1
/* ***** BEGIN LICENSE BLOCK *****
2
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
4
* The contents of this file are subject to the Mozilla Public License Version
5
* 1.1 (the "License"); you may not use this file except in compliance with
6
* the License. You may obtain a copy of the License at
7
* http://www.mozilla.org/MPL/
9
* Software distributed under the License is distributed on an "AS IS" basis,
10
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11
* for the specific language governing rights and limitations under the
14
* The Original Code is the PKIX-C library.
16
* The Initial Developer of the Original Code is
17
* Sun Microsystems, Inc.
18
* Portions created by the Initial Developer are
19
* Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
22
* Sun Microsystems, Inc.
24
* Alternatively, the contents of this file may be used under the terms of
25
* either the GNU General Public License Version 2 or later (the "GPL"), or
26
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27
* in which case the provisions of the GPL or the LGPL are applicable instead
28
* of those above. If you wish to allow use of your version of this file only
29
* under the terms of either the GPL or the LGPL, and not to allow others to
30
* use your version of this file under the terms of the MPL, indicate your
31
* decision by deleting the provisions above and replace them with the notice
32
* and other provisions required by the GPL or the LGPL. If you do not delete
33
* the provisions above, a recipient may use your version of this file under
34
* the terms of any one of the MPL, the GPL or the LGPL.
36
* ***** END LICENSE BLOCK ***** */
38
* pkix_defaultrevchecker.c
40
* Functions for default Revocation Checker
44
#include "pkix_defaultrevchecker.h"
46
/* --Private-DefaultRevChecker-Functions------------------------------- */
49
* FUNCTION: pkix_DefaultRevChecker_Destroy
50
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
53
pkix_DefaultRevChecker_Destroy(
54
PKIX_PL_Object *object,
57
PKIX_DefaultRevocationChecker *revChecker = NULL;
59
PKIX_ENTER(DEFAULTREVOCATIONCHECKER,
60
"pkix_DefaultRevChecker_Destroy");
61
PKIX_NULLCHECK_ONE(object);
63
/* Check that this object is a DefaultRevocationChecker */
64
PKIX_CHECK(pkix_CheckType
65
(object, PKIX_DEFAULTREVOCATIONCHECKER_TYPE, plContext),
66
PKIX_OBJECTNOTDEFAULTREVOCATIONCHECKER);
68
revChecker = (PKIX_DefaultRevocationChecker *)object;
70
PKIX_DECREF(revChecker->certChainChecker);
71
PKIX_DECREF(revChecker->certStores);
72
PKIX_DECREF(revChecker->testDate);
73
PKIX_DECREF(revChecker->trustedPubKey);
77
PKIX_RETURN(DEFAULTREVOCATIONCHECKER);
81
* FUNCTION: pkix_DefaultRevocationChecker_RegisterSelf
84
* Registers PKIX_DEFAULTREVOCATIONCHECKER_TYPE and its related functions
85
* with systemClasses[]
88
* Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
90
* Since this function is only called by PKIX_PL_Initialize, which should
91
* only be called once, it is acceptable that this function is not
95
pkix_DefaultRevocationChecker_RegisterSelf(void *plContext)
97
extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
98
pkix_ClassTable_Entry entry;
100
PKIX_ENTER(DEFAULTREVOCATIONCHECKER,
101
"pkix_DefaultRevocationChecker_RegisterSelf");
103
entry.description = "DefaultRevocationChecker";
104
entry.objCounter = 0;
105
entry.typeObjectSize = sizeof(PKIX_DefaultRevocationChecker);
106
entry.destructor = pkix_DefaultRevChecker_Destroy;
107
entry.equalsFunction = NULL;
108
entry.hashcodeFunction = NULL;
109
entry.toStringFunction = NULL;
110
entry.comparator = NULL;
111
entry.duplicateFunction = NULL;
113
systemClasses[PKIX_DEFAULTREVOCATIONCHECKER_TYPE] = entry;
115
PKIX_RETURN(DEFAULTREVOCATIONCHECKER);
119
* FUNCTION: pkix_DefaultRevChecker_Create
122
* This function uses the List of certStores given by "certStores", the Date
123
* given by "testDate", the PublicKey given by "trustedPubKey", and the number
124
* of certs remaining in the chain given by "certsRemaining" to create a
125
* DefaultRevocationChecker, which is stored at "pRevChecker".
129
* Address of CertStore List to be stored in state. Must be non-NULL.
131
* Address of PKIX_PL_Date to be checked. May be NULL.
133
* Address of Public Key of Trust Anchor. Must be non-NULL.
135
* Number of certificates remaining in the chain.
137
* Address of DefaultRevocationChecker that is returned. Must be non-NULL.
139
* Platform-specific context pointer.
142
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
145
* Returns NULL if the function succeeds.
146
* Returns a DefaultRevocationChecker Error if the function fails in a
148
* Returns a Fatal Error
151
pkix_DefaultRevChecker_Create(
152
PKIX_List *certStores,
153
PKIX_PL_Date *testDate,
154
PKIX_PL_PublicKey *trustedPubKey,
155
PKIX_UInt32 certsRemaining,
156
PKIX_DefaultRevocationChecker **pRevChecker,
159
PKIX_DefaultRevocationChecker *revChecker = NULL;
161
PKIX_ENTER(DEFAULTREVOCATIONCHECKER, "pkix_DefaultRevChecker_Create");
162
PKIX_NULLCHECK_THREE(certStores, trustedPubKey, pRevChecker);
164
PKIX_CHECK(PKIX_PL_Object_Alloc
165
(PKIX_DEFAULTREVOCATIONCHECKER_TYPE,
166
sizeof (PKIX_DefaultRevocationChecker),
167
(PKIX_PL_Object **)&revChecker,
169
PKIX_COULDNOTCREATEDEFAULTREVOCATIONCHECKEROBJECT);
171
/* Initialize fields */
173
revChecker->certChainChecker = NULL;
174
revChecker->check = NULL;
176
PKIX_INCREF(certStores);
177
revChecker->certStores = certStores;
179
PKIX_INCREF(testDate);
180
revChecker->testDate = testDate;
182
PKIX_INCREF(trustedPubKey);
183
revChecker->trustedPubKey = trustedPubKey;
185
revChecker->certsRemaining = certsRemaining;
187
*pRevChecker = revChecker;
192
PKIX_DECREF(revChecker);
194
PKIX_RETURN(DEFAULTREVOCATIONCHECKER);
197
/* --Private-DefaultRevChecker-Functions------------------------------------ */
200
* FUNCTION: pkix_DefaultRevChecker_Check
203
* Check if the Cert has been revoked based on the CRLs data. This function
204
* maintains the checker state to be current.
208
* Address of RevocationCheckerContext which has the state data.
211
* Address of Certificate that is to be validated. Must be non-NULL.
213
* Address of ProcessingParams used to initialize the ExpirationChecker
214
* and TargetCertChecker. Must be non-NULL.
216
* Address at which platform-dependent non-blocking I/O context is stored.
219
* Address where revocation status will be stored. Must be non-NULL.
221
* Platform-specific context pointer.
225
* (see Thread Safety Definitions in Programmer's Guide)
228
* Returns NULL if the function succeeds.
229
* Returns a RevocationChecker Error if the function fails in a non-fatal way.
230
* Returns a Fatal Error
233
pkix_DefaultRevChecker_Check(
234
PKIX_PL_Object *checkerContext,
236
PKIX_ProcessingParams *procParams,
238
PKIX_UInt32 *pReasonCode,
241
PKIX_DefaultRevocationChecker *defaultRevChecker = NULL;
242
PKIX_CertChainChecker *crlChecker = NULL;
243
PKIX_PL_Object *crlCheckerState = NULL;
244
PKIX_CertChainChecker_CheckCallback check = NULL;
245
void *nbioContext = NULL;
247
PKIX_ENTER(REVOCATIONCHECKER, "pkix_DefaultRevChecker_Check");
248
PKIX_NULLCHECK_FOUR(checkerContext, cert, pNBIOContext, pReasonCode);
250
/* Check that this object is a DefaultRevocationChecker */
251
PKIX_CHECK(pkix_CheckType
252
((PKIX_PL_Object *)checkerContext,
253
PKIX_DEFAULTREVOCATIONCHECKER_TYPE,
255
PKIX_OBJECTNOTDEFAULTREVOCATIONCHECKER);
257
defaultRevChecker = (PKIX_DefaultRevocationChecker *)checkerContext;
259
nbioContext = *pNBIOContext;
264
* If we haven't yet created a defaultCrlChecker to do the actual work,
267
if (defaultRevChecker->certChainChecker == NULL) {
268
PKIX_Boolean nistCRLPolicyEnabled = PR_TRUE;
271
pkix_ProcessingParams_GetNISTRevocationPolicyEnabled
272
(procParams, &nistCRLPolicyEnabled, plContext),
273
PKIX_PROCESSINGPARAMSGETNISTREVPOLICYENABLEDFAILED);
276
PKIX_CHECK(pkix_DefaultCRLChecker_Initialize
277
(defaultRevChecker->certStores,
278
defaultRevChecker->testDate,
279
defaultRevChecker->trustedPubKey,
280
defaultRevChecker->certsRemaining,
281
nistCRLPolicyEnabled,
284
PKIX_DEFAULTCRLCHECKERINITIALIZEFAILED);
286
PKIX_CHECK(PKIX_CertChainChecker_GetCheckCallback
287
(crlChecker, &check, plContext),
288
PKIX_CERTCHAINCHECKERGETCHECKCALLBACKFAILED);
290
defaultRevChecker->certChainChecker = crlChecker;
291
defaultRevChecker->check = check;
295
* The defaultCRLChecker, which we are using, wants a CRLSelector
296
* (in its state) to select the Issuer of the target Cert.
298
PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
299
(defaultRevChecker->certChainChecker,
302
PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
304
PKIX_CHECK(pkix_CheckType
305
(crlCheckerState, PKIX_DEFAULTCRLCHECKERSTATE_TYPE, plContext),
306
PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
308
/* Set up CRLSelector */
309
PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
311
(pkix_DefaultCRLCheckerState *)crlCheckerState,
313
PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
316
(PKIX_CertChainChecker_SetCertChainCheckerState
317
(defaultRevChecker->certChainChecker,
320
PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
322
PKIX_CHECK(defaultRevChecker->check
323
(defaultRevChecker->certChainChecker,
328
PKIX_CERTCHAINCHECKERCHECKCALLBACKFAILED);
330
*pNBIOContext = nbioContext;
334
PKIX_DECREF(crlCheckerState);
336
PKIX_RETURN(REVOCATIONCHECKER);
340
* FUNCTION: pkix_DefaultRevChecker_Initialize
343
* Create a CertChainChecker with DefaultRevChecker.
347
* Address of CertStore List to be stored in state. Must be non-NULL.
349
* Address of PKIX_PL_Date to be checked. May be NULL.
351
* Address of Public Key of Trust Anchor. Must be non-NULL.
353
* Number of certificates remaining in the chain.
355
* Address where object pointer will be stored. Must be non-NULL.
358
* Platform-specific context pointer.
361
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
364
* Returns NULL if the function succeeds.
365
* Returns a CertChainChecker Error if the function fails in a non-fatal way.
366
* Returns a Fatal Error
369
pkix_DefaultRevChecker_Initialize(
370
PKIX_List *certStores,
371
PKIX_PL_Date *testDate,
372
PKIX_PL_PublicKey *trustedPubKey,
373
PKIX_UInt32 certsRemaining,
374
PKIX_RevocationChecker **pChecker,
377
PKIX_DefaultRevocationChecker *revChecker = NULL;
379
PKIX_ENTER(REVOCATIONCHECKER, "pkix_DefaultRevChecker_Initialize");
380
PKIX_NULLCHECK_TWO(certStores, pChecker);
382
PKIX_CHECK(pkix_DefaultRevChecker_Create
389
PKIX_DEFAULTREVCHECKERCREATEFAILED);
391
PKIX_CHECK(PKIX_RevocationChecker_Create
392
(pkix_DefaultRevChecker_Check,
393
(PKIX_PL_Object *)revChecker,
396
PKIX_REVOCATIONCHECKERCREATEFAILED);
400
PKIX_DECREF(revChecker);
402
PKIX_RETURN(REVOCATIONCHECKER);