← Back to branch summary

~ubuntu-branches/ubuntu/raring/nss/raring-security

« back to all changes in this revision

Viewing changes to mozilla/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c

  • Committer: Bazaar Package Importer
  • Author(s): Chris Coulson
  • Date: 2010-03-25 13:46:06 UTC
  • mfrom: (1.1.11 upstream)
  • Revision ID: james.westby@ubuntu.com-20100325134606-bl6liuok2w9l7snv
Tags: 3.12.6-0ubuntu1
* New upstream release 3.12.6 RTM (NSS_3_12_6_RTM)
  - fixes CVE-2009-3555 aka US-CERT VU#120541
* Adjust patches to changed upstream code base
  - update debian/patches/38_kbsd.patch
  - update debian/patches/38_mips64_build.patch
  - update debian/patches/85_security_load.patch
* Remove patches that are merged upstream
  - delete debian/patches/91_nonexec_stack.patch
  - update debian/patches/series
* Bump nspr dependency to 4.8
  - update debian/control
* Add new symbols for 3.12.6
  - update debian/libnss3-1d.symbols

Show diffs side-by-side

added added

removed removed

Lines of Context:
mozilla/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
296
296
            if (!certPolicyInfos) {
297
297
                PKIX_CERTSELECTOR_DEBUG("Certificate has no policies\n");
298
298
                *pResult = PKIX_FALSE;
299
 
                goto cleanup;
300
 
 
 
299
                PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED);
301
300
            }
302
301
 
303
302
            PKIX_CHECK(PKIX_List_GetLength
334
333
                        PKIX_DECREF(polOID);
335
334
                }
336
335
                if (!result) {
337
 
                        PKIX_CERTSELECTOR_DEBUG
338
 
                                ("Certificate has no acceptable policies\n");
339
 
                        *pResult = PKIX_FALSE;
340
 
                        goto cleanup;
 
336
                    *pResult = PKIX_FALSE;
 
337
                    PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED);
341
338
                }
342
339
            }
343
340
        }
407
404
        }
408
405
 
409
406
cleanup:
410
 
 
 
407
        if (PKIX_ERROR_RECEIVED) {
 
408
            *pResult = PKIX_FALSE;
 
409
        }
411
410
        PKIX_DECREF(validityTime);
412
411
 
413
412
        PKIX_RETURN(CERTSELECTOR);
466
465
        }
467
466
 
468
467
cleanup:
 
468
        if (PKIX_ERROR_RECEIVED) {
 
469
            *pResult = PKIX_FALSE;
 
470
        }
469
471
 
470
472
        PKIX_DECREF(nameConstraints);
471
473
        PKIX_RETURN(CERTSELECTOR);
531
533
                        PKIX_CERTNAMECONSTRAINTSCHECKNAMESINNAMESPACEFAILED);
532
534
 
533
535
                if (passed != PKIX_TRUE) {
534
 
                        PKIX_CERTSELECTOR_DEBUG("PathToName Match failed\n");
535
 
                        *pResult = PKIX_FALSE;
536
 
                        goto cleanup;
 
536
                    *pResult = PKIX_FALSE;
 
537
                    PKIX_ERROR(PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
537
538
                }
538
539
            }
539
540
 
607
608
                    (cert, &certSubjAltNames, plContext),
608
609
                    PKIX_CERTGETSUBJALTNAMESFAILED);
609
610
 
610
 
            if (certSubjAltNames != NULL) {
611
 
 
612
 
                PKIX_CHECK(PKIX_List_GetLength
613
 
                        (subjAltNamesList, &numItems, plContext),
614
 
                        PKIX_LISTGETLENGTHFAILED);
615
 
 
616
 
                for (i = 0; i < numItems; i++) {
617
 
 
618
 
                        PKIX_CHECK(PKIX_List_GetItem
619
 
                            (subjAltNamesList,
 
611
            if (certSubjAltNames == NULL) {
 
612
                *pResult = PKIX_FALSE;
 
613
                PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
 
614
            }
 
615
 
 
616
            PKIX_CHECK(PKIX_List_GetLength
 
617
                       (subjAltNamesList, &numItems, plContext),
 
618
                       PKIX_LISTGETLENGTHFAILED);
 
619
            
 
620
            for (i = 0; i < numItems; i++) {
 
621
                
 
622
                PKIX_CHECK(PKIX_List_GetItem
 
623
                           (subjAltNamesList,
620
624
                            i,
621
625
                            (PKIX_PL_Object **) &name,
622
626
                            plContext),
623
 
                            PKIX_LISTGETITEMFAILED);
624
 
 
625
 
                        PKIX_CHECK(pkix_List_Contains
626
 
                            (certSubjAltNames,
 
627
                           PKIX_LISTGETITEMFAILED);
 
628
                
 
629
                PKIX_CHECK(pkix_List_Contains
 
630
                           (certSubjAltNames,
627
631
                            (PKIX_PL_Object *) name,
628
632
                            &checkPassed,
629
633
                            plContext),
630
 
                            PKIX_LISTCONTAINSFAILED);
631
 
 
632
 
                        PKIX_DECREF(name);
633
 
 
634
 
                        if (checkPassed == PKIX_TRUE) {
635
 
 
636
 
                            if (matchAll == PKIX_FALSE) {
637
 
                                /* one match is good enough */
638
 
                                matchCount = numItems;
639
 
                                break;
640
 
                            } else {
641
 
                            /* else continue checking next */
642
 
                                matchCount++;
643
 
                            }
644
 
 
645
 
                        }
646
 
 
647
 
                }
648
 
 
649
 
                if (matchCount != numItems) {
650
 
                        PKIX_CERTSELECTOR_DEBUG("SubjAltName Match failed\n");
651
 
                        *pResult = PKIX_FALSE;
652
 
                        goto cleanup;
653
 
                }
654
 
 
655
 
            } else {
656
 
 
657
 
                PKIX_CERTSELECTOR_DEBUG
658
 
                        ("SubjAltName Match failed: Cert has no SubjAltName\n");
 
634
                           PKIX_LISTCONTAINSFAILED);
 
635
                
 
636
                PKIX_DECREF(name);
 
637
                
 
638
                if (checkPassed == PKIX_TRUE) {
 
639
                    
 
640
                    if (matchAll == PKIX_FALSE) {
 
641
                        /* one match is good enough */
 
642
                        matchCount = numItems;
 
643
                        break;
 
644
                    } else {
 
645
                        /* else continue checking next */
 
646
                        matchCount++;
 
647
                    }
 
648
                    
 
649
                }
 
650
                
 
651
            }
 
652
            
 
653
            if (matchCount != numItems) {
659
654
                *pResult = PKIX_FALSE;
660
 
                goto cleanup;
 
655
                PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
661
656
            }
662
 
 
663
657
        }
664
658
 
665
659
cleanup:
750
744
                PKIX_DECREF(ekuOid);
751
745
 
752
746
                if (isContained != PKIX_TRUE) {
753
 
                        PKIX_CERTSELECTOR_DEBUG
754
 
                                ("Extended Key Usage Match failed\n");
755
 
                        *pResult = PKIX_FALSE;
756
 
                        goto cleanup;
 
747
                    *pResult = PKIX_FALSE;
 
748
                    PKIX_ERROR(PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
757
749
                }
758
750
            }
759
751
        }
819
811
        }
820
812
 
821
813
cleanup:
 
814
        if (PKIX_ERROR_RECEIVED) {
 
815
            *pResult = PKIX_FALSE;
 
816
        }
822
817
 
823
818
        PKIX_RETURN(CERTSELECTOR);
824
819
}
874
869
                    (cert, &certSubjKeyId, plContext),
875
870
                    PKIX_CERTGETSUBJECTKEYIDENTIFIERFAILED);
876
871
 
877
 
                if (certSubjKeyId != NULL) {
878
 
                        PKIX_CHECK(PKIX_PL_Object_Equals
879
 
                                ((PKIX_PL_Object *)selSubjKeyId,
880
 
                                (PKIX_PL_Object *)certSubjKeyId,
881
 
                                &equals,
882
 
                                plContext),
883
 
                                PKIX_OBJECTEQUALSFAILED);
 
872
                if (certSubjKeyId == NULL) {
 
873
                    *pResult = PKIX_FALSE;
 
874
                    PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
 
875
                }
884
876
 
885
 
                        if (equals != PKIX_TRUE) {
886
 
                            PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match failed\n");
887
 
                            *pResult = PKIX_FALSE;
888
 
                            goto cleanup;
889
 
                        }
890
 
                } else {
891
 
                    PKIX_CERTSELECTOR_DEBUG
892
 
                        ("SubjKeyId Match failed: Cert has no SubjKeyId\n");
 
877
                PKIX_CHECK(PKIX_PL_Object_Equals
 
878
                           ((PKIX_PL_Object *)selSubjKeyId,
 
879
                            (PKIX_PL_Object *)certSubjKeyId,
 
880
                            &equals,
 
881
                            plContext),
 
882
                           PKIX_OBJECTEQUALSFAILED);
 
883
                
 
884
                if (equals != PKIX_TRUE) {
893
885
                    *pResult = PKIX_FALSE;
894
 
                    goto cleanup;
 
886
                    PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
895
887
                }
896
888
        }
897
889
 
954
946
                    (cert, &certAuthKeyId, plContext),
955
947
                    PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED);
956
948
 
957
 
                if (certAuthKeyId != NULL) {
958
 
                        PKIX_CHECK(PKIX_PL_Object_Equals
959
 
                                ((PKIX_PL_Object *)selAuthKeyId,
960
 
                                (PKIX_PL_Object *)certAuthKeyId,
961
 
                                &equals,
962
 
                                plContext),
963
 
                                PKIX_OBJECTEQUALSFAILED);
964
 
 
965
 
                        if (equals != PKIX_TRUE) {
966
 
                            PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match failed\n");
967
 
                            *pResult = PKIX_FALSE;
968
 
                            goto cleanup;
969
 
                        }
970
 
                } else {
971
 
                    PKIX_CERTSELECTOR_DEBUG
972
 
                        ("AuthKeyId Match failed: Cert has no AuthKeyId\n");
973
 
                    *pResult = PKIX_FALSE;
974
 
                    goto cleanup;
 
949
                if (certAuthKeyId == NULL) {
 
950
                    *pResult = PKIX_FALSE;
 
951
                    PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
 
952
                }
 
953
                PKIX_CHECK(PKIX_PL_Object_Equals
 
954
                           ((PKIX_PL_Object *)selAuthKeyId,
 
955
                            (PKIX_PL_Object *)certAuthKeyId,
 
956
                            &equals,
 
957
                            plContext),
 
958
                           PKIX_OBJECTEQUALSFAILED);
 
959
                
 
960
                if (equals != PKIX_TRUE) {
 
961
                    *pResult = PKIX_FALSE;
 
962
                    PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
975
963
                }
976
964
        }
977
965
 
1035
1023
                    PKIX_CERTGETSUBJECTPUBLICKEYALGIDFAILED);
1036
1024
 
1037
1025
                if (certPKAlgId != NULL) {
1038
 
                        PKIX_CHECK(PKIX_PL_Object_Equals
1039
 
                                ((PKIX_PL_Object *)selPKAlgId,
1040
 
                                (PKIX_PL_Object *)certPKAlgId,
1041
 
                                &equals,
1042
 
                                plContext),
1043
 
                                PKIX_OBJECTEQUALSFAILED);
1044
 
 
1045
 
                        if (equals != PKIX_TRUE) {
1046
 
                            PKIX_CERTSELECTOR_DEBUG
1047
 
                                ("SubjPKAlgId Match failed\n");
1048
 
                            *pResult = PKIX_FALSE;
1049
 
                            goto cleanup;
1050
 
                        }
1051
 
                } else {
1052
 
                    PKIX_CERTSELECTOR_DEBUG
1053
 
                        ("SubjPKAlgId Match failed: Cert has no SubjPKAlgId\n");
1054
 
                    *pResult = PKIX_FALSE;
1055
 
                    goto cleanup;
 
1026
                    *pResult = PKIX_FALSE;
 
1027
                    PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
 
1028
                }
 
1029
                PKIX_CHECK(PKIX_PL_Object_Equals
 
1030
                           ((PKIX_PL_Object *)selPKAlgId,
 
1031
                            (PKIX_PL_Object *)certPKAlgId,
 
1032
                            &equals,
 
1033
                            plContext),
 
1034
                           PKIX_OBJECTEQUALSFAILED);
 
1035
                
 
1036
                if (equals != PKIX_TRUE) {
 
1037
                    *pResult = PKIX_FALSE;
 
1038
                    PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
1056
1039
                }
1057
1040
        }
1058
1041
 
1115
1098
                    (cert, &certPK, plContext),
1116
1099
                    PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
1117
1100
 
1118
 
                if (certPK != NULL) {
1119
 
                        PKIX_CHECK(PKIX_PL_Object_Equals
1120
 
                                ((PKIX_PL_Object *)selPK,
1121
 
                                (PKIX_PL_Object *)certPK,
1122
 
                                &equals,
1123
 
                                plContext),
1124
 
                                PKIX_OBJECTEQUALSFAILED);
1125
 
 
1126
 
                        if (equals != PKIX_TRUE) {
1127
 
                            PKIX_CERTSELECTOR_DEBUG
1128
 
                                ("Subject Public Key Match failed\n");
1129
 
                            *pResult = PKIX_FALSE;
1130
 
                            goto cleanup;
1131
 
                        }
1132
 
 
1133
 
                } else {
1134
 
                    PKIX_CERTSELECTOR_DEBUG
1135
 
                        ("SubjPubKey Match failed: Cert has no SubjPubKey\n");
1136
 
                    *pResult = PKIX_FALSE;
1137
 
                    goto cleanup;
 
1101
                if (certPK == NULL) {
 
1102
                    *pResult = PKIX_FALSE;
 
1103
                    PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
 
1104
                }
 
1105
                PKIX_CHECK(PKIX_PL_Object_Equals
 
1106
                           ((PKIX_PL_Object *)selPK,
 
1107
                            (PKIX_PL_Object *)certPK,
 
1108
                            &equals,
 
1109
                            plContext),
 
1110
                           PKIX_OBJECTEQUALSFAILED);
 
1111
                
 
1112
                if (equals != PKIX_TRUE) {
 
1113
                    *pResult = PKIX_FALSE;
 
1114
                    PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
1138
1115
                }
1139
1116
        }
1140
1117
 
1152
1129
 *
1153
1130
 *  This default match function determines whether the specified Cert pointed
1154
1131
 *  to by "cert" matches the criteria of the CertSelector pointed to by
1155
 
 *  "selector". If the Cert satisfies the CertSelector's criteria, PKIX_TRUE
1156
 
 *  is stored at "pResult". If the Cert does not match the CertSelector's
1157
 
 *  criteria, PKIX_FALSE is stored at "pResult". 
 
1132
 *  "selector". If the Cert does not match the CertSelector's
 
1133
 *  criteria, an error will be thrown.
1158
1134
 *
1159
1135
 *  This default match function understands how to process the most common
1160
1136
 *  parameters. Any common parameter that is not set is assumed to be disabled,
1175
1151
 *  "cert"
1176
1152
 *      Address of Cert that is to be matched using "selector".
1177
1153
 *      Must be non-NULL.
1178
 
 *  "pResult"
1179
 
 *      Address of PKIX_Boolean that returns the match result.
1180
1154
 *  "plContext"
1181
1155
 *      Platform-specific context pointer.
1182
1156
 * THREAD SAFETY:
1191
1165
pkix_CertSelector_DefaultMatch(
1192
1166
        PKIX_CertSelector *selector,
1193
1167
        PKIX_PL_Cert *cert,
1194
 
        PKIX_Boolean *pResult,
1195
1168
        void *plContext)
1196
1169
{
1197
1170
        PKIX_ComCertSelParams *params = NULL;
1203
1176
        PKIX_PL_BigInt *selSerialNumber = NULL;
1204
1177
        PKIX_PL_Cert *selCert = NULL;
1205
1178
        PKIX_PL_Date *selDate = NULL;
1206
 
        PKIX_UInt32 requiredKeyUsage = 0;
1207
1179
        PKIX_UInt32 selVersion = 0xFFFFFFFF;
1208
1180
        PKIX_UInt32 certVersion = 0;
1209
1181
        PKIX_Boolean result = PKIX_TRUE;
 
1182
        PKIX_Boolean isLeafCert = PKIX_TRUE;
1210
1183
 
1211
1184
#ifdef PKIX_BUILDDEBUG
1212
1185
        PKIX_PL_String *certString = NULL;
1215
1188
#endif
1216
1189
 
1217
1190
        PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_DefaultMatch");
1218
 
        PKIX_NULLCHECK_THREE(selector, cert, pResult);
1219
 
 
1220
 
        *pResult = PKIX_TRUE;
 
1191
        PKIX_NULLCHECK_TWO(selector, cert);
1221
1192
 
1222
1193
        PKIX_INCREF(selector->params);
1223
1194
        params = selector->params;
1224
1195
 
 
1196
        /* Are we looking for CAs? */
 
1197
        PKIX_CHECK(PKIX_ComCertSelParams_GetLeafCertFlag
 
1198
                    (params, &isLeafCert, plContext),
 
1199
                    PKIX_COMCERTSELPARAMSGETLEAFCERTFLAGFAILED);
 
1200
 
1225
1201
        if (params == NULL){
1226
1202
                goto cleanup;
1227
1203
        }
1236
1212
                            PKIX_CERTGETVERSIONFAILED);
1237
1213
 
1238
1214
                if (selVersion != certVersion) {
1239
 
                        PKIX_CERTSELECTOR_DEBUG("Version Match FAILED\n");
1240
 
                        *pResult = PKIX_FALSE;
1241
 
                        goto cleanup;
 
1215
                        PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTVERSIONFAILED);
1242
1216
                }
1243
1217
        }
1244
1218
 
1257
1231
                            PKIX_X500NAMEMATCHFAILED);
1258
1232
 
1259
1233
                        if (result == PKIX_FALSE){
1260
 
                                PKIX_CERTSELECTOR_DEBUG
1261
 
                                        ("Subject Match FAILED\n");
1262
 
                                *pResult = PKIX_FALSE;
1263
 
                                goto cleanup;
 
1234
                            PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED);
1264
1235
                        }
1265
1236
                } else { /* cert has no subject */
1266
 
                        PKIX_CERTSELECTOR_DEBUG("Subject Match FAILED\n");
1267
 
                        *pResult = PKIX_FALSE;
1268
 
                        goto cleanup;
1269
 
 
 
1237
                        PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED);
1270
1238
                }
1271
1239
        }
1272
1240
 
1284
1252
                            PKIX_X500NAMEMATCHFAILED);
1285
1253
 
1286
1254
                if (result == PKIX_FALSE){
1287
 
                        PKIX_CERTSELECTOR_DEBUG("Issuer Match FAILED\n");
1288
 
                        *pResult = PKIX_FALSE;
1289
 
                        goto cleanup;
 
1255
                        PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTISSUERFAILED);
1290
1256
                }
1291
1257
        }
1292
1258
 
1307
1273
                            PKIX_OBJECTEQUALSFAILED);
1308
1274
 
1309
1275
                if (result == PKIX_FALSE){
1310
 
                        PKIX_CERTSELECTOR_DEBUG("Serial Number Match FAILED\n");
1311
 
                        *pResult = PKIX_FALSE;
1312
 
                        goto cleanup;
 
1276
                        PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSERIALNUMFAILED);
1313
1277
                }
1314
1278
        }
1315
1279
 
1326
1290
                            PKIX_OBJECTEQUALSFAILED);
1327
1291
 
1328
1292
                if (result == PKIX_FALSE){
1329
 
                        PKIX_CERTSELECTOR_DEBUG("Certificate Match FAILED\n");
1330
 
                        *pResult = PKIX_FALSE;
1331
 
                        goto cleanup;
 
1293
                        PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTOBJECTFAILED);
1332
1294
                }
1333
1295
        }
1334
1296
 
1335
 
 
1336
1297
        PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid
1337
1298
                    (params, &selDate, plContext),
1338
1299
                    PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED);
1343
1304
                            PKIX_CERTCHECKVALIDITYFAILED);
1344
1305
        }
1345
1306
 
1346
 
        PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage
1347
 
                    (params, &requiredKeyUsage, plContext),
1348
 
                    PKIX_COMCERTSELPARAMSGETKEYUSAGEFAILED);
1349
 
 
1350
 
        if (requiredKeyUsage != 0) {
1351
 
                PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage
1352
 
                            (cert, requiredKeyUsage, plContext),
1353
 
                            PKIX_CERTVERIFYKEYUSAGEFAILED);
1354
 
        }
1355
 
 
1356
1307
        PKIX_CHECK(pkix_CertSelector_Match_BasicConstraint
1357
1308
                    (params, cert, &result, plContext),
1358
1309
                    PKIX_CERTSELECTORMATCHBASICCONSTRAINTFAILED);
1359
1310
 
1360
 
        if (result == PKIX_FALSE){
1361
 
                PKIX_CERTSELECTOR_DEBUG("BasicConstraint Match FAILED\n");
1362
 
                *pResult = PKIX_FALSE;
1363
 
                goto cleanup;
1364
 
        }
1365
 
 
1366
1311
        PKIX_CHECK(pkix_CertSelector_Match_Policies
1367
1312
                    (params, cert, &result, plContext),
1368
1313
                    PKIX_CERTSELECTORMATCHPOLICIESFAILED);
1369
1314
 
1370
 
        if (result == PKIX_FALSE){
1371
 
                PKIX_CERTSELECTOR_DEBUG("Policies Match FAILED\n");
1372
 
                *pResult = PKIX_FALSE;
1373
 
                goto cleanup;
1374
 
        }
1375
 
 
1376
1315
        PKIX_CHECK(pkix_CertSelector_Match_CertificateValid
1377
1316
                    (params, cert, &result, plContext),
1378
1317
                    PKIX_CERTSELECTORMATCHCERTIFICATEVALIDFAILED);
1379
1318
 
1380
 
        if (result == PKIX_FALSE){
1381
 
                PKIX_CERTSELECTOR_DEBUG("CertificateValid Match FAILED\n");
1382
 
                *pResult = PKIX_FALSE;
1383
 
                goto cleanup;
1384
 
        }
1385
 
 
1386
1319
        PKIX_CHECK(pkix_CertSelector_Match_NameConstraints
1387
1320
                    (params, cert, &result, plContext),
1388
1321
                    PKIX_CERTSELECTORMATCHNAMECONSTRAINTSFAILED);
1389
1322
 
1390
 
        if (result == PKIX_FALSE){
1391
 
                PKIX_CERTSELECTOR_DEBUG("NameConstraints Match FAILED\n");
1392
 
                *pResult = PKIX_FALSE;
1393
 
                goto cleanup;
1394
 
        }
1395
 
 
1396
1323
        PKIX_CHECK(pkix_CertSelector_Match_PathToNames
1397
1324
                    (params, cert, &result, plContext),
1398
1325
                    PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
1399
1326
 
1400
 
        if (result == PKIX_FALSE){
1401
 
                PKIX_CERTSELECTOR_DEBUG("PathToNames Match FAILED\n");
1402
 
                *pResult = PKIX_FALSE;
1403
 
                goto cleanup;
1404
 
        }
1405
 
 
1406
1327
        PKIX_CHECK(pkix_CertSelector_Match_SubjAltNames
1407
1328
                    (params, cert, &result, plContext),
1408
1329
                    PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
1409
1330
 
1410
 
        if (result == PKIX_FALSE){
1411
 
                PKIX_CERTSELECTOR_DEBUG("SubjAltNames Match FAILED\n");
1412
 
                *pResult = PKIX_FALSE;
1413
 
                goto cleanup;
1414
 
        }
 
1331
        /* Check key usage and cert type based on certificate usage. */
 
1332
        PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert, !isLeafCert,
 
1333
                                                     plContext),
 
1334
                   PKIX_CERTVERIFYCERTTYPEFAILED);
1415
1335
 
 
1336
        /* Next two check are for user supplied additional KU and EKU. */
1416
1337
        PKIX_CHECK(pkix_CertSelector_Match_ExtendedKeyUsage
1417
1338
                    (params, cert, &result, plContext),
1418
1339
                    PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
1419
1340
 
1420
 
        if (result == PKIX_FALSE){
1421
 
                PKIX_CERTSELECTOR_DEBUG("ExtendedKeyUsage Match FAILED\n");
1422
 
                *pResult = PKIX_FALSE;
1423
 
                goto cleanup;
1424
 
        }
1425
 
 
1426
1341
        PKIX_CHECK(pkix_CertSelector_Match_KeyUsage
1427
1342
                    (params, cert, &result, plContext),
1428
1343
                    PKIX_CERTSELECTORMATCHKEYUSAGEFAILED);
1429
1344
 
1430
 
        if (result == PKIX_FALSE){
1431
 
                PKIX_CERTSELECTOR_DEBUG("KeyUsage Match FAILED\n");
1432
 
                *pResult = PKIX_FALSE;
1433
 
                goto cleanup;
1434
 
        }
1435
 
 
1436
1345
        PKIX_CHECK(pkix_CertSelector_Match_SubjKeyId
1437
1346
                    (params, cert, &result, plContext),
1438
1347
                    PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
1439
1348
 
1440
 
        if (result == PKIX_FALSE){
1441
 
                PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match FAILED\n");
1442
 
                *pResult = PKIX_FALSE;
1443
 
                goto cleanup;
1444
 
        }
1445
 
 
1446
1349
        PKIX_CHECK(pkix_CertSelector_Match_AuthKeyId
1447
1350
                    (params, cert, &result, plContext),
1448
1351
                    PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
1449
1352
 
1450
 
        if (result == PKIX_FALSE){
1451
 
                PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match FAILED\n");
1452
 
                *pResult = PKIX_FALSE;
1453
 
                goto cleanup;
1454
 
        }
1455
 
 
1456
1353
        PKIX_CHECK(pkix_CertSelector_Match_SubjPKAlgId
1457
1354
                    (params, cert, &result, plContext),
1458
1355
                    PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
1459
1356
 
1460
 
        if (result == PKIX_FALSE){
1461
 
                PKIX_CERTSELECTOR_DEBUG("SubjPKAlgId Match FAILED\n");
1462
 
                *pResult = PKIX_FALSE;
1463
 
                goto cleanup;
1464
 
        }
1465
 
 
1466
1357
        PKIX_CHECK(pkix_CertSelector_Match_SubjPubKey
1467
1358
                    (params, cert, &result, plContext),
1468
1359
                    PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
1469
1360
 
1470
 
        if (result == PKIX_FALSE){
1471
 
                PKIX_CERTSELECTOR_DEBUG("SubjPubKey Match FAILED\n");
1472
 
                *pResult = PKIX_FALSE;
1473
 
                goto cleanup;
1474
 
        }
1475
 
 
1476
1361
        /* if we reach here, the cert has successfully matched criteria */
1477
1362
 
1478
1363
 
1725
1610
        PKIX_List **pAfter,
1726
1611
        void *plContext)
1727
1612
{
1728
 
        PKIX_Boolean match = PKIX_FALSE;
1729
1613
        PKIX_UInt32 numBefore = 0;
1730
1614
        PKIX_UInt32 i = 0;
1731
1615
        PKIX_List *filtered = NULL;
1747
1631
                        PKIX_LISTGETITEMFAILED);
1748
1632
 
1749
1633
                PKIX_CHECK_ONLY_FATAL(selector->matchCallback
1750
 
                        (selector, candidate, &match, plContext),
 
1634
                        (selector, candidate, plContext),
1751
1635
                        PKIX_CERTSELECTORMATCHCALLBACKFAILED);
1752
1636
 
1753
 
                if ((!(PKIX_ERROR_RECEIVED)) && (match == PKIX_TRUE)) {
 
1637
                if (!(PKIX_ERROR_RECEIVED)) {
1754
1638
 
1755
1639
                        PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
1756
1640
                                (filtered,