security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c@6474c204b198 (annotated)
security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rwxr-xr-x
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
| michael@0 | 1 | /* This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| michael@0 | 4 | /* |
| michael@0 | 5 | * pkix_targetcertchecker.c |
| michael@0 | 6 | * |
| michael@0 | 7 | * Functions for target cert validation |
| michael@0 | 8 | * |
| michael@0 | 9 | */ |
| michael@0 | 10 | |
| michael@0 | 11 | |
| michael@0 | 12 | #include "pkix_targetcertchecker.h" |
| michael@0 | 13 | |
| michael@0 | 14 | /* --Private-TargetCertCheckerState-Functions------------------------------- */ |
| michael@0 | 15 | |
| michael@0 | 16 | /* |
| michael@0 | 17 | * FUNCTION: pkix_TargetCertCheckerState_Destroy |
| michael@0 | 18 | * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h) |
| michael@0 | 19 | */ |
| michael@0 | 20 | static PKIX_Error * |
| michael@0 | 21 | pkix_TargetCertCheckerState_Destroy( |
| michael@0 | 22 | PKIX_PL_Object *object, |
| michael@0 | 23 | void *plContext) |
| michael@0 | 24 | { |
| michael@0 | 25 | pkix_TargetCertCheckerState *state = NULL; |
| michael@0 | 26 | |
| michael@0 | 27 | PKIX_ENTER(TARGETCERTCHECKERSTATE, |
| michael@0 | 28 | "pkix_TargetCertCheckerState_Destroy"); |
| michael@0 | 29 | PKIX_NULLCHECK_ONE(object); |
| michael@0 | 30 | |
| michael@0 | 31 | /* Check that this object is a target cert checker state */ |
| michael@0 | 32 | PKIX_CHECK(pkix_CheckType |
| michael@0 | 33 | (object, PKIX_TARGETCERTCHECKERSTATE_TYPE, plContext), |
| michael@0 | 34 | PKIX_OBJECTNOTTARGETCERTCHECKERSTATE); |
| michael@0 | 35 | |
| michael@0 | 36 | state = (pkix_TargetCertCheckerState *)object; |
| michael@0 | 37 | |
| michael@0 | 38 | PKIX_DECREF(state->certSelector); |
| michael@0 | 39 | PKIX_DECREF(state->extKeyUsageOID); |
| michael@0 | 40 | PKIX_DECREF(state->subjAltNameOID); |
| michael@0 | 41 | PKIX_DECREF(state->pathToNameList); |
| michael@0 | 42 | PKIX_DECREF(state->extKeyUsageList); |
| michael@0 | 43 | PKIX_DECREF(state->subjAltNameList); |
| michael@0 | 44 | |
| michael@0 | 45 | cleanup: |
| michael@0 | 46 | |
| michael@0 | 47 | PKIX_RETURN(TARGETCERTCHECKERSTATE); |
| michael@0 | 48 | } |
| michael@0 | 49 | |
| michael@0 | 50 | /* |
| michael@0 | 51 | * FUNCTION: pkix_TargetCertCheckerState_RegisterSelf |
| michael@0 | 52 | * DESCRIPTION: |
| michael@0 | 53 | * Registers PKIX_TARGETCERTCHECKERSTATE_TYPE and its related functions with |
| michael@0 | 54 | * systemClasses[] |
| michael@0 | 55 | * THREAD SAFETY: |
| michael@0 | 56 | * Not Thread Safe - for performance and complexity reasons |
| michael@0 | 57 | * |
| michael@0 | 58 | * Since this function is only called by PKIX_PL_Initialize, which should |
| michael@0 | 59 | * only be called once, it is acceptable that this function is not |
| michael@0 | 60 | * thread-safe. |
| michael@0 | 61 | */ |
| michael@0 | 62 | PKIX_Error * |
| michael@0 | 63 | pkix_TargetCertCheckerState_RegisterSelf(void *plContext) |
| michael@0 | 64 | { |
| michael@0 | 65 | extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; |
| michael@0 | 66 | pkix_ClassTable_Entry entry; |
| michael@0 | 67 | |
| michael@0 | 68 | PKIX_ENTER(TARGETCERTCHECKERSTATE, |
| michael@0 | 69 | "pkix_TargetCertCheckerState_RegisterSelf"); |
| michael@0 | 70 | |
| michael@0 | 71 | entry.description = "TargetCertCheckerState"; |
| michael@0 | 72 | entry.objCounter = 0; |
| michael@0 | 73 | entry.typeObjectSize = sizeof(pkix_TargetCertCheckerState); |
| michael@0 | 74 | entry.destructor = pkix_TargetCertCheckerState_Destroy; |
| michael@0 | 75 | entry.equalsFunction = NULL; |
| michael@0 | 76 | entry.hashcodeFunction = NULL; |
| michael@0 | 77 | entry.toStringFunction = NULL; |
| michael@0 | 78 | entry.comparator = NULL; |
| michael@0 | 79 | entry.duplicateFunction = NULL; |
| michael@0 | 80 | |
| michael@0 | 81 | systemClasses[PKIX_TARGETCERTCHECKERSTATE_TYPE] = entry; |
| michael@0 | 82 | |
| michael@0 | 83 | PKIX_RETURN(TARGETCERTCHECKERSTATE); |
| michael@0 | 84 | } |
| michael@0 | 85 | |
| michael@0 | 86 | /* |
| michael@0 | 87 | * FUNCTION: pkix_TargetCertCheckerState_Create |
| michael@0 | 88 | * DESCRIPTION: |
| michael@0 | 89 | * |
| michael@0 | 90 | * Creates a new TargetCertCheckerState using the CertSelector pointed to |
| michael@0 | 91 | * by "certSelector" and the number of certs represented by "certsRemaining" |
| michael@0 | 92 | * and stores it at "pState". |
| michael@0 | 93 | * |
| michael@0 | 94 | * PARAMETERS: |
| michael@0 | 95 | * "certSelector" |
| michael@0 | 96 | * Address of CertSelector representing the criteria against which the |
| michael@0 | 97 | * final certificate in a chain is to be matched. Must be non-NULL. |
| michael@0 | 98 | * "certsRemaining" |
| michael@0 | 99 | * Number of certificates remaining in the chain. |
| michael@0 | 100 | * "pState" |
| michael@0 | 101 | * Address where object pointer will be stored. Must be non-NULL. |
| michael@0 | 102 | * "plContext" |
| michael@0 | 103 | * Platform-specific context pointer. |
| michael@0 | 104 | * THREAD SAFETY: |
| michael@0 | 105 | * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
| michael@0 | 106 | * RETURNS: |
| michael@0 | 107 | * Returns NULL if the function succeeds. |
| michael@0 | 108 | * Returns a TargetCertCheckerState Error if the function fails in a |
| michael@0 | 109 | * non-fatal way. |
| michael@0 | 110 | * Returns a Fatal Error if the function fails in an unrecoverable way. |
| michael@0 | 111 | */ |
| michael@0 | 112 | PKIX_Error * |
| michael@0 | 113 | pkix_TargetCertCheckerState_Create( |
| michael@0 | 114 | PKIX_CertSelector *certSelector, |
| michael@0 | 115 | PKIX_UInt32 certsRemaining, |
| michael@0 | 116 | pkix_TargetCertCheckerState **pState, |
| michael@0 | 117 | void *plContext) |
| michael@0 | 118 | { |
| michael@0 | 119 | pkix_TargetCertCheckerState *state = NULL; |
| michael@0 | 120 | PKIX_ComCertSelParams *certSelectorParams = NULL; |
| michael@0 | 121 | PKIX_List *pathToNameList = NULL; |
| michael@0 | 122 | PKIX_List *extKeyUsageList = NULL; |
| michael@0 | 123 | PKIX_List *subjAltNameList = NULL; |
| michael@0 | 124 | PKIX_PL_OID *extKeyUsageOID = NULL; |
| michael@0 | 125 | PKIX_PL_OID *subjAltNameOID = NULL; |
| michael@0 | 126 | PKIX_Boolean subjAltNameMatchAll = PKIX_TRUE; |
| michael@0 | 127 | |
| michael@0 | 128 | PKIX_ENTER(TARGETCERTCHECKERSTATE, |
| michael@0 | 129 | "pkix_TargetCertCheckerState_Create"); |
| michael@0 | 130 | PKIX_NULLCHECK_ONE(pState); |
| michael@0 | 131 | |
| michael@0 | 132 | PKIX_CHECK(PKIX_PL_OID_Create |
| michael@0 | 133 | (PKIX_EXTENDEDKEYUSAGE_OID, |
| michael@0 | 134 | &extKeyUsageOID, |
| michael@0 | 135 | plContext), |
| michael@0 | 136 | PKIX_OIDCREATEFAILED); |
| michael@0 | 137 | |
| michael@0 | 138 | PKIX_CHECK(PKIX_PL_OID_Create |
| michael@0 | 139 | (PKIX_CERTSUBJALTNAME_OID, |
| michael@0 | 140 | &subjAltNameOID, |
| michael@0 | 141 | plContext), |
| michael@0 | 142 | PKIX_OIDCREATEFAILED); |
| michael@0 | 143 | |
| michael@0 | 144 | PKIX_CHECK(PKIX_PL_Object_Alloc |
| michael@0 | 145 | (PKIX_TARGETCERTCHECKERSTATE_TYPE, |
| michael@0 | 146 | sizeof (pkix_TargetCertCheckerState), |
| michael@0 | 147 | (PKIX_PL_Object **)&state, |
| michael@0 | 148 | plContext), |
| michael@0 | 149 | PKIX_COULDNOTCREATETARGETCERTCHECKERSTATEOBJECT); |
| michael@0 | 150 | |
| michael@0 | 151 | /* initialize fields */ |
| michael@0 | 152 | |
| michael@0 | 153 | if (certSelector != NULL) { |
| michael@0 | 154 | |
| michael@0 | 155 | PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams |
| michael@0 | 156 | (certSelector, &certSelectorParams, plContext), |
| michael@0 | 157 | PKIX_CERTSELECTORGETCOMMONCERTSELECTORPARAMFAILED); |
| michael@0 | 158 | |
| michael@0 | 159 | if (certSelectorParams != NULL) { |
| michael@0 | 160 | |
| michael@0 | 161 | PKIX_CHECK(PKIX_ComCertSelParams_GetPathToNames |
| michael@0 | 162 | (certSelectorParams, |
| michael@0 | 163 | &pathToNameList, |
| michael@0 | 164 | plContext), |
| michael@0 | 165 | PKIX_COMCERTSELPARAMSGETPATHTONAMESFAILED); |
| michael@0 | 166 | |
| michael@0 | 167 | PKIX_CHECK(PKIX_ComCertSelParams_GetExtendedKeyUsage |
| michael@0 | 168 | (certSelectorParams, |
| michael@0 | 169 | &extKeyUsageList, |
| michael@0 | 170 | plContext), |
| michael@0 | 171 | PKIX_COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED); |
| michael@0 | 172 | |
| michael@0 | 173 | PKIX_CHECK(PKIX_ComCertSelParams_GetSubjAltNames |
| michael@0 | 174 | (certSelectorParams, |
| michael@0 | 175 | &subjAltNameList, |
| michael@0 | 176 | plContext), |
| michael@0 | 177 | PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED); |
| michael@0 | 178 | |
| michael@0 | 179 | PKIX_CHECK(PKIX_ComCertSelParams_GetMatchAllSubjAltNames |
| michael@0 | 180 | (certSelectorParams, |
| michael@0 | 181 | &subjAltNameMatchAll, |
| michael@0 | 182 | plContext), |
| michael@0 | 183 | PKIX_COMCERTSELPARAMSGETSUBJALTNAMESFAILED); |
| michael@0 | 184 | } |
| michael@0 | 185 | } |
| michael@0 | 186 | |
| michael@0 | 187 | state->certsRemaining = certsRemaining; |
| michael@0 | 188 | state->subjAltNameMatchAll = subjAltNameMatchAll; |
| michael@0 | 189 | |
| michael@0 | 190 | PKIX_INCREF(certSelector); |
| michael@0 | 191 | state->certSelector = certSelector; |
| michael@0 | 192 | |
| michael@0 | 193 | state->pathToNameList = pathToNameList; |
| michael@0 | 194 | pathToNameList = NULL; |
| michael@0 | 195 | |
| michael@0 | 196 | state->extKeyUsageList = extKeyUsageList; |
| michael@0 | 197 | extKeyUsageList = NULL; |
| michael@0 | 198 | |
| michael@0 | 199 | state->subjAltNameList = subjAltNameList; |
| michael@0 | 200 | subjAltNameList = NULL; |
| michael@0 | 201 | |
| michael@0 | 202 | state->extKeyUsageOID = extKeyUsageOID; |
| michael@0 | 203 | extKeyUsageOID = NULL; |
| michael@0 | 204 | |
| michael@0 | 205 | state->subjAltNameOID = subjAltNameOID; |
| michael@0 | 206 | subjAltNameOID = NULL; |
| michael@0 | 207 | |
| michael@0 | 208 | *pState = state; |
| michael@0 | 209 | state = NULL; |
| michael@0 | 210 | |
| michael@0 | 211 | cleanup: |
| michael@0 | 212 | |
| michael@0 | 213 | PKIX_DECREF(extKeyUsageOID); |
| michael@0 | 214 | PKIX_DECREF(subjAltNameOID); |
| michael@0 | 215 | PKIX_DECREF(pathToNameList); |
| michael@0 | 216 | PKIX_DECREF(extKeyUsageList); |
| michael@0 | 217 | PKIX_DECREF(subjAltNameList); |
| michael@0 | 218 | PKIX_DECREF(state); |
| michael@0 | 219 | |
| michael@0 | 220 | PKIX_DECREF(certSelectorParams); |
| michael@0 | 221 | |
| michael@0 | 222 | PKIX_RETURN(TARGETCERTCHECKERSTATE); |
| michael@0 | 223 | |
| michael@0 | 224 | } |
| michael@0 | 225 | |
| michael@0 | 226 | /* --Private-TargetCertChecker-Functions------------------------------- */ |
| michael@0 | 227 | |
| michael@0 | 228 | /* |
| michael@0 | 229 | * FUNCTION: pkix_TargetCertChecker_Check |
| michael@0 | 230 | * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h) |
| michael@0 | 231 | */ |
| michael@0 | 232 | PKIX_Error * |
| michael@0 | 233 | pkix_TargetCertChecker_Check( |
| michael@0 | 234 | PKIX_CertChainChecker *checker, |
| michael@0 | 235 | PKIX_PL_Cert *cert, |
| michael@0 | 236 | PKIX_List *unresolvedCriticalExtensions, |
| michael@0 | 237 | void **pNBIOContext, |
| michael@0 | 238 | void *plContext) |
| michael@0 | 239 | { |
| michael@0 | 240 | pkix_TargetCertCheckerState *state = NULL; |
| michael@0 | 241 | PKIX_CertSelector_MatchCallback certSelectorMatch = NULL; |
| michael@0 | 242 | PKIX_PL_CertNameConstraints *nameConstraints = NULL; |
| michael@0 | 243 | PKIX_List *certSubjAltNames = NULL; |
| michael@0 | 244 | PKIX_List *certExtKeyUsageList = NULL; |
| michael@0 | 245 | PKIX_PL_GeneralName *name = NULL; |
| michael@0 | 246 | PKIX_PL_X500Name *certSubjectName = NULL; |
| michael@0 | 247 | PKIX_Boolean checkPassed = PKIX_FALSE; |
| michael@0 | 248 | PKIX_UInt32 numItems, i; |
| michael@0 | 249 | PKIX_UInt32 matchCount = 0; |
| michael@0 | 250 | |
| michael@0 | 251 | PKIX_ENTER(CERTCHAINCHECKER, "pkix_TargetCertChecker_Check"); |
| michael@0 | 252 | PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext); |
| michael@0 | 253 | |
| michael@0 | 254 | *pNBIOContext = NULL; /* we never block on pending I/O */ |
| michael@0 | 255 | |
| michael@0 | 256 | PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState |
| michael@0 | 257 | (checker, (PKIX_PL_Object **)&state, plContext), |
| michael@0 | 258 | PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED); |
| michael@0 | 259 | |
| michael@0 | 260 | (state->certsRemaining)--; |
| michael@0 | 261 | |
| michael@0 | 262 | if (state->pathToNameList != NULL) { |
| michael@0 | 263 | |
| michael@0 | 264 | PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints |
| michael@0 | 265 | (cert, &nameConstraints, plContext), |
| michael@0 | 266 | PKIX_CERTGETNAMECONSTRAINTSFAILED); |
| michael@0 | 267 | |
| michael@0 | 268 | /* |
| michael@0 | 269 | * XXX We should either make the following call a public one |
| michael@0 | 270 | * so it is legal to call from the portability layer or we |
| michael@0 | 271 | * should try to create pathToNameList as CertNameConstraints |
| michael@0 | 272 | * then call the existing check function. |
| michael@0 | 273 | */ |
| michael@0 | 274 | PKIX_CHECK(PKIX_PL_CertNameConstraints_CheckNamesInNameSpace |
| michael@0 | 275 | (state->pathToNameList, |
| michael@0 | 276 | nameConstraints, |
| michael@0 | 277 | &checkPassed, |
| michael@0 | 278 | plContext), |
| michael@0 | 279 | PKIX_CERTNAMECONSTRAINTSCHECKNAMEINNAMESPACEFAILED); |
| michael@0 | 280 | |
| michael@0 | 281 | if (checkPassed != PKIX_TRUE) { |
| michael@0 | 282 | PKIX_ERROR(PKIX_VALIDATIONFAILEDPATHTONAMECHECKFAILED); |
| michael@0 | 283 | } |
| michael@0 | 284 | |
| michael@0 | 285 | } |
| michael@0 | 286 | |
| michael@0 | 287 | PKIX_CHECK(PKIX_PL_Cert_GetSubjectAltNames |
| michael@0 | 288 | (cert, &certSubjAltNames, plContext), |
| michael@0 | 289 | PKIX_CERTGETSUBJALTNAMESFAILED); |
| michael@0 | 290 | |
| michael@0 | 291 | if (state->subjAltNameList != NULL && certSubjAltNames != NULL) { |
| michael@0 | 292 | |
| michael@0 | 293 | PKIX_CHECK(PKIX_List_GetLength |
| michael@0 | 294 | (state->subjAltNameList, &numItems, plContext), |
| michael@0 | 295 | PKIX_LISTGETLENGTHFAILED); |
| michael@0 | 296 | |
| michael@0 | 297 | for (i = 0; i < numItems; i++) { |
| michael@0 | 298 | |
| michael@0 | 299 | PKIX_CHECK(PKIX_List_GetItem |
| michael@0 | 300 | (state->subjAltNameList, |
| michael@0 | 301 | i, |
| michael@0 | 302 | (PKIX_PL_Object **) &name, |
| michael@0 | 303 | plContext), |
| michael@0 | 304 | PKIX_LISTGETITEMFAILED); |
| michael@0 | 305 | |
| michael@0 | 306 | PKIX_CHECK(pkix_List_Contains |
| michael@0 | 307 | (certSubjAltNames, |
| michael@0 | 308 | (PKIX_PL_Object *) name, |
| michael@0 | 309 | &checkPassed, |
| michael@0 | 310 | plContext), |
| michael@0 | 311 | PKIX_LISTCONTAINSFAILED); |
| michael@0 | 312 | |
| michael@0 | 313 | PKIX_DECREF(name); |
| michael@0 | 314 | |
| michael@0 | 315 | if (checkPassed == PKIX_TRUE) { |
| michael@0 | 316 | |
| michael@0 | 317 | if (state->subjAltNameMatchAll == PKIX_FALSE) { |
| michael@0 | 318 | matchCount = numItems; |
| michael@0 | 319 | break; |
| michael@0 | 320 | } else { |
| michael@0 | 321 | /* else continue checking next */ |
| michael@0 | 322 | matchCount++; |
| michael@0 | 323 | } |
| michael@0 | 324 | |
| michael@0 | 325 | } |
| michael@0 | 326 | } |
| michael@0 | 327 | |
| michael@0 | 328 | if (matchCount != numItems) { |
| michael@0 | 329 | PKIX_ERROR(PKIX_SUBJALTNAMECHECKFAILED); |
| michael@0 | 330 | |
| michael@0 | 331 | } |
| michael@0 | 332 | } |
| michael@0 | 333 | |
| michael@0 | 334 | if (state->certsRemaining == 0) { |
| michael@0 | 335 | |
| michael@0 | 336 | if (state->certSelector != NULL) { |
| michael@0 | 337 | PKIX_CHECK(PKIX_CertSelector_GetMatchCallback |
| michael@0 | 338 | (state->certSelector, |
| michael@0 | 339 | &certSelectorMatch, |
| michael@0 | 340 | plContext), |
| michael@0 | 341 | PKIX_CERTSELECTORGETMATCHCALLBACKFAILED); |
| michael@0 | 342 | |
| michael@0 | 343 | PKIX_CHECK(certSelectorMatch |
| michael@0 | 344 | (state->certSelector, |
| michael@0 | 345 | cert, |
| michael@0 | 346 | plContext), |
| michael@0 | 347 | PKIX_CERTSELECTORMATCHFAILED); |
| michael@0 | 348 | } else { |
| michael@0 | 349 | /* Check at least cert/key usages if target cert selector |
| michael@0 | 350 | * is not set. */ |
| michael@0 | 351 | PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert, |
| michael@0 | 352 | PKIX_FALSE /* is chain cert*/, |
| michael@0 | 353 | plContext), |
| michael@0 | 354 | PKIX_CERTVERIFYCERTTYPEFAILED); |
| michael@0 | 355 | } |
| michael@0 | 356 | /* |
| michael@0 | 357 | * There are two Extended Key Usage Checkings |
| michael@0 | 358 | * available : |
| michael@0 | 359 | * 1) here at the targetcertchecker where we |
| michael@0 | 360 | * verify the Extended Key Usage OIDs application |
| michael@0 | 361 | * specifies via ComCertSelParams are included |
| michael@0 | 362 | * in Cert's Extended Key Usage OID's. Note, |
| michael@0 | 363 | * this is an OID to OID comparison and only last |
| michael@0 | 364 | * Cert is checked. |
| michael@0 | 365 | * 2) at user defined ekuchecker where checking |
| michael@0 | 366 | * is applied to all Certs on the chain and |
| michael@0 | 367 | * the NSS Extended Key Usage algorithm is |
| michael@0 | 368 | * used. In order to invoke this checking, not |
| michael@0 | 369 | * only does the ComCertSelparams needs to be |
| michael@0 | 370 | * set, the EKU initialize call is required to |
| michael@0 | 371 | * activate the checking. |
| michael@0 | 372 | * |
| michael@0 | 373 | * XXX We use the same ComCertSelParams Set/Get |
| michael@0 | 374 | * functions to set the parameters for both cases. |
| michael@0 | 375 | * We may want to separate them in the future. |
| michael@0 | 376 | */ |
| michael@0 | 377 | |
| michael@0 | 378 | PKIX_CHECK(PKIX_PL_Cert_GetExtendedKeyUsage |
| michael@0 | 379 | (cert, &certExtKeyUsageList, plContext), |
| michael@0 | 380 | PKIX_CERTGETEXTENDEDKEYUSAGEFAILED); |
| michael@0 | 381 | |
| michael@0 | 382 | |
| michael@0 | 383 | if (state->extKeyUsageList != NULL && |
| michael@0 | 384 | certExtKeyUsageList != NULL) { |
| michael@0 | 385 | |
| michael@0 | 386 | PKIX_CHECK(PKIX_List_GetLength |
| michael@0 | 387 | (state->extKeyUsageList, &numItems, plContext), |
| michael@0 | 388 | PKIX_LISTGETLENGTHFAILED); |
| michael@0 | 389 | |
| michael@0 | 390 | for (i = 0; i < numItems; i++) { |
| michael@0 | 391 | |
| michael@0 | 392 | PKIX_CHECK(PKIX_List_GetItem |
| michael@0 | 393 | (state->extKeyUsageList, |
| michael@0 | 394 | i, |
| michael@0 | 395 | (PKIX_PL_Object **) &name, |
| michael@0 | 396 | plContext), |
| michael@0 | 397 | PKIX_LISTGETITEMFAILED); |
| michael@0 | 398 | |
| michael@0 | 399 | PKIX_CHECK(pkix_List_Contains |
| michael@0 | 400 | (certExtKeyUsageList, |
| michael@0 | 401 | (PKIX_PL_Object *) name, |
| michael@0 | 402 | &checkPassed, |
| michael@0 | 403 | plContext), |
| michael@0 | 404 | PKIX_LISTCONTAINSFAILED); |
| michael@0 | 405 | |
| michael@0 | 406 | PKIX_DECREF(name); |
| michael@0 | 407 | |
| michael@0 | 408 | if (checkPassed != PKIX_TRUE) { |
| michael@0 | 409 | PKIX_ERROR |
| michael@0 | 410 | (PKIX_EXTENDEDKEYUSAGECHECKINGFAILED); |
| michael@0 | 411 | |
| michael@0 | 412 | } |
| michael@0 | 413 | } |
| michael@0 | 414 | } |
| michael@0 | 415 | } else { |
| michael@0 | 416 | /* Check key usage and cert type based on certificate usage. */ |
| michael@0 | 417 | PKIX_CHECK(PKIX_PL_Cert_VerifyCertAndKeyType(cert, PKIX_TRUE, |
| michael@0 | 418 | plContext), |
| michael@0 | 419 | PKIX_CERTVERIFYCERTTYPEFAILED); |
| michael@0 | 420 | } |
| michael@0 | 421 | |
| michael@0 | 422 | /* Remove Critical Extension OID from list */ |
| michael@0 | 423 | if (unresolvedCriticalExtensions != NULL) { |
| michael@0 | 424 | |
| michael@0 | 425 | PKIX_CHECK(pkix_List_Remove |
| michael@0 | 426 | (unresolvedCriticalExtensions, |
| michael@0 | 427 | (PKIX_PL_Object *) state->extKeyUsageOID, |
| michael@0 | 428 | plContext), |
| michael@0 | 429 | PKIX_LISTREMOVEFAILED); |
| michael@0 | 430 | |
| michael@0 | 431 | PKIX_CHECK(PKIX_PL_Cert_GetSubject |
| michael@0 | 432 | (cert, &certSubjectName, plContext), |
| michael@0 | 433 | PKIX_CERTGETSUBJECTFAILED); |
| michael@0 | 434 | |
| michael@0 | 435 | if (certSubjAltNames != NULL) { |
| michael@0 | 436 | PKIX_CHECK(pkix_List_Remove |
| michael@0 | 437 | (unresolvedCriticalExtensions, |
| michael@0 | 438 | (PKIX_PL_Object *) state->subjAltNameOID, |
| michael@0 | 439 | plContext), |
| michael@0 | 440 | PKIX_LISTREMOVEFAILED); |
| michael@0 | 441 | } |
| michael@0 | 442 | |
| michael@0 | 443 | } |
| michael@0 | 444 | |
| michael@0 | 445 | cleanup: |
| michael@0 | 446 | |
| michael@0 | 447 | PKIX_DECREF(name); |
| michael@0 | 448 | PKIX_DECREF(nameConstraints); |
| michael@0 | 449 | PKIX_DECREF(certSubjAltNames); |
| michael@0 | 450 | PKIX_DECREF(certExtKeyUsageList); |
| michael@0 | 451 | PKIX_DECREF(certSubjectName); |
| michael@0 | 452 | PKIX_DECREF(state); |
| michael@0 | 453 | |
| michael@0 | 454 | PKIX_RETURN(CERTCHAINCHECKER); |
| michael@0 | 455 | |
| michael@0 | 456 | } |
| michael@0 | 457 | |
| michael@0 | 458 | /* |
| michael@0 | 459 | * FUNCTION: pkix_TargetCertChecker_Initialize |
| michael@0 | 460 | * DESCRIPTION: |
| michael@0 | 461 | * |
| michael@0 | 462 | * Creates a new CertChainChecker and stores it at "pChecker", where it will |
| michael@0 | 463 | * used by pkix_TargetCertChecker_Check to check that the final certificate |
| michael@0 | 464 | * of a chain meets the criteria of the CertSelector pointed to by |
| michael@0 | 465 | * "certSelector". The number of certs remaining in the chain, represented by |
| michael@0 | 466 | * "certsRemaining" is used to initialize the checker's state. |
| michael@0 | 467 | * |
| michael@0 | 468 | * PARAMETERS: |
| michael@0 | 469 | * "certSelector" |
| michael@0 | 470 | * Address of CertSelector representing the criteria against which the |
| michael@0 | 471 | * final certificate in a chain is to be matched. May be NULL. |
| michael@0 | 472 | * "certsRemaining" |
| michael@0 | 473 | * Number of certificates remaining in the chain. |
| michael@0 | 474 | * "pChecker" |
| michael@0 | 475 | * Address where object pointer will be stored. Must be non-NULL. |
| michael@0 | 476 | * "plContext" |
| michael@0 | 477 | * Platform-specific context pointer. |
| michael@0 | 478 | * THREAD SAFETY: |
| michael@0 | 479 | * Thread Safe (see Thread Safety Definitions in Programmer's Guide) |
| michael@0 | 480 | * RETURNS: |
| michael@0 | 481 | * Returns NULL if the function succeeds. |
| michael@0 | 482 | * Returns a CertChainChecker Error if the function fails in a non-fatal way. |
| michael@0 | 483 | * Returns a Fatal Error if the function fails in an unrecoverable way. |
| michael@0 | 484 | */ |
| michael@0 | 485 | PKIX_Error * |
| michael@0 | 486 | pkix_TargetCertChecker_Initialize( |
| michael@0 | 487 | PKIX_CertSelector *certSelector, |
| michael@0 | 488 | PKIX_UInt32 certsRemaining, |
| michael@0 | 489 | PKIX_CertChainChecker **pChecker, |
| michael@0 | 490 | void *plContext) |
| michael@0 | 491 | { |
| michael@0 | 492 | pkix_TargetCertCheckerState *state = NULL; |
| michael@0 | 493 | |
| michael@0 | 494 | PKIX_ENTER(CERTCHAINCHECKER, "pkix_TargetCertChecker_Initialize"); |
| michael@0 | 495 | PKIX_NULLCHECK_ONE(pChecker); |
| michael@0 | 496 | |
| michael@0 | 497 | PKIX_CHECK(pkix_TargetCertCheckerState_Create |
| michael@0 | 498 | (certSelector, certsRemaining, &state, plContext), |
| michael@0 | 499 | PKIX_TARGETCERTCHECKERSTATECREATEFAILED); |
| michael@0 | 500 | |
| michael@0 | 501 | PKIX_CHECK(PKIX_CertChainChecker_Create |
| michael@0 | 502 | (pkix_TargetCertChecker_Check, |
| michael@0 | 503 | PKIX_FALSE, |
| michael@0 | 504 | PKIX_FALSE, |
| michael@0 | 505 | NULL, |
| michael@0 | 506 | (PKIX_PL_Object *)state, |
| michael@0 | 507 | pChecker, |
| michael@0 | 508 | plContext), |
| michael@0 | 509 | PKIX_CERTCHAINCHECKERCREATEFAILED); |
| michael@0 | 510 | |
| michael@0 | 511 | cleanup: |
| michael@0 | 512 | |
| michael@0 | 513 | PKIX_DECREF(state); |
| michael@0 | 514 | |
| michael@0 | 515 | PKIX_RETURN(CERTCHAINCHECKER); |
| michael@0 | 516 | } |
