497
* FUNCTION: pkix_pl_Pk11CertStore_ImportCrl
502
* Address of the ComCRLSelParams. Must be non-NULL.
504
* Address at which List will be stored. Must be non-NULL.
506
* Platform-specific context pointer
508
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
510
* Returns NULL if the function succeeds.
511
* Returns a CertStore Error if the function fails in a non-fatal way.
512
* Returns a Fatal Error if the function fails in an unrecoverable way.
515
pkix_pl_Pk11CertStore_ImportCrl(
516
PKIX_CertStore *store,
521
PKIX_PL_CRL *crl = NULL;
522
CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
523
PKIX_UInt32 listLength;
525
PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_ImportCrl");
526
PKIX_NULLCHECK_ONE(store);
532
PKIX_List_GetLength(crlList, &listLength, plContext),
533
PKIX_LISTGETLENGTHFAILED);
534
for (;crlIndex < listLength;crlIndex++) {
536
PKIX_List_GetItem(crlList, crlIndex, (PKIX_PL_Object**)&crl,
538
PKIX_LISTGETITEMFAILED);
539
if (!crl->nssSignedCrl || !crl->nssSignedCrl->derCrl) {
540
PKIX_ERROR(PKIX_NULLARGUMENT);
542
CERT_CacheCRL(certHandle, crl->nssSignedCrl->derCrl);
549
PKIX_RETURN(CERTSTORE);
553
* FUNCTION: pkix_pl_Pk11CertStore_CheckCrl
558
* Address of the ComCRLSelParams. Must be non-NULL.
560
* Address at which List will be stored. Must be non-NULL.
562
* Platform-specific context pointer
564
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
566
* Returns NULL if the function succeeds.
567
* Returns a CertStore Error if the function fails in a non-fatal way.
568
* Returns a Fatal Error if the function fails in an unrecoverable way.
571
pkix_pl_Pk11CertStore_CheckRevByCrl(
572
PKIX_CertStore *store,
573
PKIX_PL_Cert *pkixCert,
574
PKIX_PL_Cert *pkixIssuer,
576
PKIX_Boolean delayCrlSigCheck,
577
PKIX_UInt32 *pReasonCode,
578
PKIX_RevocationStatus *pStatus,
581
CERTCRLEntryReasonCode revReason = crlEntryReasonUnspecified;
582
PKIX_RevocationStatus status = PKIX_RevStatus_NoInfo;
585
PRBool lockedwrite = PR_FALSE;
586
SECStatus rv = SECSuccess;
587
CRLDPCache* dpcache = NULL;
588
CERTCertificate *cert, *issuer;
589
CERTCrlEntry* entry = NULL;
591
PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_CheckRevByCrl");
592
PKIX_NULLCHECK_FOUR(store, pkixCert, pkixIssuer, date);
595
pkix_pl_Date_GetPRTime(date, &time, plContext),
596
PKIX_DATEGETPRTIMEFAILED);
599
pkix_pl_NssContext_GetWincx((PKIX_PL_NssContext*)plContext,
601
PKIX_NSSCONTEXTGETWINCXFAILED);
603
cert = pkixCert->nssCert;
604
issuer = pkixIssuer->nssCert;
606
if (SECSuccess != CERT_CheckCertValidTimes(issuer, time, PR_FALSE))
608
/* we won't be able to check the CRL's signature if the issuer cert
609
is expired as of the time we are verifying. This may cause a valid
610
CRL to be cached as bad. short-circuit to avoid this case. */
611
PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
612
PKIX_ERROR(PKIX_CRLISSUECERTEXPIRED);
615
rv = AcquireDPCache(issuer, &issuer->derSubject, NULL,
616
/* AcquireDPCache will not validate the signature
617
* on the crl if time is not specified. */
618
delayCrlSigCheck ? 0: time,
619
wincx, &dpcache, &lockedwrite);
620
if (rv == SECFailure) {
621
PKIX_ERROR(PKIX_CERTCHECKCRLFAILED);
623
if ((delayCrlSigCheck && dpcache->invalid) ||
624
/* obtained cache is invalid due to delayed signature check */
628
/* now look up the certificate SN in the DP cache's CRL */
629
rv = DPCache_Lookup(dpcache, &cert->serialNumber, &entry);
630
if (rv == SECFailure) {
631
PKIX_ERROR(PKIX_CERTCHECKCRLFAILED);
634
/* check the time if we have one */
635
if (entry->revocationDate.data && entry->revocationDate.len) {
636
PRTime revocationDate = 0;
638
if (SECSuccess == DER_DecodeTimeChoice(&revocationDate,
639
&entry->revocationDate)) {
640
/* we got a good revocation date, only consider the
641
certificate revoked if the time we are inquiring about
642
is past the revocation date */
643
if (time >= revocationDate) {
647
/* invalid revocation date, consider the certificate
648
permanently revoked */
652
/* no revocation date, certificate is permanently revoked */
655
if (SECFailure == rv) {
656
/* Find real revocation reason */
657
CERT_FindCRLEntryReasonExten(entry, &revReason);
658
status = PKIX_RevStatus_Revoked;
659
PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
662
status = PKIX_RevStatus_Success;
667
*pReasonCode = revReason;
669
ReleaseDPCache(dpcache, lockedwrite);
671
PKIX_RETURN(CERTSTORE);
497
676
* FUNCTION: pkix_pl_Pk11CertStore_GetCert
498
677
* (see description of PKIX_CertStore_CertCallback in pkix_certstore.h)