942
/* determine if this is a root cert */
943
cert->isRoot = cert_IsRootCert(cert);
942
945
/* initialize the certType */
943
946
rv = cert_GetCertType(cert);
944
947
if ( rv != SECSuccess ) {
948
/* determine if this is a root cert */
949
cert->isRoot = cert_IsRootCert(cert);
951
951
tmpname = CERT_NameToAscii(&cert->subject);
952
952
if ( tmpname != NULL ) {
953
953
cert->subjectName = PORT_ArenaStrdup(cert->arena, tmpname);
1447
1447
** returns SECFailure with SSL_ERROR_BAD_CERT_DOMAIN if no match,
1448
1448
** returns SECFailure with some other error code if another error occurs.
1450
** may modify cn, so caller must pass a modifiable copy.
1450
** This function may modify string cn, so caller must pass a modifiable copy.
1452
1452
static SECStatus
1453
1453
cert_TestHostName(char * cn, const char * hn)
1455
int regvalid = PORT_RegExpValid(cn);
1456
if (regvalid != NON_SXP) {
1458
/* cn is a regular expression, try to match the shexp */
1459
int match = PORT_RegExpCaseSearch(hn, cn);
1464
PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
1469
/* cn is not a regular expression */
1471
/* compare entire hn with cert name */
1455
static int useShellExp = -1;
1457
if (useShellExp < 0) {
1458
useShellExp = (NULL != PR_GetEnv("NSS_USE_SHEXP_IN_CERT_NAME"));
1461
/* Backward compatible code, uses Shell Expressions (SHEXP). */
1462
int regvalid = PORT_RegExpValid(cn);
1463
if (regvalid != NON_SXP) {
1465
/* cn is a regular expression, try to match the shexp */
1466
int match = PORT_RegExpCaseSearch(hn, cn);
1471
PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
1477
/* New approach conforms to RFC 2818. */
1478
char *wildcard = PORT_Strchr(cn, '*');
1479
char *firstcndot = PORT_Strchr(cn, '.');
1480
char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
1481
char *firsthndot = PORT_Strchr(hn, '.');
1483
/* For a cn pattern to be considered valid, the wildcard character...
1484
* - may occur only in a DNS name with at least 3 components, and
1485
* - may occur only as last character in the first component, and
1486
* - may be preceded by additional characters
1488
if (wildcard && secondcndot && secondcndot[1] && firsthndot
1489
&& firstcndot - wildcard == 1
1490
&& secondcndot - firstcndot > 1
1491
&& PORT_Strrchr(cn, '*') == wildcard
1492
&& !PORT_Strncasecmp(cn, hn, wildcard - cn)
1493
&& !PORT_Strcasecmp(firstcndot, firsthndot)) {
1494
/* valid wildcard pattern match */
1498
/* String cn has no wildcard or shell expression.
1499
* Compare entire string hn with cert name.
1472
1501
if (PORT_Strcasecmp(hn, cn) == 0) {
1473
1502
return SECSuccess;
1476
1505
PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
1477
1506
return SECFailure;
1523
1552
** so must copy it.
1525
1554
int cnLen = current->name.other.len;
1526
if (cnLen + 1 > cnBufLen) {
1527
cnBufLen = cnLen + 1;
1555
rv = CERT_RFC1485_EscapeAndQuote(cn, cnBufLen,
1556
current->name.other.data, cnLen);
1557
if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_OUTPUT_LEN) {
1558
cnBufLen = cnLen * 3 + 3; /* big enough for worst case */
1528
1559
cn = (char *)PORT_ArenaAlloc(arena, cnBufLen);
1562
rv = CERT_RFC1485_EscapeAndQuote(cn, cnBufLen,
1563
current->name.other.data, cnLen);
1532
PORT_Memcpy(cn, current->name.other.data, cnLen);
1534
rv = cert_TestHostName(cn ,hn);
1565
if (rv == SECSuccess)
1566
rv = cert_TestHostName(cn ,hn);
1535
1567
if (rv == SECSuccess)
2107
2139
SEC_DestroyCrl (crl);
2143
cert_Version(CERTCertificate *cert)
2146
if (cert && cert->version.data && cert->version.len) {
2147
version = DER_GetInteger(&cert->version);
2155
cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType)
2157
CERTCertTrust *trust = cert->trust;
2159
if (trust && (trust->sslFlags |
2161
trust->objectSigningFlags)) {
2163
if (trust->sslFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED))
2164
cType |= NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT;
2165
if (trust->sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
2166
cType |= NS_CERT_TYPE_SSL_CA;
2167
#if defined(CERTDB_NOT_TRUSTED)
2168
if (trust->sslFlags & CERTDB_NOT_TRUSTED)
2169
cType &= ~(NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT|
2170
NS_CERT_TYPE_SSL_CA);
2172
if (trust->emailFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED))
2173
cType |= NS_CERT_TYPE_EMAIL;
2174
if (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
2175
cType |= NS_CERT_TYPE_EMAIL_CA;
2176
#if defined(CERTDB_NOT_TRUSTED)
2177
if (trust->emailFlags & CERTDB_NOT_TRUSTED)
2178
cType &= ~(NS_CERT_TYPE_EMAIL|NS_CERT_TYPE_EMAIL_CA);
2180
if (trust->objectSigningFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED))
2181
cType |= NS_CERT_TYPE_OBJECT_SIGNING;
2182
if (trust->objectSigningFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
2183
cType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
2184
#if defined(CERTDB_NOT_TRUSTED)
2185
if (trust->objectSigningFlags & CERTDB_NOT_TRUSTED)
2186
cType &= ~(NS_CERT_TYPE_OBJECT_SIGNING|
2187
NS_CERT_TYPE_OBJECT_SIGNING_CA);
2113
2194
* Does a cert belong to a CA? We decide based on perm database trust
2117
2198
CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype)
2119
CERTCertTrust *trust;
2127
if ( cert->trust && (cert->trust->sslFlags|cert->trust->emailFlags|
2128
cert->trust->objectSigningFlags)) {
2129
trust = cert->trust;
2130
if ( ( ( trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
2131
( ( trust->sslFlags & CERTDB_TRUSTED_CA ) == CERTDB_TRUSTED_CA ) ) {
2133
type |= NS_CERT_TYPE_SSL_CA;
2136
if ( ( ( trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
2137
( ( trust->emailFlags & CERTDB_TRUSTED_CA ) == CERTDB_TRUSTED_CA ) ) {
2139
type |= NS_CERT_TYPE_EMAIL_CA;
2142
if ( ( ( trust->objectSigningFlags & CERTDB_VALID_CA )
2143
== CERTDB_VALID_CA ) ||
2144
( ( trust->objectSigningFlags & CERTDB_TRUSTED_CA )
2145
== CERTDB_TRUSTED_CA ) ) {
2147
type |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
2200
unsigned int cType = cert->nsCertType;
2201
PRBool ret = PR_FALSE;
2203
if (cType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
2204
NS_CERT_TYPE_OBJECT_SIGNING_CA)) {
2150
if ( cert->nsCertType &
2151
( NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
2152
NS_CERT_TYPE_OBJECT_SIGNING_CA ) ) {
2208
CERTBasicConstraints constraints;
2210
rv = CERT_FindBasicConstraintExten(cert, &constraints);
2211
if (rv == SECSuccess && constraints.isCA) {
2154
type = (cert->nsCertType & NS_CERT_TYPE_CA);
2156
CERTBasicConstraints constraints;
2157
rv = CERT_FindBasicConstraintExten(cert, &constraints);
2158
if ( rv == SECSuccess ) {
2159
if ( constraints.isCA ) {
2161
type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
2213
cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
2166
/* finally check if it's a FORTEZZA V1 CA */
2167
if (ret == PR_FALSE) {
2168
if (fortezzaIsCA(cert)) {
2170
type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
2175
/* the isRoot flag trumps all */
2217
/* finally check if it's an X.509 v1 root or FORTEZZA V1 CA */
2219
((cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3) ||
2220
fortezzaIsCA(cert) )) {
2178
/* set only these by default, same as above */
2179
type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
2222
cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
2224
/* Now apply trust overrides, if any */
2225
cType = cert_ComputeTrustOverrides(cert, cType);
2226
ret = (cType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
2227
NS_CERT_TYPE_OBJECT_SIGNING_CA)) ? PR_TRUE : PR_FALSE;
2182
if ( rettype != NULL ) {
2229
if (rettype != NULL) {