← Back to branch summary

~ubuntu-branches/ubuntu/maverick/nss/maverick

« back to all changes in this revision

Viewing changes to mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c

  • Committer: Bazaar Package Importer
  • Author(s): Chris Coulson
  • Date: 2010-03-25 13:46:06 UTC
  • mfrom: (1.1.11 upstream)
  • Revision ID: james.westby@ubuntu.com-20100325134606-bl6liuok2w9l7snv
Tags: 3.12.6-0ubuntu1
* New upstream release 3.12.6 RTM (NSS_3_12_6_RTM)
  - fixes CVE-2009-3555 aka US-CERT VU#120541
* Adjust patches to changed upstream code base
  - update debian/patches/38_kbsd.patch
  - update debian/patches/38_mips64_build.patch
  - update debian/patches/85_security_load.patch
* Remove patches that are merged upstream
  - delete debian/patches/91_nonexec_stack.patch
  - update debian/patches/series
* Bump nspr dependency to 4.8
  - update debian/control
* Add new symbols for 3.12.6
  - update debian/libnss3-1d.symbols

Show diffs side-by-side

added added

removed removed

Lines of Context:
mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
146
146
        /* Allocated in the arena; freed in CERT_Destroy... */
147
147
        CERTCertificatePolicies *certPol = NULL;
148
148
        CERTPolicyInfo **policyInfos = NULL;
149
 
        CERTPolicyInfo *policyInfo = NULL;
150
 
        CERTPolicyQualifier **policyQualifiers = NULL;
151
 
        CERTPolicyQualifier *policyQualifier = NULL;
152
149
 
153
150
        /* Holder for the return value */
154
151
        PKIX_List *infos = NULL;
155
152
 
156
 
        char *oidAscii = NULL;
157
153
        PKIX_PL_OID *pkixOID = NULL;
158
154
        PKIX_List *qualifiers = NULL;
159
155
        PKIX_PL_CertPolicyInfo *certPolicyInfo = NULL;
204
200
         * building each PKIX_PL_CertPolicyInfo object in turn
205
201
         */
206
202
        while (*policyInfos != NULL) {
207
 
                policyInfo = *policyInfos;
208
 
                policyQualifiers = policyInfo->policyQualifiers;
 
203
                CERTPolicyInfo *policyInfo = *policyInfos;
 
204
                CERTPolicyQualifier **policyQualifiers =
 
205
                                          policyInfo->policyQualifiers;
209
206
                if (policyQualifiers) {
210
207
                        /* create a PKIX_List of PKIX_PL_CertPolicyQualifiers */
211
208
                        PKIX_CHECK(PKIX_List_Create(&qualifiers, plContext),
212
209
                                PKIX_LISTCREATEFAILED);
213
210
 
214
211
                        while (*policyQualifiers != NULL) {
215
 
                            policyQualifier = *policyQualifiers;
 
212
                            CERTPolicyQualifier *policyQualifier =
 
213
                                                         *policyQualifiers;
216
214
 
217
215
                            /* create the qualifier's OID object */
218
 
 
219
 
                            PKIX_CHECK(pkix_pl_oidBytes2Ascii
220
 
                                (&(policyQualifier->qualifierID),
221
 
                                &oidAscii,
222
 
                                plContext),
223
 
                                PKIX_OIDBYTES2ASCIIFAILED);
224
 
 
225
 
                            PKIX_CHECK(PKIX_PL_OID_Create
226
 
                                (oidAscii, &pkixOID, plContext),
 
216
                            PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
 
217
                                (&policyQualifier->qualifierID,
 
218
                                 &pkixOID, plContext),
227
219
                                PKIX_OIDCREATEFAILED);
228
220
 
229
221
                            /* create qualifier's ByteArray object */
250
242
                                plContext),
251
243
                                PKIX_LISTAPPENDITEMFAILED);
252
244
 
253
 
                            PKIX_FREE(oidAscii);
254
245
                            PKIX_DECREF(pkixOID);
255
246
                            PKIX_DECREF(qualifierArray);
256
247
                            PKIX_DECREF(certPolicyQualifier);
269
260
                 * (The CERTPolicyInfo structure has an oid field, but it
270
261
                 * is of type SECOidTag. This function wants a SECItem.)
271
262
                 */
272
 
 
273
 
                PKIX_CHECK(pkix_pl_oidBytes2Ascii
274
 
                        (&(policyInfo->policyID), &oidAscii, plContext),
275
 
                        PKIX_OIDBYTES2ASCIIFAILED);
276
 
 
277
 
                PKIX_CHECK(PKIX_PL_OID_Create
278
 
                        (oidAscii, &pkixOID, plContext),
 
263
                PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
 
264
                        (&policyInfo->policyID, &pkixOID, plContext),
279
265
                        PKIX_OIDCREATEFAILED);
280
266
 
281
267
                /* Create a CertPolicyInfo object */
288
274
                        (infos, (PKIX_PL_Object *)certPolicyInfo, plContext),
289
275
                        PKIX_LISTAPPENDITEMFAILED);
290
276
 
291
 
                PKIX_FREE(oidAscii);
292
277
                PKIX_DECREF(pkixOID);
293
278
                PKIX_DECREF(qualifiers);
294
279
                PKIX_DECREF(certPolicyInfo);
313
298
            CERT_DestroyCertificatePoliciesExtension(certPol);
314
299
        }
315
300
 
316
 
        PKIX_FREE(oidAscii);
317
301
        PKIX_DECREF(infos);
318
302
        PKIX_DECREF(pkixOID);
319
303
        PKIX_DECREF(qualifiers);
362
346
        /* Allocated in the arena; freed in CERT_Destroy... */
363
347
        CERTCertificatePolicyMappings *certPolMaps = NULL;
364
348
        CERTPolicyMap **policyMaps = NULL;
365
 
        CERTPolicyMap *policyMap = NULL;
366
349
 
367
350
        /* Holder for the return value */
368
351
        PKIX_List *maps = NULL;
369
352
 
370
 
        char *issuerPolicyOIDAscii = NULL;
371
 
        char *subjectPolicyOIDAscii = NULL;
372
353
        PKIX_PL_OID *issuerDomainOID = NULL;
373
354
        PKIX_PL_OID *subjectDomainOID = NULL;
374
355
        PKIX_PL_CertPolicyMap *certPolicyMap = NULL;
408
389
         * building each CertPolicyMap object in turn
409
390
         */
410
391
        do {
411
 
                policyMap = *policyMaps;
 
392
                CERTPolicyMap *policyMap = *policyMaps;
412
393
 
413
394
                /* create the OID for the issuer Domain Policy */
414
 
 
415
 
                PKIX_CHECK(pkix_pl_oidBytes2Ascii
416
 
                        (&(policyMap->issuerDomainPolicy),
417
 
                        &issuerPolicyOIDAscii,
418
 
                        plContext),
419
 
                        PKIX_OIDBYTES2ASCIIFAILED);
420
 
 
421
 
                PKIX_CHECK(PKIX_PL_OID_Create
422
 
                        (issuerPolicyOIDAscii, &issuerDomainOID, plContext),
 
395
                PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
 
396
                        (&policyMap->issuerDomainPolicy,
 
397
                         &issuerDomainOID, plContext),
423
398
                        PKIX_OIDCREATEFAILED);
424
399
 
425
400
                /* create the OID for the subject Domain Policy */
426
 
 
427
 
                PKIX_CHECK(pkix_pl_oidBytes2Ascii
428
 
                        (&(policyMap->subjectDomainPolicy),
429
 
                        &subjectPolicyOIDAscii,
430
 
                        plContext),
431
 
                        PKIX_OIDBYTES2ASCIIFAILED);
432
 
 
433
 
                PKIX_CHECK(PKIX_PL_OID_Create
434
 
                        (subjectPolicyOIDAscii, &subjectDomainOID, plContext),
 
401
                PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
 
402
                        (&policyMap->subjectDomainPolicy,
 
403
                         &subjectDomainOID, plContext),
435
404
                        PKIX_OIDCREATEFAILED);
436
405
 
437
406
                /* create the CertPolicyMap */
447
416
                        (maps, (PKIX_PL_Object *)certPolicyMap, plContext),
448
417
                        PKIX_LISTAPPENDITEMFAILED);
449
418
 
450
 
                PKIX_FREE(issuerPolicyOIDAscii);
451
 
                PKIX_FREE(subjectPolicyOIDAscii);
452
419
                PKIX_DECREF(issuerDomainOID);
453
420
                PKIX_DECREF(subjectDomainOID);
454
421
                PKIX_DECREF(certPolicyMap);
469
436
            CERT_DestroyPolicyMappingsExtension(certPolMaps);
470
437
        }
471
438
 
472
 
        PKIX_FREE(issuerPolicyOIDAscii);
473
 
        PKIX_FREE(subjectPolicyOIDAscii);
474
439
        PKIX_DECREF(maps);
475
440
        PKIX_DECREF(issuerDomainOID);
476
441
        PKIX_DECREF(subjectDomainOID);
1221
1186
        PKIX_DECREF(cert->store);
1222
1187
        PKIX_DECREF(cert->authorityInfoAccess);
1223
1188
        PKIX_DECREF(cert->subjectInfoAccess);
 
1189
        PKIX_DECREF(cert->crldpList);
1224
1190
 
1225
1191
        if (cert->arenaNameConstraints){
1226
1192
                /* This arena was allocated for SubjectAltNames */
1491
1457
        cert->authorityInfoAccess = NULL;
1492
1458
        cert->subjectInfoAccess = NULL;
1493
1459
        cert->isUserTrustAnchor = PKIX_FALSE;
 
1460
        cert->crldpList = NULL;
1494
1461
 
1495
1462
        *pCert = cert;
1496
1463
 
2052
2019
        PKIX_PL_OID **pSubjKeyAlgId,
2053
2020
        void *plContext)
2054
2021
{
2055
 
        CERTCertificate *nssCert = NULL;
2056
2022
        PKIX_PL_OID *pubKeyAlgId = NULL;
2057
 
        SECAlgorithmID algorithm;
2058
 
        SECItem algBytes;
2059
 
        char *asciiOID = NULL;
2060
2023
 
2061
2024
        PKIX_ENTER(CERT, "PKIX_PL_Cert_GetSubjectPublicKeyAlgId");
2062
2025
        PKIX_NULLCHECK_THREE(cert, cert->nssCert, pSubjKeyAlgId);
2063
2026
 
2064
2027
        /* if we don't have a cached copy from before, we create one */
2065
2028
        if (cert->publicKeyAlgId == NULL){
2066
 
 
2067
2029
                PKIX_OBJECT_LOCK(cert);
2068
 
 
2069
2030
                if (cert->publicKeyAlgId == NULL){
2070
 
 
2071
 
                        nssCert = cert->nssCert;
2072
 
                        algorithm = nssCert->subjectPublicKeyInfo.algorithm;
2073
 
                        algBytes = algorithm.algorithm;
2074
 
 
2075
 
                        PKIX_NULLCHECK_ONE(algBytes.data);
2076
 
                        if (algBytes.len == 0) {
2077
 
                                PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0);
 
2031
                        CERTCertificate *nssCert = cert->nssCert;
 
2032
                        SECAlgorithmID *algorithm;
 
2033
                        SECItem *algBytes;
 
2034
 
 
2035
                        algorithm = &nssCert->subjectPublicKeyInfo.algorithm;
 
2036
                        algBytes = &algorithm->algorithm;
 
2037
                        if (!algBytes->data || !algBytes->len) {
 
2038
                            PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0);
2078
2039
                        }
2079
 
 
2080
 
                        PKIX_CHECK(pkix_pl_oidBytes2Ascii
2081
 
                                    (&algBytes, &asciiOID, plContext),
2082
 
                                    PKIX_OIDBYTES2ASCIIFAILED);
2083
 
 
2084
 
                        PKIX_CHECK(PKIX_PL_OID_Create
2085
 
                                    (asciiOID, &pubKeyAlgId, plContext),
 
2040
                        PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
 
2041
                                    (algBytes, &pubKeyAlgId, plContext),
2086
2042
                                    PKIX_OIDCREATEFAILED);
2087
2043
 
2088
2044
                        /* save a cached copy in case it is asked for again */
2089
2045
                        cert->publicKeyAlgId = pubKeyAlgId;
 
2046
                        pubKeyAlgId = NULL;
2090
2047
                }
2091
 
 
2092
2048
                PKIX_OBJECT_UNLOCK(cert);
2093
2049
        }
2094
2050
 
2096
2052
        *pSubjKeyAlgId = cert->publicKeyAlgId;
2097
2053
 
2098
2054
cleanup:
2099
 
        PKIX_FREE(asciiOID);
 
2055
        PKIX_DECREF(pubKeyAlgId);
2100
2056
        PKIX_RETURN(CERT);
2101
2057
}
2102
2058
 
2413
2369
        CERTCertificate *nssCert = NULL;
2414
2370
        PKIX_PL_OID *pkixOID = NULL;
2415
2371
        PKIX_List *oidsList = NULL;
2416
 
        char *oidAscii = NULL;
2417
2372
        SECItem **oids = NULL;
2418
 
        SECItem *oid = NULL;
2419
2373
        SECItem encodedExtKeyUsage;
2420
2374
        SECStatus rv;
2421
2375
 
2462
2416
                                    PKIX_LISTCREATEFAILED);
2463
2417
 
2464
2418
                        while (*oids){
2465
 
                                oid = *oids++;
2466
 
 
2467
 
                                PKIX_CHECK(pkix_pl_oidBytes2Ascii
2468
 
                                            (oid, &oidAscii, plContext),
2469
 
                                            PKIX_OIDBYTES2ASCIIFAILED);
2470
 
 
2471
 
                                PKIX_CHECK(PKIX_PL_OID_Create
2472
 
                                            (oidAscii, &pkixOID, plContext),
 
2419
                                SECItem *oid = *oids++;
 
2420
 
 
2421
                                PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
 
2422
                                            (oid, &pkixOID, plContext),
2473
2423
                                            PKIX_OIDCREATEFAILED);
2474
2424
 
2475
2425
                                PKIX_CHECK(PKIX_List_AppendItem
2477
2427
                                            (PKIX_PL_Object *)pkixOID,
2478
2428
                                            plContext),
2479
2429
                                            PKIX_LISTAPPENDITEMFAILED);
2480
 
 
2481
 
                                PKIX_FREE(oidAscii);
2482
 
 
2483
2430
                                PKIX_DECREF(pkixOID);
2484
2431
                        }
2485
2432
 
2501
2448
cleanup:
2502
2449
        PKIX_OBJECT_UNLOCK(lockedObject);
2503
2450
 
2504
 
        PKIX_FREE(oidAscii);
2505
2451
        PKIX_DECREF(pkixOID);
2506
2452
        PKIX_DECREF(oidsList);
2507
2453
        CERT_DestroyOidSequence(extKeyUsage);
3040
2986
}
3041
2987
 
3042
2988
/*
 
2989
 * FUNCTION: PKIX_PL_Cert_VerifyCertAndKeyType (see comments in pkix_pl_pki.h)
 
2990
 */
 
2991
PKIX_Error *
 
2992
PKIX_PL_Cert_VerifyCertAndKeyType(
 
2993
        PKIX_PL_Cert *cert,
 
2994
        PKIX_Boolean isChainCert,
 
2995
        void *plContext)
 
2996
{
 
2997
    PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
 
2998
    SECCertificateUsage certificateUsage;
 
2999
    SECCertUsage certUsage = 0;
 
3000
    unsigned int requiredKeyUsage;
 
3001
    unsigned int requiredCertType;
 
3002
    unsigned int certType;
 
3003
    SECStatus rv = SECSuccess;
 
3004
    
 
3005
    PKIX_ENTER(CERT, "PKIX_PL_Cert_VerifyCertType");
 
3006
    PKIX_NULLCHECK_TWO(cert, plContext);
 
3007
    
 
3008
    certificateUsage = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
 
3009
    
 
3010
    /* ensure we obtained a single usage bit only */
 
3011
    PORT_Assert(!(certificateUsage & (certificateUsage - 1)));
 
3012
    
 
3013
    /* convert SECertificateUsage (bit mask) to SECCertUsage (enum) */
 
3014
    while (0 != (certificateUsage = certificateUsage >> 1)) { certUsage++; }
 
3015
 
 
3016
    /* check key usage and netscape cert type */
 
3017
    cert_GetCertType(cert->nssCert);
 
3018
    certType = cert->nssCert->nsCertType;
 
3019
    if (isChainCert ||
 
3020
        (certUsage != certUsageVerifyCA && certUsage != certUsageAnyCA)) {
 
3021
        rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, isChainCert,
 
3022
                                              &requiredKeyUsage,
 
3023
                                              &requiredCertType);
 
3024
        if (rv == SECFailure) {
 
3025
            PKIX_ERROR(PKIX_UNSUPPORTEDCERTUSAGE);
 
3026
        }
 
3027
    } else {
 
3028
        /* use this key usage and cert type for certUsageAnyCA and
 
3029
         * certUsageVerifyCA. */
 
3030
        requiredKeyUsage = KU_KEY_CERT_SIGN;
 
3031
        requiredCertType = NS_CERT_TYPE_CA;
 
3032
    }
 
3033
    if (CERT_CheckKeyUsage(cert->nssCert, requiredKeyUsage) != SECSuccess) {
 
3034
        PKIX_ERROR(PKIX_CERTCHECKKEYUSAGEFAILED);
 
3035
    }
 
3036
    if (!(certType & requiredCertType)) {
 
3037
        PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
 
3038
    }
 
3039
cleanup:
 
3040
    PKIX_DECREF(basicConstraints);
 
3041
    PKIX_RETURN(CERT);
 
3042
}
 
3043
 
 
3044
/*
3043
3045
 * FUNCTION: PKIX_PL_Cert_VerifyKeyUsage (see comments in pkix_pl_pki.h)
3044
3046
 */
3045
3047
PKIX_Error *
3581
3583
}
3582
3584
 
3583
3585
/*
 
3586
 * FUNCTION: PKIX_PL_Cert_GetCrlDp
 
3587
 * (see comments in pkix_pl_pki.h)
 
3588
 */
 
3589
PKIX_Error *
 
3590
PKIX_PL_Cert_GetCrlDp(
 
3591
    PKIX_PL_Cert *cert,
 
3592
    PKIX_List **pDpList,
 
3593
    void *plContext)
 
3594
{
 
3595
    PKIX_UInt32 dpIndex = 0;
 
3596
    pkix_pl_CrlDp *dp = NULL; 
 
3597
    CERTCrlDistributionPoints *dpoints = NULL;
 
3598
 
 
3599
    PKIX_ENTER(CERT, "PKIX_PL_Cert_GetCrlDp");
 
3600
    PKIX_NULLCHECK_THREE(cert, cert->nssCert, pDpList);
 
3601
                
 
3602
    /* if we don't have a cached copy from before, we create one */
 
3603
    if (cert->crldpList == NULL) {
 
3604
        PKIX_OBJECT_LOCK(cert);
 
3605
        if (cert->crldpList != NULL) {
 
3606
            goto cleanup;
 
3607
        }
 
3608
        PKIX_CHECK(PKIX_List_Create(&cert->crldpList, plContext),
 
3609
                   PKIX_LISTCREATEFAILED);
 
3610
        dpoints = CERT_FindCRLDistributionPoints(cert->nssCert);
 
3611
        if (!dpoints || !dpoints->distPoints) {
 
3612
            goto cleanup;
 
3613
        }
 
3614
        for (;dpoints->distPoints[dpIndex];dpIndex++) {
 
3615
            PKIX_CHECK(
 
3616
                pkix_pl_CrlDp_Create(dpoints->distPoints[dpIndex],
 
3617
                                     &cert->nssCert->issuer,
 
3618
                                     &dp, plContext),
 
3619
                PKIX_CRLDPCREATEFAILED);
 
3620
            /* Create crldp list in reverse order in attempt to get
 
3621
             * to the whole crl first. */
 
3622
            PKIX_CHECK(
 
3623
                PKIX_List_InsertItem(cert->crldpList, 0,
 
3624
                                     (PKIX_PL_Object*)dp,
 
3625
                                     plContext),
 
3626
                PKIX_LISTAPPENDITEMFAILED);
 
3627
            PKIX_DECREF(dp);
 
3628
        }
 
3629
    }
 
3630
cleanup:
 
3631
    PKIX_INCREF(cert->crldpList);
 
3632
    *pDpList = cert->crldpList;
 
3633
 
 
3634
    PKIX_OBJECT_UNLOCK(lockedObject);
 
3635
    PKIX_DECREF(dp);
 
3636
 
 
3637
    PKIX_RETURN(CERT);
 
3638
}
 
3639
 
 
3640
/*
3584
3641
 * FUNCTION: PKIX_PL_Cert_GetCERTCertificate
3585
3642
 * (see comments in pkix_pl_pki.h)
3586
3643
 */