146
146
/* Allocated in the arena; freed in CERT_Destroy... */
147
147
CERTCertificatePolicies *certPol = NULL;
148
148
CERTPolicyInfo **policyInfos = NULL;
149
CERTPolicyInfo *policyInfo = NULL;
150
CERTPolicyQualifier **policyQualifiers = NULL;
151
CERTPolicyQualifier *policyQualifier = NULL;
153
150
/* Holder for the return value */
154
151
PKIX_List *infos = NULL;
156
char *oidAscii = NULL;
157
153
PKIX_PL_OID *pkixOID = NULL;
158
154
PKIX_List *qualifiers = NULL;
159
155
PKIX_PL_CertPolicyInfo *certPolicyInfo = NULL;
204
200
* building each PKIX_PL_CertPolicyInfo object in turn
206
202
while (*policyInfos != NULL) {
207
policyInfo = *policyInfos;
208
policyQualifiers = policyInfo->policyQualifiers;
203
CERTPolicyInfo *policyInfo = *policyInfos;
204
CERTPolicyQualifier **policyQualifiers =
205
policyInfo->policyQualifiers;
209
206
if (policyQualifiers) {
210
207
/* create a PKIX_List of PKIX_PL_CertPolicyQualifiers */
211
208
PKIX_CHECK(PKIX_List_Create(&qualifiers, plContext),
212
209
PKIX_LISTCREATEFAILED);
214
211
while (*policyQualifiers != NULL) {
215
policyQualifier = *policyQualifiers;
212
CERTPolicyQualifier *policyQualifier =
217
215
/* create the qualifier's OID object */
219
PKIX_CHECK(pkix_pl_oidBytes2Ascii
220
(&(policyQualifier->qualifierID),
223
PKIX_OIDBYTES2ASCIIFAILED);
225
PKIX_CHECK(PKIX_PL_OID_Create
226
(oidAscii, &pkixOID, plContext),
216
PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
217
(&policyQualifier->qualifierID,
218
&pkixOID, plContext),
227
219
PKIX_OIDCREATEFAILED);
229
221
/* create qualifier's ByteArray object */
269
260
* (The CERTPolicyInfo structure has an oid field, but it
270
261
* is of type SECOidTag. This function wants a SECItem.)
273
PKIX_CHECK(pkix_pl_oidBytes2Ascii
274
(&(policyInfo->policyID), &oidAscii, plContext),
275
PKIX_OIDBYTES2ASCIIFAILED);
277
PKIX_CHECK(PKIX_PL_OID_Create
278
(oidAscii, &pkixOID, plContext),
263
PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
264
(&policyInfo->policyID, &pkixOID, plContext),
279
265
PKIX_OIDCREATEFAILED);
281
267
/* Create a CertPolicyInfo object */
288
274
(infos, (PKIX_PL_Object *)certPolicyInfo, plContext),
289
275
PKIX_LISTAPPENDITEMFAILED);
292
277
PKIX_DECREF(pkixOID);
293
278
PKIX_DECREF(qualifiers);
294
279
PKIX_DECREF(certPolicyInfo);
362
346
/* Allocated in the arena; freed in CERT_Destroy... */
363
347
CERTCertificatePolicyMappings *certPolMaps = NULL;
364
348
CERTPolicyMap **policyMaps = NULL;
365
CERTPolicyMap *policyMap = NULL;
367
350
/* Holder for the return value */
368
351
PKIX_List *maps = NULL;
370
char *issuerPolicyOIDAscii = NULL;
371
char *subjectPolicyOIDAscii = NULL;
372
353
PKIX_PL_OID *issuerDomainOID = NULL;
373
354
PKIX_PL_OID *subjectDomainOID = NULL;
374
355
PKIX_PL_CertPolicyMap *certPolicyMap = NULL;
408
389
* building each CertPolicyMap object in turn
411
policyMap = *policyMaps;
392
CERTPolicyMap *policyMap = *policyMaps;
413
394
/* create the OID for the issuer Domain Policy */
415
PKIX_CHECK(pkix_pl_oidBytes2Ascii
416
(&(policyMap->issuerDomainPolicy),
417
&issuerPolicyOIDAscii,
419
PKIX_OIDBYTES2ASCIIFAILED);
421
PKIX_CHECK(PKIX_PL_OID_Create
422
(issuerPolicyOIDAscii, &issuerDomainOID, plContext),
395
PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
396
(&policyMap->issuerDomainPolicy,
397
&issuerDomainOID, plContext),
423
398
PKIX_OIDCREATEFAILED);
425
400
/* create the OID for the subject Domain Policy */
427
PKIX_CHECK(pkix_pl_oidBytes2Ascii
428
(&(policyMap->subjectDomainPolicy),
429
&subjectPolicyOIDAscii,
431
PKIX_OIDBYTES2ASCIIFAILED);
433
PKIX_CHECK(PKIX_PL_OID_Create
434
(subjectPolicyOIDAscii, &subjectDomainOID, plContext),
401
PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
402
(&policyMap->subjectDomainPolicy,
403
&subjectDomainOID, plContext),
435
404
PKIX_OIDCREATEFAILED);
437
406
/* create the CertPolicyMap */
447
416
(maps, (PKIX_PL_Object *)certPolicyMap, plContext),
448
417
PKIX_LISTAPPENDITEMFAILED);
450
PKIX_FREE(issuerPolicyOIDAscii);
451
PKIX_FREE(subjectPolicyOIDAscii);
452
419
PKIX_DECREF(issuerDomainOID);
453
420
PKIX_DECREF(subjectDomainOID);
454
421
PKIX_DECREF(certPolicyMap);
469
436
CERT_DestroyPolicyMappingsExtension(certPolMaps);
472
PKIX_FREE(issuerPolicyOIDAscii);
473
PKIX_FREE(subjectPolicyOIDAscii);
474
439
PKIX_DECREF(maps);
475
440
PKIX_DECREF(issuerDomainOID);
476
441
PKIX_DECREF(subjectDomainOID);
1221
1186
PKIX_DECREF(cert->store);
1222
1187
PKIX_DECREF(cert->authorityInfoAccess);
1223
1188
PKIX_DECREF(cert->subjectInfoAccess);
1189
PKIX_DECREF(cert->crldpList);
1225
1191
if (cert->arenaNameConstraints){
1226
1192
/* This arena was allocated for SubjectAltNames */
2052
2019
PKIX_PL_OID **pSubjKeyAlgId,
2053
2020
void *plContext)
2055
CERTCertificate *nssCert = NULL;
2056
2022
PKIX_PL_OID *pubKeyAlgId = NULL;
2057
SECAlgorithmID algorithm;
2059
char *asciiOID = NULL;
2061
2024
PKIX_ENTER(CERT, "PKIX_PL_Cert_GetSubjectPublicKeyAlgId");
2062
2025
PKIX_NULLCHECK_THREE(cert, cert->nssCert, pSubjKeyAlgId);
2064
2027
/* if we don't have a cached copy from before, we create one */
2065
2028
if (cert->publicKeyAlgId == NULL){
2067
2029
PKIX_OBJECT_LOCK(cert);
2069
2030
if (cert->publicKeyAlgId == NULL){
2071
nssCert = cert->nssCert;
2072
algorithm = nssCert->subjectPublicKeyInfo.algorithm;
2073
algBytes = algorithm.algorithm;
2075
PKIX_NULLCHECK_ONE(algBytes.data);
2076
if (algBytes.len == 0) {
2077
PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0);
2031
CERTCertificate *nssCert = cert->nssCert;
2032
SECAlgorithmID *algorithm;
2035
algorithm = &nssCert->subjectPublicKeyInfo.algorithm;
2036
algBytes = &algorithm->algorithm;
2037
if (!algBytes->data || !algBytes->len) {
2038
PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0);
2080
PKIX_CHECK(pkix_pl_oidBytes2Ascii
2081
(&algBytes, &asciiOID, plContext),
2082
PKIX_OIDBYTES2ASCIIFAILED);
2084
PKIX_CHECK(PKIX_PL_OID_Create
2085
(asciiOID, &pubKeyAlgId, plContext),
2040
PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
2041
(algBytes, &pubKeyAlgId, plContext),
2086
2042
PKIX_OIDCREATEFAILED);
2088
2044
/* save a cached copy in case it is asked for again */
2089
2045
cert->publicKeyAlgId = pubKeyAlgId;
2092
2048
PKIX_OBJECT_UNLOCK(cert);
2462
2416
PKIX_LISTCREATEFAILED);
2467
PKIX_CHECK(pkix_pl_oidBytes2Ascii
2468
(oid, &oidAscii, plContext),
2469
PKIX_OIDBYTES2ASCIIFAILED);
2471
PKIX_CHECK(PKIX_PL_OID_Create
2472
(oidAscii, &pkixOID, plContext),
2419
SECItem *oid = *oids++;
2421
PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
2422
(oid, &pkixOID, plContext),
2473
2423
PKIX_OIDCREATEFAILED);
2475
2425
PKIX_CHECK(PKIX_List_AppendItem
2989
* FUNCTION: PKIX_PL_Cert_VerifyCertAndKeyType (see comments in pkix_pl_pki.h)
2992
PKIX_PL_Cert_VerifyCertAndKeyType(
2994
PKIX_Boolean isChainCert,
2997
PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
2998
SECCertificateUsage certificateUsage;
2999
SECCertUsage certUsage = 0;
3000
unsigned int requiredKeyUsage;
3001
unsigned int requiredCertType;
3002
unsigned int certType;
3003
SECStatus rv = SECSuccess;
3005
PKIX_ENTER(CERT, "PKIX_PL_Cert_VerifyCertType");
3006
PKIX_NULLCHECK_TWO(cert, plContext);
3008
certificateUsage = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
3010
/* ensure we obtained a single usage bit only */
3011
PORT_Assert(!(certificateUsage & (certificateUsage - 1)));
3013
/* convert SECertificateUsage (bit mask) to SECCertUsage (enum) */
3014
while (0 != (certificateUsage = certificateUsage >> 1)) { certUsage++; }
3016
/* check key usage and netscape cert type */
3017
cert_GetCertType(cert->nssCert);
3018
certType = cert->nssCert->nsCertType;
3020
(certUsage != certUsageVerifyCA && certUsage != certUsageAnyCA)) {
3021
rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, isChainCert,
3024
if (rv == SECFailure) {
3025
PKIX_ERROR(PKIX_UNSUPPORTEDCERTUSAGE);
3028
/* use this key usage and cert type for certUsageAnyCA and
3029
* certUsageVerifyCA. */
3030
requiredKeyUsage = KU_KEY_CERT_SIGN;
3031
requiredCertType = NS_CERT_TYPE_CA;
3033
if (CERT_CheckKeyUsage(cert->nssCert, requiredKeyUsage) != SECSuccess) {
3034
PKIX_ERROR(PKIX_CERTCHECKKEYUSAGEFAILED);
3036
if (!(certType & requiredCertType)) {
3037
PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
3040
PKIX_DECREF(basicConstraints);
3043
3045
* FUNCTION: PKIX_PL_Cert_VerifyKeyUsage (see comments in pkix_pl_pki.h)
3586
* FUNCTION: PKIX_PL_Cert_GetCrlDp
3587
* (see comments in pkix_pl_pki.h)
3590
PKIX_PL_Cert_GetCrlDp(
3592
PKIX_List **pDpList,
3595
PKIX_UInt32 dpIndex = 0;
3596
pkix_pl_CrlDp *dp = NULL;
3597
CERTCrlDistributionPoints *dpoints = NULL;
3599
PKIX_ENTER(CERT, "PKIX_PL_Cert_GetCrlDp");
3600
PKIX_NULLCHECK_THREE(cert, cert->nssCert, pDpList);
3602
/* if we don't have a cached copy from before, we create one */
3603
if (cert->crldpList == NULL) {
3604
PKIX_OBJECT_LOCK(cert);
3605
if (cert->crldpList != NULL) {
3608
PKIX_CHECK(PKIX_List_Create(&cert->crldpList, plContext),
3609
PKIX_LISTCREATEFAILED);
3610
dpoints = CERT_FindCRLDistributionPoints(cert->nssCert);
3611
if (!dpoints || !dpoints->distPoints) {
3614
for (;dpoints->distPoints[dpIndex];dpIndex++) {
3616
pkix_pl_CrlDp_Create(dpoints->distPoints[dpIndex],
3617
&cert->nssCert->issuer,
3619
PKIX_CRLDPCREATEFAILED);
3620
/* Create crldp list in reverse order in attempt to get
3621
* to the whole crl first. */
3623
PKIX_List_InsertItem(cert->crldpList, 0,
3624
(PKIX_PL_Object*)dp,
3626
PKIX_LISTAPPENDITEMFAILED);
3631
PKIX_INCREF(cert->crldpList);
3632
*pDpList = cert->crldpList;
3634
PKIX_OBJECT_UNLOCK(lockedObject);
3584
3641
* FUNCTION: PKIX_PL_Cert_GetCERTCertificate
3585
3642
* (see comments in pkix_pl_pki.h)