← Back to branch summary

~ubuntu-branches/ubuntu/raring/nss/raring-security

« back to all changes in this revision

Viewing changes to mozilla/security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c

  • Committer: Bazaar Package Importer
  • Author(s): Chris Coulson
  • Date: 2010-03-25 13:46:06 UTC
  • mfrom: (1.1.11 upstream)
  • Revision ID: james.westby@ubuntu.com-20100325134606-bl6liuok2w9l7snv
Tags: 3.12.6-0ubuntu1
* New upstream release 3.12.6 RTM (NSS_3_12_6_RTM)
  - fixes CVE-2009-3555 aka US-CERT VU#120541
* Adjust patches to changed upstream code base
  - update debian/patches/38_kbsd.patch
  - update debian/patches/38_mips64_build.patch
  - update debian/patches/85_security_load.patch
* Remove patches that are merged upstream
  - delete debian/patches/91_nonexec_stack.patch
  - update debian/patches/series
* Bump nspr dependency to 4.8
  - update debian/control
* Add new symbols for 3.12.6
  - update debian/libnss3-1d.symbols

Show diffs side-by-side

added added

removed removed

Lines of Context:
mozilla/security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c
362
362
                        PKIX_ERROR(PKIX_SUBJALTNAMECHECKFAILED);
363
363
 
364
364
                }
365
 
 
366
365
        }
367
366
 
368
367
        if (state->certsRemaining == 0) {
369
368
 
370
 
                if (state->certSelector != NULL) {
371
 
 
372
 
                        PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
373
 
                            (state->certSelector,
 
369
            if (state->certSelector != NULL) {
 
370
                PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
 
371
                           (state->certSelector,
374
372
                            &certSelectorMatch,
375
373
                            plContext),
376
 
                            PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
 
374
                           PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
377
375
 
378
 
                        PKIX_CHECK(certSelectorMatch
379
 
                            (state->certSelector,
 
376
                PKIX_CHECK(certSelectorMatch
 
377
                           (state->certSelector,
380
378
                            cert,
381
 
                            &checkPassed,
382
379
                            plContext),
383
 
                            PKIX_CERTSELECTORMATCHFAILED);
384
 
 
385
 
                        if (checkPassed != PKIX_TRUE){
386
 
                                PKIX_ERROR(PKIX_CERTSELECTORCHECKFAILED);
387
 
                        }
388
 
 
389
 
                        /*
390
 
                         * There are two Extended Key Usage Checkings
391
 
                         * available :
392
 
                         * 1) here at the targetcertchecker where we
393
 
                         *    verify the Extended Key Usage OIDs application
394
 
                         *    specifies via ComCertSelParams are included
395
 
                         *    in Cert's Extended Key Usage OID's. Note,
396
 
                         *    this is an OID to OID comparison and only last
397
 
                         *    Cert is checked.
398
 
                         * 2) at user defined ekuchecker where checking
399
 
                         *    is applied to all Certs on the chain and
400
 
                         *    the NSS Extended Key Usage algorithm is
401
 
                         *    used. In order to invoke this checking, not
402
 
                         *    only does the ComCertSelparams needs to be
403
 
                         *    set, the EKU initialize call is required to
404
 
                         *    activate the checking.
405
 
                         *
406
 
                         * XXX We use the same ComCertSelParams Set/Get
407
 
                         * functions to set the parameters for both cases.
408
 
                         * We may want to separate them in the future.
409
 
                         */
410
 
 
411
 
                        PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
412
 
                            (cert, &certExtKeyUsageList, plContext),
413
 
                            PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
414
 
 
415
 
 
416
 
                        if (state->extKeyUsageList != NULL &&
417
 
                            certExtKeyUsageList != NULL) {
418
 
 
419
 
                            PKIX_CHECK(PKIX_List_GetLength
420
 
                                (state->extKeyUsageList, &numItems, plContext),
421
 
                                PKIX_LISTGETLENGTHFAILED);
422
 
 
423
 
                            for (i = 0; i < numItems; i++) {
424
 
 
425
 
                                PKIX_CHECK(PKIX_List_GetItem
426
 
                                        (state->extKeyUsageList,
427
 
                                        i,
428
 
                                        (PKIX_PL_Object **) &name,
429
 
                                        plContext),
430
 
                                        PKIX_LISTGETITEMFAILED);
431
 
 
432
 
                                PKIX_CHECK(pkix_List_Contains
433
 
                                        (certExtKeyUsageList,
434
 
                                        (PKIX_PL_Object *) name,
435
 
                                        &checkPassed,
436
 
                                        plContext),
437
 
                                        PKIX_LISTCONTAINSFAILED);
438
 
 
439
 
                                PKIX_DECREF(name);
440
 
 
441
 
                                if (checkPassed != PKIX_TRUE) {
442
 
                                    PKIX_ERROR
443
 
                                        (PKIX_EXTENDEDKEYUSAGECHECKINGFAILED);
444
 
 
445
 
                                }
446
 
                            }
447
 
 
448
 
                        }
449
 
 
 
380
                           PKIX_CERTSELECTORMATCHFAILED);
 
381
            } else {
 
382
                /* Check at least cert/key usages if target cert selector
 
383
                 * is not set. */
 
384
                PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert,
 
385
                                         PKIX_FALSE  /* is chain cert*/,
 
386
                                         plContext),
 
387
                           PKIX_CERTVERIFYCERTTYPEFAILED);
 
388
            }
 
389
            /*
 
390
             * There are two Extended Key Usage Checkings
 
391
             * available :
 
392
             * 1) here at the targetcertchecker where we
 
393
             *    verify the Extended Key Usage OIDs application
 
394
             *    specifies via ComCertSelParams are included
 
395
             *    in Cert's Extended Key Usage OID's. Note,
 
396
             *    this is an OID to OID comparison and only last
 
397
             *    Cert is checked.
 
398
             * 2) at user defined ekuchecker where checking
 
399
             *    is applied to all Certs on the chain and
 
400
             *    the NSS Extended Key Usage algorithm is
 
401
             *    used. In order to invoke this checking, not
 
402
             *    only does the ComCertSelparams needs to be
 
403
             *    set, the EKU initialize call is required to
 
404
             *    activate the checking.
 
405
             *
 
406
             * XXX We use the same ComCertSelParams Set/Get
 
407
             * functions to set the parameters for both cases.
 
408
             * We may want to separate them in the future.
 
409
             */
 
410
            
 
411
            PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage
 
412
                       (cert, &certExtKeyUsageList, plContext),
 
413
                       PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
 
414
            
 
415
            
 
416
            if (state->extKeyUsageList != NULL &&
 
417
                certExtKeyUsageList != NULL) {
 
418
                
 
419
                PKIX_CHECK(PKIX_List_GetLength
 
420
                           (state->extKeyUsageList, &numItems, plContext),
 
421
                           PKIX_LISTGETLENGTHFAILED);
 
422
                
 
423
                for (i = 0; i < numItems; i++) {
 
424
                    
 
425
                    PKIX_CHECK(PKIX_List_GetItem
 
426
                               (state->extKeyUsageList,
 
427
                                i,
 
428
                                (PKIX_PL_Object **) &name,
 
429
                                plContext),
 
430
                               PKIX_LISTGETITEMFAILED);
 
431
                    
 
432
                    PKIX_CHECK(pkix_List_Contains
 
433
                               (certExtKeyUsageList,
 
434
                                (PKIX_PL_Object *) name,
 
435
                                &checkPassed,
 
436
                                plContext),
 
437
                               PKIX_LISTCONTAINSFAILED);
 
438
                    
 
439
                    PKIX_DECREF(name);
 
440
                    
 
441
                    if (checkPassed != PKIX_TRUE) {
 
442
                        PKIX_ERROR
 
443
                            (PKIX_EXTENDEDKEYUSAGECHECKINGFAILED);
 
444
                        
 
445
                    }
450
446
                }
 
447
            }
 
448
        } else {
 
449
            /* Check key usage and cert type based on certificate usage. */
 
450
            PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert, PKIX_TRUE,
 
451
                                                         plContext),
 
452
                       PKIX_CERTVERIFYCERTTYPEFAILED);
451
453
        }
452
454
 
453
455
        /* Remove Critical Extension OID from list */
475
477
 
476
478
cleanup:
477
479
 
 
480
        PKIX_DECREF(name);
478
481
        PKIX_DECREF(nameConstraints);
479
482
        PKIX_DECREF(certSubjAltNames);
480
483
        PKIX_DECREF(certExtKeyUsageList);