53
53
* checked. Those OIDs need to be removed from the unresolved critical
54
54
* extension OIDs list manually (instead of by checker automatically).
56
static char *buildCheckedCritExtOIDs[] = {
56
static SECOidTag buildCheckedCritExtOIDs[] = {
57
57
PKIX_CERTKEYUSAGE_OID,
58
58
PKIX_CERTSUBJALTNAME_OID,
59
59
PKIX_BASICCONSTRAINTS_OID,
60
60
PKIX_NAMECONSTRAINTS_OID,
61
61
PKIX_EXTENDEDKEYUSAGE_OID,
62
62
PKIX_NSCERTTYPE_OID,
66
66
/* --Private-ForwardBuilderState-Functions---------------------------------- */
1038
1038
PKIX_ForwardBuilderState *state,
1039
1039
PKIX_List *certChain,
1040
1040
PKIX_TrustAnchor *anchor,
1041
PKIX_Boolean addEkuChecker,
1041
PKIX_Boolean chainRevalidationStage,
1042
1042
void *plContext)
1044
1044
PKIX_List *checkers = NULL;
1051
1051
PKIX_CertChainChecker *sigChecker = NULL;
1052
1052
PKIX_CertChainChecker *policyChecker = NULL;
1053
1053
PKIX_CertChainChecker *userChecker = NULL;
1054
PKIX_CertChainChecker *ekuChecker = NULL;
1055
PKIX_List *userCheckersList = NULL;
1054
PKIX_CertChainChecker *checker = NULL;
1055
PKIX_CertSelector *certSelector = NULL;
1056
1056
PKIX_List *userCheckerExtOIDs = NULL;
1057
1057
PKIX_PL_OID *oid = NULL;
1058
1058
PKIX_Boolean supportForwardChecking = PKIX_FALSE;
1081
1081
procParams = state->buildConstants.procParams;
1083
/* Do need to add eku checker for chains, that we just
1084
* built. KU and EKU get checked by certificate selector
1085
* during chain construction. For other cases when trying
1086
* short cut or for cached chain we need to verify key
1087
* usage again. For those cases the function shoud be
1088
* called with addEkuChecker set to true. */
1089
if (addEkuChecker) {
1091
PKIX_EkuChecker_Create(procParams, &ekuChecker,
1093
PKIX_EKUCHECKERINITIALIZEFAILED);
1083
/* Do need to add a number of checker to revalidate
1084
* a built chain. KU, EKU, CertType and Validity Date
1085
* get checked by certificate selector during chain
1086
* construction, but needed to be checked for chain from
1088
if (chainRevalidationStage) {
1089
PKIX_CHECK(pkix_ExpirationChecker_Initialize
1090
(state->buildConstants.testDate, &checker, plContext),
1091
PKIX_EXPIRATIONCHECKERINITIALIZEFAILED);
1092
PKIX_CHECK(PKIX_List_AppendItem
1093
(checkers, (PKIX_PL_Object *)checker, plContext),
1094
PKIX_LISTAPPENDITEMFAILED);
1095
PKIX_DECREF(checker);
1097
PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
1098
(procParams, &certSelector, plContext),
1099
PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
1101
PKIX_CHECK(pkix_TargetCertChecker_Initialize
1102
(certSelector, numChainCerts, &checker, plContext),
1103
PKIX_EXPIRATIONCHECKERINITIALIZEFAILED);
1095
1104
PKIX_CHECK(PKIX_List_AppendItem
1096
(checkers, (PKIX_PL_Object *)ekuChecker, plContext),
1105
(checkers, (PKIX_PL_Object *)checker, plContext),
1097
1106
PKIX_LISTAPPENDITEMFAILED);
1107
PKIX_DECREF(checker);
1100
1110
PKIX_CHECK(PKIX_ProcessingParams_GetInitialPolicies
1139
1149
PKIX_CHECK(PKIX_List_Create(&buildCheckedCritExtOIDsList, plContext),
1140
1150
PKIX_LISTCREATEFAILED);
1142
for (i = 0; buildCheckedCritExtOIDs[i] != NULL; i++) {
1152
for (i = 0; buildCheckedCritExtOIDs[i] != PKIX_UNKNOWN_OID; i++) {
1143
1153
PKIX_CHECK(PKIX_PL_OID_Create
1144
1154
(buildCheckedCritExtOIDs[i], &oid, plContext),
1145
1155
PKIX_OIDCREATEFAILED);
1232
1242
PKIX_LISTAPPENDITEMFAILED);
1244
PKIX_DECREF(state->reversedCertChain);
1234
1245
PKIX_INCREF(reversedCertChain);
1235
1246
state->reversedCertChain = reversedCertChain;
1247
PKIX_DECREF(state->checkedCritExtOIDs);
1236
1248
PKIX_INCREF(buildCheckedCritExtOIDsList);
1237
1249
state->checkedCritExtOIDs = buildCheckedCritExtOIDsList;
1250
PKIX_DECREF(state->checkerChain);
1238
1251
state->checkerChain = checkers;
1239
1252
checkers = NULL;
1240
1253
state->certCheckedIndex = 0;
1247
1260
PKIX_DECREF(oid);
1248
1261
PKIX_DECREF(reversedCertChain);
1249
1262
PKIX_DECREF(buildCheckedCritExtOIDsList);
1263
PKIX_DECREF(checker);
1250
1264
PKIX_DECREF(checkers);
1251
1265
PKIX_DECREF(initialPolicies);
1252
1266
PKIX_DECREF(trustedCert);
1253
1267
PKIX_DECREF(trustedPubKey);
1268
PKIX_DECREF(certSelector);
1254
1269
PKIX_DECREF(sigChecker);
1255
1270
PKIX_DECREF(policyChecker);
1256
1271
PKIX_DECREF(userChecker);
1257
PKIX_DECREF(userCheckersList);
1258
1272
PKIX_DECREF(userCheckerExtOIDs);
1259
PKIX_DECREF(ekuChecker);
1261
1274
PKIX_RETURN(BUILD);
1557
1570
PKIX_List *matchList = NULL;
1558
1571
PKIX_CertSelector *certSel = NULL;
1559
1572
PKIX_CertSelector_MatchCallback selectorMatchCB = NULL;
1560
PKIX_Boolean certMatch = PKIX_TRUE;
1562
1574
PKIX_ENTER(BUILD, "pkix_Build_SelectCertsFromTrustAnchors");
1582
1594
(anchor, &trustedCert, plContext),
1583
1595
PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
1584
1596
pkixErrorResult =
1585
(*selectorMatchCB)(certSel, trustedCert,
1586
&certMatch, plContext);
1587
if (!pkixErrorResult && certMatch) {
1597
(*selectorMatchCB)(certSel, trustedCert, plContext);
1598
if (!pkixErrorResult) {
1588
1599
if (!matchList) {
1589
1600
PKIX_CHECK(PKIX_List_Create(&matchList,
2524
2537
/* IO still pending, resume later */
2527
PKIX_DECREF(state->reversedCertChain);
2528
PKIX_DECREF(state->checkedCritExtOIDs);
2529
PKIX_DECREF(state->checkerChain);
2530
2540
/* checking the error for fatal status */
2531
2541
if (verifyError) {
2532
2542
pkixTempErrorReceived = PKIX_TRUE;
3041
3051
(matchingAnchor, &trustedCert, plContext),
3042
3052
PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
3044
if (!state->buildConstants.anchors) {
3045
PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
3046
(trustedCert, PKIX_FALSE, &trusted, plContext),
3047
PKIX_CERTISCERTTRUSTEDFAILED);
3054
if (state->buildConstants.anchors &&
3055
state->buildConstants.anchors->length) {
3049
3056
/* Check if it is one of the trust anchors */
3051
3058
pkix_List_Contains(state->buildConstants.anchors,
3055
3062
PKIX_LISTCONTAINSFAILED);
3064
PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
3065
(trustedCert, PKIX_FALSE, &trusted, plContext),
3066
PKIX_CERTISCERTTRUSTEDFAILED);
3058
3069
if (!trusted) {
3067
3078
(buildResult, &certList, plContext),
3068
3079
PKIX_BUILDRESULTGETCERTCHAINFAILED);
3070
/* setting this variable will trigger addition rev
3071
* checker into cert chain checker list */
3072
state->revCheckDelayed = PKIX_TRUE;
3074
3081
PKIX_CHECK(pkix_Build_ValidationCheckers
3077
3084
matchingAnchor,
3078
PKIX_TRUE, /* Adding eku checker. */
3085
PKIX_TRUE, /* Chain revalidation stage. */
3080
3087
PKIX_BUILDVALIDATIONCHECKERSFAILED);
3082
state->revCheckDelayed = PKIX_FALSE;
3084
3089
PKIX_CHECK_ONLY_FATAL(
3085
3090
pkix_Build_ValidateEntireChain(state, matchingAnchor,
3092
3097
*pNBIOContext = nbioContext;
3095
PKIX_DECREF(state->reversedCertChain);
3096
PKIX_DECREF(state->checkedCritExtOIDs);
3097
PKIX_DECREF(state->checkerChain);
3099
3100
if (!PKIX_ERROR_RECEIVED) {
3100
3101
/* The result from cache is still valid. But we replace an old*/
3101
3102
*pBuildResult = buildResult;
3211
3212
PKIX_TrustAnchor *matchingAnchor = NULL;
3212
3213
PKIX_ForwardBuilderState *state = NULL;
3213
3214
PKIX_CertStore_CheckTrustCallback trustCallback = NULL;
3215
PKIX_CertSelector_MatchCallback selectorCallback = NULL;
3214
3216
PKIX_PL_AIAMgr *aiaMgr = NULL;
3216
3218
PKIX_ENTER(BUILD, "pkix_Build_InitiateBuildChain");
3235
3237
PKIX_LISTGETLENGTHFAILED);
3237
3239
/* retrieve stuff from targetCertConstraints */
3239
3240
PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
3240
(procParams, &targetConstraints, plContext),
3241
PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
3241
(procParams, &targetConstraints, plContext),
3242
PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
3243
3244
PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
3244
3245
(targetConstraints, &targetParams, plContext),
3248
3249
(targetParams, &targetCert, plContext),
3249
3250
PKIX_COMCERTSELPARAMSGETCERTIFICATEFAILED);
3253
PKIX_ComCertSelParams_SetLeafCertFlag(targetParams,
3254
PKIX_TRUE, plContext),
3255
PKIX_COMCERTSELPARAMSSETLEAFCERTFLAGFAILED);
3251
3257
PKIX_CHECK(PKIX_ProcessingParams_GetHintCerts
3252
3258
(procParams, &hintCerts, plContext),
3253
3259
PKIX_PROCESSINGPARAMSGETHINTCERTSFAILED);
3329
3335
(tentativeChain, (PKIX_PL_Object *)targetCert, plContext),
3330
3336
PKIX_LISTAPPENDITEMFAILED);
3332
/* Failure here is reportable */
3333
pkixErrorResult = PKIX_PL_Cert_CheckValidity
3334
(targetCert, testDate, plContext);
3335
if (pkixErrorResult) {
3338
if (procParams->qualifyTargetCert) {
3339
/* EE cert validation */
3340
/* Sync up the time on the target selector parameter struct. */
3342
PKIX_ComCertSelParams_SetCertificateValid(targetParams,
3345
PKIX_COMCERTSELPARAMSSETCERTIFICATEVALIDFAILED);
3347
PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
3348
(targetConstraints, &selectorCallback, plContext),
3349
PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
3352
(*selectorCallback)(targetConstraints, targetCert,
3354
if (pkixErrorResult) {
3336
3355
pkixErrorClass = pkixErrorResult->errClass;
3337
3356
if (pkixErrorClass == PKIX_FATAL_ERROR) {