1
/* ***** BEGIN LICENSE BLOCK *****
2
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
4
* The contents of this file are subject to the Mozilla Public License Version
5
* 1.1 (the "License"); you may not use this file except in compliance with
6
* the License. You may obtain a copy of the License at
7
* http://www.mozilla.org/MPL/
9
* Software distributed under the License is distributed on an "AS IS" basis,
10
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11
* for the specific language governing rights and limitations under the
14
* The Original Code is the PKIX-C library.
16
* The Initial Developer of the Original Code is
17
* Sun Microsystems, Inc.
18
* Portions created by the Initial Developer are
19
* Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
22
* Sun Microsystems, Inc.
24
* Alternatively, the contents of this file may be used under the terms of
25
* either the GNU General Public License Version 2 or later (the "GPL"), or
26
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27
* in which case the provisions of the GPL or the LGPL are applicable instead
28
* of those above. If you wish to allow use of your version of this file only
29
* under the terms of either the GPL or the LGPL, and not to allow others to
30
* use your version of this file under the terms of the MPL, indicate your
31
* decision by deleting the provisions above and replace them with the notice
32
* and other provisions required by the GPL or the LGPL. If you do not delete
33
* the provisions above, a recipient may use your version of this file under
34
* the terms of any one of the MPL, the GPL or the LGPL.
36
* ***** END LICENSE BLOCK ***** */
38
* pkix_defaultcrlchecker.c
40
* Functions for default CRL Checkers
43
#define CERTCHAINCHECKERDEBUG 1
45
#include "pkix_defaultcrlchecker.h"
47
static char *reasonCodeMsgString[] = {
48
"Certificate is revoked by CRL for unspecified reason"
49
"Certificate is revoked by CRL for key compromise",
50
"Certificate is revoked by CRL for CA compromise",
51
"Certificate is revoked by CRL for affiliation changed",
52
"Certificate is revoked by CRL for being superseded",
53
"Certificate is revoked by CRL for cessation of operation",
54
"Certificate is revoked by CRL for certificate hold",
55
"Certificate is revoked by CRL for undefined reason",
56
"Certificate is revoked by CRL for being removed from CRL",
57
"Certificate is revoked by CRL for privilege withdrawn",
58
"Certificate is revoked by CRL for aACompromise",
61
static const int numReasonCodes =
62
sizeof(reasonCodeMsgString) / sizeof(reasonCodeMsgString[0]);
64
/* --Private-DefaultCRLCheckerState-Functions------------------------------- */
67
* FUNCTION: pkix_DefaultCRLCheckerstate_Destroy
68
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
71
pkix_DefaultCRLCheckerState_Destroy(
72
PKIX_PL_Object *object,
75
pkix_DefaultCRLCheckerState *state = NULL;
77
PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
78
"pkix_DefaultCRLCheckerState_Destroy");
79
PKIX_NULLCHECK_ONE(object);
81
/* Check that this object is a default CRL checker state */
82
PKIX_CHECK(pkix_CheckType
83
(object, PKIX_DEFAULTCRLCHECKERSTATE_TYPE, plContext),
84
PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
86
state = (pkix_DefaultCRLCheckerState *)object;
88
state->certHasValidCrl = PKIX_FALSE;
89
state->prevCertCrlSign = PKIX_FALSE;
90
state->reasonCodeMask = 0;
92
PKIX_DECREF(state->certStores);
93
PKIX_DECREF(state->testDate);
94
PKIX_DECREF(state->prevPublicKey);
95
PKIX_DECREF(state->prevPublicKeyList);
96
PKIX_DECREF(state->crlReasonCodeOID);
97
PKIX_DECREF(state->certIssuer);
98
PKIX_DECREF(state->certSerialNumber);
99
PKIX_DECREF(state->crlSelector);
100
state->crlStoreIndex = 0;
101
state->numCrlStores = 0;
105
PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
109
* FUNCTION: pkix_DefaultCRLCheckerState_RegisterSelf
112
* Registers PKIX_DEFAULTCRLCHECKERSTATE_TYPE and its related functions
113
* with systemClasses[]
116
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
118
* Since this function is only called by PKIX_PL_Initialize, which should
119
* only be called once, it is acceptable that this function is not
123
pkix_DefaultCRLCheckerState_RegisterSelf(void *plContext)
125
extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
126
pkix_ClassTable_Entry entry;
128
PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
129
"pkix_DefaultCRLCheckerState_RegisterSelf");
131
entry.description = "DefaultCRLCheckerState";
132
entry.objCounter = 0;
133
entry.typeObjectSize = sizeof(pkix_DefaultCRLCheckerState);
134
entry.destructor = pkix_DefaultCRLCheckerState_Destroy;
135
entry.equalsFunction = NULL;
136
entry.hashcodeFunction = NULL;
137
entry.toStringFunction = NULL;
138
entry.comparator = NULL;
139
entry.duplicateFunction = NULL;
141
systemClasses[PKIX_DEFAULTCRLCHECKERSTATE_TYPE] = entry;
143
PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
147
* FUNCTION: pkix_DefaultCRLCheckerState_Create
150
* Allocate and initialize DefaultCRLChecker state data.
154
* Address of CertStore List to be stored in state. Must be non-NULL.
156
* Address of PKIX_PL_Date to be checked. May be NULL.
158
* Trusted Anchor Public Key for verifying first Cert in the chain.
161
* Number of certificates remaining in the chain.
162
* "nistCRLPolicyEnabled"
163
* If enabled, enforce nist crl policy.
165
* Address of DefaultCRLCheckerState that is returned. Must be non-NULL.
167
* Platform-specific context pointer.
170
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
173
* Returns NULL if the function succeeds.
174
* Returns a DefaultCrlCheckerState Error if the function fails in a
176
* Returns a Fatal Error
179
pkix_DefaultCRLCheckerState_Create(
180
PKIX_List *certStores,
181
PKIX_PL_Date *testDate,
182
PKIX_PL_PublicKey *trustedPubKey,
183
PKIX_UInt32 certsRemaining,
184
PKIX_Boolean nistCRLPolicyEnabled,
185
pkix_DefaultCRLCheckerState **pCheckerState,
188
pkix_DefaultCRLCheckerState *state = NULL;
190
PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
191
"pkix_DefaultCRLCheckerState_Create");
192
PKIX_NULLCHECK_TWO(certStores, pCheckerState);
194
PKIX_CHECK(PKIX_PL_Object_Alloc
195
(PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
196
sizeof (pkix_DefaultCRLCheckerState),
197
(PKIX_PL_Object **)&state,
199
PKIX_COULDNOTCREATEDEFAULTCRLCHECKERSTATEOBJECT);
201
/* Initialize fields */
203
PKIX_INCREF(certStores);
204
state->certStores = certStores;
206
PKIX_INCREF(testDate);
207
state->testDate = testDate;
209
PKIX_INCREF(trustedPubKey);
210
state->prevPublicKey = trustedPubKey;
212
state->certHasValidCrl = PKIX_FALSE;
213
state->nistCRLPolicyEnabled = nistCRLPolicyEnabled;
214
state->prevCertCrlSign = PKIX_TRUE;
215
state->prevPublicKeyList = NULL;
216
state->reasonCodeMask = 0;
217
state->certsRemaining = certsRemaining;
219
PKIX_CHECK(PKIX_PL_OID_Create
220
(PKIX_CRLREASONCODE_OID,
221
&state->crlReasonCodeOID,
223
PKIX_OIDCREATEFAILED);
225
state->certIssuer = NULL;
226
state->certSerialNumber = NULL;
227
state->crlSelector = NULL;
228
state->crlStoreIndex = 0;
229
state->numCrlStores = 0;
231
*pCheckerState = state;
238
PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
241
/* --Private-DefaultCRLChecker-Functions------------------------------------ */
244
* FUNCTION: pkix_DefaultCRLChecker_CheckCRLs
247
* Check validity of "cert" based on CRLs at "crlList" that has correct
248
* signature verification with "publicKey".
252
* Address of Cert which has the certificate data. Must be non-NULL.
254
* Address of Issuer that associates with the Cert. Must be non-NULL.
256
* Address of Serial Number that associates with the Cert. Must be
259
* Address of Public Key that associates with the Cert Issuer.
262
* A List CRLs that the certificate is verified upon. Must be non-NULL.
264
* Address of DefaultCRLCheckerState which keeps dynamic state data.
267
* Address of PKIX_PL_CrlEntry List that contains valid CrlEntries for
268
* this Cert. May be NULL.
270
* Platform-specific context pointer.
273
* Conditionally Thread Safe
274
* (see Thread Safety Definitions in Programmer's Guide)
277
* Returns NULL if the function succeeds.
278
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
279
* Returns a Fatal Error
282
pkix_DefaultCRLChecker_CheckCRLs(
284
PKIX_PL_X500Name *certIssuer,
285
PKIX_PL_BigInt *certSerialNumber,
286
PKIX_PL_PublicKey *publicKey,
288
pkix_DefaultCRLCheckerState *state,
289
PKIX_List **pCrlEntryList,
292
PKIX_PL_CRL *crl = NULL;
293
PKIX_PL_CRLEntry *crlEntry = NULL;
294
PKIX_PL_PublicKey *pKey = NULL;
295
PKIX_List *unresCrlCritExtOIDs = NULL;
296
PKIX_List *unresCrlEntryCritExtOIDs = NULL;
297
PKIX_List *crlEntryList = NULL;
298
PKIX_Error *verifyFail = NULL;
299
PKIX_UInt32 numCrls = 0;
300
PKIX_UInt32 numKeys = 0;
301
PKIX_UInt32 numCritExtOIDs = 0;
302
PKIX_Boolean crlVerified = PKIX_FALSE;
303
PKIX_Boolean crlRevoking = PKIX_FALSE;
304
PKIX_Int32 reasonCode = 0;
308
PKIX_ENTER(CERTCHAINCHECKER,
309
"pkix_DefaultCRLChecker_CheckCRLs");
310
PKIX_NULLCHECK_FOUR(cert, publicKey, crlList, state);
312
PKIX_CHECK(PKIX_List_GetLength(crlList, &numCrls, plContext),
313
PKIX_LISTGETLENGTHFAILED);
315
if (state->prevPublicKeyList != NULL) {
317
PKIX_CHECK(PKIX_List_GetLength
318
(state->prevPublicKeyList, &numKeys, plContext),
319
PKIX_LISTGETLENGTHFAILED);
322
/* Check if Cert is not revoked by any the the CRLs */
324
for (i = 0; i < numCrls; i++){
326
PKIX_CHECK(PKIX_List_GetItem
327
(crlList, i, (PKIX_PL_Object **)&crl, plContext),
328
PKIX_LISTGETITEMFAILED);
331
* Checking serial number (issuer done in selector) then
332
* verify signature. If matches, get the CRL reason(s).
335
if (state->prevCertCrlSign == PKIX_TRUE) {
336
verifyFail = PKIX_PL_CRL_VerifySignature
337
(crl, publicKey, plContext);
338
if (verifyFail == NULL) {
339
crlVerified = PKIX_TRUE;
341
crlVerified = PKIX_FALSE;
342
PKIX_DECREF(verifyFail);
346
if (crlVerified == PKIX_FALSE) {
348
/* Verify from old key(s) on the list */
349
for (j = numKeys - 1; j >= 0; j--) {
351
PKIX_CHECK(PKIX_List_GetItem
352
(state->prevPublicKeyList,
354
(PKIX_PL_Object **) &pKey,
356
PKIX_LISTGETITEMFAILED);
358
verifyFail = PKIX_PL_CRL_VerifySignature
359
(crl, pKey, plContext);
361
if (verifyFail == NULL) {
362
crlVerified = PKIX_TRUE;
365
crlVerified = PKIX_FALSE;
366
PKIX_DECREF(verifyFail);
373
if (crlVerified == PKIX_FALSE) {
374
/* try next one ... */
378
state->certHasValidCrl = PKIX_TRUE;
380
PKIX_CHECK(PKIX_PL_CRL_GetCriticalExtensionOIDs
381
(crl, &unresCrlCritExtOIDs, plContext),
382
PKIX_CRLGETCRITICALEXTENSIONOIDSFAILED);
385
* XXX Advanced CRL work - should put a
386
* Loop here to process and remove critical
390
if (unresCrlCritExtOIDs) {
392
PKIX_CHECK(PKIX_List_GetLength(unresCrlCritExtOIDs,
395
PKIX_LISTGETLENGTHFAILED);
397
if (numCritExtOIDs != 0) {
398
PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
399
(PKIX_CRLCRITICALEXTENSIONOIDSNOTPROCESSED);
401
* Uncomment this after we have implemented
402
* checkers for all the critical extensions.
405
* ("Unrecognized CRL Critical Extension");
410
PKIX_CHECK(PKIX_PL_CRL_GetCRLEntryForSerialNumber
411
(crl, certSerialNumber, &crlEntry, plContext),
412
PKIX_CRLGETCRLENTRYFORSERIALNUMBERFAILED);
414
if (crlEntry == NULL) {
418
crlRevoking = PKIX_TRUE;
420
PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
424
PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
426
/* This is a valid CRLEntry, return it for caching */
427
if (crlEntryList == NULL) {
428
PKIX_CHECK(PKIX_List_Create(&crlEntryList, plContext),
429
PKIX_LISTCREATEFAILED);
433
PKIX_CHECK(PKIX_List_AppendItem
434
(crlEntryList, (PKIX_PL_Object *) crlEntry, plContext),
435
PKIX_LISTAPPENDITEMFAILED);
437
/* Set reason code in state for advance CRL reviewing */
439
if (reasonCode >= 0) {
440
if (reasonCode >= numReasonCodes)
443
state->reasonCodeMask |= 1 << reasonCode;
444
PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
445
("CRL revocation Reason: %s\n ",
446
reasonCodeMsgString[reasonCode]);
449
PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
450
("Revoked by Unknown CRL ReasonCode");
453
PKIX_CHECK(PKIX_PL_CRLEntry_GetCriticalExtensionOIDs
454
(crlEntry, &unresCrlEntryCritExtOIDs, plContext),
455
PKIX_CRLENTRYGETCRITICALEXTENSIONOIDSFAILED);
456
if (unresCrlEntryCritExtOIDs) {
458
PKIX_CHECK(pkix_List_Remove
459
(unresCrlEntryCritExtOIDs,
460
(PKIX_PL_Object *) state->crlReasonCodeOID,
462
PKIX_LISTREMOVEFAILED);
464
PKIX_CHECK(PKIX_List_GetLength(unresCrlEntryCritExtOIDs,
467
PKIX_LISTGETLENGTHFAILED);
469
if (numCritExtOIDs != 0) {
471
PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
472
(PKIX_CRLENTRYCRITICALEXTENSIONWASNOTPROCESSED);
473
PKIX_ERROR(PKIX_UNRECOGNIZEDCRLENTRYCRITICALEXTENSION);
480
PKIX_DECREF(verifyFail);
482
PKIX_DECREF(crlEntry);
484
PKIX_DECREF(unresCrlCritExtOIDs);
485
PKIX_DECREF(unresCrlEntryCritExtOIDs);
488
*pCrlEntryList = crlEntryList;
490
if (crlRevoking == PKIX_TRUE) {
492
PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
498
PKIX_DECREF(verifyFail);
499
PKIX_DECREF(crlEntry);
501
PKIX_DECREF(unresCrlCritExtOIDs);
502
PKIX_DECREF(unresCrlEntryCritExtOIDs);
504
PKIX_RETURN(CERTCHAINCHECKER);
508
* FUNCTION: pkix_DefaultCRLChecker_Check_SetSelector
511
* This function creates a CRLSelector suitable for finding a CRL for
512
* the Cert pointed to by "cert", setting the result in the
513
* defaultCRLCheckerState pointed to by "state".
517
* Address of Cert for which a CRLSelector is to be constructed. Must be
520
* Address of defaultCRLCheckerState whose CRLSelector is to be set. Must
523
* Platform-specific context pointer.
526
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
529
* Returns NULL if the function succeeds.
530
* Returns a DefaultCrlCheckerState Error if the function fails in a
532
* Returns a Fatal Error
535
pkix_DefaultCRLChecker_Check_SetSelector(
537
pkix_DefaultCRLCheckerState *state,
540
PKIX_PL_X500Name *certIssuer = NULL;
541
PKIX_PL_BigInt *certSerialNumber = NULL;
542
PKIX_PL_Date *nowDate = NULL;
543
PKIX_ComCRLSelParams *comCrlSelParams = NULL;
544
PKIX_CRLSelector *crlSelector = NULL;
547
(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_SetSelector");
548
PKIX_NULLCHECK_TWO(cert, state);
550
PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &certIssuer, plContext),
551
PKIX_CERTGETISSUERFAILED);
553
PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
554
(cert, &certSerialNumber, plContext),
555
PKIX_CERTGETSERIALNUMBERFAILED);
557
if (state->testDate != NULL) {
559
PKIX_INCREF(state->testDate);
560
nowDate = state->testDate;
564
PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
565
(NULL, &nowDate, plContext),
566
PKIX_DATECREATEUTCTIMEFAILED);
569
PKIX_CHECK(PKIX_ComCRLSelParams_Create
570
(&comCrlSelParams, plContext),
571
PKIX_COMCRLSELPARAMSCREATEFAILED);
573
PKIX_CHECK(PKIX_ComCRLSelParams_AddIssuerName
574
(comCrlSelParams, certIssuer, plContext),
575
PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED);
577
PKIX_CHECK(PKIX_ComCRLSelParams_SetDateAndTime
578
(comCrlSelParams, nowDate, plContext),
579
PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);
581
PKIX_CHECK(PKIX_ComCRLSelParams_SetNISTPolicyEnabled
582
(comCrlSelParams, state->nistCRLPolicyEnabled, plContext),
583
PKIX_COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED);
585
PKIX_CHECK(PKIX_CRLSelector_Create
587
NULL, /* never used? (PKIX_PL_Object *)checker, */
590
PKIX_CRLSELECTORCREATEFAILED);
592
PKIX_CHECK(PKIX_CRLSelector_SetCommonCRLSelectorParams
593
(crlSelector, comCrlSelParams, plContext),
594
PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED);
596
PKIX_DECREF(state->certIssuer);
597
PKIX_INCREF(certIssuer);
598
state->certIssuer = certIssuer;
599
PKIX_DECREF(state->certSerialNumber);
600
PKIX_INCREF(certSerialNumber);
601
state->certSerialNumber = certSerialNumber;
602
PKIX_DECREF(state->crlSelector);
603
PKIX_INCREF(crlSelector);
604
state->crlSelector = crlSelector;
606
state->crlStoreIndex = 0;
608
PKIX_CHECK(PKIX_List_GetLength
609
(state->certStores, &(state->numCrlStores), plContext),
610
PKIX_LISTGETLENGTHFAILED);
612
state->certHasValidCrl = PKIX_FALSE;
616
PKIX_DECREF(certIssuer);
617
PKIX_DECREF(certSerialNumber);
618
PKIX_DECREF(nowDate);
619
PKIX_DECREF(comCrlSelParams);
620
PKIX_DECREF(crlSelector);
622
PKIX_RETURN(CERTCHAINCHECKER);
626
* FUNCTION: pkix_DefaultCRLChecker_Check_Store
629
* Checks the certStore pointed to by "certStore" for a CRL that may determine
630
* whether the Cert pointed to by "cert" has been revoked.
634
* Address of CertChainChecker which has the state data.
637
* Address of Certificate that is to be validated. Must be non-NULL.
639
* Address of previous public key in the backward chain. May be NULL.
641
* Address of DefaultCrlCheckerState. Must be non-NULL.
642
* "unresolvedCriticalExtensions"
643
* A List OIDs. Not **yet** used in this checker function.
645
* Address of the CertStore to be queried for a relevant CRL. Must be
648
* Address at which platform-dependent information is stored if processing
649
* is suspended for non-blocking I/O. Must be non-NULL.
651
* Platform-specific context pointer.
654
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
657
* Returns NULL if the function succeeds.
658
* Returns a DefaultCrlCheckerState Error if the function fails in a
660
* Returns a Fatal Error
663
pkix_DefaultCRLChecker_Check_Store(
664
PKIX_CertChainChecker *checker,
666
PKIX_PL_PublicKey *prevPublicKey,
667
pkix_DefaultCRLCheckerState *state,
668
PKIX_List *unresolvedCriticalExtensions,
669
PKIX_CertStore *certStore,
674
PKIX_Boolean cacheFlag = PKIX_FALSE;
675
PKIX_Boolean cacheHit = PKIX_FALSE;
676
PKIX_UInt32 numEntries = 0;
678
PKIX_Int32 reasonCode = 0;
679
PKIX_UInt32 allReasonCodes = 0;
680
PKIX_List *crlList = NULL;
681
PKIX_List *crlEntryList = NULL;
682
PKIX_PL_CRLEntry *crlEntry = NULL;
683
PKIX_Error *checkCrlFail = NULL;
684
PKIX_CertStore_CRLCallback getCrls = NULL;
685
void *nbioContext = NULL;
687
PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Store");
688
PKIX_NULLCHECK_TWO(checker, cert);
689
PKIX_NULLCHECK_THREE(state, certStore, pNBIOContext);
691
nbioContext = *pNBIOContext;
692
*pNBIOContext = NULL;
694
/* Are this CertStore's entries in cache? */
695
PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag
696
(certStore, &cacheFlag, plContext),
697
PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED);
701
PKIX_CHECK(pkix_CacheCrlEntry_Lookup
704
state->certSerialNumber,
708
PKIX_CACHECRLENTRYLOOKUPFAILED);
714
/* Use cached data */
716
PKIX_CHECK(PKIX_List_GetLength
717
(crlEntryList, &numEntries, plContext),
718
PKIX_LISTGETLENGTHFAILED);
720
for (i = 0; i < numEntries; i++) {
722
PKIX_CHECK(PKIX_List_GetItem
725
(PKIX_PL_Object **)&crlEntry,
727
PKIX_LISTGETITEMFAILED);
729
PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
730
(crlEntry, &reasonCode, plContext),
731
PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
733
if (reasonCode >= 0) {
734
if (reasonCode >= numReasonCodes)
737
allReasonCodes |= (1 << reasonCode);
739
PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
740
("CRL revocation Reason: %s\n ",
741
reasonCodeMsgString[reasonCode]);
745
PKIX_DECREF(crlEntry);
748
state->reasonCodeMask |= allReasonCodes;
750
if (allReasonCodes != 0) {
752
PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
755
PKIX_DECREF(crlEntryList);
759
if (nbioContext == NULL) {
760
PKIX_CHECK(PKIX_CertStore_GetCRLCallback
761
(certStore, &getCrls, plContext),
762
PKIX_CERTSTOREGETCRLCALLBACKFAILED);
772
PKIX_CHECK(PKIX_CertStore_CrlContinue
778
PKIX_CERTSTORECRLCONTINUEFAILED);
782
* Verify Certificate validity: if one CertStore provides
783
* reason code, we stop here. Instead of exhausting all
784
* CertStores to get all possible reason codes associated
785
* with the Cert. May be expanded if desire otherwise.
788
if (crlList == NULL) {
790
*pNBIOContext = nbioContext;
793
*pNBIOContext = NULL;
795
checkCrlFail = pkix_DefaultCRLChecker_CheckCRLs
798
state->certSerialNumber,
806
if (crlEntryList != NULL) {
808
PKIX_CHECK(pkix_CacheCrlEntry_Add
811
state->certSerialNumber,
814
PKIX_CACHECRLENTRYADDFAILED);
816
PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
820
PKIX_DECREF(crlList);
825
PKIX_DECREF(crlEntryList);
826
PKIX_DECREF(crlEntry);
827
PKIX_DECREF(crlList);
828
PKIX_DECREF(checkCrlFail);
830
PKIX_RETURN(CERTCHAINCHECKER);
834
* FUNCTION: pkix_DefaultCRLChecker_Check_Helper
837
* Check if the Cert has been revoked based on the CRL's data. It exhausts all
838
* CertStores and match CRLs at those stores for the certificate. It set the
839
* current date and issuer in CRLSelector to fetching CRL data from cache.
843
* Address of CertChainChecker which has the state data.
846
* Address of Certificate that is to be validated. Must be non-NULL.
848
* Address of previous public key in the backward chain. May be NULL.
850
* Address of DefaultCrlCheckerState. Must be non-NULL.
851
* "unresolvedCriticalExtensions"
852
* A List OIDs. Not **yet** used in this checker function.
854
* Boolean value indicating whether to use or bypass remote CertStores
856
* Address at which platform-dependent information is stored if processing
857
* is suspended for non-blocking I/O. Must be non-NULL.
859
* Platform-specific context pointer.
863
* (see Thread Safety Definitions in Programmer's Guide)
866
* Returns NULL if the function succeeds.
867
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
868
* Returns a Fatal Error
871
pkix_DefaultCRLChecker_Check_Helper(
872
PKIX_CertChainChecker *checker,
874
PKIX_PL_PublicKey *prevPublicKey,
875
pkix_DefaultCRLCheckerState *state,
876
PKIX_List *unresolvedCriticalExtensions,
877
PKIX_Boolean useOnlyLocal,
882
void *nbioContext = NULL;
883
PKIX_Boolean certStoreCanBeUsed = PKIX_FALSE;
884
PKIX_CertStore *certStore = NULL;
885
PKIX_Error *storeError = NULL;
887
PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Helper");
888
PKIX_NULLCHECK_THREE(checker, cert, state);
890
nbioContext = *pNBIOContext;
891
*pNBIOContext = NULL; /* prepare for Error exit */
893
while ((state->crlStoreIndex) < (state->numCrlStores)) {
896
* For Basic CRL work, exit the loop when there is a valid
897
* CRL. For advance CRL, need to exhaust CRL until all
898
* reason masks are checked or a revocation is found.
901
if (state->certHasValidCrl == PKIX_TRUE) {
905
PKIX_CHECK(PKIX_List_GetItem
907
state->crlStoreIndex,
908
(PKIX_PL_Object **)&certStore,
910
PKIX_LISTGETITEMFAILED);
912
if (useOnlyLocal == PKIX_FALSE) {
913
certStoreCanBeUsed = PKIX_TRUE;
915
PKIX_CHECK(PKIX_CertStore_GetLocalFlag
916
(certStore, &certStoreCanBeUsed, plContext),
917
PKIX_CERTSTOREGETLOCALFLAGFAILED);
920
if (certStoreCanBeUsed == PKIX_TRUE)
922
/* Catch and re-throw error to preserve information */
923
storeError = pkix_DefaultCRLChecker_Check_Store
928
unresolvedCriticalExtensions,
934
PKIX_DEFAULTCRLCHECKERCHECKSTOREFAILED);
936
if (nbioContext != NULL) {
937
/* I/O still pending. Exit and resume later. */
938
*pNBIOContext = nbioContext;
943
PKIX_DECREF(certStore);
944
state->crlStoreIndex++;
945
} /* while ((state->crlStoreIndex) < (state->numCrlStores)) */
947
if (state->nistCRLPolicyEnabled != PKIX_FALSE &&
948
state->certHasValidCrl == PKIX_FALSE) {
949
PKIX_ERROR(PKIX_CERTIFICATEDOESNTHAVEVALIDCRL);
954
PKIX_DECREF(certStore);
956
PKIX_RETURN(CERTCHAINCHECKER);
960
* FUNCTION: pkix_DefaultCRLChecker_Check
963
* Check if the Cert has been revoked based the CRLs data. This function
964
* maintains the checker state to be current.
968
* Address of CertChainChecker which has the state data.
971
* Address of Certificate that is to be validated. Must be non-NULL.
972
* "unresolvedCriticalExtensions"
973
* A List OIDs. Not **yet** used in this checker function.
975
* Platform-specific context pointer.
979
* (see Thread Safety Definitions in Programmer's Guide)
982
* Returns NULL if the function succeeds.
983
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
984
* Returns a Fatal Error
987
pkix_DefaultCRLChecker_Check(
988
PKIX_CertChainChecker *checker,
990
PKIX_List *unresolvedCriticalExtensions,
994
pkix_DefaultCRLCheckerState *state = NULL;
995
PKIX_PL_PublicKey *publicKey = NULL;
996
PKIX_PL_PublicKey *newPublicKey = NULL;
997
PKIX_Error *checkKeyUsageFail = NULL;
998
PKIX_Boolean selfIssued = PKIX_FALSE;
999
void *nbioContext = NULL;
1001
PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check");
1002
PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
1004
nbioContext = *pNBIOContext;
1005
*pNBIOContext = NULL; /* prepare for Error exit */
1007
PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
1008
(checker, (PKIX_PL_Object **)&state, plContext),
1009
PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
1011
PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
1012
(cert, &publicKey, plContext),
1013
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
1016
* If we already have a selector, we were in the middle of checking
1017
* when a certStore returned with non-blocking I/O pendning.
1019
if ((state->crlSelector) == NULL) {
1020
state->certsRemaining--;
1022
PKIX_NULLCHECK_ONE(state->prevPublicKey);
1024
if (state->prevCertCrlSign == PKIX_FALSE) {
1026
(PKIX_KEYUSAGEKEYCRLSIGNBITNOTON);
1029
/* Set up CRLSelector */
1030
PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
1031
(cert, state, plContext),
1032
PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
1036
PKIX_CHECK(pkix_DefaultCRLChecker_Check_Helper
1039
state->prevPublicKey,
1041
unresolvedCriticalExtensions,
1045
PKIX_DEFAULTCRLCHECKERCHECKHELPERFAILED);
1047
if (nbioContext != NULL) {
1048
*pNBIOContext = nbioContext;
1052
PKIX_DECREF(state->crlSelector);
1055
* Some NIST test case in 4.5.* use different publicKeys for
1056
* Cert and its CRL on the chain. Self-issued Certs are used
1057
* to speciy multiple keys for those cases. That is why we apply
1058
* the following algorithm:
1060
* Check if Cert is self-issued. If so, the public key of the Cert
1061
* that issues this Cert (old key) can be used together with this
1062
* current key (new key) for key verification. If there are multiple
1063
* self-issued certs, keys of those Certs (old keys) can also be used
1064
* for key verification. Old key(s) is saved in a list (PrevPublickKey-
1065
* List) and cleared when a Cert is no longer self-issued.
1066
* PrevPublicKey keep key of the previous Cert.
1067
* PrevPublicKeyList keep key(s) of Cert before the previous one.
1069
PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
1070
PKIX_ISCERTSELFISSUEFAILED);
1072
if (selfIssued == PKIX_TRUE) {
1074
if (state->prevPublicKeyList == NULL) {
1076
PKIX_CHECK(PKIX_List_Create
1077
(&state->prevPublicKeyList, plContext),
1078
PKIX_LISTCREATEFAILED);
1082
PKIX_CHECK(PKIX_List_AppendItem
1083
(state->prevPublicKeyList,
1084
(PKIX_PL_Object *) state->prevPublicKey,
1086
PKIX_LISTAPPENDITEMFAILED);
1089
/* Not self-issued Cert any more, clear old key(s) saved */
1090
PKIX_DECREF(state->prevPublicKeyList);
1093
/* Make inheritance and save current Public Key */
1094
PKIX_CHECK(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
1095
(publicKey, state->prevPublicKey, &newPublicKey, plContext),
1096
PKIX_PUBLICKEYMAKEINHERITEDDSAPUBLICKEYFAILED);
1098
if (newPublicKey == NULL){
1099
PKIX_INCREF(publicKey);
1100
newPublicKey = publicKey;
1103
PKIX_DECREF(state->prevPublicKey);
1104
PKIX_INCREF(newPublicKey);
1105
state->prevPublicKey = newPublicKey;
1107
/* Save current Cert's crlSign bit for CRL checking later */
1108
if (state->certsRemaining != 0) {
1109
checkKeyUsageFail = PKIX_PL_Cert_VerifyKeyUsage
1110
(cert, PKIX_CRL_SIGN, plContext);
1112
state->prevCertCrlSign = (checkKeyUsageFail == NULL)?
1113
PKIX_TRUE : PKIX_FALSE;
1115
PKIX_DECREF(checkKeyUsageFail);
1119
PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
1120
(checker, (PKIX_PL_Object *)state, plContext),
1121
PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
1127
PKIX_DECREF(publicKey);
1128
PKIX_DECREF(newPublicKey);
1129
PKIX_DECREF(checkKeyUsageFail);
1131
PKIX_RETURN(CERTCHAINCHECKER);
1135
* FUNCTION: pkix_DefaultCRLChecker_Initialize
1138
* Create a CertChainChecker with DefaultCRLCheckerState.
1142
* Address of CertStore List to be stored in state. Must be non-NULL.
1144
* Address of PKIX_PL_Date to be checked. May be NULL.
1146
* Address of Public Key of Trust Anchor. Must be non-NULL.
1148
* Number of certificates remaining in the chain.
1149
* "nistPolicyEnabled"
1150
* Enable NIST crl policy.
1152
* Address where object pointer will be stored. Must be non-NULL.
1155
* Platform-specific context pointer.
1158
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1161
* Returns NULL if the function succeeds.
1162
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
1163
* Returns a Fatal Error
1166
pkix_DefaultCRLChecker_Initialize(
1167
PKIX_List *certStores,
1168
PKIX_PL_Date *testDate,
1169
PKIX_PL_PublicKey *trustedPubKey,
1170
PKIX_UInt32 certsRemaining,
1171
PKIX_Boolean nistPolicyEnabled,
1172
PKIX_CertChainChecker **pChecker,
1175
pkix_DefaultCRLCheckerState *state = NULL;
1177
PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Initialize");
1178
PKIX_NULLCHECK_TWO(certStores, pChecker);
1180
PKIX_CHECK(pkix_DefaultCRLCheckerState_Create
1188
PKIX_DEFAULTCRLCHECKERSTATECREATEFAILED);
1190
PKIX_CHECK(PKIX_CertChainChecker_Create
1191
(pkix_DefaultCRLChecker_Check,
1195
(PKIX_PL_Object *) state,
1198
PKIX_CERTCHAINCHECKERCREATEFAILED);
1204
PKIX_RETURN(CERTCHAINCHECKER);