752
703
/* --Private-BuildChain-Functions------------------------------------------- */
755
* FUNCTION: pkix_Build_CheckCertAgainstAnchor
758
* Checks whether the Cert pointed to by "candidateCert" successfully chains to
759
* the TrustAnchor pointed to by "anchor". Successful chaining includes
760
* successful subject/issuer name chaining, using the List of traversed subject
761
* names pointed to by "traversedSubjNames" to check for name constraints
762
* violation, and successful signature verification. If the "candidateCert"
763
* successfully chains, PKIX_TRUE is stored at the address pointed to by
764
* "pPassed". Otherwise PKIX_FALSE is stored.
766
* If a non-NULL VerifyNode is supplied, then this function will, in the event
767
* of a failure, set the Error associated with the failure in the VerifyNode.
772
* Address of Cert that is being checked. Must be non-NULL.
774
* Address of TrustAnchor with which the Cert must successfully chain.
776
* "traversedSubjNames"
777
* Address of List of subject names in certificates previously traversed.
780
* Address at which Boolean result is stored. Must be non-NULL.
782
* Address of the VerifyNode to receive the Error. May be NULL.
784
* Platform-specific context pointer.
786
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
788
* Returns NULL if the function succeeds.
789
* Returns a Build Error if the function fails in a non-fatal way
790
* Returns a Fatal Error if the function fails in an unrecoverable way.
793
pkix_Build_CheckCertAgainstAnchor(
794
PKIX_PL_Cert *candidateCert,
795
PKIX_TrustAnchor *anchor,
796
PKIX_List *traversedSubjNames,
797
PKIX_Boolean *pPassed,
798
PKIX_VerifyNode *verifyNode,
801
PKIX_PL_Cert *trustedCert = NULL;
802
PKIX_PL_CertNameConstraints *anchorNC = NULL;
803
PKIX_CertSelector *certSel = NULL;
804
PKIX_ComCertSelParams *certSelParams = NULL;
805
PKIX_PL_X500Name *trustedSubject = NULL;
806
PKIX_PL_X500Name *candidateIssuer = NULL;
807
PKIX_CertSelector_MatchCallback selectorMatch = NULL;
808
PKIX_Boolean certMatch = PKIX_TRUE;
809
PKIX_Boolean anchorMatch = PKIX_FALSE;
810
PKIX_PL_PublicKey *trustedPubKey = NULL;
811
PKIX_VerifyNode *anchorVerifyNode = NULL;
812
PKIX_Error *verifyError = NULL;
814
PKIX_ENTER(BUILD, "pkix_Build_CheckCertAgainstAnchor");
815
PKIX_NULLCHECK_THREE(anchor, candidateCert, pPassed);
817
*pPassed = PKIX_FALSE;
819
PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
820
(anchor, &trustedCert, plContext),
821
PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
823
PKIX_CHECK(PKIX_PL_Cert_GetSubject
824
(trustedCert, &trustedSubject, plContext),
825
PKIX_CERTGETSUBJECTFAILED);
827
PKIX_NULLCHECK_ONE(trustedSubject);
829
PKIX_CHECK(PKIX_PL_Cert_GetIssuer
830
(candidateCert, &candidateIssuer, plContext),
831
PKIX_CERTGETISSUERFAILED);
833
PKIX_CHECK(PKIX_PL_X500Name_Match
834
(trustedSubject, candidateIssuer, &anchorMatch, plContext),
835
PKIX_X500NAMEMATCHFAILED);
841
PKIX_CHECK(PKIX_TrustAnchor_GetNameConstraints
842
(anchor, &anchorNC, plContext),
843
PKIX_TRUSTANCHORGETNAMECONSTRAINTSFAILED);
845
if (anchorNC == NULL) {
846
PKIX_CHECK(PKIX_CertSelector_Create
847
(NULL, NULL, &certSel, plContext),
848
PKIX_CERTSELECTORCREATEFAILED);
850
PKIX_CHECK(PKIX_ComCertSelParams_Create
851
(&certSelParams, plContext),
852
PKIX_COMCERTSELPARAMSCREATEFAILED);
854
PKIX_NULLCHECK_ONE(traversedSubjNames);
856
PKIX_CHECK(PKIX_ComCertSelParams_SetPathToNames
857
(certSelParams, traversedSubjNames, plContext),
858
PKIX_COMCERTSELPARAMSSETPATHTONAMESFAILED);
860
PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams
861
(certSel, certSelParams, plContext),
862
PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
864
PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
865
(certSel, &selectorMatch, plContext),
866
PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
868
PKIX_CHECK(selectorMatch
869
(certSel, candidateCert, &certMatch, plContext),
870
PKIX_SELECTORMATCHFAILED);
878
PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
879
(trustedCert, &trustedPubKey, plContext),
880
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
882
PKIX_CHECK(PKIX_PL_Cert_VerifySignature
883
(candidateCert, trustedPubKey, plContext),
884
PKIX_CERTVERIFYSIGNATUREFAILED);
888
if (PKIX_ERROR_RECEIVED || !anchorMatch || !certMatch) {
889
if (pkixErrorClass == PKIX_FATAL_ERROR) {
892
if (verifyNode != NULL) {
896
PKIX_ANCHORDIDNOTCHAINTOCERT,
898
} else if (!certMatch) {
901
PKIX_ANCHORDIDNOTPASSCERTSELECTORCRITERIA,
904
verifyError = pkixErrorResult;
905
pkixErrorResult = NULL;
907
PKIX_DECREF(pkixErrorResult);
910
*pPassed = PKIX_TRUE;
913
if (verifyNode != NULL) {
914
PKIX_CHECK_FATAL(pkix_VerifyNode_Create
920
PKIX_VERIFYNODECREATEFAILED);
921
PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree
922
(verifyNode, anchorVerifyNode, plContext),
923
PKIX_VERIFYNODEADDTOTREEFAILED);
924
PKIX_DECREF(verifyError);
928
PKIX_DECREF(verifyError);
929
PKIX_DECREF(anchorVerifyNode);
930
PKIX_DECREF(trustedCert);
931
PKIX_DECREF(anchorNC);
932
PKIX_DECREF(certSel);
933
PKIX_DECREF(certSelParams);
934
PKIX_DECREF(trustedSubject);
935
PKIX_DECREF(trustedPubKey);
936
PKIX_DECREF(candidateIssuer);
942
706
* FUNCTION: pkix_Build_SortCertComparator
1194
/* signature check */
1196
if ((!(state->dsaParamsNeeded)) || trusted) {
1197
PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
1198
(candidateCert, &candidatePubKey, plContext),
1199
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
1201
PKIX_CHECK(PKIX_PL_PublicKey_NeedsDSAParameters
1202
(candidatePubKey, &dsaParamsNeeded, plContext),
1203
PKIX_PUBLICKEYNEEDSDSAPARAMETERSFAILED);
1205
if (dsaParamsNeeded) {
1207
PKIX_ERROR(PKIX_MISSINGDSAPARAMETERS);
1209
state->dsaParamsNeeded = PKIX_TRUE;
1214
pkixErrorResult = PKIX_PL_Cert_VerifyKeyUsage
1215
(candidateCert, PKIX_KEY_CERT_SIGN, plContext);
1217
ERROR_CHECK(PKIX_CERTVERIFYKEYUSAGEFAILED);
1219
pkixErrorResult = PKIX_PL_Cert_VerifySignature
1220
(state->prevCert, candidatePubKey, plContext);
1222
ERROR_CHECK(PKIX_CERTVERIFYSIGNATUREFAILED);
1224
if (revocationChecking) {
1226
if (state->revCheckDelayed) {
1229
PKIX_CHECK(pkix_IsCertSelfIssued
1233
PKIX_ISCERTSELFISSUEDFAILED);
1236
state->revCheckDelayed = PKIX_TRUE;
1242
*pNeedsCRLChecking = PKIX_TRUE;
960
/* Check that public key of the trusted dsa cert has
963
PKIX_Boolean paramsNeeded = PKIX_FALSE;
964
PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
965
(candidateCert, &candidatePubKey, plContext),
966
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
967
PKIX_CHECK(PKIX_PL_PublicKey_NeedsDSAParameters
968
(candidatePubKey, ¶msNeeded, plContext),
969
PKIX_PUBLICKEYNEEDSDSAPARAMETERSFAILED);
971
PKIX_ERROR(PKIX_MISSINGDSAPARAMETERS);
976
if (revocationChecking) {
978
if (state->revCheckDelayed) {
981
PKIX_Boolean isSelfIssued = PKIX_FALSE;
983
pkix_IsCertSelfIssued(candidateCert, &isSelfIssued,
985
PKIX_ISCERTSELFISSUEDFAILED);
987
state->revCheckDelayed = PKIX_TRUE;
992
*pNeedsCRLChecking = PKIX_TRUE;
1248
996
PKIX_DECREF(candidateCert);
1249
997
PKIX_DECREF(candidatePubKey);
1250
998
PKIX_DECREF(userChecker);
1445
if (procParams->revCheckers) {
1447
PKIX_PL_Object_Duplicate(
1448
(PKIX_PL_Object*)procParams->revCheckers,
1449
(PKIX_PL_Object **)&revCheckers,
1451
PKIX_LISTDUPLICATEFAILED);
1453
PKIX_CHECK(PKIX_List_Create(&revCheckers, plContext),
1454
PKIX_LISTCREATEFAILED);
1457
if ((state->dsaParamsNeeded) || (state->revCheckDelayed)) {
1459
if ((state->dsaParamsNeeded) ||
1460
(state->buildConstants.crlChecker)) {
1462
PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
1463
(anchor, &trustedCert, plContext),
1464
PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
1466
PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
1467
(trustedCert, &trustedPubKey, plContext),
1468
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
1470
PKIX_NULLCHECK_ONE(state->buildConstants.certStores);
1473
PKIX_CHECK(pkix_DefaultCRLChecker_Initialize
1474
(state->buildConstants.certStores,
1475
state->buildConstants.testDate,
1480
PKIX_DEFAULTCRLCHECKERINITIALIZEFAILED);
1482
PKIX_CHECK(PKIX_List_AppendItem
1484
(PKIX_PL_Object *)crlChecker,
1486
PKIX_LISTAPPENDITEMFAILED);
1488
PKIX_CHECK(pkix_DefaultRevChecker_Initialize
1489
(state->buildConstants.certStores,
1490
state->buildConstants.testDate,
1495
PKIX_DEFAULTREVCHECKERINITIALIZEFAILED);
1497
PKIX_CHECK(PKIX_List_AppendItem
1499
(PKIX_PL_Object *)revChecker,
1501
PKIX_LISTAPPENDITEMFAILED);
1505
if (state->dsaParamsNeeded) {
1507
PKIX_CHECK(pkix_SignatureChecker_Initialize
1512
PKIX_SIGNATURECHECKERINITIALIZEFAILED);
1514
PKIX_CHECK(PKIX_List_AppendItem
1516
(PKIX_PL_Object *)sigChecker,
1518
PKIX_LISTAPPENDITEMFAILED);
1212
/* Inabling post chain building signature check on the certs. */
1213
PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
1214
(anchor, &trustedCert, plContext),
1215
PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
1217
PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
1218
(trustedCert, &trustedPubKey, plContext),
1219
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
1221
PKIX_CHECK(pkix_SignatureChecker_Initialize
1226
PKIX_SIGNATURECHECKERINITIALIZEFAILED);
1228
PKIX_CHECK(PKIX_List_AppendItem
1230
(PKIX_PL_Object *)sigChecker,
1232
PKIX_LISTAPPENDITEMFAILED);
1523
1234
PKIX_INCREF(reversedCertChain);
1524
1235
state->reversedCertChain = reversedCertChain;
1525
1236
PKIX_INCREF(buildCheckedCritExtOIDsList);
1526
1237
state->checkedCritExtOIDs = buildCheckedCritExtOIDsList;
1527
PKIX_INCREF(checkers);
1528
1238
state->checkerChain = checkers;
1529
PKIX_INCREF(revCheckers);
1530
state->revCheckers = revCheckers;
1531
1240
state->certCheckedIndex = 0;
1532
1241
state->checkerIndex = 0;
1533
1242
state->revChecking = PKIX_FALSE;
1777
1484
(certSelParams, state->traversedSubjNames, plContext),
1778
1485
PKIX_COMCERTSELPARAMSSETPATHTONAMESFAILED);
1487
PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
1488
(state->buildConstants.procParams,
1489
&callerCertSelector, plContext),
1490
PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
1492
if (callerCertSelector != NULL) {
1494
/* Get initial EKU OIDs from ComCertSelParams, if set */
1495
PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
1496
(callerCertSelector, &callerComCertSelParams, plContext),
1497
PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
1499
if (callerComCertSelParams != NULL) {
1500
PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage
1501
(callerComCertSelParams, &reqEkuOids, plContext),
1502
PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
1504
PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage
1505
(callerComCertSelParams, &reqKu, plContext),
1506
PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
1511
PKIX_ComCertSelParams_SetKeyUsage(certSelParams, reqKu,
1513
PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED);
1516
PKIX_ComCertSelParams_SetExtendedKeyUsage(certSelParams,
1519
PKIX_COMCERTSELPARAMSSETEXTKEYUSAGEFAILED);
1780
1521
PKIX_CHECK(PKIX_CertSelector_Create
1781
1522
(NULL, NULL, &state->certSel, plContext),
1782
1523
PKIX_CERTSELECTORCREATEFAILED);
1795
1536
PKIX_DECREF(certSel);
1796
1537
PKIX_DECREF(currentIssuer);
1797
1538
PKIX_DECREF(testDate);
1539
PKIX_DECREF(reqEkuOids);
1540
PKIX_DECREF(callerComCertSelParams);
1541
PKIX_DECREF(callerCertSelector);
1799
1543
PKIX_RETURN(BUILD);
1803
* FUNCTION: pkix_Build_CombineWithTrust
1806
* Adds each Cert in the List pointed to by "fromList" to the List pointed
1807
* to by "toList", if it is not already a member of that List. If it is a
1808
* member of both Lists, then the two instances are checked to see if either
1809
* is trusted, in which case the trusted one is retained. In other words,
1810
* "toList" becomes the union of the two sets, with trust preserved.
1812
* It is assumed that fromList does not contain duplicates. Therefore as
1813
* elements of "fromlist" are added to "tolist", subsequent additions do
1814
* not need to be checked for equality against these new members.
1818
* Address of a List of Certs to be added, if not already present, to
1819
* "toList". Must be non-NULL, but may be empty.
1821
* Address of a List of Certs to be augmented by "fromList". Must be
1822
* non-NULL, but may be empty.
1824
* Platform-specific context pointer.
1826
* Not Thread Safe - assumes exclusive access to "toList"
1827
* (see Thread Safety Definitions in Programmer's Guide)
1829
* Returns NULL if the function succeeds
1830
* Returns a Build Error if the function fails in a non-fatal way.
1831
* Returns a Fatal Error if the function fails in an unrecoverable way
1834
pkix_Build_CombineWithTrust(
1836
PKIX_List *fromList,
1839
PKIX_Boolean match = PKIX_FALSE;
1840
PKIX_Boolean trusted = PKIX_FALSE;
1841
PKIX_UInt32 fromlistLen = 0;
1842
PKIX_UInt32 originalTolistLen = 0;
1843
PKIX_UInt32 fromlistIx = 0;
1844
PKIX_UInt32 tolistIx = 0;
1845
PKIX_PL_Object *fObject = NULL;
1846
PKIX_PL_Object *tObject = NULL;
1848
PKIX_ENTER(BUILD, "pkix_Build_CombineWithTrust");
1849
PKIX_NULLCHECK_TWO(fromList, toList);
1851
PKIX_CHECK(PKIX_List_GetLength(fromList, &fromlistLen, plContext),
1852
PKIX_LISTGETLENGTHFAILED);
1854
PKIX_CHECK(PKIX_List_GetLength(toList, &originalTolistLen, plContext),
1855
PKIX_LISTGETLENGTHFAILED);
1857
for (fromlistIx = 0; fromlistIx < fromlistLen; fromlistIx++) {
1859
PKIX_CHECK(PKIX_List_GetItem
1860
(fromList, fromlistIx, &fObject, plContext),
1861
PKIX_LISTGETITEMFAILED);
1863
PKIX_NULLCHECK_ONE(fObject);
1866
for (tolistIx = 0; tolistIx < originalTolistLen; tolistIx++) {
1867
PKIX_CHECK(PKIX_List_GetItem
1868
(toList, tolistIx, &tObject, plContext),
1869
PKIX_LISTGETITEMFAILED);
1871
PKIX_NULLCHECK_ONE(tObject);
1873
PKIX_CHECK(PKIX_PL_Object_Equals
1874
(fObject, tObject, &match, plContext),
1875
PKIX_OBJECTEQUALSFAILED);
1878
PKIX_CHECK(pkix_CheckType
1879
(tObject, PKIX_CERT_TYPE, plContext),
1880
PKIX_OBJECTNOTCERT);
1882
PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
1883
((PKIX_PL_Cert *)tObject, &trusted,
1885
PKIX_CERTISCERTTRUSTEDFAILED);
1546
/* Match trust anchor to select params in order to find next cert. */
1548
pkix_Build_SelectCertsFromTrustAnchors(
1549
PKIX_List *trustAnchorsList,
1550
PKIX_ComCertSelParams *certSelParams,
1551
PKIX_List **pMatchList,
1554
int anchorIndex = 0;
1555
PKIX_TrustAnchor *anchor = NULL;
1556
PKIX_PL_Cert *trustedCert = NULL;
1557
PKIX_List *matchList = NULL;
1558
PKIX_CertSelector *certSel = NULL;
1559
PKIX_CertSelector_MatchCallback selectorMatchCB = NULL;
1560
PKIX_Boolean certMatch = PKIX_TRUE;
1562
PKIX_ENTER(BUILD, "pkix_Build_SelectCertsFromTrustAnchors");
1564
PKIX_CHECK(PKIX_CertSelector_Create
1565
(NULL, NULL, &certSel, plContext),
1566
PKIX_CERTSELECTORCREATEFAILED);
1567
PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams
1568
(certSel, certSelParams, plContext),
1569
PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
1570
PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
1571
(certSel, &selectorMatchCB, plContext),
1572
PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
1574
for (anchorIndex = 0;anchorIndex < trustAnchorsList->length; anchorIndex++) {
1576
PKIX_List_GetItem(trustAnchorsList,
1578
(PKIX_PL_Object **)&anchor,
1580
PKIX_LISTGETITEMFAILED);
1581
PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
1582
(anchor, &trustedCert, plContext),
1583
PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
1585
(*selectorMatchCB)(certSel, trustedCert,
1586
&certMatch, plContext);
1587
if (!pkixErrorResult && certMatch) {
1589
PKIX_CHECK(PKIX_List_Create(&matchList,
1591
PKIX_LISTCREATEFAILED);
1594
PKIX_List_AppendItem(matchList,
1595
(PKIX_PL_Object*)trustedCert,
1597
PKIX_LISTAPPENDITEMFAILED);
1599
PKIX_DECREF(pkixErrorResult);
1601
PKIX_DECREF(trustedCert);
1602
PKIX_DECREF(anchor);
1605
*pMatchList = matchList;
1609
PKIX_DECREF(matchList);
1610
PKIX_DECREF(trustedCert);
1611
PKIX_DECREF(anchor);
1612
PKIX_DECREF(certSel);
1619
pkix_Build_RemoveDupUntrustedCerts(
1620
PKIX_List *trustedCertList,
1621
PKIX_List *certsFound,
1624
PKIX_UInt32 trustIndex;
1625
PKIX_PL_Cert *trustCert = NULL, *cert = NULL;
1627
PKIX_ENTER(BUILD, "pkix_Build_RemoveDupUntrustedCerts");
1628
if (trustedCertList == NULL || certsFound == NULL) {
1631
for (trustIndex = 0;trustIndex < trustedCertList->length;
1633
PKIX_UInt32 certIndex = 0;
1635
PKIX_List_GetItem(trustedCertList,
1637
(PKIX_PL_Object **)&trustCert,
1639
PKIX_LISTGETITEMFAILED);
1887
/* If tObject is a trusted cert, keep it. */
1888
if (trusted == PKIX_TRUE) {
1889
PKIX_DECREF(tObject);
1893
PKIX_CHECK(pkix_CheckType
1894
(fObject, PKIX_CERT_TYPE, plContext),
1895
PKIX_OBJECTNOTCERT);
1897
PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
1898
((PKIX_PL_Cert *)fObject, &trusted,
1900
PKIX_CERTISCERTTRUSTEDFAILED);
1902
/* If fObject is a trusted cert, replace it. */
1903
if (trusted == PKIX_TRUE) {
1904
PKIX_CHECK(PKIX_List_SetItem
1909
PKIX_LISTSETITEMFAILED);
1910
PKIX_DECREF(tObject);
1914
PKIX_DECREF(tObject);
1917
if (match == PKIX_FALSE) {
1918
PKIX_CHECK(PKIX_List_AppendItem
1919
(toList, fObject, plContext),
1920
PKIX_LISTAPPENDITEMFAILED);
1923
PKIX_DECREF(fObject);
1641
while (certIndex < certsFound->length) {
1642
PKIX_Boolean result = PKIX_FALSE;
1645
PKIX_List_GetItem(certsFound, certIndex,
1646
(PKIX_PL_Object **)&cert,
1648
PKIX_LISTGETITEMFAILED);
1650
PKIX_PL_Object_Equals((PKIX_PL_Object *)trustCert,
1651
(PKIX_PL_Object *)cert,
1654
PKIX_OBJECTEQUALSFAILED);
1660
PKIX_List_DeleteItem(certsFound, certIndex,
1662
PKIX_LISTDELETEITEMFAILED);
1664
PKIX_DECREF(trustCert);
1928
PKIX_DECREF(fObject);
1929
PKIX_DECREF(tObject);
1668
PKIX_DECREF(trustCert);
1935
1675
* FUNCTION: pkix_Build_GatherCerts
2118
1837
++(state->certStoreIndex);
1840
if (certsFound && certsFound->length > 1) {
1841
PKIX_List *sorted = NULL;
1843
/* sort Certs to try to optimize search */
1844
PKIX_CHECK(pkix_Build_SortCandidateCerts
1845
(certsFound, &sorted, plContext),
1846
PKIX_BUILDSORTCANDIDATECERTSFAILED);
1847
PKIX_DECREF(certsFound);
1848
certsFound = sorted;
1852
pkix_Build_SelectCertsFromTrustAnchors(
1853
state->buildConstants.anchors,
1854
certSelParams, &trustedCertList,
1856
PKIX_FAILTOSELECTCERTSFROMANCHORS);
1858
pkix_Build_RemoveDupUntrustedCerts(trustedCertList,
1861
PKIX_REMOVEDUPUNTRUSTEDCERTSFAILED);
1864
pkix_List_MergeLists(trustedCertList,
1866
&state->candidateCerts,
1868
PKIX_LISTMERGEFAILED);
2121
1870
/* No, return the list we have gathered */
2122
1871
PKIX_CHECK(PKIX_List_GetLength
2123
1872
(state->candidateCerts, &state->numCerts, plContext),
2124
1873
PKIX_LISTGETLENGTHFAILED);
2126
if (state->numCerts > 1) {
2127
/* sort Certs to try to optimize search */
2128
PKIX_CHECK(pkix_Build_SortCandidateCerts
2129
(state->candidateCerts, &sorted, plContext),
2130
PKIX_BUILDSORTCANDIDATECERTSFAILED);
2132
PKIX_DECREF(state->candidateCerts);
2133
state->candidateCerts = sorted;
2137
1875
state->certIndex = 0;
1878
PKIX_DECREF(trustedCertList);
2141
1879
PKIX_DECREF(certStore);
2142
1880
PKIX_DECREF(certsFound);
2222
* FUNCTION: pkix_Build_RevCheckPrep
2225
* This function prepares the CertChainCheckerState of the crlChecker contained
2226
* in "state" for checking the Certificate pointed to by "certToCheck".
2230
* Address of ForwardBuilderState to be used. Must be non-NULL.
2232
* Address of Certificate to be checked. Must be non-NULL.
2234
* Platform-specific context pointer.
2236
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
2238
* Returns NULL if the function succeeds.
2239
* Returns a Build Error if the function fails in a non-fatal way
2240
* Returns a Fatal Error if the function fails in an unrecoverable way.
2243
pkix_Build_RevCheckPrep(
2244
PKIX_ForwardBuilderState *state,
2245
PKIX_PL_Cert *certToCheck,
2248
PKIX_PL_Object *crlCheckerState = NULL;
2250
PKIX_ENTER(BUILD, "pkix_Build_RevCheckPrep");
2251
PKIX_NULLCHECK_ONE(state);
2253
PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
2254
(state->buildConstants.crlChecker, &crlCheckerState, plContext),
2255
PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
2257
PKIX_CHECK(pkix_CheckType
2258
(crlCheckerState, PKIX_DEFAULTCRLCHECKERSTATE_TYPE, plContext),
2259
PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
2261
/* Set up CRLSelector */
2262
PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
2264
(pkix_DefaultCRLCheckerState *) crlCheckerState,
2266
PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
2269
(PKIX_CertChainChecker_SetCertChainCheckerState
2270
(state->buildConstants.crlChecker, crlCheckerState, plContext),
2271
PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
2275
PKIX_DECREF(crlCheckerState);
2281
1960
* FUNCTION: pkix_BuildForwardDepthFirstSearch
2737
2425
if (state->status == BUILD_CRLPREP) {
2739
PKIX_CHECK(pkix_Build_RevCheckPrep
2740
(state, state->prevCert, plContext),
2741
PKIX_BUILDREVCHECKPREPFAILED);
2743
state->status = BUILD_CRL1;
2746
if (state->status == BUILD_CRL1) {
2748
PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
2749
(state->candidateCert,
2752
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
2754
PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
2755
(state->buildConstants.crlChecker,
2758
PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
2760
PKIX_CHECK(pkix_CheckType
2762
PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
2764
PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
2766
verifyError = pkix_DefaultCRLChecker_Check_Helper
2767
(state->buildConstants.crlChecker,
2770
(pkix_DefaultCRLCheckerState *) crlCheckerState,
2771
NULL, /* unresolved crit extensions */
2772
state->useOnlyLocal,
2776
pkixTempErrorReceived = PKIX_TRUE;
2777
pkixErrorClass = verifyError->errClass;
2778
if (pkixErrorClass == PKIX_FATAL_ERROR) {
2779
pkixErrorResult = verifyError;
2785
PKIX_DECREF(candidatePubKey);
2786
PKIX_DECREF(crlCheckerState);
2426
PKIX_RevocationStatus revStatus;
2427
PKIX_UInt32 reasonCode;
2430
PKIX_RevocationChecker_Check(
2431
state->prevCert, state->candidateCert,
2432
state->buildConstants.revChecker,
2433
state->buildConstants.procParams,
2435
(state->parentState == NULL) ?
2436
PKIX_TRUE : PKIX_FALSE,
2437
&revStatus, &reasonCode,
2788
2439
if (nbio != NULL) {
2789
/* IO still pending, resume later */
2440
*pNBIOContext = nbio;
2791
} else if (PKIX_ERROR_RECEIVED) {
2443
if (revStatus == PKIX_RevStatus_Revoked || verifyError) {
2445
/* if verifyError is returned then use it as
2446
* it has a detailed revocation error code.
2447
* Otherwise create a new error */
2448
PKIX_ERROR_CREATE(VALIDATE, PKIX_CERTIFICATEREVOKED,
2792
2451
if (state->verifyNode != NULL) {
2793
2452
PKIX_CHECK_FATAL(pkix_VerifyNode_SetError
2794
2453
(verifyNode, verifyError, plContext),
2915
2593
PKIX_LISTAPPENDITEMFAILED);
2917
state->status = BUILD_CHECKWITHANCHORS;
2918
state->anchorIndex = 0;
2595
state->status = BUILD_EXTENDCHAIN;
2921
while ((state->status == BUILD_CHECKWITHANCHORS) ||
2922
(state->status == BUILD_CRL2) ||
2923
(state->status == BUILD_VALCHAIN2)) {
2924
if (state->anchorIndex >=
2925
state->buildConstants.numAnchors) {
2926
state->status = BUILD_EXTENDCHAIN;
2930
PKIX_CHECK(PKIX_List_GetItem
2931
(state->buildConstants.anchors,
2933
(PKIX_PL_Object **)&trustAnchor,
2935
PKIX_LISTGETITEMFAILED);
2939
if (state->status == BUILD_CHECKWITHANCHORS) {
2942
* Does this Trust Anchor chain to this cert?
2943
* (If state->verifyNode is non-NULL, this function
2944
* chains a verifyNode for each anchor checked.)
2946
PKIX_CHECK(pkix_Build_CheckCertAgainstAnchor
2947
(state->candidateCert,
2949
state->traversedSubjNames,
2953
PKIX_CHECKCERTAGAINSTANCHORFAILED);
2955
if (passed == PKIX_TRUE) {
2956
if (state->buildConstants.crlChecker) {
2957
state->status = BUILD_CRL2PREP;
2959
state->status = BUILD_VALCHAIN;
2961
} /* else increment anchorIndex and try next */
2964
if (state->status == BUILD_CRL2PREP) {
2965
PKIX_CHECK(pkix_Build_RevCheckPrep
2966
(state, state->candidateCert, plContext),
2967
PKIX_BUILDREVCHECKPREPFAILED);
2968
state->status = BUILD_CRL2;
2971
if (state->status == BUILD_CRL2) {
2972
PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
2973
(trustAnchor, &trustedCert, plContext),
2974
PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
2976
PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
2977
(trustedCert, &trustedPubKey, plContext),
2978
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
2981
(PKIX_CertChainChecker_GetCertChainCheckerState
2982
(state->buildConstants.crlChecker,
2985
PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
2987
PKIX_CHECK(pkix_CheckType
2989
PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
2991
PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
2993
verifyError = pkix_DefaultCRLChecker_Check_Helper
2994
(state->buildConstants.crlChecker,
2995
state->candidateCert,
2997
(pkix_DefaultCRLCheckerState *) crlCheckerState,
2998
NULL, /* unresolved crit extensions */
2999
state->useOnlyLocal,
3003
pkixTempErrorReceived = PKIX_TRUE;
3004
pkixErrorClass = verifyError->errClass;
3005
if (pkixErrorClass == PKIX_FATAL_ERROR) {
3006
pkixErrorResult = verifyError;
3012
PKIX_DECREF(trustedCert);
3013
PKIX_DECREF(trustedPubKey);
3014
PKIX_DECREF(crlCheckerState);
3017
/* IO still pending, resume later */
3019
} else if (PKIX_ERROR_RECEIVED) {
3020
if (state->verifyNode != NULL) {
3022
(pkix_VerifyNode_SetError
3026
PKIX_VERIFYNODESETERRORFAILED);
3028
pkixTempErrorReceived = PKIX_FALSE;
3029
PKIX_DECREF(finalError);
3030
finalError = verifyError;
3032
/* try again with the next trust anchor */
3033
state->status = BUILD_CHECKWITHANCHORS;
3035
state->status = BUILD_VALCHAIN;
3039
if (state->status == BUILD_VALCHAIN) {
3040
/* Does the chain pass all validation tests? */
3041
PKIX_CHECK(pkix_Build_ValidationCheckers
3046
PKIX_BUILDVALIDATIONCHECKERSFAILED);
3048
state->status = BUILD_VALCHAIN2;
3051
if (state->status == BUILD_VALCHAIN2) {
3052
PKIX_CHECK_ONLY_FATAL
3053
(pkix_Build_ValidateEntireChain
3060
PKIX_BUILDVALIDATEENTIRECHAINFAILED);
3063
/* IO still pending, resume later */
3066
PKIX_DECREF(state->reversedCertChain);
3067
PKIX_DECREF(state->checkedCritExtOIDs);
3068
PKIX_DECREF(state->checkerChain);
3069
PKIX_DECREF(state->revCheckers);
3070
if (!PKIX_ERROR_RECEIVED) {
3071
*pValResult = valResult;
3073
if (state->verifyNode != NULL) {
3075
(pkix_VerifyNode_AddToTree
3079
PKIX_VERIFYNODEADDTOTREEFAILED);
3080
PKIX_DECREF(verifyNode);
3082
/* Make IsIOPending FALSE */
3083
state->status = BUILD_VALCHAIN;
3086
/* Reset temp error that was set by
3087
* PKIX_CHECK_ONLY_FATAL and continue */
3088
pkixTempErrorReceived = PKIX_FALSE;
3091
state->status = BUILD_CHECKWITHANCHORS;
3094
PKIX_DECREF(trustAnchor);
3095
state->anchorIndex++;
3096
} /* while (anchorIndex < numAnchors) */
3098
2598
if (state->status == BUILD_EXTENDCHAIN) {
3100
2600
/* Check whether we are allowed to extend the chain */
3380
2902
pkixErrorCode = PKIX_SECERRORUNKNOWNISSUER;
3381
2903
pkixErrorReceived = PKIX_TRUE;
2904
PKIX_ERROR_CREATE(BUILD, PKIX_SECERRORUNKNOWNISSUER,
2907
pkix_VerifyNode_SetError(state->verifyNode, verifyError,
2909
PKIX_VERIFYNODESETERRORFAILED);
3383
2911
pkixErrorResult = verifyError;
3384
2912
verifyError = NULL;
2916
if (state->parentState) {
2917
/* parentState in "state" object should be NULL at this point.
2918
* If itn't, that means that we got fatal error(we have jumped to
2919
* "fatal" label) and we should destroy all state except the top one. */
2920
while (state->parentState) {
2921
PKIX_Error *error = NULL;
2922
PKIX_ForwardBuilderState *prntState = state->parentState;
2923
/* Dumb: need to increment parentState to avoid destruction
2924
* of "build constants"(they get destroyed when parentState is
2926
PKIX_INCREF(prntState);
2927
error = PKIX_PL_Object_DecRef((PKIX_PL_Object*)state, plContext);
2929
PKIX_PL_Object_DecRef((PKIX_PL_Object*)error, plContext);
2931
/* No need to decref the parent state. It was already done by
2932
* pkix_ForwardBuilderState_Destroy function. */
3388
2936
PKIX_DECREF(parentState);
3389
2937
PKIX_DECREF(childState);
3390
2938
PKIX_DECREF(valResult);
3391
2939
PKIX_DECREF(verifyError);
3392
2940
PKIX_DECREF(finalError);
3393
2941
PKIX_DECREF(verifyNode);
3394
PKIX_DECREF(candidatePubKey);
3395
PKIX_DECREF(trustedPubKey);
3396
2942
PKIX_DECREF(childTraversedSubjNames);
3397
2943
PKIX_DECREF(certSelParams);
3398
2944
PKIX_DECREF(subjectNames);
3399
2945
PKIX_DECREF(subjectName);
3400
2946
PKIX_DECREF(trustAnchor);
3401
2947
PKIX_DECREF(validityDate);
3402
PKIX_DECREF(crlCheckerState);
2948
PKIX_DECREF(revCheckerState);
3403
2949
PKIX_DECREF(currTime);
3404
2950
PKIX_DECREF(filteredCerts);
3405
2951
PKIX_DECREF(unfilteredCerts);
3412
* FUNCTION: pkix_Build_TryShortcut
3415
* This function checks whether the target cert in "state", subject to the name
3416
* constraints specified by "targetSubjNames", forms a complete trust chain
3417
* with any of the trust anchors.
3419
* If a crlChecker using non-blocking I/O returns with an indication that I/O
3420
* is in progress, this function stores the NBIOContext (returned by the
3421
* checker) at "pNBIOContext". Otherwise, it stores NULL at "pNBIOContext" and
3422
* indicates in "pAnchor" whether a complete trust chain was found. If no
3423
* successful trust chain is found, NULL is stored at "pAnchor". If a
3424
* successful trust chain is found, the anchor that completed the chain is
3425
* stored at "pAnchor".
3429
* Address of ForwardBuilderState to be used. Must be non-NULL.
3431
* Address of List of subject names in targetCertificate. Must be non-NULL.
3433
* Address at which the NBIOContext is stored indicating whether the
3434
* checking is complete. Must be non-NULL.
3436
* Address at which successful trustAnchor is stored, if trustAnchor and
3437
* Certificate form a complete trust chain. Must be non-NULL.
3439
* Platform-specific context pointer.
3441
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
3443
* Returns NULL if the function succeeds.
3444
* Returns a Build Error if the function fails in a non-fatal way
3445
* Returns a Fatal Error if the function fails in an unrecoverable way.
3448
pkix_Build_TryShortcut(
3449
PKIX_ForwardBuilderState *state,
3450
PKIX_List *targetSubjNames,
3451
void **pNBIOContext,
3452
PKIX_TrustAnchor **pAnchor,
3453
PKIX_ValidateResult **pValResult,
3456
PKIX_Boolean passed = PKIX_FALSE;
3457
void *nbioContext = NULL;
3458
PKIX_TrustAnchor *anchor = NULL;
3459
PKIX_PL_Cert *trustedCert = NULL;
3460
PKIX_PL_PublicKey *trustedPubKey = NULL;
3461
PKIX_PL_Object *crlCheckerState = NULL;
3462
PKIX_Error *validationError = NULL;
3463
PKIX_VerifyNode *verifyNode = NULL;
3464
PKIX_ValidateResult *valResult = NULL;
3466
PKIX_ENTER(BUILD, "pkix_Build_TryShortcut");
3467
PKIX_NULLCHECK_THREE(state, pNBIOContext, pAnchor);
3469
*pNBIOContext = NULL; /* prepare in case of error exit */
3472
* Does the target cert, with any of our trust
3473
* anchors, form a complete trust chain?
3475
while (state->anchorIndex < state->buildConstants.numAnchors) {
3476
PKIX_CHECK(PKIX_List_GetItem
3477
(state->buildConstants.anchors,
3479
(PKIX_PL_Object **)&anchor,
3481
PKIX_LISTGETITEMFAILED);
3482
PKIX_CHECK(pkix_Build_CheckCertAgainstAnchor
3489
PKIX_CHECKCERTAGAINSTANCHORFAILED);
3491
if (passed != PKIX_TRUE) {
3492
PKIX_DECREF(anchor);
3493
state->anchorIndex++;
3497
if (state->buildConstants.crlChecker != NULL) {
3499
PKIX_DECREF(trustedCert);
3500
PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
3501
(anchor, &trustedCert, plContext),
3502
PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
3504
PKIX_DECREF(trustedPubKey);
3505
PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
3506
(trustedCert, &trustedPubKey, plContext),
3507
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
3509
PKIX_DECREF(crlCheckerState);
3511
(PKIX_CertChainChecker_GetCertChainCheckerState
3512
(state->buildConstants.crlChecker,
3515
PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
3517
PKIX_CHECK(pkix_CheckType
3519
PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
3521
PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
3523
/* Set up CRLSelector */
3524
PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
3526
(pkix_DefaultCRLCheckerState *) crlCheckerState,
3528
PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
3531
pkix_DefaultCRLChecker_Check_Helper
3532
(state->buildConstants.crlChecker,
3535
(pkix_DefaultCRLCheckerState *) crlCheckerState,
3536
NULL, /* unresolved crit extensions */
3541
if (validationError) {
3542
pkixErrorClass = validationError->errClass;
3543
if (pkixErrorClass == PKIX_FATAL_ERROR) {
3544
pkixErrorResult = validationError;
3545
validationError = NULL;
3548
if (state->verifyNode) {
3550
pkix_VerifyNode_Create(state->prevCert,
3554
PKIX_VERIFYNODECREATEFAILED);
3556
pkix_VerifyNode_AddToTree(state->verifyNode,
3559
PKIX_VERIFYNODEADDTOTREEFAILED);
3560
PKIX_DECREF(verifyNode);
3562
PKIX_DECREF(validationError);
3563
/* contunue to the next anchor */
3564
PKIX_DECREF(anchor);
3565
state->anchorIndex++;
3568
if (nbioContext != NULL) {
3569
state->status = BUILD_SHORTCUTPENDING;
3570
*pNBIOContext = nbioContext;
3576
pkix_VerifyNode_Create(state->prevCert, 0, NULL,
3579
PKIX_VERIFYNODECREATEFAILED);
3582
pkix_Build_ValidationCheckers(state, state->trustChain,
3584
PKIX_BUILDVALIDATIONCHECKERSFAILED);
3586
PKIX_CHECK_ONLY_FATAL(
3587
pkix_Build_ValidateEntireChain(state, anchor, &nbioContext,
3588
&valResult, verifyNode,
3590
PKIX_BUILDVALIDATEENTIRECHAINFAILED);
3592
if (nbioContext != NULL) {
3593
/* IO still pending, resume later */
3594
*pNBIOContext = nbioContext;
3597
/* Cleanup after pkix_Build_ValidateEntireChain. */
3598
PKIX_DECREF(state->reversedCertChain);
3599
PKIX_DECREF(state->checkedCritExtOIDs);
3600
PKIX_DECREF(state->checkerChain);
3601
PKIX_DECREF(state->revCheckers);
3602
if (state->verifyNode != NULL) {
3604
pkix_VerifyNode_AddToTree(state->verifyNode,
3605
verifyNode, plContext),
3606
PKIX_VERIFYNODEADDTOTREEFAILED);
3607
PKIX_DECREF(verifyNode);
3610
if (!PKIX_ERROR_RECEIVED) {
3611
*pValResult = valResult;
3615
/* Reset temp error that was set by
3616
* PKIX_CHECK_ONLY_FATAL and continue */
3617
pkixTempErrorReceived = PKIX_FALSE;
3618
PKIX_DECREF(anchor);
3619
state->anchorIndex++;
3620
} /* while (state->anchorIndex < state->buildConstants.numAnchors) */
3628
PKIX_DECREF(validationError);
3629
PKIX_DECREF(valResult);
3630
PKIX_DECREF(verifyNode);
3631
PKIX_DECREF(trustedCert);
3632
PKIX_DECREF(trustedPubKey);
3633
PKIX_DECREF(crlCheckerState);
3634
PKIX_DECREF(anchor);
3640
2958
* FUNCTION: pkix_Build_CheckInCache