1
/* ***** BEGIN LICENSE BLOCK *****
2
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
4
* The contents of this file are subject to the Mozilla Public License Version
5
* 1.1 (the "License"); you may not use this file except in compliance with
6
* the License. You may obtain a copy of the License at
7
* http://www.mozilla.org/MPL/
9
* Software distributed under the License is distributed on an "AS IS" basis,
10
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11
* for the specific language governing rights and limitations under the
14
* The Original Code is the PKIX-C library.
16
* The Initial Developer of the Original Code is
17
* Sun Microsystems, Inc.
18
* Portions created by the Initial Developer are
19
* Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
22
* Sun Microsystems, Inc.
24
* Alternatively, the contents of this file may be used under the terms of
25
* either the GNU General Public License Version 2 or later (the "GPL"), or
26
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27
* in which case the provisions of the GPL or the LGPL are applicable instead
28
* of those above. If you wish to allow use of your version of this file only
29
* under the terms of either the GPL or the LGPL, and not to allow others to
30
* use your version of this file under the terms of the MPL, indicate your
31
* decision by deleting the provisions above and replace them with the notice
32
* and other provisions required by the GPL or the LGPL. If you do not delete
33
* the provisions above, a recipient may use your version of this file under
34
* the terms of any one of the MPL, the GPL or the LGPL.
36
* ***** END LICENSE BLOCK ***** */
38
* pkix_defaultcrlchecker.c
40
* Functions for default CRL Checkers
43
#define CERTCHAINCHECKERDEBUG 1
45
#include "pkix_defaultcrlchecker.h"
47
static char *reasonCodeMsgString[] = {
48
"Certificate is revoked by CRL for unspecified reason"
49
"Certificate is revoked by CRL for key compromise",
50
"Certificate is revoked by CRL for CA compromise",
51
"Certificate is revoked by CRL for affiliation changed",
52
"Certificate is revoked by CRL for being superseded",
53
"Certificate is revoked by CRL for cessation of operation",
54
"Certificate is revoked by CRL for certificate hold",
55
"Certificate is revoked by CRL for undefined reason",
56
"Certificate is revoked by CRL for being removed from CRL",
57
"Certificate is revoked by CRL for privilege withdrawn",
58
"Certificate is revoked by CRL for aACompromise",
61
/* --Private-DefaultCRLCheckerState-Functions------------------------------- */
64
* FUNCTION: pkix_DefaultCRLCheckerstate_Destroy
65
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
68
pkix_DefaultCRLCheckerState_Destroy(
69
PKIX_PL_Object *object,
72
pkix_DefaultCRLCheckerState *state = NULL;
74
PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
75
"pkix_DefaultCRLCheckerState_Destroy");
76
PKIX_NULLCHECK_ONE(object);
78
/* Check that this object is a default CRL checker state */
79
PKIX_CHECK(pkix_CheckType
80
(object, PKIX_DEFAULTCRLCHECKERSTATE_TYPE, plContext),
81
PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
83
state = (pkix_DefaultCRLCheckerState *)object;
85
state->certHasValidCrl = PKIX_FALSE;
86
state->prevCertCrlSign = PKIX_FALSE;
87
state->reasonCodeMask = 0;
89
PKIX_DECREF(state->certStores);
90
PKIX_DECREF(state->testDate);
91
PKIX_DECREF(state->prevPublicKey);
92
PKIX_DECREF(state->prevPublicKeyList);
93
PKIX_DECREF(state->crlReasonCodeOID);
94
PKIX_DECREF(state->certIssuer);
95
PKIX_DECREF(state->certSerialNumber);
96
PKIX_DECREF(state->crlSelector);
97
state->crlStoreIndex = 0;
98
state->numCrlStores = 0;
102
PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
106
* FUNCTION: pkix_DefaultCRLCheckerState_RegisterSelf
109
* Registers PKIX_DEFAULTCRLCHECKERSTATE_TYPE and its related functions
110
* with systemClasses[]
113
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
115
* Since this function is only called by PKIX_PL_Initialize, which should
116
* only be called once, it is acceptable that this function is not
120
pkix_DefaultCRLCheckerState_RegisterSelf(void *plContext)
122
extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
123
pkix_ClassTable_Entry entry;
125
PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
126
"pkix_DefaultCRLCheckerState_RegisterSelf");
128
entry.description = "DefaultCRLCheckerState";
129
entry.destructor = pkix_DefaultCRLCheckerState_Destroy;
130
entry.equalsFunction = NULL;
131
entry.hashcodeFunction = NULL;
132
entry.toStringFunction = NULL;
133
entry.comparator = NULL;
134
entry.duplicateFunction = NULL;
136
systemClasses[PKIX_DEFAULTCRLCHECKERSTATE_TYPE] = entry;
138
PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
142
* FUNCTION: pkix_DefaultCRLCheckerState_Create
145
* Allocate and initialize DefaultCRLChecker state data.
149
* Address of CertStore List to be stored in state. Must be non-NULL.
151
* Address of PKIX_PL_Date to be checked. May be NULL.
153
* Trusted Anchor Public Key for verifying first Cert in the chain.
156
* Number of certificates remaining in the chain.
157
* "nistCRLPolicyEnabled"
158
* If enabled, enforce nist crl policy.
160
* Address of DefaultCRLCheckerState that is returned. Must be non-NULL.
162
* Platform-specific context pointer.
165
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
168
* Returns NULL if the function succeeds.
169
* Returns a DefaultCrlCheckerState Error if the function fails in a
171
* Returns a Fatal Error
174
pkix_DefaultCRLCheckerState_Create(
175
PKIX_List *certStores,
176
PKIX_PL_Date *testDate,
177
PKIX_PL_PublicKey *trustedPubKey,
178
PKIX_UInt32 certsRemaining,
179
PKIX_Boolean nistCRLPolicyEnabled,
180
pkix_DefaultCRLCheckerState **pCheckerState,
183
pkix_DefaultCRLCheckerState *state = NULL;
185
PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
186
"pkix_DefaultCRLCheckerState_Create");
187
PKIX_NULLCHECK_TWO(certStores, pCheckerState);
189
PKIX_CHECK(PKIX_PL_Object_Alloc
190
(PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
191
sizeof (pkix_DefaultCRLCheckerState),
192
(PKIX_PL_Object **)&state,
194
PKIX_COULDNOTCREATEDEFAULTCRLCHECKERSTATEOBJECT);
196
/* Initialize fields */
198
PKIX_INCREF(certStores);
199
state->certStores = certStores;
201
PKIX_INCREF(testDate);
202
state->testDate = testDate;
204
PKIX_INCREF(trustedPubKey);
205
state->prevPublicKey = trustedPubKey;
207
state->certHasValidCrl = PKIX_FALSE;
208
state->nistCRLPolicyEnabled = nistCRLPolicyEnabled;
209
state->prevCertCrlSign = PKIX_TRUE;
210
state->prevPublicKeyList = NULL;
211
state->reasonCodeMask = 0;
212
state->certsRemaining = certsRemaining;
214
PKIX_CHECK(PKIX_PL_OID_Create
215
(PKIX_CRLREASONCODE_OID,
216
&state->crlReasonCodeOID,
218
PKIX_OIDCREATEFAILED);
220
state->certIssuer = NULL;
221
state->certSerialNumber = NULL;
222
state->crlSelector = NULL;
223
state->crlStoreIndex = 0;
224
state->numCrlStores = 0;
226
*pCheckerState = state;
230
PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
233
/* --Private-DefaultCRLChecker-Functions------------------------------------ */
236
* FUNCTION: pkix_DefaultCRLChecker_CheckCRLs
239
* Check validity of "cert" based on CRLs at "crlList" that has correct
240
* signature verification with "publicKey".
244
* Address of Cert which has the certificate data. Must be non-NULL.
246
* Address of Issuer that associates with the Cert. Must be non-NULL.
248
* Address of Serial Number that associates with the Cert. Must be
251
* Address of Public Key that associates with the Cert Issuer.
254
* A List CRLs that the certificate is verified upon. Must be non-NULL.
256
* Address of DefaultCRLCheckerState which keeps dynamic state data.
259
* Address of PKIX_PL_CrlEntry List that contains valid CrlEntries for
260
* this Cert. May be NULL.
262
* Platform-specific context pointer.
265
* Conditionally Thread Safe
266
* (see Thread Safety Definitions in Programmer's Guide)
269
* Returns NULL if the function succeeds.
270
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
271
* Returns a Fatal Error
274
pkix_DefaultCRLChecker_CheckCRLs(
276
PKIX_PL_X500Name *certIssuer,
277
PKIX_PL_BigInt *certSerialNumber,
278
PKIX_PL_PublicKey *publicKey,
280
pkix_DefaultCRLCheckerState *state,
281
PKIX_List **pCrlEntryList,
284
PKIX_PL_CRL *crl = NULL;
285
PKIX_PL_CRLEntry *crlEntry = NULL;
286
PKIX_PL_PublicKey *pKey = NULL;
287
PKIX_List *unresCrlCritExtOIDs = NULL;
288
PKIX_List *unresCrlEntryCritExtOIDs = NULL;
289
PKIX_List *crlEntryList = NULL;
290
PKIX_Error *verifyFail = NULL;
291
PKIX_UInt32 numCrls = 0;
292
PKIX_UInt32 numKeys = 0;
293
PKIX_UInt32 numCritExtOIDs = 0;
294
PKIX_Boolean crlVerified = PKIX_FALSE;
295
PKIX_Boolean crlRevoking = PKIX_FALSE;
296
PKIX_Int32 reasonCode = 0;
300
PKIX_ENTER(CERTCHAINCHECKER,
301
"pkix_DefaultCRLChecker_CheckCRLs");
302
PKIX_NULLCHECK_FOUR(cert, publicKey, crlList, state);
304
PKIX_CHECK(PKIX_List_GetLength(crlList, &numCrls, plContext),
305
PKIX_LISTGETLENGTHFAILED);
307
if (state->prevPublicKeyList != NULL) {
309
PKIX_CHECK(PKIX_List_GetLength
310
(state->prevPublicKeyList, &numKeys, plContext),
311
PKIX_LISTGETLENGTHFAILED);
314
/* Check if Cert is not revoked by any the the CRLs */
316
for (i = 0; i < numCrls; i++){
318
PKIX_CHECK(PKIX_List_GetItem
319
(crlList, i, (PKIX_PL_Object **)&crl, plContext),
320
PKIX_LISTGETITEMFAILED);
323
* Checking serial number (issuer done in selector) then
324
* verify signature. If matches, get the CRL reason(s).
327
if (state->prevCertCrlSign == PKIX_TRUE) {
328
verifyFail = PKIX_PL_CRL_VerifySignature
329
(crl, publicKey, plContext);
330
if (verifyFail == NULL) {
331
crlVerified = PKIX_TRUE;
333
crlVerified = PKIX_FALSE;
334
PKIX_DECREF(verifyFail);
338
if (crlVerified == PKIX_FALSE) {
340
/* Verify from old key(s) on the list */
341
for (j = numKeys - 1; j >= 0; j--) {
343
PKIX_CHECK(PKIX_List_GetItem
344
(state->prevPublicKeyList,
346
(PKIX_PL_Object **) &pKey,
348
PKIX_LISTGETITEMFAILED);
350
verifyFail = PKIX_PL_CRL_VerifySignature
351
(crl, pKey, plContext);
353
if (verifyFail == NULL) {
354
crlVerified = PKIX_TRUE;
357
crlVerified = PKIX_FALSE;
358
PKIX_DECREF(verifyFail);
365
if (crlVerified == PKIX_FALSE) {
366
/* try next one ... */
370
state->certHasValidCrl = PKIX_TRUE;
372
PKIX_CHECK(PKIX_PL_CRL_GetCriticalExtensionOIDs
373
(crl, &unresCrlCritExtOIDs, plContext),
374
PKIX_CRLGETCRITICALEXTENSIONOIDSFAILED);
377
* XXX Advanced CRL work - should put a
378
* Loop here to process and remove critical
382
if (unresCrlCritExtOIDs) {
384
PKIX_CHECK(PKIX_List_GetLength(unresCrlCritExtOIDs,
387
PKIX_LISTGETLENGTHFAILED);
389
if (numCritExtOIDs != 0) {
390
PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
391
(PKIX_CRLCRITICALEXTENSIONOIDSNOTPROCESSED);
393
* Uncomment this after we have implemented
394
* checkers for all the critical extensions.
397
* ("Unrecognized CRL Critical Extension");
402
PKIX_CHECK(PKIX_PL_CRL_GetCRLEntryForSerialNumber
403
(crl, certSerialNumber, &crlEntry, plContext),
404
PKIX_CRLGETCRLENTRYFORSERIALNUMBERFAILED);
406
if (crlEntry == NULL) {
410
crlRevoking = PKIX_TRUE;
412
PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
416
PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
418
/* This is a valid CRLEntry, return it for caching */
419
if (crlEntryList == NULL) {
420
PKIX_CHECK(PKIX_List_Create(&crlEntryList, plContext),
421
PKIX_LISTCREATEFAILED);
425
PKIX_CHECK(PKIX_List_AppendItem
426
(crlEntryList, (PKIX_PL_Object *) crlEntry, plContext),
427
PKIX_LISTAPPENDITEMFAILED);
429
/* Set reason code in state for advance CRL reviewing */
431
if (reasonCode >= 0 &&
432
reasonCode < sizeof (reasonCodeMsgString)) {
434
state->reasonCodeMask |= 1 << reasonCode;
435
PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
436
("CRL revocation Reason: %s\n ",
437
reasonCodeMsgString[reasonCode]);
440
PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
441
("Revoked by Unknown CRL ReasonCode");
444
PKIX_CHECK(PKIX_PL_CRLEntry_GetCriticalExtensionOIDs
445
(crlEntry, &unresCrlEntryCritExtOIDs, plContext),
446
PKIX_CRLENTRYGETCRITICALEXTENSIONOIDSFAILED);
447
if (unresCrlEntryCritExtOIDs) {
449
PKIX_CHECK(pkix_List_Remove
450
(unresCrlEntryCritExtOIDs,
451
(PKIX_PL_Object *) state->crlReasonCodeOID,
453
PKIX_LISTREMOVEFAILED);
455
PKIX_CHECK(PKIX_List_GetLength(unresCrlEntryCritExtOIDs,
458
PKIX_LISTGETLENGTHFAILED);
460
if (numCritExtOIDs != 0) {
462
PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
463
(PKIX_CRLENTRYCRITICALEXTENSIONWASNOTPROCESSED);
464
PKIX_ERROR(PKIX_UNRECOGNIZEDCRLENTRYCRITICALEXTENSION);
471
PKIX_DECREF(verifyFail);
473
PKIX_DECREF(crlEntry);
475
PKIX_DECREF(unresCrlCritExtOIDs);
476
PKIX_DECREF(unresCrlEntryCritExtOIDs);
479
*pCrlEntryList = crlEntryList;
481
if (crlRevoking == PKIX_TRUE) {
483
PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
489
PKIX_DECREF(verifyFail);
490
PKIX_DECREF(crlEntry);
492
PKIX_DECREF(unresCrlCritExtOIDs);
493
PKIX_DECREF(unresCrlEntryCritExtOIDs);
495
PKIX_RETURN(CERTCHAINCHECKER);
499
* FUNCTION: pkix_DefaultCRLChecker_Check_SetSelector
502
* This function creates a CRLSelector suitable for finding a CRL for
503
* the Cert pointed to by "cert", setting the result in the
504
* defaultCRLCheckerState pointed to by "state".
508
* Address of Cert for which a CRLSelector is to be constructed. Must be
511
* Address of defaultCRLCheckerState whose CRLSelector is to be set. Must
514
* Platform-specific context pointer.
517
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
520
* Returns NULL if the function succeeds.
521
* Returns a DefaultCrlCheckerState Error if the function fails in a
523
* Returns a Fatal Error
526
pkix_DefaultCRLChecker_Check_SetSelector(
528
pkix_DefaultCRLCheckerState *state,
531
PKIX_PL_X500Name *certIssuer = NULL;
532
PKIX_PL_BigInt *certSerialNumber = NULL;
533
PKIX_PL_Date *nowDate = NULL;
534
PKIX_ComCRLSelParams *comCrlSelParams = NULL;
535
PKIX_CRLSelector *crlSelector = NULL;
538
(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_SetSelector");
539
PKIX_NULLCHECK_TWO(cert, state);
541
PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &certIssuer, plContext),
542
PKIX_CERTGETISSUERFAILED);
544
PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
545
(cert, &certSerialNumber, plContext),
546
PKIX_CERTGETSERIALNUMBERFAILED);
548
if (state->testDate != NULL) {
550
PKIX_INCREF(state->testDate);
551
nowDate = state->testDate;
555
PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
556
(NULL, &nowDate, plContext),
557
PKIX_DATECREATEUTCTIMEFAILED);
560
PKIX_CHECK(PKIX_ComCRLSelParams_Create
561
(&comCrlSelParams, plContext),
562
PKIX_COMCRLSELPARAMSCREATEFAILED);
564
PKIX_CHECK(PKIX_ComCRLSelParams_AddIssuerName
565
(comCrlSelParams, certIssuer, plContext),
566
PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED);
568
PKIX_CHECK(PKIX_ComCRLSelParams_SetDateAndTime
569
(comCrlSelParams, nowDate, plContext),
570
PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);
572
PKIX_CHECK(PKIX_ComCRLSelParams_SetNISTPolicyEnabled
573
(comCrlSelParams, state->nistCRLPolicyEnabled, plContext),
574
PKIX_COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED);
576
PKIX_CHECK(PKIX_CRLSelector_Create
578
NULL, /* never used? (PKIX_PL_Object *)checker, */
581
PKIX_CRLSELECTORCREATEFAILED);
583
PKIX_CHECK(PKIX_CRLSelector_SetCommonCRLSelectorParams
584
(crlSelector, comCrlSelParams, plContext),
585
PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED);
587
PKIX_DECREF(state->certIssuer);
588
PKIX_INCREF(certIssuer);
589
state->certIssuer = certIssuer;
590
PKIX_DECREF(state->certSerialNumber);
591
PKIX_INCREF(certSerialNumber);
592
state->certSerialNumber = certSerialNumber;
593
PKIX_DECREF(state->crlSelector);
594
PKIX_INCREF(crlSelector);
595
state->crlSelector = crlSelector;
597
state->crlStoreIndex = 0;
599
PKIX_CHECK(PKIX_List_GetLength
600
(state->certStores, &(state->numCrlStores), plContext),
601
PKIX_LISTGETLENGTHFAILED);
603
state->certHasValidCrl = PKIX_FALSE;
607
PKIX_DECREF(certIssuer);
608
PKIX_DECREF(certSerialNumber);
609
PKIX_DECREF(nowDate);
610
PKIX_DECREF(comCrlSelParams);
611
PKIX_DECREF(crlSelector);
613
PKIX_RETURN(CERTCHAINCHECKER);
617
* FUNCTION: pkix_DefaultCRLChecker_Check_Store
620
* Checks the certStore pointed to by "certStore" for a CRL that may determine
621
* whether the Cert pointed to by "cert" has been revoked.
625
* Address of CertChainChecker which has the state data.
628
* Address of Certificate that is to be validated. Must be non-NULL.
630
* Address of previous public key in the backward chain. May be NULL.
632
* Address of DefaultCrlCheckerState. Must be non-NULL.
633
* "unresolvedCriticalExtensions"
634
* A List OIDs. Not **yet** used in this checker function.
636
* Address of the CertStore to be queried for a relevant CRL. Must be
639
* Address at which platform-dependent information is stored if processing
640
* is suspended for non-blocking I/O. Must be non-NULL.
642
* Platform-specific context pointer.
645
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
648
* Returns NULL if the function succeeds.
649
* Returns a DefaultCrlCheckerState Error if the function fails in a
651
* Returns a Fatal Error
654
pkix_DefaultCRLChecker_Check_Store(
655
PKIX_CertChainChecker *checker,
657
PKIX_PL_PublicKey *prevPublicKey,
658
pkix_DefaultCRLCheckerState *state,
659
PKIX_List *unresolvedCriticalExtensions,
660
PKIX_CertStore *certStore,
665
PKIX_Boolean cacheFlag = PKIX_FALSE;
666
PKIX_Boolean cacheHit = PKIX_FALSE;
667
PKIX_UInt32 numEntries = 0;
669
PKIX_Int32 reasonCode = 0;
670
PKIX_UInt32 allReasonCodes = 0;
671
PKIX_List *crlList = NULL;
672
PKIX_List *crlEntryList = NULL;
673
PKIX_PL_CRLEntry *crlEntry = NULL;
674
PKIX_Error *checkCrlFail = NULL;
675
PKIX_CertStore_CRLCallback getCrls = NULL;
676
void *nbioContext = NULL;
678
PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Store");
679
PKIX_NULLCHECK_TWO(checker, cert);
680
PKIX_NULLCHECK_THREE(state, certStore, pNBIOContext);
682
nbioContext = *pNBIOContext;
683
*pNBIOContext = NULL;
685
/* Are this CertStore's entries in cache? */
686
PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag
687
(certStore, &cacheFlag, plContext),
688
PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED);
692
PKIX_CHECK(pkix_CacheCrlEntry_Lookup
695
state->certSerialNumber,
699
PKIX_CACHECRLENTRYLOOKUPFAILED);
705
/* Use cached data */
707
PKIX_CHECK(PKIX_List_GetLength
708
(crlEntryList, &numEntries, plContext),
709
PKIX_LISTGETLENGTHFAILED);
711
for (i = 0; i < numEntries; i++) {
713
PKIX_CHECK(PKIX_List_GetItem
716
(PKIX_PL_Object **)&crlEntry,
718
PKIX_LISTGETITEMFAILED);
720
PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
721
(crlEntry, &reasonCode, plContext),
722
PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
724
if ((reasonCode >= 0) &&
725
(reasonCode < sizeof (reasonCodeMsgString))) {
727
allReasonCodes |= (1 << (reasonCode - 1));
729
PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
730
("CRL revocation Reason: %s\n ",
731
reasonCodeMsgString[reasonCode]);
735
PKIX_DECREF(crlEntry);
738
state->reasonCodeMask |= allReasonCodes;
740
if (allReasonCodes != 0) {
742
PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
745
PKIX_DECREF(crlEntryList);
749
if (nbioContext == NULL) {
750
PKIX_CHECK(PKIX_CertStore_GetCRLCallback
751
(certStore, &getCrls, plContext),
752
PKIX_CERTSTOREGETCRLCALLBACKFAILED);
762
PKIX_CHECK(PKIX_CertStore_CrlContinue
768
PKIX_CERTSTORECRLCONTINUEFAILED);
772
* Verify Certificate validity: if one CertStore provides
773
* reason code, we stop here. Instead of exhausting all
774
* CertStores to get all possible reason codes associated
775
* with the Cert. May be expanded if desire otherwise.
778
if (crlList == NULL) {
780
*pNBIOContext = nbioContext;
783
*pNBIOContext = NULL;
785
checkCrlFail = pkix_DefaultCRLChecker_CheckCRLs
788
state->certSerialNumber,
796
if (crlEntryList != NULL) {
798
PKIX_CHECK(pkix_CacheCrlEntry_Add
801
state->certSerialNumber,
804
PKIX_CACHECRLENTRYADDFAILED);
806
PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
810
PKIX_DECREF(crlList);
815
PKIX_DECREF(crlEntryList);
816
PKIX_DECREF(crlEntry);
817
PKIX_DECREF(crlList);
818
PKIX_DECREF(checkCrlFail);
820
PKIX_RETURN(CERTCHAINCHECKER);
824
* FUNCTION: pkix_DefaultCRLChecker_Check_Helper
827
* Check if the Cert has been revoked based on the CRL's data. It exhausts all
828
* CertStores and match CRLs at those stores for the certificate. It set the
829
* current date and issuer in CRLSelector to fetching CRL data from cache.
833
* Address of CertChainChecker which has the state data.
836
* Address of Certificate that is to be validated. Must be non-NULL.
838
* Address of previous public key in the backward chain. May be NULL.
840
* Address of DefaultCrlCheckerState. Must be non-NULL.
841
* "unresolvedCriticalExtensions"
842
* A List OIDs. Not **yet** used in this checker function.
844
* Boolean value indicating whether to use or bypass remote CertStores
846
* Address at which platform-dependent information is stored if processing
847
* is suspended for non-blocking I/O. Must be non-NULL.
849
* Platform-specific context pointer.
853
* (see Thread Safety Definitions in Programmer's Guide)
856
* Returns NULL if the function succeeds.
857
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
858
* Returns a Fatal Error
861
pkix_DefaultCRLChecker_Check_Helper(
862
PKIX_CertChainChecker *checker,
864
PKIX_PL_PublicKey *prevPublicKey,
865
pkix_DefaultCRLCheckerState *state,
866
PKIX_List *unresolvedCriticalExtensions,
867
PKIX_Boolean useOnlyLocal,
872
void *nbioContext = NULL;
873
PKIX_Boolean certStoreCanBeUsed = PKIX_FALSE;
874
PKIX_CertStore *certStore = NULL;
875
PKIX_Error *storeError = NULL;
877
PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Helper");
878
PKIX_NULLCHECK_THREE(checker, cert, state);
880
nbioContext = *pNBIOContext;
881
*pNBIOContext = NULL; /* prepare for Error exit */
883
while ((state->crlStoreIndex) < (state->numCrlStores)) {
886
* For Basic CRL work, exit the loop when there is a valid
887
* CRL. For advance CRL, need to exhaust CRL until all
888
* reason masks are checked or a revocation is found.
891
if (state->certHasValidCrl == PKIX_TRUE) {
895
PKIX_CHECK(PKIX_List_GetItem
897
state->crlStoreIndex,
898
(PKIX_PL_Object **)&certStore,
900
PKIX_LISTGETITEMFAILED);
902
if (useOnlyLocal == PKIX_FALSE) {
903
certStoreCanBeUsed = PKIX_TRUE;
905
PKIX_CHECK(PKIX_CertStore_GetLocalFlag
906
(certStore, &certStoreCanBeUsed, plContext),
907
PKIX_CERTSTOREGETLOCALFLAGFAILED);
910
if (certStoreCanBeUsed == PKIX_TRUE)
912
/* Catch and re-throw error to preserve information */
913
storeError = pkix_DefaultCRLChecker_Check_Store
918
unresolvedCriticalExtensions,
924
PKIX_DEFAULTCRLCHECKERCHECKSTOREFAILED);
926
if (nbioContext != NULL) {
927
/* I/O still pending. Exit and resume later. */
928
*pNBIOContext = nbioContext;
933
PKIX_DECREF(certStore);
934
state->crlStoreIndex++;
935
} /* while ((state->crlStoreIndex) < (state->numCrlStores)) */
937
if (state->nistCRLPolicyEnabled != PKIX_FALSE &&
938
state->certHasValidCrl == PKIX_FALSE) {
939
PKIX_ERROR(PKIX_CERTIFICATEDOESNTHAVEVALIDCRL);
944
PKIX_DECREF(certStore);
946
PKIX_RETURN(CERTCHAINCHECKER);
950
* FUNCTION: pkix_DefaultCRLChecker_Check
953
* Check if the Cert has been revoked based the CRLs data. This function
954
* maintains the checker state to be current.
958
* Address of CertChainChecker which has the state data.
961
* Address of Certificate that is to be validated. Must be non-NULL.
962
* "unresolvedCriticalExtensions"
963
* A List OIDs. Not **yet** used in this checker function.
965
* Platform-specific context pointer.
969
* (see Thread Safety Definitions in Programmer's Guide)
972
* Returns NULL if the function succeeds.
973
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
974
* Returns a Fatal Error
977
pkix_DefaultCRLChecker_Check(
978
PKIX_CertChainChecker *checker,
980
PKIX_List *unresolvedCriticalExtensions,
984
pkix_DefaultCRLCheckerState *state = NULL;
985
PKIX_PL_PublicKey *publicKey = NULL;
986
PKIX_PL_PublicKey *newPublicKey = NULL;
987
PKIX_Error *checkKeyUsageFail = NULL;
988
PKIX_Boolean selfIssued = PKIX_FALSE;
989
void *nbioContext = PKIX_FALSE;
991
PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check");
992
PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
994
nbioContext = *pNBIOContext;
995
*pNBIOContext = NULL; /* prepare for Error exit */
997
PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
998
(checker, (PKIX_PL_Object **)&state, plContext),
999
PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
1001
PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
1002
(cert, &publicKey, plContext),
1003
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
1006
* If we already have a selector, we were in the middle of checking
1007
* when a certStore returned with non-blocking I/O pendning.
1009
if ((state->crlSelector) == NULL) {
1010
state->certsRemaining--;
1012
PKIX_NULLCHECK_ONE(state->prevPublicKey);
1014
if (state->prevCertCrlSign == PKIX_FALSE) {
1016
(PKIX_KEYUSAGEKEYCRLSIGNBITNOTON);
1019
/* Set up CRLSelector */
1020
PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
1021
(cert, state, plContext),
1022
PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
1026
PKIX_CHECK(pkix_DefaultCRLChecker_Check_Helper
1029
state->prevPublicKey,
1031
unresolvedCriticalExtensions,
1035
PKIX_DEFAULTCRLCHECKERCHECKHELPERFAILED);
1037
if (nbioContext != NULL) {
1038
*pNBIOContext = nbioContext;
1042
PKIX_DECREF(state->crlSelector);
1045
* Some NIST test case in 4.5.* use different publicKeys for
1046
* Cert and its CRL on the chain. Self-issued Certs are used
1047
* to speciy multiple keys for those cases. That is why we apply
1048
* the following algorithm:
1050
* Check if Cert is self-issued. If so, the public key of the Cert
1051
* that issues this Cert (old key) can be used together with this
1052
* current key (new key) for key verification. If there are multiple
1053
* self-issued certs, keys of those Certs (old keys) can also be used
1054
* for key verification. Old key(s) is saved in a list (PrevPublickKey-
1055
* List) and cleared when a Cert is no longer self-issued.
1056
* PrevPublicKey keep key of the previous Cert.
1057
* PrevPublicKeyList keep key(s) of Cert before the previous one.
1059
PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
1060
PKIX_ISCERTSELFISSUEFAILED);
1062
if (selfIssued == PKIX_TRUE) {
1064
if (state->prevPublicKeyList == NULL) {
1066
PKIX_CHECK(PKIX_List_Create
1067
(&state->prevPublicKeyList, plContext),
1068
PKIX_LISTCREATEFAILED);
1072
PKIX_CHECK(PKIX_List_AppendItem
1073
(state->prevPublicKeyList,
1074
(PKIX_PL_Object *) state->prevPublicKey,
1076
PKIX_LISTAPPENDITEMFAILED);
1079
/* Not self-issued Cert any more, clear old key(s) saved */
1080
PKIX_DECREF(state->prevPublicKeyList);
1083
/* Make inheritance and save current Public Key */
1084
PKIX_CHECK(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
1085
(publicKey, state->prevPublicKey, &newPublicKey, plContext),
1086
PKIX_PUBLICKEYMAKEINHERITEDDSAPUBLICKEYFAILED);
1088
if (newPublicKey == NULL){
1089
PKIX_INCREF(publicKey);
1090
newPublicKey = publicKey;
1093
PKIX_DECREF(state->prevPublicKey);
1094
PKIX_INCREF(newPublicKey);
1095
state->prevPublicKey = newPublicKey;
1097
/* Save current Cert's crlSign bit for CRL checking later */
1098
if (state->certsRemaining != 0) {
1099
checkKeyUsageFail = PKIX_PL_Cert_VerifyKeyUsage
1100
(cert, PKIX_CRL_SIGN, plContext);
1102
state->prevCertCrlSign = (checkKeyUsageFail == NULL)?
1103
PKIX_TRUE : PKIX_FALSE;
1105
PKIX_DECREF(checkKeyUsageFail);
1109
PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
1110
(checker, (PKIX_PL_Object *)state, plContext),
1111
PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
1117
PKIX_DECREF(publicKey);
1118
PKIX_DECREF(newPublicKey);
1119
PKIX_DECREF(checkKeyUsageFail);
1121
PKIX_RETURN(CERTCHAINCHECKER);
1125
* FUNCTION: pkix_DefaultCRLChecker_Initialize
1128
* Create a CertChainChecker with DefaultCRLCheckerState.
1132
* Address of CertStore List to be stored in state. Must be non-NULL.
1134
* Address of PKIX_PL_Date to be checked. May be NULL.
1136
* Address of Public Key of Trust Anchor. Must be non-NULL.
1138
* Number of certificates remaining in the chain.
1139
* "nistPolicyEnabled"
1140
* Enable NIST crl policy.
1142
* Address where object pointer will be stored. Must be non-NULL.
1145
* Platform-specific context pointer.
1148
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1151
* Returns NULL if the function succeeds.
1152
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
1153
* Returns a Fatal Error
1156
pkix_DefaultCRLChecker_Initialize(
1157
PKIX_List *certStores,
1158
PKIX_PL_Date *testDate,
1159
PKIX_PL_PublicKey *trustedPubKey,
1160
PKIX_UInt32 certsRemaining,
1161
PKIX_Boolean nistPolicyEnabled,
1162
PKIX_CertChainChecker **pChecker,
1165
pkix_DefaultCRLCheckerState *state = NULL;
1167
PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Initialize");
1168
PKIX_NULLCHECK_TWO(certStores, pChecker);
1170
PKIX_CHECK(pkix_DefaultCRLCheckerState_Create
1178
PKIX_DEFAULTCRLCHECKERSTATECREATEFAILED);
1180
PKIX_CHECK(PKIX_CertChainChecker_Create
1181
(pkix_DefaultCRLChecker_Check,
1185
(PKIX_PL_Object *) state,
1188
PKIX_CERTCHAINCHECKERCREATEFAILED);
1194
PKIX_RETURN(CERTCHAINCHECKER);