/* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 * for the specific language governing rights and limitations under the
 * The Original Code is the PKIX-C library.
 * The Initial Developer of the Original Code is
 * Sun Microsystems, Inc.
 * Portions created by the Initial Developer are
 * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
 * Sun Microsystems, Inc.
 * Alternatively, the contents of this file may be used under the terms of
 * either the GNU General Public License Version 2 or later (the "GPL"), or
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 * in which case the provisions of the GPL or the LGPL are applicable instead
 * of those above. If you wish to allow use of your version of this file only
 * under the terms of either the GPL or the LGPL, and not to allow others to
 * use your version of this file under the terms of the MPL, indicate your
 * decision by deleting the provisions above and replace them with the notice
 * and other provisions required by the GPL or the LGPL. If you do not delete
 * the provisions above, a recipient may use your version of this file under
 * the terms of any one of the MPL, the GPL or the LGPL.
 * ***** END LICENSE BLOCK ***** */
/*
 * pkix_nameconstraintschecker.c
 *
 * Functions for Name Constraints Checkers
 */
#include "pkix_nameconstraintschecker.h"
/* --Private-NameConstraintsCheckerState-Functions---------------------- */
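/*
 * FUNCTION: pkix_NameConstraintsCheckerState_Destroy
 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
 *
 * Destructor for the checker state: verifies that "object" really is a
 * NameConstraintsCheckerState and then drops the two references the state
 * holds (the accumulated name constraints and the cached extension OID).
 *
 * NOTE(review): the listing this was recovered from had lost the return
 * type line, the "plContext" parameter, the braces and the "cleanup:" label
 * (and carried line-number residue between statements). They are restored
 * here following the pattern of the visible lines - confirm against the
 * upstream file.
 */
static PKIX_Error *
pkix_NameConstraintsCheckerState_Destroy(
        PKIX_PL_Object *object,
        void *plContext)
{
        pkix_NameConstraintsCheckerState *state = NULL;

        PKIX_ENTER(CERTNAMECONSTRAINTSCHECKERSTATE,
                    "pkix_NameConstraintsCheckerState_Destroy");
        PKIX_NULLCHECK_ONE(object);

        /*
         * Check the object type before the cast below, so a mistyped
         * object never has its payload interpreted as checker state.
         */
        PKIX_CHECK(pkix_CheckType
            (object, PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE, plContext),
            PKIX_OBJECTNOTNAMECONSTRAINTSCHECKERSTATE);

        state = (pkix_NameConstraintsCheckerState *)object;

        /* Both fields are owned references; nameConstraints may be NULL. */
        PKIX_DECREF(state->nameConstraints);
        PKIX_DECREF(state->nameConstraintsOID);

cleanup:

        PKIX_RETURN(CERTNAMECONSTRAINTSCHECKERSTATE);
}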
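/*
 * FUNCTION: pkix_NameConstraintsCheckerState_RegisterSelf
 *
 * DESCRIPTION:
 *  Registers PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE and its related
 *  functions with systemClasses[]
 *
 * THREAD SAFETY:
 *  Not Thread Safe - for performance and complexity reasons
 *
 *  Since this function is only called by PKIX_PL_Initialize, which should
 *  only be called once, it is acceptable that this function is not
 *  thread-safe.
 *
 * NOTE(review): the listing this was recovered from had lost the return
 * type line, the braces and parts of this comment; they are restored here
 * following the pattern of the visible lines - confirm against the upstream
 * file.
 */
PKIX_Error *
pkix_NameConstraintsCheckerState_RegisterSelf(void *plContext)
{
        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
        pkix_ClassTable_Entry entry;

        PKIX_ENTER(CERTNAMECONSTRAINTSCHECKERSTATE,
                    "pkix_NameConstraintsCheckerState_RegisterSelf");

        entry.description = "NameConstraintsCheckerState";
        entry.objCounter = 0;
        entry.typeObjectSize = sizeof(pkix_NameConstraintsCheckerState);
        /* Only a destructor is supplied; every other callback is left NULL. */
        entry.destructor = pkix_NameConstraintsCheckerState_Destroy;
        entry.equalsFunction = NULL;
        entry.hashcodeFunction = NULL;
        entry.toStringFunction = NULL;
        entry.comparator = NULL;
        entry.duplicateFunction = NULL;

        /* Unsynchronised write to the global class table (see above). */
        systemClasses[PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE] = entry;

        PKIX_RETURN(CERTNAMECONSTRAINTSCHECKERSTATE);
}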
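/*
 * FUNCTION: pkix_NameConstraintsCheckerState_Create
 *
 * DESCRIPTION:
 *  Allocate and initialize NameConstraintsChecker state data.
 *
 * PARAMETERS:
 *  "nameConstraints"
 *      Address of NameConstraints to be stored in state. May be NULL.
 *      The state takes its own reference.
 *  "numCerts"
 *      Number of certificates in the validation chain. This data is used
 *      to identify end-entity.
 *  "pCheckerState"
 *      Address of NameConstraintsCheckerState that is returned. Must be
 *      non-NULL.
 *  "plContext" - Platform-specific context pointer.
 *
 * THREAD SAFETY:
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 *
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a CERTNAMECONSTRAINTSCHECKERSTATE Error if the function fails in
 *  a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 *
 * NOTE(review): the listing this was recovered from had lost the return
 * type line, the "plContext" parameter and call arguments, the braces, the
 * "cleanup:" label and the statements around it. They are restored here
 * following the pattern of the visible lines - confirm against the upstream
 * file.
 */
static PKIX_Error *
pkix_NameConstraintsCheckerState_Create(
        PKIX_PL_CertNameConstraints *nameConstraints,
        PKIX_UInt32 numCerts,
        pkix_NameConstraintsCheckerState **pCheckerState,
        void *plContext)
{
        pkix_NameConstraintsCheckerState *state = NULL;

        PKIX_ENTER(CERTNAMECONSTRAINTSCHECKERSTATE,
                    "pkix_NameConstraintsCheckerState_Create");
        PKIX_NULLCHECK_ONE(pCheckerState);

        PKIX_CHECK(PKIX_PL_Object_Alloc
                    (PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE,
                    sizeof (pkix_NameConstraintsCheckerState),
                    (PKIX_PL_Object **)&state,
                    plContext),
                    PKIX_COULDNOTCREATENAMECONSTRAINTSCHECKERSTATEOBJECT);

        /*
         * Initialize fields.
         *
         * The reference fields are cleared before the first call that can
         * fail: if PKIX_PL_OID_Create errors out, the cleanup path releases
         * "state", and the destructor then DECREFs both fields. Unless the
         * allocator zeroes the payload (not visible here), they would
         * otherwise hold indeterminate pointers at that point.
         */
        state->nameConstraints = NULL;
        state->nameConstraintsOID = NULL;

        PKIX_CHECK(PKIX_PL_OID_Create
                    (PKIX_NAMECONSTRAINTS_OID,
                    &state->nameConstraintsOID,
                    plContext),
                    PKIX_OIDCREATEFAILED);

        /* The state keeps its own reference to the caller's constraints. */
        PKIX_INCREF(nameConstraints);

        state->nameConstraints = nameConstraints;
        state->certsRemaining = numCerts;

        /* Hand ownership to the caller so cleanup does not release it. */
        *pCheckerState = state;
        state = NULL;

cleanup:

        PKIX_DECREF(state);

        PKIX_RETURN(CERTNAMECONSTRAINTSCHECKERSTATE);
}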
/* --Private-NameConstraintsChecker-Functions------------------------- */
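/*
 * FUNCTION: pkix_NameConstraintsChecker_Check
 * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
 *
 * Called once per certificate in the chain. Each call:
 *  - decrements the count of certificates still to be processed;
 *  - checks "cert" against the name constraints accumulated so far, unless
 *    the cert is self-issued and is not the last one in the chain (the
 *    self-issued exemption of RFC 5280 section 6.1.3);
 *  - for every cert except the last, folds the cert's own NameConstraints
 *    extension into the state and removes the extension OID from
 *    "unresolvedCriticalExtensions".
 *
 * NOTE(review): the listing this was recovered from had lost the return
 * type line, the "cert", "pNBIOContext" and "plContext" parameters, several
 * braces, the "else" of the merge branch, the first merge argument and the
 * cleanup section. They are restored here from the identifiers the visible
 * lines use - confirm against the upstream file.
 */
static PKIX_Error *
pkix_NameConstraintsChecker_Check(
        PKIX_CertChainChecker *checker,
        PKIX_PL_Cert *cert,
        PKIX_List *unresolvedCriticalExtensions,
        void **pNBIOContext,
        void *plContext)
{
        pkix_NameConstraintsCheckerState *state = NULL;
        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
        PKIX_PL_CertNameConstraints *mergedNameConstraints = NULL;
        PKIX_Boolean selfIssued = PKIX_FALSE;

        PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Check");
        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);

        *pNBIOContext = NULL; /* we never block on pending I/O */

        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
                    (checker, (PKIX_PL_Object **)&state, plContext),
                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);

        /*
         * NOTE(review): certsRemaining is initialised from a PKIX_UInt32
         * and is decremented without a zero check. If this callback ever
         * runs more often than the "numCerts" given at initialisation, the
         * counter would wrap (assuming the field is unsigned - its
         * declaration is not visible here), the "== 0" test below would no
         * longer identify the end-entity cert, and a self-issued
         * end-entity cert would skip the constraint check. Confirm that
         * callers guarantee the count.
         */
        state->certsRemaining--;

        /* Get status of self issued */
        PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
                    PKIX_ISCERTSELFISSUEDFAILED);

        /* Check on non self-issued and if so only for last cert */
        if (selfIssued == PKIX_FALSE ||
            (selfIssued == PKIX_TRUE && state->certsRemaining == 0)) {
                PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
                    (cert, state->nameConstraints, plContext),
                    PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
        }

        if (state->certsRemaining != 0) {

            PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
                    (cert, &nameConstraints, plContext),
                    PKIX_CERTGETNAMECONSTRAINTSFAILED);

            /* Merge with previous name constraints kept in state */

            if (nameConstraints != NULL) {

                if (state->nameConstraints == NULL) {

                        /* The state takes over the reference we hold. */
                        state->nameConstraints = nameConstraints;
                        nameConstraints = NULL;

                } else {

                        PKIX_CHECK(PKIX_PL_Cert_MergeNameConstraints
                                (nameConstraints,
                                state->nameConstraints,
                                &mergedNameConstraints,
                                plContext),
                                PKIX_CERTMERGENAMECONSTRAINTSFAILED);

                        PKIX_DECREF(nameConstraints);
                        PKIX_DECREF(state->nameConstraints);

                        state->nameConstraints = mergedNameConstraints;
                }

                /* Remove Name Constraints Extension OID from list */
                if (unresolvedCriticalExtensions != NULL) {
                        PKIX_CHECK(pkix_List_Remove
                                    (unresolvedCriticalExtensions,
                                    (PKIX_PL_Object *)state->nameConstraintsOID,
                                    plContext),
                                    PKIX_LISTREMOVEFAILED);
                }
            }
        }

        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
                    (checker, (PKIX_PL_Object *)state, plContext),
                    PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);

cleanup:

        /*
         * Still non-NULL only if the merge failed before the reference was
         * released or handed to the state; release it so that error path
         * does not leak the cert's constraints object.
         */
        PKIX_DECREF(nameConstraints);
        PKIX_DECREF(state);

        PKIX_RETURN(CERTCHAINCHECKER);
}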
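/*
 * FUNCTION: pkix_NameConstraintsChecker_Initialize
 *
 * DESCRIPTION:
 *  Create a CertChainChecker with a NameConstraintsCheckerState. The
 *  NameConstraintsCheckerState is created with "trustedNC" and "numCerts"
 *  as its initial state. The CertChainChecker for the NameConstraints is
 *  returned at address of "pChecker".
 *
 * PARAMETERS:
 *  "trustedNC"
 *      The NameConstraints from trusted anchor Cert is stored at "trustedNC"
 *      for initialization. May be NULL.
 *  "numCerts"
 *      Number of certificates in the validation chain. This data is used
 *      to identify end-entity.
 *  "pChecker"
 *      Address of CertChainChecker to be created and returned. Must be
 *      non-NULL.
 *  "plContext" - Platform-specific context pointer.
 *
 * THREAD SAFETY:
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 *
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a CERTCHAINCHECKER Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 *
 * NOTE(review): the listing this was recovered from had lost the return
 * type line, the "plContext" parameter, the braces, the cleanup section and
 * most arguments of the PKIX_CertChainChecker_Create call. They are
 * restored here - confirm against the upstream file.
 */
PKIX_Error *
pkix_NameConstraintsChecker_Initialize(
        PKIX_PL_CertNameConstraints *trustedNC,
        PKIX_UInt32 numCerts,
        PKIX_CertChainChecker **pChecker,
        void *plContext)
{
        pkix_NameConstraintsCheckerState *state = NULL;

        PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Initialize");
        PKIX_NULLCHECK_ONE(pChecker);

        PKIX_CHECK(pkix_NameConstraintsCheckerState_Create
                    (trustedNC, numCerts, &state, plContext),
                    PKIX_NAMECONSTRAINTSCHECKERSTATECREATEFAILED);

        /*
         * NOTE(review): the three arguments between the callback and the
         * state were missing from the listing. PKIX_FALSE, PKIX_FALSE, NULL
         * (no forward checking, no forward direction, no extension list)
         * are restored here - confirm against the upstream file.
         */
        PKIX_CHECK(PKIX_CertChainChecker_Create
                    (pkix_NameConstraintsChecker_Check,
                    PKIX_FALSE,
                    PKIX_FALSE,
                    NULL,
                    (PKIX_PL_Object *) state,
                    pChecker,
                    plContext),
                    PKIX_CERTCHAINCHECKERCREATEFAILED);

cleanup:

        /*
         * Drop the local reference; presumably the checker holds its own
         * reference to the state after a successful create - verify.
         */
        PKIX_DECREF(state);

        PKIX_RETURN(CERTCHAINCHECKER);
}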