← Back to branch summary

~ubuntu-branches/ubuntu/karmic/nss/karmic-updates

« back to all changes in this revision

Viewing changes to mozilla/security/nss/lib/libpkix/pkix/top/pkix_basicconstraintschecker.c

  • Committer: Bazaar Package Importer
  • Author(s): Alexander Sack, Fabien Tassin, Alexander Sack
  • Date: 2009-01-11 15:06:17 UTC
  • mfrom: (1.1.8 upstream)
  • Revision ID: james.westby@ubuntu.com-20090111150617-iz4lw05qgy2odorl
Tags: 3.12.2~rc1-0ubuntu1
* New upstream snapshot: 3.12.2 RC1

[ Fabien Tassin <fta@ubuntu.com> ]
* Remove patch applied upstream:
  - drop debian/patches/80_security_tools.patch
  - update debian/patches/series
* Update diverged patches:
  - update debian/patches/38_kbsd.patch
  - update debian/patches/38_mips64_build.patch
* Add new symbols to symbols file
  - update debian/libnss3-1d.symbols

[ Alexander Sack <asac@ubuntu.com> ]
* disable soname patch to become binary compatible with upstream
  - update debian/patches/series
* flip links: libnss3.so <- libnss3.so.1d (before: libnss3.so ->
  libnss3.so.1d); same link flipping was done for all other previously
  soname patched libs: libnssutil3.so, libsmime3.so.1d, libssl3.so.1d
  - update debian/libnss3-1d.links
  - update debian/libnss3-1d.symbols
* properly transition links in preinst and postrm; also cover abort-
  cases in the other maintainer scripts
  - add debian/libnss3-1d.postinst
  - add debian/libnss3-1d.postrm
  - add debian/libnss3-1d.preinst
  - add debian/libnss3-1d.prerm
* remove hack from debian/rules that debian uses to recreate
  libsoftokn3.so with a versioned SONAME
  - update debian/rules
* install the unversioned .so binaries
  - update debian/rules
* only install the 4 main libraries into /usr/lib; all the others
  go to pkglibdir
  - update debian/rules
* higher bar for libnspr4 Build-Depend to >= 4.7.3~, which is
  the version where the soname droppage is going to happen
  - update debian/control
* explitily pass libraries to be used for dpkg-gensymbols run of
  dh_makeshlibs
  - update debian/rules
* fix lintian complain about no-shlibs-control-file
  - update debian/rules

Show diffs side-by-side

added added

removed removed

Lines of Context:
mozilla/security/nss/lib/libpkix/pkix/top/pkix_basicconstraintschecker.c
1
 
/* ***** BEGIN LICENSE BLOCK *****
2
 
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3
 
 *
4
 
 * The contents of this file are subject to the Mozilla Public License Version
5
 
 * 1.1 (the "License"); you may not use this file except in compliance with
6
 
 * the License. You may obtain a copy of the License at
7
 
 * http://www.mozilla.org/MPL/
8
 
 *
9
 
 * Software distributed under the License is distributed on an "AS IS" basis,
10
 
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11
 
 * for the specific language governing rights and limitations under the
12
 
 * License.
13
 
 *
14
 
 * The Original Code is the PKIX-C library.
15
 
 *
16
 
 * The Initial Developer of the Original Code is
17
 
 * Sun Microsystems, Inc.
18
 
 * Portions created by the Initial Developer are
19
 
 * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
20
 
 *
21
 
 * Contributor(s):
22
 
 *   Sun Microsystems, Inc.
23
 
 *
24
 
 * Alternatively, the contents of this file may be used under the terms of
25
 
 * either the GNU General Public License Version 2 or later (the "GPL"), or
26
 
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27
 
 * in which case the provisions of the GPL or the LGPL are applicable instead
28
 
 * of those above. If you wish to allow use of your version of this file only
29
 
 * under the terms of either the GPL or the LGPL, and not to allow others to
30
 
 * use your version of this file under the terms of the MPL, indicate your
31
 
 * decision by deleting the provisions above and replace them with the notice
32
 
 * and other provisions required by the GPL or the LGPL. If you do not delete
33
 
 * the provisions above, a recipient may use your version of this file under
34
 
 * the terms of any one of the MPL, the GPL or the LGPL.
35
 
 *
36
 
 * ***** END LICENSE BLOCK ***** */
37
 
/*
38
 
 * pkix_basicconstraintschecker.c
39
 
 *
40
 
 * Functions for basic constraints validation
41
 
 *
42
 
 */
43
 
 
44
 
#include "pkix_basicconstraintschecker.h"
45
 
 
46
 
/* --Private-BasicConstraintsCheckerState-Functions------------------------- */
47
 
 
48
 
/*
49
 
 * FUNCTION: pkix_BasicConstraintsCheckerState_Destroy
50
 
 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
51
 
 */
52
 
static PKIX_Error *
53
 
pkix_BasicConstraintsCheckerState_Destroy(
54
 
        PKIX_PL_Object *object,
55
 
        void *plContext)
56
 
{
57
 
        pkix_BasicConstraintsCheckerState *state = NULL;
58
 
 
59
 
        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
60
 
                    "pkix_BasicConstraintsCheckerState_Destroy");
61
 
 
62
 
        PKIX_NULLCHECK_ONE(object);
63
 
 
64
 
        /* Check that this object is a basic constraints checker state */
65
 
        PKIX_CHECK(pkix_CheckType
66
 
                (object, PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE, plContext),
67
 
                PKIX_OBJECTNOTBASICCONSTRAINTSCHECKERSTATE);
68
 
 
69
 
        state = (pkix_BasicConstraintsCheckerState *)object;
70
 
 
71
 
        PKIX_DECREF(state->basicConstraintsOID);
72
 
 
73
 
cleanup:
74
 
 
75
 
        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
76
 
}
77
 
 
78
 
/*
79
 
 * FUNCTION: pkix_BasicConstraintsCheckerState_RegisterSelf
80
 
 * DESCRIPTION:
81
 
 *  Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
82
 
 * THREAD SAFETY:
83
 
 *  Not Thread Safe - for performance and complexity reasons
84
 
 *
85
 
 *  Since this function is only called by PKIX_PL_Initialize, which should
86
 
 *  only be called once, it is acceptable that this function is not
87
 
 *  thread-safe.
88
 
 */
89
 
PKIX_Error *
90
 
pkix_BasicConstraintsCheckerState_RegisterSelf(void *plContext)
91
 
{
92
 
        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
93
 
        pkix_ClassTable_Entry entry;
94
 
 
95
 
        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
96
 
                "pkix_BasicConstraintsCheckerState_RegisterSelf");
97
 
 
98
 
        entry.description = "BasicConstraintsCheckerState";
99
 
        entry.objCounter = 0;
100
 
        entry.typeObjectSize = sizeof(pkix_BasicConstraintsCheckerState);
101
 
        entry.destructor = pkix_BasicConstraintsCheckerState_Destroy;
102
 
        entry.equalsFunction = NULL;
103
 
        entry.hashcodeFunction = NULL;
104
 
        entry.toStringFunction = NULL;
105
 
        entry.comparator = NULL;
106
 
        entry.duplicateFunction = NULL;
107
 
 
108
 
        systemClasses[PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE] = entry;
109
 
 
110
 
        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
111
 
}
112
 
 
113
 
/*
114
 
 * FUNCTION: pkix_BasicConstraintsCheckerState_Create
115
 
 * DESCRIPTION:
116
 
 *
117
 
 *  Creates a new BasicConstraintsCheckerState using the number of certs in
118
 
 *  the chain represented by "certsRemaining" and stores it at "pState".
119
 
 *
120
 
 * PARAMETERS:
121
 
 *  "certsRemaining"
122
 
 *      Number of certificates in the chain.
123
 
 *  "pState"
124
 
 *      Address where object pointer will be stored. Must be non-NULL.
125
 
 *  "plContext"
126
 
 *      Platform-specific context pointer.
127
 
 * THREAD SAFETY:
128
 
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
129
 
 * RETURNS:
130
 
 *  Returns NULL if the function succeeds.
131
 
 *  Returns a BasicConstraintsCheckerState Error if the function fails in a
132
 
 *      non-fatal way.
133
 
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
134
 
 */
135
 
static PKIX_Error *
136
 
pkix_BasicConstraintsCheckerState_Create(
137
 
        PKIX_UInt32 certsRemaining,
138
 
        pkix_BasicConstraintsCheckerState **pState,
139
 
        void *plContext)
140
 
{
141
 
        pkix_BasicConstraintsCheckerState *state = NULL;
142
 
 
143
 
        PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
144
 
                    "pkix_BasicConstraintsCheckerState_Create");
145
 
 
146
 
        PKIX_NULLCHECK_ONE(pState);
147
 
 
148
 
        PKIX_CHECK(PKIX_PL_Object_Alloc
149
 
                    (PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE,
150
 
                    sizeof (pkix_BasicConstraintsCheckerState),
151
 
                    (PKIX_PL_Object **)&state,
152
 
                    plContext),
153
 
                    PKIX_COULDNOTCREATEBASICCONSTRAINTSSTATEOBJECT);
154
 
 
155
 
        /* initialize fields */
156
 
        state->certsRemaining = certsRemaining;
157
 
        state->maxPathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;
158
 
 
159
 
        PKIX_CHECK(PKIX_PL_OID_Create
160
 
                    (PKIX_BASICCONSTRAINTS_OID,
161
 
                    &state->basicConstraintsOID,
162
 
                    plContext),
163
 
                    PKIX_OIDCREATEFAILED);
164
 
 
165
 
        *pState = state;
166
 
        state = NULL;
167
 
 
168
 
cleanup:
169
 
 
170
 
        PKIX_DECREF(state);
171
 
 
172
 
        PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
173
 
}
174
 
 
175
 
/* --Private-BasicConstraintsChecker-Functions------------------------------ */
176
 
 
177
 
/*
178
 
 * FUNCTION: pkix_BasicConstraintsChecker_Check
179
 
 * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
180
 
 */
181
 
PKIX_Error *
182
 
pkix_BasicConstraintsChecker_Check(
183
 
        PKIX_CertChainChecker *checker,
184
 
        PKIX_PL_Cert *cert,
185
 
        PKIX_List *unresolvedCriticalExtensions,  /* list of PKIX_PL_OID */
186
 
        void **pNBIOContext,
187
 
        void *plContext)
188
 
{
189
 
        PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
190
 
        pkix_BasicConstraintsCheckerState *state = NULL;
191
 
        PKIX_Boolean caFlag = PKIX_FALSE;
192
 
        PKIX_Int32 pathLength = 0;
193
 
        PKIX_Int32 maxPathLength_now;
194
 
        PKIX_Boolean isSelfIssued = PKIX_FALSE;
195
 
 
196
 
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Check");
197
 
        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
198
 
 
199
 
        *pNBIOContext = NULL; /* we never block on pending I/O */
200
 
 
201
 
        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
202
 
                    (checker, (PKIX_PL_Object **)&state, plContext),
203
 
                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
204
 
 
205
 
        state->certsRemaining--;
206
 
 
207
 
        if (state->certsRemaining != 0) {
208
 
 
209
 
                PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
210
 
                    (cert, &basicConstraints, plContext),
211
 
                    PKIX_CERTGETBASICCONSTRAINTSFAILED);
212
 
 
213
 
                /* get CA Flag and path length */
214
 
                if (basicConstraints != NULL) {
215
 
                        PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag
216
 
                            (basicConstraints,
217
 
                            &caFlag,
218
 
                            plContext),
219
 
                            PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);
220
 
 
221
 
                if (caFlag == PKIX_TRUE) {
222
 
                        PKIX_CHECK
223
 
                            (PKIX_PL_BasicConstraints_GetPathLenConstraint
224
 
                            (basicConstraints,
225
 
                            &pathLength,
226
 
                            plContext),
227
 
                            PKIX_BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED);
228
 
                }
229
 
 
230
 
                }else{
231
 
                        caFlag = PKIX_FALSE;
232
 
                        pathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;
233
 
                }
234
 
 
235
 
                PKIX_CHECK(pkix_IsCertSelfIssued
236
 
                        (cert,
237
 
                        &isSelfIssued,
238
 
                        plContext),
239
 
                        PKIX_ISCERTSELFISSUEDFAILED);
240
 
 
241
 
                maxPathLength_now = state->maxPathLength;
242
 
 
243
 
                if (isSelfIssued != PKIX_TRUE) {
244
 
 
245
 
                    /* Not last CA Cert, but maxPathLength is down to zero */
246
 
                    if (maxPathLength_now == 0) {
247
 
                        PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDLN);
248
 
                    }
249
 
 
250
 
                    if (caFlag == PKIX_FALSE) {
251
 
                        PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDCA);
252
 
                    }
253
 
 
254
 
                    if (maxPathLength_now > 0) { /* can be unlimited (-1) */
255
 
                        maxPathLength_now--;
256
 
                    }
257
 
 
258
 
                }
259
 
 
260
 
                if (caFlag == PKIX_TRUE) {
261
 
                    if (maxPathLength_now == PKIX_UNLIMITED_PATH_CONSTRAINT){
262
 
                            maxPathLength_now = pathLength;
263
 
                    } else {
264
 
                            /* If pathLength is not specified, don't set */
265
 
                        if (pathLength != PKIX_UNLIMITED_PATH_CONSTRAINT) {
266
 
                            maxPathLength_now =
267
 
                                    (maxPathLength_now > pathLength)?
268
 
                                    pathLength:maxPathLength_now;
269
 
                        }
270
 
                    }
271
 
                }
272
 
 
273
 
                state->maxPathLength = maxPathLength_now;
274
 
        }
275
 
 
276
 
        /* Remove Basic Constraints Extension OID from list */
277
 
        if (unresolvedCriticalExtensions != NULL) {
278
 
 
279
 
                PKIX_CHECK(pkix_List_Remove
280
 
                            (unresolvedCriticalExtensions,
281
 
                            (PKIX_PL_Object *) state->basicConstraintsOID,
282
 
                            plContext),
283
 
                            PKIX_LISTREMOVEFAILED);
284
 
        }
285
 
 
286
 
 
287
 
        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
288
 
                    (checker, (PKIX_PL_Object *)state, plContext),
289
 
                    PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
290
 
 
291
 
 
292
 
cleanup:
293
 
        PKIX_DECREF(state);
294
 
        PKIX_DECREF(basicConstraints);
295
 
        PKIX_RETURN(CERTCHAINCHECKER);
296
 
 
297
 
}
298
 
 
299
 
/*
300
 
 * FUNCTION: pkix_BasicConstraintsChecker_Initialize
301
 
 * DESCRIPTION:
302
 
 *  Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
303
 
 * THREAD SAFETY:
304
 
 *  Not Thread Safe - for performance and complexity reasons
305
 
 *
306
 
 *  Since this function is only called by PKIX_PL_Initialize, which should
307
 
 *  only be called once, it is acceptable that this function is not
308
 
 *  thread-safe.
309
 
 */
310
 
PKIX_Error *
311
 
pkix_BasicConstraintsChecker_Initialize(
312
 
        PKIX_UInt32 certsRemaining,
313
 
        PKIX_CertChainChecker **pChecker,
314
 
        void *plContext)
315
 
{
316
 
        pkix_BasicConstraintsCheckerState *state = NULL;
317
 
 
318
 
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Initialize");
319
 
        PKIX_NULLCHECK_ONE(pChecker);
320
 
 
321
 
        PKIX_CHECK(pkix_BasicConstraintsCheckerState_Create
322
 
                    (certsRemaining, &state, plContext),
323
 
                    PKIX_BASICCONSTRAINTSCHECKERSTATECREATEFAILED);
324
 
 
325
 
        PKIX_CHECK(PKIX_CertChainChecker_Create
326
 
                    (pkix_BasicConstraintsChecker_Check,
327
 
                    PKIX_FALSE,
328
 
                    PKIX_FALSE,
329
 
                    NULL,
330
 
                    (PKIX_PL_Object *)state,
331
 
                    pChecker,
332
 
                    plContext),
333
 
                    PKIX_CERTCHAINCHECKERCHECKFAILED);
334
 
 
335
 
cleanup:
336
 
        PKIX_DECREF(state);
337
 
 
338
 
        PKIX_RETURN(CERTCHAINCHECKER);
339
 
}