270
270
if (storeCheckRevocationFn) {
272
storeCheckRevocationFn(certStore, cert, issuer,
274
/* delay sig check if building
276
!chainVerificationState,
278
&revStatus, plContext),
272
(*storeCheckRevocationFn)(certStore, cert, issuer,
273
/* delay sig check if building
274
* a chain by not specifying the time*/
275
chainVerificationState ? date : NULL,
276
/* crl downloading is not done. */
278
&reasonCode, &revStatus, plContext),
279
279
PKIX_CERTSTORECRLCHECKFAILED);
280
280
if (revStatus == PKIX_RevStatus_Revoked) {
338
338
PKIX_CertStore *certStore = NULL;
339
339
PKIX_CertStore *localStore = NULL;
340
340
PKIX_CRLSelector *crlSelector = NULL;
341
PKIX_PL_X500Name *issuerName = NULL;
341
342
pkix_CrlChecker *state = NULL;
342
343
PKIX_UInt32 reasonCode = 0;
343
344
PKIX_UInt32 crlStoreIndex = 0;
344
345
PKIX_UInt32 numCrlStores = 0;
345
346
PKIX_Boolean storeIsLocal = PKIX_FALSE;
346
347
PKIX_List *crlList = NULL;
348
PKIX_List *dpList = NULL;
347
349
void *nbioContext = NULL;
350
351
PKIX_ENTER(CERTCHAINCHECKER, "pkix_CrlChecker_CheckExternal");
351
352
PKIX_NULLCHECK_FOUR(cert, issuer, checkerObject, pNBIOContext);
398
399
if (!localStore) {
399
400
PKIX_ERROR_FATAL(PKIX_CRLCHECKERNOLOCALCERTSTOREFOUND);
403
PKIX_CrlSelector_Create(issuer, date, &crlSelector, plContext),
403
PKIX_PL_Cert_GetCrlDp(cert, &dpList, plContext),
404
PKIX_CERTGETCRLDPFAILED);
405
if (!(methodFlags & PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE) &&
406
(!dpList || !dpList->length)) {
410
PKIX_PL_Cert_GetIssuer(cert, &issuerName, plContext),
411
PKIX_CERTGETISSUERFAILED);
413
PKIX_CRLSelector_Create(issuer, dpList, date, &crlSelector, plContext),
404
414
PKIX_CRLCHECKERSETSELECTORFAILED);
406
415
/* Fetch crl and store in a local cert store */
407
416
for (crlStoreIndex = 0;crlStoreIndex < numCrlStores;crlStoreIndex++) {
408
417
PKIX_CertStore_CRLCallback getCrlsFn;
419
428
PKIX_CERTSTOREGETCRLCALLBACKFAILED);
421
/* Bit PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE should
422
* be checked in the stores if we have info on missing
423
* source in crl case. For now, we are not going to do
424
* so, as remote fetching of crls is not implemented. */
426
getCrlsFn(certStore, crlSelector, &nbioContext,
431
(*getCrlsFn)(certStore, crlSelector, &nbioContext,
427
432
&crlList, plContext),
428
433
PKIX_GETCRLSFAILED);
431
storeImportCrlFn(localStore, crlList, plContext),
436
(*storeImportCrlFn)(localStore, issuerName, crlList, plContext),
432
437
PKIX_CERTSTOREFAILTOIMPORTCRLLIST);
435
storeCheckRevocationFn(certStore, cert, issuer, date,
436
PKIX_FALSE /* do not delay sig check */,
437
&reasonCode, &revStatus, plContext),
440
(*storeCheckRevocationFn)(certStore, cert, issuer, date,
441
/* done with crl downloading */
443
&reasonCode, &revStatus, plContext),
438
444
PKIX_CERTSTORECRLCHECKFAILED);
439
445
if (revStatus != PKIX_RevStatus_NoInfo) {
443
449
PKIX_DECREF(certStore);
446
453
/* Update return flags */
449
if (revStatus == PKIX_RevStatus_NoInfo &&
450
methodFlags & PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE &&
454
if (revStatus == PKIX_RevStatus_NoInfo &&
455
((dpList && dpList->length > 0) ||
456
(methodFlags & PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE)) &&
451
457
methodFlags & PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO) {
452
458
revStatus = PKIX_RevStatus_Revoked;
454
460
*pRevStatus = revStatus;
456
463
PKIX_DECREF(crlList);
457
464
PKIX_DECREF(certStore);
465
PKIX_DECREF(issuerName);
458
466
PKIX_DECREF(localStore);
459
467
PKIX_DECREF(crlSelector);
added
removed
mozilla/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c
