/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* CRLSelector Function Definitions */
#include "pkix_crlselector.h"
/* --CRLSelector Private-Functions-------------------------------------- */
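/*
 * FUNCTION: pkix_CRLSelector_Destroy
 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
 *
 * Clears the match callback and releases the selector's references to its
 * params and context objects. Reports PKIX_OBJECTNOTCRLSELECTOR when
 * "object" is not of type PKIX_CRLSELECTOR_TYPE.
 */
static PKIX_Error *
pkix_CRLSelector_Destroy(
        PKIX_PL_Object *object,
        void *plContext)
{
        PKIX_CRLSelector *selector = NULL;

        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Destroy");
        PKIX_NULLCHECK_ONE(object);

        /* Confirm the dynamic type before the downcast below. */
        PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
                    PKIX_OBJECTNOTCRLSELECTOR);

        selector = (PKIX_CRLSelector *)object;

        /* The callback is a plain function pointer, so it is only cleared. */
        selector->matchCallback = NULL;

        /* Drop the references this selector holds on its members. */
        PKIX_DECREF(selector->params);
        PKIX_DECREF(selector->context);

cleanup:

        PKIX_RETURN(CRLSELECTOR);
}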
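/*
 * FUNCTION: pkix_CRLSelector_ToString_Helper
 *
 * DESCRIPTION:
 *  Helper function that creates a string representation of the CRLSelector
 *  pointed to by "crlSelector" and stores its address in the object pointed
 *  to by "pString". The string contains the match callback address, the
 *  string form of the selector's params and the string form of its context.
 *
 * PARAMETERS
 *  "crlSelector"
 *      Address of CRLSelector whose string representation is desired.
 *      Must be non-NULL, and its params member must be non-NULL.
 *  "pString"
 *      Address of object pointer's destination. Must be non-NULL.
 *  "plContext" - Platform-specific context pointer.
 *
 * THREAD SAFETY:
 *  Conditionally Thread Safe
 *      (see Thread Safety Definitions in Programmer's Guide)
 *
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a CRLSelector Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 */
static PKIX_Error *
pkix_CRLSelector_ToString_Helper(
        PKIX_CRLSelector *crlSelector,
        PKIX_PL_String **pString,
        void *plContext)
{
        PKIX_PL_String *crlSelectorString = NULL;
        PKIX_PL_String *formatString = NULL;
        PKIX_PL_String *crlParamsString = NULL;
        PKIX_PL_String *crlContextString = NULL;
        char *asciiFormat = NULL;

        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_ToString_Helper");
        PKIX_NULLCHECK_TWO(crlSelector, pString);
        PKIX_NULLCHECK_ONE(crlSelector->params);

        /*
         * NOTE(review): only the MatchCallback line of this format is
         * visible in the listing this was restored from; the remaining
         * lines are written to match the three PKIX_PL_Sprintf arguments
         * below and their exact spacing should be confirmed against the
         * tree.
         */
        asciiFormat =
                "\n\t[\n"
                "\tMatchCallback: 0x%x\n"
                "\tParams:          %s\n"
                "\tContext:         %s\n"
                "\t]\n";

        PKIX_CHECK(PKIX_PL_String_Create
                    (PKIX_ESCASCII,
                    asciiFormat,
                    0,
                    &formatString,
                    plContext),
                    PKIX_STRINGCREATEFAILED);

        /* Params */
        PKIX_CHECK(PKIX_PL_Object_ToString
                    ((PKIX_PL_Object *)crlSelector->params,
                    &crlParamsString,
                    plContext),
                    PKIX_COMCRLSELPARAMSTOSTRINGFAILED);

        /* Context */
        PKIX_TOSTRING(crlSelector->context, &crlContextString, plContext,
                    PKIX_LISTTOSTRINGFAILED);

        /*
         * NOTE(review): the callback's address is formatted into the
         * result, so any log or message that carries this string discloses
         * a code address. A function pointer is also passed for a %x
         * conversion; confirm how PKIX_PL_Sprintf reads that argument on
         * builds where pointers are wider than 32 bits.
         */
        PKIX_CHECK(PKIX_PL_Sprintf
                    (&crlSelectorString,
                    plContext,
                    formatString,
                    crlSelector->matchCallback,
                    crlParamsString,
                    crlContextString),
                    PKIX_SPRINTFFAILED);

        *pString = crlSelectorString;

cleanup:

        /* The intermediate strings are released on success and failure. */
        PKIX_DECREF(crlParamsString);
        PKIX_DECREF(crlContextString);
        PKIX_DECREF(formatString);

        PKIX_RETURN(CRLSELECTOR);
}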
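/*
 * FUNCTION: pkix_CRLSelector_ToString
 * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
 *
 * Type-checks "object" and delegates to pkix_CRLSelector_ToString_Helper;
 * the resulting string is stored at "pString".
 */
static PKIX_Error *
pkix_CRLSelector_ToString(
        PKIX_PL_Object *object,
        PKIX_PL_String **pString,
        void *plContext)
{
        PKIX_PL_String *crlSelectorString = NULL;
        PKIX_CRLSelector *crlSelector = NULL;

        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_ToString");
        PKIX_NULLCHECK_TWO(object, pString);

        /* Confirm the dynamic type before the downcast below. */
        PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
                    PKIX_OBJECTNOTCRLSELECTOR);

        crlSelector = (PKIX_CRLSelector *) object;

        PKIX_CHECK(pkix_CRLSelector_ToString_Helper
                    (crlSelector, &crlSelectorString, plContext),
                    PKIX_CRLSELECTORTOSTRINGHELPERFAILED);

        *pString = crlSelectorString;

cleanup:

        PKIX_RETURN(CRLSELECTOR);
}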
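/*
 * FUNCTION: pkix_CRLSelector_Hashcode
 * (see comments for PKIX_PL_HashcodeCallback in pkix_pl_system.h)
 *
 * Combines the match callback address, the context hash and the params
 * hash into a single 32-bit value stored at "pHashcode".
 */
static PKIX_Error *
pkix_CRLSelector_Hashcode(
        PKIX_PL_Object *object,
        PKIX_UInt32 *pHashcode,
        void *plContext)
{
        PKIX_UInt32 paramsHash = 0;
        PKIX_UInt32 contextHash = 0;
        PKIX_UInt32 hash = 0;

        PKIX_CRLSelector *crlSelector = NULL;

        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Hashcode");
        PKIX_NULLCHECK_TWO(object, pHashcode);

        /* Confirm the dynamic type before the downcast below. */
        PKIX_CHECK(pkix_CheckType(object, PKIX_CRLSELECTOR_TYPE, plContext),
                    PKIX_OBJECTNOTCRLSELECTOR);

        crlSelector = (PKIX_CRLSelector *)object;

        /* The listing showed a mis-encoded character here; it is &paramsHash. */
        PKIX_HASHCODE(crlSelector->params, &paramsHash, plContext,
                PKIX_OBJECTHASHCODEFAILED);

        PKIX_HASHCODE(crlSelector->context, &contextHash, plContext,
                PKIX_OBJECTHASHCODEFAILED);

        /*
         * NOTE(review): the cast narrows a function pointer to 32 bits, so
         * on builds with wider pointers only part of the address takes part
         * in the hash. The value is derived from a code address and should
         * not be exposed outside the process.
         */
        hash = 31 * ((PKIX_UInt32)crlSelector->matchCallback +
                    (contextHash << 3)) + paramsHash;

        /*
         * NOTE(review): the store below is not visible in the listing this
         * was restored from; it is the function's only output.
         */
        *pHashcode = hash;

cleanup:

        PKIX_RETURN(CRLSELECTOR);
}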
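/*
 * FUNCTION: pkix_CRLSelector_Equals
 * (see comments for PKIX_PL_Equals_Callback in pkix_pl_system.h)
 *
 * Two CRLSelectors are equal when they share the same match callback
 * address and their params and context objects compare equal. A second
 * object of another type yields PKIX_FALSE rather than an error.
 */
static PKIX_Error *
pkix_CRLSelector_Equals(
        PKIX_PL_Object *firstObject,
        PKIX_PL_Object *secondObject,
        PKIX_Boolean *pResult,
        void *plContext)
{
        PKIX_CRLSelector *firstCrlSelector = NULL;
        PKIX_CRLSelector *secondCrlSelector = NULL;
        PKIX_UInt32 secondType;
        PKIX_Boolean cmpResult = PKIX_FALSE;

        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Equals");
        PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);

        /* test that firstObject is a CRLSelector */
        PKIX_CHECK(pkix_CheckType
                    (firstObject, PKIX_CRLSELECTOR_TYPE, plContext),
                    PKIX_FIRSTOBJECTNOTCRLSELECTOR);

        firstCrlSelector = (PKIX_CRLSelector *)firstObject;
        /*
         * secondObject is cast before its type is known; until the type
         * check below passes it is only used for pointer comparison and
         * for the GetType call, never dereferenced as a CRLSelector.
         */
        secondCrlSelector = (PKIX_CRLSelector *)secondObject;

        /*
         * Since we know firstObject is a CRLSelector, if both references are
         * identical, they must be equal
         */
        if (firstCrlSelector == secondCrlSelector){
                *pResult = PKIX_TRUE;
                goto cleanup;
        }

        /*
         * If secondCRLSelector isn't a CRLSelector, we don't throw an error.
         * We simply return a Boolean result of FALSE
         */
        *pResult = PKIX_FALSE;
        PKIX_CHECK(PKIX_PL_Object_GetType
                    ((PKIX_PL_Object *)secondCrlSelector,
                    &secondType,
                    plContext),
                    PKIX_COULDNOTGETTYPEOFSECONDARGUMENT);

        if (secondType != PKIX_CRLSELECTOR_TYPE) {
                goto cleanup;
        }

        /* Compare MatchCallback address */
        cmpResult = (firstCrlSelector->matchCallback ==
                    secondCrlSelector->matchCallback);

        if (cmpResult == PKIX_FALSE) {
                goto cleanup;
        }

        /* Compare Common CRL Selector Params */
        PKIX_EQUALS
                (firstCrlSelector->params,
                secondCrlSelector->params,
                &cmpResult,
                plContext,
                PKIX_COMCRLSELPARAMSEQUALSFAILED);

        if (cmpResult == PKIX_FALSE) {
                goto cleanup;
        }

        /*
         * Compare Context
         * NOTE(review): this reuses the params error code, so a failure
         * here is reported as a params comparison failure.
         */
        PKIX_EQUALS
                (firstCrlSelector->context,
                secondCrlSelector->context,
                &cmpResult,
                plContext,
                PKIX_COMCRLSELPARAMSEQUALSFAILED);

        *pResult = cmpResult;

cleanup:

        PKIX_RETURN(CRLSELECTOR);
}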
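/*
 * FUNCTION: pkix_CRLSelector_Duplicate
 * (see comments for PKIX_PL_Duplicate_Callback in pkix_pl_system.h)
 *
 * Allocates a new CRLSelector, copies the match callback pointer and
 * duplicates the params and context objects into it. On failure the
 * partially built object is released and nothing is stored at
 * "pNewObject".
 */
static PKIX_Error *
pkix_CRLSelector_Duplicate(
        PKIX_PL_Object *object,
        PKIX_PL_Object **pNewObject,
        void *plContext)
{
        PKIX_CRLSelector *old;
        PKIX_CRLSelector *new = NULL;

        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_Duplicate");
        PKIX_NULLCHECK_TWO(object, pNewObject);

        /* Confirm the dynamic type before the downcast below. */
        PKIX_CHECK(pkix_CheckType
                    (object, PKIX_CRLSELECTOR_TYPE, plContext),
                    PKIX_OBJECTNOTCRLSELECTOR);

        old = (PKIX_CRLSelector *)object;

        PKIX_CHECK(PKIX_PL_Object_Alloc
                    (PKIX_CRLSELECTOR_TYPE,
                    (PKIX_UInt32)(sizeof (PKIX_CRLSelector)),
                    (PKIX_PL_Object **)&new,
                    plContext),
                    PKIX_CREATECRLSELECTORDUPLICATEOBJECTFAILED);

        new->matchCallback = old->matchCallback;

        /*
         * Clear both references first: if a duplication below fails, the
         * cleanup path releases "new", and its destructor must not see an
         * unset params or context pointer.
         * NOTE(review): assumes PKIX_PL_Object_Alloc does not zero the
         * payload, as the explicit field initialisation in
         * pkix_CRLSelector_Create suggests.
         */
        new->params = NULL;
        new->context = NULL;

        PKIX_DUPLICATE(old->params, &new->params, plContext,
                    PKIX_OBJECTDUPLICATEPARAMSFAILED);

        PKIX_DUPLICATE(old->context, &new->context, plContext,
                PKIX_OBJECTDUPLICATECONTEXTFAILED);

        *pNewObject = (PKIX_PL_Object *)new;

cleanup:

        /* Only a failed duplication gives up the new object. */
        if (PKIX_ERROR_RECEIVED){
                PKIX_DECREF(new);
        }

        PKIX_RETURN(CRLSELECTOR);
}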
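/*
 * FUNCTION: pkix_CRLSelector_DefaultMatch
 *
 * DESCRIPTION:
 *  This function compares the parameter values (Issuer, date, and CRL number)
 *  set in the ComCRLSelParams of the CRLSelector pointed to by "selector" with
 *  the corresponding values in the CRL pointed to by "crl". When all the
 *  criteria set in the parameter values match the values in "crl", PKIX_TRUE is
 *  stored at "pMatch". If the CRL does not match the CRLSelector's criteria,
 *  PKIX_FALSE is stored at "pMatch".
 *
 *  Points a reviewer should keep in mind when relying on the result:
 *   - a selector without params matches every CRL;
 *   - the date criterion is applied only when the params report that NIST
 *     policy is enabled;
 *   - the min/max CRL number criteria are applied only when the CRL
 *     carries a CRL number, so a CRL without one passes them.
 *
 * PARAMETERS
 *  "selector"
 *      Address of CRLSelector which is verified for a match
 *      Must be non-NULL.
 *  "crl"
 *      Address of the CRL object to be verified. Must be non-NULL.
 *  "pMatch"
 *      Address at which Boolean result is stored. Must be non-NULL.
 *  "plContext"
 *      Platform-specific context pointer.
 *
 * THREAD SAFETY:
 *  Conditionally Thread Safe
 *      (see Thread Safety Definitions in Programmer's Guide)
 *
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a CRLSelector Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 */
static PKIX_Error *
pkix_CRLSelector_DefaultMatch(
        PKIX_CRLSelector *selector,
        PKIX_PL_CRL *crl,
        PKIX_Boolean *pMatch,
        void *plContext)
{
        PKIX_ComCRLSelParams *params = NULL;
        PKIX_PL_X500Name *crlIssuerName = NULL;
        PKIX_PL_X500Name *issuerName = NULL;
        PKIX_List *selIssuerNames = NULL;
        PKIX_PL_Date *selDate = NULL;
        PKIX_Boolean result = PKIX_TRUE;
        PKIX_UInt32 numIssuers = 0;
        PKIX_UInt32 i;
        PKIX_PL_BigInt *minCRLNumber = NULL;
        PKIX_PL_BigInt *maxCRLNumber = NULL;
        PKIX_PL_BigInt *crlNumber = NULL;
        PKIX_Boolean nistPolicyEnabled = PKIX_FALSE;

        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_DefaultMatch");
        /* pMatch is written unconditionally below, so it is checked too. */
        PKIX_NULLCHECK_THREE(selector, crl, pMatch);

        /*
         * Start from "match"; each criterion below can only turn it off.
         * NOTE(review): this initial store is not visible in the listing
         * this was restored from.
         */
        *pMatch = PKIX_TRUE;
        params = selector->params;

        /* No matching parameter provided, just a match */
        if (params == NULL) {
                goto cleanup;
        }

        PKIX_CHECK(PKIX_ComCRLSelParams_GetIssuerNames
                    (params, &selIssuerNames, plContext),
                    PKIX_COMCRLSELPARAMSGETISSUERNAMESFAILED);

        /* Check for Issuers */
        if (selIssuerNames != NULL){

                /* With an issuer list present, a match has to be found. */
                result = PKIX_FALSE;

                PKIX_CHECK(PKIX_PL_CRL_GetIssuer
                            (crl, &crlIssuerName, plContext),
                            PKIX_CRLGETISSUERFAILED);

                PKIX_CHECK(PKIX_List_GetLength
                            (selIssuerNames, &numIssuers, plContext),
                            PKIX_LISTGETLENGTHFAILED);

                /* The CRL issuer has to match any one of the listed names. */
                for (i = 0; i < numIssuers; i++){

                        PKIX_CHECK(PKIX_List_GetItem
                                    (selIssuerNames,
                                    i,
                                    (PKIX_PL_Object **)&issuerName,
                                    plContext),
                                    PKIX_LISTGETITEMFAILED);

                        PKIX_CHECK(PKIX_PL_X500Name_Match
                                    (crlIssuerName,
                                    issuerName,
                                    &result,
                                    plContext),
                                    PKIX_X500NAMEMATCHFAILED);

                        PKIX_DECREF(issuerName);

                        if (result == PKIX_TRUE) {
                                break;
                        }
                }

                if (result == PKIX_FALSE) {
                        /* "\N" is not a valid escape; a newline is meant. */
                        PKIX_CRLSELECTOR_DEBUG("Issuer Match Failed\n");
                        *pMatch = PKIX_FALSE;
                        goto cleanup;
                }

        }

        PKIX_CHECK(PKIX_ComCRLSelParams_GetDateAndTime
                    (params, &selDate, plContext),
                    PKIX_COMCRLSELPARAMSGETDATEANDTIMEFAILED);

        /* Check for Date */
        if (selDate != NULL){

                PKIX_CHECK(PKIX_ComCRLSelParams_GetNISTPolicyEnabled
                            (params, &nistPolicyEnabled, plContext),
                            PKIX_COMCRLSELPARAMSGETNISTPOLICYENABLEDFAILED);

                /* check crl dates only if NIST policies are enforced */
                if (nistPolicyEnabled) {
                        result = PKIX_FALSE;

                        PKIX_CHECK(PKIX_PL_CRL_VerifyUpdateTime
                                   (crl, selDate, &result, plContext),
                                   PKIX_CRLVERIFYUPDATETIMEFAILED);

                        if (result == PKIX_FALSE) {
                                *pMatch = PKIX_FALSE;
                                goto cleanup;
                        }
                }

        }

        /* Check for CRL number in range */
        PKIX_CHECK(PKIX_PL_CRL_GetCRLNumber(crl, &crlNumber, plContext),
                    PKIX_CRLGETCRLNUMBERFAILED);

        /* A CRL without a CRL number skips both range checks. */
        if (crlNumber != NULL) {
                result = PKIX_FALSE;

                PKIX_CHECK(PKIX_ComCRLSelParams_GetMinCRLNumber
                            (params, &minCRLNumber, plContext),
                            PKIX_COMCRLSELPARAMSGETMINCRLNUMBERFAILED);

                if (minCRLNumber != NULL) {

                        PKIX_CHECK(PKIX_PL_Object_Compare
                                    ((PKIX_PL_Object *)minCRLNumber,
                                    (PKIX_PL_Object *)crlNumber,
                                    &result,
                                    plContext),
                                    PKIX_OBJECTCOMPARATORFAILED);

                        /*
                         * NOTE(review): the comparison test is not visible
                         * in the listing this was restored from; 1 is taken
                         * to mean "first argument greater", i.e. the CRL
                         * number is below the minimum - confirm.
                         */
                        if (result == 1) {
                                PKIX_CRLSELECTOR_DEBUG
                                        ("CRL MinNumber Range Match Failed\n");
                                *pMatch = PKIX_FALSE;
                                goto cleanup;
                        }
                }

                PKIX_CHECK(PKIX_ComCRLSelParams_GetMaxCRLNumber
                            (params, &maxCRLNumber, plContext),
                            PKIX_COMCRLSELPARAMSGETMAXCRLNUMBERFAILED);

                if (maxCRLNumber != NULL) {

                        PKIX_CHECK(PKIX_PL_Object_Compare
                                    ((PKIX_PL_Object *)crlNumber,
                                    (PKIX_PL_Object *)maxCRLNumber,
                                    &result,
                                    plContext),
                                    PKIX_OBJECTCOMPARATORFAILED);

                        /* Same convention as above: CRL number above max. */
                        if (result == 1) {
                                /*
                                 * Uses a message string like the minimum
                                 * case; the original passed an error-code
                                 * name to the debug macro here.
                                 */
                                PKIX_CRLSELECTOR_DEBUG
                                        ("CRL MaxNumber Range Match Failed\n");
                                *pMatch = PKIX_FALSE;
                                goto cleanup;
                        }
                }
        }

cleanup:

        /* Every object fetched above is released on all paths. */
        PKIX_DECREF(selIssuerNames);
        PKIX_DECREF(selDate);
        PKIX_DECREF(crlIssuerName);
        PKIX_DECREF(issuerName);
        PKIX_DECREF(crlNumber);
        PKIX_DECREF(minCRLNumber);
        PKIX_DECREF(maxCRLNumber);

        PKIX_RETURN(CRLSELECTOR);
}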
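/*
 * FUNCTION: pkix_CRLSelector_RegisterSelf
 * DESCRIPTION:
 *  Registers PKIX_CRLSELECTOR_TYPE and its related functions with
 *  systemClasses[]
 * THREAD SAFETY:
 *  Not Thread Safe - for performance and complexity reasons
 *
 *  Since this function is only called by PKIX_PL_Initialize, which should
 *  only be called once, it is acceptable that this function is not
 *  thread-safe.
 */
PKIX_Error *
pkix_CRLSelector_RegisterSelf(void *plContext)
{
        extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
        pkix_ClassTable_Entry entry;

        PKIX_ENTER(CRLSELECTOR, "pkix_CRLSelector_RegisterSelf");

        /*
         * NOTE(review): "entry" is filled field by field and not zeroed
         * first; any member of pkix_ClassTable_Entry not assigned here
         * would be copied into the table unset - confirm the list below
         * covers the whole struct.
         */
        entry.description = "CRLSelector";
        entry.objCounter = 0;
        entry.typeObjectSize = sizeof(PKIX_CRLSelector);
        entry.destructor = pkix_CRLSelector_Destroy;
        entry.equalsFunction = pkix_CRLSelector_Equals;
        entry.hashcodeFunction = pkix_CRLSelector_Hashcode;
        entry.toStringFunction = pkix_CRLSelector_ToString;
        /* CRLSelectors have no ordering, so no comparator is registered. */
        entry.comparator = NULL;
        entry.duplicateFunction = pkix_CRLSelector_Duplicate;

        systemClasses[PKIX_CRLSELECTOR_TYPE] = entry;

        PKIX_RETURN(CRLSELECTOR);
}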
/* --CRLSelector-Public-Functions---------------------------------------- */
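/*
 * FUNCTION: pkix_CRLSelector_Create
 *
 * Allocates a CRLSelector that uses "callback" to match CRLs, or
 * pkix_CRLSelector_DefaultMatch when "callback" is NULL, and that holds a
 * reference to "crlSelectorContext" (which may be NULL). The new selector
 * has no params. It is stored at "pSelector", which must be non-NULL.
 */
PKIX_Error *
pkix_CRLSelector_Create(
        PKIX_CRLSelector_MatchCallback callback,
        PKIX_PL_Object *crlSelectorContext,
        PKIX_CRLSelector **pSelector,
        void *plContext)
{
        PKIX_CRLSelector *selector = NULL;

        PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_Create");
        PKIX_NULLCHECK_ONE(pSelector);

        PKIX_CHECK(PKIX_PL_Object_Alloc
                    (PKIX_CRLSELECTOR_TYPE,
                    sizeof (PKIX_CRLSelector),
                    (PKIX_PL_Object **)&selector,
                    plContext),
                    PKIX_COULDNOTCREATECRLSELECTOROBJECT);

        /*
         * if user specified a particular match callback, we use that one.
         * otherwise, we use the default match provided.
         */

        if (callback != NULL){
                selector->matchCallback = callback;
        } else {
                selector->matchCallback = pkix_CRLSelector_DefaultMatch;
        }

        /* initialize other fields */
        selector->params = NULL;
        /*
         * Clear context as well, so the destructor never sees an unset
         * pointer if PKIX_INCREF below leaves early.
         * NOTE(review): assumes PKIX_PL_Object_Alloc does not zero the
         * payload, as the explicit params initialisation suggests.
         */
        selector->context = NULL;

        PKIX_INCREF(crlSelectorContext);
        selector->context = crlSelectorContext;

        /* Ownership moves to the caller; keep cleanup from releasing it. */
        *pSelector = selector;
        selector = NULL;

cleanup:

        PKIX_DECREF(selector);

        PKIX_RETURN(CRLSELECTOR);
}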
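/*
 * FUNCTION: PKIX_CRLSelector_Create (see comments in pkix_crlsel.h)
 *
 * Builds a CRLSelector with the default match callback whose params hold
 * the subject name of "issuer", the CRL distribution point list
 * "crldpList" and a date: "date" when given, otherwise the current time.
 * The selector is stored at "pCrlSelector".
 *
 * NOTE(review): the "date" parameter and the branch that uses it are not
 * visible in the listing this was restored from; confirm the signature
 * against pkix_crlsel.h.
 * NOTE(review): this function enters and returns under the
 * CERTCHAINCHECKER module rather than CRLSELECTOR, and two error codes do
 * not name the call they guard (PKIX_CERTGETISSUERFAILED for GetSubject,
 * PKIX_COMCRLSELPARAMSSETCERTFAILED for SetCrlDp), which can mislead
 * whoever reads the resulting error.
 */
PKIX_Error *
PKIX_CRLSelector_Create(
        PKIX_PL_Cert *issuer,
        PKIX_List *crldpList,
        PKIX_PL_Date *date,
        PKIX_CRLSelector **pCrlSelector,
        void *plContext)
{
        PKIX_PL_X500Name *issuerName = NULL;
        PKIX_PL_Date *nowDate = NULL;
        PKIX_ComCRLSelParams *comCrlSelParams = NULL;
        PKIX_CRLSelector *crlSelector = NULL;

        PKIX_ENTER(CERTCHAINCHECKER, "PKIX_CrlSelector_Create");
        /* pCrlSelector is written on success, so it is checked as well. */
        PKIX_NULLCHECK_TWO(issuer, pCrlSelector);

        /* The CRL issuer criterion is the subject of the issuing cert. */
        PKIX_CHECK(
            PKIX_PL_Cert_GetSubject(issuer, &issuerName, plContext),
            PKIX_CERTGETISSUERFAILED);

        if (date != NULL) {
                PKIX_INCREF(date);
                nowDate = date;
        } else {
                PKIX_CHECK(
                        PKIX_PL_Date_Create_UTCTime(NULL, &nowDate, plContext),
                        PKIX_DATECREATEUTCTIMEFAILED);
        }

        PKIX_CHECK(
            PKIX_ComCRLSelParams_Create(&comCrlSelParams, plContext),
            PKIX_COMCRLSELPARAMSCREATEFAILED);

        PKIX_CHECK(
            PKIX_ComCRLSelParams_AddIssuerName(comCrlSelParams, issuerName,
                                               plContext),
            PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED);

        PKIX_CHECK(
            PKIX_ComCRLSelParams_SetCrlDp(comCrlSelParams, crldpList,
                                          plContext),
            PKIX_COMCRLSELPARAMSSETCERTFAILED);

        PKIX_CHECK(
            PKIX_ComCRLSelParams_SetDateAndTime(comCrlSelParams, nowDate,
                                                plContext),
            PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);

        /* NULL callback selects pkix_CRLSelector_DefaultMatch. */
        PKIX_CHECK(
            pkix_CRLSelector_Create(NULL, NULL, &crlSelector, plContext),
            PKIX_CRLSELECTORCREATEFAILED);

        PKIX_CHECK(
            PKIX_CRLSelector_SetCommonCRLSelectorParams(crlSelector,
                                                        comCrlSelParams,
                                                        plContext),
            PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED);

        /* Ownership moves to the caller; keep cleanup from releasing it. */
        *pCrlSelector = crlSelector;
        crlSelector = NULL;

cleanup:

        PKIX_DECREF(issuerName);
        PKIX_DECREF(nowDate);
        PKIX_DECREF(comCrlSelParams);
        PKIX_DECREF(crlSelector);

        PKIX_RETURN(CERTCHAINCHECKER);
}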
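/*
 * FUNCTION: PKIX_CRLSelector_GetMatchCallback (see comments in pkix_crlsel.h)
 *
 * Stores the selector's match callback pointer at "pCallback". Both
 * "selector" and "pCallback" must be non-NULL.
 */
PKIX_Error *
PKIX_CRLSelector_GetMatchCallback(
        PKIX_CRLSelector *selector,
        PKIX_CRLSelector_MatchCallback *pCallback,
        void *plContext)
{
        PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetMatchCallback");
        PKIX_NULLCHECK_TWO(selector, pCallback);

        *pCallback = selector->matchCallback;

        PKIX_RETURN(CRLSELECTOR);
}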
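/*
 * FUNCTION: PKIX_CRLSelector_GetCRLSelectorContext
 * (see comments in pkix_crlsel.h)
 *
 * Stores the selector's context at "pCrlSelectorContext" after taking a
 * reference on it, so the caller receives a reference of its own. Both
 * "selector" and "pCrlSelectorContext" must be non-NULL.
 */
PKIX_Error *
PKIX_CRLSelector_GetCRLSelectorContext(
        PKIX_CRLSelector *selector,
        void **pCrlSelectorContext,
        void *plContext)
{
        PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetCRLSelectorContext");
        PKIX_NULLCHECK_TWO(selector, pCrlSelectorContext);

        /* Take the caller's reference before handing the pointer out. */
        PKIX_INCREF(selector->context);

        *pCrlSelectorContext = selector->context;

cleanup:
        PKIX_RETURN(CRLSELECTOR);
}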
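/*
 * FUNCTION: PKIX_CRLSelector_GetCommonCRLSelectorParams
 * (see comments in pkix_crlsel.h)
 *
 * Stores the selector's params at "pParams" after taking a reference on
 * them, so the caller receives a reference of its own. Both "selector"
 * and "pParams" must be non-NULL.
 */
PKIX_Error *
PKIX_CRLSelector_GetCommonCRLSelectorParams(
        PKIX_CRLSelector *selector,
        PKIX_ComCRLSelParams **pParams,
        void *plContext)
{
        PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_GetCommonCRLSelectorParams");
        PKIX_NULLCHECK_TWO(selector, pParams);

        /* Take the caller's reference before handing the pointer out. */
        PKIX_INCREF(selector->params);

        *pParams = selector->params;

cleanup:

        PKIX_RETURN(CRLSELECTOR);
}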
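/*
 * FUNCTION: PKIX_CRLSelector_SetCommonCRLSelectorParams
 * (see comments in pkix_crlsel.h)
 *
 * Replaces the selector's params with "params" and invalidates the
 * object's cache. The selector keeps a reference of its own on "params";
 * the caller's reference is untouched (PKIX_CRLSelector_Create releases
 * its params after calling this function). Both arguments must be
 * non-NULL.
 */
PKIX_Error *
PKIX_CRLSelector_SetCommonCRLSelectorParams(
        PKIX_CRLSelector *selector,
        PKIX_ComCRLSelParams *params,
        void *plContext)
{
        PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_SetCommonCRLSelectorParams");
        PKIX_NULLCHECK_TWO(selector, params);

        /*
         * Take the new reference before dropping the old one. Releasing
         * first would free the object when "params" is the selector's
         * current params and the selector holds the last reference.
         * NOTE(review): the reference-taking line is not visible in the
         * listing this was restored from; it is implied by the destructor
         * releasing selector->params.
         */
        PKIX_INCREF(params);

        PKIX_DECREF(selector->params);

        selector->params = params;

        /* Cached values derived from the old params are no longer valid. */
        PKIX_CHECK(PKIX_PL_Object_InvalidateCache
                    ((PKIX_PL_Object *)selector, plContext),
                    PKIX_OBJECTINVALIDATECACHEFAILED);

cleanup:

        PKIX_RETURN(CRLSELECTOR);
}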
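/*
 * FUNCTION: pkix_CRLSelector_Select
 * DESCRIPTION:
 *
 *  This function applies the selector pointed to by "selector" to each CRL,
 *  in turn, in the List pointed to by "before", and creates a List containing
 *  all the CRLs that matched, or passed the selection process, storing that
 *  List at "pAfter". If no CRLs match, an empty List is stored at "pAfter".
 *
 *  The List returned in "pAfter" is immutable.
 *
 *  A CRL whose match callback fails in a non-fatal way is left out of the
 *  result and the failure is not reported to the caller, so an empty or
 *  short List can mean "callback failed" as well as "no match". Callers
 *  that make revocation decisions from the result should account for that.
 *
 * PARAMETERS:
 *  "selector"
 *      Address of CRLSelector to be applied to the List. Must be non-NULL.
 *  "before"
 *      Address of List that is to be filtered. Must be non-NULL.
 *  "pAfter"
 *      Address at which resulting List, possibly empty, is stored. Must be
 *      non-NULL.
 *  "plContext"
 *      Platform-specific context pointer.
 * THREAD SAFETY:
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a CRLSelector Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error if the function fails in an unrecoverable way.
 */
PKIX_Error *
pkix_CRLSelector_Select(
        PKIX_CRLSelector *selector,
        PKIX_List *before,
        PKIX_List **pAfter,
        void *plContext)
{
        PKIX_Boolean match = PKIX_FALSE;
        PKIX_UInt32 numBefore = 0;
        PKIX_UInt32 i = 0;
        PKIX_List *filtered = NULL;
        PKIX_PL_CRL *candidate = NULL;

        PKIX_ENTER(CRLSELECTOR, "PKIX_CRLSelector_Select");
        PKIX_NULLCHECK_THREE(selector, before, pAfter);

        PKIX_CHECK(PKIX_List_Create(&filtered, plContext),
                PKIX_LISTCREATEFAILED);

        PKIX_CHECK(PKIX_List_GetLength(before, &numBefore, plContext),
                PKIX_LISTGETLENGTHFAILED);

        for (i = 0; i < numBefore; i++) {

                /*
                 * Start every candidate from "no match", so a callback
                 * that returns without writing its result cannot inherit
                 * the previous candidate's verdict.
                 */
                match = PKIX_FALSE;

                PKIX_CHECK(PKIX_List_GetItem
                        (before, i, (PKIX_PL_Object **)&candidate, plContext),
                        PKIX_LISTGETITEMFAILED);

                PKIX_CHECK_ONLY_FATAL(selector->matchCallback
                        (selector, candidate, &match, plContext),
                        PKIX_CRLSELECTORMATCHCALLBACKFAILED);

                /* Keep the CRL only if the callback succeeded and matched. */
                if (!(PKIX_ERROR_RECEIVED) && match == PKIX_TRUE) {

                        PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
                                (filtered,
                                (PKIX_PL_Object *)candidate,
                                plContext),
                                PKIX_LISTAPPENDITEMFAILED);
                }

                /* Forget a non-fatal failure before the next candidate. */
                pkixTempErrorReceived = PKIX_FALSE;
                PKIX_DECREF(candidate);
        }

        PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext),
                PKIX_LISTSETIMMUTABLEFAILED);

        /* Don't throw away the list if one CRL was bad! */
        pkixTempErrorReceived = PKIX_FALSE;

        /*
         * Ownership moves to the caller; keep cleanup from releasing it.
         * NOTE(review): the store through pAfter is not visible in the
         * listing this was restored from; it is the function's only output.
         */
        *pAfter = filtered;
        filtered = NULL;

cleanup:

        PKIX_DECREF(filtered);
        PKIX_DECREF(candidate);

        PKIX_RETURN(CRLSELECTOR);
}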