← Back to branch summary

~ubuntu-branches/ubuntu/intrepid/xulrunner-1.9/intrepid

« back to all changes in this revision

Viewing changes to mozilla/security/nss/lib/libpkix/pkix/top/pkix_defaultcrlchecker.c

  • Committer: Bazaar Package Importer
  • Author(s): Alexander Sack, Alexander Sack, Fabien Tassin
  • Date: 2008-02-13 11:47:21 UTC
  • mfrom: (1.1.4 upstream)
  • Revision ID: james.westby@ubuntu.com-20080213114721-7om0mgzngvuk9czv
Tags: 1.9~b3+nobinonly-0ubuntu1
https://launchpad.net/bugs/37507
* release FIREFOX_3_0b3_RELEASE

[ Alexander Sack ]
* submit patch that ships xpcshell to bugzilla
  - rename debian/patches/ship_xpcshell.patch =>
           debian/patches/bz410617_att295212_ship_xpcshell.patch
  - update debian/patches/series
* fix tooltip in epiphany: previously displayed out of screen bounds
  (LP: #37507)
  - add debian/patches/bz233371_att297343_fix_outofscreen_embed_tooltip.patch
  - update debian/patches/series
* use default upstream gcc tweaks for improved performance - especially of the
  javascript engine
  - update debian/rules
* update global extension/plugin patch to apply cleanly against latest code
  - update debian/patches/bzXXX_gre_extension_plugin_support.patch
* fix pyxpcom build failure introduced by recent commit
  - add debian/patches/bzXXX_fix_pyxpcom_build_failure.patch
  - update debian/patches/series
* add distro independent global install locations for extensions,
  /usr/lib/mozilla/extensions and /usr/share/mozilla/extensions
  - update debian/xulrunner-1.9.dirs
* support embedded tarball layout when either there is a *.tar.bz2 in orig tarball
  or if DEBIAN_MOZCLIENT_EMBEDDED is not unset (you will need this to produce embedded
  tarballs during |get-orig-source|
  - update debian/rules
* bump minimum libnss3-dev build requirements to >= 3.12.0~1.9b3
  - update debian/control
* bump minimum libnspr4-dev build requirements to >= 4.7.0~1.9b3
  - update debian/control

[ Fabien Tassin ]
* Drop patches applied upstream
  - drop debian/patches/bz410617_att295212_ship_xpcshell.patch
  - drop debian/patches/bz404634_att294921.patch
  - drop debian/patches/bz386610_python2.5_ftbfs_amd64.patch
  - drop debian/patches/bz373918_att295042.patch
  - drop debian/patches/bz408062_unstable_pc.patch
  - drop debian/patches/bz384304_fix_recursive_symlinks.patch
  - update debian/patches/series
* Refresh diverged patches:
  - update debian/patches/bzXXX_pc_honour_system_nspr_nss.patch
  - update debian/patches/rename_venkman_addon.patch
  - update debian/patches/bz344818_cairo_xrender.patch
* Install links for all .so libs in the -dev package
  - update debian/patches/dont_install_so_in_dev.patch
* Bump gtk requirement to 2.12 as per Mozilla bug 412432
  - update debian/control
* Add #DEBHELPER# token to postinst/prerm scripts
  - update debian/xulrunner-1.9.{postinst,prerm}
* Install previously missed libdbusservice.so
  - update debian/xulrunner-1.9.install
* Update venkman patch to also rename locales
  - update debian/patches/rename_venkman_addon.patch
* Bump requirement for system cairo to >= 1.5.8 as we now need
  the newly added cairo_path_extents()
  - update debian/rules
* Include mozilla-devscripts file using -include so ifneq could be omitted
  - update debian/rules
* Fix missing .so symlinks regression
  - update debian/patches/dont_install_so_in_dev.patch

Show diffs side-by-side

added added

removed removed

Lines of Context:
mozilla/security/nss/lib/libpkix/pkix/top/pkix_defaultcrlchecker.c
1
 
/* ***** BEGIN LICENSE BLOCK *****
2
 
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3
 
 *
4
 
 * The contents of this file are subject to the Mozilla Public License Version
5
 
 * 1.1 (the "License"); you may not use this file except in compliance with
6
 
 * the License. You may obtain a copy of the License at
7
 
 * http://www.mozilla.org/MPL/
8
 
 *
9
 
 * Software distributed under the License is distributed on an "AS IS" basis,
10
 
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11
 
 * for the specific language governing rights and limitations under the
12
 
 * License.
13
 
 *
14
 
 * The Original Code is the PKIX-C library.
15
 
 *
16
 
 * The Initial Developer of the Original Code is
17
 
 * Sun Microsystems, Inc.
18
 
 * Portions created by the Initial Developer are
19
 
 * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
20
 
 *
21
 
 * Contributor(s):
22
 
 *   Sun Microsystems, Inc.
23
 
 *
24
 
 * Alternatively, the contents of this file may be used under the terms of
25
 
 * either the GNU General Public License Version 2 or later (the "GPL"), or
26
 
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27
 
 * in which case the provisions of the GPL or the LGPL are applicable instead
28
 
 * of those above. If you wish to allow use of your version of this file only
29
 
 * under the terms of either the GPL or the LGPL, and not to allow others to
30
 
 * use your version of this file under the terms of the MPL, indicate your
31
 
 * decision by deleting the provisions above and replace them with the notice
32
 
 * and other provisions required by the GPL or the LGPL. If you do not delete
33
 
 * the provisions above, a recipient may use your version of this file under
34
 
 * the terms of any one of the MPL, the GPL or the LGPL.
35
 
 *
36
 
 * ***** END LICENSE BLOCK ***** */
37
 
/*
38
 
 * pkix_defaultcrlchecker.c
39
 
 *
40
 
 * Functions for default CRL Checkers
41
 
 *
42
 
 */
43
 
#define CERTCHAINCHECKERDEBUG 1
44
 
 
45
 
#include "pkix_defaultcrlchecker.h"
46
 
 
47
 
static char *reasonCodeMsgString[] = {
48
 
        "Certificate is revoked by CRL for unspecified reason"
49
 
        "Certificate is revoked by CRL for key compromise",
50
 
        "Certificate is revoked by CRL for CA compromise",
51
 
        "Certificate is revoked by CRL for affiliation changed",
52
 
        "Certificate is revoked by CRL for being superseded",
53
 
        "Certificate is revoked by CRL for cessation of operation",
54
 
        "Certificate is revoked by CRL for certificate hold",
55
 
        "Certificate is revoked by CRL for undefined reason",
56
 
        "Certificate is revoked by CRL for being removed from CRL",
57
 
        "Certificate is revoked by CRL for privilege withdrawn",
58
 
        "Certificate is revoked by CRL for aACompromise",
59
 
};
60
 
 
61
 
/* --Private-DefaultCRLCheckerState-Functions------------------------------- */
62
 
 
63
 
/*
64
 
 * FUNCTION: pkix_DefaultCRLCheckerstate_Destroy
65
 
 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
66
 
 */
67
 
static PKIX_Error *
68
 
pkix_DefaultCRLCheckerState_Destroy(
69
 
        PKIX_PL_Object *object,
70
 
        void *plContext)
71
 
{
72
 
        pkix_DefaultCRLCheckerState *state = NULL;
73
 
 
74
 
        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
75
 
                    "pkix_DefaultCRLCheckerState_Destroy");
76
 
        PKIX_NULLCHECK_ONE(object);
77
 
 
78
 
        /* Check that this object is a default CRL checker state */
79
 
        PKIX_CHECK(pkix_CheckType
80
 
                    (object, PKIX_DEFAULTCRLCHECKERSTATE_TYPE, plContext),
81
 
                    PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
82
 
 
83
 
        state = (pkix_DefaultCRLCheckerState *)object;
84
 
 
85
 
        state->certHasValidCrl = PKIX_FALSE;
86
 
        state->prevCertCrlSign = PKIX_FALSE;
87
 
        state->reasonCodeMask = 0;
88
 
 
89
 
        PKIX_DECREF(state->certStores);
90
 
        PKIX_DECREF(state->testDate);
91
 
        PKIX_DECREF(state->prevPublicKey);
92
 
        PKIX_DECREF(state->prevPublicKeyList);
93
 
        PKIX_DECREF(state->crlReasonCodeOID);
94
 
        PKIX_DECREF(state->certIssuer);
95
 
        PKIX_DECREF(state->certSerialNumber);
96
 
        PKIX_DECREF(state->crlSelector);
97
 
        state->crlStoreIndex = 0;
98
 
        state->numCrlStores = 0;
99
 
 
100
 
cleanup:
101
 
 
102
 
        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
103
 
}
104
 
 
105
 
/*
106
 
 * FUNCTION: pkix_DefaultCRLCheckerState_RegisterSelf
107
 
 *
108
 
 * DESCRIPTION:
109
 
 *  Registers PKIX_DEFAULTCRLCHECKERSTATE_TYPE and its related functions
110
 
 *  with systemClasses[]
111
 
 *
112
 
 * THREAD SAFETY:
113
 
 *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
114
 
 *
115
 
 *  Since this function is only called by PKIX_PL_Initialize, which should
116
 
 *  only be called once, it is acceptable that this function is not
117
 
 *  thread-safe.
118
 
 */
119
 
PKIX_Error *
120
 
pkix_DefaultCRLCheckerState_RegisterSelf(void *plContext)
121
 
{
122
 
        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
123
 
        pkix_ClassTable_Entry entry;
124
 
 
125
 
        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
126
 
                    "pkix_DefaultCRLCheckerState_RegisterSelf");
127
 
 
128
 
        entry.description = "DefaultCRLCheckerState";
129
 
        entry.destructor = pkix_DefaultCRLCheckerState_Destroy;
130
 
        entry.equalsFunction = NULL;
131
 
        entry.hashcodeFunction = NULL;
132
 
        entry.toStringFunction = NULL;
133
 
        entry.comparator = NULL;
134
 
        entry.duplicateFunction = NULL;
135
 
 
136
 
        systemClasses[PKIX_DEFAULTCRLCHECKERSTATE_TYPE] = entry;
137
 
 
138
 
        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
139
 
}
140
 
 
141
 
/*
142
 
 * FUNCTION: pkix_DefaultCRLCheckerState_Create
143
 
 *
144
 
 * DESCRIPTION:
145
 
 *  Allocate and initialize DefaultCRLChecker state data.
146
 
 *
147
 
 * PARAMETERS
148
 
 *  "certStores"
149
 
 *      Address of CertStore List to be stored in state. Must be non-NULL.
150
 
 *  "testDate"
151
 
 *      Address of PKIX_PL_Date to be checked. May be NULL.
152
 
 *  "trustedPubKey"
153
 
 *      Trusted Anchor Public Key for verifying first Cert in the chain.
154
 
 *      Must be non-NULL.
155
 
 *  "certsRemaining"
156
 
 *      Number of certificates remaining in the chain.
157
 
 *  "nistCRLPolicyEnabled"
158
 
 *      If enabled, enforce nist crl policy.
159
 
 *  "pCheckerState"
160
 
 *      Address of DefaultCRLCheckerState that is returned. Must be non-NULL.
161
 
 *  "plContext"
162
 
 *      Platform-specific context pointer.
163
 
 *
164
 
 * THREAD SAFETY:
165
 
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
166
 
 *
167
 
 * RETURNS:
168
 
 *  Returns NULL if the function succeeds.
169
 
 *  Returns a DefaultCrlCheckerState Error if the function fails in a
170
 
 *  non-fatal way.
171
 
 *  Returns a Fatal Error
172
 
 */
173
 
static PKIX_Error *
174
 
pkix_DefaultCRLCheckerState_Create(
175
 
    PKIX_List *certStores,
176
 
    PKIX_PL_Date *testDate,
177
 
    PKIX_PL_PublicKey *trustedPubKey,
178
 
    PKIX_UInt32 certsRemaining,
179
 
    PKIX_Boolean nistCRLPolicyEnabled,
180
 
    pkix_DefaultCRLCheckerState **pCheckerState,
181
 
    void *plContext)
182
 
{
183
 
        pkix_DefaultCRLCheckerState *state = NULL;
184
 
 
185
 
        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
186
 
                    "pkix_DefaultCRLCheckerState_Create");
187
 
        PKIX_NULLCHECK_TWO(certStores, pCheckerState);
188
 
 
189
 
        PKIX_CHECK(PKIX_PL_Object_Alloc
190
 
                    (PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
191
 
                    sizeof (pkix_DefaultCRLCheckerState),
192
 
                    (PKIX_PL_Object **)&state,
193
 
                    plContext),
194
 
                    PKIX_COULDNOTCREATEDEFAULTCRLCHECKERSTATEOBJECT);
195
 
 
196
 
        /* Initialize fields */
197
 
 
198
 
        PKIX_INCREF(certStores);
199
 
        state->certStores = certStores;
200
 
 
201
 
        PKIX_INCREF(testDate);
202
 
        state->testDate = testDate;
203
 
 
204
 
        PKIX_INCREF(trustedPubKey);
205
 
        state->prevPublicKey = trustedPubKey;
206
 
 
207
 
        state->certHasValidCrl = PKIX_FALSE;
208
 
        state->nistCRLPolicyEnabled = nistCRLPolicyEnabled;
209
 
        state->prevCertCrlSign = PKIX_TRUE;
210
 
        state->prevPublicKeyList = NULL;
211
 
        state->reasonCodeMask = 0;
212
 
        state->certsRemaining = certsRemaining;
213
 
 
214
 
        PKIX_CHECK(PKIX_PL_OID_Create
215
 
                    (PKIX_CRLREASONCODE_OID,
216
 
                    &state->crlReasonCodeOID,
217
 
                    plContext),
218
 
                    PKIX_OIDCREATEFAILED);
219
 
 
220
 
        state->certIssuer = NULL;
221
 
        state->certSerialNumber = NULL;
222
 
        state->crlSelector = NULL;
223
 
        state->crlStoreIndex = 0;
224
 
        state->numCrlStores = 0;
225
 
 
226
 
        *pCheckerState = state;
227
 
 
228
 
cleanup:
229
 
 
230
 
        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
231
 
}
232
 
 
233
 
/* --Private-DefaultCRLChecker-Functions------------------------------------ */
234
 
 
235
 
/*
236
 
 * FUNCTION: pkix_DefaultCRLChecker_CheckCRLs
237
 
 *
238
 
 * DESCRIPTION:
239
 
 *  Check validity of "cert" based on CRLs at "crlList" that has correct
240
 
 *  signature verification with "publicKey".
241
 
 *
242
 
 * PARAMETERS
243
 
 *  "cert"
244
 
 *      Address of Cert which has the certificate data. Must be non-NULL.
245
 
 *  "certIssuer"
246
 
 *      Address of Issuer that associates with the Cert. Must be non-NULL.
247
 
 *  "certSerialNumber"
248
 
 *      Address of Serial Number that associates with the Cert. Must be 
249
 
 *      non-NULL.
250
 
 *  "publicKey"
251
 
 *      Address of Public Key that associates with the Cert Issuer.
252
 
 *      Must be non-NULL.
253
 
 *  "crlList"
254
 
 *      A List CRLs that the certificate is verified upon. Must be non-NULL.
255
 
 *  "state"
256
 
 *      Address of DefaultCRLCheckerState which keeps dynamic state data.
257
 
 *      Must be non-NULL.
258
 
 *  "pCrlEntryList"
259
 
 *      Address of PKIX_PL_CrlEntry List that contains valid CrlEntries for
260
 
 *      this Cert. May be NULL.
261
 
 *  "plContext"
262
 
 *      Platform-specific context pointer.
263
 
 *
264
 
 * THREAD SAFETY:
265
 
 *  Conditionally Thread Safe
266
 
 *      (see Thread Safety Definitions in Programmer's Guide)
267
 
 *
268
 
 * RETURNS:
269
 
 *  Returns NULL if the function succeeds.
270
 
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
271
 
 *  Returns a Fatal Error
272
 
 */
273
 
static PKIX_Error *
274
 
pkix_DefaultCRLChecker_CheckCRLs(
275
 
        PKIX_PL_Cert *cert,
276
 
        PKIX_PL_X500Name *certIssuer,
277
 
        PKIX_PL_BigInt *certSerialNumber,
278
 
        PKIX_PL_PublicKey *publicKey,
279
 
        PKIX_List *crlList,
280
 
        pkix_DefaultCRLCheckerState *state,
281
 
        PKIX_List **pCrlEntryList,
282
 
        void *plContext)
283
 
{
284
 
        PKIX_PL_CRL *crl = NULL;
285
 
        PKIX_PL_CRLEntry *crlEntry = NULL;
286
 
        PKIX_PL_PublicKey *pKey = NULL;
287
 
        PKIX_List *unresCrlCritExtOIDs = NULL;
288
 
        PKIX_List *unresCrlEntryCritExtOIDs = NULL;
289
 
        PKIX_List *crlEntryList = NULL;
290
 
        PKIX_Error *verifyFail = NULL;
291
 
        PKIX_UInt32 numCrls = 0;
292
 
        PKIX_UInt32 numKeys = 0;
293
 
        PKIX_UInt32 numCritExtOIDs = 0;
294
 
        PKIX_Boolean crlVerified = PKIX_FALSE;
295
 
        PKIX_Boolean crlRevoking = PKIX_FALSE;
296
 
        PKIX_Int32 reasonCode = 0;
297
 
        PKIX_UInt32 i;
298
 
        PKIX_Int32 j;
299
 
 
300
 
        PKIX_ENTER(CERTCHAINCHECKER,
301
 
                    "pkix_DefaultCRLChecker_CheckCRLs");
302
 
        PKIX_NULLCHECK_FOUR(cert, publicKey, crlList, state);
303
 
 
304
 
        PKIX_CHECK(PKIX_List_GetLength(crlList, &numCrls, plContext),
305
 
                    PKIX_LISTGETLENGTHFAILED);
306
 
 
307
 
        if (state->prevPublicKeyList != NULL) {
308
 
 
309
 
                PKIX_CHECK(PKIX_List_GetLength
310
 
                    (state->prevPublicKeyList, &numKeys, plContext),
311
 
                    PKIX_LISTGETLENGTHFAILED);
312
 
        }
313
 
 
314
 
        /* Check if Cert is not revoked by any the the CRLs */
315
 
 
316
 
        for (i = 0; i < numCrls; i++){
317
 
 
318
 
                PKIX_CHECK(PKIX_List_GetItem
319
 
                            (crlList, i, (PKIX_PL_Object **)&crl, plContext),
320
 
                            PKIX_LISTGETITEMFAILED);
321
 
 
322
 
                /*
323
 
                 * Checking serial number (issuer done in selector) then
324
 
                 * verify signature. If matches, get the CRL reason(s).
325
 
                 */
326
 
 
327
 
                if (state->prevCertCrlSign == PKIX_TRUE) {
328
 
                        verifyFail = PKIX_PL_CRL_VerifySignature
329
 
                                (crl, publicKey, plContext);
330
 
                        if (verifyFail == NULL) {
331
 
                                crlVerified = PKIX_TRUE;
332
 
                        } else {
333
 
                                crlVerified = PKIX_FALSE;
334
 
                                PKIX_DECREF(verifyFail);
335
 
                        }
336
 
                }
337
 
 
338
 
                if (crlVerified == PKIX_FALSE) {
339
 
 
340
 
                    /* Verify from old key(s) on the list */
341
 
                    for (j = numKeys - 1; j >= 0; j--) {
342
 
 
343
 
                            PKIX_CHECK(PKIX_List_GetItem
344
 
                                (state->prevPublicKeyList,
345
 
                                j,
346
 
                                (PKIX_PL_Object **) &pKey,
347
 
                                plContext),
348
 
                                PKIX_LISTGETITEMFAILED);
349
 
 
350
 
                            verifyFail = PKIX_PL_CRL_VerifySignature
351
 
                                (crl, pKey, plContext);
352
 
 
353
 
                            if (verifyFail == NULL) {
354
 
                                crlVerified = PKIX_TRUE;
355
 
                                break;
356
 
                            } else {
357
 
                                crlVerified = PKIX_FALSE;
358
 
                                PKIX_DECREF(verifyFail);
359
 
                            }
360
 
 
361
 
                            PKIX_DECREF(pKey);
362
 
                    }
363
 
                }
364
 
 
365
 
                if (crlVerified == PKIX_FALSE) {
366
 
                    /* try next one ... */
367
 
                    goto cleanup_loop;
368
 
                }
369
 
 
370
 
                state->certHasValidCrl = PKIX_TRUE;
371
 
 
372
 
                PKIX_CHECK(PKIX_PL_CRL_GetCriticalExtensionOIDs
373
 
                            (crl, &unresCrlCritExtOIDs, plContext),
374
 
                            PKIX_CRLGETCRITICALEXTENSIONOIDSFAILED);
375
 
 
376
 
                /*
377
 
                 * XXX Advanced CRL work - should put a
378
 
                 * Loop here to process and remove critical
379
 
                 * extension oids.
380
 
                 */
381
 
 
382
 
                if (unresCrlCritExtOIDs) {
383
 
 
384
 
                    PKIX_CHECK(PKIX_List_GetLength(unresCrlCritExtOIDs,
385
 
                        &numCritExtOIDs,
386
 
                        plContext),
387
 
                        PKIX_LISTGETLENGTHFAILED);
388
 
 
389
 
                    if (numCritExtOIDs != 0) {
390
 
                        PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
391
 
                                (PKIX_CRLCRITICALEXTENSIONOIDSNOTPROCESSED);
392
 
                        /*
393
 
                         * Uncomment this after we have implemented
394
 
                         * checkers for all the critical extensions.
395
 
                         *
396
 
                         * PKIX_ERROR
397
 
                         *      ("Unrecognized CRL Critical Extension");
398
 
                         */
399
 
                    }
400
 
                }
401
 
 
402
 
                PKIX_CHECK(PKIX_PL_CRL_GetCRLEntryForSerialNumber
403
 
                            (crl, certSerialNumber, &crlEntry, plContext),
404
 
                            PKIX_CRLGETCRLENTRYFORSERIALNUMBERFAILED);
405
 
 
406
 
                if (crlEntry == NULL) {
407
 
                    goto cleanup_loop;
408
 
                }
409
 
 
410
 
                crlRevoking = PKIX_TRUE;
411
 
 
412
 
                PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
413
 
                            (crlEntry,
414
 
                            &reasonCode,
415
 
                            plContext),
416
 
                            PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
417
 
 
418
 
                /* This is a valid CRLEntry, return it for caching */
419
 
                if (crlEntryList == NULL) {
420
 
                    PKIX_CHECK(PKIX_List_Create(&crlEntryList, plContext),
421
 
                            PKIX_LISTCREATEFAILED);
422
 
 
423
 
                }
424
 
 
425
 
                PKIX_CHECK(PKIX_List_AppendItem
426
 
                        (crlEntryList, (PKIX_PL_Object *) crlEntry, plContext),
427
 
                        PKIX_LISTAPPENDITEMFAILED);
428
 
 
429
 
                /* Set reason code in state for advance CRL reviewing */
430
 
 
431
 
                if (reasonCode >= 0 &&
432
 
                    reasonCode < sizeof (reasonCodeMsgString)) {
433
 
 
434
 
                    state->reasonCodeMask |= 1 << reasonCode;
435
 
                    PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
436
 
                        ("CRL revocation Reason: %s\n ",
437
 
                        reasonCodeMsgString[reasonCode]);
438
 
 
439
 
                } else {
440
 
                    PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
441
 
                        ("Revoked by Unknown CRL ReasonCode");
442
 
                }
443
 
 
444
 
                PKIX_CHECK(PKIX_PL_CRLEntry_GetCriticalExtensionOIDs
445
 
                            (crlEntry, &unresCrlEntryCritExtOIDs, plContext),
446
 
                            PKIX_CRLENTRYGETCRITICALEXTENSIONOIDSFAILED);
447
 
                if (unresCrlEntryCritExtOIDs) {
448
 
 
449
 
                    PKIX_CHECK(pkix_List_Remove
450
 
                            (unresCrlEntryCritExtOIDs,
451
 
                            (PKIX_PL_Object *) state->crlReasonCodeOID,
452
 
                            plContext),
453
 
                            PKIX_LISTREMOVEFAILED);
454
 
 
455
 
                    PKIX_CHECK(PKIX_List_GetLength(unresCrlEntryCritExtOIDs,
456
 
                        &numCritExtOIDs,
457
 
                        plContext),
458
 
                        PKIX_LISTGETLENGTHFAILED);
459
 
 
460
 
                    if (numCritExtOIDs != 0) {
461
 
 
462
 
                        PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
463
 
                            (PKIX_CRLENTRYCRITICALEXTENSIONWASNOTPROCESSED);
464
 
                        PKIX_ERROR(PKIX_UNRECOGNIZEDCRLENTRYCRITICALEXTENSION);
465
 
                    }
466
 
                }
467
 
 
468
 
        cleanup_loop:
469
 
 
470
 
                PKIX_DECREF(pKey);
471
 
                PKIX_DECREF(verifyFail);
472
 
                PKIX_DECREF(pKey);
473
 
                PKIX_DECREF(crlEntry);
474
 
                PKIX_DECREF(crl);
475
 
                PKIX_DECREF(unresCrlCritExtOIDs);
476
 
                PKIX_DECREF(unresCrlEntryCritExtOIDs);
477
 
        }
478
 
 
479
 
        *pCrlEntryList = crlEntryList;
480
 
 
481
 
        if (crlRevoking == PKIX_TRUE) {
482
 
 
483
 
                PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
484
 
        }
485
 
 
486
 
cleanup:
487
 
 
488
 
        PKIX_DECREF(pKey);
489
 
        PKIX_DECREF(verifyFail);
490
 
        PKIX_DECREF(crlEntry);
491
 
        PKIX_DECREF(crl);
492
 
        PKIX_DECREF(unresCrlCritExtOIDs);
493
 
        PKIX_DECREF(unresCrlEntryCritExtOIDs);
494
 
 
495
 
        PKIX_RETURN(CERTCHAINCHECKER);
496
 
}
497
 
 
498
 
/*
499
 
 * FUNCTION: pkix_DefaultCRLChecker_Check_SetSelector
500
 
 *
501
 
 * DESCRIPTION:
502
 
 *  This function creates a CRLSelector suitable for finding a CRL for
503
 
 *  the Cert pointed to by "cert", setting the result in the
504
 
 *  defaultCRLCheckerState pointed to by "state".
505
 
 *
506
 
 * PARAMETERS
507
 
 *  "cert"
508
 
 *      Address of Cert for which a CRLSelector is to be constructed. Must be
509
 
 *      non-NULL.
510
 
 *  "state"
511
 
 *      Address of defaultCRLCheckerState whose CRLSelector is to be set. Must
512
 
 *      be non-NULL.
513
 
 *  "plContext"
514
 
 *      Platform-specific context pointer.
515
 
 *
516
 
 * THREAD SAFETY:
517
 
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
518
 
 *
519
 
 * RETURNS:
520
 
 *  Returns NULL if the function succeeds.
521
 
 *  Returns a DefaultCrlCheckerState Error if the function fails in a
522
 
 *  non-fatal way.
523
 
 *  Returns a Fatal Error
524
 
 */
525
 
PKIX_Error *
526
 
pkix_DefaultCRLChecker_Check_SetSelector(
527
 
        PKIX_PL_Cert *cert,
528
 
        pkix_DefaultCRLCheckerState *state,
529
 
        void *plContext)
530
 
{
531
 
        PKIX_PL_X500Name *certIssuer = NULL;
532
 
        PKIX_PL_BigInt *certSerialNumber = NULL;
533
 
        PKIX_PL_Date *nowDate = NULL;
534
 
        PKIX_ComCRLSelParams *comCrlSelParams = NULL;
535
 
        PKIX_CRLSelector *crlSelector = NULL;
536
 
 
537
 
        PKIX_ENTER
538
 
                (CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_SetSelector");
539
 
        PKIX_NULLCHECK_TWO(cert, state);
540
 
 
541
 
        PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &certIssuer, plContext),
542
 
                PKIX_CERTGETISSUERFAILED);
543
 
 
544
 
        PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
545
 
                (cert, &certSerialNumber, plContext),
546
 
                PKIX_CERTGETSERIALNUMBERFAILED);
547
 
 
548
 
        if (state->testDate != NULL) {
549
 
 
550
 
                PKIX_INCREF(state->testDate);
551
 
                nowDate = state->testDate;
552
 
 
553
 
        } else {
554
 
 
555
 
                PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
556
 
                        (NULL, &nowDate, plContext),
557
 
                        PKIX_DATECREATEUTCTIMEFAILED);
558
 
        }
559
 
 
560
 
        PKIX_CHECK(PKIX_ComCRLSelParams_Create
561
 
                (&comCrlSelParams, plContext),
562
 
                PKIX_COMCRLSELPARAMSCREATEFAILED);
563
 
 
564
 
        PKIX_CHECK(PKIX_ComCRLSelParams_AddIssuerName
565
 
                (comCrlSelParams, certIssuer, plContext),
566
 
                PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED);
567
 
 
568
 
        PKIX_CHECK(PKIX_ComCRLSelParams_SetDateAndTime
569
 
                (comCrlSelParams, nowDate, plContext),
570
 
                PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);
571
 
 
572
 
        PKIX_CHECK(PKIX_ComCRLSelParams_SetNISTPolicyEnabled
573
 
                (comCrlSelParams, state->nistCRLPolicyEnabled, plContext),
574
 
                PKIX_COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED);
575
 
 
576
 
        PKIX_CHECK(PKIX_CRLSelector_Create
577
 
                (NULL,
578
 
                NULL, /* never used? (PKIX_PL_Object *)checker, */
579
 
                &crlSelector,
580
 
                plContext),
581
 
                PKIX_CRLSELECTORCREATEFAILED);
582
 
 
583
 
        PKIX_CHECK(PKIX_CRLSelector_SetCommonCRLSelectorParams
584
 
                (crlSelector, comCrlSelParams, plContext),
585
 
                PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED);
586
 
 
587
 
        PKIX_DECREF(state->certIssuer);
588
 
        PKIX_INCREF(certIssuer);
589
 
        state->certIssuer = certIssuer;
590
 
        PKIX_DECREF(state->certSerialNumber);
591
 
        PKIX_INCREF(certSerialNumber);
592
 
        state->certSerialNumber = certSerialNumber;
593
 
        PKIX_DECREF(state->crlSelector);
594
 
        PKIX_INCREF(crlSelector);
595
 
        state->crlSelector = crlSelector;
596
 
 
597
 
        state->crlStoreIndex = 0;
598
 
 
599
 
        PKIX_CHECK(PKIX_List_GetLength
600
 
                    (state->certStores, &(state->numCrlStores), plContext),
601
 
                    PKIX_LISTGETLENGTHFAILED);
602
 
 
603
 
        state->certHasValidCrl = PKIX_FALSE;
604
 
 
605
 
cleanup:
606
 
 
607
 
        PKIX_DECREF(certIssuer);
608
 
        PKIX_DECREF(certSerialNumber);
609
 
        PKIX_DECREF(nowDate);
610
 
        PKIX_DECREF(comCrlSelParams);
611
 
        PKIX_DECREF(crlSelector);
612
 
 
613
 
        PKIX_RETURN(CERTCHAINCHECKER);
614
 
}
615
 
 
616
 
/*
617
 
 * FUNCTION: pkix_DefaultCRLChecker_Check_Store
618
 
 *
619
 
 * DESCRIPTION:
620
 
 *  Checks the certStore pointed to by "certStore" for a CRL that may determine
621
 
 *  whether the Cert pointed to by "cert" has been revoked.
622
 
 *
623
 
 * PARAMETERS
624
 
 *  "checker"
625
 
 *      Address of CertChainChecker which has the state data.
626
 
 *      Must be non-NULL.
627
 
 *  "cert"
628
 
 *      Address of Certificate that is to be validated. Must be non-NULL.
629
 
 *  "prevPublicKey"
630
 
 *      Address of previous public key in the backward chain. May be NULL.
631
 
 *  "state"
632
 
 *      Address of DefaultCrlCheckerState. Must be non-NULL.
633
 
 *  "unresolvedCriticalExtensions"
634
 
 *      A List OIDs. Not **yet** used in this checker function.
635
 
 *  "certStore"
636
 
 *      Address of the CertStore to be queried for a relevant CRL. Must be
637
 
 *      non-NULL.
638
 
 *  "pNBIOContext"
639
 
 *      Address at which platform-dependent information is stored if processing
640
 
 *      is suspended for non-blocking I/O. Must be non-NULL.
641
 
 *  "plContext"
642
 
 *      Platform-specific context pointer.
643
 
 *
644
 
 * THREAD SAFETY:
645
 
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
646
 
 *
647
 
 * RETURNS:
648
 
 *  Returns NULL if the function succeeds.
649
 
 *  Returns a DefaultCrlCheckerState Error if the function fails in a
650
 
 *  non-fatal way.
651
 
 *  Returns a Fatal Error
652
 
 */
653
 
static PKIX_Error *
654
 
pkix_DefaultCRLChecker_Check_Store(
655
 
        PKIX_CertChainChecker *checker,
656
 
        PKIX_PL_Cert *cert,
657
 
        PKIX_PL_PublicKey *prevPublicKey,
658
 
        pkix_DefaultCRLCheckerState *state,
659
 
        PKIX_List *unresolvedCriticalExtensions,
660
 
        PKIX_CertStore *certStore,
661
 
        void **pNBIOContext,
662
 
        void *plContext)
663
 
{
664
 
 
665
 
        PKIX_Boolean cacheFlag = PKIX_FALSE;
666
 
        PKIX_Boolean cacheHit = PKIX_FALSE;
667
 
        PKIX_UInt32 numEntries = 0;
668
 
        PKIX_UInt32 i = 0;
669
 
        PKIX_Int32 reasonCode = 0;
670
 
        PKIX_UInt32 allReasonCodes = 0;
671
 
        PKIX_List *crlList = NULL;
672
 
        PKIX_List *crlEntryList = NULL;
673
 
        PKIX_PL_CRLEntry *crlEntry = NULL;
674
 
        PKIX_Error *checkCrlFail = NULL;
675
 
        PKIX_CertStore_CRLCallback getCrls = NULL;
676
 
        void *nbioContext = NULL;
677
 
 
678
 
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Store");
679
 
        PKIX_NULLCHECK_TWO(checker, cert);
680
 
        PKIX_NULLCHECK_THREE(state, certStore, pNBIOContext);
681
 
 
682
 
        nbioContext = *pNBIOContext;
683
 
        *pNBIOContext = NULL;
684
 
 
685
 
        /* Are this CertStore's entries in cache? */
686
 
        PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag
687
 
                (certStore, &cacheFlag, plContext),
688
 
                PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED);
689
 
 
690
 
        if (cacheFlag) {
691
 
 
692
 
                PKIX_CHECK(pkix_CacheCrlEntry_Lookup
693
 
                        (certStore,
694
 
                        state->certIssuer,
695
 
                        state->certSerialNumber,
696
 
                        &cacheHit,
697
 
                        &crlEntryList,
698
 
                        plContext),
699
 
                        PKIX_CACHECRLENTRYLOOKUPFAILED);
700
 
 
701
 
        }
702
 
 
703
 
        if (cacheHit) {
704
 
 
705
 
                /* Use cached data */
706
 
 
707
 
                PKIX_CHECK(PKIX_List_GetLength
708
 
                        (crlEntryList, &numEntries, plContext),
709
 
                        PKIX_LISTGETLENGTHFAILED);
710
 
 
711
 
                for (i = 0; i < numEntries; i++) {
712
 
 
713
 
                    PKIX_CHECK(PKIX_List_GetItem
714
 
                            (crlEntryList,
715
 
                            i,
716
 
                            (PKIX_PL_Object **)&crlEntry,
717
 
                            plContext),
718
 
                            PKIX_LISTGETITEMFAILED);
719
 
 
720
 
                    PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
721
 
                            (crlEntry, &reasonCode, plContext),
722
 
                            PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
723
 
 
724
 
                    if ((reasonCode >= 0) &&
725
 
                        (reasonCode < sizeof (reasonCodeMsgString))) {
726
 
 
727
 
                            allReasonCodes |= (1 << (reasonCode - 1));
728
 
 
729
 
                            PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
730
 
                                    ("CRL revocation Reason: %s\n ",
731
 
                                    reasonCodeMsgString[reasonCode]);
732
 
 
733
 
                    }
734
 
 
735
 
                    PKIX_DECREF(crlEntry);
736
 
                }
737
 
 
738
 
                state->reasonCodeMask |= allReasonCodes;
739
 
 
740
 
                if (allReasonCodes != 0) {
741
 
 
742
 
                        PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
743
 
                }
744
 
 
745
 
                PKIX_DECREF(crlEntryList);
746
 
 
747
 
       } else {
748
 
 
749
 
                if (nbioContext == NULL) {
750
 
                        PKIX_CHECK(PKIX_CertStore_GetCRLCallback
751
 
                                (certStore, &getCrls, plContext),
752
 
                                PKIX_CERTSTOREGETCRLCALLBACKFAILED);
753
 
 
754
 
                        PKIX_CHECK(getCrls
755
 
                                (certStore,
756
 
                                state->crlSelector,
757
 
                                &nbioContext,
758
 
                                &crlList,
759
 
                                plContext),
760
 
                                PKIX_GETCRLSFAILED);
761
 
                } else {
762
 
                        PKIX_CHECK(PKIX_CertStore_CrlContinue
763
 
                                (certStore,
764
 
                                state->crlSelector,
765
 
                                &nbioContext,
766
 
                                &crlList,
767
 
                                plContext),
768
 
                                PKIX_CERTSTORECRLCONTINUEFAILED);
769
 
                }
770
 
 
771
 
                /*
772
 
                 * Verify Certificate validity: if one CertStore provides
773
 
                 * reason code, we stop here. Instead of exhausting all
774
 
                 * CertStores to get all possible reason codes associated
775
 
                 *  with the Cert. May be expanded if desire otherwise.
776
 
                 */
777
 
 
778
 
                if (crlList == NULL) {
779
 
 
780
 
                        *pNBIOContext = nbioContext;
781
 
                } else {
782
 
 
783
 
                        *pNBIOContext = NULL;
784
 
 
785
 
                        checkCrlFail = pkix_DefaultCRLChecker_CheckCRLs
786
 
                                (cert,
787
 
                                state->certIssuer,
788
 
                                state->certSerialNumber,
789
 
                                prevPublicKey,
790
 
                                crlList,
791
 
                                state,
792
 
                                &crlEntryList,
793
 
                                plContext);
794
 
 
795
 
                        if (checkCrlFail) {
796
 
                                if (crlEntryList != NULL) {
797
 
                                        /* Add to cache */
798
 
                                        PKIX_CHECK(pkix_CacheCrlEntry_Add
799
 
                                               (certStore,
800
 
                                               state->certIssuer,
801
 
                                               state->certSerialNumber,
802
 
                                               crlEntryList,
803
 
                                               plContext),
804
 
                                               PKIX_CACHECRLENTRYADDFAILED);
805
 
                                }
806
 
                                PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
807
 
                        }
808
 
                }
809
 
 
810
 
                PKIX_DECREF(crlList);
811
 
 
812
 
        }
813
 
 
814
 
cleanup:
815
 
        PKIX_DECREF(crlEntryList);
816
 
        PKIX_DECREF(crlEntry);
817
 
        PKIX_DECREF(crlList);
818
 
        PKIX_DECREF(checkCrlFail);
819
 
 
820
 
        PKIX_RETURN(CERTCHAINCHECKER);
821
 
}
822
 
 
823
 
/*
824
 
 * FUNCTION: pkix_DefaultCRLChecker_Check_Helper
825
 
 *
826
 
 * DESCRIPTION:
827
 
 *  Check if the Cert has been revoked based on the CRL's data. It exhausts all
828
 
 *  CertStores and match CRLs at those stores for the certificate. It set the
829
 
 *  current date and issuer in CRLSelector to fetching CRL data from cache.
830
 
 *
831
 
 * PARAMETERS
832
 
 *  "checker"
833
 
 *      Address of CertChainChecker which has the state data.
834
 
 *      Must be non-NULL.
835
 
 *  "cert"
836
 
 *      Address of Certificate that is to be validated. Must be non-NULL.
837
 
 *  "prevPublicKey"
838
 
 *      Address of previous public key in the backward chain. May be NULL.
839
 
 *  "state"
840
 
 *      Address of DefaultCrlCheckerState. Must be non-NULL.
841
 
 *  "unresolvedCriticalExtensions"
842
 
 *      A List OIDs. Not **yet** used in this checker function.
843
 
 *  "useOnlyLocal"
844
 
 *      Boolean value indicating whether to use or bypass remote CertStores
845
 
 *  "pNBIOContext"
846
 
 *      Address at which platform-dependent information is stored if processing
847
 
 *      is suspended for non-blocking I/O. Must be non-NULL.
848
 
 *  "plContext"
849
 
 *      Platform-specific context pointer.
850
 
 *
851
 
 * THREAD SAFETY:
852
 
 *  Not Thread Safe
853
 
 *      (see Thread Safety Definitions in Programmer's Guide)
854
 
 *
855
 
 * RETURNS:
856
 
 *  Returns NULL if the function succeeds.
857
 
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
858
 
 *  Returns a Fatal Error
859
 
 */
860
 
PKIX_Error *
861
 
pkix_DefaultCRLChecker_Check_Helper(
862
 
        PKIX_CertChainChecker *checker,
863
 
        PKIX_PL_Cert *cert,
864
 
        PKIX_PL_PublicKey *prevPublicKey,
865
 
        pkix_DefaultCRLCheckerState *state,
866
 
        PKIX_List *unresolvedCriticalExtensions,
867
 
        PKIX_Boolean useOnlyLocal,
868
 
        void **pNBIOContext,
869
 
        void *plContext)
870
 
{
871
 
 
872
 
        void *nbioContext = NULL;
873
 
        PKIX_Boolean certStoreCanBeUsed = PKIX_FALSE;
874
 
        PKIX_CertStore *certStore = NULL;
875
 
        PKIX_Error *storeError = NULL;
876
 
 
877
 
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Helper");
878
 
        PKIX_NULLCHECK_THREE(checker, cert, state);
879
 
 
880
 
        nbioContext = *pNBIOContext;
881
 
        *pNBIOContext = NULL; /* prepare for Error exit */
882
 
 
883
 
        while ((state->crlStoreIndex) < (state->numCrlStores)) {
884
 
 
885
 
                /*
886
 
                 * For Basic CRL work, exit the loop when there is a valid
887
 
                 * CRL. For advance CRL, need to exhaust CRL until all
888
 
                 * reason masks are checked or a revocation is found.
889
 
                 */
890
 
 
891
 
                if (state->certHasValidCrl == PKIX_TRUE) {
892
 
                        break;
893
 
                }
894
 
 
895
 
                PKIX_CHECK(PKIX_List_GetItem
896
 
                        (state->certStores,
897
 
                        state->crlStoreIndex,
898
 
                        (PKIX_PL_Object **)&certStore,
899
 
                        plContext),
900
 
                        PKIX_LISTGETITEMFAILED);
901
 
 
902
 
                if (useOnlyLocal == PKIX_FALSE) {
903
 
                        certStoreCanBeUsed = PKIX_TRUE;
904
 
                } else {
905
 
                        PKIX_CHECK(PKIX_CertStore_GetLocalFlag
906
 
                                (certStore, &certStoreCanBeUsed, plContext),
907
 
                                PKIX_CERTSTOREGETLOCALFLAGFAILED);
908
 
                }
909
 
 
910
 
                if (certStoreCanBeUsed == PKIX_TRUE)
911
 
                {
912
 
                        /* Catch and re-throw error to preserve information */
913
 
                        storeError = pkix_DefaultCRLChecker_Check_Store
914
 
                                (checker,
915
 
                                cert,
916
 
                                prevPublicKey,
917
 
                                state,
918
 
                                unresolvedCriticalExtensions,
919
 
                                certStore,
920
 
                                &nbioContext,
921
 
                                plContext);
922
 
                        PKIX_CHECK
923
 
                                (storeError,
924
 
                                PKIX_DEFAULTCRLCHECKERCHECKSTOREFAILED);
925
 
 
926
 
                        if (nbioContext != NULL) {
927
 
                                /* I/O still pending. Exit and resume later. */
928
 
                                *pNBIOContext = nbioContext;
929
 
                                goto cleanup;
930
 
                        }
931
 
                }
932
 
 
933
 
                PKIX_DECREF(certStore);
934
 
                state->crlStoreIndex++;
935
 
        } /* while ((state->crlStoreIndex) < (state->numCrlStores)) */
936
 
 
937
 
        if (state->nistCRLPolicyEnabled != PKIX_FALSE &&
938
 
            state->certHasValidCrl == PKIX_FALSE) {
939
 
            PKIX_ERROR(PKIX_CERTIFICATEDOESNTHAVEVALIDCRL);
940
 
        }
941
 
 
942
 
cleanup:
943
 
 
944
 
        PKIX_DECREF(certStore);
945
 
 
946
 
        PKIX_RETURN(CERTCHAINCHECKER);
947
 
}
948
 
 
949
 
/*
950
 
 * FUNCTION: pkix_DefaultCRLChecker_Check
951
 
 *
952
 
 * DESCRIPTION:
953
 
 *  Check if the Cert has been revoked based the CRLs data.  This function
954
 
 *  maintains the checker state to be current.
955
 
 *
956
 
 * PARAMETERS
957
 
 *  "checker"
958
 
 *      Address of CertChainChecker which has the state data.
959
 
 *      Must be non-NULL.
960
 
 *  "cert"
961
 
 *      Address of Certificate that is to be validated. Must be non-NULL.
962
 
 *  "unresolvedCriticalExtensions"
963
 
 *      A List OIDs. Not **yet** used in this checker function.
964
 
 *  "plContext"
965
 
 *      Platform-specific context pointer.
966
 
 *
967
 
 * THREAD SAFETY:
968
 
 *  Not Thread Safe
969
 
 *      (see Thread Safety Definitions in Programmer's Guide)
970
 
 *
971
 
 * RETURNS:
972
 
 *  Returns NULL if the function succeeds.
973
 
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
974
 
 *  Returns a Fatal Error
975
 
 */
976
 
static PKIX_Error *
977
 
pkix_DefaultCRLChecker_Check(
978
 
        PKIX_CertChainChecker *checker,
979
 
        PKIX_PL_Cert *cert,
980
 
        PKIX_List *unresolvedCriticalExtensions,
981
 
        void **pNBIOContext,
982
 
        void *plContext)
983
 
{
984
 
        pkix_DefaultCRLCheckerState *state = NULL;
985
 
        PKIX_PL_PublicKey *publicKey = NULL;
986
 
        PKIX_PL_PublicKey *newPublicKey = NULL;
987
 
        PKIX_Error *checkKeyUsageFail = NULL;
988
 
        PKIX_Boolean selfIssued = PKIX_FALSE;
989
 
        void *nbioContext = PKIX_FALSE;
990
 
 
991
 
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check");
992
 
        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
993
 
 
994
 
        nbioContext = *pNBIOContext;
995
 
        *pNBIOContext = NULL; /* prepare for Error exit */
996
 
 
997
 
        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
998
 
                    (checker, (PKIX_PL_Object **)&state, plContext),
999
 
                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
1000
 
 
1001
 
        PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
1002
 
                    (cert, &publicKey, plContext),
1003
 
                    PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
1004
 
 
1005
 
        /*
1006
 
         * If we already have a selector, we were in the middle of checking
1007
 
         * when a certStore returned with non-blocking I/O pendning.
1008
 
         */
1009
 
        if ((state->crlSelector) == NULL) {
1010
 
                state->certsRemaining--;
1011
 
 
1012
 
                PKIX_NULLCHECK_ONE(state->prevPublicKey);
1013
 
 
1014
 
                if (state->prevCertCrlSign == PKIX_FALSE) {
1015
 
                        PKIX_ERROR
1016
 
                                (PKIX_KEYUSAGEKEYCRLSIGNBITNOTON);
1017
 
                }
1018
 
 
1019
 
                /* Set up CRLSelector */
1020
 
                PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
1021
 
                        (cert, state, plContext),
1022
 
                        PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
1023
 
 
1024
 
        }
1025
 
 
1026
 
        PKIX_CHECK(pkix_DefaultCRLChecker_Check_Helper
1027
 
                    (checker,
1028
 
                    cert,
1029
 
                    state->prevPublicKey,
1030
 
                    state,
1031
 
                    unresolvedCriticalExtensions,
1032
 
                    PKIX_FALSE,
1033
 
                    &nbioContext,
1034
 
                    plContext),
1035
 
                    PKIX_DEFAULTCRLCHECKERCHECKHELPERFAILED);
1036
 
 
1037
 
        if (nbioContext != NULL) {
1038
 
                *pNBIOContext = nbioContext;
1039
 
                goto cleanup;
1040
 
        }
1041
 
 
1042
 
        PKIX_DECREF(state->crlSelector);
1043
 
 
1044
 
        /*
1045
 
         * Some NIST test case in 4.5.* use different publicKeys for
1046
 
         * Cert and its CRL on the chain. Self-issued Certs are used
1047
 
         * to speciy multiple keys for those cases. That is why we apply
1048
 
         * the following algorithm:
1049
 
         *
1050
 
         * Check if Cert is self-issued. If so, the public key of the Cert
1051
 
         * that issues this Cert (old key) can be used together with this
1052
 
         * current key (new key) for key verification. If there are multiple
1053
 
         * self-issued certs, keys of those Certs (old keys) can also be used
1054
 
         * for key verification. Old key(s) is saved in a list (PrevPublickKey-
1055
 
         * List) and cleared when a Cert is no longer self-issued.
1056
 
         * PrevPublicKey keep key of the previous Cert.
1057
 
         * PrevPublicKeyList keep key(s) of Cert before the previous one.
1058
 
         */
1059
 
        PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
1060
 
                    PKIX_ISCERTSELFISSUEFAILED);
1061
 
 
1062
 
        if (selfIssued == PKIX_TRUE) {
1063
 
 
1064
 
                if (state->prevPublicKeyList == NULL) {
1065
 
 
1066
 
                        PKIX_CHECK(PKIX_List_Create
1067
 
                            (&state->prevPublicKeyList, plContext),
1068
 
                            PKIX_LISTCREATEFAILED);
1069
 
 
1070
 
                }
1071
 
 
1072
 
                PKIX_CHECK(PKIX_List_AppendItem
1073
 
                            (state->prevPublicKeyList,
1074
 
                            (PKIX_PL_Object *) state->prevPublicKey,
1075
 
                            plContext),
1076
 
                            PKIX_LISTAPPENDITEMFAILED);
1077
 
 
1078
 
        } else {
1079
 
                /* Not self-issued Cert any more, clear old key(s) saved */
1080
 
                PKIX_DECREF(state->prevPublicKeyList);
1081
 
        }
1082
 
 
1083
 
        /* Make inheritance and save current Public Key */
1084
 
        PKIX_CHECK(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
1085
 
                    (publicKey, state->prevPublicKey, &newPublicKey, plContext),
1086
 
                    PKIX_PUBLICKEYMAKEINHERITEDDSAPUBLICKEYFAILED);
1087
 
 
1088
 
        if (newPublicKey == NULL){
1089
 
                PKIX_INCREF(publicKey);
1090
 
                newPublicKey = publicKey;
1091
 
        }
1092
 
 
1093
 
        PKIX_DECREF(state->prevPublicKey);
1094
 
        PKIX_INCREF(newPublicKey);
1095
 
        state->prevPublicKey = newPublicKey;
1096
 
 
1097
 
        /* Save current Cert's crlSign bit for CRL checking later */
1098
 
        if (state->certsRemaining != 0) {
1099
 
                checkKeyUsageFail = PKIX_PL_Cert_VerifyKeyUsage
1100
 
                        (cert, PKIX_CRL_SIGN, plContext);
1101
 
 
1102
 
                state->prevCertCrlSign = (checkKeyUsageFail == NULL)?
1103
 
                        PKIX_TRUE : PKIX_FALSE;
1104
 
 
1105
 
                PKIX_DECREF(checkKeyUsageFail);
1106
 
        }
1107
 
 
1108
 
/*
1109
 
        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
1110
 
                (checker, (PKIX_PL_Object *)state, plContext),
1111
 
                PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
1112
 
 */
1113
 
 
1114
 
cleanup:
1115
 
 
1116
 
        PKIX_DECREF(state);
1117
 
        PKIX_DECREF(publicKey);
1118
 
        PKIX_DECREF(newPublicKey);
1119
 
        PKIX_DECREF(checkKeyUsageFail);
1120
 
 
1121
 
        PKIX_RETURN(CERTCHAINCHECKER);
1122
 
}
1123
 
 
1124
 
/*
1125
 
 * FUNCTION: pkix_DefaultCRLChecker_Initialize
1126
 
 *
1127
 
 * DESCRIPTION:
1128
 
 *  Create a CertChainChecker with DefaultCRLCheckerState.
1129
 
 *
1130
 
 * PARAMETERS
1131
 
 *  "certStores"
1132
 
 *      Address of CertStore List to be stored in state. Must be non-NULL.
1133
 
 *  "testDate"
1134
 
 *      Address of PKIX_PL_Date to be checked. May be NULL.
1135
 
 *  "trustedPubKey"
1136
 
 *      Address of Public Key of Trust Anchor. Must be non-NULL.
1137
 
 *  "certsRemaining"
1138
 
 *      Number of certificates remaining in the chain.
1139
 
 *  "nistPolicyEnabled"
1140
 
 *      Enable NIST crl policy.
1141
 
 *  "pChecker"
1142
 
 *      Address where object pointer will be stored. Must be non-NULL.
1143
 
 *      Must be non-NULL.
1144
 
 *  "plContext"
1145
 
 *      Platform-specific context pointer.
1146
 
 *
1147
 
 * THREAD SAFETY:
1148
 
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1149
 
 *
1150
 
 * RETURNS:
1151
 
 *  Returns NULL if the function succeeds.
1152
 
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
1153
 
 *  Returns a Fatal Error
1154
 
 */
1155
 
PKIX_Error *
1156
 
pkix_DefaultCRLChecker_Initialize(
1157
 
        PKIX_List *certStores,
1158
 
        PKIX_PL_Date *testDate,
1159
 
        PKIX_PL_PublicKey *trustedPubKey,
1160
 
        PKIX_UInt32 certsRemaining,
1161
 
        PKIX_Boolean nistPolicyEnabled,
1162
 
        PKIX_CertChainChecker **pChecker,
1163
 
        void *plContext)
1164
 
{
1165
 
        pkix_DefaultCRLCheckerState *state = NULL;
1166
 
 
1167
 
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Initialize");
1168
 
        PKIX_NULLCHECK_TWO(certStores, pChecker);
1169
 
 
1170
 
        PKIX_CHECK(pkix_DefaultCRLCheckerState_Create
1171
 
                    (certStores,
1172
 
                    testDate,
1173
 
                    trustedPubKey,
1174
 
                    certsRemaining,
1175
 
                    nistPolicyEnabled, 
1176
 
                    &state,
1177
 
                    plContext),
1178
 
                    PKIX_DEFAULTCRLCHECKERSTATECREATEFAILED);
1179
 
 
1180
 
        PKIX_CHECK(PKIX_CertChainChecker_Create
1181
 
                    (pkix_DefaultCRLChecker_Check,
1182
 
                    PKIX_FALSE,
1183
 
                    PKIX_FALSE,
1184
 
                    NULL,
1185
 
                    (PKIX_PL_Object *) state,
1186
 
                    pChecker,
1187
 
                    plContext),
1188
 
                    PKIX_CERTCHAINCHECKERCREATEFAILED);
1189
 
 
1190
 
cleanup:
1191
 
 
1192
 
        PKIX_DECREF(state);
1193
 
 
1194
 
        PKIX_RETURN(CERTCHAINCHECKER);
1195
 
}