1
/* ***** BEGIN LICENSE BLOCK *****
2
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
4
* The contents of this file are subject to the Mozilla Public License Version
5
* 1.1 (the "License"); you may not use this file except in compliance with
6
* the License. You may obtain a copy of the License at
7
* http://www.mozilla.org/MPL/
9
* Software distributed under the License is distributed on an "AS IS" basis,
10
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11
* for the specific language governing rights and limitations under the
14
* The Original Code is the PKIX-C library.
16
* The Initial Developer of the Original Code is
17
* Sun Microsystems, Inc.
18
* Portions created by the Initial Developer are
19
* Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
22
* Sun Microsystems, Inc.
24
* Alternatively, the contents of this file may be used under the terms of
25
* either the GNU General Public License Version 2 or later (the "GPL"), or
26
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27
* in which case the provisions of the GPL or the LGPL are applicable instead
28
* of those above. If you wish to allow use of your version of this file only
29
* under the terms of either the GPL or the LGPL, and not to allow others to
30
* use your version of this file under the terms of the MPL, indicate your
31
* decision by deleting the provisions above and replace them with the notice
32
* and other provisions required by the GPL or the LGPL. If you do not delete
33
* the provisions above, a recipient may use your version of this file under
34
* the terms of any one of the MPL, the GPL or the LGPL.
36
* ***** END LICENSE BLOCK ***** */
38
* pkix_defaultcrlchecker.c
40
* Functions for default CRL Checkers
44
#include "pkix_crlchecker.h"
45
#include "pkix_tools.h"
47
/* --Private-CRLChecker-Data-and-Types------------------------------- */
49
typedef struct pkix_CrlCheckerStruct {
50
/* RevocationMethod is the super class of CrlChecker. */
51
pkix_RevocationMethod method;
52
PKIX_List *certStores; /* list of CertStore */
53
PKIX_PL_VerifyCallback crlVerifyFn;
57
/* --Private-CRLChecker-Functions----------------------------------- */
60
* FUNCTION: pkix_CrlCheckerstate_Destroy
61
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
64
pkix_CrlChecker_Destroy(
65
PKIX_PL_Object *object,
68
pkix_CrlChecker *state = NULL;
70
PKIX_ENTER(CRLCHECKER, "pkix_CrlChecker_Destroy");
71
PKIX_NULLCHECK_ONE(object);
73
/* Check that this object is a default CRL checker state */
75
pkix_CheckType(object, PKIX_CRLCHECKER_TYPE, plContext),
76
PKIX_OBJECTNOTCRLCHECKER);
78
state = (pkix_CrlChecker *)object;
80
PKIX_DECREF(state->certStores);
84
PKIX_RETURN(CRLCHECKER);
88
* FUNCTION: pkix_CrlChecker_RegisterSelf
91
* Registers PKIX_CRLCHECKER_TYPE and its related functions
92
* with systemClasses[]
95
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
97
* Since this function is only called by PKIX_PL_Initialize, which should
98
* only be called once, it is acceptable that this function is not
102
pkix_CrlChecker_RegisterSelf(void *plContext)
104
extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
105
pkix_ClassTable_Entry* entry = &systemClasses[PKIX_CRLCHECKER_TYPE];
107
PKIX_ENTER(CRLCHECKER, "pkix_CrlChecker_RegisterSelf");
109
entry->description = "CRLChecker";
110
entry->typeObjectSize = sizeof(pkix_CrlChecker);
111
entry->destructor = pkix_CrlChecker_Destroy;
113
PKIX_RETURN(CRLCHECKER);
117
* FUNCTION: pkix_CrlChecker_Create
120
* Allocate and initialize CRLChecker state data.
124
* Address of CertStore List to be stored in state. Must be non-NULL.
126
* Address of PKIX_PL_Date to be checked. May be NULL.
128
* Trusted Anchor Public Key for verifying first Cert in the chain.
131
* Number of certificates remaining in the chain.
132
* "nistCRLPolicyEnabled"
133
* If enabled, enforce nist crl policy.
135
* Address of CRLChecker that is returned. Must be non-NULL.
137
* Platform-specific context pointer.
140
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
143
* Returns NULL if the function succeeds.
144
* Returns a DefaultCrlChecker Error if the function fails in a
146
* Returns a Fatal Error
149
pkix_CrlChecker_Create(PKIX_RevocationMethodType methodType,
151
PKIX_UInt32 priority,
152
pkix_LocalRevocationCheckFn localRevChecker,
153
pkix_ExternalRevocationCheckFn externalRevChecker,
154
PKIX_List *certStores,
155
PKIX_PL_VerifyCallback crlVerifyFn,
156
pkix_RevocationMethod **pChecker,
159
pkix_CrlChecker *crlChecker = NULL;
161
PKIX_ENTER(CRLCHECKER, "pkix_CrlChecker_Create");
162
PKIX_NULLCHECK_TWO(certStores, pChecker);
164
PKIX_CHECK(PKIX_PL_Object_Alloc
165
(PKIX_CRLCHECKER_TYPE,
166
sizeof (pkix_CrlChecker),
167
(PKIX_PL_Object **)&crlChecker,
169
PKIX_COULDNOTCREATECRLCHECKEROBJECT);
171
pkixErrorResult = pkix_RevocationMethod_Init(
172
(pkix_RevocationMethod*)crlChecker, methodType, flags, priority,
173
localRevChecker, externalRevChecker, plContext);
174
if (pkixErrorResult) {
178
/* Initialize fields */
179
PKIX_INCREF(certStores);
180
crlChecker->certStores = certStores;
182
crlChecker->crlVerifyFn = crlVerifyFn;
183
*pChecker = (pkix_RevocationMethod*)crlChecker;
187
PKIX_DECREF(crlChecker);
189
PKIX_RETURN(CRLCHECKER);
192
/* --Private-CRLChecker-Functions------------------------------------ */
195
* FUNCTION: pkix_CrlChecker_CheckLocal
198
* Check if the Cert has been revoked based the CRLs data. This function
199
* maintains the checker state to be current.
203
* Address of CertChainChecker which has the state data.
206
* Address of Certificate that is to be validated. Must be non-NULL.
208
* A List OIDs. Not **yet** used in this checker function.
210
* Platform-specific context pointer.
214
* (see Thread Safety Definitions in Programmer's Guide)
217
* Returns NULL if the function succeeds.
218
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
219
* Returns a Fatal Error
222
pkix_CrlChecker_CheckLocal(
224
PKIX_PL_Cert *issuer,
226
pkix_RevocationMethod *checkerObject,
227
PKIX_ProcessingParams *procParams,
228
PKIX_UInt32 methodFlags,
229
PKIX_Boolean chainVerificationState,
230
PKIX_RevocationStatus *pRevStatus,
231
PKIX_UInt32 *pReasonCode,
234
PKIX_CertStore_CheckRevokationByCrlCallback storeCheckRevocationFn;
235
PKIX_CertStore *certStore = NULL;
236
pkix_CrlChecker *state = NULL;
237
PKIX_UInt32 reasonCode = 0;
238
PKIX_UInt32 crlStoreIndex = 0;
239
PKIX_UInt32 numCrlStores = 0;
240
PKIX_Boolean storeIsLocal = PKIX_FALSE;
241
PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
243
PKIX_ENTER(CERTCHAINCHECKER, "pkix_CrlChecker_CheckLocal");
244
PKIX_NULLCHECK_FOUR(cert, issuer, checkerObject, checkerObject);
246
state = (pkix_CrlChecker*)checkerObject;
249
PKIX_List_GetLength(state->certStores, &numCrlStores, plContext),
250
PKIX_LISTGETLENGTHFAILED);
252
for (;crlStoreIndex < numCrlStores;crlStoreIndex++) {
254
PKIX_List_GetItem(state->certStores, crlStoreIndex,
255
(PKIX_PL_Object **)&certStore,
257
PKIX_LISTGETITEMFAILED);
260
PKIX_CertStore_GetLocalFlag(certStore, &storeIsLocal,
262
PKIX_CERTSTOREGETLOCALFLAGFAILED);
265
PKIX_CertStore_GetCrlCheckerFn(certStore,
266
&storeCheckRevocationFn,
268
PKIX_CERTSTOREGETCHECKREVBYCRLFAILED);
270
if (storeCheckRevocationFn) {
272
storeCheckRevocationFn(certStore, cert, issuer,
274
/* delay sig check if building
276
!chainVerificationState,
278
&revStatus, plContext),
279
PKIX_CERTSTORECRLCHECKFAILED);
280
if (revStatus == PKIX_RevStatus_Revoked) {
285
PKIX_DECREF(certStore);
289
*pRevStatus = revStatus;
290
PKIX_DECREF(certStore);
292
PKIX_RETURN(CERTCHAINCHECKER);
296
* FUNCTION: pkix_CrlChecker_CheckRemote
299
* Check if the Cert has been revoked based the CRLs data. This function
300
* maintains the checker state to be current.
304
* Address of CertChainChecker which has the state data.
307
* Address of Certificate that is to be validated. Must be non-NULL.
309
* A List OIDs. Not **yet** used in this checker function.
311
* Platform-specific context pointer.
315
* (see Thread Safety Definitions in Programmer's Guide)
318
* Returns NULL if the function succeeds.
319
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
320
* Returns a Fatal Error
323
pkix_CrlChecker_CheckExternal(
325
PKIX_PL_Cert *issuer,
327
pkix_RevocationMethod *checkerObject,
328
PKIX_ProcessingParams *procParams,
329
PKIX_UInt32 methodFlags,
330
PKIX_RevocationStatus *pRevStatus,
331
PKIX_UInt32 *pReasonCode,
335
PKIX_CertStore_CheckRevokationByCrlCallback storeCheckRevocationFn = NULL;
336
PKIX_CertStore_ImportCrlCallback storeImportCrlFn = NULL;
337
PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
338
PKIX_CertStore *certStore = NULL;
339
PKIX_CertStore *localStore = NULL;
340
PKIX_CRLSelector *crlSelector = NULL;
341
pkix_CrlChecker *state = NULL;
342
PKIX_UInt32 reasonCode = 0;
343
PKIX_UInt32 crlStoreIndex = 0;
344
PKIX_UInt32 numCrlStores = 0;
345
PKIX_Boolean storeIsLocal = PKIX_FALSE;
346
PKIX_List *crlList = NULL;
347
void *nbioContext = NULL;
350
PKIX_ENTER(CERTCHAINCHECKER, "pkix_CrlChecker_CheckExternal");
351
PKIX_NULLCHECK_FOUR(cert, issuer, checkerObject, pNBIOContext);
353
nbioContext = *pNBIOContext;
354
*pNBIOContext = NULL; /* prepare for Error exit */
356
state = (pkix_CrlChecker*)checkerObject;
359
PKIX_List_GetLength(state->certStores, &numCrlStores, plContext),
360
PKIX_LISTGETLENGTHFAILED);
362
/* Find a cert store that is capable of storing crls */
363
for (;crlStoreIndex < numCrlStores;crlStoreIndex++) {
365
PKIX_List_GetItem(state->certStores, crlStoreIndex,
366
(PKIX_PL_Object **)&certStore,
368
PKIX_LISTGETITEMFAILED);
371
PKIX_CertStore_GetLocalFlag(certStore, &storeIsLocal,
373
PKIX_CERTSTOREGETLOCALFLAGFAILED);
376
PKIX_CertStore_GetImportCrlCallback(certStore,
379
PKIX_CERTSTOREGETCHECKREVBYCRLFAILED);
382
PKIX_CertStore_GetCrlCheckerFn(certStore,
383
&storeCheckRevocationFn,
385
PKIX_CERTSTOREGETCHECKREVBYCRLFAILED);
387
if (storeImportCrlFn && storeCheckRevocationFn) {
388
localStore = certStore;
393
PKIX_DECREF(certStore);
396
/* Report unknown status if we can not check crl in one of the
399
PKIX_ERROR_FATAL(PKIX_CRLCHECKERNOLOCALCERTSTOREFOUND);
403
PKIX_CrlSelector_Create(issuer, date, &crlSelector, plContext),
404
PKIX_CRLCHECKERSETSELECTORFAILED);
406
/* Fetch crl and store in a local cert store */
407
for (crlStoreIndex = 0;crlStoreIndex < numCrlStores;crlStoreIndex++) {
408
PKIX_CertStore_CRLCallback getCrlsFn;
411
PKIX_List_GetItem(state->certStores, crlStoreIndex,
412
(PKIX_PL_Object **)&certStore,
414
PKIX_LISTGETITEMFAILED);
417
PKIX_CertStore_GetCRLCallback(certStore, &getCrlsFn,
419
PKIX_CERTSTOREGETCRLCALLBACKFAILED);
421
/* Bit PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE should
422
* be checked in the stores if we have info on missing
423
* source in crl case. For now, we are not going to do
424
* so, as remote fetching of crls is not implemented. */
426
getCrlsFn(certStore, crlSelector, &nbioContext,
427
&crlList, plContext),
431
storeImportCrlFn(localStore, crlList, plContext),
432
PKIX_CERTSTOREFAILTOIMPORTCRLLIST);
435
storeCheckRevocationFn(certStore, cert, issuer, date,
436
PKIX_FALSE /* do not delay sig check */,
437
&reasonCode, &revStatus, plContext),
438
PKIX_CERTSTORECRLCHECKFAILED);
439
if (revStatus != PKIX_RevStatus_NoInfo) {
442
PKIX_DECREF(crlList);
443
PKIX_DECREF(certStore);
446
/* Update return flags */
449
if (revStatus == PKIX_RevStatus_NoInfo &&
450
methodFlags & PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE &&
451
methodFlags & PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO) {
452
revStatus = PKIX_RevStatus_Revoked;
454
*pRevStatus = revStatus;
456
PKIX_DECREF(crlList);
457
PKIX_DECREF(certStore);
458
PKIX_DECREF(localStore);
459
PKIX_DECREF(crlSelector);
461
PKIX_RETURN(CERTCHAINCHECKER);