362
362
PKIX_ERROR(PKIX_SUBJALTNAMECHECKFAILED);
368
367
if (state->certsRemaining == 0) {
370
if (state->certSelector != NULL) {
372
PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
373
(state->certSelector,
369
if (state->certSelector != NULL) {
370
PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
371
(state->certSelector,
374
372
&certSelectorMatch,
376
PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
374
PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
378
PKIX_CHECK(certSelectorMatch
379
(state->certSelector,
376
PKIX_CHECK(certSelectorMatch
377
(state->certSelector,
383
PKIX_CERTSELECTORMATCHFAILED);
385
if (checkPassed != PKIX_TRUE){
386
PKIX_ERROR(PKIX_CERTSELECTORCHECKFAILED);
390
* There are two Extended Key Usage Checkings
392
* 1) here at the targetcertchecker where we
393
* verify the Extended Key Usage OIDs application
394
* specifies via ComCertSelParams are included
395
* in Cert's Extended Key Usage OID's. Note,
396
* this is an OID to OID comparison and only last
398
* 2) at user defined ekuchecker where checking
399
* is applied to all Certs on the chain and
400
* the NSS Extended Key Usage algorithm is
401
* used. In order to invoke this checking, not
402
* only does the ComCertSelparams needs to be
403
* set, the EKU initialize call is required to
404
* activate the checking.
406
* XXX We use the same ComCertSelParams Set/Get
407
* functions to set the parameters for both cases.
408
* We may want to separate them in the future.
411
PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
412
(cert, &certExtKeyUsageList, plContext),
413
PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
416
if (state->extKeyUsageList != NULL &&
417
certExtKeyUsageList != NULL) {
419
PKIX_CHECK(PKIX_List_GetLength
420
(state->extKeyUsageList, &numItems, plContext),
421
PKIX_LISTGETLENGTHFAILED);
423
for (i = 0; i < numItems; i++) {
425
PKIX_CHECK(PKIX_List_GetItem
426
(state->extKeyUsageList,
428
(PKIX_PL_Object **) &name,
430
PKIX_LISTGETITEMFAILED);
432
PKIX_CHECK(pkix_List_Contains
433
(certExtKeyUsageList,
434
(PKIX_PL_Object *) name,
437
PKIX_LISTCONTAINSFAILED);
441
if (checkPassed != PKIX_TRUE) {
443
(PKIX_EXTENDEDKEYUSAGECHECKINGFAILED);
380
PKIX_CERTSELECTORMATCHFAILED);
382
/* Check at least cert/key usages if target cert selector
384
PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert,
385
PKIX_FALSE /* is chain cert*/,
387
PKIX_CERTVERIFYCERTTYPEFAILED);
390
* There are two Extended Key Usage Checkings
392
* 1) here at the targetcertchecker where we
393
* verify the Extended Key Usage OIDs application
394
* specifies via ComCertSelParams are included
395
* in Cert's Extended Key Usage OID's. Note,
396
* this is an OID to OID comparison and only last
398
* 2) at user defined ekuchecker where checking
399
* is applied to all Certs on the chain and
400
* the NSS Extended Key Usage algorithm is
401
* used. In order to invoke this checking, not
402
* only does the ComCertSelparams needs to be
403
* set, the EKU initialize call is required to
404
* activate the checking.
406
* XXX We use the same ComCertSelParams Set/Get
407
* functions to set the parameters for both cases.
408
* We may want to separate them in the future.
411
PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
412
(cert, &certExtKeyUsageList, plContext),
413
PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
416
if (state->extKeyUsageList != NULL &&
417
certExtKeyUsageList != NULL) {
419
PKIX_CHECK(PKIX_List_GetLength
420
(state->extKeyUsageList, &numItems, plContext),
421
PKIX_LISTGETLENGTHFAILED);
423
for (i = 0; i < numItems; i++) {
425
PKIX_CHECK(PKIX_List_GetItem
426
(state->extKeyUsageList,
428
(PKIX_PL_Object **) &name,
430
PKIX_LISTGETITEMFAILED);
432
PKIX_CHECK(pkix_List_Contains
433
(certExtKeyUsageList,
434
(PKIX_PL_Object *) name,
437
PKIX_LISTCONTAINSFAILED);
441
if (checkPassed != PKIX_TRUE) {
443
(PKIX_EXTENDEDKEYUSAGECHECKINGFAILED);
449
/* Check key usage and cert type based on certificate usage. */
450
PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert, PKIX_TRUE,
452
PKIX_CERTVERIFYCERTTYPEFAILED);
453
455
/* Remove Critical Extension OID from list */