← Back to branch summary

~ubuntu-branches/ubuntu/karmic/nss/karmic-updates

« back to all changes in this revision

Viewing changes to mozilla/security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.c

  • Committer: Bazaar Package Importer
  • Author(s): Alexander Sack
  • Date: 2009-06-16 13:23:47 UTC
  • mfrom: (1.1.9 upstream)
  • Revision ID: james.westby@ubuntu.com-20090616132347-311ysb8oep74b98y
Tags: 3.12.3-0ubuntu1
https://launchpad.net/bugs/387751
* new upstream release 3.12.3 RTM (NSS_3_12_3_RTM) (LP: #387751)
* adjust patches to changed upstream code base
  - update debian/patches/38_kbsd.patch
* needs nspr >= 4.7.4
  - update debian/control
* update 85_security_load.patch to latest debian version
  - update debian/patches/85_security_load.patch
* add new symbols for 3.12.3
  - update debian/libnss3-1d.symbols

Show diffs side-by-side

added added

removed removed

Lines of Context:
mozilla/security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.c
1
 
/* ***** BEGIN LICENSE BLOCK *****
2
 
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3
 
 *
4
 
 * The contents of this file are subject to the Mozilla Public License Version
5
 
 * 1.1 (the "License"); you may not use this file except in compliance with
6
 
 * the License. You may obtain a copy of the License at
7
 
 * http://www.mozilla.org/MPL/
8
 
 *
9
 
 * Software distributed under the License is distributed on an "AS IS" basis,
10
 
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11
 
 * for the specific language governing rights and limitations under the
12
 
 * License.
13
 
 *
14
 
 * The Original Code is the PKIX-C library.
15
 
 *
16
 
 * The Initial Developer of the Original Code is
17
 
 * Sun Microsystems, Inc.
18
 
 * Portions created by the Initial Developer are
19
 
 * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
20
 
 *
21
 
 * Contributor(s):
22
 
 *   Sun Microsystems, Inc.
23
 
 *
24
 
 * Alternatively, the contents of this file may be used under the terms of
25
 
 * either the GNU General Public License Version 2 or later (the "GPL"), or
26
 
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27
 
 * in which case the provisions of the GPL or the LGPL are applicable instead
28
 
 * of those above. If you wish to allow use of your version of this file only
29
 
 * under the terms of either the GPL or the LGPL, and not to allow others to
30
 
 * use your version of this file under the terms of the MPL, indicate your
31
 
 * decision by deleting the provisions above and replace them with the notice
32
 
 * and other provisions required by the GPL or the LGPL. If you do not delete
33
 
 * the provisions above, a recipient may use your version of this file under
34
 
 * the terms of any one of the MPL, the GPL or the LGPL.
35
 
 *
36
 
 * ***** END LICENSE BLOCK ***** */
37
 
/*
38
 
 * pkix_defaultcrlchecker.c
39
 
 *
40
 
 * Functions for default CRL Checkers
41
 
 *
42
 
 */
43
 
#define CERTCHAINCHECKERDEBUG 1
44
 
 
45
 
#include "pkix_defaultcrlchecker.h"
46
 
 
47
 
static char *reasonCodeMsgString[] = {
48
 
        "Certificate is revoked by CRL for unspecified reason"
49
 
        "Certificate is revoked by CRL for key compromise",
50
 
        "Certificate is revoked by CRL for CA compromise",
51
 
        "Certificate is revoked by CRL for affiliation changed",
52
 
        "Certificate is revoked by CRL for being superseded",
53
 
        "Certificate is revoked by CRL for cessation of operation",
54
 
        "Certificate is revoked by CRL for certificate hold",
55
 
        "Certificate is revoked by CRL for undefined reason",
56
 
        "Certificate is revoked by CRL for being removed from CRL",
57
 
        "Certificate is revoked by CRL for privilege withdrawn",
58
 
        "Certificate is revoked by CRL for aACompromise",
59
 
};
60
 
 
61
 
static const int numReasonCodes = 
62
 
    sizeof(reasonCodeMsgString) / sizeof(reasonCodeMsgString[0]);
63
 
 
64
 
/* --Private-DefaultCRLCheckerState-Functions------------------------------- */
65
 
 
66
 
/*
67
 
 * FUNCTION: pkix_DefaultCRLCheckerstate_Destroy
68
 
 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
69
 
 */
70
 
static PKIX_Error *
71
 
pkix_DefaultCRLCheckerState_Destroy(
72
 
        PKIX_PL_Object *object,
73
 
        void *plContext)
74
 
{
75
 
        pkix_DefaultCRLCheckerState *state = NULL;
76
 
 
77
 
        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
78
 
                    "pkix_DefaultCRLCheckerState_Destroy");
79
 
        PKIX_NULLCHECK_ONE(object);
80
 
 
81
 
        /* Check that this object is a default CRL checker state */
82
 
        PKIX_CHECK(pkix_CheckType
83
 
                    (object, PKIX_DEFAULTCRLCHECKERSTATE_TYPE, plContext),
84
 
                    PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
85
 
 
86
 
        state = (pkix_DefaultCRLCheckerState *)object;
87
 
 
88
 
        state->certHasValidCrl = PKIX_FALSE;
89
 
        state->prevCertCrlSign = PKIX_FALSE;
90
 
        state->reasonCodeMask = 0;
91
 
 
92
 
        PKIX_DECREF(state->certStores);
93
 
        PKIX_DECREF(state->testDate);
94
 
        PKIX_DECREF(state->prevPublicKey);
95
 
        PKIX_DECREF(state->prevPublicKeyList);
96
 
        PKIX_DECREF(state->crlReasonCodeOID);
97
 
        PKIX_DECREF(state->certIssuer);
98
 
        PKIX_DECREF(state->certSerialNumber);
99
 
        PKIX_DECREF(state->crlSelector);
100
 
        state->crlStoreIndex = 0;
101
 
        state->numCrlStores = 0;
102
 
 
103
 
cleanup:
104
 
 
105
 
        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
106
 
}
107
 
 
108
 
/*
109
 
 * FUNCTION: pkix_DefaultCRLCheckerState_RegisterSelf
110
 
 *
111
 
 * DESCRIPTION:
112
 
 *  Registers PKIX_DEFAULTCRLCHECKERSTATE_TYPE and its related functions
113
 
 *  with systemClasses[]
114
 
 *
115
 
 * THREAD SAFETY:
116
 
 *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
117
 
 *
118
 
 *  Since this function is only called by PKIX_PL_Initialize, which should
119
 
 *  only be called once, it is acceptable that this function is not
120
 
 *  thread-safe.
121
 
 */
122
 
PKIX_Error *
123
 
pkix_DefaultCRLCheckerState_RegisterSelf(void *plContext)
124
 
{
125
 
        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
126
 
        pkix_ClassTable_Entry entry;
127
 
 
128
 
        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
129
 
                    "pkix_DefaultCRLCheckerState_RegisterSelf");
130
 
 
131
 
        entry.description = "DefaultCRLCheckerState";
132
 
        entry.objCounter = 0;
133
 
        entry.typeObjectSize = sizeof(pkix_DefaultCRLCheckerState);
134
 
        entry.destructor = pkix_DefaultCRLCheckerState_Destroy;
135
 
        entry.equalsFunction = NULL;
136
 
        entry.hashcodeFunction = NULL;
137
 
        entry.toStringFunction = NULL;
138
 
        entry.comparator = NULL;
139
 
        entry.duplicateFunction = NULL;
140
 
 
141
 
        systemClasses[PKIX_DEFAULTCRLCHECKERSTATE_TYPE] = entry;
142
 
 
143
 
        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
144
 
}
145
 
 
146
 
/*
147
 
 * FUNCTION: pkix_DefaultCRLCheckerState_Create
148
 
 *
149
 
 * DESCRIPTION:
150
 
 *  Allocate and initialize DefaultCRLChecker state data.
151
 
 *
152
 
 * PARAMETERS
153
 
 *  "certStores"
154
 
 *      Address of CertStore List to be stored in state. Must be non-NULL.
155
 
 *  "testDate"
156
 
 *      Address of PKIX_PL_Date to be checked. May be NULL.
157
 
 *  "trustedPubKey"
158
 
 *      Trusted Anchor Public Key for verifying first Cert in the chain.
159
 
 *      Must be non-NULL.
160
 
 *  "certsRemaining"
161
 
 *      Number of certificates remaining in the chain.
162
 
 *  "nistCRLPolicyEnabled"
163
 
 *      If enabled, enforce nist crl policy.
164
 
 *  "pCheckerState"
165
 
 *      Address of DefaultCRLCheckerState that is returned. Must be non-NULL.
166
 
 *  "plContext"
167
 
 *      Platform-specific context pointer.
168
 
 *
169
 
 * THREAD SAFETY:
170
 
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
171
 
 *
172
 
 * RETURNS:
173
 
 *  Returns NULL if the function succeeds.
174
 
 *  Returns a DefaultCrlCheckerState Error if the function fails in a
175
 
 *  non-fatal way.
176
 
 *  Returns a Fatal Error
177
 
 */
178
 
static PKIX_Error *
179
 
pkix_DefaultCRLCheckerState_Create(
180
 
    PKIX_List *certStores,
181
 
    PKIX_PL_Date *testDate,
182
 
    PKIX_PL_PublicKey *trustedPubKey,
183
 
    PKIX_UInt32 certsRemaining,
184
 
    PKIX_Boolean nistCRLPolicyEnabled,
185
 
    pkix_DefaultCRLCheckerState **pCheckerState,
186
 
    void *plContext)
187
 
{
188
 
        pkix_DefaultCRLCheckerState *state = NULL;
189
 
 
190
 
        PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
191
 
                    "pkix_DefaultCRLCheckerState_Create");
192
 
        PKIX_NULLCHECK_TWO(certStores, pCheckerState);
193
 
 
194
 
        PKIX_CHECK(PKIX_PL_Object_Alloc
195
 
                    (PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
196
 
                    sizeof (pkix_DefaultCRLCheckerState),
197
 
                    (PKIX_PL_Object **)&state,
198
 
                    plContext),
199
 
                    PKIX_COULDNOTCREATEDEFAULTCRLCHECKERSTATEOBJECT);
200
 
 
201
 
        /* Initialize fields */
202
 
 
203
 
        PKIX_INCREF(certStores);
204
 
        state->certStores = certStores;
205
 
 
206
 
        PKIX_INCREF(testDate);
207
 
        state->testDate = testDate;
208
 
 
209
 
        PKIX_INCREF(trustedPubKey);
210
 
        state->prevPublicKey = trustedPubKey;
211
 
 
212
 
        state->certHasValidCrl = PKIX_FALSE;
213
 
        state->nistCRLPolicyEnabled = nistCRLPolicyEnabled;
214
 
        state->prevCertCrlSign = PKIX_TRUE;
215
 
        state->prevPublicKeyList = NULL;
216
 
        state->reasonCodeMask = 0;
217
 
        state->certsRemaining = certsRemaining;
218
 
 
219
 
        PKIX_CHECK(PKIX_PL_OID_Create
220
 
                    (PKIX_CRLREASONCODE_OID,
221
 
                    &state->crlReasonCodeOID,
222
 
                    plContext),
223
 
                    PKIX_OIDCREATEFAILED);
224
 
 
225
 
        state->certIssuer = NULL;
226
 
        state->certSerialNumber = NULL;
227
 
        state->crlSelector = NULL;
228
 
        state->crlStoreIndex = 0;
229
 
        state->numCrlStores = 0;
230
 
 
231
 
        *pCheckerState = state;
232
 
        state = NULL;
233
 
 
234
 
cleanup:
235
 
 
236
 
        PKIX_DECREF(state);
237
 
 
238
 
        PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
239
 
}
240
 
 
241
 
/* --Private-DefaultCRLChecker-Functions------------------------------------ */
242
 
 
243
 
/*
244
 
 * FUNCTION: pkix_DefaultCRLChecker_CheckCRLs
245
 
 *
246
 
 * DESCRIPTION:
247
 
 *  Check validity of "cert" based on CRLs at "crlList" that has correct
248
 
 *  signature verification with "publicKey".
249
 
 *
250
 
 * PARAMETERS
251
 
 *  "cert"
252
 
 *      Address of Cert which has the certificate data. Must be non-NULL.
253
 
 *  "certIssuer"
254
 
 *      Address of Issuer that associates with the Cert. Must be non-NULL.
255
 
 *  "certSerialNumber"
256
 
 *      Address of Serial Number that associates with the Cert. Must be 
257
 
 *      non-NULL.
258
 
 *  "publicKey"
259
 
 *      Address of Public Key that associates with the Cert Issuer.
260
 
 *      Must be non-NULL.
261
 
 *  "crlList"
262
 
 *      A List CRLs that the certificate is verified upon. Must be non-NULL.
263
 
 *  "state"
264
 
 *      Address of DefaultCRLCheckerState which keeps dynamic state data.
265
 
 *      Must be non-NULL.
266
 
 *  "pCrlEntryList"
267
 
 *      Address of PKIX_PL_CrlEntry List that contains valid CrlEntries for
268
 
 *      this Cert. May be NULL.
269
 
 *  "plContext"
270
 
 *      Platform-specific context pointer.
271
 
 *
272
 
 * THREAD SAFETY:
273
 
 *  Conditionally Thread Safe
274
 
 *      (see Thread Safety Definitions in Programmer's Guide)
275
 
 *
276
 
 * RETURNS:
277
 
 *  Returns NULL if the function succeeds.
278
 
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
279
 
 *  Returns a Fatal Error
280
 
 */
281
 
static PKIX_Error *
282
 
pkix_DefaultCRLChecker_CheckCRLs(
283
 
        PKIX_PL_Cert *cert,
284
 
        PKIX_PL_X500Name *certIssuer,
285
 
        PKIX_PL_BigInt *certSerialNumber,
286
 
        PKIX_PL_PublicKey *publicKey,
287
 
        PKIX_List *crlList,
288
 
        pkix_DefaultCRLCheckerState *state,
289
 
        PKIX_List **pCrlEntryList,
290
 
        void *plContext)
291
 
{
292
 
        PKIX_PL_CRL *crl = NULL;
293
 
        PKIX_PL_CRLEntry *crlEntry = NULL;
294
 
        PKIX_PL_PublicKey *pKey = NULL;
295
 
        PKIX_List *unresCrlCritExtOIDs = NULL;
296
 
        PKIX_List *unresCrlEntryCritExtOIDs = NULL;
297
 
        PKIX_List *crlEntryList = NULL;
298
 
        PKIX_Error *verifyFail = NULL;
299
 
        PKIX_UInt32 numCrls = 0;
300
 
        PKIX_UInt32 numKeys = 0;
301
 
        PKIX_UInt32 numCritExtOIDs = 0;
302
 
        PKIX_Boolean crlVerified = PKIX_FALSE;
303
 
        PKIX_Boolean crlRevoking = PKIX_FALSE;
304
 
        PKIX_Int32 reasonCode = 0;
305
 
        PKIX_UInt32 i;
306
 
        PKIX_Int32 j;
307
 
 
308
 
        PKIX_ENTER(CERTCHAINCHECKER,
309
 
                    "pkix_DefaultCRLChecker_CheckCRLs");
310
 
        PKIX_NULLCHECK_FOUR(cert, publicKey, crlList, state);
311
 
 
312
 
        PKIX_CHECK(PKIX_List_GetLength(crlList, &numCrls, plContext),
313
 
                    PKIX_LISTGETLENGTHFAILED);
314
 
 
315
 
        if (state->prevPublicKeyList != NULL) {
316
 
 
317
 
                PKIX_CHECK(PKIX_List_GetLength
318
 
                    (state->prevPublicKeyList, &numKeys, plContext),
319
 
                    PKIX_LISTGETLENGTHFAILED);
320
 
        }
321
 
 
322
 
        /* Check if Cert is not revoked by any the the CRLs */
323
 
 
324
 
        for (i = 0; i < numCrls; i++){
325
 
 
326
 
                PKIX_CHECK(PKIX_List_GetItem
327
 
                            (crlList, i, (PKIX_PL_Object **)&crl, plContext),
328
 
                            PKIX_LISTGETITEMFAILED);
329
 
 
330
 
                /*
331
 
                 * Checking serial number (issuer done in selector) then
332
 
                 * verify signature. If matches, get the CRL reason(s).
333
 
                 */
334
 
 
335
 
                if (state->prevCertCrlSign == PKIX_TRUE) {
336
 
                        verifyFail = PKIX_PL_CRL_VerifySignature
337
 
                                (crl, publicKey, plContext);
338
 
                        if (verifyFail == NULL) {
339
 
                                crlVerified = PKIX_TRUE;
340
 
                        } else {
341
 
                                crlVerified = PKIX_FALSE;
342
 
                                PKIX_DECREF(verifyFail);
343
 
                        }
344
 
                }
345
 
 
346
 
                if (crlVerified == PKIX_FALSE) {
347
 
 
348
 
                    /* Verify from old key(s) on the list */
349
 
                    for (j = numKeys - 1; j >= 0; j--) {
350
 
 
351
 
                            PKIX_CHECK(PKIX_List_GetItem
352
 
                                (state->prevPublicKeyList,
353
 
                                j,
354
 
                                (PKIX_PL_Object **) &pKey,
355
 
                                plContext),
356
 
                                PKIX_LISTGETITEMFAILED);
357
 
 
358
 
                            verifyFail = PKIX_PL_CRL_VerifySignature
359
 
                                (crl, pKey, plContext);
360
 
 
361
 
                            if (verifyFail == NULL) {
362
 
                                crlVerified = PKIX_TRUE;
363
 
                                break;
364
 
                            } else {
365
 
                                crlVerified = PKIX_FALSE;
366
 
                                PKIX_DECREF(verifyFail);
367
 
                            }
368
 
 
369
 
                            PKIX_DECREF(pKey);
370
 
                    }
371
 
                }
372
 
 
373
 
                if (crlVerified == PKIX_FALSE) {
374
 
                    /* try next one ... */
375
 
                    goto cleanup_loop;
376
 
                }
377
 
 
378
 
                state->certHasValidCrl = PKIX_TRUE;
379
 
 
380
 
                PKIX_CHECK(PKIX_PL_CRL_GetCriticalExtensionOIDs
381
 
                            (crl, &unresCrlCritExtOIDs, plContext),
382
 
                            PKIX_CRLGETCRITICALEXTENSIONOIDSFAILED);
383
 
 
384
 
                /*
385
 
                 * XXX Advanced CRL work - should put a
386
 
                 * Loop here to process and remove critical
387
 
                 * extension oids.
388
 
                 */
389
 
 
390
 
                if (unresCrlCritExtOIDs) {
391
 
 
392
 
                    PKIX_CHECK(PKIX_List_GetLength(unresCrlCritExtOIDs,
393
 
                        &numCritExtOIDs,
394
 
                        plContext),
395
 
                        PKIX_LISTGETLENGTHFAILED);
396
 
 
397
 
                    if (numCritExtOIDs != 0) {
398
 
                        PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
399
 
                                (PKIX_CRLCRITICALEXTENSIONOIDSNOTPROCESSED);
400
 
                        /*
401
 
                         * Uncomment this after we have implemented
402
 
                         * checkers for all the critical extensions.
403
 
                         *
404
 
                         * PKIX_ERROR
405
 
                         *      ("Unrecognized CRL Critical Extension");
406
 
                         */
407
 
                    }
408
 
                }
409
 
 
410
 
                PKIX_CHECK(PKIX_PL_CRL_GetCRLEntryForSerialNumber
411
 
                            (crl, certSerialNumber, &crlEntry, plContext),
412
 
                            PKIX_CRLGETCRLENTRYFORSERIALNUMBERFAILED);
413
 
 
414
 
                if (crlEntry == NULL) {
415
 
                    goto cleanup_loop;
416
 
                }
417
 
 
418
 
                crlRevoking = PKIX_TRUE;
419
 
 
420
 
                PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
421
 
                            (crlEntry,
422
 
                            &reasonCode,
423
 
                            plContext),
424
 
                            PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
425
 
 
426
 
                /* This is a valid CRLEntry, return it for caching */
427
 
                if (crlEntryList == NULL) {
428
 
                    PKIX_CHECK(PKIX_List_Create(&crlEntryList, plContext),
429
 
                            PKIX_LISTCREATEFAILED);
430
 
 
431
 
                }
432
 
 
433
 
                PKIX_CHECK(PKIX_List_AppendItem
434
 
                        (crlEntryList, (PKIX_PL_Object *) crlEntry, plContext),
435
 
                        PKIX_LISTAPPENDITEMFAILED);
436
 
 
437
 
                /* Set reason code in state for advance CRL reviewing */
438
 
 
439
 
                if (reasonCode >= 0) {
440
 
                    if (reasonCode >= numReasonCodes) 
441
 
                        reasonCode = 0;
442
 
 
443
 
                    state->reasonCodeMask |= 1 << reasonCode;
444
 
                    PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
445
 
                        ("CRL revocation Reason: %s\n ",
446
 
                        reasonCodeMsgString[reasonCode]);
447
 
 
448
 
                } else {
449
 
                    PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
450
 
                        ("Revoked by Unknown CRL ReasonCode");
451
 
                }
452
 
 
453
 
                PKIX_CHECK(PKIX_PL_CRLEntry_GetCriticalExtensionOIDs
454
 
                            (crlEntry, &unresCrlEntryCritExtOIDs, plContext),
455
 
                            PKIX_CRLENTRYGETCRITICALEXTENSIONOIDSFAILED);
456
 
                if (unresCrlEntryCritExtOIDs) {
457
 
 
458
 
                    PKIX_CHECK(pkix_List_Remove
459
 
                            (unresCrlEntryCritExtOIDs,
460
 
                            (PKIX_PL_Object *) state->crlReasonCodeOID,
461
 
                            plContext),
462
 
                            PKIX_LISTREMOVEFAILED);
463
 
 
464
 
                    PKIX_CHECK(PKIX_List_GetLength(unresCrlEntryCritExtOIDs,
465
 
                        &numCritExtOIDs,
466
 
                        plContext),
467
 
                        PKIX_LISTGETLENGTHFAILED);
468
 
 
469
 
                    if (numCritExtOIDs != 0) {
470
 
 
471
 
                        PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
472
 
                            (PKIX_CRLENTRYCRITICALEXTENSIONWASNOTPROCESSED);
473
 
                        PKIX_ERROR(PKIX_UNRECOGNIZEDCRLENTRYCRITICALEXTENSION);
474
 
                    }
475
 
                }
476
 
 
477
 
        cleanup_loop:
478
 
 
479
 
                PKIX_DECREF(pKey);
480
 
                PKIX_DECREF(verifyFail);
481
 
                PKIX_DECREF(pKey);
482
 
                PKIX_DECREF(crlEntry);
483
 
                PKIX_DECREF(crl);
484
 
                PKIX_DECREF(unresCrlCritExtOIDs);
485
 
                PKIX_DECREF(unresCrlEntryCritExtOIDs);
486
 
        }
487
 
 
488
 
        *pCrlEntryList = crlEntryList;
489
 
 
490
 
        if (crlRevoking == PKIX_TRUE) {
491
 
 
492
 
                PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
493
 
        }
494
 
 
495
 
cleanup:
496
 
 
497
 
        PKIX_DECREF(pKey);
498
 
        PKIX_DECREF(verifyFail);
499
 
        PKIX_DECREF(crlEntry);
500
 
        PKIX_DECREF(crl);
501
 
        PKIX_DECREF(unresCrlCritExtOIDs);
502
 
        PKIX_DECREF(unresCrlEntryCritExtOIDs);
503
 
 
504
 
        PKIX_RETURN(CERTCHAINCHECKER);
505
 
}
506
 
 
507
 
/*
508
 
 * FUNCTION: pkix_DefaultCRLChecker_Check_SetSelector
509
 
 *
510
 
 * DESCRIPTION:
511
 
 *  This function creates a CRLSelector suitable for finding a CRL for
512
 
 *  the Cert pointed to by "cert", setting the result in the
513
 
 *  defaultCRLCheckerState pointed to by "state".
514
 
 *
515
 
 * PARAMETERS
516
 
 *  "cert"
517
 
 *      Address of Cert for which a CRLSelector is to be constructed. Must be
518
 
 *      non-NULL.
519
 
 *  "state"
520
 
 *      Address of defaultCRLCheckerState whose CRLSelector is to be set. Must
521
 
 *      be non-NULL.
522
 
 *  "plContext"
523
 
 *      Platform-specific context pointer.
524
 
 *
525
 
 * THREAD SAFETY:
526
 
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
527
 
 *
528
 
 * RETURNS:
529
 
 *  Returns NULL if the function succeeds.
530
 
 *  Returns a DefaultCrlCheckerState Error if the function fails in a
531
 
 *  non-fatal way.
532
 
 *  Returns a Fatal Error
533
 
 */
534
 
PKIX_Error *
535
 
pkix_DefaultCRLChecker_Check_SetSelector(
536
 
        PKIX_PL_Cert *cert,
537
 
        pkix_DefaultCRLCheckerState *state,
538
 
        void *plContext)
539
 
{
540
 
        PKIX_PL_X500Name *certIssuer = NULL;
541
 
        PKIX_PL_BigInt *certSerialNumber = NULL;
542
 
        PKIX_PL_Date *nowDate = NULL;
543
 
        PKIX_ComCRLSelParams *comCrlSelParams = NULL;
544
 
        PKIX_CRLSelector *crlSelector = NULL;
545
 
 
546
 
        PKIX_ENTER
547
 
                (CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_SetSelector");
548
 
        PKIX_NULLCHECK_TWO(cert, state);
549
 
 
550
 
        PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &certIssuer, plContext),
551
 
                PKIX_CERTGETISSUERFAILED);
552
 
 
553
 
        PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
554
 
                (cert, &certSerialNumber, plContext),
555
 
                PKIX_CERTGETSERIALNUMBERFAILED);
556
 
 
557
 
        if (state->testDate != NULL) {
558
 
 
559
 
                PKIX_INCREF(state->testDate);
560
 
                nowDate = state->testDate;
561
 
 
562
 
        } else {
563
 
 
564
 
                PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
565
 
                        (NULL, &nowDate, plContext),
566
 
                        PKIX_DATECREATEUTCTIMEFAILED);
567
 
        }
568
 
 
569
 
        PKIX_CHECK(PKIX_ComCRLSelParams_Create
570
 
                (&comCrlSelParams, plContext),
571
 
                PKIX_COMCRLSELPARAMSCREATEFAILED);
572
 
 
573
 
        PKIX_CHECK(PKIX_ComCRLSelParams_AddIssuerName
574
 
                (comCrlSelParams, certIssuer, plContext),
575
 
                PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED);
576
 
 
577
 
        PKIX_CHECK(PKIX_ComCRLSelParams_SetDateAndTime
578
 
                (comCrlSelParams, nowDate, plContext),
579
 
                PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);
580
 
 
581
 
        PKIX_CHECK(PKIX_ComCRLSelParams_SetNISTPolicyEnabled
582
 
                (comCrlSelParams, state->nistCRLPolicyEnabled, plContext),
583
 
                PKIX_COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED);
584
 
 
585
 
        PKIX_CHECK(PKIX_CRLSelector_Create
586
 
                (NULL,
587
 
                NULL, /* never used? (PKIX_PL_Object *)checker, */
588
 
                &crlSelector,
589
 
                plContext),
590
 
                PKIX_CRLSELECTORCREATEFAILED);
591
 
 
592
 
        PKIX_CHECK(PKIX_CRLSelector_SetCommonCRLSelectorParams
593
 
                (crlSelector, comCrlSelParams, plContext),
594
 
                PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED);
595
 
 
596
 
        PKIX_DECREF(state->certIssuer);
597
 
        PKIX_INCREF(certIssuer);
598
 
        state->certIssuer = certIssuer;
599
 
        PKIX_DECREF(state->certSerialNumber);
600
 
        PKIX_INCREF(certSerialNumber);
601
 
        state->certSerialNumber = certSerialNumber;
602
 
        PKIX_DECREF(state->crlSelector);
603
 
        PKIX_INCREF(crlSelector);
604
 
        state->crlSelector = crlSelector;
605
 
 
606
 
        state->crlStoreIndex = 0;
607
 
 
608
 
        PKIX_CHECK(PKIX_List_GetLength
609
 
                    (state->certStores, &(state->numCrlStores), plContext),
610
 
                    PKIX_LISTGETLENGTHFAILED);
611
 
 
612
 
        state->certHasValidCrl = PKIX_FALSE;
613
 
 
614
 
cleanup:
615
 
 
616
 
        PKIX_DECREF(certIssuer);
617
 
        PKIX_DECREF(certSerialNumber);
618
 
        PKIX_DECREF(nowDate);
619
 
        PKIX_DECREF(comCrlSelParams);
620
 
        PKIX_DECREF(crlSelector);
621
 
 
622
 
        PKIX_RETURN(CERTCHAINCHECKER);
623
 
}
624
 
 
625
 
/*
626
 
 * FUNCTION: pkix_DefaultCRLChecker_Check_Store
627
 
 *
628
 
 * DESCRIPTION:
629
 
 *  Checks the certStore pointed to by "certStore" for a CRL that may determine
630
 
 *  whether the Cert pointed to by "cert" has been revoked.
631
 
 *
632
 
 * PARAMETERS
633
 
 *  "checker"
634
 
 *      Address of CertChainChecker which has the state data.
635
 
 *      Must be non-NULL.
636
 
 *  "cert"
637
 
 *      Address of Certificate that is to be validated. Must be non-NULL.
638
 
 *  "prevPublicKey"
639
 
 *      Address of previous public key in the backward chain. May be NULL.
640
 
 *  "state"
641
 
 *      Address of DefaultCrlCheckerState. Must be non-NULL.
642
 
 *  "unresolvedCriticalExtensions"
643
 
 *      A List OIDs. Not **yet** used in this checker function.
644
 
 *  "certStore"
645
 
 *      Address of the CertStore to be queried for a relevant CRL. Must be
646
 
 *      non-NULL.
647
 
 *  "pNBIOContext"
648
 
 *      Address at which platform-dependent information is stored if processing
649
 
 *      is suspended for non-blocking I/O. Must be non-NULL.
650
 
 *  "plContext"
651
 
 *      Platform-specific context pointer.
652
 
 *
653
 
 * THREAD SAFETY:
654
 
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
655
 
 *
656
 
 * RETURNS:
657
 
 *  Returns NULL if the function succeeds.
658
 
 *  Returns a DefaultCrlCheckerState Error if the function fails in a
659
 
 *  non-fatal way.
660
 
 *  Returns a Fatal Error
661
 
 */
662
 
static PKIX_Error *
663
 
pkix_DefaultCRLChecker_Check_Store(
664
 
        PKIX_CertChainChecker *checker,
665
 
        PKIX_PL_Cert *cert,
666
 
        PKIX_PL_PublicKey *prevPublicKey,
667
 
        pkix_DefaultCRLCheckerState *state,
668
 
        PKIX_List *unresolvedCriticalExtensions,
669
 
        PKIX_CertStore *certStore,
670
 
        void **pNBIOContext,
671
 
        void *plContext)
672
 
{
673
 
 
674
 
        PKIX_Boolean cacheFlag = PKIX_FALSE;
675
 
        PKIX_Boolean cacheHit = PKIX_FALSE;
676
 
        PKIX_UInt32 numEntries = 0;
677
 
        PKIX_UInt32 i = 0;
678
 
        PKIX_Int32 reasonCode = 0;
679
 
        PKIX_UInt32 allReasonCodes = 0;
680
 
        PKIX_List *crlList = NULL;
681
 
        PKIX_List *crlEntryList = NULL;
682
 
        PKIX_PL_CRLEntry *crlEntry = NULL;
683
 
        PKIX_Error *checkCrlFail = NULL;
684
 
        PKIX_CertStore_CRLCallback getCrls = NULL;
685
 
        void *nbioContext = NULL;
686
 
 
687
 
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Store");
688
 
        PKIX_NULLCHECK_TWO(checker, cert);
689
 
        PKIX_NULLCHECK_THREE(state, certStore, pNBIOContext);
690
 
 
691
 
        nbioContext = *pNBIOContext;
692
 
        *pNBIOContext = NULL;
693
 
 
694
 
        /* Are this CertStore's entries in cache? */
695
 
        PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag
696
 
                (certStore, &cacheFlag, plContext),
697
 
                PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED);
698
 
 
699
 
        if (cacheFlag) {
700
 
 
701
 
                PKIX_CHECK(pkix_CacheCrlEntry_Lookup
702
 
                        (certStore,
703
 
                        state->certIssuer,
704
 
                        state->certSerialNumber,
705
 
                        &cacheHit,
706
 
                        &crlEntryList,
707
 
                        plContext),
708
 
                        PKIX_CACHECRLENTRYLOOKUPFAILED);
709
 
 
710
 
        }
711
 
 
712
 
        if (cacheHit) {
713
 
 
714
 
                /* Use cached data */
715
 
 
716
 
                PKIX_CHECK(PKIX_List_GetLength
717
 
                        (crlEntryList, &numEntries, plContext),
718
 
                        PKIX_LISTGETLENGTHFAILED);
719
 
 
720
 
                for (i = 0; i < numEntries; i++) {
721
 
 
722
 
                    PKIX_CHECK(PKIX_List_GetItem
723
 
                            (crlEntryList,
724
 
                            i,
725
 
                            (PKIX_PL_Object **)&crlEntry,
726
 
                            plContext),
727
 
                            PKIX_LISTGETITEMFAILED);
728
 
 
729
 
                    PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
730
 
                            (crlEntry, &reasonCode, plContext),
731
 
                            PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
732
 
 
733
 
                    if (reasonCode >= 0) {
734
 
                        if (reasonCode >= numReasonCodes) 
735
 
                            reasonCode = 0;
736
 
 
737
 
                        allReasonCodes |= (1 << reasonCode);
738
 
 
739
 
                        PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
740
 
                                    ("CRL revocation Reason: %s\n ",
741
 
                                    reasonCodeMsgString[reasonCode]);
742
 
 
743
 
                    }
744
 
 
745
 
                    PKIX_DECREF(crlEntry);
746
 
                }
747
 
 
748
 
                state->reasonCodeMask |= allReasonCodes;
749
 
 
750
 
                if (allReasonCodes != 0) {
751
 
 
752
 
                        PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
753
 
                }
754
 
 
755
 
                PKIX_DECREF(crlEntryList);
756
 
 
757
 
       } else {
758
 
 
759
 
                if (nbioContext == NULL) {
760
 
                        PKIX_CHECK(PKIX_CertStore_GetCRLCallback
761
 
                                (certStore, &getCrls, plContext),
762
 
                                PKIX_CERTSTOREGETCRLCALLBACKFAILED);
763
 
 
764
 
                        PKIX_CHECK(getCrls
765
 
                                (certStore,
766
 
                                state->crlSelector,
767
 
                                &nbioContext,
768
 
                                &crlList,
769
 
                                plContext),
770
 
                                PKIX_GETCRLSFAILED);
771
 
                } else {
772
 
                        PKIX_CHECK(PKIX_CertStore_CrlContinue
773
 
                                (certStore,
774
 
                                state->crlSelector,
775
 
                                &nbioContext,
776
 
                                &crlList,
777
 
                                plContext),
778
 
                                PKIX_CERTSTORECRLCONTINUEFAILED);
779
 
                }
780
 
 
781
 
                /*
782
 
                 * Verify Certificate validity: if one CertStore provides
783
 
                 * reason code, we stop here. Instead of exhausting all
784
 
                 * CertStores to get all possible reason codes associated
785
 
                 *  with the Cert. May be expanded if desire otherwise.
786
 
                 */
787
 
 
788
 
                if (crlList == NULL) {
789
 
 
790
 
                        *pNBIOContext = nbioContext;
791
 
                } else {
792
 
 
793
 
                        *pNBIOContext = NULL;
794
 
 
795
 
                        checkCrlFail = pkix_DefaultCRLChecker_CheckCRLs
796
 
                                (cert,
797
 
                                state->certIssuer,
798
 
                                state->certSerialNumber,
799
 
                                prevPublicKey,
800
 
                                crlList,
801
 
                                state,
802
 
                                &crlEntryList,
803
 
                                plContext);
804
 
 
805
 
                        if (checkCrlFail) {
806
 
                                if (crlEntryList != NULL) {
807
 
                                        /* Add to cache */
808
 
                                        PKIX_CHECK(pkix_CacheCrlEntry_Add
809
 
                                               (certStore,
810
 
                                               state->certIssuer,
811
 
                                               state->certSerialNumber,
812
 
                                               crlEntryList,
813
 
                                               plContext),
814
 
                                               PKIX_CACHECRLENTRYADDFAILED);
815
 
                                }
816
 
                                PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
817
 
                        }
818
 
                }
819
 
 
820
 
                PKIX_DECREF(crlList);
821
 
 
822
 
        }
823
 
 
824
 
cleanup:
825
 
        PKIX_DECREF(crlEntryList);
826
 
        PKIX_DECREF(crlEntry);
827
 
        PKIX_DECREF(crlList);
828
 
        PKIX_DECREF(checkCrlFail);
829
 
 
830
 
        PKIX_RETURN(CERTCHAINCHECKER);
831
 
}
832
 
 
833
 
/*
834
 
 * FUNCTION: pkix_DefaultCRLChecker_Check_Helper
835
 
 *
836
 
 * DESCRIPTION:
837
 
 *  Check if the Cert has been revoked based on the CRL's data. It exhausts all
838
 
 *  CertStores and match CRLs at those stores for the certificate. It set the
839
 
 *  current date and issuer in CRLSelector to fetching CRL data from cache.
840
 
 *
841
 
 * PARAMETERS
842
 
 *  "checker"
843
 
 *      Address of CertChainChecker which has the state data.
844
 
 *      Must be non-NULL.
845
 
 *  "cert"
846
 
 *      Address of Certificate that is to be validated. Must be non-NULL.
847
 
 *  "prevPublicKey"
848
 
 *      Address of previous public key in the backward chain. May be NULL.
849
 
 *  "state"
850
 
 *      Address of DefaultCrlCheckerState. Must be non-NULL.
851
 
 *  "unresolvedCriticalExtensions"
852
 
 *      A List OIDs. Not **yet** used in this checker function.
853
 
 *  "useOnlyLocal"
854
 
 *      Boolean value indicating whether to use or bypass remote CertStores
855
 
 *  "pNBIOContext"
856
 
 *      Address at which platform-dependent information is stored if processing
857
 
 *      is suspended for non-blocking I/O. Must be non-NULL.
858
 
 *  "plContext"
859
 
 *      Platform-specific context pointer.
860
 
 *
861
 
 * THREAD SAFETY:
862
 
 *  Not Thread Safe
863
 
 *      (see Thread Safety Definitions in Programmer's Guide)
864
 
 *
865
 
 * RETURNS:
866
 
 *  Returns NULL if the function succeeds.
867
 
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
868
 
 *  Returns a Fatal Error
869
 
 */
870
 
PKIX_Error *
871
 
pkix_DefaultCRLChecker_Check_Helper(
872
 
        PKIX_CertChainChecker *checker,
873
 
        PKIX_PL_Cert *cert,
874
 
        PKIX_PL_PublicKey *prevPublicKey,
875
 
        pkix_DefaultCRLCheckerState *state,
876
 
        PKIX_List *unresolvedCriticalExtensions,
877
 
        PKIX_Boolean useOnlyLocal,
878
 
        void **pNBIOContext,
879
 
        void *plContext)
880
 
{
881
 
 
882
 
        void *nbioContext = NULL;
883
 
        PKIX_Boolean certStoreCanBeUsed = PKIX_FALSE;
884
 
        PKIX_CertStore *certStore = NULL;
885
 
        PKIX_Error *storeError = NULL;
886
 
 
887
 
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Helper");
888
 
        PKIX_NULLCHECK_THREE(checker, cert, state);
889
 
 
890
 
        nbioContext = *pNBIOContext;
891
 
        *pNBIOContext = NULL; /* prepare for Error exit */
892
 
 
893
 
        while ((state->crlStoreIndex) < (state->numCrlStores)) {
894
 
 
895
 
                /*
896
 
                 * For Basic CRL work, exit the loop when there is a valid
897
 
                 * CRL. For advance CRL, need to exhaust CRL until all
898
 
                 * reason masks are checked or a revocation is found.
899
 
                 */
900
 
 
901
 
                if (state->certHasValidCrl == PKIX_TRUE) {
902
 
                        break;
903
 
                }
904
 
 
905
 
                PKIX_CHECK(PKIX_List_GetItem
906
 
                        (state->certStores,
907
 
                        state->crlStoreIndex,
908
 
                        (PKIX_PL_Object **)&certStore,
909
 
                        plContext),
910
 
                        PKIX_LISTGETITEMFAILED);
911
 
 
912
 
                if (useOnlyLocal == PKIX_FALSE) {
913
 
                        certStoreCanBeUsed = PKIX_TRUE;
914
 
                } else {
915
 
                        PKIX_CHECK(PKIX_CertStore_GetLocalFlag
916
 
                                (certStore, &certStoreCanBeUsed, plContext),
917
 
                                PKIX_CERTSTOREGETLOCALFLAGFAILED);
918
 
                }
919
 
 
920
 
                if (certStoreCanBeUsed == PKIX_TRUE)
921
 
                {
922
 
                        /* Catch and re-throw error to preserve information */
923
 
                        storeError = pkix_DefaultCRLChecker_Check_Store
924
 
                                (checker,
925
 
                                cert,
926
 
                                prevPublicKey,
927
 
                                state,
928
 
                                unresolvedCriticalExtensions,
929
 
                                certStore,
930
 
                                &nbioContext,
931
 
                                plContext);
932
 
                        PKIX_CHECK
933
 
                                (storeError,
934
 
                                PKIX_DEFAULTCRLCHECKERCHECKSTOREFAILED);
935
 
 
936
 
                        if (nbioContext != NULL) {
937
 
                                /* I/O still pending. Exit and resume later. */
938
 
                                *pNBIOContext = nbioContext;
939
 
                                goto cleanup;
940
 
                        }
941
 
                }
942
 
 
943
 
                PKIX_DECREF(certStore);
944
 
                state->crlStoreIndex++;
945
 
        } /* while ((state->crlStoreIndex) < (state->numCrlStores)) */
946
 
 
947
 
        if (state->nistCRLPolicyEnabled != PKIX_FALSE &&
948
 
            state->certHasValidCrl == PKIX_FALSE) {
949
 
            PKIX_ERROR(PKIX_CERTIFICATEDOESNTHAVEVALIDCRL);
950
 
        }
951
 
 
952
 
cleanup:
953
 
 
954
 
        PKIX_DECREF(certStore);
955
 
 
956
 
        PKIX_RETURN(CERTCHAINCHECKER);
957
 
}
958
 
 
959
 
/*
960
 
 * FUNCTION: pkix_DefaultCRLChecker_Check
961
 
 *
962
 
 * DESCRIPTION:
963
 
 *  Check if the Cert has been revoked based the CRLs data.  This function
964
 
 *  maintains the checker state to be current.
965
 
 *
966
 
 * PARAMETERS
967
 
 *  "checker"
968
 
 *      Address of CertChainChecker which has the state data.
969
 
 *      Must be non-NULL.
970
 
 *  "cert"
971
 
 *      Address of Certificate that is to be validated. Must be non-NULL.
972
 
 *  "unresolvedCriticalExtensions"
973
 
 *      A List OIDs. Not **yet** used in this checker function.
974
 
 *  "plContext"
975
 
 *      Platform-specific context pointer.
976
 
 *
977
 
 * THREAD SAFETY:
978
 
 *  Not Thread Safe
979
 
 *      (see Thread Safety Definitions in Programmer's Guide)
980
 
 *
981
 
 * RETURNS:
982
 
 *  Returns NULL if the function succeeds.
983
 
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
984
 
 *  Returns a Fatal Error
985
 
 */
986
 
static PKIX_Error *
987
 
pkix_DefaultCRLChecker_Check(
988
 
        PKIX_CertChainChecker *checker,
989
 
        PKIX_PL_Cert *cert,
990
 
        PKIX_List *unresolvedCriticalExtensions,
991
 
        void **pNBIOContext,
992
 
        void *plContext)
993
 
{
994
 
        pkix_DefaultCRLCheckerState *state = NULL;
995
 
        PKIX_PL_PublicKey *publicKey = NULL;
996
 
        PKIX_PL_PublicKey *newPublicKey = NULL;
997
 
        PKIX_Error *checkKeyUsageFail = NULL;
998
 
        PKIX_Boolean selfIssued = PKIX_FALSE;
999
 
        void *nbioContext = NULL;
1000
 
 
1001
 
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check");
1002
 
        PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
1003
 
 
1004
 
        nbioContext = *pNBIOContext;
1005
 
        *pNBIOContext = NULL; /* prepare for Error exit */
1006
 
 
1007
 
        PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
1008
 
                    (checker, (PKIX_PL_Object **)&state, plContext),
1009
 
                    PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
1010
 
 
1011
 
        PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
1012
 
                    (cert, &publicKey, plContext),
1013
 
                    PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
1014
 
 
1015
 
        /*
1016
 
         * If we already have a selector, we were in the middle of checking
1017
 
         * when a certStore returned with non-blocking I/O pendning.
1018
 
         */
1019
 
        if ((state->crlSelector) == NULL) {
1020
 
                state->certsRemaining--;
1021
 
 
1022
 
                PKIX_NULLCHECK_ONE(state->prevPublicKey);
1023
 
 
1024
 
                if (state->prevCertCrlSign == PKIX_FALSE) {
1025
 
                        PKIX_ERROR
1026
 
                                (PKIX_KEYUSAGEKEYCRLSIGNBITNOTON);
1027
 
                }
1028
 
 
1029
 
                /* Set up CRLSelector */
1030
 
                PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
1031
 
                        (cert, state, plContext),
1032
 
                        PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
1033
 
 
1034
 
        }
1035
 
 
1036
 
        PKIX_CHECK(pkix_DefaultCRLChecker_Check_Helper
1037
 
                    (checker,
1038
 
                    cert,
1039
 
                    state->prevPublicKey,
1040
 
                    state,
1041
 
                    unresolvedCriticalExtensions,
1042
 
                    PKIX_FALSE,
1043
 
                    &nbioContext,
1044
 
                    plContext),
1045
 
                    PKIX_DEFAULTCRLCHECKERCHECKHELPERFAILED);
1046
 
 
1047
 
        if (nbioContext != NULL) {
1048
 
                *pNBIOContext = nbioContext;
1049
 
                goto cleanup;
1050
 
        }
1051
 
 
1052
 
        PKIX_DECREF(state->crlSelector);
1053
 
 
1054
 
        /*
1055
 
         * Some NIST test case in 4.5.* use different publicKeys for
1056
 
         * Cert and its CRL on the chain. Self-issued Certs are used
1057
 
         * to speciy multiple keys for those cases. That is why we apply
1058
 
         * the following algorithm:
1059
 
         *
1060
 
         * Check if Cert is self-issued. If so, the public key of the Cert
1061
 
         * that issues this Cert (old key) can be used together with this
1062
 
         * current key (new key) for key verification. If there are multiple
1063
 
         * self-issued certs, keys of those Certs (old keys) can also be used
1064
 
         * for key verification. Old key(s) is saved in a list (PrevPublickKey-
1065
 
         * List) and cleared when a Cert is no longer self-issued.
1066
 
         * PrevPublicKey keep key of the previous Cert.
1067
 
         * PrevPublicKeyList keep key(s) of Cert before the previous one.
1068
 
         */
1069
 
        PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
1070
 
                    PKIX_ISCERTSELFISSUEFAILED);
1071
 
 
1072
 
        if (selfIssued == PKIX_TRUE) {
1073
 
 
1074
 
                if (state->prevPublicKeyList == NULL) {
1075
 
 
1076
 
                        PKIX_CHECK(PKIX_List_Create
1077
 
                            (&state->prevPublicKeyList, plContext),
1078
 
                            PKIX_LISTCREATEFAILED);
1079
 
 
1080
 
                }
1081
 
 
1082
 
                PKIX_CHECK(PKIX_List_AppendItem
1083
 
                            (state->prevPublicKeyList,
1084
 
                            (PKIX_PL_Object *) state->prevPublicKey,
1085
 
                            plContext),
1086
 
                            PKIX_LISTAPPENDITEMFAILED);
1087
 
 
1088
 
        } else {
1089
 
                /* Not self-issued Cert any more, clear old key(s) saved */
1090
 
                PKIX_DECREF(state->prevPublicKeyList);
1091
 
        }
1092
 
 
1093
 
        /* Make inheritance and save current Public Key */
1094
 
        PKIX_CHECK(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
1095
 
                    (publicKey, state->prevPublicKey, &newPublicKey, plContext),
1096
 
                    PKIX_PUBLICKEYMAKEINHERITEDDSAPUBLICKEYFAILED);
1097
 
 
1098
 
        if (newPublicKey == NULL){
1099
 
                PKIX_INCREF(publicKey);
1100
 
                newPublicKey = publicKey;
1101
 
        }
1102
 
 
1103
 
        PKIX_DECREF(state->prevPublicKey);
1104
 
        PKIX_INCREF(newPublicKey);
1105
 
        state->prevPublicKey = newPublicKey;
1106
 
 
1107
 
        /* Save current Cert's crlSign bit for CRL checking later */
1108
 
        if (state->certsRemaining != 0) {
1109
 
                checkKeyUsageFail = PKIX_PL_Cert_VerifyKeyUsage
1110
 
                        (cert, PKIX_CRL_SIGN, plContext);
1111
 
 
1112
 
                state->prevCertCrlSign = (checkKeyUsageFail == NULL)?
1113
 
                        PKIX_TRUE : PKIX_FALSE;
1114
 
 
1115
 
                PKIX_DECREF(checkKeyUsageFail);
1116
 
        }
1117
 
 
1118
 
/*
1119
 
        PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
1120
 
                (checker, (PKIX_PL_Object *)state, plContext),
1121
 
                PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
1122
 
 */
1123
 
 
1124
 
cleanup:
1125
 
 
1126
 
        PKIX_DECREF(state);
1127
 
        PKIX_DECREF(publicKey);
1128
 
        PKIX_DECREF(newPublicKey);
1129
 
        PKIX_DECREF(checkKeyUsageFail);
1130
 
 
1131
 
        PKIX_RETURN(CERTCHAINCHECKER);
1132
 
}
1133
 
 
1134
 
/*
1135
 
 * FUNCTION: pkix_DefaultCRLChecker_Initialize
1136
 
 *
1137
 
 * DESCRIPTION:
1138
 
 *  Create a CertChainChecker with DefaultCRLCheckerState.
1139
 
 *
1140
 
 * PARAMETERS
1141
 
 *  "certStores"
1142
 
 *      Address of CertStore List to be stored in state. Must be non-NULL.
1143
 
 *  "testDate"
1144
 
 *      Address of PKIX_PL_Date to be checked. May be NULL.
1145
 
 *  "trustedPubKey"
1146
 
 *      Address of Public Key of Trust Anchor. Must be non-NULL.
1147
 
 *  "certsRemaining"
1148
 
 *      Number of certificates remaining in the chain.
1149
 
 *  "nistPolicyEnabled"
1150
 
 *      Enable NIST crl policy.
1151
 
 *  "pChecker"
1152
 
 *      Address where object pointer will be stored. Must be non-NULL.
1153
 
 *      Must be non-NULL.
1154
 
 *  "plContext"
1155
 
 *      Platform-specific context pointer.
1156
 
 *
1157
 
 * THREAD SAFETY:
1158
 
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
1159
 
 *
1160
 
 * RETURNS:
1161
 
 *  Returns NULL if the function succeeds.
1162
 
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
1163
 
 *  Returns a Fatal Error
1164
 
 */
1165
 
PKIX_Error *
1166
 
pkix_DefaultCRLChecker_Initialize(
1167
 
        PKIX_List *certStores,
1168
 
        PKIX_PL_Date *testDate,
1169
 
        PKIX_PL_PublicKey *trustedPubKey,
1170
 
        PKIX_UInt32 certsRemaining,
1171
 
        PKIX_Boolean nistPolicyEnabled,
1172
 
        PKIX_CertChainChecker **pChecker,
1173
 
        void *plContext)
1174
 
{
1175
 
        pkix_DefaultCRLCheckerState *state = NULL;
1176
 
 
1177
 
        PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Initialize");
1178
 
        PKIX_NULLCHECK_TWO(certStores, pChecker);
1179
 
 
1180
 
        PKIX_CHECK(pkix_DefaultCRLCheckerState_Create
1181
 
                    (certStores,
1182
 
                    testDate,
1183
 
                    trustedPubKey,
1184
 
                    certsRemaining,
1185
 
                    nistPolicyEnabled, 
1186
 
                    &state,
1187
 
                    plContext),
1188
 
                    PKIX_DEFAULTCRLCHECKERSTATECREATEFAILED);
1189
 
 
1190
 
        PKIX_CHECK(PKIX_CertChainChecker_Create
1191
 
                    (pkix_DefaultCRLChecker_Check,
1192
 
                    PKIX_FALSE,
1193
 
                    PKIX_FALSE,
1194
 
                    NULL,
1195
 
                    (PKIX_PL_Object *) state,
1196
 
                    pChecker,
1197
 
                    plContext),
1198
 
                    PKIX_CERTCHAINCHECKERCREATEFAILED);
1199
 
 
1200
 
cleanup:
1201
 
 
1202
 
        PKIX_DECREF(state);
1203
 
 
1204
 
        PKIX_RETURN(CERTCHAINCHECKER);
1205
 
}