← Back to branch summary

~ubuntu-branches/ubuntu/jaunty/nss/jaunty-proposed

« back to all changes in this revision

Viewing changes to mozilla/security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.c

  • Committer: Bazaar Package Importer
  • Author(s): Alexander Sack, Fabien Tassin, Alexander Sack
  • Date: 2009-01-11 15:06:17 UTC
  • mfrom: (1.1.8 upstream)
  • Revision ID: james.westby@ubuntu.com-20090111150617-iz4lw05qgy2odorl
Tags: 3.12.2~rc1-0ubuntu1
* New upstream snapshot: 3.12.2 RC1

[ Fabien Tassin <fta@ubuntu.com> ]
* Remove patch applied upstream:
  - drop debian/patches/80_security_tools.patch
  - update debian/patches/series
* Update diverged patches:
  - update debian/patches/38_kbsd.patch
  - update debian/patches/38_mips64_build.patch
* Add new symbols to symbols file
  - update debian/libnss3-1d.symbols

[ Alexander Sack <asac@ubuntu.com> ]
* disable soname patch to become binary compatible with upstream
  - update debian/patches/series
* flip links: libnss3.so <- libnss3.so.1d (before: libnss3.so ->
  libnss3.so.1d); same link flipping was done for all other previously
  soname patched libs: libnssutil3.so, libsmime3.so.1d, libssl3.so.1d
  - update debian/libnss3-1d.links
  - update debian/libnss3-1d.symbols
* properly transition links in preinst and postrm; also cover abort-
  cases in the other maintainer scripts
  - add debian/libnss3-1d.postinst
  - add debian/libnss3-1d.postrm
  - add debian/libnss3-1d.preinst
  - add debian/libnss3-1d.prerm
* remove hack from debian/rules that debian uses to recreate
  libsoftokn3.so with a versioned SONAME
  - update debian/rules
* install the unversioned .so binaries
  - update debian/rules
* only install the 4 main libraries into /usr/lib; all the others
  go to pkglibdir
  - update debian/rules
* higher bar for libnspr4 Build-Depend to >= 4.7.3~, which is
  the version where the soname droppage is going to happen
  - update debian/control
* explitily pass libraries to be used for dpkg-gensymbols run of
  dh_makeshlibs
  - update debian/rules
* fix lintian complain about no-shlibs-control-file
  - update debian/rules

Show diffs side-by-side

added added

removed removed

Lines of Context:
mozilla/security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.c
 
1
/* ***** BEGIN LICENSE BLOCK *****
 
2
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 
3
 *
 
4
 * The contents of this file are subject to the Mozilla Public License Version
 
5
 * 1.1 (the "License"); you may not use this file except in compliance with
 
6
 * the License. You may obtain a copy of the License at
 
7
 * http://www.mozilla.org/MPL/
 
8
 *
 
9
 * Software distributed under the License is distributed on an "AS IS" basis,
 
10
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 
11
 * for the specific language governing rights and limitations under the
 
12
 * License.
 
13
 *
 
14
 * The Original Code is the PKIX-C library.
 
15
 *
 
16
 * The Initial Developer of the Original Code is
 
17
 * Sun Microsystems, Inc.
 
18
 * Portions created by the Initial Developer are
 
19
 * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
 
20
 *
 
21
 * Contributor(s):
 
22
 *   Sun Microsystems, Inc.
 
23
 *
 
24
 * Alternatively, the contents of this file may be used under the terms of
 
25
 * either the GNU General Public License Version 2 or later (the "GPL"), or
 
26
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 
27
 * in which case the provisions of the GPL or the LGPL are applicable instead
 
28
 * of those above. If you wish to allow use of your version of this file only
 
29
 * under the terms of either the GPL or the LGPL, and not to allow others to
 
30
 * use your version of this file under the terms of the MPL, indicate your
 
31
 * decision by deleting the provisions above and replace them with the notice
 
32
 * and other provisions required by the GPL or the LGPL. If you do not delete
 
33
 * the provisions above, a recipient may use your version of this file under
 
34
 * the terms of any one of the MPL, the GPL or the LGPL.
 
35
 *
 
36
 * ***** END LICENSE BLOCK ***** */
 
37
/*
 
38
 * pkix_defaultcrlchecker.c
 
39
 *
 
40
 * Functions for default CRL Checkers
 
41
 *
 
42
 */
 
43
#define CERTCHAINCHECKERDEBUG 1
 
44
 
 
45
#include "pkix_defaultcrlchecker.h"
 
46
 
 
47
static char *reasonCodeMsgString[] = {
 
48
        "Certificate is revoked by CRL for unspecified reason"
 
49
        "Certificate is revoked by CRL for key compromise",
 
50
        "Certificate is revoked by CRL for CA compromise",
 
51
        "Certificate is revoked by CRL for affiliation changed",
 
52
        "Certificate is revoked by CRL for being superseded",
 
53
        "Certificate is revoked by CRL for cessation of operation",
 
54
        "Certificate is revoked by CRL for certificate hold",
 
55
        "Certificate is revoked by CRL for undefined reason",
 
56
        "Certificate is revoked by CRL for being removed from CRL",
 
57
        "Certificate is revoked by CRL for privilege withdrawn",
 
58
        "Certificate is revoked by CRL for aACompromise",
 
59
};
 
60
 
 
61
static const int numReasonCodes = 
 
62
    sizeof(reasonCodeMsgString) / sizeof(reasonCodeMsgString[0]);
 
63
 
 
64
/* --Private-DefaultCRLCheckerState-Functions------------------------------- */
 
65
 
 
66
/*
 
67
 * FUNCTION: pkix_DefaultCRLCheckerstate_Destroy
 
68
 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
 
69
 */
 
70
static PKIX_Error *
 
71
pkix_DefaultCRLCheckerState_Destroy(
 
72
        PKIX_PL_Object *object,
 
73
        void *plContext)
 
74
{
 
75
        pkix_DefaultCRLCheckerState *state = NULL;
 
76
 
 
77
        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
 
78
                    "pkix_DefaultCRLCheckerState_Destroy");
 
79
        PKIX_NULLCHECK_ONE(object);
 
80
 
 
81
        /* Check that this object is a default CRL checker state */
 
82
        PKIX_CHECK(pkix_CheckType
 
83
                    (object, PKIX_DEFAULTCRLCHECKERSTATE_TYPE, plContext),
 
84
                    PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
 
85
 
 
86
        state = (pkix_DefaultCRLCheckerState *)object;
 
87
 
 
88
        state->certHasValidCrl = PKIX_FALSE;
 
89
        state->prevCertCrlSign = PKIX_FALSE;
 
90
        state->reasonCodeMask = 0;
 
91
 
 
92
        PKIX_DECREF(state->certStores);
 
93
        PKIX_DECREF(state->testDate);
 
94
        PKIX_DECREF(state->prevPublicKey);
 
95
        PKIX_DECREF(state->prevPublicKeyList);
 
96
        PKIX_DECREF(state->crlReasonCodeOID);
 
97
        PKIX_DECREF(state->certIssuer);
 
98
        PKIX_DECREF(state->certSerialNumber);
 
99
        PKIX_DECREF(state->crlSelector);
 
100
        state->crlStoreIndex = 0;
 
101
        state->numCrlStores = 0;
 
102
 
 
103
cleanup:
 
104
 
 
105
        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
 
106
}
 
107
 
 
108
/*
 
109
 * FUNCTION: pkix_DefaultCRLCheckerState_RegisterSelf
 
110
 *
 
111
 * DESCRIPTION:
 
112
 *  Registers PKIX_DEFAULTCRLCHECKERSTATE_TYPE and its related functions
 
113
 *  with systemClasses[]
 
114
 *
 
115
 * THREAD SAFETY:
 
116
 *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 
117
 *
 
118
 *  Since this function is only called by PKIX_PL_Initialize, which should
 
119
 *  only be called once, it is acceptable that this function is not
 
120
 *  thread-safe.
 
121
 */
 
122
PKIX_Error *
 
123
pkix_DefaultCRLCheckerState_RegisterSelf(void *plContext)
 
124
{
 
125
        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
 
126
        pkix_ClassTable_Entry entry;
 
127
 
 
128
        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
 
129
                    "pkix_DefaultCRLCheckerState_RegisterSelf");
 
130
 
 
131
        entry.description = "DefaultCRLCheckerState";
 
132
        entry.objCounter = 0;
 
133
        entry.typeObjectSize = sizeof(pkix_DefaultCRLCheckerState);
 
134
        entry.destructor = pkix_DefaultCRLCheckerState_Destroy;
 
135
        entry.equalsFunction = NULL;
 
136
        entry.hashcodeFunction = NULL;
 
137
        entry.toStringFunction = NULL;
 
138
        entry.comparator = NULL;
 
139
        entry.duplicateFunction = NULL;
 
140
 
 
141
        systemClasses[PKIX_DEFAULTCRLCHECKERSTATE_TYPE] = entry;
 
142
 
 
143
        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
 
144
}
 
145
 
 
146
/*
 
147
 * FUNCTION: pkix_DefaultCRLCheckerState_Create
 
148
 *
 
149
 * DESCRIPTION:
 
150
 *  Allocate and initialize DefaultCRLChecker state data.
 
151
 *
 
152
 * PARAMETERS
 
153
 *  "certStores"
 
154
 *      Address of CertStore List to be stored in state. Must be non-NULL.
 
155
 *  "testDate"
 
156
 *      Address of PKIX_PL_Date to be checked. May be NULL.
 
157
 *  "trustedPubKey"
 
158
 *      Trusted Anchor Public Key for verifying first Cert in the chain.
 
159
 *      Must be non-NULL.
 
160
 *  "certsRemaining"
 
161
 *      Number of certificates remaining in the chain.
 
162
 *  "nistCRLPolicyEnabled"
 
163
 *      If enabled, enforce nist crl policy.
 
164
 *  "pCheckerState"
 
165
 *      Address of DefaultCRLCheckerState that is returned. Must be non-NULL.
 
166
 *  "plContext"
 
167
 *      Platform-specific context pointer.
 
168
 *
 
169
 * THREAD SAFETY:
 
170
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 
171
 *
 
172
 * RETURNS:
 
173
 *  Returns NULL if the function succeeds.
 
174
 *  Returns a DefaultCrlCheckerState Error if the function fails in a
 
175
 *  non-fatal way.
 
176
 *  Returns a Fatal Error
 
177
 */
 
178
static PKIX_Error *
 
179
pkix_DefaultCRLCheckerState_Create(
 
180
    PKIX_List *certStores,
 
181
    PKIX_PL_Date *testDate,
 
182
    PKIX_PL_PublicKey *trustedPubKey,
 
183
    PKIX_UInt32 certsRemaining,
 
184
    PKIX_Boolean nistCRLPolicyEnabled,
 
185
    pkix_DefaultCRLCheckerState **pCheckerState,
 
186
    void *plContext)
 
187
{
 
188
        pkix_DefaultCRLCheckerState *state = NULL;
 
189
 
 
190
        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
 
191
                    "pkix_DefaultCRLCheckerState_Create");
 
192
        PKIX_NULLCHECK_TWO(certStores, pCheckerState);
 
193
 
 
194
        PKIX_CHECK(PKIX_PL_Object_Alloc
 
195
                    (PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
 
196
                    sizeof (pkix_DefaultCRLCheckerState),
 
197
                    (PKIX_PL_Object **)&state,
 
198
                    plContext),
 
199
                    PKIX_COULDNOTCREATEDEFAULTCRLCHECKERSTATEOBJECT);
 
200
 
 
201
        /* Initialize fields */
 
202
 
 
203
        PKIX_INCREF(certStores);
 
204
        state->certStores = certStores;
 
205
 
 
206
        PKIX_INCREF(testDate);
 
207
        state->testDate = testDate;
 
208
 
 
209
        PKIX_INCREF(trustedPubKey);
 
210
        state->prevPublicKey = trustedPubKey;
 
211
 
 
212
        state->certHasValidCrl = PKIX_FALSE;
 
213
        state->nistCRLPolicyEnabled = nistCRLPolicyEnabled;
 
214
        state->prevCertCrlSign = PKIX_TRUE;
 
215
        state->prevPublicKeyList = NULL;
 
216
        state->reasonCodeMask = 0;
 
217
        state->certsRemaining = certsRemaining;
 
218
 
 
219
        PKIX_CHECK(PKIX_PL_OID_Create
 
220
                    (PKIX_CRLREASONCODE_OID,
 
221
                    &state->crlReasonCodeOID,
 
222
                    plContext),
 
223
                    PKIX_OIDCREATEFAILED);
 
224
 
 
225
        state->certIssuer = NULL;
 
226
        state->certSerialNumber = NULL;
 
227
        state->crlSelector = NULL;
 
228
        state->crlStoreIndex = 0;
 
229
        state->numCrlStores = 0;
 
230
 
 
231
        *pCheckerState = state;
 
232
        state = NULL;
 
233
 
 
234
cleanup:
 
235
 
 
236
        PKIX_DECREF(state);
 
237
 
 
238
        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
 
239
}
 
240
 
 
241
/* --Private-DefaultCRLChecker-Functions------------------------------------ */
 
242
 
 
243
/*
 
244
 * FUNCTION: pkix_DefaultCRLChecker_CheckCRLs
 
245
 *
 
246
 * DESCRIPTION:
 
247
 *  Check validity of "cert" based on CRLs at "crlList" that has correct
 
248
 *  signature verification with "publicKey".
 
249
 *
 
250
 * PARAMETERS
 
251
 *  "cert"
 
252
 *      Address of Cert which has the certificate data. Must be non-NULL.
 
253
 *  "certIssuer"
 
254
 *      Address of Issuer that associates with the Cert. Must be non-NULL.
 
255
 *  "certSerialNumber"
 
256
 *      Address of Serial Number that associates with the Cert. Must be 
 
257
 *      non-NULL.
 
258
 *  "publicKey"
 
259
 *      Address of Public Key that associates with the Cert Issuer.
 
260
 *      Must be non-NULL.
 
261
 *  "crlList"
 
262
 *      A List CRLs that the certificate is verified upon. Must be non-NULL.
 
263
 *  "state"
 
264
 *      Address of DefaultCRLCheckerState which keeps dynamic state data.
 
265
 *      Must be non-NULL.
 
266
 *  "pCrlEntryList"
 
267
 *      Address of PKIX_PL_CrlEntry List that contains valid CrlEntries for
 
268
 *      this Cert. May be NULL.
 
269
 *  "plContext"
 
270
 *      Platform-specific context pointer.
 
271
 *
 
272
 * THREAD SAFETY:
 
273
 *  Conditionally Thread Safe
 
274
 *      (see Thread Safety Definitions in Programmer's Guide)
 
275
 *
 
276
 * RETURNS:
 
277
 *  Returns NULL if the function succeeds.
 
278
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
 
279
 *  Returns a Fatal Error
 
280
 */
 
281
static PKIX_Error *
 
282
pkix_DefaultCRLChecker_CheckCRLs(
 
283
        PKIX_PL_Cert *cert,
 
284
        PKIX_PL_X500Name *certIssuer,
 
285
        PKIX_PL_BigInt *certSerialNumber,
 
286
        PKIX_PL_PublicKey *publicKey,
 
287
        PKIX_List *crlList,
 
288
        pkix_DefaultCRLCheckerState *state,
 
289
        PKIX_List **pCrlEntryList,
 
290
        void *plContext)
 
291
{
 
292
        PKIX_PL_CRL *crl = NULL;
 
293
        PKIX_PL_CRLEntry *crlEntry = NULL;
 
294
        PKIX_PL_PublicKey *pKey = NULL;
 
295
        PKIX_List *unresCrlCritExtOIDs = NULL;
 
296
        PKIX_List *unresCrlEntryCritExtOIDs = NULL;
 
297
        PKIX_List *crlEntryList = NULL;
 
298
        PKIX_Error *verifyFail = NULL;
 
299
        PKIX_UInt32 numCrls = 0;
 
300
        PKIX_UInt32 numKeys = 0;
 
301
        PKIX_UInt32 numCritExtOIDs = 0;
 
302
        PKIX_Boolean crlVerified = PKIX_FALSE;
 
303
        PKIX_Boolean crlRevoking = PKIX_FALSE;
 
304
        PKIX_Int32 reasonCode = 0;
 
305
        PKIX_UInt32 i;
 
306
        PKIX_Int32 j;
 
307
 
 
308
        PKIX_ENTER(CERTCHAINCHECKER,
 
309
                    "pkix_DefaultCRLChecker_CheckCRLs");
 
310
        PKIX_NULLCHECK_FOUR(cert, publicKey, crlList, state);
 
311
 
 
312
        PKIX_CHECK(PKIX_List_GetLength(crlList, &numCrls, plContext),
 
313
                    PKIX_LISTGETLENGTHFAILED);
 
314
 
 
315
        if (state->prevPublicKeyList != NULL) {
 
316
 
 
317
                PKIX_CHECK(PKIX_List_GetLength
 
318
                    (state->prevPublicKeyList, &numKeys, plContext),
 
319
                    PKIX_LISTGETLENGTHFAILED);
 
320
        }
 
321
 
 
322
        /* Check if Cert is not revoked by any the the CRLs */
 
323
 
 
324
        for (i = 0; i < numCrls; i++){
 
325
 
 
326
                PKIX_CHECK(PKIX_List_GetItem
 
327
                            (crlList, i, (PKIX_PL_Object **)&crl, plContext),
 
328
                            PKIX_LISTGETITEMFAILED);
 
329
 
 
330
                /*
 
331
                 * Checking serial number (issuer done in selector) then
 
332
                 * verify signature. If matches, get the CRL reason(s).
 
333
                 */
 
334
 
 
335
                if (state->prevCertCrlSign == PKIX_TRUE) {
 
336
                        verifyFail = PKIX_PL_CRL_VerifySignature
 
337
                                (crl, publicKey, plContext);
 
338
                        if (verifyFail == NULL) {
 
339
                                crlVerified = PKIX_TRUE;
 
340
                        } else {
 
341
                                crlVerified = PKIX_FALSE;
 
342
                                PKIX_DECREF(verifyFail);
 
343
                        }
 
344
                }
 
345
 
 
346
                if (crlVerified == PKIX_FALSE) {
 
347
 
 
348
                    /* Verify from old key(s) on the list */
 
349
                    for (j = numKeys - 1; j >= 0; j--) {
 
350
 
 
351
                            PKIX_CHECK(PKIX_List_GetItem
 
352
                                (state->prevPublicKeyList,
 
353
                                j,
 
354
                                (PKIX_PL_Object **) &pKey,
 
355
                                plContext),
 
356
                                PKIX_LISTGETITEMFAILED);
 
357
 
 
358
                            verifyFail = PKIX_PL_CRL_VerifySignature
 
359
                                (crl, pKey, plContext);
 
360
 
 
361
                            if (verifyFail == NULL) {
 
362
                                crlVerified = PKIX_TRUE;
 
363
                                break;
 
364
                            } else {
 
365
                                crlVerified = PKIX_FALSE;
 
366
                                PKIX_DECREF(verifyFail);
 
367
                            }
 
368
 
 
369
                            PKIX_DECREF(pKey);
 
370
                    }
 
371
                }
 
372
 
 
373
                if (crlVerified == PKIX_FALSE) {
 
374
                    /* try next one ... */
 
375
                    goto cleanup_loop;
 
376
                }
 
377
 
 
378
                state->certHasValidCrl = PKIX_TRUE;
 
379
 
 
380
                PKIX_CHECK(PKIX_PL_CRL_GetCriticalExtensionOIDs
 
381
                            (crl, &unresCrlCritExtOIDs, plContext),
 
382
                            PKIX_CRLGETCRITICALEXTENSIONOIDSFAILED);
 
383
 
 
384
                /*
 
385
                 * XXX Advanced CRL work - should put a
 
386
                 * Loop here to process and remove critical
 
387
                 * extension oids.
 
388
                 */
 
389
 
 
390
                if (unresCrlCritExtOIDs) {
 
391
 
 
392
                    PKIX_CHECK(PKIX_List_GetLength(unresCrlCritExtOIDs,
 
393
                        &numCritExtOIDs,
 
394
                        plContext),
 
395
                        PKIX_LISTGETLENGTHFAILED);
 
396
 
 
397
                    if (numCritExtOIDs != 0) {
 
398
                        PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
 
399
                                (PKIX_CRLCRITICALEXTENSIONOIDSNOTPROCESSED);
 
400
                        /*
 
401
                         * Uncomment this after we have implemented
 
402
                         * checkers for all the critical extensions.
 
403
                         *
 
404
                         * PKIX_ERROR
 
405
                         *      ("Unrecognized CRL Critical Extension");
 
406
                         */
 
407
                    }
 
408
                }
 
409
 
 
410
                PKIX_CHECK(PKIX_PL_CRL_GetCRLEntryForSerialNumber
 
411
                            (crl, certSerialNumber, &crlEntry, plContext),
 
412
                            PKIX_CRLGETCRLENTRYFORSERIALNUMBERFAILED);
 
413
 
 
414
                if (crlEntry == NULL) {
 
415
                    goto cleanup_loop;
 
416
                }
 
417
 
 
418
                crlRevoking = PKIX_TRUE;
 
419
 
 
420
                PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
 
421
                            (crlEntry,
 
422
                            &reasonCode,
 
423
                            plContext),
 
424
                            PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
 
425
 
 
426
                /* This is a valid CRLEntry, return it for caching */
 
427
                if (crlEntryList == NULL) {
 
428
                    PKIX_CHECK(PKIX_List_Create(&crlEntryList, plContext),
 
429
                            PKIX_LISTCREATEFAILED);
 
430
 
 
431
                }
 
432
 
 
433
                PKIX_CHECK(PKIX_List_AppendItem
 
434
                        (crlEntryList, (PKIX_PL_Object *) crlEntry, plContext),
 
435
                        PKIX_LISTAPPENDITEMFAILED);
 
436
 
 
437
                /* Set reason code in state for advance CRL reviewing */
 
438
 
 
439
                if (reasonCode >= 0) {
 
440
                    if (reasonCode >= numReasonCodes) 
 
441
                        reasonCode = 0;
 
442
 
 
443
                    state->reasonCodeMask |= 1 << reasonCode;
 
444
                    PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
 
445
                        ("CRL revocation Reason: %s\n ",
 
446
                        reasonCodeMsgString[reasonCode]);
 
447
 
 
448
                } else {
 
449
                    PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
 
450
                        ("Revoked by Unknown CRL ReasonCode");
 
451
                }
 
452
 
 
453
                PKIX_CHECK(PKIX_PL_CRLEntry_GetCriticalExtensionOIDs
 
454
                            (crlEntry, &unresCrlEntryCritExtOIDs, plContext),
 
455
                            PKIX_CRLENTRYGETCRITICALEXTENSIONOIDSFAILED);
 
456
                if (unresCrlEntryCritExtOIDs) {
 
457
 
 
458
                    PKIX_CHECK(pkix_List_Remove
 
459
                            (unresCrlEntryCritExtOIDs,
 
460
                            (PKIX_PL_Object *) state->crlReasonCodeOID,
 
461
                            plContext),
 
462
                            PKIX_LISTREMOVEFAILED);
 
463
 
 
464
                    PKIX_CHECK(PKIX_List_GetLength(unresCrlEntryCritExtOIDs,
 
465
                        &numCritExtOIDs,
 
466
                        plContext),
 
467
                        PKIX_LISTGETLENGTHFAILED);
 
468
 
 
469
                    if (numCritExtOIDs != 0) {
 
470
 
 
471
                        PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
 
472
                            (PKIX_CRLENTRYCRITICALEXTENSIONWASNOTPROCESSED);
 
473
                        PKIX_ERROR(PKIX_UNRECOGNIZEDCRLENTRYCRITICALEXTENSION);
 
474
                    }
 
475
                }
 
476
 
 
477
        cleanup_loop:
 
478
 
 
479
                PKIX_DECREF(pKey);
 
480
                PKIX_DECREF(verifyFail);
 
481
                PKIX_DECREF(pKey);
 
482
                PKIX_DECREF(crlEntry);
 
483
                PKIX_DECREF(crl);
 
484
                PKIX_DECREF(unresCrlCritExtOIDs);
 
485
                PKIX_DECREF(unresCrlEntryCritExtOIDs);
 
486
        }
 
487
 
 
488
        *pCrlEntryList = crlEntryList;
 
489
 
 
490
        if (crlRevoking == PKIX_TRUE) {
 
491
 
 
492
                PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
 
493
        }
 
494
 
 
495
cleanup:
 
496
 
 
497
        PKIX_DECREF(pKey);
 
498
        PKIX_DECREF(verifyFail);
 
499
        PKIX_DECREF(crlEntry);
 
500
        PKIX_DECREF(crl);
 
501
        PKIX_DECREF(unresCrlCritExtOIDs);
 
502
        PKIX_DECREF(unresCrlEntryCritExtOIDs);
 
503
 
 
504
        PKIX_RETURN(CERTCHAINCHECKER);
 
505
}
 
506
 
 
507
/*
 
508
 * FUNCTION: pkix_DefaultCRLChecker_Check_SetSelector
 
509
 *
 
510
 * DESCRIPTION:
 
511
 *  This function creates a CRLSelector suitable for finding a CRL for
 
512
 *  the Cert pointed to by "cert", setting the result in the
 
513
 *  defaultCRLCheckerState pointed to by "state".
 
514
 *
 
515
 * PARAMETERS
 
516
 *  "cert"
 
517
 *      Address of Cert for which a CRLSelector is to be constructed. Must be
 
518
 *      non-NULL.
 
519
 *  "state"
 
520
 *      Address of defaultCRLCheckerState whose CRLSelector is to be set. Must
 
521
 *      be non-NULL.
 
522
 *  "plContext"
 
523
 *      Platform-specific context pointer.
 
524
 *
 
525
 * THREAD SAFETY:
 
526
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 
527
 *
 
528
 * RETURNS:
 
529
 *  Returns NULL if the function succeeds.
 
530
 *  Returns a DefaultCrlCheckerState Error if the function fails in a
 
531
 *  non-fatal way.
 
532
 *  Returns a Fatal Error
 
533
 */
 
534
PKIX_Error *
 
535
pkix_DefaultCRLChecker_Check_SetSelector(
 
536
        PKIX_PL_Cert *cert,
 
537
        pkix_DefaultCRLCheckerState *state,
 
538
        void *plContext)
 
539
{
 
540
        PKIX_PL_X500Name *certIssuer = NULL;
 
541
        PKIX_PL_BigInt *certSerialNumber = NULL;
 
542
        PKIX_PL_Date *nowDate = NULL;
 
543
        PKIX_ComCRLSelParams *comCrlSelParams = NULL;
 
544
        PKIX_CRLSelector *crlSelector = NULL;
 
545
 
 
546
        PKIX_ENTER
 
547
                (CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_SetSelector");
 
548
        PKIX_NULLCHECK_TWO(cert, state);
 
549
 
 
550
        PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &certIssuer, plContext),
 
551
                PKIX_CERTGETISSUERFAILED);
 
552
 
 
553
        PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
 
554
                (cert, &certSerialNumber, plContext),
 
555
                PKIX_CERTGETSERIALNUMBERFAILED);
 
556
 
 
557
        if (state->testDate != NULL) {
 
558
 
 
559
                PKIX_INCREF(state->testDate);
 
560
                nowDate = state->testDate;
 
561
 
 
562
        } else {
 
563
 
 
564
                PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
 
565
                        (NULL, &nowDate, plContext),
 
566
                        PKIX_DATECREATEUTCTIMEFAILED);
 
567
        }
 
568
 
 
569
        PKIX_CHECK(PKIX_ComCRLSelParams_Create
 
570
                (&comCrlSelParams, plContext),
 
571
                PKIX_COMCRLSELPARAMSCREATEFAILED);
 
572
 
 
573
        PKIX_CHECK(PKIX_ComCRLSelParams_AddIssuerName
 
574
                (comCrlSelParams, certIssuer, plContext),
 
575
                PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED);
 
576
 
 
577
        PKIX_CHECK(PKIX_ComCRLSelParams_SetDateAndTime
 
578
                (comCrlSelParams, nowDate, plContext),
 
579
                PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);
 
580
 
 
581
        PKIX_CHECK(PKIX_ComCRLSelParams_SetNISTPolicyEnabled
 
582
                (comCrlSelParams, state->nistCRLPolicyEnabled, plContext),
 
583
                PKIX_COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED);
 
584
 
 
585
        PKIX_CHECK(PKIX_CRLSelector_Create
 
586
                (NULL,
 
587
                NULL, /* never used? (PKIX_PL_Object *)checker, */
 
588
                &crlSelector,
 
589
                plContext),
 
590
                PKIX_CRLSELECTORCREATEFAILED);
 
591
 
 
592
        PKIX_CHECK(PKIX_CRLSelector_SetCommonCRLSelectorParams
 
593
                (crlSelector, comCrlSelParams, plContext),
 
594
                PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED);
 
595
 
 
596
        PKIX_DECREF(state->certIssuer);
 
597
        PKIX_INCREF(certIssuer);
 
598
        state->certIssuer = certIssuer;
 
599
        PKIX_DECREF(state->certSerialNumber);
 
600
        PKIX_INCREF(certSerialNumber);
 
601
        state->certSerialNumber = certSerialNumber;
 
602
        PKIX_DECREF(state->crlSelector);
 
603
        PKIX_INCREF(crlSelector);
 
604
        state->crlSelector = crlSelector;
 
605
 
 
606
        state->crlStoreIndex = 0;
 
607
 
 
608
        PKIX_CHECK(PKIX_List_GetLength
 
609
                    (state->certStores, &(state->numCrlStores), plContext),
 
610
                    PKIX_LISTGETLENGTHFAILED);
 
611
 
 
612
        state->certHasValidCrl = PKIX_FALSE;
 
613
 
 
614
cleanup:
 
615
 
 
616
        PKIX_DECREF(certIssuer);
 
617
        PKIX_DECREF(certSerialNumber);
 
618
        PKIX_DECREF(nowDate);
 
619
        PKIX_DECREF(comCrlSelParams);
 
620
        PKIX_DECREF(crlSelector);
 
621
 
 
622
        PKIX_RETURN(CERTCHAINCHECKER);
 
623
}
 
624
 
 
625
/*
 
626
 * FUNCTION: pkix_DefaultCRLChecker_Check_Store
 
627
 *
 
628
 * DESCRIPTION:
 
629
 *  Checks the certStore pointed to by "certStore" for a CRL that may determine
 
630
 *  whether the Cert pointed to by "cert" has been revoked.
 
631
 *
 
632
 * PARAMETERS
 
633
 *  "checker"
 
634
 *      Address of CertChainChecker which has the state data.
 
635
 *      Must be non-NULL.
 
636
 *  "cert"
 
637
 *      Address of Certificate that is to be validated. Must be non-NULL.
 
638
 *  "prevPublicKey"
 
639
 *      Address of previous public key in the backward chain. May be NULL.
 
640
 *  "state"
 
641
 *      Address of DefaultCrlCheckerState. Must be non-NULL.
 
642
 *  "unresolvedCriticalExtensions"
 
643
 *      A List OIDs. Not **yet** used in this checker function.
 
644
 *  "certStore"
 
645
 *      Address of the CertStore to be queried for a relevant CRL. Must be
 
646
 *      non-NULL.
 
647
 *  "pNBIOContext"
 
648
 *      Address at which platform-dependent information is stored if processing
 
649
 *      is suspended for non-blocking I/O. Must be non-NULL.
 
650
 *  "plContext"
 
651
 *      Platform-specific context pointer.
 
652
 *
 
653
 * THREAD SAFETY:
 
654
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 
655
 *
 
656
 * RETURNS:
 
657
 *  Returns NULL if the function succeeds.
 
658
 *  Returns a DefaultCrlCheckerState Error if the function fails in a
 
659
 *  non-fatal way.
 
660
 *  Returns a Fatal Error
 
661
 */
 
662
static PKIX_Error *
 
663
pkix_DefaultCRLChecker_Check_Store(
 
664
        PKIX_CertChainChecker *checker,
 
665
        PKIX_PL_Cert *cert,
 
666
        PKIX_PL_PublicKey *prevPublicKey,
 
667
        pkix_DefaultCRLCheckerState *state,
 
668
        PKIX_List *unresolvedCriticalExtensions,
 
669
        PKIX_CertStore *certStore,
 
670
        void **pNBIOContext,
 
671
        void *plContext)
 
672
{
 
673
 
 
674
        PKIX_Boolean cacheFlag = PKIX_FALSE;
 
675
        PKIX_Boolean cacheHit = PKIX_FALSE;
 
676
        PKIX_UInt32 numEntries = 0;
 
677
        PKIX_UInt32 i = 0;
 
678
        PKIX_Int32 reasonCode = 0;
 
679
        PKIX_UInt32 allReasonCodes = 0;
 
680
        PKIX_List *crlList = NULL;
 
681
        PKIX_List *crlEntryList = NULL;
 
682
        PKIX_PL_CRLEntry *crlEntry = NULL;
 
683
        PKIX_Error *checkCrlFail = NULL;
 
684
        PKIX_CertStore_CRLCallback getCrls = NULL;
 
685
        void *nbioContext = NULL;
 
686
 
 
687
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Store");
 
688
        PKIX_NULLCHECK_TWO(checker, cert);
 
689
        PKIX_NULLCHECK_THREE(state, certStore, pNBIOContext);
 
690
 
 
691
        nbioContext = *pNBIOContext;
 
692
        *pNBIOContext = NULL;
 
693
 
 
694
        /* Are this CertStore's entries in cache? */
 
695
        PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag
 
696
                (certStore, &cacheFlag, plContext),
 
697
                PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED);
 
698
 
 
699
        if (cacheFlag) {
 
700
 
 
701
                PKIX_CHECK(pkix_CacheCrlEntry_Lookup
 
702
                        (certStore,
 
703
                        state->certIssuer,
 
704
                        state->certSerialNumber,
 
705
                        &cacheHit,
 
706
                        &crlEntryList,
 
707
                        plContext),
 
708
                        PKIX_CACHECRLENTRYLOOKUPFAILED);
 
709
 
 
710
        }
 
711
 
 
712
        if (cacheHit) {
 
713
 
 
714
                /* Use cached data */
 
715
 
 
716
                PKIX_CHECK(PKIX_List_GetLength
 
717
                        (crlEntryList, &numEntries, plContext),
 
718
                        PKIX_LISTGETLENGTHFAILED);
 
719
 
 
720
                for (i = 0; i < numEntries; i++) {
 
721
 
 
722
                    PKIX_CHECK(PKIX_List_GetItem
 
723
                            (crlEntryList,
 
724
                            i,
 
725
                            (PKIX_PL_Object **)&crlEntry,
 
726
                            plContext),
 
727
                            PKIX_LISTGETITEMFAILED);
 
728
 
 
729
                    PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
 
730
                            (crlEntry, &reasonCode, plContext),
 
731
                            PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
 
732
 
 
733
                    if (reasonCode >= 0) {
 
734
                        if (reasonCode >= numReasonCodes) 
 
735
                            reasonCode = 0;
 
736
 
 
737
                        allReasonCodes |= (1 << reasonCode);
 
738
 
 
739
                        PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
 
740
                                    ("CRL revocation Reason: %s\n ",
 
741
                                    reasonCodeMsgString[reasonCode]);
 
742
 
 
743
                    }
 
744
 
 
745
                    PKIX_DECREF(crlEntry);
 
746
                }
 
747
 
 
748
                state->reasonCodeMask |= allReasonCodes;
 
749
 
 
750
                if (allReasonCodes != 0) {
 
751
 
 
752
                        PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
 
753
                }
 
754
 
 
755
                PKIX_DECREF(crlEntryList);
 
756
 
 
757
       } else {
 
758
 
 
759
                if (nbioContext == NULL) {
 
760
                        PKIX_CHECK(PKIX_CertStore_GetCRLCallback
 
761
                                (certStore, &getCrls, plContext),
 
762
                                PKIX_CERTSTOREGETCRLCALLBACKFAILED);
 
763
 
 
764
                        PKIX_CHECK(getCrls
 
765
                                (certStore,
 
766
                                state->crlSelector,
 
767
                                &nbioContext,
 
768
                                &crlList,
 
769
                                plContext),
 
770
                                PKIX_GETCRLSFAILED);
 
771
                } else {
 
772
                        PKIX_CHECK(PKIX_CertStore_CrlContinue
 
773
                                (certStore,
 
774
                                state->crlSelector,
 
775
                                &nbioContext,
 
776
                                &crlList,
 
777
                                plContext),
 
778
                                PKIX_CERTSTORECRLCONTINUEFAILED);
 
779
                }
 
780
 
 
781
                /*
 
782
                 * Verify Certificate validity: if one CertStore provides
 
783
                 * reason code, we stop here. Instead of exhausting all
 
784
                 * CertStores to get all possible reason codes associated
 
785
                 *  with the Cert. May be expanded if desire otherwise.
 
786
                 */
 
787
 
 
788
                if (crlList == NULL) {
 
789
 
 
790
                        *pNBIOContext = nbioContext;
 
791
                } else {
 
792
 
 
793
                        *pNBIOContext = NULL;
 
794
 
 
795
                        checkCrlFail = pkix_DefaultCRLChecker_CheckCRLs
 
796
                                (cert,
 
797
                                state->certIssuer,
 
798
                                state->certSerialNumber,
 
799
                                prevPublicKey,
 
800
                                crlList,
 
801
                                state,
 
802
                                &crlEntryList,
 
803
                                plContext);
 
804
 
 
805
                        if (checkCrlFail) {
 
806
                                if (crlEntryList != NULL) {
 
807
                                        /* Add to cache */
 
808
                                        PKIX_CHECK(pkix_CacheCrlEntry_Add
 
809
                                               (certStore,
 
810
                                               state->certIssuer,
 
811
                                               state->certSerialNumber,
 
812
                                               crlEntryList,
 
813
                                               plContext),
 
814
                                               PKIX_CACHECRLENTRYADDFAILED);
 
815
                                }
 
816
                                PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
 
817
                        }
 
818
                }
 
819
 
 
820
                PKIX_DECREF(crlList);
 
821
 
 
822
        }
 
823
 
 
824
cleanup:
 
825
        PKIX_DECREF(crlEntryList);
 
826
        PKIX_DECREF(crlEntry);
 
827
        PKIX_DECREF(crlList);
 
828
        PKIX_DECREF(checkCrlFail);
 
829
 
 
830
        PKIX_RETURN(CERTCHAINCHECKER);
 
831
}
 
832
 
 
833
/*
 
834
 * FUNCTION: pkix_DefaultCRLChecker_Check_Helper
 
835
 *
 
836
 * DESCRIPTION:
 
837
 *  Check if the Cert has been revoked based on the CRL's data. It exhausts all
 
838
 *  CertStores and match CRLs at those stores for the certificate. It set the
 
839
 *  current date and issuer in CRLSelector to fetching CRL data from cache.
 
840
 *
 
841
 * PARAMETERS
 
842
 *  "checker"
 
843
 *      Address of CertChainChecker which has the state data.
 
844
 *      Must be non-NULL.
 
845
 *  "cert"
 
846
 *      Address of Certificate that is to be validated. Must be non-NULL.
 
847
 *  "prevPublicKey"
 
848
 *      Address of previous public key in the backward chain. May be NULL.
 
849
 *  "state"
 
850
 *      Address of DefaultCrlCheckerState. Must be non-NULL.
 
851
 *  "unresolvedCriticalExtensions"
 
852
 *      A List OIDs. Not **yet** used in this checker function.
 
853
 *  "useOnlyLocal"
 
854
 *      Boolean value indicating whether to use or bypass remote CertStores
 
855
 *  "pNBIOContext"
 
856
 *      Address at which platform-dependent information is stored if processing
 
857
 *      is suspended for non-blocking I/O. Must be non-NULL.
 
858
 *  "plContext"
 
859
 *      Platform-specific context pointer.
 
860
 *
 
861
 * THREAD SAFETY:
 
862
 *  Not Thread Safe
 
863
 *      (see Thread Safety Definitions in Programmer's Guide)
 
864
 *
 
865
 * RETURNS:
 
866
 *  Returns NULL if the function succeeds.
 
867
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
 
868
 *  Returns a Fatal Error
 
869
 */
 
870
PKIX_Error *
 
871
pkix_DefaultCRLChecker_Check_Helper(
 
872
        PKIX_CertChainChecker *checker,
 
873
        PKIX_PL_Cert *cert,
 
874
        PKIX_PL_PublicKey *prevPublicKey,
 
875
        pkix_DefaultCRLCheckerState *state,
 
876
        PKIX_List *unresolvedCriticalExtensions,
 
877
        PKIX_Boolean useOnlyLocal,
 
878
        void **pNBIOContext,
 
879
        void *plContext)
 
880
{
 
881
 
 
882
        void *nbioContext = NULL;
 
883
        PKIX_Boolean certStoreCanBeUsed = PKIX_FALSE;
 
884
        PKIX_CertStore *certStore = NULL;
 
885
        PKIX_Error *storeError = NULL;
 
886
 
 
887
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Helper");
 
888
        PKIX_NULLCHECK_THREE(checker, cert, state);
 
889
 
 
890
        nbioContext = *pNBIOContext;
 
891
        *pNBIOContext = NULL; /* prepare for Error exit */
 
892
 
 
893
        while ((state->crlStoreIndex) < (state->numCrlStores)) {
 
894
 
 
895
                /*
 
896
                 * For Basic CRL work, exit the loop when there is a valid
 
897
                 * CRL. For advance CRL, need to exhaust CRL until all
 
898
                 * reason masks are checked or a revocation is found.
 
899
                 */
 
900
 
 
901
                if (state->certHasValidCrl == PKIX_TRUE) {
 
902
                        break;
 
903
                }
 
904
 
 
905
                PKIX_CHECK(PKIX_List_GetItem
 
906
                        (state->certStores,
 
907
                        state->crlStoreIndex,
 
908
                        (PKIX_PL_Object **)&certStore,
 
909
                        plContext),
 
910
                        PKIX_LISTGETITEMFAILED);
 
911
 
 
912
                if (useOnlyLocal == PKIX_FALSE) {
 
913
                        certStoreCanBeUsed = PKIX_TRUE;
 
914
                } else {
 
915
                        PKIX_CHECK(PKIX_CertStore_GetLocalFlag
 
916
                                (certStore, &certStoreCanBeUsed, plContext),
 
917
                                PKIX_CERTSTOREGETLOCALFLAGFAILED);
 
918
                }
 
919
 
 
920
                if (certStoreCanBeUsed == PKIX_TRUE)
 
921
                {
 
922
                        /* Catch and re-throw error to preserve information */
 
923
                        storeError = pkix_DefaultCRLChecker_Check_Store
 
924
                                (checker,
 
925
                                cert,
 
926
                                prevPublicKey,
 
927
                                state,
 
928
                                unresolvedCriticalExtensions,
 
929
                                certStore,
 
930
                                &nbioContext,
 
931
                                plContext);
 
932
                        PKIX_CHECK
 
933
                                (storeError,
 
934
                                PKIX_DEFAULTCRLCHECKERCHECKSTOREFAILED);
 
935
 
 
936
                        if (nbioContext != NULL) {
 
937
                                /* I/O still pending. Exit and resume later. */
 
938
                                *pNBIOContext = nbioContext;
 
939
                                goto cleanup;
 
940
                        }
 
941
                }
 
942
 
 
943
                PKIX_DECREF(certStore);
 
944
                state->crlStoreIndex++;
 
945
        } /* while ((state->crlStoreIndex) < (state->numCrlStores)) */
 
946
 
 
947
        if (state->nistCRLPolicyEnabled != PKIX_FALSE &&
 
948
            state->certHasValidCrl == PKIX_FALSE) {
 
949
            PKIX_ERROR(PKIX_CERTIFICATEDOESNTHAVEVALIDCRL);
 
950
        }
 
951
 
 
952
cleanup:
 
953
 
 
954
        PKIX_DECREF(certStore);
 
955
 
 
956
        PKIX_RETURN(CERTCHAINCHECKER);
 
957
}
 
958
 
 
959
/*
 
960
 * FUNCTION: pkix_DefaultCRLChecker_Check
 
961
 *
 
962
 * DESCRIPTION:
 
963
 *  Check if the Cert has been revoked based the CRLs data.  This function
 
964
 *  maintains the checker state to be current.
 
965
 *
 
966
 * PARAMETERS
 
967
 *  "checker"
 
968
 *      Address of CertChainChecker which has the state data.
 
969
 *      Must be non-NULL.
 
970
 *  "cert"
 
971
 *      Address of Certificate that is to be validated. Must be non-NULL.
 
972
 *  "unresolvedCriticalExtensions"
 
973
 *      A List OIDs. Not **yet** used in this checker function.
 
974
 *  "plContext"
 
975
 *      Platform-specific context pointer.
 
976
 *
 
977
 * THREAD SAFETY:
 
978
 *  Not Thread Safe
 
979
 *      (see Thread Safety Definitions in Programmer's Guide)
 
980
 *
 
981
 * RETURNS:
 
982
 *  Returns NULL if the function succeeds.
 
983
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
 
984
 *  Returns a Fatal Error
 
985
 */
 
986
static PKIX_Error *
 
987
pkix_DefaultCRLChecker_Check(
 
988
        PKIX_CertChainChecker *checker,
 
989
        PKIX_PL_Cert *cert,
 
990
        PKIX_List *unresolvedCriticalExtensions,
 
991
        void **pNBIOContext,
 
992
        void *plContext)
 
993
{
 
994
        pkix_DefaultCRLCheckerState *state = NULL;
 
995
        PKIX_PL_PublicKey *publicKey = NULL;
 
996
        PKIX_PL_PublicKey *newPublicKey = NULL;
 
997
        PKIX_Error *checkKeyUsageFail = NULL;
 
998
        PKIX_Boolean selfIssued = PKIX_FALSE;
 
999
        void *nbioContext = NULL;
 
1000
 
 
1001
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check");
 
1002
        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
 
1003
 
 
1004
        nbioContext = *pNBIOContext;
 
1005
        *pNBIOContext = NULL; /* prepare for Error exit */
 
1006
 
 
1007
        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
 
1008
                    (checker, (PKIX_PL_Object **)&state, plContext),
 
1009
                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
 
1010
 
 
1011
        PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
 
1012
                    (cert, &publicKey, plContext),
 
1013
                    PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
 
1014
 
 
1015
        /*
 
1016
         * If we already have a selector, we were in the middle of checking
 
1017
         * when a certStore returned with non-blocking I/O pendning.
 
1018
         */
 
1019
        if ((state->crlSelector) == NULL) {
 
1020
                state->certsRemaining--;
 
1021
 
 
1022
                PKIX_NULLCHECK_ONE(state->prevPublicKey);
 
1023
 
 
1024
                if (state->prevCertCrlSign == PKIX_FALSE) {
 
1025
                        PKIX_ERROR
 
1026
                                (PKIX_KEYUSAGEKEYCRLSIGNBITNOTON);
 
1027
                }
 
1028
 
 
1029
                /* Set up CRLSelector */
 
1030
                PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
 
1031
                        (cert, state, plContext),
 
1032
                        PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
 
1033
 
 
1034
        }
 
1035
 
 
1036
        PKIX_CHECK(pkix_DefaultCRLChecker_Check_Helper
 
1037
                    (checker,
 
1038
                    cert,
 
1039
                    state->prevPublicKey,
 
1040
                    state,
 
1041
                    unresolvedCriticalExtensions,
 
1042
                    PKIX_FALSE,
 
1043
                    &nbioContext,
 
1044
                    plContext),
 
1045
                    PKIX_DEFAULTCRLCHECKERCHECKHELPERFAILED);
 
1046
 
 
1047
        if (nbioContext != NULL) {
 
1048
                *pNBIOContext = nbioContext;
 
1049
                goto cleanup;
 
1050
        }
 
1051
 
 
1052
        PKIX_DECREF(state->crlSelector);
 
1053
 
 
1054
        /*
 
1055
         * Some NIST test case in 4.5.* use different publicKeys for
 
1056
         * Cert and its CRL on the chain. Self-issued Certs are used
 
1057
         * to speciy multiple keys for those cases. That is why we apply
 
1058
         * the following algorithm:
 
1059
         *
 
1060
         * Check if Cert is self-issued. If so, the public key of the Cert
 
1061
         * that issues this Cert (old key) can be used together with this
 
1062
         * current key (new key) for key verification. If there are multiple
 
1063
         * self-issued certs, keys of those Certs (old keys) can also be used
 
1064
         * for key verification. Old key(s) is saved in a list (PrevPublickKey-
 
1065
         * List) and cleared when a Cert is no longer self-issued.
 
1066
         * PrevPublicKey keep key of the previous Cert.
 
1067
         * PrevPublicKeyList keep key(s) of Cert before the previous one.
 
1068
         */
 
1069
        PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
 
1070
                    PKIX_ISCERTSELFISSUEFAILED);
 
1071
 
 
1072
        if (selfIssued == PKIX_TRUE) {
 
1073
 
 
1074
                if (state->prevPublicKeyList == NULL) {
 
1075
 
 
1076
                        PKIX_CHECK(PKIX_List_Create
 
1077
                            (&state->prevPublicKeyList, plContext),
 
1078
                            PKIX_LISTCREATEFAILED);
 
1079
 
 
1080
                }
 
1081
 
 
1082
                PKIX_CHECK(PKIX_List_AppendItem
 
1083
                            (state->prevPublicKeyList,
 
1084
                            (PKIX_PL_Object *) state->prevPublicKey,
 
1085
                            plContext),
 
1086
                            PKIX_LISTAPPENDITEMFAILED);
 
1087
 
 
1088
        } else {
 
1089
                /* Not self-issued Cert any more, clear old key(s) saved */
 
1090
                PKIX_DECREF(state->prevPublicKeyList);
 
1091
        }
 
1092
 
 
1093
        /* Make inheritance and save current Public Key */
 
1094
        PKIX_CHECK(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
 
1095
                    (publicKey, state->prevPublicKey, &newPublicKey, plContext),
 
1096
                    PKIX_PUBLICKEYMAKEINHERITEDDSAPUBLICKEYFAILED);
 
1097
 
 
1098
        if (newPublicKey == NULL){
 
1099
                PKIX_INCREF(publicKey);
 
1100
                newPublicKey = publicKey;
 
1101
        }
 
1102
 
 
1103
        PKIX_DECREF(state->prevPublicKey);
 
1104
        PKIX_INCREF(newPublicKey);
 
1105
        state->prevPublicKey = newPublicKey;
 
1106
 
 
1107
        /* Save current Cert's crlSign bit for CRL checking later */
 
1108
        if (state->certsRemaining != 0) {
 
1109
                checkKeyUsageFail = PKIX_PL_Cert_VerifyKeyUsage
 
1110
                        (cert, PKIX_CRL_SIGN, plContext);
 
1111
 
 
1112
                state->prevCertCrlSign = (checkKeyUsageFail == NULL)?
 
1113
                        PKIX_TRUE : PKIX_FALSE;
 
1114
 
 
1115
                PKIX_DECREF(checkKeyUsageFail);
 
1116
        }
 
1117
 
 
1118
/*
 
1119
        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
 
1120
                (checker, (PKIX_PL_Object *)state, plContext),
 
1121
                PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
 
1122
 */
 
1123
 
 
1124
cleanup:
 
1125
 
 
1126
        PKIX_DECREF(state);
 
1127
        PKIX_DECREF(publicKey);
 
1128
        PKIX_DECREF(newPublicKey);
 
1129
        PKIX_DECREF(checkKeyUsageFail);
 
1130
 
 
1131
        PKIX_RETURN(CERTCHAINCHECKER);
 
1132
}
 
1133
 
 
1134
/*
 
1135
 * FUNCTION: pkix_DefaultCRLChecker_Initialize
 
1136
 *
 
1137
 * DESCRIPTION:
 
1138
 *  Create a CertChainChecker with DefaultCRLCheckerState.
 
1139
 *
 
1140
 * PARAMETERS
 
1141
 *  "certStores"
 
1142
 *      Address of CertStore List to be stored in state. Must be non-NULL.
 
1143
 *  "testDate"
 
1144
 *      Address of PKIX_PL_Date to be checked. May be NULL.
 
1145
 *  "trustedPubKey"
 
1146
 *      Address of Public Key of Trust Anchor. Must be non-NULL.
 
1147
 *  "certsRemaining"
 
1148
 *      Number of certificates remaining in the chain.
 
1149
 *  "nistPolicyEnabled"
 
1150
 *      Enable NIST crl policy.
 
1151
 *  "pChecker"
 
1152
 *      Address where object pointer will be stored. Must be non-NULL.
 
1153
 *      Must be non-NULL.
 
1154
 *  "plContext"
 
1155
 *      Platform-specific context pointer.
 
1156
 *
 
1157
 * THREAD SAFETY:
 
1158
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 
1159
 *
 
1160
 * RETURNS:
 
1161
 *  Returns NULL if the function succeeds.
 
1162
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
 
1163
 *  Returns a Fatal Error
 
1164
 */
 
1165
PKIX_Error *
 
1166
pkix_DefaultCRLChecker_Initialize(
 
1167
        PKIX_List *certStores,
 
1168
        PKIX_PL_Date *testDate,
 
1169
        PKIX_PL_PublicKey *trustedPubKey,
 
1170
        PKIX_UInt32 certsRemaining,
 
1171
        PKIX_Boolean nistPolicyEnabled,
 
1172
        PKIX_CertChainChecker **pChecker,
 
1173
        void *plContext)
 
1174
{
 
1175
        pkix_DefaultCRLCheckerState *state = NULL;
 
1176
 
 
1177
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Initialize");
 
1178
        PKIX_NULLCHECK_TWO(certStores, pChecker);
 
1179
 
 
1180
        PKIX_CHECK(pkix_DefaultCRLCheckerState_Create
 
1181
                    (certStores,
 
1182
                    testDate,
 
1183
                    trustedPubKey,
 
1184
                    certsRemaining,
 
1185
                    nistPolicyEnabled, 
 
1186
                    &state,
 
1187
                    plContext),
 
1188
                    PKIX_DEFAULTCRLCHECKERSTATECREATEFAILED);
 
1189
 
 
1190
        PKIX_CHECK(PKIX_CertChainChecker_Create
 
1191
                    (pkix_DefaultCRLChecker_Check,
 
1192
                    PKIX_FALSE,
 
1193
                    PKIX_FALSE,
 
1194
                    NULL,
 
1195
                    (PKIX_PL_Object *) state,
 
1196
                    pChecker,
 
1197
                    plContext),
 
1198
                    PKIX_CERTCHAINCHECKERCREATEFAILED);
 
1199
 
 
1200
cleanup:
 
1201
 
 
1202
        PKIX_DECREF(state);
 
1203
 
 
1204
        PKIX_RETURN(CERTCHAINCHECKER);
 
1205
}