607
608
(cert, &certSubjAltNames, plContext),
608
609
PKIX_CERTGETSUBJALTNAMESFAILED);
610
if (certSubjAltNames != NULL) {
612
PKIX_CHECK(PKIX_List_GetLength
613
(subjAltNamesList, &numItems, plContext),
614
PKIX_LISTGETLENGTHFAILED);
616
for (i = 0; i < numItems; i++) {
618
PKIX_CHECK(PKIX_List_GetItem
611
if (certSubjAltNames == NULL) {
612
*pResult = PKIX_FALSE;
613
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
616
PKIX_CHECK(PKIX_List_GetLength
617
(subjAltNamesList, &numItems, plContext),
618
PKIX_LISTGETLENGTHFAILED);
620
for (i = 0; i < numItems; i++) {
622
PKIX_CHECK(PKIX_List_GetItem
621
625
(PKIX_PL_Object **) &name,
623
PKIX_LISTGETITEMFAILED);
625
PKIX_CHECK(pkix_List_Contains
627
PKIX_LISTGETITEMFAILED);
629
PKIX_CHECK(pkix_List_Contains
627
631
(PKIX_PL_Object *) name,
630
PKIX_LISTCONTAINSFAILED);
634
if (checkPassed == PKIX_TRUE) {
636
if (matchAll == PKIX_FALSE) {
637
/* one match is good enough */
638
matchCount = numItems;
641
/* else continue checking next */
649
if (matchCount != numItems) {
650
PKIX_CERTSELECTOR_DEBUG("SubjAltName Match failed\n");
651
*pResult = PKIX_FALSE;
657
PKIX_CERTSELECTOR_DEBUG
658
("SubjAltName Match failed: Cert has no SubjAltName\n");
634
PKIX_LISTCONTAINSFAILED);
638
if (checkPassed == PKIX_TRUE) {
640
if (matchAll == PKIX_FALSE) {
641
/* one match is good enough */
642
matchCount = numItems;
645
/* else continue checking next */
653
if (matchCount != numItems) {
659
654
*pResult = PKIX_FALSE;
655
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
874
869
(cert, &certSubjKeyId, plContext),
875
870
PKIX_CERTGETSUBJECTKEYIDENTIFIERFAILED);
877
if (certSubjKeyId != NULL) {
878
PKIX_CHECK(PKIX_PL_Object_Equals
879
((PKIX_PL_Object *)selSubjKeyId,
880
(PKIX_PL_Object *)certSubjKeyId,
883
PKIX_OBJECTEQUALSFAILED);
872
if (certSubjKeyId == NULL) {
873
*pResult = PKIX_FALSE;
874
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
885
if (equals != PKIX_TRUE) {
886
PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match failed\n");
887
*pResult = PKIX_FALSE;
891
PKIX_CERTSELECTOR_DEBUG
892
("SubjKeyId Match failed: Cert has no SubjKeyId\n");
877
PKIX_CHECK(PKIX_PL_Object_Equals
878
((PKIX_PL_Object *)selSubjKeyId,
879
(PKIX_PL_Object *)certSubjKeyId,
882
PKIX_OBJECTEQUALSFAILED);
884
if (equals != PKIX_TRUE) {
893
885
*pResult = PKIX_FALSE;
886
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
954
946
(cert, &certAuthKeyId, plContext),
955
947
PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED);
957
if (certAuthKeyId != NULL) {
958
PKIX_CHECK(PKIX_PL_Object_Equals
959
((PKIX_PL_Object *)selAuthKeyId,
960
(PKIX_PL_Object *)certAuthKeyId,
963
PKIX_OBJECTEQUALSFAILED);
965
if (equals != PKIX_TRUE) {
966
PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match failed\n");
967
*pResult = PKIX_FALSE;
971
PKIX_CERTSELECTOR_DEBUG
972
("AuthKeyId Match failed: Cert has no AuthKeyId\n");
973
*pResult = PKIX_FALSE;
949
if (certAuthKeyId == NULL) {
950
*pResult = PKIX_FALSE;
951
PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
953
PKIX_CHECK(PKIX_PL_Object_Equals
954
((PKIX_PL_Object *)selAuthKeyId,
955
(PKIX_PL_Object *)certAuthKeyId,
958
PKIX_OBJECTEQUALSFAILED);
960
if (equals != PKIX_TRUE) {
961
*pResult = PKIX_FALSE;
962
PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
1035
1023
PKIX_CERTGETSUBJECTPUBLICKEYALGIDFAILED);
1037
1025
if (certPKAlgId != NULL) {
1038
PKIX_CHECK(PKIX_PL_Object_Equals
1039
((PKIX_PL_Object *)selPKAlgId,
1040
(PKIX_PL_Object *)certPKAlgId,
1043
PKIX_OBJECTEQUALSFAILED);
1045
if (equals != PKIX_TRUE) {
1046
PKIX_CERTSELECTOR_DEBUG
1047
("SubjPKAlgId Match failed\n");
1048
*pResult = PKIX_FALSE;
1052
PKIX_CERTSELECTOR_DEBUG
1053
("SubjPKAlgId Match failed: Cert has no SubjPKAlgId\n");
1054
*pResult = PKIX_FALSE;
1026
*pResult = PKIX_FALSE;
1027
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
1029
PKIX_CHECK(PKIX_PL_Object_Equals
1030
((PKIX_PL_Object *)selPKAlgId,
1031
(PKIX_PL_Object *)certPKAlgId,
1034
PKIX_OBJECTEQUALSFAILED);
1036
if (equals != PKIX_TRUE) {
1037
*pResult = PKIX_FALSE;
1038
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
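Review bot: The NULL guard in the SubjPKAlgId hunk looks inverted: `if (certPKAlgId != NULL) {` is shown with both an old and a new line number (1037/1025), so it appears to survive as context, and the new `*pResult = PKIX_FALSE;` / `PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);` lines (1026-1027) now sit under it. If that reading is right, a certificate that does carry a subject public-key algorithm id fails the selector before any comparison, and one without it reaches `PKIX_PL_Object_Equals` with a NULL `certPKAlgId`. The sibling hunks for SubjAltNames, SubjKeyId, AuthKeyId and SubjPubKey all introduce an `== NULL` guard, and this one should match them: `if (certPKAlgId == NULL) {`. The enclosing function starts and ends outside the hunk and this rendering drops some lines, so confirm against the full file before changing it.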
1115
1098
(cert, &certPK, plContext),
1116
1099
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
1118
if (certPK != NULL) {
1119
PKIX_CHECK(PKIX_PL_Object_Equals
1120
((PKIX_PL_Object *)selPK,
1121
(PKIX_PL_Object *)certPK,
1124
PKIX_OBJECTEQUALSFAILED);
1126
if (equals != PKIX_TRUE) {
1127
PKIX_CERTSELECTOR_DEBUG
1128
("Subject Public Key Match failed\n");
1129
*pResult = PKIX_FALSE;
1134
PKIX_CERTSELECTOR_DEBUG
1135
("SubjPubKey Match failed: Cert has no SubjPubKey\n");
1136
*pResult = PKIX_FALSE;
1101
if (certPK == NULL) {
1102
*pResult = PKIX_FALSE;
1103
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
1105
PKIX_CHECK(PKIX_PL_Object_Equals
1106
((PKIX_PL_Object *)selPK,
1107
(PKIX_PL_Object *)certPK,
1110
PKIX_OBJECTEQUALSFAILED);
1112
if (equals != PKIX_TRUE) {
1113
*pResult = PKIX_FALSE;
1114
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
1343
1304
PKIX_CERTCHECKVALIDITYFAILED);
1346
PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage
1347
(params, &requiredKeyUsage, plContext),
1348
PKIX_COMCERTSELPARAMSGETKEYUSAGEFAILED);
1350
if (requiredKeyUsage != 0) {
1351
PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage
1352
(cert, requiredKeyUsage, plContext),
1353
PKIX_CERTVERIFYKEYUSAGEFAILED);
1356
1307
PKIX_CHECK(pkix_CertSelector_Match_BasicConstraint
1357
1308
(params, cert, &result, plContext),
1358
1309
PKIX_CERTSELECTORMATCHBASICCONSTRAINTFAILED);
1360
if (result == PKIX_FALSE){
1361
PKIX_CERTSELECTOR_DEBUG("BasicConstraint Match FAILED\n");
1362
*pResult = PKIX_FALSE;
1366
1311
PKIX_CHECK(pkix_CertSelector_Match_Policies
1367
1312
(params, cert, &result, plContext),
1368
1313
PKIX_CERTSELECTORMATCHPOLICIESFAILED);
1370
if (result == PKIX_FALSE){
1371
PKIX_CERTSELECTOR_DEBUG("Policies Match FAILED\n");
1372
*pResult = PKIX_FALSE;
1376
1315
PKIX_CHECK(pkix_CertSelector_Match_CertificateValid
1377
1316
(params, cert, &result, plContext),
1378
1317
PKIX_CERTSELECTORMATCHCERTIFICATEVALIDFAILED);
1380
if (result == PKIX_FALSE){
1381
PKIX_CERTSELECTOR_DEBUG("CertificateValid Match FAILED\n");
1382
*pResult = PKIX_FALSE;
1386
1319
PKIX_CHECK(pkix_CertSelector_Match_NameConstraints
1387
1320
(params, cert, &result, plContext),
1388
1321
PKIX_CERTSELECTORMATCHNAMECONSTRAINTSFAILED);
1390
if (result == PKIX_FALSE){
1391
PKIX_CERTSELECTOR_DEBUG("NameConstraints Match FAILED\n");
1392
*pResult = PKIX_FALSE;
1396
1323
PKIX_CHECK(pkix_CertSelector_Match_PathToNames
1397
1324
(params, cert, &result, plContext),
1398
1325
PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
1400
if (result == PKIX_FALSE){
1401
PKIX_CERTSELECTOR_DEBUG("PathToNames Match FAILED\n");
1402
*pResult = PKIX_FALSE;
1406
1327
PKIX_CHECK(pkix_CertSelector_Match_SubjAltNames
1407
1328
(params, cert, &result, plContext),
1408
1329
PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
1410
if (result == PKIX_FALSE){
1411
PKIX_CERTSELECTOR_DEBUG("SubjAltNames Match FAILED\n");
1412
*pResult = PKIX_FALSE;
1331
/* Check key usage and cert type based on certificate usage. */
1332
PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert, !isLeafCert,
1334
PKIX_CERTVERIFYCERTTYPEFAILED);
1336
/* Next two check are for user supplied additional KU and EKU. */
1416
1337
PKIX_CHECK(pkix_CertSelector_Match_ExtendedKeyUsage
1417
1338
(params, cert, &result, plContext),
1418
1339
PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
1420
if (result == PKIX_FALSE){
1421
PKIX_CERTSELECTOR_DEBUG("ExtendedKeyUsage Match FAILED\n");
1422
*pResult = PKIX_FALSE;
1426
1341
PKIX_CHECK(pkix_CertSelector_Match_KeyUsage
1427
1342
(params, cert, &result, plContext),
1428
1343
PKIX_CERTSELECTORMATCHKEYUSAGEFAILED);
1430
if (result == PKIX_FALSE){
1431
PKIX_CERTSELECTOR_DEBUG("KeyUsage Match FAILED\n");
1432
*pResult = PKIX_FALSE;
1436
1345
PKIX_CHECK(pkix_CertSelector_Match_SubjKeyId
1437
1346
(params, cert, &result, plContext),
1438
1347
PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
1440
if (result == PKIX_FALSE){
1441
PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match FAILED\n");
1442
*pResult = PKIX_FALSE;
1446
1349
PKIX_CHECK(pkix_CertSelector_Match_AuthKeyId
1447
1350
(params, cert, &result, plContext),
1448
1351
PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
1450
if (result == PKIX_FALSE){
1451
PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match FAILED\n");
1452
*pResult = PKIX_FALSE;
1456
1353
PKIX_CHECK(pkix_CertSelector_Match_SubjPKAlgId
1457
1354
(params, cert, &result, plContext),
1458
1355
PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
1460
if (result == PKIX_FALSE){
1461
PKIX_CERTSELECTOR_DEBUG("SubjPKAlgId Match FAILED\n");
1462
*pResult = PKIX_FALSE;
1466
1357
PKIX_CHECK(pkix_CertSelector_Match_SubjPubKey
1467
1358
(params, cert, &result, plContext),
1468
1359
PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
1470
if (result == PKIX_FALSE){
1471
PKIX_CERTSELECTOR_DEBUG("SubjPubKey Match FAILED\n");
1472
*pResult = PKIX_FALSE;
1476
1361
/* if we reach here, the cert has successfully matched criteria */