The Tor Browser / annotate

security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c@6474c204b198 (annotated)

security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c

Wed, 31 Dec 2014 06:09:35 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Wed, 31 Dec 2014 06:09:35 +0100
changeset 0
6474c204b198
permissions
-rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4 /*
michael@0 5 * pkix_ekuchecker.c
michael@0 6 *
michael@0 7 * User Defined ExtenedKeyUsage Function Definitions
michael@0 8 *
michael@0 9 */
michael@0 10
michael@0 11 #include "pkix_ekuchecker.h"
michael@0 12
michael@0 13 SECOidTag ekuOidStrings[] = {
michael@0 14 PKIX_KEY_USAGE_SERVER_AUTH_OID,
michael@0 15 PKIX_KEY_USAGE_CLIENT_AUTH_OID,
michael@0 16 PKIX_KEY_USAGE_CODE_SIGN_OID,
michael@0 17 PKIX_KEY_USAGE_EMAIL_PROTECT_OID,
michael@0 18 PKIX_KEY_USAGE_TIME_STAMP_OID,
michael@0 19 PKIX_KEY_USAGE_OCSP_RESPONDER_OID,
michael@0 20 PKIX_UNKNOWN_OID
michael@0 21 };
michael@0 22
michael@0 23 typedef struct pkix_EkuCheckerStruct {
michael@0 24 PKIX_List *requiredExtKeyUsageOids;
michael@0 25 PKIX_PL_OID *ekuOID;
michael@0 26 } pkix_EkuChecker;
michael@0 27
michael@0 28
michael@0 29 /*
michael@0 30 * FUNCTION: pkix_EkuChecker_Destroy
michael@0 31 * (see comments for PKIX_DestructorCallback in pkix_pl_system.h)
michael@0 32 */
michael@0 33 static PKIX_Error *
michael@0 34 pkix_EkuChecker_Destroy(
michael@0 35 PKIX_PL_Object *object,
michael@0 36 void *plContext)
michael@0 37 {
michael@0 38 pkix_EkuChecker *ekuCheckerState = NULL;
michael@0 39
michael@0 40 PKIX_ENTER(EKUCHECKER, "pkix_EkuChecker_Destroy");
michael@0 41 PKIX_NULLCHECK_ONE(object);
michael@0 42
michael@0 43 PKIX_CHECK(pkix_CheckType(object, PKIX_EKUCHECKER_TYPE, plContext),
michael@0 44 PKIX_OBJECTNOTANEKUCHECKERSTATE);
michael@0 45
michael@0 46 ekuCheckerState = (pkix_EkuChecker *)object;
michael@0 47
michael@0 48 PKIX_DECREF(ekuCheckerState->ekuOID);
michael@0 49 PKIX_DECREF(ekuCheckerState->requiredExtKeyUsageOids);
michael@0 50
michael@0 51 cleanup:
michael@0 52
michael@0 53 PKIX_RETURN(EKUCHECKER);
michael@0 54 }
michael@0 55
michael@0 56 /*
michael@0 57 * FUNCTION: pkix_EkuChecker_RegisterSelf
michael@0 58 *
michael@0 59 * DESCRIPTION:
michael@0 60 * Registers PKIX_PL_HTTPCERTSTORECONTEXT_TYPE and its related
michael@0 61 * functions with systemClasses[]
michael@0 62 *
michael@0 63 * THREAD SAFETY:
michael@0 64 * Not Thread Safe - for performance and complexity reasons
michael@0 65 *
michael@0 66 * Since this function is only called by PKIX_PL_Initialize, which should
michael@0 67 * only be called once, it is acceptable that this function is not
michael@0 68 * thread-safe.
michael@0 69 */
michael@0 70 PKIX_Error *
michael@0 71 pkix_EkuChecker_RegisterSelf(void *plContext)
michael@0 72 {
michael@0 73 extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
michael@0 74 pkix_ClassTable_Entry *entry = &systemClasses[PKIX_EKUCHECKER_TYPE];
michael@0 75
michael@0 76 PKIX_ENTER(EKUCHECKER, "pkix_EkuChecker_RegisterSelf");
michael@0 77
michael@0 78 entry->description = "EkuChecker";
michael@0 79 entry->typeObjectSize = sizeof(pkix_EkuChecker);
michael@0 80 entry->destructor = pkix_EkuChecker_Destroy;
michael@0 81
michael@0 82 PKIX_RETURN(EKUCHECKER);
michael@0 83 }
michael@0 84
michael@0 85 /*
michael@0 86 * FUNCTION: pkix_EkuChecker_Create
michael@0 87 * DESCRIPTION:
michael@0 88 *
michael@0 89 * Creates a new Extend Key Usage CheckerState using "params" to retrieve
michael@0 90 * application specified EKU for verification and stores it at "pState".
michael@0 91 *
michael@0 92 * PARAMETERS:
michael@0 93 * "params"
michael@0 94 * a PKIX_ProcessingParams links to PKIX_ComCertSelParams where a list of
michael@0 95 * Extended Key Usage OIDs specified by application can be retrieved for
michael@0 96 * verification.
michael@0 97 * "pState"
michael@0 98 * Address where state pointer will be stored. Must be non-NULL.
michael@0 99 * "plContext"
michael@0 100 * Platform-specific context pointer.
michael@0 101 * THREAD SAFETY:
michael@0 102 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
michael@0 103 * RETURNS:
michael@0 104 * Returns NULL if the function succeeds.
michael@0 105 * Returns a UserDefinedModules Error if the function fails in a
michael@0 106 * non-fatal way.
michael@0 107 * Returns a Fatal Error if the function fails in an unrecoverable way.
michael@0 108 */
michael@0 109 static PKIX_Error *
michael@0 110 pkix_EkuChecker_Create(
michael@0 111 PKIX_ProcessingParams *params,
michael@0 112 pkix_EkuChecker **pState,
michael@0 113 void *plContext)
michael@0 114 {
michael@0 115 pkix_EkuChecker *state = NULL;
michael@0 116 PKIX_CertSelector *certSelector = NULL;
michael@0 117 PKIX_ComCertSelParams *comCertSelParams = NULL;
michael@0 118 PKIX_List *requiredOids = NULL;
michael@0 119
michael@0 120 PKIX_ENTER(EKUCHECKER, "pkix_EkuChecker_Create");
michael@0 121 PKIX_NULLCHECK_TWO(params, pState);
michael@0 122
michael@0 123 PKIX_CHECK(PKIX_PL_Object_Alloc
michael@0 124 (PKIX_EKUCHECKER_TYPE,
michael@0 125 sizeof (pkix_EkuChecker),
michael@0 126 (PKIX_PL_Object **)&state,
michael@0 127 plContext),
michael@0 128 PKIX_COULDNOTCREATEEKUCHECKERSTATEOBJECT);
michael@0 129
michael@0 130
michael@0 131 PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
michael@0 132 (params, &certSelector, plContext),
michael@0 133 PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
michael@0 134
michael@0 135 if (certSelector != NULL) {
michael@0 136
michael@0 137 /* Get initial EKU OIDs from ComCertSelParams, if set */
michael@0 138 PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
michael@0 139 (certSelector, &comCertSelParams, plContext),
michael@0 140 PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMSFAILED);
michael@0 141
michael@0 142 if (comCertSelParams != NULL) {
michael@0 143 PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage
michael@0 144 (comCertSelParams, &requiredOids, plContext),
michael@0 145 PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED);
michael@0 146
michael@0 147 }
michael@0 148 }
michael@0 149
michael@0 150 PKIX_CHECK(PKIX_PL_OID_Create
michael@0 151 (PKIX_EXTENDEDKEYUSAGE_OID,
michael@0 152 &state->ekuOID,
michael@0 153 plContext),
michael@0 154 PKIX_OIDCREATEFAILED);
michael@0 155
michael@0 156 state->requiredExtKeyUsageOids = requiredOids;
michael@0 157 requiredOids = NULL;
michael@0 158 *pState = state;
michael@0 159 state = NULL;
michael@0 160
michael@0 161 cleanup:
michael@0 162
michael@0 163 PKIX_DECREF(certSelector);
michael@0 164 PKIX_DECREF(comCertSelParams);
michael@0 165 PKIX_DECREF(requiredOids);
michael@0 166 PKIX_DECREF(state);
michael@0 167
michael@0 168 PKIX_RETURN(EKUCHECKER);
michael@0 169 }
michael@0 170
michael@0 171 /*
michael@0 172 * FUNCTION: pkix_EkuChecker_Check
michael@0 173 * DESCRIPTION:
michael@0 174 *
michael@0 175 * This function determines the Extended Key Usage OIDs specified by the
michael@0 176 * application is included in the Extended Key Usage OIDs of this "cert".
michael@0 177 *
michael@0 178 * PARAMETERS:
michael@0 179 * "checker"
michael@0 180 * Address of CertChainChecker which has the state data.
michael@0 181 * Must be non-NULL.
michael@0 182 * "cert"
michael@0 183 * Address of Certificate that is to be validated. Must be non-NULL.
michael@0 184 * "unresolvedCriticalExtensions"
michael@0 185 * A List OIDs. The OID for Extended Key Usage is removed.
michael@0 186 * "plContext"
michael@0 187 * Platform-specific context pointer.
michael@0 188 * THREAD SAFETY:
michael@0 189 * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
michael@0 190 * RETURNS:
michael@0 191 * Returns NULL if the function succeeds.
michael@0 192 * Returns a UserDefinedModules Error if the function fails in
michael@0 193 * a non-fatal way.
michael@0 194 * Returns a Fatal Error if the function fails in an unrecoverable way.
michael@0 195 */
michael@0 196 static PKIX_Error *
michael@0 197 pkix_EkuChecker_Check(
michael@0 198 PKIX_CertChainChecker *checker,
michael@0 199 PKIX_PL_Cert *cert,
michael@0 200 PKIX_List *unresolvedCriticalExtensions,
michael@0 201 void **pNBIOContext,
michael@0 202 void *plContext)
michael@0 203 {
michael@0 204 pkix_EkuChecker *state = NULL;
michael@0 205 PKIX_List *requiredExtKeyUsageList = NULL;
michael@0 206 PKIX_List *certExtKeyUsageList = NULL;
michael@0 207 PKIX_PL_OID *ekuOid = NULL;
michael@0 208 PKIX_Boolean isContained = PKIX_FALSE;
michael@0 209 PKIX_UInt32 numItems = 0;
michael@0 210 PKIX_UInt32 i;
michael@0 211 PKIX_Boolean checkResult = PKIX_TRUE;
michael@0 212
michael@0 213 PKIX_ENTER(EKUCHECKER, "pkix_EkuChecker_Check");
michael@0 214 PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
michael@0 215
michael@0 216 *pNBIOContext = NULL; /* no non-blocking IO */
michael@0 217
michael@0 218 PKIX_CHECK(
michael@0 219 PKIX_CertChainChecker_GetCertChainCheckerState
michael@0 220 (checker, (PKIX_PL_Object **)&state, plContext),
michael@0 221 PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
michael@0 222
michael@0 223 requiredExtKeyUsageList = state->requiredExtKeyUsageOids;
michael@0 224 if (requiredExtKeyUsageList == NULL) {
michael@0 225 goto cleanup;
michael@0 226 }
michael@0 227
michael@0 228 PKIX_CHECK(
michael@0 229 PKIX_List_GetLength(requiredExtKeyUsageList, &numItems,
michael@0 230 plContext),
michael@0 231 PKIX_LISTGETLENGTHFAILED);
michael@0 232 if (numItems == 0) {
michael@0 233 goto cleanup;
michael@0 234 }
michael@0 235
michael@0 236 PKIX_CHECK(
michael@0 237 PKIX_PL_Cert_GetExtendedKeyUsage(cert, &certExtKeyUsageList,
michael@0 238 plContext),
michael@0 239 PKIX_CERTGETEXTENDEDKEYUSAGEFAILED);
michael@0 240
michael@0 241 if (certExtKeyUsageList == NULL) {
michael@0 242 goto cleanup;
michael@0 243 }
michael@0 244
michael@0 245 for (i = 0; i < numItems; i++) {
michael@0 246
michael@0 247 PKIX_CHECK(
michael@0 248 PKIX_List_GetItem(requiredExtKeyUsageList, i,
michael@0 249 (PKIX_PL_Object **)&ekuOid, plContext),
michael@0 250 PKIX_LISTGETITEMFAILED);
michael@0 251
michael@0 252 PKIX_CHECK(
michael@0 253 pkix_List_Contains(certExtKeyUsageList,
michael@0 254 (PKIX_PL_Object *)ekuOid,
michael@0 255 &isContained,
michael@0 256 plContext),
michael@0 257 PKIX_LISTCONTAINSFAILED);
michael@0 258
michael@0 259 PKIX_DECREF(ekuOid);
michael@0 260 if (isContained != PKIX_TRUE) {
michael@0 261 checkResult = PKIX_FALSE;
michael@0 262 goto cleanup;
michael@0 263 }
michael@0 264 }
michael@0 265
michael@0 266 cleanup:
michael@0 267 if (!pkixErrorResult && checkResult == PKIX_FALSE) {
michael@0 268 pkixErrorReceived = PKIX_TRUE;
michael@0 269 pkixErrorCode = PKIX_EXTENDEDKEYUSAGECHECKINGFAILED;
michael@0 270 }
michael@0 271
michael@0 272 PKIX_DECREF(ekuOid);
michael@0 273 PKIX_DECREF(certExtKeyUsageList);
michael@0 274 PKIX_DECREF(state);
michael@0 275
michael@0 276 PKIX_RETURN(EKUCHECKER);
michael@0 277 }
michael@0 278
michael@0 279 /*
michael@0 280 * FUNCTION: pkix_EkuChecker_Initialize
michael@0 281 * (see comments in pkix_sample_modules.h)
michael@0 282 */
michael@0 283 PKIX_Error *
michael@0 284 PKIX_EkuChecker_Create(
michael@0 285 PKIX_ProcessingParams *params,
michael@0 286 PKIX_CertChainChecker **pEkuChecker,
michael@0 287 void *plContext)
michael@0 288 {
michael@0 289 pkix_EkuChecker *state = NULL;
michael@0 290 PKIX_List *critExtOIDsList = NULL;
michael@0 291
michael@0 292 PKIX_ENTER(EKUCHECKER, "PKIX_EkuChecker_Initialize");
michael@0 293 PKIX_NULLCHECK_ONE(params);
michael@0 294
michael@0 295 /*
michael@0 296 * This function and functions in this file provide an example of how
michael@0 297 * an application defined checker can be hooked into libpkix.
michael@0 298 */
michael@0 299
michael@0 300 PKIX_CHECK(pkix_EkuChecker_Create
michael@0 301 (params, &state, plContext),
michael@0 302 PKIX_EKUCHECKERSTATECREATEFAILED);
michael@0 303
michael@0 304 PKIX_CHECK(PKIX_List_Create(&critExtOIDsList, plContext),
michael@0 305 PKIX_LISTCREATEFAILED);
michael@0 306
michael@0 307 PKIX_CHECK(PKIX_List_AppendItem
michael@0 308 (critExtOIDsList,
michael@0 309 (PKIX_PL_Object *)state->ekuOID,
michael@0 310 plContext),
michael@0 311 PKIX_LISTAPPENDITEMFAILED);
michael@0 312
michael@0 313 PKIX_CHECK(PKIX_CertChainChecker_Create
michael@0 314 (pkix_EkuChecker_Check,
michael@0 315 PKIX_TRUE, /* forwardCheckingSupported */
michael@0 316 PKIX_FALSE, /* forwardDirectionExpected */
michael@0 317 critExtOIDsList,
michael@0 318 (PKIX_PL_Object *) state,
michael@0 319 pEkuChecker,
michael@0 320 plContext),
michael@0 321 PKIX_CERTCHAINCHECKERCREATEFAILED);
michael@0 322 cleanup:
michael@0 323
michael@0 324 PKIX_DECREF(critExtOIDsList);
michael@0 325 PKIX_DECREF(state);
michael@0 326
michael@0 327 PKIX_RETURN(EKUCHECKER);
michael@0 328 }

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial