security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c

Wed, 31 Dec 2014 06:09:35 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Wed, 31 Dec 2014 06:09:35 +0100
changeset 0
6474c204b198
permissions
-rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4 /*
michael@0 5 * pkix_defaultcrlchecker.c
michael@0 6 *
michael@0 7 * Functions for default CRL Checkers
michael@0 8 *
michael@0 9 */
michael@0 10 #include "pkix.h"
michael@0 11 #include "pkix_crlchecker.h"
michael@0 12 #include "pkix_tools.h"
michael@0 13
michael@0 14 /* --Private-CRLChecker-Data-and-Types------------------------------- */
michael@0 15
/* Per-instance state of the CRL-based revocation method. */
typedef struct pkix_CrlCheckerStruct {
    /* RevocationMethod is the super class of CrlChecker. It has to stay the
     * first member: this file casts between pkix_CrlChecker* and
     * pkix_RevocationMethod* in both directions. */
    pkix_RevocationMethod method;
    PKIX_List *certStores; /* list of CertStore; a reference is taken in
                            * pkix_CrlChecker_Create and dropped in
                            * pkix_CrlChecker_Destroy */
    /* Stored by pkix_CrlChecker_Create; never invoked in this file. */
    PKIX_PL_VerifyCallback crlVerifyFn;
} pkix_CrlChecker;
michael@0 22
michael@0 23
michael@0 24 /* --Private-CRLChecker-Functions----------------------------------- */
michael@0 25
/*
 * FUNCTION: pkix_CrlChecker_Destroy
 * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
 *
 * DESCRIPTION:
 *  Destructor registered for PKIX_CRLCHECKER_TYPE. Verifies the object's
 *  type and then drops the reference the checker holds on its CertStore
 *  list. No other field is released here.
 */
static PKIX_Error *
pkix_CrlChecker_Destroy(
    PKIX_PL_Object *object,
    void *plContext)
{
    /* Pointer conversion only; nothing is read through it until the NULL
     * and type checks below have passed. */
    pkix_CrlChecker *crlChecker = (pkix_CrlChecker *)object;

    PKIX_ENTER(CRLCHECKER, "pkix_CrlChecker_Destroy");
    PKIX_NULLCHECK_ONE(object);

    /* Reject any object that is not a CRL checker before touching fields */
    PKIX_CHECK(
        pkix_CheckType(object, PKIX_CRLCHECKER_TYPE, plContext),
        PKIX_OBJECTNOTCRLCHECKER);

    PKIX_DECREF(crlChecker->certStores);

cleanup:

    PKIX_RETURN(CRLCHECKER);
}
michael@0 53
/*
 * FUNCTION: pkix_CrlChecker_RegisterSelf
 *
 * DESCRIPTION:
 *  Fills in the systemClasses[] slot for PKIX_CRLCHECKER_TYPE with the
 *  type's description, object size and destructor. No other member of the
 *  slot is written by this function.
 *
 * THREAD SAFETY:
 *  Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 *
 *  Since this function is only called by PKIX_PL_Initialize, which should
 *  only be called once, it is acceptable that this function is not
 *  thread-safe.
 */
PKIX_Error *
pkix_CrlChecker_RegisterSelf(void *plContext)
{
    extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
    pkix_ClassTable_Entry *slot = systemClasses + PKIX_CRLCHECKER_TYPE;

    PKIX_ENTER(CRLCHECKER, "pkix_CrlChecker_RegisterSelf");

    /* The destructor is what releases the certStores reference when the
     * last reference to a checker goes away. */
    slot->destructor = pkix_CrlChecker_Destroy;
    slot->typeObjectSize = sizeof(pkix_CrlChecker);
    slot->description = "CRLChecker";

    PKIX_RETURN(CRLCHECKER);
}
michael@0 82
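/*
 * FUNCTION: pkix_CrlChecker_Create
 *
 * DESCRIPTION:
 *  Allocate and initialize CRLChecker state data.
 *
 * PARAMETERS
 *  "methodType", "flags", "priority", "localRevChecker",
 *  "externalRevChecker"
 *      Passed unchanged to pkix_RevocationMethod_Init to set up the
 *      RevocationMethod part of the new object.
 *  "certStores"
 *      Address of CertStore List to be stored in state. Must be non-NULL.
 *      The checker takes its own reference on the list.
 *  "crlVerifyFn"
 *      Callback stored in the checker state. May be NULL as far as this
 *      function is concerned; it is only stored, not called.
 *  "pChecker"
 *      Address of CRLChecker that is returned. Must be non-NULL. Written
 *      only on success; ownership of the new object passes to the caller.
 *  "plContext"
 *      Platform-specific context pointer.
 *
 * THREAD SAFETY:
 *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
 *
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a DefaultCrlChecker Error if the function fails in a
 *  non-fatal way.
 *  Returns a Fatal Error
 */
PKIX_Error *
pkix_CrlChecker_Create(PKIX_RevocationMethodType methodType,
                       PKIX_UInt32 flags,
                       PKIX_UInt32 priority,
                       pkix_LocalRevocationCheckFn localRevChecker,
                       pkix_ExternalRevocationCheckFn externalRevChecker,
                       PKIX_List *certStores,
                       PKIX_PL_VerifyCallback crlVerifyFn,
                       pkix_RevocationMethod **pChecker,
                       void *plContext)
{
    pkix_CrlChecker *crlChecker = NULL;

    PKIX_ENTER(CRLCHECKER, "pkix_CrlChecker_Create");
    PKIX_NULLCHECK_TWO(certStores, pChecker);

    PKIX_CHECK(PKIX_PL_Object_Alloc
               (PKIX_CRLCHECKER_TYPE,
                sizeof (pkix_CrlChecker),
                (PKIX_PL_Object **)&crlChecker,
                plContext),
               PKIX_COULDNOTCREATECRLCHECKEROBJECT);

    /* Put the CRL-specific fields into a known state before anything can
     * fail. Every failure below ends in PKIX_DECREF(crlChecker), and the
     * destructor in this file releases certStores; this file does not show
     * whether PKIX_PL_Object_Alloc zeroes the payload, so without this the
     * destructor could be handed an indeterminate pointer. */
    crlChecker->certStores = NULL;
    crlChecker->crlVerifyFn = NULL;

    pkixErrorResult = pkix_RevocationMethod_Init(
        (pkix_RevocationMethod*)crlChecker, methodType, flags, priority,
        localRevChecker, externalRevChecker, plContext);
    if (pkixErrorResult) {
        goto cleanup;
    }

    /* Initialize fields */
    PKIX_INCREF(certStores);
    crlChecker->certStores = certStores;

    crlChecker->crlVerifyFn = crlVerifyFn;
    *pChecker = (pkix_RevocationMethod*)crlChecker;
    /* Ownership moved to *pChecker; keep cleanup from releasing it. */
    crlChecker = NULL;

cleanup:
    PKIX_DECREF(crlChecker);

    PKIX_RETURN(CRLCHECKER);
}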
michael@0 158
michael@0 159 /* --Private-CRLChecker-Functions------------------------------------ */
michael@0 160
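/*
 * FUNCTION: pkix_CrlChecker_CheckLocal
 *
 * DESCRIPTION:
 *  Check whether the Cert has been revoked, using only CRL data that the
 *  local cert stores of the checker can provide. Nothing is downloaded.
 *  Stores that are not flagged local, or that offer no CRL check callback,
 *  are skipped. The loop stops at the first store that reports the cert as
 *  revoked; otherwise the status written by the last store consulted is
 *  returned, and PKIX_RevStatus_NoInfo if no store was consulted.
 *
 * PARAMETERS
 *  "cert"
 *      Address of Certificate that is to be validated. Must be non-NULL.
 *  "issuer"
 *      Address of the issuer Certificate. Must be non-NULL.
 *  "date"
 *      Validation date. Forwarded to the store only when
 *      "chainVerificationState" is true; NULL is forwarded otherwise.
 *  "checkerObject"
 *      Address of the CrlChecker which has the state data.
 *      Must be non-NULL.
 *  "procParams", "methodFlags"
 *      Not used by this function.
 *  "chainVerificationState"
 *      Selects whether "date" is forwarded to the store (see above).
 *  "pRevStatus"
 *      Address where the revocation status is stored. Must be non-NULL.
 *  "pReasonCode"
 *      Forwarded to the store's CRL check callback.
 *  "plContext"
 *      Platform-specific context pointer.
 *
 * THREAD SAFETY:
 *  Not Thread Safe
 *  (see Thread Safety Definitions in Programmer's Guide)
 *
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error
 */
PKIX_Error *
pkix_CrlChecker_CheckLocal(
    PKIX_PL_Cert *cert,
    PKIX_PL_Cert *issuer,
    PKIX_PL_Date *date,
    pkix_RevocationMethod *checkerObject,
    PKIX_ProcessingParams *procParams,
    PKIX_UInt32 methodFlags,
    PKIX_Boolean chainVerificationState,
    PKIX_RevocationStatus *pRevStatus,
    PKIX_UInt32 *pReasonCode,
    void *plContext)
{
    PKIX_CertStore_CheckRevokationByCrlCallback storeCheckRevocationFn = NULL;
    PKIX_CertStore *certStore = NULL;
    pkix_CrlChecker *state = NULL;
    PKIX_UInt32 crlStoreIndex = 0;
    PKIX_UInt32 numCrlStores = 0;
    PKIX_Boolean storeIsLocal = PKIX_FALSE;
    PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;

    PKIX_ENTER(CERTCHAINCHECKER, "pkix_CrlChecker_CheckLocal");
    /* The fourth slot used to repeat checkerObject, which left pRevStatus
     * unchecked even though it is written unconditionally in cleanup. */
    PKIX_NULLCHECK_FOUR(cert, issuer, checkerObject, pRevStatus);

    state = (pkix_CrlChecker*)checkerObject;

    PKIX_CHECK(
        PKIX_List_GetLength(state->certStores, &numCrlStores, plContext),
        PKIX_LISTGETLENGTHFAILED);

    for (;crlStoreIndex < numCrlStores;crlStoreIndex++) {
        PKIX_CHECK(
            PKIX_List_GetItem(state->certStores, crlStoreIndex,
                              (PKIX_PL_Object **)&certStore,
                              plContext),
            PKIX_LISTGETITEMFAILED);

        PKIX_CHECK(
            PKIX_CertStore_GetLocalFlag(certStore, &storeIsLocal,
                                        plContext),
            PKIX_CERTSTOREGETLOCALFLAGFAILED);
        if (storeIsLocal) {
            PKIX_CHECK(
                PKIX_CertStore_GetCrlCheckerFn(certStore,
                                               &storeCheckRevocationFn,
                                               plContext),
                PKIX_CERTSTOREGETCHECKREVBYCRLFAILED);

            if (storeCheckRevocationFn) {
                PKIX_CHECK(
                    (*storeCheckRevocationFn)(certStore, cert, issuer,
                                   /* delay sig check if building
                                    * a chain by not specifying the time*/
                                   chainVerificationState ? date : NULL,
                                   /* crl downloading is not done. */
                                   PKIX_FALSE,
                                   pReasonCode, &revStatus, plContext),
                    PKIX_CERTSTORECRLCHECKFAILED);
                /* A revoked answer is final; any other answer may still be
                 * overwritten by a later store. */
                if (revStatus == PKIX_RevStatus_Revoked) {
                    break;
                }
            }
        }
        PKIX_DECREF(certStore);
    } /* for each cert store */

cleanup:
    /* Error exits land here too, so the caller always receives a status.
     * The guard is defensive: the null-check macro is defined outside this
     * file, so whether it can reach this label is not visible here. */
    if (pRevStatus) {
        *pRevStatus = revStatus;
    }
    PKIX_DECREF(certStore);

    PKIX_RETURN(CERTCHAINCHECKER);
}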
michael@0 260
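/*
 * FUNCTION: pkix_CrlChecker_CheckExternal
 *
 * DESCRIPTION:
 *  Check whether the Cert has been revoked, fetching CRLs through the
 *  checker's cert stores. The function first picks a local store that can
 *  both import CRLs and check revocation, then asks every store for CRLs
 *  matching the cert, imports what it gets into the chosen local store and
 *  runs the CRL check. It stops at the first store that yields a status
 *  other than PKIX_RevStatus_NoInfo.
 *
 *  Failure policy (applied in cleanup, so it also covers error exits):
 *  a NoInfo result is turned into PKIX_RevStatus_Revoked only when
 *  PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO is set and either the cert lists
 *  CRL distribution points or PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE is
 *  set. In every other case NoInfo is handed back, so without these flags
 *  a CRL that could not be obtained does not by itself fail the cert.
 *
 * PARAMETERS
 *  "cert"
 *      Address of Certificate that is to be validated. Must be non-NULL.
 *  "issuer"
 *      Address of the issuer Certificate. Must be non-NULL. Its key usage
 *      is checked for PKIX_CRL_SIGN before any CRL is fetched.
 *  "date"
 *      Validation date, forwarded to the CRL selector and the CRL check.
 *  "checkerObject"
 *      Address of the CrlChecker which has the state data.
 *      Must be non-NULL.
 *  "procParams"
 *      Not used by this function.
 *  "methodFlags"
 *      PKIX_REV_M_* flags that select the failure policy described above.
 *  "pRevStatus"
 *      Address where the revocation status is stored. Must be non-NULL.
 *  "pReasonCode"
 *      Forwarded to the store's CRL check callback.
 *  "pNBIOContext"
 *      Address of the non-blocking I/O context. Must be non-NULL. The
 *      incoming value is handed to the stores' CRL callbacks; the location
 *      itself is set to NULL and is not written again by this function.
 *  "plContext"
 *      Platform-specific context pointer.
 *
 * THREAD SAFETY:
 *  Not Thread Safe
 *  (see Thread Safety Definitions in Programmer's Guide)
 *
 * RETURNS:
 *  Returns NULL if the function succeeds.
 *  Returns a CertChainChecker Error if the function fails in a non-fatal way.
 *  Returns a Fatal Error
 */
PKIX_Error *
pkix_CrlChecker_CheckExternal(
    PKIX_PL_Cert *cert,
    PKIX_PL_Cert *issuer,
    PKIX_PL_Date *date,
    pkix_RevocationMethod *checkerObject,
    PKIX_ProcessingParams *procParams,
    PKIX_UInt32 methodFlags,
    PKIX_RevocationStatus *pRevStatus,
    PKIX_UInt32 *pReasonCode,
    void **pNBIOContext,
    void *plContext)
{
    PKIX_CertStore_CheckRevokationByCrlCallback storeCheckRevocationFn = NULL;
    PKIX_CertStore_ImportCrlCallback storeImportCrlFn = NULL;
    PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
    PKIX_CertStore *certStore = NULL;
    PKIX_CertStore *localStore = NULL;
    PKIX_CRLSelector *crlSelector = NULL;
    PKIX_PL_X500Name *issuerName = NULL;
    pkix_CrlChecker *state = NULL;
    PKIX_UInt32 crlStoreIndex = 0;
    PKIX_UInt32 numCrlStores = 0;
    PKIX_Boolean storeIsLocal = PKIX_FALSE;
    PKIX_List *crlList = NULL;
    PKIX_List *dpList = NULL;
    void *nbioContext = NULL;

    PKIX_ENTER(CERTCHAINCHECKER, "pkix_CrlChecker_CheckExternal");
    PKIX_NULLCHECK_FOUR(cert, issuer, checkerObject, pNBIOContext);
    /* pRevStatus is written unconditionally in cleanup, so it has to be
     * validated as well. */
    PKIX_NULLCHECK_ONE(pRevStatus);

    nbioContext = *pNBIOContext;
    *pNBIOContext = NULL; /* prepare for Error exit */
    /* NOTE(review): nbioContext is passed to the CRL callbacks below but is
     * never copied back to *pNBIOContext, so the caller sees NULL on every
     * exit visible here - confirm that pending I/O is not expected. */

    state = (pkix_CrlChecker*)checkerObject;

    PKIX_CHECK(
        PKIX_List_GetLength(state->certStores, &numCrlStores, plContext),
        PKIX_LISTGETLENGTHFAILED);

    /* Find a cert store that is capable of storing crls */
    for (;crlStoreIndex < numCrlStores;crlStoreIndex++) {
        PKIX_CHECK(
            PKIX_List_GetItem(state->certStores, crlStoreIndex,
                              (PKIX_PL_Object **)&certStore,
                              plContext),
            PKIX_LISTGETITEMFAILED);

        PKIX_CHECK(
            PKIX_CertStore_GetLocalFlag(certStore, &storeIsLocal,
                                        plContext),
            PKIX_CERTSTOREGETLOCALFLAGFAILED);
        if (storeIsLocal) {
            /* NOTE(review): this lookup reports the same error code as the
             * CRL-checker lookup that follows - confirm that is intended. */
            PKIX_CHECK(
                PKIX_CertStore_GetImportCrlCallback(certStore,
                                                    &storeImportCrlFn,
                                                    plContext),
                PKIX_CERTSTOREGETCHECKREVBYCRLFAILED);

            PKIX_CHECK(
                PKIX_CertStore_GetCrlCheckerFn(certStore,
                                               &storeCheckRevocationFn,
                                               plContext),
                PKIX_CERTSTOREGETCHECKREVBYCRLFAILED);

            if (storeImportCrlFn && storeCheckRevocationFn) {
                /* Keep the reference; it is released in cleanup. */
                localStore = certStore;
                certStore = NULL;
                break;
            }
        }
        PKIX_DECREF(certStore);
    } /* for each cert store */

    /* Report unknown status if we can not check crl in one of the
     * local stores. */
    if (!localStore) {
        PKIX_ERROR_FATAL(PKIX_CRLCHECKERNOLOCALCERTSTOREFOUND);
    }
    /* The issuer must be allowed to sign CRLs before its CRLs are used. */
    PKIX_CHECK(
        PKIX_PL_Cert_VerifyKeyUsage(issuer, PKIX_CRL_SIGN, plContext),
        PKIX_CERTCHECKKEYUSAGEFAILED);
    PKIX_CHECK(
        PKIX_PL_Cert_GetCrlDp(cert, &dpList, plContext),
        PKIX_CERTGETCRLDPFAILED);
    /* No distribution points and no requirement to have a source: leave
     * the status at NoInfo without contacting any store. */
    if (!(methodFlags & PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE) &&
        (!dpList || !dpList->length)) {
        goto cleanup;
    }
    PKIX_CHECK(
        PKIX_PL_Cert_GetIssuer(cert, &issuerName, plContext),
        PKIX_CERTGETISSUERFAILED);
    PKIX_CHECK(
        PKIX_CRLSelector_Create(issuer, dpList, date, &crlSelector, plContext),
        PKIX_CRLCHECKERSETSELECTORFAILED);
    /* Fetch crl and store in a local cert store */
    for (crlStoreIndex = 0;crlStoreIndex < numCrlStores;crlStoreIndex++) {
        PKIX_CertStore_CRLCallback getCrlsFn;

        PKIX_CHECK(
            PKIX_List_GetItem(state->certStores, crlStoreIndex,
                              (PKIX_PL_Object **)&certStore,
                              plContext),
            PKIX_LISTGETITEMFAILED);

        PKIX_CHECK(
            PKIX_CertStore_GetCRLCallback(certStore, &getCrlsFn,
                                          plContext),
            PKIX_CERTSTOREGETCRLCALLBACKFAILED);

        PKIX_CHECK(
            (*getCrlsFn)(certStore, crlSelector, &nbioContext,
                         &crlList, plContext),
            PKIX_GETCRLSFAILED);

        PKIX_CHECK(
            (*storeImportCrlFn)(localStore, issuerName, crlList, plContext),
            PKIX_CERTSTOREFAILTOIMPORTCRLLIST);

        /* NOTE(review): the check callback was obtained from localStore,
         * and the CRLs were imported into localStore, but the callback is
         * invoked with the store that was just queried - confirm this is
         * the intended argument. */
        PKIX_CHECK(
            (*storeCheckRevocationFn)(certStore, cert, issuer, date,
                                      /* done with crl downloading */
                                      PKIX_TRUE,
                                      pReasonCode, &revStatus, plContext),
            PKIX_CERTSTORECRLCHECKFAILED);
        if (revStatus != PKIX_RevStatus_NoInfo) {
            break;
        }
        PKIX_DECREF(crlList);
        PKIX_DECREF(certStore);
    } /* for each cert store */

cleanup:
    /* Update return flags: treat missing information as revoked only when
     * the caller asked for that policy and a source was expected. */
    if (revStatus == PKIX_RevStatus_NoInfo &&
        ((dpList && dpList->length > 0) ||
         (methodFlags & PKIX_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE)) &&
        (methodFlags & PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO)) {
        revStatus = PKIX_RevStatus_Revoked;
    }
    /* The guard is defensive: the null-check macros are defined outside
     * this file, so whether they can reach this label is not visible here. */
    if (pRevStatus) {
        *pRevStatus = revStatus;
    }

    PKIX_DECREF(dpList);
    PKIX_DECREF(crlList);
    PKIX_DECREF(certStore);
    PKIX_DECREF(issuerName);
    PKIX_DECREF(localStore);
    PKIX_DECREF(crlSelector);

    PKIX_RETURN(CERTCHAINCHECKER);
}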
