← Back to branch summary

~ubuntu-branches/ubuntu/maverick/nss/maverick

« back to all changes in this revision

Viewing changes to mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c

  • Committer: Bazaar Package Importer
  • Author(s): Alexander Sack
  • Date: 2009-06-16 13:23:47 UTC
  • mfrom: (1.1.9 upstream)
  • Revision ID: james.westby@ubuntu.com-20090616132347-311ysb8oep74b98y
Tags: 3.12.3-0ubuntu1
https://launchpad.net/bugs/387751
* new upstream release 3.12.3 RTM (NSS_3_12_3_RTM) (LP: #387751)
* adjust patches to changed upstream code base
  - update debian/patches/38_kbsd.patch
* needs nspr >= 4.7.4
  - update debian/control
* update 85_security_load.patch to latest debian version
  - update debian/patches/85_security_load.patch
* add new symbols for 3.12.3
  - update debian/libnss3-1d.symbols

Show diffs side-by-side

added added

removed removed

Lines of Context:
mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
494
494
}
495
495
 
496
496
/*
 
497
 * FUNCTION: pkix_pl_Pk11CertStore_ImportCrl
 
498
 * DESCRIPTION:
 
499
 *
 
500
 * PARAMETERS:
 
501
 * "params"
 
502
 *      Address of the ComCRLSelParams. Must be non-NULL.
 
503
 * "pSelected"
 
504
 *      Address at which List will be stored. Must be non-NULL.
 
505
 * "plContext"
 
506
 *      Platform-specific context pointer
 
507
 * THREAD SAFETY:
 
508
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 
509
 * RETURNS:
 
510
 *  Returns NULL if the function succeeds.
 
511
 *  Returns a CertStore Error if the function fails in a non-fatal way.
 
512
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 
513
 */
 
514
static PKIX_Error *
 
515
pkix_pl_Pk11CertStore_ImportCrl(
 
516
        PKIX_CertStore *store,
 
517
        PKIX_List *crlList,
 
518
        void *plContext)
 
519
{
 
520
    int crlIndex = 0;
 
521
    PKIX_PL_CRL *crl = NULL;
 
522
    CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
 
523
    PKIX_UInt32 listLength;
 
524
 
 
525
    PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_ImportCrl");
 
526
    PKIX_NULLCHECK_ONE(store);
 
527
    
 
528
    if (!crlList) {
 
529
        goto cleanup;
 
530
    }
 
531
    PKIX_CHECK(
 
532
        PKIX_List_GetLength(crlList, &listLength, plContext),
 
533
        PKIX_LISTGETLENGTHFAILED);
 
534
    for (;crlIndex < listLength;crlIndex++) {
 
535
        PKIX_CHECK(
 
536
            PKIX_List_GetItem(crlList, crlIndex, (PKIX_PL_Object**)&crl,
 
537
                              plContext),
 
538
            PKIX_LISTGETITEMFAILED);
 
539
        if (!crl->nssSignedCrl || !crl->nssSignedCrl->derCrl) {
 
540
            PKIX_ERROR(PKIX_NULLARGUMENT);
 
541
        }
 
542
        CERT_CacheCRL(certHandle, crl->nssSignedCrl->derCrl);
 
543
        PKIX_DECREF(crl);
 
544
    }
 
545
 
 
546
cleanup:
 
547
    PKIX_DECREF(crl);
 
548
 
 
549
    PKIX_RETURN(CERTSTORE);
 
550
}
 
551
 
 
552
/*
 
553
 * FUNCTION: pkix_pl_Pk11CertStore_CheckCrl
 
554
 * DESCRIPTION:
 
555
 *
 
556
 * PARAMETERS:
 
557
 * "params"
 
558
 *      Address of the ComCRLSelParams. Must be non-NULL.
 
559
 * "pSelected"
 
560
 *      Address at which List will be stored. Must be non-NULL.
 
561
 * "plContext"
 
562
 *      Platform-specific context pointer
 
563
 * THREAD SAFETY:
 
564
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 
565
 * RETURNS:
 
566
 *  Returns NULL if the function succeeds.
 
567
 *  Returns a CertStore Error if the function fails in a non-fatal way.
 
568
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 
569
 */
 
570
static PKIX_Error *
 
571
pkix_pl_Pk11CertStore_CheckRevByCrl(
 
572
        PKIX_CertStore *store,
 
573
        PKIX_PL_Cert *pkixCert,
 
574
        PKIX_PL_Cert *pkixIssuer,
 
575
        PKIX_PL_Date *date,
 
576
        PKIX_Boolean delayCrlSigCheck,
 
577
        PKIX_UInt32  *pReasonCode,
 
578
        PKIX_RevocationStatus *pStatus,
 
579
        void *plContext)
 
580
{
 
581
    CERTCRLEntryReasonCode revReason = crlEntryReasonUnspecified;
 
582
    PKIX_RevocationStatus status = PKIX_RevStatus_NoInfo;
 
583
    PRTime time = 0;
 
584
    void *wincx = NULL;
 
585
    PRBool lockedwrite = PR_FALSE;
 
586
    SECStatus rv = SECSuccess;
 
587
    CRLDPCache* dpcache = NULL;
 
588
    CERTCertificate *cert, *issuer;
 
589
    CERTCrlEntry* entry = NULL;
 
590
 
 
591
    PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_CheckRevByCrl");
 
592
    PKIX_NULLCHECK_FOUR(store, pkixCert, pkixIssuer, date);
 
593
 
 
594
    PKIX_CHECK(
 
595
        pkix_pl_Date_GetPRTime(date, &time, plContext),
 
596
        PKIX_DATEGETPRTIMEFAILED);
 
597
 
 
598
    PKIX_CHECK(
 
599
        pkix_pl_NssContext_GetWincx((PKIX_PL_NssContext*)plContext,
 
600
                                    &wincx),
 
601
        PKIX_NSSCONTEXTGETWINCXFAILED);
 
602
 
 
603
    cert = pkixCert->nssCert;
 
604
    issuer = pkixIssuer->nssCert;
 
605
 
 
606
    if (SECSuccess != CERT_CheckCertValidTimes(issuer, time, PR_FALSE))
 
607
    {
 
608
        /* we won't be able to check the CRL's signature if the issuer cert
 
609
           is expired as of the time we are verifying. This may cause a valid
 
610
           CRL to be cached as bad. short-circuit to avoid this case. */
 
611
        PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
 
612
        PKIX_ERROR(PKIX_CRLISSUECERTEXPIRED);
 
613
    }
 
614
 
 
615
    rv = AcquireDPCache(issuer, &issuer->derSubject, NULL,
 
616
                        /* AcquireDPCache will not validate the signature
 
617
                         * on the crl if time is not specified. */
 
618
                        delayCrlSigCheck ? 0: time,
 
619
                        wincx, &dpcache, &lockedwrite);
 
620
    if (rv == SECFailure) {
 
621
        PKIX_ERROR(PKIX_CERTCHECKCRLFAILED);
 
622
    }
 
623
    if ((delayCrlSigCheck && dpcache->invalid) ||
 
624
        /* obtained cache is invalid due to delayed signature check */
 
625
        !dpcache->ncrls) {
 
626
        goto cleanup;
 
627
    }
 
628
    /* now look up the certificate SN in the DP cache's CRL */
 
629
    rv = DPCache_Lookup(dpcache, &cert->serialNumber, &entry);
 
630
    if (rv == SECFailure) {
 
631
        PKIX_ERROR(PKIX_CERTCHECKCRLFAILED);
 
632
    }
 
633
    if (entry) {
 
634
        /* check the time if we have one */
 
635
        if (entry->revocationDate.data && entry->revocationDate.len) {
 
636
            PRTime revocationDate = 0;
 
637
            
 
638
            if (SECSuccess == DER_DecodeTimeChoice(&revocationDate,
 
639
                                                   &entry->revocationDate)) {
 
640
                /* we got a good revocation date, only consider the
 
641
                   certificate revoked if the time we are inquiring about
 
642
                   is past the revocation date */
 
643
                if (time >= revocationDate) {
 
644
                    rv = SECFailure;
 
645
                }
 
646
            } else {
 
647
                /* invalid revocation date, consider the certificate
 
648
                   permanently revoked */
 
649
                rv = SECFailure;
 
650
            }
 
651
        } else {
 
652
            /* no revocation date, certificate is permanently revoked */
 
653
            rv = SECFailure;
 
654
        }
 
655
        if (SECFailure == rv) {
 
656
            /* Find real revocation reason */
 
657
            CERT_FindCRLEntryReasonExten(entry, &revReason);
 
658
            status = PKIX_RevStatus_Revoked;
 
659
            PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
 
660
        }
 
661
    } else {
 
662
        status = PKIX_RevStatus_Success;
 
663
    }
 
664
 
 
665
cleanup:
 
666
    *pStatus = status;
 
667
    *pReasonCode = revReason;
 
668
    if (dpcache) {
 
669
        ReleaseDPCache(dpcache, lockedwrite);
 
670
    }
 
671
    PKIX_RETURN(CERTSTORE);    
 
672
}
 
673
 
 
674
 
 
675
/*
497
676
 * FUNCTION: pkix_pl_Pk11CertStore_GetCert
498
677
 *  (see description of PKIX_CertStore_CertCallback in pkix_certstore.h)
499
678
 */
590
769
        /* Don't throw away the list if one cert was bad! */
591
770
        pkixTempErrorReceived = PKIX_FALSE;
592
771
 
593
 
        PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext),
594
 
                PKIX_LISTSETIMMUTABLEFAILED);
595
 
 
596
772
        *pCertList = filtered;
597
773
        filtered = NULL;
598
774
 
682
858
        /* Don't throw away the list if one CRL was bad! */
683
859
        pkixTempErrorReceived = PKIX_FALSE;
684
860
 
685
 
        PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext),
686
 
                PKIX_LISTSETIMMUTABLEFAILED);
687
 
 
688
861
        *pCrlList = filtered;
689
862
        filtered = NULL;
690
863
 
720
893
                NULL, /* getCertContinue */
721
894
                NULL, /* getCrlContinue */
722
895
                pkix_pl_Pk11CertStore_CheckTrust,
 
896
                pkix_pl_Pk11CertStore_ImportCrl,
 
897
                pkix_pl_Pk11CertStore_CheckRevByCrl,
723
898
                NULL,
724
899
                PKIX_TRUE, /* cache flag */
725
900
                PKIX_TRUE, /* local - no network I/O */