Index: lib/certdb/genname.c |
=================================================================== |
--- a/lib/certdb/genname.c |
+++ b/lib/certdb/genname.c |
@@ -19,1196 +19,1105 @@ |
SEC_ASN1_MKSUB(SEC_AnyTemplate) |
SEC_ASN1_MKSUB(SEC_IntegerTemplate) |
SEC_ASN1_MKSUB(SEC_IA5StringTemplate) |
SEC_ASN1_MKSUB(SEC_ObjectIDTemplate) |
SEC_ASN1_MKSUB(SEC_OctetStringTemplate) |
static const SEC_ASN1Template CERTNameConstraintTemplate[] = { |
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraint) }, |
- { SEC_ASN1_ANY, offsetof(CERTNameConstraint, DERName) }, |
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, |
- offsetof(CERTNameConstraint, min), |
- SEC_ASN1_SUB(SEC_IntegerTemplate) }, |
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, |
- offsetof(CERTNameConstraint, max), |
- SEC_ASN1_SUB(SEC_IntegerTemplate) }, |
- { 0, } |
-}; |
+ {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraint)}, |
+ {SEC_ASN1_ANY, offsetof(CERTNameConstraint, DERName)}, |
+ {SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, |
+ offsetof(CERTNameConstraint, min), SEC_ASN1_SUB(SEC_IntegerTemplate)}, |
+ {SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, |
+ offsetof(CERTNameConstraint, max), SEC_ASN1_SUB(SEC_IntegerTemplate)}, |
+ {0, }}; |
const SEC_ASN1Template CERT_NameConstraintSubtreeSubTemplate[] = { |
- { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) } |
-}; |
+ {SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate)}}; |
static const SEC_ASN1Template CERTNameConstraintsTemplate[] = { |
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraints) }, |
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, |
- offsetof(CERTNameConstraints, DERPermited), |
- CERT_NameConstraintSubtreeSubTemplate}, |
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, |
- offsetof(CERTNameConstraints, DERExcluded), |
- CERT_NameConstraintSubtreeSubTemplate}, |
- { 0, } |
-}; |
- |
+ {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraints)}, |
+ {SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, |
+ offsetof(CERTNameConstraints, DERPermited), |
+ CERT_NameConstraintSubtreeSubTemplate}, |
+ {SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, |
+ offsetof(CERTNameConstraints, DERExcluded), |
+ CERT_NameConstraintSubtreeSubTemplate}, |
+ {0, }}; |
static const SEC_ASN1Template CERTOthNameTemplate[] = { |
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(OtherName) }, |
- { SEC_ASN1_OBJECT_ID, |
- offsetof(OtherName, oid) }, |
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | |
- SEC_ASN1_XTRN | 0, offsetof(OtherName, name), |
- SEC_ASN1_SUB(SEC_AnyTemplate) }, |
- { 0, } |
-}; |
+ {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(OtherName)}, |
+ {SEC_ASN1_OBJECT_ID, offsetof(OtherName, oid)}, |
+ {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | |
+ SEC_ASN1_XTRN | 0, |
+ offsetof(OtherName, name), SEC_ASN1_SUB(SEC_AnyTemplate)}, |
+ {0, }}; |
static const SEC_ASN1Template CERTOtherNameTemplate[] = { |
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0 , |
- offsetof(CERTGeneralName, name.OthName), CERTOthNameTemplate, |
- sizeof(CERTGeneralName) } |
-}; |
+ {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0, |
+ offsetof(CERTGeneralName, name.OthName), |
+ CERTOthNameTemplate, |
+ sizeof(CERTGeneralName)}}; |
static const SEC_ASN1Template CERTOtherName2Template[] = { |
- { SEC_ASN1_SEQUENCE | SEC_ASN1_CONTEXT_SPECIFIC | 0 , |
- 0, NULL, sizeof(CERTGeneralName) }, |
- { SEC_ASN1_OBJECT_ID, |
- offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, oid) }, |
- { SEC_ASN1_ANY, |
- offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, name) }, |
- { 0, } |
-}; |
+ {SEC_ASN1_SEQUENCE | SEC_ASN1_CONTEXT_SPECIFIC | 0, 0, NULL, |
+ sizeof(CERTGeneralName)}, |
+ {SEC_ASN1_OBJECT_ID, |
+ offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, oid)}, |
+ {SEC_ASN1_ANY, |
+ offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, name)}, |
+ {0, }}; |
static const SEC_ASN1Template CERT_RFC822NameTemplate[] = { |
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1 , |
- offsetof(CERTGeneralName, name.other), |
- SEC_ASN1_SUB(SEC_IA5StringTemplate), |
- sizeof (CERTGeneralName)} |
-}; |
+ {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, |
+ offsetof(CERTGeneralName, name.other), |
+ SEC_ASN1_SUB(SEC_IA5StringTemplate), |
+ sizeof(CERTGeneralName)}}; |
static const SEC_ASN1Template CERT_DNSNameTemplate[] = { |
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2 , |
- offsetof(CERTGeneralName, name.other), |
- SEC_ASN1_SUB(SEC_IA5StringTemplate), |
- sizeof (CERTGeneralName)} |
-}; |
+ {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2, |
+ offsetof(CERTGeneralName, name.other), |
+ SEC_ASN1_SUB(SEC_IA5StringTemplate), |
+ sizeof(CERTGeneralName)}}; |
static const SEC_ASN1Template CERT_X400AddressTemplate[] = { |
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_XTRN | 3, |
- offsetof(CERTGeneralName, name.other), SEC_ASN1_SUB(SEC_AnyTemplate), |
- sizeof (CERTGeneralName)} |
-}; |
+ {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_XTRN | 3, |
+ offsetof(CERTGeneralName, name.other), |
+ SEC_ASN1_SUB(SEC_AnyTemplate), |
+ sizeof(CERTGeneralName)}}; |
static const SEC_ASN1Template CERT_DirectoryNameTemplate[] = { |
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | |
- SEC_ASN1_XTRN | 4, offsetof(CERTGeneralName, derDirectoryName), |
- SEC_ASN1_SUB(SEC_AnyTemplate), sizeof (CERTGeneralName)} |
-}; |
- |
+ {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | |
+ SEC_ASN1_XTRN | 4, |
+ offsetof(CERTGeneralName, derDirectoryName), SEC_ASN1_SUB(SEC_AnyTemplate), |
+ sizeof(CERTGeneralName)}}; |
static const SEC_ASN1Template CERT_EDIPartyNameTemplate[] = { |
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_XTRN | 5, |
- offsetof(CERTGeneralName, name.other), SEC_ASN1_SUB(SEC_AnyTemplate), |
- sizeof (CERTGeneralName)} |
-}; |
+ {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_XTRN | 5, |
+ offsetof(CERTGeneralName, name.other), |
+ SEC_ASN1_SUB(SEC_AnyTemplate), |
+ sizeof(CERTGeneralName)}}; |
static const SEC_ASN1Template CERT_URITemplate[] = { |
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 6 , |
- offsetof(CERTGeneralName, name.other), |
- SEC_ASN1_SUB(SEC_IA5StringTemplate), |
- sizeof (CERTGeneralName)} |
-}; |
+ {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 6, |
+ offsetof(CERTGeneralName, name.other), |
+ SEC_ASN1_SUB(SEC_IA5StringTemplate), |
+ sizeof(CERTGeneralName)}}; |
static const SEC_ASN1Template CERT_IPAddressTemplate[] = { |
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 7 , |
- offsetof(CERTGeneralName, name.other), |
- SEC_ASN1_SUB(SEC_OctetStringTemplate), |
- sizeof (CERTGeneralName)} |
-}; |
+ {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 7, |
+ offsetof(CERTGeneralName, name.other), |
+ SEC_ASN1_SUB(SEC_OctetStringTemplate), |
+ sizeof(CERTGeneralName)}}; |
static const SEC_ASN1Template CERT_RegisteredIDTemplate[] = { |
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 8 , |
- offsetof(CERTGeneralName, name.other), |
- SEC_ASN1_SUB(SEC_ObjectIDTemplate), |
- sizeof (CERTGeneralName)} |
-}; |
- |
+ {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 8, |
+ offsetof(CERTGeneralName, name.other), |
+ SEC_ASN1_SUB(SEC_ObjectIDTemplate), |
+ sizeof(CERTGeneralName)}}; |
const SEC_ASN1Template CERT_GeneralNamesTemplate[] = { |
- { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN , 0, SEC_ASN1_SUB(SEC_AnyTemplate) } |
-}; |
- |
+ {SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate)}}; |
static struct { |
- CERTGeneralNameType type; |
- char *name; |
-} typesArray[] = { |
- { certOtherName, "other" }, |
- { certRFC822Name, "email" }, |
- { certRFC822Name, "rfc822" }, |
- { certDNSName, "dns" }, |
- { certX400Address, "x400" }, |
- { certX400Address, "x400addr" }, |
- { certDirectoryName, "directory" }, |
- { certDirectoryName, "dn" }, |
- { certEDIPartyName, "edi" }, |
- { certEDIPartyName, "ediparty" }, |
- { certURI, "uri" }, |
- { certIPAddress, "ip" }, |
- { certIPAddress, "ipaddr" }, |
- { certRegisterID, "registerid" } |
-}; |
+ CERTGeneralNameType type; |
+ char *name; |
+} typesArray[] = {{certOtherName, "other"}, |
+ {certRFC822Name, "email"}, |
+ {certRFC822Name, "rfc822"}, |
+ {certDNSName, "dns"}, |
+ {certX400Address, "x400"}, |
+ {certX400Address, "x400addr"}, |
+ {certDirectoryName, "directory"}, |
+ {certDirectoryName, "dn"}, |
+ {certEDIPartyName, "edi"}, |
+ {certEDIPartyName, "ediparty"}, |
+ {certURI, "uri"}, |
+ {certIPAddress, "ip"}, |
+ {certIPAddress, "ipaddr"}, |
+ {certRegisterID, "registerid"}}; |
-CERTGeneralNameType |
-CERT_GetGeneralNameTypeFromString(const char *string) |
-{ |
- int types_count = sizeof(typesArray)/sizeof(typesArray[0]); |
- int i; |
+CERTGeneralNameType CERT_GetGeneralNameTypeFromString(const char *string) { |
+ int types_count = sizeof(typesArray) / sizeof(typesArray[0]); |
+ int i; |
- for (i=0; i < types_count; i++) { |
- if (PORT_Strcasecmp(string, typesArray[i].name) == 0) { |
- return typesArray[i].type; |
- } |
+ for (i = 0; i < types_count; i++) { |
+ if (PORT_Strcasecmp(string, typesArray[i].name) == 0) { |
+ return typesArray[i].type; |
} |
- return 0; |
+ } |
+ return 0; |
} |
-CERTGeneralName * |
-CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type) |
-{ |
- CERTGeneralName *name = arena |
- ? PORT_ArenaZNew(arena, CERTGeneralName) |
- : PORT_ZNew(CERTGeneralName); |
- if (name) { |
- name->type = type; |
- name->l.prev = name->l.next = &name->l; |
- } |
- return name; |
+CERTGeneralName *CERT_NewGeneralName(PLArenaPool *arena, |
+ CERTGeneralNameType type) { |
+ CERTGeneralName *name = arena ? PORT_ArenaZNew(arena, CERTGeneralName) |
+ : PORT_ZNew(CERTGeneralName); |
+ if (name) { |
+ name->type = type; |
+ name->l.prev = name->l.next = &name->l; |
+ } |
+ return name; |
} |
/* Copy content of one General Name to another. |
** Caller has allocated destination general name. |
** This function does not change the destinate's GeneralName's list linkage. |
*/ |
-SECStatus |
-cert_CopyOneGeneralName(PLArenaPool *arena, |
- CERTGeneralName *dest, |
- CERTGeneralName *src) |
-{ |
- SECStatus rv; |
- void *mark = NULL; |
+SECStatus cert_CopyOneGeneralName(PLArenaPool *arena, CERTGeneralName *dest, |
+ CERTGeneralName *src) { |
+ SECStatus rv; |
+ void *mark = NULL; |
- PORT_Assert(dest != NULL); |
- dest->type = src->type; |
+ PORT_Assert(dest != NULL); |
+ dest->type = src->type; |
- mark = PORT_ArenaMark(arena); |
+ mark = PORT_ArenaMark(arena); |
- switch (src->type) { |
- case certDirectoryName: |
- rv = SECITEM_CopyItem(arena, &dest->derDirectoryName, |
- &src->derDirectoryName); |
- if (rv == SECSuccess) |
- rv = CERT_CopyName(arena, &dest->name.directoryName, |
- &src->name.directoryName); |
- break; |
+ switch (src->type) { |
+ case certDirectoryName: |
+ rv = SECITEM_CopyItem(arena, &dest->derDirectoryName, |
+ &src->derDirectoryName); |
+ if (rv == SECSuccess) |
+ rv = CERT_CopyName(arena, &dest->name.directoryName, |
+ &src->name.directoryName); |
+ break; |
- case certOtherName: |
- rv = SECITEM_CopyItem(arena, &dest->name.OthName.name, |
- &src->name.OthName.name); |
- if (rv == SECSuccess) |
- rv = SECITEM_CopyItem(arena, &dest->name.OthName.oid, |
- &src->name.OthName.oid); |
- break; |
+ case certOtherName: |
+ rv = SECITEM_CopyItem(arena, &dest->name.OthName.name, |
+ &src->name.OthName.name); |
+ if (rv == SECSuccess) |
+ rv = SECITEM_CopyItem(arena, &dest->name.OthName.oid, |
+ &src->name.OthName.oid); |
+ break; |
- default: |
- rv = SECITEM_CopyItem(arena, &dest->name.other, |
- &src->name.other); |
- break; |
- |
- } |
- if (rv != SECSuccess) { |
- PORT_ArenaRelease(arena, mark); |
- } else { |
- PORT_ArenaUnmark(arena, mark); |
- } |
- return rv; |
+ default: |
+ rv = SECITEM_CopyItem(arena, &dest->name.other, &src->name.other); |
+ break; |
+ } |
+ if (rv != SECSuccess) { |
+ PORT_ArenaRelease(arena, mark); |
+ } else { |
+ PORT_ArenaUnmark(arena, mark); |
+ } |
+ return rv; |
} |
+void CERT_DestroyGeneralNameList(CERTGeneralNameList *list) { |
+ PZLock *lock; |
-void |
-CERT_DestroyGeneralNameList(CERTGeneralNameList *list) |
-{ |
- PZLock *lock; |
- |
- if (list != NULL) { |
- lock = list->lock; |
- PZ_Lock(lock); |
- if (--list->refCount <= 0 && list->arena != NULL) { |
- PORT_FreeArena(list->arena, PR_FALSE); |
- PZ_Unlock(lock); |
- PZ_DestroyLock(lock); |
- } else { |
- PZ_Unlock(lock); |
- } |
+ if (list != NULL) { |
+ lock = list->lock; |
+ PZ_Lock(lock); |
+ if (--list->refCount <= 0 && list->arena != NULL) { |
+ PORT_FreeArena(list->arena, PR_FALSE); |
+ PZ_Unlock(lock); |
+ PZ_DestroyLock(lock); |
+ } else { |
+ PZ_Unlock(lock); |
} |
- return; |
+ } |
+ return; |
} |
-CERTGeneralNameList * |
-CERT_CreateGeneralNameList(CERTGeneralName *name) { |
- PLArenaPool *arena; |
- CERTGeneralNameList *list = NULL; |
+CERTGeneralNameList *CERT_CreateGeneralNameList(CERTGeneralName *name) { |
+ PLArenaPool *arena; |
+ CERTGeneralNameList *list = NULL; |
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
- if (arena == NULL) { |
- goto done; |
- } |
- list = PORT_ArenaZNew(arena, CERTGeneralNameList); |
- if (!list) |
- goto loser; |
- if (name != NULL) { |
- SECStatus rv; |
- list->name = CERT_NewGeneralName(arena, (CERTGeneralNameType)0); |
- if (!list->name) |
- goto loser; |
- rv = CERT_CopyGeneralName(arena, list->name, name); |
- if (rv != SECSuccess) |
- goto loser; |
- } |
- list->lock = PZ_NewLock(nssILockList); |
- if (!list->lock) |
- goto loser; |
- list->arena = arena; |
- list->refCount = 1; |
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
+ if (arena == NULL) { |
+ goto done; |
+ } |
+ list = PORT_ArenaZNew(arena, CERTGeneralNameList); |
+ if (!list) goto loser; |
+ if (name != NULL) { |
+ SECStatus rv; |
+ list->name = CERT_NewGeneralName(arena, (CERTGeneralNameType)0); |
+ if (!list->name) goto loser; |
+ rv = CERT_CopyGeneralName(arena, list->name, name); |
+ if (rv != SECSuccess) goto loser; |
+ } |
+ list->lock = PZ_NewLock(nssILockList); |
+ if (!list->lock) goto loser; |
+ list->arena = arena; |
+ list->refCount = 1; |
done: |
- return list; |
+ return list; |
loser: |
- PORT_FreeArena(arena, PR_FALSE); |
- return NULL; |
+ PORT_FreeArena(arena, PR_FALSE); |
+ return NULL; |
} |
-CERTGeneralName * |
-CERT_GetNextGeneralName(CERTGeneralName *current) |
-{ |
- PRCList *next; |
- |
- next = current->l.next; |
- return (CERTGeneralName *) (((char *) next) - offsetof(CERTGeneralName, l)); |
+CERTGeneralName *CERT_GetNextGeneralName(CERTGeneralName *current) { |
+ PRCList *next; |
+ |
+ next = current->l.next; |
+ return (CERTGeneralName *)(((char *)next) - offsetof(CERTGeneralName, l)); |
} |
-CERTGeneralName * |
-CERT_GetPrevGeneralName(CERTGeneralName *current) |
-{ |
- PRCList *prev; |
- prev = current->l.prev; |
- return (CERTGeneralName *) (((char *) prev) - offsetof(CERTGeneralName, l)); |
+CERTGeneralName *CERT_GetPrevGeneralName(CERTGeneralName *current) { |
+ PRCList *prev; |
+ prev = current->l.prev; |
+ return (CERTGeneralName *)(((char *)prev) - offsetof(CERTGeneralName, l)); |
} |
-CERTNameConstraint * |
-CERT_GetNextNameConstraint(CERTNameConstraint *current) |
-{ |
- PRCList *next; |
- |
- next = current->l.next; |
- return (CERTNameConstraint *) (((char *) next) - offsetof(CERTNameConstraint, l)); |
+CERTNameConstraint *CERT_GetNextNameConstraint(CERTNameConstraint *current) { |
+ PRCList *next; |
+ |
+ next = current->l.next; |
+ return (CERTNameConstraint *)(((char *)next) - |
+ offsetof(CERTNameConstraint, l)); |
} |
-CERTNameConstraint * |
-CERT_GetPrevNameConstraint(CERTNameConstraint *current) |
-{ |
- PRCList *prev; |
- prev = current->l.prev; |
- return (CERTNameConstraint *) (((char *) prev) - offsetof(CERTNameConstraint, l)); |
+CERTNameConstraint *CERT_GetPrevNameConstraint(CERTNameConstraint *current) { |
+ PRCList *prev; |
+ prev = current->l.prev; |
+ return (CERTNameConstraint *)(((char *)prev) - |
+ offsetof(CERTNameConstraint, l)); |
} |
-SECItem * |
-CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, PLArenaPool *arena) |
-{ |
+SECItem *CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, |
+ PLArenaPool *arena) { |
- const SEC_ASN1Template * template; |
+ const SEC_ASN1Template *template; |
- PORT_Assert(arena); |
- if (arena == NULL) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return NULL; |
+ PORT_Assert(arena); |
+ if (arena == NULL) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return NULL; |
+ } |
+ /* TODO: mark arena */ |
+ if (dest == NULL) { |
+ dest = PORT_ArenaZNew(arena, SECItem); |
+ if (!dest) goto loser; |
+ } |
+ if (genName->type == certDirectoryName) { |
+ if (genName->derDirectoryName.data == NULL) { |
+ /* The field hasn't been encoded yet. */ |
+ SECItem *pre_dest = |
+ SEC_ASN1EncodeItem(arena, &(genName->derDirectoryName), |
+ &(genName->name.directoryName), CERT_NameTemplate); |
+ if (!pre_dest) goto loser; |
} |
- /* TODO: mark arena */ |
- if (dest == NULL) { |
- dest = PORT_ArenaZNew(arena, SECItem); |
- if (!dest) |
- goto loser; |
+ if (genName->derDirectoryName.data == NULL) { |
+ goto loser; |
} |
- if (genName->type == certDirectoryName) { |
- if (genName->derDirectoryName.data == NULL) { |
- /* The field hasn't been encoded yet. */ |
- SECItem * pre_dest = |
- SEC_ASN1EncodeItem (arena, &(genName->derDirectoryName), |
- &(genName->name.directoryName), |
- CERT_NameTemplate); |
- if (!pre_dest) |
- goto loser; |
- } |
- if (genName->derDirectoryName.data == NULL) { |
- goto loser; |
- } |
- } |
- switch (genName->type) { |
- case certURI: template = CERT_URITemplate; break; |
- case certRFC822Name: template = CERT_RFC822NameTemplate; break; |
- case certDNSName: template = CERT_DNSNameTemplate; break; |
- case certIPAddress: template = CERT_IPAddressTemplate; break; |
- case certOtherName: template = CERTOtherNameTemplate; break; |
- case certRegisterID: template = CERT_RegisteredIDTemplate; break; |
- /* for this type, we expect the value is already encoded */ |
- case certEDIPartyName: template = CERT_EDIPartyNameTemplate; break; |
- /* for this type, we expect the value is already encoded */ |
- case certX400Address: template = CERT_X400AddressTemplate; break; |
- case certDirectoryName: template = CERT_DirectoryNameTemplate; break; |
+ } |
+ switch (genName->type) { |
+ case certURI: |
+ template = CERT_URITemplate; |
+ break; |
+ case certRFC822Name: |
+ template = CERT_RFC822NameTemplate; |
+ break; |
+ case certDNSName: |
+ template = CERT_DNSNameTemplate; |
+ break; |
+ case certIPAddress: |
+ template = CERT_IPAddressTemplate; |
+ break; |
+ case certOtherName: |
+ template = CERTOtherNameTemplate; |
+ break; |
+ case certRegisterID: |
+ template = CERT_RegisteredIDTemplate; |
+ break; |
+ /* for this type, we expect the value is already encoded */ |
+ case certEDIPartyName: |
+ template = CERT_EDIPartyNameTemplate; |
+ break; |
+ /* for this type, we expect the value is already encoded */ |
+ case certX400Address: |
+ template = CERT_X400AddressTemplate; |
+ break; |
+ case certDirectoryName: |
+ template = CERT_DirectoryNameTemplate; |
+ break; |
default: |
- PORT_Assert(0); goto loser; |
- } |
- dest = SEC_ASN1EncodeItem(arena, dest, genName, template); |
- if (!dest) { |
- goto loser; |
- } |
- /* TODO: unmark arena */ |
- return dest; |
+ PORT_Assert(0); |
+ goto loser; |
+ } |
+ dest = SEC_ASN1EncodeItem(arena, dest, genName, template); |
+ if (!dest) { |
+ goto loser; |
+ } |
+ /* TODO: unmark arena */ |
+ return dest; |
loser: |
- /* TODO: release arena back to mark */ |
- return NULL; |
+ /* TODO: release arena back to mark */ |
+ return NULL; |
} |
-SECItem ** |
-cert_EncodeGeneralNames(PLArenaPool *arena, CERTGeneralName *names) |
-{ |
- CERTGeneralName *current_name; |
- SECItem **items = NULL; |
- int count = 0; |
- int i; |
- PRCList *head; |
+SECItem **cert_EncodeGeneralNames(PLArenaPool *arena, CERTGeneralName *names) { |
+ CERTGeneralName *current_name; |
+ SECItem **items = NULL; |
+ int count = 0; |
+ int i; |
+ PRCList *head; |
- PORT_Assert(arena); |
- /* TODO: mark arena */ |
- current_name = names; |
- if (names != NULL) { |
- count = 1; |
- } |
- head = &(names->l); |
- while (current_name->l.next != head) { |
- current_name = CERT_GetNextGeneralName(current_name); |
- ++count; |
+ PORT_Assert(arena); |
+ /* TODO: mark arena */ |
+ current_name = names; |
+ if (names != NULL) { |
+ count = 1; |
+ } |
+ head = &(names->l); |
+ while (current_name->l.next != head) { |
+ current_name = CERT_GetNextGeneralName(current_name); |
+ ++count; |
+ } |
+ current_name = CERT_GetNextGeneralName(current_name); |
+ items = PORT_ArenaNewArray(arena, SECItem *, count + 1); |
+ if (items == NULL) { |
+ goto loser; |
+ } |
+ for (i = 0; i < count; i++) { |
+ items[i] = CERT_EncodeGeneralName(current_name, (SECItem *)NULL, arena); |
+ if (items[i] == NULL) { |
+ goto loser; |
} |
current_name = CERT_GetNextGeneralName(current_name); |
- items = PORT_ArenaNewArray(arena, SECItem *, count + 1); |
- if (items == NULL) { |
- goto loser; |
- } |
- for (i = 0; i < count; i++) { |
- items[i] = CERT_EncodeGeneralName(current_name, (SECItem *)NULL, arena); |
- if (items[i] == NULL) { |
- goto loser; |
- } |
- current_name = CERT_GetNextGeneralName(current_name); |
- } |
- items[i] = NULL; |
- /* TODO: unmark arena */ |
- return items; |
+ } |
+ items[i] = NULL; |
+ /* TODO: unmark arena */ |
+ return items; |
loser: |
- /* TODO: release arena to mark */ |
- return NULL; |
+ /* TODO: release arena to mark */ |
+ return NULL; |
} |
-CERTGeneralName * |
-CERT_DecodeGeneralName(PLArenaPool *reqArena, |
- SECItem *encodedName, |
- CERTGeneralName *genName) |
-{ |
- const SEC_ASN1Template * template; |
- CERTGeneralNameType genNameType; |
- SECStatus rv = SECSuccess; |
- SECItem* newEncodedName; |
+CERTGeneralName *CERT_DecodeGeneralName(PLArenaPool *reqArena, |
+ SECItem *encodedName, |
+ CERTGeneralName *genName) { |
+ const SEC_ASN1Template *template; |
+ CERTGeneralNameType genNameType; |
+ SECStatus rv = SECSuccess; |
+ SECItem *newEncodedName; |
- if (!reqArena) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return NULL; |
- } |
- /* make a copy for decoding so the data decoded with QuickDER doesn't |
- point to temporary memory */ |
- newEncodedName = SECITEM_ArenaDupItem(reqArena, encodedName); |
- if (!newEncodedName) { |
- return NULL; |
- } |
- /* TODO: mark arena */ |
- genNameType = (CERTGeneralNameType)((*(newEncodedName->data) & 0x0f) + 1); |
- if (genName == NULL) { |
- genName = CERT_NewGeneralName(reqArena, genNameType); |
- if (!genName) |
- goto loser; |
- } else { |
- genName->type = genNameType; |
- genName->l.prev = genName->l.next = &genName->l; |
- } |
+ if (!reqArena) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return NULL; |
+ } |
+ /* make a copy for decoding so the data decoded with QuickDER doesn't |
+ point to temporary memory */ |
+ newEncodedName = SECITEM_ArenaDupItem(reqArena, encodedName); |
+ if (!newEncodedName) { |
+ return NULL; |
+ } |
+ /* TODO: mark arena */ |
+ genNameType = (CERTGeneralNameType)((*(newEncodedName->data) & 0x0f) + 1); |
+ if (genName == NULL) { |
+ genName = CERT_NewGeneralName(reqArena, genNameType); |
+ if (!genName) goto loser; |
+ } else { |
+ genName->type = genNameType; |
+ genName->l.prev = genName->l.next = &genName->l; |
+ } |
- switch (genNameType) { |
- case certURI: template = CERT_URITemplate; break; |
- case certRFC822Name: template = CERT_RFC822NameTemplate; break; |
- case certDNSName: template = CERT_DNSNameTemplate; break; |
- case certIPAddress: template = CERT_IPAddressTemplate; break; |
- case certOtherName: template = CERTOtherNameTemplate; break; |
- case certRegisterID: template = CERT_RegisteredIDTemplate; break; |
- case certEDIPartyName: template = CERT_EDIPartyNameTemplate; break; |
- case certX400Address: template = CERT_X400AddressTemplate; break; |
- case certDirectoryName: template = CERT_DirectoryNameTemplate; break; |
- default: |
- goto loser; |
- } |
- rv = SEC_QuickDERDecodeItem(reqArena, genName, template, newEncodedName); |
- if (rv != SECSuccess) |
- goto loser; |
- if (genNameType == certDirectoryName) { |
- rv = SEC_QuickDERDecodeItem(reqArena, &(genName->name.directoryName), |
- CERT_NameTemplate, |
- &(genName->derDirectoryName)); |
- if (rv != SECSuccess) |
- goto loser; |
- } |
+ switch (genNameType) { |
+ case certURI: |
+ template = CERT_URITemplate; |
+ break; |
+ case certRFC822Name: |
+ template = CERT_RFC822NameTemplate; |
+ break; |
+ case certDNSName: |
+ template = CERT_DNSNameTemplate; |
+ break; |
+ case certIPAddress: |
+ template = CERT_IPAddressTemplate; |
+ break; |
+ case certOtherName: |
+ template = CERTOtherNameTemplate; |
+ break; |
+ case certRegisterID: |
+ template = CERT_RegisteredIDTemplate; |
+ break; |
+ case certEDIPartyName: |
+ template = CERT_EDIPartyNameTemplate; |
+ break; |
+ case certX400Address: |
+ template = CERT_X400AddressTemplate; |
+ break; |
+ case certDirectoryName: |
+ template = CERT_DirectoryNameTemplate; |
+ break; |
+ default: |
+ goto loser; |
+ } |
+ rv = SEC_QuickDERDecodeItem(reqArena, genName, template, newEncodedName); |
+ if (rv != SECSuccess) goto loser; |
+ if (genNameType == certDirectoryName) { |
+ rv = |
+ SEC_QuickDERDecodeItem(reqArena, &(genName->name.directoryName), |
+ CERT_NameTemplate, &(genName->derDirectoryName)); |
+ if (rv != SECSuccess) goto loser; |
+ } |
- /* TODO: unmark arena */ |
- return genName; |
+ /* TODO: unmark arena */ |
+ return genName; |
loser: |
- /* TODO: release arena to mark */ |
- return NULL; |
+ /* TODO: release arena to mark */ |
+ return NULL; |
} |
-CERTGeneralName * |
-cert_DecodeGeneralNames (PLArenaPool *arena, |
- SECItem **encodedGenName) |
-{ |
- PRCList *head = NULL; |
- PRCList *tail = NULL; |
- CERTGeneralName *currentName = NULL; |
+CERTGeneralName *cert_DecodeGeneralNames(PLArenaPool *arena, |
+ SECItem **encodedGenName) { |
+ PRCList *head = NULL; |
+ PRCList *tail = NULL; |
+ CERTGeneralName *currentName = NULL; |
- PORT_Assert(arena); |
- if (!encodedGenName || !arena) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return NULL; |
+ PORT_Assert(arena); |
+ if (!encodedGenName || !arena) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return NULL; |
+ } |
+ /* TODO: mark arena */ |
+ while (*encodedGenName != NULL) { |
+ currentName = CERT_DecodeGeneralName(arena, *encodedGenName, NULL); |
+ if (currentName == NULL) break; |
+ if (head == NULL) { |
+ head = &(currentName->l); |
+ tail = head; |
} |
- /* TODO: mark arena */ |
- while (*encodedGenName != NULL) { |
- currentName = CERT_DecodeGeneralName(arena, *encodedGenName, NULL); |
- if (currentName == NULL) |
- break; |
- if (head == NULL) { |
- head = &(currentName->l); |
- tail = head; |
- } |
- currentName->l.next = head; |
- currentName->l.prev = tail; |
- tail = head->prev = tail->next = &(currentName->l); |
- encodedGenName++; |
- } |
- if (currentName) { |
- /* TODO: unmark arena */ |
- return CERT_GetNextGeneralName(currentName); |
- } |
- /* TODO: release arena to mark */ |
- return NULL; |
+ currentName->l.next = head; |
+ currentName->l.prev = tail; |
+ tail = head->prev = tail->next = &(currentName->l); |
+ encodedGenName++; |
+ } |
+ if (currentName) { |
+ /* TODO: unmark arena */ |
+ return CERT_GetNextGeneralName(currentName); |
+ } |
+ /* TODO: release arena to mark */ |
+ return NULL; |
} |
-void |
-CERT_DestroyGeneralName(CERTGeneralName *name) |
-{ |
- cert_DestroyGeneralNames(name); |
+void CERT_DestroyGeneralName(CERTGeneralName *name) { |
+ cert_DestroyGeneralNames(name); |
} |
-SECStatus |
-cert_DestroyGeneralNames(CERTGeneralName *name) |
-{ |
- CERTGeneralName *first; |
- CERTGeneralName *next = NULL; |
+SECStatus cert_DestroyGeneralNames(CERTGeneralName *name) { |
+ CERTGeneralName *first; |
+ CERTGeneralName *next = NULL; |
- |
- first = name; |
- do { |
- next = CERT_GetNextGeneralName(name); |
- PORT_Free(name); |
- name = next; |
- } while (name != first); |
- return SECSuccess; |
+ first = name; |
+ do { |
+ next = CERT_GetNextGeneralName(name); |
+ PORT_Free(name); |
+ name = next; |
+ } while (name != first); |
+ return SECSuccess; |
} |
-static SECItem * |
-cert_EncodeNameConstraint(CERTNameConstraint *constraint, |
- SECItem *dest, |
- PLArenaPool *arena) |
-{ |
- PORT_Assert(arena); |
+static SECItem *cert_EncodeNameConstraint(CERTNameConstraint *constraint, |
+ SECItem *dest, PLArenaPool *arena) { |
+ PORT_Assert(arena); |
+ if (dest == NULL) { |
+ dest = PORT_ArenaZNew(arena, SECItem); |
if (dest == NULL) { |
- dest = PORT_ArenaZNew(arena, SECItem); |
- if (dest == NULL) { |
- return NULL; |
- } |
+ return NULL; |
} |
- CERT_EncodeGeneralName(&(constraint->name), &(constraint->DERName), arena); |
- |
- dest = SEC_ASN1EncodeItem (arena, dest, constraint, |
- CERTNameConstraintTemplate); |
- return dest; |
-} |
+ } |
+ CERT_EncodeGeneralName(&(constraint->name), &(constraint->DERName), arena); |
-SECStatus |
-cert_EncodeNameConstraintSubTree(CERTNameConstraint *constraints, |
- PLArenaPool *arena, |
- SECItem ***dest, |
- PRBool permited) |
-{ |
- CERTNameConstraint *current_constraint = constraints; |
- SECItem **items = NULL; |
- int count = 0; |
- int i; |
- PRCList *head; |
+ dest = |
+ SEC_ASN1EncodeItem(arena, dest, constraint, CERTNameConstraintTemplate); |
+ return dest; |
+} |
- PORT_Assert(arena); |
- /* TODO: mark arena */ |
- if (constraints != NULL) { |
- count = 1; |
- } |
- head = &constraints->l; |
- while (current_constraint->l.next != head) { |
- current_constraint = CERT_GetNextNameConstraint(current_constraint); |
- ++count; |
+SECStatus cert_EncodeNameConstraintSubTree(CERTNameConstraint *constraints, |
+ PLArenaPool *arena, SECItem ***dest, |
+ PRBool permited) { |
+ CERTNameConstraint *current_constraint = constraints; |
+ SECItem **items = NULL; |
+ int count = 0; |
+ int i; |
+ PRCList *head; |
+ |
+ PORT_Assert(arena); |
+ /* TODO: mark arena */ |
+ if (constraints != NULL) { |
+ count = 1; |
+ } |
+ head = &constraints->l; |
+ while (current_constraint->l.next != head) { |
+ current_constraint = CERT_GetNextNameConstraint(current_constraint); |
+ ++count; |
+ } |
+ current_constraint = CERT_GetNextNameConstraint(current_constraint); |
+ items = PORT_ArenaZNewArray(arena, SECItem *, count + 1); |
+ if (items == NULL) { |
+ goto loser; |
+ } |
+ for (i = 0; i < count; i++) { |
+ items[i] = |
+ cert_EncodeNameConstraint(current_constraint, (SECItem *)NULL, arena); |
+ if (items[i] == NULL) { |
+ goto loser; |
} |
current_constraint = CERT_GetNextNameConstraint(current_constraint); |
- items = PORT_ArenaZNewArray(arena, SECItem *, count + 1); |
- if (items == NULL) { |
- goto loser; |
- } |
- for (i = 0; i < count; i++) { |
- items[i] = cert_EncodeNameConstraint(current_constraint, |
- (SECItem *) NULL, arena); |
- if (items[i] == NULL) { |
- goto loser; |
- } |
- current_constraint = CERT_GetNextNameConstraint(current_constraint); |
- } |
- *dest = items; |
- if (*dest == NULL) { |
- goto loser; |
- } |
- /* TODO: unmark arena */ |
- return SECSuccess; |
+ } |
+ *dest = items; |
+ if (*dest == NULL) { |
+ goto loser; |
+ } |
+ /* TODO: unmark arena */ |
+ return SECSuccess; |
loser: |
- /* TODO: release arena to mark */ |
- return SECFailure; |
+ /* TODO: release arena to mark */ |
+ return SECFailure; |
} |
-SECStatus |
-cert_EncodeNameConstraints(CERTNameConstraints *constraints, |
- PLArenaPool *arena, |
- SECItem *dest) |
-{ |
- SECStatus rv = SECSuccess; |
+SECStatus cert_EncodeNameConstraints(CERTNameConstraints *constraints, |
+ PLArenaPool *arena, SECItem *dest) { |
+ SECStatus rv = SECSuccess; |
- PORT_Assert(arena); |
- /* TODO: mark arena */ |
- if (constraints->permited != NULL) { |
- rv = cert_EncodeNameConstraintSubTree(constraints->permited, arena, |
- &constraints->DERPermited, |
- PR_TRUE); |
- if (rv == SECFailure) { |
- goto loser; |
- } |
+ PORT_Assert(arena); |
+ /* TODO: mark arena */ |
+ if (constraints->permited != NULL) { |
+ rv = cert_EncodeNameConstraintSubTree(constraints->permited, arena, |
+ &constraints->DERPermited, PR_TRUE); |
+ if (rv == SECFailure) { |
+ goto loser; |
} |
- if (constraints->excluded != NULL) { |
- rv = cert_EncodeNameConstraintSubTree(constraints->excluded, arena, |
- &constraints->DERExcluded, |
- PR_FALSE); |
- if (rv == SECFailure) { |
- goto loser; |
- } |
+ } |
+ if (constraints->excluded != NULL) { |
+ rv = cert_EncodeNameConstraintSubTree(constraints->excluded, arena, |
+ &constraints->DERExcluded, PR_FALSE); |
+ if (rv == SECFailure) { |
+ goto loser; |
} |
- dest = SEC_ASN1EncodeItem(arena, dest, constraints, |
- CERTNameConstraintsTemplate); |
- if (dest == NULL) { |
- goto loser; |
- } |
- /* TODO: unmark arena */ |
- return SECSuccess; |
+ } |
+ dest = |
+ SEC_ASN1EncodeItem(arena, dest, constraints, CERTNameConstraintsTemplate); |
+ if (dest == NULL) { |
+ goto loser; |
+ } |
+ /* TODO: unmark arena */ |
+ return SECSuccess; |
loser: |
- /* TODO: release arena to mark */ |
- return SECFailure; |
+ /* TODO: release arena to mark */ |
+ return SECFailure; |
} |
+CERTNameConstraint *cert_DecodeNameConstraint(PLArenaPool *reqArena, |
+ SECItem *encodedConstraint) { |
+ CERTNameConstraint *constraint; |
+ SECStatus rv = SECSuccess; |
+ CERTGeneralName *temp; |
+ SECItem *newEncodedConstraint; |
-CERTNameConstraint * |
-cert_DecodeNameConstraint(PLArenaPool *reqArena, |
- SECItem *encodedConstraint) |
-{ |
- CERTNameConstraint *constraint; |
- SECStatus rv = SECSuccess; |
- CERTGeneralName *temp; |
- SECItem* newEncodedConstraint; |
+ if (!reqArena) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return NULL; |
+ } |
+ newEncodedConstraint = SECITEM_ArenaDupItem(reqArena, encodedConstraint); |
+ if (!newEncodedConstraint) { |
+ return NULL; |
+ } |
+ /* TODO: mark arena */ |
+ constraint = PORT_ArenaZNew(reqArena, CERTNameConstraint); |
+ if (!constraint) goto loser; |
+ rv = SEC_QuickDERDecodeItem(reqArena, constraint, CERTNameConstraintTemplate, |
+ newEncodedConstraint); |
+ if (rv != SECSuccess) { |
+ goto loser; |
+ } |
+ temp = CERT_DecodeGeneralName(reqArena, &(constraint->DERName), |
+ &(constraint->name)); |
+ if (temp != &(constraint->name)) { |
+ goto loser; |
+ } |
- if (!reqArena) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return NULL; |
- } |
- newEncodedConstraint = SECITEM_ArenaDupItem(reqArena, encodedConstraint); |
- if (!newEncodedConstraint) { |
- return NULL; |
- } |
- /* TODO: mark arena */ |
- constraint = PORT_ArenaZNew(reqArena, CERTNameConstraint); |
- if (!constraint) |
- goto loser; |
- rv = SEC_QuickDERDecodeItem(reqArena, constraint, |
- CERTNameConstraintTemplate, |
- newEncodedConstraint); |
- if (rv != SECSuccess) { |
- goto loser; |
- } |
- temp = CERT_DecodeGeneralName(reqArena, &(constraint->DERName), |
- &(constraint->name)); |
- if (temp != &(constraint->name)) { |
- goto loser; |
- } |
- |
- /* ### sjlee: since the name constraint contains only one |
- * CERTGeneralName, the list within CERTGeneralName shouldn't |
- * point anywhere else. Otherwise, bad things will happen. |
- */ |
- constraint->name.l.prev = constraint->name.l.next = &(constraint->name.l); |
- /* TODO: unmark arena */ |
- return constraint; |
+ /* ### sjlee: since the name constraint contains only one |
+ * CERTGeneralName, the list within CERTGeneralName shouldn't |
+ * point anywhere else. Otherwise, bad things will happen. |
+ */ |
+ constraint->name.l.prev = constraint->name.l.next = &(constraint->name.l); |
+ /* TODO: unmark arena */ |
+ return constraint; |
loser: |
- /* TODO: release arena back to mark */ |
- return NULL; |
+ /* TODO: release arena back to mark */ |
+ return NULL; |
} |
-CERTNameConstraint * |
-cert_DecodeNameConstraintSubTree(PLArenaPool *arena, |
- SECItem **subTree, |
- PRBool permited) |
-{ |
- CERTNameConstraint *current = NULL; |
- CERTNameConstraint *first = NULL; |
- CERTNameConstraint *last = NULL; |
- int i = 0; |
+CERTNameConstraint *cert_DecodeNameConstraintSubTree(PLArenaPool *arena, |
+ SECItem **subTree, |
+ PRBool permited) { |
+ CERTNameConstraint *current = NULL; |
+ CERTNameConstraint *first = NULL; |
+ CERTNameConstraint *last = NULL; |
+ int i = 0; |
- PORT_Assert(arena); |
- /* TODO: mark arena */ |
- while (subTree[i] != NULL) { |
- current = cert_DecodeNameConstraint(arena, subTree[i]); |
- if (current == NULL) { |
- goto loser; |
- } |
- if (last == NULL) { |
- first = last = current; |
- } |
- current->l.prev = &(last->l); |
- current->l.next = last->l.next; |
- last->l.next = &(current->l); |
- i++; |
+ PORT_Assert(arena); |
+ /* TODO: mark arena */ |
+ while (subTree[i] != NULL) { |
+ current = cert_DecodeNameConstraint(arena, subTree[i]); |
+ if (current == NULL) { |
+ goto loser; |
} |
- first->l.prev = &(current->l); |
- /* TODO: unmark arena */ |
- return first; |
+ if (last == NULL) { |
+ first = last = current; |
+ } |
+ current->l.prev = &(last->l); |
+ current->l.next = last->l.next; |
+ last->l.next = &(current->l); |
+ i++; |
+ } |
+ first->l.prev = &(current->l); |
+ /* TODO: unmark arena */ |
+ return first; |
loser: |
- /* TODO: release arena back to mark */ |
- return NULL; |
+ /* TODO: release arena back to mark */ |
+ return NULL; |
} |
-CERTNameConstraints * |
-cert_DecodeNameConstraints(PLArenaPool *reqArena, |
- const SECItem *encodedConstraints) |
-{ |
- CERTNameConstraints *constraints; |
- SECStatus rv; |
- SECItem* newEncodedConstraints; |
+CERTNameConstraints *cert_DecodeNameConstraints( |
+ PLArenaPool *reqArena, const SECItem *encodedConstraints) { |
+ CERTNameConstraints *constraints; |
+ SECStatus rv; |
+ SECItem *newEncodedConstraints; |
- if (!reqArena) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return NULL; |
+ if (!reqArena) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return NULL; |
+ } |
+ PORT_Assert(encodedConstraints); |
+ newEncodedConstraints = SECITEM_ArenaDupItem(reqArena, encodedConstraints); |
+ |
+ /* TODO: mark arena */ |
+ constraints = PORT_ArenaZNew(reqArena, CERTNameConstraints); |
+ if (constraints == NULL) { |
+ goto loser; |
+ } |
+ rv = |
+ SEC_QuickDERDecodeItem(reqArena, constraints, CERTNameConstraintsTemplate, |
+ newEncodedConstraints); |
+ if (rv != SECSuccess) { |
+ goto loser; |
+ } |
+ if (constraints->DERPermited != NULL && constraints->DERPermited[0] != NULL) { |
+ constraints->permited = cert_DecodeNameConstraintSubTree( |
+ reqArena, constraints->DERPermited, PR_TRUE); |
+ if (constraints->permited == NULL) { |
+ goto loser; |
} |
- PORT_Assert(encodedConstraints); |
- newEncodedConstraints = SECITEM_ArenaDupItem(reqArena, encodedConstraints); |
- |
- /* TODO: mark arena */ |
- constraints = PORT_ArenaZNew(reqArena, CERTNameConstraints); |
- if (constraints == NULL) { |
- goto loser; |
+ } |
+ if (constraints->DERExcluded != NULL && constraints->DERExcluded[0] != NULL) { |
+ constraints->excluded = cert_DecodeNameConstraintSubTree( |
+ reqArena, constraints->DERExcluded, PR_FALSE); |
+ if (constraints->excluded == NULL) { |
+ goto loser; |
} |
- rv = SEC_QuickDERDecodeItem(reqArena, constraints, |
- CERTNameConstraintsTemplate, |
- newEncodedConstraints); |
- if (rv != SECSuccess) { |
- goto loser; |
- } |
- if (constraints->DERPermited != NULL && |
- constraints->DERPermited[0] != NULL) { |
- constraints->permited = |
- cert_DecodeNameConstraintSubTree(reqArena, |
- constraints->DERPermited, |
- PR_TRUE); |
- if (constraints->permited == NULL) { |
- goto loser; |
- } |
- } |
- if (constraints->DERExcluded != NULL && |
- constraints->DERExcluded[0] != NULL) { |
- constraints->excluded = |
- cert_DecodeNameConstraintSubTree(reqArena, |
- constraints->DERExcluded, |
- PR_FALSE); |
- if (constraints->excluded == NULL) { |
- goto loser; |
- } |
- } |
- /* TODO: unmark arena */ |
- return constraints; |
+ } |
+ /* TODO: unmark arena */ |
+ return constraints; |
loser: |
- /* TODO: release arena back to mark */ |
- return NULL; |
+ /* TODO: release arena back to mark */ |
+ return NULL; |
} |
/* Copy a chain of one or more general names to a destination chain. |
-** Caller has allocated at least the first destination GeneralName struct. |
+** Caller has allocated at least the first destination GeneralName struct. |
** Both source and destination chains are circular doubly-linked lists. |
** The first source struct is copied to the first destination struct. |
-** If the source chain has more than one member, and the destination chain |
-** has only one member, then this function allocates new structs for all but |
-** the first copy from the arena and links them into the destination list. |
+** If the source chain has more than one member, and the destination chain |
+** has only one member, then this function allocates new structs for all but |
+** the first copy from the arena and links them into the destination list. |
** If the destination struct is part of a list with more than one member, |
** then this function traverses both the source and destination lists, |
** copying each source struct to the corresponding dest struct. |
-** In that case, the destination list MUST contain at least as many |
+** In that case, the destination list MUST contain at least as many |
** structs as the source list or some dest entries will be overwritten. |
*/ |
-SECStatus |
-CERT_CopyGeneralName(PLArenaPool *arena, |
- CERTGeneralName *dest, |
- CERTGeneralName *src) |
-{ |
- SECStatus rv; |
- CERTGeneralName *destHead = dest; |
- CERTGeneralName *srcHead = src; |
+SECStatus CERT_CopyGeneralName(PLArenaPool *arena, CERTGeneralName *dest, |
+ CERTGeneralName *src) { |
+ SECStatus rv; |
+ CERTGeneralName *destHead = dest; |
+ CERTGeneralName *srcHead = src; |
- PORT_Assert(dest != NULL); |
- if (!dest) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return SECFailure; |
+ PORT_Assert(dest != NULL); |
+ if (!dest) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return SECFailure; |
+ } |
+ /* TODO: mark arena */ |
+ do { |
+ rv = cert_CopyOneGeneralName(arena, dest, src); |
+ if (rv != SECSuccess) goto loser; |
+ src = CERT_GetNextGeneralName(src); |
+ /* if there is only one general name, we shouldn't do this */ |
+ if (src != srcHead) { |
+ if (dest->l.next == &destHead->l) { |
+ CERTGeneralName *temp; |
+ temp = CERT_NewGeneralName(arena, (CERTGeneralNameType)0); |
+ if (!temp) goto loser; |
+ temp->l.next = &destHead->l; |
+ temp->l.prev = &dest->l; |
+ destHead->l.prev = &temp->l; |
+ dest->l.next = &temp->l; |
+ dest = temp; |
+ } else { |
+ dest = CERT_GetNextGeneralName(dest); |
+ } |
} |
- /* TODO: mark arena */ |
- do { |
- rv = cert_CopyOneGeneralName(arena, dest, src); |
- if (rv != SECSuccess) |
- goto loser; |
- src = CERT_GetNextGeneralName(src); |
- /* if there is only one general name, we shouldn't do this */ |
- if (src != srcHead) { |
- if (dest->l.next == &destHead->l) { |
- CERTGeneralName *temp; |
- temp = CERT_NewGeneralName(arena, (CERTGeneralNameType)0); |
- if (!temp) |
- goto loser; |
- temp->l.next = &destHead->l; |
- temp->l.prev = &dest->l; |
- destHead->l.prev = &temp->l; |
- dest->l.next = &temp->l; |
- dest = temp; |
- } else { |
- dest = CERT_GetNextGeneralName(dest); |
- } |
- } |
- } while (src != srcHead && rv == SECSuccess); |
- /* TODO: unmark arena */ |
- return rv; |
+ } while (src != srcHead && rv == SECSuccess); |
+ /* TODO: unmark arena */ |
+ return rv; |
loser: |
- /* TODO: release back to mark */ |
- return SECFailure; |
+ /* TODO: release back to mark */ |
+ return SECFailure; |
} |
- |
-CERTGeneralNameList * |
-CERT_DupGeneralNameList(CERTGeneralNameList *list) |
-{ |
- if (list != NULL) { |
- PZ_Lock(list->lock); |
- list->refCount++; |
- PZ_Unlock(list->lock); |
- } |
- return list; |
+CERTGeneralNameList *CERT_DupGeneralNameList(CERTGeneralNameList *list) { |
+ if (list != NULL) { |
+ PZ_Lock(list->lock); |
+ list->refCount++; |
+ PZ_Unlock(list->lock); |
+ } |
+ return list; |
} |
/* Allocate space and copy CERTNameConstraint from src to dest */ |
-CERTNameConstraint * |
-CERT_CopyNameConstraint(PLArenaPool *arena, |
- CERTNameConstraint *dest, |
- CERTNameConstraint *src) |
-{ |
- SECStatus rv; |
- |
- /* TODO: mark arena */ |
- if (dest == NULL) { |
- dest = PORT_ArenaZNew(arena, CERTNameConstraint); |
- if (!dest) |
- goto loser; |
- /* mark that it is not linked */ |
- dest->name.l.prev = dest->name.l.next = &(dest->name.l); |
- } |
- rv = CERT_CopyGeneralName(arena, &dest->name, &src->name); |
- if (rv != SECSuccess) { |
- goto loser; |
- } |
- rv = SECITEM_CopyItem(arena, &dest->DERName, &src->DERName); |
- if (rv != SECSuccess) { |
- goto loser; |
- } |
- rv = SECITEM_CopyItem(arena, &dest->min, &src->min); |
- if (rv != SECSuccess) { |
- goto loser; |
- } |
- rv = SECITEM_CopyItem(arena, &dest->max, &src->max); |
- if (rv != SECSuccess) { |
- goto loser; |
- } |
- dest->l.prev = dest->l.next = &dest->l; |
- /* TODO: unmark arena */ |
- return dest; |
+CERTNameConstraint *CERT_CopyNameConstraint(PLArenaPool *arena, |
+ CERTNameConstraint *dest, |
+ CERTNameConstraint *src) { |
+ SECStatus rv; |
+ |
+ /* TODO: mark arena */ |
+ if (dest == NULL) { |
+ dest = PORT_ArenaZNew(arena, CERTNameConstraint); |
+ if (!dest) goto loser; |
+ /* mark that it is not linked */ |
+ dest->name.l.prev = dest->name.l.next = &(dest->name.l); |
+ } |
+ rv = CERT_CopyGeneralName(arena, &dest->name, &src->name); |
+ if (rv != SECSuccess) { |
+ goto loser; |
+ } |
+ rv = SECITEM_CopyItem(arena, &dest->DERName, &src->DERName); |
+ if (rv != SECSuccess) { |
+ goto loser; |
+ } |
+ rv = SECITEM_CopyItem(arena, &dest->min, &src->min); |
+ if (rv != SECSuccess) { |
+ goto loser; |
+ } |
+ rv = SECITEM_CopyItem(arena, &dest->max, &src->max); |
+ if (rv != SECSuccess) { |
+ goto loser; |
+ } |
+ dest->l.prev = dest->l.next = &dest->l; |
+ /* TODO: unmark arena */ |
+ return dest; |
loser: |
- /* TODO: release arena to mark */ |
- return NULL; |
+ /* TODO: release arena to mark */ |
+ return NULL; |
} |
+CERTGeneralName *cert_CombineNamesLists(CERTGeneralName *list1, |
+ CERTGeneralName *list2) { |
+ PRCList *begin1; |
+ PRCList *begin2; |
+ PRCList *end1; |
+ PRCList *end2; |
-CERTGeneralName * |
-cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2) |
-{ |
- PRCList *begin1; |
- PRCList *begin2; |
- PRCList *end1; |
- PRCList *end2; |
- |
- if (list1 == NULL){ |
- return list2; |
- } else if (list2 == NULL) { |
- return list1; |
- } else { |
- begin1 = &list1->l; |
- begin2 = &list2->l; |
- end1 = list1->l.prev; |
- end2 = list2->l.prev; |
- end1->next = begin2; |
- end2->next = begin1; |
- begin1->prev = end2; |
- begin2->prev = end1; |
- return list1; |
- } |
+ if (list1 == NULL) { |
+ return list2; |
+ } else if (list2 == NULL) { |
+ return list1; |
+ } else { |
+ begin1 = &list1->l; |
+ begin2 = &list2->l; |
+ end1 = list1->l.prev; |
+ end2 = list2->l.prev; |
+ end1->next = begin2; |
+ end2->next = begin1; |
+ begin1->prev = end2; |
+ begin2->prev = end1; |
+ return list1; |
+ } |
} |
+CERTNameConstraint *cert_CombineConstraintsLists(CERTNameConstraint *list1, |
+ CERTNameConstraint *list2) { |
+ PRCList *begin1; |
+ PRCList *begin2; |
+ PRCList *end1; |
+ PRCList *end2; |
-CERTNameConstraint * |
-cert_CombineConstraintsLists(CERTNameConstraint *list1, CERTNameConstraint *list2) |
-{ |
- PRCList *begin1; |
- PRCList *begin2; |
- PRCList *end1; |
- PRCList *end2; |
- |
- if (list1 == NULL){ |
- return list2; |
- } else if (list2 == NULL) { |
- return list1; |
- } else { |
- begin1 = &list1->l; |
- begin2 = &list2->l; |
- end1 = list1->l.prev; |
- end2 = list2->l.prev; |
- end1->next = begin2; |
- end2->next = begin1; |
- begin1->prev = end2; |
- begin2->prev = end1; |
- return list1; |
- } |
+ if (list1 == NULL) { |
+ return list2; |
+ } else if (list2 == NULL) { |
+ return list1; |
+ } else { |
+ begin1 = &list1->l; |
+ begin2 = &list2->l; |
+ end1 = list1->l.prev; |
+ end2 = list2->l.prev; |
+ end1->next = begin2; |
+ end2->next = begin1; |
+ begin1->prev = end2; |
+ begin2->prev = end1; |
+ return list1; |
+ } |
} |
- |
/* Add a CERTNameConstraint to the CERTNameConstraint list */ |
-CERTNameConstraint * |
-CERT_AddNameConstraint(CERTNameConstraint *list, |
- CERTNameConstraint *constraint) |
-{ |
- PORT_Assert(constraint != NULL); |
- constraint->l.next = constraint->l.prev = &constraint->l; |
- list = cert_CombineConstraintsLists(list, constraint); |
- return list; |
+CERTNameConstraint *CERT_AddNameConstraint(CERTNameConstraint *list, |
+ CERTNameConstraint *constraint) { |
+ PORT_Assert(constraint != NULL); |
+ constraint->l.next = constraint->l.prev = &constraint->l; |
+ list = cert_CombineConstraintsLists(list, constraint); |
+ return list; |
} |
+SECStatus CERT_GetNameConstraintByType(CERTNameConstraint *constraints, |
+ CERTGeneralNameType type, |
+ CERTNameConstraint **returnList, |
+ PLArenaPool *arena) { |
+ CERTNameConstraint *current = NULL; |
+ void *mark = NULL; |
-SECStatus |
-CERT_GetNameConstraintByType (CERTNameConstraint *constraints, |
- CERTGeneralNameType type, |
- CERTNameConstraint **returnList, |
- PLArenaPool *arena) |
-{ |
- CERTNameConstraint *current = NULL; |
- void *mark = NULL; |
+ *returnList = NULL; |
+ if (!constraints) return SECSuccess; |
- *returnList = NULL; |
- if (!constraints) |
- return SECSuccess; |
+ mark = PORT_ArenaMark(arena); |
- mark = PORT_ArenaMark(arena); |
- |
- current = constraints; |
- do { |
- PORT_Assert(current->name.type); |
- if (current->name.type == type) { |
- CERTNameConstraint *temp; |
- temp = CERT_CopyNameConstraint(arena, NULL, current); |
- if (temp == NULL) |
- goto loser; |
- *returnList = CERT_AddNameConstraint(*returnList, temp); |
- } |
- current = CERT_GetNextNameConstraint(current); |
- } while (current != constraints); |
- PORT_ArenaUnmark(arena, mark); |
- return SECSuccess; |
+ current = constraints; |
+ do { |
+ PORT_Assert(current->name.type); |
+ if (current->name.type == type) { |
+ CERTNameConstraint *temp; |
+ temp = CERT_CopyNameConstraint(arena, NULL, current); |
+ if (temp == NULL) goto loser; |
+ *returnList = CERT_AddNameConstraint(*returnList, temp); |
+ } |
+ current = CERT_GetNextNameConstraint(current); |
+ } while (current != constraints); |
+ PORT_ArenaUnmark(arena, mark); |
+ return SECSuccess; |
loser: |
- PORT_ArenaRelease(arena, mark); |
- return SECFailure; |
+ PORT_ArenaRelease(arena, mark); |
+ return SECFailure; |
} |
-void * |
-CERT_GetGeneralNameByType (CERTGeneralName *genNames, |
- CERTGeneralNameType type, PRBool derFormat) |
-{ |
- CERTGeneralName *current; |
- |
- if (!genNames) |
- return NULL; |
- current = genNames; |
+void *CERT_GetGeneralNameByType(CERTGeneralName *genNames, |
+ CERTGeneralNameType type, PRBool derFormat) { |
+ CERTGeneralName *current; |
- do { |
- if (current->type == type) { |
- switch (type) { |
- case certDNSName: |
- case certEDIPartyName: |
- case certIPAddress: |
- case certRegisterID: |
- case certRFC822Name: |
- case certX400Address: |
- case certURI: |
- return (void *)¤t->name.other; /* SECItem * */ |
+ if (!genNames) return NULL; |
+ current = genNames; |
- case certOtherName: |
- return (void *)¤t->name.OthName; /* OthName * */ |
+ do { |
+ if (current->type == type) { |
+ switch (type) { |
+ case certDNSName: |
+ case certEDIPartyName: |
+ case certIPAddress: |
+ case certRegisterID: |
+ case certRFC822Name: |
+ case certX400Address: |
+ case certURI: |
+ return (void *)¤t->name.other; /* SECItem * */ |
- case certDirectoryName: |
- return derFormat |
- ? (void *)¤t->derDirectoryName /* SECItem * */ |
- : (void *)¤t->name.directoryName; /* CERTName * */ |
- } |
- PORT_Assert(0); |
- return NULL; |
- } |
- current = CERT_GetNextGeneralName(current); |
- } while (current != genNames); |
- return NULL; |
+ case certOtherName: |
+ return (void *)¤t->name.OthName; /* OthName * */ |
+ |
+ case certDirectoryName: |
+ return derFormat |
+ ? (void *)¤t->derDirectoryName /* SECItem * */ |
+ : (void *)¤t->name.directoryName; /* CERTName * */ |
+ } |
+ PORT_Assert(0); |
+ return NULL; |
+ } |
+ current = CERT_GetNextGeneralName(current); |
+ } while (current != genNames); |
+ return NULL; |
} |
-int |
-CERT_GetNamesLength(CERTGeneralName *names) |
-{ |
- int length = 0; |
- CERTGeneralName *first; |
+int CERT_GetNamesLength(CERTGeneralName *names) { |
+ int length = 0; |
+ CERTGeneralName *first; |
- first = names; |
- if (names != NULL) { |
- do { |
- length++; |
- names = CERT_GetNextGeneralName(names); |
- } while (names != first); |
- } |
- return length; |
+ first = names; |
+ if (names != NULL) { |
+ do { |
+ length++; |
+ names = CERT_GetNextGeneralName(names); |
+ } while (names != first); |
+ } |
+ return length; |
} |
-/* Creates new GeneralNames for any email addresses found in the |
+/* Creates new GeneralNames for any email addresses found in the |
** input DN, and links them onto the list for the DN. |
*/ |
-SECStatus |
-cert_ExtractDNEmailAddrs(CERTGeneralName *name, PLArenaPool *arena) |
-{ |
- CERTGeneralName *nameList = NULL; |
- const CERTRDN **nRDNs = (const CERTRDN **)(name->name.directoryName.rdns); |
- SECStatus rv = SECSuccess; |
+SECStatus cert_ExtractDNEmailAddrs(CERTGeneralName *name, PLArenaPool *arena) { |
+ CERTGeneralName *nameList = NULL; |
+ const CERTRDN **nRDNs = (const CERTRDN **)(name->name.directoryName.rdns); |
+ SECStatus rv = SECSuccess; |
- PORT_Assert(name->type == certDirectoryName); |
- if (name->type != certDirectoryName) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return SECFailure; |
- } |
- /* TODO: mark arena */ |
- while (nRDNs && *nRDNs) { /* loop over RDNs */ |
- const CERTRDN *nRDN = *nRDNs++; |
- CERTAVA **nAVAs = nRDN->avas; |
- while (nAVAs && *nAVAs) { /* loop over AVAs */ |
- int tag; |
- CERTAVA *nAVA = *nAVAs++; |
- tag = CERT_GetAVATag(nAVA); |
- if ( tag == SEC_OID_PKCS9_EMAIL_ADDRESS || |
- tag == SEC_OID_RFC1274_MAIL) { /* email AVA */ |
- CERTGeneralName *newName = NULL; |
- SECItem *avaValue = CERT_DecodeAVAValue(&nAVA->value); |
- if (!avaValue) |
- goto loser; |
- rv = SECFailure; |
- newName = CERT_NewGeneralName(arena, certRFC822Name); |
- if (newName) { |
- rv = SECITEM_CopyItem(arena, &newName->name.other, avaValue); |
- } |
- SECITEM_FreeItem(avaValue, PR_TRUE); |
- if (rv != SECSuccess) |
- goto loser; |
- nameList = cert_CombineNamesLists(nameList, newName); |
- } /* handle one email AVA */ |
- } /* loop over AVAs */ |
- } /* loop over RDNs */ |
- /* combine new names with old one. */ |
- name = cert_CombineNamesLists(name, nameList); |
- /* TODO: unmark arena */ |
- return SECSuccess; |
+ PORT_Assert(name->type == certDirectoryName); |
+ if (name->type != certDirectoryName) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return SECFailure; |
+ } |
+ /* TODO: mark arena */ |
+ while (nRDNs && *nRDNs) {/* loop over RDNs */ |
+ const CERTRDN *nRDN = *nRDNs++; |
+ CERTAVA **nAVAs = nRDN->avas; |
+ while (nAVAs && *nAVAs) {/* loop over AVAs */ |
+ int tag; |
+ CERTAVA *nAVA = *nAVAs++; |
+ tag = CERT_GetAVATag(nAVA); |
+ if (tag == SEC_OID_PKCS9_EMAIL_ADDRESS || |
+ tag == SEC_OID_RFC1274_MAIL) {/* email AVA */ |
+ CERTGeneralName *newName = NULL; |
+ SECItem *avaValue = CERT_DecodeAVAValue(&nAVA->value); |
+ if (!avaValue) goto loser; |
+ rv = SECFailure; |
+ newName = CERT_NewGeneralName(arena, certRFC822Name); |
+ if (newName) { |
+ rv = SECITEM_CopyItem(arena, &newName->name.other, avaValue); |
+ } |
+ SECITEM_FreeItem(avaValue, PR_TRUE); |
+ if (rv != SECSuccess) goto loser; |
+ nameList = cert_CombineNamesLists(nameList, newName); |
+ } /* handle one email AVA */ |
+ } /* loop over AVAs */ |
+ } /* loop over RDNs */ |
+ /* combine new names with old one. */ |
+ name = cert_CombineNamesLists(name, nameList); |
+ /* TODO: unmark arena */ |
+ return SECSuccess; |
loser: |
- /* TODO: release arena back to mark */ |
- return SECFailure; |
+ /* TODO: release arena back to mark */ |
+ return SECFailure; |
} |
-/* Extract all names except Subject Common Name from a cert |
+/* Extract all names except Subject Common Name from a cert |
** in preparation for a name constraints test. |
*/ |
-CERTGeneralName * |
-CERT_GetCertificateNames(CERTCertificate *cert, PLArenaPool *arena) |
-{ |
- return CERT_GetConstrainedCertificateNames(cert, arena, PR_FALSE); |
+CERTGeneralName *CERT_GetCertificateNames(CERTCertificate *cert, |
+ PLArenaPool *arena) { |
+ return CERT_GetConstrainedCertificateNames(cert, arena, PR_FALSE); |
} |
/* This function is called by CERT_VerifyCertChain to extract all |
** names from a cert in preparation for a name constraints test. |
*/ |
-CERTGeneralName * |
-CERT_GetConstrainedCertificateNames(const CERTCertificate *cert, |
- PLArenaPool *arena, |
- PRBool includeSubjectCommonName) |
-{ |
- CERTGeneralName *DN; |
- CERTGeneralName *SAN; |
- PRUint32 numDNSNames = 0; |
- SECStatus rv; |
+CERTGeneralName *CERT_GetConstrainedCertificateNames( |
+ const CERTCertificate *cert, PLArenaPool *arena, |
+ PRBool includeSubjectCommonName) { |
+ CERTGeneralName *DN; |
+ CERTGeneralName *SAN; |
+ PRUint32 numDNSNames = 0; |
+ SECStatus rv; |
- if (!arena) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return NULL; |
+ if (!arena) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return NULL; |
+ } |
+ /* TODO: mark arena */ |
+ DN = CERT_NewGeneralName(arena, certDirectoryName); |
+ if (DN == NULL) { |
+ goto loser; |
+ } |
+ rv = CERT_CopyName(arena, &DN->name.directoryName, &cert->subject); |
+ if (rv != SECSuccess) { |
+ goto loser; |
+ } |
+ rv = SECITEM_CopyItem(arena, &DN->derDirectoryName, &cert->derSubject); |
+ if (rv != SECSuccess) { |
+ goto loser; |
+ } |
+ /* Extract email addresses from DN, construct CERTGeneralName structs |
+ ** for them, add them to the name list |
+ */ |
+ rv = cert_ExtractDNEmailAddrs(DN, arena); |
+ if (rv != SECSuccess) goto loser; |
+ |
+ /* Now extract any GeneralNames from the subject name names extension. */ |
+ SAN = cert_GetSubjectAltNameList(cert, arena); |
+ if (SAN) { |
+ numDNSNames = cert_CountDNSPatterns(SAN); |
+ DN = cert_CombineNamesLists(DN, SAN); |
+ } |
+ if (!numDNSNames && includeSubjectCommonName) { |
+ char *cn = CERT_GetCommonName(&cert->subject); |
+ if (cn) { |
+ CERTGeneralName *CN = CERT_NewGeneralName(arena, certDNSName); |
+ if (CN) { |
+ SECItem cnItem = {siBuffer, NULL, 0}; |
+ cnItem.data = (unsigned char *)cn; |
+ cnItem.len = strlen(cn); |
+ rv = SECITEM_CopyItem(arena, &CN->name.other, &cnItem); |
+ if (rv == SECSuccess) { |
+ DN = cert_CombineNamesLists(DN, CN); |
+ } |
+ } |
+ PORT_Free(cn); |
} |
- /* TODO: mark arena */ |
- DN = CERT_NewGeneralName(arena, certDirectoryName); |
- if (DN == NULL) { |
- goto loser; |
- } |
- rv = CERT_CopyName(arena, &DN->name.directoryName, &cert->subject); |
- if (rv != SECSuccess) { |
- goto loser; |
- } |
- rv = SECITEM_CopyItem(arena, &DN->derDirectoryName, &cert->derSubject); |
- if (rv != SECSuccess) { |
- goto loser; |
- } |
- /* Extract email addresses from DN, construct CERTGeneralName structs |
- ** for them, add them to the name list |
- */ |
- rv = cert_ExtractDNEmailAddrs(DN, arena); |
- if (rv != SECSuccess) |
- goto loser; |
- |
- /* Now extract any GeneralNames from the subject name names extension. */ |
- SAN = cert_GetSubjectAltNameList(cert, arena); |
- if (SAN) { |
- numDNSNames = cert_CountDNSPatterns(SAN); |
- DN = cert_CombineNamesLists(DN, SAN); |
- } |
- if (!numDNSNames && includeSubjectCommonName) { |
- char *cn = CERT_GetCommonName(&cert->subject); |
- if (cn) { |
- CERTGeneralName *CN = CERT_NewGeneralName(arena, certDNSName); |
- if (CN) { |
- SECItem cnItem = {siBuffer, NULL, 0}; |
- cnItem.data = (unsigned char *)cn; |
- cnItem.len = strlen(cn); |
- rv = SECITEM_CopyItem(arena, &CN->name.other, &cnItem); |
- if (rv == SECSuccess) { |
- DN = cert_CombineNamesLists(DN, CN); |
- } |
- } |
- PORT_Free(cn); |
- } |
- } |
- if (rv == SECSuccess) { |
- /* TODO: unmark arena */ |
- return DN; |
- } |
+ } |
+ if (rv == SECSuccess) { |
+ /* TODO: unmark arena */ |
+ return DN; |
+ } |
loser: |
- /* TODO: release arena to mark */ |
- return NULL; |
+ /* TODO: release arena to mark */ |
+ return NULL; |
} |
-/* Returns SECSuccess if name matches constraint per RFC 3280 rules for |
+/* Returns SECSuccess if name matches constraint per RFC 3280 rules for |
** URI name constraints. SECFailure otherwise. |
** If the constraint begins with a dot, it is a domain name, otherwise |
** It is a host name. Examples: |
** Constraint Name Result |
** ------------ --------------- -------- |
** foo.bar.com foo.bar.com matches |
** foo.bar.com FoO.bAr.CoM matches |
** foo.bar.com www.foo.bar.com no match |
** foo.bar.com nofoo.bar.com no match |
** .foo.bar.com www.foo.bar.com matches |
** .foo.bar.com nofoo.bar.com no match |
** .foo.bar.com foo.bar.com no match |
** .foo.bar.com www..foo.bar.com no match |
*/ |
-static SECStatus |
-compareURIN2C(const SECItem *name, const SECItem *constraint) |
-{ |
- int offset; |
- /* The spec is silent on intepreting zero-length constraints. |
- ** We interpret them as matching no URI names. |
- */ |
- if (!constraint->len) |
- return SECFailure; |
- if (constraint->data[0] != '.') { |
- /* constraint is a host name. */ |
- if (name->len != constraint->len || |
- PL_strncasecmp((char *)name->data, |
- (char *)constraint->data, constraint->len)) |
- return SECFailure; |
- return SECSuccess; |
- } |
- /* constraint is a domain name. */ |
- if (name->len < constraint->len) |
- return SECFailure; |
- offset = name->len - constraint->len; |
- if (PL_strncasecmp((char *)(name->data + offset), |
- (char *)constraint->data, constraint->len)) |
- return SECFailure; |
- if (!offset || |
- (name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1) |
- return SECSuccess; |
+static SECStatus compareURIN2C(const SECItem *name, const SECItem *constraint) { |
+ int offset; |
+ /* The spec is silent on intepreting zero-length constraints. |
+ ** We interpret them as matching no URI names. |
+ */ |
+ if (!constraint->len) return SECFailure; |
+ if (constraint->data[0] != '.') { |
+ /* constraint is a host name. */ |
+ if (name->len != constraint->len || |
+ PL_strncasecmp((char *)name->data, (char *)constraint->data, |
+ constraint->len)) |
+ return SECFailure; |
+ return SECSuccess; |
+ } |
+ /* constraint is a domain name. */ |
+ if (name->len < constraint->len) return SECFailure; |
+ offset = name->len - constraint->len; |
+ if (PL_strncasecmp((char *)(name->data + offset), (char *)constraint->data, |
+ constraint->len)) |
return SECFailure; |
+ if (!offset || |
+ (name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1) |
+ return SECSuccess; |
+ return SECFailure; |
} |
/* for DNSname constraints, RFC 3280 says, (section 4.2.1.11, page 38) |
** |
** DNS name restrictions are expressed as foo.bar.com. Any DNS name |
** that can be constructed by simply adding to the left hand side of the |
** name satisfies the name constraint. For example, www.foo.bar.com |
** would satisfy the constraint but foo1.bar.com would not. |
@@ -1220,551 +1129,514 @@ compareURIN2C(const SECItem *name, const |
** Constraint Name RFC 3280 NIST PKITS |
** ------------ --------------- -------- ---------- |
** foo.bar.com foo.bar.com matches matches |
** foo.bar.com FoO.bAr.CoM matches matches |
** foo.bar.com www.foo.bar.com matches matches |
** foo.bar.com nofoo.bar.com MATCHES NO MATCH |
** .foo.bar.com www.foo.bar.com matches matches? disallowed? |
** .foo.bar.com foo.bar.com no match no match |
-** .foo.bar.com www..foo.bar.com matches probably not |
+** .foo.bar.com www..foo.bar.com matches probably not |
** |
-** We will try to conform to NIST's PKITS tests, and the unstated |
+** We will try to conform to NIST's PKITS tests, and the unstated |
** rules they imply. |
*/ |
-static SECStatus |
-compareDNSN2C(const SECItem *name, const SECItem *constraint) |
-{ |
- int offset; |
- /* The spec is silent on intepreting zero-length constraints. |
- ** We interpret them as matching all DNSnames. |
- */ |
- if (!constraint->len) |
- return SECSuccess; |
- if (name->len < constraint->len) |
- return SECFailure; |
- offset = name->len - constraint->len; |
- if (PL_strncasecmp((char *)(name->data + offset), |
- (char *)constraint->data, constraint->len)) |
- return SECFailure; |
- if (!offset || |
- (name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1) |
- return SECSuccess; |
+static SECStatus compareDNSN2C(const SECItem *name, const SECItem *constraint) { |
+ int offset; |
+ /* The spec is silent on intepreting zero-length constraints. |
+ ** We interpret them as matching all DNSnames. |
+ */ |
+ if (!constraint->len) return SECSuccess; |
+ if (name->len < constraint->len) return SECFailure; |
+ offset = name->len - constraint->len; |
+ if (PL_strncasecmp((char *)(name->data + offset), (char *)constraint->data, |
+ constraint->len)) |
return SECFailure; |
+ if (!offset || |
+ (name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1) |
+ return SECSuccess; |
+ return SECFailure; |
} |
/* Returns SECSuccess if name matches constraint per RFC 3280 rules for |
** internet email addresses. SECFailure otherwise. |
** If constraint contains a '@' then the two strings much match exactly. |
** Else if constraint starts with a '.'. then it must match the right-most |
-** substring of the name, |
+** substring of the name, |
** else constraint string must match entire name after the name's '@'. |
** Empty constraint string matches all names. All comparisons case insensitive. |
*/ |
-static SECStatus |
-compareRFC822N2C(const SECItem *name, const SECItem *constraint) |
-{ |
- int offset; |
- if (!constraint->len) |
- return SECSuccess; |
- if (name->len < constraint->len) |
- return SECFailure; |
- if (constraint->len == 1 && constraint->data[0] == '.') |
- return SECSuccess; |
- for (offset = constraint->len - 1; offset >= 0; --offset) { |
- if (constraint->data[offset] == '@') { |
- return (name->len == constraint->len && |
- !PL_strncasecmp((char *)name->data, |
- (char *)constraint->data, constraint->len)) |
- ? SECSuccess : SECFailure; |
- } |
+static SECStatus compareRFC822N2C(const SECItem *name, |
+ const SECItem *constraint) { |
+ int offset; |
+ if (!constraint->len) return SECSuccess; |
+ if (name->len < constraint->len) return SECFailure; |
+ if (constraint->len == 1 && constraint->data[0] == '.') return SECSuccess; |
+ for (offset = constraint->len - 1; offset >= 0; --offset) { |
+ if (constraint->data[offset] == '@') { |
+ return (name->len == constraint->len && |
+ !PL_strncasecmp((char *)name->data, (char *)constraint->data, |
+ constraint->len)) |
+ ? SECSuccess |
+ : SECFailure; |
} |
- offset = name->len - constraint->len; |
- if (PL_strncasecmp((char *)(name->data + offset), |
- (char *)constraint->data, constraint->len)) |
- return SECFailure; |
- if (constraint->data[0] == '.') |
- return SECSuccess; |
- if (offset > 0 && name->data[offset - 1] == '@') |
- return SECSuccess; |
+ } |
+ offset = name->len - constraint->len; |
+ if (PL_strncasecmp((char *)(name->data + offset), (char *)constraint->data, |
+ constraint->len)) |
return SECFailure; |
+ if (constraint->data[0] == '.') return SECSuccess; |
+ if (offset > 0 && name->data[offset - 1] == '@') return SECSuccess; |
+ return SECFailure; |
} |
/* name contains either a 4 byte IPv4 address or a 16 byte IPv6 address. |
** constraint contains an address of the same length, and a subnet mask |
-** of the same length. Compare name's address to the constraint's |
+** of the same length. Compare name's address to the constraint's |
** address, subject to the mask. |
-** Return SECSuccess if they match, SECFailure if they don't. |
+** Return SECSuccess if they match, SECFailure if they don't. |
*/ |
-static SECStatus |
-compareIPaddrN2C(const SECItem *name, const SECItem *constraint) |
-{ |
- int i; |
- if (name->len == 4 && constraint->len == 8) { /* ipv4 addr */ |
- for (i = 0; i < 4; i++) { |
- if ((name->data[i] ^ constraint->data[i]) & constraint->data[i+4]) |
- goto loser; |
- } |
- return SECSuccess; |
+static SECStatus compareIPaddrN2C(const SECItem *name, |
+ const SECItem *constraint) { |
+ int i; |
+ if (name->len == 4 && constraint->len == 8) {/* ipv4 addr */ |
+ for (i = 0; i < 4; i++) { |
+ if ((name->data[i] ^ constraint->data[i]) & constraint->data[i + 4]) |
+ goto loser; |
} |
- if (name->len == 16 && constraint->len == 32) { /* ipv6 addr */ |
- for (i = 0; i < 16; i++) { |
- if ((name->data[i] ^ constraint->data[i]) & constraint->data[i+16]) |
- goto loser; |
- } |
- return SECSuccess; |
+ return SECSuccess; |
+ } |
+ if (name->len == 16 && constraint->len == 32) {/* ipv6 addr */ |
+ for (i = 0; i < 16; i++) { |
+ if ((name->data[i] ^ constraint->data[i]) & constraint->data[i + 16]) |
+ goto loser; |
} |
+ return SECSuccess; |
+ } |
loser: |
- return SECFailure; |
+ return SECFailure; |
} |
-/* start with a SECItem that points to a URI. Parse it lookingg for |
+/* start with a SECItem that points to a URI. Parse it lookingg for |
** a hostname. Modify item->data and item->len to define the hostname, |
-** but do not modify and data at item->data. |
+** but do not modify and data at item->data. |
** If anything goes wrong, the contents of *item are undefined. |
*/ |
-static SECStatus |
-parseUriHostname(SECItem * item) |
-{ |
- int i; |
- PRBool found = PR_FALSE; |
- for (i = 0; (unsigned)(i+2) < item->len; ++i) { |
- if (item->data[i ] == ':' && |
- item->data[i+1] == '/' && |
- item->data[i+2] == '/') { |
- i += 3; |
- item->data += i; |
- item->len -= i; |
- found = PR_TRUE; |
- break; |
- } |
+static SECStatus parseUriHostname(SECItem *item) { |
+ int i; |
+ PRBool found = PR_FALSE; |
+ for (i = 0; (unsigned)(i + 2) < item->len; ++i) { |
+ if (item->data[i] == ':' && item->data[i + 1] == '/' && |
+ item->data[i + 2] == '/') { |
+ i += 3; |
+ item->data += i; |
+ item->len -= i; |
+ found = PR_TRUE; |
+ break; |
} |
- if (!found) |
- return SECFailure; |
- /* now look for a '/', which is an upper bound in the end of the name */ |
- for (i = 0; (unsigned)i < item->len; ++i) { |
- if (item->data[i] == '/') { |
- item->len = i; |
- break; |
- } |
+ } |
+ if (!found) return SECFailure; |
+ /* now look for a '/', which is an upper bound in the end of the name */ |
+ for (i = 0; (unsigned)i < item->len; ++i) { |
+ if (item->data[i] == '/') { |
+ item->len = i; |
+ break; |
} |
- /* now look for a ':', which marks the end of the name */ |
- for (i = item->len; --i >= 0; ) { |
- if (item->data[i] == ':') { |
- item->len = i; |
- break; |
- } |
+ } |
+ /* now look for a ':', which marks the end of the name */ |
+ for (i = item->len; --i >= 0;) { |
+ if (item->data[i] == ':') { |
+ item->len = i; |
+ break; |
} |
- /* now look for an '@', which marks the beginning of the hostname */ |
- for (i = 0; (unsigned)i < item->len; ++i) { |
- if (item->data[i] == '@') { |
- ++i; |
- item->data += i; |
- item->len -= i; |
- break; |
- } |
+ } |
+ /* now look for an '@', which marks the beginning of the hostname */ |
+ for (i = 0; (unsigned)i < item->len; ++i) { |
+ if (item->data[i] == '@') { |
+ ++i; |
+ item->data += i; |
+ item->len -= i; |
+ break; |
} |
- return item->len ? SECSuccess : SECFailure; |
+ } |
+ return item->len ? SECSuccess : SECFailure; |
} |
/* This function takes one name, and a list of constraints. |
** It searches the constraints looking for a match. |
** It returns SECSuccess if the name satisfies the constraints, i.e., |
-** if excluded, then the name does not match any constraint, |
+** if excluded, then the name does not match any constraint, |
** if permitted, then the name matches at least one constraint. |
** It returns SECFailure if the name fails to satisfy the constraints, |
** or if some code fails (e.g. out of memory, or invalid constraint) |
*/ |
-SECStatus |
-cert_CompareNameWithConstraints(const CERTGeneralName *name, |
- const CERTNameConstraint *constraints, |
- PRBool excluded) |
-{ |
- SECStatus rv = SECSuccess; |
- SECStatus matched = SECFailure; |
- const CERTNameConstraint *current; |
+SECStatus cert_CompareNameWithConstraints(const CERTGeneralName *name, |
+ const CERTNameConstraint *constraints, |
+ PRBool excluded) { |
+ SECStatus rv = SECSuccess; |
+ SECStatus matched = SECFailure; |
+ const CERTNameConstraint *current; |
- PORT_Assert(constraints); /* caller should not call with NULL */ |
- if (!constraints) { |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return SECFailure; |
+ PORT_Assert(constraints); /* caller should not call with NULL */ |
+ if (!constraints) { |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return SECFailure; |
+ } |
+ |
+ current = constraints; |
+ do { |
+ rv = SECSuccess; |
+ matched = SECFailure; |
+ PORT_Assert(name->type == current->name.type); |
+ switch (name->type) { |
+ |
+ case certDNSName: |
+ matched = compareDNSN2C(&name->name.other, ¤t->name.name.other); |
+ break; |
+ |
+ case certRFC822Name: |
+ matched = |
+ compareRFC822N2C(&name->name.other, ¤t->name.name.other); |
+ break; |
+ |
+ case certURI: { |
+ /* make a modifiable copy of the URI SECItem. */ |
+ SECItem uri = name->name.other; |
+ /* find the hostname in the URI */ |
+ rv = parseUriHostname(&uri); |
+ if (rv == SECSuccess) { |
+ /* does our hostname meet the constraint? */ |
+ matched = compareURIN2C(&uri, ¤t->name.name.other); |
+ } |
+ } break; |
+ |
+ case certDirectoryName: |
+ /* Determine if the constraint directory name is a "prefix" |
+ ** for the directory name being tested. |
+ */ |
+ { |
+ /* status defaults to SECEqual, so that a constraint with |
+ ** no AVAs will be a wildcard, matching all directory names. |
+ */ |
+ SECComparison status = SECEqual; |
+ const CERTRDN **cRDNs = |
+ (const CERTRDN **)current->name.name.directoryName.rdns; |
+ const CERTRDN **nRDNs = |
+ (const CERTRDN **)name->name.directoryName.rdns; |
+ while (cRDNs && *cRDNs && nRDNs && *nRDNs) { |
+ /* loop over name RDNs and constraint RDNs in lock step */ |
+ const CERTRDN *cRDN = *cRDNs++; |
+ const CERTRDN *nRDN = *nRDNs++; |
+ CERTAVA **cAVAs = cRDN->avas; |
+ while (cAVAs && *cAVAs) {/* loop over constraint AVAs */ |
+ CERTAVA *cAVA = *cAVAs++; |
+ CERTAVA **nAVAs = nRDN->avas; |
+ while (nAVAs && *nAVAs) {/* loop over name AVAs */ |
+ CERTAVA *nAVA = *nAVAs++; |
+ status = CERT_CompareAVA(cAVA, nAVA); |
+ if (status == SECEqual) break; |
+ } /* loop over name AVAs */ |
+ if (status != SECEqual) break; |
+ } /* loop over constraint AVAs */ |
+ if (status != SECEqual) break; |
+ } /* loop over name RDNs and constraint RDNs */ |
+ matched = (status == SECEqual) ? SECSuccess : SECFailure; |
+ break; |
+ } |
+ |
+ case certIPAddress: /* type 8 */ |
+ matched = |
+ compareIPaddrN2C(&name->name.other, ¤t->name.name.other); |
+ break; |
+ |
+ /* NSS does not know how to compare these "Other" type names with |
+ ** their respective constraints. But it does know how to tell |
+ ** if the constraint applies to the type of name (by comparing |
+ ** the constraint OID to the name OID). NSS makes no use of "Other" |
+ ** type names at all, so NSS errs on the side of leniency for these |
+ ** types, provided that their OIDs match. So, when an "Other" |
+ ** name constraint appears in an excluded subtree, it never causes |
+ ** a name to fail. When an "Other" name constraint appears in a |
+ ** permitted subtree, AND the constraint's OID matches the name's |
+ ** OID, then name is treated as if it matches the constraint. |
+ */ |
+ case certOtherName: /* type 1 */ |
+ matched = (!excluded && name->type == current->name.type && |
+ SECITEM_ItemsAreEqual(&name->name.OthName.oid, |
+ ¤t->name.name.OthName.oid)) |
+ ? SECSuccess |
+ : SECFailure; |
+ break; |
+ |
+ /* NSS does not know how to compare these types of names with their |
+ ** respective constraints. But NSS makes no use of these types of |
+ ** names at all, so it errs on the side of leniency for these types. |
+ ** Constraints for these types of names never cause the name to |
+ ** fail the constraints test. NSS behaves as if the name matched |
+ ** for permitted constraints, and did not match for excluded ones. |
+ */ |
+ case certX400Address: /* type 4 */ |
+ case certEDIPartyName: /* type 6 */ |
+ case certRegisterID: /* type 9 */ |
+ matched = excluded ? SECFailure : SECSuccess; |
+ break; |
+ |
+ default: /* non-standard types are not supported */ |
+ rv = SECFailure; |
+ break; |
} |
+ if (matched == SECSuccess || rv != SECSuccess) break; |
+ current = CERT_GetNextNameConstraint((CERTNameConstraint *)current); |
+ } while (current != constraints); |
+ if (rv == SECSuccess) { |
+ if (matched == SECSuccess) |
+ rv = excluded ? SECFailure : SECSuccess; |
+ else |
+ rv = excluded ? SECSuccess : SECFailure; |
+ return rv; |
+ } |
- current = constraints; |
- do { |
- rv = SECSuccess; |
- matched = SECFailure; |
- PORT_Assert(name->type == current->name.type); |
- switch (name->type) { |
- |
- case certDNSName: |
- matched = compareDNSN2C(&name->name.other, |
- ¤t->name.name.other); |
- break; |
- |
- case certRFC822Name: |
- matched = compareRFC822N2C(&name->name.other, |
- ¤t->name.name.other); |
- break; |
- |
- case certURI: |
- { |
- /* make a modifiable copy of the URI SECItem. */ |
- SECItem uri = name->name.other; |
- /* find the hostname in the URI */ |
- rv = parseUriHostname(&uri); |
- if (rv == SECSuccess) { |
- /* does our hostname meet the constraint? */ |
- matched = compareURIN2C(&uri, ¤t->name.name.other); |
- } |
- } |
- break; |
- |
- case certDirectoryName: |
- /* Determine if the constraint directory name is a "prefix" |
- ** for the directory name being tested. |
- */ |
- { |
- /* status defaults to SECEqual, so that a constraint with |
- ** no AVAs will be a wildcard, matching all directory names. |
- */ |
- SECComparison status = SECEqual; |
- const CERTRDN **cRDNs = |
- (const CERTRDN **)current->name.name.directoryName.rdns; |
- const CERTRDN **nRDNs = |
- (const CERTRDN **)name->name.directoryName.rdns; |
- while (cRDNs && *cRDNs && nRDNs && *nRDNs) { |
- /* loop over name RDNs and constraint RDNs in lock step */ |
- const CERTRDN *cRDN = *cRDNs++; |
- const CERTRDN *nRDN = *nRDNs++; |
- CERTAVA **cAVAs = cRDN->avas; |
- while (cAVAs && *cAVAs) { /* loop over constraint AVAs */ |
- CERTAVA *cAVA = *cAVAs++; |
- CERTAVA **nAVAs = nRDN->avas; |
- while (nAVAs && *nAVAs) { /* loop over name AVAs */ |
- CERTAVA *nAVA = *nAVAs++; |
- status = CERT_CompareAVA(cAVA, nAVA); |
- if (status == SECEqual) |
- break; |
- } /* loop over name AVAs */ |
- if (status != SECEqual) |
- break; |
- } /* loop over constraint AVAs */ |
- if (status != SECEqual) |
- break; |
- } /* loop over name RDNs and constraint RDNs */ |
- matched = (status == SECEqual) ? SECSuccess : SECFailure; |
- break; |
- } |
- |
- case certIPAddress: /* type 8 */ |
- matched = compareIPaddrN2C(&name->name.other, |
- ¤t->name.name.other); |
- break; |
- |
- /* NSS does not know how to compare these "Other" type names with |
- ** their respective constraints. But it does know how to tell |
- ** if the constraint applies to the type of name (by comparing |
- ** the constraint OID to the name OID). NSS makes no use of "Other" |
- ** type names at all, so NSS errs on the side of leniency for these |
- ** types, provided that their OIDs match. So, when an "Other" |
- ** name constraint appears in an excluded subtree, it never causes |
- ** a name to fail. When an "Other" name constraint appears in a |
- ** permitted subtree, AND the constraint's OID matches the name's |
- ** OID, then name is treated as if it matches the constraint. |
- */ |
- case certOtherName: /* type 1 */ |
- matched = (!excluded && |
- name->type == current->name.type && |
- SECITEM_ItemsAreEqual(&name->name.OthName.oid, |
- ¤t->name.name.OthName.oid)) |
- ? SECSuccess : SECFailure; |
- break; |
- |
- /* NSS does not know how to compare these types of names with their |
- ** respective constraints. But NSS makes no use of these types of |
- ** names at all, so it errs on the side of leniency for these types. |
- ** Constraints for these types of names never cause the name to |
- ** fail the constraints test. NSS behaves as if the name matched |
- ** for permitted constraints, and did not match for excluded ones. |
- */ |
- case certX400Address: /* type 4 */ |
- case certEDIPartyName: /* type 6 */ |
- case certRegisterID: /* type 9 */ |
- matched = excluded ? SECFailure : SECSuccess; |
- break; |
- |
- default: /* non-standard types are not supported */ |
- rv = SECFailure; |
- break; |
- } |
- if (matched == SECSuccess || rv != SECSuccess) |
- break; |
- current = CERT_GetNextNameConstraint((CERTNameConstraint*)current); |
- } while (current != constraints); |
- if (rv == SECSuccess) { |
- if (matched == SECSuccess) |
- rv = excluded ? SECFailure : SECSuccess; |
- else |
- rv = excluded ? SECSuccess : SECFailure; |
- return rv; |
- } |
- |
- return SECFailure; |
+ return SECFailure; |
} |
/* Add and link a CERTGeneralName to a CERTNameConstraint list. Most |
** likely the CERTNameConstraint passed in is either the permitted |
** list or the excluded list of a CERTNameConstraints. |
*/ |
-SECStatus |
-CERT_AddNameConstraintByGeneralName(PLArenaPool *arena, |
- CERTNameConstraint **constraints, |
- CERTGeneralName *name) |
-{ |
- SECStatus rv; |
- CERTNameConstraint *current = NULL; |
- CERTNameConstraint *first = *constraints; |
- void *mark = NULL; |
+SECStatus CERT_AddNameConstraintByGeneralName(PLArenaPool *arena, |
+ CERTNameConstraint **constraints, |
+ CERTGeneralName *name) { |
+ SECStatus rv; |
+ CERTNameConstraint *current = NULL; |
+ CERTNameConstraint *first = *constraints; |
+ void *mark = NULL; |
- mark = PORT_ArenaMark(arena); |
+ mark = PORT_ArenaMark(arena); |
- current = PORT_ArenaZNew(arena, CERTNameConstraint); |
- if (current == NULL) { |
- rv = SECFailure; |
- goto done; |
- } |
- |
- rv = cert_CopyOneGeneralName(arena, ¤t->name, name); |
- if (rv != SECSuccess) { |
- goto done; |
- } |
- |
- current->name.l.prev = current->name.l.next = &(current->name.l); |
- |
- if (first == NULL) { |
- *constraints = current; |
- PR_INIT_CLIST(¤t->l); |
- } else { |
- PR_INSERT_BEFORE(¤t->l, &first->l); |
- } |
+ current = PORT_ArenaZNew(arena, CERTNameConstraint); |
+ if (current == NULL) { |
+ rv = SECFailure; |
+ goto done; |
+ } |
+ |
+ rv = cert_CopyOneGeneralName(arena, ¤t->name, name); |
+ if (rv != SECSuccess) { |
+ goto done; |
+ } |
+ |
+ current->name.l.prev = current->name.l.next = &(current->name.l); |
+ |
+ if (first == NULL) { |
+ *constraints = current; |
+ PR_INIT_CLIST(¤t->l); |
+ } else { |
+ PR_INSERT_BEFORE(¤t->l, &first->l); |
+ } |
done: |
- if (rv == SECFailure) { |
- PORT_ArenaRelease(arena, mark); |
- } else { |
- PORT_ArenaUnmark(arena, mark); |
- } |
- return rv; |
+ if (rv == SECFailure) { |
+ PORT_ArenaRelease(arena, mark); |
+ } else { |
+ PORT_ArenaUnmark(arena, mark); |
+ } |
+ return rv; |
} |
/* Add name constraints to certain certs that do not include name constraints |
* This is the core of the implementation for bug 952572. |
*/ |
-static SECStatus |
-getNameExtensionsBuiltIn(CERTCertificate *cert, |
- SECItem *extensions) |
-{ |
- const char constraintFranceGov[] = "\x30\x5D" /* sequence len = 93*/ |
- "\xA0\x5B" /* element len =91 */ |
- "\x30\x05" /* sequence len 5 */ |
- "\x82\x03" /* entry len 3 */ |
- ".fr" |
- "\x30\x05\x82\x03" /* sequence len5, entry len 3 */ |
- ".gp" |
- "\x30\x05\x82\x03" |
- ".gf" |
- "\x30\x05\x82\x03" |
- ".mq" |
- "\x30\x05\x82\x03" |
- ".re" |
- "\x30\x05\x82\x03" |
- ".yt" |
- "\x30\x05\x82\x03" |
- ".pm" |
- "\x30\x05\x82\x03" |
- ".bl" |
- "\x30\x05\x82\x03" |
- ".mf" |
- "\x30\x05\x82\x03" |
- ".wf" |
- "\x30\x05\x82\x03" |
- ".pf" |
- "\x30\x05\x82\x03" |
- ".nc" |
- "\x30\x05\x82\x03" |
- ".tf"; |
+static SECStatus getNameExtensionsBuiltIn(CERTCertificate *cert, |
+ SECItem *extensions) { |
+ const char constraintFranceGov[] = |
+ "\x30\x5D" /* sequence len = 93*/ |
+ "\xA0\x5B" /* element len =91 */ |
+ "\x30\x05" /* sequence len 5 */ |
+ "\x82\x03" /* entry len 3 */ |
+ ".fr" |
+ "\x30\x05\x82\x03" /* sequence len5, entry len 3 */ |
+ ".gp" |
+ "\x30\x05\x82\x03" |
+ ".gf" |
+ "\x30\x05\x82\x03" |
+ ".mq" |
+ "\x30\x05\x82\x03" |
+ ".re" |
+ "\x30\x05\x82\x03" |
+ ".yt" |
+ "\x30\x05\x82\x03" |
+ ".pm" |
+ "\x30\x05\x82\x03" |
+ ".bl" |
+ "\x30\x05\x82\x03" |
+ ".mf" |
+ "\x30\x05\x82\x03" |
+ ".wf" |
+ "\x30\x05\x82\x03" |
+ ".pf" |
+ "\x30\x05\x82\x03" |
+ ".nc" |
+ "\x30\x05\x82\x03" |
+ ".tf"; |
/* The stringified value for the subject is: |
E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR |
*/ |
- const char rawANSSISubject[] = "\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04" |
- "\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03" |
- "\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65" |
- "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05" |
- "\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03" |
- "\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44" |
- "\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13" |
- "\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06" |
- "\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41" |
- "\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7" |
- "\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40" |
- "\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75" |
- "\x76\x2E\x66\x72"; |
+ const char rawANSSISubject[] = |
+ "\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04" |
+ "\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03" |
+ "\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65" |
+ "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05" |
+ "\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03" |
+ "\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44" |
+ "\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13" |
+ "\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06" |
+ "\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41" |
+ "\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7" |
+ "\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40" |
+ "\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75" |
+ "\x76\x2E\x66\x72"; |
- const SECItem anssi_subject = {0, (unsigned char *) rawANSSISubject, |
- sizeof(rawANSSISubject)-1}; |
- const SECItem permitFranceGovNC = {0, (unsigned char *) constraintFranceGov, |
- sizeof(constraintFranceGov)-1}; |
+ const SECItem anssi_subject = {0, (unsigned char *)rawANSSISubject, |
+ sizeof(rawANSSISubject) - 1}; |
+ const SECItem permitFranceGovNC = {0, (unsigned char *)constraintFranceGov, |
+ sizeof(constraintFranceGov) - 1}; |
if (SECITEM_ItemsAreEqual(&cert->derSubject, &anssi_subject)) { |
SECStatus rv; |
rv = SECITEM_CopyItem(NULL, extensions, &permitFranceGovNC); |
return rv; |
} |
PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND); |
return SECFailure; |
} |
/* Extract the name constraints extension from the CA cert. */ |
-SECStatus |
-CERT_FindNameConstraintsExten(PLArenaPool *arena, |
- CERTCertificate *cert, |
- CERTNameConstraints **constraints) |
-{ |
- SECStatus rv = SECSuccess; |
- SECItem constraintsExtension; |
- void *mark = NULL; |
- |
- *constraints = NULL; |
+SECStatus CERT_FindNameConstraintsExten(PLArenaPool *arena, |
+ CERTCertificate *cert, |
+ CERTNameConstraints **constraints) { |
+ SECStatus rv = SECSuccess; |
+ SECItem constraintsExtension; |
+ void *mark = NULL; |
- rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS, |
- &constraintsExtension); |
+ *constraints = NULL; |
+ |
+ rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS, |
+ &constraintsExtension); |
+ if (rv != SECSuccess) { |
+ if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) { |
+ return rv; |
+ } |
+ rv = getNameExtensionsBuiltIn(cert, &constraintsExtension); |
if (rv != SECSuccess) { |
- if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) { |
- return rv; |
- } |
- rv = getNameExtensionsBuiltIn(cert, &constraintsExtension); |
- if (rv != SECSuccess) { |
- if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) { |
- return SECSuccess; |
- } |
- return rv; |
- } |
+ if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) { |
+ return SECSuccess; |
+ } |
+ return rv; |
} |
+ } |
- mark = PORT_ArenaMark(arena); |
+ mark = PORT_ArenaMark(arena); |
- *constraints = cert_DecodeNameConstraints(arena, &constraintsExtension); |
- if (*constraints == NULL) { /* decode failed */ |
- rv = SECFailure; |
- } |
- PORT_Free (constraintsExtension.data); |
+ *constraints = cert_DecodeNameConstraints(arena, &constraintsExtension); |
+ if (*constraints == NULL) {/* decode failed */ |
+ rv = SECFailure; |
+ } |
+ PORT_Free(constraintsExtension.data); |
- if (rv == SECFailure) { |
- PORT_ArenaRelease(arena, mark); |
- } else { |
- PORT_ArenaUnmark(arena, mark); |
- } |
+ if (rv == SECFailure) { |
+ PORT_ArenaRelease(arena, mark); |
+ } else { |
+ PORT_ArenaUnmark(arena, mark); |
+ } |
- return rv; |
+ return rv; |
} |
/* Verify name against all the constraints relevant to that type of |
** the name. |
*/ |
-SECStatus |
-CERT_CheckNameSpace(PLArenaPool *arena, |
- const CERTNameConstraints *constraints, |
- const CERTGeneralName *currentName) |
-{ |
- CERTNameConstraint *matchingConstraints; |
- SECStatus rv = SECSuccess; |
- |
- if (constraints->excluded != NULL) { |
- rv = CERT_GetNameConstraintByType(constraints->excluded, |
- currentName->type, |
- &matchingConstraints, arena); |
- if (rv == SECSuccess && matchingConstraints != NULL) { |
- rv = cert_CompareNameWithConstraints(currentName, |
- matchingConstraints, |
- PR_TRUE); |
- } |
- if (rv != SECSuccess) { |
- return(rv); |
- } |
+SECStatus CERT_CheckNameSpace(PLArenaPool *arena, |
+ const CERTNameConstraints *constraints, |
+ const CERTGeneralName *currentName) { |
+ CERTNameConstraint *matchingConstraints; |
+ SECStatus rv = SECSuccess; |
+ |
+ if (constraints->excluded != NULL) { |
+ rv = CERT_GetNameConstraintByType(constraints->excluded, currentName->type, |
+ &matchingConstraints, arena); |
+ if (rv == SECSuccess && matchingConstraints != NULL) { |
+ rv = cert_CompareNameWithConstraints(currentName, matchingConstraints, |
+ PR_TRUE); |
} |
- |
- if (constraints->permited != NULL) { |
- rv = CERT_GetNameConstraintByType(constraints->permited, |
- currentName->type, |
- &matchingConstraints, arena); |
- if (rv == SECSuccess && matchingConstraints != NULL) { |
- rv = cert_CompareNameWithConstraints(currentName, |
- matchingConstraints, |
- PR_FALSE); |
- } |
- if (rv != SECSuccess) { |
- return(rv); |
- } |
+ if (rv != SECSuccess) { |
+ return (rv); |
} |
+ } |
- return(SECSuccess); |
+ if (constraints->permited != NULL) { |
+ rv = CERT_GetNameConstraintByType(constraints->permited, currentName->type, |
+ &matchingConstraints, arena); |
+ if (rv == SECSuccess && matchingConstraints != NULL) { |
+ rv = cert_CompareNameWithConstraints(currentName, matchingConstraints, |
+ PR_FALSE); |
+ } |
+ if (rv != SECSuccess) { |
+ return (rv); |
+ } |
+ } |
+ |
+ return (SECSuccess); |
} |
/* Extract the name constraints extension from the CA cert. |
** Test each and every name in namesList against all the constraints |
** relevant to that type of name. |
** Returns NULL in pBadCert for success, if all names are acceptable. |
** If some name is not acceptable, returns a pointer to the cert that |
** contained that name. |
*/ |
-SECStatus |
-CERT_CompareNameSpace(CERTCertificate *cert, |
- CERTGeneralName *namesList, |
- CERTCertificate **certsList, |
- PLArenaPool *reqArena, |
- CERTCertificate **pBadCert) |
-{ |
- SECStatus rv = SECSuccess; |
- CERTNameConstraints *constraints; |
- CERTGeneralName *currentName; |
- int count = 0; |
- CERTCertificate *badCert = NULL; |
+SECStatus CERT_CompareNameSpace(CERTCertificate *cert, |
+ CERTGeneralName *namesList, |
+ CERTCertificate **certsList, |
+ PLArenaPool *reqArena, |
+ CERTCertificate **pBadCert) { |
+ SECStatus rv = SECSuccess; |
+ CERTNameConstraints *constraints; |
+ CERTGeneralName *currentName; |
+ int count = 0; |
+ CERTCertificate *badCert = NULL; |
- /* If no names to check, then no names can be bad. */ |
- if (!namesList) |
- goto done; |
- rv = CERT_FindNameConstraintsExten(reqArena, cert, &constraints); |
- if (rv != SECSuccess) { |
- count = -1; |
- goto done; |
+ /* If no names to check, then no names can be bad. */ |
+ if (!namesList) goto done; |
+ rv = CERT_FindNameConstraintsExten(reqArena, cert, &constraints); |
+ if (rv != SECSuccess) { |
+ count = -1; |
+ goto done; |
+ } |
+ |
+ currentName = namesList; |
+ do { |
+ if (constraints) { |
+ rv = CERT_CheckNameSpace(reqArena, constraints, currentName); |
+ if (rv != SECSuccess) { |
+ break; |
+ } |
} |
- |
- currentName = namesList; |
- do { |
- if (constraints){ |
- rv = CERT_CheckNameSpace(reqArena, constraints, currentName); |
- if (rv != SECSuccess) { |
- break; |
- } |
- } |
- currentName = CERT_GetNextGeneralName(currentName); |
- count ++; |
- } while (currentName != namesList); |
+ currentName = CERT_GetNextGeneralName(currentName); |
+ count++; |
+ } while (currentName != namesList); |
done: |
- if (rv != SECSuccess) { |
- badCert = (count >= 0) ? certsList[count] : cert; |
- } |
- if (pBadCert) |
- *pBadCert = badCert; |
+ if (rv != SECSuccess) { |
+ badCert = (count >= 0) ? certsList[count] : cert; |
+ } |
+ if (pBadCert) *pBadCert = badCert; |
- return rv; |
+ return rv; |
} |
#if 0 |
/* not exported from shared libs, not used. Turn on if we ever need it. */ |
SECStatus |
CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b) |
{ |
CERTGeneralName *currentA; |