable(policyList, plContext);
- if (error != NULL) goto cleanup;
-
- error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)policyList, plContext);
- if (error == NULL) r = policyList;
+ error = PKIX_PL_Object_IncRef((PKIX_PL_Object *)policyList, plContext);
+ if (error == NULL) r = policyList;
cleanup:
- if (policyOID != NULL) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext);
- }
- if (policyList != NULL) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyList, plContext);
- }
- if (error != NULL) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
- }
+ if (policyOID != NULL) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext);
+ }
+ if (policyList != NULL) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyList, plContext);
+ }
+ if (error != NULL) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+ }
- return r;
+ return r;
}
-CERTValOutParam *
-cert_pkix_FindOutputParam(CERTValOutParam *params, const CERTValParamOutType t)
-{
- CERTValOutParam *i;
- if (params == NULL) {
- return NULL;
+CERTValOutParam *cert_pkix_FindOutputParam(CERTValOutParam *params,
+ const CERTValParamOutType t) {
+ CERTValOutParam *i;
+ if (params == NULL) {
+ return NULL;
+ }
+ for (i = params; i->type != cert_po_end; i++) {
+ if (i->type == t) {
+ return i;
}
- for (i = params; i->type != cert_po_end; i++) {
- if (i->type == t) {
- return i;
- }
- }
- return NULL;
+ }
+ return NULL;
}
+static PKIX_Error *setRevocationMethod(
+ PKIX_RevocationChecker *revChecker, PKIX_ProcessingParams *procParams,
+ const CERTRevocationTests *revTest, CERTRevocationMethodIndex certRevMethod,
+ PKIX_RevocationMethodType pkixRevMethod, PKIX_Boolean verifyResponderUsages,
+ PKIX_Boolean isLeafTest, void *plContext) {
+ PKIX_UInt32 methodFlags = 0;
+ PKIX_Error *error = NULL;
+ int priority = 0;
-static PKIX_Error*
-setRevocationMethod(PKIX_RevocationChecker *revChecker,
- PKIX_ProcessingParams *procParams,
- const CERTRevocationTests *revTest,
- CERTRevocationMethodIndex certRevMethod,
- PKIX_RevocationMethodType pkixRevMethod,
- PKIX_Boolean verifyResponderUsages,
- PKIX_Boolean isLeafTest,
- void *plContext)
-{
- PKIX_UInt32 methodFlags = 0;
- PKIX_Error *error = NULL;
- int priority = 0;
-
- if (revTest->number_of_defined_methods <= certRevMethod) {
- return NULL;
+ if (revTest->number_of_defined_methods <= certRevMethod) {
+ return NULL;
+ }
+ if (revTest->preferred_methods) {
+ int i = 0;
+ for (; i < revTest->number_of_preferred_methods; i++) {
+ if (revTest->preferred_methods[i] == certRevMethod) break;
}
- if (revTest->preferred_methods) {
- int i = 0;
- for (;i < revTest->number_of_preferred_methods;i++) {
- if (revTest->preferred_methods[i] == certRevMethod)
- break;
- }
- priority = i;
- }
- methodFlags = revTest->cert_rev_flags_per_method[certRevMethod];
- if (verifyResponderUsages &&
- pkixRevMethod == PKIX_RevocationMethod_OCSP) {
- methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING;
- }
- error =
- PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
- pkixRevMethod, methodFlags,
- priority, NULL,
- isLeafTest, plContext);
- return error;
+ priority = i;
+ }
+ methodFlags = revTest->cert_rev_flags_per_method[certRevMethod];
+ if (verifyResponderUsages && pkixRevMethod == PKIX_RevocationMethod_OCSP) {
+ methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING;
+ }
+ error = PKIX_RevocationChecker_CreateAndAddMethod(
+ revChecker, procParams, pkixRevMethod, methodFlags, priority, NULL,
+ isLeafTest, plContext);
+ return error;
}
+SECStatus cert_pkixSetParam(PKIX_ProcessingParams *procParams,
+ const CERTValInParam *param, void *plContext) {
+ PKIX_Error *error = NULL;
+ SECStatus r = SECSuccess;
+ PKIX_PL_Date *date = NULL;
+ PKIX_List *policyOIDList = NULL;
+ PKIX_List *certListPkix = NULL;
+ const CERTRevocationFlags *flags;
+ SECErrorCodes errCode = SEC_ERROR_INVALID_ARGS;
+ const CERTCertList *certList = NULL;
+ CERTCertListNode *node;
+ PKIX_PL_Cert *certPkix = NULL;
+ PKIX_TrustAnchor *trustAnchor = NULL;
+ PKIX_PL_Date *revDate = NULL;
+ PKIX_RevocationChecker *revChecker = NULL;
+ PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext;
-SECStatus
-cert_pkixSetParam(PKIX_ProcessingParams *procParams,
- const CERTValInParam *param, void *plContext)
-{
- PKIX_Error * error = NULL;
- SECStatus r=SECSuccess;
- PKIX_PL_Date *date = NULL;
- PKIX_List *policyOIDList = NULL;
- PKIX_List *certListPkix = NULL;
- const CERTRevocationFlags *flags;
- SECErrorCodes errCode = SEC_ERROR_INVALID_ARGS;
- const CERTCertList *certList = NULL;
- CERTCertListNode *node;
- PKIX_PL_Cert *certPkix = NULL;
- PKIX_TrustAnchor *trustAnchor = NULL;
- PKIX_PL_Date *revDate = NULL;
- PKIX_RevocationChecker *revChecker = NULL;
- PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext;
+ /* XXX we need a way to map generic PKIX error to generic NSS errors */
- /* XXX we need a way to map generic PKIX error to generic NSS errors */
+ switch (param->type) {
- switch (param->type) {
+ case cert_pi_policyOID:
- case cert_pi_policyOID:
+ /* needed? */
+ error = PKIX_ProcessingParams_SetExplicitPolicyRequired(
+ procParams, PKIX_TRUE, plContext);
- /* needed? */
- error = PKIX_ProcessingParams_SetExplicitPolicyRequired(
- procParams, PKIX_TRUE, plContext);
+ if (error != NULL) {
+ break;
+ }
- if (error != NULL) {
- break;
- }
+ policyOIDList = cert_PKIXMakeOIDList(param->value.array.oids,
+ param->value.arraySize, plContext);
+ if (policyOIDList == NULL) {
+ r = SECFailure;
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ break;
+ }
- policyOIDList = cert_PKIXMakeOIDList(param->value.array.oids,
- param->value.arraySize,plContext);
- if (policyOIDList == NULL) {
- r = SECFailure;
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- break;
- }
+ error = PKIX_ProcessingParams_SetInitialPolicies(
+ procParams, policyOIDList, plContext);
+ break;
- error = PKIX_ProcessingParams_SetInitialPolicies(
- procParams,policyOIDList,plContext);
- break;
+ case cert_pi_date:
+ if (param->value.scalar.time == 0) {
+ error = PKIX_PL_Date_Create_UTCTime(NULL, &date, plContext);
+ if (error != NULL) {
+ errCode = SEC_ERROR_INVALID_TIME;
+ break;
+ }
+ } else {
+ error = pkix_pl_Date_CreateFromPRTime(param->value.scalar.time, &date,
+ plContext);
+ if (error != NULL) {
+ errCode = SEC_ERROR_INVALID_TIME;
+ break;
+ }
+ }
- case cert_pi_date:
- if (param->value.scalar.time == 0) {
- error = PKIX_PL_Date_Create_UTCTime(NULL, &date, plContext);
- if (error != NULL) {
- errCode = SEC_ERROR_INVALID_TIME;
- break;
- }
- } else {
- error = pkix_pl_Date_CreateFromPRTime(param->value.scalar.time,
- &date, plContext);
- if (error != NULL) {
- errCode = SEC_ERROR_INVALID_TIME;
- break;
- }
- }
+ error = PKIX_ProcessingParams_SetDate(procParams, date, plContext);
+ if (error != NULL) {
+ errCode = SEC_ERROR_INVALID_TIME;
+ }
+ break;
- error = PKIX_ProcessingParams_SetDate(procParams, date, plContext);
- if (error != NULL) {
- errCode = SEC_ERROR_INVALID_TIME;
- }
- break;
+ case cert_pi_revocationFlags: {
+ PKIX_UInt32 leafIMFlags = 0;
+ PKIX_UInt32 chainIMFlags = 0;
+ PKIX_Boolean validatingResponderCert = PKIX_FALSE;
- case cert_pi_revocationFlags:
- {
- PKIX_UInt32 leafIMFlags = 0;
- PKIX_UInt32 chainIMFlags = 0;
- PKIX_Boolean validatingResponderCert = PKIX_FALSE;
+ flags = param->value.pointer.revocation;
+ if (!flags) {
+ PORT_SetError(errCode);
+ r = SECFailure;
+ break;
+ }
- flags = param->value.pointer.revocation;
- if (!flags) {
- PORT_SetError(errCode);
- r = SECFailure;
- break;
- }
+ leafIMFlags = flags->leafTests.cert_rev_method_independent_flags;
+ chainIMFlags = flags->chainTests.cert_rev_method_independent_flags;
- leafIMFlags =
- flags->leafTests.cert_rev_method_independent_flags;
- chainIMFlags =
- flags->chainTests.cert_rev_method_independent_flags;
+ error = PKIX_RevocationChecker_Create(leafIMFlags, chainIMFlags,
+ &revChecker, plContext);
+ if (error) {
+ break;
+ }
- error =
- PKIX_RevocationChecker_Create(leafIMFlags, chainIMFlags,
- &revChecker, plContext);
- if (error) {
- break;
- }
+ error = PKIX_ProcessingParams_SetRevocationChecker(procParams, revChecker,
+ plContext);
+ if (error) {
+ break;
+ }
- error =
- PKIX_ProcessingParams_SetRevocationChecker(procParams,
- revChecker, plContext);
- if (error) {
- break;
- }
+ if (((PKIX_PL_NssContext *)plContext)->certificateUsage &
+ certificateUsageStatusResponder) {
+ validatingResponderCert = PKIX_TRUE;
+ }
- if (((PKIX_PL_NssContext*)plContext)->certificateUsage &
- certificateUsageStatusResponder) {
- validatingResponderCert = PKIX_TRUE;
- }
+ error = setRevocationMethod(
+ revChecker, procParams, &flags->leafTests, cert_revocation_method_crl,
+ PKIX_RevocationMethod_CRL, validatingResponderCert, PKIX_TRUE,
+ plContext);
+ if (error) {
+ break;
+ }
- error = setRevocationMethod(revChecker,
- procParams, &flags->leafTests,
- cert_revocation_method_crl,
- PKIX_RevocationMethod_CRL,
- validatingResponderCert,
- PKIX_TRUE, plContext);
- if (error) {
- break;
- }
+ error = setRevocationMethod(
+ revChecker, procParams, &flags->leafTests,
+ cert_revocation_method_ocsp, PKIX_RevocationMethod_OCSP,
+ validatingResponderCert, PKIX_TRUE, plContext);
+ if (error) {
+ break;
+ }
- error = setRevocationMethod(revChecker,
- procParams, &flags->leafTests,
- cert_revocation_method_ocsp,
- PKIX_RevocationMethod_OCSP,
- validatingResponderCert,
- PKIX_TRUE, plContext);
- if (error) {
- break;
- }
+ error = setRevocationMethod(
+ revChecker, procParams, &flags->chainTests,
+ cert_revocation_method_crl, PKIX_RevocationMethod_CRL,
+ validatingResponderCert, PKIX_FALSE, plContext);
+ if (error) {
+ break;
+ }
- error = setRevocationMethod(revChecker,
- procParams, &flags->chainTests,
- cert_revocation_method_crl,
- PKIX_RevocationMethod_CRL,
- validatingResponderCert,
- PKIX_FALSE, plContext);
- if (error) {
- break;
- }
+ error = setRevocationMethod(
+ revChecker, procParams, &flags->chainTests,
+ cert_revocation_method_ocsp, PKIX_RevocationMethod_OCSP,
+ validatingResponderCert, PKIX_FALSE, plContext);
+ if (error) {
+ break;
+ }
- error = setRevocationMethod(revChecker,
- procParams, &flags->chainTests,
- cert_revocation_method_ocsp,
- PKIX_RevocationMethod_OCSP,
- validatingResponderCert,
- PKIX_FALSE, plContext);
- if (error) {
- break;
- }
+ } break;
+ case cert_pi_trustAnchors:
+ certList = param->value.pointer.chain;
+ if (!certList) {
+ PORT_SetError(errCode);
+ r = SECFailure;
+ break;
+ }
+ error = PKIX_List_Create(&certListPkix, plContext);
+ if (error != NULL) {
+ break;
+ }
+ for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList);
+ node = CERT_LIST_NEXT(node)) {
+ error = PKIX_PL_Cert_CreateFromCERTCertificate(node->cert, &certPkix,
+ plContext);
+ if (error) {
+ break;
+ }
+ error =
+ PKIX_TrustAnchor_CreateWithCert(certPkix, &trustAnchor, plContext);
+ if (error) {
+ break;
+ }
+ error = PKIX_List_AppendItem(certListPkix,
+ (PKIX_PL_Object *)trustAnchor, plContext);
+ if (error) {
+ break;
+ }
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
+ trustAnchor = NULL;
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext);
+ certPkix = NULL;
+ }
+ error = PKIX_ProcessingParams_SetTrustAnchors(procParams, certListPkix,
+ plContext);
+ break;
+
+ case cert_pi_useAIACertFetch:
+ error = PKIX_ProcessingParams_SetUseAIAForCertFetching(
+ procParams, (PRBool)(param->value.scalar.b != 0), plContext);
+ break;
+
+ case cert_pi_chainVerifyCallback: {
+ const CERTChainVerifyCallback *chainVerifyCallback =
+ param->value.pointer.chainVerifyCallback;
+ if (!chainVerifyCallback || !chainVerifyCallback->isChainValid) {
+ PORT_SetError(errCode);
+ r = SECFailure;
+ break;
+ }
+
+ nssContext->chainVerifyCallback = *chainVerifyCallback;
+ } break;
+
+ case cert_pi_useOnlyTrustAnchors:
+ error = PKIX_ProcessingParams_SetUseOnlyTrustAnchors(
+ procParams, (PRBool)(param->value.scalar.b != 0), plContext);
+ break;
+
+ default:
+ PORT_SetError(errCode);
+ r = SECFailure;
+ break;
+ }
+
+ if (policyOIDList != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOIDList, plContext);
+
+ if (date != NULL) PKIX_PL_Object_DecRef((PKIX_PL_Object *)date, plContext);
+
+ if (revDate != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)revDate, plContext);
+
+ if (revChecker != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)revChecker, plContext);
+
+ if (certListPkix)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certListPkix, plContext);
+
+ if (trustAnchor)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
+
+ if (certPkix) PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext);
+
+ if (error != NULL) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+ PORT_SetError(errCode);
+ r = SECFailure;
+ }
+
+ return r;
+}
+
+void cert_pkixDestroyValOutParam(CERTValOutParam *params) {
+ CERTValOutParam *i;
+
+ if (params == NULL) {
+ return;
+ }
+ for (i = params; i->type != cert_po_end; i++) {
+ switch (i->type) {
+ case cert_po_trustAnchor:
+ if (i->value.pointer.cert) {
+ CERT_DestroyCertificate(i->value.pointer.cert);
+ i->value.pointer.cert = NULL;
}
break;
- case cert_pi_trustAnchors:
- certList = param->value.pointer.chain;
- if (!certList) {
- PORT_SetError(errCode);
- r = SECFailure;
- break;
- }
- error = PKIX_List_Create(&certListPkix, plContext);
- if (error != NULL) {
- break;
- }
- for(node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList);
- node = CERT_LIST_NEXT(node) ) {
- error = PKIX_PL_Cert_CreateFromCERTCertificate(node->cert,
- &certPkix, plContext);
- if (error) {
- break;
- }
- error = PKIX_TrustAnchor_CreateWithCert(certPkix, &trustAnchor,
- plContext);
- if (error) {
- break;
- }
- error = PKIX_List_AppendItem(certListPkix,
- (PKIX_PL_Object*)trustAnchor, plContext);
- if (error) {
- break;
- }
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
- trustAnchor = NULL;
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext);
- certPkix = NULL;
- }
- error =
- PKIX_ProcessingParams_SetTrustAnchors(procParams, certListPkix,
- plContext);
- break;
-
- case cert_pi_useAIACertFetch:
- error =
- PKIX_ProcessingParams_SetUseAIAForCertFetching(procParams,
- (PRBool)(param->value.scalar.b != 0),
- plContext);
- break;
-
- case cert_pi_chainVerifyCallback:
- {
- const CERTChainVerifyCallback *chainVerifyCallback =
- param->value.pointer.chainVerifyCallback;
- if (!chainVerifyCallback || !chainVerifyCallback->isChainValid) {
- PORT_SetError(errCode);
- r = SECFailure;
- break;
- }
-
- nssContext->chainVerifyCallback = *chainVerifyCallback;
+ case cert_po_certList:
+ if (i->value.pointer.chain) {
+ CERT_DestroyCertList(i->value.pointer.chain);
+ i->value.pointer.chain = NULL;
}
break;
- case cert_pi_useOnlyTrustAnchors:
- error =
- PKIX_ProcessingParams_SetUseOnlyTrustAnchors(procParams,
- (PRBool)(param->value.scalar.b != 0),
- plContext);
- break;
-
- default:
- PORT_SetError(errCode);
- r = SECFailure;
- break;
+ default:
+ break;
}
-
- if (policyOIDList != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOIDList, plContext);
-
- if (date != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)date, plContext);
-
- if (revDate != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)revDate, plContext);
-
- if (revChecker != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)revChecker, plContext);
-
- if (certListPkix)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certListPkix, plContext);
-
- if (trustAnchor)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
-
- if (certPkix)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certPkix, plContext);
-
- if (error != NULL) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
- PORT_SetError(errCode);
- r = SECFailure;
- }
-
- return r;
-
-}
-
-void
-cert_pkixDestroyValOutParam(CERTValOutParam *params)
-{
- CERTValOutParam *i;
-
- if (params == NULL) {
- return;
- }
- for (i = params; i->type != cert_po_end; i++) {
- switch (i->type) {
- case cert_po_trustAnchor:
- if (i->value.pointer.cert) {
- CERT_DestroyCertificate(i->value.pointer.cert);
- i->value.pointer.cert = NULL;
- }
- break;
-
- case cert_po_certList:
- if (i->value.pointer.chain) {
- CERT_DestroyCertList(i->value.pointer.chain);
- i->value.pointer.chain = NULL;
- }
- break;
-
- default:
- break;
- }
- }
+ }
}
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- CERT_REV_M_TEST_USING_THIS_METHOD
-};
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ CERT_REV_M_TEST_USING_THIS_METHOD};
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- 0
-};
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ 0};
-static CERTRevocationMethodIndex
-certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference = {
- cert_revocation_method_crl
-};
+static CERTRevocationMethodIndex
+ certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference = {
+ cert_revocation_method_crl};
static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy = {
- {
- /* leafTests */
- 2,
- certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags,
- 1,
- &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference,
- 0
- },
- {
- /* chainTests */
- 2,
- certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags,
- 0,
- 0,
- 0
- }
-};
+ {
+ /* leafTests */
+ 2, certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_LeafFlags,
+ 1, &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_Method_Preference,
+ 0},
+ {
+ /* chainTests */
+ 2, certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy_ChainFlags, 0, 0, 0}};
-extern const CERTRevocationFlags*
-CERT_GetClassicOCSPEnabledSoftFailurePolicy()
-{
- return &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy;
+extern const CERTRevocationFlags *
+CERT_GetClassicOCSPEnabledSoftFailurePolicy() {
+ return &certRev_NSS_3_11_Ocsp_Enabled_Soft_Policy;
}
-
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
-};
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO};
static PRUint64 certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- 0
-};
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ 0};
-static CERTRevocationMethodIndex
-certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference = {
- cert_revocation_method_crl
-};
+static CERTRevocationMethodIndex
+ certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference = {
+ cert_revocation_method_crl};
static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy = {
- {
- /* leafTests */
- 2,
- certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags,
- 1,
- &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference,
- 0
- },
- {
- /* chainTests */
- 2,
- certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags,
- 0,
- 0,
- 0
- }
-};
+ {
+ /* leafTests */
+ 2, certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_LeafFlags,
+ 1, &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_Method_Preference,
+ 0},
+ {
+ /* chainTests */
+ 2, certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy_ChainFlags, 0, 0, 0}};
-extern const CERTRevocationFlags*
-CERT_GetClassicOCSPEnabledHardFailurePolicy()
-{
- return &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy;
+extern const CERTRevocationFlags *
+CERT_GetClassicOCSPEnabledHardFailurePolicy() {
+ return &certRev_NSS_3_11_Ocsp_Enabled_Hard_Policy;
}
-
static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- 0
-};
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ 0};
static PRUint64 certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FORBID_NETWORK_FETCHING
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
- /* ocsp */
- 0
-};
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FORBID_NETWORK_FETCHING |
+ CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO,
+ /* ocsp */
+ 0};
static const CERTRevocationFlags certRev_NSS_3_11_Ocsp_Disabled_Policy = {
- {
- /* leafTests */
- 2,
- certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags,
- 0,
- 0,
- 0
- },
- {
- /* chainTests */
- 2,
- certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags,
- 0,
- 0,
- 0
- }
-};
+ {
+ /* leafTests */
+ 2, certRev_NSS_3_11_Ocsp_Disabled_Policy_LeafFlags, 0, 0, 0},
+ {
+ /* chainTests */
+ 2, certRev_NSS_3_11_Ocsp_Disabled_Policy_ChainFlags, 0, 0, 0}};
-extern const CERTRevocationFlags*
-CERT_GetClassicOCSPDisabledPolicy()
-{
- return &certRev_NSS_3_11_Ocsp_Disabled_Policy;
+extern const CERTRevocationFlags *CERT_GetClassicOCSPDisabledPolicy() {
+ return &certRev_NSS_3_11_Ocsp_Disabled_Policy;
}
-
static PRUint64 certRev_PKIX_Verify_Nist_Policy_LeafFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
- | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
- /* ocsp */
- 0
-};
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO |
+ CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
+ /* ocsp */
+ 0};
static PRUint64 certRev_PKIX_Verify_Nist_Policy_ChainFlags[2] = {
- /* crl */
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
- | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
- /* ocsp */
- 0
-};
+ /* crl */
+ CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO |
+ CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE,
+ /* ocsp */
+ 0};
static const CERTRevocationFlags certRev_PKIX_Verify_Nist_Policy = {
- {
- /* leafTests */
- 2,
- certRev_PKIX_Verify_Nist_Policy_LeafFlags,
- 0,
- 0,
- 0
- },
- {
- /* chainTests */
- 2,
- certRev_PKIX_Verify_Nist_Policy_ChainFlags,
- 0,
- 0,
- 0
- }
-};
+ {
+ /* leafTests */
+ 2, certRev_PKIX_Verify_Nist_Policy_LeafFlags, 0, 0, 0},
+ {
+ /* chainTests */
+ 2, certRev_PKIX_Verify_Nist_Policy_ChainFlags, 0, 0, 0}};
-extern const CERTRevocationFlags*
-CERT_GetPKIXVerifyNistRevocationPolicy()
-{
- return &certRev_PKIX_Verify_Nist_Policy;
+extern const CERTRevocationFlags *CERT_GetPKIXVerifyNistRevocationPolicy() {
+ return &certRev_PKIX_Verify_Nist_Policy;
}
-CERTRevocationFlags *
-CERT_AllocCERTRevocationFlags(
+CERTRevocationFlags *CERT_AllocCERTRevocationFlags(
PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods,
- PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods)
-{
- CERTRevocationFlags *flags;
-
- flags = PORT_New(CERTRevocationFlags);
- if (!flags)
- return(NULL);
-
- flags->leafTests.number_of_defined_methods = number_leaf_methods;
- flags->leafTests.cert_rev_flags_per_method =
- PORT_NewArray(PRUint64, number_leaf_methods);
+ PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods) {
+ CERTRevocationFlags *flags;
- flags->leafTests.number_of_preferred_methods = number_leaf_pref_methods;
- flags->leafTests.preferred_methods =
- PORT_NewArray(CERTRevocationMethodIndex, number_leaf_pref_methods);
+ flags = PORT_New(CERTRevocationFlags);
+ if (!flags) return (NULL);
- flags->chainTests.number_of_defined_methods = number_chain_methods;
- flags->chainTests.cert_rev_flags_per_method =
- PORT_NewArray(PRUint64, number_chain_methods);
+ flags->leafTests.number_of_defined_methods = number_leaf_methods;
+ flags->leafTests.cert_rev_flags_per_method =
+ PORT_NewArray(PRUint64, number_leaf_methods);
- flags->chainTests.number_of_preferred_methods = number_chain_pref_methods;
- flags->chainTests.preferred_methods =
- PORT_NewArray(CERTRevocationMethodIndex, number_chain_pref_methods);
-
- if (!flags->leafTests.cert_rev_flags_per_method
- || !flags->leafTests.preferred_methods
- || !flags->chainTests.cert_rev_flags_per_method
- || !flags->chainTests.preferred_methods) {
- CERT_DestroyCERTRevocationFlags(flags);
- return (NULL);
- }
-
- return flags;
+ flags->leafTests.number_of_preferred_methods = number_leaf_pref_methods;
+ flags->leafTests.preferred_methods =
+ PORT_NewArray(CERTRevocationMethodIndex, number_leaf_pref_methods);
+
+ flags->chainTests.number_of_defined_methods = number_chain_methods;
+ flags->chainTests.cert_rev_flags_per_method =
+ PORT_NewArray(PRUint64, number_chain_methods);
+
+ flags->chainTests.number_of_preferred_methods = number_chain_pref_methods;
+ flags->chainTests.preferred_methods =
+ PORT_NewArray(CERTRevocationMethodIndex, number_chain_pref_methods);
+
+ if (!flags->leafTests.cert_rev_flags_per_method ||
+ !flags->leafTests.preferred_methods ||
+ !flags->chainTests.cert_rev_flags_per_method ||
+ !flags->chainTests.preferred_methods) {
+ CERT_DestroyCERTRevocationFlags(flags);
+ return (NULL);
+ }
+
+ return flags;
}
-void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags)
-{
- if (!flags)
- return;
-
- if (flags->leafTests.cert_rev_flags_per_method)
- PORT_Free(flags->leafTests.cert_rev_flags_per_method);
+void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags) {
+ if (!flags) return;
- if (flags->leafTests.preferred_methods)
- PORT_Free(flags->leafTests.preferred_methods);
-
- if (flags->chainTests.cert_rev_flags_per_method)
- PORT_Free(flags->chainTests.cert_rev_flags_per_method);
+ if (flags->leafTests.cert_rev_flags_per_method)
+ PORT_Free(flags->leafTests.cert_rev_flags_per_method);
- if (flags->chainTests.preferred_methods)
- PORT_Free(flags->chainTests.preferred_methods);
+ if (flags->leafTests.preferred_methods)
+ PORT_Free(flags->leafTests.preferred_methods);
- PORT_Free(flags);
+ if (flags->chainTests.cert_rev_flags_per_method)
+ PORT_Free(flags->chainTests.cert_rev_flags_per_method);
+
+ if (flags->chainTests.preferred_methods)
+ PORT_Free(flags->chainTests.preferred_methods);
+
+ PORT_Free(flags);
}
/*
* CERT_PKIXVerifyCert
*
* Verify a Certificate using the PKIX library.
*
* Parameters:
@@ -1983,277 +1753,270 @@ void CERT_DestroyCERTRevocationFlags(CER
* args[0].type = cvpt_policyOID;
* args[0].value.si = oid;
* args[1].type = revCheckRequired;
* args[1].value.b = PR_TRUE;
* args[2].type = cvpt_end;
*
* CERT_PKIXVerifyCert(cert, &output, args
*/
-SECStatus CERT_PKIXVerifyCert(
- CERTCertificate *cert,
- SECCertificateUsage usages,
- CERTValInParam *paramsIn,
- CERTValOutParam *paramsOut,
- void *wincx)
-{
- SECStatus r = SECFailure;
- PKIX_Error * error = NULL;
- PKIX_ProcessingParams *procParams = NULL;
- PKIX_BuildResult * buildResult = NULL;
- void * nbioContext = NULL; /* for non-blocking IO */
- void * buildState = NULL; /* for non-blocking IO */
- PKIX_CertSelector * certSelector = NULL;
- PKIX_List * certStores = NULL;
- PKIX_ValidateResult * valResult = NULL;
- PKIX_VerifyNode * verifyNode = NULL;
- PKIX_TrustAnchor * trustAnchor = NULL;
- PKIX_PL_Cert * trustAnchorCert = NULL;
- PKIX_List * builtCertList = NULL;
- CERTValOutParam * oparam = NULL;
- int i=0;
+SECStatus CERT_PKIXVerifyCert(CERTCertificate *cert, SECCertificateUsage usages,
+ CERTValInParam *paramsIn,
+ CERTValOutParam *paramsOut, void *wincx) {
+ SECStatus r = SECFailure;
+ PKIX_Error *error = NULL;
+ PKIX_ProcessingParams *procParams = NULL;
+ PKIX_BuildResult *buildResult = NULL;
+ void *nbioContext = NULL; /* for non-blocking IO */
+ void *buildState = NULL; /* for non-blocking IO */
+ PKIX_CertSelector *certSelector = NULL;
+ PKIX_List *certStores = NULL;
+ PKIX_ValidateResult *valResult = NULL;
+ PKIX_VerifyNode *verifyNode = NULL;
+ PKIX_TrustAnchor *trustAnchor = NULL;
+ PKIX_PL_Cert *trustAnchorCert = NULL;
+ PKIX_List *builtCertList = NULL;
+ CERTValOutParam *oparam = NULL;
+ int i = 0;
- void *plContext = NULL;
+ void *plContext = NULL;
#ifdef PKIX_OBJECT_LEAK_TEST
- int leakedObjNum = 0;
- int memLeakLoopCount = 0;
- int objCountTable[PKIX_NUMTYPES];
- int fnInvLocalCount = 0;
- PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine;
+ int leakedObjNum = 0;
+ int memLeakLoopCount = 0;
+ int objCountTable[PKIX_NUMTYPES];
+ int fnInvLocalCount = 0;
+ PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine;
- if (usePKIXValidationEngine) {
- /* current memory leak testing implementation does not allow
- * to run simultaneous tests one the same or a different threads.
- * Setting the variable to false, to make additional chain
- * validations be handled by old nss. */
- usePKIXValidationEngine = PR_FALSE;
- }
- testStartFnStackPosition = 1;
- fnStackNameArr[0] = "CERT_PKIXVerifyCert";
- fnStackInvCountArr[0] = 0;
- PKIX_Boolean abortOnLeak =
- (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
- PKIX_FALSE : PKIX_TRUE;
- runningLeakTest = PKIX_TRUE;
+ if (usePKIXValidationEngine) {
+ /* current memory leak testing implementation does not allow
+ * to run simultaneous tests one the same or a different threads.
+ * Setting the variable to false, to make additional chain
+ * validations be handled by old nss. */
+ usePKIXValidationEngine = PR_FALSE;
+ }
+ testStartFnStackPosition = 1;
+ fnStackNameArr[0] = "CERT_PKIXVerifyCert";
+ fnStackInvCountArr[0] = 0;
+ PKIX_Boolean abortOnLeak =
+ (PR_GetEnv("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? PKIX_FALSE
+ : PKIX_TRUE;
+ runningLeakTest = PKIX_TRUE;
- /* Prevent multi-threaded run of object leak test */
- fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
- PORT_Assert(fnInvLocalCount == 1);
+ /* Prevent multi-threaded run of object leak test */
+ fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
+ PORT_Assert(fnInvLocalCount == 1);
-do {
+ do {
r = SECFailure;
error = NULL;
procParams = NULL;
buildResult = NULL;
- nbioContext = NULL; /* for non-blocking IO */
- buildState = NULL; /* for non-blocking IO */
+ nbioContext = NULL; /* for non-blocking IO */
+ buildState = NULL; /* for non-blocking IO */
certSelector = NULL;
certStores = NULL;
valResult = NULL;
verifyNode = NULL;
trustAnchor = NULL;
trustAnchorCert = NULL;
builtCertList = NULL;
oparam = NULL;
- i=0;
+ i = 0;
errorGenerated = PKIX_FALSE;
stackPosition = 0;
if (leakedObjNum) {
- pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
+ pkix_pl_lifecycle_ObjectTableUpdate(objCountTable);
}
memLeakLoopCount += 1;
#endif /* PKIX_OBJECT_LEAK_TEST */
- error = PKIX_PL_NssContext_Create(
- 0, PR_FALSE /*use arena*/, wincx, &plContext);
- if (error != NULL) { /* need pkix->nss error map */
- PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
- goto cleanup;
+ error =
+ PKIX_PL_NssContext_Create(0, PR_FALSE /*use arena*/, wincx, &plContext);
+ if (error != NULL) {/* need pkix->nss error map */
+ PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
+ goto cleanup;
}
error = pkix_pl_NssContext_SetCertUsage(usages, plContext);
if (error != NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto cleanup;
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto cleanup;
}
error = PKIX_ProcessingParams_Create(&procParams, plContext);
- if (error != NULL) { /* need pkix->nss error map */
- PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
- goto cleanup;
+ if (error != NULL) {/* need pkix->nss error map */
+ PORT_SetError(SEC_ERROR_CERT_NOT_VALID);
+ goto cleanup;
}
/* local cert store should be set into procParams before
* filling in revocation settings. */
certStores = cert_GetCertStores(plContext);
if (certStores == NULL) {
- goto cleanup;
+ goto cleanup;
}
- error = PKIX_ProcessingParams_SetCertStores
- (procParams, certStores, plContext);
+ error =
+ PKIX_ProcessingParams_SetCertStores(procParams, certStores, plContext);
if (error != NULL) {
- goto cleanup;
+ goto cleanup;
}
/* now process the extensible input parameters structure */
if (paramsIn != NULL) {
- i=0;
- while (paramsIn[i].type != cert_pi_end) {
- if (paramsIn[i].type >= cert_pi_max) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto cleanup;
- }
- if (cert_pkixSetParam(procParams,
- &paramsIn[i],plContext) != SECSuccess) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto cleanup;
- }
- i++;
+ i = 0;
+ while (paramsIn[i].type != cert_pi_end) {
+ if (paramsIn[i].type >= cert_pi_max) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto cleanup;
}
+ if (cert_pkixSetParam(procParams, &paramsIn[i], plContext) !=
+ SECSuccess) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto cleanup;
+ }
+ i++;
+ }
}
certSelector = cert_GetTargetCertConstraints(cert, plContext);
if (certSelector == NULL) {
- goto cleanup;
+ goto cleanup;
}
- error = PKIX_ProcessingParams_SetTargetCertConstraints
- (procParams, certSelector, plContext);
+ error = PKIX_ProcessingParams_SetTargetCertConstraints(
+ procParams, certSelector, plContext);
if (error != NULL) {
- goto cleanup;
+ goto cleanup;
}
- error = PKIX_BuildChain( procParams, &nbioContext,
- &buildState, &buildResult, &verifyNode,
- plContext);
+ error = PKIX_BuildChain(procParams, &nbioContext, &buildState, &buildResult,
+ &verifyNode, plContext);
if (error != NULL) {
- goto cleanup;
+ goto cleanup;
}
- error = PKIX_BuildResult_GetValidateResult( buildResult, &valResult,
- plContext);
+ error =
+ PKIX_BuildResult_GetValidateResult(buildResult, &valResult, plContext);
if (error != NULL) {
- goto cleanup;
+ goto cleanup;
}
- error = PKIX_ValidateResult_GetTrustAnchor( valResult, &trustAnchor,
- plContext);
+ error =
+ PKIX_ValidateResult_GetTrustAnchor(valResult, &trustAnchor, plContext);
if (error != NULL) {
- goto cleanup;
+ goto cleanup;
}
if (trustAnchor != NULL) {
- error = PKIX_TrustAnchor_GetTrustedCert( trustAnchor, &trustAnchorCert,
- plContext);
- if (error != NULL) {
- goto cleanup;
- }
+ error = PKIX_TrustAnchor_GetTrustedCert(trustAnchor, &trustAnchorCert,
+ plContext);
+ if (error != NULL) {
+ goto cleanup;
+ }
}
#ifdef PKIX_OBJECT_LEAK_TEST
/* Can not continue if error was generated but not returned.
* Jumping to cleanup. */
if (errorGenerated) goto cleanup;
#endif /* PKIX_OBJECT_LEAK_TEST */
oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor);
if (oparam != NULL) {
- if (trustAnchorCert != NULL) {
- oparam->value.pointer.cert =
- cert_NSSCertFromPKIXCert(trustAnchorCert);
- } else {
- oparam->value.pointer.cert = NULL;
- }
+ if (trustAnchorCert != NULL) {
+ oparam->value.pointer.cert = cert_NSSCertFromPKIXCert(trustAnchorCert);
+ } else {
+ oparam->value.pointer.cert = NULL;
+ }
}
- error = PKIX_BuildResult_GetCertChain( buildResult, &builtCertList,
- plContext);
+ error =
+ PKIX_BuildResult_GetCertChain(buildResult, &builtCertList, plContext);
if (error != NULL) {
- goto cleanup;
+ goto cleanup;
}
oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_certList);
if (oparam != NULL) {
- error = cert_PkixToNssCertsChain(builtCertList,
- &oparam->value.pointer.chain,
- plContext);
- if (error) goto cleanup;
+ error = cert_PkixToNssCertsChain(builtCertList,
+ &oparam->value.pointer.chain, plContext);
+ if (error) goto cleanup;
}
r = SECSuccess;
-cleanup:
+ cleanup:
if (verifyNode) {
- /* Return validation log only upon error. */
- oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog);
+ /* Return validation log only upon error. */
+ oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_errorLog);
#ifdef PKIX_OBJECT_LEAK_TEST
- if (!errorGenerated)
+ if (!errorGenerated)
#endif /* PKIX_OBJECT_LEAK_TEST */
if (r && oparam != NULL) {
- PKIX_Error *tmpError =
- cert_GetLogFromVerifyNode(oparam->value.pointer.log,
- verifyNode, plContext);
- if (tmpError) {
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext);
- }
+ PKIX_Error *tmpError = cert_GetLogFromVerifyNode(
+ oparam->value.pointer.log, verifyNode, plContext);
+ if (tmpError) {
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)tmpError, plContext);
+ }
}
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)verifyNode, plContext);
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)verifyNode, plContext);
}
- if (procParams != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
+ if (procParams != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext);
- if (trustAnchorCert != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchorCert, plContext);
+ if (trustAnchorCert != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchorCert, plContext);
- if (trustAnchor != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
+ if (trustAnchor != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext);
- if (valResult != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)valResult, plContext);
+ if (valResult != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)valResult, plContext);
- if (buildResult != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)buildResult, plContext);
+ if (buildResult != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)buildResult, plContext);
- if (certStores != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
+ if (certStores != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certStores, plContext);
- if (certSelector != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
+ if (certSelector != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext);
- if (builtCertList != NULL)
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext);
+ if (builtCertList != NULL)
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)builtCertList, plContext);
if (error != NULL) {
- SECErrorCodes nssErrorCode = 0;
+ SECErrorCodes nssErrorCode = 0;
- cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
- cert_pkixDestroyValOutParam(paramsOut);
- PORT_SetError(nssErrorCode);
- PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
+ cert_PkixErrorToNssCode(error, &nssErrorCode, plContext);
+ cert_pkixDestroyValOutParam(paramsOut);
+ PORT_SetError(nssErrorCode);
+ PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext);
}
PKIX_PL_NssContext_Destroy(plContext);
#ifdef PKIX_OBJECT_LEAK_TEST
leakedObjNum =
pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL);
if (pkixLog && leakedObjNum) {
- PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d."
- "Stack %s\n", memLeakLoopCount, errorFnStackString));
+ PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d."
+ "Stack %s\n",
+ memLeakLoopCount, errorFnStackString));
}
PR_Free(errorFnStackString);
errorFnStackString = NULL;
if (abortOnLeak) {
- PORT_Assert(leakedObjNum == 0);
+ PORT_Assert(leakedObjNum == 0);
}
-
-} while (errorGenerated);
- runningLeakTest = PKIX_FALSE;
- PR_ATOMIC_DECREMENT(&parallelFnInvocationCount);
- usePKIXValidationEngine = savedUsePkixEngFlag;
+ } while (errorGenerated);
+
+ runningLeakTest = PKIX_FALSE;
+ PR_ATOMIC_DECREMENT(&parallelFnInvocationCount);
+ usePKIXValidationEngine = savedUsePkixEngFlag;
#endif /* PKIX_OBJECT_LEAK_TEST */
- return r;
+ return r;
}
« no previous file with comments | « lib/certhigh/certvfy.c ('k') | lib/certhigh/crlv2.c » ('j') | no next file with comments »

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b