← Back to branch summary

~ubuntu-branches/ubuntu/raring/nss/raring-security

« back to all changes in this revision

Viewing changes to mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.c

  • Committer: Bazaar Package Importer
  • Author(s): Chris Coulson
  • Date: 2010-03-25 13:46:06 UTC
  • mfrom: (1.1.11 upstream)
  • Revision ID: james.westby@ubuntu.com-20100325134606-bl6liuok2w9l7snv
Tags: 3.12.6-0ubuntu1
* New upstream release 3.12.6 RTM (NSS_3_12_6_RTM)
  - fixes CVE-2009-3555 aka US-CERT VU#120541
* Adjust patches to changed upstream code base
  - update debian/patches/38_kbsd.patch
  - update debian/patches/38_mips64_build.patch
  - update debian/patches/85_security_load.patch
* Remove patches that are merged upstream
  - delete debian/patches/91_nonexec_stack.patch
  - update debian/patches/series
* Bump nspr dependency to 4.8
  - update debian/control
* Add new symbols for 3.12.6
  - update debian/libnss3-1d.symbols

Show diffs side-by-side

added added

removed removed

Lines of Context:
mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.c
53
53
 * checked. Those OIDs need to be removed from the unresolved critical
54
54
 * extension OIDs list manually (instead of by checker automatically).
55
55
 */
56
 
static char *buildCheckedCritExtOIDs[] = {
 
56
static SECOidTag buildCheckedCritExtOIDs[] = {
57
57
        PKIX_CERTKEYUSAGE_OID,
58
58
        PKIX_CERTSUBJALTNAME_OID,
59
59
        PKIX_BASICCONSTRAINTS_OID,
60
60
        PKIX_NAMECONSTRAINTS_OID,
61
61
        PKIX_EXTENDEDKEYUSAGE_OID,
62
62
        PKIX_NSCERTTYPE_OID,
63
 
        NULL
 
63
        PKIX_UNKNOWN_OID
64
64
};
65
65
 
66
66
/* --Private-ForwardBuilderState-Functions---------------------------------- */
1038
1038
        PKIX_ForwardBuilderState *state,
1039
1039
        PKIX_List *certChain,
1040
1040
        PKIX_TrustAnchor *anchor,
1041
 
        PKIX_Boolean addEkuChecker,
 
1041
        PKIX_Boolean chainRevalidationStage,
1042
1042
        void *plContext)
1043
1043
{
1044
1044
        PKIX_List *checkers = NULL;
1051
1051
        PKIX_CertChainChecker *sigChecker = NULL;
1052
1052
        PKIX_CertChainChecker *policyChecker = NULL;
1053
1053
        PKIX_CertChainChecker *userChecker = NULL;
1054
 
        PKIX_CertChainChecker *ekuChecker = NULL;
1055
 
        PKIX_List *userCheckersList = NULL;
 
1054
        PKIX_CertChainChecker *checker = NULL;
 
1055
        PKIX_CertSelector *certSelector = NULL;
1056
1056
        PKIX_List *userCheckerExtOIDs = NULL;
1057
1057
        PKIX_PL_OID *oid = NULL;
1058
1058
        PKIX_Boolean supportForwardChecking = PKIX_FALSE;
1080
1080
 
1081
1081
        procParams = state->buildConstants.procParams;
1082
1082
 
1083
 
        /* Do need to add eku checker for chains, that we just
1084
 
         * built. KU and EKU get checked by certificate selector
1085
 
         * during chain construction. For other cases when trying
1086
 
         * short cut or for cached chain we need to verify key
1087
 
         * usage again. For those cases the function shoud be
1088
 
         * called with addEkuChecker set to true. */
1089
 
        if (addEkuChecker) {
1090
 
            PKIX_CHECK(
1091
 
                PKIX_EkuChecker_Create(procParams, &ekuChecker,
1092
 
                                       plContext),
1093
 
                PKIX_EKUCHECKERINITIALIZEFAILED);
 
1083
        /* Do need to add a number of checker to revalidate
 
1084
         * a built chain. KU, EKU, CertType and Validity Date
 
1085
         * get checked by certificate selector during chain
 
1086
         * construction, but needed to be checked for chain from
 
1087
         * the cache.*/
 
1088
        if (chainRevalidationStage) {
 
1089
            PKIX_CHECK(pkix_ExpirationChecker_Initialize
 
1090
                       (state->buildConstants.testDate, &checker, plContext),
 
1091
                       PKIX_EXPIRATIONCHECKERINITIALIZEFAILED);
 
1092
            PKIX_CHECK(PKIX_List_AppendItem
 
1093
                       (checkers, (PKIX_PL_Object *)checker, plContext),
 
1094
                       PKIX_LISTAPPENDITEMFAILED);
 
1095
            PKIX_DECREF(checker);
1094
1096
            
 
1097
            PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
 
1098
                       (procParams, &certSelector, plContext),
 
1099
                    PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
 
1100
 
 
1101
            PKIX_CHECK(pkix_TargetCertChecker_Initialize
 
1102
                       (certSelector, numChainCerts, &checker, plContext),
 
1103
                       PKIX_EXPIRATIONCHECKERINITIALIZEFAILED);
1095
1104
            PKIX_CHECK(PKIX_List_AppendItem
1096
 
                       (checkers, (PKIX_PL_Object *)ekuChecker, plContext),
 
1105
                       (checkers, (PKIX_PL_Object *)checker, plContext),
1097
1106
                       PKIX_LISTAPPENDITEMFAILED);
 
1107
            PKIX_DECREF(checker);
1098
1108
        }
1099
1109
 
1100
1110
        PKIX_CHECK(PKIX_ProcessingParams_GetInitialPolicies
1139
1149
        PKIX_CHECK(PKIX_List_Create(&buildCheckedCritExtOIDsList, plContext),
1140
1150
                PKIX_LISTCREATEFAILED);
1141
1151
 
1142
 
        for (i = 0; buildCheckedCritExtOIDs[i] != NULL; i++) {
 
1152
        for (i = 0; buildCheckedCritExtOIDs[i] != PKIX_UNKNOWN_OID; i++) {
1143
1153
                PKIX_CHECK(PKIX_PL_OID_Create
1144
1154
                        (buildCheckedCritExtOIDs[i], &oid, plContext),
1145
1155
                        PKIX_OIDCREATEFAILED);
1231
1241
                    plContext),
1232
1242
                   PKIX_LISTAPPENDITEMFAILED);
1233
1243
 
 
1244
        PKIX_DECREF(state->reversedCertChain);
1234
1245
        PKIX_INCREF(reversedCertChain);
1235
1246
        state->reversedCertChain = reversedCertChain;
 
1247
        PKIX_DECREF(state->checkedCritExtOIDs);
1236
1248
        PKIX_INCREF(buildCheckedCritExtOIDsList);
1237
1249
        state->checkedCritExtOIDs = buildCheckedCritExtOIDsList;
 
1250
        PKIX_DECREF(state->checkerChain);
1238
1251
        state->checkerChain = checkers;
1239
1252
        checkers = NULL;
1240
1253
        state->certCheckedIndex = 0;
1247
1260
        PKIX_DECREF(oid);
1248
1261
        PKIX_DECREF(reversedCertChain);
1249
1262
        PKIX_DECREF(buildCheckedCritExtOIDsList);
 
1263
        PKIX_DECREF(checker);
1250
1264
        PKIX_DECREF(checkers);
1251
1265
        PKIX_DECREF(initialPolicies);
1252
1266
        PKIX_DECREF(trustedCert);
1253
1267
        PKIX_DECREF(trustedPubKey);
 
1268
        PKIX_DECREF(certSelector);
1254
1269
        PKIX_DECREF(sigChecker);
1255
1270
        PKIX_DECREF(policyChecker);
1256
1271
        PKIX_DECREF(userChecker);
1257
 
        PKIX_DECREF(userCheckersList);
1258
1272
        PKIX_DECREF(userCheckerExtOIDs);
1259
 
        PKIX_DECREF(ekuChecker);
1260
1273
 
1261
1274
        PKIX_RETURN(BUILD);
1262
1275
}
1557
1570
    PKIX_List *matchList = NULL;
1558
1571
    PKIX_CertSelector *certSel = NULL;
1559
1572
    PKIX_CertSelector_MatchCallback selectorMatchCB = NULL;
1560
 
    PKIX_Boolean certMatch = PKIX_TRUE;
1561
1573
 
1562
1574
    PKIX_ENTER(BUILD, "pkix_Build_SelectCertsFromTrustAnchors");
1563
1575
    
1582
1594
                   (anchor, &trustedCert, plContext),
1583
1595
                   PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
1584
1596
        pkixErrorResult =
1585
 
            (*selectorMatchCB)(certSel, trustedCert,
1586
 
                               &certMatch, plContext);
1587
 
        if (!pkixErrorResult && certMatch) {
 
1597
            (*selectorMatchCB)(certSel, trustedCert, plContext);
 
1598
        if (!pkixErrorResult) {
1588
1599
            if (!matchList) {
1589
1600
                PKIX_CHECK(PKIX_List_Create(&matchList,
1590
1601
                                            plContext),
1796
1807
                                PKIX_CHECK(getCerts
1797
1808
                                        (certStore,
1798
1809
                                        state->certSel,
 
1810
                                        state->verifyNode,
1799
1811
                                        &nbioContext,
1800
1812
                                        &certsFound,
1801
1813
                                        plContext),
1804
1816
                                PKIX_CHECK(PKIX_CertStore_CertContinue
1805
1817
                                        (certStore,
1806
1818
                                        state->certSel,
 
1819
                                        state->verifyNode,
1807
1820
                                        &nbioContext,
1808
1821
                                        &certsFound,
1809
1822
                                        plContext),
2524
2537
                            /* IO still pending, resume later */
2525
2538
                            goto cleanup;
2526
2539
                    } else {
2527
 
                            PKIX_DECREF(state->reversedCertChain);
2528
 
                            PKIX_DECREF(state->checkedCritExtOIDs);
2529
 
                            PKIX_DECREF(state->checkerChain);
2530
2540
                            /* checking the error for fatal status */
2531
2541
                            if (verifyError) {
2532
2542
                                pkixTempErrorReceived = PKIX_TRUE;
3041
3051
                   (matchingAnchor, &trustedCert, plContext),
3042
3052
                   PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
3043
3053
        
3044
 
        if (!state->buildConstants.anchors) {
3045
 
            PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
3046
 
                       (trustedCert, PKIX_FALSE, &trusted, plContext),
3047
 
                       PKIX_CERTISCERTTRUSTEDFAILED);
3048
 
        } else {
 
3054
        if (state->buildConstants.anchors &&
 
3055
            state->buildConstants.anchors->length) {
3049
3056
            /* Check if it is one of the trust anchors */
3050
3057
            PKIX_CHECK(
3051
3058
                pkix_List_Contains(state->buildConstants.anchors,
3053
3060
                                   &trusted,
3054
3061
                                   plContext),
3055
3062
                PKIX_LISTCONTAINSFAILED);
 
3063
        } else {
 
3064
            PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
 
3065
                       (trustedCert, PKIX_FALSE, &trusted, plContext),
 
3066
                       PKIX_CERTISCERTTRUSTEDFAILED);
3056
3067
        }
3057
3068
 
3058
3069
        if (!trusted) {
3067
3078
                   (buildResult, &certList, plContext),
3068
3079
                   PKIX_BUILDRESULTGETCERTCHAINFAILED);
3069
3080
        
3070
 
        /* setting this variable will trigger addition rev
3071
 
         * checker into cert chain checker list */
3072
 
        state->revCheckDelayed = PKIX_TRUE;
3073
 
        
3074
3081
        PKIX_CHECK(pkix_Build_ValidationCheckers
3075
3082
                   (state,
3076
3083
                    certList,
3077
3084
                    matchingAnchor,
3078
 
                    PKIX_TRUE,  /* Adding eku checker. */
 
3085
                    PKIX_TRUE,  /* Chain revalidation stage. */
3079
3086
                    plContext),
3080
3087
                   PKIX_BUILDVALIDATIONCHECKERSFAILED);
3081
 
        
3082
 
        state->revCheckDelayed = PKIX_FALSE;
3083
3088
 
3084
3089
        PKIX_CHECK_ONLY_FATAL(
3085
3090
            pkix_Build_ValidateEntireChain(state, matchingAnchor,
3092
3097
            *pNBIOContext = nbioContext;
3093
3098
            goto cleanup;
3094
3099
        }
3095
 
        PKIX_DECREF(state->reversedCertChain);
3096
 
        PKIX_DECREF(state->checkedCritExtOIDs);
3097
 
        PKIX_DECREF(state->checkerChain);
3098
 
        
3099
3100
        if (!PKIX_ERROR_RECEIVED) {
3100
3101
            /* The result from cache is still valid. But we replace an old*/
3101
3102
            *pBuildResult = buildResult;
3211
3212
        PKIX_TrustAnchor *matchingAnchor = NULL;
3212
3213
        PKIX_ForwardBuilderState *state = NULL;
3213
3214
        PKIX_CertStore_CheckTrustCallback trustCallback = NULL;
 
3215
        PKIX_CertSelector_MatchCallback selectorCallback = NULL;
3214
3216
        PKIX_PL_AIAMgr *aiaMgr = NULL;
3215
3217
 
3216
3218
        PKIX_ENTER(BUILD, "pkix_Build_InitiateBuildChain");
3235
3237
                    PKIX_LISTGETLENGTHFAILED);
3236
3238
    
3237
3239
            /* retrieve stuff from targetCertConstraints */
3238
 
    
3239
3240
            PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
3240
 
                    (procParams, &targetConstraints, plContext),
3241
 
                    PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
 
3241
                       (procParams, &targetConstraints, plContext),
 
3242
                       PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
3242
3243
    
3243
3244
            PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
3244
3245
                    (targetConstraints, &targetParams, plContext),
3248
3249
                    (targetParams, &targetCert, plContext),
3249
3250
                    PKIX_COMCERTSELPARAMSGETCERTIFICATEFAILED);
3250
3251
    
 
3252
            PKIX_CHECK(
 
3253
                PKIX_ComCertSelParams_SetLeafCertFlag(targetParams,
 
3254
                                                      PKIX_TRUE, plContext),
 
3255
                PKIX_COMCERTSELPARAMSSETLEAFCERTFLAGFAILED);
 
3256
 
3251
3257
            PKIX_CHECK(PKIX_ProcessingParams_GetHintCerts
3252
3258
                        (procParams, &hintCerts, plContext),
3253
3259
                        PKIX_PROCESSINGPARAMSGETHINTCERTSFAILED);
3329
3335
                    (tentativeChain, (PKIX_PL_Object *)targetCert, plContext),
3330
3336
                    PKIX_LISTAPPENDITEMFAILED);
3331
3337
    
3332
 
            /* Failure here is reportable */
3333
 
            pkixErrorResult = PKIX_PL_Cert_CheckValidity
3334
 
                    (targetCert, testDate, plContext);
3335
 
            if (pkixErrorResult) {
 
3338
            if (procParams->qualifyTargetCert) {
 
3339
                /* EE cert validation */
 
3340
                /* Sync up the time on the target selector parameter struct. */
 
3341
                PKIX_CHECK(
 
3342
                    PKIX_ComCertSelParams_SetCertificateValid(targetParams,
 
3343
                                                              testDate,
 
3344
                                                              plContext),
 
3345
                    PKIX_COMCERTSELPARAMSSETCERTIFICATEVALIDFAILED);
 
3346
                
 
3347
                PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
 
3348
                           (targetConstraints, &selectorCallback, plContext),
 
3349
                           PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
 
3350
                
 
3351
                pkixErrorResult =
 
3352
                    (*selectorCallback)(targetConstraints, targetCert,
 
3353
                                        plContext);
 
3354
                if (pkixErrorResult) {
3336
3355
                    pkixErrorClass = pkixErrorResult->errClass;
3337
3356
                    if (pkixErrorClass == PKIX_FATAL_ERROR) {
3338
3357
                        goto cleanup;
3353
3372
                    }
3354
3373
                    pkixErrorCode = PKIX_CERTCHECKVALIDITYFAILED;
3355
3374
                    goto cleanup;
 
3375
                }
3356
3376
            }
3357
3377
    
3358
3378
            PKIX_CHECK(PKIX_ProcessingParams_GetCertStores